Thus Spaketh Idd Salim

Tag: security

The consoling quiet before the big Kenyan bank hack bang!

by Idd Salim on Feb.24, 2010, under Coding, Symbiotic

Tick… tock… Tick… tock… goes my HackOmeter. “Have they been hit yet?”, I ask myself. I switch on the TV to see if a Kenyan bank has been hit yet. “Not yet”, I conclude. “I see voluptuous women flaunting naked in the streets and on billboards. Soon the rapists are coming.”, I tell my friends. And ohh, what a sad day it will be.

The Topic for today is SMS Banking.

What it is MEANT to do:

SMS banking is a remote banking service via mobile phones. Upon each money withdrawal operation with a card account (purchase using a card, cash withdrawal at an ATM), the client connected to the SMS Bank system receives an SMS message with information on the transaction. Such an SMS message usually includes the charged amount, part of the card number, date, time, and place of the transaction (shop or ATM location). Full stop! That is what SMS banking was meant to be, should be and must remain.

What it has been ABUSED to be:

But hang on, there. What about these services all over the news that allow a user to check balances, transfer money, stop cheques etc, all from SMS (or USSD, as in the case of Equity and Barclays)? Isn’t that what SMS banking really is?

Well, this is a classic example of Security Through Obscurity. Like walking along Tom Mboya at 2am waving a KSHS 1000 note and reaching home safe. You won’t do that for long.

Shamelessly stolen from The RSA Website:

We have all read about the iPhone and Blackberry SMS attacks and vulnerabilities. There is currently commercially available (let alone black market) software that allows eavesdropping and spoofing of SMS. The lack of SMS confidentiality has been established by congressional members, city mayors, and international government officials in dozens of cases where their text messages were intercepted and made public. Like landline communication, cell phone communications including SMS should be considered to have no confidentiality.

An SMS can be:

  • Intercepted on its way from your phone to Zain/Safaricon/Safaricom.
  • Changed and edited [The content, the destination Numbers, The Source Number etc].
  • Delayed.
  • Deflected and even deleted before it ever gets there.

This can be done with equipment that costs less than USD 10,000 and also with techniques that anyone who knows the difference between Hellon and Arunga can master in a week.

How Can this be done?

There are 3 known ways to intercept communication between 2 parties that is sent via SMS:

  • Phone cloning – The best. Totally bamboozles the MSP cell towers [Saf/Zain]. They see two phones with the same phone number, MIN and ESN. Very effective on CDMA networks but not as effective on GSM.
  • SIM copying – VERY illegal because it is 100% efficient. Clones the SIM and yours becomes active whereas the clone is dormant but receives copies of all your SMS and calls.
  • Patched firmware – A very easy and common method is for a hacker to upload a super-firmware to their phone. This upgrade turns their phone into a super-phone radio transmitter and they can receive SMSes that are addressed to THEM and people AROUND them. You can really have fun with this at a club, a mall or a bus-stop.

Ever been robbed or attacked and then the assailants returned your phone / SIM? Chances are you got cloned and ALL your phone calls [as long as you are in the same cell area] and ALL your SMSes [irrespective] get delivered to YOUR real phone and its clone.

Where is the problem?

Ok. Enough phone hacking lessons. For those dumb enough not to grasp where the problem is, so far, please, allow me to reiterate:

  • Your SMSes are neither CONFIDENTIAL nor PERSONAL. Get over it! A recent article about how guys from SafCon sell data, call and SMS records shows the first level of breach. Your data can be bought!
  • Your SMSes can be intercepted by hackers. SafCon can fire all those name-spoilers they hire, but your information is only secure from humans. It is NOT digitally secure. SMS and USSD traffic is rarely encrypted, if ever.

What is MY problem?

Just your money, my reader. You don't want all your hard-earned cash to end up in Nigeria, do you?

Why doesn't Safcon [not to be confused with Safaricom] etc do something?

Honestly, not their problem. You send SMSes, they make money. And it is not their mandate to SECURE these systems. They offer the ROAD. If you have an accident on it, hard luck!

Is All Lost in the Mobile Banking Sector?

Not by a long shot. But that is a topic for another day, or you can skype/gmail/yahoo me @iddsalim to tell you HOW Symbiotic is countering this menace. Power through serious code..

Adios!

Back to code!


2010 – The year of the hack [Pt 1]

by Idd Salim on Jan.06, 2010, under Symbiotic

In 2006

As hackers in Kenya, we have always been taken as fact-less doomsayers and merchants of fear about an IT apocalypse.

I remember in 2006, from a 32Kbps line in my bedroom in Kampala, I hacked into a top Nairobi stock brokerage firm registered with the CMA/NSE and downloaded their entire database of investing clients. The database obviously included some juicy details, e.g. names, cell numbers, addresses, ID numbers, trading history, usernames and passwords.

Being the naive and PURELY technical hacker I was those days [no business sense or mentorship], I sent the MD and IT manager an email with the database as a zipped attachment and advised them on how to secure their enterprise and lock people out. Maybe it was the concoction of Matoke, Lumonde, Kallo and oBushere I had taken for lunch, but this was a very dumb move.

“You have just burned an opportunity to have these guys pay you through their noses!!”, Said an Irate and totally annoyed Mwaniki. “Next time, talk to me or get a BUSINESS PERSON to handle the BUSINESS for you. You are just a hacker”. Hmmn, Kumbe things I do for fun could rake big scrilla.

2 days later, I received an email ridden with threats and gloating on how they could send cops to my house before I could spell the name ‘DjembaDjemba’ and have me locked up for good.

So, What makes Kenya a FAT Juicy Bulls-Eye for hackers?

A lot of  things make Kenya a big fat juicy and warm err.. target.

  1. This is Kenya – Name me the country where systems like Mpesa/Zap pioneered? Yeah, Kenya. Ushahidi? Kenya. This makes software development houses a major target for industrial IP espionage.
  2. No IT criminal law – Well, breaking into a place requires physical presence. So, technically, hacking isn't breaking in. In some states in the US, for you to be convicted of hacking, you must be caught LIVE, actually logged on to the victim's machine. The server/router logs from their end are totally inadmissible. For all they know, states the rule, the machine could just be hacking another, and not the user. Logs can also be manipulated to show anything the SysAdmin wants them to show.
  3. Kenyans are too stressed to remember complex passwords – During all the times I have had to prank-call or social engineer an ISP support desk, or every time I have gone to a Dormans or a Java, I have concluded that Kenyans use the following passwords for Cisco routers, wireless networks etc [1234124, 12345678901, p@ssw0rd, jesussaves, welovejesus, railatosha, hague]. Or if the username is kamau, the password is normally kamau123 or KamauMnoma, or a personal/work/neighbour's car number plate or date of birth.
  4. Kenyans trust the padlocks – A lot of times I have visited organizations [not all of course] and have been given an IT tour. The conversation normally goes like this:

IT – “And this is our server room. You can see all the servers are securely locked in there with that huge padlock.”

Salim : “What firewall do you use?”

IT : “We have Fire Extinguishers and also motion detectors.”

Salim : “No, No. I meant, FIREWALL. To really secure the servers from intrusion. Internally and externally.”

IT : “That padlock is an original Solex, boss.”

Salim : “OK. good.”

It is also a culture that most people use the same password for their PC, FB account, Gmail, chat etc. Usual excuse: “I don't want the stress of remembering something like 30 passwords, boss!”
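As an added example (not from the post or from Symbiotic), here is a password-policy check built from exactly the weak patterns the post lists: the common passwords above, username-derived passwords like kamau123 or KamauMnoma, car number plates and dates of birth. The plate shape (three letters, three digits, one letter) and the sample accounts are assumptions made for the illustration.

```python
import re
from datetime import datetime

# Constructed from the passwords the post lists; not a real breach list.
COMMON_PASSWORDS = {"1234124", "12345678901", "p@ssw0rd", "jesussaves",
                    "welovejesus", "railatosha", "hague"}

# Assumed Kenyan number-plate shape, e.g. "KBC 123D" (K + two letters, three digits, one letter).
PLATE_RE = re.compile(r"^k[a-z]{2}\s?\d{3}[a-z]$", re.IGNORECASE)


def looks_like_date(password):
    """True if the password is a calendar date such as 24/12/1985 or 19851224."""
    digits = re.sub(r"[/.\- ]", "", password)
    if not (digits.isdigit() and len(digits) == 8):
        return False
    for fmt in ("%d%m%Y", "%Y%m%d"):
        try:
            datetime.strptime(digits, fmt)
            return True
        except ValueError:
            continue
    return False


def weak_password_reason(username, password):
    """Return why the password is weak, or None if it passes these checks."""
    pw = password.lower()
    user = username.lower()
    if pw in COMMON_PASSWORDS:
        return "common password"
    if user and user in pw:          # kamau123, KamauMnoma, mnomakamau
        return "derived from username"
    if PLATE_RE.match(password):
        return "looks like a number plate"
    if looks_like_date(password):
        return "looks like a date of birth"
    return None


def audit_accounts(accounts):
    """Map each account whose password fails a check to the reason it failed."""
    return {u: r for u, p in accounts.items() if (r := weak_password_reason(u, p))}


if __name__ == "__main__":
    # Constructed sample accounts, not real credentials.
    sample = {"kamau": "kamau123", "admin": "p@ssw0rd", "wanjiru": "KBC 123D",
              "otieno": "24/12/1985", "achieng": "Tr0ub4dor&3xyz"}
    for user, reason in audit_accounts(sample).items():
        print(f"{user}: {reason}")
```

Run this against exported account names and candidate passwords at password-change time; everything except the last sample account is rejected.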

Who can/will be Hacked in 2010?

This is no indication at all that the cogs are already oiled and raring to go. Just plain fact-less prediction based on Obvious situations. If you are a pool player, you know that if a black ball is set, it will eventually be pocketed. What is in the plate, will eventually be eaten.

The following are my personal top 5:

  1. The Stock Market – I will not be surprised to wake up one day and find the price of Safaricom shares is 15 bob. Definitely, the regulations protect the market against such differentials, but what about the confidence of the oblivious investor? One of the arms of the trio [NSE, CMA, CDSC] has a very insecure setup that could be the Achilles heel for a skilled/semi-skilled hacker.
  2. The Banking Sector – A lot of banks are jumping on the SMS and online banking bandwagon. I must agree I accept the software models and security architecture of some of the players, but MOST banks seem happy to just fire up an IIS box with default settings, throw in some insecure code and voila! They have an online banking system!
  3. Social / eCommerce Sites – The advent of fibre brings with it a surge of websites and me-too replicas of social networks and eCommerce and payment platforms. Quite a number are designed with a very strict methodology taking care of performance and security concerns, but there are still a lot of vulnerable apps in terms of data sanitation and business logic.
  4. Government Websites – A great percentage of Government websites are done gung-ho by just setting up a quick installation of Joomla or Drupal. There is no differentiation between CMS implementors and actual web developers worth their salt. I have a bad feeling that the reliance on the security features of the CMSes and the reliance on the un-educated CMS guru for security will have bad ramifications. Let me not even list the government websites that have been recently hacked.
  5. Individuals/SMEs – Corporates and SMEs normally need a one-time secure setup by a seasoned pro and then everything runs smoothly. Behaviourally, to save cost, new devices and configurations are later added to the LAN without consulting the pro. The adding of new items and possibly the need to change [read adulterate] the secure settings leads to an insecure environment. A lot of reasons e.g. espionage [delete all their data because they are my competition], disgruntled employees, ex-staff with access etc make the SMEs a risk factor. Again, since most ISPs have the same/default password for their equipment [for ease of remembrance for the techies], a hacker can hop from Zimmerman to Hurlingham zombifying home computers without the owner even smelling the trap.

That's the news!

Back to code..
