- Just like in robbers’ gangs, it appears that the more sophisticated a hack is, the more respect the perpetrator receives from peers.
- One of the suspects being probed by police in Nairobi, Lifestyle has learnt, earned respect after taking credit for a major hack, after which a ring of West African hackers enlisted his services, particularly to assist in credit card fraud.
- According to a friend of the suspect, who spoke to Lifestyle in confidence, the hacker’s skills made him a much sought-after man, making it hard to hire his services.
- On the internet, there exist a number of forums where hackers exchange ideas and there appears to be a pecking order.
It could be the defacing of more than 100 government websites in January 2012 by a hacker believed to be from Indonesia or the attacks in August that year of the website of the now defunct ICT Board — ironically the patron of online activity in Kenya. Then in 2013 there were reported attempts to infiltrate the Independent Electoral and Boundaries Commission systems. A year later, the Twitter account of the Kenya Defence Forces (KDF) was taken over by a group called Anonymous. The July 2014 attack also tampered with the Twitter account of then KDF spokesman, Major Emmanuel Chirchir.
And when police busted a ring of cybercriminals two weeks ago, it would emerge that many more local institutions have been hit: the Kenya Revenue Authority (KRA), the National Transport and Safety Authority (NTSA), a number of banks, a supermarket chain and universities among others. In all these incidents the suspected hackers involved have either remained in the shadows, come out to openly declare their achievements or have been arrested by the authorities.
But what motivates hackers? From the series of hacks targeting Kenyan social media accounts, websites and institutions, where billions of shillings have been stolen, and multiple interviews with cyber security experts, Lifestyle has come up with the five things that go on inside the mind of a hacker.
1. Insiders are a hacker’s dream
An IT expert who has been training companies on how to avoid cyber-attacks for the last four years revealed that the support staff in most firms are the weakest links.
Mr David Kanyanjua, the CEO of Three Quality Services based in Nairobi’s Westlands, said that companies overlook some employees while training their workers about online security, which leaves a gap that hackers exploit.
“You will find that a company has a few guys trained on security here and there. But staff at the reception, for example, know nothing about security. And whatever they are doing is related to the company, because there are e-mails and everything is done on the internet,” explained Mr Kanyanjua.
“As a hacker, I will not go for the IT people. I will go for the receptionist. I’ll go for the marketing people in the field. Once you have access to one person who is doing anything on the network, including the receptionist, or even a security guy who might have a computer or maybe doing a few things, you can have access to the entire organisation,” he added.
Mr Kanyanjua warned workers against allowing any strange flash disk to be inserted in their computers, saying it was one of the preferred methods of gaining access to a company network.
Following the arrest of 19 people in a suspected hacking ring two weeks ago, some staff at KRA were arrested for being part of the ring — knowingly or unknowingly. Detectives said some could be witnesses in the case where massive hacking took place.
Ms Samson Wanjohi, a technology expert known for creating the ShulePro software that manages students’ marks in schools, said carelessness is a contributor.
“When some employees are used as prosecution witnesses, it means some guy somewhere accepted giving out a password without knowing it; or the password was stolen,” he said.
Besides staff, people using a service from an institution like a bank can also be the gateway, according to Mr Wanjohi.
“A hacker finds someone at a bank, tells them they’ll pay if given the password. That person has no idea the system is actually logged. So, security goes as far as the user. If he or she is a bad or stupid person, it becomes a problem,” he said.
2. Getting a job at the firm you attacked is an option
Sometimes hackers prefer taking up jobs in the companies they have hacked. One example is Nicholas Allegra, a 19-year-old who bothered Apple so much about his skill for discovering bugs in the operating system of its iPhone devices that they hired him in 2011.
Allegra, using the name Comex on Twitter, mastered Apple’s operating system so well that he developed a system, called JailBreakMe, that iPhone users could execute and afterwards they could install any programme they wanted in the phone.
Twice, Apple changed their operating system to lock him out but he always found a chink in their armour. Forbes magazine used various clues to track him down for an interview. The magazine published his story in August 2011 and revealed that Allegra had taught himself about Visual Basic, a programming language, at the age of nine.
“By the time I took a computer science class in high school, I already knew everything,” he said. The same month, Apple offered Allegra a job, though he quit in October 2012.
After police arrested a suspected hackers’ ring in Nairobi recently, a section of Kenyans also felt that, given their computer mastery, they should be hired by the government.
“Some of these good hackers should serve their punishment by working for the government instead of going to jail. Kenya could use all the help it can get in cyber security especially in government installations,” stated Faustin Mwendwa on the Nation Facebook page where the story was shared.
“These brainees (sic) don’t belong in jail, utilise their knowledge in enhancing cybersecurity otherwise conning from Kamiti is going pro,” said Lucy Mbugus on the same platform.
According to Mr Gilly Gathogo, a cyber security trainer and consultant at Three Quality Services, having a number of jobless computer gurus poses a risk to the economy.
“There are those who have been trained and they don’t have a job. That group, you don’t know what they’re doing; because they have the skills, they have the tools. That’s another challenge. We have a silent minority of people who have been trained and they don’t have jobs,” he said.
3. The tougher the ‘job’, the greater the respect
Just like in robbers’ gangs, it appears that the more sophisticated a hack is, the more respect the perpetrator receives from peers. One of the suspects being probed by police in Nairobi, Lifestyle has learnt, earned respect after taking credit for a major hack, after which a ring of West African hackers enlisted his services, particularly to assist in credit card fraud.
According to a friend of the suspect, who spoke to Lifestyle in confidence, the hacker’s skills made him a much sought-after man, making it hard to hire his services.
On the internet, there exist a number of forums where hackers exchange ideas and there appears to be a pecking order. The person with more useable credit cards, more cracked passwords, more mind-boggling discoveries on how to bypass one system or another, more flair in getting the way around the latest updates by technology companies ranks higher.