Talking of 2010 , this has been a very interesting and fulfilling year for me as a developer ,Kenyan and employee. Met different guys physically and on social media encouraging and discouraging (is like i care) thanks for those who have been good to me, learned so much ……gotten a new constitution and new hope for Kenyan developers thanks to the ICT board and *ihub_ which i secured green membership(i got dibs) more innovation to come from Kenya.I will always go with them words by a couple of tweeples including @mbuguanjihia Luck is when opportunity meets preparedness @alykhansatchu if you snoose you loose @nesbit(kencall) Owerneship of an idea is by execution among others …..have a g33kmass everyone i sure will have one thanks for friends and enemies(like they care) for everything and following and followers who have provided links to enable me learn more and feel appreciated(@alykhansatchu @kenya_tweets @g33kmate @NonieMG just to mention a few) …. kuweni na siku kuu njema yenye fanaka na mwaka mpya(my swa iko down)
Today bad folks shoot bytes more than bullets.
I always tell my friends the best anti-malware, anti-virus, anti-hacking is common sense.
Am writing this not as a security expert or working with some security firm but because I have interest in security and always learning and practicing stuff to do with pen-test, vulnerability assessments and security.
Why security? Security enables the following reliability, confidentiality and integrity of the information being transmitted. Reliability is being there when needed, confidentiality this to do with privacy (intellectual property rights and patents), Integrity -info received as it was sent not modified or altered.
In a nutshell I will highlight a few issues:
Interconnection of the computer to share resources, networks have to be secure internally and externally this can be achieved by:
- Wireless networks – When I walk around Nairobi with a borrowed laptop I tend to stumble upon so many unsecured networks, this is by using typical windows XP scan no need to use the likes of kismet and Netstumblers for most of the networks are always broadcasting. If you happen to get a secured one, passwords are easily guessed, or if you try cracking a password It doesn’t take long for one to connect. Security is of essence especially around hotspot, folks connects to a hotspot starts browsing not knowing someone is accessing file on their computer Shared folder (this a no brainer) no rocket science involved .I recently tried the Firesheep on a friend and it worked well thank God windows has a patch for that (Google is your best friend) and now BlackSheep, which serves as a counter-measure. BlackSheep combats Firesheep by monitoring traffic and then alerting users if Firesheep is being used on the network.
BlackSheep does this by dropping ‘fake’ session ID information on the wire and then monitors traffic to see if it has been hijacked. Remedy secure you wireless networks with strong passwords, browse securely by encryption , shared folders should be unshared while in public hotspots .
- Firewalls -This includes filtering packets and ports to allow only genuine traffic in and out of the internal network. This can be achieved by deploying firewalls the hardware and software or configuration on router (Cisco is simpler).
- Banners on network devices being accessed must have disclaimers (#unauthorized access will be prosecuted#).
- Remote access to devices must be secure …do not use telnets (with Wireshark packets can be captured and passwords revealed) please use SSH (secure shell).
- Network devices should not be left with default passwords visit http://www.phenoelit-us.org/dpl/dpl.html to see default passwords for various devices. Implement strong passwords (#4d01phU$Lw0v@*) not simple and guessable ones, do not write the passwords on some sticky notes or save them.
- Separate internal networks according to departments and others .Different departments on different subnets (VLANs).
- Physical access to devices should be controlled either by well secured locked doors or by only a certain MAC address allowed to connect to a port.
Most of us here in Kenya happen to be using free or pirated softwares (thank God I use Linux (open source)) most of this softwares are normally outdated and unpatched the following are risks are involved;
- Computer operating systems are never patched –most of us use pirated Microsoft products with vulnerabilities and holes discovered and patched years ago .This makes it easy to run old exploits and gain access to the machines easily here in Kenya.
- Firewalls and anti-virus- Anti-viruses must be up to date to be able to detect, delete and neutralize viruses failure to which might cause a lot of distraction, windows firewalls too should be turn on. It is advisable to acquire legit anti-virus and install on your computer to download updates. Users must be educated on browsing, downloading freeware and visiting malicious websites which are normally source of viruses.
- Downloading of freewares in the name of spyhunter or spamblocker is highly discourage ,this kind of software might removes all spywares but install there on to spy on you or install Trojans/ keyloggers and rootkits connecting to a remote server expositing your private data including passwords and personal info.
- Humans being the worst enemy – do not to write passwords on sticky notes share passwords and use the same passwords to log onto different websites and applications.
E-Mails and Mail servers
Email is a vital part of communication in this age it can be sent and received from pc to handheld devices .We must ensure our emails are secure this involves;
- Passwords –Use strong passwords and they have to be unique for every address simple passwords can be guessed easily this is risky for one who uses the same password for several email addresses.
- Email client application-most us here use Microsoft outlook to pop and receive our emails, I performed an ARP poisoning on a network (was testing a network administered by a friend) using Cain& able with this I was able to get email addresses and there passwords (all the @theorganization.org) .this is because the email are never encrypted, outlook has the option of full encryption with SSL or use certificated.
- Mozilla Firefox and Google chrome save the passwords in clear text if you agree to save the passwords, they can be accessed by anyone using the same browser this is risky especially for folks checking their mails from cyber cafes .Do not save the passwords is the browser if it is to be used by someone else other than you. Someone can use your email address maliciously.
- Mail servers – Port 25 on most mail servers I have checked on is normally open ,this is a risk because if someone telnets to the server via port 25 using a simple command prompt and some simple commands ,he can be able to send mails from you server (beware it can be used for uchochezi (incitation)).
Websites today have become a requirement, for business, cooperates, governments and personal use Webhosting is affordable, more folks are having one online which is a good a thing. Are the websites secured? Web design now here in Kenya is affordable at KSH.2000 someone can develop one for you or with Dreamweaver, xampp and internet to download templates you are good to go .Folks concentrate more on the design and contents assuming security:
- Unsecure code like the php scripts Sql commands exposes the website to xss(cross site scripting) and Sql injection which can lead to defacement and exposure of usernames ,passwords and details stored in databases.
- Joomla –This a web 2.0 CMS that is easy to use and develop a website , it has its shortcomings, simply because one can download templates that they like and edit to come up with their desired website , It is not so secure especially when one adds plug-ins that they barely know just to make their websites look good ,from experience hackers mostly target plug-ins that are vulnerable to exploit them, It is advisable to download the plug-ins unzip them modify or simply check what it entails just to be sure. Another thing is the URL itself most Joomla websites are left to the default whereby if you add a suffix /administrator to the URL boom! You are greeted with enter username ,password and language this is a security risk especially for folks who write passwords on sticky notes, simple to guess passwords, sniffers capturing passwords and a colleague shoulder surfing while you are doing your thing. This can be rectified by Installing the jSecure Authentication plug-in where you can add a suffix to your back-end URL http://yousite/administrator?h3ll0w0rld , this will help only if you memorize the URL ,if anyone stumbles upon the password he/she will not be able to login in (/administrator = 405 error) .It’s a shame even government sites have not effected this.
That’s all for now, If you think some of this is scary unplug your network cable and play solitaire for the rest of your life.
The only way to know you are secure is to test it
Antiviruses,anti-malware, spyhunters, spam filters are like religion .There to give hope ..use your common sense.
Reminiscing in my office doing some internet research, coding and tweeting, a thought just crossed my mind about how far Kenya has come technologically , what i have seen and done while in this Kenyan tech-wagon. In a nutshell I would like to blog about a few things.
VOICE and DATA
I remember them days, when it came to phone calls you had to get to a call box (the Telkom ones). They were positioned in strategic places where not everyone could access the box and if you managed to get to one you had to patient .The queues were not only long, you had to wait for guys who were waiting for calls (real calls and the then common reverse calls).This are times when one had no privacy whatsoever, call times were limited for the guys calling from offices using office phones there was fear of being fired for misuse of office phone which were for official calls only.
Then came Kencell (now Zain) and Safaricom this when sanity came I remember my Dad had this Nokia3310 going for KSH.15000 (I wonder if they are still being sold), a whooping KSH 15000 is an equivalent of a Smartphone ,here we are referring a 3G enabled ,memory slot , Bluetooth handset with up to date features (you can get an androids and others regardless of the inflation and Kenya shilling loosing value).
I could tell guys how my dad had a Nokia 3310 and it was unbelievable I remember telling guys how I knew how to use ,dial and make calls (thanks it dint have Much ) ,I was seen as the lucky and cool guy amongst my peers.
Buying and using a phone at that time was damn expensive, the least airtime to be purchased was KSH.250 which never lasted for any serious call(now there is bamba KSH5 which is enough) ,this the time when the now Zain only targeted the cooperates (big fish) ,the small fish the kawaida guy was not considered ,I remember mostly the India-Kenyans were synonymous with Kencell . Safaricom came in and targeted the kawaida person although there network coverage and quality was lousy at that time compared to Kencell. Safaricom got more subscribes (I wonder why Zain is complaining right now) and took over the market (If you snooze you loose big-time). This went on for some time and now Safaricom still the leaders but Zain being the cheapest thus preferable .I can now make calls at a cheaper rate without fear thanks to Zain call rate as low as KSH.1 and high as KSH.3.Not to forget the entrance of new providers YU and Orange hope they will catch up, this is possible if and only if they come up with innovative, affordable and competitive Kenyan products geared toward helping the consumers and developers.
Data speeds, rates and Charges have really changed compared to the past, the past I mean not long ago because when cell phones came in Kenya, I never saw a colored screen we used to call the terminals, GPRS and 3G were like riding in a UFO .Phones had WAP which I never understood its work .It never worked .Then came GPRS which fascinated most guys but we dint have local content and guys used it to download ringtones and wallpapers the immoral one would download porn clips. After GPRS came Enhanced Data Rates for GSM Evolution (EDGE) or Enhanced GPRS this is faster guys could use them for surfing the internet, it is still being used by guys who are rigid this has evolved to 2G to 2.7G then 3G which all the networks have not fully implemented .Safaricom was first to roll 3G they have the best speeds compared to the rest ,the charges are higher good for anyone who want to do some serious thing without delays from the network .Overheard they are testing 4G but for anyone who is interested in poking a friend and checking some mail can use services from other providers nothing much can be done (you pay peanuts you get monkey)Orange has 3G it but only in Nairobi CBD .We need faster speeds at affordable prices .
Tumetoka mbali natunaenda mbali with competition, innovation/creativity, peace, economy growth, investors, Venture capitalist staring to finance Ideas and fiber optic cable much is expected in the near future am Positive we are in the right TechWagon.
When using social networking sites from your phone, skip the native apps – which know far more about your life than web browsers ever could – and access the sites through your phone’s browser. Also, use a password-protected screen lock to keep your phone secure.
Beware the false “update” link for apps! Verify the link you’re using to download an app before you click on it, or go directly to the company’s site to download the update. Sending fraudulent “update” links is a common method for directing users to sites where personal information can be compromised.
Clean up your apps regularly, removing those you don’t use. Some apps may be able to monitor and access various types of data on your phone, including your contact list. And if your phone has a SIM card, set a PIN code for the card — if the phone is ever lost, nobody can use the card.
Read the reviews of apps before you download, and choose reputable apps. Apps without many reviews and those that have been recently uploaded to the app market or app store are more likely to contain privacy and security problems.
Don’t trust Bluetooth If you use a hands-free device to make cell phone calls, always use a wired headset. Bluetooth devices can be compromised and your personal data can be accessed or corrupted. If you do use Bluetooth protect the connection with a longer, more secure password instead of a short PIN.
Watch out for apps that ask for too many permissions – if you’re installing a calculator app and it requests Internet and contacts permissions, that’s a bad sign. One way cyberthieves exploit smart phones is by creating a good app with some extra code and overreaching permissions.
Log out of all web services every time you’re finishing using them, or you may stay logged in indefinitely – even to sensitive sites like banking and email. On desktops, there’s a timeout period if you remain inactive, but not always with mobile access. If the phone is lost, anyone can access the sites you’re logged into.
Think twice before answering calls or text messages from unknown numbers, especially if you’ve received a call more than once. Phishing scams are often initiated through cell phone calls or texts. Google the phone number that’s calling you, and see if anyone has reported it as linked to a scam.
Google is and will always be your best friend.
The Basic search help article covers all the most common issues, but sometimes you need a little bit more power. This document highlights the more advanced features of Google Web Search. Have in mind though that even very advanced searchers, such as the members of the search group at Google, use these features less than 5% of the time. Basic simple search is often enough. As always, we use square brackets [ ] to denote queries, so[ to be or not to be ] is an example of a query; [ to be ] or [ not to be ] are two examples of queries.
- Phrase search (“”)
By putting double quotes around a set of words, you are telling Google to consider the exact words in that exact order without any change. Google already uses the order and the fact that the words are together as a very strong signal and will stray from it only for a good reason, so quotes are usually unnecessary. By insisting on phrase search you might be missing good results accidentally. For example, a search for [ “Alexander Bell” ] (with quotes) will miss the pages that refer to Alexander G. Bell.
- Search within a specific website (site:)
Google allows you to specify that your search results must come from a given website. For example, the query [ iraq site:nytimes.com ] will return pages about Iraq but only from nytimes.com. The simpler queries [ iraq nytimes.com ]or [ iraq New York Times ] will usually be just as good, though they might return results from other sites that mention the New York Times. You can also specify a whole class of sites, for example [ iraq site:.gov ] will return results only from a .gov domain and [ iraq site:.iq ] will return results only from Iraqi sites.
- Terms you want to exclude (-)
Attaching a minus sign immediately before a word indicates that you do not want pages that contain this word to appear in your results. The minus sign should appear immediately before the word and should be preceded with a space. For example, in the query [ anti-virus software ], the minus sign is used as a hyphen and will not be interpreted as an exclusion symbol; whereas the query[ anti-virus -software ] will search for the words ‘anti-virus’ but exclude references to software. You can exclude as many words as you want by using the –sign in front of all of them, for example [ jaguar -cars -football -os ]. The –sign can be used to exclude more than just words. For example, place a hyphen before the ‘site:’ operator (without a space) to exclude a specific site from your search results.
- Fill in the blanks (*)
The *, or wildcard, is a little-known feature that can be very powerful. If you include *within a query, it tells Google to try to treat the star as a placeholder for any unknown term(s) and then find the best matches. For example, the search[ Google * ] will give you results about many of Google’s products (go to next page and next page — we have many products). The query[ Obama voted * on the * bill ] will give you stories about different votes on different bills. Note that the * operator works only on whole words, not parts of words.
- Search exactly as is (+)
Google employs synonyms automatically, so that it finds pages that mention, for example, childcare for the query [ child care ] (with a space), or California history for the query [ ca history ]. But sometimes Google helps out a little too much and gives you a synonym when you don’t really want it. By attaching a +immediately before a word (remember, don’t add a space after the +), you are telling Google to match that word precisely as you typed it. Putting double quotes around a single word will do the same thing.
- The OR operator
Google’s default behavior is to consider all the words in a search. If you want to specifically allow either one of several words, you can use the OR operator (note that you have to type ‘OR’ in ALL CAPS). For example,[ San Francisco Giants 2004 OR 2005 ] will give you results about either one of these years, whereas [ San Francisco Giants 2004 2005 ] (without the OR) will show pages that include both years on the same page. The symbol | can be substituted for OR. (The AND operator, by the way, is the default, so it is not needed.)
Search is rarely absolute. Search engines use a variety of techniques to imitate how people think and to approximate their behavior. As a result, most rules have exceptions. For example, the query [ for better or for worse ] will not be interpreted by Google as an OR query, but as a phrase that matches a (very popular) comic strip. Google will show calculator results for the query [ 34 * 87 ] rather than use the ‘Fill in the blanks’ operator. Both cases follow the obvious intent of the query. Here is a list of exceptions to some of the rules and guidelines that were mentioned in this and the Basic Search Help article:
Exceptions to ‘Every word matters’
- Words that are commonly used, like ‘the,’ ‘a,’ and ‘for,’ are usually ignored (these are called stop words). But there are even exceptions to this exception. The search[ the who ] likely refers to the band; the query [ who ] probably refers to the World Health Organization — Google will not ignore the word ‘the’ in the first query.
- Synonyms might replace some words in your original query. (Adding + before a word disables synonyms.)
- A particular word might not appear on a page in your results if there is sufficient other evidence that the page is relevant. The evidence might come from language analysis that Google has done or many other sources. For example, the query[ overhead view of the bellagio pool ] will give you nice overhead pictures from pages that do not include the word ‘overhead.’
Punctuation that is not ignored
- Punctuation in popular terms that have particular meanings, like [ C++ ] or [ C# ](both are names of programming languages), are not ignored.
- The dollar sign ($) is used to indicate prices. [ nikon 400 ] and [ nikon $400 ]will give different results.
- The hyphen – is sometimes used as a signal that the two words around it are very strongly connected. (Unless there is no space after the – and a space before it, in which case it is a negative sign.)
- The underscore symbol _ is not ignored when it connects two words, e.g.[ quick_sort ].
“Their intention is to infect your computer so that you don’t even know you’ve been infected.”
We Kenyan folks are not keen about information/computer/network security, but now that the fiber optic cable landed ,users have to be very careful not to be preys for malicious hacker looking for low hanging digital fruit ,users do not patch ,update there software even antiviruses promptly.
Hardly reassuring words for computer users or business owners. Cybercrime continues to flourish for one simple reason: it’s profitable .most companies especially banks are going E.
Hackers use two broad approaches: Either they sneakily install malicious software on your computer to control it or steal your information, or they trick you into giving up your information voluntarily.
The malicious software can enter your system when you visit a shady website, or open an e-mail attachment carrying a virus. If it infects your machine “pap”, it might hand control of your computer over to networks that will rent it out to spammers, who will use it as a junk-mail-sending machine.
Or worse, it might install “key-logger” software that takes careful note of every word you type – usernames, passwords and all – and sends it back to hackers, who can co-opt your online accounts, take your money, and even represent themselves as you to your friends.
None of these things bode well for small businesses, which are often focused on the job at hand more than they are on information security. But there are new responses to these threats. In increasingly perilous seas, how do you stay on course without giving in to paranoia?
Here are some suggestions:
1. Don’t open unexpected attachments, even if they come from friends.
E-mail attachments are a great source of malware. But nowadays, they don’t just come from dodgy strangers, they can come from your best friends.
When certain malware infects computers, it will scan e-mail address books and send malicious messages to every contact, making it appear that the message comes from a friend. Oftentimes, they’ll contain messages such as “Here’s the PDF I said I’d send,” but they’re getting more clever and more subtle all the time.
If someone you know sends you an e-mail with attached files that you weren’t expecting, or that seem strangely generic (“Hey, check out these pictures!”), make contact with the sender first to make sure it’s genuine.
Social networks are the latest frontier for hackers because they engender so much trust. If a Facebook friend starts posting items they wouldn’t normally post, be careful: their account might have been compromised, and the items might be a trap.
2. Update, update, update.
Even if you never opened another attachment in your life, you can still let viruses in, even by doing something as simple as visiting the wrong website at the wrong time.
The software that runs modern computers is enormous and labyrinthine, and hackers are always finding new holes that they can use to sneak malicious software onto computers – usually by injecting. And software makers such as Microsoft, Apple, and anti-virus makers, are constantly rushing to patch those holes. It’s a never-ending game of cat-and-mouse.
This is why it’s essential to keep your software up-to-date, and up to the minute. You need to update three things: First, your operating system (such as Windows or Mac OS), which receive updates to plug security holes as they’re found. By default, these will install automatic updates – it’s important to let them. Second, your web browser (Internet Explorer, Firefox, Chrome) needs to be up-to-date for the same reason. New versions are free to download. This goes expecially for users of Internet Explorer 6, an older version of the popular browser that was well-known as a security nightmare.
Finally, your virus-checking software needs constant updates to know which malware to look for today.
3. Be very careful about following login links from e-mails.
The next trick is to keep from getting tricked. Increasingly, scammers will try to convince you to give away your login and password for a phony web page that’s set up to look like a real one.
It’s called “phishing” – as in, going fishing for victims. You’ve probably already received some that use banks as bait: An e-mail arrives, prompting you to visit your bank’s website to “verify your login information.” It will direct you to a page that looks like your bank’s website, but it is really a false front that passes your login information on to hackers.
So far, these have been fairly easy to spot. But scammers are getting smarter: they’re now sending e-mails that look like new-friend or message-waiting notices from social networks such as Facebook or LinkedIn.
Always be cautious. Watch out for vague-seeming notifications. Pay careful attention to the URL at the top of the web page. If there’s any doubt, don’t follow the link from the e-mail, but visit the social network’s page directly and log in there.
4. Use different passwords.
Password safety isn’t the be-all and end-all of security, but it’s an important rudiment. You’ve probably been regularly warned not to use simple or easy-to-guess passwords. But it’s probably even more important (and, yes, more annoying) not to use the same password for every online service you use.
The reason is simple: If, by installing a key-logger, or tricking you with a phishing trick, a hacker gets the username and password for one site, you can bet he’ll turn around and try it on every other service you’re signed up with. You could wind up being locked out of everything at once.
If remembering a dozen different passwords is unwieldy (and it is), consider using at least two groups of passwords – one for not-so-important sites, and different ones for the really sensitive logins.
5. Don’t think you’re smarter than the criminals.
So you know the ropes on the Internet. You know a malicious e-mail when you see one. Still, sometimes curiosity gets the best of you, and you click, thinking that you’re not going to divulge any personal information or download any suspicious files. Surprise: the bad guys have anticipated that, too.
“People believe that the operating system will protect them from everything they want to do; that by clicking on this link they’re smarter than the criminal,”
Tricks such as interstitial pages, pop-ups, and unpatched browser exploits can infect a computer before the user has clicked a single button or typed a word on a malicious web page.
And if you’re reading this on a Mac – don’t get too smug. For all of Apple’s marketing, Macs aren’t actually more secure, they’re just targeted less because fewer people own them. Malware comes for everyone, and – unfortunately – the only real solution is diligence.
My small online survey about different individuals in Kenya shows that most gutsy,go getter,successful individual in business,career,technology,consultancy studied abroad.They at least did a degree or masters abroad (This is from their online profiles and details).This leaves me with so many questions unanswered …is it our education system(more of theory no hand on -certificate oriented ) where guys go to college for the certificate ?are we really proud of what we did back in college?can we really do it? are we really qualified? is my English good enough?am I eloquent and fluent enough ? Is there anyone i can learn from?is it that we just cant think out of the box? is it luck of technology and access to it? Bandwidth? poverty? and many other..
It all trickle down to us ..you can do it? Do you believe in yourself? is everyone who studied abroad successful?(not all) are there guys who studied locally successful?(a couple).
Believe in yourself and you can do it no matter what.