Category Archives: Analysis & Opinions

The ePickpocketer

The great EMV migration has been here with us for a while and everybody is excited with the new innovations of cashless payment (especially matatu industry) which brought a lot of excitement even though still trying to trace its tracks to be adopted industry-wide. This is because no other industry Kenyans detest like the matatu industry. Most Kenyans detest matatu drivers (because of careless driving) and conductor due to their crooked and dishonest behavior. No-wonder we use disgraced names like “Makanga”,”Concordi / Konkodi (Local Swahili slang for pickpocket-er)” etc to refer to conductors since there aim is to con us the meager shillings by increasing the fares or refusing to handover change. 

As the saying goes, “The more things cange, the more they remain the same”  ~Jean-Baptiste Alphonse Karr. Contactless / radio-frequency identification chips (RFID) / Near Field Communication (NFC) chips bring in new paradigm of IT risk profile revolutionizing ‘ Concordi (Konkodi)’ to ePickpocketer. Continue reading The ePickpocketer

Advertisements

Spear Phishing – Simple, very effective and most prevalent social engineering hacking technique

Spear-phishing is an attempt by a hacker to obtain confidential information about a user through fraudulent means by targeting a specific employee in order to gain access to information. While phishers are usually attempting to steal from the victim, spear phishers attempt to compromise the victim’s company’s network and systems to steal corporate secrets, intellectual property, customer details and other valuable information. “Spear phishers play on people’s emotions, and often use curiosity, fear or the offer of a reward to arouse interest,” says Scott Greaux, a VP at anti-spear phishing training firm Phishme by use of email. Spear phishing uses the weakest point in security and that is us (people) as Bruce Schneier states “People often represent the weakest link in the security chain and are chronically responsible for the failure of security systems.” by use of social engineering to deceit, manipulate and “influence to convince a human who has access to a computer system to do something, like click on an attachment in an e-mail.” ~ Kevin Mitnick.Spear Phising Fig. I – Spear Phising Continue reading Spear Phishing – Simple, very effective and most prevalent social engineering hacking technique

PENETRATION TESTING OF ANDROID-BASED TABLET

ABSTRACT
“If you know the enemy and know yourself you need not fear the results of a hundred
battles.” – Sun Tzu, Ancient Chinese Strategist and Philosopher
The purpose of this a study is to conduct a pen test in android-based tablet. The pen test
was implemented in a manner that simulated a malicious attacker engaging in a targeted
attack against the tablet with the goal of pinpointing how an attacker could penetrate
android-based tablet security features. The assessment was conducted in accordance with
the recommendations outlined in NIST SP 800-115 penetration testing guidelines.
The results of this assessment will be used by Network administrators, Information security
managers and Information system auditors on how to make decisions on securing tablets
and Bring Your Own Device (BYOD) accessing the organization network. All tests and
actions were conducted under controlled conditions and a report written with detailed
explanation of the activities involved and the objective of the test.

Get a copy  here

How to create strong passwords

How to create strong passwords

The world has become a digital village and each one of us has got various computing devices at their disposal (Mobile phones, Personal Computers, Laptops, and tablets). Operate myriads of social media accounts (Facebook, LinkedIn, yahoo, Gmail and many more). The common denominator for all of them is the ‘PASSWORD’. Oxford online dictionary password defines password as “A secret word or phrase that must be used to gain admission to a place” (Oxford Dictionary, 2014).

Continue reading How to create strong passwords

The Microsoft Security Intelligence Report – Volume 16, 2014 summary based on Kenya information security environment in 17 points

Microsoft has released security intelligence report giving analysis of the threat and attack vectors globally. “The Microsoft Security Bulletins and Microsoft Security Advisories that are issued each month give IT professionals the latest information about vulnerabilities, the products they affect, and any security updates or actions they can implement to mitigate related risks.” (Microsoft Security Intelligence Report Volume 16, 2014 Microsoft Corporation).The reports are of three types;

The Microsoft Security Intelligence Report – Volume 16 is a 152 paged document, I tried to summarise in 17 points;

Continue reading The Microsoft Security Intelligence Report – Volume 16, 2014 summary based on Kenya information security environment in 17 points

ENHANCED MITIGATION EXPERIENCE TOOLKIT (EMET)

S

oftware is ubiquitously and fundamentally in all computing devices. Applications are developed using numerous sorts of programming languages, programmers and software vendors (with diverse training, experience and programming know-how). This creates difficulty in determining and discovering vulnerabilities present in software developed in house, vendor supplied or outsourced. It is very hard to determine the severity of a vulnerability that is or will be present having installed software package in a work environment.

Software Vendor market has become economic weapon as they try to outdo each other. The motivation being to seize software market segments so as to stay dominant. To achieve this, dirty tricks are deployed by competitors and hackers by use of malwares, viruses, Trojans and worms so as to mudsling competitors. The motivation of the attackers and the profile of a victim all play into who ultimately get attacked and who doesn’t. To prevent this, organizations need to deploy tools to deter this kind of attacks; example of this kind of a tool is Enhanced Mitigation Experience Toolkit (EMET). The tool is freely available and downloadable at Microsoft website. The tool plays a very critical role in enhancing the bank network security and detects malicious activities.

EMET is a free mitigation tool that helps system administrators, IT Professionals and developers beef up the security of third-party applications by helping prevent vulnerabilities in software (both Microsoft and third parties) from being successfully exploited. The tool protects through the state-of-the-art security mitigation technologies built into Windows, even in cases where the programmer of the software didn’t include security controls / code hardening so that the software is more resistant to known, zero day vulnerabilities and vulnerabilities for which an update has not yet been applied.
Continue reading ENHANCED MITIGATION EXPERIENCE TOOLKIT (EMET)

Can you track a ‘Turned off’ Cellphone?

cyber crime has been hitting the headlines of late. Michaels snowden, the run away NSA agent holed up in Russia has given us a glimpse of the whole new world that we never imagined.  For sure i can now conclude that;

“If you did not invent the technology, you never know the devil inside it”, by Kimson Kimathi.

Why do i say this? Well, it is true ” the National Security Agency has had the ability to track cell phones, even when they’re turned off” (informationweek.com,Mathew J. Schwartz | July 25, 2013 09:06 AM).

“This tracking ability was revealed on July 20 by The Washington Post, in an article chronicling the evolution of the NSA’s signals intelligence work in the wake of the Sept. 11 attacks, when intelligence agencies, the military and the FBI created an “insatiable demand for its work product.” Continue reading Can you track a ‘Turned off’ Cellphone?