Information is power and therefore today, every company or organisation worth its name, has more than 70 per cent of its workforce using computers to generate and store information. What most staff do not know, however, is that this information is important company property, which needs to be guarded jealously. Often, computers store sensitive information ranging from the financial stand of the company to trade secrets – information they would not want to fall into competitors’ hands, lest they are edged out of business.
Early this year, former Rubaga South Member of Parliament Singh Katongole, was reported to have lost more than Shs300m to hackers as he wired the money to suppliers of aluminum profiles for his company.
Katongole says when he went to China to place the order for the profiles, he did not have enough money but agreed with the suppliers that when they sent them, he would clear the balance.
He recalls that when the cargo reached Mombasa, the suppliers sent the invoice and the account number where to pay the money by e-mail. He suspects this to have been the beginning of his troubles.
“The invoice had been cut half way and it had a different account number and e-mail address, which I did not pay attention to. Since I was out of office, I instructed one of my workers to transfer $26,000 (approx. Shs67m) into the account on the invoice.
“After a few days, somebody called me from China saying that since it was the end of year in China, banks were closed and therefore they could not access the money. They told me they needed money urgently and asked me to send another $26,000 by telegraphic transfer to a bank account in Hong Kong and this would act as part payment for the next consignment of goods.” Katongole obliged.
A few days later, another phone call came in from China. This time, it was the genuine suppliers following up on the payments. When he told the suppliers that he had sent the money to the bank accounts he had been told to deposit it, they were shocked because they had not sent any such instructions. He immediately reported to Jinja Road Police Station and Interpol to follow up the matter.
Katongole is not the only victim. Many have suffered financial losses of money in a similar way.
How secure are companies?
Back home, here is a question to reflect on. After buying desktop computers, mobile gadgets or laptops and connecting them to the local area network, including the Internet, what security measures do you put in place to ensure that your treasured company information does not leak to the competitors? How often does your company go out of its way to deliberately train all the staff using computers on the basic computer security skills?
With the rising wave of hackings into web sites and databases, this new wave of computer-aided fraud is placing the security of organisations operating businesses on computers and the internet, into very vulnerable positions. They risk losing financial resources as well as vital company information.
In Uganda, the banking and the telecoms which are the fastest growing sectors in the economy, are the biggest victims so far with several banks registering huge losses of funds from customer accounts, and from electronic fund transfers, where lots of money is sent online through the internet into banks, while in the telecommunications sector, the most common forms of computer related crimes include jamming of the telephone networks, dropped telephone phone calls and incomplete call metering where phone calls do not last the 60 seconds in a minute.
According to Mustapha Mugisa, an anti-cyber-fraud and computer forensic expert and Director of Summit Consult, hacking is a process of gaining unlawful access to one’s computer system using technical or social skills or both, depending on the security awareness of the target of interest. He says the first step in hacking is foot printing and reconnaissance.
“Foot printing involves understanding the target system and studying the security practices in that system so that the hacker can exploit the weakest point of vulnerability,” he says.
In banks, hackers easily exploit ordinary computer users (bank tellers, customer care, loan officers, and administrators who account for over 80 per cent of computer use) and avoid the 20 per cent technical users (IT and internal audit teams) because the 80 per cent are not knowledgeable in computer security.
“All a hacker needs is an understanding of, say, a bank teller’s e-mail, the knowledge and interests of the user and the hacker sends an e-mail requesting the teller to click onto a link, which in the process installs a software (key logger) remotely and stealthily on the teller’s computer. Whichever key the teller touches thereafter, will be e-mailed directly to the hacker’s computer immediately,” he explains adding that through the process, the hacker will have access to all the teller’s passwords. He advises that the best way for banks to guard against such hackers is by training all users against clicking on such e-mails and disabling the administrative rights on user machines.
Mugisa adds: “Once the hacking is successful, the hackers can gain access to all bank information like the shares held in the bank or all customer bank account details.” He advises that because the technology uses services which run over ports and internet protocol (IP), they should always be closed.
“During foot printing, hackers look for open and unsecured ports like the post office protocol (POP), Domain Name Server (DNS) or the simple mail transfer protocol (FTP). Once these are open, it becomes easier for the hackers to access other users’ e-mails, a mistake, which actually contravenes the 2011 Electronic Transactions Act.”
He observes that most business e-mails are not digitally signed yet digital signatures are supposed to ensure that the e-mail has integrity and the recipient does not deny receiving the mail (non-repudiation). He warns that there is no single IT system or banking application that cannot be hacked.
“Systems with strong security only make it harder to hack requiring a lot of time and patience, which time hackers usually don’t have,” he says adding, “With e-commerce today, one will send you mail instructing you to transact for him or her and to ensure that you do not deny having received the instructions by e-mail, it should be digitally signed.” In Uganda, there is limited capacity to investigate and prosecute computer-related crimes yet they are punishable under the 2011 Computer Misuse Act.
“There is weak capacity by law enforcement to investigate computer crime. Computer hacking is a crime punishable under the 2011 misuse act. There is need for law enforcement and government auditors to study courses like computer hacking forensic investigator (CHFI), certified ethical hacker (CEH) and certified fraud examiner (CFE),” Mugisa says.
According to Mr James Saaka, the Executive Director, National Information Technology Authority Uganda (NITA-U), computer-aided fraud is a form of crime that has increased in the last 10 years, and government has since enacted the following cyber laws – Computer Misuse Act, e-Transactions Act and e-Signature Act. The regulations for the e-Transactions Act and e-Signature Act will be in place by the end of April, 2013. These regulations will help in the prosecution of those people who perpetuate these cyber crimes.
Furthermore, under NITA-U, a Directorate for Information Security has been formed, and a Director, Mr Peter Kahiigi, was appointed in December, 2012.
“NITA-U is in the process of developing the National Information Security framework, which will be in place by July 2013. All mission-critical systems will be required to comply to this framework. This will help in improving the information security of our computer systems,” Saaka says.
He adds that NITA-U will increase information security training and awareness in the country, so that people become more aware of the threats that are around them and possible vulnerabilities that may exist on information systems. A Computer Emergency Response Team (CERT) is also being put in place by UCC and NITA-U, which will help in fighting cyber crime. The CERT will be operational by July 2013.
As Saaka says, information security is everyone’s business and not just for IT people. You can never be too careful in trying to put security systems up, otherwise, your hard-earned work or money might disappear at the touch of a computer key.