cyber crime-longwe 20-6-06
TRANSCRIPT
8/3/2019 Cyber Crime-Longwe 20-6-06
http://slidepdf.com/reader/full/cyber-crime-longwe-20-6-06 1/15
Kenyan Experience
Cybercrime Workshop, ILEA, Botswana
Brian Longwe - General Manager
African Internet Service Providers Association
AfrISPA
African Association of National ISP Associations
Members represent 12 out of about 30 eligible countries
Founded in 2001
Established 2002
AfrISPA Members
Botswana
DRC
Ghana
Kenya
Malawi
Mauritius
Nigeria
Rwanda
South Africa
Tanzania
Uganda
Mali
AfrISPA Objectives
1. To provide industry perspectives on policy formulation and regulation as it relates to the Internet industry and to act as an interface with Governmental bodies and the public at large.
2. To develop policies and positions in the best interest of the Members and protect and promote these interests in regional and International Fora.
3. To promote the development of key Internet Infrastructure on the Continent.
4. To promote the development of a free and open telecommunications market.
5. To facilitate the establishment of national ISP Associations in Africa and to provide common services to them.
6. To provide and promote educational opportunities that will enhance and empower technical and policy understanding of the Internet.
7. To build, maintain, and publish relevant industry data for Members.
Personal Background
14 years in Information Technology
Chief Technology Officer and Head of Technical Department for 3 different ISPs over past 11 years
- Form-Net Africa: 1995-1997
- Mission Aviation Fellowship Information Services: 1997-1999
- ISPKenya: 1999-2005
Currently providing various forms of specialised equipment and consulting services
Development of Internet in Kenya
1996 - Digital Internet access, primarily via International Leased lines (IPLC)
1998 - Jambonet (National Gateway) established by Telkom Kenya
1999 - Internet Mainstream
- 80 Licensed ISPs with 40 operational
- Internet Points of Presence in 6 Major Cities/Towns
- Most Medium/Large Corporations with dedicated Internet links
Cyber Threats
June 2000
- 3am: ISPKenya helpdesk starts to receive complaints about email delays
- 3:30am: Helpdesk starts to receive calls about problems accessing websites
- 4am: Helpdesk contacts CTO about potential system-wide problems
- 4am: CTO logs in remotely, can't access most external websites
- 4:15am: CTO arrives at office and finds that primary (only) Internet link is flooded with traffic/unusable
- Cisco debug reveals massive volumes of IP traffic
- Cisco router shows 99%-100% CPU utilisation
- Most packets have similar IP source address (remote/foreign)
- Primary internet connection is flooded/can't pass traffic - dropping packets
- CTO contacts Jambonet to request IP filter to block source IP address block
- Within 5 minutes of implementing the filter, network goes back to normal
- Diagnosis reveals successful denial of service attack originating from systems/IP addresses located in Brazil
Cyber Threats
February 2002
- 1:30am: ISPKenya helpdesk starts to receive complaints about problems with web-browsing
- 2:00am: Helpdesk starts to receive calls about problems logging in on dialup
- 2:15am: Helpdesk contacts CTO about potential system-wide problems
- 2:15am: CTO attempts remote login, can't login
- 2:30am: CTO arrives at office and finds that network is completely flooded with traffic/unusable
- Cisco debug reveals normal operation
- Cisco router shows 2%-6% CPU utilisation
- TCPDUMP on internal network reveals broadcast storm originating from DNS server
- Disconnection of DNS server from network restores normal operations; secondary DNS provides normal name resolution
- Analysis of DNS server (running Linux Redhat) reveals rootkit, most binaries replaced with tainted/modified binaries
- Further analysis reveals that un-patched version of BIND provided opportunity for compromise
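The June 2000 and February 2002 incidents turn on the same first step: read the packets, find the one address or address block that explains the symptom, and cut it off at the right place (the upstream filter at Jambonet for the flood, the cable for the broadcasting DNS server). The Python below is an added example written for this page; it is not code from the presentation or from ISPKenya. It parses a constructed capture in the shape of `tcpdump -n` summary lines, built from documentation address ranges rather than real traffic, and assumes the ISP's own customer/server network is 198.51.100.0/24.

```python
"""Packet-capture triage for the two incident patterns described above.
Added example for this page, not code from the presentation or ISPKenya.
The capture below is constructed from RFC 5737 documentation addresses."""
import ipaddress
import re
from collections import Counter

# Assumption: the ISP's own customer/server network (placeholder range).
INTERNAL_NET = ipaddress.ip_network("198.51.100.0/24")

# Constructed sample in the shape of `tcpdump -n` summary lines: a flood from
# many hosts in one remote /24 (as in June 2000), two legitimate remote
# clients, and an internal host hammering the broadcast address (as in
# February 2002).
SAMPLE_CAPTURE = """\
04:10:01.000001 IP 203.0.113.17.4021 > 198.51.100.5.80: Flags [S], length 0
04:10:01.000102 IP 203.0.113.42.4022 > 198.51.100.5.80: Flags [S], length 0
04:10:01.000203 IP 203.0.113.17.4023 > 198.51.100.5.80: Flags [S], length 0
04:10:01.000304 IP 203.0.113.99.4024 > 198.51.100.5.25: Flags [S], length 0
04:10:01.000405 IP 203.0.113.42.4025 > 198.51.100.5.80: Flags [S], length 0
04:10:01.000506 IP 203.0.113.7.4026 > 198.51.100.5.80: Flags [S], length 0
04:10:01.000607 IP 203.0.113.17.4027 > 198.51.100.5.80: Flags [S], length 0
04:10:01.000708 IP 203.0.113.250.4028 > 198.51.100.5.80: Flags [S], length 0
04:10:01.000809 IP 192.0.2.77.1025 > 198.51.100.5.80: Flags [P.], length 120
04:10:01.000910 IP 192.0.2.78.1026 > 198.51.100.5.25: Flags [S], length 0
04:10:01.001011 IP 198.51.100.53.137 > 198.51.100.255.137: UDP, length 50
04:10:01.001112 IP 198.51.100.53.137 > 198.51.100.255.137: UDP, length 50
04:10:01.001213 IP 198.51.100.53.137 > 198.51.100.255.137: UDP, length 50
04:10:01.001314 IP 198.51.100.53.137 > 198.51.100.255.137: UDP, length 50
04:10:01.001415 IP 198.51.100.53.137 > 198.51.100.255.137: UDP, length 50
04:10:01.001516 IP 198.51.100.10.137 > 198.51.100.255.137: UDP, length 50
"""

# "<time> IP <src>.<port> > <dst>.<port>:" -- non-IP lines (ARP etc.) are skipped.
LINE_RE = re.compile(r"^\S+ IP (\d+\.\d+\.\d+\.\d+)\.\d+ > (\d+\.\d+\.\d+\.\d+)\.\d+:")


def parse_capture(text):
    """Return a list of (src, dst) IPv4Address pairs from tcpdump-style lines."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            packets.append((ipaddress.ip_address(m.group(1)),
                            ipaddress.ip_address(m.group(2))))
    return packets


def dominant_source_block(packets, internal=INTERNAL_NET, prefixlen=24):
    """Aggregate external sources into /prefixlen blocks; return (block, share)
    for the block that carries the largest share of external packets, or None."""
    counts = Counter()
    for src, _dst in packets:
        if src not in internal:
            counts[ipaddress.ip_network(f"{src}/{prefixlen}", strict=False)] += 1
    if not counts:
        return None
    block, n = counts.most_common(1)[0]
    return block, n / sum(counts.values())


def broadcast_storm_sources(packets, internal=INTERNAL_NET, min_packets=3):
    """Internal hosts that sent at least min_packets to the subnet broadcast
    address, most active first, as [(address_string, count), ...]."""
    bcast = internal.broadcast_address
    counts = Counter(src for src, dst in packets
                     if dst == bcast and src in internal)
    return [(str(src), n) for src, n in counts.most_common() if n >= min_packets]


def filter_request(block):
    """Render the block as the deny entry to hand to the upstream provider
    (wildcard-mask style; illustrative, not a specific vendor's syntax)."""
    return f"deny ip {block.network_address} {block.hostmask} any"


def triage(text, internal=INTERNAL_NET):
    """Run both checks over a capture and summarise the findings."""
    packets = parse_capture(text)
    flood = dominant_source_block(packets, internal)
    return {
        "packets": len(packets),
        "flood_block": str(flood[0]) if flood else None,
        "flood_share": flood[1] if flood else 0.0,
        "flood_filter": filter_request(flood[0]) if flood else None,
        "broadcast_sources": broadcast_storm_sources(packets, internal),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_CAPTURE).items():
        print(f"{key}: {value}")
```

On the constructed capture the flood check attributes 80% of external packets to 203.0.113.0/24 and renders the deny entry for the upstream request, while the broadcast check singles out 198.51.100.53 as the host flooding the subnet. The second check is the one that matters when the router itself looks healthy, as it did in 2002: the aggregation prefix and the packet threshold are the two knobs to tune for a real network, and a capture taken on the internal side, not at the border, is what exposes an internal source.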
Cyber Threats
September 2003
- 9:30am: ISPKenya CTO receives visit from CID officer affiliated to Cyber-Crime Unit
- Visitor produces copies of email sent to various members of management with threats
- Visitor relates hijack and subsequent beating/physical harassment of managing director by persons who told him that he had "been warned"
- Perusal of email headers revealed that origin IP address for email was on ISPKenya network
- Scrutiny of IP assignments reveals that source IP is from client with leased line in Nairobi suburb
- CTO provides physical address, names of contacts and officer proceeds with investigation
- Later communication reveals seemingly successful intervention
Cyber Threats
June 2003
- ISPKenya CTO receives visit from Pipeline company IT Manager & Head of Security
- Officers relate case of offensive email
- Copy of email sent to MD, key management, entire staff and anti-corruption authority
- Email contained offensive language insulting MD and some directors
- Email contained confidential internal information
- More critically, contained information exposing major fraud
- DNS and IP address lookups revealed that email was sent from an ISPKenya client; a cyber-café situated in a densely populated residential neighborhood
- Efforts to establish true identity of sender were futile
- Note: 3 months later MD and key personnel dismissed pending investigation into misappropriation of funds and abuse of tendering process
Issues
Local legislation has not moved fast enough to encompass technology related offenses
- Evidence laws in Kenya do not provide for recognition of electronic data
- Creates legal "loopholes" that allow illegal operations
Standards for encryption, digital signatures, certification and authentication have not been recognised/embraced/implemented
Issues
Cyber-threats are among most difficult to evaluate
Similar symptoms are not always result of similar causes
Investigation is impossible without collaboration/cooperation from various players
Risk mitigation is difficult or impossible without collaboration from various players
Points to Consider
IP address lookups via Regional Internet Registries
- Online WHOIS
  Africa: http://www.afrinic.net
  North America: http://www.arin.net
  Europe: http://www.ripe.net
  Asia Pacific: http://www.apnic.net
  Latin America: http://www.lacnic.net/en/
Points to Consider
Close collaboration with national ISP association
Contacts can be facilitated by AfrISPA - [email protected]
Thanks!
Questions?