cyber crime-longwe 20-6-06

Upload: brian-munyao-longwe

Post on 06-Apr-2018

Page 1: Cyber Crime-Longwe 20-6-06

8/3/2019 Cyber Crime-Longwe 20-6-06

http://slidepdf.com/reader/full/cyber-crime-longwe-20-6-06 1/15

Kenyan Experience

Cybercrime Workshop, ILEA, Botswana

Brian Longwe – General Manager

African Internet Service Providers Association

Page 2: Cyber Crime-Longwe 20-6-06


AfrISPA

African Association of National ISP Associations

Members represent 12 out of about 30 eligible countries

Founded in 2001

Established 2002

Page 3: Cyber Crime-Longwe 20-6-06


AfrISPA Members

Botswana

DRC

Ghana

Kenya

Malawi

Mauritius

Nigeria

Rwanda

South Africa

Tanzania

Uganda

Mali

Page 4: Cyber Crime-Longwe 20-6-06


AfrISPA Objectives

1. To provide industry perspectives on policy formulation and regulation as it relates to the Internet industry and to act as an interface with Governmental bodies and the public at large.

2. To develop policies and positions in the best interest of the Members and protect and promote these interests in regional and International Fora.

3. To promote the development of key Internet Infrastructure on the Continent.

4. To promote the development of a free and open telecommunications market.

5. To facilitate the establishment of national ISP Associations in Africa and to provide common services to them.

6. To provide and promote educational opportunities that will enhance and empower technical and policy understanding of the Internet.

7. To build, maintain, and publish relevant industry data for Members.

Page 5: Cyber Crime-Longwe 20-6-06


Personal Background

14 years in Information Technology

Chief Technology Officer and Head of Technical Department for 3 different ISPs over past 11 years

– Form-Net Africa: 1995-1997

– Mission Aviation Fellowship Information Services: 1997-1999

– ISPKenya: 1999-2005

Currently providing various forms of specialised equipment and consulting services

Page 6: Cyber Crime-Longwe 20-6-06


Development of Internet in Kenya

1996 – Digital Internet access – primarily via International Leased lines (IPLC)

1998 – Jambonet (National Gateway) established by Telkom Kenya

1999 – Internet Mainstream – 80 Licensed ISPs with 40 operational

– Internet Points of Presence in 6 Major Cities/Towns

– Most Medium/Large Corporations with dedicated Internet links

Page 7: Cyber Crime-Longwe 20-6-06


Cyber Threats

June 2000

– 3am: ISPKenya helpdesk starts to receive complaints about email delays

– 3:30am: Helpdesk starts to receive calls about problems accessing websites

– 4am: Helpdesk contacts CTO about potential system-wide problems

– 4am: CTO logs in remotely, can't access most external websites

– 4:15am: CTO arrives at office and finds that primary (only) Internet link is flooded with traffic/unusable

Cisco debug reveals massive volumes of IP traffic

Cisco router shows 99%-100% CPU utilisation

Most packets have similar IP source address (remote/foreign)

Primary internet connection is flooded/can't pass traffic – dropping packets

CTO contacts Jambonet to request IP filter to block source IP address block

Within 5 minutes of implementing the filter, network goes back to normal

Diagnosis reveals successful denial of service attack originating from systems/IP addresses located in Brazil

Page 8: Cyber Crime-Longwe 20-6-06


Cyber Threats

February 2002

– 1:30am: ISPKenya helpdesk starts to receive complaints about problems with web-browsing

– 2:00am: Helpdesk starts to receive calls about problems logging in on dialup

– 2:15am: Helpdesk contacts CTO about potential system-wide problems

– 2:15am: CTO attempts remote login, can't login

– 2:30am: CTO arrives at office and finds that network is completely flooded with traffic/unusable

Cisco debug reveals normal operation

Cisco router shows 2%-6% CPU utilisation

TCPDUMP on internal network reveals broadcast storm originating from DNS server

Disconnection of DNS server from network restores normal operations, secondary DNS provides normal name resolution

– Analysis of DNS server (running Linux Redhat) reveals rootkit, most binaries replaced with tainted/modified binaries

– Further analysis reveals that un-patched version of BIND provided opportunity for compromise
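The two incidents above were told apart by where the dominant traffic came from and where it was going: a foreign source flooding the upstream link (filter at the gateway) versus a local host hammering the LAN broadcast address while the router sat idle (pull the host). The following added example, not part of the original slides, applies that triage to tcpdump-style one-line summaries; the packet lines and the 192.0.2.0/24 "local" range are constructed, and the 80% share threshold is an assumed cut-off.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Matches tcpdump's one-line IPv4 summary: "IP src.port > dst.port: ..."
PKT_RE = re.compile(r" IP (\d+\.\d+\.\d+\.\d+)\.\d+ > (\d+\.\d+\.\d+\.\d+)\.\d+:")

def triage(lines, local_net="192.0.2.0/24", top_share=0.8):
    """Classify a packet summary: one dominant external source -> ask upstream
    to filter it (June 2000 pattern); one local host flooding the broadcast
    address -> disconnect that host (February 2002 pattern)."""
    net = ip_network(local_net)
    srcs, bcast_from = Counter(), Counter()
    for line in lines:
        m = PKT_RE.search(line)
        if not m:
            continue  # non-IPv4 lines (ARP etc.) are ignored
        src, dst = ip_address(m.group(1)), ip_address(m.group(2))
        srcs[src] += 1
        if dst == net.broadcast_address:
            bcast_from[src] += 1
    total = sum(srcs.values())
    if not total:
        return {"verdict": "no IPv4 packets parsed"}
    top, n = srcs.most_common(1)[0]
    share = n / total
    if share < top_share:
        verdict = "inconclusive: traffic not dominated by one source"
    elif top not in net:
        verdict = f"external flood: ask upstream to filter {top}"
    elif bcast_from[top] / n >= top_share:
        verdict = f"internal broadcast storm: disconnect {top}"
    else:
        verdict = f"local host {top} dominating; inspect it"
    return {"top_source": str(top), "share": round(share, 2), "verdict": verdict}

# Constructed samples in documentation address ranges, not real captures.
FLOOD = [f"03:02:{i:02d}.000 IP 198.51.100.7.4{i:04d} > 192.0.2.10.80: Flags [S], length 0"
         for i in range(9)] + ["03:02:09.000 IP 203.0.113.5.51000 > 192.0.2.10.80: Flags [S], length 0"]
STORM = [f"01:40:{i:02d}.000 IP 192.0.2.53.1024 > 192.0.2.255.137: UDP, length 50"
         for i in range(9)] + ["01:40:09.000 IP 192.0.2.20.3456 > 192.0.2.53.53: 1234+ A? example.com. (29)"]

if __name__ == "__main__":
    print(triage(FLOOD))
    print(triage(STORM))
```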

Page 9: Cyber Crime-Longwe 20-6-06


Cyber Threats

September 2003

– 9:30am: ISPKenya CTO receives visit from CID officer affiliated to Cyber-Crime Unit

Visitor produces copies of email sent to various members of management with threats

Visitor relates hijack and subsequent beating/physical harassment of managing director by persons who told him that he had "been warned"

Perusal of email headers revealed that origin IP address for email was on ISPKenya network

Scrutiny of IP assignments reveals that source IP is from client with leased line in Nairobi suburb

CTO provides physical address, names of contacts and officer proceeds with investigation

Later communication reveals seemingly successful intervention

Page 10: Cyber Crime-Longwe 20-6-06


Cyber Threats

June 2003

– ISPKenya CTO receives visit from Pipeline company IT Manager & Head of Security

Officers relate case of offensive email

Copy of email sent to MD, key management, entire staff and anti-corruption authority

Email contained offensive language insulting MD and some directors

Email contained confidential internal information

More critically contained information exposing major fraud

DNS and IP address lookups revealed that email was sent from an ISPKenya client; a cyber-café situated in a densely populated residential neighborhood

Efforts to establish true identity of sender were futile

– Note: 3 months later MD and key personnel dismissed pending investigation into misappropriation of funds and abuse of tendering process

Page 11: Cyber Crime-Longwe 20-6-06


Issues

Local legislation has not moved fast enough to encompass technology related offenses

– Evidence laws in Kenya do not provide for recognition of electronic data

– Creates legal "loopholes" that allow illegal operations

Standards for encryption, digital signatures, certification and authentication have not been recognised/embraced/implemented

Page 12: Cyber Crime-Longwe 20-6-06


Issues

Cyber-threats are among the most difficult to evaluate

Similar symptoms are not always the result of similar causes

Investigation is impossible without collaboration/cooperation from various players

Risk mitigation is difficult or impossible without collaboration from various players

Page 13: Cyber Crime-Longwe 20-6-06


Points to Consider

IP address lookups via Regional Internet Registries

– Online WHOIS

Africa: http://www.afrinic.net

North America: http://www.arin.net

Europe: http://www.ripe.net

Asia Pacific: http://www.apnic.net

Latin America: http://www.lacnic.net/en/

Page 14: Cyber Crime-Longwe 20-6-06


Points to Consider

Close collaboration with national ISP association

Contacts can be facilitated by AfrISPA

– [email protected]

– [email protected]

Page 15: Cyber Crime-Longwe 20-6-06


Thanks!

Questions?