Hey Michuki,

Nice to see a thoughtful response. I will be commenting in greater detail soon, but just for the meantime here's some more food for thought.

A group calling themselves "Rwandan-Hackers" compromised the Standard Media website yesterday and published online a list of KTN Live members which included username, encrypted password and email addresses; a snippet follows:

HACKED BY RWANDAN HACKED

http://rwandan-hackers.blogspot.com/

Target:http://www.standardmedia.co.ke/
Date:09/02/2012 18:27:43
DB Detection:MySQL (Auto Detected)
Method:GET
Type:Integer (Auto Detected)
Data Base:eastand_xp
Table:ktnlive_members
Total Rows:831

username password email
007finanz d3ce7658a5c2c9f66790ed0f5d4970ad 007finanz@gmail.com
05mark 77a6bc8aedf55b28f38794e2d5b0d3a1 muniukm@yahoo.com

The complete list with close to a thousand names is at: http://pastebin.com/QCtP3AxH

Best regards,
Brian

On Sat, Feb 11, 2012 at 9:04 PM, Michuki Mwangi <michuki@swiftkenya.com> wrote:
Hi Brian, et al,
On 2/11/12 12:03 PM, Brian Munyao Longwe wrote:
Today's (last night's) hacking of the Toyota Kenya website, as evidenced by Moses Kemibaro's screenshot - http://t.co/w7RDDjfP - should serve as a wake-up call to CxOs and any organization that has a web presence or online resources.
While I agree with you, I would like to subject this to discussion.
1. There is no business-critical information sufficient to warrant the investment into securing the website. In reality, it's not like they broke into the new Toyota showroom on Waiyaki Way and got away with any car(s).
2. I would bet that the folks at Toyota don't know what percentage of their monthly sales are courtesy of their website.
3. The website is hosted at http://www.softlayer.com/ so this means it's an outsourced solution. In this case who is complacent: a. the hosting company (they provide the infrastructure/service) or b. the developer/website designer? The reason being, I do not believe that it's in Toyota's core business to be concerned about their website security, unless someone makes them see the business sense of it.
Especially as it comes hardly 2 weeks after the shameful hacking of over 103 government websites by an amateur Indonesian techie. In this particular case it turns out that all 103 sites were hosted on the same physical server - a malpractice, as far as web-hosting and system administration goes.
I am not 100% in agreement here.
1. It is not uncommon to have 103 low-traffic websites on a single server, going by the computing resources available today. After all, it's what the world of virtualization and virtual web hosting is all about.
IMHO I am pretty pleased by the fact that:
1. We have 103 Government websites - so we are making baby steps.
2. It also means that we have a resourceful sysadmin who understands virtual web-hosting and is capable of hosting 103 websites on one IP address (that we didn't know until this incident).
It is clear that the increase in online threats and cyber-security issues has a lot to do with Kenya's improved connectivity to the global Internet - with 3 submarine fiber optic cables opening the country and sub-region to cyber-criminals and pranksters alike.
+1
However, it's important that we note that the websites in discussion were hosted in two different places, i.e. the US and Kenya.
IMHO, to mainstream security, the websites will have to mean more than just online or web presence. For Govt websites, for instance, if the KRA website was hacked we can indeed expect delays in customs clearance of goods, loss of revenue collection, etc. Currently it is a matter of public image. Therefore, considering our brevity of mind, it will soon be back to business as usual.
Similarly, for many local companies, websites are like a company brochure + directory service (no pun intended). If you think I am out of my mind, compare www.toyotaea.com (the hacked site) and toyota.com. Clearly one is a brochure and the other is a salesperson. It is almost obvious that if the www.toyota.com website had a 4-hour outage, it would affect their sales target for the week, because they would be one salesperson less.
Taking into consideration that most of these companies have a PR agency that will issue a very reassuring statement after such an incident for a standard retainer.
In summary, considering that our websites are non-critical to the organization/business operations and continuity, why should we be investing so much, or, to phrase it as Brian did, why should CxOs care?
Convince me!
Mich.
--
Brian Munyao Longwe
e-mail: blongwe@gmail.com
cell: +254715964281
blog : http://zinjlog.blogspot.com
meta-blog: http://mashilingi.blogspot.com
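The paste Brian quotes has a fixed shape: a "Key:Value" header written by the injection tool (target, database, table, declared row count), a column line, and then one whitespace-separated row per account, with a 32-hex-digit value in the "encrypted password" column. The following Python is an added example and is not part of the thread, nor code from Standard Media or any other site named above. It parses a dump in that shape, reconciles the declared row count against the rows actually present, counts the exposed e-mail addresses, flags rows whose password field has the shape of an unsalted single-round digest (the accounts a defender would reset first), and beside that shows the salted, iterated storage that limits the damage when such a table does leak. The sample dump, account names, hashes and addresses are constructed; the assumption that 32 hex digits means an unsalted MD5 is an inference from shape alone, which is why the classifier only reports "md5-like".

```python
import hashlib
import hmac
import os
import re
from collections import Counter

# Constructed sample in the shape of the dump quoted in the thread (the
# tool's "Key:Value" header, a blank line, a column line, then one row per
# account). Accounts, hashes and addresses are invented. The "hacked by"
# banner lines that precede the header in the real paste are assumed to
# have been stripped before parsing.
SAMPLE_DUMP = """\
Target:http://www.example.invalid/
Date:01/01/2012 00:00:00
DB Detection:MySQL (Auto Detected)
Method:GET
Type:Integer (Auto Detected)
Data Base:example_db
Table:members
Total Rows:3

username password email
alice 0123456789abcdef0123456789abcdef alice@example.invalid
bob $2b$12$constructedBcryptPlaceholderNotARealHash bob@example.invalid
carol 0123456789abcdef0123456789abcdef01234567 carol@example.invalid
"""


def parse_dump(text):
    """Return (header dict, list of row dicts) for a dump in the shape above.

    Header lines are split on the first colon only, because the Date value
    itself contains colons. The first line without a colon is taken as the
    column line, and every later non-empty line is a whitespace-separated row.
    """
    header, rows, columns = {}, [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if columns is None:
            key, sep, value = line.partition(":")
            if sep:
                header[key.strip()] = value.strip()
            else:
                columns = line.split()
            continue
        fields = line.split()
        if len(fields) != len(columns):
            raise ValueError("malformed row: %r" % line)
        rows.append(dict(zip(columns, fields)))
    return header, rows


def classify_hash(value):
    """Guess the storage format of a password field from its shape alone."""
    if re.fullmatch(r"[0-9a-fA-F]{32}", value):
        return "md5-like"        # 32 hex digits, no salt marker
    if re.fullmatch(r"[0-9a-fA-F]{40}", value):
        return "sha1-like"       # 40 hex digits, no salt marker
    if value.startswith(("$2a$", "$2b$", "$2y$")):
        return "bcrypt"          # modular-crypt string carrying its own salt
    if value.startswith("pbkdf2_sha256$"):
        return "pbkdf2"          # the format produced by hash_password() below
    return "unknown"


def assess(text):
    """Summarise what a leaked table exposes and how the passwords were stored."""
    header, rows = parse_dump(text)
    types = Counter(classify_hash(r["password"]) for r in rows)
    return {
        "declared_rows": int(header.get("Total Rows", "0")),
        "parsed_rows": len(rows),
        "hash_types": dict(types),
        "emails_exposed": sum(1 for r in rows if "@" in r["email"]),
        # Unsalted single-round digests are the accounts most at risk once
        # the table is public; these users need a forced reset first.
        "unsalted_fast_hash_users": [
            r["username"] for r in rows
            if classify_hash(r["password"]) in ("md5-like", "sha1-like")
        ],
    }


PBKDF2_ITERATIONS = 600_000  # per-password cost; raise as hardware improves


def hash_password(password, salt=None):
    """Salted, iterated PBKDF2-HMAC-SHA256 in a self-describing string."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 PBKDF2_ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (PBKDF2_ITERATIONS, salt.hex(), digest.hex())


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; constant-time compare."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    for key, value in assess(SAMPLE_DUMP).items():
        print("%-26s %s" % (key, value))
    stored = hash_password("example-passphrase")
    print("stored form:", stored[:40] + "...")
    print("verify ok  :", verify_password("example-passphrase", stored))
```

Run it as a script and it prints the exposure summary for the constructed sample, then a stored PBKDF2 string and a successful verification. Because the salt is random, hashing the same password twice gives two different stored strings, which is precisely the property the 32-hex-digit column in the leaked table lacks: identical passwords there produce identical values, so one recognised value exposes every account sharing it.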