The local press recently carried the story of Brighton Berejena, a Zimbabwean ICT professional who acted unethically by accessing his former employer’s internet service, disabling five servers and changing some of the passwords.
As the former IT administrator for a company called Kreamorn Investment, he had all the necessary intelligence to access the company’s system and make the changes that eventually got him arrested.
While all of this might be food for thought for any disgruntled employee facing the axe because of the three-month notice tsunami and contemplating some corporate revenge (it’s not just IT administrators who can do this, by the way), the reality is that our laws will probably let you off with a light sentence.
In the Kreamorn Investment case, the accused was charged with unauthorised access to a computer network. That charge is as elaborate as the criminal code gets when it comes to the violation of private servers, data manipulation and prejudice to digital information.
The full extent of the damage he could have caused is not factored in or fully considered, because the judicial scope for cybercrime is limited. However, changes are being made to the laws around that.
While the e-Transaction Bill might have been the first to be tabled before Parliament, the draft Computer Crime and Cybercrime Bill is also being readied for legislative debate. It has been discussed by various stakeholders so far, with some stakeholders questioning the probability of its passing before a new ICT Policy is released.
This piece of law is meant to further clarify what it means to be a cyber criminal in Zimbabwe and how hard the law will come down on such perpetrators.
There are aspects that the team behind it will hopefully consider, such as the ubiquity of tools for cybercrime, the easy availability of information on how to compromise systems, and the varied motives behind cybercrime, which are not necessarily related to profit.
Revenge, as demonstrated by the Kreamorn administrator and by local examples of revenge porn, is fairly common in the world of cybercrime. We have even noted cases of advocacy instigating cybercrime. It’s not always about money for the digital criminal.
What else should the laws on Cybercrime in Zimbabwe consider?
10 comments
The guy is a fool for the actions he took in the first place, but, that said, the company is an even bigger fool for not changing generic passwords after letting him go and not disabling any of his logins from being used. In some respects they were asking for such an event to happen; it was not a matter of if it would happen but when.
Other companies should take note:
a) don’t use generic login accounts – always user specific
b) if you have to (cheap routers etc.) then always change them when staff who had access to said devices leave
c) protect remote access to restricted IPs or VPN only, so you can more quickly lock down access when you need to
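The three points in the comment above describe an offboarding check that can be automated. The following is an added illustration, not code from the article or from any commenter: it takes a constructed device inventory (device names, account names, the VPN range 10.8.0.0/24 and the departing user "alice" are all assumptions) and lists which personal accounts to disable, which shared credentials to rotate because the leaver knew them, which devices rely only on generic accounts, and which remote-admin allow-lists reach beyond the VPN.

```python
"""Offboarding access audit (added example; inventory is constructed).

Implements the commenter's three points as checks:
  a) flag devices that have only generic/shared accounts,
  b) rotate shared credentials the departing user knew,
  c) flag remote-admin allow-lists wider than the VPN range.
"""
import ipaddress

# Assumed VPN address pool; anything outside it is "exposed" remote admin.
VPN_RANGE = ipaddress.ip_network("10.8.0.0/24")

# Constructed inventory. "accounts" maps account name -> "user" (personal)
# or "shared" (generic). "shared_known_by" lists who was given the shared
# credentials. "admin_allow" lists CIDRs allowed to reach SSH/HTTPS admin.
INVENTORY = [
    {"device": "mail-srv",
     "accounts": {"alice": "user", "root": "shared"},
     "shared_known_by": {"alice", "bob"},
     "admin_allow": ["10.8.0.0/24"]},
    {"device": "edge-router",
     "accounts": {"admin": "shared"},
     "shared_known_by": {"alice"},
     "admin_allow": ["0.0.0.0/0"]},          # admin UI open to the world
    {"device": "file-srv",
     "accounts": {"bob": "user", "alice": "user"},
     "shared_known_by": set(),
     "admin_allow": ["10.8.0.0/24", "41.0.0.0/8"]},
    {"device": "cctv-dvr",
     "accounts": {"admin": "shared"},
     "shared_known_by": {"bob"},
     "admin_allow": ["10.8.0.0/24"]},
]


def _outside_vpn(cidr, vpn=VPN_RANGE):
    """True if the allowed range is not fully contained in the VPN range."""
    net = ipaddress.ip_network(cidr)
    return not net.subnet_of(vpn)


def offboarding_actions(inventory, departing, vpn=VPN_RANGE):
    """Return the concrete actions needed when `departing` leaves."""
    disable, rotate, generic_only, exposed = [], [], [], []
    for dev in inventory:
        name = dev["device"]
        kinds = set(dev["accounts"].values())
        if kinds == {"shared"}:               # point a): no named accounts at all
            generic_only.append(name)
        for acct, kind in dev["accounts"].items():
            if kind == "user" and acct == departing:
                disable.append((name, acct))  # personal account: just disable it
            elif kind == "shared" and departing in dev["shared_known_by"]:
                rotate.append((name, acct))   # point b): leaver knows the secret
        for cidr in dev["admin_allow"]:
            if _outside_vpn(cidr, vpn):       # point c): reachable off-VPN
                exposed.append((name, cidr))
    return {"disable": disable, "rotate": rotate,
            "generic_only": generic_only, "exposed": exposed}


if __name__ == "__main__":
    for action, items in offboarding_actions(INVENTORY, "alice").items():
        print(f"{action}: {items}")
```

The "exposed" list is the one that decides how fast the company can react: an allow-list of `0.0.0.0/0` means the former administrator (or anyone else) can reach the device before the rotation in "rotate" has been done, whereas a device only reachable over the VPN is cut off the moment the leaver's VPN account is disabled.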
I doubt it has anything to do with use of generic passwords.
I also highly doubt that the company is entirely to blame
Like many companies that have scaled down staff, it is most likely that he was the sole custodian and single expert in IT.
This would mean all IP and any knowledge and policies that determine security procedures (such as resetting of passwords…) could only have been determined by the very person they were firing.
Having no knowledge of the vulnerability they were exposed to by having a single IT person holding “the keys”, there was no way they could’ve predicted it.
You sound knowledgeable, young sir. However, that point b) is not feasible (even if you use “cheap” routers) for the Zimbabwean economy. What I would suggest to people looking to avoid this is to get in touch with someone knowledgeable in the InfoSec sector regarding policies on security during downsizing.
Hear! Hear!
Besides the company having relaxed security measures, it’s up to an individual to grow professionally.
To answer “What else should the laws on cybercrime in Zimbabwe consider?”: malicious hacking should be just as punishable as breaking into physical buildings. Months to years in prison.
As one wise man once said back in 1984:
https://www.ece.cmu.edu/~ganger/712.fall02/papers/p761-thompson.pdf
Why is everyone rushing to the conclusion that the former sysadmin is to blame? Am I missing something? The facts I could gather: sysadmin gets fired, then a month later the password to an internet-facing system is changed – could have been hacked by the Syrian Electronic Army for all we know. No forensic investigation and no confession, yet he gets arrested anyway.
How about mandating competent forensic investigations to be carried out before anyone gets charged? (can anyone say ‘ZRP Cybercrime Division’ with a straight face? I can’t)
It’s a long way to go.
Before the law is even passed, or maybe starting yesterday (sadly our law makers and government are busy on other things), this must have been done long ago.
Capacity building:
Our institutions of learning must have degrees in cyber crimes etc
Our judiciary system recruits appropriately
Police cyber crime unit. Kkkkkk
Not to mention cyber journalists
And more
I heard some time ago that Harare Institute of Technology is offering a degree in cyber security, but I never followed up so I’m not sure if that’s true or not
I do concur with @Tapiwa, not guilty until proven. May be the “new IT” person who took over messed up and blamed it on the retrenched guy.