Another one. Cyber security seems to be the arch-nemesis of Zimbabwe’s government institutions and, most recently, of the personal accounts of the people who run them. Last week a group going by the pseudonym Team Pachedu took the Justice Department to the cleaners, exposing how easy it was to access its private servers and retrieve case files from its archives that were never meant to be in the public domain. A couple of years ago, one of Zimbabwe’s most popular YouTube series, Wadiwa Wepamoyo, had its YouTube account compromised, losing precious YouTube revenue and its following to hackers.
Now it seems our Minister of Finance has suffered the same fate with his Twitter account. It no longer has a profile picture and is retweeting crypto content and whatever the account Cyber Kong posts. In fact, the last time the Finance Minister’s account tweeted anything relevant to Zimbabwe was on the 29th of November 2022.
The ABCs of cybersecurity
Let’s start off with personal social media accounts. You as the individual who creates the account are largely responsible for keeping it secure. There are elementary ways of doing it which we are all familiar with.
- Secure it with a password
- Ensure the password is a strong password and definitely not your name or birthday
- Avoid sharing this password
The last point is a very difficult one for big public figures, who usually do not manage their own social media accounts. They have a Public Relations team that handles their social media presence, and this team shares the credentials to the account among its members. The more people that hold these credentials, the higher the risk that any one of them becomes the entry point for such a hack.
What could have made our Finance Minister’s account a lot more secure is Two-Factor Authentication (2FA). It is an additional layer of protection on top of your strong password, just in case anyone gets hold of it. This second means of verification usually uses a completely different channel from the app you are trying to log into. These 2FA methods include:
- verification code/link via the email used when signing up for the social media account
- verification code sent via SMS
- a time-based verification code generated by a 3rd-party authenticator app
The first 2 options might not really be ideal because they would involve the Finance Minister sharing his email and access to his phone with a whole PR team. So option 3 it is. A 3rd-party authenticator app generates a code that is then required to log into the account, especially from a new device. Take this as a tip for everyone, not just the Finance Minister.
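To make the third option concrete, here is an added example (not from the original article, and not the code of any particular authenticator app or of Twitter) of how the code an authenticator app shows is actually produced. It is not random: the app and the service share a secret at enrolment (the QR code), and both derive the same six digits from that secret and the current 30-second time step, following the TOTP algorithm (RFC 6238, built on HOTP, RFC 4226). The secret below is the standard RFC test secret, embedded here as a constructed example; `verify_totp` is the server-side check, written to accept one step of clock drift either side and to compare codes in constant time.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed example secret: what an authenticator app receives when it scans the
# enrolment QR code. This is the RFC 6238 test secret, not a real account's secret;
# a real service issues a fresh random secret per account.
EXAMPLE_SECRET_BASE32 = base64.b32encode(b"12345678901234567890").decode()


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 over the big-endian
    counter, dynamic truncation to 31 bits, then the last `digits` decimal digits."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): HOTP with the counter set to the
    number of `step`-second intervals since the Unix epoch. The phone and the
    server compute the same code from the shared secret and the current time,
    which is why the code changes every 30 seconds without any network exchange."""
    secret = base64.b32decode(secret_b32, casefold=True)
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret_b32: str, submitted: str, unix_time: int,
                step: int = 30, window: int = 1) -> bool:
    """Server-side verification. Accepts the current time step and `window` steps
    on either side to tolerate small clock drift between phone and server, and
    uses a constant-time comparison so timing does not leak the expected code."""
    secret = base64.b32decode(secret_b32, casefold=True)
    step_now = unix_time // step
    for counter in range(step_now - window, step_now + window + 1):
        if hmac.compare_digest(hotp(secret, counter), submitted):
            return True
    return False


if __name__ == "__main__":
    now = int(time.time())
    code = totp(EXAMPLE_SECRET_BASE32, now)
    print("code the authenticator app would show right now:", code)
    print("server accepts it:", verify_totp(EXAMPLE_SECRET_BASE32, code, now))
    # Known RFC 6238 vector: at Unix time 59 the six-digit code is 287082.
    print("code at Unix time 59:", totp(EXAMPLE_SECRET_BASE32, 59))
```

The practical point for a shared account is that the secret only needs to live on the one enrolled device; whoever holds that device approves logins, and nobody else on the PR team has to be handed the minister's email or phone. Losing the device, or letting the secret leak, is equivalent to losing the second factor, so the recovery codes issued at enrolment should be stored as carefully as the password.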
And for organizations like the Justice Department?
Such organizations need a competent IT and network administrator who ensures that private servers are accessible by authorized personnel only. This is usually done by setting up the right firewall policies for reaching these servers. On top of that, a private server should be set up so that it is only reachable via an intranet that the organization manages, and not from the internet.
The fact that Team Pachedu was able to access that server by simply entering a URL in a browser shows that someone at the Justice Department made it reachable on the web with no form of authentication protecting it. Imagine if ongoing cases were exposed to the wrong side. Chaos!
Big organizations perform financial audits every year to secure what they value most: money. But remember, information is probably more valuable than money. Their IT infrastructure therefore requires the same level of auditing, so that the competitive advantage that comes with the information a business holds, or its integrity in safeguarding 3rd-party confidential data, is not lost to a hack that could have been avoided by something as simple as blocking internet access to a local server.
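The kind of audit the paragraph above calls for can be partly automated. The following added example (not from the article, and not a real Justice Department configuration) takes a constructed list of firewall rules, a set of servers that are supposed to be intranet-only, and flags every allow rule that lets traffic from outside the RFC 1918 private ranges reach one of those servers. The rule names, hostnames and address ranges are all made up for the example; the check itself, "does any allowed source fall outside the organization’s own address space?", is the one an auditor would run against a real rule export.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Set

# Address space an organization's intranet is drawn from (RFC 1918 private ranges).
# Anything outside these ranges is, for this check, "the internet".
INTRANET_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


@dataclass(frozen=True)
class Rule:
    name: str
    action: str     # "allow" or "deny"
    source: str     # CIDR the traffic comes from
    dest_host: str  # server the rule applies to
    port: int


def is_internal(source_cidr: str) -> bool:
    """True only if every address in the source range lies inside the intranet.
    A rule for 0.0.0.0/0 (or any public range) therefore fails this test."""
    net = ipaddress.ip_network(source_cidr, strict=False)
    return any(net.version == r.version and net.subnet_of(r) for r in INTRANET_RANGES)


def audit(rules: Iterable[Rule], internal_servers: Set[str]) -> List[Rule]:
    """Return the allow rules that expose an intranet-only server to non-intranet
    sources. Deny rules and rules for genuinely public servers are ignored."""
    findings = []
    for rule in rules:
        if rule.action != "allow" or rule.dest_host not in internal_servers:
            continue
        if not is_internal(rule.source):
            findings.append(rule)
    return findings


def harden(rules: List[Rule], internal_servers: Set[str]) -> List[Rule]:
    """Drop the offending allow rules so the default deny applies to them.
    Order is preserved because firewalls evaluate rules top to bottom."""
    bad = set(audit(rules, internal_servers))
    return [r for r in rules if r not in bad]


# Constructed sample policy for an imagined case-archive server. Hypothetical names.
RULES = [
    Rule("archive-from-lan", "allow", "10.20.0.0/16", "archive.internal", 443),
    Rule("archive-from-anywhere", "allow", "0.0.0.0/0", "archive.internal", 443),
    Rule("web-public", "allow", "0.0.0.0/0", "www.public", 443),
    Rule("default-deny", "deny", "0.0.0.0/0", "archive.internal", 443),
]
INTERNAL_SERVERS = {"archive.internal"}


if __name__ == "__main__":
    for finding in audit(RULES, INTERNAL_SERVERS):
        print(f"EXPOSED: rule '{finding.name}' lets {finding.source} reach "
              f"{finding.dest_host}:{finding.port}")
    print("rules after hardening:", [r.name for r in harden(RULES, INTERNAL_SERVERS)])
```

Running this against the constructed policy reports only `archive-from-anywhere`: the LAN rule is fine, the public website is meant to be public, and the deny rule is the safety net that the offending allow rule was bypassing. Network exposure is one half of the problem the article describes; the other half, a server that answers with no authentication at all, is an application-level setting that a firewall export will not show and has to be audited separately.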
Most hacks in Zim are not even worth being called hacks
This is a testament to how poor Zimbabweans are at cybersecurity at an individual level. Just last month there was a report that a man had ‘hacked’ NMB and transferred over ZW$700 000 from NMB customer accounts to his own. This man was a former NMB employee who was most likely able to do this because he still possessed backend credentials to the NMB system, allowing him to make the transfers.
These credentials still worked because NMB might not have a security policy on what happens to an employee’s user account when the employee leaves the company.
Team Pachedu, for their part, only did a smart Google search. No fancy tools or tricks to crack codes and whatnot; a Google search that anyone can do. They did not hack anything. What Team Pachedu did is the equivalent of saying someone robbed a house by picking the lock on the door when all they did was take the key from under the doormat.
This is all to say that the way the majority of user accounts and organizational systems are getting compromised in Zimbabwe is so elementary that it is a disservice to the term ‘hacking’. We simply have extremely poor cybersecurity measures in place as individuals, which then feeds into the level of security we implement at an organizational level. Just as a starting point, let’s all enable 2FA on our personal accounts and stop the business of using our names and birthdays as passwords.
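The policy the paragraph above finds missing is usually called leaver deprovisioning, and the control that catches lapses in it is a periodic reconciliation of the HR leavers list against the accounts that still exist on each system. The following added example (not from the article, and not NMB’s process or data) runs that reconciliation over a constructed roster and account list, flagging accounts still enabled after the leaving date, logins recorded after the leaving date, and accounts that belong to nobody on the roster. All names, dates and the `grace_days` knob are hypothetical.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Employee:
    user_id: str
    left_on: Optional[date]  # None means still employed


@dataclass(frozen=True)
class Account:
    user_id: str
    enabled: bool
    last_login: Optional[date]
    privileged: bool  # backend or admin access, as in the incident described


@dataclass(frozen=True)
class Finding:
    user_id: str
    issue: str
    privileged: bool


def audit_leavers(roster: Iterable[Employee], accounts: Iterable[Account],
                  today: date, grace_days: int = 0) -> List[Finding]:
    """Reconcile system accounts against HR. Three conditions are flagged:
    an account still enabled more than `grace_days` after the owner left, a login
    recorded after the leaving date (the credentials were actually used), and an
    account whose owner is not on the roster at all (an orphan nobody owns)."""
    known = {e.user_id for e in roster}
    leavers = {e.user_id: e.left_on for e in roster
               if e.left_on is not None and e.left_on <= today}
    findings = []
    for acct in accounts:
        if acct.user_id not in known:
            findings.append(Finding(acct.user_id, "not on HR roster (orphan account)",
                                    acct.privileged))
            continue
        if acct.user_id not in leavers:
            continue  # current employee, nothing to flag here
        left = leavers[acct.user_id]
        if acct.enabled and (today - left) > timedelta(days=grace_days):
            days = (today - left).days
            findings.append(Finding(acct.user_id,
                                    f"still enabled {days} days after leaving",
                                    acct.privileged))
        if acct.last_login is not None and acct.last_login > left:
            findings.append(Finding(acct.user_id,
                                    f"login on {acct.last_login} after leaving on {left}",
                                    acct.privileged))
    return findings


# Constructed sample data. Hypothetical people; no relation to any real employee.
HR_ROSTER = [
    Employee("alice", None),              # current employee
    Employee("bob", date(2022, 10, 15)),  # left, account never disabled
    Employee("carol", date(2022, 12, 15)),  # resignation dated in the future
    Employee("dave", date(2022, 9, 1)),   # left, account correctly disabled
]
ACCOUNTS = [
    Account("alice", True, date(2022, 11, 30), False),
    Account("bob", True, date(2022, 11, 20), True),
    Account("carol", True, date(2022, 11, 29), False),
    Account("dave", False, date(2022, 8, 30), True),
    Account("svc_old", True, None, True),  # nobody on the roster owns this one
]


if __name__ == "__main__":
    for f in audit_leavers(HR_ROSTER, ACCOUNTS, date(2022, 12, 1)):
        flag = "PRIVILEGED " if f.privileged else ""
        print(f"{flag}{f.user_id}: {f.issue}")
```

On the constructed data the report names `bob` twice (still enabled, and logged in after leaving) and `svc_old` once, while `dave`, whose account was disabled at departure, produces nothing. The privileged flag is what should drive priority: a lingering backend account is exactly the situation the article describes, and disabling it on the leaving date is the whole control.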
10 comments
I think just hacking a system should not be punishable. They should only punish one on what they do after the hack, if it is bordering on criminality. No one gets punished for looking at someone longer than is socially acceptable, and no one gets arrested for looking at what society terms a scantily dressed lady or gentleman, so why arrest or charge one for just hacking? If society had its way, they would instead want the scantily dressed to be arrested or charged. If I had my way, I would want those whose systems are hacked to be charged, maybe with negligence or something stronger. Also, do the people leading organizations know what it is to hack a system? Someone said it is akin to raping a system; hoping that is not the reason why they want the minimum sentence for rape to be 15 years in jail. To simplify the hacking issue, the IT system is like a beautiful or pretty wife, and any man who tries to propose love to her is a hacker. If all men who approached her were arrested and charged, how many men would we have with a clean record?
Mmmh that would be wrong. Almost every system will have a vulnerability that can be exploited. Some exploits are easier to find than others. Some aren’t even the fault of the system developer and might come from system dependencies like the Apache logging library that took the Java world by storm recently. Who would you charge in that case?
So if it’s not hacking, why did you title it “the minister’s Twitter has been hacked”? What is hacking?
Looking at a scantily dressed woman wouldn’t be hacking because it’s open for the public to see, just like what Pachedu did with the Google search. If you were now to try and see what’s under the scanty clothes, that would be hacking, since she won’t want you to see that without permission, and that would be harassment which can actually get you arrested. The raping a system comparison is actually a good one. Even attempted rape can land you in big trouble.
I could look at your scantily dressed wife through your bedroom window. She was going to come out of the house anyway, so there’s nothing wrong, isn’t it? 😂
The context of viewing/access is very important.
Go and just start trying to open people’s locked car doors. Then when confronted, tell them you didn’t take anything, so it’s all cool.
Oops, too bad for him. 2FA doesn’t always work; I got my Facebook account hacked with it enabled, a unique strong password and my phone off. Always having a recovery option is the best choice, because you never actually know what might happen even with all those security measures.
If you see the minister tell him that WE CAN HELP @0733623605 for a price
Good
Don’t do that
Don’t do that guys