An Indonesian hacker compromised 103 Kenyan government websites earlier this month with the aim of showing that the sites could be exploited, officials said this week.
Security experts in Kenya alerted the Computer Incident Response Team (CIRT) to the attacks after the hacker, known as "Direxer," compromised the sites on Jan. 17.
The attacks exploited a cross-site scripting vulnerability, according to Tyrus Kamau, head of security and risk at Cellulant. That vulnerability can be exploited because of "poor programming practices" and regular penetration testing by the attacker, he said.
The websites were hosted on one server and the sites had operating-system vulnerabilities, running outdated OSes, misconfigured servers and simple-to-break passwords. Analysts at ICT mailing lists suggested that some of the compromised websites were still using default passwords.
"The funny issue is the sites were running OSes that have regular updates from the developers, but if you check on these sites, the old framework is the same on all of them," said John Gichuki, an independent information security consultant.
Lack of coordination among government agencies to ensure that the sites were online as well as that vulnerabilities had been patched have led to questions about the preparedness and effectiveness of CIRT.
"As for now the CIRT team seems to be composed of people who are learners," Gichuki said, adding that the team didn't do any site imaging or "even check if the kernel was compromised."
Francis Wangusi, the acting director-general of the Communications Commission of Kenya, defended CIRT, saying that its role is to coordinate a cyber-incident response and to advise the government and private sector.
"Each stakeholder is required to implement internal network, information and data security standards in line with global best practice, server back-ups, ICT audits, application development and network infrastructure set-up," added Wangusi.
When CIRT was alerted that the government websites were compromised, Wangusi said that CCK alerted the directorate of e-government, the entity responsible for government e-infrastructure and services.
"The intended role of any CIRT is to complement whatever intelligence the government gathers from a cybersecurity point of view. In countries where it is well-established, they have a very clear and non-ambiguous mandate," added Kamau. "That is not the case in Kenya, the CIRT is yet to be felt as a recognized point of convergence."
Kenya is considered more technologically developed in the Eastern Africa region, with more affordable bandwidth compared to other countries, but failure to comprehensively address cybersecurity has exposed gaps in its policies. Kenya has no cybersecurity law, with cybercrime dealt with under the Kenya Communications Act of 2007.