The Standard Group Plc is a multi-media organization with investments in media
platforms spanning newspaper print
operations, television, radio broadcasting, digital and online services. The
Standard Group is recognized as a
leading multi-media house in Kenya with a key influence in matters of national and
international interest.
When a leading university claimed in a court that its systems were hacked into and exam results of three students altered, the lid on a bucket of rumours was lifted. Would the university have admitted to the hacking had it not been taken to court? How many of such incidences go unreported? Hashtag sought to unearth why research puts Kenyan students fourth on the list of top hackers in Africa.
The High Court, last month, concluded a year-long exam malpractice case at Kenyatta University. The judgment read on January 24, 2018, saw Losem Naomi Chepkemoi, a student, walk away triumphant after the court declared that the university had dealt with her unfairly.
Naomi launched a legal fight against KU last year when she received a discontinuation letter from the university citing her involvement in an exam irregularity that saw her doctor her exam results.
Naomi who failed to graduate with her classmates in December 2016 told the court that she was only ten days away from obtaining Bachelor of Science degree in Foods, Nutrition and Dietetics when the university slapped her with a suspension letter. According to the university, Naomi had failed to explain before a disciplinary panel why five units in which she had scored D had been changed to A.
She maintained before the court that being neither an employee of the university nor the administrator of its website, she had no access and capacity to tamper with the website.
According to information that was provided on the Kenya Law website, Naomi told the court that according to the results posted in the university’s web site, she passed all the units, except two in her second and third year. She retook the two units and passed.
Responding to the charges before Justice George Odunga, however, KU said that Naomi’s results had been altered using the password of a Mr Alphonse Wafula on October 7, 2017. KU further said that the same password had been used to doctor results of two other students.
Among other reasons the court gave in ruling in favour of Naomi was the assertion that the university failed to provide evidence that Naomi had indeed committed examination malpractices.
“Section 4(3) (g) of the Fair Administrative Action Act, makes it mandatory for the administrator to supply evidence. The respondent blatantly ignored this statutory obligation,” reads the judgment in part.
Hence the court ordered KU to pay the amount Naomi had spent in the suit as well as costs of other damages. Naomi had asked the court to order nullification of her discontinuation as well as award her Sh10 million compensation for violation of her rights.
The fact that KU claimed that its systems had been hacked before the court raises questions over the number of such cases that go undetected, not just at the university in question, but across learning institutions in Kenya.
Low investment in security
IT services and business consulting firm Serianu released a report that indicated that organisations hardly invest in security related issues. According to the report, dubbed Kenya cyber security 2016, 96 per cent of organisations spent less than Sh500,000 annually or none at all on cyber security related products.
The report further indicates that a negligible percentage of cybercrime is handled the legal way as only three per cent of reported cyber-crimes are successfully prosecuted.
Speaking to Hashtag about the hacking claims, Benson Kimotho an Information Technology student at JKuat pointed fingers a group of senior, computer savvy, students as the main culprits.
“Not anybody can hack just because they are studying an IT course. Hacking is done by a group of students mostly in the third and fourth year of study who are very good at it. I have no details of what they exactly make out of it but it must be quite a good sum. Hacking the JKuat system, after all, is not a joke,” Kimotho says.
Kimotho says students cornered by exam timelines have also fallen into the temptation to hack the exam system. He recalls a time early last year when the JKuat exam system was hacked into and a whole common course database crashed.
Kimotho narrates that the HIV/AIDS and Communication Skills course which was done and submitted online also had a deadline. Other students who could not beat the deadline accessed the records of those who had submitted their scripts and erased everything.
“It was terrible. The hackers had a field day as we had to re-sit the paper again,” Kimotho says.
Hacker’s confession
Hashtag also spoke to a second-year student hacker pursuing Actuarial Science at Maseno. The student who sought anonymity claims to have carved a niche among the university’s known top hackers as a freshman.
“There are about 12 of us. About eight are on top of the game and only they can crack into the university exam system,” the student says.
He says most hackers access the university system to make money out of the Internet connectivity that the university purchases from different network providers.
“The different tariffs have varied proxy servers and depending on the route channel; a good hacker can be able to bypass a given security,” he says. He says that once a hacker accesses the channel code of a given provider given to the university system, they use it to access Internet connectivity which they sell to students at Sh1,000 or more per student.
“We are always careful not to overuse it because the network provider can easily detect it and change settings, which take time to hack into,” he says.
He says that other hackers run cyber cafes near or within they school and use the Internet to download huge portable documents and videos.
According to the student, Maseno University exams system is one of the most difficult to hack into because each school offers IT classes with technicians who monitor the systems regularly.
East Africa Data Handlers CEO, George Njoroge points out that most institutions are not doing enough to prevent the hacking menace. According to Njoroge, most university system administrators don’t perform an overhaul on detected vulnerabilities and never update new security features on their systems.
“Obsolete software running on the windows servers lack updates. This makes them vulnerable,” Njoroge says.
He says that most universities lack the Bring Your Own Device policy where a student reports to the IT department to have his Media Access Control (MAC) address uploaded on the database.
Otherwise, he says, the department would easily monitor malicious activities done by rogue students.
According to the IT expert, MAC filtering reduces the chances of a student committing crime using his personal computer.
He says that malicious students also send phishing mail (in an attempt to obtain sensitive information) to various departments purporting to be asking for solution to a certain problem.
The recipient of such malicious mail unknowingly clicks an embedded link and automatically triggers the attack that obtains important details such as usernames and passwords of a certain lecturer. This gives them access to a target exam portals to manipulate the grades.
According to Njoroge, hacking is becoming simpler everyday owing to hacking tools that are easily available online, including tutorials which are easily available on instant messaging platforms such as Telegram.
“The rate at which the students are accessing these tools is uncontrollable but the institutions can defend these attacks if they adhere to simple security measures and policies,” he says.
