Cyber Crime, Cyber Security

The Computer and Cybercrimes Bill: A step in the right direction 0 1868

Avatar
  • President Uhuru Kenyatta approved to criminalize cyber offences such as computer fraud, cyber-stalking, child pornography and unauthorized access to computerized systems.
  • Cybercriminals have identified the Kenyan digital economy as a thriving ecosystem with questionable resilience against cyber-attacks.
  • Every offence found under the Computer and Cybercrimes Bill which occurs to protected computer systems attracts a twenty-five-year imprisonment term, twenty-five million shillings or both
The Computer and Cybercrimes Bill

Chaired by President Uhuru Kenyatta on April 6th, 2017, the Cabinet approved the details that criminalize cyber offences such as computer fraud, cyber-stalking, child pornography and unauthorized access to computerized systems.

The latter highlights the Government’s concern regarding the escalated cybercrime risk within the region. Per a 2016 Cybersecurity Report published by Serianu, a whopping $175 million has been pilfered from Kenya’s economy by savvy cybercriminals who have identified the Kenyan digital economy as a thriving ecosystem with questionable resilience against cyber-attacks.

The Computer and Cybercrimes Bill has been drafted with the following legislative objectives; to protect the confidentiality, integrity and availability of computer systems, programs and data; prevent the unlawful use of computer systems; facilitate the investigation and prosecution of cybercrimes; and to facilitate international co-operation in the achievement of the Bill’s objectives.

A perusal of the Bill will demonstrate that it is vastly grounded on the Articles present in the Budapest Convention on Cybercrime passed by the Council of Europe in 2001. This action highlights Kenya’s legislators’ conviction to ensure that the Kenyan digital economy achieves international standards in terms of protection against local and foreign cybercriminals, their dedication towards enabling litigation support for victims and the successful prosecution of cybercriminals.

The following is a summary of the pros and cons of the Bill, as well as our suggestions as to how to best improve the drafting and implementation of the Computers and Cybercrime Bill.

The Pros of the Bill

 Utilisation of the Mutual Legal Assistance Act (2011)

The utilisation of this legislation should be regarded as a rare show of legislative innovation, designed to specifically remedy the lack of reciprocal legal instruments present to combat the globalisation of cybercrime and its effect in Kenya.

The concept of mutual legal assistance was best outlined in the Budapest Convention on Cybercrime (2001) , whereby, under Article 25, signatory States should afford one another mutual assistance to the widest extent possible for the purpose of investigations or proceedings concerning criminal offences related to computer systems and data, or for the collection of evidence in electronic form of a criminal offence.

According to the Mutual Legal Assistance Act (2011), it is essential to note that the scope of legal assistance is particularly wide with obligations that are designed to inflict fear upon any cyber criminal’s defence attorney worth his salt.

They include:

  • Identifying and locating of persons for evidential purposes,
  • Examining witnesses;  
  • Providing, including formal production where necessary, originals or certified copies of relevant documents and records, including but not limited to government, bank, financial, corporate or business records; 
  • Facilitating the voluntary attendance of witnesses or potential witnesses in a requesting state;
  • Facilitating the taking of evidence through video conference;
  • Effecting a temporary transfer of persons in custody to appear as a witness;
  • Identifying, freezing and tracing proceeds of crime; 
  • The recovery and disposal of assets; 
  • Preserving communications data;
  • Interception of telecommunications and conducting covert electronic surveillance.

Central to the cybercrime prosecution agenda is the preservation of communications data in order to facilitate collection of evidence and investigations, interception of relevant telecommunications and conducting electronic surveillance which have been outlined in Section 31 of the Computer and Cybercrimes Bill.

Per Section 31 of the Mutual Legal Assistance Act (2011), the requesting State can request for the preservation of the subscriber information traffic data or any other information falling within the definition of communications data, as long as it can demonstrate the relationship which that data has towards the investigation or prosecution, to the requested State. Aptly, there exists a caveat where the Requested State can reject the request if its fulfilment can prejudice the security, international relations, or other essential public interests of Kenya.

The interception of telecommunications relevant to demonstrated investigations or prosecutions is of immense importance for the prosecution of transnational cyber crimes. In accordance with Section 27 of the Mutual Legal Assistance Act, requested States can fulfil a request for the interception and immediate transmission of telecommunications as well as the interception, recording and subsequent transmission of telecommunications.

In the realm of cybersecurity, incidence response time is fundamental as it enables information security teams to block the culprit’s access to the system, collect data regarding the means used to access the hacker and appropriately reverse-tunnel the hacker’s path in order to collect evidence and hopefully identify the hacker via the culprit computer’s IP address for litigation purposes.

Notably, the speed which interception and identification of the method and culprit occurs ultimately determines the success of a cybercrime suit in a court of law. This is because the collection of admissible evidence in the modern era has been obscured by numerous hacking ploys such as botnet technology, file-less malware and the infamous onion router used by cyber criminals to mask their identities.

As such, due to the simple inadmissibility of evidence collected against perpetrators, numerous cyber criminals go scot-free after pocketing millions.

Similarly, covert surveillance has been sanctioned in accordance with the tenets of Section 32 of the Mutual Legal Assistance Act.

Fundamentally, this clause is centrally dependent on the Requested State’s legislation. In States, where covert surveillance is permitted by the Government, cyber criminals could be spied on and sufficient evidence collected to put them behind bars.

However, the constitutional right to privacy in certain jurisdictions could be violated if this clause is improperly applied.

The differentiation between critical infrastructure and other networking systems

Through Section 10 of the Computer and Cybercrimes Bill, enhanced penalties for critical infrastructure has been incorporated into cybersecurity policy. According to the Bill, “a protected computer system” has been defined as a computer system used directly in connection with, or necessary for:

  • The security, defence or international relations of Kenya;
  • The existence or identification of a confidential source of information relating to the enforcement of a criminal law;
  • The provision of services directly related to communications infrastructure, banking and financial services, payment and settlement systems and instruments, public utilities or public transportation, including government services delivered electronically;
  • The protection of public safety including systems related to essential emergency services such as police, civil defence and medical services;
  • The provision of national registration systems; 
  • Or such other systems as may be designated by the Cabinet Secretary in the manner or form as the Cabinet Secretary may consider appropriate.

Every offence found under the Computer and Cybercrimes Bill which occurs to protected computer systems attracts a twenty-five-year imprisonment term, twenty-five million shillings or both.

Due to the nature of data stored in critical infrastructure (therein renamed protected computer systems), the risks for Kenyan citizens is particularly immense.

Sensitive data can be used by vindictive cybercriminals to extort military information, steal finances and in certain events, affect the democratic governance structures of a People.

As such, the punitive penalties instigated against cyber criminals in Section 10 should be commended.

The inclusion of cyberstalking and cyber-bulling as an express offence:

Section 14 of the Bill has defined the crimes of cyber-stalking and cyber-bulling as express offences.

Cyber stalking and cyber-bullying have been collectively defined as an occurrence where a person who, individually or with other persons, wilfully and repeatedly communicates, either directly or indirectly, with another person or anyone known to that person, commits an offence, if they know or ought to know that their conduct is likely to cause those persons’ apprehension or fear of violence to them or damage or loss on that persons’ property; or detrimentally affects that person.

The appurtenant fine for the latter offence is a fine not exceeding twenty million shillings or to imprisonment for a term not exceeding ten years, or both.

Society should pen this as another win for feminism. The impact of cyber-bulling is particularly significant among girls. Per a Report regarding cyber-violence against women and girls, published by The United Nations Broadband Commission for Digital Development Working Group on Broadband and Gender, about 73% of women and girls are abused online.

This policy should enable women to safely adopt and engage with technology, much to the benefit of our thriving ecosystem.

Confiscation and Forfeiture of Assets

Per Section 17 of the Bill, cybercrime will no longer pay.  According to the Bill, a court may order the confiscation or forfeiture of monies, proceeds, properties and assets purchased or obtained by a person with proceeds derived from or in the commission of an offence therein.

Further, the court may, on conviction of a person for any offence under this Act make an order of restitution of any asset gained from the commission of the offence, in accordance with the provisions and procedures of the Proceeds of Crime and Anti-Money Laundering Act, 2009.

Restitution is particularly punitive for cyber criminals, as it is a gain-based form of recovery which can be applied by the Kenyan court of law. Restitution essentially orders the defendant to give up his/her gains to the claimant. It can be contrasted with compensation where the court orders the defendant to pay the claimant for his or her loss.

Essentially, if the Bill were in force during the occurrence and Alex Mutuku were convicted of any offence under therein, he would have to “indemnify” the Kenya Revenue Authority of the missing 4 billion shillings sourced from the cyber-heist.

Penalties for Misuse of Powers by Investigative Officers

Under Section 28(2) of the Bill is a rare piece of legislation which cautions authorised persons or police from misusing the powers accorded to their office by the Bill, the latter penalty amounts to a fine not exceeding five million shillings or to imprisonment for a term not exceeding three years, or to both.

Section 28(2) of the Bill serves as an essential check towards the arbitrary abuse of the investigatory powers of the government, thus protecting the essential constitutional rights of privacy and consumer rights.

Cons of the Bill:

Numerous violations of the principle of legal certainty:

An apt reading of the Bill reveals numerous instances whereby the principle of legal certainty has been grossly violated and could pose numerous risks to the adoption of rule of law within Kenya’s digital ecosystem.

The concept of legal certainty can be defined as a principle which holds that the law must provide those subject to it with the ability to regulate their conduct. The legal system needs to permit those subject to the law to regulate their conduct with certainty and to protect those subject to the law from arbitrary use of state power.

This is particularly evident within the prior discussed Section 14 regarding cyber stalking and cyber-bulling, wherein it has been described as a defence to a charge of an offence if the person establishes that: the conduct was pursued for the purpose of preventing or detecting crime; the conduct was pursued under any enactment or rule of law or to comply with any condition or requirement imposed by any person under the enactment; or in particular circumstances, the conduct was in the public interest.

Note that the “particular” circumstances have not been defined by the Bill, creating an immense void that could lead to the violation of the constitutional right of privacy accorded to Kenyan citizens via covert surveillance as well as online harassment by the authorities.

Suggested Statutes:

Mandatory Breach Notification:

Emulating the impending General Data Protection Regulation in the EU as well as the Digital Privacy Law in Canada, the Kenyan digital economy could benefit immensely from ensuring that there exists mandatory notification of breach occurrences by organisations handling personal or sensitive data to a given supervisory authority.

The threshold should essentially be breaches which could lead to significant harm. In Canada’s PIPEDA (Personal Information Protection and Electronic Documents Act) ‘significant harm’ includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on credit records and damage to or loss of property.

In determining whether the risk threshold is met, the organisation must consider: the sensitivity of the personal data that has been exposed; the probability that the personal data has been, is being or will be misused; and any other factors that the government prescribes.

Cybercriminals thrive on the siloed efforts of numerous attacked institutions as they collaborate to come up with more innovative means to compromise security systems. Breach notification eliminates the clandestine manner through which hacks are handled and enabled synergised efforts towards the prevention of cybercriminal activity as well as their prosecution.

24/7 Network:

Under Article 35 of the Budapest Convention on Cybercrime, the Council of Europe necessitated States to designate a point of contact available on a twenty-four hour, seven-day-a-week basis, in order to ensure the provision of immediate assistance for the purpose of investigations or proceedings concerning criminal offences related to computer systems and data, or for the collection of evidence in electronic form of a criminal offence.

Such assistance should include facilitating, or, if permitted by its domestic law and practice, directly carrying out the following measures: the collection of evidence, the provision of legal information, and locating of suspects, the preservation of data and the provision of technical advice.

The latter enables expeditious incidence response, collection of evidence and location of users which ultimately leads to the conviction of cyber criminals.

Previous ArticleNext Article

Secure Videoconferencing: The Basics 0 1115

Avatar
Woman working at home on laptop

With COVID-19 concerns canceling face-to-face meetings, be aware of the security risks of videoconferencing and how to easily overcome them

As a way of controlling the spread of the COVID-19 pandemic, several countries have been forced to impose a lockdown on its citizens bringing normal operations to a near stand-still. Consequently, a considerable percentage of the working population has turned to remote working, a chunk of it for the first time.

This has spiked up the demand for video conferencing services, chat systems, and online collaboration tools to serve the increasing number of students, employees, and teachers, among other experts working from home.

By 11th March 2020, Kentik―a San Francisco network operator— had achieved a 200% increase in video traffic within the provided working hours in Asia and North America. Even before the start of the official lockdown in California.

In the same vein, the UK Prime Minister chaired a cabinet meeting via zoom, which communicated the government’s appeal for social distancing through the use of video conferencing. His actions, however, brought about several questions regarding the security of the communication.

But with a quick rejoinder, the UK’s National Cyber Security Centre pointed out that such communications shouldn’t cause any worries if they are below particular classifications. Accordingly, companies have developed confidence in the technology; therefore, are utilizing it to communicate with their remote workers.

Nevertheless, as an employee (or typical user), you need to understand the technology’s built-in security options, as well as control features before using it. Here we provide you with some primary considerations. Let’s dig in!

Your immediate surroundings

For you to realize a smooth and quality video conferencing experience, it is essential to cordon off your working space to prevent in kind of interruptions that might occur while in session; for instance, from your kids, better half, or even pets.

Besides, ensure that your working area is devoid of any sensitive or confidential information/material that can be captured by the camera.

Limit access

As you may be aware, a lot of video conferencing platforms allow the creation of multiple user groups to enable the providence of internet domain according to specific criteria; for instance, the use of company email address to join a video call.

Or offer access to a limited number of people whose email addresses have been invited or scheduled for a call.

As such, when creating a meeting, you can enable the set a meeting password option that creates a randomly generated code for your invitees to input before joining a conversation. Similarly, you can authenticate those using phones by the use of a numerical password. However, avoid embedding the password in the meeting link.

As an organizer, you can hold your participants in a “waiting room,” as you approve them one by one, which gives you full control over whom to allow or deny access. In case you have a large conference, you can delegate such duties to your trusted attendees.

File transfers and communication over the net

As a rule of thumb, always ensure that your end-to-end communication is encrypted. Do not assume that this option is the default for video calls since a few services may require you to request encryption.

If the third-party endpoint client software is permitted, ensure it abides by the requirements of the end-to-end encryption.

What’s more, consider limiting the types of documents you can send across the net; for instance, avoid transferring executable files.

Manage the attendees, as well as the engagement process

Often, your attendees will be distracted by notifications, pop-ups, and emails, among other things, when attending your conference calls. Therefore, as a host, you can request notification from your service provider if your conferencing client isn’t the primary or active window (depending on your platform). For instance, if you are a tutor, you can use this feature to get the attention of all your students.

You can also monitor those who joined the call by downloading the attendee list at the end of the call. Or request attendees to register before being connected.

Limit screen sharing capabilities

As the host, the sole responsibility of controlling screen sharing remains only yours, unless you delegate it to someone else that you trust. This eliminates any chances of an individual sharing content by mistake.

Importantly, only share the required application rather than the whole desktop when screen sharing. This is informed by the fact; even the name of a file or Icon can divulge sensitive company information.

Final thoughts

To ensure the security of your company communications, take time to consider all the available options security settings on your video conferencing system (or one you intend to use) settings. Importantly, take a look at the privacy policy of the service you intend to use to prevent the selling, sharing, collection, or re-use of your data.

In case you require more advice and endpoint client software for your video conferencing needs, then ESET has been here for you for over 30 years. We want to assure you that we will be here to protect your online activities during these uncertain times, too.

Protect yourself from threats to your security online with an extended trial of our award-winning software.

Try our extended 90-day trial for free.

Coronavirus con artists continue to thrive 0 1046

Avatar
Man working on laptop

The scam machine shows no signs of slowing down, as fraudsters continue to dispense bogus health advice, peddle fake testing kits and issue malware-laced purchase orders

As the Coronavirus pandemic continues to escalate, more companies are now shifting to remote work as a way of containing the spread of the disease. Similarly, lockdowns and travel bans, among other stringent measures, have become the order of the day across several nations. And to worsen the situation, there is a massive shortage of the required medical kits.

Such a crisis provides fraudsters undue advantage over a vulnerable lot that is financially destabilized, as well as emotionally drained as a result of the pandemic. 

In this case, you would likely receive fake updates regarding the pandemic, as well as non-existent offers for personal protective equipment, among others. Likewise, if you’re a business, you would certainly receive faux purchase orders and payment information.

Fortunately, as a follow up to our previous article about the ways scammers are exploiting coronavirus fears, we provide you with a few examples of the new campaigns aimed at stealing your money or personal information. To enable you to keep your guard up. Shall we?

Fake news/information

As the virus continues to escalate, more people are currently searching for practical information on how they can protect themselves. As a result, scammers have conveniently positioned themselves as the true COVID-19 information “crusaders” by impersonating well-known health organizations, such as the World health organization.

Don’t act surprised if you receive an email (containing an attachment) supposedly coming from a reputable health organization offering you “vital information” on how you can protect yourself from the disease.

For instance, our research team identified one such file containing a Trojan designed to steal personal credentials.

Apart from the WHO, fraudsters are also impersonating the US Centers for Disease Control and Prevention (CDC). Accordingly, the FBI has given a warning about scummy emails mainly riddled with malware-infested attachments and links purporting to originate from the CDC.

 To reduce the number of people falling for such schemes, the WHO shares examples of its official email addresses and methods of communication on its website.

Urgent purchase orders and late payments

Owing to the increased pressure from governments to reduce the spread of the virus, Companies, as well as factories, have been forced to streamline their operations according to the current situation. As an example, companies to integrate work from home modules, while factories to either increase or reduce their production capacities depending on their products.

Such erratic changes have brought about a climate of uncertainty that offers fraudsters a thriving environment.

In this case, as a factory owner or executive, be on the lookout for “urgent purchase orders” from “company representatives.” Since this fake orders come from scammers who want to make a kill out of your desperation of making some revenue before things go south.

Sadly, if you download such “urgent orders” (usually in attachments), your PC will be installed with malicious code designed to steal your details.

Below is an excellent example of such an “urgent order”:

Similarly, you would receive a “proof of payment” for you to take care of the order. However, like the last example above, instead of receiving a bank statement, the attached document contains a Trojan injector.

High demand products

A massive increase in demand compounded with an inadequate supply for essential protective items, such face masks has created another avenue for scams.

A typical example of such a scam involves a fraudulent site that is offering “OxyBreath Pro” face masks at a reduced price. These can lure you since there is a shortage of masks, and what is available is highly-priced.

However, if you click on the provided links, you’ll be at risk of exposing your sensitive personal information to the scammers.

Bogus testing gear

The unavailability or short supply of medical kits for testing folks for the virus has also attracted fraudsters in droves.

For instance, the existent low supply of masks, respirators, and hand sanitizers, among other necessities, has prompted scammers to impersonate medical officials.  So that, they can provide non-existent or fake COVID-19 test kits, as well as illegitimate “corona cures.”

As an illustration, more than 2000, links associated with fake coronavirus products have already been identified. Similarly, law enforcement bureaus alongside other relevant bodies have been able to seize US$ 13 million worth of potentially hazardous pharmaceuticals.

To contain these despicable actions, the U.S. Food and Drug Administration (FDA) has issued warnings that it hasn’t allowed the sale or purchase of coronavirus self-testing kits; therefore, it is currently bursting such sellers.

Final thoughts

In a wrap, what we have shared is a representative of the many current fraudulent campaigns doing rounds in our media spaces due to the prevailing situation.

Thus, it is critical to maintaining high alertness to avoid falling victim to both the COVID-19 pandemic, as well as the ensuing scam epidemic escalating through the internet. To keep yourself safe from the scams, you can practice the following basics:

  1. Avoid downloading files or clicking on links from unknown sources
  2. Never fall for unrealistic offers or order goods from unverified suppliers. You may also make a point of checking out the purported vendor’s reviews
  3. Invest in an excellent endpoint solution which can shield you from phishing attacks, as well as other forms of scams
  4. If an email suggests coming from a reputable organization, double-check with the firm’s website to confirm its authenticity

If you require consultation, as well as endpoint solutions for your cybersecurity needs, then ESET has been here for you for over 30 years. We want to assure you that we will be here to protect your online activities during these uncertain times, too.

Protect yourself from threats to your security online with an extended trial of our award-winning software.

Try our extended 90-day trial for free.