It’s fitting that on the day we are celebrating Computer Security Day we talk about the hacking of UZ. It is reported that one Martin Magomana (36) unlawfully gained access to the University of Zimbabwe (UZ) computer network recently. We are not sure how much access he had and so cannot know the full extent of his activities.
Martin himself works at the Zimbabwe National Geospatial and Space Agency, and you will remember that they are located on the UZ premises.
Before proceeding we should note that in Zimbabwe we believe in ‘innocent until proven guilty.’ So Mr Magomana is innocent as of right now. He was arraigned before a magistrate but is out on bail. Cases like this are the ones the Cyber Bill seeks to address, as it outlines an appeals process, offences and penalties, and regulations.
What happened?
UZ has an online platform where students can apply for accommodation. What the State is alleging is that Martin gained access to the UZ’s computer network and could edit information on that accommodation platform.
Once he had that access he proceeded to approach students who were seeking accommodation and charged them between US$40 and $60 to secure it. He is said to have done this between October and November 2021. All in all, he allegedly pocketed over US$3000 from the 64 students he offered the service.
How did he gain access?
It was a simple case of ‘human hacking.’ We don’t know yet exactly how he did it, but we know that he somehow got the sign-in credentials of a UZ employee who had access to that accommodation platform.
This is the bane of all systems administrators worldwide. You can secure a system as best you can, but all of that can be undone by the humans you have to trust with sign-in credentials.
WhatsApp may be end-to-end encrypted and all that, but if a user leaves a phone unlocked and I gain access to their messages, it doesn’t matter what 64-bit encryption protocol they use. A chain is only as strong as its weakest link, as they say.
So, the best thing to do to secure your systems might actually be to educate your employees. Stuff like: do not write your passwords down, remember to log out when you’re done, make sure no one can see what you’re typing when you input your password, etc.
How did Martin get caught?
One student he had allocated a room to went to the Accommodations Officer to get confirmation that he had indeed been allocated the room. The admissions crew investigated the matter and found that he had been fraudulently allocated the room. That’s when they saw that 63 other students had been allocated accommodation by the same actor.
When applications are received, a panel decides who gets accommodation and updates the register accordingly; only then is the computer system updated. So they have a record of who they have chosen that is separate from the computer system, and double checking is not that hard.
It may just be because the account Martin used did not have authority to allocate accommodation that they found this out. Either way, he was caught. We don’t know but Martin probably felt like, ‘mfana ane dzungu’ as the student seeking confirmation exposed the whole deal.
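The two checks described above, comparing the system’s allocations against the panel’s separate register and looking at which account wrote each record, are easy to automate. The following is an added example, not code from UZ or from the article, using constructed sample data and made-up account and student names. It reports allocations that are not on the register, rooms that differ from the panel’s decision, register entries that never made it into the system, and records written by an account that has no allocation authority, then tallies the flagged records per account so a single actor behind many bogus allocations stands out:

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Allocation:
    """One row from the accommodation system (constructed structure)."""
    student_id: str
    room: str
    allocated_by: str  # account that wrote the record


# Constructed sample data; these are not real UZ records or accounts.
PANEL_REGISTER = {          # the panel's off-system decision list
    "S001": "NH-12",
    "S002": "NH-14",
    "S003": "SH-03",
    "S004": "SH-04",        # approved by the panel, never entered in the system
}
AUTHORISED_ALLOCATORS = {"accom_officer"}  # accounts allowed to allocate rooms

SYSTEM_RECORDS = [
    Allocation("S001", "NH-12", "accom_officer"),
    Allocation("S002", "NH-14", "accom_officer"),
    Allocation("S003", "SH-05", "accom_officer"),  # room differs from the register
    Allocation("S777", "NH-20", "records_clerk"),  # not on the register, wrong account
    Allocation("S778", "NH-21", "records_clerk"),  # not on the register, wrong account
]


def reconcile(register, records, authorised):
    """Return (finding_kind, item) pairs for every discrepancy found."""
    findings = []
    seen = set()
    for rec in records:
        seen.add(rec.student_id)
        expected_room = register.get(rec.student_id)
        if expected_room is None:
            findings.append(("NOT_ON_REGISTER", rec))
        elif expected_room != rec.room:
            findings.append(("ROOM_MISMATCH", rec))
        if rec.allocated_by not in authorised:
            findings.append(("UNAUTHORISED_ACCOUNT", rec))
    # Panel decisions that never reached the system are also worth a look.
    for student_id in register:
        if student_id not in seen:
            findings.append(("MISSING_FROM_SYSTEM", student_id))
    return findings


def suspects_by_account(findings):
    """Count distinct flagged records per writing account."""
    flagged = {item for _, item in findings if isinstance(item, Allocation)}
    return Counter(rec.allocated_by for rec in flagged)


if __name__ == "__main__":
    results = reconcile(PANEL_REGISTER, SYSTEM_RECORDS, AUTHORISED_ALLOCATORS)
    for kind, item in results:
        print(f"{kind:22} {item}")
    print("flagged records per account:", dict(suspects_by_account(results)))
```

Run routinely (say, nightly), a report like this would have surfaced the extra allocations without waiting for a student to walk into the Accommodations Officer’s door. The per-account tally is the part that matters for the investigation: one compromised account writing dozens of records that the panel never approved is the pattern described in this story.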
The messages he exchanged with students soliciting money were then brought to light, and he was promptly located and charged. My man had left a clear paper trail of his whole operation, so it shouldn’t be hard for the prosecution to get a conviction.
In closing
What happened to the UZ could happen to any organisation. Human hacking (social engineering) is much easier than system hacking and so criminals may choose this route more and more. That one employee who still clicks on links telling them they won US$10000 online should be the priority of the IT department. Education, education, education.
For the victims in this story, the lesson is to stick to official channels when procuring anything, if it can be helped of course. You should be suspicious of the guy outside a manufacturer’s door selling the same goods as inside at a discount.
What’s your take?