Another one. Cybersecurity seems to be the arch-nemesis of Zimbabwe’s government institutions and, most recently, their personal accounts. Last week a group going by the pseudonym Team Pachedu took the Justice Department to the cleaners, exposing how easy it was to access its private servers and collect private cases from archives that were not meant to be in the public domain. A couple of years ago, one of Zimbabwe’s most popular YouTube series, Wadiwa Wepamoyo, had its YouTube account compromised, losing precious YouTube revenue and its following to hackers.
Now it seems our Minister of Finance has suffered the same fate with his Twitter account. It no longer has a profile picture and is retweeting crypto content and whatever the account Cyber Kong posts. In fact, the last time the Finance Minister’s account tweeted content relevant to Zimbabwe was on the 29th of November 2022.
The ABCs of cybersecurity
Let’s start off with personal social media accounts. You as the individual who creates the account are largely responsible for keeping it secure. There are elementary ways of doing it which we are all familiar with.
- Secure it with a password
- Ensure the password is a strong password and definitely not your name or birthday
- Avoid sharing this password
The last point is a very difficult one for big public figures, who usually do not manage their own social media accounts. They have a Public Relations team that handles their social media presence, and the members of this team share the credentials to the account. The more people who have these credentials, the higher the risk that any one of them becomes the entry point for such hacks.
What could have made our Finance Minister’s account a lot more secure is Two-Factor Authentication (2FA). It is an additional layer of protection on top of your strong password, just in case anyone gets access to it. This second verification step usually uses a completely different platform from the app you are trying to log into. These 2FA methods include:
- verification code/link via the email used when signing up for the social media account
- verification code sent via SMS
- verification code randomly generated from a 3rd party authentication app
The first 2 options might not really be ideal because they involve the Finance Minister sharing his email and access to his phone with a whole PR team. So option 3 then. A 3rd party authenticator app can be used to generate this code, which is then required to log into the account, especially on a new device. Take this as a tip for everyone, not just the Finance Minister.
And for organizations like the Justice Department?
Such organizations need a competent IT and networking administrator who ensures that private servers are accessible to authorized personnel only. This is usually done by setting up the right firewall policies for accessing these servers. On top of that, a private server should be set up in such a way that it is only accessible via an intranet that the organization manages and not on the internet.
The fact that Team Pachedu was able to easily access that server by just entering a URL in a browser shows that someone at the Justice Department made it accessible on the web with no form of authentication to protect it. Imagine if ongoing cases were to get exposed to the wrong side. Chaos!
Big organizations perform financial audits every year to secure what they value, which is money. But remember, information is probably more valuable than money. So their IT infrastructure requires that same level of auditing. The aim is to ensure that the competitive advantage that comes with the information held by the business, or the integrity of the business in securing 3rd party confidential data, is not lost to a hack that could have been avoided by something as simple as blocking internet access to a local server.
Most hacks in Zim are not even worth being called hacks
This is a testament to how poor Zimbabweans are with cybersecurity at an individual level. Just last month there was a report that a man had ‘hacked’ NMB and transferred over ZW$700 000 from NMB customer accounts to his own. This man was a former NMB employee who most likely was able to do this because he still possessed backend credentials to the NMB system allowing him to make the transfers.
These credentials worked because NMB might not have a security policy on what happens to an employee’s user account for the system when the employee leaves the company.
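A leaver policy of that kind can be checked mechanically. The sketch below is an added example, not part of the original article and not based on NMB's systems: it reconciles an HR leaver list against an export of system accounts and flags personal accounts that are still enabled, logins after the departure date, and shared credentials that were not rotated after someone who knew them left. All names, fields and dates are constructed.

```python
from datetime import date

# Constructed sample data (not from any real system).
LEAVERS = {"alice": date(2022, 9, 30), "bob": date(2022, 11, 15)}
ACCOUNTS = [
    {"id": "alice", "holders": ["alice"], "enabled": True,
     "last_login": date(2022, 12, 2), "password_changed": date(2022, 1, 10)},
    {"id": "bob", "holders": ["bob"], "enabled": False,
     "last_login": date(2022, 11, 14), "password_changed": date(2022, 6, 1)},
    {"id": "backend-admin", "holders": ["bob", "carol"], "enabled": True,
     "last_login": date(2022, 12, 20), "password_changed": date(2022, 3, 5)},
    {"id": "carol", "holders": ["carol"], "enabled": True,
     "last_login": date(2022, 12, 21), "password_changed": date(2022, 10, 1)},
]

SEVERITY = {"LOGIN_AFTER_DEPARTURE": 0, "SHARED_SECRET_NOT_ROTATED": 1,
            "STILL_ENABLED": 2}


def audit_offboarding(leavers, accounts):
    """Return (account id, finding, former employee) tuples, most serious first."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # a disabled account can no longer be used to log in
        for person in acct["holders"]:
            left = leavers.get(person)
            if left is None:
                continue  # this holder is still employed
            personal = acct["holders"] == [person]
            if personal and acct["last_login"] > left:
                findings.append((acct["id"], "LOGIN_AFTER_DEPARTURE", person))
            elif personal:
                findings.append((acct["id"], "STILL_ENABLED", person))
            elif acct["password_changed"] <= left:
                # Shared account: the leaver still knows the current password.
                findings.append((acct["id"], "SHARED_SECRET_NOT_ROTATED", person))
    return sorted(findings, key=lambda f: (SEVERITY[f[1]], f[0]))


if __name__ == "__main__":
    for finding in audit_offboarding(LEAVERS, ACCOUNTS):
        print(finding)
```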
As for Team Pachedu, they only did a smart search on Google. No fancy tools or tricks to crack some codes and whatnot. A Google search that anyone can do. They did not hack anything. Calling what Team Pachedu did a hack is the equivalent of saying someone robbed a house by picking the lock on the door when all they did was take the key from under the doormat.
This is all to say that the way a majority of user accounts and organization systems are getting compromised in Zimbabwe is so elementary that calling it ‘hacking’ is a disservice to the term. We simply have extremely poor cybersecurity measures in place as individuals, which then feeds into the level of security we implement at an organizational level. Just as a starting point, let’s all enable 2FA on our personal accounts and stop the business of using our names and birthdays as passwords.