NIN Data Breach: Hacker Present Evidence Against NIMC - Crime - Nairaland
Nairaland Forum › Nairaland General › Crime › NIN Data Breach: Hacker Present Evidence Against NIMC (1566 Views)
| NIN Data Breach: Hacker Present Evidence Against NIMC by o123456789(op): 3:17pm On Jul 22, 2024 |
I hacked the National identity management commission of Nigeria to demonstrate the habitual lack of cyber security of the commission, and I was able to bring in a new revelation that not only the NIN data of Nigerian are poorly secured but also the confidential files and datas of all organizations that are licensed to use the NIMC verification/tokenisation platform are poorly secured by NIMC, this exposee shows numerous verifiable vulnerabilities of NIMC as evidence. NB: This exposee was done within the ambit of the the law, Cyber crime act 2024. INTRODUCTION On 3–16–2024, the media reported that a website known as expressverify was monetising the recovery of national identity number (NIN) and personal information of Nigerians from the National identity management commission (NIMC) database. Furthermore other websites like expressverify was identified, they include idfinder.com.ng, verify.ng, championtech.com.ng, trustyonline.com, and anyverify.com. In all these data breaches NIMC stated that there was no data breach on any of it’s system or database, instead NIMC blamed Nigerians for giving out their informations by submitting their NIN and other personal information to these fraudulent websites which the commission tagged “data harvesters”. NIMC via it’s director of IT/IDD, Lanre Yusuf said on Arise television that “NIMC is full proof against any cyber attack”, and there was never any successful hacking of it’s systems before. (See: https://www.youtube.com/watch?v=G1cMZo0nJUE?si=mgO0uub) Co-founder of Recital Finance, Bobola Ojo-Ami, stated, “Technically, it is easy to assume that there is a breach, but what seems to be happening here is a proliferation of illegal entries from third-party sources”. (See: https://punchng.com/nimc-facing-multiple-unauthorised-accesses-to-nin-data-stakeholders/). The Nigerian police certified that NIMC is highly secure and there was no data breach. (See: https://punchng.com/nimc-database-secure-police/) . AUTHOR’S STAND ON THIS MATTER I Ayanbe Francis Uzezi a patriot, is here to set the records straight by acting for myself and on behalf of the public to demonstrate via hacking that the data of Nigerians and third party agents are not safe with NIMC, because NIMC systems were hacked and the commission operates one of the most insecure clusters of IT infrastructures in the world. I rate NIMC zero in relation to cyber security. For many years and still ongoing NIMC is faced with multiple and persistent cyber security attacks and breaches, because NIMC is prone to millions of cyber security vulnerabilities of which the commission denies. The concept of data harvesters is not correct and misleading, because from a layman perspective, it is impossible for a data harvesting website to capture the entire NIN data of all Nigerians, because not all Nigerians have access to or uses the internet. Even if it is possible who will update the website of the data harvesters? or any Nigerian that just got registered for NIN will be instructed to give his or her data to these sites? I am asking these questions because the database of those websites monetizing NIN of Nigerian are up-to-date, thereby signaling data breaches. So the assertion that Nigerians are the ones that gave out their NIN data to data harvesting websites is incorrect. There is no compromise from third parties agents, the breaches were due to direct unauthorized access to NIMC systems. Before I go into details I want to let the whole world know that not all Nigerians are novices when it comes to cyber security matters, I am saying this against the backdrop that some technology business owners and even the Nigerian police certified that NIMC is highly secure, without any form of verifiable or comprehensive evidence to back up these certifications. EVIDENCE OF NIMC VULNERABILITIES. NIMC have 72 servers in Abuja Nigeria according to the cyber security search engine shodan (https://www.shodan.io/search?query=isp%3A%22National+Identity+Management+Commission%22). Shodan lists these systems alongside their precise location meta data and vulnerabilities (https://www.shodan.io/host/102.219.223.252). This is against the assertion of Lanre Yusuf director of IT NIMC that all their systems are highly secure, infact this NIMC server (https://www.shodan.io/host/102.219.223.250) is vulnerable to over 1,000 vulnerabilities. Even the most painful part is that this server is vulnerable to a 2006 vulnerability and the security implication is that over the years old vulnerabilities have countless numbers of exploits that are mainly free to get. Note that when shodan.io did not list any vulnerability alongside a system doesn’t mean that the system is secure, because shodan only list vulnerabilities based on two criteria namely version name and version number of a particular service, protocol or component, eg one NIMC server (https://www.shodan.io/host/102.219.223.247) is running a software called “Network time protocol version 3” that is obsolete and highly vulnerable, but this vulnerability was not listed by shodan.io meaning expertise is needed to spot other vulnerabilities not listed by shodan. The impact of this vulnerability is that if exploited an attacker can disable all encryption of all NIMC servers because server encryption is based on certificate and certificate is based on time. Network time protocol is used to synchronize time to all computers in a data center. This negates the assertion of Lanre Yusuf director of IT NIMC, that NIMC uses the highest form of encryption. The 72 NIMC servers in Abuja Nigeria, are used to to store API keys and host websites and proxy to other cloud servers in Germany, UK & USA etc. When a request is made to the NIMC server here in Abuja either you will get an API key or the server will forward your request to the cloud server around the world, then the server in Abuja will also return the response it got from these servers. This is against the assertion of NIMC director of IT that all NIMC servers are hosted in Abuja when he was questioned by Rufai Oseni of Arise TV. (See https://www.youtube.com/watch?v=G1cMZo0nJUE?si=mgO0uub). PROOF OF CONCEPT In cyber security after a vulnerability is identified the next thing is a proof of concept that contains what you were able to do with this vulnerability to serve as evidence to your claim. Although step by step demonstration of how I was able to hack NIMC servers is supposed to be on this proof of concept, but I will not add it to this exposee, so as to stay safe in the path of law. I will display some hacked files but I will redact partially any sensitive part on these files. Some of the things I was able to lay my hands on inside NIMC servers include but not limited to the following: 1. I have in my custody, the entire NIN database. 2. I have API keys, source codes and security keys. (See: https://drive.google.com/file/d/11Z6iOTL4wyqOgARnUVUKILu3jnxXElpg/view?usp=drivesdk) 3. I also have in my custody, sensitive and confidential files of both NIMC and all companies, organizations and businesses, both private and government owned, that have direct access to NIMC Tokenisation system. These files include emails, memos, CV of job seekers, corporate affairs commission (cac) registration documents, CAC certificates, tax clearance certificates, data protection policy documents, financial audit reports documents, request for authorization to NIMC NIN verification system documents, NIN/passport numbers of company directors, username of admin/contact persons of various organizations on the NIMC verification system etc. These files are exclusively from NIMC servers. Affected companies and organizations include: 1. Yellow card. 2. Quidax global. 3. Binance 4. Hcwallet (fastcent or fastcoin). 5. Gtbank (Gtco). 6. Zenith bank. 7. Taj bank. 8. Titan trust bank. 9. Premium trust bank. 10. Wema bank. 11. 9payment PSB. 12. Fairmoney bureau de change. 13. Opay (paycom). 14. Fairmoney MFB. 15. FBN quest. 16. FCMB MFB. 17. Sagamu MFB. 18. Nomba. 19. SunTrust bank. 20. Now now. 21. Latfad multi ventures. 22. Gotok technology. 23. Elta solutions. 24. Orauku MFB. 25. Uni technology. 26. Spytech security guard (Based in presidential villa Abuja). 27. . 28. Chams holding. 29. Doja technologies. 30. Telecomsxchange. 31. Access bank. 32. Fidelity bank. 33. Jaiz bank, and many more. Download this PDF file containing some redacted files i just mentioned. I displayed a small sample and redacted them for privacy reasons. (Download https://drive.google.com/file/d/11Z6iOTL4wyqOgARnUVUKILu3jnxXElpg/view?usp=drivesdk) NOTE: In 2022 a hacker named Sam claimed he hacked NIMC database and got a huge cache of juicy files (See https://saharareporters.com/2022/01/10/exclusive-hacker-breaks-nimc-server-steals-over-three-million-national-identity-number), so for the avoidance of doubt and speculation no file in this report was sourced from him or any other hacker. Infact the dates on the file from this my report span way back beyond 2022 up to 2024. IMPACT OF VULNERABILITIES/HACKED FILES 1. An attacker can conduct account take over of any company or organization with direct access to the NIMC verification/tokenisation platform. 2. An attacker can generate the entire NIN database within 24 hours without any form of authentication. 3. An attacker can sell the hacked documents of third party agents at the black market, thereby exposing these organizations to impersonation, intellectual property theft, disrepute, phishing attacks, aiding of corporate wars and even kidnapping of company owners with ease. 4. An attacker can conduct sim swap attack against any Nigerian. 5. An attacker can modify the NIMC database. 6. An attacker can open fake corporate account. 7. An attacker can bypass security checks with a fake but verifiable NIN. THE RISKS OF HOSTING DATA IN CLOUD 1. In case of data breaches, it is very difficult to secure a cloud system, only a few functionalities are available. 2. So many cloud hosting providers have vulnerable systems by design and outdated applications, eg. the cloud provider of NIMC called Digital Ocean, runs a cloud storage called Spaces bucket, and it has no log functionality, according to Digital Ocean website (https://docs.digitalocean.com/reference/api/spaces-api), meaning there is never any record whatsoever if the data stored in this cloud storage is accessed even when a malicious actor accessed the files. There is also no inventory functionality, meaning no record of uploaded or deleted files. And no MFA functionality, AT&T telecom of the USA recently witnessed a staggering data breach that affected almost all its customers due to insecure cloud server. (See: https://foundation.mozilla.org/en/privacynotincluded/articles/att-had-a-huge-data-breach-heres-what-you-need-to-know/) 3. With emergency data request (EDR) from any police or government agency, any cloud provider can submit sensitive information on its servers. Mind you malicious threat actors now spoof EDR requests to get quick access to confidential information. 4. A staff or owner of the cloud data center can copy or manipulate files without hindrance. CAUSES OF NIMC CYBER INSECURITIES Incompetence and corruption is a dangerous combo, and this combo is responsible for the cyber insecurities in NIMC. Confidential internal documents I got from NIMC servers points to a particular organization called “Common Identity” and an individual called “Chinedum Echendu”. Now, who are Common Identity and Chinedum Echendu? Chinedum Echendu is the lead software developer at Common Identity, an Abuja based software development company. NIMC gave the contract of seting up all it’s servers and development of all it’s IT infrastructures including websites and softwares to Common Identity, so automatically Chinedum Echendu is the lead software developer for NIMC, but the problem here is that this lead software developer called Chinedum Echendu is incompetent and NIMC is aware. There is an Isoko adage that says “When the source of a river is dirty and bad, then the rest of the entire river can never be clean or good for human consumption”. Another secret document from NIMC server is a report where Common Identity company admitted and I quote “Various errors were experienced in production even after remote testing exercises were performed during development environments. Sprint tasks were assigned on the fly, and bugs were resolved as they were raised. This method of work seemed more reactive than proactive and hence posed issues such as task context switching and sprints aimed at product maintenance, instead of product improvement”. The above qouted statement means that there is no effective way of catching bugs before making a system live in Common Identity Ltd. In the heat of data breach allegations against NIMC in June 2024, the lead software developer called Chinedum Echendu when making a comment on a topic at LinkedIn.com, he repeated the same statement of incompetence in the document submitted by his company (Common Identity Ltd) to NIMC, and I quote “Building projects actually exposes you a lot of real life scenarios. You will get bugs and different errors and you will learn. Make sure these projects are live. They are proud moments” See (https://www.linkedin.com/advice/0/what-do-you-want-explore-job-roles-opportunities-programming-0tj3f) and (https://ng.linkedin.com/in/chinedum-echendu-4b029b14b). So it is now clear that incompetence and corruption is a very dangerous combo, because if not for corruption a developer that is proud of errors bugs and vulnerabilities in production/live system is not supposed to handle the development of NIMC IT infrastructures. For any body in doubt of the exact identity of this lead developer should visit this Shodan link and search for his name (https://www.shodan.io/host/164.92.179.237) this server is a critical NIMC server that is running on expired server certificate since August 2023. Another error is that this developer is diverting email messages meant for NIMC to his personal email, which is a security breach, but my question is that who will detect all these loopholes in NIMC and all other government IT infrastructures in Nigeria? and even if detected who will take action by way of sanction? the executive, legislature and judiciary are the ones to answer these questions. Incompetence and corruption if not killed will kill Nigeria. RECOMMENDATIONS 1. Office of the national security advicer must contact me for a robust talk, towards securing the nation’s critical assets/infrastructures, because there are other government agencies with various degrees of cyber insecurity. 2. NIMC should get in touch with me so as to map a way forward, with a view of securing it’s IT infrastructures. Reliance on software developers for cyber security is a wrong step to take, an expert is needed and I am ready to serve my country. 3. All companies and organizations using the NIMC verification/tokenisation platform should contact me, so that we can talk about the future of their leaked sensitive corporate files/data. 4. Federal government of Nigeria must take cyber security seriously, agencies like NIMC, EFCC, NIA, DSS, NITDA, NCC, ICPC, CBN, NDPC, NPF, ngCert, NIBSS, and the Nigerian army etc, must have real cyber security director each with proven expertise, not a mere political appointee or thug as we have it today. Advance nations don’t joke with cyber security, because modern secret service and spying depends largely on it. 3. Chinedum Echendu, the developer at Common Identity Ltd. should not see the author of report as his enemy, instead he must critically study this report and amend his short comings. Your perception of celebrating errors in programming is a big turn off for potential employers. Source: https://medium.com/@AyanbeFrancisUzezi/nin-data-breach-2024-why-i-hacked-nimc-by-ayanbe-francis-uzezi-885216780dcb And https://drive.google.com/file/d/11Z6iOTL4wyqOgARnUVUKILu3jnxXElpg/view?usp=drivesdk
|
| Re: NIN Data Breach: Hacker Present Evidence Against NIMC by ThinkSmarter: 4:00pm On Jul 22, 2024 |
Ethical hacker
If you know, you know |
| Re: NIN Data Breach: Hacker Present Evidence Against NIMC by freemanq(m): 4:03pm On Jul 22, 2024 |
Are we really save? |
| Re: NIN Data Breach: Hacker Present Evidence Against NIMC by Shomek(m): 6:09pm On Jul 22, 2024 |
Nice one sir
I really need to know you better. |
| Re: NIN Data Breach: Hacker Present Evidence Against NIMC by o123456789(op): 6:55pm On Jul 22, 2024 |
Shomek:You can check my profile for my WhatsApp number, then message me. |
| Re: NIN Data Breach: Hacker Present Evidence Against NIMC by Shomek(m): 7:53pm On Jul 22, 2024 |
o123456789:that nice |
| Re: NIN Data Breach: Hacker Present Evidence Against NIMC by Shomek(m): 7:55pm On Jul 22, 2024 |
Nlfpmod
Front page Can this really get to front page ? |
| Re: NIN Data Breach: Hacker Present Evidence Against NIMC by o123456789(op): 8:06pm On Jul 23, 2024 |
For those having difficulty downloading from https://drive.google.com/file/d/11Z6iOTL4wyqOgARnUVUKILu3jnxXElpg/view?usp=drivesdk permission to download the leaked file is now set to public thanks. |
| Re: NIN Data Breach: Hacker Present Evidence Against NIMC by buyawsacc1(m): 5:46pm On Sep 05, 2024 |
Would you like to buy DigitalOcean accounts? We are offering verified Digital Ocean accounts for sale. Buy DigitalOcean accounts at a discount. DigitalOcean has emerged as a preferred choice for many developers and businesses seeking reliable, scalable, and cost-effective cloud solutions. Whether you're managing a startup, scaling a business, or working on personal projects, accessing a DigitalOcean account can be a game-changer. For those looking to streamline their cloud setup, purchasing DigitalOcean accounts can be an efficient solution. One platform that stands out in this space is Buyawsacc, a trusted provider specializing in cloud accounts. Visit our for more information: https://buyawsacc.com/product/buy-digitalocean-accounts/ Why Choose DigitalOcean? DigitalOcean is renowned for its simplicity and robust infrastructure. It offers a range of cloud services including virtual servers (droplets), managed databases, and scalable storage. With its straightforward pricing model and user-friendly interface, DigitalOcean is ideal for developers, small businesses, and enterprises looking for flexible and reliable cloud resources. Why Buy DigitalOcean Accounts from Buyawsacc.com? Buyawsacc is a leading platform that specializes in selling cloud accounts, including DigitalOcean. Here’s why Buyawsacc is the go-to choice for acquiring your DigitalOcean account: 1. Easy and Quick Access Navigating cloud services can be complex, but Buyawsacc simplifies the process. The platform offers a seamless purchasing experience, allowing you to acquire your DigitalOcean account quickly and efficiently. With just a few clicks, you can have access to a fully functional DigitalOcean account, eliminating the hassle of setting up and configuring the account yourself. 2. Reliable and Secure Transactions Security is a top priority at Buyawsacc. The platform ensures that all transactions are conducted with the highest level of security, protecting your personal and payment information. The accounts sold are verified and reliable, providing you with peace of mind that your cloud resources are secure and ready for use. 3. Competitive Pricing Buyawsacc offers competitive pricing for DigitalOcean accounts, making it an economical choice for individuals and businesses alike. The platform regularly updates its pricing to ensure that you get the best value for your investment. Whether you’re looking for a basic account or a more advanced setup, Buyawsacc has options to suit different needs and budgets. 4. Customer Support Exceptional customer support sets Buyawsacc apart. The team is dedicated to assisting you with any questions or issues that may arise during the purchasing process or while using your DigitalOcean account. Whether you need help with account setup, troubleshooting, or general inquiries, the support team is readily available to provide assistance. 5. Variety of Account Options Buyawsacc provides a range of DigitalOcean account options to meet diverse requirements. Whether you need a basic account for a small project or a more advanced configuration for a larger application, the platform has various solutions to cater to your needs. This variety ensures that you can find an account that perfectly matches your cloud computing goals. How to Get Started Getting started with Buyawsacc is straightforward: Visit the Website: Navigate to Buyawsacc and explore the available DigitalOcean account options. Select Your Account: Choose the account type that fits your needs and add it to your cart. Complete the Purchase: Follow the simple checkout process to complete your purchase securely. Access Your Account: Once the transaction is complete, you will receive your DigitalOcean account details, allowing you to start using your cloud resources immediately. Conclusion For those looking to leverage the power of DigitalOcean without the complexities of setting up an account from scratch, Buyawsacc offers a streamlined, secure, and cost-effective solution. With its easy purchasing process, competitive pricing, and excellent customer support, Buyawsacc is your go-to platform for acquiring DigitalOcean accounts. Simplify your cloud computing journey today and unlock the full potential of DigitalOcean with Buyawsacc. If you have any questions or need further assistance, feel free to reach out in the comments below or visit Buyawsacc for more information. Happy cloud computing! Telegram: /Bestdigitalacc
|
| Re: NIN Data Breach: Hacker Present Evidence Against NIMC by ThinkSmarter: 7:19pm On Sep 05, 2024 |
An ethical hacker is not a bad person. An ethical hacker tests for vulnerability in a system for the purpose of reinforcing security. It's a technical talent. Skill-up! Abi no be wetin FG wan make we learn through 3MTT ? The said guy is a good student of NITDA and Ministry of Digital Economy. |
₦30 Billion Fraud: EFCC Tenders Evidence Against Ex-Head Of Service, Oyo-Ita • EFCC Arrests Facebook Hacker • British Hacker, Daniel Kaye Who Took Down Liberia's Internet Jailed For 3 Years • 2 • 3 • 4
Scenes From The Ilado Blast (very Graphic) • Two Arrested Drug Couriers Fight In Airport Over Drugs • Malicious And Barbaric Activites In Gboko Main Market, Gboko-benue State