Idea no.3: IT and other Tech solutions for Pakistan

ps3linux
I am posting a few days old news as a new thread, with the question: cybersecurity is becoming a serious matter across the globe; do we really understand the needs and challenges it brings? I will add my thoughts and analysis on the subject, but first here are some of the findings by Kaspersky:

Another Taj Mahal (between Tokyo and Yokohama)
April 9, 2019
In the fall of 2018, we detected an attack on a diplomatic organization belonging to a Central Asian country. There would be no story here (diplomats and their information systems attract the interest of various political forces every now and again) were it not for the tool employed: a new APT platform by the name of TajMahal.

More than a mere set of back doors, TajMahal is a high-quality, high-tech spyware framework with a vast number of plugins (our experts have found 80 malicious modules so far), allowing for all kinds of attack scenarios using various tools. According to our experts, TajMahal has been in operation for the past five years, and the fact that only one victim has been confirmed to date suggests only that others have yet to be identified.

What can TajMahal do?
The APT platform consists of two main parts: Tokyo and Yokohama. Both were detected on all infected computers. Tokyo acts as the main back door and delivers the second-stage malware. Interestingly, it remains in the system even after the second phase starts, evidently to operate as an additional communication channel. Yokohama, meanwhile, is the weapon payload of the second stage. It creates a virtual file system complete with plugins, third-party libraries, and configuration files. Its arsenal is extensive in the extreme:

  • Stealing cookies,
  • Intercepting documents from the print queue,
  • Collecting data about the victim (including a list of backup copies of their iOS device),
  • Recording and taking screenshots of VoIP calls,
  • Stealing optical disc images made by the victim,
  • Indexing files, including those on external drives, and potentially stealing specific files when the drive is detected again.

Conclusion
The technical complexity of TajMahal makes it a very worrying discovery, and the number of victims identified thus far is likely to increase. That said, Kaspersky Lab products detect TajMahal. A more technically detailed report can be found on Securelist.

Initially, the threat was discovered using our automatic heuristic technologies. So to guard against TajMahal and its analogs, it makes sense to use proven security solutions such as Kaspersky Endpoint Security for Business.
 
It's so hard to avoid discussions that end up in the usual "Pakistan should have..." line of argument.

But the truth is that Pakistan needs an NSA/NRTO-like civ-mil agency that acts as Cyber Command / our main SIGINT infrastructure. It needs to include PhDs from top universities and High School dropout blackhat hackers in equal measure!

Current capabilities are laughably underdeveloped. Various proposals for the above are doing the rounds. Need a visionary to implement them, and that kind of leadership seems to have eluded Pakistan for a while now (in all institutions.)
 
That, dear sir, is the problem. See, in the hacker community there are elite hackers, there are hackers and then there are crackers, but the elite of the elite never register on any radar. I do know a few high school/college students who over the years cracked/hacked various websites/accounts in Pakistan, were eventually caught and "convinced" to work for the govt. I have visited the NR3C and seen the techniques used there; they are at best crude, no sophistication, no wait-and-see, all brute force. Hell, even I found all sorts of bank account details belonging to various banks being sold on the dark net for peanut prices, banks which are supposed to be using better security measures/software than any Public Sector Entity. Here is another stinker:

Huawei wi-fi modules were pulled from Pakistan CCTV system
By Leo Kelion & Sajid Iqbal, BBC News, 8 April 2019
Huawei removed wi-fi transmitting cards from a Pakistan-based surveillance system's CCTV cabinets after they were discovered by the project's staff.

Punjab Safe City Authority (PSCA) told BBC Panorama it had told the firm to remove the modules in 2017 "due to [a] potential of misuse".

The authority said that the Chinese firm had previously made mention of the cards in its bidding documents.

But a source involved in the project suggested the reference was obscure.

A spokesman for Huawei said there had been a "misunderstanding". He added that the cards had been installed to provide diagnostic information, but said he was unable to discuss the matter further.

The PSCA confirmed that the explanation it had been given was that wi-fi connectivity could have made it easier for engineers to troubleshoot problems when they stood close to the cabinets, without having to open them up.

Two people involved in Lahore's project helped bring the matter to the BBC's attention and have asked to remain anonymous. One said that Huawei had never provided an app to make use of the wi-fi link, and added that the cabinets could already be managed remotely via the surveillance system's main network.

[Image caption: It was suggested that a wi-fi link could have helped engineers troubleshoot problems without having to climb up and open the cabinets]
A UK-based cyber-security expert said that it was not uncommon for equipment sellers to install extra gear to let them offer additional services at a later date.

But he added that the affair highlighted the benefit of oversight because if the authority had remained unaware of the cards' existence, it could not have taken steps to manage any potential risk they posed.

"As soon as you give someone another method of remote connectivity you give them a method to attack it," commented Alan Woodward.

"If you put a wi-fi card in then you're potentially giving someone some other form of remote access to it. You might say it's done for one purpose, but as soon as you do that it's got the potential to be misused."

There is no evidence that the cards created a vulnerability, and one of the sources involved confirmed that there had not been an opportunity to test if they could be exploited before the kit was removed.

'Prompt response'
Lahore's Safe City scheme was first announced in 2016 following a series of terrorist bombings.

It provides a vast surveillance network of cameras and other sensors, and a brand new communications system for the city's emergency services.

As part of the system, Huawei installed 1,800 CCTV cabinets, within which it placed the wi-fi modules behind other equipment.

[Image caption: The cards were placed among other equipment in the cabinets]
The PSCA's chief operating officer told the BBC that Huawei had been "prompt" in its response to a request to remove them and had fully "complied with our directions".

"It is always [the] choice of the parties in a contract to finalise the technical details and modules as per their requirements and local conditions," added Akbar Nasir Khan.

"PSCA denies that there are any threats to the security of the project [and the] system was continuously checked by our consultants, including reputed firms from [the] UK."

Local concerns have been raised over the Safe City scheme after reports that images had been leaked and circulated via social media earlier this year showing couples travelling together in vehicles.

But there is no suggestion that this was related to Huawei's involvement, and in any case the wi-fi modules would have been removed by this point. The PSCA has also denied anyone from its office had been involved.
 
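The BBC story above comes down to oversight: the authority could only manage the risk of the wi-fi cards once it knew they were there. The script below is an added example, not part of the BBC report and not any PSCA or Huawei tooling, of the reconciliation check a project owner would run after a site survey. It compares a declared bill of materials with what was actually found in each cabinet, lists undeclared parts, declared parts that never turned up, and declared parts that appeared with an interface the declaration never mentioned, and puts anything that adds a remote-access path at the top of the review queue. All cabinet IDs, component names and interface sets are constructed for the example.

```python
"""Reconciling installed hardware against the declared bill of materials.

Added example: compares a declared BOM with a per-cabinet site survey and
reports undeclared components, missing components and interface drift.
Components that add a remote-access path are listed separately so they
head the review queue.  All identifiers below are constructed.
"""
from collections import defaultdict

# Interface types that give a third party a second way in; constructed list.
REMOTE_ACCESS_IFACES = {"wifi", "cellular", "bluetooth", "serial-over-ip"}

# Declared bill of materials: component -> interfaces named in the bid (constructed).
DECLARED = {
    "cam-ctrl": {"ethernet"},
    "poe-switch": {"ethernet"},
    "ups-monitor": {"serial"},
}

# Site survey: (cabinet, component, interfaces actually found) (constructed).
SURVEYED = [
    ("LHR-0001", "cam-ctrl", {"ethernet"}),
    ("LHR-0001", "poe-switch", {"ethernet"}),
    ("LHR-0001", "wifi-module", {"wifi", "ethernet"}),
    ("LHR-0002", "cam-ctrl", {"ethernet"}),
    ("LHR-0002", "poe-switch", {"ethernet", "serial-over-ip"}),
    ("LHR-0002", "wifi-module", {"wifi", "ethernet"}),
    ("LHR-0003", "cam-ctrl", {"ethernet"}),
    ("LHR-0003", "poe-switch", {"ethernet"}),
    ("LHR-0003", "temp-sensor", {"i2c"}),
]


def reconcile(declared, surveyed):
    """Return a dict of findings; every value is sorted so the result is stable."""
    undeclared_cabs = defaultdict(set)    # component -> cabinets where it was found
    undeclared_ifaces = defaultdict(set)  # component -> interfaces it exposes
    drift = defaultdict(set)              # (component, cabinet) -> interfaces not declared
    seen = set()
    for cabinet, component, ifaces in surveyed:
        seen.add(component)
        if component not in declared:
            undeclared_cabs[component].add(cabinet)
            undeclared_ifaces[component] |= ifaces
            continue
        extra = ifaces - declared[component]
        if extra:
            drift[(component, cabinet)] |= extra
    return {
        "undeclared": {c: sorted(cabs) for c, cabs in sorted(undeclared_cabs.items())},
        "needs_review": sorted(
            c for c, i in undeclared_ifaces.items() if i & REMOTE_ACCESS_IFACES
        ),
        "missing": sorted(set(declared) - seen),
        "interface_drift": {
            f"{c}@{cab}": sorted(extra) for (c, cab), extra in sorted(drift.items())
        },
    }


def report(findings):
    """Human-readable summary for the project's oversight file."""
    lines = []
    for comp in findings["needs_review"]:
        cabs = ", ".join(findings["undeclared"][comp])
        lines.append(f"REVIEW  {comp}: undeclared remote-access component in {cabs}")
    for comp, cabs in findings["undeclared"].items():
        if comp not in findings["needs_review"]:
            lines.append(f"NOTE    {comp}: undeclared in {', '.join(cabs)}")
    for key, extra in findings["interface_drift"].items():
        lines.append(f"DRIFT   {key}: interfaces not in declaration: {', '.join(extra)}")
    for comp in findings["missing"]:
        lines.append(f"MISSING {comp}: declared but not found in any cabinet")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(reconcile(DECLARED, SURVEYED)))
```

The interface-drift check matters as much as the undeclared list: a part that was mentioned in the bid, as Huawei says the cards were, can still arrive with a radio or a serial-over-IP port that the declaration never described, and that is the case an "is it in the BOM?" yes/no check would wave through.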
The Americans probably pointed this out. They also provided the IB with call-monitoring tech, most of which was used to monitor the ISI (thanks to insecure PMs) rather than the enemy!

The "Safe City" projects are so easy to tap into that they don't even warrant a discussion!

The Tier 1 / elite blackhat people are earning so exceptionally well in the global dark web / commercial pentesting etc. space that they have no incentive to join any State institution on an in-house basis. The max that we can manage is using them for specific short-term projects --- while what we need is a Cyber Command/dedicated SIGINT that attracts, recruits and develops people and technologies in a constantly evolving environment.

But, as always, in a country of US sell outs/paid agents, bureaucratic lethargy and general incompetence, who is going to do it?
 
I used to be Account Manager for Verisign (now Symantec) information security products, mostly dealing in MPKI, SSL, 2- and 3-factor authentication, smart tokens etc., and you would be surprised to know that people sitting at CIO/CTO positions at major financial institutions had no clue how vulnerable their systems were; we did a phishing attack on their emails right in front of them as a technology demonstrator when their CIO insisted that their router has a firewall and they do not need "fancy stuff".
 
I know about it and have always wondered how stupid is stupid; not that I expect politicians to demonstrate any level of intelligence.

Safe city projects at the security level are a joke: a few minutes of tinkering and you are in the system root. What I wanted to say was there were already back doors (not that I think they have been sealed); Huawei is a very interesting company.

Even our freelancers are earning pretty well nowadays; hackers/crackers are altogether a different ball game. I have always been an admirer of Unit 8200; they thought about it and established a unit based on SIGINT back in '52, and now it is one of the best in the world. Many a cybersecurity analyst I know has come from that production line.

Last week I was delivering a lecture at a uni, although on a topic other than cybersecurity; knowing me, they started a discussion about winding up their own data center and moving to MS Dynamics with a cloud-based model. My question was: do you understand the other side of that, where is that server located?

All they knew was the cost saving in terms of server maintenance and IT personnel, despite having a full IT faculty and students. My suggestion was to start from the ground up with any open source platform like Python, but then again security of data is not really something we understand right now.

I have done it so many times, even with ISPs, that many of them started adding free credit to my account as long as I don't "explore" their vulnerabilities and report them. :hitwall:

F.Is: I have been with them abroad and in Pakistan, and I seem to be the best buddy/least favourite of the IT guys. CTOs/CIOs just pick up a few jargon terms currently trending and then start repeating them without knowing what is what; "firewall" is the biggest scam for companies to sell their cheapshot hardware/software. The latest trend these days is blockchains and A.I.
 
Pakistan needs its very own NSA. We need a full-time dedicated SIGINT and Cyber Warfare agency. Also, every agency needs to develop a major cyber wing.

@Rafi @Horus @balixd @Tipu7 @Sulman Badshah @Path-Finder

Agreed sir, but just thinking out loud again: personally I am worried because I know what cellular companies are doing with our data; they are becoming bigger spyware platforms than Google/Android, Facebook/WhatsApp/Insta, Microshit, coupled with the fact that decision makers don't seem to be aware of the challenges that lie ahead.

Americans, for example, have a distributed backup of their corporate, social security and defense data in multiple locations. Here, ask any corporate where their data backup facilities are located, and anyone with knowledge of IT will start laughing. There are PTCL DR sites, but trust me, they are phhhh.
 
The "buzz word" affinity is one of the most annoying diseases --- people think they can throw around a few phrases like "zero day exploits" and "backdoor" etc and they feel cool about it.

Ah, Unit 8200. Don't depress me! Where are they and where are we.
 
I have a fair guesstimate that we had some of the best experts building platforms from the ground up when it comes to the O.S. of missile tech; every known/explored vulnerability was/is patched immediately because we built it from scratch, be it working with MCUs/C++ or CPLD/FPGA/Verilog. I am sure they must have done the same for the JF-17, but as far as our corporate, mobile, public, Nadra and fully functional defense solutions provided by "friendly" countries are concerned, I am worried. Ideally we should utilize the services of this core group even if we have retired some of these experts as they turned 60. Incidentally, we seem to be the only nation which retires its scientists once they turn 60, i.e. their most productive age.
 
I agree with you.

Many times, when someone's contributions are considered vital, they are re-hired as civilian contractors after their service retirement. That's why, even in intel, you can sometimes find Brigs (experts / highly experienced in specific areas) who are older than their 2-star bosses.
 
Here is another interesting piece of information: the benchmark core banking software nowadays is Temenos T24. Now, banks do get it installed as per the number of modules purchased, but if there is any problem which requires technical support, guess where that query ends up.

And we talk about corporate security in the banking sector, thinking there are no back doors, or how our debit card user data was leaked and sold on the dark web.
 
I had a CIO of a major bank telling me that authorization and authentication are the same thing. Yes, jargon is the "thing": learn a few words, google a few definitions, talk with an English accent and damn, you are THE MAN. I gave a guest lecture at NED on Info Sec a few years back at their Tech Elite event representing my company (NIFT) and I was surprised that even their dean was full of genuine questions.
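The CIO's confusion above is worth pinning down in code, because the two checks fail in different ways. Authentication answers "who is making this request?"; authorization answers "is this identity allowed to do this?". The example below is added here and is not from any poster or from a bank's actual system: a small request handler with a salted-PBKDF2 password store, an HMAC-signed session token, and a separate permission check, alongside the broken variant that treats "logged in" as "allowed". Every user, password, role and secret in it is constructed for the example.

```python
"""Authentication vs. authorization, as an added worked example.

Authentication: verify who the caller is (password -> signed session token).
Authorization:  decide whether that identity may perform this action on this
resource.  Conflating them is how a correctly logged-in customer ends up
reading another customer's statement.  All users and secrets are constructed.
"""
import hashlib
import hmac
import secrets

_USERS = {}                              # constructed in-memory user store
_SERVER_KEY = secrets.token_bytes(32)    # constructed key that signs session tokens
_PBKDF2_ROUNDS = 50_000                  # kept low so the example runs quickly


def register(username, password, role="customer"):
    """Store a salted PBKDF2 hash of the password plus the user's role."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _PBKDF2_ROUNDS)
    _USERS[username] = {"salt": salt, "hash": digest, "role": role}


def authenticate(username, password):
    """Authentication: return a signed session token if credentials are valid, else None."""
    rec = _USERS.get(username)
    if rec is None:
        return None
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], _PBKDF2_ROUNDS)
    if not hmac.compare_digest(digest, rec["hash"]):
        return None
    mac = hmac.new(_SERVER_KEY, username.encode(), "sha256").hexdigest()
    return f"{username}.{mac}"


def identity_from_token(token):
    """Verify the token's MAC and return the username it names, or None if forged/absent."""
    if token is None or "." not in token:
        return None
    username, mac = token.rsplit(".", 1)
    expected = hmac.new(_SERVER_KEY, username.encode(), "sha256").hexdigest()
    return username if hmac.compare_digest(mac, expected) else None


def authorize(actor, action, account_owner):
    """Authorization: a customer may only touch their own account; staff may read any."""
    role = _USERS[actor]["role"]
    if role == "staff" and action == "read":
        return True
    return actor == account_owner


def get_statement(token, account_owner):
    """Request handler that keeps the two checks separate (401 vs 403)."""
    actor = identity_from_token(token)                  # who are you?
    if actor is None:
        return (401, "not authenticated")
    if not authorize(actor, "read", account_owner):     # may you do this?
        return (403, "not authorized")
    return (200, f"statement for {account_owner}")


def get_statement_authn_only(token, account_owner):
    """The CIO's version: any authenticated user gets any account's statement."""
    actor = identity_from_token(token)
    if actor is None:
        return (401, "not authenticated")
    return (200, f"statement for {account_owner}")   # no ownership check at all


def demo():
    """Run the scenarios and return the status codes so they can be checked."""
    register("alice", "correct horse")
    register("bob", "battery staple")
    register("auditor", "hunter2", role="staff")
    t_alice = authenticate("alice", "correct horse")
    t_audit = authenticate("auditor", "hunter2")
    return {
        "bad_password": authenticate("alice", "wrong"),
        "own_account": get_statement(t_alice, "alice")[0],
        "other_account": get_statement(t_alice, "bob")[0],
        "staff_read": get_statement(t_audit, "bob")[0],
        "no_token": get_statement(None, "alice")[0],
        "forged_token": get_statement("bob.deadbeef", "bob")[0],
        "authn_only_leak": get_statement_authn_only(t_alice, "bob")[0],
    }


if __name__ == "__main__":
    for scenario, result in demo().items():
        print(f"{scenario}: {result}")
```

The last scenario is the one to look at: Alice has a perfectly valid token, the authn-only handler returns 200 for Bob's statement, and nothing in the logs would distinguish that request from a legitimate one. That is why the two checks need to be separate steps with separate status codes.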
 
Thank goodness you were spared the torture I, along with a few hundred others, had to endure from the cybersec head of a big 6 audit firm on 13th April, arranged by ICAP at PC Lhr.

All the idiot knew was the fourth industrial revolution, blockchain and A.I. It was a full one and a half hours of pure torture: a presentation gobbled up from YouTube, el cheapo illustrations from the internet and zero command of the subject.

Imagine this guy and his team giving audit certification to a large financial institution in Pakistan.
 
I am into cyber security affairs... things are in very bad shape.... We are at the top of the list of the most vulnerable countries. Regarding APT attacks on Pak infrastructure, currently we are unable to detect such attacks or mitigate the risks associated with them. Pakistan is badly missing a few foundation steps such as a CERT & incident reporting etc. The overall cyber policy has been under development for years.

The global cybersecurity ranking is issued on an annual basis, and according to the latest report, I am quoting here:

Unfortunately, Pakistan lags behind in terms of cybersecurity, so much so that it’s included in the bottom 10 according to a report. A recent study conducted by Comparitech has revealed that Pakistan ranks 7th among the countries having the worst cybersecurity. The study has gathered data from different sources including Kaspersky, the Global Strategies Index, and the Global Security Index (ITU).

The study took into account the percentage of mobile phones infected with malware, the percentage of attacks by crypto miners, the percentage of computers affected by cyber attacks, and how up-to-date a country’s legislation is regarding cybersecurity among other indicators.

Japan (60) has been ranked as the most secure country for all indicators. Pakistan’s neighbors India and Bangladesh are ranked at 14 and 6 respectively.

Source: https://www.comparitech.com/blog/vpn-privacy/cybersecurity-by-country/
