I saw this news in a local paper that ISPs have lashed out strongly against PTCL. The ISPs lodged a complaint against PTCL for anti-competitive practices: offering lower rates to consumers than the rates it offers to ISPs. I also saw this statement by the PM that 75% of households in the country are to be covered with high speed Internet by 2015.
I am not sure what to make of these contradictory statements from the Telecommunication day on May 17.
The last time I checked, PTA and PTCL were still in court about the bandwidth tariffs. If one were to look at the low bandwidth penetration rate and all the issues such as the ISP complaint described below, we are still in poor shape. So HOW in the world are we going to go from say 2% to 75% in 7 years?
As you can note from the statements by the Prime Minister, they do not specify an action plan or a policy change - just empty political statements. Does it give us any confidence about bandwidth proliferation in Pakistan?
Shaukat Aziz has said that we are moving forward with great speed to bridge the digital divide in the country by improving the access of information and communication technology to low-income groups and a target of 1.6 million broadband connections has been set for the next three years and infrastructure would be developed to cover 75% of house-holds in the country with high speed Internet by 2015.
“We are moving forward with great speed to bridge the digital divide in the country by improving the access of information and communication technology to low-income groups”, he expressed these views while delivering a speech on the world telecommunications and information society day being observed on May 17.
And then there’s the view from Pakistan’s Internet Service Providers (ISPs), as reported in The News.
As the world marks Telecom Day on Thursday, small telecom operators in Pakistan see their business threatened, blaming the giant Pakistan Telecommunication Company Limited (PTCL) for anti-competitive practices, which has launched DSL service at much lower rates without the regulator’s approval.
The country’s Internet Service Providers (ISPs) have warned that if the Pakistan Telecommunication Authority (PTA) fails to stop the PTCL from offering such service, it would put the future of most of the operators at risk.
It was also reported that the ISPs Association of Pakistan (ISPAK) has formally complained to PTA asking it to intervene and to play its role. According to ISPAK there should be a hearing on this. The ISPs offer DSL services of 256 kbps for home users at Rs1,000-Rs1,200 per month, out of which around 25 per cent is paid to PTCL for local loop sharing charges.
What is digital identity and why do we need to protect it, in Pakistan of all places? With globalization and outsourcing on the rise, privacy and identity theft are fast becoming global problems. Here are a few reasons for concern regarding privacy and data protection in Pakistan: the rise of the banking and consumer credit industry, the surging number of telecom subscribers, outsourced data processing and the growth of e-commerce transactions. I’ll provide some background, discuss the existing rules and provide recommendations for business organizations.
The question is: do we have adequate identity and privacy protection in Pakistan? Are banks and telecom companies doing enough to keep your personal information safe? As one example, I was sent phone bills of someone else via e-mail and even after reporting the issue there was no followup. Probably similar incidents have happened with others in Pakistan as well, though statistics are not readily available.
My prediction is that gradually Asian societies (Pakistan, China, India etc) will become more sensitive to data protection and privacy issues. Now is a good time to demand good security practices to safeguard our data.
As a related item I’ll mention the ITU Internet Report entitled “digital.life” (in pdf), which was prepared for ITU TELECOM World 2006. The report examines how innovation in digital technology is radically changing individual and societal lifestyles.
Chapter four, identity.digital, explores the changing nature of the digital individual and the need for greater emphasis on the creation and management of digital identity. Individuals today spend more and more time using digital means to communicate and transact, be that sending and receiving e-mail, talking on a mobile phone, participating in a social networking site, buying music, booking vacations over the internet, or playing an online game. The complexity of the interaction between technology, personal consumption and the construction of identity in the virtual space is a growing area of research. Users of digital technologies have a wide scope for constructing their virtual identity.
What are the laws for data and privacy protection in Pakistan? I found a final draft of the Electronic Data Protection Act 2005 on the Pakistan Software Export Board [PSEB] website. It is a relatively short and simple document which provides very basic rules for data collection, processing and handling. The Act tries to solve two problems: a) provide guidelines for outsourced data processing and b) regulate data collection in Pakistan. To give you a flavour of this Act, here are 2 definitions from it:
“Sensitive Data” means data revealing racial or ethnic origin, religious, philosophical or other beliefs, political opinions, membership in political parties, trade unions, organizations and associations with a religious, philosophical, political or trade-union, or provide information as to the health or sexual life of an individual and financial, or proprietary confidential corporate data.
Electronic data security. Electronic data that is subject to data processing shall be kept under custody, controlled or processed in such a way as to minimize the risks of its destruction or loss, even accidental, unauthorized access, unlawful processing or processing for purposes other than those for which the electronic data were collected, by means of appropriate precautionary security measures.
I would like to hear more from those who are involved in data processing in Pakistan and get some stats about security breaches and their resolution. A few years ago there was some uproar in the US about a data processing company in Pakistan but that issue was settled. Perhaps that incident also contributed to the implementation of Electronic Data Protection Act 2005.
What is the situation in the developed (or G7) world? The European Union has stricter standards than the US, where laws vary from state to state. The privacy legislation in California is worth mentioning here. The State of California is considered by many to be the most strict regarding privacy and identity issues. California has set up a privacy office for this purpose and you can find the legislature details here.
Based on California’s laws Forrester Research recommends the following practices for Business organizations - these recommendations can be applied to any organization:
Pick a framework. The establishment of reasonable security is best built on a foundation that is recognized and accepted. ISO17799 is currently the leading and most accepted framework to build an information security program around. The framework provides a standard architecture to document controls and make sure that everything is covered.
Identify and classify information. The focus of reasonable security is around personal California resident data. Security is first established by classifying this data — define it, assign information owners, establish controls — and identifying where in the organization this information resides. Personal data may be classified into subcategories such as employee data and customer/client data.
Determine business partners that touch your data. Identify which business partner relationships touch and store personal data; this is a critical element that is directly addressed in the legislation. Your organization’s liability does not stop with organizational boundaries — you are required to see adequate security is established in third-party relationships.
As more and more confidential and sensitive data makes its way to mobile devices, there is an increasing need to improve its security (e.g. lock the phone or remotely wipe its data if it is stolen). The focus of this post, however, is to review the efforts of the Trusted Computing Group (TCG) to improve mobile device security: for example, to protect data stored on your device or to prevent thieves from assigning a new number to a stolen device, a common problem in Pakistan and elsewhere. The security of wireless data in transit is not in scope here.
TCG is a non-profit organization which was formed to develop open standards for hardware-enabled trusted computing and security technologies (building blocks and software interfaces across multiple platforms). Naturally it started with PCs and then moved on to other platforms. The TCG approach for mobile devices means that the operating system, platform, and application level functionalities, as well as SIM cards etc, interact in a secure, trusted manner. The TCG specifications enable trust in the mobile phone equipment itself.
TCG started working on how to extend the group’s PC security spec to the cellphone environment with its multiple stakeholders including users, carriers, OEMs and content providers. After 3 years of work, the Trusted Computing Group rolled out the Mobile Trusted Module (MTM), its standard for cell phone security, in September 2006. The spec is intended to help make it easier to protect mobile data and applications, although several hurdles lie ahead for broadly adopting it. The 100-page document is available at this page on the TCG site. The 4-page overview is an easier read but does not provide technical details.
About 50 companies worked to define the Mobile Trusted Module (MTM) spec. However, two of the largest cellphone chip makers—Texas Instruments and Qualcomm—did not participate in developing the spec. The only carriers involved in the work were Vodafone and France Telecom. It was supported by Motorola, Nokia, and Samsung on the handset side and Intel on the processor side. It is believed that handset makers will start delivering MTM-enabled devices by early 2008.
Information Week reports that:
MTM specifications will create an industrywide approach to developing mobile devices that includes stronger security, ensures data privacy, and reduces the risk of malware-ridden mobile devices infecting company networks. This protection will be a boon to businesses like Visa and MasterCard, which want customers to pay for purchases using mobile handsets that contain radio frequency chips that can be read at the point of sale.
The draft MTM specification is designed to supply the core framework, commands, and control specifications needed to provide the security building blocks within a mobile phone or one embedded in a PDA. The draft specification is designed to be complementary with existing mobile phone components, including subscriber identity modules and universal integrated circuit cards, and with specifications from industry organizations such as the Third Generation Partnership Project, Open Mobile Alliance etc.
Many of the MTM’s specs are already implemented in some phones such as the popular BlackBerry by RIM. For more than two years, RIM has offered Content Protect to protect data stored locally on BlackBerry devices. RIM has also given administrators the tools to remotely lock or wipe lost and stolen devices so their data can’t be accessed by thieves. Further technical description is ahead.
Search for “Cell Phone Snatching” in Google and many of the results will be about mobile phone snatching in Pakistan. It is a problem all over the world - but with the explosive growth of mobile phone subscribers in Pakistan this menace has also risen to an alarming proportion. As the media and bloggers have been pointing out, the IMEI blocking system put in place a few months ago by the government has many limitations and therefore its effectiveness is very limited. In addition to the technical aspect, this problem requires a combination of social, administrative and legislative solutions.
The cell phone industry is working on improvements to the hardware and chips to make the phones and the data on it more secure. However the set of standards and changes will take a while to reach us. What can we do now? A recent article in WIRED magazine has some interesting tips about fighting phone snatching. Of course none of these tips and techniques by themselves can effectively foil cell phone thieves and snatchers. The article suggests these:
4 Antitheft Technologies (Source: WIRED magazine)
• Screamer: The Remote XT harasses UK cell-swipers with a loud, high-pitched human scream (the service puts a recording of a woman shrieking on your phone). The system activates when the owner calls a hotline. The nerve-jarring wails accompany a complete data wipe and button lockdown, creating one useless piece of plastic.
• Gait and Voice Recognition: Researchers at Finland’s VTT Technical Research Centre are developing a sensor system that enables a phone to recognize its owner’s unique style of walking. The plan is to combine this gait monitor with voice recognition software, so if your gadget senses a different stride or vocal pitch, it locks up and requests a password.
• Holster Sensor: Canada’s Research in Motion (of BlackBerry fame) is working on a phone that pairs wirelessly with its holster. If the two get separated, the phone locks up and asks for a password, and an alert goes off on the holster, notifying the owner immediately – provided, of course, the thief didn’t steal the holster, too.
• GPS Tracker: Japanese mega telecom NTT DoCoMo introduced six handsets equipped with a GPS tracking service in October. If one of these phones goes missing, you can just log onto a Web site and locate it on a map. Then all you have to do is confront the pickpocket or get the police to give a damn about a stolen phone.
I’ll leave you with an advertisement clip from Sprint, a US company about using its phone as a crime deterrent. Some of you will find it hilarious.
As the price of smart phones falls, the popularity of email on mobile phones is on the rise. This is especially useful for business folks who need access to their email on the road. However the security of email and data over the phones is still flaky … and phones are also more likely to get lost or stolen. Intellectual property issues and lawsuits among technology companies are also common (see last paragraph).
According to press reports Warid Telecom in Pakistan has announced the launch of a Push Mobile Email solution for its consumer and business customers in partnership with Ericsson and Seven. This new solution is called Warid Mobile Email (WME). Warid customers subscribing to this service will have instant access to their company and personal email through their mobile handset.
This service is supported by a wide variety of handsets such as Sony Ericsson, Windows based phones, etc. Through Warid Mobile Email, Warid consumers will have secure access to their company and/or personal email. This service will allow consumers to send, receive, view, edit and delete emails or MS Office and PDF attachments instantly - just the way it is done from a personal computer.
Warid Mobile Email is a secure email solution from Seven. Leading telecom operators such as Vodafone, Hutch India, Maxis in Malaysia, Etisalat in UAE and many other leading operators around the globe are using push mail solution. Recently another e-mail technology company Visto won a final judgment in its patent infringement lawsuit against Seven Networks (see more at InformationWeek), another wireless e-mail provider. A U.S. District Court ordered Seven to pay Visto $7.7 million in damages and stayed an injunction against Seven that’s awaiting appeal.
The popularity of emails over the phone will continue to rise. The handset makers are aware of the security gaps and they are pushing for better technical standards to secure the data. More on this soon.
The Indian telecom market is again the topic of a political discussion about security and foreign telecommunication and technology firms. Recently the Chinese telecom equipment firms ZTE and Huawei were the issue but now Orascom has joined the list. Pakistan is a common link for all these companies.
As reported in Indian press here, the Egyptian telecom giant Orascom wants to pick up direct stake in Indian telecom companies. Currently, the company holds an indirect 10% stake in Hutch-Essar.
Orascom was being scrutinised by Indian Intelligence agencies since it was a key mobile player in Pakistan. CEO Naguib Sawaris says he needs more clarity on the government’s FDI policy. “The security issue surprises me, just because we operate in Pakistan does not mean our company becomes a threat to any nation’s security,” Sawaris added.
Orascom had sparked off the debate on the security issue of FDI from countries perceived to be a threat to India. The debate within the government continues.
For a review of ZTE and Huawei with India see this Business Week blog. Excerpts below:
Indian telecom operator BSNL disqualified the Chinese company from bidding for contract worth $4 billion for GSM equipment. The Indian government, through the Foreign Investment Promotion Board, had also prevented Huawei and ZTE from expanding their small presence in India.
Both Huawei and ZTE early this month won some business from state-owned operators. And now comes news that ZTE is teaming up with an Indian partner. The Shenzhen-based company plans on working with MCorpGlobal, according to the Economic Times, “to set up a service-based company, which will import, distribute and sell telecom equipment and also offer other telecom-related services in India.”
Clearly this is a setback for ZTE, which no doubt would have much preferred to stick with its original plan of going it alone in India.
It would be good for all 3 countries - China, India and Pakistan - to clarify such matters of security and investment rules in detail so that foreign companies can invest with confidence. The rules of 21st century blur the geographical borders faced in the past by global businesses and telecommunication technology is at the forefront of this push. There’s not much to be gained by pushing back.
According to recent news the Pakistan government has decided to set up a system to curb mobile phone snatching. Perhaps too many VIPs lost their phones! Anyway this is certainly a good initiative. It has been modelled after similar systems in other countries such as the UK.
The idea is to use the unique identifier for every phone – International Mobile Equipment Identity (IMEI) — and set up a database of stolen phones so that these phones can be locked. This is not going to stop the determined criminals but should act as a deterrent, at least. The success of this will depend on the implementation and the awareness and education of the users.
For full story: http://www.brecorder.com/index.php?id=465018
For more on IMEI: http://en.wikipedia.org/wiki/IMEI
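An added example, not part of the original post and not any operator's actual system: a minimal sketch of the stolen-phone database check described above, which validates the IMEI check digit and keys the register on the 14-digit TAC+serial so a 16-digit IMEISV from the same handset still matches. The names `imei_key` and `StolenPhoneRegister` and the sample number are hypothetical.

```python
import re

SAMPLE_BODY = "35123400567890"  # constructed 14-digit TAC+serial, not a real handset


def luhn_check_digit(body14: str) -> int:
    """Luhn check digit for the 14-digit TAC+serial part of an IMEI."""
    total = 0
    for i, ch in enumerate(reversed(body14)):
        d = int(ch)
        if i % 2 == 0:  # double every second digit, starting beside the check digit
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return (10 - total % 10) % 10


def imei_key(raw: str) -> str:
    """Normalize user or network input to the 14-digit key, or raise ValueError."""
    digits = re.sub(r"[\s./-]", "", raw)  # strip common separators
    if not re.fullmatch(r"[0-9]{14,16}", digits):
        raise ValueError("IMEI must be 14-16 decimal digits")
    body = digits[:14]
    # Only the 15-digit form carries a check digit; IMEISV (16) carries a
    # two-digit software version instead.
    if len(digits) == 15 and int(digits[14]) != luhn_check_digit(body):
        raise ValueError("IMEI check digit mismatch")
    return body


class StolenPhoneRegister:
    """In-memory stand-in for the stolen-phone database (assumption)."""

    def __init__(self):
        self._blocked = set()

    def report_stolen(self, raw: str) -> None:
        self._blocked.add(imei_key(raw))

    def check(self, raw: str) -> str:
        # A malformed IMEI cannot be matched to a stolen record, so it is
        # reported separately rather than silently allowed.
        try:
            key = imei_key(raw)
        except ValueError:
            return "invalid"
        return "blocked" if key in self._blocked else "allowed"


if __name__ == "__main__":
    reg = StolenPhoneRegister()
    imei = SAMPLE_BODY + str(luhn_check_digit(SAMPLE_BODY))
    reg.report_stolen(imei)
    for candidate in (imei, SAMPLE_BODY + "07", "490154203237518", "12345"):
        print(candidate, reg.check(candidate))
```
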
With the growing proliferation of technical gadgets the pains of security are being felt by more and more users – it used to be your PC which often fell victim to hackers or viruses. The next big thing seems to be the cell phone – more ubiquitous than PCs, cell phones are subject to fraud, hacking and of course plain old fashioned crime — stealing. Depending on your location one of the above security issues may be a higher priority than others. In Pakistan cell phones have always been popular with street robbers. Even in some parts of London theft of mobiles accounts for 35% of street robberies! Now the trend has evolved to hacking, that is cyber robbery – identity theft or prepaid card balance theft. It was reported in the news that “Hackers attack pre-paid GSM connections”.
SIM (Subscriber Identification Module or Subscriber Identity Module) is a specific type of smart card for GSM systems holding the subscriber’s ID number and other information & settings, thus allowing him/her to call from any GSM device. In essence, it is the subscriber’s authorization to use the network. SIM is also supposed to provide location security and call content confidentiality (encrypting traffic between handset and base station). The SIM has these 3 numbers:


