Internet Security and Privacy Lab

ISLAMABAD: The Arms Control & Disarmament Centre (ACDC) at the Institute of Strategic Studies Islamabad (ISSI) organised a seminar on “Ensuring Traditional Security through Technology Optimisation” on Tuesday, said a press release.

ISSI holds seminar on ‘ensuring traditional security through technology optimisation’ ISLAMABAD: The Arms Control & Disarmament Centre (ACDC) at the Institute of Strategic Studies...

"Washington State University will begin offering a new undergraduate cybersecurity degree starting in fall of 2023, thanks to $2 million in Washington state funding.

The new program aims to meet burgeoning demand for computer scientists with expertise in cybersecurity."

New cybersecurity degree offered - WSU Insider The program begins this fall thanks to $2 million in Washington state funding. It aims to meet growing demand for cybersecurity experts.

"Cybersecurity is a complicated field, and any way to simplify its many facets into short, easy-to-remember maxims is always welcome. The five laws are a very good start towards developing a robust security program."

Reexamining the “5 Laws of Cybersecurity” | The State of Security Cybersecurity is a complicated field, and any way to simplify its many facets into short, easy-to-remember maxims is always welcome.

A week after prominent technologists publicly slammed crypto for being too risky and unproven in a letter to Congress, human rights advocates from around the world have sent a rebuttal to U.S. lawmakers defending digital assets for the access they provide to people in countries where “local currencies are collapsing, broken, or cut off from the outside world.”

Human rights advocates say bitcoin critical in authoritarian countries - Verve times WASHINGTON — A week after prominent technologists publicly slammed crypto for being too risky and unproven in a letter to Congress, human rights advocates from around the world have sent a rebuttal to U.S. lawmakers defending digital assets for the access they provide to people in countries where ...

"The United Kingdom's National Cyber Security Centre (NCSC) has announced a new email security check service to help organizations identify vulnerabilities that could allow attackers to spoof emails or lead to email privacy breaches.

While the Email Security Check service will only be able to identify vulnerabilities that cybercriminals can discover, its goal is to help organizations identify them before they're exploited and the email domain targeted in attacks."

UK govt releases free tool to check for email cybersecurity risks The United Kingdom's National Cyber Security Centre (NCSC) today released a new email security check service to help organizations easily identify vulnerabilities that could allow attackers to spoof emails or can lead to email privacy breaches.

“Pakistan is among the 10 most targeted countries in the world, so copyright and trademark offences need international legislative responses and countries cooperation on cybercrime. Pakistan must ensure system security hardening, revision of PECA-2016 to PECA-2022 as well as social media roles with the help of establishing telecom operators approved by the PTA.”

63rd meeting of SDPI’s Study Group on ICT: Expert speaks about cybersecurity challenges ISLAMABAD: Over the years, Pakistan has survived numerous cyber-attacks from multiple state and non-state actors,...

Miscreants have dumped on Telegram more than 142 million customer records stolen from MGM Resorts, exposing names, postal and email addresses, phone numbers, and dates of birth for any would-be identity thief.

The vpnMentor research team stumbled upon the files, which totaled 8.7 GB of data, on the messaging platform earlier this week, and noted that they "assume at least 30 million people had some of their data leaked."

MGM Resorts' customer data now leaked on Telegram for free Meanwhile, Twitter coughs up $150m after using account security contact details for advertising

"Pakistan can generate revenues worth at least $90 million (around Rs19 billion) annually through a 15 percent tax on the trade of cryptocurrency under hard-and-fast regulations, industry officials said on Tuesday."

‘Regulated crypto trade can prove a revenue goldmine for Pakistan’ ISLAMABAD: Pakistan can generate revenues worth at least $90 million annually through a 15 percent tax on the trade of cryptocurrency under hard-and-fast regulations, industry officials said on...

GCC banks are managing their exposure to cyber risks effectively through investment in digital security, according to S&P Global Ratings.

Strong profitability, capitalisation and liquidity provide a financial buffer to the region's lenders against potential cyber incidents, the rating agency said in a report.

Gulf banks have managed to move their activities online during the Covid-19 pandemic with minimal disruption, owing to “years of investment in infrastructure and systems”.

GCC banks minimise cyber risks with strong investment in digital security, S&P says Strong profitability, capitalisation and liquidity provide a financial buffer to lenders against potential cyber incidents

"A major cyberattack was reported on government of Pakistan websites, the Ministry of Information Technology and Telecommunication confirmed on Tuesday. However no data theft was reported."

Major Cyberattack Hits Govt of Pakistan Websites A major cyberattack was reported on government of Pakistan websites, the Ministry of Information Technology and Telecommunication confirmed on Tuesday.

"The car industry will continue to grow and propose more services for sure, so the attack surface will continue to grow; that means that this issue will continue so the hackers can continue to monetise, that is their main goal.

From data we have, we can see that the number of cyber-attacks on cars increased to 125% from 2018 to 2021, this is a huge increase. Carmakers have to change their model and they have to do that quickly because the competition is very high."

Cybersecurity, a growing threat for the automotive industry Honda was found to have a vulnerability that allows cybersecurity hackers to remote start vehicle engines and unlock them from a nearby distance.

"Consumers from three private banks were affected by an online debit card scam just before Eid ul-Fitr ... With the growing use of digital banking over the last two years, data breaches have become increasingly frequent in Pakistan, despite the banking regulator and relevant ministry issuing a strong cybersecurity strategy.

In the last six months, data breaches have affected not just banks, but also numerous government organisations, including the Federal Board of Revenue (FBR)..."

Digital threats | Political Economy | thenews.com.pk Commercial bank customers hit by online fraud

"Cyber threats and attacks are no longer limited to Hollywood blockbusters – organizations, big and small, need to take precautions and be ready to face crypto jacking, denial-of-service (DOS) attack, hacking, data breaches, malware, insider threats or insecure applications by implementing better policies that can guarantee a secure environment in a changing digital world.

Despite the shift from centralized computing to cloud-based services – which is more secure – it has become essential for businesses to identity a range of security gaps and figure out a way to fix them."

A cybersecurity solution? Malware malfunction Remember when Trinity removed a bug from Neo’s stomach in the Matrix – what if you had a similar option to get...

"Pakistan’s National Cybersecurity Policy 2021 mentions taking retaliatory measures in case of aggression on Pakistan’s critical infrastructure. Its objective states that ‘[It] Will regard a cyber-attack on Pakistan CI/ CII as an act of aggression against national sovereignty and will defend itself with appropriate response measures.’ However, the deterrence mechanism mainly followed by the policy is deterrence by denial – denying any benefit to the attacker."

Cyberspace policy According to the Identity Theft Resource Centre , the total number of data breaches in 2021 was 1,291 compared to 1,108 breaches in 2020. Cyber security experts estimate that by 2025 global...

"The digital world is so vulnerable to virtual threats that no country can claim to have achieved fool-proof cybersecurity; however, the states can maximize the security of IT systems. The issue of cyber threats and security is getting prominent globally. It is transcending the political, social, and private boundaries."

Cyber threats: A case study of Pakistan A state can achieve its nefarious goals by employing its resources in the cyber domain by proxy non-state actors.

"Full cybersecurity awareness must cover both offense and defense. It’s essential for stakeholders to have an understanding of both new and emerging threats and the latest developments in defensive tools and strategies. Here, 15 industry experts from Forbes Technology Council discuss recent developments in industrial and business cybersecurity every organization’s leadership team should be aware of, and why they’re so important."

Council Post: 15 Tech Leaders On The ‘Next Big Thing’ In Cybersecurity Knowing about the “next big thing” in cybersecurity—even if it’s only a potential threat—helps organizations prepare and protect their and their customers’ data.

"Thales is opening a new Cyber Security Operations Center (SOC) in Morocco, the sixth in its international network. This center will provide real-time protection against cyber-attacks in the country and across the African continent as a whole."

Thales Launches Its Sixth Cyber Security Operations Center in Morocco to Serve the African Continent Thales is opening a new Cyber Security Operations Center (SOC) in Morocco, the sixth in its international network. This center will provide real-time

"The most transformative invention in the last century has to be the internet, which is bending the arch of human history towards democratisation of power, disinformation and making daily life a little easier. Today, in a poetic twist, the internet which disrupted so many industries is on the cusp of being disrupted itself. Web 3.0 is the most significant disruption to the internet since the internet was invented. But what in the world is Web 3.0, beyond the Bitcoin bubble?"

Is Web 3.0 a $100 billion opportunity for Pakistan? | The Express Tribune The emerging ecosystem is expected to grow from around $1.5 trillion to almost $50 trillion by 2030

"Recent examples show that AI and other measurement tools can provide meaningful assessments. Time to make cybersecurity efficacy a thing."

Yes, you can measure cybersecurity efficacy Recent examples show that AI and other measurement tools can provide meaningful assessments. Time to make cybersecurity efficacy a thing.

“We put so many resources into ’locking up’ using technology that we forget about the back doors in the organization, and that’s usually people,” said Pearlson, who has a doctorate in business administration with a focus on management information systems. “We need a culture of cybersecurity because you can’t tell everyone everything they need to do. You need them to understand that organizational safety is part of what they need to do in today’s world.”

How to build a culture of cybersecurity | MIT Sloan Technology and training are not enough to safeguard companies against cybersecurity attacks. Here’s how to infuse safe behavior into corporate culture.

"Sharing the details of the cloud first policy, Minister for Information Technology Syed Amin-ul-Haque said that the technology policy “would help develop a common platform for all public sector departments,” allow easier management of data and help save time and money.
However, cloud first strategy should not be mistaken for a cloud-only strategy. “Pakistan’s objective should be cloud smart policy as one size doesn’t fit all and it has to be about equipping departments with training and tools they need to move to the cloud that fits their requirements,” Ali said."

https://gulfnews.com/world/asia/pakistan/pakistan-approves-cloud-first-policy-to-enable-digital-transformation-1.85772602

Pakistan approves cloud first policy to enable digital transformation Cloud service will allow flexible, easier management of data and help save time and money

Misinformation has become an increasingly prevalent and concerning phenomenon, especially when relevant to political, economic, and societal issues.
Attend TPI's panel discussion tomorrow to learn about the role of socio-cultural factors in the spread and acceptance of misinformation, the types of misinformation prevalent in the country and factors which play a role in countering the spread of this misinformation.
When: Friday, 18th March, 2022 from 12 to 1 pm
Zoom link: https://lums-edu-pk.zoom.us/j/97800815630

Misinformation has become an increasingly prevalent and concerning phenomenon especially when relevant to political, economic, and societal issues.
TPI is excited to invite you to a panel discussion on the role of socio-cultural factors in the spread and acceptance of misinformation, the types of misinformation prevalent in the country and factors which play a role in countering the spread of this misinformation.
When: Friday, 18th March, 2022 from 12 to 1 pm
Zoom link: https://lums-edu-pk.zoom.us/j/97800815630

"In the unprecedented 2020-21 push to cloud, the dearth of talent to manage hybrid environments became the number-one hot-button issue. Here are the top issues that have arisen:

- Lack of talent required to manage cloud 45%
- Increased cybersecurity/data privacy concerns 44%
- Difficulty integrating cloud services/data 34%
- Lack of end-to-end visibility across the technology environment (in cloud and on-premises) 31%
- Increased costs 24%
- Making rushed choices that create more work later on (e.g., technical debt) 23%"

Are we getting ahead of our abilities in the headlong rush to cloud? Applications and data may be getting handed over to the cloud, but oversight of cybersecurity, monitoring and new service development remains an in-house commitment.

IBM’s X-Force Threat Intelligence Index 2021 noted that nearly 36% of server access attacks observed in 2020 targeted the finance and insurance sector.
Solutions based on outcomes is really important: Venture capitalists have focused on where they will make money out of cybersecurity tools as opposed to what actually protects the customer. Financial services institutions are demanding more from their vendors: not just a compliance tool but something which gives real protection.

https://capital.com/cybersecurity-in-fintech

Cybersecurity in Fintech: Challenges and prospects Cybersecurity in Fintech: Challenges and prospects By Angela Barnes Edited by Alexandra Pankratyeva 17:44, 15 February 2022 Share this article Tweet Share Post Have a confidential tip for our reporters? Get In Touch Cybersecurity in Fintech: Challenges and prospects – Photo: ShutterstockFinancial ...

A three million global staffing shortage in cybersecurity has been highlighted in 2021: a gap that could be substantially closed if women were proportionately represented in the industry.
Women have stayed away from cybersecurity because of the associated stereotype that STEM is better suited to men, the pay differentials, and the difference in treatment of the two within in the industry. With the increasing staffing shortage cybersecurity companies are now increasing an emphasis on recruiting and retaining females in the workforce by changing their internal processes and environments.

https://cybersecurityguide.org/resources/women-in-cybersecurity/

Women in Cybersecurity This guide aims to provide the tools to encourage women to pursue a career in cyber security. Find tips, scholarship information, and helpful resources.

"...security is often the last thing we want to address because it tends to slow down everything else.
However, the sooner we discover our sources of risk, the better equipped we will be to create effective mitigations for them. We may still end up running 75% of our containers with high or critical vulnerabilities, but if we have actively considered the risk associated with those vulnerabilities and implemented controls to reduce it, our security posture may not be so bad."

https://www.darkreading.com/cloud/if-the-cloud-is-more-secure-then-why-is-everything-still-broken-

If the Cloud Is More Secure, Then Why Is Everything Still Broken? The sooner we discover sources of risk, the better equipped we will be to create effective mitigations for them.

"On one side, we have entities defending the internet’s freedom of expression as a fundamental human right. On the other, cautionary tales of misinformation and fake news haunt the open and safe digital realm. However, understanding the difference between oppression and protection is crucial. Internet safety won’t be as sweet if users cannot engage in healthy conversations or find transparent news."

https://www.telecomlead.com/broadband/internet-security-and-privacy-as-new-digital-freedom-103417

Internet security and privacy as new digital freedom - TelecomLead On one side, we have entities defending the internet's freedom of expression as a fundamental human right. On the other,

"Microsoft announced a seemingly minor tweak with massive implications: Beginning in April, macros will be disabled by default in files downloaded from the internet ... At least a quarter of ransomware attacks against businesses or other organizations start with phishing attempts, which often dangle a malicious document laced with tainted macros, according to Brett Callow, a threat analyst at the antivirus company Emsisoft."

https://www.wired.com/story/microsoft-disables-macros-default-security-phishing/

Microsoft's Small Step to Disable Macros Is a Huge Win for Security Word and Excel files you download from the internet just got a whole lot safer.

"We’re closing in on two full years of mitigating the Covid pandemic. And it has certainly sped up digital transformation efforts ... Cybercriminals are well aware of vulnerabilities associated with the adoption of new applications and from mass anxiety and uncertainty. Security teams are developing new tools and end-user strategies to defend organizations against targeted cyberattacks ... It’s a constant cat-and-mouse game, but the attackers have the advantage because they only need to be right once, and defenders need a 100% score."

https://www.forbes.com/sites/forbestechcouncil/2022/02/15/metaverse-as-the-new-attack-vector-and-other-security-headlines-to-come-in-2022/?sh=50ec3d183d00

Council Post: Metaverse As The New Attack Vector And Other Security Headlines To Come In 2022 Cybercriminals are well aware of vulnerabilities associated with the adoption of new applications and from mass anxiety and uncertainty.

“We are in a world that sits on data, and there is critical, sensitive Pakistani information that should stay within our borders. For that to happen, we need top-class, foolproof cloud infrastructure in the country. In this regard, the draft cloud policy seems encouraging and the industry has given its input," says Jazz’s Chief Business Officer, Syed Ali Naseer.

https://www.brecorder.com/news/40153080

Pakistan needs ‘foolproof’ cloud infrastructure: Jazz official ISLAMABAD: Jazz’s Chief Business Officer, Syed Ali Naseer believes Pakistan’s current ICT policies focus...

In general, there appears to be an inverse correlation between the stringency of COVID lockdowns and the volumes of downloader activity. The more stringent the lockdowns, the less of this activity we see. This general observation appears to hold for other forms of malware activity also. As we had already observed in earlier research, this runs contrary to the prevailing narrative that attacks increase when users are working from home.

https://thehackernews.com/2022/02/covid-does-not-spread-to-computers.html?_m=3n%2e009a%2e2673%2ejf0ao44ais%2e1pbi

COVID Does Not Spread to Computers "…well, of course!" is what you might think. It's a biological threat, so how could it affect digital assets?

In the 2021 report, IBM found that, on average, it takes an average of 212 days to identify a breach and then another 75 days to contain the breach, for a total of 287 days.

With the time required to identify and contain data breaches steadily increasing, we need to rethink the traditional cybersecurity approach. It seems companies keep throwing more money, more technology, and more bodies at the problem, yet achieving the same (or worse) results. Cynet is one company that seems to be approaching the problem differently by combining multiple prevention, detection, response, and automation capabilities on a single, unified breach protection platform.

https://thehackernews.com/2022/02/cynets-keys-to-extend-threat-visibility.html

Cynet's Keys to Extend Threat Visibility A new solution overview document provides insights on how XDR provider Cynet tackles the difficult problem of greatly improving threat visibility.

"A new approach which is becoming more common is adding a stage before the fraud detection phase: positive validation. The overwhelming majority of customers are real people ... If most of them can be identified confidently at the start, then the fraud detection problem becomes more manageable.

New technologies continue to increase the ways in which fraud prevention professionals can work together ... All this is a real basis for hope."

https://www.helpnetsecurity.com/2022/01/24/fraud-detection/

Fraud detection is great, but you also need prevention - Help Net Security In this interview with Help Net Security, Itay Levy, CEO of Identiq, talks about the importance of fraud detection.

Individuals’ personal data is protected by data-protection legislation, which governs the collection, use, transfer, and disclosure of such data.
MOITT had introduced the Personal Data Protection Bill 2021 (‘the Bill’), which is yet to be promulgated into law. The Bill, once enacted, will be the main legislation regulating controllers and processors of personal data in Pakistan and will apply to any person who processes, has control over, or authorizes the processing of any personal data, provided that the data subject, data controller, or data processor (either local or foreign) is located in Pakistan.
https://www.pakistantoday.com.pk/2022/01/21/why-does-data-privacy-matter-for-pakistan/

Why does data privacy matter for Pakistan? - Pakistan Today Data is something that is all around us and is created in almost every action we do in the digital world. We actively exchange data online, and data is generated whenever we perform any activity only. Booking a ticket online, ordering a meal from a food delivery app, or using public transit, all con...

"As card-not-present (CNP) digital payments registered explosive growth throughout 2021, 3-D Secure transaction volume also scaled ... transactions grew nearly 50% compared to the same time period in 2020.

Payment transaction fraud has skyrocketed to new heights ... digital business must prioritize strong and effective fraud prevention measures like 3-D Secure in order to protect their brand and their customers.”

https://www.helpnetsecurity.com/2022/01/24/brand-abuse-attacks-spike/?web_view=true

Spike in brand abuse attacks, 3-D Secure transaction volume rising - Help Net Security Outseer has published its latest Fraud & Payments report, confirming a troubling and massive spike in worldwide brand abuse attacks.

Pakistan to face debt crisis, failure of cyber security: World Economic Forum survey

"The 'Global Risk Report 2022' has listed five risks facing Pakistan with top risk of the debt crisis, followed by extreme weather events, failure to stabilise price trajectories, failure of cyber security measures and human-made environmental damage ... Meanwhile, cyber security threats are growing - in 2020, malware and ransomware attacks increased by 358% and 435% respectively."

https://www.aninews.in/news/world/asia/pakistan-to-face-debt-crisis-failure-of-cyber-security-world-economic-forum-survey20220112220212/

Pakistan to face debt crisis, failure of cyber security: World Economic Forum survey Islamabad [Pakistan], January 12 (ANI): The 'Global Risks Report 2022' has listed five risks facing Pakistan with top risk of the debt crisis, followed by extreme weather events, failure to stabilise price trajectories, failure of cyber security measures and human-made environmental damage, local me...

"It is important to keep in mind that cyberspace is a prerequisite for the existence of universal capitalism in its current form.
By 2000, all terrorist groups virtually had set up their online presence around globe and cyber space activities were conducted by terrorist organizations operating in Pakistan.
Cyber-armies are the unseen military cyber power which countries should employ to maintain national cyber security."

https://tribune.com.pk/story/2338876/should-pakistan-have-a-cyber-army

Should Pakistan have a cyber army? | The Express Tribune Could our country’s security apparatus do with a force of professionals well versed in state-of-the-art IT knowledge?

Happening tomorrow at 12 p.m. in the LUMS CS Department Smart Lab:

Uncovering Novel Partitioning Attacks on Bitcoin

Abstract:
The Bitcoin blockchain security relies on distributed mining power, physical network synchrony, and overlay network scalability. While these security primitives can be theoretically provisioned through various network configurations, their practical manifestation cannot be guaranteed due to the permissionless anatomy of the Bitcoin network. In this talk, I will contrast the theoretical underpinning of the Bitcoin network against its practical deployment to uncover novel partitioning attacks that violate the Bitcoin blockchain safety properties. More precisely, I will present the biased distribution of Bitcoin nodes across Autonomous Systems (ASes), the network asynchrony in the communication model, and a high churn rate among the Bitcoin nodes. By contextualizing those observations in adversarial settings, I will iteratively demonstrate how each observation relaxes the notable partitioning attacks, eventually allowing an adversary to double-spend without using any mining power. I will conclude the talk by discussing the open research problems in the blockchain community.

About the Presenter.
Muhammad Saad is a research scientist at PayPal. He is a LUMS alumnus and recently completed his Ph.D. from the University of Central Florida. Saad’s Ph.D. thesis was on blockchain systems security, and he has received 572 citations across twenty publications with two best paper awards.