INTERVIEW OF THE PRESIDENT OF PAKCERT FEATURED IN THE MAY 2002 ISSUE OF @INTERNET MAGAZINE

Security begins with YOU!
Interview by Sabaina Bukhari & Syed Asim Ali

An enlightening tête-à-tête with the energetic Qazi Ahmed of PakCERT

Computer and network security has been a problem in Pakistan for the last couple of years. Hackers, both inside Pakistan and elsewhere, are slashing away at easy, vulnerable targets. Ranging from the intelligent, diligent, and knowledgeable intruder, to the bored, having-nothing-better-to-do script kiddy; they all pose an obvious threat to your network.

The PakCERT Coordination Center (PakCERT/CC) is dedicated to provide you the latest security alerts and advisories to help you build a secure network. PakCERT is a member of Asia Pacific Security Incident Response Coordination Working Group (APSIRC-WG).

Qazi Ahmed is the President, Director, of PakCERT. We talked to him about the various aspects of PakCERT's operation, and goals. He gave us an insight into the network security arena here in Pakistan. Here are the excerpts from our discussion with him.

@internet: Why PakCERT? How did the idea originate?

Qazi: Internet crimes are on the rise all over the world as different breed of hackers and making regular runs against all types of Internet communities. It could be a normal PC connected to the Internet just to check e-mail or surf the Internet, a corporate server dealing in online transactions, an ISP access, a mail server, or a government-owned computer system; there is no exception. Internet security has been as issue of major concern for quite sometime now, as hackers are now targeting government and corporate services to steal information and render machines and servers incapacitated. The hackers, whether intelligent of mere script kiddies, just want to put "I 0wn j00" (I own you) on your web site; chalking up one more web site defacement to their name.

Incident response and security teams continue to form around the globe. But we never had any Emergency Response Team in our country to create awareness among the local community about the ins and outs of computer security. Security has been my passion for years and I always wanted to do something in the field of security for the country. There are many CERTs around the world like SingCERT (Singapore), AusCERT (Australia), JPCERT (Japan), HKCERT (HongKong, China) etc. but there was no CERT for Pakistan. So I decided to take this step and formed PakCERT.

@internet: What is APSIRC?

Qazi: PakCERT is currently a member of the Asia Pacific Security Incident Response Coordination (APSIRC), a working group of the Asia Pacific Network Group. APSIRC is a team of all Computer Emergency Response Teams working the Asia Pacific region. APSIRC-WG arranges meetings and seminars and coordinates with other APSIRC members regarding security related issues.

@internet: In your opinion, why is a CERT needed?

Qazi: Computer security is the need of today's world. Everything is going online. Being online could be a fortune and also your worst nightmare. Not many people have the idea of computer security and not everyone can put a lot of time reading books or researching security vulnerabilities. Different countries have different type of computer communities. Some are very mature about security and some are not. Hence, there needs to be a centralized place for every country where the specific community can find the latest security information which it can easily understand and implement. CERT is the solution. Every CERT, responsible for its country, works according to its community.

@internet: Any problem you faced in the formation of such an organization?

Qazi: Well, I faced a lot of problems during the formation of PakCERT. Not many have the idea of CERTs and security services. The main thing is that our people don't know much about security and thus they are not serious about it. Those who have a small idea are not updated, and are not ready to accept a change. So getting people realize the need, and understand the importance of the establishment of such an organization was the first major challenge.

@internet: What are the objectives of PakCERT?

Qazi: Among our goals is the promotion of cooperation amongst IT constituents in Pakistan for the effective prevention, detection, and recovery from computer security incidents. PakCERT provides a means for the dispensing of alert and advisory information on potential threats and emerging security breach situations.

@internet: What sort of customers do you have?

Qazi: At the moment, we have customers ranging from ISPs, hosting companies, government organizations, e-commerce portals, private companies, and hospitals.

@internet: For many of us, computer security is still considered an alien phenomenon. Talk about security and you will hear a dozen firewall names, encryption techniques, and blah, blah. No, it's not just like that. How can you stop an intruder cracking into your web site even if you have a firewall installed on the server with only one port open, which is using Secure Socket Layer (SSL) to provide the web services? If you are running a vulnerable web server, then an intruder needs nothing but a piece of code to exploit the web server itself! Once your server is compromised, the intruder can use the SSL to transfer data on his/her computer so that no one can see the intruder's activity. The thing to understand here is that computer security is not a tool or software which you can download or install and feel safe.

Qazi: Many of the system administrators, especially ones here in Pakistan, don't care much about security. They think security is about taking backups and restoring data after the intrusion. People have a lax attitude towards the concept of security because they have little or no knowledge about it, and sorry to say, many of them portray computer security as a "mission impossible" because they feel insecure about their jobs! No, I am not satisfied with the security trends here.

@internet: What is Ethical Hacking? What are the PakCERT Ethical Hacking Services about?

Qazi: To learn about Ethical Hacking, you first have to know the real meaning of 'hacker' and 'hacking'. The media loves to call every other intruder, crack, or script kiddy a hacker. Hacking is not about getting into systems or sabotage. Traditionally, the term 'hacker' means one who tinkers with unfamiliar systems in an effort to gain insight or to re-engineer it for the better. A 'Cracker,' on the other hand, refers to those malicious hackers who break into systems for fun or profit. According to hackers, the code of hacker ethics prohibits any profit from their activities. In fact, their motive for such practices is the activity itself. Hence, they divide themselves into "white-hat" hackers (ethical hackers) and "black-hat" hackers (crackers).

PakCERT Ethical Hacking Services were introduced to provide anyone the means to protect their valuable information assets by giving organizations and individuals direct access to hackers and other IT professionals not usually available for hire. We protect the information assets of our clients through the use of education, technology and experience, while maintaining the strictest levels of confidentiality in the industry. Armed with the latest exploit codes and techniques the underground is using for years to compromise your networks, we use the same techniques to harden your network from such intruder attacks.

@internet: What are your future plans for your organization?

Qazi: Looking at the local community, we have realized that we need to start teaching people about security from scratch. People are still impressed by the kids who use trojans to enter and take control of your computer, or script kiddies defacing web sites. We have conducted some seminars to create awareness about computer security and are planning a series of seminars in different sectors. Any company, institute or university interested can contact us and we will arrange one for them.

 

All rights reserved. Copyright© PakCERT 2000-2024