Naureen Aqueel

Archive for July 2009

An edited version of this article was published in CIO Pakistan, July 2009.

The current humanitarian crisis in Swat has given the online community another chance to rise up to another round of digital activism to mobilize support for a cause. The current campaign of the Pakistani blogging community to mobilize support for the Internally Displaced Persons (IDPs) has earned accolades in the international media.

The Pakistani blogging community in the past few months joined hands to spread awareness about the plight of the IDPs and to call for action to mobilize monetary support for the refugees. Popular Pakistani blog Teeth Maestro has, as always, been playing a prominent role in the campaign. These bloggers or citizen journalists aim to make a difference by appealing to the national and international community for support.

The blogs have featured posts highlighting the conditions of the IDPs and those providing updates about relief operations in IDP camps. Teeth Maestro, for example, also posted links to real-time Twitter updates on the issue.

The campaign to mobilize support for the IDPs is thus not limited to bloggers. In fact, including the new media into the picture, one can see social networking communities like Facebook, Orkut and Twitter also playing a commendable role in the campaign. Furthermore, mobile social networking platforms like Chopaal, an initiative by students of LUMS university to provide a web-based SMS service that brings together people of similar interests and keeps them updated on each other’s activities, are also players in the field. Chopaal set up a group called “IDP” in an effort to quicken the notification process for volunteer opportunities for its members. So, now volunteer opportunities and efforts to mobilize support for the affected citizens of Swat were there right at your fingertips. In this day and age, this leaves no chance for anyone to plead ignorance—it’s time to get out and act!


An edited version of this article was published in CSO Pakistan, July 2009.

The hi-tech digital era has opened the door to a range of possibilities and risks. Where on the one hand we have access to connectivity and easy access and management of information, the risks involved have also increased. Information is now more vulnerable to misuse as more and more of our storage systems become digitalized. In fact, most companies, bodies and institutions now store, collect and process their sensitive and confidential information on computers. The need to protect this sensitive information therefore becomes ever more important in a world where risks to information security are evolving with the same speed and frequency at which the cyberspace advances.

While Information Security (IS) is getting an increased amount of attention lately, the field is still new in Pakistan. Qazi Ahmed, founder of PakCERT, is one individual working to secure the Information landscape of the country. Speaking about awareness of Information Security among Pakistan’s enterprise community, Ahmed recounts, “When I started PakCERT back in February 2000, most organizations had no clue about security. This was mainly because most companies were not relying much on technology and so there were hardly any businesses that could understand the risk of a security breach or downtime. During 2004-2006, security became a buzzword but there was a lack of security awareness and workforce to understand and show the importance of security to the organization. Luckily, during the past two years there is an increase in people taking security as a profession and these professionals are going for industry leading certifications and trainings and thus bringing back security knowledge and showing its importance to their organizations. Security awareness now is far better than what we had back in those years but the enterprise community still needs to adopt a more practical approach leading into the right direction.”

PakCERT Security Services is an organization aiming to provide anyone the means to protect their valuable information assets by giving organizations and individuals direct access to hackers and other IT professionals not usually available for hire. The organization employs the latest exploit codes and techniques the underground has been using for years to exploit networks. It uses the same techniques to harden networks from intruder attacks.

Ahmed is the Pakistani who discovered a critical security flaw in MSN’s Hotmail/.NET Passport services in 2003. “It was April 2003 when while helping my brother reset his hotmail account, I found the hotmail password process a bit insecure and decided to test it since such vulnerability research was never made from Pakistan,” narrates Ahmed. “It took me only a couple of hours and some test email addresses along with HTTP protocol testing tools to discover two serious security vulnerabilities. First vulnerability allowed me to bypass the date of birth verification process and the second vulnerability allowed me to reset any hotmail/msn account and receive the password reset link on my own email address. I made it public in May 2003 during a press conference in Karachi and it was covered by major online and print media. It was very surprising for the rest of the world to know that a Pakistani discovered such a critical security flaw in Hotmail/.NET Passport services.”

Institutions ranging from private businesses and corporations to government bodies and the military all use computers to collect, store and process their sensitive information. Keeping in view the damage that a breach of any of their confidential information systems could cause, it is vital for these institutions to realize the importance of a proper system of information security for the protection of their valuable information assets. Information security therefore becomes vital for everyday transactions as well as for protecting stored information.

With respect to the corporate enterprise, Ahmed sees many loopholes in the security landscape. He attributes this to a lack of training and a lack of awareness among IT professionals and programmers. “Organizations are relying greatly on technology solutions to run their businesses with a keen interest to adopt the latest technology trends,” says Ahmed. “Customized web applications and databases are getting common and so are interactive websites to connect employees, partners and customers and this introduces one big problem; complicated code. Programmers are not properly trained for secure programming and often leave the web application vulnerable to different attacks. At the same time, IT and IS professionals are only trained on vendor products and cannot understand the risks associated with such customized code. Organizations have focused only on external attacks but due to increase in malware, phishing scams and internal threats as well as end user mistakes companies are now trying to focus on internal security as well. Traditional security products and standards which are usually implemented as a silver bullet are failing and companies are now looking for more rigorous solutions like Vulnerability Assessment and Penetration Testing to get a feel of real attacks and see how traditional security controls can be thwarted by hackers and how such vulnerabilities can be fixed for good.”

Ahmed points out that in most local companies security often comes as an afterthought and is not given the attention it deserves right from the beginning. “Even though most companies have traditional security measures in place like antivirus, firewalls and access controls but without proper information security management and auditing, such traditional security measures do not give expected results,” he says. “Most of the time good security practice is an afterthought and sometimes good security practice is taken as a temporary attempt to patch a vulnerability till they get hit by the next one. There are organizations which are very serious about protecting their information assets but are lost in the technology jargons, standards and vendor products. Organizations need to understand that products and standards provide a minimum baseline and not a fool proof security environment. I have worked with many clients some of which had a good layered approach in terms of security with antivirus, firewalls, IDS, VPN, and different IS standards in place to protect their information assets but they lacked proper understanding of technical attacks and were still vulnerable. It is indeed scary but I would share that I still boast of a 100% penetration rate and yes, this means that every organization for which I performed a Penetration Test had a critical security vulnerability leading to a compromise!”

In such an alarming scenario, Ahmed quite rightly stresses the need for a proper and separate arrangement for IS in local companies. Most organizations in the country tend to couple the budgets and work of the IT and IS departments. Ahmed strongly disagrees with such practices. “Coupling budgets and work for IT and IS departments would hamper the functionality and priorities of IS department,” he explains. “Just like CFI/CIO/CTO, the IS department should be headed by a CSO/CISO aligning the scope of Information Security with the rest of the business functions with separate budget and work force.”

One of the most common mistakes that organizations make in terms of their security policy and execution according to Ahmed is neglecting the importance of end users. “Organizations neglect the importance of end user when creating security policies,” he points out. “Often it’s the weakest link which breaks the overall information security chain. End user education regarding security awareness is very important. End user is bound to make the same or new mistake again unless the organization regularly conducts security awareness programs to show the role and responsibilities of end users. The security policy is not much of use if it is not aligned with organization’s business practices or if end users are not included as part of the overall security program. At the same time IT and IS professionals must also be properly trained to understand and safeguard against latest attacks. All security controls need customization and fine tuning but are usually implemented out of the box which leaves the organization vulnerable to attacks. I have witnessed organizations having security policies which are only there to get in compliance with some standard and the end users are not even aware about the existence of such policies.”

Yet, the IS scenario in the country is not as bleak as it appears. Describing some noteworthy trends in the field Ahmed shares, “Antivirus and firewalls are a default now and organizations are now moving to IDS/IPS with antivirus engines and spam filters all as a single box solution. Use of NAC (Network Access Control) is also on the rise. The latest trends include compliance with different standards including ISO27001, COBIT, ITIL and even PCI-DSS. Most of the companies are now encouraging their IT and IS staff to enroll in vendor neutral security trainings and write industry leading certification exams like CISSP, CISM and CEH to name a few. Penetration Testing is the new buzzword and companies are realizing its importance and making it mandatory to have their information systems tested at least once a year.”

Cloud computing is a new trend gaining sway in the IT scenario of the country. The great deal of hype about this new technology has caught many Pakistani enterprises in its midst. Shedding light on this new trend Ahmed cautions, “Organizations need to decide how much data they are ready to share with a third party and how much control they would have on the shared data. Economic aspects might make sense but what if the remote server crashes without a backup or the service provider simply bankrupts. These problems are not fiction but several companies have been through such issues with even a greater financial loss as compared to hosting their own applications. A cost benefit analysis is a good area to begin with.”

Ahmed describes the main difference between traditional networks and cloud computing, in terms of security issues when using services and applications, as the fact that businesses using cloud computing share data with a third party and have to rely on that party’s security controls. “Every time your employees initiate a connection, they are transferring authentication information as well as company data on the internet. During normal circumstances, companies are in charge of their own security but in cloud computing, you need to rely on your vendor. Moving your business to cloud computing means relying and trusting on the whole communication link starting from your employee on the terminal to your vendor hosting applications.”

Cloud computing changes the traditional definition of “sharing resources” as it no longer allows as much control of where and with whom the platform of the resource may be shared. This is because the entire foundation of Cloud computing is on the economics of where an app resides and how many other people share the app location with you when it is requested by you. According to Ahmed this involves fundamental security risks. However, he points out that organizations are already sharing their data with third parties by using Google Apps/Gmail for their corporate emails, third party hosting providers for websites, ISPs for internet access and VPNs, different companies for managed services. “You can take certain steps before selecting a vendor,” he advises. “Make sure the vendor is financially strong, already have some good customers, performs regular backups and provides enough resources (bandwidth, processing power, disk space). Vendor should have good security controls in place because as a client you will not be in charge of security on the remote server and you need to rely and trust the security controls put in place by your vendor. Another important point is to make sure that the application and database are portable. What if you lost network access and want to use the backup locally? or what if you decide to change the vendor altogether? You should know how much you are ready to risk, just in case.”

Ahmed is however quick to point out that despite all the advancements in terms of IS, security is not a product but an ongoing process. As new methods to breach security come up each day, there is also a need to develop new methods to combat them. “Despite all the good marketing by every vendor claiming to produce the next big thing, organizations must understand that there is no silver bullet when it comes to security,” he says. “Organizations need a continuous plan to monitor, secure and control their information assets. Having all the standards, security software and hardware in place, the internet is still witnessing worms like Conficker. It is time we realize the importance of security awareness for end users and hands-on vendor neutral trainings for IT and IS professionals so they understand the threats before evaluating a solution.”

With new IS threats evolving each day, it is vital that institutions realize the importance of protecting their information systems and take appropriate measures in time to prevent their information from falling into the wrong hands. For this, IS should be given the attention it deserves by aligning this system with a separate budget and workforce with the needed training, awareness and innovation skill.

An edited version of this article was published in CIO Pakistan

Pakistan recently made the headlines when Google made it known to the public that Pakistan had topped its Google Maps experiment, as was evident in the speed with which it had populated itself on Google’s Map Maker. Among the 160 countries simultaneously availing the global search leader’s experiment that started in June 2008, Pakistanis were able to post the greatest amount of localized information about their country.

Google maps is a Google service that was launched on 23rd June, 2008 aiming to provide powerful, user-friendly mapping technology and local business information for various countries. Speaking to CIO Pakistan, Creator of Google Map Maker, Lalit Katragadda outlines the basic idea behind Google Map Maker: “The greatest need for people coming online was for local information, and the biggest shortfall that Google or any other online information systems had was the lack of local data that obviously requires great map data. The idea behind Map Maker was to meet this need. We thought that if people know where they live and we provide them with the right tools, they could make maps out of it.”

Katragadda shares that Google Map Maker launched with some countries that were completely blank and had no information about them. Pakistan was one of them, yet it made the most “astonishing progress among all other countries”. He says that they were pleasantly surprised to see that within a month Lahore, Karachi and Islamabad were mapped to the extent that you could recognize the cities, see the major neighbourhoods and major points of interest and so on.

“People are now putting in much richer quality of data so that you can now get directions to places in Pakistan and to various points of interest and also search for businesses etc,” says Katragadda. The quantity and quality of mapping information provided by Pakistani users enabled Google to post Pakistan on the Google maps early this week. Users have not only mapped the major cities but also the smaller cities in Pakistan.

When this experiment was launched, however, Google did very little publicity. The launch of Google Map Maker was announced in only one blog post; the rest of the spread of the news among Pakistani web users came through viral buzz. “In three to four days, there were posts about this on Pakistani blogs and then the community took over,” recounts Katragadda.

Behind Map Maker is the idea that the community would take ownership not only for mapping out its country on the service, but also for moderating the other information that was being made available through the service. “The responsibility part is almost natural because you have a sense of ownership of the city you are in.”

“Google’s mission is to organize all the world’s information and make it universally accessible and useful,” explains Katragadda. “It aims to make the information useful not just for the big businesses but also for the small businesses, not just for people who are internet savvy but for everyone. One of the goals of Map Maker is to actually democratize this information. For example, one of our engineers noticed that there is this pan shop in Karachi that one of the Pakistani users had added. The person whose shop has been added does not know about the internet or what Google is, but they have benefited from it because users can now discover them through Google and on the web.”

Google has released API’s (Application Programming Interface) which allow users to develop new content on the maps and to develop intelligent applications to benefit the community at large. “People have made amazing applications from it, everything from water sources–NGOs have mapped water sources where there is water scarcity—to mapping out which area has how many schools and how many teachers etc.”

Having put up the maps, Katragadda voices his anticipation to see what kind of interesting applications local developers can now come up with to take it to the next level.

An edited version of this article was published in CIO Pakistan magazine, July 2009.

Companies in our country face a dearth of information resources to form the base for effective decision-making concerning business issues. Few, if any, companies exist that provide such services to businesses. Those that do, however, either charge exorbitant fees for such services or conduct them on such large scales that do not apply to small businesses.

Instead of getting this done by other companies, it is much more cost-effective and efficient if companies conduct such surveys themselves. With the advent of web 2.0 technologies and the introduction of SAAS (Software as a Service) and other online survey services, surveys are no longer as difficult as they used to be.

Before these services were made available, surveys had to be typed, printed and dispatched, and the results manually fed into the computer to be tabulated in Excel or other software. However, with the advent of services like Google docs forms and websites offering online survey facilities, research has become very easy. These websites enable anyone to create professional surveys quickly and easily.

Gone are the days when questions had to be typed and printed, with hundreds of questionnaires being manually administered to respondents across the population. Now all you need to do is create a survey on google docs or an online survey website, submit the link to a website, social network etc or mail it to your respondents, and have the responses coming in to you with basic compilation and tabulations done for you by the software. Online survey websites similarly compile the results for you and show you the percentage of responses against each item in the questionnaire.

Most websites also give you the option of selecting from a number of different types of questions.  You can select from multiple choice questions, ranking scales etc. This gives respondents the ease of answering questions quickly and conveniently and increases the response rate.

Many websites allow users to avail online survey facilities for free, the need being only to create an account on the website. Once registered on the website, you can then go on to design your survey. Some websites also offer the option of customizing the creative style element of your survey by uploading your logo, using themes etc. You can then send your survey via e-mail or post it on your blog or any social networking websites. Analysis tools including graphs, charts, spreadsheets etc can then be used to analyze the results of the survey.

Small businesses, including for example eateries and restaurants across the city can benefit from such services by providing their customers with the link to their online surveys in the receipts instead of having them fill feedback forms. This can provide a steady flow of feedback allowing companies to align their services in accordance with customer demand.

However, these services do not come without their limitations. In online surveys, the respondents are limited to those customers who use the internet and actually go through the trouble of responding to such surveys online. Thus, these services are more useful to companies whose customers are regular netizens and therefore would be able to respond to such surveys.

Nonetheless, with the internet population growing day by day, online surveys have become an effective medium for companies to obtain the much needed feedback from customers to form the basis of corporate plans and decision-making. They are not only cheap but quick as well, and provide the user with data in its complete form, compiled and tabulated, saving users the hassle of having to compile and tabulate information from hundreds of printed forms.

Some websites that offer free online surveys include:


Other websites that offer these services for a fee include:


An edited version of this article was published in CIO Pakistan magazine, July 2009.

With cellular subscribers increasing in number by leaps and bounds, it appears we are entering a new age. Cellular phones which were once a luxury that were out of the reach of many, have now become a necessity with the result that today just about everyone, be it the carpenter or the bus conductor, has a cellphone serving as a vital tool helping them in their business.

Pakistan’s cellular subscriber base has increased by over one million customers in the month of May alone. Cellphone subscribers have grown by 1.16 million within May 2009, adding to the overall users’ base by 1.3 percent. The growth has resulted from the ferocious sales campaigns launched by cellular companies in the country.

According to figures released by Pakistan Telecommunication Authority (PTA), this is the fifth consecutive month in which total subscribers have risen, with the subscriber base having risen to 93.1 million now.

Mobilink has shown the greatest rise in subscribers base in the month of May rising by an impressive 0.43 million additions. Mobilink is followed closely by Telenor which also added an impressive 0.374 million. Warid, Ufone and Zong come after that. 

Today, Mobilink has the largest subscriber base in the country with 28.81 million subscribers, followed by Telenor with 20.48 million users and Ufone with 19.85 million. Warid and Zong have 17.65 million and 6.263 million connections respectively.

Mobile phone penetration has increased rapidly in the country over the years. According to World Bank reports, half of Pakistanis, women and rural areas included, have access to a cell phone (two-thirds in urban areas). WB reports that while more than 86 percent of men have their own cell phone, 40 percent of women do.

Pakistan had aimed to achieve 110 million subscribers by the year 2010. However, in May 2009, the PTA chairman had revealed that the overall slowdown in economic progress around the globe has affected the achievement of this target so far. Recent successes may however create hope for meeting the target if things go the same way.

An edited version of this article was published in CIO Pakistan magazine, July 2009.

Just how important SMS (Short Messaging Service) is to our youth was revealed when the government announced 20-paisa tax per SMS in the budget for the new financial year 2009-2010. There was an uproar among the youth of the country when the government announced its decision to levy a tax on SMS, responding to which cellular companies said they would have to withdraw their discount packages from July 1. 

SMS is one of the most popular pastimes among the youth, not to mention an integral means of remaining in touch and communicating with peers, fellow students and work colleagues. It is no surprise then that our youth was outraged when the government announced 20-paisa tax per SMS. Youth took to the streets in Lahore to protest against the decision, and cellular companies also registered their concern with the respective quarters through the PTA. Protests were also doing the rounds in chain SMS messages and in cyberspace. The protests proved successful when the government announced that it was withdrawing the decision to tax SMS due to the huge demand from the youth. Hats off to the youth!

An edited version of this article was published in CIO Pakistan magazine, July 2009.

Competition between brands can turn into wars in ad campaigns, with each company coming up with ads to counter and hit back at the other. Almost every reader who is even a minimal netizen will understand what is being referred to in the context of the recent ad war between two of Pakistan’s top telecom companies.

Termed as ‘Ufone and Zong’s Cold War’ across forums in cyberspace, this counter ad campaign at first by Ufone, and then Zong, employed viral marketing techniques, spreading like wildfire through social networks like Facebook, Digg and Twitter.

Originally posted on YouTube, the Ufone reply to Zong’s ad campaign proved very popular, with people enjoying a good laugh as it was posted across profiles on Facebook and through Twitter, Digg and various other blogs. No sooner had the popularity of that ad increased than Zong came up with its own response, and that too a viral one, originally posted on YouTube.

If anything, this campaign added a new dimension to advertising—all you need is creativity (though some may differ) and you can have a low cost ad spread through the cyberdom, reaching and entertaining audiences, without ever having to air it on mainstream TV channels.
