Friday, June 20, 2008

The application of third party certification programme in Malaysia


Internet security has been a major issue ever since the internet was created. As a matter of fact, the internet has become a very important part of people’s daily lives.

With the advancement of technology, customers can now buy almost anything they want online. Of course, when buying from companies that sell through their websites we need to pay, and this raises an issue: how secure is it when a customer decides to pay online?

What my topic concerns this time is the usefulness of third party certification in tackling the problem of customers being led to a fake website, so-called phishing. Third party verification is extremely important to ensure customers are dealing with the genuine website.

There are two licensed companies in Malaysia which are eligible to issue digital certificates. They are:




~MSC Trustgate.com Sdn Bhd
~Digicert Sdn Bhd.



Well then, what are the applications of a third party verification program, or digital certificate? The program may satisfy the requirements of the following applications.

Firstly, third party verification programs are needed in browsers or smart cards to grant access control to facilities, intranets and extranets.

Secondly, they are used to validate that incoming messages have not been modified. In other words, they are very useful in operating document archive and retrieval.

Thirdly, digital certificates are required to establish the organization’s rights and privileges, in particular for the purpose of licensing.

Fourthly, companies need them for integrity and authentication purposes. They are usually used for digitally signing messages to verify the status and identity of the particular sender.

Fifthly, this verification program is used as proof of document sending or time-stamping. Time and date verification is crucial for important messages, in this case in payment systems, as these involve legal and commercial activities.

Last but not least, and the most important one, is that the verification program ensures a high level of security and the privacy and confidentiality of organizations. The company will need the program to encrypt and decrypt a message, which is the process of the sender converting a message into an unreadable coded form and the receiver translating it back into readable form.

In short, third party verification programs have been very useful in securing customers’ and companies’ data and important information.
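To make the idea concrete, here is an added example (not from the original post, and not code from any Malaysian CA) of what a third party certificate actually buys a customer. A stand-in certification authority signs a certificate for a shop's domain name, and the client then does what a browser does before showing the padlock: it checks that the certificate chains to a root it trusts and that it was issued for the host the user typed. A certificate made up by anyone else, or a genuine certificate presented by a look-alike domain, fails. The CA names, the domain shop.example.com and the helper type keyAndCert are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// keyAndCert bundles a private key with its certificate (hypothetical helper type).
type keyAndCert struct {
	key  *ecdsa.PrivateKey
	cert *x509.Certificate
}

// newCA builds a self-signed root certificate. In the post's terms this plays the
// licensed certification authority whose root the customer's browser already trusts.
func newCA(name string) (*keyAndCert, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &keyAndCert{key: key, cert: cert}, err
}

// issueServerCert has the CA sign a certificate binding dnsName to a fresh key
// pair, as a merchant does when it obtains a site certificate from the CA.
func issueServerCert(ca *keyAndCert, dnsName string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: dnsName},
		DNSNames:     []string{dnsName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.cert, &key.PublicKey, ca.key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyServerCert makes the two checks a browser makes before showing the padlock:
// the certificate chains to a trusted root, and it is valid for the host typed in.
func verifyServerCert(cert, trustedRoot *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedRoot)
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// isUnknownAuthority reports whether verification failed because the issuer is not
// trusted, which is what happens to a look-alike site with a home-made certificate.
func isUnknownAuthority(err error) bool {
	var e x509.UnknownAuthorityError
	return errors.As(err, &e)
}

// isHostnameMismatch reports whether the certificate is genuine but for another site.
func isHostnameMismatch(err error) bool {
	var e x509.HostnameError
	return errors.As(err, &e)
}

func main() {
	trustedCA, _ := newCA("Example Licensed CA") // stands in for a licensed CA
	rogueCA, _ := newCA("Home-made CA")          // stands in for a phisher's own CA
	genuine, _ := issueServerCert(trustedCA, "shop.example.com")
	fake, _ := issueServerCert(rogueCA, "shop.example.com")
	fmt.Println("genuine cert, right host:", verifyServerCert(genuine, trustedCA.cert, "shop.example.com"))
	fmt.Println("rogue CA cert, right host:", verifyServerCert(fake, trustedCA.cert, "shop.example.com"))
	fmt.Println("genuine cert, wrong host:", verifyServerCert(genuine, trustedCA.cert, "shop-example.com"))
}
```

The first check passes and the other two fail; the second failure is the whole point of licensing CAs, since the phisher can make a certificate that looks fine but cannot make one that chains to a root the browser trusts.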

Prepared by: WONG CHEE WAI

Thursday, June 19, 2008

Phishing: Examples and its prevention methods



Phishing is a crimeware technique used to steal the identity of a target company in order to obtain the identities of its customers. Phishers (pronounced “fishers”) create websites that look just like the ones from your bank, online bookstore, or other familiar destinations. It includes sending an e-mail to a user, falsely claiming to be an established legitimate enterprise, in an attempt to scam the user into surrendering private information that will be used for identity theft.

The e-mail directs the user to visit a Web site where they are asked to update or verify personal information, such as passwords and credit card, social security and bank account numbers, that the legitimate organization already has. The Web site, however, is bogus and set up only to steal the user’s information.

HTML-based emails often include company logos, colors, graphics, font styles, and other elements, and cover topics such as account problems, account verifications, security upgrades, and new product or service offerings. Web links included in these emails almost always possess the look and feel of the legitimate sites they copy, making the fraud almost impossible to detect.

Many fraudsters use fear to trigger a response, and phishers are no different. In common phishing scams, the emails warn that failure to respond will result in the user no longer having access to their account. Other emails might claim that the company has detected suspicious activity in the account or that it is implementing new privacy software or identity theft solutions.

Phishers also use techniques such as filter evasion, where they use images instead of text to make it harder for anti-phishing filters to detect text commonly used in phishing e-mails. Some phishing scams use JavaScript commands to alter the address bar. This is done either by placing a picture of a legitimate URL over the address bar, or by closing the original address bar and opening a new one with the legitimate URL.

In an example PayPal phishing attempt, phishers send e-mail to targeted PayPal users. The several spelling mistakes in the e-mail and the presence of an IP address in the link (visible in the tooltip under the yellow box) are both clues that this is a phishing attempt. Another giveaway is the lack of a personal greeting, although the presence of personal details would not be a guarantee of legitimacy. Other signs that the message is a fraud are misspellings of simple words and the threat of consequences such as account suspension if the recipient fails to comply with the message's requests.
Example of phishing:
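The clues listed for the PayPal example are exactly what a mail filter or a cautious user looks for. The following is an added example, not part of the original post and not any vendor's product, that scans the HTML body of an email for four of them: a link whose target is a bare IP address, link text that shows one site while the href goes to another, an impersonal greeting, and pressure language about suspension or deadlines. The two sample emails are constructed for the example (192.0.2.45 is a documentation address, and example-bank.com is not a real bank); spelling mistakes are not checked.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"regexp"
	"strings"
)

// anchorRe captures the href and visible text of simple HTML links.
var anchorRe = regexp.MustCompile(`(?is)<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>`)

// hostLike matches link text that itself looks like a web address.
var hostLike = regexp.MustCompile(`^(?:https?://)?[a-z0-9.-]+\.[a-z]{2,}(?:/\S*)?$`)

// genericGreetings address nobody in particular; a bank writing to you knows your name.
var genericGreetings = []string{"dear customer", "dear valued member", "dear user", "dear paypal member"}

// urgencyPhrases are the fear triggers the post describes.
var urgencyPhrases = []string{"suspended", "suspension", "within 24 hours", "immediately", "verify your account"}

// phishingIndicators scans an HTML email body and returns plain-language reasons to
// distrust it. It is a heuristic: an empty result is not proof the mail is genuine.
func phishingIndicators(body string) []string {
	var findings []string
	// Collapse whitespace so a phrase split across lines still matches.
	flat := strings.Join(strings.Fields(strings.ToLower(body)), " ")

	for _, m := range anchorRe.FindAllStringSubmatch(body, -1) {
		text := strings.ToLower(strings.TrimSpace(m[2]))
		u, err := url.Parse(m[1])
		if err != nil || u.Hostname() == "" {
			continue
		}
		// Clue 1: a raw IP address where the company's domain name should be.
		if net.ParseIP(u.Hostname()) != nil {
			findings = append(findings, "link target is a bare IP address: "+u.Hostname())
		}
		// Clue 2: the visible text shows one site while the href goes to another.
		if hostLike.MatchString(text) {
			if !strings.Contains(text, "://") {
				text = "http://" + text
			}
			if t, err := url.Parse(text); err == nil && t.Hostname() != u.Hostname() {
				findings = append(findings, fmt.Sprintf("link text shows %s but target is %s", t.Hostname(), u.Hostname()))
			}
		}
	}
	// Clue 3: no personal greeting.
	for _, g := range genericGreetings {
		if strings.Contains(flat, g) {
			findings = append(findings, "impersonal greeting: "+g)
			break
		}
	}
	// Clue 4: threats of consequences for not responding.
	var urgent []string
	for _, p := range urgencyPhrases {
		if strings.Contains(flat, p) {
			urgent = append(urgent, p)
		}
	}
	if len(urgent) > 0 {
		findings = append(findings, "pressure language: "+strings.Join(urgent, ", "))
	}
	return findings
}

// sampleEmail is a constructed message carrying the clues the post lists;
// benignEmail is a constructed clean one for comparison.
const sampleEmail = `<html><body>
<p>Dear PayPal Member,</p>
<p>We have detected suspicious activity in your acount. Failure to verify your
account within 24 hours will result in suspension.</p>
<p>Click <a href="http://192.0.2.45/webscr/login.htm">https://www.paypal.com/cgi-bin/webscr</a> to continue.</p>
</body></html>`

const benignEmail = `<p>Dear Ms Tan,</p>
<p>Your statement is ready at <a href="https://www.example-bank.com/statements">https://www.example-bank.com/statements</a>.</p>`

func main() {
	for _, f := range phishingIndicators(sampleEmail) {
		fmt.Println("suspicious:", f)
	}
	fmt.Println("benign findings:", len(phishingIndicators(benignEmail)))
}
```

The constructed phishing mail produces four findings and the clean mail none. The order of checks mirrors the post: the link is the strongest signal, because a company's own mail never needs to hide where a link goes.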







Here are some recommendations on how users can protect their networks, servers, PCs and mobile devices from phishing:



  • Implement a comprehensive anti-phishing and anti-pharming solution, comprising protection at all possible entry points, including the Internet gateway, messaging gateway, endpoint clients, endpoint servers, and the network. Trend Micro offers a variety of anti-phishing and anti-pharming products and solutions to suit various enterprise needs.

  • Keep all browser, email, and IM security patches up to date.

  • Keep up to date with the latest threats, the symptoms of infection, and how to protect servers, PCs, and mobile devices.

  • Never give personal or confidential information to an unfamiliar or unknown individual or business.

  • Delete any email that requests confidential information. If the request appears legitimate, use an established phone number to verify the request.

  • Seek IT counsel and support if you experience any communication (via email, phone, fax, or instant message) that requests corporate or personal information.

Prepared by: YEAP SUE YIE

The threat of online security: How safe is our data?

The internet is an incredible invention that is widely used by many large companies and small businesses. Although the internet has brought convenience to users, it has also brought a whole mass of problems. In this case, how safe is our data when we expose our personal information on the internet?

As we know, there are tremendous security risks on the internet. The most common online threats and attacks are as follows:

Online Fraud
This is strictly where a computer system is instrumental to the crime. Data theft and identity theft are the issues that make up online fraud.

-Data theft
Data theft is an “invisible” or “faceless” crime, posing a real threat to businesses. The risks to your business can include a salesperson who quits but takes your customer database with them, or an employee who sells private data to criminals or even hacks into your database systems to perform activities that benefit them. Several types of data theft are thumbsucking, bluesnarfing and data spill.

-Identity theft
Identity theft occurs when someone uses your personally identifying information, such as your name, social security number, or credit card number, without your permission, to commit fraud or other crimes. Examples of the fraud involved are credit card fraud, phone or utilities fraud, bank or finance fraud, government documents fraud, and so on. Skilled identity thieves may use a variety of methods to get hold of your information, including dumpster diving, skimming, phishing, changing your address, old-fashioned stealing and pretexting.


Hack Threat
This refers to illegal and unauthorized hack attempts on a system or network with the nasty intention of compromising a defenseless system. Examples of hack threats are illegal port scanning and exploratory actions.

Malicious Code
This is any code added to, changed in, or removed from a software system in order to intentionally cause harm or threaten the intended function of the system. Viruses, worms, Trojan horses, and attack scripts are the traditional forms of malicious code, whereas Java attack applets and dangerous ActiveX controls are modern examples.

Intrusion
This is successful unauthorized or illegal access to a system or network. It could take the form of web defacement or the installation of malicious programs.

Denial of Service (DoS)
This is the illegal act of bringing a particular system down or damaging a system in order to disable at least one of the services provided by the system. Common forms of DoS attacks are buffer overflow attacks, SYN attacks, Teardrop attacks and Smurf attacks.

Spam
Spam is the flooding of the Internet with many copies of the same message, in an attempt to force the message on people who would not otherwise choose to receive it. Basically there are two types of spam: Usenet spam and email spam.

Due to the expansion of the internet, electronic commerce information is no longer secure. The numerous security risks on the internet may lead users to serious financial loss, information theft and attacks on their computers. Companies should take this matter (the threats to online security) seriously, as it is a major factor contributing to failures in customer service by most B2B companies.

Companies and customers should recognize these online threats and attacks in order to safeguard their data. Companies must ensure that their information security is up to standard and embodies the basic core principles of information security: confidentiality, integrity and availability.

Prepared by: HO PECK KEE

Wednesday, June 18, 2008

How to safeguard our personal and financial data?

As we know, the internet contains about 50,000 networks connecting millions of computers around the world. It is a publicly accessible series of interconnected computer networks that transmit data. These data can be divided into several categories, and each category needs a different level of protection.

Before computers came into use, people stored their confidential data in a locked cupboard or hid it under their beds. But nowadays people keep their data on their personal computers.








Personal Data
Stored private data usually come from a wide range of sources, such as healthcare records; criminal justice investigation and proceedings documents; financial institution and transaction statements; biological traits, such as genetic material; residence and geographic records; and ethnic background.



Financial Data
Information about one’s personal financial transactions, such as the amount of assets owned, positions held in stocks and funds, outstanding debts, and purchases made, can be very sensitive. If criminals are able to access information such as one’s account number and credit card number, that person might become a victim of fraud or identity theft.

Information about one’s purchases can also reveal a great deal about that person’s history, such as the places he has visited, whom he has been in contact with, the products he usually purchases, his activities and habits, or the medications he has taken. There are cases where corporations use this information to target individuals with marketing customized to their personal preferences, which the individual may or may not agree with.




Here are some ways to safeguard your personal and financial data.

1. Use a credit card with a small limit when buying through mail order or online. Doing this may prevent a dishonest salesperson from misusing your credit card information. A card with a low limit will not let thieves rack up many bills before they hit the ceiling.

2. Reviewing your monthly statements is a simple thing you can do to prevent your financial data from being stolen, yet many people neglect to do it. Besides reviewing your spending, you may also be alerted to possible fraudulent charges and find legitimate charges that are unnecessary or redundant.

3. Choose your PIN wisely. While you want something you will remember, you do not want it to be something a clever thief could work out just by learning your date of birth, your identification card number or your child’s name. Choosing a combination of uppercase and lowercase letters, numbers and symbols will offer you more security. Remember it by heart; never write it down and carry it in your wallet or mobile phone.

4. Protect your personal computer’s security by using as many tools as you can to guard your computer from being hacked. Install anti-spyware and anti-virus software and a firewall to tighten security. Failing to protect your personal computer is like leaving your doors unlocked and your windows wide open, with a banner saying, “Welcome burglars!”

5. Prepare for a disaster. It is very important to safeguard your family’s important documents in case of disaster. You can keep an emergency box on hand containing copies of the important documents in sealable plastic bags, or purchase a fireproof safe for temporary protection of your valuables. You can also rent a safety deposit box from a bank located outside your immediate vicinity, in case a disaster affects the whole town.

6. If you share information with other users or use the services of a public computer in a public library or internet café, remember to close all browser windows and log out properly before leaving. This prevents other users from reading your personal information and your e-mails.
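Point 3 above gives two rules for a PIN or password: mix character classes, and avoid anything a thief could derive from your date of birth, identification card number or a family member's name. The following is an added example, not from the original post, that turns those rules into a check a sign-up form could run. The PersonalFacts type, its fields, the sample identification number and the names are all constructed for the example; the check expands the facts into the fragments a guesser would try first (birth year, the date as digits, four-digit runs of the IC number, lower-cased names) and rejects any candidate containing one.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
)

// PersonalFacts holds the details about you that a thief could look up.
// The type and its fields are hypothetical inputs for this example.
type PersonalFacts struct {
	BirthDate string   // "YYYY-MM-DD"
	ICNumber  string   // identification card number, punctuation allowed
	Names     []string // children, spouse, pets
}

// onlyDigits strips everything but digits, so "900415-10-5234" becomes "900415105234".
func onlyDigits(s string) string {
	return strings.Map(func(r rune) rune {
		if unicode.IsDigit(r) {
			return r
		}
		return -1
	}, s)
}

// derivedTokens expands the facts into the fragments a guesser would try first:
// the birth year, the date written as digits, 4-digit runs of the IC number, names.
func derivedTokens(f PersonalFacts) []string {
	var toks []string
	if len(f.BirthDate) == 10 {
		y, m, d := f.BirthDate[0:4], f.BirthDate[5:7], f.BirthDate[8:10]
		toks = append(toks, y, d+m+y, d+m+y[2:], y+m+d, d+m)
	}
	ic := onlyDigits(f.ICNumber)
	for i := 0; i+4 <= len(ic); i++ {
		toks = append(toks, ic[i:i+4])
	}
	for _, n := range f.Names {
		if n != "" {
			toks = append(toks, strings.ToLower(n))
		}
	}
	return toks
}

// checkSecret returns the reasons a proposed PIN or password is weak by the post's
// rules; an empty result means it passed. Matching is case-insensitive.
func checkSecret(secret string, f PersonalFacts) []string {
	var problems []string
	var upper, lower, digit, symbol bool
	for _, r := range secret {
		switch {
		case unicode.IsUpper(r):
			upper = true
		case unicode.IsLower(r):
			lower = true
		case unicode.IsDigit(r):
			digit = true
		default:
			symbol = true
		}
	}
	if len(secret) < 8 {
		problems = append(problems, "shorter than 8 characters")
	}
	if !(upper && lower && digit && symbol) {
		problems = append(problems, "does not mix uppercase, lowercase, digits and symbols")
	}
	low := strings.ToLower(secret)
	for _, t := range derivedTokens(f) {
		if len(t) >= 4 && strings.Contains(low, t) {
			problems = append(problems, "contains personal information: "+t)
		}
	}
	return problems
}

func main() {
	// Constructed facts; the IC number and name are made up for this example.
	me := PersonalFacts{BirthDate: "1990-04-15", ICNumber: "900415-10-5234", Names: []string{"Aiman"}}
	for _, candidate := range []string{"Aiman1990", "Tq7#vbL2!x"} {
		fmt.Printf("%q -> %v\n", candidate, checkSecret(candidate, me))
	}
}
```

"Aiman1990" is rejected three times over (no symbols, contains the birth year, contains a name), while the random-looking candidate passes. The four-digit IC windows deliberately overlap with the date tokens, since in Malaysia the first six digits of the IC number are the date of birth.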
Prepared by: CHOI LAI YEET