Friday, June 26, 2009

The threat of online security: How safe is our data?



The Internet is a global system of interconnected computer networks. It allows everyone to exchange information and data with other users in different countries. But how safe is our data?




In 2007, the University of California server was hacked into and confidential information such as names, social security numbers and bank account details of 46,000 students, faculty and staff was disclosed. The number of cybercrimes is increasing rapidly because cyber criminals know that a successful attack is very profitable.

Hence, users need to be aware of online security threats, since that awareness improves their knowledge of the methods that prevent data from being disclosed. Threats and attacks can be divided into two categories:
  1. Nontechnical attack: an attack that uses techniques to trick people into revealing sensitive information or performing actions that compromise the security of a network. For example:
  • Social engineering uses social pressure and human weaknesses (fear, lack of confidence) to trick computer users into compromising the computer networks to which they have access. This method is useful to cyber criminals because it avoids the time and cost of breaking a control system.
  Phishing is one example of social engineering. It is a technique used to gain personal information such as account numbers and passwords by sending fraudulent e-mail messages to e-mail users.



  2. Technical attack: an attack that uses programming skills and knowledge to make inappropriate use of data. For example:

  • Virus: a program that attaches itself to other programs. For example, the ILOVEYOU virus.
  • Worm: a program that copies itself until it interrupts the operation of a network or computer system. Once one computer on the network is infected, the worm automatically attacks the other computers through the network, even if the infected computer has already stopped operating on the network.
  • Denial of service (DoS): hackers flood a network server with thousands of false requests to crash the network, like constantly dialling a telephone number so that no one else can get through. For example, on February 6, 2000, a DoS attack on e-commerce sites caused 3 hours of slow performance at Yahoo.

In conclusion, online security threats cannot be eliminated regardless of the strength of the Internet security measures in place, such as passwords, changes of file permissions, backups of the computer's data and so on. However, those threats can be reduced through such security measures.



Thursday, June 25, 2009

The application of 3rd party certification programme in Malaysia

A third party in this sense is known as a certificate authority or certification authority (CA). It is an entity that issues digital certificates for use by other parties. A digital certificate contains a public key and the identity of its owner. A CA can be a remote third party, such as VeriSign, or it can be a CA that you create for use by your own organization by installing Windows 2000 Certificate Services. Certification authorities help verify transactions on the Internet. A certificate by itself does not prove that the website you visit is legitimate, because any website can create its own certificate. Therefore certification authorities are needed. One application of a third party certification programme in Malaysia is MSC Trustgate.com Sdn Bhd.



MSC Trustgate.com Sdn Bhd was established in 1999. Trustgate is a licensed Certification Authority (CA) under the Digital Signature Act 1997 (DSA), Malaysia. It offers complete security solutions and leading trust services that are needed by individuals, enterprises, government and e-commerce service providers, using digital certificates, digital signatures, encryption and decryption. MSC Trustgate.com Sdn Bhd provides many services, such as SSL Certificates, Managed PKI, Personal ID, MyTRUST, MyKAD ID, SSL VPN, Managed Security Services, VeriSign Certified Training and Application Development. MSC Trustgate has been appointed as Asia's first VeriSign Authorised Training Centre. Since 2000, MSC Trustgate.com Sdn Bhd has been an affiliate of VeriSign. It focuses on reselling VeriSign's Secure Sockets Layer (SSL) and Public Key Infrastructure (PKI) services to businesses and government, incorporating digital certificates, digital signatures and encryption.

The SSL Certificates that MSC Trustgate offers for server security are Global Server ID (GSID) and Secure Server ID (SSID). GSID uses the strongest encryption commercially available for secure communications via Server Gated Cryptography (SGC) technology. It verifies your website and enables 128- or 256-bit encryption to secure communications and transactions between the site and its visitors. SSID protects the transfer of sensitive data on Web sites, intranets and extranets using a minimum of 40-bit and up to 256-bit encryption.

VeriSign is the leading Secure Sockets Layer (SSL) Certificate Authority enabling secure e-commerce, communications and interactions for Web sites, intranets and extranets. VeriSign is well known for the VeriSign Secured Seal, an outward expression of a Web site's authentication and encryption that is commonly posted on VeriSign SSL Certificate customers' Web sites. The VeriSign Secured Seal is part of VeriSign's SSL service. It helps the site owner deliver a secure and convenient way to interact with customers over the Internet, which increases customers' confidence to complete a transaction.





Wednesday, June 24, 2009

Phishing- Example and Prevention Method


What is "phishing"?


Phishing is also known as "fishing". It is an online fraud technique used by criminals to entice you to disclose your personal information. Phishing is the fastest rising online crime method used for stealing personal finances and perpetrating identity theft.


Phishers use many different tactics to lure you, including e-mail and Web sites that mimic well-known, trusted brands. A common phishing practice involves "spamming" recipients with fake messages that resemble a valid message from a well-known Web site or a company that the recipients might trust, such as a credit card company, bank, charity, or e-commerce online shopping site.


What does a phishing email or website look like?



Here are some examples of phishing emails and websites:





What to look for in a phishing email?



  • Generic greeting. Phishing emails are usually sent in large batches. The internet criminal uses generic names like "Dear sir/madam" or "First Generic Bank Customer" so they don't have to type out every recipient's name and send emails one by one, which saves them time. Therefore, be suspicious if you do not see your own name.


  • Forged link. Be wary of forged links provided in an email. Usually the email contains a link that asks you to update your personal information. Even if a link has a name you recognize somewhere in it, that does not mean it links to the real organization. Also, websites where it is safe to enter personal information begin with "https", where the "s" stands for secure. If you don't see "https", do not proceed.


  • Requests for personal information. Legitimate organizations rarely ask for personal information by email. Therefore, if you receive an email requesting your personal information, it is probably a phishing attempt.
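The three indicators above can be checked mechanically. The following is an added example (not part of the original post) that scans a constructed HTML email for a generic greeting, a link whose visible text names a different site than its href, a non-https link, and requests for personal information; the sample messages and the `.test` domains are made up for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample messages (not real emails); domains use the reserved .test TLD.
PHISH_EMAIL = """\
Dear Valued Customer,

We detected unusual activity. Please visit <a href="http://secure-login.example-phish.test/update">
www.examplebank.test/account</a> to verify your password and account number within 24 hours.
"""
LEGIT_EMAIL = """\
Hello Jane, your monthly statement is ready at
<a href="https://www.examplebank.test/statements">www.examplebank.test</a>.
"""

GENERIC_GREETINGS = ("dear customer", "dear valued customer", "dear sir/madam", "dear user")
SENSITIVE_TERMS = ("password", "account number", "social security", "pin")

class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> tags so text and target can be compared."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def phishing_indicators(body):
    """Return the indicators from the post that appear in the email body, in a fixed order."""
    found, lower = [], body.lower()
    if any(lower.startswith(g) for g in GENERIC_GREETINGS):
        found.append("generic greeting")
    parser = _LinkCollector()
    parser.feed(body)
    for href, text in parser.links:
        href_host = urlparse(href).netloc.lower()
        if urlparse(href).scheme != "https":
            found.append(f"non-https link: {href_host}")
        # Visible text that looks like a URL but whose domain is not the one the href goes to.
        m = re.search(r"(?:https?://)?(www\.)?([a-z0-9.-]+\.[a-z]+)", text.lower())
        if m and m.group(2) not in href_host:
            found.append(f"forged link: text says {m.group(2)}, href goes to {href_host}")
    if any(t in lower for t in SENSITIVE_TERMS):
        found.append("requests personal information")
    return found
```

Heuristics like these catch the patterns the post describes but not every phishing message, so they complement rather than replace the manual checks above.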




What to look for in a phishing website?




  • Poor resolution. Phishing websites are often poor in quality, since they are created with urgency and have a short lifespan. If the resolution on a logo or in text strikes you as poor, be suspicious.


Below are some recommended methods for preventing phishing:


Keep antivirus up to date – The most important thing you can do to avoid phishing attacks is to keep your antivirus software up to date. Most antivirus vendors have signatures that protect against common technology exploits, which can prevent things such as a Trojan disguising your Web address bar or mimicking an https secure link. If your antivirus software is not kept up to date, you are usually more vulnerable to an attack that can seize your Web browser and put you at risk.


Do not click on hyperlinks in e-mails – Never! Never! Never click on any hyperlink in an e-mail, especially from unknown sources. You never know where the link will really take you or whether it will trigger malicious code. Moreover, some hyperlinks take you to a replica HTML page that may try to scam you into typing private information. If you really want to check out the link, manually retype it into a Web browser.


Take advantage of anti-spam software – Anti-spam software can help keep phishing attacks to a minimum, since a lot of attacks come in the form of spam. By using anti-spam software such as Qurb, phishing attacks can be reduced because the messages never end up in the mailboxes of end users.


Pay attention to your billing cycle. If credit card or utility bills fail to arrive, contact the companies to ensure that they have not been illicitly redirected.



Use anti-spyware software – Keep spyware to a minimum by installing an active spyware solution such as Microsoft Antispyware and also scanning with a passive solution such as Spybot. If for some reason your browser is hijacked, anti-spyware software can often detect the problem and provide a solution.


Tuesday, June 23, 2009

How to safeguard personal and financial data?




Nowadays, most people rely on computers to store their personal data and use online financial services for transactions such as online banking. Information transmitted over the Internet is more vulnerable and carries a higher degree of security risk, because it can easily be stolen or intercepted by others. Therefore, every user must know some ways to safeguard their personal and financial data.

Below are some suggested ways for users to safeguard their data:

1. Usernames and passwords
Longer passwords provide greater security than shorter passwords. If you can, change your password frequently and do not disclose it to anyone.

2. Install and update antivirus software and a firewall
Install antivirus software and a firewall to protect yourself against viruses and Trojan horses that may steal or modify the data on your computer. For good protection, make sure you keep your antivirus software up to date.

3. Regularly scan your computer for spyware
Spyware or adware hidden in software programs may affect the performance of your computer and give attackers access to your data. Use a legitimate anti-spyware program to scan your computer and remove any infected files.

4. Encrypt any sensitive files
Encryption is the process of converting readable data into unreadable form to prevent unauthorized access. By encrypting files, you ensure that unauthorized people cannot view the data even if they have physical access to it. When you use encryption, it is important to remember your passwords; if you forget them, you may lose your data.

5. Avoid accessing financial information in public
Resist logging on to your bank account or other important data when working from a coffee shop that offers wireless access. Although such systems are convenient, it is also easy for a hacker to capture your information through the public wireless access.
