Showing posts with label Onlline Security. Show all posts

Tuesday, June 24, 2008

Threats to Online Security: How Safe Is Our Data?

Attacks on online systems fall into two broad types: nontechnical attacks and technical attacks. This post describes both and what can be done about them.

Nontechnical Attacks

A nontechnical attack uses persuasion rather than software: the attacker tricks people into revealing secret or sensitive information, or into performing actions that compromise the network on the attacker's behalf. The classic form is social engineering, in which the attacker manipulates computer users into giving up access. Another widespread form is phishing, which tricks users into revealing credentials or financial details, typically through e-mail messages that ask for personal information while pretending to come from a legitimate organisation. Because the weakness exploited is human rather than technical, the countermeasures are education and training, clear policies and procedures, and penetration testing that includes social-engineering scenarios.


Technical Attacks

Technical attacks are carried out with software or programming expertise. Examples are denial of service (DoS) attacks, distributed denial of service (DDoS) attacks, viruses, worms, macro viruses and macro worms, and Trojan horses.

A DoS attack bombards a system with traffic until it crashes or can no longer respond. The attacker uses specialised software to send a flood of data packets to the target; in a DDoS attack the flood comes from many compromised machines at once, which makes it much harder to filter. The result is that the service is unreachable for legitimate users. Well-known targets have included eBay, Amazon.com, CNN and Yahoo.

A virus is a piece of software code that requires a host program to be run in order to activate it. It inserts itself into the host and propagates when the host is copied or executed. A virus may delete files or corrupt the hard drive.

A worm can spread itself without human intervention. It consumes the resources of its host in order to maintain itself, and because it self-propagates across the network it degrades network performance as it spreads.


A macro virus or macro worm is a virus or worm that executes when the application object (for example, a document or spreadsheet) containing the macro is opened or a particular procedure is executed.

A Trojan horse is a program that appears to perform a useful function but contains hidden functionality that presents a security risk. Many Trojans allow another person to access and control the victim's computer over the Internet.

From the above, we can see how important it is to secure our data. How can we protect it? One key building block is a public key infrastructure (PKI). PKI is based on encryption: the process of transforming (scrambling) data so that it is difficult, expensive or time-consuming for an unauthorised person to read it. Encryption has five basic parts: the plaintext, the ciphertext, the encryption algorithm, the key, and the key space (the set of all possible keys, whose size determines how long a brute-force search takes). Note that encryption addresses confidentiality and, with digital signatures, authentication; it does nothing against denial of service, worms or Trojans, which need patching, traffic filtering and host protection instead.

There are two kinds of encryption systems: symmetric systems, with one secret key, and asymmetric systems, with two keys. A symmetric (private-key) system uses the same key to encrypt and decrypt the message, so the key must be shared secretly in advance; the Data Encryption Standard (DES) is the textbook example, although its 56-bit key is far too small today and AES has replaced it. Asymmetric (public-key) encryption uses a pair of matched keys: anyone can encrypt with the public key, but only the holder of the private key can decrypt. RSA is the best-known example.
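
To make the distinction concrete, here is an added example (not from the original post or the Turban textbook it draws on) using only Python's standard library: a symmetric scheme in which the same key both encrypts and decrypts, a textbook RSA key pair in which the public key encrypts and only the private key decrypts, and a brute-force search that shows why the size of the key space decides how "time-consuming" an unauthorised attempt is. The stream cipher built from SHA-256, the 2-byte demonstration key, and the small RSA primes 61 and 53 are illustrative constructions chosen here, not anything the post prescribes; real systems use AES and RSA keys of 2048 bits or more.

```python
import hashlib

# ---- Symmetric system: one secret key, shared by sender and receiver ----------
# Illustrative stream cipher (constructed for this example, not for production):
# keystream = SHA-256(key || nonce || counter), XORed with the data. The point is
# that the SAME key is used in both directions. Real systems use a vetted cipher
# such as AES-GCM; DES, the post's example, is obsolete because its 56-bit key
# can be exhausted by brute force.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def symmetric_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt and decrypt are the same operation: XOR with the keystream."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))


def brute_force(nonce: bytes, ciphertext: bytes, known_plaintext: bytes, key_bits: int):
    """Exhaust a toy key space of key_bits bits. Feasible at 16 bits (65,536 trials),
    hopeless at 128 bits: the key space, not the algorithm, sets the attacker's cost."""
    width = (key_bits + 7) // 8
    for k in range(2 ** key_bits):
        key = k.to_bytes(width, "big")
        if symmetric_crypt(key, nonce, ciphertext) == known_plaintext:
            return key
    return None


# ---- Asymmetric system: a matched pair, public key to encrypt, private key to decrypt
def rsa_keypair(p: int, q: int, e: int = 65537):
    """Textbook RSA from two primes. Real keys use primes of ~1024 bits or more and
    a padding scheme (OAEP); this unpadded form is for illustration only."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # private exponent: modular inverse of e (Python 3.8+)
    return (n, e), (n, d)  # (public key, private key)


def rsa_encrypt(public_key, m: int) -> int:
    n, e = public_key
    return pow(m, e, n)


def rsa_decrypt(private_key, c: int) -> int:
    n, d = private_key
    return pow(c, d, n)


if __name__ == "__main__":
    # Symmetric: whoever holds KEY can both read and write. A 2-byte key is
    # deliberately tiny so the brute-force search below finishes in a blink.
    KEY, NONCE, MESSAGE = b"\xbe\xef", b"nonce-01", b"attack at dawn"
    ct = symmetric_crypt(KEY, NONCE, MESSAGE)
    print("symmetric round trip:", symmetric_crypt(KEY, NONCE, ct) == MESSAGE)
    print("16-bit key recovered by brute force:", brute_force(NONCE, ct, MESSAGE, 16) == KEY)

    # Asymmetric: anyone may encrypt with the public key; only the private key decrypts.
    public, private = rsa_keypair(61, 53, e=17)  # small textbook primes
    c = rsa_encrypt(public, 65)
    print("RSA ciphertext:", c, "decrypts to", rsa_decrypt(private, c))
```

Try the brute-force call with `key_bits=24` and a 3-byte key to feel the cost grow by 256; the same search against a 128-bit key is the "time-consuming" part of the definition above, and it is the only thing standing between an eavesdropper and the plaintext in a symmetric system, which is why the key must be kept secret and the key space large.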

References:
- www.symantec.com/business/theme.jsp?themeid=threatreport
- http://news.cnet.com/8301-13739_3-9935170-46.html
- http://blogcritics.org/archives/2006/12/11/193220.php
- http://www.bio-itworld.com/BioIT_Content.aspx?id=74012
- Turban, E., King, D., McKay, J., Marshall, P., Lee, J., & Viehland, D. (2008). Electronic Commerce: A Managerial Perspective 2008 (International Edition). Upper Saddle River, NJ: Pearson Education International. [www.prenhall.com/turban/]


Prepared by Agu
All rights reserved by EnT02 Group Rui, Ean and Agu™

Sunday, June 22, 2008

The Application of 3rd Party Certification Programme in Malaysia

A third-party certification programme is a formal process by which a product or service is reviewed by a reputable and independent third party to verify that a stated set of criteria, claims or standards is met. In a public key system the Certification Authority (CA) plays that role: it is a trusted third party responsible for vouching for the identity of users and issuing them certificates that bind their public keys to their identities.

Here I would like to discuss one application of a third-party certification programme used in Malaysia: MSC Trustgate Sdn Bhd.

MSC Trustgate Sdn Bhd is a Certification Authority (CA) operating out of the Multimedia Super Corridor. It was established in 1999 to meet the growing need for secure communication over open networks and to act as a catalyst for the growth of e-commerce, both locally and across the ASEAN region.

MSC, the Multimedia Super Corridor (now branded MSC Malaysia), is a Government initiative designed to leapfrog Malaysia into the information and knowledge age. It originally covered an area of roughly 15 km by 50 km stretching from the Petronas Twin Towers to Kuala Lumpur International Airport, including the towns of Putrajaya and Cyberjaya, and was expanded to cover the entire Klang Valley on 7 December 2006.

Secure Sockets Layer (SSL) and its successor Transport Layer Security (TLS) are cryptographic protocols that secure communications on the Internet for web browsing, e-mail, instant messaging and other data transfers. Concretely they provide three things: the server authenticates itself to the client with a certificate, the traffic is encrypted so it cannot be read in transit, and it is integrity-protected so it cannot be altered in transit. They do not make a site itself trustworthy or its users risk-free; they protect the channel. SSL and TLS are essentially the same design, but the SSL versions have known weaknesses and have been deprecated, so in practice an "SSL certificate" today is a certificate used with TLS.

VeriSign SSL certificates are resold and supported in Malaysia by MSC Trustgate Sdn Bhd, VeriSign's regional affiliate. According to the vendor, a VeriSign SSL certificate helps businesses and their users in the following ways:

Authentication: An SSL certificate authenticates your web site to your customers, so they can be confident that the site they are dealing with is genuine and not a forged or "spoof" site. The assurance comes from the CA vetting the applicant before issuance and from the browser checking that the certificate chains to a trusted root and names the host being visited. MSC Trustgate describes its authentication procedures as among the most thorough in the industry.

Encryption: When the certificate is correctly installed on your web server, your customers communicate with your site over an encrypted HTTPS connection, so data such as credit card details is protected against interception or eavesdropping in transit. Note that HTTPS secures the connection; it says nothing about what the site does with the data once it arrives, and phishing sites can obtain certificates too, so the padlock should be read together with the site's name.

High Grade Security: A VeriSign Global Certificate is marketed with 128-bit SSL encryption. That figure is the length of the symmetric session key; the cipher actually used is negotiated between browser and server for each connection rather than fixed by the certificate.

One Year or Two: The certificates come with a choice of one- or two-year validity periods. Two-year certificates cost less per year and mean fewer renewals, at the price of a longer window if the private key is ever compromised.

Local Support: MSC Trustgate, VeriSign's affiliate in Southeast Asia, offers locally based support to enrol, install, use and renew certificates.

VeriSign Secured Seal: The digital certificate includes the VeriSign Secured Seal, a widely recognised trust mark that lets customers check the site's credentials. Because the seal is just an image, it can be copied onto a fraudulent page; clicking through to the verification page, not the picture itself, is what provides assurance.

Protection Plan: A warranty of up to RM 400,000 is included with every SSL certificate, covering economic loss resulting from corruption, identity theft or loss of use of the web server certificate.
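
What a browser actually checks when it decides a certificate is genuine is easier to see in code. The following is an added example, not MSC Trustgate's or VeriSign's code and not real X.509: a toy model in Python's standard library in which a CA signs (subject name, issuer, public key, expiry), a client verifies that signature against its trust store and checks the expiry and the host name, and a "spoof" certificate signed by a key the client does not trust is rejected. The CA names, the Mersenne-prime RSA moduli, the fixed timestamp and the example.com hostnames are all constructed for the example.

```python
import hashlib

# ---- Key material (constructed for this example; toy RSA, not X.509) ------------
# Mersenne primes keep the numbers honest but readable. A real CA uses 2048-bit+
# RSA or ECDSA keys and standard certificate encoding.
E = 65537
CA_N = (2**31 - 1) * (2**107 - 1)
CA_D = pow(E, -1, (2**31 - 2) * (2**107 - 2))          # CA private exponent
ATTACKER_N = (2**61 - 1) * (2**89 - 1)                    # a key no browser trusts
ATTACKER_D = pow(E, -1, (2**61 - 2) * (2**89 - 2))
SITE_PUBLIC = ((2**127 - 1) * (2**521 - 1), E)            # the web server's public key

# What a browser ships with: the public keys of the CAs it trusts, by name.
TRUST_STORE = {"Toy Root CA": (CA_N, E)}
NOW = 1_700_000_000  # fixed "current time" so the example is reproducible


def _tbs(cert: dict) -> bytes:
    """The to-be-signed fields in a fixed order. Changing any of them after
    issuance invalidates the signature."""
    n, e = cert["pubkey"]
    return f"{cert['subject']}|{cert['issuer']}|{n}|{e}|{cert['not_after']}".encode()


def _digest_int(data: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def issue_certificate(issuer: str, issuer_private, subject: str, pubkey, not_after: int) -> dict:
    """The CA binds a public key to a name by signing (subject, issuer, key, expiry)."""
    n, d = issuer_private
    cert = {"subject": subject, "issuer": issuer, "pubkey": pubkey, "not_after": not_after}
    cert["signature"] = pow(_digest_int(_tbs(cert), n), d, n)   # textbook RSA signature
    return cert


def _name_matches(pattern: str, hostname: str) -> bool:
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):   # a wildcard covers exactly one label
        return hostname.count(".") == pattern.count(".") and hostname.endswith(pattern[1:])
    return pattern == hostname


def verify_certificate(cert: dict, hostname: str, trust_store: dict, now: int):
    """The checks a client performs before it will trust a site's public key."""
    issuer_key = trust_store.get(cert["issuer"])
    if issuer_key is None:
        return False, f"issuer {cert['issuer']!r} is not in the trust store"
    n, e = issuer_key
    if pow(cert["signature"], e, n) != _digest_int(_tbs(cert), n):
        return False, "signature does not verify under the issuer's public key"
    if now > cert["not_after"]:
        return False, "certificate has expired"
    if not _name_matches(cert["subject"], hostname):
        return False, f"certificate names {cert['subject']!r}, not {hostname!r}"
    return True, "ok"


# A genuine certificate, a spoof signed by the attacker's own CA, a copy of the
# genuine one with the subject edited after issuance, and an expired one.
GENUINE = issue_certificate("Toy Root CA", (CA_N, CA_D), "www.example.com", SITE_PUBLIC, NOW + 365 * 86400)
SPOOF = issue_certificate("Attacker CA", (ATTACKER_N, ATTACKER_D), "www.example.com", SITE_PUBLIC, NOW + 365 * 86400)
TAMPERED = dict(GENUINE, subject="*.example.com")
EXPIRED = issue_certificate("Toy Root CA", (CA_N, CA_D), "www.example.com", SITE_PUBLIC, NOW - 1)

if __name__ == "__main__":
    for label, cert, host in [("genuine", GENUINE, "www.example.com"),
                              ("spoof", SPOOF, "www.example.com"),
                              ("tampered", TAMPERED, "www.example.com"),
                              ("expired", EXPIRED, "www.example.com"),
                              ("wrong host", GENUINE, "login.example.com")]:
        print(f"{label:10s}", verify_certificate(cert, host, TRUST_STORE, NOW))
```

The order of the checks matters: the signature is verified before the name is compared, so an attacker who copies a real certificate and edits the subject is caught by the signature, and an attacker with a valid signature from an untrusted issuer is caught by the trust store. The "spoof" case is exactly what the Authentication bullet above promises protection against, and it is why the trust store itself (which CAs the browser believes) is the real root of the whole system.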

Reference:
http://en.wikipedia.org/wiki/MSC_Malaysia

Done by Rui

Friday, June 20, 2008

How To Safeguard Our Personal and Financial Data ?

Since the Internet was opened to the public and the World Wide Web appeared in the early 1990s, more and more people have joined the network. The Internet is a public network of nearly 50,000 networks connecting millions of computers around the world, and that figure only grows from day to day.

We are keen to use the Internet because it brings a great deal of convenience into our lives. Nowadays many tasks are hard to perform without it; people have become heavily dependent on the Internet, which makes the world smaller, a global village.

Once we use these web sites we are usually asked to provide some personal information: name, age, gender, e-mail address, and sometimes financial or other private data. This information normally goes into the site's database, which exists to store users' details so that the site can identify and understand its users.

However, revealing this information carries risk. Data given out over the Internet may not be safe: it can be captured by third parties such as attackers or spyware. There are many real-world cases, and credit card fraud is the most common. When we buy online we can pay by bank transfer or credit card, but both methods require us to hand our financial data to the e-merchant, and fraud and phishing follow. These security problems weigh heavily on Internet users and make many of them reluctant to use e-commerce and other online services.

How can we protect our personal and financial data? Here are some tips:

1. Do not use desktop search tools such as Google Desktop or Microsoft Desktop Search.

A full index of every keyword on your hard drive is, in the hands of marketers, very useful for targeted advertising.


2. Do not use webmail from a service provider such as AT&T, Google or Microsoft.

Same reason as above, except that here it applies to every e-mail you send or receive.


3. Do not use browser toolbars or desktop gadgets.

Both kinds of add-on, from companies such as Yahoo and Google, are known to gather information on your online activity for marketing purposes.


4. Remove all social network accounts.

There is a great deal of information there that can be used for targeting and correlation. At the very least, remove all personal information and use a username that gives no clue to your true identity.


5. Clear your browser cookies after every session.

To go a step further in erasing your footprint, refuse browser cookies by default. This makes web surfing slower and more intrusive, since you will have to accept or deny cookies manually. That said, if you surf for an hour without accepting cookies by default you will become much more aware of them, which is itself enlightening.


6. Change your local username daily.

Browsers and other software have been known to pass the local username to servers as part of their operation. If your username is something like "first.lastname", that is clearly useful information for data collection.


7. Do not have a home broadband connection.

With a home broadband connection, the network service provider can map your name to your IP address and to your physical location. Your name, where you live and your Internet activity together are valuable to marketers.


8. Use free Wi-Fi.

If you do not have a home broadband connection but still want to be online, find a free wireless access point at a local coffee shop. To hide your presence further, manually change your MAC address every time your computer associates with an access point.


9. Install a host-based Intrusion Detection System (IDS) such as OSSEC.

Assuming you already run a personal firewall, anti-spam and anti-spyware software, a host-based IDS will alert you if your computer is being used without your knowledge. For an additional level of security you could block all outbound Internet traffic except web browsing and log anything else; note that this means allowing HTTPS (port 443) and DNS (port 53) as well as HTTP (port 80), or almost nothing will work.


Prepared and reviewed by Rui



Phishing: Examples and Prevention Methods

What is phishing?

Phishing is a social engineering attack launched at scale, in which an electronic identity is misrepresented in an attempt to trick individuals into revealing credentials such as usernames, passwords and credit card details, by masquerading as a trustworthy entity in an electronic communication.


Phishing is also a form of theft: the act of sending an e-mail or instant message to a user, falsely claiming to be an established legitimate enterprise, in an attempt to scam the user into surrendering private information for the purpose of identity theft. The message directs the user to a web site where they are asked to "update" personal information, such as passwords, credit card, social security and bank account numbers, that the legitimate organisation already holds. The web site is bogus and exists only to steal the user's information.

Examples of phishing
1. In 2003 a phishing scam proliferated in which users received e-mails, supposedly from eBay, claiming that their account was about to be suspended unless they clicked the provided link and updated credit card information that the genuine eBay already had. Because it is relatively simple to make a web site look like a legitimate organisation's site by copying its HTML, the scam counted on people believing they were being contacted by eBay and going to what they thought was eBay's site to update their details. By spamming large groups of people, the phishers counted on the e-mail reaching a percentage of recipients who really did have credit card numbers on file with eBay.

2. Another example is an e-mail that appears to come from your bank asking you to click a hyperlink and verify your online banking details. Usually the e-mail threatens a consequence for not following the link, such as "your account will be closed or suspended". The sender's goal is for you to disclose personal and/or account information. This kind of e-mail scam is also phishing.

Prevention methods

1. Prevent phishing with mutual authentication. Efforts such as Extended Validation certificates fail in many cases because they rely on inconsistent visual cues rather than strong cryptography. One-time passwords alone have also proven vulnerable to real-time man-in-the-middle attacks, where the phishing site relays the code to the real site before it expires. Preventing phishing consistently requires strong mutual authentication that validates the host to the user and the user to the host; credentials bound to the legitimate site's origin, as in FIDO2/WebAuthn, achieve this because they simply do not work on a look-alike domain.

2. Eliminate phishing mail. Specialised spam filters can reduce the number of phishing e-mails that reach inboxes; classifying phishing e-mail relies on machine learning and natural language processing. Beyond filtering, do not click links in unexpected e-mail. Open the organisation's site by typing its address or using a saved bookmark, and delete the message.

Techniques used by phishers

The items below are attack techniques rather than defences; recognising them is what the advice above depends on.

3. Using IP addresses instead of domain names in hyperlinks that point to the fake web site. Many users will not check (or know how to check) whether an IP address is registered to the organisation the branded fake site claims to represent, and the fake site copies the appearance of the real one.

4. Using malware to manipulate the hosts file on the victim's PC, which maintains local mappings between DNS names and IP addresses. By inserting a fake entry into the hosts file, the attacker makes the browser appear to connect to the legitimate site when it is in fact connecting to a completely different server hosting the fake phishing site.

5. Configuring the fake phishing web site to silently record whatever the user submits (such as usernames and passwords) and then forward the user to the real site. The user might see a "password incorrect, please retry" error, or the handoff might be totally transparent; in either case most users will put it down to their own typing rather than to a malicious third party.
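
Two of the techniques described in items 3 and 4 above, a raw IP address in the link and a poisoned hosts file, can be checked for mechanically. The following is an added example, not from the original post or its references, using only Python's standard library: it parses the links out of a constructed phishing-style e-mail, flags links whose host is an IP literal or whose visible text names a different domain than the href actually points to (the eBay example above), and audits a hosts-file snippet for entries that override a protected domain. The sample e-mail, the hosts-file lines, the 203.0.113.0/24 addresses (a documentation range) and the signin-example.net hostname are all constructed; the registrable-domain helper takes the last two labels, which is a simplification (real code would use the public suffix list).

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


# A domain-looking token in the visible link text, e.g. "www.ebay.com".
_DOMAIN_IN_TEXT = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.IGNORECASE)


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _registrable(host: str) -> str:
    """Last two labels. Simplification: real code should use the public suffix list."""
    return ".".join(host.lower().split(".")[-2:])


def suspicious_links(html: str):
    """Return [(href, [reasons])] for links showing either tell-tale sign."""
    parser = _LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = (urlparse(href).hostname or "").lower()
        reasons = []
        if _is_ip_literal(host):
            reasons.append("raw IP address in link")
        shown = _DOMAIN_IN_TEXT.search(text)
        if shown and _registrable(shown.group(1)) != _registrable(host):
            reasons.append(f"text shows {shown.group(1)} but link goes to {host}")
        if reasons:
            findings.append((href, reasons))
    return findings


def hosts_overrides(hosts_text: str, protected_domains):
    """Entries in a hosts file that pin a protected domain (or a subdomain of it)
    to an address, which is how the hosts-file technique redirects a browser."""
    hits = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            name = name.lower()
            if any(name == d or name.endswith("." + d) for d in protected_domains):
                hits.append((name, ip))
    return hits


# Constructed samples. 203.0.113.0/24 is a documentation range, and
# signin-example.net stands in for an attacker-controlled domain.
SAMPLE_EMAIL = """<p>Your account will be suspended unless you update your details.</p>
<a href="http://203.0.113.7/ebay/update">Update your account now</a>
<a href="http://www.ebay.com.signin-example.net/">https://www.ebay.com/signin</a>
<a href="https://www.ebay.com/help">Help</a>
"""
SAMPLE_HOSTS = """127.0.0.1   localhost
# the line below is what hosts-file malware would add
203.0.113.7 www.ebay.com signin.ebay.com
"""

if __name__ == "__main__":
    for href, reasons in suspicious_links(SAMPLE_EMAIL):
        print(href, "->", "; ".join(reasons))
    print(hosts_overrides(SAMPLE_HOSTS, ["ebay.com"]))
```

The second sample link shows why "look at the address" is not enough on its own: the visible text and even the start of the real hostname say ebay.com, but the registrable domain is signin-example.net. The hosts-file check is the one an IDS such as OSSEC performs by watching that file for changes; here it is written as a one-shot audit against a list of domains you care about.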

References:
1.http://www.webopedia.com/TERM/p/phishing.html
2.http://www.honeynet.org/papers/phishing/
3.http://en.wikipedia.org/wiki/Phishing
Prepared by Lew Pei Ean