Showing posts with label Week 4. Show all posts

Saturday, July 18, 2009

The application of third party certification programme in Malaysia

Nowadays, trust is considered the primary concern when entering the new internet economy. The ever-changing paradigm of e-commerce requires a well-mandated security infrastructure. A certificate authority (CA) is an authority in a network that issues and manages security credentials and public keys for message encryption. Once the registration authority (RA) has verified the information provided by the requestor, the CA can issue a digital certificate.


In Malaysia, any organization that wants to communicate securely with its customers should subscribe to the DIGISIGN™ SERVER ID Enrich, especially if the organization requires its customers to submit confidential information (such as credit card numbers, identity card details and the like) online. Moreover, the Server ID Enrich helps protect customers from falling victim to impostor web sites, as it provides a proper means of verifying the legitimate owner. Examples of web operations that could benefit from a digital certificate include online financial institutions, banks, government web sites, online merchants, and universities or colleges. The features are as follows:


1. Strong Encryption: Digicert's Server certificate ensures that the organization's web site visitors will receive strong 128 bit up to 256 bit encryption, protecting information submitted online via SSL. Any confidential information exchanged between the organization and its customers (e.g. credit card numbers) will be encrypted, thus keeping it private.

2. Web Site Authenticity: It provides the ultimate in credibility for the online business. DIGICERT's most reliable infrastructure and stringent authentication practices back each DIGISIGN™ SERVER ID Enrich issued by DIGICERT.

3. DIGICERT Reliance Protection Plan: For your peace of mind, DIGICERT protects users against economic loss resulting from the wrongful issuance of a DIGISIGN™ SERVER ID Enrich.

4. Quick Registration and Delivery: DIGICERT will be able to issue your DIGISIGN™ SERVER ID Enrich in less than 24 hours.

5. Legal Recognition: Digital certificates issued by DIGICERT are in compliance with the Digital Signature Act 97 and Digital Signature Regulations 98.

The application of third party certification programmes has become prevalent, although complex. It provides a sound and robust risk management framework that is held accountable for controlling and managing e-commerce risks and security posture.
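A CA-issued certificate only protects a customer if the client side actually verifies it: the certificate must chain to a CA the client trusts, and its name must match the site being contacted, otherwise an impostor site's self-signed certificate is accepted just the same. The following is an added example, not code from the post or from DIGICERT, using only Python's standard `ssl` module; `cafile` is an assumed PEM bundle of trusted CA certificates (with `None` the system trust store is used). It builds the hardened client configuration next to the weak one and audits both.

```python
import ssl


def hardened_client_context(cafile=None):
    """Client-side TLS context that only accepts a server certificate which chains to a
    trusted CA and whose name matches the host being contacted.

    `cafile` is an assumed PEM bundle of the CAs you trust (for example the root of a
    third-party CA such as the one described above); with None the system store is used.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    # create_default_context already sets CERT_REQUIRED and check_hostname=True;
    # the TLS floor is pinned explicitly so older protocol versions are refused.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def unverified_client_context():
    """The weak counterpart: chain verification and hostname checking are switched off,
    so a self-signed certificate presented by an impostor site is accepted silently."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before verify_mode can become CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_client_context(ctx):
    """Return the list of weaknesses found in a client context (an empty list means sound)."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("chain-not-verified")      # any certificate from any issuer is accepted
    if not ctx.check_hostname:
        findings.append("hostname-not-checked")    # a valid cert for another site would pass
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy-tls-allowed")
    return findings


if __name__ == "__main__":
    print("hardened:  ", audit_client_context(hardened_client_context()))
    print("unverified:", audit_client_context(unverified_client_context()))
```

The audit function is the part worth reusing: run it over any context your application constructs before the first connection, and treat a non-empty result as a configuration bug rather than a warning.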


http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci213831,00.html
http://www.digicert.com.my/expresslink02.htm

Tuesday, July 7, 2009

Phishing: Examples and its prevention methods

What is phishing?

Generally, phishing is a criminally fraudulent process of illegally acquiring sensitive information. Phishers try to lure unsuspecting users to fake websites, hoping that their victims will supply login information, credit card details or social security numbers while trying to use the service.


Examples in Malaysia



Figure 1: Citibank phishing scam

Figure 2: HSBC phishing scam

Figure 3: Maybank2u.com scam in a Hotmail account

Figure 4: Another Maybank2u.com scam

In these examples, recipients are asked to click the link provided to update their data. Once the link is clicked, the user's login name and password are divulged to, and embezzled by, the phisher.



Prevention method

  • Be suspicious of any e-mail with urgent requests for personal financial information. If you are unsure whether a message is valid, always confirm with the bank and check whether it is a scam.
  • Avoid filling out forms in e-mail messages that ask for personal financial information. Banks will not require their clients to update personal information through e-mail.
  • Don't use the links in an e-mail, instant message, or chat to get to any web page. For an e-mail link, before clicking on it, mouse over it or view the source of the message and the real link will be revealed (for example, in Figure 3 above). When you reach the website through the link in the e-mail, try to log in using a wrong login name and password; if it logs you in, then you know it is a phishing scam, otherwise it should be safe.
  • Get in the habit of looking at the address line. Remember your bank's URL or bookmark it; if the URL from the e-mail message is different, it might be a phishing message.
  • Always ensure that the website is secured when submitting credit card or other sensitive information via a web browser. A secured site will show a yellow lock near the bottom of the screen; by double-clicking the lock, the site's security certificate will be displayed.
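The "view source" and "remember your bank's URL" advice above can be automated: extract every link from the HTML body of a message, compare the address shown to the reader with the address the link really points to, and check the real hostname against the bank addresses you have bookmarked. The code below is an added example written for this post, not code from the original page or from any bank; the e-mail body, the IP address (from the documentation range) and the allowlist are all constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: an HTML e-mail body in the style of the Maybank2u scams above.
# The address 203.0.113.45 is from the documentation range; this is not a real message.
SAMPLE_EMAIL_HTML = """
<p>Dear customer, your account will be suspended. Please click
<a href="http://203.0.113.45/m2u/login.php">https://www.maybank2u.com.my/</a>
to update your details within 24 hours.</p>
<p>You can also visit <a href="https://www.maybank2u.com.my/home">our site</a>.</p>
"""

# Constructed allowlist: the hostnames you have bookmarked for your own banks.
KNOWN_BANK_HOSTS = {"www.maybank2u.com.my"}

IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
URL_LIKE_RE = re.compile(r"^(?:https?://|www\.)", re.IGNORECASE)


class LinkExtractor(HTMLParser):
    """Collect (href, displayed text) pairs for every <a> element: the 'view source' step."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyse_link(href, text, allowlist):
    """Return the warning signs for one link (an empty list means nothing suspicious)."""
    target = urlparse(href)
    host = (target.hostname or "").lower()
    findings = []
    if target.scheme != "https":
        findings.append("not-https")
    if IPV4_RE.fullmatch(host):
        findings.append("ip-address-host")          # banks do not send you to a bare IP
    if URL_LIKE_RE.match(text):
        shown = urlparse(text if "://" in text else "http://" + text)
        if (shown.hostname or "").lower() != host:
            findings.append("display-host-mismatch")  # visible URL differs from the destination
    if host not in allowlist:
        findings.append("host-not-in-allowlist")     # not one of your bookmarked bank sites
    return findings


def scan_email(html, allowlist=KNOWN_BANK_HOSTS):
    """Run the extractor and the checks over an e-mail body; one dict per link found."""
    parser = LinkExtractor()
    parser.feed(html)
    return [{"href": href, "text": text, "findings": analyse_link(href, text, allowlist)}
            for href, text in parser.links]


if __name__ == "__main__":
    for link in scan_email(SAMPLE_EMAIL_HTML):
        print(link["href"], "->", link["findings"] or "looks consistent")
```

The first link in the sample trips every check (plain HTTP, a bare IP address, a displayed bank URL that differs from the real destination, and a host that is not on the bookmark list), while the second, which genuinely points at the bookmarked site over HTTPS, produces no findings. Any non-empty result is a reason to type the bank's address yourself rather than follow the link.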

References:

http://blog.saimatkong.com/index.php/2008/08/01/maybank2ucom-email-phishing-scam/
http://ezinearticles.com/?Phishing-Techniques&id=1818216
http://www.antiphishing.org/consumer_recs.html
http://www.ghacks.net/2007/02/16/introduction-to-new-phishing-techniques/
http://www.mycert.org.my/en/services/advisories/mycert/2004/main/detail/464/index.html
http://www.mycert.org.my/en/services/advisories/mycert/2004/main/detail/465/index.html

Thursday, July 2, 2009

The threat of online security: How safe is our data?



Internet security is one of the largest challenges faced by most companies today. As a business becomes increasingly reliant on the data on its systems, it is exposed further to online security threats such as phishing, denial-of-service attacks, viruses, worms and Trojan horses.


According to the 2009 Security Threat Report, one new infected web page is discovered every 4.5 seconds. Recent research also shows an increase in SQL injection attacks in 2008, specifically relating to financial services and the online retail industry. It seems that our data is highly exposed to online risks. Nowadays, people are becoming increasingly concerned about the confidentiality and reliability of their data online.


Various software and systems have been adopted by companies in order to secure consumers' privacy and build trust among their customers. Let's see how companies secure their consumers' privacy.

  1. Physically Secure Server Location - A major part of data security is the physical security of servers and data, with secure access procedures to ensure compliance. This means that only authorized personnel can access the servers that store his or her data.
  2. Network Security - The entire online service, including consumers' data, is protected by the latest firewall protection, intrusion detection systems, and proprietary security products across all segments of the network. If working with third-party service providers, the company should constantly test the network for security breaches.
  3. Data Backup - All customer data is continually backed up to local disk as the first level of data protection, and every night to an offsite location as part of a disaster recovery program. This ensures that consumers' data is safe and their information can be quickly restored in case of a catastrophe.
  4. Application Access - Companies protect customer data by ensuring that only authorized users can access it, using their username and password. Account administrators can assign security rules that define which users in their company or partners have access to the data, based on the user's role.
  5. Data Encryption - All data is encrypted in transfer, and all access to the service is governed by strict password security policies. All passwords are stored in MD5 hash format, which means they cannot be reversed to the original password and are not readable.
  6. Monitoring and Logging - The company's service should be continually monitored for attempted security violations, and their team should receive immediate notification of such violations. Some companies also implement various third-party scanning technologies to monitor the service against existing and new threats.
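Items 5 and 6 are the two practices in this list that can be shown in code. The example below is added here and is not from the post or from any of the companies it cites; it uses only Python's standard library. For item 5 it places the unsalted MD5 storage the post describes next to a salted, deliberately slow scheme (PBKDF2-HMAC-SHA256 with a per-user random salt and constant-time comparison): MD5 is indeed one-way, but because it is fast and unsalted, every user with the same password gets the same digest and a precomputed table of common passwords maps straight back to them. For item 6 it runs a simple violation-attempt monitor over constructed log lines, counting failed logins per source address and returning the ones that should trigger a notification. The log format, the usernames and the addresses (from the documentation ranges) are all made up for the example.

```python
import hashlib
import hmac
import os
import re
from collections import Counter

# ---- Item 5: password storage ------------------------------------------------

def md5_digest(password):
    """Unsalted MD5 as described in the post: one-way, but identical for identical passwords,
    so a precomputed table of common passwords reverses it in practice. Weak form only."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


PBKDF2_ITERATIONS = 600_000   # work factor; raise it as hardware gets faster


def hash_password(password, salt=None):
    """Salted, slow hash: a fresh random 16-byte salt per user plus an iterated KDF.
    The record keeps algorithm, iteration count and salt so it can be verified later."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate.hex(), digest_hex)


# ---- Item 6: monitoring for violation attempts --------------------------------

# Constructed sample log lines (made up for this example; addresses are from documentation ranges).
SAMPLE_AUTH_LOG = """\
2009-07-02T10:00:01 auth: result=FAIL user=alice src=198.51.100.7
2009-07-02T10:00:03 auth: result=FAIL user=alice src=198.51.100.7
2009-07-02T10:00:04 auth: result=OK   user=bob   src=203.0.113.9
2009-07-02T10:00:06 auth: result=FAIL user=admin src=198.51.100.7
2009-07-02T10:00:09 auth: result=FAIL user=carol src=198.51.100.7
2009-07-02T10:00:11 auth: result=FAIL user=bob   src=203.0.113.9
"""

LOG_RE = re.compile(r"result=(?P<result>OK|FAIL)\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)")


def failed_login_alerts(lines, threshold=3):
    """Count failed logins per source address and return those at or above the threshold,
    i.e. the events an operations team would want an immediate notification about."""
    failures = Counter()
    for line in lines:
        match = LOG_RE.search(line)
        if match and match.group("result") == "FAIL":
            failures[match.group("src")] += 1
    return {src: count for src, count in failures.items() if count >= threshold}


if __name__ == "__main__":
    print("same MD5 for two users with the same password:",
          md5_digest("Passw0rd") == md5_digest("Passw0rd"))
    rec1, rec2 = hash_password("Passw0rd"), hash_password("Passw0rd")
    print("PBKDF2 records differ:", rec1 != rec2,
          "| both verify:", verify_password("Passw0rd", rec1) and verify_password("Passw0rd", rec2))
    print("alerts:", failed_login_alerts(SAMPLE_AUTH_LOG.splitlines()))
```

Two users with the password `Passw0rd` produce one shared MD5 digest but two different PBKDF2 records, and each record still verifies against the correct password. In the sample log, 198.51.100.7 has four failures and crosses the default threshold of three, while 203.0.113.9, with one failure and one success, does not.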

These are common practices implemented by most companies in order to keep our data safe. Nevertheless, every company may have its own security systems, and there is no guarantee that our data is totally free from online threats.


References:

http://www.samanage.com/products/security.html
http://www.readwriteweb.com/archives/top_online_security_threats_for_2009.php
http://www.winweb.com/online-office-saas-software-as-a-service-benefits/online-office-data-communication-security



Friday, June 26, 2009

How to Safeguard Our Personal and Financial Data?

Web-based services, including social networks such as MySpace and Facebook, are becoming prime targets for hackers seeking your personal information. It's nearly enough to make you long for the days of typo-ridden e-mails pretending to come from your bank.

If you use your computer to manage your personal finances (e.g. banking, taxes, online bill payment, etc.), store sensitive personal data, or perform work-related activities away from the office, be aware that computer hackers are employing increasingly sophisticated methods to pry that information loose. However, you can take the following steps to protect yourself:
  1. Use and maintain anti-virus software and a firewall -- to protect yourself against viruses and Trojan horses that may steal or modify the data on your own computer and leave you vulnerable.

  2. Regularly scan your computer for spyware -- Use a legitimate anti-spyware program to scan your computer and remove any spyware or adware hidden in software programs, which may affect the performance of your computer and give attackers access to your data.

  3. Keep software up to date -- Upgrade your software programs to the most current version and turn on Windows' automatic update function to get Microsoft's regular security patches (e.g. Internet Explorer 8).

  4. Use passwords and encrypt sensitive files -- By encrypting files with passphrases, you ensure that unauthorized people can't view the data even if they can physically access it.

  5. Avoid unused software programs -- If you have programs on your computer that you do not use, consider uninstalling them. In addition to consuming system resources, these programs may contain vulnerabilities that, if not patched, may allow an attacker to access your computer.

  6. Dispose of sensitive information properly -- To ensure that an attacker cannot access sensitive files, make sure that you adequately erase them, and avoid giving away any valuable or sensitive personal information on your MySpace or Facebook profile or in messages to other members of the network.

  7. Pay attention to messages from Windows -- The messages that pop up on your screen, especially in the new Vista operating system, often contain helpful security information.

  8. Consider creating separate user accounts -- If other people use your computer, create a different user account for each user and set the amount of access and privileges for each account, so that someone else cannot accidentally access, modify, or delete your files.

  9. Evaluate your software's settings -- The default settings of most software enable all available functionality. However, attackers may be able to take advantage of this functionality to access your computer. It is especially important to check the settings for software that connects to the internet (e.g. browsers, e-mail clients, etc.) and apply the highest level of security available.




Reference links:

  1. http://www.us-cert.gov/cas/tips/ST06-008.html
  2. http://www.businessweek.com/technology/content/nov2007/tc2007119_234494_page_2.htm