Saturday, June 27, 2009

The Application of 3rd Party Certification Programme In Malaysia

Third Party Certification (TPC) is an assessment carried out to ensure the satisfaction and confidence of customers. The increasing number of phishing and spoofing attacks on the Internet has boosted the implementation of TPC programmes to ensure that information travelling over the Internet reaches its recipient safely. The TPC programme requires the posting of a website privacy statement to inform visitors what personal information a website may collect from them and how it will be used and disclosed, among other features.

Security is the primary concern when entering the new Internet economy. The ever-changing paradigm of e-commerce requires a well-mandated security infrastructure.



MSC Trustgate.com Sdn Bhd is the best-known application of the third party certification programme in Malaysia. It is a licensed Certificate Authority (CA) operating within the Multimedia Super Corridor. MSC Trustgate was incorporated in 1999 to meet the growing need for secure open network communications and to become the catalyst for the growth of e-commerce, both locally and across the ASEAN region. The vision of Trustgate is to enable organizations to conduct their business over the Internet as securely as they have been doing in the physical world.

Trustgate's core business is to provide digital certification services, including digital certificates, cryptographic products, and software development. Trustgate offers several products, such as SSL Certificates, PKI, Personal ID, MyTRUST, MyKad ID, SSL VPN, and others.

MyKad PKI

The Malaysian Government has put in place a smart National Identity Card (MyKad) for every citizen. MyKad with PKI capability allows its holder to conduct online transactions with government agencies and the private sector.

MyKey is the MyKad PKI solution that works with the physical MyKad, allowing users to be authenticated online and to digitally sign documents or transactions; it is accepted by the Malaysian Government.

MyTRUST
For Mobile Signature
With MyTRUST, users can turn a SIM card into a mobile digital identity for secure banking and other financial services. Users are able to digitally sign any transaction with ease and convenience via their mobile phone.

For Government


For Banks & Enterprise
SSL Certificate
SSL is short for Secure Sockets Layer. It is a protocol developed by Netscape for transmitting private documents via the Internet.
VeriSign is the leading SSL Certificate Authority, enabling secure e-commerce, communications, and interactions for websites, intranets, and extranets. It offers the most trusted mark on the Internet and enables the strongest SSL encryption available for every site visitor.


When we see the VeriSign logo on a website, we can click on the seal to find out more about the security of the site.

Public Key Infrastructure (PKI)
Trustgate provides PKI to assist companies in conducting their business over the Internet.
PKI technologies help organizations enhance the security of their data and manage the identification credentials of users and organizations. Security is based on the exchange of digital certificates between authenticated users and trusted resources.

Last but not least, TPC can enhance customer trust because of its efficient management of digital certificates. It also gives complete control over digital certificate issuance, usage, and certificate content. Besides, it is easy to use and manage with web-based user and administrative services. The scalability of TPC also gives customers a better solution should any threats arise against the computer system.
Related links:
  1. http://www.verisign.com/
  2. http://www.trademal.com/global/index.php/id/17463/target/about/MSC_Trustgate_com_Sdn_Bhd/index.html
-Mun Yee-

Friday, June 26, 2009

Phishing: Examples and its prevention methods


The threat of online security: How safe is our data?



Online security threats are one of the biggest challenges for most organizations today. Organizations continue to experience cyber attacks from inside and outside the organization, and the types of attacks they experience are varied. This has made organizations worry that users will break into the server deliberately to alter the pages and content of the site. They also worry about users disrupting the server, because doing so could make it unavailable to others.

Cyber attacks fall under several general categories:
(i) accidental actions
- A large number of computer security risks are caused by accidental actions. Most users today lack knowledge of online security concepts; this includes poor password choices, accidental disclosure, errors, or even using outdated software. For example, many people use Facebook, Friendster, eBay and other sites, all of which require the user to enter a user name and password to log in. The problem is that people tend to use their IC number, birthday, or an "easy to memorize" number like "1234" as their password. This makes it easy for others to figure out the password and break into the account. However, this form of cyber vulnerability is avoidable with education and prudence.

(ii) malicious attacks
- Attacks that specifically aim to do harm. They are at the root of so-called "crackings" and "hackings", notable examples of which include computer viruses, denial-of-service (DoS) attacks, and distributed denial-of-service (DDoS) attacks.

* computer viruses
- a piece of software code that inserts itself into a host, including the operating system, in order to propagate; it requires its host program to be run to activate it. A virus will infect and spread across the operating system and consequently cause the server system to break down. An example is the May 2000 "I LOVE YOU" virus: a small piece of code attached to an e-mail, and double-clicking on the executable caused it to send an e-mail to everyone in the address book, subsequently damaging victims' machines. The virus caused over $100 million in US damages and over $1 million in worldwide losses.

* denial-of-service (DoS) attacks
- an attack on a website in which the attacker uses specialized software to send a flood of data packets to the target computer with the aim of overloading its resources. It may cause a network to shut down, making it impossible for users to access the site.

* distributed denial-of-service (DDoS) attacks
- a denial-of-service attack in which the attacker gains illegal administrative access to computers on the Internet and uses them to send a flood of data packets to the target computer. Such attacks were witnessed in a number of large corporate computer shutdowns in 2000.

(iii) online fraud
- A broad term covering Internet transactions that involve falsified information. There are two major forms of online fraud: identity theft and data theft.

* identity theft
- the theft of personal identity on the Internet is the newest form of fraud. A person may open a credit card account using a false identity such as the victim's name, address, or bank account. Besides, since it is impossible to verify the identity of a buyer online, a person can also carry out online transactions using the victim's identity if they can get hold of the victim's personal information.
- Talking about identity theft, I have had an experience before. My sister's boyfriend (A) once used my account to chat in Messenger with my friend, and my friend wasn't aware of it even after they had finished the conversation. Sounds so funny! At that moment, I realized that there is an "online security threat" in Messenger too. "A" was using my identity while my friend couldn't even recognise who she was dealing with. This shows that there is a lack of proper security to verify people's identities, which enables a person to do whatever he/she wants using other people's identities.

* data theft
- the theft of information, unauthorized data, or manipulation of private data. Data theft is a problem primarily perpetrated by office workers with access to technology. Since employees often spend a considerable amount of time developing confidential and copyrighted information for the company they work for, they often feel they have some right to the information and are inclined to copy or delete it when they leave the company. Besides, they might also misuse it while they are still in employment.
- In April 2001, two employees of Cisco Systems obtained unauthorized access to Cisco stock by breaking into the computer system that handled stock distribution. They were able to transfer nearly $6.3 million in stock shares to their private portfolios.

In conclusion, the financial losses from a cyber attack can be substantial. Apart from the financial losses, it also brings other effects to users. This shows that online security still needs to be improved. Security requirements such as authentication, authorization, and confidentiality also need to be considered.

Posted by: Shu Hui

Thursday, June 25, 2009

How to safeguard our personal and financial data

As Internet criminals grow smarter and sneakier, the Internet is no longer a safe place. It is increasingly difficult to keep your financial and personal information safe because hackers have the ability to get at that information. Have you put proper safeguards in place for your data? If you don't take basic steps to protect your data, you may find yourself a victim of fraud or identity theft.

Here are a few tips on how to safeguard your personal information:

~ Password protection
When you choose passwords (ones you'll remember), please make sure they are not something that is easy for someone else to guess, such as your child's name or your date of birth. A combination of uppercase and lowercase letters, numbers, and symbols will offer more security. Also, never write this information down and never carry it in your wallet.
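The password advice above, together with the IC-number, birthday and "1234" choices criticised in the earlier post on online security threats, can be turned into a concrete check. This is an added example, not code from the original posts; the 12-character minimum, the IC-number layout and the optional personal_facts list are assumptions made for the demo:

```python
import re
from datetime import datetime

MIN_LENGTH = 12  # assumed policy value for the demo
# Malaysian IC (MyKad) number layout YYMMDD-PB-####, with or without the dashes.
IC_RE = re.compile(r"\d{6}-?\d{2}-?\d{4}")
CLASS_RES = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")

def _looks_like_date(digits):
    """True if a 6- or 8-digit run parses as a date in a common layout (a birthday)."""
    layouts = {6: ("%d%m%y", "%y%m%d"), 8: ("%d%m%Y", "%Y%m%d")}
    for fmt in layouts.get(len(digits), ()):
        try:
            datetime.strptime(digits, fmt)
            return True
        except ValueError:
            pass
    return False

def _has_run(pw, length=4):
    """True if any window of `length` characters is a sequence (1234, abcd) or a repeat."""
    low = pw.lower()
    for i in range(len(low) - length + 1):
        win = low[i:i + length]
        steps = {ord(b) - ord(a) for a, b in zip(win, win[1:])}
        if steps in ({0}, {1}, {-1}):
            return True
    return False

def check_password(pw, personal_facts=()):
    """Return the reasons a password is weak; an empty list means it passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if sum(bool(re.search(p, pw)) for p in CLASS_RES) < 3:
        problems.append("uses fewer than three of: lowercase, uppercase, digits, symbols")
    if IC_RE.search(pw):
        problems.append("contains something shaped like an IC number")
    if any(_looks_like_date(d) for d in re.findall(r"\d{6,8}", pw)):
        problems.append("contains a date, e.g. a birthday")
    if _has_run(pw):
        problems.append("contains a sequence or repeated run such as 1234")
    low = pw.lower()
    # personal_facts: names, nicknames etc. the site already knows about the user
    problems += [f"contains personal detail {f!r}" for f in personal_facts if f.lower() in low]
    return problems
```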

~ Do not reveal any personal information, particularly passwords, to anyone.
Don't give your personal and financial information to people or organizations that you don't know or have never dealt with before. Even something as simple as your date of birth or mother's maiden name can be used to steal your identity. Therefore, it's important to know that personal information can be just as dangerous as financial information.

~ Be careful of the merchants which you deal with
If you place orders or shop online, try to make sure it is a legitimate site. Transact only with organizations of good reputation, such as Amazon.com. If you were shopping in the real world, you would be more likely to trust an established store that you know and to use normal means of payment. Besides, it's essential that you use a password-protected and encrypted wallet to safeguard your credit card information.

~ Keep your eye out for scams
Many people have become familiar with common scams. Don't hesitate, DELETE them. But now there are even more convincing scam e-mails. You are probably confident you're not getting RM1 million from anonymous sources, but if you get an e-mail where the bank needs you to update your personal information for security purposes, it looks realistic, right? People will probably hand over their information and compromise all their financial accounts. If you receive an e-mail from any institution asking for your personal or financial information, even if it appears to come from a place you trust such as eBay, PayPal or Maybank, DO NOT respond. Instead, pick up the phone and call to verify. Nowadays, many fake e-mails are circulating around us, and many people have fallen victim to them. PLEASE be cautious! Don't be one of them.
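The warning signs described above (a mail that claims to be from a bank, asks you to update personal information, pressures you to act, and links somewhere other than the bank) can be scored mechanically before a reader is tempted to respond. This is an added example, not code from the original post; the brand-to-domain table and both sample messages are constructed for the demo:

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Brands the post names; the legitimate domains are an assumption for this demo.
BRAND_DOMAINS = {"maybank": ("maybank.com", "maybank2u.com.my"),
                 "paypal": ("paypal.com",), "ebay": ("ebay.com",)}
REQUEST_PHRASES = ("update your personal information", "verify your account", "enter your pin")
URGENCY_PHRASES = ("within 24 hours", "suspended", "immediately", "security purpose")
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def _is_brand_host(host, legit):
    return any(host == d or host.endswith("." + d) for d in legit)

def score_email(raw):
    # Returns (score, reasons); assumes a single-part text/plain message.
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    body = msg.get_payload()
    text = (name + " " + msg.get("Subject", "") + " " + body).lower()
    reasons = []
    # 1. Which brand does the mail claim to be from, and is the sender really them?
    claimed = next((b for b in BRAND_DOMAINS if b in text), None)
    if claimed and not _is_brand_host(sender_domain, BRAND_DOMAINS[claimed]):
        reasons.append(f"claims {claimed} but sent from {sender_domain}")
    # 2. The classic ask: hand over personal or login details.
    if any(p in text for p in REQUEST_PHRASES):
        reasons.append("asks for personal or login information")
    # 3. Pressure to act before thinking.
    if any(p in text for p in URGENCY_PHRASES):
        reasons.append("uses urgency or threat of suspension")
    # 4. A link that leads somewhere other than the claimed brand's own domain.
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        if claimed and not _is_brand_host(host, BRAND_DOMAINS[claimed]):
            reasons.append(f"link points to {host}, not a {claimed} domain")
            break
    return len(reasons), reasons

# Constructed samples (not real messages): one scam attempt, one genuine notice.
PHISH = """From: Maybank Security <alerts@mb-secure-update.example.net>
Subject: Update your personal information for security purpose

Dear customer, update your personal information within 24 hours or your account will be suspended: http://maybank2u-login.example.net/verify"""
LEGIT = """From: Maybank2u <noreply@maybank2u.com.my>
Subject: Your June e-statement is ready

Log in as usual at http://www.maybank2u.com.my to view your statement."""
```

A score of 0 means none of the four signs fired; anything above 2 is worth the phone call the post recommends rather than a reply.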


Sounds terrible, right? You don't need to be scared, but you need to be cautious and aware that there are people on the Internet who will take advantage if you allow them. If something doesn't seem right, trust your gut and avoid it.

Related Links:
  1. http://buckeyesecure.osu.edu/SafeComputing/Passwords
  2. http://azlan.anilezfa.com/maybank-fake-email

Posted by Qiao Ling