Phishing: Examples and its prevention methods.

Phishing is an attempt to criminally & fraudulently steal people information such as username, password, credit card number, bank account number to invade other people privacy. It also can be defined as Phishing emails attempt to steal your identity and will often ask you to reveal your password or other personal or financial information.

The perpetrator will use fake website they have created to steal the information from people, the fraudulent email address that they have sent usually redirect to the perpetrator website which is fake so that it looks similar to the original website., such as through e-mail, ebay, paypal, bestbuy, msn, yahoo, Citibank, AOL & etc.

Example of phishing from e-mail:




Example of phishing from Citibank:

There are many prevention methods to prevent or stop phishing:
1) Never reply to e-mail message that request your personal information.
Legitimate companies don’t ask for this information via email. If you are concerned about your account, contact the organization mentioned in the email using a telephone number you know to be genuine, or open a new Internet browser session and type in the company’s correct Web address yourself but don’t cut and paste the link from the message into your Internet browser — phishers can make links look like they go to one place.


2) Don’t click links in suspicious e-mail, the link might not be trustworthy. Some scammers send an email that appears to be from a legitimate business and ask you to call a phone number to update your account or access a “refund.” If you need to reach an organization you do business with, call the number on your financial statements or on the back of your credit card. In any case, delete random emails that ask you to confirm or divulge your financial information.

3) Help protect your PC, keep your PC updated & use antivirus software.
Anti-virus software scans incoming communications for troublesome files that can effectively reverse the damage; and that updates automatically. A firewall helps make you invisible on the Internet and blocks all communications from unauthorized sources. It’s especially important to run a firewall if you have a broadband connection. Operating systems (like Windows or Linux) or browsers (like Internet Explorer or Netscape) also may offer free software “patches” to close holes in the system that hackers or phishers could exploit.


4) Don’t send personal information in regular e-mail messages.
Email is not a secure method of transmitting personal information. If you initiate a transaction and want to provide your personal or financial information through an organization’s website, look for indicators that the site is secure, like a lock icon on the browser’s status bar or a URL for a website that begins “https:” (the “s” stands for “secure”). However, no indicator is foolproof; some phishers have forged security icons.


5) Monitor your transaction, and review credit card and bank account statements as soon as you receive them
Check for unauthorized charges. If the statement is late by more than a couple of days, call your credit card company or bank to confirm your billing address and account balances.

Although internet has given us many convenience especially in buying or selling goods or services, but the awareness must be taken into account so that we will not been cheated.


References:
http://www.planb-security.net/wp/503167-001_PhishingDetectionandPrevention.pdf

http://chowkamleeng.blogspot.com/2008/06/phishing-examples-its-prevention.html

by Lim Hui Min

Posted on 12:40 PM by 4EvEr and filed under | 1 Comments »

The application of 3rd party certification programme in Malaysia.


TrustGate is a licensed Certification Authority (CA) in Malaysia since 1999 which is famous application of 3rd party certification programme in Malaysia. It offers complete security solutions and leading trust services that are needed by individuals, enterprises, government, and e-commerce service providers using digital certificates, digital signatures, encryption and decryption.

It was incorporated in 1999 and its objectives are to secure the open network communications and become the catalyst for the growth of e-commerce, both locally and across the ASEAN region. Its core business is to provide digital certification services, including digital certificates, cryptographic products, and software development.

TrustGate has provided several products and services. They are SSL Certificate, Managed PKI, Personal ID, MYTRUST, MYKAD ID, SSL VPN, Managed Security Services, VeriSign Certified Training, and Application Development. The vision of TrustGate is to enable organizations to conduct their business securely over the Internet, as much as what they have been enjoying in the physical world.

It also provides the finest Public Key Infrastructure (PKI) to assist all types of companies and institutions conducting their business over the Internet. The state of the art back-end infrastructure that costs RM 14 million is one of the best in the region.

Digital certificate usually attach to an e-mail message or an embedded program in a web page that verifies that user or website is who they aim to be. The common functions of digital certificate are user authentication, encryption, and digital signatures.

The user authentication has provided security than username and password. Encryption can secure the data transmission. The intended recipient of the data is only person to receive the message. Digital signature is like hand signature in the internet world. It can ensure the integrity of the data.

By using the digital certificate, users will not fear when make the transaction through the internet. It will avoid the problems of personal data being stolen, information contaminated by third parties, and the transacting party denying any commercial commitment with the users.

Furthermore, the digital certificate has brought many benefits to users in the internet world. So, it is important for users when using the internet.



Reference:


by Koh Suh Tyng
Posted on 10:57 PM by 4EvEr and filed under | 1 Comments »

How to safeguard our personal and financial data?


Internet is a public network of nearly 50,000 networks connecting millions of computers throughout the world. Nowadays, internet is no longer a safe place. Data is sent back and forth through various servers through which personal and information and financial data are housed. The is a problem occur when data transferring which is the ability to intercept and record that data that is moving from server A to server B. Hackers have the ability to intercept and use that information, such as credit card numbers and expiry dates, to falsely do transactions.


The information is including name, date of birth, gender, address, telephone, e-mail address, occupation and interests. “Personal Financial Information” means any record containing a customer of a financial institution, whether in paper, electronic, or another form, that is handled by behalf of the institution or its affiliates. It also may include company’s secret such as consumer information records such as names, addresses, phone numbers, bank and credit card account numbers and et-cetera.


Although some website has provided the privacy and security to user, such as: Secure Socket Layer (SSL), require password customization, monitor industry standards and etc. But yet, data stolen cases are still increasing.

There are a few simple approaches I would like to share on how to safeguard our personal and financial data:


1. Protection of financial accountsInternet users should review the transaction confirmations and quarterly statements as soon as they receive and notify to the website immediately of any unauthorized activity. Besides, review your credit report regularly for inaccuracies. Shred, rather than toss, documents which include credit card offers, bank statements and junk mail.

2. Password and Social Security protectionPassword and other security features add layer of protection if used appropriately by viewing to the "Choosing and Protecting Passwords" and " Supplementing Passwords". Avoid using passwords that are easy for someone to guess, such as the name of your favorite pet or your date of birth. We should not write this information down and never carry it in your wallet or briefcase. Use a combination of numbers and letters if possible.
Protect your Social Security number as well. Store your card in a safe place and avoid giving the number to others.

3. Secure our computers
We must make sure that our computers have up-to-date spyware; antivirus protection program such as Symantec, Norton antivirus, AVG antivirus and firewall software to protect ourselves against viruses and worms that may steal or alter our personal and financial data. These antivirus protection programs should update every single day to make sure it is up to date to protect our computers.
On the other hand, avoid clicking on pop-up ads or downloading information from unknown sites. Some website might have spyware that can hack our personal information.


4. Conduct the transaction on trusted methodThe best way to protect our financial and personal data is by conducting the transaction with trusted, well known online retailers that using the reputable payment processors such as Paypal or Google Checkout. Avoid giving your personal information to “cold callers” and other unknown parties online, via e-mail and over the phone. Hacker might able to get the information during the transactions.

5. Avoid accessing financial information in publicUse your own computer, instead of a work or public machine, to access financial and other sensitive personal information. Some private information might expose to others when we use public computer. Besides, resist using free wireless connections particularly in cafes, airports and other public places to check personal information.


If we have no choice but to use public computers, we must remember to close the browser window. This is to prevent other users from reading your personal information and mail.





by Foo Seow Min
Posted on 10:46 PM by 4EvEr and filed under | 1 Comments »

Threat of Online Security: How Safe Is Our Data?


Nowadays, people rely on computers to create, store and manage critical information. Consequently, it is important for users to aware that computer security plays a major role in protecting their data from loss, damage, and misuse.

Most security threats are made by attackers using a relatively small number of vulnerabilities. Attackers, being relatively opportunistic, take the path of least resistance, and continue to take advantage of these most common failures, rather than seeking out new exploits or taking advantage of more difficult ones.


According to the SANS Institute (SysAdmin, Audit, Network, Security Institute), the top ten threats are:

  • Web servers and services. Default HTTP (Web) servers have had several vulnerabilities, and numerous patches have been issued over the past several years. Make sure all your patches are up to date, and do not use default configurations or default demonstration applications. These vulnerabilities may lead to denial-of-service attacks and other types of threats.
  • Workstation service. An attacker can obtain full control over a computer by compromising the Windows Workstation service, which is normally used to route user requests.
  • Windows remote access services. A variety of remote access methods are included by default on most systems. These systems can be very useful, but also very dangerous, and an attacker with the right tools can easily gain control over a host.
  • Microsoft SQL Server (MSSQL). Several vulnerabilities exist in MSSQL that could allow an attacker to gain information from a database or compromise the server. In addition to applying all the latest patches, enabling SQL Server Authentication Logging and securing the server at both the network and system level will prevent most of these attacks.
  • Windows authentication. Most Windows systems use passwords, but passwords can be easily guessed or stolen. Creating stronger, more difficult to guess passwords, not using default passwords, and following a recommended password policy will prevent password attacks.
  • Web browsers. Your window to the Internet, a Web browser contains much vulnerability. Common exploits may include disclosure of “cookies” with personal information, the execution of rogue code that could compromise a system, and exposure of locally-stored files. Configuring the browser’s security settings for a setting higher than the default value will prevent most Web browser attacks.
  • File sharing applications. Peer-to-peer (P2P) programs are commonly used to share files. In a P2P system, computers are open to others in the P2P network to allow for all participants to search for and download files from one another. Many corporations forbid use of P2P networks because of the obvious risk of compromised data.
  • LSAS exposures. The Windows Local Security Authority Subsystem (LSAS) has a critical buffer overflow that can be exploited by an attacker to gain control over the system. Again, proper configuration and application of patches will prevent most exploits.
  • Mail client. Attackers can use the mail client on a computer to spread worms or viruses, by including them as attachments in emails. Configuring the mail server appropriately, and blocking attachments such as .exe or .vbs files, will prevent most mail client attacks.
  • Instant messaging. Many corporations also block employees from using instant messaging, not only because of the technical threats but also because of the possibility of lost productivity. Configuring IM properly, applying all the latest patches, and taking control over any file transfers that occur over IM will prevent most attacks.

In conclusion, risk exposed by computer users is increasing with the increasing developed technology. Therefore, safeguards developed must be always up to date to enhance the defenses against online security threats. In the same time, users must be educated and informed about the crucial damages and loss caused by imposing online security threats.

Posted on 10:08 PM by 4EvEr and filed under | 0 Comments »