
Thursday, June 25, 2009

Online Security Threats: How Safe is Our Data?

In the current world, people rely on computers to create, store and manage their personal data, but online security threats have become one of the biggest challenges on the Internet today. Because of this, security software and hardware such as firewalls and authentication servers have become the most effective way to protect users' computers and personal data. However, these protections are still not effective enough on their own, because online security threats are more advanced than ever.



There are various types of online security threats:


(a) Computer Viruses


Computer viruses are programs or fragments of code that replicate by attaching copies of themselves to other programs. There are four main classes of viruses: file infectors, system or boot-record infectors, macro viruses, and multi-part viruses.


(b) Online Fraud

Online fraud is a broad term that covers all Internet transactions that involve falsified information. Common forms of online fraud include the sale over the Internet of counterfeit documents, such as fake IDs, certifications, and recommendation letters sold as credentials.


(c) Identity Theft




Identity theft is another common form of online fraud, or the misrepresentation of information. In the online world, much information can be intercepted as a result of vulnerabilities in computer security. Thieves can then use information such as credit card numbers to do something illegal or that violates the law.


(d) File Sharing Applications

File sharing programs are used by many computer users to share files and data. Computer users use peer-to-peer programs to share files between themselves because they are easy to use. File sharing links computers to one another over a network for the purpose of sharing information, but this also gives hackers easier access to search or download files from any computer on the network. Because of this, many experts conclude that it is not a good idea for computer users to use peer-to-peer programs to share files.


(e) Mail Client

Many hackers spread devastating viruses and worms by sending e-mails to computer users. Users can prevent or limit such threats by configuring their mail server properly and regularly, so that suspicious attachments or files are blocked immediately.


(f) Spyware Attacks

Spyware attacks are the threat most computer users are familiar with, because they are the most common online security threat faced by Internet users today. Spyware is a computer program designed by hackers to steal information from computer users without their knowledge. Common types of spyware include Trojan horses, key loggers, dialers, and adware programs.

Review on Internet Security





Favourite Passwords Used Online

Nowadays we need proper safeguards to protect our personal data, since there are many viruses and hackers that may gain unauthorized access to it. A password is a secret word or string of characters used to prove identity for authentication. Using strong passwords lowers the risk of a security breach. A strong password is determined by its length and complexity. Although strong passwords are important for protecting the personal information on our computers and in our online accounts, most of us take the easy way and make our passwords simple, such as "1234" or our first name.

According to research that analysed 28,000 passwords from popular websites, 16% of people use their own name, or their spouse's or children's name, as a password; 14% prefer "1234" or "12345678" because it is easier to remember; 4% use the word "password" or "password1"; 5% use the name of a singer, television show or cartoon; 3% of passwords express attitudes such as "whatever", "yes" and "no"; and other favourite passwords include "iloveyou" and "ihateyou".

According to the aggregate sample of passwords, which are primarily from the UK, the most common favourite password is "123", with 3.784% of votes. Next is the word "password", with 3.780%. "password" is often used as a default password for many programs, so it is extremely common and not secure at all. In my opinion, another favourite password is our IC number, which is easy to remember. However, it can also easily become known to others.

To keep our data well protected, we need strong passwords. Passwords should be longer than 8 characters and combine letters, numbers and symbols. We should avoid repeated characters and login names, and use more than one password rather than the same one everywhere.
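The password rules from this post (length, mixed character classes, no repeated characters, no login name, no reuse, and the favourite passwords listed above), written out as a checker. This is an added example, not code from the original post; the denylist is constructed from the passwords quoted above, and "repeated characters" is interpreted here as the same character three or more times in a row.

```python
import hashlib
import re

# Constructed denylist of the favourite passwords quoted in the post; a real
# deployment would load a far larger breach-derived list.
COMMON_PASSWORDS = {
    "123", "1234", "12345678", "password", "password1", "whatever",
    "yes", "no", "iloveyou", "ihateyou",
}

def check_password(password, login_name="", personal_names=()):
    """Return the rules from the post that the password breaks; [] means it passes."""
    problems = []
    lowered = password.lower()
    if len(password) <= 8:
        problems.append("not longer than 8 characters")
    if not re.search(r"[A-Za-z]", password):
        problems.append("no letters")
    if not re.search(r"[0-9]", password):
        problems.append("no digits")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no symbols")
    # "Repeated characters" read as the same character 3+ times in a row
    # (interpretation chosen for this example).
    if re.search(r"(.)\1\1", password):
        problems.append("repeated characters")
    if login_name and login_name.lower() in lowered:
        problems.append("contains the login name")
    for name in personal_names:
        if name and name.lower() in lowered:
            problems.append(f"contains a personal name ({name})")
    if lowered in COMMON_PASSWORDS:
        problems.append("on the common-password list")
    return problems

def password_digest(password):
    """SHA-256 of the password, so previously used passwords need not be kept in clear text."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def is_reused(password, previous_digests):
    """Flag the 'same password everywhere' habit by comparing against earlier digests."""
    return password_digest(password) in previous_digests

if __name__ == "__main__":
    # Constructed sample: one password is already in use on another site.
    used = {password_digest("Tr0ub4dor&Key")}
    for pw in ("1234", "alice2009!!", "Tr0ub4dor&Key", "W1nter!Storm#2009"):
        print(pw, check_password(pw, login_name="alice", personal_names=("Alice",)),
              "reused" if is_reused(pw, used) else "new")
```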

How to Safeguard Our Personal and Financial Data?




Introduction

Nowadays, identity theft and unauthorized access to personal and financial data are becoming a serious problem, since the Internet is so widely used. The Internet makes it easier for thieves to obtain personal and financial data, especially in online banking. Hackers may gain unauthorized access to customer databases to steal confidential information. However, even if you never use a computer, your personal information such as credit card numbers, account numbers and address may be stolen by someone. Therefore, unauthorized access to personal and financial data is the most important area drawing companies' attention, and it is necessary to safeguard our personal and financial data properly.



Ways to safeguard our personal and financial data

There are several ways to safeguard our personal data. First, use and maintain a firewall. A firewall is used to block unauthorized access to personal data: all messages pass through the firewall, which examines them and blocks unauthorized Internet users. A firewall is integrated into the operating system, but if you are using an older computer you have to install one.

Second, install and update antispyware and antivirus programs. Antivirus programs are software used to prevent and remove computer viruses, worms and Trojan horses; they can also detect and remove adware and spyware. Examples of antivirus software are Norton Antivirus, Symantec and AVG. Microsoft and other vendors allow users to update their antispyware programs. For those who want to save costs, Alwil's Avast offers free virus protection. It is important to ensure that our virus definitions are up to date.

Third, use passwords and encrypt sensitive files. With password protection, we use a secret word for authentication to gain access to a particular resource. Another method is encrypting files to prevent unauthorized access to personal data. However, the drawback of file encryption is that we must remember the password, because we may lose our data if we forget it.

Fourth, avoid accessing financial information in public. We should avoid checking financial information such as bank balances in public. For example, many people like to access the Internet in coffee shops that offer wireless connections. Although these systems are convenient, users may not know how strong their firewall is.

Fifth, do not open mystery attachments. We should not open an attachment or link sent by an unknown party, because these attachments may contain viruses or allow hackers to steal our information.

Lastly, regularly scan your computer for spyware. To protect our financial data, we need to scan our computers regularly, because spyware or adware may be hidden in software programs and allow hackers to access our data. Scanning the computer detects and removes them.

Tuesday, June 23, 2009

Phishing : Examples and Prevention Methods


Nowadays, phishing has become a serious network security problem for organizations. It has caused consumers and e-commerce companies billions of dollars in financial losses. As a result, phishing has made e-commerce distrusted and less attractive to ordinary consumers.


What is phishing?

Phishing is a new type of network attack in which the attacker creates a website to fool users into giving up sensitive personal information such as user names, passwords, national security IDs and credit card details; the attack is carried out by e-mail and instant messaging. The most frequent method attackers use is to send victims e-mails that look as if they were sent by a bank or online organization, giving some pretext such as re-entering login credentials or providing updated services. PayPal and eBay websites are common targets.


Phishing attack procedure methods

In general, phishing attacks are performed with four steps.

1.) Phishers set up a counterfeit website that looks exactly like the legitimate website. This includes setting up the web server, applying the DNS server name, and creating web pages similar to those of the real site.

2.) They send large amounts of spoofed e-mail to target users in the name of legitimate companies and organizations, trying to convince potential victims to visit their website.

3.) Recipients receive the e-mail, open it, click the spoofed hyperlink in the e-mail, and enter the requested information.

4.) Phishers take this opportunity to steal the personal information and carry out their fraud, such as transferring money from the victim's account.


How to identify the fraudulent e-mails?


1.) Requests to update personal information: if you receive an e-mail from Microsoft that requires you to update your credit card details, it is a phishing attempt.

2.) Generic greeting: phishing e-mails are usually sent out in bulk, address you as "Dear User" or "Dear Customer", and do not contain your first and last name.

3.) Sense of urgency: phishing e-mails generally use scare tactics. They convey a sense of urgency so that you respond immediately without thinking, for example stating that if the customer does not take action within 24 hours, the account will be closed. If you see this, treat the message as suspicious.

4.) Fake links: phishing e-mails normally hide the true URL, and the URLs listed in the e-mail are not related to the company's URL. Websites where it is safe to enter personal information begin with "https", where the "s" stands for secure. If you do not see "https", do not proceed.
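The four warning signs above, applied automatically to a message: generic greeting, urgency wording, a request for credentials, and links whose real target differs from the company's domain, the shown URL, or plain https. This is an added example, not code from the original post; the sample message and the domains in it (example-bank.com, mail-relay.test, evil.test) are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

GENERIC_GREETINGS = ("dear user", "dear customer", "dear member")
URGENCY_PATTERNS = (r"within \d+ hours", r"account will be (closed|suspended)", r"immediately")
CREDENTIAL_REQUESTS = ("credit card", "password", "update your")

class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from the <a> tags in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def phishing_indicators(body_html, sender_domain, claimed_domain):
    """Return the warning signs from the post that fire for one message."""
    text = re.sub(r"<[^>]+>", " ", body_html).lower()
    hits = []
    if any(g in text for g in GENERIC_GREETINGS):
        hits.append("generic greeting")
    if any(re.search(p, text) for p in URGENCY_PATTERNS):
        hits.append("sense of urgency")
    if any(w in text for w in CREDENTIAL_REQUESTS):
        hits.append("asks to update personal information")
    if not (sender_domain == claimed_domain or sender_domain.endswith("." + claimed_domain)):
        hits.append("sender domain does not match the claimed company")
    extractor = LinkExtractor()
    extractor.feed(body_html)
    for href, shown in extractor.links:
        target = urlparse(href)
        host = target.hostname or ""
        if target.scheme != "https":
            hits.append(f"link without https: {href}")
        if not (host == claimed_domain or host.endswith("." + claimed_domain)):
            hits.append(f"link leads away from {claimed_domain}: {host}")
        # Link text that is itself a URL must agree with the real target host.
        shown_host = urlparse(shown).hostname if shown.startswith("http") else None
        if shown_host and shown_host != host:
            hits.append(f"link text shows {shown_host} but goes to {host}")
    return hits

# Constructed sample message imitating a fictional bank (not a real e-mail).
SAMPLE_HTML = (
    "<p>Dear Customer,</p>"
    "<p>Please update your credit card details within 24 hours or your account will be closed.</p>"
    '<a href="http://secure-login.example-bank.com.evil.test/update">https://www.example-bank.com/</a>'
)

if __name__ == "__main__":
    for hit in phishing_indicators(SAMPLE_HTML, "alerts.mail-relay.test", "example-bank.com"):
        print("-", hit)
```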


Below are examples of phishing (the screenshots from the original post are not preserved here):

Example 1 (screenshot not preserved)

Example 2 (screenshot not preserved)

Example 3 (screenshot not preserved)

Example 4 (screenshot not preserved)

How to prevent phishing?

There are several steps to prevent phishing. First, detect and block phishing websites in time. When we detect phishing websites, we must block them immediately; in particular, the two master keywords of a legitimate website can be used to periodically scan the root DNS for suspicious sites, for example www.1cbc.com.cn vs. www.icbc.com.cn.


Second, use strong password protection. Users should use several passwords instead of just one. Passwords should combine uppercase and lowercase letters, numbers and symbols so that phishers cannot work them out. If you use different passwords for your blog and your e-mail account, then even when a phisher gains access to your blogging account and e-mail address, they will be unable to access your other account.


Third, do not click on suspicious links in e-mails. If you receive an e-mail asking you to update private information by clicking a link in the e-mail, do not click it, and do not copy and paste links from the message into your browser, because the link may not be trustworthy. Instead, go to the organization's website directly by typing its address into the URL bar.


Fourth, do business only with companies you know and trust. Users should deal with well-known, established companies that have a good reputation for quality service. The business website should have a privacy statement that specifically states that the company will not pass personal information to others.


Fifth, install anti-phishing software on the computer. When a user visits a website, the anti-phishing tool searches for the site's address in a blacklist stored in a database. If the visited site is on the list, the software warns the user. Such tools include ScamBlocker from EarthLink, PhishGuard and Netcraft, among others.


Lastly, use a browser that has a phishing filter. Users can use the latest browser versions such as Firefox 3.x, Internet Explorer 7 and Opera 9.x. These browsers include phishing filters that provide a safer web browsing experience without interruption from phishing activity.
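How the first and fifth steps above work together in an anti-phishing tool: a blacklist lookup, followed by a lookalike check that catches the www.1cbc.com.cn vs. www.icbc.com.cn case by collapsing characters that look alike on screen and by allowing one typo. This is an added example, not any of the named products' code; the blacklist entries and the crude "registrable domain" rule (no public suffix list) are assumptions made for the example, and the trusted sites are the ones named in this post.

```python
# Pairs of (lookalike, genuine) characters; 1/i, 0/o and rn/m are the classic cases.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "i"), ("l", "i"), ("3", "e"), ("5", "s"))

TRUSTED_SITES = ("www.icbc.com.cn", "www.paypal.com", "www.ebay.com")
# Constructed blacklist; a real tool would load a maintained feed.
BLACKLIST = {"phish.example.test", "update-account.example.test"}

def skeleton(name):
    """Collapse lookalike characters so that 1cbc and icbc compare equal."""
    for fake, real in CONFUSABLES:
        name = name.replace(fake, real)
    return name

def registrable(host):
    """The part of the host a phisher would have to register. Assumption for this
    example: the last two labels, or three when the suffix looks like com.cn."""
    labels = host.lower().strip(".").split(".")
    three = len(labels) >= 3 and len(labels[-1]) == 2 and len(labels[-2]) <= 3
    return ".".join(labels[-3:] if three else labels[-2:])

def edit_distance(a, b):
    """Levenshtein distance, so a single added or swapped letter still matches."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(host, trusted=TRUSTED_SITES, blacklist=BLACKLIST):
    """Mimic the anti-phishing tool: blacklist first, then lookalike detection."""
    host = host.lower()
    if any(host == bad or host.endswith("." + bad) for bad in blacklist):
        return "blocked: on blacklist"
    candidate = registrable(host)
    for site in trusted:
        genuine = registrable(site)
        if candidate == genuine:
            return f"ok: {genuine}"
        if skeleton(candidate) == skeleton(genuine) or edit_distance(candidate, genuine) <= 1:
            return f"warn: {candidate} looks like {genuine}"
    return "unknown: not a trusted site"

if __name__ == "__main__":
    for host in ("www.icbc.com.cn", "www.1cbc.com.cn", "paypall.com",
                 "login.phish.example.test", "www.example.org"):
        print(f"{host:28} {classify(host)}")
```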


Links:

http://www.digitalpurview.com/ways-to-identify-phishing-email/

http://www.microsoft.com/athome/security/email/phishing.mspx?ifs=0

http://office.microsoft.com/en-us/outlook/HA011400021033.aspx

http://www.uni.edu/its/security/phishingexamples.html

http://research.microsoft.com/en-us/um/people/chguo/phishing.pdf


Applications of 3rd Party Certifications in Malaysia

E-commerce is gradually becoming an essential part of our lives. Internet users reached 1.57 billion worldwide in 2009, and total e-commerce sales in the U.S. reached 145.6 billion US dollars in 2008. However, when it comes to Internet safety, we are still concerned about security problems. This is because e-commerce involves transaction processes with no boundaries, and the transfer of data is highly exposed to potential attacks like phishing, hacking and viruses. Therefore, having a good security system alone is not enough for an online business. We need an additional security feature, the 3rd party certification programme.


The 3rd party certification programme, commonly known as the digital certification programme, is an additional attachment to a website or an electronic message for security purposes. So how does the certification process work? When a person wants to send a confidential message, he needs to obtain a digital certificate from a certificate authority. The programme helps to encrypt the message, which is then sent to the receiver. The encrypted message can only be accessed using a private key given to the sender, and the 3rd party certification programme also has a public key that acts like a 'spare key' for the private key to encrypt and decrypt information. Popular certification programmes in Malaysia include Secure Sockets Layer (SSL), Digicert, MSC Trustgate, VeriSign and MyCert. These programmes enhance the security of data transfer by providing a certificate instead of requesting only a user name or password.


APPLICATIONS OF 3RD PARTY CERTIFICATION:


Online Business and Server Security

When customers purchase products online, they want to visit websites they trust. Digital certificates help to ensure stronger security by providing better encryption and instant verification, so that customers can use the websites without worry. For example, MSC Trustgate Malaysia provides Secure Sockets Layer (SSL) certificates for Internet, intranet and server security. The SSL service provides two kinds of IDs, the Global Server ID and the Secure Server ID. The Global Server ID enables 128 to 256 bits of encryption to secure communication between business sites and their visitors. Customers can make purchases with this service because it comes with a VeriSign Secured Seal that proves the website has been verified. The Secure Server ID protects transfers of sensitive data on the websites. With these SSL server IDs, online businesses can obtain purchase orders and volume discounts conveniently, with easy set-up steps and efficient security management, because the certificate helps to manage a domain with multiple servers. The certificate is also available in flexible bundles according to business needs, with wide compatibility across all types of web servers. DigiCert Malaysia also provides the DIGISIGN ID, which is widely used in e-business applications like online banking, stock trading and insurance.


Enterprise Trust Services

Enterprises need quick and cost-effective web services in order to conduct their business with top security. Therefore, they need an effective Public Key Infrastructure (PKI) and certificate authority system in order to establish a security policy and certificate lifecycle management. Trustgate provides the Enterprise Managed PKI service, which offers faster deployment and lower operating costs. These services help enterprises with designing, provisioning, staffing and maintaining their own system.


Transfer of Documents & E-mails

Every day, millions or billions of documents and e-mails are transferred through the Internet, and some of them contain confidential information. Digital certificates help to ensure information remains private during transit. They use the private and public key to facilitate authentication, privacy, authorization, integrity and non-repudiation of the information transferred online, in accordance with the Digital Signature Act 1997. MSC Trustgate Malaysia provides CryptoSuite and Secured E-mail, which secure confidential files and e-mails. The digital certificate encrypts the file and lets the recipient with the public key decrypt the contents. For confidential e-mails, the Digital ID takes the place of a handwritten signature and sealed envelope. DigiCert Malaysia, another certificate authority, also provides the DigiSign File Manager, which supports digital signatures and asymmetric-key encryption and decryption of files, with online or offline digital signing of multiple file formats.


Mobile Commerce

The advancement of m-commerce enables mobile banking and other financial services, and mobile phones can also be used to transfer documents online. Therefore, an effective security feature should be added for mobile commerce. Trustgate advances its service by turning the SIM card into a Mobile Digital Identity to secure mobile banking transactions, just like the encryption features in CryptoSuite. The only difference is that this mobile feature runs on a wireless PKI platform and the mobile operator's infrastructure. DigiCert Malaysia also offers DigiCert Mobile applications that attach digital certificates which can be stored in the phone for application access. Mobile users can transact securely over the Internet through GPRS, Bluetooth or 3G with these applications.


MyKad Applications

Malaysians can now use their own identification card to process transactions at ATM machines. All we need is the microchip on our IC. This is a special feature from MSC Trustgate, which provides the MyKey PKI that works with the physical MyKad and enables Malaysians to digitally sign documents or transactions online. MyKey PKI provides a few types of modules for businesses to develop MyKad applications: the MyKey Application Programming Interface, the Signing and Verification Module and the MyKad Client Kit.


From the information above, we can see that 3rd party certification is becoming a higher priority in this ever-developing e-commerce world. Digital certificate authorities play a very important role by ensuring online security and enhancing customer confidence in using more online services.


Sources:

http://www.msctrustgate.com

http://www.digicert.com.my/

http://www.verisign.com