Wednesday, June 18, 2008

The application of 3rd party certification programme in Malaysia

MSC Trustgate.com Sdn Bhd is a licensed Certification Authority (CA) operating out of the Multimedia Super Corridor. MSC Trustgate was incorporated in 1999 to meet the growing need for secure open network communications and to become the catalyst for the growth of e-commerce, both locally and across the ASEAN region. At present, MSC Trustgate has 12 million in paid-up capital.

Trustgate has been licensed under the Digital Signature Act 1997 (DSA), a Malaysian law that sets a precedent for the mandate of a CA. Its core business is to offer the complete security solutions and trust services needed by individuals, enterprises, government and e-commerce service providers: digital certification services, including digital certificates, cryptographic products and software development. They are committed to providing the finest Public Key Infrastructure (PKI) to assist all types of companies and institutions conducting their business over the Internet. The state-of-the-art back-end infrastructure, which cost RM14 million, is probably one of the best in the region.

Security is the primary concern when entering the new Internet economy. The ever-changing paradigm of e-commerce requires a well-mandated security infrastructure. Trustgate is determined to become the leading Internet utility service provider, thus complementing the aspiration of the MSC to be a world-class e-environment.

Secure Sockets Layer (SSL) is a protocol developed by Netscape in 1996 which was quickly adopted around the world as the method of choice for securing data transmissions across the Internet. SSL is an integral part of virtually all web browsers and web servers and makes use of a public-and-private key encryption system originally developed by RSA.

In order to establish an SSL connection, the SSL protocol requires that a server have a digital certificate installed. A digital certificate is an electronic file that uniquely identifies individuals and servers. Digital certificates allow the client (Web browser) to authenticate the server prior to establishing the SSL session. Typically, digital certificates are signed by an independent and trusted third party to ensure their validity. The "signer" of a digital certificate is known as a Certification Authority (CA), such as VeriSign.

SSL enables secure online transactions by combining the following three important elements:

(a) Authentication
(b) Encryption
(c) Message Integrity

Combining the three elements above, SSL becomes a simple yet extremely powerful security solution, enabling you to conduct authenticated and encrypted online transactions with visitors to your Web site. With a VeriSign SSL certificate installed on your Web site, visitors will be able to submit credit card numbers or other sensitive information to you, with complete assurance that they are really doing business with you (and not an impostor) and that the information they are sending to you cannot be intercepted or tampered with during transmission.

With the increase in phishing and spoofing attacks on the Internet, your customers want to make sure that they are dealing with trusted parties when they conduct business with you online. They need to be sure that their information travelling over the Internet reaches the intended recipients and is safe from intruders. Trustgate offers the following SSL Certificates for your server security:

1. Global Server ID adopts today's strongest commercially available encryption for secure communications via Server Gated Cryptography (SGC) technology. GSID authenticates your web sites and enables 128- or 256-bit encryption to secure communications and transactions between the site and its visitors. Every purchase of GSID comes with a VeriSign Secured Seal that you can display on your web site. The seal is instant proof that your web site is genuine because you have been verified by the world's leading SSL provider, and your customers can conduct business with you free of worry.
Example: Compaq, IBM, Javasoft, Lotus, Microsoft, Nokia

2. Secure Site SSL Certificates protect the transfer of sensitive data on Web sites, intranets, and extranets using a minimum of 40-bit and up to 256-bit encryption. It includes VeriSign Secured Seal.

Example: Compaq, IBM, Microsoft, Nokia, Novell, Oracle

How do SSL certificates enable secure authenticated e-commerce on the Web?

By obtaining and installing an SSL certificate, you enable the use of SSL at your Web site. When a browser connects via "https" to a Web site with an SSL certificate, the browser and the server exchange information during what is called the "SSL handshake." Once the SSL session has been negotiated, all information that passes between the browser and the server is encrypted. Almost all browsers are equipped to recognize VeriSign SSL certificates automatically, enabling almost every visitor in the world to safely exchange sensitive information and conduct e-commerce transactions with your Web site.
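The client side of the handshake just described, as an added example that is not part of the original post or of any Trustgate or VeriSign product: the browser's job is to validate the server certificate against trusted CA roots and match the hostname before anything is encrypted, so the example shows the correct verifying setting beside the weak one, and how to read the certificate a server presents. The host names and the sample certificate are constructed assumptions.

```python
import socket
import ssl
import time


def client_context(verify=True):
    """Client-side context for the handshake. verify=True is the correct
    setting: system root store loaded, chain checked (CERT_REQUIRED), name
    matched. verify=False is the weak setting: the authentication element
    is gone, so an impostor server completes the handshake and gets the
    encrypted traffic. Shown only for comparison."""
    ctx = ssl.create_default_context()
    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def summarize_cert(cert, now=None):
    """Reduce SSLSocket.getpeercert() output to what a visitor would check:
    which name the certificate covers, which CA signed it, and its validity."""
    now = time.time() if now is None else now
    subject = {k: v for rdn in cert.get("subject", ()) for k, v in rdn}
    issuer = {k: v for rdn in cert.get("issuer", ()) for k, v in rdn}
    dns = [n for kind, n in cert.get("subjectAltName", ()) if kind == "DNS"]
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    return {
        "common_name": subject.get("commonName"),
        "issuer": issuer.get("organizationName"),
        "dns_names": dns,
        "days_left": int((expires - now) // 86400),
        "expired": expires < now,
    }


def fetch_server_cert(host, port=443, timeout=5.0):
    """Run the real handshake against a live server (needs network). With the
    verifying context a bad chain or name mismatch raises
    ssl.SSLCertVerificationError before any application data is sent."""
    ctx = client_context(verify=True)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return summarize_cert(tls.getpeercert())


# Constructed sample in the shape getpeercert() returns; not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.test"),),),
    "issuer": ((("organizationName", "Example Root CA"),),),
    "subjectAltName": (("DNS", "www.example.test"), ("DNS", "example.test")),
    "notAfter": "Jan  1 00:00:00 2031 GMT",
}
```

Calling `fetch_server_cert("www.example.test")` against a real host returns the same summary shape as `summarize_cert(SAMPLE_CERT)`; the verifying context refuses the handshake rather than returning anything when the chain does not lead to a trusted CA.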

How to safeguard our personal and financial data.

Personal Data
There are steps you can take to minimize the risk of data loss. Responding to a call to action from the Federal Trade Commission for all major trade associations to address the security of data, the Direct Marketing Association approved security guidelines for its members. All members must follow four specific ethical guidelines to keep information about consumers secure.
Step 1. Have a Security Policy.
Establish information security policies and practices to ensure the uninterrupted security of information systems.
Step 2. Train and Supervise for Security.
Institute vigorous training and oversight of your designated security team. But don’t stop there. Any other employee or contract worker with even occasional access to personally identifiable information must be trained and supervised.
Step 3. Use Available Technology to Guard Personal Data.
Written policies and training go far, but not far enough. Construct structural and technological walls to contain personal information and run tests to ensure that the system works. Make contingency plans.
Step 4. Inform Data Suppliers and Business Partners of their Responsibilities to Meet Your Security Specifications.
The information chain is only as strong as its weakest link. Make sure that personal data in your care are "tagged" and "fenced" when they enter your database, while they are in storage and once they leave. Permit no information transfers without requiring business partners to meet your security standards.
Financial Data
A new ISO standard will help to safeguard the privacy of people's financial data when being processed by automated, networked information systems.
ISO 22307:2008, Financial services – Privacy impact assessment, defines a methodology to help organizations in private and public sectors identify privacy issues and mitigate risks associated with processing the financial data of customers and consumers, business partners and citizens.
“One way of proactively addressing privacy principles and practices is to follow a standardized privacy impact assessment process for a proposed financial system, such as the one recommended in ISO 22307.”
The standard describes the privacy impact assessment (PIA) which should be carried out at an early stage in the development of a proposed financial system. As well as helping to identify optimal privacy options and solutions, it provides a way to ensure that the system complies with applicable laws and regulations governing customer and consumer privacy.
It is a tool that, when used effectively, can identify risks associated with privacy and help organizations plan to mitigate those risks. ISO 22307:
  • describes the PIA process in general,
  • defines the common and required components of a privacy impact assessment, regardless of the business systems affecting financial institutions, and
  • provides informative guidance, including frequently asked questions (FAQs) on PIAs and their implementation, together with a number of questionnaires designed to help users assess their needs and develop an effective PIA.

Bearing in mind that the legal framework for privacy protection differs from country to country, this internationally agreed standard on privacy impact assessments is an important step forward. The internationalization of PIAs is critical for global banking and, in particular, for cross-border financial transactions.

Is me.. ah_Ju..

Let me introduce myself. My name is Teo Jing Ji. I am a Malaysian Chinese. I am currently living in Sungai Long for my studies in UTAR. This is my last year in UTAR. I hope I can do better and graduate with flying colours.
I am a person who is positive about every aspect of life. There are many things I like to do, to see, and to experience. What I like to do most is swimming. I feel relaxed in the water. I have a dream of dining at Tioman Island. But the fee for dining there is expensive for me. It is around RM1000++. I cannot pay it. So I think I need to work hard and save money from now.
The five (5) websites I visit the most are www.google.com, www.hotmail.com, www.utar.edu.my, www.haoting.com, and www.sinchew.com. I always use www.google.com to find information for my assignments and whatever I am interested to know. And I use www.hotmail.com to check my mail and I created my space there too. www.haoting.com is a nice place to listen to the latest pop music without downloading. I read the news through the Sin Chew web every day. So I can save RM 1.30 on buying a newspaper every day. The UTAR web is used by me to check my study environment. It lets me know more about my university.
The top five internet activities are entertainment, because people like watching, reading, listening, chatting, and buying. All this can be done through the Internet. It is convenient for the busy man.
E-commerce is a new subject for me this semester. I think it is an interesting subject. I will be happy to learn it. And I will adapt to it fast.

Tuesday, June 17, 2008

Phishing: Examples and its prevention methods

Phishing is a method criminals use to get at sensitive information (like usernames or passwords). It is a form of social engineering. Social-engineering schemes use 'spoofed' e-mails to lead consumers to counterfeit websites designed to trick recipients into divulging financial data such as credit card numbers, account usernames, passwords and social security numbers. The mail appears to come from a bank or other service provider. It usually says that, because of some change in the system, users need to re-enter their usernames/passwords to confirm them. The users are usually given a link to a page that looks almost like that of the real bank.

Through such practices, criminals get access data to bank accounts, or other platforms (like online trade platforms). Very often, it can also be used for identity theft.

Above is an example of a phishing email, disguised as an official email from a (fictional) bank. The sender is attempting to trick the recipient into revealing secure information by "confirming" it at the phisher's website.

While online banking and e-commerce are very safe, as a general rule you should be careful about giving out your personal financial information over the Internet. Below is a list of recommendations you can use to avoid becoming a victim of these scams.

  • Be suspicious of any email with urgent requests for personal financial information
    - unless the email is digitally signed, you can't be sure it wasn't forged or 'spoofed'
    - phishers typically include upsetting or exciting (but false) statements in their emails to get people to react immediately
    - they typically ask for information such as usernames, passwords, credit card numbers, social security numbers, date of birth, etc.
    - phisher emails are typically NOT personalized, but they can be. Valid messages from your bank or e-commerce company generally are personalized, but always call to check if you are unsure
  • Don't use the links in an email, instant message, or chat to get to any web page if you suspect the message might not be authentic or you don't know the sender or user's handle
    - instead, call the company on the telephone, or log onto the website directly by typing in the Web address in your browser
  • Avoid filling out forms in email messages that ask for personal financial information
    - you should only communicate information such as credit card numbers or account information via a secure website or the telephone
  • Always ensure that you're using a secure website when submitting credit card or other sensitive information via your Web browser
  • Remember not all scam sites will try to show the "https://" and/or the security lock. Get in the habit of looking at the address line, too. Were you directed to PayPal? Does the address line display something different like "http://www.gotyouscammed.com/paypal/login.htm?" Be aware of where you are going.
  • Consider installing a Web browser tool bar to help protect you from known fraudulent websites. These toolbars match where you are going with lists of known phisher Web sites and will alert you.
  • Regularly log into your online accounts
    - don't leave it for as long as a month before you check each account
  • Regularly check your bank, credit and debit card statements to ensure that all transactions are legitimate
    - if anything is suspicious or you don't recognize the transaction, contact your bank and all card issuers
  • Ensure that your browser is up to date and security patches applied
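The address-line habit recommended above ("Were you directed to PayPal? Does the address line display something different?"), written out as a check. This is an added example, not part of the original post: given a URL and the brand the page claims to be, it lists the red flags a visitor should notice, generalised slightly beyond the post's one case to also cover the user@host prefix and bare IP addresses. The brand-to-domain table is a constructed assumption for the example.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed lookup of the real registrable domain for a brand name; an
# assumption for the example, not an authoritative or complete list.
KNOWN_BRANDS = {"paypal": "paypal.com", "examplebank": "examplebank.test"}


def registrable_domain(host):
    """Last two labels of a hostname. Adequate for .com-style names; hosts
    under suffixes such as .com.my need a public-suffix list instead."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def check_url(url, expected_brand):
    """Return the red flags a visitor should notice in the address line of a
    page that claims to belong to expected_brand; an empty list is clean."""
    brand = expected_brand.lower()
    expected = KNOWN_BRANDS[brand]
    u = urlsplit(url)
    host = u.hostname or ""
    domain = registrable_domain(host)
    flags = []
    if u.scheme != "https":
        flags.append("not https")
    if u.username or u.password:
        # "https://www.paypal.com@evil.test/" really connects to evil.test
        flags.append("user@host prefix hides the real host")
    try:
        ipaddress.ip_address(host)
        flags.append("bare IP address instead of a name")
    except ValueError:
        pass  # a normal hostname, not an IP literal
    if domain != expected:
        flags.append(f"site is {domain}, not {expected}")
        if brand in u.path.lower():
            flags.append("brand name appears only in the path")
        if brand in host:
            flags.append("brand name used as a subdomain or look-alike")
    return flags
```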