
The Application of 3rd Party Certification Programme in Malaysia

Posted by PIRATES in UTAR on 6:38 AM
Third-party certification is a process by which a product or service is reviewed by an independent third party to validate that a set of standards, claims or criteria is being met. It provides a measure of conformity, satisfies customer demands and limits supplier risk by eliminating the expense of repeated testing. On the Internet it takes the form of a trusted third party (a Certification Authority) vouching for the identity of a website, which gives customers confidence in the face of increased phishing and spoofing attacks. A site certificate does not stop a user's computer from being spammed or infected by viruses, Trojan horses and worms; what it does is let the browser check that it is really talking to the named site and encrypt the session, so that confidential information such as IC numbers, passwords, credit card numbers and telephone numbers cannot be read or altered in transit. The best-known third-party certification programme in Malaysia is provided by MSC Trustgate.com Sdn Bhd.

MSC Trustgate.com Sdn Bhd was incorporated in 1999 and is a licensed Certification Authority (CA) operating within the Multimedia Super Corridor. A Certification Authority is a body licensed to operate as a trusted third party in the issuance of digital certificates. It was set up to meet the growing need for secure network communications and to act as a catalyst for the development of e-commerce, both locally and across the ASEAN region.

MSC Trustgate.com Sdn Bhd is licensed under the Digital Signature Act 1997 (DSA), a Malaysian law that set a global precedent in mandating the licensing of CAs. As a CA, its core business is providing digital certification services: cryptographic products, digital certificates and related software development. It provides solutions and trusted services that help companies build a secure network and application infrastructure for their electronic communications and transactions over the network, and it has earned recognition from the government, enterprises and e-commerce sites for the quality of its services. Examples of the products and services provided by MSC Trustgate.com Sdn Bhd are SSL Certificates, Managed PKI, Personal ID, MyTRUST, MyKard ID, SSL VPN and others. MSC Trustgate.com Sdn Bhd is also an affiliate of VeriSign in the South East Asia region and a member of the VeriSign Trust Network.




The vision of MSC Trustgate.com Sdn Bhd is to enable organizations to conduct their business over the Internet as securely as they do in the physical world, because security is the primary concern for anyone entering the new Internet economy.

To help institutions and companies of all kinds conduct their business over the Internet, MSC Trustgate.com Sdn Bhd offers a Public Key Infrastructure (PKI) service. Managed Public Key Infrastructure (MPKI) is a fully integrated enterprise platform for securing intranet, extranet and Internet applications, combining flexibility, scalability and performance with security and availability. It lets an enterprise establish a robust PKI and Certification Authority (CA) system quickly and cost-effectively, with full control over security policies, certificate lifecycle management, authentication models and PKI hierarchies.

The service also lowers operating costs and speeds up deployment while providing an open platform that integrates with off-the-shelf solutions. With it, an organization can set up its own digital certification programmes easily, quickly and economically, issuing 250 or more digital certificates to partners, customers, employees or suppliers. These certificates are used to secure online transactions, sign them digitally and control access to intranets and extranets.


MyKad, the Malaysian national identity card, was designed by the government with PKI capability that allows its holder to conduct online transactions with private-sector organizations and government agencies. MSC Trustgate.com Sdn Bhd provides MyKey, the solution that lets users authenticate themselves online, sign documents and conduct transactions digitally with the card. It is also the main PKI developer and integrator for MyKad and offers MyKey (MyKad PKI) modules, such as the MyKey Application Programming Interface (API) and the MyKad Client Kit, for developers who want to build MyKad applications.


About VeriSign
VeriSign, Inc. is a provider of Internet infrastructure services for the networked world. Billions of times each day it enables companies and consumers around the world to engage in trusted communications and commerce through its SSL, identity and authentication, and domain name services. As business and communication move online, the ability to know and trust the parties one is dealing with has become critical.


VeriSign's Internet infrastructure sits at the heart of the Internet, protecting valuable data and enabling key transactions. It has answered authoritative Domain Name System (DNS) queries since 1998 with 100% availability, currently around 50 billion a day, and intends to increase the capacity of the .com and .net DNS tenfold by 2010 to provide the stability and security required for global online transactions. It has also issued 2 million VeriSign® Identity Protection (VIP) credentials to consumers for strong authentication on a network of leading websites, so that consumers can be confident when they conduct online business transactions.


A VeriSign SSL Certificate is not an "encrypted key": it is a signed statement from the CA binding a website's public key to its domain name (and, for organization-validated certificates, to the organization's verified identity). The webmaster generates a key pair on the web server, keeps the private key there, and sends only the public key to the CA in a certificate signing request; the CA verifies the applicant's control of the domain and its identity, then signs the certificate. Browsers ship with VeriSign's root certificates, so any client can verify that signature when it connects with the Secure Sockets Layer (SSL) technology. VeriSign is the leading SSL Certificate Authority, offered in Malaysia through MSC Trustgate.com Sdn Bhd, and its certificates secure communications, e-commerce and interactions for websites, extranets and intranets. In practice the certificate lets the server prove its identity and enables encryption of sensitive information during online transactions, which protects the organization's customers, website, network and brand, and raises customers' confidence in conducting business online in the face of increased phishing and spoofing attacks. Each certificate carries unique, authenticated information about its owner, whose identity is verified by the Certification Authority before the certificate is issued.




A digital certificate is usually presented by a web server when a browser connects to it, or attached to an e-mail message, to verify that the website or user is who they claim to be. The general functions of digital certificates are user authentication, encryption and digital signatures. Authentication with a certificate does not rely on a username and password: the holder proves possession of the private key that matches the public key in the certificate, and the verifier checks the CA's signature on that certificate. Encryption protects data in transit, so that only the intended recipient, who holds the matching private key, can read the message. A digital signature is the hand signature of the digital world: it lets the recipient check that the data has not been altered (integrity) and that it came from the holder of the signing key, so the signer cannot later deny having sent it (non-repudiation). Users can therefore conduct online transactions without fear of personal data being stolen, of the other party denying a commercial commitment, or of information being corrupted by third parties, and in this way digital certificates support the growth of Internet-based activities.
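The two paragraphs above (the SSL certificate and the three certificate functions) describe a structure that is easier to see in code. The following is an added example written for this page, not code from MSC Trustgate, VeriSign or the original post. It uses textbook RSA with tiny primes so that the arithmetic is visible; those parameters, the party names (a CA, shop.example, an impostor) and the JSON certificate layout are all assumptions for illustration and are nothing like a real X.509 deployment, which uses large keys, padding and standard encodings. What it shows is the division of roles: the CA signs a binding between a name and a public key, the site proves it holds the matching private key, and the client needs only the CA's public key to check both.

```python
import hashlib
import json

# Toy RSA with small primes so the numbers stay readable. These parameters are
# hopelessly insecure and exist only to show the structure; a real CA uses
# 2048-bit or larger keys, padding (PKCS#1 v1.5 / PSS) and X.509 encoding.
def make_keypair(p: int, q: int, e: int = 65537):
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # modular inverse (Python 3.8+)
    return (n, e), (n, d)        # (public key, private key)

def digest(data: bytes, n: int) -> int:
    """Hash the data and reduce it into the RSA group so it can be signed."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(data: bytes, priv) -> int:
    n, d = priv
    return pow(digest(data, n), d, n)

def verify(data: bytes, sig: int, pub) -> bool:
    n, e = pub
    return pow(sig, e, n) == digest(data, n)

def encode(cert_body: dict) -> bytes:
    """Canonical serialization: the exact bytes the CA signs and the client verifies."""
    return json.dumps(cert_body, sort_keys=True).encode()

def issue_certificate(subject: str, subject_pub, ca_priv) -> dict:
    """The CA binds the subject name to the subject's public key with its own signature.
    Note that the CA never sees the subject's private key."""
    body = {"subject": subject, "pubkey": list(subject_pub)}
    return {"body": body, "ca_sig": sign(encode(body), ca_priv)}

def authenticate_server(cert: dict, nonce: bytes, proof: int, ca_pub) -> bool:
    """Client-side check: (1) the CA vouches for this certificate, and
    (2) the server holds the private key matching the certificate's public key."""
    if not verify(encode(cert["body"]), cert["ca_sig"], ca_pub):
        return False
    return verify(nonce, proof, tuple(cert["body"]["pubkey"]))

# Assumed parties (constructed for the example): a CA, a shop, and an impostor
# who has a key pair of its own but no certificate from the CA.
CA_PUB, CA_PRIV = make_keypair(10007, 10009)
SHOP_PUB, SHOP_PRIV = make_keypair(10037, 10039)
FAKE_PUB, FAKE_PRIV = make_keypair(10061, 10067)

def demo():
    cert = issue_certificate("shop.example", SHOP_PUB, CA_PRIV)
    nonce = b"client-challenge-1234"          # fresh random value in a real handshake
    genuine = authenticate_server(cert, nonce, sign(nonce, SHOP_PRIV), CA_PUB)
    # An impostor who copied the real certificate but lacks the private key fails step 2.
    stolen_cert = authenticate_server(cert, nonce, sign(nonce, FAKE_PRIV), CA_PUB)
    # A home-made certificate for the same name fails step 1: the CA never signed it.
    forged = issue_certificate("shop.example", FAKE_PUB, FAKE_PRIV)
    self_signed = authenticate_server(forged, nonce, sign(nonce, FAKE_PRIV), CA_PUB)
    # Editing the subject name after issuance invalidates the CA's signature.
    tampered = {"body": dict(cert["body"], subject="bank.example"), "ca_sig": cert["ca_sig"]}
    renamed = authenticate_server(tampered, nonce, sign(nonce, SHOP_PRIV), CA_PUB)
    return genuine, stolen_cert, self_signed, renamed

if __name__ == "__main__":
    print(demo())
```

Only the first case passes. The three failures correspond to the three things a phisher might try: reuse a real certificate without the key, mint a certificate for a name the CA never vouched for, or alter a certificate after it was signed.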


In conclusion, third-party certification makes e-shopping more secure and enhances trust and confidence in an organization's website and products.




Reference:

http://msctrustgate.com/about_us.htm
http://www.mykey.com.my/Website/home.php
http://www.verisign.com/corporate/information/index.html
https://www.msctrustgate.com/product/mpki.htm



How to Safeguard Our Personal and Financial Data?

Posted by PIRATES in UTAR on 6:37 AM

Privacy and confidentiality have always been at issue as technology advances. The threat of privacy invasion by hackers creates a growing need to protect important personal and financial data with effective measures. More often than not, the problem is data being stolen for illegal use, either from a database or while it is being transferred over the network. Listed below are safeguards one can employ to reduce the risk of such information being abused.

Password protection
· The most common protection, consisting of letters and digits.
· Although it is still susceptible to automated attacks, it remains useful because it slows the attacker down, which increases the probability that the attack will be detected or that the attacker gives up and turns to easier targets.
· To strengthen it, use a hard password. The guideline given here is 6 or more characters with at least one special character or digit and mixed case, not forming a name, date, acronym or pronounceable word. Current guidance (for example NIST SP 800-63B) treats 8 characters as the minimum, favours length over forced character classes, and adds two checks that matter more than composition: use a different password for every site, and reject any candidate that appears in lists of passwords exposed in earlier breaches.
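Why length beats character-class rules is clearer with numbers. The block below is an added example for this page (not from the original post): it checks a password against the composition rules listed above and a small breached-password list, and estimates the keyspace an attacker must search from the classes actually used. The breached list, the guess rate and the sample passwords are constructed for illustration; a real check would use a large breach corpus.

```python
import string

# Constructed stand-in for a breached-password list (assumption: a real check would
# query a corpus of millions of leaked passwords, not five strings).
BREACHED = {"password", "123456", "qwerty", "letmein", "Passw0rd!"}

def char_classes(pw: str) -> dict:
    """Which of the four character classes the password actually uses."""
    return {
        "lower": any(c in string.ascii_lowercase for c in pw),
        "upper": any(c in string.ascii_uppercase for c in pw),
        "digit": any(c in string.digits for c in pw),
        "symbol": any(c in string.punctuation for c in pw),
    }

def keyspace(pw: str) -> int:
    """Number of candidates an attacker who knows the classes used must try at most."""
    cls = char_classes(pw)
    alphabet = ((26 if cls["lower"] else 0) + (26 if cls["upper"] else 0)
                + (10 if cls["digit"] else 0)
                + (len(string.punctuation) if cls["symbol"] else 0))
    return alphabet ** len(pw)

def brute_force_seconds(pw: str, guesses_per_second: float) -> float:
    """Worst-case time to exhaust the keyspace; the expected time is half of this."""
    return keyspace(pw) / guesses_per_second

def check_policy(pw: str, min_len: int = 8) -> list:
    """Return the list of policy failures; an empty list means the password is acceptable."""
    problems = []
    cls = char_classes(pw)
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if not (cls["digit"] or cls["symbol"]):
        problems.append("no digit or special character")
    if not (cls["lower"] and cls["upper"]):
        problems.append("not mixed case")
    if pw in BREACHED or pw.lower() in BREACHED:
        problems.append("appears in breached-password list")
    return problems

if __name__ == "__main__":
    # Assumed attacker speed for an offline attack on a fast hash (illustrative figure).
    rate = 1e9
    for candidate in ("abc123", "P@ssw0rd", "Passw0rd!", "Tr0ub4dor&3", "correcthorsebatterystaple"):
        print(f"{candidate:28} {check_policy(candidate)!s:60} "
              f"{brute_force_seconds(candidate, rate):.3e} s")
```

Two results are worth noticing: "Passw0rd!" satisfies every composition rule yet is rejected because it is a known leaked password, and the 25-letter lowercase passphrase fails the mixed-case and digit rules while having a keyspace many orders of magnitude larger than "P@ssw0rd". Composition rules are a floor, not a measure of strength.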


Firewall
· A protected gateway that stands between the resources requiring protection and the "outside"; a filter between the private network and the Internet.
· To be effective, a firewall must guard all access to the internal network, including modem connections and remote network access; a single unguarded path (a modem, a wireless access point or a remote-access link that bypasses it) defeats the whole control.
· Always keep the firewall on.


Encryption
· The process of scrambling a message so that it is difficult, expensive or time-consuming for an unauthorized person to decipher.
· Symmetric encryption uses the same secret key to encrypt and decrypt; public-key (asymmetric) encryption uses the recipient's public key to encrypt and the matching private key to decrypt, so the secret never has to be shared in advance.
· Protects both stored data and data in transit, provided the keys themselves are protected.


Packet filters
· Rules that accept or reject incoming packets based on source and destination address, port and other header fields. Rules are evaluated in order, so their sequence matters, and anything that matches no rule should be dropped (default deny).
· Packet filters look at packet headers, not at message content. Delivering an e-mail while stripping or rejecting a suspicious attachment is a job for a mail gateway or content filter, not the packet filter.
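To make the "rules evaluated in order, default deny" point concrete, here is an added example for this page (not from the original post) of a minimal packet filter: a rule list matched first-hit against a packet's header fields. The addresses come from the documentation ranges and the rule set is an assumed small-office policy, chosen to show that moving a block rule below an accept rule silently re-opens the hole.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Rule:
    action: str                   # "accept" or "reject"
    src: str                      # CIDR network; "0.0.0.0/0" means any source
    dst: str                      # CIDR network; "0.0.0.0/0" means any destination
    proto: str                    # "tcp", "udp", "icmp" or "any"
    dport: Optional[int] = None   # destination port; None means any

@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: Optional[int] = None

def matches(rule: Rule, pkt: Packet) -> bool:
    """True when every field of the rule covers the packet's header."""
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src):
        return False
    if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(rule.dst):
        return False
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return True

def filter_packet(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule wins; a packet that matches no rule is rejected (default deny)."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "reject"

# Constructed rule set (assumption): 192.0.2.10 is the public web server,
# 10.0.0.0/8 is the internal LAN, and 198.51.100.0/24 is a network known to be hostile.
RULES = [
    Rule("reject", "198.51.100.0/24", "0.0.0.0/0", "any"),        # block hostile network first
    Rule("accept", "0.0.0.0/0", "192.0.2.10/32", "tcp", 443),     # public HTTPS only
    Rule("accept", "10.0.0.0/8", "192.0.2.10/32", "any"),         # LAN may reach the server freely
]

if __name__ == "__main__":
    for pkt in (Packet("203.0.113.5", "192.0.2.10", "tcp", 443),
                Packet("203.0.113.5", "192.0.2.10", "tcp", 22),
                Packet("198.51.100.7", "192.0.2.10", "tcp", 443),
                Packet("10.1.2.3", "192.0.2.10", "tcp", 22)):
        print(pkt, "->", filter_packet(RULES, pkt))
```

With the rules in this order the hostile network cannot reach port 443 even though the second rule would accept it; put the reject rule last and the same packet is accepted, because the first match decides.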


Antivirus/Antispyware software
· The number of known malicious programs grows rapidly and includes viruses, worms, Trojan horses, trapdoors and logic bombs.
· Hidden spyware is also embedded in downloaded data and software.
· Install antivirus and antispyware software to detect and remove such malicious code, for example Norton AntiVirus, Spyware Doctor, Avira, AVG and similar products.
· Free antivirus software can easily be obtained from the Internet; download it only from the vendor's own site, since fake "antivirus" downloads are themselves a common way of delivering malware.
· Always keep the software updated, since an older version cannot detect malware that appeared after its last signature update.


Virtual Private Network (VPN)
· Uses the public Internet to carry information while keeping the network private: encryption scrambles the traffic, integrity checks ensure the information transmitted has not been altered, and authentication and access control verify the identity of anyone using the network.
· A VPN only protects the path between its two endpoints; data is exposed again once it leaves the tunnel, so the hosts at either end still need the other safeguards listed here.

Intrusion Detection System (IDS)
· Software that monitors activity across a network or on a host computer, watching for suspicious activity (known attack signatures or unusual behaviour) and raising an alert when it finds any.
· An intrusion prevention system (IPS) goes further and takes automated action, such as blocking the offending address. Shutting down a server is a last resort, since an attacker who knows the rule can trigger it deliberately to cause a denial of service.
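The simplest host-based IDS rule is the one every SSH server eventually needs: many failed logins from one address in a short window, and above all a success from that address afterwards. The block below is an added example for this page, not code from the original post; the log lines are constructed in OpenSSH's syslog format and are not from a real host, and the threshold and window are assumed tuning values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed auth-log excerpt in OpenSSH syslog format (not taken from a real host).
LOG = """\
Mar 10 02:14:01 web1 sshd[4120]: Failed password for invalid user admin from 198.51.100.23 port 50122 ssh2
Mar 10 02:14:03 web1 sshd[4121]: Failed password for root from 198.51.100.23 port 50124 ssh2
Mar 10 02:14:04 web1 sshd[4122]: Failed password for root from 198.51.100.23 port 50126 ssh2
Mar 10 02:14:06 web1 sshd[4123]: Failed password for invalid user oracle from 198.51.100.23 port 50128 ssh2
Mar 10 02:14:09 web1 sshd[4124]: Failed password for root from 198.51.100.23 port 50130 ssh2
Mar 10 02:14:11 web1 sshd[4125]: Accepted password for root from 198.51.100.23 port 50132 ssh2
Mar 10 02:20:45 web1 sshd[4130]: Failed password for alice from 10.0.0.7 port 41002 ssh2
Mar 10 02:20:52 web1 sshd[4131]: Accepted publickey for alice from 10.0.0.7 port 41004 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)

def parse(log: str, year: int = 2009):
    """Yield (timestamp, result, user, ip) for each sshd login line; syslog omits the year."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["result"], m["user"], m["ip"]

def detect_bruteforce(log: str, threshold: int = 5, window: timedelta = timedelta(minutes=1)):
    """Alert when one source IP fails `threshold` logins inside `window`, and again if
    that IP later logs in successfully (the case that needs a human immediately)."""
    failures = defaultdict(list)   # ip -> timestamps of recent failures
    flagged = set()
    alerts = []
    for ts, result, user, ip in parse(log):
        if result == "Failed":
            recent = [t for t in failures[ip] if ts - t <= window] + [ts]
            failures[ip] = recent
            if len(recent) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append((ts, ip, f"{len(recent)} failed logins within {window}"))
        elif ip in flagged:
            alerts.append((ts, ip, f"successful login as {user} after brute force"))
    return alerts

if __name__ == "__main__":
    for ts, ip, message in detect_bruteforce(LOG):
        print(ts, ip, message)
```

Alice's single typo from the LAN produces nothing; the scanner's five failures in eight seconds produce one alert, and its subsequent success produces a second, higher-priority one. An IPS would act on the first alert by blocking the address; an IDS only reports.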

Be educated
· Take time to keep up to date with the latest techniques hackers use to break into databases.
· Be aware of the popular phishing methods so that you do not accidentally leak sensitive information to a third party.


All in all, use private communication lines where possible to limit public eavesdropping and intrusion; use passwords, access restrictions and user authentication to guard against unauthorized access; and secure systems with virus scanners, firewalls and intrusion detection systems where possible. Never forget to keep reading about current cases of how data is being stolen.

Source: Paul Oman, Edmund O. Schweitzer and Deborah Frincke, "Concerns About Intrusions into Remotely Accessible Substation Controllers and SCADA Systems", retrieved from http://www.csds.uidaho.edu/deb/SCADA.pdf



Phishing: Examples and its Prevention Methods

Posted by PIRATES in UTAR on 6:37 AM

Have you heard the word phishing before? Many people have not, and do not know what it means. Phishing is a term from the field of computer network security: it is a form of Internet fraud that aims to steal valuable personal information such as credit card numbers, social security numbers, user names, IDs and passwords. Still not clear? Put simply, phishing is THEFT.

It has become increasingly common among today's network users. So how does phishing actually work? Phishing usually arrives as an e-mail or an instant message. A phishing e-mail typically impersonates a well-known organization so that your guard is lowered and you hand over your personal information. Phishing may also come through a website that offers a service for which you would not normally need an account, purely to collect the credentials you type in.

With the extremely large number of Internet users today, phishing can reach us in many different ways. Types of phishing attack include deceptive phishing, malware-based phishing, key loggers and screen loggers, session hijacking, web Trojans, hosts file poisoning, system reconfiguration attacks, data theft, DNS-based phishing (pharming), content-injection phishing, man-in-the-middle phishing and search engine phishing.

However, the most frequently used and common method of phishing is sending fraudulent e-mails. So what should you look for in order to identify a phishing e-mail?

1) Generic greeting – phishing e-mails are usually sent by spamming in massive batches. Phishers use generic salutations like "Dear Customer" rather than typing out every recipient's name. If an e-mail does not address you by your full name, be suspicious of its reliability (the reverse does not hold, however: a targeted "spear phishing" e-mail may well know your name).
2) Forged link – there is usually a link that claims to take you directly to the organization's or bank's website, but the visible text and the real destination can differ; hover over the link and compare the actual domain with the one you expect. Do not treat "https" as proof of safety: the "s" only means the connection to that site is encrypted, and phishers can obtain certificates for their own look-alike domains. What matters is whether the domain is the genuine one.
3) Requests for personal information – the whole purpose of a phishing e-mail is to trick you into supplying personal information. Whenever an e-mail asks you for it, it is probably a phishing e-mail.
4) Sense of urgency – criminals try to get your personal information in a hurry. They want you to update or provide details as soon as possible so that your account will not be suspended or closed, which makes victims act fast to "save" their account. Beware of this sense of urgency.
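The four signs above can be turned into a mechanical check. What follows is an added example written for this page, not code from the original post or from any mail filter: it parses the links out of an HTML mail body, compares each link's visible text with where it really goes, and looks for the generic greeting, the request for personal data and the urgency wording. The two messages are constructed samples using the reserved bank.example and login-check.example names, and the "last two labels" domain comparison is a simplification (a real filter would use the public-suffix list).

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML mail body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

HOST_RE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)
PERSONAL_RE = re.compile(r"\b(password|pin|credit card|account number|ic number)\b", re.I)
URGENCY_RE = re.compile(r"\b(immediately|urgent|within \d+ hours|suspended|closed)\b", re.I)

def registrable_domain(host: str) -> str:
    """Last two labels of a host name (assumption: no public-suffix list is consulted)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def host_in_text(label: str) -> str:
    """Return the host name a link's visible text claims to be, or '' if it is just words."""
    m = HOST_RE.match(label.strip())
    return m.group(1) if m else ""

def phishing_indicators(sender_domain: str, html_body: str, recipient_name: str) -> list:
    """Apply the four checks and return the indicators found (an empty list means none)."""
    found = []
    text = re.sub(r"<[^>]+>", " ", html_body)
    if recipient_name.lower() not in text.lower():
        found.append("generic greeting")
    collector = LinkCollector()
    collector.feed(html_body)
    for href, label in collector.links:
        target = registrable_domain(urlparse(href).hostname or "")
        claimed = host_in_text(label)
        if claimed and registrable_domain(claimed) != target:
            found.append(f"forged link: text says {claimed}, goes to {target}")
        elif target != registrable_domain(sender_domain):
            found.append(f"link to {target} does not match sender {sender_domain}")
    if PERSONAL_RE.search(text):
        found.append("requests personal information")
    if URGENCY_RE.search(text):
        found.append("sense of urgency")
    return found

# Constructed sample messages (not real mail) from an assumed bank domain.
PHISH = (
    "bank.example",
    '<p>Dear Customer,</p><p>Your account will be suspended within 24 hours unless '
    'you confirm your password and IC number at '
    '<a href="http://www.bank.example.login-check.example/verify">www.bank.example</a>.</p>',
)
LEGIT = (
    "bank.example",
    '<p>Dear Ahmad,</p><p>Your monthly statement is ready. Log in as usual at '
    '<a href="https://www.bank.example/">www.bank.example</a> to view it.</p>',
)

if __name__ == "__main__":
    for sender, body in (PHISH, LEGIT):
        print(phishing_indicators(sender, body, recipient_name="Ahmad"))
```

Note how the forged link is caught: the host name "www.bank.example" appears at the start of the phishing URL, but the registrable domain of that URL is login-check.example, which is what the browser would actually connect to.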

Examples of phishing are shown below (the example images from the original post are not reproduced here).
Prevention Methods of Phishing: there are a number of technical methods for defending against phishing attacks. The approaches are as follows:

1) Educate users – whenever you receive an e-mail urging you to provide or update personal information such as a username, password, ID, credit card number, social security number or date of birth, there is a high probability that it is a phishing e-mail, because a bank or company will not ask its customers for such details by e-mail. Users need to be alert when they receive e-mails of this kind.

2) Detect and block phishing websites in time – the operator of a legitimate website can watch for look-alike domain names being registered and for its own pages being fetched wholesale by unknown clients (a sign that the site is being cloned), and can report phishing sites so that they are blacklisted and taken down before victims reach them.

3) Enhance the security of the websites – banks and owners of e-commerce businesses can use hardware to make a stolen password useless on its own. For example, each time a customer buys online they must insert their card into a card reader and enter the correct PIN to complete the transaction, or a biometric check (voice, fingerprint or iris) confirms the customer's identity. What makes this effective is a second factor that a fake login page cannot capture.

4) Block phishing e-mails with spam filters – sender-authentication schemes such as Microsoft's Caller ID for E-mail and the Sender Policy Framework (SPF) let the receiving mail server check whether an e-mail was sent from a server that the domain in its sender address has authorized. If the sender address is spoofed, the message fails the check and the receiving service can treat it as spam.

5) Install anti-phishing software on users' computers – an anti-phishing tool warns the user immediately if a visited site is on a blacklist, and its developers can update the blacklist quickly to protect users from new phishing attacks. Another kind of tool checks the security of visited websites: it examines the domain name and URL for similarity to a well-known domain and shows in a toolbar whether the website is verified and trusted.
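Method 4 above depends on how SPF actually decides. The following is an added example for this page, not code from the original post or from any mail server: a small SPF evaluator covering the ip4, a, mx, include and all mechanisms, run against a constructed DNS table instead of live lookups. The domains and addresses are assumptions drawn from the reserved example names and documentation ranges; a real receiver would resolve the records with DNS and combine the result with other signals before rejecting mail.

```python
import ipaddress

# Constructed DNS answers standing in for real lookups (assumption: everything offline).
DNS = {
    "bank.example": {
        "TXT": ["v=spf1 ip4:192.0.2.0/24 include:mail-provider.example -all"],
        "A": ["192.0.2.10"], "MX": ["mx.bank.example"]},
    "mx.bank.example": {"A": ["192.0.2.25"]},
    "mail-provider.example": {"TXT": ["v=spf1 ip4:198.51.100.0/25 ~all"]},
    "shop.example": {"TXT": ["v=spf1 a mx -all"], "A": ["203.0.113.5"], "MX": ["mx.shop.example"]},
    "mx.shop.example": {"A": ["203.0.113.6"]},
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def lookup(name: str, rtype: str) -> list:
    return DNS.get(name, {}).get(rtype, [])

def spf_record(domain: str):
    for txt in lookup(domain, "TXT"):
        if txt.startswith("v=spf1"):
            return txt
    return None

def check_spf(domain: str, sender_ip: str, depth: int = 0) -> str:
    """Evaluate the subset of RFC 7208 used above for the connecting IP: the first
    mechanism that matches decides, with its qualifier giving the result."""
    record = spf_record(domain)
    if record is None or depth > 10:       # no policy published (or include loop): nothing to enforce
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        matched = False
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = sender_ip in lookup(arg or domain, "A")
        elif name == "mx":
            matched = any(sender_ip in lookup(mx, "A") for mx in lookup(arg or domain, "MX"))
        elif name == "include":
            # An include only matches when the referenced policy returns "pass".
            matched = check_spf(arg, sender_ip, depth + 1) == "pass"
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"

if __name__ == "__main__":
    for domain, ip in (("bank.example", "192.0.2.10"), ("bank.example", "198.51.100.20"),
                       ("bank.example", "198.51.100.200"), ("shop.example", "203.0.113.6"),
                       ("shop.example", "203.0.113.7"), ("nospf.example", "203.0.113.7")):
        print(f"mail from @{domain} via {ip}: {check_spf(domain, ip)}")
```

The case to notice is the third: the sender address is spoofed from an IP inside the provider's range but outside the /25 the provider publishes, so the include does not match and bank.example's own "-all" produces a hard fail. The last case shows the limit of the method: a domain that publishes no SPF record cannot be protected by it, which is why the blog's other measures are still needed.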


References:

http://www.google.com.my/search?hl=en&defl=en&q=define:Phishing&ei=IJRISuDcJ5KZkQXg1an5CQ&sa=X&oi=glossary_definition&ct=title

http://www.phishtank.com/what_is_phishing.php

http://www.pcworld.com/businesscenter/article/135293/types_of_phishing_attacks.html

http://research.microsoft.com/en-us/um/people/chguo/phishing.pdf



A review on a post on Internet Security from My E-Commerce blog

Posted by PIRATES in UTAR on 8:14 AM

Reviewing post: "More than 1 million computer viruses in circulation now”

http://ecommerze.blogspot.com/search/label/Internet%20Security


Symantec's twice-yearly Internet Security Threat Report for 2008 shows that more than a million computer viruses, worms and Trojans were in circulation over the preceding twelve months, reflecting the efforts of cyber-criminal groups to churn out malware faster than anti-virus programs can keep up.

In 2007 Symantec detected 711,912 new malicious code threats, bringing the total number of malicious programs its anti-virus products detect to 1,122,311; in other words, almost two thirds of all known malware was created during 2007.

Most of the malicious programs target the various versions of Microsoft's Windows operating system, such as Windows XP and Windows 2000.

Other security firms also reported a significant increase in the amount of malware online:

  • Panda Software indicated that it was receiving more than 3,000 samples of malware every day.
  • Security software testing organisation AV-Test reported a total of 5.49 million unique samples of malicious software detected in 2007, five times the 2006 figure.
  • Finnish security firm F-Secure reported that the number of pieces of malware it detected doubled in 2007 compared with 2006.

Common types of malware:

Virus

A program or piece of code that is loaded onto your computer without your knowledge and runs against your wishes; it attaches itself to other programs or files and spreads when they are copied or executed.

Trojan horse

A destructive program that masquerades as a benign application. Unlike viruses, Trojan horses do not replicate themselves; they rely on the user being tricked into installing them.

Worm

A program that replicates itself over a computer network on its own, without needing a host file or any user action, and usually performs malicious actions.
