Hoax is a deliberate action that tricks people to believe that something is true when it is not. Email hoaxes usually contain false information that ask the user to perform an “ emergency action “, like sending to as much user as they can, which make the spreading of the hoax more successful.
Unlike spam mail, hoaxes email is almost impossible to be filter. The only defense against e-mail hoaxes is just to ignore them. Any email that appears as thought It could not be true probably is not true.
Example of a email hoax:
-------------------------------------------------------------------------------------
> >
> >> http://www.snopes.com/computer/virus/postcard.asp
> >>
>
> Hi All, I checked with Norton Anti-Virus, and
> >> they are gearing up for this virus!
> >> I checked Snopes (URL above:), and it is for
> >> real!!
> >> Get this E-mail message sent around to your
> >> contacts ASAP.
> >>
> >> PLEASE FORWARD THIS WARNING AMONG FRIENDS,
> >> FAMILY AND CONTACTS!
> >>
> >> You should be alert during the next few days.
> >> Do not open any message with an attachment entitled
> >> 'POSTCARD FROM HALLMARK,' regardless of who sent it
> >> to you.
> >>
> >> It is a virus which opens A POSTCARD IMAGE,
> >> which 'burns' the whole hard disc C of your
> >> computer.
> >>
> >> This virus will be received from someone who
> >> has your e-mail address in his/her contact list.
> >>
> >> This is the reason why you need to send this
> >> e-mail to all your contacts It is better to receive this
> >> message 25 times than to receive the virus and open it.
> >>
> >> If you receive a mail called'
> >> POSTCARD,' even though sent to you by a friend, do not
> >> open it! Shut down your computer immediately.
> >>
> >> This is the worst virus announced by CNN. It
> >> has been classified by Microsoft as the most destructive
> >> virus ever.
> >>
> >> This virus was discovered by McAfee yesterday,
> >> and there is no repair yet for this kind of virus.
> >>
> >> This virus simply destroys the Zero Sector of
> >> the Hard Disc, where the vital information is kept.
> >>
> >> COPY THIS E-MAIL, AND SEND IT TO YOUR FRIENDS.
> >> REMEMBER: IF YOU SEND IT TO THEM, YOU WILL BENEFIT ALL OF US
> >>
> >> Snopes lists all the names it could come in.
> >>
> >>
> >>
>
-------------------------------------------------------------------------------------
For more information about the above email pls visit
http://www.hoax-slayer.com/postcard-virus-hoax.shtml
Wednesday, October 22, 2008
Wednesday, October 15, 2008
Authenticaiton Methods - Username and Password
Username and password is one of the most common authentication methods and because it is common, this methods can be the weakest type of authentication.
Nowadays computer chips are more and more advanced and powerful which makes password cracking faster and easier. Other than password cracking program, password guessing is also an effective way to breaking into a systems. Therefore we need to construct a stronger password and change it every 2 -3 months.
Not only password should be protected, username is equally important as password, username should be kept as confidential as a password because once the intruders knows the username, half of the battle is already won.
For more password protection guide please visit:
Password Protection Guide
Nowadays computer chips are more and more advanced and powerful which makes password cracking faster and easier. Other than password cracking program, password guessing is also an effective way to breaking into a systems. Therefore we need to construct a stronger password and change it every 2 -3 months.
Not only password should be protected, username is equally important as password, username should be kept as confidential as a password because once the intruders knows the username, half of the battle is already won.
For more password protection guide please visit:
Password Protection Guide
Wednesday, October 8, 2008
Authentication Methods - Biometrics
One of the most recent popular and effective authentication methods is biometric identifiers which make use of our unique physical characteristics, and it is an example of authentication based on what you are. Common example includes:
• Fingerprints
• Voice patterns
• Retina scan
• Hand geometry
• Face
• Iris scan
The most common biometrics used is the fingerprints. A fingerprint is made of a series of ridges and furrows on the surface of the finger. Fingerprint matching can be divided into two categories: minutiae-based and correlation based. Minutiae-based techniques locate the minutiae point and convert them into a unique series of numbers, and store the information as a template. However, using minutiae based technique may have some difficulties as it is not easy to extract the minutiae point accurately when the fingerprint is of low quality. Correlation-based technique uses one precise location on the finger print to create a template.
Although biometric uses our unique characteristics and is very difficult to duplicate but is possible. Intruders can simply lifting a fingerprint from a glass to copy the fingerprint. Biometric is more recommended to use along with a password- what you know + what you are.
Biometric device is expensive to implement but once it has implemented it can overcome the problem of users forgetting their log in password and reduce the numbers of calls to the help desk about forgetting password and reset password.
• Fingerprints
• Voice patterns
• Retina scan
• Hand geometry
• Face
• Iris scan
The most common biometrics used is the fingerprints. A fingerprint is made of a series of ridges and furrows on the surface of the finger. Fingerprint matching can be divided into two categories: minutiae-based and correlation based. Minutiae-based techniques locate the minutiae point and convert them into a unique series of numbers, and store the information as a template. However, using minutiae based technique may have some difficulties as it is not easy to extract the minutiae point accurately when the fingerprint is of low quality. Correlation-based technique uses one precise location on the finger print to create a template.
Although biometric uses our unique characteristics and is very difficult to duplicate but is possible. Intruders can simply lifting a fingerprint from a glass to copy the fingerprint. Biometric is more recommended to use along with a password- what you know + what you are.
Biometric device is expensive to implement but once it has implemented it can overcome the problem of users forgetting their log in password and reduce the numbers of calls to the help desk about forgetting password and reset password.
Tuesday, October 7, 2008
Authentication categories
Authentication is a process of proving identity. Authentication can be classified into three categories:
• What you know
• What you have
• What you are
What you know is a type of authentication that based on knowledge that only knows by the authorized person or user. One of the examples is PIN or password. We need password to log in our accounts and password is a unique knowledge that only knows by our self.
What you have is a type of authentication that based on something that you have. A bit similar with what you know but the information is not stored into in your brain but a device that can be holding on your hand. A smart card, car keys or identity card are methods of authentication by what you have.
What you are is a type of authentication based on a person’s unique characteristic. For example, fingerprint, voice recognition and iris scan. Authentication by what you are can be an effective means of screening out impostors as it is not easy to duplicate human unique characteristics.
• What you know
• What you have
• What you are
What you know is a type of authentication that based on knowledge that only knows by the authorized person or user. One of the examples is PIN or password. We need password to log in our accounts and password is a unique knowledge that only knows by our self.
What you have is a type of authentication that based on something that you have. A bit similar with what you know but the information is not stored into in your brain but a device that can be holding on your hand. A smart card, car keys or identity card are methods of authentication by what you have.
What you are is a type of authentication based on a person’s unique characteristic. For example, fingerprint, voice recognition and iris scan. Authentication by what you are can be an effective means of screening out impostors as it is not easy to duplicate human unique characteristics.
Saturday, October 4, 2008
Importance of Information Security
Information security is always the first concern and requirement on network planning. It is important to any organization, business or even individual because it can prevent data theft, legal consequences and less productivity.
In business, preventing data theft is usually cite as the primary goal of information security because data theft can lead to the lost of business. A business can lose up to a few millions of dollars after an attack on information security or when the confidential information falls in the hand of competitor. In some countries it is against the law if businesses or organization failed to protect the privacy of electronic data.
In an attack of information security it can also affect the productivity of employees due to time and resources has been divert to the clean-up effort. Take a company with 500 employees as an example. If the time needed to clean-up and attack before it can go back to normal daily process is 2 days.
500 x 16 (Average of one employee working 8 hours a day) = 8000
If average per hour salary of each employee is $20
$20 x 8000 Hr = $ 160 000 lost on salaries.
This is only a very small portion on information attacks lost.In Information attacks lost which will also include the lost of reputation, trust between companies, legal consequences and the future business operation can totally bring down a business.
In business, preventing data theft is usually cite as the primary goal of information security because data theft can lead to the lost of business. A business can lose up to a few millions of dollars after an attack on information security or when the confidential information falls in the hand of competitor. In some countries it is against the law if businesses or organization failed to protect the privacy of electronic data.
In an attack of information security it can also affect the productivity of employees due to time and resources has been divert to the clean-up effort. Take a company with 500 employees as an example. If the time needed to clean-up and attack before it can go back to normal daily process is 2 days.
500 x 16 (Average of one employee working 8 hours a day) = 8000
If average per hour salary of each employee is $20
$20 x 8000 Hr = $ 160 000 lost on salaries.
This is only a very small portion on information attacks lost.In Information attacks lost which will also include the lost of reputation, trust between companies, legal consequences and the future business operation can totally bring down a business.
Thursday, October 2, 2008
Social Engineering
Social engineering is another form of intrusion that attacks human weakness without the use of any technical skills that we need to break into a network. Social engineering is one of the most difficult to defense security as it is attacking our human nature (being helpful, fear and trust). Social engineering can be dividing into two types: Computer- based and Human-based.
Types of social engineering attacks:
Computer-based
• Phishing
• Spam mail
• Email attachment
• Pop up windows
Human-based
• Dumpster diving
• Shoulder surfing
• Eavesdropping
• Pretend to be a “legitimate “employee.
Phishing is an attack where the attacker will send out an email that linked to a website that looks similar with the real website to gather information. Usually asking for username and passwords, once the information is keyed in, it will send to the intruders.
Do note that banks usually won’t ask you to change your password without you requesting.
Dumpster diving involves digging through the trash for information such as telephone contacts, list of passwords , telephone bill, employee’s information, job scope and job title. This information is sufficient to launch an attack to the target company.
Example of Social engineering:
An intruder calls a user to pretend to be from the IT department “HI, this is Michael from the IT department. We are doing a disc clean up at our file server as it is running out of space. We need to verify your account so that files safe under your user account will remind undelete. Files in account that doesn’t validate in 5 minutes will be deleted. Can you provide me your username and password so that I can help you to do the validation? “In a panic, scare that the file will be deleted soon, user then provides the intruders the Username and password letting him to have clear access to the corporate network.
Types of social engineering attacks:
Computer-based
• Phishing
• Spam mail
• Email attachment
• Pop up windows
Human-based
• Dumpster diving
• Shoulder surfing
• Eavesdropping
• Pretend to be a “legitimate “employee.
Phishing is an attack where the attacker will send out an email that linked to a website that looks similar with the real website to gather information. Usually asking for username and passwords, once the information is keyed in, it will send to the intruders.
Do note that banks usually won’t ask you to change your password without you requesting.
Dumpster diving involves digging through the trash for information such as telephone contacts, list of passwords , telephone bill, employee’s information, job scope and job title. This information is sufficient to launch an attack to the target company.
Example of Social engineering:
An intruder calls a user to pretend to be from the IT department “HI, this is Michael from the IT department. We are doing a disc clean up at our file server as it is running out of space. We need to verify your account so that files safe under your user account will remind undelete. Files in account that doesn’t validate in 5 minutes will be deleted. Can you provide me your username and password so that I can help you to do the validation? “In a panic, scare that the file will be deleted soon, user then provides the intruders the Username and password letting him to have clear access to the corporate network.
Subscribe to:
Posts (Atom)