Saturday, April 28, 2012

Online Payment

I think this is a joke, but stupid hackers will always find prey.
Online payment is becoming an integral part of our lives, yet it poses multiple risks ranging from identity theft to financial loss.
Here are some safety tips to follow when purchasing online:
  • Use a prepaid internet card: you can ask your bank for an internet credit card with a low credit line in order to limit the loss should the card be stolen. Recharge this card with the exact amount needed before each use.
  • Use your credit card carefully and only with well-known, trusted websites (App Store, Amazon, your airline, ...).
  • Verify that the URL you are using is the right one, and always look for the "S" (https).
  • Monitor your statement weekly for suspicious transactions, and report any fraud or theft directly to your issuing bank.
  • Subscribe to SMS or email alerts that notify you of every transaction within seconds of it being made.
  • Never send your credit card number by email, fax, SMS or any other communication medium.
Shop online safely

Sunday, April 22, 2012

Scams: The Story Never Ends

Last week, I received 2 missed calls from an unknown number. When I called the number back, a voice with an accent said: "Hi sir, this is Etisalat (the main mobile operator in the UAE). Congratulations, you won AED 500,000. Please turn off your phone, take your SIM out and read the last 3 digits on it; they should read 639 (apparently all Etisalat SIMs end with this number). Then call me back." I said OK and hung up.

He made another missed call after 5 minutes and asked whether I had checked. I confirmed and said that I should receive my gift. Here I asked why they make missed calls rather than calling, if they are from Etisalat; he said they were calling me, but there is an issue in the network (Etisalat is suddenly having problems with my SIM only).

He asked for my name and nationality, and I gave fake ones. He said that they had opened an account in my name at Dubai Islamic Bank and gave me an account number. Then he said one more thing was needed: I had to go to the nearest supermarket and buy AED 2,000 worth of Etisalat vouchers to verify that I am an Etisalat user.

I started laughing and told him I would get them later. He said no, now: you have 15 minutes, you are on the air on the radio and people are listening to me as I speak.
I ended the call by threatening them and called the police, who took the number and promised to take action.

Surprisingly, when I was telling this story to a friend, he told me that he had fallen for it: after he gave them the PINs for the vouchers, they asked for another set of AED 2,000, and then another (they turn greedy once they capture a prey).
They ripped him off for AED 6,000, and you know what happened.

Again, spotting scams requires a little awareness and questioning. I hope this post saves some people from getting conned.

Thursday, April 19, 2012

Certified and Validated

In this post, I will elaborate on HTTPS. We previously discussed the term phishing on this blog. To summarize, phishing is an attempt to manipulate or trick a person into providing confidential information to someone who is not authorized to receive it. To help protect against phishing, recent web browsers have developed a way of checking whether a website is valid.

Web browsers trust HTTPS websites based on certificate authorities whose root certificates come pre-installed in the browser software. Examples of certificate authorities are "Microsoft" and "VeriSign". In the example below, the bank's web site is verified by "VeriSign, Inc."

Always look for the green address bar. Recent web browsers show a green address bar to tell the user that the web site is legitimate and trustworthy. Its purpose is to give the user more confidence and to assure them that they are visiting a trusted web site.

This issue plays an important role in information security. Next time you visit a web site, look for the green address bar, especially on web sites that ask for important private information and on web sites used for payment transactions. To reassure yourself, check the certificate to confirm that the site is validated.

Saturday, April 14, 2012

Cookies, Should We Really Like Them?

What are Cookies?
Cookies are small, mostly circular pieces of sweets that are fun to... Oops, sorry!

Cookies are small, often encrypted text files that are stored silently on a user's computer. These files are designed to carry a small amount of data specific to a particular client and website. Cookies are created automatically when a browser loads a website, allowing the server to deliver a custom-made page to that particular user every time they return to the same website.

Cookies Expiry Periods
The expiry time of a cookie is assigned when the cookie is created. Some cookies are deleted when the browser window is closed (session cookies), while others are made to last for a longer period (persistent cookies); some can last for a year or even more.

Are Cookies Secure enough?
Internet security and privacy are of huge concern. Cookies do not in themselves present a threat to privacy, since they can only store information that the user has volunteered or that the web server already has. But the existence of cookies poses an inherent risk of abuse.

Cookies are NOT viruses, nor are they malicious. They are plain text, not compiled code, so they cannot be executed and are not self-executing. Accordingly, they cannot copy themselves and spread to other networks to execute and replicate again. Unable to perform these functions, they are not classified as malware. However, breaches of browser security can allow tracking cookies to be placed; these can be used to follow users from one site to another, forming comprehensive profiles. Users consider this a violation of privacy, and in the wrong hands this information can be exploited for questionable purposes. For that reason several anti-malware products flag cookies as candidates for deletion after standard virus and spyware scans.

Cookies can be exploited
Several malicious activities can be associated with cookies, such as network eavesdropping, publishing a false sub-domain (DNS cache poisoning), and cross-site scripting. (More on these attacks in later posts.)

Traffic on a network can be intercepted and read by computers on the network other than the originator, especially over unencrypted open Wi-Fi. This traffic includes cookies sent over ordinary unencrypted HTTP sessions. When network traffic is not encrypted, attackers on the same network can read other users' communications, including HTTP cookies as well as the entire contents of the conversation.

How to live with cookies
Because many of the largest and most-targeted websites use cookies by default, using cookies is almost inevitable. Websites like Facebook, YouTube, Gmail and many others require cookies for best performance and presentation. Even search settings, such as the language setting, require cookies.

Here are some tips you can use to ensure worry-free cookie-based browsing:
  • Most modern browsers support different levels of cookie acceptance, expiration and deletion. Change your browser's cookie settings to your preference.
  • When sharing PC access, set your browser to purge browsing data every time the browser is closed.
  • Don't use other people's or public wireless networks, especially when communicating sensitive information over the internet.
  • Use HTTPS rather than HTTP when available.
  • Use capable and updated anti-malware software.
  • Routinely back up your computer to prevent data loss.
  • Make sure your browser is updated: security patches are applied when you update your browser.
Finally, you should acknowledge that cookies are widely used and can't really be avoided. If you wish to enjoy surfing the internet by visiting "cookie-creating websites", you should have a clear understanding of how cookies operate and how to protect them from abuse. After all, you are responsible for taking the necessary security measures to ensure your information security.
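The points above about expiry periods and about cookies being readable on unencrypted HTTP can be checked on the server's own Set-Cookie headers. The following is an added example (not part of the original post): it parses constructed Set-Cookie headers, classifies each cookie as session or persistent, and flags cookies that lack the Secure or HttpOnly attribute or that persist for more than a year. The header values and the fixed "now" date are made up for the example.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

ONE_YEAR = 365 * 24 * 3600


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()   # flags like Secure get ""
    return name.strip(), value, attrs


def cookie_lifetime(attrs, now):
    """'session' if the cookie dies with the browser, else seconds until expiry."""
    if "max-age" in attrs:                          # Max-Age takes precedence
        return int(attrs["max-age"])
    if "expires" in attrs:
        expires = parsedate_to_datetime(attrs["expires"])
        return int((expires - now).total_seconds())
    return "session"


def audit_cookie(header, now):
    """Return (name, lifetime, findings) for one Set-Cookie header."""
    name, _, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure: also sent over plain HTTP, readable on open Wi-Fi")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: readable by page scripts (cross-site scripting)")
    lifetime = cookie_lifetime(attrs, now)
    if lifetime != "session" and lifetime > ONE_YEAR:
        findings.append("persistent cookie lasting more than a year")
    return name, lifetime, findings


# Constructed sample headers; the blog post's date is used as "now".
NOW = datetime(2012, 4, 14, tzinfo=timezone.utc)
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/; Secure; HttpOnly",
    "tracker=xyz789; Expires=Mon, 14 Apr 2014 00:00:00 GMT; Path=/",
    "lang=en; Max-Age=3600",
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        name, lifetime, findings = audit_cookie(header, NOW)
        print(name, lifetime, findings or "ok")
```

Run it against the Set-Cookie headers your own site returns (browser developer tools show them) to see which cookies would survive a closed browser or travel over plain HTTP.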

Tuesday, April 10, 2012

Look for the S in The HTTP

We are all familiar with the term HTTP, Hypertext Transfer Protocol. It is an application protocol that functions as a request/response protocol in the client/server computing model. Basically, most of what you see in your browser is transferred to your computer over HTTP. Our topic is not HTTP and its functions, but HTTP and security.

Some of us are familiar with HTTPS, Hypertext Transfer Protocol Secure. As you can see, the letter 'S' stands for secure. The 'S' comes from the SSL/TLS protocol, which provides communication security over the Internet. Combining HTTP with SSL/TLS produces HTTPS. The main objective of HTTPS is to provide a secure connection over an insecure network. Not all pages use HTTPS, since it is very expensive. Pages that handle personal data such as passwords and credit card numbers use HTTPS.

A page whose URL begins with "https://" is secured: the connection between you and the server is encrypted and the server's identity is verified. Payment transactions on the Internet often use HTTPS in order to prevent interception by third parties.
You can now easily differentiate between HTTP and HTTPS. HTTP starts with "http://": it is an unsecured connection that is subject to third-party interception, which can allow attackers to gain access to sensitive information. On the other hand, HTTPS starts with "https://": it is a secured connection that is designed to resist attacks, interception and eavesdropping.

To conclude, always look for the 'S' in HTTP when providing confidential data; it tells you that the page is secure and that nothing is suspicious about it. In my next post I will address HTTPS in more detail.
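The advice to look for the 'S' and to verify that the URL is the right one can be turned into a check on the parsed URL rather than on the raw string. The following is an added example (not code from the original post): it uses Python's urllib to confirm that the scheme is https and that the host is the expected site or one of its sub-domains, so an "https" that merely appears in the path, or a look-alike host name, does not pass. The names bank.example and lookalike.example are constructed placeholders.

```python
from urllib.parse import urlsplit


def check_payment_url(url, expected_host):
    """Return (ok, reason). ok is True only if the scheme is https AND the
    host is expected_host or a sub-domain of it. Both checks use the parsed
    components of the URL, never substring matches on the whole string."""
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    expected_host = expected_host.lower()
    if scheme != "https":
        return False, "scheme is '%s', not https: the connection is not encrypted" % (scheme or "none")
    if host != expected_host and not host.endswith("." + expected_host):
        return False, "host is '%s', not %s" % (host, expected_host)
    return True, "https connection to %s" % host


# Constructed examples; bank.example stands in for the site you intend to pay on.
EXAMPLES = [
    "https://www.bank.example/payment",                    # ok
    "http://www.bank.example/payment",                     # no 'S'
    "http://www.bank.example/https/payment",               # 'https' only in the path
    "https://www.bank.example.lookalike.example/payment",  # look-alike host
    "https://lookalike.example/#www.bank.example",         # real host hidden in the fragment
]

if __name__ == "__main__":
    for url in EXAMPLES:
        print(url, "->", check_payment_url(url, "bank.example"))
```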

Wednesday, April 4, 2012

A Disaster In The Making

While I was having some paperwork done at a public institution, whose name I would rather not disclose, I came across an unpleasant scene. Being provoked by these things, I picked up my cellular phone and took this picture.

In this picture I can spot: a fire alarm system, an intrusion detection system panel, a DVR system (digital video recorder for the surveillance cameras), a network switch, exposed cables, and multiple electricity adapters and contactors.

I guess this image is what we information security people classify as a disaster in the making.
It is just a matter of time before, intentionally or unintentionally, these systems fail: the exposed wiring poses a risk of fire or even electrocution.

Information security doesn't only address the protection of servers, passwords, firewalls and antivirus software; it is also concerned with physical security and people's safety. After all, restoring lost data is often possible, but restoring people is impossible.

Sunday, April 1, 2012

Protecting your USB flash drive

A flash drive is a typical USB mass storage device, commonly known simply as "the USB". It is a mobile device that stores our day-to-day data. As everyday mobile device users, we should understand the importance of password-protecting a USB drive. USB drives are vulnerable: because of their small size they are easily lost or stolen, and they can simply become corrupted.

Imagine you have some important data on the USB stick, not music or videos: people often put things like a business presentation, coursework or a contract draft on the USB. To avoid data theft from the USB, we need to protect it with USB encryption software, in other words, a PASSWORD. One common USB encryption program is Wondershare USB Drive Encryption. This software can provide your USB stick with password protection. In addition, it provides a read-only option (which allows you to read data from the USB but not to alter it) to protect the encrypted data on the USB flash drive.

Here are some tips that will help you improve your protection:
  • Keep personal and business USB flash drives separate.
  • Use anti-virus software, a firewall and anti-spyware software to make your computer less vulnerable to attacks. As you know, USB flash drives can easily be infected with a virus that might corrupt the data on the USB. Also, make sure to keep the virus definitions up to date.
  • Do not attach your USB flash drive to an infected or public computer, since a virus will be transferred to the USB in no time, infecting all the data on it. Depending on the nature of the virus, this data may not be recoverable.
  • It is good practice to back up your data daily; if not daily, then weekly is enough. This will help you recover your data, since you have a copy in case your USB flash drive is corrupted or lost.
  • Always make sure you unplug your USB flash drive wherever you are. People are likely to forget to unplug it.
  • Do not put your USB anywhere you might forget it later. Keep it with your keys or in a safe drawer.