Aug 8, 2007

VeriSign laptop theft

A laptop containing the personal information of VeriSign’s current and former employees was stolen from an employee’s car last month, the company confirmed Tuesday.

In an e-mailed statement, VeriSign, a digital infrastructure vendor that manages Internet domain names such as .com and provides security services, said it was taking the recent laptop theft “very seriously” and that the company initiated an investigation as soon as the theft was discovered.

At InfoWorld

Jun 18, 2007

Trusted Phishing

I have seen many sites using a logo provided by the security certificate vendor, be it VeriSign, Thawte or any other for that matter. Most people trust this logo, as they can check the validity of the site in real time. Now comes the real question: are you really getting the authenticity of the website? It is true sometimes, but not always. In the recent past I have seen many websites with the security logo which enables users to verify the authenticity of the website.

The phishers/attackers take advantage of HTML coding. They simply embed the same seal-verification URL, so clicking the logo produces the same result it would on the genuine website. Let’s check the scenario with eBay.

The login page of eBay has the VeriSign Secured logo. Verify the site by clicking the logo; it will take you to

https://seal.verisign.com/splash?form_file=fdf/splash.fdf&lang=en&dn=sig…

Now let’s see this URL.

Where did you reach? Does this give any added assurance to the user? No!!! This can be imitated even by the attackers, and eventually it makes the fake site look more authentic.

Please take these logos as reminders and not as a security assurance. If you have followed an external link to reach a website whose security you want to trust, re-enter the URL by hand in a new browser window to be on the safer side.

Jun 17, 2007

Phishing – attacks and countermeasures

What is Phishing?

Phishing is the art of stealing the identity of an individual: the attacker obtains confidential information by deception. Surveys and studies reveal that the direct financial loss due to phishing attacks amounted to 1.2 billion in 2003 and is increasing day by day. The indirect loss is many times higher than the direct loss.

The most popular phishing attack strategy is to trick users into giving out information by sending fraudulent messages. You might have seen messages like “ABC bank requires you to verify your account information; please follow the URL below and enter your login credentials to verify your account”.

Other methods include malware attacks, where malicious code is used to obtain the confidential information, and DNS redirection, where DNS entries are altered to redirect users to the fraudulent server.

Phishing attack flow

Most phishing attacks follow this workflow:

  1. Attack planning
  2. Setting up the phish page/server
  3. Sending the malicious code/email/message
  4. End user action (executing the code, clicking the links, etc.)
  5. Prompting for confidential information
  6. User enters the confidential information
  7. The phishing server sends the confidential information to the phisher
  8. Use of the confidential information to impersonate the user
  9. Making use of the compromised information and performing fraudulent transactions.

Countermeasures

The phishing problem cannot be handled solely by end users, financial institutions or regulations. A combined effort is important to mitigate the threat of phishing. The solution lies in taking countermeasures at all levels: technical solutions, user awareness and regulations.

To effectively counter a phishing attack, the early detection of such activity is important.

99.99% of phishing attacks have an associated phishing page, which captures the information from the end user. Hosting this page is the first step of the phishing. Many attackers use the images and buttons from the real website, either by saving the web page as-is (so the copy still loads images from the real site) or by redirecting the victim to the genuine site after the confidential data has been submitted. In both cases, the genuine site’s web server logs record the Referer header, which points back at the phishing page. Regularly reviewing the web server logs therefore helps detect a phishing attack in its planning stage.
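The log review described above, as an added example that is not part of the original post: it parses Apache/nginx “combined” format lines, ignores empty Referers, and counts requests whose Referer host is not one of our own. The host allowlist and the sample log lines are constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Apache/nginx "combined" log format; the two trailing quoted fields are Referer and User-Agent.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"'
)

# Hostnames that may legitimately appear as Referer for our site (assumed for this example).
OWN_HOSTS = {"www.bank.example", "bank.example"}

# Constructed sample: one hot-linked logo fetch and one post-submission redirect both
# carry a Referer from a host that is not ours; the last line is deliberately malformed.
SAMPLE_LOG = """\
203.0.113.5 - - [18/Jun/2007:10:01:22 +0000] "GET /images/logo.gif HTTP/1.1" 200 4521 "http://www.bank.example/login" "Mozilla/4.0"
198.51.100.7 - - [18/Jun/2007:10:02:03 +0000] "GET /images/logo.gif HTTP/1.1" 200 4521 "http://bank-example-verify.test/login.htm" "Mozilla/4.0"
198.51.100.9 - - [18/Jun/2007:10:02:40 +0000] "GET /login HTTP/1.1" 200 8120 "http://bank-example-verify.test/login.htm" "Mozilla/4.0"
192.0.2.44 - - [18/Jun/2007:10:03:11 +0000] "GET /login HTTP/1.1" 200 8120 "-" "Mozilla/4.0"
this line is not a log entry
"""

def foreign_referers(log_lines, own_hosts=OWN_HOSTS):
    """Count requests whose Referer host is not one of our own hosts.

    Returns a Counter keyed by referer host; each key is a candidate phishing
    page that either hot-links our images or redirects victims to us after
    they submit their credentials.
    """
    hits = Counter()
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole review
        ref = m.group("referer")
        if ref in ("", "-"):
            continue  # direct visits and referer-stripping clients carry no signal
        host = urlsplit(ref).hostname
        if host and host.lower() not in own_hosts:
            hits[host.lower()] += 1
    return hits

if __name__ == "__main__":
    for host, count in foreign_referers(SAMPLE_LOG.splitlines()).most_common():
        print(f"{count:5d}  {host}")
```

Run it against the real access log instead of SAMPLE_LOG and review the hosts it lists; a new host fetching your logo images is worth a look before the bait mails go out.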

Once the server is set up, the attacker starts sending the “bait” emails with the URLs embedded in the message. These emails come either from a valid email address or from an invalid one. As the attacker sends thousands of emails, there is a high chance of finding bounced messages in the inbox of the valid mailbox. Monitoring the customer-facing mailboxes for bounced messages can reveal that a phishing attack is in progress and may also yield the details of the phishing site.

Another way to detect phishing is to ask users to report it. Ideally, your website should have an option for reporting the phishing incidents they receive.

Once you have identified the phishing attack and the details related to it, the next step is to take the phishing site down. To achieve this, the phishing site needs to be reported to the authorities. The list includes ISPs, the related NIC, the hosting provider, etc.

Security Measures for End Users

  • Do not click on any link received through mail; always type the URL or use your bookmarks
  • Do not send sensitive information like passwords or banking PINs through email to anyone
  • Contact the bank/organization in case of any suspicious transaction
  • Always use complex alphanumeric passwords containing at least 8 characters. Refer to the posts related to passwords on this site.
  • Change passwords at least once in 2 months and avoid using the same password for multiple Websites
  • Update the system with security patches and anti-virus signatures
  • Set Internet browser security settings to “high”
  • Avoid visiting links containing “@” sign in the URL
  • Always make sure that financial or commerce Websites contain “HTTPS” before the URL and the “Padlock” at the status bar
  • Log out properly from all open accounts, such as email and online banking etc.
  • Close the browser after completing any transaction
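The “@” and “HTTPS” checks from the list above, worked as an added example that is not part of the original post: a browser treats everything before “@” in the authority as userinfo, so the host a victim reads is not the host the request goes to. The expected_host argument (the name you would have typed or bookmarked) and the sample URLs are assumptions for the example.

```python
from urllib.parse import urlsplit

def check_link(url, expected_host):
    """Apply the "@" and HTTPS checks from the list above to a link before following it.

    expected_host is the hostname you would have typed or bookmarked yourself
    (an assumption for this example). Returns a list of warnings; an empty list
    means the link passed every check.
    """
    warnings = []
    parts = urlsplit(url)
    # Anything before "@" in the authority is userinfo, not the host: browsers send
    # https://www.bank.example@203.0.113.9/ to 203.0.113.9, not to www.bank.example.
    if "@" in parts.netloc:
        shown, _, _ = parts.netloc.partition("@")
        warnings.append(f"'@' in URL: displayed part {shown!r} is not the host, {parts.hostname!r} is")
    # "HTTPS before the URL": anything else means the login form is not protected by TLS.
    if parts.scheme.lower() != "https":
        warnings.append(f"scheme is {parts.scheme!r}, not https")
    real_host = (parts.hostname or "").lower()
    if real_host != expected_host.lower():
        warnings.append(f"host {real_host!r} is not the expected {expected_host!r}")
    return warnings

if __name__ == "__main__":
    for link in ("https://www.bank.example/login",
                 "http://www.bank.example@203.0.113.9/login"):
        print(link, "->", check_link(link, "www.bank.example") or "ok")
```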

The above details give a snapshot of how phishing works and how to prevent it. References: this document has excerpts/ideas from articles posted on the SANS and Antiphishing websites.

Mar 28, 2007

RBI seeks data from banks on frauds

The Reserve Bank of India (RBI) has instructed banks to furnish data on frauds, thefts and burglaries on a quarterly basis to the regional offices of the Urban Banks Department.

Cases of online fraud and identity theft (also known broadly as phishing) come under the purview of this notification. The premier bank’s recent directive is a follow-up to its master circular on “Frauds - Classification and Reporting” for Primary (Urban) Co-operative Banks, issued in 2003.

There are more than seven million phishing attempts every day, according to security company Symantec, of which 84 per cent are targeted at banks and financial institutions.

In recent years, HDFC Bank, ICICI, SBI and more recently UTI Bank have been the target of phishing attacks. Phishing is a form of online identity theft where consumers’ personal identity data and financial account credentials are stolen by third parties.

Phishing involves sending “spoofed” e-mails that direct consumers to websites designed to trick them into entering sensitive information such as usernames and passwords.

According to cyber law expert Pavan Duggal, many of these cases are not reported as financial institutions fear loss of credibility among customers.

The low rate of cyber crime convictions in India has been a further deterrent to reporting of cases. According to Duggal, there have been only two convictions in India so far — one of identity theft (credit card details) by a BPO employee and the other pertaining to an obscenity case in Tamil Nadu.

Following the RBI notification, banks are now scrambling to beef up existing security measures. Sources at HDFC Bank confirmed that several measures were being taken to tighten security and adopt internationally accepted best practices.

Mar 24, 2007

Preventing Theft In The Corporate World

Anyone who steals the identity of a user becomes that user and has access to their most sensitive systems and data. If just one user’s identity is compromised, corporate systems are vulnerable. This is the threat posed by corporate identity theft.

Identity theft takes many forms – exploiting weak passwords, keystroke capture, phishing, Trojan software, social engineering, password sharing and so on. Not every attacker is sitting at home with their computer, trying to break in to the corporate web site. Sometimes all they have to do is call up and ask! As Dorothy Denning, author of Information Warfare and Security said, “Any medium that provides one-to-one communications between people can be exploited, including face-to-face, telephone and electronic mail. All it takes is to be a good liar.”

Organisations make very dangerous assumptions about the security of data on their networks. No-one considers, or more importantly tests, who might be able to view or steal mergers and acquisitions data, business plans, payroll information or BACS payments. On a typical corporate Windows network, anyone with an administrator account can see or copy anything. Putting information on a network server is not the same as locking it in your desk drawer.

Feb 11, 2007

Ask the right question to secure your critical data

Information is vital for any organization in this world. Information is not only power, but also money. In today’s world, stolen data is not only an annoyance, but also a powerful weapon that can be used by the competition or by any malicious user. Information leakage can damage your organization in many ways, such as financial loss, damage to your brand image or loss of customer confidence.

So how do you know your data is sufficiently protected? Start by asking the right questions. The right questions are those that help you assess what you have. Once you have a clear understanding of what you have, it is easy to start working on how to protect it. So here is a list of questions one should ask.

  • What sensitive data do we have? Assess the data you handle, classify it, organize it and separate it from non-critical data.
  • Where is our sensitive data located? The first answer might be the production database. There are other areas as well, like tape backups, test servers and email archives. Identify them!!!
  • What are the points of access to our sensitive data? Identify the entry points to your sensitive data locations, both physical and logical.
  • How is each access point protected? Identify the protection mechanisms for the access points.
  • Who has access to what data? Many security incidents involve insiders. Access to sensitive data shall be based on a “need to know” criterion.
  • How do we track our sensitive data? Logging and auditing the access to and handling of data is crucial. Audit logs are often an effective mechanism for tracking; at the same time, audit logs are themselves sensitive data.

These questions will enable your organization to assess its data security posture. Once you identify the weaknesses, you can start developing strategies to protect your information.

Feb 3, 2007

HIPAA Security Compliance

The Health Insurance Portability and Accountability Act (HIPAA) was enacted by the U.S. Congress in 1996.

Title II of HIPAA, the Administrative Simplification provisions, requires the establishment of national standards for electronic health care transactions and national identifiers for providers, health insurance plans, and employers.

Let’s have a look at the Security Rule. The HIPAA Security Rule has 3 focus areas, just like those we discussed in the BS7799 article:

  • Administrative Safeguards
  • Physical Safeguards
  • Technical Safeguards

The act contains 42 rules which are classified into “Required” and “Addressable”: 20 rules are marked “Required” and 22 are marked “Addressable”.

The rules marked “Required” call for mandatory implementation, while the others are recommended for implementation. So if you are only looking to get through the HIPAA Security audit, implement the “Required” rules. But if you are looking to have a good Information Security Management System, it is suggested that you implement all possible rules defined in the act.