Vol 40 - (1/2016)
Understanding and Defending Against Mobile Botnets: A Case Study
Social Engineering Experiment via Social Media
“People often represent the weakest link in the security chain and are chronically responsible for the failure of security systems.”
Bruce Schneier, Secrets and Lies
e-Security | CyberSecurity Malaysia 2016 | Vol: 40 (1/2016)
CyberSecurity Malaysia, an agency under Malaysia’s Ministry of Science, Technology and Innovation, was set up to be the national cyber security specialist centre. Its role is to achieve a safe and secure cyberspace environment by reducing the vulnerability of ICT systems and networks while nurturing a culture of cyber security. Feel secure in cyberspace with CyberSecurity Malaysia.

Level 5, Sapura@Mines
No. 7 Jalan Tasik
The Mines Resort City
43300 Seri Kembangan
Selangor Darul Ehsan
Malaysia.
T: +603 8992 6888
F: +603 8992 6841
E: info@cybersecurity.my
Customer Service Hotline: 1 300 88 2999
www.cybersecurity.my

Services: Cyber999 Help Centre | My CyberSecurity Clinic | Professional Development (Training & Certification) | Product Evaluation & Certification (MyCC) | Information Security Management System Audit and Certification (CSM27001) | Malaysia Trustmark | Security Assurance | Digital Forensic & Data Recovery | Malaysia Computer Emergency Response Team (MyCERT) | Security Management & Best Practices | Cyber Security Research | CyberSAFE (Cyber Security Awareness for Everyone)
e-Security | Vol: 40-(1/2016)
© CyberSecurity Malaysia 2016 - All Rights Reserved
WELCOME MESSAGE FROM THE CEO OF CYBERSECURITY MALAYSIA

Dear Readers,

Thank you for your continuous patronage of CyberSecurity Malaysia’s e-Security Bulletin! Because of you, we feel motivated to write more interesting articles.

For this 40th edition of e-Security Bulletin, we have compiled 20 articles for you — mostly technical articles that are eagerly sought after by researchers, practitioners and observers alike. Personally, I do make sure I read them all, in order to update and enhance my understanding of the current cyber security scenario in Malaysia. If you cannot read all of the articles, I highly recommend you to at least read the ‘Social Engineering Experiment via Social Media’, as well as ‘The Case Study for Understanding and Defending Against Mobile Botnets’.

Till we meet again in the next edition of e-Security Bulletin; be smart and be safe!

Dr. Amirudin Abdul Wahab
Chief Executive Officer, CyberSecurity Malaysia
PUBLISHED AND DESIGNED BY
CyberSecurity Malaysia,
Level 5, Sapura@Mines,
No. 7 Jalan Tasik, The Mines Resort City,
43300 Seri Kembangan,
Selangor Darul Ehsan, Malaysia.
EDITORIAL BOARD
Chief Editor
Dr. Zahri bin Yunos
Editor
Lt. Col Mustaffa bin Ahmad (Retired)
Internal Reviewers
1. Mohd Shamil bin Mohd Yusoff
2. Ramona Susanty binti Ab Hamid
3. Nur Arafah binti Atan
4. Sandra binti Isnaji
Designer & Illustrator
1. Zaihasrul bin Ariffin
2. Nurul Ain binti Zakariah
READERS’ ENQUIRY
Outreach and Corporate Communications, Level 5, Sapura@Mines, No.7 Jalan Tasik, The Mines Resort City, 43300 Seri Kembangan
CONTENTS
1. Understanding and Defending Against Mobile Botnets: A Case Study (p. 1)
2. Addressing the Threat of Cyber Terrorism (p. 4)
3. WordPress vs Joomla: A Comparative Study (p. 7)
4. Steganography Series: Peak Signal-to-Noise Ratio (p. 13)
5. Rise of the DD4BC Copycats (p. 16)
6. Successful Cybersecurity Capacity Building (p. 19)
7. Getting to Know the Knowledge Management Centre of CyberSecurity Malaysia (p. 22)
8. National Cryptographic Algorithm Projects (p. 25)
9. FIPS 140-2 Evaluation Laboratory Accreditation and Its Programs (p. 30)
10. Vulnerability Assessment & Penetration Testing (VAPT): Approach and Methodology (p. 34)
11. Comparing Sampled Information Security Body of Knowledge with ISO/IEC 27001 (p. 37)
12. ICT Product Evaluated and Certified? Go for MyCC! (p. 40)
13. Securing Your Online Gaming Experience (p. 42)
14. A Picture is Worth a Thousand Words – Investigating Images (p. 45)
15. Top Five Common Penetration Tools (p. 48)
16. Social Engineering Experiment – Social Media (p. 52)
17. Securing the Cyber Space through International Collaboration of Computer Emergency Response Teams (p. 56)
18. Drafting Security Target 101 (p. 59)
19. Impersonation and Spoofing Fraud Q4 2015 (p. 62)
20. Keselamatan Siber Anak-Anak: Akujanji Ibu Bapa Siber (Children’s Cyber Security: A Cyber Parents’ Pledge) (p. 65)
Understanding and Defending Against Mobile Botnets: A Case Study
By | Sharifah Roziah Mohd Kassim
Introduction

It is no exaggeration to say that mobile devices have become part of daily life, and their use has grown tremendously over the past years. They are now handy devices for multiple uses, such as communication, sending SMS messages, socialising, chatting, reading emails, online banking and catching up on the early morning news. Mobile devices actually offer a better attack avenue than non-mobile devices because users almost always carry them around, giving an attacker a greater chance of stealing confidential information, credentials or even pictures. For non-mobile devices, the probability of attack is lower because it depends on the device’s uptime and on the user being at the device.

Overview of Mobile Botnets

So what is a mobile botnet? It is just like a computer botnet: a piece of malicious code that targets and infects mobile devices such as smartphones in order to gain complete ownership of them. Infection can happen by various means and regardless of the smartphone platform. Once infected, the device establishes communication with a Command & Control (C&C) server that is controlled remotely by an attacker known as a botmaster. The C&C servers are normally geographically dispersed around the world to prolong the botnet’s operation and to evade tracing by law enforcement agencies.

Just like computer botnets, mobile botnets take advantage of vulnerable mobile devices to compromise them and gain full control, enabling the botnet to make phone calls, send SMS messages, and access confidential data, contacts and pictures stored on the mobile device. To spread further and maximise its impact, the botnet propagates by sending a copy of itself to other vulnerable devices through SMS messages and emails.

Examples

Mobile botnet infections can be traced back to as early as 2011. Two such examples are the DroidDream and Gemini botnets, trojan game apps with bot-like capabilities that compromise Android devices. These were followed in November 2014 by the discovery of the NotCompatible.C malware, considered the most advanced mobile botnet targeting Android-based devices including smartphones. Botnets are capable of gaining unauthorised access to secure enterprise networks.

In late 2014, the WireLurker malware was discovered, which targeted Apple iPhones and iPads. It infects Apple devices through the installation of pirated versions of popular Mac applications, and has the capability to download and install enterprise-signed apps onto vulnerable devices without the user’s knowledge.

In March 2014, a variant of the Zorenium Bot was found targeting and infecting iOS devices, having previously targeted Windows and Linux. Upon infection, it can bypass anti-virus detection and allows attackers to use the mobile phones as agents to conduct DDoS attacks and other malicious activities. Other examples are CommWarrior and Sexy Space.

Methods of Infection

There are several ways in which mobile botnets can infect smartphones, and they are quite similar to the methods used to infect computers.

1. A popular and traditional method by which a botnet infects and spreads is when a user clicks on an attachment or malicious URL that carries the bot, normally bundled in emails.
2. Besides email, attachments or malicious URLs may be delivered in unsuspected SMS messages.
3. A botnet also spreads through illegitimate applications and when users unknowingly browse malicious websites.

Case Study

MyCERT received an incident report from a foreign Computer Emergency Response Team (CERT) regarding the discovery of a Command & Control (C&C) server that stored thousands of mobile
phone numbers stolen from the contact lists of infected smartphones. The bots residing on the mobile devices appeared to have established communication with the remote C&C server and delivered the stolen data, including the mobile phone numbers, to the server, where the attackers who control the C&C server could retrieve it.

In this case study, it was found that the mobile botnet spread through SMS messages and targeted Android smartphones only; other platforms were not affected. Users who clicked on a link in an SMS message they received inadvertently installed a malicious Android Package (APK) that took control of their smartphones.

We also found that the infected smartphones could be hijacked remotely and potentially used for various fraudulent activities, such as buying digital goods and services without the owners’ knowledge. The infected smartphones became launching pads to further propagate the malware to other smartphones by sending SMS messages with links to the malicious APK.

The implications of a mobile botnet infection can be huge and serious if immediate action is not taken to mitigate it. The impacts can be as follows:

a. Cybercriminals or botnet herders direct the infected smartphones to buy digital goods from micropayment providers in Malaysia.
b. The botnet sends SMS messages containing the malicious APK link to other smartphone users extracted from the infected smartphone’s address book, in order to propagate further.
c. Confidential information such as the contact numbers extracted from the infected smartphones’ address books is stolen, and the perpetrators can use it for malicious activities.
d. The botnet establishes a connection and makes call-backs to a Command & Control (C&C) server controlled by the attackers.

Below is a diagram illustrating how a mobile botnet works.

Diagram 1: How a Mobile Botnet Works
Defend Your Mobile Devices

As best practices to safeguard smartphones, users are advised to:

a. Set a password for your smartphone. All major smartphone operating systems allow you to set a password and automatically lock the phone after a period of inactivity.
b. Verify an app’s permissions and its author or publisher before installing it.
c. Do not click on adware or suspicious URLs sent through SMS/messaging services. Malicious programs could be attached to collect users’ information.
d. Always run a reputable anti-virus on your smartphone/mobile device, and keep it up to date.
e. Switch off Bluetooth when it is not in use. This way, your phone will be less exposed to attacks.
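Point (b), verifying an app’s permissions, can be partly automated before an APK is installed. The script below is an added example, not part of the original article or of any MyCERT tooling: it parses an AndroidManifest.xml (a constructed sample is embedded) and flags the permission combinations that the malicious APK in the case study relied on, namely reading contacts, sending SMS, network access for C&C call-backs and surviving a reboot. The rule set is a heuristic assumed for illustration, not a detection signature.

```python
"""Permission triage for an Android APK manifest, matched against the bot
capabilities described in the case study: harvesting contacts, sending SMS
(propagation and premium purchases), calling back to a C&C server and
surviving a reboot.  Added example; the rule set is an assumed heuristic
and both manifests below are constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."

# (finding, permissions that must all be declared for the finding to fire)
RULES = [
    ("reads the address book", {P + "READ_CONTACTS"}),
    ("sends SMS (propagation, premium-rate purchases)", {P + "SEND_SMS"}),
    ("can spread itself to every contact by SMS",
     {P + "READ_CONTACTS", P + "SEND_SMS"}),
    ("has network access needed for C&C call-backs", {P + "INTERNET"}),
    ("can read incoming SMS, e.g. purchase confirmations", {P + "RECEIVE_SMS"}),
    ("restarts itself after reboot (persistence)", {P + "RECEIVE_BOOT_COMPLETED"}),
]


def declared_permissions(manifest_xml: str) -> set:
    """Collect every <uses-permission android:name="..."/> in the manifest."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")
            if el.get(ANDROID_NS + "name")}


def assess(manifest_xml: str) -> list:
    """Return the findings whose permission set is fully declared."""
    perms = declared_permissions(manifest_xml)
    return [finding for finding, needed in RULES if needed <= perms]


def is_sms_worm_candidate(manifest_xml: str) -> bool:
    """The case study's propagation pattern: contacts in, SMS out."""
    return {P + "READ_CONTACTS", P + "SEND_SMS"} <= declared_permissions(manifest_xml)


# Constructed manifest of a "free game" asking for far more than a game needs.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.freegame">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Free Game"/>
</manifest>"""

# Constructed manifest of an app that only needs the network.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.weather">
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

if __name__ == "__main__":
    for finding in assess(SAMPLE_MANIFEST):
        print("WARNING:", finding)
```

The same checks apply to a real manifest pulled out of an APK with `aapt dump` or `apktool`; a game that trips the SMS-worm rule deserves a second look at its publisher before installation.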
Conclusion

Mobile devices, particularly smartphones, have become essential in our everyday life, and the majority of us own at least one smartphone. However, it is the responsibility of each smartphone owner to ensure full protection is enabled on the device to prevent exploitation and botnet infection. Smartphones are now gaining popularity among attackers as easy prey. As such, safeguarding devices must be given the utmost priority to prevent unwanted incidents.
Addressing the Threat of Cyber Terrorism
By | Mohd Shamil bin Mohd Yusoff & Norhafizah Hashim
What is Cyber Terrorism?

Cyber terrorism is the convergence of cyberspace and terrorism. It refers to unlawful attacks and threats of attacks against computers, networks and the information stored therein, carried out to intimidate or coerce a government or its people in furtherance of political or social objectives [1] [2]. Furthermore, to qualify as cyber terrorism, an attack should result in violence against persons or property, or at least cause enough harm to generate fear. Attacks that lead to death or bodily injury, explosions, or severe economic losses are examples. Serious attacks against critical infrastructures may be acts of cyber terrorism, depending on their impact. Attacks that disrupt non-essential services or that are mainly a costly nuisance would not be considered cyber terrorism.

Cyber Terrorism Attacks in Malaysia

Cyberspace is a virtual place that has become as important as physical space for social, economic and political activities. Many countries around the world are increasingly dependent on cyberspace through their use of Information and Communication Technology (ICT) [3] [4]. This dependency puts these countries in an insecure position because cyberspace is borderless and vulnerable to cyberattacks. Individuals have the ability and capability to cause damage to a nation through cyberspace. Cyberattacks are also attractive because they are cheap relative to the cost of developing, maintaining and using advanced and sophisticated tools. Many have declared cyberspace the fifth domain alongside land, air, sea and space, and it is crucial to battlefield success.

In general, cyber terrorism can be broken down into at least five elements [5] [6]:

i. Politically-motivated cyberattacks that lead to death or bodily injury;
ii. Cyberattacks that cause fear and/or physical harm through cyberattack techniques;
iii. Serious attacks against critical information infrastructures, such as finance, energy, transportation and government operations;
iv. Attacks that disrupt non-essential services are not considered cyber terrorism;
v. Attacks that are not primarily focused on monetary gain.

Malaysia has not experienced any serious cyberattacks, but several cyberattacks have affected the country, including an attack in 2011 by a group calling themselves “Anonymous” [7].

Preventive Measures Taken by the Government

In Malaysia, the Government has taken initiatives to mitigate and combat cyberattacks. One of these is the development of the National Cyber Security Policy (NCSP), which was endorsed by the Government in May 2006 [8] [9]. The NCSP consists of eight (8) policy thrusts: Effective Governance; Legislative and Regulatory Framework; Cyber Security Technology Framework; Culture of Security and Capacity Building; Research and Development towards Self Reliance; Compliance and Enforcement; Cyber Security Emergency Readiness; and International Cooperation.

The NCSP was formulated to address threats and risks to the Critical National Information Infrastructure (CNII) and to develop action plans to mitigate such risks. CNII consists of assets (real and virtual), systems and functions that are vital to the nation, and whose exploitation, damage or destruction would have a devastating impact on national economic strength, image, defence and security, the government’s capability to function efficiently, and public health and safety. The NCSP focuses particularly on protecting CNII against cyber threats [10] [11].

Alongside clear and effective governance, the NCSP provides mechanisms for improving trust and cooperation between the public and private sectors. It also focuses on enhancing skills and capacity building as well as advancing research and development initiatives towards self-reliance. It maps out emergency readiness initiatives and dictates a programme of compliance and assurance across the entire
CNII. The NCSP also reaches out to Malaysia’s international partners and allies. The policy describes ways in which Malaysia can share knowledge with the region and the world on cyber security-related matters. Malaysia developed the NCSP as a proactive step in protecting critical sectors against cyber threats.

Other actions taken against cyberattacks are:

i. A layered approach to defence mechanisms
Combining email filtering, anti-virus software, pro-active malware protection and security policies, and keeping protection software, operating systems and applications up to date, can help tackle security-related concerns such as spam and malware attacks.

ii. Awareness
Internet users and organizations should constantly be offered cyber security awareness of current security threats and of how to protect against them through best practices and by safeguarding their systems and networks from attacks.

How serious is Cyber Terrorism?

Cyber terrorism is real and extant. It is considered an attractive option for modern terrorists, who value its anonymity, its potential to inflict massive damage, its psychological impact, and its media appeal. It includes warfare attacks against a nation state and forcing ICT infrastructure (including the critical national infrastructure) and assets to fail or be destroyed. Not only are cyber criminals not slowing down, but they keep upgrading and innovating ways of hacking into systems, stealing identities and data, hijacking computers and much more.

Ways forward to mitigate cyberattacks and terrorism include:

i. Strengthening domestic cyber security through inter-agency cooperation and Public-Private Partnership;
ii. Global collaboration and strategic alliances to strengthen regional cyber security in addressing cross-border cyberattacks and cybercrimes;
iii. Adopting more innovative, aggressive and proactive approaches in order to stay ahead of cyber threats, with both defensive and offensive capabilities;
iv. Enhancing the People-Process-Technology triad.

The Roles of CyberSecurity Malaysia in Combating Cyber Terrorism

CyberSecurity Malaysia is structured to be able to mitigate cyberattacks and cyber threats. One of the major characteristics of such threats is their cross-border nature: Internet crimes do not conform to a nation’s physical boundaries. On account of this, CyberSecurity Malaysia rigorously pursues international relations by establishing collaborative efforts with foreign government agencies and international organizations through bilateral and multilateral engagements. CyberSecurity Malaysia is also heavily involved in the establishment of multilateral cyber security engagement platforms, such as the Asia Pacific CERT (APCERT) and the Organization of Islamic Cooperation-CERT (OIC-CERT). These platforms bring similar organizations together in mitigating international cyber threats.

In addition, other departments including Digital Forensics, the Malaysia Computer Emergency Response Team (MyCERT) and Security Assurance have specific arrangements with their counterparts overseas. Since 2001, CyberSecurity Malaysia has actively participated in various cyber security events locally, regionally and internationally. These conferences, seminars and workshops have been of great benefit not only to the target audiences who attended them but also to the country.

CyberSecurity Malaysia also organises its own yearly event in Kuala Lumpur, known as Cyber Security Malaysia – Awards, Conference and Exhibition (CSM-ACE). CSM-ACE stands out as the biggest and most talked-about public-private-community partnership event in Malaysia. We provide assistance in terms of detection, containment, analysis, eradication and recovery of incidents during a national cyber crisis. We also produce Security Advisories/Alerts during national cyber crises.

An awareness programme known as CyberSAFE (Cyber Security Awareness for Everyone) is CyberSecurity Malaysia’s initiative to educate and enhance the general public’s awareness of the technological and social issues facing Internet
users, particularly the dangers of being online. CyberSAFE in Schools is a programme in cooperation with Malaysia’s Ministry of Education (MOE) aimed at reaching out to the young generation in schools, who comprise the major portion of Internet users in the country and are the most vulnerable group.

References:

[1] R. Ahmad and Z. Yunos, “A Dynamic Cyber Terrorism Framework,” Int. J. Comput. Sci. Inf. Secur., vol. 10, no. 2, pp. 149–158, 2012.
[2] Z. Yunos, “Putting Cyber Terrorism into Context,” The STAR In-Tech, p. IT11, 2009.
[3] Z. Yunos and R. Ahmad, “The Application of Qualitative Method in Developing a Cyber Terrorism Framework,” in Proceedings of the 2014 International Conference on Economics, Management and Development (EMD 2014), 2014, pp. 133–137.
[4] R. Ahmad, Z. Yunos, and S. Sahib, “Understanding Cyber Terrorism: The Grounded Theory Method Applied,” in IEEE International Conference on Cyber Security, Cyber Warfare and Digital Forensic, Malaysia, 26-28 June, 2012, pp. 334–339.
[5] Z. Yunos, R. Ahmad, and N. A. A. Abd Aziz, “Definition and Framework of Cyber Terrorism,” Proceeding Southeast Asia Reg. Cent. Count. Terror. Sel. Artic., vol. 1/2013, pp. 67–79, 2013.
[6] R. Ahmad, Z. Yunos, S. Sahib, and M. Yusoff, “Perception on Cyber Terrorism: A Focus Group Discussion Approach,” J. Inf. Secur., vol. 03, no. 03, pp. 231–237, 2012.
[7] Z. Yunos, “The New Frontier for Terrorists,” The STAR In-Tech Malaysia, 2008.
[8] Z. Yunos, “Illicit Activities and Terrorism in Cyberspace,” in Proceeding of CENS-GFF CyberSecurity Forum – The Geostrategic Implications of Cyberspace, 2011, pp. 12–13.
[9] Z. Yunos, R. Ahmad, S. M. Ali, and S. Shamsuddin, “Illicit Activities and Terrorism in Cyberspace: An Exploratory Study in the Southeast Asian Region,” in Pacific Asia Workshop on Intelligence and Security Informatics (PAISI 2012), Malaysia, 29 May, Springer Lecture Notes in Computer Science, Volume 7299/2012, 2012, pp. 27–35.
[10] Z. Yunos and S. H. Suid, “Protection of Critical National Information Infrastructure (CNII) Against Cyber Terrorism: Development of Strategy and Policy Framework,” in IEEE International Intelligence and Security Informatics (ISI) Conference, Vancouver, Canada, 23-26 May, 2010, p. 169.
[11] Z. Yunos, S. H. Suid, R. Ahmad, and Z. Ismail, “Safeguarding Malaysia’s Critical National Information Infrastructure (CNII) Against Cyber Terrorism: Towards Development of a Policy Framework,” in IEEE Sixth International Conference on Information Assurance & Security, Atlanta, GA, 23-25 Aug, 2010, pp. 21–27.
WordPress vs Joomla: A Comparative Study
By | Nur Fazila Selamat, Mohd Nor Akashah Mohd Kamal, Mohd Masri Abd Kamad
Abstract - At present, content management systems (CMS) are a well-known technology in the Web development industry, especially among website developers. A CMS can ease the development process and offers several useful features and benefits. WordPress, Drupal, Joomla, Blogspot and Moodle are several types of CMS applications. This article addresses only two open-source content management systems, WordPress and Joomla. It provides an overview of these systems with their features and key vulnerabilities, together with how to prevent them, and presents a comparative study of the two.

Keywords: Content management system, Joomla, WordPress, CMS

Introduction

In the current Information Technology era, there is a great desire to automate and simplify processes. A content management system (CMS) serves as a tool to manage website content and information repositories. A CMS is a software bundle that facilitates building a website that can be updated quickly and easily by non-technical staff members [1]. Such open source software is created and subsidised by a group or community of developers and can be downloaded at no cost. A CMS is used to support creating, updating, publishing, translating, distributing, archiving and retiring digital information. It also includes standard features such as tracking changes made to digital information [2]. Figure 1 presents statistics on websites that use CMS technologies. According to the statistics, WordPress (39%) has the highest usage of open source CMS, followed by Drupal (9%), Google Search Appliance (3%) and Adobe CQ (3%).

Fig. 1: Statistics for websites using CMS technology [3]

What is CMS?

A CMS is defined as an application (most likely web-based) that provides capabilities for multiple users with different permission levels to manage (all or a section of) the content, data or information of a website project or internet/intranet application [5]. Managing content refers to creating, editing, archiving, publishing, collaborating on, reporting, and distributing website content, data and information [5].

Fig. 2: Background of CMS [4]

Features of Content Management Systems

There are three types of features available in a CMS: core features, design features and extra features. Details of each type are given below.
Core Features:
• Integrated and online help
• Modular and extensible
• Easy user and group management
• Group-based permission system
• Full template support for unlimited looks without changing a line of content
• Easy install and upgrade procedures
• Administration panel with multiple language support
• Hierarchy content with unlimited depth and size
• Integrated file manager
• Integrated audit log
• Small footprint

Design Features:
• XHTML and CSS compliant
• Auto-generated menu
• Every page can have different themes
• Design protected from content editors
• Multiple content areas on one page

Extra Features:
• Search
• Polls
• News
• Blogs
• Newsletters
• CGCalendar
• File Uploading
• Glossary
• Forms
• User Management
• Guestbooks
• Google Sitemap

Table 1: Features of Content Management Systems [2]

Key Vulnerabilities of CMS

Web security is becoming more important as more enterprises outsource their business applications to software-as-a-service models [15]. As a web application, a CMS is an attractive target for attackers and a major source of security vulnerabilities [15]. Threats affect one or more security aspects. Some of the web application threats include the following.

• Data manipulation
This type of attack entails changing data, which violates data integrity. Common attack techniques include parameter manipulation and SQL injection [16].

• Accessing confidential data
Attackers access off-the-record data using techniques such as Structured Query Language (SQL) injection and cross-site scripting (XSS).

• Code execution
Attackers can exploit CMS vulnerabilities to load files or programs containing harmful code onto a web server [16]. An attack of this kind in 2015 affected most Joomla versions up to 3.4.5 [17].

How to Prevent CMS Vulnerabilities?

Several processes need to be implemented on any CMS platform to prevent vulnerabilities, such as [9]:
• Ensure the CMS is running the latest version.
• Ensure the CMS systems are updated regularly.
• Use trusted sources for themes and plug-ins.
• Change the default settings and the “ADMIN” account name.
• Reduce credentials.
• Always use strong passwords.
• Protect the .htaccess file.
• Ensure the CMS installation is backed up regularly.
• Have a disaster recovery plan.

WordPress

1. What is WordPress?

WordPress was released in 2003 by Matt Mullenweg [10]. WordPress is the world’s most popular content management system [3]. It started out as a platform exclusively for blogging but has grown and advanced significantly over the years. Today, over 40% of sites using a CMS are using WordPress [3]. In addition, over 60 million websites are using WordPress, showing just how popular it is [12].

Figure 3 below illustrates a sample website that uses WordPress, while Figure 4 shows the back-end structure of WordPress used to administer the site.
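The three threat classes listed under Key Vulnerabilities (parameter manipulation/SQL injection, XSS, and code execution through uploaded files), each shown as a vulnerable handler beside its hardened form. This is an added example, not code from the article or from WordPress or Joomla, and it is written in Python rather than the PHP a real CMS handler would use; the posts table, the handlers and the sample inputs are constructed for illustration.

```python
"""Vulnerable and hardened request handlers for the three CMS threat
classes in the article: data manipulation (parameter tampering / SQL
injection), confidential-data access via XSS, and code execution through
file upload.  Added example in Python; a real WordPress or Joomla handler
would be PHP.  The schema, handlers and inputs are constructed."""
import html
import os
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for a CMS database: one published post, one draft."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE posts (id INTEGER, title TEXT, published INTEGER)")
    db.executemany("INSERT INTO posts VALUES (?, ?, ?)",
                   [(1, "Hello world", 1), (2, "Draft: unreleased", 0)])
    return db


# 1. Data manipulation: the ?id= request parameter becomes part of the SQL.
def get_post_vulnerable(db, post_id: str) -> list:
    """Concatenates the parameter into the query, so a tampered value such
    as '2 OR 1=1' rewrites the WHERE clause and exposes unpublished drafts."""
    sql = "SELECT title FROM posts WHERE id = " + post_id + " AND published = 1"
    return [row[0] for row in db.execute(sql)]


def get_post_hardened(db, post_id: str) -> list:
    """Validates the parameter type, then binds it as a value; the engine
    never parses user input as SQL syntax."""
    if not post_id.isdigit():
        raise ValueError("post id must be a positive integer")
    sql = "SELECT title FROM posts WHERE id = ? AND published = 1"
    return [row[0] for row in db.execute(sql, (int(post_id),))]


def hardened_rejects(db, post_id: str) -> bool:
    """True if the hardened handler refuses the input outright."""
    try:
        get_post_hardened(db, post_id)
    except ValueError:
        return True
    return False


# 2. Accessing confidential data: reflected XSS in a comment template.
def render_comment_vulnerable(comment: str) -> str:
    """Reflects the visitor's text straight into the page, so any markup
    or script inside it runs in every reader's browser."""
    return '<p class="comment">' + comment + '</p>'


def render_comment_hardened(comment: str) -> str:
    """HTML-escapes the text so the browser shows it verbatim as text."""
    return '<p class="comment">' + html.escape(comment, quote=True) + '</p>'


# 3. Code execution: server-side scripts smuggled in through the uploader.
ALLOWED_EXT = {"jpg", "jpeg", "png", "gif", "pdf"}
SCRIPT_PARTS = ("php", "phtml", "phar")   # extensions a PHP host may execute


def accept_upload_vulnerable(filename: str, client_content_type: str) -> bool:
    """Trusts the Content-Type the client sent and stores any name as-is,
    so 'shell.php' declared as image/jpeg lands in the web root."""
    return client_content_type.startswith("image/")


def accept_upload_hardened(filename: str, client_content_type: str) -> bool:
    """Ignores the client's claim: strips directories, requires the final
    extension to be on an allowlist, and rejects double extensions such as
    shell.php.jpg.  Pair this with a server rule (e.g. in the protected
    .htaccess) that disables script execution inside the uploads folder."""
    base = os.path.basename(filename.replace("\\", "/")).lower()
    parts = base.split(".")
    if len(parts) < 2 or not parts[0]:
        return False
    if parts[-1] not in ALLOWED_EXT:
        return False
    return not any(p.startswith(SCRIPT_PARTS) for p in parts[1:-1])
```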
Fig. 3: Sample website using WordPress
Fig. 4: Back-end structure of WordPress

2. Features of WordPress

WordPress provides features that ease the development and editing process. Features offered by WordPress include [8]:
i. Simplicity
ii. Flexibility
iii. Ease of publishing
iv. Publishing tools
v. User management
vi. Built-in comments
vii. Search Engine Optimization (SEO)
viii. Multilingual
ix. Easy installation and upgrades
x. Own your data
xi. Media management
xii. Easy theme system
xiii. Extended with plug-ins
xiv. Freedom
xv. Community

Joomla

1. What is Joomla?

Joomla was released in 2005, forked from Mambo [10]. Joomla is an Open Source CMS written in the PHP scripting language that uses a MySQL database for the back end [6]. Joomla is one of the best and most widely used CMS applications. It is suitable for creating corporate websites or intranets, online magazines, community-based portals and more. It has numerous built-in features as well as a large selection of extra modules and components to enhance the value of the website and enrich the visitors’ experience [4]. Many aspects, such as extensibility and ease of use, have made Joomla one of the most popular content management systems. Best of all, Joomla is open source software that is freely available to all.

Figures 5 and 6 show a sample Joomla page in front-end and back-end views respectively.

Fig. 5: Front-end of Joomla
Fig. 6: Back-end structure of Joomla

2. Core Features of Joomla

Joomla offers several core features, including the following:

Multilingual
Joomla offers more than 64 languages.

Well-Supported
Thousands of professional (developer and other user) service providers throughout the world
can help build, maintain and market a Joomla Extensions
project. There are more than 8000 extensions to
10 customize a website in Joomla.
Easy Upgrades
There is a "One Click Version Update" feature to Frontend Editing
make this process super easy for users of any Users can do content editing easy and fast by
skill level. simply clicking and editing from the frontend.
Media Manager Menu Manager
A tool for easy uploading, organizing and Allows creating as many menus and menu items
managing media files and folders. as needed as well as structuring the menu
hierarchy (and nested menu items) completely
Better Search independent of the content structure.
The search ability of Joomla facilitates better
and smarter searches for users.
WordPress vs Joomla: Comparative Analysis
i. Overview Comparison
For a quick overview, WordPress is the best pick for beginners as it works well for small to medium size websites, blogs and stores. Meanwhile, Joomla is great for e-commerce types of sites, but it requires at least some level of technical coding [10]. The table below shows a more in-depth comparison between WordPress and Joomla.

Release Year
  WordPress: 2003 by Matt Mullenweg
  Joomla: 2005, forked from Mambo
Popularity
  WordPress: > 140 million downloads
  Joomla: > 30 million downloads
Cost
  WordPress: Free
  Joomla: Free
Top Sites using the Platform
  (not included in the text of the original table)
Free Themes
  WordPress: 2,000+
  Joomla: 900+
Free Plugins
  WordPress: 27,000+
  Joomla: 7,000+
One Click Installation Availability
  WordPress: Available
  Joomla: Available
Manual Installation Time
  WordPress: 5 minutes
  Joomla: 10 minutes
"Skill" Level Needed
  WordPress: Technical experience is not necessary; it is intuitive and easy to get a simple site set up quickly. It is easy to paste text from a Microsoft Word document into a WordPress site, unlike Joomla.
  Joomla: More complex than WordPress. Relatively uncomplicated installation and setup. With a relatively small investment of effort to understand Joomla's structure and terminology, it is possible to create fairly complex sites.
Update Frequency
  WordPress: 42 days
  Joomla: 36 days
Best Used for
  WordPress: Blogs, corporate websites, small-medium size websites
  Joomla: e-commerce, social networking sites
Pros
  WordPress:
  • User friendly
  • SEO integration
  • Responsive sites
  • Great support
  Joomla:
  • Powerful
  • User friendly
  • E-commerce
  • Developer community
  • Extensions
Cons
  WordPress:
  • Security: WordPress is a target for hackers and prone to attacks. Although security has got better over the past 12 months, there are still vulnerabilities in the CMS, particularly around the third-party plugins used.
  • Updates: WordPress (WP) releases system updates that are good for WP but may not be for the user. If the user's needs are the same as those that WP tries to address, users are lucky. Otherwise, a user might get updates that harm rather than improve the website.
  • Speed: WordPress sites contain lots of generic code unnecessary for every specific website, so the webpage loading time becomes slower.
  Joomla:
  • Small Module Marketplace: Joomla has a much more limited marketplace for additional modules and add-ons. If you are looking for additional modules to customize a site, they can be harder to find and maintain through Joomla.
  • Plugin Compatibility: There may occur some frustrating compatibility issues between some of the plugins. It may turn out that it is impossible to get certain functionalities without some serious work on the PHP code.
Table 2: Comparison Chart between WordPress and Joomla [7][8][10][13][14]
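The "Security" row above singles out third-party plugins, and unpatched installations are the recurring theme of this comparison. Knowing exactly which core and plugin versions are deployed is the precondition for patching either CMS. The Python script below is an added example, not code from this article, from WordPress or from Joomla. It reads the two places a WordPress install records versions (the $wp_version assignment in wp-includes/version.php and the "Version:" line of each plugin's header comment) and compares them with a table of latest known versions. The file contents, plugin names, version numbers and the LATEST_KNOWN table are constructed placeholders; a real deployment would read the files from the web root and feed the table from the vendor's update feed or an internal patch list.

```python
"""Version inventory of a WordPress install for patch tracking (added example).

Constructed example; not code from the bulletin, WordPress or Joomla. It reads
the two places WordPress records versions, the $wp_version assignment in
wp-includes/version.php and the "Version:" line in each plugin's header
comment, and compares them with a table of latest known versions.
"""
import re

# Constructed stand-ins for file contents; a real run would open() these from
# the web root. The version numbers are placeholders, not statements about
# any real release.
WP_VERSION_PHP = "<?php\n$wp_version = '4.4.1';\n"
PLUGIN_FILES = {
    "wp-content/plugins/contact-form-x/contact-form-x.php":
        "<?php\n/*\nPlugin Name: Contact Form X\nVersion: 1.2.0\nAuthor: example\n*/\n",
    "wp-content/plugins/seo-helper/seo-helper.php":
        "<?php\n/**\n * Plugin Name: SEO Helper\n * Version: 3.1.4\n */\n",
    "wp-content/plugins/gallery-lite/gallery-lite.php":
        "<?php\n/*\nPlugin Name: Gallery Lite\n*/\n",  # no Version: header at all
}
# Constructed reference table; in a real deployment feed it from the vendor's
# update API or an internal patch list.
LATEST_KNOWN = {"core": "4.4.2", "Contact Form X": "1.3.0", "SEO Helper": "3.1.4"}

CORE_RE = re.compile(r"\$wp_version\s*=\s*'([^']+)'")
HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version):\s*(.+?)\s*$", re.M)


def parse_version(text):
    """'4.4.2' -> (4, 4, 2): tuples compare numerically, so 4.10 > 4.9.
    Non-numeric parts (for example 'beta') count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in text.strip().split("."))


def core_version(version_php):
    """Installed core version from the contents of wp-includes/version.php."""
    m = CORE_RE.search(version_php)
    return m.group(1) if m else None


def plugin_info(plugin_php):
    """(name, version) from a plugin's header comment; either may be None."""
    fields = dict(HEADER_RE.findall(plugin_php))
    return fields.get("Plugin Name"), fields.get("Version")


def component_status(installed, latest):
    """current / outdated / unknown-version (no header) / untracked (no reference)."""
    if installed is None:
        return "unknown-version"
    if latest is None:
        return "untracked"
    return "outdated" if parse_version(installed) < parse_version(latest) else "current"


def inventory(version_php, plugin_files, latest_known):
    """One row per component: name, installed version, reference version, status."""
    core = core_version(version_php)
    rows = [{"component": "core", "installed": core,
             "latest": latest_known.get("core"),
             "status": component_status(core, latest_known.get("core"))}]
    for path in sorted(plugin_files):
        name, installed = plugin_info(plugin_files[path])
        latest = latest_known.get(name)
        rows.append({"component": name or path, "installed": installed,
                     "latest": latest, "status": component_status(installed, latest)})
    return rows


if __name__ == "__main__":
    for row in inventory(WP_VERSION_PHP, PLUGIN_FILES, LATEST_KNOWN):
        print(f"{row['status']:16} {row['component']:16} "
              f"installed={row['installed']} latest={row['latest']}")
```

A plugin without a Version header is reported as "unknown-version" rather than silently skipped, because such a plugin still runs PHP on the site and still needs an owner; "untracked" flags components that are missing from the reference table, which is the list a patch process has to keep complete.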
ii. Comparison based on Popularity by Google Trends
Referring to Figure 7, Google Trends indicates that starting in 2010, WordPress has been strongly increasing in popularity compared with Joomla [18]. The figure also shows that as of January 2016, people's interest in WordPress is higher than in Joomla, and most of the time, people prefer using WordPress instead of Joomla.
In addition, as we can see in Figures 8 and 9, there are several regions that frequently use a CMS, either WordPress or Joomla, as their platform. Figure 8 indicates that Bangladesh is the top community that most frequently uses WordPress as their CMS. Meanwhile, Figure 9 shows that Kenya is the region or community that most frequently uses Joomla as the backbone of their website or system.
Fig 7: Popularity comparison between WordPress and Joomla according to Google Trends [18]
Fig. 8: Regional interest with WordPress [18]
Fig. 9: Regional interest with Joomla [18]
Conclusion
Cybercriminals are aware that there are large numbers of unpatched installations of popular content management systems (CMS), including WordPress and Joomla. Therefore, it is crucial to have a good understanding of the risks of content management systems and of how to prevent those risks. Based on the results of a comparative study, both WordPress and Joomla have various strengths and weaknesses. WordPress is more well-known than Joomla in terms of popularity, whereby WordPress has over 140 million downloads compared to Joomla with only 30 million downloads. However, selecting a CMS all depends on the user's requirements to support their web strategy both today and in the future. Users also recommend employing Google Trends [18] to get an idea of current CMS trends.
References
[1] Ghorecha, V., & Bhatt, C. (2013). A guide for Selecting Content Management System for Web Application Development. Computer Science Management Studies, 1(3), 13–17.
[2] Soediono, B. (2015). Open source content management software, Joomla & Drupal: A comparative study. Journal of Chemical Information and Modeling, 53(2394), 160. doi:10.1017/CBO9781107415324.004
[3] CMS technologies Web Usage Statistics. (n.d.). Retrieved February 12, 2016, from http://trends.builtwith.com/cms
[4] Ghorecha, V., & Bhatt, C. (2013). A guide for Selecting Content Management System for Web Application Development. Computer Science Management Studies, 1(3), 13–17.
[5] What is a Content Management System (CMS)? (n.d.). Retrieved February 12, 2016, from http://www.comentum.com/what-is-cms-content-management-system.html
[6] Wakode, B. V., & Chaudhari, D. N. (2013). Study of Content Management Systems Joomla and, 569–573.
[7] About Joomla. (n.d.). Retrieved from http://www.joomla.org/about-joomla.html
[8] WordPress Features. (n.d.). Retrieved from https://WordPress.org/about/features/
[9] Alvarez, M. (2015). Pressing Your Luck With WordPress? A Look at CMS Security Risks. Retrieved February 17, 2016, from https://securityintelligence.com/pressing-your-luck-with-wordpress-a-look-at-cms-security-risks/
[10] Robert Mening. (n.d.). WordPress vs Joomla vs Drupal + CMS "Comparison Chart." Retrieved from http://websitesetup.org/cms-comparison-wordpress-vs-joomla-drupal/
[11] Hagen Graf. (n.d.). Joomla CMS. Retrieved from http://www.wilsonmar.com/joomla.htm
[12] Colao, J. J. (2012). With 60 Million Websites, WordPress Rules The Web. So Where's The Money? Retrieved from http://www.forbes.com/sites/jjcolao/2012/09/05/the-internets-mother-tongue/#7b00443955fe
[13] The 2015 WordPress vs Joomla vs Drupal Infographic. (n.d.). Retrieved from https://cmsreport.com/articles/the-2015-wordpress-vs-joomla-vs-drupal-infographic-13720
[14] Joomla! Core Features. (n.d.). Retrieved from https://www.joomla.org/core-features.html
[15] Symantec Global Internet Security Threat Report Trends for July–December 07 Volume XIII. (2008). Retrieved from http://eval.symantec.com/mktginfo/enterprise/white_papers/b-whitepaper_internet_security_threat_report_xiii_04-2008.en-us.pdf
[16] Sametinger, J., & Wiesauer, A. (2009). Security in Open Source Web Content Management Systems, (August).
[17] Marc-Alexandre Montpas. (2015). Vulnerability Details: Joomla! Remote Code Execution. Retrieved from https://blog.sucuri.net/2015/12/joomla-remote-code-execution-the-details.html
[18] Google Trend-WordPress vs Joomla. (n.d.). Retrieved from https://www.google.com/trends/explore#q=WordPress%2CJoomla&cmpt=q&tz=Etc%2FGMT-8
Steganography Series: Peak Signal-to-Noise Ratio
By | Abdul Alif Bin Zakaria
Introduction
Steganography is the art and science of hiding messages. The word steganography comes from the Greek words "Steganós" meaning covered and "Graptos" meaning writing [5]. Steganography and cryptography are similar in that both are used to protect important information. However, steganography differs from cryptography because it involves hiding information without any noticeable alteration to the cover object. Cover objects or carriers are files such as text, images, audio or video in which secret messages are hidden. The secret message can be in the same form as the cover object. A file containing a secret message hidden in the cover object is called a stego object. Cryptography entails changing a readable message into an unreadable one, while steganography involves hiding messages in another medium.
Steganalysis
Steganalysis is the art and science of detecting secret communication in steganography. In general, steganalysis techniques can be categorized into six levels depending on how much information is required about the hidden messages. The techniques are (i) differentiating between the cover and stego object, (ii) identifying the steganographic method, (iii) estimating the length of a hidden message, (iv) identifying the stego-bearing pixels, (v) retrieving the stego key, and (vi) message extraction [6]. Changes in the statistical properties of the cover may lead a steganalyst to detect the existence of the secret communication [5]. One of the most common steganalysis methods implemented is to measure the quality of the stego image using the Peak Signal-to-Noise Ratio (PSNR).
Image Pixel
An image is an array of numbers that represent the intensity level of each pixel comprising the image. A colour image is represented by arrays of each of the three primary colours, red, green and blue. By superimposing these three arrays, each pixel is a sum of those three colours that will produce a coloured image. Digital images are typically stored in either 24-bit (true colour) or 8-bit files (colour palette). 24-bit pictures have better resolution; thus, the file size would be larger and there would be more space available to hide information. 3 bytes are used to represent each pixel (1 byte for each colour) in 24-bit images. The 3 bytes can be represented as hexadecimal, decimal or binary values. The sequence FFFFFF represents a combination of 100% red, 100% green and 100% blue that will produce the colour white. Meanwhile, 000000 represents a combination of 0% red, 0% green and 0% blue that produces black. This combining method is applied to each pixel in order to compose an image. Information can be hidden by embedding secret messages into image pixels, depending on the method implemented by the user.
Peak Signal-to-Noise Ratio
PSNR is a standard measurement method used in steganography in order to test the quality of stego images [2]. The higher the PSNR value, the higher the quality of the stego image. If the cover image is C with size M × M and the stego image is S with size N × N, then the cover image C and the stego image S will have pixel coordinates (x, y) from 0 to M-1 and 0 to N-1 respectively. The PSNR is calculated as follows:
where
Note that MAX is the maximum possible pixel value of an image. For example, if the pixels are represented by 8 bits per sample, then the MAX value is 255. MSE, or Mean Square Error, is an error metric used to compare image compression quality. It represents the cumulative squared error between the compressed and original image. If the stego image has a higher PSNR value, then the stego image is of better quality.
Analysis
Figure 1 [4]: Jelly Bean Image
Table 1 [4]: Jelly Bean PSNR
Table 1 [4] shows a comparison of PSNR and MSE values for the "jelly bean" image in Figure 1. The image was embedded with different data (secret message) capacities ranging from 0.1% - 1% of different image sizes (256 x 256, 306 x 468 and 512 x 512). It can be seen that with increasing embedded data capacity, the value of PSNR decreases and MSE increases. In other words, the more data that is embedded in the original image file, the more the picture quality will decrease. Deteriorating picture quality happens because many bits of the original image have been changed or replaced by secret message bits.
The more bits that are modified in the original image, the more obvious the changes are to the naked eye. In steganography, if one can see a significant change in a cover object, the secrecy of the data is exposed, which is contrary to the main objective of steganography: to hide the presence of messages [3].
Figure 2 [1]: Lena Image
Stego image performance decreases when more bits of the cover image are modified. Figure 2 shows the differences in stego images that have been implemented with 1-bit to 7-bit data hiding using steganography. As the stego image gets more distorted, the PSNR value becomes lower and could increase awareness of the existence of the hidden data.
Conclusion
It is hard to detect the presence of steganography because the very existence of the secret messages is itself kept secret. One will never try to do steganalysis on all images, text, audio or video in communication to find secret or hidden messages, as it would cost a lot of time and money. An efficient method implemented is to calculate the PSNR. Even though it is not the absolute solution to this problem, a steganalyst can at least narrow down the suspected stego objects that contain a secret message, which could lead to finding the secret message.
Previous steganography series can be viewed on the CyberSecurity Malaysia website:
Title: Steganography Series: Colour Palettes
Publication: CyberSecurity Malaysia e-Security Bulletin. Vol 38 – (1/2015)
Link: http://www.cybersecurity.my/data/content_files/12/1499.pdf
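The PSNR definition and the Analysis section above describe the same effect from two sides: PSNR falls as more bits per pixel are replaced (Figure 2) and as a larger share of the image carries payload (Table 1). The following Python script is an added example, not code from this article or its references. It makes both effects measurable on a small constructed 8-bit grayscale image, using the standard formulas the text defines in words (MSE as the mean squared pixel difference and PSNR = 10 log10(MAX^2 / MSE) with MAX = 255) together with a plain k-bit LSB substitution. The ramp cover image, the payload text and the function names are the example's own assumptions.

```python
"""k-bit LSB embedding and PSNR/MSE on a constructed 8-bit grayscale image.

Added example, not code from the bulletin or its references. It uses the
standard definitions MSE = mean((C - S)^2) and PSNR = 10*log10(MAX^2/MSE)
with MAX = 255, and reproduces the two effects the article describes:
PSNR falls as more LSBs per pixel are replaced (Figure 2) and as more of
the image carries payload (Table 1).
"""
import math

MAX_PIXEL = 255  # 8 bits per sample, as in the article


def mse(cover, stego):
    """Mean squared error between two equally sized 2-D pixel arrays."""
    rows, cols = len(cover), len(cover[0])
    total = sum((cover[y][x] - stego[y][x]) ** 2
                for y in range(rows) for x in range(cols))
    return total / (rows * cols)


def psnr(cover, stego):
    """PSNR in dB; infinite when the images are identical (MSE = 0)."""
    err = mse(cover, stego)
    return math.inf if err == 0 else 10 * math.log10(MAX_PIXEL ** 2 / err)


def embed_lsb(cover, payload_bits, k):
    """Replace the k least significant bits of successive pixels (row-major)
    with k-bit chunks of payload_bits, most significant chunk bit first.
    Pixels beyond the end of the payload are left unchanged."""
    if not 1 <= k <= 7:
        raise ValueError("k must be 1..7 bits per pixel")
    stego = [row[:] for row in cover]
    mask = (1 << k) - 1
    pos = 0
    for row in stego:
        for x in range(len(row)):
            if pos >= len(payload_bits):
                return stego
            chunk = payload_bits[pos:pos + k]
            chunk = chunk + [0] * (k - len(chunk))  # zero-pad a short last chunk
            value = 0
            for bit in chunk:
                value = (value << 1) | bit
            row[x] = (row[x] & ~mask) | value
            pos += k
    return stego


def extract_lsb(stego, n_bits, k):
    """Read n_bits back out of the k LSBs of each pixel (round-trip check)."""
    bits = []
    for row in stego:
        for pixel in row:
            for i in range(k - 1, -1, -1):
                if len(bits) == n_bits:
                    return bits
                bits.append((pixel >> i) & 1)
    return bits


def text_to_bits(text):
    """Constructed payload: UTF-8 bytes of text, most significant bit first."""
    return [(byte >> i) & 1 for byte in text.encode("utf-8") for i in range(7, -1, -1)]


def make_gradient_cover(rows=8, cols=8):
    """Constructed cover: an 8x8 ramp with pixel values 0, 4, 8, ..., 252."""
    return [[(y * cols + x) * 4 for x in range(cols)] for y in range(rows)]


def psnr_sweep(cover, payload_bits):
    """(MSE, PSNR) for k = 1..7 with the same payload; pass at least
    rows*cols*7 bits so that every pixel is touched at every k."""
    out = {}
    for k in range(1, 8):
        stego = embed_lsb(cover, payload_bits, k)
        out[k] = (mse(cover, stego), psnr(cover, stego))
    return out


def capacity_effect(cover, payload_bits, fractions, k=1):
    """(MSE, PSNR) when only a given fraction of the pixels carries payload."""
    n_pixels = len(cover) * len(cover[0])
    out = {}
    for frac in fractions:
        stego = embed_lsb(cover, payload_bits[:int(n_pixels * frac) * k], k)
        out[frac] = (mse(cover, stego), psnr(cover, stego))
    return out


if __name__ == "__main__":
    cover = make_gradient_cover()
    bits = text_to_bits("constructed secret message, repeated to fill the image " * 8)
    for k, (err, quality) in psnr_sweep(cover, bits).items():
        print(f"{k}-bit LSB: MSE={err:8.2f}  PSNR={quality:6.2f} dB")
    for frac, (err, quality) in capacity_effect(cover, bits, [0.25, 0.5, 1.0]).items():
        print(f"{frac:.0%} of pixels, 1-bit LSB: MSE={err:.3f}  PSNR={quality:.2f} dB")
```

Running the script prints a sweep from 1-bit to 7-bit embedding and a capacity sweep at 1 bit per pixel. Because a 1-bit substitution changes each pixel by at most 1, the MSE at k = 1 can never exceed 1 (about 48.1 dB on an 8-bit image), and every additional bit plane replaced multiplies the achievable error, which is why the PSNR in Figure 2 drops so steeply. Note that psnr() needs the cover image as reference; a steganalyst rarely has it, so in practice the comparison is made against a reconstructed or estimated cover, and the relation the article describes holds for whichever reference is used.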
References
[1] Gupta H., Kumar R. and Changlani S. 2013. Enhanced Data Hiding Capacity Using LSB-Based Image Steganography Method. International Journal of Emerging Technology and Advanced Engineering. Vol. 3, No. 6.
[2] Ibrahim R. and Kuan T.S. 2011. Steganography Algorithm to Hide Secret Message Inside an Image. Computer Technology and Application. Vol. 2: 102-108.
[3] Shamimunnisabi and Cauvery N.K. 2012. Empirical Computation Of Rs-Analysis for Building Robust Steganography Using Integer Wavelet Transform and Genetic Algorithm. International Journal of Engineering Trends and Technology. Vol. 3, No. 3.
[4] Usha B.A., Srinath N.K. and Cauvery N.K. 2013. Data Embedding Technique In Image Steganography Using Neural Network. International Journal of Advanced Research in Computer and Communication Engineering. Vol. 2, No. 5.
[5] Zakaria A.A., Yusof N.A.M., Omar W.Z., Abdullah N.A.N. and Rani H.A. 2015. Analysis of Steganography Substitution System Methods Using New Testing Techniques Proposed for Strict Avalanche Criterion. International Journal of Cryptology Research. Vol. 5, No. 1: 61-76.
[6] Chaturvedi P. and Bairwa R.K. 2013. Image Steganography Method for Hiding Secret Message in Colored Images by Using IWT. International Journal of Recent Research and Review. Vol. 6, No. 3.
Rise of the DD4BC Copycats
By | Farah Ramlee
Introduction
From September 2014 through July 2015, cyber extortion was taken to another level and DD4BC emerged as the latest crime with a new modus operandi similar to ransomware. DD4BC is an abbreviation of "DDoS for Bitcoin". DD4BC is an extortionist group responsible for many bitcoin extortion campaigns involving DDoS attacks and ransom demands. This type of extortion is distributed through email. The email content is used to inform the target that if the ransom demand is not met by the deadline, a low-level DDoS attack would be launched against the victim's server [2]. To show the seriousness of such extortion, a mini demonstrative attack is launched to prove their point. [3] Like ransomware, the ransom goes through the dark web, is charged in bitcoin and keeps increasing while the attack is in action.
Figure 1: DD4BC DDoS attack activity increased dramatically in April but began tapering off in July (by Akamai) [4]
The financial service sector was most targeted, including banks, credit unions, currency exchange and payment processing companies. [1]
DD4BC recently threatened to expose targeted organizations via social media, adding to the damage caused by the DDoS attack itself. The goal apparently was to garner more attention to the group's ability to create service disruptions by publicly embarrassing the target and tarnishing the company's reputation through these wide-reaching channels. [2]
According to Akamai researchers, the group's methodology typically includes multi-vector DDoS attack campaigns, revisiting former targets and also incorporating Layer 7 DDoS in multi-vector attacks, specifically concentrating on the WordPress pingback vulnerability. This vulnerability is exploited to repeatedly send reflected GET requests to the target to overload the website. This attack method is also incorporated into DDoS booter suite frameworks. The group used multi-vector DDoS attacks including NTP floods, SSDP floods, UDP floods, SYN floods, UDP fragment floods, ICMP floods, DNS floods, GET floods, SNMP floods and CHARGEN floods. 141 DDoS attacks confirmed as DD4BC were observed by Akamai and partners from September 30, 2014 to July 24, 2015. [1] The key cyber extortionist member was reportedly arrested in early January 2016. [3]
However, soon after, a new group called Armada Collective imitated the DD4BC tactics, techniques and procedures (TTP), hoping to gain billions of dollars. The possible drive for this act was probably that the price index of bitcoins keeps increasing and bitcoins are encrypted. The remaining cyber criminals took advantage and produced even more copycats, as companies were willing to pay the ransom to avoid being attacked. [6]
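The reflected-GET method described above leaves a recognisable trace on the victim's side: every reflecting WordPress site fetches the target URL with a User-Agent of the form "WordPress/<version>; <site URL>; verifying pingback from <address>", which is the string WordPress's pingback handler sends when it verifies a pingback. The script below is an added example, not code from this article or from Akamai. It implements the signature-based detection recommended later in this article over a few constructed access-log lines in the Apache/Nginx "combined" format (RFC 5737 documentation addresses; the log lines, the one-minute window, the threshold and the function names are the example's own assumptions).

```python
"""Signature-based detection of WordPress pingback reflection traffic in
web server access logs (added example, not from the bulletin or Akamai).

A reflecting WordPress site verifies a pingback by fetching the target page
with a User-Agent of the form
    WordPress/<version>; <site URL>; verifying pingback from <address>
so a burst of such requests from many different sites in a short window is
the signature of the reflected GET flood the article describes. The log
lines below are constructed (RFC 5737 documentation addresses) in the
Apache/Nginx "combined" format.
"""
import re

SAMPLE_LOG = [
    '203.0.113.10 - - [10/Mar/2016:12:00:01 +0800] "GET /?5821 HTTP/1.0" 200 5123 "-" '
    '"WordPress/4.4.2; http://blog-a.example; verifying pingback from 198.51.100.7"',
    '203.0.113.11 - - [10/Mar/2016:12:00:01 +0800] "GET /?9182 HTTP/1.0" 200 5123 "-" '
    '"WordPress/4.3.1; http://blog-b.example; verifying pingback from 198.51.100.7"',
    '203.0.113.12 - - [10/Mar/2016:12:00:02 +0800] "GET /?4410 HTTP/1.0" 200 5123 "-" '
    '"WordPress/4.4.2; http://blog-c.example; verifying pingback from 198.51.100.7"',
    '198.51.100.50 - - [10/Mar/2016:12:00:02 +0800] "GET /index.html HTTP/1.1" 200 2048 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64) Firefox/44.0"',
    '203.0.113.13 - - [10/Mar/2016:12:00:03 +0800] "GET /?7733 HTTP/1.0" 200 5123 "-" '
    '"WordPress/4.4.2; http://blog-d.example; verifying pingback from 198.51.100.7"',
    # one ordinary pingback verification five minutes later: normal blog traffic
    '203.0.113.20 - - [10/Mar/2016:12:05:40 +0800] "GET /2016/03/post HTTP/1.0" 200 5123 "-" '
    '"WordPress/4.4.2; http://blog-e.example; verifying pingback from 198.51.100.9"',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')
PINGBACK_UA_RE = re.compile(
    r'^WordPress/(?P<version>[\d.]+); (?P<site>\S+); verifying pingback from (?P<claimed>\S+)$')


def parse_line(line):
    """Parse one combined-format line; returns None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    pb = PINGBACK_UA_RE.match(rec["ua"])
    rec["pingback"] = pb.groupdict() if pb else None
    rec["window"] = rec["ts"][:17]  # "10/Mar/2016:12:00" -> one-minute buckets
    return rec


def detect_pingback_flood(lines, min_reflectors=3):
    """One alert per minute in which pingback verifications arrived from at
    least min_reflectors distinct WordPress sites. A single verification is
    normal blog behaviour; many unrelated reflectors at once is not."""
    windows = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["pingback"] is None:
            continue
        w = windows.setdefault(rec["window"],
                               {"requests": 0, "reflectors": set(), "claimed": set()})
        w["requests"] += 1
        w["reflectors"].add(rec["ip"])
        # The "verifying pingback from" address is supplied by whoever posted
        # the pingback, so it is untrusted: keep it for the abuse report, but
        # never block or attribute on it alone.
        w["claimed"].add(rec["pingback"]["claimed"])
    alerts = []
    for window in sorted(windows):
        w = windows[window]
        if len(w["reflectors"]) >= min_reflectors:
            alerts.append({"window": window, "requests": w["requests"],
                           "reflectors": sorted(w["reflectors"]),
                           "claimed_origins": sorted(w["claimed"])})
    return alerts


if __name__ == "__main__":
    for alert in detect_pingback_flood(SAMPLE_LOG):
        print(f"{alert['window']}: {alert['requests']} pingback GETs from "
              f"{len(alert['reflectors'])} reflecting sites; "
              f"claimed origin(s) {alert['claimed_origins']}")
```

The detector keys on the number of distinct reflecting sites per minute rather than on request volume alone, because a lone pingback verification is ordinary blog-to-blog traffic, while dozens of unrelated sites verifying pingbacks against one page within the same minute is not. The reflector addresses are the useful output: they are the right input for rate limiting at the edge and for notifying the owners of the reflecting sites, who are themselves victims.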
Analysis
Cyber999 received a report regarding this
incident involving a cyber extortionist group,
Armada Collective. However, the email reported
below is just imitating the real Armada Collective
because the attack did not happen on the said
date.
Figure 2: DD4BC attack distribution by target industry (by Akamai) [4]
Figure 3: Sample ransom email from Armada Collective reported to Cyber999
Figure 3 shows that the email consists of a template starting with an introduction of the group, followed by a ransom demand stating that the victim would be DDoS-ed on the given date if the payment in bitcoins was not made. The extortionist also included their bitcoin wallet ID.
Figure 4: Email header from the Armada Collective copycat
Figure 4 shows that the email from the so-called Armada Collective was originally sent using a free email web server called OpenMailbox. The sender's IP address is internal, which means it belongs to the application, hence preventing the detection of the originating IP source. This is in fact a way that culprits are able to get away, as the application protects its users under their own privacy. However, we have reported this email through their web-reporting channel.
Another case that caught our eye was reported by an organization that received an extortion email with a different threat. The threat was not to DDoS their servers; instead, the email mentioned that time bombs had been physically placed at some unstated stations and would blow up on the said date if the ransom demand were not fulfilled.
Figure 5: Email received regarding a time bomb threat
Figure 6: Email header received regarding a time bomb threat
Figure 6 shows the email was sent using yet another public mail server called Sigiant. However, it was written in the website's disclaimer that any incidents should be reported if any abuse was traced using the server. In this case, an email from trainmain@sigiant.org with the source IP address xx.xx.238.120 was detected. The incident was then escalated to the respective ISP for further action.
In both cases, none of the attacks were launched after the dates passed. We may conclude these were just other copycats following the TTP of the original DD4BC for money extortion through the net.
Conclusion
Different types of DDoS attacks can affect specific IT network elements and require various DDoS mitigation techniques. Attackers identify the weakest links that will cause the most damage. To help protect against extortionist groups and subsequent DDoS attacks, the following advice and recommendations are given as defensive measures [5]:
• Deploy anomaly- and signature-based DDoS detection methods to identify attacks before a website becomes unavailable to users.
• Distribute resources to increase resiliency and avoid single points of failure due to an attack.
• Implement Layer 7 DDoS mitigation appliances on the network in strategic locations to reduce the threat to critical application servers.
The best practice to prevent your network from getting a DDoS attack is to develop a checklist or standard operating procedure (SOP) to follow in the event of a DDoS attack. [8] A proper DDoS mitigation plan also needs to be in place to help minimize damage and conduct "business as usual" during an attack.
If you need any assistance, do not hesitate to contact Cyber999 via the following channels:
E-mail: cyber999@cybersecurity.my
Phone: 1-300-88-2999 (monitored during business hours)
Fax: +603 89453442
Mobile: +60 19 2665850 (24x7 call incident reporting)
SMS: CYBER999 REPORT EMAIL COMPLAINT to 15888
Business Hours: Mon - Fri 08:30 - 17:30 MYT
Web: http://www.mycert.org.my
References
[1] https://www.stateoftheinternet.com/resources-web-security-threat-advisories-2015-dd4bc-case-study-ddos-attacks-bitcoin-extortion-ransom.html
[2] http://www.prnewswire.com/news-releases/akamai-releases-findings-of-increased-attacks-and-more-aggressive-tactics-from-dd4bc-extortionist-group-300139405.html
[3] http://www.scmagazine.com/key-member-of-dd4bc-arrested-in-international-crackdown/article/465097/
[4] http://pages.arbornetworks.com/rs/082-KNA-087/images/ATIB2015-04DD4BC.pdf
[5] https://blogs.akamai.com/2015/11/operation-profile-armada-collective.html
[6] http://www.securityweek.com/dd4bc-armada-collective-inspire-cyber-extortion-copycats
[7] https://blogs.akamai.com/2015/09/case-study-operation-dd4bc.html
[8] https://www.us-cert.gov/ncas/alerts/TA12-024A
Successful Cybersecurity Capacity Building
By | Adam Palmer, FireEye
Long-term capacity building is the foundation for success in achieving cybersecurity goals. A capacity building plan should include a dynamic assessment and improvement process that aligns with a long-term strategy. This should be a flexible approach that is modified as technology and threats evolve. It is proposed in this article that the goal of a cybersecurity programme should be to achieve a level referred to as "Adaptive Defence." Adaptive Defence is the ability to detect and respond to identified security needs by utilizing intelligence-based information and effective response planning.
Adaptive defence entails more than achieving "Basic Cyber Hygiene." This base level must be expanded to include advanced threats and unknown attacks. 70% of the time, malware is used only once. Traditional means of 'basic hygiene' are no longer sufficient to protect against today's cyber threats, which are unique, complex and no longer preventable by using traditional prevention methods.
The SANS Institute and the Council on Cybersecurity, a consortium of security experts from across public and private sectors, have published a list of 'Top 20 Security Controls' - a relatively short list of high-priority, highly effective actions that provides a useful and effective starting point for every enterprise seeking to improve their cyber defence. Two key controls in particular – CSC-5 and CSC-13 – include recommended measures that go beyond traditional hygiene for malware and boundary defence. In the USA, the National Institute of Standards and Technology (NIST) Cybersecurity Framework best practices include NIST 800.53 SC-7 (Boundary Protection), SC-44 (Detonation Chambers) and SI-3 (Malicious Code Protection). These are elements of cybersecurity best practices that are particularly critical to any effective cyber hygiene program and they have been adopted and recommended by leading independent global security experts.
Each of the core Adaptive Defence domains is examined in detail below.
Detection: Detection includes utilizing intelligence from a range of sources and making decisions based on a flexible programmatic approach. Threat intelligence should include awareness of known threat groups, their known attack methodologies and anticipated attack vectors. Identifying who may be the source of an attack can support understanding the objectives of the attackers and why they may be targeting an organization. An adaptive defence security programme should evolve from passive monitoring to active "hunting" for evidence of threat actors within a network. This approach assumes the presence of an attacker that is using unknown intrusion techniques.
Prevention: Prevention includes basic activities to avert known threats. These activities comprise traditional security controls that are essential to a security programme. However, these basic controls must be supplemented by additional behavioural-based heuristic detection capabilities that can prevent attackers from exploiting an unknown vulnerability.
Response: Response should include both the capability to recover quickly from a cyberattack and a measurement of the time necessary to resume critical operations after an attack. Response should also include the following sub-domain controls:
• Incident Management
• Service Continuity Management
• External Dependency Management
The Response Strategy must establish an incident response coordinator and precisely define protocols to inform key stakeholders. These protocols should govern privacy disclosure requirements and assignment of work streams for investigation, remediation, communication and response plan execution.
Analysis: Analysis consists of containment, forensics investigation and kill chain reconstruction. An effective strategy should emphasize adaptation based on analysis of known attacks. Post-incident analysis forms the basis of an "adaptive" response by adjusting controls based upon actual known risks. Analysis of known attacks should promote the adoption of appropriate technical and organizational measures to safeguard data at a security level appropriate to actual risks. Understanding attack methodologies promotes informed decision-making, intelligence integration and timely response.
Long-Term Planning
The most important concept of a capacity building plan is that each organization has unique needs. An organization must identify critical areas that correlate with a desired security readiness posture. Within each area are maturity levels. Maturity levels are established by measuring progress along a continuum of risk-based preparedness from low readiness levels to advanced full capability. This risk and capability evaluation process allows decision makers to benchmark existing cybersecurity preparedness and evaluate core competencies, and it provides an operational framework for capacity building that also measures improvement dynamically.
Cybersecurity is not only a technical solution. The foundation for all technical solutions should be based on a clear understanding of policy requirements and strategy goals. Compliance is not "true security." Many threats can evade basic compliance measures that tend to only promote "basic hygiene." The overall objective of an Adaptive Defence capacity building programme is to create more than a mere compliance or basic hygiene capability, as recommended above.
The capacity building structure should be designed so as to enable a comprehensive, long-term and holistic approach. Each activity domain within the suggested capacity building programme can be summarized as follows:
Framework Support:
• The assessment of operational needs and development of a strong sustainable framework that provides comprehensive operational security and procedures for operations.
Operational Standards:
• Comprehensive assessment of existing legislative policies covering criminalization, procedural law, electronic evidence, jurisdiction, private sector responsibilities and liabilities, and international cooperation, using good practice benchmarks and relevant regional and national standards
Operational Training:
• Delivery of training at the basic, intermediate, and advanced levels on advanced electronic evidence collection and handling
• For the government, the delivery of investigator and prosecution training at the basic, intermediate and advanced levels on the role and presentation of electronic evidence and applicable substantive and procedural law in the prosecution and adjudication of cybercrime cases
• Organization of public private partnership expert working groups to create protocols on the involvement of specialized procedures, use of investigative measures, guidelines for intelligence sharing operations, and the introduction and consideration of electronic evidence in legal forums.
Sustainability:
• Providing long-term coordination and support mechanisms to effectively transfer capabilities from global experts or security vendors to internal organizational staff and to maintain team readiness
Cooperation:
• Facilitating working relations between law enforcement and local offices of key global digital service providers, developing procedures and due legal process requirements, and facilitating the sharing of strategic threat information from key global cybersecurity providers with intelligence analysts
• Establishing advanced teams working with law enforcement and intelligence groups to apply legal, procedural and technical tools to monitor and respond effectively to threats
A suggested phased implementation plan is outlined below:
Phase I: Operational Framework Assessment & Development
a. Assessment of Operational, Procedural, and Training Requirements
b. Development and Review of a Capacity Building Framework and Capacity Building Programme Recommendations
Phase II: Implementation
a. Establishing on-site cooperative partnership teams led by global experts to implement capacity building programmes from basic to advanced levels
b. Training in advanced detection and response capabilities that ensure compliance with international regulatory frameworks and best practices
c. Evaluating implementation and adjustment to meet identified standard goals
Phase III: Sustainability and Maintenance
a. Additional support for staff on tools and techniques as determined necessary through monitoring and evaluation
b. Implementing long-term external cooperation and support mechanisms
Progress in programme implementation should
be tracked through ongoing monitoring of
the needs indicators established in an initial
assessment. The purpose of ongoing monitoring
is to ensure accountability through transparent
and clearly-documented records with a view to
enable clear oversight, decision-making and
transparent operations. Information required
for the indicators should be collected with a
periodicity appropriate to each indicator, taking
into account the time required for outputs and
outcomes to have effect. Results from calculated
available indicators can be used to ensure that
activities, outputs and outcomes are in line with
the expected results.
The challenge of advanced cyber threats is
unlikely to be resolved in the near future. Both
private organizations and the government must
commit to a long-term programme of capacity
building for prevention, detection and response.
It is critical for capacity building actions to
aim clearly towards a sustainable response
that achieves an “active defence.” Investment
should be made in establishing functional
and sustainable solutions that create a solid
foundation for the future.
Getting to Know The Knowledge Management Centre of CyberSecurity Malaysia
By | Zaleha Abd Rahim

Introduction

Wikipedia defines 'Special Library' as a library that provides specialised information resources on particular subjects, serves a specialised and limited clientele and delivers specialised services to that clientele. In other words, Special Library is a term for a library that is neither an academy or school, nor a public or national library. Normally, special libraries are developed to support the vision and mission of an organisation. Special libraries are 'special' in their collections and services, which are more targeted and specific to the needs of the users.

The Knowledge Management Centre (KMC) of CyberSecurity Malaysia falls under this category, whereby we specialize in subject matters related to information security and cyber security. The Knowledge Management Centre was established in 2008 as part of the CyberSecurity Malaysia initiative to realize the vision of a National Cyber Security Reference and Specialist Centre by the year 2020. Previously, it was known as the Knowledge Resource Centre (KRC). However, the name has been changed to the Knowledge Management Centre to reflect its role and discipline in promoting a collaborative and integrated approach to the creation, capturing, access and use of knowledge assets. The centre acts as a platform for cyber security professionals and communities to seek a comprehensive collection of cyber security-related information materials. The Knowledge Management Centre also aims to provide a conducive learning and knowledge acquisition environment for cyber security professionals and practitioners across the nation.

KMC Key Objectives

• To complement the government's effort to produce 'K-Workers' particularly in the field of cyber security
• To contribute to CyberSecurity Malaysia's goal of becoming a Learning Organisation that empowers employees to be innovative and productive human capital, possess positive attitude and forge strong teamwork
• To gain national recognition as a national knowledge hub through the establishment of a place that provides a mind-stimulating knowledge acquiring environment in the field of cyber security.

Collection Development

The Knowledge Management Centre (KMC) envisions being a National Knowledge Reference Point in the area of cyber security. For this reason, our collections consist primarily of print and electronic resources focusing on cyber security-related information materials in order to meet the information needs of cyber security professionals and communities. The collections are basically divided into a few categories:

• Main Collections: Printed and online resources covering disciplines specified by CyberSecurity Malaysia and the information security community nationwide.
• Reference Collections: Dictionaries, encyclopaedias, directories, biographies, numerical data compilations, handbooks, manuals, bibliographies and yearbooks.
• Control Access Collections: Materials that are commonly used, such as theses, dissertations, research reports, seminar/conference papers, official publications (e.g. annual reports) and small-size publications (e.g. statistics, surveys).
• Serial Collections: Cyber security-related journals, magazines, newspapers and bulletins.
• Multimedia Collections: Non-print materials in the form of audio, CDs and DVDs.
• Leisure Reading Collections: Light reading materials covering bestsellers, fiction, motivation, hobbies, crafts, etc.
• Cybersiana Collection: Articles and slide presentations written by CyberSecurity Malaysia professionals
Services And Activities

The Knowledge Management Centre of CyberSecurity Malaysia supports and upholds the CyberSecurity Malaysia vision, i.e. 'To Be a Globally Recognised National Cyber Security Reference and Specialist Centre by 2020.' Therefore, we provide services and activities to cater for and meet the information needs of staff. In addition to the basic operational services, such as cataloguing, classification, check-out and check-in of materials, we also provide information dissemination services, such as the Current Awareness Service [CAS] and Selective Dissemination of Information [SDI]. However, we re-brand the services by giving them special names and disseminate information daily in order to keep our staff well-informed.

Monday:
Pick of the Week -- we choose several titles and display the books in the centre. Then we broadcast the titles via email to inform staff, especially newcomers, that we have those titles in the collection and they are most welcome to borrow them. However, if we purchase new titles, we change the broadcast to What's New.

Tuesday:
SDI K-Brief -- we choose a subject and select a few articles related to the subject. Then we email the abstracts of the selected articles to all staff. Those who are interested in reading the full text of the articles are encouraged to request a copy from us.

Wednesday:
Current Awareness Service (CAS) -- we disseminate information extracted from new issues of technical journals and magazines received in a particular month. This way, our users will update their knowledge on the latest trends and technologies on cyber security matters.

Thursday:
Santai Jom Baca is targeted at those who want to take a break and relax by reading leisure materials such as Men's Health, Impiana, Harmoni, Reader's Digest, Pa & Ma, Umpan, Saji, etc.

Friday:
K-Share materials are extracted from several resources and those who are interested in reading the full text over the weekend are most welcome to request a copy from us.

KMC also offers a service known as 'InfoQuest' where CyberSecurity Malaysia staff can request Knowledge Management staff to assist with identifying and finding articles of interest.

Today, knowledge matters. Therefore, more organisations are recognising knowledge as their most valuable and strategic resource to sustain their competitive advantage. The Knowledge Management Centre of CyberSecurity Malaysia aims to develop a knowledge-intensive culture by encouraging and aggregating behaviours such as knowledge sharing and proactively seeking, acquiring and offering knowledge. Therefore, in addition to the information dissemination services, the Knowledge Management Centre also takes the initiative to organize several knowledge sharing activities, as we strongly believe these activities help CyberSecurity Malaysia with acquiring, capturing, storing and utilizing knowledge for problem solving, dynamic learning, strategic planning and decision making.

Cafe Ilmu @ KMC

Cafe Ilmu @ KMC was initiated to encourage CyberSecurity Malaysia staff to share and exchange their reading experiences and knowledge in an informal environment. Staff share and discuss what they have read and audiences are most welcome to add value based on their own knowledge and experiences as well. Since the centre's collection is very limited and focused on information security and cyber security matters, we encourage our Cafe Ilmu @ KMC participants to share their own reading materials regardless of subject interest. After the session, a summary is written and emailed to CyberSecurity Malaysia staff in order to benefit those who were not able to join and participate in the session. Later, those summaries are compiled and published as a KM Newsletter.

[Picture: Dr. Zahri Yunos sharing his reading entitled 'It Worked for me in Life and Leadership' by Colin Powell]

Jom Borak Ilmu

This is a platform where staff of CyberSecurity Malaysia can present and share their specific knowledge, especially technical knowledge, once they return from any training, seminar or conference. Again, it is done in an informal environment with the hope that knowledge will flow freely and trigger informative discussions. This is also a good platform for staff to practice their communication skills and public speaking.

[Picture: Ahmad Dahari Jarno from the SA Department sharing his technical expertise on a Social Engineering Experiment]

Technical Colloquium

The Technical Colloquium serves as a platform for CyberSecurity staff to present their research papers in order to solicit feedback and comments before their papers are submitted for journal publications. In addition, the Technical Colloquium is a knowledge sharing platform for researchers to enhance their communication and presentation skills.

[Picture: Khairul Akram from the Digital Forensics Department presenting his paper]

Occasionally, the Knowledge Management Centre also organizes activities, such as Infohunt, Merdeka Day Quizzes, ISMS Awareness Day, Thematic Exhibition and KM Appreciation Day.

Summary

Knowledge is an important asset to CyberSecurity Malaysia as it can enhance communication and collaboration among employees, create new knowledge and add value to the entire organisation. For these reasons, the Knowledge Management Centre plays its role effectively and efficiently to ensure that CyberSecurity Malaysia's vision and mission are met.

References
1. https://en.wikipedia.org/wiki/Special_library
2. KRC Policies and Procedures
National Cryptographic Algorithm Projects
By | Isma Norshahila binti Mohammad Shah, Nik Azura binti Nik Abdullah, Norul Hidayah binti Lot@Ahmad Zawawi, Liyana Chew binti Nizam Chew

Introduction

Cryptography plays a crucial role in information security. Cryptography systems are used to protect valuable information resources for both data in transit and at rest. However, a variety of cryptographic problems have arisen involving the cryptographic algorithms used in communications to protect classified information. Therefore, many countries, such as Japan, the USA and European countries, have shown initiatives to develop a mechanism to identify trusted algorithms. Trusted algorithms are used by standard bodies and governments. This article briefly explains four national cryptographic algorithm projects that have been set up, namely NESSIE, CRYPTREC, projects by NIST and eSTREAM.

NESSIE is a project within the Information Society Technologies (IST) Programme of the European Commission. It ran from 2000 to 2003 to identify secure cryptographic primitives. The project was comparable to the NIST AES process and the Japanese government-sponsored CRYPTREC project, but with notable differences.

CRYPTREC is an abbreviation of Cryptography Research and Evaluation Committees and refers to a project to evaluate and monitor the security of e-Government recommended ciphers as well as to examine the establishment of evaluation criteria for cryptographic modules. The task of evaluating existing cryptographic techniques has been entrusted to the Information Technology Promotion Agency, Japan (IPA).

AES, SHA-3 and CAESAR are projects by the National Institute of Standards and Technology (NIST), United States of America. AES is a competition run by NIST to find a block cipher to replace the Data Encryption Standard (DES). The NIST hash function competition, which is the SHA-3 competition, was set up to develop a new hash function called SHA-3 to complement the older SHA-1 and SHA-2. CAESAR is a competition for Authenticated Encryption: Security, Applicability and Robustness, scheduled from 2014 to 2017.

eSTREAM is a stream cipher project by ECRYPT (European Network of Excellence in Cryptology). This project was set up to identify new stream ciphers suitable for widespread adoption. The submissions to eSTREAM fall into either or both of two profiles, which are Profile 1: Stream ciphers for software applications with high throughput requirements and Profile 2: Stream ciphers for hardware applications with restricted resources.

The objectives and goals of each project are as follows:

Types of Primitives

A list of cryptographic primitives per project is as follows:

Evaluated Algorithms

Cryptographic algorithms evaluated for each project are as follows:

Decision Factors

Cryptographic algorithms for each project were selected based on the following decision factors:

Approved Algorithms

The approved cryptographic algorithms for each project are listed below:

References
1. https://competitions.cr.yp.to/
2. http://www.ecrypt.eu.org/stream/finallist.html
3. https://en.wikipedia.org/wiki/Advanced_Encryption_Standard_process
4. http://www.iacr.org/archive/ches2010/62250240/62250240.pdf
5. https://www.cosic.esat.kuleuven.be/publications/article-439.ps
6. https://en.wikipedia.org/wiki/Advanced_Encryption_Standard
7. http://www.ecrypt.eu.org/stream/portfolio.pdf
FIPS 140-2 Evaluation Laboratory Accreditation and Its Programs
By | Norul Hidayah binti Lot@Ahmad Zawawi, Liyana Chew binti Nizam Chew, Nik Azura binti Nik Abdullah, Isma Norshahila binti Mohammad Shah

Introduction

The Federal Information Processing Standard (FIPS) 140-2 cryptographic module is a set of standards that have been approved and adopted at the international level. This standard outlines a clear evaluation and is reliable for evaluating the security capabilities of information technology products. The evaluation process is conducted by the Cryptographic and Security Testing Laboratory (CST Lab) and the evaluation report is reviewed by a body under the National Institute of Standards and Technology (NIST) called the National Voluntary Laboratory Accreditation Program (NVLAP) to ensure that the security of the cryptographic product is assessed to comply with standard guidelines. Verification of the cryptographic product is an important process to guarantee its security foundation before a certification is awarded. Figure 1 below shows the number of CST Lab(s) in each country that conduct cryptographic product evaluation based on the FIPS140-2 standard.

Figure 1: List of countries that have CST Lab(s)

This article briefly explains the flow of the FIPS140-2 accreditation laboratory process as well as the Cryptographic and Security Testing laboratory validation program consisting of the Cryptographic Module Validation Program (CMVP) and Cryptographic Algorithm Validation Program (CAVP).

1. FIPS140-2 Accreditation Laboratory Process

The following are the six steps in acquiring accreditation from NVLAP, NIST to enable an evaluation lab to perform FIPS140-2 evaluation.

Figure 2: FIPS140-2 Accreditation Process

2. Cryptographic and Security Testing Laboratory (CST Lab) Validation Program

The Laboratory Accreditation Program (LAP) for CST Lab was established by NVLAP to accredit laboratories that perform cryptographic module validation conformance testing and algorithm testing, known as the Cryptographic Module Validation Program (CMVP) and Cryptographic Algorithm Validation Program (CAVP).

Cryptographic Module Validation Program (CMVP)

CMVP is a validation program developed jointly by the Information Technology Laboratory (ITL) of NIST and the Communications Security Establishment Canada (CSEC). The purpose of CMVP is to ensure the availability and assurance of secure cryptographic modules for the protection of information through conformance testing of cryptographic modules against the FIPS140-2 standard.

There are five steps in the CMVP process as shown in Figure 3:

Step 1: Implementation Under Test (IUT)
a. The vendor submits the cryptographic module for testing to an accredited CST Lab under a contractual agreement.
b. Cryptographic module validation testing is performed using the Derived Test Requirements (DTR) for FIPS Publication (FIPS PUB) 140-2, which are Security Requirements for Cryptographic Modules. If the CST Lab has any questions or requires clarification of any requirement with regard to the particular cryptographic module, the lab can submit Requests for Guidance (RFG) to NIST and CSE.

Step 2: Review Pending
Once all the testing requirements have been completed, a validation submission is prepared and submitted to NIST and CSE for validation.

Step 3: Under Review
A reviewer each from NIST and CSE is assigned to review the validation report, the non-proprietary security policy and other supporting documents.

Step 4: Coordination
During the review process, NIST and CSE will combine their comments on the validation report as required and then submit them to the CST Lab for action. This process will continue until all comments and/or questions have been satisfactorily addressed.

Step 5: Finalization
a. The vendor pays a validation fee prior to validation.
b. Once the cryptographic module has been validated, NIST and CSE will issue a certificate through the CST Lab to the vendor.
c. The new validated cryptographic module will be given an entry in the FIPS 140-1 and FIPS 140-2 Cryptographic Module Validation List on the NIST website.

Figure 3: CMVP Process

Cryptographic Algorithm Validation Program (CAVP)

CAVP is a validation program jointly developed by ITL of NIST and CSEC for the validation of all FIPS-approved and NIST-recommended security functions. ITL developed a validation test suite to test the correctness of a security function's implementation for every FIPS-approved and NIST-recommended security function. CAVP is a pre-requisite to the CMVP.

There are eleven steps in the CAVP process as shown in Figure 4:

Step 1
The vendor selects one of the accredited CST Labs to oversee the algorithm validation testing of their cryptographic algorithm implementation. Note that the cryptographic algorithm implementation can be tested in-house by the vendor, or it can be sent to the selected CST Lab for testing (the term "tester" refers to the party performing the algorithm test).

Step 2
The CST Lab requests from the vendor information related to each cryptographic algorithm to be tested in the implementation.

Step 3
Using the validation system document, the tester implements the validation system test suite via the vendor's algorithm implementation.

Step 4
For each algorithm being tested, the CST Lab uses this information and the CAVS tool to generate input test vectors to be used in the validation tests.

Step 5
The CST Lab supplies the input test vectors to the tester.
Step 6
The tester uses the test vectors as inputs into the implementation.

Step 7
a. The results are forwarded to the CST Lab.
b. The CST Lab uses the CAVS tool to verify the validation test results. If the results are not correct, the CAVS tool records which test failed. The lab informs the vendor that the implementation does not meet the requirements of the associated reference and provides the information generated by CAVS to assist the vendor in determining where their algorithm implementation deviated from the reference specifications.

Step 8
Upon passing the cryptographic algorithm implementation validation test, the CST Lab submits an algorithm validation submission request package to NIST. This package contains the official validation request from the lab and all the files generated from the CAVS tool including a file summarizing the validation test results for each algorithm tested.

Step 9
NIST reviews the package for completeness and verifies that all tests have passed. If this is true, NIST and CSEC validate the implementation.

Step 10
NIST enters all relevant information related to this validation into an internal database that generates the Cryptographic Algorithm Validation Consolidated Certificate, which contains multiple cryptographic algorithm implementations. NIST signs this certificate and sends it to CSEC for their signature.

Step 11
Once validated, the cryptographic algorithm implementation is posted to the CAVP website. A separate cryptographic algorithm validation list exists for each approved cryptographic algorithm for which NIST has available testing.

Figure 4: CAVP Process

Roles and Responsibilities

There are four parties involved in CMVP and CAVP. Each party has roles and responsibilities that are described in Figures 5 and 6:
Figure 5: Roles and Responsibilities in CMVP

Figure 6: Roles and Responsibilities in CAVP
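The test-vector exchange in CAVP Steps 4 to 9 above (the lab generates request vectors, the tester runs them through the implementation, the lab verifies the responses and records which test failed) can be modelled as a known-answer test harness. The block below is an added example written for this article; it is not part of the original and it is not NIST's CAVS tool. The "Len = / Msg = / MD =" record layout imitates the style of the CAVS SHA short-message files, the three expected digests are the SHA-256 example vectors published in FIPS 180-2, and the flawed implementation is a constructed defect used only to show how a failing test is recorded and reported back.

```python
"""Known-answer test flow modelled on the CAVP steps (added example)."""
import hashlib
from typing import Callable, Dict, List, Tuple

# Known answers held by the lab. Messages and digests are the SHA-256
# example vectors from FIPS 180-2 (a constructed selection of three).
KNOWN_ANSWERS: List[Tuple[bytes, str]] = [
    (b"", "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"),
    (b"abc", "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"),
    (b"abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq",
     "248d6a61d20638b8e5c026930c3e6039a33ce45964ff2167f6ecedd419db06c1"),
]


def build_request(messages: List[bytes]) -> str:
    """Step 4: the lab writes a request file that holds only the inputs.
    Len is in bits, Msg is hex; an empty message is written as 'Msg = 00'
    with Len = 0, as the CAVS short-message files do."""
    lines = ["[L = 32]", ""]
    for m in messages:
        lines += [f"Len = {len(m) * 8}", f"Msg = {m.hex() or '00'}", ""]
    return "\n".join(lines)


def parse_records(text: str) -> List[Dict[str, str]]:
    """Parse 'Key = Value' blocks separated by blank lines. Bracketed
    section headers such as '[L = 32]' are skipped. Works for both the
    request and the response file."""
    records, current = [], {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("["):
            if current:
                records.append(current)
                current = {}
            continue
        key, _, value = line.partition("=")
        current[key.strip()] = value.strip()
    if current:
        records.append(current)
    return records


def message_from_record(rec: Dict[str, str]) -> bytes:
    # Truncate to Len so the '00' placeholder of an empty message is dropped.
    nbytes = int(rec["Len"]) // 8
    return bytes.fromhex(rec["Msg"])[:nbytes]


def run_tester(request: str, iut: Callable[[bytes], str]) -> str:
    """Step 6: the tester feeds every request vector to the implementation
    under test (IUT) and writes the digest back as 'MD ='."""
    out = ["[L = 32]", ""]
    for rec in parse_records(request):
        md = iut(message_from_record(rec))
        out += [f"Len = {rec['Len']}", f"Msg = {rec['Msg']}", f"MD = {md}", ""]
    return "\n".join(out)


def verify_response(response: str, expected: Dict[bytes, str]) -> Dict[str, List[int]]:
    """Step 7b: the lab compares each MD with its known answer and records
    the indices of the failing tests so the vendor can locate the deviation."""
    result: Dict[str, List[int]] = {"passed": [], "failed": []}
    for idx, rec in enumerate(parse_records(response)):
        msg = message_from_record(rec)
        if rec.get("MD", "").lower() == expected[msg]:
            result["passed"].append(idx)
        else:
            result["failed"].append(idx)
    return result


def sha256_iut(message: bytes) -> str:
    """A correct implementation under test (the standard library here)."""
    return hashlib.sha256(message).hexdigest()


def flawed_iut(message: bytes) -> str:
    """Constructed defect: keeps only the first 55 bytes, the most that fits
    in one padded block, so any message needing a second block hashes wrong."""
    return hashlib.sha256(message[:55]).hexdigest()


def run_validation(iut: Callable[[bytes], str]) -> Dict[str, List[int]]:
    """Steps 4 to 7 end to end for one implementation."""
    expected = {m: d for m, d in KNOWN_ANSWERS}
    request = build_request([m for m, _ in KNOWN_ANSWERS])
    response = run_tester(request, iut)
    return verify_response(response, expected)


if __name__ == "__main__":
    print("correct IUT:", run_validation(sha256_iut))
    print("flawed IUT: ", run_validation(flawed_iut))
```

The point of separating the request file (inputs only) from the response file is the one the CAVP steps make: the tester never sees the expected answers, so a response can only match if the implementation actually computes the function correctly, and a mismatch identifies the exact vector, here the two-block message, at which the implementation deviates from the specification.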
Conclusion
It is recommended for organizations to use
validated cryptographic modules that comply
with the requirements of FIPS140-2 in order to
improve the protection of sensitive information.
Although this standard is formally accepted by
the Government of the United States of America
and the Government of Canada, this program
has been adopted by many other industries and
countries. Organizations who choose to adopt
this FIPS140-2 standard are well-served by the
benefits of the security assurance provided by
the validated modules.
References
3. http://www.nist.gov/nvlap/
4. http://csrc.nist.gov/publications/nistbul/itlbul2014_11.pdf
5. http://csrc.nist.gov/groups/STM/cavp/documents/CAVPMM.pdf
6. http://www.nist.gov/nvlap/upload/NIST-HB-150-17-2013.pdf
7. http://csrc.nist.gov/groups/STM/cmvp/documents/CMVPMM.pdf
Vulnerability Assessment & Penetration Testing (VAPT): Approach And Methodology
By | Norazlila Binti Mat Nor

Introduction

Vulnerability assessment is defined as a comprehensive on-site security vulnerability testing and evaluation process performed by security analysts to identify security weaknesses and potential exposures to threats in the target systems. Penetration testing meanwhile attempts to exploit vulnerabilities in the system to determine whether unauthorized access or other malicious activity may possibly pose a threat to the system.

The objective of this article is to explain the approach and methodology of how to conduct Vulnerability Assessment & Penetration Testing (VAPT) in an organization. However, this is not a guide on how to hack networks and systems.

Approach and Methodology

The overall VAPT approach encompasses three (3) phases: pre-assessment, assessment and post-assessment. The activities are summarized in Figure 1 below.

Figure 1: Phases and activities of VAPT

Phase 1: Pre-Assessment

1. Signing a Non-Disclosure Agreement

Before any VAPT activities begin, any supporting documents required, especially the Confidentiality and Non-Disclosure Agreement (NDA), must be finalised. The Confidentiality Agreement states that the information provided by the target organization will be treated as confidential and proprietary, while the NDA protects an organization's confidential information during business dealings with customers, suppliers, employees or any third parties.

Among the points recommended for inclusion in the NDA are:
• Identify truly valuable information and information that is critical to the organization.
• Clearly specify that the person/organisation who signs the agreement should not disclose what is mentioned within.
• Clearly identify all parties in the agreement.
• Specifically include the starting date and length of the nondisclosure period.

2. Conducting a Kick-Off Meeting

In order to perform VAPT successfully, good planning and preparations need to be done. Basically, a kick-off meeting should be held between the client and the security analysis team. The kick-off meeting will address the scope of work and objective of the assessment. The security analysis team should present to the client the expected output or assessment deliverables.

During the kick-off meeting, a project timeline also needs to be finalized. This is important to ensure that while VAPT activities are carried out, the normal business or daily operations of the organization are not compromised. The security analysis team are required to obtain permission on the allowable penetration testing hours and other client rules and regulations that need to be adhered to.

3. Assigning the Team

Based on the scope of work agreed upon, the assessment team should establish the project team structure. The project team will usually consist of a project manager, project management executive, quality assurance, team leader and team members. The roles and responsibilities of each member must be clear and, if possible, the project team structure should be presented to the client. This is to ensure the client reaches the right person in charge if any problems arise while conducting VAPT.

The roles and responsibilities of each member
include but are not limited to:

a. Project Manager
• Responsible for the overall VAPT and reporting.
• Ensuring timely completion of project activities and submission of deliverables.
• Planning, developing and managing the overall project implementation.

b. Project Management Executive
• Managing day-to-day aspects of the project to ensure smooth operation throughout the project timeline.
• Monitoring and tracking project activities.
• Recording project expenses and invoices.
• Following up with the client on outstanding matters.
• Managing and ensuring all matters and change requests are properly addressed and resolved.

c. Quality Assurance
• Evaluating all aspects of the report, such as content, structure, overall style and format.
• Reviewing and evaluating the accuracy and completeness of the report content.

d. Team Leader
• Delivering, conducting and leading the assessment.
• Preparing updates on the progress of the assessment.
• Developing a VAPT report.
• Ensuring the client data are protected during the assessment.

e. Team Members
• Conducting VAPT based on the scope of work.
• Assisting the team leader with developing the VAPT report.
• Providing expert advice on related technical matters.
• Supporting the team leader with facilitating key project activities.

Phase 2: Assessment

1. Conducting VAPT

Ideally, VAPT activities begin with gathering information on the target or scope of assessment. A number of ways are available to do the necessary information gathering, using online tools or manual searching. The collected information is very useful to the project team to conduct the VAPT in the next stage.

One of the popular information gathering tools is Nmap, which is made for scanning large networks. It can also be used to determine what operating systems are running on a network as well as the type of packet filters/firewalls that are in use, and numerous other characteristics.

Moreover, information can be gathered manually by searching the Internet. Many organizations reveal their activities, contact information and history information on their websites. Hence, conducting queries on the web might reveal information about domain names and networks that could be used to conduct further attacks.

Subsequent to information gathering, the project team will start with vulnerability assessment to discover any potential vulnerabilities present in the systems. Vulnerability assessment is essentially conducted using automated tools. Such tools are Nessus, SAINT and Retina for network security assessment and Acunetix for web application security assessment. The tools will scan a specific network or web application and are able to produce a list of possible vulnerabilities existing, together with steps to be taken to eliminate the vulnerabilities. The list will then be utilized in penetration testing.

Penetration testing is a method to evaluate security weaknesses of a web application and database, computer system or network device by simulating an attack from malicious outsiders as well as insiders, performed on-site and remotely. The goal of this activity is to demonstrate the existence or absence of known vulnerabilities that could be exploited by attackers. Even the potential vulnerabilities already listed during vulnerability assessment do not mean that the exploitation or simulation can be done during the assessment period, as some of the exploits can take longer to succeed. Penetration testing is also not always successful even though it is theoretically possible.
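As an added example (not part of the original article), the block below parses the XML report that Nmap writes with its -oX option into a host and service inventory: the list of exposed services that the vulnerability assessment tools and the final report both start from. The XML is a constructed sample in the layout Nmap emits, using TEST-NET addresses and a .test hostname; the "filtered" port state is the one Nmap reports when a packet filter or firewall drops the probe, which is how the packet-filter observation mentioned above surfaces in the scan output.

```python
"""Turn an Nmap XML report (-oX) into a host/service inventory (added example)."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed sample in the layout Nmap emits; addresses are from TEST-NET-1.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -O -oX scan.xml 192.0.2.0/28" version="7.01">
  <host>
    <status state="up" reason="echo-reply"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <hostnames><hostname name="web01.example.test" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="7.2p2" method="probed" conf="10"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
        <service name="http" product="Apache httpd" version="2.4.18" method="probed" conf="10"/></port>
      <port protocol="tcp" portid="23"><state state="filtered" reason="no-response"/>
        <service name="telnet" method="table" conf="3"/></port>
    </ports>
    <os><osmatch name="Linux 4.4" accuracy="96"/></os>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="192.0.2.11" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


@dataclass
class Service:
    port: int
    protocol: str
    state: str        # open / closed / filtered as Nmap reports it
    name: str
    product: str      # empty when Nmap could not fingerprint the product
    version: str


@dataclass
class Host:
    address: str
    hostname: str
    state: str
    os_guess: str     # Nmap's best OS match, empty if none
    services: List[Service] = field(default_factory=list)


def parse_nmap_xml(xml_text: str) -> List[Host]:
    """Walk every <host> element and collect address, hostname, OS match and
    the per-port state and service fingerprint."""
    root = ET.fromstring(xml_text)
    hosts: List[Host] = []
    for h in root.findall("host"):
        addr = h.find("address[@addrtype='ipv4']")
        hn = h.find("hostnames/hostname")
        status = h.find("status")
        osm = h.find("os/osmatch")          # Nmap lists matches best-first
        host = Host(
            address=addr.get("addr") if addr is not None else "",
            hostname=hn.get("name") if hn is not None else "",
            state=status.get("state") if status is not None else "unknown",
            os_guess=osm.get("name") if osm is not None else "",
        )
        for p in h.findall("ports/port"):
            st = p.find("state")
            svc = p.find("service")
            host.services.append(Service(
                port=int(p.get("portid")),
                protocol=p.get("protocol", ""),
                state=st.get("state") if st is not None else "unknown",
                name=svc.get("name", "") if svc is not None else "",
                product=svc.get("product", "") if svc is not None else "",
                version=svc.get("version", "") if svc is not None else "",
            ))
        hosts.append(host)
    return hosts


def exposed_services(hosts: List[Host]) -> List[Tuple[str, int, str, str, str]]:
    """Open ports with the product/version Nmap fingerprinted: the rows the
    vulnerability scan and the report's asset list start from."""
    rows = []
    for h in hosts:
        for s in h.services:
            if s.state == "open":
                rows.append((h.address, s.port, s.protocol, s.name,
                             f"{s.product} {s.version}".strip()))
    return rows


def filtered_ports(hosts: List[Host]) -> List[Tuple[str, int]]:
    """'filtered' means the probe got no answer, which Nmap attributes to a
    packet filter or firewall between the scanner and the target."""
    return [(h.address, s.port) for h in hosts for s in h.services if s.state == "filtered"]


if __name__ == "__main__":
    inventory = parse_nmap_xml(SAMPLE_NMAP_XML)
    for row in exposed_services(inventory):
        print(row)
    print("filtered:", filtered_ports(inventory))
```

Keeping the parsed inventory as structured records rather than the scanner's console text makes the later phases reproducible: the same rows can be handed to the vulnerability scanners as scope, diffed against the client's own asset list to catch undocumented services, and cited verbatim in the report.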
2. Updating the assessment progress
During VAPT activities, it is recommended to
e-Security | Vol: 40-(1/2016)
© CyberSecurity Malaysia 2016 - All Rights Reserved
update the client on the assessment progress well as means of exploitation. This is due to
regularly. This is to ensure the client is aware of the nature of an ever-changing network and
36 the extent of project completion. Most clients its services adapting to new user demands.
are very certain with project timelines and are Technology advancements and the need for
unhappy with delays. This is why any problems improvement inadvertently put networks or
or hiccups should be communicated to the applications at risk.
client to ensure project success. The findings from the assessment can also be highlighted to the client on a daily basis, especially high-impact vulnerabilities.

Phase 3: Post-Assessment

1. Analysing the Vulnerabilities Discovered

This process involves presenting the data analysis results, categorising the vulnerabilities based on impact level ratings and proposing areas of improvement.

All data gathered during the vulnerability assessment and penetration testing will be compared and analysed against security best practices, the security environment and the classification of vulnerabilities. Any vulnerability found during the assessment will also be verified to avoid false positive findings.

2. Developing a Report

During the last phase of VAPT, the project team will be working offsite to develop a report. The report usually consists of vulnerability assessment findings and areas of improvement to mitigate the vulnerabilities.

Among the contents that should be included in the report are:
a. A technical description of each vulnerability
b. An anatomy of exploitation including steps taken and proof in the form of screenshots
c. Business or technical impact inherent in the vulnerability
d. Vulnerability classification that describes the impact level as a function of vulnerability risk and ease of exploitation
e. Technical descriptions of how to mitigate the vulnerabilities

Conclusion

There will always be new vulnerabilities and weaknesses in a network and its services as

The foundation of this VAPT exercise is to demonstrate that there is always a need to establish security processes such as auditing and analysis to reduce risks, and that VAPT must be conducted on a continuous basis.
Comparing sampled Information Security Body of Knowledge with ISO/IEC 27001
By | Razana Md Salleh, Sharifah Norwahidah Syed Norman

Introduction

Experience from recent years shows that cyberattacks aimed at the information systems of state bodies, the healthcare, energy, finance and transport sectors, and other critical national information infrastructure (CNII) bodies are increasing and may lead to unpredictable consequences. With the rising threats, the need for skilled information security practitioners to safeguard critical systems is also on the rise. This has led various academic, industrial and government bodies worldwide, and especially in the United Kingdom and United States, to start establishing a common body of knowledge for practitioners in the information security (IS) area. A body of knowledge, referred to as BOK, is a framework that contains a collection of information that provides a basis for understanding terms and concepts in a particular knowledge area. It defines the fundamental information that people working in the area are expected to have [1].

This article addresses the fundamentals of BOK for the IS field, which is used to develop certification programs for the beginner IS practitioner level, i.e. the first level of competency, as a first step in the IS career for recent graduates or those transferring from different careers. With BOK, IS practitioners are expected to have the foundation knowledge and skill sets to assist with protecting an organization.

Comparing sampled IS BOK with ISO/IEC 27001

The main international standard for IS compliance is the International Standard ISO/IEC 27001:2013 Information Security Management System [2]. The standard specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS) in an organization. The revised version of the standard contains 14 domains (from 11 domains in the 2005 version), constituting 114 controls.

In the ISO/IEC 27001 Standard, personnel competency is addressed in clause 7.2, which specifies the requirement for an organization to determine the necessary competence of person(s) doing work under its control that affects its information security performance. In addition, a new Standard document is currently being developed, ISO/IEC 27021, which entails competence requirements for information security management professionals. This indicates that having competent personnel is critical to preserving the confidentiality, integrity and availability of an organization's information.

Besides the Standard requirements, academic research has been conducted on the purposes of BOK for the IS field. One of the studies from 2007 proposed a common BOK for the IS field [3]. It was found in that research that the IS field is a multi-disciplinary endeavour, so in reality IS practitioners require knowledge in fields such as management, ethics, sociology and political science. According to the study, the existing IS BOK focuses on specific IS sub-domains, thus offering limited understanding and narrow perceptions of the overall domain. The common BOK proposed for IS contains 10 basic domains that can serve as a foundation to design academic curricula and courses for beginner-level IS practitioners, as follows:
1. Security Architectures and Models
2. Access Control Systems and Methodologies
3. Cryptography
4. Network and Telecommunications Security
5. Operating System Security
6. Program and Application Security
7. Database Security
8. Business and Management of Information Systems Security
9. Physical Security and Critical Infrastructure Protection
10. Social, Ethical and Legal Considerations

Various certification bodies are also actively offering beginner-level certification in the IS field, such as CESG [4] and SANS [5], to name a few. The CESG Certified Professional (CCP) scheme for practitioners (entry level) is based on the BOK established by the Institute of Information Security Professionals (IISP), which consists of eight (8) main competency groups:
1. Information Security Management
2. Information Risk Management
3. Implementing Secure Systems
4. Information Assurance Methodologies and Testing
5. Operational Security Management
6. Incident Management
7. Audit, Assurance and Review
8. Business Continuity Management

On the other hand, the SANS Institute offers an introductory level certification, which is the GIAC Information Security Fundamentals (GISF). It covers nine (9) domains that fit the task of security administration. The domains are:
1. Security Policy and Procedures
2. Configuration Management and Change Control
3. Cryptography Fundamentals
4. Networking Foundations
5. Networking Security
6. Data Protection
7. Systems Security
8. Information Security Principles and Risk Management
9. Authentication, Authorization, Accountability

Based on the BOK extracted from the Standard, and the research works and certification programs from CESG and SANS mentioned above, a comparison of BOK for beginner-level IS practitioners is tabulated in Table 1. The IS domains from ISO/IEC 27001 serve as a baseline.

Columns: A = Common BOK for IS (research papers); B = CESG (CCP Accreditor Role - Practitioner Level); C = GIAC Info Sec Fundamental (GISF). √ = domain covered, - = not covered.

IS Domain (ISO 27001)                           A    B    C
1. Risk management                              √    √    √
2. IS policy                                    √    √    √
3. Organization of IS                           √    √    √
4. HR security                                  √    √    √
5. Asset management                             √    √    √
6. Access control                               √    √    √
7. Cryptography                                 √    -    √
8. Physical and environmental security          √    √    √
9. Operations security                          √    √    √
10. Communications security                     √    √    √
11. System acquisition, development and         √    √    √
    maintenance
12. Supplier relationships                      -    √    -
13. Incident management                         √    √    √
14. Business continuity                         √    √    √
15. Compliance                                  √    √    √

Table 1: Comparison of Sampled IS BOK with ISO/IEC 27001
Analysis

From the comparison data in Table 1 it is observed that 13 out of 15, or 87%, of the IS domains in the ISO/IEC 27001 Standard can be mapped to the findings from research papers and the BOK for the CESG and SANS certification programs. CESG certification for the practitioner level does not cover cryptography in its BOK. On the other hand, neither the research papers nor the GIAC GISF includes the supplier relationships domain in their BOK. This observation could mean that knowledge regarding supplier relationships and cryptography is not intended for beginner-level IS practitioners. This observation may also be due to the limited resources at the time this article was written, which restricted an in-depth comparison, for example one including the depth of coverage of each domain in detail.

Conclusion

The ISO/IEC 27001 Standard requirement states that only competent IS practitioners should be responsible for ensuring the confidentiality, integrity and availability of information in an organization. In order to measure competency levels, a baseline that defines the knowledge, skills and abilities of IS practitioners must be developed. As a start, measurement can be done by having a common BOK for the IS field. Besides, beginner-level certification programs can also be developed to equip IS practitioners with the foundation knowledge and skill sets to assist with protecting an organization.

References

1. Bishop, M., & Engle, S. (2006, June). The software assurance CBK and university curricula. In Proceedings of the 10th Colloquium for Information Systems Security Education.
2. ISO/IEC 27001:2013 Information technology — Security techniques — Information security management systems — Requirements.
3. Theoharidou, M., & Gritzalis, D. (2007). Common body of knowledge for information security. Security & Privacy, IEEE, 5(2), 64-67.
4. CESG (2014, April). Application Guidance CCP Accreditor Role, Practitioner level.
5. GIAC Information Security Fundamentals (GISF). http://www.giac.org/certification/information-security-fundamentals-gisf
ICT Product Evaluated and Certified? Go for MyCC!
By | Nur Shazwani bt Mohd Zakaria
Securing Your Online Gaming Experience
By | Muhamad Faeez Bin Pauzi, Nor Safwan Amirul Bin Salleh

Introduction

The popularity of online gaming has increased tremendously over the past few years. With the rising number of Internet users, the number of games, gamers, sponsors and tournaments is very different from what it was before. Playing games is now considered a career similar to sports, or e-Sports to be exact, with competitive gaming tournaments held around the world.

Figure 1: Gaming tournaments are now held in stadiums or arenas instead of cyber cafes [1]

The most incredible outcome of this phenomenon may be the sums of prize pools collected, especially from crowd funding programs. Last year, the fifth edition of 'The International,' a world championship of the computer game Dota 2, broke the record when the prize pool reached over US$18 million.

Figure 2: Prize pool for The International 5 will produce an instant millionaire [2]

However, as amazing as it seems, it also means that online transactions involving money for online gaming are widely used nowadays, especially to purchase in-game items. A gaming account will normally have an inventory in which a user can keep in-game items. Those with extra money on hand will have inventories full of valuable items that can be sold for real money.

Figure 3: Example of in-game item for a CSGO game [3]

This will inevitably attract cyber criminals to obtain user account credentials so they can steal users' in-game items or take over the whole account. The following are a few basic steps and some good online habits to keep in mind to prevent cyber criminals from ruining your online gaming experience.

1. SECURE YOUR HOME NETWORK

Your home network is the best place to start, since many devices can be connected to it. This is to prevent malware-infected devices from spreading the malware or gaining access to your computer through your home network. Make sure your Wi-Fi network is encrypted by
identifying it using an SSID and a password to connect to your home network. You also need to use the strongest security level for your router, such as WPA2 or WPA [4].

A router normally has many default settings that are set by the vendors, which are publicly available on the Internet for an easier setup process. Unfortunately, this could also make your router more vulnerable to unauthorized access. Always change the default IP address and default log-in password for your router to prevent unauthorized access to your router's web interface. In addition, turn off remote access-related features so attackers cannot have remote access, and always update the router's firmware with the latest patch or update.

2. INSTALL ANTIVIRUS AND THE LATEST UPDATES

Gaming is deemed a download-heavy activity, since you need to have installer files, the latest patches, anti-cheats and sometimes third-party modifications on a computer to play games [5]. It is possible for you to download a malicious file that could compromise your computer, especially when you are downloading files from unknown or unfamiliar websites.

Figure 4: Installing a game using Steam, a well-known online game platform [7]

Using antivirus software will provide another layer of protection for your computer. Most antivirus programs have a real-time scanner that will actively scan files as they enter your computer. If it detects an infected file or program it will delete it or move it to a quarantine folder, thus preventing it from interacting with the rest of the computer.

Antivirus will also protect your computer from other threats, such as clicking on suspicious links or attachments in emails and visiting untrustworthy websites. This is normally done by blocking the user from opening the website/attachment or prompting a warning for the user before continuing.

3. EDUCATE YOURSELF ABOUT PHISHING SCAMS

Phishing will always be a common threat to gamers. Knowing how phishing is done can stop you from being one of the victims of this scamming technique. Phishing is an attempt by attackers to acquire personal user information like usernames, passwords and credit card numbers using various tricks.

Phishers may try to trick you into giving away your personal information via emails, phone calls, text messages and even Internet chat rooms. There are also cases where phishers will attempt to fool you into installing a malicious program, known as spyware, which can track and record the information you enter into your computer. The most common types of phishing scams related to gaming are links that redirect to forged websites, suspicious emails requesting you to update your account and malicious websites [6].

Figure 5: Scammers making use of hyperlinks to hide fake links

With knowledge, an antivirus and a bit of scepticism, these sly tricks by tricksters can be avoided. Try to spend some time educating yourself about the latest phishing techniques.
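The hidden-link trick in Figure 5 can be checked mechanically: compare the host a link displays with the host its href actually leads to. This is an added example written for this article, not code from the original page; the e-mail body below is constructed and uses reserved example/test domains.

```python
"""Flag HTML e-mail links whose visible text points one way and whose href
points another, the trick behind 'hidden' fake links in phishing mail.
Added example for this article; not code from the original page."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message: one honest link, one disguised link, and one
# link whose text is not a URL at all (ignored by the check).
SAMPLE_EMAIL = """
<p>Your account needs attention.</p>
<a href="https://store.example.com/login">https://store.example.com/login</a><br>
<a href="http://store-example.com.evil.test/login">https://store.example.com/account</a><br>
<a href="http://tracker.evil.test/x">Click here</a>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value):
    """Return the lower-cased host of a URL, or None if value has no host."""
    if "://" not in value:
        value = "http://" + value          # bare 'example.com/path' style text
    host = (urlparse(value).hostname or "").lower()
    return host or None


def looks_like_url(text):
    """Visible text counts as a URL if it has a scheme or a dotted host."""
    return "://" in text or ("." in text and " " not in text)


def find_disguised_links(html):
    """Return [(href, text)] for anchors whose text names a different host
    than the one the href actually goes to."""
    parser = _LinkCollector()
    parser.feed(html)
    suspicious = []
    for href, text in parser.links:
        if not looks_like_url(text):
            continue                       # 'Click here' cannot be compared
        href_host, text_host = host_of(href), host_of(text)
        if href_host and text_host and href_host != text_host:
            suspicious.append((href, text))
    return suspicious


if __name__ == "__main__":
    for href, text in find_disguised_links(SAMPLE_EMAIL):
        print(f"shown as {text!r} but actually goes to {href}")
```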
Victims normally share their experiences on forums or websites.

Always think twice before responding to suspicious emails or downloading the attachments within. Never give out any personal information via email, social media platforms, text messages or instant messages. Last but not least, instead of clicking on the link, go to your web browser and type in the website's URL [6].

4. USE A STRONG PASSWORD

A password is like a digital key to unlock your gaming account. In order to protect it from attackers, you need to create a password that is easy to remember and at the same time strong and hard to guess. In case a user's account gets hacked, people would think that the person responsible is a great hacker. Too bad nobody bothers to consider the strength or complexity of the password for the hacked account.

Always ensure that you are using strong and unique passwords for your accounts, which include your gaming, social and online banking accounts. This will prevent attackers from gaining access to all your accounts if any one of them is hacked. Be extra cautious with your email account password, because if attackers get access to it, they could use the "forgot login" function to reset the password for any of the accounts connected to that email address [8].

A number of golden rules for creating a smart and strong password are as follows:
• Length is very important. Generally go for a minimum of 12 characters [9].
• Include numbers, symbols, and capital and lower-case letters.
• Do not use obvious dictionary words and combinations of dictionary words such as "password."
• Make the password personal to remember it easily, but make sure that "personal" information is not available online.
• Change the password periodically, for example once every six months.

References

1. HLTV.org, ESL One Cologne 2015 – Day 4. Retrieved from http://www.hltv.org/gallery/view/48807 on 17 September 2015.
2. Dota 2, The International Compendium. Retrieved from http://www.dota2.com/international/compendium/ on 17 September 2015.
3. CSGO Analyst, AWP | Dragon Lore (Factory New). Retrieved from http://csgo.steamanalyst.com/id/120615/ on 17 September 2015.
4. Dong Ngo, Home networking explained, part 6: Keep your network secure. Retrieved from http://www.cnet.com/how-to/home-networking-explained-part-6-keep-your-network-secure/ on 17 September 2015.
5. Joel Lee, The Worst Security & Malware Threats for Online Gamers. Retrieved from www.makeuseof.com/tag/security-malware-threats-online-gamers-aware/ on 17 September 2015.
6. Nadia_Kovacs, How To Protect Yourself From Phishing Scams. Retrieved from https://community.norton.com/en/blogs/norton-protection-blog/how-protect-yourself-phishing-scams on 17 September 2015.
7. Sinshroud, WoW Account Maximum Security Guide. Retrieved from http://stormspire.net/consortium-quality-guides/4614-wow-account-maximum-security-guide.html on 17 September 2015.
8. David Jacoby, False Perceptions of IT Security: Passwords. Retrieved from https://blog.kaspersky.com/false-perception-of-it-security-passwords/7036/ on 20 September 2015.
9. Chris Hoffman, How to Create a Strong Password (and Remember It). Retrieved from http://www.howtogeek.com/195430/how-to-create-a-strong-password-and-remember-it/ on 20 September 2015.
A Picture is Worth a Thousand Words – Investigating Images
By | Noor Azwa Azreen Binti Abd Aziz

Introduction

In the past there was a saying, "what you see is what you get." However, as humans evolve, the way they see and interpret images changes as well. In an online investigation, an image seen with the naked eye is just the "tip of the iceberg." Investigators need to dig deeper by evaluating the image and searching for clues both found on the surface and hidden in plain sight. This is because online images may contain valuable and essential information. Furthermore, the evidence that can be found in an image may potentially lead to other evidence in a case investigation or even directly to the source of the image. Investigators should take to heart that 'a picture is really worth a thousand words.'

Cross-Examining the Image Itself

Before using online tools or resources to investigate an image, every aspect of the image itself should be cross-examined to assist with identifying individuals, locations and properties that may be relevant to an investigation.

Investigators should assess the image to determine whether it is believable or not. Then they ought to find clues they can extract and explain from the picture before drawing a conclusion. It is also important for investigators to understand the inner thoughts of the person who captured the image. Nonetheless, investigators additionally need to learn to anticipate and detect inaccuracies or misleading features of an image.

Image Search

During an investigation involving uploaded digital imagery, investigators need to consider the following matters:
i. How are online images categorized and tagged?
ii. Where are specific images likely to be located?
iii. What are the images likely to contain?
iv. Who has uploaded the images?
v. For what purpose were the images uploaded?
vi. How will the above factors affect which online tools and techniques are probably the most effective in locating specific images?

Investigators must have the knowledge and skills for researching images online as well as for searching the information embedded in images. In addition, investigators need to know and understand the tools available for image searching.

Image Tagging

Images can be categorised in numerous ways depending on the nature of the website to which they were uploaded. Image tagging is the act of embedding information pertaining to an image into the image file itself. The information may include technical details, copyright information, keywords, dates, full descriptions and the photographer's details. Traditionally, this kind of information is stored with the image in a database, enabling users to search, retrieve and use the image based on its metadata.

People often use the same photo as a profile picture for different social networks. In this regard, investigators could do reverse image searches on sites like TinEye and Google Images to help identify linked accounts. Facial recognition technology is also widely used by sites such as Facebook, whereby the facial recognition software "Face" serves to locate images of people from numerous Web-based databases.

Locating Images

It is possible to locate images in several areas of the Internet, including the following:
i. The surface Web via regular search engines.
ii. The deep Web, which can only be searched by going to the site directly.
iii. Social media sites, such as Digg and Reddit, may group images into topics relevant to a
particular subject. Investigators will have to search by topic or subject to get the image.
iv. Some images on social network sites like Facebook, Myspace, Friendster and Bebo can be located depending on the user's privacy settings in relation to their uploaded images.

Creative Searching

Images can have various meanings, depending on what the site owner intended. Many images are tagged only by date, some by name or location, some are parts of series, while others have no names. In locating a specific image, investigators need to know exactly what they are looking for; they also need to be creative with their searching methods, such as the use of keywords and relevant searching tools. Filters should be removed during an investigation, as the keywords may have double meanings or reveal images that are not relevant to the investigation.

Ownership

It is not simple to find the source of an image because uploaded images can be altered, redistributed, tagged and downloaded by others online due to the lack or absence of restrictions. At times, an online image does not even represent the actual person.

Thus, investigators must carefully examine the image to ensure that it is genuine and not a malicious copy. Exchangeable Image File format (EXIF) data can also be useful to assist investigators in their examinations. It is also important for investigators to download the image separately from the webpage, as the image may be removed from the server and disappear from the downloaded webpage, since it is not an integral part of the webpage.

Google Images

Through Google Images, keywords are entered into the search box and visual results are returned from surface websites based on the frequency, location and relevance of keywords. Image results can be refined by size, colour, type and time by clicking on the Search Tools link at the top of the page and selecting a relevant link. The Advanced Image Search section of Google Images allows users to specify image search parameters based on aspect ratio, keywords, colour, file format, size and several other specifications.

Google Image Search

Google image search has a feature with which a user can either upload an image to search or choose a Uniform Resource Locator (URL) that specifies an image by clicking the camera button. Google image search works similarly to TinEye but appears to focus more on the overall characteristics of the image on which to base its results. The original image will be found, as well as other websites containing this image.

TinEye

TinEye is owned by Idée and based in Toronto, Canada. TinEye is identified as the world's first reverse image search engine. It developed an image search technology that looks at the patterns and pixels of images and videos to make each image or frame searchable by colour, similarity or exact duplicate. Users can initiate a search using TinEye in one of two ways: either by uploading an image or by entering the location of an image that is already online using the URL. The search results are based on the Best Match, the Most Changed, the Biggest Image, the Newest, the Oldest and the Most Changed. Investigators can determine whether images have been "Photoshopped" or otherwise altered by a third party. Beneath each search result are two further refining options, Compare and Link. The Compare link provides a comparison between the initially submitted image and the selected result. In addition, the Switch button allows switching back and forth between the two images to highlight any differences.

Flickr

Flickr was established in 2004 and is a global network owned by Yahoo. With over 6 billion images, Flickr is a great intelligence tool, and users are not required to create a Yahoo account to search images and profiles. Images can place an individual in a specific location at a specific time, often with specific people. Geo-tagged images can provide additional confirmation pertaining to geographical location, and EXIF data can add further details regarding the images. An important service that goes hand-in-hand with Flickr is Creative Commons, located at http://creativecommons.org. An online method of copyrighting all media types, the Creative Commons licence allows users to specify the viewing, editing, distribution and reproduction
terms of original materials that are displayed online.

Cooliris

Cooliris was founded in 2006 by Austin Shoemaker and Soujanya Bhumkar. Cooliris is a highly innovative image sharing and search tool. It is an Apple-based application that combines images from Instagram, Flickr, Picasa, Photobucket, Facebook and many other image sharing portals.

Examining Exif Data

EXIF data stores interchange information on image files, particularly those with the .jpg file extension. It contains information regarding the origin of an image captured using a digital camera or any other relevant type of imaging device. To access the EXIF data, the image must first be downloaded to one's computer hard drive. Having downloaded the image to a computer hard drive, investigators need to access the image properties to obtain the EXIF data. EXIF data provides general information about the image and further details that contain very specific information regarding the construction and creation of the image.

Image Verification

Investigators need to verify the authenticity of an image and whether it was altered or distorted by anyone. Investigators must capture a screenshot of the image and search for the image using TinEye, Google Image or ImageMagick. Then they should look for the same image on other sites to identify whether any alterations have been made, such as logos or names added to buildings, office locations, products, etc. It is necessary for investigators to also determine whether a person in a particular picture is really in the picture itself or was added. Investigators can also determine whether the picture was altered or "Photoshopped" by using http://www.pskiller.com/. Besides, investigators could also examine any EXIF data for the image, if any.

Conclusion

Investigators should never take for granted the worth of an image because "a picture is really worth a thousand words." Images can provide valuable information in numerous ways, by offering clues that are hidden in plain sight or that require a closer look behind the scenes of an image. Therefore, the use of images is crucial to exhibiting the progress of an investigation.
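As an added example for the "Examining Exif Data" section above (not code from the original page), the following reads EXIF from a JPEG with the standard library only: it walks the JPEG segments to the APP1 Exif segment, then parses the TIFF IFD0 and the GPS sub-IFD. The JPEG, its camera name, date and coordinates are all constructed inside the block, not taken from a real photograph.

```python
"""Read a JPEG's EXIF block with the standard library only: walk the JPEG
segments to APP1/Exif, then parse TIFF IFD0 and the GPS sub-IFD. Added
example for this article; the sample JPEG below is constructed, not real."""
import struct

TAG_NAMES = {0x010F: "Make", 0x0110: "Model", 0x0132: "DateTime", 0x8825: "GPSInfo"}
GPS_TAG_NAMES = {0x0001: "GPSLatitudeRef", 0x0002: "GPSLatitude",
                 0x0003: "GPSLongitudeRef", 0x0004: "GPSLongitude"}
ASCII, LONG, RATIONAL = 2, 4, 5            # TIFF field types used here
TYPE_SIZE = {ASCII: 1, LONG: 4, RATIONAL: 8}


def _encode_ifd(entries, ifd_offset):
    """Little-endian IFD: 2-byte count, 12-byte entries, 4-byte next-IFD (0).
    Values wider than 4 bytes are placed in a data area right after the IFD."""
    out, data = struct.pack("<H", len(entries)), b""
    data_start = ifd_offset + 2 + 12 * len(entries) + 4
    for tag, ftype, value in entries:
        if ftype == ASCII:
            raw = value.encode() + b"\0"
        elif ftype == LONG:
            raw = struct.pack("<I", value)
        else:                                  # RATIONAL: list of (num, den)
            raw = b"".join(struct.pack("<II", n, d) for n, d in value)
        count = len(raw) // TYPE_SIZE[ftype]
        if len(raw) <= 4:                      # short values live in the entry
            out += struct.pack("<HHI", tag, ftype, count) + raw.ljust(4, b"\0")
        else:
            out += struct.pack("<HHII", tag, ftype, count, data_start + len(data))
            data += raw
    return out + struct.pack("<I", 0) + data


def build_sample_jpeg():
    """Constructed JPEG: SOI, one APP1 Exif segment, EOI, no image data."""
    ifd0 = [(0x010F, ASCII, "ConstructedCam"), (0x0110, ASCII, "Model X-1"),
            (0x0132, ASCII, "2015:09:17 10:30:00"), (0x8825, LONG, 0)]
    gps = [(0x0001, ASCII, "N"), (0x0002, RATIONAL, [(3, 1), (8, 1), (0, 1)]),
           (0x0003, ASCII, "E"), (0x0004, RATIONAL, [(101, 1), (41, 1), (0, 1)])]
    gps_offset = 8 + len(_encode_ifd(ifd0, 8))   # GPS IFD follows IFD0's data
    ifd0[-1] = (0x8825, LONG, gps_offset)         # pointer is fixed-size, so
    tiff = (b"II*\0" + struct.pack("<I", 8)       # the offset stays valid
            + _encode_ifd(ifd0, 8) + _encode_ifd(gps, gps_offset))
    app1 = b"Exif\0\0" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


def _find_exif_tiff(jpeg):
    """Walk JPEG marker segments; return the TIFF blob inside APP1/Exif."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        body = jpeg[pos + 4:pos + 2 + length]
        if marker == 0xE1 and body.startswith(b"Exif\0\0"):
            return body[6:]
        if marker == 0xDA:                     # start of scan: no EXIF beyond
            break
        pos += 2 + length
    return None


def _read_ifd(tiff, offset, endian, names):
    """Decode one IFD into {name: value}; unknown tags keep their hex number."""
    (count,) = struct.unpack(endian + "H", tiff[offset:offset + 2])
    result = {}
    for i in range(count):
        e = offset + 2 + 12 * i
        tag, ftype, n = struct.unpack(endian + "HHI", tiff[e:e + 8])
        size = TYPE_SIZE.get(ftype, 1) * n
        # Values of 4 bytes or less are inline; larger ones sit at an offset.
        start = e + 8 if size <= 4 else struct.unpack(endian + "I", tiff[e + 8:e + 12])[0]
        raw = tiff[start:start + size]
        value = raw                            # fallback: undecoded bytes
        if ftype == ASCII:
            value = raw.split(b"\0", 1)[0].decode("ascii", "replace")
        elif ftype == LONG:
            (value,) = struct.unpack(endian + "I", raw)
        elif ftype == RATIONAL:
            flat = struct.unpack(endian + "II" * n, raw)
            value = [(flat[2 * k], flat[2 * k + 1]) for k in range(n)]
        result[names.get(tag, hex(tag))] = value
    return result


def read_exif(jpeg):
    """Return IFD0 tags with the GPS sub-IFD (if any) merged in, or {}."""
    tiff = _find_exif_tiff(jpeg)
    if tiff is None:
        return {}
    endian = "<" if tiff[:2] == b"II" else ">"
    (ifd0_offset,) = struct.unpack(endian + "I", tiff[4:8])
    tags = _read_ifd(tiff, ifd0_offset, endian, TAG_NAMES)
    if "GPSInfo" in tags:
        tags.update(_read_ifd(tiff, tags.pop("GPSInfo"), endian, GPS_TAG_NAMES))
    return tags


def dms_to_decimal(dms, ref):
    """Convert EXIF degrees/minutes/seconds rationals to a signed decimal."""
    degrees = sum((n / d) / 60 ** k for k, (n, d) in enumerate(dms))
    return -degrees if ref in ("S", "W") else degrees
```

Run `read_exif(build_sample_jpeg())` to see the tag dictionary; on a real file, pass the bytes read from disk instead.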
Top Five Common Penetration Tools
By | Nur Sharifah Idayu Mat Roh, Noraziah Anini Mohd Rashid

Introduction

A penetration test, sometimes called a pentest, is an attack on a computer system/machine in search of security weaknesses to gain access to important information in a computer/machine. Basically, a penetration tester or pentester gathers information to identify the targeted machine and reviews the information collected to plan a real attack. This way, the pentester can identify existing vulnerabilities or whether the present defence is sufficient. Several tools are available nowadays for pentesters to carry out penetration testing.

1. Wireshark

Wireshark (formerly known as Ethereal) is a fantastic open source network protocol analyser for Unix and Windows. It allows examining data from a live network or from a file captured on disk. Users can interactively browse the capture data, and view a summary and detailed information for each packet. Wireshark has several powerful features, including a rich display filter language and the ability to view the reconstructed stream of a TCP session. It also supports hundreds of protocols and media types. Below is an example of password sniffing on the HTTP protocol.

STEP 1: Open Wireshark, then select the interface to capture and click Start.

STEP 2: Key in 'http' as the filter value and search for the target IP address, for example 192.168.1.13 (victim), then find the 'POST' on the HTTP protocol.

STEP 3: Analyse the POST info and you will read the username and password of the victim web application.

Figure 1 Password sniffing

2. SQL Inject Me

SQL Inject Me is the Exploit-Me tool used to test for SQL Injection vulnerabilities. A malicious user can possibly view records, delete records, drop tables or gain access to the server. The tool works by submitting HTML forms and substituting the form values with strings that are representative of SQL injection attacks. Below are sample steps of how to use SQL Inject Me.

STEP 1: Open the victim URL, e.g. http://192.168.1.13/dvwa/login.php

STEP 2: Download and install SQL Inject Me from Firefox Mozilla add-ons. Click on Open SQL Inject Me Sidebar. A list of available forms will be displayed.

STEP 3: Click on the loginForm menu. Choose Run all tests. Tick all elements on the form.

STEP 4: Change the loginForm:username value to 1' OR '1'='1 and the loginForm:password value to 1' OR '1'='1. Then click the Execute button.
Figure 2 SQL Inject Me

STEP 5: The result will be displayed in a new tab. According to the result, there are 68 failures, meaning the web application exploitation was successful.

Figure 3 SQL Inject Me result

3. XSS Me (cross site scripting)

Cross Site Scripting is a method of hacking (cracking) used to change the code of a vulnerable website to include a malicious script. This website is then sent to other people to view, which causes script initialization. Detecting XSS vulnerabilities early in the development process will help protect a web application from unnecessary flaws. XSS-Me is the Exploit-Me tool used to test for reflected XSS vulnerabilities. Below are example steps on how to use XSS Me.

STEP 1: Open the victim URL, for example http://192.168.1.13/ghost

STEP 2: Download and install XSS Me from Firefox Mozilla add-ons. Click on the Open XSS Me Sidebar. A list of available forms will be displayed.

STEP 3: Choose Run all tests. Tick all elements for the form and then click the Execute button.

Figure 4 XSS Me

STEP 4: The result will be displayed in a new tab. According to the result, there are 11 failures, meaning the web application exploitation was successful.

Figure 5 Result XSS Me

STEP 5: Send text-based attack scripts that exploit the interpreter in the browser to the username and password fields on the Webconfig login page.

STEP 6: In the username and password fields, type <script>alert("TEST");</script>. Click the Login button. If the web application has an XSS vulnerability, the victim will display an alert popup.

Figure 6 Cross site scripting
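The SQL Inject Me and XSS Me findings above share one root cause: untrusted form input placed directly into SQL text and into the HTML response. As an added example for this article (not code from the original page or from the Exploit-Me tools), the block below shows a login handler in its vulnerable and hardened forms and runs the STEP 4 and STEP 6 payloads against each; the user table, the demo account and the page template are constructed.

```python
"""Vulnerable versus hardened handling of login form input: string-built SQL
and unencoded HTML reflection beside a parameterised query and output
encoding. Added example for this article; not code from the original page."""
import html
import sqlite3


def make_db():
    """Constructed in-memory user table with one demo account.
    A real system stores a password hash, not the plaintext."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct-horse')")
    return conn


# --- vulnerable versions: what SQL Inject Me and XSS Me detect --------------

def login_vulnerable(conn, username, password):
    """Concatenates untrusted input into the query. With 1' OR '1'='1 the quote
    closes the literal and the OR makes the WHERE clause true for every row."""
    query = ("SELECT COUNT(*) FROM users WHERE username = '" + username +
             "' AND password = '" + password + "'")
    return conn.execute(query).fetchone()[0] > 0


def render_vulnerable(username):
    """Reflects the submitted value into the page unencoded (reflected XSS)."""
    return "<p>Welcome, " + username + "</p>"


# --- hardened versions -------------------------------------------------------

def login_safe(conn, username, password):
    """Bound parameters: the driver passes values separately from the SQL
    text, so quotes in the input can never change the query structure."""
    row = conn.execute(
        "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?",
        (username, password)).fetchone()
    return row[0] > 0


def render_safe(username):
    """HTML-encodes the value, so <script> reaches the browser as text."""
    return "<p>Welcome, " + html.escape(username, quote=True) + "</p>"


SQLI_PAYLOAD = "1' OR '1'='1"                    # value used in STEP 4 above
XSS_PAYLOAD = '<script>alert("TEST");</script>'  # value used in STEP 6 above


def demo():
    """Run both payloads against both versions and report what happened."""
    conn = make_db()
    return {
        "vulnerable_login_bypassed": login_vulnerable(conn, SQLI_PAYLOAD, SQLI_PAYLOAD),
        "safe_login_bypassed": login_safe(conn, SQLI_PAYLOAD, SQLI_PAYLOAD),
        "vulnerable_page_has_script": "<script>" in render_vulnerable(XSS_PAYLOAD),
        "safe_page_has_script": "<script>" in render_safe(XSS_PAYLOAD),
        "real_user_still_works": login_safe(conn, "admin", "correct-horse"),
    }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```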
Figure 7 Successful XSS exploitation
4. Nmap (Network Mapper)
Nmap is an open source security tool for network exploitation, security scanning and auditing. Nmap is a popular tool used by penetration testers in the reconnaissance stage, which is the stage of gathering information before any real attacks are planned. Data acquired through Nmap gives the penetration tester the hosts of the targeted network, open ports, the versions used by the machine, and the operating system and hardware characteristics of the network devices. For example, by knowing the machine's open port, the penetration tester can later use the open port to deploy attacks. There are four (4) common commands that can be used to acquire crucial information.
Disclaimer: The IP address used below is only an example for testing purposes. The actual IP address in a real environment may be different.
Command 1:
Scan a single IP address by typing nmap 192.168.1.13. The penetration tester will get the open port information and the MAC address of the targeted machine.
Command 2:
Scan a range of IP addresses using a wildcard by typing nmap 192.168.1.*. The penetration tester will get the open port information and MAC address of every machine in the range of IP addresses beginning with 192.168.1.
Command 3:
Scan the network while excluding an IP address from being scanned by typing nmap 192.168.1.0/24 --exclude 192.168.1.11. This command will exclude IP address 192.168.1.11 from the scanning.
Command 4:
Find out if the host/network is protected by a firewall by typing nmap -sA 192.168.1.13. Nmap will report whether the IP address is protected by a firewall by marking ports as filtered/unfiltered. If the port is protected by a firewall, nmap can bypass it by using the command nmap -PN 192.168.1.13.
5. THC Hydra
Hydra is an online password cracking tool. This tool can perform rapid dictionary attacks against more than 50 network protocols, including telnet, ftp, http, https, smb, several databases, and many more. Hydra can brute force website login credentials by using a list of usernames and passwords.
Disclaimer: The IP address and text files used below are only examples for testing purposes. The actual IP address and files in a real environment may be different.
Command:
Typing hydra -l admin -P pass.txt http://192.168.1.13 brute forces the website login using a single username and a list of passwords. The penetration tester can also replace -l with -L to supply a list of usernames instead of only one username.
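As an added example that is not part of the article or of THC Hydra, the following Python shows the defender's side of the command above: a single-username, password-list run leaves many failed logins for one user from one source within seconds, and a sliding-window count of failures per source surfaces it. The log format, the source addresses and the threshold are assumptions constructed for the demo.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed application log (not from the article): 192.168.1.50 fails six
# logins for "admin" within two seconds, the shape of a -l admin -P pass.txt
# run; 192.168.1.60 shows the occasional mistyped password of a real user.
SAMPLE_LOG = """\
2016-03-01T10:00:00 auth_fail user=admin src=192.168.1.50
2016-03-01T10:00:00 auth_fail user=admin src=192.168.1.50
2016-03-01T10:00:01 auth_fail user=admin src=192.168.1.50
2016-03-01T10:00:01 auth_fail user=admin src=192.168.1.50
2016-03-01T10:00:02 auth_fail user=admin src=192.168.1.50
2016-03-01T10:00:02 auth_fail user=admin src=192.168.1.50
2016-03-01T10:00:03 auth_ok user=alice src=192.168.1.20
2016-03-01T10:00:03 auth_fail user=bob src=192.168.1.60
2016-03-01T10:05:00 auth_fail user=bob src=192.168.1.60
2016-03-01T10:10:00 auth_fail user=bob src=192.168.1.60
"""

LINE_RE = re.compile(r"^(\S+) (auth_fail|auth_ok) user=(\S+) src=(\S+)$")


def parse_line(line):
    """Return (timestamp, event, user, src) or None for a malformed line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, event, user, src = m.groups()
    return datetime.fromisoformat(ts), event, user, src


def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Alert once per source that produced >= threshold failed logins inside
    a window_seconds sliding window.  Counting per source rather than per
    user covers both the -l (one user) and the -L (user list) variants; the
    set of users in the window tells the analyst which one it was.
    Returns a list of (src, first_failure_iso, failures, users)."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # src -> deque of (timestamp, user)
    alerted = set()
    alerts = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, event, user, src = parsed
        if event != "auth_fail":
            continue
        q = recent[src]
        q.append((ts, user))
        # Drop failures older than the window before counting
        while q and ts - q[0][0] > window:
            q.popleft()
        if len(q) >= threshold and src not in alerted:
            alerted.add(src)
            users = tuple(sorted({u for _, u in q}))
            alerts.append((src, q[0][0].isoformat(), len(q), users))
    return alerts


if __name__ == "__main__":
    for src, first, count, users in detect_bruteforce(SAMPLE_LOG):
        print(f"{src}: {count} failed logins since {first} for {users}")
```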
Conclusion
Nowadays, there are hundreds of network penetration tools available that can be used for testing. However, it is advisable to choose a suitable tool based on the criteria of the testing environment, and to combine multiple suitable tools to achieve firm output.
Social Engineering Experiment – Social Media
By | Ahmad Dahari Bin Jarno
Abstract
Vulnerabilities and unethical hacking have rigorously evolved from many different perspectives, including Information Technology (IT) products, systems and their environments. Yet according to this evolution, it can be concluded that the biggest vulnerability is human beings themselves as users of IT products, systems and environments.
Thus, in many IT incident events, people are the weakest link, either as the trigger point of attacks or as the cause of problems in systems through mistakes that could be avoided. Lack of awareness, of valuing responsibility and of taking further details into consideration are the less expected weaknesses of humans as IT consumers.
As such, new breeds of hackers use these new opportunities to manipulate these weaknesses of humans as IT consumers. They carry out unethical hacking activities with the objectives of bringing down target systems or looking for profit that may be beneficial in financial terms.
Hacking on Humans
According to history, hacking started around the late 1950s, when the phreaking attack entered the world of IT. This type of hacking is done through the phone by listening to a specific tone, thus allowing the user to manipulate the weakness of phone dialling capabilities just to feed their need for free phone calls. As the world of communication and IT has evolved, the better technologies introduced seem to be irrelevant, since attack/hacking tools and techniques closely trail and catch up with inventions. Nowadays, faster computing processing capabilities allow hackers to easily send attack commands to targets with the support of faster networking capabilities.
Nonetheless, even in this era of new inventions and technologies, humans have maintained their place as the point where hackers look for vulnerabilities due to human mistakes and lack of awareness of IT security. Some perspectives of IT hacking tools and techniques have introduced new ways of hacking IT infrastructure through human manipulation and behavioural observations. Likewise, hacking is also known to be usable to leverage human trust for profitable income by hacking target financial profiles.
"Hacking humans," also well known as social engineering attacks, is currently under heated discussion throughout the IT hacking community. The idea is to essentially manipulate the trust and response behaviours of the target in light of the fact that sharing confidential and private information among IT users is a form of human bonding. This links to the quote "sharing is caring." Social engineering attacks can be performed directly or indirectly on targets based upon the type of information the attacker/hacker needs. The key component of a successful social engineering attack on IT users/humans is being able to gather information about the target user by replicating their exact identity through understanding the user's habits, communication attitudes and cravings/needs.
In this article, the focus of discussion is on indirect social engineering attacks through the usage of publicly available information on the Internet and the chain of information offered on the social media platforms linked to target users.
Social Engineering through Social Media
Social media platforms like Facebook (FB), Twitter (TW), Instagram (IG) and many others around the Internet are favoured by IT users as places where everyone shares information, stories, life updates and many other types of information through friendship and social lifestyles. As the platforms broadly evolve from time to time, they are places where IT users keep private information. Still, some of those facts are lingering around the Internet, unfortunately, as public information.
Hackers that are highly interested in social engineering attack techniques targeting victims through Internet information sharing (also known as cyberstalkers) use these opportunities to study more about their target users (victims) without the need for physical interactions. These attack techniques are known as indirect social engineering attacks. Hackers can either choose the method of sending fake, phishing emails to targets or conducting online surveys that offer high value awards (for example, vacation coupons or cash vouchers) that will attract potential victims.
Through these methods of information gathering (reconnaissance), hackers will start digging further to understand the victim's habits, favourites, life conditions (health, finances, relationships, etc.), weaknesses, points of interest, places visited and many more. The list can be miles long based on the hacker's creativity and experience with social engineering attacks. Chains of information linking various points will benefit the hackers in understanding the target victims through the relationships the victims have with friends, family members, Internet sites, social media subscriptions and many other categories of information links.
An example of a social engineering experiment is when a hacker tries to duplicate the identity of an online user who has large financial savings and yet is a very frequent online shopper. The scenario here is that the hacker is planning to steal the target user's (victim's) financial savings account by means of knowing crucial information about the target victim's financial credentials. In Malaysia, the practice of most financial customer service providers requires simple verification of identity such as ID number, credit card number and full name. Further verification questions are mostly related to the last purchase made, where the last purchase was made and the credit card payment method. For a hacker, this can easily be known by monitoring the target user's social media account (commonly Facebook) based on posts made by the victim. Through social media, hackers can also gather information such as the ID number based on the user's education or work history posted online publicly.
Hackers can gather and record this type of information with great imagination and creativity in understanding the online behaviour of victims as social media users.
Social Engineering Experiment
In the area of studying social engineering attacks with a focus on social media platforms, several experiments or test scenarios can be performed with the intentions of the hackers' points of interest. The following is a list of interests likely relevant to hackers in carrying out social engineering attacks through social media platforms.
a. Financial Credentials: Hackers dig relevant information on the target user that leads to exposing their financial credentials, such as credit card number, ID, name and purchasing habits.
b. Identity Theft: Hackers use publicly available information to understand the target user with the objective of duplicating the target user's identity, thus using such treasured information to further exploit other persons or entities like companies.
c. Blackmailing: Hackers use a target user's public information that links to any relevant secret information, for instance information regarding a company's reputation. This high amount of information gathering can take months of work. Yet, at the end of the journey, the information can be beneficial in many ways, especially in terms of financial gains from blackmail methods. Some of these techniques can be applied to jeopardize any individual's reputation or status.
Continuing with the discussion on social engineering attacks using social media platforms, a hacker requires several seeds of information as preliminary components to start a social engineering attack. These can be the victim's full name, nickname, email address, phone number and other information related to the target's lifestyle, including hobbies, favourite food and favourite social media platforms. In this era of fast communication and information sharing, almost all information about certain individuals is available on the Internet. With Google crawling capabilities that keep evolving to their best, more information is being shared on the Internet without the information owners knowing.
With these seeds of information, hackers will use Internet platforms, such as search engines, social media, blogs, online journals, online photo sharing, and many other online subscriptions that are publicly available, in search of more information from the links to the seed information. The following are several search engines that are applicable for information crawling by focusing on given seeds of information.
a. Google with Google Hacking Techniques (URL: www.google.com): Google Hacking Techniques are among the most famous tricks that hackers use to search relevant information by focusing the search keywords exactly on the specific needs of the requester.
b. Social Searcher (URL: www.social-searcher.com): This platform allows the requester to query target user credentials by using their name/ID/nickname that links to any known social media, such as Facebook, Twitter, Google+, etc.
c. Zuula Search (URL: www.zuula.com) is one of the alternatives to Google as a search engine. It can perform multiple search queries on other online search engines, such as Bing, Yahoo, Gigablast, Mahalo, etc.
d. PIPL (URL: www.pipl.com) and PEEKYOU (URL: www.peekyou.com): It is possible to search individuals by querying their full name, username, phone number or location.
A social engineering attack commences with the retrieval of relevant query outputs from these search engines. For example here, an attacker makes the assumption that the target victim is using his/her full name, which links to a company name. Subsequently, from the company bulletin board, it is known that the victim has a Twitter account and uses a nickname as tagged by his/her colleagues. From this information, it is known that some of the family members tag the same Twitter ID, which links to a Facebook account owned by his/her family members. Unfortunately, the target's family members have publicly shared information about his/her hometown, current events relative to the family, family members' names and many more.
In this way, crucial, private information can be gathered from these resources and can be manipulated in unethical ways by hackers. The following is a list of information that may be manipulated for unethical actions that are beneficial to hackers/attackers. Any type of information that may seem irrelevant to an individual can be treasure for a hacker/attacker.
A. Information type: Posts and pictures shared on social media of new items purchased, etc.
   Information manipulation: The attacker can use this information to pretend to be bank customer service calling the victim to verify credit card information. From there, the attacker can gather the victim's financial credentials, such as the 16 digit credit card number with its 3 digit authorization code.
B. Information type: Information about family members, family credentials and relatives of the victim.
   Information manipulation: The attacker can perform identity theft of an individual by knowing crucial information about his/her family members, daily activities and many more. This can also lead to blackmailing or kidnapping.
C. Information type: Information about a company, lifestyle, popularity, public relations, etc.
   Information manipulation: The attacker can use this information as blackmail input to jeopardize the individual's reputation with the objectives of gaining financial credit or benefitting another entity/company.
Table 1: Information that is crucial for hackers/attackers
On this note, there are no limits to hackers/attackers manipulating information from any point of the link that seems irrelevant to the victim. From a hacker's point of view, this information is like seeds to their treasure. Thus, from many perspectives it is ultimately worthy to unethical hackers, especially for financial gains.
Figure 1 shows areas of information that are useful for social engineering attackers.
Figure 1: Example of information in Facebook (Hacker Interest)
Figure 2 shows a basic information search using Google hacking techniques. This is one of the favourite search engines used by hackers for social engineering attacks.
Figure 2: Screenshot of Google findings in Social Engineering hacking
Prevention is BETTER than Cure!
It is often said that prevention is better than cure. Even a single piece of information flowing through the Internet without the owner's knowledge or authorization could be a fortune for a hacker/attacker to gain from. Information linked to an individual can be so valuable that hackers/attackers are likely to manipulate this information to gain some profit from it.
As IT users, the responsibility to manage our information is crucial in ensuring that clear segregation and classification of information types is in place, with a clear understanding of managing this information based on needs. The first step that IT users can take is not to stay away from the current trends of social media platforms but rather to manage them accordingly with the best understanding of information management. By understanding the risks of information disclosure, users must take responsibility for each information disclosure and segregate information based on classifications. This way, users can be active on social media platforms with fewer worries by following certain rules of communication with limitations on information disclosure.
IT security perspectives and features have already been implemented in most social media platforms like Facebook, Twitter and Instagram. Under the preference settings, users can set certain access to posts, pictures, tagging and other relevant information, to control public access to viewing the information. Another perspective of security in access control is limiting access to information by first reviewing it before posting it, for instance picture tagging, information sharing or post publishing.
As for online journals, blogs and entities that post credential information that is relatively private to a certain extent, it is recommended to contact the person in charge of the portals to disclose all information. If any issues arise in communicating with these individuals, it is recommended to contact the relevant authorities in Malaysia like the Malaysian Communications & Multimedia Commission and also MyCERT at CyberSecurity Malaysia.
Conclusion
Having great platforms of communication and information sharing such as social media (Facebook, Twitter, Instagram, etc.) allows IT users and communities to share information without the limitations of physical boundaries and geo-location conditions. When IT security perspectives are taken into consideration due to problems with information disclosure, privacy and risks of human threats, many entities and individuals are concerned about the future of information sharing and its management while projecting data protection.
Therefore, in ensuring the information flows correctly and is respectively managed with low risk, awareness of social engineering threats and broadcasts should be offered accordingly to the public. Likewise, continuous improvement in online platforms will make the public more confident and assured in using social media platforms. In conclusion, all sectors of ICT infrastructure and culture should have all hands on deck in mitigating the risks of social engineering attacks.
Securing The Cyber Space Through International Collaboration of Computer Emergency Response Teams
By | Mohd Shamir Hashim
Project Background
The Internet has changed modern life. Information sharing has never been easier and the accelerated data transfer flow has made modern society reliant on the Internet in daily life. Individuals and organizations are now very dependent on the Internet for information sharing, daily operations and business, and research.
However, this also attracts parties with ill intentions or cyber criminals to conduct illegal activities online. This is because the Internet provides anonymity and a borderless landscape, which has proven to be a great hurdle for law enforcement agencies in conducting investigations on such crimes.
Computer Security Incident Response Teams (CSIRTs) or Computer Emergency Response Teams (CERTs) are entities that provide services for ensuring that cyber space is safe by resolving their respective constituencies' computer security incidents or cyber incidents. Apart from mitigating cyber incidents, these entities also offer cyber security training and awareness.
Since the Internet conforms to neither the physical boundaries of countries nor geographical factors, cybercrimes can be easily committed across borders and outside of any particular law enforcement jurisdiction. Therefore, as the point of contact for cyber incidents, CERTs find it beneficial to form collaborations beyond their respective constituencies to solve incidents.
International Information Security Collaborations
The European Union Agency for Network and Information Security (ENISA) is an organization working for the European Union (EU) institutions and member states, which responds to cyber security problems in the EU. This collaboration strives to achieve a high and effective network and information security level for the benefit of EU citizens, consumers, businesses and public sectors. Another CERT collaboration in Europe is TF-CSIRT, which is a task force that promotes collaboration and coordination among the CERTs in Europe and neighbouring regions.
For the Asia region, a similar collaboration is the Asia Pacific Computer Emergency Response Team (APCERT). This is a group of CERTs from various Asia Pacific countries that work together to ensure Internet security in the region based on genuine information sharing, trust and cooperation.
At the global level, the Forum of Incident Response and Security Teams (FIRST) brings together a wide variety of security and incident response teams from the government, commercial and academic sectors. This is an international confederation of trusted computer incident response teams who cooperatively handle computer security incidents and promote incident prevention programs.
Organization of Islamic Cooperation – Computer Emergency Response Team Establishment
The Organization of Islamic Cooperation (OIC) is the second largest inter-governmental organization after the United Nations and has a membership of 57 states from across four continents. The organization oversees the interests of Muslim communities in the spirit of promoting international peace and harmony among various people worldwide. With the cyber environment becoming a vital part of communities, some member states are voicing out the need to establish a CERT collaboration using the OIC platform. Therefore, during an annual meeting of the Islamic Development Bank (IDB) Board of Governors in Putrajaya, Malaysia in June 2003, the idea was tabled and accepted. Malaysia was assigned to lead a task force consisting of leading OIC member states to establish the Organization of Islamic Cooperation - Computer Emergency Response Team (OIC-CERT).
In 2008, during the 35th OIC Session of the Council of Foreign Ministers held in Kampala, Uganda, a resolution was put forward expressing concern that Internet technologies and means can potentially be used for purposes that are inconsistent with the objectives of maintaining international stability and security. Thus, in realizing that the nature of the Internet and cyber space is not confined to the physical boundaries of a country, the OIC agreed on the establishment of a cross-border collaboration to share information and initiatives to counter cyber threats.
The OIC-CERT is governed by a seven (7)-member Steering Committee (SC) consisting of a Chair and Secretariat. The SC, elected by members periodically during the Annual General Meeting, is responsible for ensuring that OIC-CERT activities are in line with its objectives of securing the cyber environment.
Activities for the Information Security Community
1. Strengthening relationships amongst CERTs in the OIC member countries and others
OIC-CERT uses the OIC platform to leverage on international collaboration. Although the collaboration is OIC-centric and is based on the spirit of the resolution to form the OIC-CERT, which states that cyber space is not confined by countries' borders, OIC-CERT has established cooperation ties with other similar organizations such as APCERT and AfricaCERT. Such cooperation, as stated in the Memorandums of Understanding, has expanded the reach of the respective collaborative platforms and their regional and global members.
In addition, OIC-CERT is also open to non-OIC state members and industries. Such cooperation allows these organizations to exchange expertise and, with the convergence of knowledge and technologies, to support cyber security enhancement in the respective regions. This provides various benefits to communities, such as improved mitigation of cyber threats to keep the cyber environment safe.
2. Encouraging experience and information sharing
OIC-CERT conducts information security seminars and forums that involve experts from the member states and industries. With the pool of resources available, such events offer societies valuable knowledge, experience and awareness of cyber security. This can be seen at the OIC-CERT Annual Conference, where large numbers of information security professionals from all over the world gather and participate in the seminars, workshops and forums. Events like this serve as platforms for multinational professionals to meet and provide international exposure and access mainly to local professionals from the hosting countries.
3. Cultivating and fostering education and outreach ICT security programs
Capacity building is one of the major reasons for CERT collaboration. Members share knowledge and technologies to strengthen each other's capabilities in order to maintain a secure cyber environment. This is done through workshops and training sessions. OIC-CERT conducts technical and regional workshops as part of its capacity-building initiatives. These activities provide members with the necessary knowledge, from setting up and operating CERTs to managing network security. One such workshop was organized and hosted in Brunei, with participants from four continents attending. As a result of this workshop, the participating member states experienced a boost in their CERT capability.
OIC-CERT regional workshops focus on subject matter requested by the respective regions. Each region may have different priorities in managing cyber threats, thus the focus will differ. These workshops have been conducted in the Middle East hosted by Egypt, in Africa hosted by Morocco and in Asia hosted by Malaysia. The workshops are co-financed by the hosting countries and the Islamic Development Bank.
In order to utilize the capabilities gained from the workshops, OIC-CERT conducts annual cyber drills to test members' knowledge of responding to inter-border cyber incidents. The drills allow participating members to face realistic incidents, test out internal procedures, exercise technical capabilities and analyse cyber threats. They also provide the opportunity to gauge members' readiness levels in mitigating emerging cyber threats to avoid serious impact on member countries. Apart from OIC-CERT members, collaborative partners are also invited to participate, including APCERT and AfricaCERT members.
From the drills, analyses are done to identify areas of weakness for consideration in OIC-CERT training programs.
To further enhance the capacity building program, OIC-CERT is embarking on a professional certification program to provide cyber security professionals with the right knowledge, skills, abilities and experience. The objective of this program is to create a world-class competent workforce in cyber security and to promote the development of cyber security professional programs.
4. Promoting collaborative technology research, development and innovation in the ICT security fields
In addition to training, OIC-CERT is implementing collaborative projects among members. One such project is the Malware Research and Coordination Facility led by Malaysia. This project provides members access to necessary data for research on malicious computer codes. This will be used to develop eradication solutions and provide an overview of the community's malware infection landscape. This is a public-private cooperation project because technology and knowledge from the industry are needed in seeking appropriate solutions for malware eradication. The government of Malaysia supports the initial project cost and participating members provide the operating costs in subsequent years.
Challenges
Support for OIC-CERT has grown. Starting with only six (6) member states in 2009, the collaboration has increased to 21 member states today. However, considering that OIC has 57 member states, OIC-CERT members only represent 34% of the OIC community. Factors contributing to this may be:
• The political turmoil faced by some member countries that have their governments focusing on critical matters such as defence and physical security rather than ICT requirements;
• The lower economic status of some member countries that requires them to prioritize basic needs like physical infrastructures, food and clean water;
• Lack of governmental support to join the OIC-CERT owing to the lack of awareness of the importance of cyber security or for other political reasons.
Another main challenge is regarding the funds required to implement the activities. As of now, the hosting OIC-CERT members provide funds to cover the venue and local logistics for the event. The IDB also provides some funding to support selected activities. However, a better solution for obtaining funds is required to avoid dependence on contributors.
Conclusion
OIC-CERT is an international collaborative platform for cyber incident mitigation, which is open to any suitable CERT, whether supported and/or funded by the government, the private sector or a combination thereof, that is interested in sharing the objectives of OIC-CERT. This platform promotes good values and best practices to the Internet community through awareness and capacity building programs. Activities conducted to date have managed to reach out to information security communities within the OIC and worldwide through collaborative arrangements with similar organizations.
This information security collaboration will continue to encourage participation from all parties to fulfil its objective of a secure cyber environment for Internet users.
This article was shortlisted as one of the top five projects for the WSIS Champion Prize 2016. On May 4, 2016 at the World Summit on the Information Society (WSIS) Forum in Geneva, this article won a WSIS Champion Prize under category C11, International and Regional Cooperation, alongside projects from Canada, Mexico, Tunisia and the United Arab Emirates. CyberSecurity Malaysia received a letter of appreciation from the ITU Secretary General, H.E. Houlin Zhao.
Drafting Security Target 101
By | Ahmad Dahari Bin Jarno
Abstract
Developers have the task of developing new products for markets, and consumers are the ones from whom developers make money; thus, both parties complement each other as they co-exist in the ICT environment. As the world is evolving with technology, competition in the IT product field is not generous with either developers or consumers, whereby markets provide consumers with plenty of options for choosing and buying.
A neutral concept is formed at this point, which is the introduction of product testing through functional testing, compliance testing and security testing. The beauty of the concept is that consumers tend to use these testing notions as a checklist for their procurement policies, whereas it haunts product developers when consumers question their product security aspects. Products generally must be functional, follow certain best practices in development and design, and most importantly, must have security features to protect data residing with product data management.
Accordingly, common criteria have been established for decades. The criteria are based on the Orange Book and facilitate developers and consumers being on the same page of understanding in terms of ensuring that IT products are functionally tested, follow world
(3) main components: functionality, compliance requirements and security features.
In light of these factors, the Common Criteria Communities have come up with the requirement for developers to provide such detailed documentation, starting with a document called the Security Target. This document describes a product declared by the developer by providing detailed information from the aspect of a high level product overview description inclusive of technical specifications. There is added value with the specification of product security features as it follows a set of regulations defined by the Common Criteria Members, which is also known as a standardized set of requirements. Best of all, it is a public document.
According to a comparison, it is determined that the Security Target is superior to the Product Specification document because it fulfils the three mentioned components.
Security Target 101
Drafting a Security Target document requires a firm and thorough understanding of the product and the ability to interpret the language elements of the Common Criteria. Language interpretation here refers to elaborating product information into a language that binds developer understanding and consumer perception of the world market value of items, including items created
standards and provide the security assurance based on certain known IT technologies.
needs highlighted by consumers. The next
question that arises is, where should all The Security Target document consists of
this information be written? The answer is a four (4) main information quadrants that are
document called Security Target. interlinked to form a map that defines a product
and its technology. Even though Security Target
Security Target vs. Product is mostly referred to as a mandatory document
in Common Criteria Evaluation and Certification,
Specification it can also serve as a product brochure, product
specification and a justification of compliance
Understanding a product in general can be document. The four quadrants comprising
done in several ways, such as reading the Security Target are as follows:
brochure, testing it out during product demo or
testing it after purchasing as some consumers i. Quadrant 1: Product Overview consisting
do not buy directly from the retail store. Even of Target of Evaluation (TOE) Overview,
now, most IT products allow consumers to TOE Type, non-TOE Hardware/Software/
download technical product specifications Firmware and TOE Description with
from the developer’s website. Unfortunately, elaboration on the Physical and Logical
the information described in the technical Scopes of TOE.
specifications does not elaborate fully on three
e-Security | Vol: 40-(1/2016)
© CyberSecurity Malaysia 2016 - All Rights Reserved
ii. Quadrant 2: Product Development based that are mandatory to be fulfilled; thus, ten (10)
on the Problem Statement that consists of SFRs may lead to twenty (20) SFRs based on the
60 the Security Problem Definition and Security dependency itself.
Objectives.
In completing quadrants 2 and 3, the writer can
iii. Quadrant 3: Product Features consisting of start elaborating on the product overview under
a list of Security Functional Requirements quadrant 1. In this section, the writer needs to
(SFRs) and Security Assurance Requirements focus on writing the product details, especially
(SARs). in the TOE Overview and TOE Description. TOE
Overview shall contain a description of the
iv. Quadrant 4: Product Justification consisting product to allow the consumer to understand
of rationale mapping between Quadrant the product by glancing at the information and
1, 2 and 3, which shows the reasons for not necessarily going into detail like referring
developing each product feature, supported to the Technical Specification document.
with specific objectives of its development. However, a taboo here would be to elaborate
Likewise, this is where consumers tend to any marketing words/statements. Note that the
identify the limitations and advantages of a developer is not a judge for the consumers to
product without needing to go through the help determine which product is best. The idea is
entire pile of programming documentation. to let the consumers be the judge of the product,
as consumers are the ones who understand the
With regard to the four quadrants stated product background and what it can offer to fit
above, the next question is how to start its purpose to serve the consumers.
writing, or where to start? A Security Target
for a product can be drafted from scratch by Finally, the justification statement is placed in
first understanding the product through the quadrant 4. Justification needs to be clear and
reason for its development. Each IT product is consistent, which can be done via mapping in
developed to serve a specific purpose, thus the tables. Each SFR declared in quadrant 3 needs
purpose is to solve IT problems and limitations. to be mapped back to quadrant 2 regarding
Starting with quadrant 2, writers can first list whether each feature of TOE is relevant to
all the problem statements that relate to the counter, mitigate and reduce the risk of the
product features, each of which is meant to threats. Furthermore, each security objective
solve a problem. For example, “an unauthorized stated is meant to link back to all SFRs by showing
person may send impermissible information that the descriptions are consistent through the
through TOE that results in the exploitation definition statement of CC Part 2 Annex A. A
of resources on the Internal network.” Here, tip and trick here is to understand each SFR
the product defined as Target of Evaluation declaration by reading the CC Part Annex A.
(TOE) counters the statement with a feature Additionally, a small number of Assumptions,
that states “TOE shall mediate the information Threats, Organization Security Policies (OSP)
flow between users and web applications and Security Objectives in quadrant 2 will lead
intended based on user requests.” The product to easy justification and mapping. All mapping
feature thus facilitates such mitigation with its and justifications are elaborated under the
feature “Access Control Filtering and Security Rationale scope in Security Target.
Management.”
Moreover, with plenty of information to work
Next, in quadrant 3, all product features are on the draft, it is crucial to have several handy
defined in detail using specific language defined tools in designing the structure of the Security
by the Common Criteria requirements. Writers Target and its content.
can pick and choose any of the security features
from Common Criteria Part 2: Security Functional Writing Toolkits
Components (SFRs). Likewise, it is the same
for Security Assurance Requirements (SARs), Writing a technical document like Security Target
whereby selecting the Evaluation Assurance is far from easy with all the information that
Level (EAL) for product evaluation is all up to the needs to be incorporated within one document
developer. The trick of selecting the best SFR and that should say it all. Having an impressive
that fits the product features is to start selecting toolkit will lessen the burden. The toolkits used
a minimum of ten (10) units of SFRs only, with a for drafting any technical document vary among
baseline of one SFR from each SFR chapter (e.g. CC consultants. Nonetheless, the following
User Data Protection, Security Audit, etc.). Each toolkits should be of assistance and ease the
SFR is equipped with dependency requirements burden, especially in processing abundant
e-Security | Vol: 40-(1/2016)
© CyberSecurity Malaysia 2016 - All Rights Reserved
information. c. TeamViewer: This remote access software
is easy to configure and free to use.
i. Gathering Information and Centralized 61
Notes:
d. Google Hangouts and Skype: These
are software for discussion and
a. Windows Snipping Tools and Application
videoconferencing.
HoverSnap: These two tools are helpful for
doing automated image capturing while
studying the product features, interfaces Conclusion
and design. During the initial drafting
stage, the Security Target captures all
Security Target is an important document of
images of the product features, design
Common Criteria Evaluation and Certification.
and interfaces and will thus lessen the
Thus, having good knowledge of writing the
need to flip back and forth to refer to the
Security Target as well as being equipped with
actual product. Thus, there is less need
supporting toolkits can simplify the processes
to access the product remotely, which
of information gathering, content writing
sometimes gives rise to connectivity and
and easing the discussion sessions between
accessibility problems.
all parties. Likewise, producing a document
b. Evernote and DropBox: These two provide such as Security Target allows the developer
good platforms to record all information to be more transparent with the consumer in
gathered during a discussion session with describing their product without compromising
the programmer. All files are saved in any confidential information. The consumer
one location and can be accessed when is also able to sincerely decide on a product’s
needed. Evernote provides a centralized capability and capacity through all its relevant
note collector and Dropbox provides a features.
centralized file storing system. Also, both
are free. References
iii. Drafting the Security Target: 1. Common Criteria for Information
Technology Security Evaluation, Part 1:
a. Microsoft Word, Visio and PowerPoint: This Introduction and general model, September
software comes in a bundle installer that 2012, Version 3.1, Revision 4.
is recommended for writing the Security
Target and other CC documentation. It 2. Using the Common Criteria for IT
offers an acceptable format for open Security Evaluation, Debra. S. Herrmann, 2003,
source document writing tools. Microsoft Auerbach Publications.
Visio is used to design product architecture
deployment and Microsoft PowerPoint is 3. Successful Common Criteria Evaluations:
to design the block diagram of the logical A Practical Guide for Vendor, Wesley Hisao
scope of TOE. Higaki, 2010, CreateSpace Independent
Publishing Platform.
b. Adobe Acrobat Pro: This software
facilitates exporting any PDF document
to a word document and vice versa. It is
a useful tool when sharing documents
online and also for protecting documents
using passwords.
iii. Remote Access, File Sharing and Document
Review Discussion:
a. Google Document: It is recommended to
hold a discussion online while commenting
and reviewing CC documentation like the
Security Target.
b. Google Drive: It is synced with Google
Document and allows sharing documents
with sharing protection through group
access and links.
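To make the quadrant-4 rationale mapping and the SFR dependency rule above concrete, here is an added example in Python; it is my code, not the article's or a CyberSecurity Malaysia tool. It models the threat, security objective and SFRs from the article's own access-control example and checks the mapping the way an evaluator would: every threat countered by an objective, every objective implemented by an SFR, every SFR traced to an objective, and every SFR dependency actually claimed. The SFR_DEPENDENCIES table is a hand-typed excerpt and is an assumption of the example; verify it against CC Part 2 Annex A before relying on it.

```python
"""Consistency check for a Security Target rationale mapping (added example).

Quadrant 2 (threats, security objectives) and quadrant 3 (SFRs) are
modelled as small dictionaries; check_rationale() then verifies the
quadrant-4 mapping. SFR_DEPENDENCIES is a hand-typed excerpt and is an
ASSUMPTION of this example; verify it against CC Part 2 Annex A.
"""
from collections import deque

# Excerpt of SFR dependencies (assumption; verify against CC Part 2 Annex A).
# A tuple entry means "any one of these satisfies the dependency".
SFR_DEPENDENCIES = {
    "FAU_GEN.1": ["FPT_STM.1"],
    "FDP_IFC.1": ["FDP_IFF.1"],
    "FDP_IFF.1": ["FDP_IFC.1", "FMT_MSA.3"],
    "FMT_MSA.3": ["FMT_MSA.1", "FMT_SMR.1"],
    "FMT_MSA.1": [("FDP_ACC.1", "FDP_IFC.1"), "FMT_SMR.1", "FMT_SMF.1"],
    "FMT_SMR.1": ["FIA_UID.1"],
    "FMT_SMF.1": [],
    "FIA_UID.1": [],
    "FIA_UAU.2": ["FIA_UID.1"],
    "FPT_STM.1": [],
}

# Sample quadrant-2/3 content built from the article's own example.
THREATS = {
    "T.UNAUTH_FLOW": "An unauthorized person may send impermissible information "
                     "through the TOE, exploiting resources on the internal network.",
}
OBJECTIVES = {  # objective -> threats it counters
    "O.MEDIATE": ["T.UNAUTH_FLOW"],
}
SFRS = {  # SFR -> objectives it implements (information flow control only)
    "FDP_IFC.1": ["O.MEDIATE"],
    "FDP_IFF.1": ["O.MEDIATE"],
}


def dependency_closure(claimed):
    """Chase dependencies transitively.

    Returns (closure, missing): the full set of SFRs the claim really
    needs, and the (sfr, dependency) pairs absent from the claimed set.
    """
    closure = set(claimed)
    missing = set()
    queue = deque(claimed)
    while queue:
        sfr = queue.popleft()
        for dep in SFR_DEPENDENCIES.get(sfr, []):
            options = dep if isinstance(dep, tuple) else (dep,)
            if any(o in closure for o in options):
                continue                      # already satisfied
            missing.add((sfr, dep))
            choice = options[0]               # pull in the first alternative
            closure.add(choice)
            queue.append(choice)
    return closure, missing


def check_rationale(threats, objectives, sfrs):
    """Return a list of findings; an empty list means the mapping is consistent."""
    findings = []
    countered = {t for ts in objectives.values() for t in ts}
    for t in threats:
        if t not in countered:
            findings.append(f"threat {t} is not countered by any objective")
    for o, ts in objectives.items():
        for t in ts:
            if t not in threats:
                findings.append(f"objective {o} cites undefined threat {t}")
    implemented = {o for os in sfrs.values() for o in os}
    for o in objectives:
        if o not in implemented:
            findings.append(f"objective {o} has no SFR implementing it")
    for s, os in sfrs.items():
        if not os:
            findings.append(f"SFR {s} traces to no objective")
        for o in os:
            if o not in objectives:
                findings.append(f"SFR {s} cites undefined objective {o}")
    _, missing = dependency_closure(sfrs)
    for s, dep in sorted(missing, key=str):
        findings.append(f"SFR {s} dependency {dep} is not claimed")
    return findings


def complete_claim(sfrs, default_objective):
    """Add every missing dependency, tracing each new SFR to default_objective."""
    closure, _ = dependency_closure(sfrs)
    completed = dict(sfrs)
    for s in closure:
        completed.setdefault(s, [default_objective])
    return completed


if __name__ == "__main__":
    for finding in check_rationale(THREATS, OBJECTIVES, SFRS):
        print("FINDING:", finding)
    fixed = complete_claim(SFRS, "O.MEDIATE")
    print(f"{len(SFRS)} SFRs claimed -> {len(fixed)} after dependencies")
    print("findings after completion:", check_rationale(THREATS, OBJECTIVES, fixed))
```

With the two information-flow SFRs alone the checker reports five unclaimed dependencies, and chasing them grows the claim from two SFRs to seven, which is the effect the article describes when ten SFRs turn into twenty. Tracing every pulled-in SFR to a single default objective is only a starting point; the management and identification SFRs still need their own objectives written in quadrant 2 before the rationale is evaluator-ready.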
Impersonation and Spoofing Fraud Q4 2015

By | Kilausuria Abdullah

Introduction

Impersonation refers to any activity or act of pretending to be another person for the purpose of fraud. The word "spoof" means to hoax, trick or deceive. Therefore, in the IT world, spoofing refers to tricking or deceiving computer systems or other computer users. Hiding one's identity or faking another user's identity on the Internet are typical examples.

Impersonation and spoofing are basically activities used by perpetrators to manipulate victims' trust for the purpose of fraud. Some incidents include using the victim's original identity to make a fake account, purchase new items, etc. Besides impersonating victims, perpetrators can also spoof victims' emails to make the victims trust the email content.

Analysis

The analysis in this article is based on sample incidents received by Cyber999 in the fourth quarter of 2015. A total of 22 incidents were received on impersonation and spoofing fraud, as shown in Table 1 and Graph 1.

Impersonation and Spoofing Fraud for Q4 (Oct-Dec) 2015

Incident Category            Oct   Nov   Dec   TOTAL
Impersonation and spoofing   8     8     6     22

Table 1: Impersonation and Spoofing Q4 (Oct - Dec) 2015
Note: The statistics reflect the number of incidents.

Graph 1: Impersonation and Spoofing Fraud Q4 (Oct - Dec) 2015

The categories of victims who reported impersonation and spoofing fraud incidents are shown in Table 2 and Graph 2.

Types of reporting users     Total
Home users                   11
Local companies              7
Local enforcement agency     1
Government                   1
Foreign companies            2

Table 2: Total incidents by category of victims

Graph 2: Total incidents by category of victims

According to the graph above, for Q4 2015 there are five categories of users who reported fraud incidents. The majority of incidents were reported by home users, contributing 50% of all reported incidents. Local companies reported about 32% of all incidents and foreign companies about 9%.

In this quarter, impersonation and spoofing incidents were identified based on the medium used by the perpetrators. The medium types used for impersonation and spoofing incidents identified in this quarter are presented in Table 3 and Graph 3.

Medium of Impersonation and Spoofing   Total
Email                                  18
Not available                          2
SMS                                    1
Website                                1

Table 3: Figures on medium used for impersonation and spoofing incidents

Graph 3: Percentage of impersonation and spoofing by medium

Based on the analysis for Q4 2015, impersonation and spoofing incidents mostly occurred via email as the main medium, which represents 82% of all incidents. This was followed by telephone/smart phone as the medium, contributing 13% of overall impersonation and spoofing incidents in Q4 2015.

Case studies of impersonation and spoofing for commercial fraud done via email as a medium

Figures 1 and 2 display the steps involved in the method of operation for impersonation and spoofing via email as a medium:

a. The victim company requests a purchase order from the supplier and waits for a proforma invoice from the supplier.
b. The victim company will receive a fake proforma invoice from the perpetrator via email, allegedly from the supplier, with a fake account number to which to transfer the payment.
c. Inexperienced and untrained staff will process the forged invoice and make payment to the fake account.
d. The supplier will inform the victim company that payment has not been made, and the victim company will say that payment has already been made.

Figure 1: Method of a fraudster impersonating a supplier

Figure 2: Method of a fraudster impersonating a client

a. The fraudster sends an order request to the supplier.
b. The supplier sends a proforma invoice to the fraudster.
c. The fraudster sends a forged payment receipt to the supplier.
d. Inexperienced and untrained staff will process the forged invoice and ship the items to the fraudster.
e. The supplier realizes the payment receipt is forged.

Best Practices

• Be wary of suspicious activities or emails from known or unknown persons. Check the validity of the information received with the right parties.
• The user may refer to registered companies for Malaysian products at Malaysia External Trade (MATRADE):
  Malaysian Exporters: http://www.matrade.gov.my/en/for-malaysian-exporters
  Foreign Buyers: http://www.matrade.gov.my/en/for-foreign-buyer
• The user may refer to registered companies in Malaysia via: https://www.ssm-einfo.my/
• Get proper confirmation directly from the supplier of their account number before making any payments. Confirmation can be done via a telephone call, for instance.
• Check/verify the email, including the full email header, email features (spelling) and email content (invoice, address, document copy, payment method).
• Call your bank immediately if you realize the transfer has been made to a fake account number.
• Employers are highly encouraged to train their employees and provide security awareness.
• Lodge a police report at a nearby police station with details or evidence for further police investigation.

Impacts of Impersonation and Spoofing Fraud Reported

The impacts of the impersonation and spoofing fraud incidents reported are listed below:

1. An attacker may attempt to harvest records of targeted information (financial data, personal info) via various hacking or social engineering techniques in order to steal data.
2. An attacker may attempt to sell the stolen data to third parties or underground channels.
3. Impersonation attacks are increasingly tied to organized crime. This is because the profitability of impersonation attacks has global implications not only for individuals but also for enterprises.
4. Impersonation and spoofing attacks can also destroy financial security and financial outcomes.

Conclusion

By Q4 2015, 22 incidents were reported on impersonation and spoofing fraud. Most incidents reported for impersonation and spoofing fraud in Q4 2015 were done using email as a medium to impersonate victims. Organizations and regular users must be aware of and concerned with impersonation and spoofing fraud that may occur in daily activities. The repercussions from impersonation and spoofing can have a high impact on the affected organization or user, even from a small mistake such as misunderstanding email content or an email address. As such, organizations and regular users must always make sure to adhere to the best security practices to prevent data from being stolen that might be used for malicious fraud activity.
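The best practice above to "check/verify the email including the full email header" is where the supplier-impersonation case is most easily caught before payment. The following is an added example, my own Python and not code from the article or from Cyber999, showing the header checks a finance team or mail gateway can automate: a Reply-To or Return-Path domain that disagrees with the From domain, a lookalike of a known supplier domain, SPF/DKIM/DMARC results recorded by the receiving server that did not pass, and a request to pay a "new" account. Both messages are constructed for the example, the domains are illustrative, and KNOWN_SUPPLIERS is an assumption standing in for a real vendor master list.

```python
"""Header checks for a suspected supplier-impersonation email (added example).

Both messages are constructed; KNOWN_SUPPLIERS is an assumption standing
in for the organization's vendor master data.
"""
import email
import re
from email.utils import parseaddr

KNOWN_SUPPLIERS = {"acme-supplies.example"}  # assumption: from vendor master data

# Constructed sample: a fake proforma invoice "from" a known supplier.
SAMPLE_RAW = """\
Return-Path: <billing@acme-supp1ies.example>
Authentication-Results: mx.victim.example; spf=fail smtp.mailfrom=acme-supp1ies.example; dkim=none; dmarc=fail header.from=acme-supplies.example
From: "ACME Supplies Billing" <billing@acme-supplies.example>
Reply-To: <accounts.acme@freemail.example>
To: <payables@victim.example>
Subject: Updated proforma invoice - new bank account
Message-ID: <c1@acme-supp1ies.example>

Please transfer payment to our new account number 0000000000.
"""

# Constructed sample: a legitimate invoice from the same supplier.
CLEAN_RAW = """\
Return-Path: <billing@acme-supplies.example>
Authentication-Results: mx.victim.example; spf=pass smtp.mailfrom=acme-supplies.example; dkim=pass header.d=acme-supplies.example; dmarc=pass header.from=acme-supplies.example
From: "ACME Supplies Billing" <billing@acme-supplies.example>
To: <payables@victim.example>
Subject: Proforma invoice PI-1001

Attached is the proforma invoice for your order.
"""

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")
NEW_ACCOUNT_RE = re.compile(r"new (bank )?account", re.I)


def domain_of(header_value):
    """Domain part of the first address in a header, lower-cased."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()


def lookalike(domain, known):
    """True when domain differs from a known domain in exactly one character
    (e.g. digit 1 for letter l); an exact match is not a lookalike."""
    for k in known:
        if domain == k:
            return False
        if len(domain) == len(k) and sum(a != b for a, b in zip(domain, k)) == 1:
            return True
    return False


def analyse(raw):
    """Return the list of warning signs found in one raw RFC 5322 message."""
    msg = email.message_from_string(raw)
    findings = []
    from_dom = domain_of(msg["From"] or "")
    reply_dom = domain_of(msg["Reply-To"]) if msg["Reply-To"] else from_dom
    bounce_dom = domain_of(msg["Return-Path"]) if msg["Return-Path"] else from_dom
    if reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    if bounce_dom != from_dom:
        findings.append(f"Return-Path domain {bounce_dom} differs from From domain {from_dom}")
    for dom in sorted({from_dom, reply_dom, bounce_dom}):
        if lookalike(dom, KNOWN_SUPPLIERS):
            findings.append(f"{dom} is a lookalike of a known supplier domain")
    # Authentication-Results is written by the receiving server, so the
    # sender cannot forge it the way From: can be forged.
    results = dict(AUTH_RE.findall(msg["Authentication-Results"] or ""))
    for method in ("spf", "dkim", "dmarc"):
        if results.get(method) != "pass":
            findings.append(f"{method} did not pass ({results.get(method, 'absent')})")
    text = (msg["Subject"] or "") + " " + str(msg.get_payload())
    if NEW_ACCOUNT_RE.search(text):
        findings.append("asks for payment to a new account: confirm by phone with the supplier")
    return findings


if __name__ == "__main__":
    for name, raw in (("suspect", SAMPLE_RAW), ("clean", CLEAN_RAW)):
        print(name, "->", analyse(raw) or ["no warning signs"])
```

None of these checks replaces the telephone confirmation the article recommends; the point is that the forged invoice in the sample trips seven independent signals in the headers alone, while the genuine one trips none, so a gateway rule or a short checklist for accounts-payable staff can stop the payment at step c of Figure 1.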
Children's Cyber Safety: A Cyber Parent's Pledge

By | Zaleha Abd Rahim, Yuzida Md Yazid

In today's age of advanced technology, no one can control the flow of information in cyberspace. Thousands of websites are built almost every day to deliver information wherever we happen to be. Life in this era is so easy: with a single 'click' we can instantly explore a world without borders. It is therefore no surprise that children as young as 3 years old are already exposed to gadgets and applications such as the iPhone, iPad, notebooks, Facebook, Twitter, Instagram, YouTube and many more.

It is therefore fitting that parents instil strong integrity, a firm sense of identity and noble character in their children so that negative influences can be avoided. Statistics released by the Malaysian Computer Emergency Response Team (MyCERT) clearly show rising numbers of cyber crimes such as cyberbullying, cyber flirting, scams, cyberstalking and more. Parents therefore need to play a more active role in ensuring that their children's cyber safety is guaranteed and preserved. Borderless communication can sometimes corrupt children's faith and character. It is not surprising when a child who appears well-behaved in front of their parents ends up caught in the trap of social problems in cyberspace due to a lack of attention.

As the people closest to their children, parents should play an important role in helping to supervise and monitor their children's safety while in cyberspace. Below are several pledges parents should take to ensure the safety and well-being of their children. I hereby promise to carry out the following:

1. Even though I have little knowledge of the Internet, I will take the time to learn how to use it so that I can monitor and supervise what my children browse.

2. I will teach my child to respect the privacy of others, both in the real world and the digital world.

3. I will explain to my child about buying goods online and show them safe and trusted websites for online purchases. I will also show them how to search for and decide on the best purchase.

4. I will teach my child the etiquette of using online communication technology. I will also explain that face-to-face communication is important too.

5. I will explain to my children the need for courtesy and polite behaviour when communicating with others online. If they want to be respected, they must also show respect.

6. I will try to get to know my children's Internet friends and will make sure they are genuine and safe Internet friends.

7. I will tell my children that some information online belongs to other people and must not be intruded upon or taken without permission.

8. I will make sure my children have a set time limit for browsing the Internet so that they do not become addicted to technology and possibly suffer health problems.

9. I will spend time teaching my children how to protect their personal data.

10. I will tell my children that prevention is better than cure. Hence, I will show them how to install software such as antivirus, spyware and adware protection.

11. I will be the best 'role model' for my children by setting an example as a good Internet user.

12. I will carry out spot checks on the gadgets my children use so that they are more prudent in using them.

Being a parent to the cyber generation is certainly challenging. Besides pledging to do the things above, parents should also instil and provide a complete religious education from their children's early years. Undeniably, religion is the strongest bulwark against the negative things that come from cyberspace. Teach children about sin and reward while browsing the Internet. When children understand the concept that God always sees what they do, their activities in cyberspace will naturally be better controlled.