MyCERT 3rd Quarter 2011 Summary Report - CyberSAFE Malaysia

More documents

Recommendations

Info

12transactions, electronically through the useof digital signatures. This Act is an enablinglaw that allows for the development of,amongst others, e-commerce by providingan avenue for secure on-line transactionsthrough the use of digital signatures. TheAct provides a framework for the licensingand regulation of Certification Authorities,and the recognition of digital signatures.The Controller of the Certification Authoritywho has the authority to monitor andlicense recognized Certification Authoritieswas appointed on 1st of October 1998.iii.Communications and Multimedia‘Art. 249 of the Communications andMultimedia Act requires people, during asearch, to give access to computerised datawhether stored in a computer or otherwise,which includes providing the necessarypassword, encryption code, decryptioncode, software or hardware required toenable comprehension of computeriseddata. Refusal to cooperate is punishablewith at most RM100,000 and/or two years’imprisonment (art. 242). This Act containsa provision (art. 256(2)) allowing people torefuse answering questions if they therebywould incriminate themselves; by contrast,the privilege against self-incrimination canbe deemed not to hold for complying with adecryption order.’An authorized officer making an investigationunder this Act may verbally examine aperson who supposed to be acquaintedwith the facts and circumstances of thecase. The person shall be legally bound toanswer all questions relating to the caseput to him by the authorized officer, but theperson may refuse to answer any questionswhere the answer to which would have atendency to expose him to a criminal chargeor penalty or forfeiture. A person making astatement under this section shall be legallybound to state the truth, whether or not thestatement is made wholly or partly in answerto questions.ConclusionCryptography itself is a harmless system.It was built to defend the security systemsof individuals or a nation. The nature ofcryptography is defensive and not offensive.It depends on the user to use it wisely.Cryptography tools are not easily importedor exported because there may be issues thatwill arise at the end of the day if people wereto use cryptography for negative purposes.Restrictions are not same in all countries andthere are no standard restrictions. It dependson what is the government’s view on theimpact of applying cryptography in theircountry. From my personal point of view,cryptography restrictions are not necessarybecause cryptography is not a harmful tool.Cryptography does protect communicationsand does not serve to take advantage onothers. It is the people factor that still playsa role in determining the dangers associatedwith cryptography. ■References1. Whitfield Diffie and Susan Landau(2005). The Export of Cryptography inthe 20th Century and 21st. Palo Alto: SunMicrosystems.2. Wassenar Arrangement onExport Controls for Conventional andDual-Use Goods and Technologies.http://www.wassenaar.org/index.html3. Cryptography Export Laws.http://www.freeswan.org/freeswan_trees/freeswan-1.5/doc/exportlaws.html4. Export or Import Restrictions.http://www.citrix.com/lang/English/lp/lp_1319021.asp5. John Markoff. International GroupReaches Agreement on Data-ScramblingSoftware. The New York Tomes.e-Security | Cyber Security Malaysia | Vol: 28-(Q3/2011)© CyberSecurity Malaysia 2011 - All Rights Reserved
Software Product Liability from anInformation Security Perspective13BY | Ahmad Ismadi Yazid B. SukaimiThe argument thatassessing liabilityfor negligence in asoftware productscontext would exposemanufacturers andsellers to “damagesof unknown andunlimited scope” istotally unconvincing.IntroductionInformation is an asset that and like otherimportant business assets, it is essentialfor a business entity and consequentlyneeds to be suitably protected. Informationcan exist in many forms. It can be printedor written on paper, stored electronically,transmitted by post or by using electronicmeans, shown on films, or spoken inconversations. Management systems, basedon a legitimate business risk approaches,to establish, implement, operate, monitor,review, maintain and improve informationsecurity must be in place.This paper will discuss softwareownership and responsibility issues froman information security managementperspective clearly defining every formof responsibility. The responsibility of anowner is described under one of the ISO/IEC 27001 domains, the organisationalaspects of information security and thecontrol elements of dealing with externalparties. In addition, perspectives from bothMalaysia and the United States’ will also bediscussed.Malaysia vs. US LandscapeSoftware vendors are likely to faceincreasing exposure to lawsuits allegingthat software products did not perform aswas expected when the real issues is reallyabout software ownership. Many companiesin Malaysia and US have been alerted withthese issues and had incorporated certaindisclaimers in their products in order toprotect themselves from any security orphysical incidents related to the usage oftheir software. Malaysia’s premier onlinebanking institution stated at their website[1] in particular that the bank shall not beliable for any loss or damage caused byany unavailability or improper functioningof the Mobile Banking-Service for anyreason. This showed how serious they arein facing product liability issues. The samegoes with a US based company, Microsoft[2] as stated at6 their website prohibitingsoftware users from abusing their softwarein any manner that could damage, disable,overburden, or impair any of their servers,or the network(s) connected to any of theirservers, or interfere with any other party’suse and enjoyment of any services. Usersare also warned to not perform any illegalattempt to gain unauthorised access to anyof their services, other accounts, computersystems or networks connected to anyMicrosoft server or to any of their services,through hacking, password mining or anyother means.Definitions of Faulty SoftwareThe ISO/IEC 27001 main objective is toensure business continuity, minimisebusiness risks and business interruptions,maximise return on investments andincrease business opportunities. Thiscan be achieved by increasing customerconfidence in order to protect financialand intellectual properties to gain apositive reputation. Both Malaysia and theUS are discussing the same main issue ine-Security | Cyber Security Malaysia | Vol: 28-(Q3/2011)© CyberSecurity Malaysia 2011 - All Rights Reserved
Page 3: MyCERT 3 rd Quarter 2011 Summary Re
Page 6 and 7: 4compared to the previous quarter.
Page 8 and 9: 6Based on the statistics, there was
Page 10 and 11: 8Legal Restriction on CryptographyB
Page 12 and 13: 10Wassenaar Agreement “will not i
Page 16 and 17: 14deciding if software is considere
Page 18 and 19: 16SPAM, the Annoying Culprit on the
Page 20 and 21: 18Figure 4: The distribution of spa
Page 23 and 24: “wire-once” settings pool bare-
Page 25 and 26: San Francisco, CA. McKesson has dou
Page 27 and 28: 3. Consistency:It means that the be
Page 29 and 30: Mathematics Operations in BinaryNum
Page 31 and 32: compare the difference between a bi
Page 33 and 34: divided, it will remain as remainde
Page 35 and 36: Criteria is in a better spot to pro
Page 37 and 38: ASPECTS PLAN EXECUTE ANALYSISObject

MyCERT 3rd Quarter 2011 Summary Report - CyberSAFE Malaysia

Create successful ePaper yourself

Delete template?

Save as template?