MyCERT 4th Quarter 2011 Summary Report - CyberSecurity Malaysia

Introduction

The MyCERT Quarterly Summary Report provides an overview of activities carried out by the Malaysian Computer Emergency Response Team (hereinafter referred to as MyCERT), a department within CyberSecurity Malaysia. These activities are related to computer security incidents and trends based on security incidents handled by MyCERT. The summary highlights statistics of incidents according to categories handled by MyCERT in Q4 2011, security advisories and other activities carried out by MyCERT personnel.

The statistics provided in this report reflect only the total number of incidents handled by MyCERT and not elements such as monetary value or repercussions of the incidents. Computer security incidents handled by MyCERT are those that occur or originate within the Malaysian constituency. MyCERT works closely with other local and global entities to resolve computer security incidents.

Incidents Trends Q4 2011

Incidents were reported to MyCERT by various parties within the constituency as well as from foreign sources, which include home users both local and foreign, private sector entities, government sector, security teams from abroad, foreign CERTs, and Special Interest Groups, including MyCERT's proactive monitoring of specific incidents such as Intrusions.

From October to December 2011, MyCERT, via its Cyber999 service, handled a total of 3,288 incidents, representing a 27.35 percent decrease compared to the previous quarter. In Q4 2011, incidents such as Intrusions, Intrusion Attempts and Cyber Harassment showed an increase compared to the previous quarter while other types of incidents had considerably decreased.

Figure 1 illustrates incidents received in Q4 2011 classified according to the type of incidents handled by MyCERT.

Figure 1: Breakdown of Incidents by Classification in Q4 2011

Figure 2 illustrates the incidents received in Q4 2011 classified according to the type of incidents handled by MyCERT and its comparison with the number of incidents received in the previous quarter.

Categories of Incidents    Q3 2011    Q4 2011    Change (%)
Intrusion Attempt              189        209         10.58
Denial of Service               14          1        -92.86
Spam                          1646        299        -81.83
Fraud                         1355       1153        -14.91
Vulnerability Report            17         11        -35.29
Cyber Harassment                80        105         31.25
Content Related                 14         11        -21.43
Malicious Codes                233        142        -39.06
Intrusion                      978       1357         38.75

Figure 2: Comparison of Incidents between Q3 2011 and Q4 2011

e-Security | Cyber Security Malaysia | Vol: 29-(Q4/2011)
© CyberSecurity Malaysia 2012 - All Rights Reserved
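Before a table like Figure 2 goes into a quarterly report, it is worth recomputing it from the raw counts. The script below is an added example (not part of MyCERT's report or its tooling): it transcribes the Q3/Q4 counts from Figure 2, recomputes every category's quarter-on-quarter change and the overall change with the report's two-decimal rounding, flags any row whose published figure disagrees, and also derives the per-category shares of the quarter that Figure 3 plots but the text does not list.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class IncidentRow:
    category: str
    q3: int  # previous-quarter count
    q4: int  # current-quarter count


# Counts transcribed from Figure 2 of the report above.
FIGURE_2 = [
    IncidentRow("Intrusion Attempt", 189, 209),
    IncidentRow("Denial of Service", 14, 1),
    IncidentRow("Spam", 1646, 299),
    IncidentRow("Fraud", 1355, 1153),
    IncidentRow("Vulnerability Report", 17, 11),
    IncidentRow("Cyber Harassment", 80, 105),
    IncidentRow("Content Related", 14, 11),
    IncidentRow("Malicious Codes", 233, 142),
    IncidentRow("Intrusion", 978, 1357),
]

# Percentage changes as printed in Figure 2, used to cross-check the recomputation.
REPORTED_CHANGES = {
    "Intrusion Attempt": 10.58, "Denial of Service": -92.86, "Spam": -81.83,
    "Fraud": -14.91, "Vulnerability Report": -35.29, "Cyber Harassment": 31.25,
    "Content Related": -21.43, "Malicious Codes": -39.06, "Intrusion": 38.75,
}


def pct_change(previous: int, current: int) -> float:
    """Quarter-on-quarter change in percent, rounded to two decimals as in the report."""
    if previous == 0:
        raise ValueError("no baseline: previous-quarter count is zero")
    return round((current - previous) / previous * 100, 2)


def category_changes(rows) -> dict:
    """Recomputed change per category (the last column of Figure 2)."""
    return {r.category: pct_change(r.q3, r.q4) for r in rows}


def totals(rows) -> dict:
    """Quarter totals and the overall change the report's text quotes."""
    q3 = sum(r.q3 for r in rows)
    q4 = sum(r.q4 for r in rows)
    return {"q3": q3, "q4": q4, "change": pct_change(q3, q4)}


def q4_shares(rows) -> dict:
    """Share of each category in the current quarter, as plotted in Figure 3."""
    total = sum(r.q4 for r in rows)
    return {r.category: round(r.q4 / total * 100, 2) for r in rows}


def check_against_report(rows, reported: dict, reported_total_change: float) -> list:
    """Names of rows (plus 'TOTAL') whose published change differs from the recomputed one."""
    computed = category_changes(rows)
    mismatches = [c for c, v in reported.items() if computed.get(c) != v]
    if totals(rows)["change"] != reported_total_change:
        mismatches.append("TOTAL")
    return mismatches


if __name__ == "__main__":
    print(totals(FIGURE_2))
    print(q4_shares(FIGURE_2))
    print("mismatches:", check_against_report(FIGURE_2, REPORTED_CHANGES, -27.35))
```

Run as written, the check returns an empty list: the nine published changes and the 27.35 percent overall decrease are all reproducible from the counts, and the Q4 total of 3,288 matches the text. Intrusion alone accounts for just over 41 percent of the quarter's incidents, which is the Figure 3 share that the rest of the report discusses.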


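The section that follows attributes most of the quarter's web defacements to SQL injection against vulnerable web applications and points to a MyCERT resource on fixes. The example below is added here and is not from the report or that resource; it uses a constructed in-memory SQLite table for a small CMS to put the defective pattern (query text assembled from a request value) beside the hardened one (a bound parameter), which is the standard fix, and shows what each returns for a normal value, a value containing an apostrophe, and a value that rewrites the WHERE clause.

```python
import sqlite3


def make_sample_db() -> sqlite3.Connection:
    """Constructed sample content table for a small CMS (illustrative data only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (slug TEXT PRIMARY KEY, body TEXT, published INTEGER)")
    conn.executemany(
        "INSERT INTO pages VALUES (?, ?, ?)",
        [("home", "Welcome", 1), ("about", "About us", 1), ("draft", "Unreleased", 0)],
    )
    return conn


def published_slugs_vulnerable(conn: sqlite3.Connection, slug: str) -> list:
    # Deliberately defective: the request value is spliced into the SQL text, so a
    # quote in the input changes the WHERE clause instead of being matched as data.
    sql = f"SELECT slug FROM pages WHERE slug = '{slug}' AND published = 1"
    return sorted(row[0] for row in conn.execute(sql))


def published_slugs_safe(conn: sqlite3.Connection, slug: str) -> list:
    # Hardened form: the value is bound as a parameter, so the database engine
    # never parses it as SQL, whatever characters it contains.
    sql = "SELECT slug FROM pages WHERE slug = ? AND published = 1"
    return sorted(row[0] for row in conn.execute(sql, (slug,)))


def compare(slug: str) -> dict:
    """Run one request value through both query styles and report what each yields."""
    conn = make_sample_db()
    try:
        try:
            vulnerable = published_slugs_vulnerable(conn, slug)
        except sqlite3.OperationalError as exc:
            # An ordinary apostrophe already breaks the spliced query outright.
            vulnerable = f"error: {exc}"
        return {"vulnerable": vulnerable, "safe": published_slugs_safe(conn, slug)}
    finally:
        conn.close()


if __name__ == "__main__":
    print(compare("home"))           # both styles: ['home']
    print(compare("o'neil"))         # spliced query: syntax error; bound query: []
    print(compare("x' OR 'a'='a"))   # spliced query: every published page; bound query: []
```

The third call is the whole point: the spliced query no longer matches a slug at all, while the bound query treats the same string as a slug that simply does not exist. Input validation on top is sensible for other reasons, but it is the parameterisation that removes the injection, and that is what a server hosting many virtual-hosted domains needs in every application it runs.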
Figure 3 shows the percentage of incidents handled according to categories in Q4 2011.

Figure 3: Percentage of Incidents in Q4 2011

In Q4 2011, a total of 1,357 incidents on Intrusion were received, representing a 38.75 percent increase compared to the previous quarter. Most of these Intrusion incidents are web defacements, also known as web vandalism, followed by account compromise.

Web defacements are referred to as unauthorised modifications to a website with inappropriate messages or images, with various motives by the defacer. This was made possible due to vulnerable web applications or unpatched servers, involving mostly web servers running on IIS and Apache with a few others involving other platforms.

In this quarter, we received a total of 565 .MY domains defaced, with the majority involving .COM.MY and .COM domains belonging to the private sector. The defaced domains were hosted on single servers that host single domains as well as on virtual hosting servers that host multiple domains, belonging to local web hosting companies. These web defacements were successfully controlled. MyCERT advised System Administrators on steps to rectify and recover from these defacements.

As was in the previous quarter, MyCERT observed that the majority of web defacements were done using the SQL injection attack technique. More information about the SQL injection technique and fixes is available at:
http://www.mycert.org.my/en/resources/web_security/main/main/detail/573/index.html

Figure 4 shows the breakdown of domains defaced in Q4 2011.

Figure 4: Percentage of Web Defacement by Domain in Q4 2011

Account compromise refers to unauthorised access or ownership to another account via stolen passwords or the act of sharing passwords for various malicious motives. The account compromise reported to us mainly involved free-based email and social networking accounts. The compromised accounts will then be used in malicious activities on the net such as Nigerian scams, impersonation and cyber harassment. Based on our observation, account compromise incidents are mainly due to poor password management practices such as using weak passwords and the act of sharing passwords. As such we advise users to practise good password management to prevent their accounts from being compromised. Users may refer to the URLs below on good password management practices:
http://www.auscert.org.au/render.html?it=2260
http://www.us-cert.gov/cas/tips/ST04-002.html

Fraud incidents decreased by about 14.91 percent in this quarter compared to the previous quarter. The majority of fraud incidents handled were phishing attacks involving foreign and local brands, with the rest of the fraud incidents consisting of Nigerian scams, lottery scams, illegal investments, job scams and fraud purchases. The reason for the decrease could possibly be more awareness among Internet users of scam activities. A total of 1,153 incidents were received on fraud activities in this quarter, from organisations and home users. A total of 241 phishing websites involving domestic and foreign brands were reported to us in this quarter, with the majority of them belonging to local brands. In this quarter, we observed an increase in local Islamic Banking entities becoming targets of phishing activities compared to previous quarters. MyCERT handled both the source of the phishing emails as well as the removal of the phishing sites by communicating with the respective Internet Service Providers (ISPs).

Based on our analysis, the majority of the phishing sites were hosted on compromised machines, besides phishers hosting them on purchased or rented domains. The machines may have been compromised and used to host phishing websites and other malicious programmes.

As was in the previous quarter, incidents on job scams and fraud purchases continue to increase, with fraudsters using the same modus operandi.

We continue to receive incidents on cyber harassment in this quarter, with a total of 105 incidents representing a 31.25 percent increase compared to the previous quarter. Harassment reports mainly involved cyberstalking, cyberbullying and threatening. Many cyber harassment victims are people known to the perpetrators such as their friends, relatives, colleagues, etc. Threats via emails, blogs and social networking sites were prevalent in this quarter, in which victims are threatened to pay money to individuals they just got to know on the net. If they refuse, their pictures will be exposed or uploaded on porn websites. MyCERT advised users to be very careful with whom they befriend and never to provide their personal details or photos to a third party on the net, as such materials can be used for malicious activities.

In Q4 2011, MyCERT handled 142 incidents on malicious codes, which represents a 39.06 percent decrease compared to the previous quarter. Some of the malicious code incidents we handled are active botnet controllers, hosting of malware or malware configuration files on compromised machines, and malware infections of computers.

Advisories and Alerts

In Q4 2011, MyCERT had issued a total of two advisories and alerts for its constituency, which involved popular end-user applications such as Adobe PDF Reader and Multiple Microsoft Vulnerabilities.


Attackers often compromise end-users' computers by exploiting vulnerabilities in the users' applications. Generally, the attacker tricks the user into opening a specially crafted file (i.e. a PDF document) or web page.

Readers can visit the following URL on advisories and alerts released by MyCERT:
http://www.mycert.org.my/en/services/advisories/mycert/2011/main/index.html

Other Activities

In Q4 2011, MyCERT was invited to conduct an Incident Handling training session for OIC-CERT Conference participants in Brunei. The training was held from 21 – 25 November 2011, focusing on Incident Handling, network and web security. The participants were mostly from the CERTs of their respective countries. MyCERT staff had also presented findings at the Homeland Security Conference in Malaysia on topics concerning CyberSecurity Incidents in October 2011 and also at the Indonesian Information Security Forum on CERT/CC in December 2011. Other presentations were on MyCERT Experience in Handling Child Online Related Issues at the Seminar on Child Online Protection in October 2011 and a keynote address at the Cloud Computing Conference in November 2011 on "Are We Ready to Go Into Cloud Computing?" Another keynote address was also given at the ARADO CyberSecurity Seminar in December 2012 on CyberSecurity Trends and Technology.

Another important activity held in Q4 2011 was the country's fourth annual Cyber Drill, codenamed X-MAYA4, a simulated and coordinated exercise to assess the cyber security emergency readiness of Malaysia's Critical National Information Infrastructure (CNII) to cope against cyber attacks. This year's Cyber Drill scenarios involved two cyber security emergency incidents, web defacement and malware infection, in which the players were required to identify the origin of the attacks, take minimising and mitigating steps, and rectify the defacement and/or outbreak.

Conclusion

Basically, in Q4 2011, the number of computer security incidents reported to us had decreased compared to the previous quarter. In addition, most categories of incidents reported to us had also decreased. The decrease is also a reflection that more Internet users are aware of current threats and are taking proper measures against these threats. It could also probably be due to the absence of significant attacks on the net specifically targeting the Malaysian constituency. No severe incidents were reported to us this quarter and we did not observe any crisis or outbreak in our constituencies. Nevertheless, users and organisations must be constantly vigilant of the latest computer security threats and are advised to always take measures to protect their systems and networks from these threats.

Internet users and organisations may contact MyCERT for assistance at the contacts below:
E-mail: mycert@mycert.org.my
Cyber999 Hotline: 1 300 88 2999
Phone: (603) 8992 6969
Fax: (603) 8945 3442
Phone: 019-266 5850
SMS: Type CYBER999 report & SMS to 15888
http://www.mycert.org.my/

Please refer to MyCERT's website for the latest updates of this Quarterly Summary. ■


CyberCSI 4th Quarter 2011 Summary Report

Introduction

The CyberCSI's Fourth Quarter Summary Report provides an overview of activities undertaken by the Digital Forensics Department (hereinafter referred to as DFD) of CyberSecurity Malaysia for the months of October, November and December 2011. The activities for this quarter are more focused on ASCLD/LAB Accreditation and case analysis received from law enforcement agencies (hereinafter referred to as LEAs) and regulatory bodies (hereinafter referred to as RBs) such as the Royal Malaysian Police (RMP), Malaysian Anti-Corruption Commission (MACC), Malaysian Communications and Multimedia Commission (MCMC) and the Securities Commission Malaysia (SC). This summary will also highlight the training sessions and talks given to LEAs, RBs and public based organisations on digital forensics modules.

The 1st Digital Forensic Laboratory Accredited With ASCLD/LAB in Asia

ASCLD/LAB was originally created as a committee of its mother organisation, the American Society of Crime Laboratory Directors (ASCLD), in 1998. It was created as a voluntary programme and remains one today. It offers voluntary accreditation to public and private crime laboratories in the United States and around the world. Accreditation is offered in forensic disciplines for which services are generally provided by forensic laboratories. The American Society of Crime Laboratory Directors/Laboratory Accreditation Board (ASCLD/LAB) is the oldest and most well known crime/forensic laboratory accrediting body in the world. ASCLD/LAB has been accrediting crime laboratories since 1982 and currently accredits most federal, state and local crime laboratories in the United States, including forensic laboratories in six other countries.

Before laboratories were accredited, ASCLD/LAB established four objectives for its programme. The four objectives have remained unchanged since the inception of the programme. ASCLD/LAB subsequently established a Quality Policy Statement and a Statement of Guiding Principles for Forensic Scientists and Forensic Laboratories.

The objectives of the ASCLD/LAB accreditation programme are:
1. To improve the quality of crime laboratory services provided to the criminal justice system.
2. To develop and maintain criteria which can be used by a crime laboratory to assess its level of performance and strengthen its operations.
3. To provide an independent, impartial and objective system by which laboratories can benefit from a total operational review.
4. To offer to the general public and to users of laboratory services a means of identifying those laboratories which have demonstrated that they meet established standards.

We are proud to announce that the Digital Forensics Lab of CyberSecurity Malaysia officially received accreditation from ASCLD International on 3rd November 2011. This is a direct recognition of CyberSecurity Malaysia as the first organisation in Southeast Asia to obtain this certification. It is also an achievement to be proud of, as DFD worked hard for three years to obtain the certificate. Some of the cases submitted by the LEAs for analysis will usually be brought to court for arbitration. Analysts involved will appear in court to testify on cases that have been analysed. This certificate is important as it is a measure of DFD credibility, which will be adopted by the courts later.

Digital Forensics and Data Recovery Statistics

Digital Forensics Case Statistics

From October to December 2011, DFD handled 99 cases in digital forensics. Digital Forensics cases comprised cases concerning computer forensics, mobile forensics, audio forensics and video or image forensics submitted by LEAs, RBs and the Public. Figure 1 illustrates the Digital Forensics cases received from October to December 2011.

Figure 1: Cases Breakdown from October to December 2011

The chart below shows the breakdown of categories of cases received by DFD in the period between October – December 2011. There are three (3) major categories that have been classified as of 'highest priority', which are Copyright, Bribery and CCTV/Video Extraction. Figure 2 illustrates the breakdown of the categories of cases received by DFD.

Figure 2: Breakdown by Categories of Digital Forensics Cases (Oct-Dec 2011)

Copyright cases were the highest contributor with 14.93% of cases reported. Infringement (or copyright violation) means the use of materials protected by copyright laws without consent; it violates one of the original copyright owner's exclusive rights, such as the right to reproduce the copyrighted work or exercise, or create work products based on the copyrighted work. From the point of law, piracy means the copying, distribution and use of intellectual property products illegally without the permission of the copyright holder of the intellectual property. Piracy is an offence under the Copyright Act 1987. Intellectual property refers to any product or work that is registered copyright, such as books, music, film, television and radio broadcasts, computer software and industrial design. All intellectual property is protected by the Copyright Act 1987.

Piracy is rampant in Malaysia due to several factors:
1. Lack of awareness among consumers about intellectual property.
2. Pirated product prices far cheaper than genuine products.
3. Misuse of technology such as CD writers and DVD writers on the computer used for piracy.
4. Abuse of the Internet makes it a medium to spread pirated products.

Bribery cases were the second highest contributor with 12.67% of cases reported. When dealing with these types of cases, DFD provides support to LEAs by analysing emails, text messages, multimedia messages and calls via electronic gadgets such as mobile phones, notebooks, hard disks and thumb drives that have been used as case evidence. DFD was also involved in the task force units, consisting of various LEAs, for Ops 3B. During this operation, the DFD team focused solely on corruption and bribery elements within each case. This operation was led by BNM (Bank Negara Malaysia).

The CCTV/Video Extraction category was in third place for this period with 12.44% of cases recorded. Here are examples of CCTV case analysis:
1. Authenticity of video - verify whether the source of the video is genuine or not.
2. Video content analysis - analyse the content in terms of any object and activity recorded by the CCTV system.
3. Facial identification - match the CCTV image with the photo received.
4. Object comparison - compare the object displayed on CCTV with the object received. Example: attire comparison.
5. Video frame enhancement - improve the quality of video frames.

However, the success rate for CCTV cases really depends on the quality of the devices themselves. Currently, the majority of the devices received were of low quality and this has impacted the findings, as it is impossible to enhance poor quality video images. There should be awareness among the public to use more reliable devices and strategic CCTV installation areas for their safety. DFD will also share with LEAs and RBs the importance of these matters to ensure investigations can be handled smoothly.

Data Recovery Case Statistics

Figure 3 illustrates the breakdown of cases received under Data Recovery (Oct-Dec 2011).

Figure 3: Breakdown of cases received by Sector under Data Recovery (Oct-Dec 2011)

Figure 3 shows the breakdown of cases received from Public, Private and Government Agencies in Quarter 4 of 2011. It can be concluded that cases received from the government sector contributed the highest majority with 8 cases, followed by public with 2 cases and private with 1 case. Data Recovery cases reduced due to a few factors:
1. The service charges imposed for the data recovery services (starting Jan 2011).
2. Effective from October 2011, the Data Recovery service was taken over by CyberSecurity Clinics. The objectives of its setting up are:
   • To provide an avenue for consumers to obtain assistance and to resolve issues in relation to cyber security, cyber safety and data privacy from a trusted service provider at competitive cost.
   • To serve as a citizen 'touchpoint' and to demonstrate the government's commitment to the people by meeting their needs.
3. Outside competitors - the competitors might offer lower prices to the public. The public is also willing to take risks on data security. This might be due to a lack of awareness of the security of data.

Talk and Training

For the year 2011, DFD successfully conducted talks and trainings for related parties such as government bodies and enforcement authorities as well as local universities. Not less than 20 trainings were conducted, covering various topics in the Digital Forensics area. For 2012 onwards, DFD will continue to serve in giving training to the LEAs and RBs in handling cybercrimes.

DFD offers five (5) trainings to LEAs, RBs, other institutions and the public who are interested in Digital Forensics:
1. CSMDF Essentials Digital Forensic For Non-IT Background
2. CSMDF01 Digital Forensics for First Responder
3. CSMDF02 Digital Forensic Investigation & Analysis
4. CSMDF03 Data Recovery (Advanced)
5. CSMDF04 Forensics on Internet Application (Advanced)

Conclusion

In total, the year 2011 has given many valuable experiences and challenges to the Digital Forensics Department through high profile cases and ordinary cases. Certainly the sweetest moment was when our lab was accredited by ASCLD/LAB (the first accredited in Asia) and successfully helped local authorities to solve their cases.

We foresee 2012 will be another challenging year for DFD. With very dynamic and active work in R&D and the manufacturing of new digital equipment and applications, DFD will be exposed to tougher tasks to cope with. However, with the enthusiasm and capability plus the availability of up-to-date tools, we hope all these challenges will make DFD a better organisation. As always, we will continuously render our services to all our stakeholders. ■


Implementing ISO/IEC 27001: Choosing an ISMS Consultant

BY | Asmuni Bin Yusof

Introduction

In protecting their information assets, many organisations have planned to adopt the ISO/IEC 27001 standard to establish a framework to protect their information assets. The standard is also known as Information Security Management System (ISMS), which can be defined as a set of interrelated and/or interacting elements to establish the policy and objectives used to direct and control an organisation with regard to information security, in order to achieve those objectives. Organisations may be interested in adopting the standard for many reasons, such as regulatory compliance, to gain a stronger business advantage, to provide clear roles and responsibilities towards information security, etc. Due to certain complexities in implementing ISMS, organisations have the option to hire ISMS consultants who may assist them in getting the job done. As in other industries, selecting the right ISMS consultant can be a daunting task. Many consultants claim that they are worthy to be considered to assist clients in getting their company certified against the ISMS standard. What is the benchmark of a good ISMS consultant? This paper will discuss the traits of a good ISMS consultant, which may help organisations to select a credible consultant to assist them in their journey towards ISO/IEC 27001 certification.

Should your company be certified in ISO/IEC 27001?

Before proceeding further, an organisation should ask themselves why they need to get certified against ISO/IEC 27001. Is it because they are abiding by the government's/regulators' regulation mandating such certification for their organisations? The true spirit of ISMS certification should be to provide a framework for managing information security issues in a systematic and continuous manner. As information and information systems are the lifeblood of almost all organisations, protecting information assets cannot be left to the IT department alone. It is inevitable that the board of directors and top executives take an interest in the protection of the information assets of their organisations. Ultimately, ISO 27001 should be utilised as a management tool or system to help you manage all information security risks and opportunities in the spirit of continual improvement. The point I want to bring home: "Do not plan to get the certification as a means to get a badge on the wall that confirms your company is ISMS certified."

Issues in ISMS Consultancies

We see the mushrooming of ISMS consultancies throughout the country, claiming to possess vast experience in ISMS. In reality, their track records are quite difficult to verify. The services rendered by these consultants are not standardised and some organisations in need of their services are still not clear about what they should be expecting from those consultants. Probably, the criteria for an effective ISMS consultancy service have not been defined, resulting in the vast differences in consultation costs/prices. Although overcharging is not desirable, under-pricing is also bad as it might compromise the quality of services rendered to clients. At the end of the day, an organisation will have to select a credible consultant/consultancy to assist them in getting the certification completed. They should dictate the selection criteria for choosing an ISMS consultant, and thus ensure best value for their money.

Expected Deliverables of an ISMS Consultant

A consultant should be able to establish ISMS in your organisation and set it ready for an ISMS certification. He/She should also equip your staff with sufficient skills to 'drive' the ISMS adoption. At the minimum, organisations should be expecting these items from their consultants:
• Identify information assets and provide recommendations on how to protect those assets
• Gap analysis
• Assist in a Risk Assessment exercise and propose a Risk Treatment Plan
• Preparation of Statement of Applicability
• Review existing Information Security Policies and procedures; develop new policies and procedures if required
• Review existing IT infrastructure and organisation of information security in the organisation and highlight areas for improvement
• Provide external and internal Vulnerability Assessment and Penetration Testing for critical systems and services
• Identify and recommend ISMS controls
• Guide to develop Document and Record Management capabilities
• Help to develop Incident Management and Response capabilities
• Help to develop Business Continuity Management capabilities
• Develop Internal Audit teams through training
• Provision of Security Awareness Programme Development and ISMS implementation workshops

The Consultant Company

How do we choose companies that are fit to render ISMS consultancy services? Preferably, their core business is in information security and they are ISO/IEC 27001 certified. We should expect the company to completely understand the value of ISMS, share their experiences in running information security programmes and provide 'tips' in dealing with auditors from Certification Bodies. The company should also provide evidence in the form of client testimonials on successful ISO/IEC implementations from their previous ISMS projects.

Traits of a Credible Consultant

The following are some of the traits of a good ISMS consultant:
1. Being an Information Security Professional. To be able to advise on information security matters, a consultant should have a good background in information security and should have some experience in planning and executing information security programmes in their company. To assist organisations in gauging the potential of a consultant, they should insist on a consultant with some internationally recognised information security certification such as Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM) and Certified Information Systems Auditor (CISA). You should demand these requirements, as many important controls to protect information assets will involve analysing and proposing the right technical controls. The validity of the certifications possessed by the holders can be easily verified with the certifiers.
2. Experience in ISMS Implementation. Preferably, a potential consultant should hold a certification in ISMS Implementation. It will be more worthy if the consultant has prior experience in implementing ISMS projects. The experience is much needed especially in consulting on critical issues such as getting top management buy-in, across-organisation commitments, identifying risks, business impact analysis, and the continuous development and improvement matrix. Inexperienced consultants may not be able to deliver these crucial tasks.
3. Certified ISO/IEC Lead Auditor. It is paramount for an ISMS consultant to have credible information security auditing capability. He/she should be able to consider security controls from the perspective of a certification body. The consultant should possess a valid certificate as an ISO 27001 Lead Auditor.
4. Registered with Relevant Bodies. To ensure that the chosen consultant is credible, an organisation may want to dictate that the consultant is registered with the relevant auditing or certification boards. You should expect the consultant to be registered with the relevant auditing authorities such as the International Register of Certificated Auditors and the Professional Evaluation and Certification Board (PECB).
5. Knowledge of the Industry you are in. Preferably, the potential consultant should have some knowledge of the industry you are in. For example, if your company is in the communications sector, a consultant should understand issues in running the communications business such as bandwidth and quality of service issues. For energy sectors, knowledge of industrial control systems should be necessary.
6. Thorough understanding of ISO/IEC 27001. Although it is difficult to gauge the capabilities of a consultant through any tender selection process, you should be able to do so when you have the opportunity to meet the consultant. The potential consultant should possess a thorough knowledge of the ISO/IEC 27001:2005 standard and other ISMS related standards.

Conclusion

Selecting an ISMS consultant is not a trivial matter, as it may affect the outcome of your ISMS certification. The consultant should have vast experience in information security and substantial experience in ISMS consultancy. An organisation should determine the agreed deliverables to ensure a timely ISMS certification. An organisation should also get the best out of the consultancy services to ensure their ISMS drivers are ready to take over the 'steering wheel' when the contract ends.

An organisation should expect a substantial amount of knowledge transfer. Hence, someone from the organisation must have knowledge of ISMS so as to be able to at least check the performance of the consultant. Remember, "The actual journey starts when your organisation achieves the ISMS certification." ■


Mobile Devices Asset Classification in ISO 27001 Implementation

BY | Ahmad Ismadi Yazid B. Sukaimi

Introduction

Information in mobile devices is an asset. Just like other important business assets, it is essential to an organisation's business and consequently needs to be suitably protected. The use of mobile devices involves sharing the device's functions between official and personal use of the data on the same device. Thus, the security risk to the data on these devices is often ignored because the device is mobile and portable and needs to be used at all times. In analysing the risk, consider this hypothetical scenario. There is a malware outbreak with root access privilege for the Android mobile operating system. The malware is distributed by installing a spoofed Angry Birds application sent via email. The installed malware copies all the contact information and sends the data out through the short messaging system. It also switches on GPS and Bluetooth to drain the battery. What is the risk level of the malware outbreak to the Android mobile devices issued by the company to top management officers?

Mobile Devices Risk Assessment

There is existing research on mobile device security. Mulliner's study [11] stated that there is a need to establish research on mobile device security, and he demonstrated it using a Windows Mobile environment. Mulliner's work has been a reference for the study by Woongryul Jeon et al. (2011) [8], which describes the importance of establishing a framework. In that paper the authors demonstrated the theory by experimenting on smartphone security, and also pointed out that it is important to establish a vulnerability framework focusing on mobile devices. Ledermuller's study [1] on mobile device risk assessment also mentioned the need to establish a vulnerability assessment framework specific to mobile devices.
He introduced a novel approach for mobile risk analysis using a categorisation method.

For a company that adopts ISO 27001, mobile devices issued by the company can be a challenging factor from a security point of view. The organisation needs to perform a risk assessment in order to determine the organisation's exposure to risks from mobile devices and to determine the best ways to manage those risks. There are many ways of performing a risk assessment, and all that ISO 27001 requires is that [2] 'An appropriate risk assessment shall be undertaken'. It is left to the organisation that implements ISO 27001 to determine what is 'appropriate'. The challenge is to perform it on mobile devices. According to Ledermuller [1], determination of risk within the methodology is based upon the standard formula, in which the risk is calculated by multiplying the asset value, threats and vulnerabilities. The worth of an asset can be a result of various dimensions. It can be estimated in terms of money, and also from a security impact [2] in terms of confidentiality, integrity and availability. The study introduced six steps to be followed for mobile device risk assessment.

• RA_Step 1 - Evaluation of asset value categories
• RA_Step 2 - Calculation of a single asset value
• RA_Step 3 - Evaluation of threats
• RA_Step 4 - Calculation of a single threat value
• RA_Step 5 - Answer vulnerability questions
• RA_Step 6 - Calculation of risk level


Evaluation of Asset Value

When a company issues mobile devices to employees, they become official assets of the company and share the same risks as other computers and peripherals. The risk is even greater since they are small and mobile in nature and have the same access to the company's network infrastructure. The values of company-issued mobile assets will be determined using the ISO/IEC 27001 Information Security Management System (ISMS) implementation [3] controls and control objectives. There are 11 domains and 133 controls for the certification. Necessary controls should be identified based on risk assessment information and the organisation's overall approach to mitigating risks. Selected controls should then be mapped to the standard and the scope of implementation.

Selecting Control and Control Objective

Mobile devices need to be evaluated as assets, for which there is a specific asset management domain with control objectives defined to perform the evaluation. The control objectives and controls [3] listed below are directly derived from and aligned with those listed in ISO/IEC 17799:2005 Clauses 5 to 15.

Each mobile device must undergo the same control procedures as other digital assets, such as inventory, ownership record and usage. Because there is a very fine line differentiating official and personal use of a mobile device, this is the most challenging aspect for monitoring purposes. For mobile devices, detailed records of incoming and outgoing calls, Short Messaging System (SMS) and Multimedia Messaging System (MMS) messages can be obtained from the service provider. For email systems, the logs can be obtained from the mail server itself. For other applications such as web browsing, social networking, online games and others, no audit trail is possible unless we have access to the operating system of the mobile device. The logs of applications installed on mobile devices can become the baseline for the device's asset value.
The next challenge is to identify the applications that will be installed by the users. The asset value may change according to the functionality of the applications, over which the company now has no control since the devices are controlled by the users.

A.7 Asset management
A.7.1 Responsibility for assets
Objective: To achieve and maintain appropriate protection of organisational assets.

A.7.1.1 Inventory of assets
Control: All assets shall be clearly identified and an inventory of all important assets drawn up and maintained.

A.7.1.2 Ownership of assets
Control: All information and assets associated with information processing facilities shall be 'owned' by a designated part of the organisation.

A.7.1.3 Acceptable use of assets
Control: Rules for the acceptable use of information and assets associated with information processing facilities shall be identified, documented, and implemented.

Table 1: Control and Control Objective

Information Classification

Information in mobile devices can be categorised by labelling such services using the information classification policies specified by an ISMS implementation. The information classification is then converted into numeric data for score calculation. The information classification defined by an organisation is based on its needs and agreements. The classification of the information is determined in terms of its value, legal requirements, sensitivity and criticality to the organisation. The inventory should also reflect the sensitivity and security priority assigned to each information asset. Information classification labels should be developed based on sensitivity and security needs, i.e. Top Secret, Secret, Confidential, Restricted and Public.
Each of these classification categories designates the level of protection needed for a particular information asset. Some asset types, such as personnel, may require an alternative


classification scheme that would identify the information security processes used by the asset type. Classification categories must be comprehensive and mutually exclusive for the organisation. Below are explanations of the information classifications to be adapted for mobile device categorisation.

A. Top Secret
This is the highest category of a company's information classification. Unauthorised disclosure, loss of integrity or unavailability of information that has been classified as TOP SECRET would cause serious adverse impact to the organisation. If the information ends up with a third party, this can only be done with formal authorisation from the owner and/or after signing a non-disclosure agreement. This is for "read only" purposes and it shall not be taken out of the premises. Information shall be labelled with the right handling policy.

B. Secret
This is the second highest category of a company's information classification. Unauthorised disclosure, loss of integrity or unavailability of information classified as SECRET would cause severe adverse impact to an organisation. Information shall be accessed by employees only with explicit authorisation. Information shall be extended to third parties only with formal authorisation from the owner and/or after signing a non-disclosure agreement, and for "read only" purposes. It shall not be taken out of the premises. Information shall be labelled and handled with the right handling policy.

C. Confidential
This is the third highest category of a company's information classification. Unauthorised disclosure, loss of integrity or unavailability of information classified as CONFIDENTIAL would cause significant adverse impact to an organisation. Information shall be accessed by employees only with explicit authorisation. Information shall be extended to third parties only with formal authorisation from the owner and/or after signing a non-disclosure agreement, and for "read only" purposes. It shall not be taken out of the premises.
Information shall be labelled and handled with the right handling policy.

D. Restricted
This is the fourth highest category of a company's information classification. Unauthorised disclosure, loss of integrity or unavailability of information classified as RESTRICTED would cause minor adverse impact to an organisation. Information shall be accessed by employees only with explicit authorisation. Information shall be extended to third parties only with formal authorisation from the owner and/or after signing a non-disclosure agreement, and for "read only" purposes. It shall not be taken out of the premises. Information shall be labelled and handled with the right handling policy.

E. Public
This is the lowest category of a company's information classification. Unauthorised disclosure, loss of integrity or unavailability of information classified as PUBLIC would not cause any impact to an organisation. Information shall be accessible to any employee of the company. Information can be extended to external parties with no requirements in place.

Mobile Device Asset Category

According to Ledermuller [1], determination of risk within the methodology is based upon a standard formula, where the risk is calculated by multiplying the asset value, threats and vulnerabilities. The worth of an asset can be measured from various dimensions. It can be estimated in terms of money and from a security impact perspective covering confidentiality, integrity and availability. Ledermuller's study [1] introduces mobile device risk assessment using an asset categorisation methodology. The technique identifies applications on mobile devices and categorises them by functionality.

Asset Category
2. E-Mail (corporate)
3. E-banking
4. E-health
5. Remote access (corporate)
6. Remote access (private)
7. Voice communication


8. Stored business documents
9. Physical device
10. Personal information (online synchronised)
11. E-Mail (private)
12. Social networking
13. Messaging
14. Personal information
15. Web access (browser)
16. Stored documents
17. Maps & Navigation
18. News client
19. Utilities

Identifying Asset Value

The next step is to label the information inside mobile devices using the information handling label. The table below describes the asset value of a mobile device issued to a company's management team. The evaluation methods listed here should be considered but need not be limited to the questions below:

1. What is the information inside the mobile device?
2. What happens to the information if the asset goes missing?
3. Can the information be retrieved from the device?
4. Can the device communicate with the corporate network?
5. Who is the owner of the device?

By answering the given questions, the evaluator can identify the optimum information handling for each group of mobile device asset categories. Each category can be a single application or multiple applications, which will share the same information handling label.
The table below shows the mobile device information handling labels for a management officer with a mobile device issued by the company.

Asset category                               Information handling label   Value
E-mail (corporate)                           Top Secret                   5
E-banking                                    Top Secret                   5
E-health                                     Top Secret                   5
Remote access (private)                      Confidential                 3
Voice communication                          Confidential                 3
Stored business documents                    Top Secret                   5
Physical device                              Top Secret                   5
Personal information (online synchronised)   Top Secret                   5
E-mail (private)                             Top Secret                   5
Social networking                            Confidential                 3
Messaging                                    Top Secret                   5
Personal information                         Confidential                 3
Web access (browser)                         Confidential                 3
Stored documents                             Top Secret                   5
Maps & Navigation                            Top Secret                   5
News client                                  Confidential                 3

Table: Asset Value by Information Handling Label

From the classification of the application category information, the information in the mobile device can be classified as Top Secret and has the highest value of 5. This value will be incorporated later when calculating the risk value of mobile devices during the company's risk assessment process for ISO 27001 implementation.

The table below is the data collected for each user in the different categories, namely the management and corporate users, who were supplied with mobile devices. The normal users, on the other hand, obtained their devices personally. The issue is whether the normal users are able to connect their devices to the corporate network, which would result in their mobile devices' status being the same as the corporate users'. If the corporate email uses POP or IMAP services, the normal user can connect to the corporate network with their mobile devices easily and share the same risks as other corporate users.


Asset value

Asset category                               Management user   Corporate user   Normal user
E-mail (corporate)                           5                 5                0
E-banking                                    5                 5                2
E-health                                     5                 5                2
Remote access (corporate)                    5                 5                0
Remote access (private)                      5                 2                2
Voice communication                          5                 2                2
Stored business documents                    5                 3                3
Physical device                              5                 3                3
Personal information (online synchronised)   5                 2                2
E-mail (private)                             4                 2                2
Social networking                            4                 2                2
Messaging                                    3                 2                2
Personal information                         3                 2                2
Web access (browser)                         3                 2                2
Stored documents                             1                 2                2
Maps & Navigation                            1                 1                1
News client                                  1                 1                1
Utilities                                    1                 1                1

Based on the information handling scoring for each mobile device category, the asset value of the mobile device can be calculated. Having an information value of 5, which indicates the highest risk value, will affect the security measures, handling and usage of the mobile device. The owners of mobile devices must also understand the risks of using the device inside and outside the premises. The differentiating factor between official and personal usage must be identified clearly.

Conclusion

The mobile device asset value can be determined by giving scores for each categorisation. Even though the value of the asset shows the highest ranking of information security label, we cannot escape from using mobile technology to access office communication systems. By knowing the value of a mobile phone, the user and the company can find out what security measures are appropriate to the asset itself. This step can set the level of risk faced by a company if the mobile equipment is exposed to threats that lead to loss of information. The risk of having mobile devices connected to the corporate network can now be managed by identifying the true value of the asset, which will be used later for completing the mobile device risk assessment. ■

References

[1] Thomas Ledermuller, Nathan L. Clarke. 2011. Risk Assessment of Mobile Devices. Trust, Privacy and Security in Digital Business: 8th International Conference, TrustBus 2011, Toulouse, France, August 29 - September 2, 2011, Proceedings.
[2] MAMPU. Unit Pemodenan Tadbiran dan Perancangan Pengurusan Malaysia, Jabatan Perdana Menteri Malaysia (2007). ISMS Risk Assessment Guideline.
[3] Kamat, M. (2009). Guideline for Information Asset Valuation. Forum American Bar Association, (c).
[4] Vulnerability Assessment Tools. 2011. Information Assurance Technology Analysis Center.
[5] NIST Risk Management Framework. FISMA. National Institute of Standards and Technology. Online at http://csrc.nist.gov/groups/SMA/fisma/framework.html
[6] Stoneburner, G., Goguen, A., & Feringa, A. (n.d.). Risk Management Guide for Information Technology Systems: Recommendations of the National Institute of Standards and Technology. NIST Special Publication.
[7] Etsi, C. R., Brookson, C., & Uk, B. I. S. (2009). Security for ICT - the Work of ETSI. European Telecommunications, (1).
[8] Woongryul Jeon, Jeeyeon Kim, Youngsook Lee and Dongho Won. A Practical Analysis of Smartphone Security. Lecture Notes in Computer Science, 2011, Volume 6771/2011, 311-320, DOI: 10.1007/978-3-642-21793-7_35
[9] Enck, W., & McDaniel, P. (2008). Understanding Android's Security Framework. Security, (October).
[10] Ongtang, M., McLaughlin, S., Enck, W., & McDaniel, P. (2009). Semantically Rich Application-Centric Security in Android. Intents.
[11] Mulliner, C.R.: Security of Smart Phone, Master's Thesis, University of California (June 2006)
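The label-to-score conversion, the "device takes the highest value it holds" rule and Ledermuller's risk = asset value x threat x vulnerability formula from the article above, carried through as an added example that is not code from the article or from the cited study. The scores for Secret, Restricted and Public, the 1-5 threat and vulnerability scales, the normal user's device contents and the threat figures for the rooting-malware scenario are all constructed assumptions.

```python
"""Mobile device asset value and risk scoring (added example, not the article's code).

Each application category carries an information handling label, labels are turned
into scores (RA_Step 1), the device takes the highest score present (RA_Step 2), and
risk = asset value x threat x vulnerability (RA_Step 6, the formula the article cites).
"""
from dataclasses import dataclass

# Information handling label -> score. The article gives Top Secret = 5 and
# Confidential = 3; the remaining values are assumed to complete the 5..1 scale.
LABEL_SCORE = {"Top Secret": 5, "Secret": 4, "Confidential": 3,
               "Restricted": 2, "Public": 1}

# A management officer's company-issued device, labelled as in the article's
# "Asset Value by Information Handling Label" table.
MANAGEMENT_DEVICE = {
    "E-mail (corporate)": "Top Secret",
    "E-banking": "Top Secret",
    "E-health": "Top Secret",
    "Remote access (private)": "Confidential",
    "Voice communication": "Confidential",
    "Stored business documents": "Top Secret",
    "Physical device": "Top Secret",
    "Personal information (online synchronised)": "Top Secret",
    "E-mail (private)": "Top Secret",
    "Social networking": "Confidential",
    "Messaging": "Top Secret",
    "Personal information": "Confidential",
    "Web access (browser)": "Confidential",
    "Stored documents": "Top Secret",
    "Maps & Navigation": "Top Secret",
    "News client": "Confidential",
}

# Constructed: a personally owned phone of a normal user holding no corporate data.
NORMAL_USER_DEVICE = {
    "Social networking": "Confidential",
    "Personal information": "Confidential",
    "Web access (browser)": "Confidential",
    "Maps & Navigation": "Public",
    "Utilities": "Public",
}


@dataclass(frozen=True)
class Threat:
    """A threat evaluated against one category (RA_Step 3 to 5)."""
    description: str
    likelihood: int     # 1 (rare) .. 5 (near certain); constructed scale
    vulnerability: int  # 1 (well protected) .. 5 (fully exposed); constructed scale


# Constructed figures for the article's scenario: rooting malware delivered as a
# spoofed game that copies contacts out via SMS and switches on GPS and Bluetooth.
ROOTING_MALWARE = {
    "Personal information (online synchronised)": Threat("contacts copied out via SMS", 4, 4),
    "E-mail (corporate)": Threat("mailbox readable by root-level malware", 3, 4),
    "Physical device": Threat("battery drained by GPS/Bluetooth", 4, 2),
    "Maps & Navigation": Threat("GPS switched on without consent", 4, 1),
}


def category_scores(labels: dict[str, str]) -> dict[str, int]:
    """RA_Step 1: convert each category's handling label into a numeric value."""
    return {category: LABEL_SCORE[label] for category, label in labels.items()}


def device_asset_value(scores: dict[str, int]) -> int:
    """RA_Step 2: the device inherits the highest value of anything stored on it."""
    return max(scores.values(), default=0)


def risk_level(asset: int, threat: int, vulnerability: int) -> int:
    """RA_Step 6: risk = asset value x threat x vulnerability."""
    return asset * threat * vulnerability


def assess(labels: dict[str, str], threats: dict[str, Threat]) -> list[tuple[str, int]]:
    """Risk per threatened category, highest first; categories absent from the device score 0."""
    scores = category_scores(labels)
    rows = [(cat, risk_level(scores.get(cat, 0), t.likelihood, t.vulnerability))
            for cat, t in threats.items()]
    return sorted(rows, key=lambda row: row[1], reverse=True)


def with_corporate_mail(labels: dict[str, str]) -> dict[str, str]:
    """The article's point: once a personal device fetches corporate mail (e.g. over
    POP/IMAP) it carries Top Secret data and shares the corporate device's risk."""
    return {**labels, "E-mail (corporate)": "Top Secret"}


if __name__ == "__main__":
    for name, device in [("management", MANAGEMENT_DEVICE),
                         ("normal user", NORMAL_USER_DEVICE),
                         ("normal user + corporate mail", with_corporate_mail(NORMAL_USER_DEVICE))]:
        print(f"{name}: asset value {device_asset_value(category_scores(device))}")
    for category, risk in assess(MANAGEMENT_DEVICE, ROOTING_MALWARE):
        print(f"  {category}: risk {risk}")
```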


'Right-Sizing' Security in the Cloud: A Risk-Based Approach for Providers

BY | George Chang

Introduction

Recent stories on network interruptions and system break-ins have made many organizations hesitant about transferring data, applications and/or processes to the Cloud. Just last year, Malaysian Government websites were hacked by the hacker group Anonymous, leaking thousands of private user records to the public.

These incidents prompt experts and customers to wonder whether security becomes a greater issue with cloud computing compared with other forms of hosting. Not really, even though the different service models and technologies applied in enabling cloud services do introduce new risks. For an organization, opting for cloud computing means losing control over its IT environment while retaining the liability for it, even though the responsibility for operations is handed over to a third party.

Cloud services share the same challenges as any average application in the private datacenter. The level of protection is equal to security measures such as physical, network, system and information security. It may also involve access policies, rules of conduct for employees and processes.

Any organization should ask whether their cloud provider is able to match or surpass their own level of protection. The profitability resulting from scalability, uniformity and standardization is one of the most attractive benefits of cloud computing. However, cloud providers must offer services that are flexible enough to satisfy the largest customer base possible while balancing security measures that constrain such flexibility. This renders cloud providers unable to offer the same level of security as a traditional IT environment.

If cloud providers cannot offer trusted security measures, then sound agreements must be made regarding responsibility. In Software as a Service (SaaS) environments, security measures and their scope are formulated in contracts.
In the Infrastructure as a Service (IaaS) model, the security of the underlying infrastructure, and the layers based on it, comes under the responsibility of the IaaS provider. The remainder of the chain, such as the operating systems, applications and data leveraging the infrastructure, is the responsibility of the customer. The Platform as a Service (PaaS) model is positioned somewhere between SaaS and IaaS. The security of the platform is part of the responsibilities of the PaaS provider; however, the customer is responsible for securing the applications developed on that platform.

It is important to assign responsibilities in the event that incidents or disasters occur. There should be redundant back-up servers at a remote location to maintain operations, and fail-over systems to temporarily transfer services to another cloud provider. This applies not only to cloud providers but also to enterprises.

Network security

If information security in the private datacenter requires strict rules and measures, the same goes for the Cloud. The cost savings of a SaaS application are worthless if data and reputation are compromised. The cloud provider must warrant the security of the Cloud, but also that of the network and the physical environment. It is important


to select a cloud provider that has a solid track record, expertise and the best solutions in networking and system security: one that is able to review all security risks, test system protections, and control or avert threats. Finally, network security should protect all virtual access points to the cloud. Cloud providers must employ well-managed security rules to block attacks, protecting all virtual access points to the cloud. They should be able to find and stop emerging threats before they become a real danger.

Physical security

Social engineering is on the rise as a means to break through physical or network security perimeters. People attempt to obtain the trust of employees by telephone or in person in order to gain access to the datacenter, or to lure employees into sharing information they can in turn use to hack data systems. Consequently, in addition to technical measures, the cloud provider must define and enforce rules of conduct and social guidelines for employees. A great way to test compliance with these rules is by hiring the services of an 'ethical hacker', who will try to gain access to the physical and digital environments on behalf of the customer.

When thinking about physical security, it is also advisable to look at the specific solutions the cloud provider has in place for disaster recovery. Where is data stored when it is not in use? Is the data encrypted and available in a redundant remote location?

Blind spot

One feature of cloud computing is that multiple users leverage the same application or hardware. This so-called 'multitenant' environment implies that multiple organizations' information is present on one physical system. It is therefore critical to ensure that the systems are segmented correctly and that their data and applications are fully separated from each other. However, virtual environments operate differently from traditional servers. The latter monitor all traffic transported on the spot, through a physical Ethernet switch or router.
In a virtual environment, data is streamed through a virtual adapter without ever passing through any physical device. This creates a blind spot in the communication between the datacenter and the end user, and consequently a potential security issue. Setting up a physical or virtual security appliance between the cloud provider and the private organization may prove to be a smart solution, as it will help provide the right mix of performance and control across the traffic streams.

Conclusion

In conclusion, there are many different ways to approach the Cloud: via the SPI service models (Software-as-a-Service, Platform-as-a-Service, or Infrastructure-as-a-Service), the public versus private cloud, internal versus external hosting, and a large number of hybrid solutions in between. Given the number of options, there is no standard list of security measures that covers all possible events exhaustively. So, before moving forward, organizations should apply a risk-based approach towards the Cloud and make sure that the necessary security measures do not impede the expected efficiency and cost benefits of their cloud solutions. ■

.......................................................................
George Chang is Fortinet's Regional Director for Southeast Asia & Hong Kong. Fortinet is a leading provider of network security appliances and the worldwide leader in Unified Threat Management, or UTM. Fortinet integrates multiple levels of security protection (such as firewall, antivirus, intrusion prevention, VPN, spyware prevention and antispam) to help customers protect against network and content level threats.


Tracing Cyber Criminals Via Full Headers

BY | Sharifah Roziah Binti Mohd Kassim

Introduction

Presently, cyber criminals are actively using emails as a medium for launching cyber crimes on the Internet. This is especially prevalent in cases involving email correspondence, as seen in the Nigerian scam, phishing, cyber harassment, cyber bullying, cyber stalking, malware and spam. However, many are not aware that the full headers of any email can actually be used by investigators to detect and trace cyber criminals and eventually curb cyber crime on the net. The question is, how does an investigator or analyst go about doing so? Before we delve further into the answer, we need to understand what a full header is.

Definition of Email Header

All emails arrive with standard headers, more accurately termed brief headers. A brief header has basic information about an email such as FROM, TO, SUBJECT and DATE/TIME. An example is provided below.

Brief Header

A brief header will look like the example below, with the following information:

Date: Fri, 8 May 1998 10:05:21 +0800 (MYT)
From: ass@pc.jaring.my
To: john@ace.cdc.abu.com
Subject: happy holiday

The above brief header provides basic information about the date and time the email was sent, the sender of the email, the recipient and the subject matter of the email. However, this information is not sufficient for investigators analysing cases related to emails. The FROM (sender) information in an email can be forged or spoofed.

Full Header

Besides the brief header, which contains basic information, more detailed information can be extracted from an email, called the full header. This has detailed technical information about the email. All email programs can be set to show only brief headers or full headers, and it is up to the individual user to set the program to view brief headers or full headers.

Full headers contain information such as the mail server data that the email passed through on its way to the recipient.
It also contains the IP addresses of the recipient and the sender. Additionally, it has the name of the email program and the version used in completing the process. This is essential for analysis and investigation purposes in cases involving email abuse, spamming, mail bombing, etc. This information is not available in a brief header. Thus, it is important for investigators to have full headers for cases involving email abuse, worm-infected emails, harassment, forgeries and other email-related cases.

What is in a Full Header?

Full headers contain the names and IP addresses of all the hosts/servers that have relayed a message from the sender until it reaches the recipient. Each host/server that forwards the message along its route adds a line of information to the headers. The information provided in the full headers allows an investigator to discover the origin of an email based on the originating IP address. It is important to trace the originating IP address of an email in order to find out the actual sender of the email, as the "From:" line in the email header can be spoofed or faked.

It is also important for investigators to obtain the full header from the original recipient of the email. The full header cannot be retrieved from forwarded copies of the original message. As such, the original recipient of the email concerned must keep the email for investigation purposes.

How to Read a Full Header

Here is an example of a full header. The Received information in the full header is


very important in finding out the origin of the email and the route it took to reach the recipient. From the full header we can also find out if the email is forged, spoofed or intercepted.

Normally, for tracing purposes, full headers are read from bottom to top. The last Received line in a full header will tell the origin of the email, which is the source computer/machine from which the email was sent. On the other hand, the top Received line will tell which email server handed the email to the recipient's email server before the email finally reached the recipient.

Let's look at the example below:

Return-Path: ass@relay13.jaring.my
Delivered-To: john@ace.cdc.abu.com
Received: from relay13.jaring.my (relay13.jaring.my [192.228.128.124])
    by ace.cdc.abu.com (8.7.1/8.7.1) with ESMTP id KAA18533
    for ; Fri, 8 May 1998 10:01:01 +0800
Received: from (j19.kch18.jaring.my [161.142.54.153])
    by relay13.jaring.my (8.8.8/8.8.7) with SMTP id KAA21792
    for john@ace.cdc.abu.com ; Fri, 8 May 1998 10:05:21 +0800 (MYT)
Message-Id:
Date: Fri, 8 May 1998 10:05:21 +0800 (MYT)
From: ass@pc.jaring.my
To: john@ace.cdc.abu.com
Subject: happy holiday

We will analyse the full header by reading from bottom to top:

1. Subject: happy holiday
The subject line gives us an idea of what the mail is about.

2. To: john@ace.cdc.abu.com
The 'To' line clearly lists the email address(es) of the recipients of the mail.

3. From: ass@pc.jaring.my
The 'From' line shows who sent the mail and his/her email address. This 'From' information can easily be faked/forged.

4. Date: Fri, 8 May 1998 10:05:21 +0800 (MYT)
The Date line lists the date and time this mail was originally sent, according to the sender's local time zone.

5. Message-Id:
The Message-Id line is intended primarily for tracing mail routing and uniquely identifying each mail.

6.
Received: from (j19.kch18.jaring.my [161.142.54.153]) by relay13.jaring.my (8.8.8/8.8.7) with SMTP id KAA21792 for john@ace.cdc.abu.com ; Fri, 8 May 1998 10:05:21 +0800 (MYT)
The email originated from (j19.kch18.jaring.my [161.142.54.153]). Note that the originating IP address of this email is 161.142.54.153. A whois lookup of the IP 161.142.54.153 shows that the IP address is registered under Jaring (service provider), as below:

inetnum: 161.142.0.0 - 161.142.255.255
netname: JARING-NAT
descr: JARING Communications Sdn Bhd
country: MY

The above result indicates no possible spoofing or forgery, as the IP address indeed belongs to jaring.my. The email was relayed via the server relay13.jaring.my using Sendmail version 8.8.8/8.8.7 (whenever the actual program name is left out, as it is here, Sendmail is assumed) with SMTP id KAA21792 for the recipient john@ace.cdc.abu.com. The "SMTP id KAA21792" is an internal ID number assigned to the message. This ID number is only of use to the ISP's mail service; it can be used to look up the message in their log files.

7. Received: from relay13.jaring.my (relay13.jaring.my [192.228.128.124]) by ace.cdc.abu.com (8.7.1/8.7.1) with ESMTP id KAA18533 for ; Fri, 8 May 1998 10:01:01 +0800
The email was then received from relay13.jaring.my (relay13.jaring.my [192.228.128.124]) by the recipient's mail server, which is ace.cdc.abu.com, using their Sendmail version 8.7.1/8.7.1 with ESMTP id KAA18533 for the recipient.

8. Delivered-to: john@ace.cdc.abu.com
The email was then delivered to the recipient by his mail server.


9. Return-path: ass@relay13.jaring.my
   The return path is the path where the sender will receive his reply from the recipient.

Findings

From the above full header, we can conclude that the email originated from IP 161.142.54.153. On further analysis, the IP address 161.142.54.153 matches the hostname j19.kch18.jaring.my. A Whois search of the originating IP address indicates that the IP address indeed belongs to Jaring Communications. There is no conflict between the IP address, the hostname and the Whois result. From these findings we can say that the full header has not been intercepted or forged, as there are no indications of forgery or interception.

========WHOIS==========
IP: 161.142.54.153
inetnum: 161.142.0.0 - 161.142.255.255
netname: JARING-NAT
descr: JARING Communications Sdn Bhd
country: MY
=======================

Once the originating IP address has been traced, the investigator will need to go to the ISP and make an official request to its Corporate Affairs Department for the identity of the person who sent the above email. A copy of the full header must accompany the request as evidence for the ISP. The ISP will facilitate further investigation until the identity of the perpetrator has been traced. Once the identity is traced, he/she will be prosecuted.

Looking for Forgery or Interception From the Full Header

In a full header, there will be several IP addresses, hostnames and mail server details. Normally, perpetrators or email abusers will add the name of another mail server to the headers in an attempt to trick recipients and disguise themselves. To ensure the information in the full header is not forged, investigators can do a DNS lookup or reverse DNS lookup to verify the hostname and the IP address it belongs to.

After completing the DNS lookup, if the hostname and IP address do not match, this may indicate that the information in the full header has been forged.
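As an added example (not code from the article or from MyCERT), the following Python walks the Received chain from the bottom up, as the walkthrough above does, and applies this section's hostname/IP consistency check. The sample header is constructed from the article's example (Message-Id omitted), and the forged variant and the reverse-DNS table are constructed stand-ins so the check runs offline; a real investigation would query DNS and whois instead.

```python
import re
from email import message_from_string

# Constructed from the article's sample header (Message-Id omitted).
SAMPLE = """\
Return-Path: ass@relay13.jaring.my
Delivered-To: john@ace.cdc.abu.com
Received: from relay13.jaring.my (relay13.jaring.my [192.228.128.124])
  by ace.cdc.abu.com (8.7.1/8.7.1) with ESMTP id KAA18533
  for <john@ace.cdc.abu.com>; Fri, 8 May 1998 10:01:01 +0800
Received: from (j19.kch18.jaring.my [161.142.54.153])
  by relay13.jaring.my (8.8.8/8.8.7) with SMTP id KAA21792
  for john@ace.cdc.abu.com ; Fri, 8 May 1998 10:05:21 +0800 (MYT)
From: ass@pc.jaring.my
To: john@ace.cdc.abu.com
Subject: happy holiday

Have a good holiday.
"""
# Constructed forgery: same originating IP, but the hostname written into
# the Received line no longer matches what that address resolves to.
FORGED = SAMPLE.replace("j19.kch18.jaring.my", "relay.trusted-looking.example")

# Constructed offline stand-in for reverse DNS (PTR) answers.
FAKE_PTR = {"161.142.54.153": "j19.kch18.jaring.my",
            "192.228.128.124": "relay13.jaring.my"}

IP_RE = re.compile(r"([\w.-]+)\s*\[(\d{1,3}(?:\.\d{1,3}){3})\]")
BY_RE = re.compile(r"\bby\s+([\w.-]+)")

def parse_hops(raw):
    """Hops oldest-first as (claimed_host, ip, receiving_server)."""
    msg = message_from_string(raw)
    hops = []
    # The last Received line in the header is the first hop: the origin.
    for rcvd in reversed(msg.get_all("Received", [])):
        line = " ".join(rcvd.split())          # unfold the header
        host_ip, by = IP_RE.search(line), BY_RE.search(line)
        if host_ip and by:
            hops.append((host_ip.group(1), host_ip.group(2), by.group(1)))
    return hops

def check_hops(raw, ptr=FAKE_PTR):
    """Return (originating IP, IPs whose claimed hostname fails the PTR check)."""
    hops = parse_hops(raw)
    mismatches = [ip for host, ip, _ in hops if ptr.get(ip) != host]
    return (hops[0][1] if hops else None), mismatches
```

A non-empty mismatch list is the "hostname and IP address do not match" condition the text describes; an IP absent from the PTR table is reported the same way, since a name that cannot be confirmed should not be trusted either.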
There is also a possibility of interception if an unknown third-party IP address is present other than the IP addresses belonging to the sender and the recipient of the email. In addition, investigators can do a Whois lookup to check and verify the location of the IP address.

Forged or intercepted email full headers cannot be used as valid evidence by law enforcement agencies for tracing or prosecuting perpetrators.

Conclusion

In conclusion, full headers are an important element, and a crucial piece of evidence, for investigating the source of cyber crimes or cyber attacks conducted via email. Untampered or unforged full headers can be produced in court by investigators for the prosecution of cyber criminals. They are very useful for tracing or prosecuting perpetrators on the net and eventually curbing the rise of cybercrime on the net. This will help to minimise cyber crime activities on the net. Victims who are abused, harassed or scammed via email are encouraged to report the matter to the relevant ISPs, CERTs or law enforcement agencies for further investigation. They must keep the particular email message together with its full header on their PC for further investigation, for tracing purposes and for future record. ■
