Sunday, December 30, 2012

List Of Companies With SSL Expertise

This list was compiled by me for the purpose of my Cryptography and Network Security Assignment. So, here's the list.

1) Symantec Corporation
Consists of VeriSign, GeoTrust and Thawte. Symantec has the largest market share in certificate issuing. Along with being a root CA, it has other products in the area of network security. For normal users it has Norton Antivirus and Internet Security. It has specialised products for small and medium industries as well as for large businesses. Symantec is what it is today because of many acquisitions and partnerships with some of the best-known companies in the network security domain.

2) Comodo Group, Inc.
Comodo is a privately held group of companies providing computer software and SSL digital certificates. The Comodo companies offer many free products through their website, available for public download. Comodo also offers many business products. The most notable of these are Comodo Backup, Comodo SSL, Secure Email Pro and Comodo SSL Certificates.

3) Go Daddy Group Inc.
Go Daddy is a privately held company that is primarily an internet domain registrar and web hosting company. Along with this, Go Daddy also provides website management and security. This involves SSL certificates, a website security scanner and code signing certificates.

4) GlobalSign
GlobalSign is a WebTrust certified certificate authority. It also provides products for mobile authentication, cloud security, secure e-commerce and document security.

5) Entrust Inc.
Entrust provides identity-based security software and services in the areas of public key infrastructure (PKI), multifactor authentication, Secure Socket Layer certificates, fraud detection, digital certificates and mobile authentication.

6) StartCom
StartCom is a company based in Israel that has three main activities: StartCom Linux Enterprise (Linux distribution), StartSSL (Certificate Authority) and MediaHost (Web hosting). StartCom offers the free (for personal use) Class 1 X.509 SSL certificate "StartSSL Free", which works for webservers (SSL/TLS) as well as for e-mail encryption (S/MIME). It also offers Class 2 and 3 certificates as well as Extended Validation Certificates.

7) CyberTrust
CyberTrust was a security services company formed as a result of a merger of the TruSecure and Betrusted security companies. Cybertrust acquired a large stake in Ubizen, a European security services firm based in Belgium, to become one of the largest information security firms in the world. CyberTrust is now owned by Verizon.

8) DigiCert Inc
DigiCert is a privately held, US-based X.509 SSL certificate provider. As a trusted third party, DigiCert verifies the authenticity of secure websites on behalf of a web browser for the purpose of preventing online phishing scams. DigiCert was a founding member of the CA/Browser Forum and assisted in the development of the Extended Validation Certificate. DigiCert also worked in conjunction with Microsoft to develop and promote the use of subject alternate names in SSL certificates, for use with Microsoft Exchange Server.

9) SECOM Co., Ltd.
SECOM is the largest security company in Japan. It has several products like Secom Information Security and Secom Certifying Agency, among others.

Saturday, December 29, 2012

Everything You Wanted to Know About Phishing


Phishing refers to the process where a targeted individual is contacted by email or telephone by someone posing as a legitimate institution to lure the individual into providing sensitive information such as banking information, credit card details, and passwords. The personal information is then used to access the individual’s account and can result in identity theft and financial loss.
Phishing is typically carried out by e-mail spoofing or instant messaging, and it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one. Phishing is an example of social engineering techniques used to deceive users, and exploits the poor usability of current web security technologies.


The first time that the term “phishing” was used and recorded was on January 2, 1996. The mention occurred in a Usenet newsgroup called Although phishing scams originated sometime around the year 1995, they did not become commonly known by everyday people until nearly ten years later. A phishing technique was described in detail, in a paper and presentation delivered to the International HP Users Group, Interex.
The first way in which phishers conducted attacks was by using algorithms to create randomized credit card numbers. The random credit card numbers were used to open AOL accounts. Those accounts were then used to spam other users and for a wide range of other things. This practice was put to an end by AOL in 1995, when the company created security measures to prevent the successful use of randomly generated credit card numbers.
With their random credit card number generating racket shut down, phishers created what would become a very common and enduring set of techniques. Through the AOL instant messenger and email systems, they would send messages to users while posing as AOL employees. Those messages would request users to verify their accounts or to confirm their billing information.


Phishing hasn’t changed a lot since its AOL heyday. In 2001, phishers turned their attention to online payment systems. Although the first attack, which was on E-Gold in June 2001, was not considered to be successful, it planted an important seed. In late 2003, phishers registered dozens of domains that suggested legitimate sites like eBay and PayPal. They used email worm programs to send out spoofed emails to PayPal customers. Those customers were led to spoofed sites and asked to update their credit card information and other identifying information. By the beginning of 2004, phishers were riding a huge wave of success that included attacks on banking sites and their customers. Popup windows were used to acquire sensitive information from victims. Since that time, many other sophisticated methods have been developed.


1) Email / Spam
Phishers may send the same email to millions of users, requesting them to fill in personal details. These details will be used by the phishers for their illegal activities. Phishing with email and spam is a very common phishing scam. Most of the messages have an urgent note which requires the user to enter credentials to update account information, change details, and verify accounts. Sometimes, they may be asked to fill out a form to access a new service through a link which is provided in the email.
2) Web Based Delivery
Web based delivery is one of the most sophisticated phishing techniques. Also known as “man-in-the-middle,” the hacker is located in between the original website and the phishing system. The phisher traces details during a transaction between the legitimate website and the user. As the user continues to pass information, it is gathered by the phishers, without the user knowing about it.
3) Instant Messaging
Instant messaging is the method in which the user receives a message with a link directing them to a fake phishing website which has the same look and feel as the legitimate website. If the user doesn’t look at the URL, it may be hard to tell the difference between the fake and legitimate websites. Then, the user is asked to provide personal information on the page.
4) Trojan Hosts
Trojan hosts are invisible hackers trying to log into your user account to collect credentials through the local machine. The acquired information is then transmitted to phishers.
5) Link Manipulation
Link manipulation is the technique in which the phisher sends a link to a website. When the user clicks on the deceptive link, it opens up the phisher’s website instead of the website mentioned in the link. One of the anti-phishing techniques used to prevent link manipulation is to move the mouse over the link to view the actual address.
6) Key Loggers
Key loggers are malware used to capture inputs from the keyboard. The information is sent to the hackers who will decipher passwords and other types of information. To prevent key loggers from accessing personal information, secure websites provide options to use mouse clicks to make entries through a virtual keyboard.
7) Session Hacking
In session hacking, the phisher exploits the web session control mechanism to steal information from the user. In a simple session hacking procedure known as session sniffing, the phisher can use a sniffer to intercept relevant information so that he or she can access the Web server illegally.
8) System Reconfiguration
Phishers may send a message whereby the user is asked to reconfigure the settings of the computer. The message may come from a web address which resembles a reliable source.
9) Content Injection
Content injection is the technique where the phisher changes a part of the content on the page of a reliable website. This is done to mislead the user to go to a page outside the legitimate website where the user is asked to enter personal information.
10) Phishing through Search Engines
Some phishing scams involve search engines, where the user is directed to product sites which may offer low-cost products or services. When the user tries to buy the product by entering credit card details, they are collected by the phishing site. There are many fake bank websites offering credit cards or loans to users at a low rate, but they are actually phishing sites.
11) Phone Phishing
In phone phishing, the phisher makes phone calls to the user and asks the user to dial a number. The purpose is to get personal information of the bank account through the phone. Phone phishing is mostly done with a fake caller ID.
12) Malware Phishing
Phishing scams involving malware require it to be run on the user’s computer. The malware is usually attached to the email sent to the user by the phishers. Once you click on the link, the malware will start functioning. Sometimes, the malware may also be attached to downloadable files.
Phishers take advantage of the vulnerability of web security services to gain sensitive information which is used for fraudulent purposes. This is why it’s always a good idea to learn about the various phishing techniques, including phishing with Trojans and Spyware.



1) Tabnabbing
Tabnabbing is a computer exploit and phishing attack, which persuades users to submit their login details and passwords to popular Web sites by impersonating those sites and convincing the user that the site is genuine. The attack takes advantage of user trust and inattention to detail in regard to tabs, and the ability of modern web pages to rewrite tabs and their contents a long time after the page is loaded. The exploit employs scripts to rewrite a page of average interest with an impersonation of a well-known website, when left unattended for some time. A user who returns after a while and sees the rewritten page may be induced to believe the page is legitimate and enter their login, password and other details.
A practical implementation of Tabnabbing can be found in this webpage :
2) Evil twin
Evil twin is a term for a rogue Wi-Fi access point that appears to be a legitimate one offered on the premises, but actually has been set up by a hacker to eavesdrop on wireless communications among Internet surfers. An attacker fools wireless users into connecting a laptop or mobile phone to a tainted hotspot by posing as a legitimate provider.
Wireless devices link to the Internet via "hotspots" – nearby connection points that they lock on to. But these hotspots can act like an open door to thieves. Anyone with suitable equipment can locate a hotspot and take its place, substituting their own "evil twin".
This type of evil twin attack may be used by a hacker to steal the passwords of unsuspecting users by either snooping the communication link or by phishing, which involves setting up a fraudulent Web site and luring people there.
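
A defender-side check for the rogue access point described above, as an added example that is not part of the original post: it compares Wi-Fi scan rows against an inventory of the site's own access points. The SSID, BSSIDs, channels, scan rows and inventory format are all constructed assumptions.

```python
# Constructed inventory of the access points the site really operates (assumption):
# SSID -> expected security mode and {BSSID: channel} of each legitimate radio.
AUTHORIZED = {
    "CafeGuest": {
        "security": "WPA2",
        "aps": {"aa:bb:cc:00:00:01": 6, "aa:bb:cc:00:00:02": 11},
    },
}

# Constructed scan rows: (ssid, bssid, security, channel).
SCAN = [
    ("CafeGuest", "aa:bb:cc:00:00:01", "WPA2", 6),
    ("CafeGuest", "aa:bb:cc:00:00:02", "WPA2", 11),
    ("CafeGuest", "DE:AD:BE:EF:00:09", "OPEN", 1),   # unknown radio, no encryption
    ("CafeGuest", "aa:bb:cc:00:00:02", "WPA2", 3),   # known BSSID on a second channel
    ("Neighbour", "11:22:33:44:55:66", "WPA2", 1),   # not our SSID, ignored
]


def find_evil_twin_candidates(scan, authorized):
    """Return (bssid, channel, reasons) for radios advertising our SSID suspiciously."""
    findings = []
    for ssid, bssid, security, channel in scan:
        site = authorized.get(ssid)
        if site is None:
            continue  # SSID is not ours, so it cannot be a twin of our network
        bssid = bssid.lower()
        reasons = []
        if bssid not in site["aps"]:
            reasons.append("unknown BSSID")
        elif site["aps"][bssid] != channel:
            # A cloned BSSID usually shows up on a channel the real AP is not using.
            reasons.append("known BSSID on unexpected channel")
        if security != site["security"]:
            reasons.append("security differs from inventory")
        if reasons:
            findings.append((bssid, channel, reasons))
    return findings
```

A BSSID can be copied along with the SSID, so an empty result does not prove that no evil twin is present; the check only surfaces the cases where the copy is imperfect.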


Although complete prevention is virtually impossible, mentioned below are some logical precautionary measures that both consumers and corporations can take in an attempt to reduce the potential of being conned by phishing scams.
1. Never Click on Hyperlinks within emails
Hyperlinks within emails are often cloaked, or hidden. The text you see as a hyperlink may not be where the hyperlink takes you. If you are unsure of the source of the email, you should not click on hyperlinks within emails that are apparently from a legitimate company. Instead, directly type in the URL in the Internet browser address bar, or call the company on a contact number previously verified or known to be genuine.
2. Use Anti-SPAM Filter Software
Some studies have shown around 85% of all email sent is SPAM, with a majority fraudulent. This can be costly and time consuming to end users who receive them. Effective SPAM filters can reduce the number of fraudulent and malicious emails consumers are exposed to.
3. Use Anti-Virus Software
To protect against Trojan and worm attacks, anti-virus software can detect and delete virus files before they can attack a computer. It is important to keep all anti-virus software up to date with vendor updates. These virus programs can search your computer for personally sensitive information and pass this information to fraudsters.
4. Use a Personal Firewall
Firewalls can monitor both incoming and outgoing Internet traffic from a computer. This can protect the computer from being hacked into and having a virus planted, and can also block unauthorized programs, such as Trojans, worms and spyware, from accessing the Internet.

5. Keep Software Updated (Operating Systems & Browsers)
Fraudsters and malicious computer hackers are continually finding vulnerabilities in software operating systems and Internet Browsers. Software vendors are constantly updating their software to fix these vulnerabilities and protect consumers.
6. Always look for "https" and a padlock on a site that requests personal information
Information entered on an Internet Web Site can be intercepted by a third party. Web Sites that are secure protect against this activity. When submitting sensitive financial and personal information on the Internet, look for the locked padlock on the Internet browser's status bar or the “https://” at the start of the URL in the address bar.
7. Keep your Computer clean from Spyware
Spyware & Adware are files that can be installed on your computer, even if you don't want them, without you knowing they are there! They allow companies to monitor your Internet browsing patterns, see what you purchase and even allow companies to inundate you with those annoying "pop up" ads!
8. Educate Yourself on Fraudulent Activity on the Internet
Internet Fraud methods are evolving at a rapid rate. Consumers need to be aware they are vulnerable as fraudsters are persuasive and convincing; many victims thought they were too smart to be scammed. Consumers should educate themselves on Internet Fraud, the trends and continual changes in fraudulent methods used.

This was my Data communication and Networking Assignment. 
