Welcome to the Sarawak State Government Information Security Portal
Last Update: 16 Apr 2014
Version 5.0.3



CONTACT US



Information and Communication Technology Unit (ICTU),

Chief Minister's Department,
Level 4, Wisma Bapa Malaysia,
93502 Petra Jaya, Kuching. 

Tel: +6082-449005
Fax: +6082-449002

 

Announcement
» Do Not Reveal Your SarawakNet Userid and Password To Anyone

[Alert for SarawakNet Users]

1. DO NOT RESPOND to any email requesting your SarawakNet userid and password.
2. DO NOT REVEAL your SarawakNet userid and password to anyone.
3. Please RESET your password IMMEDIATELY if you have exposed your userid and password to anyone.

For more details, please contact SAINS Call Centre:

SAINS Call Centre (24 x 7)

Tel: 1-300-88-7246
Fax: 082-442522
Email: callcentre@sains.com.my
Online: http://callcentre.sains.com.my


News
GCERT Information Note No. 1 of 2014 - OpenSSL Heartbleed Information Disclosure Vulnerability
10 Apr 2014

For your information, GCERT has been notified of an ICT security threat to Government portals that use OpenSSL versions 1.0.1 - 1.0.1f, which contain a weakness that can disrupt Government portal services.

Accordingly, agencies are advised to IMMEDIATELY harden portals that use the affected OpenSSL versions, as set out in the attached GCERT Information Note No. 1/2014, in order to reduce the risk of intrusion.

For further information, please refer here

Here's What You Need to Know About the 'Heartbleed' Bug That's Attacking Millions of Websites
08 Apr 2014
Millions of websites may have been leaking critically sensitive data for the past two years, thanks to a devastating flaw in the OpenSSL software many sites use to encrypt and transmit data.
The Heartbleed bug, as it’s called by the researchers who discovered it, would let anyone on the Internet get into a supposedly secure Web server running certain versions of OpenSSL and scoop up the site’s encryption keys, user passwords and site content.
Once an attacker has a website’s encryption keys, anything is fair game: Instead of slipping through a proverbial crack in the wall, he can now walk in and out the front door.
There have been no documented instances of attacks exploiting the Heartbleed bug. But because an attack using the bug would leave no trace, and the potential damage from an attack would be so significant, all websites that ever used the affected versions of OpenSSL should be considered compromised.
Websites that are currently vulnerable to Heartbleed exploits include Yahoo, Comixology, Flickr, Imgur and OculusVR. Many other top sites — including Facebook, Google, Wikipedia, Amazon, Twitter, Apple and Microsoft — are not currently vulnerable, though some may have been in the past.
How the Heartbleed bug works
Most secure websites encrypt traffic to and from their servers using a protocol called SSL/TLS. There are several different encryption “libraries” that can be used in this protocol, and one of the most widely used is an open-source library called OpenSSL.
The Heartbleed bug is in versions of OpenSSL issued from December 2011 onward, not in SSL/TLS itself. Not every instance of SSL or TLS encryption across the Internet is compromised. But OpenSSL is the default encryption library in Apache and Nginx server software, which power two-thirds of all websites.
An attack exploiting the Heartbleed bug would leave no trace in an attacked Web server’s logs. It’s impossible to tell how many sites, if any, may have been exploited, and how many may have been vulnerable over the past two years.
Neel Mehta of Google Security and a team of engineers at Oulu, Finland-based security company Codenomicon first discovered the Heartbleed bug, though they haven’t specified when. They’ve created a FAQ page at heartbleed.com with full details.
The bug’s name refers to a handshake (process of connecting to a network) in OpenSSL’s code called the “heartbeat extension,” which sets a limit on how long an encrypted session stays valid. A coding error meant that the extension was missing a necessary verification (called a bounds check), thus giving an attacker access to additional information about the server and creating the vulnerability.
The most recent version of OpenSSL, 1.0.1g, patches the flaw, so any websites running OpenSSL should upgrade to the newest version immediately.
However, the damage has been done. Versions of OpenSSL with the bug have been in use for more than two years. If an attacker used the Heartbleed bug to get into a Web server, he would have access to the website’s “crown jewels”: its encryption keys.
With the keys, attackers could decrypt traffic to and from the server; impersonate the server so that users who think they’re visiting a given website are actually visiting a fraudulent site disguised as the correct one; or decrypt the server’s databases, including their users’ personal information, such as usernames, passwords, email addresses, payment information and more.
Web servers that use or used vulnerable versions of OpenSSL need to do more than upgrade to the latest version of OpenSSL; they also need to revoke and reissue all of their encryption certificates. It’s no use boarding up a hole in the wall if the intruders can now let themselves in through the front door.
Who is affected?
Administrators of websites using Apache or Nginx server software need to evaluate whether they have, or had used, vulnerable versions of OpenSSL. Such websites should be considered compromised.
OpenSSL is also incorporated into email servers using the SMTP, POP and IMAP protocols; chat servers using the SMPP protocol; and most virtual private networks (VPNs) that use SSL to protect their networks.
Want to check if an individual Web domain is affected? Cloud security company Qualys’ SSL Labs has created a test.
"Ironically, smaller and more progressive services, or those who have upgraded to the latest and best encryption, will be affected most," wrote the Codenomicon researchers in a thorough write-up on the Heartbleed bug.
Many large consumer sites are not vulnerable to the Heartbleed bug, the researchers said, because those sites tend to be slow to adopt new security measures and have failed to upgrade to modern Web architecture. (They might, of course, be vulnerable to other kinds of attacks.)
What should you do?
Unless you’re a system administrator, there’s not much you can do right now. We can’t even recommend that you change your online passwords — not yet, at least. If a website hasn’t upgraded its OpenSSL library and changed its encryption certificates, then a new password would be just as compromised as an old one.
The vulnerable versions of OpenSSL are 1.0.0 through 1.0.1f. If you’re a website administrator and can’t upgrade to the newest version, then you can manually disable the heartbeat function and then recompile OpenSSL’s code.
