Information Security and Cyber Crimes

About Presenter Kandarp Shah has worked at a managerial position for leading Info security consulting organization and has been engaged to provide advisory and auditing services to customers across verticals for more than 10 years. Helped various organizations to strategies their information security requirements in terms of services and/or solutions. Shahkandarp(at)outlook.com

in.linkedin.com/in/kandarps/

Information Security and Cyber Crimes

The objective of this presentation is to educate and create awareness amongst the student community on use of Technology, Internet media and its implications on possible cyber crimes. Some of the possible preventive measures, one can take to avoid getting victimized for a cyber crime

Introduction

Internet and smart Gadgets are now integral part of our lives

Cyber Laws

Cyber crime is a generic term that refers to all criminal activities done using the medium of computers, the internet, cyber space and the worldwide web. "Cyber Security“ means protecting information, equipment, devices, computer, computer resource, communication device and information stored therein from unauthorized access, use, disclosure, disruption, modification or destruction. Cyber law is a term used to describe the legal issues related to use of communications technology, particularly "cyberspace", i.e. the Internet. Cyber Law is represented by Indian IT ACT 2008

Cyber Crime - Motivation

• Money

• Curiosity • Revenge • Fun • Praise seekers

Cyber Crime – Upward Trends

• Huge increase in the use of Internet and smart phones

• Individuals share personal and work related information on

Internet

•Critical and sensitive information are shared on Internet

• Financial transactions take place on Internet

• Security controls are never 100% and adequate

• BAD guys are always ahead of GOOD guys

Cyber Crime – Its No more a fun

Cyber crime controlled by IT ACT 2008 and respective IPC (constantly evolving) Complete control of Govt agencies over information stored, processed and transmitted over internet Upradation of Investigating agencies with latest technology Service providers like ISPs, email service providers, etc are liable to share information with Govt agencies Upgradation of Forensic labs Stringent punishment for cyber crimes

Cyber Crime – Awareness for Students

Curiosity and Revenge may be primary reasons for a student to get motivated for a cyber crime. Most of the times, students are not aware about the implications of a cyber crime Girls are the most found victims of a cyber crime

Common Scenarios - Cyber Pornography

Cyber pornography covers pornographic websites, pornographic magazines produced using computers and the Internet. Whoever publishes or transmits or causes to be published in the electronic form, any material which is obscene in nature falls under cyber pornography

Section 67: Punishment for publishing or transmitting obscene material in electronic form

Punishment – Imprisonment from 2 – 10 years with fine upto 10 lakhs

Common Scenarios - Cyber Pornography

Illustrations : - 1. The CEO of a software company in Pune (India) was arrested for sending highly

obscene emails to a former employee 1. A student of the Air Force Balbharati School, New Delhi, was teased by all his

classmates for having a pockmarked face, used a free hosting provider to create a website

He regularly uploaded “morphed” photographs of teachers and girls from his school onto the website. He was arrested when the father of one of the victims reported the case to the police.

Common Scenarios - Identity Theft

Identity theft is a term used to refer to fraud that involves stealing money or getting other benefits by pretending to be someone else.

Section 66C Punishment for identity theft. Whoever, fraudulently or dishonestly make use of the electronic signature, password or any other unique identification feature of any other person, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to rupees one lakh. Section 66D Punishment for cheating by personation by using computer resource Whoever, by means of any communication device or computer resource cheats by personation, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to one lakh rupees.

Common Scenarios - Identity Theft

Illustrations : - 1. An American national named Ken Haywood, whose most likely fault was, that his Wi-Fi internet connection was hacked, and under the scanner for involvement in the Ahmadabad terrorist attacks. 2. The biggest case of identity theft ever seen, took place in August of 2009. Eleven people, including a US secret service informant, had been charged in connection with the hacking of nine major retailers and the theft and sale of more than 41 million credit and debit card numbers. This data breach is believed to be the largest hacking and identity theft case ever prosecuted by the US Department of Justice. 3. Kingfisher Airlines was duped of Rs 17 crore caused by an online ticket booking fraud, caused by credit card bookings. These credit card details were obtained by the thieves from various places like shopping mall, restaurant and petrol-pump employees who swipe these cards, felt the officers working on this case.

Common Scenarios - Email Spoofing

A spoofed email is one that appears to originate from one source but actually has been sent from another source

Forgery of electronic records, Email spoofing Under ITA 2008 Section 66A, 66C. • 66A Punishment for sending offensive messages through

communication service, etc. • 66C Punishment for identity theft

Whoever, fraudulently or dishonestly make use of the electronic signature, password or any other unique identification feature of any other person, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to rupees one lakh

Common Scenarios - Email Spoofing

Illustrations : - 1. In an American case, a teenager made millions of dollars by spreading false

information about certain companies whose shares he had short sold. This misinformation was spread by sending spoofed emails, purportedly from news agencies like Reuters, to share brokers and investors who were informed that the companies were doing very badly. Even after the truth came out the values of the shares did not go back to the earlier levels and thousands of investors lost a lot of money.

2. A branch of the erstwhile Global Trust Bank in India experienced a run on the bank. Numerous customers decided to withdraw all their money and close their accounts. An investigation revealed that someone had sent out spoofed emails to many of the bank’s customers stating that the bank was in very bad shape financially and could close operations at any time. The spoofed email appeared to have originated from the bank itself.

Common Scenarios - Intellectual Property Crime

Intellectual Property Crime include software piracy, copyright infringement, trademarks violations, theft of computer source code etc

Motivation for the IP crime is high as it is easy and cheap to steal someones IP. Owners and creators are at huge risk of loosing out their creative work after investing huge amount of money and time Any person who knowing performs a IP crime shall be punishable for a term of not less than 6 months and fine not lest than fifty thousand

Common Scenarios - Intellectual Property Crime

Illustrations : - A software professional from Bangalore was booked for stealing the source code of a product being developed by his employers. He started his own company and allegedly used the stolen source code to launch a new software product. In 2003, a computer user in China obtained the source code of a popular game - LineageII from an unprotected website. This proprietary code was then sold to several people in 2004. One of those people set up a website, www.l2extreme.com, to offer the “Lineage” game at a discount.

Common Scenarios - Cyber Defamation

It occurs when defamation takes place with the help of computers and / or the Internet.

Any person who sends, by means of a computer resource or a communication device,- a) any information that is grossly offensive or has menacing character; or b) any information which he knows to be false, but for the purpose of causing defamation c) any electronic mail or electronic mail message for the purpose of causing annoyance or inconvenience or to deceive or to mislead the addressee or recipient about the origin of such messages Punishment for creating Cyber Defamation extends to 2-3 years with fine

Common Scenarios - Cyber Defamation

Illustration 1 Abhishek, a teenaged student was arrested by the Thane police in India following a girl’s complaint about tarnishing her image in the social networking site Orkut. Abhishek had allegedly created a fake account in the name of the girl with her mobile number posted on the profile. The profile had been sketched in such a way that it drew lewd comments from many who visited her profile. The Thane Cyber Cell tracked down Abhishek from the false e-mail id that he had created to open up the account. Illustration 2 The Aurangabad bench of the Bombay high court issued a notice to Google.com following a public interest litigation initiated by a young lawyer. The lawyer took exception to a community called ‘We hate India’, owned by someone who identified himself as Miroslav Stankovic. The community featured a picture of the Indian flag being burnt. Illustration 3 Unidentified persons posted obscene photographs and contact details of a Delhi school girl. Girl’s family started receiving defamatory calls

Common Scenarios - Web Defacement

Website defacement is usually the substitution of the original home page of a website with another page (some abusive page) by a hacker.

Whoever knowingly or intentionally, destroy or alter any computer source code, shall be punishable with imprisonment up to three years, or with fine which may extend up to two lakh rupees, or with both.

Common Scenarios - Web Defacement

Illustration 1 Mahesh Mhatre and Anand Khare (alias Dr Neukar) were arrested in 2002 for allegedly defacing the website of the Mumbai Cyber Crime Cell. They had allegedly used password cracking software to crack the FTP password for the police website. They then replaced the homepage of the website with pornographic content. The duo was also charged with credit card fraud for using 225 credit card numbers, mostly belonging to American citizens. Illustration 2 In 2001, over 200 Indian websites were hacked into and defaced. The hackers put in words like bugz, death symbol, Paki-king and allahhuakbar.

Common Scenarios - Email Bombing

Email bombing refers to sending a large number of emails to the victim resulting in the victim’s email account or mail servers crashing.

It is also a kind of Denial of Service (DoS) attack If found guilty, the punishment shall be extended till 3 years

Common Scenarios - Email Bombing

Illustration 1 A British teenager was found guilty of launching a denial-of service attack against his former employer. The teenager was accused of sending 5 million e-mail messages to his ex-employer that caused the company's email server to crash. Illustration 2 In one case, a foreigner who had been residing in Simla, India for almost 30 years wanted to avail of a scheme introduced by the Simla Housing Board to buy land at lower rates. When he made an application it was rejected on the grounds that the scheme was available only for citizens of India. He decided to take his revenge. Consequently, he sent thousands of mails to the Simla Housing Board and repeatedly kept sending e-mails till their servers crashed.

Common Scenarios - Spreading Virus/Malwares

Computer viruses are small malicious software programs that are designed to spread from one computer to another and perform harmful activities

There are multiple ways one can spread viruses • Email messages • Infected websites • Instant messaging • Networking protocols • Open share machines If found guilty, then the punishment shall be two to three years.

Common Scenarios - Spreading Virus/Malwares

Illustration 1 The VBS_LOVELETTER virus was reportedly written by a Filipino undergraduate. In May 2000, this deadly virus became the world’s most prevalent virus. Losses incurred during this virus attack were pegged at US $ 10 billion. VBS_LOVELETTER utilized the addresses in Microsoft Outlook and e-mailed itself to those addresses. The e-mail, which was sent out, had “ILOVEYOU” in its subject line. The attachment file was named “LOVE-LETTER-FORYOU. TXT.vbs”. Illustration 2 In 2002, the creator of the Melissa computer virus was convicted. The virus had spread in 1999 and caused more than $80 million in damage by disrupting personal computers, business and government computer networks. Illustration 4 In 2006, a US citizen was convicted for conspiracy to intentionally cause damage to protected computers and commit computer fraud. Between 2004 and 2005, he created and operated a malicious software to constantly scan for and infect new computers. It damaged hundreds of US Department of Defence computers in USA, Germany and Italy. The software compromised computer systems at a Seattle hospital, including patient systems, and damaged more than 1,000 computers in a California school district.

Other Common Cyber Crimes

Cyber crimes can be categorized and listed in multiple ways, however some of the other common cyber crimes observed are as below but not limited to :-

• Cyber stalking

• Cyber Bullying

• Installing Key loggers

• Cyber Terrorism

• Email based Frauds

• Web jacking

• Online Gambling

• DoS Attacks

Security Awareness

YOU can make the difference

Security Awareness – PASSWORD

• Passwords are the only and/OR the primary option to ensure privacy of your information

• Ensure Passwords are complex in nature

• Not as complex that you tend to forget it

• Include combination of upper & lower case, special chars and numbers

• Not easy for others to guess (like your pet name, etc)

• Sensitive passwords should be changed frequently

• Do not write passwords

• Be extra careful of your passwords when using shared machines (like cyber café)

• Avoid sharing your passwords to anyone

Security Awareness – Social Media

• Social Media (FB, twitter, etc) is now an integral part of our daily life

• Be sensitive in what you upload on your social networking account (status, pics, etc)

• Use security and privacy options provided by social media sites

• SMS based second factor authentication

• Access control (who can see what)

• Browser /machine mapping to your social media profile

• Block

• Keep your personal details, personal.

Security Awareness – Smart mobile devices

• DO NOT jail break or root your smart phones

• Connect to ONLY authorized wifi access

• Use auto lock features

• Download apps from authorized app stores ONLY

• Use Privacy options provided by various mobile Operating system

• Do NOT accept calls from weird numbers OR do not give a call back

Security Awareness – Desktops/laptops

• Ensure your Antivirus is updated and scans are configured for a routine check

• Implement personal firewall

• Keep your Operating system updated with latest patches

• Avoid installing cracked softwares

• Keep OS files and personal files in different HDD partition

• Factory Restore is the best option to clean your system

Security Awareness – Internet

• Internet use is a two edge sword. Be SMART on using Internet

• NEVER visit untrusted websites

• NEVER user referral links to visit a website. Instead type in the URL address in the browser

• Always download software from authorized / Trusted sources

• Use Browser addons to get protected from known BAD sites

• Do Not Connect to unknown or unprotected wifi zones

• Ensure no one is shoulder surfing your key strokes

Your feedback is precious … shahkandarp(at)outlook.com