1. Emerging Trends in Cyber Crime
Vicky Shah,
Digitally signed
by Vicky Shah
Vicky Date: 2010.06.20
14:49:30 Z
Reason:
Presented for
Founder – THE EAGLE EYE Shah Educational
Purpose
Signature Location: Mumbai
Not Verified
- India
YOUR INFORMATION SECURITY IS OUR BUSINESS
2. Is this Reality?
• Computers and internet changed our
lives so much that now if we don't have
access to e-mail for a day or two, we feel
uncomfortable.
• Computer and Information security has
become a crucial legal and a technical issue.
• Is the internet taking over our lives?
• We are on the Net 24x7, whether it’s our
PCs, Laptops or Mobiles.
• Have we started relating more to virtual
world than real world?
3. What we do Online?
Email: Love it for speed and hate it for
SPAM.
Chat: Instant Messaging and real time
communication
Google Maharaja: GOD of Search
Social Networking: Facebook, Orkut and
Twitter have become our clone
Reading Blogs: Research, Education, etc..
You Tube: Free Videos
Downloading: Changed the definition of
Free Food.
4. Cyber Crime Challenges - Global
Perpetrator
Easy to learn techniques and acquire tools
Small investments that cause massive economic damage
No need for physical contact with the victims
When done subtly it leaves few or no traces
Easy for players to hide – Anonymity
Service Providers
Many network operators are involved
Many countries may be involved – No boundary
Different policy of different companies
Inadequate cyberspace legislation
No common law for the entire world
No effective regulatory body for content
5. India – Growing Challenges
• Exponential growth of Internet use
• Interconnected business and government
• E-governance growth has implications for
Information Security, Privacy and Cyber
Security
– Income Tax, Excise, Customs, Sales tax networks
connected
– Smart cards, UID being issued
– Land records computerized
– Police networks
– Defense is no longer arms & ammunition but GPS
& networks
6. Transformation
In 2001, we were afraid
of rockets destroying buildings
and computer centers...
9/11
Today, we should be aware of
software destroying rockets and
missiles!
9. Cyber Incidents (Wireless)
• September 13, 2008: Indian Mujahideen militants used
unsecured WiFi system of a company in Chembur
• August 2008: A stray terror e-mail was traced to the
Khalsa College, Matunga, Mumbai.
• July 2008: E-mails were sent before and after the
Ahmedabad blasts. One was traced to Navi Mumbai and
the other to an IP address in Vadodara.
• May 2008: A terror e-mail was sent before the Jaipur
Incidents blasts from a cyber cafe in Ghaziabad.
• November 2007: Serial blasts in Lucknow, Varanasi,
and Faizabad courts in UP. The terror e-mail was sent by
Indian Mujahideen (IM) from a cyber café in Laxmi
Nagar, Delhi.
10. Mumbai Terror Attack 26/11
• Use of technology by the
attackers Terrorists are using
– Global Positioning Satellite sophisticated
technology devices.
systems
– Blackberry It is complicated and
difficult to develop
– CDs with high resolution and coordinate
satellite images necessary security
measures to counter
– Multiple cell phones with such threats
switchable SIM cards
– Satellite phones
13. Lack of Cyber Knowledge
Hampers a parent’s ability to raise
their children
appropriate amount of teaching and ethical
foundation.
Creates a greater differences in
families
Culture of Security and Respectability
in Question
Raises children with no cyber ethical
guidance: bad for business and society as a whole.
15. What is Cyber Security?
• Security deals with three primary issues,
called the CIA triad.
– Confidentiality
• Assurance that only authorized user may access a
resource
– Integrity
• Assurance that resource has not been modified
– Availability
• Assurance that authorized user may access a
resource when requested
• Cyber Security is concerned with the risk of
malpractices in the cyberspace which involves
the people, process and technology.
16. Cyber Crime/Computer Related Offense
Crimes performed or resorted to by abuse of
electronic media or otherwise, with the purpose
of influencing the functioning of computer or
computer system
In simple words,
Cyber/Computer Crime is any crime where:
Computer is a target
Computer is a tool of crime
Computer is incidental to crime.
17. Computer Related Offense
Common types of Crimes may be broadly
classified in the following groups:
1)Against Individual
2)Against Organization
3)Against Society
18. Crime Against Individual
Against Person:
i. Harassment Through e-mails
ii. Cyber-Stalking
iii. Dissemination of obscene material on the
Internet
iv. Defamation
v. Hacking/Cracking
vi. Indecent Exposure
Against property of an individual:
i. Computer vandalism (damage)
ii. Transmitting virus
iii. Internet Intrusion
iv. Unauthorized control over computer system
v. Hacking /Cracking
19. Crime Against Organization
Against Government, Private Firm,
Company, Group of Individuals:
i. Hacking & Cracking
ii. Possession of unauthorized
Information
iii. Cyber terrorism against the
government organization
iv. Identity Theft/Impersonation
v. Distribution of pirated software,
etc…
20. Crime Against Society
At large,
i. Pornography (specially child
pornography)
ii. Polluting the youth through Indecent
Exposure
iii. Trafficking
iv. Hate Speech, Anti Communities,
v. Discrimination and Derogatory
remarks on Religion/Caste on online
platform
21. Email Crimes
• Spamming and Unsolicited Mail
• Blackmailing/Defamatory Mail
• Extortion/Threatening/Obscene/Abusive Mail
• Transmission of Malwares (Virus/Worm/Trojan)
• Advance Fee Schemes – Lottery Schemes – Nigerian
Scams – Job Opportunities, Mule
• Phishing Scams, Identity Theft
22. Cyber Incidents
Mobile Phone based
Forgery, illegal interception & ID Theft
Payment card fraud & e-funds transfer fraud
On-line Gaming/Betting
Theft of Internet & Telephone services
IP offences: illegal software; copyright
breaches etc.
Misuse of Technology: Mobile and Wi-Fi
Commercial/Corporate Espionage
On-line Securities Fraud
Extortion & Criminal conspiracy
23. Emerging Trends and Threats for
2010 - 2011
Spamdexing - Many types of businesses use
search engine optimization to be listed more
prominently in searches conducted on
Google and other sites.
In Spamdexing a Web site with relevant
keywords or search terms, is being
increasingly used by cybercriminals seeking
to disguise malware as legitimate software.
Because so many consumers tend to trust
rankings on leading search engines, they may
readily download one of the fake software
packages.
24. Contd…
Cloud Computing:
Jumping in the cloud - the expense to
maintain a physical IT infrastructure,
the thought of replacing server rooms and
haphazardly configured appliances with
cloud services is simply too hard for many
companies to resist.
But rushing into the cloud without a
security strategy is a recipe for risk.
25. Contd…
Social Engineering: Public Enemy
Number One:
less than two years, social networking
has gone from an abstract curiosity to a
way of life for many people.
Cabinet Minister Lost his Job recently
Vulnerabilities: OS Versus
Application
Trends are shifting from OS now the
applications are being targeted.
26. Contd…
Advertising replaced by
Malvertising
rogue software - Malware as a Service
(MaaS)
Web Content Filters
27. Resourse: Cybercrime Scenario, Investigation Lifecycle, Cybercrime Analysis Categories: North Virginia
Technology Council, aV. Lillard
Cyber Crime Investigation Lifecycle
Incident Expert Witness
Awareness / Testimony
Preliminary Analysis
Consultation
Prevention
Technologies
Improved Processes
Image New Security Policies
Acquisition/ Improved Configurations
Recovery
Preliminary/
Detailed Containment
Final Report
Analysis Presentation
28. Resourse: Cybercrime Scenario, Investigation Lifecycle, Cybercrime Analysis Categories: North Virginia Technology Council,
Terrence V. Lillard
Cyber Crime Analysis Categories
Cybercrime Scene Cybercrime Investigation Lifecycle
Cyber Offender Characteristics Cybercrime Offender Signatures
Cybercrime Motivations
Cybercrime Reconstruction
Deductive
Analysis
Cyber-Victimology
Cybercrime Scene Characteristics
Cybercrime Modus Operandi Cyber-Geographical Mapping
Equivocal Forensics
Digital Evidence Analysis
29. Profile of People Involved
Insider - Disgruntled employees and ex-employees,
spouses, lovers
Crackers - Crack into networks with malicious intent,
Setting traps, etc…
Virus Writer - Pose serious threats to networks and
systems worldwide
Foreign Intelligence - Use cyber tools as part of their
services, For espionage activities, Can pose
the biggest threat to the security of another
country
Terrorists - Use to formulate plans, to raise funds,
propaganda
Script Kiddies - Use tools available on the net
32. Important Case - MMS
CEO of Bazee.com was arrested in December 2004
because a CD with objectionable material was being
sold on the website. The CD was also being sold in the
markets in Delhi.
The Mumbai city police and the Delhi Police got into
action. The CEO was later released on bail.
THIS OPENED UP THE QUESTION AS TO WHAT KIND
OF DISTINCTION DO WE DRAW BETWEEN INTERNET
SERVICE PROVIDER AND CONTENT PROVIDER.
RESULTED IN AMENDMENTS OF IT ACT 2000.
The burden rests on the accused that he was the
Service Provider and not the Content Provider. It also
raises a lot of issues regarding how the police should
handle the cyber crime cases and a lot of education is
required.
34. PLEASE
If a stranger came up to you on the street would
You give him/her your Name,
You give him/her your Date of Birth,
You give him/her your Likes/Dislikes,
You give him/her your Email Id,
You give him/her your Contact Number ?
You give him/her your Photograph?
NO ! NO ! NO ! NO! NO!
THEN WHY DO YOU PUBLISH THE SAME ON
SOCIAL NETWORKING WEBSITES?????
35. How you should handle and approach?
Don’t Panic
Call in your incident response team.
Contain the problem and avoid the “quick
fix.”
Take good notes of the entire situation.
Have your backup facilities ready.
Get rid of the problem.
Use trusted, uncompromised
communications.
Know what to say, to whom and when.
Know when to involve Crime Investigator.
37. Electronic Information & Investigations
Today’s litigious and regulatory
environments mean organizations are
obligated to electronically store information
to support discovery and disclosure
requests.
Organizations that archive email risk losing
control and may struggle to produce
evidential-quality email evidence.
Email is a technological issue, this requires
technological solutions.
38. Sample Header
1. Return-Path: <secret@hotmail.com>
2. Received: from mailhub-1.net.treas.gov ([10.7.14.10]) by
nccmail.usss.treas.gov for <avenit@usss.treas.gov>;Fri, 18 Feb
2000
11:46:07 -0500
3. Received: from mx-relay.treas.gov ([199.196.144.6])
bytias4.net.treas.govvia smtpd (for mailhub.net.treas.gov
[10.7.8.10]) with SMTP; 18 Feb 2000 16:55:44
4. Received: from hotmail.com (f7.law4.hotmail.com
[216.33.149.7]) by mx-relay2.treas.gov for
<avenit@usss.treas.gov>; Fri, 18 Feb 2000 11:55:44 –0500
(EST)
5. Message-ID: <20000218165543.56965.qmail@hotmail.com>
6. Received: from 199.196.144.42 by www.hotmail.com with
HTTP; Fri, 18 Feb 2000 08:55:43
7. X-Originating-IP: [199.196.144.42]
8. From: “Secret" <secret@hotmail.com>
9. To: avenit@usss.treas.gov
10. CC: smith@aol.com
39. 1. Return-Path: <secret@hotmail.com>
Line (1) tells other computers who
really sent the message, and where to
send error messages (bounces and
warnings).
40. 2. Received: from mailhub-1.net.treas.gov ([10.7.14.10]) by
nccmail.usss.treas.gov
for <avenit@usss.treas.gov>;Fri, 18 Feb 2000 11:46:07 -0500
3. Received: from mx-relay.treas.gov ([199.196.144.6]) by
tias4.net.treas.gov via smtpd (for mailhub.net.treas.gov [10.7.8.10])
with SMTP; 18 Feb 2000 16:55:44
4. Received: from hotmail.com (f7.law4.hotmail.com [216.33.149.7]) by
mx relay2.treas.gov for <avenit@usss.treas.gov>; Fri, 18 Feb 2000
11:55:44 -0500 (EST)
Lines (2), (3) and (4)show the route
the message took from sending to
delivery.
Each computer that receives this
message adds a Received: field with its
complete address and time stamp; this
helps in tracking delivery problems.
41. 5. Message-ID:
20000218165543.56965.qmail@hotm
ail.com
Line (5) is the Message-ID, a unique
identifier for this specific message. This
ID is logged, and can be traced through
computers on the message route if
there is a need to track the mail.
42. Trace This
6. Received: from 199.196.144.42 by
www.hotmail.com with HTTP; Fri, 15
Feb 2004 08:55:43
Line (6) shows where the email was
first received from with the IP address
of the sender
Also show the date and time when the
message was sent.
43. 7. X-Originating-IP: [199.196.144.42]
Line (7) shows the originating IP
address of the sender, but without the
date and time the IP address will not
allow you to identify the specific user.
This may or may not be present in
Headers
If the IP Address is a “Static” Address
you WILL be able to identify the
specific user. (most IP Address are
“dynamically” assigned)
44. 8. From: “Secret" secret@hotmail.com
Line (8) tells the name and e-mail
address of the message originator (the
"sender").
Generally this is the domain name we
want to trace
45. 9. To: venit@usss.treas.gov
Line (9) shows the name and e-mail
address of the primary recipient; the
address may be for a
mailing list, (sales_dep@company.com)
system-wide alias, (venit@usss.treas.gov)
a personal username.
46. 10. CC: smith@aol.com
Line (10) lists the names and e-mail
addresses of the "courtesy copy"
recipients of the message.
There may be "Bcc:" recipients as well;
these "blind carbon copy" recipients
get copies of the message, but their
names and addresses are not visible in
the headers.
47. Email as Evidence Copyright
1. Ensure the use of email is subject to agreed procedures, which are supported and enforced by
management at a high level. Acceptable use policies must prescribe good usage and identify bad
usage.
2. Train users of email in acceptable use, and their rights and the obligations expected of them.
3. Implement access control mechanisms to computer systems – so that use can be attributed to a
person, a terminal, a date and a time.
4. Ensure computer systems are kept safe and secure, so that the systems and the data within are
protected from unauthorized access and accidental or deliberate loss and damage.
5. Retention and deletion of email should be organization-defined, not user defined. Individual
users should not have any discretion as to the categories of emails that should be retained or
deleted.
6. Implement a solution that archives and stores emails centrally. The archive should support all
the main file formats and also retain metadata.
7. The archive should classify emails entering the archive at the point-of-entry. The archive should
prevent the entry of duplicates.
8. Ensure the archiving platform facilitates the exporting of evidence as files as a part of the e-
discovery process.
9. Implement an archiving solution that allows full search and retrieval. Metadata should be
searchable as should content.
10. Enable logging of all events acting on the archive. The logs should be retained as part of the
archive, for auditing and verification purposes.
11. Provide contingency for continuity of both archiving and discovery in the event of an outage.
12. Ensure the archiving platform supports the marking-up of files, so that privileged materials can
be withheld and/or redacted during e-discovery.
48. IT Act 2008
(xiii) Data Protection (Sections 43 & 66)
(xiv) Various types of computer crimes defined and stringent penalties provided
under the Act (Section 43 and Sections 66, 67, 72)
(xv) Appointment of Adjudicating officer for holding inquiries under the Act
(Sections 46 & 47)
(xvi) Establishment of Cyber Appellate Tribunal under the Act (Sections 48-56)
(xvii) Appeal from order of Adjudicating Officer to Cyber Appellate Tribunal and
not to any Civil Court (Section 57)
(xviii) Appeal from order of Cyber Appellate Tribunal to High Court (Section 62)
(xix) Interception of information from computer to computer (Section 69)
(xx) Protection System (Section 70)
(xxi) Act to apply for offences or contraventions committed outside India (Section
75)
(xxii) Investigation of computer crimes to be investigated by officer at the PI
(xxiii) Network service providers not to be liable in certain cases (Section 79)
(xxiv) Power of police officers and other officers to enter into any public place and
search and arrest without warrant (Section 80)
(xxv) Offences by the Companies (Section 85)
(xxvi) Constitution of Cyber Regulations Advisory Committee who will advice the
Central Government and Controller (Section 88)
49. IT Act 2008
• New Section to address promotion of e-Governance Section 6A & other IT
application
– Delivery of Service
– Outsourcing – Public Private Partnership
• New Section to address electronic contract Section 10A
• New Section to address data protection and privacy Section 43
• Body corporate to implement best security practices Sections 43A & 72A
• Preservation and Retention of Data/Information Section 67C
• Revision of existing Section 69 to empower Central Section 69 Government to
designate agencies and issue direction for interception and safeguards for
monitoring and decryption
• Blocking of Information for public access Section 69A
Monitoring of Traffic Data and Information for Section 69B Cyber Security
• New section for designating agency for protection Section 70A of Critical
Information Infrastructure
• New Section for power to CERT-In to call and Section 70B analyse information
relating to breach in cyber space and cyber security
50. Legal Scenario - India
• Section 65 - Tampering with computer source code
• Section 66 – Computer Related Offence
Indian IT • Section 66 A – Obscene Communication
• Section 66 B – Stolen Resource
Act, 2000 • Section 66 C – Identity Theft
• Section 66 D – Cheating by Personation
• Section 66 E – Violation of Privacy
• Section 66 F – Cyber Terrorism
• Section 67 A– Pornography
• Section 67 B – Child Pornography
• Section 72 - Breach of confidentiality and Privacy
• Section 72 A – Disclosure of information in breach of lawful contract
Indian • States any person who knowingly makes use of an illegal
copy of computer program shall be punishable.
Copyright • Computer programs have copyright protection, but no
Act patent protection.
• Section 406 - Punishment for criminal breach of trust
Indian Penal • Section 420 - Cheating and dishonestly inducing delivery
Code of property
• Sectio 417, 419, 467, 509, etc… applicable as per the case
Indian Offers following remedies in case of breach of contract:
• Damages
Contract Act, • Specific performance of the contract
1872
51. Way Forward
Shifting from a reactive to a proactive posture
Focus on more strategic approach
Get the right people together
Established a CISO or CSO position if not done
yet
Engage Business and IT decision-makers in
addressing security.
Embed security awareness more deeply
across the enterprise
Plan for better security, earlier in
development
52. Strengthen incident response planning:
(1) ensure that you have an integrated approach
to security breaches, staffed by a skilled,
interdisciplinary team;
(2) have a consistent response procedure for
incidents;
(3) review security policies and align them with
your incident response procedures; &
53. Recommendations
• Awareness is important and any incident should be
reported at once
• Users must try and save any electronic information
trail on their computers
• Avoid giving out unnecessary information about
yourself
• Use the licensed, latest & updated anti-virus software,
operating systems, web browsers and email programs
• Check out the site you are doing business with
thoroughly
• Send credit card information only to secure sites
• Protect your Website and Maintain Backups
54. Summary
• 99% of the problem lies between the keyboard and
chair i.e. the user
• Every one a target; Every system a challenge
• Cyber Security is not just a technical problem –
everyone has a role to play in it
• You cannot “fix” security – you can only manage it
• AWARENESS OF THE THREAT IS ITSELF A KEY
CONTROL
55. About Me
Educational Qualifications:
B.Sc. Information Technology,
P.G.D. Information Technology,
P.G.D. Cyber Laws,
Master of Computer Applications
Certifications:
Forensic Examiner: AccessData Certified Examiner,
Audit: ISO27001 Lead Auditor (IRCA)
Founder – The Eagle Eye
Founder - www.cybercrimes.in
Co-Founder – Open Security Alliance
Former Manager – DSCI & Senior Associate – Cyber Security
NASSCOM.
56. Contact Details
Questions
Thank You for your patient listening!
Email:
vicky@cybercrimes.in
Discussion Forum: www.cybercrimes.in/SMF
Cell:
+91-98201-05011
“Human Behaviour is the Biggest Risk in Security –
Vicky Shah”
“Cyber Space: Safe to Use; Unsafe to Misuse –
NASSCOM”
57. Disclaimer
This presentation is prepared for knowledge sharing and
awareness for ISACA Mumbai Chapter Members on June
19, 2010. You can use the information provided here
with proper credits. I have tried not to hide original
credits as far as possible, nor am I using this presentation
for any personal financial gain. Information available in
this presentation is not enforceable by law; however
these are my view about the topic which I feel should be
shared. Any errors, omissions, misstatements, and
misunderstandings set forth in the presentation are
sincerely apologized. Relying on the contents will be sole
responsibility of the users.
- Vicky Shah -