
Govt. Engg. College, Ajmer

Chapter 1

1.1 Introduction to Cyber Law

Cyber law is the law governing cyberspace. Cyberspace is a collective noun for the diverse range of environments that have arisen using the Internet and its various services. The expression "crime" is defined as an act which subjects the doer to legal punishment, or any offence against morality, social order or any unjust or shameful act. "Offence" is defined in the Code of Criminal Procedure as an act or omission made punishable by any law for the time being in force. Cyber crime is a term used to broadly describe criminal activity in which computers or computer networks are a tool, a target, or a place of criminal activity; it includes everything from electronic cracking to denial of service attacks. It is also used to include traditional crimes in which computers or networks are used to enable the illicit activity. Computer crime mainly consists of unauthorized access to computer systems, data alteration, data destruction and theft of intellectual property. Cyber crime in the context of national security may involve hacktivism, traditional espionage, or information warfare and related activities. Cyber crimes have been reported across the world. Cyber crime is now amongst the most important revenue sectors for global organized crime, says Frost & Sullivan industry analyst Katie Gotzen. Because of this, the potential risks associated with malware have risen dramatically. Unlike in traditional crimes, the information technology infrastructure is not only used to commit the crime but very often is itself the target of the crime. Pornography, threatening e-mail, assuming someone's identity, sexual harassment, defamation, spam and phishing are some examples where computers are used to commit crime, whereas viruses, worms, industrial espionage, software piracy and hacking are examples where computers become the target of crime.


1.2 Need for Cyber Law


There are various reasons why it is extremely difficult for conventional law to cope with cyberspace.

1. Cyberspace is an intangible dimension that is impossible to govern and regulate using conventional law.
2. Cyberspace has complete disrespect for jurisdictional boundaries. A person in India could break into a bank's electronic vault hosted on a computer in the USA and transfer millions of rupees to another bank in Switzerland, all within minutes. All he would need is a laptop computer and a cell phone.
3. Cyberspace handles gigantic traffic volumes every second. Billions of e-mails are crisscrossing the globe even as we read this, millions of websites are being accessed every minute and billions of dollars are electronically transferred around the world by banks every day.
4. Cyberspace is absolutely open to participation by all. A ten-year-old in Bhutan can have a live chat session with an eight-year-old in Bali without any regard for the distance or the anonymity between them.
5. Cyberspace offers enormous potential for anonymity to its members. Readily available encryption software and steganographic tools that seamlessly hide information within image and sound files ensure the confidentiality of information exchanged between cyber-citizens.
6. Cyberspace offers never-seen-before economic efficiency. Billions of dollars' worth of software can be traded over the Internet without the need for any government licences, shipping and handling charges, and without paying any customs duty.
7. Electronic information has become the main object of cyber crime. It is characterized by extreme mobility, which exceeds by far the mobility of persons, goods or other services. International computer networks can transfer huge amounts of data around the globe in a matter of seconds.
8. A software source code worth crores of rupees, or a movie, can be pirated across the globe within hours of its release.
9. Theft of corporeal information (e.g. books, papers, CD-ROMs, floppy disks) is easily covered by traditional penal provisions. However, the problem begins when electronic records are copied quickly, inconspicuously and often via telecommunication facilities. Here the original information, so to say, remains in the possession of the owner and yet the information gets stolen.


1.3 Cyber Crime Classifications


1.3.1 Against Individuals

- Email spoofing: A spoofed e-mail is one in which the e-mail header is forged so that the mail appears to originate from one source but has actually been sent from another source.
- Spamming: Spamming means sending multiple copies of unsolicited mails or mass e-mails such as chain letters.
- Cyber defamation: This occurs when defamation takes place with the help of computers and/or the Internet, e.g. someone publishes defamatory matter about someone on a website or sends e-mails containing defamatory information.
- Harassment and cyber stalking: Cyber stalking means following the moves of an individual's activity over the Internet. It can be done with the help of many protocols available, such as e-mail, chat rooms and Usenet groups.
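The e-mail spoofing described above rests on a forged From: header. A receiving mail system can often detect the forgery by checking whether the visible From: domain agrees with the envelope sender (Return-Path) and with the domain that actually passed SPF and DKIM, which is the alignment test DMARC performs. The following Python is an added example, not part of the report; the two messages, the domains examplebank.test and bulk-mailer.example, and the Authentication-Results header values are constructed for the demonstration.

```python
"""Added example (not from the report): flag e-mail messages whose visible
From: domain disagrees with the envelope sender and with the domain that
passed SPF/DKIM (DMARC-style alignment).  Messages are constructed."""
from email import message_from_string
from email.utils import parseaddr
import re


def domain_of(address):
    """Lower-cased domain of 'Name <user@domain>' (empty string if none)."""
    _, addr = parseaddr(address or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def authenticated_domains(auth_results):
    """Extract (result, domain) for spf and dkim from Authentication-Results."""
    out = {}
    for method, key in (("spf", r"smtp\.mailfrom"), ("dkim", r"header\.d")):
        m = re.search(rf"{method}=(\w+)[^;]*?{key}=([\w.@-]+)", auth_results or "")
        if m:
            out[method] = (m.group(1).lower(), m.group(2).rsplit("@", 1)[-1].lower())
    return out


def spoof_indicators(raw_message):
    """Return reasons the From: header may be forged (empty list = aligned)."""
    msg = message_from_string(raw_message)
    from_domain = domain_of(msg.get("From"))
    envelope_domain = domain_of(msg.get("Return-Path"))
    auth = authenticated_domains(msg.get("Authentication-Results"))
    findings = []
    if envelope_domain and envelope_domain != from_domain:
        findings.append(f"From domain {from_domain} differs from envelope sender {envelope_domain}")
    for method in ("spf", "dkim"):
        result = auth.get(method)
        if result is None or result[0] != "pass":
            findings.append(f"no {method.upper()} pass recorded")
        elif result[1] != from_domain:
            findings.append(f"{method.upper()} passed for {result[1]}, not for {from_domain}")
    return findings


# Constructed sample: every identifier agrees, as a genuine notification would.
LEGITIMATE = "\n".join([
    "Return-Path: <alerts@examplebank.test>",
    "Authentication-Results: mx.example.test; spf=pass smtp.mailfrom=alerts@examplebank.test; dkim=pass header.d=examplebank.test",
    "From: ExampleBank Alerts <alerts@examplebank.test>",
    "To: customer@example.test",
    "Subject: Statement ready",
    "",
    "Your statement is ready.",
])

# Constructed sample: the From: line claims the bank, but the message was
# really sent by a bulk mailer and carries no DKIM signature for the bank.
SPOOFED = "\n".join([
    "Return-Path: <bounce@bulk-mailer.example>",
    "Authentication-Results: mx.example.test; spf=pass smtp.mailfrom=bounce@bulk-mailer.example; dkim=none",
    "From: ExampleBank Security <security@examplebank.test>",
    "To: customer@example.test",
    "Subject: Verify your account",
    "",
    "Please confirm your details.",
])

if __name__ == "__main__":
    for name, raw in (("legitimate", LEGITIMATE), ("spoofed", SPOOFED)):
        print(name, "->", spoof_indicators(raw) or "aligned")
```

Note that the check trusts the Authentication-Results header only when the receiving server itself added it; a forwarded message can carry a header written by anyone, so production filters strip or re-evaluate such headers at the boundary.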

1.3.2 Against Property

- Credit card fraud.
- Intellectual property crimes: These include software piracy, illegal copying of programs, distribution of copies of software, copyright infringement and trademark violations.
- Internet time theft: the usage of Internet hours by an unauthorized person which are actually paid for by another person.

1.3.3 Against Organizations

- Unauthorized accessing of computers: Accessing a computer/network without permission from the owner.
- Denial of service: When an Internet server is flooded with continuous bogus requests so as to deny legitimate users the use of the server, or to crash the server.
- Virus attack: A computer virus is a computer program that can infect other computer programs by modifying them in such a way as to include a (possibly evolved) copy of itself. Viruses can be file-infecting or affect the boot sector of the computer. Worms, unlike viruses, do not need a host to attach themselves to.
- Email bombing: Sending large numbers of mails to an individual, a company or mail servers, ultimately resulting in a crash.
- Salami attack: When negligible amounts are removed and accumulated into something larger. These attacks are used for the commission of financial crimes.
- Logic bomb: It is an event-dependent program; as soon as the designated event occurs, it crashes the computer, releases a virus or does other harm.
- Trojan horse: an unauthorized program which functions from inside what seems to be an authorized program, thereby concealing what it is actually doing.
- Data diddling: This kind of attack involves altering raw data just before it is processed by a computer and then changing it back after the processing is completed.

1.3.4 Against Society

- Forgery: currency notes, revenue stamps, mark sheets etc. can be forged using computers and high-quality scanners and printers.
- Cyber terrorism: Use of computer resources to intimidate or coerce others.
- Web jacking: Hackers gain access to and control over the website of another; they may even change the content of the website to fulfil a political objective or for money.

1.4 Types of Cyber Crime

1.4.1 Cyber Stalking

Cyber stalking can be defined as the repeated acts of harassment or threatening behaviour of the cyber criminal towards the victim by using Internet services. Stalking in general terms can be referred to as repeated acts of harassment targeting the victim, such as:

1. Following the victim
2. Making harassing phone calls
3. Killing the victim's pet
4. Vandalizing the victim's property
5. Leaving written messages or objects

Stalking may be followed by serious violent acts such as physical harm to the victim and the same has to be treated and viewed seriously. It all depends on the course of conduct of the stalker. Cyber-stalking refers to the use of the Internet, e-mail, or other electronic communications device to stalk another person. It is a relatively new form of harassment, unfortunately, rising to alarming levels especially in big cities. In many cases, the cyber stalker and the victim had a prior relationship, and the cyber stalking begins when the victim attempts to break off the relationship. However, there also have been many instances of cyber stalking by strangers. Given the enormous amount of personal information available through the Internet, a cyber stalker can easily locate private information about a potential victim with a few mouse clicks or keystrokes. The fact that cyber stalking does not involve physical contact may create the misperception that it is more benign than physical stalking. This is not necessarily true.


1.4.2 Denial of Service


This is an act by a criminal who floods the bandwidth of the victim's network or fills his e-mail box with spam mail, depriving him of the services he is entitled to access or provide. This act is committed by techniques called spoofing and buffer overflow. The criminal spoofs the IP address and floods the network of the victim with repeated requests. Since the IP address is fake, the victim machine keeps waiting for a response from the criminal's machine for each request. This consumes the bandwidth of the network, which then fails to serve legitimate requests and ultimately breaks down. The diagram below will give you an idea of how the attack happens.
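The pattern described above, many connection requests from forged source addresses that never complete because the forged sources never answer, is visible in a connection log as a large number of distinct sources with half-open handshakes. The Python below is an added example, not from the report: it reads a constructed log in which each line records a client SYN (S) or the client's final handshake ACK (A), and flags a destination when many sources opened connections but few finished. The addresses come from the RFC 5737 documentation ranges and the log format is invented for the demonstration.

```python
"""Added example (not from the report): detect the half-open connection
pattern a spoofed-source flood leaves behind.  Each constructed log line is
'<time> <src> -> <dst:port> <flag>' where S is a client SYN and A is the
client's final handshake ACK; spoofed sources never send the A."""
from collections import defaultdict


def parse_line(line):
    """Split one constructed log line into (src, dst, flag)."""
    _time, src, _arrow, dst, flag = line.split()
    return src, dst, flag


def half_open_report(lines, min_sources=20, max_completion=0.5):
    """Per destination, count sources that sent a SYN and those that completed.

    A destination is flagged when at least min_sources distinct sources opened
    connections and the completed fraction is at most max_completion, which is
    the signature of a flood from spoofed addresses rather than real clients."""
    syn_sources = defaultdict(set)
    ack_sources = defaultdict(set)
    for line in lines:
        src, dst, flag = parse_line(line)
        if flag == "S":
            syn_sources[dst].add(src)
        elif flag == "A":
            ack_sources[dst].add(src)
    alerts = {}
    for dst, sources in syn_sources.items():
        completed = len(sources & ack_sources[dst])
        ratio = completed / len(sources)
        if len(sources) >= min_sources and ratio <= max_completion:
            alerts[dst] = {
                "syn_sources": len(sources),
                "completed": completed,
                "half_open": len(sources) - completed,
            }
    return alerts


def sample_log():
    """Constructed log: 3 real clients to each service, plus 40 spoofed SYNs to :80."""
    lines = []
    for i in range(1, 4):
        for dst in ("203.0.113.5:80", "203.0.113.9:443"):
            lines.append(f"12:00:0{i} 198.51.100.{i} -> {dst} S")
            lines.append(f"12:00:0{i} 198.51.100.{i} -> {dst} A")
    for i in range(1, 41):  # forged sources: the SYN arrives, the ACK never does
        lines.append(f"12:00:05 192.0.2.{i} -> 203.0.113.5:80 S")
    return lines


if __name__ == "__main__":
    for dst, stats in half_open_report(sample_log()).items():
        print(f"possible SYN flood against {dst}: {stats}")
```

On a real host the same counts are available from the kernel's socket table (connections in SYN_RECV state), and the usual mitigations are SYN cookies and rate limiting at the edge rather than log analysis after the fact.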

1.4.3 Hackers

Hacking is in some ways the online equivalent of burglary; in other words, breaking into premises against the wishes of the lawful owner - in some jurisdictions a crime in itself, from which other criminal acts such as theft and/or damage generally result. Computer hacking refers to gaining unauthorised access to, and hence some measure of control over, a computer facility, and most countries now have specific legislation in place to deter those who might wish to practise this art and science. In some jurisdictions, unauthorised access alone constitutes a criminal offence, even if the hacker attempts nothing further. However, in practice, hackers generally have a particular target in mind, so their unauthorised access leads to further acts, which national law might also define as criminal activities. These can be summarised under the headings of unauthorised:

- Obtaining of confidential information: perhaps the major growth area in computer crime is "identity theft", in other words the obtaining of personal information that can then be used to commit other serious offences, usually in the area of fraud. However, other motives include espionage (both governmental and commercial secrets) and the obtaining of personally sensitive information that might be used for tracing people, deception and blackmail.
- Alteration or deletion of data and code: most organisations now depend to some extent on computerised information systems, and any act resulting in significant corruption or deletion of corporate data could have serious implications for their ability to transact business.
- Degradation or cessation of service: acts that result in systems being unable to carry their workload, or that fail altogether, could also have serious business implications.

1.4.4 Online Fraud


The net is a boon for people to conduct business effectively, very quickly. It saves businesses a lot of time, money and resources. Unfortunately, the net is also an open invitation to scamsters and fraudsters and online frauds are becoming increasingly rampant.

Spoof websites and e-mail security alerts

Fraudsters create authentic-looking websites that are actually nothing but a spoof. The purpose of these websites is to make the user enter personal information. This information is then used to access business and bank accounts. Fraudsters are increasingly turning to e-mail to generate traffic to these websites. A lot of customers of financial institutions recently received such e-mails. Such e-mails usually contain a link to a spoof website and mislead users into entering user IDs and passwords on the pretence that security details can be updated or passwords changed.

Virus hoax e-mails

It is a sad fact of life that there are those who enjoy exploiting the concerns of others. Many e-mailed warnings about viruses are hoaxes, designed purely to cause concern and disrupt businesses. These warnings may be genuine, so don't take them lightly, but always check the story out by visiting an anti-virus site such as McAfee or Symantec before taking any action, including forwarding them to friends and colleagues.

Lottery frauds

These are letters or e-mails which inform the recipient that he/she has won a prize in a lottery. To get the money, the recipient has to reply, after which another mail is received asking for bank details so that the money can be directly transferred. The e-mail also asks for a processing fee/handling fee. Of course, the money is never transferred; the processing fee is swindled and the banking details are used for other frauds and scams.


Spoofing

Spoofing means illegal intrusion, posing as a genuine user. A hacker logs in to a computer illegally, using a different identity than his own. He is able to do this by having previously obtained the actual password. He creates a new identity by fooling the computer into thinking he is the genuine system operator. The hacker then takes control of the system.

1.4.5 Pornography

Child pornography is a very unfortunate reality of the Internet. The Internet is being heavily used by its abusers to reach and abuse children sexually, worldwide. The Internet is very fast becoming a household commodity in India. Its explosion has made children viable victims of cyber crime. As more homes have access to the Internet, more children will be using it, and the greater the chances of their falling victim to the aggression of paedophiles. Child pornography means any visual depiction, including:

1. any photograph,
2. film, video, picture, or
3. computer or computer-generated image or picture,

of sexually explicit conduct, where the production of such visual depiction involves the use of a minor engaging in sexually explicit conduct.

1.4.6 Software Piracy

Theft of software through the illegal copying of genuine programs, or the counterfeiting and distribution of products intended to pass for the original, is termed software piracy. Software piracy includes:

- End-user copying
- Hard-disk loading
- Counterfeiting
- Illegal downloads from the Internet

A consumer of pirated software may get untested software potentially containing hard-drive-infecting viruses, have no technical support in case of software failure, have no warranty protection and have no legal right to use the product.

1.4.7 Spoofing

Spoofing means a hacker logs in to a computer illegally using a different identity than his own. He is able to do this by having previously obtained the actual password. He creates a new identity by fooling the computer into thinking he is the genuine system operator. The hacker then takes control of the system.


1.4.8 Usenet Newsgroup


Usenet is a popular means of sharing and distributing information on the web with respect to specific topics or subjects.

Possible criminal uses of Usenet:

- Distribution/sale of pornographic material
- Distribution/sale of pirated software
- Distribution of hacking software
- Sale of stolen credit card numbers
- Sale of stolen data/stolen property

1.4.9 Virus Dissemination


A computer virus is a program that can infect other legitimate programs by modifying them to include a possibly evolved copy of itself. Viruses can spread themselves, without the knowledge or permission of the users, to potentially large numbers of programs on many machines. A computer virus passes from computer to computer as a biological virus passes from person to person. Viruses can also contain instructions that cause damage or annoyance; the combination of possibly damaging code with the ability to spread is what makes viruses a considerable concern. A virus spreads without any readily visible symptoms. A virus's effects can be event-driven, time-driven or triggered at random.


CHAPTER 2 INFORMATION TECHNOLOGY ACTS


2.1 Information Technology Act 2000
The Information Technology Act 2000 (ITA-2000) is an Act of the Indian Parliament (No. 21 of 2000) notified on October 17, 2000. The United Nations General Assembly, by resolution A/RES/51/162 dated 30 January 1997, adopted the Model Law on Electronic Commerce adopted by the United Nations Commission on International Trade Law. Following the UN resolution, India passed the Information Technology Act 2000 in May 2000 and notified it for effectiveness on October 17, 2000. The Information Technology Act 2000 has been substantially amended through the Information Technology Amendment Act 2008, which was passed by the two houses of the Indian Parliament on December 23 and 24, 2008. The salient features of the Information Technology Act, 2000 are as follows:

- Extends to the whole of India (Section 1)
- Authentication of electronic records (Section 3)
- Legal framework for affixing digital signatures by use of an asymmetric crypto system and hash function (Section 3)
- Legal recognition of electronic records (Section 4)
- Legal recognition of digital signatures (Section 5)
- Retention of electronic records (Section 7)
- Publication of the Official Gazette in electronic form (Section 8)
- Security procedure for electronic records and digital signatures (Sections 14, 15, 16)
- Licensing and regulation of Certifying Authorities for issuing digital signature certificates (Sections 17-42)
- Functions of the Controller (Section 18)
- Appointment of Certifying Authorities and the Controller of Certifying Authorities, including recognition of foreign Certifying Authorities (Section 19)
- Controller to act as repository of all digital signature certificates (Section 20)
- Data protection (Sections 43 & 66)
- Various types of computer crimes defined and stringent penalties provided under the Act (Section 43 and Sections 66, 67, 72)
- Appointment of adjudicating officer for holding inquiries under the Act (Sections 46 & 47)
- Establishment of the Cyber Appellate Tribunal under the Act (Sections 48-56)
- Appeal from an order of the Adjudicating Officer to the Cyber Appellate Tribunal and not to any civil court (Section 57)
- Appeal from an order of the Cyber Appellate Tribunal to the High Court (Section 62)
- Interception of information from computer to computer (Section 69)
- Protected systems (Section 70)
- Act to apply to offences or contraventions committed outside India (Section 75)
- Computer crimes are to be investigated by an officer at the DSP level
- Network service providers not to be liable in certain cases (Section 79)
- Power of police officers and other officers to enter any public place and search and arrest without warrant (Section 80)
- Offences by companies (Section 85)

2.2 The Information Technology (Amendment) Act, 2008

The Information Technology (Amendment) Act, 2008 was signed by the President of India on February 5, 2009. A review of the amendments indicates that several provisions relating to data protection and privacy, as well as provisions to curb terrorism using the electronic and digital medium, have been introduced into the new Act. Some of the salient features of the Act are as follows:

- The term "digital signature" has been replaced with "electronic signature" to make the Act more technology neutral.
- A new section has been inserted to define "communication device" to mean cell phones, personal digital assistants or a combination of both, or any other device used to communicate, send or transmit any text, video, audio or image.
- A new section has been added to define "cyber café" as any facility from where access to the Internet is offered by any person in the ordinary course of business to members of the public.
- A new definition has been inserted for "intermediary". An intermediary, with respect to any particular electronic record, means any person who on behalf of another person receives, stores or transmits that record or provides any service with respect to that record, and includes telecom service providers, network service providers, Internet service providers, web-hosting service providers, search engines, online payment sites, online auction sites, online marketplaces and cyber cafés, but does not include a body corporate referred to in Section 43A.
- A new section 10A has been inserted to the effect that contracts concluded electronically shall not be deemed unenforceable solely on the ground that electronic form or means was used.
- The damages of Rs. one crore (approximately USD 200,000) prescribed under section 43 of the earlier Act for damage to a computer, computer system etc. have been deleted, and the relevant parts of the section have been substituted by the words "he shall be liable to pay damages by way of compensation to the person so affected".
- A new section 43A has been inserted to protect sensitive personal data or information possessed, dealt with or handled by a body corporate in a computer resource which such body corporate owns, controls or operates. If such a body corporate is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, it shall be liable to pay damages by way of compensation to the person so affected.
- A host of new sections have been added to section 66 as sections 66A to 66F, prescribing punishment for offences such as obscene electronic message transmissions, identity theft, cheating by impersonation using a computer resource, violation of privacy and cyber terrorism.
- Section 67 of the old Act is amended to reduce the term of imprisonment for publishing or transmitting obscene material in electronic form to three years from five years, and to increase the fine from Indian Rupees 100,000 (approximately USD 2,000) to Indian Rupees 500,000 (approximately USD 10,000).
- A host of new sections have been inserted as Sections 67A to 67C. While Sections 67A and 67B insert penal provisions in respect of offences of publishing or transmitting material containing sexually explicit acts and child pornography in electronic form, section 67C deals with the obligation of an intermediary to preserve and retain such information as may be specified, for such duration and in such manner and format as the central government may prescribe.
- In view of the increasing threat of terrorism in the country, the new amendments include an amended section 69 giving power to the state to issue directions for interception, monitoring or decryption of any information through any computer resource. Further, sections 69A and 69B, two new sections, grant power to the state to issue directions for blocking public access to any information through any computer resource, and to authorize the monitoring and collection of traffic data or information through any computer resource for cyber security.
- Section 79 of the old Act, which exempted intermediaries, has been modified to the effect that an intermediary shall not be liable for any third-party information, data or communication link made available or hosted by him if: (a) the function of the intermediary is limited to providing access to a communication system over which information made available by third parties is transmitted or temporarily stored or hosted; (b) the intermediary does not initiate the transmission, select the receiver of the transmission, or select or modify the information contained in the transmission; (c) the intermediary observes due diligence while discharging his duties. However, section 79 will not apply to an intermediary if the intermediary has conspired, abetted, aided or induced, whether by threats or promise or otherwise, the commission of the unlawful act, or if, upon receiving actual knowledge or on being notified that any information, data or communication link residing in or connected to a computer resource controlled by it is being used to commit an unlawful act, the intermediary fails to expeditiously remove or disable access to that material on that resource without vitiating the evidence in any manner.
- A proviso has been added to Section 81, which states that the provisions of the Act shall have overriding effect. The proviso states that nothing contained in the Act shall restrict any person from exercising any right conferred under the Copyright Act, 1957.


CHAPTER 3 PROTECTIVE MEASURES


3.1 System hacking

- Use a good antivirus like BitDefender, McAfee or Kaspersky.
- A well-established firewall at the company's router may help in analysing every packet.
- Eliminate use of the Internet on the job as long as possible.
- Use a good password length.
- Encrypt data.
- Avoid P2P file-sharing software.
- Delete unknown e-mails.
- Do not click on ads.
- Be careful what you attach to your computer.
- Secure your wireless network.
- Install only trusted software.
- Keep Windows updated.

3.2 Bluetooth Hacking


- Switch off Bluetooth in public places or when not in use.
- The "pairing procedure" is the fundamental level of protection for Bluetooth devices.
- The encryption algorithm must be strong enough to provide secure communication among devices.
- Switch the phone into invisible (non-discoverable) mode.
- Regularly update the phone's security features.
- Exercise caution before opening attachments.
- Only download content from a trusted source.

3.3 Mobile and Wireless Hacking

- Be careful where you store sensitive information. For example, don't use a non-secure notes-type app to store your credit card, bank account or PIN codes. Use a secure (password/PIN-protected) app or, better still, don't store this type of information anywhere.
- Avoid public Wi-Fi. Avoid checking e-mails, logging into mobile banking sites and accessing private information when your phone is connected to public Wi-Fi such as that in coffee shops, as these networks are often insecure.
- Set a phone password. If your phone is lost or stolen, a password could stop a data hacker in their tracks.
- Turn off Bluetooth. When you're not using Bluetooth, always turn it off, as hackers could use the wireless connection to gain remote access to your phone.
- Turn off auto-complete. Some phones save user names and passwords automatically to help you log in faster next time, but this could also help a hacker access your personal data. Check your phone's Settings menu to see if it is automatically storing information.
- Delete your browsing history. Not seeing a list of which websites you've recently visited and the information you've accessed might be a little inconvenient, but clearing your mobile phone's Internet browser history, cookies and cache will make it harder for a hacker to get your data.


CHAPTER 4 MODERN COUNTERMEASURES


Modern trends lead to the following effective countermeasures:

4.1 Live CDs/USBs


Rebooting the computer using a Live CD or write-protected Live USB is a possible countermeasure against software keyloggers, provided the CD is clean of malware and the operating system contained on it is secured and fully patched so that it cannot be infected as soon as it is started. Booting a different operating system does not impact the use of hardware- or BIOS-based keyloggers. These approaches keep the attacker's file system segregated by keeping data in RAM (CDs and bootable USB tokens).

4.2 Encrypted Hard Drives


Disk encryption is a technology which protects information by converting it into unreadable code that cannot be deciphered easily by unauthorized people. Disk encryption uses disk encryption software or hardware to encrypt every bit of data that goes on a disk or disk volume, and so prevents unauthorized access to data storage. The term "full disk encryption" (or whole disk encryption) is often used to signify that everything on a disk is encrypted, including the programs that can encrypt bootable operating system partitions. But these must still leave the master boot record (MBR), and thus part of the disk, unencrypted. There are, however, hardware-based full disk encryption systems that can truly encrypt the entire boot disk, including the MBR. Disk encryption does not replace file or directory encryption in all situations. Disk encryption is sometimes used in conjunction with filesystem-level encryption with the intention of providing a more secure implementation. Since disk encryption generally uses the same key for encrypting the whole volume, all data is decryptable when the system runs. However, some disk encryption solutions use multiple keys for encrypting different partitions. If an attacker gains access to the computer at run-time, the attacker has access to all files. Conventional file and folder encryption instead allows different keys for different portions of the disk, so an attacker cannot extract information from still-encrypted files and folders.


4.3 Virtualization

Virtualization is the creation of a virtual (rather than actual) version of something, such as a hardware platform, operating system, storage device or network resources. There are many types of virtualization:

Hardware
- Hardware virtualization or platform virtualization refers to the creation of a virtual machine that acts like a real computer with an operating system.

Desktop
- Desktop virtualization is the concept of separating the logical desktop from the physical machine.

Software
- Hosting of multiple virtualized environments within a single OS instance.
- Application virtualization and workspace virtualization, the hosting of individual applications in an environment separated from the underlying OS.
- Service virtualization, emulating the behaviour of dependent system components that are needed to exercise an application under test (AUT) for development or testing purposes.

Memory
- Memory virtualization, aggregating RAM resources from networked systems into a single memory pool.
- Virtual memory, giving an application program the impression that it has contiguous working memory, isolating it from the underlying physical memory implementation.

Storage
- Storage virtualization, the process of completely abstracting logical storage from physical storage.
- Distributed file systems.
- Storage hypervisors.

Data
- Data virtualization, the presentation of data as an abstract layer, independent of underlying database systems, structures and storage.
- Database virtualization, the decoupling of the database layer, which lies between the storage and application layers within the application stack.

Network
- Network virtualization, creation of a virtualized network addressing space within or across network subnets.

4.4 Web 2.0


Web 2.0 is a loosely defined intersection of web application features that facilitate participatory information sharing, interoperability, user-centered design, and collaboration on the World Wide Web. A Web 2.0 site allows users to interact and collaborate with each other in a social media dialogue as creators of user-generated content in a virtual community, in contrast to websites where users are limited to the passive viewing of content that was created for them. Examples of Web 2.0 include social networking sites, blogs, wikis, video sharing sites, hosted services, web applications, mashups and folksonomies.


CHAPTER 5 PHISHING

5.1 Introduction
In October 2004, the Canada-U.S. Cross-Border Crime Forum released a report, prepared jointly by the U.S. Department of Justice (DOJ) and Public Safety and Emergency Preparedness Canada (PSEPC), on identity theft. The report identified, among other methods of committing identity theft, the growing use of a technique known as phishing. Consumers receive "spoofed" e-mails (e-mails that appear to belong to legitimate businesses such as financial institutions or online auction sites). These e-mails typically redirect consumers to a spoofed website, appearing to be from that same business or entity. Similarly, many consumers receive "pretext" phone calls (phone calls from persons purporting to be with legitimate institutions or companies) asking them for personal information. In fact, the criminals behind these e-mails, websites and phone calls have no real connection with those businesses. Their sole purpose is to obtain the consumer's personal data to engage in various fraud schemes. The Canada-U.S. Cross-Border Crime Forum determined that it would be appropriate to follow up on the identity theft report with a joint report on phishing and its impact on cross-border criminality. It directed the Canada-U.S. Working Group on Cross-Border Mass-Marketing Fraud, which reports to the Forum annually, to prepare this report.

5.2 What is Phishing?


The term phishing is a general term for the creation and use by criminals of e-mails and websites designed to look like they come from well-known, legitimate and trusted businesses, financial institutions and government agencies in an attempt to gather personal, financial and sensitive information. These criminals deceive Internet users into disclosing their bank and financial information or other personal data such as usernames and passwords, or into unwittingly downloading malicious computer code onto their computers that can allow the criminals subsequent access to those computers or the users' financial accounts. Although phishing, identity theft and identity fraud are terms that are sometimes used interchangeably, some distinctions are in order. Phishing is best understood as one of a number of distinct methods that identity thieves use to steal information through deception, that is, by enticing unwitting consumers to give out their identifying or financial information either unknowingly or under false pretenses, or by deceiving them into allowing criminals unauthorized access to their computers and personal data. The United States and some other countries use the term identity theft, and the United Kingdom often uses the term identity fraud, to refer broadly to the practice of obtaining and misusing others' identifying information for criminal purposes. Identity fraud can also be used to refer to the subsequent criminal use of others' identifying information to obtain goods or services, or to the use of fictitious identifying information (not necessarily associated with a real living person) to commit a crime. Phishing is committed so that the criminal may obtain sensitive and valuable information about a consumer, usually with the goal of fraudulently obtaining access to the consumer's bank or other financial accounts. Often phishers will sell credit card or account numbers to other criminals, turning a very high profit for a relatively small technological investment.

5.3 The Scope of Phishing


A leading multinational industry coalition called the Anti-Phishing Working Group (APWG) focuses on phishing and issues regular reports about the current volume and types of phishing attacks. The APWG's most recent statistics, for August 2006, show the growth and variety of phishing attacks over the past year and more. In the month of August 2006, for example, the APWG received 26,150 unique phishing reports (compared to 13,776 in August 2005 and 6,957 in October 2004). This total represents the second highest number of phishing reports that the APWG has received in a single month. The APWG detected 10,091 unique phishing websites worldwide (compared to 5,259 websites detected in August 2005, and only 1,142 in October 2004). 148 separate corporate brands were hijacked (misused) in phishing schemes (compared to 84 in August 2005). The financial sector was the most heavily targeted for phishing schemes, constituting 92.6 percent of all phishing attacks (compared to 84.5 percent in August 2005). The APWG found 2,303 unique websites that hosted key logging programs, i.e., programs that record all keystrokes made at a particular computer, enabling criminals to obtain others' usernames, passwords, and other valuable data. In comparison, the number of unique computer applications that included malicious code such as key logging software has remained relatively constant (172 in August 2006, compared to 168 in August 2005). In general, phishing schemes have relied heavily on indiscriminate sending of spam e-mail to large numbers of Internet users, without regard to the demographic characteristics of those users. But some phishing schemes might disproportionately affect certain segments of the population. In addition, some phishing schemes, known colloquially as spear phishing, seek to target more precisely defined groups of online users.


Although data on phishing attempts provide important indications of the dimensions of the phishing problem, several obstacles may prevent complete and accurate measurement. First, victims often have no idea how criminals obtained their data. Victims typically provide their personal information to phishers precisely because they believe the solicitation to be trustworthy. The unexplained and unexpected charges that later appear on their credit card statements often occur so long after the phishing solicitation, and involve items having no relation to the original subject matter of the phishing e-mails and websites, that victims have no reason to suspect a connection between these events. Second, companies that are victimized by phishing may not report these instances to law enforcement. Unlike some other types of Internet-based crime, such as hacking, that may be conducted surreptitiously, phishing, by its nature, involves public misuse of legitimate companies' and agencies' names and logos. Nonetheless, some companies may be reluctant to report all such instances of phishing to law enforcement, in part because they are concerned that if the true volume of such phishing attacks were made known to the public, their customers or accountholders would mistrust the companies or the companies would be placed at a competitive disadvantage. As these statistics indicate, phishing continues to be a rapidly growing form of online identity theft that can cause both short-term losses and long-term economic damage. In either event, phishing scams and other identity theft crimes create significant costs that may ultimately be borne by consumers in the form of increased fees from the credit card companies or higher prices from the merchants who accept credit cards.

5.4 How is Phishing committed?


In a typical phishing scheme, criminals who want to obtain personal data from people online first create unauthorized replicas of (or spoof) a real website and e-mail, usually from a financial institution or another company that deals with financial information, such as an online merchant. The e-mail will be created in the style of e-mails by a legitimate company or agency, using its logos and slogans. The nature and format of the principal website creation language, Hypertext Markup Language, makes it very easy to copy images or even an entire website. While this ease of website creation is one of the reasons that the Internet has grown so rapidly as a communications medium, it also permits the abuse of trademarks, trade names, and other corporate identifiers upon which consumers have come to rely as mechanisms for authentication. Phishers typically send the "spoofed" e-mails to as many people as possible in an attempt to lure them into the scheme. These e-mails redirect consumers to a spoofed website, appearing to be from that same business or entity. The criminals know that while not all recipients will have accounts or other existing relationships with these companies, some of them will and therefore are more likely to believe the e-mail and websites to be legitimate. The concept behind many phishing attacks is similar to that of "pretext" phone calls (i.e., phone calls from persons purporting to be with legitimate institutions or companies asking the call recipients for personal information). In fact, the criminals behind these e-mails, websites, and phone calls have no real connection with those businesses. Their sole purpose is to obtain the consumers' personal data to engage in various fraud schemes. Phishing schemes typically rely on three elements. First, phishing solicitations often use familiar corporate trademarks and trade names, as well as recognized government agency names and logos. The use of such trademarks is effective in many cases because they are familiar to many Internet users and are more likely to be trusted without closer scrutiny by the users. Moreover, the indicators that are provided for web browsers to assess the validity and security of a website (e.g., the lock icon or the address bar) can all be spoofed. This problem is further compounded by the lack of standardized protocols among financial institutions for how they will communicate with their customers and what information they will request via the Internet. Second, the solicitations routinely contain warnings intended to cause the recipients immediate concern or worry about access to an existing financial account. Phishing scams typically create a sense of urgency by warning victims that their failure to comply with instructions will lead to account terminations, the assessment of penalties or fees, or other negative outcomes. The fear that such warnings create helps to further cloud the ability of consumers to judge whether the messages are authentic.
Even if only a small percentage of people who receive these fraudulent warnings respond, the ease with which such solicitations can be distributed to millions of people creates a sizable pool of victims. (It should be noted that some schemes instead are based on offering positive incentives, for example by offering the promise of a payment in return for taking part in an online survey.) Third, the solicitations rely on two facts pertaining to authentication of the e-mails: (1) online consumers often lack the tools and technical knowledge to authenticate messages from financial institutions and e-commerce companies; and (2) the available tools and techniques are inadequate for robust authentication or can be spoofed. Criminals can therefore use techniques, such as forging of e-mail headers and subject lines, to make the e-mails appear to come from trusted sources, knowing that many recipients will have no effective way to verify the true provenance of the e-mails.

Example: Phishing scam targets Royal Bank customers

In June 2004, the Royal Bank of Canada notified customers that fraudulent e-mails purporting to originate from the Royal Bank were being sent out asking customers to verify account numbers and personal identification numbers (PINs) through a link included in the e-mail. The fraudulent e-mail stated that if the receiver did not click on the link and key in his client card number and pass code, access to his account would be blocked. These e-mails were sent within a week of a computer malfunction that prevented customer accounts from being updated. The malfunction impacted payroll deposits that were scheduled to enter many accounts, leaving customers at risk of missing mortgage, rent and other payments. The Royal Bank believes it is likely that someone tried to take advantage of the situation.
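The three elements described in 5.4 (borrowed brand names, urgency warnings, and forged headers or links) are exactly what a mail gateway or analyst can check for. The following Python script is an added example, not code from the report or from any bank; the message it inspects is constructed to mirror the Royal Bank pattern above, and every address, domain and phrase in it is a placeholder.

```python
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not a real e-mail); the bank name, addresses and
# domains are placeholders chosen to mirror the pattern described in the text.
SAMPLE_EMAIL = """\
From: Example Bank Security <security@examplebank.example>
Return-Path: <bounce@mail-relay.invalid>
To: customer@example.org
Subject: Urgent: verify your client card number
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear customer, due to a system malfunction your account could not be updated.</p>
<p>If you do not confirm your client card number and pass code within 24 hours,
access to your account will be blocked.</p>
<p><a href="http://198.51.100.23/login">https://www.examplebank.example/online</a></p>
</body></html>
"""

# Wording that creates the sense of urgency the report describes (constructed list).
URGENCY_PHRASES = ("will be blocked", "within 24 hours", "immediately",
                   "suspended", "verify your")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def domain_of(header_value):
    """Domain part of an e-mail address found in a header value, lower-cased."""
    m = re.search(r"@([\w.-]+)", str(header_value or ""))
    return m.group(1).lower() if m else ""


def host_of(url):
    """Host name of a URL; bare 'www.x.y/...' text without a scheme is accepted too."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def analyze(raw_message):
    """Return a list of human-readable findings for one raw RFC 822 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    # 1. Forged headers: the visible From domain disagrees with the bounce address.
    from_dom, rp_dom = domain_of(msg["From"]), domain_of(msg["Return-Path"])
    if from_dom and rp_dom and from_dom != rp_dom:
        findings.append(f"header mismatch: From={from_dom} Return-Path={rp_dom}")

    # 2. Spoofed links: the text shown to the reader names one host, the href another.
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    parser = LinkExtractor()
    parser.feed(text)
    for href, shown in parser.links:
        target = host_of(href)
        if re.match(r"(https?://|www\.)", shown) and host_of(shown) != target:
            findings.append(f"link text {host_of(shown)} points to {target}")
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", target):
            findings.append(f"link uses a raw IP address: {target}")

    # 3. Urgency: warnings that access will be lost unless the reader acts at once.
    lowered = (str(msg["Subject"] or "") + " " + text).lower()
    hits = [p for p in URGENCY_PHRASES if p in lowered]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EMAIL):
        print("-", finding)
```

None of these checks proves a message is fraudulent on its own; they are the indicators a recipient without tooling has no practical way to see, which is the point the report makes about authentication.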

5.5 Variants of Phishing


Over the past two years, criminals have increasingly refined their phishing attacks by incorporating various other techniques to contact prospective victims or obtain their information.

5.5.1 Spear phishing

Spear phishing is a colloquial term that can be used to describe any highly targeted phishing attack. Spear phishers send spurious e-mails that appear genuine to a specifically identified group of Internet users, such as certain users of a particular product or service, online account holders, employees or members of a particular company, government agency, organization, group, or social networking website. Much like a standard phishing e-mail, the message appears to come from a trusted source, such as an employer or a colleague who would be likely to send an e-mail message to everyone or a select group in the company (e.g., the head of human resources or a computer systems administrator). Because it comes from a known and trusted source, the request for valuable data such as user names or passwords may appear more plausible.

Whereas traditional phishing scams are designed to steal information from individuals, some spear phishing scams may also incorporate other techniques, ranging from computer hacking to pretexting (the practice of getting personal information under false pretences), to obtain the additional personal information needed to target a particular group or to enhance the phishing e-mail's credibility. In essence, some criminals will use any information they can to personalize a phishing scam to as specific a group as possible.

5.5.2 Vishing

A phishing technique that has received substantial publicity of late is vishing, or voice phishing. Vishing can work in two different ways. In one version of the scam, the consumer receives an e-mail designed in the same way as a phishing e-mail, usually indicating that there is a problem with the account. Instead of providing a fraudulent link to click on, the e-mail provides a customer service number that the client must call; the caller is then prompted to log in using account numbers and passwords. The other version of the scam is to call consumers directly and tell them that they must call the fraudulent customer service number immediately in order to protect their account. Vishing criminals may even establish a false sense of security in the consumer by confirming personal information that they already have on file, such as a full name, address or credit card number. Vishing poses a particular problem for two reasons. First, criminals can take advantage of the cheap, anonymous Internet calling available through Voice over Internet Protocol (VoIP), which also allows the criminal to use simple software programs to set up a professional sounding automated customer service line, such as the ones used in most large firms. Second, unlike many phishing attacks, where the legitimate organization would not use e-mail to request personal information from accountholders, vishing actually emulates a typical bank protocol in which banks encourage clients to call and authenticate information. Although banks will legitimately phone a client and ask questions to verify the client's identity, consumers must remember that a bank will never ask for PINs or passwords. It is also important that consumers never trust a phone number provided in an e-mail, and instead contact the institution through a number that has been independently verified or obtained through directory assistance. As noted above, this might include the telephone number or website printed on the back of their credit cards or on monthly account statements. Consumers, law enforcement, and the private sector should assume that as public education about phishing increases, criminals will continue to use these variants but will also develop additional variants and refinements of phishing techniques.

5.6 The impact of phishing


DIRECT FINANCIAL LOSS. Depending on the type of fraud that a criminal commits with the aid of stolen identifying data, consumers and businesses may lose anywhere from a few hundred dollars to tens of thousands of dollars. Indeed, small e-commerce businesses may be particularly hard-hit by identity fraud. For example, because of credit card association policies, an online merchant who accepts a credit card number that later proves to have been acquired by identity theft may be liable for the full amount of the fraudulent transactions involving that card number.

EROSION OF PUBLIC TRUST IN THE INTERNET. Phishing also undermines the public's trust in the Internet. By making consumers uncertain about the integrity of commercial and financial websites, and even the Internet's addressing system, phishing can make them less likely to use the Internet for business transactions. People who cannot trust where they are on the World Wide Web are less likely to use it for legitimate commerce and communications. This perspective finds support in a 2005 Consumer Reports survey, which showed declining confidence in the security of the Internet. Among several findings, the survey found that 9 out of 10 American adult Internet users have made changes to their Internet habits because of the threat of identity theft, and of those, 30 percent say that they reduced their overall usage. Furthermore, 25 percent say they have stopped shopping online, while 29 percent of those that still shop online say they have decreased the frequency of their purchases.

DIFFICULTIES IN LAW ENFORCEMENT INVESTIGATIONS. Unlike certain other types of identity theft that law enforcement agencies can successfully investigate in a single geographic area (e.g., theft of wallets, purses, or mail), phishing, like other types of crime that exploit the Internet, can be conducted from any location where phishers can obtain Internet access. This can include situations in which a phisher in one country takes control of a computer in another country, and then uses that computer to host his phishing website or send his phishing e-mails to residents of still other countries. Moreover, online criminal activity in recent years has often reflected clear-cut divisions of labor. For example, in an online fraud scheme, the tasks of writing code, locating hosts for phishing sites, spamming, and other components of a full-scale phishing operation may be divided among people in various locations. This means that in some phishing investigations, timely cooperation between law enforcement agencies in multiple countries may be necessary for tracing, identification, and apprehension of the criminals behind the scheme.

INCENTIVES FOR CROSS-BORDER OPERATIONS BY CRIMINAL ORGANIZATIONS. Law enforcement authorities in Canada and the United States are concerned that each of the preceding factors also creates incentives for members of full-fledged criminal organizations in various countries to conduct phishing schemes on a systematic basis. Law enforcement already has indications that criminal groups in Europe are hiring or contracting with hackers to produce phishing e-mails and websites and develop malicious code for use in phishing attacks.

5.7 Legislative frameworks to check phishing


A strong legislative framework is also fundamental to combating identity theft and the specific mechanisms and methods, such as phishing, used to that end. In Canada, there are currently no offences in the Criminal Code that directly prohibit or apply to phishing or other methods of obtaining identity information for a criminal purpose. If a phishing attack uses large volumes of spam (unsolicited e-mails) that could interfere with a computer system, or if the spam employs deceptive headers so as to avoid spam filters, then certain computer data related offences in the Criminal Code may apply. The use of identity information that has been obtained by phishing or by other means could, however, amount to any of a number of criminal offences, such as fraudulent personation, fraud, or unlawful use of credit card data. The Department of Justice began several years ago to review the Criminal Code to determine its adequacy for dealing with the growing problem of identity theft. The Department has begun developing proposals to address some of the limitations of the criminal law in this area and consulting with key stakeholders to obtain their input on legislative amendments. Another recent development in Canada with implications for phishing-related legislation was the 2004 launch by the Government of Canada of An Anti-Spam Action Plan for Canada and the establishment of a government-private sector task force to oversee and coordinate its implementation. In 2005 this task force was asked to produce a report on the status and progress that had been made. The report that it produced, Stopping Spam: Creating a Stronger, Safer Internet, set forward 22 recommendations to combat spam, promote public awareness, and restore confidence in e-mail. It also set forward best practices for Internet service providers and other network operators, and for e-mail marketing. Additionally, it recommended that legislation be enacted to prohibit certain forms of spam and other emerging threats to the safety and security of the Internet (e.g. phishing), and that a federal coordinating body be established to deal with the spam issue on an ongoing basis.
This is important for the phishing issue because phishing is usually accomplished through the technique of spamming, which is the sending out of unsolicited bulk e-mails. In the case of phishing, spam routinely allows criminals to distribute their fraudulent e-mails to many consumers at minimal cost. In the United States, since 1998 federal law, and the laws of nearly all of the states, have included specific criminal legislation on identity theft that can be applied to phishing. In addition, federal authorities can use a variety of federal fraud offences, such as wire fraud, and the CAN-SPAM Act to address both the sending of phishing e-mails and the use of deceptive e-mail headers or other techniques characteristic of criminal spam. Currently, at the direction of President Bush, the President's Identity Theft Task Force is preparing a strategic plan to combat all forms of identity theft more effectively, including possible changes in legislation where appropriate. That plan is expected to be submitted to the White House in early February 2007.


CHAPTER - 6

BOTNETS
6.1 Introduction
The term bot, derived from robot, is used in its generic form to describe a script, a set of scripts or a program designed to perform predefined functions repeatedly and automatically after being triggered intentionally or through a system infection. Although bots originated as a useful feature for carrying out repetitive and time-consuming operations, they are now also exploited for malicious intent. Bots that are used to carry out legitimate activities in an automated manner are called benevolent bots, and those that are meant for malicious intent are known as malicious bots. Benevolent bots, among various other activities, are used by search engines to spider online website content and by online games to provide virtual opponents. The first bot program, Eggdrop, created by Jeff Fisher in 1993, originated as a useful feature on Internet Relay Chat (IRC) for text based conferencing on many machines in a distributed fashion. In a typical IRC setup (Oikarinen & Reed 1993), a user running an IRC client program connects to an IRC server in an IRC network. The default TCP service port for IRC is 6667 and generally IRC servers listen on the port range 6000-7000, though servers can be configured to run on any TCP port. All servers are interconnected and pass messages from one user to another. As IRC gained popularity among Internet users, attacks on IRC started, initially out of curiosity or to seek fame and later for illicit financial gain, resulting in its misuse. A malicious IRC bot program runs on an IRC host or client, in a hidden manner, each time it boots, and is controlled by commands given by other IRC bot(s). It is typically an executable file with a size of less than 15 KB in its compressed form. An IRC host computer running an IRC bot malware program becomes a Zombie or a drone.
The first malicious IRC bot, the Pretty Park worm, which appeared in 1999, contained a limited set of functionality and features, such as the ability to connect to a remote IRC server and retrieve basic system information (e.g. operating system version, login names, email addresses, etc.). However, later bots extend the basic functions of their predecessors and have become a very powerful tool in building large computer armies, which is the key difference between bots and other programs like viruses and worms. This very large pool of Zombie hosts running bot programs forms a large network called a botnet, run under the command and control of a single hacker or a group of hackers known as the botmaster. Any host on the Internet that is compromised by the botmaster becomes part of this botnet. A typical botnet comprises thousands of Zombie hosts and thus poses a tremendous threat to Internet security and privacy.


6.2 Botnet Creation and Propagation

The process of building a botnet requires minimal technical and programming skills. Besides this, some IRC channels offer special training programs for the creation, propagation and use of botnets. A brief two-stage overview of building a botnet is outlined in this section.

6.2.1 Bot Creation

This stage largely depends on the skills and requirements of the attacker. The attacker may choose to write their own code or simply extend or customize an existing bot. Ready-made and highly configurable bots, with step-by-step instructions on how to compromise systems, are sold on the Internet. The instructions cover obtaining and packaging exploits, simple character and graphical user interfaces, and various other tools for gaining backdoor entry into networks. The bot code generally contains configurable components that include IRC server and channel information, the remote IRC TCP service port, the location and name of the bot code file on the infected machine, a list of botmasters and their credentials, and other components permitting the botmaster to dynamically change the attack behavior and to hide it. The values pertaining to these components are supplied to the bots by the botmaster(s) using various Command and Control techniques.

6.2.2 Bot Propagation

In this stage, vulnerable systems and the tools to exploit them are located; these are then used to gain backdoor access to the systems, facilitating installation of the bot malware by uploading it or by commanding the victim machine to download a copy of it. This infection stage involves the use of various direct and indirect techniques to spread bot malware. These include attacks through software vulnerabilities, vulnerabilities caused by other infections, and social engineering through the use of e-mail, instant messaging and malicious web page content. Bot malware is also propagated through peer-to-peer networks, open file sharing, and direct client-to-client file exchange. Bot malware uses FTP, TFTP and HTTP based services to infect computers and spreads until a botnet of the desired strength is assembled. Botnets are also created by other botnets, called seed botnets.


6.3 Security threats from Botnet

6.3.1 Distributed denial of services (DDoS)


A Denial of Service (DoS) attack is an attempt to make the computational resources of a computer system or network unavailable to its intended users. A Distributed DoS (DDoS) attack is a DoS attack which involves the use of multiple compromised systems to cause a loss of service to the intended users by depleting the bandwidth and other computational resources of the target system or network. Bandwidth depletion and resource depletion are the two main variants of DDoS attacks. Flooding and reflection attacks are the two primary types of bandwidth depletion attacks. Bandwidth depletion involves flooding a target machine with unwanted traffic in an attempt to overwhelm the processing power of the target machine. A flooding attack involves sending multiple packets to some target website simultaneously to congest traffic. A reflection attack involves sending many packets to many computers with a spoofed source address. Resource depletion, also called protocol exploitation, involves an attack that specifically attempts to deplete resources on the targeted computer or cause it to become unstable and crash. Launching a DDoS attack using a botnet has several advantages for the attacker, including magnifying the impact of the attack without requiring any source IP address spoofing.

6.3.2 Spamming
Loosely defined, spam is any message or posting, regardless of its content, that is sent to multiple recipients who have not specifically requested the message (opt-in). Spam can also be multiple postings of the same message to newsgroups or list servers that are not related to the topic of discussion. A person engaged in spamming is called a spammer. Spam in blogs, called blog spam or comment spam, is a form of search engine spamming done manually or automatically by posting random comments promoting commercial services to blogs, wikis, guestbooks, or other publicly-accessible online discussion boards. Any web application that accepts and displays hyperlinks submitted by visitors may be a target of link spam. This is the placing or solicitation of links randomly on other sites, placing a desired keyword into the hyperlinked text of the backlink. Blogs, guest books, forums and any site that accepts visitors' comments are particular targets and are often victims of drive-by spamming, where automated software creates nonsense posts with links that are usually irrelevant and unwanted. Link spam dishonestly and deliberately manipulates link-based ranking algorithms of search engines, like Google's PageRank, to increase the rank of a web site or page so that it is placed as close to the top of search results as possible. Spam generally refers to e-mail, rather than other forms of electronic communication. The term spim, for example, is used for unsolicited advertising via instant messaging. Spit refers to unsolicited advertising via Voice over Internet Protocol (VoIP). Unsolicited advertising on wireless devices such as cell phones is called wireless spam.

6.3.3 Click Fraud


Some of the advertisements appearing on websites are charged by the website operators on the basis of a pay-per-click revenue model, wherein an advertiser is charged according to the number of clicks made by visitors on the advertisement appearing on a website. Any mechanism that is used to increment this click counter in an automated or artificial manner is click fraud. For illicit financial advantage, a botmaster can increment the click counter artificially by commanding the bots under its control to send web requests that represent clicks on Internet advertisements. Botnet based click fraud is harder to detect because a botnet comprises a large number of geographically dispersed IP addresses, so click-through pattern matching, in which the geographical locations of the IP addresses behind each click are monitored, fails. Click fraud activity generates large volumes of revenue for attackers and their customers, but at the same time poses a great threat to both the advertisers and the content providers and thus is considered an emerging threat to e-commerce. Several examples of the use of botnets in facilitating click fraud have been reported wherein the content provider had to pay a huge amount to settle a lawsuit alleging that the content provider overcharged the advertiser. One such recent example was reported in July 2006, when Google agreed to pay US$ 90 million to settle such a lawsuit.

6.3.4 Other Security Threats


Although botmasters need not be highly technical, some are skilled, organized and getting smarter day by day. Further, they have thousands of bot-compromised computers at their disposal and thus can launch a variety of attacks other than those detailed above. Online games and polls can easily fall victim to botnets, where bots can manipulate the results. Bots can be leveraged to steal online software licenses by transferring them to some other computer. Key loggers can be deployed with bots to retrieve sensitive and secret data. Bots can use packet sniffing to watch for clear-text data passing by compromised machines and retrieve sensitive data such as usernames and passwords. Botnets can set up a fake website with advertisements, thus leading to click fraud. Bots are used to download and execute harmful executable files via FTP or HTTP and thus spread new malware and viruses. The growing access to the Internet through mobile phones can prompt hackers to attack cellular network systems and create botnets on them, which may cause inconvenience to millions of cell phone users.


6.4 Botnet Prevention, Detection and Disruption


Botnets present significant new challenges for the Internet community as the attackers come up with new and improved tools. Protecting against falling victim to a botnet and detecting the location of the botmaster is very challenging owing to various facts, including: i) the mechanism used in constructing and maintaining a botnet and that used in its possible attacks are independent of each other; ii) every Zombie in a botnet is a source of attack; and iii) botnets remain in a silent state until they are leveraged to launch a specific attack. Preventing a system on the Internet from falling victim to a botnet requires a high level of awareness about online security and privacy. Besides this, the system must be kept up to date by installation of the various operating system updates and patches. Pirated software, games, and other illegal material available online are always a source of malicious code and thus present a grave security threat, and as such users should refrain from accessing such web sites. Further, software firewalls and antivirus/anti-spyware programs should be installed and periodically updated on systems to prevent them from being infected. The use of CAPTCHA tests has been suggested for websites and other services as protection against bots and other malicious agents. Detecting bot activity on a system or on a network is central to the study of botnets. The use of a honeypot has been the most popular method of setting a trap to detect botnet activity. A honeypot is generally an isolated and protected system that appears to be part of a network and to have valuable information stored on it. It allows itself to be infected by a bot and become part of the botnet. The honeypot is then used to capture the bot malware and detect the bot controller. Various reactive and proactive techniques have been suggested to detect and identify botnets.
Detection of botnet by monitoring the network and host activity in terms of number of users per channel service ports used or abnormal ratio of invisible to visible users, etc have been suggested. In examination of flow characteristics such as bandwidth, duration and timing is suggested for detection of botnet C&C activity. In (Akiyama& et al 2007) three metrics namely relationship, response and synchronization have been proposed for detecting botnets through analyzing their behavior. On detecting a botnet immediate mitigation goals are to neutralize the zombie by removing the bot infection and more importantly to disrupt the C&C Server of the entire botnet. Disrupting the botnet C&C server is significant because bot infected system is only part of very large zombie army controlled by C&C Server and thus disrupting this controller will reutilize the entire botnet.
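The relationship, timing and synchronization metrics just described can be turned into a simple beacon detector over flow records. The following is an added example, not code from the original report or from Akiyama et al.; the flow records are constructed and the thresholds are assumptions chosen for the demo.

```python
"""Toy botnet C&C beacon detector over constructed flow records.

Added example, not from the original report or from Akiyama et al.; it applies the three
metrics named above (relationship, response/timing, synchronization) to flow records of
the form (timestamp_s, src_ip, dst_ip, dst_port). Thresholds are assumptions for the demo.
"""
from collections import defaultdict
from statistics import mean, pstdev
from typing import Dict, List, Optional, Tuple

Flow = Tuple[int, str, str, int]


def build_sample_flows() -> List[Flow]:
    """Constructed traffic: three hosts contacting one IRC-port endpoint about every 60 s
    with small jitter, one host browsing a web server at irregular times, and one host
    with a single contact to the IRC endpoint (too little history to judge)."""
    flows: List[Flow] = []
    jitter = [0, 1, -1, 2, 0, 1, -2, 0]
    for host in ("10.0.0.11", "10.0.0.12", "10.0.0.13"):
        for i, j in enumerate(jitter):
            flows.append((i * 60 + j, host, "203.0.113.5", 6667))
    for t in (0, 7, 19, 25, 80, 83, 150, 400):
        flows.append((t, "10.0.0.20", "198.51.100.10", 443))
    flows.append((30, "10.0.0.21", "203.0.113.5", 6667))
    return flows


def interval_cv(times: List[int]) -> Optional[float]:
    """Response/timing metric: coefficient of variation of the gaps between contacts.
    Near 0 means a fixed beacon period; None when there are fewer than three contacts."""
    ts = sorted(times)
    if len(ts) < 3:
        return None
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    avg = mean(gaps)
    return None if avg == 0 else pstdev(gaps) / avg


def synchronization(per_host: Dict[str, List[int]], window: int) -> float:
    """Synchronization metric: share of contacts that have a contact from a *different*
    host to the same endpoint within `window` seconds."""
    events = sorted((t, h) for h, ts in per_host.items() for t in ts)
    hits = 0
    for i, (t, h) in enumerate(events):
        near = False
        j = i - 1
        while j >= 0 and t - events[j][0] <= window:
            if events[j][1] != h:
                near = True
                break
            j -= 1
        j = i + 1
        while not near and j < len(events) and events[j][0] - t <= window:
            if events[j][1] != h:
                near = True
                break
            j += 1
        hits += near
    return hits / len(events) if events else 0.0


def score_destinations(flows, min_hosts=2, max_cv=0.2, window=5, min_sync=0.8):
    """Relationship metric: group flows by (dst, port); an endpoint is flagged when at
    least `min_hosts` internal hosts contact it periodically and in step with each other."""
    by_dst: Dict[Tuple[str, int], Dict[str, List[int]]] = defaultdict(lambda: defaultdict(list))
    for t, src, dst, dport in flows:
        by_dst[(dst, dport)][src].append(t)
    suspects = []
    for (dst, dport), hosts in by_dst.items():
        regular: Dict[str, List[int]] = {}
        for host, ts in hosts.items():
            cv = interval_cv(ts)
            if cv is not None and cv <= max_cv:
                regular[host] = ts
        if len(regular) < min_hosts:
            continue
        sync = synchronization(regular, window)
        if sync >= min_sync:
            suspects.append({"dst": dst, "port": dport, "hosts": sorted(regular), "sync": round(sync, 2)})
    return suspects


if __name__ == "__main__":
    for s in score_destinations(build_sample_flows()):
        print(f"possible C&C {s['dst']}:{s['port']} beaconed by {s['hosts']} (sync {s['sync']})")
```

On the constructed flows only the 6667/tcp endpoint is reported: the single-contact host is ignored for lack of history and the irregular web browsing fails the timing test.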


CHAPTER 7

BLUETOOTH
7.1 Introduction

Bluetooth is a short-range wireless communication protocol for personal area networks (PAN). In any communication link there is one master and one or more slaves. The master and its slaves form a piconet; overlapping piconets form a scatternet. A unit may be a master in one piconet and a slave in another. Bluetooth was initially developed by Ericsson but is formalized as an industry standard by the Bluetooth Special Interest Group (SIG). The SIG was formed by Ericsson, Intel, Toshiba, Nokia and IBM but has now expanded to about 1800 members. There are numerous devices that support the Bluetooth standard now, approximately 6 years after its launch. It is used mostly in consumer products like cell phones and personal digital assistants.

7.2 Security Mechanisms in Bluetooth


PIN code. The PIN code is the only shared secret at initialization. It should be exchanged over an external secure channel. Some Bluetooth units have a pre-programmed PIN code.

Unit addresses. The unit addresses are not secret but are used in the generation of the different keys.

128-bit random number generator. These random numbers are so-called nonces, namely numbers that are used only once. A proper implementation of Bluetooth shall have a random generator for which it is very unlikely that a random number is drawn twice.

Keys

Link key K. The link key is used to authenticate the link and to produce the encryption key. At initialization the link key is set to the initialization key (see below).

Initialization key Kinit. This key is used only to establish a link between two Bluetooth units. It should not be confused with authentication. The key is computed in each of the units from the following inputs to the algorithm:
1. The device address of one of the two communicating units.
2. A PIN code and its length.
3. A public random number IN_RAND.
The device address and the number IN_RAND are communicated over the Bluetooth link manager (LM) channel.


Unit key. Each unit has a unit key. This key is almost never changed and should be kept secret. It may be used as the link key; it is then sent to the peer unit XOR-ed with the present link key. Using this option is not recommended, but some units with limited memory must use the unit key as the link key, and then the PIN code may also be fixed for the unit. Such units offer reduced security.

Combination key. Two units that will communicate and do not want to use the unit key of either party create a common key, the combination key, and exchange it by a key exchange protocol. Random values LK_RANDA and LK_RANDB are created and exchanged securely by using the present link key as a cipher. The previous link key is then discarded. The algorithm E21 uses the addresses of the two units and the two random numbers to produce the combination key. One should assume that any attacker knows XOR(LK_RANDA, LK_RANDB) and the addresses of units A and B.

Master key. If the links are part of a point-to-multipoint piconet there may be a need for a master key. This key is made from random numbers and the algorithm E22. It is exchanged by using a key made by E22 from the present link key and a random number.

Encryption key. The encryption key is made by the algorithm E3 from:
1. The current link key K.
2. A random number EN_RAND.
3. COF (128 bits): either a number computed in the authentication procedure or made from the master key. Using the master key for creating COF is obligatory if the master key is used as the current link key.
The length of the encryption key can be from 8 to 128 effective bits. This is up to each device and is not user configurable.

Payload encryption key. This key is made from the encryption key, a unit address, the master clock, and a 128-bit publicly known random number EN_RAND. It is used to encrypt up to 2745 bits in one payload. The payload key is unique for each packet, and its length is 128 bits.
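A model of the initialization-key and combination-key steps described above, showing which values cross the air in clear and what a passive listener can reconstruct. This is an added example, not code from the original report or from the Bluetooth SIG: the real E21/E22 functions are SAFER+ based and are replaced here by truncated HMAC-SHA256 stand-ins, and all addresses, PINs and random values are constructed.

```python
"""Bluetooth Kinit / combination-key exchange, modelled with stand-in key functions.

Added example. E21 and E22 are replaced by HMAC-SHA256 truncated to 128 bits (an
assumption that keeps the structure of the exchange, not the real SAFER+ cipher).
"""
import hashlib
import hmac
from typing import Dict, Tuple


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def e22_stand_in(bd_addr: bytes, pin: bytes, in_rand: bytes) -> bytes:
    """Stand-in for E22: 128-bit initialization key from the 48-bit device address,
    the PIN with its length, and the public 128-bit IN_RAND."""
    msg = bd_addr + len(pin).to_bytes(1, "big") + pin + in_rand
    return hmac.new(b"E22-stand-in", msg, hashlib.sha256).digest()[:16]


def e21_stand_in(bd_addr: bytes, lk_rand: bytes) -> bytes:
    """Stand-in for E21: one unit's contribution to the combination key."""
    return hmac.new(b"E21-stand-in", bd_addr + lk_rand, hashlib.sha256).digest()[:16]


def init_key(bd_addr: bytes, pin: bytes, in_rand: bytes) -> bytes:
    # The address and IN_RAND travel over the LM channel in clear; the PIN is the only
    # secret input, so Kinit carries no more entropy than the PIN itself.
    return e22_stand_in(bd_addr, pin, in_rand)


def combination_key_exchange(link_key: bytes, addr_a: bytes, lk_rand_a: bytes,
                             addr_b: bytes, lk_rand_b: bytes) -> Tuple[bytes, bytes, bytes]:
    """Both sides of the exchange plus the value a passive listener recovers.
    Returns (K_AB as computed by A, K_AB as computed by B, LK_RANDA xor LK_RANDB)."""
    # On the air: each side sends its LK_RAND masked with the current link key.
    c_a = xor(lk_rand_a, link_key)   # A -> B
    c_b = xor(lk_rand_b, link_key)   # B -> A
    # Each side unmasks the other's random number with the shared link key.
    lk_rand_b_at_a = xor(c_b, link_key)
    lk_rand_a_at_b = xor(c_a, link_key)
    k_ab_at_a = xor(e21_stand_in(addr_a, lk_rand_a), e21_stand_in(addr_b, lk_rand_b_at_a))
    k_ab_at_b = xor(e21_stand_in(addr_a, lk_rand_a_at_b), e21_stand_in(addr_b, lk_rand_b))
    # A listener sees only c_a and c_b; XOR-ing them cancels the link key, which is
    # exactly why the text says to assume the attacker knows XOR(LK_RANDA, LK_RANDB).
    observed = xor(c_a, c_b)
    return k_ab_at_a, k_ab_at_b, observed


def run_pairing_demo() -> Dict[str, object]:
    addr_a = bytes.fromhex("001122334455")      # constructed BD_ADDR of unit A
    addr_b = bytes.fromhex("66778899aabb")      # constructed BD_ADDR of unit B
    pin = b"1234"                               # shared out of band (constructed)
    in_rand = bytes(range(16))                  # public IN_RAND (constructed)
    lk_rand_a = bytes(0xA0 + i for i in range(16))
    lk_rand_b = bytes(0xB0 + i for i in range(16))

    kinit = init_key(addr_a, pin, in_rand)
    k_a, k_b, observed = combination_key_exchange(kinit, addr_a, lk_rand_a, addr_b, lk_rand_b)
    # A unit that guessed the PIN wrong ends up with a different Kinit and cannot unmask.
    kinit_wrong = init_key(addr_a, b"0000", in_rand)
    return {
        "keys_agree": k_a == k_b,
        "eavesdropper_learns_xor": observed == xor(lk_rand_a, lk_rand_b),
        "wrong_pin_matches": kinit_wrong == kinit,
        "combination_key": k_a.hex(),
    }


if __name__ == "__main__":
    for name, value in run_pairing_demo().items():
        print(f"{name}: {value}")
```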


7.3 Security issues in Bluetooth

Is short range an effective security feature?


'Short range' is not a security mechanism but is used by the SIG to accept weak encryption. This may be a mistake, since 'short range' is only short range for those who follow the rules. The range of Bluetooth is limited to 100 meters for Class 1 devices. The most common devices, such as cell phones and PDAs, are not Class 1 devices and work at a maximum range of 10 meters or less. This holds under normal circumstances, but if a device is modified with some kind of signal amplification and a directional antenna, Bluetooth may work over longer distances; a range of more than 1.0 mile has been recorded. The conclusion is that the limited range of Bluetooth gives only partial security, i.e. one is protected against the less malicious and low-skill attackers, but for highly skilled and well-equipped attackers low range is a more theoretical than practical barrier. Even if the range of Bluetooth is short, the mobility of these devices cancels the positive effect of short range and makes them even more vulnerable than the wider-reaching wireless LAN, because we bring the devices with us on trains, in airports and in other public areas.

Weaknesses of the cryptographic protocol


There are many known attacks on the encryption scheme E0 used in Bluetooth, both algebraic attacks and correlation attacks. The correlation attacks need much more than the maximum 2745 bits of data that are encrypted with each payload encryption key to be effective; the best known attack needs up to 500 billion bits to be useful! Therefore these attacks do not seem to apply to the usage of E0 in Bluetooth.

Implementation weaknesses
In some implementations there are security flaws, such as the possibility of overwriting the stack through a buffer overflow, which lets one run arbitrary code on the victim unit. This weakness is in the Bluetooth connectivity software made by WIDCOMM; newer versions (3+) of this software are not vulnerable. It is not clear whether the flaw makes the units vulnerable to attacks from arbitrary units, or whether the attacking unit must already be connected to the victim unit.

Weakness of the invisibility in version 1.1 and older


If a Bluetooth device is in non-visible mode, that does not guarantee that it is invisible. Such a device is not easy to find, but its identity can be found in less than 11 hours. This attack can be done via so-called Bluetooth war nibbling. Often, when a unit is on the move or is never switched on for a long time, the exposure to such an attack should be small.

Bluejacking
Bluejacking is the process of hijacking a Bluetooth session or unit. It can be done in different ways, e.g. through social engineering or by using backdoors in second-hand units (even if the PIN card is changed, a unit may still be paired with another unit). A hacker can also hijack a Bluetooth device by using his own PIN card and then setting up a connection to a given Bluetooth device he controls; the hacker needs physical access to the target phone to succeed with this last attack. A long, user-definable name field in the protocol for requesting a link can be used to send messages to a phone holder with the purpose of tricking him into accepting a connection request from the attacking party. A good user interface should alert the user and prevent him from becoming a victim of such an attack. The short range of Bluetooth will make it harder for intruders, but given the nature of Bluetooth technology one should expect it to increase user mobility, and hence we can assume that users carry the equipment with them.

Attack on the link layer


The link layer is not encrypted and the integrity protection of the packet headers is weak. That can make the Bluetooth link layer vulnerable to attacks.

Snarf attack
On some phones it is possible to connect to the phone without the knowledge of the owner and see some of the data stored on it. The entire phonebook, the calendar, the clock, etc. are accessible. The IMEI (International Mobile Equipment Identity) is also accessible, which makes it possible for an intruder to make a clone of the phone. According to Laurie et al., vulnerable phones include: Ericsson T68; Sony Ericsson R520m, T68i, T610 and Z1010; and Nokia 6310, 6310i, 8910 and 8910i. The Nokia phones mentioned are also vulnerable when in invisible mode.

Backdoor attack
This attack uses an already established pairing with a unit. Vulnerable devices are mostly second-hand cell phones and PDAs whose former pairings have not been erased.

BlueBug
There is a bug in some cell phones that makes them vulnerable to attack. The attack seems to be serious for the phones affected, as it allows AT commands to be sent to the phone. This permits reading and sending SMS, initiating phone calls, connecting to the Internet, and reading and writing phone book entries. The author does not know which phones are vulnerable.

CHAPTER 8 WIRELESS SECURITY


8.1 WIRELESS NETWORKING
Wireless networking is easy to set up, and it's convenient, especially if you like to move around the house or office with your portable computer while staying connected. But because they use the airwaves, wireless communications are more vulnerable to interception and attack than a wired connection.

8.2 WAYS FOR SECURING WIRELESS NETWORK

8.2.1 Use encryption


Encryption is the number one security measure, but many wireless access points (WAPs) don't have encryption enabled by default. Although most WAPs support the Wired Equivalent Privacy (WEP) protocol, it's not enabled by default. WEP has a number of security flaws, and a knowledgeable hacker can crack it, but it's better than no encryption at all. Be sure to set the WEP authentication method to "shared key" rather than "open system". The latter does not encrypt the data; it only authenticates the client. Change the WEP key frequently and use 128-bit WEP rather than 40-bit.

8.2.2 Use strong encryption


Because of WEP's weaknesses, you should use the Wi-Fi Protected Access (WPA) protocol instead of WEP if possible. To use WPA, your WAP must support it (you may be able to add support to an older WAP with a firmware upgrade); your wireless network access cards (NICs) must support it (again, a firmware update may be necessary); and your wireless client software must support it. Windows XP Service Pack 2 installs the WPA client. SP1 machines can be updated to support WPA by installing the Windows WPA client with the Wireless Update Rollup Package. Another encryption option is to use IPsec, if your wireless router supports it.

8.2.3 Change the default administrative password


Most manufacturers use the same default administrative password for all their wireless access points (or at least, all those of a particular model). Those default passwords are common knowledge among hackers, who can use them to change your WAP settings. The first thing you should do when you set up a WAP is change the default password to a strong password.

8.2.4 Turn off SSID broadcasting


The Service Set Identifier (SSID) is the name of your wireless network. By default, most WAPs broadcast the SSID. This makes it easy for users to find the network, as it shows up on their list of available networks on their wireless client computers. If you turn off broadcasting, users will have to know the SSID to connect. Some folks will tell you that turning off SSID broadcasting is useless because a hacker can use packet sniffing software to capture the SSID even if broadcasting is turned off. That's true, but why make it easier for them? That's like saying burglars can buy lockpicks, so locking the door is useless. Turning off broadcasting won't deter a serious hacker, but it will protect against the casual "piggybacker".

8.2.5 Turn off the WAP when not in use


This one may seem simplistic, but few companies or individuals do it. If you have wireless users connecting only at certain times, there's no reason to run the wireless network all the time and provide an opportunity for intruders. You can turn off the access point when it's not in use, such as at night when everyone goes home and there is no need for anyone to connect wirelessly.

8.2.6 Change the default SSID


Manufacturers provide a default SSID, often the equipment name (such as Linksys). The purpose of turning off SSID broadcasting was to prevent others from knowing the network name, but if you use the default name, it's not too difficult to guess. As mentioned, hackers can use tools to sniff the SSID, so don't change the name to something that gives them information about you or your company (such as the company name or your physical address).

8.2.7 Use MAC filtering


Most WAPs (although not some of the cheapest ones) will allow you to use media access control (MAC) address filtering. This means you can set up a "white list" of computers that are allowed to connect to your wireless network, based on the MAC or physical addresses assigned to their network cards. Communications from MAC addresses that aren't on the list will be refused. The method isn't foolproof, since it's possible for hackers to capture packets transmitted over the wireless network, determine a valid MAC address of one of your users and then spoof the address. But it does make things more difficult for a would-be intruder, and that's what security is really all about.

8.2.8 Isolate the wireless network from the rest of the LAN
To protect your wired internal network from threats coming over the wireless network, create a wireless DMZ or perimeter network that's isolated from the LAN. That means placing a firewall between the wireless network and the LAN. Then you can require that in order for any wireless client to access resources on the internal network, he or she will have to authenticate with a remote access server and/or use a VPN. This provides an extra layer of protection.

8.2.9 Control the Wireless signal


The typical 802.11b WAP transmits up to about 300 feet. However, this range can be extended by a more sensitive antenna. By attaching a high gain external antenna to your WAP, you can get a longer reach but this may expose you to war drivers and others outside your building. A directional antenna will transmit the signal in a particular direction, instead of in a circle like the omni-directional antenna that usually comes built into the WAP. Thus, through antenna selection you can control both the signal range and its direction to help protect from outsiders. In addition, some WAPs allow you to adjust signal strength and direction via their settings.

8.2.10 Transmit on a different frequency


One way to "hide" from hackers who use the more common 802.11b/g wireless technology is to go with 802.11a instead. Since it operates on a different frequency, NICs made for the more common wireless technologies won't pick up its signals. Sure, this is a type of "security through obscurity" but it's perfectly valid when used in conjunction with other security measures. After all, security through obscurity is exactly what we advocate when we tell people not to let others know their social security numbers and other identification information. A drawback of 802.11a, and one of the reasons it's less popular than b/g, is that the range is shorter: about half the distance of b/g. It also has difficulty penetrating walls and obstacles. From a security standpoint, this "disadvantage" is actually an advantage, as it makes it more difficult for an outsider to intercept the signal even with equipment designed for the technology.
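The checklist in 8.2.1 to 8.2.7 can be checked mechanically against an access point's exported configuration. The following is an added example, not code from the original report: the two configuration texts are constructed, and the key names follow hostapd's key=value syntax (ssid, ignore_broadcast_ssid, wep_key0, wpa, wpa_key_mgmt, wpa_passphrase, macaddr_acl, accept_mac_file), with the list of vendor default SSIDs being a placeholder to extend.

```python
"""Audit an access-point configuration against the checklist in section 8.2.

Added example, not from the original report. Both configuration texts are constructed;
key names follow hostapd's key=value syntax, but any key=value export can be audited
the same way. DEFAULT_SSIDS is a placeholder list of vendor defaults.
"""
from typing import Dict, List, Tuple

DEFAULT_SSIDS = {"linksys", "default"}   # placeholder; extend with defaults seen in the field

WEAK_CONF = """
# constructed: access point left at factory settings, with 40-bit WEP
interface=wlan0
ssid=linksys
ignore_broadcast_ssid=0
wep_default_key=0
wep_key0=0102030405
macaddr_acl=0
"""

HARDENED_CONF = """
# constructed: the same access point after applying 8.2.1 to 8.2.7
interface=wlan0
ssid=floor3-printers
ignore_broadcast_ssid=1
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_passphrase=long-random-passphrase-set-by-admin
rsn_pairwise=CCMP
macaddr_acl=1
accept_mac_file=/etc/hostapd/accept.mac
"""


def parse_conf(text: str) -> Dict[str, str]:
    """Parse key=value lines; blank lines and # comments are skipped."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def wep_key_bits(value: str) -> int:
    """Key length in bits: WEP keys are given as hex digits or as a quoted ASCII string."""
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        return (len(value) - 2) * 8
    return len(value) * 4


def audit(text: str) -> List[Tuple[str, str]]:
    """Return (section, finding) pairs; an empty list means every check passed."""
    conf = parse_conf(text)
    findings: List[Tuple[str, str]] = []
    wep_keys = {k: v for k, v in conf.items() if k.startswith("wep_key")}
    uses_wpa = conf.get("wpa", "0") != "0"

    if not wep_keys and not uses_wpa:                   # 8.2.1: encryption is the first measure
        findings.append(("8.2.1", "no encryption enabled"))
    for key, value in wep_keys.items():                  # 8.2.1: 128-bit WEP (104-bit key), not 40-bit
        if wep_key_bits(value) < 104:
            findings.append(("8.2.1", f"{key} is a {wep_key_bits(value)}-bit WEP key; use 128-bit WEP"))
    if wep_keys and not uses_wpa:                        # 8.2.2: WPA instead of WEP where supported
        findings.append(("8.2.2", "WEP in use; switch to WPA if the hardware supports it"))
    if uses_wpa and "PSK" in conf.get("wpa_key_mgmt", "") and not conf.get("wpa_passphrase"):
        findings.append(("8.2.2", "WPA-PSK selected but no passphrase configured"))
    if conf.get("ignore_broadcast_ssid", "0") == "0":    # 8.2.4: stop broadcasting the SSID
        findings.append(("8.2.4", "SSID broadcasting is on"))
    if conf.get("ssid", "").lower() in DEFAULT_SSIDS:     # 8.2.6: change the default SSID
        findings.append(("8.2.6", "SSID is a vendor default name"))
    if conf.get("macaddr_acl") != "1" or not conf.get("accept_mac_file"):   # 8.2.7: MAC white list
        findings.append(("8.2.7", "no MAC address white list (macaddr_acl=1 with accept_mac_file)"))
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(text) or "OK")
```

The administrative password (8.2.3) and radio settings (8.2.9, 8.2.10) live outside this file format, so they still need a manual check.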


CHAPTER - 9 MOBILE SECURITY


9.1 Introduction
Mobile devices are the fastest growing consumer technology, with worldwide unit sales expected to increase from 300 million in 2010, to 650 million in 2012. Mobile applications are likewise booming. In June 2011, for the first time ever people on average spent more time using mobile applications (81 minutes) than browsing the mobile web (74 minutes). While once limited to simple voice communication, the mobile device now enables us to also send text messages, access email, browse the Web, and even perform financial transactions. Even more significant, apps are turning the mobile device into a general-purpose computing platform. In just three short years since introducing the iPhone SDK in 2008, Apple boasts over 425,000 apps available for iOS devices. Seeing similarly explosive growth, the Android Market now contains over 200,000 apps after only a short period of time. As mobile devices grow in popularity, so do the incentives for attackers. Mobile malware, for example, is clearly on the rise, as attackers experiment with new business models by targeting mobile phones. Recently over 250,000 Android users were compromised in an unprecedented mobile attack when they downloaded malicious software disguised as legitimate applications from the Android Market. The emergence of mobile payments is another key driver of mobile threats. The value of mobile payment transactions is projected to reach almost $630 billion by 2014, up from $170 billion in 2010. Vendors, retailers, merchants, content providers, mobile operators, and banks are all actively establishing new payment services. Mobile payments create an attractive target for attackers, as they allow direct monetization of attacks.

9.2 Mobile Threats


As with PCs, there are a variety of security threats that can affect mobile devices. We split mobile threats into several categories: application-based threats, web-based threats, network-based threats and physical threats. For the sake of brevity, this list is intended to be a general overview of the most important mobile threats, not an exhaustive treatment of all possible threats.


9.3 Application-Based Threats


Downloadable applications present many security issues on mobile devices, including both software specifically designed to be malicious as well as software that can be exploited for malicious purposes. Application-based threats generally fit into one or more of the following categories:

Malware is software that is designed to engage in malicious behaviour on a device. For example, malware can commonly perform actions without a user's knowledge, such as making charges to the user's phone bill, sending unsolicited messages to the user's contact list, or giving an attacker remote control over the device. Malware can also be used to steal personal information from a mobile device that could result in identity theft or financial fraud.

Spyware is designed to collect or use data without a user's knowledge or approval. Data commonly targeted by spyware includes phone call history, text messages, location, browser history, contact list, email, and camera pictures. Spyware generally fits into two categories: it can be targeted, designed for surveillance of a particular person or organization, or untargeted, designed to gather data about a large group of people. Depending on how it is used, targeted spyware may or may not be considered malicious, such as in the case of a parent using a text messaging or location monitoring application on a child's phone.

Privacy threats may be caused by applications that are not necessarily malicious (though they may be), but gather or use more sensitive information (e.g., location, contact lists, personally identifiable information) than is necessary to perform their function or than a user is comfortable with.

Vulnerable applications contain software vulnerabilities that can be exploited for malicious purposes. Such vulnerabilities can often allow an attacker to access sensitive information, perform undesirable actions, stop a service from functioning correctly, automatically download additional apps, or otherwise engage in undesirable behavior. Vulnerable applications are typically fixed by an update from the developer.

9.4 Web-based Threats


Because mobile devices are often constantly connected to the Internet and used to access web-based services, web-based threats that have historically been a problem for PCs also pose issues for mobile devices:

Phishing Scams use web pages or other user interfaces designed to trick a user into providing information such as account login information to a malicious party posing as a legitimate service. Attackers often use email, text messages, Facebook, and Twitter to send links to phishing sites.


Drive-by downloads automatically begin downloading an application when a user visits a web page. In some cases, the user must take action to open the downloaded application, while in other cases the application can start automatically.

Browser exploits are designed to take advantage of vulnerabilities in a web browser or in software that can be launched via a web browser, such as a Flash player, PDF reader, or image viewer. Simply by visiting a web page, an unsuspecting user can trigger a browser exploit that can install malware or perform other actions on a device.

9.5 Network Threats


Mobile devices typically support cellular networks as well as local wireless networks. There are a number of threats that can affect these networks:

Network exploits take advantage of software flaws in the mobile operating system or other software that operates on local or cellular networks. Network exploits often do not require any user intervention, making them especially dangerous when used to automatically propagate malware.

Wi-Fi sniffing can compromise data being sent to or from a device by taking advantage of the fact that many applications and web pages do not use proper security measures, sending their data in the clear (not encrypted) so that it may be easily intercepted by anyone listening across an unsecured local wireless network.

9.6 Physical Threats


Since mobile devices are portable and designed for use throughout our daily lives, their physical security is an important consideration.

Lost or Stolen Devices are one of the most prevalent mobile threats. The mobile device is valuable not only because the hardware itself can be re-sold on the black market, but more importantly because of the sensitive personal and organization information it may contain.


9.7 Tips to Stay Safe


As the frequency of mobile threats increases, people can take measures to stay safe while using their smartphones:

1. Only download apps from trusted sources, such as reputable app stores and download sites. Remember to look at the developer name, reviews, and star ratings.
2. After clicking on a web link, pay close attention to the address to make sure it matches the website it claims to be if you are asked to enter account or login information.
3. Set a password on your mobile device so that if it is lost or stolen, your data is difficult to access.
4. Download a mobile security tool that scans every app you download for malware and spyware and can help you locate a lost or stolen device. For extra protection, make sure your security app can also protect from unsafe websites.
5. Be alert for unusual behaviours on your phone, which could be a sign that it is infected. These behaviours may include unusual text messages, strange charges to the phone bill, and suddenly decreased battery life.
6. Make sure to download firmware updates as soon as they are available for your device.


CHAPTER - 10 CYBER CRIME SECURITY IN USA


10.1 Introduction
Threats posed to organizations by cyber crimes have increased faster than potential victims, or cyber security professionals, can cope with them, placing targeted organizations at significant risk. This is the key finding of Deloitte's review of the results of the 2010 CSO Cyber Security Watch Survey, sponsored by Deloitte and conducted in collaboration with CSO Magazine, the U.S. Secret Service, and the CERT Coordination Center at Carnegie Mellon (see sidebar on page 4). This whitepaper reports several key results of this survey and Deloitte's interpretation of them. By its nature, interpretation goes beyond simple reporting of results (which is not our goal here) and may prompt disagreement or even controversy. Deloitte believes, however, that some of the findings point to significant incongruities between the views of many survey respondents and the current reality of cyber crime. Given that the survey respondents include mainly executives and professionals responsible for the security of their organizations' IT environments, such incongruities are worth examining.

10.2 Cyber crime update in USA


An increasing number of criminals and criminally minded enterprises have hired, purchased, or otherwise acquired the ability to infiltrate systems with new penetration techniques while developing a criminal e-business network. Concurrently, an increasing number of hackers have turned professional. Some who once attacked IT systems for the intellectual challenge and to match wits with (or to aggravate) others in their field have discovered strong financial rewards in online crime.

Trends that demand a bold response

In addition, the following key cyber crime trends have emerged, and they demand a strong, bold, near-term response:
1. Cyber attacks and security breaches are increasing in frequency and sophistication, with discovery usually occurring only after the fact, if at all.
2. Cyber criminals are targeting organizations and individuals with malware and anonymization techniques that can evade current security controls.
3. Current perimeter-intrusion detection, signature-based malware, and anti-virus solutions are providing little defense and are rapidly becoming obsolete; for instance, cyber criminals now use encryption technology to avoid detection.
4. Cyber criminals are leveraging innovation at a pace which many target organizations and security vendors cannot possibly match.
5. Effective deterrents to cyber crime are not known, available, or accessible to many practitioners, many of whom underestimate the scope and severity of the problem.
6. There is a likely nexus between cyber crime and a variety of other threats including terrorism, industrial espionage, and foreign intelligence services.

10.3 Today's stunning cyber-crime trends demand a strong, bold, near-term response
Cyber crime attacks are becoming more severe, more complex, and more difficult to prevent, detect, and address than current ones, which are bad enough. An underground economy has evolved around stealing, packaging, and reselling information. Malware authors and other cyber criminals for hire provide skills, capabilities, products, and outsourced services to cyber criminals. These include data acquisition and storage, stealthy access to systems, identity collection and theft, misdirection of communications, keystroke identification, identity authentication, and botnets, among others. Meanwhile, today's security model is primarily reactive, and cyber criminals are exploiting that weakness. As a result of such developments, data breaches have occurred in many organizations which appear to have deployed traditional security controls, processes, and leading practice architectures, including the following representative instances in 2008 and 2009:
1. At a major online service provider, more than one-half million credit card accounts were put at risk by malware, to be discovered four months later.
2. At a major online payment facilitator, over one hundred million credit card accounts were put at risk by malware over an unknown period before discovery.
3. Malware on an online booking system exposed some eight million personal records to risk.
4. Malicious software on cash register terminals at a regional restaurant chain compromised thousands of credit and debit card accounts and, separately, at a major supermarket chain, over four million credit card accounts.
5. Website intrusion compromised tens of thousands of customer records at an auto repair chain.

10.4 Deloitte's view of the cyber crime scene

10.4.1 Awareness or complacency

Deloitte believes the survey responses reveal a serious lack of awareness and a degree of complacency on the part of IT organizations, and perhaps security officers, vis-à-vis the threat of cyber crime. Much of this belief is predicated on the notion that cyber crime technologies and techniques are so effective at eluding detection that the actual extent of the problem may be grossly underestimated. Although we cannot quantify the financial impact of cyber criminal activity, we would like to highlight a comment made last year to help establish some potential statistics. Last year, the White House issued the Cyber Security Policy Review, which profiled the systemic loss of U.S. economic value from intellectual property and data theft in 2008 as high as $1 trillion. In this section, we will first summarize our view and then examine areas of divergence with selected survey responses. Some of our views will not surprise security and IT professionals in industries characterized by high vulnerability or organizations that have experienced some degree of cyber crime. Other readers may find our view of the seriousness of cyber crime surprising. Our purpose here is to provide an updated, broad, but well-supported view of the cyber crime threats that we perceive as most serious and to present potentially more effective ways of addressing these threats.

10.4.2 Essentially our view is that:


1. Cyber crime is now serious, widespread, aggressive, growing, and increasingly sophisticated, and poses major implications for national and economic security.
2. Many industries and institutions and public- and private-sector organizations (particularly those within the critical infrastructure) are at significant risk.
3. Relatively few organizations have recognized organized cyber criminal networks, rather than hackers, as their greatest potential cyber security threat; even fewer are prepared to address this threat.
4. Organizations tend to employ security-based, wall-and-fortress approaches to address the threat of cyber crime, but this is not enough to mitigate the risk.
5. Risk-based approaches, and approaches that focus on what is leaving the IT environment as well as on what is entering it, hold potentially greater value than traditional security-based, wall-and-fortress approaches.
6. Organizations should understand how they are viewed by cyber criminals in terms of attack vectors, systems of interest, and process vulnerabilities, so they can better protect themselves from attack.

10.4.3 The focus obscures the view

Most cyber security focuses on preventing attacks and unauthorized usage. It is this very focus that can allow and even enable cyber criminals to employ legitimate users as unwitting accomplices. Authorized users can access and travel throughout a system, remove or change data in the system, and conduct transactions. When cyber criminals employ such users as unwitting accomplices or money mules, they can operate as if they were users. They can acquire the same, or even greater, ability to navigate pathways, copy data, execute transactions, and monitor keystrokes. It is that kind of activity that must be detected, prevented, and addressed. Of course, practices designed to secure the environment and data and to detect traditional breaches must remain in place. But sophisticated cyber criminals have studied the methods organizations use to both wall off and grant access to their networks and data. This positions criminals to conduct activities that can go undetected for months, or to commit a single, major, extremely profitable and damaging crime, such as wire transfer fraud. In many cases cyber criminals have obtained credentials and accessed systems as if they were actual employees and customers. Thus, the integrity of the endpoint that is being granted access to the organization's systems and data must be a primary concern.

The public sector is as exposed as the private sector. There have been cases in which state-level government agencies in the United States have lost measurable monetary sums. For example, the July 2, 2009 entry on Washington Post reporter Brian Krebs' blog stated that Ukrainian cyber criminals had stolen $415,000 from a county by means of unauthorized wire transfers from the county's bank. The criminals were aided by more than two dozen co-conspirators in the United States. Krebs reported that his source, an investigator on the case, noted that the criminals used a custom variant of a keystroke logging Trojan that promptly sent stolen credentials to the attackers by instant messenger. This malware also enabled the attackers to log into the victim's bank account by using the victim's own Internet connection. Similarly, $480,000 was stolen from a bank account of a county Redevelopment Authority by means of Trojan malware. Threats from cyber crime at federal agencies could extend to matters of national security.

10.4.4 Shifting the basic approach

One of the more fruitful approaches to consider in addressing the threat of cyber crime involves moving from a primarily security-based approach to a more risk-based approach. Blocking what is coming into the environment (the strength of the security-based approach) is useful and necessary. However, that can often be accomplished less expensively and perhaps more selectively. Shifting the focus to include monitoring and identifying data that leaves the environment can detect activities enabled by techniques and technologies that mimic, exploit, or piggyback on the access of authorized users. Relevant items may include user credentials, personally identifiable information, financial data, and vulnerability details. Current security wall, access control, and identity authentication approaches typically won't identify criminal activity geared to capturing that data and information. With their current methods, cyber criminals can even infiltrate systems of organizations that hire white hat hackers to test their defenses. Cyber criminals view a system from a process perspective with the goal of gaining access as an actual user would. They then focus on acquiring the access and authentication tools that an actual user would have. Once inside a system, cyber criminals can use it in ways that the organization did not, and cannot, anticipate or defend against. While security personnel are intently watching their Security Information Manager screens, the cyber criminals are already inside.

10.5 A risk-based approach to cyber security


A risk-based approach can start with the assumption that an unauthorized user can gain access to the system, and then design responses based on the value of the data that could thus be compromised. This calls for prioritizing data and information based on value to the organization or other useful criteria. The organization can then decide which data to focus which resources on, how much to spend, and which tools to use to protect data. This approach can help the enterprise shift away from building a great wall against all threats, toward identifying and addressing the most significant ones. This entails prioritizing risks on the basis of their likelihood, impact, and potential interactions with other risks, then allocating resources accordingly. It takes effort, expense, training, and resources to develop a system of categorization by value and to track data after it leaves the organization, but it pays off in efficiency and effectiveness. It is also possible to risk-rank data by type, value, and impact if it were to be compromised. Relatively few organizations have developed categories based on value or risk. However, identifying which data is most and least valuable enables cyber security professionals to focus on the highest priorities. The most valuable data, such as product formulations and sensitive financial and legal information, can be tagged and monitored so that the organization knows where it is, where it is going, where it has gone, and on whose authority. Resources can then be shifted away from less valuable data, such as Website activity and routine email content, which can be treated accordingly.

10.5.1 Developing actionable cyber threat intelligence

Combating cyber crime requires commitment from senior executives and board members. Yes, their plates are full. However, addressing cyber crime falls within risk management, an item already on their plate. Cyber crime is best addressed in the context of the organization's overall risk management approach. That way, it becomes an item in the IT, security, and risk management budgets and on the agenda at management and board meetings. Once the commitment is made, several specific steps can improve cyber security and, incidentally, protection against other threats. These steps within Deloitte's approach focus first on intelligence gathering and analysis, then on assessment. The overall process is summarized in Exhibit 1. In practice, this process is best applied to specific areas: activities, data sets, delivery channels, and aspects of the IT infrastructure. Identifying these areas takes time and resources, but they can be identified in the context of an overall risk management system. If a detailed enterprise-wide risk assessment has already been conducted, that assessment will have identified critical processes, activities, data, delivery channels, and other resources, which can be employed in this effort.

10.5.2 Intelligence gathering

Gathering intelligence is a continuous activity. For our purposes here, it involves choosing promontories from which to scan the external environment and monitor the internal environment. Another way to think of them would be as channels (akin to radio or television channels) through which you can monitor these environments. Promontories or channels include those that constitute external cyber threat intelligence feeds and internal cyber threat intelligence feeds, as listed in Exhibit 2.

While it pays to cast a wide net, there is always the factor of cost and the danger of sacrificing depth for breadth. So pick and choose your feeds given your industry, needs and capabilities. Not every source will be useful to every organization, and some will be more useful than others to a given enterprise. Proactive surveillance rounds out the intelligence gathering effort. Resources here include honeynets, malware forensics, brand monitoring, P2P (peer to peer) monitoring, DNS monitoring, and watchlist monitoring. A few of the specific technologies on which to focus threat research include the following:

- Internet applications: online transactions, HR systems, wire systems, Websites
- Mobile computing: Blackberries, Smart phones, cellular networks, text messaging services
- Personal computers: operating systems, third-party

Another potential source of intelligence would be the resources that potential adversaries use. Again, the goal should be to focus on devices and applications that expose the organization's most valuable data, processes, activities, and infrastructure to the most risk. Once a rich mix of intelligence is being acquired, efforts turn to analysis.

10.5.3 Intelligence analysis

The amount of data derived from broad-based intelligence gathering can be staggering. Therefore, analysis includes statistical techniques for parsing, normalizing, and correlating findings, as well as human review.

Six questions should drive this analysis:

1. How can we improve our visibility into the environment?
2. What new technologies do we need to watch for and monitor?
3. Do we have vulnerable technologies and data?
4. To what extent will our existing controls protect us?
5. Which industries are cyber criminals targeting, and which techniques are they using and planning to use?
6. How can we identify actionable information?

This analysis should be conducted within a risk management process built around well-defined risk identification, prevention, detection, communication, and mitigation activities. We won't delineate that process here, because most readers will be familiar with it. A cyber risk management process prioritizes threats, analyzes threats, detects a threat before, during, or after actual occurrence, and specifies the proper response. The latter may consist of remediation, control updates, vendor or partner notification, or other actions. Analysis, such as failure modes and effects analysis, provides a feedback mechanism, such as lessons learned, to constantly improve the effectiveness of the analytics being performed.


10.5.4 Benefits of a risk-based approach

In light of the potential risks of cyber crime, Deloitte recommends a risk-based approach, as outlined above. This contrasts with (but also augments) security-based approaches geared to walling off the IT environment. The benefits of a risk-based approach include the ability to:

- Define the value and risk-related significance of categories of data and to prioritize and protect them accordingly.
- Identify and mitigate devices inside the organization's network that are being used to support cyber criminal activities.
- Identify customers, suppliers, service providers, and other parties that have compromised devices inside their networks.
- Monitor transactions to identify those being conducted from compromised devices.
- Track compromised data that has left or is leaving the organization.
- Understand the organization's susceptibility to persistent, sustained access by cyber criminals.
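The risk ranking of section 10.5 and the correlation of external and internal feeds in 10.5.3 and 10.5.4 can be shown in one small monitor. The following is an added example written for this report, not code from Deloitte or from the original text; the data classification, the compromised-device feed, the log format and every identifier in it are constructed for illustration.

```python
"""Added example: a minimal risk-based egress monitor. It normalizes
constructed internal log lines, correlates them with a constructed external
intelligence feed of compromised endpoints, and ranks each event by
data value x likelihood so the highest-priority events come first."""
from dataclasses import dataclass

# Constructed classification: value of each data category to the organization.
DATA_VALUE = {"formulation": 10, "credentials": 9, "financial": 8,
              "pii": 7, "web-activity": 1, "routine-email": 1}

# Constructed external feed: endpoints reported as compromised by a partner.
COMPROMISED_DEVICES = {"ws-0042", "lt-0117"}

# Constructed internal feed: one egress event per line, pipe-separated:
# timestamp|device|user|data tag|destination (ext: leaves the environment).
INTERNAL_LOG = """\
2012-03-04T09:01:12Z|ws-0042|alice|financial|ext:203.0.113.5
2012-03-04T09:03:40Z|ws-0010|bob|routine-email|int:mail
2012-03-04T09:05:02Z|lt-0117|carol|formulation|ext:198.51.100.7
2012-03-04T09:09:55Z|ws-0010|bob|pii|ext:203.0.113.9
"""

@dataclass
class EgressEvent:
    ts: str
    device: str
    user: str
    tag: str
    dest: str

def parse(line):
    """Normalize one constructed log line; a malformed line raises ValueError."""
    ts, device, user, tag, dest = [f.strip().lower() for f in line.split("|")]
    return EgressEvent(ts, device, user, tag, dest)

def likelihood(ev):
    """Likelihood (0-100) that the event is criminal rather than business use."""
    pct = 10                                  # baseline for any egress event
    if ev.device in COMPROMISED_DEVICES:
        pct += 60                             # correlated with the external feed
    if ev.dest.startswith("ext:"):
        pct += 30                             # data is leaving the environment
    return min(pct, 100)

def risk(ev):
    """Risk = value of the data at stake x likelihood; unknown tags score 5."""
    return round(DATA_VALUE.get(ev.tag, 5) * likelihood(ev) / 100, 2)

def prioritize(log_text):
    """Return (risk, event) pairs, highest risk first, for the analyst queue."""
    events = [parse(l) for l in log_text.splitlines() if l.strip()]
    return sorted(((risk(e), e) for e in events), key=lambda p: -p[0])
```

Running `prioritize(INTERNAL_LOG)` puts the product formulation leaving a compromised laptop at the top and routine internal e-mail at the bottom, which is the reallocation of attention the section argues for.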

Given the sophistication, complexity, and evolution of cyber crime technologies and techniques, no sizable organization can plan and implement the necessary response alone. CIOs, CSOs, CROs, and cyber security professionals should share information, techniques, and technologies in their battle against cyber crime. This can be done without revealing sensitive corporate or competitive information, but it had best be done.

In general, effective cyber security efforts require perspectives and expertise beyond those that reside in the organization. Thus, a 2010 CSO Cyber Security Watch Survey finding that we found disappointing, and surprising, was that only 21 percent of respondents reported participation in their industry-sector IT Information Sharing and Analysis Center (IT-ISAC). These communities of security specialists are supported by federal leadership, but much work remains if they are to become true public-private sector collaborations as originally intended. They certainly require the support of the cyber security community if they are to succeed.


10.6 Summing up the cyber crime dilemma


Data is more valuable than money. Once spent, money is gone, but data can be used and reused to produce more money. The ability to reuse data to access on-line banking applications, authorize and activate credit cards, or access organization networks has enabled cyber criminals to create an extensive archive of data for ongoing illicit activities. The world has not changed much since the early 1900s when Willie Sutton was asked why he robbed banks. He said, "That's where the money is." Today, cyber criminals go where the data is because it gives them repeated access to the money, wherever it is. Cyber crimes may pose the most potentially damaging threat to IT-related activities, transactions, and assets. We see this threat as under-recognized and under-rated among the risks that organizations face, and thus believe that many organizations are unprepared to detect, address, or protect themselves from these threats. A vigorous, rapidly growing underground economy supports cyber crime activities. Cyber crimes include thievery, fraud, misdirection of communication, identity theft, intellectual property theft, corporate espionage, system sabotage, data destruction, money laundering, and terrorism, among others.

Organizations can take several steps to protect themselves. The first step is to comprehend the seriousness of cyber crime threats to valuable data, processes, and assets. The second is to shift from a security-based approach to more of a risk-based approach to cyber security. Spend your budget and apply your resources to mitigate the highest ranking risks to your enterprise. The third step is to knock down the walls associated with siloed approaches to dealing with cyber threats. Sharing and combining data across the organization, for instance on fraud, loss prevention, information security, and human resources, while combining it with external sources, strengthens the ability to perform value-added analysis. Efforts then turn to information gathering and analysis, with an eye toward identifying cyber crime methods and threats and to monitoring assets as they are accessed, as they leave, and after they leave the IT environment. We do not suggest that cyber security professionals consider a change in focus and additional duties lightly. However, we do suggest that organizations consider their exposures to cyber crime and their current detection, prevention, and mitigation capabilities. Given the profits and current conditions, cyber crime may well be coming to your neighborhood, if it has not already moved in.


CHAPTER - 11 CONCLUSION
The capacity of the human mind is unfathomable. It is not possible to eliminate cyber crime from cyber space, but it is quite possible to check it. History is witness that no legislation has succeeded in totally eliminating crime from the globe. The only possible step is to make people aware of their rights and duties (reporting crime is a collective duty towards society) and to make the application of the laws more stringent in order to check crime. Undoubtedly the Act is a historic step in the cyber world. Further, I do not altogether deny that there is a need to bring changes to the Information Technology Act to make it more effective in combating cyber crime. I would conclude with a word of caution for the pro-legislation school: it should be kept in mind that the provisions of the cyber law are not made so stringent that they retard the growth of the industry and prove counter-productive. The issue of network and Internet security has become increasingly important as more and more businesses and people go on-line. To protect information from hackers, we keep our passwords secret and change them regularly. We should not use our names or initials as passwords, since these are easily guessed. We should not download executable files from unknown sources, or information from any source, without checking it for viruses. We have to use licensed antivirus software. Teams like CERT and FIRST also assist in responding to hacker attacks and in disseminating information on security.
