Friday, November 12, 2010

The state of cyber crime awareness amongst the law enforcement agencies

In one cyber crime investigation in India, a police officer was asked to seize the computer of the hacker. What he brought back from the hacker’s premises was the monitor. In another, similar instance, the police seized the memory and the CD-ROM drive of a hacker’s computer instead of taking out the hard disk.

If that doesn’t illustrate the state of cyber crime awareness amongst the law enforcement agencies, try reporting a cyber crime: most likely you will never think of contacting the police again for such an incident.

Today’s cyber attacks are no longer undertaken by amateur hackers who create viruses or malware to prove their worth or to showcase the vulnerabilities of government systems. A new economy is emerging around cyber crime, and it is sophisticated and organized.

In its Cybercrime Intelligence Report of 2009, Finjan described the operations of the Golden Cash network, an entire trading platform for malware-infested PCs. The platform brings together all the necessary components (a buyer side, a seller side, an attack toolkit, and distribution via “partners”). This advanced trading platform marks a new milestone in the evolution of cyber crime.

By turning compromised PCs from a one-time source of profit into a digital asset that can be bought and sold again and again, cybercriminals are maximizing their illegal gains.

Another report, Symantec’s ‘Underground Economy’, highlights the kind of money these cyber criminals make. According to the report, Script (a well-known figure in the underground economy) and his associates were known for mass-producing counterfeit credit and debit cards, which they delivered internationally and used to withdraw cash.

This was so efficient that, at one point, those working with Script were reportedly earning up to $100,000 a day, significantly more than the estimated earnings on US-based forums. Script was arrested by Russian authorities in 2005.

Trends in cyber crime
The last few weeks have seen cyber attacks carried out against many countries. Just a couple of weeks ago, it was reported that a widespread and unusual computer attack had been launched on the Web sites of several government agencies in the United States, including some that are responsible for fighting cyber crime.

In addition, in the last few days the Web sites of major South Korean government agencies, banks and Internet sites were paralyzed in a suspected cyber attack as well.

Analysts at Symantec pointed out that these attacks relied on familiar malware. Vishal Dhupar, MD, Symantec India said, “We observed a number of malware components that were responsible for the attacks. W32.Dozer, Trojan.Dozer, W32.Mydoom.A@mm and W32.Mytob!gen work in tandem to both spread and attack.”

All these components of the attack are basically pieces of old malware code, bolted together to launch the attack. If such unsophisticated attacks were able to create this much havoc, imagine what would happen if more sophisticated and better-coordinated attacks occur.

Yuval Ben-Itzhak, CTO of Finjan, opined, “The primary trend that we see is that hackers are using automatic tools to conduct crime. These automatic tools (toolkits) enable any person with some basic IT skills to start infecting online users with data-stealing malware within hours. Data stealing malware is what these criminals are using to cash out from their activities. They are selling the data they managed to steal online.”

Dr. Jose Nazario, Manager of Security Research, Arbor Networks, Inc. added, “We have seen, just like in the physical criminal world, criminals who specialize in different things: criminals who burgle houses, criminals who buy and sell stolen property; there are conmen online too. This kind of specialization has existed in the physical world for thousands of years. Now it has appeared in the online world as well. So you have division of labor, and specialization in the online crime world.”

Dr. Nazario said, “If you are able to do a complete investigation of all the various actors involved in online crime such as DDoS attacks, economic espionage, or financial fraud, there would be many different parties who are enablers at different points in the process just as the people who are enablers of a crime in the physical world.

Long-standing physical crime organizations have moved heavily into online crime as it is extremely lucrative when compared to similar efforts in the physical world and the risk of being caught is lower. Victims can be global as opposed to local in the physical world. So the vast majority of online crime today is organized crime and a big proportion of it is being committed by traditional organized criminals.”

Indian criminals learn the ropes
There are many small groups of cyber criminals in India. We have not yet seen the emergence of a cyber crime mafia. Most of these small organized groups are located either in big cities or in small towns; the phenomenon hasn’t percolated to the countryside yet.

Most of these groups began with amateur activities and, after tasting success, moved on to other cyber criminal activities. In the metros and in the B-class cities, we have seen the emergence of data brokers or data merchants who source data from people working at offshoring or outsourcing companies such as BPOs, KPOs and LPOs. These brokers then process the data before selling it. This is rampant.

Pavan Duggal, Advocate, Supreme Court of India and a noted cyber lawyer, said, “Cyber crime in India is going through a learning curve of maturity. Gone are the days when Indians would indulge in petty cyber crime activities such as defacing profiles or cyber stalking. What is emerging is a professional approach towards cyber crime.”

Cyber terrorism is another challenge in India. Ankit Fadia, an independent computer security and digital intelligence consultant, who is also a cyber terrorism expert, said, “During the investigations after the Mumbai attacks it was found that the terrorists were using VoIP to do all of their planning and communications. Before the Gujarat blasts, an e-mail was sent to a few news agencies in Mumbai. Both Gujarat and Mumbai police were inadequately equipped to track who sent the e-mail etc. I was working with the Gujarat police and the Navi Mumbai cyber cell department on both of these cases and after talking to them, I realized that they weren’t properly trained.

They asked me for tools and software that are basically downloadable from the Internet and that every hacker would know about. Together with my help and that of some other security consultants, we were able to track down the e-mail but then the problem was that the e-mail was sent from a Yahoo e-mail account and when the Mumbai cyber cell and ATS contacted Yahoo, it took about four-five days for Yahoo to get back on this as they needed approvals from their US office. This is too long a time when you are working on such a critical case.”

Indian Web sites are being hacked all the time simply to demonstrate their vulnerabilities. Cyber terrorism has now been made a heinous offence punishable with life imprisonment, but Duggal felt that many mechanisms for investigating and prosecuting cyber terrorism cases still need to evolve. It would be far better if India had a dedicated cyber crime force. Further, cyber crime related matters should be heard by fast track courts rather than go through a trial process that drags on for years.

According to Mikko Hypponen, Chief Research Officer, F-Secure Corporation, “India is not a major source of malware or cyber crime. However, it is a major target of such crime—mostly because of its size and emphasis on high tech. In the early days of computer viruses, India used to be a big source of viruses. Those were the days of hobbyist virus writers. Nowadays, the large-scale organized criminal malware attacks are coming from Russia, China and Brazil.”

That said, cyber crime is not local; it is international. The criminals are in country A, stealing money from victims in countries B, C and D through computers in countries E, F and G. To get the criminal arrested and sentenced, you need cooperation from the law enforcement authorities in all of these countries, and that doesn’t happen as smoothly as it should.

Call for Internetpol
The Internet has no borders and online crime is almost always international, yet local police authorities often have limited resources for investigations. According to Hypponen, we should consider the creation of an online version of Interpol – ‘Internetpol’ that is specifically tasked with targeting and investigating the top of the crimeware food chain.

“I’m not holding my breath waiting for this to happen overnight. In my talks with international law enforcement, everybody agrees we need more info sharing and more co-operation. However, getting all the necessary countries on board will be hard. Then we have to take into account the possible resistance from people who think such a ‘Net police’ would be used to curb free speech or hunt peer-to-peer users when what we would really be after would be catching online criminal gangs,” Hypponen said.

According to Fadia, “An organization like an Internetpol, which is an international body that operates on a cross-border investigation, is really required. The problem that every country faces today is that even if you get trained officials to do the investigations for a cyber crime case, if the criminal is in another country, even if the agencies have all the proof, for them to be able to contact the local police agencies in the other country to even arrest the person is nearly impossible. No international agencies like the UN or the Interpol for Internet security currently exist. Every country wants to protect its own citizens; they would never cooperate in such an investigation.”

The IT Act 2008
In order to curb cyber crime and protect the country’s sovereign interests, the government has come up with the amended IT Act 2008. Duggal believed that while the amended Act has taken two steps forward, it has taken three steps back. It has widened the coverage of cyber crimes to include offences such as cyber defamation, identity theft and cyber terrorism, but most cyber crimes have at the same time been made bailable.

Duggal said, “Once a person is out on bail, as a matter of right, he will immediately go and tamper with the electronic evidence. That being so, the chances of getting convictions in the cyber crime cases would further decrease. Therefore, to that extent, it is a piece of cyber crime friendly legislation.

Already statistics are not in India’s favor. We have got only four cyber crime convictions till date, which gives you an idea of how poor the law is. I think the actual number of convictions would further recede with the new cyber act because in any cyber crime case, conviction depends upon electronic evidence and if evidence is tampered, there will be no conviction. Therefore, I think the law has gone soft on cyber criminals, except for cyber terrorism, which has been made a heinous offense.”

Duggal explained, “The amendments have deleted the term ‘hacking’ from the law. This will have a psychologically negative impact. Cyber criminals today feel that hacking has been deleted from the law. Moreover, I think this soft approach is sending out a loud message to the world that we are not focused on cyber crime. This would certainly hurt corporate India and the rate of growth of the Indian economy. So I think it would have been far better had the government gone for stringent punishments.

The world over, post 9/11, the focus has been on increasing the quantum of punishment for cyber crime in different jurisdictions. India is the only country that has acted to the contrary and reduced punishment for cyber crimes. For example, under section 67, publishing obscene electronic information was earlier punishable with five years imprisonment and a Rs. 1 lakh fine on the first conviction and 10 years imprisonment and a Rs. 2 lakh fine for the second conviction. This has now been reduced from five years to three years and from 10 to 5 years. Similarly, all other punishments have been reduced. This doesn’t make any sense.”

Government officials, however, beg to differ. According to a senior official, the quantum of punishment has not been reduced in most cases. He admits that most offences under the IT Act 2008 have been made bailable, but argues that this serves a purpose. Consider a scenario where your system is infected with a virus through the Internet or through an infected pen drive.

If you then send an e-mail to a company, the virus travels along with it, and the company can press charges against you for causing harm to its systems. Though you did it unknowingly, you can be found guilty. If this offence were treated seriously, with a high quantum of punishment, a large number of innocent people would be convicted. This is one reason why many offences have been made bailable under the amended IT Act.

Another reason for making the offences bailable is that, because of low awareness and knowledge of technology amongst police, lawyers and judges alike, cyber crime related cases take a long time to resolve. In such cases, many petty offenders or innocent people are treated like hardcore criminals, which isn’t fair. That being said, a lot needs to be done to educate the law enforcement agencies about technology and cyber crime.

According to Jatin Sachdeva (CISSP, CISA), Information Security Specialist, Cisco India & SAARC, “As with any law, there is a constant need to evaluate relevance and context. Even with cyber crime laws in place in so many places around the world, it has not brought about the end of cyber crime. We believe that there is definitely more that can be done, and more importantly, more stakeholders to be brought into the ecosystem.”

Plan of action
Enhancing the law is one issue; the law then needs to be properly implemented. There must be appropriate orientation and awareness of how the law is to be applied. Then there need to be fast track courts. Another major problem is the citizen-unfriendly interface of the law enforcement agencies: getting an FIR registered is a herculean task in any cyber crime case.

It is time for India to provide for electronic FIRs. Similarly, the criminal justice system needs to be appropriately reformed in India to keep in sync with the changing realities of the electronic economy.

The Indian Computer Emergency Response Team (CERT-In) is working with state police forces to train them on cyber investigations and cyber crime. CERT-In has certain limitations, however: it is ready to fund the setting up of cyber forensic labs, but it is up to the state police to approach CERT-In for this.

CERT-In is also trying to educate school students about the Dos and Don’ts of the Internet and create awareness amongst them about cyber crime. This is being currently done in association with Data Security Council of India, Nasscom and Google.

Sources from the government claim that India is well prepared to face any large-scale cyber attack. The government has also prepared a cyber crisis management plan, the contents of which are classified.

When it comes to enterprise security, things come down to deploying best current practices (BCPs). From the network, server and application standpoint, there are well-known BCPs that network operators, server administrators, Webmasters and so forth can follow to ensure that their systems and infrastructure are hardened against attacks.

Roland Dobbins, Solution Architect, Arbor Networks, opined, “A lot of these BCPs don’t consist of most of the things that you buy so much as the things that you do in your infrastructure. It requires time and effort to implement these things and a lot of folks for various reasons are under resourced and overworked so they don’t deploy these well-known best current practices that would not only make their sites more resilient against attacks but also provide greater visibility into the attacks and mitigate them.

One of the basic things that people can do is to ensure they have a virtual team comprising their networking staff, their sysadmins and their Web and database administrators, who can be called together and can work together. Another effective thing that they need to do is to have an understanding as to who your ISPs are and who your operational security contact is who can be reached if there is a problem.

There are a lot of reports where the folks didn’t know who their SPs were and how to go about contacting them. Many SPs offer commercial DDoS mitigation services that organizations can subscribe to. These act like insurance for your systems.”

All in all, we as a country need to develop a culture of security through proper training—be it at school level, college level or at organization level. As the Chinese philosopher, Confucius rightly said, “Success depends upon previous preparation, and without such preparation there is sure to be a failure.”
Reference : http://www.expresscomputeronline.com/20090803/market01.shtml