Types of Cyber Crimes (Unit II)

V. Rajendran, Advocate and Cyber Law Consultant
+91-44-22473849; +91-9444073849
Website: venkrajen.in


Cyber Crimes in India

Cyber crimes in India likely to cross 3,00,000 by 2015: ASSOCHAM – Mahindra study

Number of cyber crimes in India in 2015, almost double the 2014 level

While releasing the joint study on “Cyber and Network Security Framework”, Mr. D.S. Rawat, Secretary General, ASSOCHAM, said, “What is causing even more concern is that the origin of these crimes is widely based abroad in countries including China, Pakistan, Bangladesh and Algeria among others.”

During 2011, 2012, 2013 and 2014, the number of cyber crimes registered was 13,301, 22,060, 71,780 and 62,189 (till May) respectively. Currently, the number of cyber crimes in India is around 1,49,254 and is likely to cross 3,00,000 by 2015, growing at a compound annual growth rate (CAGR) of about 107 per cent. As per the findings, nearly 12,456 cases are registered in India every month.


White collar crimes

• Frauds – definition in IPC ?

• Sec 415 “fraudulent and dishonestly…”

• Fraud, cheating, offences, crimes – Indian laws

• White collar crimes and offences

• Computer related offences

• Includes civil and criminal and contractual

• Punishments, investigation procedures vary

• Defined as crime committed by people of high social position in the course of their occupations

• Crime in suits as compared to crime in streets


1. Against persons

• Cyber stalking
• Harassment
• Social engineering
• Personation
• Cheating, e-forgery
• Incl. criminal offences

2. Against properties (mostly civil offences)

• Cards: cloning, skimming
• Internet banking
• Trojans and keyloggers
• Mobile and data theft

3. Against society

• Spams, Fastflux, Stuxnet
• Cyber espionage
• Cyber war
• Cyber terrorism
• SCADA attacks


Cyber extortion

• Repeated DoS on a website, e-mail server, or computer system, as a malware attack, with the hackers demanding money in return for promising to stop the attacks and to offer "protection".
• Cyber extortion is associated with cyber espionage, hacking, system vulnerabilities, insider threats etc
• In a technology dependent organisation, this is a major concern
• In the US alone, more than 20 cases are getting reported, according to the FBI
• Many incidents often go unreported, for fear of adverse publicity
• How does an organisation react to an attack of cyber extortion?
– Preventive steps
– Detective steps
– Post incident review
– Compliance and regulatory norms
– Corporate accountability
– Stake-holders' role


Data related frauds

• Data and information – Legal angle

• Data storage: scope for frauds

• Retrieval issues:

• Access to data: Data Integrity

• Access Privileges and Access Control

• Data definition – Data Manipulation

• DBMS and RDBMS - features


Data related frauds

• Access to data through front-end
• Program-based access and retrieval
• Back-end access to data
– The need, circumstances, persons, rights
– Logs and trails, checks and balances
– Post-access review and preventive action
– Seriousness of crime
– Insider threats
– Detection and trace: cyber forensics?
– Investigation issues and impediments to it


Data diddling

• Altering in an unauthorized way
• Needs some technical expertise
• Associated with data theft
• Unauthorised transaction and modification
• Altering the data before entry or entering false data either deliberately or unknowingly
– When victim becomes the accused/offender
– Unknowingly altering the data and causing harm to organisation
– Unknowingly altering and causing benefit to organisation..?
– Alteration made possible by programmatic error or bug
– Inadequacy of , or by entering unauthorized instructions or using unauthorized processes;

• Altering or deleting stored data;


Data diddling

• Data Manipulation

• Salami Technique

• Data Slicing and dicing and drilling down with a view to analyse, understand the data for the purpose of manipulation

• Data checks and balances: Check-sum etc

• Redundancy and CRC

• Front end validations and data base controls

• O/s level, RDBMS and application based controls
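
An added example (not from the original slides) of the check-sum control listed above: a CRC-32 catches accidental corruption, but anyone able to alter a stored record can also recompute it, so deliberate data diddling is only caught by a keyed MAC whose key is kept away from the database. The record layout, key and values are constructed for illustration.

```python
import hashlib
import hmac
import json
import zlib

# Assumption: the MAC key is held outside the database (for example in a
# separate signing service), so a back-end user who edits rows cannot read it.
MAC_KEY = b"constructed-demo-key"

# Constructed sample record, not real data.
SAMPLE_RECORD = {"txn_id": "T-0001", "account": "ACC-42", "amount": "1200.00"}


def canonical(record: dict) -> bytes:
    """Serialise fields in a fixed order so equal records give equal bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def crc_tag(record: dict) -> int:
    """Unkeyed checksum: anyone can compute it."""
    return zlib.crc32(canonical(record))


def mac_tag(record: dict, key: bytes = MAC_KEY) -> str:
    """Keyed HMAC-SHA256: only the key holder can compute it."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def seal(record: dict) -> dict:
    """Store both tags beside the record, as the front end would at entry."""
    return {"data": dict(record), "crc": crc_tag(record), "mac": mac_tag(record)}


def verify(row: dict) -> dict:
    """Recompute both tags and report which control notices a change."""
    return {
        "crc_ok": row["crc"] == crc_tag(row["data"]),
        "mac_ok": hmac.compare_digest(row["mac"], mac_tag(row["data"])),
    }


def accidental_change(row: dict) -> dict:
    """Corruption or a stray edit: the data changes, the stored tags do not."""
    return {**row, "data": {**row["data"], "amount": "1500.00"}}


def edit_with_recomputed_crc(row: dict) -> dict:
    """Back-end alteration where the checksum is refreshed to match the new
    data. The MAC cannot be refreshed without the key, so it stays stale."""
    data = {**row["data"], "amount": "9500.00"}
    return {"data": data, "crc": crc_tag(data), "mac": row["mac"]}


def audit(rows: list) -> list:
    """Return the txn_id of every row whose MAC no longer matches its data."""
    return [r["data"]["txn_id"] for r in rows if not verify(r)["mac_ok"]]


if __name__ == "__main__":
    sealed = seal(SAMPLE_RECORD)
    print("untouched        ", verify(sealed))
    print("accidental change", verify(accidental_change(sealed)))
    print("crc recomputed   ", verify(edit_with_recomputed_crc(sealed)))
```

The third case is the one that matters for fraud: the checksum still verifies while the MAC fails, which is why an unkeyed check-sum or CRC alone is an error-detection control and not an anti-tampering control.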


Data theft

• How is data theft different from normal theft?

• Data theft?

• Investigation issues in dealing with data theft

• Evidence issues and forensic issues

• Organisation role in preventing and detecting data theft

• Data security and standards associated with it

• Handling third party data: due diligence

• IT Act in India and the legal implications


Data theft - public

• Information harvesting

• Phreaking - study, experiment with, or explore telecom systems making long distance calls etc

• Information freely available in public domain

– Government sites, corporate clientele, shopkeepers’ databases, merchant data, advertisers’ data, publicity material, academics etc

• Voluntarily giving information leading to theft?


Data Hiding

• How is data hidden?

• Hardware and forensic issues in hiding

• Software based and application based hiding

• User level based hiding – access controls

• Hardware based hiding eg disk partition

• O/s level data hiding: Apps running on O/s

• Bringing out hidden data – forensic issues


Id theft

• User name and id

• Significance of id in corporates, banks etc

• System Manager’s role and responsibility

• Id theft by social engineering

• List of ids – physical list and access to the list

• User – id – temporary, active, time-bound, session, access-based, access control lists

• Privacy of id, usernames and compliance issues


Password theft

• Password cracking is the process of guessing or recovering a password from stored locations or from data transmission system.

• Used to get a password for unauthorized access or to recover a forgotten password.

• In penetration testing, it checks the security of an application.
• Tail gating – software access
• Shoulder surfing – password and user id
• Password crackers – software and tools
• Social engineering – personal contacts
• Brute Attacks – Brute Force Attacking
– Brutus, Rainbowcracks, Wfuzz, John the Ripper, Medusa etc


Cyber Squatting

• Trade Marks and patents and Software ownership

• Squatting mainly deals with domain names only irrespective of the nature of trade, goods etc

Jupiter Infosys Ltd. vs Infosys Technologies Limited - Sept, 2004

In another case, the website www.blitzerinfosys.com carried the logo-mark of Infosys and sold computer goods. Infosys questioned the use of “infosys”.

INRegistry accredited registrars – ac.in, mil.in, nic.in

Role of INDRP –

Detailed procedure on how to file complaint, disputes mechanism, like cancellation of domain name or transfer of domain name etc

Sonyericsson.co.in in 2005 and later many cases / disputes settled


Domain Names

• Attorneys Handling Cybersquatting Cases Under the Uniform Domain Name Dispute Resolution Policy (UDRP) and the Anticybersquatting Consumer Protection Act (ACPA) in the US

• Websites like Godaddy.com

• In India and other nations, common repositories and agencies

• Domain names disputes are different from trade marks, copyrights, piracy and patents disputes

• I.T. Act and also I.P.C. wherever applicable

• Registration – Cyber squatting is the first step, and the criminality starts when the domain name is misused in cases of fraudulent transactions, mens rea, id theft, cheating, misrepresentation etc and for commercial or other gain


Cyber squatting cases

Trump is a registered trade mark in the US under their Trade Marks Act.

J. Taikwok Yung, a self-described "domainer", developed four websites -- trumpmumbai.com, trumpindia.com, trumpbeijing.com, and trumpbudhabi.com -- parodying the well-known businessman and providing commentary, often disparaging, on Trump and his television shows "The Apprentice" and "The Celebrity Apprentice." He had registered domain names related to the real estate mogul Donald Trump and was awarded $32,000 as damages -- judgement in March 2014

Source: Internet


ICANN

• The Internet Corporation for Assigned Names and Numbers is a nonprofit organization responsible for coordinating the maintenance and methodologies of several databases, with unique identifiers,

• Information about ICANN and its work is accessible to those who speak languages other than English, in a multi-stakeholder model.

• To be effective as a global organization, translations are available in the six United Nations languages – Arabic, Chinese (Simplified), English, French, Russian and Spanish – where appropriate.

• Translation mechanisms like Language Services team consists of regional and language industry experts focussing on high quality translation and localization of content.

• Currently, dozens of content items on www.icann.org are translated every day, but no full-site translation.

• ICANN plans to add translation mechanisms and workflows with a goal to provide full-site translations.


Key logger

• Also called Keystroke logger, screen capture

• Hardware-based like BIOS, keyboard monitoring and logging, wireless keyboard sniffers, acoustic based, EM emissions etc

• Software based like Trojans or remotely placed

• Counter and prevention methodologies like anti keylogger, anti spyware, antivirus etc


Child pornography - definitions

• Definition of child ‘every human being below the age of 18 years unless under the law applicable to the child, majority is attained earlier.’ International Convention – Ministry of Women and Child Welfare etc

• Upper age limit for childhood as 18 years, but it is accepted that majority may be obtained at an earlier age under laws applicable to the child.

• Minimum legal age defined by national legislation like Child labour, apprentices, Factories Act etc – 14

• Under IPC, Sec 83 no criminal responsibility for those from age 7 to 12 and U/s 82, below 7 are ‘incapable’ of committing any ‘crime’ and Juvenile Act it is 18

• Under IT Act also it is clearly mentioned as 18 only

• Sec 118 of Indian Evidence Act: no age limit to testify


Child Pornography

• Treated and dealt with very seriously as a crime in all nations including India

• ITAA 2008, Sec 67-B: child pornography is an offence – elaborately described – first conviction five years and/or Rs.10 lakhs and second time, 7 years and/or Rs.10 lakhs

• Exceptions to this section and 67 and 67A laid down in the same section

• Dr L Prakash case, Chennai, infamous case on child pornography resulting in conviction

• Recent cases in Supreme Court and the central government’s affidavit and statement on porno sites and child porno sites


Obscene messages

• Sec 67: punishment for publishing or transmitting obscene material in electronic form

• ‘material containing sexually explicit act etc in electronic form’

• Punishments for both also laid down in the sections

• Many case laws – mostly relevant sections of IPC and other relevant acts also cited and cases filed under them too


Job Racketing

• A dishonest or fraudulent business or practice, mostly in a planned and organised manner as a moneymaking activity
• Associated with money making arising out of
– frauds and cheating,
– luring unemployed people
– extortion and sometimes, harassment
– money laundering and money sharking,

• June 15: Job racketing case busted in Hyderabad – jobs offered in government – Gramin Swa Rozgar Yojana - money demanded from job aspirants

• Aug 15: Cyber crime wing Coimbatore busted an online job racket by arresting a 30-year-old man and his mother-in-law for allegedly cheating two brothers of Rs 1.33 lakh in November 2013 by promising them to get job abroad.

• Most of the job racketing cases involve e-cheating, personation, forgery, e-forgery, falsification of documents etc

• Besides personation u/s 66 (c) and (d) and 84(b) of ITA, IPC Sections 419, 420, 465, 468, 471 were also invoked.


Marketing and Advertising Rackets

• Marketing rackets: data spying and customer profiling from behaviour, previous searches, queries raised, social engineering, information harvest, social networking sites information and data willingly offered for receiving greeting messages etc

• Previous search patterns always used by search engines and data shared with firms to market the products

• Data leakage and data sharing facilitating marketing strategies


Nigerian frauds

• Advance Fee Fraud (AFF), globally known as "4-1-9" fraud after the section of the Nigerian penal code dealing with frauds ... a formerly relevant section of the Criminal Code of Nigeria, "419 Advance Fee Fraud (419 AFF)" – also called 419 scams

• Associated with web-based, emails and contact lists, money transfers, overseas remittances etc

• Lottery, online luring of money, will and property intestate, inheritance of faked properties, pet animals scams including romance and similar proposals etc

• Mostly random targets and victims and sometimes specific targets and victims based on profession, name-similarities, like-minded and hobbies etc


Pay per click scams

• Also called click fraud – an Internet fraud – a legitimate user is faked or imitated and ad is clicked with no interest in the matter advertised –generating false searches and artificial interest in the matter or product advertised - by employing robots or low-wage workers to repeatedly click on each AdSense ad on their sites, thereby generating money to be paid by the advertiser to the publisher and to the web host (like Google)

• Competitors of advertisers and malicious intent

• Legally it's an activity…punishable? Detectable?


Web defacement

• An attack on a website to change the visual appearance of the site or webpage.

• Done by system crackers, (hackers) gaining access to server and replacing the hosted website with another.

• Unauthorized changes made to the appearance of either a single webpage, or an entire site.

• Sometimes like a malware with some desire to profit
• Sometimes data theft like credit card details and personal information.
• Mostly with no financial incentive and for some motives like
– Religious fanaticism
– Some ideological mission or motives
– Prove technological supremacy

• Mostly done by ‘Anonymous’ or some such fictitious groups and may be sometimes by internationally known groups claiming responsibility too

• Often results in data theft, a Trojan, or is meant to send a shock or to instill fear

• Like early days of virus writing or hacking: to prove technological supremacy


ATM frauds

• Meaning of electronic delivery channel in banks
• Popular electronic delivery channels in banks
– ATMs, Internet Banking, Cards, Mobile Banking and Funds Remittances
• Cash Loading in ATMs, Preservation of ATM logs, CCTV footages
• Physical security concerns in ATMs
– Surveillance, CCTV, Security Guard, ATM cabin, Wall-mounted ATMs, Lobby types and Drive-in types, Cash Dispensers and full-fledged, Skimming and cloning, Fake Notes in ATMs, Safety of ATMs, security of cash kept inside, bio metric enabled ATMs
• Logical Security of ATMs and the related data
– How the PIN travels, Account data stored in ATMs, ATM logs and trails, interpretation of logs, reconciliation issues
• Strip based cards and chip based cards
• Card Cloning …..and now chip cloning too? Remedial measures?


Physical safety of ATMs

Monitoring mechanism by banks: Video Surveillance, security guards, logs, bio-metric devices, bullet proof filming and other measures

Customers: Be alert – Security concerns use of PINs and passwords – Physical possession of cards and preservation of PIN

Issuing bank’s responsibilities: Despatch of cards, PIN mailers, bank’s custody, Cash Management, Database issues, reconciliation issues

Security in ATMs


1. ATM Interior 2. Small Fancy ATM


Tampa police show a skimming device — the false card slot goes over the original; underneath is a card reader that captures information. A camera is typically hidden on the ATM, often in a pamphlet holder, angled to view the monitor and keypad.


A fifty-eight (58) year-old Pasco County man noticed something odd at a drive-thru ATM machine last Saturday morning. When he tried to insert his ATM card, there seemed to be an odd piece of plastic attached to the ATM machine that was loose. Wisely, the man removed it from the ATM at the Bank of America branch at 5242 Little Road in New Port Richey. Because that Bank of America branch was closed, the man took it to another location and showed it to a bank teller. That bank then called the Pasco County Sheriff's Office.


Cyber Crimes – e-banking

• Never from a browsing centre, cyber café or any public place
• Always look for security features like lock symbol, Green Address bar - EVSSL, Site Certification details
• Beware of key-logger software – Use of virtual keyboard
• Beware of phishing mails and phishing site
• Never reveal any information (user-id password) over email
• Never click any hyperlink in any website and give info
• No bank will ever require any info by email
• In addition to the CVV-CVC, remember the t-PIN (additional PIN auth-PIN) for e-commerce payment

What banks should do when confronted with: Zeus, GameOver and other attacks, Preparedness initiatives – part of legal compliance.


Cyber Crimes – Internet Banking

• Prevention initiatives to be taken by banks

• Customer level – user awareness

• Compliance and regulatory norms

• OTP or 2FA and other measures

• Per day cap or per transaction cap

• RBI’s role as a regulator or as a facilitator of electronic banking

• Cyber Crime Insurance in Banks…?


Cyber Crimes in Electronic Delivery Channels in Banks

• Meaning and definition of electronic delivery channel in a bank
• Various electronic delivery channels
• Advantages and uses of such channels
• Are they to replace human/personal channel?
• Security concerns in electronic delivery channel in banks
• Security enhancement or security threats?
• Benefits to: Customer? Bank staff? Industry? Government?


Cyber Crime

30 August 2015 IOB IT Products Feb12


Web defacement

• An attack on a website
• Changes the visual appearance of the site or a webpage
• Mainly an activity of hacking or cracking
• Illegally breaking into a web-server and replacing the webserver with an entirely new one
• An unauthorized change made to the appearance of either a single webpage, or an entire site
• Sometimes, the website is completely removed and replaced by something new or objectionable or obscene
• Mostly of late, used in terrorism, religious fanaticism, outlawed outfits
• Used as a threat to the website owner and normally replaced or given back to the original position in a few minutes, sometimes, after the owner is made to realise the seriousness of the issue on hand


Telecom fraud

• Frauds in telecom, telephone lines
– Cramming: charging a subscriber for a call he did not make or service he did not avail, or other hidden charges
– Dishonest levies: third-party suppliers of data and communication service – outsourced parties and services
– Slamming: a fraudulent, unauthorized change to the default long-distance or other lines made by dishonest vendors desirous to steal business from competing service providers.
– False answer supervision: a misconfiguration of telecom equipment, by negligence or design, where billing starts when the phone rings even when the call is not answered
– Excess billing or wrong billing: studying the pattern of calls made and billing calls not made, taken from frequently called numbers
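
An added example (not from the original slides) of how a subscriber-side or regulator-side audit could flag false answer supervision, excess billing and cramming from billing records. The call-record fields, the per-second billing assumption, the one-second tolerance and all sample values are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

TOLERANCE = 1  # assumption: per-second billing, one second of rounding allowed


def t(clock: str) -> datetime:
    """Helper for the constructed samples: a time on one fixed day."""
    return datetime.strptime("2015-08-30 " + clock, "%Y-%m-%d %H:%M:%S")


@dataclass
class CallRecord:
    call_id: str
    setup: datetime             # call attempt starts, called phone begins to ring
    answer: Optional[datetime]  # called party picks up; None if never answered
    release: datetime           # call ends
    billed_seconds: int         # duration the operator charged for


def audit_call(cdr: CallRecord) -> Optional[str]:
    """Return a finding for one call record, or None if billing looks right."""
    if cdr.answer is None:
        # No answer signal at all, yet the call was charged.
        return "billed-unanswered" if cdr.billed_seconds > 0 else None
    talk = int((cdr.release - cdr.answer).total_seconds())
    ring_to_release = int((cdr.release - cdr.setup).total_seconds())
    if cdr.billed_seconds > talk + TOLERANCE:
        # Billed time equal to setup-to-release means ringing was charged,
        # which is the false answer supervision pattern.
        if abs(cdr.billed_seconds - ring_to_release) <= TOLERANCE:
            return "billed-from-ring"
        return "over-billed"
    return None


def audit_calls(cdrs: list) -> dict:
    """Map call_id to finding for every record with a billing anomaly."""
    findings = {}
    for cdr in cdrs:
        finding = audit_call(cdr)
        if finding:
            findings[cdr.call_id] = finding
    return findings


def crammed_charges(charges: list, subscriptions: dict) -> list:
    """Charges for services the subscriber has no record of ordering."""
    return [
        c for c in charges
        if c["service"] not in subscriptions.get(c["subscriber"], set())
    ]


# Constructed sample data, not real billing records.
SAMPLE_CDRS = [
    CallRecord("c1", t("10:00:00"), t("10:00:12"), t("10:03:12"), 180),
    CallRecord("c2", t("10:05:00"), None, t("10:05:25"), 25),
    CallRecord("c3", t("10:10:00"), t("10:10:20"), t("10:12:20"), 140),
    CallRecord("c4", t("10:20:00"), t("10:20:05"), t("10:21:05"), 300),
]
SAMPLE_SUBSCRIPTIONS = {"S1": {"voice", "data-1gb"}}
SAMPLE_CHARGES = [
    {"subscriber": "S1", "service": "voice", "amount": 199},
    {"subscriber": "S1", "service": "ringtone-pack", "amount": 30},
]

if __name__ == "__main__":
    print(audit_calls(SAMPLE_CDRS))
    print(crammed_charges(SAMPLE_CHARGES, SAMPLE_SUBSCRIPTIONS))
```

Operators that bill in pulses or whole minutes would need the tolerance replaced by their rounding rule before the comparison is meaningful.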


Telecom frauds

• Software frauds: Unethical practices by telcos

• Illegal practices and procedures

• Customers’ ignorance

• TRAI role and responsibility

• Hardware issues in telecom equipment

• Hardware gadgets: spying, data storage, data diversion, router tables, switching tables

• Due diligence on the part of telecoms


Softlifting

• A type of software piracy – software users sharing their software with others who are otherwise not licensed to use it

• Normally purchased by one and then copied in many other systems

• (like taking xerox copies of official publications)

• Not only license infringement but also revenue loss and ultimately illegal purposes leaving the original seller unable to trace the end user…? Legal issue?

• Also called end-user piracy or softloading


Software Licensing

• What is software licensing?

• Need for it and its usage, purpose

• Unauthorised use of software and impact on the economy - impact in the crime scenario e.g unauthorised use of a SIM card or issue of duplicate card and traceability etc

• Source code – functionalities – outputs – screens

• Licensing of software programs

• User defined – customisation

• In-house developed software and licensing

• Customising a software and third party usages


IT Assets and software

• IT Asset Management includes mainly software management and its inventory
• Manual compilation and reconciliation of IT assets may be sometimes not dependable
• Licensing of patches, entire software, user-level, geographic installation, hard disk based installation, system-based usage, client site installation etc
• There are many Web-based Inventory Management tools and utilities too available
• There are also many network Inventory reports
• Inventory Management of software is a complex issue
• Depends upon the license vendor’s policy, corporate policy of the user, user-organisation’s system of accounting etc.


Microsoft Licensing

• Genuine Microsoft Label or a Certificate of Authenticity (COA) are labels to identify genuine Microsoft software.

• Microsoft does not call it a software license but it is a visual identifier to know whether the MS software is genuine.

• A legal license to use the MS software

• Microsoft Open Licensing Policy

• Volume Licensing policy of MS


Electronic documents

• Recognition of electronic records – IT Act

• Electronic documents: preservation, retrieval

• Access to electronic documents and crimes

• Access control and privileges

• Data Mining and Data Warehousing

• Electronic documents Preservation Policy

• Documents Maintenance Policy in banks, telecom companies, cyber cafes, public utilities, private firms, legal entities, legal requirements and records


Electronic Contracts

• Meaning and legality in a contract

• Contract essentials: Agreement, offer, acceptance, consideration, enforceability

• Genesis of a business contract – national and international needs and legal impact –replaced by e-commerce, e-transactions and e-contracts

• Enforceability in an electronic contract

• Legal requirements in electronic contracts


Issues in electronic contracts

• Legal validity of an e-contract
• Evidence, proof, e-records, enforceability
• Software driven acceptance and evidences
• Preservation of evidences at the other end?
• Accountability on the part of data custodians
• Acceptance of such e-contracts – Retrieving
• Version control and configuration management
• Production of such e-contracts in a court of law
• Contracts Act – Compliance of issues involved


Crimes on Documentation

• Frauds, forgery and now electronic forgery!

• Covered in the IPC as amended by the IT Act

• Forgery of documents and contracts by data diddling, data manipulation, spoofing, id theft, password theft, card cloning, card skimming, software theft, piracy and other technologies

• Prevention methodologies

• Detection methodologies

• Legal remedies: National and global scenario