information security

INFORMATION SECURITY DEMYSTIFIED

There are many definitions of Information Security. Some say it is the "preservation of the confidentiality, integrity and availability of information", while others are of the opinion that it is "the securing and safeguarding of all sensitive information, electronic or otherwise, which is owned by an organization." Some experts also say that Information Security is the process of protecting data from unauthorized access, use, disclosure, destruction, modification, or disruption. The terms information security, computer security and information assurance are frequently used interchangeably. Whichever definition you prefer, the heart of the matter is the protection of the confidentiality, integrity and availability of data.

Overview:

With the rapid globalization of world economic activity and the rise of the ICT industry as the principal enabling factor, information security has become a top agenda item for CXOs globally. Information security breaches, rising demand for regulation in the areas of security, privacy and governance, onerous compliance norms and an increasingly mobile workforce are challenges facing governments and enterprises globally. As we entered the new millennium, IT managers were busy safeguarding their (legacy) systems from the Y2K bug. Around that time, the threat of Internet viruses and worms loomed large. Naturally, every connected enterprise had to have an anti-virus solution and perhaps a firewall, and that was what security was all about. Today, as the stakes go higher, Information Security (InfoSec) takes on a broader meaning. What's more, certain Indian enterprises, aspiring to move up the value chain, have no choice but to take a more proactive stance towards security, through means like security certification and refining internal processes, including compliance norms. As one industry analyst puts it, "Security has become all-encompassing—it's not just about technology and point products anymore."
Information security has received a renewed focus in today's global environment. The different areas of information security, including the design, development and deployment of systems that enhance security, have gained prominence. Companies have begun tightening access to their systems and core applications, but are still scrambling to ensure a correct balance between the free flow of information and security.

The prime driver for enterprise security is (Internet) Connectivity. India's information technology industry is forecast to grow at a compounded rate of 21% over the next few years and touch US $60 billion by 2010. Within this burgeoning market, NASSCOM Information Security Conclave 2007 promises to be the most prestigious information technology & security event of the year and will be an essential platform for organizations that deploy, develop or investigate IT/ITES & security solutions and services.

The other driver for security is Globalization. International companies seeking to outsource work to Indian firms insist on security certification, or adherence to laws, standards and business practices prevalent in their respective countries. Not surprisingly, all the top software services companies, IT-enabled services companies, and BPO outfits are going in for security certifications like ISO 27001.

Besides, there is an impending boom in the Information System Security sector in India:
• India is the second fastest growing IT security market in the Asia Pacific region. As per the 2007 Global State of Information Security Survey conducted by CIO, CSO and PwC, the InfoSec budget of India is expected to be 33% of the total IT budget.
• Indian enterprises are in the process of establishing / reinforcing their network security architecture.
• IT budgets, with a focus on developing effective IT security management processes, are becoming increasingly substantial.

NASSCOM Information Security Conclave 2007 will be the authoritative source for learning about new security threats and is a "must attend" for organizations in the industry. The conclave will focus on key issues related to information and network security, with presentations by eminent personalities.

Drivers of Information Security:

The prime driver for enterprise security is (Internet) Connectivity. IDC says the worldwide InfoSec market was worth $6.7 billion in 2000. With a CAGR of 25.5 percent, this market is projected to more than triple to $21 billion by the end of 2005. An IDC analyst says remote LAN, Internet, extranet/intranet, and wireless access services will drive the need for advanced information security services, as technologies for circumventing network security systems continue to keep pace with the technologies designed to defend against them.

The other driver for security is Globalization. International companies seeking to outsource work to Indian firms insist on security certification, or adherence to laws, standards and business practices prevalent in their respective countries. Not surprisingly, all the top software services companies, IT-enabled services companies, and BPO outfits are going in for security certifications like BS 7799 or ISO 17799.

The third driver for increased security awareness is the Regulator. The Reserve Bank of India (RBI) has created a comprehensive document that lays down a number of security-related guidelines and strategies for banks to follow in order to offer Internet banking.
The guidelines broadly talk about the types of risks associated with Internet banking, the technology and security standards, the legal issues involved, and regulatory and supervisory concerns. Any bank that wants to offer Internet banking must follow these guidelines and adhere to them as a legal necessity. Taking a cue from RBI, SEBI has now come up with a risk management framework for mutual funds. Recent information security surveys indicate that Banking and Finance sector companies are the most serious about security, are the major investors in security solutions, and regularly revise their security policies following periodic audits. Next in line are the software services companies, BPO firms, and IT-enabled services companies.

EXTRACTS OF INFORMATION SYSTEMS SECURITY POLICY FOR YOU
(For details please refer to the Information Security Portal)

Acceptable Usage

IT assets of the bank are provided for business purposes, and authorized users should adhere to safe usage practices that do not disrupt business or bring disrepute to the bank. Standards will be defined to include safe usage of desktops, computer accounts, business applications and computer networks, protection of information in physical or logical form, and maintenance of Intellectual Property Rights by the users of information systems.

1 Desktop Usage
1.1 Users are responsible for the security of their desktops and should take adequate measures to restrict physical and logical access to their desktops.
Configuration & Installation
1.2 All desktops will be configured by system administrators as per the secure configuration standards provided by the Information Systems Security Formulation and Implementation Team (ISSFIT).
1.3 Users should not install any software or applications on their desktop that are not authorized or not essential to the bank's business.
1.4 Users should not connect modems to their machines unless otherwise approved by the appropriate authority.
Protection Measures
1.5 Necessary measures should be adopted by users to prevent the risk of unauthorized access.
Anti-virus
1.6 Users should not disable the installed anti-virus agent or change the settings defined during installation.
1.7 Users should not disrupt the automatic virus scan scheduled on their desktop.
1.8 All files received from external sources should be scanned for viruses before opening.
1.9 Users should report to the system administrator any virus detected in the system and not cleaned by the anti-virus.
Laptop Security
1.10 Laptop users need to adopt the following measures:
• Ensure that the laptop is configured as per the secure configuration documents provided by ISSFIT.
• Enable a boot-level password on the laptop.
• Encryption or password protection should be enabled for protection of data.
• An antivirus agent with the latest signatures should be installed before the laptop is connected to the LAN.
• All necessary patches / hot fixes for the operating system and installed applications should be periodically updated.
• Log off laptops when not working for an extended period, and enable a password-protected screen saver for protection during short periods of inactivity.
• Back up critical files from the laptop to your desktop or to removable media like CDs/floppies.
• Take adequate measures for physical protection of the laptop, including not leaving it unattended in public places or while traveling.
1.11 If the laptop has a modem / dial-up facility for Internet access, users should disconnect the Internet connection before connecting to the bank's LAN.
1.12 Loss of a laptop should be reported immediately to the department head and ISSFIT.
1.13 Third-party laptops connecting to the bank's network should be restricted. Prior approval from the IT head should be taken before connecting third-party laptops to the bank's network.

2 Password Security
2.1 Users are responsible for all activities originating from their computer accounts.
Password construction
2.2 Users should choose passwords that are easy to remember but difficult to guess.
Password Protection
2.3 Users should not share their passwords with anyone, including colleagues and IT staff.
2.4 Users should ensure that nobody is watching when they are entering their password into the system.
2.5 Users should not keep a written copy (in paper or electronic form) of their password in easily locatable places.
2.6 Users should change their password regularly.
2.7 Users should report to the system administrator if their account is locked out before 3 bad attempts.

3 Internet Usage
3.1 Internet access is provided to users for the performance and fulfillment of job responsibilities.
3.2 Employees should access the Internet only through the connectivity provided by the bank and should not set up Internet access without authorization from the IT department.
3.3 All access to the Internet will be authenticated and will be restricted to business-related sites.
3.4 Users are responsible for protecting their Internet account and password.
3.5 In case misuse of Internet access is detected, the bank can terminate the user's Internet account and take such other disciplinary action as the bank may deem fit.
3.6 Users should ensure that security is enabled on the Internet browser.
3.7 Users should ensure that they do not access websites by clicking on links provided in emails or on other websites.
3.8 The Bank reserves the right to monitor and review the Internet usage of users to ensure compliance with this policy.

4 E-mail Usage
Email Service
4.1 Use of the Bank's official mail account for personal purposes is discouraged.
4.2 Users will be provided with a fixed amount of storage space in their mailboxes on the email server.
4.3 The Bank does not maintain central or distributed electronic mail archives of all electronic mail sent or received.
4.4 Email messages, including all attached files, will be limited to a fixed size for transmission.
4.5 Personal email IDs not provided by the bank should not be used to send official communications.
Types of messages
4.6 Confidential or sensitive information should not be transmitted over email unless it is encrypted or password protected.
4.7 Emails that are not digitally signed should not be used for critical transactions requiring legal authentication of the sender.
4.8 Users owning the email account are responsible for the content of email originated, replied to or forwarded from their account to other users inside or outside the Bank.
Account protection
4.9 Users should protect their email account on the server with a strong password and should not share their password or account with anyone else.
4.10 Users should exercise caution in providing their email account or other information to websites or any other Internet forum like a discussion board / mailing list.
Monitoring & Reporting
4.11 The Bank reserves the right to monitor email messages and may intercept or disclose, or assist in intercepting or disclosing, email communications to ensure that email usage is as per this policy.
4.12 Users should promptly report all suspected security vulnerabilities or incidents that they notice with the email system to the help desk or the branch / department system administrator.

5 Document and Storage Security
5.1 All documents containing sensitive information should be marked as "secret or confidential" in both electronic and print format.
5.2 All removable media, including CDs, floppies or DAT tapes, must be labeled as "secret or confidential" if used to store sensitive documents.
5.3 Confidential documents and media should not be left unattended.
5.4 Users are encouraged to adopt a clean desk policy for papers, diskettes and other documentation.
5.5 Unused documents/papers should be destroyed using a shredder.
5.6 Users should keep a backup copy of important documents.
Security of information
5.7 Sensitive information should not be discussed in the presence of external personnel or other Bank employees.
5.8 Care should be exercised to protect sensitive information which may get revealed unintentionally due to unsafe practices.

6 Incident Reporting
6.1 Users of the IT system should report any security incidents identified on the IT systems.
6.2 Users are required to provide their identity and contact details while reporting incidents, for effective follow-up.

7 Security Violations
7.1 Activities which have the potential to harm, or actually harm, information assets of the Bank are defined as security violations and are strictly prohibited.

Third Party Access

Access by third parties to any IT asset must be strictly limited and controlled. An assessment of third party access risks must be made, and controls appropriate to producing an acceptable level of residual risk should be put in place. Third party contracts should include specification of responsibilities and consequences for unauthorized access to information systems of the bank.

1 Access Request and Approval
1.1 Access to the bank's information and other IT resources should be provided only to third parties having a business need for the same.
1.2 All access should be provided only after approval from the authority appointing the third party.
2 Privilege Allocation
2.1 Necessary privileges should be allocated by the respective application owners and IT teams.
2.2 Application owners and IT teams are responsible for disabling the access after the requested period.
3 Connection on Internal network
3.1 If access is required on the internal network, the third party user's machine should meet the bank's security standards.
4 Remote network access
4.1 External network connections to the bank should be separated by a firewall.
4.2 The firewall should restrict access to essential IPs/ports.
4.3 Remote access over the Internet should be encrypted and authenticated.
4.4 Remote access through direct dial-up should be secured.
5 Non-disclosure agreements
5.1 Third party vendors should sign non-disclosure agreements with the bank.

Business Continuity Plan

Information systems that are critical to the Bank's business should be planned for continuity of operations in the event of disasters. A written Disaster Recovery Plan (DRP) should be maintained, tested and updated for such systems. The plan should provide for appropriate safeguards to minimize the risk, cost, and duration of disruption to business processes caused by disasters.

1 DR requirement
1.1 All centralized applications with nation-wide deployment should have a Disaster Recovery (DR) plan.
1.2 Business unit heads of the respective applications should be responsible for developing the DR plan.
2 Business Impact Analysis
2.1 The business unit head should set up a Disaster Recovery Planning team (DRP team).
2.2 The DRP team should conduct a Business Impact Analysis (BIA) to understand the critical IT functions and the acceptable downtime.
3 Disaster Recovery Strategy (DRS)
3.1 The DRP team should evaluate different recovery strategies based on the results of the BIA.
3.2 The DRP team should present the possible recovery strategies and requirements to the business unit head.
4 Disaster Recovery (DR) Plan
4.1 The disaster recovery plan should be developed based on the strategy.
4.2 The DRP team should identify the conditions under which the disaster recovery plan should be activated.
5 Awareness and Training Program
5.1 An awareness and training program should be conducted to educate users about the DR plan.
5.2 The DRP team should decide on the frequency and mode of training.
6 Testing of DR Plan
6.1 Test exercises should be conducted to verify the DR plan.
6.2 The DRP team should decide the frequency and mode of testing.
6.3 The DR plan should be reviewed and corrected based on the test results.
7 Review of DR Plan
7.1 The head of IT should be responsible for ensuring that the DR plan is updated and meets business objectives.

Physical Security

All sites which house the Bank's critical IT assets should provide resistance to unauthorized physical access and protection against environmental threats. All physical access and movement of IT assets should be monitored and reviewed.

1 Access Control
1.1 All critical information processing facilities should have adequate protection against unauthorized access.
1.2 All employees should be provided with identification cards.
1.3 Access to secure areas should be provided only after necessary approval.
1.4 A log book should be maintained to track access to critical information processing facilities.
1.5 An updated list of personnel who have access to critical information processing facilities should be maintained.
1.6 Security guards must check IT equipment and media carried by all personnel entering or leaving information processing facilities.
1.7 External people should be accompanied by Bank staff when working in critical information processing facilities.
2 Environmental Protection
2.1 There should be adequate provisions for fire detection and control.
2.2 All personnel should be trained in fire fighting.
2.3 Air conditioning systems should be implemented to ensure that the operational environment conforms to the equipment manufacturer's specifications.
3 Monitoring
3.1 Automatic alerting systems should be installed at all access points to critical information processing facilities.
3.2 Monitoring systems should be deployed to track any suspicious activity.
4 Document Security
4.1 Sensitive documents should be stored in locked cabinets.
4.2 Fax machines and printers should be protected against unauthorized access.

We appreciate your effort and support in making our bank IT savvy.
We have spent a considerable amount on acquiring the latest security products. But without generating an information security culture within ourselves and contributing towards the implementation of security best practices, this expenditure would be wasted.

Do's:
• I will make myself aware of the information system security policies of our bank and will attend such awareness programmes as and when intimated to me. A copy of the same is available on the Knowledge Management Portal.
• I will always keep my desktop password protected.
• I will change the password of the machine at regular intervals and keep a very strong password (a combination of 8 characters and one alphanumeric character).
• I will ensure that no one is watching me when I enter the password.
• I will make sure to install and regularly update anti-virus on my desktop PC.
• I will make sure that my PC is locked (Ctrl-Alt-Del) when I go out, even for a few minutes.
• I will make sure that all discarded and obsolete records and old unused printouts are disposed of in a proper way.
• I will change the password of my internet banking software regularly.
• I will make myself aware of the Helpdesk contact nos.
• I will maintain records of any incidents/problems related to my PC for future reference and for IS audit purposes.

Don'ts:
• I will not keep weak and "simple to guess" passwords.
• I will not keep old/obsolete records and computer-generated printouts on the desk. Instead I will dispose of them or tear them up if they have become obsolete.
• I will not write my individual password anywhere.
• I will not leave my PC unattended whenever I am logged on.
• I will not download any unauthorized software on my PC. It is an offense under sections 43 and 72 of the IT Act.
• I will not type the password when someone is watching me.
• I will not run or install any computer games on my PC. It is again an offense under the IT Act.
• I will not use a floppy disk / pen drive unless it is scanned for viruses.
• I will not panic in case of any incidents.
• I will inform our crisis management teams / helpdesk.

Introduction to Cyber Crime

The first recorded cyber crime took place in the year 1820! That is not surprising, considering the fact that the abacus, which is thought to be the earliest form of a computer, has been around since 3500 B.C. in India, Japan and China. The era of modern computers, however, began with the analytical engine of Charles Babbage. In 1820, Joseph-Marie Jacquard, a textile manufacturer in France, produced the loom. This device allowed the repetition of a series of steps in the weaving of special fabrics. This resulted in a fear amongst Jacquard's employees that their traditional employment and livelihood were being threatened. They committed acts of sabotage to discourage Jacquard from further use of the new technology. This is the first recorded cyber crime!

Frequently Used Cyber Crimes

Unauthorized access to computer systems or networks
This activity is commonly referred to as hacking. Indian law has, however, given a different connotation to the term hacking, so we will not use the term "unauthorized access" interchangeably with the term "hacking".

Theft of information contained in electronic form
This includes information stored in computer hard disks, removable storage media etc.

Email bombing
Email bombing refers to sending a large number of emails to the victim, resulting in the victim's email account (in the case of an individual) or mail servers (in the case of a company or an email service provider) crashing. In one case, a foreigner who had been residing in Simla, India for almost thirty years wanted to avail of a scheme introduced by the Simla Housing Board to buy land at lower rates. When he made an application it was rejected on the grounds that the scheme was available only for citizens of India. He decided to take his revenge. Consequently he sent thousands of mails to the Simla Housing Board and repeatedly kept sending e-mails till their servers crashed.
Data diddling
This kind of attack involves altering raw data just before it is processed by a computer and then changing it back after the processing is completed. Electricity Boards in India have been victims of data diddling programs inserted when private parties were computerizing their systems.

Salami attacks
These attacks are used for the commission of financial crimes. The key here is to make the alteration so insignificant that in a single case it would go completely unnoticed. E.g. a bank employee inserts a program into the bank's servers that deducts a small amount of money (say Rs. 5 a month) from the account of every customer. No account holder will probably notice this unauthorized debit, but the bank employee will make a sizable amount of money every month. To cite an example, an employee of a bank in the USA was dismissed from his job. Disgruntled at having been supposedly mistreated by his employers, the man first introduced a logic bomb into the bank's systems. Logic bombs are programmes which are activated on the occurrence of a particular predefined event. The logic bomb was programmed to take ten cents from all the accounts in the bank and put them into the account of the person whose name was alphabetically the last in the bank's rosters. Then he went and opened an account in the name of Ziegler. The amount being withdrawn from each of the accounts in the bank was so insignificant that neither any of the account holders nor the bank officials noticed the fault. It was brought to their notice when a person by the name of Zygler opened his account in that bank. He was surprised to find a sizable amount of money being transferred into his account every Saturday.

Denial of Service attack
This involves flooding a computer resource with more requests than it can handle. This causes the resource (e.g. a web server) to crash, thereby denying authorized users the service offered by the resource.
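The salami attack above is invisible on the debit side, so a reconciliation check has to look at the receiving side, where the slices add up. This is an added example, not code from the original page: the ledger format (posting date, debited account, credited account, amount in paise), the thresholds and the sample ledger are assumptions constructed for illustration.

```python
"""Reconciliation check for salami-style skimming: many tiny debits
funnelled into one beneficiary on a fixed schedule.

Added example, not part of the original page. Ledger layout, thresholds
and sample data are assumptions.
"""
from collections import defaultdict
from datetime import date, timedelta

# A "slice" is any credit at or below this amount (Rs 1.00 = 100 paise).
SMALL_AMOUNT_PAISE = 100
# A beneficiary fed slices by this many distinct accounts is suspicious.
MIN_DISTINCT_SOURCES = 50


def build_sample_ledger():
    """Constructed ledger: a few ordinary transfers plus a ten-paise skim
    from every customer account into one beneficiary, every Saturday for
    eight weeks (the pattern in the story above)."""
    ledger = [
        (date(2007, 1, 8), "ACC-0003", "ACC-0150", 1_250_000),  # Rs 12,500.00
        (date(2007, 1, 9), "ACC-0150", "ACC-0003", 80_000),     # Rs 800.00
        (date(2007, 1, 10), "ACC-0042", "ACC-0099", 50),        # one genuine tiny transfer
    ]
    skim_target = "ACC-ZIEGLER"  # hypothetical: alphabetically last account on the roster
    customers = [f"ACC-{i:04d}" for i in range(1, 201)]
    first_saturday = date(2007, 1, 6)
    for week in range(8):
        posting_day = first_saturday + timedelta(weeks=week)
        for cust in customers:
            ledger.append((posting_day, cust, skim_target, 10))  # 10 paise each
    return ledger


def find_salami_beneficiaries(ledger, small_amount=SMALL_AMOUNT_PAISE,
                              min_sources=MIN_DISTINCT_SOURCES):
    """Aggregate small credits per beneficiary and flag accounts that collect
    them from an unusually large number of distinct source accounts.

    Returns {beneficiary: stats}; stats include whether every posting fell on
    the same weekday, which points to a scheduled program rather than people."""
    sources = defaultdict(set)
    slices = defaultdict(int)
    totals = defaultdict(int)
    posting_days = defaultdict(set)
    for posting_day, debited, credited, paise in ledger:
        if debited == credited or paise > small_amount:
            continue  # self-transfers and normal-sized transactions are not slices
        sources[credited].add(debited)
        slices[credited] += 1
        totals[credited] += paise
        posting_days[credited].add(posting_day)
    report = {}
    for account, srcs in sources.items():
        if len(srcs) < min_sources:
            continue
        weekdays = {d.weekday() for d in posting_days[account]}
        report[account] = {
            "sources": len(srcs),
            "slices": slices[account],
            "total_paise": totals[account],
            "posting_days": len(posting_days[account]),
            "periodic": len(weekdays) == 1,  # e.g. always Saturday
        }
    return report


if __name__ == "__main__":
    for account, stats in find_salami_beneficiaries(build_sample_ledger()).items():
        print(account, stats)
```

The genuine Rs 0.50 transfer to ACC-0099 is not flagged because it comes from a single source; the skim target stands out with 200 sources, 1600 slices and postings on one weekday only.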
Another variation of a typical denial of service attack is known as a Distributed Denial of Service (DDoS) attack, wherein the perpetrators are many and are geographically widespread. It is very difficult to control such attacks. The attack is initiated by sending excessive demands to the victim's computer(s), exceeding the limit that the victim's servers can support and making the servers crash. Denial-of-service attacks have had an impressive history, having in the past brought down websites like Amazon, CNN, Yahoo and eBay!

Virus / worm attacks
Viruses are programs that attach themselves to a computer or a file and then circulate themselves to other files and to other computers on a network. They usually affect the data on a computer, either by altering or deleting it. Worms, unlike viruses, do not need a host to attach themselves to. They merely make functional copies of themselves and do this repeatedly till they eat up all the available space in a computer's memory.

The VBS_LOVELETTER virus (better known as the Love Bug or the ILOVEYOU virus) was reportedly written by a Filipino undergraduate. In May 2000, this deadly virus beat the Melissa virus hollow: it became the world's most prevalent virus. It struck one in every five personal computers in the world. When the virus was brought under check, the true magnitude of the losses was incomprehensible. Losses incurred during this virus attack were pegged at US $10 billion. The original VBS_LOVELETTER utilized the addresses in Microsoft Outlook and emailed itself to those addresses. The e-mail which was sent out had "ILOVEYOU" in its subject line. The attachment file was named "LOVE-LETTER-FOR-YOU.TXT.vbs". The subject line conquered people wary of opening e-mail attachments, and even those who had some knowledge of viruses did not notice the tiny .vbs extension and believed the file to be a text file. The message in the e-mail was "kindly check the attached LOVELETTER coming from me".

Since the initial outbreak, over thirty variants of the virus have been developed, many of them following the original by just a few weeks. In addition, the Love Bug also uses Internet Relay Chat (IRC) for its propagation: it e-mails itself to users in the same channel as the infected user. Unlike the Melissa virus, this virus does have a destructive effect. Whereas Melissa, once installed, merely inserts some text into the affected documents at a particular instant during the day, VBS_LOVELETTER first selects certain files and then inserts its own code in lieu of the original data contained in the file. This way it creates ever-increasing versions of itself.

Probably the world's most famous worm was the Internet worm let loose on the Internet by Robert Morris sometime in 1988. The Internet was then still in its developing years, and this worm, which affected thousands of computers, almost brought its development to a complete halt. It took a team of experts almost three days to get rid of the worm, and in the meantime many of the computers had to be disconnected from the network.

Logic bombs
These are event-dependent programs. This implies that these programs are created to do something only when a certain event (known as a trigger event) occurs. E.g. even some viruses may be termed logic bombs because they lie dormant all through the year and become active only on a particular date (like the Chernobyl virus).

Trojan attacks
A Trojan, as this program is aptly called, is an unauthorized program which functions from inside what seems to be an authorized program, thereby concealing what it is actually doing. There are many simple ways of installing a Trojan on someone's computer. To cite an example, two friends, Rahul and Mukesh (names changed), had a heated argument over one girl, Radha (name changed), whom they both liked. When the girl, asked to choose, chose Mukesh over Rahul, Rahul decided to get even.
On the 14th of February, he sent Mukesh a spoofed e-card which appeared to have come from Radha's mail account. The e-card actually contained a Trojan. As soon as Mukesh opened the card, the Trojan was installed on his computer. Rahul now had complete control over Mukesh's computer and proceeded to harass him thoroughly.

Internet time thefts
This connotes the usage by an unauthorized person of the Internet hours paid for by another person. In a case reported before the enactment of the Information Technology Act, 2000, Colonel Bajwa, a resident of New Delhi, asked a nearby net café owner to come and set up his Internet connection. For this purpose, the net café owner needed to know his username and password. After having set up the connection, he went away knowing the username and password. He then sold this information to another net café. One week later Colonel Bajwa found that his Internet hours were almost over. Out of the 100 hours that he had bought, 94 hours had been used up within the span of that week. Surprised, he reported the incident to the Delhi police. The police could not believe that time could be stolen; they were not aware of the concept of time theft at all. Colonel Bajwa's report was rejected. He decided to approach The Times of India, New Delhi. They, in turn, carried a report about the inadequacy of the New Delhi Police in handling cyber crimes. The Commissioner of Police, Delhi then took the case into his own hands, and the police under his directions raided and arrested the net café owner under the charge of theft as defined by the Indian Penal Code. The net café owner spent several weeks locked up in Tihar jail before being granted bail.

Web jacking
This occurs when someone forcefully takes control of a website (by cracking the password and later changing it).
The actual owner of the website no longer has any control over what appears on that website. In a recent incident reported in the USA, the owner of a hobby website for children received an e-mail informing her that a group of hackers had gained control over her website. They demanded a ransom of 1 million dollars from her. The owner, a schoolteacher, did not take the threat seriously. She felt that it was just a scare tactic and ignored the e-mail. It was three days later that she came to know, following many telephone calls from all over the country, that the hackers had web jacked her website. Subsequently, they had altered a portion of the website which was entitled 'How to have fun with goldfish'. In all the places where it had been mentioned, they had replaced the word 'goldfish' with the word 'piranhas'. Piranhas are tiny but extremely dangerous flesh-eating fish. Many children had visited the popular website and had believed what the contents of the website suggested. These unfortunate children followed the instructions, tried to play with piranhas which they bought from pet shops, and were very seriously injured!

Theft of computer system
This type of offence involves the theft of a computer, some part(s) of a computer or a peripheral attached to the computer.

Physically damaging a computer system
This crime is committed by physically damaging a computer or its peripherals.

The Vast Range Of Cyber Crimes .....

Hacking:
It is the most common type of cyber crime being committed across the world. Hacking has been defined in section 66 of The Information Technology Act, 2000 as follows: "whoever with the intent to cause or knowing that he is likely to cause wrongful loss or damage to the public or any person destroys or deletes or alters any information residing in a computer resource or diminishes its value or utility or affects it injuriously by any means commits hacking".
Punishment for hacking under the above-mentioned section is imprisonment for three years, or a fine which may extend up to two lakh rupees, or both. A hacker is a person who breaks into or trespasses on a computer system. Hackers are of different types, ranging from code hackers to crackers to cyber punks to freaks. Some hackers just enjoy cracking systems and gaining access to them as an ordinary pastime; they do not desire to commit any further crime. Whether this in itself would constitute a crime is a matter of fact. At most such a crime could be equated with criminal trespass.

Security Related Crimes
With the growth of the internet, network security has become a major concern. Private confidential information has become available to the public. Confidential information can reside in two states on the network: it can reside on physical storage media, such as a hard drive or memory, or it can be in transit across the physical network wire in the form of packets. These two information states provide opportunities for attacks from users on the internal network as well as from users on the Internet.

Network Packet Sniffers
Networked computers communicate serially, where large pieces of information are broken into smaller ones. The information stream would be broken into smaller pieces even if networks communicated in parallel. These smaller pieces are called network packets. Since these network packets are not encrypted, they can be processed and understood by any application that can pick them off the network and process them. A network protocol specifies how packets are identified and labelled, which enables a computer to determine whether a packet is intended for it. The specifications for network protocols such as TCP/IP are widely published. A third party can easily interpret the network packets and develop a packet sniffer. A packet sniffer is a software application that uses a network adapter card in promiscuous mode (a mode in which the network adapter card passes all packets received on the physical network wire to an application for processing) to capture all network packets that are sent across a local network. A packet sniffer can provide its users with meaningful and often sensitive information such as user account names and passwords.

IP Spoofing
An IP spoofing attack occurs when an attacker outside the network pretends to be a trusted computer, either by using an IP address that is within the network's own range or by using an external IP address that you trust and to which you wish to provide access to specified resources on your network. Normally, an IP spoofing attack is limited to the injection of data or commands into an existing stream of data passed between a client and server application or a peer-to-peer network connection.

Password attacks
Password attacks can be carried out using several different methods, such as brute force attacks and Trojan horse programmes. IP spoofing can also yield user accounts and passwords. Password attacks usually refer to repeated attempts to identify a user password or account. These repeated attempts are called brute force attacks.

Distribution of sensitive internal information to external sources
At the core of these security breaches is the distribution of sensitive information to competitors or others who use it to the owners' disadvantage. While an outside intruder can use password and IP spoofing attacks to copy information, an internal user could place sensitive information on an external computer or share a drive on the network with other users.

Man-in-the-middle attacks
This attack requires that the attacker have access to network packets that come across the network. The possible uses of such an attack are theft of information, hijacking an ongoing session to gain access to your internal network resources, traffic analysis to derive information about one's own network and its users, denial of service, corruption of transmitted data, and introduction of new information into network sessions.

Fraud On The Internet
This is a form of white collar crime. Internet fraud is a common type of crime whose growth has been proportionate to the growth of the internet itself. The internet provides companies and individuals with the opportunity of marketing their products on the net. It is easy for people with fraudulent intentions to make their messages look real and credible. There are innumerable scams and frauds, most of them relating to investment schemes; they are described below.

Online investment newsletters
Many newsletters on the internet provide investors with free advice recommending stocks in which they should invest. Sometimes these recommendations are totally bogus and cause loss to the investors.

Bulletin boards
This is a forum for sharing investor information, and fraud is often perpetrated in this zone, causing losses to the millions who rely on it.

E-mail scams
Since junk mail (e-mail which contains useless material) is easy to create, fraudsters often find it easy to spread bogus investment schemes or false information about a company.

Credit card fraud
With electronic commerce rapidly becoming a major force in national economies, it offers rich pickings for criminals prepared to undertake fraudulent activities. In the U.S.A. the ten most frequent fraud reports involve undelivered and online services; damaged, defective, misrepresented or undelivered merchandise; auction sales; pyramid schemes and multilevel marketing; and the most predominant among them is credit card fraud. Something like half a billion dollars is lost by consumers to card fraud alone.
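Two defender-side checks for the IP spoofing and password-attack sections above, added here as an illustration (not code from the original page). The address blocks, packet records, log lines and thresholds are all constructed sample data; the log format is sshd-like but invented for the example.

```python
"""Added illustration: border source-address filtering (the idea behind
BCP 38 / RFC 2827 ingress filtering) and brute-force detection over an
authentication log.  All data below is constructed, not real."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed: the address blocks this hypothetical network owns.
INTERNAL_PREFIXES = [ipaddress.ip_network("10.0.0.0/8"),
                     ipaddress.ip_network("192.168.1.0/24")]


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_PREFIXES)


def ingress_egress_filter(packets):
    """Each packet is (interface, src, dst).  A packet arriving on the
    'external' interface must not claim an internal source address (the
    page's first spoofing variant); a packet leaving via 'internal' must
    not carry a foreign source (so our network cannot be used to spoof
    others).  Returns [(reason, packet)] for everything to drop.
    Caveat: the page's second variant, an outsider using a *trusted
    external* address, cannot be caught by address checks alone; the
    peer has to be authenticated rather than trusted by IP header."""
    dropped = []
    for pkt in packets:
        iface, src, _dst = pkt
        if iface == "external" and is_internal(src):
            dropped.append(("spoofed internal source from outside", pkt))
        elif iface == "internal" and not is_internal(src):
            dropped.append(("foreign source leaving our network", pkt))
    return dropped


# Constructed sample log lines (sshd-like format, invented for the example).
AUTH_LOG = """\
2007-02-14 09:00:01 sshd: Failed password for alice from 203.0.113.7
2007-02-14 09:00:03 sshd: Failed password for alice from 203.0.113.7
2007-02-14 09:00:04 sshd: Failed password for alice from 203.0.113.7
2007-02-14 09:00:06 sshd: Failed password for alice from 203.0.113.7
2007-02-14 09:00:07 sshd: Failed password for alice from 203.0.113.7
2007-02-14 09:00:09 sshd: Accepted password for alice from 203.0.113.7
2007-02-14 09:10:00 sshd: Failed password for bob from 192.168.1.20
2007-02-14 09:45:00 sshd: Failed password for bob from 192.168.1.20
2007-02-14 09:48:00 sshd: Accepted password for bob from 192.168.1.20
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) sshd: "
    r"(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)$")


def detect_brute_force(log_text, threshold=5, window=timedelta(minutes=1)):
    """Flag (src, user) pairs with >= threshold failures inside a sliding
    time window - the 'repeated attempts' the page calls a brute force
    attack - and record whether a success followed the burst.
    Returns {(src, user): {"failures": n, "followed_by_success": bool}}."""
    failures = defaultdict(list)
    hits = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unknown line format: skip rather than guess
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        key = (m["src"], m["user"])
        if m["result"] == "Failed":
            recent = [t for t in failures[key] if ts - t <= window] + [ts]
            failures[key] = recent
            if len(recent) >= threshold:
                rec = hits.setdefault(key, {"failures": 0,
                                            "followed_by_success": False})
                rec["failures"] = max(rec["failures"], len(recent))
        elif key in hits:
            hits[key]["followed_by_success"] = True
    return hits


if __name__ == "__main__":
    print(ingress_egress_filter([("external", "10.0.0.5", "192.168.1.2")]))
    print(detect_brute_force(AUTH_LOG))
```

Two isolated failures 35 minutes apart (bob) stay below the threshold, while five failures in eight seconds followed by a success (alice) are flagged as a guessed password.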
Publishing of false digital signature
According to section 73 of the I.T. Act 2000, a person who knows that a digital signature certificate is erroneous in certain particulars and still goes ahead and publishes it is guilty of having contravened the Act. He is punishable with imprisonment for a term that may extend to two years, or with a fine of a lakh rupees, or with both.

Making available digital signature for fraudulent purpose

Alteration And Destruction Of Digital Information
The corruption and destruction of digital information is the single largest menace facing the world of computers. It is introduced by a human agent with the help of various programmes, which are described below.

Virus
Just as a virus can infect the human immune system, there exist programs which can destroy or hamper computer systems. A computer virus is a programme designed to replicate and spread, generally with the victim being oblivious to its existence. Computer viruses spread by attaching themselves to programmes like word processors or spreadsheets, or they attach themselves to the boot sector of a disk. When an infected file is activated or when the computer is started from an infected disk, the virus itself is also executed.

Pornography On The Net
The growth of technology has a flip side to it, causing multiple problems in everyday life. The Internet has provided a medium for the facilitation of crimes like pornography. Cyber porn, as it is popularly called, is widespread. Almost 50% of the web sites on the Internet today exhibit pornographic material. Pornographic materials can be reproduced more quickly and cheaply on new media like hard disks, floppy discs and CD-ROMs. The new technology is not merely an extension of the existing forms like text, photographs and images. Apart from still pictures and images, full motion video clips and complete movies are also available. Another great disadvantage of a medium like this is its easy availability and accessibility to children, who can now log on to pornographic web-sites from their own homes in relative anonymity; the social and legal deterrents associated with physically purchasing an adult magazine from the stand are no longer present. Furthermore, there are more serious offences which meet with universal disapproval, like child pornography, which are far easier for offenders to hide and propagate through the medium of the internet. The Information Technology Act 2000 makes the publishing of information which is obscene in electronic form punishable as under: "Whoever publishes or transmits or causes to be published in the electronic form, any material which is lascivious or appeals to the prurient interest or if its effect is such as to tend to corrupt persons who are likely, having regard to all relevant circumstances, to read, see or hear the matter contained or embodied in it, shall be punished on first conviction with imprisonment of either description for a term which may extend to five years and with fine which may extend to one lakh rupees and in the event of a second or subsequent conviction, with imprisonment of either description for a term which may extend to ten years and also with fine which may extend to two lakh rupees." This new law will operate upon anyone who is within its jurisdictional net. Anyone within the country or the area of operation of the law who is carrying on a business of cyber porn will be liable under section 67 of the above-mentioned Act. Apart from this, a multi-layered governance programme should be ushered in. This will mainly include a mixture of national and international legislation and self-imposed regulation by internet service providers and users, like parents for their children, along with hotlines and special organizations to report pornographic content.
In this way the balance between the freedom of the individual and the greatest good of society can be maintained.

Cryptography, privacy and national security concerns:
The Internet has provided its users with a new forum to express their views and concerns on a worldwide platform. A necessary corollary to the freedom to communicate and speak is that this must be allowed with as little State interference as possible; in other words, in the absence of State intrusion. This immediately raises the controversial issue of the right to privacy, which can be considered a logical corollary to the freedom of speech and expression. At the same time, it is common knowledge that liberty cannot thrive without certain restrictions placed on it so that each individual in society can be best protected. The practice of encryption, and its study, which is known as cryptography, provides individuals with means of communication that no third party can understand unless specifically permitted by the communicators themselves. It would therefore seem that this practice is a legitimate exercise of the right to freedom of speech and expression and of the right to have a private conversation without intrusion.

Breach Of Confidentiality And Privacy Under The Information Technology Act 2000
According to section 72 of the above-mentioned Act, if a person has secured access to any electronic record, book, register, correspondence, information, document or other material without the consent of the person concerned and discloses the same to any other person, then he shall be punishable with imprisonment up to two years, or with a fine which may extend to one lakh rupees, or with both.

Encryption And Cryptography
Encryption is like sending postal mail to another party with a lock code on the envelope which is known only to the sender and the recipient. It therefore has the effect of ensuring total privacy even in open networks like the internet.
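As an added illustration of the lock-code analogy (not the page's own code): a key shared by sender and recipient turns the message into ciphertext that a packet sniffer on the wire cannot read, and a keyed tag lets the recipient detect the man-in-the-middle "corruption of transmitted data" described earlier. The HMAC-SHA256 keystream construction, the shared secret, the message and the nonce are all constructed for this teaching example; production systems use a standard AEAD such as AES-GCM or ChaCha20-Poly1305 instead.

```python
"""Added teaching example: encrypt-then-MAC with a shared secret, built only
from the Python standard library.  Confidentiality comes from XORing the
message with an HMAC-SHA256 keystream (a PRF in counter mode); integrity
comes from an HMAC tag over nonce || ciphertext.  This is a deliberately
simple illustration of the principle, not a recommended cipher."""
import hashlib
import hmac
import os

NONCE_LEN = 16
TAG_LEN = 32


def derive_keys(shared_secret: bytes):
    """Separate keys for confidentiality and integrity from one secret."""
    enc_key = hmac.new(shared_secret, b"encryption", hashlib.sha256).digest()
    mac_key = hmac.new(shared_secret, b"integrity", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Block i of the keystream is HMAC(enc_key, nonce || i)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"),
                        hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(shared_secret: bytes, plaintext: bytes, nonce=None) -> bytes:
    """Returns nonce || ciphertext || tag.  The nonce must never repeat
    under the same key: a reused keystream leaks the XOR of two messages."""
    enc_key, mac_key = derive_keys(shared_secret)
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    ks = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def open_sealed(shared_secret: bytes, blob: bytes) -> bytes:
    """Checks the tag in constant time before decrypting; raises
    ValueError if the message was altered in transit or the key is wrong."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("message too short")
    enc_key, mac_key = derive_keys(shared_secret)
    nonce = blob[:NONCE_LEN]
    ciphertext = blob[NONCE_LEN:-TAG_LEN]
    tag = blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: message was tampered with")
    ks = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


def opens_cleanly(shared_secret: bytes, blob: bytes) -> bool:
    """True if the recipient accepts the message, False if it is rejected."""
    try:
        open_sealed(shared_secret, blob)
        return True
    except ValueError:
        return False


def tamper(blob: bytes, offset: int) -> bytes:
    """Models a man in the middle flipping one bit of the transmitted bytes."""
    altered = bytearray(blob)
    altered[offset] ^= 0x01
    return bytes(altered)


def demo() -> str:
    secret = b"constructed shared secret - not a real key"
    msg = b"transfer 100 rupees to account 42"   # constructed sample message
    blob = seal(secret, msg)
    assert open_sealed(secret, blob) == msg      # honest recipient reads it
    # A sniffer sees only blob.hex(); a tamperer is caught by the tag:
    if opens_cleanly(secret, tamper(blob, NONCE_LEN + 9)):
        return "tampering undetected"
    return "tampering detected"


if __name__ == "__main__":
    print(demo())
```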
Encryption involves the use of secret codes and ciphers to communicate information electronically from one person to another in such a way that only the persons so communicating know how to use the codes and ciphers. The field of cryptography, on the other hand, deals with the study of secret codes and ciphers and the innovations that occur in the field. It is also defined as the art and science of keeping messages secure. Thus, while encryption is the actual process, cryptography involves the study of the same and is of wider connotation.

The Right To Privacy And Encryption
It is usually agreed that in most democracies there exist private and public spheres in every citizen's life and that these two spheres are distinct and have to be treated as such. Although the line of distinction is blurred and continues to be the subject of much debate, especially with regard to certain subjects such as pornography or the use of narcotics, it is generally agreed that the liberal democratic state has no power to interfere with the private aspect of its citizens' lives. There is a common misconception that the right to privacy is merely a weapon to ensure confidentiality in human affairs. This, however, does not present the complete picture. It must be remembered that the right to confidentiality arises only after information regarding human transactions or affairs has reached third parties. It may be said that privacy involves the right to control one's personal information and the ability to determine how that information should be used and obtained. This principle has sometimes been referred to as the right to "informational self-determination". It becomes all the more relevant with the onset of the internet and e-commerce. The volume and the varying nature of the transactions carried out on the net are such that the right to privacy must extend to them, at least to a limited extent.
At the same time, the very same factors, the volume and the nature of transactions, also raise security concerns as to the political, social and economic health of the country. Encryption of the details of our personal transactions would certainly assure us of a greater degree of privacy, but may also encroach upon the domain of national security concerns, and the two ends may be said to be in conflict.

Restrictions On Cryptography In India
The use of cryptography and encryption in India is a relatively new phenomenon. The use of this technology for the purposes of communication has begun only over the last 15-20 years in India. According to a recent report, there are very few companies in India involved in the development of cryptography. Further, cryptography remains within the domain of the defence sector. It was only as late as 1995 that India introduced a list of items that required licensing before export. The list only included encryption software for telemetry systems in particular and did not relate to encryption software in general. The Information Technology Act 2000 seeks to introduce some sort of control over the use of encryption for communication in India.

Cyber crimes, latest news:

Three people held guilty in online credit card scam
Date: February 28, 2007
Customers' credit card details were misused online for booking air tickets. The culprits were caught by the city Cyber Crime Investigation Cell in Pune. It was found that the details misused belonged to 100 people. Mr. Parvesh Chauhan, an ICICI Prudential Life Insurance officer, had complained on behalf of one of his customers. In this regard, Mr. Sanjeet Mahavir Singh Lukkad, Dharmendra Bhika Kale and Ahmead Sikandar Shaikh were arrested. Lukkad was employed at a private institution; Kale was his friend. Shaikh was employed in one of the branches of State Bank of India. According to the information provided by the police, one of the customers received an SMS alert for the purchase of a ticket even though the credit card was in his own possession. The customer was alert and came to know something was fishy; he enquired and came to know about the misuse. He contacted the bank in this regard. The police observed the involvement of many banks in this case. The tickets were booked online. The police requested the log details and got the information about the private institution. Investigation revealed that the details were obtained from State Bank of India, where Shaikh was working in the credit card department; due to this he had access to the credit card details of some customers. He gave that information to Kale. Kale in turn passed this information to his friend Lukkad. Using the information obtained from Kale, Lukkad booked tickets. He used to sell these tickets to customers and get money for the same. He had given a few tickets to various other institutions. Cyber Cell head DCP Sunil Pulhari, PI Mohan Mohadikar and A.P.I. Kate were involved in eight days of investigation and finally caught the culprits. In this regard various banks have been contacted; four airlines were also contacted. DCP Sunil Pulhari has requested customers who have fallen into this trap to inform the police authorities on 2612-4452 or 2612-3346 if they have any problems.

Juhu police arrest 5 Nigerians
06 March 2007
Mumbai: Juhu police arrested five Nigerian nationals for their alleged involvement in an inter-state job racket. The arrested have been identified as Vinset Mezek (26), Ogobol Tony (25), Kovhni Okosav (35), Charles Niogo (21) and Odirom Babatude (26). One person named Terri, who is wanted in the case, is at large, say police. According to the police, the accused used to send mails to people about vacancies in hotels outside India. If anyone responded, they would ask him to deposit money in their bank accounts in Mumbai. However, once they received the money, they would never contact the person again. Although the accused have admitted to having duped only one person of Rs 1.2 lakh, the police say that they may have cheated many more in Mumbai and in other cities. The whole matter came to light after Prabhat Singh, a resident of Orissa, lodged a complaint with the Juhu police. Singh had paid Rs 1.2 lakh to an unidentified person for a job in the UK. He was never contacted after that. "During our course of investigation, we tracked the account numbers where the money was deposited. We also tracked down the e-mail ID and the mobile numbers from which the mails and messages were sent," said PD Shinde, senior police inspector at Juhu police station.

Mumbai Police can now nail web offenders
11 March 2007
Landmark deal signed with Orkut to share IP addresses and help arrest those posting objectionable content.
Mumbai, March 10: Anti-Shivaji forums, anti-Ambedkar postings or "hate India" campaigns on Google's social networking site, Orkut, have been confounding our authorities for quite some time now. Other than blocking the objectionable forums, the Mumbai Police could do little except wait for the next one to pop up on the web, say, a "fan club" of wanted underworld dons like Dawood Ibrahim or Chhota Shakeel. But not any more. The Mumbai Police is finally equipped to track down such offenders and bring them to book. A single e-mail between the DCP in charge of the Enforcement Branch and the California-based company will now nail such persons. Following a meeting between representatives of the site and the Enforcement Directorate last month, the Mumbai Police and Orkut have entered into an agreement to seal such cooperation in matters of objectionable material on the web. "Early February, I met three representatives from Orkut.com, including a top official from the US. The other two were from Bangalore.
We reached a working agreement whereby Orkut has agreed to provide us details of the IP address from which an objectionable message or blog has been posted on the site and the Internet service provider involved," said DCP Enforcement, Sanjay Mohite. That the measure is fool-proof is evident from the fact that an encrypted code has also been agreed upon for such communication, to prevent people from posing as the Mumbai Police and laying their hands on such information from Orkut. "I am also going to hold a meeting with all Internet service providers to stress the need to share information. We are also hoping to rope in YouTube in the future," said Mohite. Earlier, if a complaint regarding objectionable content was received, the police would contact the computer emergency response team, a government body based in New Delhi, and ask it to block the web page concerned. They did not have any way to track down the culprits. "It was almost out of the question to track down the person who posted the material, as we would have to go through the CBI to get basic information from Orkut as they are based in the US. The entire process of letters rogatory would come into play. But now we can take action on any content posted on the site from India," he explained. Mohite talks of a citizen who had complained to the police in November regarding a photograph of her posted on Orkut, along with derogatory text. "She provided us the name of a suspect, but we did not have any proof. After the new agreement was reached, we asked Orkut for the details of the IP address concerned. They replied instantly and we nailed the culprit, who turned out to be the suspect," said Mohite.

UTI Bank hooked in a phishing attack
14 February 2007
Fraudsters of cyberspace have reared their ugly head, in the first attack of its kind this year, by launching a phishing attack on the website of Ahmedabad-based UTI Bank, a leading private bank promoted by India's largest financial institution, Unit Trust of India (UTI). A URL on Geocities that is almost a facsimile of UTI Bank's home page is reported to be circulating amongst e-mail users. The web page not only asks for account holders' information such as user and transaction logins and passwords, it has also beguilingly put up disclaimer and security hazard statements. "In case you have received any e-mail from an address appearing to be sent by UTIBANK, advising you of any changes made in your personal information, account details or information on your user id and password of your net banking facility, please do not respond. It is UTI Bank's policy not to seek or send such information through email. If you have already disclosed your password please change it immediately," the warning says. The tricky link is available on http://br.geocities/ If any unsuspecting account holder enters his login id, password, transaction id and password in order to change his details as 'advised' by the bank, the same information is sent via mailform.cz (the phisher's database). After investigation, we found that Mailform is a service of PC Svet, which is a part of the Czech company PES Consulting. The webmaster of the site is a person named Petr Stastny, whose e-mail can be found on the web page. Top officials at UTI Bank said that they have reported the case to the Economic Offences Wing, Delhi Police. The bank has also engaged the services of Melbourne-based FraudWatch International, a leading anti-phishing company that offers phishing monitoring and take-down solutions. "We are now in the process of closing the site. Some of these initiatives take time, but customers have been kept in the loop about these initiatives," said V K Ramani, President - IT, UTI Bank. As per the findings of UTI Bank's security department, the phishers have sent more than 1,00,000 e-mails to account holders of UTI Bank as well as other banks. Though the company has kicked off damage control initiatives, none of the initiatives is cent percent foolproof. "Now there is no way for banks to know if the person logging in with accurate user information is a fraud," said Ramani. However, reliable sources within the bank and security agencies confirmed that the losses due to this particular attack were zilch. The bank has sent alerts to all its customers informing them about such malicious websites, besides beefing up its alert and fraud response system. "Engaging professional companies like FraudWatch helps in reducing the time to respond to attacks," said Sanjay Haswar, Assistant Vice President, Network and Security, UTI Bank.

Offensive SMS can lead to 2 years in jail
14 February 2007
With mobile phones virtually taking over the role of a personal computer, the proposed amendments to the Information Technology Act, 2006, have made it clear that transmission of any text, audio or video that is offensive or has a menacing character can land a cellphone user in jail for two years. The punishment will also be attracted if the content is false and has been transmitted for the purpose of causing annoyance, inconvenience, danger or insult. And if the cellphone is used to cheat someone through personation, the miscreant can be punished with imprisonment for five years. The need to define 'communication device' under the proposed amendments became imperative as the current law is silent on what kind of devices can be included under this category. The amended IT Act has clarified that a cellphone or a personal digital assistant can be termed a communication device and action can be initiated accordingly. Prompted by various scandals that hit the country during the past two years, including the arrest of the CEO of a well-known portal, the government has also introduced new cyber crimes under the proposed law. The amended Act, which was placed before the Lok Sabha during the recently concluded winter session, has excluded the liability of a network service provider with regard to a third party's action.
However, it has made cyber stalking, cyber defamation and cyber nuisance offences. Anybody found indulging in these offences can be imprisoned for two years. The proposed changes have also sought amendments in the form of insertions in the Indian Penal Code, thereby declaring identity theft an offence. If a person cheats by using the electronic signature, password or any other unique identification feature of another person, he shall be punished with imprisonment for two years and shall also be liable to a fine. Asking for an insertion in the Indian Penal Code as Section 502A, the proposed amendments say that whoever intentionally or knowingly captures, publishes or transmits the image of a private area of any person without his or her consent shall be punished with two years of imprisonment and a fine of Rs 2 lakh. The private parts can be either naked or undergarment-clad pubic areas. Making the law more technologically neutral, the amended provisions have included authentication of electronic records by any electronic technique. At the moment, electronic records can be authenticated only by digital signatures, that is, public key infrastructure (PKI) technology. With the new provisions, however, biometric factors like a thumb impression or the retina of an eye shall be included as techniques for authentication. Even as the lawmakers have tried to cover up for the lapses of the current IT Act, they seem to have made it liberal by reducing the punishment from three years to two years. With these changes, a cyber criminal will now be entitled to bail as a matter of right as and when he is arrested.

4.0 CYBER LAW (IT ACT 2000)
India has enacted the first I.T. Act, 2000 based on the UNCITRAL model recommended by the General Assembly of the United Nations. Chapter XI of this Act deals with offences/crimes, along with certain other provisions scattered in the Act. The various offences provided under this chapter are shown in the following table:

4.1 Offences under the IT Act

Offence                                            Section under IT Act
Tampering with computer source documents           Sec. 65
Hacking with computer systems, data alteration     Sec. 66
Publishing obscene information                     Sec. 67
Un-authorised access to protected system           Sec. 70
Breach of confidentiality and privacy              Sec. 72
Publishing false digital signature certificates    Sec. 73

NOTE: Sec. 78 of the I.T. Act empowers a Deputy Supdt. of Police to investigate cases falling under this Act.

4.2 Computer Related Crimes Covered under IPC and Special Laws

Offence                                            Section
Sending threatening messages by email              Sec. 503 IPC
Sending defamatory messages by email               Sec. 499 IPC
Forgery of electronic records                      Sec. 463 IPC
Bogus websites, cyber frauds                       Sec. 420 IPC
Email spoofing                                     Sec. 463 IPC
Web-jacking                                        Sec. 383 IPC
E-mail abuse                                       Sec. 500 IPC
Online sale of drugs                               NDPS Act

5.0 ELEMENTARY PROBLEMS ASSOCIATED WITH CYBER-CRIMES:
One of the greatest lacunae in the field of cyber crime is the absence of a comprehensive law anywhere in the world. The problem is further aggravated by the disproportionate growth ratio of the Internet and cyber laws. Though a beginning has been made by the enactment of the I.T. Act and the amendments made to the Indian Penal Code, problems associated with cyber crimes continue to persist.

1. Jurisdiction is a highly debatable issue as to the maintainability of any suit which has been filed. Today, with the growing arms of cyber space, territorial boundaries seem to vanish. Thus the concept of territorial jurisdiction as envisaged under S.16 of the Cr.P.C. and S.2 of the I.P.C. will have to give way to alternative methods of dispute resolution.

2. Loss of evidence is a very common and expected problem, as all the data are routinely destroyed. Further, collection of data outside the territorial extent also paralyses the system of crime investigation.

3. Cyber Army: There is also an imperative need to build a high-technology crime and investigation infrastructure, with highly technical staff at the other end.

4. A law regulating cyber-space, which India has done.

5. Though S.75 provides for extra-territorial operation of this law, it could be meaningful only when backed by provisions recognizing orders and warrants for information issued by competent authorities outside their jurisdiction, and by measures for cooperation in the exchange of material and evidence of computer crimes between law enforcement agencies.

6. Cyber-savvy judges are the need of the day. The judiciary plays a vital role in shaping the enactment according to the order of the day. One such case which needs appreciation is the P.I.L. (Public Interest Litigation) which the Kerala High Court has accepted through an e-mail.

'Perfect' is a relative term. Nothing in this world is perfect. The persons who legislate the laws and by-laws are also not perfect. The laws enacted by them therefore cannot be perfect. Cyber law has emerged from the womb of globalisation. It is at the threshold of development. In due course of exposure to varied and complicated issues it will grow to be a piece of legislation of its time.