Emerging threats in Cyberspace- Cyber terrorism, MMS Scams and Data thefts

Nov 30, 2013

copyright(c)Seth Associates 2009
All rights reserved




National Seminar on Information Security: Emerging Threats and Innovations in the 21st century

Institute of Technology & Science, Ghaziabad

April 4th, 2009

Emerging threats in Cyberspace - Cyber terrorism, MMS Scams and Data thefts

Karnika Seth

Chairperson, Cyber law Expert & Managing Partner

SETH ASSOCIATES

ADVOCATES AND LEGAL CONSULTANTS













What is cyberspace?



Cyberspace, from the Greek Κυβερνήτης (kybernētēs, steersman, governor, pilot, or rudder), is the global domain of electro-magnetics accessed through electronic technology and exploited through the modulation of electromagnetic energy to achieve a wide range of communication and control system capabilities. The term is rooted in the science of cybernetics.

William Gibson coined the term "cyberspace" in his short story "Burning Chrome" and later popularized the concept in his debut novel, Neuromancer (1984).


What is a cyber threat?



From the information security perspective, a ‘threat’ is defined as the potential to cause an unwanted incident in which an asset, system or organisation may be harmed.

A ‘cyber threat’ is a threat that percolates or infiltrates through the use of computers, the internet or interconnected communication devices, and could comprise information stealth, cyber warfare, virus attacks, cyber terrorism, hacking attempts, phishing and sabotage, singly or in combination.



Emerging Cyber threats - Georgia Tech Information Security Centre - Reports for 2008

Threats to RFID
Threats targeting mobile convergence
Botnets
Targeted messaging attacks
Web 2.0 client side attacks


Cyber Threats in 2009 and Beyond

Report of Georgia Tech Information Security Center (GTISC)

Malware
Botnets
Threats to VOIP and mobile convergence
Cyber warfare
Data thefts



Vectors & trends for cyber threats

Malicious attackers will install malware on social networking sites, leading to increased phishing scams, stealing of data, etc. - browser level protection needed.

Hackers will install malcode within video content, which will affect users accessing video clips.

Mash up technology used by web applications to combine data/media from multiple sources, locations and coding styles may lead to increased corporate espionage and other scams.

Identity thefts will only increase and botnets will be used for corporate espionage and phishing scams.

Polymorphic exploitation - creation of a unique exploit with each user request - signature based protection engines at network or host level fail.

Growing popularity of VOIP applications - instances of voice spam and voice phishing or smishing will increase.

Targeted attacks - attack activity through e-mail, instant messaging and P2P networks will increase.

Denial of service affecting voice infrastructure.

Cyber terrorist attacks will increase and lead to cyber warfare - threat to nation’s sovereignty.

MMS scams will be on the rise and raise issues of defamation and invasion of privacy.


Source: Government Accountability Office (GAO), Department of Homeland Security's (DHS's) Role in Critical Infrastructure Protection (CIP) Cybersecurity, GAO-05-434 (Washington, D.C.: May, 2005).

Cyber threat groups

Bot network operators
Spyware authors
Foreign intelligence
Insiders
Phishers
Spammers


Categories of hackers


Prevention is proven to be better than cure….

“Attackers will continue to post malicious links as part of the user’s everyday online activity - at the end of an IM string, hidden in a YouTube video or embedded in an Excel spreadsheet.”
- Paul Judge, Senior Vice President and Chief Technology Officer, Secure Computing

“When massive numbers of users are infected, it poses a serious risk to the infrastructure. When the Storm Worm virus broke out last January, it infected 40 to 50 million of some 300 million users connected by broadband. To combat this, network and point-based security solutions need to be invented for the mobile environment.”
- Chris Rouland, Chief Technology Officer, IBM Internet Security Systems and IBM Distinguished Engineer



The Storm botnet

The Storm botnet or Storm worm botnet is a remotely-controlled network of "zombie" computers (or "botnet") that has been linked by the Storm Worm, a Trojan horse spread through e-mail spam. Some have estimated that by September 2007 the Storm botnet was running on anywhere from 1 million to 50 million computer systems.

The United States Federal Bureau of Investigation considers the botnet a major risk to increased bank fraud, identity theft, and other cybercrimes.

The typical lifecycle of spam that originates from a botnet:

(1) Spammer's web site
(2) Spammer
(3) Spamware
(4) Infected computers
(5) Virus or trojan
(6) Mail servers
(7) Users
(8) Web traffic



The Conficker Worm

Conficker, also known as Downup, Downadup and Kido, is a computer worm targeting the Microsoft Windows operating system that was first detected in October 2008. Conficker is believed to be the most widespread computer worm infection since SQL Slammer in 2003. The initial rapid spread of the worm has been attributed to the number of Windows PCs (estimated at 30%) which have yet to apply the Microsoft patch for the MS08-067 vulnerability.

By January 2009, the estimated number of infected computers ranged from almost 9 million to 15 million. Antivirus software vendor Panda Security reported that of the 2 million computers analyzed through ActiveScan, around 115,000 (6%) were infected with Conficker.


Levels of cyber threats and vulnerabilities

Individual
sector
society
State level
Global


Cyber Crime mechanisms

Network based attacks

Operation based attacks

User authentication

Software based attacks

Hardware based attacks


Striking facts!



According to a report compiled by Panda Labs, in 2008, 10 million bot computers were used to distribute spam and malware across the Internet each day.

Annual take by theft-oriented cyber criminals is estimated to be as high as 100 billion dollars and 97 per cent of these offences go undetected - CBI's Conference on International Police Cooperation against Cyber Crime, March 2009.



Cyber crime & warfare


EMERGING CHALLENGE: SECURITY AND SAFETY IN CYBERSPACE by Richard O. Hundley and Robert H. Anderson in IEEE Technology and Society, pp. 19-28 (Winter 1995/1996).

“In this cyberspace world, the distinction between “crime” and “warfare” in cyberspace also blurs the distinction between police responsibilities, to protect societal interests from criminal acts in cyberspace, and military responsibilities, to protect societal interests from acts of war in cyberspace.”



Cyber warfare - key attributes

Jon Ramsey, chief technology officer for Secure Works, attributes increasing cyber warfare activity to the following:

The low cost to launch cyber attacks
The lack of cyber defenses
The plausible deniability that the Internet affords
The lack of cyber rules of engagement in conflicts between nation states.


What is Cyber terrorism?


It is generally understood to mean unlawful attacks and threats of attack against computers, networks, and the information stored therein when done to intimidate or coerce a government or its people in furtherance of political or social objectives.

Further, to qualify as cyber terrorism, an attack should result in violence against persons or property, or at least cause enough harm to generate fear.


Examples of Cyber-terrorism

Attacks that lead to death or bodily injury, explosions, plane crashes, water contamination, or severe economic loss, or serious attacks against critical infrastructures, would be examples.

Solar Sunrise - In early 1998 U.S. military systems were subjected to an "electronic assault," noted as "Solar Sunrise." The intruders hid their tracks by routing their attack through computer systems in the United Arab Emirates.

It was found that two young hackers in California had carried out the attacks under the direction of a hacker in Israel, himself a teenager. They gained privileged access to computers using tools available from a university web site and installed sniffer programs to collect user passwords. They created a backdoor to get back into the system and then used a patch available from another university web site to fix the vulnerability and prevent others from repeating their exploit.



Examples of Cyber terrorism


Middle East terrorist groups - such as Hizballah, HAMAS, and Usama Bin Ladin's organization - are using computerized files, email, and encryption to support their organizations.

Kurdish separatists in Greece and Turkey, Kashmiri separatists in India, and Zapatista rebels in Mexico have also hacked official government Web pages and posted anti-government propaganda and pictures.

Terrorists and extremists already use the Internet to cause destruction, communicate, to raise funds, recruit, and gather intelligence. They may even launch attacks remotely from countries where their actions are not illegal or with whom we have no extradition agreements.



Examples of Cyber terrorism


A group calling themselves the Internet Black Tigers took responsibility for attacks in August 1998 on the email systems of Sri Lankan diplomatic posts around the world, including those in the United States.

Third-country sympathizers of the Mexican Zapatista rebels crashed web pages belonging to Mexican financial institutions. While such attacks did not result in damage to the targets, they were portrayed as successful by the activists and used to generate propaganda and rally supporters.

The Distributed Denial of Service (DDoS) attack on Estonia in May 2007 led to crippling of banking institutions and blocked the connectivity of the offices of the President, Prime Minister, Parliament and other governmental agencies, bringing the whole system down and crippling government and private institutions.

Very recently, a China-based cyber spy network has hacked into government and private systems in 103 countries, including those of many Indian embassies and the Dalai Lama.


IT Act 2000 and Cyber terrorism



Section 66 of IT Act - Hacking (punishment up to 3 yrs/fine of 2 lakhs)

Section 70 of IT Act - any act to harm protected systems punishable under IT Act 2000 (punishment up to 10 yrs)

Section 121 of IPC - waging war against Government (punishable with life imprisonment)

Section 153A, 295A of IPC - promoting enmity between different religious groups is a punishable offence (3 yrs imprisonment/fine/both)

Section 66F of the Indian Information Technology Amendment Bill 2008 specifically deals with the issue of cyber terrorism.

Covers denial of access, unauthorised access, computer contaminant leading to harm to persons, property, critical infrastructure, disruption of supplies, ‘sensitive data’ thefts.

Punishable with imprisonment which may extend to imprisonment for life.



Recent amendments in IT Act, 2000

To protect interests of sovereignty, integrity of India, public order, security of State, defence of India, friendly relations with foreign states -

Section 69 - Power of interception, decryption, monitoring of information by Central govt/state govt authorised agencies

Section 69 A - Power to block objectionable websites - to protect interests of sovereignty, integrity of India, public order, security of State, defence of India, friendly relations with foreign states

Section 69 B - Power to authorize to monitor and collect traffic data, or information through any computer resource for cyber security

Section 70 - Protected systems, and Section 70A - Central Govt shall appoint Indian Computer Emergency Response Team to protect its critical infrastructure


Data theft





According to the section 2 of Information Technology Act,

“Data” means a representation of information, knowledge, facts, concepts or instruction which are being prepared or have been prepared in a formalised manner, and is intended to be processed, is being processed or has been processed in a computer system or computer network, and may be in any form (including computer printouts magnetic or optical storage media, punched cards, punched tapes) or stored internally in the memory of the computer.

“Data Theft” - It is the term used when any information in the form of data is illegally copied or taken from a business or other individual without his knowledge or consent.



Glaring Examples


Data thefts


The incidents in the recent past involving Cyber Space have highlighted the issues of privacy and data protection in India.

The Pune scam was the first among the many BPO frauds that made international headlines. In April 2005, five employees of MsourcE in Pune were arrested for allegedly pulling off a fraud worth nearly 2.5 crore rupees from the Citibank accounts of four New York-based account holders.

In June 2005, the British tabloid Sun, in a sting operation, purchased the bank account details of 1,000 Britons from Karan Bahree, an employee of Gurgaon-based BPO company Infinity E-Search.



Examples of Data thefts


In June 2006, Nadeem Kashmiri, an employee at HSBC's call center in Bangalore, sold customer credit card information to a group of scamsters who used the information to siphon off nearly Rs 1.8 crore from bank accounts of UK-based customers.

An Indian engineer and former Intel employee, Bishwasmohan Pani, has been charged with stealing secret information from Intel for his new employer and Intel's rival Advanced Micro Devices (AMD).

Acme Tele Power Private Limited, a Manesar-based IT company, decided to shift its $10 million R&D facility to Australia because of a recent incident of data theft that caused it a loss of Rs 750 crore. Acme had developed a product called Power Interface Unit (PIU) and had it patented by the government of India. The patent was valued at Rs 750 crore by Ernst and Young. “One of our employees, Sachidanand Patnaik, worked on the project and leaked the patented software of PIU to Lambda Eastern Telecom Limited.”



Data theft & the Indian legal Provisions


Section 378 of the Indian Penal Code, 1860 defines ‘Theft’ as follows:-

“Theft - Whoever, intending to take dishonestly any movable property out of the possession of any person without that person’s consent, moves that property in order to such taking, is said to commit theft.”

Section 22 of I.P.C., 1860 defines “movable property” as follows:-

“The words “movable property” are intended to include corporeal property of every description, except land and things attached to the earth or permanently fastened to anything which is attached to the earth.”

Since Section 378 I.P.C. only refers to “Movable Property”, i.e. Corporeal Property, and Data by itself is intangible, it is not covered under the definition of "Theft". However, if data is stored in a medium (CD, Pen-drive etc.) and such medium is stolen, it would be covered under the definition of ‘Theft’, since the medium is a movable property.




Data theft & the Indian legal Provisions



Section 405 of I.P.C. defines ‘Criminal Breach of Trust’ as follows:-

“‘Criminal Breach of Trust’. - Whoever, being in any manner entrusted with property, or with any dominion over property, dishonestly misappropriates or converts to his own use that property, or dishonestly uses or disposes of that property in violation of any direction of law prescribing the mode in which such trust is to be discharged, or of any legal contract, express or implied, which he has made touching the discharge of such trust, or willfully suffers any other person so to do, commits ‘criminal breach of trust’.”

Section 406 I.P.C. punishes Criminal Breach of Trust with imprisonment up to 3 years, or with fine, or with both.


Data theft & the Indian legal Provisions


Section 43 IT Act - This section provides protection against destruction and unauthorized access of the computer system by imposing a heavy penalty of up to one crore. The unauthorized downloading, extraction and copying of data are also covered under this section. Clause ‘C’ of this section imposes a penalty for unauthorized introduction of computer viruses or contaminants. Clause ‘G’ provides penalties for assisting the unauthorized access.

The recent IT Amendment Bill 2008 adds stealing of computer source code and destruction/alteration of data within its ambit and removes the stipulated upper limit of one crore to claim compensation.

Section 43A imposes heavy liability on body corporates for failure to protect sensitive personal data or information.

Section 66 - Element of mens rea in any acts covered by Section 43 - punishment of three years/fine up to 5 lakh or both

Section 66C - punishment for identity thefts - up to three year punishment / up to 1 lakh fine

Section 72A - Punishment for disclosure of information in breach of contract - punishable with imprisonment up to three years, fine up to 5 lakhs/both




Data theft & Copyright law


Indian Copyright Act, 1957 protects “Databases” as ‘literary works’ under Section 13 (1) (a) of the Act, which states that Copyright shall subsist throughout India in original literary, dramatic, musical and artistic works.

The definition of ‘literary works’ as defined under Section 2(o) of Copyright Act, 1957 includes computer programmes, tables and compilations including computer data bases.

Civil remedies in infringement of copyright are covered by Section 55 of the Copyright Act - injunction, damages, accounts, delivery up of infringing goods.

Section 63 - criminal remedy - punishment not less than 6 months, extend to 3 years and fine up to 2 lakhs



Industry Measures to check data thefts



Nasscom launched a National Skills Registry for IT professionals to help employers conduct background checks.

Nasscom announced plans to set up an independent, self-regulatory organization to set and monitor data security and privacy best practices by outsourcing service providers in India.

Service providers in India are also increasingly adopting compliance programs and comprehensive security audits, including personnel and equipment audits, to prevent misuse of sensitive information and data.

Compliance programs include training of employees to enhance awareness of confidentiality, and of managers with regard to securing computer systems, common threats to information security, access-control techniques, risk assessment and management, intrusion detection, authentication and other issues.

Enforcement agencies in India are also working with business process outsourcers to conduct workshops aimed at improving employees’ knowledge and skills in the area of the misuse of data.




MMS Scams


The Multimedia Messaging Service, similar to EMS, is a new and improved format of Short Message Service (SMS). MMS allows compatible cell phone users to exchange multimedia messages on their phones, such as graphical postcards, animations, video clips, maps and business cards.

The circulation in cyberspace, through the ‘Multimedia Messaging Service’, of a video clip which contains sexually explicit material can be defined as an MMS scam.




MMS scandals


In 2004 a DPS (Delhi Public School) student filmed a sexually explicit video clip of his classmate in a compromising position on his cell phone and forwarded the video via MMS to his friends. The clip was then put up on Bazee.com and widely circulated.

The case of the State of Tamil Nadu Vs Suhas Katti is notable for the fact that the conviction was achieved successfully within a relatively quick time of 7 months from the filing of the FIR.

The case related to posting of an obscene, defamatory and annoying message about a divorcee woman in the Yahoo message group. The Additional Chief Metropolitan Magistrate delivered the judgment on 5-11-04 as follows:

“The accused is found guilty of offences under section 469, 509 IPC and 67 of IT Act 2000 and the accused is convicted and is sentenced for the offence to undergo RI for 2 years under 469 IPC and to pay fine of Rs.500/- and for the offence u/s 509 IPC sentenced to undergo 1 year Simple imprisonment and to pay fine of Rs.500/- and for the offence u/s 67 of IT Act 2000 to undergo RI for 2 years and to pay fine of Rs.4000/- All sentences to run concurrently.”

This is considered the first case convicted under section 67 of Information Technology Act 2000 in India.


Srinagar Sex abuse scandal



Srinagar sex abuse scandal involved top J&K politicians.

Police arrested Mohammad Ashraf after a 15-year-old victim recognised him during an identification parade.

Clip was prepared to blackmail the girl so that she did not marry anybody else.

the 15-year old victim of the J&K sex abuse scandal given to the CBI which identifies the culprit behind the filming of the MMS and unveils the personal trauma of the girl child

(5 June 2006, Indian Express)


The Noida MMS Scandal


In February 2009, an MBA student in Noida circulated a video clip of his 23-year-old girlfriend doing a striptease for him to his classmates, using the girl's e-mail id.

After the girl refused to marry him, the boy, who had access to the girl's mail id, circulated that MMS clip to fellow students.

Police registered a case of criminal intimidation following a complaint filed by the girl's family.



Indian legal provisions to combat MMS scandals

Section 66 E: This is a new section added in the ITAA 2008.

“Whoever, intentionally or knowingly captures, publishes or transmits the image of a private area of any person without his or her consent, under circumstances violating the privacy of that person, shall be punished with imprisonment which may extend to three years or with fine not exceeding two lakh rupees or with both.”

Transmit - electronically send an image

Capture means to videotape, photograph, film or record by any means

Section 67 - transmitting obscene material in electronic form - 3 years punishment and fine up to 5 lakh

Section 67A - material containing sexually explicit act - extend to 5 years imprisonment / fine up to 10 lakhs. In the event of second and subsequent conviction, with imprisonment for a term which may extend to seven years and also with fine which may extend to ten lakhs

Section 67 B - Depicting children in sexually explicit conduct in electronic form - punishment up to 5 years / fine up to 10 lakhs, and in the event of second or subsequent conviction with imprisonment of either description for a term which may extend to seven years and also with fine which may extend to ten lakh rupees:





To reduce vulnerability of country’s cyberspace

To protect critical infrastructure and critical information systems and services

To improve interdepartmental coordination mechanisms for prevention, rapid response and recovery from attacks

To advance legal mechanisms that support the goals of the cyber security strategy - recent changes in IT Act, 2000 and appointment of CERT as official agency of Government

To launch awareness programs on cyber security

To enhance international cooperation, promoting cyber security culture and international agreements





1. Prevention:
   Threat assessment - periodical risk analyses, sectoral risk analyses, long term threat assessments
   Enhanced standards for CII, detecting security gaps
   Resource planning and control mechanisms

2. Incident management:
   detection and warning
   launching protection mechanisms

3. Crisis management:
   national coordination system on cyber emergencies
   contingency plans

4. Recovery:
   critical information infrastructure
   other systems



Information security - Securing widespread electronic collaboration while protecting data at rest, in motion, in use, and throughout the lifecycle,

Threat and vulnerability management - Staying ahead of emerging threats on all system components: network, server, and the strategic endpoint,

Identity and access management - Assuring that the right people have access to the right information and assets at the right time for the right reason,

Application security - Ensuring application and business process security across the software application lifecycle, and

Physical security - Integrating video surveillance and security solutions with industry-standard components.


Thank you!


SETH ASSOCIATES
ADVOCATES AND LEGAL CONSULTANTS

New Delhi Law Office:
C-1/16, Daryaganj, New Delhi-110002, India
Tel: +91 (11) 65352272, +91 9868119137

Corporate Law Office:
B-10, Sector 40, NOIDA-201301, N.C.R, India
Tel: +91 (120) 4352846, +91 9810155766
Fax: +91 (120) 4331304

E-mail: mail@sethassociates.com