Emerging threats in Cyberspace- Cyber terrorism, MMS Scams and Data thefts


Nov 30, 2013 (4 years and 7 months ago)


copyright(c)Seth Associates 2009
All rights reserved


National Seminar on Information Security : Emerging Threats and
Innovations in the 21st century

Institute of Technology & Science, Ghaziabad

April 4, 2009

Emerging threats in Cyberspace

Cyber terrorism, MMS Scams and Data thefts

Karnika Seth


Cyber law Expert & Managing Partner





What is cyberspace?


from the


steersman, governor, pilot, or rudder)

is the global domain of
magnetics accessed through electronic technology and
exploited through the modulation of electromagnetic energy to
achieve a wide range of communication and control system
capabilities. The term is rooted in the science of cybernetics


William Gibson

coined the term "
" in his short story
"Burning Chrome" and later popularized the concept in his debut




What is a cyber threat?

From the information security perspective, a ‘threat’ is defined as
the potential to cause an unwanted incident in which an asset,
system or organisation may be harmed.

‘Cyber threat’ is a threat that percolates or infiltrates through the
use of computers, internet or interconnected communication
devices and could comprise information stealth, cyber warfare,
virus attacks, cyber terrorism, hacking attempts, phishing, sabotage,
singly or in combination.



Emerging Cyber threats

Georgia Tech Information Security Centre Reports for 2008

Threats to RFID

Threats targeting mobile convergence

Targeted messaging attacks

Web 2.0 client side attacks



Cyber Threats in 2009 and Beyond

Report of Georgia Tech Information Security Center

Threats to VOIP and mobile convergence

Cyber warfare

Data thefts



Vectors & trends for cyber threats

Malicious attackers will install malware on social networking sites
leading to increased phishing scams, or stealing
browser level protection needed.

Hackers will install malcode within video which will affect users
accessing video clips.

Mash up technology used by web applications to combine data/media
from multiple sources, locations and coding styles may lead to
increased corporate espionage and other scams

Identity thefts will only increase and will be used for corporate
espionage and phishing scams

Polymorphic exploitation: creation of unique exploit with each user
request; signature based protection engines at network or host level
fail

Growing popularity of VOIP applications: instances of voice spam and
voice phishing or smishing will increase.

Targeted attacks: attack activity through mail, Instant messaging,
P2P networks will increase

Denial of service affecting voice

Cyber terrorist attacks will increase and lead to cyber warfare
threat to nation’s

MMS scams will be on the rise and raise issues of defamation and
invasion of



Source: Government Accountability Office (GAO), Department of
Homeland Security's (DHS's) Role in Critical Infrastructure Protection
(CIP) Cybersecurity, GAO
434 (Washington, D.C.: May, 2005).

Cyber threat


Bot network











Categories of hackers



Prevention is proven to be better than cure

Attackers will continue to post malicious links as part of the user’s everyday online
at the end of an IM string, hidden in a You Tube Video or embedded in an Excel


Paul Judge, Senior Vice President and chief Technology Officer, Secure Computing

When massive numbers of users are infected, it poses a serious risk to the infrastructure.
When the Storm Worm virus broke out last January, it infected 40 to 50 million of some
300 million users connected by broadband. To combat this, network and point

security solutions need to be invented for the mobile environment

Chris Rouland, Chief Technology Officer, IBM Internet Security Systems and IBM
Distinguished Engineer




Storm botnet

Storm botnet

worm botnet

is a remotely controlled network of
(or "") that has been linked by the Storm Worm, a Trojan horse
spread through mail spam. Some have estimated that by September 2007
the Storm botnet was running on anywhere from 1 million to 50 million
computer systems.

United States Federal Bureau of
considers the botnet a major risk to increased
identity theft, and other

[Figure: the typical lifecycle of spam that originates from a botnet. Labels: Spammer's web site (2), Spamware (4), Infected computers, Virus or trojan (6), Mail servers, Users (8), Web traffic]





, also known as

, is a

targeting the Microsoft Windows operating system that was first
detected in October 2008. Conficker is believed to be the most
widespread computer worm infection since
in 2003. The initial rapid spread of the worm has been attributed to
the number of Windows PCs (estimated at 30%) which have yet to apply
the Microsoft patch for the 067 vulnerability.

By January 2009, the estimated number of infected computers ranged
from almost 9 million to 15 million. Antivirus software vendor
reported that of the 2 million computers analyzed through
ActiveScan, around 115,000 (6%) were infected with Conficker.



Levels of cyber threats and




State level




Cyber Crime mechanisms

Network based attacks

Operation based attacks

User authentication

Software based attacks

Hardware based attacks



Striking facts!

According to a report compiled by Panda Labs, in 2008, 10 million bot
computers were used to distribute spam and malware across the Internet
each day.

Annual take by theft oriented cyber criminals is estimated to be as
high as 100 billion dollars and 97 per cent of these offences go
undetected, Conference on International Police Cooperation against
Cyber Crime, March 2009




Cyber crime & warfare

Richard O. Hundley and Robert H. Anderson in
IEEE Technology and Society, pp. 19-28 (Winter 1995/1996).

In this cyberspace world, the distinction between “crime” and “warfare”
in cyberspace also blurs the distinction between police
responsibilities, to protect societal interests from criminal acts in
cyberspace, and military responsibilities, to protect societal interests
from acts of war in cyberspace



Cyber warfare - key attributes

Jon Ramsey, chief technology officer for Secure Works
attributes increasing cyber warfare activity to the

The low cost to launch cyber attacks

The lack of cyber defenses

The plausible deniability that the Internet affords

The lack of cyber rules of engagement in conflicts
between nation states



What is Cyber terrorism?

It is generally understood to mean unlawful attacks and
threats of attack against
, networks, and the information stored therein when
done to intimidate or coerce a government or its people
furtherance of political or social

Further, to qualify as cyber terrorism, an attack should
result in violence against persons or property, or at least
cause enough harm to generate




Examples of Cyber

Attacks that lead to death or bodily injury, explosions, plane crashes,
water contamination, or severe economic loss or Serious attacks
against critical infrastructures would be examples.

Solar Sunrise

In early 1998 U.S. military systems were subjected
to an "electronic assault," noted as "Solar Sunrise." The intruders
hid their tracks by routing their attack through computer systems in
the United Arab Emirates.

It was found that two young hackers in California had carried out the
attacks under the direction of a hacker in Israel, himself a teenager.
They gained privileged access to computers using tools available
from a university web site and installed sniffer programs to collect
user passwords. They created a backdoor to get back into the
system and then used a patch available from another university web
site to fix the vulnerability and prevent others from repeating their



Examples of Cyber terrorism

Middle East terrorist groups such as Hizballah, HAMAS, and
Usama Bin Ladin's organization are using computerized files,
email, and encryption to support their organizations.

Kurdish separatists in Greece and Turkey, Kashmiri separatists in
India, and Zapatista rebels in Mexico have also hacked official
government Web pages and posted anti-government propaganda
and pictures.

Terrorists and extremists already use the Internet to cause
communicate, to raise funds, recruit, and gather
. They may even launch attacks remotely from countries
where their actions are not illegal or with whom we have no
extradition agreements



Examples of Cyber terrorism

A group calling themselves the Internet Black Tigers took responsibility for attacks
in August 1998 on the email systems of Sri Lankan diplomatic posts around the
world, including those in the United States.

country sympathizers of the Mexican Zapatista rebels crashed web pages
belonging to Mexican financial institutions. While such attacks did not result in
damage to the targets, they were portrayed as successful by the activists and used to
generate propaganda and rally supporters.

Distributed Denial of Service (DDoS) attack on Estonia in May 2007 led to
crippling of banking institutions and blocked the connectivity of the offices of
President, Prime Minister, Parliament and other governmental agencies bringing the
whole system down, crippling government and private institutions

Very recently,
based cyber spy network has hacked into government and
private systems in 103 countries, including those of many Indian embassies and
the Dalai Lama.



IT Act 2000 and Cyber terrorism

Section 66 of IT Act: Hacking (punishment upto 3 yrs/fine of 2

Section 70 of IT Act: any act to harm protected systems punishable
under IT Act 2000 (punishment upto 10 yrs)

Section 121 of IPC: waging war against Government (punishable
with life imprisonment)

Section 153A, 295A of IPC: promoting enmity between different
religious groups is punishable offence (3 yrs imprisonment/fine/both)

Section 66F of the Indian Information Technology Bill 2008
specifically deals with issue of cyber terrorism.

Covers denial of access, unauthorised access, computer
contaminant leading to harm to persons, property, critical
infrastructure, disruption of supplies, ‘sensitive data’ thefts

Punishable with imprisonment which may extend to imprisonment
for life.



Recent amendments in IT Act,2000

To protect interests of sovereignty , integrity of India, public order,
security of State , defence of India, friendly relations with foreign


Section 69: Power of interception, decryption, monitoring of
information by Central govt/state govt authorised agencies

Section 69 A: Power to block objectionable websites to protect
interests of sovereignty, integrity of India, public order, security of
State, defence of India, friendly relations with foreign states

Section 69 B: Power to authorize to monitor and collect traffic data,
or information through any computer resource for cyber security

Section 70: Protected systems, and Section 70A: Central Govt shall
appoint Indian Computer Emergency Response Team to protect its
critical infrastructure



Data theft

According to the section 2 of Information Technology Act


means a representation of information, knowledge, facts,
concepts or instruction which are being prepared or have been prepared
in a formalised manner, and is intended to be processed, is being
processed or has been processed in a computer system or computer
network, and may be in any form (including computer printouts magnetic
or optical storage media, punched cards, punched tapes) or stored
internally in the memory of the computer

“Data Theft”

It is the term used when any information in the form of data
is illegally copied or taken from a business or other individual without his
knowledge or consent.



Glaring Examples

Data thefts

The incidents in the recent past involving Cyber Space have
highlighted the issues of privacy and data protection in India

The Pune scam was the first among the many BPO frauds that made international
headlines. In April 2005, five employees of MsourcE in Pune were arrested for
allegedly pulling off a fraud worth nearly 2.5 crore rupees from the Citibank accounts
of four New York-based account holders.

In June 2005, the British tabloid
, in a sting operation, purchased the bank
account details of 1,000 Britons from Karan Bahree, an employee of Gurgaon
BPO company Infinity E



Examples of Data thefts

In June 2006, Nadeem Kashmiri, an employee at HSBC's call
in Bangalore, sold the customer credit card information to a group of
scamsters who used the information to siphon off nearly Rs 1.8
crore from bank accounts of UK-based customers.

An Indian engineer and former Intel employee, Bishwasmohan Pani,
has been charged with stealing secret information from Intel for its
new employer and Intel's rival Advanced Micro Devices (AMD)

Acme Tele Power Private Limited, a Manesar-based IT company,
decided to shift its $10 million R&D facility to Australia because of a
recent incident of data theft that caused it a loss of Rs 750 crore.
Acme had developed a product called Power Interface Unit (PIU)
and had it patented by the government of India. The patent was
valued at Rs 750 crore by Ernst and Young. One of our employees,
Sachidanand Patnaik, worked on the project and leaked the
patented software of PIU to Lambda Eastern Telecom Limited.”



Data theft & the Indian legal Provisions

Section 378 of the Indian Penal Code, 1860 defines ‘Theft’ as

Whoever, intending to take dishonestly any movable property out
of the possession of any person without that person’s consent, moves that
property in order to such taking, is said to commit theft

Section 22 of I.P.C., 1860 defines “movable property” as follows:

“The words “movable property” are intended to include corporeal property
of every description, except land and things attached to the earth or
permanently fastened to anything which is attached to the earth

Since Section 378 I.P.C., only refers to “Movable Property” i.e.
Corporeal Property, and Data by itself is intangible, it is not covered
under the definition of "Theft".
However, if data is stored in a medium (CD, Pen drive etc.) and such
medium is stolen, it would be covered
under the definition of ‘Theft’, since the medium is a movable



Data theft & the Indian legal Provisions

Section 405 of I.P.C. defines ‘Criminal Breach of Trust’ as

Criminal Breach of Trust’

Whoever, being in any manner entrusted with
property, or with any dominion over property, dishonestly misappropriates or
converts to his own use that property, or dishonestly uses or disposes of
that property in violation of any direction of law prescribing the mode in
which such trust is to be discharged, or of any legal contract, express or
implied, which he has made touching the discharge of such trust, or willfully
suffers any other person so to do, commits ‘criminal breach of trust’ ”.

Section 406 I.P.C. punishes Criminal Breach of Trust with
punishment of imprisonment upto 3 years, or with fine, or with both



Data theft & the Indian legal Provisions

Section 43 IT Act

This section provides protection against destruction and
unauthorized access of the computer system by imposing heavy penalty up
to one crore. The unauthorized downloading, extraction and copying of data
are also covered under this section. Clause ‘C’ of this section imposes
penalty for unauthorized introduction of computer viruses or contaminants.
Clause ‘G’ provides penalties for assisting the unauthorized access.

The Recent IT Amendment Bill 2008 adds stealing of computer source
code and destruction/alteration of data within its ambit and removes
stipulated upper limit of one crore to claim compensation.

Section 43A imposes heavy liability on body corporates for failure to protect
sensitive personal data or information.

Section 66: Element of mens rea in any acts covered by Section 43,
punishment of three years/fine upto 5 lakh or both

Section 66C: punishment for identity thefts, upto three year punishment/upto
1 lakh fine

Section 72A: Punishment for disclosure of information in breach of contract,
punishable with imprisonment upto three years, fine upto 5 lakhs/both



Data theft & Copyright law

Indian Copyright Act, 1957 protects “” as ‘literary
works’ under Section 13 (1) (a) of the Act which states that
Copyright shall subsist throughout India in original literary,
dramatic, musical and artistic works.

The definition of ‘literary works’ as defined under Section 2(o) of
Copyright Act, 1957 includes computer programmes, tables and
compilations including computer data bases.

Civil remedies in infringement of copyright is covered by
Section 55 of the Copyright Act: injunction, damages, accounts,
delivery up of infringing goods.

Section 63: criminal remedy, punishment not less than 6
months, extend to 3 years and fine upto 2 lakhs



Industry Measures to check data thefts

Nasscom launched a National Skills Registry for IT professionals
to help employers conduct background checks.

Nasscom announced plans to set up an independent,
organization to set and monitor data security and privacy best
practices by outsourcing service providers in India.

Service providers in India are also increasingly adopting compliance
programs and comprehensive security audits, including personnel
and equipment audits to prevent misuse of sensitive information and

Compliance programs include training of employees to enhance
awareness of confidentiality and of managers with regard to
securing computer systems, common threats to information security,
control techniques, risk assessment and management,
intrusion detection, authentication and other issues.

Enforcement agencies in India are also working with business process
outsourcers to conduct workshops aimed at improving employees’
knowledge and skills in the area of the misuse of data.



MMS Scams

The Multimedia Messaging Service, similar to EMS, is a new and improved
format of Short Message Service (SMS). MMS allows compatible cell
phone users to exchange multimedia messages on their phones, such as
graphical postcards, animations, video clips, maps and business cards.

Where a video clip is circulated in the cyberspace through ‘Multimedia
Messaging Service’ which contains sexually explicit material can be
defined as MMS scams



MMS scandals

In 2004 a DPS (Delhi Public School) student filmed a sexually explicit video clip of
his classmate in a compromising position on his cell phone, forwarded the video via
MMS to his friends. The clip was then put up on Bazee.com and widely circulated.

Case of the State of Tamil Nadu Vs Suhas Katti is notable for the fact that the
conviction was achieved successfully within a relatively quick time of 7 months from
the filing of the FIR.

The case related to posting of obscene, defamatory and annoying message about a
divorcee woman in the yahoo message group. Additional Chief Metropolitan
Magistrate, delivered the judgment on 5
04 as follows:

“The accused is found guilty of offences under section 469, 509 IPC and 67 of IT Act
2000 and the accused is convicted and is sentenced for the offence to undergo RI for
2 years under 469 IPC and to pay fine of Rs.500/

and for the offence u/s 509 IPC
sentenced to undergo 1 year Simple imprisonment and to pay fine of Rs.500/

for the offence u/s 67 of IT Act 2000 to undergo RI for 2 years and to pay fine of

All sentences to run concurrently.”

This is considered the first case convicted under section 67 of Information
Technology Act 2000 in India



Srinagar Sex abuse scandal

Srinagar sex abuse scandal involved top J&K politicians.

Police arrested Mohammad Ashraf after a 15-year-old victim recognised
him during an identification parade.

Clip was prepared to blackmail the girl so that she did not marry
anybody else.

the 15 year old victim of the J&K sex abuse scandal given to the CBI
which identifies the culprit behind the filming of the MMS and unveils
the personal trauma of the girl child

(5 June 2006, Indian Express)



The Noida MMS Scandal

In February 2009, an MBA student in Noida a boy
circulated video clip of his 23
girlfriend doing striptease for him to his
classmates using the girl's e-mail id.

After the girl refused to marry him, the boy who had access
to the girl's mail id and circulated that MMS clip to
fellow students.

Police registered a case of criminal intimidation following a
complaint filed by the girl's



Indian legal provisions to combat MMS

Section 66 E: This is a new section added in the ITAA 2008

Whoever, intentionally or knowingly captures, publishes or transmits the image of a
private area of any person without his or her consent, under circumstances violating
the privacy of that persons, shall be punished with imprisonment which may extend
to three years or with fine not exceeding two lakh rupees or with both.”

electronically send an image

means to By videotape, photograph ,film or record by any means

Section 67: transmitting obscene material in electronic form,
3 years punishment and fine upto 5 lakh

Section 67A: material containing sexually explicit act, extend to 5 years
imprisonment / fine upto 10 lakhs. In the event of second and subsequent conviction
with imprisonment for a term which may extend to seven years and also with fine
which may extend to ten lakhs

Section 67 B: Depicting children in sexually explicit conduct in electronic form,
punishment upto 5 years/ fine upto 10 lakhs and in the event of second or
subsequent conviction with imprisonment of either description for a term which may
extend to seven years and also with fine which may extend to ten lakh rupees:



To reduce vulnerability of country’s

To protect critical infrastructure and critical information systems and

To improve interdepartmental coordination mechanisms for
prevention, rapid response and recovery from attacks

To advance legal mechanisms that support the goals of the cyber security
recent changes in IT Act, 2000 and appointment of CERT as
official agency of Government

awareness programs on cyber security

To enhance international cooperation
promoting cyber security culture and




Threat assessment

periodical risk analyses, sectoral risk
analyses, long term threat assessments

Enhanced standards for CII, detecting security gaps

Resource planning and control mechanisms

Incident management:

detection and warning

launching protection mechanisms

Crisis management:

national coordination system on cyber emergencies

contingency plans

Recovery :

critical information infrastructure

other systems




Information security: Securing widespread electronic collaboration while
protecting data at rest, in motion, in use, and throughout the lifecycle,

Threat and vulnerability management: Staying ahead of emerging
threats on all system components: network, server, and the
strategic endpoint,

Identity and access management: Assuring that the right people have
access to the right information and assets at the right time for the
right reason,

Application security: Ensuring application and business process security
across the software application lifecycle, and

Physical security: Integrating video surveillance and security solutions
with industry-standard components.



Thank you!



New Delhi Law Office

1/16, Daryaganj, New Delhi
110002, India

Tel:+91 (11) 65352272, +91 9868119137

Corporate Law Office

10, Sector 40, NOIDA
201301, N.C.R ,India

Tel: +91 (120) 4352846, +91 9810155766

Fax: +91 (120) 4331304