Cyber law of India is an essential part of legal
enablement of ICT systems in India. The same must be
strengthened by good cyber
forensics capabilities in India. The present cyber
law of India is not only a weak piece of legislation but
also ineffective against the contemporary cyber crimes. Similarly, it
is also violating human
rights of Indian in the cyberspace. The bottom line is
that Indian needs a good techno-legal
expertise to tackle the growing menace of cyber crimes.
The information
technology is a double edge
sword, which can be used for destructive as well
as constructive work. Thus, the fate of many ventures depends upon
the benign or vice intentions, as the case may be, of the person
dealing with and using the technology. For instance, a malicious
intention forwarded in the form of hacking, data theft, virus attack,
etc can bring only destructive results unless and until these methods
have been used for checking the authenticity, safety and security of
the technological device which has been primarily relied upon and
trusted for providing the security to a particular organization. For
instance, the creator of the “Sasser worm” has been hired as a
“security software programmer” by a German firm, so that he can
make firewalls, which will stop suspected files from entering
computer systems.
These methods may also be used for checking the authenticity, safety and security of one’s technological device, which has been primarily relied upon and trusted for providing the security to a particular organization. In fact, a society without protection in the form of “self help” cannot be visualized in the present electronic era.
Thus, we must concentrate upon securing our ICT and e-governance bases before we start encashing their benefits. The same can be effectively achieved if we give due importance to this fact while discussing, drafting and adopting policies decisions pertaining to ICT in general and e-governance in particular. The same is also important for an effective e-commerce base and an insecure and unsafe ICT base can be the biggest discouraging factor for a flourishing e-commerce business. The factors relevant for this situation are too numerous to be discussed in a single work. Thus, it would be better if we concentrate on each factor in a separate but coherent and holistic manner. The need of the hour is to set priority for a secure and safe electronic environment so that its benefits can be reaped to the maximum possible extent.
Prevalence of Cyber Crime
The prevalence of Cyber crime throughout the world has frustrated law enforcement agents and legislators alike. According to an article published in the American Criminal Law Review, at least half of all businesses in the United States alone have been the victims of cyber crime or some sort of security breach. Cyber Crime is such a detrimental type of offense not only because of the type of damage that it can do to individuals and businesses but also because of the costs involved in cyber crime. These costs are most often associated with the repair of a computer system or network. There are also costs associated with the compromise of data that often occurs. This is particularly costly because of the damage that it can do to the reputation of a business and organizations. Customers can become more apprehensive about shopping at a franchise that has experienced computer security problems or going to a bank that has been the victim of cyber crime. For this very reason, the article points out that some businesses and organizations that have been affected by Cyber Crime do not report breaches in security.
Cyber Crimes in India
India is on the verge of a technology revolution and the driving force behind the same is the acceptance and adoption of Information and Communication Technology (ICT) and its benefits. This technology revolution may, however, fail to bring the desired and much needed result if we do not adopt a sound and country oriented e-governance policy. A sound e-governance policy presupposes the existence of a sound and secure e-governance base as well. The security and safety of various ICT platforms and projects in India must be considered on a priority basis before any e-governance base is made fully functional. This presupposes the adoption and use of security measures more particularly empowering judiciary and law enforcement manpower with the knowledge and use of cyber forensics and digital evidencing.
Cyber Forensics and Its Need
The concepts of cyber security and cyber forensics are not only interrelated but also indispensably required for the success of each other. The former secures the ICT and e-governance base whereas the latter indicates the loopholes and limitations of the adopted measures to secure the base. The latter also becomes essential to punish the deviants so that a deterrent example can be set. There is, however, a problem regarding acquiring expertise in the latter aspect. This is so because though a computer can be secured even by a person with simple technical knowledge the ascertainment and preservation of the evidence is a tough task. For instance, one can install an anti-virus software, firewall, adjust security settings of the browser, etc but the same cannot be said about making a mirror copy of hard disk, extracting deleted files and documents, preserving logs of activities over internet, etc. Further one can understand the difficulty involved in the prosecution and presentation of a case before a court of law because it is very difficult to explain the evidence acquired to a not so techno savvy judge. The problem becomes more complicated in the absence of sufficient numbers of trained lawyers in this crucial field.
The Cyber Forensics has given new dimensions to the Criminal laws, especially the Evidence law. Electronic evidence and their collection and presentation have posed a challenge to the investigation agencies, prosecution agencies and judiciary. The scope of Cyber Forensics is no more confined to the investigation regime only but is expanding to other segments of justice administration system as well. The justice delivery system cannot afford to take the IT revolution lightly. The significance of cyber forensics emanates from this interface of justice delivery system with the Information Technology.
The growing use of IT has posed certain challenges before the justice delivery system that have to be met keeping in mind the contemporary IT revolution. The contemporary need of Cyber Forensics is essential for the following reasons:
(a) The traditional methods are inadequate: The law may be categorized as substantive and procedural. The substantive law fixes the liability whereas the procedural law provides the means and methods by which the substantive liability has to contended, analyzed and proved. The procedural aspects providing for the guilt establishment provisions were always there but their interface with the IT has almost created a deadlock in investigative and adjudicative mechanisms. The challenges posed by IT are peculiar to contemporary society and so must be their solution. The traditional procedural mechanisms, including forensic science methods, are neither applicable nor appropriate for this situation. Thus, “cyber forensics” is the need of the hour. India is the 12th country in the world that has its own “Cyber law” (IT Act, 2000). However, most of the people of India, including lawyers, judges, professors, etc, are not aware about its existence and use. The traditional forensic methods like finger impressions, DNA testing, blood and other tests, etc play a limited role in this arena.
(b) The changing face of crimes and criminals: The use of Internet has changed the entire platform of crime, criminal and their prosecution. This process involves crimes like hacking, pornography, privacy violations, spamming, phishing, pharming, identity theft, cyber terrorisms, etc. The modus operendi is different that makes it very difficult to trace the culprits. This is because of the anonymous nature of Internet. Besides, certain sites are available that provides sufficient technological measures to maintain secrecy. Similarly, various sites openly provide hacking and other tools to assist commission of various cyber crimes. The Internet is boundary less and that makes the investigation and punishment very difficult. These objects of criminal law will become a distant reality till we have cyber forensics to tackle them.
(c) The need of comparison: There is a dire need to compare the traditional crimes and criminals with the crimes and criminal in the IT environment. More specifically, the following must be the parameters of this comparison:
a. Nature of the crime
b. Manner/Methods of commission of the crime,
c. Purpose of the crime,
d. Players involves in these crimes, etc.
Thus, Cyber Forensics is required to be used by the following players of criminal justice system:
a. Investigation machinery- Statutory as well as non-statutory
b. Prosecution machinery, and
c. Adjudication machinery- Judicial, quasi-judicial or administrative.
d. Jurisdictional dilemma: The Internet is not subject to any territorial limits and none can claim any jurisdiction over a particular incidence. Thus, at times there is conflict of laws. The best way is to use the tool of Cyber Forensics as a “preventive measure” rather than using it for “curative purposes”.
The growing use of ICT for administration of all the spheres of our daily life cannot be ignored. Further, we also cannot ignore the need to secure the ICT infrastructures used for meeting these social functions. The threat from “malware” is not only apparent but also very worrisome. There cannot be a single solution to counter such threats. We need a techno-legal “harmonized law”. Neither pure law nor pure technology will be of any use. Firstly, a good combination of law and technology must be established and then an effort must be made to harmonies the laws of various countries keeping in mind common security standards. In the era of e-governance and e-commerce a lack of common security standards can create havoc for the global trade in goods and services. The tool of Cyber Forensics, which is not only preventive but also curative, can help a lot in establishing a much needed judicial administration system and security base.
Cost of Computer Security Breach
Many CEOs and CIOs are slow to invest in computer security because they do not know how to measure their Return on Investment (ROI). No one has shown them the actual costs associated with not investing in computer security. The objective of this paper is to provide the information security officer with objective data about the actual cost of computer security breaches to commercial companies. The information presented herein can be used as input into the ROI analyses to support security procurements.
How Cost Is Measured
In the commercial world, the cost of a cyber security breach is measured by both “tangibles” and “intangibles.” The tangibles can be calculated based on estimates of:
(a) Lost business, due to unavailability of the breached information resources
(b) Lost business, that can be traced directly to accounts fleeing to a “safer” environment
(c) Lost productivity of the non-IT staff, who have to work in a degraded mode, or not work at all, while the IT staff tries to contain and repair the breach
(d) Labor and material costs associated with the IT staff’s detection, containment, repair and reconstitution of the breached resources
(e) Labor costs of the IT staff and legal costs associated with the collection of forensic evidence and the prosecution of an attacker
(f) Public relations consulting costs, to prepare statements for the press, and answer customer questions
(g) Increases in insurance premiums
(h) Costs of defending the company in any liability suits resulting from the breached company’s failure to deliver assured information and services.
Not all of these tangible costs will occur with each breach; some will only occur with major, well-publicized breaches. The intangibles refer to costs that are difficult to calculate because they are not directly measurable, but are nevertheless very important for business. Many of these intangibles are related to a “loss of competitive advantage” that results from the breach. For example, a breach can affect an organization’s competitive edge through:
These methods may also be used for checking the authenticity, safety and security of one’s technological device, which has been primarily relied upon and trusted for providing the security to a particular organization. In fact, a society without protection in the form of “self help” cannot be visualized in the present electronic era.
Thus, we must concentrate upon securing our ICT and e-governance bases before we start encashing their benefits. The same can be effectively achieved if we give due importance to this fact while discussing, drafting and adopting policies decisions pertaining to ICT in general and e-governance in particular. The same is also important for an effective e-commerce base and an insecure and unsafe ICT base can be the biggest discouraging factor for a flourishing e-commerce business. The factors relevant for this situation are too numerous to be discussed in a single work. Thus, it would be better if we concentrate on each factor in a separate but coherent and holistic manner. The need of the hour is to set priority for a secure and safe electronic environment so that its benefits can be reaped to the maximum possible extent.
Prevalence of Cyber Crime
The prevalence of Cyber crime throughout the world has frustrated law enforcement agents and legislators alike. According to an article published in the American Criminal Law Review, at least half of all businesses in the United States alone have been the victims of cyber crime or some sort of security breach. Cyber Crime is such a detrimental type of offense not only because of the type of damage that it can do to individuals and businesses but also because of the costs involved in cyber crime. These costs are most often associated with the repair of a computer system or network. There are also costs associated with the compromise of data that often occurs. This is particularly costly because of the damage that it can do to the reputation of a business and organizations. Customers can become more apprehensive about shopping at a franchise that has experienced computer security problems or going to a bank that has been the victim of cyber crime. For this very reason, the article points out that some businesses and organizations that have been affected by Cyber Crime do not report breaches in security.
Cyber Crimes in India
India is on the verge of a technology revolution and the driving force behind the same is the acceptance and adoption of Information and Communication Technology (ICT) and its benefits. This technology revolution may, however, fail to bring the desired and much needed result if we do not adopt a sound and country oriented e-governance policy. A sound e-governance policy presupposes the existence of a sound and secure e-governance base as well. The security and safety of various ICT platforms and projects in India must be considered on a priority basis before any e-governance base is made fully functional. This presupposes the adoption and use of security measures more particularly empowering judiciary and law enforcement manpower with the knowledge and use of cyber forensics and digital evidencing.
Cyber Forensics and Its Need
The concepts of cyber security and cyber forensics are not only interrelated but also indispensably required for the success of each other. The former secures the ICT and e-governance base whereas the latter indicates the loopholes and limitations of the adopted measures to secure the base. The latter also becomes essential to punish the deviants so that a deterrent example can be set. There is, however, a problem regarding acquiring expertise in the latter aspect. This is so because though a computer can be secured even by a person with simple technical knowledge the ascertainment and preservation of the evidence is a tough task. For instance, one can install an anti-virus software, firewall, adjust security settings of the browser, etc but the same cannot be said about making a mirror copy of hard disk, extracting deleted files and documents, preserving logs of activities over internet, etc. Further one can understand the difficulty involved in the prosecution and presentation of a case before a court of law because it is very difficult to explain the evidence acquired to a not so techno savvy judge. The problem becomes more complicated in the absence of sufficient numbers of trained lawyers in this crucial field.
The Cyber Forensics has given new dimensions to the Criminal laws, especially the Evidence law. Electronic evidence and their collection and presentation have posed a challenge to the investigation agencies, prosecution agencies and judiciary. The scope of Cyber Forensics is no more confined to the investigation regime only but is expanding to other segments of justice administration system as well. The justice delivery system cannot afford to take the IT revolution lightly. The significance of cyber forensics emanates from this interface of justice delivery system with the Information Technology.
The growing use of IT has posed certain challenges before the justice delivery system that have to be met keeping in mind the contemporary IT revolution. The contemporary need of Cyber Forensics is essential for the following reasons:
(a) The traditional methods are inadequate: The law may be categorized as substantive and procedural. The substantive law fixes the liability whereas the procedural law provides the means and methods by which the substantive liability has to contended, analyzed and proved. The procedural aspects providing for the guilt establishment provisions were always there but their interface with the IT has almost created a deadlock in investigative and adjudicative mechanisms. The challenges posed by IT are peculiar to contemporary society and so must be their solution. The traditional procedural mechanisms, including forensic science methods, are neither applicable nor appropriate for this situation. Thus, “cyber forensics” is the need of the hour. India is the 12th country in the world that has its own “Cyber law” (IT Act, 2000). However, most of the people of India, including lawyers, judges, professors, etc, are not aware about its existence and use. The traditional forensic methods like finger impressions, DNA testing, blood and other tests, etc play a limited role in this arena.
(b) The changing face of crimes and criminals: The use of Internet has changed the entire platform of crime, criminal and their prosecution. This process involves crimes like hacking, pornography, privacy violations, spamming, phishing, pharming, identity theft, cyber terrorisms, etc. The modus operendi is different that makes it very difficult to trace the culprits. This is because of the anonymous nature of Internet. Besides, certain sites are available that provides sufficient technological measures to maintain secrecy. Similarly, various sites openly provide hacking and other tools to assist commission of various cyber crimes. The Internet is boundary less and that makes the investigation and punishment very difficult. These objects of criminal law will become a distant reality till we have cyber forensics to tackle them.
(c) The need of comparison: There is a dire need to compare the traditional crimes and criminals with the crimes and criminal in the IT environment. More specifically, the following must be the parameters of this comparison:
a. Nature of the crime
b. Manner/Methods of commission of the crime,
c. Purpose of the crime,
d. Players involves in these crimes, etc.
Thus, Cyber Forensics is required to be used by the following players of criminal justice system:
a. Investigation machinery- Statutory as well as non-statutory
b. Prosecution machinery, and
c. Adjudication machinery- Judicial, quasi-judicial or administrative.
d. Jurisdictional dilemma: The Internet is not subject to any territorial limits and none can claim any jurisdiction over a particular incidence. Thus, at times there is conflict of laws. The best way is to use the tool of Cyber Forensics as a “preventive measure” rather than using it for “curative purposes”.
The growing use of ICT for administration of all the spheres of our daily life cannot be ignored. Further, we also cannot ignore the need to secure the ICT infrastructures used for meeting these social functions. The threat from “malware” is not only apparent but also very worrisome. There cannot be a single solution to counter such threats. We need a techno-legal “harmonized law”. Neither pure law nor pure technology will be of any use. Firstly, a good combination of law and technology must be established and then an effort must be made to harmonies the laws of various countries keeping in mind common security standards. In the era of e-governance and e-commerce a lack of common security standards can create havoc for the global trade in goods and services. The tool of Cyber Forensics, which is not only preventive but also curative, can help a lot in establishing a much needed judicial administration system and security base.
Cost of Computer Security Breach
Many CEOs and CIOs are slow to invest in computer security because they do not know how to measure their Return on Investment (ROI). No one has shown them the actual costs associated with not investing in computer security. The objective of this paper is to provide the information security officer with objective data about the actual cost of computer security breaches to commercial companies. The information presented herein can be used as input into the ROI analyses to support security procurements.
How Cost Is Measured
In the commercial world, the cost of a cyber security breach is measured by both “tangibles” and “intangibles.” The tangibles can be calculated based on estimates of:
(a) Lost business, due to unavailability of the breached information resources
(b) Lost business, that can be traced directly to accounts fleeing to a “safer” environment
(c) Lost productivity of the non-IT staff, who have to work in a degraded mode, or not work at all, while the IT staff tries to contain and repair the breach
(d) Labor and material costs associated with the IT staff’s detection, containment, repair and reconstitution of the breached resources
(e) Labor costs of the IT staff and legal costs associated with the collection of forensic evidence and the prosecution of an attacker
(f) Public relations consulting costs, to prepare statements for the press, and answer customer questions
(g) Increases in insurance premiums
(h) Costs of defending the company in any liability suits resulting from the breached company’s failure to deliver assured information and services.
Not all of these tangible costs will occur with each breach; some will only occur with major, well-publicized breaches. The intangibles refer to costs that are difficult to calculate because they are not directly measurable, but are nevertheless very important for business. Many of these intangibles are related to a “loss of competitive advantage” that results from the breach. For example, a breach can affect an organization’s competitive edge through:
(a) Customers’ loss of trust in the
organization
(b) Failure to win new accounts due to bad press associated with the breach
(c) Competitor’s access to confidential or proprietary information.
Even the military environment has similar cost issues. In the military, the tangible costs are measured in human lives, replacement costs of equipment, and prolonged military operations. The intangibles would include loss of tactical advantage, loss of international prestige, and impaired negotiating positions.
Hypothetical Examples of the Cost Impact of Security Breaches
Forrester Research1 estimated the tangible and intangible costs of computer security breaches in three hypothetical situations. Their analysis indicated that, if thieves were to illegally wire $1 million from an on-line bank, the cost impact to the bank would be $106 million. They also estimated that, in the hypothetical situation that cyber techniques are used to divert a week’s worth of tires from an auto manufacturer; the auto manufacturer would sustain losses of $21 million. Finally, they estimated that if a law firm were to lose significant confidential information, the impact would be almost $35 million. Does this sound unrealistic? Remember, that Forrester used both tangibles and intangibles in their estimates, including the loss of confidential information and reputation. The sections below present the results of analyses of real world cost impacts of cyber events, using largely tangible costs as the means of estimating impact.
Real World Examples of Cost Impacts
Cost Impacts on Individual Companies
In December, 1998 Ingram Micro, a PC wholesaler, had to shut down its main data center in Tucson, Arizona due to an electrical short. While the reason for the shutdown was not a security breach, the loss of Ingram’s Internet business and electronic transactions from 8:00 AM to 4:00 PM mimicked what could happen with a Distributed Denial of Service (DDOS) attack or a major intrusion. As a result of its one day of lost sales and system repairs, Ingram estimates that it lost a staggering $3.2 million. This figure is comparable to Forrester’s projection of a $21 million loss for an auto manufacturer who is unable to get tires for a week. To estimate the cost impact of the types of breaches that happen daily to companies, one can turn to the annual surveys of the Computer Security Institute (CSI) and the FBI. For the past five years, the CSI-FBI “Computer Crime and Security Survey” has been a major source of information on the frequency and impact of computer security breaches, through their polling of commercial, non-profit, and government organizations. Their Year 2000 report was based on a survey of 643 information security professionals from organizations throughout the United States. Typically, the respondents represent organizations that have already made some commitment to computer security. In the 1999 survey, 91% of the respondents had firewalls, 42% had intrusion detection systems, and 34% were using digital certificates in their companies. Of the 643 respondents in the year 2000, 90% had detected cyber attacks on their organizations; and 74% reported financial losses associated with those attacks. Of the total sample of respondents, 42% (273 people) were able to quantify their exact losses, which totaled $265,589,940, or $972,857 cost impact per organization across all types of breaches.
(b) Failure to win new accounts due to bad press associated with the breach
(c) Competitor’s access to confidential or proprietary information.
Even the military environment has similar cost issues. In the military, the tangible costs are measured in human lives, replacement costs of equipment, and prolonged military operations. The intangibles would include loss of tactical advantage, loss of international prestige, and impaired negotiating positions.
Hypothetical Examples of the Cost Impact of Security Breaches
Forrester Research1 estimated the tangible and intangible costs of computer security breaches in three hypothetical situations. Their analysis indicated that, if thieves were to illegally wire $1 million from an on-line bank, the cost impact to the bank would be $106 million. They also estimated that, in the hypothetical situation that cyber techniques are used to divert a week’s worth of tires from an auto manufacturer; the auto manufacturer would sustain losses of $21 million. Finally, they estimated that if a law firm were to lose significant confidential information, the impact would be almost $35 million. Does this sound unrealistic? Remember, that Forrester used both tangibles and intangibles in their estimates, including the loss of confidential information and reputation. The sections below present the results of analyses of real world cost impacts of cyber events, using largely tangible costs as the means of estimating impact.
Real World Examples of Cost Impacts
Cost Impacts on Individual Companies
In December, 1998 Ingram Micro, a PC wholesaler, had to shut down its main data center in Tucson, Arizona due to an electrical short. While the reason for the shutdown was not a security breach, the loss of Ingram’s Internet business and electronic transactions from 8:00 AM to 4:00 PM mimicked what could happen with a Distributed Denial of Service (DDOS) attack or a major intrusion. As a result of its one day of lost sales and system repairs, Ingram estimates that it lost a staggering $3.2 million. This figure is comparable to Forrester’s projection of a $21 million loss for an auto manufacturer who is unable to get tires for a week. To estimate the cost impact of the types of breaches that happen daily to companies, one can turn to the annual surveys of the Computer Security Institute (CSI) and the FBI. For the past five years, the CSI-FBI “Computer Crime and Security Survey” has been a major source of information on the frequency and impact of computer security breaches, through their polling of commercial, non-profit, and government organizations. Their Year 2000 report was based on a survey of 643 information security professionals from organizations throughout the United States. Typically, the respondents represent organizations that have already made some commitment to computer security. In the 1999 survey, 91% of the respondents had firewalls, 42% had intrusion detection systems, and 34% were using digital certificates in their companies. Of the 643 respondents in the year 2000, 90% had detected cyber attacks on their organizations; and 74% reported financial losses associated with those attacks. Of the total sample of respondents, 42% (273 people) were able to quantify their exact losses, which totaled $265,589,940, or $972,857 cost impact per organization across all types of breaches.
The highest impact came from theft of proprietary information, reported by 66 people. Their total losses came to $66,708,000 or $1,010,727 cost impact per organization for theft of proprietary information. While this may seem like a lot, the average cost impact of theft of proprietary information in their 1999 survey was even greater -- $1,847,652. The sabotage of data or networks was reported by 61 respondents, for a total loss of $27,148,000 or an average loss of $445,049 per organization. This loss was significantly higher than the 1999 average loss of $163,740 associated with sabotage. While these estimates are presumably based on tangible costs to the company, one can infer that the respondents are very aware of and sensitive to the intangible costs of a tarnished reputation that could result from media treatment of security breaches. I base this conclusion, on some interesting data in the 1999 survey. In 1999, 48% of those respondents who had been subjected to an intrusion did not report it. Among the most important reasons cited for their decision not to report those breaches were the fear of negative publicity and the use of the information by competitors.
Cost Impacts across Industries
Some research and consulting firms such as Computer Economics (www.computereconomics.com) measure the impact of computer breaches across several companies or industries. Computer Economics5 has estimated that in 1999 businesses around the globe spent $12.1 billion to combat the effect of computer viruses. Their estimate was based on tangibles such as lost productivity, network down time, and expenses incurred to get rid of the virus infections. The ILOVEYOU virus and its copycats have also been studied for their financial impacts across industries. According to Computer Economics the ILOVEYOU virus and its variants caused $6.7 billion in damage in the first five days.
The FBI, in their testimony before the Senate Subcommittee on Technology, Terrorism and Government Information, cites the Yankee Group’s estimate that industries around the world lost $1.2 billion to the DDOS attacks on e-commerce in February 2000. Their estimate was based on lost capitalization, lost revenues and the costs of security upgrades.
The Cost of Piracy
A different form of security breach – software piracy – also has a cost impact across the software industry. International Planning and Research, an independent research firm, estimated that software vendors lost $12.2 billion 1999 due to software piracy. They estimate that one out of three pieces of software used by businesses around the world is pirated copies.
The financial impact of computer security breaches has been quantified by several sources. The best estimate of the impact of security breaches on a single organization can be found in the CSI-FBI survey of over 600 organizations. They concluded that the average cost impact of security breaches on each organization is over $972,000 per year.
Hacking Technique, How Hackers Do It
Every day, hackers compromise systems using these attacks. Being aware of how these attacks are performed, you can raise awareness within your organization for the importance of building and maintaining secure systems.
Many organizations make the mistake of addressing security only during installation, and then never revisit it. Maintaining security is an ongoing process, and it is something that must be reviewed and revisited periodically. Using the information in this article, you can try hacking into your organization’s datacenter, high-end server, or other system to determine where basic attacks would succeed. Then, you can address security weaknesses to prevent unauthorized users from attacking the system.
Tricks
A trick is a “mean crafty procedure or practice...designed to deceive, delude, or defraud.” Hackers use tricks to find short cuts for gaining unauthorized access to systems. They may use their access for illegal or destructive purposes, or they may simply be testing their own skills to see if they can perform a task. Given that most hackers are motivated by curiosity and have time to try endless attacks, the probability is high that eventually they do find a sophisticated method to gain access to just about any environment. However, these aren’t the types of attacks we address in this article, because most successful intrusions are accomplished through well-known and well-documented security vulnerabilities that either haven’t been patched, disabled, or otherwise dealt with. These vulnerabilities are exploited every day and shouldn’t be.
Finding Access Vulnerabilities
What generally happens is that an advanced or elite hacker writes a scanning tool that looks for well-known vulnerabilities, and the elite hacker makes it available over the Internet. Less experienced hackers, commonly called “script kiddies,” then run the scanning tool 24 x 7, scanning large numbers of systems and finding many systems that are vulnerable. They typically run the tool against the name-spaces associated with companies they would like to get into.
The script kiddies use a list of vulnerable IP addresses to launch attacks, based on the vulnerabilities advertised by a machine, to gain access to systems. Depending on the vulnerability, an attacker may be able to create either a privileged or non privileged account. Regardless, the attacker uses this initial entry (also referred to as a “toe-hold”) in the system to gain additional privileges and exploit the systems the penetrated system has trust relationships with, shares information with, is on the same network with, and so on.
Once a toe-hold is established on a system, the attacker can run scanning tools against all the systems connected to the penetrated system. Depending on the system compromised, these scans can run inside an organization’s network.
Finding Operating System Vulnerabilities
As mentioned previously, hackers first look for vulnerabilities to gain access. Then they look for operating system (OS) vulnerabilities and for scanning tools that report on those vulnerabilities.
Finding vulnerabilities specific to an OS is as easy as typing in a URL address and clicking on the appropriate link. There are many organizations that provide “full disclosure” information. Full disclosure is the practice of providing all information to the public domain so that it isn’t known only to the hacker community.
Attacking Solaris OE Vulnerabilities
Let’s use Solaris 2.6 OE as an example. A well-known vulnerability, for which patches are available, is the sadmind exploit. Hackers frequently use this vulnerability to gain root access on Solaris 2.6 OE systems. Using only a search engine and the CVE number, found by searching through the Mitre site listed previously, it is possible to find the source code and detailed instructions on how to use it. The entire process takes only a few minutes. The hacker finds the source code on the Security Focus web site and finds detailed instructions on the SANS site.
Tools
Hackers use a variety of tools to attack a system. Each of the tools we cover in this article has distinct capabilities. We describe the most popular tools from each of the following categories:
(a) Port scanners
(b) Vulnerability scanners
(c) Rootkits
(d) Sniffers
Port scanners are probably the most commonly used scanning tools on the Internet. These tools scan large IP spaces and report on the systems they encounter, the ports available and other information, such as OS types. The most popular port scanner is Network Mapper (Nmap).The Nmap port scanner is described as follows on the Nmap web site:
Nmap (“Network Mapper”) is an open source utility for network exploration or security auditing. It was designed to rapidly scan large networks, although it works fine against single hosts. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (ports) they are offering, what operating system (and OS version) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. Nmap runs on most types of computers, and both console and graphical versions are available. Nmap is free software, available with full source code under the terms of the GNU GPL3.
Nmap is an excellent security tool because it allows you to determine which services are being offered by a system. Because Nmap is optimized to scan large IP ranges, it can be run against all IP addresses used by an organization, or all cable modem IP addresses provided by an organization. After using Nmap to find machines and identify their services, you can run the Nessus vulnerability scanner against the vulnerable machines.
Nmap supports an impressive array of scan types that permit everything from TCP SYN (half open) to Null scan sweeps. Additional options include OS fingerprinting, parallel scan, and decoy scanning, to name a few. Nmap supports a graphical version through xnmap. For more information about Nmap,
Vulnerability Scanners
This section describes tools available for scanning vulnerable systems. Vulnerability scanners look for a specific vulnerability or scan a system for all potential vulnerabilities. Vulnerability tools are freely available. We focus on the most popular and best-maintained vulnerability scanner available, Nessus. The Nessus vulnerability tool is described on the Nessus web site:
The “Nessus” Project aims to provide to the Internet community a free, powerful, up-to-date and easy to use remote security scanner. A security scanner is a software which will remotely audit a given network and determine whether bad guys (aka ‘crackers’) may break into it, or misuse it in some way. Unlike many other security scanners, Nessus does not take anything for granted. That is, it will not consider that a given service is running on a fixed port—that is, if you run your web server on port 1234, Nessus will detect it and test its security. It will not make its security tests regarding the version number of the remote services, but will really attempt to exploit the vulnerability. Nessus is very fast, reliable and has a modular architecture that allows you to fit it to your needs.
Nessus provides administrators and hackers alike with a tool to scan systems and evaluate vulnerabilities present in services offered by that system. Through both its command line and GUI-based client, Nessus provides capabilities that are invaluable. Running Nessus is much more convenient in its GUI mode. For more information about Nessus, refer to their web site.
Rootkits
The term rootkit describes a set of scripts and executables packaged together that allow intruders to hide any evidence that they gained root access to a system. Some of the tasks performed by a rootkit are as follows:
(a) Modify system log files to remove evidence of an intruder’s activities.
(b) Modify system tools to make detection of an intruder’s modifications more difficult.
(c) Create hidden back-door access points in the system.
(d) Use the system as a launch point for attacks against other networked systems.
Sniffers
Network sniffing, or just “sniffing,” is using a computer to read all network traffic, of which some may not be destined for that system. To perform sniffing, a network interface must be put into promiscuous mode so that it forwards, to the application layer, all network traffic, not just network traffic destined for it.
The Solaris OE includes a tool called snoop that can capture and display all network traffic seen by a network interface on the system. While being relatively primitive, this tool can quite effectively gather clear-text user IDs and passwords passing over a network. Many popular protocols in use today such as Telnet, FTP, IMAP, and POP-3 do not encrypt their user authentication and identification information. Once a system is accessed, an intruder typically installs a network sniffer on the system to gain additional user ID and password information, to gather information about how the network is constructed, and to learn.
Techniques
In this section, we describe two different attack scenarios to demonstrate how easily a hacker can gain access to an unsecured system. These successful attacks simulate the following scenarios:
(a) Attacks from the Internet
(b) Attacks from employees
In both attack scenarios, after the hacker establishes a root account, the hacker wants to maintain access to the system and establish additional privileges to access the rest of the environment. We correlate the tools that the hacker uses to find vulnerabilities, gain access, and establish additional privileges.
Attacks From the Internet
In this scenario, a hacker uses the Nessus vulnerability scanner to locate a system running Solaris 2.6 OE that has not been protected from the sadmind remote procedure call (RPC) service vulnerability. Let’s see how the sadmind exploit works against the victim system. After the hacker gains access, the hacker uses a rootkit to gain and maintain root access. The header of the sadminindex.c program provides the following information on its usage: The author of the sadmindex program made things even easier by providing example stack pointer values. Some tinkering with the sp value was necessary in this example to get the exploit to work; however, it didn’t take much trial and error because the next offset tried was 0xefff9588.
Attacks From Employees
In this scenario, an employee has user access privileges to the system, however, the employee is not authorized to have root access privileges. This scenario is very common. It usually occurs when accounts are left logged on and systems are insecure, thus providing an intruding employee the opportunity to perform unauthorized actions. The ability of malicious internal users to gain additional privileges on Solaris OE systems is a very real security issue. Unfortunately, it is frequently overlooked or ignored by administrators and managers who say, “That could never happen here” or “We have to trust all of our employees.” Serious security incidents occur in situations like these.
Most systems have different types of users. Authorized individuals are systems administrators, operators, database administrators, hardware technicians, and so forth. Each class of user has permissions and privileges defined by user ID and group IDs on the system. Most of these users do not have a root password or permission to use it.
Once on a system, malicious users and intruders can use buffer overflow attacks to gain root privileges. For example, on August 10th, 2001, a buffer overflow against xlock was released. (The xlock executable is a utility for locking X-windows displays.) This utility is useful to attack because it is installed with the setuid root command, due to its need to authorize access to the display when it is locked. A quick search through a few web sites provides the sample source code, which only has 131 lines of code.
Now that the attacker has root privileges on the system, it is easy to use a sniffer, install back doors, maintain and gain additional access privileges using rootkits, and perform tricks and subsequent attacks.
Future of Cyber Crime and Conclusion
What's in the future for Internet Crime and Punishment? With every new avenue opening up on the Internet, comes more possibilities for criminal intent. The difference now and in the future is, technology and human services are now in place or coming into place, to make these individuals or organizations accountable for their actions. Laws and punishments for even the smallest Internet crimes are now on the books, or in the process of being created. Make no mistake; once something is on the Internet, it is fact. It is traceable and punishable. No matter how hard someone tries to cover it up, erase it or disassociate from their actions, once the footprint is made, it can't be unmade. Somewhere there is a way to track that footprint. Law enforcement across the globe will enforce it.
The Internet has not only drawn people together, it has drawn international crime fighting agencies together in a common purpose. The Internet is not a free playground anymore. It is a global arena. Internet crime will take the punch.
Source: Cyber Laws In India