Information technology is a double-edged sword that can be used for destructive as well as constructive work. Thus, the fate of many ventures depends upon the benign or malicious intentions, as the case may be, of the person dealing with and using the technology. For instance, a malicious intention carried out in the form of hacking, data theft, virus attack, etc. can bring only destructive results, unless these methods are used for checking the authenticity, safety and security of the technological device on which an organization primarily relies and trusts for its security. For instance, the creator of the “Sasser worm” was hired as a “security software programmer” by a German firm, so that he could make firewalls that stop suspected files from entering computer systems.

These methods may also be used for checking the authenticity, safety and security of one’s own technological devices, which have been relied upon and trusted to provide security to a particular organization. In fact, a society without protection in the form of “self help” cannot be visualized in the present electronic era.

Thus, we must concentrate upon securing our ICT and e-governance bases before we start cashing in on their benefits. This can be effectively achieved if we give due importance to this fact while discussing, drafting and adopting policy decisions pertaining to ICT in general and e-governance in particular. The same is also important for an effective e-commerce base, and an insecure and unsafe ICT base can be the biggest discouraging factor for a flourishing e-commerce business. The factors relevant to this situation are too numerous to be discussed in a single work. Thus, it is better to concentrate on each factor in a separate but coherent and holistic manner. The need of the hour is to set priority for a secure and safe electronic environment so that its benefits can be reaped to the maximum possible extent.

Prevalence of Cyber Crime

The prevalence of cyber crime throughout the world has frustrated law enforcement agents and legislators alike. According to an article published in the American Criminal Law Review, at least half of all businesses in the United States alone have been the victims of cyber crime or some sort of security breach. Cyber crime is such a detrimental type of offense not only because of the type of damage that it can do to individuals and businesses but also because of the costs involved in cyber crime. These costs are most often associated with the repair of a computer system or network. There are also costs associated with the compromise of data that often occurs. This is particularly costly because of the damage that it can do to the reputation of a business or organization. Customers can become more apprehensive about shopping at a franchise that has experienced computer security problems or going to a bank that has been the victim of cyber crime. For this very reason, the article points out that some businesses and organizations that have been affected by cyber crime do not report breaches in security.

Cyber Crimes in India

India is on the verge of a technology revolution and the driving force behind it is the acceptance and adoption of Information and Communication Technology (ICT) and its benefits. This technology revolution may, however, fail to bring the desired and much needed result if we do not adopt a sound and country-oriented e-governance policy. A sound e-governance policy presupposes the existence of a sound and secure e-governance base as well. The security and safety of various ICT platforms and projects in India must be considered on a priority basis before any e-governance base is made fully functional. This presupposes the adoption and use of security measures, more particularly empowering the judiciary and law enforcement manpower with the knowledge and use of cyber forensics and digital evidencing.

Cyber Forensics and Its Need

The concepts of cyber security and cyber forensics are not only interrelated but also indispensably required for the success of each other. The former secures the ICT and e-governance base, whereas the latter indicates the loopholes and limitations of the measures adopted to secure the base. The latter also becomes essential to punish the deviants so that a deterrent example can be set. There is, however, a problem regarding acquiring expertise in the latter aspect. This is so because, though a computer can be secured even by a person with simple technical knowledge, the ascertainment and preservation of evidence is a tough task. For instance, one can install anti-virus software and a firewall, adjust the security settings of the browser, etc., but the same cannot be said about making a mirror copy of a hard disk, extracting deleted files and documents, preserving logs of activities over the Internet, etc. Further, one can understand the difficulty involved in the prosecution and presentation of a case before a court of law, because it is very difficult to explain the evidence acquired to a not so techno-savvy judge. The problem becomes more complicated in the absence of sufficient numbers of trained lawyers in this crucial field.
Cyber forensics has given new dimensions to the criminal laws, especially the law of evidence. Electronic evidence and its collection and presentation have posed a challenge to the investigation agencies, prosecution agencies and judiciary. The scope of cyber forensics is no longer confined to the investigation regime only but is expanding to other segments of the justice administration system as well. The justice delivery system cannot afford to take the IT revolution lightly. The significance of cyber forensics emanates from this interface of the justice delivery system with Information Technology.

The growing use of IT has posed certain challenges before the justice delivery system that have to be met keeping in mind the contemporary IT revolution. The contemporary need for cyber forensics is essential for the following reasons:
(a) The traditional methods are inadequate: The law may be categorized as substantive and procedural. The substantive law fixes the liability, whereas the procedural law provides the means and methods by which the substantive liability has to be contended, analyzed and proved. The procedural provisions for establishing guilt were always there, but their interface with IT has almost created a deadlock in investigative and adjudicative mechanisms. The challenges posed by IT are peculiar to contemporary society, and so must be their solution. The traditional procedural mechanisms, including forensic science methods, are neither applicable nor appropriate for this situation. Thus, “cyber forensics” is the need of the hour. India is the 12th country in the world that has its own “Cyber law” (IT Act, 2000). However, most of the people of India, including lawyers, judges, professors, etc., are not aware of its existence and use. The traditional forensic methods like finger impressions, DNA testing, blood and other tests, etc. play a limited role in this arena.
(b) The changing face of crimes and criminals: The use of the Internet has changed the entire platform of crime, criminals and their prosecution. This process involves crimes like hacking, pornography, privacy violations, spamming, phishing, pharming, identity theft, cyber terrorism, etc. The modus operandi is different, which makes it very difficult to trace the culprits. This is because of the anonymous nature of the Internet. Besides, certain sites are available that provide sufficient technological measures to maintain secrecy. Similarly, various sites openly provide hacking and other tools to assist the commission of various cyber crimes. The Internet is boundaryless, and that makes investigation and punishment very difficult. These objects of criminal law will remain a distant reality until we have cyber forensics to tackle them.
(c) The need of comparison: There is a dire need to compare traditional crimes and criminals with the crimes and criminals of the IT environment. More specifically, the following must be the parameters of this comparison:

a. Nature of the crime,
b. Manner/methods of commission of the crime,
c. Purpose of the crime,
d. Players involved in these crimes, etc.

Thus, cyber forensics is required to be used by the following players of the criminal justice system:

a. Investigation machinery: statutory as well as non-statutory,
b. Prosecution machinery, and
c. Adjudication machinery: judicial, quasi-judicial or administrative.

(d) Jurisdictional dilemma: The Internet is not subject to any territorial limits, and none can claim jurisdiction over a particular incident. Thus, at times there is a conflict of laws. The best way is to use the tool of cyber forensics as a “preventive measure” rather than for “curative purposes”.
The growing use of ICT for the administration of all spheres of our daily life cannot be ignored. Further, we also cannot ignore the need to secure the ICT infrastructures used for meeting these social functions. The threat from “malware” is not only apparent but also very worrisome. There cannot be a single solution to counter such threats. We need a techno-legal “harmonized law”. Neither pure law nor pure technology will be of any use. Firstly, a good combination of law and technology must be established, and then an effort must be made to harmonize the laws of various countries keeping in mind common security standards. In the era of e-governance and e-commerce, a lack of common security standards can create havoc for the global trade in goods and services. The tool of cyber forensics, which is not only preventive but also curative, can help a lot in establishing a much needed judicial administration system and security base.

Cost of Computer Security Breach

Many CEOs and CIOs are slow to invest in computer security because they do not know how to measure their Return on Investment (ROI). No one has shown them the actual costs associated with not investing in computer security. The objective of this paper is to provide the information security officer with objective data about the actual cost of computer security breaches to commercial companies. The information presented herein can be used as input into the ROI analyses to support security procurements.

How Cost Is Measured

In the commercial world, the cost of a cyber security breach is measured by both “tangibles” and “intangibles.” The tangibles can be calculated based on estimates of:

(a) Lost business, due to unavailability of the breached information resources
(b) Lost business that can be traced directly to accounts fleeing to a “safer” environment
(c) Lost productivity of the non-IT staff, who have to work in a degraded mode, or not work at all, while the IT staff tries to contain and repair the breach
(d) Labor and material costs associated with the IT staff’s detection, containment, repair and reconstitution of the breached resources
(e) Labor costs of the IT staff and legal costs associated with the collection of forensic evidence and the prosecution of an attacker
(f) Public relations consulting costs, to prepare statements for the press and answer customer questions
(g) Increases in insurance premiums
(h) Costs of defending the company in any liability suits resulting from the breached company’s failure to deliver assured information and services.

Not all of these tangible costs will occur with each breach; some will only occur with major, well-publicized breaches. The intangibles refer to costs that are difficult to calculate because they are not directly measurable, but are nevertheless very important for business. Many of these intangibles are related to a “loss of competitive advantage” that results from the breach. For example, a breach can affect an organization’s competitive edge through:

(a) Customers’ loss of trust in the organization
(b) Failure to win new accounts due to bad press associated with the breach
(c) Competitors’ access to confidential or proprietary information.

Even the military environment has similar cost issues. In the military, the tangible costs are measured in human lives, replacement costs of equipment, and prolonged military operations. The intangibles would include loss of tactical advantage, loss of international prestige, and impaired negotiating positions.

Hypothetical Examples of the Cost Impact of Security Breaches

Forrester Research [1] estimated the tangible and intangible costs of computer security breaches in three hypothetical situations. Their analysis indicated that, if thieves were to illegally wire $1 million from an on-line bank, the cost impact to the bank would be $106 million. They also estimated that, in the hypothetical situation that cyber techniques are used to divert a week’s worth of tires from an auto manufacturer, the auto manufacturer would sustain losses of $21 million. Finally, they estimated that if a law firm were to lose significant confidential information, the impact would be almost $35 million. Does this sound unrealistic? Remember that Forrester used both tangibles and intangibles in their estimates, including the loss of confidential information and reputation. The sections below present the results of analyses of real world cost impacts of cyber events, using largely tangible costs as the means of estimating impact.

Real World Examples of Cost Impacts

Cost Impacts on Individual Companies

In December 1998 Ingram Micro, a PC wholesaler, had to shut down its main data center in Tucson, Arizona due to an electrical short. While the reason for the shutdown was not a security breach, the loss of Ingram’s Internet business and electronic transactions from 8:00 AM to 4:00 PM mimicked what could happen with a Distributed Denial of Service (DDoS) attack or a major intrusion. As a result of its one day of lost sales and system repairs, Ingram estimates that it lost a staggering $3.2 million. This figure is comparable to Forrester’s projection of a $21 million loss for an auto manufacturer unable to get tires for a week.

To estimate the cost impact of the types of breaches that happen daily to companies, one can turn to the annual surveys of the Computer Security Institute (CSI) and the FBI. For the past five years, the CSI-FBI “Computer Crime and Security Survey” has been a major source of information on the frequency and impact of computer security breaches, through their polling of commercial, non-profit, and government organizations. Their Year 2000 report was based on a survey of 643 information security professionals from organizations throughout the United States. Typically, the respondents represent organizations that have already made some commitment to computer security. In the 1999 survey, 91% of the respondents had firewalls, 42% had intrusion detection systems, and 34% were using digital certificates in their companies. Of the 643 respondents in the year 2000, 90% had detected cyber attacks on their organizations, and 74% reported financial losses associated with those attacks. Of the total sample of respondents, 42% (273 people) were able to quantify their exact losses, which totaled $265,589,940, or $972,857 cost impact per organization across all types of breaches.

The highest impact came from theft of proprietary information, reported by 66 people. Their total losses came to $66,708,000, or $1,010,727 cost impact per organization for theft of proprietary information. While this may seem like a lot, the average cost impact of theft of proprietary information in their 1999 survey was even greater: $1,847,652. The sabotage of data or networks was reported by 61 respondents, for a total loss of $27,148,000, or an average loss of $445,049 per organization. This loss was significantly higher than the 1999 average loss of $163,740 associated with sabotage. While these estimates are presumably based on tangible costs to the company, one can infer that the respondents are very aware of and sensitive to the intangible costs of a tarnished reputation that could result from media treatment of security breaches. I base this conclusion on some interesting data in the 1999 survey. In 1999, 48% of those respondents who had been subjected to an intrusion did not report it. Among the most important reasons cited for their decision not to report those breaches were the fear of negative publicity and the use of the information by competitors.

Cost Impacts across Industries

Some research and consulting firms such as Computer Economics (www.computereconomics.com) measure the impact of computer breaches across several companies or industries. Computer Economics [5] has estimated that in 1999 businesses around the globe spent $12.1 billion to combat the effect of computer viruses. Their estimate was based on tangibles such as lost productivity, network down time, and expenses incurred to get rid of the virus infections. The ILOVEYOU virus and its copycats have also been studied for their financial impacts across industries. According to Computer Economics, the ILOVEYOU virus and its variants caused $6.7 billion in damage in the first five days.

The FBI, in their testimony before the Senate Subcommittee on Technology, Terrorism and Government Information, cites the Yankee Group’s estimate that industries around the world lost $1.2 billion to the DDoS attacks on e-commerce in February 2000. Their estimate was based on lost capitalization, lost revenues and the costs of security upgrades.

The Cost of Piracy

A different form of security breach, software piracy, also has a cost impact across the software industry. International Planning and Research, an independent research firm, estimated that software vendors lost $12.2 billion in 1999 due to software piracy. They estimate that one out of three pieces of software used by businesses around the world is a pirated copy.

The financial impact of computer security breaches has been quantified by several sources. The best estimate of the impact of security breaches on a single organization can be found in the CSI-FBI survey of over 600 organizations. They concluded that the average cost impact of security breaches on each organization is over $972,000 per year.

Hacking Technique: How Hackers Do It

Every day, hackers compromise systems using the attacks described below. By being aware of how these attacks are performed, you can raise awareness within your organization of the importance of building and maintaining secure systems.

Many organizations make the mistake of addressing security only during installation and then never revisiting it. Maintaining security is an ongoing process, and it is something that must be reviewed and revisited periodically. Using the information in this article, you can try hacking into your organization’s datacenter, high-end server, or other system to determine where basic attacks would succeed. Then, you can address security weaknesses to prevent unauthorized users from attacking the system.

Tricks

A trick is a “mean crafty procedure or practice...designed to deceive, delude, or defraud.” Hackers use tricks to find short cuts for gaining unauthorized access to systems. They may use their access for illegal or destructive purposes, or they may simply be testing their own skills to see if they can perform a task. Given that most hackers are motivated by curiosity and have time to try endless attacks, the probability is high that eventually they do find a sophisticated method to gain access to just about any environment. However, these aren’t the types of attacks we address in this article, because most successful intrusions are accomplished through well-known and well-documented security vulnerabilities that haven’t been patched, disabled, or otherwise dealt with. These vulnerabilities are exploited every day and shouldn’t be.

Finding Access Vulnerabilities

What generally happens is that an advanced or elite hacker writes a scanning tool that looks for well-known vulnerabilities, and the elite hacker makes it available over the Internet. Less experienced hackers, commonly called “script kiddies,” then run the scanning tool 24 x 7, scanning large numbers of systems and finding many systems that are vulnerable. They typically run the tool against the name-spaces associated with companies they would like to get into.

The script kiddies use a list of vulnerable IP addresses to launch attacks, based on the vulnerabilities advertised by a machine, to gain access to systems. Depending on the vulnerability, an attacker may be able to create either a privileged or non-privileged account. Regardless, the attacker uses this initial entry (also referred to as a “toe-hold”) in the system to gain additional privileges and exploit the systems the penetrated system has trust relationships with, shares information with, is on the same network with, and so on.

Once a toe-hold is established on a system, the attacker can run scanning tools against all the systems connected to the penetrated system. Depending on the system compromised, these scans can run inside an organization’s network.

Finding Operating System Vulnerabilities

As mentioned previously, hackers first look for vulnerabilities to gain access. Then they look for operating system (OS) vulnerabilities and for scanning tools that report on those vulnerabilities.

Finding vulnerabilities specific to an OS is as easy as typing in a URL address and clicking on the appropriate link. There are many organizations that provide “full disclosure” information. Full disclosure is the practice of providing all information to the public domain so that it isn’t known only to the hacker community.

Attacking Solaris OE Vulnerabilities

Let’s use Solaris 2.6 OE as an example. A well-known vulnerability, for which patches are available, is the sadmind exploit. Hackers frequently use this vulnerability to gain root access on Solaris 2.6 OE systems. Using only a search engine and the CVE number, found by searching through the Mitre site listed previously, it is possible to find the source code and detailed instructions on how to use it. The entire process takes only a few minutes. The hacker finds the source code on the Security Focus web site and finds detailed instructions on the SANS site.

Tools

Hackers use a variety of tools to attack a system. Each of the tools we cover in this article has distinct capabilities. We describe the most popular tools from each of the following categories:

(a) Port scanners
(b) Vulnerability scanners
(c) Rootkits
(d) Sniffers

Port scanners are probably the most commonly used scanning tools on the Internet. These tools scan large IP spaces and report on the systems they encounter, the ports available and other information, such as OS types. The most popular port scanner is Network Mapper (Nmap). The Nmap port scanner is described as follows on the Nmap web site:

Nmap (“Network Mapper”) is an open source utility for network exploration or security auditing. It was designed to rapidly scan large networks, although it works fine against single hosts. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (ports) they are offering, what operating system (and OS version) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. Nmap runs on most types of computers, and both console and graphical versions are available. Nmap is free software, available with full source code under the terms of the GNU GPL [3].

Nmap is an excellent security tool because it allows you to determine which services are being offered by a system. Because Nmap is optimized to scan large IP ranges, it can be run against all IP addresses used by an organization, or all cable modem IP addresses provided by an organization. After using Nmap to find machines and identify their services, you can run the Nessus vulnerability scanner against the vulnerable machines.

Nmap supports an impressive array of scan types that permit everything from TCP SYN (half open) to Null scan sweeps. Additional options include OS fingerprinting, parallel scan, and decoy scanning, to name a few. Nmap supports a graphical version through xnmap. For more information about Nmap,

Vulnerability Scanners

This section describes tools available for scanning vulnerable systems. Vulnerability scanners look for a specific vulnerability or scan a system for all potential vulnerabilities. Vulnerability tools are freely available. We focus on the most popular and best-maintained vulnerability scanner available, Nessus. The Nessus vulnerability tool is described on the Nessus web site:

The “Nessus” Project aims to provide to the Internet community a free, powerful, up-to-date and easy to use remote security scanner. A security scanner is software which will remotely audit a given network and determine whether bad guys (aka ‘crackers’) may break into it, or misuse it in some way. Unlike many other security scanners, Nessus does not take anything for granted. That is, it will not consider that a given service is running on a fixed port—that is, if you run your web server on port 1234, Nessus will detect it and test its security. It will not make its security tests regarding the version number of the remote services, but will really attempt to exploit the vulnerability. Nessus is very fast, reliable and has a modular architecture that allows you to fit it to your needs.

Nessus provides administrators and hackers alike with a tool to scan systems and evaluate vulnerabilities present in services offered by that system. Through both its command line and GUI-based client, Nessus provides capabilities that are invaluable. Running Nessus is much more convenient in its GUI mode. For more information about Nessus, refer to their web site.

Rootkits

The term rootkit describes a set of scripts and executables packaged together that allow intruders to hide any evidence that they gained root access to a system. Some of the tasks performed by a rootkit are as follows:

(a) Modify system log files to remove evidence of an intruder’s activities.
(b) Modify system tools to make detection of an intruder’s modifications more difficult.
(c) Create hidden back-door access points in the system.
(d) Use the system as a launch point for attacks against other networked systems.

Sniffers

Network sniffing, or just “sniffing,” is using a computer to read all network traffic, some of which may not be destined for that system. To perform sniffing, a network interface must be put into promiscuous mode so that it forwards, to the application layer, all network traffic, not just network traffic destined for it.

The Solaris OE includes a tool called snoop that can capture and display all network traffic seen by a network interface on the system. While relatively primitive, this tool can quite effectively gather clear-text user IDs and passwords passing over a network. Many popular protocols in use today such as Telnet, FTP, IMAP, and POP-3 do not encrypt their user authentication and identification information. Once a system is accessed, an intruder typically installs a network sniffer on the system to gain additional user ID and password information, to gather information about how the network is constructed, and to learn.
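The defensive question raised by the paragraph above is which hosts on a network still accept the four cleartext-authentication protocols it names, since every such session is a credential a sniffer can read. The following is an added example for this page, not code from the original article: the connection-record format is an assumption, the sample records are constructed, and the port-to-protocol table is limited to the protocols the text lists.

```python
"""Flag connections that carry credentials in clear text (added example).

Telnet, FTP, IMAP and POP-3 send user IDs and passwords unencrypted, so a
sniffer on the path reads them. This pass over connection records reports
such sessions and the encrypted service each should be migrated to.
"""
import re
from collections import Counter

# Well-known ports of the protocols the article names, with encrypted replacements.
CLEARTEXT_AUTH_PORTS = {
    23: ("telnet", "ssh (22)"),
    21: ("ftp", "sftp (22) or ftps (990)"),
    143: ("imap", "imaps (993) or IMAP with STARTTLS"),
    110: ("pop3", "pop3s (995) or POP3 with STLS"),
}

# Assumed record format: "<date> <time> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto>"
RECORD = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+)$"
)

# Constructed sample: a mix of cleartext logins, their encrypted counterparts,
# and one malformed line that a robust parser must skip.
SAMPLE_RECORDS = """\
2001-08-10 09:12:01 10.0.0.5:41022 -> 10.0.0.9:23 TCP
2001-08-10 09:12:07 10.0.0.5:41023 -> 10.0.0.9:22 TCP
2001-08-10 09:13:44 10.0.0.7:55001 -> 10.0.0.12:110 TCP
2001-08-10 09:14:02 10.0.0.7:55002 -> 10.0.0.12:995 TCP
2001-08-10 09:15:30 10.0.0.8:33201 -> 10.0.0.20:21 TCP
2001-08-10 09:16:11 10.0.0.8:33202 -> 10.0.0.20:143 TCP
2001-08-10 09:16:12 10.0.0.8:33203 -> 10.0.0.20:443 TCP
this line is not a connection record
"""


def parse_record(line: str):
    """Return a dict for a well-formed record, None for anything else."""
    m = RECORD.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def find_cleartext_auth(records: str) -> list:
    """List every session whose destination port is a cleartext-auth service."""
    findings = []
    for line in records.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue  # skip malformed lines rather than abort the sweep
        if rec["dport"] in CLEARTEXT_AUTH_PORTS:
            service, fix = CLEARTEXT_AUTH_PORTS[rec["dport"]]
            findings.append({
                "ts": rec["ts"], "src": rec["src"], "dst": rec["dst"],
                "service": service, "replace_with": fix,
            })
    return findings


def exposed_servers(findings: list) -> dict:
    """Count sessions per (server, service): the hosts still offering cleartext logins."""
    return dict(Counter((f["dst"], f["service"]) for f in findings))


if __name__ == "__main__":
    for f in find_cleartext_auth(SAMPLE_RECORDS):
        print(f"{f['ts']} {f['src']} -> {f['dst']} {f['service']}: move to {f['replace_with']}")
```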

Techniques

In this section, we describe two different attack scenarios to demonstrate how easily a hacker can gain access to an unsecured system. These successful attacks simulate the following scenarios:

(a) Attacks from the Internet
(b) Attacks from employees

In both attack scenarios, after the hacker establishes a root account, the hacker wants to maintain access to the system and establish additional privileges to access the rest of the environment. We correlate the tools that the hacker uses to find vulnerabilities, gain access, and establish additional privileges.

Attacks From the Internet

In this scenario, a hacker uses the Nessus vulnerability scanner to locate a system running Solaris 2.6 OE that has not been protected from the sadmind remote procedure call (RPC) service vulnerability. Let’s see how the sadmind exploit works against the victim system. After the hacker gains access, the hacker uses a rootkit to gain and maintain root access. The header of the sadmindex.c program provides the following information on its usage: The author of the sadmindex program made things even easier by providing example stack pointer values. Some tinkering with the sp value was necessary in this example to get the exploit to work; however, it didn’t take much trial and error because the next offset tried was 0xefff9588.

Attacks From Employees

In this scenario, an employee has user access privileges to the system; however, the employee is not authorized to have root access privileges. This scenario is very common. It usually occurs when accounts are left logged on and systems are insecure, thus providing an intruding employee the opportunity to perform unauthorized actions. The ability of malicious internal users to gain additional privileges on Solaris OE systems is a very real security issue. Unfortunately, it is frequently overlooked or ignored by administrators and managers who say, “That could never happen here” or “We have to trust all of our employees.” Serious security incidents occur in situations like these.

Most systems have different types of users. Authorized individuals are systems administrators, operators, database administrators, hardware technicians, and so forth. Each class of user has permissions and privileges defined by user ID and group IDs on the system. Most of these users do not have a root password or permission to use it.

Once on a system, malicious users and intruders can use buffer overflow attacks to gain root privileges. For example, on August 10th, 2001, a buffer overflow against xlock was released. (The xlock executable is a utility for locking X-windows displays.) This utility is useful to attack because it is installed setuid root, due to its need to authorize access to the display when it is locked. A quick search through a few web sites provides the sample source code, which has only 131 lines of code.
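The xlock case above is an instance of a general rule: every setuid-root program is a place where a flaw hands a local user root, so the defensive control is an inventory of such files compared against an approved list, with the bit stripped from everything else. The following audit is an added example written for this page, not code from the original article; the approved list and the sample file metadata are constructed (a real list comes from the OS vendor's package manifests), and scan_tree is provided for running the same check against a live tree.

```python
"""Audit for setuid-root executables (added example).

Programs like xlock run as root no matter who starts them. A defender lists
every such file, compares the list with what the platform is known to ship,
and removes the setuid bit from anything unexpected.
"""
import os
import stat

# Assumed approved list for illustration only.
APPROVED_SETUID_ROOT = {"/usr/bin/passwd", "/usr/bin/su", "/usr/bin/login"}


def is_setuid_root(mode: int, uid: int) -> bool:
    """True for a regular file owned by root (uid 0) that is executable by
    someone and carries the setuid bit: the privilege-escalation surface."""
    return (
        stat.S_ISREG(mode)
        and uid == 0
        and bool(mode & stat.S_ISUID)
        and bool(mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))
    )


def audit_entries(entries, approved=APPROVED_SETUID_ROOT) -> dict:
    """entries: iterable of (path, st_mode, st_uid).
    Returns setuid-root files split into approved and unexpected."""
    report = {"approved": [], "unexpected": []}
    for path, mode, uid in entries:
        if is_setuid_root(mode, uid):
            report["approved" if path in approved else "unexpected"].append(path)
    for key in report:
        report[key].sort()
    return report


def scan_tree(root: str):
    """Walk a real filesystem and yield (path, mode, uid). lstat is used so a
    symlink to a setuid binary is not double-counted or followed."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # unreadable entry: skip, keep scanning
            yield path, st.st_mode, st.st_uid


# Constructed metadata standing in for a real scan: mode = file type | permissions.
SAMPLE_ENTRIES = [
    ("/usr/bin/passwd", stat.S_IFREG | stat.S_ISUID | 0o755, 0),     # approved
    ("/usr/bin/xlock", stat.S_IFREG | stat.S_ISUID | 0o755, 0),      # setuid root, not approved
    ("/usr/bin/xterm", stat.S_IFREG | 0o755, 0),                     # root-owned, no setuid bit
    ("/home/alice/tool", stat.S_IFREG | stat.S_ISUID | 0o755, 1001), # setuid, but not root
    ("/usr/bin/link", stat.S_IFLNK | 0o777, 0),                      # symlink, ignored
    ("/opt/app/helper", stat.S_IFREG | stat.S_ISUID | 0o644, 0),     # setuid root, not executable
]


def demo() -> dict:
    return audit_entries(SAMPLE_ENTRIES)


if __name__ == "__main__":
    print(demo())
```

On a live host, audit_entries(scan_tree("/usr")) produces the same report for real binaries; an unexpected entry is removed from the attack surface with chmod u-s once you have confirmed nothing legitimately depends on it.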
Now that the attacker has root privileges on the system, it is easy to use a sniffer, install back doors, maintain and gain additional access privileges using rootkits, and perform tricks and subsequent attacks.

Future of Cyber Crime and Conclusion

What's in the future for Internet crime and punishment? With every new avenue opening up on the Internet come more possibilities for criminal intent. The difference now and in the future is that technology and human services are now in place, or coming into place, to make these individuals or organizations accountable for their actions. Laws and punishments for even the smallest Internet crimes are now on the books or in the process of being created. Make no mistake; once something is on the Internet, it is fact. It is traceable and punishable. No matter how hard someone tries to cover it up, erase it or disassociate from their actions, once the footprint is made, it can't be unmade. Somewhere there is a way to track that footprint. Law enforcement across the globe will enforce it.

The Internet has not only drawn people together, it has drawn international crime fighting agencies together in a common purpose. The Internet is not a free playground anymore. It is a global arena. Internet crime will take the punch.

Source: Cyber Laws In India