Sunday, January 31, 2010

Urgent Measures Are Needed To Curb Cyber Crimes In India

India has finally shown some concerns towards the growing menace of cyber crimes in India. The government of India has shown an absolute apathy towards growing cyber crimes in India by making almost all the cyber crimes in India “bailable”. Through this process the government made India a safe haven for cyber criminals. The cyber criminals are virtually free to do whatever they want because at best they can be caught and then have to be set free because Indian cyber law is toothless in this regard. Even these cyber criminals would be very difficult to nab as Indian law enforcement is not well trained to deal with cyber crimes.

India is confused regarding its cyber law and the same has resulted in cyberspace anarchy in India. The Indian political thinking is marred by gross confusion. There are growing incidences of exploitation of Indian cyberspace by cyber criminals and foreign powers. Praveen Dalal, Managing Partner of Perry4Law and the leading Techno-Legal Expert of India sent an open letter to the Government of India including the Prime Minister of India, President of India, Supreme Court of India, Ministry of Parliamentary Affairs, etc and brought to their attention the growing menace of cyber crimes in India.

Reacting immediately, the Law Minister M. Veerappa Moily announced the enactment of separate laws and creation of a specialised agency to deal with the menace of cyber crimes. Cyber crimes in India are increasing in the absence of a strong and stringent cyber law i.e. Information Technology Act 2000 (IT Act 2000). The ICT Trends of India 2009 have proved that India has failed to enact a strong and stringent Cyber Law in India. On the contrary, the Information Technology Act 2008 (IT Act 2008) has made India a “safe haven” for cyber criminals, say cyber law experts of India.

The problem seems to be multi-faceted in nature. Firstly, the cyber law of India contained in the IT Act, 2000 is highly deficient in many aspects. Thus, there is an absence of proper legal enablement of ICT systems in India. Secondly, there is a lack of cyber law training for the police, lawyers, judges, etc in India. Thirdly, the cyber security and cyber forensics capabilities are missing in India. Fourthly, the ICT strategies and policies of India are deficient and need an urgent overhaul. Fifthly, the Government of India is indifferent towards the “ICT reforms” in India. This results in a declining ranking of India in the spheres of e-readiness, e-governance, etc. While International communities like European Union, ITU, NATO, Department of Homeland Security, etc are stressing for an enhanced cyber security and tougher cyber laws, India seems to be treading on the wrong side of weaker regulatory and legal regime, says Praveen Dalal.

At last, somebody in the government has shown some concern regarding the growing menace of cyber crimes in India. However, the task is difficult since we do not have trained lawyers, judges and police officers in India. However, at least a step has been taken in the right direction by the law minister of India.

SOURCE: GROUND REPORT

Saturday, January 30, 2010

E-Voting In India

Electronic voting (e-voting) is a process that allows casting of votes through different electronic mechanisms. It includes both casting of votes as well as the counting of the same through electronic methods. The e-voting technology and platform may include punch cards, optical scan voting systems and specialised voting kiosks, telephone, SMS, etc.

The Gujarat State Election Commission is discussing plans to introduce voting through SMSes and over the Internet for municipal and panchayat elections. Previously, India has adopted the use of Electronic Voting Machines (EVMs) for elections. EVMs have revolutionised the Indian election process. EVMs have many advantages over the traditional paper based voting system. However, all the advantages are futile if they can be abused and the election results can be manipulated.

According to Praveen Dalal, Managing Partner of Perry4Law and the leading Techno-Legal Expert of India, “E-Voting in India must be accompanied by proper plan and adequate information and communication technology infrastructure. At the same time special emphasis must be given to the cyber security aspect of e-voting mechanism in India”.

While the use of e-voting may help expanding the voting community yet there must be a suitable policy and regulation to prevent and remedy misuses arising out of such voting system. The crucial question is what if e-voting is proved to be tainted subsequently after cyber forensics appraisal and a Government has been formed on the basis of that voting? Will the Election Commission declare such elections null and void? Will the President of India declare a re-election? Will the Supreme Court of India take cognisance of this fact, asks Praveen Dalal.

The attempt of Gujarat State is a good one in the right direction provided some basic safeguards and plans are formulated in advance. Every new system brings its own peculiar problems and the proposed e-voting system would also face the same. Only time will tell how effective this system will be.

AUTHOR: RAM KAUSHIK

Thursday, January 28, 2010

The Future Of Indian Cyber Law And Cyber Forensics

Cyber law of India is an essential part of legal enablement of ICT systems in India. The same must be strengthened by good cyber forensics capabilities in India. The present cyber law of India is not only a weak piece of legislation but also ineffective against the contemporary cyber crimes. Similarly, it is also violating human rights of Indians in cyberspace. The bottom line is that India needs good techno-legal expertise to tackle the growing menace of cyber crimes.

Information technology is a double-edged sword, which can be used for destructive as well as constructive work. Thus, the fate of many ventures depends upon the benign or vice intentions, as the case may be, of the person dealing with and using the technology. For instance, a malicious intention forwarded in the form of hacking, data theft, virus attack, etc can bring only destructive results unless and until these methods have been used for checking the authenticity, safety and security of the technological device which has been primarily relied upon and trusted for providing the security to a particular organization. For instance, the creator of the “Sasser worm” has been hired as a “security software programmer” by a German firm, so that he can make firewalls, which will stop suspected files from entering computer systems.

These methods may also be used for checking the authenticity, safety and security of one’s technological device, which has been primarily relied upon and trusted for providing the security to a particular organization. In fact, a society without protection in the form of “self help” cannot be visualized in the present electronic era.

Thus, we must concentrate upon securing our ICT and e-governance bases before we start encashing their benefits. The same can be effectively achieved if we give due importance to this fact while discussing, drafting and adopting policy decisions pertaining to ICT in general and e-governance in particular. The same is also important for an effective e-commerce base, and an insecure and unsafe ICT base can be the biggest discouraging factor for a flourishing e-commerce business. The factors relevant for this situation are too numerous to be discussed in a single work. Thus, it would be better if we concentrate on each factor in a separate but coherent and holistic manner. The need of the hour is to set priority for a secure and safe electronic environment so that its benefits can be reaped to the maximum possible extent.

Prevalence of Cyber Crime

The prevalence of Cyber crime throughout the world has frustrated law enforcement agents and legislators alike. According to an article published in the American Criminal Law Review, at least half of all businesses in the United States alone have been the victims of cyber crime or some sort of security breach. Cyber Crime is such a detrimental type of offense not only because of the type of damage that it can do to individuals and businesses but also because of the costs involved in cyber crime. These costs are most often associated with the repair of a computer system or network. There are also costs associated with the compromise of data that often occurs. This is particularly costly because of the damage that it can do to the reputation of a business and organizations. Customers can become more apprehensive about shopping at a franchise that has experienced computer security problems or going to a bank that has been the victim of cyber crime. For this very reason, the article points out that some businesses and organizations that have been affected by Cyber Crime do not report breaches in security.

Cyber Crimes in India

India is on the verge of a technology revolution and the driving force behind the same is the acceptance and adoption of Information and Communication Technology (ICT) and its benefits. This technology revolution may, however, fail to bring the desired and much needed result if we do not adopt a sound and country oriented e-governance policy. A sound e-governance policy presupposes the existence of a sound and secure e-governance base as well. The security and safety of various ICT platforms and projects in India must be considered on a priority basis before any e-governance base is made fully functional. This presupposes the adoption and use of security measures more particularly empowering judiciary and law enforcement manpower with the knowledge and use of cyber forensics and digital evidencing.

Cyber Forensics and Its Need

The concepts of cyber security and cyber forensics are not only interrelated but also indispensably required for the success of each other. The former secures the ICT and e-governance base whereas the latter indicates the loopholes and limitations of the adopted measures to secure the base. The latter also becomes essential to punish the deviants so that a deterrent example can be set. There is, however, a problem regarding acquiring expertise in the latter aspect. This is so because though a computer can be secured even by a person with simple technical knowledge the ascertainment and preservation of the evidence is a tough task. For instance, one can install an anti-virus software, firewall, adjust security settings of the browser, etc but the same cannot be said about making a mirror copy of hard disk, extracting deleted files and documents, preserving logs of activities over internet, etc. Further one can understand the difficulty involved in the prosecution and presentation of a case before a court of law because it is very difficult to explain the evidence acquired to a not so techno savvy judge. The problem becomes more complicated in the absence of sufficient numbers of trained lawyers in this crucial field.

The Cyber Forensics has given new dimensions to the Criminal laws, especially the Evidence law. Electronic evidence and their collection and presentation have posed a challenge to the investigation agencies, prosecution agencies and judiciary. The scope of Cyber Forensics is no more confined to the investigation regime only but is expanding to other segments of justice administration system as well. The justice delivery system cannot afford to take the IT revolution lightly. The significance of cyber forensics emanates from this interface of justice delivery system with the Information Technology.

The growing use of IT has posed certain challenges before the justice delivery system that have to be met keeping in mind the contemporary IT revolution. The contemporary need of Cyber Forensics is essential for the following reasons:

(a) The traditional methods are inadequate: The law may be categorized as substantive and procedural. The substantive law fixes the liability whereas the procedural law provides the means and methods by which the substantive liability has to be contended, analyzed and proved. The procedural aspects providing for the guilt establishment provisions were always there but their interface with the IT has almost created a deadlock in investigative and adjudicative mechanisms. The challenges posed by IT are peculiar to contemporary society and so must be their solution. The traditional procedural mechanisms, including forensic science methods, are neither applicable nor appropriate for this situation. Thus, “cyber forensics” is the need of the hour. India is the 12th country in the world that has its own “Cyber law” (IT Act, 2000). However, most of the people of India, including lawyers, judges, professors, etc, are not aware of its existence and use. The traditional forensic methods like finger impressions, DNA testing, blood and other tests, etc play a limited role in this arena.

(b) The changing face of crimes and criminals: The use of Internet has changed the entire platform of crime, criminal and their prosecution. This process involves crimes like hacking, pornography, privacy violations, spamming, phishing, pharming, identity theft, cyber terrorism, etc. The modus operandi is different, which makes it very difficult to trace the culprits. This is because of the anonymous nature of Internet. Besides, certain sites are available that provide sufficient technological measures to maintain secrecy. Similarly, various sites openly provide hacking and other tools to assist commission of various cyber crimes. The Internet is boundary less and that makes the investigation and punishment very difficult. These objects of criminal law will become a distant reality till we have cyber forensics to tackle them.

(c) The need of comparison: There is a dire need to compare the traditional crimes and criminals with the crimes and criminal in the IT environment. More specifically, the following must be the parameters of this comparison:

a. Nature of the crime
b. Manner/Methods of commission of the crime,
c. Purpose of the crime,
d. Players involved in these crimes, etc.

Thus, Cyber Forensics is required to be used by the following players of criminal justice system:

a. Investigation machinery- Statutory as well as non-statutory
b. Prosecution machinery, and
c. Adjudication machinery- Judicial, quasi-judicial or administrative.

(d) Jurisdictional dilemma: The Internet is not subject to any territorial limits and none can claim any jurisdiction over a particular incidence. Thus, at times there is conflict of laws. The best way is to use the tool of Cyber Forensics as a “preventive measure” rather than using it for “curative purposes”.

The growing use of ICT for administration of all the spheres of our daily life cannot be ignored. Further, we also cannot ignore the need to secure the ICT infrastructures used for meeting these social functions. The threat from “malware” is not only apparent but also very worrisome. There cannot be a single solution to counter such threats. We need a techno-legal “harmonized law”. Neither pure law nor pure technology will be of any use. Firstly, a good combination of law and technology must be established and then an effort must be made to harmonise the laws of various countries keeping in mind common security standards. In the era of e-governance and e-commerce a lack of common security standards can create havoc for the global trade in goods and services. The tool of Cyber Forensics, which is not only preventive but also curative, can help a lot in establishing a much needed judicial administration system and security base.

Cost of Computer Security Breach

Many CEOs and CIOs are slow to invest in computer security because they do not know how to measure their Return on Investment (ROI). No one has shown them the actual costs associated with not investing in computer security. The objective of this paper is to provide the information security officer with objective data about the actual cost of computer security breaches to commercial companies. The information presented herein can be used as input into the ROI analyses to support security procurements.

How Cost Is Measured

In the commercial world, the cost of a cyber security breach is measured by both “tangibles” and “intangibles.” The tangibles can be calculated based on estimates of:

(a) Lost business, due to unavailability of the breached information resources
(b) Lost business, that can be traced directly to accounts fleeing to a “safer” environment
(c) Lost productivity of the non-IT staff, who have to work in a degraded mode, or not work at all, while the IT staff tries to contain and repair the breach
(d) Labor and material costs associated with the IT staff’s detection, containment, repair and reconstitution of the breached resources
(e) Labor costs of the IT staff and legal costs associated with the collection of forensic evidence and the prosecution of an attacker
(f) Public relations consulting costs, to prepare statements for the press, and answer customer questions
(g) Increases in insurance premiums
(h) Costs of defending the company in any liability suits resulting from the breached company’s failure to deliver assured information and services.

Not all of these tangible costs will occur with each breach; some will only occur with major, well-publicized breaches. The intangibles refer to costs that are difficult to calculate because they are not directly measurable, but are nevertheless very important for business. Many of these intangibles are related to a “loss of competitive advantage” that results from the breach. For example, a breach can affect an organization’s competitive edge through:

(a) Customers’ loss of trust in the organization
(b) Failure to win new accounts due to bad press associated with the breach
(c) Competitor’s access to confidential or proprietary information.

Even the military environment has similar cost issues. In the military, the tangible costs are measured in human lives, replacement costs of equipment, and prolonged military operations. The intangibles would include loss of tactical advantage, loss of international prestige, and impaired negotiating positions.

Hypothetical Examples of the Cost Impact of Security Breaches

Forrester Research estimated the tangible and intangible costs of computer security breaches in three hypothetical situations. Their analysis indicated that, if thieves were to illegally wire $1 million from an on-line bank, the cost impact to the bank would be $106 million. They also estimated that, in the hypothetical situation that cyber techniques are used to divert a week’s worth of tires from an auto manufacturer, the auto manufacturer would sustain losses of $21 million. Finally, they estimated that if a law firm were to lose significant confidential information, the impact would be almost $35 million. Does this sound unrealistic? Remember that Forrester used both tangibles and intangibles in their estimates, including the loss of confidential information and reputation. The sections below present the results of analyses of real world cost impacts of cyber events, using largely tangible costs as the means of estimating impact.

Real World Examples of Cost Impacts

Cost Impacts on Individual Companies


In December, 1998 Ingram Micro, a PC wholesaler, had to shut down its main data center in Tucson, Arizona due to an electrical short. While the reason for the shutdown was not a security breach, the loss of Ingram’s Internet business and electronic transactions from 8:00 AM to 4:00 PM mimicked what could happen with a Distributed Denial of Service (DDOS) attack or a major intrusion. As a result of its one day of lost sales and system repairs, Ingram estimates that it lost a staggering $3.2 million. This figure is comparable to Forrester’s projection of a $21 million loss for an auto manufacturer who is unable to get tires for a week. To estimate the cost impact of the types of breaches that happen daily to companies, one can turn to the annual surveys of the Computer Security Institute (CSI) (www.gosci.com) and the FBI. For the past five years, the CSI-FBI “Computer Crime and Security Survey” has been a major source of information on the frequency and impact of computer security breaches, through their polling of commercial, non-profit, and government organizations. Their Year 2000 report was based on a survey of 643 information security professionals from organizations throughout the United States. Typically, the respondents represent organizations that have already made some commitment to computer security. In the 1999 survey, 91% of the respondents had firewalls, 42% had intrusion detection systems, and 34% were using digital certificates in their companies. Of the 643 respondents in the year 2000, 90% had detected cyber attacks on their organizations; and 74% reported financial losses associated with those attacks. Of the total sample of respondents, 42% (273 people) were able to quantify their exact losses, which totaled $265,589,940, or $972,857 cost impact per organization across all types of breaches.


The highest impact came from theft of proprietary information, reported by 66 people. Their total losses came to $66,708,000 or $1,010,727 cost impact per organization for theft of proprietary information. While this may seem like a lot, the average cost impact of theft of proprietary information in their 1999 survey was even greater -- $1,847,652. The sabotage of data or networks was reported by 61 respondents, for a total loss of $27,148,000 or an average loss of $445,049 per organization. This loss was significantly higher than the 1999 average loss of $163,740 associated with sabotage. While these estimates are presumably based on tangible costs to the company, one can infer that the respondents are very aware of and sensitive to the intangible costs of a tarnished reputation that could result from media treatment of security breaches. I base this conclusion on some interesting data in the 1999 survey. In 1999, 48% of those respondents who had been subjected to an intrusion did not report it. Among the most important reasons cited for their decision not to report those breaches were the fear of negative publicity and the use of the information by competitors.

Cost Impacts across Industries

Some research and consulting firms such as Computer Economics (www.computereconomics.com) measure the impact of computer breaches across several companies or industries. Computer Economics has estimated that in 1999 businesses around the globe spent $12.1 billion to combat the effect of computer viruses. Their estimate was based on tangibles such as lost productivity, network down time, and expenses incurred to get rid of the virus infections. The ILOVEYOU virus and its copycats have also been studied for their financial impacts across industries. According to Computer Economics the ILOVEYOU virus and its variants caused $6.7 billion in damage in the first five days.

The FBI, in their testimony before the Senate Subcommittee on Technology, Terrorism and Government Information, cites the Yankee Group’s estimate that industries around the world lost $1.2 billion to the DDOS attacks on e-commerce in February 2000. Their estimate was based on lost capitalization, lost revenues and the costs of security upgrades.

The Cost of Piracy

A different form of security breach – software piracy – also has a cost impact across the software industry. International Planning and Research, an independent research firm, estimated that software vendors lost $12.2 billion in 1999 due to software piracy. They estimate that one out of three pieces of software used by businesses around the world is a pirated copy.

The financial impact of computer security breaches has been quantified by several sources. The best estimate of the impact of security breaches on a single organization can be found in the CSI-FBI survey of over 600 organizations. They concluded that the average cost impact of security breaches on each organization is over $972,000 per year.

Hacking Technique, How Hackers Do It

Every day, hackers compromise systems using these attacks. Being aware of how these attacks are performed, you can raise awareness within your organization for the importance of building and maintaining secure systems.

Many organizations make the mistake of addressing security only during installation, and then never revisit it. Maintaining security is an ongoing process, and it is something that must be reviewed and revisited periodically. Using the information in this article, you can try hacking into your organization’s datacenter, high-end server, or other system to determine where basic attacks would succeed. Then, you can address security weaknesses to prevent unauthorized users from attacking the system.

Tricks

A trick is a “mean crafty procedure or practice...designed to deceive, delude, or defraud.” Hackers use tricks to find short cuts for gaining unauthorized access to systems. They may use their access for illegal or destructive purposes, or they may simply be testing their own skills to see if they can perform a task. Given that most hackers are motivated by curiosity and have time to try endless attacks, the probability is high that eventually they do find a sophisticated method to gain access to just about any environment. However, these aren’t the types of attacks we address in this article, because most successful intrusions are accomplished through well-known and well-documented security vulnerabilities that either haven’t been patched, disabled, or otherwise dealt with. These vulnerabilities are exploited every day and shouldn’t be.

Finding Access Vulnerabilities

What generally happens is that an advanced or elite hacker writes a scanning tool that looks for well-known vulnerabilities, and the elite hacker makes it available over the Internet. Less experienced hackers, commonly called “script kiddies,” then run the scanning tool 24 x 7, scanning large numbers of systems and finding many systems that are vulnerable. They typically run the tool against the name-spaces associated with companies they would like to get into.

The script kiddies use a list of vulnerable IP addresses to launch attacks, based on the vulnerabilities advertised by a machine, to gain access to systems. Depending on the vulnerability, an attacker may be able to create either a privileged or non privileged account. Regardless, the attacker uses this initial entry (also referred to as a “toe-hold”) in the system to gain additional privileges and exploit the systems the penetrated system has trust relationships with, shares information with, is on the same network with, and so on.
Once a toe-hold is established on a system, the attacker can run scanning tools against all the systems connected to the penetrated system. Depending on the system compromised, these scans can run inside an organization’s network.

Finding Operating System Vulnerabilities

As mentioned previously, hackers first look for vulnerabilities to gain access. Then they look for operating system (OS) vulnerabilities and for scanning tools that report on those vulnerabilities.

Finding vulnerabilities specific to an OS is as easy as typing in a URL address and clicking on the appropriate link. There are many organizations that provide “full disclosure” information. Full disclosure is the practice of providing all information to the public domain so that it isn’t known only to the hacker community.

Attacking Solaris OE Vulnerabilities

Let’s use Solaris 2.6 OE as an example. A well-known vulnerability, for which patches are available, is the sadmind exploit. Hackers frequently use this vulnerability to gain root access on Solaris 2.6 OE systems. Using only a search engine and the CVE number, found by searching through the Mitre site listed previously, it is possible to find the source code and detailed instructions on how to use it. The entire process takes only a few minutes. The hacker finds the source code on the Security Focus web site and finds detailed instructions on the SANS site.

Tools

Hackers use a variety of tools to attack a system. Each of the tools we cover in this article has distinct capabilities. We describe the most popular tools from each of the following categories:
(a) Port scanners
(b) Vulnerability scanners
(c) Rootkits
(d) Sniffers

Port scanners are probably the most commonly used scanning tools on the Internet. These tools scan large IP spaces and report on the systems they encounter, the ports available and other information, such as OS types. The most popular port scanner is Network Mapper (Nmap). The Nmap port scanner is described as follows on the Nmap web site:


Nmap (“Network Mapper”) is an open source utility for network exploration or security auditing. It was designed to rapidly scan large networks, although it works fine against single hosts. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (ports) they are offering, what operating system (and OS version) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. Nmap runs on most types of computers, and both console and graphical versions are available. Nmap is free software, available with full source code under the terms of the GNU GPL3.


Nmap is an excellent security tool because it allows you to determine which services are being offered by a system. Because Nmap is optimized to scan large IP ranges, it can be run against all IP addresses used by an organization, or all cable modem IP addresses provided by an organization. After using Nmap to find machines and identify their services, you can run the Nessus vulnerability scanner against the vulnerable machines.
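From the defender's side, the scanning described above shows up in firewall or connection logs as one source touching many ports on a host, or the same port on many hosts, within a short time. The following Python is an added example, not part of the original article; the log format, addresses and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log (assumed format, documentation-range addresses):
# "<ISO time> SRC=<ip> DST=<ip> DPT=<port> FLAGS=<tcp flags>"
SAMPLE_LOG = """\
2010-01-28T10:00:00 SRC=198.51.100.7 DST=192.0.2.10 DPT=21 FLAGS=SYN
2010-01-28T10:00:01 SRC=198.51.100.7 DST=192.0.2.10 DPT=22 FLAGS=SYN
2010-01-28T10:00:01 SRC=192.0.2.50 DST=192.0.2.10 DPT=80 FLAGS=SYN
2010-01-28T10:00:02 SRC=198.51.100.7 DST=192.0.2.10 DPT=23 FLAGS=SYN
2010-01-28T10:00:03 SRC=198.51.100.7 DST=192.0.2.10 DPT=25 FLAGS=SYN
2010-01-28T10:00:04 SRC=198.51.100.7 DST=192.0.2.10 DPT=80 FLAGS=SYN
2010-01-28T10:00:05 SRC=203.0.113.9 DST=192.0.2.10 DPT=22 FLAGS=SYN
2010-01-28T10:00:06 SRC=203.0.113.9 DST=192.0.2.11 DPT=22 FLAGS=SYN
2010-01-28T10:00:07 SRC=203.0.113.9 DST=192.0.2.12 DPT=22 FLAGS=SYN
2010-01-28T10:00:08 SRC=203.0.113.9 DST=192.0.2.13 DPT=22 FLAGS=SYN
2010-01-28T10:00:09 SRC=192.0.2.50 DST=192.0.2.10 DPT=443 FLAGS=SYN
2010-01-28T10:05:00 SRC=198.51.100.99 DST=192.0.2.10 DPT=21 FLAGS=SYN
2010-01-28T10:10:00 SRC=198.51.100.99 DST=192.0.2.10 DPT=22 FLAGS=SYN
2010-01-28T10:15:00 SRC=198.51.100.99 DST=192.0.2.10 DPT=23 FLAGS=SYN
2010-01-28T10:20:00 SRC=198.51.100.99 DST=192.0.2.10 DPT=25 FLAGS=SYN
2010-01-28T10:25:00 SRC=198.51.100.99 DST=192.0.2.10 DPT=80 FLAGS=SYN
this line is malformed and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"DPT=(?P<dpt>\d+) FLAGS=(?P<flags>\S+)$"
)


def parse_line(line):
    """Return (time, src, dst, port, flags) or None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.fromisoformat(m["ts"])
    except ValueError:
        return None
    return ts, m["src"], m["dst"], int(m["dpt"]), m["flags"]


def detect_scans(lines, window_seconds=60, port_threshold=5, host_threshold=4):
    """Flag sources whose connection attempts fan out inside a sliding window.

    vertical   = many distinct ports on one destination (service discovery)
    horizontal = one port across many destinations (sweep of an address range)
    Input must be in time order. Thresholds are illustrative assumptions.
    """
    recent = defaultdict(deque)      # src -> deque of (time, dst, port)
    findings = defaultdict(set)
    for line in lines:
        event = parse_line(line)
        if event is None or event[4] != "SYN":
            continue                 # only new connection attempts count
        ts, src, dst, port, _flags = event
        queue = recent[src]
        queue.append((ts, dst, port))
        # Drop events that have aged out of the window for this source.
        while (ts - queue[0][0]).total_seconds() > window_seconds:
            queue.popleft()
        ports_on_dst = {p for _, d, p in queue if d == dst}
        hosts_on_port = {d for _, d, p in queue if p == port}
        if len(ports_on_dst) >= port_threshold:
            findings[src].add(("vertical", dst))
        if len(hosts_on_port) >= host_threshold:
            findings[src].add(("horizontal", port))
    return {src: sorted(found) for src, found in findings.items()}


if __name__ == "__main__":
    for src, found in detect_scans(SAMPLE_LOG.splitlines()).items():
        print(src, found)
    # 198.51.100.99 probes one port every five minutes and stays under a
    # 60-second window; a longer window is needed to catch slow scans.
    print(detect_scans(SAMPLE_LOG.splitlines(), window_seconds=3600))
```

The slow source in the sample is only reported when the window is widened, which is why short-window thresholds alone are not sufficient.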


Nmap supports an impressive array of scan types that permit everything from TCP SYN (half open) to Null scan sweeps. Additional options include OS fingerprinting, parallel scan, and decoy scanning, to name a few. Nmap supports a graphical version through xnmap. For more information about Nmap,

Vulnerability Scanners

This section describes tools available for scanning vulnerable systems. Vulnerability scanners look for a specific vulnerability or scan a system for all potential vulnerabilities. Vulnerability tools are freely available. We focus on the most popular and best-maintained vulnerability scanner available, Nessus. The Nessus vulnerability tool is described on the Nessus web site:
The “Nessus” Project aims to provide to the Internet community a free, powerful, up-to-date and easy to use remote security scanner. A security scanner is a software which will remotely audit a given network and determine whether bad guys (aka ‘crackers’) may break into it, or misuse it in some way. Unlike many other security scanners, Nessus does not take anything for granted. That is, it will not consider that a given service is running on a fixed port—that is, if you run your web server on port 1234, Nessus will detect it and test its security. It will not make its security tests regarding the version number of the remote services, but will really attempt to exploit the vulnerability. Nessus is very fast, reliable and has a modular architecture that allows you to fit it to your needs.

Nessus provides administrators and hackers alike with a tool to scan systems and evaluate vulnerabilities present in services offered by that system. Through both its command line and GUI-based client, Nessus provides capabilities that are invaluable. Running Nessus is much more convenient in its GUI mode. For more information about Nessus, refer to their web site.

Rootkits

The term rootkit describes a set of scripts and executables packaged together that allow intruders to hide any evidence that they gained root access to a system. Some of the tasks performed by a rootkit are as follows:


(a) Modify system log files to remove evidence of an intruder’s activities.
(b) Modify system tools to make detection of an intruder’s modifications more difficult.
(c) Create hidden back-door access points in the system.
(d) Use the system as a launch point for attacks against other networked systems.
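
One defensive counterpart to task (b), as an added example that is not part of the original article: record a SHA-256 and permission baseline of a directory of system tools, then report every later difference and flag files that carry the setuid bit. The script name, its sub-commands and the JSON baseline format are assumptions made for this illustration.

```python
"""Baseline-and-compare integrity check for a directory of system tools."""
import hashlib
import json
import os
import stat
import sys


def sha256_file(path, chunk=65536):
    """Hash a file in chunks so large binaries are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def snapshot(root):
    """Return {relative_path: (sha256, permission_bits)} for regular files under root."""
    entries = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, devices and sockets
            try:
                digest = sha256_file(full)
            except OSError:
                digest = "unreadable"  # e.g. execute-only binary when not run as root
            entries[os.path.relpath(full, root)] = (digest, stat.S_IMODE(st.st_mode))
    return entries


def compare(baseline, current):
    """Return a sorted list of (kind, path, is_setuid) for every difference."""
    findings = []
    for path in sorted(set(baseline) | set(current)):
        old, new = baseline.get(path), current.get(path)
        if old is None:
            kind = "added"
        elif new is None:
            kind = "removed"
        elif old[0] != new[0]:
            kind = "content-changed"
        elif old[1] != new[1]:
            kind = "mode-changed"
        else:
            continue
        # A new or changed setuid file deserves attention before anything else.
        setuid = bool(new and new[1] & stat.S_ISUID)
        findings.append((kind, path, setuid))
    return findings


def load_baseline(path):
    """Load a baseline written by the 'snapshot' sub-command (JSON lists -> tuples)."""
    with open(path) as fh:
        return {name: tuple(value) for name, value in json.load(fh).items()}


if __name__ == "__main__":
    if len(sys.argv) == 3 and sys.argv[1] == "snapshot":
        json.dump(snapshot(sys.argv[2]), sys.stdout, indent=1)
    elif len(sys.argv) == 4 and sys.argv[1] == "check":
        results = compare(load_baseline(sys.argv[3]), snapshot(sys.argv[2]))
        for kind, path, setuid in results:
            print(f"{kind:16} {path}{'  [setuid]' if setuid else ''}")
        sys.exit(1 if results else 0)
    else:
        sys.exit("usage: integrity.py snapshot DIR | check DIR BASELINE.json")
```

Because a rootkit alters tools on the host itself, the baseline is only useful if it is stored off the system (or on read-only media) and the check is run with an interpreter and libraries that are trusted.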

Sniffers

Network sniffing, or just “sniffing,” is using a computer to read all network traffic, of which some may not be destined for that system. To perform sniffing, a network interface must be put into promiscuous mode so that it forwards, to the application layer, all network traffic, not just network traffic destined for it.

The Solaris OE includes a tool called snoop that can capture and display all network traffic seen by a network interface on the system. While being relatively primitive, this tool can quite effectively gather clear-text user IDs and passwords passing over a network. Many popular protocols in use today such as Telnet, FTP, IMAP, and POP-3 do not encrypt their user authentication and identification information. Once a system is accessed, an intruder typically installs a network sniffer on the system to gain additional user ID and password information, to gather information about how the network is constructed, and to learn.
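
An added example, not from the original article, of checking for the promiscuous-mode condition described above. It assumes a Linux host, where the kernel exposes each interface's flag word under /sys/class/net, rather than the Solaris OE the text discusses; the function names and the allow-list are hypothetical.

```python
"""Report network interfaces that are in promiscuous mode (Linux sysfs)."""
import os

IFF_PROMISC = 0x100  # from <linux/if.h>: interface receives all frames


def parse_flags(text):
    """Parse the hex string found in /sys/class/net/<iface>/flags, e.g. '0x1103'."""
    return int(text.strip(), 16)


def is_promiscuous(flags):
    return bool(flags & IFF_PROMISC)


def read_interface_flags(sysfs_root="/sys/class/net"):
    """Return {interface_name: flags} for every interface listed under sysfs_root."""
    result = {}
    if not os.path.isdir(sysfs_root):
        return result
    for name in sorted(os.listdir(sysfs_root)):
        path = os.path.join(sysfs_root, name, "flags")
        try:
            with open(path) as fh:
                result[name] = parse_flags(fh.read())
        except (OSError, ValueError):
            continue  # not an interface entry (e.g. bonding_masters) or unreadable
    return result


def unexpected_promiscuous(flags_by_iface, allowed=()):
    """Return sorted names of promiscuous interfaces that are not on the allow-list.

    'allowed' holds interfaces that are promiscuous by design, such as
    bridge member ports or a dedicated monitoring sensor interface.
    """
    allowed = set(allowed)
    return sorted(
        name
        for name, flags in flags_by_iface.items()
        if is_promiscuous(flags) and name not in allowed
    )


if __name__ == "__main__":
    findings = unexpected_promiscuous(read_interface_flags())
    for name in findings:
        print(f"promiscuous mode enabled on {name}")
    if not findings:
        print("no unexpected promiscuous interfaces")
```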

Techniques

In this section, we describe two different attack scenarios to demonstrate how easily a hacker can gain access to an unsecured system. These successful attacks simulate the following scenarios:
(a) Attacks from the Internet
(b) Attacks from employees

In both attack scenarios, after the hacker establishes a root account, the hacker wants to maintain access to the system and establish additional privileges to access the rest of the environment. We correlate the tools that the hacker uses to find vulnerabilities, gain access, and establish additional privileges.

Attacks From the Internet

In this scenario, a hacker uses the Nessus vulnerability scanner to locate a system running Solaris 2.6 OE that has not been protected from the sadmind remote procedure call (RPC) service vulnerability. Let’s see how the sadmind exploit works against the victim system. After the hacker gains access, the hacker uses a rootkit to gain and maintain root access. The header of the sadmindex.c program provides the following information on its usage: The author of the sadmindex program made things even easier by providing example stack pointer values. Some tinkering with the sp value was necessary in this example to get the exploit to work; however, it didn’t take much trial and error because the next offset tried was 0xefff9588.

Attacks From Employees

In this scenario, an employee has user access privileges to the system; however, the employee is not authorized to have root access privileges. This scenario is very common. It usually occurs when accounts are left logged on and systems are insecure, thus providing an intruding employee the opportunity to perform unauthorized actions. The ability of malicious internal users to gain additional privileges on Solaris OE systems is a very real security issue. Unfortunately, it is frequently overlooked or ignored by administrators and managers who say, “That could never happen here” or “We have to trust all of our employees.” Serious security incidents occur in situations like these.

Most systems have different types of users. Authorized individuals are systems administrators, operators, database administrators, hardware technicians, and so forth. Each class of user has permissions and privileges defined by user ID and group IDs on the system. Most of these users do not have a root password or permission to use it.

Once on a system, malicious users and intruders can use buffer overflow attacks to gain root privileges. For example, on August 10th, 2001, a buffer overflow against xlock was released. (The xlock executable is a utility for locking X-windows displays.) This utility is useful to attack because it is installed setuid root, due to its need to authorize access to the display when it is locked. A quick search through a few web sites provides the sample source code, which has only 131 lines of code.

Now that the attacker has root privileges on the system, it is easy to use a sniffer, install back doors, maintain and gain additional access privileges using rootkits, and perform tricks and subsequent attacks.

Future of Cyber Crime and Conclusion

What's in the future for Internet Crime and Punishment? With every new avenue opening up on the Internet come more possibilities for criminal intent. The difference now and in the future is that technology and human services are in place, or coming into place, to make these individuals or organizations accountable for their actions. Laws and punishments for even the smallest Internet crimes are now on the books, or in the process of being created. Make no mistake; once something is on the Internet, it is fact. It is traceable and punishable. No matter how hard someone tries to cover it up, erase it or disassociate from their actions, once the footprint is made, it can't be unmade. Somewhere there is a way to track that footprint. Law enforcement across the globe will enforce it.

The Internet has not only drawn people together, it has drawn international crime fighting agencies together in a common purpose. The Internet is not a free playground anymore. It is a global arena. Internet crime will take the punch.

National Intelligence Grid Of India

National Intelligence Grid (NATGRID) is an essential requirement for robust and effective intelligence agencies and law enforcement functions in India. The only requirement is to ensure that its abuses can be anticipated, prevented and remedied, says Praveen Dalal, Managing Partner of Perry4Law and the leading Techno-Legal Expert of India.

The Ministry of Home Affairs, India is managing this ambitious NATGRID project. It sent the proposal to establish NATGRID to various other allied Ministries for their suggestions. Now Ministries like external affairs, finance, defence, telecom, etc have provided their suggestions in this regard. This has paved the way for the final clearance of the project.

Techno-Legal specialist Praveen Dalal informs that the aim of NATGRID is to ensure a readily available and real time information sharing platform between intelligence agencies, law enforcement agencies, etc of India. Information gathering and its timely distribution is also an essential part of “Crisis Management Strategies” of any nation. While the NATGRID system is a must for India, India has to make sure that it is not abused for “Political Purposes” or in a manner that goes against the provisions of the Constitution of India.

The scope for misuse is tremendous as NATGRID is planning to link 21 categories of databases maintained by different public and private agencies for ready access by the country’s intelligence agencies. There must be a “mechanism” to ensure that this wonderful system is not abused, warns Praveen Dalal.

Since the concerned ministries have cleared the proposal, it will now be placed before the Cabinet Committee on Security (CCS) for approval. The CCS consent would be the penultimate step for the establishment of NATGRID within the next two years, i.e. till 2011. It would be a good idea if the CCS “consults” experts and stakeholders before finally approving the project, opines Praveen Dalal.

Tuesday, January 26, 2010

The Truth About E-Courts Of India


Lots of media reports have recently surfaced declaring that India has established the first e-court. This is not the first time such rumours have been heard. In fact, the unfulfilled dream of establishing e-courts in India has been in session since 2003. So what is the present position and truth regarding establishment of e-courts in India?

There is a difference between a computerised court and an e-court. The recent rumour regarding establishment of an e-court by Delhi High Court is a classic example of such ignorance of the difference between the two. The Delhi High Court has established a computerised court and not an e-court. The court has simply computerised the traditional litigation aspects and nothing more.

The fact is that India does not have even a single e-court. In an e-court system one can file a case and contest it from any location, even from one’s home. If he/she has to go to the concerned court for filing and contest, it is not an e-court.

The moment litigants in person and lawyers can file cases on the Internet we can safely assume that e-courts have been established. This is not the case presently. The lawyers and litigants have to go to the concerned court to file their pleadings and cases. None of the High Courts in India has such a capability, hence there is no question of establishment of e-courts in India.

Finally, the purpose of such false declarations of establishment of e-courts is to seek another extension that usually happens in the month of February. The same is due in the month of February 2010. Even the ICT Trends of India 2009 have confirmed the absence of any e-courts in India. It is high time for the government of India to be serious and do something constructive so that e-courts are not opened on paper only.

SOURCE: ITVOIR

Sunday, January 24, 2010

The Growing Risks Of Electronic Communications Sniffing In India

Recent news has revealed that some unknown Pakistani hackers had intercepted an official email communication between J&K Police’s intelligence chief and the J&K Chief Minister. However, it is claimed that the intercepted email did not carry “sensitive information”. As per a senior police officer this is normal as both sides do it.

Omar Abdullah, Chief Minister J&K, has been encouraging use of Information and Communication Technology (ICT) for government functions. He has been seeking police reports and daily confidential police bulletins through e-mails instead of traditional mailing system.

According to Mr. Praveen Dalal, Managing Partner of Perry4Law and the leading Techno-Legal Expert of India, “Electronic communications sniffing is a very effective mechanism to steal e-mail passwords and confidential information. The same happens if the sniffer is at the same network in case of wired networks or through airwaves if he is targeting the wireless networks”.

To avoid the interception of email communication by the security agencies, terrorists are not communicating between two email addresses but use a single address with several people knowing the password. The militants then save the document in the draft folder, where it can subsequently be read by their companions.

Similarly, security agencies are also adopting various methods to keep their e-communications safe and secure. This tussle between the terrorists and security agencies would further increase in the distant future and India should be well prepared to deal with the same.



Friday, January 22, 2010

Backtrack 4 Final Version Is A Good Tool Says Perry4law And PTLB

BackTrack 4 final version is now released for security professionals. The development team has mentioned that lots of downloads have already taken place from the official site. BackTrack 4 is providing penetration testing, cyber security and most importantly cyber forensics functionalities for the concerned people. It is a fantastic tool as suggested by Perry4Law and PTLB.

BackTrack is one of the highest rated and acclaimed Linux security distributions to date. BackTrack is a Linux-based penetration testing arsenal that aids security professionals in the ability to perform assessments in a purely native environment dedicated to hacking. Regardless of whether you’re making BackTrack your primary operating system, booting from a LiveDVD, or using your favorite thumbdrive, BackTrack has been customized down to every package, kernel configuration, script and patch solely for the purpose of the penetration tester.

BackTrack is intended for all audiences from the most savvy security professionals to early newcomers to the information security field. BackTrack promotes a quick and easy way to find and update the largest database of security tool collection to-date.

If you need any help feel free to contact its “Forum” or check its “how to” segment or its “FAQ” segment. If you need good training in these crucial areas, feel free to consult its “Training” segment.

If you need any “Techno-Legal” assistance in India you must contact Perry4Law for the same. Perry4Law is India’s first and exclusive techno-legal law firm and one of the few in the world.

Perry4Law is also managing Perry4Law Techno-Legal Base (PTLB™/℠). PTLB is India’s first dedicated techno-legal platform that is providing consultancy, litigation and training services in the fields of cyber law, cyber security, cyber forensics, etc. Presently, India lacks cyber forensics capabilities and PTLB is meeting this much needed requirement. PTLB is operating as a “Resource Centre for Cyber Forensics in India”.

If any person is interested in getting consultancy, litigation or training services in the field of cyber forensics in India, you may check the “Contact Point” of Perry4Law.

SOURCE: MYNEWS

The Confused Indian Political Thinking Regarding Cyber Law Of India

The Parliament of India is either not willing to enact suitable laws in a timely manner or it makes absurd laws like the Information Technology Amendment Act 2008 (IT Act 2008). India is already struggling hard to tackle cyber crimes and cyber contraventions. However, what is more confusing is why the Indian government made India a safe haven for cyber criminals. Further, with the IT Act 2008 India became an E-Surveillance State. The E-Surveillance may be crucial for Indian National security and Internal Security vis-à-vis information technology but even these crucial capabilities are missing. The cyber warfare capabilities of India are still decades away. The net result of the Irrational Cyber Law of India is that complete Cyber Anarchy exists in India.

Realising the gravity of the situation, Mr. Praveen Dalal, Managing Partner of Perry4Law and the leading Techno-Legal Expert of India, sent a communication to the Government of India including the Prime Minister of India, President of India, Supreme Court of India, Ministry of Parliamentary Affairs, etc in this regard. The government reciprocated through media by showing its concern regarding the rising number of cyber crimes in India. Now the Centre is planning to assign the Central Bureau of Investigation (CBI) to investigate cases registered under the Information Technology Act 2000 (IT Act 2000) in the country. This is the irony of Indian political thinking. On the one hand they made almost all the cyber crimes in India “Bailable” whereas on the other hand they are “showing concern” for the very same cyber crimes that have been committed due to the lax cyber law of India that they enacted, says Praveen Dalal.

The Centre has in a letter to the State Governments requested them to issue general consent for the handing over of such cases to the CBI. The CBI cannot proceed till the States grant it permission to do so. This step of the Centre may be a compulsion as Indian law enforcement needs Techno-Legal Training to solve cyber crimes effectively. Surprisingly, the Centre is aware that cyber crimes are affecting the life of the general public and cases of phishing, online credit card fraud, hacking, pornography and theft of data, source code and identity are on the rise. It also believes that these cases have national and international ramifications and affect national security. What is not understandable is why such serious crimes have been made bailable and why India has been made a cyber haven for cyber criminals, questions Praveen Dalal.

The only explanation for this strange behaviour of the Indian government may be that it is “confused” regarding its cyber law. Further, the Indian government cannot enact strong and stringent cyber law because the “industry lobbying” of Indian companies would not allow it to do so. Till India acquires good “legislative skill” and shows its will to provide a robust cyber law of India, the confusion will keep on marring the government’s decision making power.

AUTHOR: SHAYAM PRASAD

SOURCE: MYNEWS

Wednesday, January 20, 2010

E-Courts In India Do Not Exist

Use of Information and Communication Technology (ICT) for judicial purposes in India received another major setback when even the Delhi High Court failed to establish the proposed e-court. At Delhi High Court the litigants and lawyers cannot file cases electronically, evidence cannot be submitted through the Internet and many more prerequisites of e-courts are still missing. It seems India has once again failed to establish the first e-court of India.

The establishment of E-Courts in India has always remained a distant dream. Time and again there have been press releases and official statements regarding establishment of e-courts in India. However, these are mere media rumours and there is no relief for the litigants, witnesses, lawyers and judges.

The latest court to join this race is the Delhi High Court. It has been widely publicized in the media that Delhi High Court would open the first e-court of India in the first week of December, 2009. From past experience it was absolutely clear that nothing like that would happen. History repeated itself once again and the Delhi High Court also failed to establish the first e-court of India.

E-court presupposes, at least, a facility to file cases electronically. Till now there is no e-filing facility provided by the Delhi High Court at its website. If cases cannot be filed and fought online, there is no question of a court being called an e-court. If a litigant has to go all the way to the concerned court, then there is no need of any e-courts at all. E-courts facilitate a timely, economical and hassle free litigation system. The same cannot be achieved through an e-court established on paper alone.

The fact remains that India has no e-court. E-courts are much more than mere connectivity and computerisation of traditional courts. The moment e-filing, presentation, contest and adjudication of the cases in an online environment would start, India would surely be capable of establishing e-courts. In the absence of these capabilities, we have to wait for a few more years to get speedier justice in India and all media rumours must be ignored.

SOURCE: MERINEWS

Intelligence Agencies In India Must Be Under Parliament Scrutiny

Intelligence agencies and law enforcement agencies in India are practically operating without a “Parliamentary Scrutiny” and “Constitutionally Sound Legislation”, says Praveen Dalal. Earlier experts like B.S.Dalal have warned that India urgently needs a “Legal Framework” for law enforcement and intelligence agencies. Perry4Law has provided a “10 Point Legal Framework for Law Enforcement and Intelligence Agencies in India” to the Government of India. India has finally given some hints regarding adopting these suggestions. Even political parties of India have now shown interest in this much needed requirement.

The CBI is not at all independent and has been used by successive governments to serve their purposes. Favouring amendments in the Indian Police Act, the former CBI Director Joginder Singh said major reforms for efficient and effective policing are the need of the hour. This reiterates the earlier demand of experts in this direction.

Fortunately, the Vice President of India Mr. Hamid Ansari has suggested bringing the country's intelligence agencies under legislative oversight and the same has been supported by most political parties. Some have expressed their desire that the idea needed to be discussed further.

Congress spokesman Manish Tewari, who is a vibrant reformer in this regard, said that the vice president had raised a very pertinent governance issue. "There is a need to both legally empower and create a mechanism of oversight for our intelligence and law and order agencies. It is an idea whose time has come."

Observer Research Foundation in its report observed that intelligence and enforcement agencies need to have a legal framework and their working should be brought up to speed with present day realities.

Time has come for the Parliament of India to step in and make necessary arrangements on the fronts of scrutiny, accountability and legislation for law enforcement and intelligence agencies of India.

SOURCE: ITVOIR

Tuesday, January 19, 2010

Google Must Choose And Declare Its Priority Now

Google has been “cooperating” with law enforcement and security agencies all over the World. To perform its cooperating task more adequately it is making every possible effort to get the relevant data of its users.

As a result, the privacy and anonymity of its users is more vulnerable to legal and illegal disclosures. At last Google objected to the omnipresent censorship by Chinese authorities and declared that it would withdraw from China.

This situation may also arise at other places of the World, including India. However, the bigger questions are whether Google would cease to operate from China and, if it does not cease its operations, then whether it would no longer censor the results from Chinese netizens, says Praveen Dalal.

If Google does not exercise either of these options then the entire episode would be branded as a “gimmick” to increase “commercial gain” in China and nothing more.

Recently, Google was in controversy for showing Indian Territory differently in three different parts of the World. So much so that Indian Government decided to ban Google maps in India.

Some observers have remarked that by showing different results in different parts of the World Google is trying to make all concerned happy. This smacks of “double standards” on the part of Google and only shows that it is more interested in commercial gains than all other practices objected to by it.

SOURCE: GROUND REPORT

Monday, January 18, 2010

Civil Liberties Protection Or Commercial Gain: What Is Google’s Objective?

Google has been “cooperating” with law enforcement and security agencies all over the World. To perform its cooperating task more adequately it is making every possible effort to get the relevant data of its users. As a result, the privacy and anonymity of its users is more vulnerable to legal and illegal disclosures. At last Google objected to the omnipresent censorship by Chinese authorities and declared that it would withdraw from China. This situation may also arise at other places of the World, including India. However, the bigger questions are whether Google would cease to operate from China and, if it does not cease its operations, then whether it would no longer censor the results from Chinese netizens, says Praveen Dalal. If Google does not exercise either of these options then the entire episode would be branded as a “gimmick” to increase “commercial gain” in China and nothing more. Recently, Google was in controversy for showing Indian Territory differently in three different parts of the World. So much so that Indian Government decided to ban Google maps in India. Some observers have remarked that by showing different results in different parts of the World Google is trying to make all concerned happy. This smacks of “double standards” on the part of Google and only shows that it is more interested in commercial gains than all other practices objected to by it.

The rules of expression of political thoughts and activities on the Internet are pretty simple and very complex at the same time. You are free to dance the way you like America. Play as long and as much as you want in the fabric of the net but don’t brush away national security.

In the Middle East, as in some South American dictatorships and China, the ubiquitous censors monitor every word you write. In India we are a very sensible and sensitive democracy. We do willy-nilly try to follow the game of golden-mean. Information Technology Act of 2008 gives the following guidelines:

(a) Ministry of Communication and Information Technology has the power to block sites and remove content to maintain "public order," as well as for national security and to preserve friendly relations with foreign states.
(b) It requires companies to have a point of contact to receive government blocking requests.
(c) A committee of Indian officials with representatives from ministries such as Law and Home Affairs would review blocking requests.
(d) The accused party/company would have 48 hours to present a case.
(e) Company officials who don't assist the government when blocking is mandated would face a fine and up to seven years in jail.
(f) India's Penal Code, Section 295A

So far things are running almost smoothly and there has been no evidence of any major violations from any horizon. However, the recent confrontation between China and Google does make an interesting story.

A worldwide company DIT was founded in 2001 to provide low-cost, reliable Internet services for people living under repressive regimes. DIT's DynaWeb is a constantly updated, free proxy network designed to circumvent Internet blocking. On 15 September, a volunteer working with DynaWeb, observed that Google's Chinese news was giving one result in China and another in the United States. Bill Xia, CEO of Dynamic Internet Technology (DIT) said, "We were able to confirm this report through proxies in China. Search results inside China do not contain news from blocked sites."

Google tried to water down the issue and made the following response: "In order to create the best possible news search experience for our users, we sometimes decide not to include some sites, for a variety of reasons. They may display improperly in our service, or be inaccessible to users. We have not included links to a number of sources that are not accessible to mainland China Internet users."

Xia remained unconvinced. "The Chinese government controls the media and the military and through them, is able to create a 'Matrix' that hides web sites that relate to civil rights and opinions the Chinese authorities don't want people to see. I condemn it and urge the public to demand that Google explains how it's able to justify the practice." Xia also said that he has demonstrated that Google is using geographical differentiation to display different results to different locations.

Baidu.com is the largest Chinese search engine and Google also has a minority share in it. Two years ago, Baidu infuriated many Chinese Internet users as China's censors had installed new filtering software to keep unwanted information out of the country.

Despite the intellectual flexibility and discretion shown by Google it found that the hackers had attacked 33 other companies, including American companies like Adobe and others. The sophistication of attacks strongly suggests that this operation was either launched by the Chinese government’s agencies, or was approved by them at the least. US Government still cannot do much about it, as Google is unable to prove the allegation on the 100 per cent involvement of the Chinese government.

Google went for a strong retaliation against these hackers by hacking them right back. There are many more moves that might follow in this cyber war between the titans. Let us see how Google navigates the Animal Farm.

AUTHOR: NAIM NAQVI

SOURCE: MERINEWS

Google Hack Code Is In Public

The code used by China-based hackers in cyber attacks against Google and at least 20 other companies has been published on the internet. Code that exploits the yet-to-be-patched Microsoft Internet Explorer vulnerability has appeared on at least one website, according to researchers at security firm McAfee.

Microsoft published a blog post about the vulnerability after it was identified by McAfee researchers investigating the attacks. The public release of the exploit code increases the possibility of widespread attacks using the IE vulnerability, said McAfee chief technology officer George Kurtz in a blog post.

"The now public computer code may help cybercriminals craft attacks that use the vulnerability to compromise Windows systems," he said. According to McAfee, the attack is especially deadly on older systems running Windows XP and IE 6, although versions 7 and 8 are also vulnerable. This is the largest and most sophisticated cyber attack in years targeted at specific corporations, said Kurtz. "What really makes this a watershed moment in cybersecurity is the targeted and coordinated nature of the attack, with the main goal appearing to be to steal core intellectual property," he said.

The attacks prove these threats are no longer the stuff of science fiction, and should be taken seriously by the public and private sectors alike, according to security advisors. Hopefully, the attacks will prompt organisations to review their security and perhaps even discover breaches that have remained hidden for some time, said Tony Dyhouse, director of the UK's Cyber Security Knowledge Transfer Network (CSKTN). "The problem is organisations are often unaware they have been infiltrated and do not take seriously threats they cannot see," he said.

SOURCE: COMPUTER WEEKLY

India Is Suffering From Cyber Anarchy: An Open Letter To Government Of India

India is presently plagued by cyber anarchy. Issues like stringent cyber law, good cyber forensics capabilities, efficient cyber security, etc have still not attracted the attention of government of India.

There are growing incidences of exploitation of Indian cyberspace by cyber criminals and foreign powers. Mr. Praveen Dalal, Managing Partner of Perry4Law and the leading Techno-Legal Expert of India has sent an open letter to the Government of India including the Prime Minister of India, President of India, Supreme Court of India, Ministry of Parliamentary Affairs, etc.

We hope the Government of India would do the needful and all political parties would join hands to rescue Indian cyberspace from cyber crimes and cyber contraventions.

This work is analysing some of the suggestions given by Mr. Praveen Dalal to the Government of India regarding the strategic and policy lacunas of Indian Government in the fields of Cyber Law, Cyber Security, Cyber Forensics, etc.

As a result India has not only become a safe haven for cyber criminals but also a “soft target” for hackers and cyber war criminals worldwide. This work is summarising his suggestions and recommendations (with his approval) and we hope the Government of India in general and the Prime Minister Mr. Manmohan Singh in particular would consider and act upon these suggestions as soon as possible in the larger interest of India.

SOURCE: MYNEWS

Sunday, January 17, 2010

Cyber Terrorism In India: A Government Nightmare

Cyber Terrorism in India is a serious national security problem. India must not take the threats of cyber war and cyber terrorism lightly and should take active steps to prevent them. The Home Ministry of India must take some serious steps to ensure robust cyber security in India so that threats of cyber war and cyber terrorism can be prevented and cured at an earlier stage. Even the cyber laws all over the world must be stringent and reasonable so that these nefarious activities can be curbed.

Cyber terrorism is the premeditated use of disruptive activities, or the threat thereof, in cyber space, with the intention to further social, ideological, religious, political or similar objectives, or to intimidate any person in furtherance of such objectives.

Computers and the internet are becoming an essential part of our daily life. They are being used by individuals and societies to make their life easier. They use them for storing information, processing data, sending and receiving messages, communications, controlling machines, typing, editing, designing, drawing, and almost all aspects of life.

The most deadly and destructive consequence of this helplessness is the emergence of the concept of “cyber terrorism”. The traditional concepts and methods of terrorism have taken new dimensions, which are more destructive and deadly in nature. In the age of information technology the terrorists have acquired an expertise to produce the most deadly combination of weapons and technology, which if not properly safeguarded in due course of time, will take its own toll. The damage so produced would be almost irreversible and most catastrophic in nature. In short, we are facing the worst form of terrorism popularly known as “Cyber Terrorism”.

The law dealing with cyber terrorism is, however, not adequate to meet the precarious intentions of these cyber terrorists and requires a rejuvenation in the light and context of the latest developments all over the world.

Terrorists prefer cyber attack methods because of their many advantages. These are:

1. It is cheaper than traditional methods.
2. The action is very difficult to track.
3. They can hide their identities and location.
4. There are no physical barriers or check points to cross.
5. They can do it remotely from anywhere in the world.
6. They can use this method to attack a large number of targets.
7. They can affect a large number of people.

Forms of cyber terrorism

(I) Privacy violation: Law of privacy is the recognition of the individual’s right to be let alone and to have his personal space inviolate. The right to privacy as an independent and distinctive concept originated in the field of Tort law, under which a new cause of action for damages resulting from unlawful invasion of privacy was recognized.

(II) Secret information appropriation and data theft: Information technology can be misused for appropriating valuable Government secrets and the data of private individuals, the Government and its agencies.

(III) Demolition of e-governance base: The aim of e-governance is to make the interaction of the citizens with the government offices hassle free and to share information in a free and transparent manner. It further makes the right to information a meaningful reality. In a democracy, people govern themselves and they cannot govern themselves properly unless they are aware of social, political, economic and other issues confronting them. This right to receive information is, however, not absolute but is subject to reasonable restrictions which may be imposed by the Government in public interest.

(IV) Distributed denial of services attack: The cyber terrorists may also use the method of distributed denial of services (DDOS) to overburden the electronic bases of the Government and its agencies. This is made possible by first infecting several unprotected computers by way of virus attacks and then taking control of them. Once control is obtained, they can be manipulated from any locality by the terrorists. These infected computers are then made to send information or requests in such large numbers that the server of the victim collapses.

(V) Network damage and disruptions: The main aim of cyber terrorist activities is to cause damage to and disruption of networks. This activity may divert the attention of the security agencies for the time being, thus giving the terrorists extra time and making their task comparatively easier. This process may involve a combination of computer tampering, virus attacks, hacking, etc. The intention of a cyber terrorism attack could range from economic disruption, through the interruption of financial networks and systems, to use in support of a physical attack to cause further confusion and possible delays in proper response.

Effects of Cyber Terrorism on economic & social life

Direct Cost Implications

• Loss of sales during the disruption
• Staff time, network delays, intermittent access for business users
• Increased insurance costs due to litigation
• Loss of intellectual property – research, pricing, etc.
• Costs of forensics for recovery and litigation
• Loss of critical communications in time of emergency.

Indirect Cost Implications

• Loss of confidence and credibility in our financial systems
• Tarnished relationships and public image globally
• Strained business partner relationships – domestically and internationally
• Loss of future customer revenues for an individual or group of companies
• Loss of trust in the government and computer industry


The following are notable incidents of cyber terrorism:

• In 1998, ethnic Tamil guerrillas swamped Sri Lankan embassies with 800 e-mails a day over a two-week period. The messages read “We are the Internet Black Tigers and we’re doing this to disrupt your communications.” Intelligence authorities characterized it as the first known attack by terrorists against a country’s computer systems.

• During the Kosovo conflict in 1999, NATO computers were blasted with e-mail bombs and hit with denial-of-service attacks by hacktivists protesting the NATO bombings. In addition, businesses, public organizations, and academic institutes received highly politicized virus-laden e-mails from a range of Eastern European countries, according to reports. Web defacements were also common.

• Since December 1997, the Electronic Disturbance Theater (EDT) has been conducting Web sit-ins against various sites in support of the Mexican Zapatistas. At a designated time, thousands of protestors point their browsers to a target site using software that floods the target with rapid and repeated download requests. EDT’s software has also been used by animal rights groups against organizations said to abuse animals. Electrohippies, another group of hacktivists, conducted Web sit-ins against the WTO when they met in Seattle in late 1999.

Interpol, with its 178 member countries, is doing a great job in fighting against cyber terrorism. It is helping all the member countries and training their personnel. The Council of Europe Convention on Cyber Crime, which is the first international treaty for fighting against computer crime, is the result of 4 years' work by experts from the 45 member and non-member countries including Japan, USA, and Canada. This treaty has already entered into force after its ratification by Lithuania on 21st of March 2004. The Association of South East Asia Nations (ASEAN) has set plans for sharing information on computer security. They are going to create a regional cyber-crime unit by the year 2005.

The protection of I.T.A can be claimed for:

(a) Preventing privacy violations,
(b) Preventing information and data theft,
(c) Preventing distributed denial of services attack (DDOS), and
(d) Preventing network damage and destruction.

Here are a few key things to remember to protect against cyber-terrorism:

1. All accounts should have passwords, and the passwords should be unusual and difficult to guess.
2. Change the network configuration when defects become known.
3. Check with vendors for upgrades and patches.
4. Audit systems and check logs to help in detecting and tracing an intruder.
5. If you are ever unsure about the safety of a site, or receive suspicious email from an unknown address, don’t access it. It could be trouble.

The problems associated with the use of malware are not peculiar to any particular country, as the menace is global in nature. Countries all over the world are facing this problem and are trying their level best to eliminate it. The problem, however, cannot be effectively curbed unless popular public support and a vigilant judiciary back the effort. The legislature cannot enact a law against the general public opinion of the nation at large. Thus, public support must first be obtained not only at the national level but at the international level as well. People all over the world are not against the enactment of statutes curbing the use of malware, but they are conscious of their legitimate rights. Thus, the law to be enacted by the legislature must take care of public interest on a priority basis. This can be achieved if a suitable technology is supported by apt legislation, which can exclusively take care of the menace created by the computers sending the malware. Thus, the self-help measures recognized by the legislature should not be disproportionate to or in excess of the threat posed by the malware. Further, while using such self-help measures the property and rights of the general public should not be affected.

Referred Works

1. Praveen Dalal, Cybercrime and cyberterrorism: Preventive defense for cyberspace violations

2. Praveen Dalal, Private defence in cyberspace

3. Wikipedia, Cyberterrorism

4. Praveen Dalal, Techno-Legal Compliance In India: An Essential Requirement