"It is easy to see the faults of others but not so easy to see one’s own faults."
These words of Gautam Buddha hold true even in today’s digitalized world. The ability of criminals to easily misuse technology to commit crimes is blamed upon weaknesses in computer software. Rarely does the common man realize that the spread of cyber crime can be attributed more to his ignorance than to anything else.
Based upon 7 years of real world cyber crime investigations, ethical hacking and penetration testing, we at Asian School of Cyber Laws (ASCL) came to two very fundamental conclusions –
1. most cyber crimes are committed using one of 5 methods,
2. most cyber crimes can be prevented by user awareness of these 5 methods.
5. Computer Viruses & Worms
Not many people know that two brothers from Pakistan are (dis)credited with having created the world’s first computer virus. From the humble beginnings of the Brain virus, today’s computer virus packs quite a punch with artificial intelligence, encrypted source code and dynamic payloads.
Several viruses and worms have caught public attention with the sheer magnitude of their impact e.g. Melissa, Love Bug, SQL Slammer, Chernobyl, Nimda etc.
Viruses can be of various types such as polymorphic, stealth, multipartite, armored, companion etc. But deep down they are usually created for one primary purpose – to damage data. And most modern viruses have a highly successful track record.
Worms on the other hand are usually created to eat into your computer and network resources.
Of late a disturbing trend is the marriage of viruses, worms, Trojans and other malicious code to produce a highly evolved artificial intelligence enabled code that we at ASCL have nicknamed hydra (HYbrid Data Raiding Agents). So far hydra are confined to sophisticated information warfare attacks where national interest and high finance is the motivation.
Hydra are in contrast to simpler viruses and worms which are primarily created to damage random computers. Hydra on the other hand are sent to carefully selected computers and are almost never found in the wild.
Because of this there is almost no known anti-virus program that is effective on hydra.
4. Trojans & Spyware
The term Trojan has a rather romantic and violent origin in the unfortunate events surrounding Helen of Troy. True to the origins of the word, computer Trojans are software programs that appear to be very useful but in reality enable malicious hackers to control the computers on which they are installed.
Script kiddies regularly use Trojans to cause serious damage to unsuspecting victims. Trojans are very easy to download and deploy and are most commonly sent as attachments to spoofed e-mails. The recipient of the e-mail believes that his friend / colleague has sent him an e-card or an important document and so he unsuspectingly downloads and runs the file on his computer.
Once the Trojan is installed on a computer the computer virtually becomes a free-for-all computer which people around the world can easily break into.
Case: A young lady reporter was working on an article about online relationships. The article focused on how people can easily find friendship and even love on the Internet. During the course of her research she made a lot of online friends. One of these ‘friends’ managed to infect her computer with a Trojan.
This young lady stayed in a small one bedroom apartment and her computer was located in one corner of her bedroom. Unknown to her, the Trojan could activate her web camera and microphone even when the Internet was switched off. A year later she realized that hundreds of her pictures were posted on pornographic sites around the world!
Case: The network administrator in a global bank received a beautifully packed CD ROM containing “security updates” from the company that developed the operating system that ran his bank’s servers. He installed the “updates” which in reality was Trojanized software. Three years later, the effects are still being felt in the bank’s system!
Spyware and key loggers are regularly used to log all the keystrokes a victim makes on the keyboard. This assumes sinister proportions if a key logger is installed on a computer which is regularly used for online banking and other financial transactions.
Key-loggers and spyware are most commonly found in public computers such as those in cyber cafes, hotels etc. Unsuspecting victims also end up downloading spyware when they click on “friendly” offers for free software.
1. Do not download email attachments unless you are sure about the authenticity of the email.
2. Use good anti-virus software (many are available for free).
3. Regularly download updates for the anti-virus software. If your software has an auto update facility, use it.
4. Regularly apply updates and security patches to your operating system. For Windows users, the “automatic updates” option should be turned on.
5. Do not go “click happy” to download free software from pop-up advertisements. Almost always there is a catch!
6. Use a personal firewall (e.g. ZoneAlarm) and enable the firewall and other safety options in your operating system.
3. Phishing & Spoofing attacks
In the 19th century, British comedian Arthur Roberts invented a game called Spoof, which involved trickery and nonsense. This gave the English speaking world a new word that today symbolizes a gamut of hacking technologies.
Spoofing attacks primarily include e-mail spoofing, SMS spoofing, IP spoofing, and web spoofing. Spoofing attacks are used to trick people into divulging confidential information (e.g. credit card data) or doing something that they would usually not do (e.g. installing malicious software on their own computers).
Such use of spoofing attacks is commonly referred to as Phishing.
Sending an e-mail from somebody else’s e-mail ID is the simplest form of Email spoofing. Innumerable tools exist on the Internet which can easily be used to send e-mails appearing to have been sent by somebody else. The effects are intense.
Case: Customers of ABC bank received an email from the bank asking them to verify their usernames and passwords for the bank records. The emails were spoofed, but thousands of customers clicked on the link in the email and submitted their login information at the webpage that opened up. On investigation it was found that the emails had been sent by a disgruntled employee.
Case: Thousands of employees of a global IT company ended up installing viruses on their computers when they executed an attachment appearing to have been sent out by their officers. The employees even disabled the anti-virus software because the email said that “the attachment may be incorrectly detected as a virus!” On investigation it was found that the emails had been sent out by a rival company.
SMS spoofing is very similar to e-mail spoofing. The major difference is that a cell phone number is spoofed instead of an email ID, and a spoofed SMS is sent instead of a spoofed e-mail.
Case: A young lady received an SMS from her husband’s cell phone informing her that he had had an accident and was at the hospital and urgently needed money. On receiving the SMS, she rushed out of the house with the money. She was attacked and robbed by the person who had sent her the spoofed SMS.
An IP address (e.g. 184.108.40.206) is the primary identification of a computer connected to a network (e.g. the Internet). A criminal usually uses IP spoofing to bypass IP based authentication or to mislead investigators by leaving a trail of false evidence.
IP spoofing can be accomplished using proxy servers and simple PHP scripts that are readily and freely available online.
Case: Internet users in many countries use proxy servers to bypass Government imposed Internet censorship. (We are not passing any comment on whether is it right or wrong to impose Internet censorship or bypass it, as the case may be.)
Case: A criminal hacked into the computer systems of a sensitive Government organization. The digital trail that he left behind led to a senior official of the same department. This officer would have been arrested immediately had it not been for his impeccable record. Detailed investigations proved that the digital trail was faked.
When you sit at a computer, open up a browser and type in www.asianlaws.org, you expect to reach the correct website (and most often you do!). This is because of the domain name system which converts human readable domain names such as asianlaws.org into computer readable IP addresses such as 220.127.116.11.
DNS spoofing involves manipulating the domain name system to take unsuspecting victims to fake websites (that look identical to the original ones). Sitting at the computer you may type in www.asianlaws.org but the site that opens up may be a fake site!
This can and has been done at the local organizational level (e.g. by hosts file rewriting or by a network administrator with malicious intentions) or at the national or international level (by hackers exploiting vulnerabilities in the BIND software that runs most of the world’s domain name servers).
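The local form of this attack, rewriting the hosts file, is the easiest one to check for: every operating system consults that file before it asks a DNS server, so a single added line silently redirects a name. The program below is an added example written for this article, not ASCL's own tool. It parses a constructed hosts file and flags any line that maps a monitored name (www.asianlaws.org is used because it appears above) to an address outside an allow-list the administrator maintains; the IP addresses in the sample are drawn from the documentation (TEST-NET) ranges and are not the organisation's real records.

```go
package main

import (
	"bufio"
	"fmt"
	"net"
	"strings"
)

// Constructed sample hosts file. The 203.0.113.7 entry is the hypothetical
// override: it sends the name to an address the organisation does not use.
const sampleHosts = `127.0.0.1       localhost
::1             localhost
# corporate additions
10.0.0.5        intranet.example.local
203.0.113.7     www.asianlaws.org
198.51.100.9    www.asianlaws.org
`

// expectedAddrs is the defender's allow-list: the addresses each monitored
// name is known to resolve to (constructed values for this example).
var expectedAddrs = map[string][]string{
	"www.asianlaws.org": {"198.51.100.9"},
}

// HostsEntry is one parsed, non-comment line of a hosts file.
type HostsEntry struct {
	IP    string
	Names []string
	Line  int
}

// ParseHosts reads hosts-file text, skipping blank lines, comments and
// lines whose first field is not a valid IPv4/IPv6 address.
func ParseHosts(text string) []HostsEntry {
	var entries []HostsEntry
	sc := bufio.NewScanner(strings.NewReader(text))
	for n := 1; sc.Scan(); n++ {
		line := sc.Text()
		if i := strings.IndexByte(line, '#'); i >= 0 {
			line = line[:i] // strip trailing comment
		}
		fields := strings.Fields(line)
		if len(fields) < 2 || net.ParseIP(fields[0]) == nil {
			continue
		}
		entries = append(entries, HostsEntry{IP: fields[0], Names: fields[1:], Line: n})
	}
	return entries
}

// AuditHosts returns a finding for every entry that maps a monitored name
// to an address outside its allow-list: the local DNS override the text
// describes. Names that are not monitored are ignored.
func AuditHosts(text string) []string {
	var findings []string
	for _, e := range ParseHosts(text) {
		for _, name := range e.Names {
			allowed, monitored := expectedAddrs[strings.ToLower(name)]
			if !monitored {
				continue
			}
			ok := false
			for _, a := range allowed {
				if net.ParseIP(a).Equal(net.ParseIP(e.IP)) {
					ok = true
				}
			}
			if !ok {
				findings = append(findings,
					fmt.Sprintf("line %d: %s -> %s (expected %v)", e.Line, name, e.IP, allowed))
			}
		}
	}
	return findings
}

func main() {
	for _, f := range AuditHosts(sampleHosts) {
		fmt.Println("hosts override:", f)
	}
}
```

On a real machine the file to feed in is /etc/hosts on Unix-like systems and C:\Windows\System32\drivers\etc\hosts on Windows; a scheduled run that compares the findings against the previous run is enough to notice the kind of change the administrator-level attack above depends on.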
Case: Hundreds of employees at a global financial services company received emails from a popular online store about a huge discount on some popular books and DVDs. On clicking the link in the email, users were taken to what appeared to be the website of the online store. Most of the recipients of the emails placed orders using their credit cards. No one got the books / DVDs, but they all got hefty credit card bills at the end of the month.
On investigation it was uncovered that the network administrators had connived to carry out a simple Phishing attack. It was a fake email and a fake website. None of the victims (most of whom were advanced computer users) realized that something was amiss.
1. Use digital signatures to authenticate your emails. This technology is very cheap (sometimes free!) and easy to use. Digitally signed documents enjoy legal validity in many countries.
(Visit www.asianlaws.org/cyberlaw/library to learn more about digital signatures.)
2. Avoid accessing your primary email account(s) from a public computer. You can set up secondary email accounts for non critical work.
3. Treat with suspicion any email which makes an urgent request for your credit card or online banking account details.
4. If you suspect an email, do not click on the links in the email. Open up your browser and type in the URL.
5. Ensure that your operating system and Internet browser are updated regularly.
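Point 1 above rests on one property of a digital signature: it is computed over the exact message with the sender's private key, so a spoofed or altered message fails to verify against the sender's public key. The program below is an added example written for this article, not ASCL's code and not the signing scheme of any mail client; it uses a raw Ed25519 signature from Go's standard library to show the principle that S/MIME and OpenPGP build on. The message text, sender and recipient are invented, and the key pair is generated on the spot (a real sender keeps the private key in a key store and publishes only the public key).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"strings"
)

// Constructed sample message (headers and body are invented).
const sampleMail = "From: accounts@bank.example\r\n" +
	"To: customer@example.org\r\n\r\n" +
	"Your statement for March is attached."

// Signer holds a sender's Ed25519 key pair.
type Signer struct {
	Public  ed25519.PublicKey
	private ed25519.PrivateKey
}

// NewSigner generates a fresh key pair.
func NewSigner() (*Signer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Signer{Public: pub, private: priv}, nil
}

// Sign returns a detached signature over the message bytes.
func (s *Signer) Sign(msg []byte) []byte {
	return ed25519.Sign(s.private, msg)
}

// Verify checks msg against sig with the sender's public key, which the
// recipient obtained once, out of band (a directory or a certificate).
func Verify(pub ed25519.PublicKey, msg, sig []byte) bool {
	return ed25519.Verify(pub, msg, sig)
}

// Result records the three checks a recipient cares about.
type Result struct {
	Genuine  bool // untouched message, sender's key: must verify
	Tampered bool // one word changed, same signature: must fail
	WrongKey bool // same message, impostor's key: must fail
}

// Demo signs the sample, then tries the two things a spoofer can do:
// alter the text, or claim the message came from a key they do not hold.
func Demo() (Result, error) {
	sender, err := NewSigner()
	if err != nil {
		return Result{}, err
	}
	impostor, err := NewSigner()
	if err != nil {
		return Result{}, err
	}
	msg := []byte(sampleMail)
	sig := sender.Sign(msg)
	forged := []byte(strings.Replace(sampleMail, "March", "April", 1))
	return Result{
		Genuine:  Verify(sender.Public, msg, sig),
		Tampered: Verify(sender.Public, forged, sig),
		WrongKey: Verify(impostor.Public, msg, sig),
	}, nil
}

func main() {
	r, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine verifies: %v, tampered verifies: %v, wrong key verifies: %v\n",
		r.Genuine, r.Tampered, r.WrongKey)
}
```

The design point is where trust comes from: the signature proves nothing unless the recipient already holds the right public key, which is why the real systems wrap the key in a certificate or a web of trust rather than sending it along with the mail.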
2. Packet Sniffing
On computer networks, data travels in the form of data packets. A packet sniffer can be used to read these packets while they are in transit.
On the legitimate side system administrators use this technology to monitor and troubleshoot network traffic. On the criminal side, this technology can easily be used to sniff out username and password information, credit card details etc.
Surprisingly, such sensitive information is generally transmitted in clear text from your computer to the web server. Such plain text information can easily be viewed with packet sniffing technology.
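What "clear text" means in practice is that the bytes of a login form submitted over plain HTTP are a readable HTTP request to anyone on the path, whereas the same form over HTTPS is an opaque TLS record. The program below is an added example written for this article, not ASCL's software; it is the check a network administrator runs over captured traffic to find applications that still send credentials unencrypted. Both payloads are constructed for the example (the host bank.example, the path /login and the credentials are invented, and the TLS bytes are a fragment shaped like a ClientHello record, not a real capture).

```go
package main

import (
	"bufio"
	"bytes"
	"fmt"
	"net/http"
	"strings"
)

// Constructed sample: the TCP payload of a login form sent over plain
// HTTP, exactly as it would appear to a sniffer on the path.
const capturedHTTP = "POST /login HTTP/1.1\r\n" +
	"Host: bank.example\r\n" +
	"Content-Type: application/x-www-form-urlencoded\r\n" +
	"Content-Length: 38\r\n" +
	"\r\n" +
	"username=alice&password=S3cret%21&ok=1"

// Constructed sample: the first bytes of a TLS record (handshake, version
// 3.1). With HTTPS this is all a sniffer sees of the same login.
var capturedTLS = []byte{0x16, 0x03, 0x01, 0x00, 0x05, 0x01, 0x00, 0x00, 0x01, 0x00}

// sensitiveFields are form parameter names treated as credentials.
var sensitiveFields = []string{"password", "passwd", "pwd", "pin", "cardnumber", "cvv"}

// Finding records one credential field observed in clear text.
type Finding struct {
	Host  string
	Path  string
	Field string
}

// IsTLS reports whether a payload starts like a TLS record (handshake or
// application data, major version 3) rather than readable text.
func IsTLS(payload []byte) bool {
	return len(payload) >= 3 && (payload[0] == 0x16 || payload[0] == 0x17) && payload[1] == 0x03
}

// AuditPayload parses a captured TCP payload as an HTTP request and returns
// the credential-looking form fields it carries. A TLS payload yields no
// findings because nothing in it is readable; non-HTTP data is an error.
func AuditPayload(payload []byte) ([]Finding, error) {
	if IsTLS(payload) {
		return nil, nil
	}
	req, err := http.ReadRequest(bufio.NewReader(bytes.NewReader(payload)))
	if err != nil {
		return nil, err
	}
	if err := req.ParseForm(); err != nil {
		return nil, err
	}
	var out []Finding
	for name := range req.PostForm {
		for _, s := range sensitiveFields {
			if strings.ToLower(name) == s {
				out = append(out, Finding{Host: req.Host, Path: req.URL.Path, Field: name})
			}
		}
	}
	return out, nil
}

func main() {
	for _, sample := range [][]byte{[]byte(capturedHTTP), capturedTLS} {
		findings, err := AuditPayload(sample)
		if err != nil {
			fmt.Println("not parseable as HTTP:", err)
			continue
		}
		if len(findings) == 0 {
			fmt.Println("nothing readable in this payload")
		}
		for _, f := range findings {
			fmt.Printf("clear-text credential: field %q sent to %s%s\n", f.Field, f.Host, f.Path)
		}
	}
}
```

The match on field names is a deliberate simplification; a production check would also look at HTTP Basic authentication headers and at non-web protocols (FTP, POP3, Telnet) that carry passwords in the same way.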
Case: A disgruntled former employee of a global trading corporation had installed Trojans in some of the company computers before resigning from his job. Subsequently, he used the Trojans to install packet sniffing software on the infected computers. Using these compromised computers, he was able to view huge amounts of sensitive information. His earnings from selling this information to rival companies were more than that of the Chairman of the company!
Packet sniffers are not very difficult to install and use, yet they are difficult to detect. With the growing popularity of wireless networks in companies and even in public places, the risks are even higher.
Case: ASCL recently conducted experiments near several software parks. The wireless networks of a whopping 90% of the software companies were leaking out sensitive information. A malicious hacker could easily sit in a parked car with a laptop, run some sniffing software and access huge amounts of sensitive data including source codes!
If someone gets an email telling him that he has won a huge lottery, what is the first thing that he should do? Ask himself – did I even buy a ticket for this lottery? If you have not bought the ticket, how can you win the lottery? If you still want to believe it and then even pay a “small” processing fee, who can you blame if you get defrauded?
Every time that you download “free” software, that promises to change your very way of life, from a popup advertisement, you risk compromising your entire digital identity.
Today your computer holds the key to your digital life – your health records, bank accounts, online share trading accounts, email accounts, utility bills, credit card information, tax filings.... the list is endless.