Transcript Document

History of Cyber Crime

When did this new and insidious variety of crime actually come into being? One may say that the concept of the computer came with the invention of the first abacus, hence it can be said that “cybercrime” per se has been around ever since people used calculating machines for wrong purposes. However, cybercrime has shown itself as a serious threat to society for less than a decade.

• • The first recorded cyber crime took place in the year 1820! That is not surprising considering the fact that the abacus, which is thought to be the earliest form of a computer, has been around since 3500 B.C. in India, Japan and China. The era of modern computers, however, began with the analytical engine of Charles Babbage.

• In 1820, Joseph-Marie Jacquard, a textile manufacturer in France, produced the loom. This device allowed the repetition of a series of steps in the weaving of special fabrics. This resulted in a fear amongst Jacquard's employees that their traditional employment and livelihood were being threatened. They committed acts of sabotage to discourage Jacquard from further use of the new technology. This is the first recorded cyber crime!

• Cyber crimes—harmful acts committed from or against a computer or network— differ from most terrestrial crimes in four ways. • • They are easy to learn how to commit; they require few resources relative to the potential damage caused; • they can be committed in a jurisdiction without being physically present in it; • and they are often not clearly illegal.

• Laws of most countries do not clearly prohibit cyber crimes. Existing terrestrial laws against physical acts of trespass or breaking and entering often do not cover their “virtual” counterparts. Web pages such as the e-commerce sites recently hit by widespread, distributed denial of service attacks may not be covered by outdated laws as protected forms of property.

• • • • • Criminal statutes have been extended into cyberspace to cover ten different types of cyber crime in four categories: data-related crimes, including interception, modification, and theft; network-related crimes, including interference and sabotage; crimes of access, including hacking and virus distribution; and associated computer-related crimes, including aiding and abetting cyber criminals, computer fraud, and computer forgery.

What is a Computer Crime?

• • • • • • • • • Hacking Computer "Pirates" Copyright violations have civil and criminal remedies.

Financial crimes Cyber pornography Sale of illegal articles Intellectual Property crimes Forgery Cyber Defamation

Hacking

• The actual word is “Cracking” and not “Hacking”. • 'Hackers' are very intelligent people who use their skill in a constructive and positive manner. They help the government to protect national documents of strategic importance, help organisations to protect documents and company secrets, and even sometimes help justice to meet its end by extracting out electronic evidence.

Hacking has been defined as "Deliberately gaining unauthorised access to an information system."

Contd…

• A cracker is generally someone who breaks into someone else's computer system, often on a network, bypasses passwords or licenses in computer programs or in other ways intentionally breaches computer security. A cracker can be doing this for profit, maliciously, for some altruistic purpose or cause, or because the challenge is there. Some breaking-and-entering has been done ostensibly to point out weaknesses in a site's security system.

• But with time , both the word are used interchangeably.

Contd…

What Hackers Do?

• • • • Criminals Can Operate Anonymously Over the Computer Networks.

Hackers Invade Privacy Hackers Destroy "Property" in the Form of Computer Files or Records Hackers Injure Other Computer Users by Destroying Information Systems

Contd…

• • • •

Code Hackers

- They know computers inside out. They can make the computer do nearly anything they want it to

Crackers -

They break into computer systems. Circumventing Operating Systems and their security is their favourite past time. It involves breaking the security on software applications.

Cyber Punks -

They are the masters of cryptography.

Phreakers -

They combine their in-depth knowledge of the Internet and the mass telecommunications system

A number of Internet credit card schemes involve computer hacking as the means of accessing the numbers.

• An active hackers’ group, led by one “Dr. Nuker”, who claims to be the founder of Pakistan Hackerz Club, reportedly hacked the websites of the Indian Parliament, Ahmedabad Telephone Exchange, Engineering Export Promotion Council, and United Nations (India).

• For example, in

United States v. Bosanac

, the defendant was involved in a computer hacking scheme that used home computers for electronic access to several of the largest United States telephone systems and for downloading thousands of calling card numbers (access codes). The defendant, who pleaded guilty to possession of unauthorized access devices and computer fraud, used his personal computer to access a telephone system computer and to download and transfer thousands of access codes relating to company calling card numbers. In taking these codes, the defendant used a computer program he had created to automate the downloading, and instructed his coconspirators on how to use the program. The defendant admitted that the loss suffered by the company as a result of his criminal conduct was $955,965. He was sentenced to eighteen months' imprisonment and $10,000 in restitution.

Contd…

Virus Builders -

Virus incidents have resulted in significant and data loss at some stage or the other. The loss could be on account of: - Viruses - A virus is a programme that mayor may not attach itself to a file and replicate itself. It can attack any area: from corrupting the data of the file that it invades, using the computer's processing resources in attempt to crash the machine and more.

- Worms - Worms may also invade a computer and steal its resources to replicate themselves. They use the network to spread themselves. "Love bug" is a recent example

Contd…

- Worms Worms may also invade a computer and steal its resources to replicate themselves. They use the network to spread themselves. "Love bug" is a recent example Trojan horse Trojan horse is dicey. It appears to do one thing but does something else. The system may accept it as one thing. Upon execution, it may release a virus, worm or logic bomb.

• There are many simple ways of installing a Trojan in someone’s computer. To cite an example, two friends Rahul and Mukesh (names changed), had a heated argument over one girl, Radha (name changed) whom they both liked. When the girl, asked to choose, chose Mukesh over Rahul, Rahul decided to get even. On the 14th of February, he sent Mukesh a spoofed e-card, which appeared to have come from Radha’s mail account. The e-card actually contained a Trojan. As soon as Mukesh opened the card, the Trojan was installed on his computer. Rahul now had complete control over Mukesh’s computer and proceeded to harass him thoroughly.

• • •

Internet time theft

This connotes the usage by an unauthorized person of the Internet hours paid for by another person. In May 2000, the economic offences wing, IPR section crime branch of Delhi police registered its first case involving theft of Internet hours. In this case, the accused, Mukesh Gupta an engineer with Nicom System (p) Ltd. was sent to the residence of the complainant to activate his Internet connection. However, the accused used Col. Bajwa’s login name and password from various places causing wrongful loss of 100 hours to Col. Bajwa. Delhi police arrested the accused for theft of Internet time.

• On further inquiry in the case, it was found that Krishan Kumar, son of an ex army officer, working as senior executive in M/s Highpoint Tours & Travels had used Col Bajwa’s login and passwords as many as 207 times from his residence and twice from his office. He confessed that Shashi Nagpal, from whom he had purchased a computer, gave the login and password to him.

• • The police could not believe that time could be stolen. They were not aware of the concept of time-theft at all. Colonel Bajwa’s report was rejected. He decided to approach The Times of India, New Delhi. They, in turn carried a report about the inadequacy of the New Delhi Police in handling cyber crimes. The Commissioner of Police, Delhi then took the case into his own hands and the police under his directions raided and arrested Krishan Kumar under sections 379, 411, 34 of IPC and section 25 of the Indian Telegraph Act.

Web jacking

• • This occurs when someone forcefully takes control of a website (by cracking the password and later changing it). The actual owner of the website does not have any more control over what appears on that website. In a recent incident reported in the USA the owner of a hobby website for children received an e-mail informing her that a group of hackers had gained control over her website. They demanded a ransom of 1 million dollars from her. The owner, a schoolteacher, did not take the threat seriously. She felt that it was just a scare tactic and ignored the e-mail.

• • It was three days later that she came to know, following many telephone calls from all over the country, that the hackers had web jacked her website. Subsequently, they had altered a portion of the website which was entitled ‘How to have fun with goldfish’. In all the places where it had been mentioned, they had replaced the word ‘goldfish’ with the word ‘piranhas’. Piranhas are tiny but extremely dangerous flesh eating fish. Many children had visited the popular website and had believed what the contents of the website suggested. These unfortunate children followed the instructions, tried to play with piranhas, which they bought from pet shops, and were very seriously injured!

Contd…

• Logic bomb - A logic bomb is an attack triggered by an event, like computer clock reaching a certain date. Chernobyl and Melissa viruses are the recent examples .

Computer Piracy

• Computer "Pirates" Steal Intellectual Property. They also harm your computer by installing viruses or spy ware, or allow others to access the files contained on your hard drive beyond those you intend to share.

Copy Right violation

Copyright violations have civil and criminal remedies

Financial Crimes

• This would include cheating, credit card frauds, money laundering etc.

• Misappropriation of funds by manipulation of computer records was reported, wherein Punjab National Bank was cheated to the tune of Rs. 1.39 crores through false debits and credits in computerized accounts. In another case, Rs. 2.5 lakhs were misappropriated from Bank of Baroda through falsification of computerized bank accounts.

• In April 2001, the Hyderabad police arrested two persons, namely, Manohar, an unemployed computer operator and his friend, Moses who was a steward in a prominent five-star hotel in the city. They were arrested and charged under various sections of the IPC and the IT Act for stealing and misusing credit card numbers belonging to others.

• Moses, being a steward in the hotel noted down the various details of the credit cards, which were handed by clients of the hotel for paying their meal bills. Then, he passed all the details of the various credit cards to his computer operator friend Manohar. Manohar used the details to make online purchases on various websites such as sify.com and rediff.com. The case was unearthed on the complaint of a prominent businessman who had visited the five-star hotel for dinner and had paid the bill by credit card through the steward, Moses.

• One approach to retail fraud has involved placing banner advertisements on an auction site that offers the same types of goods being auctioned. Prospective buyers who click on the banner advertisement are taken to a different Website that is not part of the auction site, and that offers none of the protections that leading auction Websites have adopted for their members. Another approach involves using unsolicited commercial e-mail ("spam") to lure prospective victims to a Website which purports to sell items of the same type that are available through well-known online auction sites.

• In a variation of this approach, the criminals send counterfeit merchandise in place of the promised merchandise. A third approach involves the criminal contacting losing bidders in a particular online auction, informing them that additional units of the item on which they bid have become available, and taking the bidders' money without delivering the items.

• Two additional aspects that are unique to online auctions are "shill bidding" and "shill feedback." "Shills" are bidders who have no genuine interest in the merchandise on which they are bidding, but have been hired to place bids in order to create an appearance of interest and prompt genuine bidders to bid higher than they might have otherwise. In online auctions, criminals can take advantage of multiple e-mail addresses and false identities to place shill bids.

• In

United States v. Lee

, the defendant knew that the Hawaii Marathon Association operated a Website with the Uniform Resource Locator (URL) "www.hawaiimarathon.org" to provide information about the Marathon and enable runners to register online. Although he had no affiliation with the real Hawaii Marathon, he copied the authorized Marathon Website, and created his own Website with the confusingly similar name, "www.hawaiimarathon.com." Runners who came to his Website thinking that it was the real Hawaii Marathon site were charged a $165 registration fee -- $100 more than the real site charged for entry. The defendant also operated another Website where he sold Viagra over the Internet without a prescription. (The defendant later pleaded guilty to wire fraud and unlawful sale of Viagra, and in February 2001 was given a split sentence of ten months imprisonment.)

• Online auction fraud typically involves several recurring approaches. The most common approach appears to be the offering of some valuable item, such as computers, high-priced watches, or collectible items, through a known online auction site. The individuals who are informed that they are successful bidders send their money to the seller, but never receive the promised merchandise.

• "Pump-and-Dump." The most widely publicized form of online market manipulation is the so called "pump and dump" scheme. In a "pump and dump," criminals identify one or more companies whose stock is thinly traded or not traded at all, then adopt various means to persuade individual online investors to buy that company's stock. These means can include posting favorable, but false and misleading, representations on financial message boards or Websites, and making undisclosed payments to people who are ostensibly independent but who will recommend that stock.

• Once the price has increased sufficiently, the participants in the scheme -- who may be company insiders, outsiders, or both, sell their stock, and the stock price eventually declines sharply, leaving uninformed investors with substantial financial losses. While an outsider who merely expresses his opinions about the worth or likely increase or decrease of a particular stock may not be committing criminal fraud, outsiders or insiders whose conduct extends beyond mere advocacy to manipulation of markets for their personal profit by giving the public false and misleading information may violate securities fraud statutes and other criminal statutes.

• "Cyber smear." The converse of the "pump and dump" is the "cyber smear." A "cyber smear" scheme is organized in the same basic manner as a "pump-and- dump," with one important difference: the object is to induce a decline in the stock's price, to permit the criminals to realize profits by short-selling. To accomplish a sufficiently rapid decline in the stock's price, the criminal must resort to blatant lies and misrepresentations likely to trigger a substantial sell off by other investors.

• In

United States v. Moldofsky

, the defendant, a day trader, on the evening of March 22, 2000, and the morning of the next day, posted a message nearly twenty times what was designed to look like a Lucent press release announcing that Lucent would not meet its quarterly earnings projections. For most of those postings, he used an alias designed to resemble a screen name used by a frequent commentator on the Lucent message board who had historically expressed positive views of Lucent stock. He also posted additional messages, using other screen names that commented on the release or on the message poster's conduct. On March 23, Lucent's stock price dropped more than 3.7 percent before Lucent issued a statement disavowing the false press release, but rose by 8 percent within ten minutes of Lucent's disavowal.

• In

United States v. Jakob

, the defendant engaged in even more elaborate fraudulent conduct to effect a "cyber smear." After he tried to short-sell stock in Emulex, but found that the market was bidding up the price, he wrote a press release falsely reporting that Emulex was under investigation by the SEC, that Emulex's Chief Executive Officer was resigning, and that Emulex was reporting a loss in its latest earnings report. He then caused his former employer, a company that distributed online press releases, to send it to major news organizations, which reported the false statements as fact. When Emulex stock rapidly declined, the defendant covered his short-sale position by buying Emulex stock and realizing nearly $55,000 in profits. He also bought more Emulex stock at lower prices, and sold when the stock had recovered most of its value.

• In

United States v. Christian

, No. 00-03-SLR (D. Del. filed Aug. 3, 2000), two defendants obtained the names and Social Security numbers of 325 high-ranking United States military officers from a public Website, then used those names and identities to apply for instant credit at a leading computer company and to obtain credit cards through two banks. They fenced the items they bought under the victims' names, and accepted orders from others for additional merchandise. The two defendants, after pleading guilty to conspiracy to commit bank fraud were sentenced to thirty-three and forty-one months imprisonment and restitution of more than $100,000 each.

• Similarly, in

United States v. Wahl

, No. CR00 285P (W.D. Wash. sentenced Oct. 16, 2000), the defendant obtained the date of birth and Social Security number of the victim (who shared the defendant's first and last name and middle initial). He then used the victim's identifying information to apply online for credit cards with three companies and to apply online for a $15,000 automobile loan. He actually used the proceeds of the automobile loan to invest in his own business. (The defendant, after pleading guilty to identity theft, was sentenced to seven months' imprisonment and nearly $27,000 in restitution).

• • •

Email bombing

Email bombing refers to sending a large number of emails to the victim resulting in the victim’s email account (in case of an individual) or mail servers (in case of a company or an email service provider) crashing. In one case, a foreigner who had been residing in Simla, India for almost thirty years wanted to avail of a scheme introduced by the Simla Housing Board to buy land at lower rates. When he made an application it was rejected on the grounds that the scheme was available only for citizens of India. He decided to take his revenge. Consequently he sent thousands of mails to the Simla Housing Board and repeatedly kept sending e-mails till their servers crashed.

• • •

Data diddling

This kind of an attack involves altering raw data just before it is processed by a computer and then changing it back after the processing is completed. Electricity Boards in India have been victims to data diddling programs inserted when private parties were computerizing their systems. The NDMC Electricity Billing Fraud Case that took place in 1996 is a typical example. The computer network was used for receipt and accounting of electricity bills by the NDMC, Delhi. Collection of money, computerized accounting, record maintenance and remittance in he bank were exclusively left to a private contractor who was a computer professional. He misappropriated huge amount of funds by manipulating data files to show less receipt and bank remittance.

• •

Salami attacks

These attacks are used for the commission of financial crimes. The key here is to make the alteration so insignificant that in a single case it would go completely unnoticed. E.g. a bank employee inserts a program, into the bank’s servers, that deducts a small amount of money (say Rs. 5 a month) from the account of every customer. No account holder will probably notice this unauthorized debit, but the bank employee will make a sizeable amount of money every month.

Cyber Pornography

This would include pornographic websites; pornographic magazines produced using computers (to publish and print the material) and the Internet (to download and transmit pornographic pictures, photos, writings etc).

• • Recent Indian incidents revolving around cyber pornography include the Air Force Balbharati School case. In the first case of this kind, the Delhi Police Cyber Crime Cell registered a case under section 67 of the IT act, 2000. A student of the Air Force Balbharati School, New Delhi, was teased by all his classmates for having a pockmarked face.

• He decided to get back at his tormentors. He created a website at the URL www.amazing-gents.8m.net. The website was hosted by him on free web space. It was dedicated to Air Force Bal Bharti School and contained text material. On this site, lucid, explicit, sexual details were given about various “sexy” girls and teachers of the school. Girls and teachers were also classified on the basis of their physical attributes and perceived sexual preferences. The website also became an adult boys’ joke amongst students.

• • This continued for sometime till one day, one of the boys told a girl, “featured” on the site, about it. The father of the girl, being an Air Force officer, registered a case under section 67 of the IT Act, 2000 with the Delhi Police Cyber Crime Cell. The police picked up the concerned student and kept him at Timarpur (Delhi) juvenile home. It was almost after one week that the juvenile board granted bail to the 16- year old student.

• In another incident, in Mumbai a Swiss couple would gather slum children and then would force them to appear for obscene photographs. They would then upload these photographs to websites specially designed for pedophiles. The Mumbai police arrested the couple for pornography.

Sale of Illegal Article

This would include sale of narcotics, weapons and wildlife etc., by posting information on websites, auction websites, and bulletin boards or simply by using email communication.

• This would include sale of narcotics, weapons and wildlife etc., by posting information on websites, auction websites, and bulletin boards or simply by using email communication. E.g. many of the auction sites even in India are believed to be selling cocaine in the name of ‘honey’

Online Gambling

There are millions of websites; all hosted on servers abroad, that offer online gambling. In fact, it is believed that many of these websites are actually fronts for money laundering

Intellectual Property Crimes

These include software piracy, copyright infringement, trademarks violations, theft of computer source code etc for e.g Email spoofing Email spoofing: A spoofed email is one that appears to originate from one source but actually has been sent from another source.

• Bharti Cellular Ltd. filed a case in the Delhi High Court that some cyber squatters had registered domain names such as barticellular.com and bhartimobile.com with Network solutions under different fictitious names. The court directed Network Solutions not to transfer the domain names in question to any third party and the matter is sub-judice

Forgery

Counterfeit currency notes, postage and revenue stamps, mark sheets etc can be forged using sophisticated computers, printers and scanners.

Cyber Defamation

This occurs when defamation takes place with the help of computers and / or the Internet. E.g. someone publishes defamatory matter about someone on a website or sends e mails containing defamatory information to all of that person's friends.

• • India’s first case of cyber defamation was reported when a company’s employee started sending derogatory, defamatory and obscene e-mails about its Managing Director. The e-mails were anonymous and frequent, and were sent to many of their business associates to tarnish the image and goodwill of the company. The company was able to identify the employee with the help of a private computer expert and moved the Delhi High Court. The court granted an ad-interim injunction and restrained the employee from sending, publishing and transmitting e-mails, which are defamatory or derogatory to the plaintiffs.

Harassment

Internet harassment has become a concern for many people. This form of harassment includes directing obscenities toward others, as well as making derogatory comments based for example on gender, race, religion, nationality, sexual orientation. This type of Internet crime can take place often in chat rooms, through newsgroups, and even through the sending of hate email to targeted mailing lists. Unsolicited email messages and advertisements can also be considered to be forms of Internet harassment where the content is offensive or of an explicit sexual nature.

FAQ’S

How can I avoid getting a virus?

All computers should have anti-virus software installed. It is not enough just to install this anti-virus software, please make sure that it is updated with the latest computer virus definitions on a regular basis.

Back up your work regularly so that if a problem occurs you do not loose everything on your computer. Do not go online without virus protection and a firewall in place.

Watch out for e-mails from addresses you don't know, especially if it contains an attachment. If you are unsure, don't open it.

• •

How can I shop safely on the Internet?

You should always look out for a padlock symbol located on the bottom bar of your browser before transmitting your card details. Clicking on the icon will indicate the page is secure, preventing your confidential details being seen by anyone else.

Be wary of websites that require your card details up front before you actually place an order and find a mailing address for the company. Ask friends, family and work colleagues what sites they have found to be good and bad. Shop with names you know you can trust, major high street names have a duty to protect the security of their customers.

I have had an email that is advertising child pornography sites. What should I do?

Do not attempt to visit the site. Please make a report to the Internet Watch Foundation who will contact the relevant authorities.

How can I prevent people from hacking my computer and email accounts?

Install good internet firewall protection on your computer. Make all your passwords as long as possible. Do not use short passwords such as ‘cat’ or ‘dog’.

• •

My children love the Internet but I’m concerned what they might find on it. What can I do?

Install ‘nanny’ type software to control the sites the computer can access. Use the Internet with your children and ask them what they are looking at. For younger children enable password protection so they can only use the Internet when you are there.

Locate the computer in a busy area of the house, like the lounge, so an adult is never far away.

• •

How can I rid my email inbox of all this junk mail?

To stop getting junk mail or spam as it is otherwise known be careful to make sure you tick or untick the appropriate boxes when filling out forms. Information and anti-spam software that can be used to stop junk e-mails can be found by searching the Internet.

Common ‘unsubscribe’ requests are often a ploy to get your e-mail address and then send on more spam. Do not pass the mail on to friends and ignore chain letters

• •

How can I safeguard my personal documents?

• Although the rise of ID fraud is very alarming, there are steps you can take to try to protect yourself. • Carelessly discarding personal details is an easy way to become a victim. Criminal gangs have been known to employ homeless people to search through rubbish bins for financial records and identity documents.

• • • • • • •

* WARNING SIGNS-

You have a good credit history but are turned down because of a default on your record There are entries on your credit file you do not recognise You are being chased for outstanding debt Mail you normally expect from financial institutions does not arrive You have lost or had important documents stolen You apply for benefits and are told you are already claiming, when you are not

• •

What about documents I want to keep?

Experts advise people to lock away all important documents and financial records. • The most valuable paperwork, such as title deeds and share certificates should either be kept in a safe or at your bank or solicitor's offices

• • • •

My bank has sent me an e-mail, asking to update security details?

Identity fraud is not only committed using stolen paper documents, it also operates over the internet. If you receive an e-mail purporting to be from your bank or credit card provider which asks you to update your details, it is likely to be a "phishing" scam. If customers fall for the scam, the fraudsters can gain access to their bank accounts or use them to launder money.

• It is important to remember that your bank will never ask for your log in and password by e-mail. • If in doubt, call the bank.

• • •

My bank has telephoned me at home and asked for my pin?

Cold calling to gain access to bank account details is another tactic employed by identity fraudsters. But a genuine bank would never call you and ask for your pin number or password

COMPUTER SECURITY TIPS

• • • • •

COMPUTER SECURITY TIPS

Make sure you have a good anti-virus software which regularly runs scanning programmes for spy ware, a personal firewall and a spam filter Never keep passwords stored on your computer, or disclose them to anybody If you are accessing banking details from a computer that is used by other people, ensure you do not click on "save" password, as another user could gain access Check your bank statements and receipts carefully to ensure there are no fraudulent transactions