1. Introduction
Chapter 1
The world we are in today is all about Information Technology (IT) because we are in the age of Information Technology and the people with the right information, with proper way of disseminate this information and processing them is considered as the most successful. Information technology is the transfer of information using telecommunication and micro based computer system. Nowadays, the computer has replaced manual records, and the fraudulent input document has been substituted by manipulating data held in a computer system. This manipulation does not need to be sophisticated. Computers have become the mainstay of business and government processes. Business has been using them for years and in most countries, there are drives towards electronic or joined up government. This is to allow the people to access government services from their desktop in their own home. Cybercrime, like every digital industry, is outsourcing. Though the U.S. still produces more malware, spam and viruses than any country in the world, illicit IT jobs are increasingly scattered across an anarchic and international Internet, where labor is cheap, legitimate IT jobs are scarce and scammers are insulated from the laws that protect their victims by thousands of miles. As Thomas Friedman might say, the criminal underworld is flat.The statistics that have been obtained and reported about demonstrate the seriousness Internet crimes in the world. Just the "phishing" emails mentioned in a previous paragraph produce one billion dollars for their perpetrators (Dalton 1). In a FBI survey in early 2004, 90 percent of the 500 companies surveyed reported a security breach and 80 percent of those suffered a financial loss . A national statistic in 2003 stated that four billion dollars in credit card fraud are lost each year. Only two percent of credit card transactions take place over the Internet but fifty percent of the four billion, mentioned before, are from the transaction online . All these finding are just an illustration of the misuse of the Internet and a reason why Internet crime has to be slowed down. Internet crime is crime committed on the Internet, using the Internet and by means of the Internet.Computer crime is a general term that embraces such crimes crimes as phishi phishing, ng, credit credit card card frauds frauds,, bank bank robber robbery, y, illegal illegal downlo downloadi ading, ng, indust industria riall espionage, child pornography, kidnapping children via chat rooms, scams, cyberterrorism, creation and/or distribution of viruses, Spam and so on. All such crimes are computer related and facilitated crimes.With the evolution of the Internet, along came another revolution of 1
crime where the perpetrators commit acts of crime and wrongdoing on the World Wide Web. Internet crime takes many faces and is committed in diverse fashions. The number of users and their diversity in their makeup has exposed the Internet to everyone. Some criminals in the Internet have grown up understanding this superhighway of information, unlike the older generation of users. This is why Internet crime has now become a growing problem in the United States. Some crimes committed on the Internet have been exposed to the world and some remain a mystery up until they are perpetrated against someone or some company. compan y. The different different types of Internet Internet crime vary in their design design and how easily they are able to be committed committed.. Internet Internet crimes crimes can be separated separated into two different different categories. categories. There are crimes that are only committed while being on the Internet and are created exclusively because of the World Wide Web. The typical crimes in criminal history are now being brought to a whole different level of innovation and ingenuity. Such new crimes devoted to the Internet are email “phishing”, hijacking domain names, virus immistion, and cyber vandalism. A couple of these crimes are activities that have been exposed and introduced into the world. People have been trying to solve virus problems by installing virus protection software and other software that can protect their computers. Other crimes such as email “phishing” are not as known to the public until an individual receives one of these fraudulent emails. These emails are cover faced by the illusion that the email is from your bank or another bank. When a person reads the email he/she is informed of a problem with he/she personal account or another individual wants to send the person some of their money and deposit it directly into their account. The email asks for your personal account information and when a person gives this information away, they are financing the work of a criminal. Cyber Crime as Introduction : According to Oxford Advance Learners dictionary (2001), crime is the activities that involve breaking the law or illegal act or activities that can be punished by law. Computer crime has been defined as the act of stealing or o r misusing the computer hardware or software. The larger the organization, the more they make use of computers for their day-to-day activities and more likely it is that someone is out there to commit a crime. Computer crimes were committed for many reasons, some which are rational, others of which may make no sense to the observer. There are those who will steal under the best of employment circumstances. Other would not steal even if they were the worst treated employees in the world. This is 2
crime where the perpetrators commit acts of crime and wrongdoing on the World Wide Web. Internet crime takes many faces and is committed in diverse fashions. The number of users and their diversity in their makeup has exposed the Internet to everyone. Some criminals in the Internet have grown up understanding this superhighway of information, unlike the older generation of users. This is why Internet crime has now become a growing problem in the United States. Some crimes committed on the Internet have been exposed to the world and some remain a mystery up until they are perpetrated against someone or some company. compan y. The different different types of Internet Internet crime vary in their design design and how easily they are able to be committed committed.. Internet Internet crimes crimes can be separated separated into two different different categories. categories. There are crimes that are only committed while being on the Internet and are created exclusively because of the World Wide Web. The typical crimes in criminal history are now being brought to a whole different level of innovation and ingenuity. Such new crimes devoted to the Internet are email “phishing”, hijacking domain names, virus immistion, and cyber vandalism. A couple of these crimes are activities that have been exposed and introduced into the world. People have been trying to solve virus problems by installing virus protection software and other software that can protect their computers. Other crimes such as email “phishing” are not as known to the public until an individual receives one of these fraudulent emails. These emails are cover faced by the illusion that the email is from your bank or another bank. When a person reads the email he/she is informed of a problem with he/she personal account or another individual wants to send the person some of their money and deposit it directly into their account. The email asks for your personal account information and when a person gives this information away, they are financing the work of a criminal. Cyber Crime as Introduction : According to Oxford Advance Learners dictionary (2001), crime is the activities that involve breaking the law or illegal act or activities that can be punished by law. Computer crime has been defined as the act of stealing or o r misusing the computer hardware or software. The larger the organization, the more they make use of computers for their day-to-day activities and more likely it is that someone is out there to commit a crime. Computer crimes were committed for many reasons, some which are rational, others of which may make no sense to the observer. There are those who will steal under the best of employment circumstances. Other would not steal even if they were the worst treated employees in the world. This is 2
dependent dependent on individual individual character. character. Olawepo Olawepo (1999) observed observed that it is against the backdrop backdrop that management of computerized organizations should address all the energy at disposal, the issue of detection and preventing computer related crimes. According to a Symantec report at the end of 2006, Beijing is now home to the world's largest collection of malware-infected computers, nearly 5 percent of the world's total. Research by the security company Sophos in April showed that China has overtaken the U.S. in hosting Web pages that secretly install malicious programs on computers to steal private information or send spam e-mails. And another report from Sophos earlier that month showed that Europe produces more spam than any other continent; one Polish Internet service provider alone produces fully 5 percent of the world's world's spam.Finall spam.Finally, y, the growing growing danger from crimes crimes committed committed against computers, computers, or against against informati information on store on computers, computers, is beginning beginning to claim attention attention in national national capitals. capitals. The existing laws are likely to be unenforceable against such crimes in most countries around the world, world, especi especiall ally y Nigeri Nigeria. a. This This lack lack of legal legal protec protecti tion on means means that that bus busine inesse ssess and governments must rely solely on technical measures to protect themselves from those who would steal, deny access to, or destroy valuable information why should learn about cyber crime : We should learn about cyber crime because •
Everybody is using COMPUTERS.
•
From white collar criminals to terrorist organizations and from teenagers to adults.
•
Conventional crimes like Forgery, extortion, kidnapping etc. are being committed with the help of computers.
•
•
New generation is growing up with computers. MOST IMPORTANT- Monetary transactions are moving on to the INTERNET.
Cybercrime Crimes : Perhaps the most prominent form of cybercrime is identity theft, in which criminals use the Internet to steal personal information from other users. Two of the most common ways this is done is through phishing and pharming. Both of these methods lure users to fake websites (that appear to be legitimate), where they are asked to enter personal information. This includes includes login informati information, on, such as usernames usernames and passwords, passwords, phone numbers, numbers, addresses, addresses, credit card numbers, bank account numbers, and other information criminals can use to "steal" another person's identity. For this reason, it is smart to always check the URL or Web 3
address of a site to make sure it is legitimate before entering your personal information. Because cybercrime covers such a broad scope of criminal activity, the examples above are only a few of the thousands of crimes that are considered cybercrimes. While computers and the Internet have made our lives easier in many ways, it is unfortunate that people also use these technologies to take advantage of others. Therefore, it is smart to protect yourself by using antivirus and spyware blocking software and being careful where you enter your personal information Cyber Security : Cyber security standards have been created recently because sensitive information is now frequently stored on computers that are attached to the internet. Also many tasks that were once done by hand are carried out by computer; therefore there is a need for Information Assurance and security. Cyber security is important to individuals because they need to guard against identity theft. Businesses also have a need for this security because they need to protect their trade secrets, proprietary information, and customer’s personal information. The government also has the need to secure their information. This is particularly critical since some
terrorism
acts
are
organ
ized
and
facilitated
by
using the internet. One of the most widely used security standards today is ISO/IEC 27002 which started in 1995. This standard consists of two basic parts. BS 7799 part 1 and BS 7799 part 2 both of which were created by (British Standards Institute) BSI. Recently this standard has become ISO 27001. The National Institute of Standards and Technology (NIST) have released several special papers addressing cyber security. Three of these special papers are very relevant to cyber security: the 800-12 titled “Computer Security Handbook;” 800-14 titled Accepted.
4
2. TYPES OF CYBER CRIME
Chapter 2
2.1 Hacking Hacking in simple terms means illegal intrusion into a computer system without the permission of the computer owner/user. There is an equivalent term to hacking i.e. cracking, but from Indian Laws perspective there is no difference between the term hacking and cracking. Every act committed towards breaking into a computer and/or network is hacking. Hackers write or use ready-made computer programs to attack the target computer. They possess the desire to destruct and they get the kick out of such destruction. Some hackers hack for personal monetary gains, such as to stealing the credit card information, transferring money from various bank accounts to their own account followed by withdrawal of money. They extort money from some corporate giant threatening him to publish the stolen information which is critical in nature.
Fig 1 Hacking 2.1.1 Purposes of hacking •
Greed
•
Power
•
Publicity
•
Revenge
•
Adventure 5
•
Desire to access forbidden information
2.1.2 Every act committed towards breaking into a computer and/or network is hacking .
Hackers write or use ready-made computer programs to attack the target computer. They possess the desire to destruct and they get the kick out of such destruction. Some hackers hack for personal monetary gains, such as to stealing the credit card information, transferring money from various bank accounts to their own account followed by withdrawal of money. They extort money from some corporate giant threatening him to publish the stolen information, which is critical in nature. Government websites are the hot targets of the hackers due to the press coverage they receive.
2.1.3 About Hackers, Crackers and Phreaks
The original meaning of the word "hack" was born at MIT, and originally meant an elegant, witty or inspired way of doing almost anything. Now the meaning has changed to become something associated with the breaking into or harming of any kind of computer or telecommunications system. Purists claim that those who break into computer systems should be properly called "crackers" and those targeting phones should be known as "phreaks". 0G refers to pre-cell phone mobile telephony. Being the predecessors of the first generation of cellular telephones, these systems are called 0G (zero generation) systems. Usually vehicle mounted, they had the transceivers mounted in the vehicle trunk and dials & display mounted near the driver seat.
2.2 Denial of Service Attack This is an act by a criminal, who floods the bandwidth of the victim’s network or fills his email box with spam mail depriving him of the services he is entitled to access or provide. This act is committed by a technique called spoofing and buffer overflow. The criminal spoofs the IP address and flood the network of the victim with repeated requests. Since the IP address is fake, the victim machine keeps waiting for response from the criminal’s machine for each request. This consumes the bandwidth of the network which then fails to , a serve the legitimate requests and ultimately breaks down. Short for denial-of-service attack
type of attack on a network that is designed to bring the network to its knees by flooding it 6
with useless traffic. Many DoS attacks, such as the Ping of Death and Teardrop attacks, exploit limitations in the TCP/IP protocols. For all known DoS attacks, there are software fixes that system administrators can install to limit the damage caused by the attacks. But, like Virus, new DoS attacks are constantly being dreamed up by Hacker. The diagram below will give you an idea of how the attack happens:-
Fig 2 normal synchronization
Fig 3 denial of service attack Technologies used in 0G systems included PTT (Push to Talk), MTS (Mobile Telephone System), IMTS (Improved Mobile Telephone Service), and AMTS (Advanced Mobile Telephone System).
7
2.3 Software piracy Theft of software through the illegal copying of genuine programs or the counterfeiting and distribution of products intended to pass for the original is termed as termed as software piracy. Beware! That pirated software CD which you bought for a couple of hundred bucks may have saved you some money…but in the long run, it can do a lot more harm to you than good. Do you know that by buying such pirated software, you maybe aiding and abetting crime? With the growing popularity of computer-sharing programs such as Bear-Share, torrents and LimeWire, piracy is becoming a growing problem. People can download or "share" programs instead of purchasing them or getting a license for them. Any time a friend copies software, downloads software from a sharing website or program, or a business doesn't report the numbers of computers using software, it is a form of software piracy. Being convicted of software piracy often involves jail time and large fines. The software industry plays a leading role in creating products that have vastly improved our lives and work environment. Unfortunately, software theft, or piracy, has had a negative impact on the global marketplace and the ability to create new products. Copying in the workplace, counterfeiting and various forms of illegal distribution cost the Asia Pacific region US$11.6 billion in 2006 (Fourth Annual BSA and IDC Global Software Piracy Study. This study covers all packaged software that runs on personal computers, including desktops, laptops, and ultra-portables, including operating systems, systems software such as databases and security packages, business applications, and consumer applications such as PC games, personal finance, and reference software. The study does not include other types of software such as that which runs on servers or mainframes or software sold as a service). Furthermore, the unauthorized electronic distribution and sale of copyrighted works over the Internet threatens to make these problems seem almost quaint by comparison. Legal and cultural frameworks to protect creative works online, including computer software, must be identified and built to encourage creativity and growth. Example of software piracy are as follows:•
End user copying - Friends loaning disks to each other, or organizations underreporting the number of software installations they have made.
•
Hard disk loading – Hard disk vendors loads pirated software
8
•
Counterfeiting - large-scale duplication and distribution of illegally copied software.
Illegal downloads from the Internet - By intrusion, cracking serial numbers etc
2.4 Virus dissemination A computer virus is a program that can ‘infect’ other legitimate programs by modifying them to include a possibly ‘evolved’ copy of itself. Viruses can spread themselves, without the knowledge or permission of the users, to potentially large numbers of programs on many machines. A computer virus passes from computer to computer like a biological virus passes from person to person. Malicious software that attaches itself to other software. (virus, worms, Trojan Horse, Time bomb, Logic Bomb, Rabbit and Bacterium are the malicious. Viruses can also contain instructions that cause damage or annoyance; the combination of possibly damaging code with the ability to spread is what makes viruses a considerable concern. Viruses can often spread without any readily visible symptoms. A virus can start on eventdriven effects (for example, triggered after a specific number of executions), time-driven effects (triggered on a specific date, such as Friday the 13th) or can occur at random. Typical action of virus are as follows:•
Display a message to prompt an action which may set of the virus
•
Erase files
•
Scramble data on a hard disk
•
Cause erratic screen behavior
•
Halt the PC
2.5 Spoofing •
Spoofing means a hacker logs-in to a computer illegally using a different identity than his own.
•
He is able to do this by having previously obtained actual password.
•
He creates a new identity by fooling the computer into thinking he is the genuine system operator.
•
Hacker then takes control of the system.
9
2.6 Cyber stalking Cyber Stalking can be defined as the repeated acts harassment or threatening behavior of the cyber criminal towards the victim by using Internet services. Cyber Stalking can be defined as the repeated acts harassment or threatening behavior of the cyber criminal towards the victim by using internet services. Stalking in General terms can be referred to as the repeated acts of harassment targeting the victim such as following the victim, making harassing phone calls, killing the victims pet, vandalizing victims property, leaving written messages or objects. Stalking may be followed by serious violent acts such as physical harm to the victim and the same has to be treated and viewed seriously. It all depends on the course of conduct of the stalker. Stalking in General terms can be referred to as the repeated acts of harassment targeting the victim such as… •
Following the victim
•
Making harassing phone calls
•
Killing the victims pet
•
Vandalizing victims property
•
Leaving written messages or objects
Stalking may be followed by serious violent acts such as physical harm to the victim and the same has to be treated and viewed seriously. It all depends on the course of conduct of the stalker. Cyber-stalking refers to the use of the Internet, e-mail, or other electronic communications device to stalk another person. It is a relatively new form of harassment, unfortunately, rising to alarming levels especially in big cities like Mumbai. 2.6.1 Who is a cyber stalker?
A cyber stalker sends harassing or threatening electronic communication to the victim. Both kinds of stalkers – online and offline - have desire to control the victim’s life. 10
2.6.2 How does a cyber stalker operate? •
A typical cyber stalker collects all personal information about the victim such as name, family background, telephone numbers of residence and work place, daily routine of the victim, address of residence and place of work, date of birth etc. If the stalker is the victim’s acquaintances, he/ she has easy access to this information. If the stalker is a stranger, he/ she collects the information from internet resources such as various profiles, the victim may have filled in while opening chat or e-mail accounts or while signing an account with some website.
•
The stalker may post this information on any website related to sex-services or dating services, posing as if the victim is posting this information and invite the people to call the victim on her telephone numbers to have sexual services. A stalker even uses very filthy and obscene language to invite the interested persons.
•
People of all kind from nook and corner of the World, who come across this information, start calling the victim at her residence and/or work place, asking for sexual services or relationships.
•
Some stalkers subscribe the e-mail account of the victim to innumerable pornographic and sex sites, because of which victim starts receiving such kind of unsolicited emails.
•
Some stalkers keep on sending repeated e-mails asking for various kinds of favors or threaten the victim.
•
The stalkers follow their victim from message board to message board. They "hangout" on the same boards as their victim, many times posting notes to the victim, making sure the victim is aware that he/she is being followed. Many times they will "flame" their victim (becoming argumentative, insulting) to get their attention.
•
Stalkers will almost always make contact with their victims through email. The letters may be loving, threatening, or sexually explicit. They will many times use multiple names when contacting the victim.
•
In extreme cases, the stalker becomes bold enough to contact victim via telephone to make calls to the victim to threaten, harass, or intimidate him/ her. Ultimately, the stalker is even known to track the victim to his/ her home. 11
2.6.3 When does cyber stalking happen?
In many cases, the cyber stalker and the victim had a prior relationship, and the cyber stalking begins when the victim attempts to break off the relationship. However, there also have been many instances of cyber stalking by strangers. Given the enormous amount of personal information available through the Internet, a cyber stalker can easily locate private information about a potential victim with a few mouse clicks or keystrokes. The fact that cyber stalking does not involve physical contact may create the misperception that it is more benign than physical stalking. This is not necessarily true. As the Internet becomes an ever more integral part of our personal and professional lives, stalkers can take advantage of the ease of communications as well as increased access to personal information. In addition, the ease of use and non-confrontational, impersonal, and sometimes anonymous nature of Internet communications may remove disincentives to cyber stalking. Put another way, whereas a potential stalker may be unwilling or unable to confront a victim in person or on the telephone, he or she may have little hesitation sending harassing or threatening electronic communications to a victim. Finally, as with physical stalking, online harassment and threats may be a prelude to more serious behavior, including physical violence.
2.7 Online fraud The net is a boon for people to conduct business effectively, very quickly. It saves businesses a lot of time, money and resources. Unfortunately, the net is also an open invitation to scamsters and fraudsters and online frauds are becoming increasingly rampant. Fraudsters create authentic looking websites that are actually nothing but a spoof. The purpose of these websites is to make the user enter personal information. This information is then used to access business and bank accounts. Fraudsters are increasingly turning to email to generate traffic to these websites. A lot of customers of financial institutions recently received such emails. Such emails usually contain a link to a spoof website and mislead users to enter User ids and passwords on the pretence that security details can be updated, or passwords changed. 12
If you ever get an email containing an embedded link, and a request for you to enter secret details, treat it as suspicious. Do not input any sensitive information that might help provide access to your accounts, even if the page appears legitimate. No reputable company ever sends emails of this type.
13
3. PREVENTIVE MEASURE
Chapter 3
The Internet can be secure. Keep in mind, virtually every business and government agency uses the Internet, often to view highly confidential and valuable information. None of these actions could take place without Internet security. But it is up to every individual and every organization to take the proper steps, and utilize the advanced technologies available, to make their personal experience with the Internet as secure as possible. The question about how to police these crimes has already been constructed, but this task is turning out to be an uphill battle. Since the first computer crime law, the Counterfeit Access Device and Computer Fraud and Abuse Act of 1984, the government has been trying to track down and stop online criminals. The FBI has tried many programs and investigations in order to deter Internet crime, like creating an online crime registry for employers (Metchik 29). The reality is that Internet criminals are rarely caught. One reason is that hackers will use one computer in one country to hack another computer in another country. Another eluding technique used is the changing of the emails, which are involved in virus attacks and “phishing” emails so that a pattern cannot be recognized. An individual can do their best to protect themselves simply by being cautious and careful. Internet users need to watch suspicious emails, use unique passwords, and run anti-virus and anti-spyware software. Do not open any email or run programs from unknown sources. The most important way to protect your personal information from being compromised by cybercrime is to protect your computer. Always use a firewall. Also, always use one or two anti-spyware programs in addition to your anti-virus software, and keep them up to date. Beyond protection of your computer, you can take action to protect yourself, too. First, don't reply to an email or pop-up message that asks for personal or financial information, and don't click on links in the message. If you want to go to a bank or business's Web site, type the Web address into your browser yourself, and if you want to reach organization with which you do business, call the number on your financial statement. A final protection mechanism to consider -- some kind of personal security device separate from your PC that is part of your login process to the Web sites you use. This might be a card
14
or USB token that uses smart card technology to safely identify you and make sure you are logging in to the real site.
3.1 Preventive Measures For Children Children have to take care that they •
Should not give information such as Name, Home Address, School Name or Telephone number in a chat room.
•
Should not give photographs to anyone on the net.
•
Should not respond to messages, which are suggestive, obscene, belligerent or threatening.
•
Should not arrange a face-to –face meeting without telling parents or guardians.
3.2 Preventive Measures For Parents Parents should have to take care that they •
should use content filtering software on PC to protect children from pornography, gambling, hate speech, drugs and alcohol.
•
Install software to establish time controls for use of limpets .
•
allowing parents to see which site item children have visited.
•
Be careful before revealing any personal information such as age, marital status, or financial information while chatting.
•
Never post photographs of your children on web sites or newsgroups that are available to the public.
•
Consider using a fake name, avoid listing your child’s name and E-mail address in any public directories and profiles, and find out about your Internet Service Provider’s privacy policies and exercise your options for how your personal information may be used.
15
•
Get to know the Internet and any services your child uses. If you don’t know how to log on, get your child to show you. Ask your child show you what he or she does online, and familiarize yourself with all the things that you can do online.
•
Never allow a child to arrange a face-to-face meeting with another computer user without your permission. If a meeting is arranged, make the first one in a public place, and be sure to accompany your child.
•
Do not respond to messages or bulletin board items that are suggestive, obscene, belligerent, threatening, or make you feel uncomfortable. Ask your children to tell you if they respond to such messages advice them not to do that. If you or your child receives a message that is harassing, of a sexual nature, or threatening, forward a copy of the message to your ISP, and ask for their assistance.
•
Instruct your child not to click on any links that are contained in E-mail from persons they don’t know. Such links could lead to sexually explicit or otherwise inappropriate web sites.
•
Remember that people online may not be who they seem. Because you can’t see or even hear the person it would be easy for someone to misrepresent him- or herself. Thus, someone indicating that "she" is a "12-year-old girl" could in reality be a 40year-old man.
•
Remember that everything you read online may not be true. Any offer that’s "too good to be true" probably is. Be very careful about any offers that involve you coming to a meeting, having someone visit your house, or sending money or credit card information.
•
A child’s excessive use of online services or the Internet, especially late at night, may be a clue that there is a potential problem. Remember that personal computers and online services should not be used as electronic babysitters.
•
Be sure to make Internet surfing a family activity. Consider keeping the computer in a family room rather than the child’s bedroom. Get to know their "online friends" just as you get to know all of their other friends.
16
3.3 General Information •
Don’t delete harmful communications (emails, chats etc.). They will provide vital information about system and address of the person behind these.
•
If you feel any immediate physical danger, contact your local police.
•
Avoid getting into huge arguments online during chat and discussions with other users.
•
Be extremely careful about how you share personal information about yourself online
•
Be extremely cautious about meeting online introduced person. If you choose to meet, do so in a public place along with a friend.
•
Save all communications for evidence. Do not edit it in any way. Also, keep a record of your contacts and inform Law Enforcement Officials.
•
Use the latest version of a good anti-virus software package that allows updating from the Internet.
•
Use the latest version of the operating system, web browsers and e-mail programs.
•
Don't open e-mail attachments unless you know the source. Attachments, especially executables (those having .exe extension) can be dangerous.
•
Confirm the site you are doing business with. Secure yourself against "WebSpoofing". Do not go to websites from email links.
•
Create passwords containing at least 8 digits. They should not be dictionary words. They should combine upper and lower case characters.
•
Use different passwords for different websites.
•
Send credit card information only to secure sites.
•
Use a security program that gives you control over "Cookies" that send information back to websites. Letting all cookies in without monitoring them could be risky.
3.4 Preventive Measures for Organization and Governments •
Physical Security
•
Implement Access Control Systems 17
•
Use Of Password
•
Finding the Holes in Network
•
Using Network Scanning Program ( E.g. UNIX, COPS-computer oracle and password system)
•
Using Intrusion Alert Program
•
Using Encryption
•
Setup an e-security program for your business
•
Ensure your security program facilitates confidentiality, integrity and availability
•
Identify the sources of threats to your data from both internal and external sources. Examples: disgruntled employees - leaving bugs behind in your system, hackers looking to steal confidential information.
•
The security program that you create for your business must have provisions to maintenance and upgrades of your systems
•
Administrators have access to all files and data. Therefore, one must be mindful of who is guarding the guards
•
Roles for security should be defined, documented, and implemented for both your company and external contractors.
•
Establish a security awareness program for all users. Content should be communicated in non-technical terms. This could include briefings, posters, clauses in employee contracts, security awareness days etc
•
Implement security training for technical staff that is focused on the security controls for their particular technical areas
•
Maintain logs of all possible activities that may occur on your system. System records must note who was using the system, when, for how long, deletions etc.
•
User accounts should not be shared. User authorization should be mandatory. Employees should only be able to see information that they are authorized to see.
•
Employee user accounts must be disabled or removed when no longer needed. Example: in case an employee leaves the company.
18
•
Ensure network security from external sources by installing firewalls and intrusion detection systems.
•
Allow remote access to employees only through secure communication channels like SSL or VPN
•
Install antivirus software on all desktops and servers. Buy Anti-Virus software solutions that allow real time upgrading of systems with anti-virus patches.
•
Create a data backup and disaster recovery plan in case of unforeseen natural calamities.
•
Ensure back-up procedures are in place and tested
•
Ensure back-up procedures include all your critical as well as back office data such as finance, payroll etc.
•
Incident response is the ability to identify, evaluate, raise and address negative computer related security events.
•
Incase of an incident, do not panic, and continue to save logs.
•
Incident response - Take a backup of the affected system and notify the authorities.
.
19
4. CASE STUDY ON CYBER CRIME
Chapter 4
While I have a huge collection of international cyber crimes I thought it may be more relevant if we discuss Indian Cyber crime case studies. However if any of you is interested in international case studies please do reach me. I have not arranged the following section in an order to create flow of thought for the reader. And it is possible there is a drift from the taxonomy which we have defined in the beginning. Insulting Images of Warrior Shivaji on Google – Orkut
An Indian posts ‘insulting images’ of respected warrior-saint Shivaji on Google’s Orkut. Indian police come knocking at Google’s gilded door demanding the IP address (IP uniquely identifies every computer in the world) which is the source of this negative image. Google, India hands over the IP address. No such incident in India would be complete without a few administrative slip-ups. The computer with that IP address is using Airtel, India as the ISP to connect to the internet and Orkut. Airtel gives police the name of an innocent person using a different IP address. How two IP addresses could be mixed-up in a sensitive police case is anyone’s guess. An innocent Indian, Lakshmana Kailash K, is arrested in Bangalore and thrown in jail for 3 weeks. Eventually, his innocence is proved and he is released in Oct, 2007. A number of news media report this incident. American citizen and India lover Christopher Soghoian (home page http://www.dubfire.net/chris/) studies Informatics at Indiana University and researches/writes about security, privacy and computer crime. Christopher does an excellent article on this topic for the blogs at respected tech media group CNET. Like all good writers, Christopher Soghoian, gives Google, India a list of questions so that he can give a balanced perspective to the millions of CNET readers. How does Google, India respond?
The only comment was: "Google has very high standards for user privacy and a clear privacy policy, and authorities are required to follow legal process to get information. In compliance with Indian legal process, we provided Indian law enforcement authorities with IP address information of an Orkut user." 20
Not surprisingly, Google is a keen to play this down as Yahoo is being hauled over the coals by US Congress for handing over an IP addresses and emails to the Chinese Government which resulted in a Chinese democracy activist being jailed. Techgoss contacted Christopher and asked him for a list of the questions he had put to Google. The following were the questions that Christopher put to Google which were never answered. Sometimes what you do not say says more about what you have done. How does it Airtel react to rectify its mistake?
Firstly, with an immediate, unqualified apology.
In itself, a positive first step.Techgoss
(techgoss.com) had heard rumors about Airtel also offering monetary compensation to the person wrongly jailed. But Airtel is being coy about possible financial compensation. An Airtel spokesperson issued the following statement to techgoss.com “Airtel are aware of this incident and deeply distressed by the severe inconvenience caused to the customer. We are fully cooperating with the authorities to provide all information in this regard and we are in touch with the customer. We have robust internal processes, which we review frequently to make them more stringent. We have conducted a thorough investigation of the matter and will take appropriate action”. Does this mean the customer will get compensation? It is not clear either way. Let’s wait and see. It is interesting to see that despite the arrest he is still with Airtel. Now that’s loyalty to your telecom company. What is the current Scenario?
Finally he has demanded that he be compensated for the injustice meted out to him! The illegally accused and detained techie in the Chatrapati Shivaji defamation picture case on Orkut, Lakshmana Kailas K, has slapped a ten page legal notice on Telecom giant Bharti Airtel, the Principal Secretary (Home) of the state government in Maharashtra, India and the Assistant Commissioner of Police (Financial & Cyber crime unit) demanding that an amount of 20 crores be paid as damages.The software engineer has also sent a copy of the legal notice to the National Human rights commission. Lakshmana had spent a harrowing 50 days in police custody accused of a crime he had never committed just because an IP address sought by the police was wrongly supplied by Bharti Airtel. The legal notice smacks of his anger with the police and judiciary making a mockery of the rights of an individual and the pitiable conditions of the Yerwada jail where he was detained with a number of hardened 21
criminals. He is reported to have been beaten by a lathi and asked to use the same bowl to eat and to use in the toilet. Financial crime
Wipro spectramind lost the telemarketing contract from Capital one due to an organized crime.The telemarketing executives offered fake discounts, free gifts to the Americans in order to boost the sales of the Capital one. The internal audit revealed the fact and surprisingly it was also noted that the superiors of these telemarketers were also involved in the whole scenario. Cyber pornography: Some more Indian incidents revolving around cyber pornography include the Air Force Balbharati School case. In the first case of this kind, the Delhi Police Cyber Crime Cell registered a case under section 67 of the IT act, 2000. A student of the Air Force Balbharati School, New Delhi, was teased by all his classmates for having a pockmarked face. Online Gambling
Recent Indian case about cyber lotto was very interesting. A man called Kola Mohan invented the story of winning the Euro Lottery. He himself created a website and an email address on the Internet with the address '
[email protected].' Whenever accessed, the site would name him as the beneficiary of the 12.5 million pound.After confirmation a telgu newspaper published this as a news. He collected huge sums from the public as well as from some banks for mobilization of the deposits in foreign currency. However, the fraud came to light when a cheque discounted by him with the Andhra Bank for Rs 1.73 million bounced. Mohan had pledged with Andhra Bank the copy of a bond certificate purportedly issued by Midland Bank, Sheffields, London stating that a term deposit of 12.5 million was held in his name. Intellectual Property crimes
These include software piracy, copyright infringement, trademarks violations, theft of computer source code etc. In other words this is also referred to as cybersquatting. Satyam Vs. Siffy is the most widely known case. Bharti Cellular Ltd. filed a case in the Delhi High Court that some cyber squatters had registered domain names such as barticellular.com and bhartimobile.com with Network solutions under different fictitious names. The court directed Network Solutions not to transfer the domain names in question to any third party and the 22
matter is sub-judice. Similar issues had risen before various High Courts earlier. Yahoo had sued one Akash Arora for use of the domain name ‘Yahooindia.Com’ deceptively similar to its ‘Yahoo.com’. As this case was governed by the Trade Marks Act, 1958, the additional defence taken against Yahoo’s legal action for the interim order was that the Trade Marks Act was applicable only to goods Cyber Defamation
India’s first case of cyber defamation was reported when a company’s employee started sending derogatory, defamatory and obscene e-mails about its Managing Director. The emails were anonymous and frequent, and were sent to many of their business associates to tarnish the image and goodwill of the company. The company was able to identify the employee with the help of a private computer expert and moved the Delhi High Court. The court granted an ad-interim injunction and restrained the employee from sending, publishing and transmitting e-mails, which are defamatory or derogatory to the plaintiffs. Cyber stalking
Ritu Kohli has the dubious distinction of being the first lady to register the cyber stalking case. A friend of her husband gave her telephonic number in the general chat room. The general chatting facility is provided by some websites like MIRC and ICQ. Where person can easily chat without disclosing his true identity. The friend of husband also encouraged this chatters to speak in slang language to Ms. Kohli. Unauthorized access to computer systems or networks
However, as per Indian law, unauthorized access does occur, if hacking has taken place. An active hackers’ group, led by one “Dr. Nuker”, who claims to be the founder of Pakistan Hackerz Club, reportedly hacked the websites of the Indian Parliament, Ahmedabad Telephone Exchange, Engineering Export Promotion Council, and United Nations (India). IPR Theft
Jun 23, 2009 at 0119 hrs IST The economic offences wing (EOW) of the Pune police on Monday arrested a software engineer Asma Sandip Thorve (37), a resident of Uday Society in Sahkar Nagar, for allegedly cheating Brainvisa Technologies to the tune of Rs 46.5 crores, by stealing their source code. Earlier, the police had arrested software engineer Sameer Ashok Inamdar (36) of Kondhwa in the same case. 23
According to the police, Inamdar resigned from Brainvisa Technologies in August 2006. He allegedly stole the source code and other secret information of Brainvisa Technologies and started his own company. Owner of Brainvisa Technologies Nitin Hemchandra Agarwal had lodged a police complaint alleging that the company lost Rs 46.5 crores due to this. A team, led by assistant commissioner Pushpa Deshmukh, arrested Thorve, who was Inamdar’s business partner and allegedly provided him the confidential data of Brainvisa. Thorve worked as senior manager, business development, for Brainvisa from May 2004 to December 2005 and there on as vice president till December 2008, after which she joined Inamdar as a partner. Thorve was produced before court on Monday and has been remanded to police custody till June 26. Email bombing (DoS)
In one case, a foreigner who had been residing in Simla, India for almost thirty years wanted to avail of a scheme introduced by the Simla Housing Board to buy land at lower rates. When he made an application it was rejected on the grounds that the scheme was available only for citizens of India. He decided to take his revenge. Consequently he sent thousands of mails to the Simla Housing Board and repeatedly kept sending e-mails till their servers crashed. Data diddling
The NDMC Electricity Billing Fraud Case that took place in 1996 is a typical example. The computer network was used for receipt and accounting of electricity bills by the NDMC, Delhi. Collection of money, computerized accounting, record maintenance and remittance in he bank were exclusively left to a private contractor who was a computer professional. He misappropriated huge amount of funds by manipulating data files to show less receipt and bank remittance. Internet time theft
This connotes the usage by an unauthorized person of the Internet hours paid for by another person. In May 2000, the economic offences wing, IPR section crime branch of Delhi police registered its first case involving theft of Internet hours. In this case, the accused, Mukesh Gupta an engineer with Nicom System (p) Ltd. was sent to the residence of the complainant to activate his Internet connection. However, the accused used Col. Bajwa’s login name and password from various places causing wrongful loss of 100 hours to Col. Bajwa. Delhi police arrested the accused for theft of Internet time. On further inquiry in the case, it was found 24
that Krishan Kumar, son of an ex army officer, working as senior executive in M/s Highpoint Tours & Travels had used Col Bajwa’s login and passwords as many as 207 times from his residence and twice from his office. He confessed that Shashi Nagpal, from whom he had purchased a computer, gave the login and password to him. The police could not believe that time could be stolen. They were not aware of the concept of time-theft at all. Colonel Bajwa’s report was rejected. He decided to approach The Times of India, New Delhi. They, in turn carried a report about the inadequacy of the New Delhi Police in handling cyber crimes. The Commissioner of Police, Delhi then took the case into his own hands and the police under his directions raided and arrested Krishan Kumar under sections 379, 411, 34 of IPC and section 25 of the Indian Telegraph Act. In another case, the Economic Offences Wing of Delhi Police arrested a computer engineer who got hold of the password of an Internet user, accessed the computer and stole 107 hours of Internet time from the other person’s account. He was booked for the crime by a Delhi court during May 2000. SBI arm wins cybersquatting case - Peeyush Agnihotri - Tribune News Service
Chandigarh,24August SBI Card and Payment Services Private Limited, the credit card arm of the State Bank of India (SBI), received a shot in the arm when it won a case of cybersquatting against Domain Active Pty Limited, an Australian dotcom company. The judgement, a notification of which was received earlier this week, was delivered by the administrative tribunal constituted by the World Intellectual Property Organisation (WIPO), Geneva. Established in 1998, SBI Card and Payment Services Private Limited is a joint venture between GE Capital Services, the largest issuer of private label credit cards in the world, and the State Bank of India (SBI), the largest Indian bank. SBI holds 60 per cent stake while GE 40 per cent. The venture offers a range of credit cards — SBI Classic Card, SBI Gold Card, SBI International Card, SBI Doctors Card. It also has a number of city affinity cards (SBI Kolkata Card, SBI Mumbai Card, SBI Delhi Card, SBI Hyderabad Card, SBI Bangalore Card), commanding sales of over one million. It all began when Domain Active Pty Limited, an Australian entity, floated a website on the domain name, www.sbicards.com, and even ‘tricked’ financial big–time entities like Chase Manhattan into advertising on the site. The SBI arm, which had already registered the domain name with Fabulous.Com Pty. Ltd, lodged a complaint on March 16 at the World Intellectual Property Organisation (WIPO), Geneva. The WIPO Administrative Panel found that the Australian entity’s website 25
could have attracted potential attention from the public because of its affiliation with SBI Cards’ products and services. At the same time it created a risk of confusion with the products/services and trademark as to the source, sponsorship, affiliation or endorsement of its website. The panel’s independent verification showed that the current use of the Australian firm’s website, www.sbicards.com, was practically the same. The panel held that the respondent (Domain Active Pty Limited) “has registered the disputed domain name in bad faith”.Talking exclusively to The Tribune from New Delhi, Mr Rodney D. Ryder, who represented SBI Cards, said that it was a clear case of cyber fraud and cybersquatting. “The judgement has come as big relief. No penalty could, however, be imposed on the errant firm since at WIPO we have not been able to evolve a consensus on what should be the proper damage/compensation amount as the cases involve the jurisdiction clause,” he said. Credit Card Frauds
Amit Tiwari had many names, bank accounts and clients. None of them were for real. With a plan that was both ingenious and naïve, the 21-year-old engineering student from Pune tried to defraud a Mumbai-based credit card processing company, CC Avenue, of nearly Rs 900,000.He was arrested by the Mumbai Police on August 21, 2003 after nearly an year of hide and seek with CC Avenue. He's been charged for cheating under Section 420. CC Avenue verifies and validates credit cards of buyers for over a thousand e-commerce Web sites. It conducts checks like IP mapping, zip code mapping and reverse lookup of telephone numbers.Amit Tiwari found a way to bypass them.In May 2002, Col Vikram Tiwari signed up for CC Avenue's services. In November, he requested the company to deal with his son, Amit, who offered Web designing services on www.mafiaz.com. CC Avenue's security team confirmed his credentials through bank signature verification, driving license and his HDFC Bank debit card. Everything was genuine.Amit processed several transactions, worth Rs 311,508, via CC Avenue from November 2002 to February 2003. Then the transactions stopped.In April 2003, CC Avenue began receiving charge-backs from the credit card holders, who denied using mafiaz.com's Web designing service.Amit had assumed the identities of these 'customers', and purchased mafiaz.com's services with credit card details that he found on the Net. He was both the buyer and the seller.Calls to Amit's house in Lucknow went unanswered. Legal notices came back unclaimed. Amit had disappeared without a trace. 26
India's First ATM Card Fraud
The Chennai City Police have busted an international gang involved in cyber crime, with the arrest of Deepak Prem Manwani (22), who was caught red-handed while breaking into an ATM in the city in June last, it is reliably learnt. The dimensions of the city cops' achievement can be gauged from the fact that they have netted a man who is on the wanted list of the formidable FBI of the United States.At the time of his detention, he had with him Rs 7.5 lakh knocked off from two ATMs in T Nagar and Abiramipuram in the city. Prior to that, he had walked away with Rs 50,000 from an ATM in Mumbai.While investigating Manwani's case, the police stumbled upon a cyber crime involving scores of persons across the globe.Manwani is an MBA drop-out from a Pune college and served as a marketing executive in a Chennai-based firm for some time. Interestingly, his audacious crime career started in an Internet cafe. While browsing the Net one day, he got attracted to a site which offered him assistance in breaking into the ATMs. His contacts, sitting somewhere in Europe, were ready to give him credit card numbers of a few American banks for $5 per card. The site also offered the magnetic codes of those cards, but charged $200 per code.The operators of the site had devised a fascinating idea to get the personal identification number (PIN) of the card users. They floated a new site which resembled that of a reputed telecom company's. That company has millions of subscribers. The fake site offered the visitors to return $11.75 per head which, the site promoters said, had been collected in excess by mistake from them.Believing that it was a genuine offer from the telecom company in question, several lakh subscribers logged on to the site to get back that little money, but in the process parted with their PINs.Armed with all requisite data to hack the bank ATMs, the gang started its systematic looting. Apparently, Manwani and many others of his ilk entered into a deal with the gang behind the site and could purchase any amount of data, of course on certain terms, or simply enter into a deal on a booty-sharing basis.On receipt of large-scale complaints from the billed credit card users and banks in the United States, the FBI started an investigation into the affair and also alerted the CBI in New Delhi that the international gang had developed some links in India too.Manwani has since been enlarged on bail after interrogation by the CBI. But the city police believe that this is the beginning of the end of a major cyber crime.
27
Work at Home scams Exposed
Cyber Crime Cell of Crime Branch, C.I.D., Mumbai Police have arrested a person by name Sripathi Guruprasanna Raj, aged 52 yrs who is the Chairman and Managing Director of Sohonet India Private Ltd., a company based in Chennai. Many complainants based in Mumbai had complained to the Cyber Crime Investigation Cell, that the said company has duped them each for Rs. 4,000/- and Rs. 6,000/- by promising them with monthly income of Rs. 15,000/-. Case of Cyber Extortion
He does not know much about computer hacking, yet 51-year-old cyber criminal Pranab Mitra has stunned even the cyber crime investigation cell of Mumbai police with his bizarre fraud on the Net. Mitra, a former executive of Gujarat Ambuja Cement, was arrested on Monday for posing as a woman and seducing online an Abu Dhabi-based man, thereby managing to extort Rs 96 lakh from him. Investigating officer, Assistant Commissioner of Police, J.S. Sodi, said Mitra has been remanded to police custody till June 24, and has been booked for cheating, impersonation, blackmail and extortion under sections 420, 465, 467, 471, 474 of the IPC, read with the newly formed Information Technology Act. Mitra posed as a woman, Rita Basu, and created a fake e-mail ID through which he contacted one V.R. Ninawe. According to the FIR, Mitra trapped Ninawe in a ‘‘cyber-relationship’’ sending emotional messages and indulging in online sex since June 2002.Later, Mitra sent an e-mail that ‘‘she would commit suicide’’ if Ninawe ended the relationship. He also gave him ‘‘another friend Ruchira Sengupta’s’’ e-mail ID which was in fact his second bogus address. When Ninawe mailed at the other ID he was shocked to learn that Mitra had died. Then Mitra began the emotional blackmail by calling up Abu Dhabi to say that police here were searching for Ninawe. Ninawe panicked on hearing the news and asked Mitra to arrange for a good advocate for his defence. Ninawe even deposited a few lakh in the bank as advocate fees. Mitra even sent e-mails as high court and police officials to extort more money. Ninawe finally came down to Mumbai to lodge a police case. ICICI Bank Phishing
Did you know that e-mails, long considered the most convenient form of communication, can actually spring some nasty surprises for you? Recently, a few ICICI Bank customers in Mumbai, to their utter dismay, discovered that e-mails can be extremely hazardous, if not to 28
their health, at least to their security.These ICICI Bank customers received an e-mail from someone who posed as an official of the bank and asked for sensitive information like the account holder's Internet login name and password and directed them to a Web page that resembled the bank's official site.When some customers wrote in to find out what the e-mail was about, the bank officials registered a complaint with the police.New as it may be in India, it is actually a popular banking scam, a warning against which had been issued by many international banks including Barclays and Citibank. rediff.com presents a guide that will help readers understand what the scam is about and how they can stay clear of it. Cyber Lotto an Effective Tool of Frauds
"It is a classic case of cyber crime, the first of its kind in Andhra Pradesh," was how Vijayawada Police Commissioner Sudeep Lakhtakia summed up the case of cheating and fraud registered against Kola Venkata Krishna Mohan, the self-styled winner of the multimillion dollar Euro lottery. Mohan admitted that he did not win the 12.5 million pound Euro lottery in November 1998, as he had claimed, but merely played fraud to make good his losses in gambling. "With the help of computers, the accused took the people for a ride," the Vijayawada police commissioner pointed out. Mohan, using the Internet and forged documents, allegedly cheated banks and several persons to the tune of 60 million rupees. Kola Mohan was arrested by the Vijayawada city police on Monday in connection with cases of fraud and forgery registered against him. He was remanded to judicial custody till December 13 by Fifth Metropolitan Magistrate K B Narsimhulu. He was shifted to the district jail at Gandhinagar in Vijayawada. Mohan was accused of cheating the Andhra Bank to the tune of Rs 1.73 million. By perpetrating the multi-million rupee fraud, Mohan has achieved the dubious distinction of allegedly committing the first and biggest cyber crime in Andhra. The state, incidentally is making rapid strides in information technology, thanks to the initiative of cyber-savvy Chief Minister N Chandrababu Naidu. A compulsive gambler who played cards regularly at high stakes in various clubs in the coastal city, Mohan told newsmen at the police commissioner's office at Vijayawada on Monday that he had lost as much as Rs 30 million in 1998 when a gambling syndicate led by a real estate dealer and a restaurant-owner cheated him. "I was on the look-out to make good the losses by hook or crook. During a visit to London, I learnt about the Euro lottery. I staked some money on it in vain. Then, I invented the story that I won the lottery. I created a website and an email 29
address on the Internet with the address '
[email protected].' Whenever accessed, the site would name me as the beneficiary of the 12.5 million pound (that is, $ 19.8 million or Rs 840 million) Euro-lottery," Kola Mohan recalled. A Telugu newspaper in Hyderabad received an email that a Telugu had won the Euro lottery. The website address was given for verification. The newspaper sent the query and got the "confirmation" since Kola Mohan had himself created and manipulated the website Collective Scam in Call Center
The telemarketing project for an American credit-card company was just coming to an end in January when an internal audit at the Wipro Spectramind call center in Navi Mumbai, India, discovered something very alarming: an organized ring of about 60 call-center agents had been systematically scamming U.S. consumers for two months. Supervisors had told the agents to spice up their sales pitch for the client, Capital One Financial Services, by making false claims about free gifts and membership fees, according to Indian press reports. The scam even bypassed Wipro’s sophisticated call-monitoring system. Pune BPO-Scam
Pune BPO scam was claimed to be the first scam in India. In April 2005, five employees of MsourcE in Pune were arrested for allegedly pulling off a fraud worth nearly $425,000 from the Citibank accounts of four New York-based account holders. Gurgaon BPO Scam
In June 2005, the tabloid Sun , in a sting operation, purchased the bank account details of 1,000 Britons for about 5.50 dollars companyInfinity E- Search Bangalore BPO Scam
In June 2006, Nadeem Kashmiri sold the customer credit card information to a group of scamsters who used the information to siphon off nearly £233,000 or roughly Rs. 1.8 crore from bank accounts of UK-based customers. Data theft makes IT firm quit India
Published on Fri, Oct 13, 2006 at 11:48, New Delhi: After registering a case against an employee who had allegedly stolen data, the Gurgaon-based IT firm Acme Telepower Management waited for something to happen. A week later they have decided to stop operating out of India and move to Australia. It seems like this is the beginning of a domino effect, even as India's antiquated police force tries to deal with new age crime like data 30
theft. Acme Telepower is claiming a national loss of Rs 750 crore. They are saying it's all because an ex-employee named Sachidanand Patnaik who allegedly stole research and handed it over to his new employer - a competitor in the power industry solutions space. On Thursday, the board of Acme met after a Gurgaon Sessions court granted bail to Patnaik and decided it was time to pack their bags. "We are disappointed in the system. Patents and research are not protected, so we are not sure if the law will be able to protect us,” GM Marketing, Acme, Sandeep Kashyap said. Acme employs around 1,100 people, who will be affected by the firm’s move to Australia that will happen over the next eight months. Most of the 70 people in the Research and Development section will be the first to move. For the rest, the future is unclear. According to Acme, only a small manufacturing operation will remain in India, but they say they will take care of their employees and that their reason for leaving is simple. "The fact that the main accused has got bail and the others got a clean chit has disappointed us completely,” Kashyap said. However, the lawyer for Sachidanand Patnaik says they are giving up too soon and that this trend could have dangerous repercussions. "If the reason they are leaving India is because the main accused has got bail, then it is contempt of court,” Patnaik's lawyer, Vakul Sharma said. When people lost faith in the system in the past, there was little they could, outside of rallying against everything wrong with the world. However, today people have a choice. They can simply move on. But the question remains - will the system respond?
31
5. CYBER ACTS
Chapter 5
. For stop the cyber crime USA government made the many rules and acts. These are as follows:-
5.1 Stop Online Piracy Act (SOPA) The Stop Online Piracy Act (SOPA) is a United States bill introduced by U.S Representative Lamar S. Smith (R-TX) to expand the ability of U.S. law enforcement to fight online trafficking in copyrighted intellectual property and counterfeit goods. Provisions include the requesting of court orders to bar advertising networks and payment facilities from conducting business with infringing websites, and search engines from linking to the sites, and court orders requiring Internet service providers to block access to the sites. The law would expand existing criminal laws to include unauthorized streaming of copyrighted content, imposing a maximum penalty of five years in prison.Opponents have warned that SOPA would have a negative impact on online communities. Journalist Rebecca MacKinnon argued in an op-ed that making companies liable for users' actions could have a chilling effect on user-generated sites such as YouTube. "The intention is not the same as China's Great Firewall, a nationwide system of Web censorship, but the practical effect could be similar", she says. The Electronic Frontier Foundation (EFF) warned that websites Etsy, Flickr and Vimeo all seemed likely to shut down if the bill becomes law. Policy analysts for New America Foundation say this legislation would enable law enforcement to take down an entire domain due to something posted on a single blog, arguing, "an entire largely innocent online community could be punished for the actions of a tiny minority". The English Wikipedia blackout occurred for 24 hours on January 18–19, 2012. In place of articles, the site showed only a message in protest of SOPA and PIPA asking visitors to "Imagine a world without free knowledge."
5.2 Protect IP Act (PIPA) The PROTECT IP Act (Preventing Real Online Threats to Economic Creativity and Theft of Intellectual Property Act, or PIPA) is a proposed law with the stated goal of giving the US government and copyright holders additional tools to curb access to "rogue websites dedicated to infringing or counterfeit goods", especially those registered outside the U.S. 32
The bill was introduced on May 12, 2011, by Senator Patrick Leahy (D-VT). The PROTECT IP Act is a re-write of the Combating Online Infringement and Counterfeits Act (COICA), which failed to pass in 2010. The PROTECT IP Act says that an "information location tool shall take technically feasible and reasonable measures, as expeditiously as possible, to remove or disable access to the Internet site associated with the domain name set forth in the order". In addition, it must delete all hyperlinks to the offending "Internet site".
5.3 U.S. Computer Fraud and Abuse Act The Congress responded to the problem of computer crime by enacting several laws. The first federal computer crime statute was the Computer Fraud and Abuse Act of 1984 ("CFAA"). The fact that only one indictment was ever made under the original CFAA before it was amended in 1986 shows how difficult it is to write effective computer crime legislation. CFAA is the most important computer crime statute in the U.S. because almost every other statute that deals with computer crime modifies the CFAA.Originally CFAA had a major limitation because it required proof that the person accessed the computer without authorization. Thus by focusing on the method of entry into the computer instead of the use of the computer, the statute excluded any crimes committed by an insider, which couldn’t be prosecuted under the CFAA. Another limitation of CFAA was specifically written into it, the statute forbade prosecution for access to a computer where the only thing of value gained by the intruder was the use of the computer itself. As such, according to CFAA, merely viewing data stored on the computer was not illegal even if access was gained without authorization.In 1994 Computer Fraud and Abuse Act was modified again in order to deal with the problem of “malicious code” such as viruses, worms and other programs designed to alter, damage or destroy data on a computer. This was necessary because the old law only focused on access of the computer system and not on how that computer system was used. The amended CFAA could now be used to prosecute those who transmitted "a program, information, code, or command to a computer or computer system" with the intent to cause damage to the computer or information in the computer or prevent the use of the system without the knowledge or the authorization of the owners of that computer. In addition, the law made it a crime to act "with reckless disregard of a substantial and unjustifiable risk" of damage or loss occurring. 33
5.4 U.S. Electronic Funds Transfer Act This act Prohibits the use, transport, sale, receipt, or supply of counterfeit, stolen, altered, lost, or fraudulently obtained debit in interstate or foreign commerce. In the US the Electronic Funds Transfer Act (EFTA) read with the Electronic Fund Transfers Regulation (Regulation E) provide the basic framework establishing the rights, liabilities and responsibilities of participants in electronic fund transfer systems. The Electronic Fund Transfer Act, 1978 is basically a consumer protection measure and is codified as title IX of the Consumer Protection Act. This Act apart from defining certain basic concepts, lays down the disclosure norms in regard to terms, pricing etc. it also requires the service providers to supply transaction record. This Act defines the term unauthorised electronic fund transfer. and prescribes (limits) the consumers liability for unauthorised electronic transfers. The Act also prescribes the liability of the financial institutions in the situations enumerated therein. It also requires service providers to supply transaction record. This Act, however, applies mostly to consumer activated consumer payment systems and other consumer related Electronic funds transfer (EFT) like Electronic funds transfer at Point of Sale and ATMs. Inter-bank and intra-bank fund transfers are not covered by EFT Act.
5.5 U.S. Freedom of Information Act This act Provides public access to information collected by the executive branch of the federal government. This document was obtained under the Freedom of Information Act by the Electronic Privacy Information Center in November 1994 and scanned in by the Bureau of National Affairs. It is not copyrighted and may be freely distributed.
5.6 U.S. Electronic Communication Privacy Act This act protects the privacy of personal data collected by the government. This act Protects against wiretapping. Passed in 1986, Electronic Communications Privacy Act (ECPA) was an amendment to the federal wiretap law, the Act made it illegal to intercept stored or transmitted electronic communication without authorization.11 ECPA set out the provisions for
access,
use,
disclosure,
interception 34
and
privacy
protections
of
electronic
communications. Which is defined as “any transfer of signs, signals, writing, images, sounds, data, or intelligence of any nature transmitted in whole or in part by a wire, radio, electromagnetic, photo electronic or photo optical system that affects interstate or foreign commerce." The Act prohibits illegal access and certain disclosures of communication contents. In addition, ECPA prevents government entities from requiring disclosure of electronic communications by a provider such as an ISP without first going through a proper legal procedure.ECPA was amended in 1994 by the Communications Assistance for Law Enforcement Act (CALEA).12 CALEA requires the ISPs to build in capabilities into their networks that would allow the law enforcement to carry out electronic surveillance of specific individuals. CALEA did not remove the need for a warrant before such surveillance could be carried out, it only made sure that if there was a need the law enforcement would be able to do so.
5.7 USA Patriot Act The USA PATRIOT Act, effective October 26, 2001, resulted in a number of significant changes to various Federal statutes governing the searching and seizing of computers and the gathering of electronic evidence. The Field Guidance memorandum provides an overview of the various ways in which the USA PATRIOT Act has changed the law in this area. Discussions of the Patriot Act seldom focus on the effect this legislation will have in fighting computer crime. People either express delight at law enforcement’s increased ability to use surveillance tools like roving wiretaps or they lament the decrease in civil liberties resulting from new monitoring now permitted under this Act. Yet within the Patriot Act are important changes that will increase prosecutorial power in fighting computer crimes. Specifically, the Act references the Computer Fraud and Abuse Act (18 U.S.C. § 1030) with both procedural and substantive changes that may significantly influence future prosecutions. There are also changes that will make it easier for law enforcement to investigate computer crimes. Although many changes speak to fighting terrorism and specifically cyberterrorism, the title and purpose of the Patriot Act are the only apparent limits to these modifications. As such, the statutory changes are likely to extend beyond these titles to include acts of fraud, identity theft, and other activities that are common forms of computer crimes. Some of the new
35
procedural changes are permanent; however, lacking congressional action, some changes will expire under sunset provisions on December 31, 2005.
5.8 USA Economic Espionage Act In addition to laws specifically tailored to deal with computer crimes, traditional laws can also be used to prosecute crimes involving computers. For example the Economic Espionage Act (EEA) was passed in 1996 and was created in order to put a stop to trade secret misappropriation. 15 EEA makes it a crime to knowingly commit an offense that benefits a foreign government or a foreign agent. The Act also contains provisions that make it a crime to knowingly steal trade secrets or attempt to do so with the intent of benefiting someone other then the owner of the trade secrets. EEA defines stealing of trade secrets as copying, duplicating,
sketching,
drawing,
destroying,
photocopying,
photographing,
replicating,
downloading,
transmitting,
delivering,
uploading,
altering,
sending,
mailing,
communicating, or conveying trade secrets without authorization. The Act, while not specifically targeted at computer crimes, nonetheless covers the use of computers.
6. CONCLUSION
Chapter 6 36
Obviously computer crime is on the rise, but so is the awareness and ability to fight it. Law enforcement realizes that it is happening more often than it is reported and are doing there best to improve existing laws and create new laws as appropriate. The problem is not with the awareness or the laws, but with actually reporting that a crime has occurred. Hopefully people will begin to realize that unless they report these crimes and get convictions, those committing computer crimes will continue to do so. While there is no silver bullet for dealing with cyber crime, it doesn’t mean that we are completely helpless against it. The legal system is becoming more tech savvy and many law enforcement departments now have cyber crime units created specifically to deal with computer related crimes, and of course we now have laws that are specifically designed for computer related crime. While the existing laws are not perfect, and no law is, they are nonetheless a step in the right direction toward making the Internet a safer place for business, research and just casual use. As our reliance on computers and the Internet continues to grow, the importance of the laws that protect us from the cyber-criminals will continue to grow as well. .
7. References
Chapter 7
37
