
Page 1: Assignment - Criminal Uses of Cryptography and Law (1)

University of Glamorgan

MSC COMPUTER SYSTEMS SECURITY (FULL-TIME)

MODULE CODE: MS4S01

MODULE NAME: CRYPTOGRAPHY AND ELECTRONIC COMMERCE

LECTURERS: Dr DAVID KNIGHT AND Dr PAUL ROACH

COURSEWORK TITLE: CRIMINAL USES OF CRYPTOGRAPHY AND LAW

ENROLMENT NUMBER: 06140483


CONTENTS

Abstract

Introduction

What is Cryptography

Historical examples

Modern examples

Cyber crime or fraud on the Internet

Hacking

Fraud related Cryptography

Cryptographic Attacks

Bank frauds in India by using Cryptography

Survey of Cryptography laws and regulations

Criminal law

Terrorism and Steganography

Conclusion

References


CRIMINAL USES OF CRYPTOGRAPHY AND LAW

Abstract:

An analysis of the role of cryptography to date as used in the commission of crime. It describes cryptography and its criminal uses, and the laws available against the misuse of cryptography. This report discusses the current regulatory framework and examines whether the proposals, deriving mainly from various national law enforcement bodies, for tighter national controls on Internet service provision and on cryptography are justified in the light of the expanding role of e-commerce. A few modern and historical examples of cryptography are also given. The section on fraud related to cryptography concentrates on some of the crimes in India, especially bank-related frauds, and I present some of the laws on cryptography crime not only in India but worldwide.

Introduction:

Cryptography has emerged as the only alternative for protecting Internet data, and it does the job well. Modern crypto techniques have evolved from the secret codes of decades past, brilliantly augmented with a deep knowledge of modern mathematics. New cryptographic products and techniques have been developed particularly for Internet applications. Some people “crack” codes and misuse cryptographic technology. Crypto is useless if used incorrectly. One of cryptography's primary purposes is hiding the meaning of messages, but not usually their existence. Cryptography also contributes to computer science, particularly in the techniques used in computer and network security for such things as access control and information confidentiality. Cryptography is also used in many applications encountered in everyday life: the security of ATM cards, computer passwords, and electronic commerce all depend on it. Almost since people began writing, they have found ways to hide what they were writing. Cryptography, which is said to be the art of secret writing, has for a long time been used mainly by governments, diplomats, armies, and intelligence agencies. With the advent of modern (public-key) cryptography in the 1970s, cryptography is being used by an ever wider range of users. In effect, in the present information society, cryptography has become an essential tool for safeguarding information security. Throughout its history, cryptography has been controlled by governments to prevent it from falling into the wrong (mostly foreign) hands. Over the past few years, governments have increasingly worried about the threat of criminals using cryptography to thwart law enforcement. Some governments have passed specific legislation to address this problem; others are still studying the issue, unsure whether to attach more weight to the beneficent use of cryptography in safeguarding information security or to its nefarious use by criminals. Cryptography is a necessary tool in the information society. Yet if criminals use it, wiretaps and computer searches will become useless. So there is a clash of concerns: how to ensure that the police can still catch criminals, while respecting the essential uses of cryptography in information security?

What is Cryptography

Definition: Cryptography is the study of mathematical techniques related to aspects of information security such as confidentiality, data integrity, entity authentication, and data origin authentication.

Cryptography is not the only means of providing information security, but rather one set of techniques. Cryptography presents various methods for taking legible, readable data, and transforming it into unreadable data for the purpose of secure transmission, and then using a key to transform it back into readable data when it reaches its destination. Cryptography is about scrambling data so that it looks like babble to anyone except those who know the trick to decoding it. Almost anything in the world can be hidden from sight and revealed again.

Cryptographic goals

The following four goals form a framework from which the others are derived.

1. Privacy or Confidentiality.

2. Data Integrity.

3. Authentication.

4. Non-repudiation.

A fundamental goal of cryptography is to adequately address these four areas in both theory and practice. Cryptography is about the prevention and detection of cheating and other malicious activities.

HOW MUCH CRYPTO IS ENOUGH?

Enough to make attacks too expensive to be practical. The traditional competitors in crypto have been governments: one hides its secrets while the other tries to get through them. With political and military objectives at stake the threat has few limits.


The traditional mantra of the US National Security Agency (NSA) has been: “Never underestimate the time, money, and effort an adversary will spend to read your traffic.” At the other end of the scale we have casual e-mail between acquaintances. Who would bother to read or manipulate the plaintext of such messages, much less take the effort to penetrate an encrypted version? Crypto requires special facilities, and it takes extra time and effort to apply crypto protections correctly. It is simply an expensive bother when it isn’t really needed. The risk for commercial traffic falls somewhere between these extremes, and so does its practical application.

CRYPTO IS HARD TO USE:

Popular imagination traditionally associates crypto with diplomats, soldiers and spies. In fact, crypto techniques have been used for centuries to protect business and commercial messages. With the evolution of computer communications, strong crypto techniques were developed for commercial purposes as well as for protecting government messaging. Initially, these techniques were only used by institutions that had a lot at risk and were willing to invest a lot in protection. While the history of crypto holds many stories of weak codes overcome by clever adversaries, it also has many stories about codes overcome by improper use. Though many stories are of wars and armies, the lessons apply to the private and commercial worlds, too. All modern histories of World War II credit various Allied victories to code breaking: cracking enemy codes. The US Navy’s successful attack on the Japanese in the Battle of Midway is credited largely to decrypted Japanese radio messages. The US Navy also cracked the Japanese convoy code and waged a devastating submarine campaign against their convoys. In the Atlantic, the Allies used knowledge of German codes to track their submarines. However, this was not a one-sided success. Thanks to what some have called “sloppy” behavior by Allied coding clerks, the Germans were equally effective in reading dispatches sent to Allied convoys. Thus, the German submarines played the same game in the Atlantic that the US Navy played in the Pacific.

The Navy appreciated both the value of code breaking and their own vulnerability to it. A classified dispatch was distributed in late 1943 to alert communications personnel to the risk and to repeat various rules for correct operation. While the rules of the 1940’s for secure radio communication are hardly relevant, the rationale behind them still holds true.

Confidentiality was crucial to the achievement of the Navy’s objectives, and they relied on communications security measures to provide it. They also realized that subtle mistakes, especially when repeated, could provide an “entering wedge” for cracking the system. All crypto systems are vulnerable to the entering wedge: the careless mistakes that give adversaries the opening they need to crack your system.


Historical Examples

Codes and ciphers have been used since ancient times, as early as 1900 BC. The word cryptography, meaning the science of codes, comes from the Greek words kryptos (secret) and graphos (writing). In 405 BC the Greek general Lysander of Sparta was sent a coded message written on the inside of a servant’s belt. When Lysander wound the belt around a wooden baton the message was revealed. The message warned Lysander that Persia was about to go to war against him. He immediately set sail and defeated the Persians. The Greeks also invented a code which changed letters into numbers: A is written as 11, B as 12, and so on, so WAR would read as 52 11 42. A form of this code was still being used two thousand years later during the First World War.

Mary Queen of Scots: cryptanalysis example

In Elizabethan England Mary Queen of Scots sent coded messages to her supporters who were plotting to murder Queen Elizabeth I. The messages were intercepted by the head of Elizabeth’s secret service, Sir Francis Walsingham. He deciphered them and discovered the plot. Mary was executed for treason in 1587.

German spies and null ciphers

Null Ciphers are some of the oldest cited examples of modern steganography, and are some of the few steganographic algorithms that use either synthetic or immutable carriers. In contrast, the vast majority of today's steganographic algorithms use mutable carriers where the embedding process requires modifying the carrier in some way. The main deficiency with mutating the carrier during the embedding process is that the algorithms will leave some sort of signature. We explore algorithms that use Variable Interval Symbol Aggregation (VISA) for both text and binary data.

KGB one-time pads

The one-time pad, as used by the KGB, is a cryptosystem invented by Vernam. It is a very simple system and is unbreakable if used correctly. To use a one-time pad, you need two copies of the ‘pad’, which is a block of random data equal in length to the message you wish to encode. The word ‘random’ is used in its most literal possible sense here. If the data on the pad is not truly random, the security of the pad is reduced, potentially to near zero. To be unbreakable, a one-time pad must consist of truly random data and must be kept secure.
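The following is an added example, not part of the coursework, of the two-copy usage described above: a Python one-time pad whose sender and receiver copies consume pad bytes in lock-step and refuse to reuse them, plus a function showing why the "one-time" rule exists (when the same pad bytes protect two messages, the pad cancels out of the XOR of the two ciphertexts). The class and function names are my own.

```python
import os


class OneTimePad:
    """One copy of the pad. Sender and receiver each hold an identical copy and
    consume it in lock-step; a pad byte that has been used is never used again.
    The pad must be at least as long as all the traffic it will ever protect."""

    def __init__(self, pad_bytes):
        self._pad = bytes(pad_bytes)
        self._pos = 0  # index of the first unused pad byte

    @classmethod
    def fresh(cls, length):
        # os.urandom is the operating system's cryptographic RNG; in this
        # demonstration it stands in for the 'truly random' data the text requires.
        return cls(os.urandom(length))

    def copy(self):
        """The second copy, handed to the other party (both copies start unused)."""
        return OneTimePad(self._pad)

    def remaining(self):
        return len(self._pad) - self._pos

    def _take(self, n):
        if n > self.remaining():
            raise ValueError("pad exhausted: refusing to reuse pad bytes")
        chunk = self._pad[self._pos:self._pos + n]
        self._pos += n  # advance past the consumed bytes
        return chunk

    def apply(self, data):
        """XOR the next len(data) pad bytes into data. XOR is its own inverse,
        so the sender calls this to encrypt and the receiver calls it to decrypt."""
        return xor_bytes(data, self._take(len(data)))


def xor_bytes(a, b):
    """Byte-wise XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("inputs must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def pad_reuse_leak(m1, m2, pad):
    """Why 'one-time' matters: if the same pad bytes protect two messages,
    XOR of the two ciphertexts equals XOR of the two plaintexts. The pad has
    cancelled out, so the secrecy of the pair no longer rests on the pad."""
    c1 = xor_bytes(m1, pad)
    c2 = xor_bytes(m2, pad)
    return xor_bytes(c1, c2)  # equals xor_bytes(m1, m2)


if __name__ == "__main__":
    sender = OneTimePad.fresh(64)
    receiver = sender.copy()  # the 'two copies of the pad' from the text
    c = sender.apply(b"meet at noon")  # constructed sample message
    print("ciphertext:", c.hex())
    print("decrypted :", receiver.apply(c))
    print("pad bytes left on each side:", sender.remaining(), receiver.remaining())
```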


Modern Examples

Enabling wiretaps with mobile phones (mobile phone encryption)

Mobile phone encryption is done with what is called a Cryptophone. The use of wiretapping has become so widespread, simple and uncontrolled that we must assume that the records of our private calls end up in the wrong hands. Equipment for wireless interception of mobile phone calls has become available at such low prices that it is deployed frequently even in comparatively small business conflicts. So using encryption to protect your privacy is the prudent choice. Now there is a solution that we can trust, because it can be verified by known experts. The GSMK CryptoPhone, the first secure mobile phone that comes with full source code available for independent review, is available now. Finally, we can perform an independent assessment to ensure that there is no weak encryption and no backdoors in the device to which we entrust our telecommunications security.

Examples of phone enemy

THE PROBLEM:

Wiretapping: Many law enforcement people consider it a necessary investigation measure. It is considered particularly effective in fighting organized crime, since criminal organizations have a high need to communicate.

In the United States, there are over 1,000 federal law-enforcement wiretaps a year. In Germany and the Netherlands, the figure is much higher, well over 3,000 wiretaps a year. There are not many figures on the efficacy of wiretaps. A German study of US wiretaps in the late 1980s found that in 95% of the cases, incriminating conversations were recorded; in 47% of wiretap cases, there were arrests, and in 33%, there were convictions. A 1996 Dutch report by the WODC concluded that wiretapping is an effective investigation measure.

Cryptography used for encrypting telephone conversations and e-mail communications will hamper wiretapping; this will be particularly relevant in organized crime and computer crime cases. Crypto phones and crypto fax machines are readily available; moreover, Internet telephony can also use cryptography, such as PGPfone. Note, however, that it only slows down retrieving the content of messages.


RSA

How RSA works: One commonly used cipher of this form is called “RSA Encryption”, where “RSA” are the initials of the three creators: Rivest, Shamir, and Adleman. It is based on the following idea: it is simple to multiply numbers together, especially with computers, but it can be difficult to factor numbers. For example, if we multiply together 34537 and 99991, it is a simple matter to put those numbers into a calculator and get 3453389167. But the reverse problem is much harder.

Suppose we take the number 1459160519. I'll even tell you that I got it by multiplying together two integers. Can you tell me what they are? This is a very difficult problem. A computer can factor that number fairly quickly, but it basically does it by trying most of the possible combinations. For any size of number, the computer has to check something of the order of the square root of the number to be factored. In this case, that square root is roughly 38000.

Now it doesn't take a computer much time to try out 38000 possibilities, but what if the number to be factored is not ten digits, but rather 400 digits? The square root of a number with 400 digits is a number with 200 digits. The lifetime of the universe is approximately 10^{18} seconds, an 18 digit number. Assuming a computer could test one million factorizations per second, in the lifetime of the universe it could check 10^{24} possibilities. But for a 400 digit product, there are 10^{200} possibilities. This means the computer would have to run for 10^{176} times the life of the universe to factor the large number. It is, however, not too hard to check whether a number is prime, in other words to check that it cannot be factored. If it is not prime, it is difficult to factor, but if it is prime, it is not hard to show that it is prime. RSA encryption is built on this asymmetry. In a real RSA encryption system, keep in mind that the prime numbers are huge. A few more RSA topics to be aware of are:

digital certification

digital signature

forging digital signature
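The following is an added example, not part of the coursework: textbook RSA on the two primes from the paragraph above (34537 and 99991; the public exponent 65537 is an assumption, and no padding scheme is used), together with the trial-division factoring the text describes. It shows that recovering the private exponent from the public key is exactly as hard as factoring the modulus, which is why real keys use primes of hundreds of digits. All function names are my own.

```python
from math import isqrt


def trial_division_factor(n):
    """Split n into (p, q, trials) with p * q == n and p <= q by the brute-force
    method the text describes: test candidate divisors up to sqrt(n).
    'trials' counts the divisibility tests performed, which grows with sqrt(n).
    Returns None if n is prime (no divisor found)."""
    trials = 1
    if n % 2 == 0:
        return 2, n // 2, trials
    limit = isqrt(n)
    d = 3
    while d <= limit:
        trials += 1
        if n % d == 0:
            return d, n // d, trials
        d += 2
    return None


def rsa_keygen(p, q, e=65537):
    """Textbook RSA key generation from two primes (illustration only, no padding).
    Public key is (n, e); the private exponent d is the inverse of e modulo phi(n)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # Python 3.8+; raises ValueError if gcd(e, phi) != 1
    return (n, e), (n, d)


def rsa_encrypt(public_key, m):
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message must be an integer smaller than the modulus")
    return pow(m, e, n)


def rsa_decrypt(private_key, c):
    n, d = private_key
    return pow(c, d, n)


def private_key_from_factoring(public_key):
    """The point of the paragraph: once n is factored, phi(n) and hence d follow
    immediately, so the private key is only as safe as the modulus is hard to factor."""
    n, e = public_key
    found = trial_division_factor(n)
    if found is None:
        raise ValueError("modulus is prime, not a valid RSA modulus")
    p, q, _ = found
    return (n, pow(e, -1, (p - 1) * (q - 1)))


if __name__ == "__main__":
    # The text's toy modulus: 34537 * 99991 (both prime). Constructed sample message below.
    public, private = rsa_keygen(34537, 99991)
    c = rsa_encrypt(public, 123456789)
    print("ciphertext:", c, "decrypts to:", rsa_decrypt(private, c))
    p, q, trials = trial_division_factor(public[0])
    print(f"{public[0]} = {p} * {q}, found after {trials} divisibility tests")
    print("private exponent recovered from factoring matches:",
          private_key_from_factoring(public) == private)
    # The text's second challenge number: sqrt is about 38000, so at most ~19000 odd candidates.
    print("1459160519 factors as:", trial_division_factor(1459160519))
```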

DES

The Data Encryption Standard (DES) was jointly developed in 1974 by IBM and the U.S. government to set a standard that everyone could use to securely communicate with each other. It operates on blocks of 64 bits using a secret key that is 56 bits long. The original proposal used a secret key that was 64 bits long. It is widely believed that the removal of these 8 bits from the key was done to make it possible for U.S. government agencies to secretly crack messages.

DES started out as the "Lucifer" algorithm developed by IBM. The US National Security Agency (NSA) made several modifications, after which it was adopted as Federal Information Processing Standard (FIPS) standard 46-3 and ANSI standard X3.92.

How DES works: Encryption of a block of the message takes place in 16 rounds. From the input key, sixteen 48-bit keys are generated, one for each round. In each round, eight so-called S-boxes are used. These S-boxes are fixed in the specification of the standard. Using the S-boxes, groups of six bits are mapped to groups of four bits. The contents of these S-boxes were determined by the U.S. National Security Agency (NSA). The S-boxes appear to be randomly filled, but this is not the case. Recently it has been discovered that these S-boxes, determined in the 1970s, are resistant against an attack called differential cryptanalysis which was first known in the 1990s.

The block of the message is divided into two halves. The right half is expanded from 32 to 48 bits using another fixed table. The result is combined with the subkey for that round using the XOR operation. Using the S-boxes the 48 resulting bits are then transformed again to 32 bits, which are subsequently permuted again using yet another fixed table. This by now thoroughly shuffled right half is now combined with the left half using the XOR operation. In the next round, this combination is used as the new left half.

PGPfone – Pretty Good Privacy Phone

PGPfone is a software package that turns our desktop or notebook computer into a secure telephone. It uses speech compression and strong cryptography protocols to give us the ability to have a real time secure telephone conversation. Secure voice calls are supported over the Internet, or through a direct modem-to-modem connection, or even over AppleTalk networks.

Cyber Crime or Fraud on Internet

This is a form of white-collar crime. Internet fraud is a common type of crime whose growth has been proportionate to the growth of the internet itself. The internet provides companies and individuals with the opportunity to market their products on the net. It is easy for people with fraudulent intentions to make their messages look real and credible. There are innumerable scams and frauds, most of them relating to investment schemes, which are described in detail below:

Online investment newsletters: Many newsletters on the internet provide investors with free advice recommending stocks in which they should invest. Sometimes these recommendations are totally bogus and cause losses to investors.


Bulletin boards: This is a forum for sharing investor information, and fraud is often perpetrated in this zone, causing losses to millions who rely on them.

E-mail scams: Since junk mail is easy to create, fraudsters often find it easy to spread bogus investment schemes or spread false information about a company.

Credit card fraud: With electronic commerce rapidly becoming a major force in national economies, it offers rich pickings for criminals prepared to undertake fraudulent activities. In the U.S.A. the ten most frequent fraud reports involve undelivered and online services; damaged, defective, misrepresented or undelivered merchandise; auction sales; pyramid schemes and multilevel marketing; and the most predominant among them is credit card fraud. Something like half a billion dollars is lost by consumers to card fraud alone.

Publishing of a false digital signature: According to section 73 of the I.T. Act 2000, a person who knows that a digital signature certificate is erroneous in certain particulars and still goes ahead and publishes it is guilty of having contravened the Act. He is punishable with imprisonment for a term that may extend to two years, or with a fine of one lakh rupees, or with both.

Making available a digital signature for fraudulent purposes: This is an offence punishable under section 74 of the above-mentioned Act, with imprisonment for a term that may extend to two years, or with a fine of two lakh rupees, or with both.

Alteration and destruction of digital information: The corruption and destruction of digital information is the single largest menace facing the world of computers. It is introduced by a human agent with the help of various programs, which are described in detail below:

Virus: Just as a virus can infect the human immune system, there exist programs which can destroy or slow down computer systems. A computer virus is nothing but a program designed to replicate and spread, generally with the victim being oblivious to its existence. Computer viruses spread by attaching themselves to programs like word processors or spreadsheets, or they attach themselves to the boot sector of a disk. When an infected file is activated, or when the computer is started from an infected disk, the virus itself is also executed.

HACKING

It is the most common type of cyber crime committed across the world. Hacking has been defined in section 66 of the Information Technology Act, 2000 as follows: "whoever with the intent to cause or knowing that he is likely to cause wrongful loss or damage to the public or any person destroys or deletes or alters any information residing in a computer resource or diminishes its value or utility or affects it injuriously by any means commits hacking". Punishment for hacking under the above-mentioned section is imprisonment for three years, or a fine which may be up to two lakh rupees, or both. A hacker is a person who breaks into or trespasses on a computer system. Hackers are of different types, ranging from code hackers to crackers to cyber punks to freaks. Some hackers just enjoy cracking systems and gaining access to them as an ordinary pastime; they do not desire to commit any further crime. Whether this itself would constitute a crime is a matter of fact. At most such a crime could be equated with criminal trespass.

Fraud related Cryptography

Crypto viruses: denial of service attack, information extortion attack

Here I describe the various laws and regulations on cryptography that currently exist or are being discussed around the world. I focus on cryptography that is used for confidentiality purposes; authentication cryptography, with which digital signatures can be made, in general does not hamper law enforcement. I shall first describe export and import rules in general, and then deal with the existing domestic encryption laws and regulations per country. Next come the developments taking place in international bodies, especially the European Union and the OECD.

Cryptographic Attacks: After all the work cryptographers put into testing their algorithms for holes, you would think that modern crypto systems would be hard to break. And in a sense it is hard to break these well-developed systems if you go at them with a sledgehammer approach. However, most modern attacks find ways to simply circumvent the security in an algorithm or crypto system instead of finding ways to “break” them. Because we are human, we sometimes make mistakes in hardware and software that make it easier for attackers to find the weaknesses in a security mechanism. Sometimes crypto attacks are made easier because the vendor made a simple mistake in creating the encryption program. This has happened more often than you’d care to know. There are tons of people out there with time, energy, and spare computers who love to find holes in crypto programs, and when they do, they take a fair amount of delight in publishing their results. If you do an Internet search on “cracking crypto” or “attacking cryptography,” you’ll find hundreds of highly technical papers and lots of freeware that will do the job for you. That’s not to say that encrypting your data and messages is a bad thing. It’s certainly more secure than not encrypting it. In fact, in one well-known case, an e-commerce site went to all the trouble of setting up SSL to encrypt credit card numbers for purchases, but stored those numbers unencrypted on the web server. The attackers did not need to attack the SSL sessions; they just found a path into the web server and stole the credit card numbers with no problem. Sometimes smart people do dumb things. It’s up to you to try to play it smart.


Here are some of the common attacks you are likely to come across in your reading or discussions about cryptography:

Known Plaintext Attack

Chosen Ciphertext Attack

Chosen Plaintext Attack

The Birthday Attack

Man-in-the-Middle Attack

Timing Attack

Rubber Hose Attack

Electrical Fluctuation Attack

Security Related Crimes:

With the growth of the internet, network security has become a major concern. Private confidential information has become available to the public. Confidential information can reside in two states on the network: it can reside on physical storage media, such as a hard drive or memory, or it can be in transit across the physical network wire in the form of packets. These two information states provide opportunities for attacks from users on the internal network, as well as users on the Internet.

IP spoofing: An IP spoofing attack occurs when an attacker outside the network pretends to be a trusted computer, either by using an IP address that is within the network's range or by using an external IP address that you trust and to which you wish to provide access to specified resources on your network. Normally, an IP spoofing attack is limited to the injection of data or commands into an existing stream of data passed between a client and server application or a peer-to-peer network connection.

Password attacks: Password attacks can be implemented using several different methods, such as brute force attacks and Trojan horse programs. IP spoofing can yield user accounts and passwords. Password attacks usually refer to repeated attempts to identify a user password or account; these repeated attempts are called brute force attacks.

Distribution of sensitive internal information to external sources: At the core of these security breaches is the distribution of sensitive information to competitors or others who use it to the owner’s disadvantage. While an outside intruder can use password and IP spoofing attacks to copy information, an internal user could place sensitive information on an external computer or share a drive on the network with other users.

Man-in-the-middle attacks: This attack requires that the attacker have access to network packets that come across the network. The possible uses of such an attack are theft of information, hijacking an ongoing session to gain access to your internal network resources, traffic analysis to derive information about your own network and its users, denial of service, corruption of transmitted data, and introduction of new information into network sessions.

Cryptography, privacy and national security concerns in India:

The Internet has provided its users with a new forum to express their views and concerns on a worldwide platform. An essential corollary to the freedom to communicate and speak is that this must be allowed with as little State interference as possible; in other words, in the absence of State intrusion. This immediately raises the controversial issue of the right to privacy, which can be considered a logical corollary to the freedom of speech and expression. The practice of encryption, and its study, known as cryptography, provides individuals with means of communication that no third party can understand unless specifically permitted by the communicators themselves. It would therefore seem that this practice is a legitimate utilization of the right to freedom of speech and expression and the right to have a private conversation without intrusion.

Breach of confidentiality and privacy under the Information and Technology Act 2000: According to section 72 of the above-mentioned Act, if a person has secured access to any electronic record, book, register, correspondence, information, document or other material without the consent of the person concerned and discloses the same to any other person, then he shall be punishable with imprisonment up to two years, or with a fine which may extend to one lakh rupees, or with both.

Encryption and cryptography: Encryption is like sending a postal letter to another party with a lock code on the envelope which is known only to the sender and the recipient. This has the effect of ensuring total privacy even in open networks like the internet. Encryption involves the use of secret codes and ciphers to communicate information electronically from one person to another in such a way that only the persons so communicating know how to use the codes and ciphers. The field of cryptography, on the other hand, deals with the study of secret codes and ciphers and the innovations that occur in the field. It is also defined as the art and the science of keeping messages secure. Thus while encryption is the actual process, cryptography involves a study of the same and has a wider connotation.

Restrictions on cryptography in India:

The use of cryptography and encryption in India is a relatively new phenomenon. The use of this technology for the purposes of communication has begun only over the last 15-20 years in India. According to a recent report, there are very few companies in India involved in the development of cryptography. Further, cryptography remains within the domain of the defense sector. It was only as late as 1995 that India introduced a list of items that required licensing before export. The list only included encryption software for telemetry systems in particular and did not relate to encryption software in general. The Information and Technology Act 2000 seeks to introduce some sort of control over the use of encryption for communication in India.

BANK FRAUDS IN INDIA BY USING CRYPTOGRAPHY

Bank frauds: a chronic disease

Some relevant issues to tackle bank frauds

An India Forensic approach

BANK FRAUDS – A CHRONIC DISEASE, by Anuradha A. Pujari

All the major operational areas in banking represent a good opportunity for fraudsters with growing incidence being reported under deposit, loan and inter-branch accounting transactions, including remittances.

A broad analysis of various frauds that have taken place throws up the following high-risk areas in committing frauds:

1. Misappropriation of cash by dodging accounts.

2. Unauthorized withdrawal or transfer of funds, mostly from long dormant accounts. These kinds of frauds also involve forgery.

3. Opening of fictitious accounts to misappropriate funds from illegal activities, i.e. laundering through the fictitious accounts.

4. Use of interbank clearing for accommodation, kite flying and misappropriation.

5. Cheating in foreign exchange transactions by flouting exchange control provisions.

6. Over-valuation of securities and tampering with security documents, which has led to many of the co-operative bank failures in the recent past.

7. Fraud in collusion with bank staff in emerging areas and services under the computerized environment.

Frauds take place in a financial system only when safeguards and procedural checks are inadequate or when they are not scrupulously adhered to, leaving the system vulnerable to the perpetrators. Anecdotal evidence shows that whether the agency or individual committing the fraud works for the bank or deals with it, the culprit does careful planning before he attacks the system at its most vulnerable point.

The most effective defense banks could have against fraud is to strengthen their operational practices, procedures, controls and review systems so that all fraud-prone areas are fully sanitized against internal or external breaches. Anyway, the huge expansion in banking transactions consequent to the transition of banks to mass banking, and the large-scale computerization, have played a major role in the commission of frauds. Hence mere reliance on internal controls is of no use. Expect fraud: to expect fraud, one needs formal education to think along the given guidelines. Nowhere in the world can fraud be avoided, and banks are no exception. It is a human tendency to take the risk of committing fraud if one finds suitable chances or ways. So it is wise to expect the occurrence of fraud. When different schemes of fraud are classified it gives a broad idea of the fraud schemes that are possible in the country. Unfortunately no Indian body does this work. If fraud is expected, efforts can be concentrated on the areas which are fraud prone. Fraud is a game of two: the rule makers and the rule breakers. Whoever is stronger in anticipating situations wins the game of frauds. Fraud is a fact which cannot be eliminated, but it needs to be managed.

Develop a fraud policy. The policy should be written and distributed to all employees, borrowers and depositors. This puts moral pressure on the potential fraudster. Maintain zero tolerance for violations. Indian banks need to be loud about the action that is taken against fraudsters; media publicity against fraudsters at all levels is necessary. The announcement by US president George W. Bush that "corporate crooks will not be spared" had a deep impact on corporate America. In India too we need to treat this as a severe problem and fight against it.

Assess risk. Look at the ways fraud can happen in the organization. It is very important to study the trend and style of frauds in the bank. The Basel-II accord deals with the assessment of various kinds of risk. Some of the big nationalized banks in India maintain databases of the fraud cases reported in their banks, but the databases are inert: they yield nothing unless they are analyzed effectively. Establish regular fraud-detection procedures, in the form of internal audit or of inspections. These procedures alone discourage employees from committing fraud. In addition, the Institute of Chartered Accountants of India has issued an "Accounting and Assurance Standard on Internal Controls", which is a real guideline for testing internal controls. Controls break down because people affect them, and because circumstances change.

Segregate duties in critical areas. It is an absolutely basic principle of auditing that a single person should not have control of both the books of accounts and the physical assets, because this is the scenario which tempts an employee to commit fraud. Hence it is essential that no one employee is able to initiate and complete a critical transaction without involving someone else. Most banks in India have well-defined authorization procedures, and the allocation of sanctioning limits is observed in most cases. But bankers still violate their authority very easily; they just need to collude with outside parties. However, detection of collusion is possible in most cases if the higher authorities are willing to dig into the frauds. Maintain the tone of ethics at the top. Subordinates tend to follow their superiors. When signals about the unethical behavior of top management reach middle management, the fear of punishment is reduced and the tendency to follow the superior dominates. Fear vanishes when the attitude of "if I have to go down, I'll take the superior down with me" takes hold.

Review and enforce password security. Incidents of hacking and phishing have troubled Indian private sector banks to a great extent. In addition, most Indian banks are racing to issue ATM and credit cards to compete with each other, but have conveniently forgotten that ATM cards and credit cards are also among the best tools available to fraudsters. Inappropriate system access makes it possible to steal large amounts of money very quickly and, in many cases, without detection. Hence review and enforcement of the security policy is going to be crucial.

Promote a whistle-blowing culture. Many surveys on fraud have shown that frauds are unearthed by "tips" from insiders or outsiders; internal audits and internal controls come much later. The message about contacting the vigilance officers is displayed in most branch premises, but ethics lines are very rarely seen. Ethics lines are help lines for employees or well-wishers of the bank which tell them whether a particular activity constitutes a fraud or not.

Conduct pre-employment screening. Since the raw material of banks is cash, a banker needs to be more alert than any other employer before recruiting. Testing the aptitude of a person alone is of no use: know whom you are hiring. More than 20 percent of resumes contain false statements, and most employers will only confirm dates of employment. Sometimes post-employment conditions create greed in the mind of an employee, hence bankers should at least spot-check the character of their subordinates by creating real-life scenarios, such as having a dummy borrower offer a bribe.

Screen and monitor borrowers. Bad borrowers cause the biggest losses to banks. Who are they? Are they who they represent themselves to be? Look at their ownership, clients, references and litigation history. In many cases potential fraudsters have a history of defaulting at some other bank or financial institution. The more realistic approach is to maintain centralized databases of defaulters and the properties offered by them, which would give banks very easy access to the list of defaulters, which in turn could be used in decisions regarding disbursements and all other issues. This ten-fold approach to combating fraud is an endeavor to reduce the operational risks of banks in the wake of the coming Basel-II norms. These norms have identified operational risk as one of the biggest threats to the progress of the banking sector. Complying with these norms yields definite results.

A survey of cryptography laws and regulations

Cryptography is a necessary tool in the information society. Yet if criminals use it, wiretaps and computer searches will become useless. So, there is a clash of concerns: how to ensure that the police can still catch criminals, while respecting the essential uses of cryptography in information security?

Criminal Law :


In these heady days of the Internet, other forms of global communication, and multinational corporations, the need for privacy in electronic communications is greater than ever. Without it, consumers will not make credit card purchases, and companies and individuals will be extremely reluctant to disseminate confidential information to their worldwide offices and to their clients, lest such information fall prey to hacking competitors and criminals.

Encryption is not only valuable for ensuring privacy, but also facilitates "authentication", in that it creates non-forgeable "digital" signatures on electronic documents and also provides a fool-proof way of detecting whether anybody has attempted to alter a communication while in transit.

(1) Thus, in many ways, "paperless" electronic transactions are, at least potentially, both more efficient and safer for the consumer and the seller of goods and services than more standard transactions. The art and science of cryptography is as old as civilization: Julius Caesar sent encrypted messages to his field generals in battle, replacing each letter by the letter three places later in the Latin alphabet.

(2) Cryptography has proven particularly valuable during times of war, enabling our country, for example, to crack the German "Ultra" codes and the Japanese "Purple" codes during World War II, thereby substantially shortening the war and saving thousands of lives.

(3) In addition to military applications, cryptography plays a vital role within the intelligence community, helping us stay one step ahead of international terrorists and the like. While computers have played an important role in the area of code-breaking, they have likewise played an important role in the area of code-making. Through the encryption process, readable data (plaintext) is run through a computer program, which uses algorithms, and is converted into an unreadable format known as "ciphertext". Decryption is the process whereby the ciphertext is translated back to plaintext by someone possessing the appropriate code or "key". Generally speaking, the strength of a particular cryptographic system is gauged by the length of its key and the complexity of its algorithm.
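As an added illustration of Caesar's cipher and of the point that key length bounds the strength of a system (example code written for this page, not part of the original coursework): the shift-by-three cipher together with a recovery routine that tries all 26 possible keys and ranks each candidate plaintext by how English-like its letter frequencies are. The sample dispatch is constructed and the frequency table holds approximate published values for English.

```go
package main

import (
	"fmt"
	"math"
	"strings"
)

// caesarShift shifts every Latin letter of s by k positions, leaving other
// characters untouched. Caesar's key, as the text describes, was k = 3;
// decrypting is the same operation with k = -3.
func caesarShift(s string, k int) string {
	k = ((k % 26) + 26) % 26 // normalise negative shifts into 0..25
	var b strings.Builder
	for _, r := range s {
		switch {
		case r >= 'A' && r <= 'Z':
			b.WriteRune('A' + (r-'A'+rune(k))%26)
		case r >= 'a' && r <= 'z':
			b.WriteRune('a' + (r-'a'+rune(k))%26)
		default:
			b.WriteRune(r)
		}
	}
	return b.String()
}

// englishFreq holds approximate relative frequencies (%) of A..Z in English.
var englishFreq = [26]float64{
	8.17, 1.49, 2.78, 4.25, 12.70, 2.23, 2.02, 6.09, 6.97, 0.15, 0.77, 4.03, 2.41,
	6.75, 7.51, 1.93, 0.10, 5.99, 6.33, 9.06, 2.76, 0.98, 2.36, 0.15, 1.97, 0.07,
}

// chiSquared measures how far the letter distribution of s is from English;
// the lower the score, the more the text looks like real English.
func chiSquared(s string) float64 {
	var counts [26]float64
	total := 0.0
	for _, r := range strings.ToUpper(s) {
		if r >= 'A' && r <= 'Z' {
			counts[r-'A']++
			total++
		}
	}
	if total == 0 {
		return math.Inf(1)
	}
	score := 0.0
	for i := range counts {
		expected := englishFreq[i] / 100 * total
		diff := counts[i] - expected
		score += diff * diff / expected
	}
	return score
}

// breakCaesar recovers the key from the ciphertext alone: it tries all 26
// shifts and keeps the one whose output scores most English-like. The whole
// key space (about 4.7 bits) fits in one short loop, which is why key length
// sets an upper bound on the strength of any cipher.
func breakCaesar(ct string) (key int, pt string) {
	best := math.Inf(1)
	for k := 0; k < 26; k++ {
		candidate := caesarShift(ct, -k)
		if score := chiSquared(candidate); score < best {
			best, key, pt = score, k, candidate
		}
	}
	return key, pt
}

func main() {
	// Constructed sample dispatch, not a historical message.
	order := "THE ENEMY CROSSES THE RIVER AT FIRST LIGHT SEND THE TENTH LEGION TO THE NORTHERN FLANK"
	ct := caesarShift(order, 3)
	k, pt := breakCaesar(ct)
	fmt.Printf("ciphertext: %s\nrecovered key %d: %s\n", ct, k, pt)
}
```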

(4) As this statement implies, there are encryption products already in existence that contain codes so complex that they are virtually impossible to break without the proper key, which is oftentimes in the sole possession of the recipient of the information. As one might expect, the international market for encryption hardware and software is huge, and getting bigger, its demand being limited only by the demand for computers and cellular telephones. FBI Director Louis Freeh bluntly stated that, "law enforcement remains in unanimous agreement that the widespread use of robust non-recovery encryption will destroy our ability to fight crime and terrorism."

(5) One good example: the use of encryption to prevent our intelligence community from collecting data was detected in the Aldrich Ames spy case, and Ramzi Yousef, the convicted mastermind of the World Trade Center bombing and other despicable acts, used encryption products to protect his computer files relating to terrorist activities.

(6) Encryption has also been used by child pornographers to transmit obscene images over the Internet, and by major drug traffickers, violent gangs, and domestic anti-government groups seeking to stifle government investigators.

(7) For this reason, ever since its "Clipper Chip" initiative in 1993, the Clinton Administration's policy and proposals have all involved the concept of "escrowed" encryption. An escrowed encryption system is one in which the "key" to the system is kept "in escrow" by a designated, government-approved agency or third party who can be served with a request or court order

(8) to turn the key over to law enforcement officials without notifying the user. As one might expect, each of these proposals has met with a negative reaction from the computer industry and from civil libertarians. In addition to escrowed encryption proposals, the other response by the Clinton Administration has been an attempt to forge a compromise by permitting unregulated and unlimited domestic use and distribution of encryption technology, despite objections from the FBI, but severely regulating and limiting the exportation of encryption products. Prior to 1996, the exportation of encryption products was governed by the Arms Export Control Act (AECA) and the International Traffic in Arms Regulations (ITAR).

(9) In late 1996, the Clinton Administration transferred authority over the export of non-military encryption to the Commerce Department, which issued its own set of regulations. These regulations provided for exceptions to export restrictions for certain encryption products, including non-recovery encryption software up to a 56-bit key length.

(10) The Clinton Administration and the law enforcement community face a wide array of formidable opponents. In addition to groups such as the American Civil Liberties Union, the Electronic Frontier Foundation, the Center for Democracy and Technology, and the Electronic Privacy Information Center, a coalition of over 100 business and associations, including Intel, Microsoft, Sun Microsystems, and the Business Software Alliance, recently formed Americans for Computer Privacy (ACP), whose sole goal is to promote pro-encryption legislation.

(11) These groups generally fear the possibility of "Orwellian snooping" by the government, and fervently believe that encryption restrictions violate fundamental rights to privacy, as well as the First, Fourth, and Fifth Amendments. Suffice it to say that many of these groups are well-financed and highly motivated. Some of the systems, designed to prevent crime, would, paradoxically, leave law abiding citizens and companies more susceptible to computer-savvy criminals who desire to steal and misuse sensitive information. If, as has been acknowledged by the Department of Defense, two 17-year-old hackers can penetrate the Pentagon’s computer system,


(12) Last December, Cylink Corp. was granted a license to export strong encryption without a key recovery to members of the European central bank network, and in February, the Commerce Department expanded its definition of "financial institutions" permitted to export strong encryption hardware to include credit card companies and securities firms.

(13) Despite the recent easing of export restrictions, the debate about encryption shows no signs of abating. There are currently pending before Congress no fewer than five bills dealing with encryption technology, some of which impose additional restrictions and some of which eliminate those restrictions that currently exist. In the House, some members have proposed the Security and Freedom through Encryption (SAFE) Act.

(14) As originally proposed, SAFE would prohibit mandatory key escrow and ease export controls. However, SAFE has been subjected to numerous revisions that offend civil libertarians, such as the addition of key-recovery provisions and a provision making it a crime to use encrypted communications. In the Senate, John McCain and Bob Kerrey have introduced the Secure Public Networks Act of 1996 which authorizes the export of encryption products without key recovery of up to 56-bit strength to certain buyers. The bill would allow the president to increase the encryption strength of exportable products and further provides that the president "shall take such action as necessary to increase the encryption strength for encryption products for export if similar products are marked by the President to be widely available for export from other Nations."

(15) In the absence of an executive order, the bill prohibits the exportation of encryption products with more than 56 bits unless they are "based on a qualified system of key recovery."

(16) Pro-CODE would essentially eliminate export controls of encryption technology products, by permitting the export of encryption technologies if products of similar strength are available anywhere else in the world and by prohibiting the imposition of mandatory key-recovery programs. The bill would also prohibit both the federal government and state governments from regulating the interstate sale of encryption devices. Patrick Leahy has introduced the Encrypted Communications Privacy Act of 1997,

(17) which, like Senator Burns’s bill, would eliminate export controls on encryption devices and technology. However, it also offers protection to any United States citizen or entity who uses encryption of any strength in any state or foreign country, and criminalizes the use of encryption when used in furtherance of a crime. Most recently, John Ashcroft and Senator Leahy introduced the Encryption Protects the Rights of Individuals from Violation and Abuse in Cyberspace Act,

(18) which would allow companies to export advanced encryption products, after a one-time review of mass-market encryption products and after it is verified that comparable technology is already available in foreign markets; however, exports to certain countries, such as Iraq, Iran, and Libya, would still be banned.


When it comes to encryption technology and products, regardless of the hopes and wishes of the law enforcement community. This is not the first time, though, that the law enforcement community has faced challenges from emerging technologies. Law enforcement officers have managed to overcome the data processing difficulties posed by fax machines, communication networks, and others. In short, the law enforcement and intelligence community is ultimately going to have to rely, as it has done many times before, on being smarter, faster, and technologically superior if it is going to stay ahead of the curve and continue to be effective at cracking the crook's code.

Easily available crypt tools

Cryptography tools provide command-line tools for code signing, signature verification, and other cryptography tasks.

Introduction to Code Signing : The software industry must provide users with the means to trust code, including code published on the Internet. Many Web pages contain only static information that can be downloaded with little risk. Some pages contain controls and applications to be downloaded and run on a user's computer. These executable files can be risky to download and run.

Packaged software uses branding and trusted sales outlets to assure users of its integrity, but these guarantees are not available when code is transmitted on the Internet. Additionally, the Internet itself cannot provide any guarantee about the identity of the software creator. Nor can it guarantee that any software downloaded was not altered after its creation. Browsers can exhibit a warning message that explains the possible dangers of downloading data of any kind, but browsers cannot verify that code is what it claims to be. A more active approach must be taken to make the Internet a reliable medium for distributing software.

One approach to providing guarantees of the authenticity and integrity of files is attaching digital signatures to those files. A digital signature attached to a file positively identifies the distributor of that file and ensures that the contents of the file were not changed after the signature was created. Digital signatures can be created and verified by using Microsoft's cryptography APIs. For background information on cryptography and the CryptoAPI functions, see Cryptography Essentials. For detailed information on digital signatures, certificates, and certificate stores, see the following topics:
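To make the two guarantees concrete (identifying the distributor, and detecting any change after signing), here is an added example written for this page, not Microsoft's CryptoAPI and not the coursework's own code: a minimal signed-package envelope using Ed25519 from the Go standard library. The SignedPackage structure, the function names and the installer bytes are all constructed for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// SignedPackage is a constructed stand-in for a code-signing envelope (not a
// real Authenticode structure): the file, the SHA-256 digest recorded at
// signing time, the distributor's public key and the signature over both
// the file name and the digest.
type SignedPackage struct {
	Name      string
	Content   []byte
	Digest    string
	Publisher ed25519.PublicKey
	Signature []byte
}

func fileDigest(content []byte) string {
	sum := sha256.Sum256(content)
	return hex.EncodeToString(sum[:])
}

// signedMessage binds the name to the digest so that a signed file cannot
// simply be renamed to pass as a different product.
func signedMessage(name, digest string) []byte {
	return []byte(name + "\n" + digest)
}

// signPackage is what the distributor runs once, with its private key.
func signPackage(priv ed25519.PrivateKey, name string, content []byte) SignedPackage {
	d := fileDigest(content)
	return SignedPackage{
		Name:      name,
		Content:   content,
		Digest:    d,
		Publisher: priv.Public().(ed25519.PublicKey),
		Signature: ed25519.Sign(priv, signedMessage(name, d)),
	}
}

// verifyPackage is what the downloader runs. It recomputes the digest from
// the bytes actually received, so altering Content (even together with the
// recorded Digest) fails, and it only accepts a publisher key it already
// trusts, because a valid signature from an unknown key proves nothing.
func verifyPackage(pkg SignedPackage, trusted ed25519.PublicKey) error {
	if !trusted.Equal(pkg.Publisher) {
		return errors.New("publisher key is not trusted")
	}
	d := fileDigest(pkg.Content)
	if d != pkg.Digest {
		return errors.New("file contents changed after signing")
	}
	if !ed25519.Verify(pkg.Publisher, signedMessage(pkg.Name, d), pkg.Signature) {
		return errors.New("signature does not verify")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	pkg := signPackage(priv, "installer.exe", []byte("constructed installer bytes"))
	fmt.Println("genuine:", verifyPackage(pkg, pub))
	pkg.Content = []byte("constructed installer bytes, altered in transit")
	fmt.Println("tampered:", verifyPackage(pkg, pub))
}
```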

Hashes and Digital Signatures

Digital Certificates

Managing Certificates with Certificate Stores

Certificate Trust Verification


Currently, CryptoAPI Tools supports Microsoft Authenticode technology by allowing software vendors to sign the following types of files for Authenticode verification. The following are a couple of crypt tools.

crypt-xor_2.1-1_i386.deb

crypt-xor_2.1-1.tar.gz

Terrorism and Steganography

Steganography is the art and science of writing hidden messages in such a way that no one apart from the intended recipient knows of the existence of the message. This is in contrast to cryptography, where the existence of the message itself is not disguised, but its content is obscured. Quite often, the steganographic message is hidden in pictures.

Steganography used in electronic communication includes steganographic coding inside a transport layer, such as an MP3 file, or a protocol, such as UDP. A steganographic message (the plaintext) is often first encrypted by some traditional means, and then a covertext is modified in some way to contain the encrypted message (ciphertext), resulting in stegotext. For example, the letter size, spacing, typeface, or other characteristics of a covertext can be manipulated to carry the hidden message; only the recipient can recover the message and then decrypt it. Francis Bacon is known to have suggested such a technique to hide messages.

Some of the modern steganography techniques:

1. Chaffing and Winnowing

2. Invisible Ink

3. Null Ciphers
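The spacing manipulation described above, as an added example written for this page (not the coursework's own code): a payload is carried in the widths of the inter-word gaps of an innocuous paragraph, the recipient reads it back, and a simple detector counts doubled gaps, which is what a defender looking for this scheme would measure. The cover paragraph and the payload are constructed; the encryption step the text describes is left out so the block stays focused on the embedding itself, and the 10% detection threshold is an assumption.

```go
package main

import (
	"fmt"
	"strings"
)

// coverText is a constructed, innocuous paragraph: 39 words, hence 38
// inter-word gaps, enough to carry a 32-bit payload.
const coverText = "The weather in the valley has been mild this spring and the river " +
	"is running low so the farmers expect an early harvest and the market in town " +
	"will open a week sooner than last year which pleases everyone"

// embed hides payload in the gap widths of cover: a single space encodes a
// 0 bit and a double space a 1 bit. The words themselves are never altered,
// which is the property the text describes: the carrier reads as ordinary prose.
func embed(cover string, payload []byte) (string, error) {
	words := strings.Fields(cover)
	bits := len(payload) * 8
	if len(words)-1 < bits {
		return "", fmt.Errorf("cover has %d gaps but payload needs %d", len(words)-1, bits)
	}
	var b strings.Builder
	for i, w := range words {
		b.WriteString(w)
		if i == len(words)-1 {
			break
		}
		b.WriteString(" ")
		if i < bits && (payload[i/8]>>(7-uint(i%8)))&1 == 1 {
			b.WriteString(" ") // second space marks a 1 bit
		}
	}
	return b.String(), nil
}

// extract reads n bytes back from the gap widths; gaps past the payload are ignored.
func extract(stego string, n int) []byte {
	out := make([]byte, n)
	bit := 0
	for i := 0; i < len(stego) && bit < n*8; i++ {
		if stego[i] != ' ' {
			continue
		}
		if i+1 < len(stego) && stego[i+1] == ' ' {
			out[bit/8] |= 1 << (7 - uint(bit%8))
			i++ // consume the second space of the double gap
		}
		bit++
	}
	return out
}

// gapStats is the defender's view: it counts single and double inter-word
// gaps, which is all a simple detector for this scheme needs.
func gapStats(text string) (single, double int) {
	for i := 0; i < len(text); i++ {
		if text[i] != ' ' {
			continue
		}
		if i+1 < len(text) && text[i+1] == ' ' {
			double++
			i++
		} else {
			single++
		}
	}
	return single, double
}

// suspiciousSpacing flags text in which an unusually large share of gaps are
// doubled: a payload doubles roughly half the gaps it occupies, while
// ordinary typed prose almost never does. The 10% threshold is an assumption.
func suspiciousSpacing(text string) bool {
	s, d := gapStats(text)
	return s+d > 0 && float64(d)/float64(s+d) > 0.10
}

func main() {
	stego, err := embed(coverText, []byte("DAWN")) // constructed payload
	if err != nil {
		panic(err)
	}
	fmt.Printf("stegotext: %q\n", stego)
	fmt.Printf("recovered: %s, suspicious: %v\n", extract(stego, 4), suspiciousSpacing(stego))
}
```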

Terrorists and Steganography - Crypto-Gram Newsletter article by Bruce Schneier (30 Sept 2001): "It doesn't surprise me that terrorists are using this trick. The very aspects of steganography that make it unsuitable for normal corporate use make it ideally suited for terrorist use. Most importantly, it can be used in an electronic dead drop."

Bin Laden: Steganography Master? - WIRED News article discussing a USA TODAY report that bin Laden and others are using steganography to communicate.

Reference for the above two items:

http://www.ic.arizona.edu/ic/humanities/september11/pages/Terrorism/Internet/Steganography/


Conclusion

It is clear from the above report and all the available evidence that the availability of strong cryptography is a mixed blessing: on one side it can be used in the development of electronic commerce and the maintenance of personal privacy, on the other it does provide a useful tool for the criminally minded. As to whether criminal use of cryptography is a reasonable justification for the introduction of heavy-handed regulation which would attempt to limit the availability and use of such products, the conclusion is clear. The law enforcement community's case does hold to some extent: it would in some cases make the conviction of the criminal somewhat easier, and it might even mean that a few more were caught, but the price is simply too high. The infrastructure for strong encryption for the individual already exists on a transnational basis. If regulations are promulgated which require the use of Trusted Third Parties, lower-strength encryption or even merely a heavy paperwork burden which increases costs, what must happen is that those citizens who are law abiding in the first place will follow the new regulations, whereas those who are not will simply ignore them and continue to use the system which is currently in place anyway: strong, virtually unbreakable encryption, unencumbered by any legal framework. The only way in which this could be made effective is to outlaw all non-regulated products and then trace any traffic which uses them. This is simply not technically feasible, and is also a great deal of effort when "the number of cases which actually involve cryptography is still very small" and "the files which are eventually decrypted often have little or no bearing on the outcome of the case."

The reality of UK proposals as they stand is that they may provide a placebo for non-technical business and private users but will create a cumbersome system with serious flaws, which flies in the face of the spirit, if not the letter, of the directives it seeks to implement, to say nothing of the wishes of the majority of informed users. The reality is that strong encryption is available to the ordinary user, and any government attempt to control it will place a burden on business and put it at a possible competitive disadvantage.

The reality is that misunderstanding of how electronic networks function and of the available security measures has resulted in this report being produced, which merely shows that there is confusion over many aspects of the situation.

Generally, criminals using cryptography is an argument for its regulation. The internet is analogous to the high seas: no one owns it, yet people of all nationalities use it. It would perhaps be ideal if unification of internet laws could be achieved so as to minimize the discrepancies in the application of such laws. This is vital considering the growth of commercial activities on the internet. Changes need to be made to the existing Information and Technology Act 2000 in order to combat the numerous problems caused by the internet.

References

Web References :

http://www.journals.cambridge.org/action/displayAbstract?fromPage=online&aid=152046

http://www.privacy.org/pi/activities/tapping/

http://rechten.uvt.nl/koops/crypcrim.htm#General

http://www.fed-soc.org/Publications/practicegroupnewsletters/criminallaw/encryption-crimv2i3.htm

http://www.usdoj.gov/criminal/cybercrime/intl.html

http://www.usdoj.gov/criminal/cybercrime/oeback.htm

http://rechten.uvt.nl/koops/CLSR-CLS.HTM

http://www2.epic.org/reports/crypto2000/overview.html

http://www.legalserviceindia.com/articles/article+2302682a.htm

http://www.asianlaws.org/report0102.pdf

jjtc.com/stegdoc

www.theregister.co.uk

http://www.cellular.co.za/accessories/encryption/cryptophone_gsm_phone_encryption.htm

rechten.uvt.nl/koops

www.crystalinks.com

http://www.activemind.com


http://cs.georgetown.edu

http://wikipedia.org

http://mobileshop.org/howitworks

http://www.pgpi.org

http://cryptovirology.com

http://www.iusmentis.com/technology/encryption/des

http://webopedia.com

http://simonsingh.net

Book References :

Internet Cryptography by Richard E. Smith, 1952, Addison-Wesley

An article by Avinash W. Kadam, issue of September 2003

Cryptography for Dummies by Chey Cobb, CISSP, copyright 2004 by Wiley Publishing Inc.

RSA Security's Official Guide to Cryptography by Steve Burnett and Stephen Paine, copyright 2001 by The McGraw-Hill Companies.

Bert-Jaap Koops, The Computer Law & Security Report, November-December 1996, pp. 349-355
