Publishers: Cyber Society of India

(Regd No: 245/04; http://www.cysi.in)

Editor-In-Chief: Rajendran V

(Ex-officio – President of CySI)

Editor:

Kapaleeswaran V

Editorial Committee:

Dr. Ramamurthy N

Murugan R

Panchi S

Advisors:

Srinivasan K

Na Vijayashankar

This Issue

1. President’s Column 1

2. Editorial 2

3. 2013- Year of Cyber criminals 3

4. Cyber updates 5

5. News Analysis 7

6. Dummy’s Corner 9

7. You better Know-Identity Theft 10

*****

Dear readers

Recently I met a hapless parent who narrated a sordid tale about his

affectionate daughter. He said his daughter’s wedding is scheduled to be

celebrated next month and now suddenly an old friend (actually should be

called a foe and not a friend) has started a Facebook page in her name and

has posted some photos of her with many friends mostly men. Though not

obscene per se, the text with those photos speaks about her ‘good days with

her boyfriends in college’ and such related stuff which would certainly send

wrong signals about her especially at a crucial time of her life, with the

marriage about to take place next month. The entire text and all the

material with pictures are all fictitious. With much persuasion, I told the

parent to approach the police. The boy who posted it was traced (after

some technological training, character profiling, stylometrics, pattern

analyzing etc). Subsequently the matter was explained to the relatives

amicably and the wedding went on well.

Quo Vadis, technology? Is Facebook a boon or a bane, assistance or an

annoyance, a beneficial benevolence or an irritating inconvenience and a

discordant disruption? Then comes the question of removal of content

from a Facebook and other social networking sites. Even when the owner

himself genuinely wants to remove or delete the contents, can he be rest

assured that the moment he removes them, all traces are gone and the

contents are deleted? Certainly no, reasonably thinking of it. No one knows

how many copies of the contents were taken earlier. The same content may

reappear or other Facebook pages can be created with the same content in

a few moments. In a cyber crime, the question of evidence, digital

evidence, cyber forensics and its retrievability take entirely new dimension.

These are all points to ponder, at least for the tech-savvy and socially

conscious readers of CySI. Perhaps these are the areas that are going to

assume greater significance in the days to come.

As usual, this issue comes with some features, articles on law, latest in

cyber crimes and other material. Please enjoy reading and share with us

your feedback.

V.Rajendran - venkrajen@yahoo.com

eSecure

Secure and be Aware!

An e-zine from CySI [[Volume 1, Number 9]

June 2014

President’s Column

Editorial Board

eSecure

http://cysi.in Cyber Society of India ezine@cysi.in P a g e | 2

Data, Data everywhere… While interacting with an investigating official, recently it was learnt that a youth sent highly obnoxious

messages to a girl whose number he got from a small shop engaged in cell phone, cell top-up as a payment

centre. The shopkeeper notes down the number whose cell phones are being topped up and this boy

whenever he knows any such number, sends obscene messages and pictures to that person. He does it a

few times and then forgets. Just for the heck of it. When one girl made a complaint with cyber crime police

and the investigators traced him and nabbed him, he confessed his modus operandi. He does it just for the

fun of it and does not even know who the receiver is.

A sadistic pleasure? My observation here is about the data.

Availability of data everywhere. The criminality of the act. And the purpose behind such crimes.

Mens rea? Gone are the days when boys needed to go to market places or bus stops for eve-teasing.

Nowadays no physical eve-teasing at all. It is all virtual.

Criminals are obscure, faceless and think the evidence is volatile and they can go scot-free. And data,

information call it classified or personal or whatever like name, mobile number, address, email id, mother’s

name, parent’s name, school name etc (all or some of these) are available everywhere like a social

networking site, in many private clubs’ directories, attendance sheets in conferences, railway reservation

forms, job portals etc. With so much data available everywhere and with so many youth anxious in learning

hacking tools just for the fun of it, it is only the moral strength of the nation that cyber crime rate in India is

still quite less ! With more and more communication software hitting the market, diverse networks,

unclassified gadgets, unsecured data, unprotected systems, innovative criminals and ever-chasing

investigators, it is always a race, where one has to keep running even to retain one’s place.

Tough time for the investigators.

I am just sharing with you all some of my concerns. Let me share more of these in the later issues to

come. Enjoy reading this issue and as usual, share with us immediately your feed-back. -

Kapaleeswaran,V- mail2kapali@gmail.com

Editorial

eSecure

http://cysi.in Cyber Society of India ezine@cysi.in P a g e | 3

When the history of computer security is written, 2013 is going to go down as something of a

watershed year. It was the year of the Target breach that exposed the credit and debit card

numbers of some 40 million consumers, and numerous attacks against Twitter, Facebook, Ever note

and others. In short, it was a year when computer security incidents became something that

mainstream people worried about a lot.

Yes, the number of overall attacks is on the rise. This is the bad news that you probably already

knew. But there’s some odd good news that may surprise you: Nearly all of the 1,300-plus data

breaches confirmed last year were carried out using only nine basic attack patterns. Learn to better

combat those nine patterns and you stand a better chance of resisting attacks — though as with all

things related to computer security, what at first seems logical and easy is always messier and more

difficult in practice.

The finding comes in a report from the

security arm of the telecom giant

Verizon set to be published on

Wednesday. The Verizon annual Data

Breach Investigations Report, one of

the most highly regarded in the

industry, is now in its tenth year. It

contains data on attacks from 50

companies and organizations,

covering more than 63,000 computer

security incidents and 1,347 confirmed

breaches in 95 countries. As these

things go, the report contains more

data to analyze than any other report

of its kind, said Jay Jacobs, a Verizon

analyst and one of the report’s co-

authors.

If combating nine kinds of attacks sounds too ambitious, then maybe this will make it sound a little

easier: On average, roughly 72 percent of all attacks were carried out using one of three methods,

though the specifics tend to vary by industry.

For example, in the financial industry, 75 percent of attacks involved hacking Web applications,

launching distributed denial of service (DDoS) attacks meant to overwhelm a server, or card

skimming, a technique where an attacker obtains a scan of a credit or debit card with the intention

of using it to commit fraud.

And while fraud and financial motivations still tend to dominate the spectrum of reasons behind

cyber-crime, believe it or not, they declined as a proportion of the whole in 2013. Meanwhile,

attempts to steal intellectual property rose: “It’s not all about money anymore but who has the

intellectual property”.

Year 2013- Busiest year for Cyber criminals !

eSecure

http://cysi.in Cyber Society of India ezine@cysi.in P a g e | 4

So about that: Here’s something you may not have considered: Insider jobs. Verizon has collected

data on nearly 11,700 incidents of what it classifies as “insider and privilege misuse,” and of those,

there were 112 incidents where the attacker succeeded in making off with data. It’s not uncommon

for employees to email things to their personal addresses so they can work on them at home, or to

take things out on their personal thumb drives.

But when your company deals with sensitive information that can get dicey really fast. In most of

these cases — 85 percent — the employees carried out their data theft while in the office and right

under the noses of their co-workers. And there were two basic motivations: Sell the data to a

competitor, or start a competitive company. Nearly half of these thefts — 48 percent — were

discovered within days or hours. But a little less than one percent — a total of 70 incidents — went

undiscovered for years.

Documented incidents involving state-sponsored and politically motivated cyber espionage tripled.

Jacobs attributes the increase to Verizon having access to more data than before, and the category

still accounted for a relatively small number of the total incidents, only 511. In these cases, 54

percent of the organizations attacked were in the U.S., while 49 percent of the attackers were in East

Asia, mostly China.

Here’s another grouping of attacks that should make you nervous, especially if you handle security

for a retailer: The report documents 198 incidents involving attacks against point-of-sale terminals.

In each of those cases, attackers succeeded in disclosing data. Most of those — 85 percent —

involved RAM-scraping software similar to the type used in the Target breach. And most of the

time — 98 percent of these cases — the theft of data wasn’t discovered for weeks or months. The

only good news? The number of these attacks declined by about half from 2011.

Finally, here are major types of incidents:

1.) Hacking 2.) Copyrights Infringement 3.) Cyber Stalking 4.) ID Theft 5.) Malicious Software

Courtesy: http://recode.net/2014/04/21/its-official-2013-was-the-busiest-year-yet-for-cyber-

criminals/

Dr. Ramamurthy N – ramamurthy.n@gmail.com

"On the Internet you can be anything you want. It's strange that so many people choose to be stupid."

"If you don't want to be replaced by a computer, don't act like one." — Arno Penzias

"Why do we want intelligent terminals when there are so many stupid users?"

'Quote' hanger !

eSecure

http://cysi.in Cyber Society of India ezine@cysi.in P a g e | 5

Tips for cleaning up your digital life With so much of our time spent online nowadays,

protecting our digital lives should be a top priority—but it’s

hard to stay ahead of the hackers…..To help protect your

identity, experts suggest giving your online activities a

thorough cleaning, and they recommend starting with your

social media actions.

Any accounts that you no longer use should be shutdown.

“One of the biggest reasons to get rid of those things is you just don’t know what’s happening on them,”

says Thompson. “For example, there could be a privacy setting change or the social media provider may now

be different.”

For social media sites that you use often, be sure to review their privacy settings at least once a year

(experts prefer more often) to make sure you understand any changes and know the best way of safe

guarding your information. You should also check out what your profiles look like to other viewers. . . ..

Online passwords should be changed frequently. Many consumers were forced to change their passwords

because of Heartbleed security flaw, but it shouldn’t take a big exposure to remind you to have difficult

passwords and to change them often.

“How many times have you typed a password into the user name field by accident and hit submit?” says

Thompson. “*That password+ is sitting in a log somewhere.”

Along with changing passwords, take the time to update your security questions as well.

More details at: http://news360.com/article/242378192

Hackers use weak passwords like everyone else us! Analysis by security researchers at anti-virus firm Avast has revealed that hackers appear to be using weak

passwords just like everyone else. Using a sample of nearly 40,000 passwords collected from years of

analyzing malware, Avast’s Antonín Hýža found that only 10 percent of passwords were "beyond normal

capabilities of guessing or cracking." The rest provide some interesting statistics around hackers password

choices. Almost none of the unique passwords from the samples contained uppercase characters, despite

regular warnings by security experts to use a mix of upper- and lowercase characters for passwords.

Most use English words, and common phrases include variations of pass, root... The most frequently used

word is hack, an apt phrase given the subject. Surprisingly, the average password length was just six

characters, and only 52 passwords were longer than 12 characters. Hackers could be using simple passwords

because they don’t fear being attacked by fellow hackers, or simply to avoid using their real passwords for

malware activities.

Either way, hackers clearly aren’t always as security conscious as you might assume.

Read more at: http://www.theverge.com/2014/6/10/5796170/hackers-use-weak-passwords-just-like-everyone-else

Cyber Updates

eSecure

http://cysi.in Cyber Society of India ezine@cysi.in P a g e | 6

World Cup related cyber crime …. The World Cup starts Thursday and criminals are exploiting the start of the event.

Phishing websites have increased their spam campaigns

targeting Brazilians and others. Criminals will also target visitors

through open wifi networks and fake charging points. Kaspersky

Labs offers tips to visitors.

More details at: http://www.hacksurfer.com/posts/world-cup-

related-cyber-crime-increasing

Cyber Security: Protection at home

With attacks on the rise, cyber security experts have their hands full trying to keep up protection for business and home networks. Because users keep everything from tax information to brokerage statements on their home PCs, it is important for people to be aware of potential threats, install a reliable antivirus program, and to run anti-spyware software on a regular basis to clear their machines of malware. The widespread havoc wrought by Heartbleed earlier this year has every CEO turning to their IT staff and asking, “Are we secure?” People

need to ask the same question about their personal computers. Here are four steps anyone can take to improve the security of their home network: Step 1: Beef up security on home computers. Step 2: Secure access to the network. Step 3: Understand how to protect your data. Step 4: Keep computers and software up to date. More details at: http://guardianlv.com/2014/06/cyber-security-protection-at-home/

File not found. Nobody leave the room!

Have a nice day - unless you've made other plans

Cyber Instructions

eSecure

http://cysi.in Cyber Society of India ezine@cysi.in P a g e | 7

Teens Hack Into ATM Just to Let Everyone Know They Can

A pair of Canadian high schoolers decided to spend their lunch hour finding out if they could successfully hack into a nearby Bank of Montreal ATM. Turns out they totally could. “We thought it would be fun to try it, but we were not expecting it to work,” one of the hackers, Matthew Hewlett, told the Winnipeg Sun. “When it did, it asked for a password.” They don't steal any money. Instead, they kindly inform the bank that it should tighten up its security. Staff members

didn’t believe them, so they went back to the machine to get proof. They printed off documentation about withdrawals, and even changed the surcharge amount to one cent. The boys did manage to have a bit of fun, though. They changed the ATM’s home screen greeting from “Welcome to the BMO ATM” to “Go away. This ATM has been hacked.” Eventually, the branch manager came out to chat with the teens and essentially treat them as one-time security consultants. Then he sent them back to school with a note excusing their tardiness because oh yeah they’re in high school and yet they’re so much smarter and more helpful than most adults we know. Read more at: http://time.com/2857440/teens-hack-into-atm-just-to-let-everyone-know-they-can/

It is commonly believed that "thousand criminals could get away but not a single innocent should be

punished", for that will be the ultimate failure of the judiciary.

On the same vein, I feel that one should not find himself punished for an act of innocence. Though,

innocence is no excuse in the eyes of law, I would urge people to be all the more careful in expressing

oneself in the public domain.

In our country, one can freely express oneself and share one’s thoughts, as ours is a nation, which values the

freedom of speech and expression in true light and spirit. But, at the same time the onus lies squarely on the

individuals to carefully tread the path, being fully aware of the legal speed breakers laid on the way!

Some time back, a few were taken into custody in Maharashtra for expressing themselves about the

impediments caused to the public on the occasion of a prominent leader's demise. While our intention here

is not to discuss the veracity of the claims or legality of the action, the incident raises a flag on the need for

the awareness of legal restrictions on expressing oneself and the consequent necessity to exercise caution.

News Analysis

eSecure

http://cysi.in Cyber Society of India ezine@cysi.in P a g e | 8

The same Maharashtra Govt has again reiterated that even 'Like'-ing a comment in social network can be

construed as being a party to that comment and hence liable to be legally proceeded against, if the

comment was considered objectionable.

More recently, it is reported that the daily trend reports on the social media could soon be the norm, in

India. One of the Ministries, it was reported in the leading daily Times of India, sought a trend report on

some specific acts of the Government, which underlines the intention to hear the voices on their actions.

Away from our own country, China has also proceeded against a person for having expressed on social

networking sites, points that are considered detrimental to the interest of that nation.

Social networking websites, as a matter of policy and practice, has little or virtually no restrictions while

accepting the personal details for membership.

This should not be construed as an unrestricted play field without a referee to score at will! The absence of

referees puts the onus on the players to be more responsible in adhering to the rules of the game and while

a free kick within the ambits of the game may be entertained, one below the belt that could hurt others will

certainly be not.

Such websites do not explicitly prevent member’s posts but are also bound by the laws of the land

pronounced from time to time. It is such unwritten rules that one need to be aware of to stay within the

line.

People posting one's thoughts on such social networking sites, must bear in mind that the expression of free

will at such sites though not restricted by the websites are still under the legal purview of the laws of the

land and there is a greater need to exercise caution, as one should not be caught unawares. After all, as the

famous saying goes "your freedom to walk swinging the walking stick ends at the nose tip of the walker

coming in the opposite direction".

So, if you wish to be careful, know the rules on expressing yourself, be aware of the Don'ts and better

modify the adage “look, before you leap” to “Think before you click” that mouse, to avoid being mouse

trapped .

- Kapaleeswaran V - mail2kapali@gmail.com

"Computers in the future may weigh no more than 1.5 tons." -- Popular Mechanics, forecasting the relentless march of science, 1949 "I think there is a world market for maybe five computers. -- Thomas Watson, chairman of IBM, 1943 "I have traveled the length and breadth of this country ….. and I can assure you that data processing is a fad that won't last out the year." -- The editor in charge of business books for Prentice Hall, 1957 "There is no reason anyone would want a computer in their home."-- Founder, Digital Equipment in 1977

Historical thoughts !

eSecure

http://cysi.in Cyber Society of India ezine@cysi.in P a g e | 9

The questions below may seem silly, but they carry lot of messages. These are meant for laymen and not experts.

Question: I have installed a popular Antivirus software in my computer. Is that enough for me to relax that my website will not be hacked and that there is no cyber-threat whatsoever to my computer or the data in it?

Answer: The answer cannot be a clear, big YES to this. Any antivirus works on some specific principles (or algorithms, or detection techniques or pattern analysis). Sometimes the threat say hacker’s software or a malicious software popularly called malware or a spyware that enters into your system (and looks for critical data there at specific times when you are browsing or at specific locations in your computer) may be powerful than the antivirus you have installed. Perhaps your

antivirus itself is out-dated i.e. old one not capturing the latest virus with its license not renewed or is itself an unlicensed version etc, In all these cases, you cannot relax that you have an anti virus and are free from all cyber threats. In any case, much more than an anti-virus, it is a firewall i.e. a software program or a set of programs protecting your computer at the entry level or at the network entry level from another computer across network making an unauthorized access to your computer or its resources. Nowadays we get URL filtering software, UTM (Unified Threat Management), Intrusions Prevention System and Intrusion Detection System. All these are software programs sometimes with dedicated hardware boxes loaded, and depending upon the criticality like confidentiality, monetary value etc of the information resources we want to protect, we may go in for one or more of these, of course taking the budgetary constraints into account!

Answers by Rajendran V- venkrajen@yahoo.com

There was once a young man who, in his youth, professed his desire to become a great writer.

When asked to define 'great' he said, “I want to write stuff that the whole world will read, stuff

that people will react to on a truly emotional level, stuff that will make them scream, cry, howl

in pain and anger”.

We are happy to report that the young man achieved his lofty goal.

He now works for a computer major, writing error messages!

Smile !!

Dummies Corner

eSecure

http://cysi.in Cyber Society of India ezine@cysi.in P a g e | 10

The fastest growing crime in India that targets consumers.

Identity theft can happen to anyone. This rapidly growing crime affects more and more people with every day. Yet, surprisingly most people think it won’t or cannot happen to them.

What is Identity Theft?

It begins with illegally obtaining your vital information like credit card details, driving license, birth certificate, bank account details &/or other personal information. Once an identity has been “stolen” in this manner the thieves go on a shopping spree, indulging in frauds, forgeries, applying for loans, mortgages, or credit cards or taking over financial accounts, all in your name. But, you will be left to deal with the financial, legal and psychological costs.

How do these thieves obtain your identity? Shoulder surfing at Automatic Teller Machines (ATM) – Fraudsters stealthily

look through the shoulders while you type your Personal Identification Numbers (PIN),

credit card numbers or passwords.

Dumpster diving, re-cycle bins etc Thieves rifle through trash looking for loan

applications, credit card documents, financial documents and other personal information.

Theft of personal property: Just like wallets or purses containing private information, computers often contain information about web sites that you have visited or your e-mails

and possibly your financial information.

Skimming or Tampering: occurs at ATMs and Point of Sale terminals. Skimmers enable

thieves to read your credit or debit card numbers and personal identification number (PIN) through a data storage device. These are capable of gathering information that can be used

to reproduce cards for their use at your expense. Buying Information: Dishonest employees working for financial institutions or

companies that process financial information or workers at retail stores or medical offices pass on or sell through chat rooms or instant messaging sessions, the critical and

confidential financial data. Searching Public Sources: Id thefts also take place through information such as

newspapers (obituaries), phone books and other records open to the public.

Guard your personal information and documents. If any key documents such as Birth certificate, driver’s license, passport, bank card, or credit

cards are lost or stolen, notify IMMEDIATLEY the issuer and the police. Do not delay the process, as the thief will attempt to use the information as quickly as possible before the loss is reported.

Shred or destroy sensitive personal documents before tossing them into the garbage bin.

Identity Theft - Salient features, you better know

eSecure

http://cysi.in Cyber Society of India ezine@cysi.in P a g e | 11

Shield the entry of your PIN and never give it to anyone else. Choose a PIN that is not easy to figure out. Do not use common passwords such phone or easy sequence of numbers like

123456 or 9999 etc.

Secure your physical mail box , with a lock . Follow your bills, financial statements and credit cards around their due dates of arrival and report non-receipt. Arrange to have a person you trust to pick up the mail. Go to the Post Office and with proper identification ask for their mail service.

Photocopy your Credit Cards, this will help you if you need to alert the company

should they be lost or stolen. Carry only Documents you absolutely need. Rarely do you need your birth certificate,

passport or Social Insurance Number card. Protect your Computer with a start –up password which you only know. Do not use

automatic login features that save your user name and password.

S. Balu- baluacp@gmail.com

Pictures are added to the articles of this ezine for effective reading/ understanding. Most of the pictures are taken from Internet. Our editorial board wishes to convey its thanks for the courtesy of whoever has taken strains to draw and uploaded the pictures.

This ezine and all the previous issues, as well, can be read from our web-site http://cysi.in/. The contents in this ezine are meant for sharing of knowledge and hence readers are requested to circulate this ezine in full or in part to anyone they like. Readers may acknowledge CySI while reproducing the articles or any part thereof. Readers are requested to send their feedback, articles, jokes, etc., to editor@cysi.in. Neither CySI nor the members of the Editorial Committee/ Board owns any responsibility for the views expressed by the authors in the articles. The views expressed are the concerned author’s individual views only. For any further clarification on any of the articles or stories in this eZine, kindly contact the author directly or email editor@cysi.in Editorial Board