
Tuesday, 25 April 2017

Cyber Crime – Hiring Professional Hackers and Beyond

Abstract
Today we are living in cyberspace. Cyberspace is a new dimension of space in which we live in a virtual world. Crime happens where we live; hence, with the evolution of cyberspace, cyber crime has also evolved. Cyber crime is not a different kind of crime but an extension of conventional crime that makes use of technology. From the crime figures maintained by NCRB, it can easily be observed that cyber crimes covered under the IT Act and the IPC are on the rise. With the evolution of information and communication technology (ICT), our dependency on it has also increased manifold. Financial institutions, banks, the share market, railways, power plants, defence systems, the astronomical department, the atomic energy department and investigating agencies are now exclusively dependent on ICT. The whole country can be brought to a standstill if an attack is made on such critical infrastructure. The annual report of CERT India also indicates that ICT security related incidents are on the rise. Hence we have to deal with cyber crime in a dual manner: one is to protect critical infrastructure and the second is to investigate crimes in cyberspace. For investigation we take the help of experts, technology and sources. Police regulations also make provision for special police officers. Technology is changing day by day. Many a time law enforcement agencies are not in tune with the technology; hence they may take the help of a tech-savvy professional, who may be called a hacker. When a hacker is hired he may be a person with authority but no responsibility. Hence the option to hire a professional hacker may be used judiciously. Effective control procedures may be ensured prior to hiring a professional hacker. Selecting technical staff from within and getting them trained, or getting a technical person on deputation, may be a viable option. The computer security policy of India also talks of capacity building by training, spreading awareness and public-private partnership to enhance computer security.
International cooperation is the need of the day for quick and complete investigation. If the procedure for requesting information across borders can be simplified and mutual agreements between different countries are established, then our dependency on professional hackers may decrease.
What is cyber space?
A new dimension has been added to the conventional definition of space: "cyberspace". Cyberspace is a complex environment consisting of interactions between people, software and services, supported by the worldwide distribution of information and communication technology (ICT) devices and networks. Now almost every one of us has a virtual identity in cyberspace, which may be in the form of a mobile number, email ID, website, internet banking account, social networking profile, messenger app etc. The evolution of cyberspace has not only led to new kinds of cyber crime but has also increased the use of ICT in conventional crimes. Not every crime is a cyber crime, but it certainly involves digital evidence or footprints in cyberspace.
Critical Infrastructure and Need for security in Cyberspace
The increased use of ICT has increased our dependencies on ICT resources.

1 ISO/IEC 27032-2012

Nowadays major institutions like Atomic Energy, power stations, Space technology, Banks, Share Market, Railways, hospitals etc. are totally dependent on their ICT infrastructure. Any harm to these ICT infrastructures may lead to collapse of the whole system. Hence these ICT infrastructures may be defined as Critical Information infrastructure.
As per ITU “Critical infrastructure means the computers, computer systems, and/or networks, whether physical or virtual, and/or the computer programs, computer data, content data and/or traffic data so vital to a country that the incapacity or destruction of or interference with such systems and assets would have a debilitating impact on security, national or economic security, national public health and safety, or any combination of those matters.”  
Hence prevention of crime against critical infrastructure has to be ensured. The Government has the responsibility of formulating policies, and departments shall take the necessary actions to ensure compliance with them. The Government of India has already formed a National security Policy. The Cyber Security Policy aims at protection of information infrastructure in cyberspace, reduce vulnerabilities, build capabilities to prevent and respond to cyber threats and minimize damage from cyber incidents through a combination of institutional structures, people, process, technology and cooperation risk involved to department and to professional.
The policy calls for effective public and private partnership and collaborative engagements through technical and operational cooperation. The stress on public-private partnership is critical to tackling cyber threats through proactive measures and adoption of best practices besides creating a think tank for cyber security evolution in future.
Another strategy which has been emphasized is the promotion of research and development in cyber security. Research and development of trustworthy systems and their testing, collaboration with industry and academia, setting up of ‘Centre of Excellence’ in areas of strategic importance from the point of view of cyber and R&D on cutting edge security technologies, are the hallmarks of this strategy laid down in the policy.
The policy also calls for developing human resource through education and training programmes, establishing cyber security training infrastructure through public private partnership and to establish institutional mechanisms for capacity building for law enforcement agencies.
The Government enacted the IT Act in 2000 and passed amendments in 2008. Section 66F of the IT Act is a penal section for harming critical information infrastructure: "... by means of such conduct causes or is likely to cause death or injuries to persons or damage to or destruction of property or disrupts or knowing that it is likely to cause damage or disruption of supplies or services essential to the life of the community or adversely affect the critical information infrastructure specified under Section 70", and Section 70 defines critical information infrastructure as "70. Protected system.- (1) The appropriate Government may, by notification in the Official Gazette, declare that any computer, computer system or computer network to be a protected system."
Incidents related to security threats to ICT infrastructure are on the rise; the report of CERT India clearly states the same.
The year-wise summary of various types of incidents handled is given below:-
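| Security Incidents | 2004 | 2005 | 2006 | 2007 | 2008 | 2009 | 2010 | 2011 | 2012 |
|---|---|---|---|---|---|---|---|---|---|
| Phishing | 3 | 101 | 339 | 392 | 604 | 374 | 508 | 674 | 887 |
| Spam | -- | -- | -- | -- | 305 | 285 | 181 | 2480 | 8150 |
| Network Scanning / Probing | 11 | 40 | 177 | 223 | 265 | 303 | 277 | 1748 | 2866 |
| Virus / Malicious Code | 5 | 95 | 19 | 358 | 408 | 596 | 2817 | 2765 | 3149 |
| Website Compromise & Malware Propagation | -- | -- | -- | -- | 835 | 6548 | 6344 | 4394 | 4591 |
| Others | 4 | 18 | 17 | 264 | 148 | 160 | 188 | 1240 | 2417 |
| Total | 23 | 254 | 552 | 1237 | 2565 | 8266 | 10315 | 13301 | 22060 |
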
Table 1. Year-wise summary of Security Incidents handled as per CERT India Annual report

Fig 1:- As per CERT India Annual report
These statistics from CERT are, however, only indicative without giving the actual picture of cyber crime in India. The agency merely maintains records of cases that are notified to it.

Dimensions of Cyber crime in Cyber space
The term 'cyber crime' has not been defined in any Statute or Act. The Encyclopedia Britannica defines 'cyber crime' as any crime that is committed by means of special knowledge or expert use of computer technology. Cyber crime could reasonably include a wide variety of criminal offences and activities.
CBI Manual defines cyber crime as:
(i) Crimes committed by using computers as a means, including conventional crimes.
(ii) Crimes in which computers are targets.
Cyber crimes can be of three categories:
  • Against Property – Financial crimes – cheating on-line – illegal funds transfer.
  • Against Persons – On-line harassment, Cyber Stalking, Obscenity.
  • Against Nations – Cyber Terrorism – Damaging critical information infrastructures.
Cyber crimes are on the rise. The use of anonymity, quick access to systems and the integration of financial institutions have complicated investigation. The crime figures maintained by NCRB India clearly state the same.
As per Crime in INDIA 2012 NCRB

Role of law enforcement agencies in Cyber space
The basic functions of law enforcement agencies are prevention and detection of crime. The same applies to crimes committed in cyberspace. The report of CERT India clearly states that ICT security related incidents are increasing almost every year. Similarly, cyber crimes covered under the IT Act and under the IPC are both rising almost every year.
There has to be a three-pronged approach towards it:
1 Creating awareness
Awareness about cyber crime has to be spread amongst children, students, professionals and businessmen through workshops, seminars, radio, TV and the Internet. Computer ethics has to be taught to them. Apart from these, the subject may be included in the curriculum to make children aware of cyber crime from the beginning.
2 Prevention
For prevention the government has passed the Information Technology Act, further amended it in the years 2005 and 2008, and has also formulated the Cyber Security Policy. The National Informatics Centre (NIC) is also coming out with a policy on email usage and usage of the government's IT resources. But merely passing laws and formulating policy is not going to prevent incidents of cyber crime.
3 Detection
For detection we have to rely on the law enforcement agencies, that is, the police. Whenever a technology comes in, it is the criminal minds that first adopt it for their use. Creation of policy and law and the readiness of law enforcement always lag behind.
In this paper we shall concentrate on the methods used by the police for investigation of cyber crime, the hurdles in investigation, and other options available for help in investigation.
Cyber crime investigation
Cyber crime investigation is, in procedure, the same as that of any conventional crime. We have to collect evidence, preserve it, collect information and documents, interrogate suspects, seize electronic evidence, arrest the accused and produce them before court for trial. The investigation of cyber crimes is complex. The evidence is often in an intangible form. Its collection, appreciation, analysis and preservation present unique challenges to the investigator. The increased use of networks and the growth of the Internet have added to this complexity. Using the Internet, it is possible for a person sitting in India to steal a computer resource in Brazil using a computer situated in USA as a launch pad for his attack. Distributed attacks are also not unheard of. The challenges in such cases are not only technological, but also jurisdictional. The Internet provides anonymity and safety. Unlike other forms of crime wherein the person undertakes considerable risk, cyber crime provides the criminal with a cover. He leaves no physical footprints, fingerprints or other tangible traces, making it extremely difficult to track cyber criminals down.
The cyber police station, Bhopal has been receiving several complaints related to fake or obscene social networking profiles, hacking of passwords, creation of anonymous email accounts, hacking of emails, impersonation through email and profiles, job frauds, Internet lottery frauds, hacking of internet banking accounts and cheating through credit/debit cards. The common tools or tricks used by the accused for committing these crimes were obtaining databases from job sites, bank sites and websites; sending phishing emails in the name of a company, firm, institution or bank; creating domain names similar to genuine brands, or email IDs whose names appear to be those of a brand; sending bulk SMS; calling in the name of a bank (termed a vishing attack); or intentionally creating fake identities for defamation.
Prima facie, the investigator shall collect and preserve the evidence, because if evidence is lost we may not be able to achieve the end goal. Complainant statements and, subsequently, any evidence available in cyberspace (as in the case of a fake social networking profile, obscene profile, objectionable messages on a website, website defacement etc.) shall be seized. There is no standard procedure for seizing data on web space that is visible on screen. The IT Act is interpreted to mean that a series of computers can be considered a single computer. Hence when we seize data available on the Internet, it may be assumed to be seized from the source server. The data on screen may be recorded in front of two witnesses with the help of screen capture software like WINK, which is freely available. The film generated by the WINK software, showing the data which proves the commission of the crime, may be recorded on CD/DVD. The hash of the files of the seized evidence may be calculated and recorded on the CD/DVD. Once the evidence is recorded, a certificate as per Section 65B of the Evidence Act may be prepared by the person who seized the evidence. The signatures of the witnesses may be taken on the CD/DVD with a marker. This may apply in cases of fake profiles, obscene profiles, profile hacking, forming hate communities on social networking sites etc.
For recording evidence on a website, programs like "httrack" may be used for copying the content of the website. Once the website is copied, the above procedure may be repeated for the seized folder of website content. This may apply in cases of defamation on a website or website defacement.
For recording email, the same procedure could be followed, or the email may be downloaded with the help of email clients like MS Outlook, Thunderbird, Eudora etc. This may apply in cases of crime involving phishing emails. If a crime has not been registered, then the above evidence may be seized as per Section 102 of the Criminal Procedure Code of India (CrPC), on suspicion of commission of a cognizable crime.
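The hash-recording step described above, as an added example that is not part of the original paper: it goes beyond a single recording by hashing every file in a seized folder (for instance a copied website) into a manifest and re-checking it later. The manifest field names, file names and case reference are constructed placeholders, and SHA-256 is an assumed choice of hash.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so a large screen recording is never fully in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(evidence_dir, case_ref, seized_by):
    """Record relative path, size and SHA-256 of every file under evidence_dir."""
    files = {}
    for root, _dirs, names in os.walk(evidence_dir):
        for name in names:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, evidence_dir).replace(os.sep, "/")
            files[rel] = {"size": os.path.getsize(full), "sha256": sha256_file(full)}
    return {
        "case_ref": case_ref,  # hypothetical field names, not a prescribed legal format
        "seized_by": seized_by,
        "created_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "algorithm": "sha256",
        "files": dict(sorted(files.items())),
    }


def verify_manifest(evidence_dir, manifest):
    """Re-hash the folder and list files that changed, vanished or appeared."""
    recorded = manifest["files"]
    current = build_manifest(evidence_dir, "", "")["files"]
    return {
        "modified": sorted(p for p in recorded
                           if p in current and current[p]["sha256"] != recorded[p]["sha256"]),
        "missing": sorted(p for p in recorded if p not in current),
        "unexpected": sorted(p for p in current if p not in recorded),
    }


def demo():
    """Run the workflow on constructed sample files; returns (clean, tampered) reports."""
    with tempfile.TemporaryDirectory() as work:
        evidence = os.path.join(work, "seized")
        os.makedirs(os.path.join(evidence, "mirror"))
        samples = {  # constructed stand-ins for a website copy and a screen recording
            "mirror/index.html": b"<html><body>defaced page copy</body></html>",
            "mirror/style.css": b"body { color: red; }",
            "screen_capture.bin": b"\x00constructed screen recording bytes",
        }
        for rel, data in samples.items():
            with open(os.path.join(evidence, rel), "wb") as handle:
                handle.write(data)

        # The manifest is stored outside the evidence folder so it does not alter it.
        manifest_path = os.path.join(work, "manifest.json")
        with open(manifest_path, "w", encoding="utf-8") as handle:
            json.dump(build_manifest(evidence, "CASE-PLACEHOLDER", "Investigating officer"),
                      handle, indent=2)
        with open(manifest_path, encoding="utf-8") as handle:
            manifest = json.load(handle)
        clean = verify_manifest(evidence, manifest)

        # Simulate loss of integrity after seizure: edit, delete and add a file.
        with open(os.path.join(evidence, "mirror/index.html"), "ab") as handle:
            handle.write(b"<!-- edited -->")
        os.remove(os.path.join(evidence, "mirror/style.css"))
        with open(os.path.join(evidence, "note.txt"), "wb") as handle:
            handle.write(b"added later")
        tampered = verify_manifest(evidence, manifest)
    return clean, tampered


if __name__ == "__main__":
    clean_report, tampered_report = demo()
    print("clean:", clean_report)
    print("tampered:", tampered_report)
```

An empty report means the copy still matches what was hashed at seizure; any entry under modified, missing or unexpected shows the folder no longer matches the recorded manifest.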
Law enforcement agencies can call for information as per Section 91 CrPC from the person or institution storing the information. Such information is provided by service providers like banks, payment gateways, online shopping gateways, Rediff, Yahoo, Google, Hotmail, Orkut, Facebook and YouTube on receiving a written request.
After receiving relevant information such as IP address, mobile number, registered email ID etc., the contact person's name and address can be acquired from the Internet service provider (ISP) or mobile service provider. Once an accused is known or traced, he could be interrogated and arrested, and electronic evidence may be seized. The electronic evidence may be seized in a forensically sound manner, and expert comments may be called for from the empowered forensic labs. In this way any cyber crime investigation may be conducted.
Hurdles in Cyber crime Investigation
The above procedure may seem simple to a technical person, but it is not so for the police. In the Indian context most investigation is done at the level of Sub Inspectors and below. Policemen of such rank are generally not aware of the procedure to record, seize and analyse digital evidence. As stated earlier, it is the criminal mind that first puts technology to its use.
Many a time the website, bank, payment gateway or email service provider is located outside India or its address is unknown. In such conditions the investigation gets blocked. Sometimes a web service provider residing outside India asks for a letter rogatory before providing information. The process of letter rogatory is very time-consuming and cumbersome.
During investigation of crimes involving ICT, the investigator needs various kinds of logs, like IP login logs, registration details, call detail records, IP access logs and FTP logs. These logs are maintained by servers for a predefined period, defined by law or by internal administration, which may range from a few days to a year. If the logs needed are not requested at the earliest, there is a chance of evidence being lost.


Need for Hiring a Professional: Why?
Many a time we need information on an urgent basis to prevent the immense damage foreseen, and we need access to certain information which is restricted. Foreign web service providers do not provide the content, citing privacy acts; financial institutions, web service providers and Internet service providers outside the boundaries of India do not respond to law enforcement requests. Hence the need arises to hire a professional hacker.
The Cyber Security Policy of India does insist on public-private partnership. Apart from that, a required person can be inducted as special police as per police regulations. Hence hiring a professional hacker may be a viable option for investigation of cyber crime, because such people have real-world experience in playing offense. A common IT professional knows only about playing defense. There is a very big difference in mindset between someone whose primary training is in protecting the network and someone who has learned, usually mostly through trial and error, all the little "tricks of the trade" for breaking into networks. Professional hackers do have expertise in finding vulnerabilities in networks and systems.

Risk involved

But there is risk involved in hiring a professional hacker as well. There's the question of whether the hacker really is completely reformed. Maybe he's sworn off cracking DoD passwords and writing viruses, but will he be tempted to dip into our department's confidential files and take a look around, because he will have access to them? Can we trust him not to illegally download copy-protected music and movies or install applications on computers on our network in his spare time? If he gets bored, might he decide to peruse the personnel files just for fun, or whip up a "harmless" little practical joke script to create a nuisance?
It all comes down to a question of trust. Giving a person access to our confidential cases and network - especially the kind of access that's required to store confidential information - is akin to giving someone access to your bank accounts. It's a position that carries a great deal of responsibility. Would we hire a former embezzler to oversee our money? Probably not, because that person has been shown to misuse that type of access in the past. Likewise, we don't see law enforcement agencies hiring former murderers to help them catch violent criminals, or former burglars to help thwart other breakers-and-enterers. They might make use of those people as confidential informants, but they never put them into positions of trust where they would have the opportunity to commit the same crimes again.
If a professional hacker has access to our network, he could launch a botnet attack, could send out malware from our location and could even access our confidential data. We need to consider whether the self-proclaimed hacker really has the level of skill he claims to have. It's also important to remember that "birds of a feather flock together." Hackers tend to be friends with other hackers. They learn from each other, and it's also a culture in which members get a lot of gratification out of impressing each other. Even if "our" hacker doesn't attempt to harm our information, network or its assets, we can't be sure that he won't inadvertently let slip information about our office, when bragging to his hacker friends, that they might use to get in and wreak havoc.
If we are considering hiring a former hacker, it's a good idea to delve deeply into his background and record and try to discern exactly what has motivated him. That can give us a clue as to how much of a risk we would be taking on by hiring him.
There is always some element of risk in hiring a person to do a job which we don't know how to do ourselves, because it makes it easy for that person to put one over on us. There is a greater risk in hiring someone who has committed illegal acts in the past - but some hackers are more of a risk than others.

Protecting our company from our own "hired gun"

If we do make the decision to hire a former hacker, we shall take steps to protect our department from the possible consequences:
  • We shall do a thorough background check. We shall not assume that what the hacker tells us is true.
  • Have the hacker sign a contract (or independent contractor agreement) that very explicitly sets boundaries and prohibits any access not specifically authorized, prohibits any use or sharing with others of information gathered in penetration testing or other parts of the job, and specifies the penalties for violation.
  • We shall not give the hacker access to any more than he needs to do the job for which we have hired him. We shall never give him administrative passwords. If he can obtain those credentials on his own, we shall know we have a security problem.
  • If the hacker leaves or when his contract work is over, we shall change passwords (even if we think he didn't have them) and shall make sure strong intrusion detection/prevention controls are in place.
  • We shall monitor network access while and after the hacker works for us and be on the lookout for any suspicious activity.
What next
Some organizations, visualizing the risks involved in hiring a professional hacker, may not opt for it. They need to recruit technically qualified persons and get them trained in the best environment. The International Telecommunication Union (ITU) Global Cybersecurity Agenda (GCA) has seven main strategic goals, built on five work areas: 1) Legal Measures; 2) Technical and Procedural Measures; 3) Organizational Structures; 4) Capacity Building; and 5) International Cooperation.
The fight against cybercrime needs a comprehensive approach. Given that technical measures alone cannot prevent any crime, it is critical that law enforcement agencies are allowed to investigate and prosecute cybercrime effectively. Among the GCA work areas, "Legal measures" focuses on how to address the legislative challenges posed by criminal activities committed over ICT networks in an internationally compatible manner. "Technical and Procedural Measures" focuses on key measures to promote adoption of enhanced approaches to improve security and risk management in cyberspace, including accreditation schemes, protocols and standards. "Organizational Structures" focuses on the prevention, detection, response to and crisis management of cyberattacks, including the protection of critical information infrastructure systems. "Capacity Building" focuses on elaborating strategies for capacity-building mechanisms to raise awareness, transfer knowhow and boost cybersecurity on the national policy agenda. Finally, "International cooperation" focuses on international cooperation, dialogue and coordination in dealing with cyber-threats. Cybercrime often has an international dimension. E-mails with illegal content often pass through a number of countries during the transfer from sender to recipient, or illegal content is stored outside the country. Within cybercrime investigations, close cooperation between the countries involved is very important. The existing mutual legal assistance agreements are based on formal, complex and often time-consuming procedures. The setting-up of procedures for quick response to incidents, as well as requests for international cooperation, is therefore vital. The process of letter rogatory for receiving information across boundaries needs to be simplified. The world has taken steps towards international cooperation for prevention of money laundering.
Cyber crime does involve money laundering in some form or the other; hence if the money flow can be traced, the real cyber criminal could also be traced. International cooperation is also needed to make rules for authentication of email IDs, domain names etc.
Cyber crimes occurring in India usually involve different states; hence a nodal agency for cooperation may be set up at state level for a quick and better response. Permission of the home secretaries of the concerned states is needed for interception. This permission usually takes a lot of time; hence the process needs to be smoothened and a time period may be fixed for prompt response.
As per the IT Act, an Examiner of Electronic Evidence has to be set up for providing expert evidence related to digital evidence. Till date the central government has not framed rules for setting up the Examiner of Electronic Evidence. At present expert evidence related to digital evidence is rendered by CFSL, GEQD and some State FSLs only, and they too have limited strength, due to which the pendency of cases is increasing day by day. Hence the Examiner of Electronic Evidence needs to be set up on priority, new FSLs have to be set up and expert strength needs to be upgraded.
Conclusion:
There is no doubt that investigation of cyber crime is complex in nature. The volatility of evidence, storage retention limits of logs and data, involvement of different countries, the facility of anonymity and non-cooperation of organizations in investigation add to it. Hiring professional hackers may be a viable option, but they have to be judged properly. They should be monitored, as they do have access to confidential data. Hence checks and balances need to be ensured while hiring a professional hacker. If legal processes are smoothened and international cooperation is brought to reality, then our dependency on them may decrease to a reasonable extent.
References:-
  1. Computer security policy of India
  2. IT act 2000 and amendments 2008
  3. Comments of DSCI on Computer security of India
  4. www.techrepublic.com
  5. http://www.itu.int/cybersecurity/gca/






























   
