Cyber Terror
The evolution of the cyber world, new technologies & the latest hacking techniques has
introduced great opportunity and significant risk to our lives. Everyone from IT personnel
to youth & common users is confronted by complex and critical choices of ethics and
responsibility for which they may be little prepared. Hacker5 presents the reality of those
choices and their consequences.
Hacker5 directly addresses the key issues to influence youth, IT personnel & common
users toward personal safety and socially acceptable use of cyber tools. The main objective
of Hacker5 is to help the user understand how the cyber world, new technologies & the latest
hacking techniques contribute to their lives and to the lives of their family, community,
nation and society. Hacker5 concentrates on understanding individual and corporate
responsibility for maintaining the integrity and availability of cyber commerce.
Hacker5 also focuses on "Cyber Awareness" & on understanding the ethical considerations
associated with the use of cyber technologies. Our motive is to expose hidden &
underground threats mainly caused by using the Internet & to spread awareness among the
people.
India's first magazine on Hacking
NEWSMAKERS BROADCASTING & COMMUNICATION PVT. LTD.
Mumbai
Written by VAIDEHI SACHIN
Researched by VAIDEHI SACHIN & AMARJIT SINGH
Exclusive Inputs Aditya
First reader Aditi Taman
Sub-editor Prakash Subramanian
Proof reading Sandeep Kumar
Illustration Rajendra Maharana
Designers Rajendra Maharana, Mayank Agarwal
Marketed and Distributed by CNA-Mumbai
Admin Support Rohini Joshi
Copyrights@ NBC Pvt. Ltd. 2010
First Edition Published on 30th October 2010
Published by Newsmakers Publications Pvt. Ltd.
Sales centres -
Mumbai, Delhi, Chennai, Hyderabad, Jaipur, Kolkata, Allahabad, Bhopal
All rights reserved with the author of this book.
No part of the book may be reproduced or utilized in any form or by any
means, electronic or mechanical, including photocopying recording or by
any information storage and retrieval system, without permission in
writing from the author.
Newsmakers Broadcasting & Communication Pvt. Ltd.
425, 4th Floor, Gundecha Industrial Complex Premises Co-op Society Ltd.
Akruli Road, Kandivali (E), Mumbai - 400101
Tel: +91-22-32229881-2
MRP: Rs. 300/-
Printed in India by Quality Printers
Credits
DEDICATED TO
Anil Kumar Gaykwad, whom we call Anna for his
unconditional support. And also to the entire Newsmakers
team, without their support this wouldn't be possible.
Acknowledgements
No creation in this world is a solo effort... neither is this book. I
would thank all the people that were associated with this book
by playing some or the other role. Right from the person
making photocopies of the drafts to the office assistant
preparing tea and serving. Also to the delivery boy who ensures
that the book reaches the shops on time. Particularly I would
like to thank:
• God, for his love and blessings.
• My Hacker5 Rahul Tyagi, Parul, Ajay Anand, Rishab and all
Facebook friends, specially Chandresh, Arunpreet and
Aditya.
• Prakash, the sub-editor of this book.
• Aditi, my inspiration, for her wonderful suggestions and
pranks.
• Rajendra and Mayank, who gave shape to this book by
adding pictures and colours.
• Rohini for great assistance.
• To all my precious readers.
Index
1. Beginning of my new invention
2. Hacking-the new battling lingo
3. In today's world
4. All Indian Hackers till date... Indian Hackers Group
5. The Good bad and Ugly Hackers
6. The Hackers Mentality
7. The Hackers Language
8. Cyber War: It's Child's Play
9. The fairer side of Hackers
10. Facing man's world
11. Understanding Hackers
12. Cyber Hack
13. Ways of compromising with the system
14. Cyber Law
15. The FBI definition of Cyber Terrorism
16. Amazing hackers
17. Ordinary forms of cyber terrorism
18. Hacktivism
19. Cyber War and Cyber Terror
20. Call Spoofing
21. Controversy and ambiguity
22. Pakistani and patriotic hackers
23. Ten most famous hackers
24. Warmongers on Ride
25. Hacking: Underworld mafia's new venture
26. Strange Hackers of dark world
27. Mastermind In Hacking
28. Consumer security trends
29. India needs to strengthen cyber security
30. Cyber children on the rise
31. Swiss bank and hackers
32. Unethically ethical
33. Stuxnet Computer Worm Exposes Potentially Disastrous Vulnerabilities
34. Iran Fights Malware Attacking Computers
35. List of hacking tools
36. Hacker Vs Cracker
37. How hackers get caught
38. Vulnerability in Yahoo
39. Fake subject notifications
40. The wonder Hacker of India
41. Pakistan's internal conflicts
42. Unite Indian Hackers
Best wishes from Dalai Lama
My first encounter with a hacker
From Vaidehi's Desk...
Making of this book has an interesting story to share. We have a fortnightly magazine
named 'Beyond the news' and for the first time we had published a cover story on Pakistani
hackers. In the same article, we had mentioned something about a learn hacking website
which was owned by an ethical hacker who is none other than my co-writer. I received a call
from him to print an apology for publishing his name in the magazine. I was adamant and
refused to do so because we too had enough grounds to do so. Later, he sent me an e-mail
mentioning 'I will drag you to court.' I replied saying 'Please, come let's proceed.' By this
time, the hacker was fuming. After half an hour he dropped me an e-mail with a link. Oh my
god!! I yelled after clicking the link. I was shocked to read and see a defaming post that
said, Vaidehi Sachin to print bogus news. With all the screen shots of my website,
highlights and prominent displays he tried explaining his point. He wrote that his site
gains lots of traffic and over a period of time this news will spread in the entire web
world. Our mail box was jammed, but miraculously one best thing that happened was that our
website fell into one of the hackers' attention. From here a war began between these
hackers and my fellow journalists. Every day I received hundreds of comments and was
stressed initially but then slowly I too started loving it. However, this act became a
blessing in disguise for me as I managed to gain immense online publicity. All my
fraternity members pounced on that post with best possible attacks as this hacker went on
an interaction mode with me. The attacks continued and it was literally a fight between
hackers and journalists. This was my first encounter with hackers.
Meanwhile I searched for him on Facebook, and went through his friends list of all different
hackers with weird profile pictures and coded names. I started studying about hackers,
their lifestyles and wondered who these people are etc. I was thrilled to see all young
techies applying their brains in cyber expertise but at the same time I was horrified to
see the preparations of Gen next war. I started adding these guys to my profile, but no one
entertained me. The moment they got to know that I am a journalist, they used to refuse my
request. One thing I would like to mention here is that hackers do lots of blogging. Many
of the hackers maintain ten to fifteen blogs each. Their optimizing skills are amazing.
They function in a chain, one hacker passes the news to another hacker and in no time the
news gets spread everywhere. These blogs are their tools to defame the enemy and or to
publicize themselves. I have never seen such trained traits of blogging. Forums are another
place where all these hackers generally discuss many things like latest hacking tools,
queries, gossips, who's doing what. To enter that forum you need to compulsorily have a
coded name and some hacking knowledge and should not reveal the identity. That's how
cattechie was born.
Cattechie is my coded name in hackers' zone. On one side, interaction with hackers,
chatting, sleepless nights and investigations were going on while on the other side
Amarjit (co-writer) and I developed a good rapport, clearing off all the
misunderstandings.
With the help of Amar, I started understanding this alien world and learnt that these
Hackers are Faceless people who deface government websites and can peek into your computer
without your knowledge. It's a secret world with hidden, horrible faces on social
networking sites, weird language. Most people are unaware of the difference between hacking
and crime. A hacker is simply someone who finds a novel way of doing something. When a
website is "hacked," the correct term which can be used is "defaced". The hackers try to
deface your online existence for a while. The part where the site code talks to the
database in the backend, like a log-in form, or a page which fetches data based on some
numeric ID. Using specially-crafted code, malicious users try to extract data from the
database itself. There are a lot of easy-to-use tools available, and lots of vulnerable
websites, so this is one of the most preferred modes of attacks. A variation is to insert
malicious links which can infect the computers of the site's users. The hackers use most
dangerous ways which tamper with control systems for mechanical or electrical devices,
like lifts, assembly lines and medical devices etc. All these kids involved in hacking are
charming and talented. They are teenagers and can take on anything in the world. They are
Faceless people who deface government web sites, who can peek into your computer without
you being aware of it.
The other side of it, they also restore your defaced sites unknowingly, because in the forum
there were many senior hackers who used to assign these jobs to their junior hackers to
restore sites or the sites which have holes to patch them. I got fascinated towards such
hacking groups. They are so patriotic that they not only guard you without your
knowledge, but also seek revenge if someone attacks your site. For me, the definition of
hacker turned positive. These days I became very close to some of the hackers who are all
from middle class families, having no background, hiding from legal clutches and unaware of
the outer world. Then I thought of uniting them. Amar and I used to sit overnight
discussing this issue and finally both of us came to the conclusion to unite them for a
cause, to form a strong hackers' army and restore them in the mainstream employment as
security experts. We decided to assign them tasks and provide them a platform to serve this
nation with pride and candidly. I had decided to uncover their masks and give them their
identity which they had lost.
That's how we started our task. Initially no one was ready to join us and was rather scared
to talk to me. Some of them even accused me of using them for publicity. Some of them
thought I am an undercover intelligence persona and here I was to put a trap on these
hackers. Then to take them in confidence and provide them the platform, I started Hacker5
magazine which is a very unique magazine and truly one of its kind. The first magazine is
run by a team of hackers. This is something to their belonging and a resource to voice
their opinion. All big, small hackers came forward for the launch of this magazine and it
was a pleasant surprise for us to be gracefully accepted by a huge number of hackers. This
magazine is a unique venture by hackers and journalists, a platform for young techies to
explore their talent, voice opinion, and an attempt to unite hackers under one roof.
Well begun is half done..
I realized that these people are no less than heroes of computer revolution. The only way
to prevent hackers from venturing into crime is to provide a platform for their existence
and an outlet to display their skills. I made an appeal to all the hackers to unite. My
objective was to bring at least young tech minds into the fold. I inspired young people to
take up a career in hacking; we need to address all the issues concerning with
cyber-security in the same manner. Rush to train, recruit elite hackers.
By one estimate, India currently has about thousands of elite cyber-security experts. It
needs to recruit 20,000 people, train and deploy a new generation of cyber-security experts
for protecting and defending our digital borders. While crores of rupees are being spent to
secure cyberspace, the number of elite cyber-security experts needed to protect and monitor
this area for the government and the private sector is dangerously inadequate. There is the
need for better cyber-education and more experts as part of core initiatives, but its
large-scale implementation will take time.
My journey started by having interaction with different hackers. I had good, bad and ugly
experiences, many a times my websites were defaced, my emails were hacked, and my blogs
were encroached by them. Maybe I failed to give all of them the required confidence. Every
day a few used to join us but a few used to trouble. Many a times I gave up, but my team
members Amar, Rahul Tyagi, Parul Khanna and recent acquaintance Lucky who were actively
working as a content provider and team of unite hacker boosted my confidence. They used to
resolve problems between me and hackers and protect me from attacks. Amarjit also taught me
social engineering and simple methods to deal with hackers. I believe everything in my life
just happened effortlessly without me having to make things happen. That may be because I
have always been a spontaneous and an impulsive person. I go with the flow. Planning,
deciding, wanting, hoping, trying, thinking way ahead, these are the things I have never
been able to do. Today, I have a big Hackers family and they all are my little soldiers of
Unite Hackers. Our aim is to secure this country from cyber war, to stop war. There are
many such hackers who help hackers from other countries and ask them not to attack Indian
sites. Many a times, these hackers do inform the concerned authorities to secure their
sites by showing vulnerabilities. Most of the time these hackers are abused and punished or
they take ideas but never patch their sites. Our country has got so much potential in this
young world but we never take them seriously. If given an opportunity they will definitely
prove as a blessing for the nation.
People tell me that I wear my heart on my sleeve and I guess I do. I am open with my
feelings to others and to myself which is why the most important occasion in my life
happened the way it did. Gradually, I started receiving support from my Editorial desk.
Amarjit's encouraging force and hacker friends' trust in me became a mantra which worked
well for the success of Cyber Terror.
Here I want to make an appeal to everyone, India has the best of hackers. They are very much
advanced in security skills and have proficiency in their field. They can be a cyber arm
force to control cyber war and make our country's networking protected. We appoint security
forces at offices, banks, malls and business centers to prevent attacks at our business,
assets, data, and intellectual properties. We spend thousands of rupees in the installation
of CCTV cameras, alarming systems to protect ourselves from visible terror to tackle threat,
then why don't we employ such highly skilled hackers for this purpose?
While writing this book I did lots of investigations, started understanding how these
people used these resources for stealing, the life style of black hat hackers. That was
another horrifying stage for me. They used to send me anonymous mails warning about my
limits. Some hackers joined me on Facebook to explain how these hackers make pornography
out of your pictures and defame if you go against them.
Some of them openly warned me to finish my online existence. After launching this book if
you witness any of such things then please don't be surprised. I am mentally prepared and
you too prepare yourself. I decided not to take this and went ahead with my investigations,
on one side I was working on issues overnight while on the other side blogging. Anonymous
mails and virus attacks continued to come, but my hacker friends protected me and my
computer and online existence by tracing the culprits.
However, we have always sidelined the invisible threat to your networking and internet
securities. There are cyber terrorists to ruin your existence. By recruiting this
particular force you can make a difference, you can assure yourself hundred percent
security. Thousands of young minds would like to pursue a career in hacking, but
unfortunately the word Hacker is abused in our country. If a Pakistani hacks your site,
there is no law applicable to punish that hacker but when an Indian hacker retaliates, they
are punished due to the existence of stringent cyber laws. Hence, hackers are living in a
dark world of their own, hiding their faces from the so called white collared world. They
are the upcoming generation of our country. We don't have recognized universities for
seeking education in securities and hacking. In this book I have tried writing the facts
which may be similar to your experience, or some of you may not agree to what I have
written. Whatever it is, one thing is for sure that this book is not written to defame
anyone or sabotage anybody's interest.
It's high time we need to think for this neglected community of our cyber society.. I have
decided to unite them, are you with me?
Rafay Baloch is an Ethical Hacker and a Security expert from Pakistan; then Adnan Anjum
whom I call my Pakistani brother, then Junaid, Umer rock, they all chat with me every
day. Not only this, we also shared tremendous comfort level while chatting. Many a times I
try doing social engineering with them to dig about pak cyber info but they just avoid
commenting. They have become my distinct family. While this venture in-between I was bed
ridden but I never thought that these friends to be so restless. Their messages were
flooding wherever I was logging in, be it Facebook, mailbox, blogs, everywhere. I was so
happy because I never expected them to be so caring.
I started reading my messages and in a while I came across one message, which after reading
I couldn't hold back my tears. The message said, hey sister your brother from Pakistan
wants you to live long with all the happiness. Today I cried for and made prayers to Allah
saying that to make you fit as soon as possible, may my years be added to your life. I never
expected any Pakistani hacker to be so kind to me.
One day one more Facebook friend, a Pakistani hacker, asked me, 'Do you know where I am?' I
thought he would say 'I am in India.' But he replied, 'I am in Poland.'
'Hmmmm, when did you go there??' I asked; he said, 'Just while chatting with you.' After
some time he told me that he was hacking some site and had already rooted it and was
planning to deface that site. I just popped out of my window and thought to myself, my god,
such a bull shit. He came back to my window, gave me a link and said 'Hey! Look at this.'
When I clicked the link, it was some defaced site. I couldn't resist and started fighting
with him; he just went offline. Then another Pakistani friend asked me what happened; I
told him that so and so had happened. Later even he disappeared from the chat box and
joined me after an hour.
Pakistani hacker- How are you feeling?
Me- not good
Pakistani hacker- want to laugh for a while???
Me- no
Pakistani hacker- At least take a look once
Before I could type anything he sent me a link; when I clicked it I saw that the site was
restored. At that moment my happiness knew no bounds, I was like WwWooOoowWwwW
Then he wrote, 'Don't let your heart be sad over a small thing, your brother is here,
isn't he?'
Rafay's blog generates lots of traffic because he provides all kinds of hacking tutorials
on his blog and young aspiring hackers make a beeline to his blog. He is a hero of blogging
and his sense of optimizing is quite excellent. He wanted me to interview him and publish
it in my magazine. Initially I hesitated, I was like why do I do that, and then I thought
let me have the experience of interviewing a Pakistani hacker. I asked him many questions
which could have easily put me into some scoop; later Amar and I did lots of social
engineering with him. Finally he mailed me his interview but smartly replied only to those
questions which were safe to answer. I published his interview, gave him the link of my
site. He also published that interview on his blog; next day my site got heavy traffic.
Gradually my magazine was attracted by all the hackers. I have already told you about the
blogging culture of hackers. Each and every blog started carrying my news and that's how we
got good online publicity.
[Profile pictures of my Pakistani Facebook friends: Rafay Baloch, Junaid]
Over the period of time I got many Pakistani good, bad and ugly hackers on my friend list.
Whenever I had any argument with some of the Pakistani hackers they used to send me nasty
anonymous mails or they left abusive comments on my blog post. Once they also hacked my
gmail account. But I also had very good friends who taught me to take back up, also taught
me to secure passwords, to protect my mails nicely. All kinds of tutorials on security were
given to me. A few of them taught me Team Viewer software in which they came into my PC and
did the needful. Team Viewer is a software for free remote access and remote desktop
sharing over the internet.
Since all the forums compete to have the maximum number of users, most of such underground
forums give the option of free registration to receive more traffic. Though one can
register to these forums for free, it does not guarantee access to all the sections of it.
There are a few sections that are hidden and the normal users are unaware of them. A few
black hat sites, to remain anonymous, block all traffic and only allow a few IP addresses.
<=SHAK=> is a Pakistani hacker and very famous amongst young Indian hackers; for these
kids there were two heroes, one c0d3br34k3r and <=SHAK=>. c0d3br34k3r and <=SHAK=> were
never easily available to anyone for chat. They used to only attend those forums. My name
got famous amongst pak hackers.
I used to be on the computer on IRC, Facebook, forums to explore hackers' dark world. One
thing was very horrifying. These teenagers, they used to pass the messages of this side to
that side just to earn some good will, and if caught they used to be humiliated worse than
an anti-national criminal, his online existence used to be at stake. Some hackers used to
test my hacking skills; they used to ask me different questions. I used to be scared of
getting caught. Immediately I used to seek help from my friend hacker or most of the time
Amarjit used to help me. I simply used to do cut paste business and once the person is
confirmed that I am well versed with hacking, that day onwards I used to earn some respect
in their eyes.
They are Pakistanis. I know we have a threat from them if cyber war starts, but all these
days when I was with them, they were just my Facebook friends and family. It's hard to
believe and I don't want to believe that every hacker is an enemy.
Finally what I want to share with you is, on border level we have disputes, on cyber level
we have disputes, but uncertain level they are the best buddies one could ever have, they
share tools, they share knowledge, they make you feel special, they love you as you love
your family, and in this hackers world I was did to them today when this chapter got
finished writing. Believe me I was suffering with withdrawal symptoms, as if I am going
away from that world. I logged on to the net, had a long chat with them and finally
disclosed that I am publishing a book on cyber terrors; they were amused and gave me the
best of compliments.. I don't know what one thinks is good and what is bad but I know there
is no replacement to honest relations and committed emotions.
There's one more friend of mine on my Facebook profile whose coded name is Cyber Swati.
Don't mistake him for a girl. He is a guy and his original name is Hasan Ali Khan Swati. He
is the nastiest hacker I have ever seen. Every third day he will definitely deface some or
the other site and provoke me to inform Indian hackers about his defacement. Whenever he
defaced a site, Indian Cyber Army kept restoring the defaced sites.
One day he sent me a message asking for my contact details but I was reluctant to share any
of my details with him since I feared he would play some prank on me too. Out of
frustration, he asked me once again and with this he forwarded me a link too of his
recently defaced site. After clicking on the link, I was taken aback to see that he had
defaced the website of The Times of India.
Earlier he had disguised himself as Swati just for the reason to join an Indian forum.
Fortunately, Indian Cyber Army caught him and threw him out. Today, he has joined the
pakjunun.com forum. Till the end he did not scrap 'Swati' so as to maintain his identity.
He is known as the best and most vitiated example of unethical hacking.
You will be surprised to know that the maximum cyber war takes place on Facebook, blogs,
and especially on IRC. IRC is the most preferred site by the hidden hackers for the
communication purpose. Maximum of them use some part of a defense server and create hidden
forums where they rendezvous and remain out of the reach of law.
[Profile picture: Umar]
01
Beginning of my new invention
The day I started with my research I had to track down many hackers which was quite a
difficult task. What I have observed till now is that apart from those so called ethical
hackers no other hackers are identified by their original name; usually they are coded with
some different name or number. None of the hackers who possess an account on social
websites have uploaded their original pictures except a few.
While browsing every account from beginning to end I came across one familiar filament, the
profile pictures. Every picture you see expresses a kind of harsh, rude and cruel message
and I couldn't make out the motive. Step by step I became friendly with one of the hackers;
the first time when I found him online I just busted him with my question which he wasn't
ready to divulge. Maybe he never expected this from an anonymous person. During that point
I realized that the belligerence level is quite high in almost every hacker. With the
passage of time I started clarifying my concept with him gradually and after knowing me
well he uncovered his past to me which wasn't quite pleasant to hear. Their history is also
one of the grounds to compose them what they are in the present day. Most of the hackers
had a troubled juvenile period; all the answers for their vague query could be seized only
with the help of cyber. While in this epoch they don't even comprehend that this is where
they have begun acquiring an odd knowledge of hacking. Once they become familiar about
their actions, no one can bring them to an end. The reason for this is that it ensures to
be an ultimate weapon with which they progress to the lead.
During this journey I came across an abundance of new concepts which no normal intelligence
can even imagine of; one of them is 'Cyber War'. The initial thought that walloped my mind
is that maybe this might be a combat between the hackers from all over the country. However
later as I started to explore I was jeopardized because I realized that virtual war is more
harmful than any kind of physical war since there are highly talented hackers across the
world who can be a serious threat including the safety of our Indian government, Indian
economy and also Indian infrastructure.
ICW (Indian Cyber Warriors) is a group of hackers from India, and once upon a time all the
core members worked at very senior posts in various security firms. During their free time,
they mostly utilized the night time for R&D and reading. All the three hackers of PCA
(Pakistan cyber army, a group from Pakistan) were working at reputed software companies.
Today if you look at all the new emerging groups, all are college going students, and
that's the main reason why they sometimes lack maturity and cannot see the future impact of
their actions. They just jump into this because of the extra excitement and to impress
others. Still, whatever it may be, they are doing a good job and they are working hard on
polishing their skills.
Beginning of Cyber War
Cyber War was started by the Pakistani group of hackers named 'pakbugs' which was
maintained by zombie_ksa and his fellow team mates. Zombie_ksa is known to be one of the
highly endowed hackers from Pakistan; a few of them mark him as a legend and his identity
is still a mystery. Amongst everybody, the major components or hackers of this group were
Spo0fer, xOOmxOOm, big smoke, and cyber crime (these are the coded names used by them). Due
to the hatred for India, this group started targeting young Indian girls and moreover the
Indian Gods were abused which was no longer tolerated by the Indian hackers. To retaliate,
Indian hackers also formed a group which was named ICW i.e., Indian Cyber Warrior; the
founders of this group were R4scle (Gaurav Singh), Sai Satish, and Smart (keval). As of now
this group is overloaded with three hundred members. They started attacking Pak cyber space
but never wrote anything ill or against their Almighty God, neither did they insult any
gender. This gave rise to the defacement of the sites from both the countries. With the
growing hatred towards each other, it led to the formation of two more new groups namely
the PCA, the founder of this group was Mr. Harun from Pakistan, and Indian National Gas
organization from India. Again there was rapid increment in the defacement from both the
sides. One fine day both the opponent groups realized that only defacement is not the
solution and so the graph of hacking went down and thus here this phase ended with the
signs of maturity.
But was this an end??? NO.
The actual war started in 2008; it's a kind of long story but I would tell you in brief.
There were a few communities and groups on Orkut (HMG was also one of them), where the
battle began. Gradually it turned grimy as a small group of Pakistani hackers started
abusing innocent girls, by posting their morphed nude pictures along with the pictures of
their family members and also their personal details. Initially the group HMG tried to chat
with those Pakistani hackers and tried to convince them not to target blameless girls in
this mess. However HMG failed to convince them. During that time, the users were not that
regular on Orkut or any other social networking sites.
Meanwhile, ICA had participated in a few cyber wars like in the war between Georgia and
Russia, then Albania and Serbia. The owner of HMG gave an offer to Gaurav to join their
group and to witness the happenings going around. This is how Gaurav, owner of ICA, started
forming a team with the brilliant hackers to deface Pakistani sites. One day, they
successfully hacked OGRA (Oil and Gas Regulatory Authority); later it was expected that the
Pakistani hackers would target ONGC (Oil and Natural Gas Corporation).
They browsed well through the site of ONGC and informed authorities about the
vulnerabilities or loopholes about the site. Later, in spite of informing them, the ONGC
web developer did not fix the escapes and this was how the site got defaced by PCA, and
after that we all know what had happened.
This time it was quite a major issue. After few
mont hs a guy named ' xO O mxO O m'
regenerated the conflict by hacking our Prime
M i ni ster' s si te www. manmohansi ngh. org.
Cyber war was revived but this time ICW did not
retaliate maybe it was the question of their ego.
Hackers are known to maintain principles and so
they do not wish to go against.
By this time ICW and Paksbug were the only two
active groups. This was the time when zombie
realized his skill and gradually he started
hacking bigger sites like the national internet
backbone of Morocco, then google.co.in and
hotmail.ug. He almost ended up hacking all the
sites from Uganda and stopped
attacking India. Thus ICW was dead for now.
Indishell was the group formed and the
founder of this group was 'Hack My PC' who
was basically from London. The major platform
of the group was patriotism. He trained many
ordinary minds to expert hacking. Patriotism of
this group was immense and was intensely
mounting day by day.
Flag used for defacing sites by Indian cyber warrior
What xOOmxOOm did was ignored but an
addition to this was not expected. The addition was
nothing but the formation of another group of
Pakistani hackers named 'Pak hackers'; the
founder of this group called himself 'spider'
and was from Afghanistan. He is the leader of
Afghan Cyber Army and once again the filthy
game of defacing Indian sites was about to hit
the top. However, Indishell was quite calm and
did not reciprocate, but this was high time as the
defacing of Indian sites went beyond par.
Two new strong Indian hackers started
retaliating against these Pakistani hackers. They were
M. XXX and SiLeNtpOisOn. Along with them
another new brilliant hacker was thrown into the
battle; his name is 'Lucky', who was trained by
'hack my pc', and he was the new heir of
Indishell. 'Silent poison'
approached Lucky for a
discussion in which the nation's
pride was the most important
topic; this is the phase in which
Indishell came into highlight.
Day by day new groups were
out in the fire of revenge; again
a group was formed, called
cyberhacker.net, which was
super-moderated by a hacker
called '<=SHAK=>', and his
partner in this group was
'Netcracker'. This was formed
due to the disputes between
<=SHAK=> and the member
of the Pak hackers group.
These three groups were at
the top of the list of cyber war and with the rush
of patriotism Indishell ended cyberhacker.net.
The complete backup or old data was erased by
Indishell so that there wouldn't be any chance of
them coming back. It's been three months and
no trace of these hackers has been found. Now
the only people left were <=SHAK=> and a few
others who are acquainted with the technique
of SQL injection and Google hacking. None of
the members of this group was even partially related
to ethical hacking.
<=SHAK=> and NutCracker took undue
advantage of hacking and they started targeting
the common man who regularly did internet
shopping. These hackers hacked their credit
cards by introducing a server of Pakistan into
Germany; even this was suspended when the
credit card holders started giving back. But
nobody could stop these hackers from
committing the same crime once again, so they
came in with new servers and hacked new credit
cards.
Even this wasn't sufficient for those hackers,
so they started an online institution for teaching
credit card hacking. After some time they were
forced to stop these traits due to legal problems,
but the institution was still going strong behind
the eyes of law.
Indishell couldn't stop them immediately and
reported the deeds of the Pakistani hackers to the
CMO office. Unfortunately the officer was
blindfolded. There was no other option for Indishell
but to wait till 14th August, as it is celebrated as
Pakistan's Independence Day.
When Indian hackers defaced nearly
2000 Pakistani websites, on that day Pakistani
hackers too defaced 18 Indian sites with all sorts
of abusive language. They did not only abuse India
but also insulted the lord Ram by pasting his face
onto a dog's body. With this dirty approach all the
Pakistani hackers got on the nerves of Indishell.
To give it back to them ICA was ready, which
consisted of hackers like Mr. XXX, SiLeNtpOisOn and
inX_rOot, and by that time Indishell became an
open door for every hacker around the world.
ICA, started by Lucky and Silent Poison, is
part of Indishell but it's only for Indian hackers,
as hackers from other countries cannot be asked
to support India. That's how Indishell came into
existence as a patriotic hackers group and so far
they have never committed any criminal
activities such as credit card theft, money
transfers or sabotaging somebody's intellectual
property. They just deface those sites of Pakistan
which spread wrong messages about India.
Politicians and bureaucrats talk a lot and
make a lot of promises that we are conducting a
peace dialogue or make statements like "We are
a peace loving country" and blah blah blah.
Because of the kind of job hackers are used to
doing and the kind of info and real inside stories
they dig up, it is sure that this is an issue
which is never going to be resolved. The only
possible way one can see regarding the solution
to this problem is if the government really comes
forward and at least allows hackers to do
something about this issue and to prevent it also
in the future. But it's really sad that the
government still doesn't take this problem
seriously.
The real beauty of hacking is that after a
certain point when you really understand the
meaning of hacking, you will realize it's not the
religion, colour, language, appearance or
anything which matters. The only thing which
matters is knowledge and skill. The concept is
very similar, just as being an Indian, I love my
country, same way they love their country. See,
the people of all the places are very nice; it's just
the dirty politics and sometimes the
irresponsible way of reporting and portraying
things by the news media, which actually
creates the real problems.
Take the case of the site defacement of Vijay
Mallya: the hacker had posted the name of PCA
on the hacked page, but who will guarantee
that Mallya's site is not defaced by Pakis. About
the resources with the governments of both the
countries to hire good hackers, governments
lack the resources, the infrastructure and other
things which we need in case we want to work
for the government and protect our critical
infrastructure. But they are simply not interested
in it and, the worst part, they don't understand
the danger and the scale of damage which can
be caused in case a cyber war happens between
countries like India-Pak or India-China.
Today, Pakistan is not a threat for us, but it's
China. The Chinese govt. has a group of 10,000
skilled hackers working for their govt. and you
can't see anything like that in any of the
agencies in India. China is a tougher target too
because of the language problem: all their work
is in Chinese, so it makes it very difficult for
Indian hackers to understand and figure out the
things. This is a very sad situation and I feel really
bad to say that if we talk about our capabilities
and the amount of preparation for such kind of
situations, we stand nowhere in front of China.
Pakistan is a different case, so there is nothing
much to worry about it. The internet is often
seen as the domain of dissidents and free spirits.
But the Iranian regime, like many others, has long
recognized the importance of winning the
virtual propaganda war, and the talk for the last
couple of years has been of an "Iranian Cyber
Army", a band of dedicated regime loyalists
who attack opposition websites and other
virtual targets. But untangling myth from reality
in this murky world is difficult. The years 1999 to
2009 were a golden decade for freelance
hackers in Iran, an "era of chaos", as a network
security expert in the country describes it. With
no comprehensive internet legislation or other
barriers, groups of young hackers operated at
will, even attacking sensitive government
websites belonging to the army, the prosecutor
general and even the space agency.
A member of "Emperor", one of these
groups, says it was once commissioned by a
local firm to destroy a government database,
while in the 2005 presidential election, it was
asked to hack into two candidates' websites.
Globally, hackers are not connected with the
government machinery and are known to
supply intelligence to their governments. Like
snipers on a tall building, computer hackers
often act as cyber vanguards. Working in
tandem with like-minded people worldwide,
Indian and Pakistani hackers fight this silent
battle round-the-clock. They keep tabs on each
other's possible vulnerabilities and send in
worms, viruses and other malware once
vulnerabilities are confirmed. Hackers fighting
for any country are of three kinds: Black hats,
white hats and grey hats. In cyber parlance,
black hats are hackers whose professional lives
are spent trying to attack other systems. White
hats defend against attacks. The grey hats are not
professional hackers but they pursue it
seriously as a hobby and out of patriotism.
Another group, known as "Iran Hackers
Sabotage", consisted of two 21-year-old
software engineering students and one 18-year-
old mathematics student who rose to fame for
defacing the Guantanamo prison website.
Hackers continue to be active: a few weeks
ago, Iranian police announced they had
identified four hackers responsible for the cyber-
theft of five million dollars from banks in Iran.
But the best-known groups have since faded
away, replaced in the public imagination by
hackers of a different breed. The term "Iranian
Cyber Army" first emerged when a number of
opposition websites abroad as well as Twitter
and Baidu were hacked last year. Although the
attack resulted in no more than a brief
disruption of activity, the name and reputation
were made, though what they refer to precisely
remains unclear. No government agency has
acknowledged control of the cyber army, but it
is commonly believed that the Revolutionary
Guards are behind it. In May 2010, Ebrahim
Jabbari, a provincial Revolutionary Guards
commander, went as far as to claim that the
IRGC had the world's second-largest cyber army
at its disposal. A 2008 report on the US website
defencetech.org suggested that the IRGC's
cyber warfare capacity placed it in the world's
top five. The report was a threat assessment
from a US perspective, but when it was
translated eight months later, the Iranian
authorities took it as a compliment and turned it
to their advantage for propaganda purposes.
Many of the old freelancers were co-opted into the
new "army", in some cases in return for having
past sins overlooked. While its links to
aggressive hacking are unconfirmed, the IRGC
does have a publicly-acknowledged defensive
arm. Set up in 2007, its existence was first
publicized the following year in a news item on
the arrest of managers of online porn sites. In
the wake of last year's election, it showed it had
political aims as well, announcing
the detention of members of two
internet networks. One of them,
Iranproxy, had distributed 86
million sets of free software
allowing users to create virtual
private networks and use proxy
sites to get round web blocking.
Together it was run by civil rights
activists who disseminated
information about political arrests
and detentions.
In addition to paid cyber warriors
and web monitors, the Iran regime
also has an ally in the shape of the
private IT firm Ashiyane Security
Group, which regularly makes the
headlines with coordinated cyber-
attacks. During the Israel incursion
into Gaza a few years ago, Ashiyane took down
500 websites in the country, including those
belonging to Mossad and the then defence
minister Ehud Barak. It claimed to have hacked
into 700 Israeli websites including the postal
services. At about the same time, Ashiyane also
attacked the website of NASA, the US space
agency, which it said had shown a lack of
respect for the late Ayatollah Ruhollah
Khomeini. It uploaded a picture of Khomeini to
the NASA site, with the inscription, "Our war is
an ideological war and knows no borders or
geography. As long as there is blasphemy and
apostasy, there will be battle, and where there is
battle, so are we."
When Sunni Arab hackers brought down the
Ahl al-Bayt site, a server that hosts most Shia
religious websites in Iran, including those of
leading ayatollahs, Ashiyane also responded in
kind, attacking five servers and defacing 300
websites in the Arab world. The talk on the web
is that Ashiyane was closely linked to the IRGC,
but no documentary evidence proving or
disproving this has yet come to light. The
group's head, Behrouz Kamaliyan, has also
indicated that it is not linked to the purported
cyber army. Kamaliyan, 28, started hacking at
the age of 16. Like many of his peers, he hacked
into government websites, but in his case it was
to persuade them they needed his help to
improve web security. He later went on to set
Ashiyane up as a legitimate business, officially
specialising in net security and unofficially, in
undermining Iran's enemies on the web. Then
his company designed and produced a firewall
system called Apadana, intended to protect
web-based information from hackers. He told
the Fars news agency that the system will allay
any concerns that confidential data could be
lifted from Iranian security, intelligence and
defence websites if they use firewall systems
designed abroad. Like President Ahmadinejad,
Kamaliyan was deeply hostile to Israel. He has
vowed to undermine that country's e-
government system, and believes that the Israeli
state has no right to exist and should therefore
be denied a virtual existence, in the shape of its
country domain name. Some analysts argue that
the might of the Iranian regime's cyber-allies is
overstated. While Ashiyane boasts of attacking
hundreds of websites at a time, other experts
say it does so without much effort, by
penetrating a single server where the sites are
hosted. Analysts interviewed for this report said
exaggerated reporting in the state-run media
had succeeded in persuading Iranians that the
IRGC was a power to be reckoned with in
cyberspace. Yet the extraordinary feats claimed
by these cyber-warriors were technically simple
and could have been done by a teenager with
no specialist training. A journalist whose own
blog fell victim to state filtering, believes there is
an element of PR in all the official talk about
cyber-warfare, adding that he thinks the main
aim is to cow dissidents who use the web to
express their views. As for the regime's ability to
protect its own sites from attack, the truth is
that the majority of servers and government
websites in Iran were as full of holes as Swiss
cheese, and until these holes were filled, it was
better not to annoy the mice.
The United States was under attack from an
unknown enemy. Legions of enterprising foes,
both foreign and domestic, are lurking in
cyberspace. They threatened to take down
defense networks and power grids, along with
our banking, transportation and
communications systems. President Barack
Obama called this escalating cyber threat . The
House Armed Services Committee asserts that
the Pentagon's computers are targeted at least
5,000 times every 24 hours. There is evidence
that other nations regularly infiltrate the
networks that control our country's critical
infrastructure, looking for leverage should they
ever want to use it. And let's not forget the
millions of Americans who have had their
identities stolen or their health records
intercepted by enterprising cyber thieves. Cyber
vulnerability is now a risk to our economy. A
recent report from the Center for Strategic and
International Studies (CSIS) outlines a serious
skills gap in the cyber security workforce. There
are about 1,000 security people in the U.S. who
have the specialized security skills to operate
effectively in cyberspace. It seems logical, then,
at a time when hundreds of thousands of
Americans are looking for work, that the need
for trained cyber security specialists is not just a
challenge but also an opportunity. One answer
lies in high quality cyber education. Not simply a
course or two; our nation too needs full-scale
degree and certificate programs designed to
produce "complete" professionals, armed with
the requisite knowledge to conquer a threat
that is more complex and volatile than any we
have ever faced. There is a critical demand for
programs with rigorous academic standards and
clearly articulated outcomes such as those
recently launched at the University of Maryland
University College (UMUC).
Hackers from India, Pakistan in all out war in cyberspace
While you were enjoying the Independence Day spirit and
probably flying kites, an all out war was on
between India and Pakistan. Fortunately, it was
not on the border but in cyberspace where
hackers from the two countries were engaged in
pitched battles to outdo each other. According
to hackers, more than a thousand websites were
hacked into and defaced on August 14 and 15
when Pakistan and India celebrated their
Independence respectively. The Day came as a
nightmare for some of the webmasters and website
owners from the two nations. Pakistani hackers
were first to strike on August 14 when they
defaced Indian websites. The Indian side
returned fire the following day. Indian cyber
army hackers did not sleep for 15 days to root
the server access. Hackers from both the nations
hacked the websites and posted flags of the
respective countries on the targeted websites.
Two Pakistani groups, Pak Cyber Army and
PakHaxors, started the attack. As per zone-h
data, these groups have defaced around 10-20
websites. The counter attack from the Indian
side was led by Indishell and Indian Cyber Army
who claim to have defaced 1,226 Pakistani
websites. Zone-h data confirms the figure is
more than 1,000 websites. In retaliation the
Pakistani hackers intensified the volume and
nature of the attack, resulting in the hacking of
the website of UB group chairman and Rajya
Sabha MP Vijay Mallya. The dates of historic
importance always see an increase in attacks.
The volume of attacks increases during
Independence Day and Republic Day, and now
hackers have started expressing their rage on
7/11 and 26/11 too. The Zone-h site, where hackers
post hacked website screenshots, shows more
than 1000 websites. ICA (Indishell) has planned
to hack Bangladesh and Pakistan's ten thousand
websites on 26/11 this year. Hackers make
merry at the cost of website owners. A number
of websites are hacked but most go unreported.
There will be many Indian and Pakistani groups
who are involved in this but the Indian side is
mainly represented by ICW (Indian cyber
warriors), ICA (Indian Cyber Army), HMG
(Hindu Militant Group) and Indishell. PCA
(Pakistan Cyber Army), Pakbugs and Pakhaxors
lead the Pakistani side.
With cyber criminals adopting newer ways of
attacking consumers and corporate via social
networking sites, security solutions need to
evolve from just providing anti-virus protection,
software maker Symantec has said. According
to a study, in 2009 Indian enterprises lost Rs 58
lakh and in 2010 they lost near about some
crores to cyber attacks. This is set to increase
further if companies do not take appropriate
measures to protect themselves from various
threats that lead to not just financial setbacks
but also loss of crucial data. Cyber criminals are
using various means such as social networking
and posting malicious links in instant
messengers (IMs) along with spam mails. With
the increasing popularity of social networking
sites, Symantec expects frauds against site users
to grow as well. In such crises China's cyber
warriors are the biggest challenge for India.
China posed a new set of challenges to India
with its growing capabilities in outer space and
its frenzied search for new resources. But an
equally potent and dangerous challenge is the
new threat of Chinese cyber-nationalism. China
has in recent times witnessed staggering growth
in cyber-nationalism, a new kind of nationalism
with immense and sometimes dangerous
power. This cyber-nationalism could be also
described as a part of China's psychological
warfare. It encapsulates the strategy of China's
Sun Tzu (722-481 BC) of defeating the enemy
without waging a war. China had 210 million
Internet users at the end of 2007 and its
online population became the world's largest
in 2008, and by this year it has increased in high
volumes. Along with these impressive figures, if
overseas netizen groups are also added, then
the enormity of China's global netizen
population and its potential impact is incredible.
At present, the Internet plays a key role in
promoting Chinese nationalism. This was
particularly discernible in the 2008 Tibetan
uprising and the Beijing Summer Olympic
Games in August. On both the occasions, the
power and scale of nationalistic responses of the
Chinese spread through Internet chat rooms,
mobile text messages and blogs was eye-
catching and unprecedented.
The power of cyber-nationalism is manifold. It
instantly links people all across the globe and
mobilizes them at a minimal cost. The immense
speed and maximized impact of cyber-
nationalism was glimpsed by the anti-CNN
website that was launched in response to the
alleged Western media bias on the news
coverage of the March Tibetan uprising. Almost
at blitzkrieg speed, the site became the leading
engine for Chinese cyber-nationalism in
appealing for all Chinese to boycott Western
commercial outlets and stage demonstrations.
Cyber-nationalism can also be lethal, as
nationalist messages can be amplified to
generate hatred between countries. During the
March Tibetan uprising, Chinese nationalism
assumed a significant anti-Western character.
The obscene and abrasive words used by the
netizens to give vent to nationalistic feelings
snowballed into a wave of hatred and united
most Chinese across the globe in a war of
words. The Olympic torch relay was thus
effectively portrayed as a war between "pro-
and anti-China forces". Further, the cyber-
nationalists are not only techno-savvy people
but also young and impressionable minds and
therefore amenable to influence. Thus, during
the Tibetan uprising, the Chinese government
could easily mobilize public opinion and churn
up historical memories and weave it into a
nationalist historiography and propaganda-style
literature. Moreover, in the case of China, where
netizens do not have the freedom of speech,
cyber-space often gives them virtual freedom.
Therefore, cyber-zealots often do not act at the
behest of the government. At times such
messages are liable to go out without the
government's control. Chinese cyber-
nationalism is a new challenge for India's
security and strategic interests. While India-
China relations have witnessed a period of
growing rapprochement, the issues of border
dispute and Tibet remain primary irritants.
Arguably, as both countries were victims of
imperialism, they uphold territorial integrity and
sovereignty as their supreme national interests.
Rooted in their competing territorial claims is
the fact that before their encounter with the
West both were civilizational states and not
political nation states with fixed boundaries. In
their quest for modernity, both India and China
approached the notions of territorial
nationhood from their respective definitions of
nationalism imbued with strong historical and
civilizational underpinnings. Therefore, there
exists a strong difference in perceptions
between the countries on the border issue and
the Tibetan question. Their differences in the
perception of the concepts of nation and
territoriality caused friction between the two in
the 1960s and led to the 1962 war. In the
contemporary period, this difference in
perception persists. Today, due to a revolution in
information technology and globalization, there
is a new contingent of Chinese cyber-warriors,
millions in number, spreading across the globe.
In the post-Olympic China, with its burgeoning
confidence, the power of cyber-nationalism is
likely to be immense. Chinese cyber-nationalism
could exert enough pressure to demoralize and
agonize the Indian psyche. That means without
a war, China could defeat India and recreate its
borders according to its strategic interests. The
challenge of Chinese cyber-nationalism is a new
security threat for India, which will need more
sophisticated ways of dealing with the "new
China."
The real threat to U.S. networks comes not
from sleeper software planted by state-
sponsored cyberspies, but from a combined
attack of atoms and bits, or from cyber-enabled
radical groups or criminals engaged in what's
more properly called "cyberterrorism."
We need to distinguish between cyberwar
and cyberterror, as well as cyber-espionage and
cybercrime--even while we unify our defense
against each of those looming problems. Why
China is far from our most dangerous potential
cyber adversary, and the danger of the American
military engaging in pre-emptive cyber attacks?
There is no legal status for cyber war. War is a
kinetic attack, an armed attack. That's the only
definition in any treaty. What we call
"cyberwar" is an area that's extremely
malleable right now.
Theoretically, you could discuss a virtual war
between nation states, but non-state actors like
radical groups and criminals are much more
likely to be a threat. Overall I advocate breaking
down the silos between our approach to
cybercrime aimed at financial institutions, cyber-
espionage, cyberwarfare and cyberterrorism. All
of these should be looked at in building an
overall cyber response strategy.
North Korea is a bigger threat. China is also
much more rational. You can deal with them.
North Korea is like a crazy person. You can't deal
with a lunatic with a bomb in his hands.
Similarly, it's much harder to deal with terrorist
groups and criminal organizations. They have
the money, and they have the motives, and
should be a serious concern, much more than
China. The recent China-based cyber attacks on
more than 30 Silicon Valley companies including
Google -- in which source code and user
information were targeted and stolen -- are the
beginning of a new stage in the evolution of
cyber warfare according to the mi2g
Intelligence Unit. The sophistication and scope
of the attacks has led security experts to
conclude that state sponsored actors were
behind them. Behind all the handshakes and
warm fuzzy feelings, we are in the midst of a
Cold Cyberwar, which straddles the trans-
national corporate sector, major governments,
defence industry players and global criminal
syndicates.
Top companies targeted digitally from within
China include a list of who's who. In parallel, a
few days ago a group calling itself the Iranian
Cyber Army brought down China's biggest
search engine: baidu.com. The China digital
attacks represent a turning point in cyber
conflict for a variety of reasons: the largest and
most sophisticated cyber attacks targeted at
specific corporations in many years; and
targeted and coordinated cyber attacks with the
most visible goals of controlling information
flows in- and out- of China and acquiring core
intellectual property and digital identities of
foreign competitor entities. Google has said
that as a result of the incidents:
The exploit code for a zero-day hole in
Microsoft's Internet Explorer (IE), which has
been linked to the attacks, was released on the
Internet last week. Microsoft is working on a
patch and has warned that IE 6, 7, and 8 on all
the modern versions of Windows, including
Windows 7, are affected by the vulnerability.
The German and French governments have just
responded by advising their agencies to halt use
of the IE browser and warning their citizens of
their continuing vulnerability when using IE. The
German authorities have, in effect, identified a
key weakness in the web of an excessively
concentrated and homogeneous use of the
Internet Explorer browser as a potential weak
link. This enables intruders to target penetration
and concentrate attacks. Hidden deeper in
Berlin and Paris leadership is growing awareness
that Beijing has been able to acquire critical
parts of source code not only of IE but much of
the underlying platform and proprietary
software. There is growing apprehension of an
economic "Pearl Harbour" for Western
intellectual property and digital identities in the
context of all information flows concentrated
within one proprietary software umbrella, just
like the extremely vulnerable US Navy anchored
together at Pearl Harbour in December, 1941.
For the moment, what the world sees is a
Google-China dispute, primarily about Chinese
successes in penetrating the Google-mail (G-
mail) cloud and using access to it to pursue
people whom it designates as threatening
political activists. This by itself is no small matter,
and has been amply debated on ATCA by
distinguished members. At the same time, the
G-mail cloud has become widely used
throughout the world as an overflow eMail
system. Even the US military web system has
been overburdened by quasi-official digital
traffic, with the result that G-mail has become a
major overflow system for private
communication amongst members of the
armed forces.
The potential of cyber warfare goes far beyond
infiltration into the communications systems of a
potential adversary. If we look back at the height
of the Cold War with the USSR, nuclear missile
technology and weaponry were focused on
physical destruction of the infrastructure of
adversaries, with psychological deterrence as one
objective but decimation of the functioning of the
economies of potential adversaries as an
alternative in the event conflict became
inevitable. Today, it is becoming increasingly
evident that cyber-attacks have the capability to
render modern economies severely dysfunctional.
Increasingly, the advanced economies of the
world have become dependent on the worldwide
web for managing banking and finance,
telecommunications, energy flows and power
grids, transportation and delivery systems,
industrial processes and inventory management,
emergency services, remote diagnostic medical
assistance, and so on.
An economic Pearl Harbour is no longer just a
hypothetical but a low probability high impact
outcome. Bear in mind that this type of
unanticipated attack can be carried out by
proxies or mercenaries with the assistance of
first rate cyber warfare groups in China.
Eleven years after the mi2g initial forecast,
and 14 years after we began to do research into
the vulnerability of the fragile digital
environment, the world has arrived at another
predicted precipice brought to the global
consciousness via the unfolding China-Google
impasse. In January 1999, after three years of
research and development, the mi2g
Intelligence Unit published an internal
memorandum titled, "Cyber Warfare: The
Threat to Government, Business and Financial
Markets." In the internal memorandum,
released in the public domain post the NATO-
Serbia first cyber war in April 1999, it was
stated, "Historically war has been classified as
physical attacks with bombs & bullets between
nation states. It was beyond the means of an
individual to wage war. Today, in the Information
Age, the launch pad for war is no longer a runway
but a computer. The attacker is no longer a pilot or
soldier but a civilian Hacker. An individual with
relatively simple computer capability can do
things via the internet that can impact economic
infrastructures, social utilities and national
security. This is the problem we face in moving
from the industrial world to the Information
Age, which is the essence of Cyber War."
In the Estonia-Russia Cyber War in May 2007,
which the mi2g Intelligence Unit followed
closely, there was a significant degradation to
the Estonian digital eco-system and
infrastructure for a protracted period of nearly
one month. During this period of cyber war, the
native defence forces, government
departments, businesses and individuals all
suffered over and beyond their imagination by
way of expectations for digital services'
reliability, availability and sustainability. The
digital attackers used a giant network of bots
(enslaved computers) -- perhaps as many as one
million slave computers in places as far away as
North America and the Far East -- to amplify the
impact of their assault. In a sign of their financial
resources, there is evidence that they rented
time from trans-national criminal syndicates on
Botnets.
The combination of very, very large packets of
information streams -- generated by tens of
thousands of machines -- provides the
mechanism for very damaging Distributed
Denial-of-Service (DDoS) attacks. On several
occasions during that conflict, traffic spiked to
thousands of times the normal flow. This forced
Estonia's biggest bank to shut down its online
service for more than an hour. On subsequent
days, the bank, HansaBanka, remained under
assault and continued to block access to 300
suspect Internet addresses. Finally, on 10th May
that year, it would appear that the attackers'
time on the rented servers expired, and the
botnet attacks fell off abruptly.
In November 2002, almost five years before
the debilitating Estonia cyber attacks, the
mi2g Intelligence Unit released a public
briefing titled "Government backed
counter-attack-forces necessary in future," which
stated, "As the damage done by radical,
criminal and intellectually motivated hackers
continues to rise, about six Billion Dollars of
economic value was destroyed worldwide by
overt and covert digital attacks including
viruses and worms in October alone. As a
result, the mi2g Intelligence Unit predicts
there will be a growing requirement for
Governments to intervene and to mobilise
counter-attack-forces that protect economic
targets and critical national infrastructure
constituents on a 24/7 basis." The 2002 mi2g
Intelligence Unit briefing continued:
"Historically, politicians in civilised Western
democracies have challenged their defence
forces to provide adequate defence capability
within limited resources. The focus has been
on the four physical dimensions - land, sea, air
and outer space - and not on the new 5th
Dimension, which is cyberspace. There is no
real digital defence capability deployed so far
-- other than occasional simulations and
exercises which are to uncover gaps in the
national critical infrastructure's digital
defences. The redressal lies primarily in
developing counter-attack-forces, which
would begin to arrest the imbalance of power
between ill-motivated hackers on the one
hand and little-prepared businesses on the
other. It is unrealistic to expect that any
defence department can provide
'counter-attack-forces' against digital attacks for an
entire nation's economic targets immediately
and, in any case, the expertise needed is
relatively fast moving and cannot be 'trained'
into would be combatants in a short period of
time.
The Pandora's box of full scale cyber war is
open now and the world is far more
dependent on digital networks than it was
eleven years ago, when the mi2g Internal
Memorandum was placed in the public
domain in the wake of the NATO-Serbia cyber
war. Where are the solutions? Going back to
the mi2g Intelligence Briefing from November
2002, governments and large businesses are
still in need of following the recommendations
made nearly eight years ago: In the future,
when seeking to protect the critical
infrastructure constituents and business
digital systems at a national level, the
economically prudent way forward would be
to combine knowledge management,
analysis and counter-attack tools with
on-the-ground human intelligence sources.
Surveillance and reconnaissance dashboards
of digital systems would need to be managed
by experienced counter-attack-forces on a
24/7 basis. mi2g believes that this war... can
be won decisively and effectively. As in all
wars, our collective national defences must
excel in enemy aggression. Mobilisation of
resources including new investment will
become necessary on interoperable
distributed knowledge management and
analysis systems, which allow data to be
shared easily from and between different
sources and agencies collecting intelligence.
Also, investment in more local human
intelligence across the globe will be essential.
The expertise of the very few available people
who are proficient in the technologies of the
5th dimension would need to be utilised to
train the counter-attack-forces through the
establishment of national centre(s) of
excellence for digital defence. Nothing
significant can be achieved without this
cohesive sharing capability being made
available to the future counter-attack-forces,
who would be able to ensure reliability,
availability, maintainability and scalability of
business systems in the event of protracted
hacker attacks. We must ultimately hope that
the pace of dissemination of real time
information throughout the world will
outpace the determination of a few
governments and their proxies to disrupt our
freedom and way of life.
02
Hacking-the new battling lingo
Dealing with sites that promote violence, sex, cruelty and
extreme groups like al-Qaeda on the Internet is a concern for
governments around the world, in the absence of universal
legislation that clearly defines ways of dealing with sites that violate
the laws. Pakistan has thousands of such websites online which not
only inspire youth against violence who fall prey to attractive
incentives. Every day hundreds of Indian websites are hacked by
Pakistani hackers and the so-called cyber war has given a jolt to crucial
database of government. There are many business houses and corporate
sectors unaware of this threat and the fact that someone has
penetrated into their machine. There is always a hidden threat from
neighbouring country. Nowadays even China is doing the same and
they are fully equipped with their cyber army to attack Indian
domains. Unfortunately, if some neighbour country hacks our
website and steals our intellectual property then it is not considered
as a crime in our country. But, if Indian patriotic hackers or for that
matter any hacker teaches them same lesson by hacking their
websites, then they are prosecuted under stringent laws. Crippled
judiciary and inefficient police have always failed to stop online
crime. When this is the case, then why should hacker groups in India
such as 'Indian cyber soldiers' not be allowed to deface such sites
and prevent terror, violence and crime?
The issue of the promotion of violence and terrorism on the
Internet has always garnered the attention of security services, but
interest in it has increased dramatically since a failed plot to blow
up a commercial US airliner in December 2006 at the hands of
young Nigerian Umar Farooq, who was influenced by Anwar
Awlaki, the Yemeni-American activist who is currently hiding in
Yemen from where he promotes al-Qaeda in his online sermons.
Recently, the Secretary-General of International Police (Interpol),
Ronald K. Noble, hinted at the difficulty that security services
encounter in tackling this type of site on the Internet; the number
of extremist websites rose from just 12 sites in 1998 to 14500 sites
in 2010. The jihadis use internet discussion forums focused on
Arabic-language forums since they are the principal platform
promoting the ideology of al-Qaeda. This is
attributed to the organisation not having an
official site speaking for it, relying instead on
sites that promote and publish its statements
and the statements of its branches around the
world. Some of the most prominent forums
that promote al-Qaeda (topped by the
al-Fallujah and Shumoukh al-Islam forums) and the
number of participants, noting that there are
two different trends of sites adherent to
al-Qaeda, the first is the traditionalists' trend,
which includes participants in the forums of
those who follow the ideology expressed by
al-Qaeda leaders such as Osama Bin Laden and Dr.
Ayman al-Zawahiri. These appear to be mostly
people eager to participate in what they see as
an act of "jihad" without actually learning
about differing views that could enable them to
change their convictions, or at least re-consider
them.
There are now about 15,600 Web sites
spreading al Qaeda's ideology worldwide, and
1000 more are appearing each year. These kinds
of websites are a challenge to Information
Technology and National Security and it is
difficult to track most of the sites as these
hardcore al Qaeda sites often change addresses
to avoid detection or start up again elsewhere
once infiltrated.
'One member wrote of suicide missions: If
you can blow dozens of people up at the same
time, great, absolutely great.
In another vile message a member praised a
beheading video of British hostage Ken Bigley. It
said: I like the beheading videos of the prisoners
of war especially the Daniel Pearl and Ken Bigley
one.
But the Department for Communities and
Local Government agreed to fund the group's
film on problems faced by UK Muslims. We can't
prevent violent extremism if we aren't prepared
to talk about the issues. Pakistan is no stranger
to state-sanctioned censorship. Since the
1950s, successive governments, both military
and civilian, have taken pains to ensure that the
media has been scrutinised, censored and
harassed.'
Even as the twenty-first century has dawned
upon Pakistan, the cycle continues. In 2009, the
Pakistan government removed videos, of a
Pakistan Army officer allegedly beating a Swat
resident, from YouTube. Later on, videos of
President Zardari saying "shut up" to a supporter
at a public gathering were erased off YouTube. In
2009, following a petition in the courts, the
Lahore High Court slapped a ban on Facebook,
which was later lifted. Even
www.thepersecution.org, which documents
crimes committed against the Ahmadi sect, is
routinely banned by the Pakistan
Telecommunications Authority (PTA). Which
makes it all the more surprising that with
such stringent control over the media and the
internet, the Pakistan government has so far
turned a blind eye to the abundance of religious
hate material that is floating around and readily
available on the internet.
Ansar Al Jihad Network's website is another
popular jihadi website that is accessible in
Pakistan. The forum has been closed for
membership, but features videos, press releases
and discussion about the war in Afghanistan
and Pakistan. While one could not see the
discussion on the forums, it is astounding to see
the sheer number of videos that have been
produced by the As-Sahab Foundation for
Islamic Media Publication, Al-Qaeda's media
cell, featuring members of the Taliban that have
been killed, or messages from current Taliban
leaders fighting in Afghanistan and
Pakistan. Majahden2.org has archival footage of
As-Sahab productions, with multiple links to
download, for example Ayman-Al-Zawahiri
videos. And if you can't find what you're looking
for, one can even ask a mujahedeen. The
conditioning of young minds towards violence
has rampaged.
In a telephonic interview, PTA spokesman
Khurram Mehran said that it is not the PTA that
decides which websites are to be blocked, but
rather the decision is made by a committee set
up by the Ministry of IT and Telecom.
According to the Secretary for the Ministry of
IT and Telecom, there is a mechanism in place for
blocking such websites that is enforced by the
committee. The members include
representatives from the Interior Ministry,
Ministry of Religious Affairs, and intelligence
and law enforcement agencies. "Whenever we
get reports about something that is anti-state or
anti-Islam, we ask PTA to block the URL."
The committee's secretary Mudassir Hussain
has this to say about the committee, which has
been operational since 2006, "We have a
standing order that any organisation that has
been proscribed, their websites will be blocked.
Regarding jihadi websites, either the agencies
refer them to us or we have our own mechanism
to find out about them, the Interior Ministry
deliberates over the content and then we ask
PTA accordingly to block it." Hussain says that
organisations' websites that have been
proscribed by Pakistani law or international law
have been blocked.
The irony is that no such website is banned
except a few by FBA. That these websites are
accessible in Pakistan is of grave concern. Multiple
terror attacks have wreaked havoc all over the
country, and websites such as the ones
mentioned above are not helping the security
situation. It's a problem of legality and
understanding how active the religious ministry
is. The religious ministry has to give information to
the Information Ministry about them. Religion is
such a sensitive issue so it's not clear when they're
about religion and when they've crossed over into
extremism. There is also the question of freedom
of expression and religious schools of thought.
Where do you draw the line between
constitutional rights and religious freedom?
While freedom of expression is a fundamental
right and there may only be a small percentage of
the population that is accessing these websites,
there is a genuine fear among many that such
websites could be used to indoctrinate the
confused amongst the younger generation, who
have access to the internet and are looking for a
way to join a cause that may seem to be the right
way. While a military operation continues in the
tribal areas of the country and thousands have
died in terror attacks and have been displaced due
to the war, it is time for the government to
redouble their efforts to block websites that are
propagating hatred against religious sects and
inciting violence against the people of Pakistan.
Ban Jihadi websites in Pakistan; several jihadi
organizations are once again at the forefront of
flood relief efforts and this is how they gain
sympathy of the poor Muslims across the country.
Another video from the Muslim world adds
more evidence that Islamic violence and jihad are
not some fringe element. Neither interspersed
with readings from the Quran and featured on
Muslim blogs and boards, nor is it some non-existent
extremist or radical version of Islam. It's
the next generation of Mujahedeen who are
expected to fight and kill infidels to establish
global Islamic rule. US lawmakers lamented their
inability to shutter Internet websites set up by
violent Islamist groups such as Al-Qaeda that aim
to inspire, recruit and train would-be extremists. I
don't know how much money YouTube makes,
how much its executives make, but they are
endangering people throughout America for
their own profit.
Bureaucratic wrangling and free speech
advocates were the main obstacles to giving the
US government legal tools to eliminate the sites.
Sherman lashed out during the hearing at
popular video-sharing website YouTube for
allowing Yemen-based Al-Qaeda in the Arabian
Peninsula (AQAP) to post videos with English
subtitles that promote a "jihadist ideology"
from its own channel.
There was no concerted government effort to shut
down jihadist websites because there was no
legal avenue that allows it. The best way to take
them down is to go through blacklists
maintained by the US Treasury and State
Department for terrorist organizations, adding
the approach would be difficult as authorities
would have to verify the websites were
maintained by those designated
groups. There's always a challenge
between drawing the line between
merely informative speech and speech
that facilitates a crime with the intent
of doing so. The rise of extremist
groups employing online media to
attract followers and give tips on how
to pursue jihad against targets was
highlighted this year with the launch
of an English-language Al-Qaeda
magazine from AQAP -- removing the
language barrier for non-Arabic
speakers to the group's ideology. The
first edition of "Inspire" magazine in
June ran articles such as one entitled
"Make a Bomb in the Kitchen of Your
Mom" and featured sleek pictures of
Al-Qaeda leaders accompanied by
sophisticated graphics.
Pete Hoekstra, the top Republican
on the House Intelligence Committee,
said upon the magazine's launch that AQAP's
effort was "unfortunately well done," and
proof "Al-Qaeda and its affiliates have launched
a direct appeal for Americans to launch
small-scale attacks here at home."
The only avenue for pursuing extremists online
was to pressure the Internet service that hosts
their websites, and hope they voluntarily remove
them. A Pennsylvania-based Web hosting service
in July shut down a website used by some 70,000
bloggers after US law enforcement officials
pointed out Al-Qaeda material on its platform.
There are lots of such extreme group Hindu sites,
Christian sites and Khalsa sites openly booked on
Indian domains too. The laws are stringent but
execution is quite lethargic. Most of the time the
cyber cell cannot define online crime due to lack
of upgradation in their knowledge. But it urged
that Internet users' free speech and privacy rights
be maintained. Not only is censorship inconsistent
with Indian values, it also is counterproductive to
preventing extremist violence. There are critical
constitutional limits even when it comes to
fighting the so-called 'War on terror' online.
Should those hackers who in response to a
hack hack their website with the only intention
to safeguard the nation's pride? If they do so,
will they be prosecuted?
03
In today's world
India stands nowhere in terms of counter offensive against the
attacker's networks, and online crime is on the rise. Hackers are next
gen online terrors. The government should employ hackers to do
network penetration testing regularly to check whether networks
and applications are vulnerable to the latest exploits or not. The
hackers deface websites or download sensitive information (credit
cards, databases) from vulnerable websites and put their own page
in place of the index page of the victim. Though Indian hackers say cyber
laws in the country are good, they also believe that awareness and
preparedness of the Indian government to face and fight cyber crime
and cyber terrorism is quite low. The problem is that police officials
who are supposed to enforce the cyber laws have not been trained
properly. Look at engineering colleges across the country. There are
no courses on computer security. This is the primary reason for lack of
experts in the country. Recently I interviewed Mumbai cyber crime
expert Vijay Mukhi; unfortunately he was not aware of Indian
hackers; he believes hackers are only from Pakistan. We need to
make our cyber systems as secure and as non-porous as possible. At
the same time we need to focus on Indian hackers too. There are
many websites nowadays that teach how to hack a Facebook
account password. 40 percent of Indian youth and qualified IT
professionals have got into these traits. Unemployed and adventurous
youth are involved in such activities and, due to over-enthusiasm, they
land up doing wrong by sabotaging our own country's online security
system.
The hacking group in question is likely to choose web servers based
on a particular server operating system, as seen in over 95% of all
their previous exploits dating back to 2006. 'Mass defacers' usually
target blocks of Internet addresses to find vulnerable systems and
then proceed to exploit the vulnerabilities, in this case with
defacements. Such attackers are purely opportunistic, and tend to
target operating systems or web servers that they are technically
well-versed with or use attack tools to assist them in their exploits.
Whilst this hacker group defaced four websites in the UAE around
the same time, it is interesting to note that there have been over 30
publicly known defacements of websites in the UAE since the start of
the year. Such attacks against organisations anywhere in the world -
regardless of whether they are painted under the veil of hacktivism,
extortion or political activism - are, at the end of the day, just cyber
crimes perpetrated by cyber criminals. Globally, organisations can do
little to control or mitigate an attacker's motivations; in depth
security assessments, testing and sound security
practices, and an increased 24x7 security
vigilance are the essential prerequisites to
thwarting these and other similar attacks in
future. Although there is a lot of speculation on
various forums, etc. about this incident, people
should not read more into this incident other
than it was simply an opportunistic attack. It in
no way indicates state sponsored cyber attacks
of any kind, and more interestingly the vast
majority of this hacker group's previous website
defacements targeted countries as far and wide
as Brazil, Norway, China, the US and other
countries, all with defacement messages stating
their affection for Iran and Azerbaijan. The
global need for improved, more stringent web
application security design, and effective patch
management are vital to the continued
uninterrupted delivery of services by
Internet-facing organisations in the era of Web 2.0 and
the ever evolving risks that organisations will
continue to face. India has to step up on its
cyber offensive to match Chinese and Pakistani
hackers breaching the Indian cyber networks,
the man who made his name as India's youngest
and first certified ethical hacker. The Indian
intelligence and military agencies regularly use
Indian hackers to carry out counter offensives.
However, the quantum of such work being
carried out here is a lot less than it is in countries
such as China and Pakistan. A few Canadian
and American cyber-security researchers had
claimed that China-based online espionage
gangs have accessed classified documents from
several Indian defense and security
establishments.
In today's world of ubiquitous
computing, cyber attacks are becoming
more virulent, costly, and larger in scope than
ever before. Unlike previous incarnations of
hacking, current attacks on computer systems
are professionally coordinated, multifaceted,
and motivated by the prospect of profits on a
massive scale. By describing a number of
hacking trends, Kurt identifies areas of
weakness in mobile and embedded systems and
advises designers on how to minimize these
security risks. With millions of new electronics
devices connecting to the Internet every day,
hackers are increasingly focusing on a new type
of target: mobile and embedded systems. Such
systems include point-of-sale terminals, Wireless
routers, smart phones, networked office
machines such as printers, and the utility
infrastructure. Cutting-edge hackers are acutely
aware that many of the security procedures and
applications in use today are designed for PC
workstations and thus unable to thwart attacks
on mobile and embedded systems. For example,
smart phones remain notoriously insecure, yet
they are gaining popularity as platforms for
exchanging confidential data and conducting
financial transactions. Billions of dollars are at
risk as people complete more and more of their
everyday banking and shopping on mobile and
wireless devices. Even pacemakers have joined
the networked world and are now vulnerable to
hacking. Perhaps most ominous of the new
hacking trends is the upsurge in cyber attacks
against the utility infrastructure. If hackers
continue to attack the smart grid, which
connects sensors and control systems with
sophisticated computers and networks, they
could bring commerce to a standstill, endanger
lives, and put national security at risk. Since the
early 1990s, hackers have developed a rapidly
mutating and increasingly clever repertoire of
attack strategies. They have embedded rogue
programs in legitimate applications, installed
keystroke recorders on unwitting users'
computers, spoofed websites to phish for
personal data, hijacked database information
through SQL injection attacks, and enlisted
massive armies of zombie computers (botnets)
to spew out phishing e-mails and spam. Today,
all classes of cyber crooks, from small-time con
artists out to make a quick buck to international
crime syndicates, are logging into the global
marketplace to buy and sell malware kits, stolen
credit card numbers, how-to-hack manuals, and
criminalized software development services.
This shadow economy was worth more than
$750 million in 2007 (according to Symantec),
while online fraud cost businesses and
individuals more than $10 billion last year alone.
Now, with the advent of what some
technologists call the Internet of things, we
are encountering a new wave of hacking, one
that encompasses not only wired computers
and networks, but also intelligent devices
including smart phones, routers and switches,
printers, smart grid components, Supervisory
Control and Data Acquisition (SCADA) systems,
and even medical devices (see Figure 1). This
new type of infiltration is poised to bypass the
amateur street-cred phase and move directly to
well-honed, massively coordinated,
sophisticated attacks. It is becoming clear that
hacking's latest surge will almost certainly
include terrorist cyber strikes against the smart
grid, which is a danger that can no longer be
dismissed as a spy movie scenario. The following
discussion will provide an overview of recent
hacking trends and explain what measures can
be taken to protect embedded devices from
these attacks.
Trend #1: Hackers are targeting soft infrastructure
Because security for
personal computers is improving, hackers are
increasingly looking for
softer targets. In their sights are the millions
of industrial control and coordination devices
that can be programmed like computers. These
SCADA devices have finally become numerous
and networked enough to make it profitable for
hackers to attack. By targeting a city's
infrastructure, hackers can gain political
notoriety, intimidate the public, and extort large
amounts of money from businesses or
governments. At a conference in January 2008,
a senior CIA analyst shocked his audience by
revealing that cyber extortionists in another
country had caused a power outage affecting
multiple cities. SCADA devices are key players in
the smart grid, the network of sensors and
computerized systems that makes up the utility
infrastructure in the United States. These
devices monitor and control power generators,
refineries, water treatment facilities, oil
pipelines, and electrical power systems. They
also comprise an essential component of the
nation's industrial, technology, and
communications infrastructure, controlling
building security, manufacturing plants, airport
traffic, and military vessels. The more SCADA
devices that come online, the more the nation's
health, economy, and security become
vulnerable to cyber attacks.
Installed SCADA devices are sometimes decades
old and operate with legacy computer
hardware. They tend to be configured with
off-the-shelf networking software and have weak
internal security protections. Although
industrial facilities are guarded by a hard shell on
the outside with locks, gates, and security
personnel, they contain a soft center -- their
computerized control systems -- an easily
penetrable core exposed to the outside world
through the Internet. One of the problems with
assessing the prevalence of SCADA attacks is
that they are rarely reported in any detail for fear
of encouraging further attacks and
compromising national security. Companies and
governments understandably do not want any
information about SCADA breaches to fall into
the wrong hands, so they fail to share
information freely. Furthermore, attacks against
SCADA devices are being carried out by enemy
nations as part of a greater cyber warfare
strategy to sabotage the U.S. economy and
infrastructure. In the United Kingdom,
government agencies report that attacks
against infrastructure targets have increased
dramatically. In June 2008, the United
Kingdom's National Infrastructure Security
Co-ordination Centre issued a public advisory about
a series of targeted attacks against the U.K.
central government and commercial
organizations for the purpose of gathering and
transmitting otherwise privileged information.
Long-predicted threats to mobile phones are being carried out
Researchers are predicting
that 2009 will be a significant year for mobile
attacks. With the rise of unlimited data plans,
open networks, and readily downloadable
applications, hackers, spammers, and phishers
are beginning to recognize the profit potential
of mobile phones. Adding to the allure of mobile
hacking for cybercriminals are the fraud
opportunities presented by the burgeoning
mobile financial services market. The number of
active users of mobile banking and related
financial services worldwide is expected to rise
from 20 million in 2008 to 913 million in 2014.
The latest mobile phones are the most
vulnerable to attack. Smart phones such as
Apple's iPhone and Google's Android come with
browsers run by JavaScript engines, exposing
them to traditional browser attacks including
cross-site scripting, clickjacking, phishing, and
other malicious techniques. These phones are
also susceptible to man-in-the-middle attacks,
in which a hacker comes between the phone
and a Web server and offers malware in the
guise of a legitimate update to one of the user's
trusted applications. Other vectors for smart
phone attacks include e-mail, attachments,
Web pages, multimedia messaging service,
Facebook, Wi-Fi, Bluetooth, and Twitter. As the
iPhone and other smart phones continue to gain
market share at a rapid rate, hackers will
increasingly focus their efforts on mobile
devices. However, it is doubtful that this new
wave of infiltration will go through an extended
phase of nuisance hacking, as was the case with
PCs, instead skipping straight to for-profit
hacking. According to researchers, the latest of
the 420 smart phone viruses identified since
2004 have reached a state of sophistication that
took personal computer viruses about two
decades to achieve. Several features of smart
phones make them particularly tempting
targets. For one, mobile users tend to be less
guarded than computer users about clicking on
links, enabling SMS phishers (SMishers) to
gain information or send malware via a link in a
legitimate-looking text message. In addition,
mobile phones are a treasure trove of personal
information such as phone numbers and
addresses, which criminals can extract and sell in
the ID fraud marketplace. And, to make things
even easier for cyber crooks, location-enabled
smart phones let spammers personalize
malware, prompting users to click on
information about a disaster that supposedly
occurred in their area, for example. [4] The most
worrisome trend in mobile hacking is the
specter of the mobile botnet, that infamous
army of zombified computers programmed to
follow a hacker's bidding. In the words of one
expert, "No one should be surprised if we see
the first major migration of botnets from
traditional computing devices to mobile
platforms." Some smart phones already have
more memory and higher processing power
than laptops from just a few years ago. A
constantly moving and adapting mobile botnet
presents a compelling business proposition for
hackers and an interesting real-world case study
in chaos theory.
The rush to network medical devices is outpacing security
Another concerning attack
trend is the growing offensive against medical
devices. Several types of medical devices such as
pacemakers, Implantable Cardioverter-Defibrillators
(ICDs), bedside monitors, MRI
machines, and portable drug-delivery pumps
have a CPU and an IP address that enable them
to transmit and receive information, as well as
expose them to attacks. Medical devices, which
far outnumber hospital PC workstations, are
usually the softest targets in a hospital network,
lacking firewalls, malware protection, strong
encryption, or even recent security patches or
Operating System (OS) updates. Medical devices
are increasingly leveraging IP and common OS
platforms that enable them to utilize large
software libraries and communicate more easily.
But in the rush to establish common platforms
and network these devices, security concerns
have been poorly addressed. Many of the
methods hackers have used to attack consumer
electronics and other sectors are now being
targeted at medical devices, with potentially
fatal consequences. Attacks directed at medical
devices include:
Sni f f i ng ( also called snoopi ng) or
eavesdropping. Theft of sensitive information.
Data destruction. Zombification. A zombie is
a device attached to the Internet that has been
compromised by a hacker, virus, or Troj an horse
and can be used remotely without the owners
knowledge to perform malicious tasks.
Bricking. This usually involves damage to
software or firmware that would require a
complete system wipe and rei nstallation to
regain use of the device. In the case of medical
devices, this could entail sending the product
back to the manufacturer. In a paper published
last year by the M edical Device Security Center
about pacemakers and ICDs, researchers
described how they were able to hack into an
ICD and intercept private data transmissions.
They revealed that ICDs could be hacked to alter
pati ent data or reset how shock s are
administered. Besides these vulnerabilities, the
medical industry might face additional cyber
security threats as things heat up on the health
care compl i ance f ront . T he O bama
administration is pushing for online electronic
medical records, which could increase the risk of
data breaches and provide motivation for
hackers to gain access for profit despite
regulations that expand the security and privacy
provisions stipulated by the Health Information
Portability and Accountability Act.
Easily hacked RFID technology is opening doors to identity theft
One of the most common attacks on wireless networks is war driving, in
which hackers drive around a neighborhood, hunting for unsecured
wireless nodes. In the latest twist on war driving, a security expert
armed with a cheap RFID scanner and low-profile antenna managed to
clone half a dozen electronic passports in an hour while cruising
around Fisherman's Wharf in San Francisco. The researcher who conducted
this experiment asserts that the attempt at war cloning was successful
because the type of RFID in the Homeland Security version of a passport
emits a real radio signal, which could conceivably be tracked from a
couple of miles away. Although no criminal hacks of passports or
e-licenses have been detected to date, this insecure technology poses a
strong risk for identity theft and invasion of privacy. In another type
of RFID attack, anyone with $8 worth of equipment bought on eBay can
sniff the credit card number, cardholder name, and other personal
information off an RFID-equipped credit card without physically coming
into contact with the card. The problem with these contactless credit
cards is that the data is decrypted at the point of sale by a machine
rather than at the card company's secure data center.
Everyday devices are providing a gateway to home and office networks
In today's hyper-networked corporate environment, more and more office
machines are equipped with an IP address, which means that even a
seemingly harmless and mundane peripheral such as a shared printer can
pose a dangerous security risk. Hackers are exploiting long-forgotten
or ignored printers, fax machines, and scanners to bypass firewalls and
penetrate a network. If an amateur hacker can gain access to an
unsecured printer using Google and a Web browser, imagine what a
professional hacker could do with access to a fax machine and an
outside phone line. No matter how ordinary it is, every device in a
network needs robust security.
Getting a home network up and running is complicated. Most are set up
by homeowners that have little to no computer experience. While they
may think they have enabled the Wi-Fi security features correctly, the
complexity of many home networks guarantees that the systems are not
adequately secure, leaving the door open for outsiders to access their
information.
Boosting device security
Although these trends paint a bleak picture, all is not lost in the
fight to secure mobile and embedded devices. Industry efforts are under
way to establish security recommendations. The National Institute of
Standards and Technologies, the National Security Agency, and the
Trusted Computing Group are a few of the organizations that are working
to keep embedded electronics safe.
Many companies offer products that developers can use to ensure that
their products are protected. For example, Mocana's Device Security
Framework secures all aspects of device data access and communications
for any connected device. Figure 2 shows a block diagram of the
software architecture.
The best defense
The latest attack trends threaten our privacy, data, money, national
security, and even our lives. When the possibility of hackers
controlling patients' pacemakers is a topic of serious research, it's
apparent that we're in a new world, one that holds the great promise of
connectivity and ubiquitous computing, but also the potential for
misconduct and disruption on a grand scale. To defend against the new
wave of attacks, we need a strategy that is equal to the adversary:
multilayered, complex, well-organized, and focused on the mobile and
embedded devices that make up the Internet of things. The alternative
to protecting these devices (mobile botnets, compromised water systems,
out-of-sync pacemakers, and stolen identities) presents an unacceptably
high risk.
Chapter 04
Hackers and Social Engineering
Social Engineering is the biggest factor or sometimes a threat to a
hacker. Without the skill of social engineering hackers are crippled.
Earlier I did not know what this term meant. When I started the project
Unite Hackers, many ethical hackers volunteered and joined my project.
Through them, all the hidden identities and faces started approaching
in and automatically their identities were revealed to me. Then onwards
I started facing big challenges that came on my way. Earlier the
hackers used to get scared of me and used to say that if somebody does
social engineering with me then I would vomit out everything about
them. In each and every meeting this social engineering term came my
way and I wondered how this term is related to hackers.
Most of the articles I've read on the topic of social engineering begin
with some sort of definition like "the art and science of getting
people to comply to your wishes", "an outside hacker's use of
psychological tricks on legitimate users of a computer system, in order
to obtain information he needs to gain access to the system" (Palumbo),
or "getting needed information (for example, a password) from a person
rather than breaking into a system" (Berg). In reality, social
engineering can be any and all of these things, depending upon where
you sit. One thing that everyone seems to agree upon is that social
engineering is generally a hacker's clever manipulation of the natural
human tendency to trust. The hacker's goal is to obtain information
that will allow him/her to gain unauthorized access to a valued system
and the information that resides on that system. Security is all about
trust. Trust in protection and authenticity. Generally agreed upon as
the weakest link in the security chain, the natural human willingness
to accept someone at his or her word leaves many of us vulnerable to
attack. Many experienced security experts emphasize this fact. No
matter how many articles are published about network holes, patches,
and firewalls, we can only reduce the threat to an extent but then it's
up again.
Social engineering is nothing but making people believe what you have
said or expressed and trapping them. Now let us come to the criminal
side of social engineering. The most prevalent type of social
engineering attack is conducted by phone. A hacker will call up and
imitate someone in a position of authority or relevance and gradually
pull information out of the user. Help desks are particularly prone to
this type of attack. Hackers are able to pretend they are calling from
inside the corporation by playing tricks on the PBX or the company
operator, so caller-ID is not always the best defense. Here's a classic
PBX trick, care of the Computer Security Institute: 'Hi, I'm your so
and so rep', and here's an even better one: They'll call you in the
middle of the night: 'Have you been calling so and so place for the
last six hours?' 'No.' And they'll say, 'well, we have a call that's
actually active right now, it's on your calling card and it's so and so
place and as a matter of fact, you've got about 9,000 Rupees worth of
charges from somebody using your card. You're responsible for the 9,000
Rupees and hence you have to pay that...' They'll say, 'I'm putting my
job on the line by getting rid of this 9,000 charge for you. But you
need to read off that SIM card number and PIN and then I'll get rid of
the charge for you.' People fall for it. (Computer Security Institute).
Help desks are particularly vulnerable because they are in place
specifically to help, a fact that may be exploited by people who are
trying to gain illicit information. Help desk employees are trained to
be friendly and give out information, so this is a gold mine for social
engineering. Most help desk employees are minimally educated in the
area of security and get paid peanuts, so they tend to just answer
questions and go on to the next phone call. This can create a huge
security hole. The facilitator of a live Computer Security Institute
demonstration neatly illustrated the vulnerability of help desks when
he dialed up a phone company, got transferred around, and reached the
help desk. 'Who's the supervisor on duty tonight?' 'Oh, it's XYZ.' 'Let
me talk to XYZ.' [He's transferred.] 'Hi XYZ, having a bad day?' 'No,
why?' ... 'Your systems are down.' She said, 'my systems aren't down,
we're running fine.' He said, 'you better sign off.' She signed off. He
said, 'now sign on again.' She signed on again. He said, 'we didn't
even show a blip, we show no change.' He said, 'sign off again.' She
did. 'XYZ, I'm going to have to sign on as you here to figure out
what's happening with your ID. Let me have your user ID and password.'
So this senior supervisor at the Help Desk tells him her user ID and
password. Brilliant.
A variation on the phone theme is the pay phone or ATM. Hackers really
do shoulder surf and obtain credit card numbers and PINs this way.
People always stand around phone booths at airports, so this is a place
to be extra cautious.
The basic goals of social engineering are the same as hacking in
general: to gain unauthorized access to systems or information in order
to commit fraud, network intrusion, industrial espionage, identity
theft, or simply to disrupt the system or network. Typical targets
include telephone companies and answering services, big-name
corporations and financial institutions, military and government
agencies, and hospitals. The Internet boom had its share of industrial
engineering attacks in start-ups as well, but attacks generally focus
on larger entities.
Finding good, real-life examples of social engineering attacks is
difficult. Target organizations either do not want to admit that they
have been victimized (after all, to admit a fundamental security breach
is not only embarrassing, it may be damaging to the organization's
reputation) and/or the attack was not well documented so that nobody is
really sure whether there was a social engineering attack or not. As
for why organizations are targeted through social engineering: well,
it's often an easier way to gain illicit access than are many forms of
technical hacking. Even for technical people, it's often much simpler
to just pick up the phone and ask someone for his password. And most
often, that's just what a hacker will do.
Social engineering attacks take place on two levels: the physical and
the psychological. First, we'll focus on the physical setting for these
attacks: the workplace, the phone, your trash, and even on-line. In the
workplace, the hacker can simply walk in the door, like in the movies,
and pretend to be a maintenance worker or consultant who has access to
the organization. Then the intruder struts through the office until he
or she finds a few passwords lying around and emerges from the building
with ample information to exploit the network from home later that
night. Another technique to gain authentication information is to just
stand there and watch an oblivious employee type in his password.
Dumpster diving, also known as trashing, is
another popular method of social engineering. A
huge amount of information can be collected
through company dumpsters. The LAN Times
listed the following items as potential security
leaks in our trash: company phone books,
organizational charts, memos, company policy
manuals, calendars of meetings, events and
vacations, system manuals, printouts of sensitive
data or login names and passwords, printouts of
source code, disks and tapes, company letterhead
and memo forms, and outdated hardware.
These sources can provide a rich vein of information for the hacker.
Phone books can give the hackers names and numbers of people to target
and impersonate. Organizational charts contain information about people
who are in positions of authority within the organization. Memos
provide small tidbits of useful information for creating authenticity.
Policy manuals show hackers how secure (or insecure) the company really
is. Calendars are great: they may tell attackers which employees are
out of town at a particular time. System manuals, sensitive data, and
other sources of technical information may give hackers the exact keys
they need to unlock the network. Finally, outdated hardware,
particularly hard drives, can be restored to provide all sorts of
useful information.
The Internet is fertile ground for social engineers looking to harvest
passwords. The primary weakness is that many users often repeat the use
of one simple password on every account: Yahoo, Travelocity, Gap.com,
whatever. So once the hacker has one password, he or she can probably
get into multiple accounts. One way in which hackers have been known to
obtain this kind of password is through an on-line form: they can send
out some sort of sweepstakes information and ask the user to put in a
name (including e-mail address; that way, she might even get that
person's corporate account password as well) and password. These forms
can be sent by e-mail. US Mail provides a better appearance that the
sweepstakes might be a legitimate enterprise.
Another way hackers may obtain information on-line is by pretending to
be the network administrator, sending e-mail through the network and
asking for a user's password. This type of social engineering attack
doesn't generally work, because users are generally more aware of
hackers when online, but it is something of which to take note.
Furthermore, pop-up windows can be installed by hackers to look like
part of the network and request that the user reenter his username and
password to fix some sort of problem. At this point in time, most users
should know not to send passwords in clear text (if at all), but it
never hurts to have an occasional reminder of this simple security
measure from the System Administrator. Even better, sys admins might
want to warn their users against disclosing their passwords in any
fashion other than a face-to-face conversation with a staff member who
is known to be authorized and trusted. E-mail can also be used for more
direct means of gaining access to a system. For instance, mail
attachments sent from someone of authenticity can carry viruses, worms
and Trojan horses. A good example of this was an AOL hack, documented
by VIGILANTe: In that case, the hacker called AOL's tech support and
spoke with the support person for an hour. During the conversation, the
hacker mentioned that his car was for sale cheaply. The tech supporter
was interested, so the hacker sent an e-mail attachment 'with a picture
of the car'. Instead of a car photo, the mail executed a backdoor
exploit that opened a connection out from AOL through the firewall.
The hackers themselves teach social engineering from a psychological
point-of-view, emphasizing how to create the perfect psychological
environment for the attack. Basic methods of persuasion include:
impersonation, ingratiation, conformity, diffusion of responsibility,
and plain old friendliness. Regardless of the method used, the main
objective is to convince the person disclosing the information that the
social engineer is in fact a person that they can trust with that
sensitive information. The other important key is to never ask for too
much information at a time, but to ask for a little from each person in
order to maintain the appearance of a comfortable relationship.
Impersonation generally means creating some sort of character and
playing out the role. The simpler the role, the better it is. Sometimes
this could mean just calling up, saying: "Hi, I'm xyz in abc and I need
your password," but that doesn't always work. Other times, the hacker
will study a real individual in an organization and wait until that
person is out of town to impersonate him over the phone. According to
xyz, a hacker who has written extensively on the subject, they use
little boxes to disguise their voices and study speech patterns and org
charts. I'd say it's the least likely type of impersonation attack
because it takes the most preparation, but it does happen.
Some common roles that may be played in impersonation attacks include:
a repairman, IT support, a manager, a trusted third party or a fellow
employee. In a huge company, this is not that hard to do. There is no
way to know everyone - IDs can be faked. Most of these roles fall under
the category of someone with authority, which leads us to ingratiation.
Most employees want to impress the boss, so they will bend over
backwards to provide required information to anyone in power.
Conformity is a group-based behavior, but can be used occasionally in
the individual setting by convincing the user that everyone else has
been giving the hacker the same information now requested, such as if
the hacker is impersonating an IT manager. When hackers attack in such
a way as to diffuse the responsibility of the employee giving the
password away, it alleviates the stress on the employee. When in doubt,
the best way to obtain information in a social engineering attack is
just to be friendly. The idea here is that the average user wants to
believe the colleague on the phone and wants to help, so the hacker
really only needs to be basically believable. Beyond that, most
employees respond in kind, especially to women. Slight flattery or
flirtation might even help soften up the target employee to co-operate
further, but the smart hacker knows when to stop pulling out
information, just before the employee suspects anything odd. A smile,
if in person, or a simple "thank you" clinches the deal.
A final, more advanced method of gaining illicit information is known
as "reverse social engineering". This is when the hacker creates a
persona that appears to be in a position of authority so that employees
will ask him for information, rather than the other way around. If
researched, planned and executed well, reverse social engineering
attacks may offer the hacker an even better chance of obtaining
valuable data from the employees; however, this requires a great deal
of preparation, research, and pre-hacking to pull off. The three parts
of reverse social engineering attacks are sabotage, advertising, and
assisting. The hacker sabotages a network, causing a problem to arise.
That hacker then advertises that he is the appropriate contact to fix
the problem, and then, when he comes to fix the network problem, he
requests certain bits of information from the employees and gets what
he really came for. They never know it was a hacker, because their
network problem goes away and everyone is happy.
The following table lists some common intrusion tactics and strategies for prevention:

Area of Risk | Hacker Tactic | Combat Strategy
Phone (Help Desk) | Impersonation and persuasion | Train employees/help desk to never give out passwords or other confidential info by phone
Building entrance | Unauthorized physical access | Tight badge security, employee training, and security officers present
Office | Shoulder surfing | Don't type in passwords with anyone else present (or if you must, do it quickly!)
Office | Wandering through halls looking for open offices | Require all guests to be escorted
Mail room | Insertion of forged memos | Lock & monitor mail room
Machine room/Phone closet | Attempting to gain access, remove equipment, and/or attach a protocol analyzer to grab confidential data | Keep phone closets, server rooms, etc. locked at all times and keep updated inventory on equipment
Phone & PBX | Stealing phone toll access | Control overseas & long-distance calls, trace calls, refuse transfers
Dumpsters | Dumpster diving | Keep all trash in secured, monitored areas, shred important data, erase magnetic media
Intranet-Internet | Creation & insertion of mock software on intranet or internet to snarf passwords | Continual awareness of system and network changes, training on password use
Office | Stealing sensitive documents | Mark documents as confidential & require those documents to be locked
General-Psychological | Impersonation & persuasion | Keep employees on their toes through continued awareness and training programs

Yes, real prevention is a daunting task. Let's be realistic, most companies don't have the financial or
human resources to do all of what's listed above. However, some of the money spent on plugging
network holes can be redirected. The threat is as real as, if not more real than, most network holes; however,
we don't want to create militant help desk staff. Just be smart and reasonable. It is possible to keep
morale high and have a fun company culture without sacrificing security. By slightly changing the rules
of the game, the intruders no longer take the wheel.
05
All Indian Hackers Till Date...
Indian Hackers Group
Indian Cyber Army (Indishell + I.W) - I.C.A is like the bigger part of
Indishell & I.W. On Indishell, the members come to learn and grow their
hacking skills. Lucky and Silentp0ison started I.C.A. Atul Dwivedi and
Neo from I.W joined later. Both Atul Dwivedi and Neo used to run the
Indian Warriors (IW). So basically INDISHELL + IW = I.C.A
In separate terms both Team Indishell & Team Indian Warriors are
different. They individually can do anything they want. But I.C.A will
only come into action against ANTI-INDIANS.
This group has the best hackers from INDIA with very strong patriotic
feelings. The members of this group are:
[SiLeNtp0is0n]-, strangeR, inX_rOot, NEO H4cK3R, DarkL00k,
G00g!3 W@rr!0r, co0Lt04d, ATUL DWIVEDI, st1k3r, Th3 RDX, Lucky
This is I.C.A. All the above Indians are Leets. They are Indians, the
only silver lining in dark times.
IGCOE_HACKER - This is not a group. He is an individual hacker from
India mostly targeting Pakistani websites only. The Pakistani Punjab
Police official website (http://www.punjabpolice.gov.pk/) was hacked by
Indian hacker IGCOE_HACKER, which became national news in Pakistan, and
just after this the cyber WAR began between the Indian cyber army & the
Pakistani cyber army.
Well, in real terms, that was not the real cyber war. The better term
we can use is that it was an EGO war; the ego of knowledge and skills.
Just after this defacement of the Pakistan Punjab police website, a lot
of websites have been defaced in both of the countries. This was only
limited to website defacements. Such things cannot be termed a cyber
war.
Punjabi Hacker - A hacking group from Punjab that mostly hacks
Pakistani websites. During the Cyber War started by IGCOE_HACKER, this
hacker group also hacked many Pakistani websites. This group mostly
hacked websites using SQL injection attacks or DotNetNuke (DNN)
attacks. The hacking level was not very hi-fi but used very basic
methods of attack. According to PUNJABI HACKERS, they only hack to show
that this is the battle of knowledge... battle of skill & battle of
mind. According to Punjabi Hackers, they don't believe in ABUSING
statements. Hacking is an ART and they respect it. By abusing on a
hacked website, hackers only show how abusive they are and not how
talented they are. (Thorough details of Punjabi Hackers in chapter 08).
EDDY - This group was activated somewhere in 2008-09. DarkL00k, tr1gg3r
and h3m@n were the founders of this. This group is not active these
days. They hacked only Pakistani sites. Now DarkL00k is in ICA
(Indishell) and tr1gg3r and h3m@n both are busy in college studies.
Virindia - The most underground community of Indian Virus Coders. Most
of the group members are working in MNCs. Their main work is to code
viruses/Trojans/Botnets and use them against Anti-Indians. This group
has India's biggest bot network. All members of this group are in the
top most wanted list of one Antivirus company and COMODO Securities'
2009 yearly cyber criminals' list. Some members are GodZilla, NOX,
Bomber man and Adil.
THIRD EYE ETHICAL HACKERS SOCIETY - Parul Khanna, 18 years old, is an
independent computer security and digital intelligence consultant with
definitive experience in the field of Internet security based out in
Jalandhar City of Punjab (INDIA).
He has also conducted various different training sessions on various
topics related to cyber security and Mobile Hacking to an audience
comprising of top level management, entrepreneurs, technical
specialists, defense personnel and students.
With the vision to create a more secure Internet, Parul founded a
unique computer security Society, i.e. THIRD EYE ETHICAL HACKERS
SOCIETY. Third Eye adopts a comprehensive and a meticulously drafted
approach towards information security consultancy, ethical hacking,
cyber crime investigations and forensics. Third Eye being a knowledge
platform also believes in sharing its domain expertise through its
training programmes, public lectures, presentations and seminars.
Currently Parul is pursuing his High School in Jalandhar City of Punjab
and is conducting seminars to impart knowledge to people about harmful
effects of threats available on internet.
Other members in his team are: Rahul Tyagi, Rishabh Dangwal, Prateek
Singla, Yash Khanna, Karan Sehgal
HMG (Hindu Militant Guard or Hindu Militant Group) - An Indian group
from the IT sector. This group mostly hacked Pakistani websites and
orkut communities. The leader of this group was Sneak. The group
defends its hacking practices by saying it's revenge against Pakistani
hackers who are involved in hacking Indian websites and orkut
communities. Their high profile target so far has been the OGRA (Oil &
Gas Regulatory Authority, Pakistan) website, which they defaced and
caused breaking news on TV channels in Pakistan. Apart from that they
have hacked a number of orkut communities.
Websites & Orkut Communities Hacked by HMG:
1. OGRA (Pakistani - Oil & Gas Regulatory Authority)
2. Islamic Republic of Pakistan Orkut Community
3. Dr. Zakir Naik Orkut Community
4. Islam & Muslims Orkut Community
5. Benazir Bhutto - Orkut Community
6. Karachi Orkut Community
7. Indian Christian Orkut Community
8. India Pakistan Orkut Friends Orkut Community
NULLCON - Nullcon is an initiative by null - The open security
community.
It has the extreme level of knowledge. If you want to share your hack
with others and you have an inquisitiveness to learn, then Nullcon is
the place for you. Here you will meet the real GURUs of hackers,
researchers, phreaks and similar guys.
As per the official website of nullcon, the below warning appears on
the main page of the site.
STATUTORY WARNING: nullcon can cause severe exposure to high octane
gyan and could leave participants exhausted with wild shack parties.
Beware, Be There.
Nullcon Dwitiya (2.0) was also termed as The Jugaad (hacking)
Conference.
According to these guys, Hackers are JUGAADUS. JUGAADUS are those who
know how to beat the technology by any hook & crook method:
extraordinary people.
The last meeting was held on 6th & 7th Feb 2010. The next schedule has
been finalized on 25 & 26 February, 2011 in Goa. The below tracks will
be the highlights of this conference on 25 & 26 February, 2011:
- Bakkar
- Tez
- Karyashala
- Desi Jugaad
National Anti-Hacking Group - It's a non-profit organization which is a
group of ethical hackers and cyber security experts involved in social
service. A team of Hackers & Security experts from across the globe are
involved in creating awareness in the field of cyber security and
reducing the increasing Cyber Crimes. Apart from creating awareness, it
also does research in the field of IT security & ethical hacking,
discovering vulnerabilities/loopholes in websites and networks,
developing exploits and providing advisories to overcome the exploits
or loopholes. It's basically a team of Professional Penetration
Testers.
Andhra Hackers - Hackers of Indian Cyber Warriors who belong to Andhra.
The Indian Hackers Club - This group was active around 2004. Not active
these days.
Members: R0xx, Ne0-X & <> WARRIOR <>.
The members of Indishell group formed another group named Indian
Warriors. It was maintained by ATUL DWIVEDI. Indishell approached Atul
Dwivedi to join their group and the proposal was accepted and thus the
group came into existence. Guys like co0Lt04d (cool toad), Indian
military, google warrior and DarkL00k (Ajay Dhaka) too have joined the
Indishell group.
After this, the immediate process was the formation of the gang bang
project. According to them this time the retaliation manner is supposed
to be big so that the results reach the Indian government. The members
of ICA (Indishell) are working hard on this project and are so serious
that they don't mind bunking lectures.
One of the members of Indishell says, "When we started hacking, we
never possessed this level of knowledge what we are possessing today."
Indishell has defaced more than 2000 websites of Pakistan. It took them
almost three days to complete and the days were 14, 15, and 16 of
August. The defaced sites also included sites of Press and Police.
While defacing these websites Indishell sent them a message about the
deeds of the Pakistani hackers. ZombiE_KsA (zombie_ksa) couldn't
tolerate this and so he himself hacked his own country's site NR3CA,
which is an FAI Crime Investigation Department. In that he wrote a
harsh message that said "whom should they contact, pak bugs or NR3CA".
Immediately the department ended the pakbugs domain and they caught
people like vergil, zum zum (xOOmxOOm), inject0r (injector), and Mr. A.
Later they were recruited into FAI and were not charged for any crimes
they kept on committing till date. As per the records, these hackers
had hacked MSN, Google but yet nobody could catch them. They have
started destroying our cyber space from within. They aren't showing us
anything but later this brings us a devastating situation like
destruction of infrastructure and in the Indian economy. They were
annoyed with the gang bang project. According to the rating, Pakistan
were rated 18 and Indishell were rated two thousand plus. Yet there are
many puny points about the Pakistani hackers and they do not know how
to destroy cyber space completely. When they started defacing Indian
sites, Indishell restored them and left the notification about the loop
holes in the security service. Ultimately Pakistanis defacing Indian
sites is helping our hackers to know the major loopholes.
The next project is on 26/11. It is quite sure that there are chances of
cyber war on this day; maybe this time it would be on a higher scale as
compared to the past.
There is going to be a major involvement by ZombiE_KsA, nut cracker,
xOOmxOOm, big smoke, Spo0fer, <=SHAK=>, rocky, DJ hacker, from Pakistan.
From India it would be smart (keval), sai satish, silent poison, lucky,
co0Lt04d, Atul Dwivedi, and innex.
Pakistanis usually hacked credit cards from the U.K. and U.S. by
introducing the servers of Netherlands and Germany, out of which they
bought new servers which cost approximately 2-2.5 lakhs. Many hackers
belong to poor families and don't have enough money to even have two
meals a day. But still they are managing to buy such costly servers,
thanks to hacking. Moreover, if a particular person's credit card has
been hacked then they have to report it within three months; if that
person fails to report it then it won't be considered later. We can
notice that after every three months there are new servers. Not only
Pakistan, but there are a few Indian hackers who are also involved in
credit card hacking, which is spoiling the name of the country in
foreign lands.
Lifestyle of hackers: A dedicated hacker will eat, sleep, and brush in
front of his PC itself. A normal hacker would attend college and his
routine would be quite normal. The major drawback of hackers is that
they are short tempered and aggressive. A hacker can be hacked by making
him angry, as it is a known fact that in anger they reveal the details.
This skill is called social engineering. A few Indian hackers are also
trying to hack satellites to prove their talent.
Background of hackers: Most of the hackers belong to a middle-class
background and in many cases, hackers from rich families possess little
or lower IQ level, whereas the poor hacker possesses huge knowledge.
Earning source: A few hackers work for underground hackers by clearing
their mess, for which they get paid. There are also target lines given
to them and if they succeed in meeting their target on time they get
paid. This is done by the Indian hackers. The earning source of
Pakistani hackers is proven by the changes in the server after every
three months. Credit card hacking is the only source of earning.
There are a few hackers who consider themselves the messengers of god
and so they hack to save Islam. They become jihadist hackers and,
according to them, as they are the messengers of god, these things are
usually legal. The Urdu hack website has been hosted on an Indian
server. There are many Pakistani hackers who don't know anything. But
if we are still becoming prey to them then it is due to the loose
security from our side.
China has the most powerful hackers and it is the biggest threat to
India. India is the only country which has been attacked from all four
sides of the world, because India has no government support. If at all
they get support then there can't be any other country stronger than
India. China has the entrance into half of the data centres of India and
they keep their eye on every step of ours.
The biggest insecurity of hackers is revealing
their identity, so usually you must have seen they
do not reveal their pictures.
The biggest hackers
Iscotropic from Turk, this is a team.
1923 Turk, which consists of approximately 4k members
Net Devil Saudi Arabia biggest consists 100 and 200
CRACKERS GROUP
TeamCDS/TeamLoGiC
Shivesh Kumar & Epsilon ran Team CDS & actively posted stuff on DLMANIA
(now closed). They tried to make a comeback in 2007 as TeamLoGiC, but
later on the releases went down. Shivesh Kumar is now a network admin &
TeamLoGiC is waiting to be reborn.
Team T3
A Trivandrum-based group who were quite active in releasing cracks for
some prominent software; you can say they were one of the first Indian
crackers in the scene. However, the group is now defunct.
Team Members
BiBiN.S.B - Founder/GFX/Reverse Engineer
AnAnD.S.S - SFX/GFX/Reverse Engineer
AKhiLESH.M.P - Reverse Engineer
AKhiL.R.S - Coder
ChAN-Du - Web Designer/Coder
HaRiKRiShNAN - Release Packer
JAYd3EP - H4X/Supplier
Crackers in Blue / CiB
Active in late 2008, they were a subdivision of undergroundindians &
worked along Hackers in Blue (HiB) & Gamers In Blue (Gib). Formed by
Himanshu (him89) and Anurag (DJ), UI is dead today. Its members include
Rishabh Dangwal of theprohack.com and DJ of Warezfreaks. UI were quite
instrumental in its implementations & even released its version of Linux
at one time.
Paradox
PARADOX (PDX) is a warez/demo group; an anonymous group of software
engineers that devise ways to defeat software and video game licensing
protections, a process known as cracking, which is illegal in most
jurisdictions. They distribute cracks (software patches), keygens (key
generators), and precracked versions of entire programs. Over the years,
distribution methods have changed, starting out with physically
transported floppy disks and BBS distribution. With the expansion of the
internet they moved on to Usenet. Today most of their files reach the
public over various peer to peer file networks. Paradox was originally
formed in late 1989 by members of the Danish group Trilogy (Bad Boy,
Black Hawk, Tas, Pcsu, QRD) and the French group M.A.D (Olivier,
Stinger, The Surge, Clash, Tagada). In 2002, the team recruited computer
black hat Evilgood, who is alleged to be one of the most qualified
crackers of the time. His identity is still unknown. They have cracked
games for other consoles and handheld devices like the PlayStation,
PlayStation 2, PlayStation Portable, Dreamcast, Nintendo 64, Nintendo
GameCube, Wii, and Xbox.
Razor 1911
Razor 1911 is the "oldest game software piracy ring on the internet".
Originally founded as Razor 2992 by Doctor No, Insane TTM and Sector9 in
Norway in October 1985, it has been one of the most prominent warez
groups ever. On July 23, 1996, Razor 1911 released Quake the day after
its release. On October 14, 2006, Razor 1911 released Battlefield 2142
to the scene four days before its official release. In 2007, Razor 1911
was the first group to successfully crack a Windows Vista-only game,
ShadowRun, to run on Windows XP. On November 11, 2007, Razor 1911
cracked and released the European version of Crysis five days before its
official store launch date. On December 7, 2008, Razor 1911 released
Grand Theft Auto IV five days after its release. In the process they
managed to crack the SecuRom protection. Although a fix included in the
1.0.2.0 patch impaired functionality for players using cracked versions
of the game (such as the inability to finish certain storyline missions
and disabled in-game computer functions), the group still managed to
provide a complete workaround. Most recently, on July 31, 2010, Razor
1911 released a StarCraft II proper release with a working single-player
"skirmish" mode, and on September 21, 2010, Razor 1911 released F1 2010
(video game) 4 days before the official EU release of the game, the same
day as the American release of the game.
Team Members
acet1 - black panther - dubmood - desync - gb
- nerv - kohai - replay - rez
Revenge Crew
Developers of Serials 2000, Revenge Crew are
one of the best when it comes to cracking. They
deployed a database.
Team Members
Av0id - Cracker
DOLTON - Cracker
kioresk - Cracker
Maximus - Cracker
Mixa - Supplier
NJOY - Leader, Cracker
Phrozen Crew
Phrozen Crew was founded in 1993 by Aphex Twin, who recruited The
Keyboard Caper (tKC), who would eventually come to lead Phrozen Crew. It
was small to begin with, containing only four members: tKC (president),
Psylocke (vice president ansi coder), Mutha (musician), and Lucido
(graphics).
As per the information, there are currently 5 active hacker groups in
Pakistan, as cited below.
TeaMp0isoN: TriCk aka Saywhat? - Luit - Hex00010 - eXhAiL - -null
(Almost dead & very kiddish behavior by this group & its members)
PakCyberArmy: <=SHAK=> - root@localhost - Net.Cracker - MindFreaK -
TaZii - KingLightning - z3r0 c0d3 (Bunch of Oink Oink)
ZHC: Z.Sheapar - Zology - Xtremist - MLKY - Mr. Flirt Don (Reaching new
levels of noobness and stupidity)
UrduHack: Code5 - Dr.Trojan - Badoo - Usman - ShozY - Dj_Zaheed -
Hol3-te@ch3r (Can't spell English words properly)
PAKBugs Crew: ZombiE_KsA - xOOmxOOm - Spo0fer - [A] - inject0r (Half of
the crew is arrested and the rest are in the U.K.)
06
The Good, Bad and Ugly Hackers
Hacking has taken a distinctly commercial turn as entrepreneurial
outfits of contractors throughout the world are hiring themselves out to
business and Government sites to highlight their security flaws.
Hackers and crackers are often referred to across the world as the big
menace for e-business and the e-society. They are often painted with the
same broad brush as several other groups, like virus writers, as waging
a cyber war on the internet. Is this threat real or do we need more
differentiation when talking about hacking? From our point of view
hackers are the people who break into computer systems and crackers are
something that you eat! In the good old days a cracker was someone who
broke software copy protection code, and a hacker was someone who found
holes in systems that would allow him/her to explore other people's
systems. Since then things have changed as the use of computer systems
has grown and the material kept on machines has become more valuable.
The people attacking the systems have also changed. It is for this
reason that we break down the types of 'hackers' into the following
categories:
Hack into the Department of Defense, go to prison, come out and get a
high paid job as a security analyst. For a while there, it seemed this
was a hot career path for geeky, rebellious teenagers who might have
viewed spending four years sitting in college classrooms as not that
different from being behind bars, anyway. From the point of view of the
ex-con kids, it was a dream come true: they got paid--often very
well--to do what they were doing anyway, for free, and didn't have to
worry that the FBI would come knocking at the door (or bust it down)
late some night.
From the point of view of the companies doing the hiring, who can better
do penetration testing than people whose skill levels have been proven
in a court of law? It seems to make sense, but the trend appears to have
leveled off as many organizations have tightened their general hiring
criteria in a less robust economy. However, even if your HR department
isn't bringing them on staff, a closer look at the employees (and
owners/founders!) of that security consulting firm you're contracting
with might reveal a few folks whose backgrounds include more than a few
illegal activities. What are the arguments for and against allowing such
people access to your network, and what are the ramifications if it goes
wrong?
The good
The obvious argument for hiring reformed
black hat hackers to provide advice on network
security is that, when it comes to the network
intrusion game, they have real world experience
in playing offense. The typical IT pro only knows
about playing defense. There is a very big
difference in mindset between being someone
whose primary training is in protecting the
network and someone who has learned, usually
mostly through trial and error, all the little "tricks of the trade" for
breaking into networks. A good hacker really loves the challenge and
spends many, many hours perfecting his craft.
There's also the possibility that you can get the hacker to work
cheap--or at least, at a lower salary than the computer science Ph.D.
who's paying off US$100k in student loans--and who doesn't have a felony
conviction on his/her record. It's not just the lack of conventional
credentials that can lower the ex-hacker's compensation expectations,
though. Finding vulnerabilities in networks and systems is something
that those with hacking in the blood would happily do for no
compensation at all.
Individuals and organisations conduct security audits and research and
publish their findings for the common good of the security industry. The
people who find vulnerabilities and help fix them, and the people who
develop security tools and techniques, counteract such acts in the
future.
Companies such as us test security implementations to make sure that
they are true and complete and as secure as can be at any given time.
This is done by examining the systems and examining software that is
known to have security weaknesses, then informing the customer so that
they can close the hole. Advising on new solutions and techniques can
minimize the work and effort of a hacker in the future.
The bad
Even if the hacker you're considering hiring as an employee or
contractor is completely reformed, having a criminal onboard may not sit
well with your clients. If your company has or hopes to bid on
government contracts that require a security clearance, having a known
hacker associated with the company could count against you.
Then there's the question of whether the hacker really is completely
reformed. Maybe he's sworn off cracking DoD passwords and writing
viruses, but will he be tempted to dip into your company's confidential
files and take a look around, just because he can? Can you trust him not
to illegally download copy protected music and movies or install warez
on computers on your network in his spare time? If he gets bored, might
he decide to peruse the personnel files just for fun, or whip up a
"harmless" little practical joke script to turn everyone's desktop
wallpaper into a graphic of the blue screen of death?
It all comes down to a question of trust. Giving a person access to your
network--especially the kind of access that's required to analyze your
security--is akin to giving someone access to your bank accounts. It's a
position that carries a great deal of responsibility. Would you hire a
former embezzler to oversee your money? Probably not, because that
person has been shown to misuse such kind of access in the past.
Those in favor of hiring hackers (and the hackers hoping to be hired)
will argue that "it takes one to catch one". However, you don't see law
enforcement agencies hiring former murderers to help them catch violent
criminals or former burglars to help thwart other breakers-and-enterers.
Oh, they might make use of those people as confidential informants but
they would never put them into positions of trust where they would have
the opportunity to commit the same crimes again. And also, people who
break into computer systems for criminal financial gain, espionage or
politically motivated reasons. Despite what people think, this does
exist, and there are examples that can be found such as the famous City
bank hack and the UK cash-point hack that was successfully nipped in the
bud before any substantial harm was caused.
The ugly
What if your hacker hasn't reformed at all, but has merely learned to
play the game in a more sophisticated way? Social engineering is the art
of manipulating people, rather than or in addition to code, to gain
entry into a network or system. I've always found it interesting when
supposedly reformed hackers, who themselves go around preaching the
dangers of social engineering, are then hired by companies in spite of
the fact that they're basically telling you that what they're doing now
could easily be another big social engineering ploy. Posing as a
reformed hacker/consultant is a great way to gain access to
networks--much better than pretending to be a phone company employee or
someone from "headquarters" that you're not. Not only do you get a
legitimate pass to get into the network, you also get a paycheck from
your target for doing it.
The possible ramifications of having a covert hacker on the "inside" of
your network range from serious to devastating. He could use your
network to launch a botnet attack. He could send out malware from your
location. He could even access files with your company's confidential
financial data or trade secrets and sell the information to one of your
competitors.
If you're in a regulated industry such as healthcare or financial
services, such an insider security breach could put you in a precarious
position. It would be difficult to argue that you practiced due
diligence to protect your data if you knowingly and voluntarily put it
in the hands of a known hacker.
You also need to consider whether the self-proclaimed hacker really has
the level of skill he claims to have. After all, if he's been convicted,
that means he got caught--and if he were really good, wouldn't he have
been able to cover his tracks? Perhaps he's just a "script kiddie" who
ripped off hacks constructed by others and used them clumsily. On the
other hand, if he hasn't ever been arrested or convicted, what proof do
you have that he's really a hacker at all? Maybe he's only a wannabe who
talks the talk but doesn't have the programming chops to walk the walk.
Bottom line is that someone who would illegally access someone else's
network may not have a strong sense of right and wrong and/or might have
a problem with authority. If he had no compunction about breaking the
law, why would you think he would be willing to abide by your company's
policies and the rules and boundaries that you lay down for him as an
employee or consultant?
It's also important to remember that "birds of a feather flock
together". Hackers tend to be friends with other hackers. They learn
from each other, and it's also a culture in which members get a lot of
gratification out of impressing each other. Even if "your" hacker
doesn't attempt to harm your network or its assets, can you be sure that
he won't inadvertently let slip information about it when bragging to
his hacker friends, that they might use to get in and wreak havoc?
Misguided individuals, kids who have nothing better to do with their
time, take advantage of security weaknesses in order to boost their
reputation. This is usually done using tools that are available on the
internet. A good example of these types of people is website defacers.
Once they have compromised the security of a site they work like
graffiti artists, painting the website with their logo and publishing
their achievements on websites like www.attrition.org. Alternatively the
simple redirecting of the website to that of their competitors has the
same effect. The Council of Europe has drafted the first international
convention against cyber crime. One of the goals is to make hacking a
crime and to allow the use of 'hacker tools' only for legitimate
purposes. Will this provision foster security on the Internet?
Remember: All hackers are not
created equal
If you're considering hiring a former hacker, it's a good idea to delve
deeply into his background and record and try to discern exactly what
category he fits into. That can give you a clue into how much of a risk
you would be taking on by hiring him.
A former teenage hacker who stumbled into a federally protected network
with no real intent to do harm might very well have been "scared
straight" by getting caught. (On the other hand, he may also have been
embittered by his experience behind bars, and he might have had his
criminal tendencies reinforced in an environment where "being bad" is
not looked down on but is rewarded with admiration.) A more mature white
collar criminal who was deliberately moving money into his own account
from another or committing corporate espionage as a "hacker for hire" is
likely to have a more deeply ingrained criminal mindset and attitude
that's not so easily changed.
There is always some element of risk in hiring a person to do a job you
don't know how to do yourself, because it makes it easy for that person
to put one over on you. There is a greater risk in hiring someone who
has committed illegal acts in the past--but some hackers are more of a
risk than others.
Protecting your company from
your own "hired gun"
If you do make the decision to hire a former
hacker, take steps to protect your company from
the possible consequences:
- Do a thorough background check. Don't assume that what the hacker
  tells you is true. Believe it or not, some people will claim to be
  criminals when they really aren't, if they think it will get them a
  high paying job that makes them look "cool" to their friends.
- Have the hacker sign an employment contract (or independent contractor
  agreement) that very explicitly sets boundaries and prohibits any
  access not specifically authorized, prohibits any use or sharing with
  others of information gathered in penetration testing or other parts
  of the job, and specifies the penalties for violation.
- Consider having the hacker covered by an employee dishonesty/fidelity
  bond, or if the hacker is a contractor, require that he provide proof
  of insurance that will reimburse you if he steals from you, defrauds
  you or otherwise deliberately causes a loss to your business.
- Don't give the hacker access to any more than he needs to do the job
  for which you've hired him. Never give him administrative passwords.
  If he can obtain those credentials on his own, you know you have a
  security problem, but you should not provide him with them.
- If the hacker leaves or when his contract work is over, change
  passwords (even if you think he didn't have them) and make sure strong
  intrusion detection/prevention controls are in place.
- Monitor network access while and after the hacker works for you and be
  on the lookout for any suspicious activity. Remember that the hacker
  may use some other user's account, not necessarily one that you've
  given him for his own use.
Summary
The practical reasons aside, those who set the tone for a company must
examine whether hiring a hacker fits in with their own codes of ethics.
Do you want to encourage the practice of profiting from one's criminal
background?
On a final note, I've used the masculine pronoun throughout this column,
not only because I hate the grammatically incorrect use of "they" and
"them" as a singular, but also because the vast majority of black hat
hackers--and especially convicted ones--are male. Guns don't kill
people, people kill people. The internet is out of control and people
who want to hack into a system will always find a way. Currently, the
most up-to-date mailing list for security problems is 'Bugtraq', which
is mailed freely to subscribers on a daily basis (usually over 200 mails
a day).
If the type of legislation proposed by the Council of Europe were to be
passed then it would make services like 'Bugtraq' illegal; this in turn
would spell disaster for the whole security industry. This type of
legislation is what is required in the Middle East region, where most
countries do not have appropriate laws in place to address cyber crime
and fall back on laws such as the stealing or misuse of information,
which simply is not enough to prevent hackers from 'having a little fun'
at all our expenses.
Outlawing hacking tools will make it difficult
for IT professionals to secure their systems. If you
cannot try out the hack you cannot know if you
are protected from it. It will also make education
in security nearly impossible.
Using hacking tools or anything at all to break
into other people's computers is already illegal.
Making the tools themselves illegal will actually
prevent people from using them legitimately.
Hackers: the good, the bad, the
ugly (In brief)
Computer hackers normally shun the spotlight,
but many of them came out into the open for the
recent Defcon convention in Las Vegas, offering
outsiders a rare chance to glimpse their distinctive
subculture.
While most of the year hackers connect via modems and e-mail, here they
meet face-to-face. Fueled by cigarettes and caffeine, they huddle in
groups around computers, swap strategies, exchange tactics and brief
each other on the latest technological developments.
No business clothes here. The standard apparel was T-shirts and shorts
(and forget about those name tags saying "Hello, my name is ..."). Others
opted for an in-your-face look: a spiky dog collar here, a punk hairdo
there; miscellaneous pierced noses, tongues and other appendages.
"The staples, the stitches, they're meant to hurt," said one hacker.
Just as in cyberspace, the hackers are known only by their screennames;
"Reverend Greed," "Despair," or "Opus," to cite a few.
They start early
Most hackers start practicing their craft by
tinkering as kids.
One hacker said he got his start at age 13, when
he broke into a credit card database.
"I knew I shouldn't have been doing it. But I
figured: I'm under 15, I can't get in that much
trouble, can I?" he said.
The hacker community is divided into two
categories. The "White Hat hackers" are those
paid by corporations and the federal government
to legally break into systems to find vulnerabilities
in computer software and then fix the flaws.
The other group, known as "Black Hat
hackers," are malicious: They break into networks
illegally to steal bank account numbers or credit
cards in order to make money.
The third is Gray Hat hackers, who work as
both.
Chasing thrills
Many hackers say they do break-ins because it's addictive, a thrill --
and one feels the "power at the fingertips."
"It's so many things at the same time: you want the knowledge, you want
the power -- you just want to be there. You don't want to miss out," one
of the few women hackers said of her experience.
A hacker's idea of having a good time is a race to see which team can be
first to break into a computer network. The winning team gets a cash
prize.
"We own every one of these machines. It's on our network, not the
Internet. So this is completely legal," said one convention-goer.
From outcasts to experts
Even though they were once considered outcasts, many hackers now hold
critical and high-paying jobs with corporations and governments.
One group of hackers, called L0pht, even appeared before Congress
recently to explain flaws in computer security.
"It was actually a pretty monumental step forward to see the Senate and
large legislative groups almost embracing hackers and saying: 'Hey, you
guys have something that you're actually bringing to the table,'" said
Dr. Mudge, a member of the group.
07
The Hackers Mentality
I've got a little story to share, about computers and hackers, and some
stuff that eventually relates back to who I am and how I see the world
as well as, I'm sure, how a bunch of other people out there see the
world. If you're not one of these people (as you probably aren't, since
there are very few of these people, comparatively) then perhaps this
will give you some insight or at least amuse you for a while, and maybe
even enlighten you a little bit.
A timing circuit was necessary because computers don't think like we do,
in streams of thought that just flow. Computers think in discrete steps,
one thing at a time, much like, say, a mechanical clock. A mechanical
clock doesn't know that it is any one given time (say, 1:01 pm); it only
knows that gear #1 has tooth number 42 meshed with cog #4 at position 3,
or something equally obscure like that. The position of those gears and
cogs is all the clock knows (if it can be said to know anything). The
fact that we recognize those positions as a time is strictly because we
built the system to work that way. The position of the gears and cogs
has meaning to us because we designed it to be so: we abstracted the
concept of time, as the relationship of seconds, minutes, and hours,
into a set of physical objects, the gears, in such a way that they would
represent time as we understand it. To the clock, none of that matters.
It just moves the gears in the way it was designed, over and over again.
If the gears were designed improperly, the time would be wrong, but the
clock doesn't care (again, if a clock can even be said to care about
anything; we just use emotions as a metaphor for machines because that's
how we work, and how our language works). It just continues to move the
gears and cogs in the way that it was made.
A computer works the same way. The electronic clock is really just a
pulse of electricity that is regular; it pulses in a set pattern, say
once every 1/10 of a second (our example was a very slow computer). And
on every pulse of that clock, electricity would pulse down wires and
through resistors and transistors and diodes and so forth, in a very
precise and controlled manner. And those pulses would have effects on
certain things: a pulse through a certain diode would have the
mechanical, electrical effect of changing the path for electricity to
flow through the system. This change would be taking effect during the
next pulse, when electricity would move in a slightly different way, and
so on, again and again, just like the gears and cogs in a mechanical
clock.
However, since electrical components are very small, we were effectively
creating a very, very complex mechanical clock, with lots of gears and
cogs inter-meshing in different ways. Some of these different ways we
(as humans) interpreted as ones and zeros, the binary language on which
all computers are built. (We use binary in computers because it's easy;
computers work with electricity, and it's easy to design electrical
components to work one way or another, which is to say, on or off, and
that is, effectively, binary. Designing components to work 3 or more
ways is really, really hard, and often imprecise, which is why we don't
do it.)
So, building on this foundation of electrical pulses, controlled by a
clock signal (really just a regular, timed pulse of electricity), we
built up the idea of binary code: ones and zeros. We had an adding chip
that would interpret these pulses, 4 at a time, into representations of
numbers. It would then, according to a fairly simple design internally,
but more complex than we could build in our lab, produce an output of
signals that were different from the input it received. This output was
interpreted by us as numbers that had been added together (again,
because we, that is to say, humans, built it that way, again, just like
our mechanical clock).
Once we had a circuit that could, metaphorically, add numbers together,
we had the basic requirements for a computer. We looped circuits back
onto one another, so that the output of some numbers added together
would influence the next operation, and through some complex
manipulation (mostly just building electrical paths in such a way that
they followed the rules of logic as set out by us), we had a computer.
We programmed another chip called a PROM, for programmable read only
memory, with some numbers that we had put together on paper. These
numbers were (according to a code designed by humans) representations of
instructions, abstract concepts that we used to simplify working with
the computer. We wrote the instructions to do something, translated the
instructions into their numerical equivalents (you'll understand now why
the first computers were built by governments to make and break codes),
and then used electricity to burn those numbers into the PROM, so that
when we were done, and electricity was applied to the PROM, our numbers
would come out the other end (again, as just pulses of electricity).
These would be interpreted by our adding unit, which would execute our
instructions (computing is just full of abstractions like this;
abstractions and metaphors build on top of one another) and send out
signals representing the results of our instructions, which would be
interpreted by another circuit, which would send the appropriate signals
to our single LED block. If we had done our work right, the LED block
would light up in a certain pattern which we would interpret as numbers
or (if we had a better LED), letters.
This was really monumental, although you
might not think so. The thing we built was butt-
ugly, with wires popping out all over the place. It
could only display one digit at a time on the LED,
and to program it, you had to go through all those
steps and make the PROM, which, once made,
could never be changed. If you made a mistake,
you had to throw out the PROM and make a new
one. Compared to the computer on which I'm
writing this (or to the one you are using to read
this), our computer was about as sophisticated as
smoke signals are to a Ferrari. (A bad analogy, I
know, but somehow appropriate, when you think
about it.)
What was important here was not the practical
applications of this exercise; we certainly weren't
going to go out and work for Intel and design
their next big chip or anything. Modern
computers are so phenomenally more complex
that it's not even worth making an analogy. Just
trust me on this one: they are way more complex.
But the important thing is that they still operate in
the same basic way, using the same basic rules. By
building this 4-bit monstrosity, we now had a
deep, fundamental understanding of how a
real computer worked, on a very low level. It's
like a car, really (how I love car analogies): anyone
can learn to drive it, but a good driver, a really
good driver, knows a bit about everything in the
car. He may not be able to build one on his own,
but he knows (generally) how the engine works,
how the steering is designed, how the wheels
interact with the road, and so on. By knowing
these things, he can use the car more effectively.
Likewise, by knowing these things about how a
computer worked, we (as computer science
students, mostly destined to be computer
programmers in life, as I am) could use computers
more effectively. It was no longer just a black box
that did things; it was real to us. We
understood it. There was meaning, logic, and
sense there. I may not need to know (in fact, I
don't need to know) how my CPU works to write
a program in VB or PHP or some other high-level
language, but by knowing, generally, how it
works, I can program it more effectively.
This is where the essence of a hacker comes into
play.
An average person might be satisfied to know,
very basically, how a computer works; maybe they
know that there's a CPU and it's the brain of the
computer, but that's about it. They then quite
happily use their computer to write documents,
manage photos, listen to music, and do other stuff.
But to a hacker, that's not enough. A hacker wants
to know how it works, and not just in some
general, vague sense. A regular person might be
bored with that class that I took; they might think,
yeah, this is all fine and dandy, but I'll never use
this, so why do I need to do it? A hacker, on the
other hand, would be excited by that class; he'd
think yes, now I'll finally understand how an APU
works and its relationship to the rest of the CPU
architecture, as well as why assembly language
works!
That sort of inquisitiveness, that sort of curiosity
about the world, is what leads to a well-rounded
individual. Not just taking a few classes about
psychology and world history to fill a requirement,
but actually wanting to know something about
subjects that are new, even if they are completely
unrelated to computers.
That's what makes a hacker, whether they hack
computers, sound equipment, music, sculpture,
cars, wood, or whatever. They're the people that
want to know: not just automatons following
instructions, but curious, intelligent people with a
desire to know things so that they can understand
them and use them more effectively.
08
The Hackers Language
This document is a collection of slang terms used by various
subcultures of computer hackers. Though some technical
material is included for background and flavour, it is not a
technical dictionary; what we describe here is the language hackers
use among themselves for fun, social communication, and technical
debate.
The `hacker culture' is actually a loosely networked collection of
subcultures that is nevertheless conscious of some important shared
experiences, shared roots, and shared values. It has its own myths,
heroes, villains, folk epics, in-jokes, taboos, and dreams. Because
hackers as a group are particularly creative people who define
themselves partly by rejection of `normal' values and working habits, it
has unusually rich and conscious traditions for an intentional culture
less than 40 years old.
As usual with slang, the special vocabulary of hackers helps hold
their culture together -- it helps hackers recognize each other's places
in the community and expresses shared values and experiences. Also
as usual, not knowing the slang (or using it inappropriately) defines
one as an outsider, a mundane, or (worst of all in hackish vocabulary)
possibly even a suit. All human cultures use slang in this threefold way
-- as a tool of communication, and of inclusion, and of exclusion.
Among hackers, though, slang has a subtler aspect, paralleled
perhaps in the slang of jazz musicians and some kinds of fine artists
but hard to detect in most technical or scientific cultures; parts of it are
code for shared states of consciousness. There is a whole range of
altered states and problem-solving mental stances basic to high-level
hacking which don't fit into conventional linguistic reality any better
than a Coltrane solo or one of Maurits Escher's `trompe l'oeil'
compositions (Escher is a favorite of hackers), and hacker slang
encodes these subtleties in many unobvious ways. As a simple
example, take the distinction between a kluge and an elegant
solution, and the differing connotations attached to each. The
distinction is not only of engineering significance; it reaches right back
into the nature of the generative processes in program design and
asserts something important about two different kinds of relationship
between the hacker and the hack. Hacker slang is unusually rich in
implications of this kind, of overtones and undertones that illuminate
the hackish psyche.
But there is more. Hackers, as a rule, love wordplay and are very
conscious and inventive in their use of language. These traits seem to
be common in young children, but the conformity-enforcing machine
we are pleased to call an educational system
bludgeons them out of most of us before
adolescence. Thus, linguistic invention in most
subcultures of the modern West is a halting and
largely unconscious process. Hackers, by contrast,
regard slang formation and use as a game to be
played for conscious pleasure. Their inventions
thus display an almost unique combination of the
enjoyment of language-play with the
discrimination of educated and powerful
intelligence. Further, the electronic media which
knit them together are fluid, `hot' connections,
well adapted to both the dissemination of new
slang and the ruthless culling of weak and
superannuated specimens. The results of this
process give us perhaps a uniquely intense and
accelerated view of linguistic evolution in action.
Hacker slang also challenges some common
linguistic and anthropological assumptions. For
example, it has recently become fashionable to
speak of `low-context' versus `high-context'
communication, and to classify cultures by the
preferred context level of their languages and art
forms. It is usually claimed that low-context
communication (characterized by precision,
clarity, and completeness of self-contained
utterances) is typical in cultures which value logic,
objectivity, individualism, and competition; by
contrast, high-context communication (elliptical,
emotive, nuance-filled, multi-modal, heavily
coded) is associated with cultures which value
subjectivity, consensus, cooperation, and
tradition. What then are we to make of
hackerdom, which is themed around extremely
low-context interaction with computers and
exhibits primarily "low-context" values, but
cultivates an almost absurdly high-context slang
style?
The intensity and consciousness of hackish
invention make a compilation of hacker slang a
particularly effective window into the
surrounding culture -- and, in fact, this one is the
latest version of an evolving compilation called
the `Jargon File', maintained by hackers
themselves for over 15 years. This one (like its
ancestors) is primarily a lexicon, but also includes
topic entries which collect background or
sidelight information on hacker culture that
would be awkward to try to subsume under
individual slang definitions.
Though the format is that of a reference
volume, it is intended that the material be
enjoyable to browse. Even a complete outsider
should find at least a chuckle on nearly every
page, and much that is amusingly thought-
provoking. But it is also true that hackers use
humorous wordplay to make strong, sometimes
combative statements about what they feel.
Some of these entries reflect the views of
opposing sides in disputes that have been
genuinely passionate; this is deliberate. We have
not tried to moderate or pretty up these disputes;
rather we have attempted to ensure that
everyone's sacred cows get gored, impartially.
Compromise is not particularly a hackish virtue,
but the honest presentation of divergent
viewpoints is. The reader with minimal computer
background who finds some references
incomprehensibly technical can safely ignore
them. We have not felt it either necessary or
desirable to eliminate all such; they, too,
contribute flavour and one of this document's
major intended audiences --- fledgling hackers
already partway inside the culture -- will benefit
from them.
Because hackerdom is an intentional culture
(one each individual must choose by action to
join), one should not be surprised that the line
between description and influence can become
more than a little blurred. Earlier versions of the
Jargon File have played a central role in spreading
hacker language and the culture that goes with it
to successively larger populations, and we hope
and expect that this one will do likewise.
Of Slang, Jargon, and Techspeak
Linguists usually refer to informal language as
`slang' and reserve the term `jargon' for the
technical vocabularies of various occupations.
However, the ancestor of this collection was
called the `Jargon File', and hacker slang is
traditionally `the jargon'. When talking about the
jargon there is therefore no convenient way to
distinguish it from what a linguist would call
hackers' jargon --- the formal vocabulary they
learn from textbooks, technical papers, and
manuals.
To make a confused situation worse, the line
between hacker slang and the vocabulary of
technical programming and computer science is
fuzzy, and shifts over time. Further, this
vocabulary is shared with a wider technical culture
of programmers, many of whom are not hackers
and do not speak or recognize hackish slang.
Accordingly, this lexicon will try to be as precise
as the facts of usage permit about the distinctions
among three categories:
`slang': informal language from mainstream
English or non-technical subcultures (bikers, rock
fans, surfers, etc).
`jargon': without qualifier, denotes informal
`slangy' language peculiar to or predominantly
found among hackers -- the subject of this
lexicon.
`techspeak': the formal technical vocabulary
of programming, computer science, electronics,
and other fields connected to hacking.
This terminology will be consistently used
throughout the remainder of this lexicon.
The jargon/techspeak distinction is the delicate
one. A lot of techspeak originated as jargon, and
there is a steady continuing uptake of jargon into
techspeak. On the other hand, a lot of jargon
arises from overgeneralization of techspeak terms
(there is more about this in the How Jargon Works
section below).
In general, we have considered techspeak any
term that communicates primarily by a
denotation well established in textbooks,
technical dictionaries, or standards documents.
A few obviously techspeak terms (names of
operating systems, languages, or documents) are
listed when they are tied to hacker folklore that
isn't covered in formal sources, or sometimes to
convey critical historical background necessary to
understand other entries to which they are cross-
referenced. Some other techspeak senses of
jargon words are listed in order to make the
jargon senses clear; where the text does not
specify that a straight technical sense is under
discussion, these are marked with `[techspeak]' as
an etymology. Some entries have a primary sense
marked this way, with subsequent jargon
meanings explained in terms of it.
We have also tried to indicate (where known)
the apparent origins of terms. The results are
probably the least reliable information in the
lexicon, for several reasons.
For one thing, it is well known that many hackish
usages have been independently reinvented
multiple times, even among the more obscure and
intricate neologisms. It often seems that the
generative processes underlying hackish jargon
formation have an internal logic so powerful as
to create substantial parallelism across separate
cultures and even in different languages! For
another, the networks tend to propagate
innovations so quickly that `first use' is often
impossible to pin down. And, finally, compendia
like this one
alter what they observe by implicitly stamping
cultural approval on terms and widening their
use.
Despite these problems, the organized
collection of jargon-related oral history for the
new compilations has enabled us to put to rest
quite a number of folk etymologies, place credit
where credit is due, and illuminate the early
history of many important hackerisms such as
kluge, cruft, and foo. We believe specialist
lexicographers will find many of the historical
notes more than casually instructive.
Hacker Speech Style
Hackish speech generally features extremely
precise diction, careful word choice, a relatively
large working vocabulary, and relatively little use
of contractions or street slang. Dry humor, irony,
puns, and a mildly flippant attitude are highly
valued -- but an underlying seriousness and
intelligence are essential. One should use just
enough jargon to communicate precisely and
identify oneself as a member of the culture;
overuse of jargon or a breathless, excessively
gung-ho attitude is considered tacky and the
mark of a loser.
This speech style is a variety of the precisionist
English normally spoken by scientists, design
engineers, and academics in technical fields. In
contrast with the methods of jargon construction,
it is fairly constant throughout hackerdom.
It has been observed that many hackers are
confused by negative questions -- or, at least, that
the people to whom they are talking are often
confused by the sense of their answers. The
problem is that they have done so much
programming that distinguishes between
if (going) ...
and
if (! going) ...
that when they parse the question "Aren't you
going?" it seems to be asking the opposite
question from "Are you going?", and so merits
an answer in the opposite sense. This confuses
English-speaking non-hackers because they were
taught to answer as though the negative part
weren't there. In some other languages (including
Russian, Chinese, and Japanese) the hackish
interpretation is standard and the problem
wouldn't arise. Hackers often find themselves
wishing for a word like French `si' or German
`doch' with which one could unambiguously
answer `yes' to a negative question.
For similar reasons, English-speaking hackers
almost never use double negatives, even if they
live in a region where colloquial usage allows
them. The thought of uttering something that
logically ought to be an affirmative knowing it will
be miscarried as a negative tends to disturb them.
In a related vein, hackers sometimes make a game
of answering questions containing logical
connectives with a strictly literal rather than
colloquial interpretation. A non-hacker who is
indelicate enough to ask a question like "So, are
you working on finding that bug now or leaving it
until later?" is likely to get the perfectly correct
answer "Yes!" (That is, "Yes, I'm doing it either
now or later, and you didn't ask which!").
Email Quotes and Inclusion Conventions
One area where conventions for on-line writing
are still in some flux is the marking of included
material from earlier messages -- what would be
called `block quotations' in ordinary English. From
the usual typographic convention employed for
these (smaller font at an extra indent), there
derived a practice of included text being indented
by one ASCII TAB (0001001) character, which
under Unix and many other environments gives
the appearance of an 8-space indent.
Early mail and netnews readers had no facility
for including messages this way, so people had to
paste in copy manually. BSD Mail(1) was the first
message agent to support inclusion, and early
Usenetters emulated its style. But the TAB
character tended to push included text too far to
the right (especially in multiply nested inclusions),
leading to ugly wraparounds. After a brief period
of confusion (during which an inclusion leader
consisting of three or four spaces became
established in EMACS and a few mailers), the use
of leading `>' or `> ' became standard, perhaps
owing to its use in ed(1) to display tabs
(alternatively, it may derive from the `>' that some
early Unix mailers used to quote lines starting with
"From" in text, so they wouldn't look like the
beginnings of new message headers). Inclusions
within inclusions keep their `>' leaders, so the
`nesting level' of a quotation is visually apparent.
The practice of including text from the parent
article when posting a followup helped solve
what had been a major nuisance on Usenet: the
fact that articles do not arrive at different sites in
the same order. Careless posters used to post
articles that would begin with, or even consist
entirely of, "No, that's wrong" or "I agree" or the
like. It was hard to see who was responding to
what. Consequently, around 1984, new news-posting
software evolved a facility to
automatically include the text of a previous
article, marked with "> " or whatever the poster
chose. The poster was expected to delete all but
the relevant lines. The result has been that, now,
careless posters post articles containing the entire
text of a preceding article, followed only by "No,
that's wrong" or "I agree".
Many people feel that this cure is worse than
the original disease, and there soon appeared
newsreader software designed to let the reader
skip over included text if desired. Today, some
posting software rejects articles containing too
high a proportion of lines beginning with `>' -- but
this too has led to undesirable workarounds, such
as the deliberate inclusion of zero-content filler
lines which aren't quoted and thus pull the
message below the rejection threshold.
Because the default mailers supplied with Unix
and other operating systems haven't evolved as
quickly as human usage, the older conventions
using a leading TAB or three or four spaces are still
alive; however, >-inclusion is now clearly the
prevalent form in both netnews and mail.
Inclusion practice is still evolving, and disputes
over the `correct' inclusion style occasionally lead
to holy wars.
Most netters view an inclusion as a promise that
comment on it will immediately follow. The
preferred, conversational style looks like this,

     > relevant excerpt 1
     response to excerpt
     > relevant excerpt 2
     response to excerpt
     > relevant excerpt 3
     response to excerpt

or for short messages like this:

     > entire message
     response to message

Thanks to poor design of some PC-based mail
agents, one will occasionally see the entire
quoted message after the response, like this

     response to message
     > entire message

but this practice is strongly deprecated.
Though `>' remains the standard inclusion
leader, `|' is occasionally used for extended
quotations where original variations in
indentation are being retained (one mailer even
combines these and uses `|>'). One also sees
different styles of quoting a number of authors in
the same message: one (deprecated because it
loses information) uses a leader of `> ' for
everyone, another (the most common) is `> > > > ',
`> > > ', etc. (or `>>>> ', `>>>', etc., depending
on line length and nesting depth) reflecting the
original order of messages, and yet another is to
use a different citation leader for each author, say
`> ', `: ', `| ', `}' (preserving nesting so that the
inclusion order of messages is still apparent, or
tagging the inclusions with authors' names). Yet
another style is to use each poster's initials (or
login name) as a citation leader for that poster.
Occasionally one sees a `# ' leader used for
quotations from authoritative sources such as
standards documents; the intended allusion is to
the root prompt (the special Unix command
prompt issued when one is running as the
privileged super-user).
International Style
Although the Jargon File remains primarily a
lexicon of hacker usage in American English, we
have made some effort to get input from abroad.
Though the hacker-speak of other languages
often uses translations of jargon from English
(often as transmitted to them by earlier Jargon File
versions!), the local variations are interesting, and
knowledge of them may be of some use to
travelling hackers.
There are some references herein to
`Commonwealth hackish'. These are intended to
describe some variations in hacker usage as
reported in the English spoken in Great Britain and
the Commonwealth (Canada, Australia, India, etc.
-- though Canada is heavily influenced by American
usage). There is also an entry on Commonwealth
Hackish reporting some general phonetic and
vocabulary differences from U.S. hackish.
Hackers in Western Europe and (especially)
Scandinavia report that they often use a mixture
of English and their native languages for technical
conversation. Occasionally they develop idioms in
their English usage that are influenced by their
native-language styles. Some of these are
reported here.
On the other hand, English often gives rise to
grammatical and vocabulary mutations in the
native language. For example, Italian hackers
often use the nonexistent verbs `scrollare' (to
scroll) and `deletare' (to delete) rather than native
Italian `scorrere' and `cancellare'. Similarly, the
English verb `to hack' has been seen conjugated in
Swedish. European hackers report that this
happens partly because the English terms make
finer distinctions than are available in their native
vocabularies, and partly because deliberate
language-crossing makes for amusing wordplay.
A few notes on hackish usages in Russian have
been added where they are parallel with English
idioms and thus comprehensible to English-
speakers.
09
Cyber War: It's Child's Play
Cyber war is nothing but an eyewash; actually speaking, cyber war is
a created hype by some old kids, in which one thinks himself a
soldier, others as toy guns, and the computer as his kingdom. The
little knowledge he possesses is his wisdom, and the tools he possesses
for hacking are his arms and ammunition. The so-called cyber war
soldiers are living in their own imaginary world, and each one of them
thinks he is superior amongst them. Giving too much importance to this
particular term, Cyber War, creates nothing but fear in the common
public and in hackers aspiring to this career as their living and
passion. These so-called war participants are nothing but notorious
small-time criminals. They should be punished. If one particular group
of hackers is clutched, then the maximum can be traced and the authentic
hackers can sustain with integrity. It's high time that the faces of
these disguised hackers are exposed to the common masses.
The hacking rivalry between Pakistani and Indian hackers is known to
almost everyone. Pakistani hackers are known to be the most unethical
hackers by Indian hackers. This cyber war is never going to stop,
because the group of hackers who are hand in glove with each other are
making this trait a publicity gimmick. It's just "you scratch my back
and I scratch yours". This has infected several countries across the
globe. In the age of technology wars, the battles are not fought by
weapons or atomic powers, but it's on the rise; through the advent of
Information Technology, the pace of cyber wars between Pakistan and
India has also increased. All these low-profile
hackers are either engineering students or just
school-going kiddos who learned hacking
from various tools openly provided on search
engines. It's an itch in them to create a horrifying aura
and overhype the meager issues. One particular
group from the north is doing this. I know that after
publishing this article they may create trouble for
me, as their basic instincts are destructive. I give
damn because I am blessed with the best hacker friends
and a brother to tackle these goons. Actually,
information is a source of learning. But unless it is
organized, processed, and available to the right
people in a format for decision making, it is a
burden, not a benefit.
Actually the genuine cyber wars between the
two countries first started in May 1998, when India
conducted its nuclear tests. Soon after India
officially announced the test, a group of hackers
called milw0rm broke into the Bhabha Atomic
Research Center web site and posted anti-India and
anti-nuclear messages. This hacking had an
intention to protest the deal. Recently it seems like
cyber war has become a publicity tool between
Pakistani hackers and Indian hackers. The irony is
that they use country flags to display the bonding
of love for their own country. If by hacking Indian sites
Pakistani hackers are doing crime, then by doing the
same even Indian hackers are criminals. In the
recent past, when I started interacting with hackers
for my forthcoming magazine cyber Ghosts, I
met different characters. They have got nothing to
do with your country; they have got nothing to say
except displaying their credentials as some great
hacker. Some groups have made a mockery of this
little knowledge; they pursue schools and colleges,
conduct seminars, charge the students and make
big money by making this subject a taboo. Young
minds nowhere take any participation in securing
systems; they just get attracted to the word hacking. The
practice starts with hacking a girlfriend's mail,
password, then the school website domain. And this
extends into hacking all wanted and unwanted
arenas. By conducting these kinds of unofficial
seminars (I am calling them unofficial because so far
government-recognized training centers of this kind are
hardly in existence), private so-called ethical hacking
training camps are mushrooming in every part of
India. Blogging on "learn hacking" is another blot on
this black trait. If you have a glance at all these
so-called sites and blogs, they are all somewhat similar.
Hardly will you find something authentic. This
particular group of hackers are worse than
terrorists. They are misguiding the youth of this country.
They themselves have divided into various groups:
Andhra hackers, south hackers, Nepali hackers,
Punjabi hackers, Maharashtra hackers, tiger
hackers (from Kolkata), etc. There is no
harmony amongst them; they are all Indians but still
big rivals to each other. Some of them even created a
cyber army. The history says this all started when
IGCOE Hacker from India hacked the Punjabi Pakistani
Police official website. In response to it, Pakistani
hackers hacked several of India's official websites.
Cyber war has gone in so deep and is hidden in
horrifying layers. This techno war has taken a cruel
shape. There are so many Indian hackers working
for Pakistan, and at the same time there are many
Pakistani hackers just committed to their work,
having no bad or malicious intention against India.
For me these Indian hackers are the biggest threat
to my country. Tracing these hackers is not a big
issue, but it's difficult because they are operating
from other countries. But the question that remains
here is why the Government has failed to track down
Indian unethical or Pak agencies' agent hackers of
India? There should be a combing operation to
eradicate this evil. As per the Indian constitution,
hacking is a crime, let it be ethical or unethical. The
irony is that other nations are using these hackers to
sabotage neighboring countries as well as protect
their own cyber world. Actually, if given a chance, or
if Indian hackers are taken into confidence, they can
create wonders by protecting the entire cyber network
of India, because India has the most efficient hackers on
the globe. But unfortunately they have gone
haywire. I would like to cite an example here: buying a
domain is not difficult; the domain owner keeps all
the security procedures, he possesses all panels with
him. Key panel access is always with the domain
owner. Let any password or admin go here and
there, but the server's crucial info is always with the
domain owner, and every activity is traced here. One
can hack http but not the domain, WHICH IS EASILY
RECOVERABLE. The hacking is done on a very
superficial level of these particular websites, but
hundreds of such low-profile sites are hacked and
yet not recovered. Why? Who is doing it? Who are the
supporters? It's a big mystery of this hacking
industry.
No doubt both Pakistani and Indian websites got
hacked, which means that both the countries suffered
security threats. This battle may result in loss of
innocent people who are not part of the war. A so-called
great hacker's website was hacked in December 2009: it
was Fadia's business site, hackingmobilephones.com,
which was hacked by a spammer promoting pharmaceutical
products for erectile dysfunction. The question that remains
here is why this so-called INDIA'S BEST HACKER
couldn't protect his site from other hackers? If given a
chance and assurance, capable hackers of this
country can do much, much more than Fadia. It's
high time the Government took the help of these
hackers to protect our own cyber network and used
them as a cyber army. The recent Independence Day was
a nightmare for some of the webmasters and website
owners of both India and Pakistan. The attack was
started by Pakistani hackers defacing some Indian
websites on 14th August; this was followed by a counter
attack from Indian hackers. In the counter attack from
both the sides, a lot of websites were hacked and
defaced. The attack was started by Pakistani groups
called Pak Cyber Army and PakHaxors; these groups
have defaced around 10-20 websites. The counter
attack was led by Indian hackers called Indishell and
Indian Cyber Army, who are claiming to have defaced more
than 2000 Pakistani websites, but Zone-h data confirms
the 1000+ figure. Indian hackers always thought they
were too sophisticated to fall into the hands of the
rough cops in this country, whom various human rights
groups routinely accuse of brutality. Why should the
government and police be so merciless with the
hackers? They want to be on the official side of Internet
security now, but they are scared, because when they are
treated as criminals it leaves an unpleasant taste.
Indian hackers don't have a strong united community,
so it's difficult to tell if there is a drop in activity; maybe
that's the reason the hackers are lying low. Nobody
wants to mess again.
Defaced site of security expert Ankit Fadia
10
In India there can be female hackers, but hardly
any name is in the news or limelight. Long back,
one name that was constantly heard was Tia
Malhotra of ICW, but in the recent past I have
seen girls as the best of security persona, best at
reverse engineering, best at search engine
optimization; they are the best of the techies, but I
have hardly seen any one defacing sites with
messages on it. If we go back, then within
computer culture, and especially hacker culture,
women are rare. There were (and perhaps still
are) a few women in the telephony related profession since it is
normally considered a female profession. (Most switchboard operators
and such are women). Rave culture is a little more equal, with about a
third of the audience being female. Among the hobby hackers and the
criminal hackers, there's only the occasional female enthusiast.
Fortunately (I think), more and more women, especially at the
universities, have discovered computers through the Internet. Often,
someone starts out using the computer as a typewriter, then she hears
of online discussion groups and forums for her major, and once she' s
tried communication over the Net, she' s bitten. The most famous
female hacker went under the pseudonym Susan Thunder. (Allow me
to jump back and forth a bit between the themes of the book). Susan
was a textbook example of a maladjusted girl. She' d been mistreated
as a kid, but was of the survivor kind. She became a prostitute as early
as her teens, and earned her living working LA brothels. On her time
off, she was a groupie, fraternizing with various rock bands. She
discovered how easy it was to get backstage passes for concerts just by
calling up the right people and pretending to be, for example, a
secretary at a record company. She became an active phreaker at the
very end of the 70' s, and was naturally an expert at social engineering.
Soon, she hooked up with a couple of guys named Ron and Kevin
M itnick, both notorious hackers, later to be arrested for breaking into
the computers of various large corporations. Susan' s specialty was
attacking military computer systems, which gave her a sense of power.
To reach her objectives, she could employ methods that would be
unthinkable for male hackers: she sought out various military
personnel and went to bed with them. Later, while they were sleeping,
she could go through their clothes for usernames and passwords.
(M any people kept these written down on pieces of paper in order to
remember them). Susan therefore hacked so that she could feel a
The fairer side of
hackers
sense of power or influence in this world, despite
her hopeless social predicament. For her, hacking
was a way to increase her self-esteem. She was
determined to learn the art of hacking down to
the finest details. When her hacker friend, Ron,
didn' t take her completely seriously, she became
angry and did everything she could to get him
busted. Another reason for her anger was,
supposedly, that she had had short relationship
with him but he had chosen another, more
socially acceptable girlfriend over her. It was
probably Susan who broke into U.S. Leasing' s
systems and deleted all the information off one
computer, filling it with messages such as " F* * K
YOU F* * K YOU F* * K YOU" , and programming
the printers to continuously spit out similar
insults. Among all the profanities, she wrote the
names Kevin and Ron. The incident led to the first
conviction of the legendary Kevin.
When Ron and Kevin were arrested, Susan was given immunity from
prosecution in return for witnessing against them. Later, she referred
to herself as a security expert, and conspicuously demonstrated how
easily she could break into military computers. It is beyond all doubt
that Susan really had enormous capabilities, and that she really could
access top-secret information in military systems. It is less certain
that she could fire nuclear missiles. It is clear that she couldn't do
it using only a computer. Possibly, with her access to secret phone
numbers, personal information, and security codes, she might have been
able to trick the personnel at a silo into firing a missile. I really
hope that she couldn't. Stories about hackers like Susan provided the
basic idea for the movie War Games. Susan has currently abandoned
hacking in favor of professional poker playing, which she engages in
with great success. However, Susan is more of the exception that
confirms the rule when it comes to hacking as a male endeavor. This
phenomenon has lots of candidate explanations, ranging from moronic
propositions that computers are unfeminine because they were invented
by men (like the sewing machine, the coffee maker, and the telephone),
to suggestions that women are somehow alien to the internal competition
for status and arrogance that characterizes hackers. All of this is
naturally bullshit. The real reason for the inequality within the
computing world is probably that many women are raised to fulfill
passive roles. While men learn to passionately engage themselves in
discussion over, for example, things on the TV screen, women learn to
passively observe and act as social complements on the sidelines.
Passion, assertiveness, and arrogance, all typical characteristics of
hackers, are seldom encouraged. Women are taught a superficially
passive demeanor, in which their only possibility for action is by
entrusting it to the hands of men. All exploration of new territory
apparently has to be done by men. (Preferably young men.) As an
example, look at our traditional way of handling emotional and sexual
relations, where the general trend is still that men take the
initiative and women should provide the passive, nurturing factor.
Another factor is that men are more solitary than women. It's an open
subject as to why this is, but it is obvious that it is incredibly
difficult to break this pattern.
Since hackers are normally of an age in which it is very important to
externally display one's gender identity, many women distance
themselves from computers out of fear of seeming "unfeminine". This
act, which is perceived as an autonomous decision by the individual, is
actually part of the social indoctrination of traditional gender roles.
Parents and relatives add to this by giving computers almost
exclusively to boys, and almost never to girls. Among the home computer
hackers during the period of 1980-89, about 0.3% were female, according
to rough estimates. In the U.S., there was a female Apple II cracker
who managed to liberate around 800 games from their copy protection. In
Europe, the most famous female hackers were part of the TBB (The
Beautiful Blondes) group, which specialized in C64 and consisted of
four women under the pseudonyms of BBR, BBL, BBD, and TBB, of which BBR
and TBB were programmers. They became known on the Scene through a
number of demos toward the end of the 80's. Cynically enough, both BBR
and TBB died in 1993, not even reaching the age of 20. Among today's
Amiga and PC enthusiasts, the proportion of women is a little higher,
somewhere around 1% (Source: The Mistress in Skyhigh 17, 1995).
At MIT, the cradle of hacker culture, there weren't any women at all.
There were female programmers who used the machines, and even really
good ones, but they never developed the obsession found among the young
men at MIT. These hackers thought it had to be a matter of genetic
differences that caused the women to not fall into this obsession. This
is a dangerous opinion and absolutely untrue.
According to statistics, most boys who become intensively engaged in
computing are around 14-15 years old. The same preoccupation occurs in
women too, but usually about two years earlier, since their biological
clock dictates it. Most people know what 12-year-old girls can get
caught up in with such intense interest that they forget social duties
and just concern themselves with the hobby for its own sake. The
women's (or, rather, the girls') equivalent of the rather fickle but
enchanting object known as the computer is another object with similar
characteristics - a four-legged one, which we usually call a horse. In
many cases the similarities are striking, even though it is difficult
to prove that the same mechanisms lie behind it. Programming a computer
is really not that different from teaching a horse to jump fences. It
includes the same measure of competition, control, and ceremony. With
the boys in front of the computer, there's an almost empathic passion,
just like it is with the girls in the stables.
It's completely obvious that if this trend continues, men will acquire
the power in a future society largely built on computer technology. It
would be a good thing if more women used computers. Even hackers
generally have a positive attitude towards seeing more women in their
male-dominated fields. The few women that exist on the Scene have been
very successful, and received lots of attention as "exotic" phenomena.
The respect for female hackers is very great. Supposedly, there are
also female hackers who have hidden their gender and are assumed to be
male by their hacker friends. The thrill of playing out such a role
isn't hard to understand. For the first time in history, it's been
possible to assume a gender opposite of one's own without great
difficulty, and for a woman to really be treated like a man.
The German police sometimes use this respect for female hackers to bust
hackers and software pirates. By publishing posts and ads on BBSs and
in computer magazines, using female names, they attract the attention
of their targets. It is a matter of argument whether it's ethically
correct to exploit people's emotions in this manner in order to fight
crime, and it obviously does no service to equality. It becomes even
more difficult for women to break into a sub-culture where they might
be suspected of being law enforcement moles.
Pornography
One cannot fail to note the preponderance of male chauvinism on the
Internet and in the home-computing world. Basically, it all started
with the game Softporn for the Apple II, by the Sierra On-Line computer
company, and the even more successful sequel for the IBM PC: Leisure
Suit Larry. The object of the two games is the same: getting women into
bed. The fact that the Internet is crawling with soft- and hardcore
pornography doesn't help things either. Whether or not this is a sign
of a screaming need for sexual stimulation among male computer users is
hard to say. (In any case, there's no shortage of pictures of naked
men.) Naturally, it's less embarrassing to download pictures to your
computer than going out and buying porn mags - since no one can see
what you're doing. (As far as you know, at least.)
A large part of the pictures available on the Internet are marketing
tools for different pay-BBSs, from which you can retrieve even more
pictures - if you pay. As usual there is, in the porn industry, a
ruthless commercial interest in the Internet. Sex sells, and the Net is
used as bait in a new and lucrative market. I'm going to emphasize that
this is mostly a trend in the U.S. I have yet to hear of a Swedish BBS
that works this way - instead, in Sweden it's free to download the
pictures, which the users engage in with abandon. A few porn magazines
have opened their own Internet zones which users have to pay to gain
access to. Some PC enthusiasts have gotten a bug for collecting porn
pictures, and collect them in the same manner as others collect stamps
or trading cards. Actually, this hobby isn't anything strange. During
the early years of hacking, many collected thousands of computer games
just to have them. It was forbidden, since the manufacturers claimed
that copying the games was prohibited. The pornographic pictures are
both taboo and copyright-protected, since they are almost always
scanned from porn magazines. It should be added that the porn industry
is less than pleased with this type of distribution.
Censoring these pictures on the network is virtually impossible, and
not necessarily desirable. The Internet is based on the supposition
that you search for the information that you're interested in, and that
you thereby bypass information that you find irrelevant, and this is
the philosophy that colors the attitude of those who maintain the
network. Whoever publishes the information holds the responsibility,
and the middleman cannot be blamed for anything. It would be just as
consistent to accuse Telia or the postal service of being accessories
in crime for not conducting enough surveillance and letter-scanning.
Communication should be free.
SUNET (Swedish University NETwork), under the command of Björn Eriksen,
distributes the Internet in Sweden. They have so far consistently
refused to interfere with the flow of information. (And I hope they
never will.) Individual universities, however, have (following public
awareness) started to block certain discussion groups with themes such
as piracy, sex, suicide, and drugs. Blocking pictures in general,
however, is much trickier, not to say impossible. If someone encrypts
the pictures, it becomes completely impossible to stop them. The only
thing you can do is monitor the pictures stored on the computers inside
your own organization, which has led to public intervention against
pornography at the Lund and Umeå universities, among others. If you
really wanted to crush the market for the porn industry, you could
simply remove its entitlement to copyrights for its products. This
would immediately ruin the market for the established industry, and
force the companies to go bankrupt in just a couple of years.
I will, for the sake of clarity, add that most women who are actively
involved with BBSs and the Internet take the whole thing in good
stride. If someone insults them with profanities, they usually respond
with the text version of a pat on the head - "There, there, calm down
now", or something similar. Even if cyberspace is male-dominated, we
can comfort ourselves with the fact that the world's first programmer,
George Byron's daughter Ada Lovelace, was a woman. Ada was a real
hacker, by the classic definition. She was the product of a failed
marriage between Byron and Annabella Milbanke. Just like many
contemporary hackers, she escaped painful emotions by dedicating
herself to the natural sciences together with her friend Charles
Babbage, and completely immersed herself in the quest to construct the
analytical machine.
In India, Tia Malhotra of Indian Cyber Warriors was one of the famous
hackers, and now, recently, a student from Russia, who has been accused
of a plot to defraud British and U.S. banks of millions, has been
dubbed the 'world's sexiest computer hacker'.
Kristina Svechinskaya, 21, who was part of a gang aiming to steal 220
million dollars, appeared in court wearing leather boots and skin-tight
jeans, the Daily Mail reported.
She is set to make another appearance in court after being charged with
conspiracy to commit bank fraud and false use of passports, and if
convicted, she could be jailed for up to 40 years.
In total, 37 people have been accused in New York over an East
European-based plan to use an Internet virus to siphon money from the
online accounts of small businesses and individuals.
Svechinskaya was one of four students at New York University said to
have acted as "money mules" by opening hundreds of accounts.
Prosecutors claim she opened at least five bank accounts, which
received 35,000 dollars of the stolen money.
The Eastern European gang made 2 million pounds a month from online
accounts by stealing victims' log-in details using 'Trojan horse'
software which can be bought for just 300 pounds over the Internet.
According to the FBI, the ring managed to rake in around 70 million
dollars of the huge amount it targeted.
11
Facing man's world
The experience of women at the entry levels of the hacking scene,
mostly in online chat groups, is one of relentless sexual harassment.
It is a hard battle for women to be respected in a culture dominated by
teenage boys - for women hackers, there's a different kind of glass
ceiling to break.
Hacking has traditionally been a man's world. But women are quietly
breaking into the hacker subculture, a loose group of computer
enthusiasts who meet in online chat rooms and at real-life conventions.
Not surprisingly, as in other male-dominated spheres, these women are
often harassed and mocked by certain insiders - though here it is by
teenage boys, who make up most of the entry levels of hackerdom.
The chat rooms where beginner hackers often learn technical tricks are
stocked with "little hacking boys from hell - how awfully rude they
are, and how intelligent they are," according to a hacker who goes by
the handle Natasha Grigori and heads antichildporn.org, an organization
of hackers who track down child pornographers on the Net.
R-E-S-P-E-C-T
But the few female hackers don't network with each other - in fact,
some of their greatest trouble comes from other women, called "scene
whores" - hacker groupies who use sex to get ahead.
Fortunately, the few women who break through to the elite ranks of
hacking find that at the top, what matters is your technical skills,
not your gender.
"If you can match their [male hackers'] skill level and better it,
they'll give you every ounce of respect. It's when a female comes in
and tries to play on her being feminine, that doesn't get you
anything," says Blueberry, a 32-year-old woman from Brisbane,
Australia, who founded condemned.org, another anti-child porn
organization.
ABCNEWS.com spoke to more than a dozen female hackers from the United
States, Australia and New Zealand for this two-part series. They looked
at who the female hackers are; this week, we examine the challenges
they face.
A note about names: Like most hackers, these women choose to go by
online handles. Real names will be specifically marked as such.
Hackers vs. Scene Whores
Courtnee, a 20-year-old hacker from the Pacific Northwest, says the
prevalence of hacker groupies makes it more difficult for true female
hackers to get respect. (www.twistedlens.com).
There are plenty of women at hacker conventions - they're just not all
hackers. Some are girlfriends, some wives. But the female hacker's
nemesis is the scene whore. These latex-clad hacker groupies haunt
conventions and offer teenage boys cyber sex in chat rooms to boost
their own self-esteem, female hackers say.
"The average woman, in today's society, could remain unnoticed," says
Blaise, a 29-year-old woman from New Zealand. "Looking at an average
woman in a computer society that consists of mainly antisocial men, she
will be the center of attention. It's those girls that give every woman
a reputation...and that is what you have to prove yourself against
before you gain any respect."
And the prevalence of scene whores has shattered any female solidarity
that might exist among the hacker community, as groupies fight over the
most highly skilled men and real female hackers fight the boys'
assumption that all women in the scene are groupies.
"When I first started in the scene, this one person said, you know, you
can be my cyberwhore and you'll be elite through association," says
Blueberry, who says she rejected the advance.
Dark Tangent, head of Defcon and a prominent male hacker, remembers a
scene whore having videotaped sex with a male hacker in an elevator at
the convention's Las Vegas hotel. He warns of evil groupies who
condition poorly adjusted male hackers to think of women as sex toys.
Natasha says she regularly has to throw women out of the IRC chat room
that she hosts because they disrupt the tech talk by offering cybersex
to her teenage charges.
"It's really bad as far as the women ripping each other to shreds. This
whole cybersex thing really bothers me," Natasha says.
A_kitten, a 34-year-old woman from California whose Web site features
sexy photos of herself, has been described as everything from a scene
whore to a cult leader by terrified male hackers unwilling to give
names to a reporter for fear of her legion of groupie script kiddies
who used to crash sites on her command.
She doesn't deny using her femininity to get her way in a
male-dominated society.
"People just assume that since I am a girl and I have that power that I
must be abusing it," she says. "I think some guys are intimidated or
offended by the natural power that women possess."
But St. Jude Milhon, a prominent hacker from Berkeley, Calif., doesn't
see using feminine wiles as part of the spirit of hacking. "It wouldn't
be sporting. Simply be present, honest, reasonably competent, female,
and everyone's aghast."
Fighting to Be Heard
But it's a hard battle for women to be respected in a culture dominated
by teenage boys. The experience of women at the entry levels of the
hacking scene, mostly in online chat groups, is one of relentless
sexual harassment.
British sociologist Paul Taylor, author of Hackers: Crime in the
Digital Sublime, terms this the "Wild, Wired West," a rough-and-tumble
social environment determined by the attitudes of insecure teenage boys
trying to impress each other with typed testosterone.
"It's almost like some Lord of the Flies-type environment," he says,
referring to William Golding's novel about a group of teenage boys who
descend into feral savagery when cut off from civilization.
The anonymity of online interaction also fuels sexual harassment,
making it more difficult to enforce social rules and freeing the most
maladjusted young men to take out their sexual frustrations on people
with feminine handles, Taylor says.
"The first time I posted, I posted with a woman's nickname. I was
ripped to shreds: 'You're a woman, get off here, we're not going to
help you,'" Natasha says.
When RosieX, founder of the Australian cyberfeminist magazine GeekGirl,
got into the online bulletin board scene in 1990, she found women so
intimidated by that attitude that they pretended to be male to avoid
harassment.
"I was frustrated, because I wanted to learn skills and all the boys
wanted to do was f---," she says.
Even a_kitten, who takes pride in her power over those boys, sneers at
them.
"For every 50 jerks on IRC, I stumble upon one nice guy that I can talk
to," she says.
Non-Sexist Elite
But the sexual gantlet seems to fade with experience. Defcon's Dark
Tangent says top-rank hackers generally stay away from the IRC
channels, waiting to see whose thirst for knowledge is great enough to
survive the savage atmosphere. To them, skill is all that matters, not
the body it comes in.
"When you interact with people such as the L0pht, or the cDc or the
most experienced members of the hacker culture, gender is a non-issue.
It's what you know that matters, and less who you are," says Javaman, a
Philadelphia-area hacker. "There is sexism at the lowest levels, but
among the more skilled people, the more able people, it really is a
non-issue."
And at conventions, hackers seem to love nothing more than a woman who
can fix a network breakdown. Though they're tormented online, for some
reason the rare women in hacking are treasured in person, female
hackers say.
"Girls are victimized only in the bodiless state - in the flesh,
they're objects of wonder and fascination," says Milhon.
Hacker Hangouts
There's much debate among hackers as to what exactly is the hacker
"scene." There are plenty of hackers who aren't part of the scene, and
plenty of people - such as scene whores, girlfriends and just
hangers-on - who aren't hackers but who also hang out with them. Here
are some places hackers congregate:
IRC chat rooms: Hackers largely eschew AOL chat and Instant Messenger
for this older form of chat. Rooms like #hackphreak are full of script
kiddies, aggressive teenage boys who form the bottom of the hacker food
chain. More experienced hacker groups have invitation-only rooms to
which they invite promising techies. Scene whores are common here, and
female hackers often have to fight off the foul-mouthed boys.
2600 meetings: A step above the IRC bunch, these in-person, scheduled
meetings (named after a hackers' magazine) let young hackers around the
country socialize with their nearby peers.
Conventions: At annual meetings like Defcon in Las Vegas and HOPE in
New York, thousands of male and female hackers get together to discuss
computer security. Top hacking groups give lectures, people trade lots
of software and script kiddies try to prove their skills to their
elders.
Private clubs: This is where the top minds trade information. On Web
pages, through e-mail and in person, groups of experienced hackers push
their machines to the limit in the search for advanced technical
knowledge.
12
Understanding Hackers
Most hackers in India are young men who think they're doing the system
a favor by exposing flaws, according to police, researchers and
hackers. According to psychiatrists, hackers and computer-security
experts, they represent the vanguard of cybercrooks: young, misguided
males who rationalize that they've done nothing wrong. I have almost
five hundred online hacker friends. They are between the ages of 15 and
a maximum of 25. If you see their profile pictures, you will be
surprised and forced to think over their mental status. They use all
kinds of horrifying and weird pictures as their profile pictures, and
the profiles are almost full of the F word and abuses. These kids have
lots of attitude and they understand only one language, that is, the
hacker's language. Probably they don't like people having clear-cut,
revealed information about themselves. Negative thoughts are attached
to the word hacker. In the beginning there were hackers (people who
worked on computers, programmed and made things work) and crackers
(people who would use computers for nefarious purposes, crimes,
viruses, etc.); these were two distinct camps, with some miscreants
jumping the fence back and forth to confuse the issue. Regardless,
somewhere along the way popular culture (movies, news, your teachers
probably) began to equate hacking with the bad, crime-ridden activity
that cracker was supposed to cover. There is a community, a shared
culture, of expert programmers and networking wizards that traces its
history back through decades to the first time-sharing minicomputers
and the earliest ARPAnet experiments. The members of this culture
originated the term `hacker'. Hackers built the Internet. Hackers made
the Unix operating system what it is today. Hackers run Usenet. Hackers
make the World Wide Web work. If you are part of this culture, if you
have contributed to it and other people in it know who you are and call
you a hacker, you're a hacker. The hacker mind-set is not confined to
this software-hacker culture. There are people who apply the hacker
attitude to other things, like electronics or music - actually, you can
find it at the highest levels of any science or art. Software hackers
recognize these kindred spirits elsewhere and may call them hackers
too - and some claim that the hacker nature is really independent of
the particular medium the hacker works in. But in the rest of this
document we will focus on the skills and attitudes of software hackers,
and the traditions of the shared culture that originated the term
`hacker'.
There is another group of people who loudly call themselves hackers,
but aren't. These are people (mainly adolescent males) who get a kick
out of breaking into computers and phreaking the phone system. Real
hackers call these people `crackers' and want nothing to do with them.
Real hackers mostly think crackers are lazy, irresponsible, and not
very bright, and object that being able to break security doesn't make
you a hacker any more than being able to hotwire cars makes you an
automotive engineer. Unfortunately, many journalists and writers have
been fooled into using the word `hacker' to describe crackers; this
irritates real hackers no end. The basic difference is this: hackers
build things, crackers break them.
To make friends with these hackers, I made my profile as 'cattechie',
which was my code name. It was full of attitude, dialogues in the
profile, some info on hacking tools, and some links to hacked websites.
I prepared all kinds of weird statuses and started adding all the
hackers to my profile, one by one. Eighty percent of them were nubs.
They are not even hackers; the term hacking is far away from them.
Almost every one of them wants to be a billionaire overnight by
learning hacking tools. The co-author of this book and Indishell's
c0de3reaker helped me understand the psyche of these kids. They do all
this kind of R&D secretly, since they are scared of their parents,
community and police. They sit overnight at their computers
experimenting with hacking; they are unsuccessful most of the time.
They join forums and communities, and their whole world revolves around
hackers and tools.
Most of the hackers you will find possess lots of ego and attitude and
a totally different mindset. At the early stage it was very difficult
for me to interact with these people but, as time passed, I slowly
learned their way of interaction, their attitude, and their late night
forums and chatting. After some time, I too became one of the active
members like them and explored the new hidden world of hackers.
Cattechie became famous since it was the only female hacker on
Facebook. I started getting a good number of friends following. Their
motivation is money, money and money, and for that they cover a huge
vulnerability in the Internet's design that lets cybercrooks silently
redirect traffic to websites under their control. Most hackers do not
see themselves as criminals. They simply believe they are showing
vulnerabilities in the system. Many are adamant but are innocent.
"These are rattlesnakes without the rattles." Most of the hackers are
even exploited by the nearby cyber cell to hack or dig up info as
directed by police. If you remember the movie A Wednesday, a hacker was
called in to trace Naseeruddin Shah. Actually it was just a film but,
in reality, the hackers are not like what has been portrayed.
They celebrate their birthdays by hacking a site and displaying a
message on it; they dedicate hacked sites to fellow hackers. That is
nothing but an exchange of emotions for them. Whatever their appearance
reflects as a hacker, they are the best friends one can ever have on
this earth. For me they are the heroes of the computer revolution.
13
Cyber Hack
I am always surprised by the big claims made by the cyber crime cell. A
few months ago we spoke to Vijay Mukhi about one donotdial100.web; the
website was against Mumbai police and Maharashtra Police. The person
who created this blog is a very much infamous journalist. But Mr. Mukhi
avoided it, saying this site is created in Pakistan and we can do
nothing. Mumbai Cyber Lab is a unique initiative of Police-Public
collaboration for training of police officers of Mumbai police in
investigation of cyber crime. Conceived during the year 2004, Mumbai
Cyber Lab was made operational on 8th March 2004. It imparts basic
training to the officers posted at different Police Stations and has
trained 842 officers till date. This is what their website says, but
actually speaking, recently this website itself was hacked by some
young guys and the police were unaware of the same. The objectives of
Mumbai Cyber Lab can be anything, but the department is not only
inefficient but also lacking on various fronts.
Mumbai Cyber Lab is jointly operated by Mumbai Police and some IT
company. It has one server and nine state-of-the-art computers. One
officer from the Cyber Crime Cell along with one computer-trained
constable has been attached to the Lab. There is also a Project
Manager, who is the overall in-charge of the lab. Training is imparted
by cyber cell officers and volunteers. The kind of training given is
just average information, for which you do not require any sort of
show-off. They need to know about intellectual property theft in
cyberspace; in other words, what is going on with the "Advanced
Persistent Threat" (APT)? Just this past year, it seems like the APT
acronym has really emerged as the catch-phrase for the security
industry. This activity can be called cyber espionage, or the new
generation can call it APT.
This year there have been so many public demonstrations of large
APT-styled attacks: Google, the Indian Government. iDefense sources
tell us that the actual target numbers, the ones that are not being
reported, are in the thousands. The point is that, thanks to Google
going public with its incident, a lot of organizations are now aware of
this style of threat. They were ignorant about it before and didn't
understand that these kinds of activities have really been going on for
the past decade. That's the good news. The more people that understand
the threat, the better we can all protect our enterprises. The bad news
is that there is not a lot of consensus about what we are supposed to
do about it. Our Mumbai police jump right to detection. They think the
most important thing you can do to defend yourself against the APT is
to detect and eradicate the activity on your network. I don't disagree
that we all should be doing that, but I would like to make an argument
for putting some significant effort into prevention. If it is true that
the number of victims that have been penetrated by some APT group is in
the thousands, shouldn't we pretty much assume that we can all be had
by these players and that we all might have something useful that they
want? If thousands of victims exist, doesn't that mean that our
traditional cyber security defenses are not working? And that the
so-called expertise is inefficient?
Off the top of my head, here are some things network defenders should consider. Assuming that some APT organization is attacking your enterprise, what do they want? Two things come to mind: they want the secret sauce that makes your company unique and they want leverage in any contract deal that is currently underway. To protect this, use physical separation between the corporate networks, the secret sauce, any Merger & Acquisition (M&A) groups and any contract deals. Defend the walls of these networks rigorously. Ruthlessly enforce the "Need to Know" rule for each separate network. If you do not need to know about an M&A deal, you don't get into that network. Encrypt everything in transit and at rest. This includes data on your smartphone.
If you are traveling in foreign countries, use throw-away laptops and phones. Label all documents and e-mail with the appropriate data classification. Do not allow designated classifications out of each separate network. For the exceptionally paranoid, install beacons in all documents: small snippets of code layered into headers or footers that call home every time a user opens them. I know these remedies are not as sexy as catching the APT groups in the act. Sometimes, the least sexy remedies are the most effective. In addition, these remedies seem a little paranoid; however, if the victim list is in the thousands, isn't it time to be a little paranoid?
Although the attackers targeted victims from around the world, they were most interested in government officials in India, like the Indian National Security Council Secretariat, any and all Indian Diplomatic Missions, and the Indian Military Engineer Services. The first is that "political espionage networks may be deliberately exploiting criminal kits, techniques and networks both to distance themselves from attribution and to strategically cultivate a climate of uncertainty."
iDefense has no proof of this either but I think it is highly likely. In fact, another security research group called Damballa suggested that the Google Aurora attacks were nothing more than a cyber criminal attack, based solely on the techniques used by the attackers.
I'd say this is highly likely too. It has been my experience over the years that cyber espionage groups throw a large net out initially to see what is there. Then they seek targets of opportunity as they are discovered. This is what happened here in India. The bad guys went after the Dalai Lama and eventually found their way over to Indian Government officials through mutual social networking connections.
What it means exactly is not clear. It could mean that the perpetrators contracted multiple hacker groups to go after the same targets on purpose, or it could mean that the perpetrating organization is so large that they don't know what everybody is doing. Regardless, the fact that two separate, highly publicized cyber espionage attacks in two completely different regions of the world involved multiple hacking groups at the same time that may or may not have known about each other is very interesting indeed.
Mumbai Cyber Lab has completed two years and has been working as an extension of the Cyber Cell. It has been noted that while registration of criminal cases is very low, the officers are mainly kept busy in enquiries involving misuse of the internet. But the actual status is quite different. Every day, on average, ten government websites are hacked, but the same is not noticed by the cybercrime cell. As usual, the police are just pretending to do their duty without applying brains. There is a definite threat to our crucial sites, but you cannot rely on these so-called cyber cells in our country. Even at this moment the Mumbai cyber cell website is hackable; if a hacker can notice, then why not the crime experts? In India most sites are hosted on shared servers; if one website's vulnerability is traced, then the entire server can be hacked within no time.
Adding onto the routine menaces posed by the Pakistanis, the Urdu Hackers have turned out to be an extended arm of the Pakistani wicked think-tank. The Mumbai Police was the latest victim of their foul play. Their Cyber Cell website fell prey to the new age crime, as this self-proclaimed hacker group, earlier known as Mafiaboyz, hacked their site. The group also hacked the Indian site reportcrime.com and other websites of Indian engineering institutions like www.skce.ac.in (a website of Selvakumaran College of Engineering) and www.kpriet.ac.in (a website of KPR Institute of Engineering and Technology), both from Coimbatore. This hacker group also deleted essential databases of some of the websites and also totally ruined some servers.
The Urdu Hackers the owner of this group is
gay, and that gay take pride in the fact that they
were able to disrupt or intrude into the normal functioning of the Indian websites. They have also challenged the Indian Government by openly admitting that should the Indian hackers hack any of their sites in future, they wouldn't lag behind. They would have a stronger counter-reaction, as they could even go to the extent of disabling BSE. When Cyber Terror asked Urduhack the reason for these misdemeanors, a member responded via email stating, "Well, we are IT students and not professional hackers. We are hacking servers and networks because Indian hackers are defacing Pakistan's websites by adopting unfair methods. We had reported about this matter to the Anti-Cyber Crime authorities but they failed to take any action against the culprits. Hence we are giving an appropriate reply to them. We are not terrorists and are not targeting any country. We want peace but with those who deserve it."
Urduhack doesn't support terrorist activities but is unhappy with the Indian government's policies. According to the group, the Indian government is instigating them to commit such crimes.
When asked whether the group has ever contributed anything significant towards the development of their country, they said, "Did the Indian hackers try to do something good for their country? We can shut down the telecom company BSNL within a span of 2 days and also attack BSE in no time. We want to teach a lesson to the Indian hackers who had earlier hacked the Karachi Stock Exchange (KSE)."
The Urdu Hack group is aware of cyber laws and regulations in India but they are unafraid of the Indian police. When asked if they are worried about being nabbed by the police, a group member replied, "We can send remote desktop connection information of the Indian CID or bharat-rakshak servers. We have not committed any crime. These are just warnings and don't mean anything for us."
I don't handle such cases.
The members not only hacked the web site but also went a step ahead and uploaded videos on YouTube explaining the hacking procedure. For more information, readers can also click on the link mentioned below: http://www.youtube.com/watch?v=iVry9BphLUY&feature=related
They are not deterred by the Indian police. They
are seen sarcastically mimicking the working style
of the department. In their post, the group has
openly challenged CID and Indian Cyber Army
against interfering in their matters. The group has also threatened dire consequences against the Indian government if it interferes in their operations.
Cyber Terror spoke to Majid Memon, renowned criminal lawyer, about the legal action which can be taken against the hackers. He said, "The Cyber Crime cell of Mumbai police is designated to handle such cases. They conduct investigations and if found guilty obligatory actions will be initiated."
The message contains, "After defeating Indian cobras in 2001 we decided to switch back from all this stuff. After the arrest of pakbugs crews we have decided to come back. Our recent hits were cyber crime department of Mumbai to serve a warning for India. We have defaced several universities of India and will soon leak the result and their databases." These Mafiaboyz even guide people for becoming ethical hackers: "Learn Ethical Hacking Tools Free Hacking Tricks How To Hack Passwords & Email".
In the advertisement the group has mentioned, "We aim at helping people new to Ethical Hacking and Free Penetration Testing. Learning Ethical Hacking has not been so fast until now. Learn how to hack, free ethical hacking, hacking tricks, hacking passwords Accounts, Email Hacking and how to hack websites. Download free hacking tools." And almost every hacker provides these tools on his site or blog very openly. The group's credentials have not been questioned because the reports say that they had even hacked the social networking site Facebook on 25th June this year.
Mumbai, being the Financial Capital of India, has been vulnerable to a variety of crimes, so a Cyber Crime Investigation Cell has been set up to address the booming cyber crime activities in the city and state. The government has recruited Information Technology experts and cyber crime professionals to tackle such types of crimes. The Police too are trained in Cyber Laws and Technology and have succeeded in ripping off some of the cyber criminals.
The Mumbai Cyber Lab is jointly operated by the Mumbai Police and NASSCOM. It has one server and nine state-of-the-art computers. One officer from the Cyber Crime Cell along with one computer-trained constable has been attached to the Lab. NASSCOM pays for a Project Manager, who is the overall in-charge of the lab. Training is imparted by cyber cell officers and volunteers selected by NASSCOM and students from the Mumbai University.
However, cyber experts are worried that in the coming years cyber crimes are going to increase manifold. They have asked the government to upgrade the cyber laws and make all possible efforts towards safeguarding the servers and networks. Moreover, the websites of government organizations, defense and other important institutions must be made foolproof to avoid a recurrence of such crimes.
What is Cyber Law?
Cyber Law (THE INFORMATION TECHNOLOGY ACT, 2000) has 13 chapters and 96 clauses in it. An act to provide legal recognition for transactions carried out by means of electronic data interchange and other means of electronic communication, commonly referred to as "electronic commerce", which involve the use of alternatives to paper-based methods of communication and storage of information, to facilitate electronic filing of documents with the Government agencies and further to amend the Indian Penal Code, the Indian Evidence Act, 1872, the Bankers' Books Evidence Act, 1891 and the Reserve Bank of India Act, 1934 and for matters connected therewith or incidental thereto.
Whereas the General Assembly of the United Nations by resolution A/RES/51/162, dated the 30th January, 1997 has adopted the Model Law on Electronic Commerce adopted by the United Nations Commission on International Trade Law and whereas the said resolution recommends inter alia that all States give favourable consideration to the said Model Law when they enact or revise their laws, in view of the need for uniformity of the law applicable to alternatives to paper-based methods of communication and storage of information and whereas it is considered necessary to give effect to the said resolution and to promote efficient delivery of Government services by means of reliable electronic.
What is Hacking?
Hacking in simple terms means an illegal intrusion into a computer system and/or network. There is an equivalent term to hacking, i.e. cracking, but from the perspective of Indian law there is no difference between the terms hacking and cracking. Every act committed towards breaking into a computer and/or network is hacking. Hackers write or use ready-made computer programs to attack the target computer. They possess the desire to destroy and also get a kick out of such destruction. Some hackers hack for personal monetary gains, such as stealing credit card information or transferring money from various bank accounts to their own account followed by withdrawal of money. They extort money from some corporate giant by threatening to publish the stolen information, which is critical in nature.
Government websites are hot targets for hackers due to the press coverage they receive. Hackers enjoy the media limelight.
Motive behind the Crime
- Greed
- Power
- Publicity
- Revenge
- Adventure
- Desire to access forbidden information
- Destructive mindset
- Wants to sell n/w security services
What information is required to lodge a complaint?
If you are a victim of hacking then bring the following information:
- Server logs
- Copy of defaced web page in soft copy as well as hard copy format, if your website is defaced
- If data is compromised on your server or computer or any other network equipment, soft copy of original data and soft copy of compromised data
- Access control mechanism details, i.e. who had what kind of access to the compromised system
- List of suspects, if the victim has any suspicion of anyone
- All relevant information leading to the answers to the following questions:
  - What? (what is compromised)
  - Who? (who might have compromised the system)
  - When? (when the system was compromised)
  - Why? (why the system might have been compromised)
  - Where? (where is the impact of the attack: identifying the target system from the network)
  - How many? (how many systems have been compromised by the attack)
Online Safety Tips
The Internet may be a cool place to hang with friends and check out new things, but it comes with its own risks and dangers. If you're going to use the Web, do it safely! Here are some suggestions on what you should and shouldn't be doing online to help protect you against the bad stuff.
Be careful online.
Never reveal personally identifiable information online.
A lot of creeps use the Internet to take advantage of other people, especially kids and teens. Never reveal any personally-identifiable information online, whether it's on your profile page or in a blog, chatroom, instant messenger chat or email.
- Always use a screen name instead of your real name.
- Never give out your address, telephone number, hangout spots or links to other websites or pages where this information is available.
- Be careful about sending pictures to people you do not know very well.
- Never discuss your personal or private information about your friends or family with strangers.
Never share your password with other people.
Your passwords to websites, email accounts and instant messenger services should not be shared with strangers. They may misuse the information for their own benefit.
Never arrange meetings with strangers.
Just because you've seen a person's picture and read his or her profile does not mean you know them. Many people online lie about who they are and what their intentions are. Even if someone seems nice online, they may be a different person in real life. Never arrange a meeting with a stranger you've met online. Avoid meeting a stranger in a crowded place as they may create troubles for you. In case you wish to meet an online friend in person, inform someone who is close to you about it.
Don't believe everything you read or see online.
Be wary of everything you see online unless it is from a reliable source. People lie about their age, residence, appearance, interests and other sensitive information. Moreover, a lot of websites and emails contain misleading information which a user must avoid at any cost.
Don't download files or software without your parents' permission.
Lots of files on the Internet are unsafe and one must never download those on a computer. Some files will bombard you with pop-up ads all day long, while others will actually track everything you do on your computer, including your logins, passwords and credit card information. The hackers will then steal money from your account, which may create financial problems for you. There is no mechanism to track which files are safe to download from the internet.
Don't respond to inappropriate messages or emails.
Some people send inappropriate messages just to see if you will respond. If you do, you are simply encouraging them to send more inappropriate material to you. Don't respond to inappropriate messages; instead, lodge a complaint against them with the concerned officials if the matter is of a serious nature.
Don't post inappropriate content.
If you post inappropriate content or pictures, you will attract people who have malicious interests. If you post jokes, photos or other content that contain sexual references you will probably attract people who are only interested in talking about sex. Don't post any vulgar comments on blogs and social networking sites.
Stop responding to personal questions from strangers.
Strangers who ask personal questions on the cyberspace are not good. Don't continue communicating with strangers who frequently ask personal questions.
Don't be bullied into fights.
There have been instances when people have taken their rivalry to the cyberspace. Some of them also use social networking sites to settle personal scores. Such acts must be avoided at all costs as they may have an adverse effect on your character and career.
Avoid adult and porn sites.
Parents must monitor the online activities of their kids. They must ensure that the child uses the internet only for educational purposes and not for other immoral activities. Kids must be taught about cyber safety and the dangers of surfing porn sites.
Remember online content is eternal.
Every post and comment you make stays online forever. Moreover, search engines copy links of websites and retrieve them even after the page has expired. You must rethink before posting any content online.
Are You A Safe Cyber Surfer?
Make sure your passwords have both letters and numbers, and are at least eight characters long. Avoid common words: some hackers use programs that can try every word in the dictionary. Don't use your personal information, your login name or adjacent keys on the keyboard as passwords, and don't share your passwords online or over the phone.
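The password rules above can be checked mechanically. The following is an added example, not part of the original text; the small word list, the four-key run length and the sample passwords are constructed assumptions.

```python
import re

# Constructed stand-in for a real dictionary file (assumption for this example).
COMMON_WORDS = {"password", "welcome", "dragon", "monkey",
                "sunshine", "football", "computer"}

# Keyboard rows, used to spot runs of adjacent keys such as "qwer" or "4321".
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]


def has_adjacent_key_run(password, run_length=4):
    """True if the password contains run_length neighbouring keys, left or right."""
    lowered = password.lower()
    for row in KEYBOARD_ROWS:
        for direction in (row, row[::-1]):
            for start in range(len(direction) - run_length + 1):
                if direction[start:start + run_length] in lowered:
                    return True
    return False


def letters_only(password):
    """Drop digits and symbols so 'Password123' is still seen as a dictionary word."""
    return re.sub(r"[^a-z]", "", password.lower())


def check_password(password, login_name="", personal_info=()):
    """Return a list of the rules from the text that the password breaks."""
    problems = []
    lowered = password.lower()
    if len(password) < 8:
        problems.append("shorter than eight characters")
    if not (re.search(r"[A-Za-z]", password) and re.search(r"\d", password)):
        problems.append("needs both letters and numbers")
    if letters_only(password) in COMMON_WORDS:
        problems.append("based on a common dictionary word")
    if login_name and login_name.lower() in lowered:
        problems.append("contains the login name")
    if any(len(item) >= 3 and item.lower() in lowered for item in personal_info):
        problems.append("contains personal information")
    if has_adjacent_key_run(password):
        problems.append("uses adjacent keys on the keyboard")
    return problems


if __name__ == "__main__":
    # Constructed sample passwords, each breaking a different rule.
    samples = [
        ("abc12", "", ()),
        ("Password123", "", ()),
        ("qwerty12", "", ()),
        ("rahul2010x", "rahul", ()),
        ("asha1990", "asha_k", ("Asha", "1990")),
        ("blue7Kettle42", "user1", ("Asha",)),
    ]
    for password, login, info in samples:
        print(password, "->", check_password(password, login, info) or "ok")
```
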
Protect yourself from viruses by installing anti-virus software and updating it regularly. You can download anti-virus software from the websites of software companies, or buy it from retail stores; the best ones recognize old and new viruses and update automatically.
Prevent unauthorized access to your computer through firewall software or hardware, especially if you are a high-speed user. A properly configured firewall makes it tougher for hackers to locate your computer. Firewalls are also designed to prevent hackers from getting into your programs and files. Some recently released operating system software and some hardware devices come with a built-in firewall. Some firewalls block outgoing information as well as incoming files.
Don't open a file attached to an e-mail unless you are expecting it or know what it contains. If you send an attachment, type a message explaining what it is. Never forward any e-mail warning about a new virus. It may be a hoax and could be used to spread a virus.
Protect Your Website
1. Stay informed and be in touch with security
related news.
2. Watch traffic to your site. Put host-based
intrusion detection devices on your web
servers and monitor activity looking for any
irregularities.
3. Put in a firewall.
4. Configure your firewall correctly.
5. Develop your web content offline.
6. Make sure that the web servers running your public web site are physically separate and individually protected from your internal corporate network.
7. Protect your databases. If your web site
serves up dynamic content from database,
consider putting that database behind a
second interface on your firewall, with
tighter access rules than the interface to your
web server.
8. Back up your web site after every update.
14
Ways of compromising with the system
Many hackers use different ways to compromise different kinds of systems that use operating systems such as Windows XP or Windows 7. Hackers use many things, from small stealers to private exploits, for this purpose. Some of the ways are as follows: basically, hackers use stealers, keyloggers and RATs (Remote Administration Tools) for the basic level of hacking.
1) Stealers: - Stealers are things coded by some online coders in languages like vb6, c#, etc.
Usage: - Hackers use the client file and run it on their PC to create a file server.exe and bind it with any free online software which attracts people around the internet, such as cracks or key generators for software, or they rename it to any other stealer name and spread it online. When any person downloads the stealer, it automatically grabs the passwords from the browser. For example: whenever you log in to Orkut or any site, when you insert your password the browser will ask about saving your password; if you click yes, it will be saved in a core part of the browser. When the person runs the stealer, those passwords will be sent to FTP or PHP depending upon the hacker's choice.
Prevention: - Stop storing passwords in browsers - there is an option "master password" in the browser by which you can set a master password to access other passwords of the sites which will not be stored in the browser.
Update your anti-virus and browsers regularly.
Stop downloading things which seem extraordinary, etc.
2) Key loggers: - Stealers and key loggers are a bit similar to each other. The whole process is the same, but a key logger will harm you more than a stealer: stealers only steal passwords which have been stored, whereas a key logger grabs all the key strokes which are fired by the user. Mostly keyloggers are made on a PHP base because of its high memory.
Prevention: - Using some software like keysscramblers, which will encrypt your keystrokes, might not protect you fully, but at least you can give it a try. Updating your anti-virus and installing a firewall will stop some keyloggers. Use password managers to avoid getting your password caught.
3) RATs: This is the deadliest amongst all the tools. RATs (Remote Administration Tools) contain a stealer, a keylogger, a file transfer option, and installing and uninstalling of applications. Restarting and shutting down Windows, viewing the webcam and operating the PC remotely are some other features. This tool is to some extent similar to a stealer and keylogger. At the beginning the requirement of the hacker is a dynamic IP source to run the RAT. Hence he uses applications like 'DYDNS' or 'NO-IP Duc'. The function of this application is to force all the incoming connections to the computer at port 80. Later, downloading the client is needed, giving the no-ip host name, e.g. 'choco.mickey.noip.org'. Hackers download the no-ip setup and then create a server which demands a host name. At that time the link which is already created, cho.mickey.noip.org, is filled in. Ultimately it becomes easy to spread the server all over the internet. Later, when a person downloads the RAT server and runs it on the victim's computer, the victim's IP address is displayed to the client in which the further procedures are explained. The server basically injects the mutex into the default browser, that is only Internet Explorer, which allows the hacker to operate or to modify the victim's computer.
Prevention:-
- A legal version of antivirus with regular updates is the best prevention method.
- Turning the firewall to a high level
- Updating Internet Explorer to the latest versions regularly
Detecting an infected computer for the presence of any tool that is mentioned above is not a tough job. There are certain steps to be followed.
1. When you run a stealer, it creates a temporary file in the temp folder and the windows or system32 folder. In case a stealer and the browser of a keylogger get crashed some times, then they don't get updated any further. There is a small change created in terms of the look and feel of the computer. It is vice-versa in the case of RATs.
2. As mentioned above, when the mutex is injected into Internet Explorer and whenever a computer is infected, whether you use Internet Explorer or any other browser it will show the error message 'Internet explorer has encountered a serious problem.' The view of the folder as well as the screen resolution would change automatically. This can only be done by the fresher in the field of hacking. There are also some other advanced hacking techniques.
3. The major sources of financial support for a hacker are illegal acts. Their methods to earn money are as follows:
1. Carding
2. Money transfer
3. Phishing pages
4. SMTP servers
5. PayPal hacking
Carding: - Carding refers to hacking credit cards and shopping online. This entire process is called carding.
For hacking a credit card, hackers first target the sites of countries like UK, US, Australia, Germany, Canada etc., where credit cards are frequently used online.
Hackers mostly target sites which provide online shopping. These sites are on shared hosting, which means they are on the same server where other sites are also available. Hackers search for a vulnerability in any of the sites on the same server, and this is how they enter the particular site. Wherever the vulnerability is pointed, from that point they upload shell and root, or they simply buy the same servers of that site which is the source of target, assuming that the site has been hacked. Now the question arises how to get the cc (credit card) info. When they upload a shell to the site, hackers get the ability to connect to the MySQL of the site. MySQL is a database which stores all the info of the site, and so it becomes easy for the hacker to find its configuration file and the username and password of MySQL, which is connected through the shell later. All information related to credit cards can be found in the orders table. There will be different tables in MySQL such as tbl_admins, users, passwords, order details and orders, and they will open the orders table, where the credit card details will be available.
Hackers encrypt the credit card number for their convenience but can see the billing address, first name, last name, phone number and all the details which are presented there. Hackers simply copy-paste or dump the database to upload it on any hosting site, and whenever they require they use the information. Now the question is how the hackers utilize the information. Proper research is done by the hackers to know the sites accepting credit cards as the payment mode. They may buy things like mobiles, software, etc. Hackers use droppers. Droppers are those guys who stay near the location where the shop is situated or the delivery has to be done. Thus, the complete risk is taken by a dropper. While ordering a product, the company people give calls to confirm the order, so from receiving calls to the delivery, things are on him. Later hackers pay them a lump sum amount for sharing the risk. The credit card owner has three months' time to charge back; if the owner fails to do so, then there is no use.
Prevention: Whenever anybody wishes to go for online shopping, it is compulsory to check whether the sites are using SSH keys. This means the site will show httpS rather than http. These kinds of sites do not share the server. Checking the credit card balance every month is a must.
Money Transfers: - Mostly all the hackers use Western Union Money Transfer for transferring money. Before the money gets transferred, hackers usually hack the site of the Western Union bank and change the address of the account holder. For this kind of hacking, hackers have to be of elite level or professionals. Once they get the money in their hands, the matter is closed. To hack these sites there are numerous pro hacking tools made that are easily available on the net. Hackers use hacked credit cards to transfer the money to their home via Western Union. Since it needs a verification for this, the hackers skype the accounts, which will again be created with the same hacked credit cards, and they will confirm the payment and the transaction will be proceeded. These hackers will transfer money to their own address by hacking into the admin and changing the delivery address, which will be unnoticeable.
Phishing pages and SMTP servers:-
Well, these two topics are interrelated.
First, hackers create phishing pages of online credit card banking, any shops or credit card checking points. They gather an email list of the millions of ids which are available on the net, for which one just needs to Google around. To combine the attack, they hide the link with the help of SMTP servers and they send the mail to the email addresses. The advantage of SMTP servers is that you can send mail to people from any id, even from the Prime Minister's id or any bank id.
For example:
Support@hsbc.com
They'll simply send a mail that reads:
Dear Customer,
As per new Rules kindly update your status at our website you can find in this link 'phishing link'
(to match this, some kind of matter is written)
Regards:-
Bank team
The person will simply log in to that page and the hackers will get the details.
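A mail of the kind described above leaves traces a recipient or mail administrator can check: the envelope sender, the recorded SPF/DKIM/DMARC results, and links whose visible text differs from their target. The following is an added example, not part of the original text; both messages, all domain names and the finding codes are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser

HOST_RE = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I)


class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(text):
    """Host name at the start of a URL or of link text, or '' if there is none."""
    match = HOST_RE.match(text.strip())
    return match.group(1).lower() if match else ""


def belongs_to(host, domain):
    return host == domain or host.endswith("." + domain)


def triage(raw_message):
    """Return (code, detail) findings for one raw message."""
    msg = message_from_string(raw_message)
    findings = []
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    envelope = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2].lower()
    if envelope and not belongs_to(envelope, from_domain):
        findings.append(("envelope-mismatch", envelope))
    # Results recorded by the receiving mail server; anything but "pass" is reported.
    auth = " ".join(msg.get_all("Authentication-Results") or []).lower()
    for mechanism in ("spf", "dkim", "dmarc"):
        result = re.search(rf"\b{mechanism}=(\w+)", auth)
        verdict = result.group(1) if result else "missing"
        if verdict != "pass":
            findings.append((f"{mechanism}={verdict}", "Authentication-Results"))
    collector = LinkCollector()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            charset = part.get_content_charset() or "utf-8"
            collector.feed(part.get_payload(decode=True).decode(charset, "replace"))
    for href, text in collector.links:
        target, shown = host_of(href), host_of(text)
        if target and not belongs_to(target, from_domain):
            findings.append(("link-off-domain", target))
        if shown and target and shown != target:
            findings.append(("link-text-mismatch", f"{shown} -> {target}"))
    return findings


# Constructed sample: forged From address, failed checks, hidden link target.
PHISHING_SAMPLE = (
    'From: "Bank team" <support@bank.example>\n'
    "Return-Path: <bounce@mailer.invalid>\n"
    "Authentication-Results: mx.recipient.example; spf=fail smtp.mailfrom=mailer.invalid;"
    " dkim=none; dmarc=fail header.from=bank.example\n"
    "Subject: Update your status\n"
    "Content-Type: text/html; charset=utf-8\n"
    "\n"
    "<p>Dear Customer, kindly update your status at "
    '<a href="http://login.update-status.invalid/">www.bank.example</a></p>\n'
)

# Constructed sample: the same mail as the real sender would produce it.
GENUINE_SAMPLE = (
    'From: "Bank team" <support@bank.example>\n'
    "Return-Path: <bounce@mail.bank.example>\n"
    "Authentication-Results: mx.recipient.example; spf=pass; dkim=pass; dmarc=pass\n"
    "Content-Type: text/html; charset=utf-8\n"
    "\n"
    '<p>Statement ready at <a href="https://www.bank.example/status">www.bank.example</a></p>\n'
)

if __name__ == "__main__":
    for code, detail in triage(PHISHING_SAMPLE):
        print(code, detail)
```
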
PayPal Hacking :-
PayPal hacking is quite easy amongst all the above steps. Hackers use the same e-mail list which they gather from all over the cyber world. They save all of them in a notepad file named "E-mail's list .txt" and they simply use the wordlists which are easily acquired online. They will start a bruteforce, which is a simple tool found anywhere in the internet world. It will pop up when a password is matched to the e-mail; then they will save the login details and use them to transfer money. But these kinds of things can be done only by a normal level of hacker, because in the PayPal system there is an option to charge back anytime, so it can be a problem to make a big amount.
Black hats are the group of hackers who still do these illegal things.
Inputs by c0d3b3r4k3r
15
Cyber Law
Many anti-terrorism experts have been concerned since 9/11 that if there is any act of terrorism involving nuclear material, it will most probably originate from Pakistan. Hence their worries about the security of Pakistan's nuclear arsenal and about the possibility of radicalised Pakistani scientists helping Al Qaeda or pro-Al Qaeda organisations. Is there a similar danger of an act of cyber terrorism, seeking to damage or destroy critical infrastructure, emanating from India? India has availability of qualified information technology experts in terror groups. This question is likely to occupy the attention of terrorism experts following the announcement by the Mumbai Police on October 6, 2008, of the arrest of 20 suspected members of the so-called Indian Mujahidin (IM), who played a role in the serial blasts in Ahmedabad on July 26, 2008, in the abortive attempts to organise similar blasts in Surat the next day and in the serial blasts in New Delhi on September 13, 2008.
[Image: Blast in Ahmedabad]
[Image: Blast in New Delhi]
Among those arrested, four were IT-savvy members of the IM, who had played a role in sending the e-mail messages in the name of the IM before and after the Ahmedabad blasts and also before the New Delhi blasts by hacking into Wi-Fi networks in Mumbai and New Mumbai.
Mohammed Mansoor Asgar Peerbhoy aka Munawar aka Mannu, a 31-year-old
resident of Pune, who was reportedly working for Yahoo, India, on an
annual salary of Rs. 19 lakhs (US $45,000).
Mubin Kadar Shaikh, a 24-year-old graduate of computer science from
Pune.
Asif Bashir Shaikh, a 22-year-old mechanical engineer from Pune, who
was a helping hand in sending the e-mail messages; reportedly he played
a major role in planting 18 Improvised Explosive Devices (IEDs) in
Surat, all of which failed to explode.
Mohammed Ismail Chaudhary, a 28-year-old computer mechanic, who is also
suspected of helping to plant the IEDs in Surat.
Peerbhoy is reported to have joined the IM while he was studying Arabic
in Pune's Quran Foundation, which seems to have served as a favourite
recruiting ground for jihadi terrorism. The US intelligence agencies
would be interested to know that he had allegedly visited the US twice
in recent months. Had he been there with personal intentions or on
official work for Yahoo? Yet there are clear explanations.
During the intense investigation by the Mumbai police it has come out
that Pune is an important recruiting hub for jihadi terrorism. One
would recall with interest that Abu Zubaidah, the Palestinian who was
supposedly No. 3 in Al Qaeda, was also reported to have studied
computer science in Pune before crossing over into Pakistan and joining
Al Qaeda. He was arrested in the house of a cadre of the
Lashkar-e-Toiba (LET) in Faisalabad in Pakistani Punjab in March 2002,
and taken to the Guantanamo Bay detention centre in Cuba by US
intelligence. He was considered an IT expert of Al Qaeda.
[Photo caption: Abu Zubaidah]
Peerbhoy has been projected as self-radicalised during a visit to Saudi
Arabia for Hajj. Despite this, certain questions need to be gone into
thoroughly: were he and others self-radicalised or radicalised by Al
Qaeda, which would welcome more IT experts? Were they recruits or
volunteers as a result of their self-radicalisation? Were they working
only for the IM or were they also helping Al Qaeda and other pro-Al
Qaeda organisations? Their capabilities as demonstrated till now are
rather primitive, relating to sending e-mail messages through hacked
networks. Many young students can do this. Did they have any other
capability of an ominous nature?
If the reports that Peerbhoy had visited the US twice in recent months
are correct, it shows that he had a valid visa for the US, which he had
probably got on the recommendation of Yahoo. It also shows that the
Federal Bureau of Investigation (FBI) had no adverse information on
him. Otherwise, the US would not have issued a visa to him. If he had
managed to get himself transferred to one of the Yahoo offices in the
US or in West Europe, Al Qaeda would have had a wonderful cyber sleeper
cell in the West. Why did he weaken the possibility of his getting
posted to the West one day by helping the IM in doing a simple job of
communications, which does not require much expertise?
These questions, along with other questions of a similar nature, need
to be examined in great detail, if necessary by enlisting the help of
the cyber experts of US intelligence. Cyber Terrorism in India is in
the limelight, but for the wrong reason. It seems the media and law
enforcement in India are too fascinated with the term Cyber Terrorism,
which exhibits their inaccurate knowledge about this particular
subject. Recently, the anti-terrorism squad (ATS) has been busy
investigating the terror email and has decided not to book the accused
for cyber terrorism as there was no intention to carry out any terror
act. Further, the news report also claims that according to an
amendment in the Information Technology Act, which came into force in
February this year, anyone indulging in cyber terrorism could be
sentenced to life imprisonment. Prior to this, even the sending of any
kind of threat emails was considered as hacking.
Let us first analyse the stand of the ATS. It seems the ATS has become
the all-powerful authority of India and it has the power to make the
laws, make them operational, execute them and interpret them as per its
choice. This is so because they have thought to invoke a provision that
does not exist in India. The Information Technology Act 2000 (IT Act
2000) is absolutely silent on the aspect of Cyber Terrorism, and the
proposed Information Technology Amendment Act 2008 (Amendments 2008) is
still inapplicable in the absence of a Notification by the Central
Government. Till now there has been no notification by the Central
Government in this regard. So with the help of which law the ATS could
have charged the accused with Cyber Terrorism is still a great mystery.
Similarly, the reporter of this news item has no hint whatsoever that
the proposed Amendments 2008 have not yet come into force. So there is
no question of applying its provisions to this case. Strangely enough,
I cannot find any instance where sending an offensive e-mail is
considered to be a case of hacking in India, either as per the IT Act
2000 or even by the Amendments 2008. Of course, if the Amendments of
2008 had been notified at the time of scripting the reported news then
the story could have made more sense. The fault lies with the
Government of India, which failed to make clear the status of the
amendments. It seems there is a lack of cyber law awareness in India.
The law enforcement and media must be responsible in their dealings and
claims regarding cyber law and other techno-legal issues. It is
necessary to acquire some quality knowledge about the cyber law of
India so that not only may cyber crimes be dealt with properly but a
culture of responsible journalism is also maintained in India. The
crucial balance and equilibrium proposed by the founding fathers of the
Indian Constitution has been disturbed by the Executive branch of
Indian Constitution. The Executive branch has totally hijacked the
Parliamentary Role and is implementing Projects which have
Constitutional Implications without any Parliamentary Approval.
If Projects that violate the basic Human Rights and Civil Liberties
like Right to Privacy are implemented without any Law and Parliamentary
approval, the role of Parliament in Indian Constitution is highly
debatable. Cyber law of India is very frail and it treats all the cyber
crimes generously with a warm welcome attitude. The cyber law of India
considers almost all the cyber crimes bailable, where the cyber
criminal is entitled to bail as a matter of right. To aggravate the
situation, India does not have good cyber forensics institutions and
adequate cyber forensics capabilities. Cyber forensics is a highly
specialised field that requires sound practical training. India is at
the infancy stage of acquiring good cyber forensics capabilities. Cyber
forensics is both a technical and a legal field, and the absence of
either would not serve the purpose.
In India, Perry4Law Techno Legal Base (PTLB) is managing the exclusive
techno legal cyber forensics research, training and educational centre
of India. PTLB is providing cyber forensics training courses in India.
It is also providing cyber law and other techno legal allied courses
and trainings, which include cyber security trainings. All these
trainings and educational courses are provided through an online
platform of PTLB. In order to provide more effective and practical
trainings to its trainees, PTLB has introduced a cyber forensics
repository. The repository is a collection of the best cyber forensics
software and tools.
It would be made available to cyber law, cyber security and cyber
forensics trainees at the final stage of individual trainings. These
trainees would be provided with practical cyber forensics application
training by PTLB. The repository is also the exclusive techno legal
cyber forensics repository that would serve the purposes of law
enforcement, prosecution and defence lawyers, judges, governmental
departments, etc.
Contrary to popular belief, Cyber Forensics is different from
E-Discovery, Digital Recovery or other synonymous terms. Cyber
Forensics primarily caters to the Legal Requirements whereas
E-Discovery meets the requirements of private individuals and
organizations.
Take an example of a security breach like hacking in an organisation.
The management of the organisation decides to trace the origin of the
breach. After proper analysis they come to know about the foul source.
Till this stage it is only an E-Discovery. The management can take
whatever preventive or remedial measure it may deem fit. If the
management decides to take Legal Action against the offender, it has to
prove the acquired digital evidence before the Court of Law. Mere
E-Discovery may not be enough to prove the guilt of the accused, as
legal requirements regarding evidence and procedural laws must also be
complied with. When the E-Discovery is Law Compliant it becomes Cyber
Forensics. Similarly, there are certain laws that require individuals
and organisations to exercise Due Diligence and Statutory Compliances.
These requirements may fall either in the category of E-Discovery or
Cyber Forensics as per the facts and circumstances of each case.
Cyber Forensics may be live or dead. Traditionally, Cyber Forensics was
performed after pulling the plug and then subsequently imaging the
media under investigation. The contemporary practice is to perform live
analysis to get useful volatile data that is lost the moment the
computer is turned off or after the pulling of the plug.
India is systematically eliminating the civil liberties in cyberspace
and introducing e-surveillance and curbs upon freedom of speech and
expression and right to privacy. This seems to be the sole aim of Home
Minister P. Chidambaram, who is making absurd decisions without any
sort of regard for human rights. In this guest column, Praveen Dalal,
Managing Partner of Perry4Law and the creator of the HRPIC initiative,
analyses the position of e-surveillance and its effect upon civil
liberties of Indians. He maintains that in India Human Rights in
Cyberspace are clearly outlawed and only outlaws would have these Human
Rights.
Philip R. "Phil" Zimmermann Jr. (born February 12, 1954) is one of the
greatest civil liberty protectors in cyberspace. Zimmermann is the
creator of Pretty Good Privacy (PGP), the most widely used email
encryption software in the world. He is also known for his work in VoIP
encryption protocols, notably ZRTP and Zfone. In his rationale for
creating PGP he tells that using PGP is good for preserving democracy.
He believes that if privacy is outlawed, only outlaws will have
privacy. This is so true not only in the context of America but also
India. India is passing through the worst era of police state and
e-surveillance society. Even worse is the reliance upon American models
that have failed in America itself. But Home Minister P. Chidambaram is
not discouraged by these failures and he would stop only on the failure
of these models in India. Even the Department of Information Technology
(DIT) and Department of Telecommunications (DOT) have joined this blind
and ignorant race and are trying to ban telecommunication services like
Blackberry and Skype and Internet services like Gmail. These
departments are troubled by the strong and secure encryption technology
and other similar technologies that prevent unlawful and illegal
e-surveillance by the government and its agencies. Criminals and
terrorists are already using these, and much better options, and these
ignorant actions would only trouble and violate the civil liberties of
law abiding citizens alone. All the limits in this regard were crossed
when the Information Technology Amendment Act 2008 (IT Act 2008) was
made an enforceable law in India. The IT Act 2008 provides unregulated,
unconstitutional and illegal e-surveillance, Internet censorship and
website blocking powers in the hands of Indian government and its
agencies. There is no mechanism at all that can prevent the abuses of
these powers and there is no accountability as well. India also does
not have any dedicated Privacy Law and Data Protection Law. With the
proposed use of Cloud Computing and Software as a Service (SaaS) by
Indian Government, more Privacy Violations issues would arise in
future. This is more so when Indian Government cannot even curb the
highly nuisance creating Telemarketing vice in India.
I firmly believe that Indian Government is not going to change its
stand and we have to preserve and protect our Civil Liberties
ourselves. That is why I dedicated a resource titled Protecting Human
Rights in Cyberspace (PHRIC) to suggest Techno-Legal Measures in this
regard.
Now with this series, I would discuss the available Techno-Legal
Measures to defeat illegal and Unconstitutional e-surveillance by
Governmental Authorities and Agencies as well as by Private
Individuals. Of course, these measures are available against illegal
and unconstitutional acts or omissions alone and are not available
against Lawful Interceptions and other e-surveillance activities
authorised by a proper Court of Law. A background article for
safeguarding against illegal eavesdropping and sniffing has already
been provided by me and more in this regard would be discussed
subsequently. A time has come in India when Human Rights in Cyberspace
are clearly outlawed and only outlaws (as per the norms and standards
of Indian government) would have these Human Rights. This is the main
reason why I dedicated a resource titled Human Rights Protection in
Cyberspace (HRPIC) to those law abiding citizens who cherish and wish
to protect their civil liberties in cyberspace.
At last India has decided to take some action on the front of
protecting crucial and strategic computer systems and computer
resources. India is in the process of formulating a blueprint for
undertaking counter cyber warfare on unfriendly countries.
Attacks on the strategic and military computers have been on the rise
in India. Various reports have suggested that many military and crucial
government departments have been systematically and continuously
targeted by cyber criminals.
The National Security Council (NSC) is considering a proposal that
would enable the Indian agencies to enhance capabilities to exploit
weaknesses in the information systems of other countries and also
collect online intelligence of key military activities.
The project would be given effect to by the National Technical Research
Organisation (NTRO), the Defence Intelligence Agency (DIA) and the
Defence Research and Development Organisation (DRDO).
It is also planned that laboratories would be set up in research
institutions to simulate cyber attacks with the help of ethical
hackers. These laboratories would also train intelligence agencies in
offensive and defensive cyber warfare techniques. Cyber forensics
capabilities would also be developed to analyse attacked computers.
Imported software and hardware would also be analysed for backdoors and
malware. A separate Computer Emergency Response Team (CERT) for various
crucial sectors would also be established.
This proposal is a good step in the right direction provided it is not
just another promise with no will and expertise to execute it.
Thanks to the weakest cyber law of the world, India is heading towards
becoming the cyber crime nation of the world. This is not the first
time that similar concerns have been raised. Previously, Praveen Dalal,
Managing Partner of Perry4Law, the leading techno-legal ICT law firm of
India, has cautioned that India is not only suffering from malware
attacks but is also emerging as the focal point for cyber crime
activities.
India is fast emerging as a major hub of cybercrime as recession is
driving computer-literate criminals to electronic scams, claimed a
study by researchers at the University of Brighton.
Titled 'Crime Online: Cybercrime and Illegal Innovation', the study
states that cybercrime in India, China, Russia and Brazil is a cause of
particular concern and that there has been a leap in cybercrime in
India in recent years, partly fuelled by the large number of call
centres.
One recent report ranked India in 2008 as the fourteenth country in the
world hosting phishing websites. Additionally, the booming of call
centres in India has generated a niche for cyber criminal activity in
harvesting data, the report maintained.
It is sad that India is doing nothing to improve this position. There
is an emergent need to reformulate Indian cyber laws like the IT Act,
2000 and make them more stringent and effective.
Human rights have always been neglected and blatantly violated all over
the world. These human rights (HR) and fundamental rights (FR) have now
taken an altogether different shape in the information and
communication technology (ICT) driven world. The nations are
increasingly becoming police states and endemic surveillance societies.
The vices of illegal e-surveillance, privacy violations, human rights
violations, fundamental rights violations, etc. are becoming common and
widely spread all over the world. This platform is trying to provide
techno-legal remedies to netizens so that they may protect themselves
from the over-zealous and over-cautious state actions that are by their
very nature illegal, unconstitutional and inhuman.
The crucial balance and equilibrium proposed by the founding fathers of
the Indian Constitution has been disturbed by the Executive branch of
Indian Constitution. The Executive branch has totally hijacked the
Parliamentary Role and is implementing Projects having Constitutional
Implications without any Parliamentary Approval. If Projects that
violate the basic Human Rights and Civil Liberties like Right to
Privacy are implemented without any Law and Parliamentary approval, the
role of Parliament in Indian Constitution is highly debatable. For
instance, purely E-Surveillance Projects like the Aadhar/UID Project,
NATGRID, CCTNS, etc. have far reaching and adverse consequences for the
Fundamental Rights of Indians. Still the Executive did not find it fit
to enact suitable laws and provide adequate safeguards against the
same.
Further, Unconstitutional Authorities like the Unique Identification
Authority of India (UIDAI), etc. are also operating without any
accountability, transparency and legal authority. Further, there is
also no Parliamentary Scrutiny of these authorities. With the passing
of the Information Technology Amendment Act 2008 (IT Act 2008), the
Cyber Law of India has been made an instrumentality of illegal,
unaccountable and Unconstitutional e-surveillance in India. With the
massive phone tapping and e-surveillance history of India, conferring
such a power in the hands of the Executive and its Agencies is really
troublesome. In this scenario, only Outlaws would have Human Rights in
Indian Cyberspace. India also does not have any dedicated Privacy Law
and Data Protection Law. With the proposed use of Cloud Computing and
Software as a Service (SaaS) by Indian Government, more Privacy
Violations issues would arise in future. This is more so when Indian
Government cannot even curb the highly nuisance creating Telemarketing
vice in India. I firmly believe that Indian Government is not going to
change its stand and we have to preserve and protect our Civil
Liberties ourselves. That is why I dedicated a resource titled
Protecting Human Rights in Cyberspace (PHRIC) to suggest Techno-Legal
Measures in this regard. Now with this series, I would discuss the
available Techno-Legal Measures to defeat illegal and Unconstitutional
e-surveillance by Governmental Authorities and Agencies as well as by
Private Individuals. Of course, these measures are available against
illegal and unconstitutional acts or omissions alone and are not
available against Lawful Interceptions and other e-surveillance
activities authorised by a proper Court of Law. A background of
articles for safeguarding against illegal eavesdropping and sniffing
has already been provided by me and more in this regard would be
discussed subsequently.
16
The FBI definition of Cyber Terrorism
"The premeditated, politically motivated attack against information,
computer systems, computer programs, and data which result in violence
against noncombatant targets by sub-national groups or clandestine
agents."
"The unlawful use of force or violence against persons or property to
intimidate or coerce a government, the civilian population, or any
segment thereof, in furtherance of political or social objectives."
"Premeditated politically motivated violence perpetrated against
noncombatant targets by sub-national groups or clandestine agents"
Computers and the internet are becoming an essential part of our daily
life. They are being used by individuals and societies to make their
life easier. They use them for storing information, processing data,
sending and receiving messages, communications, controlling machines,
typing, editing, designing, drawing, and almost all aspects of life.
The tremendous role of computers stimulated criminals and terrorists to
make them their preferred tool for attacking their targets. The
internet has provided a virtual battlefield for countries having
problems with each other, such as Taiwan against China, Israel against
Palestine, India against Pakistan, China against the US, and many other
countries. This transformation in the methods of terrorism from
traditional methods to electronic methods is becoming one of the
biggest challenges to modern societies.
In order to combat this type of terrorism a lot of effort should be
made at the personal level, the country level, the regional level, as
well as the international level to fight against this transnational
type of crime.
The U.S. National Infrastructure Protection Center defined the term as:
"A criminal act perpetrated by the use of computers and
telecommunications capabilities, resulting in violence, destruction
and/or disruption of services to create fear by causing confusion and
uncertainty within a given population, with the goal of influencing a
government or population to conform to particular political, social or
ideological agenda".
From the American point of view the most dangerous terrorist group is
Al-Qaeda, which is considered the first enemy of the US. According to
US officials, data from computers seized in Afghanistan indicate that
the group has scouted systems that control American energy facilities,
water distribution, communication systems, and other critical
infrastructure. After the April 2001 collision of a US Navy spy plane
and a Chinese fighter jet, Chinese hackers launched Denial of Service
(DoS) attacks against American web sites. A study that covered the
second half of the year 2002 showed that the most dangerous nation for
originating malicious cyber attacks is the United States with 35.4% of
the cases, down from 40% for the first half of the same year. South
Korea came next with 12.8%, followed by China with 6.2%, then Germany
with 6.7%, then France with 4%. The UK came number 9 with 2.2%.
According to the same study, Israel was the most active country in
terms of number of cyber attacks related to the number of internet
users. There are so many groups who are very active in attacking their
targets through computers. The Unix Security Guards (USG), a
pro-Islamic group, launched a lot of digital attacks in May 2002.
Another group called World's Fantabulous Defacers (WFD) attacked many
Indian sites. There is also another pro-Pakistan group called Anti
India Crew (AIC) who launched many cyber attacks against India. There
are so many Palestinian and Israeli groups fighting against each other
through the means of digital attacks.
Cyber terrorists prefer using cyber attack methods because of their
many advantages. They are cheaper than traditional methods. The action
is very difficult to track. They can hide their personalities and
location. There are no physical barriers or check points to cross. They
can do it remotely from anywhere in the world. They can use this method
to attack a big number of targets. They can affect a large number of
people.
On Oct. 21, 2002, a distributed denial of service (DDoS) attack struck
the 13 root servers that provide the primary road-map for all internet
communications. Nine servers out of these thirteen were jammed. The
problem was taken care of in a short period of time. The internet being
down for just one day could disrupt nearly $6.5 billion worth of
transactions. At Worcester, Mass., in 1997, a hacker disabled the
computer system of the airport control tower. In the same year a hacker
from Sweden jammed the 911 emergency telephone systems in west-central
Florida. This indicates that an attack could be launched from anywhere
in the world. In 1998 attacks were launched against the NASA, the Navy,
and the Department of Defense computer systems. In 2000, someone hacked
into the Maroochy Shire, Australia waste management control system and
released millions of gallons of raw sewage on the town. In Russia in
the year 2000, a hacker was able to control the computer system that
governs the flow of natural gas through the pipelines. Financial
institutions have been subject to daily attacks or attack attempts.
They are the most preferred targets for cyber criminals. The Israeli
cyber warfare professionals targeted human rights and anti-war
activists across the U.S.A. in late July and August 2002, disrupting
communications, harassing hundreds of computer users, and annoying
thousands more.
General John Gordon, the White House Homeland Security Advisor,
speaking at the RSA security conference in San Francisco, CA on Feb.
25, 2004, indicated that whether someone detonates a bomb that causes
bodily harm to innocent people or hacks into a web-based IT system in a
way that could, for instance, take a power grid offline and result in a
blackout, the result is ostensibly the same. He also stated that the
potential for a terrorist cyber attack is real.
By the use of the internet the terrorist can effect much wider damage
or change to a country than one could by killing some people. From
disabling a country's military defenses to shutting off the power in a
large area, the terrorist can affect more people at less risk than
through other means. Cyber terrorists can destroy the economy of a
country by attacking the critical infrastructure in the big towns, such
as electric power and water supply (it is still unknown whether the
blackout of the North Western states in the US on Aug. 15, 2003 was a
terrorist act or not), or by attacking the banks and financial
institutions and playing with their computer systems. Senator Jon Kyl,
chairman of the senate judiciary subcommittee on terrorism, technology
and homeland security, mentioned that members of al-Qaeda have tried to
target the electric power grids, transportation systems, and financial
institutions. In England the National High-Tech Crime Unit (NHTCU)
survey showed that 97% of the UK companies were victims of cyber crime
during the period from June 2002 to June 2003. Cyber terrorists can
endanger the security of the nation by targeting sensitive and secret
information (by stealing, disclosing, or destroying).
The Interpol, with its 178 member countries, is doing a great job in
fighting against cyber terrorism. They are helping all the member
countries and training their personnel. The Council of Europe
Convention on Cyber Crime, which is the first international treaty for
fighting against computer crime, is the result of 4 years' work by
experts from the 45 member and non-member countries including Japan,
USA, and Canada. This treaty has already come into force after its
ratification by Lithuania on 21st of March 2004. The Association of
South East Asia Nations (ASEAN) has set plans for sharing information
on computer security. They are going to create a regional cyber-crime
unit by the year 2005.
Cyber terrorism is the next big form of terrorism that India is likely
to face, says the Intelligence Bureau. Already, the agency has issued
numerous warnings on cyber attacks. The first signs of tech-savvy
terrorists came to light during the serial blasts that rocked the
country a year ago. The question, however, is how geared up are we to
face the threat? Senior police officials told rediff.com that though
there is a lot of work going on in this direction, there is always
scope for improvement. But while officers speak of improvement and
conducting multiple seminars to counter this future threat, a reality
check with some cyber crime wings portrays a poor picture. When cyber
crime cells were set up in the country most cases pertained to sleaze
mails. Now the complaints have become more sophisticated and cyber
crime officials say that there are, on average, four complaints of
phishing mails that reach them every day. The detection rate is not
something that one can be proud of, with only one out of four cases
solved. Also miserable is the conviction rate. In India the cyber cells
need to keep updating and deploy new tactics.
When one talks of cyber crime, the problem is that whatever we may do
is just not enough. We are good as long as we prevent an attack and we
could also say that we are not good enough if we don't prevent one. As
for the kinds of attacks we can expect, the immediate threat to India
is from our immediate neighbours, Pakistan and China. Pakistan can be
easily handled but China is a definite threat. According to the IB,
China may try and destabilise our economy by launching attacks on our
banking sectors. Pakistan, on the other hand, may attack essential
commodity-related services instead. Reports indicate that for a
terrorist organisation, the easiest way to launch an attack on India
would be through the cyber route. It is high investment, but it saves
them the trouble of manpower on the field and the impact such an attack
could cause is immense. IB reports also suggest that terrorist
organisations could start an Internet war by hacking into websites and
sending out viruses to destabilise the enemy nation. The forms of cyber
assaults would include cyber vandalism, destruction of essential
commodity-related sites (ESCOMs) and phishing. The cyber war on India
is likely to be fought in three stages. First, the enemy would bring
down the control systems of defence installations, Parliament, railways
and airports. Secondly, they would look to attack financial services
such as banks and stock markets. Finally, ESCOMs and other utilities
services will be taken over. Cyber crime experts say this is a
dangerous scenario. It will surely create a lot of panic and if they
succeed, it could cause a lot of destruction since it would take days
before the services actually recover. Experts also say that although
Pakistan-based terrorists will prove lethal, the worst attack could
come from China through the use of Distributed Denial of Service
attacks. In a DDoS attack, the bandwidth of a targeted system is
flooded. They keep attacking other systems by multiplying and creating
a botnet. India has had its share of such attacks, but they have not
been on a large scale as yet. The sector that has been targeted the
most through such an attack is the telecom sector, but they have
managed to survive it thanks to a strong infrastructure. However,
companies have to constantly upgrade to be one up on the enemy.
What India needs is a combined effort to
counter the cyber threat, say experts. Also, cyber
crime police stations need to be revamped soon.
The process is already in motion. According to the
official, they had hired around 12 engineers from
a reputed IT firm to assist them. However, since
they cannot do this all the time, it was decided to
recruit professionals. The latest batch of
recruitments in a cyber cell will be computer and
law graduates. This combination should be
preferred, since the work needs someone with
expertise in both computer applications and
law, the two being interlinked. Cyber terrorism is
the next big form of terrorism that India is likely to
face. Already, the agency has issued numerous
warnings on cyber attacks. The first signs of
tech-savvy terrorists came to light during the serial
blasts that rocked the country a year ago. The
question, however, is how geared up are we to
face the threat? The detection rate is not
something that one can be proud of, with only one
out of four cases solved. The conviction rate is
also miserable. Proxy servers and anonymous
surfing tools make it difficult for police to take
appropriate measures. The biggest irony is that
the cyber cell websites are frequently attacked by
hackers and, in spite of known vulnerabilities, the
police have never made efforts to secure their sites.
Security professionals have expressed their
increasing concern over not only the increase in
frequency of attacks against the Internet, but also
the increase in the level of sophistication of these
attacks. While the complexity of the attacks is
increasing, the skill level of the intruder that
launched the attack is decreasing. This is a very
troubling trend. As the terrorists learn from every
attack what works and what doesn't, where the
vulnerabilities are, how we respond, and the
methods we use to detect these attacks, they gain
the knowledge that will increase their odds for
success.
Remember our new enemies are just a mouse
click away! A new batch of these graduates has
arrived and they are being sent to several training
programmes, the official said, adding that these
persons will be appointed at sub-inspector
level. The Ministry of Finance too has upgraded
its infrastructure to prevent cyber strikes. They
have introduced a two token system, which
mandates that a person carry with him a normal
password and also a token that generates PIN
codes in real time. While logging in, the person
will have to apply both. In key areas such as
defence sectors, the use of a personal laptop has
been banned. Only a few laptops have been
connected to both intranet and Internet.
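The "two token" login described above pairs a password with a device that generates PIN codes in real time. As an added example (not from the book, and not the Ministry's actual system), the Python below assumes the token follows RFC 6238 time-based one-time passwords and shows a server-side check that demands both factors; the class name, secret and password are constructed for illustration.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30  # RFC 6238 default time step


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 code (HMAC-SHA1 variant) the token shows at unix_time."""
    counter = unix_time // STEP_SECONDS
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow salted hash, so the stored value does not reveal the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class TwoFactorLogin:
    """Hypothetical verifier: a login needs the password AND a fresh code."""

    def __init__(self, salt, password_hash, token_secret, drift_steps=1):
        self.salt = salt
        self.password_hash = password_hash
        self.token_secret = token_secret
        self.drift_steps = drift_steps  # tolerated clock drift, in 30 s steps
        self.last_used_step = -1        # newest time step already consumed

    def verify(self, password: str, code: str, now: int) -> bool:
        # Evaluate both factors before deciding, so the reply does not
        # reveal which of the two was wrong.
        password_ok = hmac.compare_digest(
            hash_password(password, self.salt), self.password_hash)
        current = now // STEP_SECONDS
        matched_step = None
        for step in range(current - self.drift_steps,
                          current + self.drift_steps + 1):
            if step < 0:
                continue
            expected = totp(self.token_secret, step * STEP_SECONDS)
            if hmac.compare_digest(expected.encode(), code.encode("utf-8")):
                matched_step = step
        if not password_ok or matched_step is None:
            return False
        if matched_step <= self.last_used_step:
            return False  # a code that was already used is being replayed
        self.last_used_step = matched_step
        return True


if __name__ == "__main__":
    # Constructed values: the secret is the RFC 6238 test key.
    secret = b"12345678901234567890"
    salt = b"constructed-salt"
    login = TwoFactorLogin(salt, hash_password("correct horse", salt), secret)
    now = 1111111109
    code = totp(secret, now)
    print("password only   :", login.verify("correct horse", "", now))
    print("password + code :", login.verify("correct horse", code, now))
    print("same code again :", login.verify("correct horse", code, now))
```

A captured password alone fails the check, and a code seen once cannot be reused, which is the property the real-time token adds over a static password.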
There is a legal side to the problem too. Experts
point out that if India needs to cater to this problem
it cannot do so on its own. It will need the help of
other countries. However, India is not a signatory to
the 45-nation international convention on cyber
crimes. Moreover, India still awaits a legal
framework on cyber attacks. Further,
Unconstitutional Authorities like the Unique
Identification Authority of India (UIDAI), etc. are also
operating without any accountability,
transparency and legal authority. Further, there is
also no Parliamentary Scrutiny of these
authorities. With the passing of the Information
Technology Amendment Act 2008 (IT Act 2008),
the Cyber Law of India has been made an
instrumentality of illegal, unaccountable and
Unconstitutional e-surveillance in India. With
massive phone tapping and e-surveillance history
of India, conferring such a power in the hands of
Executive and its Agencies is really troublesome.
In this scenario, only Outlaws would have
Human Rights in Indian Cyberspace. India also
does not have any dedicated Privacy Law and Data
Protection Law. With the proposed use of Cloud
Computing and Software as a Service (SaaS) by
Indian Government, more Privacy Violations
issues would arise in future. This is more so when
Indian Government cannot even curb the highly
nuisance creating Telemarketing vice in India. I
firmly believe that Indian Government is not going
to change its stand and we have to preserve and
protect our Civil Liberties ourselves. That is why I
dedicated a resource titled Protecting Human
Rights in Cyberspace (PHRIC) to suggest Techno-
Legal Measures in this regard. Now with this series,
I would discuss the available Techno-Legal
Measures to defeat illegal and Unconstitutional
e-surveillance by Governmental Authorities and
Agencies as well as by Private Individuals. Of
course, these measures are available against illegal
and unconstitutional acts or omissions alone and
are not available against Lawful Interceptions
and other e-surveillance activities authorised by a
proper Court of Law. A background article on
safeguarding against illegal eavesdropping and
sniffing has already been provided by me and more
in this regard would be discussed subsequently.
17
Amazing hackers
Welcome to the new world of snooping and espionage. Here,
hackers don't need to intrude in your system to know what
you are up to in the cyber space. All they have to do is to
make you click on a particular website while your Yahoo! mail is open
in the same browser. Rest will be taken care of by the 'extractor' who
will have access to all the tabs you have opened at one go. This is an
anomaly discovered by city-based cyber crime expert Sunny Vaghela
recently. According to him, the loophole is widely used all over the
world by many hackers to keep an eye on the targets in lieu of money
or information. "It is a simple code by which the hacker grabs the
cookie from your browser. This can be done by sending you a link or a
photograph or a simple invite. We have registered it with Yahoo!
applications in which you are logged in - be it mail or messenger. It
enables a hacker to grab the cookie during transmission. Once he
gets it, he can just refresh his window and see all your accounts on his
screen," says Vaghela. Once the hacker gets
access to one account, it is not very difficult to
go hopping on to other windows. In this case, if
you have three accounts open simultaneously,
which is very common nowadays, consider them
hacked. The accounts can then be used as per
the hacker's wish. "I can also be a silent
observer. I can go through your entire inbox and
private messages, without even letting you
know that I am your companion in social
networking and world of emails. It is a bit
different system adopted by Chinese hackers
who hacked into umpteen Indian sites with the
help of trojans. However, it is as effective," says
Vaghela. The trick is, the cookie will be accepted
as a standard HTML script not detected by anti-
phishing, anti-spam filter or anti-virus. As every
visit on internet generates cookies, the user
cannot understand where all the data is going. If
hackers are to be believed, the vulnerability is
already exploited world over. Hackers also warn
against remaining logged in permanently.
According to them, the username and
passwords are then stored into a cookie that
gets refreshed every time you open it on your
browser. If the hacker is awaiting a crispy
cookie, he can get the data and enter your
account with ease. Yahoo! has acknowledged
the loophole, says Vaghela. "Compared to other
mailing services, Yahoo! has yet to plug some of
the bugs. The officials have shown interest in
the problem and have sent a mail on Monday. I
have explained to them the anomaly and also
how it can be solved. If it is implemented,
hackers will have to search for some other door
to enter," he says.
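The scenario above turns on a logged-in session cookie that page script can read, that travels in transit, that goes along with a click from another site, and that stays alive when the user remains logged in. As an added example (not from the book or from Yahoo!), this Python audit checks a site's Set-Cookie headers for the attributes that limit each of those exposures; the cookie names, sample headers and one-day lifetime limit are assumptions.

```python
import re
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

MAX_SESSION_LIFETIME = 24 * 3600  # assumed policy: one day, in seconds

SAMPLE_HEADERS = [  # constructed values, not captured from any real site
    "SID=abc123; Path=/; Max-Age=31536000",
    "SID2=def456; Path=/; Secure; HttpOnly; SameSite=Lax",
    "theme=dark; Path=/; Max-Age=31536000",
]


def parse_set_cookie(value):
    """Return (cookie name, {lower-cased attribute: value}) for one header."""
    first, *rest = [part.strip() for part in value.split(";")]
    name = first.partition("=")[0].strip()
    attrs = {}
    for part in rest:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name, attrs


def lifetime_seconds(attrs, now):
    """Seconds the cookie persists, or None if it ends with the browser session."""
    max_age = attrs.get("max-age", "")
    if re.fullmatch(r"-?[0-9]+", max_age):
        return int(max_age)  # Max-Age takes precedence over Expires
    if "expires" in attrs:
        try:
            expires = parsedate_to_datetime(attrs["expires"])
        except (TypeError, ValueError):
            return None  # unparseable date
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        return int((expires - now).total_seconds())
    return None


def audit_cookie(value, session_names, now):
    """List the weaknesses of one Set-Cookie header; other cookies pass."""
    name, attrs = parse_set_cookie(value)
    problems = []
    if name not in session_names:
        return name, problems
    if "httponly" not in attrs:
        problems.append("no HttpOnly: script running in the page can read it")
    if "secure" not in attrs:
        problems.append("no Secure: it is also sent over unencrypted HTTP")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        problems.append("SameSite not set to Lax or Strict: "
                        "may accompany cross-site requests")
    lifetime = lifetime_seconds(attrs, now)
    if lifetime is not None and lifetime > MAX_SESSION_LIFETIME:
        problems.append("persists for %d days on the client" % (lifetime // 86400))
    return name, problems


def audit_response(set_cookie_headers, session_names, now=None):
    """Map each cookie name to its list of problems."""
    now = now or datetime.now(timezone.utc)
    return dict(audit_cookie(v, session_names, now) for v in set_cookie_headers)


if __name__ == "__main__":
    report = audit_response(SAMPLE_HEADERS, {"SID", "SID2"})
    for cookie, problems in report.items():
        print(cookie, "OK" if not problems else problems)
```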
India needs to strengthen cyber security
India stands nowhere in terms of counter-
offensive against attackers' networks, and
online crime is on the rise. Hackers are the next
generation's online terrors. The government
should employ hackers to do network
penetration testing regularly to check whether
networks and applications are vulnerable to the
latest exploits or not. The hackers deface
websites or download sensitive information
(credit cards, databases) from vulnerable
websites and put their own page in place of
the victim's index page. Though Indian hackers say
cyber laws in the country are good, they also
believe that awareness and preparedness of the
Indian government to face and fight cyber crime
and cyber terrorism is quite low. The problem is
that police officials who are supposed to enforce
the cyber laws have not been trained properly.
Look at engineering colleges across the country.
There are no courses on computer security. This
is the primary reason for lack of experts in the
country. Recently I interviewed Mumbai cyber
crime expert Vijay Mukhi; unfortunately, he was
not aware of Indian hackers; he believes hackers
are only from Pakistan. We need to make our
cyber systems as secure and as non-porous as
possible. At the same time we need to focus on
Indian hackers too. There are many
websites nowadays that teach how to hack
Facebook account passwords. 40 percent of Indian
youth, qualified IT professionals, have got into these
traits. Unemployed and adventurous youth get
involved in such activities and, out of over-
enthusiasm, end up doing wrong by
sabotaging our own country's online security
system. The hacking group in question is likely
to choose web servers based on a particular
server operating system, as seen in over 95 per
cent of all their previous exploits dating back to
2006. 'Mass defacers' usually target blocks of
Internet addresses to find vulnerable systems
and then proceed to exploit the vulnerabilities,
in this case with defacements. Such attackers
are purely opportunistic, and tend to target
operating systems or web servers that they are
technically well-versed with or use attack tools
to assist them in their exploits. Whilst this hacker
group defaced four websites in the UAE around
the same time, it is interesting to note that there
have been over 30 publicly known defacements
of websites in the UAE since the start of the year.
Such attacks against organisations anywhere in
the world - regardless of whether they are
painted under the veil of hacktivism, extortion
or political activism - are, at the end of the day,
just cyber crimes perpetrated by cyber criminals.
Globally, organisations can do little to control or
mitigate an attacker's motivations; in-depth
security assessments, testing and sound security
practices, and an increased 24x7 security
vigilance are the essential prerequisites to
thwarting these and other similar attacks in
future. Although there is a lot of speculation on
various forums, etc. about this incident, people
should not read more into this incident
than that it was simply an opportunistic attack. It in
no way indicates state sponsored cyber attacks
of any kind, and more interestingly the vast
majority of this hacker group's previous website
defacements targeted countries as far and wide
as Brazil, Norway, China, the US and other
countries, all with defacement messages stating
their affection for Iran and Azerbaijan.
Improved, more stringent web
application security design and effective patch
management are a global need, vital to the continued
uninterrupted delivery of services by Internet-
facing organisations in the era of Web 2.0 and
the ever evolving risks that organisations will
continue to face. India has to step
up on its cyber offensive to match
Chinese and Pakistani hackers
breaching the Indian cyber
networks, says the man who made his
name as India's youngest and first
certified ethical hacker. The Indian
intelligence and military agencies
regularly use Indian hackers to
carry out counter offensives.
However, the quantum of such
work being carried out here is a lot
less than it is in countries such as
China and Pakistan. A few
Canadian and American cyber-
security researchers had claimed
that China-based online
espionage gangs have accessed
classified documents from several
Indian defense and security
establishments.
Hacker's biggest fear?
Hackers are faceless people who deface
government Web sites, who can peek into your
computer without you knowing. What are they
like? Hackers, the good guys, are different from
crackers, who have nefarious goals. Does it bug
you that everyone uses the term 'hacker' for
both? It used to. Then I realised that while some
can't be bothered, most people just don't know
the difference. A hacker is simply someone who
finds a novel way of doing something. When
people say a site has been "hacked," the correct term
is usually "defaced." Do you have a natural
tendency to ask the question "why?" If you
revel in the challenge of failing and asking why
these rules apply, what would happen if I try
something else, if you start getting answers
then you are already a hacker. To learn, get a
good grasp of Windows and Linux and at least
one scripting language. Learn the fundamentals
of TCP/IP. It will take some time but if you are
determined you will become skilled. What you
do with your skills after that is up to you. The
part where the site code talks to the database in
the backend, like a log-in form, or a page which
fetches data based on some numeric id. Using
specially-crafted code, malicious users try to
extract data from the database itself. There are a
lot of easy-to-use tools available, and lots of
vulnerable websites, so this is one of the most
tried attacks. A variation is to insert malicious
links which can infect the computers of the site's
users. Anything that tampers with control
systems for mechanical or electrical devices, like
lifts, assembly lines, medical devices etc. For
example, there's a rumour that when the Israelis
bombed a fairly inconspicuous place in Syria,
their hackers first disabled air defence radar
systems.
"Notorious" is subjective. If you went looking
for criminals who deal in stolen credit cards and
bank accounts, they usually set up invite-only
forums. A famous example: Shadowcrew, which
was busted by USA's FBI. Many folks interested
in web-related hacking and cracking follow
mailing lists like Full Disclosure and Bugtraq, and
websites like milw0rm. A lot of my friends are
part of null.co.in, where we learn, discuss
hacking techniques, get better at computer
security and take part in hacking challenges that
we set up. The ultimate hacker conference is
DefCon, which happens every year in Las Vegas.
Their "Capture The Flag" tournament would be
one competition most hackers would want to
win. For most of us here in India, going to
Defcon is a pipe dream. But there's the
pre-nullcon hack challenge and the nullcon CTF. In
the last pre-nullcon hack challenge, more than
2000 people started; eventually only 5 people
finished it fully. Name a country and it has
people doing malicious things for money,
ideology and many times just for fun. According
to people who make it a business to know, even
Nepal and Bangladesh have very active hacker
communities. A lot of political hacking happens
due to the Israel/Palestine situation. Many
hackers from Turkey are also extremely active.
The TJ Maxx incident: hackers stole over 45
million credit cards and debit cards. Just in terms
of number of accounts stolen, this was the
biggest theft ever. Almost everyone involved has
been apprehended, and they are serving long
jail sentences. Getting hacked. Hackers and
crackers are extremely paranoid about their
online activities; it would be the ultimate
embarrassment to get hacked themselves. It has
been known to happen. One of the most
respected security professionals, Dan Kaminsky,
was hacked a couple of years ago. The people
behind it posted his personal emails, torrent
history, filenames and a lot of passwords on public
mailing lists.
Many! Google is your friend; they aren't very
difficult to find. Time and again I end up
meeting from three cities more often than
others; Delhi, Pune and Hyderabad. No idea. But
most of the Indian websites I encounter have major
security issues. Most of them could have been
hacked many times over. A lot of networking
equipment owned and run by Indian ISPs is
vulnerable. Get off the internet! Seriously, if you
are worried about getting hacked, reduce your
vulnerable 'surface.' This could mean not using
the most common operating system, web
browser or PDF reader. I don't have any
information on this. Most times
hackers/crackers look at the easiest way in. Like
installing spyware on your phone, or
compromising your Bluetooth service. I don't
know any. And yes, being good at working the
press doesn't make you legendary! The most
realistic hacking I have ever seen in a movie is in
The Matrix Reloaded. On an old UNIX terminal in
a power station, Trinity uses a tool called nmap
to find a vulnerability in the software and
exploits it to get elevated privileges. The nmap
website has stills from that scene even now!
18
Ordinary Forms of cyber terrorism
Privacy violation:
The law of privacy is the recognition of an individual's right to be let
alone and to have his personal space inviolate. The right to privacy as an
independent and distinctive concept originated in the field of Tort law,
under which a new cause of action for damages resulting from unlawful
invasion of privacy was recognized. In recent times, however, this right
has acquired a constitutional status, the violation of which attracts both
civil as well as criminal consequences under the respective laws. The
intensity and complexity of life have rendered necessary some retreat
from the world. Man, under the refining influence of culture, has
become sensitive to publicity, so that solitude and privacy have become
essential to an individual. Modern enterprises and inventions have,
through invasions upon his privacy, subjected him to mental pain and
distress, far greater than could be inflicted by mere bodily injury. Right
to privacy is a part of the right to life and personal liberty enshrined
under Article 21 of the Constitution of India. With the advent of
information technology the traditional concept of right to privacy has
taken new dimensions, which requires a different legal outlook. To
meet this challenge recourse to the Information Technology Act, 2000 can
be taken. The various provisions of the Act aptly protect the online
privacy rights of the citizens. Certain acts have been categorized as
offences and contraventions, which have a tendency to intrude upon the
privacy rights of the citizens.
Secret information appropriation and data theft:
The information technology can be misused for appropriating the
valuable Government secrets and data of private
individuals and the Government and its agencies.
A computer network owned by the Government
may contain valuable information concerning
defence and other top secrets, which the
Government will not wish to share otherwise.
The same can be targeted by the terrorists to
facilitate their activities, including destruction of
property. It must be noted that the definition of
property is not restricted to movables or
immovables alone. In R.K. Dalmia v Delhi
Administration the Supreme Court held that the
word "property" is used in the I.P.C in a much
wider sense than the expression "movable
property". There is no good reason to restrict the
meaning of the word "property" to movable
property only, when it is used without any
qualification. Whether the offence defined in a
particular section of IPC can be committed in
respect of any particular kind of property, will
depend not on the interpretation of the word
"property" but on the fact whether that
particular kind of property can be subject to the
acts covered by that section.
Demolition of e-governance base:
The aim of e-governance is to make the
interaction of the citizens with the government
offices hassle free and to share information in a
free and transparent manner. It further makes the
right to information a meaningful reality. In a
democracy, people govern themselves and they
cannot govern themselves properly unless they
are aware of social, political, economic and other
issues confronting them. To enable them to make
a proper judgment on those issues, they must
have the benefit of a range of opinions on those
issues. Right to receive and impart information is
implicit in free speech. This right to receive
information is, however, not absolute but is
subject to reasonable restrictions which may be
imposed by the Government in public interest.
Distributed denial of services attack:
The cyber terrorists may also use the method of
distributed denial of services (DDOS) to
overburden the Government and its agencies'
electronic bases. This is made possible by first
infecting several unprotected computers by way
of virus attacks and then taking control of them.
Once control is obtained, they can be
manipulated from any locality by the terrorists.
These infected computers are then made to send
information or demands in such large numbers
that the server of the victim collapses. Further,
due to this unnecessary Internet traffic the
legitimate traffic is prevented from reaching the
Government or its agencies' computers. This
results in immense pecuniary and strategic loss to
the government and its agencies. It must be
noted that thousands of compromised computers
can be used to simultaneously attack a single
host, thus making its electronic existence invisible
to the genuine and legitimate citizens and end
users. The law in this regard is crystal clear.
Network damage and disruptions:
The main aim of cyber terrorist activities is to
cause damage to networks and disrupt them.
This activity may divert the attention of the
security agencies for the time being, thus giving
the terrorists extra time and making their task
comparatively easier. This process may involve a
combination of computer tampering, virus
attacks, hacking, etc.
The Impact of Cyber Terrorism - a brief idea
The intention of a cyber terrorism attack could
range from economic disruption, through the
interruption of financial networks and systems, to
support of a physical attack, causing
further confusion and possible delays in proper
response. Although cyber attacks have caused
billions of dollars in damage and affected the lives
of millions, we have yet to witness the implications
of a truly catastrophic cyber terrorism attack.
What would some of the implications be?
Direct Cost Implications
- Loss of sales during the disruption
- Staff time, network delays, intermittent access
  for business users
- Increased insurance costs due to litigation
- Loss of intellectual property - research, pricing,
  etc.
- Costs of forensics for recovery and litigation
- Loss of critical communications in time of
  emergency.
Indirect Cost Implications
- Loss of confidence and credibility in our
  financial systems
- Tarnished relationships & public image globally
- Strained business partner relationships -
  domestic and internationally
- Loss of future customer revenues for an
  individual or group of companies
- Loss of trust in the government and computer
  industry
G. Some incidents of cyber terrorism-
The following are notable incidents of cyber
terrorism:
In 1998, ethnic Tamil guerrillas swamped Sri
Lankan embassies with 800 e-mails a day over a
two-week period. The messages read "We are the
Internet Black Tigers and we're doing this to
disrupt your communications." Intelligence
authorities characterized it as the first known
attack by terrorists against a country's computer
systems.
During the Kosovo conflict in 1999, NATO
computers were blasted with e-mail bombs and
hit with denial-of-service attacks by hacktivists
protesting the NATO bombings. In addition,
businesses, public organizations, and academic
institutes received highly politicized virus-laden e-
mails from a range of Eastern European countries,
according to reports. Web defacements were also
common.
Since December 1997, the
Electronic Disturbance Theater (EDT) has been
conducting Web sit-ins against various sites in
support of the Mexican Zapatistas. At a
designated time, thousands of protestors point
their browsers to a target site using software that
floods the target with rapid and repeated
download requests. EDT's software has also been
used by animal rights groups against
organizations said to abuse animals.
Electrohippies, another group of hacktivists,
conducted Web sit-ins against the WTO when
they met in Seattle in late 1999.
One of the worst incidents of cyber terrorists at
work was when crackers in Romania illegally
gained access to the computers controlling the
life support systems at an Antarctic research
station, endangering the 58 scientists involved.
More recently, in May 2007 Estonia was subjected
to a mass cyber-attack by hackers inside the
Russian Federation which some evidence
suggests was coordinated by the Russian
government, though Russian officials deny any
knowledge of this. This attack was apparently in
response to the removal of a Russian World War II
war memorial from downtown Estonia.
H. Efforts of combating cyber terrorism-
The Interpol, with its 178 member countries, is
doing a great job in fighting against cyber
terrorism. They are helping all the member
countries and training their personnel. The
Council of Europe Convention on Cyber Crime,
which is the first international treaty for fighting
against computer crime, is the result of 4 years
work by experts from the 45 member and non-
member countries including Japan, USA, and
Canada. This treaty has already entered into force after its
ratification by Lithuania on 21st of March 2004.
The Association of South East Asia Nations
(ASEAN) has set plans for sharing information on
computer security. They are going to create a
regional cyber-crime unit by the year 2005.
The protection of I.T.A can be claimed for:
(a) Preventing privacy violations,
(b) Preventing information and data theft,
(c) Preventing distributed denial of services
attack (DDOS), and
(d) Preventing network damage and
destruction.
Currently there are no foolproof ways to
protect a system. The completely secure system
can never be accessed by anyone. Most of the
military's classified information is kept on
machines with no outside connection, as a form
of prevention of cyber terrorism. Apart from such
isolation, the most common method of
protection is encryption. The widespread use of
encryption is inhibited by the government's ban
on its exportation, so intercontinental
communication is left relatively insecure. The
Clinton administration and the FBI oppose the
export of encryption in favour of a system
whereby the government can gain the key to an
encrypted system after gaining a court order to do
so. The director of the FBI's stance is that the
Internet was not intended to go unpoliced and
that the police need to protect people's privacy
and public-safety rights there. Encryption's
drawback is that it does not protect the entire
system; an attack designed to cripple the whole
system, such as a virus, is unaffected by
encryption.
Others promote the use of firewalls to screen all
communications to a system, including e-mail
messages, which may carry logic bombs. Firewall
is a relatively generic term for methods of filtering
access to a network. They may come in the form
of a computer, router, other communications
device or in the form of a network configuration.
Firewalls serve to define the services and access
that are permitted to each user. One method is to
screen user requests to check if they come from a
previously defined domain or Internet Protocol
(IP) address. Another method is to prohibit Telnet
access into the system.
Here are a few key things to remember to
protect against cyber-terrorism:
1. All accounts should have passwords and the
passwords should be unusual, difficult to guess.
2. Change the network configuration when
defects become known.
3. Check with vendors for upgrades and
patches.
4. Audit systems and check logs to help in
detecting and tracing an intruder.
5. If you are ever unsure about the safety of a
site, or receive suspicious email from an unknown
address, don't access it. It could be trouble.
Indian law & Cyber terrorism-
In India there is no law which specifically
deals with prevention of malware through
aggressive defence. Thus, the analogous
provisions have to be applied in a purposive
manner. The protection against malware attacks
can be claimed under the following categories:
(1) Protection available under the Constitution
of India, and
(2) Protection available under other statutes.
(1) Protection under the Constitution of
India:
The protection available under the Constitution
of any country is the strongest and the safest one
since it is the supreme document and all other laws
derive their power and validity from it. If a law
satisfies the rigorous tests of the Constitutional
validity, then its applicability and validity cannot be
challenged and it becomes absolutely binding. The
Constitution of India, like other Constitutions of
the world, is organic and living in nature and is
capable of moulding itself as per the time and
requirements of the society.
(2) Protection under other statutes:
The protection available under the Constitution is
further strengthened by various statutory
enactments. These protections can be classified
as:
(A) Protection under the Indian Penal Code
(I.P.C), 1860, and
(B) Protection under the Information
Technology Act (ITA), 2000.
The problems associated with the use of malware
are not peculiar to any particular country as the
menace is global in nature. Countries all over
the world are facing this problem and are trying
their level best to eliminate it. The
problem, however, cannot be effectively curbed
unless popular public support and a vigilant
judiciary back it. The legislature cannot enact a law
against the general public opinion of the nation at
large. Thus, public support first has to be obtained
not only at the national level but at the international
level as well. People all over the world are not
against the enactment of statutes curbing the use
of malware, but they are conscious about their
legitimate rights. Thus, the law to be enacted by the
legislature must take care of public interest on a
priority basis. This can be achieved if a suitable
technology is supported by an apt legislation,
which can exclusively take care of the menace
created by the computers sending the malware.
Thus, the self-help measures recognized by the
legislature should not be disproportionate or
excessive relative to the threat posed by the malware.
Further, while using such self-help measures the
property and rights of the general public should not
be affected. It would also not be unreasonable to
demand that such self-help measures should not
themselves commit any illegal act or omission.
Thus, a self-help measure should not be such as
may destroy or steal the data or secret information
stored in the computer of the person sending the
malware. It must be noted that two wrongs cannot
make a thing right. Thus, a demarcating line
between self-help and taking law in one's own
hand must be drawn. In the ultimate analysis we
must not forget that self-help measures are
watchdogs and not blood-hounds, and their
purpose should be restricted to legitimate and
proportionate defensive actions only. In India,
fortunately, we have a sound legal base for dealing
with malware and the public at large has no
problem in supporting the self-help measures to
combat cyber terrorism and malware.