Introduction to Cybercrime

Syllabus

Cybercrime: definition and origins of the word; Cybercrime and information security; Classifications of cybercrime;
Cybercrime and the Indian ITA 2000; A global perspective on cybercrimes

1.1 Cybercrime: Definition and Origins of the Word

- The term "cybercrime" is not defined in the Information Technology Act, 2000, nor is the expression used in it.
The IT Act, 2000 only defines certain offences and prescribes punishments for them.
- If we define cybercrime narrowly, cybercrime consists of the offences mentioned in the Information Technology
Act, 2000: tampering with computer source code, cyber pornography, hacking, e-mail abuse, harassment, defamation,
IPR theft, cyber fraud, etc.
- If we define cybercrime broadly, cybercrime is any act of commission or omission committed on, via or with the help
of the internet, whether connected directly or indirectly, which is prohibited by law and for which a punishment,
monetary and/or corporal, is provided. The IT Act itself, by contrast, covers and punishes only certain cyber offences
and is not exhaustive of all cybercrimes.
- For example, if a person issues a death threat through the internet, he is liable for the offence of criminal
intimidation under Section 506 of the Indian Penal Code, 1860, and commits no offence under the IT Act; the act is
still a cybercrime under the broad definition.
- In the 1970s, criminals took advantage of the in-band tone signalling used on telephone networks. The attack was
called phreaking: the attacker reverse-engineered the tones the telephone companies used to route calls and replayed
them to make free long-distance calls.
- In 1988, the first computer worm to spread across the internet, the Morris worm (named after its creator, Robert
Morris), caused a great deal of disruption to organizations. Although the worm was not intended to be destructive,
a flaw in its reinfection logic made it infect the same hosts over and over until they ground to a halt. The U.S.
General Accounting Office (now the Government Accountability Office) later estimated the damage at anywhere
between $100,000 and $10,000,000.
- 1989 brought the first known ransomware attack, which targeted the health care field. Ransomware is a type of
malicious software that locks a user's data until a ransom is paid, in return for which the attacker promises a
cryptographic unlock key. In this attack, an evolutionary biologist named Joseph Popp distributed 20,000 floppy disks
across 90 countries, claiming that the disk contained software to analyse an individual's risk factors for contracting
AIDS. The disk in fact contained a trojan that, after the machine had been rebooted a number of times, hid directories,
scrambled file names on the hard disk and displayed a message demanding payment for a "software licence".
Ransomware attacks have evolved greatly over the years, with the health care field still being a very large target.
- The 1990s brought the web browser and e-mail to the masses, which meant new tools for cyber criminals to exploit
and greatly expanded their reach. Until then, the cyber criminal had to initiate a physical transaction, such as
handing over a floppy disk. Now virus code could be transmitted over the internet into these new, highly vulnerable
web browsers. Cyber criminals took what they had learned previously and adapted it to operate over the internet, with
devastating results. They could also reach out and con people from a distance with phishing attacks: it was no longer
necessary to engage with individuals directly, and one could attempt to trick millions of users simultaneously. Even
if only a small percentage of people took the bait, the criminal stood to make a lot of money.

- The 2000s brought social media and saw the rise of identity theft. A bullseye was painted for cyber criminals with
the creation of databases containing millions of users' Personally Identifiable Information (PII), making identity
theft the new financial piggy bank for criminal organizations around the world.
- This information, coupled with a lack of cybersecurity awareness among the general public, allowed cyber criminals to
commit all types of financial fraud, such as opening bank accounts and credit cards in the names of others.
- Today, cyber criminal activity has only gotten worse. As computer systems have become faster and more complex, the
cyber criminal has become more sophisticated and harder to catch. Today we have botnets, networks of private
computers infected with malicious software that allow the criminal element to control millions of compromised
systems across the globe. Botnets let criminals overload organizational networks and hide the origin of the attack:
o We see constant ransomware attacks across all sectors of the economy.
o People are constantly on the lookout for identity theft and financial fraud.
o There are continuous news reports of the latest point-of-sale attack against major retailers and hospitality
organizations.
- Cybercrime is crime committed within cyberspace, or crime in which elements of cyberspace are used as the vehicle;
the other derived terms are understood in the same way.

Today, the word "cyberspace" is used in many contexts, but it is not always clear exactly what the term describes and
what it means. The reason the term "cyberspace" is chosen as the starting point is that all the other terms (cyber
security, cybercrime, cyberwarfare, cyberterrorism, etc.) are based on or derived from it. So it is necessary to know
what cyberspace, cybersquatting, cyberterrorism, cyberwarfare and cyberpunk are. Let us see them one by one.

1. Cyberspace
The term "cyberspace" was coined by William Gibson, first in his 1982 short story "Burning Chrome" and then, famously,
in his 1984 novel "Neuromancer", where he described it as "a consensual hallucination experienced daily by billions of
legitimate operators, in every nation, by children being taught mathematical concepts". Cyberspace does not have a
standard, objective definition. Instead, it is used to describe the virtual world of computers. For example, an object
in cyberspace refers to a block of data floating around a computer system or network. With the advent of the Internet,
cyberspace now extends to the global network of computers, so after sending an e-mail to your friend you could say you
sent the message to her through cyberspace. Use the term sparingly, however, as it is overused.

2. Cybersquatting

Cybersquatting is registering, selling or using a domain name with the intent of profiting from the goodwill of
someone else's trademark. It generally refers to the practice of buying up domain names that use the names of
existing businesses with the intent of selling the names to those businesses at a profit.

3. Cyberterrorism

Cyberterrorism is planned activity committed in cyberspace via computer networks. It includes the use of e-mail for
communication among co-conspirators, to pass on information for use in violent activities, as well as recruiting
members for terrorist organizations through internet sites.

It also includes:

a. Breaking into air traffic control computer systems to cause planes to collide or crash.

b. Infiltrating water treatment plant computer systems to cause contamination of water supplies.

c. Hacking into hospital databases and changing or deleting records in a way that could result in incorrect and
dangerous treatment of a patient or patients.

d. Disrupting the electric power grid, which would cause loss of air conditioning in summer and heating in winter, or
result in the death of people.

4. Cyberpunk

The term, combining "cyber" and "punk", possibly originated in 1980 with Bruce Bethke's short story "Cyberpunk". It
is applied to people who specialise in cryptography and to crackers, i.e. those who break into computer security
systems. Several categories of people are associated with cyberpunk:

o Hackers, who represent the best kind of cyberpunk

o Crackers, who attempt to break into computer systems

o Phreakers, who attempt to break into telephone systems

o Cyber-punks, who attempt to break codes and foil security systems

5. Cyberwarfare

Cyberwarfare is computer- or network-based conflict involving politically motivated attacks by a nation-state on
another nation-state. In these attacks, nation-state actors attempt to disrupt the activities of organizations or
nation-states, especially for strategic or military purposes and for cyber espionage.

Although cyberwarfare generally refers to cyber attacks perpetrated by one nation-state on another, it can also
describe attacks by terrorist groups or hacker groups aimed at furthering the goals of particular nations. Cyberwarfare
can take many forms, including:

o Viruses, computer worms and other malware that can take down water supplies, transportation systems, power grids,
critical infrastructure and military systems.

o Denial-of-Service (DoS) attacks: cyber security events in which attackers take action that prevents legitimate
users from accessing targeted computer systems, devices or other network resources.

o Hacking and theft of critical data from institutions, governments and businesses.

o Ransomware that holds computer systems hostage until the victims pay a ransom.

1.2 Cybercrime and Information Security


- Cybercrimes are increasing due to lack of information security. From the Indian viewpoint, the Information
Technology (Amendment) Act, 2008 gives a new focus to information security in India.
- Cybersecurity means protecting information, communication devices, equipment, computers, computer resources and
the information stored in them from unauthorized access, use, disclosure, disruption, modification or damage.
- Cybersecurity includes both the physical security of devices and the security of the information stored in them. It
covers protection from unauthorized access, use, disclosure, disruption, modification and destruction.
- Cybercrimes occupy a vital place in the information security domain because of their impact. For anyone trying to
compile data on the business impact of cybercrime there are a number of challenges:
1. Organizations do not explicitly incorporate the cost of the vast majority of computer security incidents into their
accounting, as opposed to, say, accounting for the shrinkage of goods from retail stores.
2. It is difficult to attach a quantifiable monetary value to corporate data, and yet corporate data get stolen or lost.
- For these reasons, reporting of financial losses often remains approximate. In an attempt to avoid negative publicity,
most organizations abstain from revealing facts and figures about security incidents, including cybercrime.
- Usually, organizations' perception of insider attacks seems to differ from the picture painted by security solution
vendors. Awareness about data privacy also tends to be low in most organizations. Where financial losses from insider
crimes such as leaking customer data are concerned, estimating the loss is difficult because the financial impact may
not be detected by the victimized organization at all, and no direct costs may be associated with the theft.

Cybercriminals

The activities carried out by cybercriminals are:

- Password trafficking
- Copyright (software, movie, sound recording) piracy
- Trademark counterfeiting
- Counterfeiting of currency
- Data transfer theft
- Misuse of computer time
- Computer intrusion (i.e. hacking)
- Computer output theft
- Desktop forgery
- Wrongful programming
- Child pornography or exploitation
- Child exploitation and internet fraud matters that have a mail nexus
- Internet fraud
- Internet harassment
- Cyberstalking

Cybercriminals are those who conduct such acts. They can be categorized into three groups that reflect their
motivation:

1. Hungry for recognition: hobby hackers, IT professionals, politically motivated hackers, terrorist organizations.
2. Not interested in recognition: psychological perverts, financially motivated hackers, state-sponsored hackers and
organized criminals.
3. The insiders: unhappy or ex-employees seeking revenge, and rival companies using employees to gain an economic
advantage through damage or theft.

So the usual motives behind cybercrime seem to be greed, the desire for power or publicity, the desire for revenge, a
sense of adventure, the thrill of accessing prohibited information, a destructive mindset, and the desire to sell
network security services.
Cyber Security and Laws (MU-Sem 7)
1.3 Classifications of Cybercrime
1.3.1 Cybercrime against Individual
- E-mail spoofing and other online frauds
o E-mail spoofing is the forgery of an e-mail header so that the message appears to have originated from someone or
somewhere other than the actual source. E-mail spoofing is a popular tactic in phishing and spam campaigns because
people are more likely to open an e-mail when they think it has been sent by a legitimate or familiar source. The goal
of e-mail spoofing is to get recipients to open, and possibly even respond to, a solicitation. Spoofed e-mails
sometimes contain attachments that install malware such as Trojans or viruses when opened. In many cases, the malware
is designed to go beyond infecting your computer and spread to your entire network.
o This aspect of spoofing relies heavily on social engineering: the ability to convince a human user that what they
are seeing is legitimate, prompting them to take action and open an attachment, transfer money, et cetera.
- Phishing, spear phishing

o Phishing and spear phishing are very common forms of e-mail attack designed to trick you into performing a specific
action, typically clicking on a malicious link or attachment. The difference between them is primarily a matter of
targeting.

o Phishing e-mails are sent to very large numbers of recipients, more or less at random, with the expectation that
only a small percentage will respond. An apparently official email from, say, a well-known delivery company might
arrive, saying that "Your package has been delayed, click here for details." Click the link and malware might be
downloaded onto your device, or you might go to a fake website where you're asked to enter your name, address,
and social-security number. That information would then be sold on the black market or used for fraud or identity
theft.
o Spear phishing e-mails are carefully designed to get a single recipient to respond. Criminals select an individual
target within an organization, research that person using social media and other public information, and craft a
fake e-mail tailored to them. For example, if you share online that you will be travelling to Manali soon, you might
get an e-mail apparently from a colleague saying "Hey, while you're in Manali you've got to eat at Harry's Grill,
check out their menu." Click the link, and while you are studying the menu, malware is installed on your computer.
Another version might apparently come from your CEO, who is travelling abroad and says his phone, wallet and
briefcase have been stolen, so can you wire five thousand dollars to this account right away?
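The spoofing and phishing indicators described above (a forged From header, a link that points somewhere other than the claimed sender) can be checked mechanically. The following added example, which is not from the textbook, triages a constructed message for those indicators: the From domain is compared with the envelope sender in Return-Path and with the host named in the Received header written by our own mail exchanger, and every link in the HTML body is compared with the sender's domain. All domains, addresses and the message text are assumptions made for illustration.

```python
"""Added example (not from the textbook): triage of a suspicious e-mail for the
spoofing and phishing indicators discussed above. The messages are constructed;
every domain and address in them is an assumption for illustration."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the From header claims a parcel company, but the bounce
# address, the submitting relay and the link target all belong to another domain.
SPOOFED_MAIL = """\
Return-Path: <bounce@mail-track-update.example>
Received: from mail-track-update.example (198.51.100.7) by mx.victim.example
From: "Parcel Service" <notifications@parcel-service.example>
To: user@victim.example
Subject: Your package has been delayed
Content-Type: text/html; charset=utf-8

<html><body><p>Your package has been delayed.
<a href="http://parcel-service.example.mail-track-update.example/track">Click here for details</a>
</p></body></html>
"""

# Constructed sample of a legitimate notification from the same sender.
CLEAN_MAIL = """\
Return-Path: <bounce@parcel-service.example>
Received: from smtp.parcel-service.example (192.0.2.25) by mx.victim.example
From: "Parcel Service" <notifications@parcel-service.example>
To: user@victim.example
Subject: Your package has shipped
Content-Type: text/html; charset=utf-8

<html><body><p><a href="https://parcel-service.example/track">Track your package</a></p></body></html>
"""


class LinkExtractor(HTMLParser):
    """Collect (visible text, href) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def registrable_domain(host):
    """Last two DNS labels. Assumption: no public-suffix list is consulted, so
    country-code second-level suffixes such as co.uk are not handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def triage(raw_message):
    """Return human-readable findings; an empty list means no indicator fired."""
    msg = message_from_string(raw_message)
    findings = []
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    bounce_domain = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2]

    # The header From is trivially forged; the envelope sender used for bounces is
    # an address the sender actually controls, so a mismatch is a spoofing indicator.
    if bounce_domain and registrable_domain(from_domain) != registrable_domain(bounce_domain):
        findings.append(f"From domain {from_domain} differs from Return-Path domain {bounce_domain}")

    # The topmost Received header was written by our own MX and cannot be forged by
    # the sender: it names the host that actually handed the message in.
    received = msg.get_all("Received") or []
    hop = re.match(r"from\s+(\S+)", received[0]) if received else None
    if hop and registrable_domain(hop.group(1)) != registrable_domain(from_domain):
        findings.append(f"submitted by {hop.group(1)}, not by a {from_domain} host")

    # Phishing indicator: link targets outside the claimed sender's domain, including
    # the trick of prefixing the real brand name to a look-alike host.
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    parser = LinkExtractor()
    parser.feed(body)
    for text, href in parser.links:
        target = urlparse(href).hostname or ""
        if registrable_domain(target) != registrable_domain(from_domain):
            findings.append(f'link "{text}" points to {target}, outside {from_domain}')
    return findings


if __name__ == "__main__":
    for finding in triage(SPOOFED_MAIL):
        print("SPOOFED:", finding)
    print("CLEAN:", triage(CLEAN_MAIL))
```

Run against the spoofed message, all three checks fire; the clean message produces no findings. In production the same comparison is what SPF, DKIM and DMARC automate at the receiving mail server, and the Authentication-Results header they add is the first thing to read when triaging a reported phish.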

- Spamming
o Spamming uses electronic messaging systems, most commonly e-mail, to send unsolicited bulk messages that carry
malware, links to fake websites and other malicious content. E-mail spamming is very common: unsolicited bulk messages
from unfamiliar organizations, companies and groups are sent to large numbers of users, offering deals, promotions and
other attractive bait to deceive them.

- Cyber defamation
o Cyber defamation means: whoever, by words either spoken or intended to be read, or by signs or by visible
representations, makes or publishes any imputation concerning any person intending to harm, or knowing or having
reason to believe that such imputation will harm, the reputation of such person, is said, except in the cases
hereinafter excepted, to defame that person (this is the definition of defamation in Section 499 of the Indian Penal
Code, applied to online publication). In simple language, defamation means damage done to the reputation of a person.
For example, if Meena writes a mail to Neeta which is derogatory of Neeta, it is not considered defamation, because
nothing has been published to a third party. But if Meena writes a mail to Neeta which contains derogatory comments
about Reema, it is considered defamation.

- Cyberstalking and harassment
o This kind of cybercrime involves online harassment where the user is subjected to a barrage of online messages and
e-mails. Typically cyberstalkers use social media, websites and search engines to intimidate a user and instil fear.
Usually the cyberstalker knows the victim and makes the person feel afraid or concerned for their safety.
- Computer sabotage
o Computer sabotage means using the Internet to hamper the normal functioning of a computer system through the
introduction of worms, viruses or logic bombs.
- Pornographic offences
o Cyber pornography is the act of using cyberspace to create, display, distribute, import or publish pornography or
obscene material. With the advent of cyberspace, traditional pornographic content has largely been replaced by
online/digital pornographic content.
o Cyber pornography is banned in many countries and legalised in some. In India, under the Information Technology Act,
2000, it is a grey area: publishing or transmitting obscene material in electronic form is punishable (Section 67),
but private viewing is neither prohibited nor expressly legalised.

The following are the pornographic offences:

a. Publication: this includes uploading to a website, a WhatsApp group or any other digital portal where third
parties can access such content.
b. Transmission: this includes sending obscene photos or images to any person via e-mail, messaging, WhatsApp or
c. Causing to be published or transmitted: this is very wide terminology which ends up making liable the intermediary
portal through which the offender has published or transmitted such obscene content. The intermediary guidelines under
the Information Technology Act put an onus on the intermediary/service provider to exercise due diligence to ensure
that their portal is not being misused.
- Password sniffing
o Password sniffing is a technique used to learn passwords by monitoring traffic on a network and pulling the
credentials out of it. Several software tools are available that do this automatically.

1.3.2 Cybercrime against Property

- Credit card frauds


o Credit card fraud is when someone uses your credit card or credit account to make a purchase you didn't
authorize. This activity can happen in different ways.
o If you lose your credit card or have it stolen, it can be used to make purchases or other transactions, either in
person or online.
o Fraudsters can also steal your credit card account number, PIN and security code to make unauthorized
transactions, without needing your physical credit card. (Unlawful transactions like these are known as
card-not-present fraud.)
- Intellectual property (IP) crimes
o These include software piracy, copyright infringement, trademark violations, theft of computer source code, etc.
- Internet time theft
o Internet time theft is a crime where one person's internet connection is used by an unauthorized person. This is
usually done by getting hold of the user's internet account details, such as the user name and password issued by
the internet service provider. This access can be given voluntarily by the user for a stipulated period, or it can be
gained fraudulently. Wireless internet has made this theft more prevalent: it is easy to commit this crime if the
victim is using an open Wi-Fi connection for internet access.

1.3.3 Cybercrime against Organization


- Unauthorized accessing of computers

o Unauthorized access is when someone gains access to a website, program, server, service or other system using
someone else's account or by other means. For example, if someone keeps guessing the password or user name for an
account that is not theirs until they gain access, it is considered unauthorized access.

- Password sniffing

o Password sniffing is a technique used to learn passwords by monitoring traffic on a network and pulling the
credentials out of it. Several software tools are available that do this automatically.
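To show what "monitoring traffic on a network to pull out information" actually yields, and why it works, the following added example (not from the textbook) parses a handful of constructed cleartext payloads the way a sniffer on a shared segment or an open Wi-Fi network would: an HTTP Basic authentication header, an HTML login form submitted over plain HTTP and an FTP login are all recovered verbatim, while a TLS record yields nothing. Host names, field names and every credential in it are made up for the demonstration.

```python
"""Added example (not from the textbook): what a password sniffer recovers from
cleartext protocols. The payloads are constructed; hosts and credentials are made up."""
import base64
import re
from urllib.parse import parse_qs

# Constructed TCP payloads as a sniffer on the same segment would see them.
CAPTURED_PAYLOADS = [
    # HTTP Basic authentication: "alice:hunter2" merely base64-encoded, not encrypted
    b"GET /admin HTTP/1.1\r\nHost: intranet.example\r\n"
    b"Authorization: Basic YWxpY2U6aHVudGVyMg==\r\n\r\n",
    # HTML login form submitted over plain HTTP
    b"POST /login HTTP/1.1\r\nHost: intranet.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 31\r\n\r\n"
    b"username=bob&password=s3cret%21",
    # FTP sends the user name and the password as two separate commands
    b"USER carol\r\n",
    b"PASS letmein\r\n",
    # Start of a TLS ClientHello: the sniffer sees only opaque record bytes
    b"\x16\x03\x03\x00\x2a\x01\x00\x00\x26\x03\x03",
]

USER_FIELDS = ("username", "user", "login", "email")
PASSWORD_FIELDS = ("password", "pass", "passwd")


def parse_http(payload):
    """Split a raw HTTP request into (request line, lower-cased header dict, body)."""
    head, _, body = payload.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body.decode("latin-1")


def extract_credentials(payloads):
    """Return (protocol, user, password) triples recovered from the payload stream."""
    found = []
    pending_ftp_user = None
    for payload in payloads:
        if re.match(rb"^(GET|POST|PUT|DELETE) ", payload):
            _, headers, body = parse_http(payload)
            auth = headers.get("authorization", "")
            if auth.lower().startswith("basic "):
                # Basic auth is base64("user:password"): reversible by anyone who sees it
                user, _, password = base64.b64decode(auth[6:]).decode("latin-1").partition(":")
                found.append(("http-basic", user, password))
            if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
                form = parse_qs(body)
                user = next((form[f][0] for f in USER_FIELDS if f in form), None)
                password = next((form[f][0] for f in PASSWORD_FIELDS if f in form), None)
                if user and password:
                    found.append(("http-form", user, password))
        elif payload.startswith(b"USER "):
            pending_ftp_user = payload[5:].strip().decode("latin-1")
        elif payload.startswith(b"PASS ") and pending_ftp_user is not None:
            found.append(("ftp", pending_ftp_user, payload[5:].strip().decode("latin-1")))
            pending_ftp_user = None
        # Anything else (TLS, SSH, binary protocols) carries nothing the sniffer can read.
    return found


if __name__ == "__main__":
    for protocol, user, password in extract_credentials(CAPTURED_PAYLOADS):
        print(f"{protocol:10s} {user}:{password}")
```

The lesson for the defender is in the last payload: encoding is not encryption, and the only robust counter-measure is not to send credentials in the clear at all (HTTPS instead of HTTP, SFTP or FTPS instead of FTP, SSH instead of telnet). On the network side, switched and segmented networks with port authentication (802.1X) deny the sniffer a view of other hosts' traffic in the first place.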
- Denial-Of-Service attacks (DoS attacks)

o A Denial-of-Service (DoS) attack is an explicit attempt by attackers to deny service to intended users of that
service. It involves flooding a computer resource with more requests than it can handle consuming its available
bandwidth which results in server overload.

o This causes the resource (e.g. a web server) to crash or slow down significantly so that no one can access it. Using
this technique, the attacker can render a web site inoperable by sending massive amounts of traffic to the
targeted site. A site may temporarily malfunction or crash completely, in any case resulting in the inability of the
system to communicate adequately. DoS attacks violate the acceptable use policies of virtually all internet service
providers.

o A variation of the denial-of-service attack is the "Distributed Denial of Service" (DDoS) attack, in which a large
number of geographically widespread machines flood the target with traffic at once. Denial-of-service attacks
typically target high-profile web servers belonging to banks and credit card payment gateways; the websites of
companies such as Amazon, CNN, Yahoo, Twitter and eBay are not spared either.
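Both the password-guessing form of unauthorized access described above and the flooding described here leave the same kind of trace in logs: many events from one source inside a short window. The following added example, which is not from the textbook, implements the windowed-threshold detection a defender runs over constructed authentication and access log lines, flagging the guessing source (and, more importantly, its eventual success) and the flooding source while leaving ordinary users alone. The log format, the ISO-8601 timestamps, the addresses and the thresholds are all assumptions for illustration.

```python
"""Added example (not from the textbook): windowed-threshold detection of password
guessing in authentication logs and of request floods in access logs. The log lines
are constructed and use ISO-8601 timestamps for brevity; thresholds are assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime


class SlidingWindowCounter:
    """Count events per key within a trailing window of `window` seconds and report
    whether the key has reached `threshold` events inside that window."""

    def __init__(self, window, threshold):
        self.window, self.threshold = window, threshold
        self.events = defaultdict(deque)

    def observe(self, key, ts):
        q = self.events[key]
        q.append(ts)
        while (ts - q[0]).total_seconds() > self.window:  # drop events older than the window
            q.popleft()
        return len(q) >= self.threshold


# Constructed sshd-style lines: one source tries five passwords in five seconds and
# then succeeds; another source has a single, ordinary failure.
AUTH_LOG = """\
2024-03-01T10:00:01 sshd[812]: Failed password for root from 203.0.113.9 port 51234
2024-03-01T10:00:02 sshd[812]: Failed password for root from 203.0.113.9 port 51235
2024-03-01T10:00:03 sshd[812]: Failed password for invalid user admin from 203.0.113.9 port 51236
2024-03-01T10:00:04 sshd[812]: Failed password for root from 203.0.113.9 port 51237
2024-03-01T10:00:05 sshd[812]: Failed password for root from 203.0.113.9 port 51238
2024-03-01T10:00:06 sshd[812]: Accepted password for root from 203.0.113.9 port 51239
2024-03-01T10:05:00 sshd[813]: Failed password for alice from 198.51.100.4 port 40001
"""
AUTH_LINE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)


def detect_password_guessing(log, window=60, threshold=5):
    """Alert on a source that fails `threshold` logins within `window` seconds, and
    separately on a success from a source that was already flagged."""
    counter = SlidingWindowCounter(window, threshold)
    flagged, alerts = set(), []
    for line in log.splitlines():
        m = AUTH_LINE.match(line)
        if not m:
            continue
        ip, ts = m["ip"], datetime.fromisoformat(m["ts"])
        if m["result"] == "Failed":
            if counter.observe(ip, ts) and ip not in flagged:
                flagged.add(ip)
                alerts.append(("brute-force", ip, m["user"], m["ts"]))
        elif ip in flagged:
            # A success right after a burst of failures is the signal that matters most.
            alerts.append(("success-after-brute-force", ip, m["user"], m["ts"]))
    return alerts


# Constructed access-log lines (ip, timestamp, method, path): 40 requests in 8 seconds
# from one source against a search endpoint, plus four ordinary visitors.
ACCESS_LOG = "\n".join(
    [f"203.0.113.50 2024-03-01T12:00:{i // 5:02d} GET /search?q={i}" for i in range(40)]
    + [f"198.51.100.{i} 2024-03-01T12:00:0{i} GET /index.html" for i in range(1, 5)]
)
ACCESS_LINE = re.compile(r"^(?P<ip>\S+) (?P<ts>\S+) (?P<method>\S+) (?P<path>\S+)")


def detect_flood(log, window=10, threshold=20):
    """Return the sources that exceed `threshold` requests inside any `window`-second span."""
    counter = SlidingWindowCounter(window, threshold)
    flagged = []
    for line in log.splitlines():
        m = ACCESS_LINE.match(line)
        if m and counter.observe(m["ip"], datetime.fromisoformat(m["ts"])) and m["ip"] not in flagged:
            flagged.append(m["ip"])
    return flagged


if __name__ == "__main__":
    for alert in detect_password_guessing(AUTH_LOG):
        print("AUTH ", *alert)
    print("FLOOD", detect_flood(ACCESS_LOG))
```

Per-source counting is enough for the single-source cases above; for a DDoS the same counter has to be keyed on something the many sources share (the target URL, a request signature, or a /24 prefix), since no single address will cross the threshold. The keyed counter is also the building block of the rate limiter that throttles the offending source once it has been identified.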

- Virus attack/dissemination of viruses

o Computer viruses are small software programs designed to spread from one computer to another and to interfere with
computer operation. A virus might corrupt or delete data on the victim's computer, use the victim's e-mail program to
spread itself to other computers, or even erase everything on the victim's hard disk. Viruses are easily spread
through e-mail attachments or instant messages, and can be disguised as attachments of funny images, greeting cards,
or audio and video files. Worms, unlike viruses, do not need a host program to attach themselves to: they make
functional copies of themselves and do so repeatedly until they bring the system or an application to a halt.

- E-mail bombing/mail bombs


o E-mail bombing is characterized by an abuser sending huge volumes of e-mail to a target address, resulting in the
victim's e-mail account or mail server crashing. The messages are meaningless and excessively long in order to
consume network resources.
o If multiple accounts of a mail server are targeted, it may have a denial-of-service impact. Such mail arriving
frequently in your inbox can be easily detected by spam filters. E-mail bombing is commonly carried out using
botnets (private internet-connected computers whose security has been compromised by malware and under the
attacker's control) as a DDoS attack.
o This type of attack is more difficult to control due to multiple source addresses and the bots, which are
programmed to send different messages to defeat spam filters.


- Salami attack/salami technique

o A salami attack (also known as salami slicing) is a fraud carried out by altering a system, either by modifying it or
by inserting a malicious program, for financial gain. It is considered a minor attack that can be repeated many
times; the classic example is stealing a very small amount of money from every customer's account in a particular
bank.
o Such an attack is very hard for customers to notice, and such attacks are reportedly mostly conducted by
criminally minded bank officials. This cybercrime usually goes undetected and unnoticed because of its nature and
form: only small amounts are deducted, repeatedly, over a period of time.
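The following added example, which is not from the textbook, simulates the salami technique on a bank's daily interest posting and then runs the two audit checks that expose it even though the ledger total still balances. The customer balances are generated from a fixed seed, and the 4% rate, the non-compounding ledger and the attacker account name "X999" are assumptions for illustration.

```python
"""Added example (not from the textbook): the salami technique applied to daily
interest posting, and the audit checks that catch it. Balances are constructed; the
rate, the attacker account X999 and the non-compounding ledger are assumptions."""
import random
from decimal import Decimal, ROUND_DOWN, ROUND_HALF_UP

DAILY_RATE = Decimal("0.04") / 365   # 4% p.a., simple interest, posted daily
PAISA = Decimal("0.01")


def constructed_balances(n=500, seed=7):
    """Deterministic sample of n customer balances between 10 and 50,000 rupees."""
    rng = random.Random(seed)
    return {f"C{i:04d}": Decimal(rng.randint(1_000, 5_000_000)) / 100 for i in range(n)}


def post_interest(balances, rounding, skim_to=None):
    """Credit one day's interest to every account.

    Honest posting rounds each credit half-up to the paisa. The salami version rounds
    every credit DOWN and moves the shaved fractions into `skim_to`: no customer loses
    as much as a paisa a day, and the sum of all credits still equals the exact total."""
    credits, shaved = {}, Decimal(0)
    for acct, balance in balances.items():
        exact = balance * DAILY_RATE
        credits[acct] = exact.quantize(PAISA, rounding=rounding)
        shaved += exact - credits[acct]
    if skim_to is not None:
        credits[skim_to] = shaved.quantize(PAISA, rounding=ROUND_DOWN)
    return credits


def run_year(balances, rounding, skim_to=None, days=365):
    """Accumulate a year of daily credits per account (balances held constant)."""
    totals = {}
    for _ in range(days):
        for acct, credit in post_interest(balances, rounding, skim_to).items():
            totals[acct] = totals.get(acct, Decimal(0)) + credit
    return totals


def honest_year(balances):
    return run_year(balances, ROUND_HALF_UP)


def salami_year(balances, attacker="X999"):
    return run_year(balances, ROUND_DOWN, skim_to=attacker)


def audit(balances, totals, days=365):
    """Two controls that catch the skim although the ledger total looks right:
    1. credits to an account that has no deposit to earn them;
    2. rounding direction: honest half-up rounding credits roughly half the
       customers slightly above the exact figure, the salami version never does."""
    unexplained = sorted(a for a in totals if a not in balances)
    rounded_up = rounded_down = 0
    for acct, balance in balances.items():
        exact_year = balance * DAILY_RATE * days
        rounded_up += totals[acct] > exact_year
        rounded_down += totals[acct] < exact_year
    return {"unexplained_accounts": unexplained, "rounded_up": rounded_up,
            "rounded_down": rounded_down, "ledger_total": sum(totals.values())}


if __name__ == "__main__":
    balances = constructed_balances()
    print("honest:", audit(balances, honest_year(balances)))
    skimmed = salami_year(balances)
    print("salami:", audit(balances, skimmed), "attacker account:", skimmed["X999"])
```

Run it and the honest ledger shows roughly half the customers rounded up and half down, with no unexplained account. The salami ledger shows no customer ever rounded up, and an account X999 that holds no deposit yet has collected several hundred rupees over the year from fractions of a paisa per customer per day. The two ledger totals differ only by rounding noise, which is why reconciling totals alone never detects this fraud: the controls that work are per-account recomputation and a rounding-direction audit.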

- Logic bomb
o A logic bomb, also known as "slag code", is a malicious piece of code that is intentionally inserted into software to
execute a malicious task when triggered by a specific event. It is not a virus, although it usually behaves in a
similar manner. It is stealthily inserted into the program, where it lies dormant until the specified conditions are
met. Malicious software such as viruses and worms often contains logic bombs that fire a specific payload at a
predefined time.
o The payload of a logic bomb is unknown to the user of the software, and the task it executes is unwanted. Code that
is scheduled to execute at a particular time is known as a "time bomb". For example, the infamous "Friday the 13th"
virus attacked host systems only on specific dates: it "exploded" (duplicated itself) on every Friday that fell on
the thirteenth of a month, causing system slowdowns. Logic bombs are usually planted by disgruntled employees working
in the IT sector.
o You may have heard of "disgruntled employee syndrome", in which angry employees who have been fired use logic bombs
to delete their employers' databases, paralyse the network for a while or even enable insider trading. Triggers for a
logic bomb can be a specific date and time, a missing entry in a database, or a command not being entered at the
usual time, meaning the person no longer works there.
o Most logic bombs stay only in the network they were planted in, so in most cases they are an insider job. This makes
them easier to design and execute than a virus: they do not need to replicate, which is the more complex job. To keep
your network protected from logic bombs, you need constant monitoring of the data and effective anti-virus software
on each computer in the network.

o There is another use for the kind of action a logic bomb "explosion" performs: restricted software trials. The
embedded code disables the software after a defined period or renders it unusable until the user pays for further
use. Although this uses the same technique as a logic bomb, it is non-destructive, non-malicious and disclosed to the
user, and is not usually referred to as one.
- Trojan horse

o A Trojan horse is a program, downloaded and installed on a computer, that appears harmless but is in fact
malicious. Unexpected changes to computer settings and unusual activity, even when the computer should be idle, are
strong indications that a trojan is residing on the computer.

o Typically the Trojan horse is hidden in an innocent-looking e-mail attachment or free download. When the user opens
the attachment or downloads the free program, the malware that is hidden inside is transferred to the user's
computing device. Once inside, the malicious code can execute whatever task the attacker designed it to carry out.

- Data diddling
o Data diddling is illegal or unauthorized data alteration. The changes can occur before or during data input, or
before output. It has affected banks, payrolls, inventory records, credit records, school transcripts and virtually
every other form of data processing known.
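Because data diddling alters records between input and output, the standard control is to seal each record when it is captured and re-verify the seal before the record is used. The following added example, which is not from the textbook, does that with an HMAC over a canonical encoding of each record, then alters one stored payroll row the way an insider with database access would and shows that verification before output names exactly the altered row. The payroll records and the key are constructed for the demonstration.

```python
"""Added example (not from the textbook): an integrity seal that detects data
diddling between input and output. Records and key are constructed; in practice the
key lives in a secret store or HSM that people who can edit the database cannot read."""
import hashlib
import hmac
import json

SEAL_KEY = b"constructed-demo-key-not-for-real-use"   # assumption: stored outside the database


def canonical(record):
    """Stable byte encoding so that the same record always yields the same MAC."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def seal(record):
    return hmac.new(SEAL_KEY, canonical(record), hashlib.sha256).hexdigest()


def ingest(records):
    """Input stage: store each record together with its seal."""
    return [{"data": dict(r), "mac": seal(r)} for r in records]


def verify(entries):
    """Output stage: return the ids of entries whose content no longer matches the seal."""
    return [e["data"]["id"] for e in entries
            if not hmac.compare_digest(seal(e["data"]), e["mac"])]


# Constructed payroll records.
PAYROLL = [
    {"id": "E101", "name": "A. Kumar", "salary": 52000},
    {"id": "E102", "name": "B. Shah", "salary": 48500},
    {"id": "E103", "name": "C. Rao", "salary": 61000},
]


def diddle_demo():
    """Seal the records, alter one in storage the way an insider with database
    access would, and show that verification before output names the altered row."""
    ledger = ingest(PAYROLL)
    assert verify(ledger) == []            # untouched data passes
    ledger[1]["data"]["salary"] = 84500    # the diddle: a direct edit of the stored row
    return verify(ledger)                  # -> ["E102"]


if __name__ == "__main__":
    print("tampered records:", diddle_demo())
```

Two caveats apply. The seal proves that what is read is what was stored, not that the input was right in the first place, so diddling at the moment of data entry still needs input validation and dual control. And the key must not be readable by anyone who can edit the rows; otherwise the insider simply edits the record and re-seals it, and the control is void.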

- Crimes emanating from Usenet newsgroups

o Usenet is a popular means of sharing and distributing information on the net on specific subjects or topics.
Usenet is used for the following crimes:

o To distribute or sell pornographic material

o To distribute or sell pirated software packages

o To distribute hacking software

o To sell stolen credit card numbers

o To sell stolen data/stolen property

Industrial spying/industrial espionage


o Industrial espionage is the covert and sometimes illegal practice of investigating competitors to gain a business
advantage. The target of the investigation might be a trade secret such as a proprietary product specification or
formula, or information about business plans. In many cases, industrial spies are simply seeking any data that their
organization can exploit to its advantage.


o An industrial spy may be an insider threat, such as an individual who has gained employment with the company
with the purpose of spying or a disgruntled employee who trades information for personal gain or revenge. Spies
may also infiltrate through social engineering tactics, for example by tricking an employee into divulging privileged

information.

- Computer network intrusions

o In a computer network intrusion, crackers break into computer systems from anywhere in the world and steal data,
change user names and passwords, create backdoors, plant viruses and insert Trojan horses.

- Software piracy
o Software piracy means illegally copying copyrighted software; the same applies to other copyrighted works such as
music, movies, art and books. This results in loss of revenue to the legitimate owner of the copyright.

1.3.4 Cybercrime against Society


- Forgery
o Forgery means counterfeit currency notes, postage and revenue stamps, mark sheets, academic certificates, etc. made
by criminals using sophisticated computers, printers and scanners.
- Cyberterrorism
o Cyberterrorism is planned activity committed in cyberspace via computer networks. It includes the use of e-mail for
communication among co-conspirators, to pass on information for use in violent activities, as well as recruiting
members for terrorist organizations through internet sites. It also includes:

a. Breaking into air traffic control computer systems to cause planes to collide or crash.

b. Infiltrating water treatment plant computer systems to cause contamination of water supplies.

c. Hacking into hospital databases and changing or deleting records in a way that could result in incorrect and
dangerous treatment of a patient or patients.

d. Disrupting the electric power grid, which would cause loss of air conditioning in summer and heating in winter, or
result in the death of people.

- Web jacking
o In web jacking the hacker gains access to and control over the web site of another. He may even change the
information on the site. This may be done to fulfil political objectives or for money; e.g. the site of the Ministry
of Information Technology was hacked by Pakistani hackers and some obscene matter was placed on it. Further, the site
of the Bombay crime branch was also web jacked. Another case of web jacking is the "gold fish" case, in which the
site was hacked and the information pertaining to gold fish was changed.

1.3.5 Crimes Emanating from Usenet Newsgroup


Usenet is the precursor of discussion forums. As such, everything is based on messages, which can contain either text
or binary files. Usenet users can upload or post messages and files as well as download them. These messages and
files are stored on Usenet servers, also called news servers. There are numerous servers throughout the world and
they constantly replicate their contents with each other, ensuring that a post made on one server will be available on
the others. Usenet posts are organized in newsgroups. There are literally hundreds, possibly thousands, of newsgroups,
and users can add more as they need. Cyber criminals use them to distribute or sell pornographic material, pirated
software packages, hacking software, stolen credit card numbers, and stolen data or property.

1.4 Cybercrime and the Indian ITA 2000

The I.T. Act 2000 includes the following offences:

- Tampering with the computer source documents.
- Hacking with computer system.
- Publishing of information which is obscene in electronic form.
- Power of Controller to give directions.
- Directions of Controller to a subscriber to extend facilities to decrypt information.
- Protected system.
- Penalty for misrepresentation.
- Penalty for breach of confidentiality and privacy.
- Penalty for publishing Digital Signature Certificate false in certain particulars.
- Publication for fraudulent purpose.
- Act to apply for offence or contravention committed outside India.
- Confiscation.
- Penalties or confiscation not to interfere with other punishments.
- Power to investigate offences.

Table 1.4.1

Section | Offence | Punishment
65 | Tampering with computer source code | Imprisonment up to 3 years or fine up to ₹2 lakhs.
66 | Computer related offences | Imprisonment up to 3 years or fine up to ₹5 lakhs.
66-A | Sending offensive message through communication device | Imprisonment up to 3 years and/or fine up to ₹1 lakh.
66-B | Dishonestly receiving stolen computer resource or communication device | Imprisonment up to 3 years and/or fine up to ₹1 lakh.
66-C | Identity theft | Imprisonment of either description up to … and/or fine up to … lakhs.
66-D | Cheating by personation by using computer resource | Imprisonment of either description up to … and/or fine up to ₹1 lakh.
66-E | Violation of privacy | Imprisonment up to 3 years and/or fine up to ₹2 lakhs.
66-F | Cyber terrorism | Imprisonment which may extend to imprisonment …
67 | Publishing or transmitting obscene material in electronic form | On first conviction, imprisonment up to … and/or fine up to ₹5 lakhs; on subsequent conviction, imprisonment up to 5 years and/or fine up to ₹10 lakh.
67-A | Publishing or transmitting material containing sexually explicit acts, etc., in electronic form | On first conviction, imprisonment up to … and/or fine up to ₹10 lakh; on subsequent conviction, imprisonment up to 7 years and/or fine up to ₹10 lakh.
67-B | Publishing or transmitting material depicting children in sexually explicit acts, etc., in electronic form | On first conviction, imprisonment of either description up to 5 years and/or fine up to ₹10 lakh; on subsequent conviction, imprisonment of either description up to … and/or fine up to ₹10 lakh.
67-C | Intermediary intentionally or knowingly contravening the directions about preservation and retention of information | Imprisonment up to 3 years and fine.
68 | Failure to comply with the directions given by the Controller | Imprisonment up to 2 years and/or fine up to ₹1 lakh.
69 | Failure to assist the agency referred to in sub-section (3) in regard to interception or monitoring or decryption of any information through any computer resource | Imprisonment up to 7 years and fine.
69-A | Failure of the intermediary to comply with the direction issued for blocking public access to any information through any computer resource | Imprisonment up to 7 years and fine.
69-B | Intermediary who intentionally or knowingly contravenes the provisions of sub-section (2) in regard to monitoring and collecting traffic data or information through any computer resource for cyber security | Imprisonment up to 3 years and fine.
70 | Any person who secures access or attempts to secure access to a protected system in contravention of the provisions of Sec. 70 | Imprisonment of either description up to 10 years and fine.
70-B | Indian Computer Emergency Response Team to serve as national agency for incident response: any service provider, intermediary, data centre, etc. that fails to provide the information called for or to comply with the direction issued by the ICERT | Imprisonment up to 1 year and/or fine up to ₹1 lakh.
71 | Misrepresentation to the Controller or to the certifying authority | Imprisonment up to 2 years and/or fine up to ₹1 lakh.
72 | Breach of confidentiality and privacy | Imprisonment up to 2 years and/or fine up to ₹1 lakh.
72-A | Disclosure of information in breach of lawful contract | Imprisonment up to 3 years and/or fine up to ₹5 lakh.
73 | Publishing electronic signature certificate false in certain particulars | Imprisonment up to 2 years and/or fine up to ₹1 lakh.
74 | Publication for fraudulent purpose | Imprisonment up to 2 years and/or fine up to ₹1 lakh.

1.5 A Global Perspective on Cybercrimes

- In Australia, cybercrime has a narrow legal meaning as used in the Cybercrime Act 2001, which details offences
against computer data and systems.
- At the international level cybercrime has a broad meaning.
- One example of cybercrime: in the year 2000 cyber criminals "celebrated" Valentine's day in advance. They chose the
dates 6, 7 and 8 February, before the 14th of February, to greet e-commerce sites with a "happy Valentine's day";
the e-commerce sites buy.com, Yahoo, eBay and amazon.com were slowed down and shut down for hours.
- At that time the cyber criminals also released a virus called "I love you". This virus spread very rapidly and
resulted in great loss.
- In the year 1999 the Melissa virus spread around; this virus affected e-mail systems and resulted in a huge loss.
- In recent times some hacker groups have also been active. One group from Pakistan called 'G' hacked and defaced
more than 40 Indian websites.
  The websites they hacked were: Agricultural University of Maharashtra, National Research Centre, Asian Age
newspaper, Indian Science Congress, Indian Institute of Management Ahmedabad, the Gujarat government, Indian
Institute of Technology Madras, Centre for Electronics Design and Technology, Glaxo Wellcome, the Gujarat
government and some other websites.
- The second group, called 'Doctor Nuker', which is the founder of the Pakistan Hackers Club, hacked the sites of the
Indian Parliament, Ahmedabad telephone exchange, Engineering Export Promotion Council, and United Nations (India).
- The third group, called 'nightman', hacked websites owned by the government and websites set up by Indian companies.
- Some of the sites this group has defaced are Blue Star InfoTech, Lal Bahadur Shastri National Academy of
Administration and Mahindra and Mahindra.
- Every year the Indian government spends a lot of money on e-security. Actions are taken against cybercrime, but it
is still growing day by day.
- The Council of Europe's (CoE's) cybercrime treaty covers cyber criminal activity such as copyright offences,
computer-related offences, offences against computer data and systems, and content offences.
- The wide definition of cybercrime is divided into white-collar crime and economic crime.
- Countries like Argentina, Australia, Brazil and Canada are taking action against spam. These countries are
restricting the use of e-mail spam.
- Spam legislation is non-existent in India. The existing law, in the form of the Information Technology Act 2000,
does not contain any provision concerning the regulation of spamming, though it does regulate obscenity, which covers
publishing, transmitting or causing to be published in electronic form any material which is lascivious or appeals to
the prurient interest.
- About 30 countries have enacted some form of anti-spam legislation. Internet service providers and end users have
also come up with technical solutions. However, until now there has been no significant impact on the volume of
spam, with spammers sending hundreds of millions of messages per day.
- Spam activities lead to criminal and fraudulent activities like:
  o Trying to obtain financial information, e.g. account numbers and passwords, by masquerading messages as
originating from trusted companies. This is also known as brand-spoofing or phishing.
  o Spreading viruses and worms.
  o On mobile networks, sending bulk unsolicited text messages to generate traffic to premium-rate numbers.
- The most important point is that cybercrime has no boundaries; it needs international cooperation between those who
seek to enforce anti-spam laws.
- Thus, there is a lot to do toward building confidence and security in the use of Information and Communication
Technologies (ICT) and moving toward an international cooperation agenda.
- ICT growth and the dependencies on it are leading to a shift in the perception of cyber security threats. Cyber
security has become a big issue in many countries as it is growing day by day.

Q.1 Write the definition of cybercrime. What are cyberspace, cybersquatting, cyberterrorism, cyberpunk and
cyberwarfare? (Section 1.1)

Q.2 Write a short note on cybercrime and information security. (Section 1.2)

Q.3 Who are cybercriminals? (Section 1.2)

Q.4 Explain the classification of cybercrime in detail. (Section 1.3)

Q.5 Explain cybercrime and the Indian ITA 2000. (Section 1.4)

Q.6 Write a short note on a global perspective on cybercrimes. (Section 1.5)
2 Cyber Offenses and Cybercrime

Syllabus

…sks, Social engineering, Cyber stalking, Cyber cafe and cybercrimes, Botnets, Attack vector, Cloud
…mobile and wireless devices, Trends in mobility, Credit card frauds in mobile and wireless
…Challenges posed by mobile devices, Registry settings for mobile devices, Authentication service
…/cell phones, Mobile devices: Security implications for organizations, Organizational measures
…ss-related security issues, Organizational security policies and measures in mobile computing

2.1 …Plan the Attacks

…ds and tools used by criminals to locate the vulnerabilities of their target. The criminals
…ual and/or an organization.

…les of attacks against the target. They are passive and active attacks. In active attacks
…tem (i.e., computer network) and in passive attacks they try to gain information about the
…an effect on the integrity, availability, and authenticity of data,
…eaches of confidentiality.

…cks are also categorized as inside and outside attacks.

…within the security perimeter of an organization then it is an inside attack. Usually an insider
…more resources than expected attempts this attack.

…d by a source outside the security perimeter then this attack is known as an outside attack. The
…ider or outsider who is indirectly connected with the organization. The attack is attempted
…a remote access connection.
During this phase the hackers find important information such as old passwords and names of important employees
(such as the head of the network department), and perform an active investigation of how information flows
through the organization and how the organization performs its functions.
Subsequently, the hacker completes the process called footprinting, in which the hacker collects data on security
policies and focuses on the specific IP addresses and protocols used by the network, identifies the vulnerabilities
in the target system and draws a network map to understand how the network infrastructure works in order to break
into it easily.

Footprinting also provides information about domain names, system names, active TCP and UDP services and
passwords. The hacker can also use a search engine to extract information about the organization and use the
information about current employees for impersonation. The information is collected in two phases:

a. Passive attack
b. Active attack

a. Passive Attacks

In a passive attack the attacker collects information about the target without the individual's or the company's
knowledge. For example, an attacker may keep watch on an employee to see at what time he or she enters and leaves the
building; the attacker can also search the internet, e.g. by using Google with the person's name, to get information
about an individual. The attacker can also monitor the network traffic for the e-mails sent, using monitoring tools.
An attacker can get general information in the following ways or using the following tools:

(i) Search engines : Searching for information about an employee on search engines like Google and Yahoo.
(ii) Social websites : By surfing social websites like Facebook, Instagram, Orkut, etc., an attacker can get
information about an individual.
(iii) Organization website : Organizational websites also provide personal information about the employees, like
their contact details, e-mail addresses, etc. An attacker can also get information about the company from blogs,
press releases and newsgroups.
(iv) Job postings : An attacker can go through the job postings for a particular technical job profile; these give
information about the type of technology, i.e. the servers and infrastructure devices, the company is using on
its network.
(v) Network sniffing : In this attack the attacker obtains information about the internet protocol address ranges,
hidden servers or networks and other services on the system or network. The attacker monitors the flow of data to
check at what time certain transactions are taking place and where the traffic is going.
(vi) People search : It gives details of personal information like date of birth, residential address, contact
number, etc.
(vii) Domain name confirmation : Searching for domain names (e.g., website names) using multiple keywords. It helps
to find every registered domain name in "com", "net", "org", "edu", etc.

b. Active Attacks

- An active attack involves probing the system or network to find individual hosts in order to confirm the data (IP
addresses, operating system type and version, and services on the system) gathered in the passive attack stage.
- It carries the risk of detection and is also called active reconnaissance. Active reconnaissance can give an
attacker confirmation of the security measures in place, but the process can also increase the chance of being
caught or raise suspicion.

Tools used during active attacks

Table 2.1.1

Tool : Description

Bing : Bandwidth Ping. It measures point-to-point bandwidth. The raw throughput between any two network links can
be measured by this tool. Bing determines the real throughput on a link by measuring ICMP echo request round-trip
times for different packet sizes at each end of the link.

Dig : This tool is used to perform detailed queries about DNS records and zones, extracting configuration and
administrative data about a network or domain.

Arping : This is a network tool. It broadcasts ARP packets and receives replies, similar to "ping". It is used for
mapping a local network and finding used IP space. It broadcasts a "who-has" ARP packet on the network and prints the
answers. It can also be used to pick an unused IP for a network to which no route exists as yet.

Hping : This tool is able to send custom TCP/IP packets and to display the target's replies. It can also do firewall
testing, remote uptime guessing, advanced port scanning, etc.

Fping : This tool uses the Internet Control Message Protocol (ICMP) echo request to determine whether a target host
is responding.

Hackbot : This tool is used for host exploration. It is a simple vulnerability scanner and banner logger.

Netcat : This tool is used to read and write custom TCP/UDP (User Datagram Protocol) data packets across a network
connection, which helps in network debugging or exploration.

Hunt : This tool is used to exploit well-known weaknesses in the TCP/IP protocol suite.

Ping : This tool is used to send ICMP packets to a target host.
2. Scanning and scrutinizing collected information

Scanning involves taking the information gathered during the reconnaissance phase and examining the network. There
are three methods for scanning: pre-attack, port sniffing/scanning and information extraction. Each phase gives a
specific set of vulnerabilities that the attacker can then use to understand the weaknesses and violate security
policies.

a. Pre-attack method : In the pre-attack method, the attacker scans the network based on the data discovered during
the reconnaissance phase.

b. Port scanning : In the port scanning method, scanning is performed using vulnerability scanners, dialers, port
scanners and other data-gathering tools.

c. Information extraction : In the information extraction method the hacker collects information about the ports
made available during the establishment of the connection, the live machines present to service the requests of
the clients and the operating system used.
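From the defender's side, the port scanning step described above shows up in firewall logs as one source touching many different ports on a host in a short time. The script below is an added example, not from the textbook, showing detection logic for that pattern over a few constructed log lines; the log format, the addresses (reserved documentation ranges) and the thresholds are assumptions chosen for illustration.

```python
"""Flag port-scan style reconnaissance in firewall log lines.

Added example, not from the textbook. A source that touches many distinct
ports on one host within a short window is the signature of the port
scanning step. The log format and addresses below are constructed for
this example and do not follow any particular firewall's format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: "<timestamp> <src_ip> -> <dst_ip>:<dst_port> <action>"
SAMPLE_LOG = """\
2024-05-01T10:00:00 198.51.100.7 -> 192.0.2.10:22 DENY
2024-05-01T10:00:01 198.51.100.7 -> 192.0.2.10:23 DENY
2024-05-01T10:00:01 198.51.100.7 -> 192.0.2.10:25 DENY
2024-05-01T10:00:02 198.51.100.7 -> 192.0.2.10:80 ALLOW
2024-05-01T10:00:02 198.51.100.7 -> 192.0.2.10:110 DENY
2024-05-01T10:00:03 198.51.100.7 -> 192.0.2.10:143 DENY
2024-05-01T10:00:03 198.51.100.7 -> 192.0.2.10:443 ALLOW
2024-05-01T10:00:04 198.51.100.7 -> 192.0.2.10:445 DENY
2024-05-01T10:00:04 198.51.100.7 -> 192.0.2.10:3389 DENY
2024-05-01T10:00:05 198.51.100.7 -> 192.0.2.10:8080 DENY
2024-05-01T10:00:07 203.0.113.9 -> 192.0.2.10:22 ALLOW
2024-05-01T10:00:10 203.0.113.5 -> 192.0.2.10:443 ALLOW
2024-05-01T10:05:00 203.0.113.5 -> 192.0.2.10:443 ALLOW
"""


def parse_line(line):
    """Parse one constructed log line into (timestamp, src, dst, port)."""
    ts, src, _arrow, dst_port, _action = line.split()
    dst, port = dst_port.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, dst, int(port)


def detect_port_scans(log_text, window=timedelta(seconds=60), min_ports=8):
    """Return {(src, dst): ports} for every source that probed at least
    `min_ports` distinct ports on one destination within `window`.
    A sliding window over the time-sorted hits of each pair means a scan
    spread thinly over a long log is still judged on its densest stretch."""
    events = sorted(parse_line(line) for line in log_text.splitlines() if line.strip())
    hits_by_pair = defaultdict(list)
    for ts, src, dst, port in events:
        hits_by_pair[(src, dst)].append((ts, port))

    alerts = {}
    for pair, hits in hits_by_pair.items():
        start = 0
        for end in range(len(hits)):
            # shrink the window from the left until it spans at most `window`
            while hits[end][0] - hits[start][0] > window:
                start += 1
            ports = {p for _, p in hits[start:end + 1]}
            # keep the largest distinct-port set seen for this pair
            if len(ports) >= min_ports and len(ports) > len(alerts.get(pair, ())):
                alerts[pair] = ports
    return alerts


if __name__ == "__main__":
    for (src, dst), ports in detect_port_scans(SAMPLE_LOG).items():
        print(f"possible port scan: {src} -> {dst}, {len(ports)} ports: {sorted(ports)}")
```

The ALLOW/DENY column is deliberately ignored: a scanner that finds open ports gets ALLOW entries too, so counting only denials would under-report exactly the probes that matter.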


Scrutinizing

This phase is also known as enumeration in the hacking world. The following are the objectives behind this step:
o To identify valid user accounts or groups.
o To identify network resources and shared resources.
o To identify the operating system as well as the different applications running on the OS.

3. Launching an attack

After the scanning is completed, the hacker designs a blueprint of the target's network with the help of the data
collected during the reconnaissance and scanning phases. This is the phase where the real hacking takes place. The
hacker gains access to the system, applications and network, and escalates the user privileges available in order to
control the systems connected to it. The attacker launches the following attacks :

a. Password cracking

b. Exploiting the privileges

c. Executing malicious code

d. Hiding the files

e. Covering the tracks : Hackers who have gained and maintained access cover their tracks or activities to avoid
detection by security personnel, to continue to use the owned system, to remove evidence of hacking, or to avoid
legal action. Hackers try to remove all traces of the attack, such as log files or Intrusion Detection System (IDS)
alarms.

2.2 Social Engineering

- Social engineering is the art of manipulating users of a computing system into revealing confidential information
that can be used to gain unauthorized access to a computer system. The term can also include activities such as
exploiting human kindness, greed and curiosity to gain access to restricted-access buildings or getting users to
install backdoor software. Knowing the tricks used by hackers to trick users into releasing vital login information,
among others, is fundamental to protecting computer systems.
- There are two types of social engineering:

1. Human-based social engineering

2. Computer-based social engineering

1. Human-based social engineering

Human-based social engineering involves person-to-person interaction to gain the required information. For example,
calling the help desk and trying to find out a password.

a. Impersonating a valid user : Impersonation is a common social engineering attack. It takes advantage of the fact
that most people are basically helpful, so it seems harmless to tell someone who appears to be lost where the
computer room is, or to let someone who has "forgotten" his/her badge into the building, and so on, or to claim
to be an employee or a valid user on the system.


b. Calling technical support : Help desk and technical support people are trained to help users; when a person calls
technical support for assistance, they may be good prey for social engineering attacks.

c. Posing as an important user : The attacker poses as a higher authority to gain access to the system. The attacker
puts pressure on low-level employees to gain access to the system. The fact is that many low-level employees will
not question a person in a higher position.

d. Shoulder surfing : Shoulder surfing refers to the act of obtaining personal or private information through direct
observation. It involves looking over a person's shoulder to gather pertinent information while the victim is
unaware. This is especially effective in crowded places where a person uses a computer, smartphone or ATM.

e. Using a third person : An attacker can pretend to have permission from an authorized source to use a system when
the authorized person is not present and out of reach to contact for verification.

f. Dumpster diving : It is also referred to as trashing. Dumpster diving is the practice of digging through a
company's or individual's trash bins or dumpsters to gain information. This is carried out for a number of reasons,
from seeking passwords for a network attack to gathering personal information for social engineering. Dumpster
diving depends on a human weakness: the lack of security awareness. Many things can be found by dumpster diving
(e.g., CDs, DVDs, hard drives, company directories, and so forth).

2. Computer-based social engineering

Computer-based social engineering involves attempts to get the required information by using computer software or
the Internet. For example, sending a fake e-mail to a user and asking him to re-enter his password on a web page to
confirm it.

a. Fake e-mails

The attacker sends a fake e-mail to many users, and the users take this mail as a legitimate mail. This is also known
as phishing. This type of social engineering attack commonly uses e-mails to trick users into giving away the
credentials to their bank accounts or e-mail accounts. The e-mail mostly claims to be from a well-known source, a
highly reputed organization, and asks the user to click on a link that takes the user to a site similar to the
organization's web site, but this site is a fraudulent website that harvests the user's credentials. The fraudsters
use these credentials to gain access to bank or e-mail accounts and steal important information and money.
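The giveaway in the phishing pattern described above is that the link does not go where it claims to: the visible text or the claimed sender names one domain while the href points to another. The script below is an added example, not from the textbook, that checks an e-mail for exactly that mismatch. The message, the sender address and the domains are constructed for illustration (reserved example names), and the registered_domain heuristic is a deliberate simplification of what a real filter would do with the Public Suffix List.

```python
"""Flag phishing indicators in an e-mail: links whose visible text or
claimed sender domain do not match where the link really points.

Added example, not from the textbook. The message below is constructed;
the domains are reserved documentation names.
"""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

CONSTRUCTED_MAIL = """\
From: "Example Bank Security" <alerts@example-bank.com>
To: customer@example.net
Subject: Verify your account
Content-Type: text/html

<p>Dear customer, your account is locked. Please confirm your password:</p>
<a href="http://example-bank.com.login-verify.example.org/secure">https://www.example-bank.com/login</a>
<p>Or see our <a href="https://www.example-bank.com/help">help page</a>.</p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible_text) for every anchor in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Crude 'last two labels' heuristic (assumption for this example);
    a production filter would consult the Public Suffix List, e.g. for co.uk."""
    return ".".join(host.lower().split(".")[-2:])


def url_domain(url):
    """Registered domain of a URL; bare 'www.x' text is treated as a URL too."""
    if "://" not in url:
        url = "http://" + url
    return registered_domain(urlparse(url).hostname or "")


def phishing_indicators(raw_mail):
    """Return a list of (href, reason) for every suspicious link."""
    msg = message_from_string(raw_mail)
    sender = registered_domain(parseaddr(msg["From"])[1].rsplit("@", 1)[-1])
    parser = LinkCollector()
    parser.feed(msg.get_payload())

    findings = []
    for href, text in parser.links:
        target = url_domain(href)
        # Visible text that looks like a URL but points somewhere else
        if text.startswith(("http://", "https://", "www.")):
            shown = url_domain(text)
            if shown != target:
                findings.append((href, f"link text shows {shown} but points to {target}"))
                continue
        # Plain-text link whose destination is outside the sender's domain
        if target != sender:
            findings.append((href, f"link domain {target} differs from sender domain {sender}"))
    return findings


if __name__ == "__main__":
    for href, reason in phishing_indicators(CONSTRUCTED_MAIL):
        print(f"SUSPICIOUS {href}: {reason}")
```

The first link is caught because its text displays the bank's domain while the host really ends in example.org (the bank's name is only a subdomain label); the second link is consistent with the sender and produces no finding.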

b. E-mail attachments

The attacker sends the users an e-mail attachment which contains malicious code. When the user opens the e-mail and
clicks on the given link or attachment, the malicious code gets executed. Viruses, worms and Trojans are cleverly
included in e-mail attachments to tempt the victim into opening the attachment.

c. Pop-up windows

Like e-mail attachments, pop-up windows are used by attackers. The pop-up windows contain special offers or free
stuff which entice users into installing malicious software.

2.3 Cyberstalking

Cyberstalking is stalking that takes place using electronic devices or the Internet. It is technological harassment
directed towards a specific individual. There are several forms of cyberstalking that can take place, including :
- Placing orders for delivery in someone else's name
- Gathering personal information on the victim
- Spreading false rumors
- Encouraging others to join in the harassment
- Threatening harm through e-mail
- Creating fear and paranoia for someone else
- Hacking into online accounts

Cyberstalking can cause extreme distress for the victim. It can impact their career, personal relationships and
quality of life. Often victims do not know who the perpetrator is and start wondering if they are being watched or
followed.

Types of stalkers

There are two types of stalkers: online stalkers and offline stalkers.
- Online stalkers : Online stalkers interact with the victim directly with the help of the internet. The communication
media most used by stalkers are e-mail and chat rooms. In online stalking the stalker makes sure that the victim
recognizes the attack being made on him or her. To harass the victim, the stalker may make use of a third party.
- Offline stalkers : In offline stalking the stalker makes use of traditional methods like following the victim,
observing the daily routine of the victim, etc. The stalker searches for the victim on message boards, personal
websites, people-finding services and other websites to collect information about the victim.

How stalking works

- The stalker gathers personal information about the victim, such as name, family background details, residential
and office address, e-mail address, date of birth, etc.
- Then the stalker tries to establish contact with the victim through the telephone and makes calls to threaten or
harass the victim.
- The stalker establishes contact with the victim through e-mail. The mails sent to the victim may have a threatening
or loving tone, or can be sexually explicit. The stalker can use multiple names while contacting the victim.
- A few stalkers send repeated mails to the victim asking for different types of favours or threatening the victim.
- The cyberstalker posts false information or rumors about an individual to damage the victim's social standing,
interpersonal relationships and/or reputation.
- A few stalkers subscribe or register the e-mail account of the victim to numerous pornographic and sex sites,
because of which the victim starts receiving such kinds of unwanted e-mails.

2.4 Cyber Cafe and Cybercrimes

Information security and governance are also important in a cyber cafe. In the past many instances have come into
focus where cyber cafes were used for real or false terrorist communication. In cyber cafes, crimes like stealing
passwords and sending obscene mails to harass people take place. There are two types of risk involved in using a
cyber cafe computer.


1. The user is not aware of the programs installed on the computer. So there is a possibility of programs like
spyware and keyloggers being installed on the system.

2. Shoulder surfing may be used to find out your password.

Many cybercriminals prefer cyber cafes to perform their activities. The cyber criminals identify a particular computer
for their use. Then the cyber criminals can install malicious programs such as keyloggers or spyware, or launch an
attack on the target.

On observation of cyber cafes, the following things are found :

- Many cyber cafes are making use of pirated operating systems, browsers and other pirated applications.
- On many systems the anti-virus was not updated.
- Several cyber cafes have installed "deep freeze" software to protect the computer from malware attacks. This software
deletes the details of all the activities carried out on the computer when one clicks on the restart button. Cyber
criminals take advantage of this, and it becomes a challenge for the police in crime investigation when they visit
the cyber cafe.
- Annual maintenance contracts were not carried out properly, and the hard disks of the computers are not formatted
until the computer is down.
- Pornographic web sites are not blocked.
- Cyber cafe owners do not have the necessary knowledge about information security and IT governance.
- IT governance guidelines for cyber cafe owners are not given properly by the government, the internet service
providers or the state police.
- Periodic visits to the cyber cafes are not made by the police or by cyber cafe associations.

Some precautions for safety and security while using a computer in a cyber cafe :

o Always log out : Whenever you are using any internet service that requires a username and password, ensure that
you have clicked on the sign out or log out button before leaving the system.

o Stay with the system : When you are surfing the internet do not leave your system unattended; if you are leaving
the system, log out first and then leave.

o Clear history and temporary files : Internet Explorer saves the pages which you have visited. This information is
saved in the history folder or in the temporary files folder. It is possible that your password may also get saved
if that option is enabled in the browser. So before surfing the internet always do the following :

1. Go to Tools -> Internet options, click the Content tab -> click AutoComplete. If the checkboxes for passwords are
selected, deselect them. Click OK twice.

2. To clear the history and temporary Internet files folders :

3. Go to Tools -> Internet options again, click the General tab -> go to Temporary Internet Files -> click Delete
Files and then click Delete Cookies.

Under History, click Clear History.

o Be alert : While browsing websites on a public computer you should be alert, as there are chances that someone may
be able to see your username and password via shoulder surfing.

o Try to avoid online financial transactions : It is advisable to avoid online financial transactions using a credit
card or debit card that need you to enter sensitive and confidential information. Try to change the passwords as soon

as possible. Try to perform online transactions from your trusted computers, like home and office computers.
Periodically change the passwords of your credit card, net banking and debit card.

o Change passwords : Change your bank account passwords frequently, or after each transaction.

o Virtual keyboard : Instead of using the physical keyboard, use a virtual keyboard.

o Security warnings : Whenever you are accessing the website of any bank or financial institution, follow the
security warnings.

2.5 Botnets

The word botnet is derived from the phrase "network of robots". It is essentially a widespread collection of a large
number of infected computer systems. Each infected system runs a piece of software called a "Bot". This is also known
as a zombie network.

Working of a botnet :

Fig. 2.5.1 : Botnet Attack Structure

- As shown in Fig. 2.5.1 there is a Bot-Master system which keeps track of the total number of machines infected and
the tasks they should perform. For carefully arranged systems, which need orchestration between millions of such
systems, another layer of Bot-Managers is created too.
- Bot-Managers perform the tasks of accepting commands from the master, spreading those commands out to the bots,
and reporting the number of systems infected under their jurisdiction. The manager botnets are also found to be
sending updated software patches to fix bugs or improve functionality, very similar to a security patch management
system.

The Bot-Master is in control of the hacker who has evil intentions to create this army. However since the hacker is
supposed to be hiding from getting caught, the master systems and software running on it are always operating in a
stealth mode. In few modern botnet attacks, the botmasters were found to delegate and rotate the master's role
between its bot-managers, thus making it extremely tough to detect.
- These role changes were further found to be rotating their ownership based on the country of presence, in order to
ensure vast infractions across the globe. Usually botnets are designed for a specific operating system, and if a wider
spread has to be achieved, botnets prefer web code, or java language, to infect all the possible operating system
platforms.

Execute Define role


commands ownership
remotely

? Command'5^ Control
module
module i - ; ■■■
| Botnet j

Kihfection^"" Stealth
modules module

Hide and
prevent
Spread across detection
LAN-WAN ■ •
Fig.2.5.2: Modules of Botnet
- There are 4 main modules of a botnet. The command module sends commands to the child bots, whereas the control
module controls the ownerships, deciding who should listen to whom. The infection module carries the important
responsibility of finding non-patched servers in the network and infecting them with the most updated copy of the bot.
- The stealth module is essentially a set of software programs which do crucial jobs such as disabling antivirus and
achieving root or kernel access. It also ensures that its own footprint on the infected machine is invisible in terms
of running processes and disk space, and it keeps a watch for new antivirus software being installed.
- In some cases, the stealth module and control module work together to fetch the most recent patch of the bot from the
master or manager and seamlessly upgrade it. Some stealth modules are also capable of erasing themselves
using a self-destruct mechanism, or of shutting down the system, to thwart aggressive detection techniques.
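The command-and-control structure described above has a detectable side effect: bots check in with their manager at fixed intervals, and many internal hosts contact the same manager. The detection logic below, added here as an illustration and not part of the book, scores constructed proxy-log lines for that regularity; the log format, addresses and thresholds are assumptions.

```python
"""Beacon detection over proxy logs (added example; log format and hosts are constructed)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: "timestamp source destination". Two internal hosts poll the same
# external host every 30 s (bot -> bot-manager check-in); a third host browses irregularly.
SAMPLE_LOG = """\
2024-05-01T10:00:00 10.0.0.5 203.0.113.9
2024-05-01T10:00:30 10.0.0.5 203.0.113.9
2024-05-01T10:01:00 10.0.0.5 203.0.113.9
2024-05-01T10:01:30 10.0.0.5 203.0.113.9
2024-05-01T10:02:00 10.0.0.5 203.0.113.9
2024-05-01T10:00:10 10.0.0.7 203.0.113.9
2024-05-01T10:00:40 10.0.0.7 203.0.113.9
2024-05-01T10:01:10 10.0.0.7 203.0.113.9
2024-05-01T10:01:40 10.0.0.7 203.0.113.9
2024-05-01T10:02:10 10.0.0.7 203.0.113.9
2024-05-01T10:00:05 10.0.0.9 198.51.100.20
2024-05-01T10:00:41 10.0.0.9 198.51.100.20
2024-05-01T10:07:12 10.0.0.9 198.51.100.20
2024-05-01T10:09:03 10.0.0.9 198.51.100.20
"""


def parse_log(text):
    """Group connection timestamps by (source, destination) pair, sorted in time."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split()
        flows[(src, dst)].append(datetime.fromisoformat(ts))
    return {pair: sorted(stamps) for pair, stamps in flows.items()}


def beacon_score(timestamps):
    """Coefficient of variation of the gaps between connections.

    Human browsing gives large, irregular gaps (score well above 0.5); a bot polling its
    manager on a fixed timer gives near-identical gaps (score near 0). Returns None when
    there are too few gaps to judge.
    """
    gaps = [(b - a).total_seconds() for a, b in zip(timestamps, timestamps[1:])]
    if len(gaps) < 3:
        return None
    avg = mean(gaps)
    return pstdev(gaps) / avg if avg > 0 else None


def find_beacons(text, max_score=0.1, min_connections=4):
    """Return [(src, dst, score, connection_count)] for flows that look like check-ins."""
    suspects = []
    for (src, dst), stamps in parse_log(text).items():
        if len(stamps) < min_connections:
            continue
        score = beacon_score(stamps)
        if score is not None and score <= max_score:
            suspects.append((src, dst, round(score, 3), len(stamps)))
    return suspects


def shared_controllers(suspects):
    """Destinations beaconed to by more than one internal host: candidate bot-managers."""
    by_dst = defaultdict(set)
    for src, dst, _score, _count in suspects:
        by_dst[dst].add(src)
    return {dst: sorted(srcs) for dst, srcs in by_dst.items() if len(srcs) > 1}


if __name__ == "__main__":
    hits = find_beacons(SAMPLE_LOG)
    for src, dst, score, count in hits:
        print(f"{src} -> {dst}: {count} connections, regularity score {score}")
    print("shared controllers:", shared_controllers(hits))
```

Real bots add jitter to their timers, so in practice the threshold is tuned per environment and combined with other signals such as destination reputation.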

Preventing botnet attack:

- Most people whose systems are infected with bots are not even aware that their computer's security has been
compromised. However, taking simple, common-sense precautions when using the Internet can not only remove bot
software that has been installed, it can also prevent it from being installed on your computer, tablet and phone in the
first place.
- Internet security suite : Good security begins with an internet security suite that detects malware that has been
installed, removes what is present on your machine and prevents future attacks.
- Update your computer's operating system : Always update your computer's operating system as early as possible.
Hackers often utilize known flaws in operating system security to install bots. You can even set your computer to
install updates automatically. The same is true of applications on your computer, phone and tablet. Once weaknesses
are found and announced by software companies, hackers rush to create programs to exploit those weaknesses.
- Don't download attachments or click on links : Do not download attachments or click on links from e-mail addresses
you don't recognize. This is one of the most common vectors for all forms of malware.
- Firewall : Use a firewall when browsing the Internet. This is easy to do with Mac computers, as they come with
firewall software pre-installed. If you're using a Windows-based machine, you might need to install third-party
software.
- Avoid visiting malware websites : Don't visit websites that are known distributors of malware. One of the things that
a full-service Internet security suite can do is warn you when you're visiting such sites. When in doubt, check
with Norton Safe Web.
- Disconnect the system from the Internet when not in use : It is not possible for the attacker to get into your system
when the system is disconnected from the internet. Firewall, antivirus and anti-spyware software are not fool-proof
mechanisms for preventing access to the system.
- Take urgent action if your system is infected : If you find that your system has been infected, immediately
disconnect it from the internet. Then scan the system using antivirus software and also change the passwords used on
your system.

2.6 Attack Vector

- An attack vector is a method or pathway used by a hacker to access or penetrate the target system. Hackers steal
information, data and money from people and organizations by investigating known attack vectors and attempting to
exploit vulnerabilities to gain access to the desired system.
- Once a hacker gains access to an organization's IT infrastructure, they can install malicious code that allows them to
remotely control the IT infrastructure, spy on the organization or steal data or other resources. Attack vectors include
e-mail attachments, viruses, webpages, instant messages, pop-up windows, chat rooms and fraud.
- Attack vectors can be blocked using firewalls and antivirus software, but these cannot assure total security.
Viruses, worms, trojan horses and spyware are the most common malicious payloads.
- The following are a few attack vectors :

o Viruses : A virus is malicious code; it arrives through e-mail attachments, downloaded files, worms, etc.

o E-Mail : The attackers embed the aggressive content in the mail message itself or in a link carried by the message.
Spam is used to carry out frauds and scams.

o Attachments : The files are sent as attachments to the mail. Such files may contain viruses, Trojan horses,
spyware or any other kind of malware.

o Attack by webpage : Fake websites are used to gain personal information. These websites are imitations of
the real website.

o Attack of the worms : Many worms spread as e-mail attachments; however, network worms use holes in
network protocols directly. Remote access services, such as file sharing, are vulnerable to this type of worm.
Many worms install trojan horses. The infected computer scans the internet to infect other computers connected
to it. Worms spread very fast.
o Foistware/sneakware : Foistware is software that cleverly adds secret components to the system. Spyware is
a form of foistware. Foistware is quasi-legal software; it comes bundled with attractive software. Sneak
software often seizes your browser and redirects you to some "income opportunity" that the foistware has set up.
o Hackers : Hackers are a terrible attack vector because they use a variety of hacking tools, heuristics and social
engineering to gain access to computers and online accounts. They frequently install a trojan horse to hijack the
computer for their own use.


2.7 Cloud Computing

- Cloud computing is a model to give ubiquitous, on-demand access to a shared pool of resources and these resources
can be provisioned and released with minimal management effort.

- The major advantages of cloud computing are :

1. Cost-effective

Cloud computing is known to be a cost effective method to store the data on the cloud. Rather than having desktop
software, businesses can store the confidential business information in the cloud. There's no need to pay the licensing
fees for multiple users. One can pay one-time cost or pay-as-you-go for maintenance of the data.

2. Unlimited storage space

Storing information in the cloud gives you unlimited space capacity. Hence, one does not need to worry about running
out of storage when cloud computing is used. You can easily increase your current storage space availability also.

3. Backup and recovery

As all your data would be stored in the cloud, backing it up and recovering it when required would be much easier
than with a physical device. Most service providers can handle the restoration of the data too, reducing the risk
to confidential information.

4. Scalability

This is a built-in feature for cloud deployments. The business owners need to pay for the applications and data storage
they require. Clouds can be scaled as per your specific needs and the ever-changing IT system demands.

5. Device diversity

Cloud computing services can be accessed from anywhere, at any time via internet. The data can be accessed from
traditional desktops, smartphones, tablets, etc. "Bring your own device (BYOD)" policy can be implemented in the
organization to bring mobility to the business operations. The employees would be able to access the information
from their own mobile devices from any location. Hence, cloud computing solutions offer great flexibility and location
independence.

6. Faster deployment
The companies would be able to get their applications running quickly as cloud computing offers improved
manageability and lower maintenance needs. The IT departments can adjust the resources with the fluctuating
demands when they use cloud computing services.

7. Work from anywhere


With cloud computing, if you've got an internet connection you can be at work. And with most serious cloud
services offering mobile apps, you're not restricted by which device you've got to hand.

Cloud computing models

Cloud Computing has following Models


- Infrastructure as a Service (IaaS) : This is the lowest of all layers; in this model the customer owns the software and
purchases the virtual computing power to execute it.
- Platform as a Service (PaaS) : This is the middle layer; in this layer a platform is provided, which includes APIs, portals
etc., on which the customer can develop their applications.
- Software as a Service (SaaS) : This is the topmost layer. It provides everything and simply rents out the software to
the user.

2.7.1 Types of Attacks on Cloud Computing

1. Cloud malware injection attacks

Malware injection attacks are done to take control of a user's information in the cloud. For this purpose, hackers add
an infected service implementation module to a SaaS or PaaS solution, or a virtual machine instance to an IaaS
solution. If the cloud system is successfully deceived, it will redirect the cloud user's requests to the hacker's module
or instance, initiating the execution of malicious code. Then the attacker can begin their malicious activity, such as
manipulating or stealing data or eavesdropping.

2. Abuse of cloud services

Hackers can use cheap cloud services to arrange DoS and brute force attacks on target users, companies, and even
other cloud providers. For instance, security experts Bryan and Anderson arranged a DoS attack by exploiting
capacities of Amazon's EC2 cloud infrastructure in 2010. As a result, they managed to make their client unavailable on
the internet by spending only $6 to rent virtual services.

3. Denial of service attacks

DoS attacks are designed to overload a system and make services unavailable to its users. These attacks are especially
dangerous for cloud computing systems, as many users may suffer as the result of flooding even a single cloud server.

4. Side channel attacks

A side channel attack is arranged by hackers when they place a malicious virtual machine on the same host as the
target virtual machine. During a side channel attack, hackers target the system implementations of cryptographic
algorithms.

5. Man-in-the-cloud attacks

During this type of attack, hackers intercept and reconfigure cloud services by exploiting vulnerabilities in the
synchronization token system, so that during the next synchronization with the cloud the synchronization token will
be replaced with a new one that provides access to the attackers.

2.8 Proliferation of Mobile and Wireless Devices

- Today, there is an increase in mobile devices, as many smaller devices have more processing power. The buyer now
has a choice between high-end PDAs with integrated wireless modems and small phones with wireless web
browsing capabilities. Many options are available for mobile users.
- A simple hand-held mobile device also provides sufficient computing power to run small games and applications,
play music, and make voice calls.
- There is a rapid growth of business solutions on hand-held devices.
- Mobile computing is taking a computer and all necessary files and software out into the field.
- Many types of mobile computers are available.

- These devices are as follows :

1. Personal Digital Assistant (PDA): PDA is a pocket sized computer. It has limited functionality.

2. Portable computer : It is a general-purpose computer that can be moved from one place to another easily.
This computer needs some setting up and an AC power supply, so it cannot be used in transit.

3. Tablet PC: A tablet PC is a portable PC that is a hybrid between a Personal Digital Assistant (PDA) and notebook
PC. Equipped with a touch screen interface, a tablet PC usually has a software application used to run a virtual
keyboard. However, many tablet PCs support external keyboards.

4. Ultra mobile PC: It is a PDA sized computer with all the features. It runs on the general-purpose Operating
System (OS).

5. Smartphone: It is a PDA with incorporated cell phone functionality. The recent smart phones are having a broad
range of features and installable applications.

6. Carputer: A carputer is a computer with specializations to run in a car, such as compact size, low power
requirement, and some customized components. The actual computing hardware is typically based on standard
PCs or mobile devices. Because they are computer based they typically have many standard interfaces such as
Bluetooth, USB, and WiFi.

7. Fly fusion pentop computer: This computing device has pen size and shape. It is used as MP3 player, writing
device, language translator, calculator and digital storage device.

8. Internet tablet: It is also like a tablet but as compared to tablet PC internet tablet have low computing power
and it has limited application suite. The feature of internet tablet includes web browser, a chat application,
picture viewer and MP3 and video player.

- Wireless means transferring information between a computing device and a data source without any physical
connection. It is not necessary that all wireless communication technology should be mobile. For example, when
data is transferred.
- Mobile devices are not restricted to a desktop. Many mobile devices are available and they come with many
benefits, but they are also becoming threats to the enterprise.
- It is not always the case in mobile computing that wireless communication is needed. Wireless is a subset of mobile;
in many cases even an application can be mobile without being wireless.

2.9 Trends in Mobility

- There is a great evolution in mobile computing. New applications and greater network speed are available nowadays.
Examples of today's trending mobile platforms are Apple, Google, Android etc. The biggest fans of this growing
technology are attackers.
- The different types of mobility and their implications are shown in Fig. 2.9.1.

- There are many challenges in the mobility domain. For example, we have come across many cases in which mobile
phones, laptops and gadgets are lost. People have to understand that mobile or hand-held devices look harmless,
but they are causing serious cyber security issues for the organization.

- The 3G technology is completely built with IP data security. But the IP data world was new to the mobile operator
when compared with the voice-centric security threats. Many attacks are performed against mobile networks.

Fig. 2.9.1: Types of Mobility and its Implications (figure not reproduced; title "Mobility types and its implications -
what is the difference?"; labels: User mobility - user interaction; small, battery driven devices, multiple heterogeneous
networks or often no network; Service mobility - distribution issues, distributed lifecycle management, security)

- The attacks are done from outside the mobile network or from inside the mobile network. For an attack from outside
the mobile network, the public internet, a private network or another operator's network is used. For an internal
attack, a capable handset, smart phone, notebook computer or desktop computer connected to the 3G network is used.
- The following are a few popular attacks on mobile networks :

1. Malware, viruses and worms

2. Overbilling attack

3. Signaling-level attacks

4. Spoofed policy development process

5. Denial-of-service

1. Malware, viruses and worms :

Mobile devices are prone to malware, virus and worm attacks. People should be aware of such types of attack.
The following are examples of malware specific to mobile devices :
o Skull Trojan : This virus targeted the new Series 60 phones. This Trojan basically renders your phone useless.
Once the virus has taken effect, nothing on your phone will function and you will only be able to make and
receive calls.
o Cabir Worm : It is designed to infect mobile phones running Symbian OS. It is believed to be the first computer
worm that can infect mobile phones. When a phone is infected with Cabir, the message "Caribe" is displayed on
the phone's display every time the phone is turned on. The worm then attempts to spread to
other phones in the area using wireless Bluetooth signals.
o Lasco Worm : It is a Symbian OS worm, based on the Cabir source code, that spreads itself via Bluetooth. It also has
file infection functionality. Upon execution, the virus searches for nearby Bluetooth devices and tries to transmit
itself to any accessible ones.
o Brador Trojan : Brador is one of the first trojans to affect handhelds. Brador is sent as an attachment in an e-mail
or may be downloaded to Windows CE devices. The hand-held must have an ARM processor for the backdoor to work.
Once it has infected the device, the trojan e-mails the device's IP address back to the attacker and opens TCP port
2989, allowing him or her to access the hand-held.
o Mosquito Trojan : This virus also affects the Series 60 smart phones and is a cracked version of the Mosquitos mobile
phone game.
2. Denial-of-service (DoS) : The denial of service attack makes the system unavailable to the intended users; to do this,
virus attacks can be used to damage the system and make it unavailable to the intended user. A Distributed Denial of
Service (DDoS) attack is also a common security threat to wired internet service providers. DDoS attacks are used to
flood the target system with data, resulting in no response from the target system. Botnets/zombies are used to create
enough traffic to impose that kind of damage.

3. Overbilling attack : In this attack the attacker hijacks a subscriber's IP address and uses it to initiate downloads
that are not free, or simply uses it for his or her own purpose. The legitimate user gets charged for activity which
was not done by him or her.

4. Spoofed Policy Development Process (PDP) : The GTP (General Packet Radio Service (GPRS) Tunneling Protocol)
vulnerabilities are exploited by this attack.

5. Signaling-level attacks : The SIP (Session Initiation Protocol) is a signaling protocol used in IMS (IP Multimedia
Subsystem) networks to offer Voice over Internet Protocol (VoIP) services. SIP-based VoIP systems have several
vulnerabilities.

2.10 Credit Card Frauds in Mobile and Wireless Computing Era

The use of electronic credit cards made the process a lot faster. The terminals could dial banks automatically and
verify the cards electronically in a matter of a few seconds. However, the magnetic medium of data storage on credit cards
proved to have many problems. The magnetic strips can only hold a limited amount of information; also the information on
the strips is easy to read with the right electronic devices even easy to copy and erase.

Types and techniques of credit card frauds

1. Traditional techniques

The first type of credit card fraud identified here is application fraud, where an individual falsifies an
application to acquire a credit card. Application fraud can be split into assumed identity, where an individual pretends
to be someone else, and financial fraud, where an individual gives false information about his or her financial status to
acquire credit. Next comes intercept fraud, where a card is applied for legitimately but is stolen from the postal
service before it reaches its final destination. There is also the illegal use of lost and stolen cards, which makes up a
significant area of credit card fraud.

a. Assumed identity

- Assumed identity is a long-standing traditional form of credit card fraud. Assuming someone else's identity for
the purpose of receiving credit cards can be a very effective way of accumulating cards. An individual uses a false
name with a temporary address.
- The individual may look for someone who has moved recently, so that the electoral register will be out of date.
Banks often check the electoral register to confirm the addresses of new customers. The individual may also befriend
an elderly person, or rent an apartment under a fake name, in order to give them access to an untraceable
address that mail can be sent to.
- This sort of fraud is fairly straightforward to conduct, and banks have become wary of this sort of fraud. Banks
have various ways of safeguarding themselves from this type of fraud. Most banks require account references for
new customers. Banks will check these account details to ensure they are not false. Banks may also wish to see a
birth certificate, passport or driver's license before handing over any credit cards.

b. Financial fraud

- This occurs when an individual seeks to gain more credit than he or she is entitled to. An individual will apply for a
credit card under his or her own name. The individual in this scenario will give false information with regard to his
or her financial status. Most commonly an individual exaggerates income, or undervalues his or her outgoings.

- Banks try to safeguard themselves from this sort of fraud by requiring the provision of documents to support an
individual's financial claims. For example, a card issuer may ask an individual to provide 3 months of up-to-date
account statements, or may ask to see mortgage statements. Banks have also been known to telephone
employers of individuals to confirm their employment.

- However, fraudsters have been known to get around all these security procedures. Fraudsters have forged and will
forge documents and even give false telephone numbers. Another security check that card issuers carry out to
safeguard themselves is credit checking.

- Credit checking reveals an individual's financial status, as well as the individual's current address. It is already
plain to see that card issuers are fighting a difficult battle against fraudsters.
2. Modern techniques

There are then the more sophisticated credit card fraudsters, starting with those who produce fake and doctored
cards; there are also those who use skimming to commit fraud. This is where the information held on either the
magnetic strip on the back of the credit card or the data stored on the smart chip is copied from one card to
another. Site cloning and false merchant sites on the internet are becoming a popular method of fraud for many
criminals with a competent ability for hacking. Such sites are designed to get people to hand over their credit card
details without realizing they have been scammed.

a. Triangulation

- Triangulation is also a new phenomenon. Triangulation is when a merchant offers a product at a very cheap price
through a web-site. When a customer seeks to buy the product, the merchant tells the customer to pay via e-mail
once the item is delivered.
- The merchant uses a fraudulent card number to purchase the product from a Web site and sends the product to
the consumer, who then sends the merchant his or her credit card details via e-mail. The merchant goes on
operating in this way, using the credit card numbers that have been sent by the consumers to purchase
products, appearing for a short time to be a legitimate merchant before he or she closes the web site and starts a
new one.

b. Credit card generators


- There are also the more sophisticated fraudsters, who use credit card generators: computer emulation software
that creates valid credit card numbers and expiry dates.
- These generators are highly reliable at creating valid credit card details and are available for free download off
the internet, making them available to many individuals who run fraudulent operations.
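Credit card generators can emit "valid" numbers because a card number carries only a Luhn check digit, which any program can satisfy. The validator below, added here and not taken from the book, shows how little that check proves: it catches transcription errors, not fraud, so a merchant or issuer must still authorize against the actual account. The sample numbers are constructed values that pass or fail the checksum, not real accounts.

```python
"""Luhn check on card numbers (added example; sample numbers are constructed, not real accounts)."""


def luhn_checksum(digits):
    """Luhn sum: from the right, double every second digit, subtract 9 from results above 9."""
    total = 0
    for position, digit in enumerate(reversed(digits)):
        if position % 2 == 1:
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return total


def check_card_number(number):
    """Return (passes_luhn, reason). Passing says nothing about whether the account exists."""
    if any(c not in " -0123456789" for c in number):
        return False, "contains non-digit characters"
    digits = [int(c) for c in number if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False, "length outside 13-19 digits"
    if luhn_checksum(digits) % 10 != 0:
        return False, "fails Luhn check digit (likely a typo)"
    return True, "syntactically valid; authorization against the issuer is still required"


def luhn_valid(number):
    """Convenience wrapper returning only the boolean verdict."""
    return check_card_number(number)[0]


if __name__ == "__main__":
    for sample in ("4539 1488 0343 6467", "4111-1111-1111-1111", "4111 1111 1111 1112"):
        print(sample, check_card_number(sample))
```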

2.11 Security Challenges Posed by Mobile Devices

- There are two main challenges brought by mobility to cybersecurity:

1. Due to the use of hand-held devices, information can be taken outside the physically controlled environment.

2. Remote access is being granted to the protected environment.

- It is important that organizations are aware of these cybersecurity challenges when developing suitable
security operating procedures.
- Day by day mobile users are increasing, and due to this there are two kinds of challenge :
o The first problem is at the device level. These are also known as microchallenges.
o The second problem is at the organizational level. These are also known as macrochallenges.
- There are a few well-known technical challenges in mobile security :

o Managing the registry settings and configurations
o Authentication service security, cryptography security
o Lightweight Directory Access Protocol (LDAP) security
o Remote Access Server (RAS) security, media player control security
o Networking Application Program Interface (API) security

The above challenges are explained in the next sections.

2.12 Registry Settings for Mobile Devices ____________________


- Microsoft ActiveSync is designed for synchronization with Windows-powered personal computers and Microsoft
Outlook. Microsoft Exchange ActiveSync is a synchronization protocol that enables users of mobile devices to access
e-mail, calendar, contacts and tasks from their organization's Microsoft Exchange server. Exchange ActiveSync is
based on XML and works over HTTP and HTTPS. Exchange ActiveSync allows users to access their data even when
offline. In this situation, registry settings become an essential issue, given the ease with which various applications
allow a free flow of information.
- Therefore, creating trusted groups through suitable registry settings becomes very important. The most common
area where this awareness of security is applicable is within group policy. Group policy is one of the core operations
performed by Windows Active Directory.

Fig. 2.12.1 : Browsing of Registry Value

- Fig. 2.12.1 shows how some tools allow the user to browse to a required registry value on their mobile devices. There is
another element to mobile device security. The new mobile applications provide protection against spyware, viruses,
worms, malware and other malicious code. Microsoft and other companies are trying to build up solutions as fast as
they can, but the core problem is still not being addressed. The core problem is that baseline security is not configured
properly. When you install a computer or use a mobile device for the first time, it is not hundred percent secure. If you
want to bring the Windows computer up to the required security level, then you have to make additional registry
changes that are not exposed through an interface.
- Different ways are available to make the registry changes on every computer, but only a few of them are efficient.
When you start researching or investigating different registry hacks, the overall problems become apparent.

2.13 Authentication Service Security

Security in mobile computing has two components:

1. Security of devices 2. Security in networks.

- Secure network access involves mutual authentication between the device and the base stations or Web servers.
This is to ensure that only authenticated devices can be connected to the network for getting the requested services,
and that no malicious code can imitate the service provider to trap the device into doing something it does not mean to.
Therefore, the networks also play a vital role in the security of mobile devices. Some well-known kinds of attacks to
which mobile devices are subjected are :

1. Push attacks

2. Pull attacks

3. Crash attacks

- Authentication service security is significant given the typical attacks on mobile devices through wireless
networks: eavesdropping, man-in-the-middle attacks, DoS attacks, traffic analysis and session hijacking.
- Modern computer systems provide service to multiple users and require the ability to accurately identify the user
making a request.
- Password-based authentication is not suitable for use on a computer network, as the password can be easily
intercepted by an eavesdropper and used to impersonate the user.
- There are 2 components of security in mobile computing :
o Security of devices : A secure network access involves mutual authentication between the device and the base
station or web servers, so that only authenticated devices can be connected to the network to get the requested
services. In this regard authentication service security is important due to the typical attacks on mobile devices
through a WAN :

1. DoS attacks

2. Traffic analysis

3. Eavesdropping

4. Man-in-the-middle attacks
o Security in networks : Security measures in this regard come from

1. Wireless Application Protocol (WAP)

2. Use of Virtual Private Networks (VPN)

3. MAC address filtering

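The mutual authentication described above (device and base station each proving knowledge of a shared credential without sending it) is simulated below as a challenge-response exchange. This is an added example, not the book's own code or any real 3G or WAP procedure; the pre-shared key, the role labels and the 16-byte nonces are assumptions. The plain-password function beside it shows why a captured password can simply be replayed, while a captured response cannot.

```python
"""Challenge-response mutual authentication vs. plain password login (added example)."""
import hashlib
import hmac
import secrets

# Constructed shared credential, standing in for the key provisioned on the device's SIM.
SHARED_KEY = b"constructed-device-secret-key"


def password_login(sent, stored):
    """Plain password over the air: whoever eavesdrops on 'sent' can replay it later."""
    return hmac.compare_digest(sent, stored)


def _tag(key, role, station_nonce, device_nonce):
    """HMAC over both nonces; the role label keeps the two directions from being swapped."""
    return hmac.new(key, role + station_nonce + device_nonce, hashlib.sha256).digest()


def device_response(key, station_nonce, device_nonce):
    """Message 2 payload: the device's proof that it holds the key."""
    return _tag(key, b"device", station_nonce, device_nonce)


def station_response(key, station_nonce, device_nonce):
    """Message 3 payload: the station's proof that it holds the key."""
    return _tag(key, b"station", station_nonce, device_nonce)


def run_handshake(device_key, station_key, replayed_response=None):
    """Simulate the exchange and return both verdicts plus the device's response.

    1. station -> device : station_nonce (fresh challenge)
    2. device  -> station: device_nonce, device_response
    3. station -> device : station_response
    device_key and station_key differ when one side is an impostor; replayed_response
    lets an eavesdropper try a response captured from an earlier handshake.
    """
    station_nonce = secrets.token_bytes(16)
    device_nonce = secrets.token_bytes(16)
    resp_d = (device_response(device_key, station_nonce, device_nonce)
              if replayed_response is None else replayed_response)
    # Station checks the device's proof against its own copy of the key.
    device_ok = hmac.compare_digest(
        resp_d, device_response(station_key, station_nonce, device_nonce))
    resp_s = station_response(station_key, station_nonce, device_nonce)
    # Device checks the station's proof, so a rogue base station is rejected too.
    station_ok = hmac.compare_digest(
        resp_s, station_response(device_key, station_nonce, device_nonce))
    return {"device_ok": device_ok, "station_ok": station_ok, "device_response": resp_d}


if __name__ == "__main__":
    genuine = run_handshake(SHARED_KEY, SHARED_KEY)
    rogue_station = run_handshake(SHARED_KEY, b"attacker-guess")
    replay = run_handshake(b"no-key", SHARED_KEY, replayed_response=genuine["device_response"])
    print("genuine handshake:", genuine["device_ok"], genuine["station_ok"])
    print("rogue base station accepted by device:", rogue_station["station_ok"])
    print("replayed response accepted by station:", replay["device_ok"])
```

The fresh nonces are what defeat replay: the same captured response never matches a new challenge, which a static password cannot offer.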

2.13.1 Cryptographic Security for Mobile Devices

- Cryptographically Generated Addresses (CGA) are Internet Protocol version 6 (IPv6) addresses in which up to 64 address
bits are created by hashing the owner's public key.
- The address owner uses the matching private key to assert address ownership and to sign messages sent from
the address, without a Public-Key Infrastructure (PKI) or other security infrastructure.
- Deployment of PKI offers many advantages for users to secure their financial transactions initiated from mobile
devices.
- CGA-based authentication is used to protect IP-layer signaling protocols including neighbor discovery and mobility
protocols.

- It can also be used for key exchange in opportunistic Internet Protocol Security (IPSec).
- Palms are one of the most common hand-held devices used in mobile computing. Cryptographic security controls are
deployed on these devices. For example, the Cryptographic Provider Manager (CPM) in Palm OS 5 is a system-wide
suite of cryptographic services for securing data and resources on a Palm-powered device.
- The CPM extends encryption services to any application written to take advantage of these capabilities, permitting the
encryption of only chosen data or of all data and resources on the device.
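A simplified version of the CGA idea described above, added here as an illustration and not taken from the book or from the RFC 3972 specification: the 64-bit interface identifier is a hash of the owner's public key, so any node can recompute it from public parameters and check the binding without a PKI. The key bytes, the 16-byte modifier, the use of SHA-256 and the omission of the Sec parameter and collision count are my simplifications; the signing step with the private key is not shown.

```python
"""Simplified cryptographically generated IPv6 address (added example, not RFC 3972-exact)."""
import hashlib
import ipaddress
import secrets

IID_MASK = (1 << 64) - 1   # low 64 bits of the address: the interface identifier
UG_BITS = 0x03 << 56       # "u" and "g" bits of the identifier, forced to zero as CGA does


def interface_id(public_key, prefix_str, modifier):
    """Derive the interface identifier from hash(modifier || subnet prefix || public key)."""
    prefix = ipaddress.IPv6Network(prefix_str)
    digest = hashlib.sha256(modifier + prefix.network_address.packed[:8] + public_key).digest()
    return int.from_bytes(digest[:8], "big") & ~UG_BITS


def generate(public_key, prefix_str, modifier=None):
    """Return (address string, parameters). The parameters are public and travel with the address."""
    modifier = secrets.token_bytes(16) if modifier is None else modifier
    prefix = ipaddress.IPv6Network(prefix_str)
    iid = interface_id(public_key, prefix_str, modifier)
    addr = ipaddress.IPv6Address(int(prefix.network_address) | iid)
    return str(addr), {"public_key": public_key, "prefix": prefix_str, "modifier": modifier}


def verify(addr_str, params):
    """Recompute the identifier from the claimed public key; no certificate authority is consulted."""
    addr = ipaddress.IPv6Address(addr_str)
    if addr not in ipaddress.IPv6Network(params["prefix"]):
        return False
    expected = interface_id(params["public_key"], params["prefix"], params["modifier"])
    return (int(addr) & IID_MASK) == expected


def ug_bits_zero(addr_str):
    """True when the identifier's u/g bits are cleared, as the derivation guarantees."""
    return (int(ipaddress.IPv6Address(addr_str)) >> 56) & 0x03 == 0


if __name__ == "__main__":
    addr, params = generate(b"constructed-public-key-bytes", "2001:db8:1::/64")
    print(addr, verify(addr, params))
    # A claimant presenting a different public key for the same address is rejected.
    print(verify(addr, {**params, "public_key": b"someone-else"}))
```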

2.13.2 LDAP Security for Hand-Held Mobile Computing Devices

- LDAP (Lightweight Directory Access Protocol) is a software protocol for enabling anyone to locate organizations,
individuals and other resources such as files and devices in a network, whether on the public internet or on a
corporate intranet.
- LDAP is a "lightweight" (smaller amount of code) version of the Directory Access Protocol (DAP), which is part of X.500,
a standard for directory services in a network.
- In a network, a directory tells you where in the network something is located. On TCP/IP networks (including the
internet), the Domain Name System (DNS) is the directory system used to relate a domain name to a specific
network address (a unique location on the network).

- However, you may not know the domain name. LDAP allows you to search for an individual without knowing where
they're located (although additional information will help with the search).
- An LDAP directory is organized in a simple "tree" hierarchy consisting of the following levels:
o The root directory (the starting place or the source of the tree), which branches out to

o Countries, each of which branches out to

o Organizations, which branch out to
o Organizational units (divisions, departments, and so forth), which branch out to (include an entry for)
o Individuals (which include people, files and shared resources such as printers)

2.13.3 RAS Security for Mobile Devices


- RAS (Remote Access Service) is an important consideration for protecting the business-sensitive data that may reside
on employees' mobile devices.
- In terms of cybersecurity, mobile devices are sensitive. Fig. 2.13.1 shows how access to an organization's sensitive data
can happen through mobile hand-held devices carried by employees.
- Besides being vulnerable to unauthorized access on their own, mobile devices also offer a route into the
systems with which they connect.
Cyber Security and Laws (MU-Sem 7) 2-20 Cyber Offenses and Cybercrime

- By using a mobile device to impersonate a registered user of these systems, a would-be cracker is then able to steal
data or compromise corporate systems in other ways.
- Another threat comes from the practice of port scanning.
o First, attackers use a Domain Name System (DNS) server to locate the IP address of a connected computer. A
domain is a collection of sites that are related in some sense.
o Second, they scan the ports on this known IP address, working their way through its TCP/UDP stack to see what
communication ports are unprotected by firewalls. For example, File Transfer Protocol (FTP) transmissions are
typically assigned to port 21. If this port is left unprotected, it can be misused by attackers.
- Protecting against port scanning necessitates software that can trap unauthorized incoming data packets and stop a
mobile device from revealing its existence and ID.
- A personal firewall on a pocket PC or smart phone device can be an effective protective screen against this form of
attack for users connecting through a direct internet or RAS connection.
- For situations where all connections to the corporate network pass through a gateway, placing the personal firewall
on the gateway itself could be the simplest solution, because it avoids the need to place a personal firewall on every
mobile device.
- In any case, deploying secure access techniques that implement strong authentication keys will offer additional
protection.
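The text says the defence is software that traps unauthorized incoming packets. The following added example (not from the textbook) shows the detection side of that: it parses constructed firewall "DROP" log lines and flags any source address that probes many distinct destination ports within a short window, which is the signature of a scan working "through the TCP/UDP stack". The log format, addresses and thresholds are assumptions made for the example.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
	"time"
)

// Event is one parsed firewall drop record.
type Event struct {
	At      time.Time
	SrcIP   string
	DstPort string
}

// ParseLine parses a constructed, syslog-like line such as
//   2024-03-01T10:00:01Z DROP proto=TCP src=203.0.113.9 dst=198.51.100.5 dport=21
// Only DROP records are returned; anything else yields ok=false.
func ParseLine(line string) (Event, bool) {
	fields := strings.Fields(line)
	if len(fields) < 3 || fields[1] != "DROP" {
		return Event{}, false
	}
	at, err := time.Parse(time.RFC3339, fields[0])
	if err != nil {
		return Event{}, false
	}
	ev := Event{At: at}
	for _, f := range fields[2:] {
		k, v, found := strings.Cut(f, "=")
		if !found {
			continue
		}
		switch k {
		case "src":
			ev.SrcIP = v
		case "dport":
			ev.DstPort = v
		}
	}
	if ev.SrcIP == "" || ev.DstPort == "" {
		return Event{}, false
	}
	return ev, true
}

// ParseLog parses every line of a log text, skipping lines that are not drops.
func ParseLog(text string) []Event {
	var evs []Event
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		if ev, ok := ParseLine(sc.Text()); ok {
			evs = append(evs, ev)
		}
	}
	return evs
}

// DetectScans returns, in first-seen order, every source that hit at least
// `threshold` distinct destination ports inside some window of length `window`.
// A legitimate client reuses a handful of ports; a scanner walks through many.
func DetectScans(events []Event, window time.Duration, threshold int) []string {
	byIP := map[string][]Event{}
	var order []string
	for _, e := range events {
		if _, seen := byIP[e.SrcIP]; !seen {
			order = append(order, e.SrcIP)
		}
		byIP[e.SrcIP] = append(byIP[e.SrcIP], e)
	}
	var flagged []string
	for _, ip := range order {
		evs := byIP[ip]
		sort.Slice(evs, func(i, j int) bool { return evs[i].At.Before(evs[j].At) })
		for lo := 0; lo < len(evs); lo++ { // sliding window starting at each event
			ports := map[string]struct{}{}
			for hi := lo; hi < len(evs) && evs[hi].At.Sub(evs[lo].At) <= window; hi++ {
				ports[evs[hi].DstPort] = struct{}{}
			}
			if len(ports) >= threshold {
				flagged = append(flagged, ip)
				break
			}
		}
	}
	return flagged
}

// SampleLog is constructed for this example; the addresses are documentation ranges.
const SampleLog = `2024-03-01T10:00:01Z DROP proto=TCP src=203.0.113.9 dst=198.51.100.5 dport=21
2024-03-01T10:00:01Z DROP proto=TCP src=203.0.113.9 dst=198.51.100.5 dport=22
2024-03-01T10:00:02Z DROP proto=TCP src=203.0.113.9 dst=198.51.100.5 dport=23
2024-03-01T10:00:02Z DROP proto=TCP src=203.0.113.9 dst=198.51.100.5 dport=25
2024-03-01T10:00:03Z DROP proto=TCP src=203.0.113.9 dst=198.51.100.5 dport=80
2024-03-01T10:00:03Z DROP proto=TCP src=203.0.113.9 dst=198.51.100.5 dport=443
2024-03-01T10:00:05Z ACCEPT proto=TCP src=192.0.2.44 dst=198.51.100.5 dport=443
2024-03-01T10:00:06Z DROP proto=TCP src=192.0.2.44 dst=198.51.100.5 dport=445
2024-03-01T10:05:00Z DROP proto=TCP src=192.0.2.44 dst=198.51.100.5 dport=139
`

func main() {
	for _, ip := range DetectScans(ParseLog(SampleLog), 10*time.Second, 5) {
		fmt.Println("possible port scan from", ip)
	}
}
```

The window and threshold are the tuning knobs: too small a threshold flags ordinary clients that open a few connections, too large misses a slow scan, so in practice both are set from a baseline of the network's normal traffic.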


Fig. 2.13.1: Communication from mobile customer to organization information store

2.13.4 Media Player Control Security

- Today's young generation is embracing mobile hand-held devices as a means for information access, remote
working and entertainment. The most important aspect for the young generation is music and video.
- It is easy to understand how this can be a source of cybersecurity breaches. Potential security attacks are made on
mobile devices through music gateways.
- There are many examples to show how a media player can turn out to be a source of threat to information held on
mobile devices. For example, in the year 2002, Microsoft Corporation cautioned individuals that a series of flaws
in its Windows Media Player could enable a malicious hacker to hijack individuals' computer systems and carry out a
variety of actions. As indicated by this notice from Microsoft, in the most severe exploit of a flaw, a hacker could
take over a computer system and perform any action the computer's owner is permitted to do, for example,
opening files or accessing specific parts of a network.


- There are three vulnerabilities :
(a) Files could be produced that will open a website on the user's browser from where remote JavaScript can be
operated.
(b) Files could be produced which permit the attacker to download and use code on a user's machine, or
(c) Media files could be produced that will create buffer overrun errors.
- The registry of a computing device is a vital concept; it stores information essential to configure the system for
applications and hardware devices. It also holds information that the OS repeatedly references during operation. Inside
the registry, a few keys control the behavior of the Windows Media Player control. Microsoft, through its developer
network MSDN, describes details of the registry value settings on mobile devices.

2.13.5 Networking API Security for Mobile Computing Applications

- With the advent of e-commerce and its extension into m-commerce, online payments are becoming commonplace,
with payment gateways accessed remotely and perhaps wirelessly.
- Moreover, with the coming of Web services and their use in mobile computing applications, the API becomes a
significant consideration.
- Already, organizations are announcing the development of different APIs to enable software and hardware
developers to write single applications that can be used to target the numerous security platforms present in the
range of devices, for example, mobile telephones, portable media players, set-top boxes and home gateways.
- The majority of these developments are aimed explicitly at securing a range of embedded and consumer products,
including those running OSs such as Linux, Symbian, Microsoft Windows CE, and Microsoft Windows Mobile.
- Technological advancements such as these give the capacity to significantly improve the cybersecurity of a wide range
of consumer as well as mobile devices. By providing a common software framework, APIs will become a significant
enabler of new and higher value services.

2.14 Attacks on Mobile/Cell Phones

2.14.1 Mobile Phone Theft

- Nowadays the mobile phone is an integral part of everyone's life, and the number of mobile phones in use keeps
increasing.
- Mobile phone theft has also risen over the past few years. The thefts occur in public transport, at bus stops, railway
stations and traffic signals.
- Due to the large number of false claims, many insurance companies have stopped offering mobile theft insurance.
- The stolen mobile phones may contain personal information that really matters.
- Cell phones are also often attacked by viruses.
- There is an increase in cell phone users due to the availability of the internet, the demand for Wi-Fi zones and the wide
usage of cell phones among youths who lack knowledge about the vulnerabilities of the technology.

The following factors contribute to the outbreak of malware on mobile devices :

1. Adequate target terminals : When Palm OS devices reached 15 million, the first Palm OS virus was seen.
During June 2004 the first incidence of a mobile virus was noticed. An organization "Ojam" had engineered an
antipiracy trojan virus into older versions of their mobile phone game known as Mosquito. This virus used to send
SMS text messages to the organization without the user's awareness.
2. Adequate functionality : Mobile devices are equipped with office functionality and also carry sensitive data
and applications, which are time and again not protected sufficiently or not at all. The extended functionality also
increases the possibility of malware.
3. Adequate connectivity : Several communication options are offered by smart phones, for example, SMS, MMS,
synchronization, Bluetooth, infrared and WLAN connections. So, the increased amount of freedom also offers
more options for virus writers.

2.14.2 Mobile Viruses

- A mobile virus is similar to a computer virus; it targets mobile phone data or the applications or software installed on it.
In total, 40 mobile virus families and more than 300 mobile viruses have been identified.
- The first mobile virus was identified in 2004, and it was the beginning of the understanding that mobile devices can act
as vectors to enter the computer network.
- Mobile viruses spread through two dominant communication protocols:
1. Bluetooth
2. MMS
- A Bluetooth virus can easily spread within a distance of 10-30 m, through Bluetooth-activated phones.
- An MMS virus can send a copy of itself to all mobile users whose numbers are available in the infected mobile phone's
address book.
- Mobile phone virus hoax messages are also sent through e-mail or SMS to mobile users. For example,

"All mobile users pay attention!!!!!!!!! If you receive a phone call and your mobile phone displays (XALAN) on the
screen don't answer the call, END THE CALL IMMEDIATELY, if you answer the call, your phone will be infected by a
virus. This virus WILL ERASE all IMEI and IMSI information from both your phone and your SIM card, which will make
your phone unable to connect with the telephone network. You will have to buy a new phone. This information has
been confirmed by both Motorola and Nokia. There are over 3 Million mobile phones being infected by this virus in all
around the world now. You can also check this news in the CNN website. PLEASE FORWARD THIS PIECE OF
INFORMATION TO ALL YOUR FRIENDS HAVING A MOBILE PHONE."

How to protect from mobile malware attacks :

Following are some tips to protect a mobile from mobile malware attacks:

1. Download or accept programs and content only from a trusted source.
2. If a mobile is equipped with Bluetooth, turn it OFF or set it to non-discoverable mode when it is not in use or not
necessary to use.
3. If a mobile is equipped with an infrared beam, let it receive incoming beams only from a trusted source.
4. Download and install antivirus software for mobile devices.

2.14.3 Hacking Bluetooth


- Bluetooth is an open wireless technology standard used for communication. It is used to exchange data over short
distances using short-wavelength radio waves between fixed and mobile devices.
- Bluetooth uses the 2.4-GHz frequency range for its transmission or communication.
- Bluetooth 1.0 has a 1 Mbps transfer speed. Bluetooth 2.0 has a 3 Mbps transfer speed.
- When Bluetooth is enabled on a device, it basically broadcasts "I'm here, and I'm able to connect" to any other
Bluetooth-based device within range. This makes Bluetooth use simple and straightforward, and it also makes it easier
for attackers to identify a target.
- The attacker installs particular software on a laptop and then installs a Bluetooth antenna.
- Whenever the attacker moves around public places, the software installed on the laptop constantly scans the nearby
surroundings for active Bluetooth connections. Once the software tool used by the attacker finds and
connects to a vulnerable Bluetooth-enabled cell phone, it can do things like download address book information,
photos, calendars and SIM card details, make long-distance phone calls using the hacked device, bug phone calls and
much more.

Bluetooth hacking tools:

Table 2.14.1
Sr. No.  Name of the Tool  Description
1  BlueSniff  This is a GUI-based utility used to discover Bluetooth devices.
2  BlueScanner  This tool searches for Bluetooth-enabled devices and tries to extract as much information as possible
   for each newly discovered device after connecting to the target.
3  BlueBugger  Exploits the vulnerability of the device to access the images, phonebook, messages and other
   personal information.
4  Bluesnarfer  If Bluetooth on a device is switched ON, bluesnarfing makes it possible to connect to the phone
   without alerting the owner and to gain access to restricted portions of the stored data.
5  BlueDiving  A tool for testing Bluetooth access; attacks like BlueBug and BlueSnarf are implemented by BlueDiving.

The common attacks that have appeared as Bluetooth-specific security issues are : Bluejacking, Bluesnarfing, Bluebugging
and Car Whisperer.

1. Bluejacking:

- Bluejacking is a hacking method that allows an individual to send anonymous messages to Bluetooth-enabled
devices within a certain radius. First, the hacker scans his surroundings with a Bluetooth-enabled device,
searching for other devices.
- The hacker then sends an unsolicited message to the detected devices. Bluejacking is also known as blue hacking.
- Bluejacking exploits a basic Bluetooth feature that allows devices to send messages to contacts within range.
Bluejacking does not involve device hijacking, despite what the name implies. The bluejacker may send only
unsolicited messages.
- Hijacking does not actually occur because the attacker never has control of the victim's device. At worst,
bluejacking is an annoyance. Bluejacking is otherwise harmless, although bluejacked users generally do not know what
has happened and hence may think that their phone is not working.

2. Bluesnarfing : Bluesnarfing is the theft of information from a wireless device through a Bluetooth
connection. Bluetooth is a high-speed but very short-range wireless technology for exchanging data between desktop
and mobile computers, Personal Digital Assistants (PDAs), and other devices. By exploiting a vulnerability in the way
Bluetooth is implemented on a mobile phone, an attacker can access information, for example, the user's calendar,
contact list, e-mail and text messages, without leaving any evidence of the attack.

3. Bluebugging : If a hacker bluebugs your phone, they gain total access to and control of your device. This makes it
possible for them to access all information including photos, apps, contacts, etc. Bluebugging can happen when your
device is left in the discoverable state. From here hackers gain access to your phone at the same point they do when
performing bluejacks. This is a much harder form of hacking than Bluesnarfing and Bluejacking.

4. Car Whisperer : It is a hacking technique which can be used by attackers to hack the handsfree Bluetooth in-car system
and connect it to a Linux system to inject audio to or record audio from a passing car. Car Whisperer can easily be
used by attackers to invade privacy, listen to conversations inside a car and exploit them for illegitimate purposes.

2.14.4 Mishing

- Mishing is a blend of mobile phones and phishing.
- Mishing attacks attempt to exploit mobile phone technology.
- M-Commerce is fast becoming a part of everyday life. If you use your mobile phone
for purchasing goods/services and for banking, you could be increasingly vulnerable to a mishing scam.
- A typical mishing attacker uses a call, known as vishing, or a message (SMS), known as smishing.
- The attacker will pretend to be a representative of your bank or another organization and will claim a
need for your personal details. Attackers are inventive and will try to persuade you with different
reasons why they need this data from you.

2.14.5 Vishing

- Vishing is the short form of 'voice phishing'. In vishing, attackers try to extract your confidential information over the
phone.
- Attackers 'phish' (seek to extract) your confidential information like passwords, Personal Identification Number
(PIN), CVV and OTP. They then use this information to defraud you. While phishing happens over e-mail, 'vishing'
happens over the phone and smishing (also called SMiShing) happens through SMS.

How Vishing works ?

- A confident voice at the other end of the phone line claims to call from your bank, card company, the RBI or some
such powers-that-be. He or she may possess some of your basic personal details, and uses these to convince you of
the genuineness of the call, and to part with critical details.
- Similarly, messages purporting to be from your bank or from the RBI can goad you into sharing such confidential
information. Some messages may also carry malicious links or phone numbers that you are egged on to click or call.
- The excuses employed by fraudsters are many. They may say that the information is needed to claim your windfall or
special offer, keep your card or account active or verify details as part of a regulatory procedure.
- If you part with your confidential data, you could see your card being charged or your account being debited in quick
time.

Prevention
- Primarily, never share your details such as passwords, PIN, CVV and OTP with anyone. Be on the alert, and don't pass
on this critical information in a weak moment.
- Your bank or card provider will never ask for such information. Nor will the RBI. So, such calls or messages should
immediately raise a red flag. Cut them off and ignore them. Keep off links or attachments that come from unknown or
suspicious sources. Report such instances to your bank, card company or the RBI.

2.14.6 Smishing

- SMiShing is a security attack in which the user is tricked into downloading a trojan horse, virus or other malware onto
his cellular phone or other mobile device. SMiShing is the short form of "SMS phishing".
- You receive a fraudulent text claiming to be from a trusted organization or individual being impersonated by criminals,
including the following:
o Your bank, informing you that there is a problem with your account such as irregular activity or lack of funds.
o A retailer, offering vouchers or gift cards.
o A technology provider such as Apple or Google, notifying you that you need to validate an account.
o A parcel delivery company, notifying you that you need to confirm that you want a parcel to be delivered.
o HMRC, informing you that you are due a tax refund.

What all smishing messages have in common :

- They instruct you to either go to a website or make a phone call to a specified number.
- They play on your basic human emotions and needs, such as trust, safety, fear of losing money, getting something for
nothing, eagerness to find a bargain or desire to find love or popularity/status.
- They generally state or imply the need for your urgent action to either avoid an issue or take advantage of an offer.

Websites you visit via smishing messages generally either request confidential details or cause your internet-connected
mobile device to be infected with malware. Phone calls you make in response can either result in confidential
details being requested, or be to a premium rate number resulting in very high charges being added to your phone bill.

How to avoid becoming a victim of smishing ?

- Do not click on links in text messages unless you are 100% certain that they are genuine and well-intentioned.
- Take time to consider your actions before responding to text messages.
- Ask yourself if the sender, if genuine, would really contact you via this text.
- Recognize threats of financial issues or offers that seem too good to be true, for what they really are.
- If in doubt, call the correct number of the organization or individual from whom the text claims to have been sent, to
check its authenticity.
- Remember that even if the text message seems to come from someone you trust, their number may have been
hacked or spoofed.
- Do not respond to the text message. Doing so could result in your details being added to a 'suckers' list' and you will
be inundated with similar messages.
- Mobile phone providers act against spam, including scam texts on their networks, and report them to the regulators.
- Report spam text messages directly to your mobile phone provider.



2.15 Mobile Devices: Security Implications for Organizations

2.15.1 Managing Diversity and Proliferation of Hand-Held Devices

- Since there are security threats to information systems through the use of mobile devices, organizations need to set up
security practices at a level appropriate to their security objectives, subject to legal and other external constraints. A few
organizations implement security procedures and tools extensively, whereas other organizations place more value on cost
and convenience.
- The chief executive officer, president or director should start the policy-making effort. If there is no organization
policy about security, then even the best security technology features will be worthless to the organization. Sometimes in
an organization senior executives have been given special access rights to the corporate network which can
circumvent standard security procedures.
- Most of the time organizations fail to check the long-term significance of keeping track of who owns what
kind of mobile device. It is necessary to register employees' mobile devices in the corporate asset register irrespective of
whether or not the device has been provided by the organization. Close monitoring of these devices is needed in
terms of their use. When an employee leaves, it is necessary to remove his or her logical as well as physical access to
corporate resources, because employees may use their mobile devices to connect into the corporate network.
- If the mobile device belongs to the company then it should be returned to the IT department, after which the device
should be deactivated and cleansed. Organizations should encourage employees to register with the
IT department any device they use. Then access can be provisioned in a controlled manner and de-provisioned
appropriately when the employee leaves the organization.
- Many young employees of enterprises embrace mobility solutions. These employees prefer instant messaging
instead of e-mail and very often use social networking services like Facebook and Twitter. These employees also prefer to
use personal consumer-oriented devices in the work environment and adapt quickly to new technology. On the other
hand, older employees are slow in accepting mobility solutions; most probably they rely on voice communication and
e-mail. The different points of view of old employees and young employees give rise to a mobility generation gap.

2.15.2 Educating the Laptop Users

- Corporate laptop users could put their company's networks at risk by downloading non-work-related software
which spreads viruses and spyware. This is because the software running on laptops has become more complex, as more
applications are used on an increasingly sophisticated operating system with various connectivity options.
- It has been observed that many employees use their laptops for downloading illegal music and movies and also for
accessing peer-to-peer web sites, which affects their laptops as well as the business network when they connect to the
corporate system.
- Despite this, only half of the companies are using tools to manage internet access on laptops. The policies and
procedures related to laptops have evolved over the years to be able to cope with managing laptops connected
by wireless means.

2.15.3 Protecting Data on Lost Devices


- Protection of the data on mobile devices is important. Cyber security needs to address this issue because some
data on the devices is stored persistently and some belongs to always-running applications, and the data stored on the
device must be protected. There are two precautions that an individual can take to prevent the disclosure of the data
stored in a mobile device:
o Encrypt the sensitive data
o Encrypt the entire file system
- The data stored on the hard disk or non-removable memory can be protected. There are many third-party tools available
to protect data on lost devices, including encryption of the database files stored on the server. An individual can
implement a self-destruct policy to destroy privileged data on a lost device using a suitable tool. The important point here
is that organizations must have a policy on how to respond to the loss of a device, whether it is a data storage device, a
PDA or a laptop. There should be proper provisions for device owners to quickly report the loss, and device owners should
be aware of these provisions. One can also write emergency contact information on the device itself, which will also be
helpful.

2.15.4 Unconventional/Stealth Storage Devices


- Employees use Compact Disc (CD) and Universal Serial Bus (USB) drives. With the advancement of technology
the size of storage devices is decreasing. It is very difficult to detect these devices for organizational security. So, it is
advisable that employees not use these devices.
- Antivirus software and firewalls are no defense against the threat of an open USB port. Viruses, worms and trojans
enter the organizational network through it and destroy valuable data on the organization's network.
- Some organizations have a policy to block this port when they issue the asset to the employee. Sometimes the Windows
operating system's standard access controls do not permit the assignment of permissions for USB ports, and restricting
these devices becomes next to impossible.
- An unhappy employee can connect a USB drive, small digital camera or MP3 player to the USB port of any unattended
computer and will be able to download confidential data or upload harmful viruses. If a malicious attack is launched
from within the organization, then the firewall and antivirus software are not alerted.
- Device lock software can be used to control unauthorized access to plug-and-play devices. The features of the
software permit the system administrator to :
o Monitor which users can access USB ports, Wi-Fi and Bluetooth adapters, CD-ROMs and other
removable devices.
o Set devices in read-only mode.
o Protect disks from accidental formatting.
o Create a white list of USB devices, which permits you to authorize only specific devices that will not be locked
regardless of any other settings.
o Control the access of devices based on the time of the day and day of the week.
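The following added example (not from the textbook, and not the code of any particular device-lock product) shows how the last three features in that list combine into one access decision: a white list that wins regardless of other settings, a read-only mode for everything else, and a day-of-week and hour-of-day schedule. The device IDs, the schedule and the policy values are constructed for the example.

```go
package main

import (
	"fmt"
	"time"
)

// Policy models the device-lock controls listed above (constructed example):
// a white list of device IDs honoured regardless of other settings, a read-only
// switch, and a day-of-week / hour-of-day schedule.
type Policy struct {
	WhiteList    map[string]bool       // "vendorID:productID" strings that are always permitted
	ReadOnly     bool                  // non-white-listed devices that pass the schedule mount read-only
	AllowedDays  map[time.Weekday]bool // days on which removable media may be used
	AllowedHours [2]int                // permitted window [start, end) in hours of the day
}

// Decision is what the administrator's tool would enforce for one plug-in event.
type Decision struct {
	Allowed  bool
	ReadOnly bool
	Reason   string
}

// Evaluate decides whether the removable device identified by deviceID may be
// used at time `at`. White-listed devices bypass both the schedule and the
// read-only setting, which is the "regardless of any other settings" rule.
func (p Policy) Evaluate(deviceID string, at time.Time) Decision {
	if p.WhiteList[deviceID] {
		return Decision{Allowed: true, ReadOnly: false, Reason: "white-listed device"}
	}
	if !p.AllowedDays[at.Weekday()] {
		return Decision{Reason: "blocked: outside permitted days"}
	}
	if h := at.Hour(); h < p.AllowedHours[0] || h >= p.AllowedHours[1] {
		return Decision{Reason: "blocked: outside permitted hours"}
	}
	return Decision{Allowed: true, ReadOnly: p.ReadOnly, Reason: "within schedule"}
}

// OfficePolicy is a constructed policy: weekday office hours, read-only media for
// everyone except one corporate-issued drive with a hypothetical ID.
func OfficePolicy() Policy {
	return Policy{
		WhiteList: map[string]bool{"1234:5678": true}, // hypothetical vendor:product ID
		ReadOnly:  true,
		AllowedDays: map[time.Weekday]bool{
			time.Monday: true, time.Tuesday: true, time.Wednesday: true,
			time.Thursday: true, time.Friday: true,
		},
		AllowedHours: [2]int{8, 18},
	}
}

func main() {
	p := OfficePolicy()
	mondayMorning := time.Date(2024, time.March, 4, 10, 0, 0, 0, time.UTC)
	fmt.Printf("%+v\n", p.Evaluate("abcd:0001", mondayMorning)) // allowed, read-only
	fmt.Printf("%+v\n", p.Evaluate("1234:5678", mondayMorning)) // allowed, writable
}
```

The order of the checks is the policy: because the white list is tested first, a corporate-issued drive works on a Sunday night, while an unknown camera plugged into an unattended machine outside office hours is refused before any data can move.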
- One more aspect of cyber security complications is the falling prices of mobile devices. Modern mobile devices
are good productivity tools, so many organizations allow employees to use mobile devices. Device
management should include user awareness education, and organizations should encourage employees to take some
personal responsibility for the physical security of their devices.

2.15.5 Threats through Lost and Stolen Devices

- When people are travelling, it happens that mobile hand-held devices get lost. Lost mobile devices are a large
security risk to corporations: they put the organization at serious risk of damage, exploitation or damage
to its professional integrity. Many such devices connect wirelessly to a corporate network and have very little security. This
makes them a weak link for security administrators. If the lost device is personal, then it results in
privacy exposure. Many people store sensitive information on their devices with very few concerned about backing it up
or protecting it.

2.16 Organizational Measures for Handling Mobile Devlces-Related Security Issues

It is also important for organizations to safeguard their information systems in the mobile computing paradigm.

1. Encrypt organizational database

- The database stores critical and sensitive information, and it is not difficult to access this information using hand-held
devices.
- Encryption is required to prevent the loss of the organization's data.
- Two algorithms are used for strong encryption; they are :
a. Rijndael : it is a block encryption algorithm, selected as the new Advanced Encryption Standard (AES) for
block ciphers by the National Institute of Standards and Technology (NIST).
b. Multi-Dimensional Space Rotation (MDSR) algorithm; this algorithm was developed by Casio.
- The database file encryption algorithms AES and MDSR make the database file inoperable without the key
(password).
- When the database is encrypted, the information in the main database file, the temporary file and the transaction log
file gets scrambled. So, the information cannot be deciphered by looking at the files using a disk utility.
- If a weak form of encryption is used then its performance impact is negligible. On the other hand, the
performance impact of strong encryption is high.
- When you are using strong encryption, do not store the key on the mobile device. If you lose the key,
your data are completely inaccessible.
- The key must be entered exactly to access the database, as it is case-sensitive. The key is needed whenever
you access the database or want to use a service on your database.
- To provide greater security, the database server displays a dialog box where the user can enter the encryption
key.
- Additional security measures are used to enforce a self-destruct policy that is controlled from the server to
protect against attack or theft through a mobile device that is connected to the corporate databases.
- When a device that is identified as lost or stolen connects to the organization's server, the IT department can have the
server send a package to destroy privileged data on the device.
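The points above (AES makes the file inoperable without the key, the key is case-sensitive, the key is not stored on the device) can be shown in a few dozen lines. The following is an added example, not code from the textbook or from any database vendor: it derives a 256-bit AES key from a passphrase with PBKDF2 (written out here so the example needs only the Go standard library), seals the database file contents with AES-GCM, and shows that a mis-cased passphrase or a modified file is rejected outright rather than decrypted to garbage. The sample database content, passphrase and iteration count are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

const (
	saltLen    = 16
	keyLen     = 32     // 256-bit AES key
	iterations = 100000 // PBKDF2 work factor (constructed choice for the example)
)

// pbkdf2SHA256 is a plain implementation of PBKDF2-HMAC-SHA256 (RFC 8018),
// written out so the example needs nothing outside the standard library.
func pbkdf2SHA256(password, salt []byte, iter, length int) []byte {
	var out []byte
	for block := uint32(1); len(out) < length; block++ {
		mac := hmac.New(sha256.New, password)
		mac.Write(salt)
		mac.Write([]byte{byte(block >> 24), byte(block >> 16), byte(block >> 8), byte(block)})
		u := mac.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iter; i++ {
			mac.Reset()
			mac.Write(u)
			u = mac.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:length]
}

// newGCM derives the key from the passphrase and salt and returns an AES-GCM AEAD.
// The passphrase is case-sensitive by construction: any byte change gives a different key.
func newGCM(passphrase string, salt []byte) (cipher.AEAD, error) {
	key := pbkdf2SHA256([]byte(passphrase), salt, iterations, keyLen)
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptDatabase seals the database file contents with AES-256-GCM. Output
// layout: salt || nonce || ciphertext || tag. Neither the passphrase nor the
// derived key is written anywhere, matching "do not store the key on the device".
func EncryptDatabase(passphrase string, plaintext []byte) ([]byte, error) {
	salt := make([]byte, saltLen)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	gcm, err := newGCM(passphrase, salt)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	out := append(append([]byte(nil), salt...), nonce...)
	return gcm.Seal(out, nonce, plaintext, nil), nil
}

// DecryptDatabase reverses EncryptDatabase. A wrong or mis-cased passphrase, or
// any modification of the file, fails GCM's tag check, so the file stays
// inoperable instead of yielding scrambled plaintext.
func DecryptDatabase(passphrase string, blob []byte) ([]byte, error) {
	if len(blob) < saltLen {
		return nil, errors.New("encrypted database too short")
	}
	salt, rest := blob[:saltLen], blob[saltLen:]
	gcm, err := newGCM(passphrase, salt)
	if err != nil {
		return nil, err
	}
	if len(rest) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("encrypted database too short")
	}
	nonce, ct := rest[:gcm.NonceSize()], rest[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

func main() {
	db := []byte("id,name,card_last4\n1,Asha Rao,1234\n") // constructed sample contents
	blob, err := EncryptDatabase("Correct-Horse-7", db)
	if err != nil {
		panic(err)
	}
	if _, err := DecryptDatabase("correct-horse-7", blob); err != nil {
		fmt.Println("mis-cased key rejected:", err)
	}
	plain, _ := DecryptDatabase("Correct-Horse-7", blob)
	fmt.Printf("%s", plain)
}
```

The "performance impact of strong encryption" the text mentions shows up here in the iteration count: PBKDF2 deliberately costs CPU time on every open of the database, which is what slows down guessing of a weak passphrase, so the count is chosen as high as the device can tolerate.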

2. Include mobile devices in the security strategy

- Nowadays the mobile workforce is increasing, and organizational IT departments have to take responsibility for
cyber security threats that come from wrongful access to organizational data by mobile-device-using
employees.
- Using security as an excuse, many organizations do not want to include mobile devices in their environments.
These organizations say that they fear the loss of sensitive data that could result from a PDA being stolen or an
unsecured wireless connection being used.
- But many technologies are available to secure mobile devices, and for many organizations these technologies
are enough. There are many ways to lock the devices or to destroy the lost data by sending a special message to
the machine. There are a few mobile devices available that have high-powered processors; these processors
support 128-bit encryption.
- To handle the cyber security challenges, users can integrate security programs for mobile and wireless
systems into the overall security blueprint.


Enterprises can also use the following measures :
a. To prohibit unauthorized access and the entry of corrupted data, implement virus checking, strong asset
management, loss prevention and other controls for mobile systems.
b. Study alternatives that permit secure access to the company data through a firewall, for example, mobile
VPNs.
c. For mobile devices, develop a system of more frequent and thorough security audits.
d. In the mobile training and support program, include a security awareness program.
e. Change the password and inform the right law enforcement agency. Monitor the user accounts closely for a
period of time for any unusual activity.

2.17 Organizational Security Policies and Measures in Mobile Computing Era

1. Significance of security policies relating to mobile computing devices


- As the use of hand-held devices increases, it makes the cybersecurity issue bigger than our imagination.
- Nowadays, the youth use hand-held devices like wallets. People store confidential information on
mobile computing devices. They listen to music using their hand-held devices.
- People should think before storing credit card and bank account numbers, passwords, confidential e-mails,
planning information about the organization, merger or takeover plans and other important information that
could impact stock values on mobile devices.
- If an employee's laptop, USB or pluggable drive gets stolen or lost and it reveals sensitive customer information
like credit reports, contact information or social security numbers, it will highly impact the business. It will be a
Public Relations (PR) failure and also violate laws and regulations.
- There will be very big legal trouble for public companies whose data gets stolen. If there are no controls
implemented for data protection then the way out is to prevent users from storing proprietary information on
platforms considered to be inadequately secure. It is difficult to enforce such a policy, but it will be
effective if user awareness is increased. Policies related to information handling and classification should
define clearly what kind of data may be stored on mobile devices. If there are no controls available then
avoid storing confidential data on mobile devices.

- Cell phone voice call interception is putting many businesses at risk. There are six situations involving
the use of cell phones to communicate sensitive and confidential information that occur in organizations.
- The situations illustrated are the following :
o A CEO's executive assistant uses a PDA to orchestrate ground transportation that uncovers the CEO's
identity and location.
o A call center representative helps a client using a phone to set up a record and gathers personal data
(including SSN).
o A team lead conducting business in Asia uses his/her mobile phone to speak with the home office.
o The finance and accounting staff discuss the profit figures of an official statement while one member on the call is
using a cell phone.
o A conference call among senior leaders in the organization in which mobile phones are now and again
utilized.
o An outside legal advisor requests proprietary and secret data while using his mobile phone.


2. Operating guidelines for implementing mobile device security policies

- In the situations given above, the ideal solution is to ban all confidential data from being stored on mobile devices, but practically that is not completely possible. Organizations can, on the other hand, decrease the risk that confidential information will be accessed from lost/stolen mobile devices through the following steps :
- Decide whether the workers in the organization need to use mobile computing devices at all, in light of their risks and advantages within the organization's business and regulatory environment.

a. Remove information from computing devices that are not being used, or before reassigning those devices to new owners. This blocks incidents in which individuals acquire "old" computing devices that still hold confidential organization information.

b. Implement additional security technologies, as appropriate for both the organization and the types of devices used. Most mobile computing devices should have their native security strengthened with tools such as strong encryption, device passwords and physical locks. Biometric methods can be used for authentication and encryption and can possibly remove the difficulties related to passwords.

c. Standardize the mobile computing devices and the related security tools used with them. As a basic rule, security breaks down rapidly as the tools and devices used become progressively divergent.

d. Offer education and awareness training to staff using mobile devices. Individuals cannot be expected to properly protect their data if they have not been told how.

e. Establish a specific framework for using mobile computing devices, including rules for data syncing, the use of firewalls and anti-malware software, and the kinds of data that can be stored on them.

f. Set up patching procedures for software on mobile devices. This can often be simplified by integrating patching with syncing, or patch management with the centralized inventory database.

g. Set up procedures to disable remote access for any mobile devices reported lost or stolen. Many devices let users store usernames and passwords for online interfaces, which could let a thief access far more data than is on the device itself.

h. Centralize the management of your mobile computing devices. Maintain an inventory so that you know who is using what type of device.
i. Mark the devices and register them with an appropriate service that helps return recovered devices to their owners.
Organizational policies for the use of mobile hand-held devices
- Creating company policies that deal with the unique issues of mobile devices is the first step in securing mobile devices.
- Policy creation for mobile devices can be handled in different ways.

a. Create a distinct mobile computing policy.

b. Include such devices under existing policy.
- One approach is to check whether mobile devices fall under both existing general policies and a new one.
- A hybrid approach is used to create the policy related to the specific needs of the mobile device, for example, what to do if it is lost or stolen.

- Many general issues are covered in the IT policy.

- The acceptable use policy that exists for other technologies is extended to mobile devices.
- The wireless, LAN and Wide Area Network (WAN) may need separate policies, though a well-written network policy can cover all connections to the company data, including mobile and wireless.
- Companies that are new to mobile devices may adopt an umbrella mobile policy; however, they find over time that they need to change their policies to match the challenges posed by diverse kinds of mobile hand-held devices. For example, the challenges posed by wireless devices are different from those of non-wireless devices.

- It may happen that eventually companies need to create separate policies for mobile devices on the basis of whether they connect wirelessly, and with differences for devices that connect to WANs and LANs.
- It is, after all, an issue of new technology adoption for many organizations. By considering its uses, companies may think of ways they can use it and, maybe just as significant, how their competitors will use it.

2.18 Laptops

- Nowadays laptop use has become very common. Laptops pose a large threat as they are portable. Due to their wireless ability, the cyber security worry about the information that is transmitted increases, as interception is difficult to detect. So organizations have to take some measures for cyber security given the widespread use of laptops. Laptop theft is the major issue.

- Cyber criminals target expensive laptops to fetch a quick profit in the black market. Very few thieves are actually interested in the information contained in the laptop. Yet many laptops hold sensitive business information and personal information, and cyber criminals misuse this information.

- Many senior managers in the organization do not protect the information stored in the laptop as they think the information stored in the laptop is only for them.

Physical security countermeasures

- Organizations are heavily dependent upon a mobile workforce with access to information, no matter where they travel. However, this mobility is putting organizations at risk of a data breach if a laptop containing sensitive information is lost or stolen.
- Hence, physical security countermeasures are becoming very vital to protect the information on the employees' laptops and to reduce the likelihood that employees will lose laptops. Management also has to take care of creating awareness among the employees about these physical security countermeasures by continuous training and stringent monitoring of organizational policies and procedures about them.
1. Cables and hardwired locks

- Make use of cables and locks that are specially designed for laptops. Kensington cables are one of the most popular brands in laptop security cables. These cables are made of aircraft-grade steel and Kevlar brand fiber, thus making them 40% stronger than any other conventional security cables.
- One end of the security cable is fit into the universal security slot of the laptop and the other end is locked around any fixed furniture or item, thus making a loop. These cables come with a variety of options such as number locks, key locks and alarms.
- However, the downside of the security cables lies in the fact that one can easily remove detachable bays such as the CD-ROM bay, Personal Computer Memory Card Industry Association (PCMCIA) cards, the Hard Disk Drive (HDD) bay and other removable devices from the laptop, as the cable only secures the laptop from [...]
- Another disadvantage of security cables is when the laptop is locked to an object that is not fixed or is weak enough to break. In certain cases of laptop thefts, the thief dismantled or smashed the fixed item the laptop was attached to.

- Laptops can also be kept in enclosures made of polycarbonate. This material is also used for riot shields, bulletproof windows and bank [...]; this material can be used to protect the laptop.

- Alarms and motion sensors are used to track missing laptops in crowded places. These alarms and motion sensors are loud and, due to their loud nature, they help in deterring thieves. Modern alarm systems are [...]. The alarm device attached to the laptop transmits radio signals to a certain range around it. The owner of the laptop has a key ring device that communicates with the laptop alarm device. When the distance between the laptop and the key ring device crosses the specified range, the alarm gets triggered.
- There are also cards that act as a motion detector and an alarm system, and also have the ability to lock down the laptop if it is moved out of the selected range. In addition they secure the passwords and encryption keys to the OS. Batteries are used in the card for power, so it stays on even when the system is shut down.

- Labels containing tracking information and identification details can be fixed onto the laptop to deter theft. These labels cannot be removed easily and are a low-cost solution to laptop theft. They carry an identification number that is stored in a universal database for verification, which in turn makes reselling stolen laptops a difficult process. They are especially recommended for the laptops issued to top executives and/or key employees of the organization.

Other measures for protecting laptops are as follows :

- Engrave the laptop with personal details.
- Keep the laptop near you wherever possible.
- Carry the laptop in an unusual and inconspicuous bag, making it barely visible to potential thieves.
- Create awareness among the employees to understand the responsibility of carrying a laptop and also about the information stored in the laptop.
- Keep a record of the laptop serial number, purchase receipt and the description of the laptop.
- To protect the information in the laptop, install encryption software.



Some logical access controls are as follows.

1. Protect from malicious programs.

2. Avoid weak passwords.

3. Monitor application security and scan for vulnerabilities.

4. Make sure that unencrypted data/unprotected file systems do not crea[...]

5. Handle storage mediums/removable drives/unnecessary ports properly.

6. Use strong passwords by applying suitable password rules.

7. Lock unwanted devices or ports.

8. Install security patches and updates on a regular basis.

9. Install antivirus software/firewalls/intrusion detection systems (IDSs).

10. Encrypt important file systems.

Other countermeasures

- Select a secure operating system.
- Take a backup of data on a regular basis.
- Register the laptop with the laptop manufacturer to track it in case of theft.
- Disable unwanted user accounts and rename the administrator account.
- Disable the display of the last logged-in username in the login dialog box.

Q.1 How do criminals plan the attacks? (Section 2.1)

Q.2 Explain the phases involved in planning cybercrime. (Section 2.1)

Q.3 Tools used during active attacks.

Q.4 Write a short note on Social Engineering. (Section 2.2)

Q.5 What is Cyberstalking? Explain the types of cyberstalking. How does stalking work? (Section 2.3)

Q.6 Write a short note on Cyber cafés and Cybercrimes. (Section 2.4)

Q.7 Write a short note on Botnets. (Section 2.5)

Q.8 Write a short note on Attack vectors. (Section 2.6)

Q.9 Explain attacks on cloud computing. (Section 2.7)

Q.10 Write a short note on Proliferation of Mobile and Wireless Computing. (Section 2.8)

Q.11 Explain the Trends in Mobility. (Section 2.9)

Q.12 Explain the Security Challenges Posed by Mobile Devices. (Section ...)

Q.13 Explain the techniques used for Credit Card Frauds in Mobile and Wireless Computing. (Section ...)
Tools and Methods used in Cybercrime

Syllabus

Phishing, Password cracking, Key loggers and spywares, Virus and worms, Steganography, DoS and DDoS attacks, SQL injection, Buffer overflow, Attacks on wireless networks, Phishing, Identity Theft (ID Theft)

3.1 Phishing

- Phishing is a technique used to gain a victim's personal information, generally for the purpose of identity theft. Phishing involves using a form of spam to fraudulently gain access to the victim's online banking details such as credit card details. It also involves targeting online banking customers by sending phishing e-mails, and it may also aim at online auction sites or other online payment facilities.

- An example of a phishing e-mail is one that asks a net-banking customer to visit a link in order to update personal bank account details. When the user visits the link, the victim downloads a program which seizes his/her banking login details and sends them to a third party.

3.1.1 Features of Phishing Mail

1. Too good to be true - Lucrative offers and eye-catching or attention-grabbing statements are designed to attract people's attention immediately. For instance, many claim that you have won an iPhone, a lottery, or some other lavish prize. Just don't click on any suspicious e-mails. Remember that if it seems too good to be true, it probably is.

2. Sense of urgency - A favorite tactic amongst cyber criminals is to ask you to act fast because the super deals are only for a limited time. Some of them will even tell you that you have only a few minutes to respond. When you come across these kinds of e-mails, it's best to just ignore them. Sometimes, they will tell you that your account will be suspended unless you update your personal details immediately. Most reliable organizations give ample time before they terminate an account and they never ask patrons to update personal details over the Internet. When in doubt, visit the source directly rather than clicking a link in an e-mail.

3. Hyperlinks - A link may not be all it appears to be. Hovering over a link shows you the actual URL where you will be directed upon clicking on it. It could be completely different or it could be a popular website with a misspelling, for instance www.bankofarnerica.com - the 'm' is actually an 'r' and an 'n', so look carefully.

4. Attachments - If you see an attachment in an e-mail you weren't expecting or that doesn't make sense, don't open it! They often contain payloads like ransomware or other viruses. The only file type that is always safe to click on is a .txt file.

5. Unusual sender - Whether it looks like it's from someone you don't know or someone you do know, if anything seems out of the ordinary, unexpected, out of character or just suspicious in general, don't click on it!
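The 'rn' versus 'm' trick in point 3 can be caught mechanically. The Python example below is added here and is not from the book: it parses the anchors in a constructed HTML mail body, compares the hostname shown in the link text with the real target, collapses common look-alike letter pairs to spot imitations of a constructed list of protected domains, and flags non-https links.

```python
import re
from urllib.parse import urlparse

# Constructed list of hostnames a mail filter wants to protect (assumption for this example).
PROTECTED_HOSTS = {"www.bankofamerica.com", "www.paypal.com"}

# Character sequences that look alike in many fonts, e.g. the 'rn' vs 'm' trick above.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l")]

# Anchor text that itself looks like a URL or bare hostname.
HOST_RE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:/\S*)?$", re.I)
# <a href="...">text</a> pairs in an HTML mail body.
ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def canonical(host: str) -> str:
    """Collapse look-alike sequences so 'bankofarnerica' compares equal to 'bankofamerica'."""
    host = host.lower()
    for fake, real in CONFUSABLES:
        host = host.replace(fake, real)
    return host


def link_host(url: str) -> str:
    """Hostname of the real target, lower-cased; empty string if unparseable."""
    if "://" not in url:
        url = "http://" + url
    return urlparse(url).hostname or ""


def shown_host(display_text: str) -> str:
    """Hostname the reader believes they are clicking, or '' if the text is not URL-like."""
    m = HOST_RE.match(display_text.strip())
    return m.group(1).lower() if m else ""


def check_link(display_text: str, href: str) -> list:
    """Warnings for one hyperlink; an empty list means nothing suspicious was found."""
    warnings = []
    target = link_host(href)
    shown = shown_host(display_text)
    if shown and shown != target:
        warnings.append(f"displayed host {shown!r} differs from real target {target!r}")
    canonical_protected = {canonical(h) for h in PROTECTED_HOSTS}
    if target not in PROTECTED_HOSTS and canonical(target) in canonical_protected:
        warnings.append(f"{target!r} is a look-alike of a protected domain")
    if not href.lower().startswith("https://"):
        warnings.append("link is not https")
    return warnings


def scan_html(html: str) -> dict:
    """Map each suspicious href in an HTML mail body to its list of warnings."""
    findings = {}
    for href, text in ANCHOR_RE.findall(html):
        text = re.sub(r"<[^>]+>", "", text)  # strip tags nested inside the anchor
        w = check_link(text, href)
        if w:
            findings[href] = w
    return findings


# Constructed sample mail body for demonstration.
SAMPLE_MAIL = """<p>Dear customer, your account will be suspended in 10 minutes.</p>
<a href="https://www.bankofarnerica.com/verify">www.bankofamerica.com</a>
<a href="https://www.bankofamerica.com/help">Help centre</a>"""

if __name__ == "__main__":
    for href, warns in scan_html(SAMPLE_MAIL).items():
        print(href)
        for w in warns:
            print("  -", w)
```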

3.1.2 Phishing Techniques

1. Spear phishing

While traditional phishing uses a 'spray and pray' approach, meaning mass e-mails are sent to as many people as possible, spear phishing is a much more targeted attack in which the hacker knows which specific individual or organization they are after. They do research on the target in order to make the attack more personalized and increase the likelihood of the target falling into their trap.

2. Session hijacking

In session hijacking, the phisher exploits the web session control mechanism to steal information from the user. In a
simple session hacking procedure known as session sniffing, the phisher can use a sniffer to intercept relevant
information so that he or she can access the Web server illegally.

3. E-mail/spam

Using the most common phishing technique, the same e-mail is sent to millions of users with a request to fill in
personal details. These details will be used by the phishers for their illegal activities. Most of the messages have an
urgent note which requires the user to enter credentials to update account information, change details, or verify
accounts. Sometimes, they may be asked to fill out a form to access a new service through a link which is provided in
the e-mail.

4. Web based delivery

Web based delivery is one of the most sophisticated phishing techniques. Also known as "man-in-the-middle," the
hacker is located in between the original website and the phishing system. The phisher traces details during a
transaction between the legitimate website and the user. As the user continues to pass information, it is gathered by
the phishers, without the user knowing about it.
5. Link manipulation

Link manipulation is the technique in which the phisher sends a link to a malicious website. When the user clicks on
the deceptive link, it opens up the phisher's website instead of the website mentioned in the link. Hovering the mouse
over the link to view the actual address stops users from falling for link manipulation.

6. Keyloggers
Keyloggers refer to the malware used to identify inputs from the keyboard. The information is sent to the hackers who
will decipher passwords and other types of information. To prevent key loggers from accessing personal information,
secure websites provide options to use mouse clicks to make entries through the virtual keyboard.

7. Trojan
A trojan horse is a type of malware designed to mislead the user with an action that looks legitimate, but actually
allows unauthorized access to the user account to collect credentials through the local machine. The acquired
information is then transmitted to cyber criminals.

8. Malvertising
Malvertising is malicious advertising that contains active scripts designed to download malware or force unwanted
content onto your computer. Exploits in Adobe PDF and Flash are the most common methods used in

malvertisements.
3.1.3 Preventing Phishing Attack

- To protect against spam mails, spam filters can be used. Generally, the filters assess the origin of the message, the software used to send the message and the appearance of the message to determine if it is spam. Occasionally, spam filters may even block e-mails from legitimate sources, so they are not always 100% accurate.
- The browser settings should be changed to prevent fraudulent websites from opening. Browsers keep a list of fake websites and when you try to access such a website, the address is blocked or an alert message is shown. The settings of the browser should only allow reliable websites to open up.
- Many websites require users to enter login information while the user image is displayed. This type of system may be open to security attacks. One way to ensure security is to change passwords on a regular basis, and never use the same password for multiple accounts. It is also a good idea for websites to use a CAPTCHA system for added security.
- Banks and financial organizations use monitoring systems to prevent phishing. Individuals can report phishing to industry groups where legal action can be taken against these fraudulent websites. Organizations should provide security awareness training to employees to recognize the risks.
- Changes in browsing habits are required to prevent phishing. If verification is required, always contact the company personally before entering any details online.
- If there is a link in an e-mail, hover over the URL first. Secure websites with a valid Secure Socket Layer (SSL) certificate begin with "https". Eventually all sites will be required to have a valid SSL certificate.

3.2 Password Cracking

Many times people use a name and password to get access to a particular system. Passwords can be cracked by the attacker, and the attacker can use that password to impersonate the legitimate user. There are many ways to crack a password :

1. Use brute force

2. Recover and exploit the password stored on the system

3. Make use of password decryption software

4. Social engineering

1. Brute force
- In a brute force attack the attacker tries all the possible combinations to crack the password until the attacker succeeds. The brute force attack is performed manually. This attack is also known as a dictionary attack. Password cracking is also used for legitimate purposes, for example, when an employee has left the job suddenly, an employee has died, or an employee has forgotten his/her password.
- So, to retrieve the important file, password cracking is used. This is also known as password recovery. It is advised to create long and complex passwords. There are some tools available which allow dividing the task into parts and also using many machines simultaneously to work on it; this technique is called a distributed attack.
- In a brute force attack the attacker guesses the password. Examples of guessable passwords are :

o Blank
o User's birth place, DOB
o Vehicle number
o User's name or login name
o Series of letters "QWERTY"
o Name of favourite celebrity

2. Exploitation of stored passwords

- Guessing a password is a tedious job, so the attacker looks for a list of passwords, which may be on the hard disk of a computer. People use different passwords in the organization for different purposes, so they store their passwords on the system's hard disk or somewhere they can get at them in case they forget. The cracker just has to acquire these files.
- Some people do not store the password in plain text format; they store the password in encrypted or hashed format. If the cracker can get the encrypted password file, then the attacker uses a software program. This program uses the same hash function the system uses and hashes possible passwords, then compares the result with the encrypted passwords in the password file. This method is known as comparative analysis.

3. Interception of passwords

- Crackers do not always capture the password file or guess the password. When a password is sent across the network through a remote access connection in plain text, that password may get intercepted by the attacker. They use sniffer software for interception. Another technique to intercept the password is a keystroke logger. The keystroke logger is a hardware device or a software program; it captures and records every character typed, including passwords.
- A time domain reflectometer (TDR) is used to detect an unauthorized packet sniffer on the wire. It sends a pulse down the cable and generates a graph of the reflections that are returned.
- By reading the graph we can find where the unauthorized devices are attached to the cable.
- There are also some techniques using PING, DNS and ARP that help to catch unauthorized sniffers.

4. Password decryption software


- One byte patching - The one byte patching technique is used to decrypt the program. It decrypts the password simply by changing one byte in the program.
- Known plain-text method - This technique is used against algorithms where the attacker has already obtained one or more decrypted files; the attacker uses the same method to decrypt the other files which use the same algorithm. This technique is used to attack password protected files like .zip, .rar and .arj files.

5. Social engineering
- Social engineering requires social abilities and individual communication to make somebody uncover security related data and maybe even to do something that allows an attack.
- The fundamental thought process behind social engineering is to convince the victim to be helpful.

6. Man-in-the-middle attacks

Man-in-the-middle attacks affect traffic being sent between communicating parties, and can include interception, insertion, deletion and modification of messages, reflecting messages back at the sender, replaying old messages and redirecting messages.
3.2.1 Prevention and Response

Passwords are the main and the first line of defence in some systems and networks. To prevent the password from being cracked :

- Use a long password
- Use special characters
- Avoid actual names and words
- Do not tell your password to anyone
- Do not write the password down
- Change the password regularly

3.2.2 Protecting the Network against Social Engineers


Social engineering is a big challenge to the administrator. Some people on the network are vulnerable to such attacks. The intruder may woo the user by telling stories of the extra cost that will be incurred if the user spends extra time verifying their identity.
The attacker may pose as a top authority of the company and may threaten the employee with loss of job or other action if the employee doesn't cooperate. In social engineering, prevention comes through education rather than technical solutions.

3.2.3 Password Cracking Tools


Table 3.2.1

| Tools | Description |
|---|---|
| Brutus | Brutus is one of the most popular remote online password cracking tools. It claims to be the fastest and most flexible password cracking tool. This tool is free and is only available for Windows systems. |
| Rainbow Crack | Rainbow Crack is a hash cracker tool that uses a large-scale time-memory trade-off process for faster password cracking than traditional brute force tools. Time-memory trade-off is a computational process in which all plain text and hash pairs are calculated by using a selected hash algorithm. After computation, results are stored in the rainbow table. This process is very time consuming. But, once the table is ready, it can crack a password much faster than brute force tools. |
| Wfuzz | Wfuzz is another web application password cracking tool that tries to crack passwords with brute forcing. It can also be used to find hidden resources like directories, servlets and scripts. This tool can also identify different kinds of injections including SQL injection, XSS injection, LDAP injection, etc. in web applications. |
| THC Hydra | THC Hydra is a fast network logon password cracking tool. When it is compared with other similar tools, it shows why it is faster. New modules are easy to install in the tool. You can easily add modules and enhance the features. It is available for Windows, Linux, FreeBSD, Solaris and OS X. |
| Aircrack-NG | Aircrack-NG is a WiFi password cracking tool that can crack WEP or WPA passwords. It analyzes wireless encrypted packets and then tries to crack passwords via its cracking algorithm. It uses the FMS attack along with other useful attack techniques for cracking passwords. It is available for Linux and Windows systems. A live CD of Aircrack is also available. |
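The Rainbow Crack row above and the "comparative analysis" described in Section 3.2 both depend on the stored hash being unsalted. The following Python example is added here and is not from the book: it builds a small precomputed table for a constructed wordlist, shows the instant lookup against a plain SHA-256 hash, and shows that a per-user salt with PBKDF2 key stretching makes the table useless, so every candidate must be re-hashed at crack time; the register/verify functions show the storage format a defender should use instead.

```python
import hashlib
import hmac
import os

# Constructed wordlist standing in for the guessable passwords the chapter lists (assumption).
WORDLIST = ["", "qwerty", "mumbai1990", "MH12AB1234", "ritesh", "shahrukh", "Winter2024!"]


def sha256_hex(password: str) -> str:
    """Unsalted hash, the kind a precomputed table can be built against."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_lookup_table(wordlist) -> dict:
    """One-time precomputation of (hash -> password) pairs: the 'memory' side of the trade-off."""
    return {sha256_hex(pw): pw for pw in wordlist}


def lookup(stored_hash: str, table: dict):
    """Crack time for an unsalted hash is a single dictionary lookup."""
    return table.get(stored_hash)


def salted_hash(password: str, salt: bytes, iterations: int) -> str:
    """PBKDF2-HMAC-SHA256: a per-user salt plus key stretching (defensive storage format)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def comparative_analysis(stored_hash: str, wordlist, hasher):
    """The chapter's 'comparative analysis': hash each candidate and compare.
    Returns (password or None, number of hash computations spent)."""
    attempts = 0
    for pw in wordlist:
        attempts += 1
        if hmac.compare_digest(hasher(pw), stored_hash):
            return pw, attempts
    return None, attempts


def register(password: str, iterations: int = 200_000) -> dict:
    """What a server should store: salt, iteration count and the stretched hash, never the password."""
    salt = os.urandom(16)  # fresh random salt per user, so identical passwords hash differently
    return {"salt": salt, "iterations": iterations,
            "hash": salted_hash(password, salt, iterations)}


def verify(record: dict, password: str) -> bool:
    """Constant-time comparison of a login attempt against the stored record."""
    candidate = salted_hash(password, record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["hash"])


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    print("unsalted, table lookup:", lookup(sha256_hex("qwerty"), table))  # qwerty
    rec = register("qwerty", iterations=1_000)  # low count only to keep the demo fast
    print("salted, table lookup:", lookup(rec["hash"], table))  # None
    pw, n = comparative_analysis(
        rec["hash"], WORDLIST,
        lambda p: salted_hash(p, rec["salt"], rec["iterations"]))
    print(f"salted, comparative analysis: {pw} after {n} stretched hashes")  # qwerty after 2
```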

3.3 Key Loggers and Spywares

3.3.1 Key-Loggers
- Keyloggers are also known as keystroke loggers. A keylogger is a program that runs all the time on your computer from the minute that you start it up. The keylogger will either record every keystroke you make or just those made in specific fields on websites to a log file, usually encrypted. The log file created by the keylogger can then be sent to a specified receiver. Some keylogger programs will also record any e-mail addresses you use and Web site URLs you visit.

3.3.1(A) Types of Keylogger

There are two types of keyloggers available :

1. Software based

A software keylogger is software made up of dedicated programs designed to track and log keystrokes, and it needs to be installed on the computer. Once the keylogger is installed on a PC, it starts operating in the background (stealth mode) and captures every keystroke on the target computer.

Advantages

There are lots of advantages of installing this software program. They are as follows :

- You can monitor the websites that the person visits. You can also view all the chats on social media websites and the exchange of e-mails. You may also expose the actual passwords as well as become aware of the details of online purchases.

- The software automatically records all the keystrokes in a log file as well as submits this to the host. It can be sent as e-mail or to a destination drive chosen by the user.
- The logs are kept in encrypted form, so it is very hard for anyone apart from the user to understand them.
- When the user gets the record, the logs are instantly decrypted and obtained in the form of an HTML file or the format selected.

- Installing the software is an extremely easy process, and within a couple of days you will get used to it.

Disadvantages
- Software keyloggers have a disadvantage as they do not begin logging from the moment a computer is turned on and are therefore not able to collect a BIOS password, for instance.
- Software keyloggers can be easily detected by some anti-keylogger software.

Detection
Anti-keyloggers are used to detect software keyloggers. Examples of anti-keylogger software are :

# KeyScrambler

# Zemana AntiLogger

# KL-Detector

Benefits

- Detect keyloggers - It detects keyloggers that are running on your computer.
- Remove keylogger - It will remove the keyloggers.
- Privacy protection - The anti-keylogger prevents your data from being revealed through keyloggers. All your activities like file downloads, e-mail, website visits, messages, calls and videos remain private unless you reveal them yourself.
- Warning - The anti-keylogger not only provides a disabling feature but also provides a warning when keylogging is being launched on your computer.
- Reliable - The anti-keyloggers are easy to use, that is, they are user friendly.

2. Hardware based
Hardware keyloggers come in USB models. Hardware keyloggers commonly have storage capacity ranging from 64 KB to 4 MB. Unlike the software keylogger, a hardware keylogger does not depend on any software program for its operation, as it functions at the hardware level itself. A hardware keylogger acts as an interface between the computer and the computer's keyboard. The device has a built-in memory in which all the recorded keystrokes are stored. They are designed to work with PS/2 keyboards, and more recently with USB keyboards.

Advantages
- Hardware keyloggers are easy to install and uninstall.
- Since it operates at the hardware level itself, it is fully compatible with all operating systems like Windows and UNIX.
- Unlike a software keylogger, it cannot be detected by anti-spyware and anti-keylogger software.
- Hardware keyloggers are also known to come in the form of a spy keyboard where the keylogger unit is built into the keyboard itself. This eliminates the need to install a separate device between the keyboard and the computer.

Disadvantages
- Hardware keyloggers are limited to capturing keystrokes, while a high-end software keylogger can capture screenshots, browser activities, IM conversations and much more.
- Physical access to the target computer is a must in order to install the hardware keylogger, whereas some software keyloggers come with a remote install/uninstall feature.
- In the case of a software keylogger, it is possible to access the logs remotely as they are e-mailed on a regular basis, while this is not possible in the case of a hardware keylogger.

Detection

Hardware keyloggers cannot be detected by software. If you suspect a hardware keylogger is present on your system, inspecting the keyboard's connection to the computer, or replacing the keyboard, will solve the problem.

3. Acoustic keylogger

- Acoustic cryptanalysis can be used to monitor the sound created by someone typing on a computer. Each key on the keyboard makes a subtly different acoustic signature when struck.
- It is then possible to identify which keystroke signature relates to which keyboard character via statistical methods such as frequency analysis.
- The repetition frequency of similar acoustic keystroke signatures, the timings between different keyboard strokes and other context information such as the probable language in which the user is writing are used in this analysis to map sounds to letters.
- A fairly long recording (1000 or more keystrokes) is required so that a big enough sample is collected.

3.3.1(B) Spreading

- A keylogger can be installed when a user opens a file attached to an e-mail.
- A keylogger can be installed when a file is launched from an open-access directory on a P2P network.
- A keylogger can be installed via a web page script that exploits a browser vulnerability. The program is launched automatically when a user visits the infected site.
- A keylogger can be installed by another malicious program already present on the victim machine, if that program is capable of downloading and installing other malware onto the system.

3.3.1(C) Prevention

- Use caution when opening attachments: files received via e-mail, P2P networks, chat, social networks or even text messages (on mobile devices) can be bundled with malicious software that contains a keylogger.
- Watch your passwords: consider using one-time passwords, and make sure the key sites you log into offer two-step verification, so that a captured password alone is not enough to log in.
- Use an alternative keyboard layout: most keylogger software assumes the traditional QWERTY layout, so if you use a layout such as DVORAK the captured keystrokes do not make sense unless converted. This is only an obfuscation; once the attacker knows the layout, the log is trivially re-mapped.
- Use anti-keylogging software: some anti-spyware programs detect software keyloggers.
- A final defense against keyloggers is a firewall that monitors outbound traffic. A firewall can alert the user to unauthorized attempts to transmit data to the Internet, which is how a software keylogger exfiltrates its log.

3.3.1(D) Keylogger Tools

Table 3.3.1

Tool               | Description
Kidlogger          | Provides attackers with keystroke information. Kidlogger captures periodic screenshots and webcam images when chat programs such as Skype are in use, while simultaneously logging application and web page usage.
Revealer Keylogger | Records every keystroke typed on a target computer, regardless of the program in use, and lets the attacker customize the application's start-up settings.
Spyrix Keylogger   | Captures any keystrokes typed on a target computer, with the option to take periodic screenshots as well.

3.3.2 Spyware

- Spyware is any software that obtains information from a PC without the user's knowledge. It performs certain behaviours, generally without appropriately obtaining your consent first, such as:
  1. Advertising
  2. Collecting personal information
  3. Changing the configuration of your computer
- Spyware is often associated with software that displays advertisements (called adware) or software that tracks personal or sensitive information.

Working

- Once downloaded on the computer, spyware can monitor keystrokes, scan through the files on the hard drive, read cookies or open applications, and transmit the collected information over the Internet to an unknown third party. Profiles set up by the spyware allow pop-up advertisements to appear on the computer without a browser being open.
- Spyware uses the memory and resources of the computer to function, collect data and relay information over the Internet. This results in a loss of system stability on the computer.

Spreading

- Downloading online: Spyware often comes attached to the free programs or content that consumers download from the web instead of paying for a legitimate copy. Identity thieves prey on that appetite for free software.
- External devices: It is possible to load spyware onto a computer by plugging in a USB drive that has the malware installed.
- Phishing: Phishing is a broad term describing instances in which an attacker seeks to deceive computer users through deceptive e-mails, websites or other content.


There are four main types of spyware. Each uses a unique strategy to track you.

- Adware : This type of spyware tracks your browser history and downloads, with the intent of predicting what products or services you are interested in. The adware then displays advertisements for the same or related products or services to entice you to click or make a purchase. Adware is used for marketing purposes and can slow down your computer.
- Trojan : This kind of malicious software disguises itself as legitimate software. For example, Trojans may appear to be a Java or Flash Player update at download time. Trojan malware is controlled by third parties. It can be used to access sensitive information such as Social Security numbers and credit card information.
- Tracking cookies : These track the user's web activities, such as searches, history and downloads, for marketing purposes.
- System monitors : This type of spyware can capture just about everything you do on your computer. System monitors can record all keystrokes, e-mails, chat-room dialogues, websites visited and programs run. System monitors are often disguised as freeware.

Spyware Tools

Table 3.3.2

Tool                 | Description
Remotespy            | Does remote computer monitoring, silently and invisibly. It monitors and records a user's PC without any need for physical access. It also records keystrokes, screenshots, e-mail, passwords, chats, instant messenger conversations and websites visited.
Flexispy             | Installed on a cell/mobile phone. It secretly records the conversations that take place on the phone and sends them to a specified e-mail address.
Wiretap Professional | Used for monitoring and capturing all activities on the system. It captures all Internet activity: this spy software can monitor and record e-mail, chat messages and websites visited. It also monitors and records keystrokes, passwords entered and all documents, pictures and folders viewed.
PC PhoneHome         | Tracks and locates lost or stolen laptop and desktop computers. Every time a computer on which PC PhoneHome has been installed connects to the Internet, a stealth e-mail is sent to a specified e-mail address of the user's choice and to the PC PhoneHome product company.
3.4 Virus and Worms

3.4.1 Virus

- A virus is a piece of self-replicating code embedded within another program (the host). Viruses travel inside program files and on the media that carry them: hard disks, floppy disks, CD-ROMs and e-mail attachments.
- Viruses spread through diskettes or CDs, e-mail, or files downloaded from the Internet. A virus deletes or modifies files, and sometimes changes the location of files. Because a virus needs a host file and a user action to run, it spreads more slowly than a worm.
- Some types of viruses are:

  o File Infector
  o Resident Program Infector
  o Boot Sector Infector
  o Multi-Partite Virus
  o Dropper
  o Stealth Virus
  o Companion Virus
  o Polymorphic Virus
  o Mutation Engine
  o Application or program viruses
  o Macro viruses
  o Time bombs
  o ActiveX and Java controls

1. File Infector : A file infector acts on executable files. It inserts its code at the start of the executable file. Every time the program executes, the injected code places a copy of itself in another executable file, so that over time a large number of files get infected.

2. Resident Program Infector : A resident program infector starts by infecting an executable file. The virus is loaded into memory when the host file is executed, and from then until the computer is rebooted it infects each executable file that executes on the computer. The only difference between a file infector and a resident program infector is that the latter stays resident in memory instead of acting only while its host runs.


3. Boot Sector Infector : It infects the hard drive's master boot record. After infecting the boot record it also infects the boot sector of any floppy disk placed in the floppy drive. Boot sector infectors spread between computers through the vector of the floppy disk boot sector: any infected floppy disk will infect the boot sector of the hard drive of any computer it is booted in.

4. Multi-Partite Virus : A multi-partite virus combines boot sector and file infector characteristics. It can infect both other files and the boot sector.

5. Dropper : A dropper is a small carrier program whose job is to install a virus. The dropper described here targets the boot sector: when it executes, it writes its virus code into the host's boot sector. Since the dropper is itself an executable file that also infects the boot sector, it may be considered a multi-partite virus.
6. Stealth Virus : A stealth virus is designed to avoid detection. To hide itself it uses methods like:

  o It "hooks" an interrupt and misguides a scanner around itself. The scanner, therefore, never knows that the virus exists.
  o It makes a copy of the portion of the legitimate program code that the virus replaces. It places the copy in another location in the host program and, when scanned, directs the scanner to the legitimate code instead of itself.

Stealth viruses are very hard to detect.


7. Companion Virus : DOS executes files of the same name in a particular order: a .com file always executes before an .exe file of the same name. Companion viruses take advantage of this feature of DOS. The companion is simply a .com file with the same name as an existing .exe file; the .com file is nothing more than the virus embedded in a small executable. When the program is called by the user, the .com (virus) file executes first and infects the system, typically then running the real .exe so that nothing looks wrong.

8. Polymorphic Virus : Polymorphic viruses change their appearance with each infection to evade signature-based detection. The body of the virus is not rewritten; instead it is kept encrypted with a different key each time, and the small decryption routine is itself varied, so that no fixed byte sequence exists for a scanner to match.

9. Mutation Engine : The Mutation Engine (MtE) was written by a virus author calling himself Dark Avenger. It is a program module that can make any virus polymorphic.

10. Application or program viruses : Application programs are executable programs, and when an infected application runs it infects the system. Viruses are also attached to some harmless program, so that when that program is installed the unwanted code gets installed at the same time.

11. Macro viruses : Macro viruses are embedded in documents that use macros, for example Microsoft Word documents.

12. Time bombs : Viruses that are programmed to "go off", i.e. activate and destroy data or files, on a specified date are called time bombs. The more general term logic bomb covers code that triggers on any predefined condition, of which a date is one instance.

13. ActiveX and Java controls : Web page designers use ActiveX and Java to add effects to web pages, in other words to animate them. These ActiveX controls and Java applets require access to the hard disk to render the effects properly, and limited memory and bandwidth encourage this approach. The desktop access enables beneficial applications of these controls and applets, but malicious code developers get the same access. They use it to access RAM, read, delete or corrupt files, and reach files on computers attached via a LAN.

3.4.2 Worms

- A worm is code that replicates itself across a computer network in order to consume resources and bring systems down. It exploits security holes in networked computers: a weakness in an application or operating system is used to copy the worm onto the next host.
- For spreading it uses the network to replicate itself to other computer systems without user intervention. Usually it does not infect files; worms typically only monopolize CPU, memory and bandwidth. A worm is faster than a virus. For example, the Code Red worm infected some 3 lakh (300,000) PCs in just 14 hours.
Some examples of worms are:

1. Instant message worms : This type of computer worm emerges in instant messaging applications and sends links to infected sites to your contacts.

2. File sharing network worms : These worms copy themselves into shared folders under a safe-looking name. As the file spreads on the network, the worm spreads with it and infects other systems in the same fashion.

3. IRC worms : IRC means Internet Relay Chat. These worms target chat channels by sending links to infected web pages or files to users.

4. Internet worms : Using a service running on the local system, these worms scan network resources to find vulnerable machines. After finding a vulnerable machine the worm tries to connect to it and gain complete access. Besides scanning the systems for usable exploits, a number of them allow the worm to send packets or requests that install itself.

3.4.3 Difference between Virus and Worms

Basis for comparison     | Virus                                                                      | Worm
Meaning                  | Attaches itself to executable files and transfers from one system to another. | A malicious program that replicates itself and spreads to different computers via the network.
Human action             | Needed                                                                     | Not required
Speed of spreading       | Slower as compared to a worm                                                | Fast
Requirement of host      | A host is needed for spreading.                                            | Does not need a host to replicate from one computer to another.
Removing malware         | Antivirus, formatting                                                      | Virus removal tool, formatting
Protect the system using | Antivirus software                                                         | Antivirus, firewall
Consequences             | Corrupts and erases files or programs.                                     | Consumes system resources, slows the system down and can halt it completely.

3.5 Steganography

- Steganography is the technique of hiding a communication by concealing the secret message inside an innocuous carrier. The term has Greek roots meaning "covered writing". The main idea behind steganography is to prevent any suspicion that the hidden information exists at all.
- Earlier, invisible ink, pencil impressions on handwritten characters and small pin punctures were the methods used to hide a message. The simplest technique is to compose a message in which only a few significant characters carry the secret message.
- The steganography technique involves a cover carrier, a secret message, a stego key and a stego carrier. Text, audio, image and video serve as cover carriers that contain the hidden information embedded in them. The stego carrier is generated from the cover carrier and the embedded message. A stego key is supplementary secret information, like a password, used by the recipient to extract the message.

Forms of steganography

1. Text : In this form the text itself is the cover medium. To hide the message a word or a line can be shifted, whitespace can be used, or even the number and position of vowels can be exploited to conceal the secret message.

2. Audio : Audio steganography conceals the secret message in an audio file with the help of its digital representation. It can be achieved easily because a typical 16-bit sample has 2^16 = 65,536 sound levels, and a difference of a few levels is not detectable by the human ear.

3. Video : Video steganography offers more possibilities for disguising a large amount of data because it is a combination of image and sound. Therefore image and audio steganography techniques can also be employed on video.

4. Image : This is the most pervasively used form of steganography, because it causes the least suspicion. The main disadvantage of steganography in general is the significant overhead it produces for hiding a small amount of information. Additionally, the scheme must not be discovered, otherwise it is useless.
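The "few levels of difference" idea above is least-significant-bit (LSB) embedding. The following is an added example, not code from the book: it hides a secret in bit 0 of each 8-bit sample of a cover, uses a stego key to choose a key-dependent order of sample positions (so the recipient needs the key to read the payload back), and shows the overhead the text mentions, since each secret byte costs eight cover samples plus a 4-byte length header. The cover is a constructed synthetic 8-bit sample array standing in for an image or audio strip, not a real file.

```python
import random


def _positions(n_cover, key):
    """Order in which cover samples are used. With a stego key the order is a
    key-dependent permutation, so an observer without the key cannot simply
    read the first N samples in sequence."""
    idx = list(range(n_cover))
    if key is not None:
        random.Random(key).shuffle(idx)   # deterministic for a given key
    return idx


def _bits(data):
    """Yield the bits of a byte string, most significant bit first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def embed(cover, secret, key=None):
    """Hide `secret` in the least significant bit of each sample of `cover`.
    A 4-byte big-endian length header precedes the payload so that extraction
    knows where to stop. Returns the stego carrier as bytes."""
    payload = len(secret).to_bytes(4, "big") + bytes(secret)
    if len(payload) * 8 > len(cover):
        raise ValueError("cover too small: need %d samples, have %d"
                         % (len(payload) * 8, len(cover)))
    out = bytearray(cover)
    for pos, bit in zip(_positions(len(cover), key), _bits(payload)):
        out[pos] = (out[pos] & 0xFE) | bit      # overwrite only bit 0
    return bytes(out)


def extract(stego, key=None):
    """Recover the hidden bytes from a carrier produced by embed() with the same key."""
    pos = _positions(len(stego), key)

    def read(n_bytes, start):
        out = bytearray()
        for b in range(n_bytes):
            value = 0
            for i in range(8):
                value = (value << 1) | (stego[pos[start + b * 8 + i]] & 1)
            out.append(value)
        return bytes(out)

    length = int.from_bytes(read(4, 0), "big")
    if 32 + length * 8 > len(stego):
        raise ValueError("no valid payload for this key")
    return read(length, 32)


def max_sample_change(cover, stego):
    """Largest absolute per-sample difference; LSB embedding never exceeds 1."""
    return max(abs(a - b) for a, b in zip(cover, stego))


def capacity_bytes(cover):
    """Bytes of secret a cover can hold after the 4-byte length header."""
    return max(0, len(cover) // 8 - 4)


# Constructed cover: 1024 synthetic 8-bit samples (not a real image or audio file).
COVER = bytes((17 * i + 3) % 256 for i in range(1024))

if __name__ == "__main__":
    stego = embed(COVER, b"attack at dawn", key="s3cr3t")
    print(extract(stego, key="s3cr3t"))
    print("max change per sample:", max_sample_change(COVER, stego))
    print("capacity in bytes:", capacity_bytes(COVER))
```

A 1024-sample cover holds only 124 bytes of secret, which is the overhead the text warns about; and because every sample changes by at most one level, the change is invisible to a viewer but not to statistics, which is why LSB steganography is easily detected by steganalysis once the scheme is known.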

3.5.1 Cryptography
Cryptography provides several encoding schemes for achieving security while communicating over a public network. The word cryptography originated from Greek words signifying "secret writing". Cryptography can be understood by an example: a sender sends a message which initially exists as plaintext. Before transmission over the network it is encrypted and converted into ciphertext. When this message is received at the receiver's end it is decrypted back into the plaintext.

Types of cryptography

- Symmetric key cryptography (Secret key cryptography) : This type of cryptography uses a single key for encrypting the plaintext and decrypting the ciphertext. The only condition is that sender and receiver share the same secret key; it also consumes less execution time than the asymmetric kind.
- Asymmetric key cryptography (Public key cryptography) : This scheme uses two keys, a private key and a public key. The public key is provided by the receiver to the sender to encrypt the message, while the private key is applied by the receiver itself to decrypt the message. The public key can be reused with other entities; the private key is never shared.

3.5.2 Difference between Steganography and Cryptography


3.6 DoS and DDoS Attacks

3.6.1 DoS Attack

- A Denial-of-Service (DoS) attack is an attack meant to shut down a machine or network, making it inaccessible to its intended users. DoS attacks accomplish this by flooding the target with traffic, or by sending it information that triggers a crash. In both instances the DoS attack deprives legitimate users (i.e. employees, members or account holders) of the service or resource they expected.
- DoS attacks often target the web servers of high-profile organizations such as banking, commerce and media companies, or government and trade organizations.
- Though DoS attacks do not typically result in the theft or loss of significant information or other assets, they can cost the victim a great deal of time and money to handle.
- There are two general methods of DoS attack: flooding services or crashing services. Flood attacks occur when the system receives more traffic than the server can buffer, causing it to slow down and eventually stop. Crash attacks instead exploit a bug, so that a small, specially crafted input brings the service down.
- The types of DoS attacks are as follows:
The types of DoS attacks are as follows :

1. Smurf attack : An older DoS attack, now largely mitigated, in which the attacker sends ICMP echo requests to the broadcast address of a vulnerable network with the source address spoofed to the victim; every host on that network replies to the victim, flooding the targeted IP address.

2. Ping flood : This simple denial-of-service attack is based on overwhelming a target with ICMP (ping) packets. By inundating a target with more pings than it is able to respond to efficiently, denial of service can occur. This attack can also be used as a DDoS attack.

3. Ping of Death : Often conflated with a ping flood, a ping of death attack involves sending a malformed (over-sized, fragmented) packet to a targeted machine, resulting in deleterious behaviour such as a system crash when the fragments are reassembled.

4. Buffer overflow attacks : A classic DoS technique. The concept is to send more data to a network service than the programmers built the system to handle, so that it crashes. It includes the attacks listed below, in addition to others designed to exploit bugs specific to certain applications or networks.

5. SYN flood : The attacker sends requests to connect to a server but never completes the TCP handshake. Each half-open connection occupies an entry in the server's connection backlog; this continues until the backlog is saturated with requests and no slot is available for legitimate users to connect.

6. Teardrop attack : The teardrop attack exploits flaws in the way older operating systems handled fragmented Internet Protocol packets. The IP specification allows packet fragmentation when packets are too large to be handled by intermediary routers, and it requires packet fragments to specify fragment offsets. In teardrop attacks the fragment offsets are set to overlap each other. Hosts running affected OSes are unable to reassemble the fragments, and the attack can crash the system.

7. TCP state-table attacks : This attack occurs when an attacker targets the state tables held in firewalls, routers and other network devices by filling them with attack data. When these devices perform stateful inspection of network connections, attackers may be able to fill the state tables by opening more TCP connections than the device can track at once, preventing legitimate users from accessing the network resource.

Signs of a DoS Attack


The United States Computer Emergency Readiness Team (US-CERT) provides some guidelines to determine when a DoS attack may be underway. US-CERT states that the following may indicate such an attack:

- Degradation in network performance, especially when attempting to open files stored on the network or when accessing websites;
- An inability to reach a particular website;
- Difficulty accessing any website; and
- A higher than usual volume of spam e-mail.

Preventing a DoS attack


- To defend against DoS and DDoS attacks, start by preparing an incident response plan well in advance.
- When an enterprise suspects a DoS attack is underway, it should contact its Internet service provider (ISP) to determine whether the incident is an actual DoS attack or a degradation of performance caused by some other factor. The ISP can help with DoS and DDoS mitigation by rerouting or throttling malicious traffic and using load balancers to reduce the effect of the attack.
- Enterprises may also want to explore the possibility of using denial-of-service attack detection products for DoS protection; some intrusion detection systems, intrusion prevention systems and firewalls offer DoS detection functions. Other strategies include contracting with a backup ISP and using cloud-based anti-DoS services.

3.6.2 DDoS Attack


- A Distributed Denial-of-Service (DDoS) attack is an attack in which multiple compromised computer systems attack a
target, such as a server, website or other network resource, and cause a denial of service for users of the targeted
resource. The flood of incoming messages, connection requests or malformed packets to the target system forces it to
slow down or even crash and shut down, thereby denying service to legitimate users or systems.
- A DDoS attack requires an attacker to gain control of a network of online machines in order to carry out an attack.
Computers and other machines (such as IoT devices) are infected with malware, turning each one into a bot (or
zombie). The attacker then has remote control over the group of bots, which is called a botnet.
- Once a botnet has been established, the attacker is able to direct the machines by sending updated instructions to

each bot via a method of remote control. When the IP address of a victim is targeted by the botnet, each bot will
respond by sending requests to the target, potentially causing the targeted server or network to overflow capacity,
resulting in a denial-of-service to normal traffic. Because each bot is a legitimate Internet device, separating the attack
traffic from normal traffic can be difficult.

3.6.3 Types of DDoS Attacks

1. Application Layer Attacks

Sometimes referred to as a layer 7 DDoS attack (in reference to the 7th layer of the OSI model), the goal of these attacks is to exhaust the resources of the target. The attacks target the layer where web pages are generated on the server and delivered in response to HTTP requests. A single HTTP request is cheap to execute on the client side, but can be expensive for the target server to respond to, as the server often must load multiple files and run database queries in order to create a web page. Layer 7 attacks are difficult to defend against because the traffic is hard to flag as malicious.

2. HTTP Flood

This attack is similar to pressing refresh in a web browser over and over again on many different computers at once: large numbers of HTTP requests flood the server, resulting in denial of service.

3. Protocol Attacks

Protocol attacks, also known as state-exhaustion attacks, cause a service disruption by consuming all the available state table capacity of web application servers or of intermediate resources like firewalls and load balancers. Protocol attacks utilize weaknesses in layers 3 and 4 of the protocol stack to render the target inaccessible.

4. SYN Flood

A SYN flood is analogous to a worker in a supply room receiving requests from the front of the store. The worker receives a request, goes and gets the package, and waits for confirmation before bringing the package out front. The worker then gets many more package requests without confirmation, until they cannot carry any more packages, become overwhelmed, and requests start going unanswered.

5. Volumetric Attacks

This category of attack attempts to create congestion by consuming all available bandwidth between the target and the larger Internet. Large amounts of data are sent to a target by using a form of amplification or another means of creating massive traffic, such as requests from a botnet.

6. DNS Amplification

- A DNS amplification is like someone calling a restaurant and saying "I'll have one of everything, please call me back and tell me my whole order", where the callback phone number they give is the target's number. With very little effort, a long response is generated.
- By making a request to an open DNS server with a spoofed source IP address (the real IP address of the target), the attacker causes the server's response to be delivered to the target. The attacker structures the request (for example, a query for a record type with a large answer) so that the DNS server responds with a large amount of data. As a result, the target receives a response many times larger than the attacker's initial query.

Process for mitigating a DDoS attack

- The key concern in mitigating a DDoS attack is differentiating between attack and normal traffic. For example, if a product release has a company's website swamped with eager customers, cutting off all traffic is a mistake. If that company suddenly has a surge in traffic from known bad actors, efforts to alleviate an attack are probably necessary. The difficulty lies in telling the real customers and the attack traffic apart.
- In the modern Internet, DDoS traffic comes in many forms. It can vary in design from un-spoofed single-source attacks to complex and adaptive multi-vector attacks. A multi-vector DDoS attack uses multiple attack pathways in order to overwhelm a target in different ways, potentially distracting mitigation efforts on any one trajectory. An attack that targets multiple layers of the protocol stack at the same time, such as a DNS amplification (targeting layers 3/4) coupled with an HTTP flood (targeting layer 7), is an example of a multi-vector DDoS.
- Mitigating a multi-vector DDoS attack requires a variety of strategies in order to counter the different trajectories. Generally speaking, the more complex the attack, the more likely the traffic will be difficult to separate from normal traffic; the goal of the attacker is to blend in as much as possible, making mitigation as inefficient as possible. Mitigation attempts that involve dropping or limiting traffic indiscriminately may throw good traffic out with the bad, and the attack may also modify and adapt to circumvent countermeasures. In order to overcome a complex attempt at disruption, a layered solution will give the greatest benefit.
1. Black Hole Routing

One solution available to virtually all network admins is to create a blackhole route and funnel traffic into that route. In its simplest form, when blackhole filtering is implemented without specific restriction criteria, both legitimate and malicious network traffic is routed to a null route (blackhole) and dropped from the network. If an Internet property is experiencing a DDoS attack, the property's Internet service provider (ISP) may send all the site's traffic into a blackhole as a defense. This protects the rest of the network, but it also hands the attacker the desired outcome, since the site is now unreachable by everyone.

2. Rate Limiting
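Rate limiting caps how many requests a client may make in a given interval, so that one abusive source is throttled without affecting everyone else. The following added example (not from the book, and not any particular product's implementation) is a token-bucket limiter keyed by source address: each source gets a bucket that refills at a steady rate up to a burst ceiling, and a request is served only if a token is available. The replayed timeline and the addresses are constructed for the example; a fake clock makes the run deterministic.

```python
import time
from collections import defaultdict


class TokenBucket:
    """Classic token bucket: `rate` tokens per second refill, at most `burst` stored.
    Each request costs one token; a request arriving with no token is dropped."""

    def __init__(self, rate, burst, clock=time.monotonic):
        self.rate = float(rate)
        self.burst = float(burst)
        self.clock = clock
        self.tokens = self.burst      # a new client starts with a full bucket
        self.last = clock()

    def allow(self, cost=1.0):
        now = self.clock()
        # refill in proportion to elapsed time, capped at the burst ceiling
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= cost:
            self.tokens -= cost
            return True
        return False


class PerSourceLimiter:
    """One bucket per client key (here the source IP). Keying by source is what
    lets a flooding host be throttled while well-behaved clients are untouched."""

    def __init__(self, rate, burst, clock=time.monotonic):
        self.rate, self.burst, self.clock = rate, burst, clock
        self.buckets = {}

    def allow(self, source):
        bucket = self.buckets.get(source)
        if bucket is None:
            bucket = self.buckets[source] = TokenBucket(self.rate, self.burst, self.clock)
        return bucket.allow()


class FakeClock:
    """Deterministic clock for the simulation below (and for tests)."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t


def simulate(rate=5, burst=10):
    """Replay a constructed timeline: a legitimate client sending one request every
    0.5 s for 5 s, and a flooding client sending two bursts of 50 requests.
    Returns allowed/dropped counts per source."""
    clock = FakeClock()
    limiter = PerSourceLimiter(rate, burst, clock)
    events = [(i * 0.5, "198.51.100.7") for i in range(10)]      # legitimate client
    for t in (0.0, 2.5):
        events.extend([(t, "203.0.113.5")] * 50)                  # flood bursts
    events.sort(key=lambda e: e[0])                               # stable sort by time
    stats = defaultdict(lambda: {"allowed": 0, "dropped": 0})
    for t, src in events:
        clock.t = t
        stats[src]["allowed" if limiter.allow(src) else "dropped"] += 1
    return dict(stats)


if __name__ == "__main__":
    print(simulate())
```

With a refill of 5 requests per second and a burst of 10, the flooding source gets 20 of its 100 requests through and the legitimate client loses none. The limitation is the same one the text raises for DDoS generally: a spoofed or botnet flood spreads its requests over many sources, each of which stays under the per-source limit, so keyed rate limiting must be combined with the global measures that follow.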

3. Web Application Firewall


A Web Application Firewall (WAF) is a tool that can assist in mitigating a layer 7 DDoS attack. By putting a WAF between the Internet and an origin server, the WAF may act as a reverse proxy, protecting the targeted server from certain types of malicious traffic. By filtering requests based on a series of rules used to identify DDoS tools, layer 7 attacks can be impeded. One key value of an effective WAF is the ability to quickly implement custom rules in response to an attack.

4. Anycast Network Diffusion

This mitigation approach uses an Anycast network to scatter the attack traffic across a network of distributed servers
to the point where the traffic is absorbed by the network. Like channeling a rushing river down separate smaller
channels, this approach spreads the impact of the distributed attack traffic to the point where it becomes
manageable, diffusing any disruptive capability.

Tools used to launch DDoS attack

1. Tribe Flood Network (TFN) : A set of computer programs to conduct various DDoS attacks such as ICMP flood, SYN flood, UDP flood and Smurf attack.

2. Shaft : Used for a packet flooding attack; the client controls the size of the flooding packets and the duration of the attack.

3.7 SQL Injection

- SQL Injection (SQLi) is a type of injection attack that makes it possible to execute malicious SQL statements. These statements control the database server behind a web application. Attackers can use SQL injection to bypass application security measures and read data they are not authorized to see from the database.
- Attackers can also use SQL injection to add, modify and delete records in the database.

SQL Injection Example

The following example shows how an attacker can use an SQL injection vulnerability to bypass application security and authenticate as the administrator.


The following script is pseudocode executed on a web server. It is a simple example of authenticating with a username and a password. The example database has a table named users with the following columns: username and password.

  # Define POST variables
  uname = request.POST['username']
  passwd = request.POST['password']

  # SQL query vulnerable to SQLi
  sql = "SELECT id FROM users WHERE username='" + uname + "' AND password='" + passwd + "'"

  # Execute the SQL statement
  database.execute(sql)

- These input fields are vulnerable to SQL injection. An attacker could use SQL commands in the input in a way that would alter the SQL statement executed by the database server. For example, they could use a trick involving a single quote and set the passwd field to:

  password' OR 1=1

- As a result, the database server runs the following SQL query:

  SELECT id FROM users WHERE username='username' AND password='password' OR 1=1'

- Because of the OR 1=1 condition, the WHERE clause returns the first id from the users table no matter what the username and password are. The first user id in a database is very often the administrator. In this way the attacker not only bypasses authentication but also gains administrator privileges. They can also comment out the rest of the SQL statement (with -- on most database engines), which removes the dangling closing quote left over from the original query and lets them control the execution of the query further:

  SELECT id FROM users WHERE username='username' AND password='password' OR 1=1 --'
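The following is an added example, not the book's pseudocode: it runs the login query above against an in-memory SQLite database, once built by string concatenation and once parameterised, and shows the OR 1=1 payload succeeding against the first and failing against the second. It also includes a numeric lookup of the artists.php kind described in the union-based subsection below, so the UNION technique can be tried on the same database. The table contents are constructed; the artists table, its column names and the user passwords are assumptions for the example (real code would store password hashes, not plaintext).

```python
import sqlite3


def make_db():
    """In-memory SQLite database with the users table from the text plus a small
    constructed artists table for the UNION case."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                     [("admin", "s3cr3t"), ("alice", "wonderland")])
    conn.execute("CREATE TABLE artists (artist_id INTEGER PRIMARY KEY, aname TEXT, adesc TEXT)")
    conn.executemany("INSERT INTO artists (aname, adesc) VALUES (?, ?)",
                     [("Aaron", "oil on canvas"), ("Bea", "watercolour")])
    return conn


def login_vulnerable(conn, uname, passwd):
    """String-built query exactly as in the page's pseudocode: user input becomes SQL.
    Returns the id of the first matching row, or None."""
    sql = "SELECT id FROM users WHERE username='" + uname + "' AND password='" + passwd + "'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, uname, passwd):
    """Parameterised query: the driver passes values separately from the statement,
    so a quote or OR 1=1 in the input is compared as data, never parsed as syntax."""
    row = conn.execute("SELECT id FROM users WHERE username=? AND password=?",
                       (uname, passwd)).fetchone()
    return row[0] if row else None


def artist_vulnerable(conn, artist):
    """Numeric parameter concatenated without quotes, as in artists.php?artist=...;
    a UNION appended to the value is executed as part of the query."""
    sql = "SELECT artist_id, aname, adesc FROM artists WHERE artist_id=" + str(artist)
    return conn.execute(sql).fetchall()


def artist_safe(conn, artist):
    """Validate the type first, then bind. int() raises ValueError for any value that
    is not a plain integer, so the injected UNION never reaches the database."""
    return conn.execute("SELECT artist_id, aname, adesc FROM artists WHERE artist_id=?",
                        (int(artist),)).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "password' OR 1=1 --"
    print("vulnerable login returns id:", login_vulnerable(db, "nobody", payload))
    print("parameterised login returns:", login_safe(db, "nobody", payload))
    print("union dump:", artist_vulnerable(db, "-1 UNION SELECT id, username, password FROM users"))
```

The vulnerable login returns id 1 (admin) for an unknown username, while the parameterised version returns None for the same input. Note that the payload includes the trailing comment: without it, the stray closing quote from the original query is a syntax error on SQLite and most other engines, which is exactly what an error-based attacker would see and adjust for.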

The three main types of SQL injection are:

1. In-band SQLi (Classic)

2. Inferential SQLi (Blind)

3. Out-of-band SQLi

1. In-band SQLi (Classic)

- The attacker uses the same channel of communication to launch their attacks and to gather their results. In-band SQLi's simplicity and efficiency make it one of the most common types of SQLi attack. There are two sub-variations of this method:
- Error-based SQLi : The attacker performs actions that cause the database to produce error messages. The attacker can potentially use the data provided by these error messages to gather information about the structure of the database.
- Union-based SQLi : This technique takes advantage of the UNION SQL operator, which fuses multiple SELECT statements executed by the database into a single HTTP response. This response may contain data that can be leveraged by the attacker.

Example of Union based SQL Injection

- One of the most common types of SQL Injection uses the UNION operator. It allows the attacker to combine the
results of two or more SELECT statements into a single result. The technique is called union-based SQL injection.
- The following is an example of this technique. It uses the web page testphp.vulnweb.com, an intentionally vulnerable
website hosted by Acunetix.

The following HTTP request is a normal request a user would send:

testphp.vulnweb.com/artists.php?artist=1

[Screenshot: the testphp.vulnweb.com artists page returned for artist=1, showing the artist's description and a "view pictures of the artist" link]
The artist parameter is vulnerable to SQL Injection. The following payload modifies the query to look for an inexistent
record. It sets the value in the URL query string to -1. Of course, it could be any other value that does not exist in the
database. However, a negative value is a good guess because an identifier in a database is rarely a negative number.
In SQL Injection, the UNION operator is commonly used to attach a malicious SQL query to the original query intended
to be run by the web application. The result of the injected query will be joined with the result of the original query.
This allows the attacker to obtain column values from other tables.

UNION SELECT

[Screenshot: the testphp.vulnweb.com artists page after the UNION SELECT payload, with the injected values shown in place of the artist details]

The following example shows how an SQL Injection payload could be used to obtain more meaningful data from this
intentionally vulnerable site:

2. Inferential SQLi (Blind)

- The attacker sends data payloads to the server and observes the response and behavior of the server to learn
more about its structure. This method is called blind SQLi because the data is not transferred from the website
database to the attacker, thus the attacker cannot see information about the attack in-band.
- Blind SQL injections rely on the response and behavioral patterns of the server so they are typically slower to
execute but may be just as harmful. Blind SQL injections can be classified as follows:
o Boolean-based : the attacker sends a SQL query to the database prompting the application to return a result. The
result will vary depending on whether the query is true or false. Based on the result, the information within
the HTTP response will modify or stay unchanged. The attacker can then work out if the message generated a
true or false result.
o Time-based : the attacker sends a SQL query to the database, which makes the database wait (for a period in
seconds) before it can react. The attacker can see from the time the database takes to respond whether a query
is true or false. Based on the result, an HTTP response will be generated instantly or after a waiting period. The
attacker can thus work out if the message they used returned true or false, without relying on data
from the database.

3. Out-of-band SQLi
- The attacker can only carry out this form of attack when certain features are enabled on the database server used
by the web application. This form of attack is primarily used as an alternative to the in-band and inferential SQLi
techniques.
- Out-of-band SQLi is performed when the attacker can't use the same channel to launch the attack and gather
information, or when a server is too slow or unstable for these actions to be performed. These techniques count
on the capacity of the server to create DNS or HTTP requests to transfer data to an attacker.

SQLi prevention and mitigation

There are several effective ways to prevent SQLi attacks from taking place, as well as protecting against them, should
they occur.

The first step is input validation (a.k.a. sanitization), which is the practice of writing code that can identify illegitimate
user inputs. While input validation should always be considered best practice, it is rarely a foolproof solution. The
reality is that, in most cases, it is simply not feasible to map out all legal and illegal inputs, at least not without
causing a large number of false positives, which interfere with user experience and an application's functionality.
- A web application firewall (WAF) is commonly employed to filter out SQLi, as well as other online threats. To do so, a
WAF typically relies on a large, and constantly updated, list of meticulously crafted signatures that allow it to surgically
weed out malicious SQL queries. Usually, such a list holds signatures to address specific attack vectors and is regularly
patched to introduce blocking rules for newly discovered vulnerabilities.
Imperva cloud-based WAF uses signature recognition, IP reputation, and other security methodologies to identify and
block SQL injections, with a minimal amount of false positives. The WAF's capabilities are augmented by IncapRules,
a custom security rule engine that enables granular customization of default security settings and the creation of
additional case-specific security policies.
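The single-quote login bypass described at the start of this section, beside the parameterized-query fix and the false-positive problem of naive input validation, as an added Python example that is not from the textbook; the users table, its column names and the sample rows are constructed for the demo.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample database: user id 1 is the administrator, as the
    text notes is very often the case, and user 2 has a quote in the name."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, passwd TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (id, username, passwd, role) VALUES (?, ?, ?, ?)",
        [
            (1, "admin", "s3cret-admin", "administrator"),  # constructed values
            (2, "o'brien", "pa55word", "user"),
        ],
    )
    return conn


def login_vulnerable(conn, username, passwd):
    """The pattern the text warns about: user input is spliced straight into
    the SQL text, so a quote in the input changes the statement itself."""
    sql = (
        "SELECT id, role FROM users WHERE username = '" + username
        + "' AND passwd = '" + passwd + "'"
    )
    return conn.execute(sql).fetchone()  # (id, role) or None


def login_parameterized(conn, username, passwd):
    """Hardened form: the SQL text is fixed and the values travel separately
    as bind parameters, so a quote in the input is data, never syntax."""
    sql = "SELECT id, role FROM users WHERE username = ? AND passwd = ?"
    return conn.execute(sql, (username, passwd)).fetchone()


def naive_validate(value):
    """Blocklist-style input validation: reject anything that looks like the
    single-quote trick. Simple, but it also rejects legitimate input such as
    o'brien, the kind of false positive the text cautions about."""
    return "'" not in value and "--" not in value


def demo():
    """Run both login checks against the page's single-quote payload and
    against a legitimate name containing a quote."""
    conn = make_db()
    payload = "' OR 1=1 --"  # passwd field value from the text's example
    try:
        legit_vulnerable = login_vulnerable(conn, "o'brien", "pa55word")
    except sqlite3.OperationalError as exc:
        # The quote in a real name breaks the string-built statement.
        legit_vulnerable = "OperationalError: " + str(exc)
    return {
        # WHERE clause becomes (... AND passwd = '') OR 1=1 -- ' : always true,
        # so the first row, the administrator, is returned without a password.
        "bypass_vulnerable": login_vulnerable(conn, "anything", payload),
        # Same payload bound as a parameter: it is compared as a literal string.
        "bypass_parameterized": login_parameterized(conn, "anything", payload),
        "legit_parameterized": login_parameterized(conn, "o'brien", "pa55word"),
        "legit_vulnerable": legit_vulnerable,
        "validation_rejects_legit_name": naive_validate("o'brien"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```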

SQL Injection tools

The following are the most popular SQLi tools:

1. SQLMap : Automatic SQL Injection And Database Takeover Tool
2. JSQL Injection : Java Tool For Automatic SQL Database Injection
3. BBQSQL : A Blind SQL-Injection Exploitation Tool
4. NoSQLMap : Automated NoSQL Database Pwnage
5. Whitewidow : SQL Vulnerability Scanner
6. DSSS : Damn Small SQLi Scanner
7. explo : Human And Machine Readable Web Vulnerability Testing Format
8. Blind-Sql-Bitshifting : Blind SQL-Injection via Bitshifting
9. Leviathan : Wide Range Mass Audit Toolkit
10. Blisqy : Exploit Time-based blind-SQL-injection in HTTP-Headers (MySQL/MariaDB)
3.8 Buffer Overflow

- A buffer is a temporary memory area of small size which holds data. Many software programs use buffer memory to
speed up processing. A buffer is also used to store changes to data; the information in the buffer is later copied to the disk. Buffer
overflow occurs when more information is put into the buffer than it has the capacity to handle. The hacker deliberately
overflows the buffer and exploits it to run malicious code.

Buffer Overflow attack types:

1. Stack attack
2. Heap attack
3. Arithmetic attack
4. Format attack

1. Stack attacks : The buffer here is the stack, a fairly small chunk of memory that programs use to manage call returns
(among other things). By overwriting key areas of the stack with too much data, the attacker manages to trick the
program to return to (that is, execute) his own code, located elsewhere in RAM, as opposed to the correct code. Stack
overflows are the most common, well-known of all buffer overflow attacks.

2. Heap attacks : The heap is a much larger chunk of memory used to store more complex data such as images, or text,
that relates to the program. The premise here is similar to the previous, but is trickier for the attacker to implement
because the heap isn't directly used to determine where in memory executable code is located.

3. Arithmetic attacks : These buffer overflow attacks emerge from the way C handles signed vs. unsigned numbers.
Specifically, it's possible to convert a negative (signed with -) number that requires little memory space to a much
larger unsigned number that requires much more memory. A crash subsequently occurs and can be leveraged to yield
an attack.
4. Format attacks : Text strings, rather like signed numbers, are sometimes converted automatically from a smaller
format to a larger one (such as by operating systems that require Unicode values). This means attackers can design a
buffer overflow attack that exceeds the buffer length if the programmer hasn't been careful to take into account the
larger format.

Prevention Techniques

Some host based mechanisms to prevent Buffer Overflow Attacks are mentioned below:

1. Detection and elimination : Detection and elimination of the vulnerable code is necessary before someone takes
advantage of that code. In this technique, software searches the code for specific vulnerable patterns.
2. Compiler modifications : A technique to avoid buffer overflow attacks is to modify the way data is stored in
memory. StackGuard is a compiler extension which can be used to place guard values in memory between a buffer and
the control data next to it; these values are known as canaries.
3. Array bounds checking : Each time an operation needs to be performed on an array, we can do the boundary
checking. If the boundary is reached it won't allow writing into the array, thus avoiding the buffer overflow.

Non-Executable Stack : Marking the stack as non-executable can help stop buffer overflow attacks. But this in turn also
stops genuine programs from executing directly from the stack.

4. Address space layout randomization : Earlier the attacker used to insert a large number of nop instructions to work
around the memory location. ASLR randomly allocates memory locations to the code and data, thus making it difficult
for the attacker to find the instructions.


5. SmashGuard : This technique uses a modification of the normal call and ret instructions. Whenever a call instruction is
encountered, along with the actual entry of the return address on the stack another entry is made on a data stack within the
processor. Then when it encounters the ret instruction it matches both the return addresses. If they match it goes
ahead with the execution; if a match is not found then it terminates the program. Also no changes are made to the
data. This is a technique which works well against brute force attacks.
6. Split stack : Split Stack or Secure Address Return Stack (SAS) is a proposed technique to prevent buffer overflow attacks.
In this technique two software stacks are used, one for control information and another for data information. Hence
even if an attacker gains access to the data stack, he cannot affect the control stack. Although it might need to read
and write from 2 stacks, it is worth the time.
7. Write correct code : The best way to avoid any kind of attack is to write good and correct code. It is a human tendency to write
and forget the code, but that same code can be checked by someone else as well.

3.9 Attacks on Wireless Networks

- Wireless attacks have become a very common security issue when it comes to networks. This is because such attacks
can really get a lot of information that is being sent across a network and use it to commit some crimes in other
networks.
- Every wireless network is very vulnerable to such kinds of attacks and it is therefore very important that all the
necessary security measures are taken so as to prevent the mess that can be caused by such attacks. These attacks are
normally carried out to target information that is being shared through the networks.
- It is therefore very important to know of such attacks so that one is in a position to identify them in case they happen. Some
of the common network attacks have been outlined below.

Types of wireless attacks

Wireless Attacks can come at you through different methods. For the most part you need to worry about WiFi. Some
methods rely on tricking users, others use brute force, and some look for people who don't bother to secure their
network. Many of these attacks are intertwined with each other in real world use. Here are some of the kinds of attacks
you could encounter:

- Packet sniffing : When information is sent back and forth over a network, it is sent in what we call packets. Since
wireless traffic is sent over the air, it's very easy to capture. Quite a lot of traffic (FTP, HTTP, SNMP, etc.) is sent in the
clear, meaning that there is no encryption and files are in plain text for anyone to read. So using a tool
like Wireshark allows you to read data transfers in plain text! This can lead to stolen passwords or leaks of sensitive
information quite easily. Encrypted data can be captured as well, but it's obviously much harder for an attacker to
decipher the encrypted data packets.

- Rogue access point : When an unauthorized access point (AP) appears on a network, it is referred to as a rogue access
point. These can pop up from an employee who doesn't know better, or a person with ill intent. These APs represent a
vulnerability to the network because they leave it open to a variety of attacks. These include vulnerability scans for
attack preparation, ARP poisoning, packet captures, and Denial of Service attacks.

- Password theft : When communicating over wireless networks, think of how often you log into a website. You send
passwords out over the network, and if the site doesn't use SSL or TLS, that password is sitting in plain text for an
attacker to read. There are even ways to get around those encryption methods to steal the password. I'll talk about
this with man in the middle attacks.

- Man in the middle attack : It's possible for hackers to trick communicating devices into sending their transmissions to
the attacker's system. Here they can record the traffic to view later (like in packet sniffing) and even change the
contents of files. Various types of malware can be inserted into these packets, e-mail content could be changed, or the
traffic could be dropped so that communication is blocked.
- Jamming : There are a number of ways to jam a wireless network. One method is flooding an AP with
deauthentication frames. This effectively overwhelms the network and prevents legitimate transmissions from getting
through. This attack is a little unusual because there probably isn't anything in it for the hacker. One of the few
examples of how this could benefit someone is through a business jamming their competitor's WiFi signal. This is
highly illegal (as are all these attacks), so businesses would tend to shy away from it. If they got caught they would be
facing serious charges.

- War driving : War driving comes from an old term called war dialing, where people would dial random phone
numbers in search of modems. War driving is basically people driving around looking for vulnerable APs to attack.
People will even use drones to try and hack APs on higher floors of a building. A company that owns multiple floors
around ten stories up might assume nobody is even in range to hack their wireless, but there is no end to the
creativity of hackers!

- Bluetooth attacks : There are a variety of Bluetooth exploits out there. These range from annoying pop up messages,
to full control over a victim's Bluetooth enabled device.
- WEP/WPA attacks : Attacks on wireless routers can be a huge problem. Older encryption standards are extremely
vulnerable, and it's pretty easy to gain the access code in this case. Once someone's on your network, you've lost a
significant layer of security. APs and routers are hiding your IP address from the broader Internet using Network
Address Translation (unless you use IPv6 but that's a topic for another day). This effectively hides your private IP
address from those outside your subnet, and helps prevent outsiders from being able to directly attack you. The
keyword there is that it helps prevent the attacks, but doesn't stop it completely.

Securing Wifi

Now that you don't trust anything on the Internet anymore, let's build that confidence back up. There are a lot of
ways to make yourself less susceptible to wireless attacks.
- Use WPA2 security : This takes enough work to crack that most hackers will look for an easier target. Make sure WPS
is turned off!
- Minimize your network's reach : Try to position your router in the center of your home or building. There are tools
available to measure the reach of your network, and you can adjust the signal level. Try to make it so that the signal
beyond your walls is degraded enough that it isn't usable. You may also consider using a directional antenna if
central placement is not an option.
- Use firewalls : Make sure your AP's firewall is enabled. If you can afford a hardware firewall and feel you need the
extra security, go ahead and install one. Household networks generally can get away with the standard router firewall
and operating system firewalls.
- Use a VPN on open networks : If you really must use public WiFi, set up a VPN. Most smartphones have this
capability. You can set one up on your PC. This allows you to communicate through an encrypted tunnel back to your
home or office. You can even send web traffic through a VPN.
- Update software and firmware : Keep your system up to date with the latest patches, and make sure any online
applications you use are updated as well. Check for AP firmware updates related to security flaws, and implement
them as soon as possible. Remember to follow best practices for network modification to ensure you don't interrupt a
critical task. Check out your updates in a test lab to make sure that they don't interfere with an important application.
Don't perform updates during normal operating hours if possible, and if you must update during work hours make
sure everyone is aware that network connectivity could slow down, or be cut off temporarily while you work.
help your network fly under the radar.

authorized device to gain access. However, this is another annoyance for them to deal with.

Tools for hacking wireless networks

1. Aircrack
Aircrack is used as an 802.11 WEP and WPA-PSK key cracking tool around the globe. It first captures packets of the
network and then tries to recover the password of the network by analyzing the packets. It also implements standard FMS
attacks with some optimizations to recover or crack the password of the network. Optimizations include KoreK attacks
and the PTW attack to make the attack much faster than other WEP password cracking tools.
2. AirSnort

AirSnort is a wireless LAN password cracking tool. It can crack WEP keys of Wi-Fi 802.11b networks. This tool basically
operates by passively monitoring transmissions and then computing the encryption key when enough packets have
been gathered.
3. Kismet

Kismet is a Wi-Fi 802.11 a/b/g/n layer 2 wireless network sniffer and intrusion detection system. This tool is basically used
in Wi-Fi troubleshooting.
4. Cain and Abel

Cain and Abel is a tool used for cracking wireless network passwords. This tool was developed to intercept the network
traffic and then use brute forcing to discover the passwords.
5. Wireshark

3.10 Identity Theft (ID Theft)

o Social Security number
o Full name, address and birth date
o Credit card or bank account numbers
o Car insurance or medical insurance account numbers
o Details that can tip off people to your recovery questions, such as your mother's maiden name or your home town
number of a deceased person.

3.10.1 Types of Identity Theft

You've probably heard about, or have experienced, thieves stealing credit card numbers or money from a bank
account. To help catch this kind of identity theft, set up account alerts, scan your credit card and bank statements, and look
for charges you don't recognize.

But there are other types of identity theft to look for.

- Criminal identity theft: happens when someone commits a crime and gives the police false identifying information

- Medical identity theft: when a thief steals a health insurance card and gets medical care or prescription drugs

- Tax identity theft: when a crook files a tax return in your name and nabs your refund
- Child identity theft: when a thief opens accounts using a child's Social Security number

3.10.2 Techniques used for Identity Theft

- Shoulder surfing - happens when thieves peek over your shoulder as you type sensitive information into a computer,
phone or ATM. Or they may listen as you make a call and provide your account info.
- Dumpster diving - when a thief sifts through your garbage can. Discarded checks and credit cards are just two sources of
valuable personal information.
- Public Wi-Fi - Public Wi-Fi usually doesn't encrypt data, so anyone with the Wi-Fi password and some hacker know-how
can monitor what you see and what you send. The hacker could commit identity theft if he or she intercepts your
info.
- Unencrypted websites - Make sure a website is encrypted before you use it for a financial transaction. Typically, you'll
see a picture of a lock in the URL field, and the URL will contain "https," meaning it's secure.
- Phishing - Watch out for identity thieves who contact you from a phone number or email address tailored to look
familiar and trustworthy. The goal is to get personal information from you.

3.10.3 Warning Signs of Identity Theft

Certain clues could indicate that you're a victim of identity theft. It's a good idea to watch for those indicators so you
can act quickly and take action to help minimize the damage. The FTC cites some of the common warning signs:

- You notice withdrawals from your bank account that you didn't make.
- You don't receive bills or other mail.
- You get calls from debt collectors about debts you didn't incur.
- You see unfamiliar accounts or charges on your credit report.
- You receive medical bills for services you didn't receive.
- A health plan won't insure you because your medical records indicate a condition you don't have.
- The IRS sends you a letter saying more than one tax return was filed in your name. Or the IRS notifies you that you
have income from an employer you never worked for.
- A company where you do business notifies you that your personal information was accessed in a breach.

3.10.4 Recovery from Identity Theft


Identity theft happens. Reacting quickly may be the most important thing you can do. Here are steps you can take if
you've been a victim of identity theft.

- Contact the business where your information was misused, let them know there was fraudulent activity on your
accounts, and close them.
- File a police report.
- Contact the three major credit reporting bureaus, TransUnion, Equifax and Experian, and consider putting a fraud alert
on your credit. This ensures future creditors will take extra steps to verify your identity.
- Consider a credit freeze, which is stronger than a fraud alert and ensures no one can use your credit to open new
accounts. You'll still need to monitor existing accounts.
- If you don't have a credit monitoring account, consider setting one up.
- Change your passwords, so they're strong and unique, for all your online accounts.

Q.1 What is Phishing? What are the different Phishing techniques? How do you prevent a phishing attack? (Section 3.1)

Q.2 Explain Password cracking in detail. (Section 3.2)

Q.3 What are keyloggers? What are the different types of keylogger? (Section 3.3.1 and 3.3.1 (A))

Q.4 Write a short note on Spyware. (Section 3.3.2)

Q.5 Write a short note on Viruses and Worms. (Section 3.4)

Q.6 What is a virus? What are the types of viruses? (Section 3.4.1)

Q.7 What is a worm? What are the types of worms? (Section 3.4.2)

Q.8 What is the difference between Viruses and Worms? (Section 3.4.3)

Q.9 Write a short note on Steganography. (Section 3.5)

Q.10 Write the difference between Steganography and Cryptography. (Section 3.5.2)

Q.11 Explain the DoS and DDoS Attacks. (Section 3.6)

Q.12 Write a short note on SQL Injection. (Section 3.7)

Q.13 Write a short note on Buffer Overflow. (Section 3.8)

Q.14 What are the Attacks on Wireless Networks? (Section 3.9)

Q.15 What is Identity Theft (ID Theft)? What are the types of identity theft? (Section 3.10 and 3.10.1)

Q.16 What techniques are used for Identity Theft? (Section 3.10.2)

□□□
The Concept of Cyberspace

Syllabus

E-Commerce, The contract aspects in cyber law, The security aspect of cyber law, The intellectual property aspect in
cyber law, The evidence aspect in cyber law, The criminal aspect in cyber law, Global trends in cyber law, Legal
framework for electronic data interchange, Law relating to electronic banking, The need for an Indian cyber law

4.1 E- Commerce

E-commerce in simple language is defined as buying and selling goods and rendering services on the internet.
Nowadays the speed of internet transactions is phenomenal. The e-commerce transactions are of 4 types that blend and
correlate:

Fig. 4.1.1 : Types of E-commerce transactions

1. Information access

It gives the user a search and retrieval facility.

2. Interpersonal communication

It provides methods to exchange information, discuss ideas and improve co-operation.

3. Shopping services

It permits the user to seek and purchase goods on the internet or to avail of services through the internet.

4. Virtual enterprises

- These are the business arrangements where trading partners who are separated by geography and expertise are
able to engage in joint business activities.
- Every e-commerce transaction is like any other transaction but it involves a contractual relationship between the
transacting parties. The Indian Contract Act 1872 states the law of contracts and the Sale of Goods Act 1930
states the law pertaining to the sale of goods. In the Information Technology Act 2000 some provisions have been
incorporated related to the distance nature of e-commerce transactions.

- These have important implications on contract formation. Every contract needs to be tailored in
accordance with the needs of the transaction.
- In India many people are not paying attention to drafting contracts; they normally copy others' contracts, which will be
harmful at the time of a dispute.
- So, it is important to take care in drafting the contract. The lawyer who is responsible for drafting a contract
should have properly understood the brief on the needs of the transaction and been apprised of the potential areas
of dispute which may arise so that these aspects are fully covered in the contract.
- The industries that are using information technology in their setup should be aware of the various legal aspects of
e-contracts, in the same way that every consumer must understand the terms of the contract before entering into a
transaction.
- In e-commerce, e-contracts are used. An e-contract is any kind of contract formed in the course of e-commerce by
the interaction of two or more individuals using electronic means such as e-mail, the interaction of an individual
with an electronic agent, such as a computer program, or the interaction of at least two electronic agents that are
programmed to recognize the existence of a contract.
- An e-contract is a contract modeled, specified, executed and deployed by a software system.

4.2 The Contract Aspects in Cyber Law

A contract is an agreement made by two or more persons that is enforceable by law. It consists of voluntary promises
to do or not to do certain things. When people make a contract their promises become legal obligations.
In a contract, two parties are involved: originator and addressee. According to the IT Act the definitions of originator and
addressee are as follows :

1. Originator

Originator is a person who sends, generates, stores or transmits any electronic message to be sent, generated, stored,
or transmitted to any other person and does not include an intermediary.

2. Addressee

- An addressee is a person who is intended by the originator to receive the electronic record but does not include any
intermediary.
The important points in an e-contract are :
a. The parties do not meet physically in most of the cases.
b. There are no physical boundaries, no handwritten signature and in most cases no handwriting is required.
c.
d. Jurisdictional issues are a major setback on contracts in case of breach.
e. There is no authority to monitor the process.
f. Digital signatures are used.
g. Electronic documents are used as evidence in the court.
h. Three main methods of contracting electronically are e-mail, World Wide Web and cyber contracts.
i. The subject matter includes:
(i) Physical goods, where goods are ordered online and paid for over the Internet and physical delivery is made.
(ii) Digital products such as software which can also be ordered.
(iii) Services like electronic banking, sale of shares, financial advisor etc.
4.2.1 Elements of Contract

Elements of contract:

1. Offer
2. Acceptance
3. Lawful consideration
4. Lawful object
5. Competent parties
6. Free consent
7. Certainty of terms

Fig. 4.2.1: Elements of Contract

The elements of a contract are:
>
1. Offer

- In section 2(a) of the Indian Contract Act offer is defined. Website advertisements are invitations to offer unless
clearly specified otherwise.
- When a person responds by mail or fills out online forms built into a web page they make an offer which can be either
accepted or rejected, and so an invitation to offer is not capable of making a binding contract on its own until it is
accepted.
- Thus, an offer made must carry the intention of entering into a binding contract. This also applies to online
contracts.

2. Acceptance
- Once an offer is accepted a contract is concluded, unless the postal acceptance rule applies.
- The postal acceptance rule is an exception to the general rule that acceptance of a contract must be
communicated to the offeror before a contract can be in existence. Under the rule acceptance of a contract is
said to occur at the time the acceptance is posted.
- Hence the communication of acceptance is complete as against the proposer when it is put in the course of
transmission to him, and as against the acceptor when the acknowledgement enters into the designated
computer resource.

3. Lawful consideration

Lawful consideration should be there in a contract as per the Indian Contract Act. Problems may arise at a time when
consideration is merely executory, like when an online shopping site promises to supply an item. Another problem is
that such laws cannot apply when an anonymous computer is used.


4. Lawful object

- The contract purpose should be lawful one.


- Courts will not enforce contracts that are illegal or violate public policy. Such contracts are considered void.

5. Competent parties
- Competent parties are natural and legal persons. A computer is neither a natural nor a legal person and so the
operator of the computer comes into the picture.
- The autonomous computer cannot be a contractual party.

6. Free consent

- An autonomous computer, however, clearly cannot be a contractual party.
- This is quite difficult to determine because sometimes the margin used to determine the strict rule of free
consent gets narrower under electronic contracts.

7. Certainty of terms

The certainty of the terms given in the contract should be lawful.

4.2.2 Legal Prerequisites of an E-Contract

- The offer and acceptance of an offer are expressed in the form of electronic records.
- Electronic records are used for the formation of a contract. The validity and enforceability of the contract is in the
form of electronic record. To facilitate e-contracts the following provisions have been legally recognized:

1. The concepts of originator and addressee.

2. The concept of acknowledgment of receipt of record/data/information as part of the legal process.

3. The concept of time and place of dispatch and receipt.

1. The concepts of originator and addressee

Section 11 of the Information Technology Act, 2000 is given as follows:

- Attribution of electronic records
- An electronic record shall be attributed to the originator:
a. If it was sent by the originator himself.
b. By a person who had the authority to act on behalf of the originator in respect of that electronic record.
c. By an information system programmed by or on behalf of the originator to operate automatically.

2. The concept of acknowledgment of receipt of record/data/information as part of the legal process

- Section 12 of the Information Technology Act, 2000 is given as follows:

- Acknowledgment of receipt

a. Where the originator has not stipulated that the acknowledgement of receipt of the electronic record be given in a particular form or by a particular method, an acknowledgement may be given by:

(i) Any communication by the addressee, automated or otherwise.

(ii) Any conduct of the addressee sufficient to indicate to the originator that the electronic record has been received.

b. Where the originator has stipulated that the electronic record shall be binding only on receipt of an acknowledgement
of such electronic record by him, then, unless acknowledgement has been so received, the electronic record shall be
deemed to have been never sent by the originator.

c. Where the originator has not stipulated that the electronic record shall be binding only on receipt of such
acknowledgement and the acknowledgement has not been received by the originator within the time specified or
agreed or if no time has been specified or agreed to within a reasonable time, then, the originator may give notice to
the addressee stating that no acknowledgement has been received by him and specifying a reasonable time by which
the acknowledgement must be received by him and if no acknowledgement is received within the aforesaid time limit
he may after giving notice to the addressee, treat the electronic record as though it has never been sent.

The following are the questions pertaining to electronic messages:

(i) Identity of the originator.

(ii) Receipt of the e-message.

(iii) Identity of the message as fed into the computer for transmission by the originator with the message as received by the addressee.

(iv) Whether the contents of the electronic message have been changed.

(v) Contents of the electronic message.

When an e-mail message sent by the originator carries a digital signature, the signature establishes the identity of the originator and ties it to that message. A digital signature is built from a hash function and a transformation of the hash result with the signer's private key, so the integrity of the evidence can be proved using the digital signature.

3. The concept of time and place of dispatch and receipt

Section 13 of the Information Technology Act, 2000 is given as follows:

Time and place of dispatch and receipt of electronic record

a. Save as otherwise agreed to between the originator and the addressee, the dispatch of an electronic record occurs when it enters a computer resource outside the control of the originator.

b. Save as otherwise agreed between the originator and the addressee, the time of receipt of an electronic record shall be determined as follows, namely:

- If the addressee has designated a computer resource for the purpose of receiving electronic records:

(i) Receipt occurs at the time when the electronic record enters the designated computer resource.

(ii) If the electronic record is sent to a computer resource of the addressee that is not the designated computer resource, receipt occurs at the time when the electronic record is retrieved by the addressee.

- If the addressee has not designated a computer resource along with specified timings, if any, receipt occurs when the electronic record enters the computer resource of the addressee.

c. Save as otherwise agreed to between the originator and the addressee, an electronic record is deemed to be dispatched at the place where the originator has his place of business and is deemed to be received at the place where the addressee has his place of business.
d. The provisions of sub-section (2) shall apply notwithstanding that the place where the computer resource is located may be different from the place where the electronic record is deemed to have been received under sub-section (3).

e. For the purposes of this section:

(i) If the originator or the addressee has more than one place of business, the principal place of business shall be the place of business.

(ii) If the originator or the addressee does not have a place of business, his usual place of residence shall be deemed to be the place of business.

(iii) "Usual place of residence", in relation to a body corporate, means the place where it is registered.

4.2.3 Click and Wrap Contracts

- A click and wrap contract is formed when an online buyer or user clicks on the 'I AGREE' button on a webpage to purchase or download a program.
- The term is derived from the fact that such agreements most often require clicking an on-screen icon to signal acceptance.

There are two types of click and wrap contracts:

1. Type and click and wrap contract

2. Icon clicking

1. Type and click and wrap contract

- Type and click is a type of click and wrap contract where the user must type "I accept" or other specified words in an on-screen box and then click a "Submit" or similar button.
- It denotes acceptance of the terms before the download can commence.

2. Icon clicking

- Icon clicking is where the user must click on an "OK" or "I AGREE" button on a dialogue box or pop-up window.
- The user rejects by clicking "CANCEL" or by closing the window.

4.2.4 Shrink Wrap Contract

- Shrink-wrap agreements are usually the licence agreements applicable when buying software products. In the case of a shrink-wrap agreement, with the opening of the packaging of the software product the terms and conditions for accessing that software product are enforced upon the person who buys it.
- Shrink-wrap agreements are also those which are accepted by the user at the time of installation of software from a CD-ROM, for example Nokia PC Suite.
- Sometimes additional terms can be observed only after loading the product on the computer; if the buyer does not agree to those additional terms, he has the option of returning the software product.
- As soon as the purchaser tears the packaging or the cover to access the software product, the shrink-wrap agreement gives the manufacturer protection by indemnifying it against any copyright or intellectual property rights violation. In India, however, there is no settled judicial decision or precedent on the validity of shrink-wrap agreements.
- A shrink-wrap licence is an end user licence agreement (EULA). Once the end user opens the packaging the EULA is considered to be in effect. It includes terms such as:

o Licences
o Rights of use
o Fees and payments
o Forum clauses
o Warranties
o Limitations and liabilities.

4.2.5 Difference between Click and Wrap Contract and Shrink and Wrap Contract

Sr. No. | Click and Wrap Contract | Shrink and Wrap Contract
1. | Consumers can go through the terms of the contract. | Consumers do not know the key terms of the contract.
2. | Allows the user to read the terms of the agreement before accepting them. | People agree to the terms by using the software which they have already purchased.
3. | They have gained universal acceptance. | They have questionable enforceability.
4. | The simple act of clicking the accept button is used to bind. | Conclusion of the contract is made by breaking the seal.

4.3 The Security Aspect of Cyber Law

- Electronic data and its transmission are vulnerable to attackers and cybercriminals. It is important to ensure the security of the data by both legal and technical means.
- The data transmitted over a network can be protected by coding it; this process is known as encryption.
- Just as paper records and files are vulnerable to threats to their privacy, so are electronic records, and many users have developed their own codes and data security systems as a measure against unauthorized access. With the growth of the internet there is an increasing volume of financial transactions such as banking transactions, and the internet has become the default medium of e-commerce. Many organizations on the internet, such as corporate bodies, governments, universities, banks and other institutions, are apprehensive that hackers or unauthorized persons may enter their systems and commit fraud, manipulate records or sabotage computerized data. To protect data on the internet, cryptography is used.
- Cryptography is the science and art of secret writing which keeps information secret. Cryptography helps protect data from unauthorized people. Text written in the form of a cipher is called ciphertext.
- Technically, encryption is a process in which plaintext information is transformed into ciphertext. The process of deciphering encrypted information is called decryption.
- Encryption is done using algorithms; encryption algorithms are mathematical functions which perform the task of encrypting and decrypting data.
- Encryption algorithms are driven by keys. The encryption key controls how the plaintext is transformed into ciphertext, and the corresponding decryption key transforms the ciphertext back into plaintext; in a well-designed system the security rests on the secrecy of the key, not on the secrecy of the algorithm. Different encryption systems are available with different key lengths.

There are two types of encryption algorithms:

1. Private key cryptography

2. Public key cryptography

- In private key cryptography, the same key is used to encrypt and decrypt the message; this is also known as symmetric-key cryptography.

- In public-key cryptography the public key is used for encrypting the message and the private key is used for decrypting the message.
- For preserving keys, the safe deposit box concept is introduced: a copy of each decryption key is placed in a secure location and can be accessed only by trusted users, against a warrant. This is known as key escrow. The key is split into several parts using an appropriate algorithm and each split part is kept in an independent safe deposit box; this is known as key splitting.
- Many encryption standards are in use today; one of them is the Data Encryption Standard (DES). DES is basically a bit permutation, substitution and recombination of 64-bit blocks of data under a 56-bit key. Initially, the 64 bits of data are permuted according to standard tables of permutations and substitutions. The bits are permuted in combination with bits from the key; this process is repeated 16 times (rounds), each time with a different set of tables and different bits from the key. The algorithm then performs a final permutation and 64 bits of output are produced. A 56-bit key is far too short for today's hardware, which is why DES has been superseded by AES.
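The key-splitting idea described above can be made concrete. The following is an added example written for this page, not code from the textbook or from any escrow product: it splits a key into XOR shares so that every custodian's part is needed to rebuild it, while any smaller set of parts is statistically indistinguishable from random bytes. The 16-byte key and the three-custodian setup are constructed for the demonstration, and the `rand` parameter is an assumption added so that a split can be reproduced in a test.

```python
"""Added example (not from the textbook): splitting a decryption key into
parts for separate safe-deposit boxes (key splitting) using XOR shares.
Every part is needed to rebuild the key; any proper subset reveals nothing."""
import os
from typing import Callable, List


def split_key(key: bytes, parts: int,
              rand: Callable[[int], bytes] = os.urandom) -> List[bytes]:
    """Split `key` into `parts` shares of equal length.

    The first parts-1 shares are random; the last is chosen so that the XOR
    of all shares equals the key. `rand` is injectable only so the example can
    be run deterministically in a test; real use keeps os.urandom.
    """
    if parts < 2:
        raise ValueError("need at least two parts")
    shares = [rand(len(key)) for _ in range(parts - 1)]
    last = bytes(key)
    for share in shares:
        last = bytes(a ^ b for a, b in zip(last, share))
    shares.append(last)
    return shares


def combine_key(shares: List[bytes]) -> bytes:
    """Rebuild the key by XOR-ing every share together (order is irrelevant)."""
    if not shares:
        raise ValueError("no shares")
    length = len(shares[0])
    if any(len(s) != length for s in shares):
        raise ValueError("shares must have equal length")
    key = bytes(length)
    for share in shares:
        key = bytes(a ^ b for a, b in zip(key, share))
    return key


def demo() -> dict:
    """Constructed sample: a 16-byte symmetric key held in escrow by three custodians."""
    key = bytes.fromhex("00112233445566778899aabbccddeeff")
    shares = split_key(key, 3)
    return {
        "all_parts": combine_key(shares) == key,       # all three boxes opened
        "two_parts": combine_key(shares[:2]) == key,   # one custodian missing
    }
```

This is an all-or-nothing split: losing a single safe deposit box loses the key. An escrow arrangement that must survive the loss of a part needs a threshold scheme rather than plain XOR.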

1. Digital signatures
- A digital signature is an electronic method for demonstrating the authenticity of a digital message.
- A valid digital signature gives the recipient reason to trust that the message was created by a known sender and that it was not changed in transit.
- Digital signatures are regularly used for software distribution, financial transactions and in other situations where it is important to detect impersonation or tampering.
- Following are the functions of a digital signature:
a. To authenticate the document.
b. To identify the document.
c. To secure the document from forgery.
d. To make the contents of the document binding on the person putting the digital signature.
e. Evidence for identification of the document.
- Digital signatures are used in e-commerce and e-governance for the purpose of authentication. "Digital signature" in the IT Act, 2000 means authentication of an electronic record. Section 3 of the IT Act, 2000 describes authentication of electronic records as follows:

a. Authentication of electronic records

(i) Subject to the provisions of this section, any subscriber may authenticate an electronic record by affixing his digital signature.
(ii) The authentication of the electronic record shall be effected by the use of an asymmetric crypto system and hash function which envelop and transform the initial electronic record into another electronic record.

b. Explanation

For the purposes of this sub-section, "hash function" means an algorithm mapping or translation of one sequence of bits into another, generally smaller, set known as the "hash result", such that an electronic record yields the same hash result every time the algorithm is executed with the same electronic record as its input, making it computationally infeasible:

a. To derive or reconstruct the original electronic record from the hash result produced by the algorithm.
b. That two electronic records can produce the same hash result using the algorithm.

(iii) Any person by the use of a public key of the subscriber can verify the electronic record.

(iv) The private key and the public key are unique to the subscriber and constitute a functioning key pair.

- Several digital signature systems are available; the asymmetric crypto system and hash function are the ones recognized by the IT Act for authentication of electronic records.

2. Asymmetric cryptosystem

- An asymmetric cryptosystem is also known as public key cryptography. In this cryptosystem two keys are used, named the public key and the private key.
- The public key is used to encrypt the data and the private key is used to decrypt the data. The keys are made up of large numbers and are mathematically paired together, but the two keys are not identical, and the private key cannot feasibly be derived from the public key.
- The private key is kept secret while the public key is shared with everyone. The private key is used to create the digital signature and the public key is used to verify the digital signature, as given in the IT Act, 2000.
- It is important to secure the private key. Store it on a removable medium under the subscriber's sole control, such as a smart card or cryptographic USB token, or (as older practice) a floppy, CD or pen drive, rather than on the hard disk of a networked machine, where malware or another user of the machine can copy it.

3. Hash functions

- Hash functions are used to check the integrity of data sent across the internet. A hash function takes a message of any length as input and gives a fixed-length output. Examples of hash algorithms are MD5 and SHA. Note that MD5 and SHA-1 are no longer collision resistant and should not be used for new signatures; the SHA-2 family (for example SHA-256) is the current choice.
- A hash function is a mathematical function that maps data of arbitrary size to a fixed-length string. It is used to check that the data has not been altered.
- To validate integrity, a hash of the information is created when the data is sent. At the receiver's side, when the data is received, the hash of the received data is computed and the two hash values are compared. If the hash values match there has been no change in the data; otherwise the data has been changed. A bare hash only detects accidental change, since an attacker who alters the data can simply recompute the hash; that is why the hash result is transformed with the signer's private key, as described in the next section, when deliberate tampering must be detected.

4. Creating the digital signature and verification

The process of creating and verifying a digital signature is given in Rules 4 and 5 of the IT Rules, 2000 as follows:

Rule 4: Creation of digital signature

To sign an electronic record or any other item of information, the signer shall first apply the hash function in the signer's software. The hash function shall compute a hash result of standard length which is unique (for all practical purposes) to the electronic record. The signer's software then transforms the hash result into a digital signature using the signer's private key. The resulting digital signature shall be unique to both the electronic record and the private key used to create it, and the digital signature shall be attached to its electronic record and stored or transmitted with its electronic record.

Rule 5: Verification of digital signature

The verification of a digital signature shall be accomplished by computing a new hash result of the original electronic record by means of the hash function used to create the digital signature, and by using the public key and the new hash result the verifier shall check:

a. If the digital signature was created using the corresponding private key.
b. If the newly computed hash result matches the original result which was transformed into the digital signature during the signing process.

The verification software will confirm the digital signature as verified if:

(i) The signer's private key was used to digitally sign the electronic record, which is known to be the case if the signer's public key was used to verify the signature, because the signer's public key will verify only a digital signature created with the signer's private key.

(ii) The electronic record was unaltered, which is known to be the case if the hash result computed by the verifier is identical to the hash result extracted from the digital signature during the verification process.
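Rules 4 and 5 above, together with the hash-function section before them, describe hash-then-sign. The following Python block is an added worked example written for this page, not code from the Rules, the textbook or any certifying authority's software. It uses SHA-256 as the hash function and textbook RSA built from the standard library as the asymmetric step, with a fixed seed and a 512-bit modulus so that it runs offline and reproducibly; the key size, the fixed seed and the absence of padding are teaching simplifications assumed here, not recommended practice, and the sample offer record is constructed.

```python
"""Added example (not from the textbook or the IT Rules): hash-then-sign and
verification in the shape of Rules 4 and 5, using only the standard library.
Textbook RSA on a SHA-256 hash with small, reproducibly generated keys is used
so the block runs offline; it is a teaching model, not production signing
(real systems use padding such as RSA-PSS and keys of at least 2048 bits)."""
import hashlib
import math
import random
from typing import Tuple

Key = Tuple[int, int]  # (modulus n, exponent)

_SMALL_PRIMES = (3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47)


def _is_probable_prime(n: int, rng: random.Random, rounds: int = 32) -> bool:
    """Miller-Rabin primality test; `rng` supplies the witnesses."""
    if n < 2:
        return False
    if n in (2, 3):
        return True
    if n % 2 == 0:
        return False
    for p in _SMALL_PRIMES:          # cheap trial division first
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:                # write n - 1 = d * 2**s with d odd
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False             # this witness proves n composite
    return True


def _random_prime(bits: int, rng: random.Random) -> int:
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1  # full length, odd
        if _is_probable_prime(cand, rng):
            return cand


def generate_key_pair(bits: int = 512, seed: int = 2024) -> Tuple[Key, Key]:
    """Return (public_key, private_key). The fixed seed makes the example
    reproducible; a real key pair must come from a cryptographic RNG."""
    rng = random.Random(seed)
    e = 65537
    while True:
        p = _random_prime(bits // 2, rng)
        q = _random_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            break
    n = p * q
    d = pow(e, -1, phi)              # private exponent (Python 3.8+)
    return (n, e), (n, d)


def hash_result(record: bytes) -> int:
    """Rule 4, step 1: fixed-length hash of the electronic record, as an integer."""
    return int.from_bytes(hashlib.sha256(record).digest(), "big")


def create_signature(record: bytes, private_key: Key) -> int:
    """Rule 4, step 2: transform the hash result with the signer's private key."""
    n, d = private_key
    h = hash_result(record)
    if h >= n:
        raise ValueError("modulus must exceed the hash for textbook RSA")
    return pow(h, d, n)


def verify_signature(record: bytes, signature: int, public_key: Key) -> bool:
    """Rule 5: recompute the hash and compare it with the value the public key
    recovers from the signature. True only if the matching private key signed
    exactly this record."""
    n, e = public_key
    return pow(signature, e, n) == hash_result(record)


def demo() -> Tuple[bool, bool, bool]:
    """Constructed sample record: signed, verified, then altered by one figure."""
    public_key, private_key = generate_key_pair()
    record = b"Offer: 100 units of item X at Rs 500 each, valid till 31-01-2025"
    sig = create_signature(record, private_key)
    tampered = record.replace(b"Rs 500", b"Rs 50")
    other_public, _ = generate_key_pair(seed=7)      # a different subscriber
    return (
        verify_signature(record, sig, public_key),    # True: intact, right key
        verify_signature(tampered, sig, public_key),  # False: record altered
        verify_signature(record, sig, other_public),  # False: wrong key pair
    )
```

Calling `demo()` shows the three outcomes Rule 5 distinguishes: the intact record verifies, the record with one altered figure fails check (b), and the same signature checked against another subscriber's public key fails check (a). For real deployments use a vetted library with RSA-PSS or an elliptic-curve scheme and RSA keys of at least 2048 bits.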

5. Digital signature certificate

- Digital signature certificates are the digital equivalent of physical or paper certificates. The certificate is used to prove identity in order to access data and internet services. A digital signature certificate binds a public key to its subscriber, so a signature verified with that key authenticates the electronic document and shows that the data has not been altered.
- Digital signature certificates are issued by certifying authorities which hold a licence to issue them.
- Chapter VII of the IT Act, 2000 deals with digital signature certificates, and the IT (Certifying Authorities) Rules, 2000 lay down the rules for certifying authorities.
- The digital signature certificate application form is submitted to the certifying authority along with a fee of up to 25,000 rupees. Different fees may be prescribed for different classes of applicants.
- A certification practice statement should be submitted along with the digital signature certificate application form. "Certification practice statement" is defined in the IT Act, 2000; the applicant must state in it the practices he wants to employ in using digital signatures.
- When the certifying authority receives the application it makes enquiries and, if satisfied, issues the digital signature certificate.
- The applicant then holds the digital signature certificate along with a key pair, i.e. a private key and a public key. The applicant keeps the private key for creating digital signatures and the public key is used to verify them.
- Before issuing the digital signature certificate the certifying authority should check that (Rule 25 of the Certifying Authorities Rules, 2000):

a. The user name does not appear as a compromised user in its list.

b. It complies with the procedure defined in its certification practice statement, including verification of identification and/or employment.

c. It complies with all privacy requirements.

d. It has obtained the consent of the person requesting the digital signature certificate that the details of such digital signature certificate can be published on a directory service.

- Sub-section (1) of Section 41 of the IT Act, 2000 mentions that a subscriber shall be deemed to have accepted a digital signature certificate if he publishes or authorises the publication of a digital signature certificate:

(i) To one or more persons.

(ii) In a repository, or otherwise demonstrates his approval of the digital signature certificate in any manner.

- Sub-section (2) of Section 41 of the IT Act, 2000 mentions that by accepting a digital signature certificate the subscriber certifies to all who reasonably rely on the information contained in the digital signature certificate that:

(i) The subscriber holds the private key corresponding to the public key listed in the digital signature certificate and is entitled to hold the same.

(ii) All representations made by the subscriber to the certifying authority and all material relevant to the information contained in the digital signature certificate are true.

(iii) All information in the digital signature certificate that is within the knowledge of the subscriber is true.
6. Certification authority

The government appoints a controller of certifying authorities for the purpose of licensing, certifying, monitoring and overseeing the activities of certifying authorities. A licensed certifying authority is a certifying authority licensed by the controller to act in that capacity. The controller, in consultation with the government, appoints such number of deputy controllers and assistant controllers as required.
- Section 35 of the Information Technology Act, 2000 says thus:

a. Any person may make an application to the Certifying Authority for the issue of a Digital Signature Certificate in such form as may be prescribed by the Central Government.
b. Every such application shall be accompanied by such fee not exceeding twenty-five thousand rupees as may be prescribed by the Central Government, to be paid to the Certifying Authority: Provided that while prescribing fees under sub-section (2) different fees may be prescribed for different classes of applicants.
c. Every such application shall be accompanied by a certification practice statement or, where there is no such statement, a statement containing such particulars as may be specified by regulations.
d. On receipt of an application under sub-section (1) the Certifying Authority may, after consideration of the certification practice statement or the other statement under sub-section (3) and after making such enquiries as it may deem fit, grant the Digital Signature Certificate or, for reasons to be recorded in writing, reject the application.

Suspension of digital signature certificate (sub-section (1) of Section 37 of the IT Act, 2000)

- The certifying authority can suspend a digital signature certificate in one of the following situations:

a. On receipt of a request to that effect from:

(i) The subscriber listed in the digital signature certificate.

(ii) Any person duly authorized to act on behalf of that subscriber.

b. If it is of the opinion that the digital signature certificate should be suspended in the public interest.

- A digital signature certificate shall not be suspended for a period exceeding fifteen days unless the subscriber has been given an opportunity of being heard in the matter.
- On suspension of a digital signature certificate, the certifying authority shall communicate the same to the subscriber.

Revocation of digital signature certificate (sub-sections (1), (2) and (3) of Section 38 of the IT Act, 2000)

- The certifying authority can revoke a digital signature certificate in the following situations:

(i) Where the subscriber or any other person authorized by him makes a request to that effect.

(ii) Upon the death of the subscriber.

(iii) Upon the dissolution of the firm or winding up of the company where the subscriber is a firm or a company.

- Without prejudice to the aforesaid, a certifying authority may revoke a digital signature certificate which it has issued at any time, if it is of the opinion that:

(i) A material fact represented in the digital signature certificate is false or has been concealed.

(ii) A requirement for issuance of the digital signature certificate was not satisfied.

(iii) The certifying authority's private key or security system was compromised in a manner materially affecting the digital signature certificate's reliability.

(iv) The subscriber has been declared insolvent or dead or, where the subscriber is a firm or a company, the firm or company has been dissolved, wound up or has otherwise ceased to exist.


4.4 Certifying Authorities and Liability in the Event of Digital Signature Compromise

The role of the certifying authority is very important in a digital signature environment. The certifying authority:

1. Issues the digital signature certificates.

2. Manage the functioning of digital signature.

3. Provides evidence of proof in legal dispute.


For the purpose of regulating the certifying authorities the Central Government has appointed a Controller of Certifying Authorities.
- The controller may appoint deputy controllers and assistant controllers as required. The deputy controllers and assistant controllers perform the functions assigned to them by the Controller of Certifying Authorities.
- The Central Government decides where the head office and the branch offices of the controller are to be located.
- As given in Section 18 of the IT Act, 2000, the functions of the Controller of Certifying Authorities are as follows:

a. Exercising supervision over the activities of the certifying authorities.
b. Certifying public keys of the certifying authorities.
c. Laying down the standards to be maintained by the certifying authorities.
d. Specifying the qualifications and experience which employees of the certifying authorities should possess.
e. Specifying the conditions subject to which the certifying authorities shall conduct their business.
f. Specifying the contents of written, printed or visual materials and advertisements that may be distributed or used in respect of an electronic signature certificate and the public key.
g. Specifying the form and content of an electronic signature certificate and the key.
h. Specifying the form and manner in which accounts shall be maintained by the certifying authorities.
i. Specifying the terms and conditions subject to which auditors may be appointed and the remuneration to be paid to them.
j. Facilitating the establishment of any electronic system by a certifying authority, either solely or jointly with other certifying authorities, and regulation of such systems.
k. Specifying the manner in which the certifying authorities shall conduct their dealings with the subscribers.
l. Resolving any conflict of interests between the certifying authorities and the subscribers.
m. Laying down the duties of the certifying authorities.
n. Maintaining a database containing the disclosure record of every certifying authority, containing such particulars as may be specified by regulations, which shall be accessible to the public.

(The words "electronic signature" in clauses f and g were substituted for "digital signature" by the IT (Amendment) Act, 2008.)

4.4.1 Recognition of Foreign Certifying Authorities

- As per Section 19 of the IT Act, 2000, the Controller of Certifying Authorities may, with the previous approval of the Central Government and by notification in the Official Gazette, recognize any foreign certifying authority as a certifying authority. A certificate issued by such a recognized certifying authority is valid under the Act.
- The controller can revoke the recognition if he is satisfied that the certifying authority has contravened any of the conditions and restrictions subject to which it was granted recognition.
- For a licence, certifying authorities have to pay 25,000 rupees, and for renewal of the licence 5,000 rupees is charged; the fee is non-refundable.
- The licence is valid for five years. An application for renewal of the licence has to be made not less than 45 days before the expiry date of the licence.

The controller can refuse the grant or renewal of a certifying authority licence if (Rule 17 of the Certifying Authorities Rules, 2000):

1. The applicant has not provided the controller with such information relating to its business, and to any circumstances likely to affect its method of conducting business, as the controller may require.

2. The applicant is in the course of being wound up or liquidated.

3. A receiver has, or a receiver and manager have, been appointed by the court in respect of the applicant.

4. The applicant or any trusted person has been convicted, whether in India or outside India, of an offence the conviction for which involved a finding that it or such trusted person acted fraudulently or dishonestly, or has been convicted of an offence under the Act or these rules.

5. The controller has invoked the performance bond or banker's guarantee.

6. A certifying authority commits a breach of, or fails to observe and comply with, the procedures and practices as per the Certification Practice Statement.

7. A certifying authority fails to conduct, or does not submit, the returns of the audit in accordance with Rule 31.

8. The audit report recommends that the certifying authority is not worthy of continuing the certifying authority's operation.

9. A certifying authority fails to comply with the directions of the controller.

4.4.2 Commencement of Operation by Licensed Certifying Authorities

(Rule 20 of the Certifying Authorities Rules, 2000)

The licensed certifying authority shall commence its commercial operation of generation and issue of digital signature certificates only after:
- It has confirmed to the controller the adoption of its Certification Practice Statement.
- It has generated its key pair, namely the private key and the corresponding public key, and submitted the public key to the controller.
- The installed facilities and infrastructure associated with all functions of generation and issue of digital signature certificates have been audited by an accredited auditor in accordance with the provisions of Rule 31.
- It has submitted the arrangement for cross-certification with other licensed certifying authorities within India to the controller.

1. Suspension of licence

- If the controller, after such enquiry as he thinks fit, is satisfied that grounds for suspension exist, he can suspend the licence. The licence cannot be ...

2. Database of certifying authorities

Rule 22 of the Certifying Authorities Rules states that the controller shall maintain a database of the disclosure record of every certifying authority, cross-certifying authority and foreign certifying authority, containing inter alia the following details:

a. The name of the person / names of the directors, nature of business, income tax permanent account number, web address (if any), office and residential address, location of facilities associated with functions of generation of digital signature certificates, voice and facsimile telephone numbers, electronic mail addresses, administrative contacts and authorized representatives.
b. The public key(s), corresponding to the private key(s), used by the certifying authority and recognized foreign certifying authority to digitally sign digital signature certificates.
c. Current and past versions of the certification practice statement of the certifying authority.
d. Time stamps indicating the date and time.

3. Confidential information

Rule 33 of the Certifying Authorities Rules states that the following information shall be confidential:

a. Digital signature certificate applications, whether approved or rejected.
b. Digital signature certificate information collected from the subscriber or elsewhere as part of the registration and verification record but not included in the digital signature certificate information.
c. Subscriber agreements.

- Section 42 imposes some responsibility on the subscriber of a digital signature. Every subscriber shall exercise reasonable care to retain control of the private key corresponding to the public key listed in his digital signature certificate and take all steps to prevent its disclosure.
- If the private key of the subscriber is compromised, the subscriber shall communicate the same without any delay to the certifying authority.
4.5 The Intellectual Property Aspect in Cyber Law
- World Intellectual Property Organization (WIPO) is an international agency that works for the protection of the legal
rights in the artistic and literary work, inventions, trademarks and other original creations.
- Such rights are called intellectual property rights.
- The WIPO words for the promotion of the international agreement on copyright, patents, trademarks and other
original creations.
- Three draft, treaties are prepared by WIPO In the conference organised In December 1996. These three treaties are as
follows: ? -

o Copyright of electronic records


o Protection of performers and producers -
o Phonograms ■.< . ■ j . ...
o New form of Sui-generis( of one’s own origin) protection of data bases 1 - ■
1. Copyright
- As per the Copyright Act, 1957 copyright subsists in the following works:
a. Original literary, dramatic, musical and artistic works.
b. Cinematograph films and sound recordings.
- Copyright in the aforesaid works would not exist unless:
a. In the case of a published work, the work is first published in India, or where the work is first published outside India, the author is at the date of such publication, or in a case where the author was dead at that date was at the time of his death, a citizen of India.
b. In the case of an unpublished work other than a work of architecture, the author is at the date of the making of the work a citizen of India or domiciled in India.
c. In the case of a work of architecture, the work is located in India.
- The above rules do not apply to foreign work, but in the case of a work of joint authorship the above conditions conferring copyright must be satisfied by all the authors of the work.
- It is specified in the Copyright Act that copyright would not subsist (Section 13(3)):
a. In any cinematograph film if a substantial part of the film is an infringement of the copyright in any other work.
b. In any sound recording made in respect of a literary, dramatic or musical work if, in making the sound recording, copyright in such work has been infringed.
- It is specified that where there is a copyright in a cinematograph film or a sound recording, it does not affect the separate copyright in any work in respect of which, or a substantial part of which, the film or sound recording, as the case may be, is made.
- In an architectural work copyright subsists only in the artistic character and design and does not extend to processes or methods of construction.
- Literary work includes computer programmes, tables and compilations including computer databases. The copyright covers the source code and the object code. It also includes all representations of computer programmes, whether in written form or in machine-readable form.
- There are two levels of computer languages for developing software: one is a high level language and the second is machine level language. A high level language is an English-like language and a low level language is in the form of ones and zeros.
- Statements in machine level language are referred to as object code and statements in a high level language are referred to as source code.
- Computer programmes are covered under the category of literary works, but audio, graphics and videos created by the underlying computer programmes may not necessarily be literary works.
- Copyright owners have the exclusive right to do or authorise the doing of any of the following acts in respect of the work or any substantial part of it.
2. In the case of a literary, dramatic or musical work, not being a computer programme
- To reproduce the work in any material form, including the storing of it in any medium by electronic means.
- To issue copies of the work to the public, not being copies already in circulation.
- To perform the work in public or communicate it to the public.
- To make any cinematograph film or sound recording in respect of the work.
- To make any translation of the work.
- To make any adaptation of the work.
- To do, in relation to a translation or an adaptation of the work, any of the aforesaid acts.
In the case of a computer programme
- To do any of the acts specified above for a literary, dramatic or musical work.
- To sell or give on commercial rental, or offer for sale or for commercial rental, a copy of the computer programme.

In the case of an artistic work
- To reproduce the work in any material form, including depiction in three dimensions of a two dimensional work or in two dimensions of a three dimensional work.
- To communicate the work to the public.
- To issue copies of the work to the public, not being copies already in circulation.
- To include the work in any cinematograph film.
- To make any adaptation of the work.
- To do, in relation to an adaptation of the work, any of the first four acts in the instant category of artistic work.

In the case of a cinematograph film
- To make a copy of the film, including a photograph of any image forming part of it.
- To sell or give on hire, or offer for sale or hire, any copy of the film regardless of whether such copy has been sold or given on hire on earlier occasions.
- To communicate the film to the public.
4. In the case of a sound recording
- To make any other sound recording embodying it.
- To sell or give on hire, or offer for sale or hire, any copy of the sound recording regardless of whether such copy has been sold or given on hire on earlier occasions.
- To communicate the sound recording to the public.
- Copyright extends to the form of the work, not to the idea. Copyright subsists in published as well as unpublished work.
- Registration of a work is optional, not mandatory, under the law. If registration is done under the IT Act, it will be evidence in disputes.
- To register a copyright you have to fill in the application form, pay a nominal fee and deposit 3 copies of the work with the copyright office.
5. Copyright infringement, remedies and offences
- Section 51 of the Copyright Act states the various acts which amount to copyright infringement, as follows:
Section 51: When copyright is infringed
Copyright in a work shall be deemed to be infringed when any person, without a licence granted by the owner of the copyright or the Registrar of Copyrights under this Act, or in contravention of the conditions of a licence so granted or of any condition imposed by a competent authority under this Act:
(i) Does anything, the exclusive right to do which is by this Act conferred upon the owner of the copyright.
(ii) Permits for profit any place to be used for the communication of the work to the public where such communication constitutes an infringement of the copyright in the work, unless he was not aware and had no reasonable ground for believing that such communication to the public would be an infringement of copyright.
When any person:
(i) Makes for sale or hire, or sells or lets for hire, or by way of trade displays or offers for sale or hire.
(ii) Distributes either for the purpose of trade or to such an extent as to affect prejudicially the owner of the copyright.
(iii) By way of trade exhibits in public.
(iv) Imports into India.

Explanation:
- For the purposes of this section, the reproduction of a literary, dramatic, musical or artistic work in the form of a cinematograph film shall be deemed to be an "infringing" copy.
- Section 52 of the Copyright Act states certain acts which do not constitute copyright infringement. Some of the important exceptions are as follows:
(a) A fair dealing with a literary, dramatic, musical or artistic work, not being a computer programme, for the purposes of:
- Private use, including research.
- Criticism or review, whether of that work or of any other work.
(1) The making of copies or adaptation of a computer programme by the lawful possessor of a copy of such computer programme, from such copy:
- In order to utilise the computer programme for the purpose for which it was supplied.
- To make back-up copies purely as a temporary protection against loss, destruction or damage, in order only to utilise the computer programme for the purpose for which it was supplied.
(2) The doing of any act necessary to obtain information essential for operating interoperability of an independently created computer programme with other programmes by a lawful possessor of a computer programme, provided that such information is not otherwise readily available.
(3) The observation, study or test of functioning of the computer programme in order to determine the ideas and principles which underlie any elements of the programme, while performing such acts necessary for the functions for which the computer programme was supplied.
(4) The making of copies or adaptation of the computer programme from a personally legally obtained copy for non-commercial personal use.
(b) A fair dealing with a literary, dramatic, musical or artistic work for the purpose of reporting current events:
- In a newspaper, magazine or similar periodical.
- By broadcast or in a cinematograph film or by means of photographs.

6. Explanation
- The publication of a compilation of addresses or speeches delivered in public is not a fair dealing of such work within the meaning of this clause.
- The defence of fair dealing is an integral part of copyright law. The fair dealing defence allows certain usage of literary works which would otherwise have been an infringement of copyright.
- The fair dealing defence states that copyright must not stifle the very creativity that the law is meant to foster.
- The Indian Copyright Act, under Section 52, makes fair dealing a valid defence to copyright infringement.
- This defence places the burden of proof on the copyright owner to establish infringement. However, the Copyright Act has not defined fair dealing, which has led the Indian courts to rely on the definition of English authorities.
- The incidence of the Indian Patent Act on software proprietary work:
- Inventions are protected by patents. A patent is a legal monopoly granted to the owner of a new invention for a limited period of time. Many countries give a time period of 16 to 20 years. It can be granted for a product as well as a process.
- The Indian Patents Act, 1970 and the Patent Rules, 2003 are the primary legislations on patents and form the regulatory framework.

- It regulates the grant, the operative period, revocation, and infringement of patents.
- To keep with the requirements of the TRIPS Agreement (Trade Related Aspects of Intellectual Property Rights), the Patents Act, 1970 was amended in 2005 and the Patent Rules, 2003 were amended in 2006.
- The inventor first registers the patent. Many manufacturers start production after filing the patent rather than delay getting the new product into the market.
- Copying the patented invention without permission is called infringement. The patent owner may sue for damages and for an injunction ordering the infringer to stop copying the invention.
- An inventor can sell all or part of the rights given by a patent. He or she may also license these rights to a manufacturer. Licensing gives the inventor fees or royalties or both.
- Patent laws vary from country to country.

7. Present provisions of Indian Patent Act
- As per the Patents Act, 1970, a patent is granted only for an invention that is new and useful.
- It must be novel and useful. It must be the inventor's own discovery, as opposed to mere variations of what is already known in India.
- A patent, once granted, confers on the grantee the exclusive privilege of making, selling and using the invention and also of authorising others to do so.
- For practical purposes the patent is a legally created entry barrier, which prevents others from competing with the inventor, as a reward for disclosing the process.
- The TRIPS agreement, to which India is a party, requires that patent protection cover both product and process in every field of technology.
- The Patents Act allows process patents but does not allow product patents for food, medicines, drugs and chemicals.
- The new patent regime by 2005 complies with the World Trade Organization; it is compared with the traditional provisions as shown in the table.
Table 4.5.1

| WTO Requirement | Provisions of Patent Act, 1970 | Transitional Provisions |
| --- | --- | --- |
| Patent duration must be for 20 years. | The duration of process patents is five years from the date of sealing or 7 years from the date of filing. Duration of product patent is 14 years. | New patents bill to be passed. Exclusive marketing rights for a mailbox patent can be granted for 5 years. |
| Both process and product patents must be available in all fields of technology. | Indian Patents Act allows process patents only for food, medicines, drugs, and chemicals. | Product patent applications go into a mailbox to be opened the latest by 2005. However, this has no legal backing. |
| Microorganisms and non-biological processes must be patentable. | Patenting of life forms is not permitted. | Patents will cover microorganisms, non-organisms, and non-biological processes. The biodiversity conservation bill to be passed. |
| There should be no discrimination between imported and domestic products. | The importation of a product is not equivalent to the working of a patent in India. | |
| Plant varieties must be protected through the sui-generis patent system by 1999. | No protection of plant varieties. | Plant varieties bill to be passed. |

8. New trends in IPR law
- India has not taken any major initiatives in the last several years in the direction of protection of intellectual property rights in tune with global development. The new patent law envisages the following:
- Patent protection will facilitate technology transfer. By establishing patents over their exclusive products, companies try to ward off competition. Patents will be used as a strategy for entry barriers against rivals.
- Indian companies will increase research and development budgets and the emphasis will shift from technology seeking to technology providing.
- More fruitful collaborations between universities, research laboratories and corporates.
- Multinational companies will be tempted to set up more research and development centres in India due to cheap intellectual manpower and better patent protection.
- Patent protection will promote original product development and violation of patent laws will become increasingly difficult.
- Patents held by the parent multinational companies will be recognised in India.
- Patents will be powerful instruments for converting knowledge into wealth. Commercialisation of research will start earning royalties.
- Pharmaceutical companies can get genetically engineered products patented.
- Piracy in drugs and pharmaceuticals will end; prices of those essential drugs which are covered by worldwide patents will increase.
- Products of better quality will be easily available to consumers.
- Such results will be patented before publication.
- Software companies will be able to establish patent rights over customised products or programmes.
- Systematic changes will be needed on the part of patent administrators.
- Technologies developed are likely to be licensed out and the marketing of technology will become a viable business.
- The shift from process patents to product patents will transform the pharmaceutical and biotechnology industries.

9. The IT Act 2000 and IPR law
- There are no provisions related to electronic copyright management systems, electronic copyrights, protection of phonogram producers against unauthorised duplication of their phonograms, etc. in the Information Technology Act, 2000.
- Programme copyright does not deal with the idea, and phonograms are yet to gain recognition in India.
- Once the concept of online copyrights is included in Indian IPR legislation, performers, makers of phonograms and software producers would benefit from the following:
o Legal remedy against the misuse of copyright, both direct and indirect, in any manner or form.
o Right of the owner of the copyright to make available to the public programmes and performances stored in electronic media by interactive, on-demand, online delivery methods.

10. General
- For global trade and exchange of services, the internet is the most suitable medium.
- The services available on the internet are software, entertainment, information products, and professional services.
- Still there are many business houses that are not conducting intensive business in cyberspace because of concerns about the predictability of the legal environment governing transactions.
- Such apprehensions result in concerns about intellectual property protection, privacy, security, and other issues.
- Commerce on the internet involves the sale and licensing of intellectual property. To promote an effective environment, sellers must know that their intellectual property will not be stolen and buyers must know that they are obtaining authentic products and not pirated copies.
- There are a few IPR issues which arise with regard to electronic copyrights. They are as follows:
o The liability of online service providers.
o An effective patent system.
o Litigation that may arise due to trademarks.
o Fair use of copyrighted material and effective management of copyright information.
o International standards for determining the validity of patent claims.
o The similarity of internet domain names and registered trademarks.
- Government should improve the IPR laws to address these issues according to international agreements in such a way that our national interest gets protected and preserved.

it
4.6 The Evidence Aspect in Cyber Law
- Recording the evidence is an important function of the trial court. With the growth of e-commerce, electronic evidence has come into the picture. Admissibility of electronic evidence, proving a digital signature and relevance of proof are important before giving the verdict. Provisions related to evidence are given in the Indian Evidence Act, 1872.
- Nowadays electronic agreements, electronic messages and digital signatures are making a great impact on our lives. It is a general perception that electronic evidence is not covered in the Indian Evidence Act, 1872. The Indian Evidence Act, 1872 is amended by the IT Act, 2000.
- Let's see the status of computer records or electronic records in the Indian Evidence Act, 1872 before and after the IT Act, 2000.
- Section 3 gives the definitions of evidence, proved and fact.

1. Evidence : In the Evidence Act the evidence is oral evidence, that is statements of the witness, and documentary evidence. The two types of evidence recognised by the definition of evidence are oral evidence and documentary evidence. The definitions of facts and proved give things and objects the status of evidence.
2. Proved : A fact is said to be proved when, after considering the matters before it, the Court either believes it to exist or considers its existence so probable that a prudent man ought, under the circumstances of the particular case, to act upon the supposition that it exists.
3. Facts : It includes things or objects.
- The definition of evidence in the Indian Evidence Act, 1872 before the amendment by the IT Act, 2000 is:
Evidence means and includes
a. All statements which the court permits or requires to be made before it by witnesses, in relation to matters of fact under inquiry; such statements are called oral evidence.
b. All documents produced for the inspection of the court; such documents are called documentary evidence.
- In the given definition only the words "including electronic records" are added by the IT Act, 2000 amendment.
- Apart from the definition of evidence, the words electronic record and electronic form are introduced alongside documents in certain provisions.
- The following are some provisions of the Indian Evidence Act, 1872 which are altered by the IT Act, 2000.
- In Section 17 of the Indian Evidence Act, 1872, for the words "oral or documentary", the words "oral or documentary or contained in electronic form" shall be substituted by the IT Act, 2000.
- In Section 34 of the Indian Evidence Act, 1872, for the words "Entries in the books of account", the words "Entries in the books of account, including those maintained in an electronic form" shall be substituted by the IT Act, 2000.
- In Section 35 of the Indian Evidence Act, 1872, for the word "record", in both the places where it occurs, the words "record or an electronic record" shall be substituted by the IT Act, 2000.
- In Section 59 of the Indian Evidence Act, 1872, for the words "contents of documents" the words "contents of documents or electronic records" shall be substituted by the IT Act, 2000.
- Section 39 of the Indian Evidence Act, 1872 is substituted vide the IT Act, 2000:
"Section 39 What evidence to be given when statement forms part of a conversation, document, electronic record, book or series of letters or papers
When any statement of which evidence is given forms part of a longer statement, or of a conversation or part of an isolated document, or is contained in a document which forms part of a book, or is contained in part of an electronic record or of a connected series of letters or papers, evidence shall be given of so much and no more of the statement, conversation, document, electronic record, book or series of letters or papers as the Court considers necessary in that particular case to the full understanding of the nature and effect of the statement, and of the circumstances under which it was made."
- Section 131 of the Indian Evidence Act, 1872 is substituted vide the IT Act, 2000:
"Section 131 Production of documents or electronic records which another person, having possession, could refuse to produce
No one shall be compelled to produce documents in his possession or electronic records under his control, which any other person would be entitled to refuse to produce if they were in his possession or control, unless such last-mentioned person consents to their production."
- The definition of document given in Section 3 of the Indian Evidence Act, 1872 is:
"Document" means any matter expressed or described upon any substance by means of letters, figures or marks, or by more than one of those means, intended to be used or which may be used for the purpose of recording that matter.
Illustrations for documents
- A writing is a document; words printed, lithographed or photographed are documents; a map or plan is a document; an inscription on a metal plate or stone is a document; a caricature is a document.
- Ingredients of the definition of the document are:
1. Any matter expressed or described upon any substance by means of letters, figures or marks, or by more than one of those means.
2. The aforesaid expression or description is intended to be used or may be used for the purpose of recording that matter.
- The definitions of electronic record, data and computer system are given in Section 2(1) of the IT Act, 2000:
a. Electronic record
b. Data
c. Computer system

a. Electronic record
- "Electronic record" means data, record or data generated, image or sound stored, received or sent in an electronic form or micro film or computer generated micro fiche.
b. Data
- "Data" means a representation of information, knowledge, facts, concepts or instructions which are being prepared or have been prepared in a formalised manner, and is intended to be processed, is being processed or has been processed in a computer system or computer network, and may be in any form (including computer printouts, magnetic or optical storage media, punched cards, punched tapes) or stored internally in the memory of the computer.
c. Computer system
- "Computer system" means a device or collection of devices, including input and output support devices and excluding calculators which are not programmable and capable of being used in conjunction with external files, which contain computer programmes, electronic instructions, input data and output data, that performs logic, arithmetic, data storage and retrieval, communication control and other functions.
- From the definitions of electronic record, data and computer system it is clear that an electronic record can appear on the screen of the monitor or can be stored on a hard disk, CD or floppy, and is an expression or description of matter upon any substance stored in them.
4.6.1 Characteristics of Electronic Records
1. The copy is practically indistinguishable from the original.
- The original computer record is the one which is created first and stored in the computer's memory. To prove this primary evidence the computer has to be brought to the court, which causes hardship.
- The primary evidence situation is covered in clause (2) of Section 63 and clause (d) of Section 65, which permit secondary evidence of electronic records through CD, floppy, printout etc.
Section 63: Secondary evidence
- Secondary evidence means and includes:
- Clause (2): Copies made from the original by mechanical processes which in themselves insure the accuracy of the copy, and copies compared with such copies.
Section 65 : Cases in which secondary evidence relating to documents may be given
- Secondary evidence may be given of the existence, condition, or contents of a document in the following cases:
- Clause (d): When the original is of such a nature as not to be easily movable.
- The second paragraph of Section 32 of the Indian Evidence Act, which includes a rule against hearsay evidence, does not apply to electronic records.
Proof and Management of Electronic Records; Relevancy, Admissibility and Probative Value of E-Evidence
- There are certain computer outputs of the original electronic record which are granted admissibility as documentary evidence in any proceeding without proof or production of the original electronic record.
- The admissibility of electronic records is given in Subsection (1) of Section 65B of the Indian Evidence Act, 1872.
4.6.2 Admissibility of Electronic Records
Section 65B : Admissibility of electronic records
- Subsection (1): Notwithstanding anything contained in this Act, any information contained in an electronic record which is printed on a paper, stored, recorded or copied in optical or magnetic media produced by a computer (hereinafter referred to as the computer output) shall be deemed to be also a document, if the conditions mentioned in this section are satisfied in relation to the information and computer in question and shall be admissible in any proceedings, without further proof or production of the original, as evidence of any contents of the original or of any fact stated therein of which direct evidence would be admissible.
- As per Section 65B, if any information contained in an electronic record is produced as any of the following computer outputs, the computer output shall also be deemed a document which is admissible in law as evidence, on compliance with certain conditions, of the contents of the original electronic record or of any facts stated therein of which direct evidence would be admissible:
- Computer printout.
- Stored, recorded or copied in optical or magnetic media, that is floppy, CD etc.
- These computer outputs are admissible as proof without producing or proving the original electronic record. The conditions are given in Subsection (2) of Section 65B.

Subsection (2) of Section 65B of the Indian Evidence Act, 1872
1. The computer output containing the information was produced by the computer during the period over which the computer was used regularly to store or process information for the purposes of any activities regularly carried on over that period by the person having lawful control over the use of the computer.
2. During the said period, information of the kind contained in the electronic record or of the kind from which the information so contained is derived was regularly fed into the computer in the ordinary course of the said activities.
3. Throughout the material part of the said period, the computer was operating properly or, if not, then in respect of any period in which it was not operating properly or was out of operation during that part of the period, was not such as to affect the electronic record or the accuracy of its contents.
4. The information contained in the electronic record reproduces or is derived from such information fed into the computer in the ordinary course of the said activities.
There may be different computers or combinations of computers involved, for which the following is provided:
Subsection (3) of Section 65B of the Indian Evidence Act, 1872
- Subsection (3): Where over any period, the function of storing or processing information for the purposes of any activities regularly carried on over that period as mentioned in clause (a) of sub-section (2) was regularly performed by computers, whether:
1. By a combination of computers operating over that period.
2. By different computers operating in succession over that period.
3. By different combinations of computers operating in succession over that period.
4. In any other manner involving the successive operation over that period, in whatever order, of one or more computers and one or more combinations of computers.
- All the computers used for that purpose during that period shall be treated for the purposes of this section as constituting a single computer; and references in this section to a computer shall be construed accordingly.
- Section 65B also provides the following regarding the mode of supply of information to a computer and production of computer output.
Subsection (5) of Section 65B of the Indian Evidence Act, 1872
1. Information shall be taken to be supplied to a computer if it is supplied thereto in any appropriate form and whether it is so supplied directly or (with or without human intervention) by means of any appropriate equipment.
2. Whether in the course of activities carried on by any official, information is supplied with a view to its being stored or processed for the purposes of those activities by a computer operated otherwise than in the course of those activities, that information, if duly supplied to that computer, shall be taken to be supplied to it in the course of those activities.
3. A computer output shall be taken to have been produced by a computer whether it was produced by it directly or (with or without human intervention) by means of any appropriate equipment.
Explanation:
- For the purposes of this section any reference to information being derived from other information shall be a reference to its being derived therefrom by calculation, comparison or any other process.
- The secondary evidence shall be deemed to be a document and shall be admissible in any proceedings as evidence of any content of the original electronic record or of the facts stated therein of which direct evidence would be admissible.
- The fourth limb of Section 65B provides: In any proceedings where it is desired to give a statement in evidence by virtue of this section, a certificate doing any of the following things, that is to say:
1. Identifying the electronic record containing the statement and describing the manner in which it was produced.
2. Giving such particulars of any device involved in the production of that electronic record as may be appropriate for the purpose of showing that the electronic record was produced by a computer.
3. Dealing with any of the matters to which the conditions mentioned in sub-section (2) relate,
and purporting to be signed by a person occupying a responsible official position in relation to the operation of the relevant device or the management of the relevant activities (whichever is appropriate) shall be evidence of any matter stated in the certificate; and for the purposes of this sub-section it shall be sufficient for a matter to be stated to the best of the knowledge and belief of the person stating it.

4.6.3 Relevancy and Admissibility

As we know, under Section 65B the computer outputs are admissible, but we also have to prove them as evidence.
Evidence may be given in any suit or proceedings of the existence or non-existence of every fact in issue and of such
other facts as are hereinafter declared to be relevant, and of no others (Section 5).
- Section 3 says "facts in issue" means and includes any fact from which, either by itself or in connection with other
facts, the existence, non-existence, nature, or extent of any right, liability, or disability, asserted or denied in any suit
or proceeding, necessarily follows.

- For example : A is accused of the murder of B. At his trial the following facts may be in issue :

• That A caused B's death.

• That A intended to cause B's death.

• That A had received grave and sudden provocation from B.

• That A at the time of doing the act which caused B's death was, by reason of unsoundness of mind, incapable of
knowing its nature.

- A fact is said to be relevant to another when one is connected with the other in any of the ways referred to in
the provisions of this Act relating to the relevancy of facts.
- In the IT Act 2000, two new Sections were introduced related to relevancy; they are 22A and 47A:

Section 22A : When oral admissions as to contents of electronic records are relevant

- Oral admissions as to the contents of electronic records are not relevant, unless the genuineness of the electronic
record produced is in question.

Section 47A : Opinion as to digital signature when relevant

- When the Court has to form an opinion as to the digital signature of any person, the opinion of the certifying authority
which has issued the digital signature certificate is a relevant fact.

- According to Section 47, when the Court has to form an opinion as to the person by whom any document was written
or signed, the opinion of any person acquainted with the handwriting of the person by whom it is supposed to be
written or signed that it was or was not written or signed by that person, is a relevant fact.

All the provisions of the Indian Evidence Act which are applicable to document are also applied automatically to
electronic records.

4.6.3(A) Relevancy for Business Community


The relevancy for the business community is given in Sections 16, 32 (para 2) and 34.

1. Existence of course of business when relevant:

When there is a question whether a particular act was done, the existence of any course of business, according to
which it naturally would have been done, is a relevant fact.

Illustrations

a. The question is, whether a particular letter was dispatched. The facts that it was the ordinary course of business
for all letters put in a certain place to be carried to the post, and that particular letter was put in that place, are
relevant.

b. The question is whether a particular letter reached A. The facts that it was posted in due course and was not
returned through the Dead Letter Office are relevant.

4.6.3(B) Authorship of an Electronic Record


- After admissibility and relevance of computer output, the next step is to prove the authorship of the electronic record.
- Under Section 65B the author of an electronic record is a person who may give the certificate.
- Only the person who held an official position in relation to the operation of the computer, or the management of the
activities regularly carried out during the period in which the computer was used regularly to store or process the
information for such activities, can provide the evidence of the authorship of the electronic record.
- The normal method of proving a document is to call as witness the person who had executed or signed it, or who
saw it being executed, or who is otherwise familiar with the document.
- The person who executed the electronic record, or who is otherwise qualified or competent to speak to its
execution, would be required to prove the execution.
- If the electronic record is signed with a digital signature, then the digital signature needs to be proved.


4.6.4 Probative Value of Electronic Evidence


- Probative value of electronic evidence is the weight to be given to it, which has to be judged having regard to the facts
and circumstances of the case.

- The nature of the computer generated evidence would also assume importance in determining its probative value.
There are oral, documentary, circumstantial, direct and real evidences.

Types of electronic evidence

1. Oral evidence
2. Documentary evidence
3. Circumstantial evidence
4. Direct evidence
5. Real evidence (physical)

Fig. 4.6.1 : Types of Electronic Evidence

1. Oral evidence

- Section 60 of the Indian Evidence Act, 1872 prescribes the provision for recording oral evidence.
- All those statements which the court permits or expects the witnesses to make in its presence regarding the
truth of the facts are called oral evidence.
- Oral evidence is that evidence which the witness has personally seen or heard.

2. Documentary evidence

Section 3 of the Indian Evidence Act says that all those documents which are presented in the court for inspection
are called documentary evidence.

3. Circumstantial evidence

A form of evidence that allows a judge or jury to infer or accept a fact based on a set of known circumstances. A fact
that can be used to infer another fact.

Example : The cookie monster is found standing by an open cookie jar with cookie crumbs on his face. The
circumstantial evidence would indicate that the cookie monster ate a cookie. However, he was not actually seen
eating the cookie.

4. Direct evidence

- Evidence from a witness who saw or heard the alleged act, or some physical evidence which proves a fact in
question. (The fact in question must prove the guilt of the accused.)
- Example : Someone sees the cookie monster eat a cookie out of the cookie jar.

5. Real evidence (physical)

- Evidence that consists of physical objects that can be offered into evidence. Real evidence means real or material
evidence. Real evidence of a fact is brought to the knowledge of the court by inspection of a physical object and
not by information derived from a witness or a document.

V Cyber Security and Laws (MU-Sem 7) 4-27 The Concept of Cyberspace

- Example : The cookie jar with the cookie monster's fingerprints on it. Other typical examples: weapons, tools,
tool markings, fingerprints, blood, hair, skin samples.
- To enhance the probative value of the electronic evidence, the kind of software used would also assume
importance.

a. Cases in which statement of relevant fact by person who is dead or cannot be found etc. is relevant

- When it relates to cause of death. When the statement is made by a person as to the cause of his death, or as to
any of the circumstances of the transaction which resulted in his death, in cases in which the cause of that
person's death comes into question.
- Such statements are relevant whether the person who made them was or was not, at the time when they were
made, under expectation of death, and whatever may be the nature of the proceeding in which the cause of his
death comes into question.

b. Entries in books of account including those maintained in an electronic form when relevant

- Whenever they refer to a matter into which the court has to inquire, but such statements shall not alone be
sufficient evidence to charge any person with liability. Illustration : A sues B for Rs. 1,000, and shows entries in his
account-books showing B to be indebted to him to this amount.
- The entries are relevant, but are not sufficient, without other evidence, to prove the debt.
- Comments on admissibility : Entries in account books regularly kept in the course of business are admissible, though
they by themselves cannot create any liability.

4.7 The Criminal Aspect in Cyber Law


- Crime : A violation of criminal law is called crime. Examples of crime are murder, rape, forgery, stealing etc. These
crimes threaten society.

- Criminology: Criminology is the study of criminal behavior.

- Computer crime :
o Any illegal action in which a computer is a tool of a crime is known as computer crime, or any crime the means or
purpose of which is to influence the function of a computer.
o Any event related to computer technology in which a victim suffered or could have suffered loss and a
perpetrator, by intention, made or could have made a gain.
o Computer crime is any criminal offense, activity or issue that involves computers. Computers are used in illegal
activities: child pornography, threatening letters, e-mail spam or harassment, extortion, fraud and theft of
intellectual property, embezzlement.


Categorizing computer-related crime
o A single category cannot accommodate the wide divergence of conduct, perpetrators, victims, and motives found
in examining computer crimes. Adding to this confusion is the fact that computer crimes also can vary depending
upon the jurisdiction criminalizing the conduct. Computers serve in several different roles related to criminal
activity. The three generally accepted categories speak in terms of computers as communication tools, as targets,
and as storage devices.


1. The computer as a communication tool presents the computer as the object used to commit the crime. This
category Includes traditional offenses such as fraud committed through the use of a computer. For example,
the purchase of counterfeit artwork at an auction held on the Internet uses the computer as the tool for
committing the crime. While the activity could easily occur offline at an auction house, the fact that a
computer is used for the purchase of this artwork may cause a delay in the detection of it being a fraud. The
use of the Internet may also make it difficult to find the perpetrator of the crime.
2. A computer can also be the target of criminal activity, as seen when hackers obtain unauthorized access to
Department of Defense sites. Theft of information stored on a computer also falls within this category. The
unauthorized procuring of trade secrets for economic gain from a computer system places the computer in
the role of being a target of the criminal activity.


3. A computer can also be tangential to crime when, for example, it is used as a storage place for criminal
records. For example, a business engaged in illegal activity may be using a computer to store its records. The
seizure of computer hard drives by law enforcement demonstrates the importance of this function to the
evidence gathering process.


4. In some instances, computers serve in a dual capacity as both the tool and target of criminal conduct. For
example, a computer is the object or tool of the criminal conduct when an individual uses it to insert a
computer virus into the Internet. In this same scenario computers also serve in the role of targets in that the
computer virus may be intended to cripple the computers of businesses throughout the world.

Causes/ Factors contributing to computer crime

Cyber criminals always opt for an easy way to make big money. They target rich people or rich organizations like
banks, casinos and financial firms where a huge amount of money flows daily, and hack sensitive information. Catching such
criminals is difficult, and that increases the number of cyber-crimes across the globe. Computers are vulnerable, so laws
are required to protect and safeguard them against cybercriminals. We could list the following reasons for the vulnerability
of computers:

- Easy to access : The problem behind safeguarding a computer system from unauthorized access is that there are many
possibilities of breach due to the complex technology. Hackers can steal access codes, use retina images or advanced voice
recorders etc. to fool biometric systems, and bypass firewalls to get past many security systems.

- Capacity to store data in comparatively small space : The computer has the unique characteristic of storing data in a
very small space. This makes it a lot easier for people to steal data from any other storage and use it for their own
profit.

- Complex : Computers run on operating systems, and these operating systems are programmed from millions of lines of
code. The human mind is imperfect, so people can make mistakes at any stage. Cybercriminals take advantage of these
gaps.

- Negligence : Negligence is one of the characteristics of human conduct. So there is a possibility that, while protecting
the computer system, we may be negligent in some way, which gives a cyber-criminal access to and control over the
computer system.

- Loss of evidence : The data related to the crime can be easily destroyed. So loss of evidence has become a very
common and obvious problem which paralyzes the system behind the investigation of cyber-crime.

4.7.1 Strategy for Preventing Computer Crime

To prevent computer crime there are two main aspects of the strategy.

1. Systemic methodology

- Computer crime is a new kind of criminal offence that proceeds across transnational borders.
- Concerted international cooperation is needed to successfully address this crime.
- International collaboration and exchange of technology related to data security should be ______
- It has become very important to develop concepts or guidelines for computer security.
- The implementation of such a manual, at all levels within an organization and between organizations, should be
made obligatory. Such guidelines or manual, when sincerely implemented, hold greater prospects of success than
enacting new legislation for data protection.
- It should be made obligatory on the part of companies or institutions to give in their annual reports an
affirmation to the effect that the data security standards described by the manual have been adopted. A
transaction-oriented system need permit only read-only or enquiry-only access; this offers a greater degree of
protection than a system of access for programming.

2. Legal deterrents

- Separation of the activities which are composed of resources that are non-offences.

- Amendment of the domestic criminal law based on an international understanding, to meet the requirement of
prevention of computer related crime.

- Effective prosecution, inter alia by adopting the existing criminal procedure and related provisions.

- The formulation and adoption of a procedure for the investigation of computer crime is cardinal to the effective
translation into action of any new piece of legislation for amendment or supplementation of existing law.

- The guidelines or rules should spell out the procedural aspects relating to search of premises, seizure of
incriminating documents or materials, the duty of witnesses etc.

- In addition to the above, considering the fast changing nature of computer related crime, it is desirable to adopt
the guidelines and classification suggested by the Organisation for Economic Co-operation and Development
(OECD) with necessary amendments to suit national requirements.

4.7.2 Amendments to Indian Penal Code 1860

1. Electronic Record (section 29A)

The words "electronic record" shall have the meaning assigned to them in clause (t) of sub-section (1) of section 2 of
the Information Technology Act, 2000.

2. Public servant framing an incorrect document with intent to cause injury (section 167)

Whoever, being a public servant, and being, as such public servant, charged with the preparation or translation of
any document or electronic record, frames, prepares or translates that document or electronic record in a manner
which he knows or believes to be incorrect, intending thereby to cause or knowing it to be likely that he may thereby
cause injury to any person, shall be punished with imprisonment of either description for a term which may extend to
three years, or with fine, or with both.

Absconding to avoid service of summons or other proceeding (section 172)

Whoever absconds in order to avoid being served with a summons, notice or order, proceeding from any public
servant legally competent, as such public servant, to issue such summons, notice or order, shall be punished with
simple imprisonment for a term which may extend to one month, or with fine which may extend to five hundred
rupees, or with both; or, if the summons or notice or order is to attend in person or by agent, or to produce a
document or an electronic record in a court of justice, with simple imprisonment for a term which may extend to six
months, or with fine which may extend to one thousand rupees, or with both.
3. Preventing service of summons or other proceeding, or preventing publication thereof (section 173)

Whoever in any manner intentionally prevents the serving on himself, or on any other person, of any summons, notice
or order proceeding from any public servant legally competent, as such public servant, to issue such summons, notice
or order, or intentionally prevents the lawful affixing to any place of any such summons, notice or order, or
intentionally removes any such summons, notice or order from any place to which it is lawfully affixed, or intentionally
prevents the lawful making of any proclamation, under the authority of any public servant legally competent, as such
public servant, to direct such proclamation to be made, shall be punished with simple imprisonment for a term which
may extend to one month, or with fine which may extend to five hundred rupees, or with both; or, if the summons,
notice, order or proclamation is to attend in person or by agent, or to produce a document or electronic record in a
Court of Justice, with simple imprisonment for a term which may extend to six months, or with fine which may extend
to one thousand rupees, or with both.


4. Omission to produce document or electronic record to public servant by person legally bound to produce it
(section 175)

Whoever, being legally bound to produce or deliver up any document or electronic record to any public servant, as
such, intentionally omits so to produce or deliver up the same, shall be punished with simple imprisonment for a term
which may extend to one month, or with fine which may extend to five hundred rupees, or with both, or, if the
document or electronic record is to be produced or delivered up to a Court of Justice, with simple imprisonment for
a term which may extend to six months, or with fine which may extend to one thousand rupees, or with both.

Illustration : A, being legally bound to produce a document before a District Court, intentionally omits to produce the
same. A has committed the offence defined in this section.

5. Fabricating false evidence (section 192)

Whoever causes any circumstance to exist or makes any false entry in any book or record, or electronic record, or
makes any document or electronic record containing a false statement, intending that such circumstance, false entry
or false statement may appear in evidence in a judicial proceeding, or in a proceeding taken by law before a public
servant as such, or before an arbitrator, and that such circumstance false entry or false statement, so appearing in
evidence, may cause any person who in such proceeding is to form an opinion upon the evidence, to entertain an
erroneous opinion touching any point material to the result of such proceeding, is said "to fabricate false evidence".
Illustrations
(a) A, puts jewels into a box belonging to Z, with the intention that they may be found in that box, and that this
circumstance may cause Z to be convicted of theft. A has fabricated false evidence.
(b) A makes a false entry in his shop-book for the purpose of using it as corroborative evidence in a Court of Justice.
A has fabricated false evidence.
(c) A, with the intention of causing Z to be convicted of a criminal conspiracy, writes a letter in imitation of Z’s
handwriting, purporting to be addressed to an accomplice in such criminal conspiracy, and puts the letter in a
place which he knows that the officers of the Police are likely to search. A has fabricated false evidence.

6. Destruction of document or electronic record to prevent its production as evidence (section 204)

Whoever secretes or destroys any document or electronic record which he may be lawfully compelled to produce
as evidence in a Court of Justice, or in any proceeding lawfully held before a public servant, as such, or obliterates or
renders illegible the whole or any part of such document or electronic record with the intention of preventing the
same from being produced or used as evidence before such Court or public servant as aforesaid, or after he shall have
been lawfully summoned or required to produce the same for that purpose, shall be punished with imprisonment of
either description for a term which may extend to two years, or with fine, or with both.

7. Forgery (section 463)

Whoever makes any false document or false electronic record or part of a document or electronic record, with intent
to cause damage or injury, to the public or to any person, or to support any claim or title, or to cause any person to
part with property, or to enter into any express or Implied contract, or with intent to commit fraud or that fraud may
be committed, commits forgery.

8. Making a false document (section 464)

A person is said to make a false document or false electronic record.

a. First who dishonestly or fraudulently

(i) Makes, signs, seals or executes a document or part of a document.

(ii) Makes or transmits any electronic record or part of any electronic record.

(iii) Affixes any electronic signature on any electronic record.

(iv) Makes any mark denoting the execution of a document or the authenticity of the electronic signature, with the
intention of causing it to be believed that such document or part of document, electronic record or electronic
signature was made, signed, sealed, executed, transmitted or affixed by or by the authority of a person by whom
or by whose authority he knows that it was not made, signed, sealed, executed or affixed.

b. Secondly who, without lawful authority, dishonestly or fraudulently, by cancellation or otherwise, alters a document
or an electronic record in any material part thereof, after it has been made, executed or affixed with electronic
signature, either by himself or by any other person, whether such person be living or dead at the time of such
alteration.

c. Thirdly who dishonestly or fraudulently causes any person to sign, seal, execute or alter a document or an electronic
record or to affix his electronic signature on any electronic record knowing that such person by reason of unsoundness
of mind or intoxication cannot, or that by reason of deception practiced upon him, he does not know the contents of
the document or electronic record or the nature of the alteration.

Illustrations

a. A has a letter of credit upon B for rupees 10,000 written by Z. A, in order to defraud B, adds a cipher to the 10,000,
and makes the sum 1,00,000, intending that it may be believed by B that Z so wrote the letter. A has committed
forgery.

b. A, without Z's authority, affixes Z's seal to a document purporting to be a conveyance of an estate from Z to A, with
the intention of selling the estate to B, and thereby of obtaining from B the purchase-money. A has committed
forgery.
c. A picks up a cheque on a banker signed by B, payable to bearer, but without any sum having been inserted in the
cheque. A fraudulently fills up the cheque by inserting the sum of ten thousand rupees. A commits forgery.

d. A leaves with B, his agent, a cheque on a banker, signed by A, without inserting the sum payable and authorizes B to
fill up the cheque by inserting a sum not exceeding ten thousand rupees for the purpose of making certain payment. B
fraudulently fills up the cheque by inserting the sum of twenty thousand rupees. B commits forgery.
e. A draws a bill of exchange on himself in the name of B without B's authority, intending to discount it as a genuine bill
with a banker and intending to take up the bill on its maturity. Here, as A draws the bill with intent to deceive the
banker by leading him to suppose that he had the security of B, and thereby to get the bill discounted, A is guilty of
forgery.

f. Z's will contains these words: "I direct that all my remaining property be equally divided between A, B and C." A
dishonestly scratches out B's name, intending that it may be believed that the whole was left to himself and C. A has
committed forgery.

g. A endorses a Government promissory note and makes it payable to Z or his order by writing on the bill the words "Pay
to Z or his order" and signing the endorsement. B dishonestly erases the words "Pay to Z or his order", and thereby
converts the special endorsement into a blank endorsement. B commits forgery.

h. A sells and conveys an estate to Z. A afterwards, in order to defraud Z of his estate, executes a conveyance of the
same estate to B, dated six months earlier than the date of the conveyance to Z, intending it to be believed that he
had conveyed the estate to B before he conveyed it to Z. A has committed forgery.

i. Z dictates his will to A. A intentionally writes down a different legatee from the legatee named by Z, and by
representing to Z that he has prepared the will according to his instructions, induces Z to sign the will. A has
committed forgery.

j. A writes a letter and signs it with B's name without B's authority, certifying that A is a man of good character and in
distressed circumstances from unforeseen misfortune, intending by means of such letter to obtain alms from Z and
other persons. Here, as A made a false document in order to induce Z to part with property, A has committed forgery.

k. A without B's authority writes a letter and signs it in B's name certifying to A’s character, intending thereby to obtain
employment under Z. A has committed forgery in as much as he intended to deceive Z by the forged certificate, and
thereby to induce Z to enter into an express or implied contract for service.

Explanation 1: A man's signature of his own name may amount to forgery

a. A signs his own name to a bill of exchange, intending that it may be believed that the bill was drawn by another
person of the same name. A has committed forgery.

b. A writes the word "accepted" on a piece of paper and signs it with Z's name, in order that B may afterwards write on
the paper a bill of exchange drawn by B upon Z, and negotiate the bill as though it had been accepted by Z. A is guilty
of forgery; and if B, knowing the fact, draws the bill upon the paper pursuant to A's intention, B is also guilty of
forgery.

c. A picks up a bill of exchange payable to the order of a different person of the same name. A endorses the bill in his
own name, intending to cause it to be believed that it was endorsed by the person to whose order it was payable. A
has committed forgery.

d. A purchases an estate sold under execution of a decree against B. B, after the seizure of the estate, in collusion with
Z, executes a lease of the estate to Z at a nominal rent and for a long period, and dates the lease six months prior to the
seizure, with intent to defraud A, and to cause it to be believed that the lease was granted before the seizure. B,
though he executes the lease in his own name, commits forgery by antedating it.

e. A, a trader, in anticipation of insolvency, lodges effects with B for A's benefit, and with intent to defraud his
creditors; and in order to give a colour to the transaction, writes a promissory note binding himself to pay to B a sum
for value received, and antedates the note, intending that it may be believed to have been made before A was on the
point of insolvency. A has committed forgery under the first head of the definition.


Explanation 2 : The making of a false document in the name of a fictitious person, intending it to be believed that the
document was made by a real person, or in the name of a deceased person, intending it to be believed that the document
was made by the person in his lifetime, may amount to forgery. Illustration : A draws a bill of exchange upon a fictitious
person, and fraudulently accepts the bill in the name of such fictitious person with intent to negotiate it. A commits
forgery.

Explanation 3 : For the purposes of this section, the expression "affixing electronic signature" shall have the meaning
assigned to it in clause (d) of sub-section (1) of section 2 of the Information Technology Act, 2000.

9. Forgery of record of Court or of public register, etc (section 466)

Whoever forges a document or an electronic record, purporting to be a record or proceeding of or in a Court of
Justice, or a register of birth, baptism, marriage or burial, or a register kept by a public servant as such, or a certificate
or document purporting to be made by a public servant in his official capacity, or an authority to institute or defend a
suit, or to take any proceedings therein, or to confess judgment, or a power of attorney, shall be punished with
imprisonment of either description for a term which may extend to seven years, and shall also be liable to fine.

Explanation 1 : For the purposes of this section, "register" includes any list, data or record of any entries maintained in the
electronic form as defined in clause (r) of sub-section (1) of section 2 of the Information Technology Act, 2000.

Explanation 2 : For the purposes of this section, the expression "affixing electronic signature" shall have the meaning
assigned to it in clause (d) of sub-section (1) of section 2 of the Information Technology Act, 2000.

a. Forgery for purpose of cheating (section 468)

Whoever commits forgery, intending that the document or electronic record forged shall be used for the purpose
of cheating, shall be punished with imprisonment of either description for a term which may extend to seven years,
and shall also be liable to fine.

b. Forgery for purpose of harming reputation (section 469)

Whoever commits forgery, intending that the document or electronic record forged shall harm the reputation of
any party, or knowing that it is likely to be used for that purpose, shall be punished with imprisonment of either
description for a term which may extend to three years, and shall also be liable to fine.

c. Forged document (Section 470)

A false document made wholly or in part by forgery is designated "a forged document"

d. Using as genuine a forged document (section 471)

Whoever fraudulently or dishonestly uses as genuine any document which he knows or has reason to believe to be a
forged document, shall be punished in the same manner as if he had forged such document.

e. Having possession of document described in section 466 or 467, knowing it to be forged and intending to use it as
genuine (section 474)


Whoever has in his possession any document, knowing the same to be forged, and intending that the same shall
fraudulently or dishonestly be used as genuine, shall, if the document is one of the description mentioned in section
466 of this Code be punished with imprisonment of either description for a term which may extend to seven years,
and shall also be liable to fine; and if the document is one of the description mentioned in section 467, shall be
punished with imprisonment for life, or with imprisonment of either description, for a term which may extend to
seven years, and shall also be liable to fine.


f. Counterfeiting device or mark used for authenticating documents other than those described in section 467, or
possessing counterfeit marked material (section 476)

Whoever, counterfeits upon, or in the substance of, any material, any device or mark used for the purpose of
authenticating any document or electronic record other than the documents described in section 467 of this Code,
intending that such device or mark shall be used for the purpose of giving the appearance of authenticity to any
document then forged or thereafter to be forged on such material, or who, with such intent, has in his possession any
material upon or in the substance of which any such device or mark has been counterfeited, shall be punished with
imprisonment of either description for a term which may extend to seven years, and shall also be liable to fine.

g. Falsification of accounts (section 477A)


Whoever, being a clerk, officer or servant, or employed or acting in the capacity of a clerk, officer or servant, wilfully,
and with intent to defraud, destroys, alters, mutilates or falsifies any book, electronic record, paper, writing,
valuable security or account which belongs to or is in the possession of his employer, or has been received by him for
or on behalf of his employer, or wilfully, and with intent to defraud, makes or abets the making of any false entry in,
or omits or alters or abets the omission or alteration of any material particular from or in, any such book, electronic
record, paper, writing, valuable security or account, shall be punished with imprisonment of either description for a
term which may extend to seven years, or with fine, or with both.

Explanation: It shall be sufficient in any charge under this section to allege a general intent to defraud without naming
any particular person intended to be defrauded or specifying any particular sum of money intended to be the subject of
the fraud, or any particular day on which the offence was committed.

4.8 Global Trends in Cyber Law


4.8.1 The Contract Aspect

In the contract aspect, not much debate and deliberation has taken place. In most cases, once security measures such as
encryption are adopted, the basic requirements of authenticity, witnessing, signatures, non-repudiation, origination,
acknowledgement, etc. are taken care of. So two of the three main concepts related to e-commerce, namely originator,
addressee and acknowledgement of receipt of a record, are automatically attended to while implementing a legal
framework for encryption or digital signatures. The concept of time and place of dispatch and receipt is probably the
only area which has been relegated to the background.

4.8.2 The Security Aspect

1. Initiatives by International Organizations

- Many countries have passed laws relating to digital signatures. The United Nations Commission on International
Trade Law (UNCITRAL) is working on a model digital signature law.
- Guidelines relating to cryptography have been adopted by the Organisation for Economic Co-operation and
Development (OECD), which comprises industrialised nations including Australia and the European nations.


- The OECD guidelines cover the following important points:
o Trust in cryptographic methods: cryptographic methods should be trustworthy in order to generate confidence in
the use of information and communication systems.
o Choice of cryptographic methods: users should have the right to choose any cryptographic method, subject to
applicable law.
o Market driven development of cryptographic methods: cryptographic methods should be developed in response
to the needs and demands of individuals, businesses and governments.
o Standards for cryptographic methods: technical standards, criteria and protocols for cryptographic methods
should be developed and promulgated at the national and international level.
o Protection of privacy and personal data: the fundamental rights of individuals to privacy, including secrecy of
communications and protection of personal data, should be respected in national cryptography policies and in
the implementation and use of cryptographic methods.
o Lawful access: national cryptography policies may allow lawful access to the plaintext, or to the cryptographic
keys, of encrypted data.
o Liability: whether established by contract or legislation, the liability of individuals and institutions that offer
cryptographic services should be clearly stated.
o International co-operation: governments should co-operate to co-ordinate cryptography policies. Governments
should avoid creating unjustified obstacles to international trade in the name of enforcing cryptography policy.
- OECD members review these guidelines at least every five years with a view to improving international
co-operation on issues related to cryptography policy.

2. Initiatives by the United States of America

- Many states in the United States have either passed or proposed legislation on digital signatures.
- The Utah Digital Signature Act of 1995 offers a legal framework for the use of cryptography as a tool for data
authentication.
- California and Arizona have passed digital signature legislation enabling electronic transactions with state
entities.
- Minnesota has established licensing criteria for certification authorities and defines their legal responsibilities to
third parties.
- Nevada has passed a law authorising the use of electronic symbols as an alternative to, or supplement for, certain
signatures.
- The Department of Commerce is responsible for licensing cryptographic devices used for data authentication, access
control, proprietary software, automatic teller machines, etc.
- Cryptographic devices and the technical data of these devices are subject to US government export control as
specified in Title 22 of the Code of Federal Regulations.
- The US government has issued a policy paper on global electronic commerce titled 'A Framework for Global
Electronic Commerce'. It aims to accelerate the growth of global electronic commerce through the internet.
- The US government permits companies to export encryption products using the 56-bit Data Encryption Standard
(DES) or an equivalent algorithm.
3. Initiatives by the European Union

The European Commission has launched a study on the legal aspects of digital signatures. The study gives an overview
of the policies of the European Union as well as an insight into the existing rules, regulations and de facto practices
related to digital signatures, and envisages new rules, regulations and practices among the members of the European
Union and its main trading partners.

4. Initiatives by the G-7 countries

The G-7 countries have suggested the following:

- Governments, industry and users must agree on the cryptographic techniques and products to be used in the global
information infrastructure. There should be agreement on the procedure for verifying that these techniques or
products conform to the standards so agreed.
- The agreed techniques and the agreed verification procedures must be made public.
- Agreed techniques must be based on private sector led, voluntary international standards arrived at by
agreement.
- Products conforming to the agreed techniques should be free from:
o Import controls
o Legal restrictions on their use
o Licensing restrictions
- Products meeting the requirements of the agreed techniques should be exportable to all countries except those
which are subject to a UN embargo. Users and suppliers of products meeting the requirements of the agreed
techniques should be free to make technical and economic choices about modes of implementation and
operation, including the choice of hardware and software.

4.8.3 The Intellectual Property Aspects


- US initiatives: the Digital Era Copyright Enhancement Act, 1997, the Digital Copyright Clarification and Technology
Education Act of 1997 and the No Electronic Theft (NET) Act, 1997 are legislations that take care of IPR aspects with
regard to the electronic medium.
- The NII Copyright Protection Act of 1995 makes specific provisions relating to the digital network environment.
- The Global Information Infrastructure Commission (GIIC) has made recommendations on intellectual property law. It
supports efforts for the development of suitable technology to prevent activities which infringe exclusive rights. A
precise demarcation between legal and illegal activities is given to identify the actions that result in infringement of
intellectual property rights.

4.9 Legal Framework for Electronic Data Interchange


4.9.1 The Electronic Data Interchange Scenario in India

The EDI mechanism:

- According to UNCITRAL, the definition of EDI is: "Electronic data interchange (EDI) means the electronic transfer from
computer to computer of information using an agreed standard to structure the information."
- For the conduct of international trade, the use of electronic mail and electronic data interchange is increasing rapidly.
- There are legal obstacles to the communication of legally significant information in the form of paperless messages,
and there is also uncertainty as to their legal effect or validity.
- So a set of internationally acceptable statutes is provided by cyber law to remove a number of these legal obstacles.
Cyber law also secures the legal environment created for electronic commerce.
- UNCITRAL took the decision to formulate model legislation on electronic commerce because, in a number of countries,
the existing legislation governing communication and storage of information is insufficient or outdated, as it does
not consider the use of electronic commerce.
- In certain cases, existing legislation imposes restrictions on the use of modern means of communication, for example
by requiring the use of written, signed or original documents.


- Though some countries have adopted particular provisions to deal with certain aspects of electronic commerce, there
exists no legislation dealing with electronic commerce as a whole. This may result in uncertainty as to the legal nature
and validity of information presented in a form other than a traditional paper document.
- Additionally, while sound laws and practices are necessary in all countries where the use of EDI and electronic mail is
becoming extensive, this need is also felt in many countries with respect to such communication techniques as
telecopy and telex.
- The definition of electronic data interchange is given in Article 2, but the meaning of 'electronic commerce' is not
specified by the model law.
- At the time of preparing the model law, the commission decided that in addressing the subject matter before it, it
would have in mind a broad notion of EDI, covering the variety of trade related uses of EDI that may be referred to
broadly under the term 'electronic commerce'.
- Among the means of communication encompassed in the notion of electronic commerce are the following modes of
transmission based on the use of electronic techniques:

1. Communication by means of EDI defined narrowly as computer-to-computer transmission of data in a
standardized format.
2. Transmission of electronic messages involving the use of either publicly available standards or proprietary
standards.
3. Transmission of free-formatted text by electronic means, for example through the internet.

- Certain types of acknowledgement, for example a UN/EDIFACT message, establish that the data message received is
syntactically correct, i.e. that it can be processed by the receiving computer.
- The reference to 'technical requirements', which is to be construed primarily as a reference to data syntax in the
context of EDI communication, may be less relevant in the context of the use of other means of communication such as
telegram or telex.
- Moreover, beyond mere consistency with the rules of data syntax, technical requirements set forth in applicable
standards may include, for example, the use of procedures verifying the integrity of the content of data messages.
- A robust communication network offers the channel for instant transmission of the message. The message
transmitted over the network should make sense to the receiver of the message, and this is possible only if the
transmitter as well as the receiver adopt the same message formats. A message format is necessary for achieving
standardization.
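The two checks just described, syntactic correctness of a received UN/EDIFACT interchange and a procedure verifying the integrity of its content, can be demonstrated on an actual interchange. The following is an added example and not code from the textbook or from any EDI vendor: it tokenises an EDIFACT interchange using the default service characters (apostrophe, plus, colon and the '?' release character, with no UNA segment) and then verifies the envelope and the per-message segment counts that the UNT and UNZ trailers carry. The sample interchange, the sender and receiver identifiers and the control references are constructed for the illustration.

```python
from dataclasses import dataclass

# UN/EDIFACT default service characters (no UNA segment in the sample):
# segment terminator, element separator, component separator, release (escape) character.
SEG_TERM, ELEM_SEP, COMP_SEP, RELEASE = "'", "+", ":", "?"


@dataclass
class Segment:
    tag: str
    elements: list  # each data element is a list of its component strings


def parse_interchange(raw: str) -> list:
    """Tokenise an interchange into Segments, honouring the '?' release character so an
    escaped '+', ':', '?' or "'" stays data; line breaks between segments are skipped."""
    segments, elements, components, buf = [], [], [], []
    i = 0
    while i < len(raw):
        ch = raw[i]
        if ch == RELEASE and i + 1 < len(raw):
            i += 1
            buf.append(raw[i])
        elif ch in (COMP_SEP, ELEM_SEP, SEG_TERM):
            components.append("".join(buf))
            buf = []
            if ch != COMP_SEP:
                elements.append(components)
                components = []
            if ch == SEG_TERM:
                segments.append(Segment(elements[0][0], elements[1:]))
                elements = []
        elif ch in "\r\n" and not (buf or components or elements):
            pass  # whitespace between segments, not part of the syntax
        else:
            buf.append(ch)
        i += 1
    if buf or components or elements:
        raise ValueError("data after the last segment terminator")
    return segments


def _elem(seg, idx, comp=0):
    """Component `comp` of data element `idx`, or '' when absent."""
    try:
        return seg.elements[idx][comp]
    except IndexError:
        return ""


def verify_interchange(raw: str):
    """Syntax-level integrity check, returning (ok, findings).

    Checks the UNB...UNZ envelope, that UNZ's control reference and message count match
    UNB and the messages actually present, and that every UNH is closed by a UNT whose
    segment count (UNH and UNT included) and reference match what was received. A segment
    dropped or injected in transit therefore surfaces as a count mismatch.
    """
    try:
        segs = parse_interchange(raw)
    except ValueError as exc:
        return False, [str(exc)]
    if not segs or segs[0].tag != "UNB" or segs[-1].tag != "UNZ":
        return False, ["interchange must begin with UNB and end with UNZ"]
    findings = []
    unb_ref, unz_count, unz_ref = _elem(segs[0], 4), _elem(segs[-1], 0), _elem(segs[-1], 1)
    if unz_ref != unb_ref:
        findings.append(f"UNZ reference {unz_ref!r} != UNB reference {unb_ref!r}")
    messages, open_ref, count = 0, None, 0
    for seg in segs[1:-1]:
        if seg.tag == "UNH":
            if open_ref is not None:
                findings.append(f"message {open_ref} not closed before next UNH")
            open_ref, count = _elem(seg, 0), 0
        if open_ref is None:
            findings.append(f"segment {seg.tag} outside any UNH..UNT message")
            continue
        count += 1
        if seg.tag == "UNT":
            claimed, ref = _elem(seg, 0), _elem(seg, 1)
            if ref != open_ref:
                findings.append(f"UNT reference {ref!r} != UNH reference {open_ref!r}")
            if not claimed.isdigit() or int(claimed) != count:
                findings.append(f"UNT claims {claimed} segments, counted {count}")
            messages, open_ref = messages + 1, None
    if open_ref is not None:
        findings.append(f"message {open_ref} has no UNT")
    if not unz_count.isdigit() or int(unz_count) != messages:
        findings.append(f"UNZ claims {unz_count} messages, counted {messages}")
    return not findings, findings


# Constructed sample interchange (not real trade data): one ORDERS message.
GOOD = (
    "UNB+UNOA:3+SENDERID:ZZ+RECEIVERID:ZZ+240101:1200+ICR0001'\n"
    "UNH+MSG0001+ORDERS:D:96A:UN'\n"
    "BGM+220+PO12345+9'\n"
    "DTM+137:20240101:102'\n"
    "NAD+BY+BUYER01::92'\n"
    "LIN+1++ITEM?+X:SA'\n"  # '?+' is an escaped '+', part of the item code
    "QTY+21:10'\n"
    "UNS+S'\n"
    "UNT+8+MSG0001'\n"  # 8 = segments from UNH to UNT inclusive
    "UNZ+1+ICR0001'\n"
)
# The same interchange with the quantity segment lost in transit; UNT still claims 8.
TAMPERED = GOOD.replace("QTY+21:10'\n", "")
```

`verify_interchange(GOOD)` returns `(True, [])`, while the tampered copy returns `False` with the finding "UNT claims 8 segments, counted 7", which is the kind of condition a CONTRL acknowledgement would report back to the sender. The caveat a practitioner should keep in mind is that this is integrity at the data syntax level only: a party who rewrites the interchange and adjusts the UNT and UNZ counts consistently passes every check here. Detecting that requires the authentication and non-repudiation mechanisms (digital signatures) that the legal framework discussed earlier in this chapter is meant to support, not a stronger syntax check.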
The Ministry of Commerce is the nodal agency for the implementation of Electronic Data Interchange (EDI) in India.
India joined the EDI movement in early 1992, when it obtained observer status in the Asia EDIFACT Board (ASEB).
India became a member of ASEB in August 1992. In order to promote the use of EDI in India, the Ministry of Commerce
has taken initiatives to develop EDI infrastructure. The following are the agencies that cater to the EDI infrastructure:

1. EDI council of India
2. India EDIFACT committee
3. Working group
4. Education and awareness
5. VAN service providers
6. EDI implementation in government regulatory agencies

1. EDI council of India

The EDI council is the apex body consisting of all the key government departments and representatives of trade and
industry. It is responsible for laying down the policy framework and direction for:

- Promotion and propagation of EDI and electronic commerce.
- Creating awareness and education among the potential EDI functionaries and users.
- Streamlining procedures and practices.
- Attending to legal issues.
- Human resource development.
- Any other issue connected with EDI and electronic commerce.

Chairman: Secretary, Ministry of Commerce
Secretariat: EDI Division, Ministry of Commerce, Udyog Bhawan, New Delhi - 110 011

2. India EDIFACT committee

- The India EDIFACT Committee (IEC) is responsible for formulating standards, streamlining procedures in line with
UN/EDIFACT and maintaining liaison with UN/EDIFACT bodies.
- To address all the information needs of different sectors and their interface with UN/EDIFACT standards, the
following Message Development Groups are working:
o Ports Message Development Group under the Indian Ports Association (IPA).
o Airports Message Development Group under the Airports Authority of India (AAI).
o Financial Message Development Group under the Indian Banks Association (IBA).
o Customs Message Development Group under the Central Board of Excise and Customs (CBEC).
o Private Sector Message Development Group under the Federation of Indian Export Organisations (FIEO).
- A Technical Support Group is also working under the National Informatics Centre (NIC), which is responsible for
helping users in EDI related software development and for providing technical support.

Chairman: Additional Secretary, Ministry of Commerce
Secretariat: EDI Division, Ministry of Commerce, Udyog Bhawan, New Delhi - 110 011

3. Working group

The working group is responsible for motivating the various functionaries in the government and ensuring scheduled
implementation of the programme.

4. Education and awareness

- The Federation of Indian Export Organisations (FIEO) is organising regular workshops and seminars throughout
India. FIEO has identified large automotive, chemical, textile and engineering concerns that have already
implemented EDI. These organisations would serve as model organisations for EDI implementation in their
own sectors.
- The All India Management Association (AIMA) of New Delhi is offering courses on EDI, including a Masters
programme. An HRD group is also working to investigate the needs for EDI related human resource development.

5. VAN service providers

- The two major VAN operators in India providing EDI services are NIC and VSNL.
- National Informatics Center (NIC) has set up a nation-wide computer communication network with over 600
nodes connecting the national capital, the state capitals and district headquarters. NICNET provides high speed
information highway nodes within the country and connectivity to Internet as well as to other foreign networks
outside the country.

- Videsh Sanchar Nigam Ltd. (VSNL) has established the GEDIS TradeNET Network service for EDI. It is connected to
two international EDI VAN operators, GEIS and INS UK.

6. EDI Implementation in government's regulatory agencies

- The Ministry of Commerce has selected government regulatory and facilitatory organisations for co-ordinated EDI
implementation.
- These organisations are Customs, Directorate General of Foreign Trade (DGFT), Regional Licensing Authorities,
Airports Authority of India (AAI), Scheduled Banks, Airlines, Reserve Bank of India, Directorate General of
Commercial Intelligence & Statistics (DGCI&S), Chamber of Commerce, Inspection Agencies, Export promotion
organisations, Port Trusts, Container Corporation of India Ltd. (CONCOR), Insurance Agencies.

4.10 Law Relating to Electronic Banking


1. The history of payments

A "bill of exchange" is an instrument in writing containing an unconditional order, signed by the maker, directing a
certain person to pay a certain sum of money only to, or to the order of, a certain person or to the bearer of the
instrument. Such payment instruments are paper based and need to be tendered at a specific bank for payment, either
in person or through another bank in clearing or through collection. Under the Negotiable Instruments Act, 1881 the
cheque or other instrument has to be presented to the drawee for payment. The disadvantage of this system is that a
cheque or demand draft has to be physically presented, which often leads to delay in payment.

2. The clearing house mechanism

The clearing process begins with the deposit of a cheque in a bank. The cheque (along with other cheques) is delivered
to the bank/branch on which it is drawn. The cheque is passed for payment if the funds are available and the banker is
satisfied about the genuineness of the instrument. The cheques that are unpaid are returned to the presenting bank
through another clearing called the Return Clearing. The realisation of the funds occurs after the completion of return
clearing and in the absence of an unpaid cheque.

3. Electronic Clearing System (ECS)

Electronic Clearing System (ECS) is an electronic method of fund transfer from one bank account to another. It is
generally used for bulk transfers performed by institutions for making payments like dividend, interest, salary,
pension, etc. ECS can also be used to pay bills and other charges such as payments to utility companies for
telephone, electricity or water, or for making equated monthly instalment payments on loans as well as SIP
investments.

a. ECS credit

ECS credit is used for affording credit to a large number of beneficiaries by raising a single debit to the customer's
account, for payments such as dividend, interest or salary. ECS payments can be performed by any institution
(ECS user) that has to make bulk or repetitive payments to a number of recipients or beneficiaries. They initiate
the transactions after registering themselves with an approved clearinghouse. ECS users also have to obtain the
consent of the beneficiaries, along with their account particulars, for engaging in the ECS clearings.
Under the scheme, the beneficiaries of repetitive or regular payments can also require the paying institution
to make payment by ECS (credit). ECS users wishing to effect payments have to present the data in a
prescribed format to any one of the recognised clearinghouses. The clearinghouse will debit the account of the
ECS user through the user's bank on a particular day and credit the accounts of the recipient banks, for onward
credit to the accounts of the ultimate beneficiaries. The benefits of ECS credit to the clients are as
follows:
o The end beneficiary need not make frequent visits to his bank for depositing physical paper instruments.
o The delay in realisation of proceeds, which used to happen with the receipt of paper instruments, is eliminated.
o The ECS user saves on administrative machinery for printing, dispatch and reconciliation.
o It provides the ability to make payment and ensure that the beneficiary's account gets credited on a designated
date.

b. ECS debit

- ECS debit is used for raising debits to a number of accounts of consumers or account holders for affording a single
credit to a particular institution, in cases such as utility payments like electricity bills and telephone bills. ECS
debit is a scheme in which an account holder can authorise an ECS user to recover a prescribed amount by raising
a debit on his account. The ECS user has to receive an authorisation, called an ECS mandate, for raising such
debits. These mandates have to be approved by the bank branch maintaining the account.
- Any ECS user participating in the scheme has to register with an approved clearinghouse. The ECS user should
receive the mandate forms from the participating destination account holders with the bank's acknowledgement.
A certified copy of the mandate should be available with the drawee bank.
- The ECS user has to submit the data in a specified form through the sponsor bank to the clearinghouse. The
clearinghouse would pass on the debit to the destination account holder through the clearing system and credit
the sponsor bank's account for onward crediting to the ECS user. All the unprocessed debits have to be returned to
the sponsor bank within the time frame specified. Banks treat the electronic instructions received through the
clearing system at par with physical cheques. The benefits of ECS debit to the clients are as follows:
o Trouble-free: eliminates the need to go to collection centres or banks and to stand in long queues for payment.
o No tracking: customers are not required to track down payments by last dates; the ECS users monitor them.
o The ECS user saves on administrative machinery for collecting the cheques and monitoring their realisation
and reconciliation.
o Better cash management: chances of fraud due to fraudulent access to paper instruments and their encashment
are avoided.
o Realisation of payments on a single date is enabled instead of fractured receipt of payments.

4. Cheque truncation

- Cheque truncation is a method of payment processing whereunder the movement of the paper instrument is
truncated by substituting electronic transmission of the cheque details or data. The Shere Committee had
examined the legal issues pertaining to cheque truncation and had indicated that the definition of presentment in
the Negotiable Instruments Act may have to be amended for adoption of a cheque truncation system in India.
- Under the Negotiable Instruments Act, 1881, cheques have to be presented for payment to the drawee bank.
Without such presentment, no cause of action arises against the drawer.
- In default of presentment of a cheque to the drawee for payment, other parties to the cheque are not liable to
the holder. It is by banking practice and under the Uniform Rules and Regulations for Clearing Houses that banks
have agreed to presentment at a place other than the branch, such as the clearing house.
- Besides, the implications of the definition of payment in due course under the Negotiable Instruments Act, 1881
may make it difficult for banks to introduce a cheque truncation system simply by agreement among themselves.
- The right of the paying bank to require physical presentation and possession of the cheque is designed to
provide the bank with an opportunity to examine the signature and other authentication of the cheque.
- This is meant essentially to protect the interest of the drawer. Therefore, in the UK, the cheque truncation system
started with customer consent agreements and was eventually introduced after a fair degree of familiarisation
with imaging technology by the banks.
- Thus, introduction of a cheque truncation system may require adoption of a fairly standardised imaging technology
and appropriate amendments to the Negotiable Instruments Act, 1881.

5. Electronic Fund Transfer (EFT): Present set up


- An Electronic Funds Transfer (EFT) is a transaction that takes place over a computerised network, either among
accounts at the same bank or between accounts at separate financial institutions.
- EFTs include direct-debit transactions, wire transfers, direct deposits, ATM withdrawals and online bill pay
services. In the United States, many such transactions are processed through the Automated Clearing House (ACH)
network, the transfer system of the Federal Reserve that connects US banks, credit unions and other financial
institutions.
- For example, when you use your debit card to make a purchase at a store or online, the transaction is processed
using an EFT system. The transaction is very similar to an ATM withdrawal, with near-instantaneous payment to
the merchant and deduction from your checking account.
- Direct deposit is another form of electronic funds transfer. In this case, funds from your employer's bank
account are transferred electronically to your bank account, with no need for paper-based payment systems.

6. EFT in future: Electronic Funds Transfer Act

- In 1993, the Reserve Bank had set up the Committee for Proposing Legislation on Electronic Funds Transfer and
other Electronic Payments (Chairperson: Smt. Shere). The committee had recommended a set of EFT Regulations
by the Reserve Bank under the Reserve Bank of India Act, 1934 and amendment to the Bankers' Books Evidence
Act, 1891 as short term measures, and enactment of an Electronic Funds Transfer Act, a Computer Misuse and
Data Protection Act, etc. as long term measures.

- The Reserve Bank has since initiated steps for the framing of EFT Regulations. The Government of India have also
taken steps for promoting the Information Technology Bill, 1999 and consequential amendments to the Reserve
Bank of India Act, 1934, the Bankers' Books Evidence Act, 1891, etc.
- The proposed Information Technology Bill, 1999 and Electronic Commerce Bill, 1999 are intended to be general
purpose legislation covering mainly issues like secure electronic records and digital signatures, duties of
certification authorities, liability of network service providers, computer crimes, etc.
- Both the bills deal with electronic contracts and they are being promoted to facilitate the introduction of
Electronic Data Interchange in the commercial sector. They are, however, equally applicable to electronic funds
transfer, already launched by the Reserve Bank and increasingly resorted to by the user banks of the VSAT based
network, the INFINET.
- However, there is still a need for a separate Act for electronic funds transfer, because certain issues like payment
finality, rights and obligations of the parties involved in electronic funds transfer, etc. cannot be covered in
general purpose bills like the proposed Information Technology Bill or the proposed Electronic Commerce Bill.
- The EFT Regulations being framed by the Reserve Bank would address only the specific type of EFT system that the
Reserve Bank would be involved with, as a service provider as also a regulator. The EFT Regulations would,
moreover, cover only credit transfer related transactions and not debit clearing transactions. A separate
legislation on the lines of the Electronic Funds Transfer Act of the USA is, therefore, required, which would be
consumer protection oriented and would at the same time address transactional issues like execution of payment
orders, settlement finality, etc.
- The Reserve Bank has taken the help of a consultant in drafting new legislation on an electronic funds transfer
system and in proposing amendments to the Reserve Bank of India Act, 1934. The Committee, after a careful
examination of the issue, has endorsed the view that the proposed Electronic Funds Transfer Act should cover all
forms of electronic payments.
- The Committee supports the view that the Reserve Bank, at an appropriate time, consider operating the
inter-bank payment systems through an agency or subsidiary so that its regulatory role is rendered distinct from
its supervisory role. Retail payment systems such as the ECS and the EFT Remittance Processing Scheme presently
operational may be managed by a group of large banks with country wide branch networks and technical
capability, with settlement assistance from the Reserve Bank.
- This would enable the RBI to confine its efforts only to large value, time critical transfers to be settled on an
RTGS basis. In the ongoing debate on the role of the central bank in payment systems, the trend is towards
distinguishing the central bank's role as a regulator from that of a service provider, which could be the
banks themselves or entities under their control. It is necessary that the legal framework for payment systems
takes into account this international trend.

7. Law of netting/settlement

- Real Time Gross Settlement (RTGS): a funds transfer function in which the transfer of money takes place from one
bank to another on a real-time basis, without delaying or netting with any other transaction.
- RTGS is regarded as the centrepiece of the integrated system. The RTGS is the centralised settlement system into
which all dispersed settlement systems will flow.
- The RTGS will enable real time and online fund management for the financial system. Transition to an RTGS
environment is the main objective of payments system reforms in most countries of the world.
- Access to cross border settlement systems such as TARGET in Europe is conditional on the availability of a
domestic RTGS for each of the participating countries.

- Main international finance centres like New York, London, Tokyo and Hong Kong operate in the RTGS
environment.
- RTGS is critical for an effective risk management strategy. The risk inherent in a net settlement system is well
known: the interdependencies in a net settlement system are such that the default by one bank will lead to a
knock-on or domino effect on the system.
- Gross settlement reduces the risk considerably, as transactions are settled one by one on a bilateral basis in real
time mode.
- In the cross border context, RTGS becomes even more critical, as cross country risks are more difficult to manage
as compared to domestic transactions. Concepts like payment versus payment are especially relevant in cross
currency transactions.
- RTGS provides both the technology and the process controls to manage these risks better. The communication
network forms the backbone for the domestic RTGS system. A national RTGS facility would help promote an
integrated national payment system covering:

o A wide array of payment products and services with a mix of paper and electronic payments.
o ATM, smart card and credit card transactions.
o A national clearing system on a deferred net settlement basis.
o A national DvP (delivery versus payment) system.
o A cross currency clearing and settlement system.
o A money market dealing system.
o Debt and capital market segments.
o A national online government account system.
o A national RTGS system.
o A national currency management and accounting system.
o A wide area satellite based closed user group network providing the communication backbone for the proposed
integrated national payment system.

- The basic issue in a netting system is that of settlement and the systemic risk borne by the participants if one or
some of the participants fail to meet the clearing liability.
- In the case of transfers settled on a gross basis, the parties involved are only two and the principal risk, if any, is
only for the specific transaction. But in multilateral netting systems, where claims and obligations over a period of
time, i.e. incoming and outgoing payments, are set off against each other, in case of failure of a party to meet the
clearing liability the methodology of identifying the counterparties and determining the exposure level becomes
difficult.
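The contrast drawn above between gross settlement and multilateral netting, and the knock-on effect that netting introduces, can be made concrete with a small settlement model. The following is an added example, not code from the textbook or from the Reserve Bank: the payment instructions, the four participants and the liquidity limits are constructed for the illustration and do not describe any real clearing. It computes each participant's multilateral net position, the bilateral exposure a default would leave under gross settlement, and the unwind that a deferred net settlement system would have to perform, iterated until no further participant fails.

```python
from collections import defaultdict

# Constructed sample: payment instructions queued for one clearing cycle as
# (payer, payee, amount). Four participants, six transfers.
INSTRUCTIONS = [
    ("A", "B", 100), ("B", "C", 90), ("C", "A", 80),
    ("C", "D", 50), ("D", "B", 40), ("A", "D", 30),
]
# Assumed maximum net debit each participant can fund at settlement (illustrative only).
LIQUIDITY = {"A": 100, "B": 100, "C": 100, "D": 20}


def net_positions(instructions):
    """Multilateral net position per participant over the cycle: receipts minus payments.
    Negative means a net debtor to the clearing, positive a net creditor. Sums to zero."""
    pos = defaultdict(int)
    for payer, payee, amount in instructions:
        pos[payer] -= amount
        pos[payee] += amount
    return dict(pos)


def gross_exposure(instructions, defaulter):
    """Under gross (RTGS) settlement every transfer settles on its own, so a default leaves
    only the defaulter's unsettled transfers unpaid: one bilateral exposure per payee."""
    exposure = defaultdict(int)
    for payer, payee, amount in instructions:
        if payer == defaulter:
            exposure[payee] += amount
    return dict(exposure)


def unwind(instructions, defaulter):
    """Deferred net settlement failure handling: strike out every instruction to or from the
    defaulter and recompute the survivors' net positions from scratch."""
    return net_positions([i for i in instructions if defaulter not in i[:2]])


def knock_on(instructions, defaulter):
    """Change in net position of each survivor after an unwind, limited to those left worse
    off: the counterparties that unexpectedly have to fund more (or receive less)."""
    before, after = net_positions(instructions), unwind(instructions, defaulter)
    return {p: after.get(p, 0) - v for p, v in before.items()
            if p != defaulter and after.get(p, 0) < v}


def cascade(instructions, first_defaulter, liquidity):
    """Iterated unwind: after each unwind, any survivor whose net debit exceeds the liquidity
    it can raise fails too, and its items are unwound in turn (the domino effect). Returns
    the defaulters in the order they fail."""
    defaulters = [first_defaulter]
    live = [i for i in instructions if first_defaulter not in i[:2]]
    while True:
        failed = sorted(p for p, v in net_positions(live).items() if -v > liquidity.get(p, 0))
        if not failed:
            return defaulters
        defaulters.append(failed[0])  # one failure per round, deterministic order
        live = [i for i in live if failed[0] not in i[:2]]
```

On the sample cycle, netting leaves A a net debtor of only 50 although A pays out 130 gross; that liquidity saving is exactly what unravels when C defaults. `gross_exposure(INSTRUCTIONS, "C")` is `{"A": 80, "D": 50}`, the two unpaid transfers and nothing more. `knock_on(INSTRUCTIONS, "C")` shows the same amounts, but now as changes to net positions: D, who expected to receive 40 net, must instead pay 10, and A's net debit jumps from 50 to 130. With the assumed liquidity limits, `cascade(INSTRUCTIONS, "C", LIQUIDITY)` returns `["C", "A", "D"]`: A cannot fund the larger debit, its items are unwound, and that in turn sinks D. B, who defaulted on nothing, ends the cycle with no settlement at all. This is the difficulty the text refers to: in a netting system the exposure to a default is not the bilateral claim on the defaulter but the result of the whole unwind.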
8. Encryption of messages transmitted over PSTN lines

- The Committee understands that at present banks in both the public and private sectors use a code book for
purposes of coding and decoding TT (telegraphic transfer) messages. For transmitting messages involving transfer of
huge sums, the sending branch codifies the message and the receiving branch decodes the message after its receipt
with the help of the cipher code book. Though the public telephone / wireless network is used, the code is adopted
only for inter-branch transfers of the same bank. However, if messages of funds transfer are to be electronically
transmitted to different bank branches all over the country, it is necessary that a common code for encryption is
evolved and adopted for all banks involved in inter-bank transactions.
- The Committee is aware that as per the existing policy of DoT, the use of PSTN lines for connecting with other
private networks is prohibited unless specific exemption is given by DoT. The Committee strongly recommends the
use of PSTN lines between branches and the INFINET network for its optimum use. It is, therefore, necessary that
banks are permitted to encrypt the messages on the PSTN lines as well. The connectivity to INFINET should
coincide with the permission to encrypt the messages.

- AS regards possible deiay on account of use of PSTN lines. It may be£annot be assured by the
any liability on account of delay, since efficiency of the public telephone netw

service providers.
9. Admission of electronic files as evidence and preservation of records
- The Shere Committee had discussed the issues of admitting electronic records as evidence and of preserving
electronic records, and recommended the need to amend the Bankers' Books Evidence Act, 1891 on the lines of
the Customs and Central Excise Laws (Amendment) Act for the purpose. It is learnt that the Government of India is
processing the amendment of the Bankers' Books Evidence Act, 1891. This is a welcome development and would
meet the legal requirement of acceptance of contracts, documents etc. in electronic form as evidence.
- The Committee considered certain provisions of the proposed Electronic Commerce Bill for admitting electronic
records / signatures as evidence. Clauses 9, 10, 11, 12 and 14 of this proposed Bill, which are relevant in this
connection, are given in Annexure 16. It is worth mentioning that while clauses 9, 10 and 11 of this Bill are based
on the UNCITRAL Model Law, clauses 12 and 14 are based on the Singapore Electronic Transactions Act. As and when
the Electronic Commerce Bill is passed, these provisions will be made applicable, ipso facto, to electronic funds
transfer transactions as well.

10. Funds transfer through (EFT) systems from tax compliance angle

- The Shere Committee had recommended that the Central Board of Direct Taxes (CBDT) may be requested to take
up the question of clarifying and, if required, amending the relevant provisions of the Direct Tax Laws like Section
40A of the Income-Tax Act, 1961.
- The Committee however felt that, for according the funds transfer under the EFT system the same status of
payment as one made by an A/c payee cheque, suitable technology may have to be developed for treating such
transfers as A/c payee transfers. A mere recognition to that effect by the CBDT may not be adequate to treat such
transfers as A/c payee cheques.
- Legal provisions need to be made if such recognition has to be given. The first test would arise when paper
instruments like cheques are used along with the EFT system. So long as both the systems are in existence
at the same time, it would require either amendments to the Negotiable Instruments Act or a separate legislation
to deal with the matter.

4.11 The Need for an Indian Cyber Law

1. The ambitious plan of NITP

- Changes are needed in the Evidence Act to recognize digital signatures and electronic commerce.
- General changes should be undertaken in the Indian Penal Code 1860 and the Indian Patent Act to recognize emerging
technologies, keeping in view the following:
o Prevention of computer crime.
o Digital signature, especially related to electronic fund transfer.
o Copyright and digital intellectual property rights, especially with regard to the internet and World Wide Web.
o Electronic governance.
o Computerization of land records.
o Barcoding of all consumer goods and related amendments in the Weights and Measures Act.
o Cryptography and encryption.
o Privacy of data.

2. The need of protection of data

- Data protection can be defined to include the legal safeguards for individuals regarding information held about them in a
computer database, and the protection from theft, destruction, or damage of software and data held in the
computer's memory.
- For example, government departments and commercial companies hold personal data in computers: a company
may maintain a database of names and addresses of customers, and the income tax office may hold a similar
computerized list of everyone who pays income tax.
- The Data Protection Act 1984 of the UK safeguards an individual's right to see his or her database entries, to correct
inaccuracies or, in some cases, to delete them. As per this act, organizations which hold personal data must
register with the Data Protection Registrar; failure to register is a criminal offence.
- The absence of law relating to digital signature and encryption prevents our country from implementing electronic
fund transfer in a big way.
- The absence of law and legal deterrents relating to computer crime emboldens many computer criminals in the
country to indulge in computer crime.
- The absence of provisions enabling electronic data to be admissible as evidence in courts has put our country decades
behind other nations.

Loss of stamp duty to be compensated :

- The loss of revenue from stamp duty that the country may suffer while encouraging e-contracts.
- E-contracts are formed in the electronic medium and one is unable to affix stamps on the soft documents.
- To compensate for the loss of revenue, the contracting parties liable to stamp duty could be asked to remit the
appropriate value in cash to the exchequer.
- Acknowledgment for such payment could serve as evidence of duty paid in a court of law where the soft
document has to be exhibited as evidence.
- The companies have to remit stamp duty while issuing securities. The Depositories Act, 1996 has made some
amendments to the following corporate and commercial legislations :
o The Indian Stamp Act 1899
o The Companies Act 1956
o The Securities Contracts (Regulation) Act 1956
o The Income Tax Act 1961
o The Benami Transactions (Prohibition) Act 1988
o The Securities and Exchange Board of India Act 1992
3. Transactions in Securities

- Transactions in securities take place on the stock exchange, either directly or through the internet. Trading
in dematerialized securities is a commercial activity taking place in the cyber medium.
- Cyber law has become significant for legal validation of transactions in electronic securities. These
transactions are worth millions of rupees, and any misadventure in the cyber medium can lead to
damage to the capital market in particular and the economy in general.
- In this context, the level of applicability of cyber law in transactions involving soft securities has to be analyzed
and loopholes plugged.

Electronic banking
- At the application level, cyber law has an important role due to the critical nature of financial data transfer.
- Financial messages should have the following features :
o Data transmission - The receipt of the message at the intended destination.
o Data integrity - The content of the message received is the same as the transmitted one.
o Data acknowledgment - The sender of the information should be able to verify its receipt by the recipient.
o Data authenticity - The recipient of the message can verify that the sender is indeed the person claimed.
o Data security - Information in transit should not be observed, altered or extracted. Any attempt to tamper
with the data in transit must be revealed.
o Non-repudiation - The sender cannot later deny having sent the message.
- These features boil down essentially to authentication, authorization, confidentiality, integrity, and
non-repudiation.
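As an added illustration (this is example code written for this section, not part of the original text or of any RBI or INFINET system), the following Python program shows how integrity, authenticity, acknowledgment and replay protection can be checked on a funds-transfer message using an HMAC under a shared key. The branch codes, amounts and the 32-byte key are constructed for the example. The caveat it demonstrates is that a shared-key MAC gives no non-repudiation: because both branches hold the same key, either of them could have produced the tag, so that last property needs a digital signature under the sender's private key, which is the reason the text calls for a certification agency and key management.

```python
import hashlib
import hmac
import json
import secrets

# Constructed example, not code from the original text. A single 32-byte key is
# assumed to be shared by the sending and receiving branch (e.g. distributed
# out of band). Branch codes and amounts below are invented for illustration.
# Note: because the key is shared, this MAC does not give non-repudiation;
# either party could have produced it. That needs a signature under the
# sender's private key, which this example deliberately does not implement.

def canonical(fields: dict) -> bytes:
    """Deterministic encoding so both sides MAC exactly the same bytes."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()

def mac(key: bytes, data: bytes) -> str:
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def make_message(key: bytes, seq: int, sender: str, receiver: str,
                 amount: str, currency: str) -> dict:
    """Sender side: body plus an HMAC tag over the canonical body.
    The sequence number is inside the MACed body so it cannot be altered."""
    body = {"seq": seq, "from": sender, "to": receiver,
            "amount": amount, "currency": currency}
    return {"body": body, "mac": mac(key, canonical(body))}

class Receiver:
    """Receiving branch: checks integrity/authenticity, rejects replays,
    and issues an acknowledgement the sender can verify."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = 0      # highest sequence number accepted so far
        self.ledger = []       # accepted transfer bodies

    def verify(self, msg: dict) -> str:
        body = msg["body"]
        expected = mac(self.key, canonical(body))
        # compare_digest avoids leaking the tag through timing differences
        if not hmac.compare_digest(expected, msg["mac"]):
            return "reject: integrity/authenticity check failed"
        if body["seq"] <= self.last_seq:
            return "reject: replay (sequence number already seen)"
        self.last_seq = body["seq"]
        self.ledger.append(body)
        return "accept"

    def acknowledge(self, msg: dict) -> dict:
        """Acknowledgement binds the hash of the accepted body under the key."""
        ack = {"seq": msg["body"]["seq"],
               "ack_of": hashlib.sha256(canonical(msg["body"])).hexdigest()}
        return {"ack": ack, "mac": mac(self.key, canonical(ack))}

def sender_check_ack(key: bytes, msg: dict, ack_msg: dict) -> bool:
    """Sender side: the ack must carry a valid tag and refer to the message sent."""
    if not hmac.compare_digest(mac(key, canonical(ack_msg["ack"])), ack_msg["mac"]):
        return False
    return ack_msg["ack"]["ack_of"] == hashlib.sha256(canonical(msg["body"])).hexdigest()

def demo() -> tuple:
    """Runs a genuine transfer, a tampered copy and a replay through the receiver."""
    key = secrets.token_bytes(32)
    rx = Receiver(key)
    m1 = make_message(key, 1, "BR001", "BR002", "1500000.00", "INR")
    genuine = rx.verify(m1)                                  # "accept"
    ack_ok = sender_check_ack(key, m1, rx.acknowledge(m1))   # True
    tampered = {"body": dict(m1["body"], amount="9500000.00"), "mac": m1["mac"]}
    altered = rx.verify(tampered)                            # MAC no longer matches
    replayed = rx.verify(m1)                                 # same seq seen again
    return genuine, ack_ok, altered, replayed

if __name__ == "__main__":
    print(demo())
```

The sequence number is what turns a bare MAC into a replay check: a captured genuine message re-sent an hour later still carries a valid tag, so the receiver must remember the last accepted number per sender and refuse anything at or below it.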
- There should be an appropriate institutional arrangement for key management and authentication.
- This is normally done by certification agencies. For the banking and financial sector, the RBI should appoint a
suitable agency as a certification agency.
- There should be a proper assessment of the participants of the financial network in terms of their
creditworthiness, financial soundness, etc.
- Initially, the Indian Financial Network (INFINET) will be a Closed User Group (CUG) network, but in due course this
network will have to be connected to public networks like the Society for Worldwide Interbank Financial
Telecommunication (SWIFT), etc. So it is necessary to look at the possibility of having firewall implementations,
and they need to meet the following criteria :
o All inbound and outbound traffic must pass through the firewall. The firewall should check and authorize the traffic. The
firewall itself should be immune to penetration.
o Firewalls can be implemented using packet filtering routers, application-level and circuit-level gateways,
and also network address translation devices.
o Stateful multilayer inspection gateways combine the advantages of the above and give better performance,
flexibility, and security. This environment can handle all kinds of protocols, such as Transmission Control
Protocol (TCP), User Datagram Protocol (UDP), Remote Procedure Call (RPC), Internet Control Message
Protocol (ICMP), etc. New applications can be added easily and this environment is totally transparent to end-users.
o Firewalls are used to implement access control as well as to provide for user authentication and to
ensure data integrity (encryption combined with message authentication; encryption alone does not detect
alteration). It is important that banks have their own security policy and
then design security solutions accordingly. Regular reviews of security policies and their implementation are
also important. Highly secured, secured and non-secured messages should be clearly demarcated in the security
policy. Banks are therefore advised to have a dedicated group with enough competence and capability
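The difference between a packet filtering router and a stateful inspection gateway listed above is easiest to see on concrete traffic. The following Python simulation is an added example written for this section (not code from the original text or from any bank's firewall); the addresses, ports and the "10.1." closed-user-group prefix are invented. It runs the same four packets through a stateless filter that relies on the ACK flag as an "established" heuristic and through a stateful filter that remembers outbound connections, and shows that only the stateful one drops an attacker's forged "established" packet.

```python
from dataclasses import dataclass

# Constructed example, not code from the original text. Addresses, ports and
# the "10.1." closed-user-group prefix are invented for illustration.

INTERNAL_PREFIX = "10.1."   # assumed address range of the bank's CUG network

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    flags: frozenset          # TCP flags, e.g. frozenset({"SYN"})

def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_PREFIX)

class StatelessFilter:
    """Packet-filtering router. Each packet is judged on its own headers:
    outbound TCP is allowed, inbound TCP is allowed only when ACK is set
    (the classic 'established' heuristic). It has no memory, so it cannot
    tell a genuine reply from an attacker-crafted packet with ACK set."""

    def decide(self, p: Packet) -> str:
        if p.proto != "TCP":
            return "deny"
        if is_internal(p.src) and not is_internal(p.dst):
            return "allow"
        if not is_internal(p.src) and is_internal(p.dst) and "ACK" in p.flags:
            return "allow"
        return "deny"

class StatefulFilter:
    """Stateful inspection gateway. An outbound SYN creates a connection
    entry; inbound packets are allowed only if they match an entry, so a
    forged 'established' packet aimed at a host that opened nothing is dropped."""

    def __init__(self):
        self.table = set()    # (internal ip, port, remote ip, port)

    def decide(self, p: Packet) -> str:
        if p.proto != "TCP":
            return "deny"
        if is_internal(p.src) and not is_internal(p.dst):
            if p.flags == frozenset({"SYN"}):
                self.table.add((p.src, p.sport, p.dst, p.dport))
            return "allow"
        if not is_internal(p.src) and is_internal(p.dst):
            if (p.dst, p.dport, p.src, p.sport) in self.table:
                return "allow"
        return "deny"

def run(fw, packets) -> list:
    """Feed packets through a filter in order and collect its decisions."""
    return [fw.decide(p) for p in packets]

# Constructed traffic: a genuine outbound connection and its reply, then an
# attacker's forged ACK packet and a bare inbound SYN (port probe).
TRAFFIC = [
    Packet("10.1.0.5", 40000, "203.0.113.10", 443, "TCP", frozenset({"SYN"})),
    Packet("203.0.113.10", 443, "10.1.0.5", 40000, "TCP", frozenset({"SYN", "ACK"})),
    Packet("198.51.100.7", 4444, "10.1.0.9", 3389, "TCP", frozenset({"ACK"})),
    Packet("198.51.100.7", 5555, "10.1.0.9", 22, "TCP", frozenset({"SYN"})),
]

if __name__ == "__main__":
    print("stateless:", run(StatelessFilter(), TRAFFIC))   # third packet slips through
    print("stateful: ", run(StatefulFilter(), TRAFFIC))
```

The point for the policy the text asks banks to write: "all traffic must pass through the firewall" only helps if the firewall can distinguish a reply it solicited from a packet that merely looks like one, which is state, not a flag check.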
Indian IT Act

Syllabus

Cyber crime and criminal justice: Penalties, Adjudication and appeals under the IT Act, 2000, IT Act, 2008 and its
amendments

5.1 Cyber Crime and Criminal Justice

5.1.1 Concept of 'Cyber Crime' and the IT Act, 2000
- The term cybercrime is not defined in the Information Technology Act, 2000, and the expression is not used in it.
The IT Act, 2000 only gives the definitions of certain offences and the punishments for them.
- If we define cyber crime narrowly, then cybercrime means the crimes which are mentioned in the Information
Technology Act, 2000. These are restricted to tampering with computer source code, cyber
pornography, hacking, email abuse, harassment, defamation, IPR theft, cyber fraud etc.
- If we define cyber crime broadly, then cybercrime is any act of commission committed on or via or with the help of the
internet, whether connected directly or indirectly, which is prohibited by law and for which punishment, monetary
and/or corporal, is provided. The IT Act applies to and punishes only certain cyber offences and is not
exhaustive of all cyber crimes.
- For example, if a person gives a death threat through the internet, he is liable for the offence of criminal intimidation
under Section 506 of the Indian Penal Code 1860 and for no offence under the IT Act; this offence is still known as cyber crime
as per the broad definition.

Classification of cyber crime :

The cyber crimes are classified as :

1. Old crimes 2. New crimes

1. Old crimes

- These crimes are committed on or via the new medium of the internet, for example fraud, defamation, threats,
misappropriation, cheating etc. All the mentioned crimes are old but the place of operation is new, and the new
place is the internet. Because of the high speed of the internet and its global access, it is easy, risk free and efficient
to perform such crimes.
- These crimes are cheap and profitable to commit. They can be called crimes on the internet.

2. New crimes

- These crimes are created by the internet itself, for example planting viruses, hacking, IPR theft etc. Such crimes
are also known as crimes of the internet.
- New crimes are also used for the commission of old crimes. For example, to carry out cyber frauds, hacking is
committed.

Computer crimes are also classified based on the nature of the usage of the computer :

- Crimes for which the computer is the target, for example hacking, where computers and networks
are central to the commission of the offence.
- Crimes which are assisted by the computer, for example cyber pornography, where the medium is the computer.
- Crimes where the computer is only secondary to the commission, for example cyber fraud.

There are some crimes related to cyberspace which are given in the Indian Penal Code 1860.
It has been observed that in many offences in the IPC the definition of document does not include within its
boundary 'electronic records'.

Document

- Document under IPC Section 29 denotes any matter expressed or described upon any substance by means of letters,
figures or marks, or by more than one of those means, intended to be used, or which may be used, as evidence of that
matter.
- It is explained in IPC Section 29 that it is immaterial by what means or upon what substance the letters, figures or
marks are formed, or whether the evidence is intended for, or may be used in, a court of justice or not.

Electronic records

- The definition of electronic record is given in Section 2(1)(t) of the Information Technology Act, 2000 as follows :

(t) "Electronic record" means data, record or data generated, image or sound stored, received or sent in an electronic
form or microfilm or computer generated microfiche.

5.1.2 Hacking
- One definition of hacker is: people whose profession or hobby is working with computers are known as hackers; they
are also known as crackers.
- Another definition of hacker is a person who enjoys exploring the details of programmable systems and how to
stretch their capabilities, as opposed to most users who prefer to learn only the minimum necessary; one who
programs enthusiastically is also known as a hacker.
- The definition which is more commonly used for hacking is breaking into computer systems.

There are the following types of hackers :

Types of hackers

1. Code hackers
2. Phreakers
3. Cyberpunks and Crackers

Fig. 5.1.1 : Types of Hackers

1. Code hackers
The code hackers are the people who have knowledge of the intricacies of computer systems and their
operations.

2. Phreakers
Phreakers are those people who have deep knowledge of the internet and telecommunication systems.
3. Cyberpunks and crackers

- Cyberpunks are people who are specialized in cryptography, and crackers are those people who break into computer security
systems.
- Criminal hacking is the biggest threat to the Internet and e-commerce. Many netizens think that the Internet is
vulnerable and weak. If hacking is uncontrollable then it will raise questions about the technology, so it is necessary to
check hacking in all circumstances if the internet is used for e-commerce.
- If hacking remains unchecked and uncontrollable, then it will dampen the spirit of web entrepreneurs entering
the IT industry by putting up websites, and as a result it affects the future of e-commerce.
- E-commerce has become costlier as there is a huge cost worldwide for installing systems to guard against hackers. For
example, Pakistani hackers have hacked Indian websites. Another example is the insertion of a link to a
pornographic website in the SEBI website. Hacking is also used for propaganda against institutions and
governments.
- Hacking is done for the following purposes :
a. Teenagers obsessed with the internet do hacking for fun, as a hobby.
b. A businessman does hacking to damage the business of a competitor.
c. Hacking is also done with the intention of committing fraud and misappropriation.
d. Hacking is also done by internet security companies for testing their clients' systems and winning their
confidence.
- There are many websites available on the internet which tell how to crash computers and hijack control of computer
systems.
- The IT Act, 2000 defines and punishes hacking as follows :

Section 66 Hacking with Computer System :

(1) Whoever with the intent to cause or knowing that he is likely to cause wrongful loss or damage to the public or any
person destroys or deletes or alters any information residing in a computer resource or diminishes its value or
utility or affects it injuriously by any means, commits hacking.

(2) Whoever commits hacking shall be punished with imprisonment up to three years, or with fine which may extend
up to two lakh rupees, or with both.

- It is necessary to prove the following ingredients before holding a person guilty of the offence of hacking in India :
o An act which destroys or deletes or alters any information residing in a computer resource or diminishes its
value or utility or affects it injuriously by any means.
o The aforesaid act is committed with the intent to cause, or knowing that it is likely to cause, wrongful loss or
damage to the public or any person.
- Like other criminal offences, hacking needs intent or knowledge and the act of commission, as given under
Section 66 (1) of the IT Act, 2000.
- If the act is done innocently or unintentionally, even if it causes loss or damage to the public or any person, it would not
amount to hacking.
- The intent to commit the offence, or knowledge of its likely loss, is a question of fact to be gathered
from the circumstances of each particular case.
- Punishment for criminal hacking is imprisonment up to 3 years or fine up to 2 lakh rupees or both. The victim can also claim
damages from the hacker under civil law.
- Planting a virus in a computer is also considered a contravention under Section 43 of the IT Act, 2000, which covers the following
acts done without the permission of the owner or the person in charge :
o Access to such computer, computer system or computer network. (Section 43(a) of IT Act, 2000).
o Damage to any computer, computer system or computer network, data, computer database or any other
programs residing in such computer system or computer network. (Section 43(d) of IT Act, 2000).
o Disruption of any computer, computer system or computer network. (Section 43(e) of IT Act, 2000).
o Assistance to any person to facilitate access to a computer, computer system or computer network in
contravention of the IT Act or rules and regulations made thereunder. (Section 43(g) of IT Act, 2000).
- Hacking for the purposes of the Act is defined only in Section 66(1) of the Act, which has already been discussed.
- For determining the quantum of compensation where one or more of the above contraventions are proved, the
adjudicating officer would be required to have due regard to (Section 47 of the IT Act) :
1. The amount of gain of unfair advantage, whenever quantifiable, made as a result of the default.
2. The amount of loss caused to any person as a result of the default.
3. The repetitive nature of the default.

5.1.3 Teenage Web Vandals

- The attraction of the internet has given birth to teenage cyber criminals. Nowadays hacking has become an attraction
for teenagers. 'How to hack' CDs are available in the market cheaply and easily.
- These CDs contain information about hacking the internet and hijacking computers. The motivations of
teenage cyber criminals are as follows :
1. Many teenagers are hungry for fame and publicity because of the reach of the internet.
2. Many teenagers feel the excitement of achieving something great by doing something different.
3. Some teenagers want to demonstrate their knowledge of the internet and computer programming.
4. Many teenagers do not know the adverse effects of the act of hacking; they have the perception
that there will be no loss due to hacking.
5. Teenagers' obsession with computer programming and the internet has not been given the right direction.
6. Lack of fear of the law and its enforcement, because of the anonymity given by the various systems of the internet; you can
say it is considered a risk free adventure.
7. Tools required for committing hacking are cheap and easily obtained.
- The elder members of the family have to monitor the teen's activities.
- Parents and teachers can effectively act as policemen to prevent teenage hacking.

5.1.4 Cyber Fraud and Cyber Cheating

and business.

5.1.4(A) Fraud (Section 17, Indian Contract Act, 1872)

- 'Fraud' is defined in Section 17 of the Indian Contract Act, 1872 as any of the following acts committed by a party to a
contract, or with his connivance, or by his agent, with intent to deceive another party thereto or his agent, or to induce
him to enter into the contract :
1. The suggestion, as a fact, of that which is not true, by one who does not believe it to be true.
2. The active concealment of a fact by one having knowledge or belief of the fact.
3. A promise made without any intention of performing it.
4. Any other act fitted to deceive.
5. Any such act or omission as the law specially declares to be fraudulent.

Explanation :
Mere silence as to facts likely to affect the willingness of a person to enter into a contract is not fraud, unless the
circumstances of the case are such that, regard being had to them, it is the duty of the person keeping silence to speak,
or unless his silence is, in itself, equivalent to speech.
- The expression cyber fraud is not used for the purpose of criminal law; it is used under the law of contract
and other civil laws. For claiming damages and compensation under the civil law, the expression cyber fraud is used.
- The expression cyber cheating is used for the crime entailing corporal punishment and fine. All frauds can be
considered as cheating but not vice versa. The offence of cheating is popularly called '420' in India. Cheating is defined in the
Indian Penal Code under Section 415 as follows :

5.1.4(B) Section 415 : Cheating

- Whoever, by deceiving any person, fraudulently or dishonestly induces the person so deceived to deliver any property
to any person, or to consent that any person shall retain any property, or intentionally induces the person so deceived
to do or omit to do anything which he would not do or omit if he were not so deceived, and which act or omission
causes or is likely to cause damage or harm to that person in body, mind, reputation or property, is said to cheat.
- Explanation : A dishonest concealment of facts is a deception within the meaning of this section.

1. Ingredients of Cheating

The ingredients of cheating, taken from the text of Section 415 above, are as follows :

a. The accused must have fraudulently or dishonestly induced the person deceived to deliver any property to any
person, or to consent that any person shall retain any property; or
b. The accused must have intentionally induced the person so deceived to do or omit to do anything which he would
not do or omit if he were not so deceived.
c. Such act or omission must cause, or be likely to cause, damage or harm to that person in body, mind, reputation or
property.
d. The inducement must be the result of deceiving that person.
e. A dishonest concealment of facts is also treated as cheating.

Illustrations

The cheating offences are explained using the following illustrations :

a. A, by falsely pretending to be in the civil service, intentionally deceives Z, and thus dishonestly induces Z to let
him have on credit goods for which he does not mean to pay. A cheats.

b. A, by putting a counterfeit mark on an article, intentionally deceives Z into a belief that this article was made by a
certain celebrated manufacturer, and thus dishonestly induces Z to buy and pay for the article. A cheats.

c. A, by exhibiting to Z a false sample of an article, intentionally deceives Z into believing that the article
corresponds with the sample, and thereby dishonestly induces Z to buy and pay for the article. A cheats.

d. A, by tendering in payment for an article a bill on a house with which A keeps no money, and by which A expects
that the bill will be dishonored, intentionally deceives Z, and thereby dishonestly induces Z to deliver the article,
intending not to pay for it. A cheats.

e. A, by pledging as diamonds articles which he knows are not diamonds, intentionally deceives Z, and thereby
dishonestly induces Z to lend money. A cheats.

f. A intentionally deceives Z into a belief that A means to repay any money that Z may lend him and thereby
dishonestly induces Z to lend him money, A not intending to repay it. A cheats.

g. A intentionally deceives Z into a belief that A means to deliver to Z a certain quantity of indigo plant which he
does not intend to deliver, and thereby dishonestly induces Z to advance money upon the faith of such delivery.
A cheats; but if A, at the time of obtaining the money, intends to deliver the indigo plant, and afterwards breaks
his contract and does not deliver it, he does not cheat but is liable only to a civil action for breach of contract.

h. A intentionally deceives Z into a belief that A has performed A's part of a contract made with Z, which he has not
performed and thereby dishonestly induces Z to pay money. A cheats.

i. A sells and conveys an estate to B. A, knowing that in consequence of such sale he has no right to the property,
sells or mortgages the same to Z, without disclosing the fact of the previous sales and conveyance to B, and
receives the purchase or mortgage money from Z. A cheats.

2. Punishment for Cheating

- The punishment for simple cheating is imprisonment which may extend up to one year, or fine, or both (IPC 417).
- For cheating by personation, the punishment is imprisonment for a term which may extend up to 3 years, or fine, or
both (IPC 419).
- If any person is deceived into delivering any property to any person, the punishment is imprisonment for a term
which may extend up to 7 years, and fine (IPC 420).

5.1.5 Virus on the Internet

1. Computer Virus
- Computer virus means any computer instruction, information, data or programme that destroys, damages,
degrades or adversely affects the performance of a computer resource or attaches itself to another computer
resource and operates when a programme, data or instruction is executed or some other event takes place in
that computer resource (Section 43, explanation (iii)).
- An example of a virus is the 'I love you' virus. The cousins of viruses and contaminants are bugs, worms, logic bombs
and trojan horses. They destroy computer systems, programs and the data residing therein.

2. Damage
- Damage means to destroy, alter, delete, add, modify or rearrange any computer resource by any means
(Section 43, explanation (iv)).

3. Computer contaminant
- Computer contaminant means any set of computer instructions that are designed to modify, destroy, record or
transmit data or programs residing within a computer, computer system or computer network
(Section 43, explanation (i)).

4. The penalty and compensation
- If any person, without permission of the owner or any other person who is in charge of a computer, computer
system or computer network, introduces or causes to be introduced any computer contaminant or computer virus
into any computer, computer system or computer network, he will be liable to pay damages by way of compensation
not exceeding rupees one crore to the person affected (Section 43(c)).
- If any person, dishonestly or fraudulently, does any act referred to in Section 43(c), he shall be punishable with
imprisonment for a term which may extend to three years or with fine which may extend to five lakh rupees or
with both (Section 66, as amended in 2008).
- The factors to be taken into account for determining the quantum of compensation are the amount of gain of unfair
advantage, the amount of loss caused and the repetitive nature of the default. The act of planting viruses and
contaminants also amounts to the criminal offence of mischief.

5. Mischief (IPC 425)
- Whoever with intent to cause, or knowing that he is likely to cause, wrongful loss or damage to the public or to any
person, causes the destruction of any property, or any such change in any property or in the situation thereof as
destroys or diminishes its value or utility or affects it injuriously, commits "mischief".
- Explanation 1 : It is not essential to the offence of mischief that the offender should intend to cause loss or
damage to the owner of the property injured or destroyed. It is sufficient if he intends to cause, or knows that he
is likely to cause, wrongful loss or damage to any person by injuring any property, whether it belongs to that
person or not.
- Explanation 2 : Mischief may be committed by an act affecting property belonging to the person who commits
the act, or to that person and others jointly.
- Mischief causing damage to the amount of fifty rupees : Whoever commits mischief and thereby causes loss or
damage to the amount of fifty rupees or upwards shall be punished with imprisonment of either description for
a term which may extend to two years, or with fine, or with both (IPC 427).

5.1.6 Defamation, Harassment and E-mail Abuse

- The freedom of speech and expression given by the Constitution of India is misused by a few people. The criminal
abuse of the internet is on the rise in India.
- As the internet is cost friendly and easily available, many cases of defamation and harassment are reported. It has
become a major cyber crime.
- There are websites available containing concocted nude photographs of Indian Bollywood stars. So let's see what
defamation, harassment and e-mail abuse are.

A. Defamation

- Whoever, by words either spoken or intended to be read, or by signs or by visible representations, makes or
publishes any imputation concerning any person intending to harm, or knowing or having reason to believe that
such imputation will harm, the reputation of such person, is said, except in the cases hereinafter excepted, to
defame that person (IPC 499). In general usage, defamation means damage done to the reputation of a person.
- The imputation cannot be said to harm a person's reputation, unless that imputation directly or indirectly, in the
estimation of others, lowers the moral or intellectual character of that person, or lowers the character of that
person in respect of his caste or of his calling, or lowers the credit of that person, or causes it to be believed that
the body of that person is in a loathsome state, or in a state generally considered as disgraceful.
- If Meena writes a letter to Neeta which is derogatory of Neeta, it is not considered as defamation. But if
Meena writes a letter to Neeta which contains derogatory comments about Reema, then it is considered as
defamation.

B. Punishment

- The law provides that whoever prints or engraves any matter, knowing or having good reason to believe that such
matter is defamatory of any person, shall be punished with simple imprisonment for a term which may extend to
2 years, or with fine, or with both (IPC 501).
- Publishers and editors who publish defamatory matter are also liable for defamation. There are 10
exceptions; if the imputation falls under these 10 exceptions then it is not an offence of defamation.

Exceptions of defamation
1. First exception
2. Second exception
3. Third exception
4. Fourth exception
5. Fifth exception
6. Sixth exception
7. Seventh exception
8. Eighth exception
9. Ninth exception
10. Tenth exception

Fig. 5.1.2 : Exceptions of Defamation

1- First exception
be made or published. It is not defamation to impute anything
Imputation of truth which public good requires to - . that the jmputation should be made or published,
which is true concerning any person if it be
Whether or not«Is for the public good Is aoueshonoffect.
ifir TKkKmlrir
” Publications
Indian IT Act
h0r Security and Laws (MU-Sem7j

Second exception jn g opjnjon whatever respecting the


2.
-ZX dXe^ his public functions, or respecting his character so far as his character

appears in that conduct and no further.

3. Third exception

Conduct of any person touching any public question. It is not defamation to express in good faith any opinion
whatever respecting the conduct of any person touching any public question, and respecting his character so far as his
character appears in that conduct and no further.

Illustrations:
It is not defamation in A to express in good faith any opinion whatever respecting Z's conduct in petitioning
Government on a public question, in signing a requisition for a meeting on a public question, in presiding or attending at
such meeting, in forming or joining any society which invites the public support, in voting or canvassing for a particular
candidate for any situation in the efficient discharge of the duties of which the public is interested.

4. Fourth exception
Publication of reports of proceedings of courts. It is not defamation to publish a substantially true report of the
proceedings of a court of justice or of the result of any such proceedings.
Explanation : A Justice of the Peace or other officer holding an inquiry in open court preliminary to a trial in a court of
justice, is a court within the meaning of the above section.

5. Fifth exception

Merits of case decided in court or conduct of witnesses and others concerned. It is not defamation to express in good
faith any opinion whatever respecting the merits of any case, civil or criminal, which has been decided by a court of
justice, or respecting the conduct of any person as a party, witness or agent in any such case, or respecting the
character of such person as far as his character appears in that conduct and no further.

Illustrations:
a. A says : "I think Z's evidence on that trial is so contradictory that he must be stupid or dishonest". A is within this
exception if he says this in good faith, in as much as the opinion which he expresses respects Z's character as it
appears in Z's conduct as a witness, and no further.
b. But if A says : "I do not believe what Z asserted at that trial because I know him to be a man without veracity", A is
not within this exception, in as much as the opinion which he expresses of Z's character is an opinion not founded
on Z's conduct as a witness.

6. Sixth exception

Merits of public performance. It is not defamation to express in good faith any opinion respecting the merits of any
performance which its author has submitted to the judgment of the public, or respecting the character of the author
so far as his character appears in such performance, and no further.

Explanation : A performance may be submitted to the judgment of the public expressly or by acts on the part of the
author which imply such submission to the judgment of the public.


Illustrations:

a. A person who publishes a book, submits that book to the judgment of the public.

b. A person who makes a speech in public, submits that speech to the judgment of the public.

c. An actor or singer who appears on a public stage, submits his acting or singing to the judgment of the public.

d. A says of a book published by Z : "Z's book is foolish; Z must be a weak man. Z's book is indecent; Z must be a man
of impure mind". A is within the exception, if he says this in good faith, in as much as the opinion which he
expresses of Z respects Z's character only so far as it appears in Z's book, and no further.

e. But if A says : "I am not surprised that Z's book is foolish and indecent, for he is a weak man and a libertine", A is
not within this exception, in as much as the opinion which he expresses of Z's character is an opinion not founded
on Z's book.

7. Seventh exception

Censure passed in good faith by person having lawful authority over another. It is not defamation in a person having
over another any authority either conferred by law or arising out of a lawful contract made with that other to pass in
good faith any censure on the conduct of that other in matters to which such lawful authority relates.

Illustrations:

A Judge censuring in good faith the conduct of a witness or of an officer of the court; a head of a department censuring
in good faith those who are under his orders; a parent censuring in good faith a child in the presence of other children;
a school master, whose authority is derived from a parent, censuring in good faith a pupil in the presence of other
pupils; a master censuring a servant in good faith for remissness in service; a banker censuring in good faith the cashier
of his bank for the conduct of such cashier as such cashier; all are within this exception.

8. Eighth exception

Accusation preferred in good faith to authorized person. It is not defamation to prefer in good faith an accusation
against any person to any of those who have lawful authority over that person with respect to the subject matter of
accusation.

Illustration:

If A in good faith accuses Z before a Magistrate; if A in good faith complains of the conduct of Z, a servant, to Z's
master; if A in good faith complains of the conduct of Z, a child, to Z's father; A is within this exception.

9. Ninth exception
Imputation made in good faith by person for protection of his or others' interests. It is not defamation to make an
imputation on the character of another, provided that the imputation be made in good faith for the protection of the
interests of the person making it, or of any other person, or for the public good.

Illustrations:
a. A, a shopkeeper, says to B, who manages his business : "Sell nothing to Z unless he pays you ready money, for I
have no opinion of his honesty". A is within the exception, if he has made this imputation on Z in good faith for
the protection of his own interests.

b. A, a Magistrate, in making a report to his own superior officer, casts an imputation on the character of Z. Here, if
the imputation is made in good faith, and for the public good, A is within the exception.

10. Tenth exception

Caution intended for good of person to whom conveyed or for public good. It is not defamation to convey a
caution, in good faith, to one person against another, provided that such caution be intended for the good of the
person to whom it is conveyed, or of some person in whom that person is interested, or for the public good.

- Cyber criminals who threaten and intimidate others are punishable under IPC 503. The
Indian Penal Code, Section 503, explains criminal intimidation as follows:

Criminal Intimidation
Whoever threatens another with any injury to his person, reputation or property, or to the person or reputation of
any one in whom that person is interested, with intent to cause alarm to that person, or to cause that person to do any act
which he is not legally bound to do, or to omit to do any act which that person is legally entitled to do, as the means of
avoiding the execution of such threat, commits criminal intimidation.

Explanation : A threat to injure the reputation of any deceased person in whom the person threatened is interested, is
within this section.

Illustration : A, for the purpose of inducing B to desist from prosecuting a civil suit, threatens to burn B's house. A is
guilty of criminal intimidation.

Punishment for criminal intimidation (Section 506)

- Whoever commits the offence of criminal intimidation shall be punished with imprisonment of either description for a
term which may extend to 2 years, or with fine, or with both.
- If the threat be to cause any one of the following, the punishment is imprisonment up to 7 years, or with fine, or
with both:
o Death or grievous hurt.
o Destruction of any property by fire.
o An offence punishable with death or imprisonment for life, or with imprisonment for a term which may
extend to 7 years.
o Imputing unchastity to a woman.
In these cases the offender shall be punished with imprisonment of either description for a term which
may extend to 7 years, or with fine, or with both.

’ SS-X* ”ome"harassment ,or ,aki"B thc reven8e are s° -•>««are


- If any person insults the modesty of a woman, utters any word, makes any sound or gesture, or intrudes upon the privacy of
a woman, then that person is punishable under Section 509.
The punishment is simple imprisonment up to one year, with fine or with both.

5.1.7 Cyber Pornography

- Cyber pornography is the act of using cyberspace to create, display, distribute, import or publish pornography or
obscene materials. With the advent of cyberspace, traditional pornographic content has now been largely replaced by
online/digital pornographic content.
- Cyber pornography is banned in many countries and legalized in some. In India, under the Information Technology Act,
2000, this is a grey area of the law, where it is not prohibited but not legalized either.
- Section 67 of the Information Technology Act, 2000 makes the following acts punishable with imprisonment up
to 3 years and fine up to 5 lakhs :

1. Publication : This would include uploading on a website, WhatsApp group or any other digital portal where
third parties can have access to such content.

2. Transmission : This includes sending obscene photos or images to any person via email, messaging, WhatsApp or
any other form of digital media.

3. Causing to be published or transmitted : This is a very wide terminology which would end up making the
intermediary portal liable, using which the offender has published or transmitted such obscene content. The
intermediary guidelines under the Information Technology Act put an onus on the intermediary/service provider
to exercise due diligence to ensure their portal is not being misused.

- Section 67A of the Information Technology Act makes publication, transmission and causing to be transmitted and
published in electronic form any material containing sexually explicit act or conduct, punishable with imprisonment up
to 5 years and fine up to 10 lakhs.
An understanding of these provisions makes the following conclusions about the law of cyber pornography in India
extremely clear:

a. Viewing cyber pornography is legal in India. Merely downloading and viewing such content does not amount to
an offence.

b. Publication of pornographic content online is illegal.

c. Storing cyber pornographic content is not an offence.

d. Transmitting cyber pornography via instant messaging, emails or any other mode of digital transmission is an
offence.

5.2 Monetary Penalties, Adjudication and Appeals under IT Act 2000

- IT Act provides certain contraventions for which a person has to pay for damages by the way of compensation or
penalty. Section 43 of IT Act, 2000 is for penalty and compensation.
- It states that, if any person without permission of the owner or any other person who is in-charge of a computer,
computer system or computer network.

a. Accesses or secures access to such computer, computer system, computer network or computer resource.

b. Downloads copies or extracts any data, computer data base or information from such computer, computer
system or computer network including information or data held or stored in any removable storage medium.

c. Introduces or causes to be introduced any computer contaminant or computer virus into any computer,
computer system or computer network.


d. Damages or causes to be damaged any computer, computer system or computer network, data, computer data
base or any other programs residing in such computer, computer system or computer network.

e. Disrupts or causes disruption of any computer, computer system or computer network.

f. Denies or causes the denial of access to any person authorized to access any computer, computer system or

computer network by any means.


g. Provides any assistance to any person to facilitate access to a computer, computer system or computer network
in contravention of the provisions of this Act, rules or regulations made thereunder.

h. Charges the services availed of by a person to the account of another person by tampering with or manipulating
any computer, computer system, or computer network.

- The following are the monetary penalties given by the IT Act in Section 44 :

a. For every failure to furnish any document, return or report to the Controller or the Certifying Authority, he shall be
liable to a penalty not exceeding Rs. 1.50 lakh.
b. If he fails to file any return or furnish any information, books or other documents within the time specified therefor
in the regulations, he shall be liable to a penalty not exceeding Rs. 5,000 for every day during which such failure continues.
c. If he fails to maintain books of account or records, he shall be liable to a penalty not exceeding Rs. 10,000 for
every day during which the failure continues.
- There is a separate adjudicating authority created for the adjudication of contraventions for which
compensations are provided. The central government shall appoint any officer not below the rank of a director to
. the government of India or an equivalent officer of a state government to be an adjudicating officer for holding

an inquiry in the manner prescribed by the central government.


- The adjudicating officer appointed shall exercise jurisdiction to adjudicate matters in which the claim for injury or
damage does not exceed Rs. 5 crore, provided that the jurisdiction in respect of a claim for injury or damage
exceeding rupees five crore shall vest with the competent court.
- If evidence is produced related to the penalty to the adjudicating officer, he may order in writing to impose the
penalty. Where more than one adjudicating officers are appointed, the central government shall specify by order
the matters and places with respect to which such officers shall exercise their jurisdiction.
- Every adjudicating officer shall have the powers of a civil court which are conferred on the
Cyber Appellate Tribunal (Section 46 (3)(2)(4)(5), IT Act, 2000).
- An appeal against an order of an adjudicating officer lies to a Cyber Appellate Tribunal having jurisdiction in the matter. No
appeal shall lie to the Cyber Appellate Tribunal from an order made by an adjudicating officer with the consent of the parties.
Every appeal shall be filed within a period of 45 days from the date on which a copy of the order made by the
controller or the adjudicating officer is received by the person aggrieved and it shall be in such form and be
accompanied by such fee as may be prescribed: Provided that the cyber appellate tribunal may entertain an appeal
after the expiry of the said period of 45 days if it is satisfied that there was sufficient cause for not filing it within that
period (Section 57(1)(2)(3), IT Act, 2000).
Section 58 provides that, the Cyber Appellate Tribunal shall not be bound by the procedure laid down by the code of
civil procedure, 1908 but shall be guided by the principles of natural justice and, subject to the other provisions of this
Act and of any rules, the Cyber Appellate Tribunal shall have powers to regulate its own procedure including the place
at which it shall have its sittings.
The Cyber Appellate Tribunal shall have same powers as are vested in a civil court under the Code of Civil Procedure;
while trying a suit, in respect of the following matters namely :

(a) Summoning and enforcing the attendance of any person and examining him on oath.

(b) Requiring the discovery and production of documents or other electronic records.

(c) Receiving evidence on affidavits.

(d) Issuing commissions for the examination of witnesses or documents.

(e) Reviewing its decisions.

(f) Dismissing an application for default or deciding it ex parte.

(g) Any other matter which may be prescribed.

- Section 61 provides that, no court shall have jurisdiction to entertain any suit or proceeding in respect of any matter
which an adjudicating officer appointed under this Act or the Cyber Appellate Tribunal constituted under this Act is
empowered by or under this Act to determine, and no injunction shall be granted by any court or other authority in
respect of any action taken or to be taken in pursuance of any power conferred by or under this Act.

- Section 62 provides that, any person aggrieved by any decision or order of the Cyber Appellate Tribunal may file an
appeal to the high court within 60 days from the date of communication of the decision or order of the Cyber
Appellate Tribunal to him on any question of fact or law arising out of such order: Provided that the high court may, if
it is satisfied that the appellant was prevented by sufficient cause from filing the appeal within the said period, allow it
to be filed within a further period not exceeding sixty days.

- Section 63 provides that, any contravention may, either before or after the institution of adjudication proceedings, be
compounded by the controller or such other officer as may be specially authorized by him in this behalf or by the
adjudicating officer, as the case may be, subject to such conditions as the controller or such other officer or the
adjudicating officer may specify. Provided that such sum shall not, in any case, exceed the maximum amount of the
penalty which may be imposed under this act for the contravention so compounded. Any contravention shall apply to
a person who commits the same or similar contravention within a period of three years from the date on which the
first contravention, committed by him was compounded.

No proceeding or further proceeding as the case may be shall be taken against the person guilty of such contravention
in respect of the contravention so compounded.

5.3 IT Act 2008 and its Amendments

The Indian Information Technology Act 2000 ("Act") was based on the Model Law on Electronic Commerce adopted
by the United Nations Commission on International Trade Law. The suggestion was that all States intending to enact a law
for the impugned purpose give favorable consideration to the said model law when they enact or revise their laws, in view
of the need for uniformity of the law applicable to alternatives to paper-based methods of communication and storage of
information. Thus the Act was enacted to provide legal recognition for transactions carried out by means of electronic data
interchange and other means of electronic communication, commonly referred to as "electronic commerce", which
involved the use of alternatives to traditional or paper-based methods of communication and storage of information, and to
facilitate electronic filing of documents with the government agencies. Also it was considered necessary to give effect to
the said resolution and to promote efficient delivery of government services by means of reliable electronic records. The
Act received the assent of the President on the 9th of June, 2000.

The Act was subsequently and substantially amended in 2006 and again in 2008 citing the following objectives:

- With proliferation of information technology enabled services such as e-governance, e-commerce and e-transactions,
protection of personal data and information and implementation of security practices and procedures relating to
these applications of electronic communications have assumed greater importance and they require harmonization
with the provisions of the Information Technology Act. Further, protection of Critical Information Infrastructure is
pivotal to national security, economy, public health and safety, so it has become necessary to declare such
infrastructure as a protected system so as to restrict its access.
- A rapid increase in the use of computer and internet has given rise to new forms of crimes like publishing sexually
explicit materials in electronic form, video voyeurism and breach of confidentiality and leakage of data by
intermediary, e-commerce frauds like personation commonly known as Phishing, identity theft and offensive
messages through communication services. So, penal provisions are required to be included in the Information
Technology Act, the Indian Penal Code, the Indian Evidence Act and the Code of Criminal Procedure to prevent such
crimes.
- The United Nations Commission on International Trade Law (UNCITRAL) in the year 2001 adopted the Model Law on
Electronic Signatures. The General Assembly of the United Nations by its resolution No. 56/80, dated 12th December,
2001, recommended that all states accord favorable consideration to the said Model Law on electronic signatures.
Since the digital signatures are linked to a specific technology under the existing provisions of the Information
Technology Act, it has become necessary to provide for alternate technology of electronic signatures for bringing
harmonization with the said Model Law.


- The service providers may be authorized by the central government or the state government to set up, maintain and
upgrade the computerized facilities and also collect and retain appropriate service charges for providing such services at
such scale as may be specified by the central government or the state government.

5.3.1 IT Act 2008 Amendments

1. Electronic signatures introduced

- In IT Act 2008 the term 'digital signature' has been replaced with 'electronic signature' to make the Act more
technology neutral.
- Therefore, allowing forms of authentication that are simpler to use, such as retina scanning, can be quite useful
in effective implementation of the Act. However, the challenge it poses is accessibility to authentication tools and
imparting education to people to use the same.
- It is a challenging task for the Central Government to prescribe conditions for considering
o reliability of electronic signatures or electronic authentication techniques under Section 3A(2),
o the procedure for ascertaining electronic signature or authentication under Section 3A(3),
o the manner in which information may be authenticated by electronic signatures in Section 5.
o It also involves expenditure, as such authentication tools will require purchase, installation & training
where it is proposed to be used. Equally important will be the
drafting of duties of subscriber of electronic signature certificate under Section 40A of the Act, which will need
to incorporate security measures subscribers can adopt depending on the electronic signature being used for
signatures. Further, in a move to secure the flow of data and information on the Internet and promote
e-commerce & e-governance, the amended Act in Section 84A has empowered the Central Government to
prescribe modes or methods for encryption.

2. Corporate responsibility introduced in S. 43A

- A new Section 43A has been inserted to protect sensitive personal data. Where any business entity which is in possession of,
or is dealing or handling any sensitive personal data or information in a computer resource which the business
entity owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures, and
thus causes wrongful loss or gain to any person, the business entity shall be liable for paying damages to the
person so affected.
- The corporate bodies handling sensitive personal information or data in a computer resource are under an
obligation to ensure adoption of reasonable security practices to maintain its confidentiality, failing which they are
liable to pay damages. Also, there is no limit to the amount of compensation that may be awarded by virtue of
this section. This section must be read with Section 85 of the IT Act, 2000 whereby all persons responsible to the
company for conduct of its business shall be held guilty in case an offence was committed by a company, unless no
knowledge or due diligence to prevent the contravention is proved.
- The damages of Rs. One Crore prescribed under Section 43 of the earlier Act of 2000 for damage to computer,
computer system etc. has been deleted and the relevant parts of the section have been substituted by the words,
'he shall be liable to pay damages by way of compensation to the person so affected'.

3. Important definitions added

In IT ACT 2008 two important definitions are added :

o Communication Device : "Communication Device" means cell phones, Personal Digital Assistance (sic), or a
combination of both or any other device used to communicate, send or transmit any text, video, audio, or image.
Although cell phones and other devices used to communicate would fall under the definition of computer in the IT
Act, this amendment removes any ambiguity and brings within the domain of the Act all communication devices,
cell phones, iPods or other devices used to communicate, send or transmit any text, video, audio or image.
o Intermediary : It clarifies the categories of service providers that come within its definition, which includes telecom
service providers, network service providers, internet service providers, web hosting service providers, search
engines, online payment sites, online auction sites, online marketplaces and cyber cafes.

4. Legal validity of electronic documents re-emphasized

- Two new sections, Section 7A and 10A, in the amended Act reinforce the equivalence of paper based documents
to electronic documents.
- Section 7A in the amended Act makes audit of electronic documents also necessary wherever paper based
documents are required to be audited by law.
- Section 10A confers legal validity and enforceability on contracts formed through electronic means.
- These provisions are inserted to clarify and strengthen the legal principle in Section 4 of the IT Act, 2000 that
electronic documents are at par with paper based documents and e-contracts are legally recognized and acceptable
in law. This will facilitate growth of e-commerce activity on the internet and build netizens' confidence.

5. The role of adjudicating officers under the amended act

- The Adjudicating Officer's power under the amended Act in Section 46(1A) is limited to deciding claims where the claim
for injury or damage does not exceed 5 crores.
- Beyond 5 crore the jurisdiction shall now vest with the competent court. This has introduced another forum for
adjudication of cyber contraventions.
- The words "competent court" also need to be clearly defined. As per Section 46(2), the quantum of
compensation that may be awarded is left to the discretion of Adjudicating Officers.
- In the IT Act,2000 the office of adjudicating officer had the powers of civil court and all proceedings before it are
deemed to be judicial proceedings. A new change is incorporated in Section 46(5) whereby the Adjudicating
officers have been conferred with powers of execution of orders passed by it, including order of attachment and
sale of property, arrest and detention of accused and appointment of receiver.

6. Composition of CAT

- The amended Act has changed the composition of the Cyber Appellate Tribunal (CAT).
- The Presiding Officer alone would earlier constitute the Cyber Regulations Appellate Tribunal, which provision has
now been amended.
- The tribunal would now consist of a Chairperson and such number of members as the Central Government may
appoint.
- The qualifications for their appointment, term of office, salary, power of superintendence, resignation and
removal, filling of vacancies have been incorporated.
- The decision making process allows more objectivity with Section 52D, which provides that the decision shall be
taken by majority.

7. New cyber crimes as offences under amended act


Sections 66A to 66F have been added to Section 66. The cybercrimes covered by these sections are as follows.

a. Sending of offensive or false messages (s 66A)

b. Receiving stolen computer resource (s 66B)

c. Identity theft (s 66C)

d. Cheating by personation (s 66D)

e. Violation of privacy (s 66E)

f. Cyber terrorism (Section 66 F)

Computer related offences under Section 66 :

- Dishonestly and fraudulently committing contraventions under Section 43 of the Act by any person.
- Punishment: imprisonment for a term which may extend to three years or with fine which may extend to five lakh
rupees or with both.

a. Sending offensive messages through communication service, under Section 66A :

- Sending information which is grossly offensive or has menacing character.
- Mailing false information to cause annoyance, inconvenience, danger, obstruction, insult, injury, criminal
intimidation, enmity, hatred or ill will.
- Sending mail for the purpose of causing annoyance or inconvenience or to deceive or mislead the addressee about
the origin of such messages.
- Punishment: imprisonment for a term which may extend to three years and with fine.

b. Receiving stolen computer resource or communication device, under Section 66B:

- Under Section 66B, whoever dishonestly receives or retains any stolen computer resource or communication device,
knowing or having reason to believe the same to be a stolen computer resource or communication device.
- Punishment: Imprisonment for a term which may extend to three years or with fine which may extend to one lakh
rupees or with both.

c. Identity Theft, under Section 66C:

- Fraudulently or dishonestly making use of the electronic signature, password or any other unique identification
feature of any other person.
- Punishment: Imprisonment for a term which may extend to three years or with fine which may extend to one lakh
rupees.


d. Cheating by personation by using computer resource, under Section 66D:

- Cheating by personation by means of any communication device or computer resource.
- Punishment: For a term which may extend to three years and fine which may extend to one lakh rupees.

e. Violation of privacy, under Section 66E:

- Intentionally or knowingly capturing, publishing or transmitting the images of a private area of any person
without the consent of the latter.
- Punishment: Term of imprisonment may extend to three years or with fine not exceeding two lakh rupees, or
with both.

f. Cyber terrorism, under Section 66F:

- Whoever, with intention to threaten the unity, integrity, security or sovereignty of India or to cause terror in the
people or any section of people, by:
i) causing denial of access to an authorized person,
ii) attempting to penetrate or access a computer resource without authorization or by exceeding authorized
access, or
iii) introducing or causing to introduce a computer contaminant,
and the conduct causes or is likely to cause death or injuries to persons, or damage or destruction of property, or
damage or disruption to supplies or services essential to life.
- Penetration or access to a computer resource without authorization or exceeding authorized access, with
knowledge and intention, and thus obtaining access to information, data or a computer database.
- Punishment: Term of imprisonment may extend to life.

8. Amendments in Section 67

Section 67 of the IT Act, 2000 has been amended to reduce the term of imprisonment for publishing or transmitting
obscene material in electronic form.

Publishing or transmitting obscene material in electronic form, Section 67 :

- Publishing or transmitting, or causing the same to be published or transmitted, in electronic form, material which is
obscene.
- Punishment: imprisonment may extend to three years and with fine which may extend to five lakh rupees. For
subsequent conviction the term of imprisonment may extend to five years with fine which may extend to ten lakh
rupees.

Publishing or transmitting of material containing sexually explicit act, under Section 67A:

- Publishing or transmitting, or causing to be published or transmitted, in electronic form any material which contains
sexually explicit act or conduct.
- Punishment: For first conviction, imprisonment for a term which may extend to five years and with fine which may
extend to ten lakh rupees. Second conviction: imprisonment which may extend to seven years and fine which may
extend to ten lakh rupees.

Publishing or transmitting of material depicting children in sexually explicit act, under Section 67B:

- Publishing or transmitting, or causing the publishing or transmitting of, material in electronic form which depicts children
engaged in sexually explicit act or conduct.
Cyber Security and Laws (MU-Sem 7) 5-19 Indian IT Act

- Creating text or digital images, collecting, seeking, browsing, downloading, advertising, promoting, exchanging
or distributing material in any electronic form depicting children in obscene or indecent or sexually explicit
manner.
- Enticing or inducing children into an online relationship with other children for and on sexually explicit act, or
in a manner in which a reasonable adult may get offended.
- Facilitating abuse of children online.
- Recording in electronic form one's own abuse or that of others pertaining to sexually explicit act with children.
- Punishment: for first conviction, imprisonment for a term which may extend to five years and with fine which may
extend to ten lakh rupees. For second conviction, imprisonment which may extend to seven years and with fine which
may extend to ten lakh rupees.

9. Section 69B added to confer power to collect and monitor traffic data

- In view of the increasing threat of terrorism in the country, the amendments include an amended Section 69,
giving the state power to issue directions for interception, monitoring or decryption of any information
through any computer resource. Further, two new sections, 69A and 69B, grant the state power to issue
directions for blocking public access to any information through any computer resource, and to authorize
monitoring and collection of traffic data or information through any computer resource for cyber security.
- Section 69B of the IT Act, as amended in 2008, confers on the Central Government the power to appoint any agency to
monitor and collect traffic data or information generated, transmitted, received or stored in any computer resource,
in order to enhance its cyber security and for identification, analysis and prevention of intrusion or spread of
computer contaminant in the country.
- The Information Technology (Procedure and Safeguard for Monitoring and Collecting Traffic Data or Information)
Rules, 2009 have been laid down to monitor and collect traffic data or information for cyber security purposes
under Section 69B.

10. Section 79

Section 79 of the Act, which exempted intermediaries, has been modified to the effect that an intermediary shall not
be liable for any third-party information, data or communication link made available or hosted by him if:

a. The function of the intermediary is limited to providing access to a communication system over which
information made available by third parties is transmitted or temporarily stored or hosted.

b. The intermediary does not initiate the transmission, select the receiver of the transmission, or select or
modify the information contained in the transmission.

c. The intermediary observes due diligence while discharging his duties.

However, Section 79 will not apply to an intermediary if the intermediary has conspired, abetted, aided or induced,
whether by threats or promise or otherwise, the commission of the unlawful act, or if, upon receiving actual
knowledge or on being notified that any information, data or communication link residing in or connected to a
computer resource controlled by it is being used to commit an unlawful act, the intermediary fails to expeditiously
remove or disable access to that material on that resource without vitiating the evidence in any manner.

11. Cyber Cafe

A new section has been added to define cyber cafe as any facility from where the access to the internet is offered by
any person in the ordinary course of business to the members of the public.

12. Section 10A

A new Section 10A has been inserted to the effect that contracts concluded electronically shall not be deemed to be
unenforceable solely on the ground that electronic form or means was used.

13. Section 81

A provision has been added to Section 81 which states that the provisions of the Act shall have overriding effect. The
provision states that nothing contained in the Act shall restrict any person from exercising any right conferred under
the Copyright Act, 1957.

Table 5.3.1

Section | Contents | Imprisonment up to | Fine up to
65 | Tampering with computer source code documents | 3 years or/and | 200,000
66 | Hacking with computer system dishonestly or fraudulently | 3 years or/and | 500,000
66B | Receiving stolen computer resource | 3 years or/and | 100,000
66C | Identity theft: fraudulently or dishonestly making use of the electronic signature, password or any other unique identification feature of any other person | 3 years and | 100,000
66D | Cheating by personation by using computer resource | 3 years and | 100,000
66E | Violation of privacy | 3 years or/and | 200,000
66F | Cyber terrorism: whoever, with intent to threaten the unity, integrity, security or sovereignty of India or to strike terror in the people or any section of the people, by denial of access, attempting to penetrate a computer resource or introducing a computer contaminant; or knowingly or intentionally penetrates a computer resource and by means of such conduct obtains access to information, data or a computer database that is restricted for reasons of the security of the State or foreign relations, or likely to cause injury to the interests of the sovereignty and integrity of India | Imprisonment for life |
67 | Publish or transmit obscene material in electronic form, 1st time | 3 years and | 5,00,000
67 | Publish or transmit obscene material in electronic form, subsequent | 5 years and | 10,00,000
67A | Publishing or transmitting material containing sexually explicit act, 1st time | 5 years and | 10,00,000
67A | Publishing or transmitting material containing sexually explicit act, subsequent | 7 years and | 10,00,000
67B | Publishing or transmitting material containing children in sexually explicit act, 1st time | 5 years and | 10,00,000
67B | Publishing or transmitting material containing children in sexually explicit act, subsequent | 7 years and | 10,00,000
 | Contravention of retention or preservation of information by intermediaries | 3 years and | Not defined
 | Failure to comply, knowingly or intentionally, with the Controller's directions to Certifying Authorities or any employees | 2 years or/and | 100,000
 | Failure to comply with directions for intercepting, monitoring or decryption of any information transmitted through any computer system/network | 7 years and | Not defined
 | Failure to comply with directions for blocking public access to any information through any computer resource | 7 years and | Not defined
 | Failure to comply with directions to monitor and collect traffic data | 3 years and | Not defined
 | Protected system: any unauthorized access to such system | 10 years and | Not defined
 | Failure to provide information called for by the I.C.E.R.T or to comply with its directions | 1 year or | 1,00,000
 | Penalty for misrepresentation or suppressing any material fact | 2 years or/and | 100,000
 | Penalty for breach of confidentiality and privacy of electronic records, books, information, etc. without consent of the person to whom they belong | 2 years or/and | 100,000
 | Punishment for disclosure of information in breach of lawful contract | 3 years or/and |
 | Penalty for publishing a false Digital Signature Certificate | 2 years or/and |
 | Fraudulent publication | 2 years or/and |
 | Act also applies to offences or contraventions committed outside India if the act or conduct constituting the offence involves a computer, computer system or computer network located in India | |
 | Confiscation of any computer, computer system, floppies, CDs, tape drives or other accessories related thereto in contravention of any provisions of the Act, Rules, Regulations or Orders made | |
 | Penalty and confiscation shall not interfere with other punishments provided under any law | |
 | Power to investigate offences by a police officer not below the rank of Deputy Superintendent of Police | |

Q. 1 Explain the terms Document and Electronic record. (Section 5.1.1)

Q. 2 What is a hacker? What are the different types of hackers? (Section 5.1.2)

Q. 3 Explain how the IT Act defines and punishes hacking. What is the punishment for hacking? (Section 5.1.2)

Q. 4 Explain teenage web vandals. (Section 5.1.3)

Q. 5 Explain cyber fraud and cyber cheating. (Section 5.1.4)

Q. 6 Explain computer virus, damage and computer contaminant and mischief. (Section 5.1.5)

Q. 7 Explain defamation, harassment and email abuse. (Section 5.1.6)

Q. 8 Explain the 10 exceptions of defamation. (Section 5.1.6)

Q. 9 Explain cyber pornography. (Section 5.1.7)

Q. 10 Explain some IT offences and the punishment for those offences. (Section 5.1.8)

Q. 11 Explain Monetary Penalties, Adjudication and Appeals under the IT Act, 2000. (Section 5.2)

Information Security Standard Compliances
Unit VI

Syllabus

SOX, GLBA, HIPAA, ISO, FISMA, NERC, PCI.

6.1 SOX (Sarbanes-Oxley Act) Compliance


- In 2002, the United States Congress passed the Sarbanes-Oxley Act (SOX) to shield investors and the general public
from accounting mistakes and deceitful practices in enterprises, and to improve the precision of corporate
disclosures. The act set deadlines for compliance and publishes rules on requirements.
- The act was drafted by Congressmen Paul Sarbanes and Michael Oxley. Its objective was to improve corporate
administration and responsibility in light of the financial scandals.
- SOX covers a range of topics from criminal penalties to corporate board responsibilities, and issues such as
independent auditing requirements, corporate governance, internal control assessment and enhanced financial
disclosure.
- All public companies have to comply with SOX on both the IT side and the financial side. SOX has changed the way
IT departments store electronic records.
- The SOX act does not specify how a business should store records. It specifies which records are to be stored and the
length of time for which they are stored.
- Corporations have to store all business records, including electronic records and electronic messages, for not less
than 5 years to comply with SOX. Penalties for non-compliance include fines or imprisonment, or both.
- IT departments are accountable for creating and maintaining an archive of corporate records. Three rules in Section
802 of SOX affect the management of electronic records:

1. The first rule concerns the destruction, alteration or forgery of records and the resulting penalties.

2. The second rule defines the retention period for records storage.

3. The third rule outlines the types of business records that need to be stored, including all business records,
communications and electronic communications.

- SOX compliance requires the correct security controls to be in place to ensure that financial data is accurate and
protected against loss. This is achieved by developing best practices and relying on the appropriate tools, which
helps businesses automate SOX compliance and reduce SOX management costs.
- Data classification tools are commonly used to aid in addressing compliance challenges by automatically spotting and
classifying data as soon as it is created and applying persistent classification tags to the data. Solutions that
are context aware have the ability to classify and tag electronic health records, cardholder and other financial data,
confidential design documents, social security numbers, PHI, PII, and other structured and unstructured data that is

1. Section 906 of the SOX Act

- Section 906 of the SOX Act requires a written statement to be submitted by the Chief Executive Officer (CEO) and
the Chief Financial Officer (CFO).
- This statement is to be submitted with a periodic report, also required by the act.
- The content of the written statement, according to Section 906, shall certify that the periodic report containing
the financial statements fully complies with the requirements of Section 13(a) or 15(d) of the Securities Exchange
Act of 1934, and that the information contained in the periodic report fairly presents, in all material respects, the
financial condition and results of operations of the issuer.
- The penalties for violations are for either:

a. Knowingly certifying a report that does not comport with the requirements of Section 906.

b. Willfully certifying a report that does not comport with the requirements of Section 906.

- The fine for a knowing violation is not more than $1,000,000, or imprisonment for not more than 10 years, or both. A
willful violation is significantly more costly, at not more than $5,000,000 or 20 years in prison, or both.

2. Data protection and compliance

- Data classification enables security teams to more easily monitor and enforce corporate policies for data
handling.
- Depending on the sensitivity of data and its applicable regulations, it may need to be encrypted, compressed or
saved to a different file format.
- With the correct policies in place, corporations can prevent unauthorized users, even those with administrative
rights to the system, from viewing regulated data.
- The best solutions also prevent data egress through copying to removable storage devices.
- Another feature of security solutions that is worth the investment is the ability to safeguard shared data. These
so-called masking features give users access to necessary information while ensuring compliance with
regulations.

3. Compliance and audits

- Correct security solutions are needed for SOX compliance and for complying with other regulatory standards.
- Providing evidence of compliance is even harder, because evidence must prove that written controls are in place,
communicated and enforced, while supporting non-repudiation.
- The correct security software solution provides the supportable evidence so that all of your compliance efforts
are worthwhile.
- A software solution for meeting compliance requirements should be able to monitor data, enforce policies and
log every user action. With evidentiary-quality trails, all of the data needed for compliance is in place.
- Protect your data and your business with a software solution that ensures SOX compliance, and rest a little easier
during your next audit.
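The "evidentiary-quality trail" that logs every user action is only useful to an auditor if the trail itself cannot be quietly edited afterwards. The following is an added example, not code from the book or from any compliance product, of one common way to make an audit log tamper-evident: each entry is keyed-hashed together with the digest of the previous entry, so editing, deleting or reordering any record breaks the chain at that point. The key, the event fields and the ledger file name are constructed for the example; a real deployment would keep the key (or a signing key) with the audit service rather than the application being audited.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, asdict
from typing import List, Optional, Tuple

# Constructed key for this example. In a real deployment the key (or a signing
# key) is held by the audit service, not by the application whose actions are
# being recorded, otherwise the party being audited could rewrite its own trail.
AUDIT_KEY = b"example-audit-key-not-for-production"
GENESIS = "0" * 64  # prev_digest of the first entry


@dataclass
class AuditEntry:
    seq: int          # position in the chain
    actor: str        # user who performed the action
    action: str       # read / modify / export ...
    resource: str     # the record acted on
    prev_digest: str  # digest of the previous entry (links the chain)
    digest: str = ""  # HMAC over this entry's own fields


def _canonical(entry: AuditEntry) -> bytes:
    """Stable serialisation of every field except the digest itself."""
    body = {k: v for k, v in asdict(entry).items() if k != "digest"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def _mac(entry: AuditEntry) -> str:
    return hmac.new(AUDIT_KEY, _canonical(entry), hashlib.sha256).hexdigest()


def append_event(chain: List[AuditEntry], actor: str, action: str, resource: str) -> AuditEntry:
    """Append one user action; the new digest covers the previous digest."""
    prev = chain[-1].digest if chain else GENESIS
    entry = AuditEntry(len(chain), actor, action, resource, prev)
    entry.digest = _mac(entry)
    chain.append(entry)
    return entry


def verify_chain(chain: List[AuditEntry]) -> Tuple[bool, Optional[int]]:
    """Return (True, None) if intact, else (False, index of first bad entry).

    Catches edited entries (digest mismatch), deleted entries (seq gap) and
    reordered entries (prev_digest mismatch)."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry.seq != i or entry.prev_digest != prev:
            return False, i
        if not hmac.compare_digest(_mac(entry), entry.digest):
            return False, i
        prev = entry.digest
    return True, None


def demo() -> Tuple[bool, bool, Optional[int]]:
    """Constructed scenario: three actions on a ledger file, then a record is edited."""
    chain: List[AuditEntry] = []
    append_event(chain, "alice", "read", "ledger/2023-Q4.xlsx")
    append_event(chain, "bob", "modify", "ledger/2023-Q4.xlsx")
    append_event(chain, "alice", "export", "ledger/2023-Q4.xlsx")
    ok_before, _ = verify_chain(chain)
    chain[1].actor = "carol"  # after-the-fact rewrite of who modified the ledger
    ok_after, bad_index = verify_chain(chain)
    return ok_before, ok_after, bad_index


if __name__ == "__main__":
    print(demo())  # (True, False, 1)
```

A hash chain on its own proves only that the log was not changed after the chain was built; for non-repudiation in the sense the section uses, the entries (or periodic checkpoints of the chain) also need to be signed or stored by a party that the people being audited cannot control.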


6.2 GLBA Compliance

- The Gramm-Leach-Bliley Act (GLB Act or GLBA) is also known as the Financial Modernization Act of 1999.
- It is a United States federal law that requires financial institutions to explain how they share and protect their
customers' private information.


- The act consists of three sections:

1. The financial privacy rule, which regulates the collection and disclosure of private financial information.

2. The safeguards rule, which stipulates that financial institutions must implement security programs to protect
such information.

3. The pretexting provisions, which prohibit the practice of pretexting (accessing private information using false
pretenses).

- The act also requires financial institutions to give customers written privacy notices that explain their information
sharing practices.

GLBA compliance benefits

- Complying with the GLBA puts financial institutions at lower risk of penalties or reputational damage caused by
unauthorized sharing or loss of private customer data. There are also several privacy and security benefits required by
the GLBA safeguards rule for customers, some of which include:

o Private information must be secured against unauthorized access.
o Customers must be notified of private information sharing between financial institutions and third parties and
have the ability to opt out of private information sharing.
o User activity must be tracked, including any attempts to access protected records.

- Compliance with the GLBA protects consumer and customer records and will therefore help to build and strengthen
consumer reliability and trust. Customers gain assurance that their information will be kept secure by the institution;
safety and security cultivate customer loyalty, resulting in a boost in reputation, repeat business and other benefits for
financial institutions.

6.2.1 Working of GLBA Compliance

- The GLBA requires that financial institutions act to ensure the confidentiality and security of customers' nonpublic
personal information, or NPI.
- Nonpublic personal information includes social security numbers, credit and income histories, credit and bank card
account numbers, phone numbers, addresses, names, and any other personal customer information received by a
financial institution that is not public.
- The safeguards rule states that financial institutions must create a written information security plan describing the
program to protect their customers' information.
- The plan must be tailored specifically to the institution's size, operations and complexity, as well as to the
sensitivity of the customers' information. According to the safeguards rule, covered financial institutions must:

1. Designate one or more employees to coordinate its information security program.

2. Identify and assess the risks to customer information in each relevant area of the company's operation, and
evaluate the effectiveness of the current safeguards for controlling these risks.

3. Design and implement a safeguards program, and regularly monitor and test it.

4. Select service providers that can maintain appropriate safeguards, make sure the contract requires them to
maintain safeguards, and oversee their handling of customer information.

5. Evaluate and adjust the program in light of relevant circumstances, including changes in the firm's business or
operations, or the results of security testing and monitoring.

- To achieve GLBA compliance, the safeguards rule requires that financial institutions pay special attention to employee
management and training, information systems, and security management in their information security plans and
implementation.

GLBA penalties

- If a non-compliance allegation is proven, the punishment can have business-altering and even life-altering
consequences.
- Some non-compliance penalties include:

1. Financial institutions found in violation face fines of $100,000 for each violation.

2. Individuals in charge found in violation face fines of $10,000 for each violation.

3. Individuals found in violation can be put in prison for up to 5 years.

Non-compliance allegation examples

- Since the act has gone into effect, there have been several allegations, including:

o PayPal (operating as Venmo) allegedly violated both the Federal Trade Act and the GLBA. According to one source,
"The FTC also asserts that the privacy practices it alleges violate the GLBA and its privacy rule and that the security
failures it alleges violate the GLBA and the safeguarding rule."

o Early in the Act's existence, the FTC invoked the GLBA against several mortgage companies for a number of
violations.

- However, by taking steps to safeguard NPI and comply with the GLBA, organizations will not only benefit from
improved security and the avoidance of penalties but also from increased customer trust and loyalty.

6.3 HIPAA Compliance

- The Health Insurance Portability and Accountability Act (HIPAA) sets the standard for sensitive patient data protection.
Companies that deal with protected health information (PHI) must have physical, network, and process security
measures in place and follow them to ensure HIPAA compliance.
- Health and Human Services (HHS) points out that as health care providers and other entities dealing with PHI move to
computerized operations, including Computerized Physician Order Entry (CPOE) systems, Electronic Health
Records (EHR), and radiology, pharmacy, and laboratory systems, HIPAA compliance is more important than ever.
- Similarly, health plans provide access to claims as well as care management and self-service applications. While all of
these electronic methods provide increased efficiency and mobility, they also drastically increase the security risks
facing health care data.
- The security rule is in place to protect the privacy of individuals' health information, while at the same time allowing
covered entities to adopt new technologies to improve the quality and efficiency of patient care.
- The security rule, by design, is flexible enough to allow a covered entity to implement policies, procedures and
technologies that are suited to the entity's size, organizational structure and risks to patients' and consumers' e-PHI.

1. Physical and technical safeguards, policies and HIPAA compliance

- The HHS requires physical and technical safeguards for organizations hosting sensitive patient data. These
physical safeguards include:

o Limited facility access and control, with authorized access in place.
o Policies about use of and access to workstations and electronic media.
o Restrictions for transferring, removing, disposing of, and re-using electronic media and e-PHI.

- Along the same lines, the technical safeguards of HIPAA require access control allowing only authorized
persons to access e-PHI. Access control includes:

o Using unique user IDs, emergency access procedures, automatic log off, encryption and decryption.
o Audit reports or tracking logs that record activity on hardware and software.

2. Protocols and expectations for breaches and HIPAA violations

- Based on the breach notification rule, health care providers and plans must report any possible exposure of
protected health information whenever data is stolen, lost or otherwise compromised.
- If the exposure includes more than 500 people, the HIPAA covered entity (CE) must also quickly contact the HHS
Secretary.
- Local media must be notified in a state or jurisdiction in which 500 or more affected individuals reside.
- If fewer than 500 people are impacted, the individuals must be alerted and the HHS Secretary must be sent a
report within 60 days following the end of the calendar year.
- HIPAA violations are expensive. The penalties for noncompliance are based on the level of negligence and can
range from $100 to $50,000 per violation (or per record), with a maximum penalty of $1.5 million per year for
violations of an identical provision. Violations can also carry criminal charges that can result in jail time.
- Fines increase with the number of patients affected and the amount of neglect. The lowest fines start with a breach
where you did not know, and by exercising reasonable diligence would not have known, that you violated a
provision.
- At the other end of the spectrum are fines levied where a breach is due to negligence and not corrected within 30
days. In legalese this is known as mens rea (state of mind), so fines increase in severity from no mens rea (did not
know) to assumed mens rea (willful neglect).
- The fines and charges are broken down into two major categories: reasonable cause and willful neglect.
Reasonable cause ranges from $100 to $50,000 per incident and does not involve any jail time.
- Willful neglect ranges from $10,000 to $50,000 for each incident and can result in criminal charges.

3. Data protection for healthcare organizations and meeting HIPAA compliance

- The need for data security has grown with the increase in the use and sharing of electronic patient data. Today,
high-quality care requires health care organizations to meet this accelerated demand for data while complying
with HIPAA regulations and protecting PHI. Having a data protection strategy in place allows healthcare
organizations to:
o Ensure the security and availability of PHI to maintain the trust of practitioners and patients.
o Meet HIPAA and HITECH regulations for access, audit, integrity and data transmission.
o Maintain greater visibility and control of sensitive data throughout the organisation.
- The best data protection solutions recognize and protect patient data in all forms, including structured and
unstructured data, e-mails, documents, and scans, while allowing healthcare providers to share data securely to
ensure the best possible patient care. Patients entrust their data to healthcare organizations, and it is the duty of
these organisations to take care of their protected health information.

6.4 ISO Compliance

- The International Organization for Standardization (ISO) produces thousands of standards every year covering multiple
topics and disciplines.
- A certain group of those standards, known as management system standards, are designed to support organizations in
delivering products and services which are higher in quality, safer, more efficient and environmentally friendly.
- These standards are well known, such as ISO 9001 (Quality Management), ISO 27001 (Information Security), ISO 14001
(Environmental), ISO 22301 (Business Continuity) and the soon to be launched ISO 45001 (Health and Safety).

- ISO 27001 is a specification for an information security management system (ISMS). An ISMS is a framework of policies
and procedures that includes all legal, physical and technical controls involved in an organizations information risk
management processes.

- According to its documentation, ISO 27001 was developed to provide a model for establishing, implementing,
operating, monitoring, reviewing, maintaining and improving an information security management system.
- ISO 27001 uses a top-down, risk-based approach and is technology-neutral. The specification defines a six-part
planning process:

1. Define a security policy.

2. Define the scope of the ISMS.

3. Conduct a risk assessment.

4. Manage identified risks.

5. Select control objectives and controls to be implemented.

6. Prepare a statement of applicability.


- The specification includes details for documentation, management responsibility, internal audits, continual
improvement, and corrective and preventive action. The standard requires cooperation among all sections of an
organization.
- The 27001 standard does not mandate specific information security controls, but it provides a checklist of controls
that should be considered in the accompanying code of practice, ISO/IEC 27002:2005. This second standard describes
a comprehensive set of information security control objectives and a set of generally accepted good practice security
controls.
- The ISO 27002 standard is a collection of information security guidelines that are intended to help an organization
implement, maintain, and improve its information security management.
- ISO 27002 provides hundreds of potential controls and control mechanisms that are designed to be implemented with
guidance provided within ISO 27001.
- The suggested controls listed in the standard are intended to address specific issues identified during a formal risk
assessment. The standard is also intended to provide a guide for the development of security standards and effective
security management practices.
- ISO 27002 is published by the International Organization for Standardization (ISO) and the International
Electrotechnical Commission (IEC).
- ISO 27002 was originally named ISO/IEC 17799, and published in 2000. It was updated in 2003, when it was
accompanied by the newly published ISO 27001.
- The two standards are intended to be used together, with one complementing the other.
- The standards are updated regularly to incorporate references to other ISO/IEC issued security standards such as
ISO/IEC 27000 and ISO/IEC 27003, as well as to add information security best practices that emerged since previous
publications. These include the selection, implementation and management of controls based on an organization's
unique information security risk environment.


ISO 27002 contains 12 main sections:

1. Risk assessment

2. Security policy

3. Organization of information security

4. Asset management

5. Human resources security

6. Physical and environmental security

7. Communications and operations management

8. Access control
9. Information systems acquisition, development and maintenance

10. Information security incident management


11. Business continuity management

12. Compliance

Benefits of ISO:

- The organization can easily prove compliance to customers and interested parties.
- The organization is independently recognized for its efforts.
- The level of auditing from customers can often be significantly reduced, as independent certification can increase
assurance.
- Many organizations are now demanding that their suppliers are certified to ISO standards.

6.5 FISMA Compliance

- The Federal Information Security Management Act (FISMA) is a United States federal law passed in 2002 that made it
a requirement for federal agencies to develop, document, and implement an information security and protection
program. FISMA is part of the larger E-Government Act of 2002 introduced to improve the management of electronic
government services and processes.

1. FISMA compliance benefits

- FISMA compliance has increased the security of sensitive federal information.


- Continuous monitoring for FISMA compliance provides agencies with the information they need to maintain a
high level of security and eliminate vulnerabilities in a timely and cost effective manner.
- Companies operating in the private sector particularly those who do business with federal agencies can also
benefit by maintaining FISMA compliance.
- This can give private companies an advantage when trying to add new business from federal agencies and by
meeting FISMA compliance requirements companies can ensure that they're covering many of the security best
practices outlined in FISMA's requirements.

2. FISMA non-compliance penalties

The penalties for the government agencies or associated private companies that fail to comply with FISMA are:
censure by congress, a reduction in federal funding and reputational damage.

3. Best practices for FISMA compliance

Obtaining FISMA compliance doesn't need to be a difficult process. The following are some best practices to help
your organization meet all applicable FISMA requirements. While this list is not exhaustive, it will certainly get you on
the way to achieving FISMA compliance.

o Classify information as it is created: Classifying data based on its sensitivity upon creation helps you prioritize
security controls and policies to apply the highest level of protection to your most sensitive information.
o Automatically encrypt sensitive data: This should be a given for sensitive information. Ideally, you should arm
your team with a tool that can encrypt sensitive data based on its classification level or when it is put at risk.
o Maintain written evidence of FISMA compliance: Stay on top of FISMA audits by maintaining detailed records
of the steps you've taken to achieve FISMA compliance.
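Both the SOX section (data classification tools that spot social security numbers, cardholder data and PHI as soon as content is created and apply persistent tags) and the FISMA best practice above ("classify information as it is created") describe the same kind of tool without showing how it decides. The following is an added example, not code from the book or from any vendor product, of the core of such a classifier: pattern detectors for a few identifier types, a Luhn checksum so that arbitrary digit strings are not mistaken for card numbers, a mapping from what was found to a classification tag, and a tagging step that writes the label into the content itself. The tag names, the medical record number (MRN) format and the sample documents are all constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Detectors for identifier types the compliance text names. Patterns are
# constructed for this example; a production classifier would carry many more.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")            # 13-19 digits, spaces/dashes allowed
MRN_RE = re.compile(r"\bMRN[:\s]*\d{6,10}\b", re.IGNORECASE)  # hypothetical medical record number format

# Classification tag applied per identifier type (tag names are assumptions)
TAG_FOR = {"ssn": "RESTRICTED-PII", "card": "RESTRICTED-CARDHOLDER", "mrn": "RESTRICTED-PHI"}
DEFAULT_TAG = "INTERNAL"


def luhn_valid(number: str) -> bool:
    """Luhn checksum: rejects most digit strings that merely look like card numbers."""
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) < 13:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_identifiers(text: str) -> Dict[str, List[str]]:
    """Return the identifiers found, keyed by type; types with no hits are omitted."""
    found = {
        "ssn": SSN_RE.findall(text),
        "card": [m for m in CARD_RE.findall(text) if luhn_valid(m)],
        "mrn": MRN_RE.findall(text),
    }
    return {kind: hits for kind, hits in found.items() if hits}


def classify(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Decide the tags for a document from the identifiers it contains."""
    found = find_identifiers(text)
    tags = sorted({TAG_FOR[kind] for kind in found}) or [DEFAULT_TAG]
    return tags, found


def tag_document(text: str) -> str:
    """Attach a persistent classification header to the content itself."""
    tags, _ = classify(text)
    return "X-Classification: " + ",".join(tags) + "\n" + text


# Constructed sample documents (all identifiers are test values, not real ones)
DOC_FINANCE = "Refund approved for card 4111 1111 1111 1111, customer SSN 123-45-6789."
DOC_CLINIC = "Patient MRN: 00123456 seen 2024-01-03; follow up in 2 weeks."
DOC_PUBLIC = "All-hands moved to Thursday, room 4B. Tracking number 1234 5678 9012 3456."

if __name__ == "__main__":
    for doc in (DOC_FINANCE, DOC_CLINIC, DOC_PUBLIC):
        print(tag_document(doc).splitlines()[0])
```

The tracking number in the third document has sixteen digits but fails the Luhn check, so it is not tagged as cardholder data; that check is what keeps a classifier of this kind from flagging every invoice or order number. The tag is prepended to the content so that it travels with the document wherever it is copied, which is what "persistent" means in the section above.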

6.6 NERC Compliance

- The North American Electric Reliability Corporation (NERC) is a nonprofit corporation based in Atlanta, Georgia, and
formed on March 28, 2006, as the successor to the North American Electric Reliability Council (also known as NERC).

- NERC's major responsibilities include working with all stakeholders to develop standards for power system
operation, monitoring and enforcing compliance with those standards, assessing resource adequacy, and providing
educational and training resources as part of an accreditation program to ensure power system operators remain
qualified and proficient. NERC also investigates and analyzes the causes of significant power system disturbances in
order to help prevent future events.
- Compliance monitoring: It is the process used to assess, investigate, evaluate and audit in order to measure
compliance with NERC reliability standards. This responsibility is set forth in Section 215(e) of the Federal Power Act as
well as 18 C.F.R. § 39.7.
- Compliance enforcement: It is the process by which NERC issues sanctions and ensures mitigation of confirmed
violations of mandatory NERC reliability standards. As part of these efforts, NERC can also issue directives to
immediately address and deter new or further violations, regardless of their status (i.e., confirmed or
alleged). Sanctioning of confirmed violations is determined per the NERC sanction guidelines and is based
heavily upon the violation risk factors and violation severity levels of the standard requirements violated and the
violation's duration. Entities found in violation of any standard must submit a mitigation plan for approval by NERC and,
once approved, must execute this plan as submitted.
- Organization registration and certification: It consists of the organization registration function and the
organization certification function. Organization registration identifies and registers bulk power system owners, operators
and users who are responsible for performing reliability functions to which NERC reliability standards are applicable,
and against which NERC monitors and enforces compliance. The organization certification function is the process by
which certain users, owners and operators of the bulk power system (reliability coordinators, transmission operators and
balancing authorities) are certified as having the necessary personnel, knowledge, facilities, programs and other
qualifications to carry out these important responsibilities. Requirements and activities for the organization registration
and certification program are embodied in Section 500 (Organization Registration and Certification) and the associated
Appendices of the FERC-approved NERC Rules of Procedure.

Regional entity compliance monitoring and enforcement programs

- NERC relies on the Regional Entities to enforce the NERC reliability standards with bulk power system owners,
operators and users through approved regional delegation agreements.
- The Regional Entities are responsible for monitoring compliance of the registered entities within their regional boundaries,
assuring mitigation of all violations of approved reliability standards, and assessing penalties and sanctions for failure to
comply.
- Regional appeals processes are available to resolve contested violations and sanctions. If a resolution
cannot be achieved at the regional level, NERC maintains an appeals process to hear disputes.
- Registered entities or other relevant industry stakeholders can report any perceived inconsistency in the methods,
practices or tools of two or more Regional Entities through the consistency reporting tool located on the ERO
Enterprise program alignment process page.

6.7 PCI (Payment Card Industry) Compliance


- The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to ensure that ALL
companies that accept, process, store or transmit credit card information maintain a secure environment.
- The Payment Card Industry Security Standards Council (PCI SSC) was launched on September 7, 2006 to manage the
ongoing evolution of the Payment Card Industry (PCI) security standards with a focus on improving payment account
security throughout the transaction process.


- The PCI DSS is administered and managed by the PCI SSC, an independent body that was created by the major
payment card brands (Visa, MasterCard, American Express, Discover and JCB).
- It is important to note that the payment brands and acquirers are responsible for enforcing compliance, not the PCI
council.
- The PCI DSS applies to ANY organization, regardless of size or number of transactions, that accepts, transmits or stores
any cardholder data.
- All merchants will fall into one of four merchant levels based on Visa transaction volume over a 12-month period.
Transaction volume is based on the aggregate number of Visa transactions (inclusive of credit, debit and prepaid) from
a merchant Doing Business As ('DBA'). In cases where a merchant corporation has more than one DBA, Visa acquirers
must consider the aggregate volume of transactions stored, processed or transmitted by the corporate entity to
determine the validation level. If data is not aggregated, such that the corporate entity does not store, process or
transmit cardholder data on behalf of multiple DBAs, acquirers will continue to consider the DBA's individual
transaction volume to determine the validation level.

Table 6.7.1

Merchant level | Description
1 | Any merchant, regardless of acceptance channel, processing over 6M Visa transactions per year; also any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system.
2 | Any merchant, regardless of acceptance channel, processing 1M to 6M Visa transactions per year.
3 | Any merchant processing 20,000 to 1M Visa e-commerce transactions per year.
4 | Any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants, regardless of acceptance channel, processing up to 1M Visa transactions per year.

- Level 4 merchants, which are typically small to medium sized businesses, must complete the following steps to satisfy the
requirements of PCI DSS:

1. Determine which Self-Assessment Questionnaire (SAQ) your business should use to validate compliance.
2. Complete the Self-Assessment Questionnaire (SAQ) according to the instructions it contains.
3. Complete and obtain evidence of a passing vulnerability scan with a PCI SSC Approved Scanning Vendor (ASV).
Note that scanning does not apply to all merchants; it is required for SAQ A-EP, SAQ B-IP, SAQ C, SAQ D-Merchant and
SAQ D-Service Provider.
4. Complete the relevant Attestation of Compliance in its entirety (located in the SAQ tool).
5. Submit the SAQ, evidence of a passing scan (if applicable) and the Attestation of Compliance, along with any
other requested documentation, to your acquirer.

6.7.1 GOALS of PCI

1. Building and maintaining a secure network

o Install and maintain a firewall configuration to protect cardholder data : Companies must create their own
firewall configuration policy and develop a configuration test procedure designed to protect cardholder data. Your
hosting provider should have firewalls in place to protect and create a secure, private network.
o Do not use vendor-supplied defaults for system passwords and other security parameters : This means creating,
maintaining and updating your system passwords with unique and strong passwords set by your company,
not the defaults a software vendor shipped with the product. The same applies to default accounts, default SNMP
community strings and any other configuration value that is publicly documented.

2. Protect card holder data

- Protect stored data : This requirement only applies to companies that store cardholder data. Companies that do
not store cardholder data at all avoid the breach scenario most often targeted by identity thieves, and PCI DSS
requires that stored cardholder data be kept to the minimum the business needs. A PCI compliant hosting provider
should provide multiple layers of defense and a secure data protection model that combines physical and virtual
security methods. Virtual security includes authorization, authentication, passwords, etc. Physical security includes
restricted access, server storage and networking cabinet locks (according to Computerworld.com).
- Encrypt transmission of cardholder data across open, public networks : Encrypted data is unreadable and
unusable to a system intruder without the proper cryptographic keys, according to the PCI Security Standards
Council. Encryption is the process in which plaintext, like the words seen here, is transformed into ciphertext; the
cryptographic key is the secret parameter that controls that transformation. Ciphertext is unreadable to anyone
without the key, even when the algorithm itself is publicly known. As an added security measure, sensitive
authentication data, including card validation codes (CVV) and PINs, must never be stored after authorization, even
if this data is encrypted.
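The two points above (stored PAN must be rendered unreadable, and sensitive authentication data must never be retained after authorization) are most often violated in a place nobody designed as a data store: application logs. The following Python script is an added example, not code from the textbook or from the PCI SSC. It runs over a few constructed log lines, finds Luhn-valid card numbers, masks them to the first six and last four digits (the most PCI DSS allows to be displayed to staff without a business need to see the full PAN), and redacts CVV/PIN fields. The PAN regex and the key=value heuristic for sensitive authentication data are assumptions of the example, not a complete data-discovery tool.

```python
"""Scrub log lines of cardholder data that PCI DSS says must not be stored
in the clear: mask any PAN found and redact sensitive authentication data.

Added example, not code from the textbook. Assumptions (illustrative, not a
complete data-discovery tool): a PAN candidate is a 13-19 digit run, optionally
separated by spaces or dashes, that passes the Luhn check; sensitive
authentication data (SAD) is spotted by a key=value heuristic for CVV/CVC/PIN.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# 13-19 digits, each optionally followed by a space or dash, not touching other digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Fields holding sensitive authentication data, which must never be stored after
# authorization (PCI DSS Requirement 3): card verification codes and PINs.
SAD_FIELD = re.compile(r"(?i)\b(cvv2?|cvc2?|cid|pin)(\s*[=:]\s*)(\d{3,6})\b")

# Constructed sample log lines (not from any real system). They use the well-known
# Visa/MasterCard/Amex test numbers; the "order" id is a 16-digit non-Luhn number.
SAMPLE_LOGS = [
    "2024-03-01T10:15:02Z checkout ok pan=4111111111111111 amount=19.99",
    "2024-03-01T10:15:09Z checkout ok pan=5500 0000 0000 0004 cvv=123 amount=5.00",
    "2024-03-01T10:16:44Z refund order=4111111111111112 amount=19.99",
    "2024-03-01T10:17:00Z amex pan=378282246310005 pin=4321",
    "2024-03-01T10:18:31Z health check ok",
]


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check used by payment card numbers."""
    total = 0
    for idx, ch in enumerate(reversed(digits)):
        d = int(ch)
        if idx % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the first six (BIN) and last four digits of a PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def _digits_only(candidate: str) -> str:
    return re.sub(r"[ -]", "", candidate)


def _is_pan(digits: str) -> bool:
    return 13 <= len(digits) <= 19 and luhn_valid(digits)


def find_pans(text: str) -> list[str]:
    """Return the Luhn-valid PANs (digits only) found in text."""
    pans = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = _digits_only(m.group(0))
        if _is_pan(digits):
            pans.append(digits)
    return pans


@dataclass
class ScrubResult:
    line: str
    pans_masked: int
    sad_redacted: int


def scrub_line(line: str) -> ScrubResult:
    """Mask every Luhn-valid PAN and redact SAD fields in one log line."""
    pans_masked = 0

    def _mask(m: re.Match) -> str:
        nonlocal pans_masked
        digits = _digits_only(m.group(0))
        if not _is_pan(digits):
            return m.group(0)  # not a card number (e.g. an order id); leave it alone
        pans_masked += 1
        return mask_pan(digits)

    masked = PAN_CANDIDATE.sub(_mask, line)
    redacted, sad_redacted = SAD_FIELD.subn(r"\g<1>\g<2>[REDACTED]", masked)
    return ScrubResult(redacted, pans_masked, sad_redacted)


def scan_logs(lines: list[str]) -> dict[str, int]:
    """Scrub every line and return the totals an assessor would ask about."""
    totals = {"lines": 0, "pans_masked": 0, "sad_redacted": 0, "lines_with_findings": 0}
    for line in lines:
        result = scrub_line(line)
        totals["lines"] += 1
        totals["pans_masked"] += result.pans_masked
        totals["sad_redacted"] += result.sad_redacted
        if result.pans_masked or result.sad_redacted:
            totals["lines_with_findings"] += 1
    return totals


if __name__ == "__main__":
    for raw in SAMPLE_LOGS:
        print(scrub_line(raw).line)
    print(scan_logs(SAMPLE_LOGS))
```

Two caveats a practitioner should keep in mind. The Luhn check only filters out most random digit runs; some timestamps, tracking numbers and order ids are Luhn-valid by chance, so production tooling adds BIN-range and context checks before calling a hit a PAN. And scrubbing logs after the fact is a compensating control at best: the requirement is that PAN and sensitive authentication data never reach the log in the first place, which means masking at the point where the value is formatted for output.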

3. Maintain a vulnerability management program


- Use and regularly update anti-virus software : An anti-virus software service needs to be frequently updated to
protect against the most recently developed malware. If your data is being hosted on outsourced servers, the
managed server provider is responsible for maintaining a safe environment, including generating audit logs.
- Develop and maintain secure systems and applications : This includes discovering newly identified security
vulnerabilities via alert systems. Your PCI compliant hosting provider should be monitoring and updating their
systems to remediate any security vulnerabilities.

4. implement strong access control measures


- Restrict access to cardholder data by business need-to-know: Limiting the number of people that have access to
cardholder data lessens the chances of a security breach.
- Assign a unique ID to each person with computer access: User accounts with access should follow best practices,
including strong cryptographic protection of stored passwords, authorization, authentication, password changes at
least every 90 days (the interval PCI DSS specifies), log-in time limits, etc. Shared or generic accounts defeat the
purpose of this requirement, since actions can no longer be traced to an individual.
- Restrict physical access to cardholder data : If your data is hosted in an off-site data center, your data center
provider should have limited personnel with access to the sensitive information. PCI compliant data centers should
have full monitoring, including surveillance cameras and entry authentication, to ensure a secure and PCI
compliant hosting environment.

5. Regularly monitor and test networks


- Track and monitor all access to network resources and cardholder data : Logging systems that track user activity,
with the logs archived and retained, help your hosting provider pinpoint the cause in the event of a security breach or
other issue.
- Regularly test security systems and processes : With regular monitoring and testing processes in place, your data
hosting provider should be able to demonstrate to you that your customers' cardholder data is being protected.

6. Maintain an information security policy

- Maintain a policy that addresses information security : This policy should cover the acceptable uses of
technology, review schedules and annual processes for risk analysis, operational security procedures, and other general
administrative tasks.
- If you are choosing a data-hosting provider, ask for documentation of the processes that ensure the 12 PCI DSS
compliance requirements can be met.

Q.1 Write short note on SOX ? (Section 6.1)

Q.2 Write short note on GLBA ? (Section 6.2)

Q.3 What is HIPAA compliance ? Explain in detail ? (Section 6.3)

Q.4 Write short note on ISO ? (Section 6.4)

Q.5 Write short note on FISMA ? (Section 6.5)

Q.6 Explain NERC compliance ? (Section 6.6)

Q.7 What is PCI ? (Section 6.7)

Q.8 What are the goals of PCI ? (Section 6.7.1)
