B'Cognizance » I Secure

Tampering with Source Code : Cyber Offence

utkarsh — Tue, 15 Apr 2014 03:37:11 +0000

“Tampering is Great Art of Creativity, but on the Cost of Others”

Introduction

I was to purchase an I Phone I was discussing this with my friend at the bus stop suddenly a boy approached me and said that he knows a dealer who could give me an I Phone with android applications working in it by just charging 2000 bucks extra than the market price.

I was very excited and happy, and share the same offer with my elder brother who was an MCA pursuing student. He suddenly asked my “Did you purchase that” I replied casually “no, I will tomorrow”. He said me not to as that may be a phone with Tampered Source code. Initially I did not accept it but after he showed me the licence, user and distribution agreement and conditions I realised that I could have committed a crime punishable under sec 63 of the IT Act. Woooooffff … I was saved.

Computer source code

lt is the listing of programmes, design and layout or computer commands and programme analysis of computer resource in any form. Computer source code need not only be in the electronic form but lt can be printed on a paper (example printouts of flowchart for designing a software application).[1]

Example:- as in the case above the operating system of the phone is designed with a source code that only allows the phone to use authentic Apple applications.

Tampering

It means to bring a change in the existing form and can be possibly done by Concealing, Alteration or Destruction where,

Conceal simply means to hide from.

Alters, in relation to source code, means modifies, changes, makes different etc. This change or modification could be in respect to properties, size, format, value, etc.

Destroys means to cause to cease to exist or make useless or nullify or demolish, or reduce to nothing. Destroying source code includes acts that are likely to render the source code useless for the purpose for which it may have been created.[2]

Example:- as in the case above the apple operating system could on accept authentic software and anything other than that provided by the company could only be done by tampering it’s source code.

As per codes
Section 65 of IT Act 2000 -
Tampering with computer source documents.
Whosoever

knowingly or intentionally conceals, destroys or alters or
intentionally or knowingly causes another to conceal, destroy or alter any computer source code used for a computer, computer system, computer programme or computer network, when the computer source code is required to be kept or be maintained by law.

Punishment

Such a person may be punishment with imprisonment up to three years or with a fine up to two lakh rupees or with both[3]

Scope of Application

This section deals with only computer source codes that is either:

Required to be kept (example in a hard disk, a cell phone, server etc.), or
Required to be maintained by law

Section 63 Copyright Act

In case the tampered source code is a copyrighted material:-
Offence of infringement of copyright conferred by Copyright Act.
Any person who knowingly infringes or abets the infringement of- the copyright in a work may be

punished with imprisonment for a term not less than six months which may extend to three years and
fine which shall not be less than fifty thousand rupees but which may be extend to two lakh rupees.[4]

References

[1] Cyber Crime & Digital Evidence – Indian Perspective authored by Rohas Nagpal

[2] Cyber Crime & Digital Evidence – Indian Perspective authored by Rohas Nagpal

[3] Section 65 of the Information Technology Act, 2000

[4] Section 63 of The Copyright Act 1957

Hemant Kumar Singh
INSTITUTION: University of Petroleum & Energy Studies (UPES), Dehradun.

Starting a Network Architecture Review

utkarsh — Tue, 15 Apr 2014 03:36:03 +0000

Network Architecture, I am sure every one of us have heard it and often copied them from Internet for our assignments for network classes. But when it comes to reviewing them, it often becomes a confusing task for the new-comers in auditing.

So here I will share some of the basic tips on how to start with understanding a network architecture.

You must research about the organization and its business. Try to understand what is critical for their business in terms of CIA (Confidentiality, Integrity and Availability)

When understanding a network architecture first start with understanding the network diagram. Obtain a copy of the architecture from the client and sit with one of their members to understand what it is all about.

Draw their architecture in your own system (or notebook). Locate their key areas, their key nodes of business. For eg. Mark their data centre, their disaster recovery centres etc.

Mark the boundaries and divide them in zones. Eg. If the organization is spread across locations then they must be using the Internet to connect their locations. So each location is a zone, then their boundary is where they connect to internet. Then the Internet is a separate zone. Again their datacentre where all the locations connect is another zone having a boundary with Internet.

Now that you have to zones. Mark them in terms of Security and service. Eg. The Internet zone will not be a secure zone. The data centre or the LAN zone will be secure and service quality too should be good.

Analyse the boundary conditions. If any traffic is going from a secure zone to non-secure zone or vice versa is there some control to check the traffic. Any communication link between public and private network should have appropriate security controls. Eg. DMZ boundaries should have firewalls.

Now analyse the traffic in details. You should have a the basic understanding of the kind of data (and their criticality) will be traversing in the network. You should get this understanding from your own research and from the walk-through you have with the network team. Check the level and security of encryption they provide to the data, ensure they follow the industry best practices. Eg. I was recently auditing a bank, and found that they don’t use IPSec (or anything) in some of the branches to secure the communication!

Now check the resources in each zone. Ask questions like why is a server is in ‘this’ domain? Check if it can be moved to a more secure zone. Eg. If there is a server in DMZ which is not accessed by the public directly then it can be a recommendation.

Last but not the least get a list of security incidents, and the service requests raised for networks. Check those issues, try to see if the cause of the issues lie in the architecture. If so address them.

These are basic few steps which, I recommend when performing a network architecture review. However ensure you are very sure and comfortable about the network diagram and understanding. You will face resistance often from the network team of the client, but ensure you work your way to get the right information from them.

Rahul Das
Consultant, Risk Advisory Services
PwC, Mumbai
MS-CLIS, (2011-2013)

Email Phishing and Attacks

utkarsh — Tue, 15 Apr 2014 03:35:14 +0000

Phishing was a word in the beginning used to portray email attacks that were used to rob your online banking username and security password. On the other hand, the term has evolved and now refers to almost any email-based attack. Phishing uses social engineering, a method where cyber attackers try to fool you into performing an action. These attacks often start with a cyber unlawful person sending you a mail faking to be from someone or an identity you know or have faith in him, such as a friend/colleague, your bank or your favorite online website. These emails then tempt you into taking a step, such as clicking on a link/word opening an attachment or replying to a message. Cyber criminal’s technique these mails to look persuasive, sending them out to literally billions of people around the globe. The criminal’s don’t specifically target a person or have a mindset, nor do they know precisely who will fall victim of their attacks. They simply know the more emails they send, the more public they may be able to trick. Phishing attacks works in four ways:

• Harvesting Information: The cyber attacker’s aim is to prey you into clicking on a link/word and taking you to a website/blog that asks for your login and security password, or even your credit and debit card or ATM number. These websites look legitimate and lawful, with exactly the same pattern with originality, imagery and feel of your online bank, but they are frivolous websites designed by the cyber invader to steal your data.

• Infecting your computer system with malicious links: Once again, the cyber invader’s goal on you is to click on a link/word so that you fall a victim of their attack. However, instead of harvesting your information, their goal is to infect your personal computer. If you click on the link, you are connected to a website that without a sound launches an attack against your personal computer which if successful, will infect your computer.

• Infecting your personal computer with malicious attachments: These are phishing mails that have malicious attachments, including PDF files or Microsoft Office Documents. If you open these attachments they attack your laptops/computer and, if victorious, give the attacker complete control and power.

• Scams: These are attempted by criminal experts to swindle you. Typical examples include notices and messages that you have won the lottery, charitable institutions requesting donations after a recent disaster happened or a dignitary that needs to transfer billions of dollars into your nation and would like to pay you to aid them with the transfer. Don’t be trapped, these are scams prepared by criminal experts who are after your money.

PROTECTING YOURSELF AND BEWARE OF PHISHING

In most cases, simply opening a mail is safe and sound. For most attacks to work to one has to do something after reading the mail (such as opening the attachment, clicking on the word/link or replying to the request for information and). Here are some hints if an email is an attack:

• Be suspicious and aware of any email that requires “instant action” or creates a sense of emergency. This is a common technique used by criminal experts to rush public into making an error.
• Be suspicious and aware of emails that addresses “Dear Customer” or some other generic greeting. If it is your bank institution they will know your name and identity.
• Be suspicious of grammar or spelling errors; most business class proofread their messages carefully before sending the same.
• Never click on links. Instead, copy the URL from the mail and paste it to your browser. still better is to simply type and write the destination name and address into your browser.
• Hover your mouse over the link or URL. This will show you the real destination where it leads to if you actually clicked on it. If the true destination of the link and address is different and unlike than what is shows in the mail, this may be an indication of fraud and tricking you.
• Be suspicious and aware of attachments and only open that you were expecting.
• Just because you got n mail from your friend, colleague does not mean they have sent it. Your friend’s computer may have been infected with or their account may have been compromised with security and loosing password and malware is sending the mail to all of your friend’s contacts and lists. If you get a suspicious e-mail from a genuine friend, call them to verify that they sent it. Always use a contact number that you already know or can independently confirm, not the one that was included in the message for you.

If after reading an mail you are of opinion it is a phishing attack or scam might take place, simply delete the mail. Ultimately, using mail safely and secure is all about common sense. If something seems and is visible of suspicious or too good to be true, it is most likely an attack and trap for you. Simply delete the mail.

Resources:

Kanika seth, Computers Internet and New Technology laws 2013, 2013 ed.
Priti Suri and Associates, Open Sources and the Law, 1^st ed. 2006.
https://www.securingthehuman.org/newsletters/ouch/issues/OUCH-201302_en.pdf

Vinod Kapoor
INSTITUTION: University of Petroleum & Energy Studies (UPES), Dehradun.