Changing Times

Dear Readers As more and more forms of cyber crimes get reported, it makes our job difficult on one hand and easy on the other! Difficult because, as a dedicated society of committed individuals we have to constantly update ourselves and harness our efforts more in the task of enhancing the level of awareness amongst the public dovetailing ourselves with other stake-holders in the society. Easy because, in a lighter vein, we have so many to write about in our eZine and a flood of cases and news items to choose from. We have introduced some changes in the content and the editorial board of our eZine in this issue. Some more changes including some design and layout changes are in the pipeline. Suggestions are most welcome. Readers interested in contributing articles in this niche area of cyber crimes, e-Security, IT Laws etc are invited to send in their original views and stories to us (editor@cysi.in). Anyone interested in drawing cartoons for our eZine? Tap your potential, be ready with paper and pencil, sketch and shades to make our eZine a shade better…. Enjoy reading and as usual, feel free to express your comment, more freely if it is an adverse one! V. Rajendran (venkrajen@yahoo.com)

President’s Column

CySI is organizing a 1-day Workshop on Cyber Crimes in Chennai. Date: 29 April 2014 (Tuesday) - 10 AM to 5 PM Venue: Andhra Social and Cultural Academy, T Nagar, Chennai 600017 His Excellency Dr K Rosaiah, Governor of Tamil Nadu will inaugurate the event. Many distinguished speakers will address the participants on various issues concerning cyber crimes, cyber laws, security concerns in electronic banking channels, digital evidence etc CySI will utilize the opportunity to honor those who have been instrumental in the growth of CySI. Please watch our website www.cysi.in for more details and registration.

eSecure

Secure and be Aware!

An e-zine from CySI

[[Volume 1, Number 7] April 2014

President’s Column

Editorial Board

Publishers: Cyber Society of India (Regd No: 245/04; http://www.cysi.in)

Editor-In-Chief: Rajendran V

(Ex-officio – President of CySI)

Editor:

Kapaleeswaran V

Editorial Committee:

Dr. Ramamurthy N

Murugan R

Panchi S

Advisors:

Srinivasan K Na Vijayashankar

This Issue

1. President’s Column 1 2. Editorial 2 3. Heart Bleed Virus 3 4. Cyber updates 4 5. Dummy’s Corner 6 6. Ethical but Illegal 8 7. China stops mobile payments 10

*****

Announcement

eSecure

http://cysi.in Cyber Society of India ezine@cysi.in P a g e | 2

Awareness, the need of the hour

We live in an era of speed, instant responses, on the spot transactions and immediate decisions. At this rate, very soon the word "later" will be banished from our lexicon. With instant resolutions, it is inevitable that more and more people are getting addicted to the channels of immediate solutions, by adapting themselves to the World Wide Web. The web is so attractive that it does not require any formal education to operate and derive benefits out of it. Any common man, literate or not, can access through this and derive benefits, be it banking transactions or online information search and retrieval.

Not a day passes without the children browsing the internet ostensibly for their project work. The elders not wanting to be left behind are logging into their bank account periodically to check for their account status, pension credit or returns on their investments. The homemakers use the net to keep themselves busy with micro blogging, online discussions and so on. The educationists use the net to spread literacy and awareness. The media effectively uses the net to publish instant and on the spot reporting of happenings across the Globe.

Invariably attractions and advantages always come with some price and considering the benefits achieved such costs are normally ignored and accepted. But, the costs that seemed to be paid over here is much more than financial in nature and that brings to the fore the need to create awareness among 'netizens' , common term for internet surfing community. The innocent and the gullible are targeted by 'cyber rogues ' to exploit their ignorance on basic safety. These cyber rogues are always on the prowl looking for victims and lure them with attractive, hard to resist offers such as an email informing about a huge lottery for them. Some tempt the users with a link, when clicked promises them to reveal the worldly pleasures. When once a victim is hooked, within minutes they are cheated either by swindling from their internet banking related accounts, or getting vital information such as their user Id and password. The same speed which was so attractive to the users also helps these ' cyber rogues' to milk the innocents in no time. Under the dicey situation, where speed and secrecy are essence, it is very important for the internet users to be aware of the perils in unprotected browsing. Every user organization should feel that it is also expected of them to educate and thereby empower the common man to ward off such evils that are lurking at every corner of the cyber world. For, this war of a different kind in the cyber world could be met and thwarted, only with better knowledge

and spread of information.

Cyber Society of India is also glad that it has enshrined as one of its objectives to educate and empower

people towards creating better netizens.

Kapaleeswaran, V (mail2kapali@gmail.com)

* * *

Editorial

eSecure

http://cysi.in Cyber Society of India ezine@cysi.in P a g e | 3

Millions of passwords, credit card numbers and other personal information may be at risk as a result of a major breakdown in Internet security revealed earlier this week. The extent of damage caused by the "Heartbleed" bug is currently unknown. The security hole exists on a vast number of the Internet's Web servers and went undetected for more than two years. While it is conceivable that the flaw was never discovered by hackers, it is nearly impossible to tell how much financial loss occurred earlier.

There is not much that people can do to protect themselves until the affected websites implement a fix.

Heartbleed affects the encryption technology designed to protect online accounts for email, instant messaging and e- commerce. It was discovered by a team of researchers from the Finnish security firm Codenomicon, along with a Google Inc. researcher who was working separately.

It's unclear whether any information has been stolen as a result of Heartbleed, but security experts are particularly worried about the bug because it went undetected for more than two years.

On the technical side, Heartbleed creates an opening in SSL/TLS, an encryption technology marked by the small, closed padlock and "https:" on Web browsers to show that traffic is secure. The flaw makes it possible to snoop on Internet traffic even if the padlock is closed. Interlopers can also grab the keys for deciphering encrypted data without the website owners knowing the theft occurred. The problem affects only the variant of SSL/TLS known as OpenSSL, but that happens to be one of the most common on the Internet. The fixed version of OpenSSL has to be implemented by the website administrators. Panchi, S (panchisubramanian@gmail.com)

* * *

A guy went for an interview at a big IT company for the position of 'Computer Hacking Investigator.' The boss asked him, "So, what makes you suitable for this job?" "Well," he replied, "I hacked into your computer and invited myself to this interview".

Heart Bleed Virus- Bleed of SSL

Smile Corner: Height of Hacking !

eSecure

http://cysi.in Cyber Society of India ezine@cysi.in P a g e | 4

Grand Data theft

Germany has confirmed its biggest Data theft in the country's history with usernames and passwords of some 18 million email accounts stolen and compromised by hackers. Authorities in the northwestern city of Verden unearthed a treasure of personal information, a list of about 18 million stolen email addresses and passwords, and seized it just after only two months from the previous major data breach, when researchers came across 16 million compromised email accounts of German users while conducting research on a botnet, a network of computers infected with malware.

According to Investigators, some of the accounts are used to send spam emails and some combinations of email and password are used for online shopping portals, as these mass of stolen personal information could also be used to obtain the financial details of users account. Refer: http://thehackernews.com/2014/04/worst-data-breach-in-german-history-18.html

Zeus, again ! The infamous ZeuS Malware has been causing financial theft all across the globe. More disturbing is the way the virus has been able to bypass Microsoft detection check–points. Evidently, the virus had found a new home in Social Media portal Facebook. ZeuS is quite known to patiently wait for its next victim and strike when least suspected. The irony is the fact that despite

being over 6 years old, the malware is still very potent and continues to evade detection.

In its current avatar, the virus is said to be taking advantage of Facebook’s underlying structure to infect millions of computers not just in the United States, but across the globe. Read more at http://www.inquisitr.com/1202481/how-the-zeus-malware-is-wreaking-havoc-for-windows-users-and-draining-bank-accounts-2/#zxUzE6kjbdcBkDOQ.99

Customer : “You’ve got to fix my computer. I urgently need to print document but the computer won’t boot properly.” Tech Support : “What does it say?” Customer : “Something about an error and non-system disk.” Tech Support : “Look at your machine. Is there a floppy inside?” Customer : “No, but there’s a sticker saying there’s an Intel inside.”

Cyber Updates

Smile corner - Tech support

eSecure

http://cysi.in Cyber Society of India ezine@cysi.in P a g e | 5

One-third of phishing attacks aimed at financial institutions

Customer information is a valuable commodity to cybercriminals, with the ability to steal identities, transfer money from accounts, and financially ruin victims. Cybercriminals enjoy using the brand names and logos of well-known companies, making it easier to lure users into clicking fraudulent links.

"Phishing attacks are so popular because they are simple to deploy and extremely effective," said Kaspersky Lab Senior Security Researcher, in a press statement. "It is often not easy for even advanced Internet users to distinguish a well-designed fraudulent site from a legitimate page, which makes it even more important to install a specialized protection solution." In the backdrop of ever growing threat of phishing and all forms of cyber attacks, banks are always looking for an improved and enhanced level of security in technology, including a growing number of financial institutions researching biometrics." Read more at http://www.tweaktown.com/news/36811/one-third-of-phishing-attacks-aimed-at-financial-institutions/index.html

Remembering all the Passwords Reset by you: If you’re like most people, the news of the Heartbleed bug and how broadly its security flaw spread is worrisome enough. But the list of sites where you absolutely have to change your passwords looks daunting for anyone. You probably have to change passwords on your email, your Facebook, and maybe even your online dating profile, not to mention potentially countless online shopping sites (depending upon the depth and breadth of your need to shop until you drop).

In these attacks, hackers don’t have to guess one password, or even try out a few easy ones (like the word “password,” which you should always avoid), to get into one account. Instead, they go after a site’s database of all users’ logins and passwords and, no matter how strong you think yours is, they’ve got it. More details at : http://blog.credit.com/2014/04/remember-all-the-passwords-80368/

Kapaleeswaran V (mail2kapali@gmail.com)

eSecure

http://cysi.in Cyber Society of India ezine@cysi.in P a g e | 6

Dummy’s Corner The questions below may seem silly, but they carry lot of messages. They are meant for laymen and not for experts.

Question 1. I am getting so many emails about my winning lottery, offer of foreign jobs etc., why can't I just respond and say that I am not interested?

Answer: It is a basic thumb rule: Never respond to any unsolicited mails. Never respond to any mail that is not specifically addressed to you or addressed to “Undisclosed recipients” or when you are under a “bcc” from a wholly unknown sender. Never be lured by statements like “your email id has won” or “your mobile number has won” or “as part of our business promotion, we are offering you under a random selection scheme” etc in a mail, which seeks some details like your name, address, age. When the sender is not known to you, please do not provide even such innocuous and routine

particulars like name, age and address also, leave alone confidential data like bank account number, user id or password. Sometimes the mail may be just a communication giving you news about some latest developments in the form of some social information, with a line at the bottom reading as: “If you do not want to receive any more mails, please click the ‘Unsubscribe’ button below.” It is wiser NOT to click this ‘Unsubscribe’ button also, because by clicking it, you are indirectly falling into the first level of trap by indicating that such a recipient exists, when your response is traced to you (with your corporate or personal mail server or PC). It is always BETTER to simply delete such mails and it is BEST to delete even before opening them.

Question 2. I find that my debit card has been compromised and already a certain amount has been withdrawn. Please advise the immediate and next steps to be taken. Answer: Immediately contact the card-issuer bank and block the card, to prevent further loss, and get the

acknowledgement either a system generated number or other manual confirmation. Get the name of the

official in the help-desk registering the complaint and record the same. Nowadays most of the banks

provide 24 x 7 help-desk facility (by phone, by email or by SMS from your registered mobile number) to

register the card misuse and request blocking the card. To seek redress for the grievance and get

compensation for the loss already incurred, you may have to contact the bank and get details of the debits

and depending upon the facts and circumstances of the case, prove your innocence and obtain refund of the

money as per procedures laid down by Reserve Bank of India, Banking Ombudsman, the bank’s own internal

guidelines and other legal and regulatory avenues available. We will be publishing an article shortly in our

ezine titled “Victims of cyber crimes in Banking” in which all the avenues available to a victim of an online or

ATM or other form of banking transaction will be dealt with in detail.

Answers by Rajendran V

(venkrajen@yahoo.com)

eSecure

http://cysi.in Cyber Society of India ezine@cysi.in P a g e | 7

This man has a habit of keeping his brain active by accumulating knowledge and also filling his cabinets with international certifications. Close on the heels of our reporting in these columns in Jan 2014 Mr. Ramesh Bhasyam's selection as one of the Next Gen Top 100 CEOs of the nation, he has done it again. This time, he has earned the right to be called 'Certified Practitioner in Project Management' by going after the 'Prince 2 Methodology', successfully. As the readers may be aware, most of the UK based projects adhere closely to this methodology. On a chat, he revealed that he still has plans

to equip himself with more Industry recognized certifications and he appears to be a man in thirst. CySI is proud of not only his achievements but also in having such an erudite scholar as its Secretary. Please join in wishing Mr. Ramesh Bhashyam, the best in all his further endeavors too.

1. Make sure your firewall is working

2. Run an antispyware program.

3. Keep your antivirus software active. If you feel, run an antivirus scan weekly to be sure nothing is missed.

4. Sort through your My Documents files and get rid of those you don’t need any more.

5. Back up all of your files to an external drive or cloud storage.

6. Empty the trash folder. Don’t even look in it. If you haven’t missed a file by now, it won’t be in there.

7. Go through your programs and delete the ones you no longer use.

8. Update any software that needs it. Not BUY a newer version. Click the free update that’s been nagging at you (Adobe Reader and Windows, for example)

9. Clean the junk off of your desktop. Put it in folders or create a folder for ‘Working on’ or ‘Desktop Stuff’.

10. Clean up your Start Button. Remove short keys you no longer use

For more details look at: http://www.examiner.com/article/12-spring-cleaning-steps-for-your-

computer

* * *

CySIan - Achiever of the month

10 Easy steps for cleaning your computer

eSecure

http://cysi.in Cyber Society of India ezine@cysi.in P a g e | 8

Often we come across activities which are either forbidden or at least looked down upon by society from its

traditional values, but are not specifically declared illegal or unlawful. We travel in a public transport or are

in some queue and see our former school teacher somewhere behind, and respectfully offer our place to

him/her. Or in a public place, we leave right of place in favour of some senior citizen. These are acts of

ethics and general culture which are not specifically required by law and even if we do not make such offers,

we are still law abiding citizens only and are not committing anything unlawful. Of late, we come across one

specific activity which is declared illegal and is punishable but often comes with a prefix “Ethical”. Let us see

what.

The word “Hacking” was defined in the earlier version of Information Technology Act, 2000 (Section 66).

Whoever with the intent to cause or knowing that he is likely to cause wrongful loss or damage to the public

or any person destroys or delete or alters any information residing in a computer resource or diminishes its

value or utility or affects it injuriously by any means, commits hack. Hacking is punishable with

imprisonment up to three years, or with fine which may extend upto two lakh rupees, or with both.

Though this definition has since been removed from I.T. Amendment Act 2008, effective from October 2009,

the contents and punishment for hacking still remains. Unauthorized access to computer is of course,

punishable. The revised section still deals with the offence of unauthorized access to a computer resource,

data theft, combining it with the civil offence of data theft dealt with in Section 43, and the punishment

stipulated as three years’ imprisonment or a fine of five lakh rupees or both.

Teaching an illegality? Of late “Ethical Hacking” as a subject is gaining in importance and getting fancied

towards this caption, more and more youth are attracted towards learning this technique (as an art or a

science?) Some institutes advertise stating clearly that “while these hacking skills can be used for malicious

purposes, this class teaches you how to use the same hacking techniques to perform a white-hat, ethical

hack, on your organization.” Some institutes also advertise like “this website will help you gain entry into

the minds of seasoned computer criminals, so that you can forestall their attempts and pre-empt all harmful

intents and activities.” Sounds too good and good Samaritan isn’t it? But is there any check on the syllabus

taught, admission criteria and the knowledge imparted and above all the purpose for which the knowledge

so gained is to put to.

Comparison with other crimes: Crimes such as murder, rape, robbery etc are all well defined and have been

accepted as offences which any one would shun and are not only just legally but also morally and ethically

treated as crimes only. On the same plane, take the offence called ‘hacking’. Here lies the difference.

While hacking itself is a crime and recognized as one, with well-defined punishments for it, how can there be

a course or training programmes called ‘ethical hacking’? The protagonists say that like any other computer

knowledge or programming skill, hacking too is a part of the knowledge and at least to protect your

computer from being hacked, you should be taught and trained in hacking. To protect ourselves from

robbery or cheating or chain-snatching or eve-teasing, no institute conducts a course called ‘ethical eve-

teasing’ or ‘ethical assault’ or ‘ethical robbery’.

Ethical- but Illegal ?

eSecure

http://cysi.in Cyber Society of India ezine@cysi.in P a g e | 9

Besides, admission to such courses is by advertisements and wide publicity and in their eagerness to enroll

more and more candidates, such institutes admit semi-literate professionals, teen-aged students and

inquisitive youngsters whose antecedents are not known or verified.

No doubt, hacking is still an offence, though the academicians and institutes teaching it may like to

differentiate that doing it with the permission of the owner of the system (ie for good purposes) is hacking

and doing it in an unauthorized manner i.e., malicious intent (or mens rea, to use a legal term meaning

criminal intent of mind) will be called cracking. The act per se ultimately and ab initio, remains the same.

Such spread of knowledge called under the fancy names of “Ethical Hacking” or “Knowledge of hacking

tools” or “Hands-on sessions in hacking” etc has led to increase in cyber crimes in the country. It is quite

clear that the cyber crime police are getting more and more cases of data theft, hacking, attempted id theft,

unauthorized access to systems often resulting in offences like cyber stalking etc.

It is time that the governments and other regulators like RBI, TRAI and the Ministry of I.T. and CERT-In

(under the control of Ministry of I.T. with its legal position now recognized under Sec 70-B of I.T.

Amendment Act 2008) brought some regulations on these by taking initiatives to ban such courses with

these fancy or misleading names like “Ethical Hacking” and enforce regulations before knowledge about

hacking tools is imparted to misguided youngsters.

Murugan, R (murugan.ramanathan@yahoo.co.in)

* * * Scammers aren't non-English speakers with computers. They're savvy manipulators who play off your emotions. That's why even the stupidest scams will work on the right vulnerable person. These online scams have been around forever—some, even before the Internet—yet thousands of people are still falling for them every day. Here's what you need to know so you're never conned again.

1. The Fake ticket scam 5. The perfect online girlfriend scam 2. The social media link scam 6. The kidnapping scam 3. The Caller Id scam 7. The Charity scam and 4. The Email phishing link scam 8. The Nigerian Prince scam

Read more at: http://www.menshealth.com/techlust/internet-scams#

Only Naive people fall for online scams? Think again

Some stupid Internet scams that people still fall for

eSecure

http://cysi.in Cyber Society of India ezine@cysi.in P a g e | 10

In the last issue we discussed mobile devices and, close on the heels, comes this interesting news. Chinese officials are cracking down on mobile payments and the use of virtual credit cards after IT firms have moved further into traditional banking territory. China’s central bank has demanded that mobile payments and the use of virtual credit cards be halted immediately, amid concerns over the security in verification procedures by major internet firms Tencent, Baidu and Alibaba Group. The move comes just a day after Alibaba and Tencent launched virtual credit cards, which the central bank ruled too risky, state media said. It is the latest in a series of clashes between China’s finance sector and IT companies, which have pushed into the banks’ territory by offering financial services such as online payments and wealth management products. It is the latest in a series of clashes between China’s finance sector and IT companies Chinese officials have so far permitted the firms’ growing roles in the finance sector, viewing online and mobile payments as beneficial to ordinary consumers and as a potential booster for the economy. However, the incursion into traditional banking turf has caused banks to call for stricter regulations as opposition towards tech firms continues to mount. As such, the People’s Bank of China said in a statement that it has ordered the temporary halt of virtual credit cards and QR payment systems. “The level of risk control directly impacts the users’ information security and financial security,” the central bank said, adding that further research was needed to assess whether the virtual payment services could handle such risks. In addition, the companies have to submit detailed reports on their procedures. This follows recent tension between state-owned China UnionPay, the country’s monopolistic credit card provider, and the internet firms, which were set to launch virtual credit cards that could potentially hurt UnionPay’s revenues significantly. In February, Chinese and international media reported that UnionPay had put pressure on Alipay to route its new virtual card service through UnionPay’s system so it could increase its commission earnings on transactions. However, Tencent and Alibaba announced just this week that they would partner with Citic Bank to launch the virtual credit cards, thereby eliminating UnionPay from being able to charge fees on the online card transactions. Tencent, Alibaba and Citic have all confirmed to Reuters that they’ve received notice of the restriction, which has caused shares in all three firms to drop significantly. Spokespeople from both Alibaba and Citic said they had adhered to the correct application procedures before launching the virtual credit cards and that they would await further information from the PBOC. Reference: http://www.theneweconomy.com/technology/china-stops-mobile-payments-amid-security-concerns

Dr. Ramamurthy N (ramamurthy.n@gmail.com)

* * *

China stops mobile payments

eSecure

http://cysi.in Cyber Society of India ezine@cysi.in P a g e | 11

Pictures are added to the articles of this ezine for effective reading/ understanding. Most of the pictures are taken from Internet. Our editorial board wishes to convey its thanks for the courtesy of whoever has taken strains to draw and uploaded the pictures.

This e-zine and all the previous issues, as well, can be read from our web-site http://cysi.in/. The contents in this e-zine are meant for sharing of knowledge and hence readers are requested to circulate this e-zine in full or in part to anyone they like. Readers may acknowledge CySI while reproducing the articles or any part thereof. Readers are requested to send their feedback, articles, jokes, etc., to editor@cysi.in. Neither CySI nor the members of the Editorial Committee/ Board owns any responsibility for the views expressed by the authors in the articles. The views expressed are the concerned author’s individual views only. For any further clarification on any of the articles or stories in this e-zine, kindly contact the author directly or email editor@cysi.in Editorial Board

On the occasion of CySI reaching a milestone in its journey, we are planning to introduce some exciting features involving even non CySI members too. Please look out for more details in these columns. We are also looking for enthusiastic readers who could contribute through cartoon for the e-zine. Interested persons are requested to write to editor@cysi.in Editorial Board