Thursday, December 22, 2016

Cross-Examination in cyber crime matters



Cross-examination almost always ventures into dangerous territory. The reason for this is that the witness is usually adverse or hostile to your client’s position.

Therefore, the cyber lawyer must control the witness and, more particularly, the witness’ testimony. This can be accomplished by following certain guidelines during the cross-examination.

1. Do not ask a question unless you are reasonably certain that you already know the answer. (Some would say do not ask the question unless you are certain you know the answer). Cross-examination is not the time to discover new facts. It is not the time to be curious. Remember, curiosity killed the cat. It may likewise kill your case.

2. Treat the witness fairly. You should not be hostile, especially if you want to gain concessions from the witness, including that he/she may have been mistaken in his/her testimony on direct examination.

3. Use leading questions. A leading question suggests the answer, which is usually “yes” or “no.”
For example: Is it true that the computer had anti-virus software installed on it?
Was it licensed?

4. Never ask open-ended questions—questions that ask “how” or “why” or that require the witness to explain. These types of questions can lead to disaster. Never allow a witness to explain anything on cross-examination.

5. Listen to the answers. Do not mechanically ask one question after another without listening to the witness’ answers. The answers may contain the favorable testimony that you are seeking to obtain in the cross-examination. When this happens, you have accomplished your task and you should consider ending your cross-examination. On the other hand, if you do not listen to the answers you may not hear damaging testimony that should be addressed.

6. Do not allow the witness to repeat (and therefore reinforce in the mind of the judge) the testimony given on direct examination. There is no reason to ask a question that allows the witness to repeat his testimony. The odds are very small that the witness will testify differently on cross examination. You know the testimony given on direct examination, the witness knows the testimony, the judge knows the testimony. So just dive into your cross-examination.

7. Keep your questions “short and sweet” and in plain English. Your goal is to obtain one fact with each question. Ideally, each question should be posed as a declaratory statement of a single fact calling for affirmation by the witness. This will make the cross-examination much more manageable for you, prevent objections from your adversary (for example,that you are asking compound questions), and allow the judge to more easily follow and understand your cross-examination.

8. Ask the important questions at the beginning and end of your cross-examination. People, including jurors, remember best what they hear first and last. Conclude your cross-examination on a high note—your strongest point.

9. Your cross-examination should be brief. Remember, you are trying to “score points” to be used in your closing argument. In a lengthy cross-examination, your strongest points will be lost and the less significant points will be forgotten by the judge.

10. Control the witness’ answers. The best way to control the witness’ answers is to ask simple and clear questions. By doing so, you will not give the witness an opportunity to provide harmful testimony. If your question calls for a “yes” or “no” answer and the witness provides additional testimony that is harmful to your case, you should ask the court to strike the testimony as being non-responsive to your question. Although you cannot “unring a bell,” the judge eventually will understand that the witness’ conduct is improper. If the witness answers a question other than the one you asked, ask it again, and yet again if necessary.

11. Do not ask one question too many. Remember the purpose of cross-examination: you are trying to obtain favorable testimony so it can be used in your closing argument. You need not ask the ultimate question that will drive your point home.

Wednesday, December 21, 2016

STAGES OF CYBER CRIME TRIAL in COURT



1. Registration of the FIR under the IT Act, 2000 or the IPC.
2. Commencement of investigation and collection of evidence, including electronic/digital evidence, by the investigating agency. During this time, at any stage decided by the investigating agency, accused persons can be arrested.
3. Production of the accused before a Magistrate (within 24 hours), who may either
remand the accused to police custody for further investigation, or
remand the accused to judicial custody.
Note: Remand does not mean that the police can misbehave or beat the person. Remand means interrogation by the police.
4. Bail hearing before the appropriate court. The arguments of the defence are opposed by the public prosecutor.
5. After the investigation is completed:
If the investigating agency feels a prima facie case is made out, a chargesheet is filed in Court through the public prosecutor.
If the police feel that no prima facie case is made out, a final report is filed in Court. This could be a C-Final report, which effectively closes the case without trial.
6. A decision is taken by the Court after hearing the public prosecutor and the counsel for the defence:
On the chargesheet:
The Court can reject the chargesheet, in which case the accused is discharged.
The Court can accept that a prima facie case is made out, frame the charges, and post the case for trial. The case goes to the next stage (7).
On the final report:
The Court can accept the final report; the case is closed and the accused is discharged.
The Court can reject the final report and either
direct the police to further investigate the case (the case goes back to stage 2), or
direct the case to be posted for trial (the case goes to the next stage (7)).
7. Framing of Charge by Court
Accused pleads guilty to the Charge. Depending on the seriousness of the crime,
the Court may either convict on the basis of plea or post the case for trial.
Accused pleads not guilty. Case is posted for trial.
8. Trial commences – examination of witnesses and other evidence
Examination of prosecution witnesses by public prosecutor, marking of exhibits,
and cross-examination by defence counsel.
9. Statement of Accused under section 313, CrPC.
10. Defence Evidence: if defence wants to, it examines defence witnesses, who are
cross examined by the public prosecutor, and exhibits defence evidence.
11. Final Arguments – Public Prosecutor (Government Lawyer) and the defence counsel present their
arguments.
12. Judgment and sentence by the Court:
Acquittal of accused, or
Conviction, in which case
• Arguments of public prosecutor and defence counsel on sentence.
• Judgment of Court passing sentence.
13. Appeal (within specified period of limitation) - Can be filed by party aggrieved by judgment on acquittal/ conviction/ reduction of sentence.
14. On notice being issued to the opposite party, the defence counsel and the public prosecutor place their arguments before the appellate court.
15. Judgment of Appeal in higher Court.

Tuesday, December 6, 2016

How Cyber Parents should Behave with their Real Children?



Why children today are so bored , cannot concentrate on studies, cannot wait, get easily frustrated and have no REAL friends

Children are getting worse in many aspects.
We have seen and continue to see a decline in children’s social, emotional and academic functioning, as well as a sharp increase in learning disabilities, depression and aggression.

Today’s children come to school emotionally unavailable for learning and many factors in our modern lifestyle contribute to this.

1. *Technology*

“Free babysitting service" 
Compared to virtual reality, everyday life is boring. When kids come to the classroom, they are exposed to human voices and inadequate visual stimulation as opposed to being bombarded with graphic explosions and special effects that they are used to seeing on the screens. After hours of virtual reality, they are  unable to process lower levels of stimulation. Technology also hinders parents' emotional availability.

Limit the use of technology. 
Have fun times together. Go for a picnic, trekking, a walk in the garden....

2.  *Instant Gratification*.

Kids get everything they want the moment they want.

“I am Hungry!!” 
Here is the ready snack (packets of junk)
“I am Thirsty!” 
Here is the drink (bottle of soft drink). “I am bored!” 
Use my phone. Watch TV.
The ability to delay gratification is one of the key factors for future success. We have all the best  intentions in mind to make our children happy, but unfortunately, we make them happy at that moment but miserable in the long term.  
To be able to delay gratification means to be able to function under stress. 
Our children are gradually becoming less equipped to deal with even minor stressors and "frustrations " which eventually become huge obstacles to their success in life.

Teach the kids to delay gratification. Do not give in to demands INSTANTLY unless it is urgent

3. *Kids' rule*

“My son doesn’t like vegetables”
“He doesn’t like going to bed early” “He doesn’t like to eat breakfast”
“He doesn’t like toys, but he is very good with his iPad” .....
Children dictate to parents.
If we leave it to them, all they are going to do is eat pasta, noodles, pizza and chips,  watch TV, play on their tablets/smartphones and never go to bed. 
We are giving them what they WANT even when we know that it is not GOOD for them.
Without proper nutrition and a good night’s sleep, our kids go to school irritable, anxious, and inattentive.  
In order to achieve our goals,  we have to do what NEEDS to be done.
If a child wants to be an 'A' student, he *needs* to study hard. 
If he wants to be a successful soccer player, he needs to practice every day. Our children know very well what they WANT but not what is NEEDED to achieve that goal. This results in unattainable goals that leave the kids disappointed.

Teach the difference between WANT & NEED

4. *ONLY Fun*

We have  created a fun world for our children. 
Endless Activities!! There are no dull moments. The moment it becomes quiet, we run to entertain them again because otherwise we feel that we are not doing our parenting duty.
Why aren’t children helping us in the kitchen or with laundry? Why don’t they tidy up their cupboards? This is basic monotonous work that trains the brain to work and function under “boredom”.

Teach them to do "boring" chores like folding the laundry, setting the table, tidying up after meals, packing and unpacking their own bags....

Let them have unstructured time. 

Set limits. 
Make schedules for meals, sleep, study,  outdoor play, technology usage.....

5. *Limited social interaction*

Kids used to play outside, where in the  unstructured, natural environment, they learned and practiced their social skills.  
Competition (tuition/coaching), structured activities (painting, music, karate, zumba, etc.) and technology have replaced the outdoor time.
Successful people have great social skills. 
Social skills have to be learned and practiced just like other skills.
Teach them social skills, (manners, cooperation, team work, ...)

We are *responsible* for creating the next generation of healthy, happy and successful people.

Tuesday, November 29, 2016

Sextortion and Laws in India


What is SEXTORTION?

A form of sexual exploitation that employs non-physical forms of coercion by threatening to release sexual images or information to extort monetary or sexual favors from the victim.
Modus Operandi
1) The scammers persuade the dater to send sexually explicit photos. Once they get the photos, the scammers identify themselves as law enforcement, telling the dater they sent the pictures to a minor.
They then tell the person to pay up in order to avoid arrest.
The scammers are not only identifying themselves as law enforcement, they are also using actual names of officers.
“These people are being contacted by Detective Don Peterson and it isn’t me,” Peterson told the paper.
More than 100 people have paid between $500 to $1,500 to try to avoid arrest.
2) The groups create online accounts of females and post pictures of attractive ladies to draw clients. They then post pornographic images and entice their victims into video chats with them, usually with lewd content and conversation.
Once they obtain the incriminating videos, the groups would threaten to send the video chats to the victim's friends or relatives unless they send money.
The victims are allegedly forced to send $500 to $2,000 – or P20,000 to P90,000 – through Western Union in exchange for the removal of the online video chat.


How to prevent sextortion?
Talk about sextortion
Sextortion thrives on silence; spread knowledge. Talk to two people and ask them to spread the word to two more. Keep the chain going.
Spread the word
Without a name – SEXTORTION – it is difficult to lift an abuse out of the realm of bad things we know happen and passively accept as the way of the world, and into the realm of things we will no longer tolerate and actively seek to change.
Learn more about sextortion
Once you become aware of sextortion, you see how pervasive it is. Gather and share information about sextortion.


Laws in INDIA:
1) Section 66E of Information Technology Act,2000
Violation of Privacy - Whoever, intentionally or knowingly captures, publishes or transmits the image of a private area of any person without his or her consent, under circumstances violating the privacy of that person
2) Section 67 of Information Technology Act
Punishment for publishing or transmitting obscene material in electronic form
3) Section 67A of Information Technology Act
Punishment for publishing or transmitting of material containing sexually explicit act, etc. in electronic form
4) Section 67B of Information Technology Act
Punishment for Child Pornography in electronic form
5) Section 387 of the Indian Penal Code, 1860 (extortion) is also applicable

6) Section 506 of The IPC,1860 2nd Para is applicable if the extortionist is imputing the chastity of the girl. 

India case law for sextortion [ Bail Stayed]

The Supreme Court on 01/02/2016 stayed the anticipatory bail given to sextortion case accused M. Satyanandam, suspended APSPDCL, Divisional Engineer. Satyanandam, who was working as DE in electricity department was booked for active involvement in the gang that sexually exploited women and resorted to extortion. 

He was fourth accused in the case registered at Machavaram on December 11, 2015 following a complaint given by a woman to the commissioner of police.  


An INTERPOL-coordinated operation targeting organized crime networks behind ‘sextortion’ cases around the world has resulted in the arrest of 58 individuals, including three men linked to the group which harassed Scottish teenager Daniel Perry.
Perry, a 17-year-old victim of an online blackmail attempt, died after jumping off the Forth Road Bridge near Edinburgh in July last year.

In the first operation of its kind, information shared between the INTERPOL Digital Crime Centre (IDCC), Hong Kong Police Force, Singapore Police Force and the Philippines National Police (PNP) Anti-Cybercrime Group led to the identification of between 190 and 195 individuals working for organized crime groups operating out of the Philippines.


Wednesday, November 23, 2016

Maharashtra Cyber Project first batch training


I am involved in coaching the Police officers from all Districts in the State of Maharashtra under the Maharashtra Cyber Project. I have trained them in Cyber crimes with applicable Cyber Laws and intricacies of Electronic Evidence. These police officers would be placed at 30 different cyber crime cells at each district level in the state of Maharashtra. This is my contribution to make Maharashtra Cyber Safe, and get more convictions in cyber crime matters.
#cybercrime #evidence #law #courts #cyberlaw #cybersecurity
#cybersafe #maharashtra #prashantmali

Wednesday, November 2, 2016

IoT Malware and its Types 2017

IoT Malware Types Revealed 

The Internet of Things (IoT) is creating a new environment where malware can be used to create powerful botnets. Recently, IoT devices have been used to create large-scale botnets—networks of devices infected with self-propagating malware—that can execute crippling distributed denial-of-service (DDoS) attacks. IoT devices are particularly susceptible to malware, so protecting these devices and connected hardware is critical to protect systems and networks.

Linux.Darlloz
Linux.Darlloz was discovered in late 2013. The worm exploited an old PHP vulnerability (CVE-2012-1823) to gain access to a system, escalated privileges by trying lists of default and common credentials, propagated through the network, and established a backdoor on the system. While the original malware only infected computers running the Intel x86 architecture, other versions were designed to target the ARM, PPC, MIPS and MIPSEL architectures commonly used in IoT devices. The worm also scanned systems for Linux.Aidra, attempted to remove any files related to that threat, and blocked the ports Aidra uses for communication [1].

Aidra
Aidra was discovered after the publication of the 2013 research paper that described the results of the 2012 Internet Census. The malware was designed to search for open telnet ports that could be accessed using known default credentials [2]. According to its author, Federico Fazzi, the malware was introduced in early 2012 as an IRC-based mass scanning and exploitation tool. The code can be compiled for MIPS, MIPSEL, ARM, PPC, x86/x86-64 and SuperH. Aidra is designed to target IoT devices that run embedded forms of Linux with active Telnet connectivity and default or no password. Some variants of Aidra can retrieve router passwords through the /cgi-bin/firmwarecfg bug found on some outdated D-Link and Netgear devices.
The malware attempts to connect to a telnet port using default credentials and, if it succeeds, downloads and executes a script called getbinaries.sh, which removes other malware binaries and prevents the device from being compromised by competing malware. Some variants attempt to change the device credentials. Malware binaries are downloaded to /var/run, /var/tmp and /var/etc. On most embedded devices these directories live in RAM, so the infection can be removed by rebooting the device (a device that keeps those paths on flash would have to be cleaned by hand). The infected device then connects to an IRC server, joins a channel, reads the topic, and follows the instructions in it. Aidra is capable of scanning, flooding, and spoofing targets randomly or recursively. Further, its code can easily be tailored to a threat actor’s needs [3].
Qbot/ Qakbot
Qbot is a network-aware worm capable of harvesting credentials and creating backdoors [4]. The Qbot malware, first discovered around 2009, continues to be adapted and employed by script kiddies and cybercriminals [5]. Qbot leverages the Rig exploit kit against vulnerable websites to gain write access on the backend and to inject malicious JavaScript into the site. To avoid suspicion, the malicious JavaScript may be appended to the beginning or end of a legitimate JavaScript file. The Rig exploit kit is a two-tier model consisting of a gate and a landing page. Although a new set of domains is used for each IP address, the dense population of each IP address with many subdomains gives researchers a degree of visibility into the botnet structure that the operators would rather not have. The majority of the gate and landing page domains are registered through GoDaddy accounts, many of which are believed to be compromised accounts. The Rig gate URL returns a variable named main_color_handle, which contains a large string of characters that encodes the Rig landing page. The script strips every character that is not a hex digit (0-9 and a-f) from that string, translates the remaining hex to ASCII, and embeds the resulting iframe, which loads the landing page carrying the exploit, into the current page. Random variable names, dynamically generated from the Rig gate URL contained in the kit, are used in the malicious script to obfuscate its functionality.
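The decoding step just described, written out as an added example (this is not Rig's own script and not code from the original post): the gate value is reduced to its hex digits, hex-decoded, and the iframe source pulled out of the result. The sample gate value below is constructed by hand from the hex of a short HTML fragment with non-hex junk characters interleaved; the landing-page host in it is a placeholder, not a real one.

```python
import re

# Constructed sample in the style the paragraph describes: the hex encoding of
# a small HTML fragment with non-hex junk characters interleaved.  It is NOT a
# real Rig gate string; the host x.example is a placeholder.
SAMPLE_GATE_VALUE = (
    "3cZ69_66g72-61z6dQ65.20!73r72q63y3dX2fW2fU78S2eR65P78N61M6dL70K6cJ65H2fG31Y3e"
)

HEX_DIGITS = set("0123456789abcdefABCDEF")


def decode_gate_value(value):
    """Drop every character that is not a hex digit, then hex-decode to text.

    This is the decoding step as the paragraph above describes it (our reading
    of that description, not Rig's code).  A value that does not reduce to an
    even number of hex digits is rejected instead of being silently truncated.
    """
    cleaned = "".join(ch for ch in value if ch in HEX_DIGITS)
    if len(cleaned) % 2:
        raise ValueError("odd number of hex digits after cleaning: %d" % len(cleaned))
    return bytes.fromhex(cleaned).decode("latin-1")


# Matches the src attribute of an <iframe>, quoted or not.
IFRAME_SRC_RE = re.compile(
    r"<iframe\b[^>]*?\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.IGNORECASE
)


def iframe_sources(html):
    """Return the src of every <iframe> in a decoded fragment."""
    return IFRAME_SRC_RE.findall(html)


def landing_pages(gate_value):
    """Decode a gate value and return the landing-page URLs it would load."""
    return iframe_sources(decode_gate_value(gate_value))


if __name__ == "__main__":
    print(decode_gate_value(SAMPLE_GATE_VALUE))
    print(landing_pages(SAMPLE_GATE_VALUE))
```

The same two functions work on a real captured gate response once the value of the returned variable has been cut out of the JavaScript; the point of extracting the iframe source rather than just printing the decoded HTML is that the landing-page URL is the indicator worth blocking and searching proxy logs for.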
Users’ Windows sessions are injected with the malware via a watering-hole attack or a drive-by download; alternately, modified Qbot derivatives deliver the malware through malicious emails. Once installed on the system, the malware runs a network speed test and it sends an initial beacon, containing a list of installed software, user privileges, and the infected network external IP address, to the FTP server. The malware injects itself into a running explorer.exe process and it infects processes as they start up. The bot injects a DLL into processes that will extract its strings, configuration, APIs, and critical strings block into heap-allocated buffers, when run. Qbot contains its configuration parameters, such as FTP credentials, C2 settings, and timestamps, in an internal table. The malware places system-wide inline hooks to intercept or modify network traffic, to modify or redirect browser queries, to infect new processes, and to hide its presence. Qbot uses a domain generation algorithm for all C2 communications [31].
Upon installation, modern variants contact the C2 infrastructure to receive instructions, to update, and to mutate the appearance of the malware by self-recompiling or self-re-encrypting the malware as a server-based polymorphism, an obfuscation mechanism meant to confound anti-malware application and research efforts. The server-based polymorphism enables Qbot to avoid most anti-virus products because the malware updates itself to a new version every few days, and re-encrypts itself to remain undetectable for long periods of time. The malware can detect whether it is running in a Virtual Machine sandbox and it can alter its behavior to avoid detection [32].
Once Qbot has infected a system, it begins harvesting credentials contained in Windows Credential Store (Outlook, Windows Live Messenger, Remote Desktop, Gmail Messenger) and password stored by the Internet Explorer credential manager. Further credentials are sniffed from network traffic. The attackers can use the stolen credentials and system information to access FTP servers or to infect vulnerable websites to further spread the malware [32]. Qbot attempts to spread to open shares across the network through brute force password attempts or through attempts to access the Windows Credential Store. Qbot is also capable of intercepting browser information, such as banking information, and writing the data into named pipes and then sending it to a remote server [31].
Over a two-week investigation, BAE Systems discovered 54,517 machines infected in a Qbot botnet. Most of these systems (85%) were located in the United States. The explosive popularity of Mirai and the subsequent oversaturation of the IoT threat landscape has led to a decline in Qbot botnets.

BASHLITE/ Lizkebab/ Torlus/ gafgyt
BASHLITE botnets are responsible for enslaving over 1 million devices. One security firm estimates that of the compromised devices, 95 percent were IP cameras or DVR units, 4 percent were home routers, and less than 1 percent were Linux servers. DVRs are high-value bots because the devices are configured with open Telnet and other web interfaces, often rely on default credentials, and can push the high bandwidth required to stream video. The majority of the infected devices were located in Taiwan, Brazil and Colombia. Because the botnets are compartmentalized, their size is often difficult for security researchers to estimate. Conversely, the C2 IPs associated with campaigns are often hardcoded into the malware and are easier to monitor [33].
The BASHLITE source code was leaked in early 2015 and has since been adapted into over a dozen variants. The malware conducts two kinds of scan to discover vulnerable devices to infect. The first attack vector uses the bots themselves to port-scan IP ranges for Telnet servers and then instructs them to brute-force credentials in order to access and infect the device. The second attack vector employs external scanners to detect vulnerable devices and then infects those devices by brute-forcing credentials, by exploiting known security vulnerabilities, or by leveraging another attack vector [8]. Once the attacker has compromised a device, the malware tools execute the “busybox wget” and “wget” commands to retrieve the DDoS payloads. The malware does not identify the architecture of the compromised device; instead, it tries to run binaries compiled for different architectures, one after another, until one executes. Most BASHLITE attacks are simple UDP and TCP floods, though the malware does support a rarely used feature to spoof source addresses, and some variants support HTTP attacks [6]. BASHLITE is a predecessor of Mirai, and the two botnets are now in direct competition for a diminishing pool of vulnerable IoT devices [7].

Mirai
Mirai (Japanese for "the future") takes its name from the discovered binaries, which carried the name “mirai.()”; it was first identified in August 2016. It arrives as an ELF Linux executable and focuses mainly on DVRs, routers, IP cameras, Linux servers, and other devices that run BusyBox, a toolset common on embedded IoT devices.
Mirai logs in to the Telnet or SSH service with the device's default password to gain shell access. Once it has that access, it installs its malware on the system. The malware creates delayed processes and then deletes the files that might alert antivirus software to its presence. Because of this, it is difficult to identify an infected system without doing a memory analysis.
Mirai opens ports and creates a connection to the bot masters, then starts looking for other devices it can infect. After that, it waits for further instructions. Since it shows no activity while it waits and leaves no files on the system, it is difficult to detect.
The low detection ratio is also explained by Mirai deleting all of its files once it has successfully set up the backdoor port on the system. All that is left is the delayed process in which the malware is running after being executed.
Mirai is a piece of malware that infects IoT devices and is used as a launch platform for DDoS attacks. Mirai’s C&C (command and control) code is coded in Go, while its bots are coded in C.
Like most malware in this category, Mirai is built for two core purposes:
  • Locate and compromise IoT devices to further grow the botnet.
  • Launch DDoS attacks based on instructions received from a remote C&C.
To fulfill its recruitment function, Mirai performs wide-ranging scans of IP addresses. The purpose of these scans is to locate under-secured IoT devices that could be remotely accessed via easily guessable login credentials, usually factory-default usernames and passwords (e.g., admin/admin).
Mirai guesses passwords with a dictionary attack: a brute-force technique that tries a fixed list of known factory-default username/password pairs against every Telnet login it finds.
On September 30, 2016, a Hack Forums user posting under the moniker “Anna-senpai” released the Mirai source code, in a claimed attempt to “retire” after having made enough money and because the botnet base was shrinking as ISPs intervened.

Investigation of the attack uncovered 49,657 unique IPs hosting Mirai-infected devices. These were mostly CCTV cameras, a common target of DDoS botnet herders. Other victimized devices included DVRs and routers.
Overall, IP addresses of Mirai-infected devices were spotted in 164 countries, appearing even in such remote locations as Montenegro, Tajikistan and Somalia.

How to Prevent Infection

To prevent infection:
  • Disable the Telnet service, and block TCP port 48101 if nothing on your network legitimately uses it
  • Restrict BusyBox execution to a specific user
  • Scan your own network for devices with open Telnet ports
Mitigation
In order to remove the Mirai malware from an infected IoT device, users and administrators should take the following actions:
  • Disconnect device from the network.
  • While disconnected from the network and Internet, perform a reboot. Because Mirai malware exists in dynamic memory, rebooting the device clears the malware.
  • Ensure that the password for accessing the device has been changed from the default password to a strong password. 
  • You should reconnect to the network only after rebooting and changing the password. If you reconnect before changing the password, the device could be quickly reinfected with the Mirai malware.
Preventive Steps
In order to prevent a malware infection on an IoT device, users and administrators should take following precautions:
  • Ensure all default passwords are changed to strong passwords. Default usernames and passwords for most devices can easily be found on the Internet, making devices with default passwords extremely vulnerable.
  • Update IoT devices with security patches as soon as patches become available.
  • Disable Universal Plug and Play (UPnP) on routers unless absolutely necessary.
  • Purchase IoT devices from companies with a reputation for providing secure devices.
  • Consumers should be aware of the capabilities of the devices and appliances installed in their homes and businesses. If a device comes with a default password or an open Wi-Fi connection, consumers should change the password and only allow it to operate on a home network with a secured Wi-Fi router.
  • Understand the capabilities of any medical devices intended for at-home use. If the device transmits data or can be operated remotely, it has the potential to be infected.
  • Monitor TCP ports 2323 and 23 for attempts to gain unauthorized control over IoT devices using the Telnet protocol.
  • Look for suspicious traffic on port 48101. Infected devices often attempt to spread malware by using port 48101 to send results to the threat actor.
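The last two preventive steps can be turned into a small check over firewall logs. The script below is an added example (not from the original post or from any vendor tool): it parses lines in the style of iptables LOG output, flags any internal host that opens Telnet (23/2323) connections to several distinct targets, which is what a Mirai scanner looks like from the gateway, and separately lists every TCP connection to port 48101. The log lines are constructed for the example; the threshold of three distinct Telnet targets is an assumption and should be tuned so that an administrator's occasional Telnet login is not reported.

```python
import re
from collections import defaultdict

# Constructed sample in the style of iptables LOG output (not from a real
# device).  10.0.0.7 probes Telnet on four outside hosts and then reports to
# 198.51.100.5 on 48101; 10.0.0.12 is an administrator logging in once.
SAMPLE_LOG = """\
Oct 14 10:00:01 gw kernel: FW: IN=br0 OUT=eth0 SRC=10.0.0.7 DST=203.0.113.10 PROTO=TCP SPT=41234 DPT=23 SYN
Oct 14 10:00:01 gw kernel: FW: IN=br0 OUT=eth0 SRC=10.0.0.7 DST=203.0.113.11 PROTO=TCP SPT=41235 DPT=2323 SYN
Oct 14 10:00:02 gw kernel: FW: IN=br0 OUT=eth0 SRC=10.0.0.7 DST=203.0.113.12 PROTO=TCP SPT=41236 DPT=23 SYN
Oct 14 10:00:02 gw kernel: FW: IN=br0 OUT=eth0 SRC=10.0.0.7 DST=203.0.113.13 PROTO=TCP SPT=41237 DPT=23 SYN
Oct 14 10:00:03 gw kernel: FW: IN=br0 OUT=eth0 SRC=10.0.0.7 DST=198.51.100.5 PROTO=TCP SPT=41238 DPT=48101 SYN
Oct 14 10:00:05 gw kernel: FW: IN=br0 OUT=br0 SRC=10.0.0.12 DST=10.0.0.1 PROTO=TCP SPT=50000 DPT=23 SYN
Oct 14 10:00:06 gw kernel: FW: IN=br0 OUT=eth0 SRC=10.0.0.12 DST=8.8.8.8 PROTO=UDP SPT=50001 DPT=53
"""

# Fields we need from each line; everything else in the line is ignored.
LINE_RE = re.compile(
    r"SRC=(?P<src>[\d.]+)\s+DST=(?P<dst>[\d.]+).*?PROTO=(?P<proto>\w+).*?DPT=(?P<dpt>\d+)"
)

TELNET_PORTS = {23, 2323}
MIRAI_REPORT_PORT = 48101


def parse_log(text):
    """Return one dict per parseable line: src, dst, proto, dpt (int)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append({"src": m["src"], "dst": m["dst"],
                           "proto": m["proto"], "dpt": int(m["dpt"])})
    return events


def find_telnet_scanners(events, min_targets=3):
    """Map each source that opened Telnet to >= min_targets distinct hosts
    onto the sorted list of those hosts.  The threshold is an assumption."""
    targets = defaultdict(set)
    for e in events:
        if e["proto"] == "TCP" and e["dpt"] in TELNET_PORTS:
            targets[e["src"]].add(e["dst"])
    return {src: sorted(dsts) for src, dsts in targets.items()
            if len(dsts) >= min_targets}


def find_report_connections(events):
    """Every (src, dst) pair with a TCP connection to port 48101."""
    return sorted({(e["src"], e["dst"]) for e in events
                   if e["proto"] == "TCP" and e["dpt"] == MIRAI_REPORT_PORT})


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for src, dsts in find_telnet_scanners(evts).items():
        print("possible Telnet scanner %s -> %d targets" % (src, len(dsts)))
    for src, dst in find_report_connections(evts):
        print("port 48101 connection %s -> %s" % (src, dst))
```

A host that shows up in both lists is the strongest signal; a host that only appears as a Telnet scanner still deserves the reboot-and-change-password procedure above, since the 48101 report traffic is easy to miss if the gateway only logs new connections in one direction.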
References:
[1] "The Internet of Things: New Threats Emerge in a Connected World," Symantec, 2014. [Online]. Available: https://www.symantec.com/connect/blogs/internet-things-new-threats-emerge-connected-world-0. Accessed: Oct. 25, 2016.
[2] M. Mimoso, C. Brook, and T. Spring, "New IoT Botnet Malware Borrows from Mirai," Threatpost, 2016. [Online]. Available: https://threatpost.com/new-iot-botnet-malware-borrows-from-mirai/121705/. Accessed: Nov. 1, 2016.
[3] "Lightaidra 0x2012," House of Vierko, 2012. [Online]. Available: http://vierko.org/tech/lightaidra-0x2012/. Accessed: Nov. 10, 2016.
[4] "The Return of Qbot," BAE Systems, 2016. [Online]. Available: https://resources.baesystems.com/pages/view.php?ref=39115&k=46713a20f9. Accessed: Oct. 26, 2016.
[5] G. Cluley, "Mutating Qbot Worm Infects over 54,000 PCs at Organizations Worldwide," Tripwire, 2016. [Online]. Available: https://www.tripwire.com/state-of-security/featured/qbot-malware/. Accessed: Oct. 26, 2016.
[6] T. Spring, K. Carpenter, and M. Mimoso, "BASHLITE Family of Malware Infects 1 Million IoT Devices," Threatpost, 2016. [Online]. Available: https://threatpost.com/bashlite-family-of-malware-infects-1-million-iot-devices/120230/. Accessed: Oct. 25, 2016.
[7] B. Krebs, "Source Code for IoT Botnet ‘Mirai’ Released," KrebsOnSecurity, 2016. [Online]. Available: https://krebsonsecurity.com/2016/10/source-code-for-iot-botnet-mirai-released/. Accessed: Oct. 23, 2016.
[8] B. Krebs, "KrebsOnSecurity Hit With Record DDoS," KrebsOnSecurity, 2016. [Online]. Available: https://krebsonsecurity.com/2016/09/krebsonsecurity-hit-with-record-ddos/. Accessed: Oct. 23, 2016.
Compiled Version by Author

Thursday, October 27, 2016

Cyber Frauds and Laws in India

Stop Cyber Frauds.. Share & help.

Fraud Internet Websites and Phishing knowledge


1. Before checking the name of any website, first look for the domain extension, i.e. .com, .org, .co.in, .net, .in etc.

The name immediately before the extension, together with the extension, is the *DOMAIN NAME* of the website. Everything to the left of it is a subdomain, which the owner of the domain can name however they like.

Eg: www.domainname.com


E.g., in http://amazon.diwali-festivals.com, the word before .com is *"diwali-festivals"* (and NOT "amazon"). 

*AMAZON* word is seperated with ( . ) dot So, this webpage *does _not_ belong to amazon.com*, but it belongs to *"diwali-festivals.com"*, which most of us haven't heard of before.


You can check fraudulent (so-called) banking websites the same way.

Before your e-banking login, make sure that the name just before ".com" (or before your bank's real extension, such as ".co.in") is the name of your bank.

Eg:

"something.icicibank.com" belongs to *ICICI*,

but "icicibank.something.com" belongs to something.com and not to ICICI Bank.

"icicibank.com.nu" belongs to whoever registered "com.nu" under the .nu country extension, not to ICICI: here ".nu" is the extension and "com" is just the label in front of it.


2. A domain can also contain a deliberate typo meant to confuse the user into visiting a phishing site (typosquatting). Eg: www.facebookk.com or faceb00k dot com (with zeros in place of the letter o) are not related to facebook.com.


3. Nowadays you may also have seen spam messages forwarded by users claiming that you can get a free mobile phone, a phone for Rs.250/-, free talktime etc.


Before forwarding such messages, always check the domain name and the website. Entering your data and performing the tasks the website asks for may leave your smartphone infected with malware: such websites carry scripts that run as soon as the page is opened. So beware and don't fall into such a trap. There is nothing *FREE* in this world.


4. Also check carefully before downloading an APK or Android app for your smartphone. http://googleplay.com/store/apps/com.ife.google

does not belong to *Google*: its registered domain is googleplay.com, a separate domain, and nothing in that name proves that Google owns it.

But http://play.google.com/store/apps/com.ife.google belongs to *Google*, because its registered domain is google.com and "play" is just a subdomain of it.
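As an added example, not part of the original post, here is a Python checker that applies points 1 to 4 above mechanically: it extracts the host from a URL, finds the registered domain in front of the extension, and classifies the URL against the brand it claims to be. The suffix set is a small constructed subset of the Public Suffix List (a real checker must load the full list from publicsuffix.org), and the `DIGIT_LOOKALIKES` table and the three-way classification are our own design choices, not anything the post prescribes. It also handles one trick the post does not mention: a URL such as http://amazon.com@diwali-festivals.com/, where the part before "@" is a user name and the real host is what follows it.

```python
from urllib.parse import urlsplit

# Constructed subset of the Public Suffix List (https://publicsuffix.org/)
# for this example only; a production checker must load the full list.
PUBLIC_SUFFIXES = {"com", "net", "org", "in", "co.in", "nu", "uk", "co.uk"}

# Digits that attackers commonly substitute for look-alike letters (our choice).
DIGIT_LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def hostname_of(url):
    """Extract the host from a URL (scheme optional). urlsplit drops any
    'user@' prefix, so 'amazon.com@evil.com' yields 'evil.com'."""
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname
    return host.lower().rstrip(".") if host else None


def registrable_domain(url):
    """Return the registered domain (the label before the public suffix,
    plus the suffix), or None if the host is only a suffix or unknown."""
    host = hostname_of(url)
    if not host:
        return None
    labels = host.split(".")
    # Try the longest candidate suffix first so that 'co.in' wins over 'in'.
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:]) if i > 0 else None
    return None


def levenshtein(a, b):
    """Edit distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url, brand_domain):
    """'genuine' if the registered domain is the brand's own,
    'lookalike' if the brand name is abused in the host or typosquatted,
    'unresolvable' if no registered domain can be derived, else 'unrelated'."""
    host = hostname_of(url)
    reg = registrable_domain(url)
    if reg is None:
        return "unresolvable"
    if reg == brand_domain:
        return "genuine"
    brand_label = brand_domain.split(".")[0]
    reg_label = reg.split(".")[0]
    if (brand_label in host
            or reg_label.translate(DIGIT_LOOKALIKES) == brand_label
            or levenshtein(reg_label, brand_label) <= 1):
        return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    # Constructed URLs, including the ones discussed in the post above.
    checks = [
        ("http://amazon.diwali-festivals.com", "amazon.com"),
        ("something.icicibank.com", "icicibank.com"),
        ("icicibank.something.com", "icicibank.com"),
        ("icicibank.com.nu", "icicibank.com"),
        ("www.facebookk.com", "facebook.com"),
        ("faceb00k.com", "facebook.com"),
        ("http://googleplay.com/store/apps/com.ife.google", "google.com"),
        ("http://play.google.com/store/apps/com.ife.google", "google.com"),
        ("http://amazon.com@diwali-festivals.com/", "amazon.com"),
    ]
    for url, brand in checks:
        print(f"{url:50} registered={registrable_domain(url)!s:22} {classify(url, brand)}")
```

The important design point is that the decision is made on the registered domain, never on whether a familiar name appears somewhere in the URL: "amazon" in a subdomain, in a path, or in front of an "@" carries no weight. The brand-in-host and edit-distance checks only add a "lookalike" warning on top of that.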


Please share this information widely and help your family and friends avoid falling for such tricks.

#cybersecurity #cybercrime #banking #fraud #cyberfraud #phishing #socialmedia #ecommerce

Friday, October 14, 2016

New age Cyber Crimes : 2016



New trends in cybercrime are emerging all the time, with estimated costs to the global economy running to billions of dollars.
In the past, cybercrime was committed mainly by individuals or small groups. Today, we are seeing highly complex cybercriminal networks bring together individuals from across the globe in real time to commit crimes on an unprecedented scale.
Criminal organizations are turning increasingly to the Internet to facilitate their activities and maximize their profit in the shortest time. The crimes themselves are not necessarily new (theft, fraud, illegal gambling, the sale of fake medicines), but they are evolving in line with the opportunities presented online and are therefore becoming more widespread and damaging.

Identity theft
Identity theft and fraud is one of the most common types of cybercrime. Identity theft is when a person purports to be someone else with a view to committing fraud for financial gain; done over the Internet, it is called online identity theft. The most common source of stolen identity information is data breaches, whether of government websites or of private websites that hold important information such as credit card details, addresses and email IDs.
Ransomware
Ransomware gets into your computer or network and encrypts your files. Modern families use hybrid encryption: the files are encrypted with a symmetric key generated on the victim's machine, and that key is in turn encrypted with the criminals' public key, so the private key needed to recover it never leaves the criminals' server. Attacked users are then asked to pay a large ransom, usually in Bitcoin, to receive that private key.
DDoS attacks
DDoS attacks make an online service unavailable by bombarding it with traffic from many locations and sources at once. The traffic comes from large networks of infected computers, called botnets, built by planting malware on victim machines. A DDoS attack is sometimes used as a distraction, drawing the defenders' attention while the attacker breaks into a system elsewhere; extortion and blackmail are other common motivations.
Botnets
Botnets are networks of compromised computers controlled by remote attackers in order to perform illicit tasks such as sending spam or attacking other computers. The bot software is itself malware: once installed it carries out the attacker's commands, including scanning for and compromising further computers to add to the network.
Up to now, most botnets have been assembled by constantly roaming the Internet probing for PCs that are unprotected. When a vulnerable machine is discovered, it is infected with malware that lies there undetected, awaiting the command to start flooding the site that has been chosen for an attack. For the more sophisticated cybercriminal, though, this way of doing things is beginning to look obsolete. The PC market has peaked, so zombie machines will become rarer, and existing PCs tend to be better managed and protected from intrusion than they used to be. We are getting to the point, in other words, where PC-based botnets are so yesterday.
So where is the smart online criminal going to go next? Obligingly, the tech industry has provided him with the capability to assemble even bigger botnets with much less effort. The new magic ingredient is the IoT, the Internet of Things: small networked devices that are wide open to penetration. The attacks will come from large numbers of enslaved devices such as routers, cameras, networked TVs and the like.
Spam and Phishing
Spamming and phishing are two very common forms of cybercrime, and there is only so much you can do to control them. Spam is unwanted email and messages, usually sent in bulk by spambots. Phishing is a method where cyber criminals offer a bait so that you take it and give out the information they want. The bait can be a business proposal, the announcement of a lottery you never entered, or anything that promises you money for nothing or for a small favour. There are online loan companies too, claiming that you can get unsecured loans irrespective of your location. Doing business on the strength of such claims, you are sure to suffer both financially and mentally.
Phishing has its variants too, notably tabnabbing, tabjacking, vishing (by voice call) and smishing (by SMS). Such spam and phishing attempts are mostly emails sent by random people you have never heard of. Stay away from any such offer, especially when it feels too good to be true, and do not enter into any agreement that promises something too good to be true. In most cases they are fake offers aimed at getting your information and, directly or indirectly, your money.
Social Engineering
Social engineering is a method where cyber criminals make direct contact with you by email or phone, mostly the latter. They try to gain your confidence and, once they succeed, they get the information they need. This information can be about you, your money, the company you work for, or anything else of interest to the cyber criminals.
It is easy to find basic information about people on the Internet. Using this as a base, the cyber criminals befriend you and, once they have what they want, disappear, leaving you exposed to financial injury both direct and indirect. They can sell the information obtained from you or use it to secure things like loans in your name; the latter is identity theft. Be very careful when dealing with strangers, both on the phone and on the Internet.
Malvertising
Malvertising is a method whereby users download malicious code simply by clicking on an advertisement on a website that carries a malicious ad. In most cases the website itself is innocent: the cyber criminals place malicious advertisements through the ad networks without the website's knowledge. It is the job of the ad companies to check whether an advertisement is malicious, but given the number of advertisements they handle, malverts easily pass as genuine ads.
In other cases, the cyber criminals show clean ads for a period of time and then replace them with malverts so that neither the website nor the ad network suspects anything. They display the malverts for a while and remove them after meeting their targets. All this happens so fast that the website does not even know it was used as a tool for cybercrime. Malvertising is one of the fastest-growing types of cybercrime.
PUPs
PUPs, or Potentially Unwanted Programs, are less harmful but more annoying than other malware. They install unwanted software on your system, including search agents and toolbars, and include spyware, adware and dialers. The Bitcoin miner was one of the most commonly noticed PUPs in 2013.
Drive-By-Downloads
Drive-by downloads are close to malvertising. You visit a website and it triggers a download of malicious code to your computer without any action on your part; the infected computers are then used to harvest data and to attack other computers.
The websites may or may not know that they have been compromised. Mostly, the cyber criminals exploit vulnerabilities in browser plugins such as Java, Adobe Flash and Microsoft Silverlight to run malicious code as soon as a browser visits the infected website. The user does not even know that a download is in progress.
Remote Administration Tools
Remote Administration Tools (RATs) are legitimate tools for managing computers over the network, but the same capabilities, once planted on a victim's machine without consent, are used to carry out illegal activities: controlling the computer through shell commands, stealing files and data, sending the computer's location to a remote controller, and more.
Exploit Kits
A vulnerability is a flaw in the code of a piece of software that enables cyber criminals to gain control of your computer. There are ready-to-use tools (exploit kits) on the Internet market which people can buy and use against you. These exploit kits are updated just like normal software; the only difference is that they are illegal. They are available mostly on hacking forums as well as on the darknet.
Scams
Notable among Internet scams are IRS scams, insurance scams, matrimonial website scams and tech support scams, including scams which misuse the Microsoft name. Scamsters phone computer users at random and offer to fix their computer for a fee. Every single day, scores of innocent people are trapped by scam artists in online tech support scams and made to shell out hundreds of dollars for non-existent computer problems.
People should note that employees involved in call centre scams are prosecutable under Sections 66C and 66D of the IT Act, 2000; sections of the IPC covering extortion and cheating are also applied, and those are non-bailable offences. At the time of writing, employees of the Mira Road IRS call centre scam have been in jail without bail for the last 15 days.


