Muhammad Salim (Ism)

8/8/2019 Muhammad Salim (Ism)

1/34

A

RESEARCH REPORT

on

CYBER CRIMESUnder the subject

INFORMATION SYSTEM MANAGEMENT

Submitted to

Submitted by

Ms. Vanisha Malik Muhammad Salim (07217003909)

Faculty, MBA Sunil Kumar Gupta (07417003909)

TIAS Praveen Kumar (05617003909)

SESSION: 2010 - 2011

TECNIA INSTITUTE OF ADVANCED STUDIES(Approved by AICTE, Ministry of HRD, Govt. of India)

Affiliated To Guru Gobind Singh Indraprastha University, DelhiINSTITUTIONAL AREA, MADHUBAN CHOWK, ROHINI, DELHI- 110085

E-Mail:[email protected], Website: www.tecniaindia.orgFax No: 27555120, Tel: 27555121-24


2/34

ACKNOWLEDGEMENTS

At the outset, we wish to express our sincere thanks to almighty for showering his

blessing on us to develop this report. We wish to thank our parents who always believed in usand have faith in us in whatever we wished to do.

We would like to acknowledge our sincere thanks to Ms. Vanisha Malik, Faculty of

Information System Management, Tecnia Institute of Advanced Studies for her excellent

guidance and supervision for the completion of this report successfully.

Last but not the least we wish to thank each one of us to do so much wonderful teamwork

with trust and faith.

Muhammad Salim

Sunil Kumar Gupta

Praveen Kumar


3/34

INDEX

SR. No. PARTICULARS PAGE No.1 Evolution of cyber crime 12 Definition 23 Cyber criminals 24 Modes of committing cyber crime 3

5Some case studies

Pune Citibank Emphasis Call Centre Fraud

State of Tamil Nadu Vs Suhas Katti

SONY.SAMBANDH.COM Case

Nasscom vs. Ajay Sood & OthersSMC Pneumatics (India) Pvt. Ltd. v. Jogesh Kwatra

Online Stock Exchange Fraud

Fake Travel Agent

Illegal Data Mining

Brute force

Shoulder Surfing: District Data Breach

9

9

11

1214

15

16

17

18

18

6 Classification of effects of cyber crimeAgainst Individuals

Against Organization

Against Society at large

20

7 Statutory provisions 258 The access and security trade-off 269 Prevention of cyber crime 299 Conclusion 30

10 References 31


4/34

EVOLUTION OF CYBER CRIME

The first recorded cyber crime took place in the year 1820 !

That is not surprising considering the fact that the abacus, which is thought to be the

earliest form of a computer, has been around since 3500 B.C. in India, Japan and China. The era

of modern computers, however, began with the analytical engine of Charles Babbage.

In 1820, Joseph-Marie Jacquard, a textile manufacturer in France, produced the loom.

This device allowed the repetition of a series of steps in the weaving of special fabrics. This

resulted in a fear amongst Jacquard's employees that their traditional employment and livelihood

were being threatened. They committed acts of sabotage to discourage Jacquard from further use

of the new technology. This is the first recorded cyber crime!

Today, computers have come a long way with neural networks and nano-computing

promising to turn every atom in a glass of water into a computer capable of performing a billion

operations per second.

In a day and age when everything from microwave ovens and refrigerators to nuclear

power plants are being run on computers, cyber crime has assumed rather sinister implications.

Cyber crime can involve criminal activities that are traditional in nature, such as theft,

fraud, forgery, defamation and mischief. The abuse of computers has also given birth to a gamutof new age crimes such as hacking, web defacement, cyber stalking, web jacking etc. A simple

yet sturdy definition of cyber crime would be unlawful acts wherein the computer is either a

tool or a target or both .

The term computer used in this definition does not only mean the conventional desktop or

laptop computer. It includes Personal Digital Assistants (PDA), cell phones, sophisticated

watches, cars and a host of gadgets.

Recent global cyber crime incidents like the targeted denial of service attacks on Estoniahave heightened fears. Intelligence agencies are preparing against coordinated cyber attacks that

could disrupt rail and air traffic controls, electricity distribution networks, stock markets,

banking and insurance systems etc. Unfortunately, it is not possible to calculate the true social

and financial impact of cyber crime. This is because most crimes go unreported.

Page | 1


5/34

CYBER CRIMECyber crime is the latest and perhaps the most complicated problem in the cyber world.

Cyber crime may be said to be those species, of which, genus is the conventional crime, and

where either the computer is an object or subject of the conduct constituting crime.

Any criminal activity that uses a computer either as an instrumentality, target or a

means for perpetuating further crimes comes within the ambit of cyber crime.

A generalized definition of cyber crime may be unlawful acts wherein the computer is

either a tool or target or both. The computer may be used as a tool in the following kinds of

activity- financial crimes, sale of illegal articles, pornography, online gambling, intellectual

property crime, e-mail spoofing, forgery, cyber defamation, cyber stalking. The computer may

however be target for unlawful acts in the following cases- unauthorized access to computer/computer system/ computer networks, theft of information contained in the electronic form, e-

mail bombing, data didling, salami attacks, logic bombs, Trojan attacks, internet time thefts, web

jacking, theft of computer system, physically damaging the computer system.

CYBER CRIMINALS

The cyber criminals constitute of various groups/ category. This division may be justified on

the basis of the object that they have in their mind. The following are the category of cyber

criminals-

1. Children and adolescents between the age group of 6 18 years

The simple reason for this type of delinquent behaviour pattern in children is seen mostly due

to the inquisitiveness to know and explore the things. Other cognate reason may be to prove

themselves to be outstanding amongst other children in their group. Further the reasons may

be psychological even. E.g. the Bal Bharati (Delhi) case was the outcome of harassment of

the delinquent by his friends.

2. Organised Hackers -

Page | 2


6/34

These kinds of hackers are mostly organised together to fulfil certain objective. The reason

may be to fulfil their political bias, fundamentalism, etc. The Pakistanis are said to be one of

the best quality hackers in the world. They mainly target the Indian government sites with the

purpose to fulfil their political objectives. Further the NASA as well as the Microsoft sites is

always under attack by the hackers.

3. Professional hackers / crackers

Their work is motivated by the color of money. These kinds of hackers are mostly employed

to hack the site of the rivals and get credible, reliable and valuable information. Further they

are van employed to crack the system of the employer basically as a measure to make it safer

by detecting the loopholes.

4. Discontented employees -

This group include those people who have been either sacked by their employer or are

dissatisfied with their employer. To avenge they normally hack the system of their employee.

MODE AND MANNER OF COMMITING CYBER CRIME

1. Unauthorized access to computer systems or networks / Hacking-

This kind of offence is normally referred as hacking in the generic sense. However the

framers of the information technology act 2000 have no where used this term so to avoid any

confusion we would not interchangeably use the word hacking for unauthorized access as

the latter has wide connotation.

2. Theft of information contained in electronic form-

This includes information stored in computer hard disks, removable storage media etc. Theft

may be either by appropriating the data physically or by tampering them through the virtual

medium.

Page | 3


7/34

3. Email bombing-

Email bombing refers to sending a large number of emails to the victim resulting in the

victim's email account (in case of an individual) or mail servers (in case of a company or an

email service provider) crashing. In one case, a foreigner who had been residing in Simla,

India for almost thirty years wanted to avail of a scheme introduced by the Simla Housing

Board to buy land at lower rates. When he made an application it was rejected on the grounds

that the 169 schemes were available only for citizens of India. He decided to take his

revenge. Consequently he sent thousands of mails to the Simla Housing Board and repeatedly

kept sending e-mails till their servers crashed.

4. Data diddling-

This kind of an attack involves altering raw data just before it is processed by a computer and

then changing it back after the processing is completed. Electricity Boards in India have been

victims to data diddling programs inserted when private parties were computerizing their

systems.

5. Salami attacks-

These attacks are used for the commission of financial crimes. The key here is to make thealteration so insignificant that in a single case it would go completely unnoticed. E.g. a bank

employee inserts a program, into the bank's servers, that deducts a small amount of money

(say Rs. 5 a month) from the account of every customer. No account holder will probably

notice this unauthorized debit, but the bank employee will make a sizable amount of money

every month.

To cite an example, an employee of a bank in USA was dismissed from his job. Disgruntled

at having been supposedly mistreated by his employers the man first introduced a logic bomb

into the bank's systems.

Logic bombs are programmes, which are activated on the occurrence of a particular

predefined event. The logic bomb was programmed to take ten cents from all the accounts in

Page | 4


8/34

the bank and put them into the account of the person whose name was alphabetically the last

in the bank's rosters. Then he went and opened an account in the name of Ziegler. The

amount being withdrawn from each of the accounts in the bank was so insignificant that

neither any of the account holders nor the bank officials noticed the fault.

It was brought to their notice when a person by the name of Zygler opened his account in that

bank. He was surprised to find a sizable amount of money being transferred into his account

every Saturday.

6. Denial of Service attack-

This involves flooding a computer resource with more requests than it can handle. This

causes the resource (e.g. a web server) to crash thereby denying authorized users the serviceoffered by the resource. Another variation to a typical denial of service attack is known as a

Distributed Denial of Service (DDoS) attack wherein the perpetrators are many and are

geographically widespread. It is very difficult to control such attacks. The attack is initiated

by sending excessive demands to the victim's computer(s), exceeding the limit that the

victim's servers can support and making the servers crash. Denial-of-service attacks have had

an impressive history having, in the past, brought down websites like Amazon, CNN, Yahoo

and eBay!

7. Virus / worm attacks-

Viruses are programs that attach themselves to a computer or a file and then circulate

themselves to other files and to other computers on a network. They usually affect the data

on a computer, either by altering or deleting it. Worms, unlike viruses do not need the host to

attach themselves to. They merely make functional copies of themselves and do this

repeatedly till they eat up all the available space on a computer's memory. The

VBS_LOVELETTER virus (better known as the Love Bug or the ILOVEYOU virus) was

reportedly written by a Filipino undergraduate.

In May 2000, this deadly virus beat the Melissa virus hollow - it became the world's most

prevalent virus. It struck one in every five personal computers in the world. When the virus

Page | 5


9/34

was brought under check the true magnitude of the losses was incomprehensible. Losses

incurred during this virus attack were pegged at US $ 10 billion.

The original VBS_LOVELETTER utilized the addresses in Microsoft Outlook and emailed

itself to those addresses. The e-mail, which was sent out, had "ILOVEYOU" in its subject

line. The attachment file was named "LOVE-LETTER-FORYOU. TXT.vbs". The subject

line and those who had some knowledge of viruses did not notice the tiny .vbs extension and

believed the file to be a text file conquered people wary of opening e-mail attachments. The

message in the e-mail was "kindly check the attached LOVELETTER coming from me".

Since the initial outbreak over thirty variants of the virus have been developed many of them

following the original by just a few weeks. In addition, the Love Bug also uses the Internet

Relay Chat (IRC) for its propagation.

It e-mails itself to users in the same channel as the infected user.

Unlike the Melissa virus this virus does have a destructive effect. Whereas the Melissa, once

installed, merely inserts some text into the affected documents at a particular instant during

the day, VBS_LOVELETTER first selects certain files and then inserts its own code in lieu

of the original data contained in the file. This way it creates ever-increasing versions of itself.

Probably the world's most famous worm was the Internet worm let loose on the Internet by

Robert Morris sometime in 1988. The Internet was, then, still in its developing years and this

worm, which affected thousands of computers, almost brought its development to a complete

halt. It took a team of experts almost three days to get rid of the worm and in the meantime

many of the computers had to be disconnected from the network.

8. Logic bombs-

These are event dependent programs. This implies that these programs are created to do

something only when a certain event (known as a trigger event) occurs. E.g. even some

viruses may be termed logic bombs because they lie dormant all through the year and

become active only on a particular date (like the Chernobyl virus ).

Page | 6


10/34

9. Trojan attacks-

A Trojan as this program is aptly called, is an unauthorized program which functions from

inside what seems to be an authorized program, thereby concealing what it is actually doing.

There are many simple ways of installing a Trojan in someone's computer. To cite and

example, two friends Rahul and Mukesh (names changed), had a heated argument over one

girl, Radha (name changed) whom they both liked. When the girl, asked to choose, chose

Mukesh over Rahul, Rahul decided to get even. On the 14th of February, he sent Mukesh a

spoofed e-card, which appeared to have come from Radha's mail account. The e-card actually

contained a Trojan. As soon as Mukesh opened the card, the Trojan was installed on his

computer. Rahul now had complete control over Mukesh's computer and proceeded to harass

him thoroughly.

10. Internet time thefts-

This connotes the usage by an unauthorized person of the Internet hours paid for by another

person. In a case reported before the enactment of the Information Technology Act, 2000

Colonel Bajwa, a resident of New Delhi, asked a nearby net caf owner to come and set up

his Internet connection. For this purpose, the net caf owner needed to know his username

and password.

After having set up the connection he went away with knowing the present username and

password. He then sold this information to another net caf. One week later Colonel Bajwa

found that his Internet hours were almost over. Out of the 100 hours that he had bought, 94

hours had been used up within the span of that week. Surprised, he reported the incident to

the Delhi police. The police could not believe that time could be stolen. They were not aware

of the concept of time-theft at all. Colonel Bajwa's report was rejected.

He decided to approach The Times of India, New Delhi. They, in turn carried a report about

the inadequacy of the New Delhi Police in handling cyber crimes. The Commissioner of

Police, Delhi then took the case into his own hands and the police under his directions raided

Page | 7


11/34

and arrested the net caf owner under the charge of theft as defined by the Indian Penal Code.

The net caf owner spent several weeks locked up in Tihar jail before being granted bail.

11. Web jacking-

This occurs when someone forcefully takes control of a website (by cracking the password

and later changing it). The actual owner of the website does not have any more control over

what appears on that website In a recent incident reported in the USA the owner of a hobby

website for children received an e-mail informing her that a group of hackers had gained

control over her website. They demanded a ransom of 1 million dollars from her. The owner,

a schoolteacher, did not take the threat seriously. She felt that it was just a scare tactic and

ignored the e-mail. It was three days later that she came to know, following many telephone

calls from all over the country, that the hackers had web jacked her website. Subsequently,

they had altered a portion of the website which was entitled 'How to have fun with goldfish'.

In all the places where it had been mentioned, they had replaced the word 'goldfish' with the

word 'piranhas'. Piranhas are tiny but extremely dangerous flesh-eating fish. Many children

had visited the popular website and had believed what the contents of the website suggested.

These unfortunate children followed the instructions, tried to play with piranhas, which they

bought from pet shops, and were very seriously injured!

12. Theft of computer system

This type of offence involves the theft of a computer, some part(s) of a computer or a

peripheral attached to the computer.

13. Physically damaging a computer system

This crime is committed by physically damaging a computer or its peripherals.

Page | 8


12/34

SOME CASE STUDIES

1. Pune Citibank Emphasis Call Centre Fraud

US $ 3,50,000 from accounts of four US customers were dishonestly transferred to bogus

accounts. This will give a lot of ammunition to those lobbying against outsourcing in US. Such

cases happen all over the world but when it happens in India it is a serious matter and we cannot

ignore it. It is a case of sourcing engineering. Some employees gained the confidence of the

customer and obtained their PIN numbers to commit fraud. They got these under the guise of

helping the customers out of difficult situations. Highest security prevails in the call centres in

India as they know that they will lose their business. There was not as much of breach of security

but of sourcing engineering. The call centre employees are checked when they go in and out so

they cannot copy down numbers and therefore they could not have noted these down.

They must have remembered these numbers, gone out immediately to a cyber caf and accessed

the Citibank accounts of the customers. All accounts were opened in Pune and the customers

complained that the money from their accounts was transferred to Pune accounts and thats how

the criminals were traced. Police has been able to prove the honesty of the call centre and has

frozen the accounts where the money was transferred. There is need for a strict background

check of the call centre executives. However, best of background checks can not eliminate the

bad elements from coming in and breaching security. We must still ensure such checks when a person is hired. There is need for a national ID and a national data base where a name can be

referred to. In this case preliminary investigations do not reveal that the criminals had any crime

history. Customer education is very important so customers do not get taken for a ride. Most

banks are guilt of not doing this.

2. State of Tamil Nadu Vs Suhas Katti

The Case of Suhas Katti is notable for the fact that the conviction was achieved successfully

within a relatively quick time of 7 months from the filing of the FIR. Considering that similar

cases have been pending in other states for a much longer time, the efficient handling of the case

which happened to be the first case of the Chennai Cyber Crime Cell going to trial deserves a

special mention.

Page | 9


13/34

The case related to posting of obscene, defamatory and annoying message about a divorcee

woman in the yahoo message group. E-Mails were also forwarded to the victim for information

by the accused through a false e-mail account opened by him in the name of the victim. The

posting of the message resulted in annoying phone calls to the lady in the belief that she was

soliciting. Based on a complaint made by the victim in February 2004, the Police traced the

accused to Mumbai and arrested him within the next few days. The accused was a known family

friend of the victim and was reportedly interested in marrying her. She however married another

person. This marriage later ended in divorce and the accused started contacting her once again.

On her reluctance to marry him, the accused took up the harassment through the Internet. On 24-

3-2004 Charge Sheet was filed u/s 67 of IT Act 2000, 469 and 509 IPC before The Honble

Addl. CMM Egmore by citing 18 witnesses and 34 documents and material objects. The same

was taken on file in C.C.NO.4680/2004.

On the prosecution side 12 witnesses were examined and entire documents were marked as

Exhibits. The Defence argued that the offending mails would have been given either by ex-

husband of the complainant or the complainant herself to implicate the accused as accused

alleged to have turned down the request of the complainant to marry her. Further the Defence

counsel argued that some of the documentary evidence was not sustainable under Section 65 B

of the Indian Evidence Act. However, the court relied upon the expert witnesses and other

evidence produced before it, including the witnesses of the Cyber Cafe owners and came to theconclusion that the crime was conclusively proved. Ld. Additional Chief Metropolitan

Magistrate, Egmore, delivered the judgement on 5-11-04 as follows:

The accused is found guilty of offences under section 469, 509 IPC and 67 of IT Act 2000

and the accused is convicted and is sentenced for the offence to undergo RI for 2 years

under 469 IPC and to pay fine of Rs.500/-and for the offence u/s 509 IPC sentenced to

undergo 1 year Simple imprisonment and to pay fine of Rs.500/- and for the offence u/s 67

of IT Act 2000 to undergo RI for 2 years and to pay fine of Rs.4000/- All sentences to runconcurrently.

The accused paid fine amount and he was lodged at Central Prison, Chennai. This is considered

as the first case convicted under section 67 of Information Technology Act 2000 in India.

Page | 10


14/34

3. SONY.SAMBANDH.COM Case

India saw its first cybercrime conviction recently. It all began after a complaint was filed by

Sony India Private Ltd, which runs a website called www.sony-sambandh.com, targeting Non

Resident Indians. The website enables NRIs to send Sony products to their friends and relativesin India after they pay for it online. The company undertakes to deliver the products to the

concerned recipients. In May 2002, someone logged onto the website under the identity of

Barbara Campa and ordered a Sony Colour Television set and a cordless head phone. She gave

her credit card number for payment and requested that the products be delivered to Arif Azim in

Noida. The payment was duly cleared by the credit card agency and the transaction processed.

After following the relevant procedures of due diligence and checking, the company delivered

the items to Arif Azim. At the time of delivery, the company took digital photographs showing

the delivery being accepted by Arif Azim. The transaction closed at that, but after one and a half

months the credit card agency informed the company that this was an unauthorized transaction as

the real owner had denied having made the purchase. The company lodged a complaint for

online cheating at the Central Bureau of Investigation which registered a case under Section 418,

419 and 420 of the Indian Penal Code. The matter was investigated into and Arif Azim was

arrested.

Investigations revealed that Arif Azim, while working at a call centre in Noida gained access to

the credit card number of an American national which he misused on the companys site. The

CBI recovered the colour television and the cordless head phone. In this matter, the CBI had

evidence to prove their case and so the accused admitted his guilt. The court convicted Arif

Azim under Section 418, 419 and 420 of the Indian Penal Code this being the first time that a

cybercrime has been convicted. The court, however, felt that as the accused was a young boy of

24 years and a first-time convict, a lenient view needed to be taken. The court therefore released

the accused on probation for one year. The judgment is of immense significance for the entire

nation. Besides being the first conviction in a cybercrime matter, it has shown that the Indian

Penal Code can be effectively applied to certain categories of cyber crimes which are not

covered under the Information Technology Act 2000. Secondly, a judgment of this sort sends out

a clear message to all that the law cannot be taken for a ride.

Page | 11


15/34

4. Nasscom vs. Ajay Sood & Others

In a landmark judgment in the case of National Association of Software and Service Companies

Vs Ajay Sood & Others, delivered in March, 05, the Delhi High Court declared `phishing on

the internet to be an illegal act, entailing an injunction and recovery of damages. Elaborating onthe concept of phishing, in order to lay down a precedent in India, the court stated that it is a

form of internet fraud where a person pretends to be a legitimate association, such as a bank or

an insurance company in order to extract personal data from a customer such as access codes,

passwords, etc. Personal data so collected by misrepresenting the identity of the legitimate party

is commonly used for the collecting partys advantage. court also stated, by way of an example,

that typical phishing scams involve persons who pretend to represent online banks and siphon

cash from e-banking accounts after conning consumers into handing over confidential banking

details.

The Delhi HC stated that even though there is no specific legislation in India to penalise

phishing, it held phishing to be an illegal act by defining it under Indian law as a

misrepresentation made in the course of trade leading to confusion as to the source and origin of

the e-mail causing immense harm not only to the consumer but even to the person whose name,

identity or password is misused. The court held the act of phishing as passing off and tarnishing

the plaintiffs image. The plaintiff in this case was the National Association of Software and

Service Companies (Nasscom), Indias premier software association. The defendants were

operating a placement agency involved in head-hunting and recruitment. In order to obtain

personal data, which they could use for purposes of headhunting, the defendants composed and

sent e-mails to third parties in the name of Nasscom. The high court recognised the trademark

rights of the plaintiff and passed an ex-parte adinterim injunction restraining the defendants from

using the trade name or any other name deceptively similar to Nasscom.

The court further restrained the defendants from holding themselves out as being associates or a

part of Nasscom. The court appointed a commission to conduct a search at the defendants

premises. Two hard disks of the computers from which the fraudulent e-mails were sent by the

defendants to various parties were taken into custody by the local commissioner appointed by the

court. The offending e-mails were then downloaded from the hard disks and presented as

evidence in court. During the progress of the case, it became clear that the defendants in whose

Page | 12


16/34

names the offending e-mails were sent were fictitious identities created by an employee on

defendants instructions, to avoid recognition and legal action. On discovery of this fraudulent

act, the fictitious names were deleted from the array of parties as defendants in the case.

Subsequently, the defendants admitted their illegal acts and the parties settled the matter throughthe recording of a compromise in the suit proceedings. According to the terms of compromise,

the defendants agreed to pay a sum of Rs1.6 million to the plaintiff as damages for violation of

the plaintiffs trademark rights. The court also ordered the hard disks seized from the defendants

premises to be handed over to the plaintiff who would be deceptively similar to Nasscom. The

court further restrained the defendants from holding themselves out as being associates or a part

of Nasscom. The court appointed a commission to conduct a search at the defendants premises.

Two hard disks of the computers from which the fraudulent e-mails were sent by the defendants

to various parties were taken into custody by the local commissioner appointed by the court. The

offending e-mails were then downloaded from the hard disks and presented as evidence in court.

During the progress of the case, it became clear that the defendants in whose names the

offending e-mails were sent were fictitious identities created by an employee on defendants

instructions, to avoid recognition and legal action. On discovery of this fraudulent act, the

fictitious names were deleted from the array of parties as defendants in the case. Subsequently,

the defendants admitted their illegal acts and the parties settled the matter through the recording

of a compromise in the suit proceedings. According to the terms of compromise, the defendants

agreed to pay a sum of Rs1.6 million to the plaintiff as damages for violation of the plaintiffs

trademark rights. The court also ordered the hard disks seized from the defendants premises to

be handed over to the plaintiff who would be the owner of the hard disks. This case achieves

clear milestones: It brings the act of phishing into the ambit of Indian laws even in the absence

of specific legislation; It clears the misconception that there is no damages culture in India for

violation of IP rights; This case reaffirms IP owners faith in the Indian judicial systems ability

and willingness to protect intangible property rights and send a strong message to IP owners thatthey can do business in India without sacrificing their IP rights.

Page | 13


17/34

5. SMC Pneumatics (India) Pvt. Ltd. v. Jogesh Kwatra

In India's first case of cyber defamation, a Court of Delhi assumed jurisdiction over a matter

where a corporates reputation was being defamed through emails and passed an important ex-

parte injunction.In this case, the defendant Jogesh Kwatra being an employ of the plaintiff company started

sending derogatory, defamatory, obscene, vulgar, filthy and abusive emails to his employers as

also to different subsidiaries of the said company all over the world with the aim to defame the

company and its Managing Director Mr. R K Malhotra. The plaintiff filed a suit for permanent

injunction restraining the defendant from doing his illegal acts of sending derogatory emails to

the plaintiff.

On behalf of the plaintiffs it was contended that the emails sent by the defendant were distinctlyobscene, vulgar, abusive, intimidating, humiliating and defamatory in nature. Counsel further

argued that the aim of sending the said emails was to malign the high reputation of the plaintiffs

all over India and the world. He further contended that the acts of the defendant in sending the

emails had resulted in invasion of legal rights of the plaintiffs. Further the defendant is under a

duty not to send the aforesaid emails. It is pertinent to note that after the plaintiff company

discovered the said employ could be indulging in the matter of sending abusive emails, the

plaintiff terminated the services of the defendant.

After hearing detailed arguments of Counsel for Plaintiff, Hon'ble Judge of the Delhi High Court

passed an ex-parte ad interim injunction observing that a prima facie case had been made out by

the plaintiff. Consequently, the Delhi High Court restrained the defendant from sending

derogatory, defamatory, obscene, vulgar, humiliating and abusive emails either to the plaintiffs

or to its sister subsidiaries all over the world including their Managing Directors and their Sales

and Marketing departments. Further, Hon'ble Judge also restrained the defendant from

publishing, transmitting or causing to be published any information in the actual world as also in

cyberspace which is derogatory or defamatory or abusive of the plaintiffs.

This order of Delhi High Court assumes tremendous significance as this is for the first time that

an Indian Court assumes jurisdiction in a matter concerning cyber defamation and grants an ex-

parte injunction restraining the defendant from defaming the plaintiffs by sending derogatory,

defamatory, abusive and obscene emails either to the plaintiffs or their subsidiaries.

Page | 14


18/34

6. Online Stock Exchange Fraud

Background: A complaint was received from the director of a securities firm stating that there

was an unauthorized execution of a call option resulting in a loss to the complainant. The

complainant company was dealing in sale and purchase of shares on behalf of clients. As a broker of the stock exchange they were providing trading facilities of the equity and futures and

options markets to their sub-brokers/ high net worth individual clients. This was done at the

clients premises through ISDN lines/ normal telephone lines/ VPN with predefined passwords

and user IDs on their trading terminals. As per the complaint a fraudulent trade was executed by

selling a call option by using the user ID and password provided to one of the complainants

client. An interesting aspect was that this call option was the most inactive for trading purposes

and no trade had taken place except for the fraudulent trade.

The said call option was compulsorily exercised by the exchange thus resulting in a loss of INR

0.05 million to the complainant and wrongful gain to the culprits.

Investigation: The stock exchange provided the details of the trade log for call option of buyer

and seller. The user ID that was used to book the order could be traced from the information

provided. Some of the information that was provided was:

Date - Buy Client Name/Address

Trade Number - Sell Member Code Trade Time - Sell Trading Member Name Trade Quantity - Sell Client Code/Name/Address Buy Time - Buy Order Number Buy Name - Sell Order Number Buy Client Code

The complainants client was examined who stated that they had not executed this trade. The

data of the computer installed at their premises was scrutinized for system error log, access log,

event log and broadcast server log. The analysis of the logs revealed that the computer system of

the client was not logged during the days when the fraudulent trades were executed. The

configuration indicated that for executing the transaction through the internet, access to the

network was imperative. Such access was authorized by the firewall installed at the network of

the complainant.

Page | 15


19/34

The firewall (which generated the log details) provided the IP address used to logon to the

system to execute the transaction. The firewall details as well as the server of the complainant

were taken to the police computer lab and analyzed using forensic tools. The transactions logs

could not be recovered from the firewall server as the same was designed to be emailed to a

specific email ID. However, the information collected from a securities firm revealed the details

of an account through which the fraudulent transaction was executed.

The ownership details and logs for the email ID were collected from a web host company and

were found to be belonging to the very person who had designed the firewall for the complainant

company. Thereafter, the mobile phone details of the accused were collected which revealed that

he was in contact with the co-accused (the person who had designed the firewall for the

complainant company). This gave the first indication that a conspiracy existed between the

accused persons.

Based on this information simultaneous raids were conducted and the accused were arrested. The

interrogation of the accused revealed the modus operandi on how the fraudulent transaction had

been executed. The accused had provided the copy of the programme (which had access, firewall

file, password and other details that were required for configuring the computer system) to the

co-accused.

The Central Processing Unit was configured by the co-accused and the same was taken to cyber

cafe and on the pretext of downloading software. The accused downloaded the software from the

attachment in his e-mail account and executed the transaction by installing the software on the

computer.

Current status: Under investigation, the accused are in judicial custody.

7. Fake Travel Agent

Background: The accused in this case was posing to be a genuine railway ticket agent and had been purchasing tickets online by using stolen credit cards of non residents. The accused created

fraudulent electronic records/ profiles, which he used to carry out the transactions.

The tickets so purchased were sold for cash to other passengers. Such events occurred for a

period of about four months.

Page | 16


20/34

The online ticket booking service provider took notice of this and lodged a complaint with the

cyber crime investigation cell.

Investigation: The service provider gave the IP addresses, which were used for the fraudulent

online bookings, to the investigating team. IP addresses were traced to cyber cafes in twolocations.

The investigating team visited the cyber cafs but was not able to get the desired logs as they

were not maintained by the cyber caf owners. The investigating team was able to short list the

persons present at cyber cafes when the bookings were made. The respective owners of the cyber

cafes were able to identify two persons who would regularly book railway tickets.

The investigating team then examined the passengers who had travelled on these tickets. They

stated that they had received the tickets from the accused and identified the delivery boy whodelivered the tickets to them. On the basis of this evidence the investigating team arrested two

persons who were identified in an identification parade.

Current status: The charge sheet has been submitted in the court.

8. Illegal Data Mining

The owner of Snipermail, a business that distributes advertisements via the Internet to e-mailaddresses on behalf of advertisers or their brokers was indicted for conspiracy, unauthorized

access of a protected computer, access device fraud, money laundering and obstruction of justice.

It was alleged that Scott Levine and other Snipermail employees illegally accessed a computer

database owned and operated by Acxiom Corporation, a company that stores, processes, and

manages personal, financial, and corporate data on behalf of its clients. On numerous occasions,

Levine and others illegally entered into an Acxiom file transfer protocol (ftp) server and

downloaded significant amounts of data. The intrusions were traced back to an internet protocol

address that belonged to one of Snipermails computers. The downloading of the databases lasted

for period of a year and a half and represented 8.2 gigabytes of data. While the stolen data

contained personal information about a great number of individuals and could have resulted in

tremendous loss if the information were used in a fraudulent way, there was no evidence to date

that any of the data was misused in this way. Acxiom, immediately notified law enforcement

Page | 17


21/34

upon discovery of intrusions into its system and assisted with the investigation which was

conducted by a task force formed the Federal Bureau of Investigation (FBI) and the United

States Secret Service (USSS).

9. Brute force

In cryptography, a brute force attack or exhaustive key search is a strategy that can in theory be

used against any encrypted data by an attacker who is unable to take advantage of any weakness

in an encryption system that would otherwise make his task easier. It involves systematically

checking all possible keys until the correct key is found. In the worst case, this would involve

traversing the entire search space.

Hackers used brute force password cracking program to break into the districts computers and

initiated a batch of bogus transfers out of the schools payroll account. The transfers were kept

below $10,000 to avoid the anti-money laundering reporting requirements. The hackers had

almost 20 accomplices they had hired through work at home job scams. Over $100,000 was

successfully removed from the account. Two days later a school employee noticed the bogus

payments. Unfortunately, unlike consumers who typically have up to 60 days from the receipt of

a monthly statement to dispute any unauthorized charges, organizations and companies have

roughly two business days to spot and dispute unauthorized activity. This is because schoolorganizations that bank online fall under the Uniform Commercial Code. Due to this law, the

district was able to get less than $20,000 of the transfers reversed.

10. Shoulder Surfing: District Data Breach

A Washington State man has been sentenced to 10 years in prison after pleading guilty to 31

counts of criminal activity, most related to a school district data breach. Christopher Berge, now

21, was a student at Mountain View High School in Evergreen Public Schools when he

"shoulder surfed"--physically observed--a password used by a district employee.

Berge later used the password to gain access to the district's student information system, hosted

by the Washington School Information Processing Cooperative (WSIPC). From there, he was

able to gain access to the payroll data of another district in the state, Vancouver Public Schools.

Page | 18


22/34


23/34

CLASSIFICATION OF EFFECTS OF CYBER CRIME

The subject of cyber crime may be broadly classified under the following three groups. They are-

1. Against Individuals

a. Their person &

b. their property of an individual

2. Against Organization

a. Government

b. Firm, Company, Group of Individuals.

3. Against Society at large

The following are the crimes, which can be committed against the followings group

Against Individuals:

I. Harassment via e-mails.

II. Cyber-stalking.

III. Dissemination of obscene material.

IV. Defamation.

V. Unauthorized control/access over computer system.

VI. Indecent exposure

VII. Email spoofing Cheating & Fraud

Against Individual Property: -

I. Computer vandalism.II. Transmitting virus.

III. Netrespass

IV. Unauthorized control/access over computer system.

Page | 20


24/34

V. Intellectual Property crimes

VI. Internet time thefts

Against Organization: -

I. Unauthorized control/access over computer system

II. Possession of unauthorized information.

III. Cyber terrorism against the government organization.

IV. Distribution of pirated software etc.

Against Society at large: -

I. Pornography (basically child pornography).

II. Polluting the youth through indecent exposure.

III. Trafficking

IV. Financial crimes

V. Sale of illegal articles

VI. Online gambling

VII. Forgery

The above mentioned offences discussed in brief as follows:

1. Harassment via e-mails-

Harassment through e-mails is not a new concept. It is very similar to harassing through letters.

Recently I had received a mail from a lady wherein she complained about the same. Her former

boy friend was sending her mails constantly sometimes emotionally blackmailing her and also

threatening her. This is a very common type of harassment via e-mails.

2. Cyber-stalking-

The Oxford dictionary defines stalking as "pursuing stealthily". Cyber stalking involves

following a person's movements across the Internet by posting messages (sometimes threatening)

Page | 21


25/34

on the bulletin boards frequented by the victim, entering the chat-rooms frequented by the

victim, constantly bombarding the victim with emails etc.

3. Dissemination of obscene material/ Indecent exposure / Pornography (basically child

pornography) / Polluting through indecent exposure-Pornography on the net may take various forms. It may include the hosting of web site

containing these prohibited materials. Use of computers for producing these obscene materials.

Downloading through the Internet, obscene materials. These obscene matters may cause harm to

the mind of the adolescent and tend to deprave or corrupt their mind. Two known cases of

pornography are the Delhi Bal Bharati case and the Bombay case wherein two Swiss couple

used to force the slum children for obscene photographs. The Mumbai police later arrested them.

4. Defamation

It is an act of imputing any person with intent to lower the person in the estimation of the right-

thinking members of society generally or to cause him to be shunned or avoided or to expose

him to hatred, contempt or ridicule. Cyber defamation is not different from conventional

defamation except the involvement of a virtual medium. E.g. the mail account of Rohit was

hacked and some mails were sent from his account to some of his batch mates regarding his

affair with a girl with intent to defame him.

5. Unauthorized control/access over computer system-

This activity is commonly referred to as hacking. The Indian law has however given a different

connotation to the term hacking, so we will not use the term "unauthorized access"

interchangeably with the term "hacking" to prevent confusion as the term used in the Act of 2000

is much wider than hacking.

6 . E mail spoofing-

A spoofed e-mail may be said to be one, which misrepresents its origin. It shows it's origin to be

different from which actually it originates. Recently spoofed mails were sent on the name of Mr.

N a.Vijayashankar (naavi.org), which contained virus.

Rajesh Manyar , a graduate student at Purdue University in Indiana, was arrested for threatening

to detonate a nuclear device in the college campus. The alleged e- mail was sent from the

Page | 22


26/34

account of another student to the vice president for student services. However the mail was

traced to be sent from the account of Rajesh Manyar .

7 . Computer vandalism-

Vandalism means deliberately destroying or damaging property of another. Thus computer vandalism may include within its purview any kind of physical harm done to the computer of any

person. These acts may take the form of the theft of a computer, some part of a computer or a

peripheral attached to the computer or by physically damaging a computer or its peripherals.

8. Intellectual Property crimes / Distribution of pirated software-

Intellectual property consists of a bundle of rights. Any unlawful act by which the owner is

deprived completely or partially of his rights is an offence. The common form of IPR violation

may be said to be software piracy, copyright infringement, trademark and service mark violation,

theft of computer source code, etc.

The Hyderabad Court has in a land mark judgement has convicted three people and sentenced

them to six months imprisonment and fine of 50,000 each for unauthorized copying and sell of

pirated software.

9 . Cyber terrorism against the government organization

At this juncture a necessity may be felt that what is the need to distinguish between cyber terrorism and cyber crime. Both are criminal acts. However there is a compelling need to

distinguish between both these crimes. A cyber crime is generally a domestic issue, which may

have international consequences, however cyber terrorism is a global concern, which has

domestic as well as international consequences. The common form of these terrorist attacks on

the Internet is by distributed denial of service attacks, hate websites and hate emails, attacks on

sensitive computer networks, etc. Technology savvy terrorists are using 512-bit encryption,

which is next to impossible to decrypt. The recent example may be cited of Osama Bin Laden ,

the LTTE , attack on Americas army deployment system during Iraq war.

Cyber terrorism may be defined to be the premeditated use of disruptive activities, or the threat

thereof, in cyber space, with the intention to further social, ideological, religious, political or

similar objectives, or to intimidate any person in furtherance of such objectives

Another definition may be attempted to cover within its ambit every act of cyber terrorism.

Page | 23


27/34


28/34

STATUTORY PROVISIONS

The Indian parliament considered it necessary to give effect to the resolution by which

the General Assembly adopted Model Law on Electronic Commerce adopted by the United Nations Commission on Trade Law. As a consequence of which the Information Technology Act

2000 was passed and enforced on 17th May 2000. the preamble of this Act states its objective to

legalise e-commerce and further amend the Indian Penal Code 1860, the Indian Evidence Act

1872, the Bankers Book Evidence Act1891 and the Reserve Bank of India Act 1934 . The

basic purpose to incorporate the changes in these Acts is to make them compatible with the Act

of 2000. So that they may regulate and control the affairs of the cyber world in an effective

manner.

The Information Technology Act deals with the various cyber crimes in chapters IX &

XI. The important sections are Ss. 43,65,66,67. Section 43 in particular deals with the

unauthorised access, unauthorised downloading, virus attacks or any contaminant, causes

damage, disruption, denial of access, interference with the service availed by a person. This

section provide for a fine up to Rs. 1 Crore by way of remedy. Section 65 deals with tampering

with computer source documents and provides for imprisonment up to 3 years or fine, which

may extend up to 2 years or both. Section 66 deals with hacking with computer system and provides for imprisonment up to 3 years or fine, which may extend up to 2 years or both. Further

section 67 deals with publication of obscene material and provides for imprisonment up to a term

of 10 years and also with fine up to Rs. 2 lakhs.

Page | 25


29/34

THE ACCESS AND SECURITY TRADE-OFF

Today, extending access to applications for the users who need them is no longer a "nice to

have" - but a key determinant of who will win and who will lose. Legacy applications and

databases, for example, contain invaluable customer information and provide a great resource for

partners and other trusted third parties; email and other messaging applications are indispensable

for seemingly instantaneous communication; and 'emerging' applications, such as audio and

video conferencing, are now the critical enabler of 'real-time business,' resulting in huge gains in

both productivity and profitability. Facilitating the rollout and accessibility of these applications,

IP networks - both private and public, wired and wireless - make access to applications possible

for any user from any corner of the globe. Why, then, are CIOs constantly refereeing a tug-of-

war between the lines of business who want to realize the value of their applications by

extending them to the users who need them and the network administrators who want to insulate

their network from attack by increasingly limiting access for untrusted third parties?

What is driving this zero sum game where any access gained by the business results in a

corresponding decrease in network security? The answer lies in the use of network security to

deploy applications. That is, network security, which by its design disrupts and limits

connectivity between networks, is also used to enable connectivity. These products - while

critical for protecting the physical network - were not intended to protect and extend applications

and consequently using them to deploy applications inevitably results in the access and security

trade off.

The solution, however, is not to increase the IT budget to buy more point solutions or deploy an

army of network administrators to provide the highly-oxymoronic 'brute force flexibility,' but to

deploy a new conceptual network called the Application Network. The Application Network is a

logical network that overlays the physical IP network and leverages its communicationsinfrastructure while not undermining its physical security. The Application Network also

underlies the applications that need the physical network for connectivity, providing robust and

extensible application-layer security. When deployed, the Application Networks allow

enterprises to use the applications their businesses require and securely extend those to the users

Page | 26


30/34

who need them - while taking advantage of, not compromising, the network security

infrastructure.

A Little History

Thirty years have passed since the U.S. Defense Advanced Research Projects Agency (DARPA)

initiated the project to determine a method of linking together many disparate packet networks to

enable cross-network communication. According to history, the initiative was referred to as the

Internetworking project and the resulting mesh of linked packet networks was called the Internet.

The Internet at that time was an aggregation of packet networks funded and hosted by

government and educational enterprises throughout the United States. Enabling this inter-

communication was the development of the Internet Protocol (IP), which defined how data

packets are routed across the various networks. Until the 1980's the Internet was a combination

of public networks that allowed primarily academic and government to communicate freely and

openly. Applications utilizing the TCP/IP protocol suite could be extended to users with routable

IP addresses, a requirement of the early Internet. Soon, however, and by design, the Internet and

its obvious business benefits began to get the attention of commercial enterprises as well as

foreign governments and soon these organizations began to adhere to the IP protocol and connect

their local networks to this public communications infrastructure. Now, users were diverse,

unknown and not necessarily trusted while the information accessible was no longer academic, but sensitive business and governmental intelligence. Network security was born.

The Purpose of Network Security

Necessity certainly bred invention with the advent of network security. At a very high level,

organizations needed to protect their physical networks from this 'untrusted' Internet and were

eager to find solutions that allowed them limited access to the public networks while insulating

their networks from potential attack and information theft. Answering this demand, firewallswere developed to protect the physical network. Firewalls, often utilizing Network Address

Translation (NAT) for non-routable addresses that are hidden from the outside,were designed to

limit network access by breaking the two fundamental rules of IP routing - that is that all

network nodes must know of other nodes and all addresses of devices must be known. From the

Page | 27


31/34

outset, the purpose of basic network security was to protect the physical network from attack by

limiting connectivity between the two networks.

Emergence of the Security and Access Trade Off

The unfortunate downside of physical security that limits connectivity for untrusted users is that

it also limits connectivity for trusted users. To provide access for trusted users,network

administrators were forced to start 'fixing' the networking rules broken by the physical security

as required by the users and the access they required. Opening holes in the perimeter security,

however, to allow ingress and egress is exactly that: opening holes. Network administrators

quickly realized that the amount of access granted to users was inversely proportional to the

security of their network. A seemingly zero sum game, this network security and application

access trade off is now a common dilemma within organizations large and small, domestic and

international.

Page | 28


32/34

PREVENTION OF CYBER CRIME

Prevention is always better than cure. It is always better to take certain precaution while

operating the net. A should make them his part of cyber life. Saileshkumar Zarkar, technical

advisor and network security consultant to the Mumbai Police Cyber crime Cell, advocates the5P mantra for online security : Precaution, Prevention, Protection, Preservation and

Perseverance. A netizen should keep in mind the following things-

1. To prevent cyber stalking avoid disclosing any information pertaining to oneself. This is

as good as disclosing your identity to strangers in public place.

2. Always avoid sending any photograph online particularly to strangers and chat friends as

there have been incidents of misuse of the photographs.

3. Always use latest and updated antivirus software to guard against virus attacks.

4. Always keep back up volumes so that one may not suffer data loss in case of virus

contamination

5. Never send your credit card number to any site that is not secured, to guard against

frauds.

6. Always keep a watch on the sites that your children are accessing to prevent any kind of

harassment or depravation in children.

7. It is better to use a security programme that gives control over the cookies and send

information back to the site as leaving the cookies unguarded might prove fatal.

8. Web site owners should watch traffic and check any irregularity on the site. Putting host-

based intrusion detection devices on servers may do this.

9. Use of firewalls may be beneficial.

10. Web servers running public sites must be physically separate protected from internalcorporate network.

Adjudication of a Cyber Crime - On the directions of the Bombay High Court the Central

Government has by a notification dated 25.03.03 has decided that the Secretary to the

Page | 29


33/34

Information Technology Department in each state by designation would be appointed as the AO

for each state.

CONCLUSION

Capacity of human mind is unfathomable. It is not possible to eliminate cyber crime from

the cyber space. It is quite possible to check them. History is the witness that no legislation has

succeeded in totally eliminating crime from the globe. The only possible step is to make people

aware of their rights and duties (to report crime as a collective duty towards the society) and

further making the application of the laws more stringent to check crime. Undoubtedly the Act is

a historical step in the cyber world. Further we all together do not deny that there is a need to

bring changes in the Information Technology Act to make it more effective to combat cyber

crime. We would conclude with a word of caution for the pro-legislation school that it should bekept in mind that the provisions of the cyber law are not made so stringent that it may retard the

growth of the industry and prove to be counter-productive.

Page | 30


34/34

References/Bibliography

1) www.cyberlawsindia.net

2) www.crime-research.org/

3) Cyber-crime: the challenge in Asia - By Roderic G. Broadhurst, Peter N. Grabosky

4) www.cyberlawclinic.org/casestudy.asp

5) http://thejournal.com/articles/2010/04/13/district-data-breach-leads-to-prison-time.aspx

6) http://en.wikibooks.org/wiki/Information_Security_in_Education/Case_Studies

7) http://www.spamlaws.com/

8) http://cybercrime.planetindia.net/application_security.htm

9) http://www.naavi.org/pati/pati_cybercrimes_dec03.htm

Documents

Muhammad Salim (Ism)