Catching the cyber criminal

Print edition : June 18, 2004

The proliferation of cyber crime around the world poses new challenges to law enforcement agencies.

A BOY in his teens operating from a remote village in northern Germany brought the computer giant Microsoft and millions of computer users to their knees very recently. The virus "Sasser" that Sven Jaschan, possibly working in tandem with a few others, unleashed on the computer world, caused an astronomical loss to businesses and individuals that is yet to be accurately assessed. At least one large bank in Finland closed down more than 100 of its branches to avoid its system getting infected, reflecting an utter lack of faith in its anti-virus programme. Unlike many other viruses, Sasser moved from machine to machine through the Internet and not via e-mail attachments. Home computers, more than those in offices, bore the brunt of the attack, a phenomenon that most experts failed to predict.

Ironically, a few days before Sasser produced major damage, Microsoft highlighted a hole in its Operating System and advised users to take immediate action by using a patch. (It is possible that Microsoft had been tipped off or its monitors had detected patterns suggesting an impending catastrophe.) Not many took this warning seriously, and this cost them dearly. Fortunately, the virus did not delete files, but merely switched off systems frequently, causing tremendous disruption and inconvenience.

Sven has been arrested by the German Police and questioned. While we do not know the outcome, including whether the Federal Bureau of Investigation will seek his extradition, he is described as a "computer freak" and a loner. His computer teacher speaks of his impressive technical knowledge, but admits that his student had overreached himself. Interestingly, Sven boasted to his father several months earlier that he had, in fact, released a worm. He had possibly spent several days and nights sitting in the basement of his house and fine-tuning his diabolic operation. His parents either took little note of such labour or just did not know how to handle him.

The fact is, law-enforcement officials all over the world are going to face younger and younger offenders who just do not know the gravity of their actions. Coupled with this lack of awareness is the certainty that many of them are going to use modern technology that is easily available at affordable prices.

A German police official calls Sven a common criminal, whose youth does not give him any licence or the privilege of kid-glove treatment. Such a hard posture is not surprising, coming as it does from a law-enforcement perspective. It could, however, be utterly insensitive to the growing phenomenon of technology-savvy youngsters going berserk but remaining unidentified. There are not many clues as to what motivates young people to stray away from family values. Is it the thrill of adventure or the need for money to cope with the ever-rising requirements of fashionable living?

I must confess that my knowledge of technology-aided crime is nothing to boast of. Exposure, therefore, to a day-long presentation on the subject recently by experts to an international police gathering at the Bramshill Police Training Centre in Hampshire was beneficial. There were many revelations that could make policemen as well as law-abiding citizens sit up and take notice of the dangerous ambience that surrounds all of us. The first characteristic of the current scene is that more than individuals, it is the well-welded multinational gangs that account for substantial high-profile computer-based crime these days. (Normally, only hackers operate all by themselves, although lately one can detect their invisible collusion with virus writers.)

This explains the numerous operations in the areas of trafficking in human beings, especially women and children, drug peddling, pornography and money-laundering that have been unearthed recently. The Internet provides a vehicle for intra-gang communication as well as for deceiving the victims.

The United Kingdom (U.K.) has been dogged lately by controversies relating to rising immigration, both legal and illegal, from eastern Europe. It was just a couple of months ago that a member of the Blair Cabinet had to resign, following the allegation that large numbers of people had been allowed to come into the country from Romania and Bulgaria through authorised channels, without proper verification of their credentials, despite the opposition of a senior U.K. diplomat based in Bucharest. It is against this backdrop that one must look at the prevalent view that many east European countries are contributing a lot to crime in the U.K., particularly of the hi-tech variety. This phenomenon is difficult to explain. Is there a spurt in young men and women coming out of polytechnics in eastern Europe, alongside a lack of opportunities to use their knowledge? Poverty and unemployment alone cannot explain this.

FINANCIAL institutions are a major target for computer criminals. The expansion of online banking facilities has been beyond belief. Banks have benefited greatly by making them more and more attractive to customers and have seen a large number of their clients using and feeling comfortable with them. The emphasis is on making such access more and more customer-friendly, but this comes with a price. There is a feeling that many banks tend to underplay the simultaneous need for making their systems more secure. This is out of sheer ignorance, as well as a reluctance to make a heavy investment in IT security. This unhappy situation has been exploited by many crooks who do not hesitate to buy skills in the market - gadgets as well as human resources - to break into online banking systems. According to a recent CSO magazine survey conducted in collaboration with the United States Secret Service and the Cyber Security Centre of the Carnegie Mellon University, electronic crime during 2003 accounted for a loss of $666 million.

Customer negligence has also contributed to valuable information such as User IDs and passwords falling into wrong hands. While major break-ins have not been either frequent or well publicised, what is most appalling is that many banks have refused to let cyber investigators probe such breaches. This apathy is prompted by the fear that an admission of system vulnerability would result in the loss of customer confidence and could even lead to a run on the bank. Many are deterred also by the tortuous processes of the criminal justice system and the loss of valuable business time if incidents are reported to the police. "Phishing" is the name given to activities such as the illegal copying of an authorised, well-established website for a dishonest purpose, such as identity theft. (Here, fraudsters send bogus mails to unsuspecting customers and ferret out valuable personal data such as computer IDs and passwords that are later used to withdraw deposits.) This modus operandi is now quite popular with many gangs. Organisations dealing in money are a particular target. A study by an Anti-Phishing Working Group, Tumbleweed (an Internet security firm) in the U.S., reveals a 75 per cent increase in phishing crime during the past year. The study reported 1,125 such cases. It is difficult to prevent phishing, but what is required is a swift response to such attempts when an organisation is alerted by its customers.

Another favourite crime that has been spawned largely by business rivalries - so much a part of modern commerce - is the Distributed Denial of Service (DDoS) attack. Many huge organisations such as the FBI, Yahoo, America Online, eBay and Amazon.com (the popular online bookseller) were subjected to this type of attack in February 2000. Here, the aggressor, with the help of a secret software programme, manipulates a sudden flood of unexpected visits at a designated time from a large number of computers located at different sites, to a popular website, thereby denying access to many genuine customers. The damage caused is incalculable, and if a website is attacked repeatedly within a short spell of time, the loss of revenue could prove ruinous. This is somewhat analogous to the spam mail that we receive each day that involves cleaning up our Inboxes on a daily basis. Imagine one of our adversaries suddenly deciding to hurt us by initiating about a thousand unsolicited messages every day. All our time would be lost only in eliminating them, without getting a moment for the normal use of the e-mail facility. Total incapacitation of a business rival or an adversary is what an aggressor aims at, and he achieves this often without getting caught.

It has been recognised the world over that crime prevention calls for a two-pronged approach: target hardening and deterrence. A host of studies by experts such as Prof. Ron Clarke (whose specialisation is in the area of situational crime prevention) of Rutgers University in the U.S. have proved that heightened efforts to make the object of crime less accessible and therefore harder to hit at, contribute to a definite reduction in crime. Modern emphasis of criminology has, therefore, been on proactively making systems and facilities difficult to penetrate. The growth in sophistication of computer security systems has been remarkable, although there are sceptics who believe that no amount of security can put off a determined intruder. Another piece of criticism has been the enormous cost of many computer security products.

This negative feeling has been engendered by the almost weekly arrival in the market of anti-virus packages. The reporting of new viruses such as Sasser only buttresses the argument against further investment in computer security. This cynical stand is blind to the fact that viruses are a class apart, and that, being programme-based, there is no limit to human ingenuity in creating and floating viruses by the dozen. Just as we cannot put a cap on programmes or programmers, so can we hardly prevent new viruses from being invented. Setting aside the issue of viruses, there is so much that is available to keep intruders at bay from committing other types of assaults on the computer system. Firewalls situated imaginatively within a network, intrusion detection systems (IDS), cryptography, digital signatures and logical controls that restrict access to protected systems are all measures that lower risks of an intrusion. These will necessarily have to be supplemented by user sensitivity to possible mischief. Such sensitivity is brought about by repeated indoctrination through training. For all this to happen in a large organisation, there is a need for a comprehensive security policy drawn on the lines suggested by many security standards, most prominent of which is the British Standards (BS) 7799. It is regrettable that the learning of many reputed corporations in this regard has been painfully slow. Such tardiness only encourages the underworld to design more attacks on flimsily guarded systems.

Finally, deterrence involves honing of the existing criminal justice system in response to an increasingly computer-savvy criminal of our times. This would call for a realistically framed cyber crime law, which makes penalties stiffer and more certain. While most of the developed world has generally succeeded in this respect, others have lagged behind.

In India, the Information Technology Act, 2000, is a great march forward. We must, however, remember that being basically a law to regulate e-commerce, it deals only incidentally with cyber crime. While it lists offences such as tampering with computer source documents, hacking and publishing obscene information electronically, several other important offences such as cyber stalking have been ignored. There is, therefore, a cry from experts and law enforcement agencies that India should have an exclusive law against such crime. Meanwhile, several amendments have been suggested to the existing IT Act to make it more oriented to cyber crime. It is not known whether the government will act on these.

An important requirement amidst all this is the need to train police officers so that they face the new challenges squarely and effectively. A small beginning has been made in India, with the Central Bureau of Investigation giving a thrust to cyber investigation, which is complicated. It requires greater perseverance than ordinary crime. More than this, an anxiety to keep track of global developments in offender ingenuity is the sine qua non for achieving results. It is here that liaison with outfits such as the FBI and the U.K.'s Hi-Tech Crime Unit becomes meaningful. I am certain that somebody in the Indian Police, particularly the CBI, will establish this link. Collaboration with other agencies in the world that are known for their professional excellence can bring in learning of great value to India's cyber crime investigators.
