Cyber crimes: Trends to watch (full book)

Cyber crimes: Trends to watch...

Dr K Rama Subramaniam
Chairman, Valiant Voora Center of Excellence in Digital Forensics, Chennai
Director and CEO, Valiant Technologies, India and UAE
Adjunct Professor, Department of Criminology, University of Madras
The author

Dr. K Rama Subramaniam
MBA (UK), Ph.D, FCA, FISC, CISA, CISM, CISSP, CFIP, CEH, CHFI, Security+

Chairman, Valiant Voora Center of Excellence in Digital Forensics, Chennai
Chairman, Center of Excellence in Digital Forensics, Chennai
Director & CEO, Valiant Technologies - India and UAE
Executive Director, Baker Tilly MKM, Abu Dhabi
Adjunct Professor – Dept. of Criminology, University of Madras
Global Chair, International Institute of Certified Forensic Investigation Professionals (IICFIP), USA
IBM GIO Alumni
India’s country representative at International Federation of Information Processing (IFIP); serving on their Technical Committee TC-11 dealing with information security & privacy.
Awarded the ISC-Prof S S Srivatsava Prize for Excellence in Social Science Research and Teaching.

Information security and GRC consultant, audit and assurance professional, trainer and educator for over two decades. Certified and experienced professional in the areas of creating and implementing full cycle business continuity and disaster recovery plans; secure information security architecture; risk management systems and processes; internal controls systems and processes; anti-money laundering processes and frameworks; security audits and certification of network infrastructure, GRC systems, ERP application controls review, multifactor authentication (including PKI and X.509 compliant certification infrastructure); and assurance processes for SOX, COSO, COBIT, ITIL, PCI-DSS, ISM3, ISSAF, ISO-27001, ISO-22301, BS-25999, ISO-31000 and ISO-15408 compliant information security management systems.

Trained experts in BCP and DRP domains, risk management and information security domains across Gulf nations, India, Far East and Africa and is a consultant to a number of organizations in the commercial, government, armed forces, judiciary and law enforcement segments in these countries.

Currently providing consulting support to a number of organizations in the BFSI, Manufacturing and Telecom sector in the GCC countries, Africa and South Asia in the areas of Business Continuity and Disaster Recovery Management Systems, Enterprise Risk Management, Information Security, Anti Money Laundering, DLP, Audit and Assurance and compliance with norms of various central banks and global ‘best-practices’ frameworks, Digital Forensics and fraud investigation.

Served earlier as Global Chair of the Education and Awareness Principles Expert Group of Globally Accepted Information Security Principles (GAISP), based in the United States and is former Global Chair of the Accreditation Process committee of Open Information Systems Security Group (OISSG), based in the UK where he established their certification and accreditation processes. Charter President of the first chapter of ISSA (Information Systems Security Association) in Asia and also Charter President of ISC2’s first Chapter in India. Served on the boards of Dubai, Chennai and Bangalore chapters of ISACA.

Former Managing Director of Thewo Corporate Services based in Lusaka, Zambia; Group Operations Director of Benetone Group of Companies based in Bangkok, Thailand and Commercial Director of Dynaspede Integrated Systems Ltd, based in Mumbai.
INSIDE

First word ............ 07
0  Net gain from the Net ............ 09
1  Sandy and the Hacker ............ 13
2  PATCO Ruling – Wake up call for banks? ............ 19
3  Will the Real Hacker please stand up? ............ 23
4  Juvenile Hackers ............ 27
5  ZERO IQ… ............ 31
6  Operation High Roller ............ 37
7  CITADEL: The collaboration suite of cyber criminals ............ 43
8  They promised. They delivered! ............ 49
9  The case of Insider Fraud ............ 55
10 Clipping the butterfly’s wings ............ 61
11 The new threat vector ............ 67
12 … and They are Back Again… Wave 3 ............ 71
13 PATCO Ruling reversed?? ............ 77
14 Digital Forensics – an IT Governance Attribute ............ 81
15 ICT – Tomorrow is here ............ 89
First word

Cyber Crime was a novelty among criminologists about a decade ago. Today, it is commonplace. The speed of its evolution and the rise in its degree of sophistication has left many wondering about the perspectives of this form of crime.

The initial hackers were keener on the kick of playing around with technology. True, in a sense, they too were criminals; but they had no motives of defrauding people. Soon they gave way to organized criminals who saw in this the ultimate dream of the cheat: least risk with highest rewards plus the joy of committing the crime in a comfortable and congenial environment.

The risk of getting caught is low due to a number of factors including the not-so-mature digital forensic processes. There is also this issue of privacy and the lack of trans-border cooperation. Secondly, the risk of being punished is still lower due to the significant differences between speed of development in crime sophistication and the legal processes attempting to play catch up. To further minimize the overall risk of crime consequences, the attackers have chosen to work on the most liquid of assets – money in electronic form. The spate of successful attacks on banks and financial institutions in the recent past bears testimony to this shrewd crime risk assessment being carried out by cyber criminals attacking the BFSI sector.

During the past few months, I have been writing a regular column commenting on Cyber Crimes and the emerging trends both in Industrial Economist and K-Mart. I have presented those articles in this monograph. The Industrial Economist is a 45-year-old Chennai (India) based business magazine. I am indeed grateful to Mr. S Viswanathan, Editor and Publisher of the magazine, for permission to publish these articles. The K-Mart is an Internet only magazine from Prime Academy, the pioneering institution, which is in the Knowledge dissemination space. I am grateful to the Academy for allowing me to publish the articles. I have also presented in this monograph, with substantial modifications, a paper of mine published earlier by ISACA, UAE Chapter.

I thank my long-standing friend V Pattabhi Ram, a chartered accountant, for bringing in his editorial skills in giving this monograph its final shape.

This monograph would have served a useful purpose if it draws the attention of various stakeholders in the cyber crime management cycle to the need for each of us to play our roles in thwarting the efforts of cyber criminals who take away what genuinely is ours – our money, our privacy, our intellectual property and our freedom on the Net.

K Rama Subramaniam
rama@valiant-technologies.com
0 Net gain from the Net

When the history of the modern world is written, the world-wide-web will receive a primordial position. For, the Internet has changed our lives the way nothing else has; not even the invention of “fire” that altered forever the lives of our forefathers.

Who would have thought that knowledge would be available at the click of a mouse? That, sitting in one part of the world, it would be possible to access, draw, use and return literature available in another part of the world? That, you could sit in the comfort of your study room at home and listen to top global professors deliver talks to you in real time and that you could have two way interactivity with him and with fellow students, again in real time.

We today have an entire generation that has not walked into a bank to draw money from a teller; a generation that has not placed an order with a stock broker; that has not stood in a queue at a railway station or a theater to buy a ticket. You can do transactions while on the move. Importantly, the new generation is making friends on the Internet; it’s no more love at first sight, it’s love first on the site. It’s a wired world. OMG, how did we live without the Internet in the pre-Internet days?

But like with all things good and beautiful, there is a darker underbelly to the Internet. The massive developments in technology now mean that you can lose everything in a jiffy, and without trace. That wasn’t how it was earlier. Then, if your accounting data had to be lost, someone had to physically carry away the ledger from your office. Or take copious photocopies. Today, he simply has to transfer it on a drive that’s the size of your thumb and no one would be wiser. Yes, valuable data can be stolen with impunity. The new generation criminal is a white collared tech savvy man-next-door. It’s brain power, not muscle power, which wins here.

The worst part is that things are getting far more dangerous. Look at some of the remarkable things that have happened. Even as the weather Gods were busy drowning their fury on hapless America, hackers were busy trying to break into USA’s pristine banking system. Read about it in Sandy and the Hacker. The irony is that no one was sure what they were up to; namely stealing information or just getting the kick out of a denial or a distributed denial of service attack!

Are the bankers careful in ensuring that the customers’ data and money is not lost? Do they take adequate care? Do these meet the test of commercial reasonableness? These are questions that have baulked the customer. In PATCO Ruling – Wake up call for Banks we search for some answers. Even as the ink on the PATCO ruling hadn’t dried, a fresh ruling came that seemed to suggest that the PATCO ruling might not be final. We capture that in PATCO Ruling reversed?? No one seems to be bothered about the dictum that the Apex Court’s verdict is final not because it is right; but it is right because it is final!

Hacking is criminal. Yet hackers enjoy a holy halo of being Mr. Brains. There is no naming and shaming when it comes to them. Will the Real Hacker please stand up tells you just that. Worse still, hacking has now become kid’s stuff. In Juvenile Hacker read on to how “illiterate children”, yes illiterate children, in Ethiopia of all places, hacked the Android! And you thought technology was rocket science.

Is it possible to track those who steal cards on the Net? The answer is “Yes.” The FBI cracked it with gusto in the Zero IQ case. Criminals go where the money is; bank robbers go online! In a new brand of innovation, money mules are used to do money laundering and it may happen in your account without you even knowing about it. In the end, you may end up in prison for no fault of yours. Operation High Roller has insights into this. You have to be careful about messages that you receive on the Net. This can trap both the amateur and the seasoned security professional. “Citadel” is a case in point. The rogues are becoming increasingly daring. Like in the movies, they promise that they will break into banks and do a DDOS at a specified date at a specified time on the Internet; and they deliver on that promise! That’s what we speak of in They promised. And they delivered. If they can strike with a fore-warning I am sure they can do anything.

The thief is within. The case of the Insider fraud is a telling story of how a combination of good deterrence and technology that responds to human behavioral tendencies can save our banks millions and increase the sagging confidence in technology systems. Nothing, nothing, is safe; not even supply chain. Read about it in “The new threat vector” to get a ringside view of how cyber infractions have gone beyond computers, Internet, internal networks and wireless applications.

Botherds collectively control a mind-boggling 11 million compromised computer systems leading to a staggering loss of over $850 million through stolen credit card and bank account credentials and compromised Personally Identifiable Information. On 12th December 12, the FBI had cracked this case thus effectively “Clipping the butterfly’s wings”.

On March 12, customers of six major US banks couldn’t bank on the Net. This was the largest number of institutions to be targeted on a single day. For a fuller focus move to … and They are Back Again. How the future would look is what you get to know in the compulsive read “ICT-Tomorrow is here.” In the end the best way to catch the criminal is to go strong on Digital Forensics. That’s where the future lies.

The Internet is a lovely medium. We cannot imagine life without it; for, we are addicted. But there are pitfalls. Yet, we cannot throw the baby out along with the bath water. It’s time to build great security that would trap the best of criminals. Are we headed towards it?

DO YOU KNOW? For the year 1938, Time had chosen Adolf Hitler as the man who “for better or worse” (as Time founder Henry Luce expressed it) had most influenced events of the preceding year. If there is an award for the most important development of the last 100 years that would “for better, not for worse” go to the Internet.
1 Sandy and the Hacker…

Sandy took many by storm towards the end of October 2012. Ha, we are referring to the Sandy storm (a k a Hurricane Sandy) that swept the USA in end October.

LIKE everyone else, the BFSI segment told the world that it had an adequate disaster management mechanism to minimize the impact of Hurricane Sandy. Almost every bank revisited the well-articulated publication of the Federal Financial Institutions Examination Council, Lessons learned from Hurricane Katrina: Preparing your institution for a catastrophic event. Just as the bankers were getting prepared to meet any eventuality that Hurricane Sandy may throw out, so were the Hackers. The purpose of their preparedness was, of course, different. The attackers saw a great opportunity to intrude when the bank was busy fighting the possible consequences of Sandy.

Sandy leaves its trail of damage

The New York Stock Exchange, that generally doesn’t close and definitely not due to inclement conditions, closed for two days.

On October 31, when Sandy had weakened, the financial institutions took stock. Secretary of US Homeland Security, Janet Napolitano, told the Washington Post, “Right now financial institutions are actively under attack.” That very day also saw Citigroup experience an online and mobile outage that lasted around an hour.

In this background, the following questions deserve a closer look.
• Was there a fraud dimension to this outage?
• Was this outage planned and executed by hackers knowing well that Citigroup would be too busy recovering from the aftermath of Sandy?
• Was this yet another distributed denial of service (DDOS) attack continuing the earlier pattern that affected over ten banks?

There are multiple views on what brought down Citigroup’s online and mobile services. One view is that it was a DDOS and a front for attempted fraud. These DDOS patterns point to a pattern of attack when the organization is otherwise busy getting their services back to normalcy. In the context of her stating that financial institutions are actively under attack, Janet Napolitano was asked if the attackers were stealing information or money from the banks. She said “Yes” but quickly added that “I really don’t want to go into that per se. All I want to say is that there are active matters going on with financial institutions.” So, one line of thought is that this DDOS could have, as the driving force, a fraud perpetrated on the assets of the bank.

If the attackers had wanted the DDOS attack to divert attention, resulting in a less guarded logical perimeter to the bank’s information assets, then they timed it pretty well. The Bank was already busy coming out of the effects of Hurricane Sandy and the attackers brought down the services, forcing the bank to thinly spread its response capability. If this DDOS attack is a continuation of the ten earlier attacks on the Banks in the past couple of months, then clearly the intention cannot be fraud. For, the Izz ad-din al-Qassam that claimed responsibility for the earlier attacks wanted to use it as an attention-grabbing tactic and there were no fraudulent intentions. In a Pastebin post, the group said, “Due to approaching Eid and to commemorate this breezy and blessing day, we will stop our attack operations during the coming days”. If this were true, the attack is not part of the series of DDOS by this group. So, does this DDOS point to potential fraudulent intentions rather than being merely hacktivism?

Mike Smith, a Security Evangelist with Akamai, says that the degree of automation found in DDOS attacks suggests fraud as the motive. Referring to the process where the attackers are looking for targets that have footprints on employees’ desktops, Smith argues that finding such footprints increases the amount of information that can be scanned from the target’s network. This can lead one to the proposition that the Citigroup outage on 31 October probably had fraud as the motive and is not a continuation of the earlier DDOS attacks.

A counter to this proposition comes from another set of researchers who believe that Hurricane Sandy was responsible for the outage and it is not a DDOS. Their argument: the outage is the result of the impact of Hurricane Sandy on the infrastructure that supported the servers at the Bank. Leading this thought is John Walker, a member of the European Network and Information Security Agency (ENISA) security experts’ team. Interdependencies between networks, especially cellular networks and service providers, mean that when one of them is affected, the others too are, and this complicates outages during natural disasters, argues Walker. These dependencies will at best bring down mobile banking as it happened to Citigroup but cannot account for the outage of on-line systems. To that extent, Walker has some explaining to do if his theory is to be validated.

Presenting another dimension to this debate is the data available from the research work at the Nottingham Trent University’s Computing and Informatics Department. Analysis of Internet traffic patterns points to the fact that as Hurricane Sandy was attacking the physical infrastructure of the Banks on the east coast, vectors of cyber attack increased in the Midwest and along the East Coast. On this statistic, Walker agrees that internet traffic data for October 31 suggests that attackers went on to hit institutions that were struggling to recover from the Hurricane.

There is a third view; that it is incorrect to pinpoint any one factor as causing an outage of Citigroup mobile and on-line services. A strong votary of this approach is Matt Wilson of VeriSign. Wilson believes that “there are literally thousands of possible reasons for an outage. Anyone suggesting that it’s DDOS or tied to any particular external event is literally guessing unless Citi verifies it.” Andrew Brent, Citi spokesman, declined to comment.

The cause of this outage will remain a mystery with multiple pieces of evidence pointing to different reasons and it can only be understood when Citi clarifies the cause. The common users of banking services, ones like you and I, are more worried now; if the traffic patterns during the disastrous Hurricane are to be believed, are the banks capable of managing the combined onslaught of future versions of Sandy and the Hacker?

DO YOU KNOW? Hurricane Sandy was the deadliest tropical cyclone of the 2012 hurricane season. It caused an estimated damage of $75 billion, and to that extent is the second-costliest hurricane in U S history, behind Hurricane Katrina. At least 285 people were killed in seven countries. Because of the widespread damage the storm caused, the media nicknamed it “Super-storm Sandy”.

DO YOU KNOW? The technology behind the Internet began back in the 1960’s at MIT. The first message ever to be transmitted was LOG. Why? The user had attempted to type LOGIN, but the network crashed after the enormous load of data of the letter G.

Do we have to say it? Yes, the world is now in our hands; thanks to the Internet.
2 PATCO Ruling – Wake up call for banks?

“It is a wakeup call for the Banks”, said Mark Patterson, co-owner of PATCO Construction Inc., while reacting to the judgment of the United States Court of Appeals for the First Circuit in Boston.

PATCO was obviously happy at the reversal of the order of the District Court’s judgment in a case where PATCO sued their bankers for negligence resulting in ACH and wire fraud related loss of over half a million dollars; $ 588,851 to be precise. The bankers, People’s United, formerly Ocean Bank, contended that they had met the security requirements and that PATCO had agreed to this set of security implementation while signing the electronic banking agreement.

In response to PATCO’s specific charge that the Bank did not fully comply with the FFIEC requirements for security of electronic banking systems, the Bank argued that it had implemented serious security and authentication features like: User ID and Password; Device Identification; Risk Profiling; Challenge Question; Dollar Amount Rule; and e-Fraud Network. The lower court accepted this position while dismissing PATCO’s claims against the Bank. The judgment raised a few other questions of law but agreed with what the Bank had done in terms of security as being ‘commercially reasonable.’ The Appeals Court overruled the lower court’s judgment and maintained that the security was ‘commercially unreasonable.’

The fact that this ruling came from a Federal Court is “a big thing”, says Avivah Litan at Gartner. The ruling points to the failure of the Bank evidenced in its not implementing the key security measures that are used regularly by the banking community. Namely, Out of Band Authentication; User Selected Picture function; Tokens; and Monitoring.

This is the second case in the recent past when the judiciary has found fault with the Banks for not doing enough to prevent frauds happening via their Net banking system. In the earlier case involving Commercial Bank, the customer Experi Metals Inc. sued the bank for negligence resulting in wire / ACH fraud and the court ordered financial restitution. In PATCO’s case, the Appeals Court applied the test of ‘commercial reasonableness’ as defined in Article 4A of the Uniform Commercial Code and ruled against the bank.

A close study of this case brings home two important lessons. First, banks must understand the conceptualization of the security measures. Secondly, they must build a process to correctly and completely interpret reports and alerts from the security systems. People’s United had implemented a system that will force the User to go through an additional authentication process when the transaction value exceeds a base value. This had been earlier set to $ 100,000 but was reduced to $ 1. This literally killed its risk scoring system, which considered multiple variables including the additional authentication process triggered by values exceeding a cut off amount. As the Appeals Court observed, “When Ocean Bank lowered the dollar amount rule from $ 100,000 to $ 1, it deprived the complex Jack Henry Risk Scoring system of its core functionality.” The lowering of this threshold dollar value resulted in the challenge questions and responses being entered more frequently, thus increasing the probability of key loggers capturing them and abusing them.

I have seen this happen elsewhere too – implementing security with scant regard to its underlying conceptualization. Recently, I was speaking to a security professional who said she had a very comprehensive password policy in her organization; also a Bank. I was interested and wanted to know details and she rattled off eleven different rules that constituted the password policy. She said that the password had to be changed every thirty days and I asked if she would encourage a shorter life for a given password. Her response was typical. She said no one would like to do that since that would be inconvenient. Persistent as I was, I asked what she would do if one were to change it every Monday. She would be happy, she said, and I asked if she would be happier if it happened daily. She agreed she would be happier at the stronger security. I pointed to the password history policy of ten past passwords, which was interpreted to mean that the same password would not repeat for 300 days – 30 days and ten unique passwords. But if she permitted change every one day, the password will repeat every 10 days; at least in theory this is possible. And that would defeat the very purpose that it sought to serve!

Ocean Bank’s reduction of the threshold amount for further authentication to $ 1 was similar to the password change policy – a clear case of not getting to grips with the conceptual foundation of the security process. Another view is that any “one-size-fits-all” approach, as it happened in the Ocean Bank case, will not work in security implementations and each security implementation has to be tailor-made.

Next, we have the question of interpreting the reports provided by security systems. In the PATCO case, Ocean Bank did not react to the high-risk scores that were generated by the Risk Scoring system in respect of each of the fraudulent transactions. The red flags appear to have made no impact at all. Mark it, the court noted: the risk score for normal transactions of PATCO had never crossed 214 on a scale of 1-1000. In respect of each of the fraudulent transactions, the risk scoring system had thrown up a risk score around 750. This is surely abnormal compared to the highest score of 214 in the normal course; but these red flags were just ignored. As Joe Burton, a former Assistant US Attorney, said: “It’s not enough just to have a generally accepted security procedure in place if that procedure is not implemented in a way that makes sense. That’s the conduct aspect that has to do with the actual security and not just the check-box.”

These two factors appear to have weighed heavily in favour of PATCO in the Court of Appeal.
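The two lessons above, the dollar-amount rule lowered to $ 1 and the ignored scores of around 750 against a normal ceiling of 214, as a small added simulation; this is constructed example code written for this edition, not the book's or the Jack Henry system's code, and the transaction amounts and scores are made up to match the figures quoted in the ruling:

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Transaction:
    amount: float   # transfer value in dollars (constructed)
    score: int      # risk score from the scoring engine, scale 1-1000 (constructed)


@dataclass(frozen=True)
class Policy:
    dollar_threshold: float      # step-up challenge fires when amount exceeds this
    alert_multiple: float = 2.0  # flag a score above alert_multiple * baseline max


def challenge_rate(txns: List[Transaction], policy: Policy) -> float:
    """Share of transactions that trigger challenge questions.

    Each challenge is one more time the answers are typed, so a higher
    rate means more exposure if the customer's endpoint is key-logged.
    """
    if not txns:
        return 0.0
    fired = sum(1 for t in txns if t.amount > policy.dollar_threshold)
    return fired / len(txns)


def baseline_max(history: List[Transaction]) -> int:
    """Highest risk score seen in the customer's normal transaction history."""
    if not history:
        raise ValueError("need at least one historical transaction for a baseline")
    return max(t.score for t in history)


def review_queue(txns: List[Transaction], baseline: int, policy: Policy) -> List[Transaction]:
    """Transactions whose score is far above the customer's own baseline.

    These are the red flags a bank must actually act on; generating them
    is not the same as reviewing them.
    """
    limit = baseline * policy.alert_multiple
    return [t for t in txns if t.score > limit]


def summarize(history: List[Transaction], batch: List[Transaction], policy: Policy) -> dict:
    """Compare challenge exposure with the alerts the scoring system raises."""
    baseline = baseline_max(history)
    return {
        "challenge_rate": challenge_rate(history + batch, policy),
        "baseline_max": baseline,
        "flagged": len(review_queue(batch, baseline, policy)),
    }


# Constructed sample data, loosely modelled on the figures quoted in the
# ruling: normal scores never above 214, fraudulent ones around 750.
NORMAL_HISTORY = [
    Transaction(4_200, 120),
    Transaction(15_000, 214),
    Transaction(800, 80),
    Transaction(32_000, 190),
    Transaction(9_600, 150),
]
SUSPECT_BATCH = [
    Transaction(56_000, 750),
    Transaction(78_000, 760),
    Transaction(99_000, 745),
]

ORIGINAL_POLICY = Policy(dollar_threshold=100_000)  # the earlier $ 100,000 rule
LOWERED_POLICY = Policy(dollar_threshold=1)         # the $ 1 rule criticised by the court


if __name__ == "__main__":
    for name, policy in (("$100,000 rule", ORIGINAL_POLICY), ("$1 rule", LOWERED_POLICY)):
        # Both policies flag the same three outliers; only the $ 1 rule makes
        # every customer answer challenge questions on every transfer.
        print(name, summarize(NORMAL_HISTORY, SUSPECT_BATCH, policy))
```

The point the numbers make is that lowering the threshold adds challenge-question exposure on every transfer without adding a single alert; the outliers were already visible from the score alone.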
3 Will the Real Hacker please stand up?

Many people who have been called hackers, especially by the media, or who have gotten in trouble for “hacking” were not, in fact, hackers.

TWO events that happened in December 2012 startled me. First was the release of Version 2.0 of the courseware for “Hackers High School” by ISECOM. The second was Nicholas Negroponte telling the MIT Technology Review Conference about how “illiterate children” in Ethiopia hacked the Android! Both took some time to assimilate since they exposed a totally new dimension to hacking. We will look first at the attempts to sensitize normal computer users to the nuances of hacking.

All through, we have decried hacking as a crime, an evil attitude, something to be dealt with sternly, etc. I have always spoken about the serious financial damages done to banks by people who hacked into BFSI information systems. Then, why are “Hackers High Schools” being run? Will it generate a new generation of hackers or train a new breed of people with hacking skills? The introduction to the “Hackers High School” program has this to say, for a start: Many people who have been called hackers, especially by the media, or who have gotten in trouble for “hacking” were not, in fact, hackers. So, we are now a bit confused and would like to know who are the hackers that society is targeting?

The term “hacker” has been understood differently based on the profile of the person who “hacks.” Applied in the computer security context, it retains its notorious connotation of a person who circumvents or damages the controls to gain access to computer resources. In the programming world, a hacker resorts to a non-authoritarian approach to software development, and they are the ones who create and spearhead the free software movement. Interestingly, some even have “Hacker” as a surname. We have Col. Francis Hacker who fought in the English Civil War in the seventeenth century; we have Katrina Hacker, the American figure skater, and George Hacker, head of the Alcohol Policies Project!

The “Hackers High School” project is based on the belief that hacking is research. It is a kind of challenge-response situation where the “hacker” is challenged by network security implementations and wants to know if the system is really secured. This has some similarities to destructive testing of metals to determine how much stress the metal can stand before breaking down. But the comparison stops there. In destructive metal testing, only a small sample is tested while the “hacker” has before him a live production system processing real time data. While the hacking process is sought to be given its due status of legitimacy as research, the intent is to distinguish between the research-driven hacker and the crime-driven hacker. Hacking with a criminal intent is surely crime, but how do we go about establishing or demonstrating this? We fall back on the extensive judicial thought and pronouncements relating to mens rea and actus reus, the two very important elements in the criminal justice dispensation.

Drawn from a complex Latin maxim of common law, mens rea propounds the principle that the act does not make a person guilty unless the mind is also guilty. “Hackers High School” is based on this belief when they teach the young participants the principles of computer architecture, networking and the process of analyzing attacks on systems. Will someone stop with only researching or will they abuse this? That’s hard to answer. But the “Hackers High School” has a point. If you educate the young on the process and perils of attacks on information systems, they tend to keep their systems secure or even end up evangelizing secure computing.

The formal and structured exposure to information systems architecture and vulnerabilities is likely to ensure that the participants do not seek this knowledge from those who entice them into becoming malicious intruders. In addition to the guilty mindedness, we have another essential condition to be satisfied for criminal liability, viz actus reus, which refers to the criminal act being actually committed. The project to make the next generation understand the perils of hacking and to orient them towards being better and well informed netizens steers clear of any possible damage, by taking the participants through a process of discovery, research and understanding the limits.

I get a number of graduate students who want to do an internship with us. The first question I ask them relates to their interest in security, their objective of doing the internship with a security consulting organization, and their expected takeaway at the end. I have more than 85 percent of them telling me frankly that they want to learn hacking! In the same breath, they will also tell me that they want to learn hacking so that they can defend the information assets from being abused. Interestingly, none of these young security aspirants ever told me that they want to understand the network protocols or the IP packet architecture or the realms of cryptography to keep their systems secure.

I was recently talking to a group of senior uniformed officers and sprang a surprise by asking all those who have either hacked a system or have at least attempted to hack a system to raise their hands. Understandably, none did. But after some persuasive talk, I got about a dozen of them admitting that they have tried but did not go far. Neither these graduate students nor the officers had malicious intentions, but the attraction to look through a secure network drives many and this attraction will continue unabated.

In such a societal context, it will make sense to determine who is a hacker and who is hack-curious.

DO YOU KNOW? “I’m still a hacker. I get paid for it now. I never received any monetary gain from the hacking I did before. The main difference in what I do now compared to what I did then is that I now do it with authorization.” – Kevin Mitnick
4 Juvenile Hackers

We have heard of Android being attacked and hacked a number of times in the recent past. Hacking into Android is in itself not newsworthy.

BUT what made me sit up, review and write this column is the profile of the person who successfully hacked into Android. No, it is not the typical geek with his snazzy technology tricks, nor is it a serious researcher looking to do a vulnerability assessment of Android in order to strengthen it. It is the most unexpected profile of a hacker – five to seven year olds who had no formal instruction in computing! Yes; it all happened as an unexpected fallout of the OLPC (One Laptop Per Child) project in Ethiopia.

Here is what OLPC founder Nicholas Negroponte told MIT Technology Review’s EmTech conference: “We left the boxes in the village. Closed. Taped shut. No instruction. No
human being. I thought the kids would play with the boxes! Within four minutes, one kid not only opened the box but found the on/off switch. He’d never seen an on/off switch before in his life. He powered it up. Within five days, they were using 47 apps per child per day. Within two weeks, they were singing ABC songs [in English] in the village. And within five months, they had hacked Android. Some idiot in our organization or in the Media Lab had disabled the camera! And they figured out it had a camera, and they hacked Android.”

The findings of the OLPC project in Ethiopia are indeed an eye-opener. OLPC, started with a view to delivering technology as a means of improving traditional curricula, has been trying to help the kids ‘learn’ rather than ‘read.’ OLPC has realized in their five-plus years of work that it is important for the children to learn by teaching themselves. The children really taught themselves, and one of the things they taught themselves resulted in hacking the Android!

Surely there is no mens rea in this hacking effort by the kid in Ethiopia; so we are not taking that kid Android hacker to court, but this sets me thinking of the power of curiosity. This child is unlikely to emerge as a malicious hacker, since it has seen the ‘good’ thrill in hacking. It is more likely to channel its energies into the positive aspects of this process rather than try to damage computer systems; or so I would like to believe. Contemporary studies on the anthropology of hacking may take a different position, and people like Gabriella Coleman may take a different view. If we went by the popularity of DefCon Kids, in its third year now, it would appear that a large number of those concerned with juvenile hacking strongly believe that it is better to teach
them hacking as it happens and also let them understand the perils of indulging in it and the ways to defend against it. But have all those who learnt hacking as youngsters really used that knowledge for defending their systems against hackers, or have they ‘abused’ that knowledge?

This takes me back to understanding the myriad perceptions of hacking. In the last chapter, I had talked of the Hackers High School and wondered whether it will provide the desired results it sought, or whether it would be a fertile ground for creating a new generation of hackers who have also been taught the traditional approaches to counter the hackers’ exploits. This fear about the fallout of ‘catch-them-young and train-them-correct’ is credible if we were to look at an FBI indictment dated the 26th of June 2012. It names twelve arrested defendants arraigned before the court at the end of a two-year undercover operation that is said to have protected over 400,000 potential cybercrime victims and prevented over $205 million in losses. Interestingly, of the 12 arrested, five are in their teens and the rest are just barely above 20. Add to this various high-profile minor hackers like ‘Cosmo the God’, who was handed a rather unusual sentence last November. A juvenile court in Long Beach, CA sentenced him to what Sam Biddle, writing in Gizmodo, calls the ‘hacker’s death sentence.’

Cosmo the God, a juvenile who will take six long years to reach his age of 21 for release, has been sentenced “…not to use the internet without prior consent from his parole officer.
Nor will he be allowed to use the Internet in an unsupervised manner, or for any purposes other than education-related ones. He is required to hand over all of his account logins and passwords. He must disclose in writing any devices that he has access to that have the capability to connect to a network. He is prohibited from having contact with any members or associates of UG Nazi or Anonymous, along with a specified list of other individuals. He forfeits all the computers and other items seized in the raid on his home.”

Hannah Sweet tweeted in protest: You cannot arrest an idea. Jay Leiderman, an LA attorney who represented alleged members of ‘Anonymous’, opined that they could have locked him up for three years straight and then released him on juvenile parole; but to keep someone away from the Internet for six years seems unduly harsh.

Now this brings us to the voices being heard around the globe for a revisit of sentencing guidelines, particularly when it concerns cyber criminals. Today, there is no clarity on the considerations that will guide the punishment of cyber criminals. Three years ago, I pleaded at the International Criminology Congress in Stockholm for the judiciary to recognize that the cyber criminal is not to be locked up as a traditional criminal, as his competencies and skills can be used while he is still being sentenced. Moreover, he can be made a useful member of society after release. Leiderman argues, “At some point after getting on the right path, he could do some really good things.”

Sentencing juvenile cyber criminals by asking them not to connect to the Internet is viewed by some as the equivalent of taking away Mozart’s piano.
5 ZERO IQ…

On 20 June 2012, a magistrate in the Southern District of New York issued a warrant of arrest against a person whose nickname, amongst others, was ZeroIQ.

US MAGISTRATES issuing warrants of arrest is nothing new, but this warrant was for a cyber crime against a named individual; something not often done in view of the many difficulties encountered in identifying the accused.

Jarand Moen Romtveit, a Norwegian now in the FBI net, also known as ‘Zero’ or ‘ZeroIQ’ in the underground carding forums, ran a successful underground shop selling stolen credit cards. He can be regarded as a small player in the underground economy, which has both one-man enterprises
like Jarand’s and multi-person unincorporated enterprises, whose owners are hard to identify.

The FBI carried out a well-orchestrated sting operation that trapped Jarand. This case raises the question: “on the Internet, how anonymous can anonymous be?” Somewhere down the line, the FBI succeeded in piercing the veil of anonymity afforded by the Net. That process is interesting, as it reinforces the overarching human failings that neutralise the anonymity offered by technology.

The trap and the crime

The FBI set up an undercover carding forum enticing all players in the stolen credit card business to use it as an electronic clearing house to offer, discuss and put through deals in stolen credit cards and bank account information. It is not known how many the FBI could successfully entice to use their underground forum, but they surely succeeded in getting Jarand hooked on it. Not only did Jarand advertise his stolen credit card information for sale, but he also got dangerously close to the administrator of the forum, who was a special agent of the FBI. One wonders how stupid one can get.

Jarand would ‘brute force’ his way through password-protected databases of credit cards. He brute-forced through hotel and restaurant databases that held customer credit card details and, in a couple of instances, he also successfully bypassed the security perimeter of banks to go beyond credit card numbers – he got through to account holder information. He also managed to penetrate web site security and collected information stored on web back-ends. Being a one-man show, he had limited time and
resources at his disposal and traded in batches of 30 to 40 credit cards.

The underground carding forum run by the FBI collected the IP addresses from which each of the participants logged in and communicated with the forum. As a pre-condition for registration at the forum, a valid e-mail ID was required, to which the validation code was sent. Jarand used a valid mail ID, and that contained some pointers to his identity. This was his second giveaway; the first being his misjudging the carding forum administrator’s true identity. The FBI continued to keep an active conversation going with Jarand and moved to a point where the accused started sharing his attack screenshots with the carding forum administrator, namely the undercover FBI agent. He threw caution to the winds and at once shared his Facebook page with the FBI agent, who continued to pose as the organiser of the underground carding forum.

The noose tightens

The FBI started to tighten the noose around Jarand’s neck by offering him an Apple laptop in return for his giving valid stolen credit card ‘dumps;’ i.e., the complete information available on the magnetic strip on the reverse of the credit cards. Jarand walked into the trap by giving them the relevant details. The FBI had its authenticity verified with the card

Brute force attack
It is a listing of commonly used passwords. The programme tries these and also runs through combinations of letters and numbers until it gets a match. These attacks can take several hours, days, months, and even years to run. It depends on how complicated the password is and how well the attacker knows the target.
issuing company, and more than 80 per cent of the ‘dumps’ data sent in by Jarand were found to be “valid, current and with credit available for use.”

The FBI then alerted the card issuers, who in turn cautioned the card holders of the compromise and replaced their cards. To trap Jarand fully and to establish his identity, the undercover agent wanted him to pay for the shipping of the laptop, which was done through Western Union, and the remitter details matched what the FBI already knew about Jarand. The laptop was delivered to an address given by Jarand and, with the help of the Norwegian police, it was established that a person by the name of Jarand Moen Romtveit actually lived at the place where the laptop was delivered. The courier who delivered the laptop to Jarand identified him from a photograph of Jarand picked up from publicly available sources in Norway. Jarand was completely identified as the person who traded as ‘ZeroIQ’ on the undercover carding forum established by the FBI.

Special Agent John Leo Jr. applied to US Magistrate Andrew J Peck for a warrant of arrest of Jarand Moen Romtveit, which was readily issued.

Lessons and questions

This case brings out both the “painstaking investigation” by Special Agent John Leo and the ‘behaviour’ of Jarand. Crime risk theory in criminology tells us that every criminal carries out a risk assessment of his proposed action. The theory argues that every criminal assesses the risks involved in the proposed action, barring spur-of-the-moment crimes, which have more to do with an unstable mind that was emotionally disturbed
at the point of the crime. In the case of cyber crimes, one of the factors that is favourable to committing crime, and hence weighs heavily when assessing the risks involved, is the anonymity over the Internet. Jarand gave in and vindicated Edmond Locard, who famously said, “every contact leaves a trace.” This is often quoted by crime investigators, who say: “every criminal leaves some evidence.”

Surely, law enforcement has reason to cheer after arraigning Jarand, but a number of issues will remain difficult to resolve when dealing with cyber crimes.

First will be the difficulty in piercing the veil of anonymity that the Internet so conveniently offers, since not all who use the Internet’s underground economy are as gullible as Jarand. We cannot resist wondering whether his Net name ‘ZeroIQ’ was a premonition of how he would behave!

Second is the growing interest in the underground economy, with some ‘entrepreneurs’ having established manufacturing facilities for card skimming devices and exporting them worldwide.

Third is something that can be dangerous – the shift in control over cyber crimes from techies and script kiddies to organised crime gangs. This brings the power of money, reach and silencing to the otherwise technology-centric activity of cyber crime.

DO YOU KNOW?
It was G K Chesterton who said: “It isn’t that they can’t see the solution. It is that they can’t see the problem.” That’s increasingly true today of quite a few problems that we face on the Internet.
“The battle between the cyber cops and the cyber criminals is a mind game; like the game of chess.”
6 Operation High Roller

Recently, Prof. Udo Helmbrecht, Executive Director of the European Network and Information Security Agency (ENISA), did a Willie Sutton when he said, “Criminals go where the money is; Bank robbers go online.”

YEARS ago, Willie Sutton, who had robbed US $2 million during a criminal career that spanned four decades, when asked, “Why did you rob the bank?” famously told journalist Mitch Ohnstad, “Because, that is where the money is!”

Prof. Helmbrecht was responding to a new form of online robbery happening in the banking systems called ‘High
Roller,’ a term borrowed from the gambling world. High Rollers are those playing for very high stakes. In the online banking world, High Rollers are those who maintain large balances in their accounts.

Money mules...

Manipulating and stealing using online transaction systems is not new; what is now making news is that the attackers are becoming selective in their approach. They are looking into account balance databases and targeting only those whose balances are above a threshold that each hacker sets for himself. The second unique characteristic of High Roller attacks is the significant increase in the automation of the whole process and the use of anonymous mule accounts to transfer and forward the ill-gotten money. The shift to reliance on server-side manipulation, in contrast to earlier client-side manipulation, marks the third deviation from traditional online stealing. The rapidity of shift in the command and control centres used for the attack is the fourth significant differentiator of this new-generation attack. In the sixty days before the attack landed in the lap of the US banking system, the domain from which attacks originated was first registered in Ukraine and later reconfigured to point to an ISP in Russia; then moved to an ISP in Arizona; shifted to Brazil; and returned to California, from where a victim bank in Ohio was successfully compromised. Each of these shifts involved identification and control of active and passive mule accounts, or money mules as they are more popularly referred to.
Dissecting Operation High Roller

A research report titled “Dissecting Operation High Roller”, released by Guardian Analytics and McAfee, is the first available comprehensive study of Operation High Roller. This report, released in June 2012, points to successful on-line heists in Italy, Germany and the Netherlands, later spreading to the United States. As we carefully analyze the timeline of the successful attacks identified, we see the degree of attack sophistication and value-at-loss increasing with the passage of time. In the Italian attack, the attackers transferred a small fixed percentage of the balance, around 3 per cent, or a fixed sum of roughly €500, to bank accounts from where it was instantly withdrawn.

Emboldened by the success in Italy, the stakes were upped in Germany. Available log analysis of attack data points to

Money Mules
A “money mule” is a person, an intermediary, who receives potentially illegally obtained money from someone and redirects it to someone else. Of course, the intermediary receives a share of the transaction. In other words, this is nothing else than money laundering.
The basic process of muling is relatively simple:
• job advertisement offers work as ‘financial agent’ or similar service
• job seeker signs up and opens, or allows access to, a domestic bank account
• fraudsters transfer money from scam victims to the job seeker’s account
• job seeker transfers money to the fraudster overseas
• job seeker receives ‘commission’
• job seeker is open to prosecution by domestic authorities for money laundering
the compromise of 176 accounts covering multiple banks, and the average amount involved in the illegal transfers was €5,499. The average balance in the compromised accounts was €47,924. The attack on the German banks resulted in a total transfer of about a million Euros to various mule accounts, mostly in Portugal, Greece and the UK.

March 2012 saw a concerted attack on two Dutch banks, and this time the attack came from servers hosted within the US. The stakes were significantly higher and the amount of transfers initiated to the mules aggregated €35.5 million. The attackers had shifted their focus from high net worth individuals to corporate accounts, the primary benefits being the higher threshold for corporate transactions contained in anti-money laundering legislation and a lesser propensity to scrutiny, since corporate accounts have a large number of transfers happening on a regular basis. The server which was used to attack the banks in the Netherlands was also used to attack US banks, where 109 accounts were reportedly compromised, though we have no details of the aggregate amount involved in the fraud.

These fraudulent transactions elicited different kinds of responses from various stakeholders. One set of security professionals argue that High Roller fraud is old hat and that it is just a more sophisticated version of known on-line heists. Another set of professionals say that this represents a new genre of on-line banking fraud, since the attack processes used are significantly superior to the current knowledge and skills available.
Infection of PCs

In response to these developments, ENISA has issued an advisory to European banks containing three very significant recommendations. The first is both important and interesting. It said that for a bank it is safer to assume that all of its customers’ PCs are infected – and the banks should therefore take protection measures to deal with this. This blanket assumption of the possible infection of all of the customers’ PCs may sound like a good security precaution, but it deviates from the principle that is generally used to build end-to-end security mechanisms, viz., that the user has a role to play in protecting his end of the network and that his contributory negligence in deviating from secure practices can leave him with no recourse to relief in the case of an on-line fraud. However, even before ENISA had recommended that banks should treat all PCs as infected, judicial pronouncements had been moving in this direction, where greater responsibility is cast on the bank, to the extent of obligating them to monitor customer transactions and to act on pointers to fraud.

Do banks monitor?

Experi-Metals sued Comerica Bank in Michigan last year in a case where fraudsters tried to move millions of dollars from the Experi-Metals account to mules in East Europe in a matter of a few hours. By the time the bank’s fraud monitoring unit neutralised the attack, a sum of US $560,000 had been

Top Hosting Countries
The U.S. saw an increase of ten per cent in the number of phishing attacks it hosted in May – increasing to 66 per cent, or two out of every three attacks. Brazil remained a top host with nine per cent and Germany with four per cent.
transferred. It was J P Morgan Chase that alerted Comerica about abnormal transactions going through their servers and ending up in East Europe. Fraudsters used J P Morgan servers since, it being a much larger institution, the transfers could go unnoticed. Ruling in this case, Judge Patrick Duggan of the U.S. District Court for the Eastern District of Michigan said that the bank should have done a better job of stopping the fraud. “A bank dealing fairly with its customers, under these circumstances, would have detected and/or stopped the fraudulent wire activity earlier,” said the Judge, and asked Comerica to cover the losses.

Losing battle on fraud prevention?

With this judicial thought process and the advice of ENISA, a clear shift is happening; responsibility for on-line frauds will be fixed in the future. Even assuming that banks build an end-to-end security process, it will be impossible to do anything meaningful unless there is far more international cooperation enabling the quick shutting down of command and control centers used by fraudsters.

These centers have been moving across nations, making it almost impossible to track them down. Are we heading towards a losing battle with the on-line banking fraudsters, or will these developments motivate the banks to put in place a more robust fraud prevention system without making any assumptions regarding the end-user’s role in fraud prevention? It is becoming increasingly clear that banks need to fight the battle both technologically and legally, cutting across national boundaries.
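The chapter describes the transfer patterns the Guardian Analytics/McAfee report attributes to High Roller (a fixed share of roughly 3 per cent of the balance or a round sum near €500, sent to freshly added mule accounts from high-balance accounts, with corporate accounts fanned out to several mules in quick succession) and then the ENISA advice that a bank should assume every customer PC is infected and monitor on its own side. The following is an added example, not code from the book, the report or any bank, showing what that server-side monitoring can look like as simple scoring rules over outgoing transfers. The thresholds, field names and the transaction records are constructed for illustration; a real deployment would tune them against the bank's own history.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Transfer:
    """One outgoing transfer as the bank's own ledger sees it (constructed schema)."""
    tid: str
    ts: datetime
    account: str
    balance_before: float      # balance at the moment the transfer was initiated
    beneficiary: str           # destination account identifier
    amount: float
    beneficiary_age_days: int  # days since this payee was first added to the account


# Assumed thresholds; ~3% and ~EUR 500 are the Italian pattern quoted in the text.
HIGH_BALANCE = 20_000.0
FIXED_SHARE, SHARE_TOL = 0.03, 0.002
FIXED_SUMS, SUM_TOL = (500.0,), 25.0
BURST_WINDOW, BURST_MIN_PAYEES = timedelta(minutes=10), 3
ALERT_SCORE = 3


def is_new_payee(t):
    return t.beneficiary_age_days <= 1


def score_transfer(t, all_transfers):
    """Return (score, reasons). Signals are scored server-side only; the client is assumed compromised."""
    reasons = []
    if is_new_payee(t) and t.balance_before >= HIGH_BALANCE:
        reasons.append((1, "new payee on high-balance account"))
    if t.balance_before > 0 and abs(t.amount / t.balance_before - FIXED_SHARE) <= SHARE_TOL:
        reasons.append((2, "amount is a fixed share of balance"))
    if any(abs(t.amount - s) <= SUM_TOL for s in FIXED_SUMS):
        reasons.append((2, "amount near a fixed round sum"))
    # Mule fan-out: several distinct new payees from one account inside a short window.
    peers = {u.beneficiary for u in all_transfers
             if u.account == t.account and is_new_payee(u) and abs(u.ts - t.ts) <= BURST_WINDOW}
    if is_new_payee(t) and len(peers) >= BURST_MIN_PAYEES:
        reasons.append((2, f"{len(peers)} new payees within {BURST_WINDOW}"))
    return sum(w for w, _ in reasons), [r for _, r in reasons]


def review_queue(transfers):
    """Map tid -> reasons for every transfer whose score reaches ALERT_SCORE (hold for review)."""
    out = {}
    for t in transfers:
        score, reasons = score_transfer(t, transfers)
        if score >= ALERT_SCORE:
            out[t.tid] = reasons
    return out


# Constructed sample ledger: two routine payments, one new payee with an ordinary amount,
# then transfers shaped like the Italian, and the Dutch corporate, patterns from the text.
T0 = datetime(2012, 3, 5, 9, 0)
SAMPLE = [
    Transfer("t1", T0, "ACC-A", 1_200.0, "PAYEE-LANDLORD", 800.0, 400),
    Transfer("t2", T0 + timedelta(minutes=1), "ACC-B", 60_000.0, "PAYEE-SUPPLIER", 3_000.0, 250),
    Transfer("t3", T0 + timedelta(minutes=2), "ACC-E", 30_000.0, "PAYEE-NEW-1", 1_000.0, 0),
    Transfer("t4", T0 + timedelta(minutes=3), "ACC-C", 48_000.0, "MULE-IT-1", 1_440.0, 0),   # 3% of balance
    Transfer("t5", T0 + timedelta(minutes=4), "ACC-D", 25_000.0, "MULE-IT-2", 500.0, 0),     # fixed EUR 500
    Transfer("t6", T0 + timedelta(minutes=5), "ACC-F", 2_400_000.0, "MULE-NL-1", 72_000.0, 0),
    Transfer("t7", T0 + timedelta(minutes=6), "ACC-F", 2_328_000.0, "MULE-NL-2", 72_000.0, 0),
    Transfer("t8", T0 + timedelta(minutes=8), "ACC-F", 2_256_000.0, "MULE-NL-3", 72_000.0, 0),
]

if __name__ == "__main__":
    for tid, why in review_queue(SAMPLE).items():
        print(tid, "->", "; ".join(why))
```

Run as a script, the routine payments t1 and t2 and the ordinary new-payee transfer t3 stay off the queue, while t4 and t5 (fixed share, fixed sum) and the three corporate fan-out transfers t6 to t8 are held for review. The point of the weights is that no single signal blocks a payment; it is the combination, which is exactly what the report says made these transfers recognisable only after the fact.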
7 CITADEL: The collaboration suite of cyber criminals

Cyber criminals are beginning to have a ball. They are not only able to hoodwink the lay user. They are even able to stump the tech-savvy player. Welcome to a cyber crime collaboration suite – Citadel.

IN AUGUST 2012, the Federal Bureau of Investigation (FBI) sounded a stern alert about Citadel. Based on references from IC3 (Internet Crime Complaint Center), the FBI warned of a new ransomware called Reveton, delivered through the malware platform Citadel.

IC3 describes the threat as: “The ransomware lures the victim to a drive-by download website, at which time the
ransomware is installed on the user’s computer. Once installed, the computer freezes and a screen is displayed warning the user they have violated United States Federal Law. The message further declares that the user’s IP address was identified by the Federal Bureau of Investigation as visiting child pornography and other illegal content”.

Warning of fine and jail term!

An infected web user gets a message that reads something like the following:

“Your IP address is: xxx.xxx.xxx.xxx. Your location is identified as: xxxxx. Your PC is blocked due to at least one of the following reasons:
You have been viewing or distributing prohibited pornographic content (child porno etc.) thus violating Article 202 of Criminal Code of United States of America. Article 202 provides for deprivation of liberty for four to twelve years.
Illegal access has been initiated from your PC with or without your knowledge or consent. Your PC may be infected by malware, thus you are violating the law on Neglectful use of Personal Computers, Article 210 of the Criminal Code which provides for fine up to $ 100,000 and/or deprivation of liberty for four to nine years.”

Typical users are worried, particularly when they find that their location is correctly identified in the message; a tech-savvy user sees his IP address accurately mentioned in the notice. The typical user panics and goes on reading the message, which identifies his residence and state and directs him to pay a penalty, offering relief from a jail term
as it is a first-time offence. The fine, ostensibly paid to the US Department of Justice, is to be paid using a pre-paid card service, which has to be purchased using the computer user’s credit card or through an on-line bank transfer. This is the icing on the cake for the cyber criminal. The ransomware has already installed a key logger that captures the banking and credit card credentials and passes them on to the perpetrator of this attack. In other words, the victim pays a ‘fine’ and also offers his banking and credit card credentials to the attacker.

Why not ignore?

Why not ignore the warning message and go on as though nothing happened? Here’s why.

The computer freezes with the display of the warning message and gets back to normalcy only when the ‘fine’ is paid to the attacker, who successfully masquerades as the US Department of Justice collecting the ‘fine.’ Some security vendors who have started researching the traffic and the process tell us something very interesting. They have found that some traffic is encrypted to ensure that the use of digital forensic techniques to trace the origin becomes difficult. If we were to agree with Etay Maor, who heads RSA’s Fraud Action Research Lab, this “is a technically advanced Trojan” that combines the lethal powers of ransomware and stealth access to banking credentials.
Can users be so very naïve as to fall for this? Quite a few considerations come up.

One, the message appearing on victim screens looks real. There isn’t any sign of it being a fake.
Secondly, the infected computers do not give you the choice of ignoring it, since the system freezes and can be brought back to normalcy only upon paying the ‘fine.’
Thirdly, as the victim is contemplating doing something smart to thwart the attack, the Trojan is already searching for stored credentials.
Fourthly, the correct location and IP address of the victim displayed in the message unnerve even some of the tougher victims, who start thinking: what if this were really from the FBI?
Fifthly, if the victim does decide to pay the ransom, he is forced to use a prepaid card service, which collects the credit card, bank log-in and transaction credentials and passes them on to the cyber criminals.

After paying the ‘fine’ and having the computer system unfreeze, what is the guarantee that the key logger that was clandestinely installed on the system has been removed? Users had tried to remove the Trojan using known methods of malware removal. But to their discomfort, an FBI advisory on Citadel issued in the third week of August has this to say: “Be aware that even if you are able to unfreeze your computer on your own, the malware may still operate in the background. Certain types of malware have been known to capture personal information such as user names, passwords, and credit card numbers through embedded keystroke logging programmes.”
A lethal combination...

Avivah Litan, a financial fraud analyst with Gartner, has a different perspective. She says that the attack methods are not uniquely different from traditional key-logger and Zeus methods. But, says Litan, what is lethal here is the combination and packaging of various tried-and-true hacking techniques. So, how do we sort out this issue? The solution has to be a combination of a higher degree of awareness and significant strides to be made in Trojan research and in creating anti-malware solutions.

I personally feel that the best of technology will not work till the user knows quite a bit more about the system, its connectivity to the Internet and his vulnerability. I recently showed a screenshot of a Reveton-infected system to five people, each a successful and distinguished person, and got interesting responses. A common response was to point to the captured IP address and location and say that it clearly indicates how well the FBI was monitoring illegal activity.

When informed that whenever they book an airline ticket on-line, the ticket states that the booking was done from a given IP address, and when also shown the simple process

DO YOU KNOW?
The very first spam mail was sent in 1978. That year DEC released a new product. An innovative DEC marketer sent a mass email to 600 users and administrators of the ARPANET (the precursor of the Internet). The poor guy who had typed it all in didn’t understand the system, and ended up typing the addresses first into the SUBJECT:, which then overflowed into the TO: field, the CC: field, and finally into the email body too! The reaction of the recipients was much the same fury as users today. It wasn’t until later though that the term “spam” would be born.
to determine geographical location using their log-in, they said they knew it, since they have seen it on their e-tickets! Despite this knowledge, they credited the FBI with monitoring illegal activity effectively.

Do we not have a very strong case for a massive increase in awareness among users of on-line services?
8 They promised. They delivered!

If you promise, you must deliver on the promise. At least that’s what the customer expects. But what if you promise damage? Would the victim be happy if you deliver?

AND THAT was exactly what many said when the Regions Financial Corporation was successfully attacked by a Distributed Denial of Service (DDOS) attack on 11 October 2012. It was the eighth in a series of DDOS attacks that had happened since the last week of September.

What stands out in this attack is that it is the last reported in a series of three “announced” attacks. This follows what happened in late September and early October, when four large banks suffered DDOS attacks – Bank of America,
Chase Bank, Wells Fargo and PNC Bank. This list by itself would have created some sensation; the four banks suffered DDOS attacks and were brought down, albeit for a few hours, in a short span of two weeks. What happened as a follow-on is not just sensational but disturbing, to say the least.

A hitherto unknown group, Izz ad-Din al-Qassam, claimed credit for these four successful DDOS attacks on American banks. The group would probably have got some press coverage and a bit of attention had they stopped just there. They did something further that amazed cyber crime analysts. On 8 October, this group posted a warning that it would hit Capital One on 9 October, bring down SunTrust on 10 October and attack Regions Bank on the 11th. And they delivered precisely on their promise.

‘It is Down Right Now,’ an outage monitoring site, published the following status graph on Regions Bank pointing to the precision in the timing of the attack, as warned by this group. The bars in the graph indicate the time taken by the server to respond to a ‘ping’ or connect request by a user. The smaller the bars, the faster the response time. Zero-value bars, as happened on 11 October between 10.09 and 14.14 PST,
indicate that there was no response, or that the server was down and inaccessible.

To help interpret the chart better, I ran a tool to find how quickly the website www.industrialeconomist.com was responding to user requests and got an average ping response time of 651.61 ms over a four-hour period. Compare this with the average ping response time of 1,065.42 ms for the Regions Bank website. This establishes that the Regions web response was still pretty bad even after ostensibly recovering from the attack; at half the speed of response of the website of the Industrial Economist! Site Down, another site that monitors global sites and their accessibility, reports that the Regions Bank site was completely reset only at 07.05 PST on 12 October. There are, therefore, multiple independent confirmations that Regions Bank was successfully brought down, as cautioned by Izz ad-Din al-Qassam.

As the banking community eagerly waits to see who the next target is and awaits their announcement, Izz ad-Din al-Qassam has stated that it is now spending time on planning the attacks over the next few weeks, raising the anxiety levels among cyber crime

DO YOU KNOW?
Consultants believe in under-promise and over-deliver. Marketers too should follow that. Let me give you an example. Suppose on a scale of 10 you promise to deliver 8 but end up delivering 7. The customer is unhappy. However, if on the same scale of 10 you promise 5 but deliver 6, the customer is happy. Notice that in the first case you delivered 7 and in the second you delivered 6; yet the customer satisfaction level in the second is higher. Phew!

Twenty hours of video from around the world are uploaded to YouTube every minute. The first ever YouTube video was uploaded on April 23rd 2005, by Jawed Karim (one of the founders of the site), and was 18 seconds long, entitled “Me at the Zoo”.
52watchers and ensuring that a few IT and Web administratorshave sleepless nights.What does the attacking group want to achieve or what dothey want to convey?The claim is that they are upset over the Anti-Islam movietrailer run on YouTube. This is quite understandable but afew cyber crime analysts have other versions for the attackmotive. One such view comes from Gartner analyst AvivahLitan who points to “anecdotes about money loss duringthese attacks. Example: through calls to call centres to get wiretransfers done while the website is down.” In an interviewearlier this year, she had cautioned about not being in fullconformance with the updated authentication guidelines ofFFIEC and predicted that the new attack vectors will waitfor websites to be down and use employee accounts as accesspoints in addition to call centres becoming the preferredroute for illegal money transfers.Has this DDOS attack on the eight banks actually resultedin any fraudulent activity or has it just been an attentiondirecting technique for a cause dear to the group that hasclaimed responsibility for these attacks? As of now, none ofthe victim banks have reported any fraud during or related tothese outages.One common view is that even if the banks did find that abreach had occurred, they are unlikely to share it with thepublic. At best they could be talking to law enforcement. Notdisclosing the real consequences of an attack is a standardpractice in financial institutions since such disclosure willseriously jeopardise their credibility and credit worthiness.
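The outage-monitor readings discussed earlier in this chapter (response-time bars, zero-value bars where the server gave no answer, and an average ping time compared against a second site) can be reproduced on any probe series. What follows is an added example, not from the book and not the tooling of 'It is Down Right Now' or Site Down; all the probe samples in it are constructed and do not measure Regions Bank, industrialeconomist.com or any other real site. It excludes timeouts from the average (so a dead server does not look fast), reports outage windows only for runs of consecutive timeouts (so a single dropped probe is not called an outage), and expresses the slowdown as a ratio against the baseline site.

```python
"""Summarise availability probes: outage windows and response time vs a baseline.

Added example, not from the book. All samples below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Probe:
    at: datetime
    rtt_ms: Optional[float]  # round-trip time; None means the probe timed out


def make_probes(start: datetime, rtts: List[Optional[float]],
                step_minutes: int = 5) -> List[Probe]:
    """Build a probe series from a start time and a list of RTTs (None = no answer)."""
    return [Probe(start + timedelta(minutes=i * step_minutes), r)
            for i, r in enumerate(rtts)]


# Constructed data: a 5-minute probe cadence on a constructed date.
START = datetime(2012, 10, 11, 9, 0)
# Baseline site: answers every probe at roughly 650 ms.
BASELINE = make_probes(START, [640.0, 660.0, 655.0, 650.0, 645.0, 660.0,
                               650.0, 655.0, 645.0])
# Site under observation: one isolated dropped probe at 09:05, a run of
# three timeouts 09:15 to 09:25, then slow responses while it recovers.
TARGET = make_probes(START, [900.0, None, 950.0, None, None, None,
                             1200.0, 1100.0, 1050.0])


def average_rtt(probes: List[Probe]) -> Optional[float]:
    """Mean RTT over probes that answered; None if every probe timed out.
    Timeouts are excluded rather than counted as zero so that a site that is
    down does not appear fast."""
    answered = [p.rtt_ms for p in probes if p.rtt_ms is not None]
    return round(sum(answered) / len(answered), 2) if answered else None


def availability(probes: List[Probe]) -> float:
    """Fraction of probes that received any answer."""
    return round(sum(1 for p in probes if p.rtt_ms is not None) / len(probes), 3)


def outage_windows(probes: List[Probe],
                   min_consecutive: int = 2) -> List[Tuple[str, str]]:
    """(first, last) probe time, as HH:MM, for each run of at least
    `min_consecutive` timeouts. Single dropped probes are ignored by default
    so ordinary packet loss is not reported as an outage."""
    windows: List[Tuple[str, str]] = []
    run: List[Probe] = []

    def flush() -> None:
        if len(run) >= min_consecutive:
            windows.append((run[0].at.strftime("%H:%M"),
                            run[-1].at.strftime("%H:%M")))
        run.clear()

    for p in probes:
        if p.rtt_ms is None:
            run.append(p)
        else:
            flush()
    flush()
    return windows


def slowdown_factor(site: List[Probe], baseline: List[Probe]) -> Optional[float]:
    """How many times slower the site answered than the baseline site.
    None if either series never answered."""
    s, b = average_rtt(site), average_rtt(baseline)
    return round(s / b, 2) if s is not None and b else None


if __name__ == "__main__":
    print("baseline avg ms:", average_rtt(BASELINE))
    print("target avg ms:  ", average_rtt(TARGET))
    print("target availability:", availability(TARGET))
    print("outage windows:", outage_windows(TARGET))
    print("slowdown factor:", slowdown_factor(TARGET, BASELINE))
```

Lower `min_consecutive` to 1 to see every dropped probe, including the isolated one at 09:05; the default of 2 is the practical setting when the probe interval is short and a single loss is more likely noise than an outage.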
Not just financial institutions; it appears to be the norm for almost all organisations that are victims of cyber attacks. More evidence of this attitude of not disclosing cyber attacks can be found in the various annual surveys on cyber crime conducted by the Computer Security Institute (www.gocsi.com). This is perhaps natural. Who will like to come forward to say that she has been assaulted?

The Jester, a well-known and controversial hacker, has spoken of an interesting dimension to these attacks. He opines that Anonymous has provided technical support to Izz ad-Din al-Qassam to launch the successful attacks. He has talked of the owner of a pay-per-use DDOS system claiming that members of Anonymous had used his system to support the recent DDOS attacks on the eight US banks. The Jester goes on to allege that Anonymous are actually offering this service to the highest bidder, which till now happens to be Izz ad-Din al-Qassam, implying that the real force behind the attacks is Anonymous.

As analysts are asking for more stringent regulatory controls over the banking system and FFIEC is pushing for such enhanced controls at least at the technology level, there is a voice of dissent heard at Washington DC. Jamie Dimon, a well-known banker and Chairman and CEO of JP Morgan Chase, spoke before the Council on Foreign Relations where he strongly criticised regulators for inhibiting business. The press quickly surmised his views as those coming from a person who, while denying any interest in becoming the Treasury Secretary, actually spoke like one!

I have heard this from many of my banking clients who keep telling me that the cost of technology use is stringent controls that can stifle growth. I keep repeating that today's banking technology has resulted in higher customer empowerment and the computer cannot distinguish between a good and a bad customer to be empowered. This justifies the need for greater blanket controls.

Izz ad-Din al-Qassam's successful, time-tabled attacks on eight well-known US banks vindicate the long held belief of many of us that banks need to do more in rolling out and enforcing stringent technology controls to protect their customers.

DO YOU KNOW?

Of the 247 BILLION email messages sent every day, 81% are pure spam.

According to legend, Amazon became the number one shopping site because in the days before the invention of the search giant Google, Yahoo would list the sites in their directory alphabetically.

Google estimates that the Internet today contains about 5 million terabytes of data (1TB = 1,024GB), and claims it has only indexed a mere 0.04% of it all! You could fit the whole Internet on just 200 million Blu-Ray disks!
9  The case of Insider Fraud

A combination of good deterrence and technology that responds to human behavioural tendencies can save our banks millions and increase the sagging confidence in technology systems.

RECENTLY, in a round table session at a professional body, a member from the audience asked me if there is any cyber threat that exists across sizes and geographies.

I would have probably thought for a while before answering this question, but for the fact that the response was glaring at me from what has been shaking us up in the recent past – Insider Fraud. The series of sentencings of senior former managers of banks in the US has made many sit up and wonder what was happening behind the scenes at the banks and financial institutions. The cases coming to light now don't fit into any size.

At the lower end, we have Willard Scott, former President of Texas' Huntington State Bank, pleading guilty to a charge of $7400. At the other end we have the mammoth embezzlement of $22 million, over an eight-year period, by Gary Foster, former employee of Citigroup's treasury finance department. Willard Scott did it as a single transaction, while Gary Foster did it over eight years. In between these, there are many others. Matthew Walker perpetrated a 16 month operation at Farmers and Merchants Bank in California, where he was Vice President, and netted $2 million. We then have Barbara Rechtzigel charged with stealing hundreds of thousands of dollars from Minnwest Bank, over 14 years!

Insider threats...

At almost the same time as these startling revelations were trying to shake our belief that banks have strong internal control systems, the Software Engineering Institute of Carnegie Mellon University published their findings of research into the Insider Threats in the US Financial Services Sector. An Insider Threat, needless to say, is one that comes from people within the organization: employees, present and former, contractors or business associates, with access to the company's security practices, data and computer systems.

This fairly elaborate study sought to answer one key question, viz. What are the observable technical and behavioural precursors of insider fraud in the financial sector and what mitigation strategies should be considered as a result? The study presents six substantiated findings and two of them are of interest and concern.

The low and slow fraudsters...

Firstly, the study finds that fraudsters who adopted the "low and slow" approach inflicted more damage and went undetected for longer periods of time. Secondly, the means adopted by insiders were not technically very sophisticated. The combination of these two attributes kept the crime activity under wraps as far as normal fraud investigations were concerned. To use technical jargon, the clipping levels were understood by the perpetrators of fraud and they operated well within them, thus escaping detection by fraud radar systems. This may be a valid finding of the research survey by Carnegie Mellon, but if we look at Gary Foster, he appeared to have gone well past the clipping levels: between July and December 2010, he moved around $14 million from the bank's debt adjustment account to the cash account and from there, he made eight separate wire transfers to his personal accounts maintained outside the bank.

This should surely have raised a whole series of red alerts, as most analysts, including Shirley Inscoe, believe. But it didn't. Inscoe, who authored the widely read book Insidious: How Trusted Employees Steal Millions and Why It's So Hard for Banks to Stop Them, says that "Citi is not alone. Most banks have done a poor job of keeping with internal threats." According to the FBI indictment, Foster allegedly used his knowledge of the bank operations to commit the ultimate inside job.

United States Attorney Lynch expressed her appreciation to Citigroup, which brought the matter to the attention of the FBI and the US Attorney's office. Some eyebrows went up. Reporting a crime is normal and natural; will such a normal and natural action warrant an appreciation from the United States Attorney? Reporting of insider fraud has not reached a point of full reporting.

The Association of Certified Fraud Examiners (ACFE) in their 2012 Report to the Nations state that many of the victims do not report fraud cases to law enforcement. John Warren, Vice President and General Counsel at ACFE, feels that "many institutions don't report these crimes to law enforcement, in part because they fear reputational damage." The Carnegie Mellon report referenced earlier agrees on the lack of reporting, but points out that fear of reputational damage is only part of the reason for non-reporting. In many cases, the victim organisation may not have enough relevant details to relate a fraud to a specific individual or group. This adds to the reluctance to report an insider fraud.

Based on a sample of 80 cases, the Carnegie Mellon study also points to another disquieting trend. The average time taken to detect an insider fraud from the time of its start is 32 months and, where reported, it has taken another five months to complete the process; a total of around three years to report a fraud since the time it started! Without even considering what such a long elapsed time could do to evidence, particularly when it is digital in nature, we need to ask if early detection could not have arrested significant damage to the bank's assets quite early in the fraud cycle.
Why no early warning systems?

The one question on everyone's mind is why the players in the BFSI segment can't put in some early warning systems. The use of anomaly detection systems and behavioural analytics can surely detect potentially fraudulent events in real time or near real time. But the problem often occurs due to the way we have designed most internal controls. For instance, if the detection system is programmed to raise an attention directing flag when the amount involved exceeds a given amount, the insider plays within that amount to escape attention, since insiders know those thresholds.

Technology implementation in fighting frauds must be combined with appropriate non-technology practices like segregation of duties, periodic audits and reduced time between audit findings and implementation of correction mechanisms. While these will not totally eliminate insider frauds, they will bring them to light faster than the current average lead-time of 32 months, if the sample chosen is representative of the population.

DO YOU KNOW?

An insider may attempt to steal property or information for personal gain, or to benefit another organization or country.

A report published in July 2012 on the insider threat in the U.S. financial sector says 80% of the malicious acts were committed at work during working hours; 81% of the perpetrators planned their actions beforehand; 33% of the perpetrators were described as "difficult" and 17% as being "disgruntled." The insider was identified in 74% of cases. Financial gain was a motive in 81% of cases, revenge in 23% of cases, and 27% of the people carrying out malicious acts were in financial difficulties at the time.
Surely, we cannot have technology, deterrence or other forms of control to eliminate all insider frauds, but a combination of good deterrence and technology that responds to human behavioural tendencies can save our banks millions and increase the sagging confidence in technology systems.
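The chapter's point about clipping levels, that an insider who knows the flagging threshold simply keeps each transfer under it, is easy to see in code. The block below is an added example, not from the book and not the Carnegie Mellon study's method; every transaction, the account "OPS-CASH", the employee ids and the beneficiary "EXT-BENEFICIARY-PLACEHOLDER" are constructed labels. It runs three detectors over the same month of transfers: the fixed threshold the chapter describes, which only catches the one legitimate large payment; a structuring check that looks for several transfers clustered just below the limit to one beneficiary within a rolling window; and a check of the account's total monthly outflow against its own history, which needs no threshold an insider could learn.

```python
"""Fixed clipping level versus two behavioural checks for insider transfers.

Added example, not from the book. All transactions, account names and
employee ids below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from statistics import mean, pstdev
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Transfer:
    day: date
    account: str      # internal account debited
    amount: float
    beneficiary: str  # destination account
    operator: str     # employee who keyed the transfer


THRESHOLD = 10000.0  # the clipping level the fixed rule alerts on

# Constructed sample month: one legitimate payroll payment above the limit
# and four transfers kept just under it, all to the same outside beneficiary.
TRANSFERS = [
    Transfer(date(2010, 7, 2),  "OPS-CASH", 25000.0, "PAYROLL-PROVIDER", "EMP-03"),
    Transfer(date(2010, 7, 5),  "OPS-CASH", 9500.0, "EXT-BENEFICIARY-PLACEHOLDER", "EMP-17"),
    Transfer(date(2010, 7, 9),  "OPS-CASH", 9700.0, "EXT-BENEFICIARY-PLACEHOLDER", "EMP-17"),
    Transfer(date(2010, 7, 16), "OPS-CASH", 9800.0, "EXT-BENEFICIARY-PLACEHOLDER", "EMP-17"),
    Transfer(date(2010, 7, 23), "OPS-CASH", 9600.0, "EXT-BENEFICIARY-PLACEHOLDER", "EMP-17"),
]
# Constructed history: total monthly outflow from OPS-CASH in the six prior months.
HISTORY = {"OPS-CASH": [4000.0, 4500.0, 3800.0, 4200.0, 4100.0, 3900.0]}


def fixed_threshold_alerts(transfers: List[Transfer],
                           threshold: float = THRESHOLD) -> List[Transfer]:
    """Rule 1: the classic clipping level. Anything kept below it is missed."""
    return [t for t in transfers if t.amount >= threshold]


def structuring_alerts(transfers: List[Transfer], threshold: float = THRESHOLD,
                       band: float = 0.10, window_days: int = 30,
                       min_count: int = 3) -> Dict[Tuple[str, str, str], int]:
    """Rule 2: several transfers within `band` below the limit, from one
    account to one beneficiary by one operator, inside a rolling window.
    Returns {(account, beneficiary, operator): largest count in any window}."""
    low = threshold * (1 - band)
    near = sorted((t for t in transfers if low <= t.amount < threshold),
                  key=lambda t: t.day)
    groups: Dict[Tuple[str, str, str], List[date]] = defaultdict(list)
    for t in near:
        groups[(t.account, t.beneficiary, t.operator)].append(t.day)
    alerts = {}
    for key, days in groups.items():
        best = 0
        for i, start in enumerate(days):  # slide a window from each transfer
            end = start + timedelta(days=window_days)
            best = max(best, sum(1 for d in days[i:] if d < end))
        if best >= min_count:
            alerts[key] = best
    return alerts


def outflow_deviation_alerts(transfers: List[Transfer],
                             history: Dict[str, List[float]],
                             k: float = 3.0) -> Dict[str, float]:
    """Rule 3: this period's total outflow per account against the account's
    own history (mean + k standard deviations). The ceiling is derived from
    behaviour, not a published figure, so it cannot be 'played within'.
    Returns {account: total} for accounts above their personal ceiling."""
    totals: Dict[str, float] = defaultdict(float)
    for t in transfers:
        totals[t.account] += t.amount
    alerts = {}
    for account, total in totals.items():
        past = history.get(account)
        if not past or len(past) < 2:
            continue  # no baseline yet; a new account needs a different control
        ceiling = mean(past) + k * pstdev(past)
        if total > ceiling:
            alerts[account] = round(total, 2)
    return alerts


if __name__ == "__main__":
    print("fixed threshold:", [(t.day.isoformat(), t.amount)
                               for t in fixed_threshold_alerts(TRANSFERS)])
    print("structuring:", structuring_alerts(TRANSFERS))
    print("outflow deviation:", outflow_deviation_alerts(TRANSFERS, HISTORY))
```

Rule 1 alone produces one alert, on the payroll payment, and none on the four structured transfers; rules 2 and 3 both flag the pattern. The history-based ceiling is only as good as the history, so an account that has been bled slowly since its baseline was recorded needs the baseline taken from a period known to be clean.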
10  Clipping the butterfly's wings

On the rare date 12-12-12, the FBI announced that it had cut off the wings of the 'Butterfly.' It announced the arrest and arraignment of a group suspected of running the Butterfly Botnet.

THESE BOTHERDS (called so in line with shepherds and cowherds, since they 'herd' bots) collectively and effectively controlled a mind-boggling 11 million compromised computer systems. Their actions resulted in a staggering loss of over $850 million through stolen credit card and bank account credentials and compromised Personally Identifiable Information (PIIs).

'Bots' is an abbreviation referring to a robot network. These consist of compromised computer systems and are often used by cyber criminals for a variety of activities with varying degrees of criminality, resulting in different kinds and amounts of losses to the owners of the compromised systems. Bots are the favourites for executing distributed denial of service attacks or DDoS attacks, sending spam e-mails, conducting underground criminal activity and distributing malware. This list is not exhaustive, as botherds are quite innovative in the usage of their 'assets.'

Facebook - an easy target...

At this stage let us introduce Facebook. The very mention of Facebook conjures up different reactions in different minds. The trendy see it as a way of keeping in touch; the tech savvy see it as a mixed bag with significant potential for loss of PIIs; the marketing professional sees it as a great opportunity to reach out, while some security conscious are sceptical – for valid and perceived reasons.

With a billion messages flowing through Facebook on a monthly basis, this social networking site has also been a favourite spot to harvest PIIs, both directly and indirectly. Between 2010 and 2012, it was estimated that over a million Facebook accounts were compromised using variants of Yahos malware and these compromised accounts were linked to the Butterfly Botnet. Facebook is acknowledged for helping law enforcement in cracking down on those who hacked into the user accounts, resulting in the successful crackdown on the Butterfly Botnet. And to many, Facebook has really and truly made the world a global village that helps connect people in real time.

Butterfly Botnet...

Butterfly Botnet is the latest in a family of abuse of compromised computer systems for fraudulent purposes. Starting off with Ramnit in early 2010, we saw the ZeuS Facebook worm wreaking havoc in mid-2011 and now we have the notorious gang of 10 herding the Butterfly Botnet. When we all screamed at the ZeuS Facebook worm having supposedly infected over 45,000 Facebook users, that number pales into insignificance when we see 11 million compromised systems in the Butterfly Botnet.

Almost 70 per cent of the infection by Ramnit happened on UK users of Facebook; around 26 per cent were French while the balance 4 per cent were in other countries. After this was the famous taking down of the Zeus malware, in a dramatic move that involved the US Marshals. This operation was carried out when the U.S. District Court for the Eastern District of New York approved the operation while ruling on a plea by Microsoft and its partners to seize the computers and sue John Doe (as-yet-unnamed) defendants. The operational portion of the Court order speaks volumes of the way the judiciary has considered the intricacies in a search and seizure operation involving high technology that has the potential to move the malware across the internet anywhere, anytime.

DO YOU KNOW?

At 1:21:02 am, people celebrated the second which marks a date-time combination that reads the same both backwards and forwards: 2012-12-12 1:21:02.

A forensic icing on the cake...

The order, in part, said that "the United States Marshals and their deputies shall be accompanied by plaintiffs' attorneys and forensic experts at the foregoing described seizure, to assist with identifying, inventorying, taking possession of and isolating defendants' computer resources, command and control software, and other software components that are seized." Interestingly, the Court also asked the Marshals to preserve up to four hours of Internet traffic before disconnecting the computers from the Internet. This was a forensic icing on the cake, in the court order.

Microsoft had been instrumental in taking down three botnets earlier. The operation of bringing down the botnets driven by ZeuS and its variants was very different from the three earlier operations due to three factors. Firstly, it was not an action by only Microsoft – there were partners who closely cooperated with Microsoft. The partners were the Information Sharing and Analysis Center, a trade group representing 4,400 financial institutions, and NACHA, the Electronic Payments Association, which operates the system for electronic funds transfer.

Secondly, the objective of this action was different from the earlier actions. The earlier actions of taking down the three botnets were aimed at shutting them down. In this case, in the words of the initiators of the action, "the goal here was not the permanent shutdown of all impacted targets. Rather, our goal was a strategic disruption of operations to mitigate the threat in order to cause long-term damage to the cybercriminal organisation that relies on these botnets for illicit gain." This thought process, commonly referred to as "Hack Back" or "Getting even with the Cyber Scum," is gaining popularity, though it is not accepted by everyone as the best solution to fight cyber criminals.

Thirdly, the law suit, instead of merely accusing the three John Doe defendants, goes on to introduce an unknown corporate entity and claim that the three accused formed "The Zeus Racketeering Enterprise" for the purposes of squandering the resources of compromised computers. As an example, it is alleged that spam emails infringing NACHA's trademarks were as high as 167 million emails in a 24-hour period, in contrast to the normal volume of 1500 outbound emails per day!

So, what do we learn from this?

As always, we are back to the same music – the users of Internet connected computing equipment need to exercise more caution than what they are now used to. Attempts by different organizations in making users security-conscious are showing some results; but they remain 'some' results. An idea gaining ground globally is to catch 'em young.

Many organisations are working on this using different approaches. One set of people are looking at empowering school goers with a good grounding in the hacking process so that they identify any attempt to compromise their computers and negate it. This appears to be the philosophy behind running the Hacker High Schools (HHS), an initiative by a few not-for-profit bodies in North America. Another approach is to teach school goers and their parents various Safe Surfing Options (SSO), an approach preferred by ISC2, the global certification body for security professionals.

DO YOU KNOW?

12 has been a significant number since its creation: 12 months in the year, 12 hours of night and day, 12 astrological signs, 12 Olympic gods and goddesses, 12 days of Christmas, and Shakespeare's Twelfth Night.

It surely emerges that there is an urgent need to catch the young users and get them to grow with a mindset that combines security, caution and the ability to balance between the convenience of the ubiquitous Net and its inherent risks.
11  The new threat vector

We woke up recently to a series of threats that emanate from a hitherto unknown origin – supply chain. And that's catastrophic.

WHEN WE TALK of cyber infractions and frauds, we have traditionally looked at computers, internet, internal networks and wireless applications to find the threat vectors. We then added 'people' as another threat vector and started focusing all research and development efforts on handling the devastating consequences of a combination of these threat vectors exploiting a whole range of vulnerabilities. The likes of Stuxnet were still operating within the contours of these threat vectors until we woke up recently to a series of threats that emanate from a hitherto unknown origin – supply chain.
We had heard stories of malware embedded in printers during the recent Gulf war, but these accusations were dismissed as technology fairy tales. Of late, the consequences of security compromise via supply chain embedded threats are a reality. The attackers have always looked for new attack paths, and such a search yielded the desired results when Stuxnet infected SCADA systems that were till then thought to be invincible. Now a larger scale exploit is on the anvil, with the attackers using various unprotected parts of the supply chain to embed malware or other forms of threats.

Security threat by Chinese telecom companies

In October 2012, a special investigative report by the Permanent Select Committee on Intelligence of the US House of Representatives addressed the specific threat to US security posed by Chinese telecom companies in general and two companies in particular – Huawei and ZTE. Apart from a number of recommendations, it carries strongly worded advice to US companies to avoid Chinese networking hardware. Whether users should be worried only about Chinese networking hardware or take precautions about any hardware coming in for use in critical infrastructure is a question that deserves consideration. It is possible that there are other groups who are either actually using or are planning to use supply chain vulnerabilities to introduce spyware or a newer genre of threats.

Supply chain led threats

Since 2005, several countries have taken a clear call on combating supply chain led information threats by effecting seizures of counterfeit networking hardware and other telecom components. This exercise was built around the faith that any product with a malicious payload will only come via deployment of counterfeit components. The 2011 operation of seizing US$143 million worth of counterfeit networking and telecom components by the US authorities lent credence to the belief that the spread of malicious hardware happens via counterfeits. That belief has been busted by the findings in the October 2012 report, where it is found that even companies that sell apparently genuine products may infect their components with undesirable malware.

When the supply chain is totally insecure

While these reports point a finger at China for the supply of counterfeit or malware infected components, the Chinese computer market itself is battling counterfeits locally. When Microsoft successfully launched an all-out effort to eliminate Nitol botnets, they got trusted people to go out and buy laptops and desktops in China and, of the 20 systems they procured, all had some counterfeit component. Each of these purchased systems had been configured in such a way as to reduce security and four of these systems already had malware installed! Just imagine you are getting a brand new computer system with all its box seals intact and find that you are starting off with a low security configuration along with embedded malware. The worst part of this scenario is that many of the users may not be aware of it and will be happily typing away on their keyboards not knowing they are vulnerable to becoming either zombies or are otherwise vulnerable to attack and damage. This scenario is well summarised by Boscovich, who said that the "supply chain is broken; it is totally insecure, and it is easy for criminals to inject what they want into that supply chain."

DO YOU KNOW?

We can be hopelessly wrong. Like: 9 out of 10 people believe Thomas Edison invented the light bulb. This isn't true; Joseph Swan did.

Three point response

How does business react to the insecurity of the supply chain? A report published by the Georgia Tech Information Security Center and Georgia Tech Research Institute has classified the responses into three categories. First, we have a majority of the companies who do nothing about it other than to limit their purchases to what they regard as 'trusted' vendors. Secondly, a small number of companies carry out random tests on devices and determine if there are any indications of serious forms of vulnerabilities. Depending on the test results, further action is initiated. Thirdly, a very small number of companies are taking a paranoid approach of not trusting the supply chain at all. Their security stance is based on the premise that any device that comes through the front door has already been compromised. These companies continuously monitor the devices for abnormality.

Andrew Howard of Georgia Tech Research Institute perhaps had the most realistic assessment when he said: "This is a problem that is extremely expensive and difficult to solve. Solve may not even be the right word." I sincerely hope that what Howard said later does not become a reality: "It is going to take a bad event to have the momentum necessary to fully tackle the problem."

One silver lining here is that the problem appears to have been recognized, though it is too ubiquitous in its reach for any one set of stakeholders to manage it completely.
12  … and They are Back Again… Wave 3

On March 12, customers of six of the major US banking institutions experienced disruption to their Net banking services and, if Carl Herberger of Radware is to be believed, this is the largest number of institutions to be targeted on a single day.

While Herberger refused to name these six banks, citing confidentiality clauses in his company's agreement with the banks, there were others who pointed to the targets. Keynote Systems, which monitors Internet and Cloud services, said that traffic pattern analysis points to the online outage suffered by JP Morgan Chase, BB&T and PNC on March 12. All the banks that appear to have been attacked and compromised had refused to comment about the attacks and also refused either to confirm or to deny the attacks. While the suspected victim banks formally refused to comment, the first indication of something going wrong came from a Chase Services tweet.

A tweet on the Chase Twitter feed said on March 12 "*ALERT* We Continue to work on getting Chase Online back to full speed. In the meantime, pls. use Chase Mobile app or stop by a branch." The next day, Chase tweeted "We're sorry it was such a rough day and we really appreciate your patience." This is yet perhaps the most direct admission of any of the victims that they were attacked.

Keynote Systems gave more precise data on the attacks later in the day. They said that the outage at Chase resulted in a nearly 100 percent failure between 2pm and 11pm ET. BB&T suffered an outage between 12.30pm and 2.30pm ET and also later in the day at 5.30pm ET, though this was a brief interruption. PNC's site was down for about 30 minutes at 3.30pm ET on the same day. Keynote Systems however said it was not commenting on the cause of the downtime; it could only confirm the outage.

Commenting on these attacks, Herberger felt that "the thing that's kind of frustrating to all of us is that we are six months into this and we still feel like this is a game of chess." He wondered how it is that an industry that has been adorned with so many resources – more than any other industrial segment in the US – missed the threat of hacktivist concerns.

On the day of the attack, March 12, the hacktivist group Izz ad-Din al-Qassam Cyber Fighters (IDQ) said in a Pastebin post that the third phase of their attacks against the US banking institutions was about to begin. This group claimed in that post that they were waging the attacks against US banking institutions over a YouTube video deemed offensive to Muslims. IDQ identified nine targets for their Phase 3 attacks that started on March 12: Bank of America, BB&T, Capital One, Chase, Citibank, Fifth Third Bancorp, PNC, Union Bank and US Bancorp.

I had written earlier about the successful attacks by IDQ, who had used DDOS to disrupt the on-line services of banks in the US. The group's posts in Pastebin had then claimed that these attacks were attention-directing methods to warn the US powers-that-be to remove a particular movie and all its clippings from the Internet, since this movie was offending the religious sentiments of Muslims. Other forms of protest were witnessed across the globe on the same issue and the offending movie did find its way out. Every group that had protested triumphantly claimed a causa proxima between their protest and the movie going out of the Internet. So did IDQ Cyber Fighters, and they declared a cease fire.

DO YOU KNOW?

The most common form of "cyber terrorism" is a DDOS, or Distributed Denial of Service attack, whereby thousands of systems around the world simultaneously and repeatedly connect to a website or network in order to tie up the server resources, often sending it crashing offline. Anonymous released a tool this year that users could download and set on autopilot to receive attack commands from a remote command source. Similar DDOS attacks are often performed by the use of malware installed on users' computers without their knowledge.
Was their ceasefire because they felt satisfied, or was it to regroup and collect more strength to attack? The current phase of attack points to their ceasefire being a planned retreat to re-build their strongest weapon – the Brobot. This is said to be a 9,000-bot botnet. While no precise numbers are available, industry experts like Avivah Litan of Gartner and Dan Holden of ASERT agree that it is close to 9,000 bots. During the ceasefire, the hacktivist group appears to have learnt a lot about the defense strategies and capabilities of the banking institutions.

When they declared a cease fire because the offensive movie went out of the Internet, what made them come back? Did they have a different demand? They are saying now that small clippings of the movie that hurt the Muslims are still on the Internet and they demand that it be totally removed.

The attacks during Operation Ababil Phase-3, as the hacktivists called their latest action, demonstrated two things: the attacks used more sophisticated methods than were used in earlier attacks and, more importantly, they deployed different attack methods on different targets. This is in striking contrast to their earlier attacks, which saw the same attack vector used on all targets. This change in attack strategy makes it difficult to collaborate and share knowledge on counter measures, which was done successfully during earlier attacks.

Another aspect of these attacks that warrants attention is that most attacks appear to have come from previously unknown Internet Protocol addresses, which is a clear indication that the Brobot is growing. It is still some wonder how the hacktivists could put together a 9,000-bot botnet that could be used to attack frontline banking institutions. If they had marshaled 9,000 bots in the short duration of their ceasefire, lasting less than two months, it speaks volumes about how vulnerable the Internet user community is.

Yet another angle being actively considered by investigators is to determine if there could be reasons other than what is ostensibly stated by those claiming responsibility for the DDOS attacks. There have been instances of using botnets to launch an attack on financial services companies as a means to distract them from focusing on a fraud that had been committed. Crime management professionals know that the longer investigators take to start serious evidence search and forensic analysis, the better is the chance for the perpetrator of fraud to get away scot free or significantly reduce the availability of incriminating evidence.

While no source has suspected IDQ of adopting their DDOS attacks as a smokescreen for fraud, there are serious concerns about using DDOS as a means of fraud cover-up. The National Credit Union Administration has recently advised credit unions in the US to be cautious against "DDOS attacks (that) are often waged as tools of distraction to conceal fraud." The concern of Richard Reinders, Head of Information Security at Lake Trust Credit Union, points to this thought process gaining currency. "DDOS attacks may also be paired with attempts to steal member funds or data," said Reinders.

Whatever be the real or apparent driving factor behind IDQ's Ababil Phase-3, the fact remains that the perpetrators of security infractions have once again gained a victory by breaking into the fortresses within which we all want to believe that banks are located.
13  PATCO Ruling reversed??

A landmark judgment gets reversed. But it isn't final as yet, since questions abound.

When the US Federal Court of Appeals for the First Circuit in Boston overturned a lower court judgment favoring Patco Construction Inc. in their fight to hold their bank, Peoples United Bank, responsible for fraudulent wire transfers, the general feeling was that the banks were correctly hauled up for their negligence in electronic funds transfer systems. The Appeals Court had applied tests of 'commercial reasonableness' as found in Article 4A of the Uniform Commercial Code (UCC). The Patco case followed the general trend where the courts looked into the transactions and asked if what the banks had done as part of their security process was commercially reasonable to stop the losses incurred by their constituents.
In its ruling, a Michigan district court holding Comerica Bank liable for the $560,000 loss incurred by Experia Metal Inc. found fault with the bank’s account monitoring and fraud detection system. These did not convince the court as being adequate to meet the requirements. Less than a year ago, Village View Escrow settled with their bankers, Professional Business Bank, for an undisclosed amount to cover their loss of around $400,000. Their attorneys said that the settlement covered the entire amount of the loss. In this case too, the attorneys relied on Article 4A of the Uniform Commercial Code and referenced the judgment in the Experia Metal Inc. case.

The same Article 4A was referenced by another judge, and the Patco-type judgment seems to have been reversed. On March 18, 2013 Judge John Maughmer of the US District Court in Missouri ruled in favor of Bancorp South in their dispute with Choice Escrow Land Title LLC. The essence of this case was well brought out by the judge, who wrote in his summary judgment that “the tension in modern society between security and convenience is on full display in this litigation. Choice understandably feels as though it did nothing wrong, but yet is out $400,000. Bancorp South, as well, feels as though it has done nothing wrong. In essence, both parties are correct – yet someone must bear the risk of loss.”

Let’s look at Article 4A of the Uniform Commercial Code, which holds the key to on-line and wire fraud cases. Article 4A has two key operational parts. The first deals with funds transfer in general, emphasizes the need for uniformity and predictability while legalizing the funds transfer process, and presents Article 4A as a response to this need. The second part refers to how Article 4A will act as a guarantor of uniformity and predictability in funds transfer cases.
Hyung J Ahn brings out the key issues in interpreting Article 4A in a judicial context. In a good treatise published in the Virginia Law Review (85 Va. L. Rev. 183), he opines that “Article 4A does not provide a perfect solution in every case and the courts are tempted in such situations to import other legal doctrines or sources of law to craft a more satisfactory response. Such individualized judicial treatment, however, runs counter to the drafter’s intent that Article 4 be an exclusive source of law and undermines the goals of predictability and certainty that justified creating Article 4A in the first place.” Dan Mitchell, the attorney who represented Patco Construction Inc., shares the viewpoint of Hyung Ahn when he says that the ruling in the Choice Escrow case is the first time that a court has based its decision in a wire fraud case on the liability clause found in Article 4A.

David Navetta, co-chairman of the American Bar Association’s Information Security Committee, is more direct when he says candidly that “basically the bank was smart and had good lawyers…. they studied the procedure in UCC and applied it and that allowed them to prevail.”

The Choice Escrow ruling has re-opened some questions that were thought to have been settled with the Patco case, which in turn laid to rest a few issues that were left lingering in the earlier cases of Experia Metals and Village View Escrow. In all these recent cases of electronic funds transfers, the courts had to come to grips with the issue of what is commercially reasonable when enforcing security measures that have a customer interface. The Federal Appeal Court, in the Patco case, had raised and answered some key questions on what can be done to determine the commercial reasonableness of a security mechanism. In contrast to the detailed analysis of commercial reasonableness found in the Patco judgment, the summary judgment in the Choice Escrow case does not seem to explain ‘why’ the court felt that Bancorp’s security measures were commercially reasonable. The consensus appears to be that there is a good case for appeal.

A technical debating point relates to the actual practice offered by Bancorp which was not followed by Choice Escrow. The practice offered by Bancorp was to ask two people from Choice Escrow to authorize the transfer, which Choice Escrow did not follow. The court held this dual control to be commercially reasonable and ruled in favor of Bancorp. However, the court also held that this dual control meets the requirement of multifactor authentication. Referring to this, Mitchell says that “this is puzzling.”

The debate now going on is whether dual controls are multi-factor authentication or merely multi-layer authentication. It would surely not appear to be multi-factor authentication, since both parties involved were using the same attribute, viz., ‘what they know’, while by definition multifactor authentication requires yet another attribute beyond ‘know’.

Let us wait to see if Choice Escrow goes on appeal and challenges the current judgment. It will also be interesting to watch the judicial process evolve on what is a commercially reasonable security mechanism that will meet the intent of Article 4A of the Uniform Commercial Code.
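The distinction the author draws between dual control (more approvers), multi-layer authentication (more credentials) and multi-factor authentication (credentials from different factor categories) can be made mechanical, so that a transfer-approval policy cannot quietly conflate them. The code below is an added example, not from the book or from any bank named in it; the credential-to-factor mapping, the approval records and the policy thresholds are constructed assumptions.

```python
"""Tell dual control and multi-layer apart from multi-factor authentication.

Added example (not from the book). Two people each typing a password is
dual control and multi-layer, but it is still a single factor: everything
presented is 'something you know'. The classifier below counts approvers,
credential layers and DISTINCT factor categories separately. The mapping
and policy thresholds are constructed for illustration.
"""
from enum import Enum


class Factor(Enum):
    KNOWLEDGE = "something you know"   # password, PIN, challenge question
    POSSESSION = "something you have"  # hardware token, device certificate
    INHERENCE = "something you are"    # fingerprint, other biometric


# Constructed mapping: credential type -> factor category it demonstrates.
CREDENTIAL_FACTOR = {
    "password": Factor.KNOWLEDGE,
    "pin": Factor.KNOWLEDGE,
    "challenge_question": Factor.KNOWLEDGE,
    "hardware_token_otp": Factor.POSSESSION,
    "device_certificate": Factor.POSSESSION,
    "fingerprint": Factor.INHERENCE,
}


def classify(approvals):
    """approvals: {approver_id: [credential types that approver presented]}.

    Returns counts of approvers, credential layers and distinct factor
    categories, plus the three yes/no properties the debate is about.
    """
    layers = 0
    factors = set()
    for creds in approvals.values():
        for cred in creds:
            layers += 1
            factors.add(CREDENTIAL_FACTOR[cred])
    return {
        "approvers": len(approvals),
        "layers": layers,
        "factors": len(factors),
        "dual_control": len(approvals) >= 2,
        "multi_layer": layers >= 2,
        "multi_factor": len(factors) >= 2,
    }


def transfer_permitted(approvals, amount, high_value=50000.0):
    """Constructed policy: a high-value transfer needs dual control AND a
    second factor; any other transfer needs at least a second factor.
    Dual control alone never substitutes for the missing factor."""
    c = classify(approvals)
    if amount >= high_value:
        return c["dual_control"] and c["multi_factor"]
    return c["multi_factor"]


if __name__ == "__main__":
    # Two approvers, three credentials, one factor: the Choice Escrow pattern.
    print(classify({"alice": ["password", "challenge_question"],
                    "bob": ["password"]}))
```

Run on the constructed Choice Escrow pattern, the classifier reports two approvers and three layers but only one factor, so `multi_factor` is false even though `dual_control` is true, which is exactly the gap Mitchell calls puzzling.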
14 Digital Forensics – an IT Governance Attribute

Digital Forensics has come of age, at least at some level. Yet the more things have changed, the more they remain the same. There is still some distance to travel.

The traditional understanding of risk management of information assets stopped at creating and implementing comprehensive and relevant control mechanisms. Security professionals stopped short of going a step beyond implementing controls. Security professionals did see a role in reacting to the specific failure and revisiting the control mechanism, but that role was restricted to specific incidents, and mostly post facto. Some of the most talked about control processes and their protagonists fitted into a framework where the role of information security was to put in place effective control systems and to ensure that they work the way they were designed to work.

This approach was quite correct when the role of information security was focused on the CIA triad. Later, when the security domain expanded to include issues of source authentication of messages and dovetailing the underlying technology into a legal framework, this approach to controls appeared inadequate.

Owners and custodians of enterprise information assets started wondering if there was a role to be played beyond revisiting and strengthening security settings after an attack had been successfully launched and damaged an information asset. Despite the general concern about lack of reporting of information security violations, over the past few years reporting of security incidents has increased; with that, understanding of the anatomy of security violations has also increased. Corporate managers no longer looked at security violations as a technology issue but started seeing them as a business issue; albeit, a governance issue.

They asked:
• What happens after a security violation?
• Do we claim to have good governance by simply stating that we have revisited the control systems and have improved them after an attack?
• If the attack on information assets resulted in a loss, have we taken steps to recover lost assets or reset the distorted parameters?
• If a loss has occurred, have we found the perpetrator of the act and taken steps to bring him/her to book as required by the corporate policy of pursuing those who destroy corporate assets, and sought appropriate punitive or other penalties?
• Can we treat loss of corporate information assets any differently from loss of other classes of corporate assets?

These questions arise more from a governance perspective than from an information security perspective and seek to widen the traditional view of the information security cycle.

A critical process has come to the attention of those evangelizing the extension of information security cycles to cover issues arising from what is loosely called cybercrime. This process involves the creation and management of digital evidence mechanisms as part of a comprehensive digital forensic process.

All enterprise action to protect tangible or non-information assets is a reinforcement of a societal process that puts in place concepts of ownership, protection, defense and victim response. When it comes to the protection cycle for information assets, there are no traditional models to provide an in-built mechanism. This is because loss of information assets has emerged only during the past decade and a structured response life cycle is yet to emerge. Gearing up to meet this challenge involves understanding the need to add a digital evidence dimension to enterprise information systems, integrating it into a forensic cycle. A quick look at most enterprise information network architectures will reveal that they were built for functionality, performance, scalability, cost-effectiveness and availability; not necessarily to meet digital evidence requirements. This would mean that we take a good re-look at most of the information networks and add the digital evidence dimension to existing networks. In addition, we need to add digital evidence possibility as a parameter while conceptualizing, designing and implementing future networks.

No enterprise can claim to have built a good forensic capability unless it can gather an acceptable class of digital evidence. Digital evidence begs an academically rigorous definition. On the one hand, SWGDE defines it as “information of probative value that is stored and transmitted in binary form”, while another equally popular definition, by IOCE, is “information stored or transmitted in binary format that may be relied upon in court.” The former definition places emphasis on the nature of the content in what we would regard as evidence, while the latter emphasizes the importance of meeting the legal requirements in an appropriate jurisdiction.

We will confine our discussions to any evidence in digital format that will assist:
• either an internal or external agency that is probing into the nature of the incident in their attempt to determine the source or origin of the attack on the information system; and
• in determining the methodology used to launch the attack and the path used by the attacker to reach the victim system.

It is important that digital evidence of the attack or infraction, whether successful or not, should be gathered for analysis and further action as part of a regular digital forensic process, rather than finding out on an ad-hoc basis, after the attack has happened, whether there could be some way of getting this information.
A well managed approach to building digital forensic capability is to ensure that the following basic principles of digital evidence management are adhered to. The principles discussed here are based on those developed by IOCE and discussed in the forensic science community.

• Consistency with all legal systems
This is important as most electronic transactions have cross-border implications. Even otherwise, the nature of IP networks is such that data packets cross multiple countries as they are transmitted via the Internet or through VPN connectivity. Evidence, therefore, will be lodged and available at multiple locations across the world.

• Allowance for the use of a common language
The evidence may come in different formats and be generated by different applications. A common platform or language is required when issues like time stamp comparisons and digital notarization are to be assessed as part of evidence evaluation. Where the evidence is from multiple systems, apparently disjointed but serving as corroborative evidence, the need for standardization is significant.

• Durability
Evidence that has been gathered has to stand the test of time. It is important to consider the nature of some evidence that will cease to exist under certain conditions. For instance, if evidence is only available on volatile storage, there is a strong need to get it transferred to stable media and at the same time be able to build sufficient process to ensure that the integrity of the evidence transferred is not questioned.

• Ability to cross international boundaries
We are moving more towards cross-border evidence. A number of factors are contributing to it. Firstly, the technology used today to launch an attack on an information system is highly distributed, as in the case of various layers of zombies being used. Secondly, the ability to masquerade identifiers has created a huge virtual cross-border presence. Thirdly, attackers are looking to launch their attacks from safe havens, where the chance of successful prosecution and punishment is relatively low.

• Ability to instill confidence in the integrity of evidence
This is perhaps the most significant of all requirements. Most countries that have modeled their e-commerce law on UNCITRAL recommendations have also ensured that the digital evidence mechanism is in line with the traditional evidence system of the jurisdiction. An important factor that will govern the acceptability of digital evidence is that it should be proven to have been generated in the “ordinary course of activities”. All good systems of digital forensics must have strong mechanisms to guarantee the integrity of the evidentiary matter, and it is equally important for the system to be seen to guarantee the integrity of contents. As with all evidence, there is a strong need to instill confidence among stakeholders of the digital forensic trail that the evidence is reliable and its integrity can be guaranteed.
• Applicability to all forensic evidence
Any process that is developed for collection of evidence in the case of an information-related incident should be such that it does not distinguish between the types of evidence. SOPs should be developed and implemented so that no part of the forensic cycle has to change based on the type of evidence being gathered.

• Applicability at every level, including that of the individual, the specific organizational unit and the organization
The process of managing the digital forensic trail, including proper handling of digital evidence, should be ubiquitous across the organization. If network monitoring or permitted sniffing happens on a network, it cannot be done selectively; for instance, on only one subnet. If such selective evidence gathering has to be implemented, it should be transparent and should have formal approval at a policy level from executive management. Most legal systems reject even the best of evidence if it can be demonstrated that such evidence had been collected without conformity with principles of nondiscrimination and in violation of privacy requirements.

As part of good Information Technology Governance there is a strong need to build a comprehensive forensic capability in the organization. Good forensic processes in an organization will also contribute favorably in determining if top management has adequately addressed the requirements of Value Governance, Portfolio Management and Investment Management, as conceptualized in the Val IT Framework.
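The Durability and Integrity principles above are usually met together by the same mechanism: hash the artefact at the instant it is captured from volatile storage, write it to a write-protected stable location, and record every handover so that anyone can later show the stored copy is the captured one. The script below is an added example of that mechanism, not code from the book, IOCE or any forensic product; the sample memory bytes, examiner names and custody record layout are constructed assumptions, not a standard format.

```python
"""Capture volatile evidence to stable storage with an integrity record.

Added example (not from the book). Demonstrates the Durability and
Integrity principles: SHA-256 at capture time, write-once storage, a
custody log appended at every handover, and verification that fails
loudly if the stored copy has changed. Sample data is constructed.
"""
import hashlib
import os
import tempfile
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of the artefact; the value recorded at capture time."""
    return hashlib.sha256(data).hexdigest()


def capture(artefact: bytes, source: str, examiner: str, store_dir: str) -> dict:
    """Write the artefact to stable storage and start its custody record.

    The file is named by its own hash (content-addressed) and made read-only
    so accidental modification of the stored copy is prevented as well as
    detected.
    """
    digest = sha256_hex(artefact)
    path = os.path.join(store_dir, f"{digest}.bin")
    with open(path, "wb") as fh:
        fh.write(artefact)
    os.chmod(path, 0o444)
    return {
        "source": source,
        "sha256": digest,
        "path": path,
        "custody": [{
            "action": "captured",
            "by": examiner,
            "at": datetime.now(timezone.utc).isoformat(),
        }],
    }


def verify(record: dict) -> bool:
    """Re-hash the stored copy and compare with the capture-time hash."""
    with open(record["path"], "rb") as fh:
        return sha256_hex(fh.read()) == record["sha256"]


def transfer(record: dict, from_examiner: str, to_examiner: str) -> dict:
    """Append a handover entry, verifying first so that a break in
    integrity is pinned to the handover where it occurred."""
    if not verify(record):
        raise ValueError("integrity check failed before handover")
    record["custody"].append({
        "action": "transferred",
        "from": from_examiner,
        "to": to_examiner,
        "at": datetime.now(timezone.utc).isoformat(),
    })
    return record


def demo(tamper: bool = False) -> bool:
    """Run capture -> handover -> verify in a temp dir and return the verify
    result. With tamper=True the stored copy is altered after handover, so
    the function must return False."""
    with tempfile.TemporaryDirectory() as store:
        # Constructed stand-in for a volatile capture (e.g. a memory dump).
        volatile = b"constructed volatile sample: process list, open sockets"
        rec = capture(volatile, "host-A RAM", "examiner-1", store)
        transfer(rec, "examiner-1", "examiner-2")
        if tamper:
            os.chmod(rec["path"], 0o644)
            with open(rec["path"], "ab") as fh:
                fh.write(b"x")
        ok = verify(rec)
        os.chmod(rec["path"], 0o644)  # let the temp dir clean up on any OS
        return ok


if __name__ == "__main__":
    print("clean copy verifies:", demo())
    print("tampered copy verifies:", demo(tamper=True))
```

The read-only bit is a convenience, not the control; the control is that the hash recorded at capture travels with the custody log, so a later mismatch cannot be explained away as a transcription error. In a production setting the record itself would be signed or timestamped by an independent party, which is what the author's "digital notarization" refers to.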
No discussion on digital forensics as a governance attribute can be complete without reference to a measurement mechanism and metrics for measuring the degree of forensics capability built as an organizational process. As of now, digital forensics processes do not fit into any formal measurement mechanism. All that has happened so far is to ask whether or not the digital evidence gathered as part of an organization-specific forensic process is acceptable in internal disciplinary processes and external legal proceedings. Metrics to measure digital forensic capability should go well beyond that. Any process of evolving a set of metrics for measuring the relevance and efficacy of digital forensic processes should address the seven basic principles briefly discussed earlier. This is a fertile area for further research.
15 ICT – Tomorrow is here

A single bullet fired on the 28th of June 1914 triggered the most tumultuous period in the geo-political history of Europe that had a significant fall-out in other parts of the world.

The First World War started when this bullet killed the heir to the Austro-Hungarian throne. That war cascaded into the Second World War, which ended circa 1944. Historians classify this as a defining period in the political history of modern times.

A parallel can be drawn to the past twenty years as being a period that revolutionized information and communication technology (ICT) and, more importantly, made ICT all-pervading, making its impact felt on every walk of human life. It redefined the way in which technology will impact human welfare forever.
These twenty years following the development of the TCP/IP protocol by Vinton Cerf shook long-held beliefs on both the foundations and frontiers of networking. It gave us the ubiquitous Internet that provided the synergy got by harnessing the power of two separately powerful technologies – information and communication.

It took the human race many years to understand and believe in the power, ubiquity and cost-effectiveness of the Internet. For instance: in 2000, I was invited by a Chennai college to address their students on the developments in Computer Science. I spoke about the impact that the Internet would have on human welfare. Two pieces of feedback came through. One, that the talk was not technical. They expected me to speak of the architecture of RAM or about the importance of the right wattage rating of the cooling fan in a laptop! To that audience, telling them how the Internet would improve the quality of life was too much to expect. Two, that the session was more like science fiction being read out. Many thought I had just come out of sleep and was continuing to dream! Surely, students of the same college today are using the Internet for more than merely sharing scholarly views. They use it for anything from finding a lost link in the family tree to determining if the medicine contained in a prescription for someone known to them fits the symptoms. The power of this technology is making governments run for cover (as with Wikileaks) and whipping up global opinion on matters of importance (like Occupy Wall Street). It is hard to speak of any aspect of human life that is not impacted by ICT.

Let us see what is in store for this in the years to come. This technology has a notoriety for surprises and no one can arrogate to himself the ability to gaze through the whole crystal ball. We will still look at some known trends and see what will happen with these trends becoming a reality.

The Net Renaissance

The Internet did to the human race what the printing press did during the period of the Renaissance. It has removed the concept of knowledge and information being the preserve of the elite and of those who can afford to access it. Of course, there are the attendant problems, the most serious being the issue of credibility and verifiability of information. This caveat is assuming dangerous proportions, to the point that a few institutions of higher learning have told me that while reviewing or evaluating refereed work, they reject all Net-based references while accepting references to printed books with an ISBN number. One major change that will be heralded in the next five years will be the building of credibility of information on the Net. A careful balance must be maintained between the idea of keeping information free versus ensuring that the ‘free’ information is free from errors and personal prejudices or other compulsions to keep it that way.

These trends will continue…

Some trends that have followed known patterns are likely to continue.

For instance, Moore’s law on the pattern of growth in the cost of computing power has not changed and is not expected to change significantly. The ICT growth has only reinforced what Gordon Moore predicted. So is the case with Kryder’s law on storage and, as predicted, we are seeing terabyte disks now. That’s something beyond the wildest imagination of those of us who grew up on a 9-inch floppy and wrote applications using large RAMs of 128KB! I am seeing terabytes on portable drives now and we will soon witness a major revolution in data storage capabilities. The advent of Storage Area Networks and Cloud will make the concept of space constraints irrelevant. Costs are predicted to crash and enterprise managers of tomorrow will not have a line item in their capital budget referring to the cost of storage. It will be insignificant in an organizational context since large users like national-level meteorology predictions and stochastic processes used for national demographic studies will drive the need for very large storage, which in turn will result in research pushing for cost-effective storage. Another user group of massive data storage is digital forensics practitioners, who store and analyze data warranting huge storage space.

BYOD to BYOT

Bring your own device (BYOD) is the nightmare of the Information Security Manager (ISM) in most organizations today. Even as the ISM is grappling with ways to take charge of the BYOD issue, a new threat stares at him – BYOT, or Bring Your Own Technology. This trend has taken the industry by surprise since most of the controls that worked with BYOD do not seem to work with BYOT. One control on BYOD was the ability to classify and identify the devices, which is almost impossible in the case of BYOT. Secondly, the users of BYOT are building a strong business case for it. Connie Moore of Forrester Research reports that 53% of the information workforce bring their own technologies to work. Based on a survey done on a sample of 9,912 information workers spread across 17 countries in the Americas, Europe, Asia and Australia, the results point to another very disquieting trend, which is that almost one third of the survey participants reported that they would pay for the technology in case their employers did not buy it for them. The attraction of the benefits of BYOT surpasses its cost burden on the worker. Emerging markets comprising Asia and South America report 74% of those surveyed stating that they would bring one or more BYOT devices or processes to the workplace whether they were reimbursed for it or not. The corresponding figure for the developed markets of North America and Western Europe is lower at 44%.

Mobile to drive development

Two developments are emerging in the interface between the POCs (Plain Old Computers) and mobile-enabled devices. It is predicted that between now and 2015, 90% of the new net growth in device adoption will come from smartphones and tablets. Mobile capabilities will integrate location, presence and social information to make them more useful. These capabilities will also be used as strategic differentiators in the crowded mobile equipment market. As of now, multiple estimates put the quantum of development projects targeting the PC market at par with those targeting the mobile market. This ratio will change significantly and, if Gartner predictions are to be believed, mobile application development projects aimed at the smartphone and mobile segment will outnumber projects for developing applications for the PC by a ratio of 4 to 1. This will also mean a paradigm shift in the way skill sets are being developed, and those who are training application developers will have to quickly adapt to this surge in the requirements of new skills on new platforms.
The Three Cs – Cloud, Crimes and Controls

Cloud, Crime and Controls are attracting the attention of policy makers, both at a macro level and at a micro or enterprise level. Cloud, like the Internet, is driven by the combination of ubiquity, cost effectiveness and convenience. 2011-12 saw about one fifth of the large organizations in the Global 1000 league store their customer data (including sensitive customer data) on a hybrid cloud architecture. This architecture is a combination of a controlled on-premise solution working with a third party cloud service provider. This emerged as a preferred solution since it was touted as the best-of-breed solution combining the advantages of control through in-house applications and the cost effectiveness of a cloud deployment. As the cost advantage patterns are emerging in favor of a public cloud and with large players entering the market to offer reliable services, multiple estimates point to around half of the Global 1000 companies moving massive data to the cloud, and this could include sensitive customer data. One of the drivers for this move is the compulsion on organizations to reduce operational costs and improve efficiencies. Controls as seen in the enterprise IT environment are undergoing a significant change in order to adapt control systems and practices to match the threats and vulnerabilities in the cloud.

A second reason why enterprises will significantly change their approach to controls comes from a growing realization that most of the controls we have today were built for a different set of threats and vulnerabilities, those of the pre-cloud and pre-cybercrime period. Another driver to revisit controls during the next few years will come from the realization that more and more attacks on ICT systems come from exploiting application vulnerabilities as against exploits of networks and databases. This, combined with the relative newness of Cloud, is resulting in enterprise security managers seeking clear and pointed assurance that the applications being used by them are free from vulnerabilities; at least vulnerabilities known as at the date of moving the application to the live environment. Users of cloud and other third party services will insist on independent testing of the applications and will seek a certificate to the effect that the applications are free from known vulnerabilities. Predictions are that by 2016, at least 40% of the enterprises that will be using cloud or other third party application-driven services will make it compulsory for service providers to present evidence of independent assessment of security in the application being used in the service.

The underlying shift towards more controls is driven by better understanding of cloud and application-level vulnerabilities, but the primary concern comes from the way in which cybercrimes are committed today. Three significant trends fuel this concern. First is the increasing sophistication of the crime process. The recent DDOS attacks on some of the leaders in the BFSI segment point to how sophisticated the crime process can become and leave some of the best known names in the industry red-faced. Second is the entry of hackers who are using cybercrimes as a means to send out a message and enforce the meeting of their demands. Conventional deterrents do not work with them as they are driven by non-commercial considerations and are motivated by a strong courage of conviction like that found in an evangelist. Third is the fact that society is still refusing to recognize cybercrime as a ‘crime.’ The time-tested shaming theory, which criminologists tell us is a societal deterrent, does not seem to work with cyber criminals. They continue to be ‘respected’ as technically competent people, and the societal compulsion that acts on other criminals does not work in the case of cyber criminals. All these factors will compel enterprises to look for new responses that are perhaps hitherto unknown, unused and can hopefully blunt the unchallenged successful run of the cyber criminals.

Shift in IT budget ownership

At an organizational level, there is a significant possibility that a shift will occur in the way technology budgets will be managed. Technology budgets are the preserve of the CIO or the CTO as of today, irrespective of which departments benefit from these budgets. They are owned, controlled and managed by the head of IT. The emergence of a strong lobby driven by those desiring to build a technology governance system is insisting that there be an alignment between IT and business objectives. As part of such an alignment, a thought process gaining ground is that the line manager who benefits from the proposed IT spend should be held responsible and accountable for the budget. The budgeted expenditure is for a business purpose while IT could be at best a significant enabler, it is argued. If this were to be true, it is estimated that over a third of the IT projects in the next few years will be redefined as business projects and the business head will manage that budget...