Cyber Security and Cyber Law
By:-
D!vy@nk Gupt@
CR [ITESM]
IIT DWARKA
2012-2013
Cyber Security
WINDOWS SECURITY FEATURES
User Account Control is a new infrastructure that requires user consent before
allowing any action that requires administrative privileges. With this feature, all users,
including users with administrative privileges, run in a standard user mode by default,
since most applications do not require higher privileges. When some action is attempted
that needs administrative privileges, such as installing new software or changing system
settings, Windows will prompt the user whether to allow the action or not.
BitLocker Drive Encryption
Formerly known as "Secure Startup", this feature offers full disk encryption for the system
volume. Using the command-line utility, it is possible to encrypt additional volumes.
BitLocker uses a USB key or Trusted Platform Module (compliant with version 1.2 of
the TCG specifications) to store its encryption key. It ensures that the computer running
Windows Vista starts in a known-good state, and it also protects data from unauthorized
access. Data on the volume is encrypted with a Full Volume Encryption Key (FVEK), which is
further encrypted with a Volume Master Key (VMK) and stored on the disk itself.
Windows Firewall
The firewall has been improved to address a number of concerns around the flexibility of Windows Firewall in
a corporate environment:
* IPv6 connection filtering
* Outbound packet filtering, reflecting increasing concerns about spyware and viruses
that attempt to "phone home".
* With the advanced packet filter, rules can also be specified for source and destination
IP addresses and port ranges.
* Rules can be configured for a service by choosing its service name from a list, without
needing to specify the full path file name.
* IPsec is fully integrated, allowing connections to be allowed or denied based on
security certificates, Kerberos authentication, etc. Encryption can also be required for any
kind of connection. A connection security rule can be created using a wizard that handles
the complex configuration of IPsec policies on the machine. Windows Firewall can allow
traffic based on whether the traffic is secured by IPsec.
* A new management console snap-in named Windows Firewall with Advanced Security
which provides access to many advanced options, including IPsec configuration, and
enables remote administration.
* Ability to have separate firewall profiles for when computers are domain-joined or
connected to a private or public network. Support for the creation of rules for enforcing
server and domain isolation policies.
Windows Defender
Windows Vista and Windows 7 include Windows Defender, Microsoft's anti-spyware
utility. According to Microsoft, it was renamed from 'Microsoft AntiSpyware' because it not
only features scanning of the system for spyware, similar to other free products on the
market, but also includes Real Time Security agents that monitor several common areas of
Windows for changes which may be caused by spyware. These areas include Internet
Explorer configuration and downloads, auto-start applications, system configuration
settings, and add-ons to Windows such as Windows Shell extensions. Windows Defender
also includes the ability to remove ActiveX applications that are installed and block startup
programs. It also incorporates the SpyNet network, which allows users to communicate
with Microsoft, send what they consider is spyware, and check which applications are
acceptable.
Cryptographic API
Windows Vista and Windows 7 feature an update to the Crypto API known as
Cryptography API: Next Generation (CNG). The CNG API is a user mode and kernel mode
API that includes support for elliptic curve cryptography (ECC) and a number of newer
algorithms that are part of the National Security Agency (NSA) Suite B. It is extensible,
featuring support for plugging in custom cryptographic APIs into the CNG runtime. It also
integrates with the smart card subsystem by including a Base CSP module which
implements all the standard backend cryptographic functions that developers and smart
card manufacturers need, so that they do not have to write complex CSPs. The Microsoft
Certificate Authority can issue ECC certificates and the certificate client can enroll and
validate ECC and SHA-2 based certificates.
Network Access Protection
Windows introduces Network Access Protection (NAP), which makes sure that computers
connecting to a network or communicating over a network conform to a required level of
system health as has been set by the administrator of the network. Depending on the
policy set by the administrator, the computers which do not meet the requirements will
either be warned and granted access or allowed a limited access to network resources or
completely denied access. NAP can also optionally provide software updates to a noncompliant
computer to upgrade itself to the level as required to access the network, using
a Remediation Server. A conforming client is given a Health Certificate, which it then uses
to access protected resources on the network.
(2) Network Security Challenges
1. Verifying User Identity
How can others know it's you? Communication is approaching near continuous between
friends, family, businesses & services. With current authentication standards, often we
take on faith that we're being contacted by the "real" sender the message claims. It's one
thing if the imposter is just sending e-mails, but what if it's your bank or retirement
account that doesn't know it's not you? Challenges five and three tie in closely with this,
the top challenge.
2. Protecting Against DDoS Attacks
Distributed denial of service attacks (DDoS) use force of numbers to overwhelm targets
with data and connection attempts. Individual users may be the target of such attacks, or
their systems may be usurped to use in such an attack against a company or organization.
Bots on infected machines may lie dormant until an attack is triggered.
3. Preventing User System Hijacking
Even with better and better firewalls and anti-malware software for users, malicious
programs (like viruses, worms or trojans) that take control of a user's computer and
programs are an ever-present threat. Once the malicious program has control it can wreak
havoc acting as the user, attacking friends, family, and other contacts while masquerading
as the hapless victim.
4. Protecting User Confidential Data
More and more services are moving to the Internet. Interoperation between the various
services is becoming more frequent and more complex. Financial transactions from sales
to investments online are becoming ubiquitous. The risk of sensitive & high-value data
exposure and criminal access to that data increases all the time.
5. Securing Web Applications
Developers and application providers want their applications to be available quickly and
easily to anyone in the world, from any platform from a phone to a kiosk. Having users
hassle with anything more than a simple password seems too much to ask. I'm asking it!
At least consider the option for certificates, multi-factor authentication, multi-stage
authentication and so forth.
Limitations of Today's Security Solutions
As threats become more sophisticated and workplace data leaks grow more prevalent,
today's security solutions struggle to keep up. Conventional technologies like firewalls,
IDS systems, and VPNs may prevent outside threats but fail to protect “inside threats”
from employees who accidentally infect the network.
Security solutions such as Network Access Controls (NAC) focus on initial posture
assessment and authentication of the employee's endpoint. Once a user is authenticated,
he or she is no longer monitored and can act in ways harmful to the network. In addition,
today's "borderless" organizations freely share information globally between employees
and partners. These enterprises attempt to balance openness and flexibility with security
risks as employees work from home, airports, and from other, non-secure, off-site
locations.
Workplace Changes
Greater numbers of telecommuting and traveling employees and the blurring between
home and work offices have increased mobile device use, creating the need for better
protection against the loss of sensitive corporate and user data. This mobile workforce
makes it harder for IT departments to maintain updated antivirus and software patches on
all computers, making it increasingly difficult to control how and where users connect.
Storage devices, such as USB sticks, and music players add new channels for infection. In
addition, inadequate remote office security, lack of security personnel, and lax policy
enforcement negatively impact security.
Unprotected channels, such as Web mail or wireless networks, and easily exploited
technologies, such as P2P file sharing, streaming media, and instant messaging, allow
malware to enter the network while draining valuable network bandwidth. In addition, hard-to-detect,
zero-day malware requires immediate attention and is beyond the means of most
antivirus applications, which rely on a pattern-based approach. Once inside, malware can
leak data to cybercriminals, posing problems both for the consumers who lose confidential
data and for businesses whose reputations are irreparably damaged when data is lost.
Damage clean-up costs and lost productivity create the need for a better solution to protect
against insider threats. Forrester Research estimates that up to 85 percent of enterprise
security breaches involve internal people and resources. And according to Gartner,
“organizational costs of a sensitive data breach will increase 20 percent per year over the
next two years.”
Lack of Information About Your Local Threat Environment
Today's security environment is ready for a new approach. Lack of visibility into the exact
location and cause of infections prevents your IT department from determining the most
appropriate remedy. To achieve more holistic coverage, security personnel need more
information to better understand how threats occur and exactly where they enter the
network.
Most security systems show that malware was detected (for example, that IRC bot activity
occurred); however, no information is provided about how or where the infection
happened. This creates a lack of visibility into the overall security threat posture, which
hampers the ability of IT personnel to identify network pain points and the origin of threats,
such as a company's marketing department or an organization's remote office. Companies
need greater detail about the threat environment, such as the type of threats residing in the
network, or the percentage that are malware or hacking attempts or that are caused by
disruptive applications. Determining the root cause of how these threats entered the
network helps IT formulate better security policies.
Internet Security
Network layer security
TCP/IP can be made secure with the help of cryptographic methods and protocols that
have been developed for securing communications on the Internet. These protocols
include SSL and TLS for web traffic, PGP for email, and IPsec for the network layer
security.
IPsec Protocol
IPsec is designed to protect TCP/IP communication. It is a set of security extensions
developed by the IETF that provides security and authentication at the IP layer by using
cryptography. To protect the content, the data is transformed using encryption techniques.
Two main types of transformation form the basis of IPsec: the Authentication Header (AH)
and the Encapsulating Security Payload (ESP). These two protocols provide data integrity,
data origin authentication, and anti-replay service. They can be used alone or in
combination to provide the desired set of security services for the Internet Protocol (IP) layer.
The basic components of the IPsec security architecture are described in terms of the
following functionalities:
* Security protocols for AH and ESP
* Security association for policy management and traffic processing
* Manual and automatic key management for the Internet Key Exchange (IKE)
* Algorithms for authentication and encryption.
Malicious software
Malware :- Malware, short for malicious software, is software designed to secretly access
a computer system without the owner's informed consent. The expression is a general
term used by computer professionals to mean a variety of forms of hostile, intrusive, or
annoying software or program code. Software is considered to be malware based on the
perceived intent of the creator rather than any particular features. Malware includes
computer viruses, worms, trojan horses, spyware, dishonest adware, scareware,
crimeware, most rootkits, and other malicious and unwanted software or program. In law,
malware is sometimes known as a computer contaminant.
Viruses :- A computer virus is a computer program that can copy itself and infect a computer.
The term "virus" is also commonly but erroneously used to refer to other types of malware,
including but not limited to adware and spyware programs that do not have the
reproductive ability. A true virus can spread from one computer to another (in some form
of executable code) when its host is taken to the target computer; for instance because a
user sent it over a network or the Internet, or carried it on a removable medium such as a
floppy disk, CD, DVD, or USB drive. Viruses can increase their chances of spreading to
other computers by infecting files on a network file system or a file system that is
accessed by another computer.
Trojan Horse
A Trojan horse, or Trojan, is malware that appears to perform a desirable function for the
user before it is run or installed but instead facilitates unauthorized access to the user's
computer system. "It is a harmful piece of software that looks legitimate. Users are
typically tricked into loading and executing it on their systems", as Cisco describes. Trojan
horses may allow a hacker remote access to a target computer system. Once a Trojan
horse has been installed on a target computer system, a hacker may have access to the
computer remotely and perform various operations, limited by user privileges on the target
computer system and the design of the Trojan horse.
Spyware :- Spyware is a type of malware that can be installed on computers, and which
collects small pieces of information about users without their knowledge. The presence of
spyware is typically hidden from the user, and can be difficult to detect. Typically, spyware
is secretly installed on the user's personal computer. Sometimes, however, spyware such
as keyloggers is installed by the owner of a shared, corporate, or public computer on
purpose in order to secretly monitor other users.
Worm :- A computer worm is a self-replicating malware computer program. It uses a
computer network to send copies of itself to other nodes (computers on the network) and it
may do so without any user intervention. This is due to security shortcomings on the
target computer. Unlike a virus, it does not need to attach itself to an existing program.
Worms almost always cause at least some harm to the network, even if only by consuming
bandwidth, whereas viruses almost always corrupt or modify files on a targeted computer.
Buffer Overflow :- In computer security and programming, a buffer overflow, or buffer
overrun, is an anomaly where a program, while writing data to a buffer, overruns the
buffer's boundary and overwrites adjacent memory. Buffer overflows can be triggered by
inputs that are designed to execute code, or alter the way the program operates. This may
result in erratic program behavior, including memory access errors, incorrect results, a
crash, or a breach of system security. They are thus the basis of many software
vulnerabilities and can be maliciously exploited.
Botnet :- A botnet is a collection of software agents, or robots, that run autonomously and
automatically. The term is most commonly associated with IRC bots and more recently
malicious software, but it can also refer to a network of computers using distributed
computing software. The main drivers for botnets are recognition and financial gain.
The larger the botnet, the more 'kudos' the herder can claim to have among the
underground community. The bot herder will also 'rent' the services of the botnet out to
third parties, usually for sending out spam messages, or for performing a denial of service
attack against a remote target. Due to the large numbers of compromised machines within
the botnet, huge volumes of traffic (either email or denial of service) can be generated.
Cryptography
Cryptography can be defined as the conversion of data into a scrambled code that can be
deciphered and sent across a public or private network. Cryptography uses two main
styles or forms of encrypting data: symmetrical and asymmetrical. Symmetric encryption
algorithms use the same key for encryption as they do for decryption. Other names for
this type of encryption are secret-key, shared-key, and private-key. The encryption key can
be loosely related to the decryption key; it does not necessarily need to be an exact copy.
Symmetric Encryption
Symmetric encryption is the oldest and best-known technique. A secret key, which can be
a number, a word, or just a string of random letters, is applied to the text of a message to
change the content in a particular way. This might be as simple as shifting each letter by a
number of places in the alphabet. As long as both sender and recipient know the secret
key, they can encrypt and decrypt all messages that use this key.
Asymmetric Encryption
In asymmetric encryption there are two related keys - a key pair. A public key is made
freely available to anyone who might want to send you a message. A second, private key is
kept secret, so that only you know it. Any message (text, binary files, or documents) that
is encrypted by using the public key can only be decrypted by applying the same
algorithm, but by using the matching private key. Any message that is encrypted by using
the private key can only be decrypted by using the matching public key. This means that
you do not have to worry about passing public keys over the Internet (the keys are
supposed to be public). A problem with asymmetric encryption, however, is that it is
slower than symmetric encryption. It requires far more processing power to both encrypt
and decrypt the content of the message.
Digital Signatures:-
A digital signature (not to be confused with a digital certificate) is an electronic signature
that can be used to authenticate the identity of the sender of a message or the signer of a
document, and possibly to ensure that the original content of the message or document
that has been sent is unchanged. Digital signatures are easily transportable, cannot be
imitated by someone else, and can be automatically time-stamped. The ability to ensure
that the original signed message arrived means that the sender cannot easily repudiate it
later.
A digital signature can be used with any kind of message, whether it is encrypted or not,
simply so that the receiver can be sure of the sender's identity and that the message
arrived intact. A digital certificate contains the digital signature of the certificate-issuing
authority so that anyone can verify that the certificate is real.
Assume you were going to send the draft of a contract to your lawyer in another town. You
want to give your lawyer the assurance that it was unchanged from what you sent and that
it is really from you.
1. You copy-and-paste the contract (it's a short one!) into an e-mail note.
2. Using special software, you obtain a message hash (mathematical summary) of the
contract.
3. You then use a private key that you have previously obtained from a public-private key
authority to encrypt the hash.
4. The encrypted hash becomes your digital signature of the message. (Note that it will
be different each time you send a message.)
At the other end, your lawyer receives the message.
1. To make sure it's intact and from you, your lawyer makes a hash of the received
message.
2. Your lawyer then uses your public key to decrypt the message hash or summary.
3. If the hashes match, the received message is valid.
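The sender and receiver steps above, as an added example that is not part of the original notes. It uses textbook RSA without padding so that "encrypt the hash with the private key" is visible as one operation; real software adds a padding scheme on top. The key material, the contract text and all function names are constructed for the illustration.

```python
import hashlib

# Constructed demo keys built from well-known Mersenne primes so the example
# is deterministic. Such primes are public knowledge: never use keys like this.
E = 65537                                   # public exponent


def make_key(p: int, q: int):
    """Return (n, d): public modulus and private exponent for primes p, q."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))       # modular inverse (Python 3.8+)
    return n, d


N, D = make_key(2**127 - 1, 2**521 - 1)              # the sender's key pair
OTHER_N, OTHER_D = make_key(2**107 - 1, 2**607 - 1)  # an unrelated key pair


def message_hash(message: bytes) -> int:
    """Sender step 2 / receiver step 1: the 'mathematical summary'."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes, d: int = D, n: int = N) -> int:
    """Sender steps 3-4: apply the private key to the hash."""
    return pow(message_hash(message), d, n)


def verify(message: bytes, signature: int, e: int = E, n: int = N) -> bool:
    """Receiver steps 2-3: recover the signed hash with the public key and
    compare it with a hash of the message that actually arrived."""
    if not 0 <= signature < n:
        return False
    return pow(signature, e, n) == message_hash(message)


def demo() -> dict:
    contract = b"Draft contract: party A pays party B 100 units."   # constructed
    altered = b"Draft contract: party A pays party B 900 units."    # constructed
    signature = sign(contract)
    return {
        # The untouched message verifies under the sender's public key.
        "intact": verify(contract, signature),
        # Any change to the text changes the hash, so verification fails.
        "altered_in_transit": verify(altered, signature),
        # A signature made with someone else's private key does not verify.
        "signed_by_other_key": verify(contract, sign(contract, OTHER_D, OTHER_N)),
        # The signature depends on the message, so it differs per message.
        "signature_changes_with_message": signature != sign(altered),
    }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```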
SSL
The Secure Sockets Layer (SSL) is a commonly-used protocol for managing the security of
a message transmission on the Internet. SSL has recently been succeeded by Transport
Layer Security (TLS), which is based on SSL. SSL uses a program layer located between
the Internet's Hypertext Transfer Protocol (HTTP) and Transmission Control Protocol (TCP)
layers. SSL is included as part of both the Microsoft and Netscape browsers and most Web
server products. Developed by Netscape, SSL also gained the support of Microsoft and
other Internet client/server developers and became the de facto standard until
evolving into Transport Layer Security. The "sockets" part of the term refers to the sockets
method of passing data back and forth between a client and a server program in a network
or between program layers in the same computer. SSL uses the public-and-private key
encryption system from RSA, which also includes the use of a digital certificate. TLS and
SSL are an integral part of most Web browsers (clients) and Web servers. If a Web site is
on a server that supports SSL, SSL can be enabled and specific Web pages can be
identified as requiring SSL access. Any Web server can be enabled by using Netscape's
SSLRef program library which can be downloaded for noncommercial use or licensed for
commercial use.
HTTPS
HTTPS (HTTP over SSL or HTTP Secure) is the use of Secure Sockets Layer (SSL) or
Transport Layer Security (TLS) as a sublayer under regular HTTP application layering.
HTTPS encrypts and decrypts user page requests as well as the pages that are returned by
the Web server. The use of HTTPS protects against eavesdropping and man-in-the-middle
attacks. HTTPS was developed by Netscape. HTTPS and SSL support the use of X.509
digital certificates from the server so that, if necessary, a user can authenticate the sender.
Unless a different port is specified, HTTPS uses port 443 instead of HTTP port 80 in its
interactions with the lower layer, TCP/IP. Suppose you visit a Web site to view their online
catalog. When you're ready to order, you will be given a Web page order form with a
Uniform Resource Locator (URL) that starts with https://. When you click "Send," to send
the page back to the catalog retailer, your browser's HTTPS layer will encrypt it. The
acknowledgement you receive from the server will also travel in encrypted form, arrive with
an https:// URL, and be decrypted for you by your browser's HTTPS sublayer. The
effectiveness of HTTPS can be limited by poor implementation of browser or server
software or a lack of support for some algorithms. Furthermore, although HTTPS secures
data as it travels between the server and the client, once the data is decrypted at its
destination, it is only as secure as the host computer. According to security expert Gene
Spafford, that level of security is analogous to "using an armored truck to transport rolls of
pennies between someone on a park bench and someone doing business from a
cardboard box."
FIREWALL
A firewall is a set of related programs located at a network gateway server that protects the
resources of a private network from potential intruders. Firewalls do not verify that
information is coming from a secure source. Instead, they enforce a set of rules that
determine what information is allowed to pass.
There are several types of firewall techniques:
1. Packet filter:
Packet filtering inspects each packet passing through the network and accepts or rejects
it based on user-defined rules. Although difficult to configure, it is fairly effective and
mostly transparent to its users. It is susceptible to IP spoofing. This type of packet filtering
pays no attention to whether a packet is part of an existing stream of traffic (i.e. it stores no
information on connection "state"). Instead, it filters each packet based only on
information contained in the packet itself. Packet filtering firewalls work mainly on the first
three layers of the OSI reference model, which means most of the work is done between
the network and physical layers, with a little bit of peeking into the transport layer to figure
out source and destination port numbers. When a packet originates from the sender and
filters through a firewall, the device checks for matches to any of the packet filtering rules
that are configured in the firewall and drops or rejects the packet accordingly. When the
packet passes through the firewall, it filters the packet on a protocol/port number basis
(GSS). For example, if a rule in the firewall exists to block telnet access, then the firewall
will block the IP protocol for port number
2. Application gateway:
Applies security mechanisms to specific applications, such as FTP and Telnet servers.
This is very effective, but can impose a performance degradation. The key benefit of
application layer filtering is that it can "understand" certain applications and protocols
(such as File Transfer Protocol, DNS, or web browsing), and it can detect if an unwanted
protocol is sneaking through on a non-standard port or if a protocol is being abused in any
harmful way. An application firewall is much more secure and reliable compared to packet
filter firewalls because it works on all seven layers of the OSI reference model, from the
application down to the physical Layer. This is similar to a packet filter firewall but here we
can also filter information on the basis of content.
3. Circuit-level gateway:
Applies security mechanisms when a TCP or UDP connection is established. Once the
connection has been made, packets can flow between the hosts without further checking.
Circuit-level gateways are a type of firewall that works at the session layer
of the OSI model, or as a "shim-layer" between the application layer and the transport layer
of the TCP/IP stack. They monitor TCP handshaking between packets to determine whether
a requested session is legitimate. Information passed to a remote computer through a
circuit level gateway appears to have originated from the gateway. This is useful for hiding
information about protected networks. Circuit level gateways are relatively inexpensive
and have the advantage of hiding information about the private network they protect. On
the other hand, they do not filter individual packets.
4. Proxy server:
Intercepts all messages entering and leaving the network. The proxy server effectively
hides the true network addresses. In computer networks, a proxy server is a server (a
computer system or an application program) that acts as an intermediary for requests from
clients seeking resources from other servers. A client connects to the proxy server,
requesting some service, such as a file, connection, web page, or other resource, available
from a different server. The proxy server evaluates the request according to its filtering
rules. For example, it may filter traffic by IP address or protocol. If the request is validated
by the filter, the proxy provides the resource by connecting to the relevant server and
requesting the service on behalf of the client. A proxy server may optionally alter the
client's request or the server's response, and sometimes it may serve the request without
contacting the specified server. In this case, it 'caches' responses from the remote server,
and answers subsequent requests for the same content directly.
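The difference between the packet filter (type 1) and the circuit-level gateway (type 3) described above, as an added example that is not part of the original notes. The addresses, rules and class names are constructed; the packet filter decides from header fields alone, while the gateway only admits inbound packets that belong to a session an inside host opened.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INSIDE = "10.0.0.0/24"      # constructed private network
ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""          # TCP flags: "S" = SYN, "SA" = SYN+ACK, "A" = ACK


@dataclass(frozen=True)
class Rule:
    action: str              # "accept" or "drop"
    src_net: str
    dst_net: str
    dports: range            # destination port range

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src_net)
                and ip_address(p.dst) in ip_network(self.dst_net)
                and p.dport in self.dports)


# Constructed rule set, evaluated top to bottom, first match wins.
RULES = [
    Rule("drop", ANY, INSIDE, range(23, 24)),         # inbound telnet (TCP 23)
    Rule("accept", INSIDE, ANY, range(443, 444)),     # inside hosts may use HTTPS
    Rule("accept", ANY, INSIDE, range(1024, 65536)),  # let "replies" back in
]


def packet_filter(p: Packet, rules=RULES) -> str:
    """Stateless filter: looks only at this packet's own header fields."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return "drop"                                     # default deny


class CircuitGateway:
    """Tracks sessions opened from inside; inbound traffic must match one."""

    def __init__(self, inside_net: str = INSIDE):
        self.inside = ip_network(inside_net)
        self.sessions = set()

    def handle(self, p: Packet) -> str:
        if ip_address(p.src) in self.inside:
            key = (p.src, p.sport, p.dst, p.dport)
            if p.flags == "S":                        # handshake starts a session
                self.sessions.add(key)
        else:
            key = (p.dst, p.dport, p.src, p.sport)    # same session, reversed
        return "accept" if key in self.sessions else "drop"


def compare():
    """Run constructed traffic through both devices and return the verdicts."""
    traffic = [
        ("outbound SYN", Packet("10.0.0.5", 50000, "203.0.113.10", 443, "S")),
        ("reply to that SYN", Packet("203.0.113.10", 443, "10.0.0.5", 50000, "SA")),
        # Nobody inside asked for this packet, but its header fields look
        # like a reply, so the stateless rule for high ports lets it through.
        ("unsolicited ACK", Packet("198.51.100.7", 443, "10.0.0.5", 50001, "A")),
        ("inbound telnet", Packet("198.51.100.7", 40000, "10.0.0.9", 23, "S")),
    ]
    gateway = CircuitGateway()
    return [(label, packet_filter(p), gateway.handle(p)) for label, p in traffic]


if __name__ == "__main__":
    for label, stateless, stateful in compare():
        print(f"{label:18} packet filter: {stateless:6} gateway: {stateful}")
```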
INTRUSION DETECTION SYSTEM
An intrusion detection system (IDS) is a device or software application that monitors
network and/or system activities for malicious activities or policy violations and produces
reports to a Management Station. Intrusion prevention is the process of performing
intrusion detection and attempting to stop detected possible incidents. Intrusion detection
and prevention systems (IDPS) are primarily focused on identifying possible incidents,
logging information about them, attempting to stop them, and reporting them to security
administrators. In addition, organizations use IDPSs for other purposes, such as
identifying problems with security policies, documenting existing threats, and deterring
individuals from violating security policies. IDPSs have become a necessary addition to the
security infrastructure of nearly every organization. IDPSs typically record information
related to observed events, notify security administrators of important observed events,
and produce reports. Many IDPSs can also respond to a detected threat by attempting to
prevent it from succeeding. They use several response techniques, which involve the IDPS
stopping the attack itself, changing the security environment (e.g., reconfiguring a
firewall), or changing the attack's content.
IDS Terminology
* Alert/Alarm: A signal suggesting that a system has been or is being attacked.
* True Positive: A legitimate attack which triggers an IDS to produce an alarm.
* False Positive: An event signaling an IDS to produce an alarm when no attack has
taken place.
* False Negative: A failure of an IDS to detect an actual attack.
* True Negative: When no attack has taken place and no alarm is raised.
* Noise: Data or interference that can trigger a false positive.
* Site policy: Guidelines within an organization that control the rules and configurations
of an IDS.
* Site policy awareness: The ability an IDS has to dynamically change its rules and
configurations in response to changing environmental activity.
* Confidence value: A value an organization places on an IDS based on past
performance and analysis to help determine its ability to effectively identify an attack.
* Alarm filtering: The process of categorizing attack alerts produced from an IDS in order
to distinguish false positives from actual attacks.
* Attacker or Intruder: An entity who tries to find a way to gain unauthorized access to
information, inflict harm or engage in other malicious activities.
* Masquerader: A user who is not authorized to use a system, but tries to access
the information as an authorized user. They are generally outside users.
* Misfeasor: They are commonly internal users and can be of two types:
1. An authorized user with limited permissions.
2. A user with full permissions and who misuses their powers.
* Clandestine user: A user who acts as a supervisor and tries to use his privileges so as
to avoid being captured.
Limitations
Noise
Noise can severely limit an intrusion detection system's effectiveness. Bad packets
generated from software bugs, corrupt DNS data, and local packets that escaped can
create a significantly high false-alarm rate.
Too few attacks
It is not uncommon for the number of real attacks to be far below the false-alarm rate.
Real attacks are often so far below the false-alarm rate that they are often missed and
ignored.
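Why real attacks get lost among false alarms, worked through with the terms from the IDS terminology list (an added example, not part of the original notes). The event counts are constructed; the functions tally true/false positives and negatives, then show how low the false-alarm rate must fall before an alarm is more likely than not to be a real attack.

```python
from collections import Counter


def classify(is_attack: bool, alarmed: bool) -> str:
    """Map one observed event onto the IDS terminology."""
    if is_attack:
        return "TP" if alarmed else "FN"
    return "FP" if alarmed else "TN"


def tally(events) -> Counter:
    """events: iterable of (is_attack, alarmed) pairs."""
    return Counter(classify(a, al) for a, al in events)


def _ratio(num: float, den: float) -> float:
    return num / den if den else 0.0


def rates(c: Counter) -> dict:
    return {
        # Share of real attacks that raised an alarm.
        "detection_rate": _ratio(c["TP"], c["TP"] + c["FN"]),
        # Share of benign events that raised an alarm anyway.
        "false_alarm_rate": _ratio(c["FP"], c["FP"] + c["TN"]),
        # Share of alarms that point at a real attack.
        "alarm_precision": _ratio(c["TP"], c["TP"] + c["FP"]),
    }


def alarm_precision(base_rate: float, detection_rate: float,
                    false_alarm_rate: float) -> float:
    """Bayes' rule: probability that an alarm corresponds to a real attack."""
    true_alarms = base_rate * detection_rate
    false_alarms = (1 - base_rate) * false_alarm_rate
    return _ratio(true_alarms, true_alarms + false_alarms)


def max_false_alarm_rate(target_precision: float, base_rate: float,
                         detection_rate: float) -> float:
    """Largest false-alarm rate that still reaches the target precision."""
    return _ratio(base_rate * detection_rate * (1 - target_precision),
                  target_precision * (1 - base_rate))


# Constructed sample: 10 attacks hidden in 100,000 benign events.
SAMPLE_EVENTS = ([(True, True)] * 9 + [(True, False)] * 1
                 + [(False, True)] * 1000 + [(False, False)] * 99000)


def summary() -> dict:
    counts = tally(SAMPLE_EVENTS)
    result = dict(rates(counts))
    base_rate = (counts["TP"] + counts["FN"]) / sum(counts.values())
    result["counts"] = dict(counts)
    # False-alarm rate needed before half of all alarms are real attacks.
    result["far_for_half_precision"] = max_false_alarm_rate(
        0.5, base_rate, result["detection_rate"])
    return result


if __name__ == "__main__":
    for name, value in summary().items():
        print(f"{name}: {value}")
```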
Signature updates
Many attacks are geared for specific versions of software that are usually outdated. A
constantly changing library of signatures is needed to mitigate threats. Outdated signature
databases can leave the IDS vulnerable to new strategies.
Cyber Forensic Tools
Cyber forensics is a field that is increasingly getting attention at higher levels, whether
for solving a local crime or for matters that concern the security of a country. Let us look at
some of the best forensic tools used to investigate cases related to cyber crime or those
that are used for scientific purposes. Cyber forensics is an interesting domain which is
coupled with technical advances and the ability to use them effectively. Cyber forensics
is primarily used in the investigation of cyber crimes (i.e., crimes that occur over and on
the technology front). However this need not be the case, since most forensic techniques
and tools are also used for scientific purposes and research. With serious issues like
terrorism that threaten the national integrity of a country it is only wise to learn and know
the tools of the trade that terrorists use against the state. Cyber forensic tools aid not only
in investigating crime cases but also in drafting and creating hard evidence for the same.
Let us evaluate just some of these tools that have long been used by forensic
investigators, scientists and some notorious elements alike:
X-Ways WinHex
WinHex is used as a universal hexadecimal editor and is primarily useful in low-level data
processing, file inspection, digital camera card recovery, recovery of files even from
corrupt file systems, etc. This is one heck of a powerful tool and can especially be used in
gathering digital evidence.
FirstOnScene (FOS)
FOS is the only tool of its kind. It is a Visual Basic script rather than an executable
binary file. First On Scene works with other tools such as PSTools, LogonSessions, FPort,
NTLast, PromiscDetect, FileHasher, etc. to gather an evidence log report. This log report
can further be analyzed by forensic experts to extract important information.
Rifiuti
Rifiuti is a unique tool that aids investigators in finding the very last details of your
system's recycle bin folders. Rifiuti is useful to gather critical information on all your delete
and undelete activities.
Pasco
Pasco is a Latin word for "browse". Pasco helps in the analysis of the contents of internet
explorer's cache. So in short it can be particularly useful to gather internet activity records
from a target computer.
Galleta
Galleta is a Spanish word that means "cookie". Galleta is useful in examining the contents
of cookie files on your machine. Cookie files are basically temporary internet files used by
websites to maintain their indigenous logs for tracking and other such purposes.
Forensic Acquisition Utilities (FAU)
Forensic Acquisition Utilities is a set of forensic tools such as md5 checker, file wiper, etc.
used for assorted purposes in research and investigation.
NMap
NMap is particularly associated with network security. NMap is a port scanner tool that
helps find open ports on a remote machine. What separates NMap from other tools is its
ability to evade source machine identity and to work without causing any Intrusion
Detection System (IDS) alarms to go off.
Ethereal
Ethereal is another network security tool which is not a port scanner but rather a network
packet sniffer. Ethereal sniffs data packets over the network and can provide investigators
with incoming/outgoing data that is sent over a network. However, Ethereal itself cannot be
useful in cases where strong encryption algorithms are in place at the source and
destination computers.
BinText
BinText does not directly investigate but can be useful to browse through gathered
evidence files such as that of log files generated by other forensic tools. BinText can be
used for pattern matching and filtering these log files.
PyFlag Tools
PyFlag comprises a couple of tools used for log analysis and can be very effective for
investigators when used together with other forensic tools.
Miscellaneous Steganography Tools
Steganography is out of the scope of this article; however, it cannot be ruled out from the
forensic dimension. Steganography is the art of deceiving by embedding text or data files in
an image file. Various steganography tools help achieve just that. There are some tools,
however, that help in detecting such injections. Recently, hackers and malicious users
have been coming up with ideas to inject data files not just in image files but also in music
and video files, and to our much discomfort they have been successful with these attempts.
Implement Cyber Security Plan
A computer network assessment will help you begin a cyber security plan to mitigate the
largest risks to your business. A cyber security plan needs to be developed by an
employee or a contractor that has a basic understanding of cyber security.
A comprehensive cyber security plan needs to focus on three key areas:
* Prevention. Solutions, policies and procedures need to be identified to reduce the risk
of attacks.
* Resolution. In the event of a computer security breach, plans and procedures need to
be in place to determine the resources that will be used to remedy a threat.
* Restitution. Companies need to be prepared to address the repercussions of a
security threat with their employees and customers to ensure that any loss of trust or
business is minimal and short-lived.
PART 'B' CYBER LAW
Scope of Cyber Law
Cyber law is gaining a stronger foothold and there are several job opportunities for those
who would like to be "Sherlock Holmes" on the Internet. Everything is becoming cyber and
the concern of maintaining security of the information on the internet is also growing.
Therefore there are tremendous career opportunities in almost every field, from law to the
IT Industry. Whatever field you work in, knowledge of cyber law will definitely give
you an edge over the rest. Apart from being a full-fledged lawyer, one can get the job of
Cyber Consultant in an IT firm, police department or in banks, Research assistants in a law
firm, Research assistants in a technology firm, Advisors to the web developers, Advisors
in the Ministry of Information and Technology or in Corporate Houses, Security Auditors
and Network Administrators in Technology firms, Trainers in law schools and Multinational
Corporations. Since a cyber lawyer has to inevitably deal with criminal law, intellectual
property law, commercial and civil law in his cyber law cases, it is best to have a sound
and in-depth knowledge of these laws apart from cyber laws to give your practice a real
edge. Talwant Singh, Additional District and Sessions Judge, Delhi says, “Scope of cyber
law increases when combined with intellectual property rights laws as in many cyber law
cases, the question of violation of copyrights is also involved.” As far as job opportunities
are concerned, the field of cyber law is full of them. For example, you can choose from
private practice, litigation, corporate advising and international cyber law work. Although
litigation may take some time to firm its roots, consultancy has a lot of instant money to
offer.
ESSENCE OF DIGITAL CONTRACTS
* Quality, first and foremost - legal contracts and documents you'd expect from a top law
firm.
* You know the draftsman (not an unnamed "leading attorney").
* It's online, quick, and easy; no software to download and install.
* Free assistance with contract selection.
* Pay only once; then draft unlimited legal contracts and documents during your
subscription.
* Easy-to-use "Intelligent" wizard guides your drafting.
* "Intelligent" document assembly produces near-custom agreements.
* Free updates and new documents as they're released (unlike downloadable forms).
* You own your agreements - copy to your word processor; edit and customize as you
like.
* Safe and secure - your document data archived for limited time.
Digital Signature System: refer to digital signatures.
Domain Name Issues
Having a great domain name can be a valuable commodity. In 2008 the domain pizza.com
sold for $2.6 million and the year before that business.com sold for $350 million. There is a
lot of money in the domain business so sometimes people are willing to walk the line
between legal and illegal.
Cyber Squatting
When someone registers a domain with trademarked phrases they do not own in bad
faith or to make a profit, it is called cyber-squatting. When someone who owns the
trademark sees they've been cyber-squatted, he can file a dispute with ICANN, the Internet
Corporation for Assigned Names and Numbers, which oversees domain names. Courts can
also handle domain disputes but because of the international nature of the Internet
jurisdiction isn't clear. Sometimes it's unclear whether the domain was registered in good
faith, as in the case of a man named Uzi Nissan, who owns a computer company, versus
Nissan Motor Company, who fought over nissan.com. As of 2010, Mr. Uzi Nissan still owns
the domain, but they've been fighting since 1999. Famous actors will also fight over
domains that have their name, as the singer Madonna did over madonna.com in the year
2000 when it became a pornography site.
Typo-Squatting
Typo-squatting is when someone registers a domain for the purpose of getting visitors
who mistype a webpage name. Using the original domain name microsoft.com as an
example, a typo squatter could register wwwmicrosoft.com as one word to gain visitors
who forget to type a period between www and microsoft. The squatter could then place
advertisements on the page for profit or make a fake page replicating the original one for
the purpose of identity theft in the form of logins and other personal data. In 2008,
Microsoft sued a company called Domain Investments for typo-squatting on the domains
zunedrivers.com, windoesmobile.com, microsoft-games.com and wwwhotmajl.com.
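A defender's view of the patterns described above, as an added example that is not part of the original notes: it classifies observed domain names (for instance from a new-registration feed) against a watch list of brand labels. The watch list, the function names and the rule labels are assumptions, and the registrable label is taken naively as the second-to-last dot-separated part.

```python
# Assumed watch list of brand labels an organization wants to monitor.
WATCHLIST = ("microsoft", "hotmail", "windowsmobile", "zune")


def osa_distance(a, b):
    """Edit distance counting insert, delete, substitute and adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i] + [0] * len(b)
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            cur[j] = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            # Adjacent transposition, e.g. "rc" typed for "cr".
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cur[j] = min(cur[j], prev2[j - 2] + 1)
        prev2, prev = prev, cur
    return prev[len(b)]


def registrable_label(domain):
    """Naive extraction: 'www.example.com' -> 'example' (ignores co.uk etc.)."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify(domain, watchlist=WATCHLIST):
    """Return (brand, rule) if the domain resembles a watched brand, else None."""
    label = registrable_label(domain)
    if label in watchlist:
        return None  # the brand's own label; TLD variants are out of scope here
    # "wwwmicrosoft" is "microsoft" with the dot after www left out.
    bare = label[3:] if label.startswith("www") and len(label) > 3 else label
    prefixed = bare != label
    for brand in watchlist:
        if prefixed and bare == brand:
            return (brand, "missing-dot")
        # One-character slips; skipped for short brands to limit noise.
        if len(brand) >= 5 and osa_distance(bare, brand) == 1:
            rule = "missing-dot+misspelling" if prefixed else "misspelling"
            return (brand, rule)
        if brand in label.split("-"):
            return (brand, "hyphenated-brand")
        # Noisy heuristic: brand glued to another word; needs analyst review.
        if label.startswith(brand) or label.endswith(brand):
            return (brand, "brand-plus-word")
    return None


def triage(domains, watchlist=WATCHLIST):
    """Map each flagged domain to its (brand, rule) finding."""
    findings = {}
    for d in domains:
        hit = classify(d, watchlist)
        if hit is not None:
            findings[d] = hit
    return findings


# Constructed feed: the names cited in the text plus two benign entries.
SAMPLE_FEED = [
    "wwwmicrosoft.com", "zunedrivers.com", "windoesmobile.com",
    "microsoft-games.com", "wwwhotmajl.com", "microsoft.com", "example.com",
]

if __name__ == "__main__":
    for name, (brand, rule) in triage(SAMPLE_FEED).items():
        print(f"{name:22} resembles {brand:14} [{rule}]")
```

A match here is only a lead for review: as the Nissan dispute above shows, a similar name can be registered in good faith.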
Front Running
Domain front running is when a domain registrar temporarily or permanently registers a
domain that someone recently searched to register when using their website. Although
this practice can be legal, it's frowned upon by those registering domains. A popular
domain registrar, Network Solutions, was accused of this in 2008. Whenever users
searched for a potential domain on their websites, Network Solutions registered the
domain for four days with a message in the whois data saying they can register it at
Network Solutions' website. This forced users to register the domain with them instead of
their normal registrar or risk the registration of the domain by someone else. Some smaller
domain availability websites might outright register for themselves, permanently, the
domain they see you searching for, so search for your domain where you wish to register
and buy it right away so front runners won't have time to see if it's a good idea.
Copyright Laws for Digital Media
As more and more material gets digitized for preservation and for easier access by a
wider number of people, it's important to remember that the U.S. Copyright Office has a set
of laws pertaining exclusively to digital media. Digital media in this case has a number of
definitions, but most commonly it refers to a digital audio copied recording--that is,
digitally recorded music or sound.
Basic Copyright Law
The law that deals with digital media is Title 17. This states that copyright for creative
works lasts for the life of the author or creator plus 75 years. The Copyright Term
Extension Act is a controversial law, as it was amended in 1998 with the help of
musician-turned-politician Sonny Bono. After the creator is dead for 75 years, the work passes into
the public domain, meaning that no one individual owns it and everyone can use it free of
charge. If a person is caught using a copyrighted work before it enters the public domain,
he is subject to injunction, fines and possibly jail time depending on the severity of the
infringement.
Reproduction and Distribution
Reproduction and distribution of copyrighted works without permission is illegal.
Under provisions of copyright law, a person who is not the legal owner of a piece of digital
media is prohibited from copying or sharing that media. It is also illegal to import,
manufacture or distribute any device that allows others to copy digital media for purposes
of distribution. Persons seeking to use copyrighted material must be approved by the legal
owner before proceeding with copying.
Royalty Payments
Any person who obtains permission to copy and distribute copyrighted works of digital
media must pay royalties to the copyright holder. Royalties are defined under Section 1003
of the copyright code as three percent of the transfer price, but not less than one dollar.
Anyone found violating royalty agreements must cease distribution of all works until the
case is reviewed by a copyright royalty judge. The judge withholds the amount of money in
question until the case is resolved.
E-Governance
Under an e-governance scenario, the Government and its citizens/business houses should be
able to transact all their activities
or at least majority of activities without meeting each other using Information technology
tools such as internet, public kiosks etc. For example, when a citizen wants to get a ration
card, he/she should be able to apply and get the ration card without physically going to the
Taluka office. Similarly, when a widow wants to get a widow pension she should be able to
get it by applying through the village or block level internet centre.
Or, a farmer wanting to get a land extract / cultivation extract should be able to do it
without going to any government official through the internet or public kiosks.
Going to the Government offices and waiting there to get these services should be only an
optional one. The citizens should have a choice of going to the internet centres or the
government offices to get their works done with the Government.
This can be achieved only through the following steps:
1. Government offices should be computerised using online workflow procedure. That
means all the paper based registers have to be given up and all government works have to
be carried out only through computers.
2. All Government employees working in the areas where e-governance is proposed have
to be computer trained and each one should be given user ID and password to operate the
system.
3. All these government employees have to be trained in their area of operation in the
software.
4. The Government servers should be connected to the internet so that the citizens and
business houses are enabled to access the Government information at any time and also
enabled to file all their requests/applications online. The scope for meeting government
officials should be reduced to the extent that only where statutorily such physical
presence is required they should be asked to meet the government officials.
5. All applications or requests from citizens/business houses should be received only
through online procedure using internet as medium.
6. STD booths or similar public kiosks should be authorised to intermediate between the
citizens and the government. This includes online remittance facility too.
A similar facility should be made available to the business houses too.
Cyber Crimes
Spam
Spam is the unsolicited sending out of junk e-mails for commercial purposes, which is
unlawful. New anti-spam laws are being passed in various countries which will hopefully
limit the use of unsolicited electronic communications.
Fraud
Computer fraud refers to the fallacious misrepresentation of fact conveyed with an
intention of inducing another to do or refrain from doing something that will ultimately lead
to some major kind of loss.
Obscene or Offensive Content
The contents of some of the websites and other electronic communications over the net
can be really distasteful, obscene or offensive for a variety of reasons. In many countries
such communications are considered illegal. It can be very troubling if your children are
exposed to adult content.
Harassment
This cyber crime encompasses all the obscenities and derogatory comments directed
towards a specific individual or individuals focusing for example on gender, race, religion,
nationality, and sexual orientation. Harassment is the cybercrime most commonly
encountered in chat rooms or through newsgroups.
Drug Trafficking
Drug traffickers use the Internet as a medium for trading their illegal substances by
sending out enciphered e-mail and other Internet Technology. Most of the drug traffickers
can be found arranging their illegal deals at internet cafes, using courier websites for the
delivery of illegal packages containing drugs, and sharing formulas for amphetamines in
restricted-access chat rooms.
Cyber Terrorism
Due to the increase in cyber terrorism, the hacking into official websites or the crashing of
official websites, government officials and Information Technology security specialists
have recently begun to significantly increase their mapping of potential security holes in
critical systems in order to better protect information sensitive sites.
Common Sources of Cybercrime
Researchers at Sophos Labs claim to have created a language software that can figure out
the host country of malicious software by tracing the default language of the computer on
which it was programmed. According to their analysis of the default language linked up
with about 19,000 samples at the end of last year, Americans and other non-British English
speakers, surprisingly, produced a large proportion of malware. China produced 30%,
Brazil 14.2% and Russia 4.1% of the world's malware.
Child Abuse Law USA
* ABA Center on Children and the Law
The ABA Center on Children and the Law, a program of the Young Lawyers Division, aims
to improve children's lives through advances in law, justice, knowledge, practice and
public policy. Our areas of expertise include child abuse and neglect, child welfare and
protective services system enhancement, foster care, family preservation, termination of
parental rights, parental substance abuse, adolescent health, and domestic violence.
* Chapter 419B — Juvenile Code: Dependency - Reporting Child Abuse
The Legislative Assembly finds that for the purpose of facilitating the use of protective
social services to prevent further abuse, safeguard and enhance the welfare of abused
children, and preserve family life when consistent with the protection of the child by
stabilizing the family and improving parental capacity, it is necessary and in the public
interest to require mandatory reports and investigations of abuse of children and to
encourage voluntary reports.
* Child Abuse Prevention and Treatment Act as Amended by the Keeping Children and
Families Safe Act of 2003
The basis for government's intervention in child maltreatment is grounded in the
concept of parens patriae—a legal term that asserts that government has a role in
protecting the interests of children and in intervening when parents fail to provide proper
care. Beginning in the late 19th century, States and local jurisdictions started initiating
mechanisms to assist and protect children. Then in 1912, the Federal Government
established the Children's Bureau to guide Federal programs that were designed to
support State child welfare programs as well as to direct Federal aid to families, which
began with the passage of the Social Security Act (SSA) in 1935. The child welfare policy of
the SSA layered Federal funds over existing State-supervised and administered programs
that were already in place.
* Definitions of Child Abuse and Neglect - Child Welfare Information Gateway
Child abuse and neglect are defined by Federal and State laws. The Child Abuse
Prevention and Treatment Act (CAPTA) is the Federal legislation that provides minimum
standards that States must incorporate in their statutory definitions of child abuse and
neglect. The CAPTA definition of "child abuse and neglect" refers to: "Any recent act or
failure to act on the part of a parent or caretaker, which results in death, serious physical
or emotional harm, sexual abuse, or exploitation, or an act or failure to act which presents
an imminent risk of serious harm"
* Megan's Law
The U.S. Congress has passed several laws that require states to implement sex
offender and crimes against children registries: the Jacob Wetterling Crimes Against
Children and Sexually Violent Offender Registration Act, the Pam Lychner Sexual Offender
Tracking and Identification Act, and Megan's Law. On March 5, 2003, the United States
Supreme Court ruled that information about potential predators may be publicly posted on
the Internet.
* Sex Offender Registration and Notification Act
To provide for the registration of sex offenders and for appropriate notification of their
whereabouts, and for other purposes.
* US Code, Title 42, 13031 - Child Abuse Reporting
A person who, while engaged in a professional capacity or activity described in subsection
(b) of this section on Federal land or in a federally operated (or contracted) facility, learns
of facts that give reason to suspect that a child has suffered an incident of child abuse,
shall as soon as possible make a report of the suspected abuse to the agency designated
under subsection (d) of this section.

Shreya Pohekar
 
Final Project – Incident Response Exercise SAMPLE.docx
Final Project – Incident Response Exercise SAMPLE.docxFinal Project – Incident Response Exercise SAMPLE.docx
Final Project – Incident Response Exercise SAMPLE.docx
lmelaine
 
Reinventing Cybersecurity in the Internet of Things
Reinventing Cybersecurity in the Internet of ThingsReinventing Cybersecurity in the Internet of Things
Reinventing Cybersecurity in the Internet of ThingsNirmal Misra
 
151022_oml_reinventing_cybersecurity_IoT_v1p
151022_oml_reinventing_cybersecurity_IoT_v1p151022_oml_reinventing_cybersecurity_IoT_v1p
151022_oml_reinventing_cybersecurity_IoT_v1pStéphane Roule
 
A Brief Note On Companies And The Largest Ever Consumer...
A Brief Note On Companies And The Largest Ever Consumer...A Brief Note On Companies And The Largest Ever Consumer...
A Brief Note On Companies And The Largest Ever Consumer...
Erin Moore
 

Similar to Cyber security and cyber law (20)

Chapter 3_Cyber Security-ccdf.pptx
Chapter 3_Cyber Security-ccdf.pptxChapter 3_Cyber Security-ccdf.pptx
Chapter 3_Cyber Security-ccdf.pptx
 
Enterprise Edge Security with Cisco ISE
Enterprise Edge Security with Cisco ISEEnterprise Edge Security with Cisco ISE
Enterprise Edge Security with Cisco ISE
 
Implementing an improved security for collin’s database and telecommuters
Implementing an improved security for collin’s database and telecommutersImplementing an improved security for collin’s database and telecommuters
Implementing an improved security for collin’s database and telecommuters
 
Nt1310 Unit 1 Assignment 1
Nt1310 Unit 1 Assignment 1Nt1310 Unit 1 Assignment 1
Nt1310 Unit 1 Assignment 1
 
5691 computer network career
5691 computer network career5691 computer network career
5691 computer network career
 
IRJET - Study Paper on Various Security Mechanism of Cloud Computing
IRJET - Study Paper on Various Security Mechanism of Cloud ComputingIRJET - Study Paper on Various Security Mechanism of Cloud Computing
IRJET - Study Paper on Various Security Mechanism of Cloud Computing
 
Hirsch Identive | White Paper | Securing the Enterprise in a Networked World
Hirsch Identive | White Paper | Securing the Enterprise in a Networked WorldHirsch Identive | White Paper | Securing the Enterprise in a Networked World
Hirsch Identive | White Paper | Securing the Enterprise in a Networked World
 
PROJECT REPORT.docx
PROJECT REPORT.docxPROJECT REPORT.docx
PROJECT REPORT.docx
 
Physical/Network Access Control
Physical/Network Access ControlPhysical/Network Access Control
Physical/Network Access Control
 
E-Mail Systems In Cloud Computing Environment Privacy,Trust And Security Chal...
E-Mail Systems In Cloud Computing Environment Privacy,Trust And Security Chal...E-Mail Systems In Cloud Computing Environment Privacy,Trust And Security Chal...
E-Mail Systems In Cloud Computing Environment Privacy,Trust And Security Chal...
 
Discuss how a successful organization should have the followin.docx
Discuss how a successful organization should have the followin.docxDiscuss how a successful organization should have the followin.docx
Discuss how a successful organization should have the followin.docx
 
Discuss how a successful organization should have the followin.docx
Discuss how a successful organization should have the followin.docxDiscuss how a successful organization should have the followin.docx
Discuss how a successful organization should have the followin.docx
 
Mobile Devices & BYOD Security – Deployment & Best Practices
Mobile Devices & BYOD Security – Deployment & Best PracticesMobile Devices & BYOD Security – Deployment & Best Practices
Mobile Devices & BYOD Security – Deployment & Best Practices
 
Chapter 2 System Security.pptx
Chapter 2 System Security.pptxChapter 2 System Security.pptx
Chapter 2 System Security.pptx
 
Information Technology Security Is Vital For The Success...
Information Technology Security Is Vital For The Success...Information Technology Security Is Vital For The Success...
Information Technology Security Is Vital For The Success...
 
Iot(security)
Iot(security)Iot(security)
Iot(security)
 
Final Project – Incident Response Exercise SAMPLE.docx
Final Project – Incident Response Exercise SAMPLE.docxFinal Project – Incident Response Exercise SAMPLE.docx
Final Project – Incident Response Exercise SAMPLE.docx
 
Reinventing Cybersecurity in the Internet of Things
Reinventing Cybersecurity in the Internet of ThingsReinventing Cybersecurity in the Internet of Things
Reinventing Cybersecurity in the Internet of Things
 
151022_oml_reinventing_cybersecurity_IoT_v1p
151022_oml_reinventing_cybersecurity_IoT_v1p151022_oml_reinventing_cybersecurity_IoT_v1p
151022_oml_reinventing_cybersecurity_IoT_v1p
 
A Brief Note On Companies And The Largest Ever Consumer...
A Brief Note On Companies And The Largest Ever Consumer...A Brief Note On Companies And The Largest Ever Consumer...
A Brief Note On Companies And The Largest Ever Consumer...
 

More from Divyank Jindal

Information Security and Ethical Hacking
Information Security and Ethical HackingInformation Security and Ethical Hacking
Information Security and Ethical Hacking
Divyank Jindal
 
SQL Commands
SQL Commands SQL Commands
SQL Commands
Divyank Jindal
 
Information Technology
Information TechnologyInformation Technology
Information TechnologyDivyank Jindal
 

More from Divyank Jindal (6)

Information Security and Ethical Hacking
Information Security and Ethical HackingInformation Security and Ethical Hacking
Information Security and Ethical Hacking
 
SQL Commands
SQL Commands SQL Commands
SQL Commands
 
Information Technology
Information TechnologyInformation Technology
Information Technology
 
Entrepreneurship
EntrepreneurshipEntrepreneurship
Entrepreneurship
 
Cyber Crime
Cyber CrimeCyber Crime
Cyber Crime
 
Fallen Angels
Fallen AngelsFallen Angels
Fallen Angels
 

Recently uploaded

一比一原版(SFU毕业证)西蒙菲莎大学毕业证成绩单如何办理
一比一原版(SFU毕业证)西蒙菲莎大学毕业证成绩单如何办理一比一原版(SFU毕业证)西蒙菲莎大学毕业证成绩单如何办理
一比一原版(SFU毕业证)西蒙菲莎大学毕业证成绩单如何办理
bakpo1
 
Gen AI Study Jams _ For the GDSC Leads in India.pdf
Gen AI Study Jams _ For the GDSC Leads in India.pdfGen AI Study Jams _ For the GDSC Leads in India.pdf
Gen AI Study Jams _ For the GDSC Leads in India.pdf
gdsczhcet
 
ASME IX(9) 2007 Full Version .pdf
ASME IX(9)  2007 Full Version       .pdfASME IX(9)  2007 Full Version       .pdf
ASME IX(9) 2007 Full Version .pdf
AhmedHussein950959
 
Sachpazis:Terzaghi Bearing Capacity Estimation in simple terms with Calculati...
Sachpazis:Terzaghi Bearing Capacity Estimation in simple terms with Calculati...Sachpazis:Terzaghi Bearing Capacity Estimation in simple terms with Calculati...
Sachpazis:Terzaghi Bearing Capacity Estimation in simple terms with Calculati...
Dr.Costas Sachpazis
 
在线办理(ANU毕业证书)澳洲国立大学毕业证录取通知书一模一样
在线办理(ANU毕业证书)澳洲国立大学毕业证录取通知书一模一样在线办理(ANU毕业证书)澳洲国立大学毕业证录取通知书一模一样
在线办理(ANU毕业证书)澳洲国立大学毕业证录取通知书一模一样
obonagu
 
Railway Signalling Principles Edition 3.pdf
Railway Signalling Principles Edition 3.pdfRailway Signalling Principles Edition 3.pdf
Railway Signalling Principles Edition 3.pdf
TeeVichai
 
WATER CRISIS and its solutions-pptx 1234
WATER CRISIS and its solutions-pptx 1234WATER CRISIS and its solutions-pptx 1234
WATER CRISIS and its solutions-pptx 1234
AafreenAbuthahir2
 
ethical hacking-mobile hacking methods.ppt
ethical hacking-mobile hacking methods.pptethical hacking-mobile hacking methods.ppt
ethical hacking-mobile hacking methods.ppt
Jayaprasanna4
 
Governing Equations for Fundamental Aerodynamics_Anderson2010.pdf
Governing Equations for Fundamental Aerodynamics_Anderson2010.pdfGoverning Equations for Fundamental Aerodynamics_Anderson2010.pdf
Governing Equations for Fundamental Aerodynamics_Anderson2010.pdf
WENKENLI1
 
Architectural Portfolio Sean Lockwood
Architectural Portfolio Sean LockwoodArchitectural Portfolio Sean Lockwood
Architectural Portfolio Sean Lockwood
seandesed
 
Immunizing Image Classifiers Against Localized Adversary Attacks
Immunizing Image Classifiers Against Localized Adversary AttacksImmunizing Image Classifiers Against Localized Adversary Attacks
Immunizing Image Classifiers Against Localized Adversary Attacks
gerogepatton
 
一比一原版(IIT毕业证)伊利诺伊理工大学毕业证成绩单专业办理
一比一原版(IIT毕业证)伊利诺伊理工大学毕业证成绩单专业办理一比一原版(IIT毕业证)伊利诺伊理工大学毕业证成绩单专业办理
一比一原版(IIT毕业证)伊利诺伊理工大学毕业证成绩单专业办理
zwunae
 
CME397 Surface Engineering- Professional Elective
CME397 Surface Engineering- Professional ElectiveCME397 Surface Engineering- Professional Elective
CME397 Surface Engineering- Professional Elective
karthi keyan
 
Final project report on grocery store management system..pdf
Final project report on grocery store management system..pdfFinal project report on grocery store management system..pdf
Final project report on grocery store management system..pdf
Kamal Acharya
 
power quality voltage fluctuation UNIT - I.pptx
power quality voltage fluctuation UNIT - I.pptxpower quality voltage fluctuation UNIT - I.pptx
power quality voltage fluctuation UNIT - I.pptx
ViniHema
 
MCQ Soil mechanics questions (Soil shear strength).pdf
MCQ Soil mechanics questions (Soil shear strength).pdfMCQ Soil mechanics questions (Soil shear strength).pdf
MCQ Soil mechanics questions (Soil shear strength).pdf
Osamah Alsalih
 
Hierarchical Digital Twin of a Naval Power System
Hierarchical Digital Twin of a Naval Power SystemHierarchical Digital Twin of a Naval Power System
Hierarchical Digital Twin of a Naval Power System
Kerry Sado
 
Top 10 Oil and Gas Projects in Saudi Arabia 2024.pdf
Top 10 Oil and Gas Projects in Saudi Arabia 2024.pdfTop 10 Oil and Gas Projects in Saudi Arabia 2024.pdf
Top 10 Oil and Gas Projects in Saudi Arabia 2024.pdf
Teleport Manpower Consultant
 
The role of big data in decision making.
The role of big data in decision making.The role of big data in decision making.
The role of big data in decision making.
ankuprajapati0525
 
The Benefits and Techniques of Trenchless Pipe Repair.pdf
The Benefits and Techniques of Trenchless Pipe Repair.pdfThe Benefits and Techniques of Trenchless Pipe Repair.pdf
The Benefits and Techniques of Trenchless Pipe Repair.pdf
Pipe Restoration Solutions
 

Recently uploaded (20)

一比一原版(SFU毕业证)西蒙菲莎大学毕业证成绩单如何办理
一比一原版(SFU毕业证)西蒙菲莎大学毕业证成绩单如何办理一比一原版(SFU毕业证)西蒙菲莎大学毕业证成绩单如何办理
一比一原版(SFU毕业证)西蒙菲莎大学毕业证成绩单如何办理
 
Gen AI Study Jams _ For the GDSC Leads in India.pdf
Gen AI Study Jams _ For the GDSC Leads in India.pdfGen AI Study Jams _ For the GDSC Leads in India.pdf
Gen AI Study Jams _ For the GDSC Leads in India.pdf
 
ASME IX(9) 2007 Full Version .pdf
ASME IX(9)  2007 Full Version       .pdfASME IX(9)  2007 Full Version       .pdf
ASME IX(9) 2007 Full Version .pdf
 
Sachpazis:Terzaghi Bearing Capacity Estimation in simple terms with Calculati...
Sachpazis:Terzaghi Bearing Capacity Estimation in simple terms with Calculati...Sachpazis:Terzaghi Bearing Capacity Estimation in simple terms with Calculati...
Sachpazis:Terzaghi Bearing Capacity Estimation in simple terms with Calculati...
 
在线办理(ANU毕业证书)澳洲国立大学毕业证录取通知书一模一样
在线办理(ANU毕业证书)澳洲国立大学毕业证录取通知书一模一样在线办理(ANU毕业证书)澳洲国立大学毕业证录取通知书一模一样
在线办理(ANU毕业证书)澳洲国立大学毕业证录取通知书一模一样
 
Railway Signalling Principles Edition 3.pdf
Railway Signalling Principles Edition 3.pdfRailway Signalling Principles Edition 3.pdf
Railway Signalling Principles Edition 3.pdf
 
WATER CRISIS and its solutions-pptx 1234
WATER CRISIS and its solutions-pptx 1234WATER CRISIS and its solutions-pptx 1234
WATER CRISIS and its solutions-pptx 1234
 
ethical hacking-mobile hacking methods.ppt
ethical hacking-mobile hacking methods.pptethical hacking-mobile hacking methods.ppt
ethical hacking-mobile hacking methods.ppt
 
Governing Equations for Fundamental Aerodynamics_Anderson2010.pdf
Governing Equations for Fundamental Aerodynamics_Anderson2010.pdfGoverning Equations for Fundamental Aerodynamics_Anderson2010.pdf
Governing Equations for Fundamental Aerodynamics_Anderson2010.pdf
 
Architectural Portfolio Sean Lockwood
Architectural Portfolio Sean LockwoodArchitectural Portfolio Sean Lockwood
Architectural Portfolio Sean Lockwood
 
Immunizing Image Classifiers Against Localized Adversary Attacks
Immunizing Image Classifiers Against Localized Adversary AttacksImmunizing Image Classifiers Against Localized Adversary Attacks
Immunizing Image Classifiers Against Localized Adversary Attacks
 
一比一原版(IIT毕业证)伊利诺伊理工大学毕业证成绩单专业办理
一比一原版(IIT毕业证)伊利诺伊理工大学毕业证成绩单专业办理一比一原版(IIT毕业证)伊利诺伊理工大学毕业证成绩单专业办理
一比一原版(IIT毕业证)伊利诺伊理工大学毕业证成绩单专业办理
 
CME397 Surface Engineering- Professional Elective
CME397 Surface Engineering- Professional ElectiveCME397 Surface Engineering- Professional Elective
CME397 Surface Engineering- Professional Elective
 
Final project report on grocery store management system..pdf
Final project report on grocery store management system..pdfFinal project report on grocery store management system..pdf
Final project report on grocery store management system..pdf
 
power quality voltage fluctuation UNIT - I.pptx
power quality voltage fluctuation UNIT - I.pptxpower quality voltage fluctuation UNIT - I.pptx
power quality voltage fluctuation UNIT - I.pptx
 
MCQ Soil mechanics questions (Soil shear strength).pdf
MCQ Soil mechanics questions (Soil shear strength).pdfMCQ Soil mechanics questions (Soil shear strength).pdf
MCQ Soil mechanics questions (Soil shear strength).pdf
 
Hierarchical Digital Twin of a Naval Power System
Hierarchical Digital Twin of a Naval Power SystemHierarchical Digital Twin of a Naval Power System
Hierarchical Digital Twin of a Naval Power System
 
Top 10 Oil and Gas Projects in Saudi Arabia 2024.pdf
Top 10 Oil and Gas Projects in Saudi Arabia 2024.pdfTop 10 Oil and Gas Projects in Saudi Arabia 2024.pdf
Top 10 Oil and Gas Projects in Saudi Arabia 2024.pdf
 
The role of big data in decision making.
The role of big data in decision making.The role of big data in decision making.
The role of big data in decision making.
 
The Benefits and Techniques of Trenchless Pipe Repair.pdf
The Benefits and Techniques of Trenchless Pipe Repair.pdfThe Benefits and Techniques of Trenchless Pipe Repair.pdf
The Benefits and Techniques of Trenchless Pipe Repair.pdf
 

Cyber security and cyber law

Cyber Security and Cyber Law
By:- D!vy@nk Gupt@
CR [ITESM]
IIT DWARKA
2012-2013
Cyber Security
WINDOWS SECURITY FEATURES
User Account Control is a new infrastructure that requires user consent before allowing any action that requires administrative privileges. With this feature, all users, including users with administrative privileges, run in a standard user mode by default, since most applications do not require higher privileges. When some action is attempted that needs administrative privileges, such as installing new software or changing system settings, Windows will prompt the user whether to allow the action or not.
BitLocker Drive Encryption
Formerly known as "Secure Startup", this feature offers full disk encryption for the system volume. Using the command-line utility, it is possible to encrypt additional volumes. BitLocker utilizes a USB key or Trusted Platform Module (compliant with version 1.2 of the TCG specifications) to store its encryption key. It ensures that the computer running Windows Vista starts in a known-good state, and it also protects data from unauthorized access. Data on the volume is encrypted with a Full Volume Encryption Key (FVEK), which is further encrypted with a Volume Master Key (VMK) and stored on the disk itself.
Windows Firewall
The firewall addresses a number of concerns around the flexibility of Windows Firewall in a corporate environment:
* IPv6 connection filtering
* Outbound packet filtering, reflecting increasing concerns about spyware and viruses that attempt to "phone home".
* With the advanced packet filter, rules can also be specified for source and destination IP addresses and port ranges.
* Rules can be configured for services by service name chosen from a list, without needing to specify the full path file name.
* IPsec is fully integrated, allowing connections to be allowed or denied based on security certificates, Kerberos authentication, etc. Encryption can also be required for any kind of connection. A connection security rule can be created using a wizard that handles the complex configuration of IPsec policies on the machine. Windows Firewall can allow traffic based on whether the traffic is secured by IPsec.
* A new management console snap-in named Windows Firewall with Advanced Security, which provides access to many advanced options, including IPsec configuration, and enables remote administration.
* Ability to have separate firewall profiles for when computers are domain-joined or connected to a private or public network. Support for the creation of rules for enforcing server and domain isolation policies.
Windows Defender
Windows Vista and Windows 7 include Windows Defender, Microsoft's anti-spyware utility. According to Microsoft, it was renamed from 'Microsoft AntiSpyware' because it not only features scanning of the system for spyware, similar to other free products on the market, but also includes Real Time Security agents that monitor several common areas of Windows for changes which may be caused by spyware. These areas include Internet Explorer configuration and downloads, auto-start applications, system configuration settings, and add-ons to Windows such as Windows Shell extensions. Windows Defender also includes the ability to remove ActiveX applications that are installed and block startup programs. It also incorporates the SpyNet network, which allows users to communicate with Microsoft, send what they consider to be spyware, and check which applications are acceptable.
Cryptographic API
Windows Vista and Windows 7 feature an update to the Crypto API known as Cryptography API: Next Generation (CNG). The CNG API is a user mode and kernel mode API that includes support for elliptic curve cryptography (ECC) and a number of newer algorithms that are part of the National Security Agency (NSA) Suite B. It is extensible, featuring support for plugging in custom cryptographic APIs into the CNG runtime. It also integrates with the smart card subsystem by including a Base CSP module which implements all the standard backend cryptographic functions that developers and smart card manufacturers need, so that they do not have to write complex CSPs. The Microsoft Certificate Authority can issue ECC certificates and the certificate client can enroll and validate ECC and SHA-2 based certificates.
Network Access Protection
Windows introduces Network Access Protection (NAP), which makes sure that computers connecting to a network or communicating over a network conform to a required level of system health as set by the administrator of the network. Depending on the policy set by the administrator, the computers which do not meet the requirements will either be warned and granted access, allowed limited access to network resources, or completely denied access. NAP can also optionally provide software updates to a noncompliant computer, using a Remediation Server, to upgrade it to the level required to access the network. A conforming client is given a Health Certificate, which it then uses to access protected resources on the network.
(2) Network Security Challenges
1. Verifying User Identity
How can others know it's you? Communication is approaching near continuous between
friends, family, businesses & services. With current authentication standards, often we take on faith that we're being contacted by the "real" sender the message claims. It's one thing if the imposter is just sending e-mails, but what if it's your bank or retirement account that doesn't know it's not you? Challenges five and three tie in closely with this, the top challenge.
2. Protecting Against DDoS Attacks
Distributed denial of service (DDoS) attacks use force of numbers to overwhelm targets with data and connection attempts. Individual users may be the target of such attacks, or their systems may be usurped for use in such an attack against a company or organization. Bots on infected machines may lie dormant until an attack is triggered.
3. Preventing User System Hijacking
Even with better and better firewalls and anti-malware software for users, malicious programs (like viruses, worms or trojans) that take control of a user's computer and programs are an ever-present threat. Once the malicious program has control it can wreak havoc acting as the user, attacking friends, family, and other contacts while masquerading as the hapless victim.
4. Protecting User Confidential Data
More and more services are moving to the Internet. Interoperation between the various services is becoming more frequent and more complex. Financial transactions from sales to investments online are becoming ubiquitous. The risk of sensitive & high-value data exposure and criminal access to that data increases all the time.
5. Securing Web Applications
Developers and application providers want their applications to be available quickly and easily to anyone in the world, from any platform from a phone to a kiosk. Having users hassle with anything more than a simple password seems too much to ask. I'm asking it! At least consider the option for certificates, multi-factor authentication, multi-stage authentication and so forth.
Limitations of Today's Security Solutions
As threats become more sophisticated and workplace data leaks grow more prevalent, today's security solutions struggle to keep up. Conventional technologies like firewalls, IDS systems, and VPNs may prevent outside threats but fail to protect against "inside threats" from employees who accidentally infect the network.
Security solutions such as Network Access Controls (NAC) focus on initial posture
assessment and authentication of the employee's endpoint. Once a user is authenticated, he or she is no longer monitored and can act in ways harmful to the network. In addition, today's "borderless" organizations freely share information globally between employees and partners. These enterprises attempt to balance openness and flexibility with security risks as employees work from home, airports, and other non-secure, off-site locations.
Workplace Changes
Greater numbers of telecommuting and traveling employees and the blurring between home and work offices have increased mobile device use, creating the need for better protection against the loss of sensitive corporate and user data. This mobile workforce makes it harder for IT departments to maintain updated antivirus and software patches on all computers, making it increasingly difficult to control how and where users connect. Storage devices, such as USB sticks, and music players add new channels for infection. In addition, inadequate remote office security, lack of security personnel, and lax policy enforcement negatively impact security.
Unprotected channels, such as Web mail or wireless networks, and easily exploited technologies, such as P2P file sharing, streaming media, and instant messaging, allow malware to enter the network while draining valuable network bandwidth. In addition, hard-to-detect, zero-day malware requires immediate attention and is beyond the means of most antivirus applications, which rely on a pattern-based approach. Once inside, malware can leak data to cybercriminals, posing problems both for the consumers who lose confidential data and for businesses whose reputations are irreparably damaged when data is lost. Damage clean-up costs and lost productivity create the need for a better solution to protect against insider threats.
Forrester Research estimates that up to 85 percent of enterprise security breaches involve internal people and resources. And according to Gartner, "organizational costs of a sensitive data breach will increase 20 percent per year over the next two years."
Lack of Information About Your Local Threat Environment
Today's security environment is ready for a new approach. Lack of visibility into the exact location and cause of infections prevents your IT department from determining the most appropriate remedy. To achieve more holistic coverage, security personnel need more information to better understand how threats occur and exactly where they enter the network. Most security systems show that malware was detected (for example, that IRC bot activity occurred); however, no information is provided about how or where the infection happened. This creates a lack of visibility into the overall security threat posture, which hampers the ability of IT personnel to identify network pain points and the origin of threats, such as a company's marketing department or an organization's remote office.
Companies need greater detail about the threat environment, such as the type of threats residing in the network, or the percentage that are malware or hacking attempts or that are caused by disruptive applications. Determining the root cause of how these threats entered the
network helps IT formulate better security policies.
Internet Security
Network layer security
TCP/IP can be made secure with the help of cryptographic methods and protocols that have been developed for securing communications on the Internet. These protocols include SSL and TLS for web traffic, PGP for email, and IPsec for network layer security.
IPsec Protocol
This protocol is designed to protect communication in a secure manner using TCP/IP. It is a set of security extensions developed by the IETF, and it provides security and authentication at the IP layer by using cryptography. To protect the content, the data is transformed using encryption techniques. There are two main types of transformation that form the basis of IPsec: the Authentication Header (AH) and Encapsulating Security Payload (ESP). These two protocols provide data integrity, data origin authentication, and anti-replay service. They can be used alone or in combination to provide the desired set of security services for the Internet Protocol (IP) layer.
The basic components of the IPsec security architecture are described in terms of the following functionalities:
* Security protocols for AH and ESP
* Security association for policy management and traffic processing
* Manual and automatic key management for the Internet Key Exchange (IKE)
* Algorithms for authentication and encryption.
Malicious software
Malware :- Malware, short for malicious software, is software designed to secretly access a computer system without the owner's informed consent. The expression is a general term used by computer professionals to mean a variety of forms of hostile, intrusive, or annoying software or program code. Software is considered to be malware based on the perceived intent of the creator rather than any particular features.
Malware includes computer viruses, worms, trojan horses, spyware, dishonest adware, scareware, crimeware, most rootkits, and other malicious and unwanted software or programs. In law, malware is sometimes known as a computer contaminant.
Viruses :- A computer virus is a computer program that can copy itself and infect a computer. The term "virus" is also commonly but erroneously used to refer to other types of malware, including but not limited to adware and spyware programs that do not have the reproductive ability. A true virus can spread from one computer to another (in some form of executable code) when its host is taken to the target computer; for instance because a user sent it over a network or the Internet, or carried it on a removable medium such as a floppy disk, CD, DVD, or USB drive. Viruses can increase their chances of spreading to
other computers by infecting files on a network file system or a file system that is accessed by another computer.
Trojan Horse :- A Trojan horse, or Trojan, is malware that appears to perform a desirable function for the user prior to being run or installed but instead facilitates unauthorized access to the user's computer system. "It is a harmful piece of software that looks legitimate. Users are typically tricked into loading and executing it on their systems", as Cisco describes. Trojan horses may allow a hacker remote access to a target computer system. Once a Trojan horse has been installed on a target computer system, a hacker may have access to the computer remotely and perform various operations, limited by user privileges on the target computer system and the design of the Trojan horse.
Spyware :- Spyware is a type of malware that can be installed on computers, and which collects small pieces of information about users without their knowledge. The presence of spyware is typically hidden from the user, and can be difficult to detect. Typically, spyware is secretly installed on the user's personal computer. Sometimes, however, spyware such as keyloggers is installed by the owner of a shared, corporate, or public computer on purpose in order to secretly monitor other users.
Worm :- A computer worm is a self-replicating malware computer program. It uses a computer network to send copies of itself to other nodes (computers on the network) and it may do so without any user intervention. This is due to security shortcomings on the target computer. Unlike a virus, it does not need to attach itself to an existing program. Worms almost always cause at least some harm to the network, even if only by consuming bandwidth, whereas viruses almost always corrupt or modify files on a targeted computer.
Buffer Overflow :- In computer security and programming, a buffer overflow, or buffer overrun, is an anomaly where a program, while writing data to a buffer, overruns the buffer's boundary and overwrites adjacent memory. Buffer overflows can be triggered by inputs that are designed to execute code, or alter the way the program operates. This may result in erratic program behavior, including memory access errors, incorrect results, a crash, or a breach of system security. They are thus the basis of many software vulnerabilities and can be maliciously exploited.
Botnet :- A botnet is a collection of software agents, or robots, that run autonomously and automatically. The term is most commonly associated with IRC bots and more recently malicious software, but it can also refer to a network of computers using distributed computing software. The main drivers for botnets are recognition and financial gain. The larger the botnet, the more 'kudos' the herder can claim to have among the underground community. The bot herder will also 'rent' the services of the botnet out to third parties, usually for sending out spam messages, or for performing a denial of service attack against a remote target. Due to the large numbers of compromised machines within the botnet, huge volumes of traffic (either email or denial of service) can be generated.
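The buffer overflow defined above, as an added example that is not part of the original slides: a fixed-size buffer with a field placed after it, the unchecked copy that would overrun it, and a length-checked replacement that rejects oversized input. The `account` struct, the function names and the sample inputs are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_LEN 8

/* Constructed record: a fixed-size buffer with another field placed after it. */
struct account {
    char name[NAME_LEN];
    int  is_admin;
};

/* Unsafe pattern, kept for contrast: strcpy() writes strlen(src) + 1 bytes
 * and never looks at the size of the destination. */
void set_name_unchecked(struct account *a, const char *src)
{
    strcpy(a->name, src);
}

/* How many bytes the unchecked copy would write beyond name[] for this
 * input (0 when the input fits). The overrun is computed, not performed. */
size_t overrun_bytes(const char *src)
{
    size_t written = strlen(src) + 1;           /* text plus terminator */
    return written > NAME_LEN ? written - NAME_LEN : 0;
}

/* Would the unchecked copy write into the adjacent is_admin field? */
int overrun_reaches_flag(const char *src)
{
    size_t written = strlen(src) + 1;
    return written > offsetof(struct account, is_admin);
}

/* Hardened form: measure the input against the buffer first and refuse
 * anything that does not fit, leaving the record untouched.
 * Returns 0 on success, -1 on rejection. */
int set_name_checked(struct account *a, const char *src)
{
    size_t len = 0;

    if (a == NULL || src == NULL)
        return -1;
    while (len < NAME_LEN && src[len] != '\0')
        len++;
    if (len == NAME_LEN)             /* no terminator within NAME_LEN bytes */
        return -1;
    memcpy(a->name, src, len + 1);   /* len + 1 <= NAME_LEN */
    return 0;
}

int main(void)
{
    struct account acct = { "guest", 0 };
    const char *inputs[] = { "alice", "AAAAAAAAAAAA" };   /* constructed inputs */
    size_t i;

    /* Safe only because this particular input happens to fit. */
    set_name_unchecked(&acct, "bob");

    for (i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        int rc = set_name_checked(&acct, inputs[i]);
        printf("%-14s rc=%d overrun=%zu reaches_flag=%d name=%s is_admin=%d\n",
               inputs[i], rc, overrun_bytes(inputs[i]),
               overrun_reaches_flag(inputs[i]), acct.name, acct.is_admin);
    }
    return 0;
}
```

Rejecting the input instead of truncating it keeps the record in a known state and gives the caller an error to log.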
Cryptography
Cryptography can be defined as the conversion of data into a scrambled code that can be deciphered and sent across a public or private network. Cryptography uses two main styles or forms of encrypting data: symmetrical and asymmetrical. Symmetric encryptions, or algorithms, use the same key for encryption as they do for decryption. Other names for this type of encryption are secret-key, shared-key, and private-key. The encryption key can be loosely related to the decryption key; it does not necessarily need to be an exact copy.
Symmetric Encryption
Symmetric encryption is the oldest and best-known technique. A secret key, which can be a number, a word, or just a string of random letters, is applied to the text of a message to change the content in a particular way. This might be as simple as shifting each letter by a number of places in the alphabet. As long as both sender and recipient know the secret key, they can encrypt and decrypt all messages that use this key.
Asymmetric Encryption
In asymmetric encryption there are two related keys - a key pair. A public key is made freely available to anyone who might want to send you a message. A second, private key is kept secret, so that only you know it. Any message (text, binary files, or documents) that is encrypted by using the public key can only be decrypted by applying the same algorithm, but by using the matching private key. Any message that is encrypted by using the private key can only be decrypted by using the matching public key. This means that you do not have to worry about passing public keys over the Internet (the keys are supposed to be public). A problem with asymmetric encryption, however, is that it is slower than symmetric encryption. It requires far more processing power to both encrypt and decrypt the content of the message.
Digital Signatures:-
A digital signature (not to be confused with a digital certificate) is an electronic signature that can be used to authenticate the identity of the sender of a message or the signer of a document, and possibly to ensure that the original content of the message or document that has been sent is unchanged. Digital signatures are easily transportable, cannot be imitated by someone else, and can be automatically time-stamped. The ability to ensure that the original signed message arrived means that the sender cannot easily repudiate it later.
A digital signature can be used with any kind of message, whether it is encrypted or not, simply so that the receiver can be sure of the sender's identity and that the message arrived intact. A digital certificate contains the digital signature of the certificate-issuing authority so that anyone can verify that the certificate is real.
Assume you were going to send the draft of a contract to your lawyer in another town. You want to give your lawyer the assurance that it was unchanged from what you sent and that it is really from you.
1. You copy-and-paste the contract (it's a short one!) into an e-mail note.
2. Using special software, you obtain a message hash (mathematical summary) of the
contract.
3. You then use a private key that you have previously obtained from a public-private key authority to encrypt the hash.
4. The encrypted hash becomes your digital signature of the message. (Note that it will be different each time you send a message.)
At the other end, your lawyer receives the message.
1. To make sure it's intact and from you, your lawyer makes a hash of the received message.
2. Your lawyer then uses your public key to decrypt the message hash or summary.
3. If the hashes match, the received message is valid.
SSL
The Secure Sockets Layer (SSL) is a commonly-used protocol for managing the security of a message transmission on the Internet. SSL has recently been succeeded by Transport Layer Security (TLS), which is based on SSL. SSL uses a program layer located between the Internet's Hypertext Transfer Protocol (HTTP) and Transport Control Protocol (TCP) layers. SSL is included as part of both the Microsoft and Netscape browsers and most Web server products. Developed by Netscape, SSL also gained the support of Microsoft and other Internet client/server developers and became the de facto standard until evolving into Transport Layer Security. The "sockets" part of the term refers to the sockets method of passing data back and forth between a client and a server program in a network or between program layers in the same computer. SSL uses the public-and-private key encryption system from RSA, which also includes the use of a digital certificate.
TLS and SSL are an integral part of most Web browsers (clients) and Web servers. If a Web site is on a server that supports SSL, SSL can be enabled and specific Web pages can be identified as requiring SSL access. Any Web server can be enabled by using Netscape's SSLRef program library which can be downloaded for noncommercial use or licensed for commercial use.
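The sign-and-verify steps of the contract example under Digital Signatures, as an added Python example (not part of the original notes). It uses textbook RSA without padding on constructed demo keys built from publicly known Mersenne primes; the keys, the sample contract text and the helper names are assumptions made for illustration.

```python
"""Hash-then-sign walk-through of the contract example (added illustration).

Textbook RSA without padding on constructed demo keys. The primes are
publicly known Mersenne primes, so these keys protect nothing; real systems
use a vetted library (RSA-PSS, Ed25519) with randomly generated keys.
"""
import hashlib

E = 65537  # common public exponent


def make_key(p: int, q: int) -> dict:
    """Build a key pair from two primes (hypothetical helper for this demo)."""
    return {"n": p * q, "e": E, "d": pow(E, -1, (p - 1) * (q - 1))}  # Python 3.8+


# Constructed demo keys: the sender's pair and an impostor's unrelated pair.
SENDER = make_key(2**521 - 1, 2**607 - 1)
IMPOSTOR = make_key(2**127 - 1, 2**1279 - 1)


def message_hash(message: bytes) -> int:
    """Sender step 2 / receiver step 1: the 'mathematical summary' as an integer."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes, private_key: dict) -> int:
    """Sender steps 3-4: transform the hash with the private exponent d."""
    return pow(message_hash(message), private_key["d"], private_key["n"])


def verify(message: bytes, signature: int, public_key: dict) -> bool:
    """Receiver steps 2-3: recover the signed hash with (e, n) and compare."""
    n, e = public_key["n"], public_key["e"]
    if not 0 <= signature < n:  # reject values outside the modulus
        return False
    return pow(signature, e, n) == message_hash(message)


def run_exchange() -> dict:
    """Play the contract exchange, with the failures a receiver must catch."""
    contract = b"Draft contract v1: fee 10,000, payable within 30 days."
    tampered = b"Draft contract v1: fee 90,000, payable within 30 days."
    public = {"n": SENDER["n"], "e": SENDER["e"]}  # all the lawyer holds

    signature = sign(contract, SENDER)
    forged = sign(contract, IMPOSTOR)  # right text, wrong private key
    return {
        "intact_message_accepted": verify(contract, signature, public),
        "altered_message_accepted": verify(tampered, signature, public),
        "impostor_signature_accepted": verify(contract, forged, public),
        "signature_differs_per_message": signature != sign(tampered, SENDER),
    }


if __name__ == "__main__":
    for check, result in run_exchange().items():
        print(f"{check}: {result}")
```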
HTTPS
HTTPS (HTTP over SSL or HTTP Secure) is the use of Secure Socket Layer (SSL) or Transport Layer Security (TLS) as a sublayer under regular HTTP application layering. HTTPS encrypts and decrypts user page requests as well as the pages that are returned by the Web server. The use of HTTPS protects against eavesdropping and man-in-the-middle attacks. HTTPS was developed by Netscape.
HTTPS and SSL support the use of X.509 digital certificates from the server so that, if necessary, a user can authenticate the sender. Unless a different port is specified, HTTPS uses port 443 instead of HTTP port 80 in its interactions with the lower layer, TCP/IP.
Suppose you visit a Web site to view their online catalog. When you're ready to order, you will be given a Web page order form with a Uniform Resource Locator (URL) that starts with https://. When you click "Send," to send the page back to the catalog retailer, your browser's HTTPS layer will encrypt it. The acknowledgement you receive from the server will also travel in encrypted form, arrive with
an https:// URL, and be decrypted for you by your browser's HTTPS sublayer.
The effectiveness of HTTPS can be limited by poor implementation of browser or server software or a lack of support for some algorithms. Furthermore, although HTTPS secures data as it travels between the server and the client, once the data is decrypted at its destination, it is only as secure as the host computer. According to security expert Gene Spafford, that level of security is analogous to "using an armored truck to transport rolls of pennies between someone on a park bench and someone doing business from a cardboard box."
FIREWALL
A firewall is a set of related programs located at a network gateway server that protects the resources of a private network from potential intruders. Firewalls do not verify that information is coming from a secure source. Instead, they enforce a set of rules that determine what information is allowed to pass.
There are several types of firewall techniques:
1. Packet filter: Packet filtering inspects each packet passing through the network and accepts or rejects it based on user-defined rules. Although difficult to configure, it is fairly effective and mostly transparent to its users. It is susceptible to IP spoofing. This type of packet filtering pays no attention to whether a packet is part of an existing stream of traffic (i.e. it stores no information on connection "state"). Instead, it filters each packet based only on information contained in the packet itself. Packet filtering firewalls work mainly on the first three layers of the OSI reference model, which means most of the work is done between the network and physical layers, with a little bit of peeking into the transport layer to figure out source and destination port numbers.
When a packet originates from the sender and filters through a firewall, the device checks for matches to any of the packet filtering rules that are configured in the firewall and drops or rejects the packet accordingly. When the packet passes through the firewall, it filters the packet on a protocol/port number basis (GSS). For example, if a rule in the firewall exists to block telnet access, then the firewall will block the IP protocol for port number
2. Application gateway: Applies security mechanisms to specific applications, such as FTP and Telnet servers. This is very effective, but can impose a performance degradation. The key benefit of application layer filtering is that it can "understand" certain applications and protocols (such as File Transfer Protocol, DNS, or web browsing), and it can detect if an unwanted protocol is sneaking through on a non-standard port or if a protocol is being abused in any harmful way. An application firewall is much more secure and reliable compared to packet filter firewalls because it works on all seven layers of the OSI reference model, from the application down to the physical layer. This is similar to a packet filter firewall but here we can also filter information on the basis of content.
3. Circuit-level gateway:
Applies security mechanisms when a TCP or UDP connection is established. Once the connection has been made, packets can flow between the hosts without further checking. A circuit-level gateway is a type of firewall. Circuit-level gateways work at the session layer of the OSI model, or as a "shim-layer" between the application layer and the transport layer of the TCP/IP stack. They monitor TCP handshaking between packets to determine whether a requested session is legitimate. Information passed to a remote computer through a circuit-level gateway appears to have originated from the gateway. This is useful for hiding information about protected networks. Circuit-level gateways are relatively inexpensive and have the advantage of hiding information about the private network they protect. On the other hand, they do not filter individual packets.
4. Proxy server: Intercepts all messages entering and leaving the network. The proxy server effectively hides the true network addresses. In computer networks, a proxy server is a server (a computer system or an application program) that acts as an intermediary for requests from clients seeking resources from other servers. A client connects to the proxy server, requesting some service, such as a file, connection, web page, or other resource, available from a different server. The proxy server evaluates the request according to its filtering rules. For example, it may filter traffic by IP address or protocol. If the request is validated by the filter, the proxy provides the resource by connecting to the relevant server and requesting the service on behalf of the client. A proxy server may optionally alter the client's request or the server's response, and sometimes it may serve the request without contacting the specified server.
In this case, it 'caches' responses from the remote server, and returns subsequent requests for the same content directly.
INTRUSION DETECTION SYSTEM
An intrusion detection system (IDS) is a device or software application that monitors network and/or system activities for malicious activities or policy violations and produces reports to a Management Station. Intrusion prevention is the process of performing intrusion detection and attempting to stop detected possible incidents. Intrusion detection and prevention systems (IDPS) are primarily focused on identifying possible incidents, logging information about them, attempting to stop them, and reporting them to security administrators. In addition, organizations use IDPSs for other purposes, such as identifying problems with security policies, documenting existing threats, and deterring individuals from violating security policies. IDPSs have become a necessary addition to the security infrastructure of nearly every organization.
IDPSs typically record information related to observed events, notify security administrators of important observed events, and produce reports. Many IDPSs can also respond to a detected threat by attempting to prevent it from succeeding. They use several response techniques, which involve the IDPS stopping the attack itself, changing the security environment (e.g., reconfiguring a firewall), or changing the attack's content.
IDS Terminology
* Alert/Alarm: A signal suggesting that a system has been or is being attacked.
* True Positive: A legitimate attack which triggers an IDS to produce an alarm.
* False Positive: An event signaling an IDS to produce an alarm when no attack has taken place.
* False Negative: A failure of an IDS to detect an actual attack.
* True Negative: When no attack has taken place and no alarm is raised.
* Noise: Data or interference that can trigger a false positive.
* Site policy: Guidelines within an organization that control the rules and configurations of an IDS.
* Site policy awareness: The ability an IDS has to dynamically change its rules and configurations in response to changing environmental activity.
* Confidence value: A value an organization places on an IDS based on past performance and analysis to help determine its ability to effectively identify an attack.
* Alarm filtering: The process of categorizing attack alerts produced from an IDS in order to distinguish false positives from actual attacks.
* Attacker or Intruder: An entity who tries to find a way to gain unauthorized access to information, inflict harm or engage in other malicious activities.
* Masquerader: A user who does not have the authority to a system, but tries to access the information as an authorized user. They are generally outside users.
* Misfeasor: They are commonly internal users and can be of two types:
  1. An authorized user with limited permissions.
  2. A user with full permissions and who misuses their powers.
* Clandestine user: A user who acts as a supervisor and tries to use his privileges so as to avoid being captured.
Limitations
Noise
Noise can severely limit an intrusion detection system's effectiveness. Bad packets generated from software bugs, corrupt DNS data, and local packets that escaped can create a significantly high false-alarm rate.
Too few attacks
It is not uncommon for the number of real attacks to be far below the false-alarm rate.
Real attacks are often so far below the false-alarm rate that they are often missed and ignored.
Signature updates
Many attacks are geared for specific versions of software that are usually outdated. A constantly changing library of signatures is needed to mitigate threats. Outdated signature databases can leave the IDS vulnerable to new strategies.
Cyber Forensic Tools
Cyber forensics is a field that is increasingly getting noted at higher levels, whether for solving a local crime or for matters that concern the security of a country. Let us look at
some of the best forensic tools used to investigate cases related to cyber crime or those that are used for scientific purposes.
Cyber forensics is an interesting domain which is coupled with technical advances and the ability to use them effectively. Cyber forensics is primarily used in the investigation of cyber crimes (i.e., crimes that occur over and on the technology front). However, this need not be the case, since most forensic techniques and tools are also used for scientific purposes and research. With serious issues like terrorism that threaten the national integrity of a country, it is only wise to learn and know the tools of the trade that terrorists use against the state.
Cyber forensic tools aid not only in investigating crime cases but also in drafting and creating hard evidence for the same. Let us evaluate just some of these tools that have long been used by forensic investigators, scientists and some notorious elements alike:
X-Ways WinHex
WinHex is used as a universal hexadecimal editor and is primarily useful in low-level data processing, file inspection, digital camera card recovery, recovery of files even from corrupt file systems, etc. This is one heck of a powerful tool and can especially be used in gathering digital evidence.
FirstOnScene (FOS)
FOS is the only tool of its kind. It is a Visual Basic script rather than an executable binary file. First On Scene works with other tools such as PSTools, LogonSessions, FPort, NTLast, PromiscDetect, FileHasher, etc. to gather an evidence log report. This log report can further be analyzed by forensic experts to extract important information.
Rifiuti
Rifiuti is a unique tool that aids investigators in finding the very last details of your system's recycle bin folders. Rifiuti is useful to gather critical information on all your delete and undelete activities.
Pasco
Pasco is a Latin word for "browse".
Pasco helps in the analysis of the contents of Internet Explorer's cache. So in short it can be particularly useful to gather internet activity records from a target computer.
Galleta
Galleta is a Spanish word that means "cookie". Galleta is useful in examining the contents of cookie files on your machine. Cookie files are basically temporary internet files used by websites to maintain their indigenous logs for tracking and other such purposes.
Forensic Acquisition Utilities (FAU)
Forensic Acquisition Utilities is a set of forensic tools such as md5 checker, file wiper, etc. used for assorted purposes in research and investigation.
NMap
NMap is particularly associated with network security. NMap is a port scanner tool that helps find open ports on a remote machine. What separates NMap from other tools is its
ability to evade source machine identity and to work without causing any Intrusion Detection System (IDS) alarms to go off.
Ethereal
Ethereal is another network security tool which is not a port scanner but rather a network packet sniffer. Ethereal sniffs data packets over the network and can provide investigators with incoming/outgoing data that is sent over a network. However, Ethereal itself cannot be useful in cases where strong encryption algorithms are in place at the source and destination computers.
BinText
BinText does not directly investigate but can be useful to browse through gathered evidence files such as log files generated by other forensic tools. BinText can be used for pattern matching and filtering these log files.
PyFlag Tools
PyFlag is a couple of tools used for log analysis and can be very effective for investigators if coupled and used with other forensic tools.
Miscellaneous Steganography Tools
Steganography is out of the scope of this article; however, it cannot be ruled out from the forensic dimension. Steganography is an art to deceive by embedding text or data files in an image file. Various steganography tools help achieve just that. There are some tools, however, that help in detecting such injections. Recently, hackers and malicious users have been coming up with ideas to inject data files not just in image files but also in music and video files, and to our much discomfort they have been successful with these attempts.
Implement Cyber Security Plan
A computer network assessment will help you begin a cyber security plan to mitigate the largest risks to your business. A cyber security plan needs to be developed by an employee or a contractor that has a basic understanding of cyber security. A comprehensive cyber security plan needs to focus on three key areas:
* Prevention.
Solutions, policies and procedures need to be identified to reduce the risk of attacks.
* Resolution. In the event of a computer security breach, plans and procedures need to be in place to determine the resources that will be used to remedy a threat.
* Restitution. Companies need to be prepared to address the repercussions of a security threat with their employees and customers to ensure that any loss of trust or business is minimal and short-lived.
PART 'B' CYBER LAW
Scope of Cyber Law
Cyber law is gaining a stronger foothold and there are several job opportunities for those
who would like to be "Sherlock Holmes" on the Internet. Everything is becoming cyber and the concern of maintaining security of the information on the internet is also growing. Therefore there are tremendous career opportunities in almost every field, from law to the IT industry. Whatever field you work in, knowledge of cyber law will definitely give you an edge over the rest.
Apart from being a full-fledged lawyer, one can get the job of Cyber Consultant in an IT firm, police department or in banks, Research assistants in a law firm, Research assistants in a technology firm, Advisors to the web developers, Advisors in the Ministry of Information and Technology or in Corporate Houses, Security Auditors and Network Administrators in Technology firms, Trainers in law schools and Multinational Corporations. Since a cyber lawyer has to inevitably deal with criminal law, intellectual property law, commercial and civil law in his cyber law cases, it is best to have a sound and in-depth knowledge of these laws apart from cyber laws to give your practice a real edge. Talwant Singh, Additional District and Sessions Judge, Delhi says, “Scope of cyber law increases when combined with intellectual property rights laws as in many cyber law cases, the question of violation of copyrights is also involved.”
As far as job opportunities are concerned, the field of cyber law is full of them. For example, you can choose from private practice, litigation, corporate advising and international cyber law work. Although litigation may take some time to firm its roots, consultancy has a lot of instant money to offer.
ESSENCE OF DIGITAL CONTRACTS
* Quality, first and foremost - legal contracts and documents you'd expect from a top law firm.
* You know the draftsman (not an unnamed "leading attorney").
* It's online, quick, and easy; no software to download and install.
* Free assistance with contract selection.
* Pay only once; then draft unlimited legal contracts and documents during your subscription.
* Easy-to-use "Intelligent" wizard guides your drafting.
* "Intelligent" document assembly produces near-custom agreements.
* Free updates and new documents as they're released (unlike downloadable forms).
* You own your agreements - copy to your word processor; edit and customize as you like.
* Safe and secure - your document data archived for limited time.
Digital Signature System
Refer to Digital Signatures.
Domain Name Issues
A great domain name can be a valuable commodity. In 2008 the domain pizza.com sold for $2.6 million and the year before that business.com sold for $350 million. There is a lot of money in the domain business so sometimes people are willing to walk the line between legal and illegal.
Cyber Squatting
When someone registers a domain with trademarked phrases they do not own in bad faith or to make a profit, it is called cyber-squatting. When someone who owns the
trademark sees they've been cyber-squatted, they can file a dispute with ICANN, the Internet Corporation for Assigned Names and Numbers, which oversees domain names. Courts can also handle domain disputes, but because of the international nature of the Internet, jurisdiction isn't clear. Sometimes it's unclear whether the domain was registered in good faith, as in the case of a man named Uzi Nissan, who owns a computer company, versus Nissan Motor Company, who fought over nissan.com. As of 2010, Mr. Uzi Nissan still owns the domain, but they've been fighting since 1999. Famous actors will also fight over domains that have their name, as the singer Madonna did over madonna.com in the year 2000 when it became a pornography site.
Typo-Squatting
Typo-squatting is when someone registers a domain for the purpose of getting visitors who mistype a webpage name. Using the original domain name microsoft.com as an example, a typo-squatter could register wwwmicrosoft.com as one word to gain visitors who forget to type a period between www and microsoft. The squatter could then place advertisements on the page for profit or make a fake page replicating the original one for the purpose of identity theft in the form of logins and other personal data. In 2008, Microsoft sued a company called Domain Investments for typo-squatting on the domains zunedrivers.com, windoesmobile.com, microsoft-games.com and wwwhotmajl.com.
Front Running
Domain front running is when a domain registrar temporarily or permanently registers a domain that someone recently searched to register when using their website. Although this practice can be legal, it's frowned upon by those registering domains. A popular domain registrar, Network Solutions, was accused of this in 2008.
Whenever users searched for a potential domain on their website, Network Solutions registered the domain for four days with a message in the whois data saying they can register it at Network Solutions' website. This forced users to register the domain with them instead of their normal registrar or risk the registration of the domain by someone else. Some smaller domain availability websites might outright register for themselves, permanently, the domain they see you searching for, so search for your domain where you wish to register and buy it right away so front runners won't have time to see if it's a good idea.
Copyright Laws for Digital Media
As more and more material gets digitized for preservation and for easier access by a wider number of people, it's important to remember that the U.S. Copyright Office has a set of laws pertaining exclusively to digital media. Digital media in this case has a number of definitions, but most commonly it refers to a digital audio copied recording--that is, digitally recorded music or sound.
Basic Copyright Law
The law that deals with digital media is Title 17. This states that copyright for creative works lasts for the life of the author or creator plus 75 years. The Copyright Term Extension Act is a controversial law, as it was amended in 1998 with help of musician-turned-politician Sonny Bono. After the creator has been dead for 75 years, the work passes into the public domain, meaning that no one individual owns it and everyone can use it free of
charge. If a person is caught using a copyrighted work before it enters the public domain, he is subject to injunction, fines and possibly jail time depending on the severity of the infringement.
Reproduction and Distribution
Reproduction and distribution of copyrighted works without permission is illegal. Under provisions of copyright law, a person who is not the legal owner of a piece of digital media is prohibited from copying or sharing that media. It is also illegal to import, manufacture or distribute any device that allows others to copy digital media for purposes of distribution. Persons seeking to use copyrighted material must be approved by the legal owner before proceeding with copying.
Royalty Payments
Any person who obtains permission to copy and distribute copyrighted works of digital media must pay royalties to the copyright holder. Royalties are defined under Section 1003 of the copyright code as three percent of the transfer price, but not less than one dollar. Anyone found violating royalty agreements must cease distribution of all works until the case is reviewed by a copyright royalty judge. The judge withholds the amount of money in question until the case is resolved.
E-Governance
Under an e-governance scenario, the Government and its citizens/business houses should be able to transact all their activities, or at least the majority of them, without meeting each other, using information technology tools such as internet, public kiosks etc. For example, when a citizen wants to get a ration card, he/she should be able to apply and get the ration card without physically going to the Taluka office. Similarly, when a widow wants to get a widow pension she should be able to get it by applying through the village or block level internet centre.
Or, a farmer wanting to get a land extract / cultivation extract should be able to do it without going to any government official through the internet or public kiosks. Going to the Government offices and waiting there to get these services should be only an optional one. The citizens should have a choice of going to the internet centres or the government offices to get their works done with the Government. This can be achieved only through the following steps:
1. Government offices should be computerised using online workflow procedure. That means all the paper based registers have to be given up and all government works have to be carried out only through computers.
2. All Government employees working in the areas where e-governance is proposed have to be computer trained and each one should be given user ID and password to operate the system.
3. All these government employees have to be trained in their area of operation in the software.
4. The Government servers should be connected to the internet so that the citizens and business houses are enabled to access the Government information at any time and also
enabled to file all their requests/applications online. The scope for meeting government officials should be reduced to the extent that only where statutorily such physical presence is required they should be asked to meet the government officials.
5. All applications or requests from citizens/business houses should be received only through online procedure using internet as medium.
6. STD booths or similar public kiosks should be authorised to intermediate between the citizens and the government. This includes online remittance facility too. A similar facility should be made available to the business houses too.
Cyber Crimes
Spam
Spam is the unsolicited sending out of junk e-mails for commercial purposes, which is unlawful. New anti-spam laws are being passed in various countries which will hopefully limit the use of unsolicited electronic communications.
Fraud
Computer fraud refers to the fallacious misrepresentation of fact conveyed with an intention of inducing another to do or refrain from doing something that will ultimately lead to some major kind of loss.
Obscene or Offensive Content
The contents of some of the websites and other electronic communications over the net can be really distasteful, obscene or offensive for a variety of reasons. In many countries such communications are considered illegal. It can be very troubling if your children are exposed to adult content.
Harassment
This cyber crime encompasses all the obscenities and derogatory comments directed towards a specific individual or individuals focusing for example on gender, race, religion, nationality, and sexual orientation. Harassment is the cybercrime most commonly encountered in chat rooms or through newsgroups.
Drug Trafficking
Drug traffickers use the Internet as a medium for trading their illegal substances by sending out enciphered e-mail and other Internet Technology.
Most of the drug traffickers can be found arranging their illegal deals at internet cafes, using courier websites for the delivery of illegal packages containing drugs, and sharing formulas for amphetamines in restricted-access chat rooms.
Cyber Terrorism
Due to the increase in cyber terrorism, the hacking into official websites or the crashing of official websites, government officials and Information Technology security specialists have recently begun to significantly increase their mapping of potential security holes in
  • 18. critical systems in order to better protect information-sensitive sites.
Common Sources of Cybercrime
Researchers at Sophos Labs claim to have created language software that can figure out the host country of malicious software by tracing the default language of the computer on which it was programmed. According to their analysis of the default language linked with about 19,000 samples at the end of last year, Americans and other non-British English speakers, surprisingly, produced a large proportion of malware. China produced 30%, Brazil 14.2% and Russia 4.1% of the world's malware.
Child Abuse Law USA
* ABA Center on Children and the Law
The ABA Center on Children and the Law, a program of the Young Lawyers Division, aims to improve children's lives through advances in law, justice, knowledge, practice and public policy. Our areas of expertise include child abuse and neglect, child welfare and protective services system enhancement, foster care, family preservation, termination of parental rights, parental substance abuse, adolescent health, and domestic violence.
* Chapter 419B — Juvenile Code: Dependency - Reporting Child Abuse
The Legislative Assembly finds that for the purpose of facilitating the use of protective social services to prevent further abuse, safeguard and enhance the welfare of abused children, and preserve family life when consistent with the protection of the child by stabilizing the family and improving parental capacity, it is necessary and in the public interest to require mandatory reports and investigations of abuse of children and to encourage voluntary reports.
* Child Abuse Prevention and Treatment Act as Amended by the Keeping Children and Families Safe Act of 2003
The basis for government's intervention in child maltreatment is grounded in the concept of parens patriae—a legal term that asserts that government has a role in protecting the interests of children and in intervening when parents fail to provide proper care. Beginning in the late 19th century, States and local jurisdictions started initiating mechanisms to assist and protect children. Then in 1912, the Federal Government established the Children's Bureau to guide Federal programs that were designed to support State child welfare programs as well as to direct Federal aid to families, which began with the passage of the Social Security Act (SSA) in 1935. The child welfare policy of the SSA layered Federal funds over existing State-supervised and administered programs that were already in place.
* Definitions of Child Abuse and Neglect - Child Welfare Information Gateway
Child abuse and neglect are defined by Federal and State laws. The Child Abuse Prevention and Treatment Act (CAPTA) is the Federal legislation that provides minimum standards that States must incorporate in their statutory definitions of child abuse and neglect. The CAPTA definition of "child abuse and neglect" refers to:
* "Any recent act or failure to act on the part of a parent or caretaker, which results in death, serious physical or emotional harm, sexual abuse, or exploitation, or an act or failure to act which presents an imminent risk of serious harm"
  • 19.
* Megan's Law
The U.S. Congress has passed several laws that require states to implement sex offender and crimes against children registries: the Jacob Wetterling Crimes Against Children and Sexually Violent Offender Registration Act, the Pam Lychner Sexual Offender Tracking and Identification Act, and Megan's Law. On March 5, 2003, the United States Supreme Court ruled that information about potential predators may be publicly posted on the Internet.
* Sex Offender Registration and Notification Act
To provide for the registration of sex offenders and for appropriate notification of their whereabouts, and for other purposes.
* US Code, Title 42, 13031 - Child Abuse Reporting
A person who, while engaged in a professional capacity or activity described in subsection (b) of this section on Federal land or in a federally operated (or contracted) facility, learns of facts that give reason to suspect that a child has suffered an incident of child abuse, shall as soon as possible make a report of the suspected abuse to the agency designated under subsection (d) of this section.