Wednesday, August 25, 2010
In the danger zone are those who frequently update their online personal information, particularly details of bank accounts and passwords. Inside one of the laboratories at C-DAC's Development Centre complex at Jawaharlal Nehru Technological University Hyderabad. THOSE who frequently update their online personal information, particularly details of bank accounts and transaction passwords, should beware. The “e-mail alert” seeking to update personal details could have been sent by conmen out to dupe gullible personal computer users. Cyber space criminals have devised several new ways to cheat people and rob them of their hard-earned money. One needs to be alert and check the authenticity of e-mail alerts from not just dubious companies but also major banks.One click on the link provided will take one to what appears to be the bank's website but which could actually be a perfect replica of the original website. Websites of banks in particular and other agencies such as the Income Tax Department are morphed to such perfection that it is difficult for a user to differentiate between the original and the fake. But experts in the software arena aver that users could ascertain the genuineness of the alerts by tracing the origins of the e-mail through the links provided to them. If users copy and paste these links on the address bar, it will take them to non-existent or prohibited sites.The same could be the case with alerts on job offers and those informing users about winning a lottery. “Gullible users have been duped to the tune of Rs.6 crore in the Hyderabad circle alone in the last six months after they responded to the false e-mail alerts,” said Ch. A.S. Murty of the Centre for Development of Advanced Computing (C-DAC), Hyderabad.
Technology has developed at a searing pace, bringing with it threats from cyber criminals, who work overtime to get a hang of the latest technologies so that they can misuse them. The attacks on websites give rise to security concerns pertaining to the classified data available in banks and in defence and other vital establishments.The Department of Information Technology (DIT) is getting increasingly worried about the threat posed by such attacks. Attacks targeted at PC users in general are basically aimed at cheating people of their money. But hacking the websites of banks or defence establishments and tampering with the information in them could jeopardise the economy and pose a general threat to the country's defence establishments.
The Internet as a free medium for exchange of information enables real-time communication between people of different regions and this has become a major concern for the DIT. The prime reason behind the concern is the possibility of PCs being used to attack networks of vital establishments.The DIT also has concerns about social networking sites such as Facebook and Orkut as users unsuspectingly share information with “friends”. Social networking sites may provide users connectivity across the globe, but they give criminals the scope to dump malware, viruses and other software that could prove dangerous to systems operated in a secured environment.
These sites expose young people to new types of risks such as online bullying, disclosure of private information, cyber stalking, access to content inappropriate for their age, online grooming and child abuse. These social networking sites serve as platforms for youngsters to vent their likes and dislikes about people (their teachers, for instance) while the information posted by unsuspecting employees of some vital establishments could come in handy for cyber criminals.
This is in addition to “cyber bullying”, a phenomenon where the users taunt others who unsuspectingly reveal their feelings about the atmosphere in their companies. “We have received information about a woman employee being sacked just for posting on the website that there was no activity in her company for the present. The company head got to know about the information posted on the social networking site and sacked the woman,” Murty said.
In many cases, it has been observed that teenagers, housewives and senior citizens fall prey to cyber offenders. “Students and housewives and senior citizens are most vulnerable to these kinds of attacks. There is a need to create adequate awareness among these sections first,” he said.
While security threats are one facet of cyber crimes, deploying viruses to impair systems altogether is another area of concern for the IT establishment. These viruses are “logic bombs”, and the effect of viruses such as Trojan will not be felt for at least six months. “Several e-mails in Facebook contain Trojan,” said D.K. Jain, the Director of C-DAC Hyderabad. Viruses that find a place in individual systems can automatically force their way into other systems if the “launch system” is connected through social networking sites.The “botnet”, as it is called in technology parlance, is one of the predominant threats of the cyber world, where users can be lured to open websites that have been morphed or manipulated. Hackers could target an individual PC attached to a social networking site to use it as a launch pad to attack other sites. “They [the users] are not expected to know the nitty-gritty of data transmission, but they could be the unsuspecting victims for propagation of malware and viruses into the network,” Jain said.Phishing is one new area of deception designed to steal personal information such as credit card numbers, passwords and account data. Attackers have become more sophisticated. The mails sent by these cyber criminals often include official-looking logos from real organisations and other identifying information taken directly from legitimate websites. These make the messages look more legitimate. Attackers could place a link that appears to go to the genuine website but which actually takes users to a phony site or possibly a pop-up window that looks exactly like the official website. They keep sending data relevant or irrelevant to block the system as well as the network, and this allows the attackers to intrude into the systems.
Fraudsters use such sophisticated methods that it sometimes takes users a while to realise the magnitude of the fraud. The salami attack is one such cyber crime. It involves the withdrawal of money from banks after stealing users' identities and passwords. “They withdraw Rs.5 a month from the user's account, which goes unnoticed by the individual user because of the negligible sum involved. But, imagine the amount if the fraudsters keep drawing the Rs.5 denomination from a few thousands of accounts every month,” Jain said.According to him, the threat will continue as long as the advances in the systems and operations continue. As technology advances, so do the threats, and the best way to secure systems is to protect them from vulnerabilities. All that users need do is update their anti-virus software, ensure that private information is not disclosed online and check the authenticity of the sites from where they receive information.On the use of anti-virus software for which users get frequent alerts to update, Jain said regular updating of anti-virus software is mandatory to protect systems, by and large, from attacks.But, the anti-virus software has a limited use if the threat of viruses continues. “Technological innovations will continue, so will the threats. The best thing a user can do is keep his/her PC secured from many viruses by updating the software and keeping a watch on the developments, if possible on a daily basis,” he said.
While a concerted effort is on to counter cyber threats, the department is faced with yet another problem: frauds in automated teller machines (ATMs). Fraudsters use “skimming devices” to capture and record information pertaining to accounts. They disable ATM machines and draw customers to a single machine to record their account details.According to Jain, information security is becoming synonymous with national security as computer networking has become the backbone of critical infrastructure such as banking, power, communication networks, and this calls for a secured computer system and network. The DIT identified information security as a critical area and formulated the Information Security Education and Awareness (ISEA) project for implementation over a period of five years.Providing access to the Internet in mobile PCs or mobile phones for official purposes has several benefits, but the access brings with it security concerns as an organisation's vital information could come under threat. Small amounts of wireless local area network (WLAN) signals can travel significant distances, and it is possible to peep into these signals using a “wireless sniffer”. A wireless sniffer can expose critical information if sufficient security has not been implemented.C-DAC, according to Jain, is equipped with tools to handle any attack or to detect any vulnerability. In addition to training, under the banner of e-Suraksha, over 500 system administrators to deal with emerging threats and protect government websites, C-DAC has posted information pertaining to e-learning methods on the Internet.
C-DAC has come out with comprehensive solutions for users and detailed the do's and don'ts and specified the measures to be taken to ensure the physical security of data and systems. These tools have been developed by IT giants such as Microsoft.The Microsoft Baseline Security Analyzer (MBSA), for instance, is one such easy-to-use tool designed for IT professionals. It helps small and medium businesses to determine the state of their security in accordance with the recommendations made by the IT giant. Built on the Windows Update Agent and MS Update Infrastructure, the MBSA ensures consistency with other MS management products and has the ability to scan, on an average, three million computers each week.C-DAC offers tips for safe online shopping, advising users to make sure that their PCs are secure with core protections such as anti-virus, anti-spyware and firewalls.It advises users to research the website they want to buy things from since there is every possibility of attackers trying to trap them with websites that look legitimate. After finishing transactions, they should take a print or screenshot of the transaction records and details of the product such as price, confirmation receipt and conditions of the sale.In addition, it is also essential to check the credit card statements as soon as the transaction is finished to know about the charges paid