Cyber Security - Unit 3

Cyber Security (Rajiv Gandhi Proudyogiki Vishwavidyalaya)

Scan to open on Studocu

Downloaded by vishakha soni

Studocu is not sponsored or endorsed by any college or university

Downloaded by vishakha soni

CS- 503 (C) Cyber Security Unit III
Chameli Devi Group of Institutions, Indore
Department of Computer Science and
Engineering CS- 503 (C) Cyber Security
Unit III Subject Notes

Topics: Cyber Crime and Criminal justice: Concept of Cyber Crime and the IT Act, 2000, Hacking, Teenage
Web Vandals, Cyber Fraud and Cheating, Defamation, Harassment and E-mail Abuse, Other IT Act
Offences, Monetary Penalties, jurisdiction and Cyber Crimes, Nature of Criminality, Strategies to tackle
Cyber Crime and Trends.

Cyber-crime
Cyber-crime is a crime which is conducted by the use of computer, electronic devices, and network
(Internet) to offences against individual or group of individuals. A person, who is involved in such type of
crime, called as cyber-criminal. The motive of cyber-criminal may be:
1. To intentionally harm the reputation of the victim
2. Cause physical or mental harm
3. Loss, to the victim directly or indirectly, using Internet and mobile phones (Bluetooth/SMS/MMS)
4. Threaten a person
5. Nation's security
6. Financial health
7. Creating and distributing viruses

Cyber-crime and criminal justice

Criminal justice, is the system through which crimes and criminals are identified, apprehended, judged,
and punished. A criminal justice system is comprised of law, the courts, and corrections. When a crime is
committed, law enforcement investigates. Once a suspect is apprehended, the courts take over. If the
accused is found guilty, they are sentenced and turned over to corrections.

In the digital age, new technologies and methods of interaction with other humans and devices came into
play. A cyber-crime investigator is primarily concerned with gathering evidence from digital systems that
can be used in the prosecution of internet-based, or cyberspace, criminal activity. All cyber-crime includes
the uses of the World Wide Web. A cyber-crime investigator can use the crucial evidences to solve cyber-
crimes.

Concept of cyber-crime and the IT Act, 2000

Cyber-crime is criminal activity that either targets or uses a computer, a computer network or a
networked device. Cyber-crime is committed by cybercriminals or hackers who want to make money.
Cyber-crime is carried out by individuals or organizations.

Cyber law is the part of the overall legal system that deals with the internet, cyber-space, and their
respective legal issues. Cyber law covers a fairly broad area covering several subtopics including freedom
of expression, access to and usage of the internet, and online privacy. Cyber law is referred to as the Law
of the Internet.

In 1996, the United Nations Commission on International Trade Law (UNCITRAL) adopted the model law
on electronic commerce (e-commerce) to bring uniformity in the law in different countries. The
Information Technology Act, 2000 or ITA, 2000 or IT Act, was notified on October 17, 2000. It is the law
that deals with

1
Downloaded by vishakha soni
 CS- 503 (C) Cyber Security Unit III
cyber-crime and electronic commerce in India. India became the 12th country to enable cyber law after it
passed the Information Technology Act, 2000.

While the first draft was created by the Ministry of Commerce, Government of India as the E Commerce
Act, 1998, it was redrafted as the ‘Information Technology Bill, 1999’, and passed in May 2000. Further,
this act amended the Indian Penal Code 1860, the Indian Evidence Act 1872, the Bankers’ Books Evidence
Act 1891, and the Reserve Bank of India Act 1934.

Cyber-crimes under the IT Act

 Tampering with computer source documents - Section 65
 Hacking with computer systems, data alteration - Section 66
 Publishing obscene information - Section 67
 Un-authorized access to protected system - Section 70
 Breach of confidentiality and privacy - Section 72
 Publishing false digital signature certificates - Section 73

Cyber-crimes under IPC (Indian Penal Code) and special laws

 Sending threatening messages by e-mail - Section 503 IPC
 Sending defamatory messages by e-mail - Section 499 IPC
 Forgery of electronic records - Section 463 IPC
 Bogus websites, cyber frauds - Section 420 IPC
 Email spoofing - Section 463 IPC
 Web-Jacking - Section 383 IPC
 E-mail abuse - Section 500 IPC

Features of the Information Technology Act, 2000

 All electronic contracts made through secure electronic channels are legally valid.
 Legal recognition for digital signatures.
 Security measures for electronic records and also digital signatures are in place.
 A procedure for the appointment of adjudicating officers for holding inquiries under the Act is finalized
 Provision for establishing a Cyber Regulatory Appellant Tribunal under the Act. Further, this tribunal
will handle all appeals made against the order of the controller or adjudicating officer.
 An appeal against the order of the Cyber Appellant Tribunal is possible only in the High Court.
 Digital signatures will use an asymmetric cryptosystem and also a hash function.
 Provision for the appointment of the Controller of Certifying Authorities (CCA) to license and regulate
the working of certifying authorities.
 The Act applies to offences or contraventions committed outside India.
 Senior police officers and other officers can enter any public place and search and arrest without
warrant.
 Provisions for the constitution of a Cyber Regulations Advisory Committee to advise the Central
Government and Controller.

Hacking
Hacking is the act of finding the possible entry points that exist in a computer system or a computer
network and finally entering into them. Hacking is usually done to gain unauthorized access to a
computer system or a computer network, either to harm the systems or to steal sensitive information
available on
2
Downloaded by vishakha soni
CS- 503 (C) Cyber Security Unit III
the computer. Hacking is identifying weakness in computer systems or networks to exploit its weaknesses
to gain access.

Hacking is usually legal as long as it is being done to find weaknesses in a computer or network system for
testing purpose. This sort of hacking is called Ethical Hacking. A computer expert who does the act of
hacking is called a "Hacker".

Figure 3.1: Types of hacking

Purpose of hacking
There could be various positive and negative intentions behind performing hacking activities. Here is a list
of some probable reasons why people indulge in hacking activities –
1. Just for fun
2. Show-off
3. Steal important information
4. Damaging the system
5. Hampering privacy
6. Money extortion
7. System security testing
8. To break policy compliance.

Types of hackers
Hackers can be classified into different categories such as white hat, black hat, and grey hat, based on their
intent of hacking a system.

1. White hat hackers

White hat hackers are also known as Ethical hackers. They never intent to harm a system, rather they try
to find out weaknesses in a computer or a network system as a part of penetration testing and
vulnerability assessments. Ethical hacking is not illegal and it is one of the demanding jobs available in
the IT industry. There are numerous companies that hire ethical hackers for penetration testing and
vulnerability assessments.

2. Black hat hackers

Black hat hackers, also known as crackers, are those who hack in order to gain unauthorized access to a
system and harm its operations or steal sensitive information. Black hat hacking is always illegal because

3
Downloaded by vishakha soni
CS- 503 (C) Cyber Security Unit III
of its bad intent which includes stealing corporate data, violating privacy, damaging the system, blocking
network communication etc.
3. Grey hat hackers
Grey hat hackers are a blend of both black hat and white hat hackers. They act without malicious intent
but for their fun, they exploit a security weakness in a computer system or network without the owner’s
permission or knowledge. Their intent is to bring the weakness to the attention of the owners and
getting appreciation or a little bounty from the owners.

4. Miscellaneous hackers
Apart from the above well-known classes of hackers, we have the following categories of hackers based
on what they hack and how they do it –

A. Red hat hackers: Red hat hackers are again a blend of both black hat and white hat hackers. They are
usually on the level of hacking government agencies, top-secret information hubs, and generally
anything that falls under the category of sensitive information.

B. Blue hat hackers: Blue hat hacker is someone outside computer security consulting firms who is used
to bug-test a system prior to its launch. They look for loopholes that can be exploited and try to close
these gaps. Microsoft also uses the term blue hat to represent a series of security briefing events.

C. Elite hackers: This is a social status among hackers, which is used to describe the most skilled hacker.
Newly discovered exploits will circulate among these hackers.

D. Script kiddie: A script kiddie is a non-expert who breaks into computer systems by using pre-packaged
automated tools written by others, usually with little understanding of the underlying concept, hence
the term Kiddie.

E. Hacktivist: A hacktivist is a hacker who utilizes technology to announce a social, ideological, religious,
or political message. In general, most hacktivism involves website defacement or denial-of-service
attacks.

F. Phreaker: A hacker who identifies and exploits weaknesses in telephones instead of computers.

Teenage web vandals

Teenage vandalism can be defining as “willful or malicious destruction, injury, disfigurement, or
defacement of any public or private property, without the consent of the owner”. Vandalism includes a
wide variety of acts, including remove graffiti, damaging property (smashing mailboxes, trashing empty
buildings or school property, breaking windows etc.), stealing street signs, eggs, cap, toilet papers, and
other types of mischief.

There are a number of reasons why a teen might vandalize property

1. They could be bowing down to peer pressure.
2. Someone dared them to do it, or the girl they like admires someone else who vandalizes, or perhaps it
could be part of an initiation in a gang.
3. Sometimes teens make poor decisions when they are bored. For example, a teen might view stealing
a street sign as a fun way to pass time where no one gets hurt.
4. Another reason could be for revenge. A teen is angry on someone and tries to get back at that person
by damaging their property.

4
Downloaded by vishakha soni
CS- 503 (C) Cyber Security Unit III

Cyber fraud and cheating

Fraud is when trickery is used to gain a dishonest advantage, which is often financial, over another
person. Here are many words used to describe fraud: scam, con, swindle, extortion, sham, double-cross,
hoax, cheat, ploy, ruse, hoodwink, confidence trick. Fraud on internet, constitutes about one-third of all
cyber- crimes. It is the most profitable business on the Internet.
Some of the major areas of fraud and cheating on the Internet include:
a) Misuse of credit cards by obtaining passwords by hacking,
b) Bogus investment/get rich schemes,
c) Deceptive investment newsletters containing false information about companies,
d) Non delivery of goods purchased from online auctions and websites,
e) Misappropriation & transfer of funds etc.

Laws relating to cyber fraud & cheating

 IPC section 405, 406 (criminal breach of trust) - Imprisonment up to three years, or with fine, or both.
 IPC section 468 (Forgery) - Imprisonment up to seven years and fine.
 IPC section 477 A (Falsification of accounts) - Imprisonment up to seven years, or with fine, or both.
 IPC section 482 (using a false property) - Imprisonment up to one year, or with fine, or both.

Defamation
The term defamation is used to define the injury that is caused to the reputation of a person in the eyes
of a third person. The injury can be done by words oral or written, or by signs or by visible
representations. Cyber defamation is publishing of defamatory material against another person with the
help of computers or internet. If someone publishes some defamatory statement about some other
person on a website or send emails containing defamatory material to other persons with the intention to
defame the other person would amount to cyber defamation. The harm caused to a person by publishing
a defamatory statement about him on a website is widespread and irreparable as the information is
available to the entire world.

Laws relating to defamation

1. Section 499 of IPC: Section 499 of IPC says that whoever, by words either spoken or intended to be
read, or by signs or by visible representations, makes or publishes any imputation concerning any
person intending to harm. The offence of defamation is punishable and imprisonment up to 2 years or
fine or both.
2. Section 469 of IPC: Section 469 of IPC says that whoever commits forgery, intending that the
document or electronic record forged shall harm the reputation of any party, or knowing that it is
likely to be used for that purpose shall be punished with imprisonment of either description for a
term which may extend to three years and shall also be liable to fine.
3. Section 66A: The section 66A of the Information Act, 2000 does not specifically deal with the offence
of cyber defamation but it makes punishable the act of sending grossly offensive material for causing
insult, injury or criminal intimidation.

Defamation v. Freedom of speech

Freedom of speech and expression, as provided by the Constitution under Article 19 (1) (a), provides that
all citizens shall have the right to freedom of speech and expression. However, such freedom is subject to
reasonable restriction. The protection of reputation of another person falls within the ambit of

5
Downloaded by vishakha soni
CS- 503 (C) Cyber Security Unit III
reasonable

6
Downloaded by vishakha soni
CS- 503 (C) Cyber Security Unit III
restriction and any comment or remark which hampers the reputation of another person (unless the
statement is true) would invite liability under the law of defamation.
Harassment
Online harassment may involve threatening or harassing emails, instant messages, or posting information
online. It targets a specific person either by directly contacting them or by disseminating their personal
information, causing them distress, fear, or anger. It can involve behaviors such as:
1) Sending unsolicited and/or threatening e-mail.
2) Encouraging others to send the victim unsolicited and/or threatening e-mail or to overwhelm the
victim with e-mail messages.
3) Sending viruses by e-mail (electronic sabotage).
4) Spreading rumours.
5) Making defamatory comments about the victim online.
6) Sending negative messages directly to the victim.
7) Impersonating the victim online by sending an inflammatory, controversial or enticing message which
causes others to respond negatively to the victim.
8) Harassing the victim during a live chat.
9) Leaving abusive messages online, including social media sites.
10) Sending the victim pornography or other graphic material that is knowingly offensive.
11) Creating online content that depicts the victim in negative ways.

E-mail Abuse
E-mail Abuse, also known as junk e-mail, is a type of electronic spam where unsolicited messages are
sent by e-mail. Many email spam messages are commercial in nature but may also contain disguised links
that appear to be for familiar websites but in fact lead to phishing web sites or sites that are hosting
malware. Spam e-mail may also include malware as scripts or other executable file attachments (like
Trojans).

Other IT Act Offences- The offences included in the IT Act 2000 are as follows:
 Tampering with the computer source documents.
 Hacking computer system.
 Publishing of information which is obscene in electronic form.
 Penalty for misrepresentation
 Penalty for breach of confidentiality and privacy
 Penalty for publishing false digital signature certificate
 Publication for fraudulent purpose
 Act to apply for offence or contravention committed outside India
 Confiscation
 Penalties or confiscation not to interfere with other punishments.
 Power to investigate offences.

Monetary penalties
Monetary penalty is a civil penalty imposed by a regulator for a contravention of an Act, regulation or by
law. It is issued upon discovery of an unlawful event and is payable subject only to any rights of review. It
is regulatory in nature, rather than criminal and is intended to secure compliance with a regulatory
scheme, and it can be employed with the use of other administrative sanctions, such as demerit points
and license suspensions.
7
Downloaded by vishakha soni
CS- 503 (C) Cyber Security Unit III

S No Section Offence Punishment

Imprisonment up to 3 years or fine up to Rs 2
1 65 Tampering with Computer Source Code
lakhs
Imprisonment up to 3 years or fine up to
2 66 Computer Related Offences
Rs 5 lakhs
Sending offensive messages through
3 66-A Imprisonment up to 3 years and fine
Communication service, etc...
Dishonestly receiving stolen computer Imprisonment up to 3 years and/or fine up
4 66-B
resource or communication device to Rs. 1 lakh
Imprisonment of either description up to 3
5 66-C Identity Theft
years and/or fine up to Rs. 1 lakh
Cheating by Personation by using Imprisonment of either description up to 3
6 66-D
computer resource years and /or fine up to Rs. 1 lakh
Imprisonment up to 3 years and /or fine up
7 66-E Violation of Privacy
to Rs. 2 lakh
Imprisonment extend to imprisonment for
8 66-F Cyber Terrorism
Life
On first Conviction, imprisonment up to 3
Publishing or transmitting obscene years and/or fine up to Rs. 5 lakhs On
9 67
material in electronic form Subsequent Conviction imprisonment up to
5 years and/or fine up to Rs. 10 lakhs
Misrepresentation to the Controller to Imprisonment up to 2 years and/ or fine up
10 71
the Certifying Authority to Rs. 1 lakh.
Imprisonment up to 2 years and/or fine up
11 72 Breach of Confidentiality and privacy
to Rs. 1 lakh.
Disclosure of information in breach of Imprisonment up to 3 years and/or fine up
12 72-A
lawful contract to Rs. 5 lakh.
Publishing electronic Signature Imprisonment up to 2 years and/or fine up
13 73
Certificate false in certain particulars to Rs. 1 lakh
Imprisonment up to 2 years and/or fine up
14 74 Publication for fraudulent purpose
to Rs. 1 lakh

Table 3.1: Monetary penalties

Jurisdiction and cyber-crimes

The whole trouble with internet jurisdiction is the presence of multiple parties in various parts of the
world who have only a virtual nexus with each other. Then, if one party wants to sue the other, where
can he sue?

Traditional requirement generally encompasses two areas: -

 The Place where the defendant resides.
 Where the cause of action arises.
However, in the context of the internet or cyberspace (cyber-space is the electronic medium of computer
networks, in which online communication takes place), both these are difficult to establish with any
certainty. Considering the lack of physicalboundaries on the internet, is it possible to reach out beyond

8
Downloaded by vishakha soni
CS- 503 (C) Cyber Security Unit III
the court’s geographic boundaries to haul a defendant into its court forconduct in “Cyberspace”. Issues of
this nature have contributed to the complete confusion and contradictions that plague judicial decisions
in the area of internet jurisdiction. Accordingly, in each case, a determination should be made as to
where an online presence will subject the user to jurisdiction in a distant state or a foreign company.

As such, a single transaction may involve the laws of at least three jurisdictions:

 The laws of the state/nation in which the user resides,

 The laws of the state/nation that apply where the server hosting the transaction is located.
 The laws of the state/nation which apply to the person or business with whom the transaction takes
place.

Jurisdiction by Information Technology Act, 2000

Cyber law is the part of the overall legal system that deals with the internet, cyberspace, and their
respective legal issues. Cyber law covers a fairly broad area covering several subtopics including freedom
of expression, access to and usage of the internet, and online privacy. Generally, cyber law is referred to
as the law of the internet. The Information Technology Act, 2000 or ITA, 2000 or IT Act, was notified on
October 17, 2000.

Cyber-crime
Cyber-crime is a crime which is conducted by the use of computer, electronic devices, and network
(Internet) to offences against individual or group of individuals. A person, who is involved in such type of
crime, called as cyber-criminal.

Types of cyber-crime:
1. Hacking
2. Spoofing
3. Salami Attack
4. Spam
5. Malware dissemination
6. Denial of Service
7. Software Piracy
8. Threatening
9. Forgery
10. Obscene or Offensive
11. Cyber Terrorism Content
12. Drug Trafficking
13. Pornography
14. Cyber Stalking
15. Fraud
16. Cyber Defamation
17. Phishing

Nature of criminality
The focus on crime is more evident in the study of criminology. In the definition of criminology, it has
been described as the “systematic study of the nature, extent and control of law-breaking behavior”. The
focus on the assessment of the concept of crime is dealt by the aspect of ‘criminology’. The nature of
9
Downloaded by vishakha soni
CS- 503 (C) Cyber Security Unit III
crime is

10
Downloaded by vishakha soni
CS- 503 (C) Cyber Security Unit III
increasingly changing largely because of the changes in the society and the environment. Today, a crime
cannot be viewed on a single perspective alone. The concept of crime is explained on the basis of
different contending perspectives or theories. Two of the most popular perspective that explains the
nature of crime is its condition as being a social construct and being an individual criminality.

A. Crime as a social construct

It has been believed that criminality could be avoided if there are only prerequisites. Among these
prerequisites include presence of very good living conditions, real free will, not maltreatment from the
direct and indirect environment, family with principles and a job which can be considered as dignified. In
the absence of the noted prerequisites, it is likely that problematic or troubled individuals can be lured
into becoming criminals. Because of this, there is a need for the society to all the members the favorable
living conditions. If not, it would be almost unavoidable for the individuals to commit criminal acts.

B. An individual criminality
On the other hand, there is also the perspective that the individuals’ criminality is not a question. Scholars
and the researchers alike argue that genetic factories such as the wrong genes and chromosomes can
drive the individuals to absence of self-control, aggressive attitudes as well as generally criminal behavior.

Strategies to tackle cyber-crime and trends

 Protect your most visible asset- Websites are the most visible and vulnerable part of a company’s
infrastructure. Attackers can scan the Internet nonstop in search of weaknesses, companies should
not overlook this vulnerable entry point in their cyber security defense strategy. Products like
malware and vulnerability scanners and web-application firewalls can help you guard this important
asset that is the face of your brand.

 Focus on effects- It’s clear that organizations can’t prevent 100 percent of intrusions. A sophisticated
and determined adversary will eventually get in. This is why companies should focus on detecting the
effects (also called indicators of attack) of malware and adversary activity.

 Remember that people are your weakest link- Even the most advanced technology can't prevent a
great employee from accidentally opening your doors to cyber-crime. These unintentional slip-ups
happen; combat them by reiterating common sense practices to all of your employees.

 Prevention is always better than cure. It is always better to take certain precautions while working on
the net. One should make them a part of his cyber life.

 One should avoid disclosing any personal information to strangers, the person whom they don’t
know, via e-mail or while chatting or any social networking site.

 One must avoid sending any photograph to strangers by online as misusing or modification of
photograph incidents increasing day by day.

 An updated anti-virus software to guard against virus attacks should be used by all the netizens and
should also keep back up volumes so that one may not suffer data loss in case of virus contamination.

11
Downloaded by vishakha soni
CS- 503 (C) Cyber Security Unit III
 A person should never send his credit card number or debit card number to any site that is not
secured, to guard against frauds.

12
Downloaded by vishakha soni