Cybersecurity Chapter-1 2

This document provides an overview of cyberoffenses, detailing various types of cyberattacks, the planning steps involved in executing cybercrimes, and the tools used by criminals. It categorizes cybercrime based on targets and event types, explaining the roles of hackers, crackers, and phreakers. Additionally, it outlines the phases of planning cybercrime, including reconnaissance and the distinction between passive and active attacks.

2 | Cyberoffenses: How Criminals Plan Them

Learning Objectives

After reading this chapter, you will be able to:

• Understand different types of cyberattacks.
• Get an overview of the steps involved in planning cybercrime.
• Understand tools used for gathering information about the target.
• Get an overview on social engineering - what and how.
• Learn about the role of cybercafes in cybercrime.
• Understand what cyberstalking is.
• Learn about Botnets and attack vector.
• Get an overview on cloud computing - what and how.

2.1 Introduction

Technology is a "double-edged sword" as it can be used for both good and bad purposes. People with the tendency to cause damage or to carry out illegal activities will use it for bad purposes. Computers and the tools available in IT are no exception; like other tools, they are used either as the target of an offense or as the means for committing an offense. In today's world of Internet and computer networks, a criminal activity can be carried out across national borders with a "false sense of anonymity"; without realizing it, we seem to pass on a tremendous amount of information about ourselves. Are we sure this will never be misused? Figure 2.1 gives us an idea about all those agencies that collect information about individuals (i.e., Personally Identifiable Information such as date of birth, personal E-Mail address, bank account details and/or credit card details, etc., explained in Section 5.3.1, Chapter 5). Chapter 1 provided an overview of hacking, industrial espionage, ing, computer viruses, etc. They are the most commonly occurring

Box 2.4 | Tips for ... (Continued)

Domains.

Filetype: This will search within the text of a particular type of file. The file type to search must be typed after the colon.

Link: The query [link:] will list the webpages that have links to the specified webpage. For instance, [link: www.google.com] will list webpages that have links pointing to the Google homepage. Note that there can be no space between the "link:" and the webpage URL. This functionality is also accessible from the advanced search page, under Page Specific Search > Links.

Inurl: If you include [inurl:] in your query, Google will restrict the results to documents containing that word in the URL. For instance, [inurl:google search] will return documents that mention the word "google" in their URL, and mention the word "search" anywhere in the document (URL or no). Note that there should be no space between the "inurl:" and the following word. Putting "inurl:" in front of every word in your query is equivalent to putting "allinurl:" in front of your query; this implies [inurl:google inurl:search] is the same as [allinurl: google search].

Cache: The query [cache:] will show the version of the webpage that Google has in its cache. For instance, [cache: www.google.com] will show Google's cache of the Google homepage. Note that there should be no space between the "cache:" and the webpage URL. If you include other words in the query, Google will highlight those words within the cached document. For instance, [cache: www.google.com web] will show the cached content with the word "web" highlighted. This feature is also accessible by clicking on the "Cached" link on Google's main results page.

Related: The query [related:] will list webpages that are "similar" to a specified webpage. For instance, [related: www.google.com] will list webpages that are similar to the Google homepage. Note that there should be no space between the "related:" and the webpage URL. This feature is also accessible by clicking on the "Similar Pages" link on Google's main results page, and from the advanced search page, under Page Specific Search > Similar.

Info: The query [info:] will present some information that Google has about that webpage. For instance, [info: www.google.com] will show information about the Google homepage. Note that there should be no space between the "info:" and the webpage URL. This feature is also accessible by typing the webpage URL directly into a Google search box.

Define: The query [define:] will provide a definition of the word/phrase you enter after it, gathered from various online sources. The definition will be for the entire phrase entered (i.e., it will include all the words in the exact order you typed them).

Stocks: If you begin a query with the [stocks:] operator, Google will treat the rest of the query terms as stock ticker symbols and will link to a page showing stock information for those symbols. For instance, [stocks: intc yhoo] will show information about Intel and Yahoo. (Note that you must type the ticker symbols, not the company name.) This feature is also available if you search just on the stock symbols (e.g., [intc yhoo]) and then click on the "Show stock quotes" link on the results page.

Allintitle: If you start a query with [allintitle:], Google will restrict the results to those with all of the query words in the title. For instance, [allintitle: google search] will return only documents that have both "google" and "search" in the title. This feature is also available through the advanced search page, under Advanced Web Search > Occurrences.

Intitle: If you include [intitle:] in your query, Google will restrict the results to documents containing that word in the title. For instance, [intitle:google search] will return documents that mention the word "google" in their title and the word "search" anywhere in the document (title or no). Note that there should be no space between the "intitle:" and the following word. Putting [intitle:] in front of every word in your query is equivalent to putting [allintitle:] at the front of your query; this implies that [intitle:google intitle:search] is the same as [allintitle: google search].

Allinurl: If you start a query with [allinurl:], Google will restrict the results to those with all of the query words in the URL. For instance, [allinurl: google search] will return only documents that have both "google" and "search" in the URL. Note that [allinurl:] works on words, not on URL components. In particular, it ignores punctuation. Thus, [allinurl: foo/bar] will restrict the results to pages with the words "foo" and "bar" in the URL, but won't require that they be separated by a slash within that URL, that they be adjacent, or that they be in that particular word order. There is currently no way to enforce these constraints.

Source: http://www.google.com.tw/help/operators.html

Network sniffing is another means of passive attack to yield useful information such as Internet Protocol (IP) address ranges, hidden servers or networks, and other available services on the system or network. The network traffic is sniffed to monitor the traffic on the network: the attacker watches the flow of data to see at what time certain transactions take place and where the traffic is going.

Along with Google search, various other tools are also used for gathering information about the target/victim (Table 2.1).

Table 2.1 | Tools used during passive attacks

Google Earth
  Brief Description: Google Earth is a virtual globe, map, and geographic information program. It maps the Earth by the superimposition of images obtained from satellite imagery and provides aerial photography of the globe. It is available under three different licenses: Google Earth, a free version with limited functionality; Google Earth Plus (discontinued), with additional features; and Google Earth Pro, intended for commercial use.
  Remarks: For more details on this tool, visit: http://earth.google.com/. Like "Google Earth," similar details can be obtained from http://www.wikimapia.org/. Indian Space Research Organization (ISRO) unveiled its beta version of Bhuvan (meaning Earth in Sanskrit), a Web-based tool like Google Earth, that promises better 3-D satellite imagery of India than is currently being offered by Google Earth, and that too with India-specific features such as weather information and even administrative boundaries of all states and districts; visit: http://bhuvan.nrsc.gov.in/

Internet Archive
  Brief Description: The Internet Archive is an Internet library, with the purpose of offering permanent access for researchers, historians and scholars to historical collections that exist in digital format. It includes texts, audio, moving images, and software as well as archived webpages in its collections.
  Remarks: An attacker gets information about the latest updates made to the target's website and can also dig up information which may be available in the history (e.g., contact lists of executives and higher management officials are always updated). For more details on this tool, visit: http://www.archive.org/index.php

Professional Community
  Brief Description: LinkedIn is an interconnected network of experienced professionals from around the world, representing 170 industries and 200 countries.
  Remarks: One can find details about qualified professionals. For more details on this tool, visit: http://www.linkedin.com/

People Search
  Brief Description: People Search provides details about personal information: date of birth, residential address, contact number, etc.
  Remarks: To name a few, visit:
  • http://www.whitepagesinc.com/
  • http://www.intelius.com/
  • http://www.whitepages.com/

Domain Name Confirmation
  Brief Description: To perform searches for domain names (e.g., website names) using multiple keywords. This helps to find every registered domain name in "com," "net," "org," "edu," "biz," etc.
  Remarks: For more details on this tool, visit:
  • http://www.namedroppers.com/
  • http://www.binarypool.com/bytes.html

WHOIS
  Brief Description: This is a domain registration lookup tool. This utility is used for communicating with WHOIS servers located around the world to obtain domain registration information. WHOIS supports IP address queries and automatically selects the appropriate WHOIS server for IP addresses. This tool will look up information on a domain, an IP address, or domain registration information. You can select a specific WHOIS server, or you can use the "Default" option, which will select a server for you.
  Remarks: For more details on this tool, visit:
  • http://whois.domaintools.com/
  • http://www.whois.net/
  • http://www.samspade.org/
  For further details of this lookup utility, visit:
  • http://resellers.tucows.com/opensrs/whois/
  • http://www.nsauditor.com/docs/html/tools/Whois.html

Nslookup
  Brief Description: The name nslookup means "name server lookup." The tool is used on Windows and Unix to query domain name system (DNS) servers to find DNS details, including IP addresses of a particular computer and other technical details such as mail exchanger (MX) records for a domain and name server (NS) records of a domain.
  Remarks: For more details on this tool, visit:
  • http://www.kloth.net/services/nslookup.php
  • http://nslookup.downloadsoftware4free.com/

Dnsstuff
  Brief Description: Using this tool, it is possible to extract DNS information about IP addresses, mail server extensions, DNS lookup, WHOIS lookups, etc.
  Remarks: For more details on this tool, visit: http://www.dnsstuff.com/

Traceroute
  Brief Description: This is the best tool to find the route (i.e., computer network path) to a target system. It determines the route taken by packets across an IP network.
  Remarks: For more details on this tool, visit: http://www.jsmith.com/tracert.html

VisualRoute Trace
  Brief Description: This is a graphical tool which determines where and how virtual traffic on the computer network is flowing between source and target destination.
  Remarks: For more details on this tool, visit: http://www.visualware.com/

eMailTrackerPro
  Brief Description: eMailTrackerPro analyzes the E-Mail header and provides the IP address of the system that sent the mail.
  Remarks: For more details on this tool, visit: http://www.emailtrackerpro.com/

HTTrack
  Brief Description: This tool acts like an offline browser. It can mirror the entire website to a desktop. One can analyze the entire website while being offline.
  Remarks: For more details on this tool, visit: http://www.httrack.com/

Website Watcher
  Brief Description: The tool can be used to keep track of favorite websites for an update. When the website undergoes an update/change, this tool automatically detects it and saves the last two versions onto the desktop.
  Remarks: For more details on this tool, visit: http://www.aignes.com/

Competitive Intelligence
  Brief Description: Competitive intelligence can provide information related to almost any product, information on recent industry trends, or information about geopolitical indications. Effective use of competitive intelligence can reveal an attack against the website or an industrial espionage.
  Remarks: To name a few, visit:
  • http://bigital.com/
  • http://www.amiry.edu/aic/

Note: IP is Internet Protocol here.

2.2.3 Active Attacks

An active attack involves probing the network to discover individual hosts to confirm the information (IP addresses, operating system type and version, and services on the network) gathered in the passive attack phase.
It involves the risk of detection and is also called "Rattling the doorknobs" or "Active reconnaissance." Active reconnaissance can provide confirmation to an attacker about security measures in place (e.g., whether the front door is locked?), but the process can also increase the chance of being caught or raise suspicion. Table 2.2 gives the list of tools used for active attacks; some of the tools are also used during "vulnerability assessment" and/or "penetration testing." Refer to Appendix E in CD.

Table 2.2 | Tools used during active attacks

Arphound
  Brief Description: This is a tool that listens to all traffic on an Ethernet network interface. It reports IP/media access control (MAC) address pairs as well as events, such as IP conflicts, IP changes and IP addresses with no reverse DNS, various Address Resolution Protocol (ARP) spoofing and packets not using the expected gateway.
  Remarks: This is open-source software. For more details on this tool and download, visit: http://www.nottale.net/index.php?project=arphound

Arping
  Brief Description: This is a network tool that broadcasts ARP packets and receives replies similar to "ping." It is good for mapping a local network and finding used IP space. It broadcasts a "who-has ARP packet" on the network and prints answers. It is very useful when trying to pick an unused IP for a net to which routing does not exist as yet.
  Remarks: This is open-source software. For more details on this tool and download, visit: http://www.habets.pp.se/synscan/programs.php?prog=arping

Bing
  Brief Description: This is used for Bandwidth Ping. It is a point-to-point bandwidth measurement tool based on ping. It can measure raw throughput between any two network links. Bing determines the real (raw as opposed to available or average) throughput on a link by measuring Internet Control Message Protocol (ICMP) echo request roundtrip times for different packet sizes for each end of the link.
  Remarks: This is open-source software. For installation and usage information, visit: http://ai3.asti.dost.gov.ph/sat/bing.html

Bugtraq
  Brief Description: This is a database of known vulnerabilities and exploits providing a large quantity of technical information and resources.
  Remarks: This software is for free usage. Visit the following site for more details: http://www.securityfocus.com/bid

Dig
  Brief Description: This is used to perform detailed queries about DNS records and zones, extracting configuration and administrative information about a network or domain.
  Remarks: This is open-source software. For additional technical details, visit: http://www.isc.org/index.pl?/sw/bind/

DNStracer
  Brief Description: This is a tool to determine the data source for a given DNS server and follow the chain of DNS servers back to the authoritative sources.
  Remarks: This is also open-source software. For additional technical details, visit: http://www.mavetju.org/unix/dnstracer.php

Dsniff
  Brief Description: This is a network auditing tool to capture username, password and authentication information on a local subnet.
  Remarks: This is open-source software. For additional technical details, visit: http://monkey.org/~dugsong/dsniff/

Filesnarf
  Brief Description: This is a network auditing tool to capture file transfers and file sharing traffic on a local subnet.
  Remarks: This is also open-source software. For additional technical details, visit: http://monkey.org/~dugsong/dsniff/

FindSMB
  Brief Description: This is used to find and describe server message block (SMB) servers on the local network.
  Remarks: It is open-source software; visit the following site for downloads: http://us3.samba.org/samba/

Fping
  Brief Description: This is a utility similar to ping used to perform parallel network discovery.
  Remarks: For this open-source software, visit: http://www.fping.com/

Fragroute
  Brief Description: This intercepts, modifies and rewrites egress traffic destined for a specified host, implementing several intrusion detection system (IDS) evasion techniques.
  Remarks: This is another open-source material; visit: http://www.monkey.org/~dugsong/fragroute/

Fragtest
  Brief Description: This tests the IP fragment reassembly behavior of the Transmission Control Protocol (TCP) stack on a target. It intercepts, modifies and rewrites egress traffic destined for a specified host, implementing most of the attacks.
  Remarks: For more details on this open-source software, visit: http://www.monkey.org/~dugsong/fragroute/

Hackbot
  Brief Description: This is a host exploration tool, simple vulnerability scanner and banner logger.
  Remarks: Another open-source software, whose details can be found at: http://freshmeat.net/projects/hackbot/

Hmap
  Brief Description: This is used to obtain detailed fingerprinting of web servers to identify vendor, version, patch level, including modules and much more. Hmap is a web server fingerprinting tool.
  Remarks: Details of this open-source software can be found at: http://ujeni.murkyroc.com/hmap/

Hping
  Brief Description: This is a TCP/IP packet assembler and analyzer. It can perform firewall ruleset testing, port scanning, network type of service/quality-of-service (TOS/QOS) testing, maximum transmission unit (MTU) discovery, alternate-protocol traceroute, TCP stack auditing, and much more. Using hping you can do the following:
  • firewall testing;
  • advanced port scanning;
  • network testing, using different protocols, TOS, fragmentation;
  • manual path MTU discovery;
  • advanced traceroute, under all the supported protocols;
  • remote OS fingerprinting;
  • remote uptime guessing;
  • TCP/IP stacks auditing;
  • hping can also be useful to students that are learning TCP/IP.
  Hping works on the following Unix-like systems: NetBSD, OpenBSD, Linux, FreeBSD, Solaris, MacOS X, Windows.
  Remarks: This is open-source software. For additional technical details, visit: http://www.hping.org/

Httping
  Brief Description: This is similar to "ping," but for HTTP requests. It shows how long a URL will take to connect, send a request, and receive a reply.
  Remarks: This is open-source software. For additional technical details, visit: http://www.vanheusden.com/httping/

Hunt
  Brief Description: This is a tool for exploiting well-known weaknesses in the TCP/IP protocol suite.
  Remarks: This is also open-source software. For additional technical details, visit: http://lin.fsid.cvut.cz/~kra/index.html

Libwhisker
  Brief Description: This is an application library designed to assist in scanning for CGI/web vulnerabilities.
  Remarks: Details of this open-source software can be found at: http://www.wiretrip.net/rfp/lw.asp

Mailsnarf
  Brief Description: This is a network auditing tool to capture SMTP and POP3 E-Mail traffic (including message headers, bodies, and attachments) on a local subnet.
  Remarks: For this open-source software, you can visit: http://monkey.org/~dugsong/dsniff/

Msgsnarf
  Brief Description: This is a network auditing tool to capture instant message (Yahoo, MSN, ICQ, iChat, AIM, and many more) traffic on a local subnet.
  Remarks: Same as above.

NBTScan
  Brief Description: This is a utility for scanning networks for NetBIOS information; it reports IP address, NetBIOS name, logged-in username, and MAC address.
  Remarks: Details of this open-source material can be found at: http://www.inetcat.org/software/nbtscan.html

Nessus
  Brief Description: This is a powerful, fast, and modular security scanner that tests for many thousands of vulnerabilities. ControlScan's system can also be used to create custom Nessus reports.
  Remarks: To know more about this open-source utility, visit: http://www.nessus.org/

Netcat
  Brief Description: This is a utility to read and write custom TCP/User Datagram Protocol (UDP) data packets across a network connection for network debugging or exploration.
  Remarks: Explore more details of this open-source utility at: http://www.atstake.com/research/tools/network_utilities/

Nikto
  Brief Description: This is a web server vulnerability scanner that tests over 2,600 potentially dangerous files/CGIs on over 625 types of servers. This tool also performs comprehensive tests against web servers for multiple items and version-specific problems on over 230 servers. Scan items and plugins are frequently updated and can be automatically updated (if desired).
  Remarks: Nikto is an open-source web server scanner; visit the following site for more details: http://www.cirt.net/code/nikto.shtml

Nmap
  Brief Description: This is a port scanner, operating system fingerprinter, service/version identifier, and much more. Nmap is designed to rapidly scan large networks.
  Remarks: For details of this open-source software, visit: http://insecure.org/nmap/

Pathchar
  Brief Description: This is a network tool for inferring the characteristics of Internet paths, including Layer 3 hops, bandwidth capacity, and autonomous system information.
  Remarks: For further details, visit: http://ee.lbl.gov/

Ping
  Brief Description: This is a standard network utility to send ICMP packets to a target host.
  Remarks: For further details, visit: http://www.controlscan.com/auditingtools.html#

ScanSSH
  Brief Description: This supports scanning a list of addresses and networks for open proxies, SSH Protocol servers, and Web and SMTP servers. Where possible, it displays the version number of the running services. ScanSSH supports the following features:
  • variable scanning speed: by default, ScanSSH sends out 100 probes per second;
  • open proxy detection;
  • random sampling: it is possible to randomly sample hosts on the Internet.
  Remarks: The first version of the ScanSSH Protocol scanner was released in September 2000. For further details and downloading the current version, visit: http://www.monkey.org/~provos/scanssh/

SMBclient
  Brief Description: This helps a client to talk to an SMB (Samba, Windows File Sharing) server. Operations include getting files from the server, putting files on the server, retrieving directory information, and much more. It is an open-source/free software suite that has, since 1992, provided file and print services to all types of SMB/common Internet file system (CIFS) clients, including the numerous versions of Microsoft Windows operating systems. Samba is freely available under the GNU General Public License.

SMTPscan
  Brief Description: This is a tool to determine the type and version of a remote Simple Mail Transfer Protocol (SMTP) mail server based on active probing and analyzing error codes of the target SMTP server.
  Remarks: For further details, visit: http://www.greyhats.org/outils/smtpscan/

TCPdump
  Brief Description: It is a network tool for the protocol packet capture and dumper program.
  Remarks: For further details, visit: http://ee.lbl.gov/

TCPreplay
  Brief Description: This is a utility to read captured TCPdump/pcap data and "replay" it back onto the network at arbitrary speeds. TCPreplay is a suite of licensed tools written by Aaron Turner for Unix operating systems. It gives you the ability to use previously captured traffic to test a variety of network devices. It allows you to classify traffic as client or server; rewrite open system interconnection (OSI) Layers 2, 3 and 4 headers; and finally replay the traffic back onto the network and through other devices such as switches, routers, firewalls, network-based intrusion detection system (NIDS), and intrusion prevention system (IPS). TCPreplay supports both single and dual NIC modes for testing both sniffing and inline devices. TCPreplay is used by numerous firewalls, IDS, IPS, and other networking vendors, enterprises, universities, laboratories, and open-source projects.
  Remarks: The TCPreplay suite includes the following tools:
  • TCPprep: It is a multipass packet capture (pcap) file preprocessor which determines packets as client or server and creates cache files used by TCPreplay and TCPrewrite.
  • TCPrewrite: It is a pcap file editor which rewrites TCP/IP and Layer 2 packet headers.
  • TCPreplay: It replays pcap files at arbitrary speeds onto the network.
  • TCPreplay-edit: It replays and edits pcap files at arbitrary speeds onto the network.
  • TCPbridge: It bridges two network segments with the power of TCPrewrite.
  For further details, visit: http://tcpreplay.synfin.net/trac/

THC-Amap
  Brief Description: This is a scanner to remotely fingerprint and identify network applications and services.
  Remarks: For further details, visit: http://freeworld.thc.org/releases.php

Traceroute
  Brief Description: This is a standard network utility to trace the logical path to a target host by sending ICMP or UDP packets with incrementing time-to-live (TTL) values.
  Remarks: For further details, visit: http://ee.lbl.gov/

URLsnarf
  Brief Description: This is a network auditing tool to capture HTTP traffic on a local subnet.
  Remarks: For further details, visit: http://monkey.org/~dugsong/dsniff/

XProbe2
  Brief Description: This is a tool employing several techniques to actively fingerprint the operating system of a target host.
  Remarks: For further details, visit: http://www.sys-security.com/html/projects/X.html

Note: IP is Internet Protocol here.
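The Arphound row above describes the events a LAN monitor reports (IP/MAC pairs, IP changes, conflicts, ARP spoofing). The following is an added example, not code from the book or from Arphound, showing how a defender would derive those events from a stream of ARP replies. The gateway address, the sequence numbers and every reply in the sample are constructed for the example; on a real segment the same logic would be fed by a packet capture.

```python
"""ARP-table anomaly detection of the kind Arphound reports (Table 2.2).

Added example, not code from the book or from Arphound. It replays a
constructed list of ARP 'is-at' replies and flags the events a LAN defender
would want to see: an IP whose MAC binding changes, the gateway's binding
changing (the classic man-in-the-middle sign), and one MAC claiming several
IPs. The gateway address and all sample data are assumptions.
"""
from collections import defaultdict

GATEWAY_IP = "10.0.0.1"  # assumed default gateway of the constructed LAN

# Constructed sample traffic: (sequence number, sender IP, sender MAC) taken
# from ARP replies as a sniffer on the segment would see them.
SAMPLE_ARP_REPLIES = [
    (1, "10.0.0.1",  "00:11:22:33:44:01"),  # gateway answers normally
    (2, "10.0.0.20", "00:11:22:33:44:20"),
    (3, "10.0.0.21", "00:11:22:33:44:21"),
    (4, "10.0.0.1",  "00:11:22:33:44:21"),  # gateway IP now claimed by .21's MAC
    (5, "10.0.0.20", "00:11:22:33:44:20"),  # consistent repeat: no event
    (6, "10.0.0.22", "00:11:22:33:44:21"),  # same MAC claims yet another IP
]


def analyze_arp(replies, gateway_ip):
    """Walk ARP replies in order and collect anomaly events.

    Event kinds:
      ip_change      an IP previously bound to one MAC is now claimed by another
      gateway_spoof  the same, but the IP is the gateway
      mac_multi_ip   a single MAC has now claimed more than one IP
    Returns (events, ip_to_mac) where ip_to_mac is the final binding table.
    """
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    events = []
    for seq, ip, mac in replies:
        mac = mac.lower()
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            kind = "gateway_spoof" if ip == gateway_ip else "ip_change"
            events.append({"seq": seq, "kind": kind, "ip": ip,
                           "old_mac": previous, "new_mac": mac})
        ip_to_mac[ip] = mac
        # Only report a MAC's IP set when it actually grows, to avoid
        # repeating the same alert on every consistent reply.
        if ip not in mac_to_ips[mac]:
            mac_to_ips[mac].add(ip)
            if len(mac_to_ips[mac]) > 1:
                events.append({"seq": seq, "kind": "mac_multi_ip", "mac": mac,
                               "ips": sorted(mac_to_ips[mac])})
    return events, ip_to_mac


def count_by_kind(events):
    """Summarize events as {kind: count}, handy for a dashboard or alert."""
    counts = defaultdict(int)
    for event in events:
        counts[event["kind"]] += 1
    return dict(counts)


if __name__ == "__main__":
    found, table = analyze_arp(SAMPLE_ARP_REPLIES, GATEWAY_IP)
    for event in found:
        print(event)
    print("final bindings:", table)
    print("summary:", count_by_kind(found))
```

A gateway_spoof event is the one to treat as urgent: after reply 4 every host that refreshed its ARP cache sends traffic for the gateway to the MAC ending in :21. The mac_multi_ip event is weaker evidence on its own (a host with virtual IPs looks the same), which is why the two kinds are kept separate rather than collapsed into one "spoofing" alert.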
ina Godbole (2009), Information Systems Security: Security Management, Metrics, Frameworks and Best Practices (Table 35.2), 2.2.4 Scanning and Scrutinizing Gathered Information Scanning is a key step to examine intelligently while gathering information about the target. The object” of scanning are as follows: 1. Port scanning: Identify open/close ports and services. Refer to Box 2.5. Network scanning: Understand IP Addresses and related inform: systems 3. Vulnerability scanning: Understand the existing weaknesses in the system. Box 2.5 Ports and Ports Scanning universally to communicate on th from 2° to 2"* for binary address Cale york 11 about the computer ner ite A port is an interface on a computer to which one can connect a device. TCP/IP Protocol suite made out of the two protocols, TCP and UDP. is used Each of these has ports 0 through 65536 (i.€., the range is The port numbers are divided into three ranges fe interne! ulation: Cyberoffenses: How Criminals Plan Them 59 Box 2.5 \ Ports and Ports... (Continued) 1, Well-known ports (trom 0 to 1023); 2. registered ports; 3. 
dynamic and/or private ports the Es of wot ‘known por T numbers and short description about the services offered by each of these Table 2.3 | Well-known port numbers Port Port Description Ee a tuoeee Number Nansber 1 TCP port service multiplexer 118 Structured query language (TCPMUX) (SQL) services 5 Remote job entry (RJE) 9 NNTP (Newsgroup) 7 ECHO 137 NetBIOS name service 18 Message Send Protocol (MSP) 139 NetBIOS datagram service 20 FTP - Data 143 Internet Message Access Protocol (IMAP) a FTP Control 150 NetBIOS session service 2 Secure shell (SSH) remote 156 SQL server log-in protocol 23 Telnet 161 Simple Network Management Protocol (SNMP) 25 Simple Mail Transfer Protocol 179 Border Gateway Protecol (BGP) (SMTP) 29 MSG ICP 190 Gateway Access Control Protocol (GAcP) 37 Time 194 Internet relay char (IRC) 42 Namesery (host name server) 197 Directory location service (DLS) 43 WHOIS 389 Lightweight Directory Access Protocol (LDAP) 49 Log-in (log-in host protocol) 396 Novell nerwate over 1? 53 Domain name system (DNS) 443 Secure Hypertext Transfer Protocol (S-HTTP) 69 ‘Trivial File Transfer Protocol 444 Simple Network Paging Protocol (TFTP) (SNPP) 70 Gopher services 445 Microsoft-DS 79 Finger 458 Apple quick time 80 HTTP 546 DHCP client 103 X.400 Standard 347 DHCP server 108 SINA gateway access server 563 SNEWS 109 por2 569 MSN 0 PoP3 1080 Socks 15 Simple File Transfer Protocol (SFIP) Source: Nina Godbole (2009), /nformation Systems Security: Security Management, Metrics, Frameworks and Best Practices (Chapter 35, p. 774), Wiley India. tanding Cyber Crimes, Computer Forensics and Legal Perspectives Box 2.5\ Ports and Ports ee - ————— — There are some well-known IP ports (0-999) that require scanning owing to vulnerabilities known abou, them. In TCP/IP and UDP networks, a port is an endpoint to a logical connection and the way Client program specifies o specific server program on a computer in a network. 
Some ports have number, thot are preossioned to them by the Intemet Assigned Numbers Authority ANA, ON organization, working under the auspices of the Inteine! Architecture Board (1AB), responsible for assigning ney, Intemet-wide IP oddresses Deoee sea potts olong with the services run on them. Although public server are important for communication and data transfer over the Interriet, they open the door to poten. tial security breaches by threat agents, such as malicious hackers. Vulnerability scanning employs software that seeks out security flaws based on a database of known flaws, testing systems for the occurence of these flaws, and generating a report of the findings that an individual or an enterprise can use 0 tighten the network's security. (Continued) Port Scanning : 4 “port” is ¢ place where information goes into and out of a computer and so, with port scanning one can identify open doors to a computer. Ports are basically entry/exit points that any computer has. 10 be able to communicate with external machines. Each computer is enabled with three or Tore extemal ports, These are the ports used by the computer to communicate with the other com. puters. printer, modem, mouse, video game, scanner, and other peripherals. The important char- acteristic about these “external ports" is that they are indeed external and visible to the naked eye. Port scanning is often one of the fist things an attacker will do when attempting fo penetrate © particular computer. Tools such as Nmap (Table 2.2 lists a few vulnerability assessment fo0\s) offer an automated mechanism for an attacker to not only scan the system to find out what ports are open” (meaning being used), but also help to identify what operating system (OS) is being used by the system. Port scanning is similar to a thief going through your neighborhood and checking every door and window on each house fo see which ones are open and which ones are locked. 
Port scanning is an act of systematically scanning a computer's ports. In technological terms, "port scanning" refers to the act of using various open-ended technologies, tools, and commands to be able to communicate with another remote computer system or network, in a stealth mode, without being apparent, and be able to obtain certain sensitive information about the functions of the system and the properties of the hardware and the software being used by the remote systems. In a "portscan," a host scans for listening ports on a single target host. In a "portsweep," a host scans multiple hosts for a specific listening port. The result of a scan on a port is usually generalized into one of the following three categories:

1. Open or accepted: The host sent a reply indicating that a service is listening on the port.
2. Closed or not listening: The host sent a reply indicating that connections will be denied to the port.
3. Filtered or blocked: There was no reply from the host.

The TCP/IP suite of protocols is used to communicate with other computers using specific message formats. Most of these protocols are tied to specific port numbers that are used to transfer particular message formats as data. Security administrators as well as attackers keep a special eye on a few well-known ports and the protocols associated with them:

1. Ports 20 and 21 - File Transfer Protocol (FTP) - are used for uploading and downloading of information.
2. Port 25 - Simple Mail Transfer Protocol (SMTP) - is used for sending/receiving E-Mails.
3. Port 23 - Telnet Protocol - is used to connect directly to a remote host.
4. Port 80 - is used for Hypertext Transfer Protocol (HTTP).
5. Internet Control Message Protocol (ICMP) - it does not have a port abstraction and is used for checking network errors, for example, ping.
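The portscan/portsweep distinction above is also what a defender looks for in firewall or flow logs. The following Python is an added example, not code from the book or from any tool it names: it groups constructed, hypothetical log lines per source address, flags a source that touches many ports on one host as a portscan and a source that touches one port on many hosts as a portsweep, and counts the open/closed/filtered replies each source received. The log format and the thresholds are assumptions.

```python
"""Classify connection attempts as a portscan, a portsweep or normal traffic.

Added example (not from the book). In a "portscan" one host probes many
ports on a single target; in a "portsweep" one host probes one port across
many targets. The reply recorded for each probe maps to the three categories
in the text: "open" (service answered), "closed" (connection refused) and
"filtered" (no reply at all).
"""
import re
from collections import defaultdict

# Constructed sample log lines in a hypothetical firewall format.
SAMPLE_LOG = """\
2009-04-02T20:01:01 src=10.0.0.5 dst=192.168.1.10 dport=21 result=closed
2009-04-02T20:01:01 src=10.0.0.5 dst=192.168.1.10 dport=22 result=open
2009-04-02T20:01:02 src=10.0.0.5 dst=192.168.1.10 dport=23 result=closed
2009-04-02T20:01:02 src=10.0.0.5 dst=192.168.1.10 dport=25 result=filtered
2009-04-02T20:01:03 src=10.0.0.5 dst=192.168.1.10 dport=80 result=open
2009-04-02T20:01:03 src=10.0.0.5 dst=192.168.1.10 dport=110 result=closed
2009-04-02T20:01:04 src=10.0.0.5 dst=192.168.1.10 dport=139 result=filtered
2009-04-02T20:01:04 src=10.0.0.5 dst=192.168.1.10 dport=443 result=open
2009-04-02T20:02:10 src=10.0.0.9 dst=192.168.1.11 dport=445 result=closed
2009-04-02T20:02:10 src=10.0.0.9 dst=192.168.1.12 dport=445 result=open
2009-04-02T20:02:11 src=10.0.0.9 dst=192.168.1.13 dport=445 result=filtered
2009-04-02T20:02:11 src=10.0.0.9 dst=192.168.1.14 dport=445 result=closed
2009-04-02T20:02:12 src=10.0.0.9 dst=192.168.1.15 dport=445 result=open
2009-04-02T20:02:12 src=10.0.0.9 dst=192.168.1.16 dport=445 result=closed
2009-04-02T20:03:00 src=10.0.0.7 dst=192.168.1.10 dport=80 result=open
2009-04-02T20:03:30 src=10.0.0.7 dst=192.168.1.10 dport=443 result=open
"""

LINE_RE = re.compile(
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) result=(?P<result>\w+)"
)


def parse_log(text):
    """Yield (src, dst, dport, result) tuples; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["src"], m["dst"], int(m["dport"]), m["result"]


def classify_sources(text, port_threshold=5, host_threshold=5):
    """Return {src: verdict} with verdict "portscan", "portsweep" or "normal".

    portscan : one source touched >= port_threshold distinct ports on one host.
    portsweep: one source touched the same port on >= host_threshold hosts.
    """
    ports_by_dst = defaultdict(lambda: defaultdict(set))   # src -> dst -> {ports}
    dsts_by_port = defaultdict(lambda: defaultdict(set))   # src -> port -> {dsts}
    for src, dst, dport, _result in parse_log(text):
        ports_by_dst[src][dst].add(dport)
        dsts_by_port[src][dport].add(dst)

    verdicts = {}
    for src in ports_by_dst:
        max_ports = max(len(p) for p in ports_by_dst[src].values())
        max_hosts = max(len(h) for h in dsts_by_port[src].values())
        if max_ports >= port_threshold:
            verdicts[src] = "portscan"
        elif max_hosts >= host_threshold:
            verdicts[src] = "portsweep"
        else:
            verdicts[src] = "normal"
    return verdicts


def reply_profile(text, src):
    """Return {result: count} for one source: how the probed hosts answered it."""
    profile = defaultdict(int)
    for s, _dst, _dport, result in parse_log(text):
        if s == src:
            profile[result] += 1
    return dict(profile)


if __name__ == "__main__":
    for src, verdict in sorted(classify_sources(SAMPLE_LOG).items()):
        print(src, verdict, reply_profile(SAMPLE_LOG, src))
```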
Open ports present two vulnerabilities of which administrators must be wary:

1. Vulnerabilities associated with the program that is delivering the service.
2. Vulnerabilities associated with the OS that is running on the host.

Closed ports present only the latter of the two vulnerabilities that open ports do. Blocked ports do not present any reasonable vulnerabilities. There is also the possibility that there are no known vulnerabilities in either the software (program) or the OS at the given time.

The scrutinizing phase is always called "enumeration" in the hacking world. The objective behind this step is to identify:

1. The valid user accounts or groups;
2. network resources and/or shared resources;
3. OS and different applications that are running on the OS.

Most of the tools listed in Table 2.2 are used for computer network scanning as well. Usually, most of the attackers consume 90% of the time in scanning, scrutinizing and gathering information on a target and 10% of the time in launching the attack.

2.2.5 Attack (Gaining and Maintaining the System Access)

After the scanning and enumeration, the attack is launched using the following steps:

1. Crack the password (we will address it in Chapter 4);
2. exploit the privileges;
3. execute the malicious commands/applications;
4. hide the files (if required);
5. cover the tracks - delete the access logs, so that there is no trail of illicit activity.

2.3 Social Engineering

Social engineering is the "technique to influence" and "persuasion to deceive" people to obtain the information or perform some action. Social engineers exploit the natural tendency of a person to trust the social engineer's word, rather than exploiting computer security holes. It is generally agreed that people are the weak link in security and this principle makes social engineering possible.
A social engineer usually uses telecommunication (i.e., telephone and/or cell phone) or the Internet to get people to do something that is against the security practices and/or policies of the organization. Social engineering involves gaining sensitive information or unauthorized access privileges by building inappropriate trust relationships with insiders. It is an art of exploiting the trust of people, which is not doubted while speaking in a normal manner. The goal of a social engineer is to fool someone into providing valuable information or access to that information. The social engineer studies human behavior so that people will help because of the desire to be helpful, the attitude to trust people, and the fear of getting into trouble. The sign of truly successful social engineers is that they receive information without any suspicion.

Box 2.6 | Social Engineering Example

Mr. Joshi: Hello?
The Caller: Hello, Mr. Joshi. This is Geeta Thomas from Tech Support. Due to some disk space constraints on the file server, we will be moving a few users' home directories to another disk. This activity will be performed tonight at 8:00 p.m. Your account will be a part of this move and will be temporarily unavailable.
Mr. Joshi: Ohh ... okay. I will be at my home by then, anyway.
Caller: Great!!! Please ensure to log off before you leave office. We just need to check a couple of things. What is your username?
Mr. Joshi: Username is "pjoshi." None of my files will be lost in the move, right?
Caller: No sir. But we will have to check your account to ensure the same. What is the password of that account?
Mr. Joshi: My password is "ABCD1965."*
Caller: Ok, Mr. Joshi. Thank you for your cooperation. We will ensure that all the files are there.
Mr. Joshi: Thank you. Bye.
Caller: Bye and have a nice day.

* All characters in upper case.
A simple example is calling a user and pretending to be someone from the service desk working on a network issue; the attacker then proceeds to ask questions about what the user is working on, what file shares he/she uses, what his/her password is, and so on (see Box 2.6).

2.3.1 Classification of Social Engineering

Human-Based Social Engineering

Human-based social engineering refers to person-to-person interaction to get the required/desired information. An example is calling the help desk and trying to find out a password.

1. Impersonating an employee or valid user: "Impersonation" (e.g., posing oneself as an employee of the same organization) is perhaps the greatest technique used by social engineers to deceive people. Social engineers "take advantage" of the fact that most people are basically helpful, so it seems harmless to tell someone who appears to be lost where the computer room is located, or to let someone into the building who "forgot" his/her badge, etc., or pretending to be an employee or valid user on the system.
2. Posing as an important user: The attacker pretends to be an important user - for example, a Chief Executive Officer (CEO) or high-level manager who needs immediate assistance to gain access to a system. The attacker uses intimidation so that a lower-level employee such as a help-desk worker will help him/her in gaining access to the system. Most of the low-level employees will not ask any question to someone who appears to be in a position of authority.
3. Using a third person: An attacker pretends to have permission from an authorized source to use a system. This trick is useful when the supposed authorized personnel is on vacation or cannot be contacted for verification.
4. Calling technical support: Calling the technical support for assistance is a classic social engineering technique. Help-desk and technical support personnel are trained to help users, which makes them good prey for social engineering attacks.

Shoulder surfing refers to "using direct observation techniques, such as looking over someone's shoulder, to get information." Look around your desk when you enter your passwords. The attacker may be right next to you. Social engineering may start right at work!!!

Figure 2.3 | Social engineering - shoulder surfing.

5. Shoulder surfing: It is a technique of gathering information such as usernames and passwords by watching over a person's shoulder while he/she logs into the system, thereby helping an attacker to gain access to the system (Fig. 2.3).
6. Dumpster diving: It involves looking in the trash for information written on pieces of paper or computer printouts. This is a typical North American term; it is used to describe the practice of rummaging through commercial or residential trash to find useful free items that have been discarded. It is also called dumpstering, binning, trashing, garbing or garbage gleaning. "Scavenging" is another term to describe these habits. In the UK, the practice is referred to as "binning" or "skipping" and the person doing it is a "binner" or a "skipper." In practice, dumpstering is more like fishing around than diving in. Usually, people dumpster dive to search the items, to reclaim those which have been disposed of but can still be put to further use, for example, E-Waste, furniture, clothes, etc. The term "dumpster diving" may have originated from the notional image of someone leaping into large rubbish bins, the best known of which are produced under the name "dumpster." "Scavenging" is the equivalent of "dumpster diving" in the digital world. It is a form in which discarded articles and information are scavenged in an attempt to obtain/recover advantageous data, if it is possible to do so.
Consider, for example, going through someone's trash to recover documentation of his/her critical data [e.g., social security number (SSN) in the US, PAN number in India, credit card identity (ID) numbers, etc.]. According to a definition in the glossary of terms for the convoluted terminology of information warfare, "scavenging" means "searching through object residue (e.g., discarded disks, tapes, or paper) to acquire sensitive data without authorization."

Computer-Based Social Engineering

Computer-based social engineering refers to an attempt made to get the required/desired information by using computer software/Internet. For example, sending a fake E-Mail to the user and asking him/her to re-enter a password in a webpage to confirm it.

1. Fake E-Mails: The attacker sends fake E-Mails (see Box 2.7) to numerous users in such a way that the user finds it as a legitimate mail. This activity is also called "Phishing" (we shall address it in Chapter 5). It is an attempt to entice the Internet users (netizens) to reveal their sensitive personal information, such as usernames, passwords and credit card details by impersonating a trustworthy and legitimate organization and/or an individual. Banks, financial institutes and payment gateways are the common targets. Phishing is typically carried out through E-Mails or instant messaging and often directs users to enter details at a website, usually designed by the attacker to mimic the look and feel of the original website. Thus, Phishing is also an example of social engineering techniques used to fool netizens. The term "Phishing" has evolved from the analogy that Internet scammers are using E-Mail lures to fish for passwords and financial data from the sea of Internet users (i.e., netizens). The term was coined in 1996 by hackers who were stealing AOL Internet accounts by scamming passwords without the knowledge of AOL users.
As hackers have a tendency of replacing "f" with "ph," the term "Phishing" came into being.

Box 2.7 | Fake E-Mails

Free websites are available to send fake E-Mails. From Fig. 2.4, one can notice that "To" in the text box is a blank space. Hence, anyone can fill in any E-Mail address with the intention of fooling the receiver of the E-Mail. In such a case, when the receiver reads the mail, he/she would think that the E-Mail has been received from a legitimate sender.

Figure 2.4 | Sending fake E-Mails (screenshot of the sending form; its notice reads: "We will never ever send you junk E-Mail, or give your E-Mail address away to anyone. We hate Spam at least as much as you do - maybe more (and that's why this page can't be used by spammers to send bulk E-Mail or any other funny stuff)"). Source: http://deadtake.com/Send.aspx (2 April 2009).

2. E-Mail attachments: E-Mail attachments are used to send malicious code to a victim's system, which will automatically get executed (e.g., a keylogger utility to capture passwords). Viruses, Trojans, and worms can be included cleverly into the attachments to entice a victim to open the attachment. We will address keyloggers, viruses, Trojans, and worms in Chapter 4.
3. Pop-up windows: Pop-up windows are also used, in a similar manner to E-Mail attachments. Pop-up windows with special offers or free stuff can encourage a user to unintentionally install malicious software.

Social engineering indeed is a serious concern as revealed by the following past statistics:

1. As per Microsoft Corporation's recent (October 2007) research, there is an increase in the number of security attacks designed to steal personal information (PI) or the instances of tricking people to provide it through social engineering. According to an FBI survey, on average 41% of security-related losses are the direct result of employees stealing information from their companies. The average cost per internal incident was US$ 1.8 million.
2. The Federal Trade Commission (FTC) report of 2005 shows that "more than one million consumer fraud and ID theft complaints have been filed with federal, state, and local law enforcement agencies and private organizations" (2005, Consumer Fraud and Identity Theft section, para 1; we will discuss ID Theft in Chapter 5). According to a 2003 survey [released on 2 April 2006 by the United States Department of Justice (Identity Theft Hits Three Percent, para 1)], "An estimated 3.6 million - or 3.1% - of American households became victims of ID theft in 2004." This means that now, more than ever, individuals are at a high risk of having their PI stolen and used by criminals for their own personal gain.

Typically, many organizations have information valuable enough to justify expensive protection mechanisms/security mechanisms. Critical information may include patient records in the medical and healthcare domain [known as protected health information (PHI)], corporate financial data, electronic funds transfers, access to financial assets in the financial services domain, and PI about clients or employees. Compromising critical information can have serious consequences, including the loss of customers, criminal actions being brought against corporate executives, civil law cases against the organization, loss of funds, loss of trust in the organization, and collapse of the organization. To respond to the threats, organizations implement InfoSec plans to establish control of information assets. However, "social engineers" try to devise a way to work around this to obtain the valuable information, an illicit act on ethical grounds.

Social engineering succeeds by exploiting the trust of the victim. Hence, continuous training/awareness sessions about such attacks are one of the effective countermeasures.
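Box 2.7 shows that the visible sender of an E-Mail can be filled in freely, and the computer-based example above is a mail that asks the reader to re-enter a password. As an added example, not code from the book, the Python below parses two constructed messages with the standard library and reports the inconsistencies a mail gateway or an awareness tool could surface: a display name carrying an address from a different domain than the real From, a Reply-To or Return-Path in another domain, and a body asking the reader to re-enter or confirm a password. All domains, addresses and the signal threshold are placeholders chosen for illustration.

```python
"""Header and body checks for a fake (spoofed) E-Mail.

Added example, not from the book: two constructed messages are parsed with
the standard library and scored on signals that a mail gateway or an
awareness tool can show to the reader. All domains and addresses below are
placeholders.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed: the display name shows a bank address, but the real sender,
# the Reply-To and the envelope sender (Return-Path) all live elsewhere.
SPOOFED_MESSAGE = """\
Return-Path: <bounce@bulkmailer.example>
From: "security@bank.example" <alerts@freemail.example>
Reply-To: verify-account@freemail-reply.example
To: <pjoshi@corp.example>
Subject: Confirm your password

Please re-enter your password on the page below to confirm it.
"""

# Constructed: a consistent internal notice that never asks for a password.
LEGIT_MESSAGE = """\
Return-Path: <noreply@corp.example>
From: "Tech Support" <support@corp.example>
To: <pjoshi@corp.example>
Subject: Planned maintenance tonight

Home directories will be moved tonight at 8:00 p.m. Nobody will ask for your password.
"""

# "re-enter", "confirm" or "verify" within 60 characters of "password".
PASSWORD_REQUEST_RE = re.compile(
    r"\b(re-?enter|confirm|verify)\b.{0,60}\bpassword\b", re.I | re.S)


def domain_of(header_value):
    """Lower-cased domain of the address in a header value ('' if none)."""
    _name, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def spoofing_signals(raw_message):
    """Return a list of human-readable signals found in one raw message.

    Assumes a single-part text message; multipart bodies are not inspected.
    """
    msg = message_from_string(raw_message)
    signals = []
    from_header = msg.get("From", "")
    from_domain = domain_of(from_header)
    display_name, _addr = parseaddr(from_header)

    # 1. The display name carries an address whose domain is not the real From domain.
    embedded = re.search(r"[\w.+-]+@([\w.-]+)", display_name)
    if embedded and embedded.group(1).lower() != from_domain:
        signals.append("display name shows an address from another domain than From")

    # 2. Replies are steered to a different domain than the visible sender.
    reply_domain = domain_of(msg.get("Reply-To"))
    if reply_domain and reply_domain != from_domain:
        signals.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    # 3. The envelope sender does not match the visible From domain.
    return_domain = domain_of(msg.get("Return-Path"))
    if return_domain and return_domain != from_domain:
        signals.append(f"Return-Path domain {return_domain} differs from From domain {from_domain}")

    # 4. The body asks the reader to re-enter or confirm a password (the lure in the text).
    body = msg.get_payload() if not msg.is_multipart() else ""
    if PASSWORD_REQUEST_RE.search(body):
        signals.append("body asks the reader to re-enter or confirm a password")
    return signals


def is_suspicious(raw_message, minimum_signals=2):
    """True when at least minimum_signals independent signals are present."""
    return len(spoofing_signals(raw_message)) >= minimum_signals


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_MESSAGE), ("legit", LEGIT_MESSAGE)):
        print(label, is_suspicious(raw), spoofing_signals(raw))
```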
Strict policies about service desk staff never asking for personally identifying information, such as usernames and passwords, over the phone or in person can also educate potential victims and help them recognize a social engineering attempt. Social engineering and dumpster diving are also considered passive information-gathering methods.

2.4 Cyberstalking

The dictionary meaning of "stalking" is an "act or process of following prey stealthily - trying to approach somebody or something." Cyberstalking has been defined as the use of information and communications technology, particularly the Internet, by an individual or group of individuals to harass another individual, group of individuals, or organization. The behavior includes false accusations, monitoring, transmission of threats, ID theft, damage to data or equipment, solicitation of minors for sexual purposes, and gathering information for harassment purposes. Cyberstalking refers to the use of the Internet and/or other electronic communications devices to stalk another person. It involves harassing or threatening behavior that an individual will conduct repeatedly, for example, following a person, visiting a person's home and/or business place, making phone calls, leaving written messages, or vandalizing the person's property. As the Internet has become an integral part of our personal and professional lives, cyberstalkers take advantage of the ease of communication and the increased access to personal information available with a few mouse clicks or keystrokes.

2.4.1 Types of Stalkers

There are primarily two types of stalkers.

1. Online stalkers: They aim to start the interaction with the victim directly with the help of the Internet.
E-Mail and chat rooms are the most popular communication media to get connected with the victim, rather than using traditional instrumentation like telephone/cell phone. The stalker makes sure that the victim recognizes the attack attempted on him/her. The stalker can make use of a third party to harass the victim.
2. Offline stalkers: The stalker may begin the attack using traditional methods such as following the victim, watching the daily routine of the victim, etc. Searching on message boards/newsgroups, personal websites, and people-finding services or websites are the most common ways to gather information about the victim using the Internet (see Table 2.1). The victim is not aware that the Internet has been used to perpetuate an attack against them.

2.4.2 Cases Reported on Cyberstalking

The majority of cyberstalkers are men and the majority of their victims are women. Some cases also have been reported where women act as cyberstalkers and men as the victims, as well as cases of same-sex cyberstalking. In many cases, the cyberstalker and the victim hold a prior relationship, and the cyberstalking begins when the victim attempts to break off the relationship, for example, ex-lover, ex-spouse, boss/subordinate, and neighbor. However, there also have been many instances of cyberstalking by strangers.

2.4.3 How Stalking Works?

It is seen that stalking works in the following ways:

1. Personal information gathering about the victim: Name; family background; contact details such as cell phone and telephone numbers (of residence as well as of the office); address of residence as well as of the office; E-Mail address; date of birth, etc.
2. Establish a contact with the victim through telephone/cell phone. Once the contact is established, the stalker may make calls to the victim to threaten/harass.
3. Stalkers will almost always establish a contact with the victims through E-Mail. The letters may have the tone of loving, threatening or can be sexually explicit.
The stalker may use multiple names while contacting the victim.
4. Some stalkers keep on sending repeated E-Mails asking for various kinds of favors or threaten the victim.

Box 2.8 | Cyberbullying

The National Crime Prevention Council defines Cyberbullying as "when the Internet, cell phones or other devices are used to send or post text or images intended to hurt or embarrass another person." www.StopCyberbullying.org, an expert organization dedicated to Internet safety, security, and privacy, defines cyberbullying as "a situation when a child, tween, or teen is repeatedly 'tormented, threatened, harassed, humiliated, embarrassed, or otherwise targeted' by another child, tween, or teen using text messaging, E-Mail, instant messaging, or any other type of digital technology." The practice of cyberbullying is not limited to children and, while the behavior is identified by the same definition in adults, the distinction in age groups is referred to as cyberstalking or cyberharassment when perpetrated by adults toward adults.

Source: http://en.wikipedia.org/wiki/Cyber-bulling (2 April 2009).

5. The stalker may post the victim's personal information on any website related to illicit services such as sex-workers' services or dating services, posing as if the victim has posted the information, and invite people to call the victim on the given contact details (telephone numbers/cell phone numbers/E-Mail address) to have sexual services. The stalker will use bad and/or offensive/attractive language to invite the interested persons.
6. Whosoever comes across the information starts calling the victim on the given contact details (telephone/cell phone nos.), asking for sexual services or relationships.
7. Some stalkers subscribe/register the E-Mail account of the victim to innumerable pornographic and sex sites, because of which the victim will start receiving such kind of unsolicited E-Mails (refer to Chapter 5).
2.4.4 Real-Life Incident of Cyberstalking

Case Study

The Indian police have registered the first case of cyberstalking in Delhi - a brief account of the case is given here. To maintain confidentiality and privacy of the entities involved, we have changed their names.

Mrs. Joshi received almost 40 calls in 3 days, mostly at odd hours, from as far away as Kuwait, Cochin, Bombay, and Ahmadabad. The said calls created havoc in the personal life and destroyed the mental peace of Mrs. Joshi, who decided to register a complaint with Delhi Police.

A person was using her ID to chat over the Internet at the website www.mirc.com, mostly in the Delhi channel, for four consecutive days. This person was chatting on the Internet, using her name and giving her address, talking in obscene language. The same person was also deliberately giving her telephone number to other chatters, encouraging them to call Mrs. Joshi at odd hours.

This was the first time a case of cyberstalking was registered. Cyberstalking does not have a standard definition, but it can be defined to mean threatening, unwarranted behavior, or advances directed by one person toward another person using the Internet and other forms of online communication channels as the medium.

2.5 Cybercafe and Cybercrimes

In February 2009, a Nielsen survey on the profile of cybercafe users in India found that 90% of the audience, across eight cities and 3,500 cafes, were male and in the age group of 15-35 years; 52% were graduates and postgraduates, though almost over 50% were students. Hence, it is extremely important to understand the IT security and governance practiced in the cybercafes.
Over the past several years, many instances of misuse of cybercafes have been reported in India. Cybercrimes such as stealing of bank passwords and subsequent fraudulent withdrawal of money have also happened through cybercafes. Cybercafes have also been used regularly for sending obscene mails to harass people.

Public computers, usually referring to the systems available in cybercafes, hold two types of risks. First, we do not know what programs are installed on the computer - that is, the risk of malicious programs such as keyloggers or Spyware (we will discuss it in Chapter 4), which may be running in the background and can capture the keystrokes to know the passwords and other confidential information and/or monitor the browsing behavior. Second, over-the-shoulder peeping (i.e., shoulder surfing) can enable others to find out the passwords. Therefore, one has to be extremely careful about protecting his/her privacy on such systems, as one does not know who will use the computer after him/her.

Indian Information Technology Act (ITA) 2000 (it is discussed in great detail in Chapter 6) does not

• Go to Tools -> Internet options -> click the Content tab -> click AutoComplete. If the checkboxes for passwords are selected, deselect them. Click OK twice.
• After you have finished browsing, you should clear the history and temporary Internet files folders. For this, go to Tools -> Internet options again -> click the General tab -> go to Temporary Internet Files -> click Delete Files and then click Delete Cookies.
• Then, under History, click Clear History. Wait for the process to finish before leaving the computer.

4. Be alert: One has to stay alert and aware of the surroundings while using a public computer. Snooping over the shoulder is an easy way of getting your username and password.
5. Avoid online financial transactions: Ideally one should avoid online banking, shopping or other transactions that require one to provide personal, confidential and sensitive information such as credit card or bank account details.
In case of urgency one has to do it; however, one should take the precaution of changing all the passwords as soon as possible. One should change the passwords using a more trusted computer, such as at home and/or in the office.
6. Change passwords: The screenshot displayed in Fig. 2.5 by ICICI Bank about changing the bank account/transaction passwords is the best practice to be followed.
7. Virtual keyboard: Nowadays almost every bank has provided a virtual keyboard on its website. The advantage of utilizing the virtual keyboard and its functions are displayed in the screenshot shown in Fig. 2.6.
8. Security warnings: One should take utmost care while accessing the websites of any banks/financial institutions. The screenshot in Fig. 2.7 displays security warnings very clearly (marked in a bold rectangle), and these should be followed while accessing these financial accounts from a cybercafe.
