Asian School of Cyber Laws, Pune (ASCL)

I came across this article today at the ASCL Cyber Laws website, several posts today are based on articles from this Asian Cyber Crimes Law School site. This particular article has prompted me to add my extensive in-line comments. Interested readers are advised to read my HACKING COMPLAINT and associated rejoinders after perusing this article and my comments.

---

Banking Frontiers September, 2002

by Rohas Nagpal, Asian School of Cyber Laws

MYTH 1 – “Email messages are confidential can be trusted”.

In a world where email spoofing is literally becoming child’s play this statement is no longer a myth – it is a lie. In the past email spoofing, where an email appears to be sent by someone but has actually been sent by some other person, has brought many to financial ruin.

Take the case of an Indian bank which recently faced a run because email, supposedly sent by its manager, informed customers that the bank was facing financial troubles. In another case, a Pune based businessman was conned out of Rs 10 lakhs by a Nigerian who was pretending to be the Vice President of the African Development Bank. The businessman trusted the senders email address as was showing in the email that he received.

The only way to protect yourself is to digitally sign and encrypt all email messages.

---

YEAH, except that it costs Rs.25,000 to obtain a digital signature with umpteen hassles and paperwork every year. PLUS every computer in every Bank branch will need a unique digital signature => loads of revenue for the government.

MYTH 2 – “We have firewalls installed. We are totally safe.”

Untrue. In reality almost all firewalls, in the past, have been broken into. Bugs have been discovered in some of the best firewalls in the world. A new version is introduced as soon as the bugs in the earlier version become public. Then a newer version is introduced as soon as the bugs in the earlier version become public and so on…

Instead of trying to secure your position by installing criminally expensive firewalls, prefer using Virtual Private Networks based on Public Key Infrastructure.

---

So what if VPNs are illegal in India, and that DoT only allows maximum 40 bit encryption ?

MYTH 3 – “We are using the best antivirus. There’s no way we can get infected”.

Now let us face the facts. Suppose your company buys the latest anti-virus package. The anti-virus company provides you with regular updates. So, you update once a month. Each day 30-50 new viruses are created and released into ‘the wild”. What if you get infected between upgrades? Anti-viruses, and by this we mean all anti viruses work on a reactive basis. So first the virus attacks then the patch is made. No anti-virus anticipates the new viruses it will have to face.

To drive home the point, consider that case of the idiot virus. This virus would scan all your communication and wherever it found the words Sir or Madam it would change them to IDIOT. Imagine bank statements going out to thousand of customers that start with the words “Dear Idiot,”!

Another virus, the ILOVEYOU virus, enjoys the distinction of having been the most prevalent virus in the world. This virus was created in the Visual Basic language. Losses incurred due to this virus were pegged at US $ 10 billion! The virus used the addresses in the victim’s Microsoft Outlook and e-mailed itself to those addresses. The email, which was sent out had “ILOVEYOU” in its subject line. The attached file was named “LOVE-LETTER-FOR-YOU.TXT.vbs”. people wary of opening email attachments were conquered by the subject line and those who had some knowledge of viruses, did not notice the tiny .vbs extension and believed the file to be a text file. The message in the email was “kindly check the attached LOVELETTER coming from me”. this virus first selected certain files and then inserts its own code in lieu of the original data contained in the file. This way it creates ever-increasing copies of itself.

The 5% virus – that is what the original version was called. This virus affected mainly financial institutions. Its effect was tht it would take all the figures in your computers and alter them by either increasing or decreasing them by 5%. Later versions changed the percentage of alteration to 1.35 or 2.7% making it even more difficult to trace the alterations.

The solution. Do not blindly trust any anti-virus package. Set down inviolable rules about email attachments – whether they may be opened from office computers or not. No computer that has even remotely important data on it should have any connectivity to the Internet. If this computer is on a network the entire network should have no connection whatsoever with the Internet Employees should not be allowed to use their floppies on office computers.

---

Read my Hacking Complaint and weep to discover that the RBI ONLY permits Banking data to be transferred over floppy disks (??) entered by Bank Employees for their sensitive Electronic Clearing Systems and all Electronic Fund Transfers.

MYTH 4 – “If something is password protected, I bet it cannot be broken into.”

If you make this bet, you’d feel sorry. Most passwords are short and very simple to crack. To stop it most passwords are based on common names, birth dates, telephone numbers etc. these are, of course, the first passwords that any hacker will try. It’s easy enough to crack passwords; such users just make the hacker’s job easier.

The hacker could actually pretend that they are really close to you till you trust them. And obviously, since they are from the rusted gang you wouldn’t think twice about “mistakenly” telling them your password. Why would they possibly want to harm you, right? Then there are those who are experienced in the use of computers but can’t always remember their password. So, what do they do? They put these passwords on POST-IT notes and stick them on their monitors thinking, “No one would really think of looking for passwords there, would they?”

Even if you do not make any of these bloopers, all a hacker would need to break your passwords, is a good password cracker. Just a small piece of trivia – the good crackers are quite capable of checking 75 lakh passwords per second! The best way to avoid such ugly situations….keep long alphanumeric symbolic machine generated passwords (like a_7834ee*A98Y!$%), change passwords frequently and have a well defined organizational password policy.

---

Ho, Ho Ho, Infosys's Finacle Software ran at numerous branches of the Bank of India, and the default system password for many years was "SAFALTA" - BOI's slogan- and the employees either COULDN'T or WOULDN'T change this password.

MYTH 5 – “Operating systems have built in dependable security features”

That one is a joke. It is common knowledge that most operating systems (OS) will provide only a very basic level of security against breaches. If that’s what you are depending on, you might as well present all your critical data to the attackers on a CD ROM. The solution? Do NOT trust only your OS. Use a combination of electronic and information security techniques for data protection.

---

Is this infantile "Myth" even worth replying to?

MYTH 6 – “Once a month, we backup all our data on another drive.”

Big Mistake. Most institutions take regular backups onto another drive. What happens if a virus infects the computer on which regular backups are taken and all the files are destroyed? Backups should be taken in real-time, and additionally stored on removable media like CD-ROMs.

---

GREAT - Rohas would prefer that we backup storage of sensitive Banking information over the Internet? One of my grievances in the Hacking Complaint was that Standard Chartered Bank was storing all their Credit Card information for Indian Credit Card Holders in Malaysia. During the Hearings SCB lawyers refused to disclose where they are storing and maintaining sensitive Banking data on Indian credit card accounts and also where they were backing up their credit card information and also the mandatory information security measures they take. The RBI has f***ed SCB royally after I highlighted this.

MYTH 7 – “Since banks use it, banking software is absolutely bug-free.”

No software is completely bug-free. Time and again hackers have proven this fact much to the chagrin of the banks. The best banking software have been shown to have major flaws. In many cases the software developers deliberately leave flaws or backdoors in the software. And you have to consider the fact these are finally human. They can make mistakes. These vulnerabilities are later exploited to commit huge frauds. This one has no perfect tailor-made solutions. Choose a proven software solution and … pray.

---

SAFALTA at long last


MYTH 8 – “Anyways, if something goes wrong, our team of experts can handle it.”

Wrong. If a security breach occurs, brings in the experts. Do not try to investigate in house. You may end up doing irretrievable damage with nothing to show for it. Electronic evidence is inherently volatile and will disappear if you try to investigate without expert assistance. A team of the FBI’s (USA) topnotch cyber crime investigators raided the premises of a suspect and confiscated his computers. Keep in mind that these guys were some of the best in the world. When they reached their labs and reconnected the computers they found that there was nothing on them.

It was later found that the suspect had put extremely powerful magnetic coils around his door. When the computers were taken through that door, all the data on them was completely deleted and erased!!

---

When my Bank's PC hangs they have to wait for the guy with the AMC contract to walk in and take out the PC with this sensitive information to their "lab" where they can "dissect" the innards at leisure.

MYTH 9 – “OK. If a breach occurs, we will wait for the experts to come in before doing anything?

Wrong again. All your employees should be trained in basic emergency response. A security breach should not create FUD (Fear, Uncertainty or Doubt). All employees should know that panic would not help. They should be well aware of the countermeasures, which will need to be taken. These basic countermeasures are of course dependent upon the systems and software in use.

A bank in London was hacked into. Their intrusion detection system (IDS) immediately alerted them to the breach. The authorities of the bank called in a team of experts for investigation. This team arrivged one and a half hours later. By then the attacker had stolen tons of customer account information and erased most of the evidence. The Computer Emergency Respoonse Team (CERT) later said that had the bank employees disconnected the target computer from the network, 90% of the data could have been saved.

---

Whenever I see my Bankers (a nationalised Bank) I doubt very much if they even know what their systems and software are, leave alone the counter-measures to be taken. The second para fully justifies why are Indian Commies (CPI-M) are absolutely correct when they want to ban automation in the Banking sector.

MYTH 10 – “What’s the point in trying to report anything to the police? They can’t do anything anyway!”

This is one of the most blatant statements of ignorance. Many police departments today are well trained to handle cyber crimes and are aware of the legal provisions. Make sure that the local police are informed as soon as any breach is detected or suspected. If the collection of evidence is not done meticulously and as per the law, the criminals will walk free.

---

THIS IS THE BIGGEST CANARD OF THEM ALL. Run away from the Police as fast as you can. When I went to my local police thana initially to register my Hacking Complaint, the SHO told me "Sa'ab for me and my Investigation Officers IT ACT means Immoral Trafficking (in Women) Act, and me and my boys don't even have a PC and since we don't have a copy of your(!) IT ACT we can't register the FIR." Incidentally FIRs can only be registered by the SHO of Police Station, and going to the Cyber Cells of Police are an exercise in futility and corruption, because the cops there will contact the other side - take money - and then register an absolutely diluted FIR at some pliable police station - as it seems happened in the DPS:MMS-Baazee.com case.