How Cyber Security is implemented

how cybersecurity is important and how to remove cyber security virus and how cyber security is helpful in controlling crime and how to learn cyber security
Dr.MohitBansal,Canada,Teacher
Published Date:26-10-2017
Cyber Crime, Cyber Security and Cyber Warfare

The digital world has become a battleground for the forces of good and evil. There is an ever increasing awareness that the digital world provides an unlimited opportunity to further one’s goals.

Newly constituted police cyber squads battle organized crime groups online in what has become a never ending conflict due to the ability of organized crime to operate remotely through untraceable accounts and an endless supply of compromised computers. Scarce police resources are being redirected to the fight against online crime gangs. The paucity of arrests highlights just how difficult it is to find and bring international criminal gangs that operate on the Internet to justice.

Nation states are constantly battling online to gain a military advantage and to portray opponents as evil hackers in an effort to gain an advantage for their cause in international public perception. Traditional soldiers with guns and bullets have been supplemented by bright young geeks with computers and a tool chest with the latest viruses, worms and malware.

For many people the battle rages around them and they continue their online activities blissfully unaware of the darker side to the Internet. When this dark side crosses over into the lives of ordinary people the effect can be devastating. Protection from online criminal organisations should be a high priority that prompts regular reviews of security and privacy measures.

3.1 You’ve Got Mail: How to Stop Spam and Reduce Cyber Crime

Imagine a world where spam didn’t exist. It isn’t hard to do. Source: David Hegarty [1]

We’ve all received them: emails offering special prices on Viagra, offering fortunes we didn’t know we had, offering links to fantastic websites we simply must visit right away. Annoying as But the technology to stop spam and other undesirable emails not only exists, it’s been around for years.
With cyber crime costing Australia more than a billion dollars a year [2], it’s well and truly time we did something to improve our defences. And what better way to start than by securing email: a piece of technology that most of us use every day.

3.1.1 Cyber-Crime for Dummies

One of the easiest methods for carrying out cyber-crime is to send an unsolicited or spam email which contains: a virus; an attempt to acquire an individual’s sensitive information (known as “phishing” [3]); or some other mechanism for perpetrating internet crime.

The current worldwide email system is based on a standard called the Simple Mail Transport Protocol (SMTP) [4] which was created in 1982 and last updated in 2008. The system has served us well for decades, but it also allows fake emails to be sent and received with no way of tracing them to their point of origin.

In the last 30 years there have been a number of updates to SMTP, including two methods that can be used to improve security and fight spam.

3.1.2 Sign-In to Send

The first update, released in 1995, was an extension of SMTP called SMTP-AUTH [5]. This was introduced to allow authentication of email clients.

Say your email system at work uses SMTP-AUTH. Whenever your email client (such as Microsoft Outlook or Apple Mail) communicates with the server that stores, receives and sends your emails, the server would ask the client for a password. In this way, all email traffic sent through an email server is authenticated and can be traced in the case of fake or malicious emails.

While SMTP-AUTH is a great idea in theory, it hasn’t been adopted in practice because many organisations use email systems that either don’t implement SMTP-AUTH correctly or don’t specify that it should be turned on.
Worryingly, it’s also possible to fake the credentials required by the SMTP-AUTH rules in an email message and, to make matters worse, mail servers may be set up on hijacked computers solely for the purpose of sending fake or malicious emails. As a result, SMTP-AUTH is practically useless if used alone.

SPAM song by Monty Python [6]. Spam…not always what the discerning customer wants.

3.1.3 Lockdown

The second extension to SMTP that can be used to fight spam—Secure SMTP (also known as SMTPS)—was introduced in 1997. SMTPS has the benefit of using the encrypted Secure Sockets Layer (SSL) [7] communication protocol, an approach used to secure e-commerce and online banking services today.

If your workplace wanted to utilise SMTPS, it would need to:

• Choose one of the many SSL certificate providers (such as VeriSign [8])
• Complete a verification process to prove the identity of the business
• Pay the price for the SSL certificate (around $50 a year)
• Install the SSL certificate on the company’s email server

With the SSL certificate installed on the email server, all communication between the server and the client (and with other mail servers) would be both authenticated and encrypted.

3.1.4 Tracing Spam and Other Nasties

With SMTPS implemented, spam and malicious emails can then be tracked back to the source email server.

If an email server is found to be the source of spam or other email-related criminal activities, the authorities could issue a notice to the company that owns the email server. The notice would contain details of the infraction and identify actions to be taken to prevent the problem happening again.

If an email server is found to be a constant source of problem emails, the authorities could act to: fine the company that owns the email server or revoke the SSL certificate issued for the email server domain, thereby removing the email server from service.
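An added example (not from the original article) of the tracing idea in 3.1.4: it reads a message's Received headers, notes which hops recorded authentication (3.1.2) or encryption (3.1.3), and stops trusting the trail at the first hop written by a server the recipient does not control. The sample message, host names and the set of trusted servers are constructed assumptions; ESMTPA, ESMTPS and ESMTPSA are the transmission types registered in RFC 3848.

```python
import re
from email import message_from_string

# "with" keyword -> (authenticated, encrypted). ESMTPA / ESMTPS / ESMTPSA are
# the RFC 3848 transmission types for SMTP AUTH, STARTTLS, and both together.
WITH_FLAGS = {
    "SMTP": (False, False),
    "ESMTP": (False, False),
    "ESMTPA": (True, False),
    "ESMTPS": (False, True),
    "ESMTPSA": (True, True),
}

HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<peer>[^)]*)\)\s+"
    r"by\s+(?P<by>\S+)\s+with\s+(?P<proto>\S+)",
    re.IGNORECASE,
)
IP_RE = re.compile(r"\[([0-9A-Fa-f.:]+)\]")

# Constructed sample message: hosts and IDs are invented, IPs come from
# documentation ranges. Each server prepends its header, so newest is on top.
SAMPLE = """\
Received: from mx.example.net (mx.example.net [198.51.100.7])
\tby inbox.example.org with ESMTPS id 3C for <bob@example.org>;
\tTue, 28 Jun 2011 10:00:05 +1000
Received: from relay.example.com (relay.example.com [203.0.113.20])
\tby mx.example.net with ESMTP id 2B;
\tTue, 28 Jun 2011 10:00:03 +1000
Received: from laptop.local (unknown [192.0.2.55])
\tby relay.example.com with ESMTPSA id 1A;
\tTue, 28 Jun 2011 10:00:01 +1000
From: alice@example.com
To: bob@example.org
Subject: constructed test message

body
"""


def trace(raw_message, trusted_receivers):
    """Return one dict per Received header, newest hop first.

    A hop is 'trusted' only if it, and every hop above it, was written by a
    server in trusted_receivers; anything below that point could have been
    typed in by the sender and is kept only as an unverified claim.
    """
    trusted_receivers = {host.lower() for host in trusted_receivers}
    hops, chain_intact = [], True
    for value in message_from_string(raw_message).get_all("Received", []):
        match = HOP_RE.search(" ".join(value.split()))  # unfold the header
        if match is None:
            chain_intact = False  # an unparseable hop ends the trusted chain
            continue
        by_host = match["by"].lower()
        chain_intact = chain_intact and by_host in trusted_receivers
        ip = IP_RE.search(match["peer"])
        auth, tls = WITH_FLAGS.get(match["proto"].upper(), (False, False))
        hops.append({
            "helo": match["helo"],
            "peer_ip": ip.group(1) if ip else None,
            "by": by_host,
            "proto": match["proto"].upper(),
            "auth": auth,
            "tls": tls,
            "trusted": chain_intact,
        })
    return hops


def furthest_trusted(hops):
    """Deepest hop still recorded by our own servers, or None."""
    trusted = [hop for hop in hops if hop["trusted"]]
    return trusted[-1] if trusted else None


def cleartext_hops(hops):
    """Trusted hops that were received without TLS."""
    return [hop for hop in hops if hop["trusted"] and not hop["tls"]]


if __name__ == "__main__":
    ours = {"inbox.example.org", "mx.example.net"}  # assumed own servers
    result = trace(SAMPLE, ours)
    for hop in result:
        print(hop)
    print("traceable source:", furthest_trusted(result)["peer_ip"])
```

The furthest trusted hop is the server a complaint or block would be addressed to; the ESMTPSA claim beneath it was written by a relay outside the trusted set and is reported as unverified.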
Cyber crime is now a significant worldwide problem and every effort must be made to reduce or stop the problem: people’s lives are being negatively affected and the economy is being harmed.

The Australian Government must act to reduce internet crime. Implementing the mandatory use of SMTPS would be a good start. The Australian Government could go one step further and send delegates to the United Nations—which controls the standards used for the internet—and lobby for the immediate introduction of SMTPS worldwide.

One step at a time though…

[8] Buy SSL Certificates, https://www.verisign.com.au/ssl/buy-ssl-certificates/index.html, Accessed online 29 June 2011.

3.2 Ein Spy: Is the German Government Using a Trojan to Watch Its Citizens?

11 October 2011

On October 8, Berlin’s hacking collective the Chaos Computer Club (CCC) [9] announced [10] it had analysed a piece of software it believed had been written by the German Government.

Once installed on a computer, the software could quietly listen to conversations on Skype [11], log keystrokes and switch on the computer’s web-cam. It would then report this data back to servers, two of which were identified [12]—one in the US and the other in Germany.

The program could also be remotely updated and potentially used to install and run other programs. The security company F-Secure’s Mikko Hypponen reported [13] its own findings on the malware [14] (malicious software) and confirmed the CCC’s analysis. It dubbed the trojan “R2D2” [15], from the text “CRPO-r2d2-POE” used by the software to initiate data transfer.

Regarding the German government’s involvement in the R2D2 trojan, Mikko wrote: “We have no reason to suspect CCC’s findings, but we can’t confirm that this trojan was written by the German government. As far as we see, the only party that could confirm that would be the German government itself.”

But the CCC believed it had found an example of a “Bundestrojaner” (Government trojan) which, from 2007, was being used to conduct online searches of suspects by law enforcement agencies without much restriction. In 2008, a ruling by a German Constitutional Court [16] restricted use to cases in which human lives or state property were in danger, and only after permission had been granted by a judge.

The CCC maintains the German government used a different term for the spy software to get around the restrictions on online searches: “Quellen-TKÜ”. That means “source wiretapping”, listening to conversations on sources such as Skype, for example, in order to prevent a person from encrypting the conversation.

But the capabilities of the R2D2 trojan allowed for much more than this. The trojan itself was poorly written and potentially allowed for others to take control of the software once installed. The concern here is that someone could take over the malware and capture information themselves or plant false evidence.

[9] Chaos Computer Club, http://www.ccc.de/, Accessed on 11 October 2011.
[10] Chaos Computer Club analyzes government malware, http://www.ccc.de/en/updates/2011/staatstrojaner, Accessed on 11 October 2011.
[11] Rebuilding the damaged brain: can stem cells be used as repair kits? http://theconversation.edu.au/rebuilding-the-damaged-brain-can-stem-cells-be-used-as-repair-kits-3557, Accessed on 11 October 2011.
[12] Possible Governmental Backdoor Found (“Case R2D2”), http://www.f-secure.com/weblog/archives/00002249.html, Accessed on 11 October 2011.
[13] Possible Governmental Backdoor Found (“Case R2D2”), http://www.f-secure.com/weblog/archives/00002249.html, Accessed on 11 October 2011.
[14] Defining Malware: FAQ, http://technet.microsoft.com/en-us/library/dd632948.aspx, Accessed on 11 October 2011.
[15] Defining Malware: FAQ, http://technet.microsoft.com/en-us/library/dd632948.aspx, Accessed on 11 October 2011.
[16] Germany’s Highest Court Restricts Internet Surveillance, http://www.dw.de/germanys-highest-court-restricts-internet-surveillance/a-3152627-1, Accessed on 11 October 2011.

3.2.1 Government Use of Malware

The use of backdoor trojan [17] software by law enforcement agencies came to the fore in 2001 when the NSA [18] or FBI were rumoured to have produced software known as Magic Lantern [19].

This software emerged as part of a Freedom of Information request filed by the Electronic Privacy Information Center [20] that revealed documents concerning a project called “Carnivore”. That project allowed for full online surveillance of a particular internet address. It was used in conjunction with a Magic Lantern backdoor trojan specifically targeted at capturing encryption passwords. This, in turn, would allow the FBI to unencrypt captured communication.

At the time, anti-virus software companies were faced with the dilemma of whether to remove known government backdoor trojans. In 2001, various anti-virus software vendors made declarations [21] about whether their software would remove a suspected FBI backdoor trojan.

Companies such as F-Secure [22] stated categorically they would never knowingly leave detected malware on a computer. Representatives of security software company Sophos agreed but Eric Chien, chief researcher at Symantec [23] at the time, stated the company would not detect Government malware [24].

The assumption was that the software would have enough protective mechanisms in place to prevent the wrong people gaining control of it. As has been demonstrated by the case of the R2D2 trojan, this is quite clearly not the case. The software has very few protective mechanisms and was open to hijacking, as the CCC demonstrated [25].

[17] What is a backdoor trojan? http://www.geekstogo.com/190/what-is-a-backdoor-trojan/, Accessed on 11 October 2011.
[18] Welcome to the National Security Agency - NSA/CSS, http://www.nsa.gov/, Accessed on 11 October 2011.
[19] Magic Lantern (software), http://en.wikipedia.org/wiki/Magic_Lantern_%28software%29, Accessed on 11 October 2011.
[20] Error 404, http://epic.org/privacy/carnivore/foia_documents.html%5D, Accessed on 11 October 2011.
[21] Antivirus vendors are wary of FBI’s Magic Lantern, http://gcn.com/articles/2001/12/06/antivirus-vendors-are-wary-of-fbis-magic-lantern.aspx, Accessed on 11 October 2011.
[22] Policy on Detecting Government Spy Programs, http://www.f-secure.com/en/web/labs_global/policies, Accessed on 11 October 2011.
[23] Norton from Symantec: You Need The Speed, http://www.symantec.com/norton/ps/2up_de_de_nis360t3.html?om_sem_cid=hho_sem_ic:au:ggl:en:ekw0000006084, Accessed on 11 October 2011.
[24] AV Vendors Split Over FBI Trojan, http://www.securityfocus.com/news/292, Accessed on 11 October 2011.
[25] Chaos Computer Club analyzes government malware, http://www.ccc.de/en/updates/2011/staatstrojaner, Accessed on 11 October 2011.

As more human activity migrates to the internet, including criminal and terrorist activities, governments (and law enforcement agencies in particular) will be turning to every available technique to intercept and collect information.

Germany’s BND (foreign intelligence service), it was alleged by Der Spiegel [26], used spyware to monitor the Ministry of Commerce and Industry in Afghanistan and obtain confidential documents, passwords and email.

Surveillance trojans have also been used by the Swiss, and the Austrian Police [27].

3.2.2 An Open Barrel

The CCC has made a number of allegations [28] about the origins and potential ramifications of the R2D2 trojan.
The group firstly assumed this was a “Bundestrojaner light” because it was sent the software from someone who presumably had cause to believe they were being subjected to a source wiretapping.

Also, according to senior technology consultant Graham Cluley [29] of Sophos [30], there were comments in the code that were suggestive of a link with German authorities, including the phrase “Ozapftis”—a Bavarian phrase meaning the “Barrel is open”, invoked when the first barrel is opened at Oktoberfest.

Why this is indicative of a German government hacker rather than an independent German hacker who likes beer is open to debate.

Even if the trojan is one the Government has deployed, it is again an assumption to believe they would utilise the extra capabilities without first seeking a judge’s permission, which, since the 2008 ruling, they are entitled to do in certain limited circumstances.

Although, as has been seen in the US, laws that cover protection against terrorism, such as the Patriot Act [31], are more commonly being used for a range of other purposes, including drug trafficking which made up 73.7 % of Patriot Act “sneak-and-peek” searches in 2009 [32].

[26] German Spies Put Afghan Ministry under Surveillance, http://www.spiegel.de/international/germany/bnd-affairs-broadens-german-spies-put-afghan-ministry-under-surveillance-a-549894.html, Accessed on 11 October 2011.
[27] Austrian Police to use crime-busting Trojans, http://news.techworld.com/security/10446/austrian-police-to-use-crime-busting-trojans/, Accessed on 11 October 2011.
[28] Chaos Computer Club analyzes government malware, http://www.ccc.de/en/updates/2011/staatstrojaner, Accessed on 11 October 2011.
[29] ‘Government’ backdoor R2D2 Trojan discovered by Chaos Computer Club, http://nakedsecurity.sophos.com/2011/10/09/government-backdoor-trojan-chaos/?utm_source=twitter&utm_medium=gcluley&utm_campaign=naked%2Bsecurity, Accessed on 11 October 2011.
[30] Sophos UTM, http://www.sophos.com/en-us/, Accessed on 11 October 2011.
[31] USA PATRIOT Act (H.R. 3162), http://epic.org/privacy/terrorism/hr3162.html, Accessed on 11 October 2011.
[32] Use of Patriot Act Sneak-And-Peek Powers for Drug War Further Eclipsed Terrorism Uses in 2009, http://irregulartimes.com/index.php/archives/2011/02/04/use-of-patriot-act-power-for-drug-war-skyrockets/, Accessed on 11 October 2011.

There are a number of observations that can be made from the CCC’s announcement:

First, anti-spyware software from any company that would even contemplate not detecting malware, irrespective of its origins, would have to be treated with caution. Companies that have declared their approach to detecting all malware should be favoured.

Second, it brings into question the use of government sponsored anti-virus initiatives unless they give free choice of vendors to the public. Why would you trust a government sponsored anti-virus software package if they are also producing malware for general use?

Finally, it’s interesting to note the R2D2 trojan would only work if the person being targeted was using a PC with Windows. So perhaps the easiest solution for anxious German citizens at present is to use Linux, an Apple Mac OSX computer or a smart phone?

3.3 Spying, Flying and Delivering Tacos: With Drones, the Sky’s the Limit

28 March 2012

The Federal Government is considering [33] allowing the US to base military surveillance drones on the Cocos Islands [34]—an Australian territory located in the Indian Ocean between Australia and Sri Lanka.

The news comes 4 months after the US and Australia agreed to a closer military alliance [35] during Barack Obama’s visit to Australia last year.

Aerial drones (otherwise known as unmanned aerial vehicles [36]) are now a fixture of the modern skyline and the Cocos Island discussion is only the most recent mention of drones in the media.
The rise of drone technology is due largely to their flexibility—a drone need only be constructed to carry a camera for surveillance or a weapon. Not having to accommodate a pilot makes a huge difference to the design and, more importantly, the costs of building and running the machine.

While convenience and utility are driving the use of drones, important questions are being raised about their use for surveillance of civilian populations and in unmanned missions to target enemy combatants.

[33] Government won’t rule out Aussie base for US drones, http://www.abc.net.au/news/2012-03-28/gillard-tight-lipped-on-us-drones-claim/3916460, Accessed on 28 March 2012.
[34] Cocos (Keeling) Islands, http://en.wikipedia.org/wiki/Cocos_%28Keeling%29_Islands, Accessed on 28 March 2012.
[35] Obama and Gillard boost US-Australia military ties, http://www.guardian.co.uk/world/video/2011/nov/16/obama-gillard-us-australia-military-video, Accessed on 28 March 2012.
[36] Unmanned aerial vehicle, http://en.wikipedia.org/wiki/Unmanned_aerial_vehicle, Accessed on 28 March 2012.

Drones come in many shapes, sizes and capabilities. An Israeli-made Eitan drone (see video above) for instance, is the size of a Boeing 737 (with a wingspan of 26 m), can stay in the air for 20 h and reach an altitude of 40,000 ft (roughly 12,000 m).

At the other extreme, the Nano Hummingbird [37] (see video below) is constructed to look like a real hummingbird, has a 6.5-in. (roughly 17 cm) wingspan and can fly for 8 min using the power of an AA battery.

US Predator B drones [38] have wingspans of 66 ft (roughly 20 m), can reach an altitude of 50,000 ft (roughly 15,000 m) and stay in flight for 30 h.

These are drones that have been regularly used [39] in Afghanistan and Pakistan for targeted assassinations by the CIA.
In the past 8 years, the CIA’s drone program has been responsible for the assassinations of 2,223 alleged Taliban, al-Qaeda and other militants in 289 strikes.

The US police, and other countries’ police forces, are using drones for surveillance operations, with suggestions [40] it is only a matter of time before they are equipped with non-lethal and lethal weapons.

Drones have also found their way into civilian use. In the US, a federal law [41] allows the Federal Aviation Administration [42] to use drones for commercial uses, including selling real-estate, monitoring oil spills, dusting crops and filming movies.

But possibly the most original drone applications include their use to play musical instruments [43] and to deliver fast food [44].

San Francisco-based (where else?) start-up Tacocopter [45] has set up a business in which orders for Mexican fast food made on a smartphone are delivered to the customer, wherever they are, by drone.

Unfortunately for the company, the use of drones for delivering fast food has not received FAA approval. This is perhaps unsurprising, given the difficulties involved in delivering a food package without maiming or killing the recipient.

[37] Nano Hummingbird, http://www.avinc.com/nano, Accessed on 28 March 2012.
[38] General Atomics MQ-9 Reaper, http://en.wikipedia.org/wiki/General_Atomics_MQ-9_Reaper, Accessed on 28 March 2012.
[39] U.S. and Pakistan bargain over CIA drones, http://www.ctvnews.ca/u-s-and-pakistan-bargain-over-cia-drones-1.787129, Accessed on 28 March 2012.
[40] Police drones to be equipped with non-lethal weapons?, http://rt.com/usa/news/drone-surveillance-montgomery-weapon-507/, Accessed on 28 March 2012.
[41] Drones Set Sights on U.S. Skies, http://www.nytimes.com/2012/02/18/technology/drones-with-an-eye-on-the-public-cleared-to-fly.html?pagewanted=all, Accessed on 28 March 2012.
[42] Federal Aviation Administration, http://www.faa.gov/, Accessed on 28 March 2012.
[43] Robot Quadrotors Perform James Bond Theme, http://www.youtube.com/watch?v=_sUeGC-8dyk&feature=youtu.be, Accessed on 28 March 2012.
[44] Tacocopter Aims To Deliver Tacos Using Unmanned Drone Helicopters, http://www.huffingtonpost.com/2012/03/23/tacocopter-startup-delivers-tacos-by-unmanned-drone-helicopter_n_1375842.html?1332538432, Accessed on 28 March 2012.
[45] Tacocopter, http://tacocopter.com/, Accessed on 28 March 2012.

But it isn’t just the military and small businesses that are employing drone technology. You or I can head to our local store and purchase, say, the popular Parrot AR.Drone [46] for around US$300.

This 380-g “quadrotor” [47] can be flown using an iPhone or iPad controller that displays pictures from on-board cameras. Although flying the drone still takes some skill, it has on-board electronics including an ultrasound device that enables it to hover when the controls are released.

It is not clear what the average person would use a drone for other than for spying on their neighbours or terrorising their dog. But in Poland, a drone was recently used [48] to film police tackling rioters in Warsaw. CNN has even used consumer-level drones [49] to film a town that suffered extensive storm damage.

Despite the obvious benefits of drone technology for a range of uses, there are some considerable drawbacks.

Although drones are uninhabited and some can even fly missions without control from the ground, one of the problems faced by the US Air Force [50] has been, ironically, the lack of trained staff to fly them.

Another, more serious threat is the use of malware [51] (or malicious software), such as the virus that infected US drone-control systems [52].

And then there’s the possibility someone could capture your drone, as was the case of Iran’s capture [53] of a US RQ-170 stealth drone [54], possibly by fooling its GPS system [55].
As well as the technical and operational concerns about drone technology, there are also significant privacy concerns that need to be addressed. To concerned citizens, drones pose a danger of increased surveillance.

[46] Parrot AR.Drone, http://ardrone.parrotshopping.com/us/p_ardrone_main.aspx, Accessed on 28 March 2012.
[47] Parrot AR.Drone iPad Controlled Remote Control Aircraft Test Flight Demo Linus Tech Tips, http://www.youtube.com/watch?feature=endscreen&NR=1&v=bkKeijmgXW0, Accessed on 28 March 2012.
[48] WATCH 2/2 drone launched by protesters at Warsaw, Poland, http://www.youtube.com/watch?v=FmhV-ymivJk, Accessed on 28 March 2012.
[49] CNN uses a small drone to shoot aerial footage of storm and tornado damage (05/07/2011), http://www.youtube.com/watch?v=SmpwTVvS67Y, Accessed on 28 March 2012.
[50] Air Force Buys Fewer Drones—But Ups Drone Flights, http://www.wired.com/dangerroom/2012/02/air-force-drones/, Accessed on 28 March 2012.
[51] Malware, http://en.wikipedia.org/wiki/Malware, Accessed on 28 March 2012.
[52] Exclusive: Computer Virus Hits U.S. Drone Fleet, http://www.wired.com/dangerroom/2011/10/virus-hits-drone-fleet/, Accessed on 28 March 2012.
[53] Why Iran’s capture of US drone will shake CIA, http://www.bbc.co.uk/news/world-us-canada-16095823, Accessed on 28 March 2012.
[54] Lockheed Martin RQ-170 Sentinel, http://en.wikipedia.org/wiki/Lockheed_Martin_RQ-170_Sentinel, Accessed on 28 March 2012.
[55] Link no longer goes to specified page, http://news.yahoo.com/blogs/technology-blog/iran-may-captured-u-stealth-drone-hacking-gps-030447469.html, Accessed on 28 March 2012.

In a society that is already monitored by fixed closed-circuit cameras [56], the ability to increase that surveillance to any area is seen by some as yet another encroachment on the privacy of the individual [57].

But it would seem drone-related privacy concerns are being taken seriously in some circles. The Electronic Frontier Foundation (EFF [58]) in the US has filed a Freedom of Information Act request [59] to gain access to records from the FAA detailing who is currently using drones.

In a similar vein, the American Civil Liberties Union (ACLU) [60] has published a report [61] looking at the privacy issues around the use of drones and recommending courts impose limits on the use of drones for surveillance.

Defence Minister Stephen Smith has described the Cocos Island drone base as “very much a long-term prospect”. It’s clear we’ll be hearing about this technology for some time yet.

Further Reading

• History repeating: Australian military power in the Cocos Islands [62]—Liam McHugh
• The Drone as Privacy Catalyst [63]—Ryan Calo
• Protecting Privacy From Aerial Surveillance: Recommendations for Government Use of Drone Aircraft [64]—American Civil Liberties Union

[56] Closed-circuit television, http://en.wikipedia.org/wiki/Closed-circuit_television, Accessed on 28 March 2012.
[57] What privacy do you have left to lose? Beware the drone, http://www.networkworld.com/columnists/2012/031212-backspin.html, Accessed on 28 March 2012.
[58] Electronic Frontier Foundation, https://www.eff.org/, Accessed on 28 March 2012.
[59] Drone Flights in the U.S, https://www.eff.org/foia/faa-drone-authorizations, Accessed on 28 March 2012.
[60] American Civil Liberties Union, http://www.aclu.org/, Accessed on 28 March 2012.
[61] Report: “Protecting Privacy From Aerial Surveillance: Recommendations for Government Use of Drone Aircraft”, http://www.aclu.org/technology-and-liberty/report-protecting-privacy-aerial-surveillance-recommendations-government-use, Accessed on 28 March 2012.
[62] History repeating: Australian military power in the Cocos Islands, https://theconversation.edu.au/history-repeating-australian-military-power-in-the-cocos-islands-4484, Accessed on 28 March 2012.
[63] The Drone as Privacy Catalyst, http://www.stanfordlawreview.org/online/drone-privacy-catalyst, Accessed on 28 March 2012.
[64] Link no longer goes to specified page, https://www.aclu.org/files/assets/protectingprivacyfromaerialsurveillance.pdf, Accessed on 28 March 2012.

3.4 Flame. A Weapon of the US-Led Cyberwar or Corporate Spyware?

2 June 2012

Owni, Wikileaks and others’ site on surveillance software http://spyfiles.org

Iran it seems has been the target of another novel form of malware christened “Flame” [65]. Much has been made of this new threat because of novel characteristics that set it apart from traditional malware. It is much larger in size than normal malware (20 MB vs a more traditional 1 MB) and consists of a modular architecture with components that have more in common with normal corporate software than with “regular” viruses and worms.

It is Flame’s use of normal business technologies that made the malware look like regular corporate software and possibly helped it escape detection for so long. Mikko Hypponen, CEO of security firm F-Secure, has commented [66] that Flame basically “hid in plain sight”, making itself indistinguishable from all other software running on the infected PCs. However, security companies also failed to detect the possibly related malware Stuxnet and Duqu, and they were very different from everyday software, illustrating perhaps the general limitations of commercial grade anti-virus software in detecting highly specialised malware.

Because of the countries targeted by Flame (Iran and its Middle East neighbours), suspicion has fallen on the US and Israel as Flame’s creators. It now seems that Stuxnet may have been part of an official US operation [67] called “Olympic Games”, specifically targeting enemy countries’ critical infrastructure. It has been alleged that Flame was not part of this program. Stuxnet specifically targeted and aimed to damage nuclear facilities whilst Flame appears to be a more general espionage tool, recording conversations, keystrokes, screenshots and other information from its infected hosts. In this respect, Flame has more in common with the German Trojan software R2D2 [68] that was used by the German authorities to spy on its own citizens.

[65] Virus News, Kaspersky Lab and ITU Research Reveals New Advanced Cyber Threat, http://www.kaspersky.com/about/news/virus/2012/Kaspersky_Lab_and_ITU_Research_Reveals_New_Advanced_Cyber_Threat, Accessed online 1 July 2013.
[66] Hypponen, Mikko, Why Antivirus Companies Like Mine Failed to Catch Flame and Stuxnet, http://www.wired.com/threatlevel/2012/06/internet-security-fail/, Accessed online 1 July 2013.

It is somewhat surprising that no commentators have made the connection between Flame and the dozens of commercially available spyware [69]. The levels of sophistication between Flame and commercially available surveillance software are similar—the only difference being that Flame has the ability to replicate and infect other machines whereas surveillance software’s installation is normally targeted.

In fact, there is nothing to say that Flame was not actually installed or being used by the Governments of the countries involved to spy on their own citizens. The belief that Stuxnet was of Israeli or US origin was held on the basis that the programming skills required and funding for the development would have only been found in these countries. But as has been detailed on the Spyfiles site [70], the more general surveillance software is relatively inexpensive and can be bought “off-the-shelf”. So anyone could have been the originator, even private corporations.

The origins and objectives of Flame will probably never be known.
It reaffirms, however, that cyber threats are increasingly common and real and that protecting ourselves and our infrastructure against them is increasingly difficult.

[67] Sanger, David E. Obama Order Sped Up Wave of Cyberattacks Against Iran, http://www.nytimes.com/2012/06/01/world/middleeast/obama-ordered-wave-of-cyberattacks-against-iran.html?pagewanted=1&_r=1&_r=0, Accessed online 1 July 2013.
[68] Glance, David, Ein spy: is the German government using a trojan to watch its citizens? https://theconversation.com/ein-spy-is-the-german-government-using-a-trojan-to-watch-its-citizens-3765, Accessed online 1 July 2013.
[69] Link no longer goes to specified page, http://spyfiles.org/, Accessed online 1 July 2013.
[70] Link no longer goes to specified page, http://spyfiles.org/, Accessed online 1 July 2013.

3.5 SCAMwatch: A Helping Hand Against Online Scammers

4 July 2012

Thinking you know every trick in the book doesn’t mean you really do. Don Hankins [71] CC0

Crimes of confidence, known as scams, are on the rise. You probably know the basics. The way the most common type of scam works involves you being presented with an offer, product or service for which you pay and then don’t receive anything.

Scams have always been big business and perpetrators have adapted quickly to new technology. Telephone, mail and now the internet have provided an ever-growing platform for large-scale, and coordinated, scam attacks.

Why should we be worried? What’s the real scale of the problem?

Well, the Director General of Britain’s MI5, Jonathan Evans [72], last week warned that: “Vulnerabilities in the internet are being exploited aggressively not just by criminals but also by states,” and “the extent of what is going on is astonishing—with industrial-scale processes involving many thousands of people lying behind both State sponsored cyber espionage and organised cyber crime.”
Multinationals offering services online, with customers’ banking details logged on their servers, continue to get hacked at an ever increasing pace, and some more than once.

Many people will know the Apple iTunes and app store accounts were hacked recently [73]. Such hacks go on all the time, but without the attendant publicity generated by a story involving a company of Apple’s stature.

A study [74] by the Carnegie Mellon University’s CyLab [75] found that only 13% of companies had a privacy officer—someone whose job it would be to police online security.

According to Jody Westby, CEO of security firm Global Cyber Risk [76] and adjunct distinguished fellow at Carnegie Mellon:

It’s no wonder there are so many breaches. Privacy, security and cybercrime are three legs of the same stool.

The responsibility for the rise in organised crime does not solely lie with corporations and the government. Everyone needs to take the time necessary to become aware of how organised criminals are going to try to effect a scam.

One important first step towards learning how to deal with scams is to visit the SCAMwatch website [77] launched recently by the Australian Competition and Consumer Commission (ACCC) [78].

SCAMwatch provides information to consumers and small business about how to recognise, avoid and report scams [79].

What becomes immediately apparent at SCAMwatch is the large number of active scams found today. Scams are designed to target every aspect of our daily lives and focus on finding some weakness, need or desire that can be taken advantage of.

71 Hankins D., Flickr, http://www.flickr.com/photos/23905174N00/2524306151/in/photostream, Accessed online 21 December 2012.
72 Whitehead T., Cyber crime a global threat, MI5 head warns, The Telegraph, 26 Jun 2012, http://www.telegraph.co.uk/news/uknews/terrorism-in-the-uk/9354373/Cyber-crime-a-global-threat-MI5-head-warns.html, Accessed online 4 July 2012.
73 Cooper M., Hack warning on iTunes accounts, Fairfax, 19 June 2012, http://www.smh.com.au/digital-life/consumer-security/hack-warning-on-itunes-accounts-20120619-20lps.html, Accessed online 4 July 2012.
74 Westby J.R., How Boards & Senior Executives are Managing Cyber Risks, CyLab, Carnegie Mellon University, 16 May 2012, http://www.rsa.com/innovation/docs/CMU-GOVERNANCE-RPT-2012-FINAL.pdf, Accessed online 4 July 2012.
75 CyLab, Carnegie Mellon University, http://www.cylab.cmu.edu/, Accessed online 4 July 2012.
76 Global cyber risk LLC, http://globalcyberrisk.com/, Accessed online 4 July 2012.
77 SCAMwatch, Australian Competition and Consumer Commission, http://www.scamwatch.gov.au/, Accessed online 4 July 2012.
78 Australian Competition and Consumer Commission, http://www.accc.gov.au/, Accessed online 4 July 2012.
79 Report a scam, SCAMwatch, https://www.scamwatch.gov.au/content/index.phtml/itemId/694011, Accessed online 4 July 2012.

Source: jepoirrier [80]

By definition, scammers create scams to look genuine. By convincing you that the scam is real you become more likely to carry out the actions necessary for the scam to succeed.

SCAMwatch is an important education tool that provides examples of scams, descriptions of how the scammers will try to entice you and recent scam victim stories [81] that are provided to encourage Australians to learn from their experiences.

There have already been criticisms of the service. If you use the SCAMwatch scam report form [82], the information you provide is sent to the ACCC and not to the Australian federal or state police.

A better solution—many argue, and I tend to agree—would be for the scam report to be sent to all of the appropriate Australian authorities.

A list of other organisations that you should contact to report a scam can be found here [83].
80 Poirrier J.M., Flickr, http://www.flickr.com/photos/jepoirrier/2046188221/, Accessed online 21 December 2012.
81 Victim stories and latest news, SCAMwatch, http://www.scamwatch.gov.au/content/index.phtml/itemId/693979, Accessed online 4 July 2012.
82 Report a scam, SCAMwatch, https://www.scamwatch.gov.au/content/index.phtml/itemId/694011, Accessed online 4 July 2012.
83 Report a scam to another organisation, SCAMwatch, http://www.scamwatch.gov.au/content/index.phtml/itemId/854913, Accessed online 4 July 2012.
84 Register for free: SCAMwatch email alerts, SCAMwatch, https://www.scamwatch.gov.au/content/index.phtml/tag/ScamWatchEmailAlerts/, Accessed online 4 July 2012.

But, for all its faults, SCAMwatch is an impressive educational tool that includes simple and easy-to-understand descriptions of common scams with excellent advice on how we can better protect ourselves, including:

• SCAMwatch email alerts [84]. These provide warnings when a sharp increase in the execution of a particular scam is identified. Companies that do not have a person responsible for security and privacy should nominate someone to receive the SCAMwatch email alerts.
• The little black book of scams [85] is excellent reading. Ask for the printer version to be sent to you or download the PDF version to read on your computer, Kindle or iPad.
• See-a-scam samples [86] provide details on a range of real scams and examples of how the scammers will try to trick you.
• The scam awareness videos [87] are a light-hearted series of videos that take you through various scams.

So that we get a reality check about the serious nature of the material presented on SCAMwatch, the site includes recent scam victim stories [88].

Personally, I don’t need to see the stories on SCAMwatch to know how heart-rending the after-effects of being scammed can be.
Members of my family, as with many other families, have been scammed and lost considerable sums of money.

Source: B. Rosen [89]

The collective disgust of society towards scammers will not stop them because today scammers often hide, operate and disappear again exclusively in cyberspace. Trying to slam a door in their face just won’t work.

Take the time, visit SCAMwatch, learn and empower yourself and your organisation in the fight against scams.

85 The little black book of scams, Australian Competition and Consumer Commission, http://www.accc.gov.au/content/index.phtml/tag/littleblackbookofscams, Accessed online 4 July 2012.
86 See-a-scam, SCAMwatch, http://www.scamwatch.gov.au/content/index.phtml/tag/SeeaScamSamples, Accessed online 4 July 2012.
87 Scam awareness videos, SCAMwatch, http://www.scamwatch.gov.au/content/index.phtml/tag/scamawarenessvideos, Accessed online 4 July 2012.
88 Victim stories and latest news, SCAMwatch, http://www.scamwatch.gov.au/content/index.phtml/tag/victimstories, Accessed online 4 July 2012.
89 Rosen, B., http://www.flickr.com/photos/rosengrant/3545047810/, Accessed online 4 July 2012.

3.6 Obama’s Not Dead, But Does Twitter Need Better Security?

13 July 2011

On July 4, a hacker took control of one of the Twitter accounts of US broadcaster FoxNews.com and sent out several tweets announcing President Obama had been shot [90].

Because it was a national holiday and nobody was available at Twitter to help, Fox News only regained control of the account some hours later and by that time the original tweets had spread around the world.

Even though the original posts were eventually removed, the hashtag [91] ObamaDead continued, with people still resending the original message 6 days later.

This act was followed by another Twitter account being hacked in the UK when someone took over the account of PayPal UK [92] and posted offensive tweets aimed at embarrassing the company.
Identity theft is increasingly common, but the hacking of a news organisation and the tastelessness of the messages sent have brought into question the perceived lack of security of Twitter. This has led several security analysts [93] to suggest Twitter is lagging behind other services in robust security options.

90 Robbins, Liz & Stelter, Brian, Hackers Commandeer a Fox News Twitter Account, http://www.nytimes.com/2011/07/05/business/media/05fox.html?hp, Accessed online 1 July 2013.
91 Parr, Ben, HOW TO: Get the Most Out of Twitter Hashtags, http://mashable.com/2009/05/17/twitter-hashtags/, Accessed online 1 July 2013.
92 Bennett, Shea, Paypal UK Twitter Profile Hacked By Angry Customer, http://www.mediabistro.com/alltwitter/paypal-uk-hacked-twitter_b11109, Accessed online 1 July 2013.
93 Finkle, Jim & Strom, Roy, Twitter security lags some other sites: experts, http://www.reuters.com/article/2011/07/08/us-twitter-idUSTRE7667EL20110708, Accessed online 1 July 2013.

3.6.1 Stepping It Up

They have also argued that Twitter should make all access to the website secure by default and should also implement what is called two-step verification.

Secure connections are the easy part: you simply replace “http” with “https” in the address. Twitter doesn’t make this the default, but you can personally change this in your settings.

Two-step verification is more sophisticated. It involves logging into a service using a password and a temporary number that is provided as a phone text message or from an application running on your phone. So even if a hacker got hold of the password, it would not be possible for them to get access to the number.

Or would it?

Nobody really knows how the hackers got access to the accounts of Fox News or PayPal UK.
The most likely explanation is a lack of process in handling the accounts and their passwords at both Fox News and PayPal UK, making it relatively easy to get the password details through phishing [94].

In 2002, the famous hacker Kevin Mitnick [95] revealed his techniques in a book called The Art of Deception. He recounted how most of his hacks were carried out by using passwords and codes obtained through “social engineering”. In some cases this was just by phoning a user and asking them what their password was.

Phishing is an extension of social engineering and simply involves getting users who know the password to reveal it, for example by pretending that you need to update account details and asking the user to fill out their security information on a fake web site.

Bruce Schneier, a well-known security expert, blogged [96] in 2005 about the limitations of two-step verification as a means of protecting access on the internet. Although more secure than a single password, two-step verification is not immune to phishing. It would be possible to fake a login page for Twitter and get the details of both the password and the temporary number.

Schneier also described another weakness, from a so-called “Trojan-attack”—installing software on a user’s PC that is able to intercept usernames and passwords.

3.6.2 People Are Insecure

The main point that Schneier made, though, is that no security mechanism is completely secure, as people always remain the weak point in any security scheme. There is also a balance between ease-of-use and the level of security. Google, for example, will allow a computer to remember the verification code for 30 days because of the inconvenience of having to enter the code each time you log in. Obviously this weakens the overall security offered by two-step verification.
In any organisation where an account is shared, two-step verification may be seen as too restrictive as multiple people will need to share the mechanism that generates the verification number.

Security is as much about the perception of being secure as it is about the reality of being secure. What security analysts are asking Twitter to do is to fit an alarm system, put bars on their windows and a deadlock on their door. They are ignoring the fact that hackers can still find the front door keys under the mat.

While services such as Twitter can find ways of improving the range of security mechanisms they offer, the most effective security strategy is always going to be about how individuals deal with their personal information, including passwords.

There are basic security principles that everyone should always adopt (antivirus software, strong passwords, secure connections, etc.). But the single most important thing is to not reveal your password to anyone—nobody needs to know it—even the company whose service you are using.

94 De Neef, Matt, Zombie computers, cyber security, phishing … what you need to know, http://theconversation.com/zombie-computers-cyber-security-phishing-what-you-need-to-know-1671, Accessed online 1 July 2013.
95 Wright, Robert, Brave New World Dept: HACKWORK, http://www.newyorker.com/archive/1996/01/29/1996_01_29_032_TNY_CARDS_000374975, Accessed online 1 July 2013.
96 Schneier, Bruce, Two-Factor Authentication: Too Little, Too Late, http://www.schneier.com/essay-083.html, Accessed online 1 July 2013.

3.7 Hiring James Bond 00.7…‘Illegal’ Hackers Need Not Apply

6 December 2011

It’s unlikely James Bond would have been recruited this way. The perks of this job do not include driving an Aston Martin, sipping martinis in exotic locations or saving the UK by shooting the cat-stroking villain.
Nowadays, a secret service job involves a computer, possibly located in a basement, and the only thing you are going to be intimate with is low-level computer programming code.

But recruitment to a secret service job was the intention of a mystery challenge that appeared at (http://www.canyoucrackit.co.uk) [97] last week.

Specifically, it was to work as a cybersecurity programmer for GCHQ [98]. GCHQ—the Government Communications Headquarters—is one of the three UK Intelligence and Security Agencies, the other two being MI5 and MI6.

Once canyoucrackit was launched, word circulated on Twitter [99] and solutions to the three stages of the challenge [100] started appearing on the net.

97 Can you crack it - behind the code, http://www.canyoucrackit.co.uk/, Accessed on 6 December 2011.
98 GCHQ - About us, http://www.gchq.gov.uk/AboutUs/Pages/index.aspx, Accessed on 6 December 2011.
99 Get instant updates on canyoucrackit, https://twitter.com/search/realtime?q=canyoucrackit, Accessed on 6 December 2011.
100 Can you crack it? Stage 2 Solution, http://www.silly-science.co.uk/2011/12/02/can-you-crack-it-stage-2-solution/, Accessed on 6 December 2011.
