Wednesday, September 10, 2008

Cyber crimes need more attention

RIPAN KUMAR BISWAS

I WENT to a coffee shop for a cup of coffee and to use the shop’s Wi-Fi hotspot to surf the web when I reached Union Station, Washington D.C., at around 4 o’clock in the morning. After connecting to the hotspot network, I found the same news in almost all the national dailies in Dhaka: the website of the Rapid Action Battalion (RAB) had been hacked by an unknown person.

According to the news in the following days, RAB arrested four students of a private technology institute in the city’s Mirpur area in connection with hacking its website. Abu Musa Mirza Kamruzzaman Shahee, who called himself the lead hacker, said that they had hacked the website of the elite crime-busting force just for adventure, while RAB officials termed it an irresponsible and regrettable act and said they would continue their investigation to ascertain whether it was done for fun or was a criminal act.

Praising his IT experts, RAB Director General (DG) Hassan Mahmood Khandkar said that the hackers had boasted of greater expertise than the RAB officials but were actually not that good, because the RAB officials took only 24 hours to detect and arrest them, whereas Shahee claimed they were ten times better and more of a genius than the RAB experts.

Although the matter is still under investigation, it is more or less clear that Shahee Mirza, himself the son of police sub-inspector Mubashwer Ali Mirza, along with his alleged friends, hacked the RAB website, the Bangladesh Army website and 22 others to show off their worth. Shahee and his friends complained about the state of cyber security in the country, saying that most agencies either do not bother with strong security features or do not know how to protect themselves. RAB officials, on the other hand, were satisfied that they had detected the culprits within 24 hours, since the hackers had left behind their real identities, their own computer and their real IP (Internet Protocol) address.

As it burgeoned, the computer was hailed as an integrator of cultures and a medium for businesses, consumers and governments to communicate with one another. It appeared to offer unparalleled opportunities for a forum in which the global village could meet and exchange ideas, stimulating and sustaining democracy throughout the world. Technology has forever changed the way commerce is conducted, virtually erasing geographic boundaries. While technology has made our lives much easier, it has also created new vulnerabilities. Today, computer hacking and identity theft pose serious risks to our commercial, personal and financial security.

The estimated number of internet users in the early years of the twenty-first century is over a billion. In this global village, consumers, companies and governments from around the world must further develop ways to protect sensitive personal and business information and to detect those, whether here or abroad, who conspire to exploit technology for criminal gain. RAB assured the public that the hacking incident would not create any security hazard, as it is an open website; but what about other sensitive systems that should be secured by any means?

As an end-user surfing websites at Union Station, it was not impossible for someone else to see my data, such as login information or credit card numbers, had I done any online banking or shopping. SSL (Secure Sockets Layer, a network protocol) is used most of the time and is hard to break, but a single fatal mistake can subject anyone to an SSL Man-in-the-Middle (MITM) attack. If a hacker had been present at the coffee shop and connected to the same Wi-Fi network I was using, he could have run a number of utilities to sniff the data, act as an SSL certificate server and become the man in the middle. Even if he is able to sniff the data, it is very hard for a hacker to decrypt the data or credentials being transmitted when the certificate is genuine and the user is connecting directly to the intended website, because all the data is encrypted from the user’s browser to the SSL website, where the bank uses the key paired with the certificate it gave its client to decrypt the client’s data and credentials.

The bad case is when someone receives a “fake” certificate sent by the hacker and is actually connecting to the hacker’s machine, not directly to the bank’s website. In that case the client’s credentials are transmitted between his browser and the hacker’s machine. The hacker is able to grab that traffic, and because he supplied the certificate used to encrypt the data and credentials, he holds the key that decrypts them. Having replaced the bank’s or online store’s valid certificate with his own fake one, he turns on the utility that makes his system the man in the middle for web sessions and handles the certificates, and he is then ready to sniff the client’s data passing through his machine. If it is encrypted with 128-bit SSL, no problem, since he has the key: all he needs to do is decrypt the data using the certificate he gave the client.

When the MITM hacker uses the “fake” certificate instead of the “good,” valid certificate, the end-user is actually alerted to this: the browser warns that the certificate is untrusted or does not match the site, and that warning should never be clicked through. A firewall is the first and foremost protection people should put on their computers. It is advisable not to use a public wireless network for email or messaging unless the network provides access to a VPN (virtual private network), a highly secure connection that encrypts all the information sent to and from the computer.

Today most of the largest financial groups and other organizations use an image as part of the login information, which is hard to break. Still, skilled hackers are trying their best to break it. Last month saw the single largest and most complex identity theft case ever charged in the USA: 11 men of different nationalities pulled off a large-scale scam on nine major U.S. retailers, such as OfficeMax, Boston Market, Barnes & Noble, Sports Authority and Forever 21. The hackers stole more than 40 million credit and debit card numbers using sniffers, and encoded them onto blank cards so that the numbers could be used at any ATM.

Website hacking is not uncommon. It is simply breaking into a site without authorization. Webmasters can use encryption to help prevent this; however, as most website programmers do not use encryption, their websites are easy targets. The whole planet is today terrorized by web hackers, for whom hacking seems to be a way of getting pleasure through gaining knowledge or mere entertainment. A group of serious hackers named PENTAGUARD cracked into government sites of Australia, America and England all at one time. According to USA Today in May 2008, Spanish police arrested five hackers in various cities around Spain who allegedly disabled internet pages run by government agencies in the U.S., Latin America and Asia. The group, which refers to itself as the D.O.M Team, attacked more than 21,000 web pages over the previous two years. Among its victims, the group hacked the Venezuelan national telephone company’s page, and rumours are circulating that it broke past NASA’s security as well.

With a proper understanding of relevant programming languages such as C, C++, Perl, Java etc., one can be fully equipped with the techniques for hacking into a website. Shahee and his friends used the Linux operating system because it clears away the tracks that would let the authorities trace the hacker. They just opened a shell and typed some commands. If a site uses a database and has an administrator login with rights to update the site, or indeed any form that can be used to submit content to the site, even a comment form, there is a simple technique called SQL injection that can be used to mess it up. It is not difficult to get into a password-protected website if someone has enough HTML and JavaScript knowledge.

Webmasters have to validate all inputs, such as page headers, cookies, hidden fields used in forms and emails from users. Escaping HTML output helps to keep unwanted script elements out of pages. Sometimes a webmaster forgets to disable directory listing. Before installing a web application, plug-in or script, research it online through Google, Yahoo, etc. and see whether it has had security issues. Application developers often find security holes, patch them and release regular updates to their products. Setting a file’s permissions to 777 (read/write/execute for everyone) is often dangerous.
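As an added illustration of the SQL injection and input validation points above (example code written for this edit, not anything from the article or the RAB case), here is a toy admin login in Python against an in-memory SQLite table: the query assembled by pasting form fields into the SQL text is satisfied by crafted input, while the parameterised version and a whitelist check on the username are not. The table, the credentials and the crafted input are all constructed for the example.

```python
import re
import sqlite3

# Constructed in-memory stand-in for a site's admin table (example only).
# Passwords are stored in plain text purely to keep the demo short; a real
# site stores a salted hash, never the password itself.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admins (username TEXT, password TEXT)")
    conn.execute("INSERT INTO admins VALUES ('admin', 'S3cret-example')")
    conn.commit()
    return conn

def login_vulnerable(conn, username, password):
    # Form fields are pasted straight into the SQL text, so quote characters
    # in the input change the structure of the query itself.
    sql = ("SELECT username FROM admins WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return conn.execute(sql).fetchone() is not None

def login_safe(conn, username, password):
    # Parameterised query: values travel separately from the SQL, so the
    # database treats them as data no matter what characters they contain.
    sql = "SELECT username FROM admins WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None

USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")

def valid_username(value):
    # Whitelist validation of the kind the article asks webmasters to apply
    # to every input: only letters, digits and underscore, bounded length.
    return USERNAME_RE.fullmatch(value) is not None

# Constructed sample of malformed form input (a quote that closes the string
# literal, followed by an always-true condition).
CRAFTED = "' OR '1'='1"

def demo():
    conn = make_db()
    return {
        "vulnerable_real": login_vulnerable(conn, "admin", "S3cret-example"),
        "vulnerable_crafted": login_vulnerable(conn, CRAFTED, CRAFTED),
        "safe_real": login_safe(conn, "admin", "S3cret-example"),
        "safe_crafted": login_safe(conn, CRAFTED, CRAFTED),
        "crafted_passes_validation": valid_username(CRAFTED),
    }
```

Running `demo()` shows the string-built query accepting the crafted input as a successful admin login, while the parameterised query rejects it and the whitelist check would have refused the input before it ever reached the database.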

According to the BSA (Business Software Alliance), no less than 35% of the world’s computers have at least one pirated software program installed. Most computer firms in Bangladesh use pirated programs to design websites for their clients. Pirated software often lacks important elements and documentation, and comes with no warranty protection or upgrade options. Counterfeit disks may be infected with viruses that can damage the hard drive or cripple the network, and they come without the benefit of technical support.

Every email sent has a point at which it was injected into the information stream. A person can even monitor or spy on another machine. But locating hackers is not always as easy as it was for RAB. If it were, most of the terrorist organizations in the world that have websites and maintain liaison with one another could be traced easily. There are a lot of programs on the market that can find a proxy server available to a user and set it as his/her proxy server automatically.

Although RAB is not the only victim of a cyber attack, and there are plenty of examples around the world, including a portion of the Pentagon’s computer network that was hacked in June 2007, the government of Bangladesh should be aware enough to implement a comprehensive and proactive security program that includes layered access controls and threat and vulnerability assessments.

First published on September 09, 2008, New York.

Ripan Kumar Biswas is a freelance writer based in New York. Email: Ripan.Biswas@yahoo.com