Cyber Crime & Security

Presenter: Vineet Kumar, CEH, ECSA, LPT, CHFI, MCSE, MCSA, MCDBA
Chief Technology Officer (CTO) & Head
Cyber Defence Research Centre (CDRC)
Jharkhand Police

About CDRC
Cyber Defence Research Centre (CDRC) is a Jharkhand Government & Jharkhand Police initiative to create awareness of cyber crime and cyber security. CDRC became operational in January 2012.
Approved by Chief Minister Arjun Munda and the cabinet in September 2011.
1st in the country, probably 9th in the whole world.

Cyber Security Initiatives (Jharkhand Police)
Public Outreach, Cyber security Awareness in schools and Colleges through E-Raksha Mission
Public and Industry awareness
Critical Infrastructure Protection (Road/Rail/Water/Power etc), Cyber Warfare ready
Cyber Security Research (Honeynet, Hardware Security, Malware analysis)
Cyber Intelligence, Cyber Crime Investigation
Cyber Security Services (Vulnerability Assessment, Penetration Testing, Web Application Security etc.) on request

Cyber Security Initiatives (Jharkhand Police)
Cyber Crime Review meetings (Every district of Jharkhand)
Cyber Cafe Controls, ATM Security, Wifi Wardriving exercise, Cyber Patrol Operations
Trainings/Bootcamps/Seminars/Awareness (Police, Judiciary, Government Employees)
Cybercrime Helpline, Web Helpline (eSamadhan), Toll free (in process)
Panel of Experts
National/International tie-up to further our capabilities in these domains

Me
Joined Jharkhand Police in January 2012 as Chief Technology Officer (CTO).
Member, Crime and Criminal Tracking Network System (CCTNS), Jharkhand
Advised Ministry of Home Affairs (MHA), Indian Army Western Command prior to joining JH Police
Guest Lecturer at College of Military Engineering (CME), Jharkhand Judicial Academy, IIM Ranchi, IIT Kharagpur, Vellore Institute of Technology, BIT Sindri, NIT Jamshedpur, BIT Mesra, Mecon, Indian Army (Corps of Signals), CISF, CRPF, MKCL, DPS, Loyola School, Army School etc.
Speaker at International Security Conferences like Marcus Evans, Hacktrix, cOcOn etc.
Has been awarded 5 International, 10 National and 12 State awards, prominent ones being United Nations Youth Achievement Award 2008, World's Top 5 Student Entrepreneur (GSEA 2010, Kansas City), National IT Excellence Award 2007-2008, Young Achiever Award, Karmaveer Chakra 2008 etc.

Agenda
Trends in Cyber Crime & Cyber Security
Case Studies
Practical Demonstrations

To stop a hacker is to think alike!

Cyber Crime Chart Going Up
Websites Hosting Crimeware in May Shot Up 7.4% Higher Than Previous Record Month
Source: Anti Phishing Working Group (APWG)

Everything will be in Cyberspace, covered by a hierarchy of computers!
[Figure: hierarchy of computers with the levels Cell, Continent, Body, Home, Region, Car, Campus, Building, World. Original by Gordon Bell]

It is the Era of Technology
[Figure: Rate of change against Time, with Today marked; labels: Technology, Companies, Business, Society, People, Legal Systems, Governments]

Cyberspace as a Battleground?
Each day, there is an increase in the number of threats against our nation's critical infrastructures.
These threats come in the form of computer intrusion (hacking), denial of service attacks, and virus deployment.

Recent Trends in Cyber Crime
Cyber crime occurs when information technology is used to commit or conceal an offence.
Nigerian Scam / Fake Job offers / Call Spoofing
Child Porn / Social Network Frauds
Online Auction/Retail
Non-delivery of Goods/Services
Identity Theft
Credit/Debit Card Fraud
Business/Employment Schemes
Spoofing / Phishing / ATM frauds

Hacker VS Cracker
A Hacker:
Lots of Knowledge & Experience.
Good Guy.
Strong Ethics.
Never Indulges in Crime.
Catches Computer Criminals.

A Cracker:
Lots of Knowledge & Experience.
Bad Guy.
Low Ethics.
Mostly Indulges in Crime.
Is a Computer Criminal himself.

Categories of Hackers:
Blackhat Hackers / Crackers: Work for illegal/offensive purposes
Whitehat Hackers: Work as penetration testers, keeping blackhats from penetrating networks
Greyhat Hackers: Combination of whitehat and blackhat, i.e. they work for both offensive and defensive purposes when needed

Why Security?
Based on CDRC's research: Over 80% of corporate, government and financial sector websites are open to serious attacks in India.
Most frequent problems
Web Application Vulnerability (SQL Injection, XSS, CSRF, Upload injection)
DOS, DDOS
Botnets, Trojans, Viruses
Web Page defacements
Source: 2002 CSI/FBI Computer Crime and Security Survey
All Rights Reserved, Copyrighted to NAG & Security Brigade

Ethical Hacking / Penetration testing
Definition -- Also known as penetration testing or white-hat hacking, it involves the same tools, tricks, and techniques that hackers use, but with some major differences:
Ethical hacking is legal.
Ethical hacking is performed with the target's permission.
The intent of ethical hacking is to discover vulnerabilities from a hacker's viewpoint so systems can be better secured.

CDRC provides Penetration Testing, Vulnerability Assessments and a wide range of services.

Terms
Vulnerability: Weakness
Exploit
Honeypot: Trap
Honeynet: Two or more Honeypots
0 days (Zero Days): Unknown Vulnerabilities
Vulnerability Assessment
Penetration testing

Penetration testing Process
Step 1 : Scope of the Target
Step 2 : Information Gathering
Step 3 : Target Discovery
Step 4 : Enumerating the target
Step 5 : Vulnerability Assessment
Step 6 : Social Engineering (Optional Step)
Step 7 : Target Exploitation
Step 8 : Privilege Escalation
Step 9 : Maintaining Access
Step 10: Documentation and Reporting

Penetration testing Process
Step 1 : Scope of the Target
Single entity or set of entities
Step 2 : Information Gathering
A tester uses a number of publicly available resources to learn more about the target (forums, bulletin boards, blogs, social networks, Google, Yahoo, MSN Bing).
DNS servers, traceroutes, whois databases, email addresses, phone numbers, personal information and user accounts. The more information is gathered, the greater the chances of a successful penetration test.

Penetration testing Process
Step 3 : Target Discovery
This phase deals with identifying the target's network status, operating system and its relative network architecture: live network hosts, the OS running on these host machines, OS fingerprinting etc.
Step 4 : Enumerating the target
Finds open ports on the target system by using various scanning techniques

Penetration testing Process
Step 5 : Vulnerability Assessment
Analyze the vulnerabilities based on disclosed ports and services
Step 6 : Social Engineering (Optional Step)
Step 7 : Target Exploitation
Exploitation of found vulnerabilities

Penetration testing Process
Step 8 : Privilege Escalation
Once the target is acquired, privilege escalation is used to obtain higher-privileged accounts by making use of local exploits
Step 9 : Maintaining Access
Step 10: Documentation and Reporting
Vulnerabilities found, verified and exploited will conclude our PT process

So How Does a Defacement Occur?
Same Penetration testing methodology used for Web Defacement.

How to Prevent Defacement
Constant Vulnerability Assessment and Penetration testing required
Intrusion Detection System (IDS) / Intrusion Prevention System (IPS)
Web App Firewall (WAFs), WIDS, WIPS
Source code auditing required
Follow good security practices on your network and application
Keep your system patched up to date
Keep in touch with diverse security newsgroups, newsletters and other information so you know what vulnerabilities

Example of Website Defacement

CBI HACKED

PMS WEBSITE HACKED

Case Studies

Case Studies
Financial Frauds (ATM hacking)
Aashka Garodia case
Fake Facebook profile / page
Facebook threat
Facebook suicide
Facebook location mapping case
Email hacking
Phishing lottery case

ATM Frauds
Card Skimming: A special device put in front of the ATM card reader in such a way that it seems like a part of the ATM and records all info of the card.
Shoulder Surfing: A technique of viewing the PIN number by peeping over the victim's shoulder.
Fake ATMs: A fake ATM designed to swallow cards, temporarily located at busy locations such as fair grounds etc.
Special Promotions at ATM sites: A sweet young lady stands next to the ATM offering an entry into a lottery for all ATM users who put in a copy of their signed ATM slips.

ATM Frauds
Card jamming / Lebanese Loop: where an ATM machine card reader is deliberately tampered with so that a customer's card will be held in the card reader and cannot be removed from the machine by the customer. The criminal removes the card once the customer has departed.
Vandalism: where an ATM machine is deliberately damaged and/or the card reader is jammed, preventing the customer's card from being inserted.
Physical attacks: where an ATM machine is physically attacked with the intention of removing the cash content.
Mugging: where a client is physically attacked whilst in the process of conducting a transaction at an ATM machine.
Cash Diversion: where a fake plate is made to cover the cash slot and the plate collects all the cash and it seems as if no cash has come out of the machine.

ATM machine as usual?

Is there an additional slot?

A monitor and pamphlet holder at the side... nothing wrong

Wait... is it really a pamphlet holder?

False pamphlet box affixed to the ATM cubicle side

The micro camera at the side can view the KEYPAD and also the monitor to send wireless picture up to 200 metres.

Inside the pamphlet box

Practical Demonstration

Practical Demonstrations
Email Spoof
IP Spoofing
Password cracking
Vulnerability Assessment
Email Hacking
Facebook hacking
Securing Email Accounts (2 step verification)

Security Tips

General Security
Install the latest antivirus software on all your computers and never disable it. Popular antivirus software includes Kaspersky, Bit Defender, Nod32, Avira, AVG and Quickheal.
Install a personal firewall and an anti-spyware solution. Popular firewalls include Comodo Firewall, IP Cop and Sonicwall.
Update antivirus/anti-spyware/firewall at least every day. Carry out a complete system scan with your anti-virus at least once a week, or better, auto-schedule it to run every Friday.
Don't download or open attachments from unknown senders. Even if the sender is trusted, ensure that the content is relevant. Even non-executable files like *.doc files can contain macro viruses and Trojans. There are some dangerous programmes called worms, which don't need human interaction. You can be infected by simply opening an e-mail or by visiting a Web site and that's it. So always stay alert. Avoid opening e-mail attachments that contain .vbs, .scr, .exe, or .pif file extensions. Files that end in these extensions are most likely to contain some sort of viruses.

General Security
Use secure Web browsers such as Google Chrome or Firefox. It is also necessary to update old browsers to their latest versions so that the vulnerability gets
Never download any files, especially executable files, over P2P (peer-to-peer) sharing networks, as you can never be absolutely certain as to what they really are. P2P file sharing programmes can lead to the installation of a lot of adware and spyware. Try downloading executables from authentic and well-known Web sites; don't download files from any random Web site.
Try not to visit warez, porn sites or Web sites that provide cracks and serials because most of them have a lot of spyware, trojans and viruses. A single visit and you are most likely infected with hundreds of malicious programmes.
Be familiar with the programmes installed on your computer. If you notice that a new programme is installed without your permission, chances are that it might be something malicious.

General Security
Back up your computer on a regular basis, at least weekly. Copy your important documents and files onto a USB drive, CD or a DVD for safekeeping. Don't wait for the disaster to happen, take the precautions beforehand. Create system restore points periodically.
Never respond to unsolicited e-mail. To those who send spam, one response or 'hit' from thousands of e-mails is enough to justify the practice. Additionally, it validates your email address as active, which makes it more valuable, and therefore opens the door to more spam.

General Security
Beware of phishing attacks. Sites like AntiPhishing offer latest updates on phishing along with some good security tips.
Don't chat with strangers or accept any file, especially executables, from an unknown person on chat. Don't click on any links given by someone you don't know.
Do not accept links or downloads from strangers even if it is tempting. There have been cases where spyware like trojans and key-loggers have been hidden in simple picture files with .jpg extensions. You never really know what is contained inside a file which looks attractive.
Be cautious while displaying your profile, especially your personal details, photographs, videos and contacts on social networking sites. Your profiles and contacts may be misused by other people.
Install parental-control or filtering software like that from Websense, which helps you choose what can be seen on the Internet and monitor the activities of any users.

Password Security
Use different passwords for different Web sites. Maintain separate passwords for e-mail, work and other important Web sites and routine web-surfing.
Use a difficult-to-guess password by taking the first letter from each word of a phrase. What is a good password? It is a password which is at least 8 characters long, not easily guessable, contains a mixture of uppercase and lowercase letters as well as numbers, and preferably contains special characters like $, *, %, !, * etc. Some examples of a good password are: &(^.3235*cRack&.^).
Always use alphanumeric passwords with special characters and try to adopt the phrasing technique to construct passwords which are easy to remember, hard to guess and impossible to crack. Create a unique acronym. Never use a dictionary-based password like guest, home etc. It takes little time for a good cracker to crack the password.
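
The rules on this slide written as a check, in an added example that is not part of the original presentation. The word list, the substitution table and the function names are assumptions made for illustration; the sample phrase is the one used in the e-mail tips later in the deck.

```python
import re

# Constructed sample word list (assumption); a real check would load a large dictionary.
COMMON_WORDS = {"guest", "home", "password", "admin", "welcome"}

# Common digit/symbol-for-letter swaps, undone before the dictionary lookup.
SUBSTITUTIONS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                               "5": "s", "7": "t", "@": "a", "$": "s"})


def acronym(phrase):
    """Phrase technique from the slide: first letter of each word, lowercased."""
    return "".join(w[0].lower() for w in re.findall(r"[A-Za-z][A-Za-z']*", phrase))


def is_dictionary_based(password):
    """True if the password is a listed word once digits/symbols padded onto
    either end are stripped and common substitutions are undone."""
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", password.lower())
    return core in COMMON_WORDS or core.translate(SUBSTITUTIONS) in COMMON_WORDS


def failed_rules(password):
    """Return the names of the slide's rules that the password does not meet."""
    failures = []
    if len(password) < 8:
        failures.append("length")        # at least 8 characters
    if not re.search(r"[A-Z]", password):
        failures.append("uppercase")
    if not re.search(r"[a-z]", password):
        failures.append("lowercase")
    if not re.search(r"[0-9]", password):
        failures.append("digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        failures.append("special")       # e.g. $, *, %, !
    if is_dictionary_based(password):
        failures.append("dictionary")    # e.g. guest, home
    return failures


if __name__ == "__main__":
    base = acronym("I Don't Like Driving In The Snow")
    # Constructed sample passwords for the demonstration.
    for candidate in (base, "id1dit5", "Id1dit5!", "Guest@123", "H0me"):
        print(f"{candidate!r:12} fails: {failed_rules(candidate) or 'nothing'}")
```

A password can satisfy every character-class rule and still be a dictionary word with padding, which is why the dictionary check runs separately from the other rules.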

Internet Safety E-mail Tips

Get two email accounts, one for business and one for personal use. Only give out your personal address to family and friends to help reduce unwanted emails (otherwise known as "spam"). A more comprehensive approach would be to use a service which checks for spam; a service like spamex is available to manage the same.

Try to memorize your password rather than writing it down. Use an acronym of a favourite saying or something that is true about you, such as I Don't Like Driving In The Snow: password = idldits. You can then take that password and substitute some numbers for letters, such as: id1dit5. Now that's a good password!

Don't give the password to your e-mail service or to anyone that you don't know or trust. Try to avoid using services that do not allow you to change your password, but rather set it for you.

Don't download any attachments from people you don't know, or from people you don't trust.

Scan attachments with a virus program before downloading them, even if they come from a friend.

Internet Safety E-mail Tips

Try to avoid sending private or secret information through e-mail.
If you absolutely have to send private or secret information through e-mail, make sure you encrypt it first.
Don't spam people, you could get into trouble with your ISP and have your account terminated. In fact, this is becoming common practice as more services implement no-spam policies.
If you don't like getting ads in your e-mail, choose to opt out of all unnecessary mailing lists. You should know however that Opt-Out still keeps a cookie on your machine.
Try to determine whether or not an e-mail is a hoax or a scam.

Using Smartphone safely

You probably store a lot of personal and financial information on your smartphone that you would not want revealed if it is lost or stolen. Follow these guidelines which will help you to increase mobile phone safety and secure your smartphone.

Do's
Ensure that you don't leave your smartphone unattended in public spaces.
Enable the smartphone's password/passcode protection setting;
Install operating system updates whenever they become available to reduce the number of system vulnerabilities;

Don'ts
Do not save passwords, PINs or other account information as Contacts or in Notes.
Avoid using open Wi-Fis, especially for shopping and banking activities; Wi-Fi sniffing is a common occurrence that can have significant consequences like lost credit card numbers.
Avoid opening suspicious e-mail or SMS text messages, especially from unknown sources. Incautious readers may be unwillingly tricked into phishing by entering sensitive information from online prompts.

Do's
Install an anti-malware protection app (if available for the device) to prevent infection
from malicious apps and websites;
When using the smartphone's web browser, avoid suspicious/questionable websites
that can be the source of malicious code.
Be selective when buying or installing apps; wait for app reviews, download only from
trusted sources and be cautious/suspicious of free apps
Understand and control each downloaded app's access to smartphone data and personal information;
Turn the Bluetooth access feature off when not needed and avoid Bluetooth use in busy public areas.
Utilize a PIN to access voice-mail and avoid using the carrier's default PIN setting.
Ensure that smartphone e-mail account access is through either an SSL or HTTPS connection so that transmitted data is encrypted.

Credit card /Debit card / ATM guidelines

Do's
Only Friend people you know.
Create a good password and use it only for Facebook.
Change your password on a regular basis.
Share your personal information only with people and companies that need it.
Log into Facebook only ONCE each session. If it looks like Facebook is asking you to log in a second time, skip the links and directly type www.facebook.com into your browser address bar.
Use a one-time password when using someone else's computer.
Log out of Facebook after using someone else's computer.
Use secure browsing whenever possible.
Only download Apps from sites you trust.
Keep your anti-virus software updated.
Keep your browser and other applications up to date.
Use browser add-ons like Web of Trust and Firefox's NoScript to keep your account from being hijacked.

Don'ts
Don't share your password.
Don't paste script (code) in your browser address bar.
Beware of goofy posts from anyone, even Friends. If it looks like something your Friend wouldn't post, don't click on it.
Scammers might hack your Friends' accounts and send links from their accounts. Beware of enticing links coming from your Friends.

Latest news and information are one of the common methods used by hackers!
False death news of celebrities.
Anniversaries of famous people and celebrities.
Big news and information

Prevention
Don't click suspicious links
Report anything that seems too good to be true
Never share your password
Don't indulge in freebies (attractive online offers)
Keep your Anti-Virus/Spyware program up to date (in spite of it having been bypassed)

E-mail Security

Get two email accounts, one for business and one for personal use. Only give out your personal address to family and friends to help reduce unwanted emails (otherwise known as "spam"). A more comprehensive approach would be to use a service which checks for spam; a service like spamex is available to manage the same.

Try to memorize your password rather than writing it down. Use an acronym of a favourite saying or something that is true about you, such as I Don't Like Driving In The Snow: password = idldits. You can then take that password and substitute some numbers for letters, such as: id1dit5. Now that's a good password!

Don't give the password to your e-mail service or to anyone that you don't know or trust. Try to avoid using services that do not allow you to change your password, but rather set it for you.

Don't download any attachments from people you don't know, or from people you don't trust.

E-mail Security

Scan attachments with a virus program before downloading them, even if they
come from a friend.

Try to avoid sending private or secret information through e-mail.

When sending private or secret information through e-mail, make sure you
encrypt it first.

Don't spam people, you could get into trouble with your ISP and have your
account terminated. In fact, this is becoming common practice as more
services implement no-spam policies.

If you don't like getting ads in your e-mail, choose to opt out of all unnecessary
mailing lists. You should know however that Opt-Out still keeps a cookie on
your machine.

Online shopping security

Online Shopping Security
While purchasing online, look for signs that the site is secure (SSL secured sites or 128 bit encryption), like shopping.rediff.com. At the point when you are providing your payment information, a golden-coloured lock appears (for SSL secured sites) on the right hand side corner of the browser or the beginning of the Web site address should change from http to https, indicating that the information is being encrypted, i.e. turned into code that can only be read by the seller.
Your browser may also signal that the information is secure with a symbol, such as a broken key that becomes whole or a padlock that closes.
Carefully use credit cards and online banking for online shopping. Check your credit card and bank statements at regular intervals. Notify the bank immediately if there are unauthorised charges or debits. Avoid using credit card details and online banking on public computers and in cyber cafes. It is very unsafe because most of them are infected with viruses, trojans and key loggers.
Some banks have launched their services like Net Safe to create temporary credit cards with a limited value to transact online. Paypal is also a secure

Wireless Security
If you have a wireless network, turn on the security features: Use MAC filtering, turn off SSID broadcast, and even use WPA2 with the biggest key you can get.

Detailed Guidelines
http://cdrc.jhpolice.gov.in/guidelines/

Initiatives and Projects
Cyber Café Controls: Guidelines and License policy after conducting state-wide audit
ATM Security and guidelines for banks, cash vans, ATM security guards and local police personnel
Critical Infrastructure Protection in the state of Jharkhand, presently in identification phase of Power, Water, Road, Dams etc
Responsible Disclosure
Wifi Security
eRaksha public awareness program for schools, colleges, PTA, public
Training Judiciary, LEA, State Government officers
Proposed - State CERT
Capacity building for Forensics (state CID and FSL)

Jharkhand State Cyber Security
Web Application Security testing
Vulnerability Assessment / Penetration Testing (VA/PT)
Source Code Audit
BCP/DR
IT Security Management
IT Security Training and Awareness
PHQ Data Centre ISO 27001 assessment

Cyber Café and ATM Security
- Conducted survey across the state
- Assess current operational practices and security posture
- Created State Cyber Café Guidelines with licensing system aligned to IT Act and Cyber Café Guidelines from MIT
- Created ATM Security guidelines addressing banks, guard companies, local police
- Presently communicating / educating Cyber Café owners to implement guidelines

Mission
E-Raksha Mission to foster awareness about various types of cybercrimes, internet threats and risks and methods to be secure
Cyber Security awareness and training is provided for school children, parents, teachers and citizens of Jharkhand
Train the teacher program will carry eRaksha message to schools across the state as a regular planned activity
Advise on various types of cyber crimes, impact in the society and educate them in prevention of cyber crimes
Example program held at DPS, Ranchi provided training on Password Security, Social Networking, E-Mail, Stalking etc.

Mission

Cyber Security Training
Continuous Training Program in Cyber Crime, Security, Law (ITA) for
- Police Department state wide
- Judicial officers, Judges across the state
- State Government Officers

Workshop for Police Officers

Initiatives
Cyber Surveillance: Internet Monitoring, Inputs from cyber patrol and threat intelligence
Critical Infrastructure Protection: Inventory, response procedures and proactive security training
Responsible Disclosure and Threat Intelligence: Vulnerability disclosure and intelligence information to affected parties
Public Helpline: Web based and toll free helpline
Research: Indian Honeynet collection and malware analysis

Panel of Experts
Inviting professionals to volunteer their time to help guide our initiatives
We will welcome experts in
a) Cyber Security
b) Cyber Crime
c) Cyber Law
d) Vulnerability Assessment and Penetration Testing
e) Cyber Forensics
f) Criminology, Psychology, Sociology
g) IT and Business Management
h) Industry / Verticals specialists (finance, insurance, mfg, trdg etc)

CDRC will be pleased to assist other States in their Cyber security initiatives

E-Samadhan Web helpline

A dedicated web link of CDRC is there to register complaints related to cybercrimes.

http://esamadhan.jhpolice.gov.in/open.php

Thanks!
I can be reached at :
Vineet Kumar
Chief Technology Officer, Special Branch
CDRC Building, Jharkhand Police HQ
Dhurwa
Ranchi
Pin 834004

M : 97714-00453 Web : cdrc.jhpolice.gov.in


O : 0651-2400496 / 95 /94
F : 0651-2400494
E : cto@jhpolice.gov.in
e-raksha@jhpolice.gov.in

For any Queries Please Contact

Mail us at : cdrc@jhpolice.gov.in
