Know who is doing what in your network
Jun 08 2009
As cyber crooks become more sophisticated, security on the net comes under renewed focus
Their company, called iViz was conceived even while the two were studying. Set up from the funds they could pool in, they found an angel investor in the first year itself. Second year revenue in 2008-09: Rs 9 crore. “We always wanted to do something on our own. While working on network security and simulation of ethical hackers, we found the deficiencies in the existing system or the solutions available. We thought if we could take care of these deficiencies we could stand out,” says Barai. He is already credited with several innovations in network security and has patents filed under his name.
Like Barai and De’s firm, several companies across the country, including large firms, are grappling daily with the real life game of cops and robbers, as online criminals get more sophisticated. “Internet criminals want you to provide your personal information instantly. They do this by making you think something has happened that requires you to act fast. The faster they get your information, the faster they can move on to another victim,” says Govind Rammurthy, CEO & MD of MicroWorld an internet security firm based in the US.
One fine day when you click on a link to log in to your email or bank account, you might notice that the website asks some extra questions, looks a bit different. There may be something fishy about it. “In case of phishing in banking, the users are exposed to a fake website resembling the bank’s requesting them to log in for verification or safety purpose. They thus fraudulently acquire the personal account details,” says Rammurthy adding that as a precaution, one should always enter a bank’s or email address manually. Not through a link sent by someone.
The moment a computer connects to the internet it’s open to attack. Security of business computers is often high, but lax usage compromises the system. Criminals know this, and work unrelentingly to get in.
Among the dangers are viruses erasing your entire system, someone breaking into your system and altering files, someone using your computer to attack others, or someone stealing your credit card or bank information to steal money or make unauthorised purchases. Although, there's no guarantee that even the best precautions will secure you totally, there are steps you can take to minimize the chances.
Says Manish Bansal, Marketing Manager of Websense Software Services India: “Be wary of enticing offers. If they sound too good to be true, they probably are.” Don’t succumb to curiosity, double check with the ‘sender.’ And look at the web address: Many look-alike social networking sites or search tools – have at some point a mask to redirect you to malicious sites. Web 2.0 domains are usually easy to spot, because they contain the string from the parent domain — for example Facebook, MySpace, or Twitter. Read the full URL to make sure it’s the page you meant to visit. For example do not enter your Facebook login details unless the URL in your browser is ‘Facebook.com’. Other precautions to be taken:
Maintain a level of caution about any messages from within a website or that appears to be sent by the website.
Use complex passwords and unique ones for each site.
Use security software.
Be suspicious of requests to enter your account name and password
The government’s Indian Computer Emergency Response Team (Cert-In) says that it found that on an average about 250 systems get infected by bots and malware everyday, which then take control of the computers to infect others or steal sensitive information. A spokesman for Cert-In said cyber criminals were getting significant benefits because of the sophistication of their tools. He said the team is in touch with a large number of organisations across the country and regularly issues guidelines to secure systems in government organisations and private companies to obviate widespread attack.
Despite alertness among organisation, the weak and unstable cyber law in India may also have an impact on effective policing. The Information Technology Act of 2000 amendment has not yet been notified. Only 339 malicious attack cases were registered in 2007 and 311 in the year before. Even top Indian sites are not immune to attack. The Digital Journal reported last month that the website of Department of Telecommunication was found ‘malware infected’. If you try visiting the All India Congress Committee website through Google you would come across a warning that “this website may harm your computer”. Of the 301 pages Google tested on the site in the past three months, 33 resulted in malicious software being downloaded and installed without user consent.
Says Amit Nath country manager, Saarc of Trend Micro: “Cybercriminals use the reliability of existing infection methods, integrating them with new technological advancements. The results are hybrid-like web threats.”
Often attackers ‘converge’. In the case of Conficker virus, gangs of cyber criminals were found to be at work to find and attack a critical vulnerability in the Microsoft operating system. The company has since patched that up.
One reason for attacks becoming common is lack of enough data about the perpetrators. Say Partha Das Chowdhury, who passed completed his doctoral research on information security in Cambridge to set up Emotions Infomedia in Kolkata: “There is a lack of data sharing about vulnerabilities and attacks. Companies are hesitant to discuss their weaknesses with competitors even though a coordinated view could prompt faster mitigation.”
According to Mumbai-based Asheesh Raina, principal research analyst with Gartner, cyber crime is likely to become a bigger threat because of paucity of resources. . “There is a lack of trained people to deal with it.” Although the private sector is fast addressing the issue, in the public sector the momentum was slow, he said. The registration of internet users at cyber cafes has also helped. “Unlike in the past, it takes only a couple of hours for the cyber crime experts to trace the origin of an email in the event of a dangerous situation,” says Raina.
Although the openness of the web helps criminals, it also aids detection, says Bhavin Turakhia, founder and chief executive officer of Directi. Turakhia, who is a technical advisor to the Cyber Crime Investigation Cell of Mumbai police said the open web application security project, a worldwide free and open community focused on improving security of software, also keeps track of every kind of vulnerability that an application faces. This collaboration helps.
A new trend in the online security threat scenario is hackers targeting social networking sites. Orkut and Facebook have come under increasing attacks because a lot of private data is available on these sites. According to Symantec’s VP of India Product Operations, Shantanu Ghosh the company’s internet security threat report released in 2008, showed that social networking sites topped the list when it came to targets phished. “Targeting these sites is another mechanism to use social engineering to spread malware and get into a network. Hackers are trying to get more bang for the buck,’’ says Jeff Green, senior VP at McAfee Avert Labs.
Information on “what is your pet’s name?” or “what’s your first child’s name?”, are available on social sites, which are often the security answers given to bankers for cross checking. Hackers sell this information to criminals.
Although frims quickly develop security solutions against various attacks, it’s the old cops and robbers game with the intruders having the whole world wide web to carry out their crimes. In the end, it will have to a combination of tough laws, tough policing and careful users which will defeat the growing criminal activity.
With inputs from Thanuja BM in Bangalore and Reji John in Mumbai