what is----BLACK HAT HACKERS

A black hat is a person who compromises the security of a computer system without permission from an authorized party, typically with malicious intent. The term white hat is used for a person who is ethically opposed to the abuse of computer systems, but is frequently no less skilled. The term cracker was coined by Richard Stallman to provide an alternative to using the existing word hacker for this meaning.[1] The somewhat similar activity of defeating copy prevention devices in software which may or may not be legal in a country's laws is actually software cracking.
Terminology

Use of the term "cracker" is mostly limited (as is "black hat") to some areas of the computer and security field and even there, it is considered controversial. Until the 1980s, all people with a high level of skills at computing were known as "hackers". A group that calls themselves hackers refers to "a group that consists of skilled computer enthusiasts". The other, and currently more common usage, refers to those who attempt to gain unauthorized access to computer systems. Over time, the distinction between those perceived to use such skills with social responsibility and those who used them maliciously or criminally, became perceived as an important divide. Many members of the first group attempt to convince people that intruders should be called crackers rather than hackers, but the common usage remains ingrained. The former became known as "hackers" or (within the computer security industry) as white hats, and the latter as "crackers" or "black hats". The general public tends to use the term "hackers" for both types, a source of some conflict when the word is perceived to be used incorrectly; for example Linux has been criticised as "written by hackers". In computer jargon the meaning of "hacker" can be much broader.

Usually, a black hat is a person who uses their knowledge of vulnerabilities and exploits for private gain, rather than revealing them either to the general public or the manufacturer for correction. Many black hats hack networks and web pages solely for financial gain. Black hats may seek to expand holes in systems; any attempts made to patch software are generally done to prevent others from also compromising a system they have already obtained secure control over. A black hat hacker may write their own zero-day exploits (private software that exploits security vulnerabilities; 0-day exploits have not been distributed to the public). In the most extreme cases, black hats may work to cause damage maliciously, and/or make threats to do so as extortion.

Methods

Techniques for breaking into systems can involve advanced programming skills and social engineering, but more commonly will simply be the use of semi-automatic software. Common software weaknesses exploited include buffer overflow, integer overflow, memory corruption, format string attacks, race conditions, cross-site scripting, cross-site request forgery, code injection and SQL injection bugs

Read More

2 Sides of INDIAN Cyber Law or IT Act of INDIA

Cyber laws are meant to set the definite pattern, some rules and guidelines that defined certain business activities going on through internet legal and certain illegal and hence punishable . The IT Act 2000, the cyber law of India , gives the legal framework so that information is not denied legal effect, validity or enforceability, solely on the ground that it is in the form of electronic records.

One cannot regard government as complete failure in shielding numerous e-commerce activities on the firm basis of which this industry has got to its skies, but then the law cannot be regarded as free from ambiguities.

MMS porn case in which the CEO of bazee.com(an Ebay Company) was arrested for allegedly selling the MMS clips involving school children on its website is the most apt example in this reference. Other cases where the law becomes hazy in its stand includes the case where the newspaper Mid-Daily published the pictures of the Indian actor kissing her boyfriend at the Bombay nightspot and the arrest of Krishan Kumar for illegally using the internet account of Col. (Retd.) J.S. Bajwa.

The IT Act 2000 attempts to change outdated laws and provides ways to deal with cyber crimes. Let’s have an overview of the law where it takes a firm stand and has got successful in the reason for which it was framed.

1. The E-commerce industry carries out its business via transactions and communications done through electronic records . It thus becomes essential that such transactions be made legal . Keeping this point in the consideration, the IT Act 2000 empowers the government departments to accept filing, creating and retention of official documents in the digital format. The Act also puts forward the proposal for setting up the legal framework essential for the authentication and origin of electronic records / communications through digital signature.

2. The Act legalizes the e-mail and gives it the status of being valid form of carrying out communication in India . This implies that e-mails can be duly produced and approved in a court of law , thus can be a regarded as substantial document to carry out legal proceedings.

3. The act also talks about digital signatures and digital records . These have been also awarded the status of being legal and valid means that can form strong basis for launching litigation in a court of law. It invites the corporate companies in the business of being Certifying Authorities for issuing secure Digital Signatures Certificates.

4. The Act now allows Government to issue notification on the web thus heralding e-governance.

5. It eases the task of companies of the filing any form, application or document by laying down the guidelines to be submitted at any appropriate office, authority, body or agency owned or controlled by the government. This will help in saving costs, time and manpower for the corporates.

6. The act also provides statutory remedy to the coporates in case the crime against the accused for breaking into their computer systems or network and damaging and copying the data is proven. The remedy provided by the Act is in the form of monetary damages, not exceeding Rs. 1 crore($200,000).

7. Also the law sets up the Territorial Jurisdiction of the Adjudicating Officers for cyber crimes and the Cyber Regulations Appellate Tribunal.

8. The law has also laid guidelines for providing Internet Services on a license on a non-exclusive basis.

The IT Law 2000, though appears to be self sufficient, it takes mixed stand when it comes to many practical situations. It looses its certainty at many places like:

1. The law misses out completely the issue of Intellectual Property Rights, and makes no provisions whatsoever for copyrighting, trade marking or patenting of electronic information and data. The law even doesn’t talk of the rights and liabilities of domain name holders , the first step of entering into the e-commerce.
2. The law even stays silent over the regulation of electronic payments gateway and segregates the negotiable instruments from the applicability of the IT Act , which may have major effect on the growth of e-commerce in India . It leads to make the banking and financial sectors irresolute in their stands .
3. The act empowers the Deputy Superintendent of Police to look up into the investigations and filling of charge sheet when any case related to cyber law is called. This approach is likely to result in misuse in the context of Corporate India as companies have public offices which would come within the ambit of "public place" under the Act. As a result, companies will not be able to escape potential harassment at the hands of the DSP.
4. Internet is a borderless medium ; it spreads to every corner of the world where life is possible and hence is the cyber criminal. Then how come is it possible to feel relaxed and secured once this law is enforced in the nation??

The Act initially was supposed to apply to crimes committed all over the world, but nobody knows how can this be achieved in practice , how to enforce it all over the world at the same time???

* The IT Act is silent on filming anyone’s personal actions in public and then distributing it electronically. It holds ISPs (Internet Service Providers) responsible for third party data and information, unless contravention is committed without their knowledge or unless the ISP has undertaken due diligence to prevent the contravention .
* For example, many Delhi based newspapers advertise the massage parlors; and in few cases even show the ‘therapeutic masseurs’ hidden behind the mask, who actually are prostitutes. Delhi Police has been successful in busting out a few such rackets but then it is not sure of the action it can take…should it arrest the owners and editors of newspapers or wait for some new clauses in the Act to be added up?? Even the much hyped case of the arrest of Bajaj, the CEO of Bazee.com, was a consequence of this particular ambiguity of the law. One cannot expect an ISP to monitor what information their subscribers are sending out, all 24 hours a day.

Cyber law is a generic term, which denotes all aspects, issues and the legal consequences on the Internet, the World Wide Web and cyber space. India is the 12th nation in the world that has cyber legislation apart from countries like the US, Singapore, France, Malaysia and Japan .

But can the cyber laws of the country be regarded as sufficient and secure enough to provide a strong platform to the country’s e-commerce industry for which they were meant?? India has failed to keep in pace with the world in this respect, and the consequence is not far enough from our sight; most of the big customers of India ’s outsourcing company have started to re-think of carrying out their business in India .Bajaj’s case has given the strongest blow in this respect and have broken India ’s share in outsourcing market as a leader.

If India doesn’t want to loose its position and wishes to stay as the world’s leader forever in outsourcing market, it needs to take fast but intelligent steps to cover the glaring loopholes of the Act, or else the day is not far when the scenario of India ruling the world’s outsourcing market will stay alive in the dreams only as it will be overtaken by its competitors.

Read More

Asia Pacific Cyberlaw Forum (APCF)

Asia Pacific Cyberlaw Forum (APCF) is committed to the cause of development of strong, logical and vibrant Cyberlaws in different countries of Asia Pacific. Historically speaking, Internet has been basically a United States phenomenon. The early adoption and widespread usage of Internet by the western world made sure that some of the early Cyberlaws came into being in the western world. Asia Pacific as a region seems to be far behind in the field of enacting Cyberlaws for regulating activities of netizens in cyber space. Barring a handful of countries in Asia Pacific, most of the countries in this region have low Internet penetration and consequently, have not felt the need to legislate Cyberlaws. However, given the way Internet is rapidly growing, it would only be a matter of time before all the countries in Asia Pacific will be constrained to enact and adopt Cyberlaws.

Asia Pacific Cyberlaw Forum (APCF) aims to become the focal point for giving appropriate inputs to all governments of Asia Pacific in the field of drafting, enacting and adopting Cyberlaws. APCF is committed to the fact that Asia Pacific nations should not reinvent the wheel. Asia Pacific nations should learn from the previous wisdom and practical experiences of other nations in the world who have enacted and implemented Cyberlaws APCF aims to become a rallying point for research, brainstorming, information and all kinds of matters concerning Cyberlaw in Asia and Pacific.

APCF would coordinate with Cyberlaw Asia, being Asia's premier membership based Cyberlaw body, in spreading more awareness about different facets of Cyberlaw.

The Chairman of APCF is Mr. Pavan Duggal, Asia's leading authority and expert on Cyberlaw.

The secretariat of APCF is based in Delhi and would be located at C2/60, Janak Puri, New Delhi - 110058, India.

Read More

LINKS WHERE YOU CAN COMPLAIN ABOUT THIS CRIME

                                     INDIAN CYBER LAWS
Chapter-I

New Delhi, the 9th June, 2000 / Jyaistha 19,1922 (Saka)

The following Act of Parliament received the assent of the President on the 9th June, 2000, and is hereby published for general information :-

Chapter II

DIGITAL SIGNATURE

3. Authentication of electronic records.

(1) Subject to the provisions of this section any subscriber may authenticate an electronic record by affixing his digital signature.

Chapter III

4. Legal recognition of electronic records.

Where any law provides that information or any other matter shall be in writing or in the typewritten or printed form, then, notwithstanding anything contained in such law, such requirement shall be deemed to have been satisfied if such information or matter is :-

Chapter-IV

11.Attribution of electronic records.

An electronic record shall be attributed to the originator :

(a) if it was sent by the originator himself;

(b) by a person who had the authority to act on behalf of the originator in respect of that electronic record, or

Chapter-V

14. Secure electronic record.

Where any security procedure has been applied to an electronic record at a specific point of time. then such record shall be deemed to be a secure electronic record from such point of time to the time of verification.

Chapter-VI

17. Appointment of Controller and other officers.

(1) The Central Government may, by notification in the Official Gazette, appoint a Controller of Certifyin

g Authorities for the purposes of this Act and may also by the same or subsequent notification appoint such number of Deputy Controllers and Assistant Controllers as it deems fit.

Chapter-VII

(1) Any person may make an application to the Certifying Authority for the issue of a Digital Signature Certificate in such form as may be prescribed by the Central Government.

(2) Every such application shall be accompanied by such fee not exceeding twenty-five thousand rupees as may be prescribed by the Central Government, to be paid to the Certifying Authority.

Chapter-VIII

40. Generating key pair.

Where any Digital Signature Certificate, the public key of which corresponds to the private key of that subscriber which is to be listed in the Digital Signature Certificate has been accepted by a subscriber, then, the subscriber shall generate the key pair by applying the security procedure

Chapter-IX

43. Penalty for damage to computer, computer system, etc.

If any person without permission of the owner or any other person who is incharge of a computer, computer system or computer network. :-

(A) Accesses or secures access to such computer, computer system or computer network.


Chapter-X

48. Establishment of Cyber Appellate Tribunal.

(1)The Central Government shall, by notification, establish one or more appellate tribunals to be known as the Cyber Regulations Appellate Tribunal.

(2)The Central Government shall also specify, in the notification referred to in sub-section (1), the matters and places in relation to which the Cyber Appellate Tribunal may exercise jurisdiction.

Read More

CYBER CRIME-------Cyber Law Cases in India and World

MYSPACE CATCHES A MURDERER

MySpace has played an important role in helping Oakland police apprehend a 19-year old man accused of shooting a San Leandro High School football player Greg "Doody" Ballard, Jr.

Oakland police had a street name of a suspect and were able to identify Dwayne Stancill, 19 of Oakland from a picture they found on a gang's MySpace page. Police brought the suspect to their headquarters where detectives say he confessed. What was most troubling to investigators was the lack of motive for the killing.

OFFICIAL WEBSITE OF MAHARASTRA GOVERNMENT HACKED

MUMBAI, 20 September 2007 — IT experts were trying yesterday to restore the official website of the government of Maharashtra, which was hacked in the early hours of Tuesday.

Rakesh Maria, joint commissioner of police, said that the state’s IT officials lodged a formal complaint with the Cyber Crime Branch police on Tuesday. He added that the hackers would be tracked down. Yesterday the website, http://www.maharashtragovernment.in, remained blocked.

Deputy Chief Minister and Home Minister R.R. Patil confirmed that the Maharashtra government website had been hacked. He added that the state government would seek the help of IT and the Cyber Crime Branch to investigate the hacking.

“We have taken a serious view of this hacking, and if need be the government would even go further and seek the help of private IT experts. Discussions are in progress between the officials of the IT Department and experts,” Patil added.

The state government website contains detailed information about government departments, circulars, reports, and several other topics. IT experts working on restoring the website told Arab News that they fear that the hackers may have destroyed all of the website’s contents.

According to sources, the hackers may be from Washington. IT experts said that the hackers had identified themselves as “Hackers Cool Al-Jazeera” and claimed they were based in Saudi Arabia. They added that this might be a red herring to throw investigators off their trail.

According to a senior official from the state government’s IT department, the official website has been affected by viruses on several occasions in the past, but was never hacked. The official added that the website had no firewall.

Three people held guilty in on line credit card scam

Customers credit card details were misused through online means for booking air-tickets. These culprits were caught by the city Cyber Crime Investigation Cell in pune. It is found that details misused were belonging to 100 people.

Mr. Parvesh Chauhan, ICICI Prudential Life Insurance officer had complained on behalf of one of his customer. In this regard Mr. Sanjeet Mahavir Singh Lukkad, Dharmendra Bhika Kale and Ahmead Sikandar Shaikh were arrested. Lukkad being employeed at a private institution, Kale was his friend. Shaiklh was employed in one of the branches of State Bank of India .

According to the information provided by the police, one of the customer received a SMS based alert for purchasing of the ticket even when the credit card was being held by him. Customer was alert and came to know something was fishy; he enquired and came to know about the misuse. He contacted the Bank in this regards. Police observed involvement of many Bank's in this reference.

The tickets were book through online means. Police requested for the log details and got the information of the Private Institution. Investigation revealed that the details were obtained from State Bank of India . Shaikh was working in the credit card department; due to this he had access to credit card details of some customers. He gave that information to Kale. Kale in return passed this information to his friend Lukkad. Using the information obtained from Kale Lukkad booked tickets. He used to sell these tickets to customers and get money for the same. He had given few tickets to various other institutions.

Cyber Cell head DCP Sunil Pulhari and PI Mohan Mohadikar A.P.I Kate were involved in eight days of investigation and finally caught the culprits.

In this regards various Banks have been contacted; also four air-line industries were contacted.
DCP Sunil Pulhari has requested customers who have fallen in to this trap to inform police authorities on 2612-4452 or 2612-3346 if they have any problems.

How cyber crime operations work – and why they make money

Hackers are no longer motivated by notoriety – it's now all about the money. Guillaume Lovet, Threat Response Team Leader at security firm Fortinet, identifies the players, their roles and the returns they enjoy on their investments.
Cybercrime which is regulated by Internet Law  (Cyber Law) or IT Act has become a profession and the demographic of your typical cybercriminal is changing rapidly, from bedroom-bound geek to the type of organised gangster more traditionally associated with drug-trafficking, extortion and money laundering.
It has become possible for people with comparatively low technical skills to steal thousands of pounds a day without leaving their homes. In fact, to make more money than can be made selling heroin (and with far less risk), the only time the criminal need leave his PC is to collect his cash. Sometimes they don't even need to do that.
In all industries, efficient business models depend upon horizontal separation of production processes, professional services, sales channels etc. (each requiring specialised skills and resources), as well as a good deal of trade at prices set by the market forces of supply and demand. Cybercrime is no different: it boasts a buoyant international market for skills, tools and finished product. It even has its own currency.
The rise of cybercrime is inextricably linked to the ubiquity of credit card transactions and online bank accounts. Get hold of this financial data and not only can you steal silently, but also – through a process of virus-driven automation – with ruthlessly efficient and hypothetically infinite frequency.
The question of how to obtain credit card/bank account data can be answered by a selection of methods each involving their own relative combinations of risk, expense and skill.
The most straightforward is to buy the ‘finished product’. In this case we’ll use the example of an online bank account. The product takes the form of information necessary to gain authorised control over a bank account with a six-figure balance. The cost to obtain this information is $400 (cybercriminals always deal in dollars). It seems like a small figure, but for the work involved and the risk incurred it’s very easy money for the criminal who can provide it. Also remember that this is an international trade; many cyber-criminals of this ilk are from poor countries in Eastern Europe, South America or South-East Asia.
The probable marketplace for this transaction will be a hidden IRC (Internet Relay Chat) chatroom. The $400 fee will most likely be exchanged in some form of virtual currency such as e-gold.
Not all cyber-criminals operate at the coalface, and certainly don’t work exclusively of one another; different protagonists in the crime community perform a range of important, specialised functions. These broadly encompass:
Coders – comparative veterans of the hacking community. With a few years' experience at the art and a list of established contacts, ‘coders’ produce ready-to-use tools (i.e. Trojans, mailers, custom bots) or services (such as making a binary code undetectable to AV engines) to the cybercrime labour force – the ‘kids’. Coders can make a few hundred dollars for every criminal activity they engage in.
Kids – so-called because of their tender age: most are under 18. They buy, trade and resell the elementary building blocks of effective cyber-scams such as spam lists, php mailers, proxies, credit card numbers, hacked hosts, scam pages etc. ‘Kids’ will make less than $100 a month, largely because of the frequency of being ‘ripped off’ by one another.
Drops – the individuals who convert the ‘virtual money’ obtained in cybercrime into real cash. Usually located in countries with lax e-crime laws (Bolivia, Indonesia and Malaysia are currently very popular), they represent ‘safe’ addresses for goods purchased with stolen financial details to be sent, or else ‘safe’ legitimate bank accounts for money to be transferred into illegally, and paid out of legitimately.
Mobs – professionally operating criminal organisations combining or utilising all of the functions covered by the above. Organised crime makes particularly good use of safe ‘drops’, as well as recruiting accomplished ‘coders’ onto their payrolls.
Gaining control of a bank account is increasingly accomplished through phishing. There are other cybercrime techniques, but space does not allow their full explanation.
All of the following phishing tools can be acquired very cheaply: a scam letter and scam page in your chosen language, a fresh spam list, a selection of php mailers to spam-out 100,000 mails for six hours, a hacked website for hosting the scam page for a few days, and finally a stolen but valid credit card with which to register a domain name. With all this taken care of, the total costs for sending out 100,000 phishing emails can be as little as $60. This kind of ‘phishing trip’ will uncover at least 20 bank accounts of varying cash balances, giving a ‘market value’ of $200 – $2,000 in e-gold if the details were simply sold to another cybercriminal. The worst-case scenario is a 300% return on the investment, but it could be ten times that.
Better returns can be accomplished by using ‘drops’ to cash the money. The risks are high, though: drops may take as much as 50% of the value of the account as commission, and instances of ‘ripping off’ or ‘grassing up’ to the police are not uncommon. Cautious phishers often separate themselves from the physical cashing of their spoils via a series of ‘drops’ that do not know one another. However, even taking into account the 50% commission, and a 50% ‘rip-off’ rate, if we assume a single stolen balance of $10,000 – $100,000, then the phisher is still looking at a return of between 40 and 400 times the meagre outlay of his/her phishing trip.
In large operations, offshore accounts are invariably used to accumulate the criminal spoils. This is more complicated and far more expensive, but ultimately safer.
The alarming efficiency of cybercrime can be illustrated starkly by comparing it to the illegal narcotics business. One is faster, less detectable, more profitable (generating a return around 400 times higher than the outlay) and primarily non-violent. The other takes months or years to set-up or realise an investment, is cracked down upon by all almost all governments internationally, fraught with expensive overheads, and extremely dangerous.
Add phishing to the other cyber-criminal activities driven by hacking and virus technologies – such as carding, adware/spyware planting, online extortion, industrial spying and mobile phone dialers – and you’ll find a healthy community of cottage industries and international organisations working together productively and trading for impressive profits. Of course these people are threatening businesses and individuals with devastating loss, financial hardship and troubling uncertainty – and must be stopped.
On top of viruses, worms, bots and Trojan attacks, organisations in particular are contending with social engineering deception and traffic masquerading as legitimate applications on the network. In a reactive approach to this onslaught, companies have been layering their networks with stand alone firewalls, intrusion prevention devices, anti-virus and anti-spyware solutions in a desperate attempt to plug holes in the armoury. They're beginning to recognise it's a failed strategy. After all, billions of pounds are being spent on security technology, and yet security breaches continue to rise.
To fight cybercrime there needs to be a tightening of international digital legislation and of cross-border law enforcement co-ordination. But there also needs to be a more creative and inventive response from the organisations under threat. Piecemeal, reactive security solutions are giving way to strategically deployed multi-threat security systems. Instead of having to install, manage and maintain disparate devices, organisations can consolidate their security capabilities into a commonly managed appliance. These measures combined, in addition to greater user education are the best safeguard against the deviousness and pure innovation of cyber-criminal activities.

Read More