Safeguarding against internet crime:

Keeping ‘virtual criminals’ at bay

By Manjula FERNANDO

What will you do if your National Identity Card is lost or stolen? Gone are the days when you panicked over such a ‘trivial’ matter. Just an ‘official’ police complaint and a fresh application addressed to the Registrar of Persons for a new ID will settle the whole issue!

But what will you do if your ‘virtual ID’ is stolen? This may flabbergast many an internet user in Sri Lanka, especially the ordinary surfers who expect no evil from the World Wide Web. And many are yet to know ‘what to do’ or ‘where to turn to for help’ in such a calamity, which is still a novel experience for most local users.

Experts warn that losing your virtual ID could be precarious as imposters could use this stolen ID to commit crimes such as financial fraud or to attack personal or commercial websites and send dirty emails, which are serious offences punishable under the Penal Code and the Computer Crimes Act of 2007.

Chief Operations Officer of TechCERT, Dr. Chandana Gamage who specialises in information communication security and senior lecturer attached to the University of Moratuwa, told the Sunday Observer that many people in Sri Lanka now have a physical presence as well as a virtual presence.

“If you lose your national ID you know what to do. But many don’t know what to do if they find their virtual IDs stolen. This is critical since the imposter may be a criminal,” he said.

Internet hacking and blackmailing are increasingly becoming common in Sri Lanka. It is vital that everyone is aware about the precautions to take and how to maintain foolproof accounts when using social networking and email sites. TechCERT is part of the ‘LK’ domain registry and their services are free for people who find themselves victims in a virtual world. Major commercial entities present in Sri Lanka including 60 percent of the banking sector and 80 percent of mobile and fixed line operators have partnered with TechCERT to profit from the technological know-how, knowledge base, and cost-effectiveness it offers over maintaining their own IT security and incident response teams, Dr. Gamage said.

“It is among individual users that we are trying to enhance awareness,” Janantha Marasinghe, Systems Security Specialist with TechCERT who is an expert on digital forensics and incident response said. TechCERT provides help to find the ‘source’ of the problem and help police solve cases connected to computer crimes and unearth ‘virtual evidence” admissible in court cases. Even individuals can contact them to solve their problems related to the World Wide Web (www).

TechCERT has helped companies and the police to collect virtual evidence to prosecute internet criminals successfully.

Marasinghe said they have seen a rise in complaints regarding stolen IDs from those who use social networking sites (Facebook, twitter, etc.), especially over the past six to seven months. The hacker could be an office associate, a bad friend or a total stranger in Sri Lanka or even overseas. A fellow journalist at Lake House opted to close down her Facebook account after she found out that an unknown individual had used her name to create a new account. He had stolen her pictures and other content.

She was distressed and disturbed by this incident, but TechCERT assured her that the hacker had not been able to penetrate her email so the contents there were safe.

Nevertheless, she closed down her account which was used to interact with close friends in Sri Lanka as well as overseas. “Why should I take a risk?” she said.

This would not be the case with everyone. I was told that another person who contacted TechCERT had to helplessly watch a hacker use a fake profile (in her name) to post filthy responses on the Facebook wall. Adding insult to injury, the Facebook Team blocked the original account. Her desperate attempts to warn her friends about the imposter had given rise to suspicion.

Ultimately, TechCERT intervened and the second Facebook account run by the imposter was removed and the original account was re-activated. But by then the damage had been done.

TechCERT wants the active contribution of the public to help police trace and apprehend internet criminals so that they could put a stop to these vile actions once and for all. But in some instances, the victims had been reluctant to let them pursue a case. “They even plead with us not to investigate the case for the fear that their embarrassing secrets will be out for all to know”, Dr. Gamage said.

He said many hackers do it for the fun of it and to show off their technical skills to their associates. “We have not come across internet stalkers and crackers who get paid to do such jobs for a third party in Sri Lanka so far. But that era may not be far away,” he warned.

To prevent IDs being stolen TechCERT suggests a few tips:

* Keep your passwords a closely guarded secret - Surfers must keep their passwords a closely guarded secret even from their closest associates if they do not want intimate information in their emails being widely circulated, or worse, get threatening or blackmailing emails in their inboxes. The password should consist of alphanumeric characters and the length should exceed eight characters. The periodic changing of passwords will also thwart any attempt to steal one’s ID.

* Know your friends on Facebook - It is essential to know your friends on the net and be careful when adding ‘unknown friends’.

If you want to add new friends, make a list of the people you do not want seeing your personal information and contact details. You can limit the exposure by adjusting the ‘privacy’ settings. This way, unknown friends could be restricted to viewing only a subset of your information.

* Never use the same password for all your accounts - TechCERT advises against using the same password for different e-mails and social networking sites.

This is a convenient habit among internet users so that they do not have to remember many passwords or mix them up when trying to log in. No matter how annoying or troublesome it is, if you have more than one account, different passwords will keep you away from trouble. Passwords that are parent’s names, pet’s names or children’s names are a dead giveaway.

* Secure wireless connections - If you don’t secure wireless connections with a password, a neighbour can use it as his own. A man in India was arrested after a string of deadly explosions. Unknown to him, a mail had been sent by an imposter acknowledging the attacks, using his wireless connection. The police which traced the origins of the email arrested the innocent man.

* Beware of Facebook games - Marasinghe also said that installing unknown applications on Facebook can be harmful since they can write various messages on the Wall with links to virus sites on your friends’ walls . It is best to do an internet search on the Facebook applications before installing them.

It is also important to update your Virus Guard every now and then. Many virus guards indicate a prompt to update, usually when there is a new worm or a virus in circulation. You should never ignore such prompts. Changing your password from time to time will also secure your account from hackers.

Switching to ‘https’ instead of the ‘http’ which is mostly in use now can give you a secure connection channel for interaction via the www. This foolproof encrypted version is supported by Facebook, Google, Yahoo and Hotmail. When you log into your Facebook or other network sites in future, type https:\www.facebook.com

Dr. Gamage said the implementation of the Computer Crimes Act of 2007 (brought into operation with effect from July 2008 had helped immensely to fight internet crime as it had given space to recognise virtual evidence during criminal prosecutions in a court of law.

Under this law, TechCERT recently helped crack a case involving a multimillion rupee fraud in a BOI export company. Their task was to filter through computer files to trace the people who had issued fraudulent invoices.

TechCERT found out the time and the machines used to issue the forged invoices and the company was able to link them to the persons who used the machines at the given times. They were later apprehended and prosecuted.

How hackers crawl in

One of the easier ways for a hacker to enter your account is through the ‘Forgot your password?’ prompt. The experts say the questions and answers you feed this setting should be your own original work and must consist of hard-to-guess answers. For example, you could set the prompt to ask for your pet’s name, and feed an entirely different answer, such as the name of the city you live in.

That way a hacker finds it difficult to guess the answer. Facebook too has initiated a new security tool to counter this irksome hitch. Everytime someone logs into Facebook, they will send an SMS to the users’ mobile phones. This will tip off the user if an imposter has logged in. This is still in the process of being introduced.

“If an email from an unknown source talks about money, you’ve got to be careful, because often it beckons trouble.”

There is no one who has not got the widely circulating email which has a photograph of an acutely burnt child on a hospital bed with a footnote asking that it be forwarded to as many others so that her mother will get money for treatment from Microsoft. All these are spam. Their objective is to collect email addresses to sell the data to online marketing campaigners and cyber criminals. For others it has become a hobby.

Substandard cyber cafes

Danger lurks in cyber cafes in Sri Lanka, no proper laws govern these places. Many use these places for their routine IT needs and the places harbour criminals as well.

“We are aware that certain cyber cafes have installed key loggers.This is a software that can record every key stroke of a user of a particular machine and email the data to a third party. This will include personal email content as well,” Marasinghe said. If the machines in the cyber cafes are not password-protected, outside users can also install such software and get hold of users’ passwords to commit crimes.

“So the users have to be extremely cautious and avoid such dubious places,” he said.

“Anyway, nothing is 100 percent safe. So it is best if you don’t use the Net to post your secrets and intimate information or pictures,” he concluded.

The Chief Executive Officer of TechCERT is Dr. Shantha Fernando, a senior lecturer at the Computer Science and Engineering Department of the Moratuwa University.

In a virtual emergency, internet users can contact TechCERT on 0114216061, 0112650705 or 0114219125 (hotline). Incidents can be reported to them via [email protected] as well.