Sunday Observer Online
 


Sunday, 13 October 2013


Cyber crimes on the increase...:

Cyber Security, a must credo


Sri Lanka Computer Emergency Readiness Team Coordination Center

The Sri Lankan cyber situation is now getting out of hand, with users being affected by hacking into websites and social networking sites. Many innocent lives, especially among the younger generation, have fallen prey to somebody with a disturbed mindset through these social networking sites, while organisations have been subjected to organised cyber attacks from foreign entities.

 Senior Information Security Engineer SL CERT CC, Roshan Chandraguptha
 Robert Tappan Morris

The banking sector too is at risk, but countermeasures have been taken to a certain extent to minimise the impact. That is why it is high time that cyber security is taken into serious consideration as a vital factor.

Two weeks ago we talked about how cyber crimes are a potential risk to the world and how they will simultaneously affect developing nations like ours. Last week Sri Lanka marked Cyber Security Week 2013 from September 18 to October 8, during which a series of awareness programs, workshops and seminars were organised to identify future cyber threats and to find solutions to tackle them.

With the imminent threat looming on the horizon, awareness was also raised about how prepared we are in the event of a future cyber attack which could cripple an entire system. Hacking into social networking websites, maintaining fake profiles on such websites and carrying out fraudulent activities on someone else’s bank account through online banking facilities are some of the most common cyber crimes reported locally so far.

This also includes hacking into state and private sector information websites from time to time.

It is learnt that over 100 complaints relating to social networking website Facebook are received every month by the authorities responsible for cyber security in Sri Lanka and monitoring cyber crimes. Around 80% of these complaints are about fake Facebook profiles created by various individuals and the rest is about hacking into other people’s accounts.

During the past three years the number of complaints relating to Facebook was gradually on the rise. In 2010, 80 complaints of fake accounts were received and in 2011, it shot up to 1425. Last year 1100 complaints were reported.

Computer Emergency Readiness Team

These complaints were received by SL CERT CC (Sri Lanka – Computer Emergency Readiness Team – Coordination Centre), the competent authority to monitor cyber security in Sri Lanka.

The SL CERT is a subsidiary of the Information and Communication Technology Agency (ICTA), which was established in 2006 under the Government Information Centre Project launched under the e-Sri Lanka concept in 2004. SL CERT was primarily established to monitor the government departmental information website projects being undertaken by the ICTA and to invent security systems for them.

SL CERT is a member of FIRST (Forum of Incident Response and Security Teams), the global body of its nature.

It is the global leader for incident response and brings together a variety of computer incident response teams from government, commercial and educational sectors in a number of countries in the world. Its chief target is to develop cooperation and coordination in computer related incident prevention, to stimulate rapid reaction to incidents and to share information among its members.

In other words, if a cyber related problem arises or a malicious cyber attack is being directed from a foreign organisation, SL CERT can coordinate with FIRST to cooperate with a Computer Emergency Readiness Team in that part of the world to deal with the problem.

History of CERT

The first-ever CERT was established in the USA after the first ever computer virus, the "Morris Worm", was distributed via the internet in 1988 by a Cornell University student named Robert Tappan Morris. Although the virus was not written with the intention of causing damage, CERT was formed by the Software Engineering Institute of the University of Carnegie Mellon in Pennsylvania to prepare for such potential risks relating to the internet and the cyber world in the future.

The unit was named the Computer Emergency Response Team at the beginning. The word Response was changed to Readiness in the recent past, following the notion that it should not be a response team but a readiness team in the future. The FIRST forum is a result of this project, and the Asia Pacific Computer Emergency Readiness Team (AP CERT) was formed afterwards to unite the CERT units in the Asia Pacific region. SL CERT is currently a member of AP CERT, which organises drills related to cyber crimes and security with its members. These drills help us to identify future threats, to learn how to face them and to react before damage is done. They also help us to understand how to coordinate with other CERTs in the member countries and organisations in a cyber emergency.

Explaining how these operations take place, Senior Information Security Engineer of Sri Lanka CERT - CC Roshan Chandraguptha said the SL CERT Coordination Center is backed by a team of well qualified, skilled IT specialists designated as Information Security Engineers. These engineers monitor the ongoing web systems of the country, identify the risks they face every day and find solutions to tackle the problems.

Facebook complaints

Until the SL CERT CC came into the limelight a few years back, the problems arising in Facebook accounts were an unsolvable issue. Issues like creating fake accounts under a different name to defame somebody, or hacking into others' accounts, could only be dealt with by the victimised party reporting the matter to the Facebook management through a commonly facilitated security setting tool within the account. Since there is no practice within Facebook of considering individual complaints and taking action for the aggrieved party (Facebook has a tendency to listen to public complaints only if they are reported in great numbers by many individuals, even though the matter pertains to one individual), Facebook users had nowhere to report their grievances. Now that the SL CERT CC is there, users of this social networking website can report their complaint directly and wait for a solution. The CERT acts as a mediation body between the complainant and Facebook to get their problems resolved quickly.

As mentioned before, SL CERT CC receives about 100 such complaints a month and 80% of them are about fake accounts or profiles created to defame a targeted group or an individual. When somebody complains that their account has been hacked or that a fake account is being operated by someone, the CERT requires certain personal details of the complainant for identification purposes, to establish whether the actual person is lodging the complaint about his or her account or about an account made in his or her identity. If the complainant sends the right identification proof, such as National Identity Card details, it takes only two to three days to deal with the Facebook management and deactivate the faked or hacked account.

Even large global social networking agencies like Facebook have a much greater tendency to consider a complaint brought forward by a responsible organisation like CERT than to listen to the individual cry of one person. The number of Facebook related complaints received by the SL CERT throughout the last three years shows the growing faith the public has placed in it.

Online banking frauds

Apart from the cyber issues related to social networking sites, the other growing problem is reported from the internet banking sector, where electronic frauds are being carried out. Transactions such as transferring money online or paying a bill with a credit or debit card are especially subject to these frauds. It has been reported more than once or twice that cyber criminals tried to create "phishing sites" to deceive online bank customers and steal their personal login details. To log on to one's personal bank account online, a username and a password are required.

Once these details are entered, anybody can log on to the personal bank account, just like accessing a simple email account.

Phishing is the act of attempting to acquire information such as usernames, passwords and credit card details, and sometimes, indirectly, money, by masquerading as a trustworthy entity in an electronic communication. It is reported that certain entities have sent fake URLs similar to the one issued by the respective bank and tried to obtain these personal details under the pretext of updating personal information and so on. But it is noteworthy that none of the banks that provide electronic banking facilities ever ask customers to reveal these personal details over the internet or phone for technical purposes. Users must be aware of these security features to avoid trouble when dealing with their funds.

SL CERT CC has so far received about seven complaints related to these phishing emails and internet banking frauds this year. A special unit has also been set up in the CID as the Counterfeit Currency Bureau (CIB) to look into these financial frauds and especially to investigate credit and debit card frauds.

Hacking websites

Hacking into information websites in both the state and the commercial sector is another challenge faced today. According to Chandraguptha, any type of website could be hacked due to negligence of four main factors.

They are a vulnerability in the website (which is not protected with appropriate coding or virus protection systems), server operating system problems (a problem with the operating system used for the server), a site development software problem, or a problem with the content management password (the passwords used by the web managers to update its information are too weak).

Most of the websites in Sri Lanka are information providing sites of the government, private or commercial sector. Hacking these websites cannot cause grave damage beyond misleading the public or the intended audience with wrong information. But hacking crucial websites like banking and related financial sites could cause a great loss within minutes. The CERT has a service to assess the vulnerability of these websites, to identify the potential threats a site could face due to its own technical and security weaknesses. These services are free of charge for government websites and are provided at a fee for non-governmental websites, including commercial ones.

SL CERT offers its expert knowledge through awareness programs for schools and educational institutes, to educate the public, especially the next generation, on how to act smart in a future electronic world where social networking is a primary thing.

According to experts in this field, Sri Lanka is still in the developing stages of cyber security. Although cyber security related to the banking field is not much of a problem because of the many security features being added, the measures taken by people in modern social networking are not satisfactory.


Produced by Lake House Copyright © 2013 The Associated Newspapers of Ceylon Ltd.
