Fraud Investigations Investigating Source Of Malicious Chain E-Mails
By Sanjay Sharma, CFE, CPO, Country Security Manager, DHL Express, India
The Computer Crime and Abuse Report (India) 2001 – 2002, published in 2003 by the Asian School of Cyber Laws, has come out with startling data on computer crime. The report analyses 6,266 incidents of computer crime and abuse that affected 600 organizations spanning the IT, manufacturing, financial services, education, telecommunications, healthcare and other services sectors in India during this period. Some of the findings of the report:
A disgruntled former employee is more likely to commit a computer crime than a business rival.
Overall, 21% of the reported incidents were traced back to employees, while 31% were traced to former employees of the victim organization.
Another interesting fact is that more than half the incidents (52%) are attributable to employees (current as well as former).
60% of the incidents of email abuse related to obscene emails. Of these obscene emails, almost all (97%) were sent to women employees. 25% of the incidents of email abuse related to threatening emails, most of which were targeted at the top management of the victim organization. The remaining incidents (15%) related to emails that sought to defame employees of the victim organization.
Over 60% of the victims did not report the incidents because of the fear of negative publicity. 23% did not know whether the police in their area were technically equipped to handle computer crime cases.
The Indian Law
The passage of the Information Technology Act, 2000 followed by the subsequent amendment to the Indian Penal Code and the Evidence Act, amongst other laws, have paved the way for stringent penalties for computer crimes.
Sending pornographic or obscene emails is punishable under Section 67 of the IT Act.
An offence under this section is punishable on first conviction with imprisonment for a term which may extend to five years and with a fine which may extend to one lakh rupees.
In the event of a second or subsequent conviction, the punishment is imprisonment for a term which may extend to ten years and also a fine which may extend to two lakh rupees.
Emails that are defamatory in nature are punishable under section 500 of the Indian Penal Code (IPC), which recommends an imprisonment of up to two years or a fine or both.
Threatening emails are punishable under the provisions of IPC pertaining to criminal intimidation, insult and annoyance.
However, the number of computer crime and abuse incidents that are not reported to the law enforcement authorities is staggering. At low cost and with virtually no technical know-how, anyone can misuse the Internet to send malicious anonymous e-mails.
Case: This case (based on a real investigation, with details changed) illustrates how e-mail abuse has become a real security vulnerability.
The senior management as well as various employees of a company had been receiving anonymous chain e-mails for a long time. The number of anonymous communications was very large, and they ranged in gravity all the way from obscene jokes to threats. The sender of these mails had also indulged in character assassination of employees, mainly at one particular facility of the company.
When I was asked to investigate the source of these malicious e-mails, the situation had worsened: the mails were being circulated to various outside agencies, including newspapers, prompting the company to issue denials. This put the jobs of many senior managers on the line, and the credibility and reputation of the company were in jeopardy. Apart from this, the communications caused much mental distress, and wholly unwarranted accusations had led to much sorrow.
Investigation Methodology
This type of forensic tracing of e-mail is similar to traditional investigative work. By verifying each point through which the e-mail passed, the investigator can work step by step back to the originating computer and the perpetrator.
Anonymous chain e-mails receive little attention initially, and most of them are deleted. But such communications are very often important links in the chain of evidence pointing to the perpetrator. It is advisable to preserve them, as such mails may continue their unwelcome visits, and in an investigation it is important to have in hand all the e-mails, especially the first. In this instance, many of the mails had been deleted on account of their obscene nature. Therefore, the first step was to collect as many of them as were still available from the people who had preserved them.
I followed a three-step approach in this particular anonymous mail investigation. The first step is a study of the content of the messages; the second is a careful listing of all the probable and possible writers; and the third is to take the help of outside agencies such as document examiners, ISPs and law enforcement.
Examining content and establishing the motive
Hard copies of most of these mails were collected so that the purpose and motive could be determined from the content of the mails themselves, the idea being to identify the provocation behind the mails and so narrow the field of possible writers. Caution is needed, because the real provocation may remain unknown: it may be some trivial matter of which the victims of the mails are unaware.
The most common motives behind such character-assassinating mails are: extortion of money by blackmail, unrequited love, jealousy, envy, an actual or imagined slight, slow promotion, discharge, or an insane desire to cause suffering. Finally, it must be said that such mails sometimes contain truthful warnings and accusations of actual moral or other lapses on the part of the recipient.
Apart from analyzing the contents of the mail, interviews were also conducted with most of the connected people with a view to calmly, thoroughly, and frankly consider all the various motives so that the identity of the sender could be recalled or correctly guessed. It is a good practice to write down names of all possible writers. If the whole subject and all the circumstances are carefully considered the trail of the writer often can be found. This is true because from the very nature of the problem, the number of possible writers of the series of anonymous mails cannot be very great. Obviously it was not necessary to consider every employee in the subject company as a possible writer. The motive, the opportunity, the location and the extent of circle of acquaintance, all limit the number of possible writers. Then the facts and information in the mails themselves narrowed the circle until the group became very small.
The initial mails suggested that the writer was out to discredit a woman employee, alleging that she was having a relationship with a senior manager. The intention seemed to be to persuade another male colleague not to marry this woman employee, or alternatively, if he did, to warn that the marriage would end in disaster. These mails made the male colleague an obvious victim. They also spoke of certain incidents at another location where this manager was purportedly seen with the woman employee. One of the mails specifically mentioned an ex-employee. Many of the mails contained Hindi phrases written in English letters. The educational and cultural qualities shown in the mails also restricted the number of possible writers.
One of the mails stated: “I received a mail from this woman employee’s brother, which is quite surprising; how did he get my email address, and he is asking for those photographs”. According to this woman employee, her brother had written to this ex-employee.
The mails increased in frequency and vehemence about four months after the first mail, perhaps because until then there had been no indication that they had attracted attention and caused pain, annoyance or fear. Although these mails stuck to the same subject, the allegation of a relationship between the manager and the woman employee became more pronounced; in fact it was “justified” by raising issues such as her promotion, the company’s HR policy, incidents at other locations and the existence of witnesses. The male colleague’s depiction as a victim was also highlighted. However, the basic content remained the same as in the earlier mails.
After this, towards the end of the year, the mails for the first time started going to the senior management of the company and increased further in vehemence, probably because the author realized that some attention was being paid but not enough. The basic content of the mails remained the same; only a corruption angle was added. Around this time the conduct of the male colleague also became unusual. After a few such mails the author openly accused the male colleague of writing them.
Because these mails had been coming in such large numbers and over such a long period, the disguise employed, however carefully prepared and effective at first, was apt to be partly disregarded or almost entirely forgotten.
It also transpired during the investigation that when the services of another employee had been terminated, his PC was examined and reportedly contained a lot of pornographic material apart from mails. Unfortunately none of this had been preserved. However, a copy of one such mail, written by this person to a friend, could be retrieved. Its contents not only mentioned the incident but also talked about similar circumstances. Reportedly, the person to whom this mail was sent happened to be a close friend of the ex-employee.
A typed letter on similar lines to the mails was also received at the office. The envelope carried a word in the sender’s handwriting that would have been good evidence for tracing the sender. Unfortunately the envelope had not been preserved.
As mentioned earlier, the analysis of the circumstances, the contents of the mails and the interviews with employees collectively led me to list the names of three possible suspects. It is also important to point out that in a large number of such cases the actual writer is one of the several people who have received one or more of the mails, posing as one of the victims of someone else’s work. This is a natural defence and is often employed.
Forensic analysis – the next step was to use forensic tools to connect the perpetrator with these mails. Before proceeding it is necessary to understand various Internet-related terms such as domain names, IP (Internet Protocol) addresses, mail headers and computer logs. These terms identify distinct entities and the sources of information about them that the originator of malicious e-mails is likely to have used.
Domain name - A domain name is a word or series of words registered to a particular person or organization that identifies that entity’s web presence. IP addresses are the Internet’s underlying system of numerical addresses. With www.yahoo.com, the domain name can be inferred simply by dropping the www prefix, which leaves yahoo.com.
URLs identify specific resources within a particular domain name (for example, www.cnn.com/library/001465html refers to a particular document on www.cnn.com). In order to locate the resource, web browsers must resolve the host name in the URL to a numerical address. This numerical address is the IP address.
To register a domain name, one must pay a fee to a registrar. One must provide the company with certain information, such as the name of the registered owner, as well as contact information including name, address, and phone numbers.
An initial inquiry about a particular domain name can be made at the web site of any registrar using a service called Whois. The Whois search result provides some of the registration information, including the name of the specific registrar that issued the domain name. The contact information gathered from the registry gives a lead to follow.
IP address - Whenever you get online your computer is assigned an IP address. The Internet Protocol (IP) address is given to every computer connected to the Internet. An IP address is needed to route information, much as a street address or PO box is needed to receive ordinary mail. An IP address specifies a connection to the Internet and identifies the computer that is using the connection. IP addresses are four numbers between 0 and 255, separated by periods.
Several freely available tools can be used to resolve a host name into its IP address; the most frequently used are nslookup, Whois and the ARIN/APNIC registry look-ups. Given a URL as input, the utility returns the IP addresses associated with it. With the IP address in hand, an investigator can query the IP registries for publicly available information. The purpose of the WHOIS data is to identify the entity (person or company) to which blocks of addresses have been delegated; it is essentially an ISP map rather than an IP address map. There are also services that search for the location of an IP address: they report the city, state, country, longitude and latitude where the computer with that particular IP address is located, and can also include the name and address of the owner of the IP address.
As a result of these searches, the ISP and the geographical location of the computer were traced. The investigation was able to identify the companies that had leased these lines from the Internet service provider. It also transpired that this ex-employee had worked for all of these companies and was currently working for one of them.
Mail Headers - Most tracing of external e-mail starts at the receiving PC with the e-mail’s Internet message header. A message header is the text at the top of an e-mail: the “From” line names the sender, while the “Received” lines list every point the e-mail passed through on its journey, along with the date and time. It is like having each post office that handles a letter stamp its identity, date and time on the envelope.
The “Received” lines are the most important lines in a header. Together they list every site through which the message travelled in order to reach you. Each relay adds its own Received line at the top, so the lines are read from bottom to top: the topmost line was added by your own system or mail server, and the bottommost line records where the mail originated. Many mailers also record the IP address of the sending system in these lines.
The message header provides an audit trail of where the e-mail has been. Finding the individual who sent it is a matter of walking back up the audit trail point by point, gathering evidence that the message passed each point.
Logs - Forensic tracing of e-mail relies on computer logs. A log is a record of each e-mail message that passes through a computer in a network. Ideally I needed to prove that the e-mail had travelled through a machine by looking up the message ID in that machine’s log of e-mail transactions, together with the date, time and address recorded there.
Finding the person behind the computer becomes a matter of determining who used the machine at the time the message was sent.
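The header walk and the log look-up described above, as an added example that is not part of the original article: a small Python script that parses a constructed message (all host names, addresses and queue ids are made-up placeholders), orders its Received lines from origin to recipient, checks that the hops are consistent, and extracts the message id, originating IP and timestamp an investigator would ask the relay operator to search its logs for.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample (not from the article); all hosts and addresses are
# made-up placeholders, the sender's client sits in 192.0.2.0/24.
SAMPLE_MESSAGE = """\
Received: from mx.victim.example (mx.victim.example [203.0.113.10])
    by mail.victim.example with ESMTP id abc123
    for <manager@victim.example>; Mon, 15 Sep 2003 10:42:17 +0530
Received: from smtp.freemail.example (smtp.freemail.example [198.51.100.25])
    by mx.victim.example with ESMTP id def456;
    Mon, 15 Sep 2003 10:42:15 +0530
Received: from [192.0.2.77] (unknown [192.0.2.77])
    by smtp.freemail.example with HTTP id ghi789;
    Mon, 15 Sep 2003 10:41:58 +0530
Message-ID: <20030915104158.ghi789@smtp.freemail.example>
From: anon@freemail.example
To: manager@victim.example
Subject: constructed sample

body text
"""

def parse_received(value):
    """Extract from-host, its IP, by-host, queue id and timestamp from one
    (possibly folded) Received header."""
    text = re.sub(r"\s+", " ", value).strip()
    meta, _, date = text.rpartition(";")  # the timestamp follows the last ';'
    hop = {"from": None, "ip": None, "by": None, "id": None, "date": None}
    for key in ("from", "by", "id"):
        m = re.search(r"\b%s (\S+)" % key, meta)
        if m:
            hop[key] = m.group(1)
    m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", meta)  # address the relay saw
    if m:
        hop["ip"] = m.group(1)
    try:
        hop["date"] = parsedate_to_datetime(date.strip())
    except (TypeError, ValueError):
        pass
    return hop

def trace(raw_message):
    """Hops in chronological order: index 0 is the line written by the relay
    nearest the sender, the last one is our own server."""
    hops = [parse_received(v) for v in
            message_from_string(raw_message).get_all("Received", [])]
    hops.reverse()  # relays prepend their line, so stored order is newest-first
    return hops

def check_chain(hops):
    """Each relay's 'by' host should reappear as the next line's 'from' host
    and time must not run backwards. Only lines added by servers you control
    are certainly genuine; lower ones may be forged by the sender, so every
    hop is confirmed against that relay's own logs."""
    warnings = []
    for i in range(len(hops) - 1):
        a, b = hops[i], hops[i + 1]
        if a["by"] and b["from"] and a["by"] != b["from"]:
            warnings.append("hop %d: by %s != next from %s" % (i, a["by"], b["from"]))
        if a["date"] and b["date"] and b["date"] < a["date"]:
            warnings.append("hop %d: timestamp runs backwards" % i)
    return warnings

def evidence_request(raw_message):
    """What the log look-up in the article needs from the relay nearest the
    sender: message id, originating IP, that relay's queue id and time."""
    msg = message_from_string(raw_message)
    first = trace(raw_message)[0]
    return {"message_id": msg.get("Message-ID"), "origin_ip": first["ip"],
            "relay": first["by"], "relay_id": first["id"],
            "timestamp": first["date"].isoformat() if first["date"] else None}
```

Calling trace(SAMPLE_MESSAGE) yields the three hops oldest first, and check_chain returns an empty list for this consistent sample; a reordered or forged chain produces warnings instead.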
Limits of private investigations – ISPs vary in their willingness to help private investigations. Most ISPs refuse to give up logs without a court order or a police case. For private investigators without the backing of a police case, obtaining a civil court order may be difficult or impossible. To overcome this impediment, investigators can work with law enforcement. If law enforcement officers contact the ISP and inform it that a certain user is being investigated, the ISP is obliged to preserve and provide any information it would normally hold.
The case was registered with the local law enforcement, and all the material collected thus far was handed over to them. Continuing the investigation, the police obtained from the ISPs the computer logs corresponding to the dates and times in the mail headers and tracked down the computer from which most of the mails had been sent. This turned out to be a cyber café in the locality of the ex-employee. Who had used the computer was determined from the sign-on logs maintained at the cyber café.
Whether the case could be proved in court is not particularly relevant, since as a result of this enquiry the malicious e-mails stopped permanently and have not recurred since, which fulfilled the company’s objective. A few employees also had to leave the company. However, the hardship and mental distress caused by cyber defamation to the innocent victims is irreparable. One of the important lessons learnt is that the person first suspected of writing anonymous mails is not the actual writer, and frequently the actual writer is someone who for some time wholly escapes even suspicion. Hence it is particularly important in such cases to protect the innocent from unwarranted accusations and not to jump to conclusions on preliminary facts.
A Day in the Life of Mobile Data
Author: Martin Allen – MD Pointsec Mobile Technologies 20 September 2005 http://www.it-observer.com/articles.php?id=895
Very few companies worry about the cost of replacing mobile devices; the concern is the value and amount of data that resides on mobile devices and the adverse consequences for the company if that data falls into the wrong hands.
According to a recent Gartner study over 80% of new and critical data is now stored on mobile devices -- so securing these devices is becoming a business necessity and one that can no longer be ignored.
Let’s take Ben, a typical mid-level executive for EMEA, and look at how much data he uses in a working day and how easily he can jeopardize the company if this data goes missing.
Ben wakes early Monday for a big day that will include a quick stop at the office, two airline flights, a client sales presentation, and a dinner meeting with a potential partner firm.
Before leaving home, he copies the sales presentation he worked on over the weekend from his home computer to a 250 MB USB data storage device for transport to the office.
After arriving at the office he boots up his notebook PC, and then logs in to the network to update his CRM files and download the revised product roadmap and the new price sheet.
He almost goes through the familiar steps of synchronizing his contacts, calendar and certain documents with his smartphone, but then remembers that the new Bluetooth enabled version transfers that information automatically. Still, he must manually load the sales presentation from the USB device.
Feeling sleepy, he dozes briefly on the train out to the airport, then sits in the gate lounge area making sales calls and setting appointments while logged in to a “hotspot” for email access.
After the aircraft reaches cruising altitude Ben uses his notebook PC to finalize his sales plan for a meeting with the company CEO. He saves the proposal on the notebook, and, just in case, also copies it to the USB device.
Arriving at the airport, he takes a cab to the client office and makes a few more calls on his Smartphone while referencing files from the notebook PC perched on his lap.
The sales call goes well, but the client wants to know how long the project will take. Ben uses a local Internet connection to access and download the appropriate information on parts and labor availability. After signing an NDA, Ben is allowed to copy confidential information regarding the client’s new project from a floppy.
The new client’s President invites Ben to lunch. He leaves his briefcase and PC at the client’s office, but takes the Smartphone with him.
After a cab ride back to the airport and the familiar routine of waiting, boarding and landing, Ben rents a car for a quick drive to the hotel.
At the hotel, he briefly leaves his belongings in the car while he checks in at the front desk.
At dinner, Ben’s CEO gives him advance notice of a favorable analyst rating of the company, but also discloses some potential litigation that might affect how the company may market its product. Ben makes some notes on the Smartphone for follow-up. Ben then agrees with his boss to see a musical at a nearby theater. He leaves the notebook PC in his hotel room, but takes the Smartphone.
Late that night he downloads a few more emails, makes notes from his meetings and drops exhausted into bed. “Where is that USB device?”, he mutters as he falls asleep.
Although Ben is only a mid-level executive, he still has access to very sensitive company data which he is storing on numerous mobile devices.
This vignette clearly demonstrates that, for just this one executive on one day, the company ran multiple risks of losing very valuable and sensitive information. Consider how easy it would have been to leave the notebook, the smartphone or the USB device on the train, in the cabs, at the airport, on the airplane, in a rental car or at the restaurant. Mistakes like that happen frequently.
But sometimes data loss is no mistake but instead the result of planned or opportunistic theft. Ben’s catnap on the train might have tempted a watchful thief to swipe the phone, notebook or storage device. Other thieves are known to work airport lounges, rental car counters or hotel lobbies. Leaving a PC in a hotel room is a common occurrence that can also lead to theft. And how smart is it to leave a notebook PC sitting in the conference room of a client while out for lunch?
These are commonplace risks that people have learned to at least recognize, even though their behavior does not change. But there are other, subtler and less-known ways for data to leak out. Consider the Bluetooth personal area network technology built into the smartphone. If Ben inadvertently leaves his smartphone in Bluetooth “discoverable” mode, adept foragers can penetrate the device remotely and empty out the information that Ben thinks is still secure. Likewise, while at the airport, can Ben be sure he logged on to a legitimate hotspot instead of an “evil twin” access point controlled by bad guys who monitor his communications? Could he have exposed his PC to the insertion of spyware or a Trojan when he used his client’s network?
Unquestionably, because of the scope and sensitivity of the data that he carries, Ben is a walking treasure trove for competitors or thieves, and a potential time-bomb for his own company.
The company must implement a mobile device security system with the following suggested properties:
Automatic and transparent protection of all data
Ben needs a system that will automatically and imperceptibly encrypt everything he stores on his PC, smartphone or USB device which will also maintain the security as he synchronizes the information between them.
Robust operation with efficient help desk
Ben should feel confident in the quality of the system and also know that if a problem develops he is not stuck, no matter where he is: at the end of a phone line he can reach authorized administrators who can recover data, or, if he can access the online help desk, he can probably solve the problem himself.
Enterprise enforcement of security policies
It’s not all about Ben – the company bears the greatest risk. Company security officers understand the crucial importance of a mandatory and enforceable security system that assures compliance with company security policies. An enterprise security management infrastructure is required to deploy encryption and authentication capabilities on each mobile device, keep policies up to date, and to continuously monitor compliance. Just as importantly, the company must be able to centrally store all the keys and authorities necessary to access data on any personal computing device.
Proof of security
Today it is not sufficient merely to have purchased a security product; companies need to prove that the security system, including technology, policy and procedures, is properly implemented and continuously effective. Since few organizations have the expertise or budget to assess the technical merit of enterprise security products, they should seek products that have been independently evaluated by government-certified laboratories as complying with at least mid-level FIPS or Common Criteria standards. Further, the enterprise management infrastructure must maintain accurate logs of all security-related activity on mobile devices and provide alerts for events that contravene policy.
Summary
Mobile devices are an important, growing, and productive part of the information infrastructure of modern enterprises. However, greater efficiency in the field carries a heightened risk of compromising sensitive and confidential information via carelessness or opportunistic theft. Even the most diligent employees cannot adequately protect the company’s data, so the organization must provide an effective security system that automatically protects data according to central policies. Finally, look for automatic, transparent encryption with remote online help to assure user acceptance.
Courtesy - Sysman Computers Private Limited, Mumbai, India.