E-crime against Stilianos - Assignment Example

E-crime

Introduction

Electronic crime is a new phase of technological mishap that to a large extent thwarts efforts to achieve secure information systems and networks. Electronic crime, or e-crime, basically refers to a situation in which a crime is committed by the use of technology. In most cases, these crimes are committed against information systems and other technologically enhanced systems. Typical examples are the invasion of a person’s bank details by the use of technology or breaking into the database system of a university by the use of technology. It is in this direction that Crime Wales (2012) notes that “e-Crime generally refers to a criminal activity where a computer or computer network is the source, tool, target, or place of a crime.” E-crime, as Crime Wales describes it, therefore concerns a deliberate attempt to invade or harm a computer system. This is very common today because of the general growth and use of technology and technology tools.

It can be observed that modern growth in technology use has resulted in a situation whereby all major global institutions are hooked onto a network in one form or another. Very common uses of these network systems are electronic commerce and the protection of data from the public domain. E-crime is a major form of cyber threat that has resulted in a lot of advocacy programs to combat the situation. The e-crime Bureau (2012) therefore notes that “The development of appropriate legislations and policies across corporate and government departments is an integral aspect of mitigating the cyber threat.” All these efforts notwithstanding, it is common knowledge that electronic crime keeps going on in daily technology use and interaction.

a) Your understanding of the case study and what really took place.

The basic understanding underlying the case study is that there has been an attempted electronic crime against Stilianos.
A person who is familiar with the basic operations of Linux might have attempted to gain entry into his system without his notice. The first suspicion of what took place is that someone who is very familiar with the basic operations and functions of Linux system concepts has attempted to take advantage of the flexibility allowed in the use of Linux to invade the privacy of Stilianos’ system. It will be noted that “Linux is a multitasking, multiuser operating system, which means that many people can run many different applications on one computer at the same time” (Grove, 1998). By this, there is a very high chance of taking advantage of the multiplex nature of the accessibility core of Linux. But indeed, the mere fact that Linux is a multiuser system does not permit just any person to break into the systems of other people.

From the case study, it can be noticed that there is a particular hub that has been invaded by whoever is behind the plot. The confirmation that there was a specific target on one of the hubs is the fact that when an nmap scan of the suspect system was run from the IT technician’s laptop, its output listing conflicted with that of the lsof program, which was run to list the open transport layer network file descriptors on the same suspect system. Basically, Linux operates with a shell. A shell has been explained as “a program that takes the commands you type and translates them into instructions to the operating system” (Grove, 1998). In the person’s effort to invade Stilianos’ system without Stilianos’ notice, it is very likely that the shell was the first system component to be tampered with. It is for this reason that, according to the case study, two listening services on TCP ports 3457 and 32411 did not show up when viewed from within the system.

b) Answers to the following questions:

When and how was Stilianos’ machine initially compromised?
The indication has already been given that the shell might have been tampered with as the first move to invade Stilianos’ system. As far as the shell of the Linux system is concerned, whoever attempted the invasion worked with the command shell, which is a “separate software program that provides direct communication between the user and the operating system” (Microsoft Corporation, 2012). At the receiving end of the user system, which was supposed to be for Stilianos, an attempt had been made to prevent the communication from getting to the operating system and thus getting to Stilianos. The general attempt was therefore to ensure that the command shell did not carry out its program and show its output on the screen, by the use of specific characters that are closely related to the MS-DOS command interpreter Command.com (Microsoft Corporation, 2012).

As far as the period for this is concerned, it is very likely that it was accomplished on the 18th of September 2000. This is because, as indicated in the case study, the whole system was installed on September 7th, and so there is no way the invasion could have been done before then. According to the results from the forensically sound copies also, the most immediate date of entry apart from 29th September 2000 was 18th September 2000.

Another answer that can be given with reference to how the machine was initially compromised is the striking of nmap. This is because it was in the nmap output listings that certain ports did not show up at all. Specifically, the TCP ports 3457 and 32411 did not show up in the reading altogether. Writing on nmap and the role it performs in the Linux system network, the Nmap Organisation (2012) explains that “Nmap ("Network Mapper") is a free and open source (license) utility for network exploration or security auditing.” This explanation alone gives an indication of how the network mapper could easily be used by hackers or invaders, because it works in an open source system.
Though it is generally used for auditing and therefore for detecting electronic crime, electronic criminals use the component of Nmap that makes it possible to “determine what hosts are available on the network, what services those hosts are offering and what operating systems (and OS versions) they are running” to find the best times to attack.

Given that the machine’s binaries were verified to be clean, what would account for the two extra services that didn’t show up with a local lsof, but did with the remote scan with nmap?

On the whole, the local lsof was supposed to be able to show all the extra services that were on the system. This is because the fundamental purpose of lsof has been identified to be the listing of information about files opened by processes for specific UNIX systems (Haas, 2012). There are several categories of files that lsof should be in a position to detect when they are opened on a system. Haas (2012) lists some of these files as “a regular file, a directory, a block special file, a character special file, an executing text reference, a library, a stream or a network file (Internet socket, NFS file or UNIX domain socket).” Based on these arguments put forth by Haas (2012), it would certainly be out of place for there to be very active and properly functioning binaries and yet for the two extra services not to show up with the local lsof. In this situation, therefore, the lsof of the local system would be to blame for not showing the extra services when the extra services were shown by the remote scan with nmap.

There are a couple of factors that could account for the situation above. The first is that the files that did not show up did not fall under the stipulated files that the local lsof is normally supposed to show. In the explanation given by Haas (2012), it will be noted that the names of specific files are given.
This means that even though the machine’s binaries were verified to be clean, the files that did not show up were outside the range of files detected by the local lsof used by Stilianos. Another cause is that the extra services were not specified in the list request options. This is because, when any list option is requested, all remaining list requests also need to be specifically requested. Haas (2012) gives an example of this situation: “if -U is specified for the listing of UNIX socket files, NFS files won't be listed unless -N is also specified.” In simple terms, Stilianos did not request those extra files by using lsof -i -U (Chirico, 2004).

What sort of traffic was found on TCP/32411?

First, it is important to establish that Steve first had to transfer the tcpdump log from the system Andy had set up to capture traffic to his analysis laptop and use ngrep to show what TCP traffic had flowed by on port 32411. The first step in identifying the sort of traffic that was found on TCP/32411 is therefore to diagnose why the tcpdump log had to be transferred from Andy’s system to the analysis laptop and ngrep used to show the kind of traffic that had flowed by on port 32411. In explaining the cause, tcpdump has been identified as having the characteristic of using promiscuous mode in order to be sure of having sufficient privileges on a network device or a socket (Open Maniak, 2010). The simple implication is that tcpdump could be misleading in its results or traffic log. ngrep, on the other hand, recognizes several expressions, together known as hexadecimal expressions. These expressions include “IPv4/6, TCP, UDP, ICMPv4/6, IGMP and Raw across Ethernet, PPP, SLIP, FDDI, Token Ring and null interfaces” (Ritter, 2006). This means that ngrep was going to be more reliable for reading all the traffic on the system.
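The comparison that exposed the two services in this case, a remote nmap scan set against the local lsof listing, can be scripted as a cross-view check. The following is an added example, not part of the original essay or the case study; the sample tool output is constructed, and only ports 3457 and 32411 come from the case study.

```python
"""Cross-view check: ports a remote scan sees open vs. ports the host reports."""
import re

# Constructed sample of nmap's normal output for the suspect host. Only ports
# 3457 and 32411 come from the case study; every other value is illustrative.
NMAP_SAMPLE = """\
Nmap scan report for suspect.example (192.0.2.10)
PORT      STATE    SERVICE
22/tcp    open     ssh
25/tcp    filtered smtp
80/tcp    open     http
3457/tcp  open     unknown
32411/tcp open     unknown
"""

# Constructed sample of `lsof -i -n -P` output taken on the same host.
LSOF_SAMPLE = """\
COMMAND  PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd     612 root    3u  IPv4   1021      0t0  TCP *:22 (LISTEN)
httpd    701 root   16u  IPv4   1190      0t0  TCP *:80 (LISTEN)
httpd    701 root   17u  IPv4   1422      0t0  TCP 192.0.2.10:80->192.0.2.77:51514 (ESTABLISHED)
cupsd    640 root    5u  IPv4   1077      0t0  TCP 127.0.0.1:631 (LISTEN)
named    655 named  20u  IPv4   1100      0t0  UDP 127.0.0.1:53
"""

NMAP_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)")
LSOF_LISTEN = re.compile(r"\sTCP\s+\S*:(\d+)\s+\(LISTEN\)\s*$")


def remote_open_tcp(nmap_text):
    """TCP ports the scanner reports as 'open' (filtered/closed are ignored)."""
    ports = set()
    for line in nmap_text.splitlines():
        m = NMAP_LINE.match(line.strip())
        if m and m.group(2) == "tcp" and m.group(3) == "open":
            ports.add(int(m.group(1)))
    return ports


def local_listening_tcp(lsof_text):
    """TCP ports the host itself lists in LISTEN state."""
    ports = set()
    for line in lsof_text.splitlines():
        m = LSOF_LISTEN.search(line)
        if m:
            ports.add(int(m.group(1)))
    return ports


def cross_view(nmap_text, lsof_text):
    """Return the ports on which the two views disagree.

    hidden_from_host: open from the network but absent from the local listing;
    this is the discrepancy reported in the case study.
    unreachable_from_scanner: listed locally but not open remotely; usually
    benign (loopback-only binding or a packet filter).
    """
    remote = remote_open_tcp(nmap_text)
    local = local_listening_tcp(lsof_text)
    return {
        "hidden_from_host": sorted(remote - local),
        "unreachable_from_scanner": sorted(local - remote),
    }


if __name__ == "__main__":
    print(cross_view(NMAP_SAMPLE, LSOF_SAMPLE))
```
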
Having made all the points on the traffic situation above, they point to one fact, and that is that the traffic found on TCP/32411 could very much be described as Active Directory Domain traffic. The first suspicion that gives rise to the selection of Active Directory Domain traffic is the fact that Active Directory Domain traffic has the characteristic of causing several replications on a given system and domain. On its regular function, Microsoft Technet (2012) opines that “the new Active Directory model uses an updated replication architecture to meet the needs for an enterprise directory service.” This submission was made in relation to Active Directory Domain traffic, which has a regularized role to play in the system. But as with all system dysfunctions, The Cable Guy (2012) notes that there is a greater possibility that the functioning of the replication may not be within the regular format, causing some of the listening services not to show up on TCP ports. Knowing that the port in question, 32411, is a TCP port, nothing more can be said than that the type of traffic found on that port was Active Directory Domain traffic. A very useful piece of advice is given by The Cable Guy (2012), stating that “you can test your network paths for domain traffic on an individual port basis with the Portqry.exe tool if the domain controller is already in place.” This was a means by which Stilianos could have checked for the traffic.

What was the ipv6.o module?

From the operation of the Internet Protocol Version 6 that manifested itself in ipv6.o, it can confidently be said that the ipv6.o module was an autonomous start-up script. In a very regular manner, dd-wrt (2012) notes that “Internet Protocol version 6 (IPv6) is a network layer IP standard used by electronic devices to exchange data across a packet-switched internetwork.” There are, however, unpredictable cases where autonomous IPv6 are created.
Those autonomous IPv6 found in Microsoft Windows have been characterised by the dynamic computation of IPv6 and its use by default, and hence the ipv6.o module (dd-wrt, 2012). It has even been argued that these autonomous start-up scripts “can cause some trouble under certain conditions where the server needs a unique and static IPv6 (containing the EUI-64)” (dd-wrt, 2012).

What was the rpc.status file?

The rpc.status file that showed up is an external XPL file. The basis for this selection is that in the status system, “if the method was loaded from an external XPL file, the file path and modification-time are also displayed” (Black Perl, 2003). It will be noted that in the binary files that were checked by Steve, the file path and modification times for all the services that did not show up were displayed. This makes the rpc.status file an external XPL file instead of an internal XPL file.

Conclusions identifying and analysing the different types of E-Crime

In conclusion, it can be said that there are several types of e-crime that can be identified in modern technological circles. These range from high profile crimes to low profile crimes. But whatever the situation or level of the crime may be, crimes are illegal and so never right. First, there are e-crimes that deal with the manipulation of records stored in a computer. These crimes are common in organisations and institutions and are easily practiced by staff of lower rank who may be suspicious of any data about them stored by their superiors. Some of these criminals succeed in tampering with the records, changing facts and at times deleting some of the records that go against them. There are also e-crimes that involve spamming.
Spamming has been explained by AWeber Communications (2012) as “the sending of an unsolicited email.” Some of these emails are aimed at making unsuspecting people pay huge sums of money into unknown accounts on the pretext that they have won lotteries and need to make deposits. Another form of e-crime has to do with the distribution of harmful computer programs such as viruses. These viruses cause serious harm to the operations and functions of the computers involved. In some cases, they can lead to a total crash or collapse of the computer’s operating system. There is also the ever troubling act of hacking and cracking. This takes place in the form of trying to break into a computer’s security by invading passwords or security codes. In most cases, once the hacker breaks into the security system, he or she creates a new lock code, making the whole system inaccessible to the original owner. Then also there is “intellectual property theft including software piracy” (Computer Crime Research Centre, 2011).

Each of the forms of electronic crime discussed above has a devastating effect on the victims. It can be said that electronic crimes are common in almost every type of organisation or business. The worst sufferers of intellectual property crimes are those in the creative arts industry, such as movies, music and software design. Banks also suffer a lot of system hacking and cracking aimed at getting into people’s account details. For the modern small and medium scale business, it is important to be particularly careful about forms of electronic crime that will expose its strategic plans to competitors. This is because strategic plans are important tools for ensuring competitive advantage. There is also the risk of losing volumes of data and, in some cases, suffering a system crash that makes information systems such as online payment and ordering systems impossible to use.
As much as possible, there should be constant review of security systems to ensure that electronic criminals are tricked on the particular codes that may give them entry into the systems. There should also be the practice of keeping extensive backup systems to avoid permanent data loss.

REFERENCE LIST

AWeber Communications, 2012, What is Spamming? [Online] http://www.aweber.com/faq/questions/159/What+is+Spamming%3F [Accessed February 28, 2012]

Black Perl, 2003, Apache::RPC::Status - A status monitor similar to Apache::Status for RPC. [Online] http://www.blackperl.com/RPC::XML/man/Apache/RPC/Status.html [Accessed February 27, 2012]

Chirico M., 2004, Linux Tips. [Online] http://souptonuts.sourceforge.net/how_to_linux_and_open_source.htm [Accessed February 287 2012]

Computer Crime Research Centre, 2011, Types of computer crimes. [Online] http://www.crime-research.org/news/26.11.2005/1661/ [Accessed February 29, 2012]

Crime Wales, 2012, What is E-Crime? [Online] http://www.ecrimewales.com/server.php?show=nav.8856 [Accessed February 29, 2012]

DD-WRT, 2012, IPv6 (tutorial). [Online] http://www.dd-wrt.com/wiki/index.php/IPv6 [Accessed February 28, 2012]

E-crime Bureau, 2012, Cyber Governance and Cyber Security Policy. [Online] http://e-crimebureau.com/index.php?id=cyber-governance-and-cyber-security-policy [Accessed February 28, 2012]

Grove C., 1998, Linux Tutorial. [Online] http://tldp.org/LDP/gs/node5.html [Accessed February 27, 2012]

Haas J., 2012, Linux / Unix Command: lsof. [Online] http://linux.about.com/library/cmd/blcmdl8_lsof.htm [Accessed February 28, 2012]

Microsoft Corporation, 2012, Command shell overview. [Online] http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/ntcmds_shelloverview.mspx?mfr=true [Accessed February 27, 2012]

Microsoft Technet, 2012, Active Directory Replication Traffic. [Online] http://technet.microsoft.com/en-us/library/bb742457.aspx [Accessed February 27, 2012]

Nmap Organisation, 2012, Nmap Security Scanner. [Online] http://nmap.org/ [Accessed February 28, 2012]

Open Maniak, 2010, TCPDUMP Easy Tutorial. [Online] http://openmaniak.com/tcpdump.php [Accessed February 29, 2012]

Ritter J., 2006, ngrep - network grep. [Online] http://ngrep.sourceforge.net/ [Accessed February 28, 2012]