Academia.eduAcademia.edu

Cyber Security: Challenges and the Way Forward

gesj.internet-academy.org.ge

The high level of insecurity on the internet is becoming worrisome so much so that transaction on the web has become a thing of doubt. Cybercrime is becoming ever more serious and prevalent. Findings from 2002 Computer Crime and Security Survey show an upward ...

GESJ: Computer Science and Telecommunications 2010|No.6(29) ISSN 1512-1232 CYBER SECURITY: CHALLENGES AND THE WAY FORWARD Azeez Nureni Ayofe, Barry Irwin Department of Computer Science, Rhodes University, P.O. Box 94 Grahamstown 6140 South Africa, E-mail: [email protected], [email protected] Abstract The high level of insecurity on the internet is becoming worrisome so much so that transaction on the web has become a thing of doubt. Cybercrime is becoming ever more serious and prevalent. Findings from 2002 Computer Crime and Security Survey show an upward trend that demonstrates a need for a timely review of existing approaches to fighting this new phenomenon in the information age. In this paper, we provide an overview of Cybercrime and present an international perspective on fighting Cybercrime. This work seeks to define the concept of cyber-crime, explain tools being used by the criminals to perpetrate their evil handiworks, identify reasons for cyber-crime, how it can be eradicated, look at those involved and the reasons for their involvement, we would look at how best to detect a criminal mail and in conclusion, proffer recommendations that would help in checking the increasing rate of cyber-crimes and criminals. Keywords: Cyber security; information; Internet; technology; people 1. INTRODUCTION Over the past twenty years, unscrupulous computer users have continued to use the computer to commit crimes; this has greatly fascinated people and evoked a mixed feeling of admiration and fear [10]. This phenomenon has seen sophisticated and unprecedented increase recently and has called for quick response in providing laws that would protect the cyber space and its users. The level of sophistication has gone high to the point of using the system to commit murder and other havoc (1). The first recorded cyber murder committed in the United States seven years ago according to the Indian Express, January, 2002 has to do with an underworld don in hospital to undergo a minor surgery. His rival went ahead to hire a computer expert who altered his prescriptions through hacking the hospital’s computer system. He was administered the altered prescription by an innocent nurse, this resulted in the death of the patient. This work gives a brief overview of cyber-crime, explains why people are involved in cybercrime, look at those involved and the reasons for their involvement, we would look at how best to detect a criminal mail and in conclusion, proffer recommendations that would help in checking the increasing rate of cyber-crimes and criminals. These guides provide general outlines as well as specific techniques for implementing cyber security (http://en.wikipedia.org/wiki/Cyber_security). 2. METHODOLOGY This study was carried out purposely to explain clearly the concept of Cybercrime and Cybersecurity and provide adequate and sufficient ways of getting out of these problems in the present days of internet usage and applications. The instruments used were questionnaires, personal interviews, observation, and information on the internet as well as report from both radio and electronic media. 56 GESJ: Computer Science and Telecommunications 2010|No.6(29) ISSN 1512-1232 The authors conducted personal interviews with twenty two internet users to gather their views on the causes and their experiences with Cybercrime and Cybersecurity. In addition, fifty three questionnaires were distributed to the following categories of internet users: bankers, students, directors and university lecturers with aim of seeking their views and opinions on these issues. Consequently, the information gathered through all the above instruments were analyzed and the approach towards ameliorating these phenomenon were proffered for both the government and corporate bodies for implementation. 3. WHAT IS CYBER – CRIME? Cyber-crime by definition is any harmful act committed from or against a computer or network, it differs according to McConnell International, “from most terrestrial crimes in four ways: they are easy to learn how to commit, they require few resources relative to the potential damages caused, they can be committed in a jurisdiction without being physically present in it and fourthly, they are often not clearly illegal. Another definition given by the Director of Computer Crime Research Centre (CCRC) during an interview on the 27th April, 2004, is that “cyber-crime (‘computer crime’) is any illegal behavior directed by means of electronic operations that targets the security of computer systems and the data processed by them. In essence, cyber-crime is crime committed in a virtual space and a virtual space is fashioned in a way that information about persons, objects, facts, events, phenomena or processes are represented in mathematical, symbol or any other way and transferred through local and global networks. From the above, we can deduce that cyber crime has to do with wrecking of havoc on computer data or networks through interception, interference or destruction of such data or systems. It involves committing crime against computer systems or the use of the computer in committing crimes [2]. This is a broad term that describes everything from electronic cracking to denial of service attacks that cause electronic commerce sites to lose money. Mr. Pavan Duggal, who is the President of www.cyberlaws.net and consultant, in a report has clearly defined the various categories and types of cybercrimes. Cybercrimes can be basically divided into 3 major categories 1. 2. 3. Cybercrimes Cybercrimes Cybercrimes against against against persons. property. government. 3.1. Cybercrimes against persons: Cybercrimes committed against persons include various crimes like transmission of child-pornography, harassment of any one with the use of a computer such as e-mail. The trafficking, distribution, posting, and dissemination of obscene material including pornography and indecent exposure, constitutes one of the most important Cybercrimes known today. The potential harm of such a crime to humanity can hardly be amplified . This is one Cybercrime which threatens to undermine the growth of the younger generation as also leave irreparable scars and injury on the younger generation, if not controlled. A minor girl in Ahmedabad was lured to a private place through cyberchat by a man, who, along with his friends, attempted to gangrape her. As some passersby heard her cry, she was rescued. Another example wherein the damage was not done to a person but to the masses is the case of the Melissa virus [7]. The Melissa virus first appeared on the internet in March of 1999. It spread rapidly throughout computer systems in the United States and Europe. It is estimated that the virus caused 80 million dollars in damages to computers worldwide. 57 GESJ: Computer Science and Telecommunications 2010|No.6(29) ISSN 1512-1232 In the United States alone, the virus made its way through 1.2 million computers in one-fifth of the country's largest businesses. David Smith pleaded guilty on Dec. 9, 1999 to state and federal charges associated with his creation of the Melissa virus. There are numerous examples of such computer viruses few of them being "Melissa" and "love bug". Cyber harassment is a distinct Cybercrime. Various kinds of harassment can and do occur in cyberspace, or through the use of cyberspace. Harassment can be sexual, racial, religious, or other. Persons perpetuating such harassment are also guilty of cybercrimes. Cyberharassment as a crime also brings us to another related area of violation of privacy of citizens. Violation of privacy of online citizens is a Cybercrime of a grave nature. No one likes any other person invading the invaluable and extremely touchy area of his or her own privacy which the medium of internet grants to the citizen [11]. 3.2. Cybercrimes against property: The second category of Cyber-crimes is that of Cybercrimes against all forms of property. These crimes include computer vandalism (destruction of others' property), transmission of harmful programmes. A Mumbai-based upstart engineering company lost a say and much money in the business when the rival company, an industry major, stole the technical database from their computers with the help of a corporate cyberspy. 3.3. Cybercrimes against government: The third category of Cyber-crimes relate to Cybercrimes against Government. Cyberterrorism is one distinct kind of crime in this category. The growth of internet has shown that the medium of Cyberspace is being used by individuals and groups to threaten the international governments as also to terrorize the citizens of a country. This crime manifests itself into terrorism when an individual "cracks" into a government or military maintained website. In a report of expressindia.com, it was said that internet was becoming a boon for the terrorist organizations. According to Mr. A.K. Gupta, Deputy Director (Co-ordination), CBI, terrorist outfits are increasingly using internet to communicate and move funds. "Lashker-e-Toiba is collecting contributions online from its sympathizers all over the world. During the investigation of the Red Fort shootout in Dec., 2000, the accused Ashfaq Ahmed of this terrorist group revealed that the militants are making extensive use of the internet to communicate with the operatives and the sympathizers and also using the medium for intra-bank transfer of funds". Cracking is amongst the gravest Cyber-crimes known till date. It is a dreadful feeling to know that a stranger has broken into your computer systems without your knowledge and consent and has tampered with precious confidential data and information. Coupled with this the actuality is that no computer system in the world is cracking proof. It is unanimously agreed that any and every system in the world can be cracked. The recent denial of service attacks seen over the popular commercial sites like E-bay, Yahoo, Amazon and others are a new category of Cyber-crimes which are slowly emerging as being extremely dangerous [6]. Cyber crime can be broadly defined as criminal activity in which computer or computer networks are a tool, a target or a medium for the crime. 4. Various types of cyber crimes include: 4.1. Unauthorized access of hosts- more commonly known as hacking. Hacking can take various forms, some of which might not always involve deep technical knowledge. ¾ Social engineering involves “talking” your way into being given access to a computer by an authorized user. ¾ A divide exists between individuals who illegally break into computers with malicious intent, or to sell information garnered from the compromised computer, known as “crackers” or black hats”, and those who do it out of curiosity or to enhance their technical prowess- known as “hackers” or “white hats”. 58 GESJ: Computer Science and Telecommunications 2010|No.6(29) ISSN 1512-1232 4.2. Spamming – involves mass amounts of email being sent in order to promote and advertise products and websites. ¾ Email spam is becoming a serious issue amongst businesses, due to the cost overhead it causes not only in regards to bandwidth consumption but also to the amount of time spent downloading/ eliminating spam mail. ¾ Spammers are also devising increasingly advanced techniques to avoid spam filters, such as permutation of the emails contents and use of imagery that cannot be detected by spam filters. 4.3. Computer Fraud/ “Phishing” scams- South Africa has recently been afflicted by an onset of intricate scams that attempt to divulge credit and banking information from online banking subscribers. ¾ These are commonly called “Phishing’ scams, and involve a level of social engineering as they require the perpetrators to pose as a trustworthy representative of an organization, commonly the victims bank. 4.4. Denial of Service Attacks- Not to be confused with unauthorized computer access and hacking. ¾ Denial of Service or DoS attacks involve large volumes of traffic being sent to a host or network, rendering it inaccessible to normal users due to sheer consumption of resources. ¾ Distributed Denial of Service attacks involve multiple computers being used in an attack, in many cases through the use of “zombie” servers, which are trojanised programs that attackers install on various computers. ¾ Often legitimate computer users have no idea they are involved in denial of service attacks due to the stealthy nature of the zombie software. 4.5. Viruses, Trojans and Worms- These three all fall into a similar category as they are software designed to “infect” computers- or install themselves onto a computer without the users permission, however they each operate very differently. ¾ Many computer users have experienced the frustration of having a malicious virus wreck havoc upon their computers and data, but not all viruses have a malicious payload. ¾ Trojan is a program that allows for the remote access of the computer it’s installed on. Trojans exist for multiple performs and have varying degrees in complexity. ¾ Worms make use of known vulnerabilities in commonly used software, and are designed to traverse through networks- not always with destructive ends, historically however worms have had devastating effects such as the infamous Code Red and Melissa worms. ¾ Intellectual Property Theft- Intellectual property theft in relation to cyber crime deals mainly with the bypassing of measures taken to ensure copyright- usually but not restricted to software. 4.6. Other types of cyber crime could be categorized under the following: 1. Unlawful access to computer information - 8002 crimes. 2. Creation, use and distribution of malware or machine carriers with such programs1079. 3. Violation of operation rules of computers, computer system or networks- 11. 4. Copyright and adjacent rights violation- 528. 59 GESJ: Computer Science and Telecommunications 2010|No.6(29) ISSN 1512-1232 5. CAUSES OF CYBER – CRIME There are many reasons why cyber-criminals commit cyber-crime, chief among them are these three listed below: ™ Cyber crimes can be committed for the sake of recognition. This is basically committed by youngsters who want to be noticed and feel among the group of the big and tough guys in the society. They do not mean to hurt anyone in particular; they fall into the category of the Idealists; who just want to be in spotlight. ™ Another cause of cyber-crime is to make quick money. This group is greed motivated and is career criminals, who tamper with data on the net or system especially, e-commerce, e-banking data information with the sole aim of committing fraud and swindling money off unsuspecting customers. ™ Thirdly, cyber-crime can be committed to fight a cause one thinks he believes in; to cause threat and most often damages that affect the recipients adversely. This is the most dangerous of all the causes of cyber-crime. Those involve believe that they are fighting a just cause and so do not mind who or what they destroy in their quest to get their goals achieved. These are the cyber-terrorists. 6. HOW TO ERADICATE CYBER – CRIME Research has shown that no law can be put in place to effectively eradicate the scourge of cyber-crime. Attempts have been made locally and internationally, but these laws still have shotcomings. What constitutes a crime in a country may not in another, so this has always made it easy for cyber criminals to go free after being caught. These challenges notwithstanding, governments should in the case of the idealists, fight them through education not law. It has been proven that they help big companies and government see security holes which career criminals or even cyber-terrorist could use to attack them in future. Most often, companies engage them as consultants to help them build solid security for their systems and data. “The Idealists often help the society: through their highly mediatised and individually harmless actions, they help important organizations to discover their high-tech security holes….”( The enforcement of law on them can only trigger trouble, because they would not stop but would want to defy the law. “ Moreover, if the goal of the cyber-crime legislation is to eradicate cyber-crime, it mint well eradicate instead a whole new culture….” Investments in education is a much better way to prevent their actions. Another means of eradicating cyber-crime is to harmonize international cooperation and law, this goes for the greed motivated and cyber-terrorists. They can not be fought by education, because they are already established criminals, so they can not behave. The only appropriate way to fight them is by enacting new laws, harmonize international legislations and encourage coordination and cooperation between national law enforcement agencies [21]. 7. WHO ARE INVOLVED Those involved in committing cyber-crimes are in three categories and they are: 7.1 THE IDEALISTS (Teenager). They are usually not highly trained or skilful, but youngsters between the ages of 13 – 26 who seek social recognition. They want to be in the spotlight of the media. Their actions are globally damageable but individually negligible. “Like denying a lot of important e-commerce servers in February, 2000 is said to have caused high damages to these companies”. Most often they attack systems with viruses they created; their actual harm to each individual is relatively negligible. By the 60 GESJ: Computer Science and Telecommunications 2010|No.6(29) ISSN 1512-1232 age of 26 to 26 when they have matured and understood the weight of their actions, they lose interest and stop. 7.2 THE GREED – MOTIVATED (Career Criminals). This type of cyber-criminals is dangerous because they are usually unscrupulous and are ready to commit any type of crime, as long as it brings money to them. “They started the child pornography often called cyber-pornography which englobes legal and illegal pornography on the internet”. They are usually very smart and organized and they know how to escape the law enforcement agencies. These cyber-criminals are committing grievous crimes and damages and their unscrupulousness, particularly in child-pornography and cyber-gambling is a serious threat to the society. Example to show how serious a threat they pose to the society is “the victim of the European bank of Antigua are said to have lost more than $10million” “…theft of valuable trade secrets: the source code of the popular micro-soft windows exploration system by a Russian based hacker could be extremely dangerous… the hackers could use the code to break all firewalls and penetrated remotely every computer equipped with windows were confirmed. Another usage could be the selling of the code to competitors”. 7.3 THE CYBER – TERRORISTS. They are the newest and most dangerous group. Their primary motive is not just money but also a specific cause they defend. They usually engage in sending threat mails, destroying data stored in mainly government information systems just to score their point. The threat of cyber-terrorism can be compared to those of nuclear, bacteriological or chemical weapon threats. This disheartening issue is that they have no state frontiers; can operate from any where in the world, and this makes it difficult for them to get caught. The most wanted cyber-terrorist is Osama Bin Laden who is said to “use stegranography to hide secret messages within pictures, example, a picture of Aishwarya Rai hosted on the website could contain a hidden message to blow up a building”. A surprising fact is that these hidden messages do not alter the shape, size or look of the original pictures in any way [17]. 8. A CRIMINAL MAIL Another type of Cybercrime which is being currently researched on but not as popular as those stated above is a criminal mail. A criminal mail is usually sent to networks with the aim of either corrupting the system or committing fraud. The way to detect such mails is by putting security measures in place which would detect criminal patterns in the network. News Story by Paul Roberts, of IDG News Service says that Unisys Suite has a system called the “Unisys Active Risk Monitoring System (ARMS) which helps banks and other organizations spot patterns of seemingly unrelated events that add up to criminal activity”. Actimize Technology Ltd based in New York has developed technology that enables organizations to do complex data mining and analysis on stored information and transaction data without needing to copy it to a separate data warehouse. “The actimize software runs on the Microsoft Corp. Windows NT or Windows 2002 platform and can be developed on standard server hardware with either four to eight processors, Katz said”. Eric J. Sinrod in his article ‘What’s Up With Government Data Mining’ states that the United States “Federal Government has been using data mining techniques for various purposes, from attempting to improve service to trying to detect terrorists patterns and activities”. The most effective way to detect criminal mails is to provide security gadgets, educate employees on how to use them, and to be at alert for such mails, above all, making sure no security holes is left unattended to. The world over Cybercrime has taken deep root and the use of cyberspace by sophisticated cyber criminals has assumed serious portion today. Criminals and terrorists associated with drug trafficking, terrorist outfits are employing internet for anti social, anti national and criminal activities with impunity. 61 GESJ: Computer Science and Telecommunications 2010|No.6(29) ISSN 1512-1232 Terrorist groups are deftly using internet for passing on information with regard to executing various terrorist acts having serious negative impact on human life. The cyber-terrorists have even acquired the capability to penetrate computer systems using “logic bombs” (coded devices that can be remotely detonated), electro magnetic pulses and high-emission radio frequency guns, which blow devastating electronic wind through a computer system. The hackers have gone to the extent of distributing free hacking software—Rootkit, for instance—to enable an intruder to get root access to a network and then control as though they were the system’s administrators[12]. Cyber crime levels are on the rise in Nigeria, examples of large scale cyber crimes over the past few years include: • The phishing scams that have recently afflicted many of Nigeria’s larger banks and their clients. • Key logging software that was able to capture banking and other details of online bankers. Statistical research performed in the UK revealed that cyber crime and software flaws were costing Britain up to £10 billion in losses annually [16]. According to the survey 50% of all businesses [were affected by cyber crime, showing a giant increase in cyber crime occurrences in the UK when compared to a 2000 survey which revealed that only 25% of respondents had been cyber crime victims[16]. Table1 showing Internet Usage and World internet usage and population statistics as at March 30, 2009. World Region Population (2008 Est.) Internet usage, Latest Data % population (penetration) Usage % of world 941,249,130 3,733,783,474 801,821,187 192,755,045 334,659,631 569,133,474 Population % of world 14.2% 56.6% 12.1% 2.9% 5.1% 8.6% 44,361,940 510,478,743 348,125,847 33,510,500 238,015,529 126,203,714 4.7% 13.7% 43.4% 17.4% 71.1% 22.2% 3.4% 38.7% 26.4% 2.5% 18.0% 9.6% Usage Growth 2008 882.7% 346.6% 231.2% 920.2% 120.2% 598.5% Africa Asia Europe Middle East North America Latin America/Caribbean Australia 33,569,718 6,606,971,659 0.5% 100.0% 19,175,836 1,319,872,109 57.1% 20.0% 1.5% 100.0% 151.6% 265.6% World Total Source: [23] 8.1. Technology Viewpoint • Advances in high-speed telecommunications, computers and other technologies are creating new opportunities for criminals, new classes of crimes, and new challenges for law enforcement. 8.2. Economy Viewpoint • Possible increases in consumer debt may affect bankruptcy filings. • Deregulation, economic growth, and globalization are changing the volume and nature of anticompetitive behaviour. • The interconnected nature of the world’s economy is increasing opportunities for criminal activity. 8.3. Government Viewpoint 62 GESJ: Computer Science and Telecommunications 2010|No.6(29) ISSN 1512-1232 • Issues of criminal and civil justice increasingly transcend national boundaries, require the cooperation of foreign governments, and involve treaty obligations, multinational environment and trade agreements and other foreign policy concerns. 8.4. Social-Demographic Viewpoint • The numbers of adolescents and young adults, now the most crime-prone segment of the population are expected to grow rapidly over the next several years. 8.5. Computer as an instrument facilitating crime Computer is used as an instrument facilitating crime. Most vivid example of computers being used as an instrument of Cybercrime has been the recent attack on parliament where computer and internet was used in a variety of ways to perpetrate the crime. The terrorist and criminals are using internet methods such as e-mail, flash encrypted messages around the globe. Frauds related to electronic banking or electronic commerce are other typical examples. In these crimes, computer programmes are manipulated to facilitate the crimes namely, a. b. c. d. e. Fraudulent use of Automated Teller Machine (ATM) cards and accounts; Credit card frauds; Frauds involving electronic finds transfers; Telecommunication Frauds; and Frauds relating to Electronic Commerce and Electronic Data Interchange. The information technology (IT) infrastructure which is now vital for communication, commerce, and control of our physical infrastructure, is highly vulnerable to terrorist and criminal attacks[22]. The private sector has an important role in securing the Nation’s IT infrastructure by deploying sound security products and adopting good security practices. But the Federal government also has a key role to play by supporting the discovery and development of cyber security technologies that underpin these products and practices. Improving the Nation’s cyber security posture requires highly trained people to develop, deploy, and incorporate new cyber security products and practices. The number of such highly trained people is too small given the magnitude of the challenge. The situation has been exacerbated by the insufficient and unstable funding levels for long-term, civilian cyber security research, which universities depend upon to attract and retain faculty. 9.0. Phishing and Personal Experience Phishing is a social engineering scam that involves luring unsuspecting users to take a cyberbait much the same way conventional fishing involves luring a fish using a bait. Phishing deceives consumers into disclosing their personal and financial data, such as secret access data or credit card or bank account numbers, it is an identity theft. Identity theft schemes take numerous forms and may be conducted by e-mail (phishing), standard mail, telephone or fax. Thieves may also go through trash looking for discarded tax returns, bank records, credit card receipts or other records that contain personal and financial information so as to use someone’s personal data to steal his or her financial accounts[18]. Phishing scams are on the increase in Nigeria. The most recent phishing attacks were on the customers of Interswitch, the banking and financial system backbone organization with the highest customer base in electronic transactions in the country. According to APWG, The number of unique phishing websites detected during the second half of 2008 saw a constant increase from July – October with a high of 27,739 [19]. The Nigeria Deposit Insurance Corporation (NDIC) disclosed in its 2007 annual report and statement of account that under-hand deals by bank staff, among others, resulted in attempted fraud cases totaling N10.01 billion and 63 GESJ: Computer Science and Telecommunications 2010|No.6(29) ISSN 1512-1232 actual losses of N2.76 billion in 2007 [15]. With the present economic downturn and appropriate technology, fraudulent actions are most likely to increase and phishing remains one of the means of committing “fraudulent crimes without borders”. The case of three people, two of them Nigerians, who were arrested by the police after having conducting a phishing scheme with approximately 30 victims was reported in [2]. They posted fake e-mails to the clients of a local bank in India asking them to visit a link which required them to enter private details such as credit card number, PIN and other information. Once the users entered the information, the phishers received and used it to transfer over $100,000 from the victims accounts. In their paper “why phishing works” Rachna et al [20] came up with the fact that good phishing websites fooled 90% of users and existing antiphishing browsing cues are ineffective. On daily basis, the number of fraudulent mail s being received is totaling around twenty five. The figures below show most of the received mails. Fig. 1: Lottery Winning and Financial Scam 64 GESJ: Computer Science and Telecommunications 2010|No.6(29) ISSN 1512-1232 Fig 2: Pure 419 Scam for Phishing 9.1. Software vulnerability Network connectivity provides “door-to_door” transportation for attackers, but vulnerabilities in the software residing in computers substantially compound the cyber security problem. The software development methods that have been the norm fail to provide the high-quality, reliable, and secure software that the IT infrastructure requires. Software development is not yet a science or a rigorous discipline, and the development process by and large is not controlled to minimize the vulnerabilities that attackers exploit. Today, as with cancer, vulnerable software can be invaded and modified to cause damage to previously healthy software, and infected software can replicate itself and be carried across networks to cause damage in other systems. Like cancer, these damaging processes may be invisible to lay person even though experts recognize that their threat is growing. And as in cancer, both preventive actions and research are critical, the former to minimize damage today and the latter to establish a foundation of knowledge and capabilities that will assist the cyber security professionals of tomorrow reduce the risk and minimize damage for the long term [4]. 9.2. Domestic and international law enforcement. A hostile party using an Internetconnected computers thousands of miles away can attack an Internet- connected computers in the United States as easily as if he or she were next door. It is often difficult to identify the perpetrator of such an attack, and even when a perpetrator is identified, criminal prosecution across national boundaries is problematic. 65 GESJ: Computer Science and Telecommunications 2010|No.6(29) ISSN 1512-1232 9.3. Education. We need to educate citizens that if they are going to use the internet, they need to continually maintain and update the security on their system so that they cannot be compromised, for example, to become agents in a DDoS attack or for “spam” distribution. We also need to educate corporations and organizations in the best practice for effective security management. For example, some large organizations now have a policy that all systems in their purview must meet strict security guidelines. Automated updates are sent to all computers and servers on the internal network, and no new system is allowed online until it conforms to the security policy. 9.4. Information security. Information security refers to measures taken to protect or preserve information on a network as well as the network itself. The alarming rise of premeditated attacks with potentially catastrophic effects to interdependent networks and information systems across the globe has demanded that significant attention is paid to critical information infrastructure protection initiatives. For many years governments have been protecting strategically critical infrastructures, however in recent times the information revolution has transformed all areas of life. The way business is transacted, government operates, and national defence is conducted has changed. These activities now rely on an interdependent network of information technology infrastructures and this increases our risk to a wide range of new vulnerabilities and threats to the nation’s critical infrastructures [4]. These new cyber threats are in many ways significantly different from the more traditional risks that governments have been used to addressing. Exploiting security flaws appears now to be far easier, less expensive and more anonymous than ever before. The increasing pervasiveness, connectivity and globalization of information technology coupled with the rapidly changing, dynamic nature of cyber threats and our commitment to the use of ICT for socio-economic development brings about the critical need to protect the critical information infrastructures to provide greater control [13]. This means that governments must adopt an integrated approach to protect these infrastructures from cyber threats[4]. 10.0. THE SCAMMERS TOOLS A combination of social engineering and programming skills are the most potent tools in the hands of the 419 scammers. In order to reach a large volume of users, the scammers require an equally large number of email addresses. These are usually collected by using programs known as spam-bots to search for email addresses listed on web sites and message boards, by performing a dictionary attack (pairing randomly generated usernames with known domain names to ‘guess’ a correct address) or by purchasing address lists from individuals or organizations. Once they have addresses, spammers can use programs known as “bulk mailers” to automate the sending of spam. These programs can send huge volumes of email messages in a small amount of time. Some bulk mailing programs engaged by the spammers use open-relays to send messages, effectively hiding the true address of the spammer. Bulk mailers can also fabricate the from address in email message headers to further hide the identity of the spammer [3]. Another technique spammers utilize to send emails is with the use of zombie networks, also known as bot networks. Zombie is the term given to a computer that has been infected by a virus, worm, or Trojan Horse], which allows remote entities to take control and use it for their own (usually illegal) purposes. A large amount of these computers, usually called a network or army can be co-opted to send spam emails, requiring little of the spammer’s own computing power and network bandwidth. This technique is also popular as it protects the identity of the spammer [18]. Another popular method employed by scammers is the use of dating sites as a powerful tool to get attention and e-mail addresses. A number of victims have fallen victim to dating scams. Religious persuasions and emotional-laden mails are designed to attract attention and sympathy from religious organizations. Just as the web security community 66 GESJ: Computer Science and Telecommunications 2010|No.6(29) ISSN 1512-1232 developed personalized electronic mail filtering systems, scammers also develop tactics that are personalized. They profile individuals, trace their business history with individuals they have been involved with in the past. The knowledge of old business acquaintances abroad are employed to compose emotion-laden letters with bogus business proposals from Nigerians purportedly in government looking for opportunities to launder money abroad through a friend or two. Keystroke loggers are also used by these criminals to carefully collect personal information from unsuspecting victims. This trick is employed when unsuspecting users log on to the wrong website during a request for program update. This is particularly targeted at financial organizations. Most phishing attacks from either state that there has been some sort of fraud detected on bank accounts or that for security reasons the company just wants everyone to validate their usernames and passwords. In either event, the attack preys on fear and naiveté to get people to respond by providing sensitive information such as usernames, passwords, account numbers, etc. Cyber criminals can combine phishing with the 'Nigerian Bank Scam' to use greed rather than fear as the driving force to prey on individuals [18]. 11.0. RESULTS AND DISCUSSION The study revealed that three categories of people are involved in committing Cybercrime (The idealists, the Greed-motivated and the cyber-terrorist). It was equally gathered that these categories of people have contributed in no small measure to cyber terrorism. During the course of interview, it was learnt that four out of twenty two people interviewed were victims of Cybercrime and seven others have their relatives affected in one way or the other. It is equally obvious that that Cybercrime committed against person, property and government have claimed millions of US Dollarv and has affected up to 56% of e-commerce globally. Against this backdrop, the authors offered the recommendations in this paper as panacea for Cybercrime and Cybersecurity with a view of having a reliable and consistent internet usage in the world). 12.0. CONCLUSION Cybercrime and Cyber security has become a subject of great concern to all governments of the world. Nigeria, representing the single largest concentration of people of Africa decent has an important role to play. This situation has almost reached an alarming point, according to various studies and countries which neglects and /fail to respond timely and wisely, will pay very dearly for it. It has been deduced from this study that reliance on terrestrial laws is still an untested approach despite progress being made in many countries, they still rely on standard terrestrial laws to prosecute cyber crimes and these laws are archaic statutes that have been in existence before the coming of the cyberspace. Also weak penalties limit deterrence: countries with updated criminal statutes still have weak penalties on the criminal statutes; this can not deter criminals from committing crimes that have large-scale economic and social effect on the society. Also a global patchwork of laws creates little certainty; little consensus exist among countries regarding which crimes need to be legislated against. Self protection remains the first line of defense and a model approach is needed by most countries; especially those in the developing world looking for a model to follow. They recognize the importance of outlawing malicious computer-related acts in a timely manner or in order to promote a secure environment for e-commerce. Cyber-crime with its complexities has proven difficult to combat due to its nature. Extending the rule of law into the cyberspace is a critical step towards creating a trustworthy environment for people and businesses. Since the provision of such laws to effectively deter cyber-crime is still a work in progress, it becomes necessary for individuals and corporate bodies to fashion out ways of providing security for their systems and data. To provide this self-protection, organizations should 67 GESJ: Computer Science and Telecommunications 2010|No.6(29) ISSN 1512-1232 focus on implementing cyber-security plans addressing people, process and technology issues, more resources should be put in to educate employees of organizations on security practices, “develop thorough plans for handling sensitive data, records and transactions and incorporate robust security technology- -such as firewalls, anti-virus software, intrusion detection tools and authentication services”. 13.0. RECOMMENDATION By way of recommendations, these kinds of actions (both in form of security, education and legislation) are suggested following the weak nature of global legal protection against cyber crime (Azeez, 2009): A. Legislation approach: • Laws should apply to cyber-crime—National governments still are the major authority who can regulate criminal behavior in most places in the world. So a conscious effort by government to put laws in place to tackle cyber-crimes would be quite necessary. • Review and enhance Nigeria cyber law to address the dynamic nature of cyber security threats; • Ensure that all applicable local legislation is complementary to and in harmony with international laws, treaties and conventions; • Establish progressive capacity building programmes for national law enforcement agencies; • There should be a symbiotic relationship between the firms, government and civil society to strengthen legal frameworks for cyber-security. An act has to be crime in each jurisdiction before it can be prosecuted across a border. Nation must define cyber-crimes in similar manner, to enable them pass legislation that would fight cyber-crimes locally and internationally. B. Security approach • Strengthening the trust framework, including information security and network security, authentication, privacy and consumer protection, is a prerequisite for the development of the information society and for building confidence among users of ICTs; • A global culture of Cyber security needs to be actively promoted, developed and implemented in cooperation with all stakeholders and international expert bodies; • Streamlining and improving the co-ordination on the implementation of information security measures at the national and international level; • Establishment of a framework for implementation of information assurance in critical sectors of the economy such as public utilities, telecommunications, transport, tourism, financial services, public sector, manufacturing and agriculture and developing a framework for managing information security risks at the national level; • Establishment of an institutional framework that will be responsible for the monitoring of the information security situation at the national level, dissemination of advisories on latest information security alerts and management of information security risks at the national level including the reporting of information security breaches and incidents; • Promote secure e-commerce and e-government services; • Safeguarding the privacy rights of individuals when using electronic communications and • Develop a national cyber security technology framework that specifies cyber security requirement controls and baseline for individual network user; • Firms should secure their network information. When organization provides security for their networks, it becomes possible to enforce property rights laws and punishment for whoever interferes with their property. 68 GESJ: Computer Science and Telecommunications 2010|No.6(29) ISSN 1512-1232 C. Education/Research Improving awareness and competence in information security and sharing of best practices at the national level through the development of a culture of Cybersecurity at national level. • Formalize the coordination and prioritization of cyber security research and development activities; disseminate vulnerability advisories and threat warnings in a timely manner. • Implement an evaluation/certification programme for cyber security product and systems; • Develop, foster and maintain a national culture of security standardize and coordinate Cybersecurity awareness and education programmes. • REFERENCES 1. Douglas A. Barnes. Deworming the internet. Texas Law Review, 83:279_329, November 2004. 2. Aaron J. Burstein. Towards a culture of cybersecurity research. Harvard Journal of Law and Technology, 22:230_240, 2008. 3. Van J Garcia F, Hoepman J and Nieuwenhuizen J. Proceedings of 19th i_p international information security conference, wcc2004-sec, toulouse, france. In Spam _lter analysis. Kluwer Academic Publishers., 2004. 4. Hammond and Allen. The 2001 council of European convention on cybercrime. In an E_cient Tool to Fight Crimes in Cyber-Space?, June, 2001. 5. http://www.asianlaws.org/press/cybercrime.htm. Cyber crime is here to stay. Indian Express, 4, 2002. 6. Daniel J. Solove and Chris Jay Hoofnagle. A model regime of privacy protection. University of Illinois Law Review, 7:1083_1167, 2002. 7. Berkley l Joseph P, Liu. The dmca and the regulation of scienti_c research. Technology Law Journal, 18:501, 2003. 8. Paulson LD. Spam hits instant messaging. Computer and Internet Security, 37 no 4:18, 2004. 9. Tygar J Rachna D and Marti Hearst. Proceedings of the conference on human factors in computing systems. In Why Phishing Works, 2006. 10. Jansweijer W Schreiber G, Wielinga B. IJCAI workshop on eradicating cybercrime in the world. In Towards Cybercrime Eradication, August 19-20th 1995. 11. Goodman Symour E and Herbert S. Towards a Safer and More Secure Cyberspace. National academies Press, 2007. 12. Euguene Volokh. Crime-facilitating speech. Stanford Law Review, 57:1095_1222, March 2005. 13. http://www.asianlaws.org/press/cybercrime.htm 14. http://www.dailytrust.com, 2008 15. http://news.softpedia.com/news/Nigerian-Phishers-Arrested-83024.shtml 16. http://www.crime-research.org/Golubev_interview_052004/ 17. www.mcconnellinternational.com/services.cybercrime.htm 18. http://www.irs.ustreas.gov 19. http://www.antiphishing.org 20. http://netsecurity.about.com/b/2005/02/20/nigerianbank-scam-meets-phishing-attack.htm 21. http://www.cybesecurity.org/Research/2004.06.dissertation.Pdf . 22. http://www. The Menace Of Cyber Crime - Author - Anusuya Sadhu.htm) _______________________ Article received: 2010-05-20 69