Saturday, June 9, 2012

IP Address Spoofing And Its Defenses


The Internet Protocol Address (IP Address) plays a significant role in our day-to-day lives. Whether it is Cyber Security or Cyber Forensics, the IP Address has a crucial role to play. It is also the starting point of any Cyber Crime Investigation, so it is of utmost importance that an IP Address be correctly ascertained.

Similarly, Crackers and Cyber Criminals are interested in hiding their “Digital Footprints” through various means. IP Spoofing, use of Proxies, utilising Botnets for nefarious activities, exploiting unsecured Wireless Access Points and Connections, etc. are some of the methods used by Cyber Criminals.

The IP Address is also the starting point for determining “Authorship Attribution”, which is a must before an accused is “Convicted” by a Court of Law. For instance, if a single Computer or Internet connection is used by multiple users, it is absolutely essential to ascertain who in fact used the Computer/Connection for the “Offending Act”.

Similarly, it is absolutely essential to ensure that the owner of a Wireless Connection is actually the person who committed the Cyber Crime or Cyber Contravention. In many such cases an unsecured Wireless Connection is misused by others, and it is the IP Address of the owner that is reflected for that activity.

Thus, Authorship Attribution is an important aspect of “Determining the Culpability” of an Offender where the means to commit the Offence are common and accessible to many people simultaneously. Data Mining and Profiling of the accused to “Attribute Culpability” to him/her alone is an emerging area of Cyber Crime Investigation.

IP Spoofing is one of the methods used by Cyber Criminals to deny “Authorship Attribution”. A Cyber Crime Investigator would first ascertain the IP Address and then, after analysing the E-Mail Headers/Logs, she may conclude that the IP Address reflected in the communication is a forged or spoofed one. Ascertaining the true and correct IP Address is required to proceed further in such a case.

IP Address Spoofing means creating IP packets with a forged source IP Address, with the purpose of concealing the real identity of the sender or impersonating another System. The most common Protocol suite for data exchange over the Internet is TCP/IP. The header of each IP Packet contains, among other things, the numerical source and destination address of the Packet. The source address is normally the address that the packet was sent from, but nothing at the IP layer verifies it: the header checksum only detects accidental corruption, and whoever forges the header simply recomputes it. By forging the header so that it contains a different address, an attacker can make it appear that the packet was sent by a different Computer.
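
To make the point above concrete, the following is an added example (not code from the original post) that packs a minimal IPv4 header, overwrites the source address the way a spoofing tool would and recomputes the checksum so the packet still parses as valid. The addresses are constructed documentation-range values; `rewrite_source` and `parse_ipv4_header` are names chosen for this example.

```python
import socket
import struct

# Added example: pack and parse a minimal IPv4 header to show where the source
# address lives and why forging it is trivial. Addresses are constructed
# documentation-range values, not real hosts.

IPV4_FMT = "!BBHHHBBH4s4s"   # 20-byte header without options


def ip_checksum(data: bytes) -> int:
    """RFC 791 header checksum: one's-complement sum of all 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, payload_len: int,
                      proto: int = 6, ttl: int = 64, ident: int = 0x1234) -> bytes:
    """Build a header whose source field is whatever the caller supplies.

    Nothing at the IP layer ties `src` to the machine actually sending it;
    the checksum only has to be recomputed to match the new bytes."""
    ver_ihl = (4 << 4) | 5            # version 4, header length 5 words
    total_len = 20 + payload_len
    hdr = struct.pack(IPV4_FMT, ver_ihl, 0, total_len, ident, 0, ttl, proto,
                      0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def rewrite_source(pkt: bytes, new_src: str) -> bytes:
    """What a spoofing tool does to an existing packet: overwrite the source
    address (bytes 12-15) and fix up the checksum (bytes 10-11)."""
    hdr = pkt[:12] + socket.inet_aton(new_src) + pkt[16:20]
    hdr = hdr[:10] + b"\x00\x00" + hdr[12:]
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + pkt[20:]


def parse_ipv4_header(pkt: bytes) -> dict:
    """Decode the fixed header; `checksum_ok` is True when the one's-complement
    sum over the header, including its checksum field, is zero."""
    (ver_ihl, _tos, total_len, ident, _ff, ttl, proto,
     _cksum, src, dst) = struct.unpack(IPV4_FMT, pkt[:20])
    return {
        "version": ver_ihl >> 4,
        "ihl": ver_ihl & 0xF,
        "total_len": total_len,
        "ident": ident,
        "ttl": ttl,
        "proto": proto,
        "src": socket.inet_ntoa(src),
        "dst": socket.inet_ntoa(dst),
        "checksum_ok": ip_checksum(pkt[:20]) == 0,
    }


if __name__ == "__main__":
    honest = build_ipv4_header("198.51.100.7", "192.0.2.10", payload_len=0)
    forged = rewrite_source(honest, "203.0.113.5")
    for name, pkt in (("honest", honest), ("forged", forged)):
        info = parse_ipv4_header(pkt)
        print(name, info["src"], "->", info["dst"], "checksum_ok =", info["checksum_ok"])
```

The forged packet is indistinguishable from an honest one by inspection of the header alone; the only things that can expose it are context the header does not carry, such as the interface it arrived on or the reply traffic it can never answer.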

However, there is a “Limitation” to such use. To establish a Connection, TCP uses a “Three Way Handshake”: the server answers a SYN with a SYN-ACK carrying its own initial sequence number, and the connection is established only when the client acknowledges that number. The SYN-ACK is sent to the forged source address, so an attacker who cannot observe that traffic never learns the server's sequence number and cannot complete the handshake. The uses of IP Spoofing are therefore limited. For instance, IP Spoofing can be used for Denial of Service attacks (DoS), as the attacker does not need a “Response” at all. IP Spoofing can also be used by network intruders to defeat network security measures such as authentication based on IP Addresses, and for Session Hijacking or Host Impersonation.

Some services are vulnerable to IP Spoofing. These include RPC (Remote Procedure Call) services, any service that uses IP Address based authentication, the X Window System, the R services suite (rlogin, rsh, etc., which trust hosts listed in hosts.equiv and .rhosts files), and so on.

IP Spoofing can take many forms. In Non-Blind Spoofing the attacker is on the same subnet as the victim, can sniff the traffic and therefore sees the sequence numbers directly; this enables session hijacking. Using this technique, an attacker can effectively bypass any authentication that took place when the connection was built, because that authentication is not repeated for the packets that follow.

In Blind Spoofing the attacker cannot see the replies, so several packets are first sent to the target machine from the attacker's own address in order to sample its sequence numbers. Computers in the past used basic techniques for generating sequence numbers, such as a fixed increment per connection and per unit of time, and it was relatively easy to discover the exact formula by studying packets and TCP sessions. Today, most Operating Systems (OSs) derive the initial sequence number from a keyed hash of the connection's addresses and ports plus a clock (the scheme of RFC 6528), making it difficult to predict accurately.

In a Man in the Middle Attack (MITM) the attacker intercepts a legitimate communication between two Computers. The malicious host then controls the flow of communication and can drop or alter the information sent by one of the original participants without the knowledge of either the sender or the recipient. In this way, an attacker can fool a victim into disclosing confidential information by “Spoofing” the identity of the original sender, who is presumably trusted by the recipient.

It is generally agreed that IP Spoofing does not provide Anonymous Internet Access; believing that it does is a common misconception among those unfamiliar with the practice. Any sort of Spoofing beyond simple floods is relatively advanced and used in very specific instances such as evasion and connection hijacking.

However, some believe that if a Website is not using syncookies and is using predictable initial sequence numbers, it is possible to create a live TCP connection without actually revealing the original IP Address. This is possible because an attacker who can predict the server's sequence number has no need to see the “Responses” at all. I would deal with this issue separately and in greater detail subsequently.

IP Spoofing can be prevented and defended against through methods like ingress and egress Packet Filtering (dropping packets whose source address could not legitimately have arrived on the interface they came in on, the practice described in BCP 38), Websites using syncookies and unpredictable initial sequence numbers, use of authentication protocols that do not rely exclusively on the IP Address, use of Encryption, etc.
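
The packet filtering mentioned above, as an added example that is not part of the original post: a source-address (ingress) filter of the kind a provider applies at its customer edge. The interface map, the bogon list and the sample packets are constructed for this example, and the function names are this example's own.

```python
import ipaddress
from typing import Dict, List, NamedTuple, Tuple

# Added example: source-address (ingress) filtering at a provider edge, the
# BCP 38 defence. The interface map and packets are a constructed sample.

Network = ipaddress.IPv4Network

# Prefixes legitimately sourced behind each customer-facing interface (assumed).
INTERFACE_PREFIXES: Dict[str, List[Network]] = {
    "cust-a": [ipaddress.ip_network("203.0.113.0/24")],
    "cust-b": [ipaddress.ip_network("198.51.100.0/25")],
}

# Sources that should never arrive from a customer or peer at all.
BOGON_SOURCES: List[Network] = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


class Packet(NamedTuple):
    ingress_if: str
    src: str
    dst: str


def ingress_filter(pkt: Packet) -> Tuple[bool, str]:
    """Return (accept, reason). A packet is accepted only if its source
    address belongs to a prefix that legitimately sits behind the interface
    it arrived on; anything else is a spoofed or misrouted source."""
    try:
        src = ipaddress.ip_address(pkt.src)
    except ValueError:
        return False, "malformed source"
    if any(src in net for net in BOGON_SOURCES):
        return False, "bogon source"
    allowed = INTERFACE_PREFIXES.get(pkt.ingress_if)
    if allowed is None:
        return False, "unknown interface"
    if not any(src in net for net in allowed):
        return False, "source not behind this interface (spoofed)"
    return True, "ok"


def apply_filter(pkts: List[Packet]) -> List[Tuple[Packet, bool, str]]:
    """Run the filter over a batch and keep the verdict next to each packet."""
    return [(p, *ingress_filter(p)) for p in pkts]


SAMPLE_PACKETS = [                                    # constructed sample
    Packet("cust-a", "203.0.113.44", "192.0.2.1"),    # honest customer A
    Packet("cust-a", "198.51.100.9", "192.0.2.1"),    # A claiming B's address
    Packet("cust-b", "10.1.2.3", "192.0.2.1"),        # private source leaking out
    Packet("cust-b", "198.51.100.200", "192.0.2.1"),  # outside B's /25
    Packet("cust-b", "198.51.100.77", "192.0.2.1"),   # honest customer B
]

if __name__ == "__main__":
    for pkt, ok, why in apply_filter(SAMPLE_PACKETS):
        print("ACCEPT" if ok else "DROP  ", pkt.ingress_if, pkt.src, "->", pkt.dst, why)
```

Such a filter stops forged packets leaving the network that deploys it; it does nothing about forged packets arriving from networks that do not, which is why the protection depends on wide adoption rather than on any single site.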

Some upper layer protocols provide their own defence against IP Spoofing attacks. For example, TCP uses sequence numbers negotiated with the remote machine to ensure that arriving packets are part of an established connection. Since the attacker normally cannot see any reply packets, the sequence number must be guessed in order to hijack the connection. Poor implementations in many older operating systems and network devices, however, mean that TCP sequence numbers can be predicted.
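
The handshake limitation, the sampling of sequence numbers in Blind Spoofing, and the defence that unpredictable sequence numbers give (all discussed above) can be seen in one place with the following added example, which is not code from the original post. It models a listener that accepts a connection only when the final ACK carries its initial sequence number plus one, and a blind attacker who samples ISNs from its own address and then forges a SYN and ACK in the name of a trusted host. The “predictable” generator imitates the old fixed-increment scheme and the “hashed” one the keyed-hash approach; both, and all host addresses, are constructed for this example.

```python
import hashlib
import hmac
import os
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Added example: a toy TCP listener and a blind spoofer. Host addresses are
# constructed documentation-range values; the "predictable" scheme imitates the
# old fixed-increment generators, the "hashed" scheme the RFC 6528 approach.

MASK32 = 0xFFFFFFFF
Endpoint = Tuple[str, int]   # (ip, port)


class Listener:
    """Accepts a connection only when the final ACK carries ISN + 1,
    exactly what the three-way handshake requires."""

    def __init__(self, isn_scheme: str):
        assert isn_scheme in ("predictable", "hashed")
        self.isn_scheme = isn_scheme
        self._counter = 0
        self._secret = os.urandom(16)
        self._pending: Dict[Endpoint, int] = {}
        self.established: List[Endpoint] = []

    def _isn(self, client: Endpoint) -> int:
        if self.isn_scheme == "predictable":
            # Fixed increment per connection: anyone who has seen two ISNs
            # knows the next one.
            self._counter = (self._counter + 64000) & MASK32
            return self._counter
        # Keyed hash of the connection identifiers: a different, unguessable
        # value per client (RFC 6528 also adds a clock term, omitted here).
        tag = hmac.new(self._secret, repr(client).encode(), hashlib.sha256).digest()
        return int.from_bytes(tag[:4], "big")

    def syn(self, client: Endpoint) -> int:
        """SYN received; the returned ISN is the SYN-ACK, delivered to `client`."""
        isn = self._isn(client)
        self._pending[client] = isn
        return isn

    def ack(self, client: Endpoint, ack_num: int) -> bool:
        """Final ACK of the handshake; it must acknowledge ISN + 1."""
        isn = self._pending.pop(client, None)
        if isn is None or ack_num != ((isn + 1) & MASK32):
            return False
        self.established.append(client)
        return True


def legitimate_connect(server: Listener, client: Endpoint) -> bool:
    """Normal client: it really receives the SYN-ACK, so it can answer it."""
    isn = server.syn(client)
    return server.ack(client, (isn + 1) & MASK32)


def blind_spoof(server: Listener, attacker_ip: str, trusted_ip: str,
                samples: int = 4) -> bool:
    """Blind spoofing: sample ISNs from the attacker's own address, extrapolate,
    then forge a SYN and an ACK that claim to come from `trusted_ip`."""
    isns = [server.syn((attacker_ip, 40000 + i)) for i in range(samples)]
    deltas = Counter((b - a) & MASK32 for a, b in zip(isns, isns[1:]))
    step, seen = deltas.most_common(1)[0]
    # Only extrapolate when every sampled step was identical.
    guess: Optional[int] = (isns[-1] + step) & MASK32 if seen == samples - 1 else None

    victim: Endpoint = (trusted_ip, 5000)
    server.syn(victim)          # the SYN-ACK goes to trusted_ip; the attacker never sees it
    if guess is None:
        return False            # no consistent pattern: nothing to extrapolate from
    return server.ack(victim, (guess + 1) & MASK32)


if __name__ == "__main__":
    for scheme in ("predictable", "hashed"):
        srv = Listener(scheme)
        print(scheme, "legitimate:", legitimate_connect(srv, ("198.51.100.7", 1234)),
              "blind spoof:", blind_spoof(srv, "198.51.100.7", "203.0.113.5"))
```

Against the predictable generator the forged handshake completes even though the attacker never received a single reply; against the hashed generator the sampled ISNs share no pattern and the guess fails. A real attacker would additionally have to silence the trusted host, which would otherwise reset the unexpected SYN-ACK, a step this model leaves out.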

There is an urgent need to do more in depth research in the field of IP Spoofing and I would try to cover this field in great details in my subsequent posts.

Thursday, May 31, 2012

IP Address Should Not Be The Sole Criterion For Arrest And Conviction


The Indian Approach to Cyber Forensics has not been very encouraging. Despite many claims and promises, Cyber Forensics in India has still not evolved properly. There are very few Law Enforcement Personnel who are aware of Cyber Law and even fewer are those who know about Cyber Forensics.

The Cyber Forensics Capabilities of India are still evolving. Stakeholders like Police, Lawyers, Judges, etc are still not comfortable with Cyber Forensics. In the absence of even basic level Cyber Forensics adoption in India, Cyber Forensics Best Practices have also not evolved in India.

This absence of “Best Practices” and “Cyber Forensics Methodology” in India has resulted in “Improper Use” of Cyber Forensics for Legal, Judicial and Law Enforcement purposes. Even Internet Protocol (IP) Address Tracking has become a mammoth task for Law Enforcement in India.

Tracking of IP Addresses is the “First Step” in Cyber Forensics Investigations. However, IP Tracking must be done with great caution and with good application of mind. A casual IP tracking exercise may not only provide wrong results but can also implicate an innocent person.

Take the example of Lakshmana Kailash K, who was kept in an Indian Jail for 50 days because the Internet Service Provider (ISP) made an “Apparent but very Common Mistake” while providing details of the person who used the IP Address from which the Offence was committed. This is the “Casual Approach” that I have discussed earlier and that should be avoided in all cases. Since there were no “Best Practices” adopted by either the ISP or the Police, this resulted in the imprisonment of an innocent Citizen of India.

Lakshmana was released after spending 50 days in jail, three weeks after the Police claimed to have nabbed the "Real Culprits". There is no doubt that this is a clear example of violation of his Fundamental Rights in general and Human Rights in Cyberspace in particular.

Criticising the Police Investigation Methodology and the ISP’s “Misleading Information” that led to his imprisonment, the State Human Rights Commission ordered the ISP to pay Rs 2 lakh to Lakshmana as Damages. However, this is “Too Little and Too Late”, and the amount cannot offset the ordeal that Lakshmana faced. Now the Information Technology Act, 2000 (IT Act 2000) carries Provisions that can allow the “Victim” to claim “Damages and Compensation” to the tune of Crores of Indian Rupees.

In this background, I am of the Opinion that an IP Address should NOT be the “Sole Criterion” for Arrest and Conviction of an accused. An IP Address is the “Starting Point” and is at most “Corroborative Evidence”; it can never be the “Primary Evidence” on the basis of which a Person can be Arrested and Convicted.

It is the “Forensically Sound Image” of the Hard Disk (preferably a Bit by Bit Image), the IP Address Details, Browser and Internet Logs, the ISP’s Logs pertaining to the particular Cyber Activity, the MAC Address of the Computer, etc. that are “Collectively Relevant and Conclusive” when establishing the “Guilt” of an accused. Further, the guilt of an accused must be “Proved Beyond Reasonable Doubt”, and Arresting and Convicting an accused on the basis of an IP Address alone is not even close to “Proving” guilt, let alone Beyond Reasonable Doubt.

It would be a “Dangerous Trend” to Arrest or Detain suspects on the basis of mere “IP Addresses” or “E-Mail Addresses”, as they are very easy to “Spoof and Forge”. Even MAC Addresses can be changed trivially with standard operating system tools, are visible only on the local network segment and never reach the ISP across the Internet, so they carry little weight on their own, particularly in Identity Theft cases involving wireless connections.

It is important to apply “Common Sense” and first ascertain the “Identity of the Real Culprit”. Of course, it requires considerable Cyber Forensics Expertise to correctly trace the offender. The case of wrongfully arresting Lakshmana and imprisoning him for a considerable time is a glaring example of faulty and novice Cyber Forensics application in India. The inability of the Government of India to meet these conspicuous deficiencies in the Legal Enablement of ICT Systems in India is stifling the growth of Cyber Law and Cyber Forensics in India.

Interestingly, the popular concepts of Indian Criminal Justice System like Establishment of Guilt “Beyond Reasonable Doubt”, “Right to Fair Trial”, Right to Legal Representation, Protection of Privacy Rights etc are simply treated as non-existent in cases of Cyber Crimes and Terrorism related cases.

The requirements of Search and Seizure Warrants for Computers and allied Hardware, Individuals and Places must be as per the Constitutional and Statutory requirements. The lack of Cyber Forensics Expertise in India is resulting in violation of these Constitutional and Statutory provisions. It is high time for Indian Government to give these aspects a “Serious Consideration”.

Tuesday, May 29, 2012

The Basics Of Internet Protocol (IP) Address System


An Internet Protocol (IP) Address is an important aspect not only of the World Wide Web (WWW)/Internet but also of conducting a successful Cyber Forensics Analysis. So it is important to have a basic knowledge of IP Addresses. In this Article I would try to cover the most significant aspects of IP Addresses; a detailed technical analysis is beyond the scope of this Article.

Every Computer that communicates directly on the Internet is allotted a unique public IP Address, and through this IP Address the “Identity” of the Individual may be established. However, there are exceptions. For instance, use of a Proxy Server may not reveal the true IP Address of the Individual. Similarly, IP Address Spoofing may not provide the correct details of the Computer that has been used to send the communication, and, as explained below, many Computers behind a single Router share one public IP Address.

There are two Standards for IP Addresses, i.e. IP Version 4 (IPv4) and IP Version 6 (IPv6). Presently, most Computers use IPv4, but they will soon migrate to IPv6 as IPv4 can no longer cope with the growing demand for IP Addresses.

An IP Address can be either Static or Dynamic. Generally, a Static IP Address is one that your Administrator/ISP allots and that is configured by editing your Computer's Network Settings. It gives a single, constant IP Address that can be readily attributed to the Computer using it.

A Dynamic IP Address is assigned by the Dynamic Host Configuration Protocol (DHCP), a service running on the Network. DHCP typically runs on Network Hardware such as Routers or dedicated DHCP Servers. A Computer using a Dynamic IP Address holds the address only for its “Lease Period”; when the lease expires or the Computer reconnects, it may be allotted a different address, and the old one may be handed to someone else. This is why the exact time of an event (with its time zone) must be recorded alongside the IP Address, or the ISP's logs will point to the wrong subscriber.

A single IP Address may further be shared by different Computers using a “Router”. If you use a Router to share an Internet connection, the Router gets the IP Address issued directly from the ISP. It then creates and manages a Subnet for all the Computers connected to it, performing Network Address Translation (NAT) between the two. The Router holds the External IP Address, and the Computers connected to it get Internal IP Addresses that “Identify” each Individual Computer only within that Subnet; to the ISP and to any remote Server, all of them appear as the Router's single External IP Address.
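
As an added example, not code from the original article, the following models the address sharing just described: two internal Computers reach the same remote Server and the Server sees one public IP Address for both, differing only in the source port. The public address, internal hosts and class name are constructed for this example.

```python
import itertools
from typing import Dict, Optional, Tuple

# Added example: the address sharing a home/office router performs. The public
# address and hosts are constructed documentation-range values.

Flow = Tuple[str, int, str, int]        # inside_ip, inside_port, dst_ip, dst_port


class NatRouter:
    """Port-based NAT: every outbound flow is rewritten to the router's single
    public address and a distinct public port; the mapping is kept so replies
    can be sent back to the right internal host."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self._ports = itertools.count(first_port)
        self._out: Dict[Flow, int] = {}
        self._in: Dict[Tuple[int, str, int], Tuple[str, int]] = {}

    def outbound(self, inside_ip: str, inside_port: int,
                 dst_ip: str, dst_port: int) -> Tuple[str, int]:
        """Rewrite an outgoing packet; return the (src_ip, src_port) the remote server sees."""
        flow = (inside_ip, inside_port, dst_ip, dst_port)
        if flow not in self._out:
            port = next(self._ports)
            self._out[flow] = port
            self._in[(port, dst_ip, dst_port)] = (inside_ip, inside_port)
        return self.public_ip, self._out[flow]

    def inbound(self, src_ip: str, src_port: int,
                public_port: int) -> Optional[Tuple[str, int]]:
        """Map a reply back to the internal host, or None if no such flow exists."""
        return self._in.get((public_port, src_ip, src_port))

    def attribute(self, public_port: int, dst_ip: str,
                  dst_port: int) -> Optional[Tuple[str, int]]:
        """The forensic question: which internal host owned this public port
        towards this destination? Only the router's own table can answer it."""
        return self.inbound(dst_ip, dst_port, public_port)


if __name__ == "__main__":
    router = NatRouter("203.0.113.9")
    seen_a = router.outbound("192.168.1.10", 51000, "198.51.100.20", 80)
    seen_b = router.outbound("192.168.1.11", 51000, "198.51.100.20", 80)
    print("remote server sees:", seen_a, "and", seen_b)
    print("who held port", seen_b[1], "?", router.attribute(seen_b[1], "198.51.100.20", 80))
```

The ISP's records end at the Router's public address. Telling the two internal Computers apart needs the Router's own translation table (which most consumer Routers do not log at all) together with the source port and time of the connection, and most Servers log only the address, not the port.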

The most common places to find IP Addresses are Log Files, the Received header fields of an E-Mail, Tcpdump Traces, etc. In some circumstances only a Host Name may have been recorded; this can be resolved to an IP Address, though the mapping may have changed since the record was made and should be checked against the logs of the time.
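
The Received headers mentioned above are worth a worked example, added here and not part of the original article. A message collects one Received line per mail server it passes through, each added at the top, so the topmost line was written by the receiving server and the bottom-most may have been written (or forged) by the sender. The code extracts the addresses and timestamps from each hop and then works out the last address that a server under the investigator's control actually vouched for. The message and server names are constructed placeholders, and the function names are this example's own.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime
from typing import Dict, Iterable, List, Optional

# Added example: pulling IP addresses out of the Received header chain of an
# e-mail. The message below is constructed for this example; the server names
# and addresses are documentation-range placeholders.

SAMPLE_MESSAGE = """\
Received: from mx.example.net (mx.example.net [192.0.2.10])
\tby mail.example.org with ESMTP id 4Xk8; Tue, 22 May 2012 10:15:02 +0000
Received: from client.example.com (unknown [198.51.100.77])
\tby mx.example.net with ESMTPA; Tue, 22 May 2012 10:14:58 +0000
Received: from trusted-host.example.com ([203.0.113.5])
\tby client.example.com; Tue, 22 May 2012 10:14:50 +0000
From: someone@example.com
To: victim@example.org
Subject: test

body
"""

BRACKET_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
BY_HOST = re.compile(r"\bby\s+([^\s;]+)")


def received_hops(raw_message: str) -> List[Dict[str, Optional[str]]]:
    """One record per Received line, top to bottom: the address the writing
    server saw the message come from, the server that wrote the line, and
    the timestamp it recorded."""
    msg = message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        ip = BRACKET_IP.search(value)
        by = BY_HOST.search(value)
        stamp = value.rsplit(";", 1)[-1].strip()
        try:
            when = parsedate_to_datetime(stamp).isoformat()
        except (TypeError, ValueError):
            when = None
        hops.append({
            "from_ip": ip.group(1) if ip else None,
            "by": by.group(1) if by else None,
            "date": when,
        })
    return hops


def last_trusted_origin(hops: Iterable[Dict[str, Optional[str]]],
                        trusted_servers: Iterable[str]) -> Optional[str]:
    """Walk from the receiving server downward. A hop's 'from' address is
    vouched for only by the server that wrote the line. Stop at the first
    line written by a server we do not control: that line and everything
    below it could have been inserted by the sender."""
    trusted = set(trusted_servers)
    origin = None
    for hop in hops:
        if hop["by"] not in trusted:
            break
        origin = hop["from_ip"]
    return origin


if __name__ == "__main__":
    hops = received_hops(SAMPLE_MESSAGE)
    for h in hops:
        print(h)
    print("origin we can vouch for:",
          last_trusted_origin(hops, {"mail.example.org", "mx.example.net"}))
    print("address the bottom line claims:", hops[-1]["from_ip"])
```

In the sample the bottom line names 203.0.113.5, but it was written by a machine outside the investigator's control and proves nothing; the address that can be attributed with any confidence is 198.51.100.77, the one that the trusted relay mx.example.net recorded as the connecting host. The timestamps are kept because, with dynamically assigned addresses, the ISP can only say who held the address at that moment.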

IP Addresses are the “First Step” in the Cyber Forensics Investigations. However, IP Tracking must be done with great caution and with good application of mind. A casual IP tracking exercise may not only provide wrong results but can also implicate an innocent person.  I would cover these issues in more detail in my subsequent articles.

Tuesday, May 22, 2012

Cyber Forensics And Indian Approach


Cyber Forensics is an area that has not aroused much interest among the Governmental corridors of India. Even the Parliament of India and Indian Judiciary are not very enthusiastic about this much needed Science and Art.

Before I proceed further, it is pertinent to explain the concepts like “Cyber” or “Cyberspace” and “Cyber Forensics” as per my own understanding and with my own personal definitions.

In my opinion the word “Cyber” or “Cyberspace” signifies a “Combination of Information and Communication Technologies (ICT) that includes both Hardware and Software”.

Similarly, according to me the term “Cyber Forensics” means “A Scientific and Forensic analysis of Cyberspace, including its ICT Components, Hardware and Software, conducted in such a manner that the end result is Presentable and Admissible in a Court of Law”.

Another concept that I would like to discuss pertains to Electronic Discovery (E-Discovery). According to me there is a difference between Cyber Forensics and E-Discovery. I believe that Cyber Forensics is a “Wider Concept” than E-Discovery. To put it in other words, Cyber Forensics includes E-Discovery but not vice versa.

For instance, a properly conducted Cyber Forensics Exercise is “Relevant and “Admissible” for all purposes including Litigation purposes. But E-Discovery may not be “Relevant” and “Admissible” while deciding a Criminal Litigation.

Now coming back to the Indian position, Cyber Forensics has not found favour with the Executive, Judiciary, Legislature and Administrative Branches of India. We have no dedicated Cyber Forensics Laws in India. Even the Information Technology Act 2000 (IT Act 2000), which is the Cyber Law of India, does not cover Cyber Forensics. A passing reference to Cyber Forensics may be found in the IT Act 2000, but that is nothing more than a reference with no actual “Utility” as on date.

This “Poor Condition” of Cyber Forensics in India is attributable to many factors. Firstly, we have no Legal Enablement of ICT Systems in India. Concepts like E-Courts, Online Dispute Resolution (ODR), etc. are still missing in India. Secondly, the ICT Policies and Strategies of India are “Defective” and do not cater to the requirements of Cyber Law, Cyber Security, Cyber Forensics, etc. Thirdly, the Parliament of India is not “Comfortable” with ICT related issues. If Parliament itself is not aware of Techno Legal Concepts like Cyber Law, Cyber Security, Cyber Forensics, etc., not much development can take place.

I personally believe that Cyber Law of India should be repealed and a more comprehensive Cyber Law must be enacted. Similarly we need “Dedicated Laws” for Cyber Security and Cyber Forensics in India.

In my subsequent posts, I would try to cover every possible aspect of Cyber Forensics that is applicable to India and World Wide. Perry4Law and Perry4Law Techno Legal Base (PTLB) believe that this Blog would prove useful to all Stakeholders.