Synopsis

Hacking: Its Different Modes and Legal Consequences

Introduction

Review of literature

Research methodology

Hacking In India

Different Modes of Hacking

Ethical Hacking

Laws on Hacking and its legal consequences In India

International law related to hacking as cyber crime


Introduction

In today’s world, most people see hacking as unauthorized access into computer systems and
networks. Initially, hacking was all about studying programming languages and computer
systems with the hope of creating new innovations and program code to solve problems. It
was a kind of tinkering in which people engaged in order to produce something new. It was
about understanding computers thoroughly and making innovations and technological
breakthroughs. Ethical hacking is not about breaking laws. Ethical hacking is authorized and
therefore aligns with regulations. In today’s world, some nerds indulge in malicious hacking.
They identify weaknesses in computer systems and gain access to them by exploiting those
weaknesses. This unauthorized hacking is carried out by malicious hackers. The malicious
hackers are threat agents who engage in hacking based on motivation, opportunity and
capability. The threat agents (hackers) engage in hacking because they have the capability or
power to hack: they have hacking tools, they are very skilled, and they can carry out a threat.
The threat agents also act based on motivation. The hackers carry out threats based on
different motives. The motivation could be gain, power, revenge, curiosity or politics. The
motive behind their actions could also be terrorism, religion, etc.

In the era of computers, our life oscillates between cyber threats and cyber security. Hacking
is the sour reality of this era, wherein an unauthorized person enters a computer or a
network by using his computer knowledge and skills. It is done to cause wrongful loss to
others; the person who indulges in such activity is called a hacker, black hat hacker or
cracker.

Hacking in India

India is ranked third among the countries facing the highest number of cyber threats, as per
security software firm Symantec. The same research also ranked India second in terms of
targeted attacks.

“India emerged as the third most vulnerable country in terms of risk of cyber threats, such as
malware, spam and ransomware, in 2017, moving up one place over previous year, according
to a report by security solutions provider Symantec. In 2017, 5.09% of global threats detected
were in India, slightly less than 5.11% in 2016. The U.S. (26.61%) was most vulnerable to
such attacks, followed by China (10.95%), according to ‘Internet Security Threat Report’.

The global threat ranking is based on eight metrics — malware, spam, phishing, bots,
network attacks, web attacks, ransomware and cryptominers. As per the report, India
continues to be second most impacted by spam and bots, third most impacted by network
attacks, and fourth most impacted by ransomware.

The report also pointed out that with the threat landscape becoming more diverse, attackers
are working harder to discover new avenues of attack and cover their tracks while doing so.”1

As the country progresses towards a digital age where everything would be available with the
click of a button, the threat of data and private information being stolen has constantly been
disturbing. It is ironical to see that the most trusted source of information and a store for data
can turn out to be a wide platform for some to steal information. The Information and
Technology Act, 2000 (IT Act) covers all types of cyber crime committed in the country
including hacking.

The invention of the computer has made human life easier; it has been used for various
purposes, from the individual to large organizations across the globe. In simple terms, we
can define a computer as a machine that can store and manipulate/process information or
instructions given by the user. Most computer users have been utilizing the computer for
erroneous purposes, either for their personal benefit or for others’ benefit, for decades.
This gave birth to “Cyber Crime”. This has led to engagement in activities which are
illegal to society. We can define Cyber Crime as crimes committed using computers
or computer networks, which usually take place over cyber space, especially the Internet2,
and hacking is one form of cyber crime. The UN’s General Assembly recommended the
first IT Act of India, which was based on the “United Nations Model Law on Electronic
Commerce” (UNCITRAL) Model3.

1
5 April 2018 www.thehindu.com/news/national/india-third-most-vulnerable-country-to-cyber-threats/article
2
https://www.tutorialspoint.com/information_security_cyber_law/introduction.htm
3
http://www.academia.edu/7781826/IMPACT_OF_SOCIAL_MEDIA_ON_SOCIETY_and_CYBER_LAW

Different Modes of Hacking

Website Hacking 4

Hacking a website means taking control of the website away from its owner and giving it to
the person who hacks the website.

Network Hacking 5

Network hacking generally means gathering information about a domain by using tools
like Telnet, nslookup, Ping, Tracert, Netstat, etc. over the network.

Ethical Hacking

Ethical hacking is where a person hacks to find weaknesses in a system and then usually
patches them.

Email Hacking

Email hacking is illicit access to an email account or email correspondence.

Password Hacking

Password cracking is the process of recovering secret passwords from
data that has been stored in or transmitted by a computer system.

Online Banking Hacking6

Unauthorized access to bank accounts without knowing the
password or without the permission of the account holder is known as online banking hacking.

Computer Hacking

Computer Hacking is when files on your computer are viewed, created, or edited without
your authorization.

4
23 Nov 2013 https://www.slideshare.net/sairanisakoji/hacking-its-types
5
ibid
6
ibid

Types of Hackers7

White hat: A hacker who gains access to systems with a view to fixing the identified
weaknesses. They may also perform penetration testing and vulnerability assessments.

Black hat: A hacker who gains unauthorized access to computer systems for personal gain.
The intent is usually to steal corporate data, violate privacy rights, transfer funds from bank
accounts, etc.

Grey hat: A hacker who is in between ethical and black hat hackers. He/she breaks into
computer systems without authority with a view to identifying weaknesses and revealing them
to the system owner.

Hacktivist: A hacker who uses hacking to send social, religious, political, etc. messages.
This is usually done by hijacking websites and leaving the message on the hijacked website.

Types of Cybercrime via Hacking

• Computer Fraud: Intentional deception for personal gain via the use of computer
systems.
• Privacy violation: Exposing personal information such as email addresses, phone
numbers, account details, etc. on social media, websites, etc.
• Identity Theft: Stealing personal information from somebody and impersonating that
person.
• Sharing copyrighted files/information: This involves distributing copyright-protected
files such as eBooks and computer programs.
• Electronic funds transfer: This involves gaining unauthorized access to bank
computer networks and making illegal fund transfers.
• Electronic money laundering: This involves the use of the computer to launder money.
• ATM Fraud: This involves intercepting ATM card details such as account numbers and
PINs. These details are then used to withdraw funds from the intercepted
accounts.
• Denial of Service Attacks: This involves the use of computers in multiple locations to
attack servers with a view to shutting them down.
• Spam: Sending unauthorized emails. These emails usually contain advertisements.

7
2011 http://www.ripublication.com/ijepa.htm

Ethical hacking8

As diamond cuts diamond, ethical hacking is a pre-emptive action for hacking and the person
who performs it is called an ethical hacker. Theoretically, both are the same because the
underlying principle in both is to intrude upon the computer data of another but the
difference lies in the intention and permission. Black hat hackers intrude with bad intention
and without permission whereas white hat hackers work with authorization and good
intention. Before going into the legality of ethical hacking, we have to keep in mind that
hacking and ethical hacking are different. Hacking is a wrongful act under the Indian legal
system. Although ethical hacking is not so prevalent in India yet, it is an evolving profession.
There are various institutes and colleges in different cities of India which offer courses in
ethical hacking. India emerged as the third most vulnerable country in terms of risk of cyber
threats, such as malware, spam, and ransomware, in 2017, moving up one place over the
previous year, according to a report by security solutions provider Symantec.

Although Indian laws do not specifically deal with ethical hacking, hacking is a
punishable offense in India. The act of hacking contravenes the underlying principles of
the Indian legal system. The subject of ethical hacking has not been dealt with explicitly in
Indian laws; therefore, it enjoys neutral status under the Indian legal system.

Ethical hacking is identifying weaknesses in computer systems and/or computer networks and
coming up with countermeasures that protect the weaknesses. Ethical hackers must abide by the
following rules.

• Get written permission from the owner of the computer system and/or computer
network before hacking.
• Protect the privacy of the organization being hacked.
• Transparently report all the identified weaknesses in the computer system to the
organization.
• Inform hardware and software vendors of the identified weaknesses.

8
26 January 2018 www.iosrjournals.org

Laws on Hacking and its legal consequences In India

Section 43 and section 66⁹ of the IT Act cover the civil and criminal offenses of data theft or
hacking respectively.

Under section 43, a simple civil offense, a person who without permission of the owner
accesses the computer and extracts any data or damages the data contained therein comes
under civil liability. The cracker shall be liable to pay compensation to the affected people.
Under the ITA 2000, the maximum cap for compensation was fixed at Rs. one crore.
However, in the amendment made in 2008, this ceiling was removed. Section 43A was added
in the amendment in 2008 to include corporate shed where the employees stole information
from the secret files of the company.

Section 66B¹⁰ covers punishment for receiving a stolen computer resource or information. The
punishment includes imprisonment for one year or a fine of rupees one lakh or both. Mens
rea is an important ingredient under section 66A. Intention or knowledge to cause
wrongful loss to others, i.e. the existence of criminal intention and the evil mind (the concept
of mens rea), and destruction, deletion, alteration or diminishing in value or utility of data are
all the major ingredients to bring any act under this Section.

The jurisdiction of a case under cyber laws is mostly disputed. Cyber crime does not happen in
a particular territory. It is geography-less and borderless, so it gets very difficult to determine
the jurisdiction under which the case has to be filed. Suppose a person works from multiple
places and his data gets stolen from one city while he resides in some other city; there will be a
dispute as to where the complaint should be filed.

Essentials

Intention: whoever with a malicious intention breaks into the computer of another to tamper
with or steal the data or destroy it has a wrong intention.

A wrongful act, damage to the data, or an attempt to diminish the value of the data will be
covered under hacking.

9
Information Technology Act 2000
10
Ibid

International law related to hacking as cyber crime

Cyber crime is becoming ever more serious. Findings from the 2002 Computer Crime and
Security Survey show an upward trend that demonstrates a need for a timely review of
existing approaches to fighting this new phenomenon in the information age. In this paper,
we provide an overview of cybercrime and present an international perspective on fighting
cybercrime. We review the current status of fighting cybercrime in different countries, which
rely on legal, organizational, and technological approaches, and recommend four directions
for governments, lawmakers, intelligence and law enforcement agencies, and researchers to
combat cybercrime.

In the United States, to protect the interests of internet businesses, the U.S.
Congress has created new laws to regulate activities on the internet. With the first digital
signature law in the world, the U.S. has established a number of regulations on cybercrime,
such as the “National Infrastructure Protection Act of 1996”, the “Cyberspace Electronic
Security Act of 1999” and the “Patriot Act of 2001”. In addition, a number of agencies have
been set up in the U.S. to fight against cybercrime, including the FBI, National Infrastructure
Protection Center, National White Collar Center, Computer Hacking and Intellectual
Property Unit of the DoJ, and so on. The FBI has set up special technical units and developed
Carnivore.

In England, two cybercrime-related Acts have been passed by the British
Parliament: the Data Protection Act of 1984 and the Computer Misuse Act of 1990. The
former deals with the actual procurement and use of personal data, while the latter defines the
laws, procedures and penalties surrounding unauthorized entry into computers. The British
government has applied technologies of filtering and rating to protect minors from
inappropriate material on the Web.

In Canada, in 2001 the Canadian Parliament passed the
Criminal Law Amendment Act, which has two sections. The first section defines unlawful entry
into a computer system and interception of transmissions. The second section criminalizes
the actual destruction, alteration, or interruption of data.

The Kenya Communications
(Amendment) Act was passed by the Kenyan Parliament and signed into law by the President
on January 2. The Act includes legislation on cybercrime in Sections 83 W-Z and 84 A-F on:
unauthorized access to computer data, access with intent to commit offences, unauthorized
access to and interception of computer service, unauthorized modification of computer
material, damaging or denying access to computer system, unauthorized disclosure of
passwords, unlawful possession of devices and data, electronic fraud, tampering with
computer source documents, and publishing of obscene information in electronic form.

In Norway, a Bill on a new Criminal Law (2008-2009) has in 202 introduced a provision on
identity theft, using the term Identity Infringements, that reads as follows: “With a fine or
imprisonment not exceeding 2 years shall whoever be punished, that without authority
possesses of a means of identity of another, or acts with the identity of another or with an
identity that easily may be confused with the identity of another person, with the intent of a)
procuring an economic benefit for oneself or for another person, or b) causing a loss of
property or inconvenience to another person.” The Norwegian Parliament has on May 28
adopted the New Penal Code, including several provisions on cybercrime.

Cyber law in the United Kingdom: The Police and Justice Act 2006 Chapter 48 declares the
amendments of the Computer Misuse Act 1990, Part 5 sections 35 to 38. The new amendments
came into force on October 1, 2008.

In China, many cybercrime issues are covered in laws and
regulations that refer to Internet-related crimes. The two most important organizations
responsible for internal and external security are the Public Security Bureau (PSB),
responsible for internal security, and the Ministry of State Security (MSS), which handles
external security. The responsibilities of the Public Security Bureau (PSB) are formally
codified in “Computer Information Network and Internet Security, Protection and
Management Regulations”, approved by the State Council, December 11, 1997, and
published December 30, 1997. Article 285 says whoever violates state regulations and
intrudes into computer systems with information concerning state affairs, construction of
defense facilities, and sophisticated science and technology is to be sentenced to not more than
three years of fixed-term imprisonment or criminal detention. Article 286 says whoever
violates state regulations and deletes, alters, adds, and interferes in computer information
systems, causing abnormal operations of the systems and grave consequences, is to be
sentenced to not more than five years of fixed-term imprisonment or criminal detention;
when the consequences are particularly serious, the sentence is to be not less than five years
of fixed-term imprisonment. Whoever violates state regulations and deletes, alters, or adds
the data or application programs installed in or processed and transmitted by the computer
systems, and causes grave consequences, is to be punished according to the preceding
paragraph. Whoever deliberately creates and propagates computer viruses and other programs
which sabotage the normal operation of the computer system and cause grave consequences
is to be punished according to the first paragraph. Article 287 says whoever uses a computer
for financial fraud, theft, corruption, misappropriation of public funds, stealing state secrets,
or other crimes is to be convicted and punished according to relevant regulations of this law.

Many countries find themselves unable to tackle cracking and cyber-crimes because of lack
of resources and ambiguous legislation, resulting in repeat-offending because of lack of
deterrence. Therefore, to cover such loopholes I propose that countries assist each other in
dealing with aspects related to cybercrimes. With mutual international co-operation a
Cyberspace Assistance & Regulatory Authority (C.A.R.A.) should be established under the
aegis of United Nations. The reason why U.N. should initiate such an establishment is
because of its universal character. It should have the leading role in inter-governmental
activities for the functioning and protection of cyberspace so that it is not abused or exploited
by criminals, terrorists and states for aggressive purposes.11 The C.A.R.A. shall derive its
enforcement and functionary powers through the convention. The primary objectives that it
seeks to achieve are: (a) Achieving a comprehensive consensus on Law of cyberspace. (b)
Advance the harmonisation of National cybercrime laws through Model prescription. (c)
Establish procedure for international co-operation and mutual assistance. (d) Facilitate
information exchange between member countries with a careful view to not violate privacy
rights. (e) Assist those member countries which lack adequate resources with the help of
technology transfer agreements.
