O/S and Microsoft want to improve Cybercrime reporting

The House of Lords Science and Technology Committee, currently investigating personal Internet security, were told this week that the public face real difficulties in reporting internet based crime. Representatives of Microsoft and members of the open source community agreed that police lack the skills and expertise to deal effectively with cases of internet crime that are brought to them.

Jerry Fishenden, National Technology Officer for Microsoft UK pointed out that reporting cyber crime is extremely difficult and the public are confused as to how they should go about it. He said:

“We believe it is necessary to have as easy a reporting mechanism as possible so that when people are victims of cyber-crime or attempted cyber-crime there is a streamlined reporting structure and ideally one body with responsibility for receiving those complaints and having appropriate resources to investigate and potentially initiate prosecutions where appropriate.

“My understanding is that the United States does have a single point of reporting established by the FBI back in the late 1990s, the Internet Crime Complaints Centre, which takes some 10,000 plus complaints a year and has the authority and resources to actually look into those complaints….Establishing that type of scheme, as happened in the States, would also enable us to get a much better grip on the scale of the problem in the UK.

“If I walked in to a police station tomorrow to report an on-line phishing attack, would it be treated in the same way as an attempted pick-pocketing? Is that a model we want to move to or do we want to have cyber-crime handled at the centre?”

Alan Cox, called to give evidence on behalf of the open source community, appeared to echo that sentiment:

“If you walk up to the desk sergeant at a typical police station…he does not understand the problems (and why should he) and there is nowhere else to go.

“We need something which deals with electronic crime and computers, either an understanding in police stations or we need a central contact point.”

Mr Fishenden also commented that he would like to see more done to tackle the threat to Internet users’ security posed by spam:

“One of the things that would be clearer would be if a spammer is found guilty you can have a clear set of damages set down in the law. For example, you have got the US legislation which gives you the concept of statutory damages in this instance, so you have a per-spam fine which can be held against the spammer. That would, I think, act as a very considerable deterrent against spammers.”

Mr Fishenden was asked if Microsoft were more concerned with establishing market dominance by rushing out operating systems rather than ensuring their security. Mr Fishenden denied this:

“I guess I would take almost the opposite view, we have been waiting five years for Windows Vista. I certainly do not think it is true that we have been rushing out new operating systems without due account of security.”

Asked about the different levels of security offered by open and closed source software Adam Laurie, director of The Bunker, a secure hosting data centre, said:

“From an open source perspective we believe that [open source] is more secure because it is subject to more scrutiny and peer review and so on. You can look at the code yourself and see if it is secure or not.

“The other issue with closed source is there are often commercial factors involved in whether or not they release security information or fix a problem. If they believe that they are the only people who know that there is this particular security problem they may choose to do some damage limitation or not to admit to the problem because it will damage their image too much.

“The open source world has no such limitations because we do not care, we have no liability, so as soon as an issue comes to light we will publish, and usually that will be within hours of problem coming to light.”

Mr Laurie also raised concerns about the security of biometric data held on passports, which will also form a key element of the government’s proposed ID cards. He said:

“One of the main things that concerns me the most (is) the reliance on biometrics. Single centralised databases of personal information – the more that we gather this stuff together in one place the more vulnerable we make ourselves and the easier we make it for people to take our identities.”

Mr Laurie, went on to describe the way biometric keys such as finger prints can be duplicated and raised concerns about the inertia amongst the security industry in admitting biometrics were not a failsafe solution:

“If you spend millions on systems that say biometrics are foolproof and we are going to use these biometrics to prove our identities and we have spent lots of money on it and it is foolproof, that causes a real problem for somebody caught up in the system when their identity has been spoofed. How do I convince this huge industry that they have got it wrong?”