Monday, December 07, 2009

Time for national steps to tackle cybercrime

The Irish Times has a good report of the recent IRISS Conference on Cybercrime. The comments of Paul Gillen were particularly interesting:
Det Insp Paul Gillen, head of the Garda computer crime investigation unit, said he was very concerned about the possibility of distributed denial-of-service attacks against Irish sites.

"I’m scared that Ireland will suffer what Estonia suffered," he said, referring to incidents in April and May 2007 when many Estonian government websites and critical systems were taken offline. "Ireland’s capability to react to something like that would worry me," said Det Insp Gillen...

Despite newspaper reports and regular warnings from banks, the phishing problem has got worse, added Det Insp Gillen. "We still have people who are willing to sit down and give their user name and password and are willing to write 100 PIN numbers from a code card that the bank gave them – and then they’ll go back to check they’re the right ones," he said. "Somewhere along the way, we’re obviously failing at getting the information out to the general public to make them more aware of hi-tech crime."

According to Det Insp Gillen, phishing scams usually happen in four stages: the hack is performed to infiltrate a person’s PC and steal their login details, or else the victim is tricked into revealing their pass codes by an e-mail that seems to have been sent by their bank. Criminals then gain access to the person’s bank account over the internet and use the codes to transfer money to an account in another part of the country.

Gangs then use "money mules" – other people who withdraw funds from ATMs. "The money mule is the first person to raise their head above the trench to have the back of their collar grabbed," said Det Insp Gillen, who said gardaí have had some success stopping this.

"Everyone in this structure receives a percentage of the take in the crime," he said. "We’re dealing with highly organised crime here. The only way we’re in a position to deal with it is if IT security professionals, academics, law enforcement and a Cert join into a community to develop a task force, because everyone has information that could be a piece of evidence."
So what is currently being done to deal with the problems identified at the conference?

One promising development took place in August when the Minister for Communications announced that a report outlining a national cyber security strategy would be in place by the end of the year. (According to the Press Office in Communications, the report is currently being finalised.)

On the legislative front, however, the picture is gloomier. Irish law still has no general offence to deal with denial-of-service attacks (PDF) or online interception, and implementation of the Cybercrime Convention and the Framework Decision on Attacks Against Information Systems is long overdue.

There is a Criminal Justice (Cybercrime and Attacks against Information Systems) Bill on the legislative agenda - but there's no date given for when we might see a draft. Given that we were initially promised implementing legislation in 2003 (PDF, p.25) and again in 2006, one might be forgiven for being sceptical as to whether any reform of the law relating to cybercrime will take place in the lifetime of this Government.
