ebook img

Personal Internet Security - United Kingdom Parliament PDF

449 Pages·2007·3.67 MB·English
by  
Save to my drive
Quick download
Download
Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.

Preview Personal Internet Security - United Kingdom Parliament

HOUSE OF LORDS Science and Technology Committee 5th Report of Session 2006–07 Personal Internet Security Volume II: Evidence Ordered to be printed 24 July 2007 and published 10 August 2007 Published by the Authority of the House of Lords London : The Stationery Office Limited £price HL Paper 165–II CONTENTS Oral Evidence Mr David Hendon, CBE, and Mr Geoff Smith (Department of Trade and Industry—DTI); Mr Tim Wright and Mr Stephen Webb (Home Office) Written Evidence from the Home Office and the DTI 1 Oral Evidence (29 November 2006) 11 Supplementary Evidence from the Home Office 27 Mr Colin Wittaker and Ms Sandra Quinn (APACS); Mr Matthew Pemble (Royal Bank of Scotland); Ms Sandra Alzetta and Mr Robert Littas (VISA) Written Evidence from APACS 28 Written Evidence from VISA Europe 35 Oral Evidence (13 December 2006) 40 Mr Philip Robinson and Mr Rob Gruppetta (Financial Services Authority) Written Evidence from the Financial Services Authority 53 Oral Evidence (13 December 2006) 56 Mr Jim Gamble and Ms Sharon Girling (Child Exploitation and On-Line Protection Centre); Mr Tim Wright (Home Office) Oral Evidence (10 January 2007) 65 Supplementary Evidence from Mr Gamble 77 Supplementary Evidence from Mr Gamble 78 Mr John Carr (Children’s Charities’ Coalition on Internet Safety—CHIS) Written Evidence from CHIS 81 Oral Evidence (10 January 2007) 84 Mr Jerry Fishenden and Mr Matt Lambert (Microsoft) Written Evidence from Microsoft 89 Oral Evidence (17 January 2007) 99 Mr Alan Cox; Mr Adam Laurie Written Evidence from Mr Cox 110 Written Evidence from Mr Laurie 112 Oral Evidence (17 January 2007) 116 Mr Nicholas Bohm (The Law Society); Professor Ian Walden (Society for Computers and Law); Mr Phil Jones (Information Commissioner’s Office) Written Evidence from the Society for Computers and Law 124 Written Evidence from the Information Commissioner’s Office 131 Oral Evidence (24 January 2007) 131 Mr Mike Haley (Office of Fair Trading); Mr Phil Jones (Information Commissioner’s Office) Oral Evidence (24 January 2007) 143 Mr Roy Isbell and Mr Ilias Chantzos (Symantec); Mr Mark Sunner and Mr Paul Wood (MessageLabs) Written Evidence from Symantec 149 Written Evidence from MessageLabs 154 Oral Evidence (31 January 2007) 159 Supplementary Evidence from Symnatec 174 Mr Bruce Schneier Oral Evidence (21 February 2007) 175 Mr Garreth Griffith and Mr Alasdair McGowan (eBay UK Ltd); Mr Michael Barrett (PayPal); Mr Jeremy Beale (Confederation of British Industry—CBI) Written Evidence from eBay UK Ltd 185 Written Evidence from CBI 190 Oral Evidence (21 February 2007) 195 Professor Ross Anderson (Foundation for Information Policy Research—FIPR); Professor Mark Handley Written Evidence from FIPR 209 Oral Evidence (28 February 2007) 213 Supplementary Evidence from Professor Anderson 231 Ms Camille de Stempel, Mr Matthew Henton and Mr James Blessing (Internet Services Providers’ Association—ISPA); Mr John Souter and Mr Malcolm Hutty (London Internet Exchange—LINX) Written Evidence from ISPA 233 Written Evidence from LINX 237 Oral Evidence (14 March 2007) 237 Mr Kim Thesiger (Internet Telephony Services Providers’ Association—ITSPA) Written Evidence from ITSPA 250 Oral Evidence (14 March 2007) 253 Ms Margaret Hodge MP, Minister of State for Industry and the Regions and Mr Geoff Smith (DTI); Mr Vernon Coaker MP and Mr Stephen Webb (Home Office) Oral Evidence (28 March 2007) 257 Supplementary Evidence from the DTI 275 Supplementary Evidence from the Home Office 277 Mr Achim Klabunde, Mr Merjin Schik, Ms Margareta Traung, Ms Zinaida Yudina, Mr Andrea Servida and Mr Rogier Holla (Directorate-General for Information Society and Media, European Commission) Oral Evidence (17 April 2007) 279 Commissioner Viviane Reding (Directorate-General for Information Society and Media, European Commission) Oral Evidence (17 April 2007) 288 Professor Jonathan Zittraine; Mr Andrew Cormack (UKERNA) Written Evidence from Professor Zittraine 295 Written Evidence from UKERNA 298 Oral Evidence (18 April 2007) 299 Supplementary Evidence from Mr Cormack 311 Mr Tim Suter, Mr Ben Willis and Mr Jeremy Oliver (Ofcom) Written Evidence from Ofcom 311 Oral Evidence (18 April 2007) 313 Supplementary Evidence from Ofcom 319 Supplementary Evidence from Ofcom 320 Commander Sue Wilkinson (Metropolitan Police Service); Mr Bill Hughes and Ms Sharon Lemon (Serious Organised Crime Agency—SOCA) Oral Evidence (25 April 2007) 327 Written Evidence AOL 345 Apache 349 The British Computer Society 351 BT 358 Mr Duncan Campbell 363 Mr Duncan Campbell 364 East Midlands Broadband Consortium 365 EURIM 368 Federation of Small Businesses 376 Mr Michael Forster 377 Professor Steven Furnell and Dr Andy Phippen 380 Hewlett Packard 385 Mr Nick Hubbard 388 Ilkley Computer Club 392 Institute for the Management of Information Systems 393 Institute of Information Security Professionals 395 National Computing Centre 396 National Education Network 403 Mr Paul O’Nolan 407 Orange UK 409 PAOGA 411 ReadyTechnology 415 Research Councils UK 420 Royal Academy of Engineering 426 Secure Trading 430 Ms Margaret Smith 433 THUS 435 Mr Brian Tompsett 438 Mr Paul Winstone 439 Note: The Report of the Committee is published in Volume I (HL Paper 165-I). 3693461001 Page Type [Ex 1] 30-07-07 15:07:23 Pag Table: LOENEW PPSysB Unit: PAG1 Minutes of Evidence TAKEN BEFORE THE SELECT COMMITTEE ON SCIENCE AND TECHNOLOGY (SUB-COMMITTEE II) WEDNESDAY 29 NOVEMBER 2006 Present Broers, L (Chairman) Sharp of Guildford, B Howie of Troon, L Sutherland of Houndwood, L O’Neill of Clackmannan, L Young of Graffham, L Patel, L Memorandum by the Government (Home Office and the Department of Trade and Industry) Security issues affecting private individuals when using communicating computer-based devices, either connecting directly to the Internet or employing other forms of inter-connectivity Summary The Introduction sets out our approach to the written evidence and highlights some of the key issues around security issues aVecting private individuals when using the Internet. In Section 1, we define what we know about the problem of security threats to private individuals by discussing the emergence of virtual organised crime groups who are organised and operate exclusively via the Internet. We highlight some of the methods used by the groups to exploit the Internet and give some statistics to demonstrate the scale of the problem. We end this section by discussing research which suggests that users do not understand the nature of online threats. In Section 2, we discuss how we are currently tackling the problem of security issues aVecting private individuals. We highlight the potential concerns/trade-oVs. We detail some of the positive work being done via public and private initiatives, such as Get Safe Online (GSOL), to raise awareness of the risks online. GSOL brings together government, industry and law enforcement to give people advice, guidance and the tools they need to be safe online. We highlight the importance of national and international co-operation to the threats and the Serious Organised Crime Agency (SOCA)’s role in ensuring this. We discuss how software and hardware can play a fundamental role in reducing the risk of security breaches, but caveat this by pointing out that technical solutions alone will not work. We end this section by highlighting a new initiative to improve the standing of UK research in this area. In Section 3, we look at the issue of IT governance and regulation. In terms of IT governance, we discuss initiatives that both industry and government are undertaking that appear to be impacting on the security threat. We discuss how security breaches that take place in this country can be instigated in another jurisdiction and the global nature of this issue. We therefore draw attention to some of the work being done internationally to ensure international law enforcement co-operation. When looking at regulations we discuss the fact that the regulatory framework is a mixture of international, EU, UK and industry regulations, which means that at times enforcing these can be challenging. We stress that over-regulation could aVect our ability to create and maintain a flexible framework that keeps abreast of industry changes and could impact on the ability to provide innovative services and products. We end this section by discussing how cost and funding, timely assessments, technical ability and end use of systems are the main barriers to developing security systems and standards. We briefly discuss how these problems can be overcome. In Section 4, we look at crime prevention. We highlight the various activities through which the Government delivers crime prevention and discuss some of the current changes to legislation which will ensure that UK criminal law continues to meet the challenge of e-crime. We end this section by giving a flavour of the international actions on e-crime. 3693461001 Page Type [E] 30-07-07 15:07:23 Pag Table: LOENEW PPSysB Unit: PAG1 2 personal internet security: evidence 29 November 2006 Introduction The Government is working collaboratively to protect private individuals from Internet security threats. Reflecting this joined up approach, this evidence is submitted by Home OYce and DTI Ministers and encompasses work being undertaken by the key Departments and Agencies. These are: — Home OYce—responsible for public protection, including in this context policy on criminal law and policing; — the Department of Trade and Industry (DTI) responsible for promoting the business and consumer benefits of the information age and the regulatory framework for service providers; — the Serious Organised Crime Agency (SOCA), an intelligence-led agency with law enforcement powers, created to reduce the harm caused by organised crime to the UK; and — the Cabinet OYce responsible for the co-ordination of security policy overall and the delivery of the Government’s information assurance strategy. Together, the eVorts of these Departments and Agencies should help to create a culture of security online which maximises the benefits of using the internet, minimises the risks and tackles organised crime’s exploitation of it. This submission also recognises that changing the way in which individuals think about and use the Internet is a challenge, and Government, users and industry, all have a role to play. We therefore discuss the ways in which we work to ensure we deliver the right combination of informed users, appropriate regulation and relevant technology to promote a culture of security. We appreciate that without all three there is a danger that individuals will not understand and address the risks and that industry will put innovation above safety. This submission also seeks to demonstrate how we actively support awareness raising through joint industry/government projects such as the Get Safe On Line initiative. This submission deals only with security issues in the sense of users’ control of their technology or their personal information being compromised, rather than wider internet safety issues such as child protection or content regulation where there are many developments and a strong track record of Government and industry working together to develop self-regulatory solutions to issues like illegal images of child abuse. For consistency, we describe this as “e-crime”. Section 1: Defining the Problem 1. What is the nature of the security threat to private individuals? What new threats and trends are emerging and how are they identified? The last 3–4 years has seen the emergence of virtual organised crime groups (OCGs) who are organised and operate exclusively via the Internet. Their membership is geographically dispersed and multinational. Their main goal is the exploitation of the Internet to steal personal data and identity information (commonly called “identity theft”) to facilitate fraud. These groups are growing in size, number and sophistication. The UK has attracted the attention of these organised crime groups because of its relative aZuence and speed of adoption of the Internet by individuals to buy goods and services online. There are 17 million Internet bank accounts in the UK and over £20 billion was spent online last year by UK customers. Attacking English-speaking countries may also pose fewer linguistic challenges than similar attacks on, for example, Japan. These groups seek to compromise the integrity of personal data using a variety of methods, targeting both individuals and enterprises which hold customer records. Attacks against individuals can be considered in two main categories: malicious software and “social engineering”. Malicious software attacks are used to compromise home and small business machines. Once infected the malicious code is used to “harvest” personal data while the user is online. “Social engineering” refers to attacks, typically aimed at home users, which are intended to trick individuals into revealing sensitive personal information, such as bank login data and credit card details. 3693461001 Page Type [O] 30-07-07 15:07:23 Pag Table: LOENEW PPSysB Unit: PAG1 personal internet security: evidence 3 29 November 2006 In the past, attacks have tended to be large-scale and as a result attracted a higher profile. This tended to limit their eVectiveness, because users were more likely to become aware of the threat and update their anti-virus software, and because their high rate of incidence made them more readily detectable by anti- virus companies. Attack patterns appear to be changing—malicious software is now typically distributed on a smaller scale, making it harder to detect. The software has become more sophisticated, and is often designed to disable or evade anti-virus systems, work in a phased approach to open back doors to systems and, increasingly, embed itself in the operating system to avoid detection. Some aspects of online behaviour are inherently more risky than others: “unoYcial” file sharing sites oVering music or video files are often used to mount malicious software attacks. Pirated software applications are inherently riskier than licensed versions and obviously more diYcult to keep their security features up to date. Criminals are also targeting corporate networks to steal information, usually financial data, held on customer databases. Targets include e-Commerce sites, credit reference agencies and third party card processing agencies. Successful hacking attacks on these types of firm can yield huge amounts of personal information that can then be exploited by fraudsters. Globally, the worst reported incident is last year’s hack of CardSystems Inc, a US credit/debit card processing company which resulted in the compromise of 40 million credit card accounts, with fraud confirmed on a minimum of 250,000 accounts. Although fraudulent transactions can be readily identified by banks and other financial institutions, it is diYcult to assess what percentage of fraudulent activity is directly attributable to Internet attacks, as the exploitation of the Internet is one of several avenues used to obtain personal information. However, the financial services industry has made significant progress in identifying Internet attacks while they are underway, making eVective mitigating action a realistic prospect in more situations than previously. 2. What is the scale of the problem? There are many varying statistics referring to the scale of the problem. For example: — one in every 52 emails in January and one in 28 emails in June 2005 were aVected with malicious content (IBM); — in 2004, total losses from online banking fraud were recorded for the first time and reached £12.2 million (APACS 2005). In 2005, online banking fraud grew to £23.3 million, an increase of 90 per cent from 2004; — when asked which of a series of crimes individuals felt most at risk of in their everyday lives, 21 per cent identified Internet crime (higher than burglary 16 per cent, mugging 11 per cent or 1 car theft 8 per cent) (GSOL survey Oct 2006); — the 2003–04 British Crime Survey found that 27 per cent of adults who used the Internet at home reported their computer had been aVected by a virus (a third of those reported the computer had been damaged) in the previous 12 months. Two per cent of adults who used the Internet at home reported their computer had been accessed or files hacked into on their home computer in the 2 previous 12 months. These statistics must be set against the increasing level of transactional usage of the Internet by the general public and small businesses: — the UK is now one of the leading e-commerce economies in the world. The volume of online card payments has increased five-fold over the last five years, reaching 310 million for a total of £22 billion. This accounts for five per cent of all personal card payments. There are over 17 million Internet bank accounts in the UK; and — more than 50 per cent of small businesses conduct transactions over the Internet on a regular basis (APACs September 05). It should be noted that we are also seeing a significant shift in the Internet being used socially. A recent statistic from the IMRG (Interactive Media in Retail Group) indicates that the average web user spends more time online than watching television. Broadband “chat” now competes with daytime TV for the attention of women. This all means that people are spending more and more of their daily lives on the Internet. 1 www.getsafeonline.org/media/GSO Cyber Report 2006.pdf – – – 2 www.homeoYce.gov.uk/rds/pdfs06/rdsolr0906.pdf 3693461001 Page Type [E] 30-07-07 15:07:23 Pag Table: LOENEW PPSysB Unit: PAG1 4 personal internet security: evidence 29 November 2006 3. How are security breachers affecting the individual user detected and recorded? Not all personal users will be immediately aware that there has been a security breach. Increasingly, breaches are designed to run clandestinely on the machine and to evade firewall and anti-virus detection. On machines that do not have up to date protection, breaches are even less likely to come to light. Even where the user identifies they have been the victim of a breach, there is a great variation in response. According to the British Crime Survey, fewer than four in 10 of those who knew their computers were infected by a virus reported the incident at all. Of them, nine per cent reported to an ISP, 13 per cent to a website administrator and one per cent to the police. A number of private sector companies regularly comment on the changing nature and the extent of internet problems and industry bodies such as the the US-based SysAdmin, Audit, Network, Security (SANS) Institute do annual reviews of the key vulnerabilities. The DTI’s biennial surveys measure the impact of information security breaches on UK business—not just those that arise from connection to the Internet— and the measures that are being taken to prevent damage. 4. How well do users understand the nature of the threat? This is almost impossible to quantify, but see paragraph 6 for known information relating to the level of public awareness. 3 However, the OYce of Fair Trading has commissioned a wide-ranging market study into Internet Shopping due to be published in spring 2007. The market study is exploring, through consumer research and stakeholder consultation, the scale of any mismatch between consumer fears and actual risks, as well as how these fears might be addressed. Section 2: Tackling the Problem 5. What can and should be done to provide greater computer security to private individuals? What, if any, are the potential concerns and trade-offs? Both Government and industry have roles in ensuring that people are aware of the general risks online. Both also have a critical role to play in ensuring that the public are conducting online transactions with them safely. The nature of the Internet means that it is our collective responsibility to ensure that people are doing what they can to make themselves and their families safe online so that they can enjoy the real benefits of the Internet. Information, understanding and appropriate training are among the primary challenges in tackling the growing risk of Internet security threats, e-crime and online fraud. Simple, clear advice from one source is required to eVectively improve the public’s understanding of these threats and to encourage people to protect their personal information and electronic devices when online. Get Safe Online brings together Government, industry and law enforcement in a partnership to resource a campaign to give people the advice, guidance and the tools they need to be safe online (see next section). Increasingly computer retailers and manufacturers are providing additional security and safety software as part of a home computer package. Furthermore, many application software providers are incorporating more security features in their programs and organisations heavily reliant on online money transactions have for sometime oVered free security products. However, although products are widely available and strongly marketed, there is reluctance amongst users to install and use them. The main reasons seem to be that installing packages is perceived by users: to be complex and cumbersome; to restrict choice by filtering sites/emails; to require regular time consuming security screening; costly (most work on the basis of monthly/annual subscription to receive regular updates). Even the take up of free programs oVered via reputable organisations such as banks has been disappointingly low with only about five per cent of online customers using this service. We actively encourage users to assess risks and to put in place measures to mitigate those risks. For most users, oV the shelf products provide the appropriate level of protection, however, in some circumstances such as banking online or registering tax returns more is required. In these cases, identity is the key issue and two factor authentication is becoming the preferred method of identifying the person or organisation you are interacting with. The Government is looking seriously at the whole issue of managing identity 3 http://www.oft.gov.uk/news/press!releases/2006/81-06.htm 3693461001 Page Type [O] 30-07-07 15:07:23 Pag Table: LOENEW PPSysB Unit: PAG1 personal internet security: evidence 5 29 November 2006 online. It is a key feature of Sir David Varney’s work on transforming Government and the Chancellor of the Exchequer has asked Sir James Crosby to lead a piece of work on identity and the respective interests of the private and public sectors. The ISPs have a particular role in relation to the security of their customers and many oVer security scanning and spam filtering services. We are in discussion with the ISPs as to how the industry might continue to make forward momentum in this area and demonstrate leadership in dealing with these problems. 6. What is the level of public awareness of the threat to computer security and how effective are current initiatives in changing attitudes and raising that awareness? There are a range of public and private sector initiatives underway to raise public awareness of e-crime and the basic steps users can take to protect themselves. These include Get Safe On Line (GSOL), Bank Safe On Line, IT Safe and Fraud Alert. Between them they represent an important step forward in reducing the public’s exposure to the risks of online fraud and data theft. 4 The Get Safe Online campaign launched in 2005 aims to raise awareness of the risks people face online and provide them with independent, authoritative advice, guidance and tools to help keep themselves and their families safe on the Internet. The campaign brings together several government departments and agencies (including the Cabinet OYce, Home OYce, DTI and SOCA) and involves some well-known UK and international private sector brand names including BT, Dell, eBay, HSBC, Lloyds TSB, MessageLabs, Microsoft, securetrading and Yell.com. Importantly, Get Safe Online has from the outset sought to measure public awareness to ensure that its messages are having an impact. The Get Safe Online website now has over 13,000 links to it. The 2005 campaign included road shows in 12 cities across the UK. Research was carried out before and after the campaign. The results showed that there was a very good level of awareness of the campaign and some indications of a shift in behaviour: — three per cent of respondents were aware of the campaign or logo within one month of the launch of the campaign, and of these: — 62 per cent recognised the need to be careful when being online; — 52 per cent recognised it was their responsibility to stay safe; — 52 per cent understood the potential risks; — 40 per cent said that they had been prompted to find out more; 5 — awareness of threats such as key-logging and phishing rose by 15 per cent and 12 per cent respectively; — behaviour change had the greatest impact on backing-up data (75 per cent of those aware of the campaign did compared with 53 per cent of the non-aware). After the campaign, respondents were: — more likely to have installed a firewall or anti-spy software; — Significantly more likely to back up their data; — significantly more likely to keep personal details private; — more likely to use and update anti-virus and anti-spyware tools regularly. 19 per cent of respondents felt less secure once aware of the risks whilst 24 per cent felt more secure through increased knowledge and reassurance that they were doing the right thing. A second phase of Get Safe Online activity was launched on 9 October 2006 and achieved a good level of national and local media coverage. Road shows were run in eight cities across the UK in shopping centres, libraries, community centres and town halls and providing training at UK Online centres. 4 www.getsafeonline.org 5 Phishing a type of fraud that tricks users into visiting malicious websites, typically through “spoofed” emails from well known banks, online retailers and credit card companies. Ofcom Online Protection Report June 2006.

See more

The list of books you might like

Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.