I’m back from Lille (France) where was organized the 4th edition of “FIC” – “Forum International sur la Cybercriminalité” – during two days. This was my first edition and I was pleasantly surprised: I was a bit afraid to attend an event organized in France for French speaking people about French topics. Certainly not! It was multi-national and people visiting the event came from a lot of different countries. The FIC is not a “technical” event (New exploits or new attack vectors are not presented by hackers like common security conferences). Visitors and speakers are: police departments, authorities, mayors of cities, politicians, etc… and the topics were oriented to legal aspects. There was a lot of interesting sessions and it was difficult to attend all them as usual.
My first choice was an open discussion organized by the OSCE about “A comprehensive approach to cyber-security”. The OSCE (“Organization for Security and Co-operation in Europe“) is an organization which has a lot of different activities around security and one of them is more and more cyber-security. After a presentation of the OSCE, six speakers had ten minutes of presentation about their view of the cyber-security to end with a questions-answers session. Some facts given during the talks:
- The Council of Europe is involved in lot of project to address the move to a trans-national dimension of cyber-crime (with a lot of juridictions issues).
- A good balance must be kept between security and freedom of speech.
- Problem with electronic evidences: they are often “volatile” (quick reaction needed)
- More cooperation between countries is a requirement.
Another potential issue: critical infrastructure (like power-plants) are controlled by computers. They are prone to failures, human errors. But computer help us to find evidences (ex: with DNA and fingerprints databases). Cyber-crime activities occur below the radar and are automated. It’s easier to steal 100000 x 1€ instead of 1 x 100000€. A member of Scotland Yard (Keith Verralls) spoke about the operation “Mazhar” and explained how evidences were used to track criminals. Finally the EuroISPA (“European Internet Service Providers Association“) explained the role of ISP in the fight against online crime. The conclusions of this discussion were:
- To have a global vision of the issues.
- To keep to police dept updated with new threats and new technologies.
- To never underestimate the cyber-criminals.
After a break, I followed a presentation of 2centre (“Cybercrime Centre of Excellence Network for Training, research and Education“). This organization defines methods of training law enforcement in forensics investigations. At the moment, they are two members: the University College Dublin Centre for Cybercrime Investigation and the University de Technologie de Troyes. But others could join in a near future (they spoke about Belgium?).
The next talk was the most interesting: Fighting the download of illegal material. It started with a presentation of the current status in France (you know the famous “HADOPI” law). A member of the Japanese cyber-police explained how they fight the download of illegal files on P2P networks. I learned that the first P2P application used in Japan is: “Winny“. The countermeasures applied in Japan are:
- Act amendment
- Communication (“We are watching what you are sharing”)
A representative of Advestigo explained how they track the files on P2P networks using hashes. But new techniques will allow to generate a finger print of the data. Tests on video files reported a successful detection in 96% of the checks). Then, the legal aspect of the HADOPI law was explained and of course the major issues the authorities are facing. To resume: it’s impossible to apply this law in a correct way. And of course, IP addresses are still the focus of debate: are they considered as private data or not? But, one thing is clear: they cannot identify a user with a 100% accuracy.
After the HADOPI fun, a talk covered the future of the Internet (what else after the Web 2.0?). The speakers reviewed the differences between the Web 1.0, Web 2.0 and explained that people change! And the mentality of young people is not the same as 20 years ago. Teenagers found normal to put private pictures on Facebook and do not realize that those pictures could be reused against them in a few years.
To end the day, the closing plenary conference spoke about the rights to see its wrongdoings erased from the Web. All speaker agreed on a golden rule: the right to keep our privacy. And this must enforced via education. Interesting statistic: In the USA, 70% of the recruiters already decide to not hire a candidate based on the information found on social networks. New applications must be developed using the principle of “privacy by design”.
The talks were interesting and listening to legal aspects of cyber-security is interesting . It changes from the classic “bits & bytes” presentation. In the main room, there was some exhibitors which presented some technical solutions (I saw nice devices to perform forensics investigation on mobile phones)! or legal services. BTW, there was a huge presence of policemen in the area and on the exhibition. For sure, the place was safe 😉