Systems should be sold secure, says Interpol

Cybercrime could be drastically cut if computers were sold with security software pre-installed, according to experts

Computers should always be sold with security systems pre-installed to cut down on cybercrime, police and security experts said this week.

Activities such as phishing and pharming would be drastically reduced if PCs were sold with security software ready and running, the National Hi-Tech Crime Unit's E-Crime Congress in London was told.

"I would like to see boxes with operating systems sold with complete pre-installed security systems. Phishing and pharming wouldn't be possible if there was pre-installed security software on a machine," said Bernhard Otupal, a crime intelligence officer for financial and high-tech crime at Interpol.

Many criminal gangs use the Internet to try to defraud people, he said. Phishing — luring users to sites to steal banking information, and pharming — redirecting users from bona fide Web sites to fakes while spoofing the address, are now recognised as major security problems by experts.

Otupal told ZDNet UK that individual user responsibility and awareness was needed to cut phishing and pharming attacks.

"There needs to be some responsibility from users. Recently a number of users fell victim to phishing attacks from a group claiming to be a well-known bank. The group claimed they were updating their servers, and they needed the users' bank details to be re-entered. People entered bank details who weren't even the bank's customers," said Otupal, who asked ZDNet UK to withhold the bank's name.

"Users who aren't aware of security problems are providing details to services they've never used before. Users should be able to prove they have some security features on their machines before they can bank online," Otupal added.

Interpol said pre-installed security software would not necessarily make systems completely secure.

"Everyone thinks they are creating secure systems, but as long as there are criminals they will find security leaks. There is no such thing as a secure system," said Otupal.

However, individual users should expect high levels of security from those providing Web services, Otupal said.

"If you buy a car, a warranty is normally in place. I think users should expect the same online. If users use a service like Yahoo this service should offer a certain level of security, which Yahoo does offer — it's a question of if users are using it. The big players have dozens of advice lists, but the question is whether users are looking at the pages," said Otupal.

Experts from the SANS Institute — a security professional training body — agreed that pre-installed security systems could cut cybercrime.

"The users' job should be to act responsibly. Everything they need should come with the system. If they need a firewall enabled, computers should come with that," Alan Paller, director of SANS, told ZDNet UK.

Vendors should also automatically update all of their systems in a uniform way so businesses and individual users know their systems are as secure as can be.

"Applications should be configured to automatically update. There is no excuse for not doing this. Symantec automatically update their antivirus software but with their backup products from Veritas, you're on your own. It's crazy they don't automatically update BackupExec. Without that, your backup can be vulnerable for months because you don't have a clue it's not automatically updated," said Paller.

The security industry should "stop blaming the user, and start emphasising the role of vendors and ISPs. A partnership between them will solve security problems," said Paller.