Computerworld

E-crime reporting format draws closer to a standard

The data format would allow entities to exchange information on cybercrimes faster

The Internet Engineering Task Force is close to approving a specification for a common format for reporting e-crime, a step taken to allow security experts to react faster to cybercrime.

The Anti-Phishing Working Group is already collecting reports from organizations using the XML-based Incident Object Description Exchange Format (IODEF), which has been customized with extensions appropriate for e-crime reports, said Peter Cassidy, secretary general of APWG.

The format will allow for unambiguous time stamps, support for different languages and a feature to attach samples of malicious code.
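To make those three features concrete, here is an added Python example (not code from APWG, the IETF or the article) that builds and reads back a minimal IODEF 1.0 report: a ReportTime that must carry a timezone, one Description per language via xml:lang, and a sample attached as base64. Element names follow IODEF 1.0 (RFC 5070) as assumed here; the APWG e-crime extension elements are not reproduced, so the attachment is modelled with IODEF's generic AdditionalData, and every identifier, reporter name and sample byte string is constructed.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

IODEF_NS = "urn:ietf:params:xml:ns:iodef-1.0"          # IODEF 1.0 namespace (RFC 5070)
XML_LANG = "{http://www.w3.org/XML/1998/namespace}lang"  # the xml:lang attribute
ET.register_namespace("iodef", IODEF_NS)

def q(name): return f"{{{IODEF_NS}}}{name}"             # namespace-qualify an element name

def iodef_timestamp(ts):
    # IODEF timestamps are RFC 3339 strings; the explicit zone is what makes them unambiguous.
    if ts.tzinfo is None or ts.utcoffset() is None:
        raise ValueError("ReportTime needs a timezone; naive datetimes are ambiguous")
    return ts.isoformat(timespec="seconds")

def build_report(incident_id, reporter, when, descriptions, sample=None):
    """descriptions maps a language tag to text; sample bytes ride along base64-encoded."""
    doc = ET.Element(q("IODEF-Document"), {"version": "1.00", "lang": "en"})
    inc = ET.SubElement(doc, q("Incident"), {"purpose": "reporting"})
    ET.SubElement(inc, q("IncidentID"), {"name": reporter}).text = incident_id
    ET.SubElement(inc, q("ReportTime")).text = iodef_timestamp(when)
    for lang, text in descriptions.items():          # one Description element per language
        ET.SubElement(inc, q("Description"), {XML_LANG: lang}).text = text
    ET.SubElement(ET.SubElement(inc, q("Assessment")), q("Impact"), {"type": "social-engineering"})
    contact = ET.SubElement(inc, q("Contact"), {"role": "creator", "type": "organization"})
    ET.SubElement(contact, q("ContactName")).text = reporter
    if sample is not None:                           # generic attachment: dtype="bytes" is base64
        extra = ET.SubElement(inc, q("AdditionalData"), {"dtype": "bytes", "meaning": "attached sample"})
        extra.text = base64.b64encode(sample).decode("ascii")
    return ET.tostring(doc, encoding="unicode")

def parse_report(xml_text):
    # Consumer side: recover the fields, normalise the time to UTC, decode the attachment.
    ns = {"i": IODEF_NS}
    inc = ET.fromstring(xml_text).find("i:Incident", ns)
    when = datetime.fromisoformat(inc.findtext("i:ReportTime", namespaces=ns))
    return {
        "id": inc.findtext("i:IncidentID", namespaces=ns),
        "utc": when.astimezone(timezone.utc),
        "descriptions": {d.get(XML_LANG): d.text for d in inc.findall("i:Description", ns)},
        "samples": [base64.b64decode(a.text) for a in inc.findall("i:AdditionalData", ns)
                    if a.get("dtype") == "bytes"],
    }

# Constructed sample report: the identifier, reporter name and attached bytes are all made up.
SAMPLE_REPORT = build_report(
    incident_id="EXAMPLE-0001", reporter="reports.example.org",
    when=datetime(2008, 4, 2, 9, 30, tzinfo=timezone(timedelta(hours=2))),
    descriptions={"en": "Phishing lure imitating a bank login page",
                  "de": "Phishing-Köder, der eine Bank-Anmeldeseite nachahmt"},
    sample=b"<html>constructed phishing-kit stub</html>",
)
```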

The specification is now with the IETF, which has been looking at it for more than a year. If it is approved as a standard, the format will likely be taken up by banks, security organizations and other entities, Cassidy said. The format can be used to report crimes such as phishing and fraud incidents.

What the specification intends to solve is the inconsistent manner in which e-crime reports are now collected. Different organizations assemble data in a variety of ways, and frequently it is not widely shared, Cassidy said.

"Electronic crime is a smattering of data from places you haven't seen," said Cassidy, who is scheduled to give a presentation on Wednesday at the Council of Europe's conference on cybercrime, which runs through Thursday.

That's problematic since spotting e-crime trends requires broad visibility into incidents around the world. With reports in a standard format loaded into a database, investigators and experts will be able to mine and analyze the data much faster using automated tools. The data is so voluminous that manual human analysis is impossible.

"Automated analysis is not an option, it's inevitable, which then allows for deterrence," Cassidy said. "You don't win with episodic data."

With a common reporting format, a bank could query the database to find out what range of IP (Internet Protocol) addresses have been used for fraud attacks, Cassidy said. Other parameters could be used, such as conducting searches by geography or even by grammar mistakes in phishing messages.

Criminals know how difficult it is for law enforcement to chase them electronically and use that to their advantage, Cassidy said. "Everything is against the good guys," he said.

The technical part is easy. The challenge is how the information can be legally shared, as data protection regulations differ by country and region. IP addresses, for example, can be considered personally identifiable information, but they are a crucial piece of information in cybercrime investigations, he said.

Once the IETF gives the specification a number, organizations are likely to begin using it, Cassidy said.

"I think the banks will embrace it," Cassidy said. "They're already exchanging data."