
Dressing up as a Phish

Sasha Romanosky points me to a story about a security analyst dressing up as a phish to educate students. This reminds me of that time Randy Pausch dressed up as some character from Alice in Wonderland and gave away Alice CDs. I have to admit, this is definitely going to be memorable for the students.

Tech-Security Official at U. of Virginia Wears Fish Costume to Raise Awareness of 'Phishing'

When Karen McDowell dressed up in a purple fish costume and walked around the University of Virginia's campus last month, she got plenty of attention for her cause, even though she had to explain the meaning of her outfit. Ms. McDowell is a security analyst for the university, and her goal was to raise awareness about e-mail phishing schemes, in which con artists send e-mail messages hoping to lure people into giving out their passwords or other personal information.

When Phishing Education Goes Bad

A sad, funny, and frustrating story about phishing education. Don't know if this is true or not, but I can see it happening.

http://thedailywtf.com/Articles/Go-Phish.aspx

Auburn University's CIO sends out a warning to students, faculty, and staff about phishing, and includes an example of phishing in his email. A few days later, he sends out another email, excerpt below:

"In my previous alert, I included the text of a phishing email as an example. Some students misunderstood that I was asking for user name and password, and replied with that information. Please be aware that you shouldn't provide this information to anyone."

Facebook Phishing

Some colleagues and I talked about this potential threat a few months ago, and it looks like it's finally starting to happen.

http://www.wired.com/politics/security/news/2008/01/facebook_phish

Some Facebook users checking their accounts Wednesday found odd postings of messages on their "wall" from one of their friends, saying: "lol i can't believe these pics got posted.... it's going to be BADDDD when her boyfriend sees these," followed by what looks like a genuine Facebook link. But the link leads to a fake Facebook login page hosted on a Chinese .cn domain. The fake page actually logs the victims into Facebook, but also keeps a copy of their user names and passwords. Soon after, the hackers post messages containing the same URL on the public "walls" of the users' friends. The technique is a powerful phishing scam, because the link seems to be coming from a trusted friend.

...

Hackers can use the compromised profiles to host Trojan horses

New IE8 Features for Anti-Phishing

The next version of Internet Explorer 8 will have new features to protect people from phishing attacks. Some of these features were developed by CMU's very own Serge Egelman. Nice work Serge! Some highlights include:

Better warning messages (based on our past work on warnings in web browsers [PDF])
Better heuristics for detecting scams (I'd be interested in learning more about how these work)
Anti-malware support

World of Warcraft introducing 2-Factor Authentication

I didn't expect to have two posts in a row about World of Warcraft, but I found this one too interesting to resist. It looks like Blizzard will be making physical tokens available for customers to purchase, to increase the security of their accounts. Apparently, there have been many hacked accounts, leading to the loss of (virtual) gold and items. This was a venue for phishing and malware that I didn't see coming, but it makes sense once you see how the value chain eventually ends up as cash.

http://us.blizzard.com/support/article.xml?articleId=24660&rhtml=true

Microsoft Hires CastleCops founder

Microsoft has hired Paul Laudanski, the man behind the anti-phishing Castlecops.com website, to help with the software company's phishing and spam investigations. Laudanski, a former volunteer firefighter, announced the move on Castlecops.com last week, saying that he's looking to find someone else to run the site that he founded in 2002.

http://www.techworld.com/security/news/index.cfm?newsID=101724&pagtype=samechan

Walt Mossberg on Protecting Yourself from Identity Theft

You know phishing has become a mainstream problem when Walt Mossberg writes about it.

When most people think about Internet security problems, they focus on viruses and spyware -- technological attacks that can usually be mitigated by technological defenses. But the most insidious Internet security problems today rely on human gullibility, not tricky software... These types of attacks are called "social engineering," and they are used by criminals to steal your money and identity, and to plant on your computer malicious software that can be used to keep ripping you off.

Business Week on E-Spionage

Business Week has a really interesting article on the growing threat of e-spionage.

The U.S. government, and its sprawl of defense contractors, have been the victims of an unprecedented rash of similar cyber attacks over the last two years, say current and former U.S. government officials. "It's espionage on a massive scale," says Paul B. Kurtz, a former high-ranking national security official. Government agencies reported 12,986 cyber security incidents to the U.S. Homeland Security Dept. last fiscal year, triple the number from two years earlier. Incursions on the military's networks were up 55% last year, says Lieutenant General Charles E. Croom, head of the Pentagon's Joint Task Force for Global Network Operations. Private targets like Booz Allen are just as vulnerable and pose just as much potential security risk.

...

On Apr. 8, Homeland Security Dept. Secretary Michael Chertoff called the President's order a cyber security "Manhattan Project."

Phishing Attack against CMU

Well, this was bound to happen sooner or later, but there was a recent phishing attack targeting members of the CMU community. And, no, this wasn't an experiment from our research team.

SCS Computing Facilities has received the following announcement from campus Computing Services.

*** To verify the authenticity of this message, see Security News & Events at ***

WHO: Everyone
WHAT: Phishing Emails Sent to Carnegie Mellon Accounts
WHEN: Feb 21, 2008
HOW: Fraudulent emails have recently been sent to Carnegie Mellon email accounts claiming to be from the "CMU SUPPORT TEAM" asking people to reply with their "CMU Webmail account" passwords.

...

When Toolkits Go Bad

As someone who has been involved in the development of some user interface toolkits, I have to admit I'm simultaneously amused and really annoyed at this latest development, namely phishing toolkits that lower the barriers to entry for criminals.

http://news.netcraft.com/archives/2008/01/22/mrbrain_stealing_phish_from_fraudsters.html

The tools and code provided by Mr-Brain are designed to make it extremely easy for other fraudsters to deploy realistic phishing sites. Only a very basic knowledge of programming is required to configure the PHP scripts to send victims' details to the fraudsters' chosen electronic mail address. Deploying one of these fully working kits can be done in as little as one minute – another factor that adds to their appeal.

This one toolkit, however, is somewhat humorous in that it tries to scam the scammers.

Careful inspection of the configuration script reveals deceptive code that hides the true set of electronic mail addresses that are contacted by

Anti-Phishing Phil on CMU's main home page

http://www.cmu.edu/homepage/collaboration/2007/fall/to-spot-a-scam.shtml

Carnegie Mellon University computer scientists have developed an interactive, online game featuring a little fish named Phil who teaches players cybersecurity tips. "Anti-Phishing Phil" helps users to better recognize and avoid email "phishing" and other Internet scams.

Anti-Phishing Phil used in High School Class

Just heard about this: our game Anti-Phishing Phil is being used in a high school class, where the topic is "things that can get you in trouble online". I like this excerpt from the teacher:

I'm doing a unit right now about plagiarism, scams, spam, phishing, urban legends, and all sorts of other things that can get you in trouble online. Students are fascinated by anything that's illegal, so it's actually going pretty well.

...

Even with a minimal game structure, students focus on the play and don't seem to notice that they are being taught a whole set of skills and knowledge. But when it's over, they can answer my questions. Great stuff.

Anti-Phishing Phil in Portuguese

Wow, this is really cool! Portugal Telecom has taken our Anti-Phishing Phil game, but has replaced our fish with a frog. It's like I'm reliving my Frogger days!

http://seguranca.sapo.pt/phishingze/

Anti-Phishing Phil in the News

Our work on Anti-Phishing Phil is mentioned in a news article by AP

In the News: Another article on our Anti-Phishing Toolbar Study

http://www.techworld.com/security/news/index.cfm?newsID=7386&pagtype=all

By contrast, the new study, Finding Phish: An Evaluation of Anti-Phishing Toolbars [jih - we actually spelled it "Phinding Phish"], was conducted by researchers at Carnegie Mellon University in Pittsburgh, backed by organisations as worthily anodyne as the US National Science Foundation and the US Army Research Office.

...

Even the best of the bunch - Earthlink, Netcraft, Google, Cloudmark, and Explorer 7 - detected only 85 percent of fraudulent websites, a good but far from secure level of effectiveness. The rest scored under the 50 percent mark, with McAfee's SiteAdvisor unable to spot any.

Here's a link to our study, Phinding Phish: An Evaluation of Anti-Phishing Toolbars

In the News: Our Anti-Phishing Toolbar study

A new study by the CyLab at Carnegie Mellon University, "Phinding Phish: An Evaluation of Anti-Phishing Toolbars" shows that anti-phishing browser toolbars are generally not up to the task. The research, carried out by Lorrie Cranor, Serge Egelman, Jason Hong, and Yue Zhang, examined 10 of the 80-90 free anti-fraud toolbars currently available.

http://www.heise-security.co.uk/news/81635

Here's a link to our study, Phinding Phish: An Evaluation of Anti-Phishing Toolbars