Leveraging Human Factors for Effective Security Training, for ISSA 2013 CISO ... (Jason Hong)
Talk I gave at ISSA 2013 CISO forum, looking at some human factors issues in cybersecurity. I discuss some of our research in anti-phishing, user interfaces, mental models of cybersecurity, and ways of motivating people.
Social Cybersecurity, or, A Computer Scientist's View of HCI and Theory, at ... (Jason Hong)
June 2015
This talk looks at our team's ongoing work in using social psychology and diffusion of innovations to improve cybersecurity. It also reflects on the role of theory, in terms of offering inspiration for new ideas, a useful vocabulary, guidance for what to build and how to build things better, as well as insight into the problem space. This talk also offers some advice for people building theories, adapting Pasteur's quadrant and Diffusion of Innovations to theory, to help people who build and design systems.
The Role of Social Influence In Security Feature Adoption, at CSCW 2015 (Jason Hong)
Social influence is key in technology adoption, but its role in security-feature adoption is unique and remains unclear. Here, we analyzed how three Facebook security features—Login Approvals, Login Notifications, and Trusted Contacts—diffused through the social networks of 1.5 million people. Our results suggest that social influence affects one’s likelihood to adopt a security feature, but its effect varies based on the observability of the feature, the current feature adoption rate among a potential adopter’s friends, and the number of distinct social circles from which those feature-adopting friends originate. Curiously, there may be a threshold higher than which having more security-feature adopting friends predicts for higher adoption likelihood, but below which having more feature-adopting friends predicts for lower adoption likelihood. Furthermore, the magnitude of this threshold is modulated by the attributes of a feature—features that are more noticeable (Login Approvals, Trusted Contacts) have lower thresholds.
Designing the User Experience for Online Privacy, at IAPP Navigate 2013 (Jason Hong)
Talk I gave at IAPP 2013 Navigate conference, on designing for the user experience of privacy. I give examples of why privacy is so hard to design for. I also talk about three ideas for improving privacy, including privacy nutrition labels, using crowdsourcing, and privacy placebos.
https://www.privacyassociation.org/events_and_programs/navigate_2013/
Privacy, Ethics, and Big (Smartphone) Data, Keynote talk at ICISSP 2016 (Jason Hong)
This talk looks at some of the CHIMPS research group's work on urban analytics and on analyzing smartphone apps, and offers a reflection on how we can improve the privacy landscape by focusing on key parts of the ecosystem.
Privacy, Ethics, and Big (Smartphone) Data, at Mobisys 2014 (Jason Hong)
Keynote talk I gave at the Mobile and Cloud Workshop at Mobisys 2014. I talk about my experiences and reflections on privacy, focusing on (1) Urban Analytics, (2) Google Glass, and (3) PrivacyGrade.
Privacy and Security for the Emerging Internet of Things (Jason Hong)
Intel iSecCon2016 conference
I talk about the pyramid of IoT devices, sketch out some of the security and privacy issues, and present some of the ongoing work we are doing in this space at Carnegie Mellon University.
Increasing Sophistication - The Cyberpsychology of Online Fraud and Phishing (Ciarán Mc Mahon)
The cybersecurity environment is becoming increasingly aggressive, with Cybercrime as a Service blurring the distinction between Advanced Persistent Threats and minor criminality. Financial institutions need to understand the human factors of the online environments in which both they and their consumers operate. Cybercriminals are growing in sophistication and intelligence, so in order to protect the public, we must understand and appreciate the psychology of the victims of fraud and phishing.
Appreciating Contradictions: The Cyberpsychology of Information Security (Ciarán Mc Mahon)
Information security is at a critical juncture. How do we solve the weakest link - human psychology? Insight from cyberpsychology into leadership, power and persuasion are essential. These slides are from Dr Ciarán Mc Mahon's keynote at (ISC)² Security Congress EMEA, Sofitel Munich, October 2015
Since Kevin Mitnick coined the phrase in 2002, the cybersecurity industry has been awash with the phrase 'the human factor is the weakest link’. From vendors to researchers, engineers, hackers, and journalists, we are all fond of blaming the ‘dumb users’. In this talk I argue that when we say that the ‘human being is the weakest link in cybersecurity’, not only are we telling a lie, we are inevitably setting ourselves up for a fall.
Technologies and Policies for a Defensible Cyberspace (mark-smith)
Whether curious or malicious hackers, organized criminals, or national spies or soldiers, for decades, those who want to use cyberspace to attack have held nearly all the cards. Cyber attack has been, for decades, far easier than cyber defense.
More presentations from the NCVO Annual conference: http://www.ncvo-vol.org.uk/networking-discussions/blogs/20591
Social media is much more than an opportunity for you to share your messages and reach new audiences. It is a gold mine of experts and peers you can learn from in real time. This session will explore how social media channels bring new opportunities for learning and collaboration to your desktop or smart phone. You will hear how to use social media for your own professional development as well as find new ways to work together and share information more effectively.
Security disasters can emanate from many places, but often the main contributor is the disconnect that exists between CIOs (and executives in general) and the technical staff. This disconnect can give life to the scariest undead creature in the business world: the bad idea zombie.
Where there is money, there is crime – and financial institutions are among the prime targets for cyber criminals. This session will cover the threat that cybercrime poses to financial institutions, our first-hand run-ins with advanced attackers, real-world case studies, and the rise of cheap and damaging "hacking-as-a-service" tools that we’re seeing with increasing frequency and the damaging effects they have on financial institutions.
Ondrej Krehel, CEO & Founder, LIFARS, LLC
Dusan Petricko, Incident Response Manager, LIFARS, LLC
Usable Privacy and Security: A Grand Challenge for HCI, Human Computer Inter... (Jason Hong)
In this position paper, we argue that usable privacy and security is a grand challenge that needs more attention from the HCI community. We also discuss benefits to and new challenges for HCI, and use our research experiences to provide a critique of HCI.
Teaching Johnny not to Fall for Phish, at APWG CeCOS 2009 (Jason Hong)
An overview of our group's work on teaching people not to fall for phishing attacks, using simulated phish. The summary is that simulated phish work surprisingly well, in terms of learning and retention.
Why Do Some People Fall for Phishing Scams and What Do I Do About it? (Beth Sallay)
Why do certain users fall for phishing attacks? What's going on? Are they on auto-pilot, not fully engaged in their online activities? Are they lacking critical thinking abilities? The short answer is no, they are in fact fully aware of what they are doing and reading but lack the experience to know they are being scammed. There are also several personality traits that contribute to their increased likelihood of victimization.
What is Social Engineering? An illustrated presentation. (Pratum)
Social engineering relies profoundly on human interaction and often involves misleading employees into violating their organization’s security procedures. Humans are naturally helpful, but when it comes to protecting an organization’s security, being helpful to an outsider can do more harm than good.
These slides discuss social engineering, the most common attack methods, and the best means for defending against a social engineering attack.
For more helpful cyber security blog articles, visit www.integritysrc.com/blog.
Leveraging Human Factors for Effective Security Training, at FISSEA Mar2012 (Jason Hong)
I discuss a range of human factors issues for cybersecurity, in particular cybersecurity awareness and education. Topics include mental models, user interfaces, and simulated attacks.
Healthcare is the #1 most targeted industry and faces the widest array of cyber attacker behaviors. For as much effort as organizations put into locking down systems and patching applications, the number one way that systems are compromised is an attacker convincing a user to give up information for free, and phishing is the primary way that they do that. Phishing does not rely just on subterfuge; it relies heavily on psychology.
A criminological psychology based digital forensic investigative framework (Sameer Dasaka)
It’s been more than 30 years since digital forensics came into existence and started to evolve. The United States was the first to recognize the importance of digital forensics for catching criminals, and adopted multiple investigative frameworks and strategies to improve the investigation process.
Apart from performing the technical investigations, it is also equally important to understand and address the thought process of the criminal when the crime was committed.
Every crime that has been committed is always done with a specific disastrous purpose in mind and to fulfil that purpose, the criminal finds multiple loopholes and builds his/her way to such an extent that the line between right and wrong gets negligible.
Understanding what made the criminal think to commit the crime is just as important in producing future preventative measures.
Companies are generally very good at protecting themselves against external attacks, but only rarely do they guard themselves against internal attacks. By using what’s known as ‘Social Engineering’, hackers exploit unsuspecting people who in good faith open up their doors to unwanted strangers.
Social engineering, or SE, is the art of manipulating people into performing actions or giving up confidential information. Social engineering can mean different things to different people.
Cyber Security 101: Training, awareness, strategies for small to medium sized... (Stephen Cobb)
I developed "Cyber Security 101: Training, awareness, strategies for small to medium sized business" for the second annual Small Business Summit on Security, Privacy, and Trust, co-hosted by ADP in New Jersey, October 2013.
Similar to Teaching Johnny Not to Fall for Phish, for ISSA 2011 in Pittsburgh on Feb2011 (20)
DevOps and Testing slides at DASA Connect (Kari Kakkonen)
My and Rik Marselis's slides at the 30.5.2024 DASA Connect conference. We discuss what testing is, then what agile testing is, and finally what Testing in DevOps is. Finally we had a lovely workshop with the participants, trying to find out different ways to think about quality and testing in different parts of the DevOps infinity loop.
In the rapidly evolving landscape of technologies, XML continues to play a vital role in structuring, storing, and transporting data across diverse systems. The recent advancements in artificial intelligence (AI) present new methodologies for enhancing XML development workflows, introducing efficiency, automation, and intelligent capabilities. This presentation will outline the scope and perspective of utilizing AI in XML development. The potential benefits and the possible pitfalls will be highlighted, providing a balanced view of the subject.
We will explore the capabilities of AI in understanding XML markup languages and autonomously creating structured XML content. Additionally, we will examine the capacity of AI to enrich plain text with appropriate XML markup. Practical examples and methodological guidelines will be provided to elucidate how AI can be effectively prompted to interpret and generate accurate XML markup.
Further emphasis will be placed on the role of AI in developing XSLT, or schemas such as XSD and Schematron. We will address the techniques and strategies adopted to create prompts for generating code, explaining code, or refactoring the code, and the results achieved.
The discussion will extend to how AI can be used to transform XML content. In particular, the focus will be on the use of AI XPath extension functions in XSLT, Schematron, Schematron Quick Fixes, or for XML content refactoring.
The presentation aims to deliver a comprehensive overview of AI usage in XML development, providing attendees with the necessary knowledge to make informed decisions. Whether you’re at the early stages of adopting AI or considering integrating it in advanced XML development, this presentation will cover all levels of expertise.
By highlighting the potential advantages and challenges of integrating AI with XML development tools and languages, the presentation seeks to inspire thoughtful conversation around the future of XML development. We’ll not only delve into the technical aspects of AI-powered XML development but also discuss practical implications and possible future directions.
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0! (SOFTTECHHUB)
As the digital landscape continually evolves, operating systems play a critical role in shaping user experiences and productivity. The launch of Nitrux Linux 3.5.0 marks a significant milestone, offering a robust alternative to traditional systems such as Windows 11. This article delves into the essence of Nitrux Linux 3.5.0, exploring its unique features, advantages, and how it stands as a compelling choice for both casual users and tech enthusiasts.
Generative AI Deep Dive: Advancing from Proof of Concept to Production (Aggregage)
Join Maher Hanafi, VP of Engineering at Betterworks, in this new session where he'll share a practical framework to transform Gen AI prototypes into impactful products! He'll delve into the complexities of data collection and management, model selection and optimization, and ensuring security, scalability, and responsible use.
The Art of the Pitch: WordPress Relationships and Sales (Laura Byrne)
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if something changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
Securing your Kubernetes cluster: a step-by-step guide to success! (KatiaHIMEUR1)
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024 (Neo4j)
Neha Bajwa, Vice President of Product Marketing, Neo4j
Join us as we explore breakthrough innovations enabled by interconnected data and AI. Discover firsthand how organizations use relationships in data to uncover contextual insights and solve our most pressing challenges – from optimizing supply chains, detecting fraud, and improving customer experiences to accelerating drug discoveries.
Communications Mining Series - Zero to Hero - Session 1 (DianaGray10)
This session provides an introduction to UiPath Communication Mining, its importance, and a platform overview. You will acquire a good understanding of the phases in Communication Mining as we go over the platform with you. Topics covered:
• Communication Mining Overview
• Why is it important?
• How can it help today’s business and the benefits
• Phases in Communication Mining
• Demo on Platform overview
• Q/A
Unlocking Productivity: Leveraging the Potential of Copilot in Microsoft 365, a presentation by Christoforos Vlachos, Senior Solutions Manager – Modern Workplace, Uni Systems
Threats to mobile devices are more prevalent and increasing in scope and complexity. Users of mobile devices want to take full advantage of the features available on those devices, but many of those features trade security for convenience and capability. This best practices guide outlines steps users can take to better protect personal devices and information.
zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex Proofs (Alex Pruden)
This paper presents Reef, a system for generating publicly verifiable succinct non-interactive zero-knowledge proofs that a committed document matches or does not match a regular expression. We describe applications such as proving the strength of passwords, the provenance of email despite redactions, the validity of oblivious DNS queries, and the existence of mutations in DNA. Reef supports the Perl Compatible Regular Expression syntax, including wildcards, alternation, ranges, capture groups, Kleene star, negations, and lookarounds. Reef introduces a new type of automata, Skipping Alternating Finite Automata (SAFA), that skips irrelevant parts of a document when producing proofs without undermining soundness, and instantiates SAFA with a lookup argument. Our experimental evaluation confirms that Reef can generate proofs for documents with 32M characters; the proofs are small and cheap to verify (under a second).
Paper: https://eprint.iacr.org/2023/1886
Removing Uninteresting Bytes in Software Fuzzing (Aftab Hussain)
Imagine a world where software fuzzing, the process of mutating bytes in test seeds to uncover hidden and erroneous program behaviors, becomes faster and more effective. A lot depends on the initial seeds, which can significantly dictate the trajectory of a fuzzing campaign, particularly in terms of how long it takes to uncover interesting behaviour in your code. We introduce DIAR, a technique designed to speedup fuzzing campaigns by pinpointing and eliminating those uninteresting bytes in the seeds. Picture this: instead of wasting valuable resources on meaningless mutations in large, bloated seeds, DIAR removes the unnecessary bytes, streamlining the entire process.
In this work, we equipped AFL, a popular fuzzer, with DIAR and examined two critical Linux libraries -- Libxml's xmllint, a tool for parsing xml documents, and Binutil's readelf, an essential debugging and security analysis command-line tool used to display detailed information about ELF (Executable and Linkable Format). Our preliminary results show that AFL+DIAR does not only discover new paths more quickly but also achieves higher coverage overall. This work thus showcases how starting with lean and optimized seeds can lead to faster, more comprehensive fuzzing campaigns -- and DIAR helps you find such seeds.
- These are slides of the talk given at IEEE International Conference on Software Testing Verification and Validation Workshop, ICSTW 2022.
GridMate - End to end testing is a critical piece to ensure quality and avoid... (ThomasParaiso2)
End to end testing is a critical piece to ensure quality and avoid regressions. In this session, we share our journey building an E2E testing pipeline for GridMate components (LWC and Aura) using Cypress, JSForce, FakerJS…
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf (Paige Cruz)
Monitoring and observability aren’t traditionally found in software curriculums and many of us cobble this knowledge together from whatever vendor or ecosystem we were first introduced to and whatever is a part of your current company’s observability stack.
While the dev and ops silo continues to crumble….many organizations still relegate monitoring & observability as the purview of ops, infra and SRE teams. This is a mistake - achieving a highly observable system requires collaboration up and down the stack.
I, a former op, would like to extend an invitation to all application developers to join the observability party, and will share these foundational concepts to build on:
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor... (Neo4j)
Leonard Jayamohan, Partner & Generative AI Lead, Deloitte
This keynote will reveal how Deloitte leverages Neo4j’s graph power for groundbreaking digital twin solutions, achieving a staggering 100x performance boost. Discover the essential role knowledge graphs play in successful generative AI implementations. Plus, get an exclusive look at an innovative Neo4j + Generative AI solution Deloitte is developing in-house.
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024 (Albert Hoitingh)
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview. Including the concepts of Customer Key and Double Key Encryption.
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor... (SOFTTECHHUB)
The choice of an operating system plays a pivotal role in shaping our computing experience. For decades, Microsoft's Windows has dominated the market, offering a familiar and widely adopted platform for personal and professional use. However, as technological advancements continue to push the boundaries of innovation, alternative operating systems have emerged, challenging the status quo and offering users a fresh perspective on computing.
One such alternative that has garnered significant attention and acclaim is Nitrux Linux 3.5.0, a sleek, powerful, and user-friendly Linux distribution that promises to redefine the way we interact with our devices. With its focus on performance, security, and customization, Nitrux Linux presents a compelling case for those seeking to break free from the constraints of proprietary software and embrace the freedom and flexibility of open-source computing.
4. How Bad Is Phishing?
Consumer Perspective
• Estimated ~0.5% of Internet users per year fall for phishing attacks
• Conservative $1B+ direct losses a year to consumers
– Bank accounts, credit card fraud
– Doesn’t include time wasted on recovery of funds, restoring computers, emotional uncertainty
• Growth rate of phishing
– 30k+ reported unique emails / month
– 45k+ reported unique sites / month
• Social networking sites now major targets
7. How Bad Is Phishing?
Perspective of Corporations
• Direct damage
– Loss of sensitive customer data
– Loss of intellectual property
– Fraud
– Disruption of network services
• Indirect damage
– Damage to reputation, lost sales, etc
– Response costs (call centers, recovery)
• One bank estimated it cost them $1M per phishing attack
8. Phishing Increasing in Sophistication
Targeting Your Organization
• Spear-phishing targets specific groups or individuals
• Type #1 – Uses info about your organization
Example email shown on the slide: “General Patton is retiring next week, click here to say whether you can attend his retirement party”
9. Phishing Increasing in Sophistication
Targeting Your Organization
• Around 40% of people in our experiments at CMU would fall for emails like this (control condition)
10. Phishing Increasing in Sophistication
Targeting You Specifically
• Type #2 – Uses info specifically about you
– Social phishing
• Might use information from social networking sites, corporate directories, or publicly available data
• Ex. Fake emails from friends or co-workers
• Ex. Fake videos of you and your friends
11. Phishing Increasing in Sophistication
Targeting You Specifically
Example email shown on the slide: “Here’s a video I took of your poster presentation.”
12. Phishing Increasing in Sophistication
Targeting You Specifically
• Type #2 – Uses info specifically about you
– Whaling – focusing on big targets
“Thousands of high-ranking executives across the country have been receiving e-mail messages this week that appear to be official subpoenas from the United States District Court in San Diego. Each message includes the executive’s name, company and phone number, and commands the recipient to appear before a grand jury in a civil case.” -- New York Times, Apr 16 2008
13. Phishing Increasing in Sophistication
Combination with Malware
• Malware and phishing are becoming combined
– Poisoned attachments (Ex. custom PDF exploits)
– Links to web sites with malware (web browser exploits)
– Can install keyloggers or remote access software
15. Protecting People from Phishing
• Research we have done at Carnegie Mellon
– http://cups.cs.cmu.edu/trust.php
• Human side
– Interviews and surveys to understand decision-making
– PhishGuru embedded training
– Micro-games for security training
– Understanding effectiveness of browser warnings
• Computer side
– PILFER email anti-phishing filter
– CANTINA web anti-phishing algorithm
– Evaluating effectiveness of existing blacklists
– Machine learning of blacklists
16. Results of Our Research
• Startup
– Customers of our micro-games include
governments, financials, universities
– Our email filter is labeling several million
emails per day
• Study on browser warnings -> MSIE8
• Elements of our work adopted by
Anti-Phishing Working Group (APWG)
• Popular press article in
Scientific American
17. Outline of Rest of Talk
• Rest of talk will focus on educating end-users
• PhishGuru embedded training
• Anti-Phishing Phil micro-game
18. User Education is Challenging
• Users are not motivated to learn about security
• Security is a secondary task
• Difficult to teach people to make right online trust
decision without increasing false positives
“User education is a complete waste of time. It is
about as much use as nailing jelly to a wall…. They
are not interested…they just want to do their job.”
Martin Overton, IBM security specialist
http://news.cnet.com/21007350_361252132.html
19. But Actually, Users Are Trainable
• Our research demonstrates that users can learn
techniques to protect themselves from phishing…
if you can get them to pay attention to training
P. Kumaraguru, S. Sheng, A. Acquisti, L. Cranor, and J. Hong.
Teaching Johnny Not to Fall for Phish. CyLab Technical Report
CMU-CyLab-07-003, 2007.
20. How Do We Get People Trained?
• Solution
– Find “teachable moments”: PhishGuru
– Make training fun: Anti-Phishing Phil
– Use learning science principles throughout
21. PhishGuru Embedded Training
• Send emails that look like a phishing attack
• If recipient falls for it, show intervention that teaches
what cues to look for in succinct and engaging format
• Multiple user studies have demonstrated
that PhishGuru is effective
• Delivering same training via direct email is
not effective!
22. Subject: Revision to Your Amazon.com Information
23. Subject: Revision to Your Amazon.com Information
Please login and enter your information
25. Evaluation of PhishGuru
• Is embedded training effective?
– Study 1: Lab study, 30 participants
– Study 2: Lab study, 42 participants
– Study 3: Field trial at company, ~300 participants
– Study 4: Field trial at CMU, ~500 participants
• Studies showed significant decrease in falling for
phish and ability to retain what they learned
P. Kumaraguru et al. Protecting People from Phishing: The Design and
Evaluation of an Embedded Training Email System. CHI 2007.
P. Kumaraguru et al. Getting Users to Pay Attention to Anti-Phishing
Education: Evaluation of Retention and Transfer. eCrime 2007.
26. Study #4 at CMU
• Investigate effectiveness and retention of
training after 1 week, 2 weeks, and 4 weeks
• Compare effectiveness of 2 training
messages vs 1 training message
• Examine demographics and phishing
P. Kumaraguru, J. Cranshaw, A. Acquisti, L. Cranor, J. Hong,
M. A. Blair, and T. Pham. School of Phish: A Real-World Evaluation
of Anti-Phishing Training. SOUPS 2009.
27. Study design
• Sent email to all CMU students, faculty
and staff to recruit participants (opt-in)
• 515 participants in three conditions
– Control / One training message / Two messages
• Emails sent over 28 day period
– 7 simulated spear-phishing messages
– 3 legitimate (cyber security scavenger hunt)
• Campus help desks and IT departments
notified before messages sent
28. Effect of PhishGuru Training
Condition   N     % who clicked on Day 0   % who clicked on Day 28
Control     172   52.3                     44.2
Trained     343   48.4                     24.5
29. Discussion of PhishGuru
• PhishGuru can teach people to identify phish better
– People retain the knowledge
• People trained on first day less likely to be phished
• Two training messages work better
– People weren’t less likely to click on legitimate emails
– People aren’t resentful, many happy to have learned
• 68 out of 85 surveyed said they recommend CMU
continue doing this sort of training in future
• “I really liked the idea of sending CMU students fake
phishing emails and then saying to them, essentially,
HEY! You could've just gotten scammed! You should
be more careful -- here's how....”
• Contrast to US DOJ and Guam Air Force Base
30. APWG Landing Page
• CMU and Wombat helped Anti-Phishing Working
Group develop landing page for taken down sites
– Already in use by several takedown companies
– Seen by ~200,000 people in past 27 months
31. Anti-Phishing Phil
• A micro-game to teach people not to fall for phish
– PhishGuru about email, this game about web browser
– Also based on learning science principles
• Goals
– How to parse URLs
– Where to look for URLs
– Use search engines for help
• Try the game!
– Search for “phishing game”
S. Sheng et al. Anti-Phishing Phil: The Design and Evaluation of a
Game That Teaches People Not to Fall for Phish. In SOUPS 2007,
Pittsburgh, PA, 2007.
38. Evaluation of Anti-Phishing Phil
• Is Phil effective? Yes!
– Study 1: 56 people in lab study
– Study 2: 4517 people in field trial
• Brief results of Study 1
– Phil about as effective in helping people detect phishing
web sites as paying people to read training material
– But Phil has significantly fewer false positives overall
• Suggests that existing training material is making people
paranoid about phish rather than teaching them to differentiate
39. Evaluation of Anti-Phishing Phil
• Study 2: 4517 participants in field trial
– Randomly selected from 80000 people
• Conditions
– Control: Label 12 sites then play game
– Game: Label 6 sites, play game, then label 6 more,
then after 7 days, label 6 more (18 total)
• Participants
– 2021 people in game condition, 674 did retention portion
40. Anti-Phishing Phil: Study 2
• Novices showed most improvement in false negatives
(calling phish legitimate)
42. Anti-Phishing Phyllis
• New micro-game just released by Wombat Security
• Focuses on teaching people about what cues
to look for in emails
– Some emails are legitimate, some fake
– Have to identify cues as dangerous or harmless
43. Summary
• Phishing is already a plague on the Internet
– Seriously affects consumers, businesses, governments
– Criminals getting more sophisticated
• End-users can be trained, but only if done right
– Use a combination of fun and learning science
– PhishGuru embedded training uses simulated phishing
– Anti-Phishing Phil and Anti-Phishing Phyllis micro-games
• Can try PhishGuru, Phil, and Phyllis at:
www.wombatsecurity.com
49. How Effective are these Warnings?
• Tested four conditions
– Firefox Active Block
– IE Active Block
– IE Passive Warning
– Control (no warnings or blocks)
• “Shopping Study”
– Set up some fake phishing pages and added them to blacklists
– We phished users after purchases (2 phish per user)
– Real email accounts and personal information
S. Egelman, L. Cranor, and J. Hong. You've Been Warned: An
Empirical Study of the Effectiveness of Web Browser Phishing
Warnings. CHI 2008.
50. How Effective are these Warnings?
Almost everyone clicked, even those
with technical backgrounds
52. Discussion of Phish Warnings
• Nearly everyone will fall for highly contextual phish
• Passive IE warning failed for many reasons
– Didn’t interrupt the main task
– Slow to appear (up to 5 seconds)
– Not clear what the right action was
– Looked too much like other ignorable warnings (habituation)
– Bug in implementation: any keystroke dismissed it
54. Discussion of Phish Warnings
• Active IE warnings
– Most saw but did not believe it
• “Since it gave me the option of still proceeding to the
website, I figured it couldn’t be that bad”
– Some element of habituation (looks like other warnings)
– Saw two pathological cases
57. A Science of Warnings
• See the warning?
• Understand?
• Believe it?
• Motivated?
• Can and will act?
• Refining this model for computer warnings
58. Outline
• Human side
– Interviews and surveys to understand decision-making
– PhishGuru embedded training
– Anti-Phishing Phil game
– Understanding effectiveness of browser warnings
• Computer side
– PILFER email anti-phishing filter
– CANTINA web anti-phishing algorithm
– Machine learning of blacklists
Can we improve phish detection of web sites?
59. Detecting Phishing Web Sites
• Industry uses blacklists to label phishing sites
– But blacklists slow to new attacks
• Idea: Use search engines
– Scammers often directly copy web pages
– But fake pages should have low PageRank on search engines
– Generate text-based “fingerprint” of web page keywords and
send to a search engine
Y. Zhang, S. Egelman, L. Cranor, and J. Hong. Phinding Phish:
Evaluating Anti-Phishing Tools. In NDSS 2007.
Y. Zhang, J. Hong, and L. Cranor. CANTINA: A content-based
approach to detecting phishing web sites. In WWW 2007.
G. Xiang and J. Hong. A Hybrid Phish Detection Approach by Identity
Discovery and Keywords Retrieval. In WWW 2009.
60. Robust Hyperlinks
• Developed by Phelps and Wilensky to solve
“404 not found” problem
• Key idea was to add a lexical signature to URLs
that could be fed to a search engine if URL failed
– Ex. http://abc.com/page.html?sig=“word1+word2+...+word5”
• How to generate signature?
– Found that TF-IDF was fairly effective
• Informal evaluation found five words was sufficient
for most web pages
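A worked version of the two ideas above (the TF-IDF lexical signature of slide 60 and the CANTINA search-engine test of slide 59), added here as an example; it is not code from the slides or from the CMU group. The four-page corpus, the URLs, the "search results" list and the top-30 cutoff are constructed assumptions, and the round trip to a real search engine is replaced by that constructed list so the script runs offline:

```python
# Added example (not code from the slides or the CMU group): a TF-IDF
# lexical signature in the style of Phelps & Wilensky's robust hyperlinks,
# plus the CANTINA-style check of whether the page's own domain appears in
# the search results for that signature. Corpus, URLs and search results
# are constructed for illustration.
import math
import re
from collections import Counter
from urllib.parse import urlsplit

REAL_URL = "https://signin.ebay.example/ws/eBayISAPI.dll"
CLONE_URL = "http://198.51.100.7/~ebay/signin.html"   # phishing copy on a bare IP

SIGNIN_TEXT = (
    "Sign in to eBay. Connect with the eBay community, check your "
    "feedback, bid on auctions and manage your eBay account."
)

# Constructed corpus: the real sign-in page, a byte-for-byte clone of it
# (scammers copy pages wholesale), and two unrelated pages. "the", "and"
# and "your" occur in every document, so their IDF is zero.
CORPUS = {
    REAL_URL: SIGNIN_TEXT,
    CLONE_URL: SIGNIN_TEXT,
    "https://weather.example/today": (
        "Today the forecast calls for rain in your area this afternoon, "
        "with a high near sixty and winds from the west."
    ),
    "https://recipes.example/bread": (
        "Mix the flour, water and yeast, knead the dough and let it rise "
        "before baking your bread, then check the crust."
    ),
}

TOKEN = re.compile(r"[a-z0-9]+")


def tokenize(text):
    return TOKEN.findall(text.lower())


def document_frequencies(corpus):
    """Number of documents each term occurs in."""
    df = Counter()
    for text in corpus.values():
        df.update(set(tokenize(text)))
    return df


def tfidf(text, df, n_docs):
    """tf = term count / document length; idf = ln(N / df)."""
    tokens = tokenize(text)
    counts = Counter(tokens)
    return {w: (c / len(tokens)) * math.log(n_docs / df[w])
            for w, c in counts.items()}


def lexical_signature(text, df, n_docs, k=5):
    """Top-k TF-IDF terms. Ties are broken alphabetically so the result is
    deterministic; zero-weight terms (present in every doc) never qualify."""
    scores = tfidf(text, df, n_docs)
    ranked = sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))
    return [w for w, s in ranked[:k] if s > 0]


def robust_url(url, signature):
    """Robust hyperlink: the URL plus a sig= query a client can hand to a
    search engine if the URL ever 404s."""
    return f"{url}?sig={'+'.join(signature)}"


def cantina_verdict(page_url, result_urls, top_n=30):
    """Core CANTINA test: legitimate if the page's own host is among the
    top-N search hits for its signature, otherwise suspicious."""
    host = urlsplit(page_url).hostname
    hits = {urlsplit(u).hostname for u in result_urls[:top_n]}
    return "legitimate" if host in hits else "suspicious"


DF = document_frequencies(CORPUS)
N_DOCS = len(CORPUS)

# Constructed stand-in for what a search engine returns for the signature
# "ebay account auctions bid community": the real site ranks, the clone does not.
SEARCH_RESULTS = [
    REAL_URL,
    "https://www.ebay.example/help/account",
    "https://community.ebay.example/",
]

if __name__ == "__main__":
    for url, text in CORPUS.items():
        sig = lexical_signature(text, DF, N_DOCS)
        print(url, sig, robust_url(url, sig))
    print(REAL_URL, cantina_verdict(REAL_URL, SEARCH_RESULTS))
    print(CLONE_URL, cantina_verdict(CLONE_URL, SEARCH_RESULTS))
```

The real page and its clone produce the same five-word signature (ebay account auctions bid community), which is exactly why the search test works: the copied content points the search engine at the real domain, and the clone's own host never appears in the results. Stop words drop out here only because they occur in every document; a real deployment needs a much larger corpus or an explicit stop list, and the published CANTINA adds URL and page heuristics on top of this test to hold down false positives.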
66. Machine Learning of Blacklists
• Human-verified blacklists maintained by Microsoft,
Google, PhishTank
– Pros: Reliable, extremely low false positives
– Cons: Slow to respond, can be flooded with URLs (fast flux)
• Observation #1: many phishing sites similar
– Constructed through toolkits
• Observation #2: many phishing sites similar
– Fast flux (URL actually points to same site)
• Idea: Rather than just examining URL, compare
content of a site to known phishing sites
67. Machine Learning of Blacklists
• Approach #1: Use hashcodes of web page
– Simple, good against fast flux
– Easy to defeat (though can allow some flexibility)
• Approach #2: Use shingling
– Shingling is an approach used by search engines to find
duplicate pages
– “connect with the eBay community” ->
{connect with the, with the eBay, the eBay community}
– Count the number of common shingles out of total shingles,
set threshold
68. Machine Learning of Blacklists
• Use Shingling
• Protect against false positives
– Phishing sites look a lot like real sites
– Have a small whitelist (ebay, paypal, etc)
– Use CANTINA too
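As an added example (not the slides' or the CMU group's code) of the approaches on slides 67 and 68: an exact hash that a one-word edit defeats, word shingles with a common-over-total threshold that survive the edit, and the small brand whitelist checked first. The page texts, hosts, whitelist and the 0.7 threshold are constructed for illustration:

```python
# Added example (not code from the slides or the CMU group): matching a
# page against a blacklist by content, first by exact hash (approach #1)
# and then by word shingles (approach #2), with a small whitelist in front
# of both. Page texts, hosts, whitelist and threshold are constructed.
import hashlib
import re
from urllib.parse import urlsplit

TOKEN = re.compile(r"[a-z0-9]+")


def shingles(text, k=3):
    """Set of k-word shingles, lowercased:
    'connect with the eBay community' ->
        {'connect with the', 'with the ebay', 'the ebay community'}"""
    words = TOKEN.findall(text.lower())
    return {" ".join(words[i:i + k]) for i in range(len(words) - k + 1)}


def shingle_similarity(a, b, k=3):
    """Common shingles out of all distinct shingles in either page (Jaccard)."""
    sa, sb = shingles(a, k), shingles(b, k)
    union = sa | sb
    return len(sa & sb) / len(union) if union else 0.0


def page_hash(text):
    """Approach #1: an exact fingerprint. Cheap, and immune to fast flux
    (the same content hashes the same wherever it is served), but any
    one-word edit by a toolkit user changes it."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


# Constructed human-verified blacklist entry (a page a toolkit produced).
KNOWN_PHISH_TEXT = (
    "Dear eBay member, your account has been suspended. Connect with the "
    "eBay community again by confirming your password and credit card "
    "number at the link below."
)
# The same toolkit page with one word changed: defeats the hash, not the shingles.
VARIANT_TEXT = KNOWN_PHISH_TEXT.replace("suspended", "limited")
UNRELATED_TEXT = "Today the forecast calls for rain in the afternoon with a high near sixty."

BLACKLIST = {"http://198.51.100.7/ebay/signin": KNOWN_PHISH_TEXT}
# Small whitelist of the brands phish pages imitate, so the real login
# page is never flagged for resembling its own copies.
WHITELIST = {"signin.ebay.example", "www.paypal.example"}
THRESHOLD = 0.7   # assumed; tune on real data


def classify(url, text, blacklist=BLACKLIST, whitelist=WHITELIST,
             threshold=THRESHOLD):
    host = urlsplit(url).hostname
    if host in whitelist:
        return "legitimate (whitelisted domain)"
    known_hashes = {page_hash(t) for t in blacklist.values()}
    if page_hash(text) in known_hashes:
        return "phish (exact match to blacklisted page)"
    best = max((shingle_similarity(text, t) for t in blacklist.values()),
               default=0.0)
    if best >= threshold:
        return "phish (near-duplicate of blacklisted page)"
    return "no match"


if __name__ == "__main__":
    print(shingles("connect with the eBay community"))
    print(round(shingle_similarity(KNOWN_PHISH_TEXT, VARIANT_TEXT), 3))
    for url, text in [
        ("http://198.51.100.7/ebay/signin", KNOWN_PHISH_TEXT),
        ("http://203.0.113.9/ebay/login", VARIANT_TEXT),
        ("https://signin.ebay.example/ws/eBayISAPI.dll", VARIANT_TEXT),
        ("https://weather.example/today", UNRELATED_TEXT),
    ]:
        print(url, "->", classify(url, text))
```

Changing a single word leaves 21 of the 27 distinct three-word shingles shared (0.78), above the threshold, while the SHA-256 fingerprints no longer match. The whitelist matters because the real login page is, by construction, the page a phish resembles most; without it the shingle test would flag the brand itself, which is also why the slides pair shingling with CANTINA.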
69. Tells people why they are seeing this message, uses engaging character
70. Tells a story about what happened and what the risks are
71. Gives concrete examples of how to protect oneself
72. Explains how criminals conduct phishing attacks
BusinessWeek, http://www.businessweek.com/magazine/content/08_16/b4080032218430.htm: The e-mail message addressed to a Booz Allen Hamilton executive was mundane—a shopping list sent over by the Pentagon of weaponry India wanted to buy. But the missive turned out to be a brilliant fake. Lurking beneath the description of aircraft, engines, and radar equipment was an insidious piece of computer code known as "Poison Ivy" designed to suck sensitive data out of the $4 billion consulting firm's computer network. The Pentagon hadn't sent the e-mail at all. Its origin is unknown, but the message traveled through Korea on its way to Booz Allen. Its authors knew enough about the "sender" and "recipient" to craft a message unlikely to arouse suspicion. Had the Booz Allen executive clicked on the attachment, his every keystroke would have been reported back to a mysterious master at the Internet address cybersyndrome.3322.org, which is registered through an obscure company headquartered on the banks of China's Yangtze River.
Thus far, our work has generated a great deal of interest and collaboration from a number of partners. Our automated email filter is undergoing a field trial at ****** main email servers, where it is labeling several million emails per day. Our research evaluating anti-phishing toolbars has been cited by several companies, with ongoing evaluations being presented to the Anti-Phishing Working Group, a consortium of companies “committed to wiping out Internet scams and fraud.” Design suggestions from our studies to understand browser warnings have been incorporated into the latest version of Microsoft’s Internet Explorer 8. PhishGuru’s methodology of sending fake phishing emails to train individuals has undergone field trials at three different companies, and been cited by two different companies trying to commercialize the work. PhishGuru’s training materials have also been adopted by APWG on their landing page, a page that ISPs and web sites can show after taking down a phishing web site. Anti-Phishing Phil has been played by over 100,000 people, licensed by two companies, demoed at many security days meant to teach people about good security practices, and translated into Portuguese with several more translations underway. Finally, our group is commercializing all of this work through a startup we have founded, named Wombat Security Technologies.
Assume that this is your email inbox and, among other emails, you see this email from Amazon that just looks like the legitimate email from Amazon. When you open the email…
You will see this, which looks legitimate, and with the data that we have, we know that most of the users will click on the link. When they click on the link they will see…
P. Kumaraguru et al. Protecting People from Phishing: The Design and Evaluation of an Embedded Training Email System. CHI 2007. P. Kumaraguru et al. Getting Users to Pay Attention to Anti-Phishing Education: Evaluation of Retention and Transfer. eCrime 2007.
To address some of the limitations in this study, I am currently doing this exciting study among CMU students/faculty/staff where I have been phishing them for the last 4 weeks. I was interested in studying long-term retention, more than 1 week, so in this study we are studying 4-week retention. In the previous study we studied 1 training message; here we are studying 2 messages. This study is really in the wild and we are collecting a lot of data. I am still in data collection mode; in a few weeks I should have some results from this study.
Spear phishing emails are targeted phishing emails. Collecting a variety of information (HR, complaints that are being logged to help centers and ISO). Counterbalancing the emails. Collecting data for legitimate emails to see whether training increases concern.
The idea in this slide is to show that training conditions did better than control conditions and that it was a significant difference. There is an improvement of 50% among people in PhishGuru training.
The figure of 200k people in the past 20 months was as of May 2010.
S. Sheng, B. Magnien, P. Kumaraguru, A. Acquisti, L. Cranor, J. Hong, and E. Nunge. Anti-Phishing Phil: The Design and Evaluation of a Game That Teaches People Not to Fall for Phish. In Proceedings of the 2007 Symposium On Usable Privacy and Security, Pittsburgh, PA, July 18-20, 2007.
Phil needs to score 6/8 to move on to the next round, and at the end of the round Phil gets a chance to reflect on what he missed.
In between rounds, we also have short tutorials to teach Phil better strategies to identify phishing. In this example, Phil’s father teaches Phil how to use a search engine.
S. Egelman, L. Cranor, and J. Hong. You've Been Warned: An Empirical Study of the Effectiveness of Web Browser Phishing Warnings. CHI 2008.
The user will see this intervention, which tells them how to avoid falling for phishing emails. I will describe in detail what information is in this intervention in a couple of minutes. You have the printout of this intervention.