SlideShare uma empresa Scribd logo

Teaching Johnny Not to Fall for Phish, for ISSA 2011 in Pittsburgh on Feb2011

Transferir como PPT, PDF
Jason Hong
Jason Hong

A talk I gave at a local ISSA meeting, looking at how to teach people not to fall for phishing attacks.

TecnologiaNegócios
1 de 73
Jason Hong, PhD Carnegie Mellon University Wombat Security Technologies Teaching Johnny Not to Fall for Phish
Everyday Privacy and Security Problem
This entire process known as phishing
How Bad Is Phishing? Consumer Perspective • Estimated ~0.5% of Internet users per year fall for phishing attacks • Conservative $1B+ direct losses a year to consumers – Bank accounts, credit card fraud – Doesn’t include time wasted on recovery of funds, restoring computers, emotional uncertainty • Growth rate of phishing – 30k+ reported unique emails / month – 45k+ reported unique sites / month • Social networking sites now major targets
How Bad Is Phishing? Perspective of Corporations • Direct damage – Loss of sensitive customer data
How Bad Is Phishing? Perspective of Corporations • Direct damage – Loss of sensitive customer data – Loss of intellectual property
How Bad Is Phishing? Perspective of Corporations • Direct damage – Loss of sensitive customer data – Loss of intellectual property – Fraud – Disruption of network services • Indirect damage – Damage to reputation, lost sales, etc – Response costs (call centers, recovery) • One bank estimated it cost them $1M per phishing attack
General Patton is retiring next week, click here to say whether you can attend his retirement party Phishing Increasing in Sophistication Targeting Your Organization • Spear-phishing targets specific groups or individuals • Type #1 – Uses info about your organization
Phishing Increasing in Sophistication Targeting Your Organization • Around 40% of people in our experiments at CMU would fall for emails like this (control condition)
Phishing Increasing in Sophistication Targeting You Specifically • Type #2 – Uses info specifically about you – Social phishing • Might use information from social networking sites, corporate directories, or publicly available data • Ex. Fake emails from friends or co-workers • Ex. Fake videos of you and your friends
Phishing Increasing in Sophistication Targeting You Specifically Here’s a video I took of your poster presentation.
Phishing Increasing in Sophistication Targeting You Specifically • Type #2 – Uses info specifically about you – Whaling – focusing on big targets Thousands of high-ranking executives across the country have been receiving e-mail messages this week that appear to be official subpoenas from the United States District Court in San Diego. Each message includes the executive’s name, company and phone number, and commands the recipient to appear before a grand jury in a civil case. -- New York Times Apr16 2008
Phishing Increasing in Sophistication Combination with Malware • Malware and phishing are becoming combined – Poisoned attachments (Ex. custom PDF exploits) – Links to web sites with malware (web browser exploits) – Can install keyloggers or remote access software
Protecting People from Phishing • Research we have done at Carnegie Mellon – http://cups.cs.cmu.edu/trust.php • Human side – Interviews and surveys to understand decision-making – PhishGuru embedded training – Micro-games for security training – Understanding effectiveness of browser warnings • Computer side – PILFER email anti-phishing filter – CANTINA web anti-phishing algorithm – Evaluating effectiveness of existing blacklists – Machine learning of blacklists
Results of Our Research • Startup – Customers of micro-games featured include governments, financials, universities – Our email filter is labeling several million emails per day • Study on browser warnings -> MSIE8 • Elements of our work adopted by Anti-Phishing Working Group (APWG) • Popular press article in Scientific American
Outline of Rest of Talk • Rest of talk will focus on educating end-users • PhishGuru embedded training • Anti-Phishing Phil micro-game
User Education is Challenging • Users are not motivated to learn about security • Security is a secondary task • Difficult to teach people to make right online trust decision without increasing false positives “User education is a complete waste of time. It is about as much use as nailing jelly to a wall…. They are not interested…they just want to do their job.” Martin Overton, IBM security specialist http://news.cnet.com/21007350_361252132.html
But Actually, Users Are Trainable • Our research demonstrates that users can learn techniques to protect themselves from phishing… if you can get them to pay attention to training P. Kumaraguru, S. Sheng, A. Acquisti, L. Cranor, and J. Hong. Teaching Johnny Not to Fall for Phish. CyLab Technical Report CMU CyLab07003, 2007.
How Do We Get People Trained? • Solution – Find “teachable moments”: PhishGuru – Make training fun: Anti-Phishing Phil – Use learning science principles throughout
PhishGuru Embedded Training • Send emails that look like a phishing attack • If recipient falls for it, show intervention that teaches what cues to look for in succinct and engaging format • Multiple user studies have demonstrated that PhishGuru is effective • Delivering same training via direct email is not effective!
Subject: Revision to Your Amazon.com InformationSubject: Revision to Your Amazon.com Information
Subject: Revision to Your Amazon.com InformationSubject: Revision to Your Amazon.com Information Please login and enter your informationPlease login and enter your information
Evaluation of PhishGuru • Is embedded training effective? – Study 1: Lab study, 30 participants – Study 2: Lab study, 42 participants – Study 3: Field trial at company, ~300 participants – Study 4: Field trial at CMU, ~500 participants • Studies showed significant decrease in falling for phish and ability to retain what they learned P. Kumaraguru et al. Protecting People from Phishing: The Design and Evaluation of an Embedded Training Email System. CHI 2007. P. Kumaraguru et al. Getting Users to Pay Attention to Anti-Phishing Education: Evaluation of Retention and Transfer. eCrime 2007.
Study #4 at CMU • Investigate effectiveness and retention of training after 1 week, 2 weeks, and 4 weeks • Compare effectiveness of 2 training messages vs 1 training message • Examine demographics and phishing P. Kumaraguru, J. Cranshaw, A. Acquisti, L. Cranor, J. Hong, M. A. Blair, and T. Pham. School of Phish: A Real-World Evaluation of Anti-Phishing Training. 2009. SOUPS 2009.
Study design • Sent email to all CMU students, faculty and staff to recruit participants (opt-in) • 515 participants in three conditions – Control / One training message / Two messages • Emails sent over 28 day period – 7 simulated spear-phishing messages – 3 legitimate (cyber security scavenger hunt) • Campus help desks and IT departments notified before messages sent
Effect of PhishGuru Training Condition N % who clicked on Day 0 % who clicked on Day 28 Control 172 52.3 44.2 Trained 343 48.4 24.5
Discussion of PhishGuru • PhishGuru can teach people to identify phish better – People retain the knowledge • People trained on first day less likely to be phished • Two training messages work better – People weren’t less likely to click on legitimate emails – People aren’t resentful, many happy to have learned • 68 out of 85 surveyed said they recommend CMU continue doing this sort of training in future • “I really liked the idea of sending CMU students fake phishing emails and then saying to them, essentially, HEY! You could've just gotten scammed! You should be more careful -- here's how....” • Contrast to US DOJ and Guam Air Force Base
APWG Landing Page • CMU and Wombat helped Anti-Phishing Working Group develop landing page for taken down sites – Already in use by several takedown companies – Seen by ~200,000 people in past 27 months
Anti-Phishing Phil • A micro-game to teach people not to fall for phish – PhishGuru about email, this game about web browser – Also based on learning science principles • Goals – How to parse URLs – Where to look for URLs – Use search engines for help • Try the game! – Search for “phishing game” S. Sheng et al. Anti-Phishing Phil: The Design and Evaluation of a Game That Teaches People Not to Fall for Phish. In SOUPS 2007, Pittsburgh, PA, 2007.
Anti-Phishing Phil
Evaluation of Anti-Phishing Phil • Is Phil effective? Yes! – Study 1: 56 people in lab study – Study 2: 4517 people in field trial • Brief results of Study 1 – Phil about as effective in helping people detect phishing web sites as paying people to read training material – But Phil has significantly fewer false positives overall • Suggests that existing training material making people paranoid about phish rather than differentiating
Evaluation of Anti-Phishing Phil • Study 2: 4517 participants in field trial – Randomly selected from 80000 people • Conditions – Control: Label 12 sites then play game – Game: Label 6 sites, play game, then label 6 more, then after 7 days, label 6 more (18 total) • Participants – 2021 people in game condition, 674 did retention portion
Anti-Phishing Phil: Study 2 • Novices showed most improvement in false negatives (calling phish legitimate)
Anti-Phishing Phil: Study 2 • Improvement all around for false positives
Anti-Phishing Phyllis • New micro-game just released by Wombat Security • Focuses on teaching people about what cues to look for in emails – Some emails are legitimate, some fake – Have to identify cues as dangerous or harmless
Summary • Phishing is already a plague on the Internet – Seriously affects consumers, businesses, governments – Criminals getting more sophisticated • End-users can be trained, but only if done right – Use a combination of fun and learning science – PhishGuru embedded training uses simulated phishing – Anti-Phishing Phil and Anti-Phishing Phyllis micro-games • Can try PhishGuru, Phil, and Phyllis at: www.wombatsecurity.com
Acknowledgments • Ponnurangam Kumaraguru • Steve Sheng • Lorrie Cranor • Norman Sadeh
Screenshots Internet Explorer – Passive Warning
Screenshots Internet Explorer – Active Block
Screenshots Mozilla FireFox – Active Block
How Effective are these Warnings? • Tested four conditions – FireFox Active Block – IE Active Block – IE Passive Warning – Control (no warnings or blocks) • “Shopping Study” – Setup some fake phishing pages and added to blacklists – We phished users after purchases (2 phish/user) – Real email accounts and personal information S. Egelman, L. Cranor, and J. Hong. You've Been Warned: An Empirical Study of the Effectiveness of Web Browser Phishing Warnings. CHI 2008.
How Effective are these Warnings? Almost everyone clicked, even those with technical backgrounds
How Effective are these Warnings?
Discussion of Phish Warnings • Nearly everyone will fall for highly contextual phish • Passive IE warning failed for many reasons – Didn’t interrupt the main task – Slow to appear (up to 5 seconds) – Not clear what the right action was – Looked too much like other ignorable warnings (habituation) – Bug in implementation, any keystroke dismisses
Screenshots Internet Explorer – Passive Warning
Discussion of Phish Warnings • Active IE warnings – Most saw but did not believe it • “Since it gave me the option of still proceeding to the website, I figured it couldn’t be that bad” – Some element of habituation (looks like other warnings) – Saw two pathological cases
Screenshots Internet Explorer – Active Block
Internet Explorer 8 Re-design
A Science of Warnings • See the warning? • Understand? • Believe it? • Motivated? • Can and will act? • Refining this model for computer warnings
Outline • Human side – Interviews and surveys to understand decision-making – PhishGuru embedded training – Anti-Phishing Phil game – Understanding effectiveness of browser warnings • Computer side – PILFER email anti-phishing filter – CANTINA web anti-phishing algorithm – Machine learning of blacklists Can we improve phish detection of web sites?
Detecting Phishing Web Sites • Industry uses blacklists to label phishing sites – But blacklists slow to new attacks • Idea: Use search engines – Scammers often directly copy web pages – But fake pages should have low PageRank on search engines – Generate text-based “fingerprint” of web page keywords and send to a search engine Y. Zhang, S. Egelman, L. Cranor, and J. Hong Phinding Phish: Evaluating Anti-Phishing Tools. In NDSS 2007. Y. Zhang, J. Hong, and L. Cranor. CANTINA: A content-based approach to detecting phishing web sites. In WWW 2007. G. Xiang and J. Hong. A Hybrid Phish Detection Approach by Identity Discovery and Keywords Retrieval. In WWW 2009.
Robust Hyperlinks • Developed by Phelps and Wilensky to solve “404 not found” problem • Key idea was to add a lexical signature to URLs that could be fed to a search engine if URL failed – Ex. http://abc.com/page.html?sig=“word1+word2+...+word5” • How to generate signature? – Found that TF-IDF was fairly effective • Informal evaluation found five words was sufficient for most web pages
Fake eBay, user, sign, help, forgot
Real eBay, user, sign, help, forgot
Evaluating CANTINA PhishTank
Machine Learning of Blacklists • Human-verified blacklists maintained by Microsoft, Google, PhishTank – Pros: Reliable, extremely low false positives – Cons: Slow to respond, can be flooded with URLs (fast flux) • Observation #1: many phishing sites similar – Constructed through toolkits • Observation #2: many phishing sites similar – Fast flux (URL actually points to same site) • Idea: Rather than just examining URL, compare content of a site to known phishing sites
Machine Learning of Blacklists • Approach #1: Use hashcodes of web page – Simple, good against fast flux – Easy to defeat (though can allow some flexibility) • Approach #2: Use shingling – Shingling is an approach used by search engines to find duplicate pages – “connect with the eBay community” -> {connect with the, with the eBay, the eBay community} – Count the number of common shingles out of total shingles, set threshold
Machine Learning of Blacklists • Use Shingling • Protect against false positives – Phishing sites look a lot like real sites – Have a small whitelist (ebay, paypal, etc) – Use CANTINA too
Tells people why they are seeing this message, uses engaging character Tells people why they are seeing this message, uses engaging character
Tells a story about what happened and what the risks are Tells a story about what happened and what the risks are
Gives concrete examples of how to protect oneself Gives concrete examples of how to protect oneself
Explains how criminals conduct phishing attacks Explains how criminals conduct phishing attacks
Teaching Johnny Not to Fall for Phish, for ISSA 2011 in Pittsburgh on Feb2011

Recomendados

Leveraging Human Factors for Effective Security Training, for ISSA 2013 CISO ...
Leveraging Human Factors for Effective Security Training, for ISSA 2013 CISO ...Leveraging Human Factors for Effective Security Training, for ISSA 2013 CISO ...
Leveraging Human Factors for Effective Security Training, for ISSA 2013 CISO ...Jason Hong
 
Social Cybersecurity , or, A Computer Scientist's View of HCI and Theory, at ...
Social Cybersecurity , or, A Computer Scientist's View of HCI and Theory, at ...Social Cybersecurity , or, A Computer Scientist's View of HCI and Theory, at ...
Social Cybersecurity , or, A Computer Scientist's View of HCI and Theory, at ...Jason Hong
 
The Role of Social Influence In Security Feature Adoption, at CSCW 2015
The Role of Social Influence In Security Feature Adoption, at CSCW 2015The Role of Social Influence In Security Feature Adoption, at CSCW 2015
The Role of Social Influence In Security Feature Adoption, at CSCW 2015Jason Hong
 
Designing the User Experience for Online Privacy, at IAPP Navigate 2013
Designing the User Experience for Online Privacy, at IAPP Navigate 2013Designing the User Experience for Online Privacy, at IAPP Navigate 2013
Designing the User Experience for Online Privacy, at IAPP Navigate 2013Jason Hong
 
Privacy, Ethics, and Big (Smartphone) Data, Keynote talk at ICISSP 2016
Privacy, Ethics, and Big (Smartphone) Data, Keynote talk at ICISSP 2016Privacy, Ethics, and Big (Smartphone) Data, Keynote talk at ICISSP 2016
Privacy, Ethics, and Big (Smartphone) Data, Keynote talk at ICISSP 2016Jason Hong
 
PrivacyGrade and Social Cybersecurity, talk at FTC July 2015
PrivacyGrade and Social Cybersecurity, talk at FTC July 2015PrivacyGrade and Social Cybersecurity, talk at FTC July 2015
PrivacyGrade and Social Cybersecurity, talk at FTC July 2015Jason Hong
 
Social Cybersecurity: Applying Social Psychology to Cybersecurity, at SecHuma...
Social Cybersecurity: Applying Social Psychology to Cybersecurity, at SecHuma...Social Cybersecurity: Applying Social Psychology to Cybersecurity, at SecHuma...
Social Cybersecurity: Applying Social Psychology to Cybersecurity, at SecHuma...Jason Hong
 
Privacy, Ethics, and Big (Smartphone) Data, at Mobisys 2014
Privacy, Ethics, and Big (Smartphone) Data, at Mobisys 2014Privacy, Ethics, and Big (Smartphone) Data, at Mobisys 2014
Privacy, Ethics, and Big (Smartphone) Data, at Mobisys 2014Jason Hong
 

Recomendados

Leveraging Human Factors for Effective Security Training, for ISSA 2013 CISO ...
Leveraging Human Factors for Effective Security Training, for ISSA 2013 CISO ...Leveraging Human Factors for Effective Security Training, for ISSA 2013 CISO ...
Leveraging Human Factors for Effective Security Training, for ISSA 2013 CISO ...Jason Hong
 
Social Cybersecurity , or, A Computer Scientist's View of HCI and Theory, at ...
Social Cybersecurity , or, A Computer Scientist's View of HCI and Theory, at ...Social Cybersecurity , or, A Computer Scientist's View of HCI and Theory, at ...
Social Cybersecurity , or, A Computer Scientist's View of HCI and Theory, at ...Jason Hong
 
The Role of Social Influence In Security Feature Adoption, at CSCW 2015
The Role of Social Influence In Security Feature Adoption, at CSCW 2015The Role of Social Influence In Security Feature Adoption, at CSCW 2015
The Role of Social Influence In Security Feature Adoption, at CSCW 2015Jason Hong
 
Designing the User Experience for Online Privacy, at IAPP Navigate 2013
Designing the User Experience for Online Privacy, at IAPP Navigate 2013Designing the User Experience for Online Privacy, at IAPP Navigate 2013
Designing the User Experience for Online Privacy, at IAPP Navigate 2013Jason Hong
 
Privacy, Ethics, and Big (Smartphone) Data, Keynote talk at ICISSP 2016
Privacy, Ethics, and Big (Smartphone) Data, Keynote talk at ICISSP 2016Privacy, Ethics, and Big (Smartphone) Data, Keynote talk at ICISSP 2016
Privacy, Ethics, and Big (Smartphone) Data, Keynote talk at ICISSP 2016Jason Hong
 
PrivacyGrade and Social Cybersecurity, talk at FTC July 2015
PrivacyGrade and Social Cybersecurity, talk at FTC July 2015PrivacyGrade and Social Cybersecurity, talk at FTC July 2015
PrivacyGrade and Social Cybersecurity, talk at FTC July 2015Jason Hong
 
Social Cybersecurity: Applying Social Psychology to Cybersecurity, at SecHuma...
Social Cybersecurity: Applying Social Psychology to Cybersecurity, at SecHuma...Social Cybersecurity: Applying Social Psychology to Cybersecurity, at SecHuma...
Social Cybersecurity: Applying Social Psychology to Cybersecurity, at SecHuma...Jason Hong
 
Privacy, Ethics, and Big (Smartphone) Data, at Mobisys 2014
Privacy, Ethics, and Big (Smartphone) Data, at Mobisys 2014Privacy, Ethics, and Big (Smartphone) Data, at Mobisys 2014
Privacy, Ethics, and Big (Smartphone) Data, at Mobisys 2014Jason Hong
 
Privacy and Security for the Emerging Internet of Things
Privacy and Security for the Emerging Internet of ThingsPrivacy and Security for the Emerging Internet of Things
Privacy and Security for the Emerging Internet of ThingsJason Hong
 
How children's fingerprints on the web could mean the end of PII Authenticati...
How children's fingerprints on the web could mean the end of PII Authenticati...How children's fingerprints on the web could mean the end of PII Authenticati...
How children's fingerprints on the web could mean the end of PII Authenticati...Jisc
 
Digital reputations
Digital reputationsDigital reputations
Digital reputationsConnectSafely
 
Banning Whining, Avoiding Cyber Wolves, and Creating Warrior
Banning Whining, Avoiding Cyber Wolves, and Creating WarriorBanning Whining, Avoiding Cyber Wolves, and Creating Warrior
Banning Whining, Avoiding Cyber Wolves, and Creating WarriorSandra (Sandy) Dunn
 
Online Safety 3.0: From Fear to Empowerment
Online Safety 3.0: From Fear to EmpowermentOnline Safety 3.0: From Fear to Empowerment
Online Safety 3.0: From Fear to EmpowermentConnectSafely
 
e-Safety webinar - Nov 2013
e-Safety webinar - Nov 2013e-Safety webinar - Nov 2013
e-Safety webinar - Nov 2013Jisc Scotland
 
Making Sense of Cyberspace, keynote for Software Engineering Institute Cyber ...
Making Sense of Cyberspace, keynote for Software Engineering Institute Cyber ...Making Sense of Cyberspace, keynote for Software Engineering Institute Cyber ...
Making Sense of Cyberspace, keynote for Software Engineering Institute Cyber ...Jason Hong
 
Higher Education Social Media for Emergency Management
Higher Education Social Media for Emergency ManagementHigher Education Social Media for Emergency Management
Higher Education Social Media for Emergency ManagementElizabeth King - MHA, MEP
 
Drexel University: Business and Privacy in the Cloud
Drexel University: Business and Privacy in the Cloud Drexel University: Business and Privacy in the Cloud
Drexel University: Business and Privacy in the Cloud Jim Adler
 
Increasing Sophistication - The Cyberpsychology of Online Fraud and Phishing
Increasing Sophistication - The Cyberpsychology of Online Fraud and PhishingIncreasing Sophistication - The Cyberpsychology of Online Fraud and Phishing
Increasing Sophistication - The Cyberpsychology of Online Fraud and PhishingCiarán Mc Mahon
 
Appreciating Contradications: The Cyberpsychology of Information Security
Appreciating Contradications: The Cyberpsychology of Information SecurityAppreciating Contradications: The Cyberpsychology of Information Security
Appreciating Contradications: The Cyberpsychology of Information SecurityCiarán Mc Mahon
 
In defence of the human factor
In defence of the human factorIn defence of the human factor
In defence of the human factorCiarán Mc Mahon
 
Runshaw College and the journey towards ISO 27001
Runshaw College and the journey towards ISO 27001Runshaw College and the journey towards ISO 27001
Runshaw College and the journey towards ISO 27001Jisc
 
Technologies and Policies for a Defensible Cyberspace
Technologies and Policies for a Defensible CyberspaceTechnologies and Policies for a Defensible Cyberspace
Technologies and Policies for a Defensible Cyberspacemark-smith
 
Film project 2
Film project 2Film project 2
Film project 2alexapadovani
 
2021 IWC presentation: Risk, SOCs and Mitigations: Cognitive Security is Comi...
2021 IWC presentation: Risk, SOCs and Mitigations: Cognitive Security is Comi...2021 IWC presentation: Risk, SOCs and Mitigations: Cognitive Security is Comi...
2021 IWC presentation: Risk, SOCs and Mitigations: Cognitive Security is Comi...Sara-Jayne Terp
 
Information exchange through social media (NCVO Annual Conference 2012)
Information exchange through social media (NCVO Annual Conference 2012)Information exchange through social media (NCVO Annual Conference 2012)
Information exchange through social media (NCVO Annual Conference 2012)NCVO - National Council for Voluntary Organisations
 
Marcus Ranum on Bad Idea Zombies
Marcus Ranum on Bad Idea Zombies Marcus Ranum on Bad Idea Zombies
Marcus Ranum on Bad Idea Zombies David Strom
 
Detection and Minimization Influence of Rumor in Social Network
Detection and Minimization Influence of Rumor in Social NetworkDetection and Minimization Influence of Rumor in Social Network
Detection and Minimization Influence of Rumor in Social NetworkIRJET Journal
 
LIFARS - Financial Cybercrime
LIFARS - Financial CybercrimeLIFARS - Financial Cybercrime
LIFARS - Financial CybercrimeLIFARS
 
Teaching Johnny Not to Fall for Phish, for ISSA 2010 on May 2010
Teaching Johnny Not to Fall for Phish, for ISSA 2010 on May 2010Teaching Johnny Not to Fall for Phish, for ISSA 2010 on May 2010
Teaching Johnny Not to Fall for Phish, for ISSA 2010 on May 2010Jason Hong
 
Usable Privacy and Security: A Grand Challenge for HCI, Human Computer Inter...
Usable Privacy and Security: A Grand Challenge for HCI, Human Computer Inter...Usable Privacy and Security: A Grand Challenge for HCI, Human Computer Inter...
Usable Privacy and Security: A Grand Challenge for HCI, Human Computer Inter...Jason Hong
 

Mais conteúdo relacionado

Mais procurados

Privacy and Security for the Emerging Internet of Things
Privacy and Security for the Emerging Internet of ThingsPrivacy and Security for the Emerging Internet of Things
Privacy and Security for the Emerging Internet of ThingsJason Hong
 
How children's fingerprints on the web could mean the end of PII Authenticati...
How children's fingerprints on the web could mean the end of PII Authenticati...How children's fingerprints on the web could mean the end of PII Authenticati...
How children's fingerprints on the web could mean the end of PII Authenticati...Jisc
 
Banning Whining, Avoiding Cyber Wolves, and Creating Warrior
Banning Whining, Avoiding Cyber Wolves, and Creating WarriorBanning Whining, Avoiding Cyber Wolves, and Creating Warrior
Banning Whining, Avoiding Cyber Wolves, and Creating WarriorSandra (Sandy) Dunn
 
Online Safety 3.0: From Fear to Empowerment
Online Safety 3.0: From Fear to EmpowermentOnline Safety 3.0: From Fear to Empowerment
Online Safety 3.0: From Fear to EmpowermentConnectSafely
 
e-Safety webinar - Nov 2013
e-Safety webinar - Nov 2013e-Safety webinar - Nov 2013
e-Safety webinar - Nov 2013Jisc Scotland
 
Making Sense of Cyberspace, keynote for Software Engineering Institute Cyber ...
Making Sense of Cyberspace, keynote for Software Engineering Institute Cyber ...Making Sense of Cyberspace, keynote for Software Engineering Institute Cyber ...
Making Sense of Cyberspace, keynote for Software Engineering Institute Cyber ...Jason Hong
 
Higher Education Social Media for Emergency Management
Higher Education Social Media for Emergency ManagementHigher Education Social Media for Emergency Management
Higher Education Social Media for Emergency ManagementElizabeth King - MHA, MEP
 
Drexel University: Business and Privacy in the Cloud
Drexel University: Business and Privacy in the Cloud Drexel University: Business and Privacy in the Cloud
Drexel University: Business and Privacy in the Cloud Jim Adler
 
Increasing Sophistication - The Cyberpsychology of Online Fraud and Phishing
Increasing Sophistication - The Cyberpsychology of Online Fraud and PhishingIncreasing Sophistication - The Cyberpsychology of Online Fraud and Phishing
Increasing Sophistication - The Cyberpsychology of Online Fraud and PhishingCiarán Mc Mahon
 
Appreciating Contradications: The Cyberpsychology of Information Security
Appreciating Contradications: The Cyberpsychology of Information SecurityAppreciating Contradications: The Cyberpsychology of Information Security
Appreciating Contradications: The Cyberpsychology of Information SecurityCiarán Mc Mahon
 
In defence of the human factor
In defence of the human factorIn defence of the human factor
In defence of the human factorCiarán Mc Mahon
 
Runshaw College and the journey towards ISO 27001
Runshaw College and the journey towards ISO 27001Runshaw College and the journey towards ISO 27001
Runshaw College and the journey towards ISO 27001Jisc
 
Technologies and Policies for a Defensible Cyberspace
Technologies and Policies for a Defensible CyberspaceTechnologies and Policies for a Defensible Cyberspace
Technologies and Policies for a Defensible Cyberspacemark-smith
 
2021 IWC presentation: Risk, SOCs and Mitigations: Cognitive Security is Comi...
2021 IWC presentation: Risk, SOCs and Mitigations: Cognitive Security is Comi...2021 IWC presentation: Risk, SOCs and Mitigations: Cognitive Security is Comi...
2021 IWC presentation: Risk, SOCs and Mitigations: Cognitive Security is Comi...Sara-Jayne Terp
 
Marcus Ranum on Bad Idea Zombies
Marcus Ranum on Bad Idea Zombies Marcus Ranum on Bad Idea Zombies
Marcus Ranum on Bad Idea Zombies David Strom
 
Detection and Minimization Influence of Rumor in Social Network
Detection and Minimization Influence of Rumor in Social NetworkDetection and Minimization Influence of Rumor in Social Network
Detection and Minimization Influence of Rumor in Social NetworkIRJET Journal
 
LIFARS - Financial Cybercrime
LIFARS - Financial CybercrimeLIFARS - Financial Cybercrime
LIFARS - Financial CybercrimeLIFARS
 

Mais procurados (20)

Privacy and Security for the Emerging Internet of Things
Privacy and Security for the Emerging Internet of ThingsPrivacy and Security for the Emerging Internet of Things
Privacy and Security for the Emerging Internet of Things
 
How children's fingerprints on the web could mean the end of PII Authenticati...
How children's fingerprints on the web could mean the end of PII Authenticati...How children's fingerprints on the web could mean the end of PII Authenticati...
How children's fingerprints on the web could mean the end of PII Authenticati...
 
Digital reputations
Digital reputationsDigital reputations
Digital reputations
 
Banning Whining, Avoiding Cyber Wolves, and Creating Warrior
Banning Whining, Avoiding Cyber Wolves, and Creating WarriorBanning Whining, Avoiding Cyber Wolves, and Creating Warrior
Banning Whining, Avoiding Cyber Wolves, and Creating Warrior
 
Online Safety 3.0: From Fear to Empowerment
Online Safety 3.0: From Fear to EmpowermentOnline Safety 3.0: From Fear to Empowerment
Online Safety 3.0: From Fear to Empowerment
 
e-Safety webinar - Nov 2013
e-Safety webinar - Nov 2013e-Safety webinar - Nov 2013
e-Safety webinar - Nov 2013
 
Making Sense of Cyberspace, keynote for Software Engineering Institute Cyber ...
Making Sense of Cyberspace, keynote for Software Engineering Institute Cyber ...Making Sense of Cyberspace, keynote for Software Engineering Institute Cyber ...
Making Sense of Cyberspace, keynote for Software Engineering Institute Cyber ...
 
Higher Education Social Media for Emergency Management
Higher Education Social Media for Emergency ManagementHigher Education Social Media for Emergency Management
Higher Education Social Media for Emergency Management
 
Drexel University: Business and Privacy in the Cloud
Drexel University: Business and Privacy in the Cloud Drexel University: Business and Privacy in the Cloud
Drexel University: Business and Privacy in the Cloud
 
Increasing Sophistication - The Cyberpsychology of Online Fraud and Phishing
Increasing Sophistication - The Cyberpsychology of Online Fraud and PhishingIncreasing Sophistication - The Cyberpsychology of Online Fraud and Phishing
Increasing Sophistication - The Cyberpsychology of Online Fraud and Phishing
 
Appreciating Contradications: The Cyberpsychology of Information Security
Appreciating Contradications: The Cyberpsychology of Information SecurityAppreciating Contradications: The Cyberpsychology of Information Security
Appreciating Contradications: The Cyberpsychology of Information Security
 
In defence of the human factor
In defence of the human factorIn defence of the human factor
In defence of the human factor
 
Runshaw College and the journey towards ISO 27001
Runshaw College and the journey towards ISO 27001Runshaw College and the journey towards ISO 27001
Runshaw College and the journey towards ISO 27001
 
Technologies and Policies for a Defensible Cyberspace
Technologies and Policies for a Defensible CyberspaceTechnologies and Policies for a Defensible Cyberspace
Technologies and Policies for a Defensible Cyberspace
 
Film project 2
Film project 2Film project 2
Film project 2
 
2021 IWC presentation: Risk, SOCs and Mitigations: Cognitive Security is Comi...
2021 IWC presentation: Risk, SOCs and Mitigations: Cognitive Security is Comi...2021 IWC presentation: Risk, SOCs and Mitigations: Cognitive Security is Comi...
2021 IWC presentation: Risk, SOCs and Mitigations: Cognitive Security is Comi...
 
Information exchange through social media (NCVO Annual Conference 2012)
Information exchange through social media (NCVO Annual Conference 2012)Information exchange through social media (NCVO Annual Conference 2012)
Information exchange through social media (NCVO Annual Conference 2012)
 
Marcus Ranum on Bad Idea Zombies
Marcus Ranum on Bad Idea Zombies Marcus Ranum on Bad Idea Zombies
Marcus Ranum on Bad Idea Zombies
 
Detection and Minimization Influence of Rumor in Social Network
Detection and Minimization Influence of Rumor in Social NetworkDetection and Minimization Influence of Rumor in Social Network
Detection and Minimization Influence of Rumor in Social Network
 
LIFARS - Financial Cybercrime
LIFARS - Financial CybercrimeLIFARS - Financial Cybercrime
LIFARS - Financial Cybercrime
 

Semelhante a Teaching Johnny Not to Fall for Phish, for ISSA 2011 in Pittsburgh on Feb2011

Teaching Johnny Not to Fall for Phish, for ISSA 2010 on May 2010
Teaching Johnny Not to Fall for Phish, for ISSA 2010 on May 2010Teaching Johnny Not to Fall for Phish, for ISSA 2010 on May 2010
Teaching Johnny Not to Fall for Phish, for ISSA 2010 on May 2010Jason Hong
 
Usable Privacy and Security: A Grand Challenge for HCI, Human Computer Inter...
Usable Privacy and Security: A Grand Challenge for HCI, Human Computer Inter...Usable Privacy and Security: A Grand Challenge for HCI, Human Computer Inter...
Usable Privacy and Security: A Grand Challenge for HCI, Human Computer Inter...Jason Hong
 
Achieving Behavioral Change, for ISSA 2011 in San Francisco Feb 2011
Achieving Behavioral Change, for ISSA 2011 in San Francisco Feb 2011Achieving Behavioral Change, for ISSA 2011 in San Francisco Feb 2011
Achieving Behavioral Change, for ISSA 2011 in San Francisco Feb 2011Jason Hong
 
User Interfaces and Algorithms for Fighting Phishing, Cylab Seminar talk 2007
User Interfaces and Algorithms for Fighting Phishing, Cylab Seminar talk 2007User Interfaces and Algorithms for Fighting Phishing, Cylab Seminar talk 2007
User Interfaces and Algorithms for Fighting Phishing, Cylab Seminar talk 2007Jason Hong
 
Teaching Johnny not to Fall for Phish, at APWG CeCOS 2009
Teaching Johnny not to Fall for Phish, at APWG CeCOS 2009Teaching Johnny not to Fall for Phish, at APWG CeCOS 2009
Teaching Johnny not to Fall for Phish, at APWG CeCOS 2009Jason Hong
 
Why Do Some People Fall for Phishing Scams and What Do I Do About it?
Why Do Some People Fall for Phishing Scams and What Do I Do About it?Why Do Some People Fall for Phishing Scams and What Do I Do About it?
Why Do Some People Fall for Phishing Scams and What Do I Do About it?Beth Sallay
 
What is Social Engineering? An illustrated presentation.
What is Social Engineering? An illustrated presentation.What is Social Engineering? An illustrated presentation.
What is Social Engineering? An illustrated presentation.Pratum
 
Social Engineering Audit & Security Awareness
Social Engineering Audit & Security AwarenessSocial Engineering Audit & Security Awareness
Social Engineering Audit & Security AwarenessCBIZ, Inc.
 
Leveraging Human Factors for Effective Security Training, at FISSEA Mar2012
Leveraging Human Factors for Effective Security Training, at FISSEA Mar2012Leveraging Human Factors for Effective Security Training, at FISSEA Mar2012
Leveraging Human Factors for Effective Security Training, at FISSEA Mar2012Jason Hong
 
User Interfaces and Algorithms for Fighting Phishing, at Google Tech Talk Jan...
User Interfaces and Algorithms for Fighting Phishing, at Google Tech Talk Jan...User Interfaces and Algorithms for Fighting Phishing, at Google Tech Talk Jan...
User Interfaces and Algorithms for Fighting Phishing, at Google Tech Talk Jan...Jason Hong
 
Potential vulnerabilities to e-learning - Mimecast
Potential vulnerabilities to e-learning - MimecastPotential vulnerabilities to e-learning - Mimecast
Potential vulnerabilities to e-learning - MimecastJisc
 
Social engineering-Attack of the Human Behavior
Social engineering-Attack of the Human BehaviorSocial engineering-Attack of the Human Behavior
Social engineering-Attack of the Human BehaviorJames Krusic
 
Cyberattacks the-next-healthcare-epidemic
Cyberattacks the-next-healthcare-epidemicCyberattacks the-next-healthcare-epidemic
Cyberattacks the-next-healthcare-epidemicKate Barney
 
Naughty or nice 2007 version
Naughty or nice 2007 versionNaughty or nice 2007 version
Naughty or nice 2007 versionJohan Koren
 
A criminological psychology based digital forensic investigative framework
A criminological psychology based digital forensic investigative frameworkA criminological psychology based digital forensic investigative framework
A criminological psychology based digital forensic investigative frameworkSameer Dasaka
 
The Art of Human Hacking : Social Engineering
The Art of Human Hacking : Social Engineering The Art of Human Hacking : Social Engineering
The Art of Human Hacking : Social Engineering OWASP Foundation
 
Naughty or nice 2003 version
Naughty or nice 2003 versionNaughty or nice 2003 version
Naughty or nice 2003 versionJohan Koren
 
Building a professional digital identity
Building a professional digital identityBuilding a professional digital identity
Building a professional digital identityLisa Harris
 
CCIAOR Cyber Security Forum
CCIAOR Cyber Security ForumCCIAOR Cyber Security Forum
CCIAOR Cyber Security ForumCCIAOR
 
Cyber Security 101: Training, awareness, strategies for small to medium sized...
Cyber Security 101: Training, awareness, strategies for small to medium sized...Cyber Security 101: Training, awareness, strategies for small to medium sized...
Cyber Security 101: Training, awareness, strategies for small to medium sized...Stephen Cobb
 

Semelhante a Teaching Johnny Not to Fall for Phish, for ISSA 2011 in Pittsburgh on Feb2011 (20)

Teaching Johnny Not to Fall for Phish, for ISSA 2010 on May 2010
Teaching Johnny Not to Fall for Phish, for ISSA 2010 on May 2010Teaching Johnny Not to Fall for Phish, for ISSA 2010 on May 2010
Teaching Johnny Not to Fall for Phish, for ISSA 2010 on May 2010
 
Usable Privacy and Security: A Grand Challenge for HCI, Human Computer Inter...
Usable Privacy and Security: A Grand Challenge for HCI, Human Computer Inter...Usable Privacy and Security: A Grand Challenge for HCI, Human Computer Inter...
Usable Privacy and Security: A Grand Challenge for HCI, Human Computer Inter...
 
Achieving Behavioral Change, for ISSA 2011 in San Francisco Feb 2011
Achieving Behavioral Change, for ISSA 2011 in San Francisco Feb 2011Achieving Behavioral Change, for ISSA 2011 in San Francisco Feb 2011
Achieving Behavioral Change, for ISSA 2011 in San Francisco Feb 2011
 
User Interfaces and Algorithms for Fighting Phishing, Cylab Seminar talk 2007
User Interfaces and Algorithms for Fighting Phishing, Cylab Seminar talk 2007User Interfaces and Algorithms for Fighting Phishing, Cylab Seminar talk 2007
User Interfaces and Algorithms for Fighting Phishing, Cylab Seminar talk 2007
 
Teaching Johnny not to Fall for Phish, at APWG CeCOS 2009
Teaching Johnny not to Fall for Phish, at APWG CeCOS 2009Teaching Johnny not to Fall for Phish, at APWG CeCOS 2009
Teaching Johnny not to Fall for Phish, at APWG CeCOS 2009
 
Why Do Some People Fall for Phishing Scams and What Do I Do About it?
Why Do Some People Fall for Phishing Scams and What Do I Do About it?Why Do Some People Fall for Phishing Scams and What Do I Do About it?
Why Do Some People Fall for Phishing Scams and What Do I Do About it?
 
What is Social Engineering? An illustrated presentation.
What is Social Engineering? An illustrated presentation.What is Social Engineering? An illustrated presentation.
What is Social Engineering? An illustrated presentation.
 
Social Engineering Audit & Security Awareness
Social Engineering Audit & Security AwarenessSocial Engineering Audit & Security Awareness
Social Engineering Audit & Security Awareness
 
Leveraging Human Factors for Effective Security Training, at FISSEA Mar2012
Leveraging Human Factors for Effective Security Training, at FISSEA Mar2012Leveraging Human Factors for Effective Security Training, at FISSEA Mar2012
Leveraging Human Factors for Effective Security Training, at FISSEA Mar2012
 
User Interfaces and Algorithms for Fighting Phishing, at Google Tech Talk Jan...
User Interfaces and Algorithms for Fighting Phishing, at Google Tech Talk Jan...User Interfaces and Algorithms for Fighting Phishing, at Google Tech Talk Jan...
User Interfaces and Algorithms for Fighting Phishing, at Google Tech Talk Jan...
 
Potential vulnerabilities to e-learning - Mimecast
Potential vulnerabilities to e-learning - MimecastPotential vulnerabilities to e-learning - Mimecast
Potential vulnerabilities to e-learning - Mimecast
 
Social engineering-Attack of the Human Behavior
Social engineering-Attack of the Human BehaviorSocial engineering-Attack of the Human Behavior
Social engineering-Attack of the Human Behavior
 
Cyberattacks the-next-healthcare-epidemic
Cyberattacks the-next-healthcare-epidemicCyberattacks the-next-healthcare-epidemic
Cyberattacks the-next-healthcare-epidemic
 
Naughty or nice 2007 version
Naughty or nice 2007 versionNaughty or nice 2007 version
Naughty or nice 2007 version
 
A criminological psychology based digital forensic investigative framework
A criminological psychology based digital forensic investigative frameworkA criminological psychology based digital forensic investigative framework
A criminological psychology based digital forensic investigative framework
 
The Art of Human Hacking : Social Engineering
The Art of Human Hacking : Social Engineering The Art of Human Hacking : Social Engineering
The Art of Human Hacking : Social Engineering
 
Naughty or nice 2003 version
Naughty or nice 2003 versionNaughty or nice 2003 version
Naughty or nice 2003 version
 
Building a professional digital identity
Building a professional digital identityBuilding a professional digital identity
Building a professional digital identity
 
CCIAOR Cyber Security Forum
CCIAOR Cyber Security ForumCCIAOR Cyber Security Forum
CCIAOR Cyber Security Forum
 
Cyber Security 101: Training, awareness, strategies for small to medium sized...
Cyber Security 101: Training, awareness, strategies for small to medium sized...Cyber Security 101: Training, awareness, strategies for small to medium sized...
Cyber Security 101: Training, awareness, strategies for small to medium sized...
 

Último

My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 

Último (20)

My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 

Teaching Johnny Not to Fall for Phish, for ISSA 2011 in Pittsburgh on Feb2011

  • 1. Jason Hong, PhD Carnegie Mellon University Wombat Security Technologies Teaching Johnny Not to Fall for Phish
  • 2. Everyday Privacy and Security Problem
  • 4. How Bad Is Phishing? Consumer Perspective • Estimated ~0.5% of Internet users per year fall for phishing attacks • Conservative $1B+ direct losses a year to consumers – Bank accounts, credit card fraud – Doesn’t include time wasted on recovery of funds, restoring computers, emotional uncertainty • Growth rate of phishing – 30k+ reported unique emails / month – 45k+ reported unique sites / month • Social networking sites now major targets
  • 5. How Bad Is Phishing? Perspective of Corporations • Direct damage – Loss of sensitive customer data
  • 6. How Bad Is Phishing? Perspective of Corporations • Direct damage – Loss of sensitive customer data – Loss of intellectual property
  • 7. How Bad Is Phishing? Perspective of Corporations • Direct damage – Loss of sensitive customer data – Loss of intellectual property – Fraud – Disruption of network services • Indirect damage – Damage to reputation, lost sales, etc – Response costs (call centers, recovery) • One bank estimated it cost them $1M per phishing attack
  • 8. General Patton is retiring next week, click here to say whether you can attend his retirement party Phishing Increasing in Sophistication Targeting Your Organization • Spear-phishing targets specific groups or individuals • Type #1 – Uses info about your organization
  • 9. Phishing Increasing in Sophistication Targeting Your Organization • Around 40% of people in our experiments at CMU would fall for emails like this (control condition)
  • 10. Phishing Increasing in Sophistication Targeting You Specifically • Type #2 – Uses info specifically about you – Social phishing • Might use information from social networking sites, corporate directories, or publicly available data • Ex. Fake emails from friends or co-workers • Ex. Fake videos of you and your friends
  • 11. Phishing Increasing in Sophistication Targeting You Specifically Here’s a video I took of your poster presentation.
  • 12. Phishing Increasing in Sophistication Targeting You Specifically • Type #2 – Uses info specifically about you – Whaling – focusing on big targets Thousands of high-ranking executives across the country have been receiving e-mail messages this week that appear to be official subpoenas from the United States District Court in San Diego. Each message includes the executive’s name, company and phone number, and commands the recipient to appear before a grand jury in a civil case. -- New York Times Apr16 2008
  • 13. Phishing Increasing in Sophistication Combination with Malware • Malware and phishing are becoming combined – Poisoned attachments (Ex. custom PDF exploits) – Links to web sites with malware (web browser exploits) – Can install keyloggers or remote access software
  • 14.
  • 15. Protecting People from Phishing • Research we have done at Carnegie Mellon – http://cups.cs.cmu.edu/trust.php • Human side – Interviews and surveys to understand decision-making – PhishGuru embedded training – Micro-games for security training – Understanding effectiveness of browser warnings • Computer side – PILFER email anti-phishing filter – CANTINA web anti-phishing algorithm – Evaluating effectiveness of existing blacklists – Machine learning of blacklists
  • 16. Results of Our Research • Startup – Customers of micro-games featured include governments, financials, universities – Our email filter is labeling several million emails per day • Study on browser warnings -> MSIE8 • Elements of our work adopted by Anti-Phishing Working Group (APWG) • Popular press article in Scientific American
  • 17. Outline of Rest of Talk • Rest of talk will focus on educating end-users • PhishGuru embedded training • Anti-Phishing Phil micro-game
  • 18. User Education is Challenging • Users are not motivated to learn about security • Security is a secondary task • Difficult to teach people to make right online trust decision without increasing false positives “User education is a complete waste of time. It is about as much use as nailing jelly to a wall…. They are not interested…they just want to do their job.” Martin Overton, IBM security specialist http://news.cnet.com/21007350_361252132.html
  • 19. But Actually, Users Are Trainable • Our research demonstrates that users can learn techniques to protect themselves from phishing… if you can get them to pay attention to training P. Kumaraguru, S. Sheng, A. Acquisti, L. Cranor, and J. Hong. Teaching Johnny Not to Fall for Phish. CyLab Technical Report CMU CyLab07003, 2007.
  • 20. How Do We Get People Trained? • Solution – Find “teachable moments”: PhishGuru – Make training fun: Anti-Phishing Phil – Use learning science principles throughout
  • 21. PhishGuru Embedded Training • Send emails that look like a phishing attack • If recipient falls for it, show intervention that teaches what cues to look for in succinct and engaging format • Multiple user studies have demonstrated that PhishGuru is effective • Delivering same training via direct email is not effective!
  • 22. Subject: Revision to Your Amazon.com InformationSubject: Revision to Your Amazon.com Information
  • 23. Subject: Revision to Your Amazon.com InformationSubject: Revision to Your Amazon.com Information Please login and enter your informationPlease login and enter your information
  • 24.
  • 25. Evaluation of PhishGuru • Is embedded training effective? – Study 1: Lab study, 30 participants – Study 2: Lab study, 42 participants – Study 3: Field trial at company, ~300 participants – Study 4: Field trial at CMU, ~500 participants • Studies showed significant decrease in falling for phish and ability to retain what they learned P. Kumaraguru et al. Protecting People from Phishing: The Design and Evaluation of an Embedded Training Email System. CHI 2007. P. Kumaraguru et al. Getting Users to Pay Attention to Anti-Phishing Education: Evaluation of Retention and Transfer. eCrime 2007.
  • 26. Study #4 at CMU • Investigate effectiveness and retention of training after 1 week, 2 weeks, and 4 weeks • Compare effectiveness of 2 training messages vs 1 training message • Examine demographics and phishing P. Kumaraguru, J. Cranshaw, A. Acquisti, L. Cranor, J. Hong, M. A. Blair, and T. Pham. School of Phish: A Real-World Evaluation of Anti-Phishing Training. 2009. SOUPS 2009.
  • 27. Study design • Sent email to all CMU students, faculty and staff to recruit participants (opt-in) • 515 participants in three conditions – Control / One training message / Two messages • Emails sent over 28 day period – 7 simulated spear-phishing messages – 3 legitimate (cyber security scavenger hunt) • Campus help desks and IT departments notified before messages sent
  • 28. Effect of PhishGuru Training Condition N % who clicked on Day 0 % who clicked on Day 28 Control 172 52.3 44.2 Trained 343 48.4 24.5
  • 29. Discussion of PhishGuru • PhishGuru can teach people to identify phish better – People retain the knowledge • People trained on first day less likely to be phished • Two training messages work better – People weren’t less likely to click on legitimate emails – People aren’t resentful, many happy to have learned • 68 out of 85 surveyed said they recommend CMU continue doing this sort of training in future • “I really liked the idea of sending CMU students fake phishing emails and then saying to them, essentially, HEY! You could've just gotten scammed! You should be more careful -- here's how....” • Contrast to US DOJ and Guam Air Force Base
  • 30. APWG Landing Page • CMU and Wombat helped Anti-Phishing Working Group develop landing page for taken down sites – Already in use by several takedown companies – Seen by ~200,000 people in past 27 months
  • 31. Anti-Phishing Phil • A micro-game to teach people not to fall for phish – PhishGuru about email, this game about web browser – Also based on learning science principles • Goals – How to parse URLs – Where to look for URLs – Use search engines for help • Try the game! – Search for “phishing game” S. Sheng et al. Anti-Phishing Phil: The Design and Evaluation of a Game That Teaches People Not to Fall for Phish. In SOUPS 2007, Pittsburgh, PA, 2007.
  • 33.
  • 34.
  • 35.
  • 36.
  • 37.
  • 38. Evaluation of Anti-Phishing Phil • Is Phil effective? Yes! – Study 1: 56 people in lab study – Study 2: 4517 people in field trial • Brief results of Study 1 – Phil about as effective in helping people detect phishing web sites as paying people to read training material – But Phil has significantly fewer false positives overall • Suggests that existing training material making people paranoid about phish rather than differentiating
  • 39. Evaluation of Anti-Phishing Phil • Study 2: 4517 participants in field trial – Randomly selected from 80000 people • Conditions – Control: Label 12 sites then play game – Game: Label 6 sites, play game, then label 6 more, then after 7 days, label 6 more (18 total) • Participants – 2021 people in game condition, 674 did retention portion
  • 40. Anti-Phishing Phil: Study 2 • Novices showed most improvement in false negatives (calling phish legitimate)
  • 41. Anti-Phishing Phil: Study 2 • Improvement all around for false positives
  • 42. Anti-Phishing Phyllis • New micro-game just released by Wombat Security • Focuses on teaching people about what cues to look for in emails – Some emails are legitimate, some fake – Have to identify cues as dangerous or harmless
  • 43. Summary • Phishing is already a plague on the Internet – Seriously affects consumers, businesses, governments – Criminals getting more sophisticated • End-users can be trained, but only if done right – Use a combination of fun and learning science – PhishGuru embedded training uses simulated phishing – Anti-Phishing Phil and Anti-Phishing Phyllis micro-games • Can try PhishGuru, Phil, and Phyllis at: www.wombatsecurity.com
  • 44. Acknowledgments • Ponnurangam Kumaraguru • Steve Sheng • Lorrie Cranor • Norman Sadeh
  • 45.
  • 49. How Effective are these Warnings? • Tested four conditions – FireFox Active Block – IE Active Block – IE Passive Warning – Control (no warnings or blocks) • “Shopping Study” – Setup some fake phishing pages and added to blacklists – We phished users after purchases (2 phish/user) – Real email accounts and personal information S. Egelman, L. Cranor, and J. Hong. You've Been Warned: An Empirical Study of the Effectiveness of Web Browser Phishing Warnings. CHI 2008.
  • 50. How Effective are these Warnings? Almost everyone clicked, even those with technical backgrounds
  • 51. How Effective are these Warnings?
  • 52. Discussion of Phish Warnings • Nearly everyone will fall for highly contextual phish • Passive IE warning failed for many reasons – Didn’t interrupt the main task – Slow to appear (up to 5 seconds) – Not clear what the right action was – Looked too much like other ignorable warnings (habituation) – Bug in implementation, any keystroke dismisses
  • 54. Discussion of Phish Warnings • Active IE warnings – Most saw but did not believe it • “Since it gave me the option of still proceeding to the website, I figured it couldn’t be that bad” – Some element of habituation (looks like other warnings) – Saw two pathological cases
  • 56. Internet Explorer 8 Re-design
  • 57. A Science of Warnings • See the warning? • Understand? • Believe it? • Motivated? • Can and will act? • Refining this model for computer warnings
  • 58. Outline • Human side – Interviews and surveys to understand decision-making – PhishGuru embedded training – Anti-Phishing Phil game – Understanding effectiveness of browser warnings • Computer side – PILFER email anti-phishing filter – CANTINA web anti-phishing algorithm – Machine learning of blacklists Can we improve phish detection of web sites?
  • 59. Detecting Phishing Web Sites • Industry uses blacklists to label phishing sites – But blacklists slow to new attacks • Idea: Use search engines – Scammers often directly copy web pages – But fake pages should have low PageRank on search engines – Generate text-based “fingerprint” of web page keywords and send to a search engine Y. Zhang, S. Egelman, L. Cranor, and J. Hong Phinding Phish: Evaluating Anti-Phishing Tools. In NDSS 2007. Y. Zhang, J. Hong, and L. Cranor. CANTINA: A content-based approach to detecting phishing web sites. In WWW 2007. G. Xiang and J. Hong. A Hybrid Phish Detection Approach by Identity Discovery and Keywords Retrieval. In WWW 2009.
  • 60. Robust Hyperlinks • Developed by Phelps and Wilensky to solve “404 not found” problem • Key idea was to add a lexical signature to URLs that could be fed to a search engine if URL failed – Ex. http://abc.com/page.html?sig=“word1+word2+...+word5” • How to generate signature? – Found that TF-IDF was fairly effective • Informal evaluation found five words was sufficient for most web pages
  • 61. Fake eBay, user, sign, help, forgot
  • 62. Real eBay, user, sign, help, forgot
  • 63.
  • 64.
  • 66. Machine Learning of Blacklists • Human-verified blacklists maintained by Microsoft, Google, PhishTank – Pros: Reliable, extremely low false positives – Cons: Slow to respond, can be flooded with URLs (fast flux) • Observation #1: many phishing sites similar – Constructed through toolkits • Observation #2: many phishing sites similar – Fast flux (URL actually points to same site) • Idea: Rather than just examining URL, compare content of a site to known phishing sites
  • 67. Machine Learning of Blacklists • Approach #1: Use hashcodes of web page – Simple, good against fast flux – Easy to defeat (though can allow some flexibility) • Approach #2: Use shingling – Shingling is an approach used by search engines to find duplicate pages – “connect with the eBay community” -> {connect with the, with the eBay, the eBay community} – Count the number of common shingles out of total shingles, set threshold
  • 68. Machine Learning of Blacklists • Use Shingling • Protect against false positives – Phishing sites look a lot like real sites – Have a small whitelist (ebay, paypal, etc) – Use CANTINA too
  • 69. Tells people why they are seeing this message, uses engaging character Tells people why they are seeing this message, uses engaging character
  • 70. Tells a story about what happened and what the risks are Tells a story about what happened and what the risks are
  • 71. Gives concrete examples of how to protect oneself Gives concrete examples of how to protect oneself
  • 72. Explains how criminals conduct phishing attacks Explains how criminals conduct phishing attacks

Notas do Editor

  1. 2-3.5 billion http://www.gartner.com/it/page.jsp?id=498245
  2. 2-3.5 billion http://www.gartner.com/it/page.jsp?id=498245
  3. 2-3.5 billion http://www.gartner.com/it/page.jsp?id=498245
  4. 2-3.5 billion http://www.gartner.com/it/page.jsp?id=498245
  5. http://www.nytimes.com/2008/04/16/technology/16whale.html
  6. Biz week http://www.businessweek.com/magazine/content/08_16/b4080032218430.htm The e-mail message addressed to a Booz Allen Hamilton executive was mundane—a shopping list sent over by the Pentagon of weaponry India wanted to buy. But the missive turned out to be a brilliant fake. Lurking beneath the description of aircraft, engines, and radar equipment was an insidious piece of computer code known as "Poison Ivy" designed to suck sensitive data out of the $4 billion consulting firm's computer network. The Pentagon hadn't sent the e-mail at all. Its origin is unknown, but the message traveled through Korea on its way to Booz Allen. Its authors knew enough about the "sender" and "recipient" to craft a message unlikely to arouse suspicion. Had the Booz Allen executive clicked on the attachment, his every keystroke would have been reported back to a mysterious master at the Internet address cybersyndrome.3322.org, which is registered through an obscure company headquartered on the banks of China's Yangtze River.
  7. Thus far, our work has generated a great deal of interest and collaboration from a number of partners. Our automated email filter is undergoing a field trial at ****** main email servers, where it is labeling several million emails per day. Our research evaluating anti-phishing toolbars has been cited by several companies, with ongoing evaluations being presented to the Anti-Phishing Working Group, a consortium of companies “committed to wiping out Internet scams and fraud.” Design suggestions from our studies to understand browser warnings have been incorporated into the latest version of Microsoft’s Internet Explorer 8. PhishGuru’s methodology of sending fake phishing emails to train individuals has undergone field trials at three different companies, and been cited by two different companies trying to commercialize the work. PhishGuru’s training materials have also been adopted by APWG on their landing page, a page that ISPs and web sites can show after taking down a phishing web site. Anti-Phishing Phil has been played by over 100,000 people, licensed by two companies, demoed at many security days meant to teach people about good security practices, and translated into Portuguese with several more translations underway. Finally, our group is commercializing all of this work through a startup we have founded, named Wombat Security Technologies.
  8. ASSUME THAT THIS IS YOUR EMAIL INBOX AND AMONG OTHER EMAILS.. YOU THIS EMAIL FROM AMAZON THAT JUST LOOKS LIKE THE LEGITIMATE EMAIL FROM AMAZON. WHEN YOU OPEN THE EMAIL ….
  9. YOU WILL SEE THIS.. WHICH LOOKS LEGITIMATE.. AND WITH THE DATA THAT WE HAVE .. WE KNOW THAT MOST OF THE USERS WILL CLICK ON THE LINK.. WHEN THEY CLICK ON THE LINK THEY WILL SEE ….
  10. P. Kumaraguru et al. Protecting People from Phishing: The Design and Evaluation of an Embedded Training Email System. CHI 2007. P. Kumaraguru et al. Getting Users to Pay Attention to Anti-Phishing Education: Evaluation of Retention and Transfer . eCrime 2007.
  11. TO ADDRESS SOME OF THE LIMITATIONS IN THIS STUDY, I AM CURRENTLY DOING THIS EXCITING STUDY AMONG CMU STUDENTS/FACULTY/STAFF WHERE I AM PHISHING THEM FOR THE LAST 4 WEEKS… I WAS INTERESTED IN STUDYING LONG TERM RETENTION .. MORE THAN 1 WEEK.. SO IN THIS STUDY WE ARE STUDYING 4 WEEK RETENTION.. IN PREVIOUS STUDY WE STUDIED 1 TRAINING MATERIAL… HERE WE ARE STUDYING 2 MESSAGES… THIS STUDY IS REALLY IN THE WILD AND WE ARE COLLECTING LOT OF DATA…. I M STILL IN THE DATA COLLECTION MODE IN A FEW WEEKS, I SHOULD HAVE SOME RESULTS FROM THIS STUDY…
  12. Spear phishing emails are targetted phishing emails COLLECTING VARIETY OF INFORMATION (HR, COMPLAINTS THAT ARE BEING LOGGED TO HELP CENTERS AND ISO) COUNTERBALANCING THE EMAILS COLLECTING DATA FOR LEGITIMATE EMAILS TO SEE WHETHER TRAIING INCREASES CONCERN
  13. The idea in this slide is to show that training conditions did better than control conditions and it was significantdifferenc… There is an improvement of 50% among people in PhihsGuru training
  14. 200k people in past 20 months was in May 2010
  15. S. Sheng, B. Magnien, P. Kumaraguru, A. Acquisti, L. Cranor, J. Hong, and E. Nunge. Anti-Phishing Phil: The Design and Evaluation of a Game That Teaches People Not to Fall for Phish. In Proceedings of the 2007 Symposium On Usable Privacy and Security, Pittsburgh, PA, July 18-20, 2007.
  16. Phil needs to score 6 / 8 to move on to the next rounds, and the end of the round, phil got a chance to reflect what he missed.
  17. In between rounds, we also have short tutorials to teach Phil better strategies to identify phishing. In this example, Phil’s father teaches Phil how to use a search engine.
  18. S. Egelman, L. Cranor, and J. Hong. You've Been Warned: An Empirical Study of the Effectiveness of Web Browser Phishing Warnings. CHI 2008.
  19. THE USER WILL SEE THIS INTERVENTION… WHICH TELLS THEM HOW TO AVOID FALLING FROM PHISHING EMAILS… I WILL DESCRIBE IN DETAIL WHAT INFORMATION IS IN THIS INTERVENTION IN A COUPLE OF MINUTES. You have the printout of this intervention…
  20. THE USER WILL SEE THIS INTERVENTION… WHICH TELLS THEM HOW TO AVOID FALLING FROM PHISHING EMAILS… I WILL DESCRIBE IN DETAIL WHAT INFORMATION IS IN THIS INTERVENTION IN A COUPLE OF MINUTES. You have the printout of this intervention…
  21. THE USER WILL SEE THIS INTERVENTION… WHICH TELLS THEM HOW TO AVOID FALLING FROM PHISHING EMAILS… I WILL DESCRIBE IN DETAIL WHAT INFORMATION IS IN THIS INTERVENTION IN A COUPLE OF MINUTES. You have the printout of this intervention…
  22. THE USER WILL SEE THIS INTERVENTION… WHICH TELLS THEM HOW TO AVOID FALLING FROM PHISHING EMAILS… I WILL DESCRIBE IN DETAIL WHAT INFORMATION IS IN THIS INTERVENTION IN A COUPLE OF MINUTES. You have the printout of this intervention…
  23. THE USER WILL SEE THIS INTERVENTION… WHICH TELLS THEM HOW TO AVOID FALLING FROM PHISHING EMAILS… I WILL DESCRIBE IN DETAIL WHAT INFORMATION IS IN THIS INTERVENTION IN A COUPLE OF MINUTES. You have the printout of this intervention…