User Interfaces and Algorithms
for Fighting Phishing
Jason I. Hong
Carnegie Mellon University
Everyday Privacy and Security Problem
This entire process is known as phishing
Phishing is a Plague on the Internet
• Estimated 3.5 million people have fallen for phishing
• Estimated $350m-$2b direct losses a year
• 9255 unique phishing sites reported in June 2006
• Easier (and safer) to phish than rob a bank
Project: Supporting Trust Decisions
• Goal: help people make better online trust decisions
– Currently focusing on anti-phishing
• Large multi-disciplinary team project at CMU
– Six faculty, five PhD students, undergrads, staff
– Computer science, human-computer interaction,
public policy, social and decision sciences, CERT
Our Multi-Pronged Approach
• Human side
– Interviews to understand decision-making
– PhishGuru embedded training
– Anti-Phishing Phil game
– Understanding effectiveness of browser warnings
• Computer side
– PILFER email anti-phishing filter
– CANTINA web anti-phishing algorithm
Automate where possible, support where necessary
What do users know about phishing?
Interview Study
• Interviewed 40 Internet users (35 non-experts)
• “Mental models” interviews included email
role play and open ended questions
• Brief overview of results (see paper for details)
J. Downs, M. Holbrook, and L. Cranor. Decision Strategies
and Susceptibility to Phishing. In Proceedings of the
2006 Symposium On Usable Privacy and Security, 12-14
July 2006, Pittsburgh, PA.
Little Knowledge of Phishing
• Only about half knew meaning of the term “phishing”
“Something to do with the band Phish, I take it.”
Little Attention Paid to URLs
• Only 55% of participants said they had ever
noticed an unexpected or strange-looking URL
• Most did not consider them to be suspicious
Some Knowledge of Scams
• 55% of participants reported being cautious
when email asks for sensitive financial info
– But very few reported being suspicious of email
asking for passwords
• Knowledge of financial phish reduced likelihood
of falling for these scams
– But did not transfer to other scams, such as an
amazon.com password phish
Naive Evaluation Strategies
• The most frequent strategies don’t help much
in identifying phish
– This email appears to be for me
– It’s normal to hear from companies you do business with
– Reputable companies will send emails
“I will probably give them the information that they asked for.
And I would assume that I had already given them that
information at some point so I will feel comfortable giving it to
them again.”
Summary of Findings
• People generally not good at identifying scams
they haven’t specifically seen before
• People don’t use good strategies to protect
themselves
• Currently running large-scale survey across
multiple cities in the US to gather more data
• Amazon also active in looking for fake domain names
Can we train people not to fall for phish?
Web Site Training Study
• Laboratory study of 28 non-expert computer users
• Asked participants to evaluate 20 web sites
– Control group evaluated 10 web sites, took 15 min break to
read email or play solitaire, evaluated 10 more web sites
– Experimental group same as above, but spent 15 min break
reading web-based training materials
• Experimental group performed significantly better
identifying phish after training
– Less reliance on “professional-looking” designs
– Looking at and understanding URLs
– Web site asks for too much information
People can learn from web-based training materials,
if only we could get them to read them!
How Do We Get People Trained?
• Most people don’t proactively look for training
materials on the web
• Companies send “security notice” emails to
employees and/or customers
• We hypothesized these tend to be ignored
– Too much to read
– People don’t consider them relevant
– People think they already know how to protect themselves
• Led us to idea of embedded training
Embedded Training
• Can we “train” people during their normal use of
email to avoid phishing attacks?
– Periodically, people get sent a training email
– Training email looks like a phishing attack
– If person falls for it, intervention warns and highlights
what cues to look for in succinct and engaging format
P. Kumaraguru, Y. Rhee, A. Acquisti, L. Cranor, J.
Hong, and E. Nunge. Protecting People from
Phishing: The Design and Evaluation of an
Embedded Training Email System. CHI 2007.
Embedded training example
Subject: Revision to Your Amazon.com Information
Please login and enter your information
http://www.amazon.com/exec/obidos/sign-in.html
Intervention #1 – Diagram
• Explains why they are seeing this message
• Explains what a phishing scam is
• Explains how to identify a phishing scam
• Explains simple things you can do to protect self
Intervention #2 – Comic Strip
Embedded Training Evaluation #1
• Lab study comparing our prototypes to
standard security notices
– EBay, PayPal notices
– Intervention #1 – Diagram that explains phishing
– Intervention #2 – Comic strip that tells a story
• 10 participants in each condition (30 total)
– Screened so we only have novices
• Go through 19 emails, 4 phishing attacks
scattered throughout, 2 training emails too
– Role play as Bobby Smith at Cognix Inc
Embedded Training Results
• Existing practice of security notices is ineffective
• Diagram intervention somewhat better
• Comic strip intervention worked best
– Statistically significant
– Combination of less text, graphics, story?
Evaluation #2
• New questions:
– Have to fall for phishing email to be effective?
– How well do people retain knowledge?
• Roughly same experiment as before
– Role play as Bobby Smith at Cognix Inc, go thru 16 emails
– Embedded condition means have to fall for our email
– Non-embedded means we just send the comic strip
– Had people come back after 1 week
– Improved design of comic strip intervention
• To appear in APWG eCrime Researchers’ Summit
(Oct 4-5 at CMU)
Results of Evaluation #2
• Have to fall for phishing email to be effective?
• How well do people retain knowledge after a week?
[Chart: mean correctness on the training set before training, immediately after, and after a delay, for the non-embedded and embedded conditions; y-axis 0.00 to 1.00]
Anti-Phishing Phil
• A game to teach people not to fall for phish
– Embedded training focuses on email
– Our game focuses on web browser, URLs
• Goals
– How to parse URLs
– Where to look for URLs
– Use search engines for help
• Try the game!
– http://cups.cs.cmu.edu/antiphishing_phil
Evaluation of Anti-Phishing Phil
• Test participants’ ability to identify phishing
web sites before and after training up to 15 min
– 10 web sites before training, 10 after, randomized order
• Three conditions:
– Web-based phishing education
– Printed tutorial of our materials
– Anti-phishing Phil
• 14 participants in each condition
– Screened out security experts
– Younger, college students
Results
• No statistically significant difference in
false negatives among the three groups
– Actually a phish, but participant thinks it’s not
– Unsure why, considering a larger online study
• Though game group had fewest false positives
Do people see, understand,
and believe web browser warnings?
Screenshots
Internet Explorer – Passive Warning
Screenshots
Internet Explorer – Active Block
Screenshots
Mozilla FireFox – Active Block
How Effective are these Warnings?
• We tested four conditions
– FireFox Active Block
– IE Active Block
– IE Passive Warning
– Control (no warnings or blocks)
• “Shopping Study”
– Setup some fake phishing pages and added to blacklists
– Users were phished after purchases
– Real email accounts and personal information
– Spoofing eBay and Amazon (2 phish/user)
– We observed them interact with the warnings
How Effective are these Warnings?
Improving Phishing Indicators
• Passive warning failed for many reasons
– Didn’t interrupt the main task
– Wasn’t clear what the right action was
– Looked too much like other ignorable warnings
• Now looking at science of warnings
– How to create effective security warnings
Can we automatically detect phish emails?
PILFER Email Anti-Phishing Filter
• Philosophy: automate where possible, support
where necessary
• Goal: Create email filter that detects phishing emails
– Spam filters well-explored, but how good for phishing?
– Can we create a custom filter for phishing?
• I. Fette, N. Sadeh, A. Tomasic. Learning to Detect
Phishing Emails. In WWW 2007.
PILFER Email Anti-Phishing Filter
• Heuristics combined in SVM
– IP addresses in link (http://128.23.34.45/blah)
– Age of linked-to domains (younger domains likely phishing)
– Non-matching URLs (ex. most links point to PayPal)
– “Click here to restore your account”
– HTML email
– Number of links
– Number of domain names in links
– Number of dots in URLs
(http://www.paypal.update.example.com/update.cgi)
– JavaScript
– SpamAssassin rating
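As an added example (not PILFER's own code), the link-based heuristics listed above extracted from a constructed HTML email in Python. The SVM is replaced by a plain count of triggered heuristics, and domain age and the SpamAssassin rating are omitted because both need external lookups; both sample messages are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample messages for this demonstration; neither is a real email.
SAMPLE_PHISH = """<html><body>
<p>Dear PayPal member, your account has been limited.</p>
<p><a href="http://128.23.34.45/blah/login">Click here to restore your account</a></p>
<p>Or go to <a href="http://www.paypal.update.example.com/update.cgi">www.paypal.com</a></p>
<script>window.status = "https://www.paypal.com/";</script>
</body></html>"""

SAMPLE_HAM = """<html><body>
<p>Your monthly statement is ready.</p>
<p>View it at <a href="https://www.example.com/statements">your statements page</a>.</p>
</body></html>"""

IPV4_HOST = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
HOSTNAME_IN_TEXT = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b")
LURE_PHRASES = ("click here", "restore your account")


class LinkCollector(HTMLParser):
    """Collects (href, anchor text) pairs and notes whether a <script> tag appears."""

    def __init__(self):
        super().__init__()
        self.links = []          # each entry is [href, anchor text]
        self.has_script = False
        self._in_anchor = False

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links.append([dict(attrs).get("href") or "", ""])
            self._in_anchor = True
        elif tag == "script":
            self.has_script = True

    def handle_endtag(self, tag):
        if tag == "a":
            self._in_anchor = False

    def handle_data(self, data):
        if self._in_anchor and self.links:
            self.links[-1][1] += data


def hostname(url):
    return (urlparse(url).hostname or "").lower()


def extract_features(html):
    """Compute the slide's link-based heuristics for one message body."""
    parser = LinkCollector()
    parser.feed(html)
    hrefs = [href for href, _ in parser.links]
    hosts = [hostname(h) for h in hrefs if hostname(h)]
    # Non-matching URL: the visible anchor text names a host, but the href goes elsewhere
    nonmatching = 0
    for href, text in parser.links:
        m = HOSTNAME_IN_TEXT.search(text.lower())
        if m and m.group(1) != hostname(href):
            nonmatching += 1
    body_text = re.sub(r"<[^>]+>", " ", html).lower()
    return {
        "is_html": bool(re.search(r"<html|<body|<a\s", html, re.I)),
        "num_links": len(parser.links),
        "num_domains": len(set(hosts)),
        "ip_in_link": any(bool(IPV4_HOST.match(h)) for h in hosts),
        "max_dots_in_host": max((h.count(".") for h in hosts), default=0),
        "nonmatching_urls": nonmatching,
        "lure_phrase": any(p in body_text for p in LURE_PHRASES),
        "has_javascript": parser.has_script
        or any(h.lower().startswith("javascript:") for h in hrefs),
    }


def suspicion_score(features):
    """Number of triggered heuristics: a stand-in for PILFER's trained SVM,
    which weights these features rather than simply counting them."""
    return sum([
        features["ip_in_link"],
        features["nonmatching_urls"] > 0,
        features["max_dots_in_host"] >= 4,
        features["lure_phrase"],
        features["has_javascript"],
        features["num_domains"] > 1,
    ])
```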
PILFER Evaluation
• Ham corpora from SpamAssassin (2002 and 2003)
– 6950 good emails
• Phishing corpus
– 860 phishing emails
PILFER Evaluation
• PILFER now implemented as SpamAssassin filter
• Alas, Ian has left for Google
Can we do better in automatically
detecting phish web sites?
Lots of Phish Detection Algorithms
• Dozens of anti-phishing toolbars offered
– Built into security software suites
– Offered by ISPs
– Free downloads
– Built into latest version of popular web browsers
– 132 on download.com
• But how well do they detect phish?
– Short answer: still room for improvement
Testing the Toolbars
• November 2006: Automated evaluation of 10 toolbars
– Used phishtank.com and APWG as source of phishing URLs
– Evaluated 100 phish and 510 legitimate sites
Y. Zhang, S. Egelman, L. Cranor, J. Hong. Phinding Phish:
An Evaluation of Anti-Phishing Toolbars. NDSS 2006.
Testbed System Architecture
Results
[Charts: percentage of phishing sites correctly identified at 0, 1, 2, 12 and 24 hours for SpoofGuard, EarthLink, Netcraft, Google/Firefox w/Google, IE7, Cloudmark, TrustWatch, eBay, Netscape, McAfee, CallingID and Firefox; one chart uses PhishTank URLs (annotated "38% false positives" and "1% false positives"), the other APWG URLs]
Results
• Only one toolbar >90% accuracy (but high false positives)
• Several catch 70-85% of phish with few false positives
• Can we do better?
– Can we use search engines to help find phish?
Y. Zhang, J. Hong, L. Cranor. CANTINA: A Content-
Based Approach to Detecting Phishing Web Sites. In
WWW 2007.
Robust Hyperlinks
• Developed by Phelps and Wilensky to solve
“404 not found” problem
• Key idea was to add a lexical signature to URLs
that could be fed to a search engine if URL failed
– Ex. http://abc.com/page.html?sig=“word1+word2+...+word5”
• How to generate signature?
– Found that TF-IDF was fairly effective
• Informal evaluation found five words was sufficient
for most web pages
Adapting TF-IDF for Anti-Phishing
• Can same basic approach be used for anti-phishing?
– Scammers often directly copy web pages
– With Google search engine, fake should have low page rank
[Screenshots: fake page and real page]
How CANTINA Works
• Given a web page, calculate TF-IDF score for
each word in that page
• Take five words with highest TF-IDF weights
• Feed these five words into a search engine (Google)
• If domain name of current web page is in top N
search results, we consider it legitimate
– N=30 worked well
– No improvement by increasing N
• Later, added some heuristics to reduce false positives
Fake page signature: eBay, user, sign, help, forgot
Real page signature: eBay, user, sign, help, forgot
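An added worked example of the CANTINA pipeline described above (not the project's code): a TF-IDF signature over the page text, then a check whether the page's domain is among the top N search results for that signature. The search engine is replaced by a constructed toy index, and the page text, background documents and URLs are all constructed; the 5-word signature produced here happens to match the one shown on the slide.

```python
import math
import re
from collections import Counter
from urllib.parse import urlparse

WORD = re.compile(r"[a-z]+")


def tokenize(text):
    """Lower-case alphabetic tokens; words under 3 letters are dropped as a crude stop-word filter."""
    return [w for w in WORD.findall(text.lower()) if len(w) >= 3]


def tfidf_signature(page_text, background_docs, k=5):
    """Return the k words of page_text with the highest TF-IDF weight.
    TF is the word's share of the page; IDF is computed over the page plus
    background_docs, a small constructed corpus standing in for the large
    document collection a real deployment would use."""
    words = tokenize(page_text)
    counts = Counter(words)
    doc_sets = [set(tokenize(d)) for d in background_docs]
    n_docs = len(doc_sets) + 1            # the page itself counts as a document
    scores = {}
    for w, c in counts.items():
        df = 1 + sum(1 for d in doc_sets if w in d)
        scores[w] = (c / len(words)) * math.log(n_docs / df)
    # Highest weight first; alphabetical order breaks exact ties deterministically
    return sorted(scores, key=lambda w: (-scores[w], w))[:k]


def registrable_domain(url):
    """Last two host labels, e.g. www.ebay.com -> ebay.com (simplification: no public-suffix list)."""
    host = (urlparse(url).hostname or "").lower()
    return ".".join(host.split(".")[-2:])


# Constructed page text and background corpus (assumptions, not real pages)
SIGNIN_PAGE_TEXT = ("eBay Sign In. Sign in to your eBay account or sign up. User ID. Password. "
                    "Forgot your user ID? Forgot your password? Help. Get help. More help.")
BACKGROUND_DOCS = [
    "Weather forecast: rain this afternoon, sun tomorrow.",
    "Sign in to your bank account and enter your password.",
    "Help center: reset your password or recover your account.",
]
# Constructed stand-in for Google: (url, popularity, page text). Popularity orders pages
# that match the same number of query words. The phishing copy is not listed: a freshly
# registered site is normally not indexed yet, and when it is, it ranks far below the original.
SEARCH_INDEX = [
    ("https://www.ebay.com/signin", 100, SIGNIN_PAGE_TEXT),
    ("https://www.ebay.com/help", 80, "eBay help center: forgot your password? Sign in help."),
    ("https://bank.example.com/login", 60, BACKGROUND_DOCS[1]),
    ("https://www.example.com/weather", 50, BACKGROUND_DOCS[0]),
]
REAL_URL = "https://www.ebay.com/signin"
PHISH_URL = "http://ebay.signin.example.net/login"   # constructed copy of the sign-in page


def toy_search(query):
    """Rank indexed pages by number of query words matched, then by popularity."""
    q = set(tokenize(query))
    hits = []
    for url, popularity, text in SEARCH_INDEX:
        matched = len(q & set(tokenize(text)))
        if matched:
            hits.append((-matched, -popularity, url))
    return [url for _, _, url in sorted(hits)]


def cantina_is_legitimate(page_url, page_text, background_docs, search=toy_search, n=30):
    """CANTINA's core test: is the page's domain among the top n results for its 5-word signature?"""
    signature = tfidf_signature(page_text, background_docs)
    results = search(" ".join(signature))[:n]
    target = registrable_domain(page_url)
    return any(registrable_domain(r) == target for r in results)
```

Because the fake copies the real page word for word, both get the same signature; only the domain check separates them, which is why the slide notes that later heuristics were needed to cut false positives for legitimate pages that rank poorly.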
Evaluating CANTINA
[Chart: CANTINA evaluation on PhishTank URLs]
Summary
• Whirlwind tour of our work on anti-phishing
– Human side: how people make decisions, training, UIs
– Computer side: better algorithms for detecting phish
• More info about our work at cups.cs.cmu.edu
Acknowledgments
• Alessandro Acquisti
• Lorrie Cranor
• Sven Dietrich
• Julie Downs
• Mandy Holbrook
• Norman Sadeh
• Anthony Tomasic
Supported by NSF, ARO, CyLab, Portugal Telecom
• Serge Egelman
• Ian Fette
• Ponnurangam
Kumaraguru
• Bryant Magnien
• Elizabeth Nunge
• Yong Rhee
• Steve Sheng
• Yue Zhang
CMU Usable Privacy and Security
Laboratory
http://cups.cs.cmu.edu/
Embedded Training Results
[Chart: percentage of users who clicked on a link, for each email that contained links (emails 3 Phish, 5 Training, 7 Real, 8 Spam, 11 Training, 12 Spam, 13 Real, 14 Phish, 16 Phish, 17 Phish), for Groups A, B and C; y-axis 0 to 100]
Confusion matrix (rows: our label; columns: is it legitimate?)
                  Legitimate: Yes    Legitimate: No
Our label: Yes    True positive      False positive
Our label: No     False negative     True negative
Minimal Knowledge of Lock Icon
“I think that it means secured, it symbolizes
some kind of security, somehow.”
• 85% of participants were aware of lock icon
• Only 40% of those knew that it was supposed
to be in the browser chrome
• Only 35% had noticed https, and many of those
did not know what it meant
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 

User Interfaces and Algorithms for Fighting Phishing, Cylab Seminar talk 2007

1. User Interfaces and Algorithms for Fighting Phishing
Jason I. Hong, Carnegie Mellon University

2. Everyday Privacy and Security Problem

4. Phishing is a Plague on the Internet
• Estimated 3.5 million people have fallen for phishing
• Estimated $350m-$2b direct losses a year
• 9255 unique phishing sites reported in June 2006
• Easier (and safer) to phish than rob a bank

5. Project: Supporting Trust Decisions
• Goal: help people make better online trust decisions
– Currently focusing on anti-phishing
• Large multi-disciplinary team project at CMU
– Six faculty, five PhD students, undergrads, staff
– Computer science, human-computer interaction, public policy, social and decision sciences, CERT

6. Our Multi-Pronged Approach
• Human side
– Interviews to understand decision-making
– PhishGuru embedded training
– Anti-Phishing Phil game
– Understanding effectiveness of browser warnings
• Computer side
– PILFER email anti-phishing filter
– CANTINA web anti-phishing algorithm
Automate where possible, support where necessary

7. Our Multi-Pronged Approach: What do users know about phishing?

8. Interview Study
• Interviewed 40 Internet users (35 non-experts)
• “Mental models” interviews included email role play and open ended questions
• Brief overview of results (see paper for details)
J. Downs, M. Holbrook, and L. Cranor. Decision Strategies and Susceptibility to Phishing. In Proceedings of the 2006 Symposium On Usable Privacy and Security, 12-14 July 2006, Pittsburgh, PA.

9. Little Knowledge of Phishing
• Only about half knew meaning of the term “phishing”
“Something to do with the band Phish, I take it.”

10. Little Attention Paid to URLs
• Only 55% of participants said they had ever noticed an unexpected or strange-looking URL
• Most did not consider them to be suspicious

11. Some Knowledge of Scams
• 55% of participants reported being cautious when email asks for sensitive financial info
– But very few reported being suspicious of email asking for passwords
• Knowledge of financial phish reduced likelihood of falling for these scams
– But did not transfer to other scams, such as an amazon.com password phish

12. Naive Evaluation Strategies
• The most frequent strategies don’t help much in identifying phish
– This email appears to be for me
– It’s normal to hear from companies you do business with
– Reputable companies will send emails
“I will probably give them the information that they asked for. And I would assume that I had already given them that information at some point so I will feel comfortable giving it to them again.”

13. Summary of Findings
• People generally not good at identifying scams they haven’t specifically seen before
• People don’t use good strategies to protect themselves
• Currently running large-scale survey across multiple cities in the US to gather more data
• Amazon also active in looking for fake domain names

14. Our Multi-Pronged Approach: Can we train people not to fall for phish?

15. Web Site Training Study
• Laboratory study of 28 non-expert computer users
• Asked participants to evaluate 20 web sites
– Control group evaluated 10 web sites, took 15 min break to read email or play solitaire, evaluated 10 more web sites
– Experimental group same as above, but spent 15 min break reading web-based training materials
• Experimental group performed significantly better identifying phish after training
– Less reliance on “professional-looking” designs
– Looking at and understanding URLs
– Web site asks for too much information
People can learn from web-based training materials, if only we could get them to read them!

16. How Do We Get People Trained?
• Most people don’t proactively look for training materials on the web
• Companies send “security notice” emails to employees and/or customers
• We hypothesized these tend to be ignored
– Too much to read
– People don’t consider them relevant
– People think they already know how to protect themselves
• Led us to idea of embedded training

17. Embedded Training
• Can we “train” people during their normal use of email to avoid phishing attacks?
– Periodically, people get sent a training email
– Training email looks like a phishing attack
– If person falls for it, intervention warns and highlights what cues to look for in succinct and engaging format
P. Kumaraguru, Y. Rhee, A. Acquisti, L. Cranor, J. Hong, and E. Nunge. Protecting People from Phishing: The Design and Evaluation of an Embedded Training Email System. CHI 2007.

18. Embedded training example
Subject: Revision to Your Amazon.com Information
Please login and enter your information
http://www.amazon.com/exec/obidos/sign-in.html
20. Intervention #1 – Diagram
Explains why they are seeing this message

21. Intervention #1 – Diagram
Explains what a phishing scam is

22. Intervention #1 – Diagram
Explains how to identify a phishing scam

23. Intervention #1 – Diagram
Explains simple things you can do to protect self

24. Intervention #2 – Comic Strip

25. Embedded Training Evaluation #1
• Lab study comparing our prototypes to standard security notices
– eBay, PayPal notices
– Intervention #1 – Diagram that explains phishing
– Intervention #2 – Comic strip that tells a story
• 10 participants in each condition (30 total)
– Screened so we only have novices
• Go through 19 emails, 4 phishing attacks scattered throughout, 2 training emails too
– Role play as Bobby Smith at Cognix Inc

26. Embedded Training Results
• Existing practice of security notices is ineffective
• Diagram intervention somewhat better
• Comic strip intervention worked best
– Statistically significant
– Combination of less text, graphics, story?

27. Evaluation #2
• New questions:
– Have to fall for phishing email to be effective?
– How well do people retain knowledge?
• Roughly same experiment as before
– Role play as Bobby Smith at Cognix Inc, go through 16 emails
– Embedded condition means have to fall for our email
– Non-embedded means we just send the comic strip
– Had people come back after 1 week
– Improved design of comic strip intervention
• To appear in APWG eCrime Researchers’ Summit (Oct 4-5 at CMU)

29-30. Results of Evaluation #2
• Have to fall for phishing email to be effective?
• How well do people retain knowledge after a week?
[Chart: mean correctness on the training set, measured before training, immediately after, and after a one-week delay, for the non-embedded and embedded conditions; data labels as extracted: 0.07, 0.18, 0.64, 0.14, 0.04, 0.68]
31. Anti-Phishing Phil
• A game to teach people not to fall for phish
– Embedded training focuses on email
– Our game focuses on web browser, URLs
• Goals
– How to parse URLs
– Where to look for URLs
– Use search engines for help
• Try the game!
– http://cups.cs.cmu.edu/antiphishing_phil

38. Evaluation of Anti-Phishing Phil
• Test participants’ ability to identify phishing web sites before and after training up to 15 min
– 10 web sites before training, 10 after, randomized order
• Three conditions:
– Web-based phishing education
– Printed tutorial of our materials
– Anti-phishing Phil
• 14 participants in each condition
– Screened out security experts
– Younger, college students

39. Results
• No statistically significant difference in false negatives among the three groups
– Actually a phish, but participant thinks it’s not
– Unsure why, considering a larger online study
• Though game group had fewest false positives

42. Our Multi-Pronged Approach: Do people see, understand, and believe web browser warnings?
46. How Effective are these Warnings?
• We tested four conditions
– Firefox Active Block
– IE Active Block
– IE Passive Warning
– Control (no warnings or blocks)
• “Shopping Study”
– Set up some fake phishing pages and added them to blacklists
– Users were phished after purchases
– Real email accounts and personal information
– Spoofing eBay and Amazon (2 phish/user)
– We observed them interact with the warnings

47. How Effective are these Warnings?

48. Improving Phishing Indicators
• Passive warning failed for many reasons
– Didn’t interrupt the main task
– Wasn’t clear what the right action was
– Looked too much like other ignorable warnings
• Now looking at science of warnings
– How to create effective security warnings

49. Our Multi-Pronged Approach: Can we automatically detect phish emails?
50. PILFER Email Anti-Phishing Filter
• Philosophy: automate where possible, support where necessary
• Goal: Create email filter that detects phishing emails
– Spam filters well-explored, but how good for phishing?
– Can we create a custom filter for phishing?
• I. Fette, N. Sadeh, A. Tomasic. Learning to Detect Phishing Emails. In WWW 2007.

51. PILFER Email Anti-Phishing Filter
• Heuristics combined in SVM
– IP addresses in link (http://128.23.34.45/blah)
– Age of linked-to domains (younger domains likely phishing)
– Non-matching URLs (ex. most links point to PayPal)
– “Click here to restore your account”
– HTML email
– Number of links
– Number of domain names in links
– Number of dots in URLs (http://www.paypal.update.example.com/update.cgi)
– JavaScript
– SpamAssassin rating
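As an added example (not PILFER’s code, which is not on the page), the Python below extracts from a raw e-mail the heuristics on slide 51 that can be computed from the message alone: IP-address links, anchor text naming a different domain than the href, the “click here” phrase, HTML body, number of links, number of distinct link domains, dots in host names, and embedded JavaScript. Age of the linked-to domains and the SpamAssassin rating need external lookups (WHOIS, spamd) and are left out. The two sample messages are constructed; the “last two labels” domain approximation and the IPv4-only address check are simplifications, not PILFER’s.

```python
"""PILFER-style phishing e-mail features (added example, not the PILFER code).
Only heuristics computable from the message itself; domain age and the
SpamAssassin rating need external lookups (WHOIS, spamd) and are left out."""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
DOMAIN_IN_TEXT_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)


class _LinkCollector(HTMLParser):
    """Collect [href, anchor text] pairs, the visible text, and <script> presence."""
    def __init__(self):
        super().__init__()
        self.links, self.text = [], []
        self.has_script = self._in_script = False
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.has_script = self._in_script = True
        elif tag == "a" and dict(attrs).get("href"):
            self._current = [dict(attrs)["href"], ""]
            self.links.append(self._current)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
        elif tag == "a":
            self._current = None

    def handle_data(self, data):
        if self._in_script:
            return
        self.text.append(data)
        if self._current is not None:
            self._current[1] += data


def _host(url):
    return (urlparse(url).hostname or "").lower()


def _is_ip(host):
    return re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host) is not None  # IPv4 only


def _domain(host):
    # Registrable domain approximated as the last two labels (an IP literal is its
    # own "domain"); a production filter would consult the public suffix list.
    labels = host.split(".")
    return host if _is_ip(host) or len(labels) < 2 else ".".join(labels[-2:])


def extract_features(raw_message: bytes) -> dict:
    """Feature vector for one RFC 822 message; PILFER feeds these to an SVM."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    html_part = msg.get_body(preferencelist=("html",))
    if html_part is not None:
        p = _LinkCollector()
        p.feed(html_part.get_content())
        links, text, has_script = p.links, " ".join(p.text), p.has_script
    else:
        plain = msg.get_body(preferencelist=("plain",))
        text = plain.get_content() if plain is not None else ""
        links = [[u, ""] for u in URL_RE.findall(text)]  # bare URLs, no anchor text
        has_script = False

    hosts = [h for h in (_host(href) for href, _ in links) if h]
    # "Non-matching URL": the anchor text names a domain other than the href's.
    mismatched = sum(
        1 for href, anchor in links
        if any(_domain(d.lower()) != _domain(_host(href)) for d in DOMAIN_IN_TEXT_RE.findall(anchor))
    )
    return {
        "is_html": html_part is not None,
        "num_links": len(links),
        "num_link_domains": len({_domain(h) for h in hosts}),
        "has_ip_link": any(_is_ip(h) for h in hosts),
        "max_dots_in_host": max((h.count(".") for h in hosts), default=0),
        "mismatched_links": mismatched,
        "has_click_here": "click here" in text.lower(),
        "has_javascript": has_script,
    }


# Constructed sample messages, not real mail.
SAMPLE_PHISH = b"""From: "PayPal" <service@paypal.com>
Subject: Revision to your account information
Content-Type: text/html; charset="utf-8"

<p>Dear user, <a href="http://www.paypal.update.example.com/update.cgi">Click here to restore your account</a>.</p>
<p>Or sign in at <a href="http://128.23.34.45/blah">www.paypal.com</a></p>
<script>window.status = "https://www.paypal.com/";</script>
"""
SAMPLE_HAM = b"""From: Alice <alice@example.org>
Content-Type: text/plain; charset="utf-8"

Today's menu is at http://www.example.org/menu if you want to order early.
"""
```

Running `extract_features(SAMPLE_PHISH)` yields an IP link, a mismatched anchor (`www.paypal.com` pointing at `128.23.34.45`), four dots in `www.paypal.update.example.com`, the “click here” phrase and a script tag; the plain-text ham message triggers none of these. The dictionary is the row a trained classifier would consume, with the two external-lookup features appended once available.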
52. PILFER Evaluation
• Ham corpora from SpamAssassin (2002 and 2003)
– 6950 good emails
• Phishingcorpus
– 860 phishing emails

54. PILFER Evaluation
• PILFER now implemented as SpamAssassin filter
• Alas, Ian has left for Google

55. Our Multi-Pronged Approach: Can we do better in automatically detecting phish web sites?
56. Lots of Phish Detection Algorithms
• Dozens of anti-phishing toolbars offered
– Built into security software suites
– Offered by ISPs
– Free downloads
– Built into latest version of popular web browsers
– 132 on download.com

57. Lots of Phish Detection Algorithms
• But how well do they detect phish?
– Short answer: still room for improvement

58. Testing the Toolbars
• November 2006: Automated evaluation of 10 toolbars
– Used phishtank.com and APWG as source of phishing URLs
– Evaluated 100 phish and 510 legitimate sites
Y. Zhang, S. Egelman, L. Cranor, J. Hong. Phinding Phish: An Evaluation of Anti-Phishing Toolbars. NDSS 2007.
60. Results
[Chart: percentage of phishing sites correctly identified at 0, 1, 2, 12 and 24 hours, PhishTank URLs, for SpoofGuard, EarthLink, Netcraft, Google, IE7, Cloudmark, TrustWatch, eBay, Netscape and McAfee; annotations: 38% false positives, 1% false positives]

61. [Chart: same measurement on the APWG URLs, for SpoofGuard, EarthLink, Netcraft, Firefox w/Google, IE7, Cloudmark, TrustWatch, eBay, Netscape, CallingID and Firefox]
62. Results
• Only one toolbar >90% accuracy (but high false positives)
• Several catch 70-85% of phish with few false positives

63. Results
• Can we do better?
– Can we use search engines to help find phish?
Y. Zhang, J. Hong, L. Cranor. CANTINA: A Content-Based Approach to Detecting Phishing Web Sites. In WWW 2007.

64. Robust Hyperlinks
• Developed by Phelps and Wilensky to solve “404 not found” problem
• Key idea was to add a lexical signature to URLs that could be fed to a search engine if URL failed
– Ex. http://abc.com/page.html?sig=“word1+word2+...+word5”
• How to generate signature?
– Found that TF-IDF was fairly effective
• Informal evaluation found five words was sufficient for most web pages

65. Adapting TF-IDF for Anti-Phishing
• Can same basic approach be used for anti-phishing?
– Scammers often directly copy web pages
– With Google search engine, fake should have low page rank
[Screenshots: Fake and Real]

66. How CANTINA Works
• Given a web page, calculate TF-IDF score for each word in that page
• Take five words with highest TF-IDF weights
• Feed these five words into a search engine (Google)
• If domain name of current web page is in top N search results, we consider it legitimate
– N=30 worked well
– No improvement by increasing N
• Later, added some heuristics to reduce false positives
67. Fake: eBay, user, sign, help, forgot

68. Real: eBay, user, sign, help, forgot
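The robust-hyperlink signature of slide 64 and the CANTINA check of slides 66-68 together in one added Python example (not CANTINA’s code, which is not on the page). The five-page corpus, the sign-in page text and the look-alike phishing URL are constructed; the `SearchIndex` class is an in-memory stand-in for the search engine that ranks its pages by the TF-IDF mass of the query words, and the IDF values come from that same small corpus, whereas the real system queries Google. The domain comparison uses the last two host labels in place of a public suffix list. Because the fake page is a verbatim copy, it gets the same five-word signature as the real one, but its host never appears in the results, which is exactly the signal CANTINA relies on.

```python
"""Lexical signatures (robust hyperlinks) and the CANTINA domain check.
Added example, not the CANTINA code.  The corpus below stands in for the web
index and `SearchIndex.search` stands in for the Google query."""
import math
import re
from collections import Counter
from urllib.parse import urlparse

TOKEN_RE = re.compile(r"[a-z][a-z0-9]+")
STOPWORDS = {"a", "an", "and", "at", "by", "for", "in", "is", "of", "on", "or", "the", "to", "your", "you"}


def tokenize(text):
    return [t for t in TOKEN_RE.findall(text.lower()) if t not in STOPWORDS]


class SearchIndex:
    """Constructed stand-in for the search engine: a list of (url, page text)."""

    def __init__(self, pages):
        self.pages = [(url, Counter(tokenize(text))) for url, text in pages]
        self.doc_freq = Counter()
        for _, tf in self.pages:
            self.doc_freq.update(tf.keys())

    def idf(self, term):
        # Smoothed inverse document frequency (same form as scikit-learn's).
        n = len(self.pages)
        return math.log((1 + n) / (1 + self.doc_freq[term])) + 1.0

    def search(self, terms, top_n):
        # Rank pages by the TF-IDF mass of the query terms; drop pages with no hit.
        scored = [(sum(tf[t] * self.idf(t) for t in terms), url) for url, tf in self.pages]
        ranked = sorted((su for su in scored if su[0] > 0), key=lambda su: -su[0])
        return [url for _, url in ranked[:top_n]]


def registrable_domain(host):
    """Last two labels; a real deployment would use the public suffix list."""
    return ".".join(host.lower().split(".")[-2:])


def lexical_signature(page_text, index, k=5):
    """Top-k words by TF-IDF: the Phelps/Wilensky signature that CANTINA reuses."""
    tf = Counter(tokenize(page_text))
    weights = {t: c * index.idf(t) for t, c in tf.items()}
    return [t for t, _ in sorted(weights.items(), key=lambda kv: (-kv[1], kv[0]))[:k]]


def robust_hyperlink(url, page_text, index, k=5):
    """URL carrying its signature so a search engine can re-find the page after a 404."""
    return url + "?sig=" + "+".join(lexical_signature(page_text, index, k))


def cantina_is_legitimate(url, page_text, index, top_n=30):
    """CANTINA's core test: is the page's own domain among the top-N hits for its
    five-word signature?  The later false-positive heuristics are not included."""
    signature = lexical_signature(page_text, index)
    own = registrable_domain(urlparse(url).hostname or "")
    hits = {registrable_domain(urlparse(u).hostname or "") for u in index.search(signature, top_n)}
    return own in hits


# Constructed corpus and page text, not real site contents.
WEB = [
    ("https://signin.ebay.com/ws/eBayISAPI.dll",
     "Sign in to eBay. Enter your eBay user ID and password. Forgot your user ID? "
     "Forgot your password? Forgot something? Sign in help."),
    ("https://www.ebay.com/", "eBay: buy and sell electronics, cars, fashion and collectibles. Help and contact."),
    ("https://www.paypal.com/signin", "Log in to PayPal with your email and password. Forgot your password? Help."),
    ("https://www.example.org/bakery", "Bakery: sourdough bread, croissants, order online for pickup."),
    ("https://www.example.net/forgot", "Forgot your user name? Reset your password here with help from support."),
]
REAL_URL, SIGNIN_TEXT = WEB[0]
# A phish that copied the sign-in page verbatim onto a look-alike host (not in the index).
FAKE_URL = "http://signin.ebay.com.update.example-phish.net/ws/eBayISAPI.dll"

if __name__ == "__main__":
    index = SearchIndex(WEB)
    print("signature:", lexical_signature(SIGNIN_TEXT, index))
    print("robust link:", robust_hyperlink(REAL_URL, SIGNIN_TEXT, index))
    for url in (REAL_URL, FAKE_URL):
        print(url, "->", "legitimate" if cantina_is_legitimate(url, SIGNIN_TEXT, index) else "PHISH")
```

With this corpus the signature of the sign-in page is `forgot`, `id`, `sign`, `ebay`, `user`; the real URL resolves to `ebay.com`, which is in the results, while the copied page on `example-phish.net` is not, so only the real one passes. The fraction of legitimate pages that fail this test (the false positives slide 66 mentions) is what the later heuristics reduce.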
72. Summary
• Whirlwind tour of our work on anti-phishing
– Human side: how people make decisions, training, UIs
– Computer side: better algorithms for detecting phish
• More info about our work at cups.cs.cmu.edu

73. Acknowledgments
• Alessandro Acquisti
• Lorrie Cranor
• Sven Dietrich
• Julie Downs
• Mandy Holbrook
• Norman Sadeh
• Anthony Tomasic
• Serge Egelman
• Ian Fette
• Ponnurangam Kumaraguru
• Bryant Magnien
• Elizabeth Nunge
• Yong Rhee
• Steve Sheng
• Yue Zhang
Supported by NSF, ARO, CyLab, Portugal Telecom

74. CMU Usable Privacy and Security Laboratory
http://cups.cs.cmu.edu/

77.
                     Is it legitimate?
                     Yes               No
Our label   Yes      True positive     False positive
            No       False negative    True negative

81. Minimal Knowledge of Lock Icon
“I think that it means secured, it symbolizes some kind of security, somehow.”
• 85% of participants were aware of lock icon
• Only 40% of those knew that it was supposed to be in the browser chrome
• Only 35% had noticed https, and many of those did not know what it meant

Editor’s notes

1. 2-3.5 million: http://www.gartner.com/it/page.jsp?id=498245
2. Web security pop-ups are confusing. “Yeah, like the certificate has expired. I don’t actually know what that means.” Don’t know what encryption means.
3. Phil needs to score 6 / 8 to move on to the next round, and at the end of the round Phil gets a chance to reflect on what he missed.
4. In between rounds, we also have short tutorials to teach Phil better strategies to identify phishing. In this example, Phil’s father teaches Phil how to use a search engine.
5. Email #16 was from CardMember Services with the subject “Your Online Statement Is Now Available”. Email #17 was from [email_address] with the subject “Reactivate your PayPal Account”.