NOW READ THIS
("Security Advisory")
Submitted by: Bill Hickey
NCVA List Master
NRT-0282 Gone Phishing:
A cybersecurity researcher and professor at Indiana University in Bloomington spends much of his time perpetrating online attacks on unsuspecting Web surfers, without actually harming them, to see what types of ruses people will fall for and to predict potential new techniques phishers might pursue. Typically his research subjects are told about the research after they've unknowingly participated. In one experiment, he and his students sent emails to about 20 people directing them to a site authenticated only by a self-signed certificate, that is, an identity certificate signed by its creator. Many people accepted the certificate even though anyone knowledgeable in computer security should not have. Starting from those 20 messages, the emails were on four continents within a day. In another study, he found that while people often won't click on a suspicious link within an email, they will go to the site if they are instructed to copy and paste the same URL into their browsers. 'People know they're not supposed to click on suspicious links, but they haven't been told not to copy and paste the same links into an address bar.' He also found a problem related to the practice of credit card companies identifying users by the last four digits of their account numbers, which are random. From his research, it turns out people are willing to respond to fraudulent emails if the attacker correctly identifies the 'first four digits' of their account numbers, even though the first four are not random and are based on who issued the card. Another experiment targeted Indiana University professors, prompting them to use their university-issued passwords to get onto a site that appeared to be hosted outside of the school. Most were duped. One finding could have been predicted by anyone: Men are more likely to click on a link sent to them by a female than by a male.
But the study dug up some more surprising facts: by targeting email addresses from a social networking site that listed political affiliations, he found that people on the far left and far right were much more vulnerable than people in the middle. The professor explains that all these experiments can help researchers predict trends by discovering what human vulnerabilities haven't been exploited yet. Although some argue users can't be taught to avoid online attacks, he thinks his research can lead to better education methods.
(Network World 10AUG07)
Last Modified: Saturday, 01-Sep-2007 12:44:46 EDT