EYE ON SECURITY

The World of Secure Development.

September 2007

Security experts will go to all sorts of extremes to teach people how to better recognize and avoid email phishing and other Internet scams. And rightly so. Researchers at the Carnegie Mellon Usable Privacy and Security Lab, for instance, have turned to interactive, online games. Anti-Phishing Phil is a fish (that's a pun, right?) that helps users better identify fraudulent Web sites.

To play the game, participants are asked to take a short quiz, play the game, and then take another quiz. Those who leave their email address and participate in a follow-up quiz a week later are eligible for a raffle prize of a $100 Amazon.com gift card.

"We believe education is essential if people are to avoid being ripped off by these phishing attacks and similar online scams," said Lorrie Cranor, associate research professor in the School of Computer Science’s Institute for Software Research and director of the CUPS Lab. "Unlike viruses or spyware, phishing attacks don’t exploit weaknesses in a computer’s hardware or software, but take advantage of the way people use their computers and their often-limited knowledge of the way computers work."

Phishing attacks attempt to trick people into revealing personal information or bank or credit card account information. Often, they involve emails that appear to be from a legitimate business, such as a bank, and direct recipients to visit a Web site that likewise appears to belong to that business. There they are asked to "verify" account information. In addition to spoof emails and counterfeit Web sites, some attacks even mimic parts of a user’s own Web browser.

"We designed the game to teach people how to use Web addresses, or URLs, to identify phishing Web sites,” said Steve Sheng, a Ph.D. student in CMU's Engineering and Public Policy Department and lead developer of Anti-Phishing Phil. “"That tactic can also be useful in analyzing suspicious email messages."

In addition to Cranor and Sheng, Anti-Phishing Phil developers include faculty members Jason Hong and Alessandro Acquisti, and students Bryant Magnien and Ponnurangam Kumaraguru. CUPS has also collaborated with Portugal Telecom to develop a Portuguese version of the game called Anti-Phishing Ze.

Posted by Jon Erickson at 09:29 AM  Permalink |

IBM's Internet Security Systems (ISS) X-Force research and development has released a report that measures the volume of malware on a year to year basis. Surprise, surprise. Compared to the first half of 2006, the first half of 2007 revealed an increase in the amount of sophistication of malware.

The report, entitled Cyber Attacks on the Rise: IBM X-Force 2007 Midyear Report states that Trojans (seemingly legitimate files that are actually malware) comprise the most voluminous category of malware so far in 2007, accounting for 28 percent of all malware.

"The X-Force security statistics report for 2006 predicted a continued rise in the sophistication of targeted, profit-motivated cyber attacks," said Kris Lamb, director of X-Force for IBM Internet Security Systems. "This directly correlates to the rise in popularity of Trojans that we are witnessing this year, as Trojans are often used by attackers to launch sustained, targeted attacks."

For more information, go here.

Posted by Jon Erickson at 09:42 AM  Permalink |

A number of security-related books have recently been released by Cisco Press, including:

• Cisco ASA, PIX, and FWSM Firewall Handbook, Second Edition by David Hucaby. Cisco ASA, PIX, and FWSM Firewall Handbook, Second Edition, is a guide for the most commonly implemented features of the Cisco firewall security solutions.

• End-to-End Network Security: Defense-in-Depth, by Omar Santos. End-to-End Network Security gives you a comprehensive look at the mechanisms to counter threats to each part of your network.

• Cisco NAC Appliance: Enforcing Host Security With Clean Access, by Jamey Heary, Jerry Lin, Chad Sullivan, and Alok Agrawal. This book provides you with information about designing, configuring, deploying, and troubleshooting the Cisco Network Admission Control (NAC) Appliance, formerly known as Cisco Clean Access.
  
  
• LAN Swith Security: What Hackers Know About Your Switches, by Eric Vyncke, Christopher Paggen. This book explains the vulnerabilities in a network infrastructure related to Ethernet switches.
  

Posted by Jon Erickson at 10:13 AM  Permalink |