Title: Teaching you NOT to fall for Phish
1. Teaching you NOT to fall for Phish
- Carnegie Mellon
- Beth Cueni
2. Internet addiction
- People do get addicted to the Internet
- What are the signs?
3. Fighting Cybercrime
- http://www.nsf.gov/cise/csbytes/newsletter/vol1i12.html
- View these images.
- Only one is an actual web site.
- How can you tell?
4. Password Protection

| Number of Characters | Possible Combinations | Human discovery | Computer discovery |
|---|---|---|---|
| 1 | 36 | 3 minutes | .000018 seconds |
| 2 | 1,300 | 2 hours | .00065 seconds |
| 3 | 47,000 | 3 days | .02 seconds |
| 4 | 1,700,000 | 3 months | 1 second |
| 5 | 60,000,000 | 10 years | 30 seconds |
| 10 | 3,700,000,000,000,000 | 580 million years | 59 years |

- Possible characters A-Z and 0-9
- Human discovery assumes 1 try every 10 seconds
- Computer discovery assumes one million tries per second
- Average time assumes the password would be discovered in approx half the time it would take to try all possible combinations
5. Characteristics of Phish scams
- Sense of urgency
- No specific person signs the email
- Links do not take you to a valid address
- "Dear eBay member": they should know your name!
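
The four warning signs above can be turned into a simple mail-triage check. This Python sketch is an added example, not part of the original slides; the word lists, the sample message and the names `phish_signals` and `link_mismatch` are constructed assumptions, and "links do not take you to a valid address" is read here as a link whose visible text names a different host than the one its href leads to.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed word lists and sample message (assumptions, not from the slides).
URGENCY = re.compile(r"\b(urgent|immediately|within 24 hours|suspended)\b", re.I)
GENERIC = re.compile(r"^dear\s+(\w+\s+)?(member|customer|user)\b", re.I)
PERSON = re.compile(r"^[A-Z][a-z]+ [A-Z][a-z]+")
TEAM = re.compile(r"\b(team|department|support|security|service)\b", re.I)
DOMAIN = re.compile(r"\b(?:www\.)?((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)
SAMPLE = ('Dear eBay member,\nYour account will be suspended within 24 hours.\n'
          '<a href="http://203.0.113.7/signin">www.ebay.com</a>\neBay Security Team')

class Body(HTMLParser):
    """Collects visible text and [href, label] pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.text, self.links, self._open = [], [], False
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links.append([dict(attrs).get("href") or "", ""])
            self._open = True
    def handle_endtag(self, tag):
        self._open = self._open and tag != "a"
    def handle_data(self, data):
        self.text.append(data)
        if self._open:
            self.links[-1][1] += data

def link_mismatch(href, label):
    """True when the label shows a domain that the href does not lead to."""
    shown = DOMAIN.search(label)
    want = shown.group(1).lower() if shown else ""
    actual = (urlparse(href).hostname or "").lower()
    return bool(want) and not (actual == want or actual.endswith("." + want))

def phish_signals(html_body):
    """Return which of the four warning signs appear in one message body."""
    body = Body()
    body.feed(html_body)
    body.close()  # flush any text still buffered by the parser
    lines = [ln.strip() for ln in "".join(body.text).splitlines() if ln.strip()]
    last = lines[-1] if lines else ""
    checks = {
        "urgency": URGENCY.search("\n".join(lines)),
        "generic_greeting": any(GENERIC.match(ln) for ln in lines),
        "no_named_signer": TEAM.search(last) or not PERSON.match(last),
        "link_mismatch": any(link_mismatch(h, t) for h, t in body.links),
    }
    return [name for name, hit in checks.items() if hit]
```

Calling `phish_signals(SAMPLE)` reports all four signs; a message addressed by name, signed by a person and linking to the host it displays returns an empty list.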
6. Phishing Works
- 73 million US adults received more than 50 phishing emails each in the year 2005
- 3.6 million adults lost 3.2 billion dollars in phishing attacks in 2007
- Financial institutions and the military are also victims
7. Why phishing works
- Phishers take advantage of Internet users' trust in legitimate organizations
- Lack of computer and security knowledge
- People do not protect themselves
8. Anti-phishing strategies (What industry is doing)
- Silently eliminate the threat
- Find and take down the phishing sites
- Detect and delete phishing emails
- Warn users about the threat
- Anti-phishing toolbars and web browser features (IE 7.0 and Firefox)
- Train users not to fall for attacks
9. User education is challenging
- Users are not motivated to learn about security
- Security is a secondary task
10. Web Site Training
- Lab study: 28 non-expert computer users
- Evaluate 10 sites
- Take a break (read training material or play games)
- Evaluate 10 more sites
- People who read the training material identified phishing sites better
11. PhishGuru
- http://phishguru.org/
- http://wombatsecurity.com/antiphishingphil
- YouTube: http://www.youtube.com/watch?v=c1Es2qza1II
- http://cups.cs.cmu.edu/antiphishing_phil/
12. Students are most vulnerable
- Students are more likely to fall for phish than staff
- The 18-25 age group was consistently more vulnerable to phishing attacks
13. Wombat Security
- Purchased the Anti Phishing game from Carnegie Mellon and is now using it to train others
14. Play the game!
- http://cups.cs.cmu.edu/antiphishing_phil/