Summit to address online threats to security

Carnegie Mellon University’s CyLab will be hosting the second annual Anti-Phishing Working Group e-crime Researchers’ Summit on Oct. 4–5, a meeting that will address the security threats in online multiplayer games and phishing on the World Wide Web.

Sponsored by the Anti-Phishing Working Group, an organization that fights phishing and crimeware, the summit will include the appearances of top experts who are involved in electronic crime (e-crime) research. One of these experts will be Carnegie Mellon’s Lorrie Cranor, an associate research professor of computer science, who is the general chair for the conference.

Gary McGraw, the chief technology officer of Cigital Inc., will deliver a keynote address about security threats that are posed by online multi-player computer games like World of Warcraft.

“With hundreds of thousands of interacting users,” McGraw stated on the eCrime Research website, “today’s online games are a bellwether of modern software yet to come. The kinds of attack and defense techniques I [will] describe are tomorrow’s security techniques.”

The summit will cover a number of topics relating to online security threats, including those posed by massive multiplayer online role-playing games (MMORPGs) and phishing. The conference will also touch on the precautions needed to prevent e-Crime and ways to determine the risk of a particular threat.

With regard to MMORPGs, the summit will touch on how these games can cause security breaches involving the private and financial accounts of players around the world.

In a Carnegie Mellon press release, McGraw claimed that MMORPGs threaten both the security of individual players and the welfare of the online gaming industry as a whole. McGraw will discuss both of these issues in his address.

Phishing, on the other hand, is classified as a type of fraud in which personal and financial information is stolen from individuals via e-mails. These e-mails are often disguised as e-mails from financial institutions.

Several panelists from the Harvard Center for Research on Computation and Society, Indiana University, and People for the American Way will address the issue of phishing.

These panelists will focus on the potential for phishing to negatively impact the 2008 elections. They will also touch on ways to prevent phishing that have been used in the past.

In addition to addresses by experts in the field of crime research, the summit will feature research paper and poster presentations.
These presentations are intended to inform attendees about people’s reaction to phishing e-mails, as well as the usefulness of anti-phishing education. Of the different paper presentations that will be shown at the summit, Cranor’s “Getting Users to Pay Attention to Anti-Phishing Education: Evaluation of Retention and Transfer” will be among the featured readings.

Presentations will also cover the role that machine learning and the Internet play in phishing.

“On a social and deployment side,” said Markus Jakobsson, associate professor of informatics at Indiana University and program chair of the summit, “it is about raising awareness of the dire situation we are headed towards, and address problems before they turn into catastrophe.”

Proposed methods of user education will also be addressed in the presentations.

“One solution is to make it fun,” said Cranor. “We’ve developed a game called Anti-Phishing Phil. ...People seem to really enjoy playing the game and we’ve been contacted by several companies and the U.S. Air Force about using it for employee training.” In addition to informative games, Cranor’s research team developed a method that utilizes cartoons to inform its audience.

“Another thing we observed is that people who fall for phishing e-mails actually read them. So we’ve been experimenting with sending people fake phishing e-mails that we generate,” said Cranor.

“When they click on the link in the e-mail, we pop-up an educational cartoon that teaches them about how to avoid falling for phishing attacks. We’ve found it is very effective. Sending the cartoon to people directly in e-mail is not very effective, but if they see the cartoon after falling for our phish, it has a big impact.”

“This is not a battle that can be won by either side in a conclusive manner,” said Jakobsson, “and it is going to remain, but I have reasonable hope that we can control the problem better onwards.”

For further information on the summit and its participants, visit www.ecrimeresearch.org/2007/program.html.