Monthly Archives: October 2008

Crossing the Street in Cyberspace: Michael Kaiser and the National Cyber Security Alliance

If you grew up in a small town, you’d likely cross the street without stopping to look each way. Try that in New York City, and you’ll end up in the hospital. Similarly, most of us grew up in meatspace and clicking on any old link in cyberspace often ends up with our bank account in the hospital.

OK, that was my mangled simile, but it illustrates what Michael Kaiser and the National Security Alliance are trying to do: educate the public about what to do and not do in cyberspace without losing their audience with technical details or lengthy pedantic instructions. In his talk at APWG he had all sorts of interesting points, such as address different audiences (K-12, small business, elderly, etc.) differently, and that it’s not just unlearning bad habits (including ones that would be good habits in other contexts), it’s teaching good habits. ANd changing habits of any kind requires repetition and persistence. As Kaiser said, look at the CDC and its ongoing campaigns of prevention of HIV, domestic violence, etc.

Personally, I think could use more graphics and less text, or, more importantly, more storyline. It seems a tad pedantic to me. More poets in prevention! Or more marketing in staying safe. Or something.

But it’s a useful site already.

Teachable Moment: APWG/CMU Phishing Education Landing Page program

Phishing? Fail!

When you take down a phishing domain or server, don’t just take it off the net: redirect it to this education page so victims of phishing can learn in the act of being suckered by a phisher that they should be more careful what they click on.

As someone in the audience pointed out, whatever you do don’t redirect phishing pages back to the actual sites being phished, i.e., if the phisher was pretending to be a bank, don’t take down the phisher’s redirect and replace it with a redirect to the bank itself. THat just teaches people the wrong thing, to follow a bad link.

Instead, link to the APWG/CMU landing page. Which could use a catchier name (how about Phishing: Fail!), but it’s already a really good service.

MySpace Anti-Phishing

Shing Yin Khor of Fox Interactive Media, which owns MySpace, gave an entertaining talk at APWG in which she gave a good case that MySpace has mostly eliminated phishing ads on MySpace and is busily suppressing other phishing.
Throwing money at the issue of phishing actually works.
MySpace’s anti-phishing forces include former law enforcement people, including a former federal and state prosecutor, a former L.A. D.A., and a former FBI agent. They have successfully sued spam king Scott “ringtones” Richter and his CPA empire.

MySpace does have an advantage in actually hosting all displays and messages. It’s good to be a many-hundred-million shopping mall. She didn’t say that; I did. She did say they use MySpace specific measures such as education via Tom’s profile. Tom was one of the founders of MySpace. Every new user gets Tom as a friend, so his online persona (pictured) has 240 million friends, so that’s a channel that reaches most of their users. She did say:

Education is just as important as technical measures.
What works on MySpace will work on other social network sites.

But Shing’s theme of pro-active measures against phishing and spam is one other organizations could take to heart. Don’t think you can do nothing: you can.

Of course, if you have fewer than 200 million users, you may want to band together with other organizations, for example by joining APWG. Even MySpace does.

APWG Atlanta Buckhead

apwgfall08.jpg Five years of the Anti-Phishing Working Group! Dave Jevans gave a retrospective, followed by country reports:

Japan: Pretending to be grandchild to get bank account transfer is popular. ATM scams are the most lucrative.

Russia: Second biggest global source of spam. Ecrime economy is ten times the si ze of the anti-ecrime industry, and that’s a problem.

Brazil: Most phishing is done locally. Is all organized crime.

I don’t want to go into too much detail, even though the bad guys don’t seem to need any help. APWG continues to climb the ecrimeware curve, catching up with th e miscreants.