http://online.wsj.com/public/article/0,,SB112424042313615131-z_8jLB2WkfcVtgdAWf6LRh733sg_20060817,00.html

By DAVID BANK
Staff Reporter of THE WALL STREET JOURNAL
August 17, 2005

To fight computer crime, the good guys are masquerading as bad guys pretending to be good guys.

In recent months, nearly 10,000 New York state employees have received email messages that appeared to be official notices asking them to click on Web links and provide passwords and other confidential information about themselves. Those who complied received gentle slaps on the wrist from William Pelgrin, New York's chief information security officer, who explained that the seemingly authentic messages were crafted by state officials "to demonstrate how realistic attackers' fake emails can seem."

The exercise, along with similar ones conducted at the U.S. Military Academy at West Point, N.Y., and at least two other organizations, represents a new -- and controversial -- approach to fending off computer hackers. By using some of the same "social engineering" techniques as the attackers, defenders hope to train users to be more careful about sharing sensitive information online.

Mr. Pelgrin plans to brief officials from other states about the exercise in a conference call today. "This is not a one-shot deal," Mr. Pelgrin says. "I've got to reinforce that behavioral change to make it permanent."

Such change is important because hackers are increasingly exploiting the weakest link in computer security -- humans. Most computer users have become savvy enough to avoid obvious attempts at what security experts call "phishing" -- phony email messages, often purportedly from financial institutions, that ask for personal information such as account or Social Security numbers. But many are still succumbing to a new wave of more sophisticated attacks, dubbed "spear phishing," that are targeted at specific companies and government agencies.
In such exploits, attackers create email messages that are designed to look like they came from the recipient's company or organization, such as an information-technology or a human-resources department. More than 35 million of these targeted email messages to steal critical data and personal information were launched in the first half of the year, according to a report this month from International Business Machines Corp. And use of these scams is soaring: The number of such email messages sent rose more than 1,000% from January to June, the company said.

The mock phishing exercises demonstrate how effective such attacks can be. In June 2004, more than 500 cadets at West Point received an email from Col. Robert Melville notifying them of a problem with their grade report and ordering them to click on a link to verify that the grades were correct. More than 80% of the students dutifully followed the instructions.

But there is no Col. Robert Melville at West Point. The email was crafted by Aaron Ferguson, a computer-security expert with the National Security Agency who teaches at West Point. The gullible cadets received a "gotcha" email, alerting them they could easily have downloaded spyware, "Trojans" or other malicious programs and suggesting they be more careful in the future.

Mr. Ferguson, who runs similar exercises each semester, said many cadets have been victimized by real online frauds. "There have been quite a few cadets who have been duped," he says. Nonetheless, he says the exercise upset some cadets, who felt it exploited their inclination to follow an order from a colonel, no questions asked. He says the new edict is, "Ask questions first, then execute."

Some computer-security experts say the bogus phishing exercises can help "inoculate" users against falling for real phishing scams, much like vaccines use a broken version of a real disease to provide immunization.
"This is a key defense against large-scale theft of confidential information," says Alan Paller, research director of the SANS Institute, a computer-security clearinghouse based in Bethesda, Md., who helped devise the New York state exercise.

Still, there are potential pitfalls, including the possible loss of trust among employees for their organizations' own information-security staff.

"My initial thoughts when I heard about it was 'Whoa, this sounds questionable,'" says David Jevans, chairman of the Anti-Phishing Working Group, an industry consortium. He says that although employers are within their rights to train their employees, companies should be careful before they intentionally use mock email on their customers. "You're playing with fire," he says. "Are people ever going to trust your email?"

Mr. Jevans, chief executive of a computer-security firm called IronKey Inc., argues that technical methods for authenticating email are likely to be more effective than such user education.

In New York, Mr. Pelgrin says he took pains to carefully design the exercise, including hiring an outside Web consultant to design the mock email pitch. "We wanted to make sure it was not too good," he says. He also enlisted AT&T Corp. to route the email messages so that they came from outside the state's own computer network, just like a real phishing attack.

In the first phase, in March, nearly 10,000 employees received an email with the logo of the state's Office of Cyber Security and Critical Infrastructure Coordination. The note directed employees to a special "password checker" site. "You are required to check your password by clicking on the link below and entering your password and email address by close of business today." About 15% of the recipients tried to enter their passwords before being stopped by the automated program, which sent them a note explaining the exercise.
An additional 3% tried to enter the Web address in their own browsers, a sound security practice that can deflect most attacks.

In July, a second message, purportedly from the employee's own agency, asked for help fixing an Internet problem "due to a suspected cyber security event." A link took employees to a Web page that asked their email address, agency, network user name and password, and phone number. This time, only 8% of the recipients tried to interact with the fake Web site, while 5% were careful enough to enter the Web address themselves.

It is too early to declare the program a complete success, but Mr. Pelgrin says he plans to repeat the exercises. "Repetition is important. Vigilance is critical," he says. "The bottom line lesson was: Even if the request comes from legitimate individuals, never give out personal information."

_________________________________________
Attend ToorCon
Sept 16-18th, 2005
Convention Center
San Diego, California
www.toorcon.org
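The mechanics the article describes for the New York exercise (a link to a "password checker" page, an automated program that stops people before a password is taken, and separate counts for those who clicked the link, those who tried to submit credentials, and those who typed the address into their own browser) can be sketched in code. The following Python is an added example written for this page; it is not code from the article, from the New York state program, or from any of the organizations named. It assumes a per-recipient token in each emailed link to distinguish a clicked link from a hand-typed address, and every name, URL, address and piece of traffic in it is constructed.

```python
"""Model of a mock-phishing landing page and its scoring (added example).

Assumptions, none of which come from the article:
  * each recipient's emailed link carries a unique token (?t=...);
  * a visit with no token is treated as the address being typed by hand,
    and such visitors can only be identified by client address;
  * the form handler records that a submission was attempted and discards
    the password before anything is logged.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple
from urllib.parse import parse_qs, urlsplit


@dataclass
class Campaign:
    """State for one simulated-phishing round (hypothetical design)."""
    tokens: Dict[str, str]                  # link token -> recipient id
    population: int                         # number of recipients mailed
    events: List[Tuple[str, str]] = field(default_factory=list)  # (subject, kind)

    def handle(self, method: str, url: str, client: str,
               form: Optional[Dict[str, str]] = None) -> str:
        """Serve one request to the landing page and return the page shown.

        GET with a known token -> recipient clicked the emailed link.
        GET without a token    -> someone typed the address by hand.
        POST                   -> a credential submission was attempted.
        """
        token = parse_qs(urlsplit(url).query).get("t", [None])[0]
        user = self.tokens.get(token)
        subject = user if user is not None else f"client:{client}"
        if method == "GET":
            self.events.append((subject, "clicked" if user else "typed_url"))
            return "password checker form"
        if method == "POST":
            # Record only the fact of the attempt. The submitted password is
            # deliberately not stored, hashed, logged or forwarded anywhere;
            # `form` is accepted so a real handler would have the same shape.
            self.events.append((subject, "submitted"))
            return "exercise notice: this was a simulated phishing message"
        return "not found"

    def report(self) -> Dict[str, float]:
        """Percentage of the mailed population in each outcome bucket.

        Each subject counts once per bucket, so reloads do not inflate rates.
        'submitted' is a subset of 'clicked' when the link was used.
        """
        seen: Dict[str, Set[str]] = defaultdict(set)
        for subject, kind in self.events:
            seen[kind].add(subject)

        def pct(n: int) -> float:
            return round(100.0 * n / self.population, 1)

        interacted = seen["clicked"] | seen["typed_url"]
        return {
            "clicked": pct(len(seen["clicked"])),
            "submitted": pct(len(seen["submitted"])),
            "typed_url": pct(len(seen["typed_url"])),
            "no_interaction": pct(self.population - len(interacted)),
        }


def demo() -> Dict[str, float]:
    """Constructed traffic for a 20-recipient round (not real data)."""
    users = [f"user{i:02d}" for i in range(20)]
    camp = Campaign(tokens={f"tok{i:02d}": u for i, u in enumerate(users)},
                    population=20)
    # Four recipients follow the link; three of them go on to submit the form.
    for i in range(4):
        camp.handle("GET", f"https://checker.example/verify?t=tok{i:02d}",
                    client=f"10.0.0.{i}")
    for i in range(3):
        camp.handle("POST", f"https://checker.example/verify?t=tok{i:02d}",
                    client=f"10.0.0.{i}",
                    form={"email": f"user{i:02d}@example.gov", "password": "hunter2"})
    # One person types the address in by hand (no token) and reloads once.
    camp.handle("GET", "https://checker.example/verify", client="10.0.0.99")
    camp.handle("GET", "https://checker.example/verify", client="10.0.0.99")
    return camp.report()


if __name__ == "__main__":
    for bucket, rate in demo().items():
        print(f"{bucket:>15}: {rate:5.1f}%")
```

The design point worth keeping from the article is in the POST branch: the exercise only needs to know that a submission was attempted, so the password is dropped before any record is written. A landing page that kept what people typed would turn a training round into exactly the credential store it is meant to prevent.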
This archive was generated by hypermail 2.1.3 : Thu Aug 18 2005 - 00:13:55 PDT