Sunday, April 26, 2009

Cool way to check for Conficker

Conficker is the latest worm infecting Windows-based computers. Worms aren't really my area of specialty and I wouldn't normally comment on them, but a clever person came up with a way to test whether your computer has a Conficker infection just by visiting a website, and I wanted to give kudos to that.

If you visit that site you should see a set of images like these below (without the word "SAMPLE"):

If you only see a subset of the images, you might have a problem (see the site for details). The page also gives suggestions for cleaning Conficker from your system.

How does this work? One of the things Conficker does is block the infected computer from connecting over the network to the websites of various anti-virus vendors, so that the machine cannot download software that would remove it. The images on the web page are actually loaded from those security companies' websites; since Conficker blocks connections to those sites, your browser cannot load the images and you won't see all of them. The flip side is that anything else that blocks those sites (a corporate web filter, a misconfigured proxy, or simply no network connection at all) will hide images too, so a missing image is a reason to investigate, not proof of infection. That is why the chart mixes in images from non-security sites: if those load and the vendor images don't, the selective blocking the worm is known for is the more likely explanation.
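The same "eye chart" logic, written as a small script rather than a web page. This is an added example, not code from the original post or from the site it describes: the image URLs are placeholders (the real chart uses actual vendor-hosted images), and the fetcher is swappable so the verdict logic can be exercised offline with a constructed "infected" fetcher. It goes slightly beyond the page by separating vendor images from control images and returning "inconclusive" when even the control images fail, which is the check a practitioner would want before trusting a verdict.

```python
"""Eye-chart style Conficker check: load images from security-vendor sites and
from unrelated control sites, then compare which ones were reachable.
Added example; URLs below are hypothetical placeholders, not the real chart's."""

import socket
import urllib.error
import urllib.request

# Hypothetical image URLs. In a real chart these would be images hosted by
# anti-virus vendors (the sites Conficker blocks) and by unrelated sites.
SECURITY_IMAGES = {
    "vendor-a": "http://vendor-a.example/logo.png",
    "vendor-b": "http://vendor-b.example/logo.png",
    "vendor-c": "http://vendor-c.example/logo.png",
}
CONTROL_IMAGES = {
    "control-a": "http://control-a.example/logo.png",
    "control-b": "http://control-b.example/logo.png",
}


def http_fetch_ok(url, timeout=5.0):
    """Return True if the URL answers with HTTP 200; any failure counts as blocked.
    This is what the browser effectively does for each <img> on the page."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status == 200
    except (urllib.error.URLError, socket.timeout, OSError):
        return False


def probe(images, fetch=http_fetch_ok):
    """Try every image and report {name: reachable}."""
    return {name: bool(fetch(url)) for name, url in images.items()}


def interpret(security, control):
    """Turn the two reachability maps into a verdict.

    clean        - every vendor image loaded
    suspicious   - no vendor image loaded but every control image did,
                   i.e. the selective blocking Conficker is known for
    partial      - some vendor images loaded; could be a filter or a flaky site
    inconclusive - no control image loaded either, so there is no connectivity
                   to judge by (or a proxy/filter blocks everything)
    """
    sec_ok, sec_total = sum(security.values()), len(security)
    ctl_ok, ctl_total = sum(control.values()), len(control)
    if ctl_ok == 0:
        return "inconclusive"
    if sec_ok == sec_total:
        return "clean"
    if sec_ok == 0 and ctl_ok == ctl_total:
        return "suspicious"
    return "partial"


def eye_chart(fetch=http_fetch_ok):
    """Run both probes and return (verdict, vendor results, control results)."""
    sec = probe(SECURITY_IMAGES, fetch)
    ctl = probe(CONTROL_IMAGES, fetch)
    return interpret(sec, ctl), sec, ctl


def fake_blocked(url):
    """Constructed fetcher simulating an infected host: vendor sites are
    unreachable, control sites still load. Used for offline demonstration."""
    return "control-" in url


if __name__ == "__main__":
    verdict, sec, ctl = eye_chart(fake_blocked)  # swap in http_fetch_ok to go live
    print("verdict:", verdict)
    print("vendor images:", sec)
    print("control images:", ctl)
```

Run as-is it uses the constructed fetcher and reports "suspicious"; passing `http_fetch_ok` to `eye_chart` performs real HTTP requests, which only make sense once the placeholder URLs are replaced with real vendor-hosted images.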

Pretty clever in my opinion and I wanted to pass it on.

Wednesday, April 8, 2009

Good SciAm article on Phishing

On a recent flight I had an opportunity to catch up on my reading and found a Scientific American article, How to Foil "Phishing" Scams, to be a good read. For those of you not familiar with the term, phishing has nothing to do with the band Phish; it refers to the malicious practice of sending email that tricks people into revealing personal information, usually by directing them to a website masquerading as their bank's.

I thought the following point in the article was particularly interesting: people are more likely to learn from educational material about phishing once they have actually fallen for a phishing scam.
With some of these insights in mind, members of my team, Ponnurangam Kumaraguru, Alessandro Acquisti and others, developed a training system called PhishGuru, which delivers antiphishing information after users have fallen for simulated phishing messages. The program incorporates a set of succinct and actionable messages about phishing into short cartoons, wherein a character named PhishGuru teaches would-be victims how to protect themselves. In a series of studies, we demonstrated that when people read the cartoons after falling for the simulated phishing e-mails that we sent to them, they were much less likely to fall for subsequent attacks. Even a week later our test subjects retained what they had learned. In contrast, those who read the PhishGuru cartoons sent to them by e-mail, without experiencing a simulated attack, were very likely to fall for subsequent attacks.
The article then goes on to describe training that simulates being phished, so that this heightened readiness to learn kicks in without the consequences of first falling for a real phishing scheme.

I think this pattern is typical across security education - until someone has been harmed by a security failure, they don't see the motivation to try and improve things, by learning or other means. Perhaps the idea of incorporating simulation into security training to kick in this response might have good application across other aspects of security as well?