IU tips from the DIMACS cybersecurity conference
FOR IMMEDIATE RELEASE
TUESDAY, APRIL 12, 2005
Industry and academic cybersecurity experts will convene Thursday and Friday (April 14-15) in Piscataway, N.J., to discuss new and as-yet-unresolved threats to safe and secure e-commerce. Their meeting is the first scientific conference devoted specifically to phishing and related e-commerce issues. It will be hosted by the Center for Discrete Mathematics and Theoretical Computer Science (DIMACS) at Rutgers University. J.P. Morgan Chase Senior Vice President for Consumer Risk Management Richard A. Parry is an invited speaker.
"Messin' with Texas" reveals President Bush's not-so-personal information
Mothers' maiden names may seem like a safe way to authenticate the identity of an Internet user, but Indiana University School of Informatics research assistant Virgil Griffith and IU Bloomington computer scientist Markus Jakobsson will show how easy it is to mine online public records for this information using President George W. Bush and 3,773,882 other Texans as faux-victims. The researchers were able to retrieve the names despite the removal of online birth and death records in 2000 and 2002, respectively, as ordered by the Texas legislature. Because mothers' maiden names are so easily retrieved, the researchers urge American businesses to use other means of authentication. Jakobsson is an associate director of the IU Center for Applied Cybersecurity Research.
"Messin' with Texas: Deriving mothers' maiden names using public records"
Thursday, April 14, 3:45 p.m.
CoRE Building, DIMACS Center
Distributed phishing attacks could evade authority
The easiest way for Internet service providers (ISPs) to end a phishing attack is to pull the plug on the phisher's fake Web site. This protects future victims from revealing their personal information. But what if phishers use their computer savvy to make endless copies of their false Web sites, each one hosted in a different place? Many of these sites may be unwittingly hosted by companies and individuals whose firewalls have been compromised by the attacker. Indiana University Bloomington computer scientist Markus Jakobsson and LEGC LLC Senior Managing Consultant Adam Young will discuss how phishers might go about hijacking users' accounts to stay one step ahead of ISPs. They'll also explain how ISPs might protect themselves -- and their clients. Although this type of phishing attack has not yet been seen, Jakobsson and Young believe it is inevitable unless something is done preemptively to stop it. Jakobsson is an associate director of the IU Center for Applied Cybersecurity Research.
"Distributed phishing attacks"
Friday, April 15, 11:45 a.m.
CoRE Building, DIMACS Center
A better way to can spam: block it, don't screen it
Experts estimate 60 to 80 percent of today's e-mails are unsolicited junk, and that's because e-mail "spammers" are playing the averages. For a mere $100, spammers can buy a list of 30 million e-mail addresses. If a mere 0.001 percent of those who receive a spam message respond favorably to a $10 scam, that still earns the spammer a $2,900 net profit. If the spammer is an e-mail phisher, a similarly low success rate still yields personal information from 300 victims. Indiana University Bloomington computer scientist Minaxi Gupta says a better way of preventing spam e-mails from ever reaching their intended recipients is to perform active "spam management" by creating criteria that block or delay spam, turning the local incoming mail server into a sort of nightclub bouncer. Today's spam filtering software does not stop spam at the door. Instead it screens and deletes unwanted messages only after they've been copied to the local server. Gupta says this method of spam prevention is costly -- in terms of both hard drive space and Internet bandwidth use.
"Blocking phishing spam: Pitfalls and future directions"
Thursday, April 14, 2:30 p.m.
CoRE Building, DIMACS Center
Rating trustworthiness on the Internet
Phishing is a feasible social engineering mechanism because of the ease of impersonation on digital networks. Impersonation is easy because web sites are presented without social, geographical or physical context. Multiple mechanisms which create a single trusted entity have failed to resolve phishing problems, in part because single trusted third parties themselves lack context. IU Bloomington Associate Professor of Informatics Jean Camp and colleagues propose a system that embeds social context in trust decisions by combining individual histories, social networks, and explicit ratings. This social context allows an individual to select their own trusted sources of information, rate particular sites as trustworthy (or not), and leverages pre-existing social networks. Their proposal is informed by previous work in reputation systems, interaction design, social networks, social browsing, computer security, and peer production of knowledge. The researchers begin their presentation with an high level overview of the social science findings on human trust decisions that inform this proposal. They present the proposed implementation, including screenshots and an overview of the reputation mechanism.
"Social Networks and Trust Networks"
Friday, April 15, 3:30 p.m.
CoRE Building, DIMACS Center
To speak with Jakobsson, Gupta or Griffith, please contact David Bricker, IU Media Relations, at 812-219-8308 or brickerd@indiana.edu. For general information about the conference or for credentials, please contact Carl Blesch, Rutgers University Media Relations, at 732-932-7084 x616 or cblesch@ur.rutgers.edu.
