Participants in the eCrime Researchers Summit and the General
Members Meeting are invited to the APWG eCrime reception at
Carnegie Mellon University on the evening of Wednesday, October
3 at 7:30 PM.
Join us for a dinner buffet, drinks, and an eCrime cabaret
performance.
8:00 am   Registration and Breakfast

9:00 am   Welcome and Keynote
          Gary McGraw, Cigital - Exploiting Online Games

10:15 am  Break

10:45 am  Refereed Paper Presentations:
          EXAMINING THE IMPACT OF WEBSITE TAKE-DOWN ON PHISHING
          Tyler Moore and Richard Clayton
          FISHING FOR PHISHES: APPLYING CAPTURE-RECAPTURE TO PHISHING
          Rhiannon Weaver and Michael Collins
          Session Chair: Alessandro Acquisti

12:00 pm  Lunch
1:00 pm   Panel: From Research to Reality: What Does it Take to Get our Technology Solutions Adopted?
          The research community has come up with a variety of innovative ideas for combating eCrime, but few of these ideas are ever adopted. Sometimes technology that works well in the research lab is too expensive or infeasible to implement in a large-scale production environment. Sometimes new technology requires businesses to make too many changes to their IT infrastructure or introduces too many new risks. Often, concerns about potential harm to customer relationships or increases in customer support costs can hamper adoption. This panel will focus on the needs and requirements companies have for multi-factor authentication, mutual authentication, and anti-phishing tools.
          Moderator: Dan Geer, VP and Chief Scientist, Verdasys
          Panelists:
            Jon Callas, CTO/CSO, PGP Corporation
            Dan Schutzer, FSTC
            Cormac Herley, Microsoft Research
            Mike Aisenberg, EWA Information and Infrastructure Technologies
2:30 pm   CERT Network Situational Awareness Group Report Out and Panel:
          Uncleanliness: Quantifying Network Reputation
          Moderator/Speakers:
            Tim Shimeall, CERT/NetSA
            Markus De Shon, CERT/NetSA
          Panelists:
            Sid Faber, CERT/NetSA
            Rhiannon Weaver, CERT/NetSA
            Mike Collins, CERT/NetSA
            Jeff Janies, CERT/NetSA

3:30 pm   Break

4:00 pm   Refereed Paper Presentations:
          EVALUATING A TRIAL DEPLOYMENT OF PASSWORD RE-USE FOR PHISHING PREVENTION
          Dinei Florencio and Cormac Herley
          BEHAVIORAL RESPONSE TO PHISHING RISK
          Julie S. Downs, Mandy B. Holbrook and Lorrie Faith Cranor
          Session Chair: Norman Sadeh

5:15 pm   Break

6:30 pm
7:30 pm   Bowling for eCriminals with the APWG eCrime-Fighters
          Join the APWG eCrime-Fighters for sustenance and bowling. Immediately following the Poster Presentations, we will serve drinks and munchies as we host the APWG Bowling Tournament of eCrime Experts. Prizes for best team and individual score will be awarded.

8:00 am   Breakfast

9:00 am   Refereed Paper Presentations:
          FIGHTING OBFUSCATED SPAM
          Changwei Liu and Sid Stamm
          A COMPARISON OF MACHINE LEARNING TECHNIQUES FOR PHISHING DETECTION
          Saeed Abu-Nimeh, Dario Nappa, Xinlei Wang and Suku Nair
          GETTING USERS TO PAY ATTENTION TO ANTI-PHISHING EDUCATION: EVALUATION OF RETENTION AND TRANSFER
          Ponnurangam Kumaraguru, Yong Rhee, Steve Sheng, Sharique Hasan, Alessandro Acquisti, Lorrie Cranor and Jason Hong
          Session Chair: Rachna Dhamija

10:45 am  Break
11:15 am  Panel: Does User Education Work?
          When currently available technology cannot fully address security threats, the security community often turns to user education to help fill in the gaps. We've tried to educate users to install the latest security updates, not to open dangerous attachments, not to trust phishy emails, and a number of other security lessons. While education efforts continue, some people argue that user education is ultimately a losing proposition because it is largely ineffective and might actually be counterproductive. Furthermore, in order to be effective, user training needs to keep up with ever-changing security threats. In this panel we will examine some approaches to anti-phishing education and some of the studies that measure their effectiveness. We will address the question of whether user education can ever really work, and if so, under what circumstances. When is user education appropriate? How can it be done most effectively? What things can or should we teach users? What things are we better off not teaching users? When should we give up on user education entirely?
          Moderator: Susanne Wetzel, Stevens Institute of Technology
          Panelists:
            Lorrie Cranor, Carnegie Mellon University
            Richard A. Parry, Consumer Risk Management, JPMorganChase
            Markus Jakobsson, Indiana University
            Aaron Emigh, Radix Labs
12:45 pm  Lunch
1:45 pm   Panel: Political Phishing - A Threat to the 2008 Campaign?
          To date, most phishing attacks use the guise of an email from a financial institution to fool their victims. Going forward, we may see emails that look like political campaign messages, asking for contributions and information. Politics has already become a topic for fraudsters, and there are many typosquatters who use domain names similar to campaign websites to ridicule candidates or profit from advertisements. It is also possible for attackers to use the Internet to sow misinformation aimed at lowering voter turnout among targeted groups or at making voters misunderstand the issues and priorities. Political parties may be able to learn a lot from financial institutions about how best to protect their interests, and technical service providers may find an important new problem to address.
          Moderator: Oliver Friedrichs, Symantec
          Panelists:
            Rachna Dhamija, Harvard University
            Chris Soghoian, Indiana University
            Celeste Taylor, People For the American Way
3:15 pm   Closing Remarks

Keynote talk
Gary McGraw, Cigital
Exploiting Online Games
This talk (based on a book of the same title co-authored by Greg
Hoglund) frankly describes controversial security issues surrounding
MMORPGs such as World of Warcraft. This no-holds-barred approach is
fully loaded with code examples, debuggers, bots, and hacks. If you
are a gamer, a game developer, a software security person or an
interested bystander, this book exposes the inner workings of online
game security for all to see. In the talk, I will cover:
- Why online games are a harbinger of software security issues to come
- How millions of gamers have created billion dollar virtual economies
- How game companies invade your privacy
- Why some gamers cheat
- Techniques for breaking online game security
- How to build a bot to play a game for you
- Methods for total conversion and advanced mods
Ultimately, this talk is mostly about security problems associated
with advanced massively distributed software. With hundreds of
thousands of interacting users, today's online games are a bellwether
of modern software yet to come. The kinds of attack and defense
techniques I describe are tomorrow's security techniques on display
today.
Gary McGraw is the CTO of Cigital, Inc., a software security and
quality consulting firm with headquarters in the Washington,
D.C. area. He is a globally recognized authority on software security
and the author of six best-selling books on this topic. The latest,
Software Security: Building Security In was released in 2006, with
Exploiting Online Games slated for release this year. His other titles
include Java Security, Building Secure Software, and Exploiting
Software; and he is editor of the Addison-Wesley Software Security
series. Dr. McGraw has also written over 90 peer-reviewed scientific
publications, authors a monthly security column for darkreading.com,
and is frequently quoted in the press. Besides serving as a strategic
counselor for top business and IT executives, Gary is on the Advisory
Boards of Fortify Software and Raven White. His dual PhD is in
Cognitive Science and Computer Science from Indiana University where
he serves on the Dean's Advisory Council for the School of
Informatics. Gary is an IEEE Computer Society Board of Governors
member and produces the monthly Silver Bullet Security Podcast for
IEEE Security & Privacy magazine.
Accepted posters
PAKE-based mutual HTTP authentication for preventing phishing attacks
Yutaka Oiwa, Hiromitsu Takagi, Hajime Watanabe and Hideki Imai
Crimeware-Resistant Authentication
Markus Jakobsson, Susanne Wetzel, Liu Yang and Erik Stolterman
Helping Users Protect Themselves from e-Criminals in Click-Based Graphical Passwords
Alain Forget, Sonia Chiasson and Robert Biddle
A Usability Study on the Net Trust Anti-Fraud Toolbar
Farzaneh Asgharpour, Alex Tsow, Preeti Hariharan and L. Jean Camp
Identifying Botnets Using Anomaly Detection Techniques Applied to DNS Traffic
Ricardo Villamarin-Salomon and José Brustoloni
Anti-Phishing Phil: The Design and Evaluation of a Game That Teaches People Not to Fall for Phish
Steve Sheng, Bryant Magnien, Ponnurangam Kumaraguru, Alessandro Acquisti, Lorrie Cranor, Jason Hong and Elizabeth Nunge
CANTINA: A content based approach to detecting phishing websites
Yue Zhang, Lorrie Cranor, Jason Hong, Serge Egelman and Steve Sheng
You've Been Warned: An Empirical Study of the Effectiveness of Web Browser Phishing Warnings
Serge Egelman, Lorrie Cranor and Jason Hong
Phoolproof Phishing Prevention
Bryan Parno, Cynthia Kuo, Adrian Perrig
The My Secure Cyberspace Portal
Anna Maria Berta, Ann Ritchie, John Dolan, Dena Haritos Tsamitis
Detecting Phishing Emails Through Machine Learning Techniques Using Specialized Feature Set
Ian Fette, Patrick Kelley, Norman Sadeh, Anthony Tomasic, Umut Topkara