Anti-Phishing Working Group: CeCOS IV

The Anti-Phishing Working Group has asked its members to publicize the forthcoming Counter eCrime Operations Summit in Brazil, which I’m pleased to do. Apologies to those who will have come across this elsewhere, including some of my other blogs.

This year the APWG is hosting its fourth annual Counter eCrime Operations Summit (CeCOS IV) on May 11, 12 & 13 in São Paulo, Brazil. The Discounted Early Bird Registration rate will end on April 9th. Do not miss this opportunity to join our host with APWG Members from around the globe at this one-of-a-kind event. Counter-eCrime professionals will meet for sessions and discussion panels that look into case studies of organizations under attack and deliver narratives of successful trans-national forensic cooperation.

This is APWG’s first visit to South America and will help build our network of trusted friends worldwide. The discounted registration rate of $250 USD covers all three days of content, lunch, breaks and the Wednesday night reception. (NOTE: APWG Members will receive an additional discount during registration.) This “Early Bird” rate will end on April 9th; after that, through the beginning of the event on 11 May, registration is $325 USD.

A partial agenda is posted at the link below. Translation services for English, Spanish and Portuguese will be available for all sessions.

Register Here:

Security Author/Consultant at Small Blue-Green World
Chief Operations Officer, AVIEN
ESET Research Fellow & Director of Malware Intelligence

Also blogging at:

Mac Malware

You may be aware that I have a long-standing love/hate relationship with the Mac community (love Macs, hate the maulings I get whenever I comment on Mac security: somehow I keep forgetting that Macs are 100% secure and Mac users are 100% more intelligent than Windows users. Sigh…)

If you have an interest in Mac issues, you might find my Securiteam blog interesting. Or not.

AVIEN Guide published

Good day to you, my loyal readers.

How are you both?

It’s been a long time since I posted anything here, which doesn’t mean things haven’t been happening (too many things have been happening!).

The “AVIEN Malware Defense Guide for the Enterprise” was published in the US by Syngress early in August, 2007. This is a major publishing project I put together with AVIEN (Anti-Virus Information Exchange Network) and AVIEWS (Anti-Virus Information and Early Warning System) members. It will be published in the UK in early September. Read more on the book’s own web site here. Some of the authors will be at Infosec New York (11th-12th September) signing copies at the ESET stand, and at the Virus Bulletin conference in Vienna later in September (where Andrew Lee and I are presenting a phishing paper, by the way).

I also got somewhat irritated by a poor, misleading comparative test of antivirus products presented by at the Linuxworld expo: so irritated that I put a white paper here and a blog entry at Technet on the subject of testing. This is probably not the last you’ll hear of this from me.

Talking of AVIEN, as of 15th August I became the interim Administrator there. Essentially, my job is to keep order while the membership decide whether they want to change the structure of the organization. More about that on the AVIEN site in due course.

Phish Quizzes

Andrew Lee and I are presenting a paper on phishing quizzes at the Virus Bulletin conference in September 2007. While I already have pretty strong opinions on these, I’d appreciate some input from others with an interest in phishing education. The paper has to be submitted by the beginning of June, but this is an ongoing hobby horse of mine, so comments too late to be incorporated into the paper will not be wasted. This isn’t a formal research study (at the moment) so this isn’t a particularly structured survey: I’m looking for qualitative rather than quantitative data.

Do as much or as little as you like, by cutting and pasting the bits you want to comment on into the comments field, and feel free to expand. If you find the length of it a bit much, try going straight to the last couple of questions. If you don’t want to comment here, feel free to email me at david (dot) a (another dot) harley (at) gmail (yet another full stop) com.

1) Which quizzes have you looked at, if any?

2) Which did you feel were useful/useless/interesting/misleading/accurate/whatever?

3) Which format do you consider most useful?

  • multiple choice text questions
  • multiple choice identification of phish messages
  • multiple choice identification of non-phish messages
  • multiple choice identification of phish sites
  • multiple choice identification of non-phish sites
  • other (please describe)

4) If you tried multiple choice phish message/site identification quizzes, how well did you do overall? Which of the following did you do better on?

  • phish messages
  • legitimate messages
  • phish sites
  • legitimate sites

5) How useful do you think comparisons of static images are?

6) Do you expect to be able to ID a suspicious site or message from a static image? What supporting information is it useful to supply with static images (site or message image)?

7) What information do you expect to get back from a quiz site? Is a simple right or wrong enough?

8) What is (or should be) the purpose of a phish quiz?

9) What sort of question should a multiple choice text quiz ask?

10) How important is entertainment value in a quiz?

11) What heuristics do you use to identify a suspect site or message? How well does that map to phishing quiz answers, when they include an heuristic explanation? How convincing do you find quiz explanations?

12) What supporting material (eg FAQs) do you find or expect to find on quiz sites?

13) In principle, do you consider that phish quizzes are educationally useful?

14) Should a phishing quiz use real examples, either as modified samples or using controlled live access?

15) How should a quiz be constructed? Are the following useful?

  • Static images
  • Static images with supplementary info, eg annotations
  • Animated content
  • Role playing info
  • Shortcuts to the end of the quiz
  • Continuous feedback on the accuracy of your responses as opposed to a final score with no feedback during the test
  • Detailed explanation of correct answer
  • Detailed explanation with heuristic guidance

16) How do you rate your own expertise in this area?

  • Specialist
  • Security professional but not specialist
  • Knowledgeable non-pro
  • Not particularly knowledgeable.

Thanks for your help.