Jason Hong is an assistant professor in the Human Computer Interaction Institute. He works in the areas of ubiquitous computing and usable privacy and security, focusing on location-based services, anti-phishing, mobile social computing, and end-user programming. He is also an author of the book The Design of Sites, a pattern-based approach to designing customer-centered web sites.
posted by Richard Power
CyLab Chronicles: In your research you have done a significant amount of work on issues relating to phishing. What is happening in regard to this phenomenon? Is it increasing? And if so, in what ways? How is it changing? How is it evolving?
Jason Hong: Currently, there are two major trends in phishing scams. First, phishing is growing in scope. Previously, criminals used phishing primarily to steal money from people's accounts. Today, phishing is a vector for botnets and malware, and is used to steal sensitive information from corporations and governments. Phishing, which used to be done only through email, is now present in instant messaging, VOIP, SMS, and social networking sites. Criminals are also becoming more sophisticated in their attacks. Imagine receiving an email for a conference for your field, with a PDF attachment that claims to have the schedule. The problem is that this PDF is crafted to make use of software exploits to infect computers with malware. As you can see, this kind of attack is quite easy to fall for. The second major trend is that the good guys are getting better organized. Previously, there was a lot of confusion between industry, government agencies, and law enforcement as to how to coordinate their efforts to combat phishing. Now, we have clearer procedures for identifying and taking down phishing sites, more sharing of data between various groups, as well as forums to share knowledge about attacks and discuss the best ways of combating phishing scams.
CyLab Chronicles: What are the most effective ways for corporations and individuals to thwart phishing attacks? Are the strategies for corporations and individuals different? To what extent are the strategies of corporations dependent on their users?
Jason Hong: There are two basic strategies for protecting oneself from phishing attacks, namely email filters and user training. Filters are the first line of defense, blocking phishing emails before they reach people's inboxes. Here, corporations have a few choices as to which email filters to install. However, individuals don't have many options here, since this is more of an infrastructure issue. User training is the next line of defense. Filters are necessary, but not sufficient to protect both corporations and individuals, because as the attacks evolve, filters are not 100% accurate, and because phishing is expanding beyond just email. As such, user training is an essential part of computer security for any organization. The problem with most training, however, is that it is boring, gives people little opportunity to test what they have learned, and happens completely out of the context in which attacks would normally happen. A lot of our research at CyLab has focused on how to make training fun and effective.
CyLab Chronicles: Tell us more specifically about the benefits of embedded training in regard to the problem of phishing?
Jason Hong: The core idea behind embedded training is that people should be trained in the regular context of use. More concretely for phishing, rather than requiring all your employees to take an all-day course in computer security, you might periodically send them simulated phishing attacks. If someone falls for a phish, then they are shown training that explains what just happened, how to identify phish, and how and why criminals use these kinds of attacks. It turns out that falling for a simulated phish first is really important, as it leads to a teachable moment that makes the training effective. Just sending the training isn't useful, because people (incorrectly) think they already know how to protect themselves. We've also run a series of studies showing that embedded training is quite effective in reducing the rate of people falling for phish. (NOTE: Jason Hong is a co-founder of Wombat Security, a spinout from Carnegie Mellon University that sells embedded training and micro-games for cyber security awareness.)
CyLab Chronicles: Let's explore your research into "Visualizing Home Networks" and how it fits into the CyLab research thrust on "Secure Home Computing." How would you define this vital space, and what kind of work are you doing in it?
Jason Hong: Home networks are sprouting up everywhere. It's relatively easy to get an Internet connection to one's home, and more and more devices are becoming wirelessly networked. Today, we have networked desktop computers, mobile phones, game consoles, and DVRs. Tomorrow, it will also include toys, stereos, home media systems, security systems, medical sensors, and more. The challenge here is that these home networks are maintained by homeowners who don't necessarily know a great deal about computer security, nor do they want to. However, unless we help homeowners get a better understanding of what's going on, they will be at risk of becoming victims of malware like keyloggers, being part of large-scale botnets, as well as losing sensitive documents from work. What we've been doing is creating and evaluating tools to help homeowners control what devices can talk to each other. We're assuming that there will one day be a common communication substrate for all devices, and are instead focusing on the access control issues. We've been testing our mockups for common scenarios, such as adding a new device, configuring a device for children, and having visitors come over. We have some early results here, and are continuing to refine our interfaces and evaluate them with more people.
CyLab Chronicles: Your work in "User Controllable Security & Privacy for Mobile Social Networking" should also be of great interest to our readers. It is an area where several of CyLab's major research thrusts intersect, e.g., Usable Privacy and Security, Mobility, etc. Tell us about your work in this space?
Jason Hong: Our main line of work here has been to develop better ways to help laypeople manage their privacy in mobile settings. Our particular focus has been on location-based services. On the one hand, it can be useful to share one's current location information, for "okayness" checking, micro-coordination, awareness of friends, and social chatting. On the other hand, people have legitimate concerns about being monitored, the potential for stalking, and undesired social obligations. To address these problems, we have been developing better user interfaces to help people maintain control over what information is disclosed to others. This includes better interfaces for specifying rules (e.g., Alice can see my location if it is during work hours and I am in the office), auditing logs, as well as alternatives to showing your location on a map. Regarding this last point, several of our participants have stated that they don't want to share a map showing their home, but would be okay sharing the label "home" with others. Towards this end, we have been studying how people describe where they are to others, and what factors influence what they say.