eBay? Yahoo? Bank One? Amazon?

You might not remember what sites you've visited lately, and it's likely you don't care.

But someone out there might.

Four IU researchers are working to fight Internet attacks before they start by putting themselves in the head of the "bad guys" and devising plans to take advantage of unsuspecting users.

Professor Markus Jakobsson, graduate student Tom Jagatic, graduate student Sid Stamm and senior Virgil Griffith demonstrated the dangers of "phishing" to members of the American Society of Naval Engineers at a conference this week. "Phishing" is a term used to describe a targeted, technological attack on Internet users in an attempt to acquire private information, such as credit card and bank account numbers.

Jakobsson, who spoke to naval engineers interested in security and defense issues, said these attacks could be evolved by developing nations to harm industrialized countries, either by obtaining confidential government information or shutting down bank systems.

"They don't have the traditional weapons to attack us, but they've got enough resources," he said. "It just takes a handful of computers and one or two smart guys to develop terrifying electronic attacks that could cost us a lot."

These technological attacks, Jakobsson said, could also target areas hit by military offenses or natural disasters in order to stop rescue efforts from being carried out.

Jakobsson and his researchers demonstrated three possible ways phishers could exploit Internet users and discussed what users can do to protect themselves against these attacks.

The first of these methods involves making attacks using social networks. Phishers can use Web sites that reveal social connections between users, such as http://thefacebook.com, www.livejournal.com or a range of other sites, to send e-mails containing an unsafe link. This e-mail would appear to be from a friend in your social network, and could direct you to a Web site asking for a username and password or some other type of personal information. In a slightly more menacing situation, the hacker could pretend to be your bank and obtain access to your account.

In a second scenario, Jakobsson and Griffith used public records, such as birth and marriage certificates, to determine an individual's mother's maiden name -- a piece of information often used by banks for security. Once a database of these public records was created, Griffith said it took between five and 10 minutes to determine, with absolute certainty, the mother's maiden names of over 3.5 million people in the state of Texas.

"When this was proposed to me, I said, 'No, it won't work. It's too easy,'" Griffith said. "And I was surprised. It was far more successful than I expected."

Though he said he would be surprised if phishers were already taking advantage of this technology, Griffith warns that the threat will intensify as most states move to using large databases to store public records.

A third possible vulnerability exists in the Web history of a user's Internet browser. Jakobsson, Jagatic and Stamm have developed a Web site that, in a single click of a mouse, can search an entire Web browser history and determine whe site, www.browser-recon.info, was created in an effort to alert the public to its own vulnerabilities. Though it does not record information, Internet users can go to the site and see which Web sites are discovered in their browser's history.

The site uses the same technology that marks which Web pages a visitor has already viewed, said Stamm. Though the technology was not designed to access private information, phishers can manipulate it for these purposes.
IU researchers discuss technological attacks



