
One Fish, Two Fish, Red Phish, Blue Fish

BSides Athens · 2016 · 25:54 · 65 views · Published 2016-07
Style: Talk

About this talk
pre-recorded talk (B)

Transcript [en]

Hello. So first of all, I'm really sorry to the people attending BSides Athens this year; I really wanted to be there, and unfortunately it could not be helped. The talk is One Fish, Two Fish, Red Phish, Blue Fish. It's mainly a record of my thoughts and processes through finalising and doing my dissertation in my last year of university. So the first thing, I guess, is the introduction to me. My name is Caitlin Kelly. I recently started working as a security analyst at SecureWorks here in Edinburgh, and before that I studied Ethical Hacking and Countermeasures at Abertay, Dundee. Within that I was in the Ethical Hacking Society; you might have seen us around, we go to conferences quite often.

At university I really struggled to find my main focus, so every year the topic of my individual project changed quite a lot: from first year, where the focus was the cost of warfare, comparing the cost to build and create Stuxnet to the cost to build and create attacks such as the M1 Abrams, which I presented at BSides London in 2012; then in second year looking at firewalls, and then public Wi-Fi in third year, to finally this year focusing on phishing attacks and why they happen. One thing that remained clear to me throughout all four years was that my focus was, and probably always will be, how to make security easy for people to understand, and how they can rely on themselves instead of relying on everyone else.

So keeping this in mind, this talk, my hope is to discuss the issue of phishing and to try and understand and show it from the other side. This will involve the research techniques carried out by other people, as well as ways in which people aim to combat phishing altogether. After briefly looking at this, I will look into my own dissertation, at the points that worked as well as those that really didn't, and then lastly my plan is to look at the future, and how not only my research but how everyone can change little bits, and the obvious steps that really need to be taken. So I plan to look into those.

Okay, so most people, especially those probably listening to this talk, have at least a simple understanding of phishing attacks. However, for me the Anti-Phishing Working Group has a clear definition that sums everything together and takes away the ifs and buts and the "oh, but" here and there: phishing is a criminal mechanism employing both social engineering and technical subterfuge to steal customers' personal identity data and financial account credentials. So for anyone that has spent any time looking into phishing, whether it's researching either side of it, or anything into the numbers, or just on the news, it's clear why it's an issue.

The numbers related to it are absolutely staggering. Phishing scams make up over eighty percent of the emails coming into accounts every day, so that's not your inbox, that's just emails going into an account. And with this, at least twenty-eight percent of the working day is spent dealing with emails, according to the McKinsey Global Institute; so that's responding in any way, replying, reading, looking at them. Then the total number of unique phishing websites observed by the APWG in the first three months of 2016 was 289,371. In those same three months, 20 million new malware samples were captured; this breaks down to two hundred and twenty-seven thousand a day.

So with numbers this high it's no surprise that in 2005 alone the number of people in the US that gave their information directly as a response to a fraudulent email was over two million. This cost directly 1.2 billion dollars. To put it into, for our local, no, my local economy: Get Safe Online showed a twenty-one percent rise in 2015, which resulted in a cost of 174 million pounds over the space of a year for British consumers. And then with that, the average 10,000-employee company spends 3.7 million pounds a year dealing with phishing attacks and the backlash. So these are all just numbers relating to real-life statistics; when research figures are inputted as well it gets scary to see how little people really do understand.

So we will look more into various research methods, but for now, just food for thought: seventy-two percent of 921 people clicked and followed the link when it appeared to come from a friend. This was a test group that had been told they were being tested; they were fully aware that they were looking for phishing scams, and they still clicked. So the real question, I guess, is: well, why does it work? I was always the same; every technical person I spoke to had been, "well, how can people be that stupid?" But phishing works exceptionally well. It isn't especially difficult to carry out and can reap massive benefits. It relies on different factors all playing together to get the required result.

I'm not going to talk about the details in emails that make people click, or the techniques in cloning to make them look real. The talk is based on the trust people have, so instead it will look at, not even the reasons why people click, but I suppose why it happens. Multiple researchers and papers have found that where people know what phishing attacks or spam emails are, they don't think about them. The common misconception is that they won't fall prey because they don't have anything worth stealing, or they believe that others just have more to steal or more to take.

It's easy for us to follow what's happening, and it's easy for us, knowing at least a little about computers, to say phishing emails are so common, surely people know. Well, unfortunately, people really don't. For the vast part, people accept that their spam filter will protect them from all levels of emails, and that every site online is secure, because otherwise why would it be allowed to be online? Phishing is something that most people are aware of, whether it be simple knowledge that they shouldn't click the emails in their spam box, or people writing their own filters or rules. The issue, like most things, is in the fact that no one believes it's going to happen until it happens to them.

With such high numbers relating to phishing, it's clear why so many people choose it as their research topic. The research people do tends to go two ways: to protect people from and remove phishing attacks completely, and into the techniques and into carrying out a successful attack. For this research, and for my papers and my dissertation, I looked into the papers relating to preventing and protecting; I had no real interest in the making of malware and phishing attacks. So this research breaks down into two ways, and the common themes I found across the papers were taking two groups and seeing their reactions to different emails and scenarios, and also developing training tools such as games and apps to teach people about phishing.

Taking the first group, it has the obvious flaw in that to test someone you generally have to tell them they're being tested, and so the common test is to tell one group, and to train one group, that they're looking for phishing attacks, and to tell the other one, give them no training, and just ask them to keep an eye out for anything that might happen. Surely the issue that's clear to me is clear to everyone: you're still telling them you're going to be testing them. Heightening someone's responses lowers the accuracy.

The second common technique usually involves a lot more training, so developing a method to naturally develop people's knowledge on phishing. As I would expect, so many researchers and people have attempted to perfect this. It's such a broad topic to fully go into, but there are some amazing papers and documentation on the different training people have developed. The idea of using games and different interactive methods has exploded in recent years; it has shown how, when you engage people, a lot more information seems to stick when they're asked about it later.

So I suppose spam filters are the public's saving grace, and the issue is people relying on them fully, one hundred percent. They don't know how they work or even really what they do, and every email provider swears by theirs, and you have to understand that they get rid of so many emails based on signatures, email accounts, different previous email history and things like that. Millions of emails are sent to our spam every day. If this isn't just to protect people from putting information into fraudulent emails, surely as well you've got to look at the side where it stops important emails being hidden by the mass of phishing ones. So with pop-up screens from just about every site we visit, add-ons and browser extensions are becoming an obvious thing to use for everyone, especially with app stores for browsers making it easier for them to use than ever.

I suppose the point I'm trying to get to, the point I guess, is that something isn't working. Phishing is costing millions of pounds a year and still affects people from all knowledge backgrounds, all backgrounds, all walks of life. I suppose if it's not that people don't understand, it's that they truly don't believe it would affect them. It's the mentality of believing you're safe because you've never been robbed before. People can't take away from the fact that there doesn't need to be a link; they can't understand that it's just someone, not even just someone, it's a machine that's trying to contact as many people as it can and get as many responses as it can. They're not in it for a personal link.

So when I was thinking about how to approach my fourth-year project I was pretty lost, and I was for a while. Not having personally been affected by phishing at all, probably like most people listening, I had no idea what made people fall for attacks, or why anyone would almost be that stupid, I suppose. And so that was the key reason I chose the subject. The research I went into was what I did; it looked at a lot of different training techniques and how they had failed, and the different things that can be taken from each one and merged together.

My research showed me that in many ways people really just didn't understand, more than anything else, and the things that tried to fix it, such as toolbars and pop-ups, just scared them. What people are told about pop-ups is to leave them, they're probably malware, don't click on them; the presumption is that they're all bad. Everything led to trying to help people understand and know what was happening with their information. The idea developed from looking at what people use, so there was no point in me doing a Firefox-on-Linux tool, because people use Windows and Chrome.

So I decided I was going to build a tool that worked by acting as an absolute filter that the user would have full control over; they would have to have full control. The purpose was to ensure someone could live with and understand phishing: it might be there, and we might not be able to get rid of it, but they need to understand it doesn't have to affect them. So for me the tool split quite nicely into three sections. The first section, sign-up, was just like every other application out there where you sign up for the service, and this was made with an email address, a phone number and a password. Unique codes were sent to both the email and the phone number, and you'd then put them in to link your account. You would then generate a password that had to be 12 characters long, and it was then secured in a standard way, so it made use of how you'd expect standard two-factor authentication to work.

Then, once you were all signed up and it was installed on the machine in the browser, you would give it permission to monitor your browser. This is where the tricky bit came in, really, because to monitor a browser you have to get someone to trust the fact you're not just going to measure everything they type. So to do this, and ensure it was done in a secure way, I used a pre-written tool. This was widely available on Chrome, and has been for years; it was called Session Buddy. It was used as it has straightforward user input; I tested a good few different browser monitoring tools to see their exports and their user input, and with this one I was able to generate the browser history and export it in a text list to be really easily added to the filter.

So the filter was then generated and continuously updated to have the latest browser session involved. The list installed all the sites visited, deleted duplicates, and then changed the order to see regular visits and what people expect to use the most. The user can then go through, delete, modify and change different things depending on the amount of emails they require or want, and if they want no emails from a site that they happen to go on, they just move it into a blacklist, where this will overwrite the whitelist and stop emails from coming in altogether. The filters were then applied directly to the email account. This is done through the settings; it's quite a simple process. Once you've applied the filter, you just declare that it would be the only filter allowed, so the only mails that can come in are those on this list. The idea was to keep it as simple as possible for the user.

So the tool worked in terms of filtering the emails and monitoring browser usage. The only emails coming through were those on the whitelist, and if something had been placed on the blacklist it wouldn't appear. I tested on one of my own accounts so that I knew there were definitely emails going in and out of the account, and it worked. I turned off my other filters, and I had probably what I'd expect spam-wise; I didn't have that, I didn't have any from sites I had accessed. However, in my eyes it was about getting a balance between user experience and giving them the ability to understand what's going on.

So the functionality worked, and it depends completely on what someone was expecting from the tool itself. Everyone's going to read into the dissertation, the paper, differently, but on one hand the tool needed the user to manually do each step, otherwise it was just another application that wouldn't help anyone to build knowledge, just running in the background. And then you have to look at it from another side of the spectrum: technology is about making life easier and more accessible, so why wouldn't that be the right way to do it?

So I suppose to decide, not really decide, but come up with a conclusion for my situation, I had to break it down pretty much into good versus bad. So, the email filtered correctly, and the user knew exactly what was going on because they did each step themselves; they knew where all the pieces came together. It was a simple process that they just followed. We all take our computing knowledge for granted, sorry, and even the most educated person can be completely oblivious to anything to do with computers. So with this technique the user gains their knowledge hands-on. It's not about me telling someone, "oh, this is how you'd find it, this is how an email filter works"; it's them doing it, and then using a simple process to do it themselves.

And then you've got to look at the complete flip side, where the tool wasn't seamless, and this really made it less likely for people to use. Every year phones, tablets and computers are all being developed to make people's lives easier, to be done quicker, because when we want things done we want them done now; we're not willing to wait. So for people like you and me, people actually into computers and into the knowledge behind them, they're quite happy sitting running a scan, and they're quite happy sitting checking settings just to make sure things are okay and running correctly. Regular people, non-tech people: "why would I even consider these things?" And then when pop-ups happen to tell them these things are happening, they don't trust pop-ups; they've been told not to trust pop-ups. Technology is just a dangerous circle; it continuously goes round and round.

So in my eyes the tool wasn't seamless enough, and it might just encourage people to be complacent: they do it that one time and then they'd never update the filter, never update the database. And finding that balance of where it does that itself and where a user has to do it was very difficult.

So it's my "what now" type slide, I suppose, and instead of doing multiple different slides on where I, not see the future going, but feel where we could go in the future and what could happen, I just did one. So, in the nicest way, we need to be, as an industry, less ignorant to people. Not people as in cultures and things like that, but people as in just different knowledge levels in computing. It's the same way that we can tell what this piece of malware might be doing from a computer; it's the same premise in any profession: being told what is wrong with you before you've had the X-ray, or a mechanic knowing what is wrong with the car by the sound of the engine. It's in the understanding we build, and we develop both through hard work and naturally.

I suppose there needs to be a new way to teach people from early on how to be secure. If we can justify teaching programming and developing to children in primary schools, surely we can teach them to develop the right way to be safe. There are apps for everything these days, and if we can think of a fun, interactive way that can naturally develop and progress through a child's life to make them secure and to make them know what security is, surely we should be using that. Obviously teaching kids is one thing, but then for adults there needs to be an interactive way to learn as well. We need to step away from the "let's go on a corporate training day" and just give them a one-off training. People need to be taught not to be complacent, and not to expect these things to happen; they need to take it all into their own knowledge and know-how and go into their own way of doing it.

This is where, for me, the focus needs to be. Computing is so easy, we all know that; it's just teaching people and showing people how easy it can be. My idea was to develop the simplest way possible to teach people, and I think that even the step I slightly missed out on was asking people how they'd find it helpful, instead of just assuming they need a training course and assuming it's their own responsibility. Yes, it's probably their responsibility, but we expect a doctor to tell us why we're sick without patronising us; surely it's time every other industry, especially our one, learns to do the same.

Okay, so the last thing before I finish, because you might have noticed I love numbers: if there ever is a time to teach people to look after themselves, surely it's now. When I did this research, at the beginning of April in 2016, there were just under three and a half billion people using the internet across the world, so forty-six percent of the world's population was online. With that, between us all, both legitimate and spam, two million emails are sent a second. Surely it's about time we stopped just throwing thousands of papers at it and came together and thought of a way to keep people safe.

So thank you for listening, and I suppose watching, because it's a video. My Twitter handle is on screen; it is @Caitlyn4495. Feel free to message me and I can give everyone the references and figures for everything above and things like that, and I suppose answer any questions you might have, because obviously I'm not there to answer them. Once again, thank you so much for listening, and I hope the conference is brilliant, and I know it will be. So have a nice day. Thank you.
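The filter the talk describes (build a whitelist from exported browser history, drop duplicates, order by visit frequency, let a blacklist override it, then treat it as the only mail filter) as an added Python example. This is not the dissertation tool or Session Buddy code; it assumes a one-URL-per-line text export and a default-deny mailbox, and the sample history and domains are constructed.

```python
"""Whitelist-style mail filter built from an exported browser history.
Added example: assumes a one-URL-per-line export (constructed format)
and a mailbox where this is the only filter, so unknown senders are blocked."""
from __future__ import annotations
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample export: one visited URL per line, duplicates included.
HISTORY_EXPORT = """\
https://www.example-bank.co.uk/login
https://www.example-bank.co.uk/accounts
https://shop.example.com/basket
https://www.example-bank.co.uk/statements
https://news.example.org/
https://shop.example.com/checkout
http://tracker.example.net/ad?id=1
"""

def registrable_domain(host: str) -> str:
    """Reduce a hostname to its registrable part (last two labels, or three
    for co.uk-style registries). Simplified: no full public-suffix list."""
    labels = host.lower().rstrip(".").split(".")
    two_level = len(labels) >= 3 and len(labels[-1]) == 2 \
        and labels[-2] in {"co", "ac", "gov", "org"}
    return ".".join(labels[-3:] if two_level else labels[-2:])

def build_whitelist(export_text: str) -> list[str]:
    """Collect visited sites, delete duplicates, order by visit count so the
    sites a user regularly goes to come first (the talk's ordering step)."""
    counts: Counter[str] = Counter()
    for line in export_text.splitlines():
        host = urlsplit(line.strip()).hostname
        if host:
            counts[registrable_domain(host)] += 1
    return [dom for dom, _ in counts.most_common()]

def sender_domain(address: str) -> str:
    """Domain part of an e-mail address, normalised like the history entries."""
    return registrable_domain(address.rsplit("@", 1)[-1])

def decide(address: str, whitelist: list[str], blacklist: set[str]) -> str:
    """'allow' only if the sender's domain is whitelisted and not blacklisted.
    The blacklist overrides the whitelist; anything unknown is 'block', since
    the filter is declared the only one. A look-alike domain never matches."""
    dom = sender_domain(address)
    if dom in blacklist:
        return "block"
    return "allow" if dom in whitelist else "block"

if __name__ == "__main__":
    wl = build_whitelist(HISTORY_EXPORT)
    bl = {"example.net"}  # user moved the ad tracker into the blacklist
    print("whitelist:", wl)
    for sender in ("alerts@example-bank.co.uk", "offers@example.net",
                   "security@examp1e-bank.co.uk", "orders@shop.example.com"):
        print(sender, "->", decide(sender, wl, bl))
```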
