12 research outputs found

    How to Conduct Email Phishing Experiments

    The number of phishing attacks has grown year on year and the attacks have become more complex than ever before, causing financial damage to companies. Interest in simulated phishing attacks has grown in academic circles, but the studies focus mainly on specific aspects, such as ethical considerations, and not on conducting the phishing experiment itself. The author did not find consolidated guidelines among existing research papers describing how to conduct a phishing email experiment. The aim of this thesis is to explore how to conduct a simulated phishing email experiment and to create consolidated guidelines that companies could easily apply, using Company X2 as an example. The research questions of the thesis are the following: What should companies consider when conducting a phishing experiment? What is the relationship between the difficulty level of a phishing email and the click-through rate? How do people react to simulated phishing experiments? Both quantitative and qualitative methods were used in this study. First, consolidated guidelines for conducting simulated phishing experiments were created, based on earlier research. Second, a phishing experiment (Experiment I) was conducted among 53 participants using a crossover study design. The employees were randomly divided into two groups: (Group K) and (Group L). On different dates they were sent two emails of different difficulty levels: (Type X) and (Type Y). In the first campaign, Group K was sent the more difficult email (Type X) and Group L the simpler email (Type Y), and in the second campaign it was the other way round. The more difficult (Type X) emails were targeted, grammatically correct and had relevant content. The easier emails (Type Y) were more general and contained visible grammar mistakes. A spear phishing experiment (Experiment II) was conducted among two participants using a single-subject quasi-experimental research design.
The Type Z emails that were sent out during the spear phishing experiment were personalised and relevant in content and were based on background research on the two participants. Third, qualitative interviews were designed and conducted with the participants who took part in the simulated phishing attacks, in order to investigate how they react to such experiments and to improve the phishing email experiment guidelines based on their feedback. This study confirmed that the developed guidelines are sufficient for conducting phishing email experiments in companies. The results of the study showed that 23% of employees clicked on the harder-to-recognise email (Type X) and 11% on the easier-to-recognise email (Type Y). In addition, the easier-to-recognise email was reported more often (22.6%) than the harder-to-recognise email (18.9%). The spear phishing experiment proved successful and the participants did not recognise the simulated deception. This thesis shows that phishing attacks are more successful when the content of the email is targeted and relevant. The level of employee awareness about reporting was low and one of the main reasons for clicking was curiosity. The results of this study suggest that people react positively to simulated phishing attacks when these are conducted in a manner that does not cause the participants psychological harm or stress.
Phishing attacks are on the rise and more sophisticated than ever before, inflicting major financial damage on businesses. Simulated phishing attacks are of growing interest in academia; however, the studies mainly focus on specific angles of the phenomenon, e.g. ethical considerations, and not on the implementation itself. The author was not able to find consolidated guidelines that would walk through the whole process of conducting email phishing experiments. The aim of this study is to explore how to conduct simulated phishing experiments and to create consolidated guidelines that companies could easily implement, on the example of Company X1.
The research questions postulated for this study are: What should companies consider when conducting phishing experiments? What is the correlation between the phishing email difficulty level and the click-through rate? How do people react to simulated email phishing experiments? Both quantitative and qualitative research methods were applied to find answers to the research questions. Firstly, based on the existing studies, guidelines on how to conduct phishing experiments in companies were created. Secondly, a phishing experiment (Experiment I) was designed and conducted among 53 participants applying a crossover research design. The employees were randomly divided into two groups (Group K) and (Group L), and in two distinct time periods they were sent two emails which corresponded to the different difficulty levels (Type X and Type Y). During the first campaign Group K was sent the Type X email and Group L was sent the Type Y email, and during the second campaign it was vice versa. Type X email messages were designed to be targeted, grammatically correct and with relevant content. Type Y email messages were designed to be general and with visible grammar mistakes. Additionally, a spear phishing experiment (Experiment II) was conducted among two participants applying a single-subject quasi-experimental research design. The third type of emails (Type Z) that were sent out during the spear phishing experiment were personalized and relevant, based on the pre-conducted research about the two targets. Thirdly, qualitative interviews were designed and conducted with the employees who participated in the simulated phishing experiments to investigate how they react to such experiments and to improve the guidelines based on their feedback. This research confirmed that the proposed guidelines are sufficient for conducting phishing experiments in a company setting.
The results of this research show that 23% of the employees clicked on the link embedded in the more complex (Type X) phishing email and 11% of the employees clicked on the link embedded in the simpler (Type Y) email. Furthermore, Type Y emails were reported as phishing emails more frequently (22.6%), whereas Type X emails were reported less (18.9%). The spear phishing experiment was successful, and the participants did not recognize the deceptiveness of the simulated phishing emails. This research shows that the phishing success rate is higher when the content is targeted and relevant. The employee awareness level about reporting phishing was low and the main stimulus for clicking on phishing links was curiosity. The findings of this study imply that people react positively to phishing experiments if these are conducted in a manner that does not pose psychological damage or distress for the participants.

    On-the-Fly Establishment of Multi-hop D2D Communication based on Android Smartphones and Embedded Platforms: Implementation and Real-Life Experiments

    Master's thesis in information and communication technology - Universitetet i Agder, 2015 (confidential until 01.07.2020)

    Wrong Turn in Cyberspace: Using ICANN to Route Around the APA and the Constitution

    The Internet relies on an underlying centralized hierarchy built into the domain name system (DNS) to control the routing for the vast majority of Internet traffic. At its heart is a single data file, known as the root. Control of the root provides singular power in cyberspace. This Article first describes how the United States government found itself in control of the root. It then describes how, in an attempt to meet concerns that the United States could so dominate an Internet chokepoint, the U.S. Department of Commerce (DoC) summoned into being the Internet Corporation for Assigned Names and Numbers (ICANN), a formally private nonprofit California corporation. DoC then signed contracts with ICANN in order to clothe it with most of the U.S. government's power over the DNS, and convinced other parties to recognize ICANN's authority. ICANN then took regulatory actions that the U.S. Department of Commerce was unable or unwilling to make itself, including the imposition on all registrants of Internet addresses of an idiosyncratic set of arbitration rules and procedures that benefit third-party trademark holders. Professor Froomkin then argues that the use of ICANN to regulate in the stead of an executive agency violates fundamental values and policies designed to ensure democratic control over the use of government power, and sets a precedent that risks being expanded into other regulatory activities. He argues that DoC's use of ICANN to make rules either violates the APA's requirement for notice and comment in rulemaking and judicial review, or it violates the Constitution's nondelegation doctrine. Professor Froomkin reviews possible alternatives to ICANN, and ultimately proposes a decentralized structure in which the namespace of the DNS is spread out over a transnational group of policy partners with DoC.

    Improving Collection Understanding for Web Archives with Storytelling: Shining Light Into Dark and Stormy Archives

    Collections are the tools that people use to make sense of an ever-increasing number of archived web pages. As collections themselves grow, we need tools to make sense of them. Tools that work on the general web, like search engines, are not a good fit for these collections because search engines do not currently represent multiple document versions well. Web archive collections are vast, some containing hundreds of thousands of documents. Thousands of collections exist, many of which cover the same topic. Few collections include standardized metadata. Too many documents from too many collections with insufficient metadata make collection understanding an expensive proposition. This dissertation establishes a five-process model to assist with web archive collection understanding. This model aims to produce a social media story, a visualization with which most web users are familiar. Each social media story contains surrogates, which are summaries of individual documents. These surrogates, when presented together, summarize the topic of the story. After applying our storytelling model, they summarize the topic of a web archive collection. We develop and test a framework to select the best exemplars that represent a collection. We establish that algorithms produced from these primitives select exemplars that are otherwise undiscoverable using conventional search engine methods. We generate story metadata to improve the information scent of a story so users can understand it better. After an analysis showing that existing platforms perform poorly for web archives and a user study establishing the best surrogate type, we generate document metadata for the exemplars with machine learning. We then visualize the story and document metadata together and distribute it to satisfy the information needs of multiple personas who benefit from our model. Our tools serve as a reference implementation of our Dark and Stormy Archives storytelling model.
Hypercane selects exemplars and generates story metadata. MementoEmbed generates document metadata. Raintale visualizes and distributes the story based on the story metadata and the document metadata of these exemplars. By providing understanding immediately, our stories save users the time and effort of reading thousands of documents and, most importantly, help them understand web archive collections.

    Directory services for Internet telephony : creating a spanning layer over the Internet and telephone networks

    Thesis (M.S.)--Massachusetts Institute of Technology, Dept. of Electrical Engineering and Computer Science, 1997. Includes bibliographical references (leaves 57-58). By Andrew Lester Sears. M.S.

    Applying Domain Name System Real-Time Redundancy to the CCSO PH Phone Directory System


    Aspects of the nature and online resolution of domain-name disputes

    The thesis analyses selected aspects of domain-name law, mainly from the perspective of trade-mark law. It discusses the evolution of the domain-name system and how it operates as background to a more detailed discussion of the theoretical classification of domain names. The thesis then examines the interplay between trade marks and domain names, and the resolution of domain-name disputes resulting from the inherent tension between these two systems. The main principles of domain-name dispute resolution are identified by way of an analysis of the panel decisions handed down in terms of the international Uniform Dispute Resolution Policy (UDRP) and the South African domain name dispute resolution regulations. In each case this analysis also addresses the extent to which national trade-mark law principles (with reference to the laws of South Africa, the United Kingdom, and the United States of America) apply, and the extent to which this is appropriate. Private Law. LL.D.

    Design principles and patterns for computer systems that are simultaneously secure and usable

    Thesis (Ph.D.)--Massachusetts Institute of Technology, Dept. of Electrical Engineering and Computer Science, 2005. This electronic version was submitted by the student author. The certified thesis is available in the Institute Archives and Special Collections. Includes bibliographical references (p. 429-464) and index. It is widely believed that security and usability are two antagonistic goals in system design. This thesis argues that there are many instances in which security and usability can be synergistically improved by revising the way that specific functionality is implemented in many of today's operating systems and applications. Specific design principles and patterns are presented that can accomplish this goal. Patterns are presented that minimize the release of confidential information through remnant and remanent data left on hard drives, in web browsers, and in documents. These patterns are based on a study involving the purchase of 236 hard drives on the secondary market, interviews conducted with organizations whose drives had been acquired, and a detailed examination of modern web browsers and reports of information leakage in documents. Patterns are presented that enable secure messaging through the adoption of new key management techniques. These patterns are supported through an analysis of S/MIME handling in modern email clients, a survey of 469 Amazon.com merchants, and a user study of 43 individuals. Patterns are presented for promoting secure operation and for reducing the danger of covert monitoring. These patterns are supported by the literature review and an analysis of current systems. In every case considered, it is shown that the perceived antagonism of security and usability can be scaled back or eliminated by revising the underlying designs on which modern systems are conceived. In many cases these designs can be implemented without significant user interface changes.
The patterns described in this thesis can be directly applied by today's software developers and used for educating the next generation of programmers so that longstanding usability problems in computer security can at last be addressed. It is very likely that additional patterns can be identified in other related areas. By Simson L. Garfinkel. Ph.D.