By DAVID BANK
Staff Reporter of THE WALL STREET JOURNAL
August 17, 2005
To fight computer crime, the good guys are masquerading as bad guys
pretending to be good guys.
In recent months, nearly 10,000 New York state employees have received
email messages that appeared to be official notices asking them to
click on Web links and provide passwords and other confidential
information about themselves.
Those who complied received gentle slaps on the wrist from William
Pelgrin, New York's chief information security officer, who explained
that the seemingly authentic messages were crafted by state officials
"to demonstrate how realistic attackers' fake emails can seem."
The exercise, along with similar ones conducted at the U.S. Military
Academy at West Point, N.Y., and at least two other organizations,
represents a new -- and controversial -- approach to fending off
computer hackers. By using some of the same "social engineering"
techniques as the attackers, defenders hope to train users to be more
careful about sharing sensitive information online. Mr. Pelgrin plans
to brief officials from other states about the exercise in a
conference call today.
"This is not a one-shot deal," Mr. Pelgrin says. "I've got to
reinforce that behavioral change to make it permanent."
Such change is important because hackers are increasingly exploiting
the weakest link in computer security -- humans. Most computer users
have become savvy enough to avoid obvious attempts at what security
experts call "phishing" -- phony email messages, often purportedly
from financial institutions, that ask for personal information such as
account or Social Security numbers.
But many are still succumbing to a new wave of more sophisticated
attacks, dubbed "spear phishing," that are targeted at specific
companies and government agencies. In such exploits, attackers create
email messages that are designed to look like they came from the
recipient's company or organization, such as an information-technology
or a human-resources department.
More than 35 million of these targeted email messages to steal
critical data and personal information were launched in the first half
of the year, according to a report this month from International
Business Machines Corp. And use of these scams is soaring: The number
of such email messages sent rose more than 1,000% from January to
June, the company said.
The mock phishing exercises demonstrate how effective such attacks can
be. In June 2004, more than 500 cadets at West Point received an email
from Col. Robert Melville notifying them of a problem with their grade
report and ordering them to click on a link to verify that the grades
were correct. More than 80% of the students dutifully followed the
But there is no Col. Robert Melville at West Point. The email was
crafted by Aaron Ferguson, a computer-security expert with the
National Security Agency who teaches at West Point. The gullible
cadets received a "gotcha" email, alerting them they could easily have
downloaded spyware, "Trojans" or other malicious programs and
suggesting they be more careful in the future. Mr. Ferguson, who runs
similar exercises each semester, said many cadets have been victimized
by real online frauds.
"There have been quite a few cadets who have been duped," he says.
Nonetheless, he says the exercise upset some cadets, who felt it
exploited their inclination to follow an order from a colonel, no
questions asked. He says the new edict is, "Ask questions first, then
Some computer-security experts say the bogus phishing exercises can
help "inoculate" users against falling for real phishing scams, much
like vaccines use a broken version of a real disease to provide
immunization. "This is a key defense against large-scale theft of
confidential information," says Alan Paller, research director of the
SANS Institute, a computer-security clearinghouse based in Bethesda,
Md., who helped devise the New York state exercise.
Still, there are potential pitfalls, including the possible loss of
trust among employees for their organizations' own
information-security staff. "My initial thoughts when I heard about it
was 'Whoa, this sounds questionable,' " says David Jevans, chairman of
the Anti-Phishing Working Group, an industry consortium. He says that
although employers are within their rights to train their employees,
companies should be careful before they intentionally use mock email
on their customers. "You're playing with fire," he says. "Are people
ever going to trust your email?" Mr. Jevans, chief executive of a
computer-security firm called IronKey Inc., argues that technical
methods for authenticating email are likely to be more effective than
such user education.
In New York, Mr. Pelgrin says he took pains to carefully design the
exercise, including hiring an outside Web consultant to design the
mock email pitch. "We wanted to make sure it was not too good," he
says. He also enlisted AT&T Corp. to route the email messages so that
they came from outside the state's own computer network, just like a
real phishing attack.
In the first phase, in March, nearly 10,000 employees received an
email with the logo of the state's Office of Cyber Security and
Critical Infrastructure Coordination. The note directed employees to a
special "password checker" site. "You are required to check your
password by clicking on the link below and entering your password and
email address by close of business today."
About 15% of the recipients tried to enter their passwords before
being stopped by the automated program, which sent them a note
explaining the exercise. An additional 3% tried to enter the Web
address in their own browsers, a sound security practice that can
deflect most attacks.
In July, a second message, purportedly from the employee's own agency,
asked for help fixing an Internet problem "due to a suspected cyber
security event." A link took employees to a Web page that asked their
email address, agency, network user name and password, and phone
number. This time, only 8% of the recipients tried to interact with
the fake Web site, while 5% were careful enough to enter the Web
It is too early to declare the program a complete success, but Mr.
Pelgrin says he plans to repeat the exercises.
"Repetition is important. Vigilance is critical," he says. "The bottom
line lesson was: Even if the request comes from legitimate
individuals, never give out personal information."
Sept 16-18th, 2005
San Diego, California