Archive for the year 2009
Phishing Attacks Rarely Work, But Still Worth Millions
A new report from Trusteer has shown that phishing attacks are rarely successful, but still worth millions of dollars to the attackers.
Trusteer makes a browser plugin called Rapport which is given away for free to customers of certain banks (including some Canadian banks). The plugin monitors for phishing attacks and can detect when someone is submitting login information to a false banking site. Rapport has been installed on about 3 million computers in Europe and North America, and data collected by the plugin provides a valuable look into the damage caused by phishing attacks.
In the recent study, Trusteer monitored the data from the Rapport plugin during a three month period, and in that time it analyzed phishing attacks against 10 large banks in the US and Europe. The key findings were:
- each bank was targeted by an average of 16 phishing attacks per week (or about 832 attacks per year)
- out of every million bank customers, about 12 (0.00125%) are lured into visiting each false web site that was studied. This is a very low success rate, but…
- given that a bank experiences many phishing attacks in a year, about 1.04% of its customers were lured to one of the false web sites each year
- once people were lured to a false web site, about 50% of the time they entered and submitted their login information
- doing the math, this means that about 0.47% of a bank's customers revealed their login information to criminals each year
- if the losses from stolen login information total $2,000 per case, then a bank with a million customers lost about $9.4 million per year
- …and that money is going to criminals
Whoever said that crime does not pay did not try phishing.
Posted: December 7th, 2009 under Security & privacy.
Swapping fingerprints to fool immigration
A Chinese woman managed to enter Japan illegally by having plastic surgery to alter her fingerprints, thus fooling immigration controls, police claim.
This is a case of a woman who underwent surgery to alter her fingerprints in order to get past Japanese immigration procedures. Apparently, the measures worked and she was only found out when arrested on an unrelated charge.
The surgery switched the fingerprints of the thumbs and index fingers between the two hands, presumably to allow the person to present the original or modified fingerprint when given the option of which hand to present to a scanner.
It makes me wonder if fingerprint transplants between people are also a viable threat. It is also not clear how 10-print systems that record fingerprints from all the fingers, such as those now used by US immigration, would handle such finger swapping.
Posted: December 7th, 2009 under Security & privacy.
Brain Scan Used in Murder Trial
There have been significant advances recently in understanding the biological basis of human behavior. Brain imaging technologies, such as Functional MRI (fMRI), allow researchers to study brain processes during complex thought processes. fMRI can be used to study a variety of behaviors, and some people have proposed that the scans can be used to detect lying, although it has never been accepted in court.
In this case, a murder trial, the fMRI evidence was used at the sentencing stage in an attempt to show that the defendant suffered from a brain disorder and should be spared the death penalty. The jury did not agree and the man was sentenced to death, although there may have been some doubts raised.
fMRI Evidence Used in Murder Sentencing
For what may be the first time, fMRI scans of brain activity have been used as evidence in the sentencing phase of a murder trial. Defense lawyers for an Illinois man convicted of raping and killing a 10-year-old girl used the scans to argue that their client should be spared the death penalty because he has a brain disorder.
Posted: November 24th, 2009 under Human nature.
Subway studies: Underground interactions
Studying the behavior of people in crowded conditions has always been interesting. This article from Slate describes the history of Social Psychology research in subway systems around the world.
Psychologists have been watching us on the subway. Here’s what they’ve learned.
“About 4,450 men and women who traveled on the 8th Avenue IND in New York City, weekdays between the hours of 11:00 A.M. and 3:00 P.M. during the period from April 15 to June 26, 1968, were the unsolicited participants in this study.”
Posted: November 20th, 2009 under Human nature.
Politically Incorrect Truths About Human Nature
Why most suicide bombers are Muslim, beautiful people have more daughters, humans are naturally polygamous, sexual harassment isn’t sexist, and blonds are more attractive.
When I was an undergraduate, my first mentor was an expert on the psychology of categorization — how we make sense of the world by deciding what belongs with what. This professor was the most eccentric one I had in a long university career, and probably the most brilliant. One of his many lines, which I will never forget, was: “stereotypes develop for a reason”.
A stereotype is a generalization or commonly-held belief about a group of people, and stereotypes are often considered to be politically incorrect. But, in the absence of any information about a particular individual, information about a stereotype for the group is often quite valuable. Just as in statistics, in the absence of specific information about all the data, information about central tendency and variance can be very useful. Stereotypes are not always negative, although we tend to only use the word when referring to negative characteristics.
By rejecting stereotypes because they are often used negatively, we are forgetting the valuable role that they can play in making sense of the world. An older Psychology Today article from 2007 reviews some of the stereotypes we have about human behavior, and the truth behind them.
Posted: November 13th, 2009 under Human nature.
Launch of NetSafetyGuide.com
Today I am launching NetSafetyGuide.com, an ad-supported site offering practical, up-to-date news and tips about Internet safety and security.
I believe that there is very little down-to-earth, practical information available for individuals and small businesses who want to stay secure on the Internet, but don’t know how to do it. My intention with this site is to provide current, direct advice and news that people will find useful.
Drop by and check it out.
Posted: November 6th, 2009 under Events, Security & privacy.
Dowsing for bombs
It seems that the military in Iraq has discovered a magical way to detect bombs, and they are spending millions of dollars to deploy it at checkpoints around the country.
The technology, however, is well known to be the equivalent of a dowsing rod and it is completely useless. Making fun of other people’s stupid beliefs can be fun, but when lives are on the line you have to be concerned.
More from the NY Times:
Iraq Swears by Bomb Detector U.S. Sees as Useless
Despite major bombings that have rattled the nation, and fears of rising violence as American troops withdraw, Iraq’s security forces have been relying on a device to detect bombs and weapons that the United States military and technical experts say is useless.
The small hand-held wand, with a telescopic antenna on a swivel, is being used at hundreds of checkpoints in Iraq. But the device works “on the same principle as a Ouija board” — the power of suggestion — said a retired United States Air Force officer, Lt. Col. Hal Bidlack, who described the wand as nothing more than an explosives divining rod.
Posted: November 4th, 2009 under Skepticism & beliefs.
Little Albert found: More history of Psychology
John Watson, the founder of the behaviorism movement in Psychology, wanted to demonstrate that seemingly primitive emotions like fear were, in fact, learned and not instinctual. So he prepared a demonstration where a small child, known as Little Albert, was exposed to a number of small animals.
Albert showed no fear, but then Watson made a loud noise, a clang that Albert did fear, whenever Albert was shown the white rat. Soon enough, Albert was upset whenever he was shown the white rat, even without the clang. Watson argued that this was a demonstration of the importance of learning and the environment in child development, a lesson that changed developmental theory for years to come.
But what happened to Little Albert? Was he afraid of white rats, and other furry creatures, for the rest of his life? Was he forever traumatized by the simple experiment?
This article reports on a detective story to find Little Albert.
One of the most famous and most mythologised studies in psychology concerns John Watson’s experiment to condition ‘Little Albert’ to be afraid of a white rat. ‘Little Albert’ and his mother moved away afterwards and no-one knew what happened to him, leading to one of the most enduring mysteries in psychology. Finally, it seems, his identity has been discovered.
Posted: October 22nd, 2009 under Human nature.
Encryption Without Administrator Privileges?
I am working on building an encryption solution for novice Windows users who do not have administrator privileges on the machines they use. Giving the users admin access is not an option because of the environment they work in.
I have explored a couple of different technologies and I would like to hear what other people have done. Do you know of any good technologies for this problem?
The encryption solution would primarily be used for safely storing files on USB flash drives that are carried between work locations, but it might also be used for safe storage on laptop and office computers.
I am a big fan of TrueCrypt and have had a lot of success creating encrypted containers on USB drives. But TrueCrypt requires an admin account to install and run the software, so these users can’t use it. It seems that most encryption solutions also require administrator privileges.
I have tried FreeOTFE, which offers a no-install version called FreeOTFE Explorer. This software can be copied to a USB drive and then run by a non-admin user. The user can create an encrypted container, mount it, and then drag files and folders into the container using an Explorer-like interface. So far, so good.
The problem with FreeOTFE Explorer is that the users cannot work with the files within the secure container. They can’t, for example, double click on a .doc file in the Explorer-like window and launch Word to edit the file. The only thing they can do with files in the secure container is extract them to an unsecure disk.
This means that a workflow using FreeOTFE Explorer would have to be something like:
- open the container
- extract the file to an unsecure disk
- edit and save the file
- copy the file back to the encrypted container, using an overwrite option
- remove the copy on the unsecure disk
This is overly cumbersome and likely to lead to insecurities if the unsecure disk is not kept clean. I would really like these novice users to be able to work with files in the same way they are used to on unsecure disks.
The other option I have looked at is encrypted USB flash drives. Some drives, such as the ones from IronKey, have hardware encryption technology that can be used without administrator privileges. I don’t own one of these but, as far as I can tell, their operation should be transparent and users should be able to click on their files to open applications in the usual way.
IronKey drives, and other similar hardware encryption drives, are expensive, with prices being 4-5 times that of a normal USB drive. However, they may be the best solution to my problem, at least for securing files on USB drives. They would not provide a solution for secure storage on laptop hard drives or desktop computers.
Do you know of any other encryption solutions for users without administrator privileges? Please post a comment below.
Posted: October 22nd, 2009 under Security & privacy.
How Chiropractic Kills
Here is an important article from the email newsletter of the Skeptics Society. J.D. Haines, a doctor and professor from the University of Oklahoma, describes the numerous cases where neck manipulations done by chiropractors have led to death and serious neurological injuries.
Fatal Adjustments: How Chiropractic Kills
When Kristi Bedenbaugh wanted relief from a bad sinus headache, the 24 year-old former beauty queen and medical office administrator made the mistake of consulting a chiropractor. An autopsy performed on Kristi revealed that the manipulation of her neck had split the inner walls of both vertebral arteries, resulting in a fatal stroke.
…
The real tragedy is that cervical spine manipulation is totally worthless in treating problems like Kristi Bedenbaugh’s. So, however rare the incidence of adverse outcome, the risk always outweighs any perceived benefit. There is no medically proven benefit whatsoever to chiropractic manipulation of the cervical spine.
…
The public is led to believe that physicians disparage chiropractors out of some sort of professional jealousy. Yet there is only one reason that physicians judge chiropractors so harshly. Medicine is scientifically based, whereas chiropractic is not supported by a single legitimate scientific study.
Posted: October 21st, 2009 under Skepticism & beliefs.