
IU STUDY: MORE INTERNET USERS MAY BE TAKING 'PHISHING' BAIT THAN THOUGHT

A higher-than-expected percentage of Internet users are likely to fall victim to scam artists masquerading as trusted service providers, report researchers at the Indiana University (IU) School of Informatics.

 

The study, "Designing Ethical Phishing Experiments: A Study of eBay Query Features," simulated the "phishing" tactics used to elicit online information from eBay customers. The online auction giant was selected because of its popularity among millions of users and because it is one of the most frequent targets of phishing scams.

 

Phishers send e-mail to Internet users, pretending to be legitimate and well-known enterprises such as eBay, financial institutions, and even government agencies, in an attempt to dupe people into surrendering private information. Users are asked to click on a link that takes them to a site appearing to be legitimate. Once there, they are asked to correct or update personal information, such as bank, credit card, and Social Security account numbers.

 

Surveys by the Gartner Group, a consulting firm based in Stamford, CT, report that about 3% of adult Americans are successfully targeted by phishing attacks each year, a figure that may be conservative, given that many victims are reluctant to report what happened and others may be unaware they were victimized at all. Other surveys may overestimate the risk because respondents misunderstand what constitutes identity theft.

 

In contrast, experiments such as the one conducted by IU researchers Markus Jakobsson and Jacob Ratkiewicz have the advantage of reporting actual numbers. Their study, one of the first of its kind, reveals that phishers may be netting responses from as many as 14% of the targeted population per attack, as opposed to 3% per year.

 

Ratkiewicz and Jakobsson devised simulated attacks in which users received an e-mail appearing to be legitimate and providing a link to eBay. If recipients clicked on the link, they were in fact sent to the eBay site, but the researchers received a message letting them know that the recipient had logged in. The researchers specifically designed the study so that all they received was notification that a login occurred, not the login information (such as the recipient's eBay password) itself, unlike a real phishing attack, which is designed to harvest passwords and other personal information.
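The lure described in the two paragraphs above rests on one trick: the link in the message does not go where its text or branding implies. The following is an added example, not code from the IU study, from eBay, or from the paper; it runs the checks a mail filter would apply to each link in an HTML message (raw IP hosts, credentials embedded before an "@", a brand name on a host the brand does not own, and visible link text naming a different host than the href). The sample message, the brand name, and the list of trusted eBay domains are constructed assumptions for the example, and the hostnames in the sample are reserved documentation names, not real phishing infrastructure.

```python
"""Link audit for a suspected phishing e-mail (added example, not the study's code)."""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

BRAND = "ebay"                    # the impersonated brand (assumption for the example)
TRUSTED_SUFFIXES = ("ebay.com",)  # domains the brand legitimately uses (assumption)

# Link text that itself looks like a URL or bare hostname, e.g. "www.ebay.com".
URL_LIKE = re.compile(r"^(https?://)?[\w-]+(\.[\w-]+)+(/\S*)?$", re.IGNORECASE)


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> element in the HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def parse_url(s):
    """urlparse() with a default scheme so bare hosts still get a netloc."""
    s = s.strip()
    if "://" not in s:
        s = "http://" + s
    return urlparse(s)


def host_is_trusted(host):
    host = host.lower().rstrip(".")
    return any(host == sfx or host.endswith("." + sfx) for sfx in TRUSTED_SUFFIXES)


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_link(href, text):
    """Return the reasons a link is suspicious; an empty list means it passed."""
    if href.lower().startswith(("mailto:", "tel:")):
        return []
    try:
        parsed = parse_url(href)
    except ValueError:
        return ["unparseable"]
    host = (parsed.hostname or "").lower()
    reasons = []
    if parsed.username is not None:          # e.g. http://www.ebay.com@phish.example/
        reasons.append("userinfo")
    if is_ip_literal(host):                  # raw IP where a brand hostname is expected
        reasons.append("ip_host")
    if not host_is_trusted(host) and (BRAND in href.lower() or BRAND in text.lower()):
        reasons.append("brand_mismatch")     # brand named, but host is not the brand's
    if URL_LIKE.match(text):
        shown = (parse_url(text).hostname or "").lower()
        if shown != host:                    # text names one host, href goes to another
            reasons.append("display_mismatch")
    return reasons


def audit_message(html):
    """Return [(href, reasons)] for every link that tripped at least one check."""
    extractor = LinkExtractor()
    extractor.feed(html)
    findings = []
    for href, text in extractor.links:
        if not href:
            continue
        reasons = check_link(href, text)
        if reasons:
            findings.append((href, reasons))
    return findings


# Constructed sample message (not a real phish): one legitimate link and three lures.
SAMPLE_EMAIL = """
<p>Hi alice_sells, can you ship packages with insurance for an extra fee? Thanks!</p>
<p><a href="https://www.ebay.com/">Visit eBay</a> to reply.</p>
<p><a href="http://203.0.113.5/ebay/update.php">Update your account</a></p>
<p><a href="http://signin.ebay.com.example.net/ws/eBayISAPI.dll">www.ebay.com</a></p>
<p><a href="http://www.ebay.com@phish.example/login">https://www.ebay.com/</a></p>
"""

if __name__ == "__main__":
    for href, reasons in audit_message(SAMPLE_EMAIL):
        print(href, "->", ", ".join(reasons))
```

Two caveats a practitioner should keep in mind. First, the IU messages linked to the genuine eBay site, so every check above would have passed them; link auditing catches the crude lure, not the one whose only forgery is the sender and the pretext. Second, the hostname comparison is literal and does not detect internationalized-domain lookalikes, which need a separate homoglyph check.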

 

The study was approved in advance by the IU-Bloomington Human Subjects Committee, which is responsible for reviewing and approving research activities involving human subjects and data collection. The experiment was unusual in that it did not involve debriefing of subjects, given that this step was judged to be the one and only aspect of the experiment that could potentially pose harm to subjects, who might be embarrassed over having been "phished" or wrongly conclude that sensitive information had been harvested by the researchers.

 

One experiment they devised was a spear phishing attack, in which a phisher sends a "personalized" message to a user who might actually welcome or expect it. In this approach, the phisher gleans personal information readily available on the Internet and incorporates it into the attack, potentially making the attack more believable.

 

The researchers used three types of approach statements: "Hi can you ship packages with insurance for an extra fee? Thanks," "HI CAN YOU DO OVERNIGHT SHIPPING? THANKS!" and "Hi, how soon after payment do you ship? Thanks!" In a large portion of the messages, the user's eBay username was included in the message to make it appear more similar to those eBay would send.

 

"We think spear phishing attacks will become more prevalent as phishers are more able to harvest publicly available information to personalize each attack," Ratkiewicz said. "And there's good reason to believe that this kind of attack will be more dangerous than what we're seeing today."

 

The results of the IU researchers' latest phishing study were shared with eBay officials.

 

Jakobsson was the author of a 2004 report that detailed worst-case phishing scenarios and attacks and possible ways to prevent them. It was cited positively by various information technology leaders, including eBay officials.

 

To read Designing Ethical Phishing Experiments: A Study of eBay Query Features, go to http://www.informatics.indiana.edu/markus/papers/ethical_phishing-jakobsson_ratk.

 

Users of eBay should forward any message they think is fraudulent to spoof@ebay.com.

 

For more information about antiphishing research activities at IU, go to http://www.indiana.edu/~phishing.

 

SANDIA'S JESS 7.0 RULE ENGINE RELEASED AND AVAILABLE FOR LICENSING

Jess 7.0, a popular rule engine created by Sandia National Laboratories that enables software developers to embed intelligence in the form of business rules directly into their Java applications, is now available for licensing.

 

"Jess 7.0 includes new tools, improved features, and enhanced performance that allows users to manage and control business rules in an enterprise environment."

 

Among the new features is an integrated development environment (IDE) for rules that increases programmer productivity and enhances collaboration. The IDE is based on the award-winning Eclipse platform (http://www.eclipse.org) and features tools for creating, editing, visualizing, monitoring, and debugging rules.

 

Jess is the only enterprise-capable rule engine to offer both the convenience of an IDE and an unprecedented level of flexibility and openness, which makes it easy for developers to add the power of heuristic rules to applications that run on everything from handheld devices to enterprise servers. Jess supports the industry-standard JSR 94 Java Rule Engine API as well as its own rich interface, and executes rules written both in its own expressive rule language and in XML.

 

Jess is licensed commercially and is being used in enterprise applications at dozens of Fortune 500 companies, including many in the finance, insurance, security, transportation, and manufacturing sectors. Sandia also offers Jess licenses to academic and government institutions. Jess (along with the textbook Jess in Action) is used as a teaching tool at hundreds of universities around the globe.

 

Binary-only versions of Jess are available on a 30-day trial evaluation basis. Any other use of Jess, including commercial, internal, government, research-and-development, and no-fee academic/student use, requires a license. To learn more about Jess, visit http://www.jessrules.com or contact Sandia's Craig Smith (casmith@sandia.gov, 925-294-3358) for information on licensing the software.

 

Sandia is a multiprogram laboratory operated by Sandia Corporation, a Lockheed Martin company, for the US Department of Energy's National Nuclear Security Administration. With main facilities in Albuquerque, NM, and Livermore, CA, Sandia has major research and development responsibilities in national security, energy and environmental technologies, and economic competitiveness.

 

EUROPEAN JOURNAL OF INFORMATION SYSTEMS ISSUES CALL FOR PAPERS FOR SPECIAL ISSUE

The European Journal of Information Systems (EJIS) is calling for papers for a special issue: "HIS Research, Revelations and Visions." The focus of this special issue is to demonstrate how the information systems (IS) discipline can aid in shaping the future of healthcare information systems (HIS) through empirical and theoretical research.

 

Hundreds of billions of dollars are spent each year by governments and organizations in an attempt to improve the quality and productivity of HIS, and an increasing body of academic research has been devoted to this area. The IS discipline is well-equipped to conduct research that contributes toward the HIS goals of improving the capabilities of physicians and clinical staff and providing increased services to patients, caregivers, and citizens. Yet little research in top-tier IS journals is currently directed toward HIS.

Through this special issue, EJIS is offering IS researchers the opportunity to address the future of HIS. The general academic and professional literatures focus primarily on using HIS to consolidate and refine healthcare business processes. Although interesting research is published regularly in this area, it is clear that new approaches will be key to the future of HIS, and many of these new ideas could arise from the IS perspective.

This special issue seeks high-quality articles that provide rich and innovative insights on HIS. Topics of special interest include (but are not limited to) the following:

 

* Development and management of emerging HIS

 

* Networked HIS, including health information networks (HINs) and community HINs

 

* Management and integration of HIS component applications

 

* Privacy, confidentiality, and security issues in HIS

 

* Adoption, diffusion, and implementation of emerging and innovative HIS

 

* Evaluating and measuring HIS performance and return on investment

 

* Knowledge management and HIS

 

* Incorporating evidence-based medical practices into HIS design

 

* Consumer-centric design of telemedicine, home health innovations, and healthcare Web sites

 

* Impact of HIS on people, organizations, services, patient safety, and medical error reduction

 

* Patient-centered electronic health, HIS and electronic health records

 

* HIS for patient support groups

 

* Human-computer interaction and usability issues in HIS

 

* Innovations in design and use of mobile devices and ubiquitous computing

 

 

This special issue seeks manuscripts utilizing diverse research approaches, including theoretical, qualitative, and quantitative research methods. Authors are strongly encouraged to contact the special issue editors via e-mail to ascertain the fit of their work with the special issue in advance of the submission deadline. One-page summaries of proposed papers should be sent to Vasiliki Mantzana at Vasiliki.Mantzana@brunel.ac.uk.

 

Manuscript submissions should be between 4000 and 6000 words in length, with all contributions being subjected to a double-blind review process. There should be a separate title page giving the names and addresses of the authors. Manuscripts must be sent electronically (ejis@brunel.ac.uk), together with one to five key words and an abstract of approximately 150 to 200 words. Please check the Web site at http://www.palgrave-journals.com/ejis/instructions.html for author guidelines including format and style.

 

Papers are due February 28, 2007. Final notice of acceptance will occur by August 15, 2007. Camera-ready submissions are due September 15, 2007.

 

SPYGLASS CONSULTING STUDY FINDS THAT CLINICIANS MUST CARRY MULTIPLE MOBILE DEVICES TO COMMUNICATE EFFECTIVELY

Clinicians are forced to carry multiple mobile devices to effectively communicate with colleagues and patients, according to a recent report from Spyglass Consulting Group, Menlo Park, CA. Spyglass conducted more than 100 in-depth telephone interviews with physicians and nurses working in inpatient and outpatient environments nationwide to better understand how mobile communications solutions could be used to improve clinician mobility and responsiveness, enhance patient safety, and reduce communications costs.

 

Spyglass found that 67% of the clinicians interviewed carry multiple mobile devices to manage communications with different groups of people or to meet the communication requirements of specific job functions. They are experimenting with a wide variety of mobile devices, including pagers, cell phones, smart phones, and VoIP phones. The right mobile communications device depends on the work environment, job responsibilities, and personal preferences.

 

Clinicians interviewed lack tools to filter, manage, and prioritize communications to and from colleagues and patients. Clinicians create artificial barriers to prevent unnecessary interruptions and tend to prioritize communications based on who they know.

 

Clinicians interviewed are also having difficulties communicating with colleagues because of a dependency on paper-based work flows and a lack of standardized tools and processes to collaborate with colleagues across the continuum of care.

 

The Spyglass report "Healthcare Without Bounds: Trends in Mobile Communications" provides a comprehensive look at the current state of mobile communications adoption by clinicians across the United States. For more information, go to http://www.spyglass-consulting.com.

 

Your contributions to Top Drawer (news, calendar items, products for review) are welcome. Send them to:

 

CIN: Editorial Office
10A Beach Street, Suite 2
Portland, ME 04101
Telephone: 207-553-7750
Fax: 207-553-7751
E-mail: edit@medesk.com