MIT researchers attack wireless shortcomings, phishing

MIT proposes opportunistic coding and Web Wallets.

CAMBRIDGE, MASS. -- MIT Assistant Professor Dina Katabi says incremental increases in wireless network throughput just aren't going to cut it. Colleague Rob Miller says phishing attacks continue to get trickier and more threatening, and that a "Web wallet" could be the answer to safer e-commerce.

They are two of more than a dozen MIT faculty members presenting their latest research this week at the MIT Information Technology Conference to an audience of business representatives whose companies partner with the university to exchange ideas and transfer technologies from labs into the real world.

Katabi, a member of MIT's Department of Electrical Engineering and Computer Science, focused during her presentation Tuesday on a project to boost wireless network performance that involves a practice called opportunistic coding, or COPE. To meet expanding demands on wireless networks, she says a breakthrough is needed: one that won't just involve a 10% increase in throughput or even what the latest 802.11 iterations might bring. "We need a severalfold increase," she said.

Key to pulling this off is treating wireless like... wireless, and taking advantage of its shared nature and broadcast capabilities rather than force-fitting it to work like point-to-point wired nets. She also is advocating a system that gives routers responsibility for mixing or coding the packets they receive and then shooting them out to a dynamic set of senders and receivers that all listen for new traffic to determine if the traffic is for them or a neighbor.

Early experiments with the wireless technique have shown significant throughput increases. She said her group saw a doubling of throughput in a very small setting and as much as fourfold in an experiment using UDP traffic involving 34 nodes on three floors of an MIT building. In response to a question about whether the technology has made it into any commercial products, Katabi stressed that the work is still in its early stages.

Assistant Professor Miller, in his presentation, concentrated on phishing, which he acknowledged "seems to be pretty effective" judging by the number of people who have acknowledged falling prey to such schemes and the fact that the number of phishing sites on the Web has skyrocketed over just the past year.

His group has examined the effectiveness of assorted anti-phishing systems, such as toolbars that aim to block phishing messages or alert users that they might be getting played by a crook by signaling "red" or stop at the sign of a questionable site. One experiment involved bringing users into a lab where they were told security was to be a key part of their "job" as a personal assistant handling e-mails sent to their employer. Some toolbars worked better than others, such as those featuring SSL verification or providing an indicator of a potentially fraudulent site. But at least a third of the spoofs worked in all cases before users were given a security tutorial, and even after they were educated, between 15% and 35% of the spoofs still worked. "The upshot was that toolbars don't really work too well," he said.

The researchers found that users had all sorts of excuses for getting fooled. Some assumed that funky-looking URLs were the result of a company outsourcing its business. Others found it difficult to distinguish between fraudulent sites and "ordinary weirdness" of the Web, Miller said.

Given that phishing schemes are so tricky, Miller's team is concentrating its efforts on redesigning browsers so that a user's intentions are clear to them. In other words, if a user wants to go to the site of a certain retailer, the browser would confirm the real URL for the retailer rather than letting the user go to a similar-looking, but bogus site. Key to doing this is improving not just security but usability, as Miller noted that enough roadblocks have already been thrown in front of users -- in the name of security -- when they try to conduct transactions on the Web.

Miller described his team's Web wallet project, which features such concepts as showing a user a list of proposed sites to visit, enabling the user to choose the site he really wants to visit. The wallet would also provide the user a place to fill in his personal information, banning the user from putting such information directly into forms on Web sites. Miller and colleagues have conducted a study on the wallet that found it did cut down significantly on spoof rates using current phishing attacks (7% of Internet Explorer users in the study fell victim to spoofs while using the wallet, whereas 63% without the wallet fell for the scams). But Miller warned that when his group added in some new phishing scams, such as presenting users with a fake Web Wallet, the overall percentage of users duped rose to 29%.

Miller concluded that security solutions need to respect user goals since "they're going to try to plow ahead and achieve those goals despite what security software is trying to tell them." Making security part of the natural workflow is key, he said.
