The third wave of network attacks By Bruce Schneier, CTO, Counterpane Internet Security Inc., Special to ZDNet October 3, 2000 4:53 AM PT On Aug. 25, the press release-distribution service Internet Wire received a forged e-mail that appeared to come from Emulex Corp. and said that the CEO had resigned and the company's earnings would be restated.

Internet Wire posted the press release, not bothering to verify either its origin or contents. Several financial news services and Web sites further distributed the false information, and the stock dropped 61 percent (from $113 to $43) before the hoax was exposed.

This is a devastating network attack. Despite its amateurish execution (the alleged perpetrator, trying to make money on the stock movements, was caught in less than 24 hours), $2.54 billion in market capitalization disappeared, only to reappear hours later. With better planning, a similar attack could do more damage and be more difficult to detect.

It's an illustration of what I see as the third wave of network attacks -- which will be much more serious and harder to defend against than the first two waves.

History of attacks The first wave of attacks was physical: attacks against the computers, wires and electronics. These were the first kinds of attacks the Internet defended itself against.

Distributed protocols reduce the dependency on any one computer. Redundancy removes single points of failure. We've seen many cases where physical outages -- power, data or otherwise -- have caused problems, but these generally are problems we know how to solve.

Over the past several decades, computer security has focused around syntactic attacks: attacks against the operating logic of computers and networks. This second wave of attacks targets vulnerabilities in software products, problems with cryptographic algorithms and protocols, and denial-of-service vulnerabilities -- pretty much every security alert from the past decade.

It would be a lie to say that we know how to protect ourselves against these kinds of attacks, but I hope that detection and response processes will give us some measure of security in the coming years. At least we know what the problem is.

Semantic attacks The third wave of network attacks comprises semantic attacks: attacks that target the way we, as humans, assign meaning to content. In our society, people tend to believe what they read. How often have you needed the answer to a question and searched for it on the Web? How often have you taken the time to corroborate the veracity of that information, by examining the credentials of the site, finding alternate opinions, and so on? Even if you did, how often do you think writers make things up, blindly accept "facts" from other writers, or make mistakes in translation?

On the political scene we've seen many examples of false information being reported, getting amplified by other reporters, and eventually being believed as true. Someone with malicious intent can do the same thing.

In the book "How to Play With Your Food," Penn and Teller included a fake recipe for "Swedish Lemon Angels," with ingredients such as five teaspoons of baking soda and a cup of fresh lemon juice, designed to erupt all over the kitchen. They spent considerable time explaining how you should leave their book open to the one fake page, or photocopy it and sneak it into friends' kitchens. It's much easier to put it up on cookinclub.com and wait for search engines to index it.

People are already taking advantage of others' naivete. Many old scams have been adapted to e-mail and the Web. Unscrupulous stockbrokers use the Internet to fuel their "pump and dump" strategies. On Sept. 6, the Securities and Exchange Commission charged 33 companies and individuals with Internet semantic attacks (they called it fraud) such as posting false information on message boards.

It's not only posting false information; changing old information can also have serious consequences. I don't know of any instance of someone breaking into a newspaper's article database and rewriting history, but I don't know of any newspaper that checks, either.

Fooling computers Against computers, semantic attacks become even more serious. Computer processes are much more rigid in the type of input they accept; generally this input is much narrower than a human making the same decision would get.

Falsifying input into a computer process can be much more devastating, simply because the computer cannot demand all the corroborating input that people have instinctively come to rely on. Indeed, computers are often incapable of deciding what the "corroborating input" would be, or how to go about using it in any meaningful way.

Despite what you see in movies, real-world software is incredibly primitive when it comes to what we call "simple common sense." For example, consider how incredibly stupid most Web filtering software is at deriving meaning from human-targeted content.

Can airplanes be delayed, or rerouted, by feeding bad information into the air traffic control system? Can process-control computers be fooled by falsifying inputs? What happens when smart cars steer themselves on smart highways?

It used to be that you had to actually buy piles of books to fake your way onto the New York Times best-seller list; now, it's a lot easier just to change a few numbers in booksellers' databases. What about a successful semantic attack against the NASDAQ or Dow Jones databases? The people who lost the most in the Emulex hoax were the ones with preprogrammed "sell" orders.

None of these attacks is new; people have long been the victims of bad statistics, urban legends and hoaxes. Any communications medium can be used to exploit credulity and stupidity, and people have been doing that for eons. Computer networks make it easier to start attacks and speed their dissemination, or for one anonymous individual to reach vast numbers of people at virtually no cost.

In the near future, I predict that semantic attacks will be more serious than physical or even syntactic attacks. It's not enough to dismiss them with the cryptographic magic wands of "digital signatures," "authentication" or "integrity." Semantic attacks directly target the human/computer interface, the most insecure interface on the Internet.

Only amateurs attack machines; professionals target people. And any solutions will have to target the people problem, not the math problem.

http://www.zdnet.com/zdnn/stories/comment/0,5859,2635895,00.html

-- Martin Thompson (mthom1927@aol.com), October 03, 2000