Home → Magazine Archive → December 2000 (Vol. 43, No. 12) → Inside Risks: Semantic Network Attacks → Full Text

Inside Risks: Semantic Network Attacks

By Bruce Schneier

Communications of the ACM, Vol. 43 No. 12, Page 168
10.1145/355112.355131


Save PDF

On August 25, 2000, Internet Wire received a forged email press release seemingly from Emulex Corp., saying that the Emulex CEO had resigned and the company's earnings would be restated. Internet Wire posted the message, without verifying either its origin or contents. Several financial news services and Web sites further distributed the false information, and the stock dropped 61% (from $113 to $43) before the hoax was exposed.

This was a devastating network attack. Despite its amateurish execution (the perpetrator, trying to make money on the stock movements, was caught in less than 24 hours), $2.54 billion in market capitalization disappeared, only to reappear hours later. With better planning, a similar attack could do more damage and be more difficult to detect. It's an illustration of what I see as the third wave of network attackswhich will be much more serious and more difficult to defend against than the first two waves.

The first wave is physicalattacks against computers, wires, and electronics. As defenses, distributed protocols reduce the dependency on any one computer, and redundancy removes single points of failure. Although physical outages have caused problems (power, data, and the like), these are problems we basically know how to solve.

The second wave of attacks is syntactic, attacking vulnerabilities in software products, problems with cryptographic algorithms and protocols, and denial-of-service vulnerabilitiesdominating recent security alerts. We have a bad track record in protecting against syntactic attacks, as noted in previous columns here. At least we know what the problem is in these type of attacks.

The third wave of network attacks is semantic, targetting the way we assign meaning to content. In our society, people tend to believe what they read. How often have you needed the answer to a question and searched for it on the Web? How often have you taken the time to corroborate the veracity of that information, by examining the credentials of the site, finding alternate opinions, and so on? Even if you did, how often do you think writers make things up, blindly accept "facts" from other writers, or make mistakes in translation? On the political scene, we've seen many examples of false information being reported, getting amplified by other reporters, and eventually being believed as true. Someone with malicious intent can do the same thing.

People already take advantage of others' naiveté. Many old scams have been adapted to email and the Web. Unscrupulous stockbrokers use the Internet to fuel "pump-and dump" strategies. On September 6, 2000, the Securities and Exchange Commission charged 33 companies and individuals with Internet fraud, many based on semantic attacks such as posting false information on message boards. However, changing old information can also have serious consequences. I don't know of any instance of someone breaking into a newspaper's article database and rewriting history, but I don't know of any newspaper that checks, either.

Against computers, semantic attacks become even more serious. Computer processes are rigid in the type of inputs they acceptand generally much less than a human making the same decision would see. Falsifying computer input can be much more far-reaching, simply because the computer cannot demand all the corroborating input that people have instinctively come to rely on. Indeed, computers are often incapable of deciding what the "corroborating input" would be, or how to go about using it in any meaningful way. Despite what you see in movies, real-world software is incredibly primitive when it comes to what we call "simple common sense." For example, consider how incredibly stupid most Web filtering software is at deriving meaning from human-targeted content.

Can air-traffic control systems, process-control computers, and "smart" cars on "smart" highways be fooled by bogus inputs? You once had to buy piles of books to fake your way onto the New York Times best-seller list; it's a lot easier to just change a few numbers in booksellers' databases. What about a successful semantic attack against the Nasdaq or Dow Jones databases? The people who lost the most in the Emulex hoax were the ones with preprogrammed sell orders.

None of these attacks is new; people have long been the victims of bad statistics, urban legends, hoaxes, gullibility, and stupidity. Computer networks make it easier to start attacks and speed their dissemination, or for anonymous individuals to reach vast numbers of people at almost no cost.

In the future, I predict that semantic attacks will be more serious than physical and syntactic attacks. It's not enough to dismiss them with the cryptographic magic wands of digital signatures, authentication, and integrity. Semantic attacks directly target the human/computer interface, the most insecure interface on the Internet. Amateurs tend to attack machines, whereas professionals target people. Any solutions will have to target the people problem, not the math problem.

Back to Top

Author

Bruce Schneier is CTO of Counterpane Internet Security, Minneapolis, Minn; www.counterpane.com.


©2000 ACM  0002-0782/00/1200  $5.00

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee.

The Digital Library is published by the Association for Computing Machinery. Copyright © 2000 ACM, Inc.

0 Comments

No entries found