________________________________________________________________________________

CRYPTO-GRAM
October 15, 2000

Semantic Attacks: The Third Wave of Network Attacks

On 25 August 2000, the press release distribution service Internet Wire received a forged e-mail that appeared to come from Emulex Corp. and said that the CEO had resigned and the company's earnings would be restated. Internet Wire posted the press release, not bothering to verify either its origin or contents. Several financial news services and Web sites further distributed the false information, and the stock dropped 61% (from $113 to $43) before the hoax was exposed.

This is a devastating network attack. Despite its amateurish execution (the perpetrator, trying to make money on the stock movements, was caught in less than 24 hours), $2.54 billion in market capitalization disappeared, only to reappear hours later. With better planning, a similar attack could do more damage and be more difficult to detect. It's an illustration of what I see as the third wave of network attacks -- which will be much more serious and harder to defend against than the first two waves.

The first wave of attacks was physical: attacks against the computers, wires, and electronics. These were the first kinds of attacks the Internet defended itself against. Distributed protocols reduce the dependency on any one computer. Redundancy removes single points of failure. We've seen many cases where physical outages -- power, data, or otherwise -- have caused problems, but largely these are problems we know how to solve.

Over the past several decades, computer security has focused around syntactic attacks: attacks against the operating logic of computers and networks. This second wave of attacks targets vulnerabilities in software products, problems with cryptographic algorithms and protocols, and denial-of-service vulnerabilities -- pretty much every security alert from the past decade.
It would be a lie to say that we know how to protect ourselves against these kinds of attacks, but I hope that detection and response processes will give us some measure of security in the coming years. At least we know what the problem is.

The third wave of network attacks is semantic attacks: attacks that target the way we, as humans, assign meaning to content.

In our society, people tend to believe what they read. How often have you needed the answer to a question and searched for it on the Web? How often have you taken the time to corroborate the veracity of that information, by examining the credentials of the site, finding alternate opinions, and so on? Even if you did, how often do you think writers make things up, blindly accept "facts" from other writers, or make mistakes in translation? On the political scene we've seen many examples of false information being reported, getting amplified by other reporters, and eventually being believed as true. Someone with malicious intent can do the same thing.

In the book _How to Play With Your Food_, Penn and Teller included a fake recipe for "Swedish Lemon Angels," with ingredients such as five teaspoons of baking soda and a cup of fresh lemon juice, designed to erupt all over the kitchen. They spent considerable time explaining how you should leave their book open to the one fake page, or photocopy it and sneak it into friends' kitchens. It's much easier to put it up on www.cookinclub.com and wait for search engines to index it.

People are already taking advantage of others' naivete. Many old scams have been adapted to e-mail and the Web. Unscrupulous stockbrokers use the Internet to fuel their "pump and dump" strategies. On 6 September, the Securities and Exchange Commission charged 33 companies and individuals with Internet semantic attacks (they called it fraud) such as posting false information on message boards.

It's not only posting false information; changing old information can also have serious consequences. I don't know of any instance of someone breaking into a newspaper's article database and rewriting history, but I don't know of any newspaper that checks, either.

Against computers, semantic attacks become even more serious. Computer processes are much more rigid in the type of input they accept; generally this input is much less than a human making the same decision would get. Falsifying input into a computer process can be much more devastating, simply because the computer cannot demand all the corroborating input that people have instinctively come to rely on. Indeed, computers are often incapable of deciding what the "corroborating input" would be, or how to go about using it in any meaningful way. Despite what you see in movies, real-world software is incredibly primitive when it comes to what we call "simple common sense." For example, consider how incredibly stupid most Web filtering software is at deriving meaning from human-targeted content.

Can airplanes be delayed, or rerouted, by feeding bad information into the air traffic control system? Can process control computers be fooled by falsifying inputs? What happens when smart cars steer themselves on smart highways? It used to be that you had to actually buy piles of books to fake your way onto the New York Times best-seller list; it's a lot easier to just change a few numbers in booksellers' databases. What about a successful semantic attack against the NASDAQ or Dow Jones databases? The people who lost the most in the Emulex hoax were the ones with preprogrammed sell orders.

None of these attacks is new; people have long been the victims of bad statistics, urban legends, and hoaxes. Any communications medium can be used to exploit credulity and stupidity, and people have been doing that for eons.
Computer networks make it easier to start attacks and speed their dissemination, or for one anonymous individual to reach vast numbers of people at virtually no cost.

In the near future, I predict that semantic attacks will be more serious than physical or even syntactic attacks. It's not enough to dismiss them with the cryptographic magic wands of "digital signatures," "authentication," or "integrity." Semantic attacks directly target the human/computer interface, the most insecure interface on the Internet. Only amateurs attack machines; professionals target people. And any solutions will have to target the people problem, not the math problem.

The conceptualization of physical, syntactic, and semantic attacks is from an essay by Martin Libicki on the future of warfare.

PFIR Statement on Internet hoaxes:

Swedish Lemon Angels recipe:

A version of it hidden among normal recipes (I didn't do it, honest):

Mediocre photos of people making them (note the gunk all over the counter by the end):

SatireWire: How to Spot a Fake Press Release

Taking over the air-traffic-control radio:

A version of this essay appeared on ZDnet:

SlashDot commentary on it:

CRYPTO-GRAM is a free monthly newsletter providing summaries, analyses, insights, and commentaries on computer security and cryptography.

To subscribe, visit or send a blank message to crypto-gram-subscribe@chaparraltree.com. To unsubscribe, visit . Back issues are available on .

Please feel free to forward CRYPTO-GRAM to colleagues and friends who will find it valuable. Permission is granted to reprint CRYPTO-GRAM, as long as it is reprinted in its entirety.

CRYPTO-GRAM is written by Bruce Schneier. Schneier is founder and CTO of Counterpane Internet Security Inc., the author of "Applied Cryptography," and an inventor of the Blowfish, Twofish, and Yarrow algorithms. He served on the board of the International Association for Cryptologic Research, EPIC, and VTW.
He is a frequent writer and lecturer on computer security and cryptography.

Counterpane Internet Security, Inc. is a venture-funded company bringing innovative managed security solutions to the enterprise.

# distributed via : no commercial use without permission
# is a moderated mailing list for net criticism,
# collaborative text filtering and cultural politics of the nets
# more info: majordomo@bbs.thing.net and "info nettime-l" in the msg body
# archive: http://www.nettime.org contact: nettime@bbs.thing.net

________________________________________________________________________________

no copyright 2000 rolux.org - no commercial use without permission.
is a moderated mailing list for the advancement of minor criticism.
post to the list: mailto:inbox@rolux.org.
more information: mailto:minordomo@rolux.org, no subject line, message body: info rolux.
further questions: mailto:rolux-owner@rolux.org.
home: http://rolux.org/lists - archive: http://rolux.org/archive