On August 25, 2000, Internet Wire received a forged email press release seemingly from Emulex Corp., saying that the Emulex CEO had resigned and the company’s earnings would be restated. Internet Wire posted the message, without verifying either its origin or contents. Several financial news services and Web sites further distributed the false information, and the stock dropped 61% (from $113 to $43) before the hoax was exposed.
This was a devastating network attack. Despite its amateurish execution (the perpetrator, trying to make money on the stock movements, was caught in less than 24 hours), $2.54 billion in market capitalization disappeared, only to reappear hours later. With better planning, a similar attack could do more damage and be more difficult to detect. It’s an illustration of what I see as the third wave of network attacks—which will be much more serious and more difficult to defend against than the first two waves.
The first wave is physical—attacks against computers, wires, and electronics. As defenses, distributed protocols reduce the dependency on any one computer, and redundancy removes single points of failure. Although physical outages have caused problems (power, data, and the like), these are problems we basically know how to solve.
The second wave of attacks is syntactic, attacking vulnerabilities in software products, problems with cryptographic algorithms and protocols, and denial-of-service vulnerabilities—dominating recent security alerts. We have a bad track record in protecting against syntactic attacks, as noted in previous columns here. At least we know what the problem is in these type of attacks.
The third wave of network attacks is semantic, targetting the way we assign meaning to content. In our society, people tend to believe what they read. How often have you needed the answer to a question and searched for it on the Web? How often have you taken the time to corroborate the veracity of that information, by examining the credentials of the site, finding alternate opinions, and so on? Even if you did, how often do you think writers make things up, blindly accept "facts" from other writers, or make mistakes in translation? On the political scene, we’ve seen many examples of false information being reported, getting amplified by other reporters, and eventually being believed as true. Someone with malicious intent can do the same thing.
People already take advantage of others’ naiveté. Many old scams have been adapted to email and the Web. Unscrupulous stockbrokers use the Internet to fuel "pump-and dump" strategies. On September 6, 2000, the Securities and Exchange Commission charged 33 companies and individuals with Internet fraud, many based on semantic attacks such as posting false information on message boards. However, changing old information can also have serious consequences. I don’t know of any instance of someone breaking into a newspaper’s article database and rewriting history, but I don’t know of any newspaper that checks, either.
Against computers, semantic attacks become even more serious. Computer processes are rigid in the type of inputs they accept—and generally much less than a human making the same decision would see. Falsifying computer input can be much more far-reaching, simply because the computer cannot demand all the corroborating input that people have instinctively come to rely on. Indeed, computers are often incapable of deciding what the "corroborating input" would be, or how to go about using it in any meaningful way. Despite what you see in movies, real-world software is incredibly primitive when it comes to what we call "simple common sense." For example, consider how incredibly stupid most Web filtering software is at deriving meaning from human-targeted content.
Can air-traffic control systems, process-control computers, and "smart" cars on "smart" highways be fooled by bogus inputs? You once had to buy piles of books to fake your way onto the New York Times best-seller list; it’s a lot easier to just change a few numbers in booksellers’ databases. What about a successful semantic attack against the Nasdaq or Dow Jones databases? The people who lost the most in the Emulex hoax were the ones with preprogrammed sell orders.
None of these attacks is new; people have long been the victims of bad statistics, urban legends, hoaxes, gullibility, and stupidity. Computer networks make it easier to start attacks and speed their dissemination, or for anonymous individuals to reach vast numbers of people at almost no cost.
In the future, I predict that semantic attacks will be more serious than physical and syntactic attacks. It’s not enough to dismiss them with the cryptographic magic wands of digital signatures, authentication, and integrity. Semantic attacks directly target the human/computer interface, the most insecure interface on the Internet. Amateurs tend to attack machines, whereas professionals target people. Any solutions will have to target the people problem, not the math problem.