[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[infowar.de] NYT, 17.4.03: Cyberattacks With Offline Damagea

To: ", infowar-Liste" <infowar - de -! - infopeace - de>
Subject: [infowar.de] NYT, 17.4.03: Cyberattacks With Offline Damagea
From: a - schmdt -! - t-online - de (Andreas Schmidt)
Date: Fri, 18 Apr 2003 17:35:57 +0200
Reply-to: infowar - de -! - infopeace - de
Sender: bendrath -! - zedat - fu-berlin - de

Infowar.de, http://userpage.fu-berlin.de/~bendrath/liste.html
-------------------------------------------------------------
Die URLs für die vorangegangenen Artikel: 

- "In the Skies Over Iraq, Silent Observers Become Futuristic Weapons": 
http://www.nytimes.com/2003/04/18/international/18PRED.html
- "On the Ground in Iraq, the Best Compass Is in the Sky": 
http://www.nytimes.com/2003/04/17/technology/circuits/17navi.html

-----------

http://www.nytimes.com/2003/04/17/technology/circuits/17next.html
Cyberattacks With Offline Damage
By JOHN SCHWARTZ


HAT'S virtual is virtual, and what's real is real. Right?

Maybe not.

Most experts think of cyberattack as something that will happen in the 
virtual world, with effects on, say, computer networks or access to bank 
accounts. Cyberattacks involving the use of online tools against the 
offline world would be much harder.


But a recent paper by a computer security researcher at Johns Hopkins 
University suggests that there are plenty of gateways that connect the 
cyberworld with the more familiar terrain that some call "meatspace." And, 
since he is a security researcher, he does it by showing the potential for 
a cunning attack that crosses that gateway.

Aviel D. Rubin, the technical director of the Information Security 
Institute at Johns Hopkins University, describes in the paper with two 
co-authors a real-world attack that uses computers to automate tasks and 
the power of the Internet to disseminate information. 

Using tools that have been published by search engines like Google that 
allow programmers to automate searches on a large scale, Mr. Rubin and his 
colleagues described a relatively simple program that could set the victim 
up to receive catalogs from hundreds of thousands of Web sites that have 
sign-up forms. 

In fact, something like what Mr. Rubin describes has already happened. 
Last year, Alan Ralsky, a spam-sending entrepreneur known as the "spam 
king," gave an interview to The Detroit Free Press boasting about his 
8,000-square-foot house and all the money he made from sending unwanted 
e-mail to hundreds of millions of people at a time. Shortly after that 
article appeared on Slashdot.org, a major online news source for 
technophiles, its readers signed Mr. Ralsky up for thousands of catalogs, 
brochures and more. Soon he was getting hundreds of pounds of mail every 
day.

That was a spontaneous effort by a large community. But Mr. Rubin's paper 
suggests that anyone can get a computer to stand in for the Slashdotters 
and bury someone in junk. And Google shows hundreds of thousands of Web 
pages from which anyone could request a catalog. 

It sounds like a new version of the oldest prank in the book ? the 
cyberspace equivalent of the old order-50-pizzas-for-your-enemies trick. 
But it's much bigger than that. Mr. Rubin's attack could be enormously 
disruptive to the target, and could paralyze the local post office that 
has to deal with the onslaught. As the report notes, the exploit could be 
used as a diversion to accompany a deadly terrorist act, like mailing an 
envelope containing anthrax spores.

Some experts have talked about hypothetical, sophisticated cyberattacks on 
real-world facilities that are connected to the Internet, like the power 
grid and dams. But the situation described by Mr. Rubin suggests that a 
far more low-technology approach could cross the barrier between virtual 
and real realms.

Other automated attacks could easily follow, he said in an interview, 
including automated orders for hundreds of maintenance requests, package 
pick-ups and service calls.

Why risk unleashing such mischief by writing about it? That's always the 
question security researchers face, and Mr. Rubin said that he would never 
have released the paper if he thought that the attack would not emerge 
otherwise, or if there were no way to stop it. But the programming tools 
are out there, he said, and sites are vulnerable. It's only a matter of 
time before the "script kiddies" who start cyberattacks from code that 
others develop and share start trying to bury people in paper. "If we knew 
about it and did nothing, and then the attack was launched, we would be 
guilty of negligence," he wrote. "It is our judgment that the time has 
come to reveal this threat."

In the report, he also describes ways that Web sites can make the process 
of filling out forms hard for automated programs to do, in some cases 
simply by asking the user to answer an unexpected question or to solve a 
simple puzzle before proceeding. One of the fathers of computer science, 
Alan Turing, once suggested that artificial intelligence could be tested 
by seeing if a program could be good enough to fool a human being into 
thinking he was communicating with another person. 

A "reverse Turing Test" ? already in wide use in computer security to foil 
automated attacks ? would stump a silicon brain while letting people get 
the information they need without much fuss, he said.

The paper, which can be found at www.avirubin.com/scripted.attacks.pdf, 
has impressed Bruce Schneier, a security expert who has been looking at 
these issues. He is writing about it for the latest edition of his widely 
read newsletter, Crypto-Gram. "This interstitial area where cyberspace 
meets the real world is a ripe area of attack," he said in an interview. 
He sees this problem as being the real-world equivalent of a distributed 
"denial of service" attack, in which the attacker gets computers around 
the world to inundate a target machine with data, messages and other 
electronic detritus that make it impossible for legitimate users to get 
through to it.

A spokeswoman for the Postal Service, Sue Brennan, said the attack 
described by Mr. Rubin might not work in practice. "The concepts in the 
document, while compelling, appear to be systematically flawed with regard 
to the controls our major mailers would have in place to prevent such an 
event from occurring," she said.

"That's good," Mr. Rubin said, but he argued that an attack that ordered 
only one catalog from thousands of sources might have serious effects 
before it could be detected. "I hope she's right," he said. But he did not 
sound optimistic. 
---------------------------------------------------------------
Liste verlassen: 
Mail an infowar -
 de-request -!
- infopeace -
 de mit "unsubscribe" im Text.

Prev by Date: [infowar.de] NYT, 17.4.03: On the Ground in Iraq, the Best Compass Is in the Sky
Next by Date: [infowar.de] wired: Planning for the Next Cyberwar
Previous by thread: [infowar.de] NYT, 17.4.03: On the Ground in Iraq, the Best Compass Is in the Sky
Next by thread: [infowar.de] wired: Planning for the Next Cyberwar
Index(es):
- Date
- Thread