Interesting People mailing list archives

Cyberattacks With Offline Damage


From: Dave Farber <dave () farber net>
Date: Thu, 17 Apr 2003 10:12:38 -0400

-------------------------------------------------------/

Cyberattacks With Offline Damage

April 14, 2003
By JOHN SCHWARTZ 

WHAT'S virtual is virtual, and what's real is real. Right?


Maybe not. 

Most experts think of cyberattack as something that will
happen in the virtual world, with effects on, say, computer
networks or access to bank accounts. Cyberattacks involving
the use of online tools against the offline world would be
much harder. 

But a recent paper by a computer security researcher at
Johns Hopkins University suggests that there are plenty of
gateways that connect the cyberworld with the more familiar
terrain that some call "meatspace." And, since he is a
security researcher, he does it by showing the potential
for a cunning attack that crosses that gateway.

Aviel D. Rubin, the technical director of the Information
Security Institute at Johns Hopkins University, describes
in the paper with two co-authors a real-world attack that
uses computers to automate tasks and the power of the
Internet to disseminate information.

Using tools that have been published by search engines like
Google that allow programmers to automate searches on a
large scale, Mr. Rubin and his colleagues described a
relatively simple program that could set the victim up to
receive catalogs from hundreds of thousands of Web sites
that have sign-up forms.

In fact, something like what Mr. Rubin describes has
already happened. Last year, Alan Ralsky, a spam-sending
entrepreneur known as the "spam king," gave an interview to
The Detroit Free Press boasting about his 8,000-square-foot
house and all the money he made from sending unwanted
e-mail to hundreds of millions of people at a time. Shortly
after that article appeared on Slashdot.org, a major online
news source for technophiles, its readers signed Mr. Ralsky
up for thousands of catalogs, brochures and more. Soon he
was getting hundreds of pounds of mail every day.

That was a spontaneous effort by a large community. But Mr.
Rubin's paper suggests that anyone can get a computer to
stand in for the Slashdotters and bury someone in junk. And
Google shows hundreds of thousands of Web pages from which
anyone could request a catalog.

It sounds like a new version of the oldest prank in the
book - the cyberspace equivalent of the old
order-50-pizzas-for-your-enemies trick. But it's much
bigger than that. Mr. Rubin's attack could be enormously
disruptive to the target, and could paralyze the local post
office that has to deal with the onslaught. As the report
notes, the exploit could be used as a diversion to
accompany a deadly terrorist act, like mailing an envelope
containing anthrax spores.

Some experts have talked about hypothetical, sophisticated
cyberattacks on real-world facilities that are connected to
the Internet, like the power grid and dams. But the
situation described by Mr. Rubin suggests that a far more
low-technology approach could cross the barrier between
virtual and real realms.

Other automated attacks could easily follow, he said in an
interview, including automated orders for hundreds of
maintenance requests, package pick-ups and service calls.

Why risk unleashing such mischief by writing about it?
That's always the question security researchers face, and
Mr. Rubin said that he would never have released the paper
if he thought that the attack would not emerge otherwise,
or if there were no way to stop it. But the programming
tools are out there, he said, and sites are vulnerable.
It's only a matter of time before the "script kiddies" who
start cyberattacks from code that others develop and share
start trying to bury people in paper. "If we knew about it
and did nothing, and then the attack was launched, we would
be guilty of negligence," he wrote. "It is our judgment
that the time has come to reveal this threat."

In the report, he also describes ways that Web sites can
make the process of filling out forms hard for automated
programs to do, in some cases simply by asking the user to
answer an unexpected question or to solve a simple puzzle
before proceeding. One of the fathers of computer science,
Alan Turing, once suggested that artificial intelligence
could be tested by seeing if a program could be good enough
to fool a human being into thinking he was communicating
with another person.

A "reverse Turing Test" - already in wide use in computer
security to foil automated attacks - would stump a silicon
brain while letting people get the information they need
without much fuss, he said.
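The server-side checks the article alludes to, as an added example that is not code from the article or from Mr. Rubin's paper: a simple human-check question whose answer stays on the server and is bound to a signed, expiring, single-use token, plus a per-client rate limit on sign-up submissions. The question bank, the key handling, the five-minute lifetime and the limit values are all constructed for illustration.

```python
"""Defensive checks for a catalog sign-up form (added example, hypothetical site)."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from collections import defaultdict, deque
from typing import Optional, Tuple

# Hypothetical server secret; a real deployment would load it from a secret store.
SERVER_KEY = secrets.token_bytes(32)

# Constructed question bank; only the question text is ever sent to the client.
QUESTIONS = [
    ("What colour is the sky on a clear day?", "blue"),
    ("Type the word 'catalog' backwards.", "golatac"),
    ("How many legs does a dog have? (digits)", "4"),
]
CHALLENGE_TTL = 300            # seconds a challenge stays valid (constructed value)
_used_nonces = set()           # stops a solved challenge from being replayed; in
                               # production, expire entries along with the TTL


def _mac(payload: bytes) -> str:
    """HMAC-SHA256 over the token body so clients cannot forge or alter it."""
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()


def issue_challenge(now: Optional[float] = None, index: Optional[int] = None) -> Tuple[str, str]:
    """Return (question, token). The token is base64(JSON body) + '.' + MAC,
    so the server keeps no per-challenge state and the answer never leaves it."""
    now = time.time() if now is None else now
    index = secrets.randbelow(len(QUESTIONS)) if index is None else index
    body = json.dumps({"q": index, "n": secrets.token_hex(8), "exp": now + CHALLENGE_TTL}).encode()
    encoded = base64.urlsafe_b64encode(body).decode()
    return QUESTIONS[index][0], f"{encoded}.{_mac(body)}"


def verify_answer(token: str, answer: str, now: Optional[float] = None) -> bool:
    """Accept only if the token is authentic, unexpired, unused and the answer matches."""
    now = time.time() if now is None else now
    try:
        encoded, mac = token.split(".", 1)
        body = base64.urlsafe_b64decode(encoded)
    except (ValueError, TypeError):
        return False
    if not hmac.compare_digest(mac, _mac(body)):      # constant-time MAC check
        return False
    fields = json.loads(body)                         # safe: MAC already verified
    if now > fields["exp"] or fields["n"] in _used_nonces:
        return False
    expected = QUESTIONS[fields["q"]][1]
    if not hmac.compare_digest(answer.strip().lower(), expected):
        return False
    _used_nonces.add(fields["n"])
    return True


class SubmissionLimiter:
    """Sliding-window limit on sign-ups per client key (e.g. source address)."""

    def __init__(self, limit: int = 3, window: float = 3600.0):
        self.limit, self.window = limit, window
        self._hits = defaultdict(deque)

    def allow(self, client: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        hits = self._hits[client]
        while hits and now - hits[0] > self.window:   # drop hits outside the window
            hits.popleft()
        if len(hits) >= self.limit:
            return False
        hits.append(now)
        return True


def handle_signup(client: str, token: str, answer: str,
                  limiter: SubmissionLimiter, now: Optional[float] = None) -> str:
    """Gate for the form handler: rate limit first, then the human check."""
    if not limiter.allow(client, now):
        return "rate-limited"
    if not verify_answer(token, answer, now):
        return "challenge-failed"
    return "accepted"


if __name__ == "__main__":
    question, tok = issue_challenge()
    print(question)
    print(handle_signup("192.0.2.10", tok, input("answer: "), SubmissionLimiter()))
```

The token carries only the question index, a nonce and an expiry, so the answer cannot be recovered from the client side, and the nonce set makes each solved challenge usable once. The limiter is independent of the challenge: even a client that solves every question is held to a small number of sign-ups per window, which is the control that would blunt the one-catalog-from-each-of-thousands-of-sites variant discussed later in the article.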

The paper, which can be found at
www.avirubin.com/scripted.attacks.pdf, has impressed Bruce
Schneier, a security expert who has been looking at these
issues. He is writing about it for the latest edition of
his widely read newsletter, Crypto-Gram. "This interstitial
area where cyberspace meets the real world is a ripe area
of attack," he said in an interview. He sees this problem
as being the real-world equivalent of a distributed "denial
of service" attack, in which the attacker gets computers
around the world to inundate a target machine with data,
messages and other electronic detritus that make it
impossible for legitimate users to get through to it.

A spokeswoman for the Postal Service, Sue Brennan, said the
attack described by Mr. Rubin might not work in practice.
"The concepts in the document, while compelling, appear to
be systematically flawed with regard to the controls our
major mailers would have in place to prevent such an event
from occurring," she said.

"That's good," Mr. Rubin said, but he argued that an attack
that ordered only one catalog from thousands of sources
might have serious effects before it could be detected. "I
hope she's right," he said. But he did not sound
optimistic. 

http://www.nytimes.com/2003/04/14/technology/14NECO.html?ex=1051567844&ei=1&en=2f65424067277e91


Copyright 2003 The New York Times Company


------ End of Forwarded Message

-------------------------------------

Archives at: http://www.interesting-people.org/archives/interesting-people/