Wednesday 31 December 2003

Bruce Schneier on Semantic Attacks

Bruce Schneier asks if we are sophisticated enough to recognize an Internet scam and categorises the recent attacks into three waves. To quote in part:

The first wave of attacks against the Internet was physical: against the computers, wires and electronics. The Internet defended itself through distributed protocols, which reduced the dependency on any one computer, and through redundancy. These are largely problems with a known solution.

The second wave is syntactic: attacks against the operating logic of computers and networks. Modern worms propagate and can infect millions of computers worldwide within hours. Traditional computer security has focused on this second wave, which aims to exploit programming errors in software products. It would be a lie to say that security experts know how to protect computers absolutely against these kinds of attacks, but we're getting better. Better software quality, more pro-active patching capabilities and better network monitoring will give us some measure of security in the coming years.

But this new wave of semantic attacks targets the way people assign meaning to content.

Meanwhile, the Institute for Security Technology Studies has a project on Semantic Hacking. To quote:

A semantic attack is one in which the attacker modifies electronic information in such a way that the result is incorrect, but looks correct to the casual or perhaps even the attentive viewer. IRIA is developing a categorization of semantic attacks, as well as implementing a set of techniques for detecting semantic attacks.

Most of the work at the moment seems to consist of related documentation on Semantic Hacking, which should keep you occupied.