Saturday, October 04, 2008

Attacks Upon Integrity

Earlier this year I wrote First They Came for Bandwidth, where I described the motivation behind different sorts of attacks in an historical context:

First they came for bandwidth... These are attacks on availability, executed via denial of service attacks starting in the mid 1990's and monetized later via extortion. Next they came for secrets... These are attacks on confidentiality, executed via disclosure of sensitive data starting in the late 1990's and monetized as personally identifiable information and accounts for sale in the underground. Now they are coming to make a difference... These are attacks on integrity, executed by degrading information starting at the beginning of this decade.

When I wrote those words, the sorts of attacks on integrity I imagined involved changes to legitimate data. As is often the case with predictions, the reality has taken a similar but not exact direction. Attacks upon integrity are currently appearing as the introduction of outright falsehoods, either by mistake, mischief, or malice. Examples include repostings about UAL bankruptcy; fake posts about Steve Jobs having a heart attack; a fake IAC press release; and so on.

The good news about these incidents is that they become easy to spot. As is often the case with the adversary, low-end means to achieve a goal are used first, followed by increasing sophistication as the targets become more vigilant and experienced. Think about the evolution of phishing as a popular example, but others abound. Currently fake news is being injected into the Internet as a complete package. I would expect the next round to involve subtle modifications to legitimate content. Once some sort of trust technology is applied (digital signatures and the like), then the adversary will have to find ways to subvert those mechanisms.

The winners will be those who best protect their brand by ensuring the integrity of information from them and about them.


jbmoore said...

Protection at what cost? The UAL incident was an accident that got out of control even though the mistake was caught within 15 minutes. But besides that, how far does a private firm protect itself? We don't know yet of any Bear Stearns, AIG, (insert failed broker-dealer here) employees who tried to warn management or tip off the SEC and got reprimanded, terminated, or worse for it. I know you are talking about malicious external threats to integrity, but as we've seen lately, some of these "too big to fail" institutions had no integrity or they'd still be in business. The harm their management caused affects everyone - you and me and children yet to be born.

In comparison, the false rumor mill agents are little fish and their effects are blips compared to this tsunami. Perhaps a fix to the integrity attacks is to make media outlets verify the story before making it public. People will have to learn to be skeptical of what they read and hear, and discern what is true or false. But that's the way it's always been, hasn't it? Unless our educational system doesn't teach critical thinking any more.

If you are thinking in terms of risk management, well, those programs are going to have to be rewritten anyway to take internal and external threats into account.

Anton Chuvakin said...

Have you thought about revisiting this? Have we started seeing such subtle integrity attacks?