Featured Research

from universities, journals, and other organizations

Web-Based Attacks Could Create Chaos In The Physical World; Computer Security Researchers Suggest Ways To Thwart New Form Of Cybercrime

Date:
May 1, 2003
Source:
Johns Hopkins University
Summary:
Most experts on computer crime focus on attacks against Web servers, bank account tampering and other mischief confined to the digital world. But by using little more than a Web search engine and some simple software, a computer-savvy criminal or terrorist could easily leap beyond the boundaries of cyberspace to wreak havoc in the physical world, a team of Internet security researchers has concluded.

Most experts on computer crime focus on attacks against Web servers, bank account tampering and other mischief confined to the digital world. But by using little more than a Web search engine and some simple software, a computer-savvy criminal or terrorist could easily leap beyond the boundaries of cyberspace to wreak havoc in the physical world, a team of Internet security researchers has concluded.

At a recent Association for Computing Machinery conference on privacy in an electronic society, the researchers -- including a Johns Hopkins faculty member -- described how automated order forms on the Web could be exploited to send tens of thousands of unwanted catalogs to a business or an individual. Such an onslaught would not only pose problems for the victim, but it could also paralyze the local post office charged with making such deliveries, the researchers suggested. After explaining how such attacks could take place, the researchers proposed several technological "fixes" that could help prevent them.

The rapid growth of the World Wide Web has enabled many merchants, government agencies and non-profit organizations to make sales catalogs and information packets available to anyone who can fill out a simple on-line form. But these forms, the researchers say, have also opened a gateway that could allow disruptive activity to spill out of cyberspace. "People have not considered how easily someone could leverage the scale and automation of the Internet to inflict damage on real-world processes," said Avi Rubin, technical director of the Information Security Institute at The Johns Hopkins University and one of the authors of the paper.

Rubin and two other researchers first determined that a popular search engine such as Google could be used to locate online order forms. They also discovered that simple software could be launched to automatically recognize and fill in fields such as "name," "address" and "city," and then submit the catalog request online. "It could be set up to send 30,000 different catalogs to one person or 30,000 copies of one catalog to 30,000 different recipients," said Rubin. "This could create a great expense for the sender, a huge burden for local postal facilities and chaos in the mail room of a business targeted to receive this flood of materials."

The technique could also be used to exploit the increasingly common Web-based forms used to request repair service, deliveries or parcel pickups, said Rubin, who also is an associate professor in the Department of Computer Science at Johns Hopkins. Tracking down the attacker could be difficult, he added. The offender could easily escape detection by loading the program onto a floppy disk or a small USB hard disk and paying cash for a few minutes of time at an Internet cafe. By the time the damage was discovered, the culprit would have vanished, Rubin said.

Because of the confusion and costs such attacks could inflict, Rubin and his fellow researchers wondered whether they should make public the technological weakness they'd uncovered; by doing so, they might provide a "blueprint" for people to launch such attacks. With this in mind, they did not publish their paper for some time after the initial research was done. However, after a popular search engine introduced its new Application Programming Interfaces, the researchers concluded that the attacks they envisioned were now much more likely to occur. In their paper they stated that "there is also a risk in not disclosing vulnerabilities for which there are known solutions. By not educating people who are in a position to defend against an attack, it can be more damaging to bury knowledge of a vulnerability than to announce it."

The researchers suggested several methods to deter the attacks they described. One is to set up online forms so that they cannot easily be picked up by a search engine. Another is to alter the HTML coding used to create an online form so that it no longer contains easily recognizable field names such as "name" and "address." (Such coding changes would not be visible to the person filling out the form.)

Yet another option is to include in each form a step that must be completed by a human computer user. This process, called a Reverse Turing Test, could display writing that could not easily be recognized by a computer, or it could require some other visual task that would trip up an automated ordering program. Other deterrents suggested by the researchers include client puzzles and monitored systems called "Honeypots," which are set up to attract cyber-attackers for early detections.

Hoping to prevent the type of cyber-attacks they've envisioned, the researchers have conferred with a top technology administrator from the U.S. Postal Service and have made their concerns and recommendations public on the Web. "To prevent these damaging activities," Rubin said, "we need to look at the interface between cyberspace and the real world and to make sure there is a real person submitting a legitimate request, not a computer program launching a disruptive attack."

The research paper can be viewed at: http://www.avirubin.com/scripted.attacks.pdf

###

Related Links:

Avi Rubin's Web Page: http://www.avirubin.com

Information Security Institute at Johns Hopkins: http://www.jhuisi.jhu.edu

Johns Hopkins Department of Computer Science: http://www.cs.jhu.edu


Story Source:

The above story is based on materials provided by Johns Hopkins University. Note: Materials may be edited for content and length.


Cite This Page:

Johns Hopkins University. "Web-Based Attacks Could Create Chaos In The Physical World; Computer Security Researchers Suggest Ways To Thwart New Form Of Cybercrime." ScienceDaily. ScienceDaily, 1 May 2003. <www.sciencedaily.com/releases/2003/05/030501081411.htm>.
Johns Hopkins University. (2003, May 1). Web-Based Attacks Could Create Chaos In The Physical World; Computer Security Researchers Suggest Ways To Thwart New Form Of Cybercrime. ScienceDaily. Retrieved September 19, 2014 from www.sciencedaily.com/releases/2003/05/030501081411.htm
Johns Hopkins University. "Web-Based Attacks Could Create Chaos In The Physical World; Computer Security Researchers Suggest Ways To Thwart New Form Of Cybercrime." ScienceDaily. www.sciencedaily.com/releases/2003/05/030501081411.htm (accessed September 19, 2014).

Share This



More Computers & Math News

Friday, September 19, 2014

Featured Research

from universities, journals, and other organizations


Featured Videos

from AP, Reuters, AFP, and other news services

Virtual Reality Headsets Unveiled at Tokyo Game Show

Virtual Reality Headsets Unveiled at Tokyo Game Show

AFP (Sep. 18, 2014) Several companies unveiled virtual reality headsets at the Tokyo Game Show, Asia's largest digital entertainment exhibition. Duration: 00:48 Video provided by AFP
Powered by NewsLook.com
What HealthKit Bug Means For Your iOS Fitness Apps

What HealthKit Bug Means For Your iOS Fitness Apps

Newsy (Sep. 18, 2014) Apple has delayed the launch of the HealthKit app platform, citing a bug. Video provided by Newsy
Powered by NewsLook.com
Apple's iOS8 Includes New 'Killswitch' To Curb Theft

Apple's iOS8 Includes New 'Killswitch' To Curb Theft

Newsy (Sep. 18, 2014) Apple's new operating system, iOS 8, comes with Apple's killswitch feature already activated, unlike all the models before it. Video provided by Newsy
Powered by NewsLook.com
Let's Review Apple's Latest iPhone Reviews

Let's Review Apple's Latest iPhone Reviews

Newsy (Sep. 17, 2014) The tech press has shared its thoughts on the latest iterations of Apple's iPhone. We summarize the reactions to help you decide: iPhone 6 or 6 Plus? Video provided by Newsy
Powered by NewsLook.com

Search ScienceDaily

Number of stories in archives: 140,361

Find with keyword(s):
Enter a keyword or phrase to search ScienceDaily for related topics and research stories.

Save/Print:
Share:

Breaking News:
from the past week

In Other News

... from NewsDaily.com

Science News

Health News

Environment News

Technology News



Save/Print:
Share:

Free Subscriptions


Get the latest science news with ScienceDaily's free email newsletters, updated daily and weekly. Or view hourly updated newsfeeds in your RSS reader:

Get Social & Mobile


Keep up to date with the latest news from ScienceDaily via social networks and mobile apps:

Have Feedback?


Tell us what you think of ScienceDaily -- we welcome both positive and negative comments. Have any problems using the site? Questions?
Mobile: iPhone Android Web
Follow: Facebook Twitter Google+
Subscribe: RSS Feeds Email Newsletters
Latest Headlines Health & Medicine Mind & Brain Space & Time Matter & Energy Computers & Math Plants & Animals Earth & Climate Fossils & Ruins