http://www.aviary-mag.com/Martin/SOI_Attacks/soi_attacks.html
Subversion of Information Attacks
The Real Threat
What is the absolute worst consequence of hackers on the Internet?
Defacing high profile sites? Deleting a dozen machines, effectively
shutting down an entire business? Flooding subnets and denying access to
an ISP of five thousand people? None of the above.
One of the above threats touches on a much more sinister threat some
hackers may pose to the Internet today. Unfortunately no one has the
ability to say "at least it hasn't happened yet" because the nature of
this threat prevents us from knowing. When it is discovered, media outlets
will reel in shock, stumbling over themselves trying to comprehend and
report the full implications of such a beast. That threat is what some
people call a 'Subversion of Information' (SoI) attack. It is a style of
web defacing that leaves no obnoxious 'elite speak', doesn't consist of
poorly written rants about unrelated topics, nor does it warn anyone that
an intrusion has taken place.
I for one have no doubt it has occurred in a limited fashion at some point
in recent history, yet no one can cite a specific example of it. The
concept of the attack is simple. An intruder on a web server has the
ability to edit any file on the system. Most defacements we see are bold
and brazen, leaving no doubt the page was altered. A handful of these
defacements actually use the base design of the original web page for
their alteration. If these intruders were to take it one step further,
they could make subtle alterations to the page that may not be noticed
until serious and qualifiable damage has occurred.
Serious Repercussions
Without a solid case history to build on, it is difficult to assess the
full damage that can be done with a well-executed Subversion of
Information attack. At this point, we can only go by speculation and
well-founded examples based on the information available to be altered, and
how people react to it.
The first and most often discussed SoI attack centers around large media
outlets. Looking at sites like ABC News, Wired and the New York Times (all
defaced in the past), an obvious attack becomes apparent. What if
intruders were to make subtle changes to various stories without being
noticed? Editors at Wired could find out when lawsuits are leveled at them
for libel. Staff at ABC could be forced to print numerous retractions
calling their integrity into question. The New York Times might find
themselves supporting ultra radical militia groups that they denounced a
day before.
Security professionals typically bring up the obvious threat of financial
manipulation. What if a single stock price was altered on a site catering
to investors? The price could be dropped just a few dollars, long enough to
make a sound investment from a company, and shortly after popped up a few
dollars higher than the real market value. While these events are
unlikely to occur because of various failsafes, they could lead to massive
chaos for investors trying to handle the requests for buying and selling.
Another subtle but highly profitable attack could come in the form of
sites with banner ads or reseller programs. OSALL is a reseller of
Amazon books. By linking to them to share resources, Amazon is able to
track these links and kick back a very small profit to OSALL in return
for book sales made through them. Rather than getting a check for one
hundred dollars every year, what if the Amazon site was altered so that
every fourth link automatically credited OSALL regardless of where the
link came from? The next year would be highly profitable to say the least.
In the future
If any serious SoI attacks have occurred to date, there has been little to
no media attention surrounding them. That, or no one has noticed such an
attack yet. That raises the question of how you would recognize this type of
attack if it were to occur. The trick is having a source to verify
information on one site from another. Since this attack could affect any
site on the net, that leaves us comparing magazines and papers to web
sites. Kind of defeats the purpose and convenience of a web site.
Adequate internal security and auditing would be a good start. Knowing
that a company undergoes intense certification and auditing at periodic
intervals is definitely reassuring. But even then, what if an intruder
slips by the defenses in between audits? Mechanisms like strong Intrusion
Detection Systems (IDS) need to be in place. Not only would they detect an
intruder and hopefully boot him off, they would monitor the integrity of the
pages or information they protect, ready to rewrite a page with the
original information if necessary.
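The page-integrity monitoring described above, sketched as an added example
(not code from the original article): hash every page in a trusted copy of the
site, compare the live web root against that baseline, and rewrite anything
that differs. The function names, directory layout and sample pages are
assumptions constructed for illustration.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def build_baseline(root: Path) -> dict:
    """Map each file under root (relative path) to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}


def audit(live_root: Path, baseline: dict) -> dict:
    """Compare the live web root with the baseline, grouping paths by finding."""
    live = build_baseline(live_root)
    return {
        "modified": sorted(f for f in baseline if f in live and live[f] != baseline[f]),
        "missing": sorted(f for f in baseline if f not in live),
        "unexpected": sorted(f for f in live if f not in baseline),
    }


def restore(live_root: Path, trusted_root: Path, findings: dict) -> list:
    """Rewrite modified or missing pages from the trusted copy."""
    damaged = findings["modified"] + findings["missing"]
    for rel in damaged:
        target = live_root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(trusted_root / rel, target)
    return damaged


def demo() -> tuple:
    """Constructed sample: a subtle price edit that leaves the file size unchanged."""
    with tempfile.TemporaryDirectory() as tmp:
        trusted, live = Path(tmp, "trusted"), Path(tmp, "live")
        trusted.mkdir()
        (trusted / "index.html").write_text("<h1>Welcome</h1>\n")
        (trusted / "product.html").write_text("<p>Price: $8.00</p>\n")
        shutil.copytree(trusted, live)
        baseline = build_baseline(trusted)  # keep this off the web server
        (live / "product.html").write_text("<p>Price: $0.08</p>\n")  # the alteration
        findings = audit(live, baseline)
        restored = restore(live, trusted, findings)
        return findings, restored, audit(live, baseline)


if __name__ == "__main__":
    print(demo())
```

The baseline and the trusted copy only help if they live somewhere the intruder
cannot edit; stored on the same web server, they can be altered along with the
pages.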
We have hopefully been lucky so far. Mostly inexperienced kids running
canned scripts against web sites, uploading their own pages for bragging
rights. The serious intruders may enter and exit your system a dozen times
a day completely undetected. How do you know they didn't change your
product's price to eight cents, forcing you to honor advertised prices?
Perhaps they changed some other bit of information that hasn't been
detected. This is just the beginning.
Brian Martin
Copyright 1999 Brian Martin