Are you sophisticated enough to recognize an Internet scam?

Bruce Schneier
The Mercury News, December 19, 2003

Recently I have been receiving e-mails from PayPal. At least, they look like they're from PayPal. They send me to a Web site that looks like it's from PayPal. And it asks for my password, just like PayPal. The problem is that it's not from PayPal, and if I do what the Web site says, some criminal is going to siphon money out of my bank account.

Welcome to the third wave of network attacks, what I have named "semantic attacks." They are much more serious and harder to defend against because they attack the user and not the computers. And they're the future of fraud on the Internet.

The first wave of attacks against the Internet was physical: against the computers, wires and electronics. The Internet defended itself through distributed protocols, which reduced the dependency on any one computer, and through redundancy. These are largely problems with a known solution.

The second wave is syntactic: attacks against the operating logic of computers and networks. Modern worms propagate and can infect millions of computers worldwide within hours. Traditional computer security has focused on this second wave, which aims to exploit programming errors in software products. It would be a lie to say that security experts know how to protect computers absolutely against these kinds of attacks, but we're getting better. Better software quality, more pro-active patching capabilities and better network monitoring will give us some measure of security in the coming years.

But this new wave of semantic attacks targets the way people assign meaning to content.

Many worms arrive as e-mail attachments. A user receives an e-mail message from someone he knew. It has an enticing subject line and a plausible message body. Of course a recipient is going to click on the attachment. And that's exactly what causes the infection.

People tend to believe what they read. How often have you needed the answer to a question and searched for it on the Web? How often have you taken the time to corroborate the accuracy of that information, by examining the credentials of the site, finding alternate opinions or other means?

People have long been taking advantage of others' naivete. Many old scams have been adapted to e-mail and the Web. Unscrupulous stockbrokers use the Internet to fuel their "pump and dump" strategies. In 1999, a fake press release circulated on the Web caused the stock of the Emulex Corp. to temporarily drop 61 percent. More recently, we've seen newspaper archives on the Web changed and fake Web sites purporting to be something they're not.

Against computers, semantic attacks become even more serious, simply because the computer cannot demand all the corroborating data that people instinctively rely on. Despite what you see in movies, real-world software is incredibly primitive when it comes to what is known as simple common sense. Ever increasing numbers of sensors and data collection devices are on the Internet. What happens when hackers realize that these devices can be fed bad data?

People have long been the victims of bad statistics, urban legends and hoaxes. Any communications medium can be used to exploit credulity and stupidity, and people have been doing that for eons. The difference is the scale. A single forged e-mail, a single fake press release, can affect millions.

Current computer security technologies are largely irrelevant against semantic attacks. These attacks aim directly at the human-computer interface, the most insecure portion on the Internet. Defending against them will take more than technology -- it will take education, experience and skepticism. Too many Internet users don't have enough of those three qualities.

earlier essay: Blaster and the Great Blackout
later essay: Better Get Used to Routine Loss of Personal Privacy
categories: Computer and Information Security, Social Engineering
back to Essays and Op Eds

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..