[This was originally published on Aviary Magazine and mirrored on attrition.org.]
The Real Threat
What is the absolute worst consequence of hackers on the Internet? Defacing high-profile sites? Deleting a dozen machines, effectively shutting down an entire business? Flooding subnets and denying access to an ISP serving five thousand people? None of the above.
One of the above threats touches on a much more sinister one that some hackers may pose to the Internet today. Unfortunately no one can say “at least it hasn’t happened yet”, because the nature of this threat prevents us from knowing. When it is discovered, media outlets will reel in shock, stumbling over themselves trying to comprehend and report the full implications of such a beast. That threat is what some people call a ‘Subversion of Information’ (SoI) attack. It is a style of web defacing that leaves no obnoxious ‘elite speak’, doesn’t consist of poorly written rants about unrelated topics, and doesn’t warn anyone that an intrusion has taken place.
I for one have no doubt it has occurred in a limited fashion at some point in recent history, yet no one can cite a specific example of it. The concept of the attack is simple. An intruder who has compromised a web server can edit any file on the system. Most defacements we see are bold and brazen, leaving no doubt the page was altered. A handful of these defacements actually reuse the base design of the original web page for their alteration. If these intruders were to take it one step further, they could make subtle alterations to the page that may not be noticed until serious and quantifiable damage has occurred.
Without a solid case history to build on, it is difficult to assess the full damage that can be done with a well-executed Subversion of Information attack. At this point, we can only go by speculation and well-founded examples based on the information available to be altered, and how people react to it.
The first and most often discussed SoI attack centers around large media outlets. Look at sites like ABC News, Wired and the New York Times (all defaced in the past) and an obvious attack becomes apparent. What if intruders were to make subtle changes to various stories without being noticed? Editors at Wired could find out when lawsuits for libel are leveled at them. Staff at ABC could be forced to print numerous retractions, calling their integrity into question. The New York Times might find itself supporting ultra-radical militia groups that it had denounced a day before.
Security professionals typically bring up the obvious threat of financial manipulation. What if a single stock price was altered on a site catering to investors? The price could be dropped just a few dollars, long enough to make buying that company’s stock look like a sound investment, and shortly afterwards pushed a few dollars above the real market value. While these events are unlikely to occur because of various failsafes, they could still lead to massive chaos for investors trying to place buy and sell orders.
Another subtle but highly profitable attack could come in the form of sites with banner ads or reseller programs. OSALL is a reseller of Amazon books. By linking to Amazon from its own pages, OSALL lets Amazon track those links and kick back a very small commission for book sales made through them. Rather than getting a check for one hundred dollars every year, what if the Amazon site were altered so that every fourth link automatically credited OSALL regardless of where the link actually came from? The next year would be highly profitable, to say the least.
In the future
If any serious SoI attacks have occurred to date, there has been little to no media attention surrounding them. That, or no one has noticed such an attack yet. That raises the question of how you would recognize this type of attack if it were to occur. The trick is having a source to verify information on one site against another. Since this attack could affect any site on the net, that leaves us comparing magazines and newspapers to web sites, which rather defeats the purpose and convenience of a web site.
Adequate internal security and auditing would be a good start. Knowing that a company goes through intense certification and auditing at periodic intervals is definitely reassuring. But even then, what if an intruder slips past the defenses in between audits? Mechanisms like strong Intrusion Detection Systems (IDS) need to be in place. Not only would they detect an intruder and hopefully boot him off, they would also monitor the integrity of the pages or information they protect, ready to rewrite a page with the original content if necessary.
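As an added illustration of the page-integrity monitoring described above (not code from the original essay), the script below hashes a web root against a stored baseline, flags a silent one-digit price change that leaves the page layout intact, and restores the file from a known-good copy. The directory layout, file name and price values are constructed for the demo.

```python
import hashlib
import os
import shutil
import tempfile

def sha256_file(path):
    """Digest the file bytes; the baseline records one hash per file."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def build_baseline(webroot):
    """Map each file's path (relative to webroot) to its SHA-256 digest."""
    baseline = {}
    for dirpath, _, files in os.walk(webroot):
        for name in files:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, webroot)] = sha256_file(full)
    return baseline

def check_integrity(webroot, baseline):
    """Return (modified, added, removed) relative paths versus the baseline."""
    current = build_baseline(webroot)
    modified = sorted(p for p in baseline if p in current and current[p] != baseline[p])
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    return modified, added, removed

def restore(webroot, golden, paths):
    """Overwrite each altered file with the copy from the known-good tree."""
    for rel in paths:
        shutil.copyfile(os.path.join(golden, rel), os.path.join(webroot, rel))

def demo():
    """Constructed scenario: a price is quietly changed from $80.00 to $0.08."""
    tmp = tempfile.mkdtemp()
    golden, live = os.path.join(tmp, "golden"), os.path.join(tmp, "live")
    os.makedirs(golden)
    with open(os.path.join(golden, "catalog.html"), "w") as f:
        f.write("<p>Widget: <b>$80.00</b></p>\n")
    shutil.copytree(golden, live)          # the served copy starts identical
    baseline = build_baseline(golden)      # baseline taken from the golden tree
    # An intruder edits only the digits; nothing else on the page changes.
    with open(os.path.join(live, "catalog.html"), "w") as f:
        f.write("<p>Widget: <b>$0.08</b></p>\n")
    modified, _, _ = check_integrity(live, baseline)
    restore(live, golden, modified)
    after, _, _ = check_integrity(live, baseline)
    shutil.rmtree(tmp)
    return modified, after   # ["catalog.html"] flagged, then nothing after restore
```

The baseline and golden copy must live somewhere the web server's account cannot write (a read-only mount or a separate host); an intruder who can edit the pages and also rewrite the baseline defeats the check entirely.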
We have hopefully been lucky so far: mostly inexperienced kids running canned scripts against web sites and uploading their own pages for bragging rights. The serious intruders may enter and exit your system a dozen times a day completely undetected. How do you know they didn’t change your product’s price to eight cents, forcing you to honor the advertised price? Perhaps they changed some other bit of information that hasn’t been detected yet. This is just the beginning.