Internet Based Attacks in a Physical World

scubacuda writes "In light of the /. backlash against Spam King, Alan Ralsky, (in which /.ers published his info online--including an overhead shot of his house--and signed him up for junk) Simon Beyers, Aviel Rubin, and David Kormann have written a report entitled Defending Against an Internetbased Attack on the Physical World. Bruce Schneier notes that there's no easy defence against such an attack, largely because companies want to make it easy for consumers to get their promotional information:'Subscribing someone to magazines and signing them up for embarrassing catalogs is an old trick, but it has limitations because it's physically difficult to do it on a large scale. But this attack exploits the automation properties of the Internet, the Web availability of catalog request forms, and the paper world of the post office and catalog mailings. All the pieces (that) are required for the attack to work.' But as Rubin and his colleagues point out, there's a real danger in this ploy, one that few people have likely thought about. 'A scenario could be imagined where an attacker would do this to delay the arrival of an important letter, to wreak havoc on the postal system for political reasons, or even worse, to serve as a diversion for a terrorist act, such as the mailing of a contaminated letter.'"

Re:stop terrorism paranoia

[Luguber123]

This is NOT terrorism, it IS a crime!

I guess that depends more or less on what country it ends up in and who you send it to and most of all who sent it :)

usps doesn't help things, but that's the way it go

[supernova87a]

take for example the post office -- you'd think that one of their aims would be to promote less junk mail for all of us. But that's not how it works in a society where the bottom line is how much money you can rake in. And god forbid the government take an "anti-business" stance.

So what is their pricing scheme? It costs 37c to mail a single letter, but if you're a physical spammer, you can get huge bulk discounts, effectively making it more attractive to spam. I say, why not make junk mail *more* expensive?

Will email, if charged per-piece, be any different?

Utter Nonsense

[ePhil_One]

A scenario could be imagined where an attacker would do this to delay the arrival of an important letter, to wreak havoc on the postal system for political reasons, or even worse, to serve as a diversion for a terrorist act, such as the mailing of a contaminated letter.

What a load of self serving crap. Which of course is completely shocking coming from such a community oriented guy such as a Spammer.

When I read this, I expected it to be about something a bit more substantial, such as using the internet to have someones electricity turned off, or altering a sattelite tragectory to include someones house in its path; or maybe even taking over Dr Evil's Moon Laser to burn nasty messages in someones lawn.

But really, taking out the postal service with a series of mass mailings? What kind of fool thinks that an attack that works on one person will scale large enough to take out the post office, or hinder any sort of criminal investigation?

My solution

[goldcd]

Spam exists purely because the time spent by the spammer is of less value than the reward he gets. We don't need to completely eradicate spammers, just slow then down until it's no longer worth the effort and they quit. Try mposing limits on the amount of email that can be sent per ISP user. If it's set high emough then it'll very rarely bother a legitimate user, but make it stop it being cost effective for spamming. Say 500 emails per 7 days from one user on an SMTP or 1000 from a mailserver running on an ADSL. If you're having to send 1 million mails then signing up for/hijacking 2000 accounts is going to slow you down a bit. This would hopefully stop spamming from 'friendly' services.
Rogue ISPs are trickier to deal with, perhaps the throttling could be used? e.g. AOL trusts MSN, therefore anything originating from MSN would be allowed straight through. AOL is slightly more warey of rogueisp.cn so throttles the acceptance of messages from them to say 50,000 a day before it starts bouncing them. If rogueisp.cn behaves then everything will work perfectly, if they allow their network to hammer AOL then AOL will start chucking the emails back at rogueisp.cn clogging up their system. A perceived problem with this is that legitimate email gets bounced - tough. Rogueisp.cn gets to explain to their customers why "AOL has returned this message because of flood of crap sanctioned by your ISP" is attached to the message that's just been returned unsent. RogueISP can now decide to enforce sendmail throttling as mentioned at the top, or lose its customers.
Tweak the quotas so the better an ISP behaves, the higher it's quota goes and vica-versa and we can polarise connected ISPs, and it's then not to hard just to blanket ban the bad guys.

The solution is with the mailers

[mlush]

It would be very simple for a company to defend against being used in a scripted mail DOS attack.

• Move the order forms to another location and slap a robots.txt on them to try and keep them out of Google et al
• Some simple question/answer system to demonstrate the user is human
  • What is this a picture of? (multiple choice)
  • Enter the word in this picture
  • Could you type the company name in backwards (for lynx users)
  • etc
• Use obscure names for the CGI paramaters
• Perhaps some sort of tripwire paramater called 'postcode' that actually holds the phone number, if a postcode is entered it causes the submission to fail

With a bit of imagination the authentication could be turned into a compatition...

Hang on a second chaps

Given the theme here you bet Im posting as AC.

If you geeks are so clever, how come you are indulging in such fatuous behaviour and generally behaving like "the mob" in a Hammer Horror film.

Oddly you never trust the media yet (FUD is the trendy word at the moment), when this comes out, its read the article, or not(!) (don't check secondary sources or anything) and wade in.

Reminds me of a wave of Paedophilia related mini-riots we had in the UK stirred up by the papers, where a Paedeatrician was attacked (although I find it darkly amusing that the mob thought someone would advertise their illegal proclivities via a brass name plate attached to their house, and claim to have a number of higher degrees in it, but i degress here).

God help you when someone maliciously points the finger at you as a "spamking" for a laugh... all you who posted above with your emails and webaddresses better bear in mind it would be rather easy (about as hard as my typing this post
now).

"Don't piss off nerds" you cry. Just goes to show the circles you move in. Or what, you'll send the guy a Radio Shack catalogue? Phone him up in the middle of the night and tell him your GPA? Scarey. Better that than piss any other sector of society off; they'll come round and beat the shit out of you. Better hope this spam guy doesn't remember how to give wedgies or you're in for some serious pain.

Basically, you make yourselves look like stupid knuckleheaded thugs and at the same time rather puny. A rare feat indeed.

Flamebait? I'd like to think I'm commenting about the hotheads already ignited.

250,000+ catalog forms? Try 839.

[rednox]

I don't think this invalidates their conclusions, but there is one "fact" that is not actually true. The Star article states:

Schneier discovered that by typing "request catalog name address city state zip" into Google, a person gets links to more than 250,000 sites containing subscription and request Web forms.

Sure, Google says that it found "about 259,000" search results. However, paging through the results themselves reveals that it only found 839. Including the omitted, very similar pages, there are still only 997.

I think that the web has a huge number of automated forms that could be used for this kind of attack, but you would have to do a little more digging for them than the article implies.

Re:Who trusts the US Mail anyway?

I've never lost anything in the mail, and personally think the USPS is pretty reliable. However, it's never been exactly all that fast. I once sent some things at the media mail rate, a box, and it took about a month to arrive. This is shipping from one end of California (SF area) to the other (LA area), from myself to myself.

I mainly view certified mail and things as a way to make sure that the receiver doesn't shift the blame when he loses the letter in his system or something, not as a way to make the mail delivery more reliable. It's still the same system, after all. :)

A slightly unrealistic way to prevent mail attack

[Speequinox]

One way to prevent a scripted catalog-signup attack would be to centralize the processing of the signup forms. If all signup requests were routed through a single source, that source could easily detect a spike in signups. At that time, a confirmation phone call or letter could be sent to the recipient to determine whether they actually want all the junk, much in the same way that email list signups often generate an email that requests confirmation.

Of course, there are privacy concerns, centralization vulnerability concerns, and the issue of getting people to use the system. There is a collective action problem because normal members of the public don't have much of a reason (or way) to pay for this, and the catalog companies don't have much incentive to pay for it either since it's probably cheaper to send the occasional unwanted catalog than it is to restructure and pay more for their signup system.

-Mason

What about mistakes?

[leighton]

Of course, none of this takes into account what happens when an overexcited script kiddie targets the wrong address for attack. This happened in the Ralsky case--if you go back, you'll see that people mistakenly posted his old address, the wrong phone number, etc. So some poor innocent sap (who could just as well be you) gets a dozen subscriptions to Hot Wet Naked Shaved Teenage Catholic Schoolgirls and Buff Biker Bears that he has to explain to his wife.

I guess that's just "collateral damage," right?

Chris Crawford and Terrorism

[Jeremy+Erwin]

In his book Balance of Power (1986, the game designer Chris Crawford describes Terrorism thusly:

Terrorism: The first step [in the development of an insurgency] comes when some hothead carries out an act of violence against the government. It is neccesarily rather puny; after all we can't expect every hothead to have much military power at his disposal (thank heaven!). This act serves to galvanize opposition. Once people realize that there are others willing to fight back, they gravitate towards each other, and the insurgency begins to take shape, During this early stage, the insurgents will lack any real military power. They operate as part-time rebels, living during the day as regular citizens, but plotting their revolution in secrecy and making occasional strikes.

It's a little dated, but it's a straight definitiom. Terrorists strike at target of opportunities in urban areas. The goal of their attacks is usually not to go after military targets--in most cases the're too well defended (although see Beirut, Khyber Towers, Pentagon and if you're willing to split hairs. the King David Hotel) but to inspire confidence in those who would support them ("We can win this struggle!") and inspire fear in their enemies ("They came out of nowhere. How could we let this happen?").

Many terrorist organizations don't have a sufficiant grasp of political reality to transform their terrorist activities into an effective opposition. Al Quada's goal was something along the lines of "worldwide Islamic Revolution"-- something that can probably be characterized as "pure fantasy." Although bin Laden's "simultaneous , multiple target" signature may have won him respect from other terrorist organizations, his tactics did little, if anything, to secure his stated political goals, and have instead (deservedly so) marked him as a mass murderer.

Christopher Hitchens defined terrorism as the tactic of demanding the impossible, and demanding it at gunpoint. It's a interesting definition, but, of course it all depends on what one views as impossible.

The USPS must defend itself

[robj]

[An open letter to the paper authors:]

Your paper "Defending against an Internet-Based Attack on the Physical World" describes a number of coutnermeasures, almost all of which are focused on the Internet level of the attack.

Since most of the actual bad consequences of the attack come due to the "mail implosion" at the target address, it seems to me that there are other defensive possibilities based on detecting and averting the mail implosion before it happens.

The only entity in a position to do this is the post office itself. But the post office is already in the business of knowing the destination address of every piece of mail in its system. If the post office were able to mine the addressing data in its system to such an extent as to be able to detect sudden service-threatening implosions targeted at a particular address, the post office itself would be able to flag such mail as "nondeliverable due to system abuse" (perhaps with a notification to the target address that their mail was too voluminous to be delivered).

This would of course require exceptional investment in real-time tracking systems by the post office, although since all that is really required is a count of "number of mailings addressed to target" (and not an actual index of what the mailings themselves *are*), it is possible to avoid the overheads of constructing a full per-package tracking system.

This defense, it seems to me, would be performed by the actual victim of the attack -- the post office itself. Moreover, it is hard to see what countermeasures an attacker could employ to circumvent the post office's own monitoring of its traffic.

(I would imagine similar techniques at the email level are likely already used by ISPs to protect users against email implosion attacks...?)

What would you consider the strengths and weaknesses of this defense?

Thank you for a thought-provoking paper.
Sincerely,
Rob Jellinghaus
rob@helium.com
http://www.helium.com