Slashdot Mirror


Internet Based Attacks in a Physical World

scubacuda writes "In light of the /. backlash against Spam King Alan Ralsky (in which /.ers published his info online--including an overhead shot of his house--and signed him up for junk), Simon Byers, Aviel Rubin, and David Kormann have written a report entitled Defending Against an Internet-based Attack on the Physical World. Bruce Schneier notes that there's no easy defence against such an attack, largely because companies want to make it easy for consumers to get their promotional information: 'Subscribing someone to magazines and signing them up for embarrassing catalogs is an old trick, but it has limitations because it's physically difficult to do it on a large scale. But this attack exploits the automation properties of the Internet, the Web availability of catalog request forms, and the paper world of the post office and catalog mailings. All the pieces (that) are required for the attack to work.' But as Rubin and his colleagues point out, there's a real danger in this ploy, one that few people have likely thought about. 'A scenario could be imagined where an attacker would do this to delay the arrival of an important letter, to wreak havoc on the postal system for political reasons, or even worse, to serve as a diversion for a terrorist act, such as the mailing of a contaminated letter.'"

2 of 290 comments

  1. The solution is with the mailers by mlush · Score: 4, Interesting

    It would be very simple for a company to defend against being used in a scripted mail DoS attack.

    • Move the order forms to another location and slap a robots.txt on them to try and keep them out of Google et al
    • Some simple question/answer system to demonstrate the user is human
      • What is this a picture of? (multiple choice)
      • Enter the word in this picture
      • Could you type the company name in backwards (for lynx users)
      • etc
    • Use obscure names for the CGI parameters
    • Perhaps some sort of tripwire parameter called 'postcode' that actually holds the phone number; if a postcode is entered, it causes the submission to fail

    With a bit of imagination the authentication could be turned into a competition...
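The defences listed in this comment (opaque field names, a tripwire field with an obvious name, a "type the company name backwards" challenge) can be combined in a single server-side handler. The following is an added illustration, not code from the commenter or from any catalog site; the field names, the company name, the server secret, the rate-limit numbers and the sample submissions are all constructed. It also adds two things the comment does not mention, a per-source rate limit and one-time use of each challenge token, because without them a script can simply replay one solved challenge.

```python
import hashlib
import hmac
import re
import secrets
import time
from collections import defaultdict, deque

# Constructed example settings (assumptions, not from any real site).
COMPANY_NAME = "examplecatalog"
SERVER_SECRET = b"constructed-server-secret-change-me"
CHALLENGE_TTL = 600      # seconds a challenge token stays valid
RATE_LIMIT = 3           # accepted submissions per source per window
RATE_WINDOW = 3600       # seconds

# Real fields carry opaque names so a scraper cannot map labels to parameters.
REAL_FIELDS = {"f_7a1": "name", "f_3c9": "address", "f_b52": "zip"}
# The tripwire is the only field with an obvious name. It is hidden from
# humans in the rendered form; a script that fills "postcode" by name
# reveals itself.
HONEYPOT_FIELD = "postcode"

_submissions = defaultdict(deque)   # source -> timestamps of accepted submits
_used_nonces = set()                # challenge tokens already redeemed


def issue_challenge(now=None):
    """Build the challenge shown beside the form: type the company name
    backwards. The expected answer is bound into an HMAC so the server can
    verify the reply later without keeping per-visitor session state."""
    now = int(time.time()) if now is None else int(now)
    nonce = secrets.token_hex(8)
    expected = COMPANY_NAME[::-1]
    msg = f"{nonce}:{now}:{expected}".encode()
    mac = hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()
    return {"nonce": nonce, "issued": now, "mac": mac}


def build_form(challenge, answer, **fields):
    """Assemble what a browser would POST: the visible fields plus the
    challenge token and the typed answer (constructed for the example)."""
    form = dict(fields)
    form["challenge_nonce"] = challenge["nonce"]
    form["challenge_issued"] = str(challenge["issued"])
    form["challenge_mac"] = challenge["mac"]
    form["challenge_answer"] = answer
    return form


def _challenge_ok(form, now):
    try:
        nonce = form["challenge_nonce"]
        issued = int(form["challenge_issued"])
        mac = form["challenge_mac"]
        answer = form["challenge_answer"].strip().lower()
    except (KeyError, ValueError):
        return False
    if nonce in _used_nonces or now - issued > CHALLENGE_TTL:
        return False
    # Recompute the MAC with the submitted answer; it matches only if the
    # answer equals the one bound at issue time.
    msg = f"{nonce}:{issued}:{answer}".encode()
    expected_mac = hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected_mac)


def _rate_ok(source, now):
    recent = _submissions[source]
    while recent and now - recent[0] > RATE_WINDOW:
        recent.popleft()
    return len(recent) < RATE_LIMIT


def validate_submission(form, source, now=None):
    """Return (accepted, reason). The reason names the defence that fired so
    an operator can see which one is catching scripted traffic."""
    now = int(time.time()) if now is None else int(now)
    if form.get(HONEYPOT_FIELD, "").strip():
        return False, "honeypot filled"
    if not _challenge_ok(form, now):
        return False, "challenge failed"
    missing = [f for f in REAL_FIELDS if not form.get(f, "").strip()]
    if missing:
        return False, "missing fields: " + ",".join(missing)
    if not re.fullmatch(r"\d{5}", form["f_b52"].strip()):
        return False, "bad zip"
    if not _rate_ok(source, now):
        return False, "rate limited"
    _used_nonces.add(form["challenge_nonce"])
    _submissions[source].append(now)
    return True, "accepted"


if __name__ == "__main__":
    c = issue_challenge()
    human = build_form(c, COMPANY_NAME[::-1], f_7a1="A. Person",
                       f_3c9="1 Main St", f_b52="12345")
    print(validate_submission(human, "198.51.100.7"))
    bot = dict(human, postcode="12345")   # filled the hidden tripwire
    print(validate_submission(bot, "198.51.100.8"))
```

The reason strings are what you would log and graph: a sudden rise in "honeypot filled" or "rate limited" from one source is the signal that the form is being scripted, which is exactly the volume this attack depends on.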

  2. 250,000+ catalog forms? Try 839. by rednox · Score: 5, Interesting

    I don't think this invalidates their conclusions, but there is one "fact" that is not actually true. The Star article states:

    Schneier discovered that by typing "request catalog name address city state zip" into Google, a person gets links to more than 250,000 sites containing subscription and request Web forms.

    Sure, Google says that it found "about 259,000" search results. However, paging through the results themselves reveals that it only found 839. Including the omitted, very similar pages, there are still only 997.

    I think that the web has a huge number of automated forms that could be used for this kind of attack, but you would have to do a little more digging for them than the article implies.