Semantic attacks

I'd heard of "social engineering" before; that's a form of hacking that involves breaking into computer systems by getting secure information from people who have it. It can be done by calling up users and claiming to be a sysadmin and asking for their passwords, for example. Hard to defend against, since such defenses require an alert and informed user base.

But now there's something new: the notion of a "semantic attack," which at base seems to consist of making a person or system believe something that isn't true. The general approach is certainly not new; lying is a form of semantic attack. What's new to me is the paradigm that this is an effective form of attack on a computer system.

Martin Libicki's interesting paper "What Is Information Warfare?" includes this key point in Chapter 9: "A system under semantic attack operates and will be perceived as operating correctly (otherwise the semantic attack is a failure), but it will generate answers at variance with reality." The rest of that chapter is interesting but not so relevant to the current reality of semantic attacks.

And semantic attacks of a variety of forms are real. The usual canonical example is the faux press release that caused a severe drop in the price of Emulex stock in 2000. The recent manipulation of posted Yahoo news stories is a similar kind of semantic attack. And in a different direction, I've been seeing a lot of URLs lately that look like they go to some site but actually go elsewhere; this Crypto-Gram posting explains what's going on with that.

For more on semantic attacks, see Google.

Join the Conversation