I wrote this page with a web editor. I also used several other programs to prepare this page, including a text editor, a spell checker and an image editor. Similarly, you are using a web browser to read this page. Perhaps you're connected to the Internet via a dial-up program, and you may also be using word processors, image viewers, or accounting software.
Each of these programs requires access to files stored on our computers. These programs also require access to our network, to a variety of configuration files and to other resources. Isn't it dangerous to give programs full access to your computer, to all of your files, and perhaps even to your most private information? In general, the answer is an emphatic yes. We've all heard about many harmful programs written by criminals. If you do not know what a program does or who wrote it, you should carefully consider whether you really want to use that program. It just might be harmful in some way.
There are a variety of risks we take, using software programs. These risks are usually classified according to the form of attack employed by the harmful program:
Integrity attacks damage the information
stored in the computer's files.
Privacy attacks copy information stored on the computer's disk without your permission.
Denial of service attacks prevent you from using the computer.
Let's examine each of these forms of attack.
A malicious computer program can scramble your disk and remove all your files. This is called an integrity attack, because it damages the integrity of your system. You can recover from such an attack if you have back up copies of your files. Some information may be lost forever if there is no back up.
Integrity attacks can also be directed towards the computer's hardware and peripherals, although this is very rare. For example, an integrity attack could exploit a known deficiency in a display driver to burn out a computer's display.
Integrity attacks are usually very damaging, and are detected right away. Finding the culprit is not always easy, because the attacker could erase itself along with all the other files and leave no trace.
Privacy attacks have the effect of making information that should be private available to others who are not allowed by you to have access to it. For example, a privacy attack could watch your keyboard and record the keystrokes you type when you give your password to log on to an online service. Then, after the password is obtained, the attacking software transmits it to the criminal who instigated the attack.
These attacks are, like integrity attacks, very damaging. Additionally they are not recoverable (you can not regain the confidentiality of information once leaked), and they are also not easily detectable. For example, you may only learn that your password for logging on to your online service provider is no longer your private knowledge when you notice that someone has used your account and has racked up huge bills for usage.
The attacker may use her ability to break into your files or observe what you do while using the computer to obtain information about you: your habits, tastes, sexual preferences, investment goals, political affiliation or any other information you trust to computers and files. Information transmitted over email is especially vulnerable to being compromised by a privacy attack.
Privacy attacks can appear to be relatively innocuous, but they really are rather insidiuous sometimes. For example, I heard recently about a privacy attack by an employer on her employees, measuring the speed with which employees typed on their keyboards and their typing habits in general. How would anyone use such information, and why do I consider this a privacy attack? Well, in this case, it is claimed that the information was used to promote fast typing employees. It is also claimed that the information was used to demote employees who were deemed to be at risk of developing RSI (a work related disease that prevents one from effectively using a keyboard to enter information into a computer).
An example of a non-computer related privacy attack: Long distance calling cards are a prime target for such attacks, usually in airports. The thieves position themselves to be able to see when you type in your access code and make a call. Later, they steal the card and use it to run up huge long distance bills. Some especially sophisticated and daring criminals just borrow the card and later return it after using it, claiming to do you a favor by returning the card you supposedly dropped.
Denial of service attacks intend to prevent you from fully using your computer's capabilities. They are usually a nuisance, but most of the time they do not do permanent damage. For example, the attacker may display an obnoxious message on the screen of your computer every five seconds, or append a derogatory statement about you to every file on your disk. Or she may consume every free byte on your disk, leaving no space for you to save the files you have just been editing.
Some denial of service attacks are obvious and immediately detectable. Others are much more difficult to detect. For example, the attacker consumes CPU time on your computer when there is a lot of work for it to do, but nearly no CPU time when the computer is idle. This has the effect of slowing down the computer when you most want to use it, but being nearly undetectable when you stop working to go looking for the cause of the slowness.
In some situations, denial of service attacks are very dangerous and damaging. For example, in a combat control station, if the computer displaying the battle-field situation is even temporarily incapacitated, the enemy troops may be able to use this to good advantage.
Most computer users agree that preventing integrity attacks is of the utmost importance. We all want the information we store on the computer's disk to be there when we need it.
However, some situations require the prevention of privacy attacks over protection against integrity attacks. This occurs when the information can be recovered easily, but must be kept private at all cost.
In some cases, users require protection against denial of service attacks but privacy attacks or integrity attacks need not be prevented. This usually occurs when the information can be easily computed but its value declines rapidly over time -- online stock brokers are a prime example of this situation.
So there really is no one way to assign relative importance to the prevention of these attacks. Each situation warrants careful examination, taking into account what risks you are exposed to and what you are trying to do with the computer.