A Disambiguation Cost Attack is an attack against the target’s personnel bandwidth, and is a tactical instance of a strategic Resource Consumption Attack(RCA).
When attacking one of your enemy’s processes, look carefully and see if there is any point of attack which will require human intervention to un-screw if you screw it up. Clearly, if you attack something which is automated, your attack can be repaired automatically. So, your question then becomes “how to make my attack resistant to repair automation?” The next consideration is “what are my enemy’s resources for repairing the damage from my attack?” If you can identify a target process where repair is not automatic, and the personnel responsible for repairing it are few (any highly technical processes, particularly those involving authentication, transactions, access controls updates, or system administration automation) then you have found a weak spot that will be painful if you exploit it.
Examples of ideal Disambiguation Cost Attacks are places where you can submit duplicate transactions that require manual intervention to sort from the real transactions. This will be especially damaging in processes where there are fraud-control systems in place, that can be further triggered to bring additional chaos onto the target. Think in terms of making your damage as difficult to repair as possible: don’t let them just restore a corrupted database from backup, submit a stream of bogus transactions that are indistinguishable from real transactions except for the amounts being randomized. Any process that has a “redress” option can be gamed to multiply the cost of an attack:
- Corrupt the target database slightly and leave the corruption in place for several months while you prepare the rest of the attack. This will drive up their repair cost because now they have a corrupted database that has been operationally used for a month or two, and they will have to sort legitimate transactions from corrupted entries. That will almost certainly be a manual process.
- Prepare for your attack by collecting a stream of transactions; analyze them and see if the process has the ability to automatically suppress duplicate transactions (they often won’t, generally only systems designed to do fraud control are coded to detect transaction errors).
- Study the redress process; when someone’s account gets screwed up, are they expected to call a telephone bank somewhere? Are they expected to go to a website and contest the screwed up transaction? Where are the linkages in the redress process and what prevents you from scatter-bombing them with fake redress requests after the first phase of the attack is complete?
- Launch your attack by increasing the amount of corruption in the database substantially, then back yourself out of the system. Perhaps they will notice, perhaps they will not. Your goal at this point will be to hide your tracks as well as possible while waiting for the attack to mature.
- Stuff the duplicate transactions into the transaction pipeline and go dark.
- Make a few redress calls based on the newly posted error transactions. This ought to trigger the target’s detecting that they have been compromised and their database is screwed up. At that point, you can submit spurious redress requests that will leave them flailing back and forth: presumably they will be getting real redress requests, as well. Imagine the fun when they realize they are getting contradictory redress requests and they have no way of telling which one(s) are real!
An ideal disambiguation cost attack can be launched against any financial or transactional system that is a) important, b) unpopular, c) important to the end customer, d) does not have built-in disambiguation. Consider the IRS’ ‘cyberfile’ tax system: it is heavily oriented toward the idea that some people might want to try to get tax refund checks sent to the wrong place (so they can cash them and get the money) – it is probably not oriented toward the idea that some cyberinsurgent might want to jam the entire system up by submitting gratuitous duplicate tax returns (showing a moderate debt) on behalf of real people. Now, the IRS has a problem: which return is real? Now, the taxpayer has a problem: they don’t know that the IRS has two returns under their name and they don’t know the IRS thinks they owe money. The taxpayer will only find out about this problem when they get computerized mail from the IRS warning them that they need to pay – at which point, the damage has been done and has had a long time to gestate. How does this situation get resolved? It’s going to take telephone calls, accountants, and a lot of people are going to get pissed off and frustrated. The beauty of such an attack is that it requires only paper, the social security numbers of high-ranking civil servants that are part of the mechanism of oppression, or oligarchs that you want to have annoyed at the IRS. The computerization of the underlying system makes it ripe for attack and there is even a “mail in” option that doesn’t require leaving traces on a network. The IRS only has a relatively small number of examiners for the entire United States (about 1,000) with its population of 170+ million taxpayers: a bump in their work-load by a factor of ten will cause their entire process to collapse. That is one example. Use your imagination.