The Semantic Web: Are You Scared Yet?

The idea of the semantic Web is an exciting one. Imagine the possibilities when the World Wide Web is truly open—open to integrating and combining data no matter where it comes from.

And now, imagine the security risks. If the semantic Web is ultimately all about the dynamic interoperability of data across applications, how can you be assured that data security is maintained? How can you be assured data sources will be reliable and the facts they send back can be trusted? How can you be sure that new security risks won’t be a boon to criminals and hackers?

The answer, says Anton Chuvakin the chief logging evangelist at log data management and intelligence vendor LogLogic, is that you can’t.

“You can't and you won't be assured,” says Chuvakin, an expert in computer forensics, intrusion detection, security information management, and security standards, among other specialties, in an email exchange. He regularly blogs on security issues and is the co-author of Security Warrior.

“That is why security in the ‘age of Web 3.0’ will be loads of fun. It will also be very different from today's security. To make the challenge even more ... well, challenging ... privacy concerns (e.g. can you use this data in such a way?) will be much more prominent and will overlap the security concerns (e.g. who stole the data?).”

In other words, security issues will revolve around things like:

What is this data, and is it confidential?

How is it used? Is there an authorization?

Who has this data now? Is that person supposed to have it?

How can this data be used? Is there a privacy violation in using this data?

Where/how was the data used for whatever e-crime may be committed?

“To top it off, many of the Internet protocols do not allow for any kind of a source validation,” he says. “IPv6 might, but Web 3.0 will likely happen before IPv6 becomes popular.”

Semantic Web discussion is impossible without a discussion of ‘semantic attacks,’ as they are defined by Bruce Schneier in his Oct 2000 CryptoGram newsletter , says Chuvakin. The definition is as follows: "The third wave of network attacks is semantic attacks: attacks that target the way we, as humans, assign meaning to content." He further states that, "In the near future, I predict that semantic attacks will be more serious than physical or even syntactic attacks."

Scared yet? Seems Chuvakin thinks you should be.

“Indeed,” he writes in his email, “this horrible time is coming soon: Why DDoS, why overflow, why XSS if you can simply change one part number with another in an airline parts database to a wrong but compatible one,” with the result that the wrong part is installed (since installers just look at what computer is saying), and then possibly have an airplane failure.

“Semantic attacks exploit a ‘business logic’ weakness, just as a buffer overflow exploit abuses an incorrectly coded buffer in a software application.”