Network World
Saturday, November 22, 2008

Security Phreak

Seizing the Epilepsy Attack

I may be a couple of days late with this one, but this is one of those few times when I am truly amazed by the malicious intent of an internet exploit: hackers defacing a website frequented by epileptics to intentionally cause seizures.

Epilepsy, a chronic neurological disorder with a prevalence of approximately 1 in 100 (3 million people), is characterized by a storm of abnormal electrophysiological activity in the brain. Normal cognitive function is temporarily disrupted due to this excessive firing and hypersynchronous discharge of cortical neurons. The results of this disturbance, commonly known as a seizure, are episodic occurrences for people with epilepsy. The clinical appearance depends on the extent and region of brain involvement, but can range from headaches to violently uncontrolled muscle spasticity.

Seizures are often elicited by a stimulus or event. Photic-induced seizures are those triggered by visual stimuli. These stimuli usually appear as flashing or flickering light, in both contrasting solids (photosensitive) and certain geometric patterns (pattern-sensitive). Individual characteristics are known which lower the threshold for inducing seizures. Specifically, the effectiveness increases with brightness and contrast ratio, and is most potent at flash rates between 15-25 Hz.

The Epilepsy Foundation, a non-profit organization with 53 national affiliates, is an agency that conducts numerous programs to help those afflicted with epilepsy. Last weekend, their eCommunities forum section was hacked. These forums provided a community support network for people to discuss various topics related to living with epilepsy. Like most forums, interaction consisted of posting questions and answers within a topic group. Viewing the forum source reveals that it's ColdFusion based and apparently allows HTML to be embedded into user postings. Hackers exploited this function and used JavaScript to manipulate several links in this section of their site. Unsuspecting users found themselves clicking on forum messages which contained flashing animated GIFs, providing the visual trigger for seizures in photosensitive epileptics. Following that incident, they used a redirection attack, which sent forum users to sites containing flashing patterns, targeting pattern-sensitive individuals as well.
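The weakness described above is user-supplied HTML being rendered as posted. The following is an added example (not code from the forum or from this blog) of an allowlist filter a forum could run on every post before storing or displaying it; the tag policy, the `sanitize_post` name and the sample post are assumptions.

```python
from html import escape
from html.parser import HTMLParser

# Assumed policy for a support forum: text formatting and plain links only.
ALLOWED_TAGS = {"a", "b", "i", "em", "strong", "p", "br", "ul", "ol", "li", "blockquote"}
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed"}
SAFE_SCHEMES = {"http", "https", "mailto"}

class PostSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # > 0 while inside an element dropped with its content

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1
        elif not self.skip_depth and tag in ALLOWED_TAGS:
            kept = ""  # every attribute (onclick, style, src, ...) is discarded
            if tag == "a":
                href = (dict(attrs).get("href") or "").strip()
                scheme, sep, _ = href.partition(":")
                # Only absolute http(s)/mailto targets survive; javascript: does not.
                if sep and scheme.lower() in SAFE_SCHEMES:
                    kept = ' href="%s" rel="nofollow noopener"' % escape(href, quote=True)
            self.out.append("<%s%s>" % (tag, kept))
        # Tags outside both sets (img, meta, form, ...) are dropped, their text kept.

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth and tag in ALLOWED_TAGS and tag != "br":
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))  # text is always re-escaped

def sanitize_post(html_text):
    parser = PostSanitizer()
    parser.feed(html_text)
    parser.close()
    return "".join(parser.out)

# Constructed sample post, not taken from the incident.
SAMPLE = '<p>Hello <img src="a.gif"><a href="javascript:go()">thread</a></p>'

if __name__ == "__main__":
    print(sanitize_post(SAMPLE))
```

Images, scripts and meta-refresh redirects never reach other readers under this policy, and a link keeps its target only when the scheme is on the allowlist.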

This is not the first time that flickering visual imagery from a TV or computer monitor has induced seizures. In 1981 there was a case of "Space Invader Epilepsy" reported in The Lancet medical journal. During the late 80's through the mid-90's, several cases of video game and TV related seizures were reported, due to their display of flashing imagery. In December of 1997, a four second rocket launch sequence from the Japanese cartoon Pokémon consisted of flashing blue and red light. This resulted in the hospital treatment of 685 children for related symptoms, approximately 80% of which were seizures.

However, this is the first time that this was carried out intentionally. This has also been reported as the first type of internet based attack that has caused direct physical harm to the end user. This is truly a new low in malicious activity carried out online. It's hard to categorize the legal classification for this act in terms of cyber-crime. However, it should be considered a form of physical assault. I can understand the mindset of the criminal hacker with financial motives, but this cruel misuse of the internet is beyond logical comprehension. Unfortunately, without any financial loss or theft of personal information, this crime will probably not be extensively pursued by the authorities.

So, how can one protect themselves from these types of attacks?

In this case, there are two options. Block any content that displays a trigger stimulus, or prevent the exposure of such material to the individual.

While production guidelines and pre-screenings have been employed for years to prevent potential hazards from video games and TV, they would not prevent the kind of incident displayed last week.

In this case, a form of proactive and defensive security must be utilized. Research is being conducted into automated screening algorithms which would monitor the timing sequence, brightness and contrast of internet imagery. If such an algorithm detected content that met the predetermined parameters for seizure stimulation, the content would be blocked prior to presentation on the user's monitor. Furthermore, adaptive temporal filters have been developed for attenuation of flickering imagery. These automated, self-adjusting displays change their output refresh rate to accommodate a wide range of originating frequencies. Lastly, research in visual perception has produced several types of cross-polarized glasses and lens filters which act as optical shields to the offending stimuli. These have been successful at seizure prevention by reducing the roles that color modulation and contrast have as stimulus triggers.
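The screening idea above, as an added example that is not the research code the article refers to: it measures per-frame brightness, counts large opposing luminance swings, and blocks content that flashes too often within any one-second window. The thresholds are assumptions modelled on the WCAG 2.x general flash definition, and using the whole-frame mean luminance is a simplifying assumption.

```python
# Assumed thresholds, modelled on the WCAG 2.x general flash definition;
# the article gives no numeric parameters for the screening research.
MIN_DELTA = 0.10      # luminance swing that counts as a transition (0..1 scale)
DARK_LIMIT = 0.80     # the darker state must be below this to count
MAX_FLASHES = 3       # flashes tolerated in any one-second window

def _linear(c8):
    c = c8 / 255.0    # sRGB channel value to linear light
    return c / 12.92 if c <= 0.04045 else ((c + 0.055) / 1.055) ** 2.4

def frame_luminance(pixels):
    """Mean relative luminance (0..1) of one frame given as (r, g, b) tuples."""
    total = sum(0.2126 * _linear(r) + 0.7152 * _linear(g) + 0.0722 * _linear(b)
                for r, g, b in pixels)
    return total / len(pixels)

def transition_times(lum, fps):
    """Timestamps of luminance swings of at least MIN_DELTA, alternating in direction."""
    if not lum:
        return []
    times, ref, direction = [], lum[0], 0
    for i, v in enumerate(lum[1:], 1):
        step = v - ref
        if direction and step * direction > 0:
            ref = v                      # same direction: follow the extreme
        elif abs(step) >= MIN_DELTA and min(v, ref) < DARK_LIMIT:
            direction = 1 if step > 0 else -1
            times.append(i / fps)
            ref = v
    return times

def max_flashes_per_second(lum, fps):
    """Most flashes (pairs of opposing transitions) in any one-second window."""
    t, start, best = transition_times(lum, fps), 0, 0
    for end in range(len(t)):
        while t[end] - t[start] >= 1.0:
            start += 1
        best = max(best, (end - start + 1) // 2)
    return best

def should_block(frames, fps):
    lum = [frame_luminance(f) for f in frames]
    return max_flashes_per_second(lum, fps) > MAX_FLASHES

# Constructed input: 1 s at 30 fps alternating black and white 2x2 frames.
BLACK, WHITE = [(0, 0, 0)] * 4, [(255, 255, 255)] * 4
STROBE = [BLACK, WHITE] * 15
FADE = [[(v, v, v)] * 4 for v in range(0, 240, 4)]   # 2 s slow fade-in
```

For an animated GIF the same check applies once each frame is decoded to pixels and the per-frame delays are converted to timestamps.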

However, these security methods place the burden on the affected individuals, a responsibility they should not bear. They are temporary defensive measures, not long term solutions.

The security community primarily focuses on protecting the network infrastructure and the data it carries, as these are the targets of attack. But when the system we are protecting is used as an instrument of physical attack, perhaps we need to think about how to protect the most important element of the internet... people.

Any ideas or solutions? Send them to:

very interesting blog

very interesting blog

No punishment too great

This kind of behavior is despicable and cannot and must not be tolerated. I can think of no punishment that is too severe for any individual who willfully participates in any on-line activities that bring physical harm to fellow human beings. These are NOT harmless or "simply malicious" acts. The global community outrage, reaction, identification and persecution of the soulless individuals involved should be swift, cooperative and definitive to let like-minded people considering future similar acts understand that these actions are UNACCEPTABLE!

No punishment too great

I apologize if I seemed to trivialize the severity of this attack. I wanted readers to know that this was not just a cyber attack, but "a form of physical assault", to quote myself. I agree that this was not "simply malicious", and my usage of "cruel" was not properly emphasized towards the suffering of the viewers. As a physician, I can understand the consequences a little better than your typical IT blogger. In contrast to all of the other blogs and articles I read, I tried to provide a more thorough medical description of epilepsy and seizures, as well as some of the methods of protection and prevention. Although, due to my blog's focus on IT security, I mostly cover technical issues related to internet threats. However, I agree with all of your statements. So please forgive me, and don't misinterpret my blog entry as the writing of an uncaring individual. Thanks.

No apology necessary

My strong words match my emotions that were elicited by your post. I had/have no intent of directing the words towards you. I am grateful that you brought this situation to this forum.

I have Epilepsy and I am on

I have Epilepsy and I am on this page a LOT. In fact I was on there right when it all started and I notified the folks at EFA. It was not last weekend, it was the Saturday before Easter. It was not just flashing images; there were also a LOT of really disgusting images of porn and dismembered bodies, most pointing to ebaums world.
It's a shame we were attacked by low life trolls. But know that the folks on EFA's eCommunities are awesome and moving on.
I think EFA and the company they have outsourced the boards to are going about tightening up security. They have taken away pretty much all of the features that place had. No more images, no icons, heck we can't even post smilies anymore. In reality what they need is email verification to all new users, and a CAPTCHA system such as the one below. Bots were clearly used in the attack.

Everyone Needs to Take a Stand

While everyone can't know how to defend or protect against everything bad, hopefully everyone will look at their own value system and determine those things they can stand for and get active about them.

Stand for Something, or You'll Fall for Anything.

This incident is terribly unfortunate. Thanks for reminding us all how many different ways there are that people attack us each and every day.

I agree with the author's

I agree with the author's intent, but his poor use of grammar and punctuation made the article very difficult to read.

difficult to read?

Seriously?

A few extra commas here and there

But let's not get bogged down in that.

The research he is talking about is interesting and for a good cause.

I agree with the author's

I agree with the author's intent, but his poor use of grammar and punctuation made the article very difficult to read.

yea, because that's an important point to bring up when discussing physical damage to people with epilepsy.

good grief.....@@
thank you very much captain correction

About Security Phreak

With 20+ years of industry experience, Noah Schiffman is a former black-hat hacker turned security consultant. Coding at an early age, he developed one of the early text/graphic editing applications and started his first software company in 1980 when he was 11 years old. With the advent of networking technologies, he soon mastered the art of manipulating telco switching systems, known as "Phone Phreaking". This soon led to his career as a computer hacker, performing penetration testing, reverse engineering, cryptographic attacks, corporate espionage, digital surveillance and other ethically questionable projects.

His clients have consisted of Fortune 500 companies and various government agencies.

He has authored a number of articles for SearchSecurity.com, on topics ranging from kernel mode and metamorphic viruses to corporate data loss prevention.

The opinions expressed in this Weblog are those of the writer and may not represent the opinions of Network World.
