[Moderator: *sigh* I hate for this kind of article to be the first to hit
your mailbox on the new week, but this needs to be addressed. Much like
the rash of "blitzkrieg" articles a few months back, we have claims of
defensive software that retaliates against hackers. Instead of dragging
up the past arguments against this 'technology', I'll point you to an
excellent rebuttal by Crypt Magazine on the last round. Please understand
that if any company actually deploys anything like this, they are
breaking the law as much as the person attempting to hacking them:
http://www.attrition.org/errata/www/pd.001.html]
http://www.internetwk.com/news1298/news120498-12.htm
Friday, December 4, 1998, 5:15 p.m. ET.
The Enterprise Strikes Back
By RUTRELL YASIN
Stung far too many times by hackers, IT managers are fighting back.
An increasing number of large companies are arming themselves with systems
designed to launch debilitating counteroffensives when attacks are
detected, according to a security study to be released next month.
In an 18-month study of 320 Fortune 500 companies, 30 percent said they
have installed software capable of launching counterattacks after
suffering security breaches, according to WarRoom Research president Mark
Gembicki, an author of the study.
The report, titled "Corporate America's Competitive Edge," focuses on
security and business intelligence practices. Gembicki will share
preliminary findings at several conferences next week in the Washington,
D.C., area.
The method known as "strikeback" gained wider attention during the past
few months as the Pentagon reportedly thwarted a series of attacks with
software that disabled browsers used by the attackers.
Strikeback runs the gamut from passive collection of information about
hackers to deter further intrusion to a "Ping of Death" and flooding a
hacker's system beyond its capacity, both of which shut down the hacker's
system. Strikeback can even be escalated to the network level, where a
victimized company alerts its firewalls and routers to cut off all
external access or to flood the hacker's system.
Users and security experts said there is a need for strikeback
capabilities but also warn that taken too far it could pose serious legal
and technical problems.
"The idea of striking back is good, but there are legal issues that need
to be resolved," said Dean Rich, who heads network protection as vice
president of security at an Internet technology developer.
For example, you must ensure that a counterstrike is aimed at the correct
system.
Jeff Moss, the director of penetration services at Secure Computing Corp.,
said he agreed.
"I'm a big fan of using equal force. If someone hits you with a stick, hit
him back with a stick," Moss said. "The Defense Department was right in
defending itself. It didn't break into any machines nor did it delete
files."
However, "the DOD was lucky it knew who was attacking and could get the
right people," Moss said. "In many cases, you can't be completely sure of
who's attacking."
Once a hacker detects a retaliation, he can forge the headers on packets
and make it seem as though the attack is coming from another address or
location, experts said. And if a company launches a countermeasure using
hostile applets or code that denies services or wreaks havoc on an
innocent user, the results could be disastrous.
Gembicki would not comment on whether any of the surveyed companies had
actually inserted hostile applets to disable any attacker systems.
But he did say many companies would rather rely on their own strikeback
capabilities than call in the FBI or state law enforcement agencies. They
view strikeback as a right, just as the law protects physical self-defense
by way of force, he said.
Security vendors are treading carefully, incorporating strikeback-like
features in their products at a deliberate pace.
"Personally, I don't know of any [commercial] software in place that truly
does strike back," Rich said. But he cited a case in which a company was
being spammed through e-mail, and it returned fire by sending a denial of
service that flooded the culprits' systems with traffic and virtually shut
them down.
But any strikeback "certainly has to be done with caution," said Patrick
Taylor, director of strategic business marketing at Internet Security
Systems Inc.
The company's RealSecure intrusion detection system can send a command
that kills a TCP/IP connection when an intrusion is detected. It also can
e-mail an administrator or have an Internet service provider revoke an
account that is launching an attack.
"It doesn't have the immediate gratification of [a person] saying 'Hey I
blew that guy out of the water,' " Taylor said. But it can set the stage
for a company to launch a more controlled counteroffensive, he added.
But it's an ominous sign if companies adopt an attitude of shoot first and
ask questions later, said Drew Williams, manager of intrusion detection at
computer security developer Axent Technologies Inc. A passive approach is
better, he said, in which IT managers can gather complete information
about the intruders and then strike.
Some reports have indicated that 80 percent of intrusions occur inside an
organization, and 65 percent to 70 percent of those are mistakes, Williams
said. It would be regrettable to launch a counterstrike against someone
who has mistakenly keyed something, he added.
Gembicki agreed there should be controls on the use of strikeback
technology. A code of ethics controls how government agencies such as the
Pentagon use strikeback measures. However, many of the Fortune 500
companies are motivated by profits and protecting corporate assets.
"These companies are truly borderless" and are moving into uncharted
territory, Gembicki said.
As a result, Rich expects to see "a lot of information security cases
going to court in the next few years, and these [cases] will set the
foundation."
-o-
Subscribe: mail majordomo@repsec.com with "subscribe isn".
Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]
Received on Tue Dec 8 09:00:30 1998