[Moderator: As with other articles like this, remember that striking back
is either not being done and is nothing more than media hype, or these
companies are striking back illegally. I am just waiting for the first
time they strike back at the wrong host or an innocent ISP.]
Forwarded From: darek milewski <darekm@cmeasures.com>
Corporate vigilantes go on the offensive to hunt down hackers
http://www.nwfusion.com/news/0111vigilante.html
http://cnn.com/TECH/computing/9901/12/cybervigilantes.idg/index.html
Striking back
Corporate vigilantes go on the offensive to hunt down hackers.
By Winn Schwartau
Network World, 01/11/99
In September 1998, the Electronic Disturbance Theater, a group of
activists that practices politically driven cyber civil-disobedience,
launched an attack aimed at disabling a Pentagon Web site by flooding it
with requests. The Pentagon responded by redirecting the requests to a
Java applet programmed to issue a counteroffensive. The applet flooded the
browsers used to launch the attack with graphics and messages, causing
them to crash.
The incident raises issues all user organizations will soon have to
grapple with, if they haven't already. When you detect a break-in, should
you launch a counterattack in order to protect your network? Is law
enforcement capable of stopping cybercrime and can it be trusted to keep
investigations quiet? If not, don't corporations have a right to defend
themselves?
Some emboldened user organizations are answering "yes." They are striking
back against hackers, sometimes with military efficiency and intensity, in
an effort to protect their self-interests. In the process, they are
fueling a debate over what is legal and ethical in terms of corporate
vigilantism.
One end of the opinion spectrum says law enforcement agencies are
generally not up to the task, so corporations have a fiduciary
responsibility to protect their interests. The only question for these
companies is how far they are willing to go. Will they break laws, and if
so, which ones?
The opposite view is corporate vigilantism is wrong: Taking the law into
one's own hands only makes things worse.
The First Vigilante Corp.
Lou Cipher (a pseudonym of his choice) is a senior security manager at one
of the country's largest financial institutions. "There's not a chance in
hell of us going to law enforcement with a hacker incident," he says.
"They can't be trusted to do anything about it, so it's up to us to
protect ourselves."
Cipher's firm has taken self-protection to the extreme. "We have the
right to self-help - and yes, it's vigilantism," he says. "We are drawing
a line in the sand, and if any of these dweebs cross it, we are going to
protect ourselves."
Cipher says his group has management approval to do "whatever it takes" to
protect his firm's corporate network and its assets.
"We have actually gotten on a plane and visited the physical location
where the attacks began. We've broken in, stolen the computers and left a
note: 'See how it feels?'" On one occasion, he says: "We had to resort to
baseball bats. That's what these punks will understand. Then word gets
around, and we're left alone. That's all we want, to be left alone."
A senior vice president of security at a major global financial firm
speaks of the matter in military terms. He equates a hacker intrusion to a
"first strike," and says defense is an appropriate response. "If you use
measures to restore your services, that's defense, not offense," he says.
When asked how far his company goes, he concedes only, "I am willing to
defend myself."
Of the dozens of companies interviewed, a surprising number are seriously
considering implementing "strike-back" capabilities. However, when asked,
most would not admit they have already taken such steps.
Bruce Lobree, an internal security consultant at a major financial
institution, is cautious about admitting his firm uses vigilante
activities and strike-back techniques. He says with a smile, "I can't
answer yes or no. That's proprietary. Besides, legally we can't. But I can
tell you that everything that occurs at our network perimeter and inside
our networks is recorded."
A recent study, "Corporate America's Competitive Edge," conducted by
Warroom Research, a competitive intelligence firm in Annapolis, Md., shows
that 32% of the 320 surveyed Fortune 500 companies have installed
counteroffensive software. Warroom President Mark Gembecki notes that not
every company will send out thugs to enforce their firewall policies.
Cyber-response is OK, he says, but Cipher's physical retaliation is "a
clear and overt violation of civil rights."
Such extreme counteroffensive methods raise the hackles of even the
staunchest corporate information warrior. Lloyd Reese, program manager of
information assurance for Troy Systems, a technical support company in
Fairfax, Va., has a criminal justice background and says physical response
is illegal and "doomed to failure." Such responses will only invite
further attacks - perhaps even more intense, he says. "Companies need to
follow the appropriate legal process. We already have chaos on the
Internet, why should we make it worse?"
Joseph Broghamer, information assurance lead for the U.S. Navy's Office
of the Chief Information Officer, goes further, saying even the Pentagon
shouldn't have done what it did. "Offensive information warfare is not a
good thing . . . period. You want to block, not punish," he says. "There
is no technical reason to react offensively to a hacker attack." His
opinion is shared by precious few.
As part of its information security practice, Ernst & Young has been asked
about strike-back capabilities and how hostile perimeters might be used
for defense. Dan Woolley, national leader of market development for the
firm, says he knows of "companies in finance, insurance and manufacturing
that are developing and deploying the capability to aggressively defend
their networks." He is quick to point out, however, "We don't do it for
ourselves even though we are attacked regularly."
The questions security software vendors and consultancies like Ernst &
Young are now grappling with are wrenching: Should they develop offensive
software, offer it to their clients, deploy it and support it? And if so,
how open should they be about it?
How they do it
It's easy to understand why companies are interested in the idea of
corporate vigilantism. Even the best layers of defense - firewalls,
passwords and access control lists - can't work alone for many reasons.
Among them:
Network topology, users and software are constantly changing. There is no
way to keep up.
New vulnerabilities are found - and exploited - daily.
A small number of individuals with little technical skill can launch
massive online attacks.
Once an attack is detected, corporate vigilantes have various methods of
evening the score.
The Navy's Broghamer argues that sometimes the best response to an attack
is to shut down the network connection altogether, although he
acknowledges the Navy is not as sensitive to uptime and customer
perception as the private sector.
Another approach is to send a strongly worded message to the source IP
address or to an ISP in the path. Traceroute can map the route toward the
source IP address that appears in the attack packets, but that address can
be forged, and each hop has to be covered in order to find the real
source, so you have to get the assistance of ISPs down the line to trace
the additional hops. That's all legal, but you may need to pressure each
ISP into working with you quickly to identify the next hop in the chain.
Once you collect this data, it can be handed over to law enforcement
officials - who may or may not react.
In 1994, Secure Computing, a security vendor in Roseville, Minn.,
introduced Sidewinder, a novel firewall with strike-back capabilities. If
it senses an attack, it launches a daemon that will trigger the offensive
techniques of your choice. Other companies indicate they will soon be
offering a range of strike-back products.
A company crosses the line when it responds by unleashing a
denial-of-service attack against an intruder, as the Pentagon did. This
can be done via massive e-mail spamming, the Ping of Death and hostile
Java applets.
No matter what offensive mechanism you choose, the trick is to identify
the culprit before returning fire. Should you fail to recognize that the
attacker spoofed the identity of another company, you may find yourself
attacking J.C. Penney, NBC or General Motors. Innocent companies would
not take kindly to that sort of activity - no matter the reason - and ISPs
don't appreciate being the vehicle for Internet-based attacks.
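The checks a practitioner would run before sending that strongly worded message, let alone returning fire, can be scripted. The following is an added example, not code from the article or from any of the firms it quotes. It assumes a constructed firewall log format (time, protocol, source, destination:port, and a state of SYN for a half-open connection or EST for a completed three-way handshake), a hand-picked list of unroutable ranges, and a scan threshold of five distinct ports; all three are assumptions for illustration. The point it makes is the article's: a source address on a half-open connection proves nothing, because it may be forged; a source that completed a TCP handshake is at least reachable, though it may still be an innocent relay; and a source that touched many ports with completed handshakes looks like the assessment scan that took down routers in the story below, not a flood.

```python
"""Attribution sanity check for candidate attack sources (added example)."""
import ipaddress
from collections import defaultdict

# Classic unroutable ranges that can never be a genuine Internet source.
# Assumption: this hand list deliberately omits the RFC 5737 documentation
# nets used by the sample data, so the sample reads as if it were routable;
# a production check should load a full, current bogon list instead.
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]
SCAN_PORTS = 5  # assumed threshold: this many distinct ports looks like a scan

# Constructed sample log lines, not from any real firewall. Assumed format:
#   <time> <proto> <src_ip> -> <dst_ip>:<port> <state>
# where state is SYN (half-open, source unverified) or EST (three-way
# handshake completed, so the source at least received our SYN-ACK).
SAMPLE_LOG = """\
12:00:01 tcp 203.0.113.7 -> 198.51.100.10:80 EST
12:00:01 tcp 203.0.113.7 -> 198.51.100.10:80 EST
12:00:02 tcp 10.1.2.3 -> 198.51.100.10:80 SYN
12:00:02 tcp 192.0.2.200 -> 198.51.100.10:80 SYN
12:00:02 tcp 192.0.2.201 -> 198.51.100.10:80 SYN
12:00:03 tcp 192.0.2.202 -> 198.51.100.10:80 SYN
12:00:03 tcp 127.0.0.1 -> 198.51.100.10:80 SYN
12:00:04 tcp 203.0.113.9 -> 198.51.100.10:21 EST
12:00:04 tcp 203.0.113.9 -> 198.51.100.10:22 EST
12:00:04 tcp 203.0.113.9 -> 198.51.100.10:23 EST
12:00:04 tcp 203.0.113.9 -> 198.51.100.10:25 EST
12:00:04 tcp 203.0.113.9 -> 198.51.100.10:80 EST
12:00:04 tcp 203.0.113.9 -> 198.51.100.10:110 EST
12:00:05 garbage line
"""


def parse_line(line):
    """Return (src_ip, dst_port, state) from one line, or None if malformed."""
    parts = line.split()
    if len(parts) != 6 or parts[3] != "->" or ":" not in parts[4]:
        return None
    try:
        src = ipaddress.ip_address(parts[2])
        port = int(parts[4].rsplit(":", 1)[1])
    except ValueError:
        return None
    return src, port, parts[5]


def is_bogon(addr):
    """True if the address lies in a range that cannot be a real source."""
    return any(addr in net for net in BOGON_NETS)


def classify_sources(log_text):
    """Map each source address to what the evidence actually supports.

    Verdicts:
      'spoofed-or-internal'  unroutable range; forged or from inside
      'unverified'           only half-open connections; may be forged
      'reachable'            completed handshake on few ports
      'reachable-scan'       completed handshakes on many ports (a scan,
                             not a flood, which calls for a calmer reaction)
    """
    states = defaultdict(set)
    ports = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than guess at them
        src, port, state = parsed
        states[src].add(state)
        if state == "EST":
            ports[src].add(port)
    verdicts = {}
    for src, seen in states.items():
        if is_bogon(src):
            verdicts[str(src)] = "spoofed-or-internal"
        elif "EST" not in seen:
            verdicts[str(src)] = "unverified"
        elif len(ports[src]) >= SCAN_PORTS:
            verdicts[str(src)] = "reachable-scan"
        else:
            verdicts[str(src)] = "reachable"
    return verdicts


def actionable_sources(log_text):
    """Sources for which even a complaint to an upstream ISP is defensible."""
    return sorted(src for src, verdict in classify_sources(log_text).items()
                  if verdict.startswith("reachable"))


if __name__ == "__main__":
    for src, verdict in sorted(classify_sources(SAMPLE_LOG).items()):
        print(f"{src:16} {verdict}")
    print("worth a phone call:", actionable_sources(SAMPLE_LOG))
```

Even a "reachable" verdict only says the address answered; it does not say whose machine it is or whether it was itself compromised, which is exactly the gap between this check and the retaliation the article describes.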
Indeed, one of the big dangers with corporate vigilantism is how easy it
is to overreact to an apparent attack. In spring 1997, one of the Big Six
accounting firms used scanning tools from Internet Security Systems (ISS)
to assess the security of a major ISP that controlled a huge amount of
Internet traffic. When a network administrator on duty at the ISP noticed
a thousand simultaneous connections to his firewall, he reacted quickly
and shut down several routers. "His manual reaction took down 75% of the
Internet," says Tom Noonan, president of ISS. "Anyone using Sprint at that
time was in a world of hurt."
Even those with a strong inclination for vigilantism note that
counteroffensive responses are fraught with danger. "Talk to your
lawyers," Troy Systems' Reese advises. "Keep in mind that your strike
back has to go through a long path, and you might do damage at any place
along the way." Retribution can also provoke a hair-trigger response
that damages systems anywhere on the path between you and the attacker.
"You really have to understand what you're doing," says Ray Kaplan, a
senior information security consultant with Secure Computing. "Your first
response might invite further attack, exactly the opposite of what you
intended. You have to consider your firm's public relations posture and
how the Internet community as a whole will react to your actions."
Don't ask, don't tell
As for how law enforcement will view vigilantism, the answer from many
companies is a resounding, "Who cares?"
Vigilantism is emerging as a response to the intense frustration people
feel with law enforcement authorities they view as simply not up to snuff.
Complaints from top firms in the U.S. range from downright ineffectiveness
("clueless" is an oft-repeated word) to a lack of staff, lack of funding,
courts that are too crowded with cases and the snail-like speed at which
typical law enforcement investigations run.
"One reason you see vigilantism is because law enforcement doesn't get the
job done," says Fred Cohen, president of Fred Cohen and Associates and
principal scientist at Sandia National Laboratories. "Law enforcement
might investigate if you have a lot of political clout and you do all of
the leg work."
Companies are also fearful of what might happen if they do bring in law
enforcement. "It's a hell of a situation when victim companies are more
fearful of the FBI than they are of the attackers," says Michael Vlahos,
senior fellow at the U.S. Internet Council. He echoes the worry that
sensitive corporate information will not be protected if handed over to
law enforcement.
"Law enforcement is helpless," ISS's Noonan maintains.
"It's not like Israeli fighters who train every day for every contingency.
Conventional law enforcement just can't match the skills needed. Besides,
you can't trust law enforcement to keep your secrets from becoming public
knowledge."
Predictably, law enforcement does not favor the vigilante view - at least
publicly. "If someone were to attack us, we are not encouraged to swat
back," says Lt. Chris Malinowski of the New York Police Department, who
specializes in cybercrime. "If companies take any of these proactive
defensive steps, they are taking a big chance, subject to criminal
prosecution."
Dave Green, deputy chief of the Computer Crimes and Intellectual Property
Section for the U.S. Department of Justice, says he relates to the
frustration over law enforcement's inability to respond, but adds that his
department can only recommend protective measures. Yet he stops short of
advising against corporate vigilantism outright. When asked if companies
should hack back at attackers, Green responds, "no comment," as he does to
questions as to what could legally be considered an attack. "But I can say
that law enforcement is gearing up and is much better equipped to deal
with cybercrime," he adds.
When they are not speaking for attribution, law enforcement authorities of
all stripes go further than Green. Local police, state police, the FBI,
Secret Service, Interpol and Scotland Yard members all say the same thing
- unofficially: "We can't handle the problem. It's too big. If you take
care of things yourself, we will look in the other direction. Just be
careful."
Security consultant Lobree seems to understand the police mentality and
applies the red light theory to cybervigilantism. "Suppose it's the dead
of night on a country road, and you come upon a stop light. You can see
for miles in all directions. Are you going to run the light even knowing
there is virtually no chance of being caught?" Some, perhaps most, won't,
because they have an innate fear of being caught. Others will forge ahead.
"A lot of companies recognize that the chance of getting caught in a
vigilante cyberstrike is pretty darn low," he says.
It's your call
A number of sources suggest vigilantism might be a business opportunity
for a firm that wants to specialize in counteroffensive network security.
"In the 1860s, law enforcement was conducted by Pinkerton, a private
company," Vlahos says. Many suggest that privatization should be the case
in the cyberworld as well. The kind of offensive network security products
needed to make it happen are starting to find their way into corporate
tool kits and onto the Internet.
But the legal challenges that coexist with hostile perimeters and
counteroffensive measures are daunting.
The astute company will examine every aspect of its posture before
marching down the slippery slope of vigilantism. Sometimes the best
defense is not to overreact. In the worst case, do nothing until a proper
response can be developed.
Vlahos says courts may be the place to create new laws more attuned to the
technology. "This is a whole new arena, and I don't know how we can
explore it without trying new approaches, even if they are technically
illegal."
Cipher, the baseball-bat-bearing vigilante, is all for new approaches.
"Personal persuasion is always more effective than electronic persuasion,"
he says. "Personal persuasion virtually guarantees that a hacker will see
the error of his ways, scamper to please and turn over a new leaf."
No matter what path you choose, make sure it is well thought out and that
you have your legal ducks in a row. You just might need them.
-o-
Subscribe: mail majordomo@repsec.com with "subscribe isn".
Today's ISN Sponsor: Internet Security Institute [www.isi-sec.com]
Received on Thu Mar 11 16:59:19 1999