[ISN] The Enterprise Strikes Back (reverse hacking/errata)

From: mea culpa (jerichoat_private)
Date: Mon Dec 07 1998 - 05:15:59 PST

    [Moderator: *sigh* I hate for this kind of article to be the first to hit
     your mailbox on the new week, but this needs to be addressed. Much like
     the rash of "blitzkrieg" articles a few months back, we have claims of
     defensive software that retaliates against hackers. Instead of dragging
     up the past arguments against this 'technology', I'll point you to an 
     excellent rebuttal by Crypt Magazine on the last round. Please understand
     that if any company actually deploys anything like this, they are
     breaking the law as much as the person attempting to hack them:
    Friday, December 4, 1998, 5:15 p.m. ET.
    The Enterprise Strikes Back
    By RUTRELL YASIN

    Stung far too many times by hackers, IT managers are fighting back.

    An increasing number of large companies are arming themselves with systems
    designed to launch debilitating counteroffensives when attacks are
    detected, according to a security study to be released next month.

    In an 18-month study of 320 Fortune 500 companies, 30 percent said they
    have installed software capable of launching counterattacks after
    suffering security breaches, according to WarRoom Research president Mark
    Gembicki, an author of the study.

    The report, titled "Corporate America's Competitive Edge," focuses on
    security and business intelligence practices. Gembicki will share
    preliminary findings at several conferences next week in the Washington,
    D.C., area.

    The method known as "strikeback" gained wider attention during the past
    few months as the Pentagon reportedly thwarted a series of attacks with
    software that disabled browsers used by the attackers.

    Strikeback runs the gamut from passive collection of information about
    hackers to deter further intrusion to a "Ping of Death" and flooding a
    hacker's system beyond its capacity, both of which shut down the hacker's
    system. Strikeback can even be escalated to the network level, where a
    victimized company alerts its firewalls and routers to cut off all
    external access or to flood the hacker's system.

    Users and security experts said there is a need for strikeback
    capabilities but also warn that taken too far it could pose serious legal
    and technical problems.

    "The idea of striking back is good, but there are legal issues that need
    to be resolved," said Dean Rich, who heads network protection as vice
    president of security at an Internet technology developer.

    For example, you must ensure that a counterstrike is aimed at the correct

    Jeff Moss, the director of penetration services at Secure Computing Corp.,
    said he agreed.

    "I'm a big fan of using equal force. If someone hits you with a stick, hit
    him back with a stick," Moss said. "The Defense Department was right in
    defending itself. It didn't break into any machines nor did it delete

    However, "the DOD was lucky it knew who was attacking and could get the
    right people," Moss said. "In many cases, you can't be completely sure of
    who's attacking."

    Once a hacker detects a retaliation, he can forge the headers on packets
    and make it seem as though the attack is coming from another address or
    location, experts said. And if a company launches a countermeasure using
    hostile applets or code that denies services or wreaks havoc on an
    innocent user, the results could be disastrous.

    Gembicki would not comment on whether any of the surveyed companies had
    actually inserted hostile applets to disable any attacker systems.

    But he did say many companies would rather rely on their own strikeback
    capabilities than call in the FBI or state law enforcement agencies. They
    view strikeback as a right, just as the law protects physical self-defense
    by way of force, he said.

    Security vendors are treading carefully, incorporating strikeback-like
    features in their products at a deliberate pace.

    "Personally, I don't know of any [commercial] software in place that truly
    does strike back," Rich said. But he cited a case in which a company was
    being spammed through e-mail, and it returned fire by sending a denial of
    service that flooded the culprits' systems with traffic and virtually shut
    them down.

    But any strikeback "certainly has to be done with caution," said Patrick
    Taylor, director of strategic business marketing at Internet Security
    Systems Inc.

    The company's RealSecure intrusion detection system can send a command
    that kills a TCP/IP connection when an intrusion is detected. It also can
    e-mail an administrator or have an Internet service provider revoke an
    account that is launching an attack.

    "It doesn't have the immediate gratification of [a person] saying 'Hey I
    blew that guy out of the water,' " Taylor said. But it can set the stage
    for a company to launch a more controlled counteroffensive, he added.

    But it's an ominous sign if companies adopt an attitude of shoot first and
    ask questions later, said Drew Williams, manager of intrusion detection at
    computer security developer Axent Technologies Inc. A passive approach is
    better, he said, in which IT managers can gather complete information
    about the intruders and then strike.

    Some reports have indicated that 80 percent of intrusions occur inside an
    organization, and 65 percent to 70 percent of those are mistakes, Williams
    said. It would be regrettable to launch a counterstrike against someone
    who has mistakenly keyed something, he added.

    Gembicki agreed there should be controls on the use of strikeback
    technology. A code of ethics controls how government agencies such as the
    Pentagon use strikeback measures. However, many of the Fortune 500
    companies are motivated by profits and protecting corporate assets.

    "These companies are truly borderless" and are moving into uncharted
    territory, Gembicki said.

    As a result, Rich expects to see "a lot of information security cases
    going to court in the next few years, and these [cases] will set the