[ISN] Corporate vigilantes go on the offensive to hunt down hackers

From: mea culpa (jerichoat_private)
Date: Wed Jan 13 1999 - 09:44:50 PST


    [Moderator: As with other articles like this, remember that striking back
     is either not being done and is nothing more than media hype, or these
     companies are striking back illegally. I am just waiting for the first
     time they strike back at the wrong host or an innocent ISP.]
    Forwarded From: darek milewski <darekmat_private>
    Striking back
    Corporate vigilantes go on the offensive to hunt down hackers.
    By Winn Schwartau
    Network World, 01/11/99
    In September 1998, the Electronic Disturbance Theater, a group of
    activists that practices politically driven cyber civil-disobedience,
    launched an attack aimed at disabling a Pentagon Web site by flooding it
    with requests. The Pentagon responded by redirecting the requests to a
    Java applet programmed to issue a counteroffensive. The applet flooded the
    browsers used to launch the attack with graphics and messages, causing
    them to crash. 
    The incident raises issues all user organizations will soon have to
    grapple with, if they haven't already. When you detect a break-in, should
    you launch a counterattack in order to protect your network? Is law
    enforcement capable of stopping cybercrime and can it be trusted to keep
    investigations quiet? If not, don't corporations have a right to defend
    Some emboldened user organizations are answering "yes." They are striking
    back against hackers, sometimes with military efficiency and intensity, in
    an effort to protect their self-interests. In the process, they are
    fueling a debate over what is legal and ethical in terms of corporate
    One end of the opinion spectrum says law enforcement agencies are
    generally not up to the task, so corporations have a fiduciary
    responsibility to protect their interests. The only question for these
    companies is how far they are willing to go. Will they break laws, and if
    so, which ones? 
    The opposite view is corporate vigilantism is wrong:  Taking the law into
    one's own hands only makes things worse. 
    The First Vigilante Corp. 
    Lou Cipher (a pseudonym of his choice) is a senior security manager at one
    of the country's largest financial institutions. "There's not a chance in
    hell of us going to law enforcement with a hacker incident," he says.
    "They can't be trusted to do anything about it, so it's up to us to
    protect ourselves." 
    Cipher's firm has taken self-protection to the extreme.  "We have the
    right to self-help - and yes, it's vigilantism," he says. "We are drawing
    a line in the sand, and if any of these dweebs cross it, we are going to
    protect ourselves." 
    Cipher says his group has management approval to do "whatever it takes" to
    protect his firm's corporate network and its assets. 
    "We have actually gotten on a plane and visited the physical location
    where the attacks began. We've broken in, stolen the computers and left a
    note: 'See how it feels?' " On one occasion, he says: "We had to resort to
    baseball bats. That's what these punks will understand. Then word gets
    around, and we're left alone.  That's all we want, to be left alone." 
    A senior vice president of security at a major global financial firm
    speaks of the matter in military terms. He equates a hacker intrusion to a
    "first strike," and says defense is an appropriate response. "If you use
    measures to restore your services, that's defense, not offense," he says.
    When asked how far his company goes, he concedes only, "I am willing to
    defend myself." 
    Of the dozens of companies interviewed, a surprising number are seriously
    considering implementing "strike-back" capabilities. When asked directly,
    however, most would not admit they have already taken such steps. 
    Bruce Lobree, an internal security consultant at a major financial
    institution, is cautious about admitting his firm uses vigilante
    activities and strike-back techniques. He says with a smile, "I can't
    answer yes or no. That's proprietary. Besides, legally we can't. But I can
    tell you that everything that occurs at our network perimeter and inside
    our networks is recorded." 
    A recent study, "Corporate America's Competitive Edge," conducted by
    Warroom Research, a competitive intelligence firm in Annapolis, Md., shows
    that 32% of the 320 surveyed Fortune 500 companies have installed
    counteroffensive software. Warroom President Mark Gembecki notes that not
    every company will send out thugs to enforce their firewall policies.
    Cyber-response is OK, he says, but Cipher's physical retaliation is "a
    clear and overt violation of civil rights." 
    Such extreme counteroffensive methods raise the hackles of even the
    staunchest corporate information warrior. Lloyd Reese, program manager of
    information assurance for Troy Systems, a technical support company in
    Fairfax, Va., has a criminal justice background and says physical response
    is illegal and "doomed to failure." Such responses will only invite
    further attacks - perhaps even more intense, he says.  "Companies need to
    follow the appropriate legal process. We already have chaos on the
    Internet, why should we make it worse?"
    Joseph Broghamer, information assurance lead for the U.S.  Navy's Office
    of the Chief Information Officer, goes further, saying even the Pentagon
    shouldn't have done what it did.  "Offensive information warfare is not a
    good thing . . . period. You want to block, not punish," he says. "There
    is no technical reason to react offensively to a hacker attack." His
    opinion is shared by precious few. 
    As part of its information security practice, Ernst & Young has been asked
    about strike-back capabilities and how hostile perimeters might be used
    for defense.  Dan Woolley, national leader of market development for the
    firm, says he knows of "companies in finance, insurance and manufacturing
    that are developing and deploying the capability to aggressively defend
    their networks." He is quick to point out, however, "We don't do it for
    ourselves even though we are attacked regularly."
    The questions security software vendors and consultancies like Ernst &
    Young are now grappling with are wrenching: Should they develop offensive
    software, offer it to their clients, deploy it and support it? And if so,
    how open should they be about it? 
    How they do it
    It's easy to understand why companies are interested in the idea of
    corporate vigilantism. Even the best layers of defense - firewalls,
    passwords and access control lists - can't work alone for many reasons.
    Among them: 
    Network topology, users and software are constantly changing. There is no
    way to keep up. 
    New vulnerabilities are found - and exploited - daily. 
    A small number of individuals with little technical skill can launch
    massive online attacks. 
    Once an attack is detected, corporate vigilantes have various methods of
    evening the score. 
    The Navy's Broghamer argues that sometimes the best response to an attack
    is to shut down the network connection altogether, although he
    acknowledges the Navy is not as sensitive to uptime and customer
    perception as the private sector. 
    Another approach is to send a strongly worded message to the source IP
    address or to an ISP in the path. The source address comes from the packet
    headers in your own logs, and it can be forged; traceroute only maps the
    route from your network toward that address, not the path the attack
    actually took to reach you. To trace the real origin you need the
    assistance of each ISP down the line, hop by hop, because every hop has
    to be accounted for before you can find the real source. That's all legal,
    but you may need to pressure the ISPs into working with you quickly to
    identify the next hop in the chain. Once you collect this data, it can be
    handed over to law enforcement officials - who may or may not react.
    In 1994, Secure Computing, a security vendor in Roseville, Minn.,
    introduced Sidewinder, a novel firewall with strike-back capabilities. If
    it senses an attack, it launches a daemon that will trigger the offensive
    techniques of your choice. Other companies indicate they will soon be
    offering a range of strike-back products. 
    A company crosses the line when it responds by unleashing a
    denial-of-service attack against an intruder, as the Pentagon did. This
    can be done via massive e-mail spamming, the Ping of Death and hostile
    Java applets. 
    No matter what offensive mechanism you choose, the trick is to identify
    the culprit before returning fire. Should you fail to recognize that the
    attacker spoofed the identity of another company, you may find yourself
    attacking J.C. Penney, NBC or General Motors.  Innocent companies would
    not take kindly to that sort of activity - no matter the reason - and ISPs
    don't appreciate being the vehicle for Internet-based attacks. 
    Indeed, one of the big dangers with corporate vigilantism is how easy it
    is to overreact to an apparent attack. In spring 1997, one of the Big Six
    accounting firms used scanning tools from Internet Security Systems (ISS) 
    to assess the security of a major ISP that controlled a huge amount of
    Internet traffic. When a network administrator on duty at the ISP noticed
    a thousand simultaneous connections to his firewall, he reacted quickly
    and shut down several routers. "His manual reaction took down 75% of the
    Internet," says Tom Noonan, president of ISS. "Anyone using Sprint at that
    time was in a world of hurt." 
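    The two failure modes above - returning fire at a spoofed source, and
    overreacting to a scan by pulling routers - both come down to deciding
    what you actually know about a source before you act on it. The
    following is an added example, not code from the article or from any
    product it names: it reads constructed firewall log lines, flags sources
    that flood the perimeter inside a sliding window, checks whether the
    claimed source address could even have arrived from the Internet, and
    produces a response that stays entirely on the defender's side (a block
    rule for that one address and, only for a plausible address, a note to
    its ISP). The log format, the thresholds, the RFC 5737 documentation
    addresses and the assumed "our prefix" are all illustrative choices.

```python
"""Added example: detect a connection flood in firewall log lines and plan a
narrow, defensive response (block at our own perimeter, notify the ISP);
never send traffic back toward the apparent source.

Everything here is constructed for illustration: the log format, the
addresses (RFC 5737 documentation ranges plus RFC 1918 space) and the
thresholds are assumptions, not any real product's behaviour."""
from collections import defaultdict, deque
from datetime import datetime
import ipaddress

# Assumed: this is the prefix behind our own firewall.
OUR_PREFIX = ipaddress.ip_network("203.0.113.0/24")

# Sources that cannot legitimately arrive from the Internet. A flood that
# claims one of these as its source is spoofed, so there is nothing real
# to "strike back" at, and a traceroute toward it leads nowhere useful.
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]


def build_sample_log():
    """Constructed log lines: 'TIMESTAMP SRC:SPORT -> DST:DPORT PROTO'."""
    lines = []
    # A real-looking flood: 40 connections in four seconds from one address.
    for i in range(40):
        lines.append(f"1999-01-11T10:00:{i // 10:02d} 198.51.100.9:{40000 + i} -> 203.0.113.10:80 TCP")
    # Ordinary traffic: three connections from one client.
    for i in range(3):
        lines.append(f"1999-01-11T10:00:{i * 3:02d} 192.0.2.77:{51000 + i} -> 203.0.113.10:80 TCP")
    # A flood whose source address is RFC 1918 space: spoofed by construction.
    for i in range(25):
        lines.append(f"1999-01-11T10:01:{i // 10:02d} 10.0.0.5:{50000 + i} -> 203.0.113.10:80 TCP")
    return lines


def parse_line(line):
    ts, src, _, dst, proto = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {"ts": datetime.fromisoformat(ts), "src": src_ip, "sport": int(src_port),
            "dst": dst_ip, "dport": int(dst_port), "proto": proto}


def find_floods(lines, threshold=20, window_seconds=10.0):
    """Return {source: peak connections seen inside a sliding window} for
    every source that reached `threshold` connections within the window."""
    events = sorted((parse_line(l) for l in lines), key=lambda e: e["ts"])
    recent = defaultdict(deque)
    peak = {}
    for ev in events:
        q = recent[ev["src"]]
        q.append(ev["ts"])
        while (ev["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            peak[ev["src"]] = max(peak.get(ev["src"], 0), len(q))
    return peak


def source_is_plausible(src):
    """False when the claimed source could not have come from the Internet."""
    addr = ipaddress.ip_address(src)
    return addr not in OUR_PREFIX and not any(addr in net for net in BOGONS)


def plan_response(src, count):
    """The whole response stays on our side of the perimeter."""
    plausible = source_is_plausible(src)
    return {
        "source": src,
        "connections": count,
        "likely_spoofed": not plausible,
        # A narrow block for this one address, not a router shutdown.
        "block_rule": f"iptables -I INPUT -s {src} -j DROP",
        # Only contact an ISP about an address that could actually be real.
        "notify_isp": plausible,
        "strike_back": False,
    }


def respond(lines):
    return [plan_response(src, n) for src, n in find_floods(lines).items()]


if __name__ == "__main__":
    for plan in respond(build_sample_log()):
        print(plan)
```

    The bogon check is deliberately crude; in practice you would also
    compare the source against your upstream's routing table. The point is
    the shape of the decision: the response is scoped to the address you
    saw, it never generates traffic toward that address, and the only thing
    that leaves your network is a request to a provider you can identify.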
    Even those with a strong inclination for vigilantism note that
    counteroffensive responses are fraught with danger.  "Talk to your
    lawyers," Troy Systems' Reese advises.  "Keep in mind that your strike
    back has to go through a long path, and you might do damage at any place
    along the way." A retaliatory strike can provoke a hair-trigger response
    and damage systems anywhere on the path from you to the attacker. 
    "You really have to understand what you're doing," says Ray Kaplan, a
    senior information security consultant with Secure Computing. "Your first
    response might invite further attack, exactly the opposite of what you
    intended. You have to consider your firm's public relations posture and
    how the Internet community as a whole will react to your actions." 
    Don't ask, don't tell
    As for how law enforcement will view vigilantism, the answer from many
    companies is a resounding, "Who cares?" 
    Vigilantism is emerging as a response to the intense frustration people
    feel with law enforcement authorities they view as simply not up to snuff.
    Complaints from top firms in the U.S. range from downright ineffectiveness
    ("clueless" is an oft-repeated word) to a lack of staff, lack of funding,
    courts that are too crowded with cases and the snail-like speed at which
    typical law enforcement investigations run. 
    "One reason you see vigilantism is because law enforcement doesn't get the
    job done," says Fred Cohen, president of Fred Cohen and Associates and
    principal scientist at Sandia National Laboratories. "Law enforcement
    might investigate if you have a lot of political clout and you do all of
    the leg work." 
    Companies are also fearful of what might happen if they do bring in law
    enforcement. "It's a hell of a situation when victim companies are more
    fearful of the FBI than they are of the attackers," says Michael Vlahos,
    senior fellow at the U.S. Internet Council. He echoes the worry that
    sensitive corporate information will not be protected if handed over to
    law enforcement. 
    "Law enforcement is helpless," ISS's Noonan maintains. 
    "It's not like Israeli fighters who train every day for every contingency.
    Conventional law enforcement just can't match the skills needed. Besides,
    you can't trust law enforcement to keep your secrets from becoming public
    Predictably, law enforcement does not favor the vigilante view - at least
    publicly. "If someone were to attack us, we are not encouraged to swat
    back," says Lt. Chris Malinowski of the New York Police Department, who
    specializes in cybercrime. "If companies take any of these proactive
    defensive steps, they are taking a big chance, subject to criminal
    Dave Green, deputy chief of the Computer Crimes and Intellectual Property
    Section for the U.S. Department of Justice, says he relates to the
    frustration over law enforcement's inability to respond, but adds that his
    department can only recommend protective measures.  Yet he stops short of
    advising against corporate vigilantism outright. When asked if companies
    should hack back at attackers, Green responds, "no comment," as he does to
    questions as to what could legally be considered an attack. "But I can say
    that law enforcement is gearing up and is much better equipped to deal
    with cybercrime," he adds. 
    When they are not speaking for attribution, law enforcement authorities of
    all stripes go further than Green. Local police, state police, the FBI,
    Secret Service, Interpol and
    Scotland Yard members all say the same thing - unofficially: "We can't
    handle the problem.  It's too big. If you take care of things yourself, we
    will look in the other direction. Just be careful." 
    Security consultant Lobree seems to understand the police mentality and
    applies the red light theory to cybervigilantism. "Suppose it's the dead
    of night on a country road, and you come upon a stop light. You can see
    for miles in all directions. Are you going to run the light even knowing
    there is virtually no chance of being caught?" Some, perhaps most, won't,
    because they have an innate fear of being caught. Others will forge ahead.
    "A lot of companies recognize that the chance of getting caught in a
    vigilante cyberstrike is pretty darn low," he says. 
    It's your call
    A number of sources suggest vigilantism might be a business opportunity
    for a firm that wants to specialize in counteroffensive network security.
    "In the 1860s, law enforcement was conducted by Pinkerton, a private
    company," Vlahos says. Many suggest that privatization should be the case
    in the cyberworld as well. The kind of offensive network security products
    needed to make it happen are starting to find their way into corporate
    tool kits and onto the Internet. 
    But the legal challenges that coexist with hostile perimeters and
    counteroffensive measures are daunting. 
    The astute company will examine every aspect of its posture before
    marching down the slippery slope of vigilantism. Sometimes the best
    defense is not to overreact. In the worst case, do nothing until a proper
    response can be developed. 
    Vlahos says courts may be the place to create new laws more attuned to the
    technology. "This is a whole new arena, and I don't know how we can
    explore it without trying new approaches, even if they are technically
    Cipher, the baseball-bat-bearing vigilante, is all for new approaches.
    "Personal persuasion is always more effective than electronic persuasion,"
    he says. "Personal persuasion virtually guarantees that a hacker will see
    the error of his ways, scamper to please and turn over a new leaf." 
    No matter what path you choose, make sure it is well thought out and that
    you have your legal ducks in a row.  You just might need them
    Subscribe: mail majordomoat_private with "subscribe isn".
    Today's ISN Sponsor: Internet Security Institute [www.isi-sec.com]
