Slashdot Mirror
Is Retaliation the Answer To Cyber Attacks?
coondoggie writes "Should revenge assaults be just another security tool large IT shops use to counter cyber attacks? It's a controversial idea, and the law generally frowns on cyber attacks in general, but at the Black Hat DC conference last week, some speakers took up the issue of whether and how organizations should counterattack against adversaries clearly using attack tools to break into and subvert corporate data security."
No, retaliation comes *after* the attack. The attack comes first.
Makes about as much sense as conducting panty raids on shoplifters.
1. Attack your target. 2. Wait for counterattack. 3. Deny 1, or claim it was an attack launched by compromised computers without your knowledge. 4. Sue your target for the costs of their counterattack.
...if we stopped calling exploitation attempts "attacks." It's trickery; it's spying; it's occasionally even -- and this is stretching the word a little -- sabotage (in the case of DoS). But "attacks?" It makes it sound like some kind of assault that one can somehow "get even" for. The metaphor is all wrong.
Is the attack scenario one bad guy?
Then you should contact law enforcement. Also you should make sure your security set up is appropriate.
Is the attack scenario that you are an big company and people attack you because you are known?
Then you should make sure your security set up is appropriate. Attacking people is pointless because new ones will turn up all the time.
NB: The message above might reflect my opinion right now, but not necessarily tomorrow or next year.
No, retaliation comes *after* the attack. The attack comes first.
Which is exactly the problem; by the time you retaliate you've already taken damage. Do unto others BEFORE they do it to you.
If (Cyberattack){
Cyberattack;
}
Nobody see the problem?
The problem is that anyone can do a cyber attack, steal a ton of money by scamming it. It isn't tough, it just requires a lack of morals.
If they're caught, some countries will not only refrain from punishing you, but they'll even congratulate for siphoning money from foreign countries.
I don't think there is a solution unless we had a world government... In which case we have a lot bigger problems facing us.
God spoke to me.
But I am curious about about the machines that are responsible for a lot of attacks online. A year or so ago I noticed ssh brute force attempts in /var/log/secure and found a cool solution called denyhosts that parses log files, adjusts /etc/hosts.deny, and logs all activity.
This got me thinking about a project... I would really like to create some NSE (nmap scripting engine) scripts, or something similar, to go through and scan the machines that show up in my log files as trying to weasel their way in via ssh or other common, filtered tools. It would be interesting to create some visual representations of services, geographical locations, and general makeup of the boxes that are attacking these services.
1) Collect as much info as you can about the source of the attack.
2) Send an email to the abuse address on record.
3) Harden system some more.
4) Wait for some sort of response.
5) Publish the source IP, whatever response is received in the email response, and AS info (i.e. netblock) along with the details of the attack.
6) Block all future traffic from the AS.
Show me packet captures and log entires, or it never happened.
No really. If it's after the fact, no... Cease fire when they do.
For justice, we must go to Don Corleone
Unless it is "Anticipatory Retaliation"...
If everyone clicked the link in those "work from home" scams 100 times, or replied to every "your webmail account is about expire" email with bogus details then it would drown the enemy in useless information.
If you then take it a step further and have an automated system that clicks links a million times automatically and replies to the emails with bogus information a million times then it would be even better.
Until someone gets the idea to send out a "I made a billion $$$ working from home. Click http://www.kernel.org/pub/linux/kernel/v2.6/testing/linux-2.6.38-rc2.tar.bz2 for details!" and you're suddenly part of the problem.
Rule #13: Do unto others.
The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
The concept of revenge cyber attacks is functionally insane.
At least at the corporate level. Consider. A competitor's network appears to be attacking yours, so you attack back and get into their networks. Only it turns out that someone hacked the competitor, and it was no fault of the competitor at all. The counter attacking corporation's employees are now guilty of a felony, and presumably were directed to do so by a senior manager. The following actions are available to your competitor:
1. Pressing the district attorney to prosecute the employees and management
2. Pressing the district attorney to prosecute the corporation (i.e. the corporate death penalty)
3. Suing all the criminal employees including all executives in the chain, either authorizing parties or cognizant parties
4. Suing the corporation
Given the criminal act with malice of forethought, the #4 option will be of practically unlimited liability. You can expect to be charged 100% of all attorney's fees, the actual cost of their security event including cleanup and all IT labor associated therewith, and an apportionment of their ongoing security operations fees. For #3, some jurisdictions do not permit bankruptcy out of civil liabilities originating from criminal acts. No employee will be protected just because their bosses told them to do the act, as the act was a crime and is indefensible.
So, to be blunt: "dream on".
No sane Corporate Counsel will permit any company to do this.
C//
In the US, and in the sorts of theoretically-rule-of-law-y jurisdictions that corporations generally have substantial operations and assets in, most flavors of "cyberattack" are de jure Pretty. Seriously. Not. Legal.
This does approximately jack shit against gangs operating offshore in who-knows-where controlling botnets of enslaved Joe User XP home boxes; but it is the state of the law. Now, let's think about this for a second: Any "cyber-counterattack", unless unbelievably flawless, is probably going to have some amount of collateral damage: ISPs getting parts of their networks DDOSed, innocent-if-clueless home users getting their botnetted boxes taken down, etc. Even the direct damage will be illegal(though criminal gangs probably won't press charges); but the collateral damage will, in not a few cases, fall directly on people and businesses, in western jurisdictions, who had nothing to do with the original attack(other than, perhaps, not updating their AV often enough).
Now, when it comes to light that Foocorp LLC, a division of Deeppockets Industries, and their officers and employees have been guilty of numerous violations of federal cybercrime violations, most felonies, and a variety of civilly actionable property damage, where do you think the lawyers are going to go looking for blood? Yuri Shadymov and John Does 1-N, the mysterious perpetrators of the attack on Foocorp, or the conveniently-located-right-at-home Deeppockets Industries?
There would be a nonzero risk(and they would deserve every bit of it) that Deeppockets industries could find itself up to its eyeballs in civil suits, and the Foocorp IT team and every exec who knew of and authorized their actions could be looking at serious fines and some quality time in FPMITA...
Yes. But let's keep it non-nuclear, ok? Cruise missiles, Predator drones, maybe SeeBees with satchel charges: all fine. Just be sure the response isn't disproportionate.
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
Maybe that's next after Stuxnet. Program target IP, launch, fire, forget.
You are more likely to die as a result of a gun if you carry one yourself. I can't find the study, but you are also more likely to end up being shot by your own gun than you are to ever shoot a bad guy with it (which makes sense - we hear of accidental self shootings all the time and most people who own a gun never actually use it in self defence).
If those statistics even roughly translated to IP address seeking missiles then we are going to have a problem.
BTW, I think there is a problem with my server. Can you please do a portscan for me? My IP address is 127.0.0.1
They would never be certain to get the right target and cannot guarantee that innocent bystanders won't get caught in the crossfire. That may be acceptable in the silly plots of TV dramas, but in real life there are consequences.
politicians are like babies' nappies: they should both be changed regularly and for the same reasons
But I was just going to suggest radiation, not retaliation.
make imaginary.friends COUNT=100 VISIBLE=false
While the game theory behind spite(hurting others even at a cost to oneself, the under-appreciated counterpart to altruism, helping others even at a cost to oneself) is interesting, and suggests that it can actually be vital in maintaining some mutually beneficial equilibria, all that breaks down if the assumption that retailiation can be accurately allocated is violated. It also breaks down if the assumption that all agents are indivisible is violated.
Risk is a game of essentially perfect information(aside from the interpersonal alliance metadata). Everything on the board was in the open. Ye Olde Intertubes are often not so obliging. If I am hitting you through a botnet of compromised home users that I am renting from some botnet herder, do I fear your retaliation? Only if I think you are good enough to allocate it to me, despite multiple levels of indirection, and essentially innocent targets standing in your way.
Even if I am attacking directly, say from a colo owned by a shady shell corporation, the second assumption is violated. The shell corporation is an expendable appendage, nuke it into the ground for all I care, I've already extracted the value and moved on.
"Hello, my name is Inigo Montoya. You hacked my computer. Prepare to die."
Karma: Excellent. 15 moderator points expire sometime.
So, the summary is misleading.
The actual article (starts out) talking about using vulnerabilities in botnets and "attack" tools, and an idea called a "tarpit" that would attempt to tie up resources on botnets and "attack" tools.
Not much of a new idea, as people are already doing things like this: Locking out login attempts, delaying login, or CAPTCHAs are a simple example of "tarpits". Reverse engineering malicious programs is already being done. Honeypots, etc.
"Revenge assault" seems to be strong wording for this. Really just silly.
You'd think they were referring to stuff like the worms that spread around patching security holes and removing other worms. This, which would in itself also be a proven stupid idea, given how the "good" worm ended up tying up as much resources as the "bad" worms they were trying to stop.
The second part is just a whole lot of talk about how "data thieves" might steal data and "DLP". Whole bunch of silly lingo that seems to be not much more than fear mongering.
tl;dr version is basically, social engineering attacks are still a problem.
its the best way to get everyone blind.
Just like if you get up in the morning to find that your window is broken, the BEST response is to pick up a shotgun and go kick in your neighbour's front door.
Remember, your first impulse is always right and you can never, EVER misunderstand any situation.
For the attacks I heard about it was often not clear who was behind them. As for many viruses, it was unknown where Stuxnet came from. It is mostly unknown who is controlling the botnets behind DoS attacks. If someone steals data he will either use TOR, or an open hotspot.
You mean Tit-For-Tat? http://en.wikipedia.org/Prisoners_Dilemma
Worse, it's pretty easy to pin an obvious or even not-so-obvious cyberattack on someone else. If vigilante "cyber justice" is acceptable, then an efficient way of performing your cyber attack is simply to attack a third-party target and make it look like your real target did it.
There's a reason vigilante justice isn't acceptable.
I believe the political term is "preemptive strike".
Just like "shock and awe" is the new political term for "blitzkrieg".
It is a miracle that curiosity survives formal education. - Einstein
We need to establish corporate extraterritoriality before anyone exept the government can start to mount turreted autocannons in their lobbies/Black ICE in the networks/kink bombs in the implants of all employees and family members below B-grade. Or at least, that's the story that anyone below grade Ultraviolet/AAA gets fed. But boy, will those AAA bastards be up for a surprise when the second stage of Dunkelzahn's Cyberzombie-Jesus-plot finally comes into action at the product lifecycle end of Shadowrun 4ed...
Emotions! In your brain!
From a purely Machiavellian perspective, if you throw the first punch and they're still able to hit back, then you deserve to get hit.
Check out my sci-fi/humor trilogy at PatriotsBooks.
Crippling the bots might achieve my immediate goal: bringing an end to your attack. If you are firing stolen missiles at me am I wrong to shoot them down?
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
No.
Better to strike first. Mind, good enough so _they_ can't retalliate.
Whoever 'they' are ...
Well, victims "should" leave retaliation to law enforcement. But when there is no answer to the question, "What law enforcement?" victims "will" retaliate whether they "should" or not.
If I am firing hijacked passenger airliners at you, are the criminal homicide charges and the civil wrongful death suits that you would accrue by shooting them down worth it?
That's the problem: there is basically no such thing as a pure weapon on the internet. Most "stolen missiles" are simultaneously poorly secured home or business computers that have never left the ownership(and, in general, since the botnet guys don't want their hosts getting wiped) are still being actively used by their owners for whatever their intended purpose is.
Crippling them would, indeed, end the attack; but it would constitute committing dozens or hundreds of what(at least in the US) would be federal felonies and invitations to expensive civil suit. And, to be quite blunt about it, you would deserve to have your ass handed to you for doing so.
The other issue, with electronic attacks specifically, is that effective "self defense" would require absurdly broad authorization.
In physical terms, you have states like Texas, where shooting trespassers is largely legal, and states like Massachusetts where you pretty much have to have run out of other options before you can use lethal force in self defense. When it comes to electronic attacks, everybody already enjoys greater-than-Texas level of self-defense capability. I can tell my routers and switches to drop whatever packets I want them to. I can terminate whatever processes I care to on my hardware. I can delete whatever files, etc. My network, my rules.
Given that everyone, in basically every jurisdiction anywhere, can already do that any call for expanded powers of self defense is a call to be allowed to just start shooting up the neighborhood with wild abandon. Not going to end well.
Given the ease of hiding the origin of your attack (tried tracking spam?) you've got the problem of the hackers doing false flag attacks on you in order to trick you into attacking the real target of the hackers. The only way to actually stop attacks is to track them down and arrest them. No other plan will ensure the attacks permanently stop. On the other hand, having the RIAA attack MPAA in a full scale cyberwar would be kindof cool.
Why would anyone imagine that the same outcome would not apply in cyberspace? I DDOS you, you DDOS me. We get our friends to DDOS our enemies. You deface me, I deface you. Sounds like a whole lot of wasted bandwidth. I'd rather see folks invest in anti-spoofing at the network edge, implement better auth methods, and review content for vulnerabilities before they publish. Sheesh.
Wrong.
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
Hyperbolic, possibly; but the law is fairly broad and the bar fairly low.
I don't know about Texas, but in Florida, your legal right to shoot (or otherwise use lethal force) against anyone on your property is fairly broad.
Do you really want CORPORATES have that power? Please. These guys don't even have the common sense to break the boom-bust cycles. It's like giving a knife to a child incapable of learning from experience. So Company A attacks Hacker B. Only it turns out that the attack went awry and Hacker B is actually a rival corporate giant. So Rival Corporate giant attacks, which misfires too. Remember, it is difficult to prove motivation or origin or logic in a cyber attack. Isn't it fun, boys?
In a working state, the power to punish by act seen as criminal is exerted by the police and the courts. If "the strong" can "retaliate" against the weak, the we call that anarchy.
If Amazon want they can take offline everybody who is hosting wikileaks and every imageboard which used the word "anonymous" on the planet by dedicating 10% of their computational/network power to "retaliate". If google would like to "retaliate" against somebody, they could take a medium-sized country offline and render it inoperative for months (imagine what amount of disturbance they could cause by searching all gmail for important infrastructure numbers and showing them up in 10% of the search results - an adminitration getting 10times more calls than they can handle will not be able to work any more). Imagine if they show a companies homepage randomly in 1% of the search results - the homepage will be offline for some time. If china wants, they can take any NGO offline by an attack.
We should not aim for an internet, where we retaliate and fight wars without any legal court having said anything, but plainly with the legitimation of the own strength. Once this would be the established order of things, the internet failed.
If somebody behave badly, put them on a list. Don't pair with them, don't accept mail from them, and anybody who systematically ignores that ends on the same list. That system is not perfect, but its the best we have. Try to figure out the people behind and bring them to justice. The security companies should dedicate a substential amount of their products to educating the user (e.g.: pay high-level news speakers or actors to speak a 2 minute warning on the current trends). Official/company websites need to stop to put "ssl-certified" logos on the webpage itself, but should put a picture with how the URL bar should look like and ask the user to compare and remember it. Big companies should not educate the user to install just every program, because they tell to.
What i want to say: the image, the resources, and the power of big companies can be used in constructive ways, and not to establish illegal actions as the course of the day.
I thought he was going to hit me so I hit him back first.
Everything you know is wrong, Just forget the words and sing along.
Seems pretty acceptable to me. As long as the attack is confirmed, and there aren't idiots at the helm. Didn't Israel do something like this? Pre-emptive assassinations or something that?
I wouldn't be surprised if big-iron IT departments didn't already do something like this. Not like it matters anyways, with corporate control of the internet looming (slashdot story of 2 tier internet access)
As a former Shadowrun GM, I can only facepalm. Either roll with Sleaze or do your decking with a disposable deck. And remember: when the ICE rezzes, your MAC address is already forfeit.
Every trollism an AC posts is prefixed, in my mind, with "A. Coward whined, in a weak and cowardly voice:"
Good that you point out that the /. article is misleading.
But you are wrong in naming defensive measures that enhance login security "tarpits".
If I recall right "tarpits" work by tying up resources at the attacking computer.
See here for an actual implementation:
http://www.wilderssecurity.com/showthread.php?t=16674
Hey don't blame me, IANAB
IANAL.This brings up the question, "Is cyber self-defense a legally viable defense in court?"
The analogy goes like this. I was being attacked so I whacked him to may him stop. The corporate equivalent is, My network and computer systems were being attacked to whacked the attacker to make him stop.
It is true that 'attacking' the ip who infiltrated your network is probably the wrong target but in the article, the suggested counter attack was not an attack, it was an infiltration designed to glean information about who is really behind the attack and what sorts of info they are looking for.
RTFA
The problem is that it's easy to make a computer invulnerable, even if it stays on a static IP. Then you don't have to fear retaliation.
"When information is power, privacy is freedom" - Jah-Wren Ryel
That "pinning" is standard operating procedure, it's rare for an attack to be traceable to a real guilty party.
"When information is power, privacy is freedom" - Jah-Wren Ryel
Naturally, although many cyber attacks right now are done through botnets or are made to look as if they were done by an anonymous, meaningless entity, rather than intentionally placing evidence that leads you to believe it's from a particular third party.
The short version is that vigilante justice is particularly bad for cyber attacks because attribution is particularly difficult.
I'd say the law is fairly reasonable. In any case it clearly does not permit the use of deadly force against a mere trespasser.
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
There is nowhere in the USA where use of deadly force against a mere trespasser is legal.
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
There are no airliners and no passengers and no deaths: just the temporary shutting down of some pcs. The owners of those pcs may not know that they are being used to attack you, but they still are. I think a case can be made for your right to disable a weapon in the hand of your attacker even if it is not the attacker's property.
Another strained analogy. An enemy of yours is able to trick you neighbor's fancy automated lawn sprinkler into hosing down the front door of your business, driving off your customers. Are you justified in shutting off his water temporarily to stop the attack?
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
Any competent attackers will cover their tracks, often making it appear that the source of the attack is in a completely different country. It's fairly easy to frame someone and make it look credible.
They need to forcibly enter your home or occupied vehicle (rather than just being on your property). Otherwise, Florida's castle doctrine does exactly that.
Somehow I managed to read this title as "Is Retaliation the answer to Cylon attacks?"
The answer is clearly yes (assuming we have any ships left to retaliate with...)