Slashdot Mirror


Hacked Companies Fight Back With Controversial Steps

PatPending writes with this report on companies taking aggressive steps to deal with electronic attacks: "Known in the cyber security industry as "active defense" or "strike-back" technology, the reprisals range from modest steps to distract and delay a hacker to more controversial measures. Security experts say they even know of some cases where companies have taken action that could violate laws in the United States or other countries, such as hiring contractors to hack the assailant's own systems. Other security experts say a more aggressive posture is unlikely to have a significant impact in the near term in the overall fight against cybercriminals and Internet espionage. Veteran government and private officials warn that much of the activity is too risky to make sense, citing the chances for escalation and collateral damage." If you've been involved in such an action, how did it work out for you?

24 of 320 comments

  1. Asking you to break the law? by Anonymous Coward · · Score: 5, Insightful

    Just remember, if a company asks you to break the law then you deserve what's coming to you when you get caught.

    1. Re:Asking you to break the law? by FutureDomain · · Score: 4, Insightful

      Any way we can "strike back" and demolish this MCPC crap? Some slashdotter who finally gets fed up and trashes their servers would be a nice punishment.

      --
      Hydraulic pizza oven!! Guided missile! Herring sandwich! Styrofoam! Jayne Mansfield! Aluminum siding! Borax!
    2. Re:Asking you to break the law? by sociocapitalist · · Score: 4, Insightful

      Just remember, if a company asks you to break the law then you deserve what's coming to you when you get caught.

      Well..if the US government (stuxnet for example) can do it (with no declaration of war), then it mustn't be illegal right? /ironyoff

      --
      blindly antisocialist = antisocial
  2. Re:Not true that fighting back doesn't work. by Anonymous Coward · · Score: 5, Insightful

    95% of the time your "retaliation" isn't being targeted at the actual attacker, you are far more likely to be attacking some 3rd party's legitimate, vulnerable server that is acting as a re-director for the attacker. Now the 3rd party is going to be pissed that you're harming their business.

  3. Re:Not true that fighting back doesn't work. by smileygladhands · · Score: 5, Insightful

    I was doing due diligence on a computer security firm once who had been subject to a DDoS blackmail attack, you know, give us $5,000 or we will keep your web site down. Well they back traced the control to some cyber cafe in eastern Europe and worked with the State Department to actually get the local police to go in and arrest the people involved.

    If someone is actively hacking you then hacking them back isn't a crime (or it shouldn't be) it's just self defense. And if you have to hire some firm to do it I don't see how it is any different than hiring armed security guards or private detectives.

    If the law says you can't defend yourself from someone trying to ruin your business then the law is an ass.

    Equal to "If someone breaks into your home, you should be able to break into their home."

  4. Best defense.... by gstrickler · · Score: 4, Insightful

    1. Never put sensitive data on a computer connected to the internet, unless it absolutely must be there.
    2. Never keep sensitive data that you don't need, overwrite it, then delete.
    3. Never put confidential data into any computer system, networked or not. If you must, do so only if it's encrypted and secured by strong authentication at all times.
    4. Use all practical forms of security, firewalls, strong authentication, multiple networks with isolation, IDS, AV/anti-malware, no running as Admin/root, separate accounts for every user with appropriate access restrictions, including separate accounts for any services running on your servers, whole disk encryption, etc.

    The first 3 are what I call the "Mr Miyagi" approach, "Best defense, no be there." Item 4 is what most companies focus on, but it's not nearly as useful if you haven't used 1-3.

    --
    make imaginary.friends COUNT=100 VISIBLE=false
  5. Re:Not true that fighting back doesn't work. by bky1701 · · Score: 4, Insightful

    An eye for an eye makes the whole world blind, especially when the guy who just got poked in his good eye opens fire on everybody else.

    To me, tracking them down (let me guess, you can do a traceroute?) isn't exactly hacking by any means. Finding the person and telling law enforcement is not hacking, it is arguably the antithesis of hacking (not to say you got the right person, but that's aside the point). That makes your later claim that this is somehow like having someone holding a gun to your head, thus justifying "self defense," all the more confusing.

  6. Re:Not true that fighting back doesn't work. by girlintraining · · Score: 5, Insightful

    If someone is actively hacking you then hacking them back isn't a crime (or it shouldn't be) it's just self defense. And if you have to hire some firm to do it I don't see how it is any different than hiring armed security guards or private detectives.

    Real world thinking doesn't apply here. In the real world, if someone attacks you, you can beat them up and claim self-defense because you know it was them. In the digital world, very likely the person you are targeting is innocent. If a computer DDoS' your network, you don't DDoS them back, you block that IP address -- because criminals don't use their own computers to conduct attacks, and neither do they sign every packet with their name, address, and phone number. So when you unload on who you think is attacking you, then (by your own logic) they have every right to retaliate against you! At that point you've created the digital equivalent of a bar room brawl, but with weapons of mass destruction. And with every response by either party comes the increased risk of drawing another person into the conflict.

    If everyone, or even a substantial minority, follows this logic it leads to the internet becoming a lawless war zone where business simply cannot be conducted anymore because the network's reliability has been shot to hell. And let me be clear: You're not above screwing up. Even major name security researchers from businesses that specialize in this routinely get the names of the people involved wrong. Often. Open wifi, proxies, bot nets, the number of ways you can appear to be someone other than yourself is dizzying. Hell, I'm posting this through Tor... good luck even finding out who I am. Criminals have access to much better security than that... what do you think the odds are of figuring out who they are if you can't even figure out who I am when I'm making no special effort to hide my real identity?

    --
    #fuckbeta #iamslashdot #dicemustdie
  7. What if it was a hospital? by khasim · · Score: 4, Insightful

    If your system is compromised you do not have the right to have it keep running and attacking people. That is the responsibility any node on the network holds inherently.

    That's a great idea right up until it is a server in a hospital that is being used for the attack.

    More like, if someone is assaulting you you should be able to punch back just as hard, or hard enough to make them stop.

    No. I'm going to have to go with the other post:

    Equal to "If someone breaks into your home, you should be able to break into their home."

    And not just that but also a house you THINK belongs to the attacker when it is just one that the attacker is using.

    1. Re:What if it was a hospital? by NormalVisual · · Score: 5, Insightful

      Might as well bring down that server - if there happened to be patients died as a result, it's not your fault either, it's the fault of the hospital IT staff that let their server to be compromised

      I'm guessing the court probably won't feel the same way when you're sued for everything you've got by the dead patient's family and the hospital, especially when an expert witness testifies that all you'd have to have done to stop the attack was insert a couple of firewall rules or null route the target IP for a little while.

      --
      Please stand clear of the doors, por favor mantenganse alejado de las puertas
    2. Re:What if it was a hospital? by Anonymous Coward · · Score: 5, Insightful

      Might as well bring down that server - if there happened to be patients died as a result, it's not your fault either, it's the fault of the hospital IT staff that let their server to be compromised

      Yeah, well, that's your opinion. The law disagrees. A server of ACME Inc. was used by Black Hat to attack your server, which means Black Hat broke the law and, if caught, will be in trouble. The problem is that you, too, attacked ACME Inc.'s servers, and now you're in trouble too. In fact, you're in more trouble than Mr. Black Hat since he used 7 proxies while you or your contractor didn't.

      And in military parlance, it's called "collateral damage"

      Correct. But you and what army is going to convince the judge that you're free to kill innocents too?

  8. Re:Not true that fighting back doesn't work. by jcrb · · Score: 3, Insightful

    I guess I'm just not sure how the first half of your post relates to the second. What actually happened sounds fairly reasonable and not anything like what TFA is talking about; they didn't try to smoke the attacker, they found them and reported them.

    You are missing that in order to report them they had to break into all the machines on the control path back to the source. If using exploit penetration tools to compromise attack machines and their command/control nodes isn't "hacking" I'm not sure what your definition of the word is.

    --
    -jon
  9. Re:Good morning, Mr. Mitnick by zill · · Score: 3, Insightful

    It should be easy for spammers to register mycleanpc2.com and continue spamming.

    If only there was an HTML attribute that would stop the search engines from following the spam links...

  10. Good luck with that. by khasim · · Score: 4, Insightful

    Might as well bring down that server - if there happened to be patients died as a result, it's not your fault either, it's the fault of the hospital IT staff that let their server to be compromised

    Good luck with that in court. I'm sure the judge and jury will completely understand your need to risk the lives of patients because you wanted to.

    After all, if you were competent then you'd be able to block the attacks or at the very least mitigate/ameliorate any possible damage from them.

    You mean, the attacker using a server in the hospital to attack you is okay, but it's not okay when you retaliate ?

    I mean that if a patient dies because of the cracker then it isn't your concern.

    But if a patient dies because YOU decided to take out that server ... enjoy your stay at the Federal Pound Me In The Ass Prison.

    1. Re:Good luck with that. by cold+fjord · · Score: 4, Insightful

      No court system in the world has any jurisdiction over "private contractors", or they won't be "private contractors"

      Either you are trolling or there is a huge gap between your understanding of the law and what the situation actually is. I suggest you talk to a lawyer before you test your theory in real life.

      I hope you aren't mixed up in this nonsense: Sovereign Citizens: Radicals Exercising 'God-Given Rights' or Fueling Domestic Terrorism?
      That would be unlikely to end well. Sovereign Citizens - A Growing Domestic Threat to Law Enforcement

      --
      much of left-wing thought is a kind of playing with fire by people who don't even know that fire is hot - George Orwell
  11. An eye for an eye by techno-vampire · · Score: 3, Insightful

    An eye for an eye makes the whole world blind...

    Actually, an eye for an eye can be very appropriate, if you understand what the passage is really saying: not that you're entitled to an eye for an eye, but to no more than an eye for an eye or a tooth for a tooth. It doesn't so much institutionalize revenge as place a fair limit on it. There are, of course, two problems here: first, making sure you've identified the culprit correctly and second, how much hacking, DDOS or whatever is appropriate. Personally, if the attacker lives in a country where the law is respected, turning the evidence over to the proper authorities is probably your best bet. If not, have fun; after all, what's the worm going to do? Tell the police, "He found out I was hacking his computer, so he hacked me back?"

    --
    Good, inexpensive web hosting
  12. Re:Not true that fighting back doesn't work. by mysidia · · Score: 5, Insightful

    Equal to "If someone breaks into your home, you should be able to break into their home."

    It's more like "If someone breaks into your home, you catch their license plate number. You should be able to break into whatever house the license plate is registered to, and see if you can find your stuff."

    No you don't. Investigating the crime is law enforcement's job.

  13. Pointless stupidity doing collateral damage by dbIII · · Score: 3, Insightful

    The computer someone retaliates against could just be the previous victim of the cracker. If they have owned a government system of any kind at all (even something that provides a bus timetable) and you attack it then you could be in some very deep shit legally with a courtroom opponent that will spend whatever it takes of taxpayers' money to make an example of you.

  14. Re:Got him back good by blueg3 · · Score: 4, Insightful

    You had logs and were still penetrated? What OS has logs and gets penetrated?

    All of them.

  15. Slashdot is Toast by DougReed · · Score: 4, Insightful

    I've just about had it. Slashdot used to be news for Nerds. Now it's almost entirely mindless bullshit, and the last straw is when spammers are permitted to confiscate the site, and Slashdot management allows it. As if it's my job to waste my mod points to mark this crap as Troll.

    I am logging off, and deleting Slashdot from my home page. Have at it trolls. All yours now.

  16. Who specifically is retaliating? by WaffleMonster · · Score: 3, Insightful

    While summary and TFA seem to imply some sort of vigilante response it never enumerates even a single example of what that would be or cites any incidents where retaliation had actually been carried out.

    TFA only seems to provide any detail or information about misdirection, honey pots..etc to thwart attacks and obscure important information...All obvious and non-controversial actions.

    What I find most disturbing is this little gem:

    "In April, Department of Homeland Security Secretary Janet Napolitano told the San Jose Mercury News that officials had been contemplating authorizing even "proactive" private-entity attacks, although there has been little follow-up comment."

    How are idiots like Janet even allowed to be secretary of anything? I don't know what's worse having such thoughts or publicly admitting to having had them.

  17. Re:Not true that fighting back doesn't work. by DarwinSurvivor · · Score: 4, Insightful

    That's a common misconception in many countries, I *highly* recommend you verify that information for your geographic area.

  18. Re:Stupid by SuricouRaven · · Score: 5, Insightful

    The law is only for those who commit really serious crimes, like copyright infringement.

  19. Re:Companies are known to strike back by Anonymous Coward · · Score: 3, Insightful

    Starship Troopers wasn't a serious movie? Jeez, you yanks really don't get irony do you?