Hacked Companies Fight Back With Controversial Steps

PatPending writes with this report on companies taking aggressive steps to deal with electronic attacks: "Known in the cyber security industry as "active defense" or "strike-back" technology, the reprisals range from modest steps to distract and delay a hacker to more controversial measures. Security experts say they even know of some cases where companies have taken action that could violate laws in the United States or other countries, such as hiring contractors to hack the assailant's own systems. Other security experts say a more aggressive posture is unlikely to have a significant impact in the near term in the overall fight against cybercriminals and Internet espionage. Veteran government and private officials warn that much of the activity is too risky to make sense, citing the chances for escalation and collateral damage." If you've been involved in such an action, how did it work out for you?

Stupid

[phantomfive]

What are you going to do, DDOS some script-kiddie's computer?

The only time I've ever heard of something like this working out, it was when someone actually went to the effort to find out who was hacking them, and then turned the case over to the police. There was a story like that covered here on Slashdot several years ago.

Re:Stupid

[Wolfling1]

A couple of months ago, when I ws selling my motorbike, I received a few of those 'I'm on an offshore oilrig and I want to buy your bike' spams. I was curious, so I constructed a honeypot to see if I could gather some intel on the perps before going to the police.

Sure enough, within a day, I had IP addresses and was able to resolve to the attackers location. He was stupid enough to not be using a proxy, and stupid enough to leave some vulnerabilities open on his PC - that made it very easy to be certain that he was the attacker.

I collated my data, and presented it to the Feds. They weren't interested. Couldn't even care less.

So I contacted the attacker independently (through my own proxies), and let them know that they should get better at what they're doing, or get out of the game. They didn't try to contact me again.

I can understand why people would be tempted to undertake their own vigilante actions.

Re:Stupid

[Taco+Cowboy]

Unfortunately there are still too many of those who believe that the law will "protect" them

Even here, we can see those who fervently advocate going to the police / fbi / court even in the cyberwar cases

There's no point to go to the law when the other side does not believe in one - and, the law there is, in most cases, do not have the jurisdiction over those black hat, in the first place

Not true that fighting back doesn't work.

[jcrb]

I was doing due diligence on a computer security firm once who had be subject to a DDoS blackmail attack, you know, give us $5,000 or will we will keep your web site down. Well they back traced the control to some cyber cafe in eastern Europe and worked with the State Department to actually get the local police to go in and arrest the people involved.

If someone is actively hacking you then hacking them back isn't a crime (or it shouldn't be) its just self defense. And if you have to hire some firm to do it I don't see how it is any different than hiring armed security guards or private detectives.

If the law says you can't defend yourself from someone trying to ruin your business then the law is an ass.

Re:Not true that fighting back doesn't work.

[lightknight]

Well, theoretically, if one were so obsessively inclined, it is possible to spelunk your way upstream, router by router, to track down the offending computers, even when the attacker is using forged IP addresses. Although, I imagine that even the cozy relationship that the various law / intelligence agencies and the various network providers normally enjoy would immediately become rather frosty if they found you doing that.

Once you have one member of the offending botnet, you find out how it has been compromised. A quick port scan can be telling here, but compromising the machine by other methods can be done, if necessary. Then you'd probably copy the botnet software to a VM for some dissection. Then you'd probably create some software of your own, to silently log any future connections to that machine, while trying to figure out how the botnet is being controlled. Eventually, you'll be able to track down the original (command) computer (even if they're using an IRC channel, or website, or relaying a command from one machine to the next ala Whisper Down the Alley style), and then the fun starts...botnet operators HATE IT when you compromise their command machines, and use the built-in webcam to take a picture of them. They really hate it when you record video. They're even more surprised when they're running Ubuntu, and think Linux would somehow prevent them from being hacked...

But yes, the obvious answer to an attacker on your network is to run to the comms room, and physically remove the network cables. As for the above, well, it's hard to find a programmer that's been angered deeply enough to engage in that kind of investigating.

Not even his computer.

[khasim]

If the script-kiddie knows anything at all he'll be attacking from a zombie he's already "owned".

I think this is more sensationalism than fact.

Companies are known to strike back

[Taco+Cowboy]

There are companies that I know, who employed "private contractors" to do things that they can not legally do, to "make things right"

One of those companies, when its refinery was damaged by some African guerillas, got its own "private contractors" to hit back, and they hit back very very hard

So, I am not surprise of what they will do on the Cyberwar front - the "private contractors" can do anything for you, so long as you pay them

Re:Companies are known to strike back

[Sir_Sri]

In that situation you should pay off the local government police and or military forces. If you can't pay them more than the local militias or criminals, you shouldn't do business there.

That is, in effect, what happens in civilized countries. You pay taxes for police services, if the services aren't up to the task you pay (technically 'lobby') politicians to write laws for you that will get the police up to the task or out of the way.

cyber security is a different matter. There's no one you can pay unless you're a huge multinational, and even then you may not have a presence wherever the problem initiated from. If you're hacked domestically you have the same recourse as physical security, call the police, if there aren't laws that will cover you, pay politicians to write some. But if you get hacked from a foreign country there's really nothing you can do except build hardened systems in the first place. Counter hacking doesn't seem like a good idea, because they, being criminals, are somewhat less hindered by morals and laws than you are, and can retaliate thusly. I suppose if you're really big you pay politicians in both countries to write treaties for you. But that would just serve to make counter hacking illegal.

Re:Companies are known to strike back

[hairyfeet]

Companies hell, I've had cops come up to me in the shop that wanted obviously illegal stuff done, frankly i think they had seen too many episodes of CSI and actually thought you could hack a network with a VB GUI.

But honestly this kind of shit surprises me not in the least, anyone who has read some of the stuff that has been dumped onto Wikileaks knows that you can buy pretty much anything if the money is good enough. Personally I'm waiting for a cyber version of the Pinkertons, a little private army you can hire to do whatever dirty little thing you need done in cyberspace. After all thanks to many otherwise pretty damned lawless countries having Internet access in a way its like the wild west only the criminals don't have to physically come over the border to do their raiding before heading back to their personal hole in the wall. So to see the corps fighting back when the law itself can't really do shit thanks to countries that don't play by the same rules? Really not surprising.

Re:Companies are known to strike back

[L4t3r4lu5]

... i think they had seen too many episodes of CSI and actually thought you could hack a network with a VB GUI.

I cringed as much as the next nerd when I heard that line, but if you think about it it actually make sense. The fact that the terms are inaccurate is immaterial. She could have told them she fired up Backtrack 5 and used a known buffer overflow vulnerability in $PerimiterSwitchSoftware to get access to the internal network, and a remote code execution attack to enable directory traversal and and run w3svc as Admin, giving her free reign over the network. Would they have understood any more?

You're thinking of it as the actress saying lines for your amusement. She's not. She's telling a colleague, who wouldn't understand anyway, a bunch of buzzwords and jargon to dissuade them from getting too involved in something which will only confuse them, and distract them from their own involvement in the situation.

If Finance ask you about backups, do you tell them about cron jobs and the difference between differential and full backups? No, you tell them it's daily and hosted off site, and they should worry more about getting your pay cheque ready for the last Friday of the month.

Indeedy

[obarthelemy]

I've been in contact about a job with a French cybersecurity company that has subsidiaries in 3 countries to be able to be able to offer 24x7 service, and, avowedly, do stuff (counter-attack for ex.) that would be illegal in France.

I don't have a big issue with counter-attacks existing, and being nasty (let's face it, if you beat on me, I'm gonna beat on you). I do have an issue with the potential for counter-attack evolving into spying and pro-active stuff. I'm sure they're doing it already.

Honeypots, misinformation

[Dan+East]

I would think lots of honeypots, dead ends, and misinformation would be effective. It would be difficult for the hacker to know when they have accessed legitimate machines or information. That's one of the problems with typical security is that it typically provides confirmation when an access attempt has failed. If instead of indicating failed access, you instead direct them to bogus data, it would make the hacker's life rather miserable.

Doesn't End Well

Google Multi-bet.

"Seems there has been blackmail and hack attempts to at least two online bookies,
Multibet.com and Centrebet"

"syn flood on port 80 - MASSIVE one

The server was originaly in Alice, thus killing the Alice network. Telstra then implemented their "DDoS protection" (www.radware.com - ironically, when we told our current DDoS protectors this, they laughed) in their Sydney office. It took out part of their core network in Sydney straight away before they killed the www server ips." http://forums.whirlpool.net.au/archive/237347

They just bought more bots to the fight.

Re:Best defense....

[girlintraining]

Never put sensitive data on a computer connected to the internet, unless it absolutely must be there.

o_O Not very realistic when we live in an "always on / always connected" world. Everything is merging into the network and stand alone devices are a minority.

Never keep sensitive data that you don't need, overwrite it, then delete.

Also, you should burn all the clothes you haven't worn in over a week (you obviously don't need that many clothes), not have a junk drawer, and while you're at it, delete any data on your system with an access time older than 3 months. Also, delete sarcasm.sys ...

Never put confidential data into any computer system, networked or not. If you must, do so only if it's encrypted and secured by strong authentication at all times.

Confidential, defined: Everything that isn't out on the curb with a big sign that says "Free" on it. Also, you should stop using the internet since most of it isn't secured and uses strong authentication... there's never a reason to use plain-text data exchanges. I mean, I don't even leave the house without my PGP key, and when I hangout with my friends, we use finger signs that are one-way encrypted... because otherwise someone might understand us and that would be bad.

Use all practical forms of security, firewalls, strong authentication, multiple networks with isolation, IDS, AV/anti-malware, no running as Admin/root, separate accounts for every user with appropriate access restrictions, including separate accounts for any services running on your servers, whole disk encryption, etc.

Basically, throw everything you can at the problem and hope something stops the attacker, and if you frustrate everyone who has to use the system because it requires 30 character long passwords rotated every 15 minutes, 9 levels of encryption, and a sample of hair, blood, finger print scan, iris scan, and ass cheek measurements... it might not be secure enough to protect grandma's secret goolash recipe.

The first 3 are what I call the "Mr Miyagi" approach, "Best defense, no be there." Item 4 is what most companies focus on, but it's not nearly as useful if you haven't used 1-3.

I take a somewhat simpler approach to security: Build it so that breaking it costs more than the value of what you're protecting. There is no perfect security. All of it can be hacked. Your only responsibility, professionally, ethically, morally, is to make it cost them as much or more to break through than whatever is being guarded. Criminals are just as rational as anyone else: They go for the low hanging fruit, the most gain for the least effort. I call it the "Mr. Bear Grylls" approach, 'You only have to run faster than the guy next to you when escaping a lion."

Re:Revision

[TFAFalcon]

So what happens when people start faking attacks on their server, so they have an excuse to attack their competition?

Re:Asking you to break the law?

[non-plus]

once, we had a less-than-skilled attack on a company i was network admining at. I traced the source down to an ISP in a South American country and ISP and I contacted them stating that such-and-such IP on their network was engaging in an attack on my company. I asked them to look into this and block the user from hitting us thru the routes I provided. They said there was nothing they could do. I asked them what other recourse I had. They told me there was nothing I could do but shut down our systems and hope it went away. I asked them if I could take action to stop it and could I get and e-mail statement to that effect. They sent me an e-mail stating there is nothing they could do and I could do whatever I needed to correct the situation.

I ran it by the legal guys. got a thumbs up. put on a darker hat.

moved a bit of traffic off the oc-12 we had and proceeded to clobber the offending IP address and the nodes at the far end (ISP equipment). I got a very polite call after about an hour telling me that the offender has been pulled off-line and asking if I would be so kind as to stop defending myself as it was killing their network. I stopped my defense and was given a few names with contact info to call in the future should the needs arise.

a good result.