Slashdot Mirror
Hacked Companies Fight Back With Controversial Steps
PatPending writes with this report on companies taking aggressive steps to deal with electronic attacks: "Known in the cyber security industry as "active defense" or "strike-back" technology, the reprisals range from modest steps to distract and delay a hacker to more controversial measures. Security experts say they even know of some cases where companies have taken action that could violate laws in the United States or other countries, such as hiring contractors to hack the assailant's own systems. Other security experts say a more aggressive posture is unlikely to have a significant impact in the near term in the overall fight against cybercriminals and Internet espionage. Veteran government and private officials warn that much of the activity is too risky to make sense, citing the chances for escalation and collateral damage." If you've been involved in such an action, how did it work out for you?
Just remember, if a company asks you to break the law then you deserve what's coming to you when you get caught.
I simply drive to the GeoIP location with my illegal police baton and smack the head of whoever happens to be there at the time when I arrive. I've been doing this for a few years now.
I got the location of the punks house and nailed his mom while he was in the basement.
Feeding time came around and mom did not bring down the hot pockets according the regular schedule and he peeked his head above ground.
Said, "Hi. I'm from the company you were trying to hack. By the way your Mom is quite talented. Going to be around more often"
95% of the time your "retaliation" isn't being targeted at the actual attacker, you are far more likely to be attacking some 3rd party's legitimate, vulnerable server that is acting as a re-director for the attacker. Now the 3rd party is going to be pissed that you're harming their business.
Obviously, they're in the process of developing Gibson's black ICE!
We should be afraid.
http://www.geoffreylandis.com
I was doing due diligence on a computer security firm once who had be subject to a DDoS blackmail attack, you know, give us $5,000 or will we will keep your web site down. Well they back traced the control to some cyber cafe in eastern Europe and worked with the State Department to actually get the local police to go in and arrest the people involved.
If someone is actively hacking you then hacking them back isn't a crime (or it shouldn't be) its just self defense. And if you have to hire some firm to do it I don't see how it is any different than hiring armed security guards or private detectives.
If the law says you can't defend yourself from someone trying to ruin your business then the law is an ass.
Equal to "If someone breaks into your home, you should be able to break into their home."
I would think lots of honeypots, dead ends, and misinformation would be effective. It would be difficult for the hacker to know when they have accessed legitimate machines or information. That's one of the problems with typical security is that it typically provides confirmation when an access attempt has failed. If instead of indicating failed access, you instead direct them to bogus data, it would make the hacker's life rather miserable.
Better known as 318230.
If someone is actively hacking you then hacking them back isn't a crime (or it shouldn't be) its just self defense. And if you have to hire some firm to do it I don't see how it is any different than hiring armed security guards or private detectives.
Real world thinking doesn't apply here. In the real world, if someone attacks you, you can beat them up and claim self-defense because you know it was them. In the digital world, very likely the person you are targeting is innocent. If a computer DDoS' your network, you don't DDoS them back, you block that IP address -- because criminals don't use their own computers to conduct attacks, and neither do they sign every packet with their name, address, and phone number. So when you unload on who you think is attacking you, then (by your own logic) they have every right to retaliate against you! At that point you've created the digital equivalent of a bar room brawl, but with weapons of mass destruction. And with every response by either party comes the increased risk of drawing another person into the conflict.
If everyone, or even a substantial minority, follows this logic it leads to the internet becoming lawless war zone where business simply cannot be conducted anymore because the network's reliability has been shot to hell. And let me be clear: You're not above screwing up. Even major name security researchers from businesses that specialize in this routinely get the names of the people involved wrong. Often. Open wifi, proxies, bot nets, the number of ways you can appear to be someone other than yourself is dizzying. Hell, I'm posting this through Tor... good luck even finding out who I am. Criminals have access to much better security than that... what do you think the odds are of figuring out who they are if you can't even figure out who I am when I'm making no special effort to hide my real identity?
#fuckbeta #iamslashdot #dicemustdie
Might one contact such "private contractors" via Soldier Of Fortune magazine?
You want the best, right? A few years ago a crack commando unit was sent to prison by a military court for a crime they didn't commit. These men promptly escaped from a maximum security stockade to the Los Angeles underground. Today, still wanted by the government, they survive as soldiers of fortune. If you have a problem, if no one else can help, and if you can find them, maybe you can hire them.
"I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)
You had logs and were still penetrated? What OS has logs and gets penetrated?
Well, if you're talking back doors, penetration, and encountering logs,you're probably talking OSX!
"I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)
Might as well bring down that server - if there happened to be patients died as a result, it's not your fault either, it's the fault of the hospital IT staff that let their server to be compromised
I'm guessing the court probably won't feel the same way when you're sued for everything you've got by the dead patient's family and the hospital, especially when an expert witness testifies that all you'd have to have done to stop the attack was insert a couple of firewall rules or null route the target IP for a little while.
Please stand clear of the doors, por favor mantenganse alejado de las puertas
Might as well bring down that server - if there happened to be patients died as a result, it's not your fault either, it's the fault of the hospital IT staff that let their server to be compromised
Yeah, well, that's your opinion. The law disagrees. A server of ACME Inc. was used by Black Hat to attack your server, which means Black Hat broke the law and, if caught, will be in trouble. The problem is that you, too, attacked ACME Inc.'s servers, and now you're in trouble too. In fact, you're in more trouble than Mr. Black Hat since he used 7 proxies while you or your contractor didn't.
And in military parlance, it's called "collateral damage"
Correct. But you and what army is going to convince the judge that you're free to kill innocents too?
Equal to "If someone breaks into your home, you should be able to break into their home."
It's more like "If someone breaks into your home, you catch their license plate number. You should be able to break into whatever house the license plate is registered to, and see if you can find your stuff."
No you don't. Investigating the crime is law enforcement's job.
Many botnet clients apply security patches to prevent others from taking the machine.
Rod Taylor
Companies hell, I've had cops come up to me in the shop that wanted obviously illegal stuff done, frankly i think they had seen too many episodes of CSI and actually thought you could hack a network with a VB GUI.
But honestly this kind of shit surprises me not in the least, anyone who has read some of the stuff that has been dumped onto Wikileaks knows that you can buy pretty much anything if the money is good enough. Personally I'm waiting for a cyber version of the Pinkertons, a little private army you can hire to do whatever dirty little thing you need done in cyberspace. After all thanks to many otherwise pretty damned lawless countries having Internet access in a way its like the wild west only the criminals don't have to physically come over the border to do their raiding before heading back to their personal hole in the wall. So to see the corps fighting back when the law itself can't really do shit thanks to countries that don't play by the same rules? Really not surprising.
ACs don't waste your time replying, your posts are never seen by me.
A couple of months ago, when I ws selling my motorbike, I received a few of those 'I'm on an offshore oilrig and I want to buy your bike' spams. I was curious, so I constructed a honeypot to see if I could gather some intel on the perps before going to the police.
Sure enough, within a day, I had IP addresses and was able to resolve to the attackers location. He was stupid enough to not be using a proxy, and stupid enough to leave some vulnerabilities open on his PC - that made it very easy to be certain that he was the attacker.
I collated my data, and presented it to the Feds. They weren't interested. Couldn't even care less.
So I contacted the attacker independently (through my own proxies), and let them know that they should get better at what they're doing, or get out of the game. They didn't try to contact me again.
I can understand why people would be tempted to undertake their own vigilante actions.
The law is only for those who commit really serious crimes, like copyright infringement.