Slashdot Mirror

← Back to Stories (view on slashdot.org)

FBI Monitoring Hacking Targets For Retaliation

Posted by Soulskill on from the never-start-a-fight-but-always-end-one dept.

An anonymous reader writes: As high profile security breaches continue to grab headlines, little is being done visibly by the government to prevent future attacks. This is prompting some victims (and potential victims) to find creative ways to stop the hackers. The FBI is now concerned that U.S. companies and institutions are themselves breaking laws by retaliating with cyberattacks of their own. "In February 2013, U.S officials met with bank executives in New York. There, a JPMorgan official proposed that the banks hit back from offshore locations, disabling the servers from which the attacks were being launched ... Federal investigators later discovered that a third party had taken some of the servers involved in the attack offline, according to the people familiar with the situation. Based on that finding, the FBI began investigating whether any U.S. companies violated anti-hacking laws in connection with the strike on those servers, according to people familiar with the probe."

59 of 96 comments (clear)

  1. Can shoot a person, can't take down a server by Anonymous Coward · · Score: 1, Interesting

    Disabling servers from which an attack is being launched against you isn't "retaliation". That's self-defense. Now, I know that striking back at the right target isn't easy, and some "innocent" people may get hurt, but if you are being attacked, and some third party's stuff is being used to attack you, you're still not "retaliating" if you damage that stuff in an attempt to end the attack.

    1. Re:Can shoot a person, can't take down a server by Immerman · · Score: 4, Interesting

      I don't know, seems like in a world where cyber-weapons are routinely deployed, the right to bear arms might reasonably be construed to include cyber-weapons. Especially when you consider that, at the time of writing, the right to bear arms was pretty clearly a protection of the people's ability to effectively rebel against a lawful but non-representative government.

      Of course having the right to *have* such weapons, and the right to *use* them, especially indiscriminately, are completely different things. Deploy a weapon likely to have significant collateral damage and you'd better be ready to suffer the full force of the law for the damage you do to bystanders, even if disabling the primary target was a clear-cut case of self defense.

      --
      --- Most topics have many sides worth arguing, allow me to take one opposite you.
    2. Re:Can shoot a person, can't take down a server by AchilleTalon · · Score: 1

      The proper way to answer to an on-going attack is to redirect traffic to analysis site and collect the information or go off-line. Responding to an on-going attack by an attack is not a defensive/self-defense reaction, it is an offensive reaction the site you target is then, following the same logic, completely entitled to reply to in turn. If you believe your reply is legitimate, the reply of the sites you then attack is also legitimate. You cannot pretend you have properly identify the authors when an attack is on-going. Most of them are perpetrated via other hijacked sites, you are just attacking hijacked sites and not the hijackers.

      Now, an aftermath attack is retaliation.

      If you cannot analyze the attack, the best self-defense is to go off-line to stop the attack.

      --
      Achille Talon
      Hop!
    3. Re:Can shoot a person, can't take down a server by gtall · · Score: 1, Insightful

      "the right to bear arms was pretty clearly a protection of the people's ability to effectively rebel against a lawful but non-representative government."

      Not really, it was said in reference to a well-regulated militia. The Point was that the founders knew very well the problems a small determined group could cause.

      Anyhow, the 2 year old in Idaho who managed to shoot his mother with her own weapon had a right bear arms too, the Constitution made no mention of age.

    4. Re:Can shoot a person, can't take down a server by operagost · · Score: 1

      The police just killed a unarmed, white, middle-aged guy in PA. By the way, this wasn't the first time. I thought maybe you didn't know that, being in your racist echo chamber.

      --

      Gamingmuseum.com: Give your 3D accelerator a rest.
    5. Re: Can shoot a person, can't take down a server by Shoten · · Score: 2

      No, but the Natural Laws upon which Western political thought is based do give you the intrinsic right to self preservation, right up to terminating the threat.

      But not in this context. If someone shoots you today, you can't go after them with a gun tomorrow after you get out of the hospital. These actions are not self-preservation at all, just retaliatory in nature. And that is clearly defined in both the explicit statutes and case law as a no-no.

      --

      For your security, this post has been encrypted with ROT-13, twice.
    6. Re: Can shoot a person, can't take down a server by zlives · · Score: 1

      preemptive strike... its how we justified Iraq war!!
      clearly the cyber terrorist and terrorist state sponsors must be preemptively neutralized.

    7. Re:Can shoot a person, can't take down a server by John.Banister · · Score: 1

      Sounds like the rationalization behind drone strikes.

    8. Re:Can shoot a person, can't take down a server by kelemvor4 · · Score: 1

      The police just killed a unarmed, white, middle-aged guy in PA. By the way, this wasn't the first time. I thought maybe you didn't know that, being in your racist echo chamber.

      Right but there is a much better chance of the shooters at least going on trial for the murder in this case.

    9. Re: Can shoot a person, can't take down a server by ceoyoyo · · Score: 2

      In most western countries you have the right to respond to an imminent threat of physical harm with appropriate force. You do not have the right to respond to, for example, property damage. Part of that "Western political thought" is eliminating the cycle of eye-for-an-eye vengeance.

    10. Re:Can shoot a person, can't take down a server by HiThere · · Score: 1

      How certain can you be that you got the right servers? How certain can other people be?

      It's not clear to me that this is justified. It's too easy for it to go wrong, or to "accidentally" target someone other than the ostensible attacker.

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
    11. Re:Can shoot a person, can't take down a server by Anonymous Coward · · Score: 1

      Read it again, there's a comma in there right after the word State (from the as ratified by the States and authenticated by Thomas Jefferson, then-Secretary of State):
      "A well regulated Militia being necessary to the security of a free State, the right of the people to keep and bear Arms shall not be infringed."

      Why the pause? I, and others, will argue is the founders recognized a State needs a military force or it won't be free for long. But that military force can be turned against the people it's supposed to be protecting. The British soldiers were the shining example. The founders knew that one day the people may need to take up arms against their government (which has happened, see Battle of Athens). Thus, the people need weapons. The right is a defense against the militia, although it can serve other purposes as well.

  2. why they are concerned by Charliemopps · · Score: 4, Interesting

    They are concerned because some of these Attacks are perpetrated by the FBI/NSA/CIA.
    Can't have people retaliating against their own infiltration operations...

    Too bad the internet's down in North Korea, they'd be interested in this story for sure!

    1. Re:why they are concerned by cold+fjord · · Score: 1

      They are concerned because some of these Attacks are perpetrated by the FBI/NSA/CIA.

      DDOS against US/European banks? I highly doubt that.

      Too bad the internet's down in North Korea, they'd be interested in this story for sure!

      Your concern for the "Democratic People's Republic of Korea" is touching.

      --
      much of left-wing thought is a kind of playing with fire by people who don't even know that fire is hot - George Orwell
  3. Just like the old days... by Anonymous Coward · · Score: 3, Funny

    An i(phone) for and i(phone) and a (blue)tooth for a (blue)tooth.

  4. is it 4/1 already? by Anonymous Coward · · Score: 1

    I'm not sure what else to infer from a story that implies the fbi is investigating jpmorgan for criminal activity...

    1. Re:is it 4/1 already? by Jawnn · · Score: 1

      Bread and circuses. Nothing more.

  5. Can't catch a thief? by Anonymous Coward · · Score: 1, Insightful

    Catch the people defending themselves.

  6. Hooray Cyberpunk! by sabbede · · Score: 1
    Corporate cyberwarfare? Come on, that's right out of Gibson's head.

    And I am all for it.

    1. Re:Hooray Cyberpunk! by Anonymous Coward · · Score: 1

      Hack the Gibson!

    2. Re:Hooray Cyberpunk! by afgam28 · · Score: 2

      Does anyone else feel that using the term "cyberwar" to describe this is an insult to anyone who has ever been through a real war? Insofar as there is a conflict between two or more parties, it is like a war. But that's the furthest that the analogy can be taken without it falling apart. Let's get some things straight: computers aren't people, DDoS attacks cause orders of magnitude less suffering than real war, and using a hyperbolic analogy leads to massive escalations of a conflict (e.g. Obama getting involved and taking an entire country offline).

      I propose we replace this with a car analogy :). A bunch of people, possibly North Korean, possibly not, have gone and stolen a lot of cars and parked them in JP Morgan's car park. Now all the bankers, and their customers, can't find parking and can't get into the office. Banking and financial services have been denied. Then some guy at JP Morgan realizes that those cars all have New Jersey plates - that's where the attacks are coming from! So they go steal a bunch of other cars, drive them across the Hudson River, and use them to gridlock all the streets in Jersey City. Problem solved - there's now ample parking for Jamie Dimon's Maserati!

      Except that because cars were stolen and transported interstate, the FBI now has to get involved.

    3. Re:Hooray Cyberpunk! by zlives · · Score: 1

      not that i completely disagree, however just as a counter point...

      If ddos is not really that bad.. suffering and all, what difference does it make if the retaliation strike is done against the perpetrator's computer. its not a real person that's getting affected, just a computer. Or even an entire country, if it was US that retaliated, again its just some computers mostly being used to watch porn and cat videos anyway.

    4. Re:Hooray Cyberpunk! by afgam28 · · Score: 1

      Most DDoS attacks are launched from zombie botnets, so there's a lot of collateral damage when someone does a "retaliatory" or "self-defensive" attack. It usually misses the true perpetrator's computer.

      Anyway I'm not saying that DDoS is "not really that bad". My point was more that bad analogies lead to bad conclusions. It looks to me like a disgruntled employee hacked into SPE and hurt the feelings of a few celebrities who made some shitty movie, and somehow this has resulted in two nation-states getting involved. All because our leaders, the media and society don't really understand what's happening, so they've shoehorned this into a flawed mental model that they do understand: war.

    5. Re:Hooray Cyberpunk! by sabbede · · Score: 1
      I'm not talking about retaliatory DDoS.

      Unless the people behind the attack are physically located in the US or a nation interested in prosecuting them, there is no authority to turn to, no one to track down and prosecute the offender and no hope of restitution. That is where your car analogy falls apart, as there would be no FBI to get involved.

      But under your analogy, leaving cars all over Jersey streets wouldn't be the proper response. Hiring someone to find and beat the perpetrators would be the way to go.

      Taking the law into one's own hands is not permissible in civil society. But putting a bounty on the head of an outlaw is something rather different.

    6. Re:Hooray Cyberpunk! by sabbede · · Score: 1

      Is there a term that fits better? You are right that the traditional definition of "war" doesn't really fit, but if you look at the modern usage (http://dictionary.reference.com/browse/war?s=t definitions 5-7) you will see that it is absolutely appropriate. I tend to get a bit pedantic with semantics, so I'm not exactly enthusiastic about what has been done to the term (I want to slap LBJ for "The War on Poverty"), but it is what it is.

    7. Re:Hooray Cyberpunk! by zlives · · Score: 1

      in unrelated news, it seems everything we declare a war on keeps getting to be a bigger issue. Poverty, Drugs, Terrorism... perhaps its time we declared war on good health, wealth and wisdom.

    8. Re:Hooray Cyberpunk! by sabbede · · Score: 1
      You must never have seen the classic 1959 Peter Sellers film, "The Mouse that Roared". It's a serious documentary investigating the counter-intuitive results of war with America.

      To save you some googling: http://www.imdb.com/title/tt00...

    9. Re:Hooray Cyberpunk! by zlives · · Score: 1

      read the book, you know those things that burn really well at F. 451

    10. Re:Hooray Cyberpunk! by sabbede · · Score: 1

      What, one of those wood tablets? They don't even have wifi!

  7. If the government can't defend you... by Anonymous Coward · · Score: 5, Interesting

    ...should you not defend yourself?

    1. Re:If the government can't defend you... by ultranova · · Score: 1

      ...should you not defend yourself?

      Sure. The problem is, in the absence of an impartial referee everyone can submit to without losing face, things tend to get out of hand. You think someone's been unjust to you? Retaliate! Someone might be planning to attack? Attack them first! Someone's getting dangerously powerful? Take them down while you still can!

      Just look at world politics: areas with functioning hegemons, even completely impotent ones like the EU, have issues settled through legal battles, while areas without them, like Africa, have an endless supply of militant groups. The hegemon doesn't necessarily have to be a Leviathan, to produce obedience through fear of themselves, they just need to have general recognition as the legitimate ruler so that anyone willing to defect over any particular issue is put back into line by the others for fear of anarchy.

      --

      Forget magic. Any technology distinguishable from divine power is insufficiently advanced.

    2. Re:If the government can't defend you... by jeffmeden · · Score: 1

      ...should you not defend yourself?

      Sure. The problem is, in the absence of an impartial referee everyone can submit to without losing face, things tend to get out of hand. You think someone's been unjust to you? Retaliate! Someone might be planning to attack? Attack them first! Someone's getting dangerously powerful? Take them down while you still can!

      Just look at world politics: areas with functioning hegemons, even completely impotent ones like the EU, have issues settled through legal battles, while areas without them, like Africa, have an endless supply of militant groups. The hegemon doesn't necessarily have to be a Leviathan, to produce obedience through fear of themselves, they just need to have general recognition as the legitimate ruler so that anyone willing to defect over any particular issue is put back into line by the others for fear of anarchy.

      More importantly, the article mentions using "overseas locations" to retaliate. Really all this is (or would be) doing is dirtying the water to make it harder to find out who the real malicious actors are. Better to spend your resources tracing down the exact source, or better yet on public awareness campaigns about malware (since all DDoS "attacks", and a lot of other attacks, come from compromised bystanders). Otherwise, you are just going to push your attackers on to a different group of hosts and will get hit again before too long.

    3. Re:If the government can't defend you... by N1AK · · Score: 1

      Better to spend your resources... on public awareness campaigns about malware (since all DDoS "attacks", and a lot of other attacks, come from compromised bystanders).

      I'm sure the first thing people should think of when someone is shooting at them is that they should be putting more money into lobby educating people not to give guns to violent people!

    4. Re:If the government can't defend you... by Jaime2 · · Score: 1

      Nope. The person you are attacking back against is likely another victim whose hardware has been commandeered. In this case, your attack will do nothing to harm the perpetrator and will probably harm a bystander.

      If retaliation becomes the norm, then an effective method of attack amplification will be for a small entity to attack a large entity and frame the intended victim for it.

    5. Re:If the government can't defend you... by crimson+tsunami · · Score: 1

      If the first time you think about this is when you are under actual attack, haven't you already lost anyway?

    6. Re:If the government can't defend you... by Anonymous Coward · · Score: 2

      This is exactly the situation that shipping faced in the sixteenth through eighteenth centuries: state and non-state actors alike were interdicting commerce, seizing assets, and wrecking trade. Privateers arose, working both sides of the dilemma: they were both freebooting pirates and instruments of revenge for losses incurred. Eventually people realized that the only ones profiting from that system were the pirates, precisely because they worked both sides of the issue, while everyone else suffered tremendously.

      Copyright infringement isn't what deserves the label of "piracy": the hacking and mercenary counter-attacking we see now is.

    7. Re:If the government can't defend you... by NoKaOi · · Score: 1

      ...should you not defend yourself?

      There's also a difference between retaliation and defense.
      Scenario 1: Bank is being hacked. They take down attacking server to stop the attack. That's defense.
      Real world analogy: Somebody is mugging you. You punch them in the face to prevent them stealing your wallet.

      Scenario 2: Bank was hacked. They take down the server that attacked them. That's retaliation.
      Real world analogy: Somebody mugged you. You figure out who they are, go over to their apartment and punch them in the face.

      Of course, in scenario 2 they'll argue that they're bringing down the attacking servers because there is probably stolen data on them, but realistically, at that point do you think the hackers didn't copy it somewhere else?

  8. hahahhah oh the irony by Connie_Lingus · · Score: 2, Interesting

    as if the FBI/CIA/NSA aren't already tools of the plutocratic multi-nationals.

    i believe that the only reason they don't want them doing it on their own is that it robs the 3-letter agencies of political glory.

    --
    never bring a twinkie to a food fight.
    1. Re:hahahhah oh the irony by cold+fjord · · Score: 1

      i believe that the only reason they don't want them doing it on their own is that it robs the 3-letter agencies of political glory.

      So you see no downside to unregulated corporate hacking? I would have thought that someone supposedly concerned about "plutocratic multi-nationals" might have a different view. Or does this come back to the question of who's a tool?

      --
      much of left-wing thought is a kind of playing with fire by people who don't even know that fire is hot - George Orwell
  9. I'm sorry by Intrepid+imaginaut · · Score: 1

    I know I shouldn't say it but this is completely fucking awesome. We live in a cyberpunk future!

  10. laugh by koan · · Score: 2

    Is this the same FBI that told us NK was responsible for the Sony hack?
    Federal Bureau of Incompetence.

    --
    "If any question why we died, Tell them because our fathers lied."
    1. Re:laugh by HiThere · · Score: 1

      Why do you think that was incompetence rather that political manuvering? Ask 10 people at random, and if they even know about the Sony hack, most of them will blame North Korea.

      Lies, rather than incompetence, is what you should expect here until there is evidence to the contrary. (OTOH, if they were really competent, and cared, they could at least have come up with some decent evidence. My take is that they didn't care, however, rather than that they were incompetent.)

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
    2. Re:laugh by koan · · Score: 1

      Sure conspiracy is an option, I've covered that multiple times here's one: http://slashdot.org/comments.p...

      But here's something else to consider, getting caught at lying IS incompetence, so you see no matter how you look at it they are incompetent.

      --
      "If any question why we died, Tell them because our fathers lied."
  11. Not real hackers by MichaelMacDonald · · Score: 5, Insightful

    Normally I would be against this, but nowadays hackers are mostly just extortionists. Not to mention the damage they've done to the work done by real hackers trying to protect freedom. Really, I think this generation of hackers just need to be purged so the scene can get back to normal.

    1. Re:Not real hackers by wbr1 · · Score: 1
      That used to be the difference between hacker vs cracker. One was for personal enlightenment or social gain, while the other was for various profit/greed/destructive motives. Then the mass media co-opted hacker to be the bad guy.

      Now we have 'hacktivists' (whether you love or loathe the term) who are supposed to use their powers for perceived social good. As is often the case, the distinction is not always black and white.

      --
      Silence is a state of mime.
    2. Re:Not real hackers by HiThere · · Score: 1

      Sorry, but the term "cracker" was only created after the media started to refering to ANY computer exploit as the work of a hacker, and only publicizing the unlawful ones. It never caught on outside of a quite limited community. Give up the battle, it's time to invent a new word to mean what hacker used to mean.

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
  12. Re:dem haxx0rz by NotBornYesterday · · Score: 3, Insightful

    Probably not. Any hacker with two brain cells to rub together would quietly infiltrate systems in company A, from there infiltrate Company B, C & D, rinse/repeat until sufficient layers of abstraction sit between them & their target, and then use them to attack the real target. If the response of victim X is to nuke the IPs from which the attack came, they are a) hitting the wrong entity, b) potentially destroying evidence left by the real perps, and c) probably initiating a re-retaliation from the victim of their attack.

    --
    I prefer rogues to imbeciles because they sometimes take a rest.
  13. Ok for them by Lawrence_Bird · · Score: 2

    but not ok for anyone else. this is what happens when governments routinely skirt the law.

  14. Maybe if the FBI took care of them by azav · · Score: 2

    the companies wouldn't have an incentive to do that.

    --
    - Zav - Imagine a Beowulf cluster of insensitive clods...
  15. Re:dem haxx0rz by kelemvor4 · · Score: 2

    Probably not. Any hacker with two brain cells to rub together would quietly infiltrate systems in company A, from there infiltrate Company B, C & D, rinse/repeat until sufficient layers of abstraction sit between them & their target, and then use them to attack the real target. If the response of victim X is to nuke the IPs from which the attack came, they are a) hitting the wrong entity, b) potentially destroying evidence left by the real perps, and c) probably initiating a re-retaliation from the victim of their attack.

    ... and so begins Internet War 1!

  16. Just like the police by operagost · · Score: 1

    Is anyone surprised by the attitude of the FBI? They're cops. Cops are people who ignore you when you report a theft or assault, protect their own skins instead of the public, then throw you in jail for carrying a weapon to defend yourself.

    --

    Gamingmuseum.com: Give your 3D accelerator a rest.
  17. Yep, that's law enforcement for you by russotto · · Score: 1

    Dog in the manger. Can't protect you, can punish you for doing anything to protect yourself.

  18. Re:dem haxx0rz by mallyn · · Score: 1

    This friend speaks my words. Thank you.

    --
    Most Respectfully Yours Mark Allyn Bellingham, Washington
  19. FBI by TimSSG · · Score: 1

    Is this the same FBI that told us NK was responsible for the Sony hack?
    Federal Bureau of Incompetence.

    I just wish we could get all the incompetence located in a single bureau. Tim S.

  20. Re:Law won't solve that. by ceoyoyo · · Score: 1

    You need a name for that group. Something catchy. How about "League of Nations?" Or maybe something a little more modern. "United Nations?" But United Nations sounds like everybody would get involved. So maybe you want to have a smaller group of just the most important countries, specifically addressing security problems. You could call it the "Security Council" and just have the most powerful countries on it. Plus maybe a small number of rotating seats so the rest of the world had some representation. Then, for the biggest powers you could have direct lines of communication between their leaders so that they could cut through the diplomatic crap when the shit really hits the fan. Telephones would work. Better make them land lines for reliability. And make them red, because red means they're important.

  21. Re:Retaliation and Police? by HiThere · · Score: 1

    The purpose of the police is to protect the state. Normally they do this by enforcing the laws in such a way that those with the power to threaten the state feel that they are more secure being supported by the state than by threatening it. Additionally they often enforce other laws that happen to be there.

    Don't read this remit too narrowly. Consider it in context with "The law in its majesty forbids both the rich and the poor man from sleeping under the bridge."

    Unfortunately, I have described an honest and upright police force, not the one we've got.

    --

    I think we've pushed this "anyone can grow up to be president" thing too far.
  22. Re:dem haxx0rz by Mr.+Flibble · · Score: 2

    Probably not. Any hacker with two brain cells to rub together would quietly infiltrate systems in company A, from there infiltrate Company B, C & D, rinse/repeat until sufficient layers of abstraction sit between them & their target, and then use them to attack the real target. If the response of victim X is to nuke the IPs from which the attack came, they are a) hitting the wrong entity, b) potentially destroying evidence left by the real perps, and c) probably initiating a re-retaliation from the victim of their attack.

    The use of jumpboxes is common when attacking targets, which is exactly what you have described. However, the idea that you just "hack back" via a DDOS isn't how it is done. Companies know that blind DDOS retaliation will only land them in hot water, so they use other methods.

    A common method is a honeypot - a network segment with machines in it designed to be infected for observation purposes. Then, when activity is noticed in this network, things like trojaned PDF documents can be placed in the honey pot with titles like "All customers credit cards do not share". The attacker downloads this "great" data, opens it, and gets hacked in return.

    This way, the payload is deployed against the target hosts only through the direct action of the attacker themselves.

    Other methods that are similar are used, but this should give you the gist.

    --
    Try to hack my 31337 firewall!
  23. so... what? DDOS the botnets? by ihtoit · · Score: 1

    Great idea... why didn't we think of that?

    o.0

    --
    Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
  24. Re:self defense by ihtoit · · Score: 1

    you aren't hacking the one person who's hacking you, you're hacking innocents whose computers have been hijacked for the sole purpose of hacking you.

    Twat.

    --
    Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel