Attacks/Breaches
11/2/2012
12:42 PM
50%
50%

9 Facts: Play Offense Against Security Breaches

Striking back by hacking hackers is a legal and corporate no-no. But IT and security managers can shore up defenses and trick attackers into revealing their identities.

Who Is Hacking U.S. Banks? 8 Facts
Who Is Hacking U.S. Banks? 8 Facts
(click image for larger view and for slideshow)
When the intrusion prevention system signals that a corporate network is under fire, what IT manager wouldn't love to launch a cyber strike-back attack?

Better to control any such impulses, as legal experts say that "hitting back" may break the law. For starters, unauthorized access to an attacker's system can put you in violation of the Computer Fraud and Abuse Act or states' trespass laws.

On the other hand, as David Willson, an attorney from Titan Info Security Group, said at this week's Hacker Halted conference, "If a hacker wants to sue you for unauthorized access, that might be a chance you're willing to take."

[ The FBI is beefing up its resources to defend against malicious hackers. Read more at FBI Expands Cybercrime Division. ]

Unauthorized access to an attacker's system is one thing; a full-blown cyber strike-back is another. Given all the potential responses, exactly what is allowed -- or at least tends to not be prosecuted? Here are nine facts to help keep your security operations in the legal and ethical clear.

1. Forget striking back, unless you're Georgia.

Online attacks may be sexy, but they're also illegal – unless, of course, you happen to be operating under the aegis of a clandestine U.S. government cyber-weapons program, or assisting a state intelligence or security service.

Take the country of Georgia, which recently outed an attacker through his webcam. Unfortunately, its techniques fall into the "Don't Try This at Home" camp for corporate security professionals, since Georgia's self-described "counter cyber-intelligence" effort involved infecting the attacker with his own Georbot malware. To do this, Georgian security experts infected a test machine with the malware, thus putting it under the control of the attacker's botnet. Then they copied a fake zip file containing the malware, re-titled "Georgian-Nato Agreement," onto the PC.

Helpfully, Georgia's Computer Emergency Readiness Team (CERT) had already gained access to the botnet's command-and-control server control panel. So after the attacker unzipped the file and executed it, infecting himself with his own malware, Georgian authorities were literally able to control his computer. They then activated the webcam and began studying the contents of his PC, obtaining information about his destination city, Internet service provider, and email, as well as his handle--Eshkinkot--according to a report released by Georgia's CERT, which blamed the attack on Russian security services.

2. Don't set malicious booby traps.

If striking back is out, what's the point? Focus on building a better defense. "We discourage people from full-on attacking back," said Paul Asadoorian, product evangelist for Tenable Network Security. He teaches an "offensive countermeasures" course with John Strand on tactics and measures that companies can take to improve their defenses while also adding, in his words, "a splash of offense."

A large portion of the course is devoted to reviewing relevant case law from both the digital and physical realms. "We're definitely aiming to put in the hands of practitioners techniques that they can use that are both effective at stopping attackers today, and which also won't land them in an orange jumpsuit," Asadoorian said, speaking by phone.

He references a case involving Eric Stetz, who decided to protect his apartment by creating a malicious booby trap involving a knife duct-taped to a crutch. When the landlord opened the apartment on a preannounced maintenance visit, he fortunately avoided injury, but Stetz was arrested on charges of reckless endangerment. "You should not be thinking of doing the digital equivalent of what this person has done, because the moral of the story is, the wrong person could fall into this trap," said Asadoorian. "You have to use good common sense."

3. Pursue reconnaissance.

Malicious booby traps are out, but some types of reconnaissance seem to be legally acceptable. In a case involving Jerome Heckenkamp, for example, a Unix system administrator at Qualcomm who was investigating an attack collected the IP and MAC addresses of the attacker and then hacked into the alleged attacker's computer, which he found belonged to Heckenkamp. Crucially, however, the administrator didn't delete any data or set any traps -- he only collected relevant information -- and a court ruled that he hadn't violated Heckenkamp's privacy. Heckenkamp ultimately agreed to a plea bargain that saw him released for time served.

Port scans, which might be considered an offensive countermeasure, also appear to be legally acceptable in some circumstances according to Asadoorian, who noted that many security researchers have used them to help reveal the quantity of Internet-connected devices with known vulnerabilities.

Still, many underlying legal questions remain unanswered. Veteran technology reporter David Pogue, for example, this month asked in Scientific American, "Does a public 'Find My iPhone' search violate personal privacy?" after he tweeted the address of the person who'd snatched his iPhone from an Amtrak train. While local police recovered the phone and the culprit admitted guilt, Pogue's tweet raised some people's privacy hackles. After investigating the issue, however, Pogue reported that "for the most part … both the legal and ethical ramifications of my crowd-sourced phone quest are nothing but murk."

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Titaninfosec
50%
50%
Titaninfosec,
User Rank: Apprentice
11/5/2012 | 6:53:28 PM
re: 9 Facts: Play Offense Against Security Breaches
Matthew, it is nice to say hackback is illegal, and for the most part it is, but this is the knee-jerk reaction that prevents companies from adequately defending themselves. As you quoted from me and my lecture at Hacker Halted there are avenues of approach companies can pursue that go beyond standard defensive techniques. This is needed because we are losing the war and being decimated. If law enforcement can help I am all for it. But if not, unique and out of the box options must be explored and there are a lot more legal options that companies are missing by falling prey to the fear that it is all illegal. Thanks for the great article.
Dave
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This is a secure windows pc.
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.