Risk

3/5/2009 10:22 PM
George V. Hulme
Commentary

Offensive Computing: A Bad Idea That Never Dies

Your network is getting scanned from some system on the other side of the country, or perhaps the globe. You traceroute the IP address, and discern the offending system is infected with a bot that's trying to infect you. You take a look at the device and see it's not patched for a multitude of OS vulnerabilities. Is it ethical (never mind legal) for you to take the system down with some exploits of your own?

It's clearly not legal in most areas I'm familiar with. But let's set that annoying fact aside for a moment.

I despise the topic of "offensive computing." The controversial subject seems to come up every couple of years. It surfaced after the massive Code Red worm outbreak in the summer of 2001, which brought many networks to a crawl: shortly thereafter, the counter-worms Code Green and CRclean appeared, both devised to spread and patch Code Red's target, unpatched IIS Web servers.

It was a desperate time, and sometimes those times call for desperate measures. But these types of worms aren't a good idea. Too many potential unintended consequences. Too high of a risk of collateral damage: innocent networks clogged -- or even data destroyed -- because of a programming error.

In fact, the very idea of offensive computer actions goes against the 10 Commandments of Computer Ethics, which were created in 1992 by the Computer Ethics Institute and are supposedly the foundation for the CISSP's own ethics rules:

The Commandments

1. Thou shalt not use a computer to harm other people.

2. Thou shalt not interfere with other people's computer work.

3. Thou shalt not snoop around in other people's files.

4. Thou shalt not use a computer to steal.

5. Thou shalt not use a computer to bear false witness.

6. Thou shalt not use or copy software for which you have not paid.

7. Thou shalt not use other people's computer resources without authorization.

8. Thou shalt not appropriate other people's intellectual output.

9. Thou shalt think about the social consequences of the program you write.

10. Thou shalt use a computer in ways that show consideration and respect.

Seems like a good ethical foundation to me. Which is why it was so surprising to me, last year, when Microsoft researchers broached the idea of using worms to propagate patches. From a blog I wrote on the topic last year:

Because no central server needs to provide and coordinate all the downloads, software patches that spread like worms could be faster and easier to distribute because no central server must bear all the load. "These strategies can minimize the amount of global traffic across the network."

I'm sure it would work. Except for those times that it doesn't.

It also could violate Ethical Commandments 1, 2, 7, and often number 10.

But the biggest, most boneheaded notion I think I've ever encountered was Sen. Orrin Hatch's interest in blowing hard-drives off of the Internet if they illegally downloaded music files. From my 2003 news story, "Senator: Give Movie And Record Companies A License To Hack":

The chairman of the Senate Judiciary Committee, Orrin Hatch, R-Utah, said on Tuesday that he'd be interested in learning ways to damage computers used to illegally swap song and movie files.

The comments came during a hearing on copyright abuse. Hatch was quoted by the Associated Press as saying he'd be interested in hearing about ways to disrupt file-swappers without destroying their systems, but if that couldn't be done then he'd be in favor of destroying their computers.

This isn't the first time legislators floated the idea of giving the recording and motion picture industries a license to hack. Lobbyists for those industries have sought the right to hack into and disable peer-to-peer trading networks, and they want legal protection against suits over damages done to the computer systems of file swappers.

That idea was asinine on the face of it. But it shows just how whacked the notion of "offensive security" could possibly get.

Just this morning, the idea of offensive computing reared its provoking head on Christofer Hoff's Rational Survivability blog. Here he raises the question:

Yesterday at IANS, Greg Shipley gave a great keynote that focused on a lot of things we do today in InfoSec that aren't necessarily as effective as they should be. Greg called for a change in our behavior as a community to address the gaps we have.

In the Q&A section, it occurred to me that for the sake of argument, I would ask Greg about his thoughts on changing our behavior and position in dealing with security and our adversaries by positing that instead of always playing defense, we should play some offense.

I didn't constrain what I meant by "offense" other than to suggest that it could include "active countermeasures," but what is obvious is that people immediately throw up walls around being "offensive" without spending much time defining what it actually means.

I know Chris is trying to get a discussion on the subject rolling. And we should always re-evaluate how we protect and respond to risks and threats. But my answer is: No, Chris, we should not engage in offensive computing.

Chris didn't define what he meant by offensive computing. I suspect so as to not draw attention away from the spirit of the question. But I can't think of any circumstance where a private citizen, or CISO, would have the right to take offensive action on systems they don't own, control, or have responsibility over.

Chris called out this statement; I'm not sure whether it was his analogy or that of someone at IANS with whom he was discussing the concept of offensive computing:

There's not been a war yet that has been won with defense alone, so why do we expect we can win this one by simply piling on more barbed wire when the enemy is dropping smart bombs? This is the definition of insanity and a behavior that we don't talk about changing.

This analogy is stinko. CISOs and private citizens, and even cybercops, aren't fighting a "war" against malware or cybercrime. There is no single enemy. There are a multitude of characters. All with varying means, motives, and capabilities. Some are cyberthugs, some are writing malware just to wreak havoc, others are sophisticated criminal rings conducting identity theft and stealing credit card information. Others are mere annoyances.

Just like fighting any other type of crime, there will be no final victory. There will be no surrender. There will, ultimately, be no end. And, just like any other crime, the best society can do is manage it down to a reasonable level.

So, if you find yourself under digital attack, block the offending ports, call the police, and/or contact the hosting company or ISP of the attacker. Handle it like you would any other crime, but don't commit one of your own in the process by attacking back.

Because if we go down this path, the U.S. government may one day conclude it's within some lobbyist group's rights to wipe your hard drive.
