Striking back

Corporate vigilantes go on the offensive to hunt down hackers.

By Winn Schwartau

Network World, 01/11/99

In September 1998, the Electronic Disturbance Theater, a group of activists that practices politically driven cyber civil-disobedience, launched an attack aimed at disabling a Pentagon Web site by flooding it with requests. The Pentagon responded by redirecting the requests to a Java applet programmed to issue a counteroffensive. The applet flooded the browsers used to launch the attack with graphics and messages, causing them to crash.

The incident raises issues all user organizations will soon have to grapple with, if they haven't already. When you detect a break-in, should you launch a counterattack in order to protect your network? Is law enforcement capable of stopping cybercrime and can it be trusted to keep investigations quiet? If not, don't corporations have a right to defend themselves?

Some emboldened user organizations are answering "yes." They are striking back against hackers, sometimes with military efficiency and intensity, in an effort to protect their self-interests. In the process, they are fueling a debate over what is legal and ethical in terms of corporate vigilantism.

[And why isn't there a single publicly documented source of this? Aside from the grandiose claims of "Lou Cipher", there is no indication of multiple organizations doing it.]

One end of the opinion spectrum says law enforcement agencies are generally not up to the task, so corporations have a fiduciary responsibility to protect their interests. The only question for these companies is how far they are willing to go. Will they break laws, and if so, which ones?

[And if they do break a single one, they will find themselves in a lawsuit that rivals any others they have seen. Big companies have deep pockets, hackers don't.]

The opposite view is corporate vigilantism is wrong: Taking the law into one's own hands only makes things worse.

The First Vigilante Corp.

Lou Cipher (a pseudonym of his choice) is a senior security manager at one of the country's largest financial institutions. "There's not a chance in hell of us going to law enforcement with a hacker incident," he says. "They can't be trusted to do anything about it, so it's up to us to protect ourselves."

[Lou Cipher? Seems someone with that big of a company and that kind of position could set a trend. If he exists. And why don't they go to law enforcement? Not because of reaction, but because of the public embarrassment of an intrusion. People lose faith in financial institutions when they aren't secure. THAT is the reason.]

Cipher's firm has taken self-protection to the extreme. "We have the right to self-help - and yes, it's vigilantism," he says. "We are drawing a line in the sand, and if any of these dweebs cross it, we are going to protect ourselves."

Cipher says his group has management approval to do "whatever it takes" to protect his firm's corporate network and its assets.

[And odds are their management has no clue that employees are breaking the law. For executives at a large financial institution to sign off on this activity would be criminally insane.]

"We have actually gotten on a plane and visited the physical location where the attacks began. We've broken in, stolen the computers and left a note: 'See how it feels?' " On one occasion, he says: "We had to resort to baseball bats. That's what these punks will understand. Then word gets around, and we're left alone. That's all we want, to be left alone."

[This is pure crap. Even if they could track the attacker back to his location, there would be no way to know who was at the keyboard. This is the same dilemma law enforcement faces, and why they are perceived as "ineffective" by people like "Lou Cipher". Moving past this problem, if Cipher's team could get the attacker's information reliably, actually visiting them is just too far-fetched. Resorting to breaking and entering? Malicious harassment? Physical assault? No way. Last, the response "see how it feels". No, the attackers did not break in and steal your computers. They tried to hack them. This goes way beyond "eye for an eye" justice.]

A senior vice president of security at a major global financial firm speaks of the matter in military terms. He equates a hacker intrusion to a "first strike," and says defense is an appropriate response. "If you use measures to restore your services, that's defense, not offense," he says. When asked how far his company goes, he concedes only, "I am willing to defend myself."

In interviews with dozens of companies, a surprising number are seriously considering implementing "strike-back" capabilities. However, when asked, most companies would not admit they have already taken such steps.

[Because it is illegal. They can't implement them. Further, striking back at an alleged attacker would create a situation where ALL evidence collected from the would-be attacker would be inadmissible.]

Bruce Lobree, an internal security consultant at a major financial institution, is cautious about admitting his firm uses vigilante activities and strike-back techniques. He says with a smile, "I can't answer yes or no. That's proprietary. Besides, legally we can't. But I can tell you that everything that occurs at our network perimeter and inside our networks is recorded."

[Innuendo, nothing more. Of course organizations log everything internally; that is a non sequitur. The jump from logging attacks to any form of strike-back technology is huge.]

A recent study, "Corporate America's Competitive Edge," conducted by Warroom Research, a competitive intelligence firm in Annapolis, Md., shows that 32% of the 320 surveyed Fortune 500 companies have installed counteroffensive software. Warroom President Mark Gembecki notes that not every company will send out thugs to enforce their firewall policies. Cyber-response is OK, he says, but Cipher's physical retaliation is "a clear and overt violation of civil rights."

[So roughly 100 Fortune 500 companies have implemented a strike-back server. How many times do I have to point out that it is illegal? Should I also point out there is absolutely no company offering these servers or software at the time of this article? The closest thing that comes to mind are products like SideWinder that have user-defined actions as a response. This is akin to saying that gun manufacturers are to blame for user error. These are companies that can't fully implement adequate security, yet are miraculously implementing strike-back technology?]

Such extreme counteroffensive methods raise the hackles of even the staunchest corporate information warrior. Lloyd Reese, program manager of information assurance for Troy Systems, a technical support company in Fairfax, Va., has a criminal justice background and says physical response is illegal and "doomed to failure." Such responses will only invite further attacks - perhaps even more intense, he says. "Companies need to follow the appropriate legal process. We already have chaos on the Internet, why should we make it worse?"

Joseph Broghamer, information assurance lead for the U.S. Navy's Office of the Chief Information Officer, goes further, saying even the Pentagon shouldn't have done what it did. "Offensive information warfare is not a good thing . . . period. You want to block, not punish," he says. "There is no technical reason to react offensively to a hacker attack." His opinion is shared by precious few.

[His opinion is shared by precious few?! I must be misreading this. Any logical and sane person shares that exact view.]

As part of its information security practice, Ernst & Young has been asked about strike-back capabilities and how hostile perimeters might be used for defense. Dan Woolley, national leader of market development for the firm, says he knows of "companies in finance, insurance and manufacturing that are developing and deploying the capability to aggressively defend their networks." He is quick to point out, however, "We don't do it for ourselves even though we are attacked regularly."

[What?! "aggressively DEFEND". Of course E&Y defends their networks. This is clever placement of a quote to make it seem like more people agree with this absurd idea. E&Y doesn't aggressively ATTACK the attackers.]

The questions security software vendors and consultancies like Ernst & Young are now grappling with are wrenching: Should they develop offensive software, offer it to their clients, deploy it and support it? And if so, how open should they be about it?

How they do it

It's easy to understand why companies are interested in the idea of corporate vigilantism. Even the best layers of defense - firewalls, passwords and access control lists - can't work alone for many reasons. Among them:

Network topology, users and software are constantly changing. There is no way to keep up.

New vulnerabilities are found - and exploited - daily.

A small number of individuals with little technical skill can launch massive online attacks.

Once an attack is detected, corporate vigilantes have various methods of evening the score.

[No. This is only assuming the attacker knows little, and uses their own account, registered to them while attacking.]

The Navy's Broghamer argues that sometimes the best response to an attack is to shut down the network connection altogether, although he acknowledges the Navy is not as sensitive to uptime and customer perception as the private sector.

Another approach is to send a strongly worded message to the source IP address or to an ISP in the path. Traceroute is a tool that can identify source IP addresses. But you have to get the assistance of ISPs down the line to trace additional hops on the Internet, because each hop has to be covered in order to find the real source. That's all legal, but you may need to pressure the ISP into working with you quickly to identify the next hop in the chain. Once you collect this data, it can be handed over to law enforcement officials - who may or may not react.

[Oh yeah, let's blatantly ignore the concept of 'spoofing' here. Just because the packets hit your system doesn't mean you really know where they come from. All of this sets people like Cipher up to attack innocent strangers.]

In 1994, Secure Computing, a security vendor in Roseville, Minn., introduced Sidewinder, a novel firewall with strike-back capabilities. If it senses an attack, it launches a daemon that will trigger the offensive techniques of your choice. Other companies indicate they will soon be offering a range of strike-back products.

[Once again, this is extremely misleading. Secure Computing never advertised it would trigger the offensive techniques. It advertised that it could take 6 pre-defined actions, and NO user-defined actions. The default was to dig, traceroute, nslookup, finger, ping and whois. Never did they suggest, encourage or mention offensive attacks. No default action or script provided with a SideWinder firewall is offensive. This is as of version 3.2.]

A company crosses the line when it responds by unleashing a denial-of-service attack against an intruder, as the Pentagon did. This can be done via massive e-mail spamming, the Ping of Death and hostile Java applets.

[I would have to double check, but the Pentagon situation mentioned twice now did not result in the DOD attacking back. It took the same actions as Abacus Sentry takes: it drops the route and denies future connections. That is a defensive response.]

No matter what offensive mechanism you choose, the trick is to identify the culprit before returning fire. Should you fail to recognize that the attacker spoofed the identity of another company, you may find yourself attacking J.C. Penney, NBC or General Motors. Innocent companies would not take kindly to that sort of activity - no matter the reason - and ISPs don't appreciate being the vehicle for Internet-based attacks.

[FINALLY... they mention this! At *NO* point can you EVER tell who is at the keyboard attacking you. No matter what account is used, where they come from, or anything else... you never know if you are attacking the right person. End of story.]
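As an added example (not from the article or the annotator's notes), the following Python sketch shows the "block, not punish" response that the article's critics endorse, run over constructed firewall-style log lines: a flooding source gets a narrow, temporary deny; a source that claims to be inside our own netblock is escalated to a human rather than blocked, since it is the likeliest to be spoofed; and nothing is ever sent back toward the address. The log format, the protected netblock and the thresholds are assumptions.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample: firewall-style "SYN src -> dst:port" lines.
SAMPLE_LOG = """\
03:00:00 SYN 198.51.100.7 -> 203.0.113.10:80
03:00:00 SYN 198.51.100.7 -> 203.0.113.10:80
03:00:01 SYN 198.51.100.7 -> 203.0.113.10:80
03:00:01 SYN 198.51.100.7 -> 203.0.113.10:80
03:00:01 SYN 192.0.2.44 -> 203.0.113.10:80
03:00:02 SYN 203.0.113.200 -> 203.0.113.10:80
03:00:02 SYN 203.0.113.200 -> 203.0.113.10:80
03:00:02 SYN 203.0.113.200 -> 203.0.113.10:80
03:00:03 SYN 203.0.113.200 -> 203.0.113.10:80
"""

LINE_RE = re.compile(r"^(\S+) SYN (\S+) -> (\S+):(\d+)$")

# Hypothetical: address space we own or peer with.  A flood that claims to
# come from here is far more likely spoofed (or a misdirected scan) than a
# real attack, and blocking it would cut off our own users, much like the
# ISP admin in the article who shut down routers on seeing a security scan.
NEVER_AUTOBLOCK = [ip_network("203.0.113.0/24")]
FLOOD_THRESHOLD = 3          # SYNs per source within the sample window
BLOCK_SECONDS = 600          # the deny is temporary: attribution is uncertain

def parse(log_text):
    """Yield (timestamp, src, dst, port) for well-formed lines; skip noise."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2), m.group(3), int(m.group(4))

def decide(src, hits):
    """Pick the response for one source.  Only allow, deny or escalate:
    never initiate traffic toward the address, which may not be the attacker."""
    if hits < FLOOD_THRESHOLD:
        return {"src": src, "action": "allow", "hits": hits}
    addr = ip_address(src)
    if any(addr in net for net in NEVER_AUTOBLOCK):
        return {"src": src, "action": "escalate", "hits": hits,
                "reason": "source inside protected netblock; likely spoofed"}
    return {"src": src, "action": "deny", "hits": hits, "seconds": BLOCK_SECONDS}

def respond(log_text):
    """Return one decision per source address, busiest source first."""
    counts = Counter(src for _, src, _, _ in parse(log_text))
    return [decide(src, n) for src, n in counts.most_common()]

if __name__ == "__main__":
    for decision in respond(SAMPLE_LOG):
        print(decision)
```

The decisions are data, not actions: feeding the "deny" entries to a firewall and the "escalate" entries to an analyst keeps the automated part of the response within the defensive posture the article's critics describe.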

Indeed, one of the big dangers with corporate vigilantism is how easy it is to overreact to an apparent attack. In spring 1997, one of the Big Six accounting firms used scanning tools from Internet Security Systems (ISS) to assess the security of a major ISP that controlled a huge amount of Internet traffic. When a network administrator on duty at the ISP noticed a thousand simultaneous connections to his firewall, he reacted quickly and shut down several routers. "His manual reaction took down 75% of the Internet," says Tom Noonan, president of ISS. "Anyone using Sprint at that time was in a world of hurt."

Even those with a strong inclination for vigilantism note that counteroffensive responses are fraught with danger. "Talk to your lawyers," Troy Systems' Reese advises. "Keep in mind that your strike back has to go through a long path, and you might do damage at any place along the way." Retribution can cause a hair-trigger response that could cause damage to systems in the path from you to the attacker.

"You really have to understand what you're doing," says Ray Kaplan, a senior information security consultant with Secure Computing. "Your first response might invite further attack, exactly the opposite of what you intended. You have to consider your firm's public relations posture and how the Internet community as a whole will react to your actions."

Don't ask, don't tell

As for how law enforcement will view vigilantism, the answer from many companies is a resounding, "Who cares?"

Vigilantism is emerging as a response to the intense frustration people feel with law enforcement authorities they view as simply not up to snuff. Complaints from top firms in the U.S. range from downright ineffectiveness ("clueless" is an oft-repeated word) to a lack of staff, lack of funding, courts that are too crowded with cases and the snail-like speed at which typical law enforcement investigations run.

"One reason you see vigilantism is because law enforcement doesn't get the job done," says Fred Cohen, president of Fred Cohen and Associates and principal scientist at Sandia National Laboratories. "Law enforcement might investigate if you have a lot of political clout and you do all of the leg work."

Companies are also fearful of what might happen if they do bring in law enforcement. "It's a hell of a situation when victim companies are more fearful of the FBI than they are of the attackers," says Michael Vlahos, senior fellow at the U.S. Internet Council. He echoes the worry that sensitive corporate information will not be protected if handed over to law enforcement.

"Law enforcement is helpless," ISS's Noonan maintains.

"It's not like Israeli fighters who train every day for every contingency. Conventional law enforcement just can't match the skills needed. Besides, you can't trust law enforcement to keep your secrets from becoming public knowledge."

Predictably, law enforcement does not favor the vigilante view - at least publicly. "If someone were to attack us, we are not encouraged to swat back," says Lt. Chris Malinowski of the New York Police Department, who specializes in cybercrime. "If companies take any of these proactive defensive steps, they are taking a big chance, subject to criminal prosecution."

Dave Green, deputy chief of the Computer Crimes and Intellectual Property Section for the U.S. Department of Justice, says he relates to the frustration over law enforcement's inability to respond, but adds that his department can only recommend protective measures. Yet he stops short of advising against corporate vigilantism outright. When asked if companies should hack back at attackers, Green responds, "no comment," as he does to questions as to what could legally be considered an attack. "But I can say that law enforcement is gearing up and is much better equipped to deal with cybercrime," he adds.

When they are not speaking for attribution, law enforcement authorities of all stripes go further than Green. Local police, state police, the FBI, Secret Service, Interpol and Scotland Yard members all say the same thing - unofficially: "We can't handle the problem. It's too big. If you take care of things yourself, we will look in the other direction. Just be careful."

[And amazingly enough, not a single NAME to be attributed this quote...]

Security consultant Lobree seems to understand the police mentality and applies the red light theory to cybervigilantism. "Suppose it's the dead of night on a country road, and you come upon a stop light. You can see for miles in all directions. Are you going to run the light even knowing there is virtually no chance of being caught?" Some, perhaps most, won't, because they have an innate fear of being caught. Others will forge ahead. "A lot of companies recognize that the chance of getting caught in a vigilante cyberstrike is pretty darn low," he says.

It's your call

A number of sources suggest vigilantism might be a business opportunity for a firm that wants to specialize in counteroffensive network security. "In the 1860s, law enforcement was conducted by Pinkerton, a private company," Vlahos says. Many suggest that privatization should be the case in the cyberworld as well. The kind of offensive network security products needed to make it happen are starting to find their way into corporate tool kits and onto the Internet.

[A company specializing in illegal activity. Sounds like organized crime to me.]

But the legal challenges that coexist with hostile perimeters and counteroffensive measures are daunting.

The astute company will examine every aspect of its posture before marching down the slippery slope of vigilantism. Sometimes the best defense is not to overreact. In the worst case, do nothing until a proper response can be developed.

Vlahos says courts may be the place to create new laws more attuned to the technology. "This is a whole new arena, and I don't know how we can explore it without trying new approaches, even if they are technically illegal."

Cipher, the baseball-bat-bearing vigilante, is all for new approaches. "Personal persuasion is always more effective than electronic persuasion," he says. "Personal persuasion virtually guarantees that a hacker will see the error of his ways, scamper to please and turn over a new leaf."

[And I can tell you that if he entered my household without permission, regardless of what I did... I would use my right to shoot in self defense. Where would he be then?]

No matter what path you choose, make sure it is well thought out and that you have your legal ducks in a row. You just might need them.
