[This article is much like the 'blitzkrieg' article that came out months
previous to this one. The same arguments and problems facing the 'blitzkrieg' 
server apply to this one. Please refer to the original article for
these arguments. You can also view a letter written to CMP.COM complaining about
this article.]

http://www.internetwk.com/news1298/news120498-12.htm

Friday, December 4, 1998, 5:15 p.m. ET.
The Enterprise Strikes Back
By RUTRELL YASIN

Stung far too many times by hackers, IT managers are fighting back. 

An increasing number of large companies are arming themselves with systems
designed to launch debilitating counteroffensives when attacks are
detected, according to a security study to be released next month. 

[This study should be interesting as it could very well outline
several companies employing illegal methods of retaliation against
would-be hackers.]

In an 18-month study of 320 Fortune 500 companies, 30 percent said they
have installed software capable of launching counterattacks after
suffering security breaches, according to WarRoom Research president Mark
Gembicki, an author of the study.

[There is absolutely no way this figure is right, OR the study 
was carried out poorly. No IT manager in their right mind would admit 
to deploying such a device. Further, since there is NO commercial
system for striking back at attackers, that means that the 30% have
created their own method. I find this very difficult to believe.]

The report, titled "Corporate America's Competitive Edge," focuses on
security and business intelligence practices. Gembicki will share
preliminary findings at several conferences next week in the Washington,
D.C., area. 

The method known as "strikeback" gained wider attention during the past
few months as the Pentagon reportedly thwarted a series of attacks with
software that disabled browsers used by the attackers. 

[If memory serves, this was disabling IPs from connecting to the 
web server to thwart a "bandwidth sit-in", NOT a hacker attack.]

Strikeback runs the gamut from passive collection of information about
hackers to deter further intrusion to a "Ping of Death" and flooding a
hacker's system beyond its capacity, both of which shut down the hacker's
system. Strikeback can even be escalated to the network level, where a
victimized company alerts its firewalls and routers to cut off all
external access or to flood the hacker's system. 

[Sending the flood or 'ping of death' to the remote system is just
as illegal as the person attacking them. Dropping the route between an 
attacking host and your network is not a strike back method.]

Users and security experts said there is a need for strikeback
capabilities but also warn that taken too far it could pose serious legal
and technical problems. 

[Too far? The *FIRST* 'ping of death' sent from your host to a remote
system is technically illegal.]

"The idea of striking back is good, but there are legal issues that need
to be resolved," said Dean Rich, who heads network protection as vice
president of security at an Internet technology developer. 

For example, you must ensure that a counterstrike is aimed at the correct
system. 

[Which, as we all know, is impossible to do. Hackers often use other
networks to launch their attacks from. There is no way to distinguish this
remotely. If there was, feds would be busting hackers left and right.]

Jeff Moss, the director of penetration services at Secure Computing Corp.,
said he agreed. 

"I'm a big fan of using equal force. If someone hits you with a stick, hit
him back with a stick," Moss said. "The Defense Department was right in
defending itself. It didn't break into any machines nor did it delete
files." 

However, "the DOD was lucky it knew who was attacking and could get the
right people," Moss said. "In many cases, you can't be completely sure of
who's attacking." 

Once a hacker detects a retaliation, he can forge the headers on packets
and make it seem as though the attack is coming from another address or
location, experts said. And if a company launches a countermeasure using
hostile applets or code that denies services or wreaks havoc on an
innocent user, the results could be disastrous. 

Gembicki would not comment on whether any of the surveyed companies had
actually inserted hostile applets to disable any attacker systems. 

[What?! Gembicki said that 30% of the companies surveyed HAD 
installed this type of software.]

But he did say many companies would rather rely on their own strikeback
capabilities than call in the FBI or state law enforcement agencies. They
view strikeback as a right, just as the law protects physical self-defense
by way of force, he said. 

[To use their analogy against them, this is more like setting 
a booby trap in the house. It is illegal because it is just as capable 
of going off on the fireman or policeman coming in to help you, as it is
on the criminal breaking in.]

Security vendors are treading carefully, incorporating strikeback-like
features in their products at a deliberate pace. 

[Of course, they can't quote a single piece of software with a 
SINGLE strikeback feature...]

"Personally, I don't know of any [commercial] software in place that truly
does strike back," Rich said. But he cited a case in which a company was
being spammed through e-mail, and it returned fire by sending a denial of
service that flooded the culprits' systems with traffic and virtually shut
them down. 

But any strikeback "certainly has to be done with caution," said Patrick
Taylor, director of strategic business marketing at Internet Security
Systems Inc. 

The company's RealSecure intrusion detection system can send a command
that kills a TCP/IP connection when an intrusion is detected. It also can
e-mail an administrator or have an Internet service provider revoke an
account that is launching an attack. 

[Resetting a connection to your network and denying traffic is NOT
strikeback. Including this in the article is very misleading.]

"It doesn't have the immediate gratification of [a person] saying 'Hey I
blew that guy out of the water,' " Taylor said. But it can set the stage
for a company to launch a more controlled counteroffensive, he added. 

But it's an ominous sign if companies adopt an attitude of shoot first and
ask questions later, said Drew Williams, manager of intrusion detection at
computer security developer Axent Technologies Inc. A passive approach is
better, he said, in which IT managers can gather complete information
about the intruders and then strike. 

Some reports have indicated that 80 percent of intrusions occur inside an
organization, and 65 percent to 70 percent of those are mistakes, Williams
said. It would be regrettable to launch a counterstrike against someone
who has mistakenly keyed something, he added. 

Gembicki agreed there should be controls on the use of strikeback
technology. A code of ethics controls how government agencies such as the
Pentagon use strikeback measures. However, many of the Fortune 500
companies are motivated by profits and protecting corporate assets. 

[Yeah, the code of ethics is "don't do a damn thing against
anyone. No offensive action."]

"These companies are truly borderless" and are moving into uncharted
territory, Gembicki said. 

[In most cases, the new territory is illegal.]

As a result, Rich expects to see "a lot of information security cases
going to court in the next few years, and these [cases] will set the
foundation." 

[The last thing to consider is that if hackers know this software
is installed, they can intentionally use the companies with strike-back
servers to target third parties. Using the forged packets, it would be trivial
to trick the servers into attacking an arbitrary host. Rather than being
a tool for the company, it becomes a DoS tool for the rest of the net.]
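The reflection problem described in the comment above, as an added toy simulation that is not part of the original article or commentary: a hypothetical Responder model compares an automated "strikeback" policy with a perimeter-only containment policy when every alert carries a forged source address. All addresses are constructed RFC 5737 documentation values, and the Responder is an illustration, not any product's behaviour.

```python
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample addresses from the RFC 5737 documentation ranges.
ATTACKER = "198.51.100.9"   # real origin of the probes (never seen on the wire)
BYSTANDER = "203.0.113.7"   # innocent host whose address is forged as the source
COMPANY = "192.0.2.10"      # the server fitted with the hypothetical responder


@dataclass
class Packet:
    src: str   # claimed source address; a sender can forge this freely
    dst: str


@dataclass
class Responder:
    """Hypothetical auto-response module with two selectable policies."""
    policy: str                       # "strikeback" or "contain"
    flood_factor: int = 100           # retaliation packets emitted per alert
    blocklist: set = field(default_factory=set)
    sent: Counter = field(default_factory=Counter)  # outbound packets per dst

    def on_alert(self, pkt: Packet) -> None:
        if self.policy == "strikeback":
            # Retaliates against whatever address the packet *claims* to come from,
            # so forged headers redirect the whole response at a third party.
            self.sent[pkt.src] += self.flood_factor
        else:
            # Containment acts only inside the company's own perimeter:
            # nothing is transmitted, the address is simply dropped at the edge.
            self.blocklist.add(pkt.src)


def simulate(policy: str, n_probes: int = 10) -> Responder:
    """The attacker sends n_probes packets, each with BYSTANDER forged as source."""
    responder = Responder(policy)
    for _ in range(n_probes):
        responder.on_alert(Packet(src=BYSTANDER, dst=COMPANY))
    return responder


def amplification(responder: Responder, n_probes: int) -> float:
    """Outbound packets aimed at the bystander per forged packet received."""
    return responder.sent[BYSTANDER] / n_probes
```

Even the containment policy is not free of side effects: the forged address ends up blocked, so a bystander's legitimate traffic is cut off, which is why such entries should expire rather than persist.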