http://www.nwfusion.com/news/0111vigilante.html
http://cnn.com/TECH/computing/9901/12/cybervigilantes.idg/index.html
Striking back
Corporate vigilantes go on the offensive to hunt down hackers.

By Winn Schwartau
Network World, 01/11/99

In September 1998, the Electronic Disturbance Theater, a group of
activists that practices politically driven cyber civil-disobedience,
launched an attack aimed at disabling a Pentagon Web site by flooding it
with requests. The Pentagon responded by redirecting the requests to a
Java applet programmed to issue a counteroffensive. The applet flooded the
browsers used to launch the attack with graphics and messages, causing
them to crash. 

The incident raises issues all user organizations will soon have to
grapple with, if they haven't already. When you detect a break-in, should
you launch a counterattack in order to protect your network? Is law
enforcement capable of stopping cybercrime and can it be trusted to keep
investigations quiet? If not, don't corporations have a right to defend
themselves? 

Some emboldened user organizations are answering "yes." They are striking
back against hackers, sometimes with military efficiency and intensity, in
an effort to protect their self-interests. In the process, they are
fueling a debate over what is legal and ethical in terms of corporate
vigilantism. 

[And why doesn't there seem to be a single PUBLICLY documented
source of this?]

One end of the opinion spectrum says law enforcement agencies are
generally not up to the task, so corporations have a fiduciary
responsibility to protect their interests. The only question for these
companies is how far they are willing to go. Will they break laws, and if
so, which ones? 

[And if they do break a single one, they will find themselves
in a lawsuit that rivals any others they have seen. Big companies have
deep pockets, hackers don't.]

The opposite view is that corporate vigilantism is wrong: taking the law into
one's own hands only makes things worse. 

The First Vigilante Corp. 

Lou Cipher (a pseudonym of his choice) is a senior security manager at one
of the country's largest financial institutions. "There's not a chance in
hell of us going to law enforcement with a hacker incident," he says.
"They can't be trusted to do anything about it, so it's up to us to
protect ourselves." 

[Lou Cipher? Seems someone with that big of a company and
that kind of position could set a trend. If he exists. And why don't
they go to law enforcement? Not because of reaction, but because
of the public embarrassment of an intrusion. People lose faith in
financial institutions when they aren't secure. THAT is the reason.]

Cipher's firm has taken self-protection to the extreme.  "We have the
right to self-help - and yes, it's vigilantism," he says. "We are drawing
a line in the sand, and if any of these dweebs cross it, we are going to
protect ourselves." 

Cipher says his group has management approval to do "whatever it takes" to
protect his firm's corporate network and its assets. 

[And odds are their management has NO clue that employees
are breaking the law.]

"We have actually gotten on a plane and visited the physical location
where the attacks began. We've broken in, stolen the computers and left a
note: 'See how it feels?' " On one occasion, he says: "We had to resort to
baseball bats. That's what these punks will understand. Then word gets
around, and we're left alone.  That's all we want, to be left alone." 

[This is pure crap. Even if they COULD track the attacker back
like that, pulling the attacker's information and actually visiting
is just too far-fetched. Resorting to breaking and entering? Malicious
harassment? No way. Last, the response "see how it feels". No, the attackers
did not break in and steal your computers. They tried to hack them. 
This goes way beyond "eye for an eye" justice.]

A senior vice president of security at a major global financial firm
speaks of the matter in military terms. He equates a hacker intrusion to a
"first strike," and says defense is an appropriate response. "If you use
measures to restore your services, that's defense, not offense," he says.
When asked how far his company goes, he concedes only, "I am willing to
defend myself." 

In interviews with dozens of companies, a surprising number are seriously
considering implementing "strike-back" capabilities. However, when asked,
most companies would not admit they have already taken such steps. 

[Because it is illegal. They CAN'T implement them. Further, striking
back at an alleged attacker would create a situation where ALL evidence
collected from the would-be attacker would be inadmissible.]

Bruce Lobree, an internal security consultant at a major financial
institution, is cautious about admitting his firm uses vigilante
activities and strike-back techniques. He says with a smile, "I can't
answer yes or no. That's proprietary. Besides, legally we can't. But I can
tell you that everything that occurs at our network perimeter and inside
our networks is recorded." 

A recent study, "Corporate America's Competitive Edge," conducted by
Warroom Research, a competitive intelligence firm in Annapolis, Md., shows
that 32% of the 320 surveyed Fortune 500 companies have installed
counteroffensive software. Warroom President Mark Gembecki notes that not
every company will send out thugs to enforce their firewall policies.
Cyber-response is OK, he says, but Cipher's physical retaliation is "a
clear and overt violation of civil rights." 

[So roughly 100 Fortune 500 companies have implemented a strike-back
server. How many times do I have to point out that it is illegal?
Should I also point out there is absolutely NO company offering these 
servers or software? The closest thing that comes to mind is products
like SideWinder that have *user* defined actions as a response. This is akin
to saying that gun manufacturers are to blame for user error. These are 
companies that can't fully implement adequate security, yet they are
miraculously implementing strike-back technology?]

Such extreme counteroffensive methods raise the hackles of even the
staunchest corporate information warrior. Lloyd Reese, program manager of
information assurance for Troy Systems, a technical support company in
Fairfax, Va., has a criminal justice background and says physical response
is illegal and "doomed to failure." Such responses will only invite
further attacks - perhaps even more intense, he says.  "Companies need to
follow the appropriate legal process. We already have chaos on the
Internet, why should we make it worse?"

Joseph Broghamer, information assurance lead for the U.S.  Navy's Office
of the Chief Information Officer, goes further, saying even the Pentagon
shouldn't have done what it did.  "Offensive information warfare is not a
good thing . . . period. You want to block, not punish," he says. "There
is no technical reason to react offensively to a hacker attack." His
opinion is shared by precious few. 

[His opinion is shared by precious few?! I must be misreading this.
Any logical and sane person shares that exact view.]

As part of its information security practice, Ernst & Young has been asked
about strike-back capabilities and how hostile perimeters might be used
for defense.  Dan Woolley, national leader of market development for the
firm, says he knows of "companies in finance, insurance and manufacturing
that are developing and deploying the capability to aggressively defend
their networks." He is quick to point out, however, "We don't do it for
ourselves even though we are attacked regularly."

[What?! "aggressively DEFEND". Of course E&Y defends their
networks. This is clever placement of a quote to make it seem like more
people agree with this absurd idea. E&Y doesn't aggressively ATTACK
the attackers.]

The questions security software vendors and consultancies like Ernst &
Young are now grappling with are wrenching: Should they develop offensive
software, offer it to their clients, deploy it and support it? And if so,
how open should they be about it? 

How they do it

It's easy to understand why companies are interested in the idea of
corporate vigilantism. Even the best layers of defense - firewalls,
passwords and access control lists - can't work alone for many reasons.
Among them: 

Network topology, users and software are constantly changing. There is no
way to keep up. 

New vulnerabilities are found - and exploited - daily. 

A small number of individuals with little technical skill can launch
massive online attacks. 

Once an attack is detected, corporate vigilantes have various methods of
evening the score. 

[No. This is only assuming the attacker knows little, AND uses
their OWN account, registered to THEM while attacking.]

The Navy's Broghamer argues that sometimes the best response to an attack
is to shut down the network connection altogether, although he
acknowledges the Navy is not as sensitive to uptime and customer
perception as the private sector. 

Another approach is to send a strongly worded message to the source IP
address or to an ISP in the path. Traceroute is a tool that can identify
source IP addresses. But you have to get the assistance of ISPs down the
line to trace additional hops on the Internet, because each hop has to be
covered in order to find the real source. That's all legal, but you may
need to pressure the ISP into working with you quickly to identify the
next hop in the chain. Once you collect this data, it can be handed over
to law enforcement officials - who may or may not react.

[Oh yeah, let's blatantly ignore the concept of 'spoofing' here.
Just because the packets hit your system doesn't mean you REALLY
know where they come from.]

In 1994, Secure Computing, a security vendor in Roseville, Minn.,
introduced Sidewinder, a novel firewall with strike-back capabilities. If
it senses an attack, it launches a daemon that will trigger the offensive
techniques of your choice. Other companies indicate they will soon be
offering a range of strike-back products. 

[Once again, this is extremely misleading. Secure Computing
never advertised it would trigger the offensive techniques. It advertised
that it could take *6 pre-defined actions*, and *NO* user defined actions. 
The default was to dig, traceroute, nslookup, finger, ping, and whois. Never
did they suggest, encourage, or mention offensive attacks. No default
action or script provided with a SideWinder firewall is offensive. This
is as of version 3.2.]

A company crosses the line when it responds by unleashing a
denial-of-service attack against an intruder, as the Pentagon did. This
can be done via massive e-mail spamming, the Ping of Death and hostile
Java applets. 

[I would have to double check, but the Pentagon situation
mentioned twice now did not result in the DOD attacking back. It took
the same actions as Abacus Sentry takes.. it drops the route and denies
future connections. That is a defensive response.]

No matter what offensive mechanism you choose, the trick is to identify
the culprit before returning fire. Should you fail to recognize that the
attacker spoofed the identity of another company, you may find yourself
attacking J.C. Penney, NBC or General Motors.  Innocent companies would
not take kindly to that sort of activity - no matter the reason - and ISPs
don't appreciate being the vehicle for Internet-based attacks. 

[FINALLY.. they mention this! At *NO* point can you *EVER*
tell who is at the keyboard attacking you. No matter what account is used,
where they come from, or anything else.. you NEVER know if you are attacking
the right person. End of story.]
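As an added illustration (not from the article or the commentary above), the following Python sketch shows the defensive alternative the text keeps circling back to: aggregate what the perimeter logged, block at a threshold, and keep an evidence record for the ISP or law enforcement, while flagging source addresses that cannot possibly be the true origin. The log format, the threshold and the addresses are constructed for this example.

```python
import ipaddress
import re

# Constructed firewall log lines (not from the article or any real device): a burst from
# a public address, a burst from an RFC 1918 address that cannot legitimately arrive from
# the Internet, and ordinary traffic from a third host.
SAMPLE_LOG = (
    [f"1999-01-11T02:14:{i:02d} src=192.0.2.45 dport=80 action=accept" for i in range(60)]
    + [f"1999-01-11T02:{15 + i // 60:02d}:{i % 60:02d} src=10.0.0.7 dport={8000 + i} action=drop"
       for i in range(70)]
    + ["1999-01-11T02:17:00 src=198.51.100.9 dport=25 action=accept"] * 3
)
LINE_RE = re.compile(r"^(\S+) src=(\S+) dport=(\d+) action=(\w+)$")
# Blocks that can never be the true origin of a packet arriving from the Internet;
# a packet carrying one of them as its source is spoofed or misrouted.
NOT_A_REAL_SOURCE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]

def parse_events(lines):
    """Yield (timestamp, source, destination port); malformed lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2), int(m.group(3))

def is_plausible_source(ip_text):
    """True only if the address could be a host somewhere on the Internet at all."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return not any(ip in net for net in NOT_A_REAL_SOURCE)

def summarize(lines, threshold=50):
    """Aggregate per source and pick a purely defensive action: block or keep watching."""
    stats = {}
    for ts, src, port in parse_events(lines):
        s = stats.setdefault(src, {"count": 0, "first": ts, "last": ts, "ports": set()})
        s["count"] += 1
        s["last"] = ts
        s["ports"].add(port)
    for src, s in stats.items():
        s["attributable"] = is_plausible_source(src)
        s["action"] = "block" if s["count"] >= threshold else "monitor"
    return stats

def evidence_record(stats):
    """One line per source for the upstream ISP, flagging addresses that cannot be real."""
    out = []
    for src, s in sorted(stats.items()):
        note = "" if s["attributable"] else " (non-routable source: spoofed or misconfigured)"
        out.append(f"{src}: {s['count']} hits {s['first']}..{s['last']} "
                   f"distinct_ports={len(s['ports'])} -> {s['action']}{note}")
    return out
```

Even a source that passes the plausibility check only identifies a machine that may itself be compromised or spoofed, which is why the record goes to the ISP rather than triggering anything further.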

Indeed, one of the big dangers with corporate vigilantism is how easy it
is to overreact to an apparent attack. In spring 1997, one of the Big Six
accounting firms used scanning tools from Internet Security Systems (ISS) 
to assess the security of a major ISP that controlled a huge amount of
Internet traffic. When a network administrator on duty at the ISP noticed
a thousand simultaneous connections to his firewall, he reacted quickly
and shut down several routers. "His manual reaction took down 75% of the
Internet," says Tom Noonan, president of ISS. "Anyone using Sprint at that
time was in a world of hurt." 

Even those with a strong inclination for vigilantism note that
counteroffensive responses are fraught with danger.  "Talk to your
lawyers," Troy Systems' Reese advises.  "Keep in mind that your strike
back has to go through a long path, and you might do damage at any place
along the way." Retribution can cause a hair-trigger response that could
cause damage to systems in the path from you to the attacker. 

"You really have to understand what you're doing," says Ray Kaplan, a
senior information security consultant with Secure Computing. "Your first
response might invite further attack, exactly the opposite of what you
intended. You have to consider your firm's public relations posture and
how the Internet community as a whole will react to your actions." 

Don't ask, don't tell

As for how law enforcement will view vigilantism, the answer from many
companies is a resounding, "Who cares?" 

Vigilantism is emerging as a response to the intense frustration people
feel with law enforcement authorities they view as simply not up to snuff.
Complaints from top firms in the U.S. range from downright ineffectiveness
("clueless" is an oft-repeated word) to a lack of staff, lack of funding,
courts that are too crowded with cases and the snail-like speed at which
typical law enforcement investigations run. 

"One reason you see vigilantism is because law enforcement doesn't get the
job done," says Fred Cohen, president of Fred Cohen and Associates and
principal scientist at Sandia National Laboratories. "Law enforcement
might investigate if you have a lot of political clout and you do all of
the leg work." 

Companies are also fearful of what might happen if they do bring in law
enforcement. "It's a hell of a situation when victim companies are more
fearful of the FBI than they are of the attackers," says Michael Vlahos,
senior fellow at the U.S. Internet Council. He echoes the worry that
sensitive corporate information will not be protected if handed over to
law enforcement. 

"Law enforcement is helpless," ISS's Noonan maintains. 

"It's not like Israeli fighters who train every day for every contingency.
Conventional law enforcement just can't match the skills needed. Besides,
you can't trust law enforcement to keep your secrets from becoming public
knowledge." 

Predictably, law enforcement does not favor the vigilante view - at least
publicly. "If someone were to attack us, we are not encouraged to swat
back," says Lt. Chris Malinowski of the New York Police Department, who
specializes in cybercrime. "If companies take any of these proactive
defensive steps, they are taking a big chance, subject to criminal
prosecution." 

Dave Green, deputy chief of the Computer Crimes and Intellectual Property
Section for the U.S. Department of Justice, says he relates to the
frustration over law enforcement's inability to respond, but adds that his
department can only recommend protective measures.  Yet he stops short of
advising against corporate vigilantism outright. When asked if companies
should hack back at attackers, Green responds, "no comment," as he does to
questions as to what could legally be considered an attack. "But I can say
that law enforcement is gearing up and is much better equipped to deal
with cybercrime," he adds. 

When they are not speaking for attribution, law enforcement authorities of
all stripes go further than Green. Local police, state police, the FBI,
Secret Service, Interpol and
Scotland Yard members all say the same thing - unofficially: "We can't
handle the problem.  It's too big. If you take care of things yourself, we
will look in the other direction. Just be careful." 

[And amazingly enough, not a single NAME to be attributed
this quote...]

Security consultant Lobree seems to understand the police mentality and
applies the red light theory to cybervigilantism. "Suppose it's the dead
of night on a country road, and you come upon a stop light. You can see
for miles in all directions. Are you going to run the light even knowing
there is virtually no chance of being caught?" Some, perhaps most, won't,
because they have an innate fear of being caught. Others will forge ahead.
"A lot of companies recognize that the chance of getting caught in a
vigilante cyberstrike is pretty darn low," he says. 

It's your call

A number of sources suggest vigilantism might be a business opportunity
for a firm that wants to specialize in counteroffensive network security.
"In the 1860s, law enforcement was conducted by Pinkerton, a private
company," Vlahos says. Many suggest that privatization should be the case
in the cyberworld as well. The kind of offensive network security products
needed to make it happen are starting to find their way into corporate
tool kits and onto the Internet. 

[A company specializing in illegal activity. Sounds like
organized crime to me.]

But the legal challenges that coexist with hostile perimeters and
counteroffensive measures are daunting. 

The astute company will examine every aspect of its posture before
marching down the slippery slope of vigilantism. Sometimes the best
defense is not to overreact. In the worst case, do nothing until a proper
response can be developed. 

Vlahos says courts may be the place to create new laws more attuned to the
technology. "This is a whole new arena, and I don't know how we can
explore it without trying new approaches, even if they are technically
illegal." 

Cipher, the baseball-bat-bearing vigilante, is all for new approaches.
"Personal persuasion is always more effective than electronic persuasion,"
he says. "Personal persuasion virtually guarantees that a hacker will see
the error of his ways, scamper to please and turn over a new leaf." 

[And I can tell you that if he entered my household without
permission, regardless of what I did.. I would use my right to shoot 
in self defense. Where would he be then?]

No matter what path you choose, make sure it is well thought out and that
you have your legal ducks in a row. You just might need them.

[Might?]