
Thread: Hack back at the hackers.

  1. #1
    Webius Designerous Indiginous
    Join Date
    Mar 2002
    Location
    South Florida
    Posts
    1,123

    Hack back at the hackers.

    Here is a document going around the news archives. I thought it was interesting.


    http://symbiot.com/media/iwROE.pdf

  2. #2
    Senior Member
    Join Date
    Dec 2003
    Location
    Pacific Northwest
    Posts
    1,675
    I wouldn't doubt that many would like to get a pound of flesh belonging to someone malicious. But even if we are given ROE, how would we be able to track the culprit down? He/she is most likely hopping from computer to computer in different countries, to do the dirty deeds, and there could be many innocent bystanders getting hammered along the way. The thought of getting some payback is interesting though.

    cheers

  3. #3
    An inspiring document that speaks truth. "Make no mistake, we are in the midst of an information warfare conflict which we have not been fighting"

    That quote should ring in the hearts of any security professional who understands the necessity of security on a larger scale than just their network. The justice system can only do so much, and even then it is similar to fighting a tidal wave with a wooden spoon.

    The Tao teaches us to act ignorant when we are knowledgeable, act weak when we are in fact strong. We have done both long enough and there might be a time, soon, to step forth from what I see as a reoccurring siege against networks.

    Merely my thoughts.

  4. #4
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Pooh: I agree with your sentiment entirely.... I'm a "strike back when struck" kinda chap.

    The unfortunate thing is the collateral damage. It could be argued that if Mr. Innocent Bystander has left his computer open to the world then he is, in fact, an enabler in the process and that harm/damage incurred by him is more a result of his actions than mine when I trash his box on the way to my target.

    But the other side of me..... (I guess I'm softening with age..... ), doesn't think that is necessarily justified. Mr. Bystander can't be expected to be a security guru as well as a top of the line Mercedes mechanic. OTOH, if you have had his ISP chat with him a couple of times about his compromised box and he has done nothing about it then it is no longer his ignorance that is the issue, it's his laissez faire attitude.... Trash the box? Maybe... Add to the problem by compromising it yourself? Maybe. The trouble is that when you do that and the evidence points back to you, then Mr. Bystander has a court case he can win. If you take steps to hide your tracks then, IMO, you are acknowledging that you are doing something you know is wrong and are therefore no better than the brat you are really after.

    It's a tough question that requires a lot of care on the part of the person striking back IMO.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  5. #5
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323
    I actually had contacted Symbiot to ask them about their product since they are a tad vague as to what exactly it does. I still need to re-contact them as they said they'd set up an interview (article kind of thing for EnterpriseITPlanet) with their CEO. What I'd be curious specifically about is how it reacts to say worms. As an example, my admin was kind enough to give full admin access on my work box so I decided to install Sygate in case my "experimentations" opened up things. That said, the logs are showing oodles of repeated scans from a variety of places (worm activity). What would worry me about their product (based on the vague understanding of it -- which is nil!) is that it might be reactionary against someone who, unknowingly, is infected with a worm.

    In effect, now that I think about it, this kind of application/device could be used as a DoS against a target if you trigger it to respond and spoof the source or create a worm that mimics a specific kind of attack. (Perhaps far out there concept but it is possible).

    But as I said, they aren't the first. I'm presently working on an article about Air Defense's Wireless IDS product. It has its own reactionary mechanism to deal with rogue stations: you can initiate a DoS against the station to knock them off the connection. Now, AFAIK, this has to be done by the admin but I don't doubt this could be automated (it's a really neat but expensive product). It is a form of "attack back" (the term "hack back" suggests breaking into the machines, which in turn would be a method of breaking the law -- regardless of how good the law is at dealing with this, I don't think it's right as it does start the "slippery slope" concept). Attack back, and specifically controlled DoSes, wouldn't be that bad because it just causes an annoyance and even if it's an innocent bystander they only get disconnected and get to yell at their ISP.

    I think at this point it's still a question of what exactly Symbiot is intending on producing for their product.
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  6. #6
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Ms. M:

    In effect, now that I think about it, this kind of application/device could be used as a DoS against a target if you trigger it to respond and spoof the source or create a worm that mimics a specific kind of attack. (Perhaps far out there concept but it is possible).
    Not far out at all. Turning people's automated defense systems against them is far from new. The simplest example is Mr. Cracker scanning my systems and realizing that at a certain threshold my firewall places a ban on all communication with him. OK, NP.... Use the same means as he did to get blocked but spoof the addresses of all the major search engines, Microsoft, AV vendors and the firewall will block them too. You just DoSed the target. If all you intended to be was a pain in the a$$, (disgruntled employees for example), then you just had your fun.

    Extending the concept to using the target's machines to attack another target is far from a huge leap.....
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
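
Added example (editor's illustration, not written by any poster in this thread): the threshold-ban weakness described in post #6, shown from the firewall owner's side as a naive ban rule next to a hardened one. The log entries, addresses (documentation ranges), threshold and allowlist are all constructed assumptions.

```python
from collections import Counter
from ipaddress import ip_address, ip_network

THRESHOLD = 3  # probes before a ban (assumed value)
# Constructed allowlist: peers the business cannot afford to block.
ALLOWLIST = [ip_network("198.51.100.0/28"), ip_network("192.0.2.53/32")]

# Constructed log: (source address, TCP handshake completed?)
EVENTS = (
    [("203.0.113.7", True)] * 4       # real scanner, full connections
    + [("198.51.100.10", False)] * 5  # forged source: "search engine"
    + [("192.0.2.53", False)] * 5     # forged source: "AV update server"
    + [("203.0.113.99", False)] * 5   # forged source: unrelated bystander
)

def naive_bans(events, threshold=THRESHOLD):
    """Ban any source seen `threshold` times, trusting the source field."""
    counts = Counter(src for src, _ in events)
    return {src for src, n in counts.items() if n >= threshold}

def hardened_bans(events, threshold=THRESHOLD, allowlist=ALLOWLIST):
    """Count only sources proven by a completed handshake; skip allowlist.

    Trade-off: half-open (SYN-only) probes no longer trigger a ban,
    so they need a different response, such as rate limiting.
    """
    counts = Counter(src for src, completed in events if completed)
    return {
        src for src, n in counts.items()
        if n >= threshold
        and not any(ip_address(src) in net for net in allowlist)
    }

if __name__ == "__main__":
    print("naive:   ", sorted(naive_bans(EVENTS)))
    print("hardened:", sorted(hardened_bans(EVENTS)))
```

The naive rule bans every forged address along with the real scanner; the hardened rule bans only the source that actually completed connections.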

  7. #7
    I wasn't thinking along the lines so much as an automated system, or even a quick counterstrike upon the attacker (which may be an innocent bystander acting as a node for the attacker).

    But methodical, ROE based, investigative counter-attacks. Just like how a sniper takes their time to ensure the crosshairs are perfectly aligned.

  8. #8
    It is interesting, to be able to attack the computers which are shown to be attacking you. If I was a home user with the capabilities of launching such attacks, I would do it, no questions asked. For now, it's either kill or be killed. My ISP wouldn't like it, but I could just find another one...

    If I were administering a network of a large corporation (or even a small business), however, I would think twice before using my network's resources to put an enemy computer offline. In this people's court world, where lawyers reign supreme and everyone else pays them to, a lawsuit against my corporation would mean no more job for me.
