Should You Strike Back?

Late one night, a lone, armed figure breaks into an unmanned lobby. A voice overhead tells him to stop and await his arrest. Seeing no one, the spy darts toward the elevator. Thirty miles away, a security guard fires an encrypted command over the Internet. A second later, the lobby explodes in a spray of bullets.

There's a war brewing in cyberspace. Make that a Netwar, so dubbed in Countering the New Terrorism, a book published last year by The RAND Corp., a Santa Monica, Calif.-based nonprofit research group formed during World War II.

It'll be a long time before remote-controlled robots fight battles to keep intruders out of office buildings (though unconfirmed reports circulated among security newsgroups in September did claim that a company in Thailand has invented a gun-toting robot directed through a remote-controlled camera).

But many players, including the government, RAND and Winn Schwartau, a security analyst in Seminole, Fla., say this information war is already upon us. And in his Internet survival book, Cybershock, Schwartau claims that some private corporations are already launching military-style counterattacks to protect their interests.

Know Your Culprit

Criminal suits are tough to prosecute, so your evidence must be legally bullet-proof, both factually and procedurally, says Ira Winkler, president of Internet Security Advisors Group, who has assisted law enforcement during computer crime investigations.

It's much better to gather your own evidence for a civil suit, he adds, because then it's much easier to prosecute. Whether using commercial tools or other techniques to trap and track an attacker, the important thing is to provide evidence that couldn't have been tampered with. Winkler suggests the following:

1. When you detect an attack, dump all logs to read-only tape so you can prove that the data hasn't been tampered with.

2. Use a line analyzer that records the attacker's session keystrokes in a read-only format to provide evidence of what the attacker was trying to do inside your network.

3. Don't threaten the attacker; instead, alert the police. You don't want to escalate a hacking war.

4. Don't hack back. "If you do anything that can be perceived as intrusion or denial-of-service and you contact the police, you've just made it really easy for the police to arrest you," says Winkler.

If you do report the crime to the police, be prepared to show law enforcement that the cost of the crime meets the investigative threshold, which varies, depending on the law enforcement agency involved, says Richard Power, an editor at the Computer Security Institute. "It's got to look like you lost some money," he says.
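The steps above turn on one property: the logs you hand over must demonstrably not have changed since capture. As an added illustration (not from the article), here is a tamper-evident manifest over captured logs in Python: each file is hashed, the entries are hash-chained, and the final link is meant to be recorded out of band next to the tape. The file names and log lines are constructed sample data.

```python
# Added example (not from the article): a tamper-evident manifest over captured
# logs, the software counterpart of dumping them to read-only tape.
import hashlib
import json
import time

# Constructed sample logs standing in for the files captured at detection time.
SAMPLE_LOGS = {
    "firewall.log": b"23:41:07 DENY tcp 203.0.113.7:4312 -> 198.51.100.5:31337\n"
                    b"23:41:09 DENY tcp 203.0.113.7:4313 -> 198.51.100.5:31337\n",
    "session.log": b"23:41:12 login attempt user=root\n23:41:15 cmd: cat /etc/passwd\n",
}

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_manifest(logs: dict, captured_at: str = None) -> dict:
    """Digest every log and chain the entries: each link covers the previous link,
    the file name and the digest, so editing or reordering any entry breaks every
    link after it. Record final_link out of band (tape label, signed e-mail,
    incident notebook) so the manifest itself cannot be quietly rewritten."""
    captured_at = captured_at or time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())
    entries, link = [], sha256_hex(captured_at.encode())
    for name in sorted(logs):
        digest = sha256_hex(logs[name])
        link = sha256_hex((link + name + digest).encode())
        entries.append({"name": name, "sha256": digest, "link": link})
    return {"captured_at": captured_at, "entries": entries, "final_link": link}

def verify(manifest: dict, logs: dict) -> list:
    """Return the names of logs whose contents no longer match their digests
    (a missing log counts); a chain that no longer reaches final_link is
    reported as 'manifest', meaning the manifest itself was edited."""
    bad, link = [], sha256_hex(manifest["captured_at"].encode())
    for entry in manifest["entries"]:
        link = sha256_hex((link + entry["name"] + entry["sha256"]).encode())
        if sha256_hex(logs.get(entry["name"], b"")) != entry["sha256"]:
            bad.append(entry["name"])
    if link != manifest["final_link"]:
        bad.append("manifest")
    return bad

if __name__ == "__main__":
    manifest = build_manifest(SAMPLE_LOGS)
    print(json.dumps(manifest, indent=2))
    print("intact:", verify(manifest, SAMPLE_LOGS) == [])
```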


Rumors and off-the-record tales abound, but there has been only one recorded account of a true military-style cybercounterstrike from the corporate sector.

It happened during the World Trade Organization (WTO) summit in January. San Jose-based Conxion Inc., which hosted the WTO server, was hit by a denial-of-service attack launched by the Electrohippies (E-hippies), a U.K.-based online activist group.

Conxion traced the IP trail directly back to the E-hippies server and read postings encouraging E-hippies to mail-bomb the WTO. Instead of dropping those incoming packets at the router like most companies do to stop denial-of-service attacks, Conxion volleyed them back at the E-hippies server, swamping it for several hours. Conxion was so proud of its defensive tactics that it issued a press release.

Chris Malinowski, the recently retired lieutenant commander of the New York Police Department's Computer Crime Squad, says "returning mail to sender" doesn't constitute a crime. But many information technology professionals say they wouldn't risk taking such an action, even if they had explicit proof of the source of the attack.

The chief concern is accidentally slamming innocent sites through which hackers have routed their attacks to conceal their tracks.

"My fear scenario is that U.S. government agencies [involved in information warfare] will build in react capabilities," says John Pescatore, an analyst at Gartner Group Inc. in Stamford, Conn. "A smart hacker will launch a [denial-of-service] attack using those agencies' IP addresses, and they all start attacking each other. The worst case is Amazon shoots eBay who shoots the IRS who shoots Cisco who shoots . . ."

Another concern is liability.

"Launching a counterattack is very difficult because of all the liability issues that come up," says Pete van de Gohm, director of information asset protection at Enron Energy Services Inc. in Houston. "Like, what if the attack comes from a boundary outside the United States and I act against it? Does that constitute an act of war?"

Richard Power, an editor at the San Francisco-based Computer Security Institute, says most company executives with fiduciary responsibilities to their stockholders, government regulators and attorneys would never expose themselves to civil and criminal charges by allowing counterattacks.

Although no hot information war has broken out yet, there are clear indicators in the vendor and IT communities that IT security is shifting beyond passive firewall protection to a more active defense.

"I'm not sure about fighting back in terms of [counterattacking], but in terms of defending yourself, we're just beginning to scrape the surface of defensive measures and tools," says Ruth Lestina, a specialist in information security at Predictive Systems Inc., a New York-based systems integrator.

Defensive Tactics

Tool vendors are beginning to push hacker traps and tracers. Network Ice Inc., Recourse Technologies Inc. and Network Flight Recorder Inc. (NFR) all market IP tracking tools that can trace the route of an attack. They also offer decoy network boxes (fondly referred to as "honey pots") that identify an attack and limit it to a punching-bag server that looks like the larger network but isn't connected to it.

In addition, some Linux products, as well as the FreeBSD open-source Unix variant, ship with full bags of hacking tools, including Trojan horses (hidden executable programs) and port scanners that can be used to trace the techniques and footprints of the hackers involved in an attack.

Rockville, Md.-based NFR, which markets its products as "clue-gathering tools for network and security managers," offers a souped-up intrusion-detection system that includes a "network forensics" element with data-traffic analysis and limited trace-back capabilities. NFR also has a product called BackOfficer Friendly, which sets up a fake session when it detects someone trying to install Back Orifice (a remote monitoring program) and logs the IP address of the attacker and any operations he tries to perform.
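To make the BackOfficer Friendly idea concrete, here is an added example in Python (my own illustration, not NFR's product or any vendor's code) of a low-interaction decoy service: it answers any connection with a fake banner, records the peer address and the first bytes sent, and never acts on anything it receives. The banner, the ephemeral port and the `probe` client are constructed for the demonstration.

```python
# Added example (not NFR's BackOfficer Friendly or any vendor's code): a decoy that
# greets each connection with a fake banner, logs peer and first bytes, then closes.
import contextlib
import socket
import threading
import time

class DecoyService:
    def __init__(self, host="127.0.0.1", port=0, banner=b"220 ftp ready\r\n"):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind((host, port))            # port 0: let the OS pick a free port
        self.sock.listen(5)
        self.sock.settimeout(0.2)               # so the accept loop notices stop()
        self.port = self.sock.getsockname()[1]
        self.banner, self.records = banner, []  # one record per connection attempt
        self._cond, self._stop = threading.Condition(), threading.Event()
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()

    def stop(self):
        self._stop.set()                        # set before close so _serve exits
        self._thread.join(timeout=2)
        self.sock.close()

    def wait_for(self, count, timeout=3.0):
        """Block until `count` attempts are logged (or timeout); return a copy."""
        with self._cond:
            self._cond.wait_for(lambda: len(self.records) >= count, timeout)
            return list(self.records)

    def _serve(self):
        while not self._stop.is_set():
            try:
                conn, peer = self.sock.accept()
            except OSError:                     # includes the 0.2 s accept timeout
                continue
            self._handle(conn, peer)

    def _handle(self, conn, peer):
        rec = {"time": time.time(), "src_ip": peer[0], "src_port": peer[1], "data": b""}
        with contextlib.suppress(OSError), conn:  # conn is closed on exit
            conn.settimeout(1.0)
            conn.sendall(self.banner)
            rec["data"] = conn.recv(512)        # evidence of what was attempted, never run
        with self._cond:
            self.records.append(rec)
            self._cond.notify_all()

def probe(port, payload):
    """Constructed client used to exercise the decoy; returns the banner it saw."""
    with socket.create_connection(("127.0.0.1", port), timeout=2) as c:
        banner = c.recv(64)
        c.sendall(payload)
        return banner
```

Each record is the kind of entry the article says such a tool keeps: who connected, when, and what they tried first.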

In addition to vendors, IT managers are also trying to build more reactive capabilities, according to Lestina. She says that more than two-thirds of Predictive's customers are looking for ways to get the upper hand with cyberattackers, and that includes trapping and tracing their activities.

"Say my site is brought under attack from your university, and I have an automated system that returns a message to the attacker saying, 'I detect this; I don't like it; I know where you live; and if you attack us again, you'll get a note from our lawyers,'" says Marcus Ranum, NFR's chief technology officer.

"We call it covert security. When these attacks are spoofed and hidden through the Internet, you need to root them out at the network layer," says Frank Huerta, founder and president of Palo Alto, Calif.-based Recourse Technologies. "It's about finding where the attack is coming from and damming it up at the source."

Slippery Slope

But trapping and tracking also pose some interesting legal questions concerning issues such as trespassing, entrapment and invasion of privacy.

Following an IP address across the Internet means passing through every server the attacker originally compromised. Since each of these servers is privately owned, you need permission, or else you're trespassing.

"There's nothing wrong with doing a Traceroute [a tracking program] back to the IP address, so long as you alert the administrator," explains Ira Winkler, president of security consulting firm Internet Security Advisors Group in Severna Park, Md.

In his book Tangled Web, Power asserts that as far back as 1994, when the U.S. Air Force Research Laboratory in Rome, N.Y., was under attack, agents grappled with just how far to track the attacker through a maze of private servers.

"To chase a hacker, you're going to digitally break and enter and trespass to follow the trail," Power says. "Remember that incident in which a burglar fell through a sunroof, sued and won [the lawsuit over the incident]? If a burglar can sue the people he's burgling, a hacker can turn around and sue a Fortune 50 company for invading his privacy, violating his space, causing him fear, whatever."

Antihacking tool vendors have at least considered trespassing when designing their tools. But the effectiveness of those tools is still open to question.

In order to get the bad guys, the traces must occur during a live connection. How, then, does a product like Recourse Technologies' ManHunt track attackers in real time while stopping at each server to ask permission?

Huerta waffles on ManHunt's technical workings, citing "intellectual-property concerns." But he does say that if a company using ManHunt fell under attack, one of two things would happen: ManHunt could pass a digitally signed e-mail message upstream to the predesignated point of contact at the service provider, which would require the recipient to read the mail and decide what action to take, sapping the tool of some of its value. Or, if the upstream Internet service provider were primarily running ManHunt nodes, it could conceivably route the trace automatically and in real time. But Recourse has a lot of selling to do to make that happen.

That kind of cooperation is what it would take to deliver the "cutting attacks off at the source" and the significant limiting of hack attacks that ManHunt's literature claims. But perpetrators will be cut off the Net only at the behest of the Internet service provider that actually serves the perpetrator, which is also the final destination of the IP tracking software.

Van de Gohm heaves a sigh of exasperation at antihacking tool vendors' cloak-and-dagger claims and the foggy goals behind them. Any basic network can do what these tools claim, he contends. Firewalls log all incoming IP addresses, which can be used to start a trace. And network monitors can track an attacker's activities in the network, unless he erases the system logs, of course.

"In the government, there are a number of reasons to detect, catch, trap and prosecute cyberattackers," van de Gohm says. "But in the private sector, you've got to ask yourself the bottom-line question: Does this enhance shareholder value?"

Huerta says the products do offer value beyond the ability to trap and prosecute. For example, he says, they can tell an administrator in New York what's going on in the company's Sydney, Australia, data center as well.

— Deborah Radcliff
Copyright © 2000 IDG Communications, Inc.
