FBI Waking Up To The Fact That Companies With Itchy Trigger Fingers Want To Hack Back Hacking Attacks
from the dangerous-ideas dept
It's no secret that some in the computer security world like the idea of being able to "hack back" against online attacks. The simplest form of this idea is that if you're a company under a denial-of-service attack, should you be able to "hack" a computer that is coordinating those attacks to stop them? More than two years ago, an LA Times article noted that some cybersecurity startups were marketing such services. Related to this, when the terrible CISPA legislation was being debated, one concern was that it would legalize such "hack backs" because, among other things, CISPA would grant immunity to companies "for decisions made based on cyber threat information." Some interpreted that to mean that companies would have immunity if they decided to hack back against an attacker.
A new article from Bloomberg suggests that companies are still quite eager to get involved in hacking back, and the FBI (which supported CISPA) is investigating some such cases where it may have happened. However, companies like JP Morgan still love the idea:
In February 2013, U.S. officials met with bank executives in New York. There, a JPMorgan official proposed that the banks hit back from offshore locations, disabling the servers from which the attacks were being launched, according to a person familiar with the conversation, who asked not to be identified because the discussions were confidential.
The article notes, of course, that such attacks likely violate the CFAA (Computer Fraud and Abuse Act) (which is why some want immunity for hack backs). But, it's a bad idea not just because it likely breaks the law, but because it's stupid and dangerous. First, accurately determining who is behind a hack is quite difficult -- as we're seeing lately with all the recent skepticism about the FBI's claim that North Korea was responsible for the Sony hack. Launching a counterattack against the wrong party can have serious consequences -- even more so when those counterattacks might target actual nation states, rather than just a group of script kiddies.
On top of that, the article notes, the hack back attempt could make the situation even worse:
Efforts to retaliate can make things worse, [Kevin Mandia] said, because attackers who aren’t purged from the network could escalate the assault or ramp up attacks on other companies targeted by the same group.
And, of course, the very real possibility that the wrong party is targeted in the hack back can create all sorts of collateral damage. Remember when Microsoft took down many thousands of sites by mistargeting a court order? Imagine that without any court even being involved.
Finally, think through the obvious consequences of this. If you're a malicious hacker, it suddenly becomes a great opportunity. Pick two separate targets you want to harm -- then attack one and make it appear like the attack is coming from the other. Then sit back and watch the two of them duke it out while you laugh away.
Hacking back is a vigilante Hollywood movie-style idea that pays no attention to the realities of the technology or the consequences of the actions. Hopefully companies are smart enough not to follow through -- and lawmakers prevent it from being protected by law.
Filed Under: cybersecurity, fbi, hack back, hackback, vigilantes
Companies: jp morgan
Reader Comments
This is a bad idea, the tit for tat just leads to more hacks as each side tries to prove who has the bigger dick. In the end the losers will be smaller players who couldn't afford better security and were drafted into the original hack without their knowledge.
When the rules are an eye for an eye, everyone ends up blind.
[ link to this | view in chronology ]
Re:
Step 1: Be a dumbass and connect vital controls to the internet.
Riiiiight.
[ link to this | view in chronology ]
Botnets
Even when not intentionally trying to provoke a hacking war, it's common practice for hackers to use compromised third party systems as launching points for attacks. It is difficult to determine (by the target) which machines are owned by the attackers, and which are members of a botnet. Collateral damage is a real ongoing concern with counter-hacking.
[ link to this | view in chronology ]
Re: Botnets
Yeah, I'm sure after something like that a hacker/group would be real hesitant to repeat their actions. /s
[ link to this | view in chronology ]
Re: Re: Re: Botnets
You have much greater faith in antivirus programs than you should. I've seen reports that the best of them catch only 80% of existent malware, and no antivirus will stop a zero-day. The antivirus industry is selling snake-oil. Actual secured systems don't need it. Don't fall for their BS.
Which is why I don't want people like you anywhere near the decision making process. Yours is a "ready, shoot, aim" mentality. Systems that are part of a botnet are victims too. If those systems are 911, or air-traffic control, or pentagon, or managing other critical systems, you could be causing far more collateral damage to victims even further removed from the original incident.
Please, get over your blind lust for revenge before you start WWIII.
[ link to this | view in chronology ]
Re: Re: Re: Re: Botnets
In order for an antivirus to work, the A/V company has to write a signature to find that particular malware. Most malware writers check against the most popular A/Vs to make sure it will pass not being seen before they put it out. Doesn't make sense to put one out that is not going anywhere. They will usually write 4 or 5 similar versions slightly different so when it is identified and a signature written, they issue a variation that is no longer spotted to keep it going.
There are far too many malwares out for A/V companies to write one for every one they spot. So they wind up working on the ones most widely spread. All the malware writer has to do is keep it below the threshold of being well known and they are good to go.
No matter what you do, they are releasing far more malwares than can be kept up with meaning that the A/V will not spot the majority of them.
So thinking that A/Vs will take care of the problem is foolish.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Botnets
Indeed signatures are often inadequate, as many viruses are created to morph, and change their strings on a regular basis.
I often worked with a virologist who found the homologous behaviors of organic viruses, and those of the electronic world to be fascinatingly similar.
[ link to this | view in chronology ]
Re: Re: Botnets
I am so fscking sick to death with you Yanquis' litigious BS. You can't solve all the ills of the world by throwing lawyers at them! Who do you think you are, MafiAA?!?
You don't like drug or arms deals going on in the dark net? Sue! Oh, they're in Russia, and they don't give a rat's ass for US' tort law. Oops. How about the Somalis, or Afghan Taliban, or Cubans, or Venezuelans, or "Best Korea" (cf. Fark.com), ...
How about you/we just stop doing stupid things giving nutbars reason to escalate some corporation's (Sony!) problems into WWIII?
[ link to this | view in chronology ]
I'm not convinced it would be worse if you didn't involve lawyers.
[ link to this | view in chronology ]
Re:
Piker. Why not just targeted assassinations? Start with their CEO and systems security staff. "All's fair in love and war." Except this isn't war. It's just business. No-one wins in war. The "winner" just loses less (ideally).
Anyone promoting this foolishness should be recognized as the sociopaths that they are.
[ link to this | view in chronology ]
haha, like they care. Banks and the likes of MPAA and others who are in bed with the government can easily get away with much worse things.
The "suicide"s among bankers are hilarious. Someone cut himself up with a chainsaw, other killed himself with multiple shots from a nailgun... Nothing suspicious, officially suicide. I'm pretty sure if they were able to hack back they would do it.
It's not a matter of legality.
[ link to this | view in chronology ]
It's never appropriate
A much better choice, as other commenters have noted, is to strengthen one's own defenses -- preferably BEFORE a major security incident.
[ link to this | view in chronology ]
FBI
In the Ok bombing, the FBI claimed that traces of explosive evidence were a match for that found in the remains of the truck. Yet the head of the explosives section, Dr. Frederic Whitehurst testified under oath that the testing done by the FBI lab could distinguish between urea found in fertilizer, and that found in urine. Whitehurst also testified that many cases and tests came under extreme political pressure to "show" that the test was positive for a particular person.
Richard Jewell, the actual hero of the Olympic Park bombing, was named as a person of suspicion in that event. Persons of suspicion are not supposed to be publicly named. He won a rather large lawsuit, and of course was innocent.
The anthrax attacks had five people named, one after another, as the guilty party. Again massive pressure and subterfuge was placed in attempts to prove each of these individuals guilty. Ivins was finally pressured into suicide with no real evidence, and the case closed. Ivins was almost certainly not the guilty party, and would have required the help of four or five additional people working for a year to achieve this attack. The NAS (National Association of Sciences) said that Ivins did not have access to the equipment or containment units that would have been required. A bunch of terms, particularly "ultracentrifuge" were bandied about to make it appear as though he was guilty. As a biochemist, I had an ultracentrifuge in my lab section. So did my ex-wife. Big deal, except that it sounds malevolent.
Ivins reputedly used acetaminophen to kill himself. Doing so produces a long and extremely painful death. Any scientist knows how to commit suicide with little or no pain with common objects found in the home or lab.
How can anyone trust the FBI?
[ link to this | view in chronology ]
Re: Re: FBI
But they are not the only ones playing dirty tricks. The RIAA, Sony, and others have admitted at some point to hiring third party services to do DoSS, serve malware, and do other little nasties. Which they get away with by the DOJ and crew just refusing to take issue with it.
This is not an original idea by any means. Your computer can be hijacked into a bot net. How you gonna feel when you find out about it when your computer craters due to one of these attacks?
[ link to this | view in chronology ]
Re: FBI
Yes, your government is corrupt and helps terrorists every second day then blames Russia, NK or Iran for everything.
[ link to this | view in chronology ]
Re: FBI
The OKC bombing indicates something that is much stronger than the ridiculous amount of TNT they would have had to fit in that truck...
[ link to this | view in chronology ]
Re: Re: FBI
Science = bad only for the ignorant. Most would have never been born were it not for the sciences, and of those that managed to come into the world alive, 2/3 would have left it before age 5.
The living third had horrible lives. Infested by all sorts of parasites and bacteria. Head and body lice alone must have made life miserable. For most, clothes were worn until they fell apart, and were rarely washed. Baths were considered unhealthy (as well as immoral), and a great number of people had two baths. One when they were born, another on their wedding day. I can not imagine the crusts and odors that would have built up. Perfume chemists were (and remain) in high demand.
I could go on endlessly, but those who despise the sciences know nothing of science or history.
[ link to this | view in chronology ]
Re: Re: Re: FBI
[citation needed] Particularly in Europe, the concept of "wash and be clean" was a major part of both Judaism and Christianity from the very beginning.
[ link to this | view in chronology ]
Still pretty grimy
My source is An Underground Education by Richard Zacks. I'd need to find the book to look up his source. Of course, he also suggested that Brigham Young made full use of his cultish influence to seduce women in the form of "God wants you to have sex with me. HELL IF YOU DON'T." So Mr. Zacks may hold some... unpopular opinions.
[ link to this | view in chronology ]
Nation states. Every time I see that term, I have to wonder who came up with it and why. A nation is a state, so that's kind of redundant.
Do you go around calling people "person beings"? What sort of pets do you prefer? Are you a feline cat person being, or a canine dog person being?
[ link to this | view in chronology ]
Nations are rather new
Before that, a person's fealty was to his lord, and then to his lord's lord, ultimately to the king. (All that I am your LORD crap in the KJV was using the language of the time to articulate that God was supposed to be the top boss.) When a new king rose to power, then everyone had to reinstate their fealty to the new boss, usually on pain of death.
Once we developed the notion of nations, the process was easier. Whoever the king of France becomes is less consequential if your loyalty is to France.
However, this change in thought created some new notions: what if a given king was bad for the country? Is it not then patriotic to vanquish the king and put a better regent in his place?
And this train of thought was a critical step in the development of Democracy, and the modern nations.
Soooo... States are generally nations. But they are not conceptually the same thing.
[ link to this | view in chronology ]
Re: Nations are rather new
That's "the party line", or what history wants us to think (so we'll be good citizens of The State). I'm still mostly loyal to a person; myself. Others are loyal to family, then extended family, then those you live close to or deal with on a regular basis. Some person half a continent away who I've never met and with whose ideas or aspirations I disagree, not so much. Once you get into Louis' "L'etat, c'est moi", we're in serious disagreementland.
Ancient Greece was city states. There was no "nation" then. Rome changed that, or maybe it was rampant tribalism elsewhere and Greek city states were the outlier.
Regardless, nationhood came to be recognized and accepted as the best way to wield power and control over populations, and we've been stuck in that downward spiral ever since. I wish humanity could get over this infatuation, but too many others appear to prefer this state of affairs (so far).
[ link to this | view in chronology ]
Re: Re: Nations are rather new
FTFY
[ link to this | view in chronology ]
Re: Re: Re: Nations are rather new
It's pretty silly that you believe barbarism is the only option. I'm trying to get us out of it.
[ link to this | view in chronology ]
Re: Re: Re: Re: Nations are rather new
We must be reading about different messes then. Most of the ones I read about daily are caused by small, unaccountable, powerful individuals and groups loyal only to themselves (and occasionally to shareholders, which also mostly falls under "themselves" in most cases) pursuing unchecked greed and attempting to live by the rule of Might Makes Right. You know, barbarism.
I really ought to call Godwin on this and be done with it. But let me point out two things. First, every one of those governments failed, and failed pretty quickly, far faster than the average, and they are no longer with us. Communist China is sort of an edge case; technically they're still with us, but they've changed so much in the last few decades that Mao wouldn't really recognize the modern Chinese government.
Second, I really do appreciate the way the Nazis organized their population productively. They took a war-torn nation suffering under crippling poverty, debt, and hyperinflation, and in the course of a few short years they managed to turn it into an industrial powerhouse that was the envy of the world. And then they got into a war of conquest, genocide, and all manner of horrible things that have since turned their very name into a synonym for "evil," but just imagine if they had put all that potential to a productive use instead!
When's the last time you built a road, commissioned a police or fire department, established standards for things we use every day to work together, or educated a child? I've never done any of those things as an individual "person like you and me," but as a citizen, I do all of the above and more on a regular basis, by paying taxes and contributing to things larger than myself, which raises my standard of living, and yours, and that of all citizens. That's what civilization is: a group of individuals working together in an organized fashion to accomplish things beyond the scope of what they could accomplish on their own.
Sure sounds like you're trying to do away with civilization and revert to an every-man-for-himself society. That is the very definition of barbarism.
[ link to this | view in chronology ]
Devolving back into barbarism
And these all depend on the presence of a robust infrastructure.
[ link to this | view in chronology ]
Re: Devolving back into barbarism
Infrastructure must be managed by society and not by individuals driven by a profit motive, because high-quality infrastructure is unprofitable and attempts to make it profitable inevitably decrease its quality, to the detriment of all. (See: Comcast, Verizon, AT&T, TWC, toll roads, privatization of water supplies, privatization of prisons, and so on...)
[ link to this | view in chronology ]
Re: Re: Devolving back into barbarism
So much this. We need society and a state in which we are citizens so that the one can benefit from the many, and the many from the one. Interdependence is the key here. The idea that we're all in the same boat is what makes for a healthy society. Problems begin when individuals and groups attempt to exempt themselves from taking their turn at the oars using the "What's in it for me?" argument.
Subordinating ourselves to a group of any size can and will detract from our individuality but abrogating our responsibilities to the group/society will, by definition, detract from the group/society if enough of us do it. The impact depends on the size of the group and the number of people not pulling their weight.
This is why I can't abide big L libertarians. They're too damn selfish. The small Ls I can live with; they don't live in a fantasy world in which selfishness is a virtue that benefits all.
[ link to this | view in chronology ]
Re: Re: Re: Devolving back into barbarism
I fully agree with the rest of that, but why believe a state has anything to do with it?
I'm trying to do a cost/benefit analysis, and all indications I see show that states and rulers are not worth the price we pay for them. People appear to believe allowing us to benefit from wonders like indoor plumbing demands we accept a ruler to keep us squabbling kids from hurting and stealing from each other. Why, and how's that working out for us, really? All indications show it's doing a damnably poor job of it. The rich get richer, the poor get poorer, and war after bloody war decimates innocents in their way. How can this be better than the alternative, except for the privileged, connected few who've mastered the machinations of state bribery?
Yes, and what's a state, or rulers, got to do with that? We give up our autonomy for the greater good, and it's taken and given to the friends of the state, who in turn use it to enrich their friends instead of all of us as equally deserving partners. Subordinating ourselves to a state has not eliminated those few who use it to divide and conquer us individually. In fact, it empowers them. It creates a point of concentration (a la shopping mart) where they can go to grab (or buy) our power to use against the rest of us.
This is why I can't abide statism. Its chosen friends and hangers-on are too damned selfish, and demanding I help them by laying down my arms in favour of the many sacrifices us all to the whims and greed of the privileged, connected few.
[ link to this | view in chronology ]
The necessity of the state
There's a couple of things.
The state was established during feudalism as the one that holds the monopoly on force, that if anyone else attacks, invades or breaches the rights of anyone else (including aggressors foreign) that the state intervenes and defends the meek.
And then there's the matter of standards. Meat inspection, restrictions against lead pipes, regulations on advertising and so on all come from the power of the state.
So far all our iterations of statehood have sucked, but until we can effectively refine it so that it works or find a substitute that works adequately in its stead, it's going to be a necessary evil. Otherwise, society WILL devolve into natural order (rule of might) until a state, most likely feudalism, is established.
[ link to this | view in chronology ]
Re: The necessity of the state
Good answer. That in itself justifies the state. If only we could get that part to actually work! Instead, we still end up with belligerent states run by greedy and arrogant politicians using that military power for political ends instead of defense or merely upholding sane laws.
One of the things I was hoping for from the Internet was a massive improvement in communications and citizen reporting. If the Streisand Effect can do all the wonderful things we've seen it do, then surely masses reporting on-line (Yelp?) that so and so is selling bad meat, yada yada, would negate the necessity for expensive and often ineffectual regulatory bodies (cf. FCC).
I'm hoping that one of these days, we'll start to get education for the masses right, and people will start to see the need to take their rightful place in seeing how !@#$ gets done, not just continue letting things happen to them because they can't do anything about it anyway.
[ link to this | view in chronology ]
Re:
You could have spent 5 seconds looking up the term and learning why it exists before posting something useless. Perhaps you belong on Slashdot rather than Techdirt.
[ link to this | view in chronology ]
Re:
There you go.
[ link to this | view in chronology ]
GO FOR IT
you will all pay dearly if you begin this......
and the thought "you ain't seen nothing yet"
[ link to this | view in chronology ]
"you will all pay dearly"
The problem is that we're paying pretty dearly already. And many, many of us are running out of things left to lose.
If you're not one of them. If you still have life and family and money, then this should be a concern to you.
[ link to this | view in chronology ]
Was wondering what would be commented on first...
[ link to this | view in chronology ]
Maybe they figure out that the only winning move is not to play...
[ link to this | view in chronology ]
This reminds me of a story.
The woman in question is now caught up with some colorful characters, and despite prior promises otherwise, isn't being very helpful in him getting his stuff back. Said colorful characters could be a threat were he to go up alone, and then there's the logistics of customs.
We were joking around and talking about hiring a contingent of big men with guns to escort him while he collected his belongings. Burning her house to the ground is optional. And the question rose of legal issues that might rise.
On a lark we looked at the cost of hiring a Security Team, say from Xe or Academi or whatever they call themselves now (so many names!). If you can afford mercs, you can afford a legal team that could get OJ Simpson acquitted. Or even a prosecutor to assure there's no indictment.
The cheaper option is to hire the local constabulary force to "enforce the law", e.g. make sure you get to take all you want.
I suspect when the big companies start counter-hacking and crashing innocent go-between computers, they'll never get prosecuted because they can afford to stay above it or quagmire the courts for decades.
So yeah, hack A to set up a false flag on B and watch the storm from a safe distance.
[ link to this | view in chronology ]
Re: Re: Re:
After all, the number of judges that will call you on it could be counted on a single hand, so the odds are fairly good that you'd get away with claiming whatever you wanted to.
[ link to this | view in chronology ]
Hell some of the OSX systems use apple as a username and apple as a password and this is used whenever someone 'forgets' their primary password!
[ link to this | view in chronology ]
What happens if data goes "missing"?
[ link to this | view in chronology ]
It's a very fancy model.
It's also possible that the botnet master looks identical to the rest of the botnet when looking from the botnet.
So you'd be trying to figure out in a swarm of flies which is the master fly.
I suspect the big companies will get frustrated and just choose to kill everything in the botnet.
[ link to this | view in chronology ]
Re:
In my view, that doesn't change the ethics of it at all. If I have a machine that's been coopted into a botnet, having a company "counterattack" by injecting their own code onto my machine means that I've been illegally and unjustly attacked by two parties instead of just one. I think anybody who does such a thing, regardless of their intention, is acting in an egregiously bad manner.
"That way, you are not actually denying any service to any innocent 3rd parties, and are only destroying legit targets."
For this to make any sense, you have to believe that the only attacks that are worth objecting to are ones that cause a denial of service. Attacks that result in a denial of service, however, are the ones that are the least worrisome, not the most.
[ link to this | view in chronology ]