Friday, January 15, 2010

A Case for Hacking Back and How InfoSec Could Get a Whole Lot More Fun^H^H^HInteresting

After Google’s Stand on China, U.S. Treads Lightly


Here are some interesting quotes from the article:

"...the company began a secret counteroffensive."
"It (Google) managed to gain access to a computer in Taiwan that it suspected of being the source of the attacks. Peering inside that machine, company engineers actually saw evidence of the aftermath of the attacks, not only at Google, but also at at least 33 other companies, including Adobe Systems, Northrop Grumman and Juniper Networks, according to a government consultant who has spoken with the investigators."

and

"For example, the servers that carried out many of the attacks were based in Taiwan, though a Google executive said 'it only took a few seconds to determine that the real origin was on the mainland.'"

At what point will companies start condoning and justifying this sort of active response on a regular basis? As much as this incident says about the current state of verifiable, targeted attacks and APT, what does it say about the justification for "hacking back" against the attackers?

If an organization does not have the capability to perform this sort of 'investigation' in-house, how will your company (if you're a consultant) handle the request when it comes?

The DoJ Computer Crime & Intellectual Property Section has some interesting reading in Appendix C, Best Practices for Victim Response and Reporting:

4. Do Not Hack into or Damage the Source Computer
Although it may be tempting to do so (especially if the attack is ongoing), the company should not take any offensive measures on its own, such as "hacking back" into the attacker's computer—even if such measures could in theory be characterized as "defensive." Doing so may be illegal, regardless of the motive. Further, as most attacks are launched from compromised systems of unwitting third parties, "hacking back" can damage the system of another innocent party. If appropriate, however, the company's system administrator can contact the system administrator from the attacking computer to request assistance in stopping the attack or in determining its true point of origin.

Based on the NYT article, Step 3 for responding to an incident, "Notify Law Enforcement", occurred according to this quote:

"Seeing the breadth of the problem, they alerted American intelligence and law enforcement officials and worked with them to assemble powerful evidence that the masterminds of the attacks were not in Taiwan, but on the Chinese mainland."

So another question arises: when, at what level, how, and to what extent did American intelligence and law enforcement officials become involved?

Even if Google put the cart before the horse, I don't think that the company or those involved in the investigation will be punished.

Further reading:
Hacking Back: Optimal Use of Self-Defense in Cyberspace
