Full Version: Companies hacking back
Backgammon
Article from the Economist, reposted here: http://www.economist.com/news/business/215...gainst-computer

QUOTE
Firewalls and firefights

A new breed of internet-security firms are encouraging companies to fight back against computer hackers
Aug 10th 2013 | LAS VEGAS AND SAN FRANCISCO | From the print edition


“IF SOMEONE is shooting at you, the last thing you should focus on is the calibre of the bullet,” says George Kurtz, the boss of CrowdStrike, a young tech company. Seated at a coffee table at Black Hat, a conference for the cyber-security industry held in Las Vegas recently, Mr Kurtz is expounding on the fundamental flaw he sees in the way many firms deal with cyber-intrusions. Most, he says, spend too much time trying to work out what hit them and far too little trying to understand the motivations of their attackers and how to counter future assaults.

CrowdStrike is a vocal advocate of “active defence” technologies that are generating much buzz in the cyber-security world. Their proponents argue that those who think firewalls, antivirus programmes and other security software are enough to keep their networks safe are kidding themselves. Instead, companies should work on the assumption that their systems have been breached, and take the fight to the hackers. The methods they prescribe include planting false information on their systems to mislead data thieves, and creating “honeypot” servers, decoys that gather information about intruders.

There are worries that such talk of active defence may encourage companies to go further, and “hack back” at their tormentors, even though many countries have laws that forbid such activity. In a survey of 181 delegates at last year’s Black Hat event, just over a third said they had already engaged in some form of retaliation against hackers.

Concerns about cyber-vigilantism have not deterred financiers from investing in tech firms that see active defence as a money-spinning opportunity. Take the case of Endgame, a secretive outfit that is adapting technology developed for intelligence agencies for commercial use. In March it raised $23m in a second round of funding and added Kenneth Minihan, a former director of America’s National Security Agency, to its board. Endgame has reportedly developed a system called “Bonesaw” that detects which software is being used by devices connected to the web. This could be used defensively by companies to detect vulnerabilities on their own devices, but could also be used to spot them on someone else’s.

Gibberish and gobbledygook
Like many other information-technology businesses, the active-defence firms are deploying cloud computing (the delivery of software and data storage over the internet) and big-data crunching. CrowdStrike has developed a cloud-based service that scoops in intelligence about online threats from across the web and merges them with analysis from its own research team. It charges its customers from $25,000 to hundreds of thousands of dollars a year for its services. At the Black Hat conference researchers from Endgame demonstrated a system dubbed “BinaryPig”, which crunches huge amounts of data swiftly to help identify and understand hackers by seeking patterns in the “malware” that they use to enter others’ systems.

Other companies are concentrating on technology to foil software that hackers use to enter websites to indulge in wholesale “scraping”, or extraction, of their content. CloudFlare, one such start-up, has developed a service called Maze, which it proudly describes as “a virtual labyrinth of gibberish and gobbledygook”. The service detects content-scrapers and diverts them from the site’s useful material into dummy web pages with useless content.

John Strand, an expert in active-defence techniques at SANS Institute, a computer-security training outfit, says the goal of all these technologies is to drive up the costs that hackers incur in the hope this will deter them in future. It is not to wreak havoc in enemy servers. “We deal in poison, not venom,” he says.

But some security boffins argue that companies should be given more legal latitude to probe those servers. Stewart Baker, a former Department of Homeland Security official who now works for Steptoe & Johnson, a law firm, thinks firms should be allowed to “investigate back” in certain carefully prescribed situations. “There’s a difference between being a vigilante and a private investigator,” he insists. He also suggests that governments should consider licensing specialist firms to conduct investigations according to strict guidelines, rather than relying solely on their own cyber-detectives.

Other voices in the industry give warning that letting private companies hack into others’ servers, even to protect their own property, could lead to trouble. “It’s a foolish strategy to up the ante when you don’t know who you are attacking,” says Jeffrey Carr of Taia Global, a security consultancy. Mr Carr notes that hackers who are provoked might strike back even harder, triggering an escalation of hostilities.

Even some of the techniques employed by firms such as CrowdStrike could land firms in trouble. For instance, it might seem cunning for a company to try to trick hackers into losing money, by planting dummy accounts somewhere on their system that made the company’s financial health seem much worse than it is. But if instead of just using the misinformation to make unwise trades, the hackers leaked the figures to the financial markets, the company could find itself in hot water with regulators.

In spite of such risks, which can be minimised through close co-ordination between companies’ IT and legal teams, security experts are predicting that the popularity of active-defence techniques will grow. One reason is that businesses are making increasing use of cloud computing and mobile devices such as smartphones, which make it harder to establish clear defensive perimeters around their IT systems. “If you don’t really know where your castle starts and ends, you can’t really build an effective wall and moat around it,” explains Nils Puhlmann, formerly chief security officer of Zynga, a social-gaming company, and a founder of the Cloud Security Alliance, an industry group.

He has a point. But it is not just the mentality of tech teams that will need to change. Today, many executives assume that what’s inside the corporate firewall is pretty safe and what’s outside it is not. But now that cyber-criminals are scaling even the highest of these walls with impunity, businesspeople must shed this binary view of security. Wherever data are held, they will need stronger, and smarter, protection from the hackers’ digital bullets.
Tymeaus Jalynsfein
Very, Very Interesting indeed...
SpellBinder
Still you have the human element.

I remember an article long ago about a hacker for Anonymous that got through just by calling in and asking for a password reset.
Tymeaus Jalynsfein
QUOTE (SpellBinder @ Sep 4 2013, 05:17 PM) *
Still you have the human element.

I remember an article long ago about a hacker for Anonymous that got through just by calling in and asking for a password reset.


Which is not all that uncommon, sadly.
SpellBinder
I believe it.

The Face, being a better decker than the decker.
Sendaz
That reminds me, is a Techno/Decker referred to as a DoubleDecker?

I am just thinking though, some hackers work through zombie'd systems, i.e. they compromise someone else's computer to send the malware through from.

If these people are backtracking an attack and end up at Joe's Computer (the compromised system), how are they going to be able to tell that he is not the real originator of the malware without basically co-opting his system and rooting around inside it?

I mean, it's one thing to alert the authorities and have them send someone over to investigate this and in the process of the investigation of the system they determine whether it was compromised or not, but how would you feel if Mega Computer Systems, Ltd. basically rapes your computer trying to determine if you were the hacker or not in a recent attack and in the process have access to all your files?

Cyber-vigilantism indeed.

It makes me recall a series of incidents a few years back when a certain electronic store's in store tech support service was discovered to have been copying information from computers being brought in to be worked on as well as loading key loggers and other spy type programs. Not quite the same, but it's a reminder that techies are still human with all their foibles and when you hand large chunks of power to someone, there will be the urge to abuse it that some will fall for, especially when there is little or no oversight on this.
Backgammon
QUOTE (Sendaz @ Sep 5 2013, 05:48 AM) *
If these people are backtracking an attack and end up at Joe's Computer (the compromised system), how are they going to be able to tell that he is not the real originator of the malware without basically co-opting his system and rooting around inside it?


Well, it gets worse than that. There was another article a while back about how cyberwarfare is a big deal between governments right now, right. We've all heard how China is hacking the shit out of everyone, especially the US, but that it's very difficult to PROVE it's actually a Chinese hacker that got into this or that system. Well, take that problematic, and apply "proactive defence" - a third party actor could basically start a cyber war between 2 countries by making himself pass off as another country's hacker.

So, it definitely gets messy.
Tymeaus Jalynsfein
QUOTE (Sendaz @ Sep 5 2013, 03:48 AM) *
That reminds me, is a Techno/Decker referred to as a DoubleDecker?


You, Sir, Should be flogged... or better yet, bamboo canes applied forcefully to the soles of your feet.
Draco18s
QUOTE (Tymeaus Jalynsfein @ Sep 4 2013, 07:39 PM) *
Which is not all that uncommon, sadly.


Actually, that's how all of North Korea's hacking happens. They're not very computer savvy (compared to other hackers) but they know how to coerce people.
CanRay
QUOTE (SpellBinder @ Sep 4 2013, 08:34 PM) *
The Face, being a better decker than the decker.
The Decker should never forget his roots. Social Networking V1.0!
shonen_mask
QUOTE (Sendaz @ Sep 5 2013, 05:48 AM) *
That reminds me, is a Techno/Decker referred to as a DoubleDecker?

I am just thinking though, some hackers work through zombie'd systems, i.e. they compromise someone else's computer to send the malware through from.

If these people are backtracking an attack and end up at Joe's Computer (the compromised system), how are they going to be able to tell that he is not the real originator of the malware without basically co-opting his system and rooting around inside it?

I mean, it's one thing to alert the authorities and have them send someone over to investigate this and in the process of the investigation of the system they determine whether it was compromised or not, but how would you feel if Mega Computer Systems, Ltd. basically rapes your computer trying to determine if you were the hacker or not in a recent attack and in the process have access to all your files?

Cyber-vigilantism indeed.

It makes me recall a series of incidents a few years back when a certain electronic store's in store tech support service was discovered to have been copying information from computers being brought in to be worked on as well as loading key loggers and other spy type programs. Not quite the same, but it's a reminder that techies are still human with all their foibles and when you hand large chunks of power to someone, there will be the urge to abuse it that some will fall for, especially when there is little or no oversight on this.



Submitting a desktop for repair and someone stealing info off it is not a Hack. Some lame working for a government agency with an I.D., with a password to the office computer, with an admin password, then steals docs is not a hack...

If people were so concerned with anti-hacking, agencies like the NSA would be in fashion a bit more. But now instead it's time to give the first wingnut with a corporate charter domain over our information...
Nemo157
QUOTE (Sendaz @ Sep 5 2013, 11:48 PM) *
I am just thinking though, some hackers work through zombie'd systems, i.e. they compromise someone else's computer to send the malware through from.

If these people are backtracking an attack and end up at Joe's Computer (the compromised system), how are they going to be able to tell that he is not the real originator of the malware without basically co-opting his system and rooting around inside it?


Heh, if companies actively hacking back into systems that hack them becomes common you could make a double-honey pot. Somehow entice hackers to use your system as a zombie to hack a company, then when the company hacks back record all the info on what they're doing.
Sendaz
QUOTE (shonen_mask @ Sep 5 2013, 01:13 PM) *
Submitting a desktop for repair and someone stealing info off it is not a Hack. Some lame working for a government agency with an I.D., with a password to the office computer, with an admin password, then steals docs is not a hack...

If people were so concerned with anti-hacking, agencies like the NSA would be in fashion a bit more. But now instead it's time to give the first wingnut with a corporate charter domain over our information...

I was not comparing what the tech guys were doing to what hackers do, nor did I call it a hack by itself. They were operating from a position of trust and misused that position.

Rather I was comparing the notion to that of the Companies that want to be able to go after the hackers and that while the company's goal may be well intended, it will still be administered by individuals and without careful oversight of what they do and how, it can be easily abused.
shonen_mask
I agree that is the main topic of the day and should be brought to said topic just as you did in your post....

I'm talking about the lack of concern for general policies toward computer crime in general. No one would 'dare' label the last guy to get caught stealing from his office computer a jerk (*hint* it's in the news). But the NSA who has no choice by US law but to work with all applicable policies, is bullied in the news...



quentra
To be fair, most of Snowden's information revealed surveillance activity that is illegal under current US law. Of course they're gonna be bullied - they should be charged with fucking crimes, because they were committing fucking crimes.

Shit, what happened to the anarchist punks who used to play this game? I miss those guys.
Sendaz
QUOTE (quentra @ Sep 17 2013, 09:51 PM) *
To be fair, most of Snowden's information revealed surveillance activity that is illegal under current US law. Of course they're gonna be bullied - they should be charged with fucking crimes, because they were committing fucking crimes.

Shit, what happened to the anarchist punks who used to play this game? I miss those guys.

His only mistake was dumping it all, proof and chaff alike. This allowed the spin doctors to play up the chaff (covering events not related to any of the proofs) and keep people's attention off the proof (like the gunship video of soldiers high fiving after shooting up the group that also included international reporters).

But this is straying into RL political/other so we will leave it there for another forum to discuss.
Sengir
QUOTE (Sendaz @ Sep 18 2013, 07:45 AM) *
(like the gunship video of soldiers high fiving after shooting up the group that also included international reporters)

Uhm, that was another guy...Snowden is the one who revealed that everything we always suspected about intelligence gathering is true: They tap cables, cooperate with service providers, pay companies to weaken their crypto implementations...
Sendaz
QUOTE (Sengir @ Sep 18 2013, 06:32 AM) *
Uhm, that was another guy...Snowden is the one who revealed that everything we always suspected about intelligence gathering is true: They tap cables, cooperate with service providers, pay companies to weaken their crypto implementations...

You are correct, I was thinking of Pte 1st class Manning.

Brain not fully recovered from this friggin flu.

The crazy part is this all comes out and other than a splash on the front pages for a short while, nothing really changes.
quentra
I was born in the 90s, what is this 'privacy' and 'change' you speak of? I think reading Neo-As Guide to North America in middle school gave me a skewed perspective on things.
shonen_mask
QUOTE (Sengir @ Sep 18 2013, 06:32 AM) *
Uhm, that was another guy...Snowden is the one who revealed that everything we always suspected about intelligence gathering is true: They tap cables, cooperate with service providers, pay companies to weaken their crypto implementations...



The same information that an ISP for example, has to provide by Law to a company structured like a facebook or microsoft.....

and they by law never have to admit it.....
Sengir
QUOTE (shonen_mask @ Sep 18 2013, 02:22 PM) *
The same information that an ISP for example, has to provide by Law to a company structured like a facebook or microsoft.....

How shall I put it...no
Dumpshock Forums © 2001-2012