Hacked Companies Fight Back With Controversial Steps 320
PatPending writes with this report on companies taking aggressive steps to deal with electronic attacks: "Known in the cyber security industry as "active defense" or "strike-back" technology, the reprisals range from modest steps to distract and delay a hacker to more controversial measures. Security experts say they even know of some cases where companies have taken action that could violate laws in the United States or other countries, such as hiring contractors to hack the assailant's own systems. Other security experts say a more aggressive posture is unlikely to have a significant impact in the near term in the overall fight against cybercriminals and Internet espionage. Veteran government and private officials warn that much of the activity is too risky to make sense, citing the chances for escalation and collateral damage." If you've been involved in such an action, how did it work out for you?
Asking you to break the law? (Score:5, Insightful)
Just remember, if a company asks you to break the law then you deserve what's coming to you when you get caught.
Look out for the ICE! (Score:5, Funny)
Obviously, they're in the process of developing Gibson's black ICE!
We should be afraid.
Companies are known to strike back (Score:5, Interesting)
There are companies that I know, who employed "private contractors" to do things that they can not legally do, to "make things right"
One of those companies, when its refinery was damaged by some African guerillas, got its own "private contractors" to hit back, and they hit back very very hard
So, I am not surprise of what they will do on the Cyberwar front - the "private contractors" can do anything for you, so long as you pay them
Re: (Score:2)
I was under the impression that "private contractors" had something to do with "shrinking genitalia." Which would also be somewhat effective.
cheers,
Re:Companies are known to strike back (Score:5, Interesting)
In that situation you should pay off the local government police and or military forces. If you can't pay them more than the local militias or criminals, you shouldn't do business there.
That is, in effect, what happens in civilized countries. You pay taxes for police services, if the services aren't up to the task you pay (technically 'lobby') politicians to write laws for you that will get the police up to the task or out of the way.
cyber security is a different matter. There's no one you can pay unless you're a huge multinational, and even then you may not have a presence wherever the problem initiated from. If you're hacked domestically you have the same recourse as physical security, call the police, if there aren't laws that will cover you, pay politicians to write some. But if you get hacked from a foreign country there's really nothing you can do except build hardened systems in the first place. Counter hacking doesn't seem like a good idea, because they, being criminals, are somewhat less hindered by morals and laws than you are, and can retaliate thusly. I suppose if you're really big you pay politicians in both countries to write treaties for you. But that would just serve to make counter hacking illegal.
Comment removed (Score:5, Interesting)
Re:Companies are known to strike back (Score:5, Interesting)
... i think they had seen too many episodes of CSI and actually thought you could hack a network with a VB GUI.
I cringed as much as the next nerd when I heard that line, but if you think about it it actually make sense. The fact that the terms are inaccurate is immaterial. She could have told them she fired up Backtrack 5 and used a known buffer overflow vulnerability in $PerimiterSwitchSoftware to get access to the internal network, and a remote code execution attack to enable directory traversal and and run w3svc as Admin, giving her free reign over the network. Would they have understood any more?
You're thinking of it as the actress saying lines for your amusement. She's not. She's telling a colleague, who wouldn't understand anyway, a bunch of buzzwords and jargon to dissuade them from getting too involved in something which will only confuse them, and distract them from their own involvement in the situation.
If Finance ask you about backups, do you tell them about cron jobs and the difference between differential and full backups? No, you tell them it's daily and hosted off site, and they should worry more about getting your pay cheque ready for the last Friday of the month.
Re: (Score:3)
Why are we arguing about this?!
Re:Companies are known to strike back (Score:4, Funny)
SoF is but one of the many venues that you can find "private contractors", and they come with all kinds of "skill sets"
Re:Companies are known to strike back (Score:5, Funny)
Might one contact such "private contractors" via Soldier Of Fortune magazine?
You want the best, right? A few years ago a crack commando unit was sent to prison by a military court for a crime they didn't commit. These men promptly escaped from a maximum security stockade to the Los Angeles underground. Today, still wanted by the government, they survive as soldiers of fortune. If you have a problem, if no one else can help, and if you can find them, maybe you can hire them.
Re: (Score:3)
not unless they are under 3 (http://www.imdb.com/title/tt0429493/)
A-team movie 2010
Re: (Score:3, Insightful)
Starship Troopers wasn't a serious movie? Jeez, you yanks really don't get irony do you?
Re: (Score:3)
I think when he said "serious" he actually meant "good."
The guy behind it should have spent less time going for "irony" and more time going for "making the characters not come off as complete fuckwits."
Re: (Score:3)
Oh come on and lighten up, it was WAY better than Battlefield Earth [wikipedia.org]! "Starship Troopers" absolutely nailed the 1950's DOD and CD training film style so popular during the "Cold War" - "Red Menace " era.
Re: (Score:3)
- Pointy Haired Boss.
Re:Asking you to break the law? (Score:5, Insightful)
Just remember, if a company asks you to break the law then you deserve what's coming to you when you get caught.
Well..if the US government (stuxnet for example) can do it (with no declaration of war), then it mustn't be illegal right? /ironyoff
Re:Asking you to break the law? (Score:5, Interesting)
once, we had a less-than-skilled attack on a company i was network admining at. I traced the source down to an ISP in a South American country and ISP and I contacted them stating that such-and-such IP on their network was engaging in an attack on my company. I asked them to look into this and block the user from hitting us thru the routes I provided. They said there was nothing they could do. I asked them what other recourse I had. They told me there was nothing I could do but shut down our systems and hope it went away. I asked them if I could take action to stop it and could I get and e-mail statement to that effect. They sent me an e-mail stating there is nothing they could do and I could do whatever I needed to correct the situation.
I ran it by the legal guys. got a thumbs up. put on a darker hat.
moved a bit of traffic off the oc-12 we had and proceeded to clobber the offending IP address and the nodes at the far end (ISP equipment). I got a very polite call after about an hour telling me that the offender has been pulled off-line and asking if I would be so kind as to stop defending myself as it was killing their network. I stopped my defense and was given a few names with contact info to call in the future should the needs arise.
a good result.
Re: (Score:3)
Every time a corporate tool asks me to break the law, I just tell them "No problem! Put it in writing and sign it!", and then they go ask somebody else and I never hear about it again. Totally not kidding.
Re:Asking you to break the law? (Score:5, Insightful)
It's up to /. (Score:3)
We are not anonymous nor 4chan
We are all guests on /.
We must respect /.'s decision on what to do
If /, decides that it wants this annoyance to continue, that this annoyance will continue
Re:It's up to /. (Score:5, Funny)
Perhaps we could use something called "active defense" or "strike-back" technology to fight these MCPC floods?
Ooops. Sorry guys, that put us accidentally back on-topic.
Carry on...
Stop playing the troll's game !! (Score:3, Informative)
One of the troll's aim is for others to repeat "mcpc"
What you are doing is just that, repeating it, 4 times
Stop playing that troll's game
Stop repeating "mcpc"
Control your temptation
Re:Stop playing the troll's game !! (Score:4, Informative)
Lets call it MyCleanPc not mcpc, which is really close to the trade name MCPc; MCPc is a legitimate reseller and professional services organization. I am former employee of MCPc and I can tell you when I worked there they always treated me well, and did right by their customers too.
Please don't conflate their name MyCleanPc which seems to have a somewhat dubious reputation and is a different company.
Re: (Score:2, Informative)
Re: (Score:3)
I'm pretty sure that tells the search engine not to follow the links in the comments.
Actually, this is no longer true. Nowadays, google even follows stuff that are not even links. Mention http:/// [http] in plain text, and google will follow it. I've got a couple of perl scripts available for download on my site, and some have URLs embedded in them, which the script pieces together with other stuff to get a real URL to download. Google crawls the script, recognizes the pieces as URLs, and the download attempts show up in my logs...
So yes, spamming forums helps the spammers again, and that even if
Re: (Score:3, Funny)
Well, I found your post insightful and informative. I would like to subscribe to your newsletter good sir.
I do the following (Score:5, Funny)
I simply drive to the GeoIP location with my illegal police baton and smack the head of whoever happens to be there at the time when I arrive. I've been doing this for a few years now.
Re:I do the following (Score:5, Funny)
Stupid (Score:5, Interesting)
The only time I've ever heard of something like this working out, it was when someone actually went to the effort to find out who was hacking them, and then turned the case over to the police. There was a story like that covered here on Slashdot several years ago.
Not even his computer. (Score:5, Interesting)
If the script-kiddie knows anything at all he'll be attacking from a zombie he's already "owned".
I think this is more sensationalism than fact.
Re:Stupid (Score:5, Interesting)
Sure enough, within a day, I had IP addresses and was able to resolve to the attackers location. He was stupid enough to not be using a proxy, and stupid enough to leave some vulnerabilities open on his PC - that made it very easy to be certain that he was the attacker.
I collated my data, and presented it to the Feds. They weren't interested. Couldn't even care less.
So I contacted the attacker independently (through my own proxies), and let them know that they should get better at what they're doing, or get out of the game. They didn't try to contact me again.
I can understand why people would be tempted to undertake their own vigilante actions.
Re:Stupid (Score:4, Interesting)
Unfortunately there are still too many of those who believe that the law will "protect" them
Even here, we can see those who fervently advocate going to the police / fbi / court even in the cyberwar cases
There's no point to go to the law when the other side does not believe in one - and, the law there is, in most cases, do not have the jurisdiction over those black hat, in the first place
Re:Stupid (Score:5, Insightful)
Re: (Score:3)
Re: (Score:3)
More accurately "What are you going to do, DDOS some script-kiddie's rotating IPv4 address" and attack some innocent bystander who has a capped download limit and must pay excess charges for downloads and uploads, not only blocking them from using the internet but also having to pay for excess usage charges.
There is only one active response to be considered, gather all the evidence, reduce the risk of the attack but allow it to continue, contact the appropriate authorities supply the evidence and demonst
Not true that fighting back doesn't work. (Score:2, Interesting)
I was doing due diligence on a computer security firm once who had be subject to a DDoS blackmail attack, you know, give us $5,000 or will we will keep your web site down. Well they back traced the control to some cyber cafe in eastern Europe and worked with the State Department to actually get the local police to go in and arrest the people involved.
If someone is actively hacking you then hacking them back isn't a crime (or it shouldn't be) its just self defense. And if you have to hire some firm to do it
Re:Not true that fighting back doesn't work. (Score:5, Insightful)
95% of the time your "retaliation" isn't being targeted at the actual attacker, you are far more likely to be attacking some 3rd party's legitimate, vulnerable server that is acting as a re-director for the attacker. Now the 3rd party is going to be pissed that you're harming their business.
Re: (Score:3)
Thank you. That was the first problem I noticed with their revenge-oriented approach.
Re:Not true that fighting back doesn't work. (Score:5, Insightful)
I was doing due diligence on a computer security firm once who had be subject to a DDoS blackmail attack, you know, give us $5,000 or will we will keep your web site down. Well they back traced the control to some cyber cafe in eastern Europe and worked with the State Department to actually get the local police to go in and arrest the people involved.
If someone is actively hacking you then hacking them back isn't a crime (or it shouldn't be) its just self defense. And if you have to hire some firm to do it I don't see how it is any different than hiring armed security guards or private detectives.
If the law says you can't defend yourself from someone trying to ruin your business then the law is an ass.
Equal to "If someone breaks into your home, you should be able to break into their home."
Re: (Score:2)
Equal to "If someone breaks into your home, you should be able to break into their home."
More like, "your neighbor is throwing rocks through your windows from inside his house and the police can't be troubled to do anything about it so you go over and stop him, and if his door is locked you may have to break it down"
Re: (Score:3)
Except in this case, you need to make sure those bricks are coming from that house. Forged IP addresses and what not.
Re:Not true that fighting back doesn't work. (Score:5, Insightful)
Equal to "If someone breaks into your home, you should be able to break into their home."
It's more like "If someone breaks into your home, you catch their license plate number. You should be able to break into whatever house the license plate is registered to, and see if you can find your stuff."
No you don't. Investigating the crime is law enforcement's job.
Re: (Score:3)
no investigation required, you know where your stuff is. It's a problem of recovery. That you can do yourself.
No, you suspect your stuff is somewhere, but that doesn't give you the right to cause criminal damage to someone else's property or to trespass upon it. Even if they had broken into your property, your course of action may now mean that they won't be charged with the crime, but that you will instead, or that you two would share a jail cell.
Just because their truck was taken by someone without
What if it was a hospital? (Score:5, Insightful)
That's a great idea right up until it is a server in a hospital that is being used for the attack.
No. I'm going to have to go with the other post:
And not just that but also a house you THINK belongs to the attacker when it is just one that the attacker is using.
Good luck with that. (Score:5, Insightful)
Good luck with that in court. I'm sure the judge and jury will completely understand your need to risk the lives of patients because you wanted to.
After all, if you were competent then you'd be able to block the attacks or at the very least mitigate/ameliorate any possible damage from them.
I mean that if a patient dies because of the cracker then it isn't your concern.
But if a patient dies because YOU decided to take out that server ... enjoy your stay at the Federal Pound Me In The Ass Prison.
Re: (Score:3)
After all, if you were competent then you'd be able to block the attacks or at the very least mitigate/ameliorate any possible damage from them.
Which highlights the very valid point that competence is irrelevant when the incompetence of many contributes to the attack. The hospital was also incompetent, so what is their liability if they're already operating a compromised system on behalf of their patients? Is this only a problem once that system is used to compromise another?
There's a good need for a 10,000' view of this.
Re:Good luck with that. (Score:5, Insightful)
No court system in the world has any jurisdiction over "private contractors", or they won't be "private contractors"
Either you are trolling or there is a huge gap between your understanding of the law and what the situation actually is. I suggest you talk to a lawyer before you test your theory in real life.
I hope you aren't mixed up in this nonsense: Sovereign Citizens: Radicals Exercising 'God-Given Rights' or Fueling Domestic Terrorism? [go.com]
That would be unlikely to end well. Sovereign Citizens - A Growing Domestic Threat to Law Enforcement [fbi.gov]
Re: (Score:3)
Yes, who can ever forget when Hewlett-Packard received the corporate death penalty for running a cell phone hacking scheme through a third-party contractor.
sPh
Re:What if it was a hospital? (Score:5, Insightful)
I'm guessing the court probably won't feel the same way when you're sued for everything you've got by the dead patient's family and the hospital, especially when an expert witness testifies that all you'd have to have done to stop the attack was insert a couple of firewall rules or null route the target IP for a little while.
Re:What if it was a hospital? (Score:5, Insightful)
Might as well bring down that server - if there happened to be patients died as a result, it's not your fault either, it's the fault of the hospital IT staff that let their server to be compromised
Yeah, well, that's your opinion. The law disagrees. A server of ACME Inc. was used by Black Hat to attack your server, which means Black Hat broke the law and, if caught, will be in trouble. The problem is that you, too, attacked ACME Inc.'s servers, and now you're in trouble too. In fact, you're in more trouble than Mr. Black Hat since he used 7 proxies while you or your contractor didn't.
And in military parlance, it's called "collateral damage"
Correct. But you and what army is going to convince the judge that you're free to kill innocents too?
Re: (Score:3)
No, then it's a BETTER idea. Not only is it better for you to have legal protection from being sued for disabling the system, but it's a BETTER idea for someone to stop the compromised system which is probably also leaking very sensitive identify data from patients.
Yes, and the lawful way you accomplish that is to call the hospital and inform their IT staff*. You don't hack the hospital, especially if you don't want to be sued for the downtime and costs to repair the damage you did that both the hospital and its vendors had to work to repair.
A punch comes from a direction, you disable the guy obviously punching from there. Possibly someone else told him to do it; that's one less guy punching you right now though. That's one less guy he can tell anyone ELSE to punch (or worse).
IP packets aren't a punch. You are justified in alerting the hospital, and blocking their packets anywhere from your network to the edge of theirs. You are not justified in hacking them.
*You do realize that hospitals are 24 hour
Re: (Score:3)
How about instead of hitting the nuclear war button you try contacting the owner first, or their ISP?
Re: (Score:3)
What if the person who punched you has moved away in the time it took you to turn around and you punch the guy that was standing behind him? Not only did you not reduce the number of people attacking you, but, if everyone acted like you, you now have one more person wanting to kick your ass.
Re:Revision (Score:5, Interesting)
So what happens when people start faking attacks on their server, so they have an excuse to attack their competition?
Re:Not true that fighting back doesn't work. (Score:5, Insightful)
Re:Not true that fighting back doesn't work. (Score:5, Insightful)
To me, tracking them down (let me guess, you can do a traceroute?) isn't exactly hacking by any means. Finding the person and telling law enforcement is not hacking, it is arguably the antithesis of hacking (not to say you got the right person, but that's aside the point). That makes your later claim that this is somehow like having someone holding a gun to your head, thus justifying "self defense," all the more confusing.
Re: (Score:3)
To me, tracking them down (let me guess, you can do a traceroute?) isn't exactly hacking by any means. Finding the person and telling law enforcement is not hacking, it is arguably the antithesis of hacking (not to say you got the right person, but that's aside the point)..
No they tracked them down by using an automated intrusion tool to break into one of the DDoS attack machines and then followed the stepping stone servers back to the control machine.
Re: (Score:2)
I guess I'm just not sure how the first half of your post relates to the second. What actually happened sounds fairly reasonable and not anything like what TFA is talking about; they d
Re:Not true that fighting back doesn't work. (Score:4, Insightful)
I guess I'm just not sure how the first half of your post relates to the second. What actually happened sounds fairly reasonable and not anything like what TFA is talking about; they didn't try to smoke the attacker, they found them and reported them.
You are missing that in order to report them they had to break into all the machines on the control path back to the source. If using exploit penetration tools to compromise attack machines and their command/control nodes isn't "hacking" I'm not sure what your definition of the word is.
Re:Not true that fighting back doesn't work. (Score:5, Informative)
Many botnet clients apply security patches to prevent others from taking the machine.
An eye for an eye (Score:4, Insightful)
Actually, an eye for an eye can be very appropriate, if you understand what the passage is really saying: not that you're entitled to an eye for an eye, but to no more than an eye for an eye or a tooth for a tooth. It doesn't so much institutionalize revenge as place a fair limit on it. There are, of course, two problems here: first, making sure you've identified the culpret correctly and second, how much hacking, DDOS or whatever is appropriate. Personally, if the attacker lives in a country where the law is respected, turning the evidence over to the proper authorities is probably your best bet. If not, have fun; after all, what's the worm going to do? Tell the police, "He found out I was hacking his computer, so he hacked me back?"
Re:Not true that fighting back doesn't work. (Score:5, Informative)
In the case of actual hacking, I have no sympathy. Use proper security and you will not need to worry about it. Unlike denial of service, most commonly exploited security holes are easily fixed - especially if you know they exist (which extortion implies.) Trying to hack back while you have security holes still present in your systems is asking for serious trouble.
Re: (Score:3)
but it is impossible to retaliate against, since it universally uses botnets
And, as we know, botnets are impossible to take down.
Re:Not true that fighting back doesn't work. (Score:5, Interesting)
Well, theoretically, if one were so obsessively inclined, it is possible to spelunk your way upstream, router by router, to track down the offending computers, even when the attacker is using forged IP addresses. Although, I imagine that even the cozy relationship that the various law / intelligence agencies and the various network providers normally enjoy would immediately become rather frosty if they found you doing that.
Once you have one member of the offending botnet, you find out how it has been compromised. A quick port scan can be telling here, but compromising the machine by other methods can be done, if necessary. Then you'd probably copy the botnet software to a VM for some dissection. Then you'd probably create some software of your own, to silently log any future connections to that machine, while trying to figure out how the botnet is being controlled. Eventually, you'll be able to track down the original (command) computer (even if they're using an IRC channel, or website, or relaying a command from one machine to the next ala Whisper Down the Alley style), and then the fun starts...botnet operators HATE IT when you compromise their command machines, and use the built-in webcam to take a picture of them. They really hate it when you record video. They're even more surprised when they're running Ubuntu, and think Linux would somehow prevent them from being hacked...
But yes, the obvious answer to an attacker on your network is to run to the comms room, and physically remove the network cables. As for the above, well, it's hard to find a programmer that's been angered deeply enough to engage in that kind of investigating.
Re:Not true that fighting back doesn't work. (Score:5, Insightful)
If someone is actively hacking you then hacking them back isn't a crime (or it shouldn't be) its just self defense. And if you have to hire some firm to do it I don't see how it is any different than hiring armed security guards or private detectives.
Real world thinking doesn't apply here. In the real world, if someone attacks you, you can beat them up and claim self-defense because you know it was them. In the digital world, very likely the person you are targeting is innocent. If a computer DDoS' your network, you don't DDoS them back, you block that IP address -- because criminals don't use their own computers to conduct attacks, and neither do they sign every packet with their name, address, and phone number. So when you unload on who you think is attacking you, then (by your own logic) they have every right to retaliate against you! At that point you've created the digital equivalent of a bar room brawl, but with weapons of mass destruction. And with every response by either party comes the increased risk of drawing another person into the conflict.
If everyone, or even a substantial minority, follows this logic it leads to the internet becoming lawless war zone where business simply cannot be conducted anymore because the network's reliability has been shot to hell. And let me be clear: You're not above screwing up. Even major name security researchers from businesses that specialize in this routinely get the names of the people involved wrong. Often. Open wifi, proxies, bot nets, the number of ways you can appear to be someone other than yourself is dizzying. Hell, I'm posting this through Tor... good luck even finding out who I am. Criminals have access to much better security than that... what do you think the odds are of figuring out who they are if you can't even figure out who I am when I'm making no special effort to hide my real identity?
Re: (Score:2)
I always thought the cousin Greedo approach would be appropriate.
Spammers/hackers should sleep with the fishes.
Re: (Score:3)
Ah yes, self-defense. Like that scene from the Big Lebowski, when they find out who stole their car? "Do you see what happens, Larry? This is what happens when you f%$K a stranger in the @$$."
I think working "with the State Department to actually get the local police to go in and arrest the people" is a bit different than hacking someone back. Especially when "hacking them back" might be hacking the wrong person's Ferrari to bits.
Re: (Score:2)
I hate that I have to point this out, but please, those of sound mind, repeat after me -
Defense is NOT the same thing as reactive offense.
I note that no longer do we hear government officials suggesting we should just sit quietly in our seats as
aircraft are hijacked anymore.
Re: (Score:3)
Yes, but in the case of the hijacked airplane, you'd probably have a >75% chance of attacking the right people (the hijackers), whereas with a 'cyber'attack,' the number is drastically lower.
Re: (Score:3)
Worked out quite well (Score:5, Funny)
I got the location of the punks house and nailed his mom while he was in the basement.
Feeding time came around and mom did not bring down the hot pockets according the regular schedule and he peeked his head above ground.
Said, "Hi. I'm from the company you were trying to hack. By the way your Mom is quite talented. Going to be around more often"
Got him back good (Score:4, Funny)
Then we called his mother.
She unplugged his PC and told us she'd deal with him when he got home from school.
Re: (Score:2)
You had logs and were still penetrated? What OS has logs and gets penetrated?
Re:Got him back good (Score:5, Funny)
You had logs and were still penetrated? What OS has logs and gets penetrated?
Well, if you're talking back doors, penetration, and encountering logs,you're probably talking OSX!
Re:Got him back good (Score:5, Insightful)
You had logs and were still penetrated? What OS has logs and gets penetrated?
All of them.
Let me get this straight (Score:2)
Re: (Score:2)
Exactly, in any case "active defence" is always an uneven battle. A small IT team that's main job is to keep the system running and most likely has little experience in hacking, and has tons of other work they also have to take care of, versus a team of experienced hackers (if they are just scriptkiddies then they most likely don't worth the effort) who do this full-time.
Strike Back tech (Score:4, Funny)
IP address tracking fiasco part 2 (Score:2)
Best defense.... (Score:5, Insightful)
1. Never put sensitive data on a computer connected to the internet, unless it absolutely must be there.
2. Never keep sensitive data that you don't need, overwrite it, then delete.
3. Never put confidential data into any computer system, networked or not. If you must, do so only if it's encrypted and secured by strong authentication at all times.
4. Use all practical forms of security, firewalls, strong authentication, multiple networks with isolation, IDS, AV/anti-malware, no running as Admin/root, separate accounts for every user with appropriate access restrictions, including separate accounts for any services running on your servers, whole disk encryption, etc.
The first 3 are what I call the "Mr Miyagi" approach, "Best defense, no be there." Item 4 is what most companies focus on, but it's not nearly as useful if you haven't used 1-3.
Re:Best defense.... (Score:5, Interesting)
Never put sensitive data on a computer connected to the internet, unless it absolutely must be there.
o_O Not very realistic when we live in an "always on / always connected" world. Everything is merging into the network and stand alone devices are a minority.
Never keep sensitive data that you don't need, overwrite it, then delete.
Also, you should burn all the clothes you haven't worn in over a week (you obviously don't need that many clothes), not have a junk drawer, and while you're at it, delete any data on your system with an access time older than 3 months. Also, delete sarcasm.sys ...
Never put confidential data into any computer system, networked or not. If you must, do so only if it's encrypted and secured by strong authentication at all times.
Confidential, defined: Everything that isn't out on the curb with a big sign that says "Free" on it. Also, you should stop using the internet since most of it isn't secured and uses strong authentication... there's never a reason to use plain-text data exchanges. I mean, I don't even leave the house without my PGP key, and when I hangout with my friends, we use finger signs that are one-way encrypted... because otherwise someone might understand us and that would be bad.
Use all practical forms of security, firewalls, strong authentication, multiple networks with isolation, IDS, AV/anti-malware, no running as Admin/root, separate accounts for every user with appropriate access restrictions, including separate accounts for any services running on your servers, whole disk encryption, etc.
Basically, throw everything you can at the problem and hope something stops the attacker, and if you frustrate everyone who has to use the system because it requires 30 character long passwords rotated every 15 minutes, 9 levels of encryption, and a sample of hair, blood, finger print scan, iris scan, and ass cheek measurements... it might not be secure enough to protect grandma's secret goolash recipe.
The first 3 are what I call the "Mr Miyagi" approach, "Best defense, no be there." Item 4 is what most companies focus on, but it's not nearly as useful if you haven't used 1-3.
I take a somewhat simpler approach to security: Build it so that breaking it costs more than the value of what you're protecting. There is no perfect security. All of it can be hacked. Your only responsibility, professionally, ethically, morally, is to make it cost them as much or more to break through than whatever is being guarded. Criminals are just as rational as anyone else: They go for the low hanging fruit, the most gain for the least effort. I call it the "Mr. Bear Grylls" approach, 'You only have to run faster than the guy next to you when escaping a lion."
Black ICE got him.... (Score:2)
Plead the 5th. (Score:2)
If you've been involved in such an action, how did it work out for you?
I have, and let me tell you, it was... hey, hold that thought for just a second, someone's knocking at the door...
Indeedy (Score:5, Interesting)
I've been in contact about a job with a French cybersecurity company that has subsidiaries in 3 countries to be able to be able to offer 24x7 service, and, avowedly, do stuff (counter-attack for ex.) that would be illegal in France.
I don't have a big issue with counter-attacks existing, and being nasty (let's face it, if you beat on me, I'm gonna beat on you). I do have an issue with the potential for counter-attack evolving into spying and pro-active stuff. I'm sure they're doing it already.
Re: (Score:3)
I don't have a big issue with counter-attacks existing, and being nasty (let's face it, if you beat on me, I'm gonna beat on you). I do have an issue with the potential for counter-attack evolving into spying and pro-active stuff. I'm sure they're doing it already.
I'm quite sure the ability to do so has existed for many years.
Way back in the mists of time I administered a network with a CIPE VPN. (This was shortly after CIPE had been found to have a number of holes that weren't going to be plugged - it was in the process of being decommissioned but I digress). The straw that broke the camels back with that was when I spotted odd behaviour, ran tcpdump on each end of the VPN and discovered that a very particular type of traffic - VoIP as it happens - was going in one
Honeypots, misinformation (Score:5, Interesting)
I would think lots of honeypots, dead ends, and misinformation would be effective. It would be difficult for the hacker to know when they have accessed legitimate machines or information. That's one of the problems with typical security is that it typically provides confirmation when an access attempt has failed. If instead of indicating failed access, you instead direct them to bogus data, it would make the hacker's life rather miserable.
How about physical reprisals? (Score:3)
When the money in play gets big enough I would think that physical reprisals would become an increasing likelihood. The money providing private security in Iraq and Afghanistan was good, but these guys are looking for new markets and selling an anti-hacking service that involves your attacker winding up dead in a car crash or of an accidental overdose has a certain appeal.
Doesn't End Well (Score:2, Interesting)
Google Multi-bet.
"Seems there has been blackmail and hack attempts to at least two online bookies,
Multibet.com and Centrebet"
"syn flood on port 80 - MASSIVE one
The server was originaly in Alice, thus killing the Alice network. Telstra then implemented their "DDoS protection" (www.radware.com - ironically, when we told our current DDoS protectors this, they laughed) in their Sydney office. It took out part of their core network in Sydney straight away before they killed the www server ips." http://forums.whi [whirlpool.net.au]
False flag (Score:3)
So, if I want to hack Lockheed Martin, I route my attack through a compromised Boeing system. Then I sit back and watch the antics ensue.
Pointless stupidity doing collatoral damage (Score:4, Insightful)
Slashdot is Toast (Score:4, Insightful)
I've just about had it. Slashdot used to be news for Nerds. Now it's almost entirely mindless bullshit, and the last straw is when spammers are permitted to confiscate the site, and Slashdot management allows it. As if it's my job to waste my mod points to mark this crap as Troll.
I am logging off, and deleting Slashdot from my home page. Have at it trolls. All yours now.
Who specifically is retaliating? (Score:4, Insightful)
While summary and TFA seem to imply some sort of vigilantie response it never enumerates even a single example of what that would be or cites any incidents where retaliation had actually been carried out.
TFA only seems to provide any detail or information about misdirection, honey pots..etc to thwart attacks and obscure important information...All obvious and non contraversial actions.
What I find most distrubing is this little jem:
"In April, Department of Homeland Security Secretary Janet Napolitano told the San Jose Mercury News that officials had been contemplating authorizing even "proactive" private-entity attacks, although there has been little follow-up comment."
How are idiots like Janet even allowed to be secretary of anything? I don't know whats worse having such thoughts or publically admitting to having had them.
Fun with script kiddies (Score:4, Funny)
A rather incompetent script kiddie kept trying to hack one of my servers some years ago. Poking back, I found he had left the entire C: drive on his windows box shared to the world. So I dropped a gift into his startup directory. Yeah, not much of a story.
Cyberpunk much? (Score:3)
We even have chromed-out cybernetics, though they're fairly fashion-over-function these days. [bespokeinnovations.com]
Somewhat Related (Score:3)
Say you work for company, which gets compromised and data is exfiltrated out of the network to a known source (the attacker used scp so the ip address, username and password are left within bash history or some other bash log). You find it within minutes or before the scp is completed. How do people feel about logging into the machine the data is being exfiltrated to and erasing it from the remote server?
Even if the 3rd party box is one they popped and not the attackers true machine, your not damaging the machine, network, etc., you are just removing 'unauthorized data' (granted, it may be a very fine line).
ICE (Score:3)
Unless, like my system, you have black-ICE installed....
mark "geez, slashdotters don't even read anymore...."
Re: (Score:2)
Re: (Score:2)
Re: (Score:2, Funny)
It's the only way to be sure...
Re:Good morning, Mr. Mitnick (Score:4, Insightful)
If only there was a HTML attribute [wikipedia.org] that would stop the search engines from following the spam links...