[iwar] [fc:Is.it.criminal.to.reach.out.and.hack.an.infected.machine.that's.attacking.your.network?]

From: Fred Cohen (fc@all.net)
Date: 2002-07-29 18:34:19



The Right to Defend
Is it criminal to reach out and hack an infected machine that's attacking your network?
By Tim Mullen Jul 29, 2002

When it comes to matters of security, most policies are hastily enacted as a
reaction to some pressing force or foe. This is evident when you look at the
rash of laws, procedures and policies put in place since September 11. I
guess it is only natural-- our fragile human psyche requires immediate
comfort in the face of danger; our fears only resting when we know something
is being done, even if that "something" equates to nothing at all.

When I purchased my plane ticket to the Blackhat Briefings (this week in Las
Vegas), my receipt included a new "security fee." It was a whopping 15
percent of the ticket price. Fifteen percent! And has this bought us
in-flight security? If you consider the confiscation of a fingernail file
from Grandma Clampett after a spread-eagle grope-a-thon while 500 pieces of
unchecked baggage are dumped in the cargo bay to the dirge of a conveyor
belt's hum to be "security," then I got what I paid for.

Or more appropriately, what we paid for.

In the realm of computer security, this trend is the same. We pay to defend
ourselves from compromised machines owned by those who choose not to secure
them.

If an owner neglects his dog, and that dog attacks me, not only am I legally
allowed to convert it into Mutt Foo Yung, but the owner is liable in tort.
Yet if an administrator who could not secure a bowling ball without leaving
at least three holes decides to put a destined-to-be-owned box on the
Internet, justice turns a blind eye when it attacks my network, consuming
resources and bandwidth.
This has got to change.

Let's use Nimda as an example. If I tell my system to issue the exact same
series of GET requests that Nimda does against a machine, that action could
be considered a federal crime. I would be a criminal. A cracker. A felon.
The scum of the earth. But if an administrator does not secure his box, and
the same series of GET requests hammer against my network for months at a
time, he is a victim. An innocent. A leaf in a storm. And they blame
Microsoft.

I propose that we have the right to defend our systems from attack. I am not
talking about some vigilante strike upon script kiddies at the drop of a
packet. I am not talking about a rampant anti-worm. I am talking about
neutralizing an attacking machine in singularity when it is clearly and
definitively infected with a worm that will continue to attack every box it
can find until stopped.

Almost a year from its birth, Nimda continues to propagate. Discussions in
newsgroups yield responses like "ignore it" or "if you are secure from Nimda
it doesn't matter." These people are obviously not responsible for paying
for their bandwidth.

The moment that I begin to incur costs, or the integrity of services that I
pay for is reduced by any degree, is the moment that I have the right to do
something about it.

It is simply self-defense.

At Blackhat this week I'll be describing what some would call a "hack-back"
against an attacking box. I am proposing that it be considered legal. The
main threat to the Internet is the prospect of a multi-faceted worm with
attack vectors that not only seek out different services, but that do so
against multiple operating systems. A measured strike-back technology could
mitigate such a worm.

While the full technical details explaining the methodology I propose are
outside the scope of this column, suffice to say there are technical means
to allow us to stop a Nimda attack, leaving the file structure completely in
place for forensics, and closing the vector while leaving all services
available. Not only is this defending one's self with what the law would
call "reasonable force," but in this case, it amounts to minimal force which
is almost graceful. It is a controlled, precise, and effective
neutralization of an attack. This technique can also be applied to the next
major worm.

Many will be quick to condemn such a system. Many will crucify the concept.
But I think it is time to defend our right to defend, and this is a viable
means to do so. Before you criticize, be prepared to offer your own
solutions; otherwise you will just be making noise.


------------------
http://all.net/ 




This archive was generated by hypermail 2.1.2 : 2002-10-01 06:44:31 PDT