From: Fred Cohen <fc@all.net>
To: iwar@onelist.com (Information Warfare Mailing List)
Date: Mon, 29 Jul 2002 18:34:19 -0700 (PDT)
Message-Id: <200207300134.g6U1YJ901392@red.all.net>
Subject: [iwar] [fc:Is.it.criminal.to.reach.out.and.hack.an.infected.machine.that's.attacking.your.network?]
The Right to Defend

Is it criminal to reach out and hack an infected machine that's attacking your network?

By Tim Mullen
Jul 29, 2002

When it comes to matters of security, most policies are hastily enacted as a reaction to some pressing force or foe. This is evident when you look at the rash of laws, procedures and policies put in place since September 11. I guess it is only natural -- our fragile human psyche requires immediate comfort in the face of danger; our fears only resting when we know something is being done, even if that "something" equates to nothing at all.

When I purchased my plane ticket to the Blackhat Briefings (this week in Las Vegas), my receipt included a new "security fee." It was a whopping 15 percent of the ticket price. Fifteen percent! And has this bought us in-flight security? If you consider the confiscation of a fingernail file from Grandma Clampett after a spread-eagle grope-a-thon while 500 pieces of unchecked baggage are dumped in the cargo bay to the dirge of a conveyor belt's hum to be "security," then I got what I paid for. Or more appropriately, what we paid for.

In the realm of computer security, this trend is the same. We pay to defend ourselves from compromised machines owned by those who choose not to secure them. If an owner neglects his dog, and that dog attacks me, not only am I legally allowed to convert it into Mutt Foo Yung, but the owner is liable in tort. Yet if an administrator who could not secure a bowling ball without leaving at least three holes decides to put a destined-to-be-owned box on the Internet, justice turns a blind eye when it attacks my network, consuming resources and bandwidth.
This has got to change. Let's use Nimda as an example. If I tell my system to issue the exact same series of GET requests that Nimda does against a machine, that action could be considered a federal crime. I would be a criminal. A cracker. A felon. The scum of the earth. But if an administrator does not secure his box, and the same series of GET requests hammer against my network for months at a time, he is a victim. An innocent. A leaf in a storm. And they blame Microsoft.

I propose that we have the right to defend our systems from attack. I am not talking about some vigilante strike upon script kiddies at the drop of a packet. I am not talking about a rampant anti-worm. I am talking about neutralizing an attacking machine in singularity when it is clearly and definitively infected with a worm that will continue to attack every box it can find until stopped.

Almost a year from its birth, Nimda continues to propagate. Discussions in newsgroups yield responses like "ignore it" or "if you are secure from Nimda it doesn't matter." These people are obviously not responsible for paying for their bandwidth. The moment that I begin to incur costs, or the integrity of services that I pay for is reduced by any degree, is the moment that I have the right to do something about it. It is simply self-defense.

At Blackhat this week I'll be describing what some would call a "hack-back" against an attacking box. I am proposing that it be considered legal. The main threat to the Internet is the prospect of a multi-faceted worm with attack vectors that not only seek out different services, but that do so against multiple operating systems. A measured strike-back technology could mitigate such a worm.
While the full technical details explaining the methodology I propose are outside the scope of this column, suffice to say there are technical means to allow us to stop a Nimda attack, leaving the file structure completely in place for forensics, and closing the vector while leaving all services available. Not only is this defending oneself with what the law would call "reasonable force," but in this case, it amounts to minimal force which is almost graceful. It is a controlled, precise, and effective neutralization of an attack. This technique can also be applied to the next major worm.

Many will be quick to condemn such a system. Many will crucify the concept. But I think it is time to defend our right to defend, and this is a viable means to do so. Before you criticize, be prepared to offer your own solutions, otherwise you will just be making noise.

------------------
http://all.net/
This archive was generated by hypermail 2.1.2 : 2002-10-01 06:44:31 PDT