
Wednesday, October 31, 2012

Forget the theoretical - what hacking back looks like in the real world

There have been many posts and links on Cybercrime Review discussing the legal implications of hacking back - see my collection of those posts, here: Hacking Back - are you authorized?  A discussion of whether it's an invitation to federal prison or a justified reaction/strategy?. What is lost in these discussions is a strong foothold in real world examples. Well, now we have a recent, real life "hack back" to look upon - the Republic of Georgia's counter-espionage hack of a supposed Russian perpetrator who was propagating malware for the purposes of espionage against Georgia. This is a must read.

Here's the story from IT world: Irked by cyberspying, Georgia outs Russia-based hacker -- with photos

And here is the Georgia CERT report: CYBER ESPIONAGE -- Against Georgian Government - (Georbot Botnet)

A quick summary for those who don't want to follow the links -- Georgia had been getting attacked and mined for information by a botnet, and this included infiltration of government entities. Fed up with this, the Georgian government decided to take action (the following is taken from a ZDNet article about the same):
In order to lay the bait after the attacks increased in severity over the course of 2011, Georgia allowed a computer to be infected on purpose. A ZIP archive named "Georgian-Nato Agreement" was placed on it; once opened, the investigator's own malware was installed.
While the alleged hacker was being photographed, his computer was rapidly mined for sensitive documents. One Word document contained instructions on who and how to hack particular targets, as well as website registration data linked to an address within Russia.
As mentioned above, there are pictures of the Russian hacker in the report - part of the malware the hacker had been propagating (against Georgia) enabled webcams and took photographs. Georgia CERT experienced sweet revenge when this functionality was turned on the hacker himself.

Does this example change your opinion of "hacking back?"

Wednesday, June 27, 2012

An attempt to make the case for "hacking back"

Justin's recent post, "The illegality of striking back against hackers," presents a number of interesting issues with regard to organizations hacking in retaliation against those who hack them first. It is only fair that such an act should be allowed in light of the current state of our legal system. But as Justin correctly states, allowing retaliation is not a clear-cut issue and should not be considered lightly.

Hacking cases are complex. Beyond the cases where hackers go to the Internet to boast about their actions, it can be very difficult for law enforcement and prosecutors to track down the perpetrators. Facing a lack of resources, cybercrime investigators tend to focus their attention on issues such as child pornography. Hacking cases and the identity (or other) thefts that follow present great hurdles for millions of Americans each year.

Of course, there is a remedy for consumers - file a lawsuit. After LinkedIn's recent security breach, many quickly jumped at the chance to file. LinkedIn committed a grave error, and attention needed to be brought to the issue so they'll fix the problem and other companies will be warned as well. No amount of investment in security, however, will make a system perfect and neither will it make a company immune from lawsuits and damage to their reputation when breaches occur.

Likewise, there is also a solution for the hacking victim - file a lawsuit. The CFAA allows a civil suit to be brought for certain damages, but it carries with it a multitude of problems. Often, the hacker could only be found by an investigation that would, in turn, violate the CFAA (see Justin's point number 2). They may be located in another country. They may not have any money, and even if they do, there may be no legal process for getting to it. For these reasons (and many others), companies like LinkedIn are often required to take the beating from the press and users, spend a lot of money beefing up security, and keep their fingers crossed.

Until law enforcement and prosecutors make these cases more of a priority, American organizations (and therefore, consumers) will be left without a true means of protecting themselves. But suppose we modified the CFAA to allow a self-defense-type approach. In some ways, being hacked is like being punched in the face. If you retaliate in either situation, it's possible that others will come to the defense of the attacker (imagine a bar fight where all of your friends are already outside, and you're now facing five guys twice your size). Similarly, if you were in a crowd and weren't sure who the punch came from, you can't just start hitting everyone to get back at the true puncher. However, if you can find them and respond in time, you may be able to defend yourself from further harm.

There are a few ways in which such a modification would be helpful:
  1. Investigation - Allowing victims to hack back would allow them to collect the information that would be essential to any civil or criminal case - information like the IP address of the hacker.
  2. Security Improvement - Patching security issues is much easier if you know how the infiltration happened. Further, knowing what resources hackers are using would allow technology security teams to better plug the holes in their networks. Perhaps the statute could require mandatory reporting so that the government could collect data in an effort to study developing patterns in the hacking world.
  3. "Cathartic Chest Pounding" (Justin's words) - Billion dollar corporations have at least one thing that common hackers don't - a billion dollars. Not every business has the ability to dedicate essentially unlimited resources to protecting themselves, but these do. Hacking back may result in more attacks at first, but the right successes might turn hackers away. (The problem here, of course, is that if large companies make themselves essentially hack-proof, the market for unauthorized data will result in attacks on small businesses that have no such resources.)
Obviously, there's no easy solution to this problem, but rest assured - the CFAA is not likely to hinder everyone. Now we have the waiting game to see how prosecutors, Congress, and corporations will respond.

Tuesday, June 26, 2012

The illegality of striking back against hackers

Recent security publications have highlighted an emerging trend of companies "hacking back" against infiltrators and potential data exfiltrators. The concept sounds intriguing - if the internet is the wild wild west, then what better way to participate in it than to allow the tumbleweeds to shift in the wind as you and your foe see who can draw first, or, more accurately, get the last shot. However, the Computer Fraud and Abuse Act provides no escape hatch for such actions; there is no Castle Doctrine in federal statutes relating to hacking, and no such doctrine in state cybercrime laws, either. Any such activities are ill-advised, likely illegal, and do nothing but encourage the escalation of cybercrime.

It's certainly clear that this is a response to the plethora of attacks that have happened recently, but I think, more tellingly, it stems from the clear embarrassment that permeates any large company's mea culpa when it admits a breach has occurred. The article above notes that firms have popped up that are for-hire counter-strikers. While the notion fulfills the age-old revenge story meme, and could even make hackers think twice about striking your company (if they knew you would take such measures), the legal niceties are nothing even remotely so poetic. Here is a non-exclusive list of the problems I see with such a strategy:

1.  Such actions tread into legal no-man's-land - namely, that as far as I can tell, there is no legal precedent in support of such actions. Conversely, there's a ton of case law that is not on your side, which states bluntly that unauthorized access is just that, unauthorized - no matter who the party "hacking" is.

2.  Any sophisticated hacker that would attack a semi-large or multi-national corporation isn't going to be hacking from their Dell PC at home, sitting behind a poorly secured Linksys router. They will be hitting through proxies, utilizing Tor, or, more likely, executing strikes through already compromised machines. The implication of this is three-fold - (a) in striking back, you may end up attacking an unwitting third party who is likely also a victim of a computer crime - therefore, you will have even less sympathy if litigation arises; (b) if the originating host is an already compromised third party, you could accidentally cause greater damage to hosts that are specifically enumerated in the CFAA, such as government computers, those containing national security information, or systems involved in medical care or public health/safety (see the DOJ's Prosecuting Computer Crimes manual) - and end up with a significant felony; or (c) (assuming a world where hacking back becomes common) end up irritating a non-interested party, motivating them to also attack you.

3. While such actions may embolden or vindicate a hacked entity, they also put a larger target on your forehead. More specifically, if I were a hacker and my goal was simply to exfiltrate data, and you then attack me back, I am highly likely to escalate my attacks quid pro quo. Accordingly, what might have been simply a small case of data loss may turn into full scale damage to your systems; instead of sneaking in and out, you are now susceptible to much more malicious attacks - Denial of Service attempts, deletion of sensitive or irreplaceable data, actual hardware damage, or "doxing" of company executives. This undoubtedly will raise the price of the incident exponentially.

4.  It is unclear to me what an entity stands to gain by hacking back, other than the cathartic chest pounding that may occur when one can say that they "lost the battle, but won the war." Is that really worth a potential prison sentence?  Yes, your efforts could assist law enforcement in tracking down who hacked you, but it won't be so cathartic when the tables are turned, post investigation, to then investigate you for your actions.

5. Lastly, in 2008 the CFAA was amended to include a conspiracy offense, so you may not even need to actually breach an attacker to run afoul of the law. Could a corporate agreement with a strike-back contractor be sufficient to violate 18 U.S.C. 1030(b)?  That is not clear - but I'm betting we are going to find out if this trend evolves into the norm.