BreachExchange mailing list archives

Hacker Tactic: Holding Data Hostage


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 24 Jun 2014 19:13:01 -0600

http://www.nytimes.com/2014/06/22/sunday-review/hackers-find-new-ways-to-breach-computer-security.html?_r=0

The perpetual cat-and-mouse game between computer hackers and their targets
is getting nastier. Cybercriminals are getting better at circumventing
firewalls and antivirus programs. More of them are resorting to ransomware,
which encrypts computer data and holds it hostage until a fee is paid. Some
hackers plant virus-loaded ads on legitimate websites, enabling them to
remotely wipe a hard drive clean or cause it to overheat. Meanwhile,
companies are being routinely targeted by attacks sponsored by the
governments of Iran and China. Even small start-ups are suffering from
denial-of-service extortion attacks, in which hackers threaten to disable
their websites unless money is paid.

Just days after the F.B.I. and international law enforcement agencies
teamed up earlier this month to kill one ransomware program, CryptoLocker,
which had infected over 300,000 computers, another pernicious program,
Cryptowall, popped up and began spreading rapidly.

In response, more companies are resorting to countermeasures like planting
false information on their own servers to mislead data thieves, patrolling
online forums to watch for stolen information and creating “honey pot”
servers that gather information about intruders. Last year, companies also
spent roughly $1.3 billion on insurance to help cover expenses associated
with data theft.

Some security experts are urging even more aggressive action. “Companies
want better results than are being delivered by law enforcement,” said
Stewart A. Baker, former assistant secretary for policy at the Department
of Homeland Security. He questioned whether the National Security Agency,
the F.B.I. or the C.I.A. had enough qualified counterhackers to stake out
corporate networks and also whether those businesses would be comfortable
giving the government more access to their networks.

Mr. Baker maintains that victims of data theft can reasonably argue that
they have a right to follow and retrieve stolen data wherever the thief
takes it. And, he added, federal law on the matter is so ambiguous that
prosecuting a company for trespassing on the domain of a hacker would be
difficult and highly unlikely.

“I do really believe there should be a Second Amendment right in cyber,”
added Jeffery L. Stutzman, vice president of Red Sky Alliance, referring to
the right to bear arms. His company coordinates intelligence sharing for
many of the world’s top corporations. Virtually all of them are weighing
how aggressive to be in combating hackers, he said.

In 2011 Michael Hayden, former director of both the C.I.A. and the N.S.A.,
suggested that the government should consider allowing a “digital
Blackwater” with paid mercenaries battling cyberattackers on behalf of
corporations. But security experts warn that by taking matters into their
own hands companies risk an escalating cycle of retaliation, lawsuits or
Internet traffic jams.

What’s more, since cybercriminals typically hijack the systems of unwitting
third parties to launch attacks, it is often hard to pinpoint targets for
retaliation, said Orin S. Kerr, a professor at the George Washington
University Law School. It is “kind of like a blindfolded partygoer trying
to hit a piñata with a baseball bat,” he said. “He might hit the piñata but
he might hit Aunt Sally, who happens to be standing nearby.”

Companies might also trip up law enforcement efforts or find themselves on
the wrong end of a lawsuit if they inadvertently gain access to someone
else’s server. And under many foreign laws, self-defense actions by private
companies amount to espionage.

The Justice Department takes the stance that a company is most likely
breaking the law whenever it gains access to another computer network
without permission. At a panel hosted by the American Bar Association, John
Lynch, chief of the computer crime and intellectual property section of the
Justice Department’s criminal division, said that usually, when his office
determines that companies have gone outside their server to investigate a
perceived attacker, his first thought is, “Oh wow — now I have two crimes.”

There are, however, other ways to fight hackers that are both legal and
effective, said Mr. Stutzman of Red Sky Alliance. His firm, for example,
profiles attackers by keeping their pictures, phone numbers and other
personal data on file. He is also an advocate of software that tags
sensitive documents so that if they are stolen they self-destruct or
transmit an alert to the owner.

Most security companies say the main objective should be raising the cost
to hackers. CloudFlare, for instance, has developed a service called Maze,
which it describes as “a virtual labyrinth of gibberish and gobbledygook”
designed to divert intruders to bogus data and away from useful
information. Other companies create bottlenecks to route attackers through
security checkpoints.

It is fairly common for law firms to have their email read during
negotiations for ventures in China, said Dmitri Alperovitch, a founder
of CrowdStrike, a company that investigates hackers. So if a company knows
its lawyers will be hacked, planting decoys can give them an upper hand, he
said.

This month CrowdStrike unmasked a secret cell of cyberthieves linked to the
Chinese Army that had stolen millions of dollars’ worth of data from
military contractors and research companies, often by hiding its attack
software in emailed invitations to golfing events.

Samir Kapuria, vice president of Symantec’s Cyber Security Group, recounted
how his company helped a major manufacturer create bogus blueprints of a
valuable product with a traceable but harmless flaw and left it hidden in
its servers. When the manufacturer later found the planted blueprint for
sale on the black market, he said, Symantec was able to help trace the leak
to its source, fire the subcontractor and save the manufacturer tens of
millions of dollars.

But there can also be unintended consequences when planting false
information, said Dave Dittrich, a security engineer at the University of
Washington. He offered a theoretical example in which a company
intentionally inserts flaws into a faked vehicle design. “If someone plants
false information to be stolen and used, and this results in the death of
any innocent human beings,” he said, “there could be a good case made that
the entity who planted the fake data is acting in a negligent and
unjustifiable manner.”

In general, Mr. Kapuria of Symantec prefers a philosophical approach toward
thwarting the legions of cybercriminals, describing the fight as “Cyber Sun
Tzu — when the enemy is relaxed, make them toil; when full, make them
starve; when settled, make them move.”
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 