Re: A question for the list...

[Ray Stirbei <me () highentropy org>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


This topic has been coming back in one way or another since Morris Jr.'s worm 
in 88. It is very seductive. I am constantly exposed to the idea of one man 
seeking justice takes it upon himself to take down the Mafia/Darth 
Vader/whatever. Even Bruce Schneier brought back the topic in his last 
cryptogram ( http://www.counterpane.com/crypto-gram-0105.html ). He 
concluded: "...  we are going to have to emerge from our protective bunkers 
and actively engage the attacker".

The active response approach sounds like a more aggresive and effective 
alternative to the our current penetrate and patch model. Today, this is not 
an alternative due to:

The technical problem:
1) digital information can be easily altered without detection. Thats the 
reason why computer logs are hearsay evidence, rarely admissible in court. 
Even with integrity measures (like hashing), the level of confidence is much 
lower than a level you'd need to launch a counter attack. This problem is 
addressed in every capital punishment case. Are we confident enough this is 
indeed the right individual to press the button?
2) computer networks are all connected and its difficult to attack a 
particular network without affecting others. The military ocassionally misses 
targets in the physical world even with expensive guided missiles whose path 
they control. On the Internet, a packet must pass through many networks, and 
it travel along a path that you do not control. 

(Disclaimer: I am not a lawyer.)

The legal problem:
1) law, and not just specific acts. The purpose of civil/tort law is to 
prevent an individual or group to take matters into their own hands. If a 
burglar broke into your house, you file a police report. You do not grab a 
firearm and look for the guy yourself to pay back in kind.  Secondly, there 
is a concept of due care, or prudent man's rule (in the context of 
safeguards). If you take an attacker to court becuase he took your trade 
secrets and made them available, you will be asked what measures did you have 
in place to prevent this. If you didn't have a firewall/or x and y safeguard 
you don't have a trade secret. 
2) liability. This regards technical problem no. two. If a counter attack 
misses and takes down an unintended host or router, you will become liable. 

Even without bringing the ethical component, I recommend against active 
countermeasures like attacking back. Honeypots and deceptive tools like 
Forescout provide much active defense in a safe manner. In the last few 
months, with the rise of intrusion prevention I have been personally denied 
service four times in as many months. This can't be the best way to acquire 
respect for our profession.

ray



On Saturday 17 May 2003 12:27 am, Dan Hanson wrote:
> As part of incident handling and response, most of us have had to respond
> to virus infections that have affected networks and hosts. Reports are
> circulating that members of the IRC operator community have distributed
> code through the update mechanism of the Fizzer virus. The code reportedly
> attempts to remove the virus from the host. The latest information seems
> to indicate that the "update" code was removed until further testing can
> be done and more discussion regarding the legalities of this are had.
>
> At last year's Blackhat conference in Las Vegas, Tim Mullen presented what
> turned out to be a very controversial proposal. Briefly, he questioned why
> it would be inappropriate to strike back and disable (if not remove) a
> worm from hosts that are clearly not being adequately managed.
>
> The discussion, both in the session, and after, included those who
> felt that this was simply vigilanteism that has no place in the current
> world, and those who feel that there is a responsibility for someone to do
> something to try to maintain, if not improve, the security situation for
> those connected to the Internet.
>
> http://online.securityfocus.com/columnists/98
> http://www.blackhat.com/html/bh-usa-02/bh-usa-02-speakers.html#Timothy%20Mu
> llen http://www.securityfocus.com/columnists/134
>
> It seems to me that a group finally took it upon themselves to do exactly
> what Tim was suggesting the community consider. But it appears that they
> have done it without any consultation of the community in general, and if
> I have read the reports correctly, with no authorization.
>
> Here is a link for a report on News.com and it contains some opinions by
> legal folk.
> http://news.com.com/2100-1002_3-1003894.html?tag=lh
>
> A bunch of ideas for discussion pop-up to me... some of these may not be
> totally on-topic for this forum, if you can tie something back into
> incident response, I'll likely allow it through.
>
> -What are the implications down the road?
>
> -Are there concerns that organizations have with this trend? Legal?
> Precedure?
>
> -Is this any different than a similar activity that installs
> malicious code on the target host?
>
> -The approach that Tim advocated was significantly less intrusive than the
> approach taken with the Fizzer virus, Tim's approach made no significant
> changes on the targeted host, simply blocked the ability of Nimda to
> replicate (if I remember correctly), and notify the owner that they have
> been compromised and where to go to find help in removing the infection.
> The approach taken to actually modify the system to remove Fizzer seems to
> go significantly past that. Why was the reaction to Tim's
> advocacy of discussion so hostile, and to date, I have seen no negative
> criticism of the Fizzer removal.
>
> -Is this a catalyst for a group (IETF?) of some kind to debate these
> issues to find a resolution? I think that most people would agree that the
> increasing risk that these distributed networks pose to every Internet
> connected host is grave, and a better method is required to deal with
> them. Are there other ideas that don't get us into "arms races" with
> malcode writers.
>
> -If this becomes standard practice, will this force the communication and
> update channels underground/encrypted (the "arms race" that I mentioned)
>
> -What are some of the strategies that organizations are implementing to
> control their exposure to these communication channels?
>
> -If a command can be given in a channel to "shut down" the network of
> hosts, what is the view on the legality of doing this? If you had a host
> on your network that was suddenly shut down by a well meaning (or not so
> well meaning third party), what would your response be?
>
> I am not advocating the validity of one side over another, I just find it
> curious how similar the idea of Tim's, and the actual attempt to remove
> the virus, are.
>
> As an aside, I would like to keep the discussion on this civil. If posts
> become to flamey to oneside or the other (i think both sides have valid
> ends) they will likely be rejected.
>
> D
>
> ---------------------------------------------------------------------------
> - *** Wireless LAN Policies for Security & Management - NEW White Paper ***
> Just like wired networks, wireless LANs require network security policies
> that are enforced to protect WLANs from known vulnerabilities and threats.
> Learn to design, implement and enforce WLAN security policies to lockdown
> enterprise WLANs.
>
> To get your FREE white paper visit us at:
> http://www.securityfocus.com/AirDefense-incidents
> ---------------------------------------------------------------------------
> -
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQE+xmyZzejBliQ3SdsRAojNAJ4zZHCPUOztMk3LRm6ZluWdhXFHSgCgjdFO
DrNBiI8tdV+DwY9dXsjy3GQ=
=uzhb
-----END PGP SIGNATURE-----


----------------------------------------------------------------------------
*** Wireless LAN Policies for Security & Management - NEW White Paper ***
Just like wired networks, wireless LANs require network security policies
that are enforced to protect WLANs from known vulnerabilities and threats.
Learn to design, implement and enforce WLAN security policies to lockdown enterprise WLANs.

To get your FREE white paper visit us at:
http://www.securityfocus.com/AirDefense-incidents
----------------------------------------------------------------------------