Patrick Lin, who is Assistant Professor and Director of Ethics and Emerging Science Group at California Polytechnic State University, penned  a thought provoking piece titled ‘Stand Your Cybergound’ Law: A Novel Proposal for Digital Security in The Atlantic magazine in which he offers up a proposal allowing private industry to conduct cyber retaliation against foreign attackers. He rightly points out that a majority of cyber attacks against the United States or its interests are against private companies. It was reported just this week that the Department of Homeland Security  has sent out several alerts warning of a “gas pipeline sector cyber intrusion campaign” against multiple companies, which began earlier this year and is still under way. The face that companies are expected to fend for themselves is huge vulnerability in our national cyber defense. The Department of Defense protects military networks. The Department of Homeland Security defends other federal government networks. And everyone else is basically left to stand or fall on its own. It is the case  that there have been increased collaboration  between the public and private sectors in recent years. And the policy makers are looking at additional means for increased information sharing and collaboration. The  proposed Cyber Intelligence Sharing and Protection Act (CISPA) is one such effort. But if private company  is under attack, there is no calvary coming. Couple this with the fact that approximately 85% of the US critical infrastructure is owned and operated by private industry. It would take more that information sharing to adequately implement an effective national cyber defense. Our current cyber defense  is  mostly dependent on private for-profit companies making business decisions about how much to spend on their security overhead. That is certainly a recipe for disaster. It is imperative that government, business and academia join forces and develop better options for addressing this issue.

In the article, Lin writes, “ we may not be ready yet for the government to lead cyberdefense against foreign adversaries. To do so would trigger serious and unresolved [International humanitarian law] issues, including Geneva and Hague Conventions [which] requires that we take care in distinguishing combatants from noncombatants.”

I would first draw a distinction between passive defense ( i.e. blocking attacker access, removing a vulnerability being exploited, etc ) and active defense ( i.e. launching a counter attack to disable the attackers capabilities).

All entities, government and private sector, are engaged in the former. Some more successfully than others. Some with greater effort than others. There are no legal or ethical questions there except a much broader sense . If gas pipelines are considered critical national infrastructure and these pipelines are owned and operated by private companies, should/can the government do more to defend them from attack? More than information sharing and increased collaboration, that is.

As to active defense, I have heard have seen proposals or discussions in security circles of the government launching counter cyber attacks against foreign adversaries on behalf of private companies. Lin’s proposal would create a legal framework that would allow the companies themselves to retaliate. He seems to find inspiration in the much talked about ” stand your ground” laws such as the one in Florida that came to national attention as a it is reportedly invoked in the defense of the fatal shooting an unarmed teenager by an armed neighborhood watch volunteer.

Notwithstanding his references to armed citizens taming the wild, wild west. I find this proposal problematic on three fronts. From the purely cyber security perpective ,from a business perspective, and as a matter of national security policy. I’ll reiterate, in fairness, that Lin is not necessarily endorsing this as a solution, but contributing to a much needed discussion on nation cyber defense policy.

• Security: In most cases, it is difficult to nearly impossible to ascertain the real identity of the attacker. Attackers use other compromised systems (victims) to launch attacks. Lin makes the point that ” There is a reasonable argument in claiming that a botnet is not fully innocent and therefore not immune to harm.Most, if not all, botnets are made possible by negligence in applying security patches to software, installing anti-malware, and using legally purchased and not pirated, vulberable copies of software“. In other words, you allowed your systems to by hacked, so you deserve it if caught in a counter attack. I certainly agree that most reported successful attacks or breaches are a result of some degree of negligence. Most security professionals would agree that no system is immune to attack. We are trained to practice due diligence in making reasonable attempts to identify vulnerabilities and risk. You can never eliminate all risks all the time nor can you afford to mitigate all identified ones.

• Business: Typical business security incidence response practice includes: Detecting the attack, containing the damage, remediating effects of attack and gathering evidence, returning systems to normal and some follow-up. Lin’s proposal would require additional steps to gather sufficient forensic evidence to identify an actual perpetrator. He proposes allowing companies to present this evidence to some governmental body to review and sanction retaliation. Companies will then have to plan and execute the counter attack. Few companies have in-house expertise to do this. Few business managers will be willing to fund such activities. Whats the return? You get hacked from a $500 laptop and you spend $50,000 to do what exactly?

• National Security: We know for a fact some of the attacks on our private owned critical infrastructure have been attributed to foreign government affiliated networks. Would it really be wise to license private companies to attack these networks? I would think not. Most of these folks can’t even patch their servers or encrypt their sensitive data. The last think we need is an international incident started by some system administrator at some SMB. I mean a government allowing private entities to conduct cyber attacks against a foreign nation with a wink and a nod is not exactly a novel concept. Google ‘Russia Georgia Cyberwar”.

I commend Dr. Lin for his contribution to this very important discussion. I don’t necessarily agree with the proposed approach but as a nation, we really need to come to terms with how best to improve our national cyber defense as we are in dire straits.

I recently overheard a comment by a co-worker ( shoutout Ben A.) that we read and listen to news reports and assumed the report knows what they are  talking about until they turn to a topic we are familiar with in some depth and realize that report spouting off to potentially millions of people don’t have a clue what they are talking about.  How true!

I ran into this article today  titled ” Botnet exploits Linux users’ ignorance“. The writer makes the point that ” a lack of knowledge and awareness about how to use Linux mail servers could be contributing to the disproportionately large number of Linux machines being exploited to send spam”.

I wholeheartedly agree with this. Companies see open source technologies as a means of saving money but do not have staff adequately trained to secure these systems.

The second point I noticed was that the report from Symantec’s Hosted Services referenced in the article pointed out that ” Linux based machines are 5 times more likely to send out spam than Windows based computers”.

The writer quotes a Symantec Malware Analyst as saying:

“…..one reason there is so much spam from Linux could be that many companies that have implemented their own mail servers, and are using open-source software to keep costs down, have not realised that leaving port 25 open to the Internet also leaves them open to abuse.”

Great blog post by RSnake: http://ha.ckers.org/blog/20100314/conversations-with-a-blackhat/

He references his conversation with an actual blackhat. No, not the script-kiddie kind that frequents the hacking forums. I’m referring to the guys who seek no publicity and hire their services out for hefty sums. He blackhat laments the fact that the security practices being put into place a target companies may actually be working. RSnake talks of the potential payday of hackers collaborating with botnet herders for more targeted botnet attacks. My comment on that post is below:

“Interesting post however I don’t see this idea as particularly novel. This is just the natural evolution of the concept of “botnets for rent”. I think the key here is being able to provide the bot herder a list a potential high value targets to go after. This would seem a rather risky proposition for the herder, however, as he would be putting his botnet at greater risk. The secret sauce in a successful botnet is to have it under the radar as long as possible. Bigger risks = bigger rewards, I guess.”-me.

IronKey has come up with a USB drive that can be used to access accounts virtually without involving the operating system or applications that cause so many of today’s security problems. The drive runs a walled or ‘hardened’ Linux virtual environment inside the PC’s OS. It comes complete with its own browser hardwired to access only a particular bank service, and incorporates RSA Secure ID tokens for authentication.

This allows users  simply plug the drive into any PC, and without the need for any additional drivers or software, after which the host PC was given a precautionary scan for malware, including specialised banking Trojans such as Zeus. The virtualised environment run from the drive could resist browser based  attacks, session hijacking, and accessed the bank via a hosted service network run either by IronKey or from a dedicated server. This solution is currently mainly targeted for companies that want increased protection in access their accounts but it could very well be the future.

Did you hear the one about the bot that attacked the other bot and killed it? O but not before stealing your online banking credentials, that is.

Security researchers say that the relatively unknown [Spy Eye toolkit] added this functionality just a few days ago in a bid to displace its larger rival, known as Zeus.

The feature, called “Kill Zeus,” apparently removes the Zeus software from the victim’s PC, giving Spy Eye exclusive access to usernames and passwords.

Zeus and Spy Eye are both Trojan-making toolkits, designed to give criminals an easy way to set up their own “botnet” networks of password-stealing programs. These programs emerged as a major problem in 2009, with the U.S. Federal Bureau of Investigation estimating last October that they have caused $100 million in losses.

Trojans such as Zeus and Spy Eye steal online banking credentials. This information is then used to empty bank accounts by transferring funds to so-called money mules — U.S. residents with bank accounts — who then move the cash out of the country.

Read the full article