Hacking back in self defense
3 likes846 views
David Willson, an attorney and cybersecurity expert, discusses the legality and ethics of "hacking back" in self-defense against cyber attacks. While some argue it could be considered self-defense of property, hacking back is generally illegal under the Computer Fraud and Abuse Act and risks escalating conflicts or impacting innocent third parties. Willson proposes embedding code in attacking bots to disable them upon connecting to the command and control server, but acknowledges legal issues with unauthorized access remain. The presentation explores arguments on both sides and raises questions about how laws could apply in scenarios of ongoing or imminent cyber attacks.
Hacking back in self defense
- 1. 1/10/2015 Page 1 Hacking Back in Self-Defense: Is It Legal? Should it Be? David Willson Attorney at Law CISSP, Security+ Titan Info Security Group and Azorian Cyber Security
- 2. 1/10/2015 Page 2 David Willson david@titaninfosecuritygroup.com Owner of Titan Info Security Group, LLC, providing enhanced cyber security and liability reduction or elimination Retired Army JAG officer Advised the DoD and NSA on computer network ops law Legal advisor to what is now CYBERCOM Published author and active speaker Licensed attorney in CO, NY, and CT Member ISSA and InfraGard Holds CISSP & Security+ certifications
- 3. 1/10/2015 Page 3 Legal Disclaimer This presentation is made available for educational purposes only as well as to provide general information and a general understanding of the law, not to provide specific legal advice. By viewing and participating in this presentation, you understand that no attorney-client relationship is formed. This presentation and material herein should not be used as a substitute for actual legal advice from a licensed attorney in your state with whom you establish an attorney-client relationship. The ideas presented are only theories and should not be considered authorization or advice to take action and/or violate the law.
- 4. 1/10/2015 Page 4 David Willson Articles and Lectures “An Army View of Neutrality in Space: Legal Options for Space Negation,” The Air Force Law Review, Vol. 50, 2001 “A Global Problem: Cyberspace Threats Demand an International Approach!” Armed Forces Journal, July 2009; ISSA Journal, August 2009; lectured on the subject at CSI (as keynote) and RSA “When Does Electronic Espionage Become an Act of War?” CyberPro Magazine, May 2010; ISSA Journal, June 2010; lectured on the subject at International Cyber Crime Conference “Flying through the Cloud: Investigations, Forensics, and Legal Issues in Cloud Computing” at CSI and HTCIA “Ethical Use of Offensive Cyberspace” at RSA
- 5. 1/10/2015 Page 5 $78,000 stolen $151,000 stolen $241,000 stolen $115,000 stolen Problem: Hackers and their botnets plague the networks of many businesses around the world! Jobs
- 6. 1/10/2015 Page 6 500 Executives Surveyed… “One thing is very clear: The cyber security programs of US organizations do not rival the persistence, tactical skills, and technological prowess of their potential cyber adversaries.” www.pwc.com/cybersecurity One sad reality is despite all the warnings, companies and individuals continue to fail to implement basic security practices.
- 7. 1/10/2015 Page 7 More Statistics Attacks against small and medium-size businesses up 60% 400 companies surveyed over a four-week period admit to approximately 72 attacks per week on their networks, with one successful each week Pentagon is attacked 6 million times per day (2008) 150,000 malware samples per day (Sophos) Zero Day attacks ever increasing
- 8. 1/10/2015 Page 8 Coreflood Botnet and CryptoLocker Computer virus used to steal personal and financial information from the machines it infects Stolen info can be used to steal funds, hijack identities, and commit other crimes FBI estimates that Coreflood enabled fraudulent transfers that cost businesses hundreds of thousands of dollars before the agency shut it down (Government Security News, John Mello, Jr.) Ransomeware
- 9. 1/10/2015 Page 9 Cost of Breach (Ponemon Study 2013)
- 10. 1/10/2015 Page 10 Losses (Ponemon Study 2013)
- 11. 1/10/2015 Page 11 What is a bot or botnet? Bot or web robots Software applications that run automated tasks over the Internet. The largest use of bots is in web spidering, in which an automated script fetches, analyzes, and files information from web servers at many times the speed of a human. Recently, bots have been used for search advertising, such as Google Adsense. Botnet Collection of infected computers or bots that have been taken over by hackers and are used to perform malicious tasks or functions. A computer becomes a bot when it downloads a file (e.g., an e-mail attachment or malware on a web site) that has bot software embedded in it. A botnet is considered a botnet if it is taking action on the client itself via IRC channels without the hackers having to log in to the client's computer. The typical botnet consists of a bot server (usually an IRC server) and one or more bot clients.
- 12. 1/10/2015 Page 12 How a Bot Works Botnets have different topologies or command and control (CnC) structures Most, it appears, use a compromised server as an IRC server, or referred to as the IRC daemon (IRCd) Multiple bots will communicate with the IRCd via a “phone home” function Single point of failure: If the central CnC is blocked or otherwise disabled, the botnet is effectively neutered (this will become important as we get into the theory)
- 13. 1/10/2015 Page 13 More Definitions Spam Add-ons Cookies MyLife.com ReUnion.com Google
- 14. 1/10/2015 Page 14 Is Hacking Back Self-Defense? No C.H. “Chuck” Chassot of the DoD Command, Control, Communications & Intelligence office: “It is the DoD's policy not to take active measures against anybody because of the lack of certainty of getting the right person.”
- 15. 1/10/2015 Page 15 Is Hacking Back Self-Defense? Yes Timothy Mullen, CIO of AnchorIS, Inc.: People should be allowed to neutralize one that is unwittingly spreading destructive Internet worms such as Nimda Jennifer Stisa Grannick, litigation director at the Center for Internet and Society at Stanford Law School: “This is a type of defense of property. There is a lot of sympathy for that (kind of action) from law enforcement and vendors because we do have such a big problem with viruses.”
- 16. 1/10/2015 Page 16 Response Nothing Block Call LE Hack Back Remove Clean- up Scenario Business X finds malware on their networks in the form of a bot that is receiving instructions from a host server via IRC chat
- 17. 1/10/2015 Page 17 Deterrents to Hack Back Law Ethics Retribution Illegal to gain unauthorized access to a computer Highly probable that hacking back will affect innocent computers or networks You may awaken the beast!
- 18. 1/10/2015 Page 18 Computer Fraud and Abuse Act (CFAA) A law to prevent trespass against a computer or network Applies to any “protected computer” Must “exceed authorized access” Computer Damage Loss
- 19. 1/10/2015 Page 19 Law “Whoever intentionally accesses a computer without authorization or exceeds authorized access, and thereby XXX”
- 20. 1/10/2015 Page 20 Law, cont. Unauthorized Access to a Computer Computer Trespass Self-Defense
- 21. 1/10/2015 Page 21 Embed Code in the “Phone Home” function of a Bot. When the Bot connects to the IRC server the Code disables it. My Theory
- 22. 1/10/2015 Page 22 Common Objections “You will start a war with China!” Really?
- 23. 1/10/2015 Page 23 Common Objections “You will impact an innocent bystander!” No one in this scenario is innocent. Victim? Yes! Innocent? No!
- 24. 1/10/2015 Page 24 Legal? Did you have the intent to access the innocent computer or server being used as the IRC server? Did you access that server without authorization? Did you cause harm, alter, or in some way have a negative impact on the innocent computer?
- 25. 1/10/2015 Page 25 Legal?, cont. Does an infected computer impliedly grant you access to their system if their computer is causing damage to or plaguing your computer or network? Wouldn’t a traditional scenario of self-defense apply in this situation? Is the only driving factor imminence?
- 26. 1/10/2015 Page 26 Legal?, cont. Does an infected computer whose negligence allows your computer to be attacked, and the attack is ongoing or imminent, give you automatic authority to defend yourself by accessing that infected computer? Can the victim of a bot attack claim that their code was automatic, used common protocols, followed the bot into the infected server (IRCd), and blocked the bot – did he exceed authorized access?
- 27. 1/10/2015 Page 27 Questions David Willson Attorney at Law CISSP, Security + Titan Info Security Group 719-648-4176 david@titaninfosecuritygroup.com