The Right to Defend
Tim Mullen, 2002-07-29

Is it criminal to reach out and hack an infected machine that's attacking your network?

When it comes to matters of security, most policies are hastily enacted as a reaction to some pressing force or foe. This is evident when you look at the rash of laws, procedures and policies put in place since September 11. I guess it is only natural: our fragile human psyche requires immediate comfort in the face of danger; our fears only resting when we know something is being done, even if that "something" equates to nothing at all.

When I purchased my plane ticket to the Blackhat Briefings (this week in Las Vegas), my receipt included a new "security fee." It was a whopping 15 percent of the ticket price. Fifteen percent! And has this bought us in-flight security? If you consider the confiscation of a fingernail file from Grandma Clampett after a spread-eagle grope-a-thon while 500 pieces of unchecked baggage are dumped in the cargo bay to the dirge of a conveyor belt's hum to be "security," then I got what I paid for.

Or more appropriately, what we paid for.

In the realm of computer security, this trend is the same. We pay to defend ourselves from compromised machines owned by those who choose not to secure them.

If an owner neglects his dog, and that dog attacks me, not only am I legally allowed to convert it into Mutt Foo Yung, but the owner is liable in tort. Yet if an administrator who could not secure a bowling ball without leaving at least three holes decides to put a destined-to-be-owned box on the Internet, justice turns a blind eye when it attacks my network, consuming resources and bandwidth.

This has got to change.

Let's use Nimda as an example. If I tell my system to issue the exact same series of GET requests that Nimda does against a machine, that action could be considered a federal crime. I would be a criminal. A cracker. A felon. The scum of the earth. But if an administrator does not secure his box, and the same series of GET requests hammer against my network for months at a time, he is a victim. An innocent. A leaf in a storm. And they blame Microsoft.

I propose that we have the right to defend our systems from attack. I am not talking about some vigilante strike upon script kiddies at the drop of a packet. I am not talking about a rampant anti-worm. I am talking about neutralizing an attacking machine in singularity when it is clearly and definitively infected with a worm that will continue to attack every box it can find until stopped.

Almost a year from its birth, Nimda continues to propagate. Discussions in newsgroups yield responses like "ignore it" or "if you are secure from Nimda it doesn't matter." These people are obviously not responsible for paying for their bandwidth.

The moment that I begin to incur costs, or the integrity of services that I pay for is reduced by any degree, is the moment that I have the right to do something about it.

It is simply self-defense.

At Blackhat this week I'll be describing what some would call a "hack-back" against an attacking box. I am proposing that it be considered legal. The main threat to the Internet is the prospect of a multi-faceted worm with attack vectors that not only seek out different services, but that do so against multiple operating systems. A measured strike-back technology could mitigate such a worm.

While the full technical details explaining the methodology I propose are outside the scope of this column, suffice it to say there are technical means to allow us to stop a Nimda attack, leaving the file structure completely in place for forensics, and closing the vector while leaving all services available. Not only is this defending oneself with what the law would call "reasonable force," but in this case, it amounts to minimal force which is almost graceful. It is a controlled, precise, and effective neutralization of an attack. This technique can also be applied to the next major worm.

Many will be quick to condemn such a system. Many will crucify the concept. But I think it is time to defend our right to defend, and this is a viable means to do so. Before you criticize, be prepared to offer your own solutions, otherwise you will just be making noise.


SecurityFocus columnist Timothy M. Mullen is Vice President of Consulting Services for NGSSoftware.
Copyright 2010, SecurityFocus