When Striking Back is The Best Defense
Tim Mullen, 2003-12-15

It shouldn't be a crime to reach out and hack an infected machine that's attacking your network.

When Striking Back is The Best Defense 2003-12-15
Dmitriy (1 replies)
When Striking Back is The Best Defense 2003-12-15
nevada smitth
The Alternate Methodology 2003-12-15
Matthew Murphy
When Striking Back is The Best Defense 2003-12-16
LoomChild
Wish I could go to BlackHat and hear what you have to say, but as a poor Swede I guess I'd have to swim there. ;) Anyways, what you are thinking is something I have wanted to be able to do many times. I know it to be effective at times, when you have a directed attack and manage to outsmart and locate the hacker/cracker. But, I have changed my mind about all this. Because I have, as many others who have written here, found a few flaws.

First off, when is it OK to "back-hack"? How much bandwidth must you lose? How many servers must be under attack? What attacks are OK to back-hack? Worms, directed attacks, [D]DoS? First attack? Tenth? Heck, even I have managed to type in the wrong IP-range when scanning my own network and inadvertently scanned someone else. If someone downed my computers (should they actually be unsecure for some reason) I wouldn't find that acceptable, even though I made the first mistake.

Second. Is any admin allowed to do this? If anyone sitting at home running Snort would be allowed to hack any computer that has Nimda or what have you we would soon see a load of badly done attacks and a lot of downed servers. And I'm also sure hackers/crackers would _love_ to root servers and when the police kick in the door they "just retaliated to protect their network".


There are ways around this, yes. Laws about when to "back-hack", laws of what you can and cannot do, laws on reporting what you do to the law enforcement. But I'm sure these laws would be very hard to write, and probably full of loopholes (as we all know not an uncommon thing in the "digital world"). One might have a special license that allows you to "back-hack", so that only educated company technicians are allowed to do this (hmm, that would be a nice job opportunity, starting a "back-hack consulting firm" ;).

But actually, I have found that it often works quite well to track down an admin's mail address and tell him he is insecure and he is hitting servers around the world with, say, Nimda. Add a few comments on how this reflects badly on his company and perhaps a notice about taking legal actions (although I'd do this as a second thing, if you have gotten a reply and they say they don't care).

The time it takes to hack into every host that has a worm, every host used by a hacker and so on is probably far more than finding the mail addresses to the admins of the boxes. Or just do what I have done at times, mail all the typical admin-related addresses as root@target_net.com, administrator@..., postmaster@... and so on. If you don't get the right guy, someone will probably forward the mail to him (or her, as the case might be).

In extreme cases, just inform the law enforcement, especially while being under an actual attack from a hacker and not from a worm. If you are secure, no sweat. And you don't anger him and make yourself a target and a challenge by taking down his boxes. ;)

Just my thoughts on this, the way I see it. Although I admit it would be a lot more fun your way, I don't think it would work.

/LoomChild


Link to this comment: http://www.securityfocus.com/comments/columns/203/24160#24160
When Striking Back is The Best Defense, use SPIKE Proxy! 2003-12-16
Dave Aitel (1 replies)
Alright, that was cute. [n/t] 2003-12-17
Anonymous (1 replies)
Alright, that was cute. [n/t] 2003-12-21
Dave Aitel
When Striking Back is The Best Defense 2003-12-16
Nick Seidenman, CISSP
Another vote for ISP involvement 2003-12-19
Anonymous







 

Copyright 2009, SecurityFocus