Hacking back in self defense


1/10/2015 Page 1

Hacking Back in Self-Defense:

Is It Legal? Should it Be?

David Willson

Attorney at Law

CISSP, Security+

Titan Info Security Group

and

Azorian Cyber Security

1/10/2015 Page 2

David Willson

Owner of Titan Info Security Group, LLC, providing enhanced cyber security and liability reduction or elimination

Retired Army JAG officer

Advised the DoD and NSA on computer network ops law

Legal advisor to what is now CYBERCOM

Published author and active speaker

Licensed attorney in CO, NY, and CT

Member ISSA and InfraGard

Holds CISSP & Security+ certifications

1/10/2015 Page 3

Legal Disclaimer

This presentation is made available for educational purposes only as well as to provide general information and a general understanding of the law, not to provide specific legal advice.

By viewing and participating in this presentation, you understand that no attorney-client relationship is formed.

This presentation and material herein should not be used as a substitute for actual legal advice from a licensed attorney in your state with whom you establish an attorney-client relationship.

The ideas presented are only theories and should not be considered authorization or advice to take action and/or violate the law.

1/10/2015 Page 4

David Willson Articles and Lectures

“An Army View of Neutrality in Space: Legal Options for Space Negation,” The Air Force Law Review, Vol. 50, 2001

“A Global Problem: Cyberspace Threats Demand an International Approach!” Armed Forces Journal, July 2009; ISSA Journal, August 2009; lectured on the subject at CSI (as keynote) and RSA

“When Does Electronic Espionage Become an Act of War?” CyberPro Magazine, May 2010; ISSA Journal, June 2010; lectured on the subject at International Cyber Crime Conference

“Flying through the Cloud: Investigations, Forensics, and Legal Issues in Cloud Computing” at CSI and HTCIA

“Ethical Use of Offensive Cyberspace” at RSA

1/10/2015 Page 5

$78,000 stolen

$151,000 stolen

$241,000 stolen

$115,000 stolen

Problem: Hackers and their botnets plague the networks of many businesses around the world!

Jobs

1/10/2015 Page 6

500 Executives Surveyed…

“One thing is very clear: The cyber security programs of US organizations do not rival the persistence, tactical skills, and technological prowess of their potential cyber adversaries.” www.pwc.com/cybersecurity

One sad reality is that, despite all the warnings, companies and individuals continue to fail to implement basic security practices.

1/10/2015 Page 7

More Statistics

Attacks against small and medium-size businesses up 60%

400 companies surveyed over a four-week period admit to approximately 72 attacks per week on their networks, with one successful each week

Pentagon is attacked 6 million times per day (2008)

150,000 malware samples per day (Sophos)

Zero Day attacks ever increasing

1/10/2015 Page 8

Coreflood Botnet and CryptoLocker

Computer virus used to steal personal and financial information from the machines it infects

Stolen info can be used to steal funds, hijack identities, and commit other crimes

FBI estimates that Coreflood enabled fraudulent transfers that cost businesses hundreds of thousands of dollars before the agency shut it down (Government Security News, John Mello, Jr.)

Ransomware

1/10/2015 Page 9

Cost of Breach (Ponemon Study 2013)

1/10/2015 Page 10

Losses (Ponemon Study 2013)

1/10/2015 Page 11

What is a bot or botnet?

Bot or web robots

Software applications that run automated tasks over the Internet. The largest use of bots is in web spidering, in which an automated script fetches, analyzes, and files information from web servers at many times the speed of a human. Recently, bots have been used for search advertising, such as Google Adsense.

Botnet

Collection of infected computers or bots that have been taken over by hackers and are used to perform malicious tasks or functions. A computer becomes a bot when it downloads a file (e.g., an e-mail attachment or malware on a web site) that has bot software embedded in it. A botnet is considered a botnet if it is taking action on the client itself via IRC channels without the hackers having to log in to the client's computer. The typical botnet consists of a bot server (usually an IRC server) and one or more bot clients.

1/10/2015 Page 12

How a Bot Works

Botnets have different topologies or command and control (CnC) structures

Most, it appears, use a compromised server as an IRC server, referred to as the IRC daemon (IRCd)

Multiple bots will communicate with the IRCd via a “phone home” function

Single point of failure: If the central CnC is blocked or otherwise disabled, the botnet is effectively neutered (this will become important as we get into the theory)
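
Added example, not part of the original presentation: a defender-side check for the IRC “phone home” pattern described above, run over your own egress logs, which returns the single CnC destination to block at your own perimeter. The log format, the function names find_irc_c2 and egress_blocklist, and all addresses (documentation ranges) are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed egress log (assumed format, not from the presentation):
# epoch  internal-src  external-dst:port  first line of client payload
SAMPLE_LOG = """\
1000 10.0.0.5 203.0.113.7:8080 NICK xk3921
1002 10.0.0.5 203.0.113.7:8080 USER xk3921 0 * :xk3921
1004 10.0.0.5 203.0.113.7:8080 JOIN #cmd
1010 10.0.0.9 203.0.113.7:8080 nick qp1107
1013 10.0.0.9 203.0.113.7:8080 JOIN #cmd
1020 10.0.0.7 198.51.100.20:80 GET /index.html HTTP/1.1
1030 10.0.0.8 192.0.2.44:6667 NICK alice
1100 10.0.0.5 203.0.113.7:8080 PONG :irc
garbled line that the parser must skip
"""

LINE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+):(\d+)\s+(.*)$")
# IRC client registration commands (RFC 1459); commands are case-insensitive.
REGISTER = re.compile(r"^(NICK|USER)\s+\S", re.IGNORECASE)
JOIN = re.compile(r"^JOIN\s+[#&]\S", re.IGNORECASE)


def find_irc_c2(log, min_hosts=2):
    """Map 'ip:port' -> internal hosts that registered and joined a channel there.
    Matching on the protocol, not the port, also catches an IRCd on an odd port."""
    registered, joined = defaultdict(set), defaultdict(set)
    for raw in log.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # malformed record: skip it rather than crash
        _, src, dst_ip, dport, payload = m.groups()
        dst = f"{dst_ip}:{dport}"
        if REGISTER.match(payload):
            registered[dst].add(src)
        elif JOIN.match(payload):
            joined[dst].add(src)
    findings = {}
    for dst in registered:
        hosts = sorted(registered[dst] & joined[dst])
        if len(hosts) >= min_hosts:  # several machines, one IRCd: likely CnC
            findings[dst] = hosts
    return findings


def egress_blocklist(findings):
    """(ip, port) pairs to deny at your own perimeter, cutting the phone-home path."""
    return sorted((d.rsplit(":", 1)[0], int(d.rsplit(":", 1)[1])) for d in findings)
```

The hosts listed for each destination are the internal machines to isolate and clean; the blocklist entry is the one outbound path all of them depend on.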

1/10/2015 Page 13

More Definitions

Spam

Add-ons

Cookies

MyLife.com

ReUnion.com

Google

1/10/2015 Page 14

Is Hacking Back Self-Defense?

No

C.H. “Chuck” Chassot of the DoD Command, Control, Communications & Intelligence office: “It is the DoD's policy not to take active measures against anybody because of the lack of certainty of getting the right person.”

1/10/2015 Page 15

Is Hacking Back Self-Defense?

Yes

Timothy Mullen, CIO of AnchorIS, Inc.: People should be allowed to neutralize one that is unwittingly spreading destructive Internet worms such as Nimda

Jennifer Stisa Granick, litigation director at the Center for Internet and Society at Stanford Law School: “This is a type of defense of property. There is a lot of sympathy for that (kind of action) from law enforcement and vendors because we do have such a big problem with viruses.”

1/10/2015 Page 16

Response

Nothing

Block

Call LE

Hack Back

Remove

Clean-up

Scenario

Business X finds malware on their networks in the form of a bot that is receiving instructions from a host server via IRC chat

1/10/2015 Page 17

Deterrents to Hack Back

Law: Illegal to gain unauthorized access to a computer

Ethics: Highly probable that hacking back will affect innocent computers or networks

Retribution: You may awaken the beast!

1/10/2015 Page 18

Computer Fraud and Abuse Act (CFAA)

A law to prevent trespass against a computer or network

Applies to any “protected computer”

Must “exceed authorized access”

Computer

Damage

Loss

1/10/2015 Page 19

Law

“Whoever intentionally accesses a computer without authorization or exceeds authorized access, and thereby XXX”

1/10/2015 Page 20

Law, cont.

Unauthorized Access to a Computer

Computer Trespass

Self-Defense

1/10/2015 Page 21

Embed Code in the “Phone Home” function of a Bot.

When the Bot connects to the IRC server the Code disables it.

My Theory

1/10/2015 Page 22

Common Objections

“You will start a war with China!”

Really?

1/10/2015 Page 23

Common Objections

“You will impact an innocent bystander!”

No one in this scenario is innocent.

Victim? Yes!

Innocent? No!

1/10/2015 Page 24

Legal?

Did you have the intent to access the innocent computer or server being used as the IRC server?

Did you access that server without authorization?

Did you cause harm, alter, or in some way have a negative impact on the innocent computer?

1/10/2015 Page 25

Legal?, cont.

Does an infected computer impliedly grant you access to their system if their computer is causing damage to or plaguing your computer or network?

Wouldn’t a traditional scenario of self-defense apply in this situation?

Is the only driving factor imminence?

1/10/2015 Page 26

Legal?, cont.

Does an infected computer whose negligence allows your computer to be attacked, and the attack is ongoing or imminent, give you automatic authority to defend yourself by accessing that infected computer?

Can the victim of a bot attack claim that their code was automatic, used common protocols, followed the bot into the infected server (IRCd), and blocked the bot – did he exceed authorized access?

1/10/2015 Page 27

Questions

David Willson

Attorney at Law

CISSP, Security +

Titan Info Security Group

719-648-4176
