Post on 15-Jul-2015
transcript
1/10/2015 Page 1
Hacking Back in Self-Defense:
Is It Legal? Should it Be?
David Willson
Attorney at Law
CISSP, Security+
Titan Info Security Group
and
Azorian Cyber Security
David Willson
david@titaninfosecuritygroup.com
Owner of Titan Info Security Group, LLC, providing enhanced cyber security and liability reduction or elimination
Retired Army JAG officer
Advised the DoD and NSA on computer network ops law
Legal advisor to what is now CYBERCOM
Published author and active speaker
Licensed attorney in CO, NY, and CT
Member ISSA and InfraGard
Holds CISSP & Security+ certifications
Legal Disclaimer
This presentation is made available for educational purposes only
as well as to provide general information and a general
understanding of the law, not to provide specific legal advice.
By viewing and participating in this presentation, you understand
that no attorney-client relationship is formed.
This presentation and material herein should not be used as a
substitute for actual legal advice from a licensed attorney in your
state with whom you establish an attorney-client relationship.
The ideas presented are only theories and should not be
considered authorization or advice to take action and/or violate
the law.
David Willson Articles and Lectures
“An Army View of Neutrality in Space: Legal Options for Space
Negation,” The Air Force Law Review, Vol. 50, 2001
“A Global Problem: Cyberspace Threats Demand an International
Approach!” Armed Forces Journal, July 2009; ISSA Journal,
August 2009; lectured on the subject at CSI (as keynote) and
RSA
“When Does Electronic Espionage Become an Act of War?”
CyberPro Magazine, May 2010; ISSA Journal, June 2010;
lectured on the subject at International Cyber Crime Conference
“Flying through the Cloud: Investigations, Forensics, and Legal
Issues in Cloud Computing” at CSI and HTCIA
“Ethical Use of Offensive Cyberspace” at RSA
$78,000 stolen
$151,000 stolen
$241,000 stolen
$115,000 stolen
Problem: Hackers and their botnets plague the networks of many businesses around the world!
Jobs
500 Executives Surveyed…
“One thing is very clear: The cyber security programs
of US organizations do not rival the persistence,
tactical skills, and technological prowess of their
potential cyber adversaries.”
Source: www.pwc.com/cybersecurity
One sad reality is despite all the warnings, companies
and individuals continue to fail to implement basic
security practices.
More Statistics
Attacks against small and medium-size businesses
up 60%
400 companies surveyed over a four-week period
admit to approximately 72 attacks per week on their
networks, with one successful each week
Pentagon is attacked 6 million times per day (2008)
150,000 malware samples per day (Sophos)
Zero Day attacks ever increasing
Coreflood Botnet and CryptoLocker
Computer virus used to steal personal and financial
information from the machines it infects
Stolen info can be used to steal funds, hijack identities,
and commit other crimes
FBI estimates that Coreflood enabled fraudulent
transfers that cost businesses hundreds of thousands
of dollars before the agency shut it down (Government
Security News, John Mello, Jr.)
CryptoLocker: ransomware
What is a bot or botnet?
Bot or web robots
Software applications that run automated tasks over the Internet. The largest use of bots is in web spidering, in which an automated script fetches, analyzes, and files information from web servers at many times the speed of a human. Recently, bots have been used for search advertising, such as Google Adsense.
Botnet
Collection of infected computers, or bots, that have been taken over by hackers and are used to perform malicious tasks or functions. A computer becomes a bot when it downloads a file (e.g., an e-mail attachment or malware on a web site) that has bot software embedded in it. The compromised machine is considered a bot when it is taking action on the client itself, directed via IRC channels, without the hacker having to log in to the client's computer. The typical botnet consists of a bot server (usually an IRC server) and one or more bot clients.
How a Bot Works
Botnets have different topologies or command and
control (CnC) structures
Most, it appears, use a compromised server as an IRC
server, referred to as the IRC daemon (IRCd)
Multiple bots will communicate with the IRCd via a
“phone home” function
Single point of failure: If the central CnC is blocked or
otherwise disabled, the botnet is effectively neutered
(this will become important as we get into the theory)
Is Hacking Back Self-Defense?
No
C.H. “Chuck” Chassot of the DoD Command,
Control, Communications & Intelligence office: “It
is the DoD's policy not to take active measures
against anybody because of the lack of certainty
of getting the right person.”
Is Hacking Back Self-Defense?
Yes
Timothy Mullen, CIO of AnchorIS, Inc.: People should be
allowed to neutralize one that is unwittingly spreading
destructive Internet worms such as Nimda
Jennifer Stisa Grannick, litigation director at the Center
for Internet and Society at Stanford Law School: “This is
a type of defense of property. There is a lot of sympathy
for that (kind of action) from law enforcement and
vendors because we do have such a big problem with
viruses.”
Response options
Nothing
Block
Call LE
Hack Back
Remove
Clean-up
Scenario
Business X finds malware on their networks in the form of a bot that is receiving instructions from a host server via IRC chat.
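The scenario above (a bot on the business network taking instructions from an IRC server, with "Block" as one of the response options) and the earlier slide on how a bot phones home to its IRCd can be turned into detection logic. The following is an added example, not code from the presentation; it assumes a hypothetical connection-log format (timestamp, internal host, direction, remote address:port, first bytes of payload), uses constructed sample lines, and scores a few heuristic IRC command-and-control signals: an IRC session (NICK plus JOIN), a machine-generated bot nick, a bot-style command pushed over PRIVMSG, and IRC on a non-standard port. It then emits an egress block rule (iptables syntax assumed) for each identified CnC endpoint, which is the "Block" response and relies on the single point of failure noted earlier.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log (not from the presentation). Format per line:
#   <timestamp> <internal host> -> or <- <remote>:<port> payload="<first bytes>"
# "->" is client-to-server, "<-" is server-to-client.
SAMPLE_LOG = r"""
2015-01-10T09:00:01 10.0.0.15 -> 203.0.113.7:8080 payload="NICK [USA|XP]4821"
2015-01-10T09:00:01 10.0.0.15 -> 203.0.113.7:8080 payload="USER xp 0 0 :xp"
2015-01-10T09:00:02 10.0.0.15 -> 203.0.113.7:8080 payload="JOIN #bots pass123"
2015-01-10T09:05:01 10.0.0.15 <- 203.0.113.7:8080 payload="PING :irc"
2015-01-10T09:05:01 10.0.0.15 -> 203.0.113.7:8080 payload="PONG :irc"
2015-01-10T09:07:30 10.0.0.15 <- 203.0.113.7:8080 payload=":boss!x@y PRIVMSG #bots :.ddos.syn 198.51.100.9 80 600"
2015-01-10T09:03:10 10.0.0.22 -> 192.0.2.40:443 payload="\x16\x03\x01"
2015-01-10T09:04:15 10.0.0.22 -> 192.0.2.41:80 payload="GET / HTTP/1.1"
2015-01-10T09:04:20 10.0.0.31 -> 198.51.100.5:6667 payload="NICK alice"
2015-01-10T09:04:20 10.0.0.31 -> 198.51.100.5:6667 payload="USER alice 0 0 :Alice"
2015-01-10T09:04:25 10.0.0.31 -> 198.51.100.5:6667 payload="JOIN #python"
2015-01-10T09:06:00 10.0.0.31 <- 198.51.100.5:6667 payload=":bob!b@c PRIVMSG #python :anyone seen the new 3.4 release notes?"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<host>\d{1,3}(?:\.\d{1,3}){3}) (?P<dir>->|<-) '
    r'(?P<remote>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+) payload="(?P<payload>.*)"$'
)
IRC_VERBS = {"NICK", "USER", "JOIN", "PRIVMSG", "PING", "PONG"}
STANDARD_IRC_PORTS = {6667, 6697}
# Bot nicks are usually machine-generated, e.g. "[USA|XP]4821" or "{DE}1234".
BOT_NICK_RE = re.compile(r'^[\[\{(][^\]\})]+[\]\})]\d{2,}$')
# Command verbs commonly pushed to IRC bots as channel messages (heuristic list).
BOT_CMD_RE = re.compile(r'^[.!](ddos|syn|udp|flood|scan|download|update|visit)\b', re.I)


def parse_irc(payload):
    """Return (VERB, params) for one IRC line, skipping an optional ':prefix'."""
    if payload.startswith(":"):
        _, _, payload = payload.partition(" ")
    verb, _, params = payload.partition(" ")
    return verb.upper(), params


@dataclass
class Finding:
    host: str
    remote: str
    port: int
    signals: set = field(default_factory=set)

    @property
    def is_bot(self):
        # An IRC session alone is not evidence; require two further signals.
        return "irc_session" in self.signals and len(self.signals) >= 3


def analyze(log_text):
    """Group IRC traffic per (host, remote, port) and score C&C signals."""
    seen_verbs = defaultdict(set)
    findings = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed log format
        verb, params = parse_irc(m["payload"])
        if verb not in IRC_VERBS:
            continue  # only IRC-looking payloads are of interest here
        key = (m["host"], m["remote"], int(m["port"]))
        f = findings.setdefault(key, Finding(*key))
        seen_verbs[key].add(verb)
        if verb == "NICK" and BOT_NICK_RE.match(params.strip()):
            f.signals.add("bot_nick")
        if verb == "PRIVMSG" and m["dir"] == "<-":
            text = params.partition(" :")[2]
            if BOT_CMD_RE.match(text):
                f.signals.add("remote_command")
        if f.port not in STANDARD_IRC_PORTS:
            f.signals.add("nonstandard_port")
    for key, f in findings.items():
        if {"NICK", "JOIN"} <= seen_verbs[key]:
            f.signals.add("irc_session")
    return findings


def bots(findings):
    """Findings that cross the bot threshold."""
    return [f for f in findings.values() if f.is_bot]


def block_rules(findings):
    """The 'Block' response: an egress rule per identified C&C endpoint."""
    return [f"iptables -A FORWARD -d {f.remote} -p tcp --dport {f.port} -j DROP"
            for f in bots(findings)]


if __name__ == "__main__":
    results = analyze(SAMPLE_LOG)
    for f in bots(results):
        print(f"{f.host} -> {f.remote}:{f.port} signals={sorted(f.signals)}")
    for rule in block_rules(results):
        print(rule)
```

The legitimate IRC user in the sample (10.0.0.31 on #python) produces only the `irc_session` signal and is not flagged; only the host whose session shows a generated nick, a pushed `.ddos` command and IRC on port 8080 crosses the threshold. The thresholds and verb list are assumptions to be tuned against real traffic, and blocking the CnC address is a purely local action on your own network edge, which is why it sits at the "Block" end of the response options rather than the "Hack Back" end.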
Deterrents to Hack Back
Law: Illegal to gain unauthorized access to a computer
Ethics: Highly probable that hacking back will affect innocent computers or networks
Retribution: You may awaken the beast!
Computer Fraud and Abuse Act (CFAA)
A law to prevent trespass against a computer or
network
Applies to any “protected computer”
Requires access “without authorization” or access that
“exceeds authorized access”
Key defined terms: computer, damage, loss
Law (18 U.S.C. § 1030(a))
“Whoever intentionally accesses a computer without
authorization or exceeds authorized access, and
thereby XXX”
My Theory
Embed code in the “phone home” function of a bot.
When the bot connects to the IRC server, the code disables it.
Common Objections
“You will impact an innocent
bystander!”
No one in this scenario is innocent.
Victim? Yes!
Innocent? No!
Legal?
Did you have the intent to access the innocent
computer or server being used as the IRC server?
Did you access that server without authorization?
Did you cause harm, alter, or in some way have a
negative impact on the innocent computer?
Legal?, cont.
Does the owner of an infected computer impliedly grant
you access to their system if that computer is causing
damage to or plaguing your computer or network?
Wouldn’t a traditional scenario of self-defense apply in
this situation?
Is the only driving factor imminence?
Legal?, cont.
Does the owner of an infected computer, whose negligence
allows your computer to be attacked, with the attack ongoing
or imminent, give you automatic authority to defend
yourself by accessing that infected computer?
Can the victim of a bot attack claim that their code was
automatic, used common protocols, followed the bot
into the infected server (IRCd), and blocked the bot?
Did they exceed authorized access?
1/10/2015 Page 27
Questions
David Willson
Attorney at Law
CISSP, Security+
Titan Info Security Group
719-648-4176
david@titaninfosecuritygroup.com