Hacker vigilantes strike back
By Pia Landergren
(IDG) -- As security breaches explode and law enforcement struggles to keep up, some organizations are taking the law into their own hands and punishing hackers themselves.
Striking back at hackers with, for example, denial of service attacks is a sensitive subject, since doing so is illegal in most countries. A denial of service attack involves bombarding a server with so much traffic that it crashes. However, security experts say the U.S. Department of Defense has done it. Private companies also use special firewalls and other counteroffensive programs to automatically strike back at hackers, according to U.K. Internet security consultant and ex-hacker Mathew Bevan and others.
California ISP Conxion acknowledges having reversed a denial of service attack on a group of hackers.
"We deal with it on a case-by-case basis," says Megan O'Reilly-Lewis, Conxion spokesperson, when asked whether giving hackers a dose of their own medicine is company policy.
The World Trade Organization's Web site, hosted by Conxion, was hacked in late 1999. An organization called Electrohippies, or E-Hippies, bombarded the WTO Web page with download requests, causing the service to slow but not crash.
"What our security staff did was to quickly write a script to reverse the traffic. Then they followed up with some more sophisticated methods," O'Reilly-Lewis says. "It seemed to work fine." Sophisticated hackers could have avoided the reverse attack, she adds.
Is the Web Getting Wilder?
Hack attacks are clearly on the increase, and so are companies that specialize in tracking down the hackers.
It takes a spectrum of weapons to fight hackers, says Bob Ayers, U.K. vice president of Para-Protect. The company has intrusion detection devices to keep tabs on its customers' systems. Ayers, a former U.S. military intelligence officer, lists several ways to thwart intruders: "Disabling an account. Terminating the network link. We can go to the ISP and ask them to step in and take action." Or, he can go beyond the e-mail address to find the person behind the crime.
"You go pay him a visit," Ayers says. "You talk to him and let him know that you're not happy with what he is doing." It might work, depending on your powers of persuasion, he adds.
Does Para-Protect hit hackers with denial of service attacks on behalf of its customers?
"I really don't want to answer that question one way or another," Ayers says. "All I can say is that the technology is there and how it is used is something I cannot predict."
Both Ayers and another security expert, Winn Schwartau, president of Interpact and founder of security Web service Infowar.com, say the Defense Department has at least on one occasion launched a denial of service attack on hackers.
"Absolutely they have," Schwartau says. "There was a group of pro-Mexicans -- the Electronic Disturbance Theater -- and they announced they were going to attack the Pentagon," he said. "The Pentagon knew about it. The Pentagon started shooting back, which was the right thing to do. However, it was illegal," Schwartau says.
Not surprisingly, the Pentagon denies ever having used those methods.
"I am not aware that we have struck back at anyone with a denial of service attack," says Susan Hansen, a spokesperson at the Defense Department. "We don't discuss our specific security" measures, she adds.
Malicious break-ins into corporate computer systems are mounting. A recent FBI study finds 85 percent of respondents detected computer security breaches during the past year. The survey drew responses from 538 security experts in various U.S. corporations and government agencies. Sixty-four percent suffered financial losses due to security breaches, and 186 respondents report a total loss of almost $378 million. Thirty-eight percent of respondents detected denial of service attacks, compared to 27 percent last year.
According to a survey done by Schwartau, about one third of surveyed companies in the United States now have or plan to develop strike-back capabilities for possible hack attacks.
"Follow-up surveys in England found corresponding responses, while an Australian survey found an even higher percentage of that country's companies to be willing to strike back," Schwartau says.
When hackers use several computers along the way to their target, it's more difficult for companies to directly attack the originating culprit. A vigilante may even end up striking back at an innocent bystander whose computer was simply used by a hacker. A sophisticated hacker can also make it look like an attack is coming from, for example, a company's competitor.
One type of intrusion-detection equipment is a so-called honeypot, a machine set up to look like a network. It runs false information, such as databases, to lure hackers to spend time "inside" the machine. Hackers may enter by figuring out a password and surfing in through the Internet. The longer a hacker is inside, the easier it is for the system administrator to determine the hacker's identity or IP address. Then, the system administrator can launch a counterattack.
Can Counterattacks Backfire?
One industry insider does not believe in giving hackers a dose of their own medicine.
"I don't believe in striking back; it would only invite further attacks," says Mike Graves, European marketing manager at Hewlett-Packard's Internet Security Solutions Division.
"You may find yourself getting some publicity you don't want. You may become a beacon for new attacks." Hackers know each other and look out for each other, he adds.
Graves' suspicions are confirmed by ex-hacker Bevan.
"If my machine crashed and I've been hacking...I would not give up then. If hackers gave up so easily there wouldn't be any hackers. It's the challenge" that keeps hackers motivated to keep going, Bevan says.
Bevan claims he has hacked into the Defense Department's computer system, a British Air Force base, and many major corporations' systems. In 1996, he was charged with conspiracy to cause unauthorized modification to computers operated by the U.S. military and Lockheed Martin. Eventually, all charges were dropped.
"They were pushing a conspiracy angle" but couldn't prove it, Bevan says.
Bevan says he understands why companies would want to take the law into their own hands and strike back. However, he insists the method will not work, because it only makes hackers more determined.
Despite this, finding a hacker tracker is not difficult. Some victims prefer less drastic action, such as hiring a company to gather evidence and prepare a case for the police.
Thomas Olofsson is chief operating officer of the Swedish firm Defcom, which recently found a gang of professional hackers for a customer.
"This was the largest operation we've done," Olofsson says. "We tracked down a gang of hackers who had used computers in different countries to hide along the way. They had used a computer in South Africa and another one in the U.S. At last we found the source, a gang of hackers in one of the Baltic countries."
But catching hackers is just one of the first steps in a long process of bringing them to justice.
"What happens if a hacker in the U.K. breaks into a system in South Africa, or in the U.S.?" Ayers asks. "Where did the crime happen? And who has jurisdiction? The police must cooperate across borders, and, frankly, the police are not very good at that."
In fact, police lack resources to catch all criminals, and many laws still haven't caught up with Internet crime. Despite the efforts of hacker trackers, then, hacker vigilante methods are not likely to go away any time soon.
And detective work on the Web for private investigators is not just more lucrative, it's safer than police work, Ayers adds.