Tag Archives: ethical hack

Deterrence

15 Thursday Jan 2015

Posted by in cyber war

3 Comments

Tags

, , , , ,

keyboard grenadeDoesn’t it just seem obvious that at some point, to protect our digital selves, we’ll have to fight back?  Firewalls and anti virus software are like fences – merely obstacles.  Leaving the porch light on and locking your door is no doubt wise.  Thieves target easy prey.  You don’t have to out run the bear, just your buddy.  The metaphors advising essential layers of protection are endless, but by now everyone should understand that absolutely no one is entirely safe from online intrusions.  Lest we all agree to simply run around naked, data privacy requires more than protection; we need to increase the risk/reward ratio of cyber attacks with a strong deterrent.

We’re building a fence along our border with Mexico – which is to say that’s a problem we don’t really care to see fixed.  Where American lives and real money are on the line, we deter attack with our armed forces.  The best defense is a good offense.  Cyber theft is starting to become real money.  It’s one thing for a credit card company to build fraud into its business model.  Not every business can do that.  The potential losses aren’t always known.  The information age is rapidly approaching its kairotic moment.  If we can’t control technology, then we might as well reboot ourselves back to the dark ages before cyber extremism launches us into the stone age.

I’m proposing the ability to respond to hacking efforts with intrusion countermeasures electronics.  ICE.  There are other terms for this but I like the literary reference from Tom Maddox and William Gibson.  The concept is an active defense that strikes back.  Currently there is very little risk to deter internationally remote cyber criminals.  This proposal is not new, the concept has been around since Burning Chrome and Neuromancer.  Black ICE takes it further by suggesting the response actually include deadly force.  Assuming that’s even possible.  So why are we not enacting an idea that’s older than the Internet?

Consider what we learned recently from the Sony attack, ostensibly by North Korea.  I have to use the adjective ostensibly, not because the FBI has yet to make their proof public, but because other agencies believe they have evidence demonstrating this is an inside job.  Point being, certainty is difficult in proving the source of cyber attacks.  So much can be spoofed.  IP addresses.  So much more is circumstantial and inferred.  This type of malware was used by this cyber warrior previously against that target.  The more sophisticated the attacker, the more likely they have obscured their tracks if not framed another source.  The level of certainty required in a U.S. civil court of law is virtually impossible.

Given that, you can be certain responding with a counter attack is illegal.  And your response will leave undeniable evidence.  No corporate legal team will approve counter attacks.  They would be complicit.  There is also the risk of escalating the conflict.  I don’t subscribe to that fear personally, but it doesn’t matter.  No legal entity can perform counter attacks.  It’s simply not allowed.  Only governments can respond with intrusion countermeasures.  Israel is transparent about this.  You can only hope the U.S. does it.  Deterrence requires we do so in a public and comprehensive manner.

Perhaps the government could outsource this to corporate ethical hackers like they do some military security now.  Regardless, I think this cost should come out of our defense budget.  I haven’t put any thought into how we should triage attacks.  Should our response to an attack against a small startup be as severe as that of a Fortune 500 company?  Should we discriminate at all.  Is our first level of response a denial of service attack or do we erase attacker hard drives?

The technology for countermeasures will be interesting.  The solution might require a government layer of software on every citizen’s computing device, much as we run anti virus now.  That’s a scary thought.  Worse than NSA snooping would be having to call the gov’t helpdesk when a software patch crashes your machine.  That Obama is responding with Executive orders now to the Sony hack tells me what direction we’re headed.  Could be years given the pace of political policy-making.  Could be months given the pace of technological progress.

Cyber War – Ethical Hacking

17 Sunday Jan 2010

Posted by in cyber war

Leave a comment

Tags

, , , ,

Tyler was in his essence as he walked his Unit and Console Sergeant through his hack.  “The SecIntel from this new dashboard is much richer than we expected.  It includes the results of the Chinese vulnerability scans.  So we know the vulnerable IPs that North Korea will exploit.  We simply exploit them first and set our trap.  The beauty here is these targets won’t ever have their data exfiltrated because the first step of our hack – the code I’ve already developed – is to redirect the hacks to our virtual environment where we can control everything.  I’m calling this Project Quarantine.  Sergeant, please sign me up for a medal.”

The Console Sergeant didn’t have much patience for over-confident software developers.  “This is good work soldier, but let’s be clear.  There will not be any medals because Cyber Command not a legitimate member of the Armed Forces.  Remember in high school or college, where you have sanctioned sports teams like basketball and football?  And then you have some new sport trying to gain awareness, and they call it a club?  Well that’s us, we’re a club.  Our funding comes entirely from Google – a freakin corporation!  We ethically hack their foreign government adversaries to keep them out of the courtroom.  Which leads me to my point.  Google isn’t paying us to quarantine.  They want these hackers dead!  So Project Quarantine is a nice start but you better think of it more as a killing field.  Now get to work on some black ice!”