Computer Shopper - UK (2021-01)


CYBERCOP


12 JANUARY 2021 | COMPUTER SHOPPER | ISSUE


Don’t hack back

If you’ve been the victim of a cyberattack you might feel like exacting revenge on the perpetrators, but it wouldn’t be a wise move – even if it may soon be legal

I WAS ONE of too many people packed uncomfortably into a hot carriage when the train pulled into Vauxhall station. A few new passengers managed to squeeze in and the train was just about to pull out when one final, frantic man threw himself in through the door. Everyone felt the impact and lost another fraction of their breathing space and patience.

“Ass!” exclaimed one voice. The latecomer lashed out, striking a nearby onlooker, who asked, “Why did you hit me?” “You called me a rude word,” said the man. “No, he didn’t, I did,” called out the American voice who had started the exchange. The predominantly British congregation broke the first rule of commuting, whereby everyone ignores awkward situations by staring at their newspapers, and jeered loudly. It was magnificent.

There’s a connection between this incident of mistaken identity and the problems inherent in the idea of attacking back against hackers. The US is looking into legislation that supports US companies retaliating against cyberattacks. Most countries’ laws forbid hacking, whether as an initial act or in response to an incoming threat. Now there’s a possibility that companies can react in kind to being hacked.

If someone breaks into your computers and steals data, who do you punch back, virtually? The owner of the system that launched the attack? Their ISP? Or their government? To fully appreciate the problem with fighting back, you have to understand how most hackers operate. They rarely use their own computers to launch an attack. They are more likely to use other victims’ systems, or proxies, VPNs or other anonymising systems, such as the Tor network.

If an attacker is coming at you from another victim’s computer, and you break into that system in response, you’re punching the guy in front of the commuter who offended you. If the attacker is using Amazon Web Services as a proxy, you’ll end up launching an attack against one of the largest companies in the world. I hope your legal war chest of funds can compete, should you be detected and prosecuted.

DIVINE ATTRIBUTION
Attribution, the process whereby analysts decide who launched an attack after the event, is hard to do well. US-based security firms often claim that most attacks against American businesses are orchestrated by agents of the Chinese government. The basis of this analysis can be as simple as looking at the internet addresses of the attacking systems or, in more convincing cases, deep analysis of the malware used to compromise systems.

The fact is that hackers launch attacks from systems all over the world. If most attacks appear to originate from Russian cyberspace, it seems particularly lazy to leap to the assumption that Russian criminals or government agents are behind them. It’s more likely that other nation states are proxying through Russia to avoid attribution. They are in effect pushing Russia to the front of the carriage to face the aggressive commuter.

There’s another downside to fighting back: you might just start something you can’t finish. Maybe you correctly identified the opponent and are confident you’ve targeted the appropriate computer systems. And maybe you don’t believe the authorities will become involved because your guilty target, who started it in the first place, probably won’t tell tales. But unless you’re a skilled hacker with an arsenal of advanced tools for attack and defence, you probably won’t come out of this fight well.

You were hacked before, so clearly your defensive capabilities are not world class. You might be better off fixing that, rather than punching back. Don’t forget, too, that once you start playing with the big boys things can quickly escalate. You may be a ninja behind the keyboard, but you can’t assume that hostilities will remain online. A home visit from your opponent, or more likely his associates, would bypass any firewall and could end up being painful at best.

JUSTICE OF THE PIECE
And where does it end? What do you want to achieve by fighting back? Is a sense of ‘justice done’ enough and, if it is, how much damage do you need to inflict on the target’s systems before you feel vindicated? If your target has backups you might need to lurk on his network for months, slowly damaging his files until his backups become useless. If you lost intellectual property in the original attack you may want to steal secrets in return. How many secrets will balance things out?

Hacking back and exacting revenge takes time and energy that might be better spent improving your own security.

Even if the law changes and it becomes legal to fight back against hacking attacks, it’s not going to be a feasible or wise response for almost any individual or organisation. You need the ability to identify a valid target; a goal that provides you with value beyond a sense of revenge; resources to achieve your goal; and the ability to protect yourself against a physical attack. If you can do all of that, you might consider a job at GCHQ, which is always keen to expand its cyber capabilities.

This article was originally published in Shopper 338

GORDON HOLMES

With more than 30 years of experience in law enforcement, our retired cop gave a police officer’s perspective on cybercrime
