YOU are a law-abiding citizen, walking down the street, minding your own business. Then, out of nowhere, a sniper opens fire in your direction. A bullet hits your arm, another whizzes by your head. You scan the area, decide that the sniper is in a nearby apartment building, and, as another bullet grazes your ear, decide it鈥檚 time to act. You just happen to be carrying a rocket launcher, so you aim in the direction of the attacker, press fire, and blow the whole block to smithereens.
A little over the top, perhaps? OK, how about another scenario. You pinpoint the sniper, walk up to him, and take away his gun. Certainly a more palatable solution, if no less implausible. Perhaps the only real answer is simply to yell, 鈥淗ey, stop it!鈥 and run like hell.
Take these scenarios, apply them to computer security, and you have entered the world of counterstrike software 鈥 software that responds aggressively to intrusions. Companies from banks to airlines are besieged by hackers, viruses, worms and spam, and, dammit, they鈥檙e not going to take it any more. The time has come to strike back.
Advertisement
The idea of counterstriking took a big step forward at the end of March, when the computer security company Symbiot of Austin, Texas, launched the first commercially available security software with a counterstrike capability. Now any company prepared to pony up $10,000 a month for Symbiot鈥檚 product can strike back against hackers and other sources of unwanted electronic traffic. Advocates applaud, but opponents argue that counterstriking does not fit the ethics of network administration, could in some cases be illegal, and may lead us all to a cyber bloodbath. As web pundit Zachary Heaton of Dayton, Ohio, wrote online earlier this month, 鈥淚nternet users everywhere are in for a wild ride.鈥
The internet is undoubtedly a dangerous place. 鈥淲e are attacked continuously,鈥 said Jeff Schiller, network manager at the much-hacked Massachusetts Institute of Technology, where intrusions typically bring down a couple of computers a day. And it鈥檚 not just Schiller who is suffering. The CERT Coordination Center at Carnegie Mellon University in Pittsburgh, Pennsylvania, reports a steady rise in computer incidents in the US: 137,529 in 2003, up from 82,094 the year before and 52,658 in 2001. An 鈥渋ncident鈥 can be anything from an individual hacker attempting to log onto a bank鈥檚 network, to a release of a virus that infects millions of computers and places them at the disposal of the virus鈥檚 creator. The economic damage from both types of attack is mounting. In 2003, a survey by the FBI and industry group Computer Security Institute, based in San Francisco, found more than half of the 530 companies they surveyed had suffered from some kind of unauthorised computer use in 2003.
Most organisations respond to attacks by building better defences 鈥 the cyber-equivalent of guard dogs and barbed-wire fences. IT managers build firewalls to filter and bounce suspicious or unwanted traffic, 鈥渂lack holes鈥 to soak up suspect emails, and 鈥渉oneypots鈥 to lure hackers into decoy servers where they can do no harm. Some even build 鈥渟ticky honeypots鈥 or 鈥渢arpits鈥, which delay the response to connection attempts.
But however good the defences are, hackers keep coming up with ways to breach them, tirelessly uncovering weaknesses in the software. Network managers try to stay one step ahead, but it鈥檚 a never-ending struggle. 鈥淭he bad guys who write worms are thinking, smart people,鈥 says Schiller. Building and reinforcing defences takes money, personnel and bandwidth, and that may be more than a small company can afford.
鈥淚 was looking at all the things I had to secure against, all the things I had to pay for, and I got fed up with it,鈥 says Tim Mullen, who runs IT for AnchorIS, a company that develops secure accounting software in Charleston, South Carolina. 鈥淚 decided to take matters into my own hands.鈥 So in 2002, Mullen presented a demo software that was capable of striking back against the spread of certain virulent worms. The exercise made him something of a celebrity in the security world, and sparked a widespread debate over counterstriking.
Wicked worm
Mullen鈥檚 software was designed to deal with attackers like the Nimda worm, which swept the web in 2001. Nimda exploited a weakness in Microsoft Windows that allowed it to insert a 鈥渕utual exclusion鈥 program, or mutex, onto computers. The mutex instructed the computer to infect others and could later be exploited to do whatever Nimda鈥檚 creators wanted. Though Microsoft had released a security patch, the worm affected thousands of computers which had not yet been patched.
But when Nimda tries to contact a machine running Mullen鈥檚 software, something different happens. Initially it responds like an unpatched victim, so Nimda duly delivers its malevolent mutex. But instead of allowing the mutex to install itself, Mullen鈥檚 software sends a worm carrying a mutex of his own back to the machine that sent the Nimda worm. Mullen鈥檚 mutex shares the name of the Nimda mutex and plants itself on that computer, but ahead of the original mutex in the start-up queue. Then it reboots the machine. Because Mullen鈥檚 mutex gets activated first in the reboot process, the Nimda mutex never gets to run. Instead, Mullen鈥檚 mutex produces a pop-up window telling the user of the guilty computer that it has been spreading the Nimbda worm, and that one of the recipients has retaliated.
Aside from perhaps giving the user a bit of a surprise, Mullen鈥檚 software is fairly harmless. But the mere idea of sending instructions to an unwitting person鈥檚 computer prompted a huge debate. After all, a counterstrike could be far more aggressive: it might consist of code that enters an infected computer and stays there, blocking outbound traffic, preventing the worm from spreading. This would prevent a user on the infected system from surfing the web or updating their virus software. Or the code could program the computer to shut down as soon as it is booted up, making it almost impossible to use at all.
Mullen鈥檚 software stopped well short of these actions. But the very idea of striking back created a sensation in the online security world, and made him a hero 鈥 or a villain, depending on your point of view. 鈥淢ost of the security people lost their minds,鈥 Mullen says. 鈥淭hey said, oh my god, you鈥檙e an idiot! That鈥檚 not the answer! So I said, 鈥極K then, what is the answer?'鈥
Rapid response
Perhaps it is iSIMS, the new product from Symbiot that is causing such a stir. When iSIMS senses a computer it is defending has come under attack, it begins by analysing the type of attack 鈥 possibly an intrusion, virus or worm 鈥 determines its origin, calculates how much it will cost a company if it succeeds, and suggests possible responses. All businesses running the software are linked in a network which pools data and helps in the analysis. It is up to the individual client, not Symbiot, to decide what action to take.
Some of the responses are purely defensive: blocking traffic from a certain site; diverting traffic to a honeypot; limiting the amount of bandwidth particular senders can take up; or diverting certain incoming traffic 鈥 such as data coming from a region where the company has no customers 鈥 for closer observation.
If these measures don鈥檛 work, iSIMS can get tough. For instance, a victim can choose to 鈥渢ag鈥 a hacker 鈥 allowing him to steal certain information that appears valuable but actually contains code that stamps all data packets from the hacker鈥檚 computer with a tag stating, in effect, 鈥淚鈥檓 a known attacker鈥. This tag will be recognised by all subscribers on Symbiot鈥檚 network. Another measure is called 鈥渁ttack reflection鈥. Here, iSIMS alters the routing data on a packet containing malicious code so that it gets sent back to where it came from.
As a last resort, iSIMS can send code to the attacking computer to put an end to the attack. Symbiot spokesman William Hurley will not reveal exactly what the code could do, saying it is proprietary, but says it 鈥渃ould be seen by some as malicious code鈥. But almost certainly this option would only be used after repeated attempts to resolve the problem with internet service providers and law enforcement. 鈥淭he process could take days, weeks or even months,鈥 he says. 鈥淭he key is responding appropriately to the type of attack.鈥
But whichever way you look at it, Symbiot鈥檚 software enables its customers to invade other computers, and that is what has critics up in arms. 鈥淭his type of thinking comes from a small number of security professionals, ones I鈥檇 consider hotheads, who want to get back at people,鈥 says Eugene Schultz, an engineer at Lawrence Berkeley National Labs who has testified before the US Congress on computer security issues. 鈥淚t鈥檚 a vigilante mentality, and it just seems so irresponsible.鈥
Symbiot is well aware of potential criticism and is stepping carefully. Before releasing iSIMS, it issued a white paper on the 鈥渞ules of engagement鈥, which describes the company鈥檚 recommendation that counterstriking is only justified when all else fails.
And critics fear that any counterstrike software, whatever the built-in safeguards, could lead to attacks on innocent bystanders. Take, for instance, one of the fastest-growing threats on the internet: dispersed denial of service (DDoS) attacks. Here, a hacker sends out a program 鈥 perhaps via an attachment embedded in an email 鈥 instructing hundreds, thousands or even millions of computers to simultaneously send nonsense requests to the servers belonging to a particular company 鈥 let鈥檚 call it company X. The owners of those millions of 鈥渮ombie鈥 computers may be entirely unaware of anything untoward going on, but company X is overwhelmed with requests and stands to lose large amounts of money as its online operations are effectively shut down. If company X tried to fend off the attack by retaliating, the target would be the zombies. And that鈥檚 one of the key objections for opponents of counterstriking, because those zombies could belong to anyone: individuals, small businesses, high schools, hospitals 鈥 even you.
But are the zombies really innocent bystanders? Maybe not. Mullen says computer users who don鈥檛 take basic precautions 鈥 like installing virus protection and a personal firewall, and keeping their software updated with the latest security patches 鈥 are partly responsible for the spread of virulent worms. 鈥淭hese people are like drunk drivers,鈥 he says. 鈥淭hey think they can plug a computer into the wall and leave it on all the time without any responsibility for what they are doing.鈥 Symbiot takes a similar line. 鈥淎n infected machine, one no longer under control of its owner, is no longer an innocent bystander,鈥 the company told New 杏吧原创.
But even if zombies do bear some responsibility for the damage their machines to do, there is another group of potential counterstrike victims who are clearly blameless. These are the people whose addresses have been intentionally 鈥渟poofed鈥 by a hacker: in other words the hacker sends out malicious code that appears to come from the innocent victim鈥檚 address. What if counterstrike software were deployed against a target that was in fact a spoofed address? It is even possible to envisage an elaborate plot in which an unscrupulous small operator lures two larger rivals into a shooting match by convincing each one that it is under attack by the other.
Steve Mead, a computer scientist with the US National Institute of Standards and Technology, knows from personal experience how easily such a firefight could start. Before he joined NIST, Mead ran a small IT support company, and he had designed a software program to monitor suspicious activity on his servers. If the program detected overtly hostile activity, such as aggressive scanning of ports into the system, it would launch an automatic counterstrike in the form of an aggressive scan of his attacker鈥檚 computer. The sheer quantity of activity Mead鈥檚 program would generate should bring the attacking computer grinding to a halt in a matter of minutes.
Mead asked a hacker friend to test the system by acting as an attacker. His friend obliged. Everything appeared to work fine. Mead saw his system light up as it retaliated against his friend鈥檚 computer. He called his friend to thank him, but then learned, to his horror, that his friend had spoofed the FBI. Mead鈥檚 computers were now striking back at the FBI.
In a panic, Mead shut everything down. The counterstrike had only lasted about 15 minutes, and Mead never heard from the FBI about his attack on its system, but he learned his lesson and disabled his program. 鈥淚 really didn鈥檛 ever think of that possibility,鈥 he says. 鈥淭hey probably could have tracked it back to me, and I don鈥檛 think they would have had a sense of humour about it.鈥
But even if counterstriking can leave companies badly burnt, that doesn鈥檛 mean it鈥檚 always wrong, its advocates insist. 鈥淭he men and women who work the trenches of system administration know that fast-spreading worms like Nimda are a real problem that must be addressed,鈥 Mullen argued in 2002 in the online journal SecurityFocus.com. Curtis Karnow, an attorney specialising in e-commerce, security and privacy at the San Francisco office of the law firm of Sonnenschein, Nath & Rosenthal, has some sympathy for that view. 鈥淚f you do it right and stop the bad guys, no one is going to be mad at you,鈥 he says.
But others insist this is wrong in principle. 鈥淵ou cannot take matters into your own hands,鈥 says Bruce Schneier, who founded IT security company Counterpane Internet Security in Mountain View, California, 鈥渨e have controls in the legal system. Removing them is very dangerous to society.鈥 Marc Zwillinger, who like Karnow is a Sonnenschein attorney, takes a similar view. 鈥淭he Internet is not the Wild, Wild West,鈥 he says. 鈥淭here are lots of laws, and lots of enforcement.鈥 And at MIT, Schiller, despite his woes dealing with hackers, also comes down against counterstriking.
So what鈥檚 the alternative? Sound laws and effective enforcement, perhaps. But even the FBI admits that they don鈥檛 always work. 鈥淲hen you鈥檙e dealing in the cyber realm, everything is so fast,鈥 says Erkan Chase, who is head of the FBI鈥檚 Criminal Computer Intrusion unit in Washington, DC. 鈥淲hen you鈥檙e getting hit with a DDoS attack, the system administrators are two feet deep in it,鈥 he says, 鈥渢he FBI gets called after they鈥檝e gotten a handle on the situation.鈥
Perhaps there are other ways to make the internet safer: better education for home computer users and less vulnerable software. But most agree that the only way to attain 100 per cent security on the net will be to change its very nature. A totally secure web would be one where snippets of code are not passed from computer to computer, where nothing can happen except clearly defined activities like loading a web page or reading email.
But such strict control of activities on the internet could be the worst outcome of all. There is one type of person who bothers Schiller even more than hackers, and that鈥檚 rule makers. 鈥淭he big risk is that the troublemakers could easily be used as the excuse for draconian measures,鈥 he says. 鈥淒umb down the internet, and all you could use it for is email and web browsing. That would be a shame.鈥
