[IP] Firm retaliates against cyberattacks; some fear it will make matters worse

To: Ip <ip@xxxxxxxxxxxxxx>
Subject: [IP] Firm retaliates against cyberattacks; some fear it will make matters worse
From: David Farber <dave@xxxxxxxxxx>
Date: Mon, 21 Jun 2004 09:50:26 -0400
List-help: <http://v2.listbox.com/doc/help_sub?list_name=ip@v2.listbox.com>
List-id: <ip@xxxxxxxxxxxxxx>
List-software: listbox.com v2.0
List-subscribe: <mailto:subscribe-ip@v2.listbox.com>, <http://v2.listbox.com/subscribe/?listname=ip@v2.listbox.com>
List-unsubscribe: <mailto:unsubscribe-ip@v2.listbox.com>, <http://v2.listbox.com/member/unsubscribe/?listname=ip@v2.listbox.com>
Reply-to: dave@xxxxxxxxxx
Sender: owner-ip@xxxxxxxxxxxxxx

Firm retaliates against cyberattacks; some fear it will make mattersworse



Monday, June 21, 2004
By Matthew Fordahl, The Associated Press

SAN JOSE, Calif. -- In war, politics and sports, it's often said thatthe best defense is a strong offense. But the foot soldiers of computersecurity work differently: They scramble to build virtual walls thatcan blunt the impact of attacks.





Harry Cabluck, Associated Press

Now, a Texas company wants to bring vigilante justice to cyberspace.

Symbiot Security Inc. says its new Intelligent Security InfrastructureManagement Systems not only defends networks but lets them fight back,too. Symbiot says the product is already in use in some corporate,government and military networks.

Though the notion of striking back against "bad guys" may satisfyprimal urges, most security experts question whether retaliation willactually halt cyberattacks. Instead the skeptics worry that fightingback could trigger lawsuits, Internet traffic jams and more digitalonslaughts.

Ideas about going on the offensive against Internet attackers "havebeen bounced around for a while," said senior analyst Jesse Doughertyof the security firm Sophos Inc. "But I don't think anyone has beenfoolhardy enough to actually to form a company around the concept."


Until now, that is.

The offering, known as iSIMS, comes amid growing frustration overcomputer intruders. The U.S.-government funded CERT Coordination Centerbased at Carnegie Mellon University's Software Engineering Institutehandled 137,529 computer security incidents in 2003, up from 82,094last year and 52,658 in 2001.

Hackers, worms and data attacks are costing companies dearly, and openthe door to identity theft and the loss of intellectual property.

"Make no mistake," reads a document on Symbiot's Web site, "we are inthe midst of an information warfare conflict which we have not beenfighting."

Symbiot's iSIMS consists of hardware, software and support services.Much of it is focused on traditional defensive measures, like blockingunwanted traffic or deflecting it to where it can do no harm. But itcan also escalate the response and return fire.

In documents on the Austin, Texas, company's Web site, Symbiotadvocates a gradual escalation of action based on the best informationavailable and the customer's preference.

However, privately held Symbiot won't reveal what shape the mostaggressive attacks might take. It also won't say whether any iSIMSclients, whom it will not name, have taken aggressive offensivemeasures. It did say, however, that iSIMS has been deployed on "severalenterprise, government and military networks."

"When we're talking about this, the technical details become extremelyimportant," said Tim Mullen, chief software architect of the secureaccounting program maker AnchorIS.

Mullen, who has no relationship with Symbiot, says he supports strikingback in certain situations.

A position paper attributed to Symbiot's executives and posted on itsWeb site broadly outlines the counter-strike philosophy. "On the Rulesof Engagement for Information Warfare" says computer intrusions deservea response in kind -- including "asymmetric" countermeasures that caninclude flooding the attacking computers with data, rendering themInternet-blind, and other measures to neutralize the problem.


Such actions could be disastrous, experts say.

The Internet is made up of countless interconnected devices, and anyinnocent routers between the attacker and retaliator would suffer atleast twice in a counterstrike. In most cases, the identity of theattacker isn't clear. Other times, the "attacker" could be thousands ofcomputers whose users have no idea their machine is infected with avirus.

Symbiot said much of the criticism of iSIMS has been lodged by peoplewho aren't familiar with the product. Still, its executives declined toreveal details, and turned down a request for a telephone interview.William Hurley II, Symbiot's vice president of corporate development,cited "demands to our schedule," though he did accept questions viae-mail and sent back answers, which he insisted be attributed to thecompany or to its management.

The responses mirrored the content of Symbiot's Web site, whichdescribes the 18-employee company as "emerging as a leader" in securityinfrastructure management. The company described the initial responseto iSIMS, which officially launched in April, as "overwhelming."

Symbiot said the system collects data from all its customers, tracksattacks and attackers and analyzes each incident for the potentialmonetary impact and offers a "risk score." The company says anydecision to take action ultimately resides in its clients. It offers nolegal indemnification.

Symbiot acknowledged that strong offensive responses are notappropriate for attacks that are difficult to track. But even caseswhere it's possible to track down an attacker can lead to trouble.

For instance, if a hacker takes advantage of vulnerabilities onmultiple PCs to relay the assault through them, then the victim cantrace it by exploiting the same vulnerabilities as the initial act.

"So you are in effect breaking into each of those systems as you followthis person back," said Adrian Vanzyl, chief executive of the securityfirm Seclarity Inc. "Are you legally liable for that? It's a very, verygood question."


In the past, some attempts to fight fire with fire have misfired.

A week after the MSBlaster worm took advantage of unpatchedWindows-based computers last August, a variant dubbed Welchia wasreleased. It exploited the same flaw as MSBlaster but also attempted toinstall the patch that fixed the vulnerability.

As it did so, Welchia clogged networks even as it sought machines tofix.

"We've seen worms that have had major impact like causing delays inairline schedules, shutting down ATM machines, 911 systems and so on,"said Dorothy Denning, a professor of defense analysis at the NavalPostgraduate School. "Putting any kind of worm out there would bedangerous."







(Symbiot's rules of engagement: www.symbiot.com/media/iwROE.pdf)

<http://www.post-gazette.com/pg/04173/335081.stm>

-------------------------------------
You are subscribed as roessler@xxxxxxxxxxxxxxxxxx
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/

Prev by Date: [IP] more on TERROR OVER INTERNET PROTOCOL?
Next by Date: [IP] Vint Cerf: Net's moving into iron age [TECH UPDATE]
Previous by thread: [IP] more on TERROR OVER INTERNET PROTOCOL?
Next by thread: [IP] Vint Cerf: Net's moving into iron age [TECH UPDATE]
Index(es):
- Date
- Thread