Hacker Tactic: Holding Data Hostage
June 23, 2014
The perpetual cat-and-mouse game between computer hackers and their targets is getting nastier. Cybercriminals are getting better at circumventing firewalls and antivirus programs. More of them are resorting to ransomware, which encrypts computer data and holds it hostage until a fee is paid. Some hackers plant virus-loaded ads on legitimate websites, enabling them to remotely wipe a hard drive clean or cause it to overheat. Meanwhile, companies are being routinely targeted by attacks sponsored by the governments of Iran and China. Even small start-ups are suffering from denial-of-service extortion attacks, in which hackers threaten to disable their websites unless money is paid.
Just days after the F.B.I. and international law enforcement agencies teamed up earlier this month to kill one ransomware program, CryptoLocker, which had infected over 300,000 computers, another pernicious program, Cryptowall, popped up and began spreading rapidly.
In response, more companies are resorting to countermeasures like planting false information on their own servers to mislead data thieves, patrolling online forums to watch for stolen information and creating “honey pot” servers that gather information about intruders. Last year, companies also spent roughly $1.3 billion on insurance to help cover expenses associated with data theft.
Some security experts are urging even more aggressive action. “Companies want better results than are being delivered by law enforcement,” said Stewart A. Baker, former assistant secretary for policy at the Department of Homeland Security. He questioned whether the National Security Agency, the F.B.I. or the C.I.A. had enough qualified counterhackers to stake out corporate networks and also whether those businesses would be comfortable giving the government more access to their networks.
Mr. Baker maintains that victims of data theft can reasonably argue that they have a right to follow and retrieve stolen data wherever the thief takes it. And, he added, federal law on the matter is so ambiguous that prosecuting a company for trespassing on the domain of a hacker would be difficult and highly unlikely.
“I do really believe there should be a Second Amendment right in cyber,” added Jeffery L. Stutzman, vice president of Red Sky Alliance, referring to the right to bear arms. His company coordinates intelligence sharing for many of the world’s top corporations. Virtually all of them are weighing how aggressive to be in combating hackers, he said.
In 2011 Michael Hayden, former director of both the C.I.A. and the N.S.A., suggested that the government should consider allowing a “digital Blackwater” with paid mercenaries battling cyberattackers on behalf of corporations. But security experts warn that by taking matters into their own hands companies risk an escalating cycle of retaliation, lawsuits or Internet traffic jams.
What’s more, since cybercriminals typically hijack the systems of unwitting third parties to launch attacks, it is often hard to pinpoint targets for retaliation, said Orin S. Kerr, a professor at the George Washington University Law School. It is “kind of like a blindfolded partygoer trying to hit a piñata with a baseball bat,” he said. “He might hit the piñata but he might hit Aunt Sally, who happens to be standing nearby.”
Companies might also trip up law enforcement efforts or find themselves on the wrong end of a lawsuit if they inadvertently gain access to someone else’s server. And under many foreign laws, self-defense actions by private companies amount to espionage.
The Justice Department takes the stance that a company is most likely breaking the law whenever it gains access to another computer network without permission. At a panel hosted by the American Bar Association, John Lynch, chief of the computer crime and intellectual property section of the Justice Department’s criminal division, said that usually, when his office determines that companies have gone outside their server to investigate a perceived attacker, his first thought is, “Oh wow — now I have two crimes.”
There are, however, other ways to fight hackers that are both legal and effective, said Mr. Stutzman of Red Sky Alliance. His firm, for example, profiles attackers by keeping their pictures, phone numbers and other personal data on file. He is also an advocate of software that tags sensitive documents so that if they are stolen they self-destruct or transmit an alert to the owner.
Most security companies say the main objective should be raising the cost to hackers. CloudFlare, for instance, has developed a service called Maze, which it describes as “a virtual labyrinth of gibberish and gobbledygook” designed to divert intruders to bogus data and away from useful information. Other companies create bottlenecks to route attackers through security checkpoints.
It is fairly common for law firms to have their email read during negotiations for ventures in China, said Dmitri Alperovitch, a founder of CrowdStrike, a company that investigates hackers. So if a company knows its lawyers will be hacked, planting decoys can give them an upper hand, he said.
This month CrowdStrike unmasked a secret cell of cyberthieves linked to the Chinese Army that had stolen millions of dollars’ worth of data from military contractors and research companies, often by hiding its attack software in emailed invitations to golfing events.
Samir Kapuria, vice president of Symantec’s Cyber Security Group, recounted how his company helped a major manufacturer create bogus blueprints of a valuable product with a traceable but harmless flaw and left it hidden in its servers. When the manufacturer later found the planted blueprint for sale on the black market, he said, Symantec was able to help trace the leak to its source, fire the subcontractor and save the manufacturer tens of millions of dollars.
But there can also be unintended consequences when planting false information, said Dave Dittrich, a security engineer at the University of Washington. He offered a theoretical example in which a company intentionally inserts flaws into a faked vehicle design. “If someone plants false information to be stolen and used, and this results in the death of any innocent human beings,” he said, “there could be a good case made that the entity who planted the fake data is acting in a negligent and unjustifiable manner.”
In general, Mr. Kapuria of Symantec prefers a philosophical approach toward thwarting the legions of cybercriminals, describing the fight as “Cyber Sun Tzu — when the enemy is relaxed, make them toil; when full, make them starve; when settled, make them move.”
Chinese edition: Taking the Offensive Against Hackers
By Ian Urbina, June 23, 2014
Illustration: Viktor Hachmang