Hacking the Hackers: The Legal Risks of Taking Matters Into Private Hands
Imagine you're a security professional at a large financial institution monitoring the firewall and taking note of the varieties of malware that attack on a daily basis, how they operate, and what makes them tick. The security and IT teams disarm them and patch whatever holes are uncovered. Each day brings new attacks, so much so that a lack of malware would likely indicate a downed detection system, not that attackers have gone on holiday. Often you'll see an updated version of yesterday's and last week's attack, and you expect another version to come around soon.
Other banks are being hit with the malware, and, like your security partners, you know that this familiar hack has come from a botnet, a collection of hacked computers doing work on behalf of the host, who almost certainly is sitting comfortably behind a desk in Eastern Europe.
What do you do?
There's no right or wrong answer. You may quietly attend to the malware. You may also share information about it with a network of security teams at other banks through some authorized communication channels. If it seems serious enough, you may also alert government agencies like the Secret Service or the FBI. But at the end of the day, there's not much you can really do to stop the next wave of malware from the attacker. Even if you could pin down the person responsible with strong evidence, the US has no influence in Eastern Europe, and those countries will not lift a finger to extradite their citizens for participation in crimes outside their borders. Even if hacking is illegal in that country, it is unlikely the perpetrators will be charged for it domestically.
Chances of change seem slim, but that doesn't sit well with everyone. As often happens when an official system fails to yield desired results, an alternative, unofficial, even underground solution will emerge. So it shouldn't come as a surprise that some security professionals are fighting back. These are digital vigilantes, and they are hacking the hackers.
Over the last few years, there's been a proliferation of invite-only groups with hundreds of sophisticated IT security professionals from major banks and financial institutions and other security researchers. These groups operate informally alongside official bank communication channels, and bank managers may or may not be aware of their existence, according to sources who spoke on the condition of anonymity. This would vary from bank to bank.
Their collective interests and goals of policing the networks lead members to share sensitive information among themselves, so that they can learn from the attacks on one another and be prepared for them. The group also enlists the help of security researchers to analyze malware and assist in organized attacks to wipe out the source of a threat.
In essence, in the face of a hands-tied government, private groups are taking matters into their own hands. But this vigilante work has consequences.
[Do you aspire to the C-suite, or some other spot in upper IT management? Then bulk up your credentials around today's most pressing IT movement, digital business, at the InformationWeek IT Leadership Summit.]
From the start, digital vigilanteism has been a grey area of moral and legal correctness. In order to collaborate, there has to be a shared flow of information, which can include information about a bank's firewall and security protocols. Such information is supposed to be kept internal and highly secured. So even with the best of intentions, these vigilantes are breaking countless corporate rules.
To see how dire the consequences can be, one only has to look at the case of the programmer Sergey Aleynikov who was arrested one month after leaving Goldman Sachs. He was convicted of stealing computer code and sentenced to eight years in federal prison. According to one source, because of the career risks and potential jail time, and because they are so close knit, many group members are acting without informing or seeking consent from their security colleagues or management.
Breaking into somebody's computer, even if it belongs to a hacker in Russia who just hacked you, is illegal. It's the same as if you broke into a robber's house to take back your stolen jewels. Intention does not justify the crime of breaking and entering.
As with any other battle, there's also a risk of hurting innocent bystanders. The goal is to shut down hackers at the source, but that often involves going through botnets, networks of millions of infected PCs that report to a central server. Famously, the botnet known as Zeus has 3.6 million in the US alone, and BredoLab was up to 30 million at one point.
Botnet PCs are remotely controlled and often used to coordinate a large-scale denial of service attack, send spam, and deploy spyware. To interrupt the botnet, security experts need to navigate this nebulus to gain access to and destabilize the command and control infrastructure (preferably with the element of surprise).
To get a bit technical, the command and control infrastructure is distributed, as well, which makes it that much tougher to shut down. The bots connect to various URLs, chat rooms, etc. to check for instructions. When somebody wants to issue an instruction, it can be posted on one of those websites or chat rooms. Software experts analyze malware to find the URLs that the malware connects to for instructions, so that those domain names can be blackholed, thereby preventing communication. (This works only until a new variant of the malware using different URLs comes out.)
The reason to try to hack all the way back to the hacker in charge is to figure out how that hacker controls the botnet, so you can dismantle it easier through technical methods or figure out who the hacker is and try to get him prosecuted. According to the source, this kind of justice is served all the time.
Unfortunately, a technical error may disrupt service for the thousands of unknowing victims in the botnet. It can knock systems offline, either directly or as a result of blackholing the associated domain names. These may be personal or corporate computers, so the consequences of a technical blip during an attack vary. Maybe it's a retailer using the computer to run logistics on shipping, and a few orders are backed up as a result. But imagine a hospital's computer is used for patient scheduling. An interruption could prevent doctors from seeing their schedule. Maybe someone would miss a surgery. In a worst-case scenario, someone could die as a result. Imagine the damning headlines if it were traced back to a rogue security employee at a major bank.
Perhaps it's only a matter of time before something truly shocking occurs from the actions of digital justice crusaders, but the fact is that institutions do somewhat illegal things all the time to stay on top of security protocols. What's more, it is proving effective. One simple example is the monitoring of Rescator.cc, a site where hackers can flip stolen credit card information. It's where cards stolen from the Home Depot were sold, and many banks that monitor such sites noticed the large batch of newly uploaded cards from a single seller.
When big uploads like these occur, banks want to discover where the seller is getting the credit information. Some purchase a handful of cards and run fraud analysis software to find the common denominator. Findings are passed on to the Secret Service or the retailer to alert them of the security breach. Surely, the ends justify the means, but have the curious security researchers, in the good-intentioned act of discovering the source of fraud, now funded the hacker by buying some stolen cards for analysis? Should they be penalized for those actions or congratulated for their efforts?
Ransomware is also a special case with interesting consequences. The malware encrypts your hard drive and offers to sell you the key to decrypt it. It's no big deal if you have good backups, but many do not. Sometimes it's cheaper just to pay the ransom, even if you're a police department.
Many of the people involved in what we would call vigilante activities are working very hard to figure out how to generate the decryption keys on their own to help victims for free. This could include hacking the server that processes payments in order to grab the algorithm being used to generate keys. Now think of the consequences if someone were to take down the systems processing the payments (intentionally or accidentally) and send out the decryption keys. This would prevent the perpetrators from profiting from their crime, but the victims would have no way to recover their files unless someone had figured out how to generate keys.
These questions help explains why past attempts at monitored forums for financial security teams haven't really taken off, while more covert invite-only groups have. It is important for players in the space to be collaborative and communicate efficiently about malware, vulnerabilities, and breaches, but they are still talking about and taking actions in legal grey areas. They'll want messaging to be ephemeral, not organized and certainly not achieved in forums that can be used against them one day.
For the cause
Involvement in semi-illegal operations is a risk to a career and can lead to heavy fines and jail time, so what's the motivation? Why take the risk?
Certainly, there is an element of wanting to take matters into your own hands, to give hackers a taste of their own medicine, and to do some good for the world of security by temporarily disarming a threat. But mostly, there's a pride in taking tricky malware apart and building a clever counterattack. For those with the determination to narrow in on their prey and see them taken off the grid, it's sport. It's fun.
Of course, without the ability to toss cyber criminals behind bars, the victory of knocking out a hacker is at best temporary. If the counterhack is successful, perhaps the command and control infrastructure will be out of commission for weeks or months while the botnet is painstakingly rebuilt.
As long as other countries tolerate or actively support hacking and refuse to prosecute or extradite, foreign hackers will continue to wage war against US institutions. It is worrying that private groups are fighting back with the aid of sensitive corporate information, but there's an argument to be made that, given the political handicaps, there is a significant role private actors are taking in leveling the playing field.Becca Lipman is Senior Editor for Wall Street & Technology. She writes in-depth news articles with a focus on big data and compliance in the capital markets. She regularly meets with information technology leaders and innovators and writes about cloud computing, datacenters, ... View Full Bio