Wednesday 30 September 15:00 - 15:30, Red room
Morton Swimmer (Trend Micro)
Nick FitzGerald (Independent researcher)
Andrew Lee (ESET)
How do you win a game when the rules don't let you?
You change the rules!
In the computer security field, one possible game changer is aggressively fighting back. Star Trek's fictional James T. Kirk changed the Kobayashi Maru simulation from a no-win situation to one with a winning solution, but can we do the same? What are the ethical and legal challenges?
The dilemma stems from the fact that fighting back has consequences: sometimes technical, sometimes ethical, sometimes legal. In a world where pointing Nmap at someone else's host is considered more than just impolite, using an exploit to gain control of an alleged C&C server, which is probably illegal in most countries anyway, is stepping well over the line. But not changing the rules means we persist in staying one step behind the criminals. This is not satisfactory, as everyone appears to be losing in this scenario, except the criminals.
In this paper we will present various real and hypothetical scenarios of fighting back. For example: sinkholing; SSH honeypots that counter attack (yes, this is real); abusing open directories; hacking C&C servers; taking over botnets by either hijacking the C&Cs or buying them; shutting down DHT-based botnets; modifying phishing pages so they no longer work; using DDoS attacks against criminal infrastructure; and so on. We are not advocating any of these aggressive methods, and what we lay out in the paper is unlikely to be exhaustive. However, we will discuss where we, as the authors, see the boundaries of what we can do so that the readers come away with a better ethical framework for their own activities.
This discussion is long overdue as some mild forms of aggressive defensive tactics have already been tried, and some common daily working activities of security analysts may have potential legal consequences where few currently imagine there might even be ethical considerations. In some cases, the law is in conflict with what may seem like 'technical common sense'. However, these laws usually have solid foundations and being seen to violate them, even if there are no likely legal consequences, can have negative effects on cooperation with other companies and/or law enforcement agencies, or on public perception. We see this not as a final statement on the matter, but the beginning of a discussion that should accompany our actions in this new frontier.
Morton Swimmer was born in New York City, raised there and in Hamburg, Germany, then studied in England and Hamburg. It was at the University of Hamburg that he came to study computer security under Prof. Dr. Brunnstein, and in 1988 he co-founded the Virus Test Center. He started his first anti-virus business in 1991, which was bought by S&S International UK. Then, in 1996, Morton joined IBM Research in New York to work on IBM Antivirus and create the Digital Immune System, which was bought a few years later by Symantec. The next switch was to IBM Research in Zurich, Switzerland, to research the applicability of intrusion detection techniques to the anti-virus field with one of the world's leading research groups in intrusion detection. From this research, the DIMVA Conference was formed. Somewhere along the way he got his Ph.D. with a thesis on malware intrusion detection. In 2007, he became an associate professor at CUNY's John Jay College of Criminal Justice, and in 2008 he joined Trend Micro, where he still works, with only a brief stint in between at Intel Security. He is now based in Germany.
Andrew Lee brings to ESET a unique blend of corporate and security expertise. Having served as Chief Research Officer at ESET from 2004 to 2008, Lee was responsible for building ESET's reputation as a world-class research organization. Prior to accepting the role of CEO at ESET in January 2011, Lee served as Chief Technology Officer for K7 Computing, an anti-virus software and Internet security company, where he was responsible for all aspects of K7's technology, leading acquisitions and bringing new products to market. Mr. Lee is a founding member of several of the most respected organizations in the field, such as AVIEN and AMTSO, international non-profit associations that focus on addressing the global need for improvement in the objectivity, quality and relevance of anti-malware testing methodologies. A frequent speaker at industry conferences, ISC2 seminars, AVAR, Virus Bulletin and EICAR, Mr. Lee is a widely published author of articles on anti-virus and security and co-authored the "AVIEN Malware Defense Guide" with current ESET researcher David Harley. Andrew Lee holds an MSc degree in Computer Security from the University of Liverpool.