
PCPro-Computing in the Real World Printed from www.pcpro.co.uk

Analysis

Hack the hackers

Posted on 27 Jan 2005 at 14:43

Controversially, iSIMS can mount counter-strikes at three levels of ferocity. First, there are what Symbiot calls 'invasive techniques'. This level of retaliation involves gaining access to the attacker's system with a view to 'disabling, destroying or seizing control over the attacking assets'.

The second level is the 'symmetric counter-strike'. This targets the hacker's system in line with the level of the initial attack. So if the hacker backs down, so will iSIMS.

Most severe, and most controversial, is the 'asymmetric counter-strike'. This level of retaliation fights back out of all proportion to the original attack. Retaliation at this level can even strike against distributed threats such as a DDoS zombie army. Worryingly, a user can launch a pre-emptive attack. Clearly, these options are illegal under the laws of many countries, including the UK, so how do the tool's writers avoid arrest?

Symbiot said it co-operates with law-enforcement agencies and continually evaluates the legal aspects of iSIMS's offensive capabilities. There is no reason why a Symbiot customer cannot just use the identification and frustration capabilities iSIMS provides to keep a hacker online for long enough to discover their identity, then pass everything over to the police. The company is at pains to stress that its customers must obtain appropriate legal advice before using iSIMS, and in some instances, Symbiot will supply it only with the counter-measures disabled.

The company also produces an open-source version of iSIMS. This combines standard network security tools with a graphical front end that enables the user to assess incoming threats, but does not have the ability to launch a counter-attack. Given that tools to execute exploits on vulnerable machines are available freely on the Internet, can angry users extend OpenSIMS' capability on their own?

'OpenSIMS is neither a preventative nor proactive security system,' said CyberArmy's Ward. 'Rather, it is a security infrastructure management system. This means that OpenSIMS will sit on top of any existing security measures and offer a unified management system. Though it is worth noting that OpenSIMS has a framework that allows for preventative and counter-measure systems.'

Could a company arm itself with OpenSIMS, teamed with a choice of exploit tools downloaded from hacking sites? 'This is not the case [in the basic product],' said Ward. 'Symbiot does, however, have an attacker database. This could be misconstrued as being a sort of weapon to use against hackers. However, its role is very much like an intrusion-detection system ruleset or a virus definition file: to identify and offer counter-measures.'

Law and disorder

Technically knowledgeable users are keen to fight fire with fire and the necessary tools and skills are becoming available. But anyone considering this approach should bear in mind that identifying the true source of an attack remains difficult. A hacker may break into a chain of servers and launch an attack from the last, or may recruit an army of innocent, if poorly protected, bystanders to do his or her dirty work. Symbiot's publicity material neatly sums up the other side of the argument, though: 'An infected machine... is no longer an innocent bystander'.

We need strong laws against increasingly unpleasant online criminals, but these are useless without the resources with which to enforce them. Until those resources are available, more people will strike back in anger regardless of whether the law permits it. With the potential for misdirected counter-strikes, patching your systems remains the top priority.

Author: Jon Thompson
