“It’s an ill wind that blows nobody any good” ~ Unknown
Yesterday I was reading a really interesting (to me at least) thread on Twitter (right here) that posed a relevant question (to me anyway) asking ‘does the text of the new CISA bill allow for ‘hacking back’, or as I prefer to call it ‘surprise adoption’ in the context of offensive cyber countermeasures.
You may or may not be aware of the fact that aside from the obvious threat from online radicalization of homegrown terror actors, US assets, not just government assets, but private, corporate infrastructures, your assets and my assets are under attack CONSTANTLY. And I mean constantly. If you don’t believe me and you want a LIVE real-time view of who and what’s hitting this nations cyber ‘stuff’ right now all you need to do is CLICK HERE on any given Sunday, or right now if you are feeling adventurous.
For those who don’t like clicking links here’s a screenshot from 2 seconds ago as I write this post:
What you are seeing there is both nation state sponsored and individual attacks coming into US IP space, and there’s hundreds of them every minute of every day. In the US we are lucky enough to have the 2nd Amendment, and in many states the Castle Doctrine. This is a legal doctrine that:
“…designates a person’s abode (or, in some countries, any legally occupied place [e.g., a vehicle or workplace]) as a place in which that person has certain protections and immunities permitting him or her, in certain circumstances, to use force (up to and including deadly force) to defend himself or herself against an intruder, free from legal responsibility/prosecution for the consequences of the force used.”
Now consider this.
In this age of ‘cyber’ much of our lives and most all of business conducted relies on infrastructure, servers, etc. Privately owned. And they are under attack from malicious threat actors both foreign and domestic. yet we do not officially have any right to protect these critical online assets, by force if necessary. As you know I’ve been conducting my own offensive countermeasures for 5 years now, but by the letter of the law, some of the actions I have taken (against well documented enemies nonetheless) are illegal. I’m not sure how I feel about that. I have always said however, that if “I am convicted by a jury of my peers and sent to the joint, then the justice system will have been served. And similarly if I am not”. That’s because I believe in what I am doing, and am willing to do whatever is necessary. I guess in that sense I’m the same as the bad guys, because so do they. The bastards.
Here’s a crazy notion…
A ‘Cyber 2nd Amendment’. A ‘Cyber Castle Doctrine’. Right now, almost EVERYTHING cyber security wise is geared towards a DEFENSIVE SECURITY POSTURE. And defense is perfectly fine and totally necessary, it’s a tough job. But what if there was some degree at least of OFFENSIVE COUNTERMEASURES that could be deployed against these well known attackers that are constantly slapping our infosec teams all of the country and overseas around on a daily basis.
OpenSSL is an open-source implementation of the SSL and TLS protocols. These protocols are used pretty much everywhere secure connections are required. Last year we had the ‘Heartbleed’ scare, some of you may remember it. I myself exploited the vulnerability on a number of occasions in the first week after the zero-day announcement was made.
Today the internet is gearing up for another 7-alarm fire, again concernning OpenSSL and not one, not two but THREE new severe vulnerabilities in this same widely used implementation of SSL. Here’s the new CVE’s (click the image for an enlarged view).
CVE-2015-0209 and CVE-2015-0285 and CVE-2015-0288
At the top of this post, as is traditional now, I put a quote; “It’s an ill wind that blows nobody any good” this basically means even misfortune can benefit someone or something. Overnight and tomorrow and beyond security teams will be on full scramble working really hard to patch these severe vulnerabilities in a core technology. As it should be.
But… these same vulnerabilities that affect the good guys, also affect the bad guys.
Wouldn’t it be awesome if as well as the very necessary DEFENSIVE POSTURE, we also had the capability for equal but opposite teams of good guys to rapidly exploit this and start dealing out some goddamn Kraken on these penis wrinkles who are whacking our ‘cyber stuff’ every single minute of every single day, even if only for ‘intel collection’ purposes. (Call it what you like). Start occupying the same cyberspace as these fools (here’s a very small scale example of this strategy working, since this I have had zero problems). Instead of just running around like headless chickens on a zero-day, have a squad working the flip-side, to turn something traditionally seen as ‘bad’ into something we can use to our advantage. It is possible and apparently, there’s some that would say I’m living proof. We need to start thinking about weaponizing for this ‘new’ battle-space.
If it makes you feel any better, think ‘Cyber Minute men’… because make no mistake, it is a war.
Meanwhile as it things currently sit, ‘proof of concept code’ to exploit these new vulnerabilities is being developed and will be in the wild within hours if it isn’t already. Bad guys will be modifying it and using it to fuck with our shit. But bad guys are notoriously slow to patch their own stuff, so while they are doing that, I’ll be doing similar, to them.
Anyhow, just some (not so) random musings. I fully understand this isn’t a ‘solution’ by any means and ‘effective attribution’ needs to happen, but hope it might generate some quality discussion regarding a total defensive security posture versus a posture that combines both, because if we always do what we always did, we’ll always get what we always got.
Peace. And if you are new around this corner of the web, I’m on Twitter too.
There’s an unequal amount of good and bad in most things. The trick is to figure out the ratio and act accordingly.
FINALLY THIS SEEMS APPROPRIATE RIGHT ABOUT NOW: