Pia Landergren, IDG News Service\London Bureau
June 18, 2001, 06:09

With the rapid increase in security breaches leaving law enforcement struggling to keep up, some organizations are taking the law into their own hands and punishing hackers themselves.

Striking back at hackers with, for example, denial of service attacks is a sensitive subject, since doing so is illegal in most countries. However, security experts say the U.S. Department of Defense has used these methods. In addition, private companies use special firewalls and other counteroffensive software that can be set to automatically strike back at hackers, according to U.K. Internet security consultant and ex- hacker Mathew Bevan, among others.

Conxion Corp., an ISP (Internet service provider) based in Santa Clara, California, is one private company that acknowledges having reversed a denial of service attack on a group of hackers. When asked if giving hackers a dose of their own medicine is company policy, spokeswoman Megan O’Reilly-Lewis said, “We deal with it on a case-by-case basis.”

The World Trade Organization’s (WTO) Web site, which was being hosted by Conxion, was hacked into in late 1999. An organization called Electrohippies, or E-Hippies, bombarded the WTO Web page with download requests, which caused the Web service to slow down but not to crash completely.

“What our security staff did was to quickly write a script to reverse the traffic. Then they followed up with some more sophisticated methods,” said O’Reilly-Lewis. “It seemed to work fine,” she added.

“If they had been sophisticated hackers they would have easily avoided” the reverse attack, she said.

Hack attacks are clearly on the increase, and so are companies that specialize in tracking down the hackers.

“There’s a spectrum of things that we do,” said Bob Ayers, U.K. vice president of Para-Protect Ltd., headquartered in the U.S. The company uses an intrusion detection device with which it keeps tabs on a customer’s IT system. Ayers, a former U.S. military intelligence officer, described some of the actions companies can take when they discover an intrusion: “Disabling an account. Terminating the network link. We can go to the ISP and ask them to step in and take action.”

A company can also go beyond the e-mail address and find the person behind the crime. “You go pay him a visit,” said Ayers. “You talk to him and let him know that you’re not happy with what he is doing.” It might work, depending on your powers of persuasion, he added.

When asked if his company launches denial of service attacks on hackers on behalf of its customers, Ayers said, “I really don’t want to answer that question one way or another. All I can say is that the technology is there and how it is used is something I cannot predict.”

Both Ayers and another security expert, Winn Schwartau, president of IT security company Interpact Inc. in Seminole, Florida, and founder of security Web service Infowar.com, said that the U.S. Department of Defense has at least on one occasion launched a denial of service attack on hackers.

“Absolutely they have,” Schwartau said. “There was a group of pro-Mexicans (the Electronic Disturbance Theater) and they announced they were going to attack the Pentagon,” he said. “The Pentagon (the building that houses the department) knew about it. The Pentagon started shooting back, which was the right thing to do. However, it was illegal,” Schwartau said.

Not surprisingly, the Pentagon denies ever having used these methods.

“I am not aware that we have struck back at anyone with a denial of service attack,” said Susan Hansen, a spokeswoman at the Department of Defense. “We don’t discuss our specific security” measures, she added.

The number of malicious break-ins into companies’ computer systems is becoming alarming. The U.S. Federal Bureau of Investigation (FBI) found in a recent study that 85 percent of respondents had detected computer security breaches during the past year. The survey was based on responses from 538 security experts in various U.S. corporations and government agencies. Sixty-four percent suffered financial losses due to security breaches, and 186 respondents reported a total loss of almost $378 million. Thirty-eight percent of respondents detected denial of service attacks, compared to 27 percent last year.

According to a survey done by Schwartau, about one third of surveyed companies in the U.S. have already, or plan to, develop strike-back capabilities for possible hack attacks.

“Follow-up surveys in England found corresponding responses while an Australian survey found an even higher percentage of that country’s companies to be willing to strike back,” Schwartau said.

Hackers often make use of several computers along the way to their target, which makes it difficult for companies to launch a direct attack on the computer system the attack originated from. If someone has hacked into several computers, a vigilante may even end up striking back at an innocent bystander, whose computer has simply been used by the hacker. A sophisticated hacker can also make it look like an attack is coming from, for example, a company’s competitor.

One type of intrusion-detection equipment is a so-called honeypot, a machine that is set up to look like a network. It has false information, such as databases, installed to lure hackers to spend as much time as possible “inside” the machine. The way in, for a hacker, can be to figure out someone’s password, and to get in through the Internet. The longer a hacker is inside, the easier it is for the system administrator to find out the hackers identity, or IP (Internet protocol) address. Once that is known, the system administrator can launch a counterattack.

A denial of service attack is usually caused by someone sending more traffic to a network address than the server can handle, which causes it to crash. This can result in a Web site going down or a particular service, such as e-mail, becoming unavailable.

One industry insider does not believe in giving hackers a dose of their own medicine.

“I don’t believe in striking back, it would only invite further attacks,” said Mike Graves, European marketing manager at Hewlett-Packard Co.’s Internet Security Solutions Division, and based in Bristol, U.K.

“You may find yourself getting some publicity you don’t want. You may become a beacon for new attacks.” Hackers know each other and look out for each other, he added.

Graves’ suspicions are confirmed by ex-hacker Bevan.

“If my machine crashed and I’ve been hacking, say I was hacking into Barclays Bank, I would not give up then. If hackers gave up so easily there wouldn’t be any hackers. It’s the challenge” that keeps hackers motivated to keep going, Bevan said.

Some years ago, Bevan hacked into the U.S. Department of Defense?s computer system, a British Airforce base as well as many major corporations’ systems. He was charged with conspiracy to cause unauthorized modification to computers operated by the U.S. military and the Lockheed Martin Corp. missile and space company in 1996. Eventually, all charges against him were dropped.

“They were pushing a conspiracy angle,” but couldn’t prove it, Bevan said.

Being a hacker who was never punished, Bevan can understand why companies would want to take the law into their own hands and strike back. However, he insists the method would not work as it would only make him more determined to break the system.

Despite this, finding your own hacker tracker is not difficult. Some victims of hack attacks prefer to take a less drastic action than striking back directly. They hire companies such as Swedish Defcom AB, who specialize in finding hackers and then doing the police’s work for them; collecting enough evidence against the hackers to present the police with a clear case.

Thomas Olofsson is chief operating officer and recently found a gang of professional hackers for a customer. “This was the largest operation we’ve done,” said Olofsson. “We tracked down a gang of hackers who had used computers in different countries to hide along the way.”

“They had used a computer in South Africa and another one in the U.S. At last we found the source, a gang of hackers in one of the Baltic countries,” Olofsson said.

But catching hackers is just one of the first steps in a long process of bringing them to justice.

“What happens if a hacker in the U.K. breaks into a system in South Africa, or in the U.S.?,” said Ayers. “Where did the crime happen? And who has jurisdiction? The police must cooperate across borders, and frankly the police are not very good at that.”

As Ayers says, the police just don’t have enough resources to catch all criminals and laws still haven’t caught up with Internet crime. Despite the efforts of hacker trackers, then, hacker vigilante methods are not likely to go away any time soon.

“If you’re a skilled computer (person) you ain’t gonna go work for the U.K. police force for 20K (20,000 pounds (US$27,800) a year).” You’re going into the private sector, he said, adding, “It’s riskier to walk across Clapham Common (in London) at night than it is to enter into cyber crime.”

Para-Protect, headquartered in Centreville, Virginia, can be contacted online at http://www.para-protect.com/. Conxion, in Santa Clara, California, can be contacted at http://www.conxion.com/. HP, in Palo Alto, California, can be reached at http://www.hp.com/. Interpact is at http://www.interpactinc.com/.