
Sunday, July 15, 2012

Cybercrime Defense: Think -- and Act? -- Like a Hacker


It is known in the industry as "active defense" or "strike-back" technology, and Reuters' Joseph Menn says that can range from "modest steps to distract and delay a hacker to more controversial measures," like hiring a contractor to hack the hacker -- something that could violate the laws of the U.S. or other countries.
Shawn Henry, former head of cybercrime investigations at the FBI, who recently cofounded a new cybersecurity company, CrowdStrike, to help companies respond to, as well as defend against, hackers, told Menn: "Not only do we put out the fire, but we also look for the arsonist."
This, say some experts, is a bad idea that amounts to vigilante justice, and will just lead to an escalating battle between hackers and companies that the hackers are sure to win. John Pescatore, formerly with the National Security Agency and Secret Service, who now leads research firm Gartner's Internet security practice, told Reuters, "There is no business case for it and no possible positive outcome."

Take the Initiative

At least one famous example from about 18 months ago was security consultant HBGary Federal. CEO Aaron Barr said he had identified leaders of the hacktivist group Anonymous and would sell their names to clients including the FBI. In response, Anonymous hacked HBGary, and posted more than 50,000 of its private e-mails. Barr resigned about a month later, at the end of February.
Still, there are some supporters of "strike back." Dr. Patrick Lin, director of the Ethics and Emerging Sciences Group at California Polytechnic State University, made what he called the "stand-your-cyberground" argument April 30 in The Atlantic.

While the focus of that article was the U.S. government being too constrained by international law to lead cyberdefense against foreign attacks, Lin told CSO at the time that self-defense is a basic right, authorized by the Second Amendment. He said it helped deter outlaws during the "Wild West" era. In modern times, commercial ships under attack from pirates are allowed to shoot and kill them, and bank security guards are allowed to shoot robbers, he said.
The same principle applies here, Lin said this week. While he agrees that escalation is a possibility, there would also be "the deterrent to others to not cyberattack a company that could plausibly respond in kind," he said.
"It's also reasonable to think that failing to respond to a cyberattack is an incentive for hackers to continue, if not escalate, their activities. This is a reason why bad neighborhoods tend to get worse -- they can, given the absence of reliable law enforcement or self-defense.
"I don't see how doing nothing will de-escalate a situation like this," Lin said. "A hacker is not like the angry drunk who will eventually run out of steam and pass out or sober up. If cyberattacks are still profitable, then they will continue or increase."

Build a Better Firewall

However, Rebecca Herold, an information security, privacy and compliance consultant who goes by the name "The Privacy Professor," stands with those who say the best defense is simply better defense. Layered security, she said, will make it difficult enough for hackers to look elsewhere.
There could be multiple unintended consequences of retaliation, she said. "Becoming what I call a boomerang cyber-attacker in response to being attacked could end up doing your own systems, your data and reputation harm, not to mention innocent victim systems," she said. "The bad guys, if they're smart, will lead you to other networks, not their own."

Herold said businesses focused on getting revenge on hackers "end up taking resources away from important business activities, and will likely leave gaps in security elsewhere."
"Plus, networks are now so complex, and consist of so many components, that a lot can go terribly wrong if an organization starts trying to have automated defensive cyber attacks on attackers," she said. "Many would likely end up being the Barney Fife of the cyberworld, shooting themselves in their own cyber foot and having their digital bullets taken away by regulatory oversight agencies after bad things have happened."
Herold said also that counterattacks wouldn't deter hackers. "If hackers know you will counterattack, that would likely attract more harmful types of hackers who are looking for the thrill of a conquest and subsequent bragging rights," she said.
Patrick Lin still argues that weakness is more of an invitation to hackers than a show of strength. "Perhaps some hackers will take [a counterattack] as a challenge, but they're not so much the rational adversary, who is motivated by profit," he said. "Just as some hackers and muggers may strike back harder if the victim resists or fights back, this minority group shouldn't drive policy that's otherwise reasonable and potentially more helpful than not."
In the case of modern-day pirates, Lin argues that allowing commercial ships to counterattack has not caused an escalation of conflict, "and it's hard to see why it would."
"Why shouldn't ships be able to defend themselves against pirates?" Lin said.
He agrees that letting law enforcement handle crime is best. "But in the case of cyber, there is no reliable law enforcement, and there isn't even an 'authority' we can appeal to," since there is a continuing debate in Congress over whether the Department of Defense or Department of Homeland Security should oversee cybersecurity laws.
Cyberattacks on industry amount to "a potential powder keg, and something is going to happen if government doesn't intervene and establish law," Lin said.

Monday, July 9, 2012

Aggressive Ad Providers Spy on 80 Million Mobile Users


Some advertising inside free apps for smartphones poses a threat to consumer privacy, according to a company that makes security software for mobile phones.
More than 50 percent of free apps embed advertising in their offerings provided by ad networks, according to Lookout Mobile Security. Some of those networks access personal information on the phones they're running on without clearly explaining what they're doing to users, recent research by Lookout revealed.
It also noted that 5 percent of the apps on smartphones, which represent 80 million downloads, are embedded with "aggressive" ad networks that perform "non-kosher" acts on a smartphone, such as changing bookmark settings and delivering ads outside the context of the app they are embedded in.
An analysis of free apps in Google Play showed that the leading user of aggressive ad networks was personalization apps, like wallpaper apps (17 percent), followed by entertainment (eight percent) and games (seven percent).
Lookout makes a free app that can be downloaded from Google Play that identifies what ad networks are running on a phone and what they do.
The security vendor has also released a set of comprehensive guidelines for mobile advertisers. They outline "best practices" for the pitch firms to follow and govern transparency and clarity, individual control, ad delivery behavior, data collection and other topics.
In addition to collecting personal data from smartphones, ad networks have also been reported to push "scareware," such as battery upgrade warnings, and shove marketing icons onto a phone's start screen or advertising into its notification bar.
Source: PCWorld

Thursday, July 5, 2012

iFAKE: Photos turn out to be shopped, and will iPhone 5 have a changeable camera lens?


If your palms were getting all sweaty at the allegedly leaked pictures of the alleged iPhone 5 last month, you weren't the only one.
UPDATE: As the internet reels from being tricked again by the iPhone rumour brigade, even more details have surfaced online, showing that Apple applied for a patent for a smartphone with a changeable camera.
Is Apple really toying with the idea of letting picture-loving iPhone users change lenses on the iPhone 5, or are they just toying with our emotions?
Apple's application for a "back panel for a portable electronic device with different camera lens options" included a diagram reminiscent of an opened iPhone with labelled parts.
The application described a design to let users change lenses that typically are fixed in the backs of smartphones to act as eyes for cameras.
"It would be desirable to provide a structure for a compact device that allows the end user to reconfigure the optical arrangement of the device while retaining the benefits of assembling the device using a pre-assembled digital imaging subsystem," said a copy of the patent application available online.

The latest rumour comes as the web was tricked into thinking images of a potential iPhone prototype were real after some fairly convincing photos were published on Apple rumour site 9to5Mac.

Thousands of people were tricked into thinking they were real.
Turns out the photos were renderings created by Flickr user Martin Hajek, based on alleged iPhone parts that were leaked by Apple rumour website 9to5Mac.


Mr Hajek seemed pretty pleased with himself, boasting on Flickr that he'd even tricked Gizmodo into believing they were real.
"You would think Gizmodo of all blogs would be able to tell a leaked prototype from a leaked rendering!" he wrote on Flickr.
We'd like to join Mr Hajek on the high moral ground, but we too were among the fooled.
Don't get excited. This is not an iPhone 5. It's a digital rendering based on 'leaked' iPhone 5 parts. A fake, basically. Picture: 9to5Mac