04 Feb 2011
Regular readers of this blog will know that I was hacked a few weeks ago, losing control of my Hotmail, Gmail, Facebook and LinkedIn accounts to a hacker who posed as me in an attempt to extort money out of my friends.
I've since regained control of all of these services, even Facebook, which finally lumbered back into my clutches last night, following two weeks of radio silence from Zuckerberg and his crew.
In the course of getting my online life back, I managed to find the hacker's IP address, ISP and email address. He (or less likely, she) caused me several hours of irritation, worry (that something like PayPal with my bank details would be next on his list) and work. I wanted to give him at least some of the same pain. I wanted revenge.
Is this a valid response? Among the many clichés favoured by sports coaches is 'Attack is the best defence'. Hackers' systems and networks are subject to many of the same flaws and security holes from which the rest of us suffer. I'd be willing to bet the administrators of most underworld hacking shops and forums use a simply cracked username and password combination for their authentication.
Surely the global security industry boasts sufficient brains, skill and resource to create some interesting tools to really stymie these cyber criminal operations? Certainly law enforcement bodies are aware of where most of them operate, both in the real and virtual worlds - and so finding them isn't the issue. Stuxnet itself was allegedly the result of state collusion; couldn't these same states get together to create something to target the command and control servers of a major botnet, for instance?
Or failing that, why not just use existing Trojans, worms and other malware against them? If your organisation knows that it has been hacked, and who by, surely hacking into that network, seeing what information has been stolen, and working out how best to prevent its further dissemination is the most appropriate preventative measure?
These questions were posed recently at the Black Hat conference in Washington DC, and appeared to garner some support. However, some sanity was inserted into the conversation by Trend Micro recently in its Malware Blog, pointing out that antagonising organised criminal groups, with their extensive networks, deep pockets and lack of ethics, possibly isn't a recipe for enduring delight.
Also, we probably don't want to expend energy creating new types of malware in order to go on the offensive. It will be a matter of moments before that same malware is turned around and pointed back in our direction, probably with some new and intriguing features that we hadn't thought of. An escalating cyber war, anyone?
I may want revenge, but I've also seen The Sopranos. Consequently, I've decided not to email my hacker, tempting though it is.