Germany

Hack Back - When A Cyber Attack Victim Turns 'Digital Vigilante'

German authorities, like their counterparts elsewhere, have proven unable to protect certain businesses and individuals from cyber crimes. Now, more and more are taking digital justice into their own hands.

In our hands? (arkangel)
Ulrich Clauß

BERLIN - What with malware able to easily cancel out whatever security measures are in place on a computer, the cyber-crime phenomenon is in full developmental swing.

That's the word from a new report on the dark side of the information technology revolution in the current issue of "Bundeslagebild Cybercrime," published by Germany's Federal Criminal Police Office. Meanwhile, the UK's domestic intelligence service MI-5 says Internet crimes have now reached "industrial-scale" proportions.

What we know is that cyber attacks are aimed at both businesses and governments; they threaten both public and private sector data; and research and academic facilities are hardly spared. "The extent of what is going on is astonishing," says MI-5 head Jonathan Evans.

This, of course, only pertains to the attacks the police know about. Internet security experts estimate cyber crime levels are much higher. Businesses in particular are known to be reluctant to divulge what they may have experienced, in order to protect their image.

But silence is not just a question of image. The fact is that in no other area are the forces of law and order as helpless as they are when dealing with cyber crime. According to most experts, the discrepancy between the technical know-how and equipment of the perps and that of the cops is vast – and the bad guys have the upper hand.

"In what is often called 'cyber war' but should be called 'cyber crime,' the forces of order are not as well equipped as the attackers," says IT expert Max Mühlhäuser, who heads the Telecooperation Lab at Darmstadt's Technical University. "And the growing professionalism of attackers means that action is urgently needed."

In Germany, since it has become publicly known that the police couldn't even manage the "Bundestrojaner" – the "federal Trojan" spyware allegedly used by the government to access the computers of suspects in criminal investigations – without the help of outside service providers, more and more have begun to circumvent the authorities and take on cyber-thieves directly.

Cyberwar researcher Sandro Gaycken, of the Institute for Computer Science at Berlin's Freie Universität, confirms that "digital vigilantism" is the new trend, particularly in sectors strongly affected by efficient cybercriminals such as the financial industry, development companies, and research groups. In those areas, the amount of manipulation and spying is "frightening," he says -- "and absolutely nobody is going to go public when something like that happens to them."

The tendency is to deal with it in-house, says Gaycken. "They don't involve the police. They build up their own unit, or hire outside help. And the new hype with those guys is hitting back. Attacking the attacker."

Data trap

One such "Enterprise Strikes Back" service provider is CrowdStrike, a California company that describes itself as "the stealth-mode security start-up." It provides companies with "hack back" solutions to fight private wars on the web, and minces no words when it comes to criticizing the kinds of security strategies used until now to fight cyber attacks.

"The industry's mistake was to focus on the tools the attackers were using," says Dmitri Alperovitch, co-founder and Chief Technical Officer, who espouses a kind of hand-to-hand combat strategy. "You have to concentrate on the attacker himself, not on the weapon used but on the tactics."

Shawn Henry, a former cybercrime specialist with the FBI and now president of CrowdStrike Services, puts it this way: "We don't only put out the fires, we light them too." Its range of hack-back services is wide, and includes everything from figuring out how to dodge attacks all the way to ruining the attacker financially.

For example, CrowdStrike can set up a data trap that will lure attackers into believing they have hit on something of value although it is actually worthless data that can't be copied. But it will keep the attackers busy for a while, and waste a lot of their time. There are also very clever ways of ascertaining attacker identity and sending disinformation or malware to their computer.

Not surprisingly, no company has thus far publicly admitted to using these or other hack-back tactics – attacking IT systems, even in counter-attack, is after all illegal in most Western countries. In Germany, Paragraph 202 (known as the Hacker Paragraph) of the Criminal Code outlines the acts relating to data espionage and phishing that are punishable with imprisonment or a fine.

According to those familiar with the sector, that doesn't stop many companies from using these methods against cyber attackers, particularly as frustration is growing among enterprises that realize how much is at stake, and that legal methods simply do not work.

"One of the reasons for using illegal means is that the state just isn't efficient. The prosecutors aren't good enough, partly because they have cheap, ineffective tools to work with. Investigators need more means, and more highly qualified people, to be able to work in a more targeted fashion," says computer scientist Gaycken.

Another problem is that states are bound to their own laws and territoriality – a factor that limits their radius of action. "From that perspective, vigilantism could seem justified. It's that way with self-defense: if the state is not there, and I'm attacked, I can hit back." But that's only part of the story, Gaycken believes. Investigations hampered by data protection legislation and national borders often appear cumbersome and indeed unnecessary to companies that have been attacked.

The latest cyberwar developments have only strengthened the aggressive self-help trend. The discovery that worms like Flame, Stuxnet and Duqu had been working away, sometimes for many years, in computer systems - including the uranium enrichment centrifuges of the Iranian nuclear program - was a massive defeat for the computer virus protection industry.

For Mikko Hypponen, the founder of F-Secure, a security firm, Flame malware marks nothing less than the "failure of the antivirus industry," and as such a turning point in IT security.

US and France have more leeway

Neither the German Minister of the Interior nor the Federal Office for Information Security Technology (BSI), which are responsible for security across the web in Germany as well as for government computers, had any comments on these latest developments. Paired with the trend towards vigilantism, however, the issue begs answers, particularly as it touches not only on the law but also civil rights. The bottom line is that the state has a monopoly on the use of force.

Says IT expert Mühlhäuser: "My impression from a number of indicators is that the German federal government sees defending the German economy against cybercrime and cyber-intelligence as far less important a sovereign function than, for example, the United States or France do."

Mühlhäuser notes that both those countries have legitimized state-organized economic espionage in the past in the interests of keeping their own economies in good shape. But in Germany, for lack of effective enforcement, more and more businesses and institutions have no choice but to take matters into their own hands. Time will tell whether this will bring a measured, practical response, or if people will come out with all guns blazing, Wild West style.

Photo - arkangel

Economy

Lex Tusk? How Poland’s Controversial "Russian Influence" Law Will Subvert Democracy

The new “lex Tusk” includes language about companies and their management. But is this likely to be a fair investigation into breaking sanctions on Russia, or a political witch-hunt in the business sphere?

Polish President Andrzej Duda

Piotr Miaczynski, Leszek Kostrzewski

-Analysis-

WARSAW — Poland’s new Commission for investigating Russian influence, which President Andrzej Duda signed into law on Monday, will be able to summon representatives of any company for inquiry. It has sparked a major controversy in Polish politics, as political opponents of the government warn that the Commission has been given near absolute power to investigate and punish any citizen, business or organization.

And opposition politicians are expected to be high on the list of would-be suspects, starting with Donald Tusk, who is challenging the ruling PiS government to return to the presidency next fall. For that reason, it has been sardonically dubbed: Lex Tusk.

University of Warsaw law professor Michal Romanowski notes that the interests of any firm can be considered favorable to Russia. “These are instruments which the likes of Putin and Orban would not be ashamed of," Romanowski said.

The law on the Commission for examining Russian influences has "atomic" prerogatives sewn into it. Nine members of the Commission with the rank of secretary of state will be able to summon virtually anyone, with the powers of severe punishment.

Under the new law, these Commissioners will become arbiters of nearly absolute power, and will be able to use the resources of nearly any organ of the state, including the secret services, in order to demand access to every available document. They will be able to prosecute people for acts which were not prohibited at the time they were committed.

Their prerogatives are broader than that of the President or the Prime Minister, wider than those of any court. And there is virtually no oversight over their actions.

Nobody can feel safe. This includes companies, their management, lawyers, journalists, and trade unionists.
