05/28/2013 12:44 PM

PC Lockdowns Eyed As IP Theft Tool

Controversial proposal says businesses should be allowed to lock down PCs they suspect contain stolen information. Privacy expert warns of fraud risk.
Should businesses be allowed to lock down PCs they suspect contain stolen information?

That's one proposal contained in a report released last week by the Commission on the Theft of American Intellectual Property that outlined a number of measures for combating intellectual property theft. The commission is run by the former director of national intelligence, Dennis Blair, as well as Jon Huntsman, a former U.S. ambassador to China.

The commission's report gained immediate notoriety for recommending that businesses be allowed to hack back for the purpose of recovering stolen intellectual property. In particular, the commission recommended that policymakers "support efforts by American private entities both to identify and to recover or render inoperable intellectual property stolen through cyber means." The report defines intellectual property as not just information targeted for economic espionage, but also software and music.


How could copyrighted software and music, as well as information targeted via espionage operations, be rendered inoperable? According to the report, software can be written that will allow only authorized users to open files containing valuable information. It explains, "If an unauthorized person accesses the information, a range of actions might then occur. For example, the file could be rendered inaccessible and the unauthorized user's computer could be locked down, with instructions on how to contact law enforcement to get the password needed to unlock the account."

But according to Lauren Weinstein, founder of the Privacy Forum, that proposal bears a striking similarity to the ransomware campaign currently targeting PC users. Ransomware is malware that locks a PC and flashes a "threat of prosecution" warning -- often customized to appear to be from the FBI or local law enforcement agencies for targets in other countries -- that says access to child pornography or other illegal content has been detected. The notice then demands a fine be paid to unlock the PC.

According to the FBI, it's been inundated with complaints from consumers who've paid as much as $200 -- and sometimes more -- in response to what they believed to be a bureau-ordered fine.

"So now we have the IP Commission suggesting that firms be allowed to use basically this same technique -- pop up on someone's computer because you believe they've stolen something from you, terrify them with law enforcement threats, and lock them out of their (possibly crucial) data and applications as well," said Weinstein in a blog post.

The proposed lockdowns would be disproportionate to the alleged crimes being committed, he said, and might just as easily be exploited by fraudsters. "Outside of the enormous collateral damage this sort of 'permitted malware' regime could do to innocents -- how would the average user be able to tell the difference between this class of malware and the fraudulent variety that is currently a scourge across the Net?" he asked.

The commission's proposal has been viewed by Canadian journalist and author Cory Doctorow as a recommendation that the entertainment industry -- which backed the controversial anti-piracy bill SOPA -- should be granted the ability to "legalize the use of malware in order to punish people believed to be copying illegally."

Malware is a hot-button topic where entertainment companies are concerned, owing to Sony's failed 2005 music CD copy-protection system, which hid a rootkit on CDs by 52 different artists. Sony's intention was to make it difficult for users to copy the CDs, but according to security experts, the rootkit transmitted users' IP addresses to Sony and was almost impossible to remove. In short order, online attackers adapted Sony's technology to design hard-to-detect malware.

"There is no good malware at all," said Christian Mairoll, CEO of Austrian anti-malware firm Emsisoft, via email. "Piracy is indeed a problem that has to be solved. But legalized and widely spread malware would lead to even more problems with unforeseeable consequences."

Deploying malware in the service of protecting intellectual property would also face challenges from the information security industry. Mairoll, for example, promised that his firm would never whitelist any form of malware, built by the entertainment industry or otherwise. His comments echoed those of other security firms that have pledged to detect the FinFisher spyware sold by U.K.-based Gamma Group, which is used by some autocratic regimes to spy on political dissidents.

Whether you call it "hacking back" or old-fashioned eye-for-an-eye retaliation, offensive security calls for profiling and, if possible, individually identifying an attacker and taking countermeasures to harm the attacker's systems.


re: PC Lockdowns Eyed As IP Theft Tool

So, now, wait a minute... companies should be allowed to "hack back" at people who have stolen their Intellectual Property? Thinking like someone who follows best practices here, what does an intelligent user do when they have data that is valuable? They save it, they back it up and they make sure that their backup works. Now, if I was "hacking for fun and profit", wouldn't it make sense that as soon as I stole data that I thought could ever be useful, important or valuable, that I'd make multiple copies? Even better, depending on the sophistication of the hacker's strategy, those multiple copies could be geographically dispersed, encrypted, saved to multiple media, even burnt to optical. At that point, what does the hacked company do? My mantra when it comes to information security - once it's digital and outside of your security envelope, it's public knowledge (or might as well be).

Again, wait a minute... "If an unauthorized person accesses the information, a range of actions might then occur. For example, the file could be rendered inaccessible and the unauthorized user's computer could be locked down, with instructions on how to contact law enforcement to get the password needed to unlock the account." Yeah, THIS isn't going to work - turning law enforcement officers into technical support personnel is NOT going to be beneficial. What happens when mommy or daddy brings their work PC home and little Johnny decides to start mashing keys on the keyboard, ends up trying to open a protected file, and then blows the password enough times to lock the account? Mommy or daddy have to call a law enforcement agency and explain the situation to get their account unlocked? I'd like to think that our law enforcement agencies out there have more to do than just sit around in a call center and wait for a prospective hacker to ring them for assistance.

This whole idea's bothersome - what's even worse is that someone paid for all of the work that went into this.

Andrew Hornback
InformationWeek Contributor