Data Sheet—Saturday, December 10, 2016
Foreign governments use hackers to steal U.S. corporate secrets and meddle with our political system. Meanwhile, a botnet of millions of rogue devices recently cut off access to popular websites on the East Coast, and is now rampaging through Europe. Wouldn’t it be nice if we could turn the tables and put a stop to this?
The CEO of security company Invincea, Anup Ghosh, told me this week he fears that this urge for retaliation—to hack back—is building among the public and politicians. Indeed, a prominent Republican congressman this week called for “consequences” over Russia’s suspected hacking. I get it. There’s an intuitive appeal to using cyber soldiers to knock our adversaries offline until they get the message to stop.
In the case of the botnet of rogue devices known as Mirai, Invincea says it has found a way to “kill” it by exploiting a flaw in its code. And in the past, some have floated the idea of launching “white worms” that would spread in a way that would quarantine certain types of malware.
Alas, as appealing as it sounds for America to do more in the way of cyber offense, it’s probably a terrible idea. According to Ghosh, the notion can be attractive to policy types—those who don’t work with computer code—but is regarded with horror by security pros. The reason, he said, is that launching online attacks can have entirely unpredictable consequences, and that aggressive code can quickly mutate or ricochet and damage all sides.
I asked Edward Amoroso, who runs the consultancy group Tag Cyber, if Ghosh’s view is too timid. Nope. Amoroso, who used to be the Chief Information Security Officer at AT&T, said past examples show “hacking back” is dangerous and irresponsible, and doing so would amount to “playing chicken with history.” He says the answer lies instead in defense—hardening our computer systems to keep hackers out in the first place.
So there you have it. I defer to the guys with the computer training to have the final word on any plan to hack back. You can read about more mischief and mayhem in cyber-land further below—plus some fun fin-tech tidbits. Enjoy your weekend.
Jeff John Roberts
Welcome to the Cyber Saturday edition of Data Sheet, Fortune’s daily tech newsletter. Fortune reporter Robert Hackett here. You may reach me via Twitter, Cryptocat, Jabber (see OTR fingerprint on my about.me), PGP encrypted email (see public key on my Keybase.io), Wickr, Signal, or however you (securely) prefer. Feedback welcome.
Rooting out Russians. President Obama ordered U.S. intelligence agencies to prepare a full report on Russia's hacking antics related to the U.S. election—and he wants it ready before he leaves office. But the report may be full of sensitive stuff, which means the public may not get to see it. (New York Times)
Air Force fires up cyber boosters. In one of the year's biggest digital defense contracts, the U.S. Air Force awarded $19 million to Endgame (aka "the Blackwater of Hacking") to beef up its endpoint detection systems. The deal shows how, despite the government's reputation as an IT dunce, some departments are leading edge adopters. (Fortune)
Hail Amazon, DDoS destroyer! Amazon's sprawling ambitions now extend to a new security service called Shield (how does Google's Project Shield feel about that name?) that will protect AWS customers from the sort of denial-of-service attack that cut off customer access to major websites last month. (Geek Wire)
Bailing on Bitcoin. Circle, one of the biggest early believers in bitcoin, has lost faith. The well-funded firm is washing its hands of its crypto-currency wallet service, and will focus instead on its blockchain services for banks. But the price of bitcoin is staying strong and another alt-currency, Stellar, suddenly soared back on the scene. (Fortune, Fortune)
Our exclusive investigation sheds new light on hacking breaches at U.S. law firms that exposed sensitive corporate data. Also who did it.
A series of security breaches that struck prestigious law firms last year was more pervasive than reported and was carried out by people with ties to the Chinese government...
In the case of one firm, the attacks took place over a 94-day period starting in March of 2015, and resulted in the hackers stealing around seven gigabytes of data, according to information obtained by Fortune. Read more on Fortune.com
IBM Watson for Cybersecurity Inches from Research to Reality by Robert Hackett
Twitter, Surveillance, and the Sale of Social Media Data by Jeff John Roberts
KeyMe, the App That Makes it Scarily Easy to Copy Keys, Raises $25M by Jeremy Quittner
German Steelmaker Discloses 'Massive' Cyber Attack by Reuters/Fortune
Suspects Arrested in Russia Central Bank Cyber-heist by Reuters/Fortune
Talking Dolls Spy on Kids, Privacy Group Warns by Jeff John Roberts
ONE MORE THING
Is it punk rock to leave all your data exposed? Apparently so. In a piece of epic carelessness, the record label for rocker Joan Jett failed to lock down a server and left it all open on the Internet — social media passwords, personal data and even an early rejection letter from a music executive who complained Jett's vocals weren't up to snuff. (Motherboard)