Hacker Tactic: Holding Data Hostage
Hackers Find New Ways to Breach Computer Security
The perpetual cat-and-mouse game between computer hackers and their targets is getting nastier. Cybercriminals are getting better at circumventing firewalls and antivirus programs. More of them are resorting to ransomware, which encrypts computer data and holds it hostage until a fee is paid. Some hackers plant virus-loaded ads on legitimate websites, enabling them to remotely wipe a hard drive clean or cause it to overheat. Meanwhile, companies are being routinely targeted by attacks sponsored by the governments of Iran and China. Even small start-ups are suffering from denial-of-service extortion attacks, in which hackers threaten to disable their websites unless money is paid.
Just days after the F.B.I. and international law enforcement agencies teamed up
earlier this month to kill one ransomware program, CryptoLocker, which
had infected over 300,000 computers, another pernicious program,
Cryptowall, popped up and began spreading rapidly.
In response, more companies are resorting to countermeasures like planting false information on their own servers to mislead data thieves, patrolling online forums to watch for stolen information and creating “honey pot” servers that gather information about intruders. Last year, companies also spent roughly $1.3 billion on insurance to help cover expenses associated with data theft.
Some security experts are urging even more aggressive action. “Companies want better results than are being delivered by law enforcement,” said Stewart A. Baker, former assistant secretary for policy at the Department of Homeland Security. He questioned whether the National Security Agency, the F.B.I. or the C.I.A. had enough qualified counterhackers to stake out corporate networks and also whether those businesses would be comfortable giving the government more access to their networks.
Mr. Baker maintains that victims of data theft can reasonably argue that they have a right to follow and retrieve stolen data wherever the thief takes it. And, he added, federal law on the matter is so ambiguous that prosecuting a company for trespassing on the domain of a hacker would be difficult and highly unlikely.
“I do really believe there should be a Second Amendment right in cyber,” added Jeffery L. Stutzman, vice president of Red Sky Alliance,
referring to the right to bear arms. His company coordinates
intelligence sharing for many of the world’s top corporations. Virtually
all of them are weighing how aggressive to be in combating hackers, he
said.
In 2011 Michael Hayden, former director of both the C.I.A. and the N.S.A., suggested that the government should consider allowing a “digital Blackwater” with paid mercenaries battling cyberattackers on behalf of corporations. But security experts warn that by taking matters into their own hands companies risk an escalating cycle of retaliation, lawsuits or Internet traffic jams.
What’s more, since cybercriminals typically hijack the systems of unwitting third parties to launch attacks, it is often hard to pinpoint targets for retaliation, said Orin S. Kerr, a professor at the George Washington University Law School. It is “kind of like a blindfolded partygoer trying to hit a piñata with a baseball bat,” he said. “He might hit the piñata but he might hit Aunt Sally, who happens to be standing nearby.”
Companies might also trip up law enforcement efforts or find themselves on the wrong end of a lawsuit if they inadvertently gain access to someone else’s server. And under many foreign laws, self-defense actions by private companies amount to espionage.
The Justice Department takes the stance that a company is most likely breaking the law whenever it gains access to another computer network without permission. At a panel hosted by the American Bar Association, John Lynch, chief of the computer crime and intellectual property section of the Justice Department’s criminal division, said that usually, when his office determines that companies have gone outside their server to investigate a perceived attacker, his first thought is, “Oh wow — now I have two crimes.”
There are, however, other ways to fight hackers that are both legal and effective, said Mr. Stutzman of Red Sky Alliance. His firm, for example, profiles attackers by keeping their pictures, phone numbers and other personal data on file. He is also an advocate of software that tags sensitive documents so that if they are stolen they self-destruct or transmit an alert to the owner.
Most security companies say the main objective should be raising the cost to hackers. CloudFlare, for instance, has developed a service called Maze, which it describes as “a virtual labyrinth of gibberish and gobbledygook” designed to divert intruders to bogus data and away from useful information. Other companies create bottlenecks to route attackers through security checkpoints.
It is fairly common for law firms to have their email read during negotiations for ventures in China, said Dmitri Alperovitch, a founder of CrowdStrike, a company that investigates hackers. So if a company knows its lawyers will be hacked, planting decoys can give them an upper hand, he said.
This month CrowdStrike unmasked a secret cell of cyberthieves linked to the Chinese Army that had stolen millions of dollars’ worth of data from military contractors and research companies, often by hiding its attack software in emailed invitations to golfing events.
Samir Kapuria, vice president of Symantec’s
Cyber Security Group, recounted how his company helped a major
manufacturer create bogus blueprints of a valuable product with a
traceable but harmless flaw and left it hidden in its servers. When the
manufacturer later found the planted blueprint for sale on the black
market, he said, Symantec was able to help trace the leak to its source,
fire the subcontractor and save the manufacturer tens of millions of
dollars.
But there can also be unintended consequences when planting false information, said Dave Dittrich, a security engineer at the University of Washington. He offered a theoretical example in which a company intentionally inserts flaws into a faked vehicle design. “If someone plants false information to be stolen and used, and this results in the death of any innocent human beings,” he said, “there could be a good case made that the entity who planted the fake data is acting in a negligent and unjustifiable manner.”
In general, Mr. Kapuria of Symantec prefers a philosophical approach toward thwarting the legions of cybercriminals, describing the fight as “Cyber Sun Tzu — when the enemy is relaxed, make them toil; when full, make them starve; when settled, make them move.”
Ian Urbina is an investigative reporter for The New York Times.