In February of this year I announced at RSA SF, in my presentation on breach data and trends, that this year will mark a new era of legitimate and legal hack-back services. There is no question that self-defence has been in practice for many years and companies have provided hack-back services, but they tended to be clandestine operations that tried to avoid scrutiny under the law. The FBI certainly frowns upon it. This difference now is that more entities are willing to step forward and confirm their information security self-defense includes an active component. It has become overt and is on its way to becoming legal.

I mentioned the other day that the IDF had publicly announced they reserve the right to attack, presumably under the principle of self-defense. Germany has recently moved to say they also reserve this right.

To put the German announcement in perspective, consider the conclusion to a story from 2009 in Der Spiegel called National Defense in Cyberspace

…the uniformed hackers at Rheinbach [Department of Information and Computer Network Operations] are battling a particularly treacherous adversary: German criminal law, which has banned the preparation of computer sabotage since 2007. If the German cyber warriors did in fact launch test attacks on outside networks they would, strictly speaking, be breaking the law. The penalty for serious computer sabotage is a prison sentence of up to ten years

That battle is apparently winding down as the German military today openly admits to offensive preparation/capability and now is debating logistics and ethics of implementation.

Although the German admission is not a huge surprise – most countries are assumed to have cyber-offensive capabilities – the clear declaration that the CNO has an attack role has reportedly caused controversy among the country’s legislators.

The ambiguities are legion. Does the military have the legal or constitutional authority to launch cyber-attacks against third parties without the approval of Parliament and if so under what circumstances?

There is a subtle difference between the investigative/surveillance and the hack back debates. The authorities now are looking for support and permission to move beyond collecting information and into active defense or attack position intended to cause damage (e.g. shutdown a server). The surveillance debate paved the way, in terms of the right to alter a system without owner consent, but it usually stopped short of allowing damage.

Reports, such as this 2007 one from Austria, said police were given the legal green light for surveillance.

The Austrian Police has become the latest European agency to express its intention to use specially-crafted Trojans to remotely monitor criminal suspects.

According to reports in Austrian media, the minister of justice Maria Berger, and Interior Minister Gunther Plater, have drafted a proposal that will be amended by legal experts and the cabinet with the intention of allowing police to carry out such surveillance legally with a judge’s warrant.

And I assure you the private-sector was already doing this years before the government because it was able to move ahead without the scrutiny of public approval. I certainly was working on similar engagements long before 2007.

The good news is that public requests for the capability means public review on appropriate/ethical use. The bad news is that at least some pushing for surveillance capability seem to be unaware that their new attack tools are not fail-safe and require careful management. Once you are into surveillance you have a very fine line separating you from hack back. Just like a weapon can backfire or cause unintentional harm when not properly handled, a German offcial carelessly handed over control of malware to an adversary.

Der Mann hatte seiner Tochter einen Trojaner auf den Rechner gespielt, um ihr Treiben im Internet zu überwachen. Die Tochter hatte allerdings einen Freund aus der Hackerszene, dem die Spionage auffiel.

Um es dem neugierigen Vater heimzuzahlen, drang der Hacker in dessen Computer ein. Dort sah er, dass der Polizist dienstliche Mails an seinen Privatrechner umgeleitet hatte. Das ebnete dem Hacker den Weg ins Innere der Bundespolizei. Als Folge des Angriffs musste der “Patras”-Server abgeschaltet werden, über den die Polizei Verdächtige observiert.

So hack back is here and clearly is being approved, surfacing some interesting issues of trust, ethics and liability. This German case is a perfect example. The german quote above points out that an authority was moving sensitive data from the government to his personal systems (fail) he was using government tools/technology (e.g. malware) for personal use (fail) and he was unable to control who had access to his personal systems (fail). These types of problems with state/group/self defense are old but the discussion is now in the open about who should be authorized to hack back, when it is allowed, and their liability for collateral damage. It brings to mind a slight modification of an old quote “if you criminalize malware possession, only criminals will possess malware”.

VMware has announced support in their vCenter Configuration Manager (vCM) for the new vSphere 5.0 hardening guidelines

[VMware Center for Policy & Compliance (CP&C)] is pleased to announce the most anticipated content release to date in vCM, the VMware vSphere 5.0 hardening guidelines! As critical component of the vC Ops suite, vCM is the FIRST product in the market today to have the official GA version of the vSphere 5.0 Hardening Guidelines.

The five new rule groups are related to some exciting new possibilities in automation. It now is easier than ever to test vSphere configurations, monitor for changes, and compare them to policy. VMworld will be a great time to see how it works and where things are going next.

A slide deck has been circulating called “Life before and after vCloud Director” that claims to “reveal” that a vCloud environment could be designed to reduce redundancy. Chris Colotti makes some excellent points in a short and clear rebuttal:

A vShield appliance is only needed if you choose to NAT route the Organization networks or the vApp networks. These are not required, but are used if the design considerations call for it. Yes it can fail, anything can fail, so that statement is pretty broad. However, it is a VM protected most likely by VMware HA as are so many other production Virtual Machines today. There is also multiple blog posts about how VMware Fault Tolerance can be used to protect the vShield Manager as well as the deployed vShield Appliances themselves.

The appliance is the firewall, router, DHCP, and Load balancer for Selected Networks and Organizations, but not for the “vCD System”. You can always use direct connected networks and external firewalls, as well as load balancers and VPN devices. Again, vShield is NOT a requirement it is simply a tool to assist in the design of a multi-tenant vCloud Director deployment. We have also had folks deploy other Virtual Machines in the cloud itself to handle some of these functions including virtual load balancers.

The slide deck probably is based on an article from last year called “VMware vShield Manager design raises availability concerns“.

It is worth noting that VMware’s publicly stated best practice, per KB: 2011480, is to use fault tolerance with vShield.