If someone hacks you, you can just hack them back in self-defense, right? Well, no. Unless firearms are involved, attacking your attacker is itself a crime. Even defensive security measures can go too far, as demonstrated in an unusual presentation at the RSA Conference.
With the help of the Honorable Laura Beeler, a real-world US Magistrate Judge, a panel of experts acted out a possible scenario. If you’re missing your TV courtroom dramas while attending the conference in San Francisco, you can get a dose by reviewing the recorded session.
In this imaginary scenario, security experts at Dolls-R-Us decided to go after hackers indirectly by creating a kind of honeypot. They set up a sacrificial network, with servers carefully isolated from the overall company network, and baited the network with interesting documents—things like financial, trading, and building plans. They deliberately made the fake network’s security weak enough for hacking, but strong enough not to be a giveaway.
Soon enough a hacker penetrated the security and grabbed the documents, copying them to his dark web repository. And here the plot thickens.
Suzie, a 13-year-old full-scholarship student at Nevermore Academy, is working on a paper about the dark web. With her advisor’s permission, and a reminder of the school policy that no downloads are allowed, she takes an exploratory journey, where she happens upon the repository containing Dolls-R-Us plans. Being a typical teen girl, she can’t resist looking at the 2024 doll plans.
Opening the document triggers a beacon, and sends the security team her IP address. Law enforcement raids the Academy, and Suzie is expelled. Her parents sue Dolls-R-Us for negligence.
The plaintiff’s lawyers argued that the
Read more on pcmag.com