We’ve seen some interesting ideas to thwart cybercrime in our time – for example Kaspersky’s supposedly ‘unhackable’ operating system comes to mind – and most of them inevitably involve the use of super-complex algorithms, ciphers and other encryption methods.
So given this technological trend, it’s a bit of a surprise to learn that a number of companies are now turning to far cruder methods in order to protect their data – using the age old art of deception to confound would be hackers.
A report in the Washington Post earlier this week describes how a number of companies have hit on the novel approach of using fake data as a means of frustrating hackers in their efforts to get hold of the real thing.
Nathan Hosper, senior IT officer at Brown Printing Co., in Waseca, Minn., gave an explanation to the Washington Post of how this counter-espionage works. He said that the company, which stores a number of valuable assets like customer subscription information, hit upon the idea of planting fake data into its web servers in order to deceive hackers that broke through their first line of defense.
The idea is that hackers are lured into what Hosper terms “rabbit holes” containing fake user logins, passwords and bogus system files – with the simple aim being to frustrate them to the point of giving up.
But it gets better too, as Hosper also set up a system so that he could observe anyone who took the bait, logging their tactics and computer locations so that this information can be used to strengthen the firm’s security.
“We’re taking the hackers’ strengths and we’re making it their weaknesses. They get caught up in this cycle of fake information,” he explained.
The Washington Post explains that a number of companies across the US have picked up on this latest trend in cybersecurity, and says it reflects a growing mood among companies that they need to be “more aggressive” in fending off such threats. It quotes former Justice Department security expert Michael DuBose as saying that companies are “tired of just playing defense”, and want to fight back as much as it’s possible to do so.
Questions do remain about whether or not it’s wise to deploy such deceptive tactics though, which for many years were strictly the domain of law enforcement and intelligence agencies. Republican senator Mike Rogers warns that the use of fake data could prompt more determined hackers to retaliate even more aggressively – something that companies might not be prepared for.
“It’s best not to go punch your neighbor in the face before you hit the weight room,” said Rogers.
There are also concerns about how far some companies might go. “Active defense”, as the tactic is known to security experts, can also include retaliatory actions such as knocking a hacker’s server offline, or raiding their computers to delete the data they have stolen – techniques that the FBI says are “probably” illegal.