Security Software Aims To Trick Hackers
Hacker attacks are increasing and Web sites need new defenses to protect their data.
That’s where Mykonos comes in. The security company protects Web sites from attacks by wasting a hacker’s time instead of relying on an easily breakable wall.
“If you break in, I want to have fun with you,” David Koretz, CEO of Mykonos, told Technology Review. He says that the computer security industry is “too timid” and that the solution is making hackers’ lives “tedious and difficult.”
The software goes into action when it detects an intruder by offering false data and phony software vulnerabilities. This is intended to waste the hacker’s time and force them to give up out of desperation.
The company received $4 million in funding this week from a number of Web and technology leaders.
The company’s software is primarily aimed at hackers who use automated tools that identify and exploit weaknesses in Web sites.
Koretz says that wasting a hacker’s time “changes the economics” of attacking Web sites. He said that the software makes hacking more like bank robbery, which is easily managed.
The software first makes sure that it isn’t attacking a legitimate user. It does this through the use of small snippets of code injected into Web pages that are sent out to a computer using the site. If the data snippet is altered, the software automatically notes the IP address of the potential hacker.
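One way the altered-snippet check described above could work, shown as an added example that is not Mykonos's code: the server signs a decoy hidden field per session and records the client address if the field comes back changed. The field name acct_ctx, the key handling and the sample addresses are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # assumed per-deployment secret
flagged_ips = set()                   # addresses that returned an altered snippet


def _tag(session_id: str, value: str) -> str:
    """HMAC binding the decoy value to one session."""
    msg = f"{session_id}|{value}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_snippet(session_id: str) -> dict:
    """Build the decoy hidden field sent out with a page (hypothetical name)."""
    value = "role=user"  # a normal browser returns this untouched
    return {"acct_ctx": value, "acct_ctx_tag": _tag(session_id, value)}


def check_snippet(session_id: str, client_ip: str, form: dict) -> bool:
    """Return True if the snippet came back unaltered; otherwise note the IP."""
    value = form.get("acct_ctx")
    tag = form.get("acct_ctx_tag", "")
    if value is None:  # field stripped from the request
        flagged_ips.add(client_ip)
        return False
    # Compare as bytes in constant time; also rejects tags replayed
    # from another session, since the session id is part of the MAC.
    if not hmac.compare_digest(_tag(session_id, value).encode(), tag.encode()):
        flagged_ips.add(client_ip)
        return False
    return True


if __name__ == "__main__":
    # Constructed requests: one untouched, one with the decoy value edited.
    sent = issue_snippet("sess-1")
    print(check_snippet("sess-1", "198.51.100.7", dict(sent)))                # True
    print(check_snippet("sess-1", "203.0.113.9",
                        dict(sent, acct_ctx="role=admin")))                   # False
    print(sorted(flagged_ips))                                                # ['203.0.113.9']
```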
If the hacker is using a Web browser to probe the site, a small tracking file known as a “supercookie” is injected into it. If they aren’t using a browser, the hacker’s computer is fingerprinted. When the same computer returns, the software knows and reacts appropriately.
The software sets up the illusion that the hacker is making progress. “We can intercept their scans and inundate them with fake values,” Koretz said. “It takes much longer [for an attacker to scan a site], and the results are useless.”
He said that a scan might usually take five hours, but would take 30 with his software. The other tactic is to offer up a fake password and login page. They are essentially hacking the hacker.
Some computer security experts are not convinced, though. They’re concerned that annoying hackers would just lead them to come back more powerful than before, fueled by vengeance.
Koretz agrees that a revenge outcome is possible, but he hopes that most hackers will just ascribe the deception to bad luck and move on to another target.
He predicts his tactic will become more widespread once traditional anti-hacking methods are proved ineffective.