Most security software defends PCs and websites by acting like a locked door to shut hackers out. A new security company, Mykonos Software, instead invites hackers in through a fake entrance and plays tricks on them until they give up.
“If you break in, I want to have fun with you,” says David Koretz, CEO of Mykonos. Koretz claims that the computer security industry is too timid—he advocates making hackers’ lives tedious and difficult instead.
Mykonos sells software intended to protect websites against attacks—like those on Sony’s websites last year that yielded thousands of credit-card numbers—aimed at gaining access to valuable data such as user credentials. When Mykonos’s software identifies an attacker, it tries to waste the hacker’s time by offering false data such as phony software vulnerabilities and fake passwords. This week, the 19-person company announced it had received $4 million in investments from a number of Web and technology company leaders, including Jeff Clark, the chairman of Orbitz.
The company’s software is aimed primarily at hackers who use automated tools that identify and exploit vulnerabilities in websites, says Koretz. Such tools allow even relatively unskilled hackers, sometimes dubbed “script kiddies,” to cause considerable damage.
Wasting assailants’ time “changes the economics” of attacking websites, says Koretz. “At the end of the day, there are a finite number of hackers, and if you break all of the automation, it becomes something only some people can do,” he says. “It’s a step towards making it more like bank robbery, a manageable problem.”
Mykonos software first needs to accurately identify attackers, to avoid breaking a site for legitimate users. The company’s software does that by using small snippets of code injected into Web pages, forms, and other data sent out to a computer accessing the site. The snippets are placed so that they will be altered by the most common methods used to probe for security vulnerabilities. When these snippets are altered, Mykonos’s software automatically notes the IP address of the potential attacker.
If an attacker is using a Web browser to probe a site, a small, tough-to-delete tracking file known as a “supercookie” is injected into it. If nonbrowser software is being used, the characteristics of the attacker’s computer are “fingerprinted.” When the same computer returns, the defense software knows and can respond appropriately.
Mykonos’s software creates the illusion that the hacker is making progress. “We can intercept their scans and inundate them with fake values,” says Koretz. “It takes much longer [for an attacker to scan a site], and the results are useless.”
A scan that might usually take five hours could take 30, Koretz says. Other tactics include offering up dummy password files, which can help track an attacker when he or she tries to use them. “We’ll let them break the encryption and present a false login page. We have the ability to hack the hacker,” says Koretz.
As a promotional tool to impress potential clients, Mykonos engineers have built versions of the company’s software that taunt attackers. One directs a hacker to a Google Maps search for nearby criminal attorneys. Another parodies Microsoft’s now-defunct anthropomorphic paper clip, Clippy, with the message: “It looks like you’re an unsophisticated script kiddie. Do you need help writing code?”
Mykonos could use its system to simply block attackers, but Koretz says hackers expect such behavior and will simply keep looking for new ways in. “If you just block, they will find a different route to attack you. If you ensnare them in a painful way, you change the economics of the attack—it becomes much more expensive.”
Sven Dietrich, an expert on computer security and a professor at Stevens Institute of Technology, says annoying attackers can be a bad idea. “It’s conceivable that when he or she finds out that they’ve been had, they will seek retribution,” says Dietrich.
Security researchers sometimes use sacrificial “honeypot” computers as a way to study attacks up close in a safe environment. Dietrich says it’s important to carefully separate these machines from other computer networks to reduce the potential impact of revenge attacks, but this is not an option for a company using Mykonos’s software. “If you are using it in a production system, then they know who created it and is trying to deceive them.”
Koretz argues that the frustrations his software delivers can crop up naturally in the course of hacking a site, so many attackers will likely ascribe them to bad luck and move on to another possible target.
Dietrich also says that actively scanning, or installing pieces of tracking code on another computer, could make it unstable. If attackers compromise an innocent machine, “the risk is that you may affect systems that are critical or cause someone to lose their digital goods or worse,” he says.
Koretz predicts that the approach will become more common as conventional security software proves increasingly ineffective. “Deception is a legitimate defense,” he says.