Wasting Hackers' Time to Keep Websites Safe

http://www.technologyreview.com/web/39521/?mod=chfeatured

Couldn't make up my mind where to post this...please move if need be, thanks

 

Great to see a better way to prevent hacking. Making them waste time, resources, and confidence sounds good to me.

 

I feel like this is what most mitigations do anyways. Everything like DEP or ASLR basically either forces the hacker to search for something else to use or to use another exploit entirely. Sandboxing forces the hacker to come up with a second exploit.

It's all about wasting their time and making it too big a pain.

This takes it to a new level by actively tricking them, which is fun.

 

Wasting their time is good... but, what about wasting their time and attack them at the same time? Make them believe they stole the info (documents, etc) they want and they access it, it attacks them. Maybe some of them will be stupid enough to open in an actual useful computer. Maybe there's a caustic malware out there (where have I heard this? lol), that would break out of a virtual environment, where the document was being accessed.

Who knows...

Anyway, something that I noticed in that article is the following:

What if the attack is using a web browser within a virtual environment, that gets cleaned every time? This supercookie won't have any effect. Or, am I missing something?

Then, they do say:

Which would answer the question I made above. Then again, can't these hackers be using other computers that are part of a zombie network, maybe one made up of a few thousands to many thousands of computers? How the heck are they going to get a fingerprint? They all would be attackers... at random times.

Again, how? I'm pretty sure hackers would be using zombie networks at their disposal. So, there's no attacker's IP. Well, there's an attacker's IP, just the wrong attacker, so to speak.

-Beginning of "conspiracy"-

Heck, who knows if the people behind this new security company also took part of the attacks we've seen, so that they could come up and sell this kind of program? It would be kind of funny.

I mean, one does have to make demand happen. If there's no demand, there's no reason for the offer/supply to happen. Right?

-end of "conspiracy"-

I don't know what to say about this new way. The way it sounds, it makes us feel like hackers are that stupid. Are they, though?

 

You can say this about just about any security company.

Most hackers probably aren't making use of botnets.

 

Indeed... but, the timing makes one wonder if it's all a coincidence or what, right?

I suppose some aren't; but, the question is - and, I'm not talking about those script kiddies - even those true hackers that don't run any botnets, are they stupid? Because, this security company seems to think so.

I don't have to be a script kiddie to attack a website or other; I can be an actual hacker with interest in attacking xyz service.

Maybe this will turn out to be a great measure against those script kiddies, but I don't see it of any use against real hackers. Granted I'm not an expert, so maybe it can be.

 

A lot of hacking is trying to send garbage data at a website and see what you get back. If you get nothing back it means something. If you get something back it means something else. If you get a fake database of passwords etc back or some encrypted stuff (ie: you're being played with) you probably won't realize it because this is typically what would happen, only with a legit database.

 

Yes, but I was merely seeing it from the perspective of fingerprinting an attacker.

And, regarding of what you mention here, that's precisely what I said first - decoy and attack. There's no attack, though. Only decoy. It's time to damage the attackers. Firemen sometimes fight fire with fire, because water won't cut it. Just saying... that's all. Give them fake stuff that, at the same time, it will attack them.

But, a question: Won't these hackers know about it now? Also, won't this tool also have its own fair share of bugs, maybe letting itself become an attacking vector as well?

 

It wouldn't be a good idea to attack back in case a "real" user got caught in the cross fires. Entering garbage data is something a regular user can do by mistake (like if i try to log into a poorly coded site, maybe with javascript disabled, and i accidentally enter in some bad information so the page returns an error - this could easily be a hacker testing the site for weaknesses.)

And yes, it's possible that the tool will be exploited/ over-complicate the security.

 

Sounds just like a honey pot to me. We used to trap crawlers in never ending redirects ourselves to the dismay of Russia,