Fake data used to thwart hackers
Brown Printing Co., which prints popular magazines and catalogues, knew that it had valuable assets in its computer systems and that those assets — online editions and subscriber databases — were increasingly at risk with the proliferation of cyber-espionage.
And so, to confront one of the newest and most damaging crimes, it turned to one of the oldest tricks in human history: deception.
The Waseca, Minn., company began planting fake data in Web servers to lure hackers into “rabbit holes” in the hopes of frustrating them into giving up. The bait was varied — including bogus user log-ins and passwords and phony system configuration files. Anyone who took it was being watched by Brown, their computer locations tagged and their tactics recorded.
“We’re taking the hackers’ strengths and we’re making it their weaknesses,” said Nathan Hosper, a senior information technology officer at Brown. “They get caught up in this cycle of fake information.”
Brown is only one of a number of companies that are adopting tactics long used by law enforcement and intelligence agencies to turn the tables on hackers.
The emerging trend reflects a growing sense in industry that companies need to be more aggressive in fighting off intruders as the costs of digital espionage soar. The theft of intellectual property and other sensitive documents — from military weapon designs to files on contract negotiations — is so rampant that senior U.S. officials say it may be the most significant cyberthreat the nation faces over the long term.
“Companies are tired of playing defense,” said Michael DuBose, a former chief of the Justice Department’s Computer Crime and Intellectual Property Section who now handles cyber-investigations for Kroll Advisory Solutions. “They want to feel like they actually can fight back. Most of us in the industry agree that we ought to push the envelope to protect the rights and properties of U.S. businesses.”
...I have been saying for some time that to defeat these guys you need to go on offense and mess with them. The means described in this story are modest, but at least partially effective depending upon the time the hacker is willing to devote to the process. I would still like to see some tracing mechanism so that you could find a return address for the data thieves.
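The decoy log-in approach the article describes (bogus accounts whose use marks a source for watching) can be sketched as follows. This is an added example, not Brown Printing's system or code from the original page; the log format, decoy account names, paths and addresses are all constructed for illustration.

```python
import re
from collections import defaultdict

# Decoy accounts planted in bait files; no legitimate user ever logs in
# with them (constructed names, an assumption of this example).
DECOY_USERS = {"svc_backup_old", "jsmith_admin"}

# Constructed log format:
# "<ISO time> <source ip> <METHOD> <path> user=<name|-> status=<code>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) "
    r"user=(?P<user>\S+) status=(?P<status>\d{3})$"
)

# Constructed sample input (documentation-range addresses).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 198.51.100.7 GET /index.html user=- status=200
2024-05-01T10:00:05Z 203.0.113.9 GET /backup/config.bak user=- status=200
2024-05-01T10:01:10Z 203.0.113.9 POST /login user=svc_backup_old status=401
2024-05-01T10:01:12Z 198.51.100.7 POST /login user=alice status=200
2024-05-01T10:01:30Z 203.0.113.9 GET /admin/export user=- status=403
garbage line that does not parse
2024-05-01T10:02:00Z 198.51.100.7 GET /account user=alice status=200
"""

def analyze(log_text, decoys=DECOY_USERS):
    """Return {source_ip: report} for every source that presented a decoy login."""
    history = defaultdict(list)  # every parsed request per source, in order
    first_hit = {}               # source -> (index of first decoy use, decoy name)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue             # skip malformed lines instead of failing
        ip = m["ip"]
        history[ip].append((m["ts"], m["method"], m["path"], m["status"]))
        if m["user"] in decoys and ip not in first_hit:
            first_hit[ip] = (len(history[ip]) - 1, m["user"])
    reports = {}
    for ip, (idx, user) in first_hit.items():
        reqs = history[ip]
        reports[ip] = {
            "decoy_user": user,
            "decoy_login_at": reqs[idx][0],
            "before": reqs[:idx],     # how the source reached the bait
            "after": reqs[idx + 1:],  # what it tried next
        }
    return reports
```

Any use of a decoy account is a high-confidence alert because no legitimate workflow touches it, so the report needs no threshold or baseline.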