Stopping Remote Access Breaches with “Honey”
Encryption has long been one of the most effective tools to prevent the exposure of sensitive data. As such, hackers are constantly working on new ways to crack encryption algorithms and exploit lapses in security. Information security professionals must be ever vigilant and constantly create innovative new methods to thwart attacks. Recently, one interesting new encryption security method has come to light that takes inspiration from another, quite different tactic, honeypots, to trap and confuse hackers.
The new approach, called “Honey Encryption”, could potentially offer more effective digital security by making fake data appear to be legitimate and valuable information to hackers. The project, developed by former RSA chief scientist Ari Juels and the University of Wisconsin’s Thomas Ristenpart, is currently a prototype and takes advantage of the brute-force cracking methods used by attackers. With each incorrect guess a cracking program makes, the software adds a piece of made-up data to the dataset. For example, if a hacker is trying to break into an enterprise’s credit card database, the program will create numbers that look like real credit card numbers, instead of the gibberish that attackers would currently see. With thousands of attempts in a typical attack, hackers will be bombarded with fake information, making it enormously difficult to determine whether information is real or not.
Currently, the prototype only protects encrypted data stored in password vaults, but the technology could have tremendous future implications for other forms of encrypted information. One day, a similar program could perhaps generate bogus but plausible network communications when a hacker is trying to break into a VPN’s encrypted tunnel. Or, a hacker could be faced with similar useless information as he tries to compromise a public Wi-Fi hotspot. It could even help to prevent several APT attack vectors used in high-profile attacks, such as the Adobe, Target and Neiman Marcus breaches that have led to the data of tens of millions of people being compromised.
Before it hits the mainstream, though, there are several challenges the technology will have to overcome, including distinguishing real attacks from user errors and making it work with other types of data. However, the underlying idea, using trickery to thwart hackers, is sound. As Juels said, “it’s a really underappreciated defense strategy.”
The technology may never completely stop attacks, but it will certainly make life more difficult for attackers. Combined with cutting-edge encryption methods, such as elliptic curve cryptography (ECC) and quantum cryptography, the future looks bright for keeping sensitive information protected.