US startup aims to turn tables on hackers
US startup Shape Security is turning the tables against hackers by using one of their own techniques against them
US startup Shape Security is turning the tables against hackers by using one of their own techniques against them.
The firm said its product makes it more difficult for hackers to carry out automated attacks, turning websites into “moving targets” by continually changing their code.
Shape Security’s technology changes the HTML, JavaScript and cascading style sheets (CSS) used to create websites without altering the look and feel of the website for legitimate users.
This is similar to the polymorphism technique used by hackers to avoid detection by making malware difficult to recognise because it is designed to rewrite its code each time it infects a new machine.
The novel approach is aimed at defending websites from attackers who use low-cost automated software tools that identify and exploit code vulnerabilities.
“This may help break the economics of breaches like the one Target experienced in late 2013,” Sumit Agarwal, the firm’s founder wrote in a blog post.
“Many web attacks are only profitable if automated. Criminal enterprises pursue profit – without automated scripts, many of today’s attacks cease to be economically viable,” he said.
This is consistent with the growing security trend of analysing attacker business models and looking for ways to undermine or disrupt them that is used by Microsoft, Adobe and others.
Detractors have said that given time attackers could probably identify parts of code that do not change, but that would take time and effort, diminishing an attacker’s return on investment.
According to Smart Security, several companies have tested the ShapeShifter network appliance, including Citigroup bank and the ticket seller StubHub.
The firm had raised $26m from investors ahead of its product launch and has several high-profile backers, including Google, Google chairman Eric Schmidt's investment company TomorrowVentures, and Enrique Salem, the former chief executive of security firm Symantec.
More on anti-hacker disruption
- Microsoft leads major disruption of ZeroAccess botnet
- Disruption key to data protection, says HP
- Microsoft evolves disruption anti-cyber crime tactic
- Accept defeat and change the battle plan, says Adobe security chief
- Microsoft uses disruption strategy to tackle botnets
- Microsoft partnership takes down 1,000 cyber crime botnets
- Microsoft unveils state-of-the-art Cybercrime Center