How to Greatly and Promptly Reduce the Threat of Hack Attacks Worldwide
I’m a computer guy, software mostly, and an inventor. I started in the Pleistocene Era and recently retired. Along the way I got hooked on encryption as an intellectual pursuit. At the time I was working in the bowels of the DOD and saw first hand and from the inside out thousands of attacks a day by hackers trying to penetrate our little corner of the government (okay, so it was military and had tons of Personally Identifiable Information).
I was in the data center at midnight local time December 31, 1999 in anticipation of the Y2K calamity. We escaped that fiasco with years of concerted reconstruction of computer systems worldwide, and it worked well.
Anyway, two of the prime and unusual characteristics of my little encryption program were forms of obfuscation — the intentional insertion of misleading but real-looking items. In the actual program code of the software itself, I placed many misidentified elements, interesting but non-functional pieces of code and complete constructs that claimed to do some of the critical encryption functions but really only appeared to do things. These were all designed to occupy and frustrate anyone attempting to reverse engineer my program.
In the output of my program, coded secret messages, there is also considerable obfuscation and camouflage, all designed to tie up cryptographers and code breakers. Tantalizing patterns, long and captivating journeys down blind alleys, numerous red herrings all conspire to consume vast amounts of time and computing power to no avail. I know what they look for and I let them find it, but as though I am trying to hide it.
Obfuscation is the key to overcoming powerful, crafty and irregular opponents. Don’t lay out your database as one would expect. Sure, you should have a column labeled “Password” but it should only contain dead static data values and certainly not a password. The real password is always encrypted and stored in some odd table somewhere, perhaps one of several similarly named and esoteric looking tables of unclear intent and in a column named “Reason Code” or some other meaningless nonsense.
If you have an algorithm that posts payments, it should be named very misleadingly. It should call likewise strangely named subroutines that reference strange and unclear database tables, columns and memory variables.
In other words, never let the bastards know what you are really doing.
Now, this flies in the face of conventional wisdom that calls for concisely and logically identified database components and software procedures. But, the key to the Obfuscation model is to have a separate and closely guarded translation and description that tells a programmer today or years from now that the Payments Posting functions are executed in api_Vacation_Time_Accumulation and the employee data is in tbl_Archived_Transaction_Disputes_1994 or something, one of several odd tables named tbl_Archived_Transaction_Disputes_1995, tbl_Archived_Transaction_Disputes_1996 and so forth.
Make a rabbit hole from which no creeper can escape with anything of value.
But here is where we take Obfuscation Theory worldwide. We, corporations, banks, governments and the military, should create thousands, millions of honeypot servers, websites and databases that are all crafted to look like real stuff, things that hackers would want to hack and code breakers would want to break. Make them do things, have activity, maybe send data back and forth with other honeypot drone sites so they look live and realistic. It could create a whole new niche of cybersecurity — Obfuscation Subject Matter Experts all trained in design, coding, interaction and management of high-quality Catch and Obfuscate drone resources. Use advanced UI and IX principles to lure the hackers in and impress them. How could such a beautiful site, server or database be a drone, a do-nothing honey pot?
Yes, it would take time and money but not nearly what we are suffering now at the hands of these nefarious state-sponsored and even lone wolf attacks. Corporations would start seeing fewer attacks and instead start seeing reports from their fleet of drones showing how effectively certain strategies are working. So, it would be measurable and repeatable.
Obfuscated honey pot resources will cost money, but it will be money you are spending on your terms, not some hacker’s. And, that money would stay in your organization, not the bitcoin account of some seventeen-year-old Russian kid.
Further, when a honey pot site is penetrated, it would be designed to start reporting and tracking the movements of the intruder. The idea would be more to monitor which hackers are where, what tactics are they using and so forth. They could interact with the hacker in ways he/she might expect it to. Corporate and government cyber security people would love to have a real-time trove of that kind of information. This is your enemy. Here he is. This is what he’s doing and, predictably, what he may do next.
Every hour an intruder is creeping your honey pots is an hour that he’s not attacking you.
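The reporting the post describes, a decoy that raises an alarm the moment it is touched and keeps a trail of what the intruder did next, is the same mechanism defenders call a honeytoken. The block below is an added example, not the author’s program or any product: it scans constructed database audit-log lines (the log format, the source addresses and the set of decoy objects are all assumptions) and flags any statement that references a decoy table or the dead “Password” column, since legitimate code never has a reason to name them. The table names are borrowed from the post’s own illustration, with the 1994 table treated as the real one and the 1995/1996 tables as decoys.

```python
"""Honeytoken detector over database audit logs (added example).

Assumed log line shape (constructed; no real DBMS emits exactly this):
    <timestamp> src=<ip> user=<name> sql="<statement>"
Any statement that names a decoy table or decoy column is an alert, and
the detector also keeps a per-source trail so the intruder's movements
through the rabbit hole can be reviewed in order.
"""
import re
from collections import defaultdict

# Decoy objects (assumption): the real employee data lives in ..._1994,
# the look-alike 1995/1996 tables exist only to be touched by intruders.
DECOY_TABLES = {
    "tbl_Archived_Transaction_Disputes_1995",
    "tbl_Archived_Transaction_Disputes_1996",
}
# The static, dead "Password" column; real secrets are stored elsewhere.
DECOY_COLUMNS = {"password"}

LOG_RE = re.compile(
    r'^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) sql="(?P<sql>.*)"$'
)
IDENT_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def parse_line(line):
    """Return the fields of one audit line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def decoys_touched(sql):
    """Return (sorted decoy tables, sorted decoy columns) named in a statement."""
    idents = {ident.lower() for ident in IDENT_RE.findall(sql)}
    tables = sorted(t for t in DECOY_TABLES if t.lower() in idents)
    cols = sorted(c for c in DECOY_COLUMNS if c in idents)
    return tables, cols


def scan(lines):
    """Scan audit lines; return (alerts, trail-by-source)."""
    alerts = []
    trail = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: not silently treated as benign elsewhere
        tables, cols = decoys_touched(rec["sql"])
        if not (tables or cols):
            continue
        alert = {
            "ts": rec["ts"],
            "src": rec["src"],
            "user": rec["user"],
            "decoy_tables": tables,
            "decoy_columns": cols,
            "sql": rec["sql"],
        }
        alerts.append(alert)
        trail[rec["src"]].append((rec["ts"], rec["sql"]))
    return alerts, dict(trail)


# Constructed sample log: one legitimate application source (10.0.0.5)
# and one source that wanders into the decoys (203.0.113.7).
SAMPLE_LOG = [
    '2024-05-01T02:10:00Z src=10.0.0.5 user=app sql="SELECT reason_code FROM tbl_Archived_Transaction_Disputes_1994 WHERE emp_id=42"',
    '2024-05-01T02:11:07Z src=203.0.113.7 user=app sql="SELECT * FROM tbl_Archived_Transaction_Disputes_1995"',
    '2024-05-01T02:11:09Z src=203.0.113.7 user=app sql="SELECT username, Password FROM users"',
    '2024-05-01T02:12:00Z src=10.0.0.5 user=app sql="INSERT INTO api_Vacation_Time_Accumulation_log VALUES (42, 100)"',
    "this line is not in the expected format",
]


def run_sample():
    """Run the detector over the constructed log (used by the self-check)."""
    return scan(SAMPLE_LOG)


if __name__ == "__main__":
    found, movements = run_sample()
    for a in found:
        print(f"ALERT {a['ts']} {a['src']} tables={a['decoy_tables']} cols={a['decoy_columns']}")
    for src, steps in movements.items():
        print(f"trail for {src}: {len(steps)} decoy touches")
```

Only the 203.0.113.7 source produces alerts; the application’s queries against the real table and the payments routine never name a decoy, so the detector stays quiet for them. In practice the decoy list would be loaded from the access-controlled translation index rather than hard-coded, and the alerts fed to whatever the SOC already watches.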
It is crazy to me that a government agency responsible for paying a branch of our military has a domain name of, say, USArmyPayroll.gov or Army.Payroll.US.MIL. It would make much more sense if the hackers could spend hours flipping past similarly named domains, none or few of which actually do anything except lure ne’er-do-wells. The real domain should be something like DailyExtendedServices.gov or something equally nebulous. Why set ourselves up as a guided tour? Look Here. The Payroll For The Army Is Here.
We have used Obfuscation before, to great success. The Quaker Cannons of the Civil War, logs disguised as field artillery to stall enemy advances. The inflated rubber “tanks” of WWII on English beaches used as a feint to mislead German Intelligence before D-Day. Fake radio broadcasts, military “secrets” planted on a floating corpse left for the German forces to discover and many more tricks, particularly by the British, served to waste much time on the part of the enemy and cause them to allocate resources to counter thrusts and parries that never came. D-Day itself was a massive and beautifully coordinated ruse.
Like our open society, our technology is designed to be logical, well-laid and easy to understand. That makes it easy for future technicians and repairmen to service. It also makes it easier for bad guys to creep in, figure it out and devise ways to bend it to their advantage.
We don’t need to re-write all of our internet domains, computer programs and databases. Indeed, as I did in my program, you only need to Obfuscate Where Needed. And, surely some programs that have no Personally Identifiable Information or financial accounts or government secrets have no need to be obfuscated.
But, in my humble opinion, we need to stop just playing defense. The arms race of armor versus bullets will continue ad infinitum. A little well-crafted and well-placed obfuscation in our owned resources AND an ongoing effort to develop honey pots to attract and tie up the creepers would serve us well. If there are ten thousand hackers in the world, we need to put out about a million juicy honey pots.
We need to hear the hackers complain that “it ain’t like the old days when you could immediately identify a target, get in, peruse its well-laid-out database, read its very serviceable program code, tamper with it and wait to reap the rewards. Nowadays you don’t know what’s what and can spend days and weeks picking through the chaff before you discover any actual real data. And, even then, if you manage to get in, there’s no telling what kind of rabbit hole you’re going into. Goofy names, weird structures, zombie procedures — they’ll make you look like a fool.”
Another extension of this strategy, and a cost-saving measure, would be to copy the original website, database or program, then modify it down to a zombie site designed to be hacked, to no avail.
If a hacker encounters six or ten apparently identical websites, for example, with similar names and appearance, how can they tell which are the zombies and which one is the real ABC Corp hub, especially when they are all named “Telegenisys Past Factors 117”, “Telegenisys Past Factors 118”, “Telegenisys Past Factors 119” and so forth?
A little ingenuity can help you create an Obfuscation strategy that won’t take long to implement or cost an exorbitant amount.
With rigid guidelines of offline documentation, encrypted design abstracts and access-controlled translation indexes, we can manage and maintain obfuscated properties just as well as straightforward Welcome, Here’s The Payroll designs that we have now.
Once we quit openly and clearly posting our invaluable intellectual, personal and financial resources for all to see and attack, and get our political and government leaders to take a more aggressive legal, IC, IP and military stance toward attacks of any kind — physical or cyber, we will see these devastating data compromises fall away and the real promise of technology begin to take hold, free from the real fear of likely disruption, ransom and destruction.