To thwart hackers, firms salting their servers with fake data

Brown Printing Co., which prints popular magazines and catalogues, knew that it had valuable assets in its computer systems and that those assets — online editions and subscriber databases — were increasingly at risk with the proliferation of cyber-espionage.

And so, to confront one of the newest and most damaging crimes, it turned to one of the oldest tricks in human history: deception.

The Waseca, Minn., company began planting fake data in Web servers to lure hackers into “rabbit holes” in the hopes of frustrating them into giving up. The bait was varied — including bogus user log-ins and passwords and phony system configuration files. Anyone who took it was being watched by Brown, their computer locations tagged and their tactics recorded.

“We’re taking the hackers’ strengths and we’re making it their weaknesses,” said Nathan Hosper, a senior information technology officer at Brown. “They get caught up in this cycle of fake information.”

Brown is only one of a number of companies that are adopting tactics long used by law enforcement and intelligence agencies to turn the tables on hackers.

The emerging trend reflects a growing sense in industry that companies need to be more aggressive in fighting off intruders as the costs of digital espionage soar. The theft of intellectual property and other sensitive documents — from military weapon designs to files on contract negotiations — is so rampant that senior U.S. officials say it may be the most significant cyberthreat the nation faces over the long term.

“Companies are tired of playing defense,” said Michael DuBose, a former chief of the Justice Department’s Computer Crime and Intellectual Property Section who now handles cyber-investigations for Kroll Advisory Solutions. “They want to feel like they actually can fight back. Most of us in the industry agree that we ought to push the envelope to protect the rights and properties of U.S. businesses.”

In the parlance of network security, digital deception is known as a type of “active defense,” a controversial and sometimes ill-defined approach that could include techniques as aggressive as knocking a server offline. U.S. officials and many security experts caution companies against taking certain steps, such as reaching into a person’s computer to delete stolen data or shutting down third-party servers.

Those actions probably would violate federal law, FBI officials said. The bureau also warns that the use of deceptive tactics could backfire — hackers who identify data as bogus may be all the more determined to target the company trying to con them.

Just how far companies should be allowed to go to defend themselves is the subject of intense debate in the industry and on Capitol Hill.

Rep. Mike Rogers (R-Mich.), the chairman of the House Intelligence Committee, said at a recent conference that disrupting another party’s server is an offensive act that could trigger retaliation that a company might not be prepared for. “It’s best not to go punch your neighbor in the face before you hit the weight room,” he said.