How To Trick The Hackers

Image: Martin Klimek for Forbes

Shape Security’s Derek Smith and Shuman Ghosemajumder, a former click-fraud fighter at Google

For decades the information security industry’s default analogy has been virus versus antivirus, a futile race to detect hackers’ weapons. Now a few security veterans are flipping the game: Deciphering a shape-shifting chunk of code is about to become the attacker’s problem.

In January a team of entrepreneurs out of Google and the defence world unveiled a startup called Shape Security. The 58-person company sells a pizza-box-size appliance called a ShapeShifter that plugs into a company’s network and obfuscates the code behind the customer’s website. It replaces variables with random strings of characters that change every time a page is loaded, all without altering the way the site appears to human visitors. This trick, known as polymorphism, makes it vastly more difficult for cybercriminals to use automated tools to crack passwords, scrape content from thousands of sites or use malware-infected PCs to spy on victims’ online banking.

“We realised that so much frontline hacking is occurring in this automated, scripted fashion,” says Shape’s CEO, Derek Smith. “That germinated into the idea of turning polymorphism against the hackers.”

Shape was born in 2010 at the Department of Defense, where co-founders Smith and former Google mobile boss Sumit Agarwal met after Smith sold his last security firm, Oakley Networks, to Raytheon. But the core code-shifting idea came from another Oakley alum, Justin Call, who soon became Shape’s CTO. Agarwal found a vice president of strategy in Shuman Ghosemajumder, another former Googler who had spent years leading the search giant’s high-stakes battle against click fraud—just the sort of bot-based attack that Shape hopes to cripple. Since then it’s raised a total of $26 million from investors, including Kleiner Perkins Caufield & Byers, Venrock and Google Ventures. It already has more than 20 customers testing the technology and expects to book “low eight figures” in revenue for 2014. When its product comes out of testing, it plans to charge more than a million dollars a year per customer.

Shape’s challenges include persuading chief security officers to add yet another security appliance to their crowded data centres and ensuring that its code-scrambling trick doesn’t slow down a customer’s busy website or jumble the way it looks, says Jeremiah Grossman, chief technology officer of WhiteHat Security and well-known web-hacking researcher. But “if anyone can make this work, it’s this team,” he says.

If ShapeShifters do find their way into data centres around the internet, expect cybercriminals to find new ways around them. If criminals can’t read the HTML to figure out what part of the site to attack, they might use image recognition to study how the website looks or even hire humans to fill in for bots. Shape says it’s already filing patents for the next phases of that game.

But for now Ghosemajumder points out that rather than pay for expensive new bot upgrades, “the more rational approach for the attackers is to target the hundreds of websites where their automated attack still works”. To paraphrase the old saying about outrunning a bear: You don’t have to be more clever than the hackers. You just have to be more clever than their other targets.