The present application relates generally to allowing hackers access to false data.
As recognized herein, hackers all too frequently attempt to gain access to innocent computer systems via brute-force techniques or password guessing. So-called “honeypot” systems have been introduced that are intentionally vulnerable to draw an attacker's attention and admit access, but as also recognized herein, such tools can seem suspicious to experienced hackers, and in any case are unhelpful against attacks on individual machines such as employee laptops or smartphones.
Accordingly, in one aspect a device includes a processor and storage accessible to the processor. The storage bears instructions executable by the processor to determine that an attempt has occurred of unauthorized access to a computer system having a computer interface for presentation to an authorized user. The instructions are executable to, responsive to determining that an attempt has occurred of unauthorized access to the computer system, return from the computer system a proxy interface instead of the computer interface. The proxy interface permits access to at least partially falsified data.
The falsified data may include a falsified credit card number, a falsified password, and/or a falsified user account. The falsified data may be digitally watermarked to facilitate tracking the falsified data.
In some examples, the instructions can be executable to activate key stroke recording to record all key strokes received by the proxy interface. In some examples, the instructions can be executable to activate a camera coupled to the computer system. Also in some examples, the instructions may be executable to determine that an attempt has occurred of unauthorized access to the computer system at least in part based on a determination that a number of failed login attempts satisfies a threshold. If desired, the instructions may be executable to, responsive to determining that an attempt has occurred of unauthorized access to the computer system, transmit a message to an administrator account.
In another aspect, a computer readable storage medium that is not a transitory signal includes instructions executable by a processor to detect an attack on a computer system, and responsive to detecting an attack on a computer system, return a proxy version of a legitimate interface of the computer system. The proxy version includes plural proxy selectors corresponding to respective selectors on the legitimate interface. Selection of a proxy selector invokes sham data corresponding to data invoked responsive to selection of the respective selector on the legitimate interface but sanitized of sensitive information accessible through the legitimate interface.
In another aspect, a method includes establishing a proxy interface appearing like a legitimate interface of a computer system. The method also includes, responsive to correct login to the computer system, returning the legitimate interface, and responsive to detecting an attack on the computer system, returning the proxy interface.
The details of present principles, both as to their structure and operation, can best be understood in reference to the accompanying drawings, in which like reference numerals refer to like parts, and in which:
The present disclosure relates to improving the security of individual computer systems by allowing attackers to appear to gain access, but then presenting only a false representation of the system. When the attacker attempts to guess passwords, unlock patterns, etc., rather than continuing to fail, the hacker is allowed to falsely succeed (e.g., to gain access to a sandbox and/or a virtual machine image that establishes the false representation of the system). As understood herein, this is preferable to failure, as failure will simply incentivize the attacker to continue trying until true credentials are found, or until another true weakness in the system is found. So, upon apparently “successful” (but actually failed) hacking of the system, the system will present a synthetic sanitized version of its normal interface but without any of the system's true sensitive information present.
In one embodiment, false data including sham user accounts, sham passwords, sham credit card numbers, etc. can be provided in response to the false login. This data can be self-identifying (watermarked) so that if found elsewhere it can be determined which server was attacked. In addition or alternatively, upon allowing a false login to the device, keystrokes can be recorded, photographs taken with the devices camera, etc., to aid in identifying the attacker. Notifications of false may be sent to device administrator accounts via backchannels such as short message service (SMS), email, etc.
With respect to any computer systems discussed herein, a system may include server and client components, connected over a network such that data may be exchanged between the client and server components. The client components may include one or more computing devices including televisions (e.g., smart TVs, Internet-enabled TVs), computers such as desktops, laptops and tablet computers, so-called convertible devices (e.g., having a tablet configuration and laptop configuration), and other mobile devices including smart phones. These client devices may employ, as non-limiting examples, operating systems from Apple, Google, or Microsoft. A Unix or similar such as Linux operating system may be used. These operating systems can execute one or more browsers such as a browser made by Microsoft or Google or Mozilla or another browser program that can access web pages and applications hosted by Internet servers over a network such as the Internet, a local intranet, or a virtual private network.
As used herein, instructions refer to computer-implemented steps for processing information in the system. Instructions can be implemented in software, firmware or hardware; hence, illustrative components, blocks, modules, circuits, and steps are sometimes set forth in terms of their functionality.
A processor may be any conventional general purpose single- or multi-chip processor that can execute logic by means of various lines such as address lines, data lines, and control lines and registers and shift registers. Moreover, any logical blocks, modules, and circuits described herein can be implemented or performed, in addition to a general purpose processor, in or by a digital signal processor (DSP), a field programmable gate array (FPGA) or other programmable logic device such as an application specific integrated circuit (ASIC), discrete gate or transistor logic, discrete hardware components, or any combination thereof designed to perform the functions described herein. A processor can be implemented by a controller or state machine or a combination of computing devices.
Any software and/or applications described by way of flow charts and/or user interfaces herein can include various sub-routines, procedures, etc. It is to be understood that logic divulged as being executed by, e.g., a module can be redistributed to other software modules and/or combined together in a single module and/or made available in a shareable library.
Logic when implemented in software, can be written in an appropriate language such as but not limited to C# or C++, and can be stored on or transmitted through a computer-readable storage medium (e.g., that is not a transitory signal) such as a random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), compact disk read-only memory (CD-ROM) or other optical disk storage such as digital versatile disc (DVD), magnetic disk storage or other magnetic storage devices including removable thumb drives, etc.
In an example, a processor can access information over its input lines from data storage, such as the computer readable storage medium, and/or the processor can access information wirelessly from an Internet server by activating a wireless transceiver to send and receive data. Data typically is converted from analog signals to digital by circuitry between the antenna and the registers of the processor when being received and from digital to analog when being transmitted. The processor then processes the data through its shift registers to output calculated data on output lines, for presentation of the calculated data on the device.
Components included in one embodiment can be used in other embodiments in any appropriate combination. For example, any of the various components described herein and/or depicted in the Figures may be combined, interchanged or excluded from other embodiments.
The term “circuit” or “circuitry” may be used in the summary, description, and/or claims. As is well known in the art, the term “circuitry” includes all levels of available integration, e.g., from discrete logic circuits to the highest level of circuit integration such as VLSI, and includes programmable logic components programmed to perform the functions of an embodiment as well as general-purpose or special-purpose processors programmed with instructions to perform those functions.
Now specifically in reference to
As shown in
In the example of
The core and memory control group 120 include one or more processors 122 (e.g., single core or multi-core, etc.) and a memory controller hub 126 that exchange information via a front side bus (FSB) 124. As described herein, various components of the core and memory control group 120 may be integrated onto a single processor die, for example, to make a chip that supplants the conventional “northbridge” style architecture.
The memory controller hub 126 interfaces with memory 140. For example, the memory controller hub 126 may provide support for DDR SDRAM memory (e.g., DDR, DDR2, DDR3, etc.). In general, the memory 140 is a type of random-access memory (RAM). It is often referred to as “system memory.”
The memory controller hub 126 can further include a low-voltage differential signaling interface (LVDS) 132. The LVDS 132 may be a so-called LVDS Display Interface (LDI) for support of a display device 192 (e.g., a CRT, a flat panel, a projector, a touch-enabled display, etc.). A block 138 includes some examples of technologies that may be supported via the LVDS interface 132 (e.g., serial digital video, HDMI/DVI, display port). The memory controller hub 126 also includes one or more PCI-express interfaces (PCI-E) 134, for example, for support of discrete graphics 136. Discrete graphics using a PCI-E interface has become an alternative approach to an accelerated graphics port (AGP). For example, the memory controller hub 126 may include a 16-lane (x16) PCI-E port for an external PCI-E-based graphics card (including, e.g., one of more GPUs). An example system may include AGP or PCI-E for support of graphics.
In examples in which it is used, the I/O hub controller 150 can include a variety of interfaces. The example of
The interfaces of the I/O hub controller 150 may provide for communication with various devices, networks, etc. For example, where used, the SATA interface 151 provides for reading, writing or reading and writing information on one or more drives 180 such as HDDs, SDDs or a combination thereof, but in any case the drives 180 are understood to be, e.g., tangible computer readable storage mediums that are not transitory signals. The I/O hub controller 150 may also include an advanced host controller interface (AHCI) to support one or more drives 180. The PCI-E interface 152 allows for wireless connections 182 to devices, networks, etc. The USB interface 153 provides for input devices 184 such as keyboards (KB) and mice, microphones and various other devices (e.g., cameras, phones, storage, media players, etc.).
In the example of
The system 100, upon power on, may be configured to execute boot code 190 for the BIOS 168, as stored within the SPI Flash 166, and thereafter processes data under the control of one or more operating systems and application software (e.g., stored in system memory 140). An operating system may be stored in any of a variety of locations and accessed, for example, according to instructions of the BIOS 168.
Additionally, though not shown for clarity, in some embodiments the system 100 may include a gyroscope that senses and/or measures the orientation of the system 100 and provides input related thereto to the processor 122, an accelerometer that senses acceleration and/or movement of the system 100 and provides input related thereto to the processor 122, an audio receiver/microphone that provides input from the microphone to the processor 122 based on audio that is detected, such as via a user providing audible input to the microphone, and a camera that gathers one or more images and provides input related thereto to the processor 122. The camera may be a thermal imaging camera, a digital camera such as a webcam, a three-dimensional (3D) camera, and/or a camera otherwise integrated into the system 100 and controllable by the processor 122 to gather pictures/images and/or video. Still further, and also not shown for clarity, the system 100 may include a GPS transceiver that is configured to receive geographic position information from at least one satellite and provide the information to the processor 122. However, it is to be understood that another suitable position receiver other than a GPS receiver may be used in accordance with present principles to determine the location of the system 100.
It is to be understood that an example client device or other machine/computer may include fewer or more features than shown on the system 100 of
Turning now to
Referring to
It is to be understood that the proxy interface 402 is a version of a legitimate interface of the computer system 302 such as for presentation of application selectors, in that, in the example shown, the proxy version is identical in appearance and configuration to the legitimate interface but does not return the same data otherwise returned by the legitimate interface. The proxy interface need not be identical to the legitimate interface in appearance and configuration, however.
In the desktop interface example shown, the proxy interface 402 includes proxy selectors corresponding to respective selectors on the legitimate interface. For example, the proxy interface 402 may include an apparent email invocation selector 404 that would appear to be selectable to access an email account, an Internet home page invocation selector 406 that would appear to be selectable to access an Internet home page, potentially with the user already logged in or with the login credentials remembered, a social media Internet site invocation selector 408, and document directory invocation selector 410.
Selection of one of the proxy selectors 404-410, however, unlike selection of the corresponding selectors on the legitimate interface, does not invoke what the proxy selectors feign to invoke. Instead, selection of a proxy selector invokes presentation of sham data that in some cases may correspond to data invoked responsive to selection of the respective selector on the legitimate interface but sanitized of sensitive information otherwise accessible through the legitimate interface.
For example, selection of the proxy email selector 404 may return an email interface with a sham account, including a sham contact list with non-existent email addresses listed and a false password that is not a legitimate password. The proxy interface may also return, depending on the context, not a true credit card number but rather a sham or falsified credit card number that in reality does not match any credit card number issued by a financial institution.
The false data 504F-510F may be accessed in the same portions of the proxy account 502 as the corresponding actual data 504-510 are otherwise accessible in the legitimate, actual account 500.
Other tests may be used to determine whether unauthorized access is being attempted. For example, if an unauthorized biometric signal is input to the computer a single time, the test at diamond 600 may be positive. Additionally or alternatively, if remote access is being attempted from a predetermined geographic location, e.g., a location known to be a haven for hackers, even a single time, the test at diamond 600 may be positive. Additionally or alternatively, if falsified login credentials are used in an attempt to gain access, the test at diamond 600 may be positive.
Moving from block 604 to block 606, as mentioned above access may be allowed to the putative hacker to falsified data. The falsified data may be digitally watermarked so that if the hacker subsequently attempts to use the falsified, the watermark can be detected. The watermark may identify the computer system 302 from which the sham data is obtained. For example, a watermark or seed included with the falsified data may itself include a particular IP address associated with the system 302, or another type of identifier for the system 302. Additionally or alternatively, the falsified data may use other seeded randomness so that the seed can be identified later by a system administrator.
If desired, pursuant to a positive test at diamond 600 all keystrokes input to the computer system 302 by means of, e.g., the proxy interface may be recorded at block 608 for subsequent investigatory purposes. Also, an imager on or coupled to the computer system 302 may be activated at block 610 to obtain a still or video image of the area around the computer system 302 to thereby possibly image an in-person hacker. Backchannel messages reporting the hacking may be sent at block 612, preferably as soon as possible after detection of the hack attempt. The messages may be sent to system administrator accounts, law enforcement, the true user, etc.
Before concluding, it is to be understood that although a software application for undertaking present principles may be vended with a device such as the system 100, present principles apply in instances where such an application is downloaded from a server to a device over a network such as the Internet. Furthermore, present principles apply in instances where such an application is included on a computer readable storage medium that is being vended and/or provided, where the computer readable storage medium is not a transitory signal and/or a signal per se.
It is to be understood that whilst present principals have been described with reference to some example embodiments, these are not intended to be limiting, and that various alternative arrangements may be used to implement the subject matter claimed herein. Components included in one embodiment can be used in other embodiments in any appropriate combination. For example, any of the various components described herein and/or depicted in the Figures may be combined, interchanged or excluded from other embodiments.