For companies with data to protect, their primary problem is how cheap hacking can be.
While “hacking” encompasses a wide variety of activities, one company is specifically tackling the botnet problem: The ability to use a network of linked computers to overwhelm a website or break into user accounts.
A denial of service attack is probably the most well known kind of attack using botnets. But for $200, you can put 10,000 computers around the world to work on whatever nefarious purpose you prefer.
Shape Security is trying to put a stop to that with a new product, unveiled today, called Shape Shifter. It is a “botwall,” a hardware device that companies plug into their servers to protect their data and users by automatically scrambling web application code when users try to access it.
“Today, it’s extremely cheap for an attacker to bring down a website,” says Shuman Ghosemajumder, the company’s product lead. The idea is to make hacking a human endeavor again: If bots won’t work, hackers will face more time and expense to do the dirty work themselves, or hire others to do it for them (Picture the gold farmers of World of Warcraft.)
Learning from hackers
“In the world of security, most people are trying to prevent something from happening…a lot of the engineering was, ‘how do I detect a bot or malware and prevent it from landing?’” says Ted Schlein, a former Symantec executive turned cybersecurity investor at venture fund Kleiner Perkins Caufield Byers. But today, “there’s really only two kinds of companies, those who have been breached and know it and those who have been breached and don’t know it. You have to have a mental shift—’you know what, I give, they’re there, I’m going to render them ineffective.’”
When you log into a site like an online bank or Facebook, you are connecting to a secure web application—a piece of code that runs on the web and handles the secure transfer of information such as a password. With an application installed on a phone or computer, hackers would need to reverse-engineer (i.e. figure out how it works from what it does) the code to learn how it works. But a web app’s code is visible to anyone who looks so web browsers can run them. Hackers seeking to crack systems can look at that code and write scripts to exploit it—maybe they purchased some of the credit card info stolen from Target, for instance, and want to exploit the code at an online shopping site to make as many online purchases as fast as they can. Or perhaps, unbeknownst to you, some malware is tracking your keystrokes as you log into your bank account.
The challenge is allowing people in while keeping bots out. Current methods, including identifying IP addresses or limiting the number of times someone can log in, are easily surmountable. So Shape decided to learn from hackers, and adopt a different defense. Many kinds of malware rely on code that changes its appearance to avoid detection by anti-virus software, a tactic called “polymorphism.”
Shape’s flagship product replicates the polymorphism effect but for web applications, rewriting the code each time a page is reloaded. That means that bots have no frame of reference when searching for vulnerabilities to exploit—instead of seeing a variable name like “username” or “password,” they see new names like “v6DbNQEs4z” each time the site is reloaded. The website looks the same to you and me, but the bots can’t pick the lock if they can’t find the keyhole.
The “mystery” start-up
Since the company was founded in 2012, it has raised $26 million in venture funding, including a round lead by Schlein, who joined the board, and Google Chairman Eric Schmidt. This, while the company’s product was working in “stealth mode”—no one knew what Shape was developing or if an actual product was forthcoming.
Whenever you hear about a company raising lots of money with no product, it hardly sounds good—think Clinkle, the Stanford payments start-up that raised both $25 million and the level of dysfunction in Silicon Valley. When I first heard about Shape, I wasn’t sure it was a real product.
But it’s hard to argue with the staff the company assembled, among them CEO Derek Smith, who sold cyber security firm Oakley Technologies to Raytheon in 2007; Sumit Agarwal, Google’s first product manager; Michael Coates, the former head of security for Mozilla; and Ghosemajumder, who helped develop the technology that prevents Google ad click fraud.
Into the field
Shape Shifter has been in trials with companies like StubHub, the online ticket re-seller, and Citigroup, whose head of security praised it for “turn[ing] the cost equation back around in the defender’s favor.”
With the company’s product finally revealed, it will meet the most important test: Hackers seeking to break it. Perhaps more sophisticated scripts could circumvent the polymorphism: I asked Coates whether a bot could somehow link to user prompts for information to the scrambled code behind the scenes, and he said that was the first thing Shape expects hackers to try—and that the company “will be ready with the next six or seven moves.”
If the botwall works as promised, Shape’s executives and investors predict large demand: Virtually any company doing business online—banks, retailers, social networks, the government, you name it—will want to protect against swarming online hackers, who cost American businesses as much as $100 billion each year.