University of Maryland-College Park researchers set up over 200 “honeypot” computers to test whether online warnings deter cyberthieves. Quite the opposite, they found—in a study that may be a wakeup call to law enforcement.
Warnings aimed at discouraging cyberhackers have almost no effect on skilled cybercriminals, according to a University of Maryland-College Park study.
In a finding that is likely to prove discouraging to law enforcement, the study discovered that warning “banners” set to flash across screens to discourage illegal online activity actually prodded trespassers to increase their efforts to infiltrate computer networks.
Researchers set up a number of “honeypot” computer accounts at a large American university, which was not named, to lure and monitor hackers to test whether “situational deterring cues” discourage system trespassing —”one of the fastest growing, yet least understood, forms of cybercriminal activity,” according to the study, released Wednesday by Criminology & Public Policy, published by the American Society of Criminology.
The University of Maryland researchers set up a number of decoy computer accounts and during a six-month period in 2012 waited for the trespassers to arrive. And they certainly did.
The study authors—Alexander Testa, David Maimon, Bertrand Sobesto, and Michel Cukier─ reported 553 unique “system trespassing events” on the 221 target computers.
Once the hackers had broken into the honeypot computers their screens flashed with an online warning banner:
The actual or attempted unauthorized access, use, or modification of this system is strictly prohibited. Unauthorized users are subject to institutional disciplinary proceedings and/or criminal and civil penalties under state, federal, or other applicable domestic and foreign laws. The use of this system is monitored and recorded for administrative and security reasons. Anyone accessing this system expressly consents to such monitoring and is advised that if such monitoring reveals possible evidence of criminal activity, the Institution may provide the evidence of such activity to law enforcement officials.
The researchers then observed and recorded the hackers’ behavior: How they navigated the attacked computer system, or changed file permissions, even after they were exposed to no-trespass warnings.
Those who had broken through the barriers to access administrator accounts—the privileged accounts that provide widespread access and the ability to wreak the maximum damage, usually held by information technology staff—didn’t appear dissuaded by the warning.
In fact, according to the researchers, hackers “increased the proportion of system trespassing events in which the ‘change file permission’ command was recorded,” compared to a control group that did not see a warning.
In a finding that they said surprised them, “sanction threats in an attacked computer system escalated the manipulation of file permission.”
In other words, the warning only apparently goaded them to keep hacking.
Some 21 percent of the hackers ferreted out by the decoy computers appear to be relative amateurs who did not attempt to crack administrative accounts, and in this group, there were signs of users being intimidated or deterred by the online warnings.
The study authors concluded that the more skilled hackers possessed “high criminal self-efficacy” and were confident in their ability to escape detection. Another possibility is that the sight of the warning banner made them react “defiantly.”
When faced with a threat, “administrative trespassers may escalate their offending in response to a sanction threat perceived as illegitimate,” the study said.
The lesson for security services, say the authors, is that more stringent methods are needed to deter the kinds of cybercriminality that have resulted in the theft of thousands of individuals’ identities, credit card numbers and other private information from large corporate networks over the past several years.
While they did not rule out the use of online warnings as a deterrent, the authors recommended the development of more sophisticated strategies that employed “repeated visual and verbal cues that can be responsive to a diverse group of offenders and situations in cyberspace.”
The full study, entitled “Illegal Roaming and File Manipulation on Target Computers” is available online here.
This summary was prepared by TCR Deputy Editor (Digital) Nancy Bilyeau. Readers’ comments are welcome.