Signature style

A new form of authentication based on the telltale timing of users' keyboard strokes holds promise for agencies.

In a famous cartoon from The New Yorker, a pooch sitting at a computer proclaims, 'On the Internet, nobody knows you're a dog.' That may be true, at least for the gifted canines among us. But if the typist is a human, 'they can tell if you're a left-handed female piano player with an ergonomic keyboard,' Neal Krawetz of Hacker Factor Solutions told attendees at a Black Hat Conference in Las Vegas last year.

Since the 1980s, research has shown that the way a person types is as unique as a fingerprint. How long someone holds down the keys and the time it takes to move from one key to another vary among individuals, and those variations can be measured and captured to produce a profile of a person's typing style.

The idea is not new. Morse code aficionados have long known that each operator has a unique rhythm of clicking out dots and dashes. It's called the operator's fist. But now, vendors are beginning to offer software that exploits this behavior, known as keystroke dynamics, to authenticate the identity of their customers and employees.

Conceivably, those systems could even help agencies meet Homeland Security Presidential Directive 12, which requires a common, secure identification standard for federal employees and contractors and, with it, stronger authentication of network users. Keystroke dynamics could be an attractive form of authentication because, unlike physiological biometrics such as fingerprint or iris scanning, it does not require new hardware.

And researchers are studying whether they can extend the technology into other realms, too. If keystroke dynamics can apply to more than just password verification, it will also offer a method of identifying and tracking the activity of criminals, terrorists or anyone who uses a keyboard.

Nowadays, almost every online transaction requires a password. But the security of that password can be compromised in many ways. People choose passwords that can be easily guessed, or they might use the same password for many Web sites to make it easier to remember. And once that password falls into the wrong hands, anyone can take over that user's identity.

Recognizing this, many organizations are adding a second layer of verification to increase security. For example, some banks are asking their customers to choose a picture password from a range of choices offered. Others are issuing tokens, small devices that generate a series of one-time-use passcodes, to customers who access their accounts via the Internet.

Another solution is biometric identification, which involves a host of technologies that rely on either physiological traits unique to a person, such as a fingerprint or iris pattern, or behavioral traits. Typing rhythm falls into the latter category.

Identification via keystroke dynamics has the advantage of being relatively inexpensive and simple to implement. Physiological biometrics usually requires special hardware such as a fingerprint scanner, but keystroke dynamics software only needs a keyboard.

Parda Federal Credit Union, in Auburn Hills, Mich., adopted a password verification system based on keystroke dynamics late last year. Parda had been searching for a way to meet guidance issued by the Federal Financial Institutions Examination Council on authentication of customer identity on the Internet. The FFIEC guidance did not endorse any particular technology, but it did cite multifactor authentication, that is, using one or more methods in addition to a password, as a way to reduce the risk of account fraud and identity theft.

The credit union explored several options but decided on a system from BioPassword. 'The real attractive piece is that our membership doesn't have to do anything different,' said Melissa Auchter, Parda's chief information officer. 'You don't want to surprise them. You're talking about people's money.'

Parda uses BioPassword's Internet Edition, which is designed for Web-based applications such as online banking, health care portals and business-to-business transactions. The software is installed on the institution's server and analyzes the keystrokes of users logging in from anywhere. BioPassword also sells an Enterprise Edition for companies to verify the identity of employees and people using in-house computers. In that case, the software needs to be installed on every access point.

When someone enters his or her password, the system records how long the keys are held down and the time between presses, said Jared Pfost, BioPassword's vice president of security and product strategy. After a training period of about nine samples, it creates a statistical representation of that person's typing pattern. Then the next time that user logs in, the system compares the password entry to that template. If there is a match, the user is granted access; if not, access is blocked.

The level of security can be tailored to the organization's needs, Pfost said. On the Internet Edition, security can be dialed down so that 99 percent of the time, the system would not reject a customer logging in. On the other extreme, the Enterprise Edition can be adjusted to be 99 percent secure. The key is to strike a balance between security and usability, Pfost said. The trade-off is the one every biometric check faces: a tighter match threshold turns away more impostors but also more legitimate users whose rhythm is a little off that day, and a looser one does the reverse.

Parda tested BioPassword on its own employees for about a month before introducing it to members of the credit union, Auchter said. All customers were asked to reset their passwords to take advantage of the new system, and no major problems have been reported so far, she said.

Once a person establishes a rhythm for typing a password, it's very hard for someone else to mimic, said Steven Bender, chief executive officer of iMagic Software, which makes a password verification system called Trustable Passwords, also based on keystroke dynamics. It uses technology that recognizes when typing goes from slow and unfamiliar to muscle memory, Bender said. At that point, the rhythm becomes stable and persistent.

Neither BioPassword nor iMagic Software has clients in the federal government. State and local governments, however, are considering keystroke dynamics products because they're cost effective, Bender said. Fingerprint scanners, smart cards and passcode-generating tokens are expensive platforms to set up, maintain and upgrade. On the other hand, password verification, which is purely a software solution, can be easily installed and updated.

It also helps alleviate the problems that lead to insecure passwords in the first place. People can choose a dictionary word instead of gibberish, Bender said. Also, 'with our product, you don't have to change your password anymore,' he added. The more typing samples it acquires, the more robust the template becomes. If someone does steal a password and tries to log in with it, the system is likely to notice, because the thief's typing pattern will differ from the owner's. That guards against a password that has merely leaked; it does not help if the thief has also recorded the owner's timing, since the timing is measured on the user's own computer before it is sent for checking.

Such password verification products don't record the actual keys pressed, only the timing, so they differ from keystroke logging software that can be used to spy on computer users. However, stretching the science of keystroke dynamics beyond what's currently possible could offer a way to do just that.

Daniele Gunetti and Claudia Picardi of the University of Torino in Italy are applying the technology to long stretches of text, seeing if typists can be identified when writing a memo or e-mail, and not just when entering a password. Then, a user's identity could be verified even after he or she has gained access to the system.

Their technique monitors the relative speed of typing particular combinations of letters. For example, one person might type 'a' and 's' quicker than 'a' and 'b,' while another person might do the opposite. By recording these speeds, the researchers can get a picture of the typist's global rhythm, Picardi said.

The longest text the researchers have tested is 2,500 characters, and with that they get 0.5 percent false alarms, that is, instances of the system marking a legitimate user as an impostor.

Picardi sees this as a way for law enforcement to track people, criminals or terrorists, as they move across the Web typing e-mail messages and posting on message boards. The caveat is that their keystrokes would have to be monitored as they are typing, so law enforcement would have to get the cooperation of Web sites or Internet service providers to spy on their users. A person's typing pattern cannot be reconstructed from existing text.

The system could also be used for more mundane purposes, such as password recovery. Now, if someone forgets a password, it has to be sent by e-mail or reset by a call to a help desk. With keystroke dynamics, Picardi said, that person could just type some text and have the system verify his or her identity.

Their keystroke analysis system is still in the research stage, so it is not available commercially. Other groups would eventually have to take the initiative to develop it into a product, Picardi said. However, the researchers do have a prototype on their Web site. Anyone can subscribe and provide samples of his or her typing. The person can then test the software to see if it identifies them correctly or flags them as an unwelcome threat.
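The template-and-threshold scheme Pfost describes above, written out as an added example in Python. This is not BioPassword's or iMagic Software's code: it takes press and release timestamps for a fixed password, derives dwell times (how long each key is held) and flight times (the gap between keys), builds a per-feature mean and deviation template from nine enrollment samples, scores later attempts by their mean absolute z-score from the template, and reports false-rejection and false-acceptance rates at several thresholds to show the security/usability dial. The password, the two typists' rhythms, the jitter, the distance measure and the threshold are all constructed assumptions.

```python
"""Password keystroke-dynamics verifier (added example, not a vendor's code).

Records dwell time per key and flight time between keys, builds a mean/deviation
template from a few enrollment samples, and scores later attempts against it.
All timings below are constructed, in milliseconds.
"""
import random
from statistics import mean, pstdev

MIN_SIGMA_MS = 5.0  # floor: a too-consistent enrollment must not make the template brittle


def features(sample):
    """sample: list of (key, press_ms, release_ms). Returns dwell times then flight times."""
    dwell = [rel - press for _, press, rel in sample]
    flight = [sample[i + 1][1] - sample[i][2] for i in range(len(sample) - 1)]
    return dwell + flight


def build_template(samples):
    """Per-feature mean and (floored) standard deviation across enrollment samples."""
    cols = list(zip(*(features(s) for s in samples)))
    return [mean(c) for c in cols], [max(pstdev(c), MIN_SIGMA_MS) for c in cols]


def score(template, sample):
    """Mean absolute z-score of the attempt against the template; 0 means identical rhythm."""
    mu, sigma = template
    f = features(sample)
    return sum(abs(x - m) / s for x, m, s in zip(f, mu, sigma)) / len(f)


def verify(template, sample, threshold):
    """Accept when the attempt is within `threshold` of the template."""
    return score(template, sample) <= threshold


def error_rates(template, genuine, impostors, threshold):
    """(false-rejection rate on genuine attempts, false-acceptance rate on impostor attempts)."""
    frr = sum(not verify(template, s, threshold) for s in genuine) / len(genuine)
    far = sum(verify(template, s, threshold) for s in impostors) / len(impostors)
    return frr, far


def make_sample(password, dwells, flights, jitter_ms, rng):
    """Constructed typing sample: nominal dwell/flight times plus uniform jitter."""
    t, sample = 0.0, []
    for i, key in enumerate(password):
        d = dwells[i] + rng.uniform(-jitter_ms, jitter_ms)
        sample.append((key, t, t + d))
        if i < len(flights):
            t += d + flights[i] + rng.uniform(-jitter_ms, jitter_ms)
    return sample


# Constructed rhythms for the assumed password "secret": 6 dwells and 5 flights, in ms.
PASSWORD = "secret"
ALICE = ([90, 80, 100, 85, 95, 90], [120, 140, 110, 160, 130])   # owner: fluent, muscle-memory rhythm
MALLORY = ([60, 60, 60, 60, 60, 60], [250, 300, 220, 280, 260])  # thief: knows the password, types it unfamiliarly


def demo(threshold=3.0, seed=1):
    """Enroll Alice on nine samples, then test genuine and impostor attempts at several thresholds."""
    rng = random.Random(seed)
    enroll = [make_sample(PASSWORD, *ALICE, 15, rng) for _ in range(9)]
    template = build_template(enroll)
    genuine = [make_sample(PASSWORD, *ALICE, 15, rng) for _ in range(20)]
    impostor = [make_sample(PASSWORD, *MALLORY, 15, rng) for _ in range(20)]
    return {
        "alice_accepted": verify(template, genuine[0], threshold),
        "mallory_accepted": verify(template, impostor[0], threshold),
        # threshold -> (FRR, FAR): the "dial" between locking out users and admitting impostors
        "rates": {t: error_rates(template, genuine, impostor, t) for t in (0.5, threshold, 50.0)},
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The owner's fresh attempts land close to the template and the thief's far from it even though both typed the correct password; sweeping the threshold trades false rejections for false acceptances, which is the dial behind the vendors' '99 percent' settings. The timing vector is gathered on the user's device, so the check assumes the client reporting it is honest.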
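Gunetti and Picardi's relative-speed idea above, as an added Python example that is not the researchers' code. A free-text typing session is reduced to the mean press-to-press latency of every letter pair it contains, and two sessions are compared by how differently they order the digraphs they share, normalised so that 0 means the same relative rhythm and 1 the exact opposite; absolute speed cancels out, only which pairs a typist is faster on matters. The typist profiles, the sample text, the jitter and the disorder normalisation are assumptions.

```python
"""Free-text typist comparison by relative digraph speed (added example, not the researchers' code).

Each session becomes a table of mean latency per letter pair; two tables are
compared by rank disorder over the digraphs they share. Typists, text and
timings are constructed.
"""
import random
from collections import defaultdict
from statistics import mean

LETTERS = "abcdefghijklmnopqrstuvwxyz"


def digraph_latencies(events):
    """events: list of (key, press_ms) in typing order. Mean press-to-press latency per letter pair."""
    acc = defaultdict(list)
    for (k1, t1), (k2, t2) in zip(events, events[1:]):
        if k1 in LETTERS and k2 in LETTERS:  # pairs across spaces or punctuation are ignored
            acc[k1 + k2].append(t2 - t1)
    return {d: mean(v) for d, v in acc.items()}


def disorder(a, b, min_shared=10):
    """Normalised rank disorder between two latency tables over their shared digraphs.

    0.0: shared digraphs ordered identically by speed; 1.0: order exactly reversed.
    Returns None when the sessions share too few digraphs to compare.
    """
    shared = sorted(set(a) & set(b))
    n = len(shared)
    if n < min_shared:
        return None
    rank_a = {d: r for r, d in enumerate(sorted(shared, key=a.get))}
    rank_b = {d: r for r, d in enumerate(sorted(shared, key=b.get))}
    total = sum(abs(rank_a[d] - rank_b[d]) for d in shared)
    max_total = n * n // 2 if n % 2 == 0 else (n * n - 1) // 2  # disorder of a reversed order
    return total / max_total


def typist_profile(seed):
    """Constructed typist: a fixed base latency (ms) for every letter pair."""
    rng = random.Random(seed)
    return {x + y: rng.uniform(80, 250) for x in LETTERS for y in LETTERS}


def type_text(text, profile, jitter_ms, rng):
    """Constructed keystroke events (key, press_ms) for `text` typed in a profile's rhythm."""
    t, events, prev = 0.0, [], None
    for ch in text.lower():
        if prev is not None:
            t += profile.get(prev + ch, 200.0) + rng.uniform(-jitter_ms, jitter_ms)
        events.append((ch, t))
        prev = ch
    return events


# Constructed memo text; only letter pairs inside words contribute digraphs.
TEXT = ("the quick brown fox jumps over the lazy dog while the other fox watches "
        "the river and the brown dog sleeps under the old oak tree near the quiet road")


def demo(seed=7):
    """Disorder of a reference session versus a new session by the same typist and by another."""
    rng = random.Random(seed)
    alice, bob = typist_profile(1), typist_profile(2)
    alice_ref = digraph_latencies(type_text(TEXT, alice, 10, rng))
    alice_new = digraph_latencies(type_text(TEXT, alice, 10, rng))
    bob_new = digraph_latencies(type_text(TEXT, bob, 10, rng))
    return disorder(alice_ref, alice_new), disorder(alice_ref, bob_new)


if __name__ == "__main__":
    same, other = demo()
    print(f"same typist: {same:.2f}   different typist: {other:.2f}")
```

In practice the reference and the new session are different texts, which is why the comparison is restricted to shared digraphs and refuses to answer when too few are shared; the same-typist score stays small while an unrelated typist's order of digraph speeds looks close to random.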

Text-based forensics sexes you up

Try this simple test

Not only can how you type reveal who you are, what you type can be revealing as well. Neal Krawetz, who heads the security consulting firm Hacker Factor Solutions, created an online test called Gender Guesser, which does exactly that.

You type in 300 words or more and the program guesses if you are male or female. Krawetz drew on earlier research that showed how someone's gender could be determined by the kinds of words and parts of speech used. To take the test and find out how it works, go to GCN.com/776.

Digital forensics doesn't come cheap

Although the knowledge of telltale typing habits may help flush out criminals, that work is getting more expensive because of the increasing cost of digital forensics.

The discipline of digital forensics is quickly becoming more professional as standards are established, and courts are beginning to require that evidence be processed only in certified laboratories.

And that professionalism does not come cheap. 'It's tremendously expensive,' said Jim Christy of the Defense Department's Cyber Crime Center, which runs the nation's largest certified digital forensics lab.

As a result, DOD is appealing to industry to provide software that could help reduce costs.

Christy told security professionals in February at the Black Hat Federal Briefings in Arlington, Va., that keeping up certification for the lab, its personnel, and its hardware and software accounts for up to 40 percent of the facility's overhead. Faced with these requirements and the challenge of processing a rapidly growing volume of data, the Cyber Crime Center needs industry's help.

'One of the reasons I'm here is to appeal to the vendors to create the tools and processes to help us process the evidence in a timely manner,' Christy said.
One of the greatest needs is for tools for testing and evaluating hardware and software used in the lab.

Digital forensics is the discipline of analyzing and preparing digital evidence in criminal investigations. Christy is a pioneer in computer crime investigation, with more than 30 years' experience in the field. When he began, there were no standards or guidelines for how to gather and handle this data. Today, it is a structured and increasingly regulated field. In 2003, the American Society of Crime Lab Directors set standards for certifying digital forensics labs.

All tools used in the lab must be certified to those standards, and all personnel must be tested and evaluated annually. All work on evidence done by an analyst must be reviewed by other certified analysts. The failure of an analyst could jeopardize any convictions in recent trials where the analyst testified or prepared evidence.

The accreditation program is still in its infancy. There are 327 accredited general forensics labs nationwide, Christy said, but only 12 accredited digital forensics labs. And with more than 19,000 law enforcement agencies, most with fewer than 25 officers, demands on certified labs are growing.

The Cyber Crime Center facility has 90 analysts, but the workload is growing faster than its workforce. The number of digital devices from which evidence can be gleaned is growing rapidly and now includes iPods and Xbox game consoles in addition to PCs, Global Positioning System devices and cellular phones. The volume of data gathered in a single investigation can rapidly amount to a terabyte.

The Cyber Crime Center lab handled about 12 terabytes of data in 2001, Christy said, and 156 terabytes in the 700 cases it handled last year. At the same time, the turnaround time for each case has decreased from 89 days in 2003 to 41 days in 2006.

'You need bigger and better tools' to handle that volume of data, Christy said.
Christy recently retired as a special agent from the Cyber Crime Center and now heads the center's newly formed Futures Exploration division, an outreach program that seeks support from industry and academia. As part of that outreach, the center announced the DC3 challenge at the August 2006 Black Hat Briefings in Las Vegas. The contest was a set of 11 challenges on data recovery and analysis. Twenty-one teams entered, and the winner, a team from AccessData, won a trip to the January Defense Cyber Crime Conference in St. Louis.

One of the challenges was to recover data from a broken CD, a problem for which the lab had no solution. Eleven of the teams solved that problem, Christy said. 'And they all had different techniques.' So now when a damaged CD comes in as evidence, analysts have 11 techniques to use.

The challenge will be repeated this year. One of the tasks likely to be included will be recovery of data from a drive protected by BitLocker, the disk encryption feature in Microsoft's Windows Vista operating system.

William Jackson