The Great Firewall of Cyberspace

Back to Contents of Issue: April 2006

Are our efforts at prevention worth the crime?

by Bonnie Lee La Madeleine

2005, it seems, was the worst year for cyber security since, well, 2004. No one is safe from digital plagues and burglars. According to USA Today, 130 data breaches exposed 55 million Americans to potential ID theft, and the United States Computer Emergency Readiness Team (US-CERT) reported 5,198 software vulnerabilities that exposed users to perpetrators. The message is clear: without better measures to protect ourselves, the end of the world will be upon us.

The response to this heightened risk is to develop more technology to counter cybercrime tactics and allay fears, with a sizable chunk of an estimated JPY200 billion information security market at stake. At the end of 2003, Nomura Research Institute, Ltd. predicted that network security would grow into a JPY4.3 trillion (USD39 billion) industry by 2008, as security companies improve ways to protect our data and help companies remain productive. Biometric technologies that use biological features (iris or retina scans, voice recognition, and finger- or handprints) for identification and access rights are estimated to capture at least USD2 billion of that market's revenue. Japan's technology giants are leading the way. Fujitsu, Hitachi and NEC all announced biometric advances in 2005 intended to keep undesirables away from data and equipment, and to capture a large part of that pie. Two of them offer vein scanning that can block access to data, homes, and cars. Digital security, it seems, is going to be big business in 2006.

To date, the solution to a data breach or new viral infection has complicated access to life-simplifying technology. We need new passwords and guard-dog software to deter those lurking virtual parasites from infecting our technology or sending illicit messages to our enemies. Such efforts take time, reduce productivity, and challenge our patience. They also fail to decrease anxiety. In addition, most of the devices that are designed to protect information, computers, and cars are ineffective. Fingerprint scanners can be bypassed using the same stuff used to make gummy bears, or even Play-Doh(R), for less than a thousand yen.

As the memories of those year-end prophecies of doom fade, it is time for sober reflection on the real threats to data security and for determining the logical steps to protect us from ever more devious cyber criminals. Since 2002, cyber attacks have declined, according to annual surveys by non-profit organizations in Australia and the United States. Only 35 percent of respondents in the 2005 Australian Computer Crime and Security Survey reported an attack against their computers, down from 62.7 percent in 2002.

The US equivalent of the survey was more precise, but equally optimistic. It reported an increase in the (successful) misuse of computer systems. Just over half (56 percent) of the respondents claimed unauthorized uses, but these included employees' inappropriate use of company bandwidth (sharing jokes, downloading music, and the like). Hardly threatening criminal activity, but still, ethically, thieving. Neither survey reported significant criminal activity that puts millions of people's personal data at risk, despite a few significant, highly publicized scares.

What type of bunker is really needed to protect our networks and computers? Surprisingly, it is neither spammers nor those seeking personal information for resale that are the most costly threat to digital information. Rather, both studies suggest, it is the loss or theft of mobile phones, computers, and PDAs. Finding ways to prevent work slowdowns or exposure when an employee's work communication tools go missing would go a long way to securing network information. One possible solution is to use a biometric scan to deny access to hard drives.

Biometrics gets under the skin
Biometric approaches to digital security are diverse. Each approach exploits an aspect of the body that makes an individual unique: the voice, handwriting, finger, hand, iris, retina, or face. Recent devices can go deeper, penetrating the skin to use the vessels carrying blood back to the lungs as the identifying feature. Yet the process for all these scans is the same: a snapshot (a statistical profile) of the area is taken and digitally compared with one stored in a database, on a USB drive, or on a smart card. If there is a match, access is granted. No match, no access.

Biometric security offerings vary according to cost, convenience, equipment, and the extent of the user's personal information required. Fingerprints are the oldest biometric identifier and the least effective. Keystroke and signature access is the most cost-effective means of securing access to information, requiring only software that creates statistical profiles of the individual's typing or writing patterns. Voice-pattern recognition operates similarly and also requires training, but a headset is necessary. While these systems do not infringe on privacy, they are complex and still require users to remember multiple passwords.

Current technology uses either penetrating sensors emitting light powerful enough to pass through the body, or reflecting sensors that barely penetrate the body. Less light intensity is required for reflecting sensors than for penetrating ones, which require a receptor behind the subject to catch the light and create the image. Most technologies use reflected light because it can be incorporated into portable, less costly security systems.

Iris and retina scans shoot light directly into the eye. Critics wonder if repeated exposure might increase the risk of damage to the lens or retina. This claim has yet to be investigated, but if visual damage is suspected, the potential liability to companies using this technology could be high. Therefore, non-invasive scans of areas of the body most of us are willing to expose, like our fingers or palms, have become the primary target for biometric data security.

External traits, like our faces or fingerprints, are unique but hardly static. They change with aging, exposure and injury. Moreover, external traits can be counterfeited or stolen, albeit gruesomely, further reducing the consumer appeal. So researchers are looking for deeper levels of distinction that have unique identifiers and are less susceptible to violent efforts at acquisition. One promising candidate is the circulatory system. It is sufficiently complex. Also, deoxygenated blood can be imaged with relatively simple technology -- which is just what hand- and face-geometric scanners do. Reading the veins just under the skin of our fingers, hands or face is starting to gain acceptance. Fujitsu has created a contact-less palm sensor that gates access to money, homes, computers, and data. It has the potential to protect us from our own clumsiness.

"For the convenience"
Fujitsu's palm scanner is a little black box. No kidding. It can be installed in machines like ATMs, computers, cars and main entrances or carried around in the same way as flash drives on key chains.

The box is simply a digital camera that uses near infrared light to take pictures of the vasculature of the palm. To be more precise, it snaps a shot of the veins just under the skin that are carrying deoxygenated blood back to the lungs and heart. When the black box senses movement it will ask for a hand. The exchange is like a secret handshake, making sure that the veins in your palm are those with access privileges to data, home or money. The flash of near-infrared light allows a digital image of the hand's vein pattern to be taken. This image is compared with one stored on a smart card or on the device. If the two images match, you get to use the card, withdraw money, enter your home, or borrow a library book.

It sounds simple, and, surprisingly, it is. According to Dr. Akira Wakabayashi, leader of the engineering team that designed this device, the black box registers an image more like an X-ray than a camera taking snapshots of a child's first steps. Unlike an X-ray, however, only the veins are imaged. This is where the true security comes into play.

Near-infrared light is invisible to the human eye. Infrared, the light used to beam information between computers, PDAs and motion detectors, has a significantly shorter wavelength, and can be used to send information without wires. It can also, it turns out, identify hemoglobin, a protein in red blood cells that carries oxygen to nearly every cell in our body, after it has dumped its oxygen payload and is returning to the lungs to get more. Each human has a unique network of vessels, or veins, that carry this deoxygenated blood. This structure is visible when exposed to near-infrared light. Importantly, to take the image the subject must be alive and intact. This significantly reduces the risk of mutilation, murder, or duplication by a criminal intent on breaching security.

Evaluating the merits of available biometric technologies depends on the end user, its particular goals, and the perceived threat to data. Measures of accuracy are not as important as one might think. The economics of hacking the system are, in many ways, more relevant than the value of the object being protected. The effort that is required to successfully copy the physical trait and transform that information into the input needed to trick the device will determine how good or bad any biometric measure will be.

Three years ago, Tsutomu Matsumoto, a cryptographer, molded gelatine into a fake finger that successfully tricked fingerprint recognition devices 80 percent of the time. More relevant, the total cost of his hack was less than the price of a movie ticket. Getting access to information or stealing a car would be simple and, from the thief's point of view, cost effective.

When a biometric device accepts a sample it should have rejected, letting the wrong person through, it is called a false acceptance. False acceptance rates (FAR) are just one of the metrics used to determine the success of a biometric study, and a follow-up in 2005 shows how pointless fingerprinting can be as a means of protecting ourselves.

However, there are also false rejection rates (FRR), the share of legitimate users the device turns away. The combination of FAR and FRR is important in determining what makes one biometric technological offering better than another. How do the available metrics fare? Iris, finger and hand geometry are less prone to mistakes than other available technologies. Fujitsu tested their palm scanner with 140,000 people, and the results exceeded their best expectations for false acceptance, with less than a one-in-12,500 chance that the wrong person will be able to access information protected behind the biometric gate.
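To make the FAR/FRR trade-off concrete, here is an added example (not Fujitsu's code or anything from the article) that runs a threshold-based matcher over constructed similarity scores and shows that tightening the threshold to hit a FAR target raises the FRR the legitimate user pays. The scores, the `grant_access` gate and the helper names are assumptions for illustration.

```python
"""FAR/FRR trade-off for a threshold-based biometric matcher (constructed data)."""
from typing import Sequence, Tuple

# Constructed similarity scores in [0, 1]; higher means "more alike".
# Genuine: live sample vs. the same person's enrolled template.
# Impostor: live sample vs. somebody else's template.
GENUINE_SCORES = [0.93, 0.88, 0.91, 0.62, 0.85, 0.96, 0.82, 0.74, 0.90, 0.68]
IMPOSTOR_SCORES = [0.21, 0.35, 0.42, 0.58, 0.30, 0.71, 0.66, 0.25, 0.39, 0.52]


def grant_access(score: float, threshold: float) -> bool:
    """The biometric gate: a match is declared only when the score clears the threshold."""
    return score >= threshold


def far_frr(threshold: float, genuine: Sequence[float],
            impostor: Sequence[float]) -> Tuple[float, float]:
    """FAR = fraction of impostor attempts accepted (wrong person gets in).
    FRR = fraction of genuine attempts rejected (right person locked out)."""
    false_accepts = sum(grant_access(s, threshold) for s in impostor)
    false_rejects = sum(not grant_access(s, threshold) for s in genuine)
    return false_accepts / len(impostor), false_rejects / len(genuine)


def threshold_for_target_far(target_far: float, genuine: Sequence[float],
                             impostor: Sequence[float]) -> Tuple[float, float, float]:
    """Lowest threshold (in steps of 0.01) whose FAR is at or below the target,
    returned with the FAR and FRR actually measured there.  A stricter FAR
    target (e.g. the article's 1 in 12,500) pushes the threshold up and,
    with it, the rate at which legitimate users are turned away."""
    for i in range(101):
        t = i / 100
        far, frr = far_frr(t, genuine, impostor)
        if far <= target_far:
            return t, far, frr
    return 1.0, 0.0, 1.0


if __name__ == "__main__":
    for t in (0.6, 0.7, 0.75):
        print(f"threshold {t:.2f}: FAR={far_frr(t, GENUINE_SCORES, IMPOSTOR_SCORES)[0]:.2f}"
              f" FRR={far_frr(t, GENUINE_SCORES, IMPOSTOR_SCORES)[1]:.2f}")
    print("zero-FAR threshold:", threshold_for_target_far(0.0, GENUINE_SCORES, IMPOSTOR_SCORES))
```

On the constructed data no threshold gives zero FAR and zero FRR at once: the two score populations overlap, which is exactly why a vendor quotes a FAR only alongside the FRR it was measured with.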

Currently, most biometric-scanner technology appears clunky or awkward and remains too expensive for broad consumer use. However, Fujitsu's scanner has already found commercial applications. Tokyo-Mitsubishi has started to use the contact-less scanners to increase ATM user security, and hospitals and apartment complexes are using these systems as passkeys to facilities.

When asked if he would use this technology, Wakabayashi replied, "Yes, but not just for the security, for the convenience [also]." I could see his point. No need to fumble for keys in the dark to get into my home or car, and the nightmarish efforts to key in that thirteen-character code to access my wireless would disappear. Convenience and peace of mind.

Just how scary is the information crime world? How much protection do we need? Answers to those questions depend more on the information we are seeking to protect, the vulnerability of data, and the amount of trust customers put in the company holding that data. One truth, however, is that an ounce of prevention is always worth more than a pound of cure.

The threat from cyber criminals, judging from cases listed on both the Interpol and FBI websites, is not so great. Seventeen cases are listed on the FBI Information Crime web pages for 2005. The total estimated (not actual) cost to victims was less than USD6 million. Most of these cyber criminals were young virus authors, and only one case involved a targeted theft of credit card numbers. While it's true the list is just a sample, and out-of-court settlements are unreported, it still indicates that companies are spending USD2 billion to protect against crimes causing damages on the order of USD6 million.

Organizations and companies that generate most reports on cyber crime have large stakes in the information security markets. They argue that criminals are using increasingly sophisticated methods to plunder data, but most of these methods lure individuals who are careless or less savvy computer users. A case in point is the extent of damage caused by the Karma-Sutra virus. Sites that lure naive web users into releasing a program on their computers are common and a clear threat to personal security, but most surveys show that firewalls and training are more effective at reducing exposure risk than high-tech software and equipment. Besides, few employees actually go to personal sites at work.

Ninety percent of the financial burden of these computer-related security breaches in the United States and Australia is associated with the loss or theft of laptops, mobile phones, and PDAs. While technically not data theft or invasion, these situations do present an exposure risk. It is here that biometric technology and finger and palm scanning can prove their worth.

If the hard drive data is secure, or the mobile phone cannot be operated without a positive palm scan, then the information is harder to access. That makes the computer less attractive for petty theft. More telling is that most respondents in the surveys reported that attacks were non-malicious in nature: spammers.

So, while the real threat to our digital lifestyle remains unknown, and these very cool measures are built to protect our data from our own carelessness, we simply do not know how many hackers are out there looking to get our personal information. This raises a question: Is peace of mind worth all of this?