Signature style

Text-based forensics sexes you up

Try this simple test

Not only can how you type reveal who you are, what you type can be revealing as well. Neal Krawetz, who heads the security consulting firm Hacker Factor Solutions, created an online test called Gender Guesser, which does exactly that.

You type in 300 words or more and the program guesses whether you are male or female. Krawetz drew on earlier research that showed how someone's gender could be determined by the kinds of words and parts of speech used. To take the test and find out how it works, go to GCN.com/776.

Digital forensics doesn't come cheap

Although the knowledge of telltale typing habits may help flush out criminals, that work is getting more expensive because of the increasing cost of digital forensics.

The discipline of digital forensics is quickly becoming more professional as standards are established, and courts are beginning to require that evidence be processed only in certified laboratories.

And that professionalism does not come cheap. 'It's tremendously expensive,' said Jim Christy of the Defense Department's Cyber Crime Center, which runs the nation's largest certified digital forensics lab.

As a result, DOD is appealing to industry to provide software that could help reduce costs.

Christy told security professionals in February at the Black Hat Federal Briefings in Arlington, Va., that keeping up certification for the lab, its personnel, and its hardware and software accounts for up to 40 percent of the facility's overhead. Faced with these requirements and the challenge of processing a rapidly growing volume of data, the Cyber Crime Center needs industry's help.

'One of the reasons I'm here is to appeal to the vendors to create the tools and processes to help us process the evidence in a timely manner,' Christy said.

One of the greatest needs is for tools for testing and evaluating hardware and software used in the lab.

Digital forensics is the discipline of analyzing and preparing digital evidence in criminal investigations. Christy is a pioneer in computer crime investigation, with more than 30 years' experience in the field. When he began, there were no standards or guidelines for how to gather and handle this data. Today, it is a structured and increasingly regulated field. In 2003, the American Society of Crime Lab Directors set standards for certifying digital forensics labs.

All tools used in the lab must be certified to those standards, and all personnel must be tested and evaluated annually. All work on evidence done by an analyst must be reviewed by other certified analysts. The failure of an analyst could jeopardize any convictions in recent trials where the analyst testified or prepared evidence.

The accreditation program is still in its infancy. There are 327 accredited general forensics labs nationwide, Christy said, but only 12 accredited digital forensics labs. And with more than 19,000 law enforcement agencies, most with fewer than 25 officers, demands on certified labs are growing.

The Cyber Crime Center facility has 90 analysts, but the workload is growing faster than its workforce. The number of digital devices from which evidence can be gleaned is growing rapidly and now includes iPods and X-Box game consoles in addition to PCs, Global Positioning System devices and cellular phones. The volume of data gathered in a single investigation can rapidly amount to a terabyte.

The Cyber Crime Center lab handled about 12 terabytes of data in 2001, Christy said, and 156 terabytes in the 700 cases it handled last year. At the same time, the turnaround time for each case has decreased from 89 days in 2003 to 41 days in 2006.

'You need bigger and better tools' to handle that volume of data, Christy said.

Christy recently retired as a special agent from the Cyber Crime Center and now heads the center's newly formed Futures Exploration division, an outreach program that seeks support from industry and academia. As part of that outreach, the center announced the DC3 challenge at the August 2006 Black Hat Briefings in Las Vegas. The contest was a set of 11 challenges on data recovery and analysis. Twenty-one teams entered, and the winner, a team from Access Data, won a trip to the January Defense Cyber Crime Conference in St. Louis.

One of the challenges was to recover data from a broken CD, a problem for which the lab had no solution. Eleven of the teams solved that problem, Christy said. 'And they all had different techniques.' So now when a damaged CD comes in as evidence, analysts have 11 techniques to use.

The challenge will be repeated this year. One of the tasks likely to be included will be recovery of data from the BitLocker encryption feature in Microsoft's Vista operating system.

William Jackson

In a famous cartoon from The New Yorker, a pooch sitting at a computer proclaims, 'On the Internet, nobody knows you're a dog.' That may be true, at least for the gifted canines among us. But if the typist is a human, 'they can tell if you're a left-handed female piano player with an ergonomic keyboard,' Neal Krawetz of Hacker Factor Solutions told attendees at a Black Hat Conference in Las Vegas last year.

Since the 1980s, research has shown that the way a person types is as unique as a fingerprint. How long someone holds down the keys and the time it takes to move from one key to another vary among individuals, and those variations can be measured and captured to produce a profile of a person's typing style.

The idea is not new. Morse code aficionados have long known that each operator has a unique rhythm of clicking out dots and dashes. It's called the operator's fist. But now, vendors are beginning to offer software that exploits this behavior, known as keystroke dynamics, to authenticate the identity of their customers and employees.

Conceivably, those systems could even be used to comply with Homeland Security Presidential Directive 12, which calls on agencies to authenticate network users in two ways. Keystroke dynamics could be an attractive form of authentication because, unlike other techniques such as biometrics, this form of authentication does not require new hardware.

And researchers are studying whether they can extend the technology into other realms, too. If keystroke dynamics can apply to more than just password verification, it will also offer a method of identifying and tracking the activity of criminals, terrorists or anyone who uses a keyboard.

Nowadays, almost every online transaction requires a password. But the security of that password can be compromised in many ways. People choose passwords that can be easily guessed, or they might use the same password for many Web sites to make it easier to remember.

And once that password falls into the wrong hands, anyone can take over that user's identity. Recognizing this, many organizations are adding a second layer of verification to increase security. For example, some banks are asking their customers to choose a picture password from a range of choices offered. Others are issuing tokens (small devices that generate a series of one-time-use passcodes) to customers who access their accounts via the Internet.

Another solution is biometric identification, which involves a host of technologies that rely on either physiological traits unique to a person (a fingerprint or iris pattern, for example) or behavioral traits. Typing rhythm falls into the latter category.

Identification via keystroke dynamics has the advantage of being relatively inexpensive and simple to implement. Physiological biometrics usually requires special hardware such as a fingerprint scanner, but keystroke dynamics software only needs a keyboard.

Parda Federal Credit Union, in Auburn Hills, Mich., adopted a password verification system based on keystroke dynamics late last year. Parda had been searching for a way to meet guidance issued by the Federal Financial Institutions Examination Council on authentication of customer identity on the Internet.

The FFIEC guidance did not endorse any particular technology, but it did cite multifactor identification (that is, using one or more systems in addition to a password) to reduce the risk of account fraud and identity theft.

The credit union explored several options but decided on a system from BioPassword. 'The real attractive piece is that our membership doesn't have to do anything different,' said Melissa Auchter, Parda's chief information officer. 'You don't want to surprise them. You're talking about people's money.'

Parda uses BioPassword's Internet Edition, which is designed for Web-based applications such as online banking, health care portals and business-to-business transactions. The software is installed on the institution's server and analyzes the keystrokes of users logging in from anywhere.

BioPassword also sells an Enterprise Edition for companies to verify the identity of employees and people using in-house computers. In that case, the software needs to be installed on every access point.

When someone enters his or her password, the system records how long the keys are held down and the time between presses, said Jared Pfost, BioPassword's vice president of security and product strategy. After a training period of about nine samples, it creates a statistical representation of that person's typing pattern. Then the next time that user logs in, the system compares the password entry to that template.

If there is a match, the user is granted access; if not, access is blocked. The level of security can be tailored to the organization's needs, Pfost said. On the Internet Edition, security can be dialed down so that 99 percent of the time, the system would not reject a customer logging in. On the other extreme, the Enterprise Edition can be adjusted to be 99 percent secure. The key is to strike a balance between security and usability, Pfost said.
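The dwell-and-flight template described above, as an added Python illustration (not BioPassword's own code; the password, the nine training samples and the two rhythm profiles are constructed), including the threshold dial that trades rejected legitimate users against accepted impostors:

```python
import random
import statistics

# Constructed data: one timing vector per login of the password "secret".
# A vector holds the dwell time of each key (ms held down) followed by the
# flight time between consecutive keys (ms from one press to the next).
# A real product captures these from the keyboard; here they are synthesised.
PASSWORD = "secret"   # 6 dwell + 5 flight = 11 features per attempt

def synth_sample(profile, jitter, rng):
    """Generate one timing vector around a typist's rhythm profile."""
    return [max(1.0, rng.gauss(m, jitter)) for m in profile]

def build_template(samples):
    """Train a template: per-feature mean and standard deviation."""
    cols = list(zip(*samples))
    return [(statistics.mean(c), max(statistics.pstdev(c), 1.0)) for c in cols]

def score(template, attempt):
    """Fraction of features within two standard deviations of the template."""
    hits = sum(1 for (mu, sd), x in zip(template, attempt) if abs(x - mu) <= 2 * sd)
    return hits / len(template)

def verify(template, attempt, threshold):
    """Accept the login if the rhythm score reaches the configured threshold."""
    return score(template, attempt) >= threshold

def trade_off(template, owner_attempts, impostor_attempts, threshold):
    """Return (false reject rate, false accept rate) at one threshold setting."""
    frr = sum(not verify(template, a, threshold) for a in owner_attempts) / len(owner_attempts)
    far = sum(verify(template, a, threshold) for a in impostor_attempts) / len(impostor_attempts)
    return frr, far

RNG = random.Random(7)
OWNER = [90, 85, 95, 80, 100, 90] + [120, 140, 110, 130, 125]        # ms, constructed
IMPOSTOR = [150, 160, 140, 170, 155, 150] + [260, 240, 280, 250, 270]  # ms, constructed
TEMPLATE = build_template([synth_sample(OWNER, 10, RNG) for _ in range(9)])  # 9 enrolments
OWNER_TRIES = [synth_sample(OWNER, 10, RNG) for _ in range(200)]
IMPOSTOR_TRIES = [synth_sample(IMPOSTOR, 10, RNG) for _ in range(200)]

if __name__ == "__main__":
    # A lenient dial favours customers; a strict one favours security.
    for t in (0.6, 0.75, 0.9):
        print(t, trade_off(TEMPLATE, OWNER_TRIES, IMPOSTOR_TRIES, t))
```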

Parda tested BioPassword on its own employees for about a month before introducing it to members of the credit union, Auchter said. All customers were asked to reset their passwords to take advantage of the new system, and no major problems have been reported so far, she said.

Once a person establishes a rhythm for typing a password, it's very hard for someone else to mimic, said Steven Bender, chief executive officer of iMagic Software, which makes a password verification system called Trustable Passwords, also based on keystroke dynamics. It uses technology that recognizes when typing goes from slow and unfamiliar to muscle memory, Bender said. At that point, the rhythm becomes stable and persistent.

Neither BioPassword nor iMagic Software has clients in the federal government. State and local governments, however, are considering keystroke dynamics products because they're cost effective, Bender said. Fingerprint scanners, smart cards and passcode-generating tokens are expensive platforms to set up, maintain and upgrade. On the other hand, password verification, which is purely a software solution, can be easily installed and updated.

It also helps alleviate the problems that lead to insecure passwords in the first place. People can choose a dictionary word instead of gibberish, Bender said. Also, 'with our product, you don't have to change your password anymore,' he added. The more typing samples it acquires, the more robust the template becomes. In fact, if someone does steal a password and tries to log in with it, the system will know because that thief's typing pattern will surely be different.

Rhythm nation

Such password verification products don't record the actual keys pressed, only the timing, so they differ from keystroke logging software that can be used to spy on computer users. However, stretching the science of keystroke dynamics beyond what's currently possible could offer a way to do just that.

Daniele Gunetti and Claudia Picardi of the University of Torino in Italy are applying the technology to long stretches of text, seeing if typists can be identified when writing a memo or e-mail, and not just when entering a password. Then, a user's identity could be verified even after he or she has gained access to the system.

Their technique monitors the relative speed of typing particular combinations of letters. For example, one person might type 'a' and 's' quicker than 'a' and 'b,' while another person might do the opposite. By recording these speeds, the researchers can get a picture of the typist's global rhythm, Picardi said.

The longest text the researchers have tested is 2,500 characters, and with that they get 0.5 percent false alarms, that is, instances of the system marking a legitimate user as an impostor.
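An added Python sketch of the relative-rhythm idea (an illustration written for this page, not the Torino group's code; the text, the typists' hidden rhythms and the three enrolled profiles are constructed): it ranks the letter pairs two samples share from fastest to slowest in each, measures how far the ranking shifts, and names the nearest enrolled typist.

```python
import random
from collections import defaultdict

def digraph_latencies(keystrokes):
    """Average press-to-press latency (ms) per two-character combination.
    keystrokes: list of (char, press_time_ms) in typing order."""
    acc = defaultdict(list)
    for (a, ta), (b, tb) in zip(keystrokes, keystrokes[1:]):
        acc[a + b].append(tb - ta)
    return {dg: sum(v) / len(v) for dg, v in acc.items()}

def relative_distance(lat_a, lat_b):
    """Degree of disorder between two samples: rank the shared digraphs by
    speed in each sample, add up how far every digraph moves between the two
    rankings, normalise to [0, 1]. Only relative order matters, so a typist
    who is slower overall on a given day still looks like themselves."""
    shared = sorted(set(lat_a) & set(lat_b))
    if len(shared) < 2:
        return 1.0
    order_a = sorted(shared, key=lambda d: lat_a[d])
    pos_b = {d: i for i, d in enumerate(sorted(shared, key=lambda d: lat_b[d]))}
    disorder = sum(abs(i - pos_b[d]) for i, d in enumerate(order_a))
    n = len(shared)
    return disorder / (n * n / 2 if n % 2 == 0 else (n * n - 1) / 2)

def identify(sample, profiles):
    """Name the enrolled typist whose stored samples are closest on average."""
    lat = digraph_latencies(sample)
    avg = {user: sum(relative_distance(lat, s) for s in samples) / len(samples)
           for user, samples in profiles.items()}
    return min(avg, key=avg.get)

# Constructed data: each typist has a hidden per-digraph rhythm; every typing
# session of TEXT adds jitter. A real system captures the timings live.
TEXT = "the quick brown fox jumps over the lazy dog " * 8

def type_text(rhythm, rng, jitter=10.0):
    keys, t = [], 0.0
    for a, b in zip(TEXT, TEXT[1:]):
        if a + b not in rhythm:
            rhythm[a + b] = rng.uniform(80, 300)   # this typist's pace for the pair
        keys.append((a, t))
        t += max(20.0, rhythm[a + b] + rng.gauss(0, jitter))
    keys.append((TEXT[-1], t))
    return keys

RNG = random.Random(3)
RHYTHMS = {u: {} for u in ("alice", "bob", "carol")}
PROFILES = {u: [digraph_latencies(type_text(RHYTHMS[u], RNG)) for _ in range(3)]
            for u in RHYTHMS}
```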

Picardi sees this as a way for law enforcement to track people, criminals or terrorists, as they move across the Web typing e-mail messages and posting on message boards. The caveat is that their keystrokes would have to be monitored as they are typing, so law enforcement would have to get the cooperation of Web sites or Internet service providers to spy on their users. A person's typing pattern cannot be reconstructed from existing text.

The system could also be used for more mundane purposes, such as password recovery. Now, if someone forgets a password, it has to be sent by e-mail or reset by a call to a help desk. With keystroke dynamics, Picardi said, that person could just type some text and have the system verify his or her identity.

Their keystroke analysis system is still in the research stage, so it is not available commercially. Other groups would eventually have to take the initiative to develop it into a product, Picardi said. However, the researchers do have a prototype on their Web site. Anyone can subscribe and provide samples of his or her typing. The person can then test the software to see if it identifies them correctly or flags them as an unwelcome threat.
