Robert Blincoe, Author at New ĐÓ°ÉÔ­´´ Science news and science articles from New ĐÓ°ÉÔ­´´ Thu, 07 Jan 2010 10:59:00 +0000 en-US hourly 1 https://wordpress.org/?v=7.0.1 242057827 Your keyboard knows that it’s you and you’re stressed /article/1944239-your-keyboard-knows-that-its-you-and-youre-stressed/?utm_campaign=RSS|NSNS&utm_content=currents&utm_medium=RSS&utm_source=NSNS Thu, 07 Jan 2010 10:59:00 +0000 http://dn18350 Stressed?
Stressed?
(Image: Peter Cade/Getty)

Next time you enter a username and password, think about the rhythm of your typing. Not only can it be used to identify you, it can reveal if you are in a stressful environment.

The team behind the discovery suggest it could be used by retailers or banks to detect whether you are logging into your account under extreme stress or duress.

It has long been known that the rhythms of a person’s typing style are stable over time, leading to suggestions they could be used to verify identity or even spot early signs of Alzheimer’s disease. But little was know about the effect of stress on typing patterns, so psychologist , UK, investigated.

Stress test

They asked 35 people to log into a computer 36 times over three separate sessions up to a month apart, using the same user name (abertayexperiment) and password (understandsomething). People were put into stressed and neutral states alternately by listening to a known to elicit particular emotions and heard either heard gentle paper crumpling or arguing couples and emergency sirens.

The length of time each key was held down and the interval between one being released and another pressed was recorded to generate a typing “fingerprint” for each person. Electrodes were attached to the typists’ hands to detect sweating – a sign of stress also exploited by lie detectors.

The team used the data to develop and test software that identifies a person from their typing style alone. Using just the 36 characters of the login details it was able to correctly identify users 97.2 per cent of the time in a total of 42,840 login attempts. It wasn’t unusual for a person’s timing to vary by just 20 milliseconds between two logins a week apart, says Dowman.

The data also showed that stress can be detected in a person’s typing because it changes the pattern of timings – for example by making key-presses shorter on average – although typists retained enough of their style to be identifiable.

“There’s no question: people do type differently under stress,” says Dowman. He suggests that security systems could be designed to raise the alarm if it seems that a person might be being forced to log into a system, whether a cash machine or online account. More research will be needed, however, before a system could tell if a person is, say, just having a bad day or being held at gunpoint.

No more passwords

, a computer security consultant and visiting professor at the , UK, says that the Abertay system’s success rate is similar to other biometric systems in use, such as voiceprints or the fingerprint scanners built into laptops.

With further improvements to typing-style recognition, passwords may no longer be needed for some systems, he says. “You can take the identification characteristics of the way they type in their username.”

The Abertay group have applied for patents on their ideas about how to detect signs of a stressful environment in a person’s typing style.

]]>
1944239
Proper use of English could get a virus past security /article/1943168-proper-use-of-english-could-get-a-virus-past-security/?utm_campaign=RSS|NSNS&utm_content=currents&utm_medium=RSS&utm_source=NSNS Fri, 27 Nov 2009 17:06:00 +0000 http://dn18211 Hackers could evade most existing antivirus protection by hiding malicious code within ordinary text, according to security researchers.

One of the most common ways of hijacking other people’s computers is to use “code-injection” attacks, in which malicious computer code is delivered to and then run on victims’ machines. Current security measures work on the assumption that the code used has a different structure to plain text such as English prose.

Now a team of researchers has highlighted a potential future theatre in the virus-security arms race by working out how to hide malware within English-language sentences.

of Johns Hopkins University in Baltimore, Maryland, and his colleagues developed a way to search a large set of English text – mostly composed of more than 15,000 Wikipedia articles and roughly 27,000 books from the online library – for combinations of words that could be used in code.

Their program highlighted the text to be used in the instruction set in bold, while leaving the sections to be skipped in plain text, as in the following example: There is a major center of economic activity, such as Star Trek, including The Ed Sullivan Show. The former Soviet Union.”

CODE STANDS OUT

It’s not the first time the potential weakness has been recognised, but many computer security experts thought the rules of English word and sentence construction would make the task impossible.

In machine code – the raw code that microprocessor chips understand – combinations of characters not seen in plain text, such as strings of mostly capital letters, are required.

“There was not a lot to suggest it could be done because of the restricted instruction set [of machine code],” said Mason. “A lot of people didn’t think it could be done.”

John Walker, managing director of UK security consultancy , said the research highlighted a basic weakness in antivirus tactics, and that hackers would undoubtedly try to exploit it. “There is no doubt in my mind that antivirus software as we know it today has gone well past its sell-by date,” he said.

, a security and cryptology researcher at University College London, said malicious code in this form would be “very hard if not impossible to detect reliably”.

Shell game

Hackers call the part of a code-injection attack that is used to gain control of a vulnerable computer “shell code”. Because this is usually written in machine code, Mason and colleagues dubbed their technique “English shell code”.

They presented (PDF) at the in Chicago earlier this month, being careful to leave out some of their methodology to avoid helping malicious hackers.

“I’d be astounded if anyone is using this method maliciously in the real world, due to the amount of engineering it took to pull off,” said Mason. He added that he and his colleagues developed the proof of concept to highlight the weakness and to encourage the development of security measures before hackers worked out how to use similar techniques.

]]>
1943168