
Computer Fraud & Security, April 2005

Page 1

Contents

Featured this month

NEWS
Online banking - catch 22 (p. 1)
Hi-tech crime costs £2.4 billion (p. 2)
Firearms expert in charge of National Hi-Tech Crime Unit (p. 2)
Citibank call centre fraud reveals Indian data protection deficit (p. 3)
Reuters IM service shut down by worm (p. 3)
Toxic blogs (p. 4)
Disclosure - time to ask the users (p. 4)

FEATURES
Analysis: Choicepoint saga repercussions (p. 5)
Biometrics: Combining biometric measurements for security applications (p. 7)
IP Theft: Managing Intellectual Property (p. 14)
Disaster Recovery: From incident to disaster (p. 17)
Software flaws: Evolution of vulnerability assessment (p. 19)

REGULARS
News in brief (pp. 3, 4)
Events (p. 20)

ISSN 1361-3723/05 © 2005 Elsevier Ltd. All rights reserved. This journal and the individual contributions contained in it are protected under copyright by Elsevier Ltd, and the following terms and conditions apply to their use:

Photocopying
Single photocopies of single articles may be made for personal use as allowed by national copyright laws. Permission of the publisher and payment of a fee is required for all other photocopying, including multiple or systematic copying, copying for advertising or promotional purposes, resale, and all forms of document delivery. Special rates are available for educational institutions that wish to make photocopies for non-profit educational classroom use.

Online banking - catch 22

UK bank HSBC will not give up pushing online banking, despite the threats from organized gangs against Internet users, said the bank's Group Operating Officer, Alan Jebson, at the recent E-Crime Congress in London.

"We want to see as many customers as possible using online banking," said Jebson. "Going online has increased productivity," he said. However, the bank is engaged in a constant cat and mouse game to stop electronic fraudsters exploiting the new system loopholes to steal money.

HSBC has 18.9 million Internet registered users to safeguard, some of whom have already been tricked into exposing their account details to phishers, said Jebson. "Customers are no longer sure that emails sent from banks are genuine." In fact, consumer mistrust is directly affecting the take-up of online banking services, according to analyst firm Forrester.

To combat phishing and other threats HSBC is in daily contact with law enforcement to get dubious sites closed down. Also, in an industry response, the financial services sector as a whole is moving towards two-factor and three-factor authentication.

"But the harder we make it for criminals, the more inconvenient it is for customers," said Jebson.

ISSN 1361-3723

April 2005

Two layers of biometric measurements to ensure security
One biometric can't do it all...

Biometric technology is being embraced by Governments as the way to fight identity theft and potentially shield us from terrorist attacks. The UK Government is likely to push through an Identity Card Bill that would insist on all UK citizens having biometric-based ID cards. The US is calling for all visitors to the country to have biometric-based passports. Demand for biometrics is growing whether the technology is ready or not.

Professor Richard Walton, former director of the CESG, analyses the pitfalls of biometrics. He examines whether the use of one biometric measurement is enough for many applications. He delves into the probabilities of false positives arising as well as false negatives. He sets out why the combination of different biometrics is a good option. The author also examines how biometrics based on behavioural measurements can complement physiological biometrics. Turn to page 6...

Page 2

NEWS

Editorial office: Elsevier Advanced Technology
PO Box 150, Kidlington, Oxford
OX5 1AS, United Kingdom
Tel: +44 (0)1865 843645
Fax: +44 (0)1865 853971
E-mail: [email protected]
www.compseconline.com

Editor: Sarah Hilley

Editorial Advisors: Peter Stephenson, US; Silvano Ongetta, Italy; Paul Sanderson, UK; Chris Amery, UK; Jan Eloff, South Africa; Hans Gliss, Germany; David Herson, UK; P. Kraaibeek, Germany; Wayne Madsen, Virginia, USA; Belden Menkus, Tennessee, USA; Bill Murray, Connecticut, USA; Donn B. Parker, California, USA; Peter Sommer, UK; Mark Tantam, UK; Peter Thingsted, Denmark; Hank Wolfe, New Zealand; Charles Cresson Wood, USA; Bill J. Caelli, Australia

Production/Design Controller: Colin Williams

Permissions may be sought directly from Elsevier Global Rights Department, PO Box 800, Oxford OX5 1DX, UK; phone: (+44) 1865 843830, fax: (+44) 1865 853333, e-mail: permissions@elsevier.com. You may also contact Global Rights directly through Elsevier's home page (http://www.elsevier.com), selecting first 'Support & contact', then 'Copyright & permission'. In the USA, users may clear permissions and make payments through the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, USA; phone: (+1) (978) 7508400, fax: (+1) (978) 7504744, and in the UK through the Copyright Licensing Agency Rapid Clearance Service (CLARCS), 90 Tottenham Court Road, London W1P 0LP, UK; phone: (+44) (0) 20 7631 5555; fax: (+44) (0) 20 7631 5500. Other countries may have a local reprographic rights agency for payments.

Derivative Works
Subscribers may reproduce tables of contents or prepare lists of articles including abstracts for internal circulation within their institutions. Permission of the Publisher is required for resale or distribution outside the institution. Permission of the Publisher is required for all other derivative works, including compilations and translations.

Electronic Storage or Usage
Permission of the Publisher is required to store or use electronically any material contained in this journal, including any article or part of an article. Except as outlined above, no part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without prior written permission of the Publisher. Address permissions requests to: Elsevier Science Global Rights Department, at the mail, fax and e-mail addresses noted above.

Notice
No responsibility is assumed by the Publisher for any injury and/or damage to persons or property as a matter of products liability, negligence or otherwise, or from any use or operation of any methods, products, instructions or ideas contained in the material herein. Because of rapid advances in the medical sciences, in particular, independent verification of diagnoses and drug dosages should be made. Although all advertising material is expected to conform to ethical (medical) standards, inclusion in this publication does not constitute a guarantee or endorsement of the quality or value of such product or of the claims made of it by its manufacturer.

02065 Printed by: Mayfield Press (Oxford) Limited

Online banking: catch 22
Continued from page 1...

But even after technical systems are in place to identify criminals, they can still escape, said Jebson. Money mules, recruited by criminal gangs, are a key link for the transfer of money in online frauds. The mules are enlisted through websites, where job descriptions request the applicant to have a bank account. HSBC has introduced a new fraud detection system to cope. But catching the money mules doesn't solve the problem as they are hard to prosecute, said Jebson.

"Banks and government need to work together to get better legal support."

Trojans are another worry for HSBC, said Jebson, as they don't rely on users to give away data.

In response, "customers will have to play more significant roles," in securing their data.

Already they "are becoming wiser to PC security issues," he said. "But some still don't have firewalls or anti-virus."

Last year HSBC faced 100,000 virus attacks in one day alone, but Jebson did not highlight this as the bank's biggest IT security risk. "The primary e-threat used to be hackers," he said, "but it no longer keeps us awake at night."

£2.4 billion lost to hi-tech crime
Brian McKenna

Last year British business lost £2.4 billion to electronically-enabled crime, the National Hi-Tech Crime Unit has said.

The Unit made the claim at its E-Crime Congress in London on 5 April. According to a survey conducted by NOP, 89% of a sample group of 200 companies said that they had experienced some form of hi-tech crime during 2004. Highlights of the report:

• 90% of the 200 companies suffered unauthorized penetration of company systems.
• 89% suffered theft of information or data.
• 97% were hit by virus attacks which had cost them £71
• financial fraud had cost nine per cent at £68k.

The survey also found that more than a quarter of companies failed to undertake regular security audits.

Detective Superintendent Mick Deats, deputy head of the Unit, said: "Over the past year, we have seen a sustained increase in the professionalism of cyber-criminals scope of the problem that we will be able to build effective strategies to deal with it."

Trevor Pearce, director-general of the National Crime Squad, told delegates at the congress that "thirty five per cent of the companies surveyed have no crisis management procedures, which are, as we know from long experience in the off-line world, essential in extortion situations".

He went on to confirm that the Serious and Organised Crime Agency (SOCA), planned by the outgoing Labour government, will take on responsibility for the "international and organized end of hi-tech crime" from the Unit, when it is launched.

Firearms expert in charge of National Hi-Tech Crime Unit

The former head of Firearms at the National Crime Squad has been appointed to the top position in the UK's National Hi-Tech Crime Unit. Detective Chief Superintendent Sharon Lemon replaces Len Hynds, who has been promoted to Assistant Chief Constable with the National Crime Squad as Business Change and Transition Director.

Sharon Lemon started her career with the Metropolitan Police, and served at many busy inner London divisions at all ranks, until she joined the National Crime Squad (NCS) in 1999. As the Head of Firearms she is recognized as transforming the armed capability to one where the NCS is seen as good practice nationally.

She was head of the Paedophile On-Line Investigation Team (POLIT), the national and international single point of contact for child abuse on-line investigations. She also played a key role in the formation of the Virtual Global Taskforce (VGT), an international law enforcement collaboration comprising Australia, Canada, Interpol, the UK and the USA.

Lemon said, in a statement: "I am relishing the challenge of managing the Unit which tackles all aspects of hi-tech crime and criminality …. During its first four years, the Unit has established a clear presence in this field and built an outstanding profile nationally and internationally. I am keen to build on this excellent start."

Computer Fraud & Security, April 2005, page 2

Page 3

NEWS

In brief

Ralph Lauren shoppers get more than they thought
Customers who have used their GM-branded MasterCard in Ralph Lauren recently might well be contacted by their card provider. Not to tell them of a special deal, but to break the bad news that they are one of 180,000 customers whose credit card information has been accessed by criminals, stolen from Ralph Lauren Polo Corp.

HSBC North America has been contacting owners of the card to warn them that their data may have been stolen. While Ralph Lauren has not yet admitted liability, The Wall Street Journal has quoted an insider saying that the information was stolen from the famous purveyor of American casual wear.

Microsoft's April patches
April showers rained down on patch management teams thanks to Microsoft's latest update. Consisting of eight patches for twelve vulnerabilities, five of which were classed as critical, the update contained patches for problems in Internet Explorer, Word and MSN Messenger as well as for Microsoft's TCP/IP stack.

Banks fight the phishers
Facing losses of up to $500m a year, banks are finally starting to invest in technology that is fighting the war against phishers.

Phishing, the creation of websites masquerading as legitimate banking sites, is responsible for an increasing amount of fraud and thefts from banks and customers. Technologies being implemented include software that enables a bank to tell if someone is "casing" its site in order to replicate it for a phishing site.

CAN-Spam used against gang of four
Four US citizens are being prosecuted using the recent CAN-Spam legislation, after allegedly sending hundreds of thousands of emails offering weight-loss programmes. Over 10,000 complaints were received about the defendants' use of email.

US federal employees get chip ID
Biometric information is going to play an integral part of the ID badges that all US federal employees will receive later this year.

In another attempt to increase security in the US, staff's ID badges will contain information such as digital fingerprints stored in a chip. The badges will also have the facility to add different levels of security clearance and enable employees to access government buildings other than their own.

Citibank call centre fraud reveals Indian data protection deficit
Brian McKenna

The Indian business process outsourcing industry fears a Western backlash in the wake of a fraud incident that targeted Citibank. Three former employees of Mphasis, a Bangalore-based outsourcing company, and nine accomplices allegedly stole more than $350,000 from Citibank account holders in New York. The would-be fraudsters were arrested by Pune police after an alert by a Citibank official,

Nasscom, India's IT industry lobby group, has moved to set up a national employee registry dubbed 'Fortress India'. This voluntary register will be in operation before the end of May, and will enrol the 350,000 Indians who work in BPO.

Industry commentator Krishnan Thiagarajan, writing in the Hindu Group Publications' eWeek, said that while US protests over jobs lost to outsourcing died down after the presidential elections, the 'key issues relating to data security and privacy [have been] left unaddressed by the Indian government'.

"[T]he latest fraud exposes the soft underbelly of data security in BPO outsourcing", he said, and called for Nasscom and the Indian government to act to put in place a 'comprehensive data protection law' as well as screen candidates.

Meanwhile, the Indian Express sought to downplay the significance of the fraud, citing the US investor site The Motley Fool's observation that 'the facts of the Mphasis case suggest that in some cases, data may be safer once sent abroad. Reflect for a moment on how quickly the alleged criminals in Pune were caught'.

Reuters IM service shut down by worm

Financial news provider Reuters was forced to shut down its instant messaging service on Thursday 14 April to stop the spread of a back-door-installing worm.

The service, which has 60,000 users, was the victim of Kelvir-U. Reuters offers the IM service to financial clients along with its news and information services. It said that the worm was not specifically designed to attack the service, which is based on Microsoft's Windows Messenger client.

The Reuters service was back in action by 7am on Friday 15 April. Francis DeSouza, chief executive of IMlogic, an instant messaging security and management company, told Internet Week that "the Kelvir worm attacked only version 3.1 client of the Reuters client, not version 4.0. Large customers, who had mostly upgraded, were okay."

IMlogic has also said this was the first instance where a virus has targeted a privately controlled user community.

The Kelvir-U worm sends an IM to contacts on an infected user's contacts list, encouraging recipients to click on a hyperlink that invokes a back-door-installing worm, Spybot.

The Kelvir worm that knocked out Reuters is only the most recent in a long line of variants that have appeared in the last six weeks. Symantec says that two dozen different Kelvir worms have cropped up, all of which target Microsoft's MSN Messenger and Windows Messenger. Please turn over...


Page 4


NEWS

David Robinson, UK general manager, Norman Data Defense Systems, advised system administrators to seriously consider just blocking instant messaging, but this may not be an option in some organisations, so the need for a multi-layered scanning approach must be considered.

"Gateway scanners that scan IM protocols have been available for a while," he added, "and multiple layers of anti-virus scanning are essential; additionally, proactive scanning must be seriously considered".

Welcome to the toxic blog

The accessibility of Web logs, their anonymous nature and potential global readership has long been a draw for aspiring writers, lobbyists, pained teenagers and angry workers. Add to that the large storage capacity, and it is no surprise as to why blogs have become such a phenomenon. Unfortunately, the hackers have noticed this too. Welcome to the toxic blog.

By creating a blog from a legitimate, free, blogging site, hackers are able to fill their page with keylogging software or malicious code. They then send out their blog address via spam or through an instant messaging service, even targeting particular individuals - and as soon as someone visits the page, they are infected, or spied on.

Websense Security Labs have released details of toxic blogs to warn consumers of the "hundreds" of occurrences on the Internet. Given that most blog sites do not have protection for the files that they host, it is an easy way for hackers to disseminate their wares, requiring only social engineering to get people to look at their pages. And the popularity of blogs is such that this is getting easier.

While the toxic blog is not yet widespread, it is another reason to ensure that security is up to date and to continue questioning the legitimacy of links in emails and IM. What might seem an interesting way to spend 10 minutes or a good shortcut to updating your software could give you and your network much, much more.

Disclosure — time to ask the users
Eric Doyle

The circular debate around the ethics of vulnerability disclosure needs customer input

Vulnerability disclosures hit the headlines in April when Sybase appeared to threaten UK security research firm Next Generation Systems Software (NGS) with legal action. NGS found eight security holes in Sybase's Adaptive Server Enterprise (ASE) database last year and reported them to Sybase. After fixes were released in February and time had been allowed for customers to apply them, NGS said it would publicly release details of the flaws.

The database company took exception, and argued that security bug hunting comes under the banner of database performance testing and benchmarking. Publishing the results from such tests without permission is specifically prohibited under the licensing agreement for Sybase ASE.

Several days later, NGS was allowed to co-publish edited details with Sybase. Sherief Hammad, a founding director of NGS, said that it was an amicable agreement. He added that this would not change the way NGS works in the future as he feels the company always acts responsibly.

Sybase insists it was all a misunderstanding and is now reviewing its policies regarding vulnerability research. Kathleen Schaub, vice president of marketing at Sybase, says it will work more proactively and co-operatively with researchers in the future.

The incident underlines the uneasy relationship between researchers and software vendors. This is rooted in the belief that researchers are little better than hackers. Though some people are willing to give researchers credibility, this is not the view of Marcus Ranum, a security advisor. He disputes the term 'researcher' and regards those who claim the term as self-seeking opportunists at best.

In brief

Research network used for file sharing
Internet2, the superfast version of the internet being used and tested by US universities, is apparently being used for illegal file sharing of music and films.

The Recording Industry Association of America has said that it intends to file over 400 lawsuits against students using the network for file sharing and illegal downloads of pirated material.

Cops bust Estonian for ebank theft
Estonian police arrested a 24-year-old man they suspect stole millions from online accounts across Europe using a virus that deleted itself once it had done its job.

The alleged thief wrote seemingly genuine letters from government institutions, banks and investment firms, but which actually contained a link to a page that uploaded the virus. The virus then transmitted their personal information, including internet banking account numbers and passwords, back to him and deleted itself after emptying the accounts. The man faces five years' prison.

eBay scammer gets six years
A federal judge sentenced Charles Stergios, 21, to more than six years for scams on internet auction site eBay that cheated 321 people out of $421,000. The judge earlier rejected a plea bargain after Stergios threw a jug of water across the courtroom at a prosecutor who called him a thief.

Phishermen take up pharming
Pharming is a new scam that secretly directs computer users from a legitimate Web site to a fraudulent copy of that site that collects passwords, credit card numbers or other private information for potential misuse.

"It's almost entirely out of the user's hands. They're simply connecting to a Web site that they believe is a legitimate site," Symantec's Oliver Friedrichs was reported as saying. "If phishing is like pulling individual fish out of the ocean, pharming is more like you're throwing a big net," he said.

Pharming cuts out the need for a response from the victim. It exploits the Internet Domain Name System, which translates a Web site's address into a numerical code for Internet routing.

Delay biometric passports, EU asks US
The European Union has called on the US to delay until August 2006 the deadline for the introduction of biometric passports for visitors without visas.

Only Austria, Belgium, Finland, Germany, Luxembourg and Sweden are currently able to meet the present October deadline.

Page 5


ANALYSIS

ChoicePoint saga repercussions
Not an information security breach?

Philip Hunter

Fall out from the ChoicePoint debacle in the US continues to reverberate around the IT security world and beyond. The case surfaced in February 2005 when the company revealed it had fallen victim to a major scam allowing identity thieves access to personal data on at least 145,000 consumers and possibly as many as 500,000. This has stoked the smouldering debate over the relative rights of individuals and agencies over control of personal information and over who is responsible for monitoring access to it. It has also called into question the boundary between strict technical IT security and the broader issues of identity fraud.

Disaster for entire information brokerage industry
In many respects it was a disaster not just for ChoicePoint and potentially many of its customers, but also the whole information brokerage industry that has mushroomed during the last decade, especially in the US. The case highlights how vulnerable our identities have become and the lack of regulation over the agencies entrusted with it. And it is at least stimulating healthy debate over how to protect personal information without constricting the electronic commerce and financial sectors that have become utterly dependent on real-time access to such data.

Who ever heard of ChoicePoint?
ChoicePoint, based in Georgia, is one of the world's largest data brokers or aggregators. Only a tiny minority of consumers whose data is held by it had heard of the company until it disclosed the security breach in February, four months after it had been discovered. Equally, few of the consumers were aware that so much personal information had been concentrated in a single data repository comprising 19 billion records. This extends well beyond credit reports and includes:

• Court records.
• Bankruptcy proceedings.
• Driving records.
• Consumer demographics.
• Lifestyle data.
• Employment background checks.
• Tenant rental history.
• Insurance claims.
• Social security numbers.
• Dates of birth.

In short, ChoicePoint collates just about all personal information that is in the public domain and a good deal that is not so readily available. In Europe the information brokerage business is not quite so well advanced, with no single repository with as comprehensive a data set as ChoicePoint. But many of the same issues apply, and the ChoicePoint case is just as pertinent in highlighting the growing risks involved in the personal information trade.

That hurt!
The impact of the breach on ChoicePoint itself was all too obvious. The disclosure was followed by a 20% fall in its share price, and then there are the huge costs of having to alert initially 145,000 Californian customers, plus 110,000 more in other states, that their personal records had been compromised. On top of that there are lawsuits to defend, and possible damages to pay. A number of lawsuits are pending, involving class actions on behalf of consumers whose identities have been compromised, arguing negligence on ChoicePoint's part.

Response
Most serious of all is the longer-term loss of confidence in ChoicePoint's ability to manage and protect so much data. The company has been quick to respond in several ways. ChoicePoint has stopped selling personal information, except when this is clearly for the benefit of consumers, for example to a well established bank seeking a credit reference. It has also appointed Carol DiBattiste, formerly deputy administrator of the US Transportation Security Administration, to look after privacy and authorisation of access. This was more to regain trust by having an external security advisor removed from the company's day-to-day running, than to beef up security.

No IT security breach?
Indeed a bizarre aspect of the case is ChoicePoint's assertion that there had


Page 6


been no information security breach, that instead it was a conventional fraud of the kind that happens every day. This is extremely disingenuous, and not helpful to the cause of information security. It is true that there was no hack in the technical sense. A group of identity thieves registered 50 fake companies as ChoicePoint customers, and from that point on were able to help themselves legitimately to almost all the data they wanted. No amount of encryption or authentication would have helped at that stage.

But technology these days is only the tip of the information security iceberg. It is easy enough to make a system totally impregnable in theory, but the much harder task of the real world involves allowing legitimate users to go about their business relatively unimpeded while detecting and combating abuses. This involves procedures and policies beyond technology, and ChoicePoint has tacitly admitted culpability on these fronts through moves such as DiBattiste's appointment.

ID theft opportunitiesHowever the information securityissues go beyond ChoicePoint to thewhole basis of modern commerce,highlighting the growing problem ofidentity theft. According to the UKconsumer group Which, identity theftnow costs the UK economy £1.3 bil-lion annually and is rising fast, havingso far afflicted one in four adults oneway or another. One problem is thatidentity data such as dates of birth andnational insurance numbers cannot bechanged, unlike passwords. This is whythere has been so much concern amongthe consumers affected by theChoicePoint case, who fear they couldfall victim to a variety of frauds foryears to come.

Identity fraud can take various forms. It can lead to obtaining of credit cards, bank accounts or telephone service in the name of the victim, or it can involve taking over someone's existing account by fraudulently executing a change of address. It can even result in a complete identity takeover for fraudulent assumption of financial and other benefits. These may include renting property and obtaining benefits such as free dentistry or medicines normally only available to people on low incomes. Another problem is that theft of identities, unlike say credit cards, often goes undetected for a long time, sometimes over a year. This increases the exposure of the liable parties, whether this is a bank, insurance company, or in some cases the customers themselves. Therefore banks and others are striving to improve detection rates by various means, for example through identification of unusual transaction patterns or other anomalies.

The most common identity frauds so far have involved simple theft of personal details for withdrawing cash from victims' bank accounts, or making purchases on their credit cards. But this can be readily stopped by issuing new PINs and account numbers to customers in the event of a large-scale breach such as the ChoicePoint fraud. For ChoicePoint victims, the greater risks involve third parties accessing their credit status reports for various motives, including obtaining credit in their name.

Freezing
This however can be stemmed, at least temporarily, by imposing a security freeze on specified consumers, prohibiting any third party from accessing certain personal details on them.

In California, and also Texas, consumers have the right to freeze their credit reports at any time in this way, and then lift the freeze when they are applying for credit themselves. Consumers therefore can exert some control over their credit reports and ensure they are available to a bank to which they are applying for a new credit card, but not to any third party without their knowledge.

In the long term however security freezes, if widely deployed, would impede the processing of applications and references for credit that often take place in the background without consumers' knowledge. Civil libertarians though would no doubt consider this a price worth paying. In this case, ChoicePoint has imposed its own security freeze by suspending the sale of information products that contain sensitive consumer data, and estimates it will lose $15 to $20 million revenue in 2005 as a result.

Bankruptcy
But the case has also stimulated debate over longer-term issues surrounding identity. In particular it has focused attention on the relative ease with which personal information can now be gathered and then sold. One loophole likely to be closed in the US is the lucrative and freely available personal information about people who have undergone bankruptcy proceedings. This has been picked up on by Senator Maria Cantwell, who has filed an amendment to pending bankruptcy reform legislation in an attempt to stop criminals trolling court records not so much for credit information but more for personal data such as social security numbers in order to steal identities.

“Security freezes could impede identity fraud”

No consumer control
Another loophole, in this case shielding the information brokers themselves, is the lack of a business relationship with the consumers whose data they hold. Apart from the security freeze option in Texas and California, consumers have no control over the gathering or sale of that information, providing basic data protection guidelines are adhered to, and yet can suffer when breaches occur. Furthermore they often lack the legal rights they would have if they were customers. For these reasons one proposal is to give the brokers an economic incentive to maintain tight security by imposing fines when breaches occur. Brokers are also likely to be required to disclose when breaches occur, as they are already in California. These two measures would give brokers the incentives often lacking at present to be secure and be seen to be secure.

More questionable are plans to give consumers greater control over their personal records. In practice few would exercise such rights to their advantage and there is also the danger of introducing an administrative quagmire. Giving consumers too many rights can be counterproductive, as has been shown in the case of general compensation claims where about two thirds fail even in a relatively favourable litigation climate, because so many are frivolous or wildly over-optimistic. The result is a huge waste of public money. However the ChoicePoint case does suggest that allowing consumers to impose security freezes could significantly impede identity fraud without too much inconvenience if they are applied sparingly and only when a risk of fraud has been identified.

The ChoicePoint fraud has also been valuable in another sense, by highlighting how we now have very little control over who does have access to personal information that may not facilitate identity theft but can compromise what services we may be granted and on what terms. At present medical records remain largely outside the grasp of information brokers, in the UK at least, being still paper based to the extent that they are not always even available to health practitioners when required. Now is perhaps the time to ensure that our medical records are not made available for sale in the same way as our credit status to potential insurers or whoever might want to access them.

The pain of the ChoicePoint fraud debacle:
• The share price of the data aggregator plunged by 20%.
• Shareholders filed a class-action suit against the company and its executives.
• Company executives are being investigated by the Securities and Exchange Commission for hasty share deals.

Making it up:
• ChoicePoint has withdrawn the sale of citizen information that contains sensitive data.
• The company has created an independent office of Credentialing, Compliance and Privacy.

BIOMETRICS

Combining biometric measurements for security applications
Professor Richard Walton CB

In the current security environment Governments and others are looking to biometric technology to improve identification processes. Some of the potential applications have significant implications for civil liberties. There is legitimate concern about the efficacy of the technology and of the decision-making processes resulting from interpretation of biometric measurements. Claims are often exaggerated, by technology vendors and by both advocates and opponents of the use of biometrics for such purposes. This paper examines some of the issues arising from the application of biometric measurements for security applications. Specifically there is concern that use of a single biometric measure is inadequate for many potential applications. Important questions considered include the use of Entropy to compare the security properties of a biometric system with a traditional password system based on secret data, and the use of statistical models to underpin security claims. The paper is based on a report commissioned by Senselect Ltd to examine the effects of using two or more biometric measurements for security applications.

Security concepts for biometric measurements
There are four security concepts that are important for this discussion. These are the False Acceptance Rate (FAR), the False Rejection Rate (FRR), Entropy, and Secret Data. In this section I shall define these four concepts and make general remarks about their relevance to biometric security mechanisms.

FAR
The FAR is the probability that a biometric system will accept a measurement as genuine when it is in fact not. It is typically presented either as a percentage value or as a probability in the range 0 to 1. A typical biometric system based on a single measurement (for example measuring a single fingerprint) will have a FAR between 0.1% and 2% (i.e. probability between 0.001 and 0.02). For most applications the FAR is the key element in providing security. However, FAR does not give the whole picture and sometimes it is necessary to


consider the statistical distribution of the false acceptances in greater detail. Much of the literature makes no explicit mention of this statistical distribution but assumes an underlying random model based on a normal distribution. For many current purposes this is good enough but there could be problems with large-scale operations. In any application it is also necessary to consider detailed attack scenarios which will depend on the implementation of the biometric system, the environment in which it operates and the capabilities of the potential attacker.

Although the FAR is crucial for most applications its measurement is non-trivial. There are various trials that have been conducted for various biometric products (see for example [1]) and these show a considerable variation in performance between similar-looking products and differing operational scenarios. To determine FAR (and FRR) with any degree of accuracy requires either a very large-scale (and hence expensive) trial or an accurate statistical model supporting a smaller trial: to be 95% confident that the FAR is below 0.1%, for instance, a trial that observes no false acceptances at all needs roughly 3,000 independent impostor attempts. In general these requirements are not met and we are reliant on poorly-supported vendor assertions. In the majority of cases the reported values of FAR and FRR are based on relatively small-scale trials in benign conditions under the assumption of a random normal distribution of false acceptance biometric scores. The biometric scores are themselves often based on proprietary algorithms that are not made available for scrutiny, making it even more difficult to gauge the validity of the estimated FAR.

FRR
The FRR is the probability that a measurement of the biometric from a genuine source is rejected by the system as false. Like the FAR, the FRR is usually reported as either a percentage or as a probability between 0 and 1. Biometric systems tend to be set up with an FRR larger than the FAR. A typical range might be 1-10%. For most applications the FRR does not directly affect the security offered but is a hygiene factor affecting the cost and acceptability of the system. For this reason in [2] CESG ignores the FRR in making recommendations on the security offered by a biometric system. For the applications that would have been foremost in mind when [2] was written, this is understandable. However it is actually wrong for the general case. As we shall see below (in the discussion of duplicate identities and watch lists), there are important applications where the FRR is the crucial security parameter and the FAR provides the hygiene factor. The remarks made above about measuring FAR apply equally to FRR.

ENTROPY
The entropy of a biometric system is a measure of the uncertainty of the outcome of a random measurement, given the prior knowledge available to the observer. (Thus entropy is not a function of the system alone but also factors in the observer.) If the observer knows a measurement has n possible outcomes with probabilities $p_1, p_2, \ldots, p_n$ respectively, the associated entropy measured in bits (binary digits) is given by:

$$E = \sum_{i=1}^{n} p_i \log_2 \frac{1}{p_i}.$$

For example, for a single throw of a fair die the entropy is $\log_2 6 = 2.585$ bits.

This is all very well as far as it goes, but often we are looking at a slightly different scenario where we are not concerned so much with the outcome of the measurement but with the measurement giving a specific (acceptable) value. This requires a slightly more complicated model. Suppose the observer can divide the measurements into n categories with probability of acceptance $p_i$ for category i ($1 \le i \le n$). Suppose also that from the point of view of the observer the probability of the measurement being in category i is $q_i$. Then the entropy would be given by:

$$E = \sum_{i=1}^{n} q_i \log_2 \frac{1}{p_i}.$$

To illustrate the concept, let us now consider the situation for a single biometric measurement with FAR $= p_A$ and FRR $= p_R$. We are concerned with the biometric measurement being accepted as genuine rather than with the value of the measurement. Thus, assuming that the distributions of false rejections and acceptances are random (normal model), the entropy from the points of view of a genuine subject ($E_G$) and an impostor ($E_I$) would be:

$$E_G = \log_2 \frac{1}{1 - p_R} \quad\text{and}\quad E_I = \log_2 \frac{1}{p_A}.$$

An FAR of 1% and FRR of 5% would yield $E_G = 0.074$ bits and $E_I = 6.64$ bits. An independent observer who believed a genuine person or an impostor to be equally likely would see a different entropy:

$$E = \tfrac{1}{2} \log_2 \frac{1}{1 - p_R} + \tfrac{1}{2} \log_2 \frac{1}{p_A},$$

(which in the above example would be 3.36 bits).

The importance of entropy is that it allows us to compare the strength of different systems against random attacks, which in turn gives us a baseline for comparisons between dissimilar security mechanisms. For example, entropy can be used to compare multi-fingerprint biometric systems with traditional passwords. On the other hand it can be seen from the above that entropy is highly dependent on the specific scenario envisaged and a great deal of care must be taken when making calculations. It is sometimes helpful to think of the entropy as a measurement of the gap in an attacker's knowledge. The attacker then fills the gap either with more information or with extra work, or accepts a (high) probability that the attack will fail.

“There are good reasons to combine biometrics”
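The three perspectives above, worked through in code. This is an added example and not part of the article: the functions implement the two entropy formulas with the article's symbols ($p_A$ = FAR, $p_R$ = FRR) and reproduce its 1%/5% figures; the function and variable names are my own.

```python
"""Entropy of a biometric accept/reject decision (added example, not the article's code).

Symbols follow the article: p_A is the FAR, p_R the FRR.  The two entropy
formulas are the general E = sum q_i log2(1/p_i) and its special case with
q_i = p_i (ordinary Shannon entropy of the outcome distribution).
"""
from math import log2


def entropy_bits(qs, ps):
    """E = sum_i q_i * log2(1 / p_i).

    qs[i]: the observer's probability that the measurement falls in category i
           (must sum to 1).
    ps[i]: the probability that a measurement in category i is accepted.
    Passing the same list twice gives the Shannon entropy of that distribution.
    """
    if abs(sum(qs) - 1.0) > 1e-9:
        raise ValueError("the q_i must sum to 1")
    if any(not 0.0 < p <= 1.0 for p in ps):
        raise ValueError("each p_i must lie in (0, 1]")
    return sum(q * log2(1.0 / p) for q, p in zip(qs, ps) if q > 0)


def shannon_entropy(outcome_probs):
    """Entropy of a random outcome, e.g. one throw of a fair die."""
    return entropy_bits(outcome_probs, outcome_probs)


def genuine_entropy(frr):
    """E_G: a genuine subject's uncertainty about being accepted, log2(1/(1-p_R))."""
    return entropy_bits([1.0], [1.0 - frr])


def impostor_entropy(far):
    """E_I: the uncertainty an impostor making a random attempt must overcome, log2(1/p_A)."""
    return entropy_bits([1.0], [far])


def observer_entropy(far, frr, p_genuine=0.5):
    """Entropy seen by an observer who gives 'genuine' prior probability p_genuine.

    Two categories: genuine (accepted with probability 1 - p_R) and impostor
    (accepted with probability p_A).
    """
    return entropy_bits([p_genuine, 1.0 - p_genuine], [1.0 - frr, far])


if __name__ == "__main__":
    print(f"fair die: {shannon_entropy([1 / 6] * 6):.3f} bits")
    print(f"E_G = {genuine_entropy(0.05):.3f} bits, E_I = {impostor_entropy(0.01):.2f} bits")
    print(f"50/50 observer: {observer_entropy(0.01, 0.05):.2f} bits")
```

Note how small $E_G$ is: from the genuine user's side the decision is almost certain, so nearly all of the uncertainty an attacker faces comes from the FAR. The `p_genuine` argument lets the mixed case be rerun for situations where impostors greatly outnumber genuine subjects, which moves the observer's entropy towards $E_I$.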

Secret data
Secret data is information known only to the legitimate user(s) of a security system and which is crucial to the security of the mechanisms. Most information security mechanisms rely on some secret data to keep out the attackers. In some cases the secret data has to be known (by which I mean available for use) by many/all users of the system (shared) whereas in other cases knowledge of the secret data may be confined to a single entity (private). For example in a traditional symmetric cryptographic system the key or cryptovariable must be known to all users, whereas in an asymmetric (public key) system the private keys of individual users are only known to them. Secret data may need to be stored securely (possibly for a long time) or may be ephemeral and only required during the computation surrounding a particular transaction and may then be destroyed. For example in the RSA public key system the private keys are permanent and if compromised the whole public/private key set has to be changed, whereas in the Diffie-Hellman system (in its ephemeral form) the private keys are ephemeral with new ones being generated for each use. In general a security system will use a mixture of shared and private, ephemeral and non-ephemeral secret data. The important thing is that the security of the system is dependent on secret data remaining secret.

Secret data is a source of entropy, in many cases the only source of entropy to be overcome by the attacker. Traditionally, cryptographic security is measured purely in terms of the entropy provided by the secret data. General attack scenarios include the assumption that all non-secret data is known and available for use by the attacker. This is the fail-safe assumption whenever the attack environment cannot be controlled. However there are occasions (especially with biometric security systems) when the attack environment can be partially controlled and it can make sense to relax the fail-safe assumption. On such occasions it is legitimate to consider the non-secret sources of entropy.

Applications of single biometrics
Most current applications of biometrics are concerned with identity verification for a relatively small population. This provides a benign environment in which the technology can perform very well. There are always specific security and acceptability issues but by-and-large the technology copes with the demands on it. The scenario is that subjects have been enrolled in the system co-operatively by providing one or more measurements of the biometric from which a template is computed and stored, either in the system or on a token under the control of the subject. Then in operational circumstances the subject claims an identity and submits to the appropriate biometric measurement. The system checks the new measurement against the template and issues a pass/fail decision. If the result is a fail it is usual for some kind of further examination to be conducted. In this scenario the important parameters are the FAR and FRR. If the FAR is too high the system might be ineffective (insecure) while if the FRR is too high the burden of secondary examination can become intolerable. As long as the number of false claimants is relatively small and the security requirement is low enough the system can work well.

If the system is stressed with a large number of false claimants the danger of false acceptance can be too great: with k independent impostor attempts the chance that at least one is accepted is $1 - (1 - \mathrm{FAR})^k$, so a 1% FAR gives better than even odds of a false acceptance after about 70 attempts.

Such verification systems are most effective when the operational environment is such as to exclude presentation of false credentials. For example if a human guard is present who can ensure that the subject actually does present the appropriate biometric measurement and is not able to fool the system with a fake or bypass the sensor with an electronic replay.

However if the biometric system is unsupervised or can otherwise be fooled or bypassed without triggering an alert, the security will be ineffective because, as it states in [2], the biometric template and algorithm are not secret (I will look at one exception later in this paper). One problem with mechanical devices is that when an attacker works out how to spoof them the trick can keep on working, and this is much more dangerous than with human operatives who might be less alert but are unpredictable. In applications with inadequate supervision or other protection a biometric will need to be complemented with a source of additional entropy to block such attacks, for example by involving secret data, or possibly by use of additional non-secret mechanisms that cannot be attacked in the same way.

As operations increase in scale or when more complex applications are required, the problems of too high FAR and/or FRR can become unacceptable. Now there are some biometric measures that reportedly do have very low FAR values (for example retinal scanning, DNA matching) and sometimes the solution to larger-scale issues will be to select one of these measures. But sometimes these solutions will be unappealing and the possibility of combining measurements from different biometric sources could be attractive. This is the main point of this paper and will be the subject of the next section. But first I want to give one example calculation by way of warning of some of the dangers of interpreting biometric measurements.

“Most single biometric measurements are not up to the job”


A messy example
I shall be concerned with the following situation. We have a set of subjects on whom we will perform a biometric measurement which we want to compare with one specific template (we might, for example, be looking for a criminal). We don't know whether or not the wanted individual is present. What can we infer from the measurements? Suppose there are n people to be measured besides the wanted individual, that the FAR and FRR of the system are p and r respectively, and that our prior belief is that the probability of the wanted individual being present (and therefore also measured) is q. We get m matches. What is the probability that the genuine subject is among the matches?

The algebra involved is a bit messy to perform, although it is relatively straightforward. There are three ways of ending up with m matches. If the wanted individual is present and is matched (probability q(1-r)), the remaining m-1 matches are false acceptances among the n other subjects; if the wanted individual is present but missed (probability qr), or is absent (probability 1-q), all m matches are false acceptances. Bayes' rule then gives

$$P(\text{genuine subject among the matches} \mid m) = \frac{q(1-r)\binom{n}{m-1}p^{\,m-1}(1-p)^{\,n-m+1}}{q(1-r)\binom{n}{m-1}p^{\,m-1}(1-p)^{\,n-m+1} + (1-q+qr)\binom{n}{m}p^{\,m}(1-p)^{\,n-m}}$$

and, since $\binom{n}{m} = \frac{n-m+1}{m}\binom{n}{m-1}$, the common factors cancel to leave

$$\frac{m\,q\,(1-r)(1-p)}{m\,q\,(1-r)(1-p) + (n-m+1)(1-q+rq)\,p}.$$

As it stands this doesn't convey much to most of us, but if we plug in some figures we can see some implications.

If q=1 and r=0, we are in a state where the genuine subject is tested and (because FRR is zero) will definitely prove positive, so if m=1 we would require the result to be certain, i.e. the expression should equal 1, which it does. Similarly if q=0 the genuine subject isn't tested so the expression must evaluate to 0, which again it does. So far so good!

Now suppose that q=½ and m=1 and r=0 (so we are bound to get the target if he's present!). Now the probability evaluates to

$$\frac{1-p}{1-p+np}.$$

But even so, if n is large enough this probability can be much less than 1. For example if FAR is 1% (reasonable for some fingerprint measurements) and the number being tested is 50, the probability of a single positive result being the right one (even with no FRR) will be:

$$\frac{0.99}{0.99 + 0.50} = \frac{0.99}{1.49} \approx 0.66,$$

which is close to 2/3.

Although this might be enough to convict on the balance of probabilities it is far from being beyond all reasonable doubt. Yet what might a mathematically illiterate Prosecution, Jury and Judge make of it?

The moral of this is that inferences based on biometrics are not all that simple and that care needs to be taken in selecting applications.
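The calculation above, carried out in code. This is an added example, not the article's: `posterior_closed_form` implements the reduced formula, `posterior_by_enumeration` computes the same probability directly from the three binomial cases so that the two can be checked against each other, and `posterior_curve` shows how the answer falls as the population grows. Function names, and the parameter values other than the article's 1%/50 case, are my own choices.

```python
"""Is the wanted person among the m matches?  (Added example; not the article's code.)

Model as in the text: n subjects besides the wanted person are compared with
one template; the wanted person is present (and measured) with probability q;
each comparison falsely accepts with probability p (FAR) and falsely rejects a
genuine subject with probability r (FRR), independently of the others.
"""
from math import comb


def posterior_closed_form(n, m, p, r, q):
    """P(wanted person is among the matches | m matches), reduced formula."""
    if not 0.0 < p < 1.0:
        raise ValueError("FAR p must lie strictly between 0 and 1")
    if not 1 <= m <= n + 1:
        raise ValueError("m must be between 1 and n + 1")
    num = m * q * (1.0 - r) * (1.0 - p)
    den = num + (n - m + 1) * (1.0 - q + r * q) * p
    return num / den if den else 0.0


def _false_matches(k, trials, p):
    """Probability of exactly k false acceptances among `trials` impostor comparisons."""
    if not 0 <= k <= trials:
        return 0.0
    return comb(trials, k) * p ** k * (1.0 - p) ** (trials - k)


def posterior_by_enumeration(n, m, p, r, q):
    """Same quantity from Bayes' rule over the three ways of seeing m matches."""
    present_and_hit = q * (1.0 - r) * _false_matches(m - 1, n, p)  # target matched, m-1 false matches
    present_but_missed = q * r * _false_matches(m, n, p)           # target present but rejected
    absent = (1.0 - q) * _false_matches(m, n, p)                   # target not there, all m false
    total = present_and_hit + present_but_missed + absent
    return present_and_hit / total if total else 0.0


def posterior_curve(p, r, q, sizes, m=1):
    """Posterior for a single match as the population grows: {n: probability}."""
    return {n: posterior_closed_form(n, m, p, r, q) for n in sizes}


if __name__ == "__main__":
    print(f"article's case (n=50, p=1%, q=1/2, r=0): "
          f"{posterior_closed_form(50, 1, 0.01, 0.0, 0.5):.3f}")
    for n, prob in posterior_curve(0.01, 0.0, 0.5, [10, 50, 100, 1000]).items():
        print(f"n={n:5d}: {prob:.3f}")
```

Running it shows the point of the section: with the same 1% FAR and a single hit, the chance that the hit is the wanted person is about 0.9 for ten subjects, two thirds for fifty, and under a tenth for a thousand, which is why a database needs to be small compared with 1/FAR before a lone match means much.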

Combining biometrics
For many of the applications now under consideration it appears that most single biometric measurements are not up to the job. A natural question to ask is whether or not something can be gained by combining different biometrics. There are indeed a number of good reasons why such a step is worth taking. The most obvious reason for combining two or more biometric measurements is to reduce the overall FAR. Many of the problems of scale are occasioned by the size of FAR or FRR or both. If we take measurements from two independent biometrics and require the subject to pass both, the combined FAR will be the product of the two individual FARs. Thus using both a fingerprint and a face scan (for example), each with a FAR of 1%, will result in a combined FAR of 0.01%. For more than two independent biometrics the combined FAR will again be the product of all the individual FARs. Thus using a suitable combination of biometrics can enable us to drive down the FAR as much as we want. The assumption of independence is important, but for most biometrics being considered this should not prove to be a problem. In cases where there is any doubt it will be important to conduct trials to establish the true position. An example of common biometric measurements that would not be independent is height and weight. These are not usually used for identification purposes because of high FAR and, in the case of weight, instability over time (although height used to appear on passports).

So consider two biometrics (which we will assume to be independent) with FAR and FRR $p_1, p_2$ and $r_1, r_2$ respectively. The combined system has

$$\mathrm{FAR} = p_1 p_2 \quad\text{and}\quad \mathrm{FRR} = 1 - (1 - r_1)(1 - r_2)$$

(the latter is approximately FRR $= r_1 + r_2$). So although we get an improvement in FAR, the FRR gets worse. However the improvement from multiplication of two small numbers (FAR) is much greater than the worsening by addition of two small numbers (FRR), so it is possible to achieve a significant overall improvement by resetting thresholds to keep the FRR manageable while benefiting from a good reduction in FAR.

We have seen in the section on entropy that when looking at the defence against attacks on a biometric security system we need to consider the entropy faced by the attacker. In many cases, subject to the extent to which the attacker is able to harness knowledge of the biometric details, the FAR will provide the main source of entropy (as $\log_2(1/\mathrm{FAR})$). In those cases where the attacker is able to exploit some of the biometric knowledge to spoof the system, the involvement of more than one biometric might still leave some protection to fill the gap and thereby perform better than any of the individual component biometrics.

There is a further major advantage to be expected from combining different biometrics. Recall that in the section on FAR I said that we really ought to consider the statistical distribution of false acceptances more carefully and that the random model on which we (and most others) rely is not necessarily valid. In fact it is almost certainly invalid. In reality when considering a particular biometric measure we would expect to find false acceptances clustering among a set of individuals who have similar characteristics. So there will be some individuals who are never mistaken for a particular target while others may be mistaken regularly. This is far from random. However if we are using two or more truly independent biometrics there is no obvious reason for the same individuals to cluster with respect to different biometrics, so the reality will be closer to the random model which we can analyse. The more independent biometrics that are used the closer to the random model will be the result and the greater the security. For large-scale applications this could be extremely important.
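The product rule and the clustering caveat, as an added example (not the article's code). `combined_rates` applies the formulas from the previous section, `biometrics_needed` uses the attacker entropy $\log_2(1/\mathrm{FAR})$ to compare a stack of independent biometrics with a PIN, and the two `population_*` functions model the FAR as an average over a population of impostors so that the effect of lookalikes clustering can be seen directly. The impostor populations are constructed for illustration and the names are mine.

```python
"""Combining biometrics: product rule, PIN comparison, and the clustering caveat.

Added example, not the article's code.  Rates and populations below are
constructed for illustration.
"""
from math import log2


def combined_rates(fars, frrs):
    """FAR and FRR of a system in which the subject must pass every biometric.

    Independent biometrics: FAR = product of the p_i, FRR = 1 - product of (1 - r_i).
    """
    far, pass_rate = 1.0, 1.0
    for p, r in zip(fars, frrs):
        far *= p
        pass_rate *= 1.0 - r
    return far, 1.0 - pass_rate


def attacker_entropy_bits(far):
    """Entropy a random-attempt impostor must overcome: log2(1 / FAR)."""
    if not 0.0 < far < 1.0:
        raise ValueError("FAR must lie strictly between 0 and 1")
    return log2(1.0 / far)


def biometrics_needed(far, target_bits):
    """Smallest number of independent biometrics, each with this FAR, whose
    combined attacker entropy reaches target_bits (log2(10**4) = 13.29 for a 4-digit PIN)."""
    count, bits = 1, attacker_entropy_bits(far)
    while count * bits < target_bits:
        count += 1
    return count


def population_far(accept_probs):
    """System FAR as the average chance that a random impostor is accepted."""
    return sum(accept_probs) / len(accept_probs)


def population_combined_far(accept_a, accept_b):
    """FAR of requiring both biometrics, when each impostor's two chances are
    independent given who they are.  Equals the product of the single FARs
    only if the lookalikes for A and the lookalikes for B are unrelated."""
    if len(accept_a) != len(accept_b):
        raise ValueError("need one (a, b) pair per impostor")
    return sum(a * b for a, b in zip(accept_a, accept_b)) / len(accept_a)


# Three constructed impostor populations of 100, each with single-biometric FAR 1%.
UNIFORM = [0.01] * 100                                       # the random model: everyone equally confusable
LOOKALIKES_A = [0.10] * 10 + [0.0] * 90                      # ten people who resemble the target on A
LOOKALIKES_B_SAME = LOOKALIKES_A                             # the same ten also resemble the target on B
LOOKALIKES_B_OTHER = [0.0] * 10 + [0.10] * 10 + [0.0] * 80   # a different ten resemble the target on B


if __name__ == "__main__":
    far, frr = combined_rates([0.01, 0.01], [0.05, 0.05])
    print(f"two independent biometrics: FAR={far:.4%}, FRR={frr:.2%}")
    print(f"biometrics at FAR 2% needed to match a 4-digit PIN: {biometrics_needed(0.02, 13.29)}")
    print(f"random model:     {population_combined_far(UNIFORM, UNIFORM):.6f}")
    print(f"same lookalikes:  {population_combined_far(LOOKALIKES_A, LOOKALIKES_B_SAME):.6f}")
    print(f"other lookalikes: {population_combined_far(LOOKALIKES_A, LOOKALIKES_B_OTHER):.6f}")
```

All three populations report a 1% FAR for each biometric on its own, but requiring both gives the product, 0.0001, only in the random model: when the same ten people are the lookalikes for both biometrics the combined FAR is ten times the product, and when the lookalike sets are disjoint it is zero. That is the point made above: the product rule needs independence across the population, which a trial has to confirm rather than assume.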

Further applications
The range of applications for which biometrics are now being considered has grown beyond the simple identity verification considered in the section on applications of single biometrics. Especially with the desire to use biometrics to assist in the war against terrorism, the fight against crime and the policing of borders, the scale and type of operations has changed. As we have seen, scale alone is a major factor requiring much lower values of FAR to maintain acceptable security, but there are other issues involved that cannot be remedied simply by improving the value of the FAR.

To help in the descriptions that follow I shall consider the set of all potential subjects (S) to be partitioned into five categories:

a. V: VIPs, individuals who may need special treatment. V will necessarily be small and individuals in V will always be assumed to have been registered with great care. In many circumstances attempted matches will be against a single template, i.e. we know we are trying to verify a particular individual, which makes V look much like R (below) and the only effect is that the system would issue some form of VIP alert. The more interesting case is when the VIP identity is not claimed and the system has to match against all the templates in V.

b. R: Registered users, individuals who are already in the system having co-operated in the registration process.

c. N: Unregistered users, individuals appearing for the first time, who are expected to be co-operative but about whom nothing is known.

d. T: Known targets, individuals whose biometric details are on the system (although they may not have been obtained co-operatively); the associated identity may or may not be known.

e. U: Unknown targets, individuals whose biometric details are not on the system, but whom we wish to catch.

Standard identity verification
This process is only concerned with individuals in R or (possibly) V. All subjects must claim to be a particular registered individual and a match against the stored template is attempted to verify the claim. This is a good application for biometrics.

Unclaimed identity verification
Some applications do not require the identity to be claimed (for example some fingerprint-operated locks). This means that matches must be attempted against all templates in the system. In such systems we consider all the subjects to be in V. Biometrics will only be useful if V is small. Such applications are always going to be less secure than the standard process and should be avoided if possible.

Open identification
By an open identification system I mean one where subjects may or may not already be on the system. If they are on the system (R or V) all that is required is a standard verification. But if they claim not to be on the system (N) we need to verify that this is indeed the case and then they must be registered. Because of the different nature of the two tasks it is sensible to think of them (and implement them) separately. Thus for an immigration system (for example) the sensible solution would be to have a standard verification system at the point of entry and refuse entry to all who fail to make a valid identity claim. Normally the registration process will be undertaken elsewhere in advance.

Avoidance of duplicate identities
This is the other half of open identification although it may also be a freestanding application. A subject claims to be in N and it is necessary to ensure this is so by checking against all the stored identities of members of R. Unless the potential size of R is small the use of the common biometrics is likely to be inadequate. There is potential here for the use of several independent biometric measurements depending on the size of population and the dangers of failure. For an immigration system the potential size of population is the whole world. However there is another issue here. Usually the parameter that is important for security is the FAR, but in this case the security failure arises from a failure to match a biometric in the genuine case, and the incorrect match to a false identity is the inconvenience to the user. This will limit the utility of biometrics. Fortunately it is usually possible to afford more time and computation in the registration process than in an access control situation, so a layered approach is both possible and necessary. Initially a search against templates should be made with a threshold yielding a low FRR. Scores against all biometrics should be stored and all single matches should be subjected to secondary testing, if necessary involving re-measurement. There will be a need for a much deeper understanding of the underlying biometric technology and more rigorous trials than is the case with standard verification applications. This will be expensive but necessary to achieve the benefits of the application. At the verification stage (see Open identification above) it may be possible to use fewer biometrics (and different thresholds) than are actually stored in the registration process, reserving the other biometrics for use in the event of failing the primary test, thereby reaping the benefits of simplicity most of the time with low overall FAR through secondary testing.

Where more than one biometric is used it could enhance security to vary the order of testing. For example if several fingerprints and a face scan are available the subject would not know in advance which test is to be used at a particular time, so as to reduce the possibility of a successful masquerade.

Crime fishing
There are two flavours to crime fishing. One is the technique of trawling through a database of people's biometric measurements to match biometric evidence from a particular crime, and the other is searching a database of biometrics associated with various crimes and then trying to match a particular individual. As indicated by the calculation in the messy example above, this is fraught with problems. If the database is small (as compared to 1/FAR) and there is good reason to believe the guilty party is there, a fishing expedition can be effective. Otherwise the danger of a miscarriage of justice is high. There will also often be concerns about the quality of biometric data taken uncooperatively (e.g. lifted from the scene of a crime). Multiple biometrics could help because of the much reduced value of the FAR and also the improved randomness of false matches, but the chance of multiple biometric data being available from a particular crime scene is also much reduced. Crime fishing is not the same as using biometric evidence to clinch cases where there is a substantial body of circumstantial or other evidence to support a suspicion. In such cases the population being tested is small (often 1) and the probability that the guilty party is among those being tested is reasonably substantial.

Watch list

The watch list is seen as a potential weapon in the war against terrorism. The idea is to have a database of the details (in this case biometrics) of the known or suspected terrorists and to search this database for matches. So when an individual in N is registered we search for matches against details of members of T. We also (at least on a random basis) search for matches between individuals in R and those in T. The points to make here are:

a. The search at registration time is not too bad, being just a minor addition to the existing search for duplication (see section: Avoidance of duplicate identities).

b. Searching at point of entry will be a burden and ineffective if T is too large.

c. As with the search for duplication, the critical security parameter here is the FRR and not the FAR.

d. Unless T is very small we will need multiple biometrics to be effective.

e. Normally, members of T will not have been cooperative in providing biometric samples, so there will be doubts about quality (see note 2).

f. The most important terrorists will be in U and we won't have anything to match against. This underlines the importance of vigilance in the registration process - trying to identify supposed members of N who are really in U. Biometrics won't help us do this.

As a final remark in this section, among the advantages of fingerprints and face scans is the possibility of obtaining some uncooperative measurements. So, despite their high values of FAR and FRR, they still have a role to play in these more challenging applications.

Non-biometric biometrics

When we think about biometrics most of us take the term literally and consider physiological measurements like height, weight, fingerprints, face scans, hand geometry, iris scans, retinal images, DNA etc. However, there is another class of measurement that is also considered to be 'biometric'. These are measurements of learned behaviour that can also characterise an individual. These non-biometric biometrics have their own characteristics that can be complementary to those of other biometrics. In this section I will consider just a few of the more important aspects.

An important set of non-biometric biometrics is to do with how we write and includes handwriting, signatures and dynamic signatures. The most useful of these for security purposes is the dynamic signature. The dynamic signature captures not only the form in which you sign your name but also the dynamics of the action. The dynamic signature has been found to be characteristic of the individual and hard to forge. There are products available to implement the technology. The main drawback today is that there has been little (if any) independent research to verify vendor claims as to the effectiveness of the technology. Properties include:

a. Very low values of FAR are reported. Good.

b. Variation of performance does depend on the individual subject, with consequently variable values of FRR. Bad - although overall, the vendors claim acceptable values of FRR.

c. The subject has to cooperate; it is possible to fail deliberately, unlike a physical biometric; this makes it unsuitable for some purposes but ideal for others, for example a duress signal.

d. The dynamic signature involves secret information (captured in the FAR - so entropy is easy to calculate) that cannot be forgotten and cannot be taught to anyone else. Magic for security purposes.

e. An individual can develop several signatures for different purposes. Opens up a number of possibilities.

f. The signature can vary slowly with time. Bad but manageable.

g. Injury can affect the signature temporarily or permanently. Bad but manageable.

h. Signatures are culturally acceptable. Good.

Combining a technology like dynamic signature with a physiological biometric can result in an overall system that combines the advantages of both. This can be especially valuable for high security applications because of the entropy characteristics of the dynamic signature and the ability to pass a duress signal, while the physiological biometric can provide both some assurance against deliberate falsification and secondary testing to reduce the FRR (for example, allow an extra go at signing if the fingerprint or whatever matches up). To keep a good FAR it is important to ensure that eventually a pass is obtained against both measurements.

Conclusions

The security of biometrics is characterised by two quantities, the FAR and the FRR. Unfortunately it is difficult to obtain valid estimates for these quantities because large-scale trials are expensive and the underlying statistical models are often inadequate to support smaller-scale trials.

The use of single biometric measurements is generally good enough for small-scale verification of a claimed identity but is less good for large-scale applications and those requiring matches against a number of templates. Many applications now being considered fall into these categories.

Improvements can be made by combining independent biometrics. The FAR of a combination is the product of the FARs of the individual component biometrics. This leads to a significant reduction in system FAR and hence to increased security. Moreover the errors arising from combined independent biometrics will be more random than for each component, and thus the random statistical models underlying the security calculations will be a better approximation to the true picture. There is also potential for the different biometrics to complement each other in resistance to differing attack scenarios, thereby compensating to some extent for the inherent lack of secret data in a biometric template.
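The arithmetic behind the layered duplicate-identity search described earlier and the product-of-FARs claim in these conclusions, as an added worked example (Python, not code from the article): the FAR/FRR figures and the 60 million population are constructed assumptions, and the component biometrics are taken to be statistically independent, as the article assumes when it multiplies FARs.

```python
"""Error-rate arithmetic for single, combined and layered biometric checks.

Added worked example, not code from the article. The matcher figures are
constructed assumptions of roughly the right order; the formulas assume the
errors of different biometrics are statistically independent, which is the
assumption the article makes when it multiplies FARs.
"""
from dataclasses import dataclass
from math import prod


@dataclass(frozen=True)
class Matcher:
    """A biometric matcher operated at one fixed decision threshold."""
    name: str
    far: float  # False Accept Rate: P(impostor is matched)
    frr: float  # False Reject Rate: P(genuine subject is not matched)


def and_combination(*ms: Matcher) -> Matcher:
    """Accept only if every biometric matches.

    An impostor must defeat all of them, so FAR is the product of the parts;
    a genuine subject fails if any one check fails, so FRR rises.
    """
    far = prod(m.far for m in ms)
    frr = 1.0 - prod(1.0 - m.frr for m in ms)
    return Matcher("AND(" + ",".join(m.name for m in ms) + ")", far, frr)


def or_combination(*ms: Matcher) -> Matcher:
    """Accept if any biometric matches (the 'allow an extra go' rule).

    The dual of AND: FRR is the product of the parts but FAR rises, which is
    why the article insists that eventually both measurements must pass.
    """
    frr = prod(m.frr for m in ms)
    far = 1.0 - prod(1.0 - m.far for m in ms)
    return Matcher("OR(" + ",".join(m.name for m in ms) + ")", far, frr)


def expected_false_matches(far: float, population: int) -> float:
    """Expected number of impostor templates hit by a one-to-many search.

    Such a search is only trustworthy when this is well below 1, i.e. when
    the database is small compared with 1/FAR (the crime-fishing condition).
    """
    return far * population


@dataclass(frozen=True)
class LayeredResult:
    expected_false_candidates: float  # templates passing the cheap first pass
    expected_secondary_tests: float   # work for the expensive second pass
    expected_false_survivors: float   # impostor templates passing both passes
    system_frr: float                 # P(a genuine duplicate is missed)


def layered_search(primary: Matcher, secondary: Matcher, population: int) -> LayeredResult:
    """Duplicate-identity search: a permissive first pass, then re-testing.

    Stage 1 runs the primary biometric against every stored template at a
    threshold chosen for low FRR, so a genuine duplicate is rarely missed.
    Stage 2 applies the secondary biometric only to the candidates stage 1
    yields, so the expensive work scales with population * FAR_1, not with
    population. The security-critical figure here is the system FRR.
    """
    false_candidates = expected_false_matches(primary.far, population)
    genuine_survives_stage1 = 1.0 - primary.frr
    return LayeredResult(
        expected_false_candidates=false_candidates,
        expected_secondary_tests=false_candidates + genuine_survives_stage1,
        expected_false_survivors=false_candidates * secondary.far,
        system_frr=1.0 - genuine_survives_stage1 * (1.0 - secondary.frr),
    )


# Constructed illustrative figures, not measured values.
FINGERPRINT = Matcher("fingerprint", far=1e-3, frr=0.02)
FACE = Matcher("face", far=1e-2, frr=0.05)
IRIS = Matcher("iris", far=1e-6, frr=0.01)
# The fingerprint matcher with its threshold relaxed for a low-FRR first pass.
FINGERPRINT_LOOSE = Matcher("fingerprint(loose)", far=1e-2, frr=0.002)
POPULATION = 60_000_000  # assumed registered population of a national scheme


if __name__ == "__main__":
    for m in (FINGERPRINT, FACE, IRIS,
              and_combination(FINGERPRINT, FACE), or_combination(FINGERPRINT, FACE)):
        print(f"{m.name:24s} FAR={m.far:.1e} FRR={m.frr:.3f} "
              f"expected false matches in N={POPULATION:,}: "
              f"{expected_false_matches(m.far, POPULATION):,.1f}")
    r = layered_search(FINGERPRINT_LOOSE, IRIS, POPULATION)
    print(f"layered search: {r.expected_false_candidates:,.0f} first-pass candidates, "
          f"{r.expected_false_survivors:.2f} false survivors, "
          f"system FRR={r.system_frr:.5f}")
```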

In some potential applications, the critical security parameter is the FRR rather than the FAR. This needs to be handled with care, but it is also helpful to combine independent biometrics.

Biometrics based on behavioural measurements can complement physiological biometrics extremely well. Dynamic signatures, in particular, offer a way of benefiting from increased entropy and, when used in combination with physiological biometrics, can be very powerful.


Notes

1 This is a subtle point: if we were only concerned with the value of the measurement, the entropy would turn out low from the point of view of either a genuine subject or an impostor, as in each case the likely result is nearly predictable - acceptance in the one case and rejection in the other.

2 Of course, as time goes on it is possible that individuals will have been registered before they start their terrorist career, so what is a major problem today may lessen considerably in the future.

About the author:

Professor Richard Walton CB B.Sc. Ph.D. (Nottingham) B.A. (O.U.) C.Math. FIMA MBCS was appointed in January 1999 to the UK GCHQ Board as Director CESG, the National Technical Authority for Information Assurance. He held this post until October 2002 when he was seconded to the Cabinet Office to initiate work on the production of a National Strategy on Information Assurance. His earlier posts included Head of the Division employing most of the GCHQ Mathematicians (1996-99) and Head of the Mathematical Services Group in CESG (1985-91). He was appointed Companion of the Order of the Bath (CB) in the 2003 New Year Honours. He retired from the Civil Service in May 2003 and is now an independent consultant (own company, Walton-Mackenzie Ltd) and visiting Professor in the Information Security Group at Royal Holloway University of London. He was appointed as an independent member of the Defence Scientific Advisory Council in April 2004.

Contact: Email: [email protected]

Biometric sales: on the up

Industry Growth Rate 1998-2005 (Source: Biometric Industry Report - Forecasts and Analysis to 2006, 2nd edition)

Year    Revenue (US$ million)    Growth Rate
1998       52.9                     -
1999       98.3                    86%
2000      120.0                    22%
2001      160.4                    34%
2002      260.1                    62%
2003      423.6                    63%
2004      707.3                    67%
2005     1131.6                    60%
2006     1867.2                    65%


IP THEFT

Managing Intellectual Property
Peter Stephenson

Over the past couple of years we have discussed a number of techniques for managing risk, conducting investigations and other proactive and reactive approaches to some of the tougher problems of information security. Now we take up what is, arguably, the most difficult and potentially expensive information security problem of all: protection of intellectual property. The difficulties associated with IP protection are significant. And they are matched directly by the impact of IP compromise.

Consider the entertainment industry. I was told by a security executive of one of the United States’ largest entertainment companies that one particular animated film cost over $7 million and took over ten years to produce due to the need to evolve entirely new technologies in order to make the production. Weeks before the film was to appear in distribution it was leaked somehow to the Internet underground.

The entertainment industry, though perhaps the most visible, is by no means the only high profile industry that exists largely based upon unique intellectual property. The pharmaceutical industry spends billions of dollars every year to research and develop new drugs. If the formula for a new drug is leaked prior to approval by government agencies, all of the development investment may be wasted on a product that a competitor may bring a clone of to market faster.

The bottom line is that IP management has become business’s biggest nightmare. Over the next few columns we will take up the topic of protecting and managing IP. We will begin this month with an overview of the problem and some representative cases. Next, we will discuss strategies and tools for protecting IP proactively. We’ll end with some innovative techniques for tracking IP leakage and gaining convictions when IP is stolen. We begin with some background on the problem.

Background

According to US Deputy Assistant Attorney General John G. Malcolm, intellectual property crime consists mainly of “…copyright piracy, trademark counterfeiting, and theft of trade secrets.” [1] In his testimony Mr. Malcolm pointed out some significant and troubling issues. For example, he describes in detail the relationships between various types of organized crime and piracy. In one case, pirated copies of Microsoft and Symantec software brought the pirates over $9 million. Mr. Malcolm describes the organization of a typical high level software piracy, or warez, group:

“Like legitimate companies, “top-tier” warez groups have clear hierarchies and divisions of labor. Rank and position within warez groups are based on a variety of factors, including special skills, length and quality of service to the group, and reputation within the warez scene. A typical group - which can consist of people all over the world who may know each other only through their screen names - will consist of one or possibly two leaders, two or three high level individuals known as “Council,” twelve to fifteen Staff members, and a general Membership comprising anywhere from twenty to eighty individuals. The Leader has ultimate authority over all aspects of the group and its activities. Council members are primarily responsible for the group’s day-to-day operations, including preparation of new releases, recruitment, and security issues. Staff members are typically the most active individuals in preparing a group’s new releases for distribution, or in maintaining the group’s “File Transfer Protocol” (FTP) sites from which the pirated software is distributed. Finally, the general Members contribute to the group in a variety of ways, including acting as occasional suppliers of new software, hosting the group’s FTP servers, or providing hardware (e.g., laptops, hard drives, routers, other computer equipment) to other group members for use in their warez activities. The more work someone does for the group, the higher up the organization that person will move, and the greater the access that person will have to pirated products.”

An example of such a group was ShadowCrew, a group consisting of over 4,000 members worldwide that was described as an online one-stop shop for identity theft. While not dealing directly in intellectual property, ShadowCrew followed the same sophisticated organizational scheme as top-tier warez groups and, through a combination of sophisticated organization and strong disciplinary measures against members, the group cleared tens of millions of dollars through identity theft, document forgery and other similar illegal enterprises. The danger here is that such groups are highly organized, very structured, almost completely anonymous and, therefore, extremely effective.

Former Attorney General Janet Reno expressed concern as early as 2000. In an article prepared for TheStandard.com she stated:

“…economic espionage – unlawful practices engaged in by private companies and sometimes by foreign governments aimed at stealing assets such as formulas, blueprints or marketing strategies – is on the rise. The FBI estimates that a significant number of countries are targeting US firms, with high-tech companies the most frequent targets.”

With that pronouncement the Attorney General moved IP theft into the arena of international economic espionage. The bottom line is that IP theft is a real and increasing issue and information security professionals are being asked to step up to the problem and solve it.

But solving the problem of IP management is not a trivial task. It requires a solid combination of good security policy, solid implementation and several things that organizations outside of the government have been reluctant to do, most especially information classification. Information classification is the core of any effort to protect IP because without such classification it may be difficult to determine what does or does not need to be protected. Also, without formal information classification, an employee leaking intellectual property outside of the organization may claim ignorance of the IP’s value.

A framework for IP management

Over the next few columns we will develop and expand upon a framework for protecting intellectual property. That framework needs to address three important aspects of IP management:

• Policy foundation.
• Proactive management.
• Discovery, tracing and recovery of leaked intellectual property.

To address these we will adapt a simple, but extremely effective, framework I developed nearly ten years ago called Intrusion Management to the task of managing intellectual property. The Intrusion Management Framework consists of five layers:

AVOIDANCE: Everything you do to avoid the consequences of an intrusion.

ASSURANCE: Everything you do to ensure that the measures you took in Avoidance are working correctly and effectively.

DETECTION: Everything you do to detect an intrusion attempt.

RESPONSE: Everything you do when the first three layers fail.

RECOVERY: Restoring the target system to its pre-incident state.

Adapting this framework to our needs, we get a new Intellectual Property Management Framework:

AVOIDANCE: Everything you do to proactively protect your intellectual property.

ASSURANCE: Those tests and audits you perform to ensure that your protection measures are effective.

DETECTION: All measures you take to detect, report, contain and track attempts to alter, destroy, access, or otherwise compromise your IP.

RESPONSE: Those measures used to trace leaked intellectual property, identify the sources of the leak and take action against those sources.

RECOVERY: Measures taken to interdict and manage the consequences of an IP leak and to ensure that the source and enabling root cause(s) of the leak are removed and appropriate countermeasures implemented.

Over the course of the next several columns we will discuss each of the layers of the framework in detail. To set the stage, however, we offer some brief discussion of the layers here.

The Avoidance Layer

Avoidance, as with any information protecting model, is arguably the most important set of tasks that you can perform. Not only is it far less expensive to implement good avoidance measures than it is to recover after the fact, good avoidance, assurance, and detection measures lower the cost and impact of the inevitable successful attempt at IP theft.

The application of avoidance measures follows a detailed risk analysis of the IP environment. We have discussed risk management in depth here and we introduced you to the FARES (now called Formal Analysis of Risk in Enterprise Systems) process. FARES or other risk management methodologies (FARES is preferred, of course, due to its highly structured and reliably provable approach) must be applied to your IP environment so that you can understand the threats against your intellectual property and the vulnerabilities that would allow a threat to produce an impact successfully. You also need to know what that impact will be so that you can craft an appropriate, cost-effective, response.

There is a class of IP protection tools emerging in both hardware and software environments. For example, the application of secure vaults allows the implementation of specialized encrypted storage containers that both protect and help track IP stored as files. Watermarking and other identification measures also are becoming more mature.

Of course, before tools can be applied, the results of the risk analysis need to be transformed into a clear set of policies governing IP management. From those policies you will develop a set of standards and practices to implement them.

The Assurance Layer

We will discuss the assurance layer much more completely in future columns; however, we should mention here that the testing and auditing of avoidance measures is critical. Knowing that the measures you are taking to protect your IP are working is one of the most important proactive aspects of IP management. Additionally, these measures should work together with detection measures to enable you to identify, rapidly, attempts to compromise intellectual property. IP leakage takes very little time and effective containment often is dependent upon how rapidly the event is detected.

The Detection Layer

The Detection Layer is one of the most difficult to implement. It begins, of course, with procedures dictated by policies and standards. However, IP is characterized by the fact that, to a computer, it is no different from any other file. If an intruder can access it, the intruder can steal it and may not ever be detected in the act. For that reason, special precautions need to be in place to monitor all access to IP. A key aspect of detection is the ability to contain the leak once it is identified. Timely containment may mean the difference between a costly leak and no incident at all.

These precautions depend upon classification and isolation of intellectual property such that it is treated specially. Restriction of access is, as well, very important. We will discuss some ways to control access to IP files in an upcoming column.

The Response Layer

The Response Layer assumes that all else has, at least in part, failed. If the response layer is to be useful, however, certain functions in the upper three layers need to be effective. For example, we need to know what IP was involved, how the leakage occurred and who was involved. Given that information we can begin to take appropriate reactive measures. The Detection Layer needs to provide a reliable audit trail that we can use to recreate the event.

Response to an IP incident usually is a formal investigation, and the evidence collected in that investigation needs to be managed as we have discussed in our columns on end-to-end digital investigation. There are some very sophisticated tracing mechanisms required as well. These tracing mechanisms will be a topic in themselves.

The Recovery Layer

Recovery from an IP incident requires that you understand fully what has occurred and what the consequences of the event are. Often part of recovery, more than with any other type of system breach, involves legal action. Thus, legal counsel must be involved from the first knowledge that a leak has occurred. To this end, a solid relationship with counsel prior to an event is a must. In addition you will need to know what law enforcement agency to call when an event occurs and who within that agency is your optimum point of contact.

Recovery also may include the need for communications to the public. Corporate communications staff need to understand how to handle the media and how to understand and communicate the magnitude of the event. This requires training and close communication.

Conclusions

The process of managing intellectual property is a very complicated one. It is pervasive and global. It is pervasive in the sense that protective measures, while focused upon the IP itself, need to permeate the enterprise in a layered protection scheme typical of good security defense in depth. It is global in the sense that IP management may apply not only to the hosting enterprise, but to connected enterprises and, even, to the Internet. The ability to operate effectively within these disparate and often unmanageable (by the owner of the IP) environments requires careful planning and execution.

Over the next several months we will address each layer in the model in detail. We will offer policy suggestions, we will examine tools and we will develop processes that can help protect your IP while it is contained and recover from a breach if that containment fails. We will begin next time by expanding and extending the framework into a working model that you can use to verify your IP management plan.

References:

[1] Statement of John G. Malcolm, Deputy Assistant Attorney General for the Criminal Division, United States Department of Justice, before the Subcommittee on Courts, the Internet, and Intellectual Property, Committee on the Judiciary, United States House of Representatives, concerning Copyright Piracy and Links to Crime and Terrorism, presented on March 13, 2003.


Computer Fraud & Security, April 2005

US Government fight against IP theft

Special agency had to change tactics to defeat IP theft

So serious are the financial losses for businesses from intellectual property leakage that the US Department of Justice set up the Intellectual Property Task Force in 2004. The Task Force underwent a review and has announced in March a change in tactics to up the tempo to tackle ever rising IP theft, as follows:

• Expanding the Department's Computer Hacking and Intellectual Property (CHIP) Program by increasing the number of specially-trained federal prosecutors in key United States Attorneys' Offices throughout the country;

• Increasing the number of complex, multi-district and international intellectual property enforcement actions to target sophisticated intellectual property thieves and organizations, building on the unprecedented successes achieved by the Criminal Division's Computer Crime and Intellectual Property Section;

• Strengthening the Justice Department's ability to bring intellectual property charges in organized crime, illegal importation, and fraud cases;

• Deploying attorneys to the United States embassies in Hong Kong and Budapest, Hungary to increase international coordination and enforcement;

• Increasing cooperation with victims of intellectual property theft;

• Encouraging respect for intellectual property rights through youth education.


DISASTER RECOVERY

From incidents to disasters
Stephen Hinde

Just under a half of businesses have not developed corporate recovery plans to deal with catastrophic events, according to a report issued by the UK Chartered Management Institute (CMI) in March 2005. The survey of 440 managers, conducted by the Continuity Forum and Veritas Software, ranged from sole traders to companies employing more than 10,000 employees. The survey found that just over three-quarters of financial institutions have business continuity plans – twice as many as retail companies. The lessons of the terrorist attacks on the New York World Trade Center and the IRA bombs that devastated parts of the City of London in the 1990s are apparently still not learned.

But it is not just good business sense to have business resumption planning; it has become a regulatory requirement in the UK for financial years beginning after April 2005. Companies will be required to publish separate operating and financial reviews warning investors of business risks, including possible details of business recovery plans.

The fear of loss of IT systems topped the list of worries, with nearly three-quarters of respondents listing it as number one, followed by loss of skills. Despite an increase to 41% in the proportion of events involving loss of key personnel last year, only a handful of business continuity plans covered staff loss. As I write this, a large British law firm has just lost an entire 40-plus strong specialist group to a competitor firm.

All the pain: none of the gain

One of the more disquieting findings is that although organisations have experienced disruptions over the past 12 months ranging from floods to loss of staff to terrorist damage in other countries, they have not updated their business continuity plans to reflect the incidents. They are as vulnerable now as they were prior to the incident. No lessons have been learned. All the pain: none of the gain, to misquote a former Chancellor of the Exchequer.

Even when organizations have prepared a business continuity plan, many have no idea whether it will work in anger because they do not bother to test it. A fifth never tested and just over a half only rehearsed the plans once a year. And one in eight organizations that uncovered a problem during a test did not update the business continuity plan to reflect the problem. An excellent example of testing of plans and of test evacuation drills was demonstrated during the terrorist attack on the World Trade Center when all but a few of Morgan Stanley’s 3,700 employees successfully evacuated from the second Tower. Dean Witter, a brokerage that is now part of Morgan Stanley, was one of the organizations that was affected by the 1993 bomb attack. Management decided there and then that should the unthinkable happen again, staff would be trained to evacuate. The staff, who were involved mainly in processing trades for retail investors or handling administrative matters, were trained and organized to evacuate floor by floor.

After the first airplane crashed into the North Tower, Morgan Stanley’s staff quickly and efficiently evacuated from their 22 floors (53rd to 74th) of the South Tower. Their plans were to evacuate irrespective of the building management’s decision as to whether to evacuate or not. When the second airplane hit the Twin Towers just above the Morgan Stanley floors, the evacuation by Morgan Stanley personnel was well under way.

Where this model evacuation went awry was in the ticking off of names after the evacuation. Staff just went home, turned off their telephones and avoided contact. It took two and a half days of telephoning and home visits before Morgan Stanley was able to account for all bar 15 employees, some of whom had stayed inside the building to help colleagues down. Good planning and luck helped to contribute to this success story. Others were not so fortunate. Investment bank Keefe Bruyette Woods, situated in the South Tower, lost 69 of its 172 staff, and Cantor Fitzgerald lost 700 of its 1,000 staff.

A separate survey in March based on 250 companies conducted by the Business Continuity Institute found that organizations have contingency plans for dealing with terrorist attacks, but are failing to plan for disruption caused by more mundane events such as telecommunications and power failures, which are more likely to cause disruption. Just over a quarter of respondents regard terrorism and war as their biggest threat, followed by natural disasters, fire and floods. And yet a fifth of businesses do not have disaster recovery plans for their IT systems. And a third do not have general business resumption plans. This survey found a similar level of non-testing (25%) to the CMI survey.

One of the main failures of the plans surveyed was that they failed to plan for potential telecommunications failures. Nearly three-quarters of the companies surveyed recognized that the failure of telecommunications would damage the reputation of their businesses, but most relied on business resumption plans that assumed telecommunications would be working. Only an eighth of organizations had second-tier telecommunications in place and less than a tenth had a third-party recovery site.

The survey also found weaknesses in businesses’ supply chains. Nearly a fifth said they were happy to rely on a statement from the supplier that they had business resumption plans in place. A third had asked to read the supplier’s business resumption plan, and another 27% did not know how suppliers’ business resumption plans were verified.


The disaster of the red chillies

The contamination of food with an illegal dye which triggered the UK's biggest ever recall of products last February is a good case study for business continuity planning.

Sudan 1 is a synthetically produced red dye normally used for colouring solvents, oils, waxes, petrol and shoe and floor polishes. It is also used to colour some chilli powders produced in India and exported around the world. It is rated a “class three” carcinogen, or cancer-causing agent, by the International Agency for Research on Cancer and has been banned from use as a food additive in Britain and the rest of the European Union since 1995. America banned its use in 1918.

There is a concern that the dye, Sudan 1, has the potential to cause cancer. However, the Food Standards Agency has said the risk is very low. Professor Alan Boobis, an expert in toxicology at Imperial College, London said: “Sudan 1 was banned from use in food products following experiments on rats, which suggested that the chemical could trigger the formation of malignant tumours. There is little reason for the public to be alarmed. People should not be unduly concerned about the health effects. It is a good idea to remove this substance from the food chain, but this is being done simply as a precaution, not because there is an immediate impact on health.”

Since July 2003 — following the discovery of traces of Sudan 1 in chilli powder samples in France — all dried and crushed or ground chilli coming into the EU must be accompanied by a certificate showing that it has been tested and found to be free of the illegal dye. Any consignment that does not have a certificate is detained for tests and destroyed if it contains Sudan 1. But chilli powder has a long shelf life and some of the batches now in Britain arrived before the testing regime was introduced, as did the batch at the centre of this scandal.

The contaminated batch of chilli powder passed through at least two suppliers in Britain before ending up with Premier Foods, a large food manufacturer which inadvertently used the chilli powder to produce a batch of Crosse & Blackwell Worcester sauce. This sauce, in turn, was used as an ingredient in a wide range of other products. More than 600 different products manufactured by over 60 different producers contained the illegal powder. Many are ready-made meals such as shepherd’s pie, pasta bake, chicken wings, sausage casserole, pizza and chilli con carne. It is really staggering what products actually contain Worcestershire sauce.

The scandal prompted the largest recall of food products in British history. Retailers were instructed to remove all affected items. Supermarkets and catering establishments were similarly instructed. The UK Food Standards Agency worked with the food industry and local authorities to trace any other products which might be contaminated. Local authorities were faced with a massive task: not only was there a list of over 600 affected products, which took a long time to compile, but there was also the job of identifying shops, restaurants and other catering establishments – unbelievably, there was no list. The task was carried out by telephone, letter or face-to-face visits.

David Statham, Director of Enforcement at the Food Standards Agency, said: “This has been an enormous undertaking. Hundreds of products have been affected in thousands of shops. The vast majority of contaminated foods have been removed, providing some reassurance to consumers. However, there may be some products remaining both in shops and in the catering sector and we will continue to work with local authorities to remove them as far as is practical and achievable.”

The slow reaction

Concerns have been raised about why the public was alerted to the problem some weeks after the Food Standards Agency knew that Sudan 1 may have entered the food chain, following routine tests by an Italian company on a batch of Crosse & Blackwell Worcester sauce. This slow disclosure by the Agency, which was set up after the BSE food scare of the 1990s to stop a repetition of such a scare, helped to feed a media frenzy, thereby exacerbating the impact and moving it from a very low-risk incident to a major cancer scare.

It took the Agency a very long time to establish the list of affected foods. It is perhaps a sign of how far society has moved into eating processed food that the authorities had no comprehension as to just how many foods contain Worcestershire sauce.

The fact that the contaminated product was used as an ingredient in so many processed foods introduced additional layers into the product recall – and some of the 60-plus producers had no product recall systems at all. Product recall had been thought of in linear terms, as exemplified by the Perrier water recall in the early 1990s – a single, discrete product that was easy to identify. The lack of a definitive list of catering establishments and food shops also hampered the product recall.

It was fortuitous that the risk to human health was very low, bearing in mind the time taken to respond, the slowness in identifying the products affected, and the incomplete list of catering establishments and food shops. All of these are lessons that will need to be addressed by the FSA before a really serious food incident happens.

The punishment of the innocent?

When I conduct physical security audits, I always look at the neighbouring businesses to see whether there are dangerous substances stored or risky processes that increase the risks posed to the computer centre or the likelihood of an incident or disaster. For instance, a site near an airport runway, or next door to a gasometer, or adjacent to a munitions factory, or a laboratory conducting vivisection experiments. To ignore them and to assume that you can look at the risks facing the computer centre in isolation from the neighbouring environment is risky to the point of foolhardiness. But what about neighbouring products?

In the case above, the contaminated chilli powder was used as an ingredient in Worcester Sauce – Crosse & Blackwell’s Worcester Sauce. But to most Britons Worcestershire Sauce is synonymous with Lea & Perrins. In fact, over 90% of Worcester sauce sold in the UK is Lea & Perrins. For most consumers Worcester sauce is Lea & Perrins and Lea & Perrins is Worcester sauce. So any scare story about contaminated Worcester sauce automatically implicated Lea & Perrins in many consumers’ minds – a thought process encouraged by the media incorrectly showing a bottle of Lea & Perrins to illustrate their story of the contamination. Thus Lea & Perrins, a brand owned by HP Foods, was a blameless brand caught up in the crossfire.

Lea & Perrins had an established crisis team that was activated when the disaster struck. The team included the board of directors, key officials and the regulatory and external affairs manager. On a typical day the company receives 50 calls at its customer service telephone line. After the story broke that became over 5,000 in a week. The company used an external company to field the large increase in telephone calls and replaced its usual weekend recorded message service with staff working 10-hour shifts.

There is no easy answer to how to defend a product that was not affected. You cannot reassure the public with very public pictures of products being withdrawn from shelves, as we saw with Perrier and other products in the past, because there is no product to withdraw. You cannot be seen to benefit from knocking the affected competing product. The company depended heavily on public relations and getting its officials in front of the cameras. It is also lucky in that a bottle lasts a long time, so the purchase of the next bottle is likely to be well after the scare is over, unlike, say, bread or meat or eggs.

The important lesson is that Lea & Perrins was prepared – it had plans and they were activated quickly. So many incidents become disasters because of the poor response by management.

EVENTS

5-6 May 2005
CLA 2005 World Computer and Internet Law Congress
Location: Washington DC, USA
Website: www.cla.org

12-13 May 2005
RSA Japan
Location: Tokyo Prince Hotel, Tokyo, Japan
Website: www.rsasecurity.com/conference

6-8 June 2005
GARTNER IT SECURITY SUMMIT
Location: Washington DC, USA
Website: www.gartner.com/2_events/conferences/sec11.jsp

13-15 June 2005
CSI NETSEC
Location: Scottsdale, Arizona, USA
Website: www.gocsi.com

19-22 June 2005
ISACA INTERNATIONAL CONFERENCE
Location: Oslo, Norway
Website: www.isaca.org/

26 June - 1 July 2005
17th ANNUAL COMPUTER SECURITY CONFERENCE
Location: Singapore
Website: www.first.org

5-6 July 2005
IP Crime Congress
Location: London
Website: www.IPCrimeCongress.org

23-28 July 2005
BLACKHAT USA
Location: Las Vegas, USA
Website: www.gocsi.com

29-31 August 2005
HIGH TECHNOLOGY CRIME INVESTIGATION ASSOCIATION
Location: Monterey, California
Website: www.htcia.org

17-19 October 2005
RSA Europe
Location: Vienna, Austria
Website: www.rsasecurity.com/conference

SOFTWARE FLAWS

From SATAN to OVAL: the evolution of vulnerability assessment

By Dr. Gerhard Eschelbeck, CTO & VP Engineering, Qualys

With the growing reliance and dependence on our interconnected world, security vulnerabilities are a real-world issue requiring focus and attention. Security vulnerabilities are the path to security breaches and originate from many different areas: incorrectly configured systems, unchanged default passwords, product flaws, or missing security patches, to name a few. The comprehensive and accurate identification and remediation of security vulnerabilities is a key requirement to mitigate security risk for enterprises.

Vulnerability assessment technology has evolved significantly since the initial release of SATAN [1] about a decade ago. SATAN was a dictionary-based UNIX security testing tool designed to help system administrators identify common security problems. Second-generation vulnerability scanners built upon hard-coded decision trees followed shortly. Predefined decision trees allowed the necessary probes to be minimised depending on operating system and application. Their lack of flexibility, however, quickly made them obsolete.

Modern scanner architectures are built as inference-based systems, which don’t require any agent software on the target systems. They learn about each target system individually as selective probes are exchanged with the target system. The inference-based architecture is centred around highly multi-threaded engines for scanning thousands of vulnerabilities simultaneously on any system on a network. Modern scanner architectures also support multiple levels (trusted and untrusted) of vulnerability assessment against any given target system.

Untrusted vulnerability assessments simulate the scenario of an attacker without prior knowledge about the target system, while trusted assessments leverage credentials to log into the target systems for auditing configuration and patch information. An important criterion for measuring the effectiveness of a vulnerability scanner is the comprehensiveness and accuracy of its vulnerability knowledge base. Also, the ability to report and communicate vulnerability findings in a standardized manner from the vulnerability scanner to other applications (e.g. patch distribution or configuration management) is a critical requirement.

The OVAL [2] (Open Vulnerability and Assessment Language) project is an effort to develop a standardized process for checking, reporting, and remediation of configuration as well as vulnerability issues. OVAL is being developed as an international effort under the leadership of MITRE with support from industry, government, academia, and the security community. XML-based OVAL provides a definition schema for various platforms (Windows, Linux, Solaris …). It allows defining standardized probes and criteria to test a system for a particular vulnerability. The OVAL effort involves development and standardization of two additional schemas. The system characteristics schema is focused on a standardized XML format for collecting system configuration information. This provides the basis for configuration and compliance management. Lastly, the results schema defines an XML-based format for storing the results of an OVAL evaluation of a system. The results schema enables communication of standardized assessment results, for example to a patch distribution system.

OVAL aims to standardize and define a structured process for identifying and communicating vulnerability and configuration information from the point of knowledge of a vulnerability to the point of action. Vulnerability assessment has matured over the past years, and standardizing the information exchange during the full vulnerability lifecycle makes OVAL a significant contribution to the security industry. Multiple security vendors have committed support for OVAL in their upcoming product releases. Enterprises will benefit from OVAL-compliant tools to integrate and improve the flow of information from vulnerability alert to vulnerability detection and remediation.
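To make the three-part flow concrete, here is an added example (not code from the article, from Qualys, or from MITRE's OVAL project) that evaluates a simplified, OVAL-shaped definition against the data a trusted, credentialed scan would collect. The element names (package_object, textfile_object and so on), the identifiers (def:1, tst:1 ...), the sample definition and the two host snapshots are all constructed for illustration and are not the official OVAL schema, which uses namespaced per-platform schemas and far richer state operations. What the example shows is the separation the article describes: the definition says what to test and how the tests combine, the system-characteristics step records what was actually collected from the host, and the results step reports a true/false verdict per definition and per test in a form a patch distribution or configuration management tool could consume.

```python
"""Simplified OVAL-style evaluation: definition -> system characteristics -> results.
Constructed illustration of OVAL's layout; element names are not the official schema."""
import re
import xml.etree.ElementTree as ET

# Constructed definition: a criteria tree over tests, each test pairing an object
# (what to collect) with an optional state (what collected value counts as a hit).
DEFINITION_XML = r"""<oval_definitions>
  <definitions>
    <definition id="def:1" class="vulnerability" version="1">
      <metadata><title>Old openssl, or sshd permitting root login</title></metadata>
      <criteria operator="OR">
        <criterion test_ref="tst:1" comment="openssl older than the fixed version"/>
        <criteria operator="AND">
          <criterion test_ref="tst:2" comment="PermitRootLogin yes in sshd_config"/>
          <criterion test_ref="tst:3" comment="openssh-server is installed"/>
        </criteria>
      </criteria>
    </definition>
  </definitions>
  <tests>
    <package_test id="tst:1" object_ref="obj:1" state_ref="ste:1"/>
    <textfile_test id="tst:2" object_ref="obj:2" state_ref="ste:2"/>
    <package_test id="tst:3" object_ref="obj:3"/>
  </tests>
  <objects>
    <package_object id="obj:1"><name>openssl</name></package_object>
    <textfile_object id="obj:2"><path>/etc/ssh/sshd_config</path>
      <pattern>^PermitRootLogin\s+(\S+)</pattern></textfile_object>
    <package_object id="obj:3"><name>openssh-server</name></package_object>
  </objects>
  <states>
    <package_state id="ste:1"><version operation="less than">1.0.1-3</version></package_state>
    <textfile_state id="ste:2"><subexpression operation="equals">yes</subexpression></textfile_state>
  </states>
</oval_definitions>"""

# Constructed host snapshots standing in for what a trusted (credentialed) scan reads.
VULNERABLE_HOST = {
    "packages": {"openssl": "1.0.1-1", "openssh-server": "5.9p1-5"},
    "files": {"/etc/ssh/sshd_config": "Port 22\nPermitRootLogin yes\n"},
}
PATCHED_HOST = {
    "packages": {"openssl": "1.0.1-3", "openssh-server": "5.9p1-5"},
    "files": {"/etc/ssh/sshd_config": "Port 22\nPermitRootLogin no\n"},
}


def version_key(version):
    """'1.0.1-3' -> (1, 0, 1, 3): numeric fields compare as numbers, not as text."""
    return tuple(int(p) for p in re.split(r"[.\-]", version) if p.isdigit())


COMPARATORS = {
    "equals": lambda actual, expected: actual == expected,
    "not equal": lambda actual, expected: actual != expected,
    "less than": lambda actual, expected: version_key(actual) < version_key(expected),
    "greater than or equal": lambda actual, expected: version_key(actual) >= version_key(expected),
}


def collect_characteristics(root, host):
    """System-characteristics step: one list of collected items per object id."""
    collected = {}
    for obj in root.find("objects"):
        if obj.tag == "package_object":
            name = obj.findtext("name")
            version = host["packages"].get(name)
            collected[obj.get("id")] = [{"name": name, "version": version}] if version else []
        elif obj.tag == "textfile_object":
            content = host["files"].get(obj.findtext("path"), "")
            pattern = re.compile(obj.findtext("pattern").strip(), re.MULTILINE)
            collected[obj.get("id")] = [{"subexpression": m.group(1)} for m in pattern.finditer(content)]
    return collected


def item_matches_state(item, state):
    """Every child of a state is one field check, e.g. <version operation="less than">."""
    for field in state:
        actual = item.get(field.tag)
        if actual is None or not COMPARATORS[field.get("operation", "equals")](actual, field.text):
            return False
    return True


def evaluate_tests(root, collected):
    """A test with a state is true if any collected item satisfies it; a test without
    a state is a pure existence check (is the package installed at all?)."""
    states = {s.get("id"): s for s in root.find("states")}
    results = {}
    for test in root.find("tests"):
        items = collected.get(test.get("object_ref"), [])
        state = states.get(test.get("state_ref"))
        results[test.get("id")] = bool(items) if state is None else any(item_matches_state(i, state) for i in items)
    return results


def evaluate_criteria(node, test_results):
    """Recursive AND/OR over the <criteria>/<criterion> tree."""
    if node.tag == "criterion":
        return test_results[node.get("test_ref")]
    values = [evaluate_criteria(child, test_results) for child in node]
    return all(values) if node.get("operator", "AND") == "AND" else any(values)


def evaluate(definition_xml, host):
    """Results step: per-definition 'true'/'false' plus the per-test verdicts behind it."""
    root = ET.fromstring(definition_xml)
    test_results = evaluate_tests(root, collect_characteristics(root, host))
    definitions = {d.get("id"): "true" if evaluate_criteria(d.find("criteria"), test_results) else "false"
                   for d in root.find("definitions")}
    return {"definitions": definitions, "tests": test_results}


if __name__ == "__main__":
    for label, host in (("vulnerable", VULNERABLE_HOST), ("patched", PATCHED_HOST)):
        print(label, evaluate(DEFINITION_XML, host))
```

The point of keeping the three steps in separate functions is the one the article makes about the schemas: the same definition can be re-evaluated against a stored system-characteristics snapshot without touching the host again, and the results dictionary carries both the verdict and the per-test evidence, so a downstream patching tool can act on the "why" rather than only the "what". Note that an untrusted scan would have to infer the package version and sshd setting from network probes; the credentialed form shown here simply reads them, which is why trusted assessments are more accurate about patch level.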

About the Author

Gerhard Eschelbeck is chief technology officer and vice president of engineering for Qualys, Inc. He published the industry's first research derived from a statistical analysis of millions of critical vulnerabilities over a multi-year period. Eschelbeck presented his findings before Congress, and is a significant contributor to the SANS Top 20 expert consensus identifying the most critical security vulnerabilities. He holds several patents in the field of managed network security and earned Masters and Ph.D. degrees in computer science from the University of Linz, Austria. Eschelbeck can be reached at [email protected].

References

[1] “Info about SATAN”, CERIAS, Purdue University, http://www.cerias.purdue.edu/about/history/coast/satan.php
[2] “Open Vulnerability and Assessment Language”, MITRE Corporation, http://oval.mitre.org/

British IT directors fail to make strategic case for IAM

Brian McKenna

Identity and Access Management is being misunderstood and badly positioned by UK IT directors, says a research report from RSA Security. As a consequence, British boards are failing to get the strategic point of the technology.

The research found that 27% of the 101 IT directors canvassed stated that lack of buy-in from senior management was the main obstruction to implementing identity and access management. This is despite the fact that 52% of the respondents believe it would save their companies money.

The researchers found that while 76% recognised IAM as a priority, only eight per cent had a good understanding, and 34% had not much understanding at all.