Hackers learn to harness sound

There is a new threat to computer security that not even the best antivirus program can defeat.

Researchers at the University of California-Berkeley recently discovered a way to recover up to 96 percent of the characters a person types on a computer keyboard using a microphone, an algorithm and a spell checker.

"It's a form of acoustical spying that should raise red flags among computer security and privacy experts," Doug Tygar, UC Berkeley professor of computer science and information management, and the principal investigator of the study, said in a press release.

If a hacker were able to record the sounds of a user typing and develop a program similar to Tygar's, the personal information of the user would be severely compromised.

According to a statement released by UC Berkeley, Tygar's findings exploit the unique sounds each key on a keyboard makes when struck. First, he made a recording of someone typing at a keyboard and fed the recording into a computer. Using an algorithm, the computer guessed characters and words by categorizing the sounds of the keys. The researchers ran those guesses through spelling and grammar checkers to increase accuracy and make the text readable. Finally, they looped the audio to train the computer to recognize its mistakes and improve its ability to guess characters on its first try.

Despite this new approach to hacking, universities remain confident that their systems are secure.

Jim Stone, consulting services director of information technology at Boston University, said students who exercise "common sense" when using computers are relatively safe. He advised against opening suspicious attachments, clicking strange links and downloading music or movies since they often have viruses attached to them.

Before a person can connect their computer to the BU network, he or she must first install a virus scanner, a spyware detector and a firewall, according to BU's Personal Computing Support Center website. PCSC recommends running all Windows Updates frequently and allowing them to update automatically.

The university also takes additional precautions that make it more difficult for outsiders to access the network, according to Stone.

"We do go to great lengths to protect the data of our students and faculty," Stone said. "It is first and foremost on our minds. [BU students and faculty] are as safe as they're going to get."

But Leonid Levin, a computer science professor at BU, said computer security is still a major problem.

"All hacks ... are possible," Levin said. "The issue is whether somebody would be sufficiently interested in spending all these efforts before the security improves."

Ford Fay, database and systems Administrator at Harvard University, also advocates personal responsibility for sensitive information. Fay said students should keep passwords secret, avoid emailing confidential information and look at links before clicking them.

"Don't do something silly," Fay said. "Be savvy."

Harvard, like BU, has tough standards for connecting to its network. Users must install antivirus and anti-spyware software as well as a personal firewall, and the strength of passwords is verified.

All computers must be patched and upgraded, which "identifies and segregates areas of contamination," Fay said.

Each user receives an Ethernet card with a unique media access control address that must be registered before connecting to the network. Fay said this helps exclude people from the network who might want to collect personal information about users.

Students must provide both their student identification number and a personal identification number before logging onto Harvard websites that contain their personal information.

Fay said users are urged to use the Mozilla Firefox web browser and the Thunderbird email client because they are more secure than Microsoft Internet Explorer and Microsoft Outlook. "We make sure our users have good tools," he said.

According to the Privacy Rights Clearinghouse in San Diego, Massachusetts has not yet passed a law that requires businesses, nonprofits and state public institutions to notify consumers when their personal information has been compromised. This means that even if a data breach occurs, there is no legal obligation to report it. According to the Clearinghouse website, the Massachusetts Legislature may pass the law this year.

The Clearinghouse reports that more than 50 million people, including about one million university students, have experienced a data breach since February, the most common of which was hacking. Boston College and Tufts University were among the campuses affected.