JAWS Technologies bites back against e-criminals

Seldom does a company offer a cash prize to anyone who can prove its product is defective. But that's what JAWS Technologies Inc. did in 1998, to demonstrate that its 4096-bit encryption key was virtually unbreakable. JAWS offered US$5 million to anyone who could break the code. Of 569 hackers who tried, not one was able to claim the prize.

At the time of the contest, JAWS was barely a year old, and the Canadian company had produced an encryption code that is "statistically unbreakable." Nothing in cyberspace is ever completely hack-proof —just as there is no such thing as a burglarproof Lock — but JAWS' code is so complex it resembles a virtual strongbox, wrapped in thick iron chains and thou-sands of locks. Something not even the great magician Harry Houdini could break.

To explain JAWS' encryption code simplistically: If you have a one-digit number between 1 and 9, how many guesses must you make to guess the right number? No more than 10. If you have a two-digit number, it could take you as many as 100 guesses. A 4096-digit number would be like 10 to the 4096th power — extremely difficult (but not impossible) to break.

Every hour of every day, legions of face-less virtual Houdinis are out there trying to break computer security codes and penetrate dot-com organizations. Once they've penetrated your system, hackers ensure they have open access from that point forward. They work with the system to make sure they can always get back in. They'll always have a future door, so they don't have to recreate the hack again.

"The sign of a true hacker is someone who gets in without you knowing," says JAWS' chief executive officer Robert Kubbernus. "You don't know when that information is going to come forward to haunt you. Our profiles tell us that hackers are getting younger all the time. They don't realize that hacking is a crime. To them, it's the ultimate video game. But they're walking through all our corporate systems and proud of it. They're exchanging information with a cyber-community out there that they feel a part of. And they are worldwide."

JAWS' chief technology officer Tej Minhas warns that the criminal element is a growing presence in cyberspace, and it is moving into hacking in a big way.

"What's starting to happen is that corporate espionage types and terrorists are entering the picture to wreak total havoc on the infrastructure," Minhas says. "Hackers are being organized into 'cyber-gangs'. Less 'benign' viruses are being created to infiltrate computer systems. The real threat is what's tailing behind the recreational hacker."

A variety of damage can occur when hackers get inside an organization. Because of the Internet/dot-corn phenomenon, companies are spending fortunes marketing their brands and images online. However, once they've been compromised, that brand takes a hard hit on the marketplace.

"After some of the major sites were com-promised, we saw several million dollars shaved off the market caps the very next day," says JAWS' chief operating officer Peter Labrinos. "Right now, e-commerce is at such a germinal stage that the confidence of consumers is very important. Other businesses won't want to do e-business with a company if it can't prove to the world that it can safeguard every-one's interests."

One may argue that security concerns have hindered the growth of e-commerce, which on the surface appears to be explosive. "The business-to-business model is moving ahead fast, but the business-to-consumer aspect of e-commerce is definitely stifled, with many hesitating to give their credit card number over the Internet," Labrinos says. "Bypassing security is one thing —once a hacker gets in, how do you know what has been compromised? What confidential information could become public down the road?"

The Time Warner-AOL transaction was done almost exclusively on the Internet and it ran into the billions, and if anyone had gotten hold of that vital information, it would have been a disaster. Trillions of dollars are being exchanged in negotiations and corporate transactions on the Net every week. Governments are under tremendous pressure to step up e-procurement, serving the public better, more easily and less expensively over the Internet. But is all this data secure?

A major daily newspaper in Western Canada once challenged JAWS to break into its computer system as a publicity stunt, Kubbernus recalls. "This reporter said the paper didn't need e-security, that we were blowing things out of proportion. He signed off on the forms to allow us to go to work. Four hours later, we showed him that we had control over his bank account. Not just access to the account, but control over it. We gained access to his network, personal files and password-protected areas. The only evidence we left behind was our calling card, which read: 'Greetings from your friends at JAWS'."

As a result of such adventures, JAWS Technologies has become something of a media darling. Kubbernus, Minhas and Labrinos are the first ones the media calls in the aftermath of a big dot-corn penetration, such as the recent eBay and AOL debacles.

"We did end up being a media darling, and not by design," Kubbernus agrees. "JAWS is known Canada-wide and we're trying to replicate this in the U.S. as well. We want to be a regular source for the media."

In the New Economy, every organization has to go through Internet 101 and the media is hungry for content in this very hot area. So regular calls come in from CBC, CNN, ROB (Report on Business) TV, CTV's Canada AM, the National Post and The Globe and Mail.

JAWS is also developing an early warning program to alert the media about a hack or a virus in the marketplace at the same time it is alerting its customers. "An early response media desk will help people find out fast about things like the 'I Love You' virus," Kubbernus forecasts.

Kubbernus, a successful venture capitalist based in Toronto, founded JAWS in 1997, after purchasing JAWS Software, a small development company. "These developers built the software mainly for their own use and didn't really know what they had," Kubbernus says. "However, we can no Longer say that our encryption code is 'statistically unbreakable'. A distributed computing program can hook up 30,000 computers online and borrow computer power from every one of them to solve a problem. That's how all these algorithms are being broken.

"You have to keep evolving your encryption software because hackers never sleep,” Kubbernus emphasizes. “As our use of computing devices changes, we have to stay on top of the trend. These devices are shrinking and becoming hand-held. We’re witnessing the wireless phenomenon. Encryption and security products have to grow with that."

JAWS is also stepping up its R&D capability. "We have a very strong R&D division and we continue to look at bleeding-edge technology, to continue to stay ahead of the hackers," Minhas notes. "We're looking at biometric (DNA-based) and quantum computing. We're seeing the advent of biocomputers, where computers will replicate the human nervous system and be that much faster and more capable of breaking encryption codes. Genetics and computing devices are also being 'packaged' and there is some weird stuff going on out there indeed. We're working with think tanks, third-generation wireless companies, leading-edge cryptographers. We're sponsoring two chairs in advanced cryptography, and plan to create a center of excellence in this field."

JAWS recently started up an e-Security Innovation Centre with the University of Calgary. "We'll be able to look at the next wave of e-securitv products without being encumbered by commercial interests,” Minhas predicts.

JAWS also relies on first-hand information from ‘the dark side.’ To help JAWS keep up with developments on cyber-crime, hackers and intelligence operatives are on the JAWS payroll as advisors.

"We do mock penetration attack exercises when our customers engage us," Kubbernus reveals. "We break in, surprise them, show up four hours later in control of their bank account — with their consent, of course. We were one of the first companies to hire a teenage hacker, back in 1997. That approach became somewhat 'in vogue' later on.

"We also infiltrate hacker boards and communities to find out what they're up to. We engage in chats. We know our way around the culture. Our people attend the Black Hat conference for hackers. These guys play games like 'Spot the Fed.’” (At Black Hat Briefings, lectures cover such topics as 'Assessing and Penetrating NT Networks and Hosts', 'Linking NT and Unix Vulnerabilities for Maximum Impact' and 'Identifying Common E-commerce Web Vulnerabilities'.)

JAWS is forging stronger links with the U.S. military and intelligence communities. In January, the U.S. President and the Office of International Programs released a plan to fight cyber-terrorism through new security standards, multi-layered defensive technologies, and stepped-up training and research. JAWS was asked to offer a five-day training program for military, law enforcement and information technology person-nel. JAWS was also called upon to gather computer 'fingerprints' and other cyber-forensics for use in court. And JAWS now has a comprehensive online training pro-gram for law enforcement and security officials, called 'JAWS University'.

JAWS is listed on the NASDAQ and has offices in Ottawa, Toronto, Calgary, Edmonton, Boston, Fairfield (New Jersey), Chicago and Pasadena (California). JAWS started off with only its encryption code, but now provides 'end-to-end security solutions,' offering a variety of e-security products and services.

"Security is only as good as the human who is operating is, so we look at how people use technology,” Kubbernus says. “Most people don’t even know how to get the ’12:00’ to stop flashing on their VCR. So why give them a super-sophisticated system if they can’t operate it?

"We wanted to figure out how the growing marketplace was driving security needs, which I think accounts for our success," Labrinos says. "We recognize that it is not just all about technology. We have to Look at the customer's organization, figure out the problem first. What is it that you're really trying to achieve with e-business and what is it that you really need to secure, because we can tighten the screws so hard on an organization that no information flows in or out. Obviously, you can't go that far. You have to meet the client's business needs."

JAWS strongly encourages its clients to deal only with companies, contractors and suppliers that are also 'e-secure'. "At the corporate end, security is now part of the requirement to maintain your ISO standards, if you're an ISO-certified company" Kubbernus explains. "Basically, you're only as good as your security chain. Your com-munity of companies must start to build its own security protocol. It's like an online Neighborhood Watch."

Canada has gone to great lengths to ensure that its postal service is top-notch and that penalties are imposed on anyone who interferes with the mails. If anything hap-pens to your Letter as it is being delivered, someone can go to jail. Yet e-mail has out-stripped Canada Post tenfold. It is the most significant mail delivery system being used today. And no one — not tel-cos, e-mail companies or software developers — is responsible for the securing of that information. No laws are being created to deal with people reading your e-mail. Are there penalties or jail time? We don't even know who the handlers are anymore. There are quite simply too many transit nodes.

According to Minhas: "Legislation is lagging too far behind the technology. We have no Legal precedents in this fast-growing worldwide global economy. Our creaking legislatures are going to have to step on it."

"On the e-commerce front, the ship has left harbor," Kubbernus sums up. "Corporations can't rethink their e-business strategy. Nowadays, they must have their products and services or even a brochure online. There is no choice. Now it's just a question of fixing the holes."