Screen-blocking systems stop prying eyes

Oculis Labs thinks it has stared down a long-known gaping hole in data protection

You've probably been in this situation before: A colleague strolls up behind your computer during work hours and your personal e-mail is in view.

To protect computer users in such instances -- and some that are much more problematic -- a U.S.-based company, Oculis Labs, has come up with two systems that obscure sensitive content on a computer screen, offering an alternative to plastic overlays that block content unless viewed at a direct angle.

Oculis Labs' first product, Chameleon, is designed for military use. For first-time users, Chameleon does a calibration test to observe how a person's eyes move over the text. For most people, this pattern is different. A user tracks a blue dot around nine positions on the screen.

When Chameleon is in use, a person's eye movements are tracked by a so-called "gaze tracker," which is an infrared camera, said Bill Anderson, president of Oculis Labs and former vice president of encryption at SafeNet.

When a document is displayed, only that authorized user can see the text as the camera tracks the person's eyes. For people who don't have the same viewing pattern, the text changes. Anyone else -- such as a translator employed by the military working with the soldier -- will see content that's been convincingly crafted to look like the real content, but isn't.

For example, a line of text that reads "the cat ran across the road" may appear to a snooper to say "the turtle had a nice lunch," Anderson said.

Those text changes occur in a 23 to 65 millisecond period when the eyes make rapid movements -- known as saccades -- but the user doesn't notice anything in a split-second of relative blindness.

"We are replacing content with equally probable false content," said Anderson.

Chameleon intercepts application content, such as that in a Microsoft Word document, before it hits the graphics card and alters it. The authorized user can slightly detect that the text is changing outside their peripheral vision but in a way that doesn't interfere with their comprehension of the document, Anderson said.

Chameleon alters the text by using a statistical dictionary to come up with convincing yet false content. It means that a soldier doesn't have to worry that the translator may also be gathering intelligence. About 5 percent of the time, however, people can share the same viewing pattern.

Chameleon also resists what is known as a tempest attack, a decades-old technique where electronic signals emitted by hardware such as a graphics card can be detected and then used to figure out content, Anderson said. It also defeats attempts with zoom lenses to take screenshots of content.

Applications sending data to the graphics card are unaware of Chameleon. So far the system just works with Microsoft Windows-based PCs, but could be used with other operating systems, Anderson said.

Chameleon will cost around US$10,000 per seat for a perpetual license. Anderson said Oculis plans to approach the U.S. military and potentially other NATO allies.

Oculis has also developed a spin-off product for consumer and enterprise use called PrivateEye, which just went on sale about two weeks ago. PrivateEye works with a regular webcam. It detects who is primarily using the computer and if that user turns away, the text is blurred on the screen within 100 milliseconds, Anderson said.

Users often grapple with a decision of whether to close a window when a colleague comes by, which could be perceived as rude or a sign that one employee doesn't trust another, Anderson said.

But when PrivateEye is known to be used, even those scenarios tend to stop: "Nobody wants to be perceived as the one who is always snooping," Anderson said.

With the forthcoming version, PrivateEye Professional, if the webcam sees someone else behind the authorized user, it will display a thumbnail-sized video window with the interloper's image.

"An adversary sees his own face, so he knows he's been caught," Anderson said.

The standard version of PrivateEye retails for $19.95 for a consumer license and $59.95 for a commercial one. The licenses are perpetual. PrivateEye Professional will sell for $59.95 for noncommercial use and $119.95 for commercial use.

Oculis Labs, which started two years ago on about $1 million in financing from family and friends, is hoping its technology could be woven into data leakage security products offered by large vendors, Anderson said. Another option is securing a deal with an original equipment manufacturer to ship PrivateEye with new PCs, he said.

Oculis Labs is working to raise another $1 million to $1.5 million over the next few months during a funding round, Anderson said.
