InZero's device aims to protect computers from the "mayhem" on the Web (Photo: Jeff Hutchens/Reportage by Getty Images)
Pyntikov: "We have to show that nothing will be reported to Putin" (Photo: Jeff Hutchens/Reportage by Getty Images)
Shevchenko: Giving hackers, criminals, and spies the middle finger (Photo: Jeff Hutchens/Reportage by Getty Images)
When even Google (GOOG) falls victim to hackers, it's clear that traditional security software isn't getting the job done. Hackers, criminals, and spies have broken into the computer systems of thousands of companies, government agencies, and organizations. Eighty-five percent of companies and agencies surveyed by the Ponemon Institute, a research firm, have suffered security breaches and data losses over the previous year—roughly one-quarter of which involved hackers. The losses are pegged at more than $1 trillion per year. "The bad guys are getting better and better, and my money is on the bad guys," says security expert William R. Cheswick of AT&T Labs.
Against this darkening backdrop, a tiny, Herndon (Va.) startup called InZero Systems claims to have developed a hackproof hardware-based system—a boast that strikes some experts as far-fetched. In general, any company that says it can thwart all intruders "is run by idiots who don't deserve a second glance," warns Bruce Schneier, chief security technology officer at BT (BT), the British telecom giant.
Schneier has not evaluated InZero's technology. Many who have, however, say they are impressed. Its approach has been tested by the military's Defense Advanced Research Projects Agency (DARPA) and several companies that specialize in finding cracks in computer security. No one has broken in. "It was very secure, but we were concerned about its user friendliness," says former DARPA director Anthony J. Tether, who bought 10 devices to test just before he left the agency in early 2009. "As best we can tell, there isn't a way to circumvent it," says Ronald J. Dorman, vice-president of Telos (TLSRP.PK), a computer and network security company hired by InZero to evaluate the system.
The idea behind InZero was hatched in 2002 by Oleksiy Shevchenko, a computer engineer in Ukraine who was trying to address the Internet security concerns of a policeman friend. He steered clear of the traditional defense strategy, which uses software to look out for new viruses or intruders, then devises ways to thwart each. Because malware comes in many disguises, this approach leaves networks exposed in the early stages of a new attack. Instead, Shevchenko set up hardware that acts like a second computer (in geekspeak, a "sandbox") sitting between a vulnerable computer and the Internet.
When you venture out on the Web, it feels like you are using your own machine, but you are actually in InZero's sandbox. You can send e-mail and go anywhere in cyberspace, even to sites known to harbor hackers and viruses. The effect is similar to having a Webcam on your computer aimed at a second computer's screen, says cryptography expert Phil Zimmermann, who was asked by InZero to assess the technology. There's a barrier between the two systems that prevents anything bad from getting to your machine.
Since the operating system and memory in InZero's sandbox are read-only, they can't be changed by a virus, and hackers can't commandeer the device. "Whatever mayhem is on this other computer is not going to hurt you," says Zimmermann, who says he can't think of any way to break in. InZero CEO Louis R. Hughes offers a second analogy: that of a patient with an unknown disease quarantined behind a glass wall. "Our device is the equivalent of that glass wall," he says.
The idea of a second device acting as a barricade isn't new. Security experts often set up a buffer computer to interact with the larger world; if and when the machine gets infected, they simply wipe it clean and reinstall software. Many researchers have also latched onto the idea of a software sandbox—or virtual computer—that resides right inside a PC, says AT&T's Cheswick.