6 February, 2014 - 22:13 By Tony Quested

Hackers are being challenged by a Cambridge UK technology startup to try to prise data from a digital Fort Knox that the founders believe is impenetrable to cyber attacks on passwords and usernames via the internet.

Their safe-harbour hardware – branded Iridium Server – will remain in stealth until Q3 of this year although former Citrix duo Will Harwood and Roger Gross say there is a chance that the product could be ready to roll at the end of Q2.

They are so confident that cyber terrorists can’t crack their computerised ‘safe’ that they are holding a competition to prove the technology’s fortress capabilities in user name and password protection.

The breakthrough holds major implications for world governments and the military as well as industry sectors from healthcare to financial.

Based at St John's Innovation Centre, Cambridge and with an office at Innovation Martlesham, Silicon Safe Ltd’s first product is a patent-pending password storage and authentication server that prevents bulk identity theft from businesses, in which millions of passwords can be stolen in a single cyber-attack.

Gross, who is CEO, said the solution “combines an ingenious approach to secure data storage with a special purpose security platform, culminating in an architecture that is fit for purpose.”

Online identity theft is regarded as one of the most common forms of cyber-attack in the commercial world. Typically, a website is hacked over the internet (or via a worm or Trojan horse program installed inside the network) and identities are stolen from a file on the webserver’s hard drive, or a database connected to it. Once obtained, the credentials are often used for a variety of criminal activities.

In June 2013, there were estimated to be 62 billion passwords in use worldwide. That’s in addition to around 1.63 billion credit and debit cards in circulation: $11.27 billion was lost by payment card issuers, merchants, and acquiring banks during 2012 because of cyber fraud.

There have been several high-profile bulk-password theft incidents in recent years including the Sony PlayStation Network security breach (70 million usernames and passwords stolen in 2010), Facebook login credentials theft (45 million usernames and passwords stolen in 2012) and Adobe in which 130 million usernames and passwords were stolen in 2013.

Gross said: “Loss of identity data not only causes huge inconvenience to both organisations and individual users but also there are significant financial implications for the affected business. We believe our security architecture is a game-changer that prevents theft of identity information.”

He added: “Our server protects passwords at rest. It replaces your existing password store (files or databases) which are vulnerable to remote attacks. Login credentials received by your webserver are sent to the password safe for authentication there. The password safe replies indicating success or failure.

“The password safe may look like a PC but it is not a PC, neither does it run an operating system. It uses an unconventional hardware and software architecture (patent pending) providing immunity to the thousands of vulnerabilities associated with the PC platform, Windows and Linux. It is not vulnerable to code injection and other attacks used by hackers to penetrate a system, providing protection of your customers' and employees' identities.

“Integration with your existing webserver authentication code or login scripts is straightforward and requires changes to just a few lines of webserver code. Example integrations are available in PHP and Python.

“Our migration tools make light work of moving existing credentials into the server without the need to reset passwords. Each password safe can store login credentials for up to 64 million users and can authenticate users at a rate of over 100 per second.

“Our servers provide disaster recovery and high availability features built-in. They can be paired or clustered for scalability and load balancing including geographical redundancy.”

Talking exclusively to Business Weekly, Gross said an invitation-only early access Beta programme would start mid-Q2. “We plan to launch the product towards the end of Q3 or sooner if possible.”

Silicon Safe anticipates selling to dozens of customers annually initially – rising to hundreds within a couple of years, Gross confided.

“The product has a high sales value and we will be targeting the medium and large e-commerce sites initially i.e. customers that store tens of millions of passwords globally. They could expect to pay upwards of £100,000k for a solution plus annual maintenance so we don’t need to sell that many to generate substantial revenue. We also anticipate licensing the technology to others to manufacture under their own brand.”

Silicon Safe intends to manufacture in the UK. Gross said: “This is not a cost engineering exercise; we do not need to build a computer down to a price because our margins are good. We have outsourced the PCB design to a company in St Neots. The first 20 units manufactured will be used for the early access programme and will probably also be manufactured in this region.”

The idea for the business was catalysed by the founders’ awareness of the number of bulk password thefts that were making the headlines at the end of 2012, start of 2013. Harwood had felt for some time that PCs “were a hopeless platform upon which to base a security solution,” according to Gross.

“Will set himself the challenge of designing a totally secure computer architecture from scratch – initially as an academic exercise. Having heard of Will’s idea, I felt there was money to be made so we formed a company in early 2013 and built and tested several prototypes during the rest of the year. A patent was filed in August 2013. We have just completed the HW requirements and the PCB layout and manufacturing has commenced.”

The founders met in 1999 when they both worked at Citrix’s Cambridge R & D centre. Gross was the site director and Harwood was one of the engineering principals and development managers specialising in security and web products.

Harwood left Citrix in 2009 to undertake a PhD at York University. Gross left Citrix in 2004 and in 2007 started a training company in Ipswich which he sold as a going concern in 2012 – so they were both looking for a new challenge. “We met for coffee in January 2013 to catch up and the rest is history as they say.

“We believe the menace of bulk password theft is a significant and growing problem. Hardly a week goes by without another breach hitting the headlines. The inconvenience, costs and reputational damage facing a business recovering from an identity theft is massive, especially for very large ecommerce sites and social networks that can lose millions of identities. We believe that these businesses will pay a premium for a solution that can alleviate this problem.”

Initially the only employees are Will and Roger. But they have a very experienced and active advisory board so “feel like a larger organisation. Because we outsource the HW layout design and manufacture and write the software between us, we don’t need large teams of engineers as you do with a software company.

“Having said that, we will need to ramp up staff to start preparing to take the product to market (sales, marketing and support) in late Q2. We will likely grow to 10 people by this time next year and probably take a permanent office at St John’s Innovation Centre. We intend to allow future employees to enjoy a mix of home working and attendance at the office.”

The founders have worked full time on the project since early 2013. They wanted to avoid taking seed funding until they had a product – “rather than asking people to invest in an idea.”

Gross said: “With the R & D phase effectively complete and the manufacturing phase underway, the risk is significantly reduced and the valuation is higher so we are in the process of closing a small seed round to spend on manufacturing and IPR protection costs. We have the investors and will have completed the paperwork by March.

“We plan to take further external funding in Q2 once the beta has commenced and initial customer testimonials have been received. That should push the valuation up further allowing us to take on more investment to take the product to market and sustain us until profitability in 2016.

“We have been advised to also consider a sale to a larger company as an alternative strategy to raising funding to scale the business up ourselves. This would have the advantage of enabling us to sell to the global giant businesses that might not be willing to purchase from a small startup.

“The UK is our initial focus – where we can learn to sell the product and gather vital data that will enable us to better predict sales patterns – but clearly there is a huge global opportunity here.

“We will recruit channel partners to scale sales. We will inevitably expand into the US and then Asia. Many sales will be to multinational businesses so that will most likely drive our geographic expansion as we will have to support the product there. We are undecided at this stage whether to use distributors or build a reseller channel abroad. We may license the IPR to a US giant instead.”

The ‘safe cracking hacker challenge’ will be launched later this month. Hackers will be invited to try to steal 100 usernames and passwords from an ‘unprotected’ password server on the internet.

Gross said: “All of the encryption and other protection has been removed so that the server itself can be directly accessed. We will be publishing the API to the server and provide a sample website that can be used to access the device and create user accounts etc.

“There will be no prize money offered because we believe serious hackers are not motivated by money. We are very confident they will not manage to steal any passwords.”

The IP address of the challenge server and other details concerning the hacker challenge and Beta program will be posted on the website soon. Keep an eye on www.siliconsafe.co.uk for details.

• PHOTOGRAPH SHOWS: Roger Gross (left) and Will Harwood of Silicon Safe Ltd