
08 March 2017

The Ghost in the Machine


Again, first off, a disclaimer. This is not a political rant any more than my previous post. Last time, I went after Michael Flynn for his lack of deportment. This time, I'm inviting you into the Twilight Zone.  

We have a habit, in this country, of thinking we're the center of attention. In other words, Trump's issues with his Russian connections are all about American domestic politics. There's another way to look at this. What if it turns out to be about Russian domestic politics?

Bear with me. Filling in the background, we have Russian interference in the 2016 U.S. presidential election. This appears not to be in dispute. There's a consensus in the intelligence community. Fairly obviously, Hillary Clinton wasn't the Russians' first choice, and she seems to have inspired Vladimir Putin's personal animus. It's not clear whether the Russians wanted simply to weaken Clinton's credibility and present her with an uncertain victory or if they thought they could engineer her actual defeat.



Deception and disinformation are tools of long standing. Everybody uses them, and the Russians have a lot of practice. They've in fact just announced the roll-out of a new integrated platform for Information Warfare, and under military authority (not, interestingly, the successor agencies to KGB). Their continuing success in controlling the narrative on the ground in both Ukraine and Syria, less so in the Caucasus, demonstrates a fairly sophisticated skill-set. To some degree, it relies on critical mass, repeating the same lies or half-truths until they crowd out the facts. Even if they don't, the facts become suspect.

Now, since the Inauguration, we've had a steady erosion of the established narrative. Beginning with Gen. Flynn, then Sessions, former adviser Page Carter, Jared Kushner. Consider the timeline. Nobody can get out in front of the story, because the hits just keep coming. They're being blind-sided. "They did make love to this employment," Hamlet says, and none of them seem to realize they could be fall guys, or that it's not about them.

The most basic question a good lawyer can ask is cui bono. Who benefits? If the object was to have a White House friendlier to the Kremlin than the one before, that doesn't appear to be working out. But perhaps the idea is simply to have an administration in disarray, one that can't cohesively and coherently address problems in NATO, say, or the Pacific Rim.  Short-term gain. Maybe more.



Let's suppose somebody is playing a longer game. We have a story out of Russia about the recent arrests of the director of the Center for Information Security, a division of the Federal Security Service, and the senior computer incident investigator at the Kaspersky Lab, a private company believed to be under FSB discipline - both of them for espionage, accused of being American assets, but both of them could just as plausibly be involved in the U.S. election hack. What to make of it? Loose ends, possibly. Circling the wagons. Half a dozen people have dropped dead or dropped out of sight lately, former security service personnel, a couple of diplomats. Russians have always been conspiracy-minded, and it's catching. You can't help but think the body count's a little too convenient, or sort of a collective memory loss.

Here's my thought. This slow leakage and loss of traction, the outing of Flynn and Sessions and the others - and waiting for more shoes to drop - why do we necessarily imagine this has to come from the inside? Old rivalries in the intelligence community, or Spec Ops, lifer spooks who didn't like Mike Flynn then and resented his being booked for a return engagement later. Just because you want to believe a story badly doesn't make it false. But how about this, what if the leaks are coming from Russian sources?

Remove yourself from the equation. It's not about kneecapping Trump, it's about getting rid of Putin, and Trump is collateral damage. There are factions in Russia that think Putin has gotten too big for his britches. He's set himself up as the reincarnation of Stalin. And not some new Stalin, either. The old Stalin. None of these guys are reformers, mind you, they're siloviki, predators. They just want to get close enough with the knives, and this is protective coloration. Putin, no dummy he, is apparently eliminating collaborators and witnesses at home, but somebody else is working the other side of the board.



If the new administration comes near collapse, because too many close Trump associates are tarred with the Russian brush, the strategy's going to backfire, and the pendulum will swing the other way. The scenario then has the opposite effect of what was intended. Putin will have overreached himself, embarrassed Russia, and jeopardized their national security. That's the way I'd play it, if it were me, but I'm not the one planning a coup.

This is of course utterly far-fetched, and I'm an obvious paranoid. Oh, there's someone at the door. Must be my new Bulgarian pal, the umbrella salesman.

24 February 2016

Sauce for the Goose


Meanwhile, back on the spook front, a couple or three developments. Maybe not all of a piece. They just bunched up on the radar around the same time.

To begin with, NSA has announced the establishment of a new Directorate of Operations, to oversee two previously separate missions - known as Signals Intelligence and Information Assurance - the first their offensive eavesdropping capacity, and the second their security firewalls. This is kind of a big deal, although it might not seem like it to an outsider. The intelligence agencies prefer not to cross-pollinate.



Although inter-agency and intra-agency transparency looks good on paper, there are inherent risks, and they don't necessarily have a lot to do with jurisdiction or budget fights. Yes, you always have to live with dedicated turf warriors, but this is actually about keeping your assets secure and compartmentalized. For many years, CIA has maintained an institutional divide between Intelligence and Operations, and resisted calls to integrate. You could argue one mission is passive and the other active, but more to the point, a compromise on one side of the shop doesn't jeopardize the other. You limit your exposure. You're not giving up a roadmap to sources and methods.

So it's a trade-off. NSA may well enhance its analytical skills, of intercepted traffic and in defense against cyber attack. They may also be opening the watertight doors.

The next thing that caught my attention probably falls under the heading of Old Wine, New Bottles. Some while ago, DARPA came up with a program, or a menu of programs, called Total Information Awareness. This was shelved, for a time, and then implemented by fits and starts, not as a fully coherent approach. Then come the Snowden leaks, and data-mining is on everybody's lips. Nancy Pelosi and the House Intelligence Committee are shocked, shocked, but eventually the smoke blows away. Now a new tool has surfaced, called Information Volume and Velocity. (Don't you love these names?) This is designed to model trends on social media, among other platforms.



The most obvious application is counterterrorism. ISIS, for one, and the insurgents in the North Caucasus, for another, are more than familiar with Twitter and Facebook. They use them for recruitment, and public relations, and for command-and-control in the field - although lately the more popular vehicle has been on-line simulator games. You can see the appeal of a first-person shooter.

The problem, from NSA's point of view (or CIA, or the FBI, or Homeland Security), isn't data collection. The issue is how to process the material, and spin gold out of straw. The volume, not to mention the velocity, is impossible to keep up with. What they've got is an embarrassment of riches. The information environment is overwhelming. They need a filtering mechanism, to define the threat posture.



Last but not least, we have the recent Apple dust-up. This isn't a theoretical, or preventative policing. It's a question that came up after the San Bernardino shootings last December. Farook, one of the shooters, had an iPhone. FBI investigators would like to unlock it, and Apple says they won't provide a way to defeat the encryption. What we got here is real quicksand.

These issues are nowhere near clear-cut, although Apple CEO Tim Cook seems determined to frame it in apocalyptic terms and FBI Director James Comey is taking a predictably hard line. The law-and-order argument is uncomplicated. Comey says, we need to pursue every lead, in case other people are involved. We have a duly-issued search warrant for the digital contents of the phone, and the manufacturer has a legal and moral obligation to comply. Apple has in fact given the FBI everything it could download from the Cloud, but it refuses to write code that would reverse-engineer the encrypted data that's on the phone itself. Apple maintains that this would of necessity amount to a master key, that would unlock any iPhone. In other words, they could no longer market a secure product. They may cloak it in civil liberties, but it's a business decision.



The disingenuousness, or hypocrisy, on both sides, doesn't take away from either position. Comey's point is perfectly well taken, and so is Cook's. And for once, although I'm sure there are people who probably think I never met a surveillance program I didn't like, I'm with Apple on this one. Whether you trust U.S. federal agencies to take the high road is irrelevant. There are other countries in the world. There are more than a few that bully their own citizens, and whose management of information technology is anything but benign. We'd be handing them a loaded gun.

Is there a common thread? I dunno. There's no hard and fast. Maybe it signifies, maybe not. Stuff drifts past in my peripheral vision, and sometimes it catches the light.

04 August 2013

PINs and Passwords, Part 1


Needles…
More often than you might imagine, financial institutions deploy inadequate security protection, the type of inadequacy where the word ‘woefully’ often finds itself used. I don’t know how much Discover has beefed up its on-line security since I last owned a card, but its password protection was weaker than some porn sites (so I’m told, ahem). It took Capital One and Washington Mutual a while to come up to speed, but my present bank still allows only a ten-character password.

If a bank left the keys in their door at night or even left it unlocked, you could hardly blame the curious– or the wicked– for coming inside and wandering around. But that’s happened in the on-line financial world. Institutions lobby for harsh penalties, but their rantings and ravings are meant to detract attention from their own failings.

But a third party is involved, you, the customer. What do you have in your wallet?

From the aspect of a consumer, we can use the following to protect ourselves. From the standpoint of crime writers, we can use the information below to plot clues within a story.

… and PINs

Think about your PIN number, ‘PIN’ singular because most people use one for everything, even their security alarm code. And past behavior suggests people will continue using an easily exposed code even after reading an article like this.

But wait. Doesn't a 4-digit PIN imply guessing one is only a 1-in-10,000 chance?

Not at all. Knowing a little about you (Social Security Number, birth date, etc.) might help hackers, but the PINs and alarm codes of one in four customers can be reduced to sixteen or so numbers.

Does yours begin with 1? Or 19?

The vast majority of PIN numbers begin with 1 or 0. If yours starts with 1, you’ve reduced the possibilities from 10,000 to 1000. If 19, your herd's shrunk to 100.

Do you use the internationally ubiquitous top N° 1 PIN? 1234? Or another of the popular sequential variants, 4321, 5678, 6789?

Does your number begin with 19xx, perhaps a date? The possible numbers are now one hundred, probably a lot less, maybe twenty possibilities if you’re young and eighty possibilities if you aren’t, but a few more if the number represents month-and-day (MMDD) or day-and-month (DDMM). Popular dates that go beyond birthdays include George Orwell's literary 1984 and historical years 1492 and 1776.

Take 2486, which has two strikes against it: It not only comprises semi-sequential even numbers, but it's also a visual pattern, a diamond on a keypad. Other popular visuals are a square (1397), a cross (2046), an X (1937), and the most popular of all, a straight line down the middle (2580). Visual patterns produce deceptively random-looking numbers, but statistics demonstrate they offer little security. And let's face it: Security and convenience find themselves at odds with each other.

[Figure: PIN 'heat' map (statistical moiré)]
PIN-stripes

Using graphing tools and such visuals as 'heat maps', researchers can determine less than obvious patterns. Some stand out like stars in the sky while others exhibit a warp and woof of woven fabric revealing unconscious human subtleties we're unaware of.

People love couplets, paired digits such as 1010, 1212, the ever-popular 6969, Intel’s 8080, or that Zager and Evans song, 2525. Even when not using 9898 or 2323, people exhibit a preference for pairs one numeric step apart such as 2389 (2-3, 8-9) or 5478 (5-4, 7-8) instead of 2479 or 5668. Perhaps we still hear childhood chants in our head from when we learned to count.

A few users exhibit a distinct lack of imagination, to wit: 0001. Others look to pop culture for inspiration, especially fans of James Bond (0007 or 0070), Star Trek (1701), or George Lucas (1138). The 1980s hit 867-5309 peaked at #4 on both the Billboard Hot 100 chart and the hottest 7-digit PIN list.

Some people can’t be bothered at all: 0000, 1111, 2222, 9999, etc. These same overall patterns persist with PINs longer than four digits although people tend to pick phone numbers when forced to select 7-digits, thus adding artificial randomization to the mix.

The problem with guessable PINs surprisingly worsens when customers are forced to use additional digits, moving from about a 25% probability with fifteen numbers to more than 30% (not counting 7-digits with all those phone numbers). In fact, about half of all 9-digit PINs can be reduced to two dozen possibilities, largely because more than 35% of all people use the all too tempting 123456789. As for the remaining 64%, there's a good chance they're using their Social Security Number, which makes them vulnerable. (And as we know, Social Security Numbers contain their own well-known patterns.)

To reemphasize, the greater the number of digits required, the more predictable selections become. Why? Why does the problem worsen with additional digits? As people are forced to use more digits, I hypothesize they react by falling back on easy-to-recall patterns such as sequences. Someone might remember 3791, but they won't easily recall 379114928, and they may reason 123456789 is as difficult as any other number.
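The patterns catalogued in this section can be turned into a screening check, the kind a bank or alarm vendor would run before accepting a customer's PIN. The Python below is an added example and not code from the post; the pattern set follows the post's own observations (repeated digits, sequences, couplets, 19xx years, MMDD/DDMM dates, keypad shapes, pop-culture numbers, a leading 0 or 1), while the year window of 1900 to 2019 and the label names are assumptions made for illustration.

```python
"""Screen a PIN for the guessable patterns described in the post.

Added example, not code from the original post.  The pattern list follows the
post's observations; the year window and the label names are assumptions.
"""

# Keypad "visual" PINs the post names: diamond, square, cross, X, middle line.
KEYPAD_SHAPES = {"2486", "1397", "2046", "1937", "2580"}

# Pop-culture and no-imagination PINs the post calls out.
POP_CULTURE = {"0007", "0070", "1701", "1138", "0001"}


def is_sequential(pin):
    """True for ascending or descending runs such as 1234, 6789, 4321, 123456789."""
    digits = [int(c) for c in pin]
    steps = {b - a for a, b in zip(digits, digits[1:])}
    return steps == {1} or steps == {-1}


def is_couplet(pin):
    """True for paired-digit PINs such as 1010, 1212, 6969 (ABAB)."""
    return len(pin) == 4 and pin[:2] == pin[2:]


def looks_like_year(pin):
    """True for a four-digit PIN that reads as a year (1900-2019, assumed window)."""
    return len(pin) == 4 and 1900 <= int(pin) <= 2019


def looks_like_date(pin):
    """True for a four-digit PIN that parses as MMDD or DDMM."""
    if len(pin) != 4:
        return False
    first, second = int(pin[:2]), int(pin[2:])
    mmdd = 1 <= first <= 12 and 1 <= second <= 31
    ddmm = 1 <= first <= 31 and 1 <= second <= 12
    return mmdd or ddmm


def classify_pin(pin):
    """Return the weakness labels that apply to pin; an empty list means none found."""
    if not pin.isdigit() or len(pin) < 4:
        raise ValueError("PIN must be at least four decimal digits")
    reasons = []
    if len(set(pin)) == 1:
        reasons.append("repeated-digit")      # 0000, 1111, 9999
    if is_sequential(pin):
        reasons.append("sequential")          # 1234, 4321, 123456789
    if is_couplet(pin):
        reasons.append("couplet")             # 1212, 6969
    if looks_like_year(pin):
        reasons.append("year")                # 19xx, 2000, 2001
    if looks_like_date(pin):
        reasons.append("date")                # MMDD or DDMM
    if pin in KEYPAD_SHAPES:
        reasons.append("keypad-shape")
    if pin in POP_CULTURE:
        reasons.append("pop-culture")
    if pin[0] in "01":
        reasons.append("leading-0-or-1")      # the post: most PINs start this way
    return reasons


if __name__ == "__main__":
    for candidate in ["1234", "2580", "1984", "6969", "3279", "123456789"]:
        print(candidate, classify_pin(candidate) or "no pattern found")
```

The "leading-0-or-1" label is deliberately a weak signal: a fifth of all PINs start that way, so on its own it should lower a score rather than reject outright, whereas any of the other labels marks a PIN the post's statistics put among the first guesses.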

PIN-pricks

The bad guys know these things. They don’t need high-speed analysis engines or intensive code-cracking software. They know the numbers and work the odds. As often as not, they can hack into an account– or your house or your medical files or your life– within moments.

Armed with only four possibilities, hackers can crack 20% of all PINs. Allow them no more than fifteen numbers, and they can tap the accounts of more than a quarter of card-holders.
PIN-ups
If you absolutely cannot remember little used numbers and carry a reminder, at least code the number in some way.
• Some take a cue from old-fashioned costing codes that used alphabet substitution for digits: I=1, J=2, K=3, …
• Roman numerals might be another idea, e.g., 2009=MMIX.
• One handy method is to subtract your PIN from 9999 and write that down. When you need your PIN, you simply subtract the code from 9999 again. (For those who know hexadecimal (base 16: 0-1-2-3-4-5-6-7-8-9-A-B-C-D-E-F), this geeky technique is even more effective: Where F is 15, subtract your PIN from FFFF, e.g., 9531=6ACE. I used this method to label keys in an apartment complex: 1422B=EBDD4.)

Your job– you should choose to accept it– is to make breaking into your account as difficult as possible, not that institutions tell you what you really need to know: Their usual advice is to cover ATM and store keypads with your hand. Don’t tell anyone your PIN. Don’t write it on a stick-em and carry it in your billfold.

But you can do a lot more than that: Make your number as difficult to guess as possible.

PIN-wheel

So what numbers are rarely used? Generally, the higher the first digit, the less common the password. Of the ten least used PINs, four start with 8, two with 9, and two with 6. Just don’t blow your efforts with 8888 or 8000, or 9999 or 9000.

Tip: Sure, you want a number you can remember. Toward that end, I suggest picking an easy four-letter word (or a word with the same number of letters as the number of PIN digits) you can remember, say ‘easy’ itself. Look at E-A-S-Y on a telephone keypad and you’ll see the letters correspond to 3279, which breaks the most obvious patterns. Reverse the digits if you like to make the combination harder. If your ATM doesn't show letters, then open your cell phone.
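The "subtract from 9999 (or FFFF)" reminder trick from the PIN-ups list and the E-A-S-Y keypad tip just above, as one added example that is not the post's own code. complement() replaces each digit with its distance from 9 (or from F in hexadecimal), so applying it a second time recovers the PIN; keypad_digits() uses the standard telephone keypad lettering (ABC on 2 through WXYZ on 9), which is an assumption about the reader's phone.

```python
"""Two ways to carry a PIN reminder that is not the PIN itself.

Added example, not the post's own code.  complement() is the post's
"subtract from 9999 / FFFF" trick; keypad_digits() is its "E-A-S-Y -> 3279" tip.
The keypad letter layout (ABC on 2 ... WXYZ on 9) is assumed to match the phone.
"""

HEX_DIGITS = "0123456789ABCDEF"

# Standard telephone keypad letters (assumed layout).
KEYPAD = {"2": "ABC", "3": "DEF", "4": "GHI", "5": "JKL",
          "6": "MNO", "7": "PQRS", "8": "TUV", "9": "WXYZ"}
LETTER_TO_DIGIT = {letter: digit
                   for digit, letters in KEYPAD.items() for letter in letters}


def complement(code, base=10):
    """Replace every digit d with (base - 1) - d, i.e. subtract from 9999.. or FFFF..

    The operation is its own inverse, so the same call decodes the written-down note.
    """
    if base not in (10, 16):
        raise ValueError("base must be 10 or 16")
    alphabet = HEX_DIGITS[:base]
    out = []
    for ch in code.upper():
        if ch not in alphabet:
            raise ValueError("digit %r is not valid in base %d" % (ch, base))
        out.append(alphabet[base - 1 - alphabet.index(ch)])
    return "".join(out)


def keypad_digits(word):
    """Map a word to the digits under its letters on a phone keypad ('easy' -> '3279')."""
    try:
        return "".join(LETTER_TO_DIGIT[ch] for ch in word.upper())
    except KeyError as exc:
        raise ValueError("no keypad digit for letter %s" % exc) from None


def reminder_roundtrip(pin, base=10):
    """Encode a PIN for the wallet note and confirm that decoding returns the original."""
    note = complement(pin, base)
    return note, complement(note, base) == pin


if __name__ == "__main__":
    print(keypad_digits("easy"))           # 3279, as in the post
    print(reminder_roundtrip("3279"))      # ('6720', True)
    print(reminder_roundtrip("9531", 16))  # ('6ACE', True), the post's own example
```

The complement is a fixed, public transformation, so the note only defeats a casual glance; its value is that the PIN is never written in the clear, not that the note is unbreakable.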

PIN-points

In the following table* of the twenty most used numbers, it becomes painfully obvious any baddie who’s learned only the first four or five most popular numbers can suck the money out of one in five ATM accounts. With a crib sheet of these twenty numbers, he can boost his takings to 27%.

Most Common PIN Numbers

Rank   PIN    Freq. (%)
   1   1234   10.713
   2   1111    6.016
   3   0000    1.881
   4   1212    1.197
   5   7777    0.745
   6   1004    0.616
   7   2000    0.613
   8   4444    0.526
   9   2222    0.516
  10   6969    0.512
  11   9999    0.451
  12   3333    0.419
  13   5555    0.395
  14   6666    0.391
  15   1122    0.366
  16   1313    0.304
  17   8888    0.303
  18   4321    0.293
  19   2001    0.290
  20   1010    0.285

Least Common PIN Numbers

 Rank   PIN    Freq. (%)
 9981   9047   0.001161
 9982   8438   0.001161
 9983   0439   0.001161
 9984   9539   0.001161
 9985   8196   0.001131
 9986   7063   0.001131
 9987   6093   0.001131
 9988   6827   0.001101
 9989   7394   0.001101
 9990   0859   0.001072
 9991   8957   0.001042
 9992   9480   0.001042
 9993   6793   0.001012
 9994   8398   0.000982
 9995   0738   0.000982
 9996   7637   0.000953
 9997   6835   0.000953
 9998   9629   0.000953
 9999   8093   0.000893
10000   8068   0.000744

* Credit for this table and the heat maps goes to math mensch and privacy professional, Nick Berry.
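To put figures on the PIN-points claim, the following added Python (not the post's or Nick Berry's code) sums the post's own table to give the share of accounts an attacker reaches within a fixed number of guesses, compares that with the uniform case, and shows how much exposure a short blacklist of the commonest PINs removes. The only data are the twenty frequencies copied from the table; the assumption that customers refused a blacklisted PIN choose one outside the top twenty is made for illustration and labelled in the code.

```python
"""Share of accounts reached by guessing the most common PINs, from the post's table.

Added example; not the post's or Nick Berry's code.  TOP_20 copies the twenty
rows of the "Most Common PIN Numbers" table.  The `blocked` parameter assumes
that customers refused a blocked PIN pick one outside the top twenty (an
assumption made for illustration, not a fact from the post).
"""

TOP_20 = [  # (PIN, percent of accounts), copied from the post's table
    ("1234", 10.713), ("1111", 6.016), ("0000", 1.881), ("1212", 1.197),
    ("7777", 0.745), ("1004", 0.616), ("2000", 0.613), ("4444", 0.526),
    ("2222", 0.516), ("6969", 0.512), ("9999", 0.451), ("3333", 0.419),
    ("5555", 0.395), ("6666", 0.391), ("1122", 0.366), ("1313", 0.304),
    ("8888", 0.303), ("4321", 0.293), ("2001", 0.290), ("1010", 0.285),
]


def coverage_pct(attempts, blocked=frozenset()):
    """Percent of accounts opened by `attempts` guesses taken from the table in
    rank order, skipping any PIN the institution no longer allows."""
    allowed = [freq for pin, freq in TOP_20 if pin not in blocked]
    if not 0 <= attempts <= len(allowed):
        raise ValueError("attempts must be between 0 and %d" % len(allowed))
    return round(sum(allowed[:attempts]), 3)


def uniform_pct(attempts, digits=4):
    """The same figure if every PIN were equally likely: attempts / 10**digits."""
    return 100.0 * attempts / 10 ** digits


def lockout_report(attempts, blocked=frozenset()):
    """How much a lockout after `attempts` wrong tries actually limits exposure."""
    observed = coverage_pct(attempts, blocked)
    uniform = uniform_pct(attempts)
    return {
        "attempts": attempts,
        "observed_pct": observed,
        "uniform_pct": uniform,
        "times_worse_than_uniform": round(observed / uniform, 1),
    }


if __name__ == "__main__":
    print(lockout_report(3))       # about 18.6 % with a 3-try lockout, vs 0.03 % uniform
    print(lockout_report(3, blocked={"1234", "1111", "0000", "1212", "7777"}))
    print(coverage_pct(20))        # about 26.8 %, the post's "27%"
```

The report is the defender's version of the post's arithmetic: a three-strikes lockout, which sounds strict, still leaves almost a fifth of accounts open to someone who simply tries the first three rows, while refusing just the top five PINs at enrolment drops that same three-guess reach below two percent under the stated assumption.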

PIN-out

Now go forth and protect thy accounts. And drop me a line if you use these clues in your own stories.