Murphy's Law: Finding Another Fist


August 21, 2020: Hackers, telegraph operators and UAV users all have one important thing in common: a DOP (Distinct Operating Pattern). The latest DOP to be discovered and applied in a practical way uses an app that tracks the movement of a UAV and within a short period (way before the quadcopter battery runs low and forces it to land) deduces the location of the operator. The AI (artificial intelligence) drone-tracking algorithm needs a 3-D map of the area where UAVs will be tracked. The AI is a GRU (Gated Recurrent Unit) neural network that studies movements in space and time and is able to track the movements of the quadcopter back to its origin (launch point) with over 80 percent accuracy. That accuracy improves the more the algorithm is used, as the algorithm modifies itself. That’s what a neural network does; it trains itself or, in other words, learns. Because of this learning ability the drone-tracking software will continue to become more capable the more it is used. One of the items it will eventually learn is individual operating styles.

This sort of thing (DOP) is nothing new. The technique was discovered in the mid-1800s by accident. In the early days of the telegraph, experienced operators found that they could tell who was on the other end of a telegraph line by the rhythm of how the telegraph key was hit. This was called the operator’s “fist.” When computers came along it was possible to automate that particular intelligence gathering task. For example, each user has a distinct typing pattern and rhythm that produces an identifiable “fist.” This led to several more ways to obtain information based on keyboard use, as well as to identifying people by their pattern of actions when using their computer.

In 2008 another example was discovered. This one was based on the sound made when a user strikes a key on a computer keyboard, which made it possible to determine what was being typed. Collect enough of these key noises, and based on what language the typist was using (all languages have a certain frequency of letter use), you can quickly decode those key noises and figure out what is being typed. This sort of predictive analysis is nothing new in Cyber War. This works for email or IMs (Instant Messaging). You can also positively identify different email users by analyzing their text. That same technique is used to crack secret codes. One of the oldest (by several decades) of these computer eavesdropping techniques is the ability, using fairly simple equipment, to pick up the small electronic signals your keyboard makes every time a key is hit and analyze those to figure out what is being typed.

Most of these techniques, however, assume you can get pretty close to the keyboard in question. Electronic signals from keyboards are kept from going far by modifying keyboards. These are the American “Tempest” grade keyboards, often required when you are doing classified work. Getting a recording device near a keyboard may also prove difficult. While the spies keep coming with great new tools, you still have to be at the right place at the right time to make it all work.

Researchers have found yet another way to eavesdrop on a computer user. A dot-matrix printer, still used to print multi-part forms, gives out distinct sounds as each letter is formed, and computer software has been developed to read the sounds with a high degree of accuracy. Background noises can be screened out. This is one of several techniques developed since the 1990s that allows useful information to be extracted from seemingly meaningless sounds. Intelligence agencies are always working to increase the number of tools they have to make sense out of seeming nonsense.

Another recent DOP development enabled individual computer hackers to be identified. That’s because hackers are finding the more recent high-end (expensive to install and maintain) network security systems more complex, unpredictable and difficult to penetrate. For example, it is increasingly common to encounter systems that not only demand complex and multiple user identification but also limit any access to a known list of “trusted” users and have different access limits for each of these users based on their jobs and past activities while on the system.

All this is in addition to the growing complexity of “intrusion detection” systems. This special software is not just about detecting hackers as they try to get in but also about continuing to check, using a constant infusion of new information and routines, for hackers who have sneaked in and are wandering around inside the network using IDs stolen from legitimate users. One of the most successful of these new monitoring methods is to continually monitor everyone who is an authorized user and create a unique user profile of how they normally behave when logged in. This is very difficult for hackers to deal with because stealing someone else’s ID and password is one thing, but knowing the other person’s normal behavior patterns is extremely difficult. The most likely response to this defense will be hackers attempting to find ways to disable the user profiling system right away. Even this is dangerous because the more advanced systems allow the profiling system to be partially, but not completely, disabled for maintenance, and even maintenance personnel have profiles of how they operate. The practice of installing user profiling systems makes intrusion more of a challenge, often to the point where most professional hackers will not deal with it unless the payoff is huge or someone (like gangsters or the secret police) has forced them to go after these new defenses.
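
A minimal sketch of the user-profiling idea described above, added here as an illustration and not taken from any product the article refers to. The session format, action names, scoring model and threshold are all assumptions: each account gets a baseline built from its past sessions, and a new session is scored by how surprising its login hour and actions are against that baseline.

```python
import math
from collections import Counter
from statistics import mean, pstdev

# Constructed history for one account: (login hour, actions seen in the session).
HISTORY = [
    (9,  ["mail", "crm:view", "crm:edit", "wiki"]),
    (9,  ["mail", "crm:view", "wiki"]),
    (10, ["mail", "crm:view", "crm:edit"]),
    (8,  ["mail", "crm:view", "crm:export", "wiki"]),
    (9,  ["mail", "crm:view", "crm:edit", "wiki"]),
    (10, ["mail", "wiki", "crm:view"]),
]

class Profile:
    """Baseline of one user's normal sessions (hypothetical model, assumed here)."""

    def __init__(self, sessions, k=3.0):
        self.n = len(sessions)
        self.hours = [h for h, _ in sessions]
        # Number of past sessions in which each action appeared at least once.
        self.seen = Counter(a for _, acts in sessions for a in set(acts))
        base = [self.score(s) for s in sessions]
        # Alert when a session is k standard deviations more surprising than usual.
        self.threshold = mean(base) + k * pstdev(base)

    def _bits(self, count):
        # Surprisal in bits with add-one smoothing, so unseen behaviour stays finite.
        return -math.log2((count + 1) / (self.n + 2))

    def score(self, session):
        hour, actions = session
        # Hours wrap around midnight; count past logins within one hour of this one.
        near = sum(1 for h in self.hours if min((h - hour) % 24, (hour - h) % 24) <= 1)
        acts = set(actions)
        act_bits = mean(self._bits(self.seen[a]) for a in acts) if acts else 0.0
        return self._bits(near) + act_bits

    def is_anomalous(self, session):
        return self.score(session) > self.threshold

profile = Profile(HISTORY)
usual = (9, ["mail", "crm:view", "wiki"])
# Constructed session: valid credentials, but an odd hour and unfamiliar actions.
odd = (3, ["crm:view", "crm:export", "admin:users", "db:dump"])
for name, s in (("usual", usual), ("odd", odd)):
    print(name, round(profile.score(s), 2), profile.is_anomalous(s))
```

The login succeeds in both cases; only the comparison against the account's own history separates them, which is why a stolen ID and password alone do not get past this kind of monitoring.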

It is possible to deceive all these DOP methods. Hackers can automate phony “fists” and similar deceptions. It is also possible to detect those deception methods. There is still the problem that when hackers sneak into a network, they do not behave like the people who belong there. It’s a never-ending competition where the side with the best algorithms and databases usually wins.