Are you a Person of Interest ?

Of course, as an individual, you’re an interesting person. But are you a Person of Interest? By that I mean, are you a person that it is individually interesting to hack, or are you just a person who is immersed in the mass of data that the hacker has targeted? With the confinement and the video binge, the opportunity is too strong to make discover some TV series to neophytes, and to debate with them on all the questions they open. After having made discover series like Person of Interest (for mass surveillance and hacking), but also Mr. Robot (for hacking), we have a lot to do, and especially to question ourselves. So, are you a Person of Interest?

Mass surveillance in China

In the last episode of…

A short summary of these series that launched the debate, and thus this article, may be useful (thanks to Wikipedia).

Person of Interest centers on a mysterious reclusive billionaire computer programmer named Harold Finch, who develops a computer program for the federal government known as “The Machine” that is capable of collating all sources of information to predict terrorist acts and identify people planning them. The Machine also identifies perpetrators and victims of other premeditated deadly crimes, but, because the government considers these “irrelevant”, he programs the Machine to delete this information each night. Anticipating abuse of his creation, Finch created a backdoor into the Machine. Tormented by the “irrelevant” deaths that might have been prevented, he eventually decides to use his backdoor to act covertly. To escape detection, he directs the Machine to provide only a tiny fragment of data: the social security number of a “person of interest”. The person may be a victim, a perpetrator, or an innocent bystander caught up in lethal events. The first episode shows how Finch recruited John Reese, a former Green Beret and CIA agent now presumed dead, to investigate the number provided by the Machine and act accordingly. As time passes, others join the team. From the beginning, the program raises an array of moral issues, from questions of privacy and “the greater good” to the idea of justifiable homicide to problems caused by working with limited information.

Mr. Robot follows Elliot Alderson, a young man living in New York City, who works at the cyber security company Allsafe as a cybersecurity engineer. Constantly struggling with social anxiety, dissociative identity disorder and clinical depression, Elliot’s thought process seems heavily influenced by paranoia and delusion. He connects to people by hacking them, which often leads him to act as a cyber-vigilante. He is recruited by a mysterious insurrectionary anarchist known as Mr. Robot and joins his team of hacktivists known as fsociety (namely “F*ck Society”). One of their missions is to cancel all consumer debt by destroying the data of one of the largest corporations in the world, E Corp (which Elliot perceives as Evil Corp), which also happens to be Allsafe’s biggest client.

Let’s not forget The Bureau, and in particular its latest season, which puts a little more emphasis on hacking.

Ok, that I’ve turned paranoid…

Personally, I’ve grown very fond of these shows. Not so much for the technical aspect (far too romanticized on Person if Interest, and a few too many mistakes on Mr. Robot), but for the questions they always raise. A good way to awaken the paranoid or conspiratorial in you.

The first question to be generally stated is:

But is there such a thing as mass surveillance?

There, you just have to call back quickly, for example:

• China, and its mass surveillance system, as well as its capitalist drift with a point system…
• the various revelations of Edward Snowden
• mass surveillance in Russia

You’re being watched

We are talking about everything that is state-owned, but we should not forget private interests:

• the massive use of cookies to track users through their internet browsing
• social authentications
• coverage of major groups: Google (with Android, Nest, GCP, …), Amazon (with AWS, Amazon Prime Video, Amazon Prime Photo, Amazon Prime Music, Alexa, …), Apple (with iPhone, iMac, iCloud, Siri, …), Facebook (with WhatsApp, Oculus VR, Giphy, Atlas - an advertising agency -, …)

And scandals related to the (mis)use of your personal data by all these organisations regularly make the headlines.

You shall not pass

The second question is in general:

But how easy is it to hack me, whether it’s my phone, my computer, or even my online banking account?

You shall not pass!

I like to answer this question in such a way as to make sure you are totally paranoid: excessively easy. Well, I admit, that kind of answer often makes me lose a part of the audience that is already between throwing the phone and the computer into the fire. But, for those who remain open, we can dig up the why.

If you have finished building your Faraday cage at the foot of the Green Bank Telescope, we can continue with my explanation.

The first answer to be given concerns the means. For those that do (see the second answer), companies spend astronomical budgets to guarantee the security of information systems. However, the result is not “is the door locked properly”, but “how long will the lock hold”. As with your armoured door. The real goal is not to prevent access, but to slow down the attacker enough so that you are warned and can take action. And very often these companies fail: just read the various daily announcements about massive data theft. So if, with their means, these companies fail, how can you be perfectly impervious?

The second answer concerns responsibility. So we know that your means are limited: you don’t necessarily have the knowledge or the support to do it. All too often, security measures are so restrictive for normal use that users end up competing with each other in ingenuity to circumvent them, and thus make them useless. Under these conditions, it is therefore incumbent on those who provide you with these services to guarantee their security, but also their confidentiality. This is the purpose of, for example, the GDPR in Europe, or the CCPA in California. In the same way, they must provide you with simple (and motivating) ways to make use of any security that you may be entrusted with.

It’s time now

But are they all effective? What can you do? The answer varies greatly from one solution to the next, but when I hear some people take pride in having “secured” their iPhone with FaceID, I can only recall an old episode of Columbo, where the assassin’s accomplice was driving around in a car, carrying a picture of the assassin to fool the cameras. Of course, not everyone is Columbo, but what about that young boy who manages to unlock his mother’s phone with his own face?

Columbo’s mask

The first rule is to review your PIN codes and passwords:

• finish your son’s date of birth
• no more 4-digit code
• no more using your children’s names as passwords
• no more using the same code or password everywhere

So yes, it can quickly become very complicated to have an ultra-complex password (a number, a special character, a lowercase, an uppercase, a hieroglyph, an emoticon, and especially in the right order in relation to what you ask the site or application.

But it doesn’t matter: you still have your post-its and your notebook… … … Did you hear me yelling there?

If you have an excellent memory and like mental gymnastics, you still can:

• remember a page from your favorite religious book, and use it as a password with all the punctuation that goes with it *
• or define a “dynamic” password: a fixed password base, that you specifically and logically complete/modify for each site.
• put all the important dates in your life in a row

Except that you will always have sites or applications for which this will not fit, and you will have to find an exception… and how to memorize it.

Some users are more perverse: they lie about anything at every use and as soon as the system asks them for a password again, they follow the lost password procedure. It’s almost effective, but it’s tiring.

Others will rely on password portfolio solutions (Dashlane, 1Password, …). Why not! But we come back to the above mentioned aspects on responsibilities and their obligations. On your side, this can clearly simplify your life: there is only one password to memorize, and you can make it as complex as you want! But there is one important point to remember: they can sometimes send you a temporary code to your main e-mail address to make sure that it is you who is trying to access the wallet, so remember the password as well. That’s only two, but still.

But a password, it’s crackable. So it may take time, but since there is no such thing as zero risk, … It has to be reduced. That’s what the different techniques of [MFA] (https://en.wikipedia.org/wiki/Multi-factor_authentication) are all about:

The use of multiple authentication factors to prove one’s identity is based on the premise that an unauthorized actor is unlikely to be able to supply the factors required for access. If, in an authentication attempt, at least one of the components is missing or supplied incorrectly, the user’s identity is not established with sufficient certainty and access to the asset (e.g., a building, or data) being protected by multi-factor authentication then remains blocked. The authentication factors of a multi-factor authentication scheme may include:

• Something you have - some physical object in the possession of the user, such as a USB stick with a secret token, a bank card, a key, etc.
• Something you know - certain knowledge only known to the user, such as a password, PIN, TAN, etc.
• Something you are - some physical characteristic of the user (biometrics), such as a fingerprint, eye iris, voice, typing speed, pattern in key press intervals, etc.
• Somewhere you are - some connection to a specific computing network or utilizing a GPS signal to identify the location.

The applications listed above can help you with this, for example.

Okay, great, so you can “secure” access to your tools within certain limits. But what about your devices (computers, phone, …)? They are just as vunerable. Coming back to our friends Harold and Elliot, you too often leave open access to your phones: Wifi, Bluetooth, NFC, … So start by disabling them whenever possible. In the case of Bluetooth, some software versions allow to have it active (so that it connects elsewhere) but without “publishing” it. Same for the Wifi in your home.

Then, a good antivirus is always useful. A paying one is better. It’s stupid to say but, the advanced functions above are very useful but paying. You could always multiply the free applications that each brings a part of these functions … But this can become counterproductive in terms of security, but also in terms of performance. We then come back to the constraints that you would try to bypass.

Yes, but me I’m under Mac OS, and there’s no virus or anything like that!

Objection!

Just last week, I was able to demonstrate just by installing an antivirus on a friend’s Mac that it was a nice marketing illusion that had served its time.

Yes, but when I’m on the net, I surf via a VPN

Well, beyond the question of trust in this VPN service, a VPN is still a tunnel. Have you ever seen a road tunnel preventing a pedestrian from entering it in the opposite direction of the cars? It’s bullshit without a no, but it’s possible. So your VPN, apart from getting you to the other side of the mountain, has little use in that. And when I see the TV commercials of some people promising you privacy on the internet, I can’t help but giggle…

Am I safe?

It depends. We can finally get back to the original subject: are you a Person of Interest?

You have now done a lot for your security: you have cut useless accesses, you don’t use Social Logins anymore, you have made your passwords more complex, you abuse MFAs, … It’s not bad. So you still have the sites and applications you use. Remember, you got out of your Faraday cage to come back on the internet to read the rest of this article. You are therefore connected to third parties.

I remember last year, a friend of mine was worried because he had received an email “sent by himself” (remind me to tell you about Sender Forgery and Spoofing), threatening him to “divulge he knows exactly what was found on his hard drive” unless he paid a Bitcoin ransom. So for one, this famous friend is a bit paranoid and only uses LiveUSB. And two, he doesn’t store anything because he’s unable to find anything (which can be funny in private life). Anyway, the question was: why was he targeted?

Well, he wasn’t actually targeted. His email was simply found in a database that was hacked, and the vile offenders decided to send emails to all known addresses found in it. After all, they would find at least one person “who knows very well what was lying around on his hard drive” and who would pay his ransom without flinching.

However, there is no stolen confidential data here, nor any real ransom. This is just an attempt at a mass con.

But the point is interesting. This reminds me of the episode Shut Up and Dance of Black Mirror. That pretty much sums it up. If we hack you specifically, knowing you for real, there’s an interest. But this is still extremely exceptional, and no, your personal savings do not interest us. Either you’re doing something illegal, and that interests the authorities or the avengers. Either you actually have money (we are talking in billions). Or finally, you have access to interesting information (business, strategy, … always for values in billions).

But, again, this is an exception. The general rule is that you are just drowning in the mass of information hacked from vulnerable sites/tools. There are various ways to see if this is possible: the portfolios mentioned above, but also a well provisioned website: Have I been pwned?.

My soul of great paranoid romantic prefers to stay on the idea that I am a Person of Interest, and that the Machine is watching me. And you, are you a person of interest?

PS: remember: You’re being watched.