February 15, 2013: Defending against hackers has always been difficult, especially since these intruders strive to remain undetected for as long as possible once they have gotten in. This gave rise to the field of “intrusion detection”. This included not just detecting hackers as they tried to get in but also developing methods to detect hackers who had sneaked in and were wandering around inside the network like legitimate users. The most successful method here is to check everyone connected to a system and have their actions monitored and profiled. Hackers are not going to behave like normal users. The most likely response to this defense will be hackers attempting to find ways to disable the user profiling system right away. If nothing else the user profiling makes intrusion more of a challenge.

User profiling is nothing new. The technique was discovered over 150 years ago by accident. In the early days of the telegraph, experienced operators found that they could tell who was on the other end of a telegraph line by the rhythm of how the telegraph key was hit. This was called the operators “fist.” When computers came along, it was possible to automate that particular intelligence gathering task. For example each user has a distinct typing pattern and rhythm produces an identifiable “fist.” This led to several more ways to obtain information based on the keyboard use as well as identifying people by their pattern of actions when using their computer.

For example, five years ago, a technique, based on the sound that is made when a user strikes a key on a computer keyboard, enabled you to determine what was being typed. Collect enough of these key noises, and based on what language the typist was using (all languages have a certain frequency of letter use), you can quickly “decode” those key noises and figure out what is being typed. This sort of predictive analysis is nothing new in Cyber War. This works for email or IMs (Instant Messaging). You can also positively identify different email users by analyzing their text. That same technique is used to crack secret codes. One of the oldest (by several decades) of these computer eavesdropping techniques is the ability, using fairly simple equipment, to pick up the small electronic signals your keyboard makes every time a key is hit and analyze those to figure out what is being typed.

Most of these techniques, however, assume you can get pretty close to the keyboard in question. Electronic signals from keyboards are kept from going far by modifying keyboards. These are the U.S. “Tempest” grade keyboards, often required when you are doing classified work. Getting a recording device near a keyboard may also prove difficult. So while the spies keep coming with great new tools, you still have to be at the right place at the right time to make it all work.

Researchers have found yet another way to eavesdrop on a computer user. A dot-matrix printer, still used to print multi part forms, gives out distinct sounds as each letter is formed, and computer software has been developed to "read" the sounds with a high degree of accuracy. Background noises can be screened out. This is one of several techniques developed in the last decade that allows useful information to be extracted from seemingly meaningless sounds. Intelligence agencies are always working to increase the number of tools they have to make sense out of seeming nonsense.

All this sort of work is now being used to improve intrusion detection. Hackers can automate phony “fists” and similar deceptions but there is still the problem that when hackers sneak into a network they do not behave like the people who belong there.