Cyber Security

Luke Hally

CIA’s pedal power

September 24, 2021

I’ve had a couple of opportunities to apply what I have learnt in the real world this week.

Estimating Attacker Power

This degree has affected my TV habits, seeing me gravitate towards security and detective-related genres, which I do enjoy; I’m just making time to watch them. So this week I started watching the Jack Ryan series on Amazon Prime. Episode 2 caught my attention. Not strictly the real world, but I did the thinking and calculations in the real world. The CIA have an enemy’s mobile phone with an 8-digit PIN. I did some quick maths as I watched: 10^8 = 100 million. Hmm, a standard computer running at 3.2 GHz, let’s assume 1000 steps per instruction. That’s 3.2 million attempts per second, so around 30 seconds to crack. That doesn’t seem too long to me. OK, on with the show. The plot progressed, with the protagonist explaining that it is too hard to crack because it is ten to the power of eight, that’s 100 million combinations! NOTE: it has been established that they have computers on hand to do the work.

I jumped on https://howsecureismypassword.net and tried a variety of 8-digit passcodes; the results ranged from immediately to 2 milliseconds.

So I decided to have a closer look. First I converted 10^8 to bits: log2(10^8) ≈ 27, so 27 bits. Having previously worked out that a fairly standard laptop can process 51 bits a day, I worked out it would take 5.2 milliseconds to crack this ((2^27/2^51)*24*60*60). There were mitigating circumstances (the phone would wipe after 10 incorrect attempts), but the time taken to brute force was not the roadblock it was illustrated to be. Maybe Jack Ryan is powering the CIA’s computers with the push bike he rides.

If I use my estimate for a state-sponsored organisation (NSA etc), that will bring the time to crack down to 5 nanoseconds. But, as my son says, it wouldn’t be as interesting if they did that!
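The two views of this PIN side by side, as an added example that is not part of the original post: the time to try every candidate with unlimited attempts, and the chance of success when the phone wipes after 10 wrong guesses. The 51 bits per day and the 10-attempt wipe come from the post; the function names are hypothetical and the PIN is assumed to be chosen uniformly at random.

```python
import math

SECONDS_PER_DAY = 24 * 60 * 60

def keyspace_bits(candidates: int) -> float:
    """Keyspace size in bits: log2 of the number of possible secrets."""
    return math.log2(candidates)

def exhaust_seconds(candidates: float, bits_per_day: float) -> float:
    """Worst-case time to try every candidate with unlimited attempts,
    for an attacker who makes 2**bits_per_day guesses per day."""
    return candidates / 2 ** bits_per_day * SECONDS_PER_DAY

def capped_success(candidates: int, max_attempts: int) -> float:
    """Chance of guessing a uniformly random secret before a device that
    wipes after max_attempts wrong guesses destroys the data."""
    return min(max_attempts, candidates) / candidates

def compare(digits: int, bits_per_day: float = 51, max_attempts: int = 10) -> dict:
    """Both views of one numeric PIN: unlimited guessing vs. wipe-limited."""
    candidates = 10 ** digits
    return {
        "digits": digits,
        "bits": keyspace_bits(candidates),
        "exhaust_s": exhaust_seconds(candidates, bits_per_day),
        "p_capped": capped_success(candidates, max_attempts),
    }

if __name__ == "__main__":
    # The post rounds log2(10^8) = 26.58 up to 27 bits, giving about 5.15 ms;
    # the exact 10^8 keyspace gives about 3.84 ms at the same 51 bits/day.
    print(f"rounded: {exhaust_seconds(2 ** 27, 51) * 1e3:.2f} ms")
    for d in (4, 6, 8):
        r = compare(d)
        print(f"{r['digits']} digits  {r['bits']:5.2f} bits  "
              f"exhaust {r['exhaust_s']:.2e} s  "
              f"P(success in 10 tries) {r['p_capped']:.0e}")
```

With the wipe in place, an 8-digit PIN gives a one in ten million chance of success, which is why the attempt limit rather than the keyspace size is the control doing the work.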

Earthquake

We had an earthquake in Victoria this week. We were fine and I don’t want to over-dramatise it, but there was an unknown risk for a short period, and these can quickly become a dangerous situation. Our house is an old wooden weatherboard house and it shook quite noticeably. Each week for my course, we undertake a case study in our tutor group. Fortunately, last week we did an earthquake response case study. Knowing that a major cause of injuries is people not evacuating quickly, I did the following:

  • Assessed the outside risk: had a truck had a collision on our street, causing the house to shake? No visible or audible risks outside.
  • Ordered an evacuation: told my wife to get out the front with our son.
  • I had an inside risk to assess before I followed. The washing machine was on; it is big and old and likes to go off balance at times. I didn’t think an off-balance washing machine was shaking the house, but what if a floorboard had broken and it was resting on a joist while spinning? Washing machine was fine.
  • I followed outside.
  • I did some recon with the neighbours to make sure it wasn’t just our house about to fall into a sinkhole. They verified a similar experience, as did social media shortly afterwards.
  • After things settled down, I undertook a visual inspection. We have plaster ceiling decorations and cornices, so I figured these would give a good indication of damage. All clear.

Outcomes

  • I was surprised at the impact this course has had on my approach to security and risk in a potentially dangerous situation. I was thinking ahead of my current situation and considering risks to us in our ‘next step’, not just now.
  • We now have a family evacuation plan.
  • I was very surprised at the ‘tolerance’ and flexibility of the wood in the old house. It shook quite a lot, but this appears to have absorbed/dissipated the energy. We have a lot of travel mementos around the house, paintings on walls and knick-knacks on mantels etc. Lots of books. We had a few books fall off a bookshelf and that was it. Flexibility and tolerance are important aspects of design in many structures and systems, it would seem.
