Monday, January 27, 2014

Password management for crime analysts

For law enforcement agencies, the threat of unauthorized access to records management systems, criminal intelligence databases or other systems containing sensitive information is very real. Law enforcement systems are a very juicy target for hackers with a malicious intent. One of the ways these systems are protected from unauthorized access is through requiring passwords to log in to these systems.

With the growth of online services, we’ve all had an increase in the number of passwords that we need to keep up with. As a crime analyst, I have ended up with a staggering number of passwords to manage. Nearly every application or source of information I use is protected by a password. If this weren’t enough, in order to maintain compliance with the FBI’s Criminal Justice Information Services (CJIS) rules, most of these systems require that passwords be changed on a regular basis and meet certain criteria for complexity. Because of this proliferation of password-protected systems, it becomes nearly impossible to remember all these complex passwords.

First, I want to discuss some password management practices that are critical to maintaining the security of these systems. These recommendations are based on a piece by computer security expert Bruce Schneier.

  • Don’t use simple or dictionary words for your password. Hackers have created tools that use word lists to try and guess passwords. Many of these tools use dictionaries in several languages as well as lists of passwords stolen from previously compromised sites. Some of these word lists contain millions of possible passwords.
  • Don’t use passwords based on easily guessed personal information such as your children’s names, pet names, etc. 
  • Don’t reuse passwords. If your password is compromised on one site, then the unauthorized user will often try these credentials on other sites you use. If you reuse passwords, you’ve just given them the keys to the kingdom.
  • Make your passwords more complex by using more than just letters and numbers. Use special characters too and don’t repeat characters. Use the longest password the application will allow. Every additional character in a password increases the time and computing power needed to crack it. 
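
An added example, not part of the original post: a small Python audit that applies the rules in the list above to a candidate password and estimates how the brute-force search space grows with length. The word list, personal-information terms, in-use password set and the 12-character minimum are constructed assumptions for illustration.

```python
import math
import string

# Constructed sample data (assumptions for this example, not a real list).
WORDLIST = {"password", "letmein", "dragon", "sunshine", "qwerty"}
PERSONAL_INFO = {"rex", "emily", "killeen"}   # e.g. pet, child, home town
PASSWORDS_IN_USE = {"Tr0ub4dor&3"}            # already used on another system


def search_space_bits(password: str) -> float:
    """Upper bound on brute-force cost in bits: length * log2(alphabet size)."""
    alphabet = 0
    if any(c in string.ascii_lowercase for c in password):
        alphabet += 26
    if any(c in string.ascii_uppercase for c in password):
        alphabet += 26
    if any(c in string.digits for c in password):
        alphabet += 10
    if any(c in string.punctuation for c in password):
        alphabet += len(string.punctuation)
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def audit(password: str, min_length: int = 12) -> list[str]:
    """Return the rules from the list above that the password breaks."""
    problems = []
    lowered = password.lower()
    # Strip digits and symbols so "Dragon2014!" still matches "dragon".
    letters_only = "".join(c for c in lowered if c.isalpha())
    if lowered in WORDLIST or letters_only in WORDLIST:
        problems.append("dictionary word")
    if any(item in lowered for item in PERSONAL_INFO):
        problems.append("personal information")
    if password in PASSWORDS_IN_USE:
        problems.append("reused")
    classes = [string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation]
    if not all(any(c in cls for c in password) for cls in classes):
        problems.append("missing character class")
    if len(set(password)) != len(password):
        problems.append("repeated characters")
    if len(password) < min_length:   # assumed minimum, not a CJIS figure
        problems.append("too short")
    return problems


if __name__ == "__main__":
    for candidate in ("Dragon2014!", "Tr0ub4dor&3", "g7#Kp!2vXq&Lz9"):
        print(candidate, audit(candidate),
              f"{search_space_bits(candidate):.1f} bits")
```

The bit estimate is an upper bound that only holds for randomly chosen characters; a password flagged as a dictionary word falls to a word-list attack long before that bound matters.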

Probably the most important advice I can give you is to use a password manager to keep up with your passwords.

A password manager is an application used to securely create, store and manage a large number of logins and passwords. Many of them come with password generators that can create truly secure passwords. Others have features that can automatically enter these passwords into applications that use password logins. The real beauty in a password manager is that you just have to remember one password, the one that opens the password manager in order to keep up with hundreds of passwords. (Yes, I really have several hundred passwords to keep up with.) The password manager’s database is encrypted and if properly implemented can keep nearly anyone short of the NSA from obtaining the data contained therein.

There are a number of password managers out there. Two of my favorites are 1Password, a paid commercial application, and KeePass, a free, open source application.

1Password got its start as a Mac OSX application. Not long after, they also created an iOS application for iPhone and iPad. They just recently launched a Windows version. The strong suit for 1Password is that if your devices are part of the Apple ecosystem, they seamlessly work together. For instance, 1Password on my MacBook syncs the database to my iPhone and iPad. If I make changes or add a password/login on one device, it will be synced to the others. It also integrates with the OSX web browser Safari to save new logins/passwords as well as automatically offering to enter them into sites you visit.

Additionally, 1Password will store encrypted notes, credit card numbers, driver’s license info, software license keys and WiFi authentication information in its database as well. This makes it a great choice for storing all those sensitive bits of information you need to keep track of, but need to keep private.

My other favorite is KeePass. KeePass got its start as an open source project for Windows OS. Lots of creative people volunteered their time and skills to create KeePass. Since the programming code is open for anyone to look at, many security and programming experts have vetted the code to ensure that the encryption behind it is secure and does not contain any “backdoors” to allow people to break the encryption.

Additionally, KeePass comes in both an installed version and a version that will run completely off a USB drive. The USB version is also helpful for those whose network security policy prevents them from installing software on their work machine. The best part is that it’s free. Since my work machines are all Windows OS, I use KeePass to keep up with passwords on these machines. There are also compatible versions for smartphones and Linux machines as well as many other devices.

There are certainly other password managers out there. I’ve even known people to create an encrypted spreadsheet or other document to keep up with them. If you’re going to go that route though, make sure you know what you’re doing in implementing the encryption.

Here’s a couple of tips from my workflow that might help. One, back up your password database religiously. Also, keep it accessible on several devices; that way, if one device is unavailable, you can still get to your passwords. I keep a version on my workstation and a backup on a USB drive.

How do you manage your passwords?

Monday, January 20, 2014

Understanding UCR

When I was in the Navy I learned about something called Dead Reckoning navigation. This was the way that ships navigated before the days of GPS. The way it works is that if you start from a known point and you accurately record the direction, speed and time you travel you can navigate to any point on the globe. The first, and most important thing is starting from a known point.

In order to know where you are going, you have to know where you have been. 

Crime stats are a lot like this. In order to know if your agency’s crime suppression efforts are effective, you have to know where you started from. The FBI’s Uniform Crime Reports program or UCR is an important tool in collecting crime statistics from police agencies across the country. These crime statistics help you to know where your agency’s crime suppression efforts started from and where they are going.

First, a little background is in order. 

Way back in 1927 the International Association of Chiefs of Police (IACP) began work on a program to collect crime statistics from law enforcement agencies across the United States. In the early 1930’s this program was taken over by the US government and responsibility was given to the FBI to collect and analyze these crime statistics. Now, nearly every law enforcement agency in the United States reports crime data to the UCR program. 

There are a number of different types of crime data collected by the UCR program. Crimes are broken up into two broad categories: Part 1 crimes and Part 2 crimes. However, Part 1 data is the most commonly used crime data in the UCR program. The crimes counted as Part 1 crimes are:

  • Murder
  • Rape
  • Robbery
  • Aggravated Assault
  • Burglary
  • Larceny
  • Vehicle Theft
  • Arson

Murder, Rape, Robbery and Aggravated Assaults are further classified as Violent Crimes while the remainder of the list are classified as Non-Violent Crimes. Obviously these aren’t all types of crime but they are a pretty good representative sample.

So just what are these UCR stats good for?

Some people (often lazy journalists) think crime stats are to be used to pillory police chiefs. Others, usually small publishing companies, believe that UCR data is to be compiled into simplistic lists which are then used to declare a city as the “most dangerous” in a press release which also just happens to announce the release of their paid “report”. The latter example has gotten so common that the FBI’s UCR Program now issues prominent warnings on their UCR publications warning against the practice. These types of comparisons rarely take into account the differences in a community that can affect crime.

The prevalence of crime in a community has quite a number of factors such as population demographics, economic and education factors, residents’ historic attitudes about crime, funding and support of police, etc. Since no two cities are identical, it’s really not a valid assessment to compare UCR crime numbers directly. 

The real value in UCR stats goes back to my illustration about dead reckoning navigation: In order to know where you are going, you have to know where you have been. UCR crime stats allow an agency to track consistent metrics year to year to determine how their agency is doing in their mission of crime suppression. While it isn’t terribly useful to compare one jurisdiction’s UCR crime numbers to another, it is a valid technique to compare a jurisdiction’s performance to their numbers in previous years. 

It can also be helpful to look at other agencies around yours to see if they are seeing the same increases or decreases in crime categories. If burglary is up in your jurisdiction, has it also gone up in a neighboring community? If so, the problem may be more widespread than just your jurisdiction. This may point to the need for a collaborative effort between these two jurisdictions to develop a solution. You aren’t directly comparing your burglary numbers to theirs but are seeing if there are similarities in the trends at the two jurisdictions. 

It is also worth keeping this next point in mind about UCR crime stats or any type of performance measures. Don’t freak out if you have a bad month or year. Not to belabor the point with nautical illustrations but this may be helpful. 

When you steer a ship, there is what is called a compass repeater in the pilothouse that displays the direction or heading the ship is going. The helmsman will usually be given orders to steer a course of a specific direction. However, if you’ve ever used a compass you know that the needle will often move around a bit. It also takes some time for the ship’s rudder to have an effect on turning the ship. If the helmsman moves the wheel every time the compass needle bounces, or he doesn’t allow for the time it takes for the rudder to have an effect on the ship’s course, he’ll have a heck of a time steering the desired course. By the time the ship starts turning, the compass needle may have bounced around in another direction or he’ll have oversteered the ship as he kept adding rudder input trying to get the ship to respond. New helmsmen are often cautioned against “chasing the needle”.

Crime stats are like that too. If every time the crime numbers spike your agency changes course, you will never be effective. Instead the question to ask is: “Is this increase part of a larger trend or just an isolated incident?” If it is an isolated incident, the numbers will likely smooth out the next month. Police agencies, like big ships, take time to change direction, so don’t chase the needle.

UCR crime statistics aren’t the only performance measure an agency should use but they are probably one of the most important.

Monday, January 13, 2014

What makes a good BOLO?

One common task for crime analysts is the creation of BOLOs. BOLO is an acronym for Be On the LookOut and is a bulletin that may be distributed within an agency or to multiple law enforcement agencies. BOLOs are commonly used to highlight Wanted Persons, specific crimes or officer safety information. BOLOs usually contain sensitive law enforcement information and are not distributed to the public.

But what makes a good BOLO? In my 23 years in law enforcement I've seen some good BOLOs, some mediocre BOLOs and some that fall somewhere in between.

Before we get to the elements that make a good BOLO, it will probably be helpful to talk a little about what makes good design. A well designed publication is attractive and easy to read. It draws the eye to important details. But most importantly, good page design doesn’t get in the way of what you are trying to communicate.

About twenty years ago I read a slim but outstanding book The Non-Designer’s Design Book by Robin Williams. No, not Robin Williams the comedian but the designer and author. Her slim volume opened my eyes to what makes good page design. In her book she says there are four basic principles of page design. They are:

  • Contrast
  • Repetition
  • Alignment
  • Proximity

Contrast draws our eyes to the page by reducing monotonous elements. Think book chapter titles that use different fonts, thickness or colors from the page text. Repetition unifies design elements across multiple pages. Kind of like a logo or header that is on every page of a document. Alignment and proximity help to group like items together and connect the different groups to make one coherent document. 

Since I have been both a reader and producer of law enforcement BOLOs for quite some time, I have some thoughts on what else makes a good BOLO.

Make your BOLO visually appealing. Include a picture, map or other graphic to catch the reader’s attention. For a Wanted Person BOLO this is pretty easy, include a picture of your wanted person. If your BOLO is about a crime or crime series, a still from surveillance footage or crime scene photo will work. In an Officer Safety BOLO you can either use a suspect’s photo if the BOLO is about a person or a picture of the seized weapon or evidence. If all else fails and you have no other photos or graphics you can always fall back to a map of the area you’re talking about in your BOLO. 

It helps to learn some basic photo editing skills such as how to crop a photo to remove extraneous elements, or how to adjust brightness or contrast to make the photos or graphics look better. 

Keep your BOLOs to one page whenever possible. Keep in mind that your officers have limited room in their patrol cars and a whole lot of other crap to carry. Keeping a BOLO to a one pager makes it more likely that your officers are going to read it and keep it handy. They won’t read a novella length BOLO no matter how pretty it is. You may have to ruthlessly edit your BOLO to get it down to only the most essential facts to keep it to one page. To quote Sgt. Joe Friday: “Just the facts, ma’am.” This is perfectly OK because you’re going to include information on how they can contact you for more info.

Think about branding. This means that you include a patch or badge logo that readily identifies the BOLO as coming from your agency. This will help officers from other agencies recognize the origin of the BOLO. You also need to include your contact information. In addition to giving readers a person to contact for more info, this will also help you to establish a reputation as a resource for your agency as well as for other agencies. 

You also need to include a statement or disclaimer that indicates how or if this document can be redistributed or protected. I know that seems like a no-brainer but I’ve seen law enforcement sensitive bulletins with sensitive criminal intelligence information posted on public social media sites or even forwarded to the media. 

What software should you use to create BOLOs? I avoid using word processing applications such as Microsoft Word for BOLOs. Instead I use a page layout application like Microsoft Publisher. The reason is that a page layout application gives you much greater control on where you can place layout elements on a page than a word processing application. If you don’t have Publisher you can use an open source page layout application like Scribus. In a pinch you could use a drawing application like LibreOffice Draw. I’ve even seen folks with limited options use a presentation application like Microsoft PowerPoint. All of these types of applications will give you much greater control over the placement of page elements.

Lastly, if you distribute these files electronically, use a standard file format such as PDF. Nearly any computer, tablet or smartphone can view PDFs without having to have any additional software. If you send it in a proprietary format such as a Microsoft Publisher file, you run the risk of the recipients not being able to view your BOLO.

The image above is a mock BOLO I created for this post using the open source software Scribus. It’s modeled after the actual BOLO template I normally use for BOLOs at my agency. Don’t be afraid to copy, modify or mash-up my design when you create your next BOLO.

Monday, January 6, 2014

How to calculate an increase or decrease

Probably the biggest promise that crime analysis holds for a police agency is that it can make an agency more efficient at its mission of making the community you serve safer. Efficiency should be the new buzzword for police. If our methods of crime fighting aren’t efficient, then we are wasting the resources we have been entrusted with. I don’t know about your agency, but in the sleepy little burg where I work, we have precious few resources to waste.

But how do you know if your agency is being effective?

The beginning of the process to determine effectiveness is to measure certain crime or Call for Service metrics and ask yourself: Has this metric increased or decreased? Before I became a crime analyst I was a police officer. I signed up to catch bad guys and not “do math” (I hated math in school). That being said, calculating increase or decrease is pretty easy. It’s even easier if you set up a spreadsheet with the formula or use a tool like Wolfram Alpha.

Usually when police agencies are concerned with calculating an increase or decrease, it’s comparing one time period to another. For instance, an agency wants to know whether vehicle thefts this year have increased or decreased over last year. As an example, we’re going to use real-life Uniform Crime Reports data for Vehicle Thefts from the agency where I work, Killeen, Texas. We’ll compare the number of reported vehicle thefts from 2011 to those in 2012.

2011 - 187
2012 - 192

The formula for calculating this looks like this:

(New Value - Old Value) / Old Value = Change

Don’t forget when you see parentheses in a math equation to solve the operation inside the parentheses first. Once you’ve solved the whole equation, then multiply the result (Change) x 100 to turn that number into a Percentage of Increase or Decrease.

Plugging our Vehicle Theft numbers in that formula we get:

(192-187) / 187 = 0.0267

We then multiply 0.0267 x 100 to convert that number to a percentage and get an increase of 2.67%. If the Change result had been a negative number it would indicate a decrease from the previous year.

It gets even easier to calculate this with Wolfram Alpha. Go to the Wolfram Alpha website, and input this into the input box:

187, 192

Keep in mind that the order in which you input these numbers is VERY important. If you are wanting to compare the numbers for two time periods, you must put the Old Value first. Wolfram Alpha will give a whole list of calculations using these two numbers and one of them will be the result of our desired increase / decrease calculation.

It’s also pretty easy to do these calculations in a spreadsheet like Microsoft Excel. By the way, as a crime analyst, learning to use Excel and learning to use it proficiently is a must. It can make your life so much easier and is almost always my go-to tool. Here’s an example of a simple way to lay out a spreadsheet to make these calculations:

A caution is in order here. You must be very careful with comparing values that are zero. If you had 1 murder in 2011 and 0 murders in 2012 you had a -100% decrease. However, if you had 0 murders in 2011 and 1 in 2012 you did not have a 100% increase. Why is this?

Can you divide by zero? The answer is that you can’t. If you don’t believe me, plug the numbers into the formula and see for yourself. The proper way to represent this would be to indicate that the value is Not Calculable. If you input this into Excel it will give you a Divide by Zero error ( #DIV/0! ) in the results cell.