[ISN] Want better workplace security? Just use some common sense!

From: InfoSec News (isnat_private)
Date: Wed Dec 19 2001 - 22:55:18 PST


Robert Vamosi,
Associate Editor,
ZDNet Reviews
Thursday, December 20, 2001

An established company moves into a downtown high-rise and a few
months later discovers that many of its secrets are going public. How
is that possible? Its networks are locked down. Its employees use
passwords, and are given security clearances.

So what's the problem? How about that old warehouse next door? A
competitor has rented it and mounted large antennas behind closed
window blinds to listen for electronic emissions from its neighbor's
electronic equipment.

SOUND RIDICULOUS? The U.S. government doesn't think so. Preventing
such a scenario is one of the goals behind a project called "Tempest,"
an acronym for Telecommunications Electronics Material Protected from
Emanating Spurious Transmissions. While many think Tempest is an
active eavesdropping operation (like the FBI's DCS 1000), it's really
a set of government standards designed to dampen electronic emissions
escaping government offices. Hardware makers are using these standards
to create equipment that doesn't emit strong electronic signals. Think
of Tempest as encryption for the electromagnetic spectrum.

Just what is the government shielding itself from? Almost every
electronic device emits some kind of radio noise. By limiting the
emissions, the government diminishes the possibility of someone
eavesdropping on its equipment.

AND WHAT COULD YOU DO with these emissions? Reconstruct monitor images
remotely. About 15 years ago, Dutch researcher Wim van Eck published a
paper on ways to convert ordinary cathode ray tube (CRT) monitor scans
into text. CRT monitors, like television sets, scan from side to side,
building screen images one row of pixels at a time. The intensity of
the cathode ray beam used to excite the electrons determines whether
the pixel will be red, blue, or green. Combinations of these produce
the wider six-million-color palette we're used to seeing. Every unique
color produced has an associated frequency which, in theory, can be
intercepted and reconstructed remotely.

You might be thinking that flat-screen monitors would be the answer,
but they too emit radio frequencies. So do modems, and for that
matter, just about any electronic device. But just how practical is
eavesdropping in this way? Not very.

It would take a lot of expensive equipment to isolate the emissions
from one monitor in a crowded office, and then reconstruct that screen
remotely. The idea that malicious users or foreign governments have
expensive equipment like this, and are renting hotel rooms next to
government or corporate offices, sounds a tad John le Carré-esque,
doesn't it?

YET REQUIRING government agencies to use Tempest-approved monitors and
equipment is still a good idea. The problem is, it's just one piece of
the puzzle. Good security, in order to work, has to be a complete
package. Unfortunately, not even the government has its act together.

Security expert Chey Cobb, a speaker at this year's Black Hat Win2K
Briefings, spoke of a National Security Agency building called the
National Reconnaissance Office (NRO) in Virginia that is adjacent to a
national-chain hotel. For some reason, this top-secret facility kept
its server-room window blinds wide open. If foreign agents staying at
the hotel next door didn't happen to bring their sophisticated
electronic eavesdropping equipment, they could always use binoculars
to read what was written on the whiteboard behind the servers.

THE SAME APPLIES to corporations, where so many common-sense rules
aren't being followed. For example: Close the blinds in rooms where
whiteboards face out and erase them whenever possible. Position
monitor screens away from exposed office windows. Shred physical
documents, and electronically shred all magnetic media.

Above all, make sure to use passwords, and to change them frequently.
If a company's secrets are leaking to the outside world, it's probably
not because of the computer monitors they're using.
ISN is currently hosted by Attrition.org