Date: Sun, 20 Aug 2006 22:31:51 -0700
From: "Bill Stout" <bill.stout@...enborder.com>
To: <full-disclosure@...ts.grok.org.uk>
Subject: RE: Tempest today

You have your answer, but I'll add some background anyway.

TEMPEST is old stuff (US/UK).  Anyone who's ever worked in COMSEC
(Government Communications Security) knows about TEMPEST, it was a big
deal during the cold war.  Most of the basic stuff was declassified in
1995.

It's simply the ability to block any and all unintentional signals
('electro-magnetic radiation') which may emanate from communication or
data processing equipment.  There are two parts of COMSEC equipment, the
part that handles the plain text data like I/O, processor and memory
(red side), and the part that's not involved in unencrypted data like
power supplies and I/O that carries encrypted data (black side).  One of
the earlier examples of a TEMPEST leak was the ability to pick up typed
text from the power lines into teletype equipment or even the IBM
Selectric typewriters.  Some of the embassies on both sides of the cold
war were found to have innocent wires stretched across the ceiling of
the comm center but with both ends unterminated, which apparently
operated as a simplistic amplifier or pickup.  Many bugs picked up and
repeated electronic, not audio signals.  The U.S. Embassy in the USSR
had to be rebuilt in the '80s because the concrete was peppered with
passive electronic components (things like resistors and real bugs).  

A simple demonstration of TEMPEST vulnerability is by using a telco
impedance pickup.  The impedance pickup will amplify voice (or data) on
a phone wire without needing to touch the metal wire.  It picks up the
varying magnetic field around a wire which expands and collapses as the
signal changes.  (It also buzzes radically when near fluorescent bulbs,
old high-leakage CRT monitors, some LCDs, some keyboards, and some
mice).

Another related term you might want to google is SIGINT, or Signals
Intelligence.  It covers the ability to collect, and process, signals.
There's more to it than meets the eye.  The position of a signal can be
triangulated electronically within a few milliseconds, 'position' is
data.  The keystrokes or other characteristics of encrypted data can
tell you who the operator is, 'characteristic' is data you can link with
HUMINT (Human Intelligence).  Then there's the conversation, sorta tells
you who's talking to who and what's been escalated up to or repeated
from headquarters (makes life easy if someone in the conversation passes
along a message using weak crypto or a compromised key).  Many INTEL
satellites are SIGINT, more like radioscopes pointed down which join the
hubble-sister telescopes pointed down.  

(Note: Encryption applies privacy only temporarily.  Encryptions of the
past are obsolete and weak today, and can be decrypted at leisure.)

That's what TEMPEST is worried about.  Leaking signal from red side to
black side, that signal getting picked up by some guy with telco gear, a
bug in the wall or an antenna in the ceiling, or a trio of satellites
above.   Doesn't help you used that 3DES PGP key 5 years ago.

Bill Stout


-----Original Message-----
From: full-disclosure-bounces@...ts.grok.org.uk
[mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf Of Paul
Sebastian Ziegler
Sent: Friday, August 18, 2006 9:45 AM
To: full-disclosure
Subject: [Full-disclosure] Tempest today

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi list,

I've seen some fuss about the technique called "tempest" lately. Some
people claim it would be "the thing" in modern security. This bugs me
somehow because first of all I think it is way too much of an effort
compared to the more casual techniques used today. Also all information
that I can find on the Internet refers to some stuff the NSA released in
the mid-nineties. Now that is not really a good and reliable source of
information in my belief. :)

Can anybody tell me how far evolved this technique is today and who uses
it? Maybe some reference to a whitepaper or something similar. Would be
great.

Thanks
Paul


Brief definition of tempest for those who have never heard of it:
Picking up the radiation produced by a monitor or cables that connect
the graphics-card or graphics-chipset with the monitor in order to spy
the screen of the user. Kind of like getting access to a VNC server on
the box without having input yourself. The interesting part is that it
is technically undetectable.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFE5e6XaHrXRd80sY8RCg/9AKCBAs2SjvitArRFHs+6moRb0UX4GQCfbCo9
wi9z1V+h5m0YJFdz9IZK+EI=
=2pu2
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
