Penetration Testing mailing list archives

Re: [PEN-TEST] Penetration Testing and Van Eck Scanning (Frank Jones)


From: "Loschiavo, Dave" <DLoschiavo () FRCC CC CA US>
Date: Mon, 13 Nov 2000 12:05:54 -0800

A search on ("Frank Jones" tempest spyking) will turn up some less than
flattering results regarding this individual. I am not in a position to
judge their accuracy, but do believe that a person should research their
sources. So, before you go too far down the path Mr. Jones points out, you
might want to do a little digging.

-----Original Message-----
From: shaun () 2600 CO ZA
To: PEN-TEST () SECURITYFOCUS COM
Sent: 11/12/00 11:32 PM
Subject: Re: [PEN-TEST] Penetration Testing and Van Eck Scanning

ISSO wrote:
I think TEMPEST eavesdropping has very limited value with today's low
rad monitors.

Short article in ZD's Smart Business Magazine of June 2000 (formerly PC
Computing) - page 72 - content as follows:

'Frank Jones, a former police officer who now develops TEMPEST scanners
for authorized government agencies, outlined the security threat of
electromagnetic radiation in his 1996 essay, "Nowhere to Run...Nowhere
to Hide..."'

'During a day trip to downtown New York City with a portable TEMPEST
scanner, Jones found that "with the proper frequency tuning, antenna
manipulation,...and vehicle location, we could monitor just about
anyone, anywhere, anytime." Jones's successful targets included the New
York Post, City Hall, and several midtown banks at ranges of up to 300
yards.'

Further down the article it also mentions that Jones' latest TEMPEST
scanner - the DataScan TEMPEST Monitoring System, is capable of reaching
ranges of 1000 yards.

I would not be too quick to eliminate TEMPEST scanning as a very real
threat, both of external attack, and of government CARNIVORE-esque
behaviour.
One could include in their pen-test a physical audit which would check
things like the age of the monitors for the important servers, location
of the most important machines relative to the exterior of the building,
and their height above the ground floor (or below).


Shaun Dewberry
(If-someone's-got-a-title-to-describe-my-job-insert-here-please)
2600 Computer Security
www.2600.co.za

