Information Security News mailing list archives

Want better workplace security? Just use some common sense!


From: InfoSec News <isn () c4i org>
Date: Thu, 20 Dec 2001 00:55:18 -0600 (CST)

http://www.zdnet.com/anchordesk/stories/story/0,10738,2833569,00.html

Robert Vamosi,
Associate Editor,
ZDNet Reviews
Thursday, December 20, 2001

An established company moves into a downtown high-rise and a few 
months later discovers that many of its secrets are going public. How 
is that possible? Its networks are locked down. Its employees use 
passwords, and are given security clearances. 

So what's the problem? How about that old warehouse next door? A
competitor has rented it and mounted large antennas behind closed
window blinds to listen for electronic emissions from its neighbor's
electronic equipment.

SOUND RIDICULOUS? The U.S. government doesn't think so. Preventing
such a scenario is one of the goals behind a project called "Tempest,"  
an acronym for Telecommunications Electronics Material Protected from
Emanating Spurious Transmissions. While many think Tempest is an
active eavesdropping operation (like the FBI's DCS 1000), it's really
a set of government standards designed to dampen electronic emissions
escaping government offices. Hardware makers are using these standards
to create equipment that doesn't emit strong electronic signals. Think
of Tempest as encryption for the electromagnetic spectrum.

Just what is the government shielding itself from? Almost every
electronic device emits some kind of radio noise. By limiting the
emissions, the government diminishes the possibility of someone
eavesdropping on its equipment.

AND WHAT COULD YOU DO with these emissions? Reconstruct monitor images
remotely. About 15 years ago, Dutch researcher Wim van Eck published a
paper on ways to convert ordinary cathode ray tube (CRT) monitor scans
into text. CRT monitors, like television sets, scan from side to side,
building screen images one row of pixels at a time. The intensity of
the cathode ray beam used to excite the electrons determines whether
the pixel will be red, blue, or green. Combinations of these produce
the wider six-million-color palette we're used to seeing. Every unique
color produced has an associated frequency which, in theory, can be
intercepted and reconstructed remotely.

You might be thinking that flat-screen monitors would be the answer,
but they too emit radio frequencies. So do modems, and for that
matter, just about any electronic device. But just how practical is
eavesdropping in this way? Not very.

It would take a lot of expensive equipment to isolate the emissions
from one monitor in a crowded office, and then reconstruct that screen
remotely. The idea that malicious users or foreign governments have
expensive equipment like this, and are renting hotel rooms next to
government or corporate offices, sounds a tad John le Carré-esque,
doesn't it?

YET REQUIRING government agencies to use Tempest-approved monitors and
equipment is still a good idea. The problem is, it's just one piece of
the puzzle. Good security, in order to work, has to be a complete
package. Unfortunately, not even the government has its act together.

Security expert Chey Cobb, a speaker at this year's Black Hat Win2K
Briefings, spoke of a National Security Agency building called the
National Reconnaissance Office (NRO) in Virginia that is adjacent to a
national-chain hotel. For some reason, this top-secret facility kept
its server-room window blinds wide open. If foreign agents staying at
the hotel next door didn't happen to bring their sophisticated
electronic eavesdropping equipment, they could always use binoculars
to read what was written on the whiteboard behind the servers.

THE SAME APPLIES to corporations, where so many common-sense rules
aren't being followed. For example: Close the blinds in rooms where
whiteboards face out and erase them whenever possible. Position
monitor screens away from exposed office windows. Shred physical
documents, and electronically shred all magnetic media.

Above all, make sure to use passwords, and to change them frequently.  
If a company's secrets are leaking to the outside world, it's probably
not because of the computer monitors they're using.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.