Penetration Testing mailing list archives

Re: [PEN-TEST] V-E scanning & legality


From: Rob Shein <rshein () mail wash averstar com>
Date: Mon, 13 Nov 2000 10:30:34 -0500

Absolutely true, but it had better bother someone
who is providing vulnerability assessment services on behalf of a client.
Just because the bad guys don't mind committing crimes in the course of
their actions doesn't mean we should as well, just in the name of simulating
them.  Likewise, it should also bother a client who is considering employing
the services who thinks that the ends of such a test justify the means of
breaking the law to achieve them.  There are many ways to test for emissions
without building an illegal device; the point here is not to be able to
reconstruct traffic, data, or the display on a video screen, but to suppress
ALL emissions.  Otherwise, you can't be sure that you're really safe.

On another note, I remember that WYSE came out with a dedicated Windows
terminal (to use with WinFrame or Terminal Server) with a flat screen that
was compliant, out of the box, as they claimed.  Now, in truth, since this
terminal used standard 10/100BaseT connectivity, it was only compliant until
you actually plugged it into the network, but hey, that's not the box's
fault, is it? :-)  I hadn't verified that the box was compliant at all, but
they did sell a lot of units to some TLA's, and I assume that some degree of
testing did take place.  It's not a definitive answer regarding the
flat-screen immunity to this sort of attack, but it's something.  I would
imagine that a plasma display is vulnerable, however, as they have much
higher power requirements...but then again, I remember GRiD's laptops that
were compliant all those years ago, which had plasma displays.

Hmm...maybe I'll just stick to testing web servers :-)

  -----Original Message-----
  From: Penetration Testers [mailto:PEN-TEST () SECURITYFOCUS COM]On Behalf Of David Alexander
  Sent: Friday, November 10, 2000 4:41 AM
  To: PEN-TEST () SECURITYFOCUS COM
  Subject: Re: [PEN-TEST] V-E scanning & legality


  I don't think the legality issue is going to bother someone who is already
  intent on an illegal act, i.e. stealing information from another
  organisation.

  On a separate note, does anyone know if the new LCD/plasma flat screens
  are vulnerable to this?

  David Alexander
  Project Manager & Information Security Consultant
  Qualified BS7799 Lead Auditor
  Triskele Ltd.

  Office  01491 833280
  Mobile 0780 308 3130




  > -----Original Message-----
  > From: Rob Shein [mailto:rshein () MAIL WASH AVERSTAR COM]
  > Sent: 08 November 2000 16:08
  > To: PEN-TEST () SECURITYFOCUS COM
  > Subject: Re: [PEN-TEST] Penetration Testing and Van Eck Scanning
  >
  >
  > If I understand the laws correctly (and I am NOT a lawyer, thank god),
  > construction of a Van Eck device is illegal in the U.S.  The concept behind
  > the law is similar to the law regarding ownership or construction of bugging
  > devices.  Frankly, I don't see how viable it really is for a typical
  > commercial enterprise to go sufficiently TEMPEST-compliant to thwart this
  > form of surveillance.  If they're a small business, it's too expensive for
  > their budget, and if it's a large business, it's too difficult to cast the
  > net that wide and be sure that some high-level manager doesn't circumvent
  > the controls because he doesn't want to deal with the inconvenience or cost.
  >
  > > -----Original Message-----
  > > From: Penetration Testers [mailto:PEN-TEST () SECURITYFOCUS COM]On Behalf
  > > Of Johann van Duyn
  > > Sent: Wednesday, November 08, 2000 10:45 AM
  > > To: PEN-TEST () SECURITYFOCUS COM
  > > Subject: [PEN-TEST] Penetration Testing and Van Eck Scanning
  > >
  > >
  > > Just a thought I had while on a nicotine-and-caffeine break:
  > >
  > > Has anyone ever done a bit of Van Eck (aka TEMPEST) surveillance as part of
  > > a penetration test, just to show people what can be seen from a van in the
  > > corporate parking lot when the security attendant is on his lunch break?
  > > That could provide a few hot debates in boardrooms, especially if one were
  > > to tune in to the Internet browsing habits of a few senior directors...
  > >
  > > Has anyone done it, or had/seen it done (esp. outside of a military
  > > environment)? Are there any good references around re. proposed civilian
  > > standards for 'safety' from Van Eck scanning? And where would one look
  > > around either for people who do that type of surveillance, or the equipment
  > > to do that with.
  > >
  > > And, finally, if this is not the right forum for such discussions, could
  > > anyone in the know point me to such?
  > >
  > > Very ta,




