Friday Squid Blogging: Laughing Squid

The small San Francisco film and video company is celebrating its 17th anniversary.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Posted on December 21, 2012 at 4:58 PM • 16 Comments

Comments

ObSecDecember 21, 2012 9:09 PM

Times of Israel is reporting on a new Trojan that might be the next step in the U.S./Israeli cyber-war against Iran. "According to security experts, the virus, which was first seen several weeks ago, does its erasing on specific dates, the next one being January 21, 2013."

Angus S-FDecember 21, 2012 10:34 PM

@Joe_Kirby -- this is a GREAT idea. A trained, armed response to a shooter is the only way to reduce the risk to our kids. When you need help in seconds, the police are usually minutes away. We trust teachers and administrators and school nurses to take care of our kids, we should allow them to have the tools they need.

"Gun-Free Zones" are the same as "Unarmed Victim Zones". There is a reason that ALL of the mass shootings in recent memory, except for the Gabby Giffords shooting in Tucson, have happened in locations labelled as "Gun-Free Zones" -- the gunman knows he will be the only one armed there.

I strongly support programs like this one.

Sruce BchneierDecember 22, 2012 1:06 AM

TEMPEST Attacks! LCD Monitor leaks system noise to FRS
=
I don't operate any wireless equipment at my living location. This includes computers, computer equipment, routers, non-computer equipment, etc.

I'm having a problem with one of my LCD monitors.

It works without problems. That was until I picked up some heavy static noises from a hand held radio. I eliminated all sources of generating this type of noise until I came towards an LCD monitor. When the monitor is on and there is content on the screen the radio makes several types of garbage(static) sounds. As I manipulate contents on the screen, maximize and minimize windows, open different applications, the radio responds with scratchy(static) noises to match the activity on the screen. This includes typing and mouse movement.

When I switched the desktop background to a solid black color without wallpaper, the radio noise went down to almost nothing. But when I loaded any program with a white background, the noise from the radio exploded in volume.

When I passed the radio across different computer and non-computer electronic devices other than the LCD monitor, the wired mouse made a high pitched squeal sound within the static. None of the other computing devices such as the tower generated any noise.

I tried CRT monitors and separate computers attached to the CRT monitors but they did not generate any noise in the radio. On the computer connected to the net, I unplugged the cable leading to the router to rule this out but it made no difference, the LCD monitor is at fault.

While monitoring the radio noise, there were several instances where the noise on the channel being monitored stopped, and I switched to another channel and the same noise appeared. Why would the noise from the LCD switch channels during normal use of the LCD? Back and forth throughout the day the noise generated by the LCD would switch from one channel to the next and back to the first channel again.

The noise extends several steps within my living location. I'll test this another day to determine if it extends outside my living location and if so by how many feet.

The computer/monitor are grounded and attached to a surge protector. I'm not sure what I need to do to stop this, or if I should ignore it.

I assumed LCDs would be quieter than CRTs when it came to noise.

Unless I have a radio tuned to a specific channel, the LCD does not generate any noise which I can detect, unless it's above my hearing capacity.

The LCD monitor also functions as speakers, and while the sound cable is connected to the tower, I have disabled the onboard sound in my BIOS. The only other connection is the DVI cable to the tower.

How may I decrease this noise or eliminate it? It seems like the LCD is a mini radio station. When I turn it off the noise in the radio stops, if I blacken the screen the noise lessens. When I switch to a colorful background or load white screened applications like a web browser the noise jumps up loudly. I've tried grabbing and moving a browser window around the screen and the movement matches the noises in the radio.

Would any of this be considered normal?
==-
This certainly isn't unheard of, it's because some part of the monitor is unshielded. The more fix-it stuff is at the top of the following, with the technical backdrop that just might be good to know is at the bottom.

Unfortunately, the issue is most likely the panel charging the LCs. The only thing you can do is see if the manufacturer will replace it or upgrade you. Complain to the manufacturer, be sure to come up with some important thing it's interfering with(if I recall some medical devices use some sort of radio).

If the issue is actually internal wiring which is highly unlikely as detailed below, and it isn't in warranty, attempt to shield it yourself. To shield it yourself, you'll need thin foil(not kitchen foil) and electrical tape.

So, in any given monitor, there's 3 main parts. Input, logic, and output. Output, as previously mentioned, can't really be shielded. To shield both of the other sections, all you really need to do is manipulate the wiring to reduce the number of holes in the foil wrap needed to put it all back together. Obviously this will take some trial and error, and time.


USEFUL INFO THAT ISN'T REQUIRED:

Shielding wires can best be thought of as a encasing a wire in a Faraday cage, made of foil. If you want to see an example, Apple's iPod charging cords are all shielded, strip the insulation and see for yourself. This shielding acts doubly, keeping EM noise from messing with the signal, and keeps the signal's own noise from leaving.

WHY IT IS THE CHARGING PANEL AND NOT WIRING:
Because of the specific details you provided( bravo to you, the amount of data provided helped ), I can conclude that the charging panel(the array of electrodes responsible for producing the image) is putting out the interference. Three of your observations prove this.

First, you state the noise ceases completely when the monitor is turned off, which is consistent with it being EM noise.
Second, the noise's perceived pitch changes when the display is manipulated, which is to be expected, as the electrode charges would change as the display changes.
Third, a black screen is "quieter" than a white screen. Black is the lowest charge state, with the only power in use going to the backlight.

As for your questions:
Noise hopping channels isn't unheard of, though I don't know the science behind it. My best guess is that because the noise isn't an intended result of the electricity, small changes in voltage/amperage result in those hops.
(indirect question-ish) The mouse was likely the only other emitter because it has a fairly high density of wires + it emits light.
===-
@W00t:

What 1s the d1fference between - and where may 1 obta1n the non-k1tchen "foil" you ment1oned?

The d1sturbances sound l1ke a bugged env1ronment. The squeal com1ng from one area and/or dev1ce could mean the locat1on of the bug has been found - and 1 know adding a small dev1ce and/or mod1f1cation to a keyboard and/or mouse 1s s1mple enough - espec1ally for a quick 1n and out the door type bugging.

1s there an affordable method of sh1elding the equ1pment while not violating FCC/TEMPEST laws? Would a simple screen d1mmer attached to the monitor bring the no1se down? Or would 1t be best to put out the extra money requ1red by purchas1ng spec1al paint or wallpaper wh1ch blocks RF signals?

Whether or not 1t's a bug, at this point you are broadcast1ng your computer mon1tor and 1ts activ1t1es, down to the keyboard and mouse movements. What 1s the use of using Tor or any other l1ke serv1ce 1f you are pwned over the a1r waves?
====-
You could use kitchen foil, it's just more unwieldy to work with.

Yes, it could be a bug, I was running under the assumption you had no reason to believe you were bugged, and if you did you ran bug sweeps. If you believe you are bugged, you should definitely dismantle things to make sure a bug isn't simply piggybacking on the same power source.

Dimming the screen would reduce noise, but not completely eliminate it.
=====-
Thanks, W00t.

"Dimming the screen would reduce noise, but not completely eliminate it."

I have modified my browser to function with a black background and my choice of text colors and unchecked the option for all pages to use their own colors, so every page I visit is black with my choice of font/links colors. I'll rescan to determine if this lessens the noise. It's ugly, but tolerable. Coupled with a black theme for the desktop, including the background and system wide applications should also help - including disabling images in the browser.

You mentioned foil. I'm not an electrician, but wouldn't wrapping cords with foil and finishing the job off with a layer of strong black tape possibly conduct electricity? Are you suggesting I cover all wires leading to the computer(s) using this method? Wouldn't they each require special grounding? How many repeating layers of this and/or other material is needed? Have you tried "conductive tubing?"

While I want to shield enough to block noisy RF, I don't want to create a microwave type scenario where RF is contained but it still remains and is possibly amplified so as to add to the degeneration of my health, if that's possible.

1. Ferrite beads
2. Split beads
3. Toroids

CONDUCTIVE TUBING & FERRITE SNAP BEAD
http://www.lessemf.com/wiring.html

https://en.wikipedia.org/wiki/Electromagnetic_interference
https://en.wikipedia.org/wiki/Electromagnetic_radiation_and_health
https://en.wikipedia.org/wiki/Electromagnetic_shielding
https://en.wikipedia.org/wiki/EMF_measurement

I could try some or all of the three options above in addition to your advice? TY
===-
Anyways this reminding me of Van Eck phreaking look it up, some pretty interesting stuff.

Yep, had the same thought.

Countermeasures are detailed in the article on TEMPEST, the NSA's standard on spy-proofing digital equipment. One countermeasure involves shielding the equipment to minimize electromagnetic emissions. Another method, specifically for video information, scrambles the signals such that the image is perceptually undisturbed, but the emissions are harder to reverse engineer into images. Examples of this include low pass filtering fonts and randomizing the least significant bit of the video data information.
====-
can someone please point me to techie LCD monitor internal guides? If I'm going to take it apart I'd like to know what to expect. I've read more about Van Eck and Tempest than anyone can teach me here. Now I'm looking for LCD guides of what's inside.
===-
To be honest, its not the whats inside the LCD monitor you should be worrying about if you want to phreak LCD's . You should be worry more about the RF side of things, and figuring out the spread spectrum clock signal so you can pick up the signal. Top if off background noise is going to be bitch when it comes to LCD. Old CRT monitors are way easier to phreak those thing throw off EM radiation like nobody business.
===-
The noise coming from the LCD monitor is appearing on FRS channels:

- https://en.wikipedia.org/wiki/Family_Radio_Service

It continues for several minutes before it jumps to another channel then after a few minutes jumps back to the original channel. One of my concerns is the ability for others to pluck this noise from the air (Van Eck/TEMPEST) and monitor my activity, or possibly use an attack against the computer somehow. A recent UN report mentioned a high tech method(s):

* U.N. report reveals secret law enforcement techniques

"Point 201: Mentions a new covert communications technique using software defined high frequency radio receivers routed through the computer creating no logs, using no central server and extremely difficult for law enforcement to intercept."

- http://www.unodc.org/documents/frontpage/...
- http://www.hacker10.com/other-computing/...

In addition, I don't want my LCD monitor constantly sending monitor and/or system activity to a FRS channel(s) for others to hear. I choose wired over wireless for a reason, and there shouldn't be any noise coming from my LCD monitor and appearing over FRS, unless there is a bug or problem with the monitor. All of my
CRT systems are silent on FRS.

When I position the radio near different components, the power supply doesn't emit any noise on FRS, but it could be a problem, I don't know, I'll move to that once I resolve the LCD monitor problem, unless the PSU is the problem and not the monitor.

I may take apart the LCD monitor, I'm looking for a good list of what I'll find if I do.

I peered inside the vents on the top/back left hand side with a strong flashlight and came across a strange piece of silver tape inside, here's how I describe it:

OOGGGGGGGGGGGGGGG__

OO = a small thin black material coming out from underneath the silver piece of tape
GG = the strip of silver tape
__ = the bottom right hand portion of the silver tape is raised enough to allow a pinky finger entry

The silver tape/material/opening under tape is on the top left corner inside the monitor. The rest of the length and area inside that I can see contain no tape or black material. I've seen photos of planted bugs in people's living spaces and most if not all of the invasive ones are wrapped/covered in silver foil. I've found no other reason for that strip and material to be there, but what do I know.
=====
In addition, my CDROM drive light blinks once every second, sometimes with a second or 1/2 second in between, and I found this:

http://catless.ncl.ac.uk/Risks/19.60.html#subj9

"I'd worry about a Tempest virus that polled a personal computer's
CD-ROM drive to pulse the motor as a signalling method:

* Modern high-speed CD-ROM drive motors are both acoustically and
electrically noisy, giving you two attack methods for the price of one;

* Laptop computer users without CRTs, and the PC users that can afford
large LCD screens instead of CRTs, often have CD-ROM drives;

* Users are getting quite used to sitting patiently while their
CD-ROM drives grind away for no visibly obvious reason (but
that's quite enough about the widespread installs of software from
Microsoft CD-ROMs that prompted Kuhn's investigation in the first place.)"
===-
I don't think there should be anymore blinking if you remove the CD/DVD inside.
If it keeps blinking, find out which process uses it.
Anyway, you can disable it when you're not using it, if it's bothering you.

And shield your monitor.
http://en.wikipedia.org/wiki/...
====-
"I don't think there should be anymore blinking if you remove the CD/DVD inside."

Does Tails support this at boot?

If not, is there a Linux LiveCD which allows this and does not give you root access at boot?

I've looked at several different distributions which allow you to boot into RAM and remove the CD, but they all give you root and that's a very insecure environment to run TBB in!

"If it keeps blinking, find out which process uses it."

It doesn't blink on the several distros which boot into RAM, but I don't want to run Tor as root or reconfigure the permissions/PAM/etc. just to use TBB. As above, with Tails and many LiveCDs which don't boot into RAM, 99% of them have this blinking light issue. The actual INSTALLS I've done to HDD experience constant light activity too, even more so, without anything to explain them.

For Linux, I've ran rkhunter, chkrootkit, tiger, and other tools and nothing malicious is found. Without a deep binary analysis I don't know what else I could do.

For Windows, I use a few programs in the SysInternals Suite and they display strange usage on the system and reference programs which cannot be found with a search on the system, references to impersonation, spoofing, and more. I've ran almost every N.American scanner on the Windows systems, including command line only rootkit detectors and I've seen some strange 'strings' of binaries mentioned, but have no idea on how to clean the system.

I prefer to run LiveCDs because all installations, Windows and Linux, contain unexplainable frenzies of blinking lights, far worse than the blink every second on most LiveCDs. I'm wondering if this is firmware malware on my NIC or the CDROM itself. This has existed for years and never goes away, no matter what system I use, this strange baggage seems to re-infect everything.

"Anyway, you can disable it when you're not using it, if it's bothering you."

Disable what?

"And shield your monitor."

Thanks. I'm investigating and most of the guides require specific addons to the computer's cabling system. Most of the guides appear incomplete, or are in another language other than English.

Any comments on the Tempest/blinking light possibility?

Any comments on why it's spewing out noise to FRS stations and freq hopping?
===-
More comments from elsewhere:

@kb2vxa:

"You're making a mountain out of a mole hill."

I respect your opinion and I don't wish to argue against it, but please look at it from the way I and some others have. I want to eliminate the noise created by the LCD monitor. If this was such a common experience, I would expect at least one of the dozens of other electronic equipment to generate some noise, however faint, on FRS - but they do not.

"You are under the wrong impression that somehow RF hash from the back light can somehow carry data. A liquid crystal display (LCD) does not generate its own light like a CRT or plasma screen and requires a light source to make the display visible. Even those that do cannot transmit computer data being none reaches the monitor."

The LCD is connected to a tower, which other devices connect to. Under testing I've heard the CDROM drive accessing data noises within the FRS channels, along with mouse movements and keyboard activity, along with other noises. When I disable the LCD monitor, all of these disturbances vanish. This means the weakness is in the monitor, and my tower is well shielded or shielded enough so as not to generate any noise in radios I can notice. The reference I made to the strange tape and material within the back side of the LCD monitor at the top could be a sign of some type of antenna or device for amping.

"Their FRS radios will only hear what yours does, RF hash, no data whatsoever THAT IS if one is standing outside your house tapping the radio and scratching his head wondering what's the matter with his radio. You and only you know what it is and where it's coming from."

And what of experienced and curious sysadmins? Rogue crackers? Bored HAMs?
Are there any remote radio injection attacks against systems? This is something I'll research later, as I do believe it was mentioned in at least one whitepaper on side channel attacks.

"Thanks for the chuckles, if the report reveals secrets it would not be published but sent by secret courier to the KGB in Moscow."

I'm not aware of any secrets revealed within the document. But it did raise an interesting point without exposing the method(s) delivered to us from an interesting party. This wasn't just some random article written by some anonymous, disturbed fellow and posted to a pastebin or conspiracy minded blog or forum. And one cannot deny the dozens of TEMPEST attacks available today.

"So... all this and no word on moving the radio farther from the monitor. Why don't you try talking somewhere besides in front of the computer if it bothers you so much?"

Thank you for considering conversation as my reason for posting this, but it is not. I would not choose a noisy channel to talk on. Clear conversation is not the point of this thread. I desire the elimination of this garbage coming from the LCD monitor. I don't care if no one in the world can pick up on it and hear it, I would like to properly resolve it and not ignore it.

One can also dredge up the subject of EMF on health, too, but I have not experienced any disturbance of health from exposure to this noise and most people would argue any possible EMF effects on health to be one of one's over active imagination and not real world application.

[-]

A continued discussion was posted elsewhere, this may be useful in the voyage to remove this "noise":

[-]

In addition, my CDROM drive light blinks once every second, sometimes with a second or 1/2 second in between, and I found this:

[-]

http://catless.ncl.ac.uk/Risks/19.60.html#subj9

"I'd worry about a Tempest virus that polled a personal computer's
CD-ROM drive to pulse the motor as a signalling method:

* Modern high-speed CD-ROM drive motors are both acoustically and
electrically noisy, giving you two attack methods for the price of one;

* Laptop computer users without CRTs, and the PC users that can afford
large LCD screens instead of CRTs, often have CD-ROM drives;

* Users are getting quite used to sitting patiently while their
CD-ROM drives grind away for no visibly obvious reason (but
that's quite enough about the widespread installs of software from
Microsoft CD-ROMs that prompted Kuhn's investigation in the first place.)"

[-]


Any comments on the silver tape and material inside the back of the LCD?

...Disconnection of the LED CDROM and HDD lights could be something I should do to relieve one possible issue.

[-]

Some articles with examples:

"If everything is just right, you can pick up signals from some distance. "I was able to eavesdrop certain laptops through three walls," says Kuhn. "At the CEBIT conference, in 2006, I was able to see the Powerpoint presentation from a stand 25 metres away."

uhn also mentioned that one laptop was vulnerable because it had metal hinges that carried the signal of the display cable. I asked if you could alter a device to make it easier to spy on. "There are a lot of innocuous modifications you can make to maximise the chance of getting a good signal," he told me. For example, adding small pieces of wire or cable to a display could make a big difference.

As for defending against this kind of attack, Kuhn says using well-shielded cables, certain combinations of colours and making everything a little fuzzy all work."

- http://www.newscientist.com/blog/technology/2007/...

=!==-!=
TO EASILY VIEW THE PDF files below:
=!==-!=

Online viewer for PDF, PostScript and Word:

"This is an online viewer, with which you can view PDF and PostScript files as browsable images and Word documents as web pages. Given a URL on the net or a file on your computer, the viewer will try to retrieve the document, convert it and show it to you. No plugin software is required."

http://view.samurajdata.se/

The viewer software is open source, licensed under the GNU Public License.
=!==-!=

Electromagnetic eavesdropping risks of flat-panel displays
http://www.cl.cam.ac.uk/~mgk25/pet2004-fpd.pdf

=

Eavesdropping attacks on computer displays
- http://www.cl.cam.ac.uk/~mgk25/...

=

Compromising emanations: eavesdropping risks of computer displays
- http://www.cl.cam.ac.uk/techreports/...
- http://www.cl.cam.ac.uk/techreports/...

=

Compromising emanations of LCD TV sets
- http://www.cl.cam.ac.uk/~mgk25/emc2011-tv.pdf

=

"Q: Can I use filtered fonts also on flat-panel displays

My experience so far has been that with LCDs, the video cable is the most significant source of radiated information leakage. Where an analogue video cable (with 15-pin VGA connector) is used, low-pass filtered fonts have the same benefits as with CRTs. Where a purely digital video cable is used (DVI-D, laptop-internal displays with FPD/LVDS links, etc.) only the last step, namely randomizing the least-significant bits, should be implemented.

Where the video signal is entirely encoded in digital form, the low-pass filtered step will not have the desired effect. In fact, it can actually increase the differences between the signal generated by individual characters, and thereby make automatic radio character recognition more reliable."

- http://www.cl.cam.ac.uk/~mgk25/emsec/...

=

Remotely Eavesdropping on Keyboards (and read the comments!)

"The researchers from the Security and Cryptography Laboratory at Ecole Polytechnique Federale de Lausanne are able to capture keystrokes by monitoring the electromagnetic radiation of PS/2, universal serial bus, or laptop keyboards. They've outline four separate attack methods, some that work at a distance of as much as 65 feet from the target.

In one video demonstration, researchers Martin Vuagnoux and Sylvain Pasini sniff out the the keystrokes typed into a standard keyboard using a large antenna that's about 20 to 30 feet away in an adjacent room."

- https://www.schneier.com/blog/archives/2008/10/remotely_eavesd.html

=

Video eavesdropping demo at CeBIT 2006
- http://www.lightbluetouchpaper.org/2006/03/09/...

=

Optical Emission Security – Frequently Asked Questions

"Q: What about LEDs?

For devices with RS-232 serial ports, it is customary to provide a status indicator LED for some of the signal lines (in particular transmit data and receive data). Often, these LEDs are directly connected to the line via just a resistor. As a result, anyone with a line of sight to the LED, some optics and a simple photosensor can see the data stream. Joe Loughry and David A. Umphress have recently announced a detailed study (submitted to ACM Transactions on Information and System Security) in which they tested 39 communications devices with 164 LED indicators, and on 14 of the tested devices they found serial port data in the LED light. Based on their findings, it seems reasonable to conclude that LEDs for RS-232 ports are most likely carrying the data signal today, whereas LEDs on high-speed data links (LANs, harddisk) do not. Even these LEDs are still available as a covert channel for malicious software that actively tries to transmit data optically.

I expect that this paper will cause a number of modem manufacturers to add a little pulse stretcher (monostable multivibrator) to the LEDs in the next chip set revision, and that at some facilities with particular security concerns, the relevant LEDs will be removed or covered with black tape.

The data traffic on LEDs is not a periodic signal, and therefore, unlike with video signals, periodic averaging cannot be used to improve the signal-to-noise ratio. The shot-noise limit estimation technique that I used to estimate the CRT eavesdropping risk can even more easily (because no deconvolution is needed) also be applied to serial port indicators and allows us to estimate a lower bound for the bit-error rate at a given distance. I have performed a few example calculations and concluded that with a direct line of sight, and a 100 kbit/s signal (typical for an external telephone modem), at 500 m distance it should be no problem to acquire a reliable signal (one wrong bit every 10 megabit), whereas for indirect reflection from the wall of a dark room, a somewhat more noisy signal (at least one wrong bit per 10 kilobit) can be expected to be receivable in a few tens of meters distance.

- http://www.cl.cam.ac.uk/~mgk25/emsec/...

=

Ancient Story on Slashdot: Coming to a Desktop near you: Tempest Capabilities

"New Scientist has an interesting article about a new toy we will all want. It's a card that plugs in one of your PCI slots and allows you to scan the EMF spectrum and read your neighbours terminal. In about 5 years you might be able to get one for just under £1000. (Modern Tempest Hardware costs about £30000) "

http://www.yro.slashdot.org/story/99/11/08/...

=

"Any unshielded electrical device with a variable current (including LCDs) will give out EMF radiation. It's the nature of the beast.

For that matter, light is EMF radiation, so unless you have your LCD in a coal-mine, it's reflecting EMF all the time it's switched on.

Then, there's the fact that screen monitoring isn't the only monitoring you can do. I used to use a radio, tuned into the bus for the PET, as a sound card. Worked surprisingly well, for all that very clunky metal shielding. What's to stop a much higher-quality receiver from seeing the data, in an unshielded box, being sent TO the LCD, or to any other device on the machine?

It's a mistake to assume that Tempest technology is single-function and that that single-function only works in a single situation."

- http://slashdot.org/comments.pl?...

=

800Mbps Wireless Network Made With LED Light Bulbs
- http://science.slashdot.org/story/11/08/02/...

=

There are a lot of other files, many in PPT format, which can be found easily on this subject of LCD monitor (and other computing devices) TEMPEST sniffing.

===

Sources for this discussion:

- http://forums.radioreference.com/computer/...
- http://clsvtzwzdgzkjda7.onion/viewtopic.php?...

.onion link above requires a running Tor client session in order to view. (https://www.torproject.org)

This on-going discussion backed up to Pastebin(s) in order to retain it as an artifact. Many of these
types of discussions are REMOVED from the net because of the nature of the discussion (TEMPEST).

Neil in ChicagoDecember 22, 2012 2:21 AM

"1996 – Created The Squid List, a San Francisco Bay Area events list."
If they'd been just a couple years sooner, they could have been Craig!

NobodySpecialDecember 22, 2012 3:35 PM

@Angus S-F
Our children are t much greater risk from other drivers than from school shooters.
Failing to equip our minivans with efficient anti-vehicle weapons makes them increasing vulnerable to a drunk/distracted/speeding driver.

Since most commuters are only driving soft skin vehicles a relatively low power RPG fitted as standard to each minivan would allow parents to take out that swerving SUV before it hits them.

FigureitoutDecember 23, 2012 10:53 PM

@Sruce Bchneier
I don't operate any wireless equipment at my living location.
--Impressive, takes some discipline. I don't know if you're the poster or just copy/pasting; do you think it could perhaps be something besides the monitor, maybe the PC itself? Or was it ~60hz I'm assuming? What kind of handheld is that, if it's cheap I may want to check it out myself. It's funny all the responses the hams were giving, they don't really care about eavesdropping, they want to be heard clearly! My old XCVR can only get 3.5-29Mhz, I've got other stuff but none that can get where you're getting. I know you want silence but my favorite strategy for eavesdroppers is giving them "droppings" to analyze; kind of like OTPs. Have you tried maybe running a separate monitor right beside it w/ a strobe light screen or static tv? But you see, if one didn't have to worry about creepers eavesdropping/attacking, this sick waste of electricity wouldn't even be thought up and we could all move on to creating not breaking systems.

Nick PDecember 25, 2012 10:34 AM

@ itgrrl

It's doable. I can't say whether the specific agency can or will do it, though. It's costly and will require highly specialized equipment.

Clive RobinsonDecember 25, 2012 4:18 PM

@ itgrrl,

As @Nick P notes "It's doable" and "it's costly", both in terms of "highly specialized equipment" but also in specialized human resources (and they tend to want remuneration equitable with their skill level).

A perhaps 'not as well known as it might be' statisitic is the one which indicates if a particular line of investigation will be followed or not based on it's expense and resource availability (it's the reason why most Internet crime is actually not investigated). This statistic has another dimension which is 'newsworthy', that is the more news time a crime makes the higher the expense bar is set (you try to hurt a sitting US President and that expense bar is set so high it might as well be infinity for practical purposes).

Thus the level of physical or information destruction you need to employ on a HD is somewhat proportionate.

In essence there are two areas of storage on a modern HD, the actual platters you store your data on and the semiconductor memory the HD manufacturer adds to store various bits of data in. Some of which are used with the drives function, some related to user data buffering, and on some more recent FDE drives encryption keys.

Thus to reliably destroy the data you need to address both areas. From the physical perspective the platters are best dealt with by physicaly unmounting and (if you don't know your chemicals or don't have access to them) subject both sides of the platters to a significant grinding with a buffing wheel with fine grade Jewelers rouge to remove the metalic top layer (the supporting or substrate layer is in some cases glass so spotting you've done the job can be easy). Then stoke up a coke or charcoal based fire to over 1000C and cook them for quite a while (significant heat tends to destroy magnetic storage properties of many materials) and hopefully turn the platter substrate to globs of molten liquid [1]. That takes care of the easy bit, the hard bit is destroying the semiconductor memory, there are chemicals but the chances of the average person having any kind of untraceable access to them is minimal at best, which leaves high intensity heat, which unfortuntly will result in some quite toxic chemicals being liberated which as it says on some CAS sheets "have toxilogical disadvantages" (ie dead with just a whiff or two)...

Thus physical destruction is not a route you want to go down unless you know what you are about [1], and involves considerable time and energy, which usually involves considerable other physical security measures (you do have to sleep occasionaly).

A better route if done properly is to render the information effectivly pre-destroyed by the use of multiple layer encryption. However don't use comercial FDE on it's own I just don't trust the key managment and I don't think Nick P and others do either [2].

The main problem as with all crypto systems is Keying Material (KeyMat) handling. You obviously don't want to lose/destroy the KeyMat and lock your data away from yourself effectivly forever. But likewise you don't want to give the KeyMat to others by carelessness and thus make your data available to whomever they not you chose potentialy to your detriment.

One way you can be careless with KeyMat is not knowing the systems you are using it on sufficiently well that you are certain as to how ephemeral or not the KeyMat is on the device. And further under what conditions KeyMat may or may not be retained in part or full and thus available to those with better knowledge of the systems than you.

This is thus a significant problem as the average person including most security gurus don't know the systems they use or recomend sufficiently well to have anything close to certainty. Further often the designers of such systems likewise generaly don't have sufficient knowledge other more knowledgeable attackers might apply to make their systems secure from such vectors[2].

Thus you have a situation of potentialy never knowing if a system you use is actually secure even if you know all that the designer does about the system...

The solution is in general to use "orthagonal systems" in series, that is for arguments sake you use three seperate. crypto systems in series (for arguments sake, a FDE HD, an Inline Media Encryptor (IME) and software such as TrueCrypt on the PC it's self). The idea being that any weaknesses with the systems will either be negated by the other systems or an attacker will not know weaknesses with all the systems (unlikely with Level III three organisations or these days Level II criminal or Level I crackers who sell exploits to either or both other levels).

These data destruction issues are why I still hand out the same advice I have for as long as I've had knowleddge of such systems "Paper Paper, never data".

However I don't hold with,

Words in your head,
are yours till your dead.
Unless you err,
and to pressure you defer.

Simply because the majority of humans are incapable of remembering anything with sufficient entropy with any accuracy, and most if not all humans suffer from fairly cheaply exploitable weaknesses of one kind or another (look up "Rubber Hose Cryptanalysis" or the XCD $5 wrench cartoon).

Thus you end up with Bruce's password advice of "Write it down on a piece of paper, and keep it" with those other bits of paper you value "in your wallet". But as we know people get "pick-pocketed", mugged or lose their wallets in other ways all the time, which puts you back at the KeyMat problem but from a different and (hopefully) more understandable and controlable way for the average person.

And to all those that have read this far have an enjoyable "winter festival" and be thankful we no longer have a bean in the pudding/cake for who will be "King for the Day" (and then have their blood let the next day to fertilize the fields as an offering to the various Gods).

[1] Nick P and I have discussed using liberal quantities of thermite in a fire brick safe on this site before but there are risks involved (traped moisture and other rapidly expanding/gassing substances can cause explosions for instance).

[2] If you hunt back on this blog you will see that Nick P, RobertT, myself and others have discusssed in depth how to store KeyMat in RAM and the various ways it can be got at. For a recent example look towards the end of this thread,

http://www.schneier.com/blog/archives/2012/08/...

Nick PDecember 25, 2012 5:12 PM

SECURITY NEWS

BLAKE2 variant of SHA-3 candidate faster than MD5

Readers might remember that I stated my intention of using any SHA-3 algorithm that survived peer review. I'm a believer in diversity. I'll be putting BLAKE2 to use in the near future.

Quantum crypto on broadband fiber

ASSURANCE TECH NEWS

We have numerous choices in terms of key internet services like HTTP and DNS to boost our security. I've also promoted porting stuff to robust OS's like OpenBSD, INTEGRITY or LynxSecure. We're lacking in the area of application servers, both products and how to do it. I think this is a step in the right direction.

It has minimal kernel code, the system is modular, the components are easy to implement, and it gives you plenty of dynamic functionality. I was thinking about doing something like that with Python, Lua or Java. I had considered Lua due to small size and JIT. I might just contribute to the JX Operating System platform and reuse existing Java tech.

iMatix is a big advocate of MDD and other enhanced development approaches. They have open sourced many of their tools. They've written helpful guides. They've also built applications with excellent performance, security and reliability characteristics. Another example of a company doing software development right.

OWASP Enterprise Security API is probably news to someone. I'm mentioning it just in case it benefits a reader. It's good work. I'd like to see a medium-to-high assurance implementation of it.

Not security related, but cool: interactive map of how brain organizes what we see.

Clive RobinsonDecember 26, 2012 12:13 AM

@ Nick P,

The BBC article on QKD you linked to might be new but the story is old (by Internet standards ;) I put a link up to an older story on the same research on a squid page a few weeks back).

Unfortunatly like many other articles published by "science correspondents" it's still getting the details wrong and trying to paint QKD as being ready for Prime Time (which it's not) and a Slayer of "modern internet-based encryption" (which it never will be in current QKD form).

I went through the details of some of QKD's failings back in,

http://www.schneier.com/blog/archives/2012/09/...

The big QKD problems most people talked of were,

1, Needs seperate fibres.
2, Range (or the lack there of).
3, Data Rate (or lack there of).

Which are thought in the main to be "technical" not "theoretical" problems that should be solvable which appears to be the case for the first problem with this latest bit of research from Cambridge. We have also seen slow (very very slow) progress on the Data Rate / range issues but they are well well away from 1x10^6 bits/sec at 1x10^6 meters that might bode well of sensible or wide spread commercial use.

However there are other problems that they just ignore presumably because they don't currently have technical solutions on which improvments can be made. Or they either hope someone else will think of a way to either mittigate or solve the problem.

One such issue is the one that stoped "Mono Rail Trains" becoming anything other than a localised curiosity and that is "points" or more correctly the ability to switch a train from one set of rails to another in a usable way.

Currently QKD is Point 2 Point or link level only, nobody has worked out how to either switch or route the QBit photons and maintain the security of the Quantum Theory promises. To be even as close to usable as nearly all "modern internet-based encryption" is this problem needs to be solved.

When and only when somebody solves the problem in a practical way that MUST also maintain the theoretical security level that Quantum Theory appears to give us will QKD have even a small chance of replacing "modern internet-based encryption".

And the last time I looked even solving the switching problem "in theory" was at best an open research issue...

Clive RobinsonDecember 26, 2012 3:15 PM

OFF Topic:

Some of you might have heard a bit about the NSA's "Perfect Citizen" project via one or two leaks to the news organisations.

Well the NSA downplayed it, however a Freedom Of Information request by the Electronic Privacy Information Center (EPIC) has turned up some interesting bits and pieces that make the previous NSA statments look somewhat less than shining examples of open honesty.

http://news.cnet.com/8301-1023_3-57560644-93/...

Nick PDecember 26, 2012 8:29 PM

@ Clive Robinson

"Unfortunatly like many other articles published by "science correspondents" it's still getting the details wrong and trying to paint QKD as being ready for Prime Time (which it's not) and a Slayer of "modern internet-based encryption" (which it never will be in current QKD form)."

Well, I wasn't necessarily promoting all the content of that article. You know from past conversations I'm not a QKD advocate. Hard to believe that will make it big if we still don't even have widespread secure email, SSL for web sites, or TLS for Internet apps.

Unrelated: I've mentioned that there are a few systems still around from the Orange Book days. I finally got a price on one. A full XTS-400 with 1GB RAM costs around $57,000. Ouch. The main reason for the price that I can see is higher costs for such products plus non-volume market, meaning the few customers must pay plenty.

I still don't know what a Boeing SNS costs. Apparently they really are defence only: the owner is Boeing Phantom Works and they never return my emails. I could pretext them, but I'm too legit for that. ;) I also found that their old competitor, Cryptek's DiamondTEK line, was acquired by API and somehow added into their Netgard Encryption suite. The "old guard" is still dying off, product by product, with only two in active use... barely.

At least we have DARPA Clean Slate funding bottom-up, secure computing. I can't wait to see what all of those groups finally come up with.

KashmarekDecember 28, 2012 1:51 PM

Looking for some help on "trusted" certificates. As part of login processing slowdown, I found over 350 "trusted" certificates on my Win7 32-bit computer (fully patched). A clean install into a new partition shows that 22 such certificates is all that is necessary. Most of the extra certificates are from foreign countries (though some are from banks, credit card issuers, or financial institutions).

Any idea how they get there? Could they be part of an attempt to use my computer in a botnet? What is the best reference for Trusted Certificates 101? Does anyone have a "trusted" certificate management tool that ties them together, explains where they came from (and why), plus knows which ones can be deleted without incurring any probelms?

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..