TRANSEC/EMSEC/TEMPEST

Artur Zak
CS 996 – Information Security Management
March 30, 2005

Overview
 Definitions
 History
 EMSEC
 TRANSSEC
 TEMPEST
 POSA Example
 Homework

Definitions
 EMSEC – Emission Security
   Preventing a system from being attacked using conducted or radiated electromagnetic signals.
 TRANSSEC – Transmission Security
   Preventing data from being attacked or intercepted during transmission.
 TEMPEST – Transient Electromagnetic Pulse Emanation Standard
   Government codeword that identifies a classified set of standards for limiting electric or electromagnetic radiation.

History
 1884 – Crosstalk
   Two-wire circuits stacked on tiers of crosstrees on supporting poles.
   Solution – twisted pair cables.
 1914 – Compromising emanations in warfare
   Earth leakage caused a lot of crosstalk, including messages from the enemy.
   Solution – abolish earth-return circuits within 3,000 yards of the front.

History
 1960s – TV detector vans
   British authorities checking who has a TV at home.
 1990s – Crypto keys in smartcards
   Recover the crypto key by analysis of the current drawn by the card.

EMSEC – Emission Security
 All electric and electronic devices radiate emanations during operation.
 Radiated signals may carry actual information.
 An attacker may want to capture the radiated signals and recreate some or all of the original information.
 The user being attacked will never know that someone intercepted the signals and recreated useful data from them.

EMSEC – Vulnerabilities
 Leakage through RF signals.
 Emanations from signal cables.
   Keyboard key presses can be picked up at up to 100 yards.
 Leakage to power lines.
   Power circuits pick up RF signals and conduct them to neighboring buildings.
 TV and computer screen radiation.
 Sound.
 Power analysis.
   Smartcard.
   EEPROM.

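The smartcard key recovery mentioned under History (1990s) and the Power Analysis bullet above both rest on the same observation: the current a device draws depends on the data it is processing. The following is an added example, not part of the slides, that simulates that dependence with a Hamming-weight current model and runs the kind of leakage check an evaluator would apply before fielding a card: a naive early-exit comparison of a secret against an input, beside a constant-time comparison. SECRET and GUESSES are constructed values.

```python
"""Simulated power-analysis leakage check for a secret comparison.

Added example, not from the slides. Assumptions: the card's instantaneous
current draw is proportional to the Hamming weight of the byte being handled
(a common first-order leakage model), and an observer can count how many
operations a captured trace contains. SECRET and GUESSES are constructed.
"""
from typing import Callable, List

SECRET = bytes([0x12, 0x34, 0x56, 0x78])       # constructed 4-byte key/PIN
GUESSES = [                                     # constructed probe inputs
    bytes([0x00, 0x00, 0x00, 0x00]),
    bytes([0x12, 0x00, 0x00, 0x00]),
    bytes([0x12, 0x34, 0x00, 0x00]),
    SECRET,
]

Compare = Callable[[bytes, bytes, List[int]], bool]


def hamming_weight(value: int) -> int:
    """One simulated current sample for handling a byte."""
    return bin(value & 0xFF).count("1")


def naive_compare(secret: bytes, guess: bytes, trace: List[int]) -> bool:
    """Early-exit comparison: the number of samples reveals how many leading bytes matched."""
    if len(secret) != len(guess):
        return False
    for s, g in zip(secret, guess):
        trace.append(hamming_weight(s ^ g))
        if s != g:
            return False            # stops early -> shorter trace
    return True


def constant_time_compare(secret: bytes, guess: bytes, trace: List[int]) -> bool:
    """Processes every byte regardless of mismatches, so the sample count is fixed.

    Note: the sample *values* still follow the data (Hamming weight of diff);
    removing that amplitude dependence needs masking or hardware measures.
    """
    diff = len(secret) ^ len(guess)
    for s, g in zip(secret, guess):
        diff |= s ^ g
        trace.append(hamming_weight(diff))
    return diff == 0


def trace_lengths(compare: Compare, secret: bytes, guesses: List[bytes]) -> List[int]:
    """Operation count per guess, as an observer of the current would see it."""
    lengths = []
    for g in guesses:
        trace: List[int] = []
        compare(secret, g, trace)
        lengths.append(len(trace))
    return lengths


def leaks_trace_length(compare: Compare, secret: bytes, guesses: List[bytes]) -> bool:
    """Leakage indicator: does the operation count vary with the input?"""
    return len(set(trace_lengths(compare, secret, guesses))) > 1


if __name__ == "__main__":
    for fn in (naive_compare, constant_time_compare):
        print(fn.__name__, trace_lengths(fn, SECRET, GUESSES),
              "leaks:", leaks_trace_length(fn, SECRET, GUESSES))
```

The naive version produces traces of 1, 2, 3 and 4 samples for the four guesses, so the trace length alone tells an observer how much of the secret a guess got right; the constant-time version always produces 4 samples. The same check applies to any secret-dependent branch, not only comparisons.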
EMSEC – Passive Attacks
 Passive attacks – using the electromagnetic signals already present to gain information.
 Wardriving
   Set up equipment in a car and capture the emitted signals, hoping to recover valuable information.
 Electromagnetic eavesdropping
   Attack against Automatic Teller Machines.
 Toys
   Furby toys remember and randomly repeat things they hear.

EMSEC – Active Attacks
 Bugs
 Radio microphones
 TEMPEST viruses
   Using a computer to play a tune, turning it into a low-grade radio transmitter.
 Nonstop
   Using phones near transmitters can cause data to be modulated by the phone and transmitted.
 Glitching
   Used to attack smartcards by inducing a useful error.

EMSEC – Countermeasures
 Attenuation – the opposite of amplification: reduce the signal strength during transmission.
   Decreases the radiation perimeter; the attacker needs to get closer to the source.
   Risks being caught by the authorities.
 Banding – restricting the information to a specific band of frequencies.
   The attacker has to first find out which band of frequencies to scan.
   If in the wrong band, only partial messages can be recovered.

EMSEC – Countermeasures
 Shielding – equipment or buildings shielded to prevent radiation from leaking from inside to outside or vice versa.
   Wardriving attack no longer a problem.
   May help against leakage.
 Zone of Control (Zoning) – the most sensitive equipment is kept in the rooms furthest from the facility's perimeter, and shielding is reserved for the most sensitive systems.
   May stop wardriving if the attacker is not able to penetrate the perimeter of the facility.

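Attenuation, shielding and zoning (the two countermeasure slides above) all trade on the same quantity: how far away an emanation is still detectable. The following added example, not part of the slides, puts numbers on that trade-off under a free-space inverse-square model, where every 20 dB of attenuation or shielding divides the detection range by 10, and works out for a constructed inventory how much shielding each device still needs once its room placement (zoning) is taken into account. Device names, ranges and distances are constructed values; the model is an assumption, not a measurement.

```python
"""Shielding, attenuation and zoning under a free-space propagation model.

Added example, not from the slides. Assumption: received power falls off as
1/d^2 (free space), so every 20 dB of attenuation or shielding divides the
distance at which an emanation is still detectable by 10. Real rooms, cables
and antennas deviate from this, so the results are a planning estimate to be
confirmed by measurement. Device names, ranges and distances are constructed.
"""
import math
from typing import Dict, List


def range_after_attenuation(detect_range_m: float, attenuation_db: float) -> float:
    """Detection range once attenuation_db of extra loss is in the path."""
    return detect_range_m * 10 ** (-attenuation_db / 20)


def shielding_needed_db(detect_range_m: float, distance_to_perimeter_m: float) -> float:
    """dB of shielding that pulls the detection range inside the perimeter.

    0 dB means zoning alone already suffices: the device sits further from
    the perimeter than its emanations can be detected.
    """
    if distance_to_perimeter_m <= 0:
        raise ValueError("device must be inside the facility perimeter")
    return max(0.0, 20 * math.log10(detect_range_m / distance_to_perimeter_m))


def plan_zones(inventory: List[Dict[str, object]]) -> Dict[str, float]:
    """Zoning first, shielding second: required dB per device given its room."""
    return {
        str(d["name"]): round(shielding_needed_db(float(d["detect_range_m"]),
                                                  float(d["perimeter_distance_m"])), 2)
        for d in inventory
    }


INVENTORY = [  # constructed values
    {"name": "crypto-workstation", "detect_range_m": 100.0, "perimeter_distance_m": 25.0},
    {"name": "inner-vault-terminal", "detect_range_m": 100.0, "perimeter_distance_m": 120.0},
    {"name": "lobby-kiosk", "detect_range_m": 30.0, "perimeter_distance_m": 3.0},
]

if __name__ == "__main__":
    print(range_after_attenuation(100.0, 40.0))   # 1.0: 40 dB cuts 100 m to 1 m
    print(plan_zones(INVENTORY))
```

The inner-vault terminal needs no shielding because its room is already further from the perimeter than its detection range, which is exactly the zoning argument on the slide; the lobby kiosk, 3 m from the perimeter, needs 20 dB to bring a 30 m range down to 3 m.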
EMSEC – Countermeasures
 Cabling and filtered power
   Filters cable and power supply noise.
   Suppresses the conducted leakage.
 Soft Tempest
   Applied to the commercial sector.
   Software techniques to filter, mask, or render incomprehensible the information-bearing electromagnetic emanations from a computer system.

TRANSSEC – Transmission Security
 Information needs to be shared.
 It must be transmitted over long distances.
 An attacker may want to intercept the information while in transit.

TRANSSEC – Vulnerabilities
 RF Fingerprinting
   Identifying an RF device based on its frequency behavior.
 Radio Direction Finding (RDF)
   Triangulating the signal of interest using directional antennas at two monitoring stations.
 Traffic Analysis
 Signals collection
   Collecting different signals and extracting information from them.

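The RDF bullet describes a fix from two directional antennas. The following added example, not part of the slides, carries that computation through: it intersects the two bearing rays, refuses a fix when the bearings are parallel or diverge, and estimates how far the fix can move for a given bearing error, which is what decides whether two stations are enough. Coordinate and bearing conventions, station positions and the error budget are constructed assumptions. The same calculation is what a facility uses defensively to pin down a rogue or leaking emitter on its own premises.

```python
"""Radio direction finding (RDF) by bearing intersection from two stations.

Added example, not from the slides. Conventions assumed here: positions are
local x/y coordinates in metres with y pointing north, and bearings are compass
bearings in degrees (0 = north, clockwise). Station positions, bearings and the
error budget below are constructed values.
"""
import itertools
import math
from typing import Optional, Tuple

Point = Tuple[float, float]


def bearing_vector(bearing_deg: float) -> Point:
    """Unit direction vector for a compass bearing."""
    rad = math.radians(bearing_deg)
    return (math.sin(rad), math.cos(rad))


def triangulate(a: Point, bearing_a: float, b: Point, bearing_b: float,
                eps: float = 1e-9) -> Optional[Point]:
    """Intersect the bearing rays from stations a and b.

    Returns None when the bearings are parallel (no fix; the stations need a
    wider baseline) or when the intersection lies behind either antenna
    (the rays diverge, so the two bearings cannot belong to one emitter).
    """
    dax, day = bearing_vector(bearing_a)
    dbx, dby = bearing_vector(bearing_b)
    denom = dax * dby - day * dbx          # 2-D cross product of the directions
    if abs(denom) < eps:
        return None
    wx, wy = b[0] - a[0], b[1] - a[1]      # baseline vector from a to b
    t = (wx * dby - wy * dbx) / denom      # distance along ray a
    u = (wx * day - wy * dax) / denom      # distance along ray b
    if t < 0 or u < 0:
        return None
    return (a[0] + t * dax, a[1] + t * day)


def fix_spread(a: Point, bearing_a: float, b: Point, bearing_b: float,
               bearing_error_deg: float) -> Optional[float]:
    """Largest displacement of the fix when each bearing is off by +/- the stated error.

    A rough error radius for the located emitter; None if the nominal fix or
    any perturbed fix is undefined.
    """
    nominal = triangulate(a, bearing_a, b, bearing_b)
    if nominal is None:
        return None
    worst = 0.0
    for ea, eb in itertools.product((-bearing_error_deg, bearing_error_deg), repeat=2):
        fix = triangulate(a, bearing_a + ea, b, bearing_b + eb)
        if fix is None:
            return None
        worst = max(worst, math.dist(fix, nominal))
    return worst


if __name__ == "__main__":
    # Constructed scenario: two stations 10 m apart on an east-west baseline.
    print(triangulate((0.0, 0.0), 45.0, (10.0, 0.0), 315.0))   # about (5.0, 5.0)
    print(fix_spread((0.0, 0.0), 45.0, (10.0, 0.0), 315.0, 2.0))
```

With the two stations 10 m apart and bearings of 45° and 315°, the fix lands at (5, 5); a 2° bearing error moves it by well under a metre, but the same error on a baseline of a few metres against an emitter hundreds of metres away would make the fix nearly useless, which is why the slide's "two monitoring stations" must be well separated.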
TRANSSEC – Attacks
 Eavesdropping
 Covert Channels
   A mechanism that, though not designed for communication, can nonetheless be abused to allow information to be communicated down from High to Low.
 Sniffing
   Listening in on voice conversations.
   Monitoring the traffic.
 Jamming
   Noise insertion.
   Active deception.

TRANSSEC – Defenses
 Low Probability of Detection (LPD)
   Techniques used to make it hard for the attacker to detect the presence of the signal.
   Directional signaling.
   Line of sight transmission.
 Low Probability of Interception (LPI)
   Techniques used to make it hard for attackers to intercept the signals.
   Frequency hoppers.
   Spread spectrum.
   Burst transmission.

TRANSSEC – Defenses
 Burst Transmission – send data in short bursts instead of continuous transmission.
   Employed by spies during WW II.
   The attacker never knows when the data is sent.
 Directional Signaling – send signals in a specific direction instead of broadcasting in all directions.
   The attacker has to first find out in which direction the signal is transmitted.
   Requires more complicated equipment to identify the source of transmission.

TRANSSEC – Defenses
 Frequency Hopping – during transmission, hop from frequency to frequency following a predefined pseudorandom sequence.
   The receiver knows the same sequence, so it knows which frequency to tune to.
   An attacker must know the exact sequence to be able to capture the message.
   Used in 2G and 3G cell phones.
 Line of Sight – used for short-distance transmissions.
   Optical transmission.
   IR transmission.
   The attacker needs to be in plain view, risking exposure.

TRANSSEC – Defenses
 Spread Spectrum
   Combine the information-bearing sequence with a higher-rate pseudorandom sequence.
   Makes it hard to intercept.
   Used in CDMA and GSM phones.
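The Frequency Hopping slide and the Spread Spectrum slide describe the two LPI techniques that rest on a pseudorandom sequence shared by sender and receiver. The following added example, not part of the slides, simulates both with one shared sequence generator: frequency hopping, where the receiver with the right seed recovers every symbol while a receiver parked on one channel or using the wrong seed gets only fragments, and direct-sequence spreading, where correlating with the right chip sequence returns the bits exactly and correlating with a different one returns noise. The LFSR, seeds, channel count, chips-per-bit and the message are constructed assumptions, not the sequences used by any real phone system.

```python
"""Frequency hopping and direct-sequence spread spectrum, simulated end to end.

Added example, not from the slides. Both techniques depend on a pseudorandom
sequence that sender and receiver share; a 16-bit LFSR stands in for it here,
and the seed plays the role of the shared secret. Channel count, seeds,
chips-per-bit and the message are constructed values.
"""
from typing import List, Optional, Tuple

Symbol = Tuple[int, int]  # (channel, bit)


def lfsr_bits(seed: int, n: int) -> List[int]:
    """Fibonacci LFSR with taps 16,14,13,11 (period 2^16-1); seed must be non-zero."""
    if not 0 < seed < (1 << 16):
        raise ValueError("seed must be a non-zero 16-bit value")
    state, out = seed, []
    for _ in range(n):
        bit = (state ^ (state >> 2) ^ (state >> 3) ^ (state >> 5)) & 1
        state = (state >> 1) | (bit << 15)
        out.append(bit)
    return out


# --- Frequency hopping: one symbol per hop, channel chosen by the sequence ---

def hop_sequence(seed: int, n_hops: int, n_channels: int) -> List[int]:
    """Channel index for each hop, taken from successive 8-bit LFSR words."""
    bits = lfsr_bits(seed, 8 * n_hops)
    words = [bits[i:i + 8] for i in range(0, len(bits), 8)]
    return [int("".join(map(str, w)), 2) % n_channels for w in words]


def transmit_fh(message: List[int], seed: int, n_channels: int) -> List[Symbol]:
    """Pair each message bit with the channel it is sent on."""
    return list(zip(hop_sequence(seed, len(message), n_channels), message))


def receive_fh(symbols: List[Symbol], seed: int, n_channels: int) -> List[Optional[int]]:
    """Tune to the expected channel each hop; None where nothing was heard there."""
    expected = hop_sequence(seed, len(symbols), n_channels)
    return [bit if ch == exp else None for (ch, bit), exp in zip(symbols, expected)]


def monitor_one_channel(symbols: List[Symbol], channel: int) -> List[Optional[int]]:
    """A receiver parked on one channel hears only the hops that land on it."""
    return [bit if ch == channel else None for ch, bit in symbols]


# --- Direct-sequence spread spectrum: each bit multiplied by a chip sequence ---

def chip_sequence(seed: int, chips_per_bit: int) -> List[int]:
    """Short repeating spreading code as +/-1 chips (as in Barker-coded DSSS)."""
    return [1 if b else -1 for b in lfsr_bits(seed, chips_per_bit)]


def spread(message: List[int], seed: int, chips_per_bit: int) -> List[int]:
    """Multiply each data bit (as +/-1) by the higher-rate chip sequence."""
    chips = chip_sequence(seed, chips_per_bit)
    return [(1 if bit else -1) * c for bit in message for c in chips]


def despread(signal: List[int], seed: int, chips_per_bit: int) -> Tuple[List[int], List[float]]:
    """Correlate each chip group with the code; returns bits and per-bit |correlation|.

    With the right code the normalised correlation is exactly +/-1; with a
    code from a different seed it is strictly smaller and the bits are noise.
    """
    chips = chip_sequence(seed, chips_per_bit)
    bits, confidence = [], []
    for i in range(0, len(signal), chips_per_bit):
        group = signal[i:i + chips_per_bit]
        corr = sum(s * c for s, c in zip(group, chips)) / chips_per_bit
        bits.append(1 if corr > 0 else 0)
        confidence.append(abs(corr))
    return bits, confidence


MESSAGE = [1, 0, 1, 1, 0, 0, 1, 0, 1, 1, 1, 0, 0, 1, 0, 1]  # constructed 16-bit payload
SHARED_SEED, WRONG_SEED, CHANNELS, CHIPS = 0xACE1, 0x1234, 16, 31

if __name__ == "__main__":
    fh = transmit_fh(MESSAGE, SHARED_SEED, CHANNELS)
    print("FH, right seed  :", receive_fh(fh, SHARED_SEED, CHANNELS))
    print("FH, fixed chan  :", monitor_one_channel(fh, 3))
    ds = spread(MESSAGE, SHARED_SEED, CHIPS)
    print("DSSS, right code:", despread(ds, SHARED_SEED, CHIPS)[0])
    print("DSSS, wrong code:", despread(ds, WRONG_SEED, CHIPS))
```

The confidence value from despread is the practical check: a legitimate receiver sees 1.0 on every bit, and anything noticeably lower means either the wrong code or a jammed/noisy channel. A real system would also have to keep the two sides' sequence generators in step (clock synchronisation), which the simulation sidesteps by starting both at the same seed.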

TEMPEST
 Employing some of the defenses may not be enough to secure the entire system.
 Attackers may find a loophole and break into a system.
 Standards are needed to make sure that the system is secured well enough against both emanations and interception during transmission.

TEMPEST
 Government standard defining how to make government systems secure from an attacker.
 Employs both EMSEC and TRANSSEC techniques to limit the emanations from electronic equipment.
 Applies strictly to classified facilities:
   Individual electronic equipment.
   Rooms in buildings.
   Entire buildings.
 Classified until 1995.
 After 1995 only basic information was declassified.

TEMPEST Red/Black Separation
 Maintain distance or install shielding between the circuits and equipment that handle classified or sensitive information and the rest.
 RED -> classified or sensitive information.
 BLACK -> normal unsecured equipment.
   Includes equipment carrying the encrypted signal.

TEMPEST Red/Black Separation
 Manufacture must be done under careful quality control.
   Ensures that additional units are built exactly the same as the units that were tested.
   Changing even a single wire can invalidate the tests.

Maintenance and Disposition of TEMPEST Equipment
 Guidelines provided by the National Security Telecommunications and Information Systems Security Advisory Memorandum (NSTISSAM).
 Applicable to all departments and agencies of the U.S. Government that use, maintain, or make disposition of TEMPEST equipment.

Installation Requirements
 All equipment must meet the requirements of NSTISSAM.
 All must be installed in accordance with Red/Black separation criteria.
 A local TEMPEST Manager must oversee the process.
   Coordinate and document all accreditation documents resulting from the installation.

TEMPEST Procedures
 TEMPEST Endorsement Program
   Establishes guidelines for vendors to manufacture, produce, and maintain endorsed equipment.
   The vendor must provide life cycle support for its customers to ensure continued TEMPEST integrity of the product.
   Support detailed in TEP's TSRD No. 88-9B, dated 8 March 1991.

TEMPEST Program Development
 Guidelines for development of a maintenance and disposition program:
   Consider the additional cost of the program.
   Ensure that data resident on the equipment is not compromised during the maintenance/disposition process.
   Keep a log of maintenance actions for all TEMPEST equipment:
     Date of maintenance.
     Action taken.
     Technician name.
     Equipment model and serial number.

TEMPEST Disposition Procedures
 Use approved purging software to overwrite hard drives.
 Maintain a log of the model and serial number of all equipment disposed of or destroyed.
 Destruction of TEMPEST equipment no longer required is recommended if transfer to another U.S. Government department/agency is impractical:
   Serial numbers and any classified markings must be removed.
   The equipment will be broken into pieces of such a nature as to preclude restoration.
   A destruction certificate will be prepared and signed by the witnessing individual.
   All residue will be returned as scrap metal to the Defense Reutilization Management Office.

TEMPEST Accreditation
 TEMPEST Countermeasures Review
   Recommended countermeasures are threat driven and based on risk management principles.
   Each site must be separately evaluated and inspected.
   Sites cannot be approved automatically by being inside an inspectable space.
   Certification must apply to the entire system.
   Connecting a single unshielded component compromises the entire system.

Is TEMPEST necessary?
 Two schools of thought:
   Yes: without TEMPEST, information security is compromised.
   No: TEMPEST is a waste of resources, time, and money.

Need for TEMPEST
 “The fact that electronic equipment give off electromagnetic emanations has long been a concern of the US Government. An attacker using off-the-shelf equipment can monitor and retrieve classified or sensitive information as it is being processed without the user being aware that a loss is occurring” – 1994 Joint Secretary Commission report to the Secretary of Defense and Director of Central Intelligence.

Need for TEMPEST
 “Foreign governments continually engage in attacks against U.S. secure communications and information processing facilities for the sole purpose of exploring compromising emanations” – Navy manual that discusses compromising emanations.

No need for TEMPEST
 1991 -> CIA Inspector General report to the Intelligence Community.
   Millions of dollars spent on protecting a vulnerability that had a low probability of exploitation.
   Review the TEMPEST requirements based on threat.
   Recommended reducing TEMPEST requirements.

Examples
 British MI5, monitoring French traffic, noticed that the enciphered traffic carried a faint secondary signal.
 A replica of the Great Seal of the United States was presented to the U.S. ambassador in Moscow in 1946; in 1952 the problem with the gift was discovered.
 A new U.S. embassy in Moscow had to be abandoned after large numbers of microphones were found in the structure.

TEMPEST Incidents
 No coverage of TEMPEST incidents in the press.
 Business and government do not admit to any kind of security breach achieved because of a lack of TEMPEST security.
   Don't want to admit a security breach to the public.
   Don't know that data was compromised, since passive attacks are not easily detectable.

Business Side of TEMPEST
 The TEMPEST industry is an over-a-billion-dollar-a-year business.
 Indicates that there are viable threats, and organizations take protective measures.
 TEMPEST certified equipment is often twice as expensive as regular equipment of similar performance.
 The U.S. Government shields entire buildings to prevent any emanations from leaking outside the allowed perimeter.

POSA Example

[Diagram: message flow between USER, Register, POSA and CFAC; only the numbered message labels survive extraction]
 1 Sale information
 2 Display sale info
 3 User CC information
 4 Sale & user information
 5 Y/N
 6 Y/N
 7 Complete trans.
 8 Complete transaction

Homework
 Perform an EMSEC/TRANSSEC risk analysis on the GTS system.
   Identify the emanation and transmission vulnerabilities.
   Make recommendations as to which countermeasures should be used to eliminate the threat.