transec/emsec/ tempest artur zak cs 996 – information security management march 30, 2005
Post on 19-Dec-2015
235 views
TRANSCRIPT
TRANSEC/EMSEC/TEMPEST
Artur ZakCS 996 – Information Security
ManagementMarch 30, 2005
Overview
Definitions History EMSEC TRANSSEC TEMPEST POSA Example Homework
Definitions
EMSEC - Emission Security Preventing a system from being attacked using conducted or
radiated electromagnetic signals TRANSSEC - Transmission Security
Preventing data from being attacked or intercepted during the transmission.
TEMPEST – Transient Electromagnetic Pulse Emanation Standard Government codeword that identifies a classified set of
standards for limiting electric or electromagnetic radiation.
History
1884 – Crosstalk Two-wire circuits stacked on tiers of crosstrees on
supporting poles. Solution – twisted pair cables.
1914 – compromising emanations in warfare. Earth leakage caused a lot crosstalk including
messages from the enemy. Solution – abolish earth-return circuits within 3,000 yeards of
the front.
History
1960’s – TV detector vans.British authorities checking who has a TV at
home.
1990’s – Crypto keys in smartcards.Recover the crypto key by analysis of the
current drawn by the card.
EMSEC – Emission Security
All electric and electronic devices radiate emanations during operation.
Radiated signals may carry actual information. Attacker may want to capture the radiated
signals and recreate some or all of the original information. User being attacted will never know that someone
intercepted any signals and recreated useful data from it.
EMSEC - Vulnerabilities
Leakage through RF signals. Emanations from signal cables.
Keyboard key presses can be picked up at up to 100 yards. Leakage to power lines.
Power circuits pick up RF signals and conduct them to neighboring buildings.
TV and computer screen radiation. Sound. Power Analysis.
Smartcard. EEPROM.
EMSEC – Passive Attacks
Passive Attacks – using electromagnetic signals present to gain information. Wardriving.
Set up equipment in a car and capture the emitted signals hoping to recover valuable information.
Electromagnetic Eavesdropping Attack against Automatic Teller Machines.
Toys Furby toys remember and randomly repeat things they hear.
EMSEC – Active Attacks
Active Attacks. Bugs
Radio Microphones. TEMPEST Viruses
Using computer to play a tune, turning it into low-grade radio transmitter.
Nonstop Using Phones near transmitters can cause to data to be
modulated by the phone and transmitted. Glitching
Used to attack smartcards, but inducing a useful error.
EMSEC – Countermeasures
Attenuation – opposite of amplification. Reduce the signal strength during transmission. Decreases radiation perimeter. Attacker needs to get
closer to the source. Risks being caught by the authorities.
Banding – restricting the information to be in a specific band of frequencies. Attacker has to first find out which band of
frequencies to scan. If in a wrong band, only partial messages can be recovered.
EMSEC - Countermeasures
Shielding – Equipment or Buildings shielded to prevent radiation from leaking from inside to outside or vice-versa. Wardriving attack no longer a problem. May help against leakage.
Zone of Control (Zoning) – most sensitive equipment is kept in the rooms furthest from the faciliti’s perimeter, and shielding is reserved for the most sensitive systems. May stop wardriving if attacker is not able to penetrate the
perimiter of the facility.
EMSEC - Countermeasures
Cabling Filtered PowerFilters cable and power supply noise.
Suppresses the conducted leakage.
Soft TempestApplied to commercial sector
Software techniques to filter, mask, or render incomprehensible information bearing electromagnetic emanations from a computer system.
TRANSSEC – Transmission Security Information needs to be shared. Must be transmitted over long distances. Attacker may want to intercept the
information while in transit.
TRANSSEC - Vulnerabilities
RF Fingerprinting Identifying RF device based on the frequency
behavior. Radio Direction Finding (RDF)
Triangulating the signal of interest using directional antennas at two monitoring stations.
Traffic Analysis Signals collection
Collecting different signals and extracting information from them.
TRANSSEC - Attacks
Eavesdropping Listening on voice conversations.
Covert Channels Mechanism that though now designed for communication can
nonetheless be abused to allow information to be communicated down from High to Low.
Sniffing Monitoring the traffic.
Jamming. Noise insertion Active Deception
TRANSSEC – Defenses
Low Probability of Detection (LPD) Techniques used to make it hard for the attacker to
detect presence of the signal. Directional Signaling Line of Sight transmission
Low Probability of Interception (LPI) Techniques used to make it hard for attackers to
intercept the signals. Frequency hoppers Spread spectrum Burst transmission
TRANSSEC - Defenses
Burst Transmission – send data in short bursts instead of continuous transmission. Employed by spies during WW II. Attacker never knows when the data is sent.
Directional signaling – send signals in a specific direction instead of broadcast in all directions. Attacker has to first find out in which direction the
signal is transmitted. Requires more complicated equipment to identify the source
of transmission.
TRANSSEC - Defenses
Frequency Hopping – during transmission hop from frequency to frequency with predefined pseudorandom sequence. The receiver know the same sequence, therefore it knows which
frequency to tune in. Attacker must know the exact sequence to be able to capture the
message. Used in 2G and 3G cell phones.
Line of Sight – Used for short distance transmissions. Optical transmission.
IR transmission. Attacker needs to be in plain view, risking being exposed.
TRANSSEC - Defenses
Spread SpectrumCombine information-bearing sequence by a
higher-rate pseudorandom sequence. Makes it hard to intercept. Used in CDMA and GSM phones.
TEMPEST
Employing some of the defenses may not be enough to secure entire system.
Attackers may find a loophole, and break into a system.
Standards are needed to make sure that the system is secured enough from both emanations and during transmission.
TEMPEST
Government standard defining how to make government systems secured from an attacker. Employs both EMSEC and TRASNSSEC techniques
to limit the emanations from electronic equipment. Applies Strictly to classified facilities.
Individual electronic equipment. Rooms in buildings. Entire buildings
Classified until 1995. After 1995 only basic information declassified.
TEMPEST Red/Black Separation
Maintain distance or install shielding between circuits and equipment used to handle classified or sensitive information.
RED -> classified or sensitive information. BLACK -> normal unsecured equipment.
Includes equipment carrying encrypted signal.
TEMPEST Red/Black Separation
Manufacture must be done under careful quality control. Ensures that additional units are built exactly the
same as the units that were tested. Changing even a single wire can invalidate the tests.
Maintenance and Disposition of TEMPEST Equipment Guidelines provided by National Security
Telecommunications and Information Systems Security Advisory Memorandum (NSTISSAM).Applicable to all departments and agencies of
the U.S. Government that use, maintain, or make disposition of TEMPEST equipment.
Installation Requirements
All equipment must meet the requirements of NSTISSAM.
All must be installed in accordance with Red/Black separation criteria.
Local TEMPEST Manager must oversee the process.Coordinate and document all accreditation
documents resulting from the installation.
TEMPEST Procedures
TEMPEST Endorsement Program.Establishes guidelines for vendors to
manufacture, produce, and maintain endorsed equipment.
Vendor must provide life cycle support for its customers to ensure continued TEMPEST integrity of the product.
Support detailed in TEP’s TSRD No. 88-9B, dated 8 March 1991.
TEMPEST Program Development
Guidelines for development of a maintenance and disposition program: Consider the addition cost of the program. Ensure that data resident on the equipment is not compromised
during the maintenance/disposition process. Keep a log of maintenance action for all TEMPEST equipment
Date of maintenance. Action taken. Technician name. Equipment model and serial number.
TEMPEST Disposition Procedures
Use approved purging software to overwrite hard drives. Maintain a log of the model and serial number of all equipment
disposed/destroyed. Destruction of TEMPEST equipment no longer required is
recommended if transfer to another U.S. Government department/agency is impractical. Serial numbers and any classified markings must be removed. The equipment will be broken into pieces of such a nature as to
preclude restoration. A destruction certificate will be prepared and signed by the witnessing
individual. All residue will be returned as scrap metal to the Defense Reutilization
Management Office.
TEMPEST Accreditation
TEMPEST Countermeasures Review Recommended countermeasures are threat driven,
and based on risk management principles. Each site must be separately evaluated and
inspected. Sites cannot be approved automatically by being inside an
inspectable space. Certification must apply to entire system.
Connecting a single unshielded component compromises the entire system.
Is TEMPEST necessary?
Two schools of thought:Yes: Without TEMPEST information security
is compromised.
No: TEMPEST is a waste of resources, time, and money
Need for TEMPEST
“The fact that electronic equipment give off electromagnetic emanations has long been a concern of the US Government. An attacker using off-the-shelf equipment can monitor and retrieve classified or sensitive information as it is being processed without the user being aware that a loss is occurring” – 1994 Joint Secretary Commission report to the Secretary of Defense and Director of Central Intelligence.
Need for TEMPEST
“Foreign governments continually engage in attacks against U.S. secure communications and information processing facilities for the sole purpose of exploring compromising emanations” – Navy manual that discusses compromising emanations.
No need for TEMPEST
1991 -> CIA Inspector General report to an Intelligence Community.Millions of dollars spent on protecting a
vulnerability that had low probability of exploitation.
Review the TEMPEST requirements based on threat
Recommended to reduce TEMPEST requirements.
Examples
British MI5 monitoring French traffic noticed enciphered traffic carried a faint secondary signal.
Replica of Great Seal of the United States presented to U.S. ambassador in Moscow in 1946. 1952 problem discovered with the gift.
A new U.S. embassy in Moscow had to be abandoned after large numbers of microphones were found in the structure.
TEMPEST Incidents
No TEMPEST incidents coverage in the press. Business and Government do not admit to any
kind of security breaches achieved because lack of TEMPEST security. Don’t want to admit to the public of security breach. Don’t know that data was compromised, since
Passive attacks are not easily detectable.
Business Side of TEMPEST
TEMPEST industry is over a billion dollar a year business.
Indicates that there are variable threats, and organizations take protective measures.
TEMPEST certified equipment is often twice as expensive as regular equipment of similar performance.
U.S. Government Shields entire buildings to prevent any emanations to leak outside of allowed perimeter.
POSA Example
POSA
CFAC
USER
1 Sale information7 Complete Trans.
Register
5 Y/N
4 Sale & user information8 Complete transaction
3 User CCinformation
6 Y/N 2 DisplaySale Info
Homework
Perform EMSEC/TRANSSEC risk analysis on GTS system. Identify the emanation and transmission
vulnerabilities.Make recommendations as to which
countermeasures should be used to eliminate the threat.