450 likes | 821 Views
TRANSEC/EMSEC/TEMPEST. Artur Zak CS 996 – Information Security Management March 30, 2005. Overview. Definitions History EMSEC TRANSSEC TEMPEST POSA Example Homework. Definitions . EMSEC - Emission Security
E N D
TRANSEC/EMSEC/TEMPEST Artur Zak CS 996 – Information Security Management March 30, 2005
Overview • Definitions • History • EMSEC • TRANSSEC • TEMPEST • POSA Example • Homework
Definitions • EMSEC - Emission Security • Preventing a system from being attacked using conducted or radiated electromagnetic signals • TRANSSEC - Transmission Security • Preventing data from being attacked or intercepted during the transmission. • TEMPEST – Transient Electromagnetic Pulse Emanation Standard • Government codeword that identifies a classified set of standards for limiting electric or electromagnetic radiation.
History • 1884 – Crosstalk • Two-wire circuits stacked on tiers of crosstrees on supporting poles. • Solution – twisted pair cables. • 1914 – compromising emanations in warfare. • Earth leakage caused a lot crosstalk including messages from the enemy. • Solution – abolish earth-return circuits within 3,000 yeards of the front.
History • 1960’s – TV detector vans. • British authorities checking who has a TV at home. • 1990’s – Crypto keys in smartcards. • Recover the crypto key by analysis of the current drawn by the card.
EMSEC – Emission Security • All electric and electronic devices radiate emanations during operation. • Radiated signals may carry actual information. • Attacker may want to capture the radiated signals and recreate some or all of the original information. • User being attacted will never know that someone intercepted any signals and recreated useful data from it.
EMSEC - Vulnerabilities • Leakage through RF signals. • Emanations from signal cables. • Keyboard key presses can be picked up at up to 100 yards. • Leakage to power lines. • Power circuits pick up RF signals and conduct them to neighboring buildings. • TV and computer screen radiation. • Sound. • Power Analysis. • Smartcard. • EEPROM.
EMSEC – Passive Attacks • Passive Attacks – using electromagnetic signals present to gain information. • Wardriving. • Set up equipment in a car and capture the emitted signals hoping to recover valuable information. • Electromagnetic Eavesdropping • Attack against Automatic Teller Machines. • Toys • Furby toys remember and randomly repeat things they hear.
EMSEC – Active Attacks • Active Attacks. • Bugs • Radio Microphones. • TEMPEST Viruses • Using computer to play a tune, turning it into low-grade radio transmitter. • Nonstop • Using Phones near transmitters can cause to data to be modulated by the phone and transmitted. • Glitching • Used to attack smartcards, but inducing a useful error.
EMSEC – Countermeasures • Attenuation – opposite of amplification. Reduce the signal strength during transmission. • Decreases radiation perimeter. Attacker needs to get closer to the source. • Risks being caught by the authorities. • Banding – restricting the information to be in a specific band of frequencies. • Attacker has to first find out which band of frequencies to scan. • If in a wrong band, only partial messages can be recovered.
EMSEC - Countermeasures • Shielding – Equipment or Buildings shielded to prevent radiation from leaking from inside to outside or vice-versa. • Wardriving attack no longer a problem. • May help against leakage. • Zone of Control (Zoning) – most sensitive equipment is kept in the rooms furthest from the faciliti’s perimeter, and shielding is reserved for the most sensitive systems. • May stop wardriving if attacker is not able to penetrate the perimiter of the facility.
EMSEC - Countermeasures • Cabling Filtered Power • Filters cable and power supply noise. • Suppresses the conducted leakage. • Soft Tempest • Applied to commercial sector • Software techniques to filter, mask, or render incomprehensible information bearing electromagnetic emanations from a computer system.
TRANSSEC – Transmission Security • Information needs to be shared. • Must be transmitted over long distances. • Attacker may want to intercept the information while in transit.
TRANSSEC - Vulnerabilities • RF Fingerprinting • Identifying RF device based on the frequency behavior. • Radio Direction Finding (RDF) • Triangulating the signal of interest using directional antennas at two monitoring stations. • Traffic Analysis • Signals collection • Collecting different signals and extracting information from them.
TRANSSEC - Attacks • Eavesdropping • Listening on voice conversations. • Covert Channels • Mechanism that though now designed for communication can nonetheless be abused to allow information to be communicated down from High to Low. • Sniffing • Monitoring the traffic. • Jamming. • Noise insertion • Active Deception
TRANSSEC – Defenses • Low Probability of Detection (LPD) • Techniques used to make it hard for the attacker to detect presence of the signal. • Directional Signaling • Line of Sight transmission • Low Probability of Interception (LPI) • Techniques used to make it hard for attackers to intercept the signals. • Frequency hoppers • Spread spectrum • Burst transmission
TRANSSEC - Defenses • Burst Transmission – send data in short bursts instead of continuous transmission. • Employed by spies during WW II. • Attacker never knows when the data is sent. • Directional signaling – send signals in a specific direction instead of broadcast in all directions. • Attacker has to first find out in which direction the signal is transmitted. • Requires more complicated equipment to identify the source of transmission.
TRANSSEC - Defenses • Frequency Hopping – during transmission hop from frequency to frequency with predefined pseudorandom sequence. • The receiver know the same sequence, therefore it knows which frequency to tune in. • Attacker must know the exact sequence to be able to capture the message. • Used in 2G and 3G cell phones. • Line of Sight – Used for short distance transmissions. • Optical transmission. • IR transmission. • Attacker needs to be in plain view, risking being exposed.
TRANSSEC - Defenses • Spread Spectrum • Combine information-bearing sequence by a higher-rate pseudorandom sequence. • Makes it hard to intercept. • Used in CDMA and GSM phones.
TEMPEST • Employing some of the defenses may not be enough to secure entire system. • Attackers may find a loophole, and break into a system. • Standards are needed to make sure that the system is secured enough from both emanations and during transmission.
TEMPEST • Government standard defining how to make government systems secured from an attacker. • Employs both EMSEC and TRASNSSEC techniques to limit the emanations from electronic equipment. • Applies Strictly to classified facilities. • Individual electronic equipment. • Rooms in buildings. • Entire buildings • Classified until 1995. • After 1995 only basic information declassified.
TEMPEST Red/Black Separation • Maintain distance or install shielding between circuits and equipment used to handle classified or sensitive information. • RED -> classified or sensitive information. • BLACK -> normal unsecured equipment. • Includes equipment carrying encrypted signal.
TEMPEST Red/Black Separation • Manufacture must be done under careful quality control. • Ensures that additional units are built exactly the same as the units that were tested. • Changing even a single wire can invalidate the tests.
Maintenance and Disposition of TEMPEST Equipment • Guidelines provided by National Security Telecommunications and Information Systems Security Advisory Memorandum (NSTISSAM). • Applicable to all departments and agencies of the U.S. Government that use, maintain, or make disposition of TEMPEST equipment.
Installation Requirements • All equipment must meet the requirements of NSTISSAM. • All must be installed in accordance with Red/Black separation criteria. • Local TEMPEST Manager must oversee the process. • Coordinate and document all accreditation documents resulting from the installation.
TEMPEST Procedures • TEMPEST Endorsement Program. • Establishes guidelines for vendors to manufacture, produce, and maintain endorsed equipment. • Vendor must provide life cycle support for its customers to ensure continued TEMPEST integrity of the product. • Support detailed in TEP’s TSRD No. 88-9B, dated 8 March 1991.
TEMPEST Program Development • Guidelines for development of a maintenance and disposition program: • Consider the addition cost of the program. • Ensure that data resident on the equipment is not compromised during the maintenance/disposition process. • Keep a log of maintenance action for all TEMPEST equipment • Date of maintenance. • Action taken. • Technician name. • Equipment model and serial number.
TEMPEST Disposition Procedures • Use approved purging software to overwrite hard drives. • Maintain a log of the model and serial number of all equipment disposed/destroyed. • Destruction of TEMPEST equipment no longer required is recommended if transfer to another U.S. Government department/agency is impractical. • Serial numbers and any classified markings must be removed. • The equipment will be broken into pieces of such a nature as to preclude restoration. • A destruction certificate will be prepared and signed by the witnessing individual. • All residue will be returned as scrap metal to the Defense Reutilization Management Office.
TEMPEST Accreditation • TEMPEST Countermeasures Review • Recommended countermeasures are threat driven, and based on risk management principles. • Each site must be separately evaluated and inspected. • Sites cannot be approved automatically by being inside an inspectable space. • Certification must apply to entire system. • Connecting a single unshielded component compromises the entire system.
Is TEMPEST necessary? • Two schools of thought: • Yes: Without TEMPEST information security is compromised. • No: TEMPEST is a waste of resources, time, and money
Need for TEMPEST • “The fact that electronic equipment give off electromagnetic emanations has long been a concern of the US Government. An attacker using off-the-shelf equipment can monitor and retrieve classified or sensitive information as it is being processed without the user being aware that a loss is occurring” – 1994 Joint Secretary Commission report to the Secretary of Defense and Director of Central Intelligence.
Need for TEMPEST • “Foreign governments continually engage in attacks against U.S. secure communications and information processing facilities for the sole purpose of exploring compromising emanations” – Navy manual that discusses compromising emanations.
No need for TEMPEST • 1991 -> CIA Inspector General report to an Intelligence Community. • Millions of dollars spent on protecting a vulnerability that had low probability of exploitation. • Review the TEMPEST requirements based on threat • Recommended to reduce TEMPEST requirements.
Examples • British MI5 monitoring French traffic noticed enciphered traffic carried a faint secondary signal. • Replica of Great Seal of the United States presented to U.S. ambassador in Moscow in 1946. 1952 problem discovered with the gift. • A new U.S. embassy in Moscow had to be abandoned after large numbers of microphones were found in the structure.
TEMPEST Incidents • No TEMPEST incidents coverage in the press. • Business and Government do not admit to any kind of security breaches achieved because lack of TEMPEST security. • Don’t want to admit to the public of security breach. • Don’t know that data was compromised, since Passive attacks are not easily detectable.
Business Side of TEMPEST • TEMPEST industry is over a billion dollar a year business. • Indicates that there are variable threats, and organizations take protective measures. • TEMPEST certified equipment is often twice as expensive as regular equipment of similar performance. • U.S. Government Shields entire buildings to prevent any emanations to leak outside of allowed perimeter.
CFAC 4 Sale & user information 8 Complete transaction 5 Y/N POSA 1 Sale information 7 Complete Trans. Register 6 Y/N 2 Display Sale Info 3 User CC information USER POSA Example
Homework • Perform EMSEC/TRANSSEC risk analysis on GTS system. • Identify the emanation and transmission vulnerabilities. • Make recommendations as to which countermeasures should be used to eliminate the threat.