RE: [Full-disclosure] Tempest today
You have your answer, but I'll add some background anyway. TEMPEST is old stuff (US/UK). Anyone who's ever worked in COMSEC (Government Communications Security) knows about TEMPEST; it was a big deal during the cold war. Most of the basic stuff was declassified in 1995. It's simply the ability to block any and all unintentional signals ('electro-magnetic radiation') which may emanate from communication or data processing equipment. There are two parts of COMSEC equipment: the part that handles the plain text data like I/O, processor and memory (red side), and the part that's not involved in unencrypted data like power supplies and I/O that carries encrypted data (black side).

One of the earlier examples of a TEMPEST leak was the ability to pick up typed text from the power lines into teletype equipment or even the IBM Selectric typewriters. Some of the embassies on both sides of the cold war were found to have innocent wires stretched across the ceiling of the comm center but with both ends unterminated, which apparently operated as a simplistic amplifier or pickup. Many bugs picked up and repeated electronic, not audio, signals. The U.S. Embassy in the USSR had to be rebuilt in the '80s because the concrete was peppered with passive electronic components (things like resistors and real bugs).

A simple demonstration of TEMPEST vulnerability is by using a telco impedance pickup. The impedance pickup will amplify voice (or data) on a phone wire without needing to touch the metal wire. It picks up the varying magnetic field around a wire which expands and collapses as the signal changes. (It also buzzes radically when near fluorescent bulbs, old high-leakage CRT monitors, some LCDs, some keyboards, and some mice.)

Another related term you might want to google is SIGINT, or Signals Intelligence. It covers the ability to collect and process signals. There's more to it than meets the eye. The position of a signal can be triangulated electronically within a few milliseconds; 'position' is data. The keystrokes or other characteristics of encrypted data can tell you who the operator is; 'characteristic' is data you can link with HUMINT (Human Intelligence). Then there's the conversation, which sorta tells you who's talking to who and what's been escalated up to or repeated from headquarters (makes life easy if someone in the conversation passes along a message using weak crypto or a compromised key). Many INTEL satellites are SIGINT, more like radioscopes pointed down which join the hubble-sister telescopes pointed down. (Note: Encryption applies privacy only temporarily. Encryptions of the past are obsolete and weak today, and can be decrypted at leisure.)

That's what TEMPEST is worried about: leaking signal from red side to black side, that signal getting picked up by some guy with telco gear, a bug in the wall or an antenna in the ceiling, or a trio of satellites above. Doesn't help that you used that 3DES PGP key 5 years ago.

Bill Stout

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Paul Sebastian Ziegler
Sent: Friday, August 18, 2006 9:45 AM
To: full-disclosure
Subject: [Full-disclosure] Tempest today

Hi list,

I've seen some fuss about the technique called "tempest" lately. Some people claim it would be "the thing" in modern security. This bugs me somehow because first of all I think it is way too much of an effort compared to the more casual techniques used today. Also all information that I can find on the Internet refers to some stuff the NSA released in the mid-nineties. Now that is not really a good and reliable source of information in my belief. :)

Can anybody tell me how far evolved this technique is today and who uses it? Maybe some reference to a whitepaper or something similar. Would be great.

Thanks
Paul

Brief definition of tempest for those who have never heard of it: Picking up the radiation produced by a monitor or cables that connect the graphics-card or graphics-chipset with the monitor in order to spy on the screen of the user. Kind of like getting access to a VNC server on the box without having input yourself. The interesting part is that it is technically undetectable.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] RealVNC 4.1.2 minor heap corruption/DoS vulnerability (authentication required)
They probably will post patch information here: http://www.realvnc.com/pipermail/vnc-announce/2006/date.html

- Juha-Matti

Niall FitzGibbon <[EMAIL PROTECTED]> wrote:

This vulnerability affects the latest version of RealVNC (4.1.2) on all platforms. It is tested on Windows. To exploit the vulnerability, the attacker must either control a connected and authenticated client connected to a vulnerable VNC server or control a VNC server with at least one vulnerable connected and authenticated client.

The attack exploits a signed/unsigned integer mismatch leading to an integer overflow and subsequent allocation of very large or zero size areas on the heap. The result of the attack is Denial of Service due to heap corruption and improper program flow. It doesn't seem possible to exploit the heap corruption in order to gain code execution; the source of the copy operation is not defined by the attacker. The attack is thus of limited usefulness due to the necessity of prior authentication.

The vulnerability lies in the following functions:

rfb/SMsgReader.cxx : readClientCutText()
rfb/CMsgReader.cxx : readServerCutText()

These functions handle clipboard changes propagated from the other party. The simplest way to trigger this vulnerability is to modify the CMsgWriter::clientCutText or SMsgWriter::writeServerCutText in order to send an integer length of -1 on clipboard updates. This results in an allocation of zero bytes to the heap on the other party and subsequent write of a zero terminator to an address immediately before the allocated zero-length buffer followed by a large memcpy to that buffer. When an exception is finally thrown, RealVNC handles this by terminating the connection and possibly the process, throwing an error message about the message type.

Reported to vendor ([EMAIL PROTECTED]) 01 August 2006. No response at time of writing.
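The length check the advisory above describes as missing, shown as an added C example that is not RealVNC's code: a hypothetical cut-text reader over a constructed `[u32 big-endian length][text]` message (the message layout, the `MAX_CUT_TEXT` bound and all function names are assumptions). `unsafe_alloc_len` reproduces only the arithmetic the advisory describes; `read_cut_text` is the hardened form that rejects a wire length of 0xFFFFFFFF before any allocation or copy happens.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Largest clipboard update a receiver should accept (assumed bound). */
#define MAX_CUT_TEXT 65536u

enum cut_status { CUT_OK = 0, CUT_TRUNCATED, CUT_TOO_LONG, CUT_NOMEM };

/* Mirrors the arithmetic in the advisory: the wire length lands in a signed
 * int and the allocation is sized len + 1.  0xFFFFFFFF becomes -1, and
 * -1 + 1 is 0, so the receiver gets a zero-byte buffer, writes the NUL
 * terminator at buf[-1], and then copies (size_t)-1 bytes into it.
 * Returned for illustration only; nothing here allocates with it. */
size_t unsafe_alloc_len(uint32_t wire_len) {
    int32_t len = (int32_t)wire_len;        /* signed/unsigned mismatch */
    return (size_t)((int64_t)len + 1);      /* 0 for a wire value of -1 */
}

static uint32_t read_u32_be(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Hardened reader: parse [u32 length][text] from buf[0..buflen).  On CUT_OK,
 * *out is a malloc'ed NUL-terminated copy and *out_len its length. */
enum cut_status read_cut_text(const uint8_t *buf, size_t buflen,
                              char **out, size_t *out_len) {
    *out = NULL;
    *out_len = 0;
    if (buflen < 4)
        return CUT_TRUNCATED;
    uint32_t len = read_u32_be(buf);        /* unsigned: cannot go negative */
    if (len > MAX_CUT_TEXT)                 /* bounds the allocation */
        return CUT_TOO_LONG;
    if (len > buflen - 4)                   /* bounds the copy to real bytes */
        return CUT_TRUNCATED;
    char *s = malloc((size_t)len + 1);      /* len <= MAX_CUT_TEXT: no wrap */
    if (s == NULL)
        return CUT_NOMEM;
    memcpy(s, buf + 4, len);
    s[len] = '\0';                          /* terminator lies inside s */
    *out = s;
    *out_len = len;
    return CUT_OK;
}

/* Constructed sample messages, not captured traffic. */
static const uint8_t GOOD_MSG[]  = { 0, 0, 0, 5, 'h', 'e', 'l', 'l', 'o' };
static const uint8_t NEG_MSG[]   = { 0xFF, 0xFF, 0xFF, 0xFF, 'x' }; /* -1 */
static const uint8_t SHORT_MSG[] = { 0, 0, 0, 9, 'a', 'b' }; /* claims 9 */

/* Parse one sample and report only the verdict. */
enum cut_status check_sample(const uint8_t *msg, size_t n) {
    char *text;
    size_t len;
    enum cut_status st = read_cut_text(msg, n, &text, &len);
    free(text);                             /* NULL on failure: safe */
    return st;
}

/* Parse one sample and return 1 when it yields exactly `expect`. */
int sample_text_is(const uint8_t *msg, size_t n, const char *expect) {
    char *text;
    size_t len;
    if (read_cut_text(msg, n, &text, &len) != CUT_OK)
        return 0;
    int ok = (len == strlen(expect)) && (memcmp(text, expect, len) == 0);
    free(text);
    return ok;
}

int main(void) {
    printf("unsafe alloc size for 0xFFFFFFFF: %zu\n",
           unsafe_alloc_len(0xFFFFFFFFu));
    printf("good=%d neg=%d short=%d (0 is CUT_OK)\n",
           (int)check_sample(GOOD_MSG, sizeof GOOD_MSG),
           (int)check_sample(NEG_MSG, sizeof NEG_MSG),
           (int)check_sample(SHORT_MSG, sizeof SHORT_MSG));
    return 0;
}
```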
[Full-disclosure] New PowerPoint 0-day and Trojan - FAQ document ready
I have constructed a FAQ document about the recent 0-day vulnerability in Microsoft PowerPoint disclosed on Saturday. This vulnerability is being exploited by the Trojan horse TROJ_SMALL.CMZ.

The document, entitled Microsoft PowerPoint 0-day Vulnerability FAQ - August 2006, CVE-2006- (CVE name will be updated when it is available), is located at http://blogs.securiteam.com/?p=559

Newly assigned related malware names will be added to the document when they are available.

- Juha-Matti
Re: [Full-disclosure] is watching you!!!
SHH!!! we're finally rid of him! Never ever EVER speak his name again

-Original Message-
From: yearsilent [mailto:[EMAIL PROTECTED]]
Sent: Saturday, August 19, 2006 5:40 AM
To: vodka hooch; full-disclosure@lists.grok.org.uk
Subject: [inbox] Re: [Full-disclosure] n3td3v is watching you!!!

back to home, and watch you mother !

vodka hooch <[EMAIL PROTECTED]> wrote:

the biggest hackers is watching google and yahoo
we watch fd too
people think we disappear
we still strong
we biggest hackers around
big bad hackers!
you think you can bad mouth n3td3v in threads and talk about mail filters
we beat mail filter, we beat everyone
governments, businesses and everyone!
we got techniques to penetrate windows vista
windows vista hacks be made public soon
we distribute on public list
you think you win, no n3td3v win
n3td3v not just one person, we big
you think we lamers, no
we hav 0day programs and techniques
we can engineer the security industry and make things happen to get securityfocus.com and news.com to write stories
we not care anymore what people think
we do our own thing
n3td3v security group are best, we is new movement
you not say anything to change what we is
we new, we big, we bold
we here to stay

n3td3v
[Full-disclosure] [SECURITY] [DSA 1154-1] New squirrelmail packages fix information disclosure
Debian Security Advisory DSA 1154-1                     [EMAIL PROTECTED]
http://www.debian.org/security/                         Moritz Muehlenhoff
August 20th, 2006                               http://www.debian.org/security/faq

Package        : squirrelmail
Vulnerability  : variable overwriting
Problem-Type   : remote
Debian-specific: no
CVE ID         : CVE-2006-4019

James Bercegay of GulfTech Security Research discovered a vulnerability in SquirrelMail where an authenticated user could overwrite random variables in the compose script. This might be exploited to read or write the preferences or attachment files of other users.

For the stable distribution (sarge) this problem has been fixed in version 1.4.4-9.

For the unstable distribution (sid) this problem has been fixed in version 1.4.8-1.

We recommend that you upgrade your squirrelmail package.

Upgrade Instructions

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.

Debian GNU/Linux 3.1 alias sarge

Source archives:

http://security.debian.org/pool/updates/main/s/squirrelmail/squirrelmail_1.4.4-9.dsc
    Size/MD5 checksum:    678 de55f30e42570db82bec8aefe90093ac
http://security.debian.org/pool/updates/main/s/squirrelmail/squirrelmail_1.4.4-9.diff.gz
    Size/MD5 checksum:  25409 b9e9854e2702f34a7d5bede75942a391
http://security.debian.org/pool/updates/main/s/squirrelmail/squirrelmail_1.4.4.orig.tar.gz
    Size/MD5 checksum: 575871 f50548b6f4f24d28afb5e6048977f4da

Architecture independent components:

http://security.debian.org/pool/updates/main/s/squirrelmail/squirrelmail_1.4.4-9_all.deb
    Size/MD5 checksum: 569078 1510859cc583447180b761ae38895191

These files will probably be moved into the stable distribution on its next update.

For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show ' and http://packages.debian.org/
Re: [Full-disclosure] LOL HY
Edward Pearson wrote:
> Fuck you all. I'm going to Bugtraq. Bye Bye...

We'll miss you!!

-- 
Flavio Visentin
GPG Key: http://www.zipman.it/gpgkey.asc

There are only 10 types of people in this world: those who understand binary, and those who don't.
Re: [Full-disclosure] Tempest today
[EMAIL PROTECTED] wrote:
> On Sat, 19 Aug 2006 18:49:09 -0500 Bipin Gautam
> <[EMAIL PROTECTED]> wrote:
>> Ok, here is something from the book that I was trying to
>> assemble/write.
>
>> Some Links: http://www.eskimo.com/~joelm/tempest.html
>> http://www.erikyyy.de/tempest/
>
>> Let's begin…
>>
>> SNIP SNIP SNIP
>
> Please help make the list self-policing. Follow the list charter
> and note that self-promotion is forbidden.

Please don't quote the entire message in your response if you have nothing useful to add.
Re: [Full-disclosure] Re: Tempest today
> With double layered windows (double glazed), the ability to use triangulation between laser TX and RX means it may be possible to capture vibrations from the inner glass panel. Infra-red absorptive/scattering glass makes the most sense, or external curtain materials, but we are in purpose-built locations at this point.

A poor man's solution should be THE semi-opaque glass we use in kitchens that has those INCLINED triangular cut surfaces throughout, with a granular surface on the other side. Any light (though it depends on the wavelength) would bounce to the extreme right or left. Moreover, without a small bug in the window itself (say a prism) it would be difficult to capture the reflected beam anyway. Or yes, as you suggested, scattering glass. A double layered window with a distinct difference in refractive index between the exterior & interior glass "might" be a better solution.

I experimented with a simple solution. A 3V DC motor pressed against the glass window to cause a small noise & glass vibration would almost completely remove the chances for eavesdropping. (But hey, it was an extremely simple amateur solution to defeat my own amateur equipment anyway. Any comment on this is welcome!)

-bipin
[Full-disclosure] Re: Tempest today
> >Faraday cages may be used to provide protection from HERF and EMP
> >effects.

This reminds me of a novel (http://en.wikipedia.org/wiki/Limes_inferior) by a Polish S-F writer, the late Janusz A. Zajdel, who once wrote about a "bug" which transmitted information through shielded walls by using a modulated X-ray stream... :)

Marcin
-- 
Marcin Owsiany <[EMAIL PROTECTED]> http://marcin.owsiany.pl/
GnuPG: 1024D/60F41216 FE67 DA2D 0ACA FC5E 3F75 D6F6 3A0D 8AA0 60F4 1216
"Every program in development at MIT expands until it can read mail." -- Unknown
RE: [Full-disclosure] Tempest today
Some comment inline...

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Sunday, 20 August 2006 4:45 PM
To: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Tempest today

On Sat, 19 Aug 2006 18:49:09 -0500 Bipin Gautam <[EMAIL PROTECTED]> wrote:
>Ok, here is something from the book that I was trying to assemble/write.
>
>Some Links: http://www.eskimo.com/~joelm/tempest.html
>http://www.erikyyy.de/tempest/
>
>Let's begin…
>
>Faraday cages may be used to provide protection from HERF and EMP effects.
>
>Countermeasures:
>It is easy to defeat ordinary audio eavesdropping, just by sound-proofing a room. And simply drawing the curtains or creating a specially crafted background noise or by using double glass with an air gap in the middle can soundproof and can defeat newer systems, which shine a laser beam onto a glass window and decode any modulation of the reflected beam caused by sound vibrations in the room.

Actually, it depends on the laser's light frequency somewhat. The curtain only helps when the laser is reflecting off objects inside the room, not the window itself. With double layered windows (double glazed), the ability to use triangulation between laser TX and RX means it may be possible to capture vibrations from the inner glass panel. As most curtains don't make much difference to sound, simply drawing them is not going to make a major difference in these situations. Infra-red absorptive/scattering glass makes the most sense, or external curtain materials, but we are in purpose-built locations at this point.

>Faraday's cage: The charge on a charged conductor resided only on its exterior, and had no influence on anything enclosed within it. To demonstrate this fact he built a room coated with metal foil, and allowed high-voltage discharges from an electrostatic generator to strike the outside of the room. He used an electroscope to show that there was no electric charge present on the inside of the room's walls. A Faraday cage is best understood as an approximation to an ideal hollow conductor. A round drum, sphere etc. can act like a Faraday's Cage. Basically, the enclosure may be made of an unbroken conducting sheet, like the metal box surrounding a sensitive radio receiver, or a wire mesh, like that in the door of a microwave oven. Any holes in the box or mesh must be significantly smaller than the wavelength of the radiation that is being kept out, or the enclosure will not effectively approximate an unbroken conducting surface.
>
>This shielding effect is used to eliminate electric fields within a volume, for example to protect electronic equipment from lightning strikes and other electrostatic discharges (ESDs). Faraday cages are often put to a dual purpose: to block electric fields, as explained above, and to block electromagnetic radiation. The latter application is known as RF shielding.
>
>Some traditional architectural materials act as Faraday shields in practice. These include plaster with wire mesh, and rebar concrete. These will affect the use of cordless phones and wireless networks inside buildings and houses. Some buildings have designs that block radio signals by accident due to thick concrete walls or a steel skeleton.

This blocking is generally very unpredictable between different buildings, and may not coincide with the radiation characteristics of the target system. Don't rely on this.

>RF and Magnetic shielding: Radio frequency (or RF) shielding is required when it is necessary to block high frequency - 100 kilohertz and above - interference fields. These shields typically use copper, aluminum, galvanized steel, or conductive rubber, plastic or paints. These materials work at high frequencies by means of their high conductivity, and little or no magnetic permeability. Magnetic shields use their high permeability to attract magnetic fields and divert the magnetic energy through them. With proper construction, magnetic shielding alloys have the ability to function as broadband shields, shielding both RF and magnetic interference fields.
>
>Electromagnetic shielding: It is the process of limiting the coupling of an electromagnetic field between two locations. Typically it is applied to enclosures, separating electrical content from the outside world, and to cables, separating internal wires from the environment the cable runs through. The shielding is achieved using a conductive material as a barrier. Typical materials include sheet metal, metal mesh, ionized gas, plasma and aluminum foil. The shielding can reduce the coupling of radio waves, visible light, electromagnetic fields and electrostatic fields. The amount of reduction depends very much upon the material used, the method of connection of the shield (or screen) and the frequency of the fields of interest. One
Re: [Full-disclosure] Tempest today
On Sat, 19 Aug 2006 18:49:09 -0500 Bipin Gautam <[EMAIL PROTECTED]> wrote:
>Ok, here is something from the book that I was trying to assemble/write.
>
>Some Links: http://www.eskimo.com/~joelm/tempest.html
>http://www.erikyyy.de/tempest/
>
>Let's begin…
>
>Faraday cages may be used to provide protection from HERF and EMP effects.
>
>Countermeasures:
>It is easy to defeat ordinary audio eavesdropping, just by sound-proofing a room. And simply drawing the curtains or creating a specially crafted background noise or by using double glass with an air gap in the middle can soundproof and can defeat newer systems, which shine a laser beam onto a glass window and decode any modulation of the reflected beam caused by sound vibrations in the room.
>
>Faraday's cage: The charge on a charged conductor resided only on its exterior, and had no influence on anything enclosed within it. To demonstrate this fact he built a room coated with metal foil, and allowed high-voltage discharges from an electrostatic generator to strike the outside of the room. He used an electroscope to show that there was no electric charge present on the inside of the room's walls. A Faraday cage is best understood as an approximation to an ideal hollow conductor. A round drum, sphere etc. can act like a Faraday's Cage. Basically, the enclosure may be made of an unbroken conducting sheet, like the metal box surrounding a sensitive radio receiver, or a wire mesh, like that in the door of a microwave oven. Any holes in the box or mesh must be significantly smaller than the wavelength of the radiation that is being kept out, or the enclosure will not effectively approximate an unbroken conducting surface.
>
>This shielding effect is used to eliminate electric fields within a volume, for example to protect electronic equipment from lightning strikes and other electrostatic discharges (ESDs). Faraday cages are often put to a dual purpose: to block electric fields, as explained above, and to block electromagnetic radiation. The latter application is known as RF shielding.
>
>Some traditional architectural materials act as Faraday shields in practice. These include plaster with wire mesh, and rebar concrete. These will affect the use of cordless phones and wireless networks inside buildings and houses. Some buildings have designs that block radio signals by accident due to thick concrete walls or a steel skeleton.
>
>RF and Magnetic shielding: Radio frequency (or RF) shielding is required when it is necessary to block high frequency - 100 kilohertz and above - interference fields. These shields typically use copper, aluminum, galvanized steel, or conductive rubber, plastic or paints. These materials work at high frequencies by means of their high conductivity, and little or no magnetic permeability. Magnetic shields use their high permeability to attract magnetic fields and divert the magnetic energy through them. With proper construction, magnetic shielding alloys have the ability to function as broadband shields, shielding both RF and magnetic interference fields.
>
>Electromagnetic shielding: It is the process of limiting the coupling of an electromagnetic field between two locations. Typically it is applied to enclosures, separating electrical content from the outside world, and to cables, separating internal wires from the environment the cable runs through. The shielding is achieved using a conductive material as a barrier. Typical materials include sheet metal, metal mesh, ionized gas, plasma and aluminum foil. The shielding can reduce the coupling of radio waves, visible light, electromagnetic fields and electrostatic fields. The amount of reduction depends very much upon the material used, the method of connection of the shield (or screen) and the frequency of the fields of interest. One example is a coaxial cable, which has electromagnetic shielding in the form of a wire mesh surrounding an inner core conductor. The shielding impedes the escape of any signal from the core conductor, and also signals from being added to the core conductor.
>
>Though I have practically seen that putting a dipole near the coaxial cable can sniff the signal within it despite the sealing. The RF sealing strictly depends on the quality, which I've seen is rare in MOST commercial products for general use.
>
>Shielded Tent: Shielded enclosures, tempest equipment, shielded chambers. Another way of making sure you are not being bugged is to use a shielded tent, which prevents radio waves entering or leaving. Mobile phone calls are impossible from inside the tent, but no-one will be able to listen to your conversations using bugs or radio wave listening devices. It will also prevent anyone intercepting radio emissions from computers, preventing them from seeing what you have on screen. A more sophisticated - and expensive - method i