TRANSEC/EMSEC/ TEMPEST Artur Zak CS 996 – Information Security Management March 30, 2005

Overview Definitions History EMSEC TRANSSEC TEMPEST POSA Example Homework

Definitions EMSEC - Emission Security  Preventing a system from being attacked using conducted or radiated electromagnetic signals TRANSSEC - Transmission Security  Preventing data from being attacked or intercepted during the transmission. TEMPEST – Transient Electromagnetic Pulse Emanation Standard  Government codeword that identifies a classified set of standards for limiting electric or electromagnetic radiation.

History 1884 – Crosstalk  Two-wire circuits stacked on tiers of crosstrees on supporting poles. Solution – twisted pair cables – compromising emanations in warfare.  Earth leakage caused a lot crosstalk including messages from the enemy. Solution – abolish earth-return circuits within 3,000 yeards of the front.

History 1960’s – TV detector vans.  British authorities checking who has a TV at home. 1990’s – Crypto keys in smartcards.  Recover the crypto key by analysis of the current drawn by the card.

EMSEC – Emission Security All electric and electronic devices radiate emanations during operation. Radiated signals may carry actual information. Attacker may want to capture the radiated signals and recreate some or all of the original information.  User being attacted will never know that someone intercepted any signals and recreated useful data from it.

EMSEC - Vulnerabilities Leakage through RF signals. Emanations from signal cables.  Keyboard key presses can be picked up at up to 100 yards. Leakage to power lines.  Power circuits pick up RF signals and conduct them to neighboring buildings. TV and computer screen radiation. Sound. Power Analysis.  Smartcard.  EEPROM.

EMSEC – Passive Attacks Passive Attacks – using electromagnetic signals present to gain information.  Wardriving. Set up equipment in a car and capture the emitted signals hoping to recover valuable information.  Electromagnetic Eavesdropping Attack against Automatic Teller Machines.  Toys Furby toys remember and randomly repeat things they hear.

EMSEC – Active Attacks Active Attacks.  Bugs Radio Microphones.  TEMPEST Viruses Using computer to play a tune, turning it into low-grade radio transmitter.  Nonstop Using Phones near transmitters can cause to data to be modulated by the phone and transmitted.  Glitching Used to attack smartcards, but inducing a useful error.

EMSEC – Countermeasures Attenuation – opposite of amplification. Reduce the signal strength during transmission.  Decreases radiation perimeter. Attacker needs to get closer to the source. Risks being caught by the authorities. Banding – restricting the information to be in a specific band of frequencies.  Attacker has to first find out which band of frequencies to scan. If in a wrong band, only partial messages can be recovered.

EMSEC - Countermeasures Shielding – Equipment or Buildings shielded to prevent radiation from leaking from inside to outside or vice- versa.  Wardriving attack no longer a problem.  May help against leakage. Zone of Control (Zoning) – most sensitive equipment is kept in the rooms furthest from the faciliti’s perimeter, and shielding is reserved for the most sensitive systems.  May stop wardriving if attacker is not able to penetrate the perimiter of the facility.

EMSEC - Countermeasures Cabling Filtered Power  Filters cable and power supply noise. Suppresses the conducted leakage. Soft Tempest  Applied to commercial sector Software techniques to filter, mask, or render incomprehensible information bearing electromagnetic emanations from a computer system.

TRANSSEC – Transmission Security Information needs to be shared. Must be transmitted over long distances. Attacker may want to intercept the information while in transit.

TRANSSEC - Vulnerabilities RF Fingerprinting  Identifying RF device based on the frequency behavior. Radio Direction Finding (RDF)  Triangulating the signal of interest using directional antennas at two monitoring stations. Traffic Analysis Signals collection  Collecting different signals and extracting information from them.

TRANSSEC - Attacks Eavesdropping  Listening on voice conversations. Covert Channels  Mechanism that though now designed for communication can nonetheless be abused to allow information to be communicated down from High to Low. Sniffing  Monitoring the traffic. Jamming.  Noise insertion  Active Deception

TRANSSEC – Defenses Low Probability of Detection (LPD)  Techniques used to make it hard for the attacker to detect presence of the signal. Directional Signaling Line of Sight transmission Low Probability of Interception (LPI)  Techniques used to make it hard for attackers to intercept the signals. Frequency hoppers Spread spectrum Burst transmission

TRANSSEC - Defenses Burst Transmission – send data in short bursts instead of continuous transmission.  Employed by spies during WW II.  Attacker never knows when the data is sent. Directional signaling – send signals in a specific direction instead of broadcast in all directions.  Attacker has to first find out in which direction the signal is transmitted. Requires more complicated equipment to identify the source of transmission.

TRANSSEC - Defenses Frequency Hopping – during transmission hop from frequency to frequency with predefined pseudorandom sequence.  The receiver know the same sequence, therefore it knows which frequency to tune in. Attacker must know the exact sequence to be able to capture the message. Used in 2G and 3G cell phones. Line of Sight – Used for short distance transmissions.  Optical transmission. IR transmission. Attacker needs to be in plain view, risking being exposed.

TRANSSEC - Defenses Spread Spectrum  Combine information-bearing sequence by a higher-rate pseudorandom sequence. Makes it hard to intercept. Used in CDMA and GSM phones.

TEMPEST Employing some of the defenses may not be enough to secure entire system. Attackers may find a loophole, and break into a system. Standards are needed to make sure that the system is secured enough from both emanations and during transmission.

TEMPEST Government standard defining how to make government systems secured from an attacker.  Employs both EMSEC and TRASNSSEC techniques to limit the emanations from electronic equipment.  Applies Strictly to classified facilities. Individual electronic equipment. Rooms in buildings. Entire buildings  Classified until After 1995 only basic information declassified.

TEMPEST Red/Black Separation Maintain distance or install shielding between circuits and equipment used to handle classified or sensitive information. RED -> classified or sensitive information. BLACK -> normal unsecured equipment.  Includes equipment carrying encrypted signal.

TEMPEST Red/Black Separation Manufacture must be done under careful quality control.  Ensures that additional units are built exactly the same as the units that were tested. Changing even a single wire can invalidate the tests.

Maintenance and Disposition of TEMPEST Equipment Guidelines provided by National Security Telecommunications and Information Systems Security Advisory Memorandum (NSTISSAM).  Applicable to all departments and agencies of the U.S. Government that use, maintain, or make disposition of TEMPEST equipment.

Installation Requirements All equipment must meet the requirements of NSTISSAM. All must be installed in accordance with Red/Black separation criteria. Local TEMPEST Manager must oversee the process.  Coordinate and document all accreditation documents resulting from the installation.

TEMPEST Procedures TEMPEST Endorsement Program.  Establishes guidelines for vendors to manufacture, produce, and maintain endorsed equipment.  Vendor must provide life cycle support for its customers to ensure continued TEMPEST integrity of the product.  Support detailed in TEP’s TSRD No. 88-9B, dated 8 March 1991.

TEMPEST Program Development Guidelines for development of a maintenance and disposition program:  Consider the addition cost of the program.  Ensure that data resident on the equipment is not compromised during the maintenance/disposition process.  Keep a log of maintenance action for all TEMPEST equipment Date of maintenance. Action taken. Technician name. Equipment model and serial number.

TEMPEST Disposition Procedures Use approved purging software to overwrite hard drives. Maintain a log of the model and serial number of all equipment disposed/destroyed. Destruction of TEMPEST equipment no longer required is recommended if transfer to another U.S. Government department/agency is impractical.  Serial numbers and any classified markings must be removed.  The equipment will be broken into pieces of such a nature as to preclude restoration.  A destruction certificate will be prepared and signed by the witnessing individual.  All residue will be returned as scrap metal to the Defense Reutilization Management Office.

TEMPEST Accreditation TEMPEST Countermeasures Review  Recommended countermeasures are threat driven, and based on risk management principles.  Each site must be separately evaluated and inspected. Sites cannot be approved automatically by being inside an inspectable space. Certification must apply to entire system.  Connecting a single unshielded component compromises the entire system.

Is TEMPEST necessary? Two schools of thought:  Yes: Without TEMPEST information security is compromised.  No: TEMPEST is a waste of resources, time, and money

Need for TEMPEST “The fact that electronic equipment give off electromagnetic emanations has long been a concern of the US Government. An attacker using off-the-shelf equipment can monitor and retrieve classified or sensitive information as it is being processed without the user being aware that a loss is occurring” – 1994 Joint Secretary Commission report to the Secretary of Defense and Director of Central Intelligence.

Need for TEMPEST “Foreign governments continually engage in attacks against U.S. secure communications and information processing facilities for the sole purpose of exploring compromising emanations” – Navy manual that discusses compromising emanations.

No need for TEMPEST > CIA Inspector General report to an Intelligence Community.  Millions of dollars spent on protecting a vulnerability that had low probability of exploitation.  Review the TEMPEST requirements based on threat Recommended to reduce TEMPEST requirements.

Examples British MI5 monitoring French traffic noticed enciphered traffic carried a faint secondary signal. Replica of Great Seal of the United States presented to U.S. ambassador in Moscow in problem discovered with the gift. A new U.S. embassy in Moscow had to be abandoned after large numbers of microphones were found in the structure.

TEMPEST Incidents No TEMPEST incidents coverage in the press. Business and Government do not admit to any kind of security breaches achieved because lack of TEMPEST security.  Don’t want to admit to the public of security breach.  Don’t know that data was compromised, since Passive attacks are not easily detectable.

Business Side of TEMPEST TEMPEST industry is over a billion dollar a year business. Indicates that there are variable threats, and organizations take protective measures. TEMPEST certified equipment is often twice as expensive as regular equipment of similar performance. U.S. Government Shields entire buildings to prevent any emanations to leak outside of allowed perimeter.

POSA Example POSA CFAC USER 1 Sale information 7 Complete Trans. Register 5 Y/N 4 Sale & user information 8 Complete transaction 3 User CC information 6 Y/N 2 Display Sale Info

Homework Perform EMSEC/TRANSSEC risk analysis on GTS system.  Identify the emanation and transmission vulnerabilities.  Make recommendations as to which countermeasures should be used to eliminate the threat.