-----[ So, you think you're secure? ]-----
by: Mr. Zippy!

INTRODUCTION:

You've finally done it. You compiled PGP yourself to make sure you're running a clean version, and you chose a passphrase that no one would ever guess. You didn't write it down, so the FBI would never find it if they raided you. You don't even encrypt messages while online, to prevent someone from monitoring the data line in hopes of trapping your passphrase. In fact, you regularly wipe your swapfile so there are no traces of it anywhere. There's no way anyone will ever get your passphrase unless they beat it out of you, right?

WRONG!

Remember that black van parked across from your computer room's window? They're not tapping your phone line or using a laser mic to tape your conversations. They're watching everything you type scroll across a little monitor, and recording it all to VHS tape for later study.

No, I didn't see this on the X-Files last week. The technology to do this is available now (for as little as $200). It's called van Eck radiation, and information about it has been classified by the Governments of the United States, England, and others.

HOW IT WORKS:

Remember the interference on your TV when you fired up your Vic 20 computer or printed to that old dot-matrix printer? The interference was caused by electromagnetic radiation (known as van Eck radiation, after a researcher who published a paper on the subject). In fact, you could often tune that Vic 20 computer in on an old black-and-white TV with fine tuning controls. You didn't know it then, but you were using a van Eck device.

The theory behind van Eck radiation is that all electronic devices emit some level of electromagnetic radiation. This radiation can be detected by devices which are basically modified TV receivers. By tuning the receiver into the frequency your monitor is on, you can watch everything scroll by. Not only can your screen be monitored, but also your printer, keyboard, or any other electronic device you may be operating.

WHAT IS AT RISK:

Think about the kind of data you display on your computer monitor. Your financial records, personal letters, business proposals, or anything else you wouldn't want others to see can all be monitored and recorded for later review. The information on your screen is the easiest to capture - you just need to tune the signal in on another screen. It can be recorded on any standard VCR.

Anything you type on your keyboard can also be monitored. This includes your PGP key, the password for your 'net provider, or your credit card number. So just because it's not displayed on the screen as you type it doesn't mean that it can't be captured by someone who really wants it. Your printer and FAX machine are not immune to van Eck eavesdropping, either.

Capturing van Eck radiation from a keyboard, printer, or FAX can be more difficult than capturing it from a monitor. It is necessary to have the exact same model available to analyze before you can figure out what you have captured. The concept is still fairly simple: If you use a "Brand A" keyboard, I'll buy the same model. I hit each key, and watch the pattern on a scope. Now, I watch the patterns come out of your keyboard, and match them to those I've already figured out. Suddenly, your secret password isn't much of a secret any more.

The same is true of printers and FAX machines. If you have the same model, you can figure out each signal in advance, and then reading the captured output becomes easy.

WHO IS AT RISK:

Everyone. You don't need to be a criminal trying to hide your activities from law enforcement officials to be concerned about van Eck eavesdropping. Consider the value of the data on your screen - what is it worth to someone else? Here are some examples of situations and the types of information that could be gained by monitoring van Eck radiation:

- Bankers (account data, transaction passwords)
- Brokers (data leading to insider trading)
- Law Enforcement (information on current investigations)
- Designers, Architects (current plans, models)
- Software Designers (new algorithms and techniques)
- Unfaithful Partners (letters to the "other")

HOW TO PROTECT YOURSELF:

Over the years, electronic devices have been designed to give off less and less interference. For example, I can set my laptop on top of my TV and not cause any noticeable disturbance. This means that long-range detection of van Eck radiation is not practical. Instead, the easier way is to plant transceivers that detect the radiation, and transmit it to monitoring posts farther away. Devices used to detect "bugs", radio scanners, and physical inspections of your equipment and surrounding areas can help to turn up transceivers of this type.

It's a well-known fact that if you're getting bad TV reception, you can attach the antenna to the cold water pipe and it improves drastically. In the same way, electromagnetic radiation can be detected through building wiring or water pipes. It would be nearly impossible to get your equipment away from water pipes or electrical wiring. Therefore, you'll need a way to ensure that no radiation emits from your equipment.

The NSA has created a specification for hardware which emits minimum amounts of electromagnetic radiation (called "Tempest"). Of course, if they were to publish this specification, they would not be able to eavesdrop on van Eck emissions themselves. The concept is obvious, though. Equipment should be enclosed in cases which trap emissions inside. The electrical supply should either be isolated or be "dirtied" with dummy emissions. The room itself should be shielded such that detection from outside is impossible.

SUMMARY:

If you have something to hide, you need to be aware of all the ways it can be discovered. Not everyone needs to build a safe room to ensure that their information stays private. However, if the information on your screen is worth more to others than it is to you, you should take precautions to ensure it doesn't get out.

CREDITS:

Not much information is available on van Eck Radiation, due to the topic being classified by most Governments. Most of this information was obtained from one of these three sources:

- "Information Warfare" by Winn Schwartau (excellent book)
- "Computers and Security" December, 1985 issue
- Anonymous computer monitor technician at local repair depot