Author Topic: Exploits And Mitigation  (Read 31484 times)


MaxPower

  • Drone Pilot
  • *****
  • Posts: 757
  • My favorite breed is Rescue
Re: Exploits And Mitigation
« Reply #15 on: September 12, 2018, 03:54:10 PM »
Quote
any electrically conductive material can be used as an antenna. however the antenna length must be tuned to match the desired radio frequency. you *could* use a paperclip as a tv antenna. you won't pick up many (possibly 0) tv stations. this is because the length of the antenna must match the frequency (or a quarter of said frequency) of the radio wave you want to transmit/receive, or (remote) reception will be degraded. and yes television uses radio waves.
usually antennas are designed to transmit/receive (well not so much transmit) a range of frequencies, such as fm radio, am radio, uhf tv, etc.

a metal heatsink doesn't match any frequency, mainly because they are designed to dissipate heat, not transmit/receive. thus any transmissions will be of poor quality at best. and when encased in a solid metal case (a standard desktop pc for example) it is further degraded or blocked entirely because the case becomes a (poor) faraday cage. the new glass cases tend to let radio waves through.
furthermore tempest monitoring* may (further) drown out any transmissions from said heatsink.
modern LCD screens have cut down significantly on tempest monitoring due to much lower power requirements and therefore less transmit power over older crt monitors. while still possible, tempest monitoring may only extend a few tens of feet from the monitor, instead of 100 or so for crt monitors.

*tempest monitoring is when a person picks up emissions from your monitor, and reconstructs those to see what you are doing on your monitor. arguably it can include monitoring any emissions from your computer.
see here for more info.
I have used a paper clip and a short jumper clipped wire many times for a satisfactory TV antenna. Local reception was just about as good as the old trusty rabbit ear antennas. I always get a laugh when I see commercials for the Magic TV Key and other similar products which are nothing more than a simple indoor antenna marketed to make it sound like you will get a ton of extra channels "for free" only with their magic device.

Many years ago, I remember working on computers that were Tempest rated. Otrona made a "portable" Tempest computer that was time consuming to work on due to all the extra shielding and a ton of screws that had to be removed. A nice but expensive computer used primarily by the military.

Just about anything conductive can be used for a receiving antenna as reception is more forgiving. Transmitting is another story as efficiency and effectiveness is determined by proper design...

Whistler

  • Drone Pilot
  • *****
  • Posts: 593
  • We call ourselves the Nightstalkers...
Re: Exploits And Mitigation
« Reply #16 on: September 13, 2018, 07:09:52 PM »
Quote
any electrically conductive material can be used as an antenna. however the antenna length must be tuned to match the desired radio frequency.

Ding, Ding, Ding, - Give this man a cigar !   ;)
(Would you settle for a +1 instead ?)   ;D

Thanks for the excellent lead in.
Okay - pull out your calculator, let's figure this out.



For an example, we'll be using a laptop from  - oh, I don't know, 2004. This example laptop might be a Toshiba, M-55 Satellite w/ a susceptible Pentium 4M (mobile) cpu running at 2.0 GHz (max cpu freq..)
This lappy is built from molded plastic - except for the back of the lid - which is aluminum. (No Faraday cage effect for the cpu.)
Wifi in 2004 (and still) operates in the 2.4 GHz range.

The first thing to know about antennas is:
There is an inverse relationship between frequency and wavelength: the lower the frequency, the longer the wavelength; the higher the frequency, the shorter the wavelength.

So how do you figure antenna length for one full wavelength of 2.4 GHz ? (This goes for any frequency you want an antenna length for.)
Divide the speed of light in meters, ((Damn Brits... ;) ) ...which is the speed radio signals propagate at,) by the frequency.
c / f = one full wavelength for the target frequency - in meters.

Speed of light in meters: 299,792,458
Freq (cycles per second): 2.4 GHz = 2,400,000,000
Which comes out to: 0.124913524 meters,
or 12.491 Centimeters
Converting to inches, we get 4.9177165", approximately 4 and 59/64 inches.
That's just shy of 5" (actually, right between 4-7/8 and 4-15/16")
Think we can stuff that in a laptop ?  ;) (Heh, heh, heh)
(I actually thought about tearing mine down again to get an accurate measurement on the heatpipe (the copper section) from the cpu to the cooling fins the fan blows through, but a picture will do.)

K000032240 TOSHIBA SATELLITE M55 HEATSINK SERIES "GRADE A"


The length of my cooling fins are approximately 2.4 inches.
That means that if the heatpipe was used for an antenna, it would be right in the ballpark for 2.4 GHz.
As far as I'm concerned, yeah, it can easily be used as an antenna.

As far as cpu coolers in desktops ?
It's actually possible they could act like a YAGI antenna
Scope this out...
What we have here is known as a BiQuad wifi antenna, designed for 2.4 & 5 GHz (Hence the different sized plates.)

From: https://www.kickstarter.com/projects/1096577862/the-biquad-yagi-antenna-for-wifi-and-fpv

They are right around the size of the larger CPU coolers like the MegaHalems.

Granted, these antennas have to be precise in their measurements and spacing, so it's doubtful the coolers would work as antennas, but, most MoBos are mounted on the side panel of the desktop case, which would make a perfect YAGI antenna (for just one direction.)  ;)


Quote
usually antennas are designed to transmit/receive (well not so much transmit) a range of frequencies, such as fm radio, am radio, uhf tv , etc.
Yup, That's why if you wanted to build an AM loop to pick up the entire AM spectrum from 540 KHz to 1700 KHz (1.7 MHz,) you would shoot for the center frequency of 1120 KHz.
((1700 - 540) / 2) + 540 == 1120
Broadcast antennas are a whole different ballgame. You need to consider impedance matching, resistance, grounding, reduction baluns, antenna height, polarization, etc., etc., etc. .
c / f ==
299,792,458 / 1,120,000 == 267.67 meters
Convert.
878.18' is one full wavelength for 1120 KHz
Then make your antenna length 1/4 wave of 878.18'
or
219.5' ( or 219'6") - total length of wire for a 1/4 wave loop.
Gauge of the wire, spacings between turns, winding style (spiral, box, spider,) and size of the loop all make a difference in the nulling and distance of the stations you can pick up.
It's a fun project for DIY'ers, and there's plenty of info on the net .  ;)

Quote
furthermore tempest monitoring* may (further) drown out any transmissions from said heatsink.

How so ?
TEMPEST (a.k.a. Van Eck Phreaking) monitoring is generally passive reconnaissance. What I mean by that is: the target is not being zapped by any electro-magnetics the attacker is putting out. The attacker is reading and interpreting the targets' electro-magnetic emanations.
This article explains it better than I can.
http://www.surasoft.com/articles/tempest.php

Oh, and I really like this one - they apply TEMPEST mitigation to their website - LOL. (See if you can pick up on it.  ;)  )
https://www.hertzsystems.com/en/product/tempest-equipment/

Quote
modern LCD screen have cut down significantly on tempest monitoring due to much lower power requirements...
Don't be getting slack on me, WR250. (Tisk,tisk.)  ;)
(Just kidding.)

The cables going to those LCDs and metal hinges in laptops make TEMPEST attacks still viable. It's still (as of 2007,) up to 75' with the right target.  Funny how there's no newer information on this in Public Domain. (I smell a R.A.T.)  ;)  ;D
http://web.archive.org/web/20180312095201/https://www.newscientist.com/blog/technology/2007/04/seeing-through-walls.html
https://www.engadget.com/2007/04/21/laptops-and-flat-panels-also-vulnerable-to-van-eck-eavesdropping/


Big D. even had his communications TEMPEST hardened.   
https://electrospaces.blogspot.com/2017/11/trumps-communications-equipment-outside.html

So yeah, I have to disagree with you on these points. 
 
It is kind of a specialist area. Anti TEMPEST, Van Eck, whatever you want to call it, technologies were actually being developed in the last days of WWII by the Army.  ;)

Here's some info on covert channels :  https://hackaday.com/2017/02/02/hacking-the-aether/

And a good Sci-Fi book to read (if you haven't already,) is the Cryptonomicon by Neal Stephenson.
https://archive.org/details/cryptonomicon00neal

    ;)      :)
It may be that your sole purpose in life, is to serve as a warning to others.   :o
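The c / f arithmetic in the post above, worked as an added example that is not part of the thread: it computes full, half and quarter wavelengths for any frequency, the band-centre shortcut used for the AM loop, and how close a given conductor length (the 2.4" fins, the 878' AM loop) is to a resonant fraction. The 5 % tolerance and the choice of 1/4, 1/2 and full-wave fractions are assumptions for the comparison, not figures from the post.

```python
# Added example (not from the thread): resonant-length arithmetic behind the
# c / f figures above, generalised to any frequency and to checking how close
# an arbitrary conductor is to a resonant fraction of the wavelength.
C_M_PER_S = 299_792_458.0   # speed of light in m/s, the value used in the post
M_PER_INCH = 0.0254
M_PER_FOOT = 0.3048


def wavelength_m(freq_hz: float) -> float:
    """Full free-space wavelength in metres: lambda = c / f."""
    if freq_hz <= 0:
        raise ValueError("frequency must be positive")
    return C_M_PER_S / freq_hz


def wavelength_in(freq_hz: float) -> float:
    """Full wavelength in inches."""
    return wavelength_m(freq_hz) / M_PER_INCH


def wavelength_ft(freq_hz: float) -> float:
    """Full wavelength in feet."""
    return wavelength_m(freq_hz) / M_PER_FOOT


def band_center_hz(low_hz: float, high_hz: float) -> float:
    """Centre frequency for a broadband antenna: midpoint of the band,
    i.e. the ((high - low) / 2) + low shortcut used for the AM loop."""
    if high_hz <= low_hz:
        raise ValueError("band upper edge must exceed lower edge")
    return ((high_hz - low_hz) / 2) + low_hz


def nearest_resonance(length_m: float, freq_hz: float,
                      fractions=(0.25, 0.5, 1.0), tolerance: float = 0.05):
    """Compare a conductor length against 1/4, 1/2 and full-wave lengths at
    freq_hz.  Returns (closest fraction, relative error, within tolerance).
    The 5 % tolerance is an assumption chosen for this example."""
    lam = wavelength_m(freq_hz)
    best = min(fractions, key=lambda fr: abs(length_m - fr * lam))
    rel_err = abs(length_m - best * lam) / (best * lam)
    return best, rel_err, rel_err <= tolerance


if __name__ == "__main__":
    # 2.4 GHz Wi-Fi, as in the laptop example.
    wifi = 2.4e9
    print(f"2.4 GHz: {wavelength_m(wifi):.4f} m = {wavelength_in(wifi):.4f} in")
    # Constructed check: the post's ~2.4 inch fin length against 2.4 GHz.
    fr, err, ok = nearest_resonance(2.4 * M_PER_INCH, wifi)
    print(f"2.4 in fins: closest to {fr}-wave, error {err:.1%}, resonant={ok}")

    # AM broadcast band 540-1700 kHz, centre frequency and 1/4-wave loop.
    am_center = band_center_hz(540e3, 1700e3)
    print(f"AM centre: {am_center/1e3:.0f} kHz, full wave "
          f"{wavelength_m(am_center):.2f} m = {wavelength_ft(am_center):.2f} ft, "
          f"1/4 wave {wavelength_ft(am_center)/4:.1f} ft")
```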

wr250

  • Elluminati
  • ******
  • Posts: 1352
  • tux the magic penguin
Re: Exploits And Mitigation
« Reply #17 on: September 15, 2018, 04:58:48 AM »
Quote
Quote
furthermore tempest monitoring* may (further) drown out any transmissions from said heatsink.

How so ?
the same way jamming radio signals work. the more extraneous radio noise tossed out there, the harder it is to sort out what you're looking for.
as i understood your "heatsink as an antenna" theory, it is passive reconnaissance, just like tempest monitoring.
additionally thermal paste (what intel and most manufacturers use) is non electrically conductive, forming a barrier to what you are describing, thus weakening the effect.
on recent (core2/i series/pentium/celeron) intel processors (and many amd,but not all) there is thermal paste between the silicon die and the (glued on) heat spreader on the chip. then another layer of thermal paste between the heat spreader and the cpu cooling device.
therefore i do not think this is a valid attack for anything other than govt agencies with more money than brains to carry out. and why would they do that when so many (un)known flaws exist to get information that are far easier to do? or when people actually volunteer said info (farcebook, tweeter, etc)

additionally tempest attacks on crt monitors could be carried out several hundred feet away from the target. lcd monitors use less power and therefore have less "broadcasting" capabilities. no matter how you factor things , more distance in receivable radio emissions required 1 of 2 things.
1. a larger receiving antenna (i don't see anyone carrying around a 40' dish to tempest monitor)
2. more transmit power.
statistics can be used to prove anything. 14% of the people know this.
https://lptd.home.blog/

Whistler

  • Drone Pilot
  • *****
  • Posts: 593
  • We call ourselves the Nightstalkers...
Re: Exploits And Mitigation
« Reply #18 on: September 15, 2018, 05:55:35 AM »
Quote
additionally thermal paste (what intel and most manufacturers use) is non electrically conductive...


" - some companies use silver, aluminum, ceramic, and diamonds which are ground to a very fine powder and mixed with the bonding compound. The final mixture of the thermal paste is often kept as a secret recipe."

From:
https://www.ekwb.com/blog/thermal-compound-guide/

I'm kind of rushed for time right now, so I didn't check out what the major manufacturers use as standard, But, silver is electrically conductive, Diamonds are generally not - there are exceptions.
https://www.thoughtco.com/diamond-a-conductor-607583

"   After 21 seconds of research, I learnt that it depends on the type of diamond. The range of resistance is pretty high, some are very resistant while some are very conductive. It depends on their constitution (since diamonds are not all the same).   "

https://www.quora.com/Is-diamond-electrically-conductive

(In a pinch, (automotive) Anti-Seize makes a (cheap, and) fairly decent thermal paste.)
Yes, I've used it on an old - and very hot - AMD dual-core setup from 2005 and it dropped the cpu temps from 100 C (boiling) to approximately mid 50's C.  ;)

BUT, you are forgetting something; the cpu is electrically grounded to the cooler through the cooler mounting screws. ;)

Quote
additionally tempest attacks on crt monitors could be carried out several hundred feet away from the target. lcd monitors use less power and therefore have less "broadcasting" capabilities. no matter how you factor things , more distance in receivable radio emissions required 1 of 2 things.
1. a larger receiving antenna ( i dont see anyone carrying around a 40' dish to tempest monitor)
LOL - neither do I.  :) :D  ;D
(Smart ass)  ;)
Quote
2. more transmit power.

Don't forget about unshielded transmissions from the cables going to the monitor, plus the keyboards and mice.  ;)

https://www.allaboutcircuits.com/news/hackers-device-electromagemissions-side-channel-attacks-cybersecurity/

http://www.cialfor.com/2016/04/21/van-eck-phreaking-a-hack-using-eradiations/

(There's more than one way to skin a cat.)
(Sorry Spookcat - :D - just a figure of speech)   ;)


Add to that the general insecurity of wireless keyboards and mice. (Different attack, but still highly effective.)
https://threatpost.com/mousejack-attacks-abuse-vulnerable-wireless-keyboard-mouse-dongles/116402/

So, I still have to disagree with you.
(This is getting some good info out there though.)  ;)

wr250

  • Elluminati
  • ******
  • Posts: 1352
  • tux the magic penguin
Re: Exploits And Mitigation
« Reply #19 on: September 15, 2018, 06:17:16 AM »

Quote
" - some companies use silver, aluminum, ceramic, and diamonds which are ground to a very fine powder and mixed with the bonding compound. The final mixture of the thermal paste is often kept as a secret recipe."

From:
https://www.ekwb.com/blog/thermal-compound-guide/
from what i've seen in 30 years of building computers, the thermal paste used by OEMs is shit. it's not in the interests of an OEM to take the chance of over application of an electrically conductive paste to short something out.
arctic silver has silver in it. arctic silver claims it's electrically non conductive.
http://www.arcticsilver.com/as5.htm

Quote
BUT, you are forgetting something; the cpu is electrically grounded to the cooler through the cooler mounting screws. ;)

consumer intel cpus use a plastic mounting system. many amd processors do as well. however there are some that bolt to a metal backplate which is shielded with plastic/rubber to prevent shorting the board.
server processors usually use a metal backplate, which has the rubber/plastic shield on it to prevent shorting the board.
aftermarket heatsinks use the stock intel mounting holes, or the aforementioned metal backplate.
Quote
Add to that the general insecurity of wireless keyboards and mice. (Different attack, but still highly effective.)
https://threatpost.com/mousejack-attacks-abuse-vulnerable-wireless-keyboard-mouse-dongles/116402/

So, I still have to disagree with you.
(This is getting some good info out there though.)  ;)
as far as kb insecurities, nothing beats a hardware inline dongle to intercept keystrokes. but then again, that requires physical access. with physical access, its game over.
intercepting the (usually) unencrypted wireless communications from a kb/mouse is always a possibility.

/*edit*/
i added "electrically" to the arctic silver claim for clarity

Sofia

  • Ellightened
  • ******
  • Posts: 3254
Re: Exploits And Mitigation
« Reply #20 on: September 23, 2018, 11:50:42 PM »
Quote

*tempest monitoring is when a person picks up emissions from your monitor ,and reconstructs those to see what you are doing on your monitor. arguably it can include monitoring any emissions from your computer.
see here for more info.
Tempest monitoring is what my handler does.

Dyna-X

  • Ellightened
  • ******
  • Posts: 3392
Re: Exploits And Mitigation
« Reply #21 on: September 25, 2018, 11:39:45 AM »
Quote
from what i've seen in 30 years of building computers, the thermal paste used by OEMs is shit. it's not in the interests of an OEM to take the chance of over application of an electrically conductive paste to short something out.
arctic silver has silver in it. arctic silver claims it's electrically non conductive.
http://www.arcticsilver.com/as5.htm
 
consumer intel cpus use a plastic mounting system. many amd processors do as well. however there are some that bolt to a metal backplate which is shielded with plastic/rubber to prevent shorting the board.
server processors usually use a metal backplate, which has the rubber/plastic shield on it to prevent shorting the board.
aftermarket heatsinks use the stock intel mounting holes, or the aforementioned metal backplate. as far as kb insecurities, nothing beats a hardware inline dongle to intercept keystrokes. but then again, that requires physical access. with physical access, it's game over.
intercepting the (usually) unencrypted wireless communications from a kb/mouse is always a possibility.

/*edit*/
i added "electrically" to the arctic silver claim for clarity


Ah you are into a favorite topic of mine (and pet peeve as well) in that I've always thought the MIL-spec for RF shielding on computers and associated cables (called tempest here) should be a standard on "consumer grade" computers including laptops.

Notice that cool green anodized aluminum power supply brick with the properly shielded BNC type connector. (and the quality of all the cabling in the experiments behind it) This is how it is supposed to be.


wr250

  • Elluminati
  • ******
  • Posts: 1352
  • tux the magic penguin
Re: Exploits And Mitigation
« Reply #22 on: September 25, 2018, 08:20:46 PM »

Quote
Ah you are into a favorite topic of mine (and pet peeve as well) in that I've always thought the MIL-spec for RF shielding on computers and associated cables (called tempest here) should be a standard on "consumer grade" computers including laptops.


that will never happen, due to costs involved and that manufacturers deem it "unnecessary" except for military computers. this is to make said electronics "emp resistant", and not really for tempest protection, although it does that too.
as long as americans want cheap, they will get cheap, and complain about the cheapness of the cheap item.

Whistler

  • Drone Pilot
  • *****
  • Posts: 593
  • We call ourselves the Nightstalkers...
Re: Exploits And Mitigation
« Reply #23 on: October 03, 2018, 12:06:06 AM »
Quote
from what i've seen in 30 years of building computers, the thermal paste used by OEMs is shit. it's not in the interests of an OEM to take the chance of over application of an electrically conductive paste to short something out.
arctic silver has silver in it. arctic silver claims it's electrically non conductive.
http://www.arcticsilver.com/as5.htm
True.
 
Quote
consumer intel cpus use a plastic mounting system. many amd processors do as well. however there are some that bolt to a metal backplate which is shielded with plastic/rubber to prevent shorting the board.
server processors usually use a metal backplate,
Yup
Quote
which has the rubber/plastic shield on it to prevent shorting the board.
aftermarket heatsinks use the stock intel mounting holes, or the aforementioned metal backplate. as far as kb insecurities, nothing beats a hardware inline dongle to intercept keystrokes. but then again, that requires physical access. with physical access, it's game over.
Agreed
Quote
intercepting the (usually) unencrypted wireless communications from a kb/mouse is always a possibility.

/*edit*/
i added "electrically" to the arctic silver claim for clarity

Alright, let's get a couple of things straight.
Are we talking magnetic or electrical antennas ?
Please read this entire article - it's the most basic, fundamental description of the technology that I could find.
https://interferencetechnology.com/antenna-fundamentals/
Do you notice how an insulated (condenser - capacitor) setup is ideal for how an electrical (not magnetic field) antenna works ?
Quote
consumer intel cpus use a plastic mounting system. many amd processors do as well. however there are some that bolt to a metal backplate which is shielded with plastic/rubber to prevent shorting the board.
That's a condenser / capacitor.    ^^^^^
Wasn't your main point that the cpu's are [electrically] insulated (capacitor action) from the heatsink ?
The example I was using was a magnetically coupled heat-pipe [loop inductor]... but it works better as an electrically coupled heat-pipe antenna.
Take a look here at a loop FM transmitter (which is magnetically coupled, not electrically coupled). Pay special attention to the line about the tank circuit.
(Scroll down to " THE PROBLEM - POOR STABILITY ")
(Oh BTW - if you're into DIY, hit the Home link on this page - there are some awesome projects there.   ;)    )
http://www.techlib.com/area_50/Readers/Pilar/index.htm

(BTW - I've also built quite a few systems, for customers, so I'm not a novice in this area)   ;)

The point is, with a little electrical engineering, that heat pipe can be used as a fairly efficient transmitting antenna - even if it's not on a standard frequency.   ;)


Whistler

  • Drone Pilot
  • *****
  • Posts: 593
  • We call ourselves the Nightstalkers...
Re: Exploits And Mitigation
« Reply #24 on: October 03, 2018, 01:55:47 AM »
FED - Er...      Face-book strikes again.
https://thehackernews.com/2018/09/facebook-account-hacked.html

Whistler

  • Drone Pilot
  • *****
  • Posts: 593
  • We call ourselves the Nightstalkers...
Re: Exploits And Mitigation
« Reply #25 on: October 03, 2018, 02:07:01 AM »
Really, they're just making the public aware of this now ?

https://thehackernews.com/2018/09/uefi-rootkit-malware.html

wr250

  • Elluminati
  • ******
  • Posts: 1352
  • tux the magic penguin
Re: Exploits And Mitigation
« Reply #26 on: October 03, 2018, 06:03:54 AM »
Quote
True. Yup. Agreed.
Alright, let's get a couple of things straight.
Are we talking magnetic or electrical antennas ?
Please read this entire article - it's the most basic, fundamental description of the technology that I could find.
https://interferencetechnology.com/antenna-fundamentals/
Do you notice how an insulated (condenser - capacitor) setup is ideal for how an electrical (not magnetic field) antenna works ?
That's a condenser / capacitor.    ^^^^^
Wasn't your main point that the cpu's are [electrically] insulated (capacitor action) from the heatsink ?
The example I was using was a magnetically coupled heat-pipe [loop inductor]... but it works better as an electrically coupled heat-pipe antenna.
Take a look here at a loop FM transmitter (which is magnetically coupled, not electrically coupled). Pay special attention to the line about the tank circuit.
(Scroll down to " THE PROBLEM - POOR STABILITY ")
(Oh BTW - if you're into DIY, hit the Home link on this page - there are some awesome projects there.   ;)    )
http://www.techlib.com/area_50/Readers/Pilar/index.htm

(BTW - I've also built quite a few systems, for customers, so I'm not a novice in this area)   ;)

The point is, with a little electrical engineering, that heat pipe can be used as a fairly efficient transmitting antenna - even if it's not on a standard frequency.   ;)



as i stated in an earlier post, antennas (magnetic or not) need to be tuned to a specific frequency for transmit. a randomly sized hunk of metal used as a processor back plate will not be a very good transmit antenna. also you have other interference such as hard drive activity, power supply radio noise, and other components that generate electrical noise. it is not feasible to monitor such noise for any real data. unless something happens to be a nearly perfectly tuned length to suffice as a "transmit antenna" then it's pretty much hopeless, unless you are within a few feet of the device, in which case you have physical access anyways. game over at that point.
can we agree to disagree on this?

/*edit*/
this is why the police simply seize computers, to gain physical access. yes even the FBI. because it's not feasible to use tempest monitoring on a computer tower. the monitor may be a different story though.

wr250

  • Elluminati
  • ******
  • Posts: 1352
  • tux the magic penguin
Re: Exploits And Mitigation
« Reply #27 on: October 05, 2018, 04:56:17 AM »
a relatively new exploit:
some supermicro server motherboards manufactured after 2014 (real start date unknown) to late 2016, have an extra chip on the motherboard that is not part of supermicro's design. it was added in production to some server boards, the number of which is unknown. the chip looks like a power regulator, but isn't. it can steal the stream of data going to and from the cpu, and report back to an unknown internet server when the server is idle (periods of low cpu activity). since it has the datastream access it can inject commands and/or alter them.

affected companies :
Amazon (amazon reported this  when they found it during a security audit of the servers)
Apple
and about 30 other companies.
it is suspected this is a state sponsored hack (since the parts were manufactured in china, and had the chip upon leaving china) and the US govt is extremely interested in this hardware hack.

amazon has removed the problem servers, and Apple has terminated its supermicro contract (allegedly for other reasons) and gone with another company for its servers.

it should be noted this chip was not "added on later", it was added during production of the board. apparently that chip had an obvious failure when amazon found it.

wr250

  • Elluminati
  • ******
  • Posts: 1352
  • tux the magic penguin
Re: Exploits And Mitigation
« Reply #28 on: October 05, 2018, 05:05:21 AM »
it should be noted that this is an attack which the US govt has warned against for years and has employed itself, usually after board manufacture, but before the board gets installed. yes your govt does this, so it isn't too unreasonable that others do as well.
china has a unique position: the boards are manufactured within its borders, and it has the money/technology to insert said chips during mobo manufacture without anyone being the wiser.

Walks_At_Night

  • Hall Of Famer, Morg!
  • Ellevated
  • *****
  • Posts: 16085
  • Morg!
Re: Exploits And Mitigation
« Reply #29 on: October 05, 2018, 06:08:21 AM »
Quote
it should be noted that this is an attack which the US govt has warned against for years and has employed itself, usually after board manufacture, but before the board gets installed. yes your govt does this, so it isn't too unreasonable that others do as well.
china has a unique position: the boards are manufactured within its borders, and it has the money/technology to insert said chips during mobo manufacture without anyone being the wiser.

I'm following this one with interest WR.   Once upon a time I was in the server business - still miss it.   Fascinating that Apple got bit by this.