by Unknown
Advanced Criminal Investigations and Intelligence Operations
To connect to a Wi-Fi LAN, a computer has to be equipped with a wireless network interface controller. The combination of computer and interface controller is called a station. All stations share a single radio-frequency communication channel. Transmissions on this channel are received by all stations within range. A carrier wave is used to transmit the data in packets, referred to as Ethernet frames. Each station is constantly tuned in on the radio-frequency communication channel to pick up available transmissions.
Piggybacking refers to access to a wireless Internet connection by bringing one’s own computer within the range of another’s wireless connection and using that service without the subscriber’s explicit permission or knowledge. Piggybacking often occurs unintentionally, since most access points are configured without encryption by default and operating systems can be configured to connect automatically to any available wireless network. A user who happens to start up a laptop in the vicinity of an access point may find the computer has joined the network without any visible indication. A user intending to join one network may instead end up on another one if the latter has a stronger signal.
Using Bluetooth Technology
Bluetooth is a wireless technology standard for exchanging data over short distances, using short-wavelength radio transmissions in the industrial, scientific, and medical (ISM) radio band from 2400 to 2483.5 MHz (including guard bands) from fixed and mobile devices, creating personal area networks (PANs) with high levels of security. Each channel has a bandwidth of 1 MHz. The first channel starts at 2402 MHz and continues up to 2480 MHz in 1 MHz steps. It usually performs 800 hops (1 MHz step changes) per second, with adaptive frequency hopping (AFH) enabled. Bluetooth provides a secure way to connect and exchange information between devices such as digital cameras, faxes, GPS units, laptops, mobile phones, personal computers, printers, telephones, and video game consoles.
Any Bluetooth device in discoverable mode will transmit the following information on demand:
• Device name
• Device class
• List of services
• Technical information (e.g., device features, manufacturer, Bluetooth specification used, clock offset)
Any device may perform an inquiry to find other devices to connect to, and any device can be configured to respond to such inquiries. However, if the device trying to connect knows the address of the device, it always responds to direct connection requests and transmits the information shown in the
aforementioned list if requested. Use of a device’s services may require pairing or acceptance by its owner, but the connection itself can be initiated by any device and held until it goes out of range. Some devices can be connected to only one device at a time; connecting to them prevents them from connecting to other devices and from appearing in inquiries until they disconnect from the other device.
Every device has a unique 48-bit address. However, these addresses are generally not shown in inquiries. Instead, friendly Bluetooth names are used, which can be set by the user. This name appears when another user scans for devices and in lists of paired devices.
Prior to Bluetooth v2.1, encryption was not required and could be turned off at any time. Moreover, the encryption key is only good for approximately 23.5 hours; using a single encryption key longer than this allows simple XOR attacks to retrieve the encryption key. Turning off encryption is required for several normal operations, so it is difficult to tell whether encryption has been disabled for a valid reason or for a security attack.
Bluetooth v2.1 addresses this in the following ways: (1) encryption is required for all non-Service Discovery Protocol (SDP) connections; (2) a new encryption pause and resume feature is used for all normal operations that require encryption to be disabled, making normal operation easy to distinguish from security attacks; and (3) the encryption key is required to be refreshed before it expires. Link keys may be stored on the device file system, not on the Bluetooth chip itself. Many Bluetooth chip manufacturers allow link keys to be stored on the device; however, if the device is removable, this means that the link key will move with the device.
Bluejacking is the sending of a picture or a message from one user to an unsuspecting user through Bluetooth wireless technology. Common applications include short messages; bluejacking does not involve the removal or alteration of any data on the device. Bluejacking can also involve taking control of a mobile device wirelessly, etc. (There’s always something new!)
9 Emanations Intelligence
Emanations intelligence (EMINT) involves the investigation and study of compromising emissions (CEs), also known as TEMPEST. Compromising emanations are unintentional data-related or intelligence-bearing signals which, when intercepted and analyzed, may disclose the information transmitted, received, or processed by any information-processing equipment.
Emanations may consist of (1) electromagnetic emanations or emissions (space radiations, stray magnetic fields, conducted signals, and power-line modulation) and (2) acoustic emanations or emissions. An example of the latter is the reading of emanations generated by the keystrokes of a computer (sound waves produced by mechanical motions and striking parts in a functional relationship to the information being processed).
The early discovery and technology of this source became known as van Eck phreaking. In 1985, Wim van Eck published the first unclassified technical analysis of the security risks of emanations from computer monitors. His findings created a stir in the intelligence and security community, which had believed that such monitoring was a highly sophisticated and technologically advanced attack methodology. Van Eck demonstrated that he could successfully eavesdrop on a computer system from hundreds of feet away, using a television set and $15 worth of electronic equipment. Such emanations are still referred to as van Eck radiation and the eavesdropping technique as van Eck phreaking.
The term compromising emanations rather than radiation is used because the compromising signals can and do exist in several forms, such as magnetic and electric field radiation, line conduction, or acoustic emissions.
Government researchers were already aware of the danger of such emanations: Bell Laboratories reported this vulnerability in secure TTY communications as early as WWII and was able to recover 75% of the plaintext being processed in a secure facility from a distance of 80 feet. The NSA published Tempest Fundamentals, NSA-82-89, NACSIM 5000, NSA (Classified), on February 1, 1982.
Compromising emanations consist of electrical, mechanical, or acoustical energy intentionally or unintentionally emitted by sources within equipment and systems that process information. This energy may relate to encrypted messages or to information being processed in such a way that it can lead to recovery of the plaintext. CE can be propagated through space and through available conductors. The interception and propagation ranges and analysis of such emanations are affected by a variety of factors, such as the functional design of the information-processing equipment, system and equipment installation, or environmental conditions related to physical security and ambient noise.
Computers and other electronic equipment emit interference into the surrounding environment. For example, if two video monitors are placed close together, the images will behave erratically until you space them apart. Any electrical or electronic circuit that carries a time-varying current will emanate electromagnetic signals with the strength of the emission proportional to the current amplitude and its time rate of change. These signals propagate from the source as free space waves and guided waves along conductors connected or close to the radiator. If time variations of the source currents are related in any way to the information content of the signals, the emanation will also have some relationship to the data, making it possible to reconstruct the original information into intelligence through analysis of these emissions.
The term TEMPEST, coined in the late 1960s and early 1970s, refers to the field of Emissions or Emanations Security (EMSEC) and is a codename for NSA operations to secure electronic communications equipment from eavesdroppers and to intercept and interpret those signals from other sources. The term TEMPEST is not an acronym and does not have any particular meaning, although it is sometimes expanded as
• Transmitted Electro-Magnetic Pulse/Energy Standards & Testing
• Telecommunications Electro-Magnetic Protection, Equipment, Standards & Techniques
• Transient Electro-Magnetic Pulse Emanation Standard
• Telecommunications Electronics Material Protected from Emanating Spurious Transmissions
Insiders even jokingly refer to it as “Tiny Electro-Magnetic Particles Emitting Secret Things.”
Measurement and Signature Intelligence
MASINT is scientific and technical intelligence information obtained by quantitative and qualitative analysis of data (metric, angle, spatial, wavelength, time dependence, modulation, plasma, and hydromagnetic) derived from specific technical sensors for the purpose of identifying any distinctive features associated with the source, emitter, or sender and to facilitate subsequent identification and/or measurement of the same.
Things That Are Vulnerable to Hacking
Automobiles. Car thieves can unlock your car and start it by sending it a text message or two. Many automotive systems, such as OnStar, use the same type of cellular technology as a common cell phone. The same hack could potentially affect infrastructure like power grids and traffic systems.
Baby monitors. Baby monitors have been around for a long time, and video-equipped versions have become popular. What most users probably don’t realize is that the dozen or so wireless channels that these helpful devices use can often be picked up by anyone with a similar device or a wireless receiver. Newer baby monitor models feature frequency hopping technology that changes channels randomly to ensure privacy.
Garage door openers. Hackers can easily modify a standard door opener to accept a USB port, and software is available on the web to modify how it operates. This vulnerability is typically an issue only for older garage door systems; newer openers use a more secure rolling code that changes each time it is used.
Medical implants. High-tech medical devices like pacemakers and insulin pumps that use a wireless signal for easy tweaking are vulnerable to anyone with the correct reprogramming hardware. Unfortunately, the signal they use is not encrypted, meaning that anyone who finds a way to obtain such a device could literally manipulate the heart of a patient, causing cardiac arrest or even death. Insulin pumps are apparently even more susceptible to outside interference and may be vulnerable from distances of up to a half mile. Using radio antennas, hackers can hijack a pump’s wireless signal and cause it to change the insulin rate, with potentially lethal results.
Human brain. Because of the immense amount of data that the human brain can hold, scientists have been attempting to crack our internal hard drives for quite some time. Researchers have begun to translate the trillions of impulses that go on in our heads into readable data. DARPA has been funding a program to reverse engineer the human brain in an effort to mine its computational abilities.
Computer Anonymity, Privacy, and Security
There is a difference between computer anonymity, privacy, and security. Anonymity is merely concealing one’s identity, for example, the concealment or masking of an e-mail address. Privacy involves more than mere masking: complete concealment or invisibility, even from your system administrator, for example, through codes or encryption. Security involves active countermeasures to prevent threats from succeeding. Anonymity and privacy (cover and concealment) are the first steps to take, by depriving the threat of knowing of your existence or whereabouts.
E-mail is like dropping a post card in the mail. Without an envelope, it is subject to observation. An anonymous e-mail remailing system (a pseudo-anonymous server) is much like an electronic mail drop. Users are given an anonymous e-mail address to which other people can send e-mail. That e-mail is then forwarded to their real e-mail address. The system can also post or mail the user’s e-mail without a trace of their real e-mail address. To add privacy, encryption is a good idea. A few potential sites include
• http://www.cs.berkeley.edu/~ralph/remailer-list.html (University of California at Berkeley)
• http://www.compulink.co.uk/~net-services/jd.htm (re-mailer and encryption software)
• http://www.anonymizer.com (keeps your web browsing anonymous)
• http://www.micros.hensa.ac.uk/gci-bin/msg2html/path=micros/mac/finder/g/g119 (automatically deletes cookies from the Preference folder after each web session)
• http://www.emf.net/~mal/cookiesinfo.html
• http://www.simtel.net/pub/simtelnet/win3/inet/ns-demo2.zip
• http://www.shareware.com
• http://java.sun.com/sfaq/index.html (removes applets; an applet is a Java program that runs from inside a web browser, and a hostile applet exploits and monopolizes a computer system’s resources inappropriately and is a threat to security)
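The mail-drop behaviour described above, modelled as an added example that is not code from the book or from any of the listed services: a real mailbox gets a stable alias, mail to the alias is forwarded, and mail leaving through the alias keeps only an allowlist of headers so that Received, Message-ID and similar path or origin headers never reach the recipient. The domain, the alias format and the sample message are constructed assumptions.

```python
from email import message_from_string, policy
from email.message import EmailMessage

# Only these headers survive a pass through the remailer. Received, Message-ID,
# X-Originating-IP, X-Mailer and anything else that could identify the real
# sender or the path the message took are dropped simply by not being copied.
PASSTHROUGH_HEADERS = ("To", "Cc", "Subject", "Date")

# Constructed sample message (not from the book); the tracing headers are the
# kind a mail client and each relay add along the way.
SAMPLE_OUTBOUND = """\
From: alice@home.example
To: editor@paper.example
Subject: tip
Message-ID: <1@home.example>
X-Originating-IP: [192.0.2.10]
Received: from laptop (192.0.2.10) by home.example

the body
"""


class Remailer:
    """Pseudonymous remailer model: one stable alias per real mailbox."""

    def __init__(self, domain):
        self.domain = domain          # assumed alias domain, e.g. remailer.example
        self._real_by_alias = {}
        self._alias_by_real = {}

    def register(self, real_address):
        """Hand out (or look up) the alias for a real mailbox."""
        if real_address not in self._alias_by_real:
            alias = f"an{len(self._alias_by_real) + 1:05d}@{self.domain}"
            self._alias_by_real[real_address] = alias
            self._real_by_alias[alias] = real_address
        return self._alias_by_real[real_address]

    def inbound(self, raw):
        """Mail addressed to an alias is forwarded to the real mailbox; None = drop."""
        msg = message_from_string(raw, policy=policy.default)
        real = self._real_by_alias.get(str(msg["To"]))
        if real is None:
            return None
        fwd = EmailMessage()
        fwd["From"] = str(msg["From"])
        fwd["To"] = real
        fwd["Subject"] = str(msg["Subject"])
        fwd.set_content(msg.get_content())
        return fwd

    def outbound(self, raw):
        """Mail from a registered user leaves with only the alias visible; None = drop."""
        msg = message_from_string(raw, policy=policy.default)
        alias = self._alias_by_real.get(str(msg["From"]))
        if alias is None:
            return None
        out = EmailMessage()
        for name in PASSTHROUGH_HEADERS:
            if msg[name] is not None:
                out[name] = str(msg[name])
        out["From"] = alias           # replies come back through the remailer
        out["Reply-To"] = alias
        out.set_content(msg.get_content())
        return out
```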
Encryption hides information behind a façade of nonsensical code. Encryption and decryption here rely on a pair of keys: one to encrypt (used by the sender) and one to decrypt (used by the receiver). The sender encrypts the message using the receiver’s (recipient’s) public key. The recipient then uses his or her private key to decode or decrypt the message received.
The public key encryption program PGP was designed by Phil Zimmermann in 1991 and was considered the encryption standard. Most of the websites I checked were out of date. (Note: Encryption programs are considered munitions and are subject to export restrictions under the International Traffic in Arms Regulations or ITAR; refer to 15 C.F.R. 734.2(b) (1997) and 15 C.F.R. 744.9 (1997).)
Steganography, the technology of hiding files within files, is the science of communication that obscures the existence of the communication by hiding (in a virtually undetectable manner) messages within surplus space within picture and sound files.
Cryptonomics is the marriage of cryptography and economics to provide secure transactions online through digital cash (electronic currency) or virtual cash. One web page on this is http://www.clickshare.com/clickshare (which tracks and monitors online digital cash purchases for the purchaser).
Security is the final phase of privacy, anonymity, and security, and it begins with a good password. Computers connected to a network for communicating with each other use a protocol or language called TCP/IP.
It should be obvious that when choosing a password, users should select one that is not obvious or easily guessed. Crackers identify users’ passwords and can use them to access files and data, read or send e-mail and attachments, and access other parts of networks.
Passwords are only where security begins. A word on deleting files is warranted. Merely deleting a file does not completely eliminate it. Deleted files are still on the hard drive and are recoverable with undelete programs and forensic programs. To eradicate a file, users must overwrite it using a file wipe utility.
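What a file wipe utility does beyond a plain delete, as an added example (not code from the book): the file's bytes are overwritten with random data and forced to disk, the directory entry is renamed so the original name is gone too, and only then is the file unlinked. The file name, pass count and the caveat about modern storage in the comments are assumptions of this example.

```python
import os
import secrets
import tempfile


def overwrite_in_place(path, passes=3, chunk=1 << 16):
    """Overwrite every byte of the file with random data, `passes` times,
    forcing each pass through the OS cache. Returns total bytes written."""
    size = os.path.getsize(path)
    written = 0
    with open(path, "r+b") as fh:
        for _ in range(passes):
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk, remaining)
                fh.write(secrets.token_bytes(n))
                remaining -= n
                written += n
            fh.flush()
            os.fsync(fh.fileno())
    return written


def wipe_file(path, passes=3):
    """Overwrite, rename to a random name (so the old name no longer sits
    in the directory entry), then unlink. Returns True when the path is gone.
    Caveat (assumption about the host, not from the book): on SSDs and on
    journaling or copy-on-write file systems the overwritten blocks may not
    be the ones that held the original data, so this is not a guarantee."""
    overwrite_in_place(path, passes)
    directory = os.path.dirname(os.path.abspath(path))
    scrubbed = os.path.join(directory, secrets.token_hex(8))
    os.replace(path, scrubbed)
    os.remove(scrubbed)
    return not os.path.exists(path)


def demo():
    """Constructed demonstration: plant a file, overwrite it and confirm the
    content changed while the size did not, then wipe it completely."""
    tmpdir = tempfile.mkdtemp()
    target = os.path.join(tmpdir, "notes.txt")      # constructed file name
    with open(target, "wb") as fh:
        fh.write(b"secret plaintext\n" * 100)
    with open(target, "rb") as fh:
        before = fh.read()
    overwrite_in_place(target, passes=1)
    with open(target, "rb") as fh:
        after = fh.read()
    gone = wipe_file(target)
    os.rmdir(tmpdir)
    return len(before) == len(after) and before != after and gone
```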
Firewalls monitor traffic from inside and out to ensure that only selected communications are allowed to cross the threshold in either direction. (This is not protection against viruses.) Firewalls are custom made either to allow traffic in or to block traffic, based upon the access control policy for the network involved. Kerberos is a network security system that protects against internal threats from attempts to log in to another host in the network. Security Administrator Tool for Analyzing Networks (SATAN) is a tool that probes for and analyzes computer system vulnerabilities. (It can also be used by crackers to probe victims for weaknesses.)
Cell Phone Baseband Hacking
Smartphone hacks on iPhones and Android phones have been on the rise, and in 2011, a new threat was identified—hacking the cell phone signal itself or baseband hacking. Ralf-Philipp Weinmann of the University of Luxembourg showed off a pretty neat proof-of-concept hack at the Black Hat D.C. conference in Washington, DC.
Previously, mobile hacking involved the phone’s operating system or other software. This new threat involves breaking into the phone’s baseband processor, which is the hardware that sends and receives radio signals to and from cell towers. The baseband is the component in the iPhone that manages all the functions that require an antenna, notably all cellular services. The baseband processor has its own RAM and firmware in NOR flash, separate from the core resources, and functions as a resource to the main CPU. Wi-Fi and Bluetooth are managed by the main CPU, although the baseband stores their MAC addresses in its NVRAM.