Viability of power-line intrusions

Discussion in 'Windows Vista Security' started by FYIGMO, Mar 25, 2008.

  1. FYIGMO

    FYIGMO Guest

    If I connect my Vista laptop to a power outlet in public, such as an airport
    terminal, library, or coffee shop, how viable is the threat from someone
    gaining access to my computer via a power-line network? If the threat is
    viable today, what is the best method of stopping it?

    I know many people will say this is too unlikely and that other security
    threats are of much more concern to the average computer user, but with the
    increasing sophistication of ripoff artists either trying to steal your
    identity or pilfer your financial data I wouldn't assume the threat is not
    viable and not likely to increase in the future. After all, the federal
    government and the defense industry utilize TEMPEST, outlining the need for
    classified "Red Power" systems to protect computers from power-line
    monitoring and Van Eck monitoring as well, versus "Black Power" systems that
    are connected to the public grid. In fact, not too long ago the French were
    caught conducting industrial espionage by tapping into a local power grid and
    accessing information via power lines.

    Any thoughts would be welcome. Thanks.
     
    FYIGMO, Mar 25, 2008
    #1

  2. FYIGMO

    Smithsonian Guest

    There is no way really to prevent someone from accessing your computer. I'd
    say you wouldn't. I'd say don't enter any personal information.
     
    Smithsonian, Mar 25, 2008
    #2

  3. FYIGMO

    Alun Jones Guest

    Be realistic.

    If you are concerned about the kind of highly-motivated, well-funded and
    overly-technical attacker that would be able to deduce anything from
    monitoring your power usage (let alone inject anything through the power
    cable), you already work for an institution that can give you advice (such
    as "don't use your laptop... anywhere but in the office").

    Yes, Van Eck phreaking allows an observer with a large truckful of
    expensive equipment to get something of an idea of what's on your screen
    (with varying degrees of success and/or resolution) - provided there isn't a
    lot of interference. There are some interesting results with reading light
    levels from a CRT in a darkened room, but your laptop doesn't have a CRT.

    Your laptop power supply takes 50-60Hz alternating current, applies
    rectifiers (diodes) and smoothers (capacitors) to it, plus probably a
    significant level of other solid-state electronics, to create a more
    smoothed direct current signal. I've not heard of any attacks that can use
    fluctuating power drain to determine the activity on your system - that
    doesn't mean they don't exist or aren't possible, but if you truly fear
    that, carry a battery charger, and plug _that_ into the outlet; always work
    off battery.

    I'm pretty certain that there are no good attacks that allow any measure of
    control over your system through fluctuating the power supply, short of the
    obvious overloading, or de-powering.

    The short answer - if you think your opponents are smarter and richer than
    you, and they're interested in your information, stop using the information
    in places they can get to.

    Alun.
    ~~~~
     
    Alun Jones, Mar 27, 2008
    #3
  4. FYIGMO

    Jason Guest

    Get a good antivirus program such as Kaspersky and a free firewall like ZoneAlarm. Kaspersky has auto detect and will cut your chances of getting penetrated by 90%.


     
    Jason, Mar 28, 2008
    #4
  5. FYIGMO

    FYIGMO Guest

    I understand realism, which is why anyone would simply use battery power if
    they were that afraid of a power-line intrusion. The question is more
    theoretical at this time, but for how long? If there's two things I've
    learned over the years it's never underestimate the cunning and tenacity of
    criminals, and second is that computer software and hardware continues to
    increase in capability while dropping in price, resulting in home computers
    or laptops today that two or three decades ago would have taken "national"
    means to have owned and operated.

    Also, you wrote: "If you are concerned about the kind of highly-motivated,
    well-funded and overly-technical attacker that would be able to deduce
    anything from monitoring your power usage...."

    I clearly said in my original posting that power-line intrusions are used to
    collect data, not monitor your power usage. I suggest you read about the
    NSA's TEMPEST program and security requirements regarding it. Computer data
    can be just as easily collected via power lines as through a broadband
    connection, only it's much more covert. If governments and corporations can
    use it and are concerned with protection against it, then there's no reason
    to believe criminals have not, or will not soon, be using it.

    You also said: "The short answer - if you think your opponents are smarter
    and richer than you, and they're interested in your information, stop using
    the information in places they can get to."

    For now, you still have that option, but as companies and/or their products
    are increasingly connected to the web and cell networks, it won't be long
    before you don't have any choice. Have you ever tried operating a computer
    that's not connected to the internet? It's amazing how many programs won't
    function because the program can't communicate to the internet for reasons
    such as product verification, and when you try to communicate with the
    company they go into vapor lock (as though regular mail doesn't exist or is
    not an option anymore for communications) and fail or refuse to pass along
    authorization numbers, etc., for your legally owned software to function.

    I don't think it's a dumb question to be asking about criminals and
    power-line intrusions. As we all become more connected to the web for
    everyday needs and services, it's just another possible vulnerability to be
    concerned about.

    FYIGMO
     
    FYIGMO, Mar 30, 2008
    #5
  6. Well engineered laptops would have good filtering of the AC to DC conversion
    inbound as well as RF decoupling outbound. Nothing is perfect though, so
    there will be some leakage. This is not the same as 'access to my computer'
    in any command and control sense. It is data leakage only, and not very much
    at that.

    Back when I was more familiar with TEMPEST, laptops didn't exist. However,
    I'm reasonably sure the guidelines for sensitive data on laptops include not
    doing as you suggest. :eek:)
     
    FromTheRafters, Mar 30, 2008
    #6
  7. FYIGMO

    FYIGMO Guest

    That's why the threat is potentially so great. For example, some businessman
    is waiting to board his flight and using his computer in the terminal. The
    battery dies, and he's forced to plug in (good luck finding a plug!).
    Anyway, he may be doing something as simple as his home finances with Quicken
    and, BAM!, some thief who's accessed his laptop via the power lines has just
    tapped into his financial data. For people who are prudent with security
    that will never be a problem, but the scenario above describes the vast
    majority of computer users who innocently operate their computers yet are
    totally vulnerable to intrusion. Just more food for thought.

    FYIGMO
     
    FYIGMO, Mar 31, 2008
    #7
  8. No, it's not that simple. It would take much time to
    gather enough information from the data leakage
    to allow penetration of your system. The bad guy
    would have to invest much time gathering and then
    analyzing - just to get the merest crumbs.

    I'm reasonably sure there won't be enough time in the
    case of your businessman.

    Governments have to worry about such things because
    the bad guys know that the end result may prove worth
    the time and effort.
     
    FromTheRafters, Mar 31, 2008
    #8
  9. FYIGMO

    FYIGMO Guest

    I can see your point, but I'll still remain a bit paranoid when it comes to
    the tenacity of thieves. I read in the Wall Street Journal yesterday about a
    grocery chain's fiber optic network (thought to be secure) which was
    penetrated by malware, allowing the thieves to intercept customers' credit
    card numbers as they swiped them at the checkout counter. I figure that at
    some point these guys will resort to power-line intrusions of banks, etc.,
    because, as you mentioned, the financial gain is such that it is worth the
    time and effort of sifting through the data. In summary, I don't trust
    anyone these days....

    FYIGMO
     
    FYIGMO, Apr 2, 2008
    #9
  10. A healthy paranoia is a good thing. :eek:)
    I believe that that is my employer. I hadn't heard about
    the fiber optic angle though. Man in the middle attack
    is all I heard. I was wondering how the man got in the
    middle.
    [snip]
     
    FromTheRafters, Apr 3, 2008
    #10
  11. FYIGMO

    FYIGMO Guest

    You can read more about this story at the following URL:

    http://www.newser.com/story/23007.html

    It would be interesting to see if it is where you work. On a related
    subject, I just read a piece about a guy who encountered a network on his
    Apple in 2005 -- accessed through the power plug and the apartment's
    electrical wiring. After discovering the network (via OS X's Network
    Monitor), he disconnected the internet line. This had no effect on the
    exchange of information between his computer and the other system. The
    computer had no wireless capacity. The only option was the powerline.

    The Peripheral Monitor detected a second "Display" attached to his computer.
    After a while, he plugged more and more devices into vacant outlets on the
    power strip. After adding a TV, clock radio and cordless phone to the strip,
    the network vanished. About twenty minutes later, it was reestablished, using
    a process called "Python." He also discovered a user, named "Wheeler" who had
    "root user" access. Apparently, it turned out to be local police (Roseville,
    California) in the upstairs apartment conducting warrantless surveillance,
    which I assume immediately ceased as the above-mentioned computer user was an
    attorney.

    Comments?

     
    FYIGMO, Apr 4, 2008
    #11
  12. FYIGMO

    Alun Jones Guest

    And how would you collect data over the power line, if not by monitoring the
    power usage?
    Sure there is - if they can get credit card numbers, say, by paying someone,
    or indulging in a little light hacking of a badly-secured web-site, why on
    earth would they try and sink thousands of dollars into a truckful of
    electronics that they then would need to spend a few months learning how to
    use?

    It's different if you think someone is targeting you, of course. Then you
    have to theorise that there is no "easier target", because you're the one
    they want - is your data really so interesting? If it is, may I suggest not
    using an airport lounge or other public area to fetch your data?
    Power-line intrusions have nothing to do with "as we all become more
    connected to the web". You're needlessly expanding the discussion.

    If you have data that valuable and that secret, you stay off the web, and
    you use places you know to be safe. No compromise.

    Alun.
    ~~~~
     
    Alun Jones, Apr 7, 2008
    #12
  13. FYIGMO

    Alun Jones Guest

    While there are some network protocols that piggy-back on the electrical
    wiring, I've not heard of any that are included by default in a system's
    power connection. For it to show up in his own Network Monitor, it would
    have to be a legitimate network, and not simply one made by looking for
    patterns in power usage, such as you're describing.

    So, your clever attorney must have bought himself an "ethernet over power
    lines" network adaptor, plugged into it, and then forgotten that he'd done
    so.

    As for the dual display, my Mac is so crap at detecting displays plugged in
    or unplugged, that I wouldn't be at all surprised.

    More likely is that his system was acting strangely, and it was easier to
    blame outside influences than his own inability to use the computer. I've
    seen that _far_ more often than I've seen examples of security breaches that
    verge on the fantastic, if not the entirely impossible.

    Alun.
    ~~~~
     
    Alun Jones, Apr 7, 2008
    #13
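
A defender's check for the point made in post #13, that a powerline network only exists if a real adapter is attached: the sketch below scans captured Ethernet frames for the management EtherTypes registered to HomePlug powerline adapters. It is an added example, not part of the thread; the focus on the HomePlug family, the function names, and the sample frames and MAC addresses are assumptions constructed for illustration.

```python
import struct
from collections import Counter

# EtherTypes registered for HomePlug powerline management messages (MME).
# Assumption: the "ethernet over power lines" adapter is a HomePlug device.
HOMEPLUG_ETHERTYPES = {0x887B: "HomePlug 1.0 MME", 0x88E1: "HomePlug AV MME"}
VLAN_TAGS = {0x8100, 0x88A8}  # 802.1Q and 802.1ad tag identifiers


def parse_ethertype(frame: bytes):
    """Return (src_mac, ethertype) for an Ethernet II frame.

    VLAN tags are skipped. Truncated frames and 802.3 frames, whose
    type field is really a length, return None.
    """
    if len(frame) < 14:
        return None
    src = frame[6:12]
    offset = 12
    (ethertype,) = struct.unpack_from("!H", frame, offset)
    while ethertype in VLAN_TAGS:
        offset += 4  # skip the 2-byte tag id and 2-byte tag control field
        if len(frame) < offset + 2:
            return None
        (ethertype,) = struct.unpack_from("!H", frame, offset)
    if ethertype < 0x0600:
        return None
    return src.hex(":"), ethertype


def find_powerline_adapters(frames):
    """Map each source MAC that sent HomePlug management frames to a
    Counter of the protocol names seen from it."""
    seen = {}
    for frame in frames:
        parsed = parse_ethertype(frame)
        if parsed is None:
            continue
        mac, ethertype = parsed
        name = HOMEPLUG_ETHERTYPES.get(ethertype)
        if name:
            seen.setdefault(mac, Counter())[name] += 1
    return seen


def build_frame(dst, src, ethertype, vlan=None, payload=b"\x00" * 46):
    """Build a constructed test frame; dst and src are 12 hex digits."""
    header = bytes.fromhex(dst) + bytes.fromhex(src)
    if vlan is not None:
        header += struct.pack("!HH", 0x8100, vlan)
    return header + struct.pack("!H", ethertype) + payload


# Constructed sample capture: ordinary traffic plus two powerline devices.
SAMPLE_FRAMES = [
    build_frame("ffffffffffff", "020000000001", 0x0806),           # ARP
    build_frame("020000000001", "020000000002", 0x0800),           # IPv4
    build_frame("ffffffffffff", "0200000000aa", 0x88E1),           # HomePlug AV
    build_frame("ffffffffffff", "0200000000aa", 0x88E1, vlan=10),  # tagged
    build_frame("ffffffffffff", "0200000000bb", 0x887B),           # HomePlug 1.0
    b"\x00" * 10,                                                  # truncated
]

if __name__ == "__main__":
    for mac, counts in find_powerline_adapters(SAMPLE_FRAMES).items():
        print(mac, dict(counts))
```

An empty result on a real capture means no device on that wired segment was exchanging HomePlug management frames while the capture ran.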
  14. FYIGMO

    FYIGMO Guest

    The primary issue is not hiding secret data, but being able to make purchases
    via the web and not have your credit card info intercepted. At any rate,
    what you said is correct, one must use common sense whenever accessing the
    web and never compromise regarding personal/financial data and its security.
    Quite frankly, I'm more concerned about giving my credit card to a waiter or
    waitress (which I haven't done for years) than I am using it over the web.
    Later....

    FYIGMO
     
    FYIGMO, Apr 8, 2008
    #14
  15. Use encryption.
     
    FromTheRafters, Sep 15, 2009
    #15
  16. FYIGMO

    Paul Adare Guest

    Time to double up on your medications Lloyd.
     
    Paul Adare, Sep 15, 2009
    #16
  17. You're naive if you think power outlet intrusions only take place in public places!



    Posted as a reply to:

    Re: Viability of power-line intrusions


    Be realistic

    If you are concerned about the kind of highly-motivated, well-funded and
    overly-technical attacker that would be able to deduce anything from
    monitoring your power usage (let alone inject anything through the power
    cable), you already work for an institution that can give you advice (such
    as "don't use your laptop... anywhere but in the office")

    Yes, Van Eck phreaking allows an observer with a large truckful of
    expensive equipment to get something of an idea of what's on your screen
    (with varying degrees of success and/or resolution) - provided there isn't a
    lot of interference. There are some interesting results with reading light
    levels from a CRT in a darkened room, but your laptop doesn't have a CRT

    Your laptop power supply takes 50-60Hz alternating current, applies
    rectifiers (diodes) and smoothers (capacitors) to it, plus probably a
    significant level of other solid-state electronics, to create a more
    smoothed direct current signal. I've not heard of any attacks that can use
    fluctuating power drain to determine the activity on your system - that
    doesn't mean they don't exist or aren't possible, but if you truly fear
    that, carry a battery charger, and plug _that_ into the outlet; always work
    off battery

    I'm pretty certain that there are no good attacks that allow any measure of
    control over your system through fluctuating the power supply, short of the
    obvious overloading, or de-powering

    The short answer - if you think your opponents are smarter and richer than
    you, and they're interested in your information, stop using the information
    in places they can get to

    Alun
    ~~~~

     
    lloyd dettering, Sep 18, 2009
    #17
  18. AC and DC CAN BOTH BE ACCESSED! You're an expert? I doubt it!



    Posted as a reply to:

    Re: Viability of power-line intrusions


    Be realistic

    If you are concerned about the kind of highly-motivated, well-funded and
    overly-technical attacker that would be able to deduce anything from
    monitoring your power usage (let alone inject anything through the power
    cable), you already work for an institution that can give you advice (such
    as "don't use your laptop... anywhere but in the office")

    Yes, Van Eck phreaking allows an observer with a large truckful of
    expensive equipment to get something of an idea of what's on your screen
    (with varying degrees of success and/or resolution) - provided there isn't a
    lot of interference. There are some interesting results with reading light
    levels from a CRT in a darkened room, but your laptop doesn't have a CRT

    Your laptop power supply takes 50-60Hz alternating current, applies
    rectifiers (diodes) and smoothers (capacitors) to it, plus probably a
    significant level of other solid-state electronics, to create a more
    smoothed direct current signal. I've not heard of any attacks that can use
    fluctuating power drain to determine the activity on your system - that
    doesn't mean they don't exist or aren't possible, but if you truly fear
    that, carry a battery charger, and plug _that_ into the outlet; always work
    off battery

    I'm pretty certain that there are no good attacks that allow any measure of
    control over your system through fluctuating the power supply, short of the
    obvious overloading, or de-powering

    The short answer - if you think your opponents are smarter and richer than
    you, and they're interested in your information, stop using the information
    in places they can get to

    Alun
    ~~~~

     
    lloyd dettering, Sep 18, 2009
    #18
  19. No anti-virus program will stop a powerline intrusion by the government's powerline intrusion. Microsoft gave them the Source Codes for the Windows O/S family and the anti-malware programs depend on the O/S first starting up before they can protect you; the gov. is in control BEFORE the anti-malware program starts up!



    Posted as a reply to:

    Re: Viability of power-line intrusions


    Be realistic.

    If you are concerned about the kind of highly-motivated, well-funded and
    overly-technical attacker that would be able to deduce anything from
    monitoring your power usage (let alone inject anything through the power
    cable), you already work for an institution that can give you advice (such
    as "don't use your laptop... anywhere but in the office").

    Yes, Van Eck phreaking allows an observer with a large truckful of
    expensive equipment to get something of an idea of what's on your screen
    (with varying degrees of success and/or resolution) - provided there isn't a
    lot of interference. There are some interesting results with reading light
    levels from a CRT in a darkened room, but your laptop doesn't have a CRT.

    Your laptop power supply takes 50-60Hz alternating current, applies
    rectifiers (diodes) and smoothers (capacitors) to it, plus probably a
    significant level of other solid-state electronics, to create a more
    smoothed direct current signal. I've not heard of any attacks that can use
    fluctuating power drain to determine the activity on your system - that
    doesn't mean they don't exist or aren't possible, but if you truly fear
    that, carry a battery charger, and plug _that_ into the outlet; always work
    off battery.

    I'm pretty certain that there are no good attacks that allow any measure of
    control over your system through fluctuating the power supply, short of the
    obvious overloading, or de-powering.

    The short answer - if you think your opponents are smarter and richer than
    you, and they're interested in your information, stop using the information
    in places they can get to.

    Alun.
    ~~~~

     
    lloyd dettering, Sep 18, 2009
    #19
  20. Van Eck? You're so old-hat!



    Posted as a reply to:

    Re: Viability of power-line intrusions


    Be realistic

    If you are concerned about the kind of highly-motivated, well-funded and
    overly-technical attacker that would be able to deduce anything from
    monitoring your power usage (let alone inject anything through the power
    cable), you already work for an institution that can give you advice (such
    as "don't use your laptop... anywhere but in the office")

    Yes, Van Eck phreaking allows an observer with a large truckful of
    expensive equipment to get something of an idea of what's on your screen
    (with varying degrees of success and/or resolution) - provided there isn't a
    lot of interference. There are some interesting results with reading light
    levels from a CRT in a darkened room, but your laptop doesn't have a CRT

    Your laptop power supply takes 50-60Hz alternating current, applies
    rectifiers (diodes) and smoothers (capacitors) to it, plus probably a
    significant level of other solid-state electronics, to create a more
    smoothed direct current signal. I've not heard of any attacks that can use
    fluctuating power drain to determine the activity on your system - that
    doesn't mean they don't exist or aren't possible, but if you truly fear
    that, carry a battery charger, and plug _that_ into the outlet; always work
    off battery

    I'm pretty certain that there are no good attacks that allow any measure of
    control over your system through fluctuating the power supply, short of the
    obvious overloading, or de-powering

    The short answer - if you think your opponents are smarter and richer than
    you, and they're interested in your information, stop using the information
    in places they can get to

    Alun
    ~~~~

     
    lloyd dettering, Sep 18, 2009
    #20