While we’re waiting for me to finish up the next Paranoid PC article, check out this piece I ran into from SANS.  $3,000 worth of equipment is all it takes a researcher to breach a computer that’s not connected to a network and they do not have direct physical access to.

Depending on what you’re doing, even a heavily locked down computer may still be vulnerable to this kind of attack, even a computer like the one we’re building.

The folks we foresee ourselves in conflict with are smart, extremely well funded, and can pretty much act with impunity.  Act wisely.

Via SANS:

Researchers Say They Breached Air Gapped Computer (February 16, 2016)

Researchers at Tel Aviv University and Technion Research and Development say they managed to break into an air-gapped computer. The researchers measured radio waves emitted by the computer and with that information, were able to discern a cryptographic key. For the attack to be successful, would-be cyberintruders would need to be within several meters of the targeted device and to have US $3,000 worth of equipment. However, the researchers required only a few seconds of monitoring to gather the information they needed.
http://www.csmonitor.com/Technology/2016/0216/How-researchers-hacked-a-computer-
that-wasn-t-connected-to-the-Internet

[Editor’s Note (Williams): While this isn’t the sort of attack we should expect to see frequently, it is something we need to add it to our threat models (DoD has for years with the TEMPEST program). Many organizations have leased office space and share internal office walls with untrusted parties. If the researchers can penetrate a 15cm wall and get data several meters away with a $3000 rig, imagine what a well-funded adversary can achieve.]

About

Steve is a father of two, husband of one, devoted follower of Christ, IT guy, and jack of all trades. He's a liberty activist, blogger, gun lover, and general class radio operator. He read entirely too much Heinlein as a child and routinely fails at his attempts to become the "competent man".

Clef two-factor authentication