Subject: General Tech | June 5, 2016 - 02:18 PM | Scott Michaud
Tagged: security, Cyber Security, coil whine
As new hardware launches, many readers ask whether they produce any noticeable form of coil whine. For instance, this is an issue for graphics cards that are outputting a very high frame rate. The electronics create sound from the current oscillating as it flows through them. It can also be an issue for motherboards or power supplies as well. You can check out this fairly old video from LinusTechTips for a demonstration.
Image Credit: ACM
It turns out that, because this whine is related to the signal flowing through the oscillating circuit, security researchers are looking into the types of information that can be inferred from the whine. In particular, the Association for Computing Machinery (ACM) published a paper called Physical Key Extraction Attacks on PCs. It discusses several methods of attacking a device, such as reading minor fluctuations in its grounding plug or monitoring induced radiation with an antenna. Its headlining method is “Acoustic” though, which listens to coil whine sound produced by the computer, as it decrypts RSA messages that are sent to it, to gather the RSA secret key from it.
While they have successfully demonstrated the attack using a parabolic microphone at 33ft away, and a second demonstration using a mobile phone at 1ft away, the news should be taken with a grain of salt. Mostly, it's just interesting to realize that there's nothing really special about a computer. All it does is stores and processes data on whatever physical state we have available in the world. Currently, that's almost always radio-frequency radiation flowing through semiconductors. Whatever we use will have consequences. For instance, as transistors get smaller, to push more complex signals through a given surface area and power, we'll eventually run out of atoms.
This is just another, often forgotten side-effect: electric signals induce the transfer of energy. It could be electromagnetic, acoustic, or even thermal. In the realm of security, this could, itself, carry some of the data that we attached to our world's state, and allow others to access it (or sometimes modify it) without our knowledge or consent.
Subject: General Tech | July 15, 2011 - 05:37 PM | Tim Verry
Tagged: pentagon, hack, Cyber Security, cracking
If we thought that the antics of LulzSec and Anonymous were bad, the recent admission by the Pentagon that 24,000 files were stolen by an as yet identified to the public attacker is not good news at all. Exactly what was taken has not been released; however Deputy Defense Secretary William J. Lynn III said that the Pentagon believes the attacker was a foreign government and according to Fox News, Lynn stated that “’we have a pretty good idea’ who did it.”
The Pentagon attack was revealed to the public during a speech on Thursday as a preface to a newly proposed more active cyber-defense. The Pentagon believes that the threat of retaliation is not enough of a deterrent to stop attackers, and a more active defense is needed. The strategy includes a greater focus on defense rather than offensive measures, improving its workers’ computer habits to mitigate the risk of succumbing to viruses and malware, and calls for collaboration with other federal agencies, contractors, and foreign allies.
You can read more about the attack and the proposed defense to further attacks here.
Subject: Editorial, General Tech | May 5, 2011 - 08:35 AM | Tim Verry
Tagged: Internet, Education, Cyber Security
Microsoft recently posted a press release detailing the results of its sponsored study by the NCSA (National Cyber Security Alliance). The study sought to determine whom people believe bears the responsibility for teaching children how to protect themselves on the Internet, as well as what the current situation is as far as K-12 students’ level of preparedness and education. The executive director of the NCSA, Michael Kaiser, had this to say:
“Just as we would not hand a child a set of car keys with no instruction about how to drive, we should not be sending students out into the world without a solid understanding of how to be safe and secure online."
According to Microsoft, the NCSA advocates for a “comprehensive approach” to teaching children from K-12 how to stay safe and secure online. While the consensus seems to be that students do need educated in Internet security, people are divided on exactly who bears the primary responsibility for teaching children. Children’s teachers, parents, and even government leaders and law enforcement have all been raised as possible responsible parties. The majority of teachers (80 percent) and school administrators (60 percent) surveyed are proponents of parents being responsible for teaching their kids about “digital safety, security, and ethics.” On the other hand, more than 50 percent of the IT coordinators surveyed believe that teachers are the ones that bear the most responsibility of educating kids. From the survey, one area where all groups do seem to agree is on the question of government responsibility in educating kids. Microsoft states that less than one percent believe law enforcement and government officials should bear the responsibility.
While cyber security is important for students to learn, as 97 percent of school administrators believe schools should have courses and an educational plan for students throughout their K-12 grades, only 68 percent of administrators “believe their schools or school districts are doing an adequate job of preparing students...”
The situation of adequate education looks even bleaker when teachers where surveyed. When asked whether they feel prepared to teach students adequately, 24 percent believed they were adequately prepared to talk about and educate kids on protecting personal information on the Internet, and 23 percent are comfortable teaching the risks of cyberbullying. Further, only one-third of teachers surveyed believe they are prepared to educated students on basic Internet security skills “such as password protection and backing up data.” The low numbers are attributed to the lack of professional development training that teachers are receiving. Microsoft states that “86 percent received less than six hours of related training.” Microsoft quotes Kaiser in saying that “America’s schools have not caught up with the realities of the modern economy. Teachers are not getting adequate training in online safety topics, and schools have yet to adopt a comprehensive approach to online safety, security and ethics as part of a primary education. In the 21st century, these topics are as important as reading, writing and math.”
In all of this, there is a ray of hope. Comparing the 2010 study to the NCSA’s 2008 study which you can read here, an increasing number of teachers believe cyber security and professional development training is a priority.More than 60 percent of school officials and teachers are interested in pursing further security training. This interest in training among teachers is up to 69 percent from 55 percent in 2008. IT coordinators and administrators are also becoming more interested in revamping the educational curriculum to better teach their students and workers. Further improvements in interest among educators pursuing further security training can be seen between the 2010 and the 2011 NCSA study. Also, slightly higher percentages exist across the board for teachers who have tought aspects of security in their classrooms compared to both the 2010 and 2008 studies.
On the other hand, while interest in training is increasing for teachers, from 2010 to 2011, security topics taught in clases have actually dropped. This is in addition to a decrease in teachers' beliefs that they bear responsibility in educating kids.
A comparison paper between the 2008 and 2010 study can be downloaded here (PDF).
What are your thoughts on this issue; who bears the primary responsibility in educating children on the importance of Internet safety?
Image 1 courtesy 2011 NCSA study. Image 2 courtesy 2008 to 2010 NCSA comparison study. Material is copyright NCSA, and used according to fair usage guidelines for the purpose of commentary and reporting.