Peter A Clarke

Data breaches can occur as easily in the public sector as the private sector.  In the public sector the consequences can be particularly worrying.  As with the personal details of 112,000 French police officers being put on line according to the BBC report French police hit by security breach as data put online.   This is all the more concerning given the murder of two police officers. As is commonly the case the first assumption about the cause of the breach, hacking by terrorists is not the likely cause.  The likely cause was the actions of a disgruntled worker.  An insider attack.  This bespeaks a break down in internal controls and probably lax security within the organisation.  Many data breaches are low tech affairs, with insiders having easy access to files that they shouldn’t have day to day access to.

The article provides:

The personal details of 112,000 French police officers have been uploaded to Google Drive in a security breach just a fortnight after two officers were murdered at their home by a jihadist.

A mutual organisation which provides extra health and other insurance benefits for police says the details were uploaded by a disgruntled worker.

It has said the files are protected by a password and there is no reason to believe details have been accessed.

The files include postal addresses.

The security breach comes two weeks after a police commander and his partner were stabbed to death at their home near Paris.

Their young child survived the attack by Larossi Abballa, who said he was acting on a call from so-called Islamic State (IS) to “kill infidels”.

RTL reports (in French) that the details of the officers, serving and retired, and their families, were uploaded to the Google Drive storage service on 2 June, where they were protected by a password.

It is unclear whether the person who uploaded the data took any further security measures to protect it.

Security experts say Google Drive does offer two-factor authentication but if it was not used, anybody who knew the password may have been able to access the data.

The mutual organisation concerned, Mutuelle Generale de la Police (MGP), told France TV Info that it had been the victim “of a malicious act on the part of an employee”.

A spokesman for the French police union, Nicolas Conte, told RTL that the incident was “extremely worrying”.

On a more high tech note Wired writes that researchers have found a way of stealing data from air gapped computers by using the sound emitted by the cooling systems, the fans, inside a computer.  It provides:

In the past two years a group of researchers in Israel has become highly adept at stealing data from air-gapped computers—those machines prized by hackers that, for security reasons, are never connected to the internet or connected to other machines that are connected to the internet, making it difficult to extract data from them.

Mordechai Guri, manager of research and development at the Cyber Security Research Center at Ben-Gurion University, and colleagues at the lab, have previously designed three attacks that use various methods for extracting data from air-gapped machines—methods involving radio waves, electromagnetic waves and the GSM network, and even the heat emitted by computers.

Now the lab’s team has found yet another way to undermine air-gapped systems using little more than the sound emitted by the cooling fans inside computers. Although the technique can only be used to steal a limited amount of data, it’s sufficient to siphon encryption keys and lists of usernames and passwords, as well as small amounts of keylogging histories and documents, from more than two dozen feet away. The researchers, who have described the technical details of the attack in a paper (.pdf), have so far been able to siphon encryption keys and passwords at a rate of 15 to 20 bits per minute—more than 1,200 bits per hour—but are working on methods to accelerate the data extraction.

“We found that if we use two fans concurrently [in the same machine], the CUPU and chassis fans, we can double the transmission rates,” says Guri, who conducted the research with colleagues Yosef Solewicz, Andrey Daidakulov, and Yuval Elovici, director of the Telekom Innovation Laboratories at Ben-Gurion University. “And we are working on more techniques to accelerate it and make it much faster.”

The Air-Gap Myth

Air-gapped systems are used in classified military networks, financial institutions and industrial control system environments such as factories and critical infrastructure to protect sensitive data and networks. But such machines aren’t impenetrable. To steal data from them an attacker generally needs physical access to the system—using either removable media like a USB flash drive or a firewire cable connecting the air-gapped system to another computer. But attackers can also use near-physical access using one of the covert methods the Ben-Gurion researchers and others have devised in the past.

We are trying to challenge this assumption that air-gapped systems are secure. Mordechai Guri

One of these methods involves using sound waves to steal data. For this reason, many high-security environments not only require sensitive systems be air-gapped, they also require that external and internal speakers on the systems be removed or disabled to create an “audio gap”. But by using a computer’s cooling fans, which also produce sound, the researchers found they were able to bypass even this protection to steal data.

Most computers contain two or more fans—including a CPU fan, a chassis fan, a power supply fan, and a graphics card fan. While operating, the fans generate an acoustic tone known as blade pass frequency that gets louder with speed. The attack involves increasing the speed or frequency of one or more of these fans to transmit the digits of an encryption key or password to a nearby smartphone or computer, with different speeds representing the binary ones and zeroes of the data the attackers want to extract—for their test, the researchers used 1,000 RPM to represent 1, and 1,600 RPM to represent 0.

The attack, like all previous ones the researchers have devised for air-gapped machines, requires the targeted machine first be infected with malware—in this case, the researchers used proof-of-concept malware they created called Fansmitter, which manipulates the speed of a computer’s fans. Getting such malware onto air-gapped machines isn’t an insurmountable problem; real-world attacks like Stuxnet and Agent.btz have shown how sensitive air-gapped machines can be infected via USB drives.

To receive the sound signals emitted from the target machine, an attacker would also need to infect the smartphone of someone working near the machine using malware designed to detect and decode the sound signals as they’re transmitted and then send them to the attacker via SMS, Wi-Fi, or mobile data transfers. The receiver needs to be within eight meters or 26 feet of the targeted machine, so in secure environments where workers aren’t allowed to bring their smartphones, an attacker could instead infect an internet-connected machine that sits in the vicinity of the targeted machine.

Normally, fans operate at between a few hundred RPMs and a few thousand RPMs. To prevent workers in a room from noticing fluctuations in the fan noise, an attacker could use lower frequencies to transmit the data or use what’s known as close frequencies, frequencies that differ only by 100 Hz or so to signify binary 1’s and 0’s. In both cases, the fluctuating speed would simply blend in with the natural background noise of a room.

“The human ear can barely notice [this],” Guri says.

The beauty of the attack is that it will also work with systems that have no acoustic hardware or speakers by design, such as servers, printers, internet of things devices, and industrial control systems.

The attack will even work on multiple infected machines transmitting at once. Guri says the receiver would be able to distinguish signals coming from fans in multiple infected computers simultaneously because the malware on those machines would transmit the signals on different frequencies.

There are methods to mitigate fan attacks—for example, by using software to detect changes in fan speed or hardware devices that monitor sound waves—but the researchers say they can produce false alerts and have other drawbacks.

Guri says they are “trying to challenge this assumption that air-gapped systems are secure,” and are working on still more ways to attack air-gapped machines. They expect to have more research done by the end of the year.