DOTE

Chain And Rate

Saturday, September 17, 2011

Fluke LANMeter

Instrumentation for performing TSCM services on computer networks.

TSCM services on computer networks are highly specialized activities that require a highly specialized background and extensive training. This specialized service requires the use of several instruments:

  • Hand-held Oscilloscope
  • Cable Scanner (100+ MHz/Cat-5)
  • "Dry Line" Time Domain Reflectometer w/ Cross-Talk Analysis
  • Network Traffic Analyzer/Protocol Analyzer
  • Computer with Packet Sniffing Software
  • Portable Spectrum Analyser

These instruments are used in addition to Oscilloscopes, Spectrum Analysers, Multi-meters, Search Receivers, NLJD, X-ray, and other regular TSCM equipment.

The Fluke LANMeter® provides an excellent instrument for TSCM teams. The "basic instrument" offers all the functions of a cable scanner, including a high quality dry-line TDR. The traffic analysis features are invaluable for identifying and tracing network abuse, hacker intrusions, and detecting covert eavesdropping devices on the network. The LANMeter® is also invaluable for performing periodic network audits and reviews.

The Fluke DSP-2000/DSP-4000 Cable Analyzer and Fluke 105B Scope Meter are also excellent instrumentation for TSCM inspections, and complement the LANMeter series well.

During a TSCM inspection an Oscilloscope will typically be the first instrument attached to the network being evaluated; the purpose is to observe the waveforms and signals present. In the event that a spread spectrum eavesdropping device has been installed on the network, the oscilloscope will provide rapid detection. The oscilloscope will also provide a quick indication of the voltages present, the amount of RF noise, and limited information about cross-talk. One thing to watch for is the presence of any signal that does not match the template of "what should be on the network". For example, why is there a steady 128 kHz, low-level PPCM signal riding on the Ethernet waveform?

The second instrument used will typically be the Portable Spectrum Analyser. This instrument is used to take a quick look at the RF spectrum being used by the network. Normally a network will contain a small amount of noise along with the primary signal and a number of harmonics. Watch for the presence of any signal that does not match what is typical for the type of network being tested. The Spectrum Analyser will also be used later when performing frequency domain and space domain inspections of the wiring closets.

Once all conductor combinations of the network have been carefully checked for foreign signals (using an Oscilloscope and Spectrum Analyser), a Network Traffic Analyzer is used to monitor all activity which occurs on each specific segment (or cable drop). The purpose is to identify any anomaly in network traffic which could indicate the use of eavesdropping software or a security weakness being exploited. A typical example of this would be the use of audio streaming or keystroke logging software, which have been popular methods for eavesdropping. (Why is the CEO's Windows NT box streaming audio and video to a computer located outside the company?)

A Network Traffic Analyzer will typically evaluate only the headers of the packets, and should allow the user to perform several basic network functions such as Ping, Trace Route, DNS lookups, and provide lists of found or active network addresses. At this point the TSCM specialist will have obtained a list of all network entities which should then be verified by a physical inventory.

In the event that suspicious activities are detected a Packet Sniffer can then be used to capture and analyze the suspect activities. A Network Traffic Analyzer is typically used to observe headers, and the Packet Sniffer is used only after suspect activity is noted. A Packet Sniffer should be utilized as little as possible as it raises serious security issues, privacy concerns, and will typically provide "too much information" regarding network traffic.

Prior to this point all tests have been non-invasive, fairly undetectable, and should not have alerted the eavesdropper that a TSCM inspection is in progress.

The TSCM specialist will now cause a segmented network outage (typically caused by turning off a router or hub) and will disconnect all associated wiring. This isolates a group of computers and wiring from the rest of the network, and will provide "appropriate cover" for the remainder of the TSCM inspection.

At this point the physical wiring will be checked for any eavesdropping device or anomaly. A cable scanner will be used to provide a basic wire map, and a TDR will be used to check for cable splices or taps. Once the cable has been "mapped-out" and its length determined with a TDR, a near-end/far-end cross-talk analysis will be performed to locate inductively or capacitively isolated devices. Products such as the Fluke DSP-2000 or DSP-4000 are ideal for testing the physical wiring, and will also provide highly accurate cross-talk analysis.

It may also be beneficial to perform a Sweep Analysis of the cabling (with a Spectrum Analyzer and Sweep Generator) to identify any frequency response related anomalies.

Be sure to check all conductor combinations, and all references to ground, and structural components for signal paths. When checking UTP wiring be sure to check all four cable pairs, and check the voice cabling at the same time (easy to do when four Smart Remotes are being used), but ensure that all cabling is "dry" (has no signal on it) before performing any tests.

Before bringing the network back online, always connect/re-connect the Traffic Analyzer to watch for any suspicious activity immediately after the network is brought back online. Eavesdropping software will often attempt to re-connect to the host immediately after the network comes back on-line.

Also, perform a visual inspection on all cable and wiring which can be accessed (yes, this will involve climbing a ladder and moving ceiling tiles), and open up all wall-boxes and inspect them with a borescope.
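The header-only traffic triage described above (active-host list checked against the physical inventory, a host streaming large volumes to an outside address, and software that reconnects the moment the segment comes back online) as an added example in Python; this is not part of the original post or any Fluke tool. The flow records, the internal prefix, the inventory and the link-restoration time are all constructed assumptions.

```python
"""Header-only flow triage for a network TSCM inspection (added example).
All records, addresses and the inventory below are constructed."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")                    # assumed internal range
INVENTORY = {"10.0.1.10", "10.0.1.11", "10.0.1.20", "10.0.2.53"}  # hypothetical physical inventory
LINK_RESTORED_AT = 1000.0                              # assumed time the segment came back up

# Constructed flow records: (time_s, src, dst, dst_port, bytes).
# Headers only, no payload: this is the traffic-analyzer stage, not the packet sniffer.
FLOWS = [
    (1000.3, "10.0.1.10", "203.0.113.5", 443, 2_000_000),   # internal box -> outside, right after link-up
    (1001.0, "10.0.1.10", "203.0.113.5", 443, 2_100_000),
    (1002.0, "10.0.1.10", "203.0.113.5", 443, 1_900_000),
    (1040.0, "10.0.1.11", "10.0.2.53", 53, 120),            # ordinary internal DNS
    (1050.0, "10.0.1.99", "10.0.1.10", 445, 800),           # address not in the inventory
]

def active_hosts(flows):
    """Every internal address seen in the headers; this is the list to verify physically."""
    seen = set()
    for _, src, dst, _, _ in flows:
        for addr in (src, dst):
            if ip_address(addr) in INTERNAL:
                seen.add(addr)
    return seen

def unknown_hosts(flows):
    """Addresses active on the wire but missing from the physical inventory."""
    return active_hosts(flows) - INVENTORY

def sustained_external_streams(flows, min_bytes=1_000_000, min_flows=3):
    """Internal hosts pushing repeated large flows to a non-internal address."""
    counts = defaultdict(int)
    for _, src, dst, _, nbytes in flows:
        if ip_address(src) in INTERNAL and ip_address(dst) not in INTERNAL and nbytes >= min_bytes:
            counts[(src, dst)] += 1
    return sorted(pair for pair, n in counts.items() if n >= min_flows)

def early_reconnects(flows, window_s=5.0):
    """Hosts that reach outside within window_s of the segment coming back online."""
    hits = set()
    for t, src, dst, _, _ in flows:
        if LINK_RESTORED_AT <= t <= LINK_RESTORED_AT + window_s and ip_address(dst) not in INTERNAL:
            hits.add(src)
    return sorted(hits)
```

Each finding is only a lead for the physical inventory and, if warranted, the packet sniffer stage; the thresholds are arbitrary and should be tuned to the segment being inspected.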

HealthWatch: Better Robotic Hands Improving Lives

Revolutionary New Prosthetic Technology Giving Amputees' Higher Quality Of Life

There's been a medical breakthrough, as revolutionary robotic hand technology is changing lives.

The prosthetic hand actually has individually functioning fingers, which allows patients to do things they never thought possible. Erminio Bugliana is a painter who struggles with his brush. He lost one hand, and the other was badly mangled, in a fireworks accident 20 years ago.

"You learn to become patient, or you can just go out of your mind," Bugliana said.

Now, after two decades, a seemingly impossible dream is coming true for the 52-year-old artist. Bugliana was amazed when he got his new robotic hand for the very first time. It's a revolutionary prosthetic called "I-Limb," and it's the first artificial hand that can move fingers independently. "It's really unbelievable," Bugliana said. "There's just so many things going through my mind, in regards to life being so much easier."

Things like holding a cup or grabbing a credit card would be made much more simple by the new technology.

The robotic hand works with nerves and muscles in the forearm, where the hand is attached. Bugliana flexes certain muscles to make the hand move in different ways. "The microprocessor in here is basically the whole thing that makes it work independently, plus there's a motor in each individual digit," Dr. Jared Howell, a physical therapist, said. "They outdid themselves on this one," Bugliana says. And now, with a glove that allows for a better grip, Bugliana will be able to ride a motorcycle. More importantly, after two decades of dreaming and hoping, Bugliana is back to holding a brush and painting, his life back in his hand. "It's funny how God can take something away, but also he can give it back," Bugliana said.

Bugliana's also looking forward to cutting a steak and driving a car, and simple everyday tasks like buttoning his shirt. The new robotic hand is covered by insurance, and it's expected to be used by veterans who lose hands in combat. Most prosthetic hands currently available are limited to a claw-like grasping motion.

Light powers nanomachine

Combine a light-guiding chip and optical tweezers and you have a nanomachine powered by light.

The prototype is a sliver of semiconductor material that vibrates and channels light. The device shows the potential for nanoscale machines driven by light rather than electricity, which broadens the range of possibilities for nanomachines.

The device could be used for ultrasensitive sensors and high-speed communications devices that use little power.

Research paper:
Harnessing Optical Forces in Integrated Photonic Circuits
Nature, November 27, 2008

Researchers' homepages:
Yale NanoDevices Laboratory
Nanophotonics Lab, University of Washington

Related stories and briefs:
Laser tweezer traps nanotubes -- precursor research

Friday, September 16, 2011

Automated Source Code Analysis Tools

There are several publicly available tools that attempt to perform static analysis of source code and automatically detect vulnerabilities. Most of these are useful as a starting point for a novice auditor, but none of them have progressed to the level of replacing a thorough audit by an experienced person. Many large software vendors use static analysis tools in-house to detect simple vulnerabilities before they make it into production code. However, the shortfalls of these tools are obvious. Nonetheless, they can be a useful place to get a quick start on a large and relatively un-audited source tree.

Splint is a static-analysis tool designed to detect security problems within C programs. With annotations added to programs, Splint has the ability to perform relatively strong security checking. The analysis engine has in the past been shown to detect security problems such as the BIND TSIG overflow automatically (albeit after they were already known). Although Splint has trouble dealing with large and complex source trees, it's still worth looking at. It is developed by the University of Virginia and can be found at www.splint.org/.

CQual is an application that evaluates annotations that have been added to C source code. It extends the standard C type qualifiers with additional qualifiers such as tainted, and has logic to infer the qualifiers of variables whose qualifiers have not been explicitly defined. CQual can detect certain vulnerabilities such as format string bugs; however, it will not find some of the more advanced issues that can be discovered by manual analysis. CQual was written by Jeff Foster and can be downloaded from www.wiley.com/compbooks/koziol.
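To make the qualifier-inference idea concrete, here is a toy re-implementation of the approach in Python (an added example, not CQual's own code or its annotation syntax). It uses a two-point lattice (untainted below tainted): each assignment and each call argument generates a subtyping constraint, unannotated variables such as buf and s are inferred by propagating tainted to a fixpoint, and a tainted value reaching a parameter declared untainted is reported. The prelude annotations for getenv and printf and the two constructed programs are assumptions.

```python
"""Toy CQual-style qualifier inference (added example, not CQual itself)."""
from collections import defaultdict

class QualInference:
    def __init__(self):
        self.tainted_seeds = set()      # names explicitly annotated tainted
        self.untainted_sinks = set()    # names explicitly annotated untainted
        self.flows = defaultdict(set)   # a -> {b}: constraint a <= b (a's qualifier flows to b)

    def annotate(self, name, qual):
        (self.tainted_seeds if qual == "tainted" else self.untainted_sinks).add(name)

    def assign(self, dst, src):
        """dst = src generates src <= dst."""
        self.flows[src].add(dst)

    def call(self, params, args):
        """f(args) generates arg_i <= param_i for each argument position."""
        for param, arg in zip(params, args):
            self.flows[arg].add(param)

    def solve(self):
        """Least solution: propagate 'tainted' along every <= edge until nothing changes."""
        tainted, work = set(self.tainted_seeds), list(self.tainted_seeds)
        while work:
            v = work.pop()
            for w in self.flows[v]:
                if w not in tainted:
                    tainted.add(w)
                    work.append(w)
        return tainted

    def errors(self):
        """Sinks required untainted that inference proves tainted (a qualifier clash)."""
        return sorted(self.untainted_sinks & self.solve())

def analyze(stmts):
    """stmts: ('assign', dst, src) or ('call', [params], [args]); returns clashing sinks."""
    q = QualInference()
    q.annotate("getenv.ret", "tainted")     # assumed prelude: getenv returns tainted char *
    q.annotate("printf.fmt", "untainted")   # assumed prelude: printf's format must be untainted
    for kind, a, b in stmts:
        (q.assign if kind == "assign" else q.call)(a, b)
    return q.errors()

# Constructed programs; neither buf nor s carries an annotation, so both are inferred.
VULN = [("assign", "buf", "getenv.ret"), ("assign", "s", "buf"),
        ("call", ["printf.fmt"], ["s"])]                             # printf(s);
SAFE = [("assign", "buf", "getenv.ret"),
        ("call", ["printf.fmt", "printf.arg1"], ["lit_%s", "buf"])]  # printf("%s", buf);
```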

Other tools, such as RATS offered by Secure Software, are available, but they were generally designed to locate simplistic vulnerabilities not commonly found in modern software. Some bug classes better lend themselves to detection via static analysis, and several other publicly available tools automatically detect potential format string vulnerabilities.

In general, the current set of static analysis tools is lacking when it comes to detecting the relatively complicated vulnerabilities found in modern software. While these may be good for a beginner, most serious auditors will go far beyond the subset of vulnerabilities for which these programs can check.

Source code auditing can be a painful task if you're armed only with a text editor and grep. Fortunately, some very useful tools are available that make source code auditing much easier. In general, these tools have been written to aid software development but work just as well for auditing. For small applications, it's not always necessary to use any specialized tools, but for larger applications that span multiple files and directories, these tools become very useful.

Cscope

Cscope is a source code browsing tool that is very useful for auditing large source code trees. It was originally developed at Bell Labs, and has been made publicly available under the BSD license by SCO. We have provided a copy at www.wiley.com/compbooks/koziol.

Cscope can locate the definition of any symbol or all references to a symbol of a given name, among other things. It can also locate all calls to a given function or locate all functions called by a function. When run, Cscope generates a database of symbols and references, and can be used recursively. It will easily handle the source code for an entire operating system and can make searching for specific vulnerability types across a large code base much easier. It will work on virtually every Unix variant with curses support, and there are precompiled Windows binaries available for download. Cscope can be invaluable for auditing and is used by many security researchers on a regular basis.

Cscope support is built into many editors, including Vim and Emacs, and it can be invoked from within those editors.

Ctags

Ctags is useful specifically for locating any language tags (symbols) within a large code base. Ctags creates a tag file that contains location information for language tags in files scanned. Many editors support this tag file format, which can allow for easy browsing of source code from within your favorite editor. Tag files can be created for many languages, including, most importantly, C and C++. One of Ctags's useful features is its ability to immediately go to a tag highlighted by the cursor, and then to return to the previous location or to a location farther up the tag stack. This feature allows your source code browsing to approximate the flow of execution. Ctags can be downloaded from www.wiley.com/compbooks/koziol; in addition, many Linux distributions offer a precompiled package.

Editors

Which text editor you use when viewing source code can make a big difference in ease of auditing. Certain editors offer features that are more conducive to development and source code auditing and make better choices. Two of these editors—Vim, the enhanced version of vi, and Emacs—offer complementary features, in addition to many features that are specifically added to make writing and searching through large amounts of code easy. Many editors offer features such as bracket-matching, which allow you to locate the partner of any opening or closing bracket. This can be very useful when auditing code with many nested brackets in complex patterns.

Many people have strong opinions about text editors and use their preferred editor religiously. Although some editors are inherently better suited for the task than others, the most important thing when choosing an editor is to pick something you're familiar with and comfortable using.

Cbrowser

Many other tools offer similar functionality to Cscope and Ctags. Cbrowser, for example, offers a graphical front-end for Cscope and can be useful for people who audit in a GUI environment.