22 November 1999
Source: Microfilm at Columbia University's Stern School of Business Library.
NSA's statement here in 1985 about the availability of TEMPEST standards contrasts with its 1999 statement to us that "their disclosure could reasonably be expected to cause serious damage to the national security:" http://cryptome.org/nsa-foia-app.htm.
These reports are cited in Christopher Seline's 1989 paper on TEMPEST law: http://cryptome.org/tempest-law.htm.
See Van Eck's 1985 paper, "Electromagnetic Radiation From Video Display Units: An Eavesdropping Risk?:" http://jya.com/emr.pdf.
American Banker, March 26, 1985, pp. 1, 22.
By DAVID O. TYSON
NEW YORK - A Dutch electronics expert told a banking security conference in Cannes, France, this month that bank computer systems, especially home banking systems, are easily breached because of their radiation emissions.
W. Van Eck, who has studied radiation leaks from video display terminals for four years, said that by using simple equipment costing less than $10, an ordinary television set, and a directional antenna inside a car parked outside a bank, it is possible to read the information displayed on almost any computer screen inside the building from as far away as 1,000 yards.
A U.S. government technical expert in Washington, who asked not to be identified confirmed that emissions can be picked up from some distance. "I certainly would challenge the $10 figure and the simple television set," the source said. "I think he's overstating his case. But from the standpoint of 'Could it be done?' - Yes, it could be done."
About 150 delegates from banks and computer security organizations attended the conference, called Securicom 85. In a technical paper, Mr. Van Eck spelled out measures banks may take to guard against emission leaks, such as metal screening or wallpaper and use of encryption. But if banks and other offices were to apply the most stringent security standards, Mr. Van Eck said, they would have to use equipment tested to government and military specifications. He told the conference that two such standards exist. In the U.S., it is the Nacsims 100A [sic, NACSIM 5100A] "Tempest" and its NATO equivalent AMSG720B.
Mr. Van Eck said that precisely what these standards require is classified information, and any discussion or publication of information relating to Tempest in the U.S. is forbidden by the National Security Agency.
Michael Levin, public affairs director for the National Security Agency at Fort Meade, Md., denies any such ban. In a telephone interview, he said the agency sponsors the Industrial Tempest Program, or ITP, by which manufacturers of electronic devices, even electric typewriters, are given stan dards to insure the equipment is free from spurious emissions.
"This system is called Tempest," Mr. Levin said. "You can refer to the public literature and will find quite a bit on it."
Mr. Levin said Mr. Van Eck's statement that the National Security Agency prohibits discussion of Tempest misses the point. "The specifics on what our concerns are and how they relate to intelligence and counterintelligence -- that's classified," he said. "But the standards are public and available to any manufacturer as a national standard, so he can design his equipment to meet the specifications and prevent the emission problem."
Mr. Van Eck said that if a bank wants to make sure its computer system is totally secure, it would have to use terminals that are on the "Tempest preferred product list." But he said the cost of such equipment makes it almost prohibitive.
"I don't believe that's so," said Mr. Levin of the National Security Agency. "It does cost a little more to manufacture equipment that has that full protection. But it's peanuts compared to what the banks might lose if their information were known outside."
"We're talking about improving something like a typewriter so it doesn't emit radiation to let a neighbor of the bank know what is going on there. It's a useful protection. What this Tempest does is provide a list of equipment engineered to do that."
"Rather than try to hide certain things under security, we have got to do certain things. In this Tempest area, we have been very open and have been charged with being open and assisting the public sector."
"Obviously, every industry has got to judge for itself how much to spend for its security."
Mr. Van Eck said it was possible to pick up information from a single screen among a bank of terminals. He said he carried out an experiment in London in which he parked in a van outside Scotland Yard and also an office in the City and reconstructed images.
After his talk, Mr. Van Eck said it was possible to reconstruct information from one particular terminal out of a bank of, say, 20 different ones. This is o because each terminal radiates its own characteristics, which are identifiable.
Referring to home banking systems like Pronto and Britain's Homelink, he told a reporter that any person with a suitable black box sitting in a home can easily "read" a neighbor's home banking screen. From the reconstructed information he can obtain his neighbor's password and find out how much cash the neighbor has in the bank.
"In fact, what I am saying is that home banking systems are especially vulnerable to this kind of eavesdropping," Mr. Van Eck said.
Robert I. Lipp, a Chemical Bank president, did not respond immediate ly to a request for comment on the Van Eck talk. Mr. Lipp is in charge of Chemical's personal and banking service group, which includes the Pronto home banking service, the nation's largest bank-at-home service.
Jeffrey M. Wilkins, chairman of CompuServe, also did not respond immediately to the same request. Three banks presently offer home banking on that on-line data base service and others are slated to go live with it.
American Banker, April 1, 1985, pp. 5, 20.
Memory Bank [A feature.]
The following quiz is based on articles that appeared in last week's issue of American Banker. Answers are on page 20.
3. The case had me so stumped I was just sitting in my office reading my name backwards on the door. That's when a dutch electronics expert named W. Van Eck walked in. "shamus," he said, "for a shot of that filing cabinet bourbon you got I'll show you how to see through bank walls." It was the answer to my problem. I asked him how. Now I'm asking you.
Following are answers to the Memory Bank Quiz on page 5.
3. Mr. Van Eck told a banking security conference that radiation leaks from video display terminals gives an eavesdropper with simple equipment the ability to read information displayed on the screens inside bank buildings.
Transcription and HTML by Cryptome.