From: Matt Burnett (marukka@mac.com)
Date: Fri Jul 28 2006 - 07:46:53 EDT
every laptop ive taken apart that has had a built in mic, has had a
associated mic cable. Is taking apart a laptop a difficult task for a
IT professional? Yeah you could epoxy the mic holes, but there are
plenty of other holes in the laptop which would allow sound to travel
to the mic. And if your really worried about this, you can burn out
the mic part of the sound card by breifly attaching the mic cable to
the 12V supply.
On Jul 27, 2006, at 10:03 PM, Ralph Forsythe wrote:
> On Thu, 27 Jul 2006, Matt Burnett wrote:
>
>> Wouldnt it just be a lot easier for you or your boss to disconnect
>> the
>> microphone cable than going though some elaborate scheme to prove it
>> could possibly be done? If they can "ruled" any laptop at will then
>> couldnt they also get into your mail servers? Wouldnt anything that
>> would be discussed in your meeting generate followups in a email?
>
> How are you going to disconnect the microphone cable when there
> isn't one? The mic is built into the laptop - you'd have to take
> the thing apart. As an alternative, ram a bunch of epoxy in the
> mic hole(s); that would pretty much muffle any noise it might
> record, IMO.
>
> As for the task at hand, very easy as others have pointed out.
> Lots of ways to get into the system, especially in a corporate
> environment where remote access is often enabled for tech support
> purposes. Bear in mind you not only have to worry about people
> gaining access from the outside (which hopefully your network is
> secured against), but also an employee looking to do something bad
> - particularly one with privileges for remote access or ability to
> physically access the machine. Given that this *is* a conference
> room, uncontrolled physical access at some point is likely unless
> this laptop always travels with someone.
>
> There isn't a real good way to secure the network connection itself
> that wouldn't be easily bypassed by anyone with physical access to
> the laptop, and given that pretty much any modern laptop will have
> a microphone on it, I think epoxy or fun with a set of screwdrivers
> is the only sure bet - of course, this assumes someone doesn't
> bring their own machine into the room for a meeting, as people very
> often do (even more often if you have wi-fi access in there).
>
> I just don't see any unequivocal method of making sure you're
> secure against this, unless you switch it to a desktop PC with no
> microphone port and ban laptops from entering the room. And then
> we get to the risk assessment and threat/vulnerability vs cost
> determination, which is really what will define how far you're
> willing to go with this. Of course someone can always stick a mic
> into the celing, or rig up any number of other eavesdropping
> methods, so short of conducting meetings in a secured underground
> bunker, you will have to live with the potential. However you're
> most definitely going to get a new laptop out of the deal, so run
> with it!
>
> Someone else remarked that we can't assume this system is even
> connected at all. Actually it's a pretty logical step, since the
> original statement said "shiny new internet laptop". If it can
> surf the web, it's connected at least some of the time. Not a huge
> leap of faith on that one...
>
> - Ralph
>
> On Thu, 27 Jul 2006, Matt Burnett wrote:
>
>> Wouldnt it just be a lot easier for you or your boss to disconnect
>> the microphone cable than going though some elaborate scheme to
>> prove it could possibly be done? If they can "ruled" any laptop at
>> will then couldnt they also get into your mail servers? Wouldnt
>> anything that would be discussed in your meeting generate
>> followups in a email?
>>
------------------------------------------------------------------------------
This List Sponsored by: Cenzic
Concerned about Web Application Security?
Why not go with the #1 solution - Cenzic, the only one to win the Analyst's
Choice Award from eWeek. As attacks through web applications continue to rise,
you need to proactively protect your applications from hackers. Cenzic has the
most comprehensive solutions to meet your application security penetration
testing and vulnerability management needs. You have an option to go with a
managed service (Cenzic ClickToSecure) or an enterprise software
(Cenzic Hailstorm). Download FREE whitepaper on how a managed service can
help you: http://www.cenzic.com/news_events/wpappsec.php
And, now for a limited time we can do a FREE audit for you to confirm your
results from other product. Contact us at request@cenzic.com for details.
------------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:56:26 EDT