When We Two Parted

Yet another look at confidentiality and trust by George Gordon Byron, 6th Baron Byron (1788-1824)

When we two parted
In silence and tears,
Half broken-hearted
To sever the years,
Pale grew thy cheek and cold,
Colder, thy kiss;
Truly that hour foretold
Sorrow to this.

The dew of the morning
Sunk, chill on my brow–
It felt like the warning
Of what I feel now.
Thy vows are all broken,
And light is thy fame;
I hear thy name spoken,
And share in its shame.

They name thee before me,
A knell to mine ear;
A shudder comes o’er me–
Why wert thou so dear?
They know not I knew thee,
Who knew thee too well..
Long, long shall I rue thee,
Too deeply to tell.

In secret we met–
In silence I grieve,
That thy heart could forget,
Thy spirit deceive.
If I should meet thee
After long years,
How should I greet thee?
With silence and tears.

Cleverly worded thoughts about the controls and countermeasures of his relationships.

Fax hack frees prisoner

This story is so sad it is almost funny.

A prisoner in the US state of Kentucky was mistakenly freed after a phoney fax ordering his release was sent from a nearby grocery store.

One would think that all the money and time being spent on the prison system in America would have anticipated this sort of attack vector.

The fax ordering his release claimed to be from the state supreme court, but was riddled with spelling errors and had no letterhead.

Hard to argue that spelling should be the litmus unless someone can confirm that the court is religious about spelling, let alone grammar. Likewise, checking the source of the fax is useful if it is consistent enough to check and verify. Yet it is not terribly hard for someone to spoof the ID. What kind of grocery store has a fax available anyway?

The prison’s director said their policies do not require them to check the source of faxes.

“It’s not part of a routine check,” said Greg Taylor, “but certainly, in hindsight, that would perhaps have caused somebody to ask a question.”

Mr Taylor said spelling mistakes are common on court documents.

Well, exactly. If the normal routine is just noise, hard to tell someone to look for an attack signal. You generally want things to operate the other way around.

I think the real kicker of the whole story is the fact that the prisoner was just sitting at home, practically waiting for someone to find him:

Police found Rouse two weeks later at his mother’s house after prison authorities realised their mistake.

Did it take them two weeks to realize it was a mistake, or two weeks to find the 19-year-old sitting at home?

It sees through walls

Remember in the movie Johnny Dangerously when the evil gangster Danny Vermin describes his “eighty-eight” handgun as “It shoots through schools”?

That’s what came to mind as I read about the latest development in Wim Van Eck attacks.

A radio antenna and radio receiver – equipment totalling less than £1000 – is all you need. Kuhn managed to grab the image to the left through two intermediate offices and three plasterboard walls.

[…]

CRTs are now well on the way to being history. But Kuhn has shown that eavesdropping is possible on flat panel displays too. It works slightly differently. With a flat panel display the aim is to tune into the radio emissions produced by the cables sending a signal to the monitor. The on-screen image is fed through the cable one pixel at a time. Because they come through in order you just have to stack them up. And Kuhn has worked out how to decode the colour of each pixel from its particular wave form.

I am also reminded of a Swedish military intelligence soldier I once met who spent his years of service trying to find screw holes in secured rooms that he could detect a signal through.

In the early days of my career I was caught up in the challenge of securing the space to stop errant signals from escaping a defined perimeter. That’s always the first phase in security — how to stop things. However, the more modern view of security is that this type of work has important implications for improving access to a wider audience…securely. I mean cables are a giant nuisance. Kuhn’s research promises interesting new ways to get a signal to display far from the source, such that everyone in a certain space could see the same video without wires (saving deployment costs, weight, etc.) Once this medium becomes more mainstream, then security can come into play and figure out ways to reliably encode/decode and so forth.

As for defending against this kind of attack, Kuhn says using well-shielded cables, certain combinations of colours and making everything a little fuzzy all work.

None of those sound like much of a defense to me. Shielded cables might still leak at the ends or at other parts of the equipment, and color combinations are easy to decipher. Not sure exactly what he means by making things fuzzy (pun not intended) but it seems that if a fuzzy image can be recognized at the source, an intercepted signal might still have enough info to interpret.
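An added illustration, not from the original post or the quoted article: one reading of "making everything a little fuzzy" is a horizontal low-pass filter on the displayed image, which takes energy out of the sharp pixel-to-pixel edges while the strokes stay readable on screen. The scanline, the 3-tap kernel and the 70% cutoff below are assumptions made for this example.

```python
import cmath

# Constructed scanline through a line of text: 1 = stroke pixel, 0 = background.
PATTERN = [0, 0, 1, 0, 1, 1, 0, 1, 0, 0, 0, 1, 1, 0, 1, 0]
SHARP_ROW = PATTERN * 4  # 64 pixels, sent down the cable one after another


def band_energy(row):
    """Energy |X[k]|^2 of each non-DC frequency bin k = 1 .. n/2 of the row."""
    n = len(row)
    energy = []
    for k in range(1, n // 2 + 1):
        x = sum(v * cmath.exp(-2j * cmath.pi * k * i / n)
                for i, v in enumerate(row))
        energy.append(abs(x) ** 2)
    return energy


def high_band_fraction(row, cutoff=0.7):
    """Share of the row's non-DC energy that sits above `cutoff` of the band."""
    energy = band_energy(row)
    total = sum(energy)
    if total == 0:
        return 0.0  # flat row: nothing to measure
    return sum(energy[int(len(energy) * cutoff):]) / total


def soften(row, kernel=(0.25, 0.5, 0.25)):
    """Blur the row horizontally (circular wrap keeps the maths exact)."""
    n = len(row)
    half = len(kernel) // 2
    return [sum(w * row[(i + j - half) % n] for j, w in enumerate(kernel))
            for i in range(n)]


def compare(row=SHARP_ROW):
    """Return high-band share before and after blurring, plus kept contrast."""
    soft = soften(row)
    return {
        "sharp_high": high_band_fraction(row),
        "soft_high": high_band_fraction(soft),
        "soft_contrast": max(soft) - min(soft),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name}: {value:.4f}")
```

The blurred row keeps most of its contrast, which is also why the worry above still stands: whatever remains legible on screen remains in the signal, just with less of it at the high end of the spectrum.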