Rove investigator erases his PCs - to kill computer virus

This topic is archived.
 
RC, Sat Dec-01-07 01:14 AM
Original message
Rove investigator erases his PCs - to kill computer virus

Outside firm performs seven-level wipe
By Dan Goodin in San Francisco

Published Saturday 1st December 2007 00:00 GMT

A US official overseeing a probe of former Bush aide Karl Rove has been called on the carpet after it was discovered he hired a private computer-help company to erase all the hard drives belonging to him and two deputies.

Special Counsel Scott J. Bloch bypassed his own agency's computer technicians and instead hired an outside firm to perform a seven-level wipe, all but guaranteeing the files could never be restored. Although the official said he contracted the work after suspecting his computer was infected by a virus, a manager with the private firm said a wipe that thorough is an unusual way to treat a malware infection. The receipt for the work performed makes no mention of a virus.

Bloch's office is investigating whether Rove and other White House officials improperly used government agencies to help re-elect Republicans running for Congressional seats. In turn, Bloch has been the subject of a White House-ordered probe into whether he improperly retaliated against whistle-blowers in his own staff and dismissed cases brought to his agency.

http://www.theregister.co.uk/2007/12/01/official_purges_agency_computers/comments/

The comments are worth reading also.
Why isn't this guy in jail for obstructing Justice or interfering with an investigation?
MADem, Sat Dec-01-07 01:16 AM
Response to Original message
1. He SHOULD be jailed for the reasons you cite. NT
 
Richard Steele, Sat Dec-01-07 01:18 AM
Response to Reply #1
2. "The receipt for the work performed makes no mention of a virus." End of story.
He should go DIRECTLY to jail without passing GO.
 
Captain Angry, Sat Dec-01-07 01:20 AM
Response to Original message
3. Something to keep in mind.

The NSA can retrieve data from anything. If the government really wants that information, it's on those platters.

The NSA has techniques where they can see the screen on a computer from the next building over. Without a network. Without cameras, cables, anything. They have some pretty insane technology. All of this is public knowledge and it's shown in academic security circles.

Furthermore, if this guy wanted the virus gone, you boot to a LiveCD, kill the virus, scan the system, extract important datafiles, scan them again, and then you flatten the system. Reinstall everything and put the data back on. Most viruses don't attack data, they attack applications/executables. This could have been resolved in an hour by a competent tech. By asking for a 7 level wipe, they were actively saying: I don't want anybody short of the NSA able to read this disk.

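For readers who want to see what "seven-level wipe" actually means in practice, here is an added example (not code from the thread, the Register article, or the firm involved). It builds a small constructed disk-image file seeded with two marker strings, runs a seven-pass overwrite in the style of the DoD 5220.22-M schedule that the phrase usually refers to (fixed pattern, complement, random, repeated), then does the verification read that distinguishes a wipe from a plain reformat. The image size, pass order and marker strings are this example's own choices. Two caveats a practitioner would add: a real wipe targets the block device (/dev/sdX), not a file, because a file-level overwrite never reaches slack space or remapped sectors; and on SSDs and other wear-levelled flash, overwriting does not reliably reach every cell, so the firmware's secure-erase command or full-disk encryption with key destruction is the right tool there.

```shell
#!/bin/sh
# Added example (not from the thread): seven-pass overwrite of a disk-image
# file with a verification read. Pattern schedule and marker strings are
# assumptions made for this demo; a real wipe would run against /dev/sdX.

IMG=${IMG:-./disk.img}   # image file to wipe
IMG_MB=4                 # image size in MiB, kept small so the demo is quick

# Constructed sample: an all-zero image with two recognisable marker strings
# at different offsets, standing in for "interesting" file contents.
make_image() {
    dd if=/dev/zero of="$IMG" bs=1048576 count="$IMG_MB" 2>/dev/null
    printf 'CONFIDENTIAL memo about the investigation\n' \
        | dd of="$IMG" bs=1 seek=4096 conv=notrunc 2>/dev/null
    printf 'SECOND MARKER at a different offset\n' \
        | dd of="$IMG" bs=1 seek=2000000 conv=notrunc 2>/dev/null
}

# One overwrite pass across the whole image.
# $1 is the word "random" or a tr(1) octal escape such as '\125' (0x55).
pass() {
    size=$((IMG_MB * 1048576))
    case "$1" in
        random)
            # head clips urandom to the image size; notrunc keeps the file length.
            head -c "$size" /dev/urandom | dd of="$IMG" conv=notrunc 2>/dev/null ;;
        *)
            # Turn the zero stream into the fixed pattern byte, then write in place.
            tr '\000' "$1" < /dev/zero | head -c "$size" \
                | dd of="$IMG" conv=notrunc 2>/dev/null ;;
    esac
}

# Seven passes: zeros, ones, random, 0x55, its complement 0xAA, random, random.
wipe7() {
    for p in '\000' '\377' random '\125' '\252' random random; do
        pass "$p"
    done
}

# Exit 0 if either marker string can still be found anywhere in the image.
marker_present() {
    grep -a -q -e 'CONFIDENTIAL' -e 'SECOND MARKER' "$IMG"
}

# Verification read: exit 0 only if the image kept its size and no marker survives.
verify_clean() {
    actual=$(wc -c < "$IMG" | tr -d ' ')
    [ "$actual" -eq "$((IMG_MB * 1048576))" ] && ! marker_present
}

# Stand-alone demo on a throwaway temporary file.
main() {
    IMG=$(mktemp) || exit 1
    make_image
    if marker_present; then echo "before wipe: marker present"; fi
    wipe7
    if verify_clean; then echo "after wipe:  no marker found, verification passed"; fi
    rm -f "$IMG"
}

main "$@"
```

Run it with `sh wipe7.sh`; to wipe a different image, export `IMG=/path/to/image` before calling `make_image`/`wipe7`. The verification step matters: without reading the medium back, the only evidence that the wipe happened is the receipt.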
 
TheMadMonk, Sat Dec-01-07 04:44 AM
Response to Reply #3
9. Little bit 'Yes' and big chunk of 'No'.
It is possible to read those platters using highly specialised equipment to examine the residual magnetism in the "gap" between magnetic domains. But with a recovery rate of megabytes (at most) per day, it's not very practical. Particularly with large modern drives, since the first task is to rebuild the total file system, just so as to be able to determine where any files of interest might have physically resided on the platters. There is a month's worth of work just there. Emerging high density platter designs with physically imprinted magnetic domains will soon render this attack mode entirely worthless.


And the looking over one's shoulder at one's screen is also more myth than reality these days too. With old, badly shielded displays of 80's or earlier vintage, virtually anyone with decent electronics skills could knock up a receiver that could "read" the contents of a nearby screen. Provided of course there were not too many other equally nearby displays to confuse the receiver.

Now if you take a look at a modern CRT, or other display, you should note a few features: At each end of the cable linking it to the computer should be a "fat bit". These are ferrites which stop the cable from acting like an antenna and radiating the signal running from the computer to the screen. And if you peer inside the casing you should be able to see an internal box made of metal (usually "bright" steel) with a lot of holes punched in it for ventilation. This is a Faraday cage, which prevents the leakage of radiated signals from the display's circuitry. The lead glass from which the tube is made "closes" the Faraday cage's "open" side.

Long and the short of it, is that you are only practically vulnerable to these attacks, if you're still using 286 (or earlier) monochrome kit with sub-gigabyte storage capacity.

Wireless interface devices, and networking are the places where most modern systems leak like sieves. 'Tails' on mice (and keyboards) might be a pain in the rear, but they ARE secure. Same argument goes double in favour of cabled networking.
 
Captain Angry, Sat Dec-01-07 12:04 PM
Response to Reply #9
12. Not so much.
Have you been to any security shows where the NSA and different academics talk about these things? I work with a professor who teaches hacking and presents at these shows.

The demonstrations are scary. I've seen some of the materials that come out of these shows, the abstracts and the papers.

The two of us can't do these things.

The NSA does these things right now.
 
TheMadMonk, Mon Dec-03-07 04:40 AM
Response to Reply #12
14. They would certainly like you to think they can. (And are as well.)
The technically easier task is eavesdropping on the contents of a computer monitor's screen.

There are a number of points along the path from video card to the monitor which might potentially radiate an electromagnetic signal which bears an impression of the "screen contents". The first is the card generating all of the signals. Next is the cable linking the card to the monitor and finally there is the monitor itself.

Ferrites at each end of the cable and a foil or braided shield mean that all but very old or very cheap kit will not betray your viewing habits by turning that cable into an antenna. And a closed computer case will keep the video card from broadcasting to all and sundry.


This leaves the original TEMPEST attack on the signal radiated by the display device as it "constructs" the image. With a TV set or older low resolution monitors reconstructing a monochrome facsimile of the screen is a relatively trivial task. It is something that any expert hobbyist could manage since both broadcast very strong signals. Primarily because neither has any significant shielding, which allows the 40-80,000 volt "flyback" transformer (among other things) to act as an effective radio transmitter. And relatively trivial is not the same thing as easy. Recovering the screen image, still requires extracting a multi-megahertz signal from a very low frequency carrier signal.

Now all that is allowable simply because the device came first. The frequencies at which TVs and like-resolution displays operate weren't particularly useful for high bandwidth communication anyway, so there was no great incentive to "protect" the 24-25 KHz band, and once TVs started (mass) broadcasting whacking great carrier signals on these frequencies the point became moot. That band of radio was simply DEAD. Eventually advances in technology made it possible to skim a "strong" nearby signal from the general noise. And thus TEMPEST was born. With one major caveat. The "listening antenna" has to be placed where the desired signal is the strongest one.


Variable resolution computer monitors (particularly as screen resolutions radically departed from VGA specs (and near parity with TV)) made it too expensive to continue the policy of simply abandoning bands of the airwaves when they became too "polluted". To start with, instead of residing in one narrow notch of the electromagnetic spectrum, the various signals are smeared across a broad swathe. Nor are the vast majority synchronised with a small number of broadcast signals.

This, along with the general propensity of modern kit of any sort to radiate on any number of commercially valuable wavelengths, led to emissions standards control. Modern electronic kit has just too many (and varied) high frequency components to be allowed to radiate freely. Enclosures are shielded, as are cables, which are further protected with ferrite cores. All enclosures containing electronic componentry which has the potential to radiate a signal must by regulation be shielded to a certain minimum standard.

Yes this allows some leakage, but not very much. Certainly not enough to be distinguishable from the background at any practical range, except where computers are very few and far between. In any urban setting, the receiving antenna, a fairly large, complex and delicate device in its own right, would have to be within the target's property boundaries to get a reliable signal. And forget about picking out anything from a cubicle farm at all, at all. Obtaining a suitable angular orientation to the "device of interest" makes the whole problem just that little bit more interesting.

So theoretically it is doable, and it might barely be practicable under precisely the right circumstances, (Say at a trade show) but as a general purpose, surveillance technique, that can be legally carried out without an enabling warrant, it's a non starter. And the counter is ludicrously simple. A device that sits between the computer and the monitor cable which precisely synchronises with the timing signals to the monitor and broadcasts a "jamming" signal on exactly the same wavelength as the monitor.


Now for reading old data from a hard disk.

One theoretical possibility is remounting platters in more sensitive platforms and doing all sorts of scientific magic to "read" the "spaces" between magnetically stored bits. It works on the theory that at different temperatures, the exact position at which a bit is written moves slightly because different parts of the hard disk expand and contract at slightly different rates. So far so good. However, just to get the necessary resolution to read inside the "gaps" requires at least two and arguably three or more generations more sensitive hardware. So anything stored on cutting edge hardware is safe for at least two years.

For "fresher" data the only available option is quite literally putting the platter under a microscope and reading the "fringes" one bit at a time.

And having achieved the necessary degree of acuity of magnetic "sight" the "reader" has to hope that the "overwrite" occurred under completely different conditions than when the overwritten data was originally written.

According to the articles I've read, the best hope is scanning the disk's surface for areas where there actually is a good solid read in the gap. Such locales are decoded and some sense is hopefully made of the data found there. Illicit material of single types: pictures, music, movies are easiest. But it's a total crap shoot as to whether anything of use is actually recovered. The more there was originally the better the chances, but there is no guarantee. And it's an expensive fishing trip no matter what.

Finding remnants of a child porn collection, or evidence of a bootleg collection of five thousand copyrighted audio tracks, would be amongst the least difficult of tasks. Tracking down specific "subversive" literature? Not bloody likely! Plain text at best amounts to only a fraction of a percent of stored data; finding it amongst the small amount of actually recoverable data in actionable amounts would be highly unlikely.

It's doable yes. Practical only with relatively dated recording media, and to all intents and purposes, there will be no further significant improvements in the capability. Current generation kit, just doesn't have any gaps from which reliable data can be recovered. Next generation kit will make such "reading between the lines" impossible. Every single magnetic domain on the hard disk platter will occupy its own individual micro machined pit. And there will be nothing whatsoever in the gaps.

It's a dead end technology, good for perhaps a few more years as a forensic fishing rod. But as a tool of repression, it's not a concern.

There are so many other, far easier avenues of intrusion, that TEMPEST and forensic recovery of overwritten data are almost pure fap material. Workable only under ideal conditions. Trojans; undisclosed back doors (for the ConspTheory crowd); ISP logfiles, unpatched vulnerabilities; social engineering; physical bugs; software bugs; all are far far bigger threats to anyone's data.

Sorry to say, but the demos you have seen are pretty much all fluff and no substance. It keeps the paranoid looking over their shoulders. It works a lot like the Stasi files. It wasn't so much that you were in there and under surveillance, but that it was impossible to know that you weren't. But the counters are so simple: a $10 jamming device to thwart covert surveillance and a ball peen hammer to make forensic examination of a hard disk a moot point. Almost any form of halfway decent encryption will also make it virtually impossible to recover anything at all.

As with any other law enforcement "surveillance device" they're essentially stupidity filters and in this case very expensive and utterly impractical ones at that.

NSA can indeed do these things. At least for demonstration purposes. But there is no earthly reason for the NSA to go to the expense, with no guarantee of a result, of using the technology except in the most exceptional of circumstances. And as the saying goes: "If you can't take a joke, why did you join the ..."

If THEY want to "come for you and I", we have almost certainly left enough subversive footprints across the Web, that THEY will have all the excuse they need to cause us to "disappear" if THEY so desire.

If the NSA (or anyone else) IS looking over your shoulder, I can almost guarantee that these two techniques are amongst the last that will be pulled from their bag of tricks (dirty or otherwise).
 
PinkTiger, Sat Dec-01-07 01:25 AM
Response to Original message
4. The only reason an investigator would do a 7-level wipe is if he found something
really scary, was threatened, and feared for his life.
What the heck are we doing with people like this running our country?
 
Richard Steele, Sat Dec-01-07 02:30 AM
Response to Reply #4
5. No, I don't think you have a proper overview of who this guy is.
He wiped the drives because he's a Rove-style scumbag himself,
and -HE'S- being investigated for his blatant attempts to
turn his Department into a corrupt "Hit Team" for the Repub Party.

He's a Shrub-kissing little MAGGOT, and he's not being "threatened"
by anything except the concept of "impartial JUSTICE".
 
RaleighNCDUer, Sat Dec-01-07 03:06 AM
Response to Reply #5
7. That's not what the article sounded like -
he was investigating Rove, and the WH was investigating him. Sounds like they came up with more on him than he did on them, and they forced him to back off.

At least, that's how I'm reading it.
 
Richard Steele, Sat Dec-01-07 03:39 AM
Response to Reply #7
8. It takes more than one article to tell the tale.
He's as Rovian as the people he's allegedly investigating.
He wiped those drives to destroy evidence of his own illegal
political machinations, because he's currently under investigation.

That's the B*sh misAdministration for ya: Crooked and Crookeder.
 
Kucinich4America, Sat Dec-01-07 02:35 AM
Response to Original message
6. Most virus infected files can be cleaned. The rest can be quarantined.
The only reason you would ever do a 7 level wipe is to absolutely blank the drive, ensuring that not a byte of data was retrievable.

This asshole knew exactly what he was doing, and it wasn't cleaning a virus.
 
RC, Sat Dec-01-07 07:46 AM
Response to Original message
10. I found this interesting
Edited on Sat Dec-01-07 08:15 AM by RC
Karl Rove And the Case Of the Seven-Level Wipe

As reported in today's Wall Street Journal, Special Counsel Scott Bloch, the head of the operation investigating Karl Rove prior to his departure from the White House (and still investigating other WH officials), is the subject of a federal investigation of his own.

>SNIP<

A downright cynic is then forced to view the activities and the assertions of that second party to initiate its investigation in light of those possibly ulterior motives.

There's just one problem. The White House's investigation of Bloch predates Bloch's investigation of the White House by more than a year.
http://suitablyflip.blogs.com/suitably_flip/2007/11/karl-rove-and-t.html

Edited to add:

Today's Must Read
By Paul Kiel - November 28, 2007, 9:39AM

It's just not enough that a number of administration officials have been investigated for malfeasance; the Bush Administration takes it the extra mile. The man who's charged with investigating some of that malfeasance is himself under investigation. And he's clearly no slouch at malfeasance.

Scott Bloch heads the Office of Special Counsel (OSC), an odd little agency that was set up to police federal employees for infractions that do not rise to the criminal level. The OSC's main brief is enforcing the Hatch Act, which prohibits federal employees from using government resources for political ends (so Bloch should be a busy man). He's also supposed to make sure whistleblowers do not suffer retaliation. The OSC reports to the White House.

Bloch himself has been under investigation since 2005 for a variety of infractions, including retaliating against employees who took issue with internal policies and discriminating against those who were gay or members of religious minorities. At the direction of the White House, the Office of Personnel Management's inspector general has been pressing on with an investigation of Bloch.

http://www.tpmmuckraker.com/archives/004790.php

* * * * * * * * * * *

My question is, if this guy is this unscrupulous, why did he not get promoted? Or was he just bucking for one? After all he is acting like a good republican.
 
1corona4u, Sat Dec-01-07 11:04 AM
Response to Original message
11. That is such unacceptable bullshit...
all of us need to make some noise about this.
 
tbyg52, Sat Dec-01-07 02:24 PM
Response to Original message
13. Surely this was illegal....?
If not, *why* not??
 