Question about computer monitors and security

[JonF]

I have a question about a security practice that is in place at my work. I think the practice isn’t based on credible science, and no one has been able give me a solid justification. My background is almost entirely in math so I was hoping to get an engineer’s take on this:

Security is a big issue at my work. We basically have two networks that don’t ever touch each other. One is our public network that is connected to the commercial internet and has lax security. The other network is our private one, which is connected to nothing on the outside. Obviously at each desk we have a separate computer for each. The practice I’m questioning that we are required to keep our monitors at least 2 inches apart. They fear somehow information may bleed from the secure monitor, to an unsecure monitor, to the unsecure net. Is there any legitimate scientific basis behind this?


**I'm not sure if this is the correct forum for this, if not will a mod please move?

 

[AlephZero]

if you have monitors that are two inches or even two meters apart, and somebody can read information off the secure screen and type it into the insecure network, that's a much bigger security hole than worrying about the possibility of "high tech" espionage IMO.

An easy way to steal information from a secure network is just park a car outside the
building, and aim a camera with a zoom lens at the monitors, through the windows. That's the reason my employers take the simple precaution of not having any "significant" computer kit on the ground floor of any building...

I can't see any legitimate scientific basis for the "fear", that doesn't involve people tampering with the hardware.

 

[JonF]

My work has measures in place to prevent the possible security breaches you mentioned. My question is if there is any scientific basis for information possibly (no matter how unlikely) being transferred from monitor to monitor to the network in the manner I described?

 

[256bits]

Minimum 2 inches. Why not minimum 4 inches or 40 feet? Are there different minimum specifications for a CRT moniter versus an LCD monitor? Or color versus monochrome?
Or what if you are using large 24 pt font - is that a more security risk than smaller font?
Somebody should bring that up to the people in charge of internet/intranet security to study and they can write a blue book on appropriate monitor security issues, Maybe they will even realize that the angle between monitors is important - "No two monitors will be set next to another such that the angle formed between the two displays faces is greater than 44 degrees or less than 11 degrees."

If you catch my drift, it is not scientifically not technically verifiable where the 2 inches comes from.

No doubt a monitor gives off EM radiation that can be sensed by sensitive equipment.
But if you see a black windowless van parked outside your building for days in a row would your security people consider that suspicious?

Most likely, and this is just my opinion, it is a means for management inn their own way to keep an eye out for people who are more conscious of security issues than not.

EDIT: Not nixing management - something as simple as this will keep security on peoples minds, as witnessed by your inquiry here at PF. so that is a positive!

 

[DaveC426913]

My question is if there is any scientific basis for information possibly (no matter how unlikely) being transferred from monitor to monitor to the network in the manner I described?

No.

It is so ridiculous that I would suspect some misinformation or at least misrepresentation. i.e. that may be the corrupted broken telephone explanation, but someone may have a (or have once had) a proper reason for it.

For example, old CRTs too close together could distort each others' pictures with their magnetic fields.

IMO, this is much more likely the reason.

How do you know that this is the official explanation?

 

[JonF]

is so ridiculous that I would suspect some misinformation or at least misrepresentation

They really do have this rule in place for security reasons – it’s in our security handbook. I suspect it’s some legitimate security procedure that has been slowly bastardized by less knowledgeable security people over many years who didn’t understand the original requirement and it’s somehow found itself in writing.

How do you know that this is the official explanation?

Because it's literally written in our security protocols that monitors on the different systems must be at least 2 inches apart. Some of our security guys have been asked and they confirmed the fear of information leaking from one system to the other via monitors. I did http://en.wikipedia.org/wiki/TEMPEST" about computer emissions and security online, but I’m pretty sure it doesn’t apply:

 

[phinds]

Having a monitor next to any wire that goes outside the building and that could be tapped into by hostiles, COULD in theory present a security risk (highly unlikely but theoretically possible) but monitor to monitor is, as Dave said, just silly.

 

[johnbbahm]

I suspect this falls into "that's they way we have always done it" category.
If you think about it the network cables in the wall may be closer to each other than that.
(Although I have seen places that require separate conduit for secure networks.)

 

[Floid]

It could be possible for EM from the secure system to couple to the unsecure system. For this to happen the unsecure system would have to be hardware compromised so that it had a way of extracting the coupled signals and sending out that information (this couldn't be done strictly in software).

If this was really a concern, the separation should be much greater... like secure and unsecure systems can't be in the same room greater. And then if you were paranoid, you would make the rooms which had secure systems Faraday cages.

 

[DaveC426913]

Because it's literally written in our security protocols that monitors on the different systems must be at least 2 inches apart. Some of our security guys have been asked and they confirmed the fear of information leaking from one system to the other via monitors.

This is what I'm saying. The requirement is written in stone, but the rationale for it is not.

We do not know if the rationale - as told by your security guys - is the real reason why the requirement is in place.

 

[JonF]

This is what I'm saying. The requirement is written in stone, but the rationale for it is not.

We do not know if the rationale - as told by your security guys - is the real reason why the requirement is in place.

Valid point, Is there any possible valid security rational for keeping monitors at least 2 inches apart between the systems?