Conference Paper · December 2016 · DOI: 10.5220/0006211504740480
See discussions, stats, and author profiles for this publication at: https://www.researchgate.net/publication/313887410
Authors: Arthur Lopes (University of Campinas) and Diego F. Aranha (University of Campinas). Uploaded by Diego F. Aranha on 22 February 2017.


Platform-agnostic Low-intrusion Optical Data Exfiltration

Arthur C. Lopes¹ and Diego F. Aranha¹

¹Institute of Computing, University of Campinas, Campinas

Keywords: Covert Channel, Data Exfiltration, Information Hiding, Air-Gapped Machines, Error-Correcting Codes.

Abstract: Information leakage through covert channels is a growing and persistent threat, even for physical perimeters considered as highly secure. We study a new approach for data exfiltration using a malicious storage device which subtly transmits data through blinking infrared LEDs. This approach could be used by an attacker trying to leak sensitive data stored in the device, such as credentials, cryptographic keys or a small classified document. An ideal application for this approach is when an attacker is capable of sneaking a malicious device inside a protected perimeter and has remote control over a camera inside such perimeter. The device can then collect information and transmit directly to the attacker, without the need of recovering the device to obtain the captured information, erase evidence or prevent a forensic investigation. We discuss techniques for improving communication efficiency up to 15 bits per second per LED, and possible countermeasures for mitigation.

1 INTRODUCTION

With the major advances in computing observed in the last decades and widespread availability of computer systems, all kinds of organizations make extensive use of computers to store and exchange information, sometimes of extremely sensitive nature. Techniques developed by the information security field are critical to protect and prevent such data from leaking in several ways, for example by data breaches and malicious data exfiltration activities. The concept of data exfiltration consists in the extraction of data from a closed network after malicious software has infiltrated such network. A covert channel is typically employed for the task, posing a challenge to current monitoring capabilities.

The Snowden leaks (Verble, 2014) were among the first of a series of high-profile leakage cases in recent years, after which security processes have seriously started to consider the threat of data exfiltration. Various forms of prevention have been recommended and adopted, including compartmentalization of storage, data encryption at rest, and machine isolation from networks, in a so-called air-gapped system (Maass, 2013). For these reasons, this paper aims to explore new low-intrusive optical methods for data exfiltration and their efficiency and limitations. The goals are two-fold: by anticipating the impact of this threat and proposing countermeasures, organizations become able to protect data from exfiltration and design mitigation strategies; by improving low-intrusive exfiltration mechanisms, activists and whistleblowers can be informed about plausible ways to subtly and efficiently collect evidence of misbehavior or leak sensitive information.

In this paper, we study an efficient and ingenious approach for data exfiltration, involving a malicious storage device that leaks its critical contents. It assumes a scenario where the attacker is able to insert the malicious device in the security perimeter and wait until it is used to copy data from or between air-gapped machines. After the device detects the storage of critical data, it starts transmitting information through blinking infrared LEDs to a nearby camera under the control of the attacker. We claim the assumption is realistic, since there is growing evidence that users will simply plug in or even use USB drives they find (Tischer et al., 2016). This can happen even in tight security perimeters (Langner, 2011). Since no modifications are required in any of the air-gapped attacked machines, the approach requires a low level of intrusion and is agnostic to choices of operating system and software security mechanisms.

The approach has several advantages when compared to recent results in the research literature. For example, a recent paper (Sepetnitsky et al., 2014) builds an optical covert channel from hard-to-detect luminosity changes in a monitor LED. Similarly, the exfiltrated data can then be captured by a receiving device controlled by the attacker in the same environment. However, this and other approaches (Zaddach et al., 2013; Guri et al., 2015b; Guri et al., 2016a; Guri et al., 2016d; Guri et al., 2016c) require a vulnerability to be exploited and malicious software to be installed in the air-gapped machine, because hardware control typically requires local privileges. Crafting a target-specific exploit may not always be within the capabilities of the attacker; and the installed software component can be found and dissected afterwards in case of detection, representing obstacles in practice. In comparison, our approach requires only a flash drive to be inserted in the target environment, perhaps by employing social engineering skills (Abraham and Chengalur-Smith, 2010). After the flash drive is connected to the air-gapped machine and data is received, the malicious device can start transmitting without requiring privileges or interfering in any way with the attacked system. The attacker does not need to retrieve the flash drive later, since data can then be captured by a networked camera or a smartphone inside the security perimeter. Because no actual changes have to be made in the attacked system, this imposes further obstacles to forensic investigations for collecting evidence of the malicious activities. Optical data exfiltration through blinking LEDs also offers higher bandwidth compared to heat-based methods (Loughry and Umphress, 2002), allowing the attacker to leak larger pieces of data. The additional flexibility allows the idea to be used in several scenarios.

The paper is organized as follows. Section 2 discusses data exfiltration techniques and related work available in the research literature. Section 3 proposes a threat model and presents our prototype device and protocol design. Section 4 collects preliminary results, Section 5 discusses proposed countermeasures and Section 6 concludes the paper.

2 RELATED WORK

Data exfiltration can be defined as an unauthorized way of obtaining and transmitting data from a closed or private network. To prevent detection, the transmission commonly employs a process not meant to transfer data, such as covert channels or steganographic techniques (Cheddad et al., 2010). This type of attack creates a subliminal channel to transmit sensitive data from inside a security perimeter directly to the attacker. Performance is usually low, in the order of a few bits per second, due to low signal-to-noise ratios or limited bandwidth.

Electromagnetic emanations (Kuhn and Anderson, 1998) and keyboard LEDs (Loughry and Umphress, 2002) were among the first covert channels applied to data exfiltration, but there has been significant interest in other types of covert channels in recent years. Several studies focus on using optical effects, heat, sound and radio, and these channels have been demonstrated to work in machines not connected to external networks. Low-intrusive approaches may employ optical channels and a receiver device infected with software under remote control of the attacker, but there are several other ways to accomplish this, with different trade-offs in terms of efficiency and intrusiveness.

Techniques exploiting optical effects include LEDs (Loughry and Umphress, 2002; Sepetnitsky et al., 2014) or projecting whole images on a reflecting LCD monitor (Guri et al., 2016a). Transmission rate is generally low, compared to other means of transmission, due to limitations in both software and hardware. Frequently, there is some inherent limitation in the components that imposes an upper bound on transmission rate, such as the number of times a LED can be blinked in a time unit (25 Hz) and its luminosity, or the screen brightness. This can make the attacks unreliable and hard to port across different machines. The low bandwidth restricts the approach to transmitting cryptographic keys and other short sensitive bit strings. Heat can be exploited in an extremely subtle way (Guri et al., 2015b), by increasing computing load until a nearby machine can capture changes in temperature. A severe limitation is inefficient communication due to the time required to heat up and cool down a computer just by running software in user space, thus resulting in extremely restricted bandwidth and transmission rates. Covert channels can also be built from sounds emitted by mechanical hardware components, such as the computer fan (Guri et al., 2016d) or the hard drive (Guri et al., 2016c); or inaudible sound transmitted through the speakers (Hanspach and Goetz, 2014), with various transmission rates. The most efficient methods are based on radio transmission emanating from display cables (Guri et al., 2014), the USB bus (Guri et al., 2016b) and CPU instructions for multi-rate data transfers (Guri et al., 2015a); which can then be captured by a conventional cell phone or dedicated equipment. In practice, a lot of variables can disturb the transmission, and efficient reception mechanisms are often difficult to design or even impractical. There could also be unexpected obstacles between the machine and receiver using optical channels, or interference from heat or sound emitting objects nearby. The exfiltration effort can also be detected and disrupted if operational security is sophisticated enough to block radio signals or other means of communication.

Another disadvantage of those methods is the high level of intrusiveness regarding the air-gapped machine, requiring an internal component to be tampered with (like in Fansmitter (Guri et al., 2016d) or DiskFiltration (Guri et al., 2016c)) before it is installed inside the target machine. This may be hard to manage in a real attack and perhaps can be detected. In terms of software, in some cases low-level access to operating system data is necessary for fine-grained status information such as CPU temperature (Guri et al., 2015b) or to control LEDs in peripherals (Loughry and Umphress, 2002; Sepetnitsky et al., 2014). These drawbacks limit the applicability of these ideas, since the target machine necessarily needs to be infected with malicious software before transmission, making the attack unreliable across different operating systems or against multiple software security mechanisms. The software artifact can also be discovered after the attack and inspected in a later forensic investigation, even if attribution may be difficult to resolve (Tsagourias, 2012).

Table 1 summarizes some aspects of different approaches for data exfiltration proposed in the literature. Approaches requiring intrusive access to the target air-gapped machine for introducing malicious components or local execution privileges are marked high. Approaches requiring user space software execution in the target machine are marked as medium, and approaches requiring the introduction of a malicious device in the security perimeter are marked low. Although there are previous works about data exfiltration using flash drives and hard drives (Clark et al., 2009; Zaddach et al., 2013), the optical approach we pursue is new and untested. The proposed method was designed to circumvent many of the restrictions in other approaches and obtain a better trade-off between speed and level of intrusiveness. In our case, no malware infection, hardware tampering or any general modifications are required, since the malicious device needs only to be attached to the target machine. Additionally, no software execution or privileges are needed in the air-gapped machine. These features should make the method hard to detect in practice or during a forensic investigation.

3 OPTICAL DATA EXFILTRATION

In this section, we describe in detail our approach for data exfiltration. First, we define a threat model and a possible application scenario. Then, we present the design of the prototype transmitter and receiver devices, and the transmission protocol.

3.1 Threat Model and Scenario

In our scenario, communication is established between a transmitter and receiver. The transmitter is a malicious thumb drive connected to the target air-gapped machine from which the attacker wants to leak information. We assume the device was previously introduced in the environment using social engineering skills. The malicious device is equipped with blinking infrared LEDs and looks just like a simple USB flash drive, although the firmware is modified to check stored files for critical information and subsequent transmission. The file extensions or patterns for locating critical information are programmed in the firmware before the device is deployed.

For reception, we assume the attacker is capable of infecting a connected machine with malware that controls the camera. This machine can be either a networked computer or a smartphone inside the security perimeter. The camera monitors its view and waits for LEDs to start blinking in a predetermined specific way, as a handshake sequence to synchronize the transmitter and receiver. After the camera reads the LED and completes the handshake, it starts transmitting the captured data to an attacker-controlled remote server. The diagram in Figure 1 illustrates how the studied optical data exfiltration method works.

3.2 Transmitter

The main component of our prototype transmitting device is a Teensy2 board¹ to simulate the mass storage device. The LUFA framework (acronym for Lightweight Framework for AVRs) (Camera, 2013) and additional software² were employed for assembling the firmware portion. An SD card attached to the board works as the storage memory of the device. Two infrared LEDs finish the design.

Figure 2 presents the latest version of the transmitter. It is connected to a computer using a common USB connector and can be used as a regular flash drive, communicating to the SD card normally. Although the prototype is clearly different from a regular flash drive, we claim that an improved version can be built to be much closer in appearance to a typical USB stick; and the LEDs can also be made much smaller. This is very important for our approach, because targeted users must find the device convincing enough for daily use. With a realistic appearance, the device can be easily used in a real situation, effortlessly deceiving the target.

¹ https://www.pjrc.com/store/teensy.html
² http://elasticsheep.com/2010/04/teensy2-usb-mass-storage-with-an-sd-card/

Table 1: Comparison of different data exfiltration methods presented in the recent literature using various covert channels, resulting in different performance characteristics and requiring different levels of intrusiveness. Our approach tries to maximize transmission speed without requiring highly intrusive mechanisms (malware infection and local execution privileges in the target machine).

| Work | Type | Speed | Intrusiveness | Transmission rate |
|---|---|---|---|---|
| Monitor LED (Sepetnitsky et al., 2014) | Light | Low | High | < 25 Hz |
| VisiSploit (Guri et al., 2016a) | Light | High | High | – |
| BitWhisper (Guri et al., 2015b) | Heat | Low | Medium | 1-8 bits/h (< 1 bps) |
| Fansmitter (Guri et al., 2016d) | Sound | Low | High | 900 bits/h (< 1 bps) |
| Diskfiltration (Guri et al., 2016c) | Sound | Low | High | 180 bits/min (3 bps) |
| Ultrasound (Hanspach and Goetz, 2014) | Sound | Medium | High | 20 bps |
| AirHopper (Guri et al., 2014) | Radio | High | High | 104-408 bps |
| USBee (Guri et al., 2016b) | Radio | High | High | 160-640 bps |
| GSMem (Guri et al., 2015a) | Radio | Low | High | 1-2 or 100-1000 bps |
| This work | Light | Medium | Low | 30 bps |

Figure 1: Diagram illustrating the process of data exfiltration. The malicious device is attached to the air-gapped machine, while the camera under control of the attacker is part of the receiver. A simple transmission protocol ensures synchronized communication between the two.

Our first attempt at building the transmitter consisted in repurposing the open source project BadUSB (Caudill, 2014) to control a Phison microcontroller in a way that the LED would flash in a controlled way. Unfortunately, modifying the firmware in the way we wanted was problematic. We also started using a single activity LED, commonly found in flash drives, but limited bandwidth suggested multiple LEDs as an alternative. Using multiple LEDs introduced a new problem: the device may now look unusual and suspicious during high activity, risking detection. We mitigated this threat by using light invisible to the human eye, augmenting the device with infrared LEDs. The current version of the transmitter can send multiple bits at a time, substantially increasing the bandwidth, without facilitating means of detection. We argue that such a device would be used by unsuspicious users, or even security-aware professionals.

3.3 Receiver

A webcam or a smartphone camera are ideal choices at the receiving end. Both of these devices do not have the best resolution available in the market, but reproduce realistic conditions with a capture rate of no more than 30 frames per second and a resolution up to 720p. Another requirement for the receiver is a stationary position, so we consider that a smartphone is being held steadily or that a fixed webcam is already targeting the LEDs to simplify the capture.

Figure 2: The final prototype of our malicious data exfiltration device, with focus given to two infrared LEDs in the rear part of the device.

We implemented the software component using the OpenCV 3.0 library (Itseez, 2015). The software monitors the captured images and identifies the source of data being transmitted, keeping track of each individual LED and its behaviour. After the handshake, the received bit string can then be stored in the remote-controlled machine or be sent to a web server through the smartphone mobile connection or the computer network. This web server is assumed to be under adversarial control, providing a safe haven for the data to be finally extracted.

The algorithm for LED detection and location is simple. Basically, it looks for differences between two consecutive frames and determines what portions of the image have the blinking LEDs. The infrared light produces a very distinctive color when captured, allowing for background noise to be detected and isolated. After the initial handshake protocol has finished, the receiver knows the location of each LED and can monitor the states to receive incoming messages. The bits are transmitted in the simplest way possible: a value 1 is represented by turning the LED on, and a value 0 contrariwise.

Figure 3 shows the reception process after the handshake has been completed. The image is a frame captured by a standard webcam. The distance between the device and the camera in this experiment was about one meter.

Figure 3: A screenshot of the exfiltration process after the handshake, as per the receiving view. The red rectangles show the location of each LED, only one is turned on in the picture, showcasing the distinctive color of infrared light.

3.4 Protocol

The transmission protocol starts from the handshake sequence transmitted at the beginning of the message, implementing a simple kind of synchronization. This is used to mark when transmission is starting again so the receiver can stop decoding new bits and start looking for any missing piece of information that has been lost in the last attempt. Another purpose for the handshake is to provide additional time for the camera to locate the LEDs in the start phase.

After the handshake protocol is finished, the message bits are transmitted through the blinking LEDs. However, this kind of noisy transmission introduces some errors in the data being sent. Because of the time the LED takes to light up or turn off, sometimes the bit is incorrectly read and ends up flipped at the receiving end. The easiest way we found to cope with this problem was to employ a Hamming(7,4) code (Hamming, 1986) that allows for the correction of one bit per word. This choice was apparently sufficient in our tests with one and multiple LEDs and has solved the cases in which the error occurs when the LED starts to fade and the camera captures this transitory moment, resulting in a flipped bit.

One important feature about the designed protocol was the low quantity of parity bits, decreasing the available bandwidth just a little. More sophisticated types of error-correcting codes were considered, but discarded due to a much higher number of parity bits. Another positive aspect about Hamming codes is their classical and well-understood nature, allowing simple implementation and usage.
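The single-bit correction described above, as an added example that is not the authors' firmware or receiver code: a Hamming(7,4) encoder and syndrome decoder in Python, run on a constructed sample message. The bit layout (parity bits at positions 1, 2 and 4) and all function names are assumptions, since the paper does not give its layout. It also shows the limit of the code: two flipped bits in the same word are silently miscorrected.

```python
# Hamming(7,4): 4 data bits -> 7-bit codeword, corrects one flipped bit per word.
# Assumed layout (1-indexed positions): p1 p2 d1 p3 d2 d3 d4

def encode_nibble(d):
    """Encode 4 data bits [d1, d2, d3, d4] into a 7-bit codeword."""
    d1, d2, d3, d4 = d
    p1 = d1 ^ d2 ^ d4  # parity over positions 1, 3, 5, 7
    p2 = d1 ^ d3 ^ d4  # parity over positions 2, 3, 6, 7
    p3 = d2 ^ d3 ^ d4  # parity over positions 4, 5, 6, 7
    return [p1, p2, d1, p3, d2, d3, d4]

def decode_word(word):
    """Return (data bits, syndrome). A non-zero syndrome is the 1-indexed
    position the decoder flipped back, assuming at most one error."""
    w = list(word)
    s1 = w[0] ^ w[2] ^ w[4] ^ w[6]
    s2 = w[1] ^ w[2] ^ w[5] ^ w[6]
    s3 = w[3] ^ w[4] ^ w[5] ^ w[6]
    syndrome = s1 + 2 * s2 + 4 * s3
    if syndrome:
        w[syndrome - 1] ^= 1
    return [w[2], w[4], w[5], w[6]], syndrome

def bytes_to_bits(data):
    """Most significant bit first."""
    return [(b >> i) & 1 for b in data for i in range(7, -1, -1)]

def bits_to_bytes(bits):
    out = bytearray()
    for i in range(0, len(bits), 8):
        byte = 0
        for b in bits[i:i + 8]:
            byte = (byte << 1) | b
        out.append(byte)
    return bytes(out)

def encode(data):
    """Encode a byte string: every byte becomes two 7-bit codewords."""
    bits = bytes_to_bits(data)
    coded = []
    for i in range(0, len(bits), 4):
        coded += encode_nibble(bits[i:i + 4])
    return coded

def decode(coded):
    """Decode a list of bits; returns (bytes, number of words corrected)."""
    bits, fixed = [], 0
    for i in range(0, len(coded), 7):
        data, syndrome = decode_word(coded[i:i + 7])
        bits += data
        fixed += 1 if syndrome else 0
    return bits_to_bytes(bits), fixed

def run_demo():
    msg = b"key=0xA5"  # constructed sample payload
    coded = encode(msg)

    # One flipped bit in every codeword (e.g. a frame captured mid-fade).
    noisy = list(coded)
    for w in range(len(noisy) // 7):
        noisy[w * 7 + (w % 7)] ^= 1
    single = decode(noisy)

    # Two flipped bits in the first codeword: the syndrome points at a third
    # position, so the decoder "corrects" into a different valid codeword.
    bad = list(coded)
    bad[0] ^= 1
    bad[1] ^= 1
    double = decode(bad)

    return {
        "overhead": len(coded) / (8 * len(msg)),  # 7/4 channel bits per data bit
        "single_flip_recovered": single[0] == msg,
        "double_flip_recovered": double[0] == msg,
    }

if __name__ == "__main__":
    print(run_demo())
```
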

Figure 4 presents an overview of our approach, with short descriptions of the process for transmission and reception.

4 RESULTS AND DISCUSSION

We experimentally evaluated our approach with the main goal of transmitting specific small pieces of information from the attached SD card, such as credentials and cryptographic keys. The data is transmitted using two infrared LEDs, each one representing a different bit.

The biggest observed limitation is the camera frame rate at the receiving end, because each LED is capable of transmitting more than 30 bits per second. In terms of speed, we achieved rates of 10-15 bits per second per LED, which is efficient enough for our purposes. The main restriction in the transmission is the time that the LED takes to light up or turn completely off. Our results are not so far from some published related works (Sepetnitsky et al., 2014) and represent an improvement in terms of level of intrusion and stealthiness. Given the limitations of the optical approach, the achieved speed appears promising, making it possible to send data like passwords and cryptographic keys in just a few seconds, and some small files in minutes.

(a) Overview of the transmission process. Data is first captured and encoded for transmission using an error-correcting code. After the handshake sequence is sent, data can be transmitted.

(b) Overview of the reception process. The receiver camera first locates the LEDs and waits for the synchronization sequence (handshake). After the handshake, data can be decoded and stored for retrieval by the attacker.

Figure 4: Description of the steps required by our studied approach for data exfiltration, encompassing the transmission and reception of data.

We observed three critical factors from the environment that may interfere with the transmission: (i) level of brightness, (ii) distance between the transmitter and receiver, and (iii) device positioning. Because the infrared light is weaker than regular light from a common LED, the infrared LED will fade if the environment is too bright, which may incur additional loss during the transmission, since the capture would lose track of the device more easily. The distance between transmitter and receiver interferes in a similar way. If the distance between the two increases, the amount of noise in the environment that interferes with the transmission will increase too, since other external LEDs and lights may appear in the camera's view. Another important factor to the transmission is the positioning of the device regarding the camera. The data transmitting LEDs are located in the opposite side from the USB port, and the camera needs to be able to capture the image of the LEDs directly, otherwise the entire process will fail.

Our preliminary results were obtained in an ambient light room and with a distance of about one meter between the device and the camera. During the experiment we tried to minimize the amount of noise introduced from the environment while still keeping it realistic. Improving the quality of the camera at the receiving end allows both the distance and transmission rate to be increased, but this may not be compatible with real scenarios.

5 COUNTERMEASURES

Countermeasures for defensive purposes are certainly possible and mostly require improved operational procedures (Zander et al., 2007). Ensuring that USB ports are not visible in the air-gapped machines (e.g. using the machine in a closed environment with restricted access and tinted windows) and sanitizing external devices by default should mitigate the exfiltration threats posed by our approach. The main suggested point of entrance for the malicious device in the security perimeter is through an employee targeted by social engineering. Raising security awareness of the staff through user training is thus essential to prevent data exfiltration efforts.

6 CONCLUSION

We explored a new data exfiltration approach using an optical covert channel. The approach is platform-agnostic and does not require malware infection or any other modifications to be performed in the target air-gapped machine. It involves a malicious flash drive equipped with infrared LEDs for transmission and a connected camera for reception. Compared to related work, it achieves moderate speed with a low level of intrusiveness. As a result, it can be used to transmit small pieces of sensitive information, such as credentials, cryptographic keys or a short confidential document. A prototype was built and experimentally evaluated, reaching transmission rates of 30 bps of exfiltrated data using two LEDs. This can be easily improved by including more LEDs and adjusting the reception software accordingly.

ACKNOWLEDGEMENTS

We thank FAPESP (Sao Paulo Research Foundation) for financial support through process 2015/13876-7.

REFERENCES

Abraham, S. and Chengalur-Smith, I. (2010). An overview of social engineering malware: Trends, tactics, and implications. Technology in Society, 32(3):183–196.

Camera, D. (2013). LUFA - Lightweight USB Framework for AVRs. http://www.fourwalledcubicle.com.

Caudill, A. (2014). Phison 2251-03 (2303) Custom Firmware and Existing Firmware Patches (BadUSB). https://github.com/adamcaudill/Psychson.

Cheddad, A., Condell, J., Curran, K., and McKevitt, P. (2010). Digital image steganography: Survey and analysis of current methods. Signal Processing, 90(3):727–752.

Clark, J., Leblanc, S., and Knight, S. (2009). Hardware trojan horse device based on unintended USB channels. In NSS, pages 1–8. IEEE.

Guri, M., Hasson, O., Kedma, G., and Elovici, Y. (2016a). VisiSploit: An Optical Covert-Channel to Leak Data through an Air-Gap. CoRR, abs/1607.03946.

Guri, M., Kachlon, A., Hasson, O., Kedma, G., Mirsky, Y., and Elovici, Y. (2015a). Gsmem: Data exfiltration from air-gapped computers over GSM frequencies. In USENIX Security Symposium, pages 849–864. USENIX Association.

Guri, M., Kedma, G., Kachlon, A., and Elovici, Y. (2014). Airhopper: Bridging the air-gap between isolated networks and mobile phones using radio frequencies. In MALWARE, pages 58–67. IEEE.

Guri, M., Monitz, M., and Elovici, Y. (2016b). USBee: Air-Gap Covert-Channel via Electromagnetic Emission from USB. CoRR, abs/1608.08397.

Guri, M., Monitz, M., Mirski, Y., and Elovici, Y. (2015b). BitWhisper: Covert Signaling Channel between Air-Gapped Computers Using Thermal Manipulations. In CSF, pages 276–289. IEEE.

Guri, M., Solewicz, Y. A., Daidakulov, A., and Elovici, Y. (2016c). DiskFiltration: Data Exfiltration from Speakerless Air-Gapped Computers via Covert Hard Drive Noise. CoRR, abs/1608.03431.

Guri, M., Solewicz, Y. A., Daidakulov, A., and Elovici, Y. (2016d). Fansmitter: Acoustic Data Exfiltration from (Speakerless) Air-Gapped Computers. CoRR, abs/1606.05915.

Hamming, R. W. (1986). Coding and information theory (2. ed.). Prentice Hall.

Hanspach, M. and Goetz, M. (2014). Recent developments in covert acoustical communications. In Sicherheit, volume 228 of LNI, pages 243–254. GI.

Itseez (2015). Open source computer vision library, version 3.0. https://github.com/itseez/opencv.

Kuhn, M. G. and Anderson, R. J. (1998). Soft tempest: Hidden data transmission using electromagnetic emanations. In Information Hiding, volume 1525 of Lecture Notes in Computer Science, pages 124–142. Springer.

Langner, R. (2011). Stuxnet: Dissecting a cyberwarfare weapon. IEEE Security & Privacy, 9(3):49–51.

Loughry, J. and Umphress, D. A. (2002). Information leakage from optical emanations. ACM Trans. Inf. Syst. Secur., 5(3):262–289.

Maass, P. (2013). How Laura Poitras Helped Snowden Spill His Secrets. New York Times. http://www.nytimes.com/2013/08/18/magazine/laura-poitras-snowden.html.

Sepetnitsky, V., Guri, M., and Elovici, Y. (2014). Exfiltration of information from air-gapped machines using monitor's LED indicator. In JISIC, pages 264–267. IEEE.

Tischer, M., Durumeric, Z., Foster, S., Duan, S., Mori, A., Bursztein, E., and Bailey, M. (2016). Users really do plug in USB drives they find. In IEEE Symposium on Security and Privacy, pages 306–319. IEEE Computer Society.

Tsagourias, N. (2012). Cyber attacks, self-defence and the problem of attribution. Journal of Conflict and Security Law.

Verble, J. (2014). The NSA and Edward Snowden: surveillance in the 21st century. SIGCAS Computers and Society, 44(3):14–20.

Zaddach, J., Kurmus, A., Balzarotti, D., Blass, E., Francillon, A., Goodspeed, T., Gupta, M., and Koltsidas, I. (2013). Implementation and implications of a stealth hard-drive backdoor. In ACSAC, pages 279–288. ACM.

Zander, S., Armitage, G. J., and Branch, P. (2007). A survey of covert channels and countermeasures in computer network protocols. IEEE Communications Surveys and Tutorials, 9(1-4):44–57.
