COMSEC Letter 1988

Published in Comsec · 25 Apr 2019

  

ComSec Letter

Editor: James A. Ross

YOGO 4

1988

COMSEC LETTER


The ComSec Letter was started in 1984, The Year Of George
Orwell, by Jim Ross. Initially it was mailed at no charge to
everyone on his mailing list, and it was later offered by
subscription. After the founding of the Communication Security
Association, the letter became its official organ. In 1989 the
association decided to create a new organ, Comsec Journal; and,
in order to minimize confusion, the name of this letter was
changed to Surveillance.

What follows is an edited version of the contents of one
year of the letter. (The letter has been edited to remove
topical, superfluous, and outdated items.)




Ross Engineering, Inc.
7906 Hope Valley Court
Adamstown, MD 21710
Tel: 301-831-8400; Fax: 301-874-5100

January, 1988

TAP DETECTORS, AGAIN

Recently we received a catalog from Sharper Image which
offered a telephone tap detector. The blurb said that 98% of
"phone snooping" is done with low or medium impedance taps, and
that this device has a green light which means your line is
secure. We responded with the following letter to Richard
Thalheimer.

Dear Richard,

Just a short note with some information that might
save you from an expensive lawsuit some day.

In describing a "phone that knows how to keep a
secret" on page 14 of your current catalog, you say
that 98% of phone snooping is by low or medium
impedance taps.

First, in my experience most "phone snooping" is not
via taps; it is accomplished by phone modifications
known as phone bugging. Second, whoever told you that
taps are 98% low or medium impedance doesn't know what
he's talking about. In fact, he probably doesn't even
know what the word "impedance" means! Even a simple
tap, made from a few dollars worth of common electronic
components, presents a very high impedance to the
tapped line.

"Green light means your line is secure." Wow!
That's a powerful claim. Don't you wonder why Bell
Labs, with the best brains in the field, could never
make that claim?

I'm confident that the phone that you're touting can
be easily tapped, and it will not detect the tap. If
you'd like a live demonstration, I'm sure it can be
arranged.

I hope you'll check into this, and respond to this
letter. I'd like to pass your response on to our
members via the ComSec Letter (sample enclosed).

The initial response to this letter was a phone call from a
buyer at Sharper Image. He left a message that he had not yet
heard back from their vendor, but the device was not selling well
so they might drop it anyway.


OBSCENE CALLS COUNTERMEASURES

This subject continues to come up, so let's pass along our
ideas and ask for yours.

First, the new telco service which will allow you to
identify the calling number is in very limited operation at only
a few locations around the country. If you want to find out if
you can subscribe to it, we suggest that you call your telephone
company business office and ask when you'll be getting the
capability.

Now, not having that service, what can you do? Well, I know
one man who solved the problem by recording some of the calls,
and then advising the caller that the tape goes to the police if
the calls don't stop. That worked for him, but the last person
who inquired of me was a state trooper, so his caller certainly
would not be intimidated by a threat to go to the police.

My advice to the state trooper was to get an automatic
dialer, and to activate it during an obscene call. If the caller
is not too bright, he may think that the rapid, machine-made
signals are automatic trace signals, especially if you say some
words to imply such.

Anybody got any good ideas? I don't think a loud noise will
help because I don't think it will pass through the telco
equipment end-to-end at its original ear-splitting level.


SPOUSAL EAVESDROPPING

Boy, talk about response! No sooner had the last ComSec
Letter hit the mail, than we had a call from member Nick
Beltrante informing us that he had mailed a copy of the decision
on the spousal eavesdropping case. Our thanks to Nick, and
here's the story.

It seems that the husband suspected his wife of extramarital
affairs, so he installed a system to automatically record all
calls. He got the proof, and confronted her. He caught her
(electronically) a second time. He divorced her, and she sued
him citing the federal eavesdropping law.

The judge in this case found conflicting precedents. He
chose the precedent in which husband and wife were living
together in the same household and no third party was involved in
the taping of the calls -- as was the situation in the case
before him. In the earlier case the ruling was that marital
cases traditionally are not tried in federal courts. Further,
exhaustive search of the legislative history could find no
indication that the drafters of the federal law meant for it to
be used in domestic conflicts.

Again, our thanks to member Beltrante for sending along the
information. The newspaper story that we had quoted was correct.
A federal judge did rule that federal eavesdropping laws do not
relate to domestic cases in certain circumstances.


CORRECTION

Just last month we passed along the new address for the Bell
Labs RECORD, but now we find that it is no longer published. The
new publication is AT&T Technology, and four issues cost $40.00

Sorry for any confusion we created.


HOW MUCH DECEPTION IS ENOUGH?

We just received a promotional piece from Dictaphone. It
looks very much like a Federal Express overnight letter. It's
smaller, but laid out the same way with the delivery instructions
typed on a form that looks like the Fedex form, and contained in
a transparent pocket on the carrier just like Fedex. One side of
the carrier says, "Jet Express" "URGENT LETTER ENCLOSED".
Overall, it is a strong effort to make the recipient think he is
receiving something that was important enough to warrant spending
about fifteen dollars for overnight delivery.

Unfortunately however, the information on the delivery form
gives the hoax away; it says, "Bulk Rate US Postage Paid,
Richmond, VA, Permit #936". He didn't spend fifteen dollars to
get it to me overnight; he spent twelve and a half cents or less
to get it to me within a few weeks or months!

Now, we know that people who mail to rented lists want to
encourage you to open and read their offers, but this seller is
contradicting himself when he labels his piece "Urgent Letter"
and sends it bulk rate.

My personal reaction to this is that I don't trust Gordon F.
Moore who sent it to me. He tried to fool me once; and I think,
if I start talking to him about buying his product, he'll try to
fool me again. Therefore, he has no chance of ever selling me
anything.

Your comment?


CELLULAR PHONES, AGAIN

Well, the California Public Utilities Commission is on the
ball. They've asked the phone companies to notify customers that
cellular calls may not be private. Great!

Unfortunately, there is a superfluous word in at least one
of the announcements. It says, "Cellular telephones send calls
over public radio frequencies." The superfluous word, of course,
is "public". Its use implies that there are some frequencies
which are not public, and that is just not so. Everything
transmitted by radio can be heard by anyone who has the right
equipment and technique.

What's needed is education. Let's spread the word. Phone
conversations are not private. They can be overheard very
easily.


DRUG DEALERS AND CMTs

Newsweek wrote about it, and ComSec Letter has written about
it. Drug dealers use cellular phones to do their business. DEA
complains about it. DEA should do something about it. If I can
monitor drug deals in progress, why can't the DEA? If I can
monitor a collector on Long Island going about his rounds, why
can't the FBI?

You know, the irony of the whole thing is that those people
don't pay for their phone calls. They use stratagems that defeat
the phone companies' billing systems, so all of us who pay our
phone bills are subsidizing the drug dealers.

Let's move into the twentieth century, and use modern
communications and computational capabilities to put a stop to
this stuff.



LETTER

F. Douglas Porter of Tucson, Arizona wrote to ask some very
good questions. First, he wants to know when we are going to
sponsor meetings relating to computer communications and computer
security. Although the association is still in its infancy, we
are planning a big meeting for the east coast which will include
just what you want. At this time we can't be specific on place
and date, but we're working on it. You will be advised.

Also, he asks how he can access our BBS. Well Doug, the
volunteer who set up the ComSec BBS changed it into a personal
project, and then abandoned it altogether. There will be a board
some day, I'm sure; but there is none right now.

The last question is the tough one. He wants to know when
we'll be conducting some activities in the West, and that takes a
little background to answer. The people who organized this
association are all in the East and they remain the volunteer
work force. Our main effort at the moment is to get our next
expo under way, and we're working hard at it. However, we're
also putting together written procedures for establishing local
chapters, and we'll be sending information in this letter. Why
not start a chapter and begin to sponsor some local events, even
before the rules are in place? Let me hear from you.


February, 1988

EXCELLENT SUGGESTION

Bill Ranson of Richmond, Virginia called to suggest that we
summarize the eavesdropping laws in the ComSec Letter, and we
think that that is an excellent suggestion. Bill, you're on.
We'll start on that project right away, and you'll see something
in this letter in the near future.

Along that line, there are some excellent publications
available relating to communications, security, and privacy.
We're including an extra page with this letter which lists some
information sources that we recommend without reservation. (The
April issue of Computer Security Digest has some especially
chilling information from people in the computer trenches.)

If you contact any of them, please mention ComSec Letter.


OPPORTUNITIES

This association has openings for people ready to work. No
pay, just a lot of time-consuming work.

What's your reward? Maybe nothing. Maybe something.

The only thing that you'll get for sure is some publicity.
You'll get your name and company affiliation on our letterhead.
You'll sit at head tables from time to time; you might even get
to give a speech, if that's your desire.

All of these things may turn out to be of no value to you
other than some items you can add to your scrapbook to look at
when you're old and gray. On the other hand, if you are
ambitious, getting involved in an international organization's
activities might just bring you to the attention of the person
who can provide the big break you are looking for. Who knows?

There are committees and projects in need of leaders with
initiative. All involve paperwork, phone calls, and planning; but
no manual labor. Keep in mind that it is logical and normal that
members will select known workers for the next national board of
directors. If you can help in any way, contact the editor -- NOW.


IN THE MAIL & OUR THANKS

Thanks to Dave Mann who has sent much valuable information,
and to Bob Haydon who advised that he built a "listen-at-a-distance"
mike (discussed in a seminar) and it works.

Thanks also to Richard D'Aleo who sent us a written critique
with good suggestions for improving the seminar from his point of
view, and who also provided the information on "The Other NSA".

Also, Marion Lewis of Sovran Financial Corporation sent us
some material on Sherwood Communications Associates. Thanks
Marion. Sherwood is a relatively young firm, but they have an
amazing array of products -- from standard telephone items to
very sophisticated (and expensive) instruments. Also, they offer
used TSCM equipment at good prices. You'll find them listed in
the supplement to this letter because they have a great
collection of books and reports for sale.


LETTER

A member who is in military service wrote us recently asking
for our help in finding a job after his discharge. We have no
staff for any such job bank activity, and the work he's looking
for is very seldom advertised, so we're passing his request along
in this letter.

"I am about to leave military service. In the military one
of my functions was the monitoring of official telephone calls to
identify if there was any breach of security occurring.

"I have enjoyed this job and would like to be able to
continue with this type of work. Could the association provide me
any type of list of civilian jobs that might fall into this job
area or a list of those jobs that I could apply for that would
incorporate this type of work?

"Any assistance that you can give me in this job search
would be greatly appreciated."

If you can help, please contact Daryl L. Cole at RT3, Box
316, Kempner, TX 76539. Please send us a copy so we can report on
it in this letter 'cuz it seems to us that the only place in the
civilian world that he could find a job monitoring telephone
conversations would be with a big law enforcement organization.

We look forward to hearing from members and Daryl on this.


MEMBERS ONLY

Offers for free reprint service are for members of the
ComSec Association only. If you are not a member and are reading
a photocopy of this letter, please don't ask us to spend our time
and effort to serve you. We are offering a free service to
members -- people who support our efforts by paying dues. You can
join and become eligible for these free services. All you have to
do is apply and send money.

(This comment is prompted by our recent receipt of a request
[with self-addressed envelope] for a free reprint of an article
from a person who did not give his name, but the letter was from
a zip code where we have no members.)


BUGGED OR TAPPED?

Member Perry Myers of Myers Investigative Service in Chicago
sent us a clipping from the Chicago Tribune headlined "GOP
Chairman says he found tap on phone". Perry says that he thinks
there is something wrong in the story, and asks our opinion.

Well Perry, I agree that it's a hard story to understand. In
the first sentence Donald Totten says his phone was tapped, and
in the second sentence he says that his phone was bugged. Was it
one, or the other, or both?

We'll probably never know because Joseph Miles of Shadow
Investigative Service is quoted as reporting, "In the course of a
sweep I found a variation of voltage on the line. The possibility
existed. I found no hard evidence that one was in place".

Now, if the phone was bugged, there are some simple,
definitive tests which should have been performed, and (in your
editor's opinion) measuring line voltage is not one of them. If
these tests had been performed, the odds are that a bug would
have been detected.

On the other hand, if we're considering a tap, Mr. Miles
didn't have much chance of detecting one by measuring line
voltage. In our experience we only know of two instances in which
line voltage measurements gave a reasonably positive indication
that something was amiss. In both cases on-hook voltage was very
low and we suspect that an off-site parallel parasite transmitter
was the cause.

So let's hear from members. How often has line voltage
measurement indicated a problem in your experience? In my
experience a simple tap on an active line causes no measurable
change in voltage. In fact, the ordinary changes caused by normal
system activity are on the order of volts so it would be
impossible to measure the change of picovolts (or less) caused by
a decent tap.

Another question for members: Do you agree that a bugged
telephone should be detected by standard countermeasures
activities?


REEVALUATION OF THE EVALUATOR

This is another story of rapid response. In our last issue
we carried the story of our two evaluations of the Evaluator
telephone tap detector and reported that it did not detect any of
the taps that we put on our line.

Michael K. Stern, VP of Secom Information Products Company,
responded immediately, sending us another Evaluator for testing.
Further, he volunteered to come here to assist us with our tests.
He assures us that the unit really does detect taps (but he
hasn't told us how), and that other people have tested it with
positive results. Well, we'll try again when our schedule permits
and we'll advise you of our results in an upcoming newsletter.


THE OTHER NSA

Richard D'Aleo, an author who is writing a book on
intelligence gathering, sent us some material describing the
other NSA. It seems that there is an information source here in
Washington, DC called "The National Security Archive". This is a
non-profit (by design) institute founded by former Washington
Post reporter, Scott Armstrong. According to Time, this NSA now
operates on a million dollar budget with 30 people on the staff.

This NSA uses the Freedom of Information Act to collect
information which can be used by researchers into government
activities. If you have need of information which might have been
retrieved from government records, by all means, contact NSA at
1755 Massachusetts Ave. #500, Washington, DC 20036. 202-797-0882.
Please mention ComSec Letter when you contact them.


TELECOMMUNICATIONS COURSES

There are some courses on the administration, management,
and technology of telecommunications now being offered by AT&T.
If interested, contact Bruce E. Hemstock, AT&T Knowledge Plus, 55
Corporate Drive, Room 13J08, Bridgewater, NJ 08807. 800-554-6400.
Please mention ComSec Letter when you call or write.

P.S. One member commented that he'd like to see more technical
content in the ComSec Letter. What's your opinion?

COMMUNICATIONS/SECURITY/PRIVACY PUBLICATIONS


Newsletters, Magazines

Computer Security Digest -- computer security
150 N. Main St
Plymouth, MI 48170
313-459-8787

Monitoring Times -- radio monitoring
140 Dog Branch Rd.
Brasstown, NC 28902
704-837-9200

Privacy Journal -- security/privacy
Box 15300
Washington, DC 20003
202-547-2865
Also offers: Compilation of State and Federal Privacy Laws, $26.00

Security Letter -- corporate security
166 East 96th St.
New York, NY 10128
212-348-1553

Security Systems Digest -- security news/programs
Washington Crime News Service
7620 Little River Turnpike
Annandale, VA 22003
703-941-6600

Sherwood Communications Associates -- various publications
POB 535
Southampton, PA 18966
215-357-9065

Teleconnect -- modern telecommunications
12 West 21 St.
New York, NY 10011
212-691-8215

2600 -- hacking
POB 752
Middle Island, NY 11953

Books

Barbara Rowan has compiled an excellent reference, entitled
"Handbook on State Laws Regarding Secretly Recording Your Own
Conversations". $20 from Independent Hill Press, 105 South Alfred
St., Alexandria, VA 22314. There are periodic updates.


March, 1988

COMPUTER CRIME

Yes, it does exist; it does cause problems -- of varying
magnitude. Let's consider some of the various activities that we
have knowledge of.

First, we should consider those petty crimes by people who
think that stealing from big organizations is not stealing. The
crimes I'm thinking of are primarily those of theft of services
through the use of someone else's telephone credit card number.
Many, many long distance telephone calls are made this way. Many
of the people who do this think it's not really theft because the
phone company is so rich it doesn't know what to do with all of
its money. What they don't appreciate is that the phone companies
never lose money; they just add onto their rates to cover the
costs of these thefts. (But who can criticize the kids for such
shallow thinking -- we have men who would be president who say
that they are going to reduce our national debt without bothering
the people by raising taxes on corporations. They don't realize
that all of us will end up paying those high taxes because we'll
have to pay more for goods and services from those firms.)

Then there are the activities which are childish pranks,
taking advantage of the fact that most people/organizations are
trusting. Children with computer ability, by accessing someone
else's computer and leaving smart messages, perform the computer
equivalent of the kid trick of putting salt in the sugar bowl or
loosening the top on the pepper shaker in a restaurant.

Of course, there are also computer problems caused
inadvertently. Maybe these should also be called crimes. I'm
referring, for instance, to the virus experiment originated by
some folks at MacMag. It seems they wanted to try out a virus so
they planted one in several Macs in their office. This one was
set to appear on March 2, and to display a personal message from
their publisher. Well, they installed it in their Macs in
December and by March 2 it had spread to thousands of Macs (and
maybe into some commercial programs being offered for sale). In
any event, on March 2 thousands of Mac computers displayed the
message, "Richard Brandow, Publisher of MacMag, and its entire
staff would like to take this opportunity to convey their
Universal Peace Message to all Macintosh users around the world".


Last, but certainly not least, there are the serious
crimes -- more than just vexations. Large amounts of money and
property are being stolen. Data are being destroyed. We've all
read horror stories about these.

Just one observation before we consider some specifics: the
ones we've heard about are the failures; the successful computer
thefts are still unknown to us.

Some items in the news about some of those failures:

Computer Security Digest, April issue:

"The security of computers and data communications systems
is today largely non-existent, inadequate or outdated by new
offensive techniques.

"Governmental agencies (federal, state and local) seem to
have the loosest controls and the highest incident rate....
"Bell System Regionals are loaded with incidents.... The
culprits aren't all teenagers or long haired hippies either. The
new profile includes "mature" businessmen as well as the yuppie
community."

Washington Post April 18, 1988:

Headline: "New 'virus' Infects NASA Macintoshes"

".... numerous reports of a virus called Scores ...."

"....200 to 400 Macintoshes in the agency's Washington area
offices .... were infected by the virus."

Yes, it does exist. What can we do about it? Well, to start
with, I suggest that we share information. I make this suggestion
knowing that it contradicts what the Washington Post says is the
philosophy of major corporations who want to keep a lid on
countermeasures so that the other side won't find out what we're
doing and react to combat our countermeasures. I don't think
those people have enough respect for the capabilities of the
other side. They are smart. They share information. We need to
get smart. We need to share information.

As a start, if you're using a DOS computer and have
downloaded programs from a BBS, check the date on your
COMMAND.COM file. If it's recent, you have a problem.

Data Processing and Computer Security, in its Winter '88
edition, says that there is a checking program called VI-RAID.
This program will create a "Program Authentication Code" on all
of your programs, and can then be used periodically to check to
see if they have been altered. Available from Prime Factors,
Inc., 1470 E. 20th Ave., Eugene, OR 97403. 503-345-4334.
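The two checks just described, the COMMAND.COM date check and the periodic "Program Authentication Code" comparison, are both instances of integrity baselining. The script below is an added example, not the newsletter's code and not VI-RAID's (whose actual algorithm the letter does not describe): it records a SHA-256 digest, size and modification time for each program file under a directory, then re-checks later and reports what changed. The directory layout, the file names and the ".com"/".exe" suffix filter are assumptions made for the demonstration. The demo also shows why the digest matters more than the date: it overwrites a file and puts the old timestamp back, and the digest still catches it.

```python
"""File-integrity baseline for program files.

Added example (not the newsletter's or VI-RAID's code): records a SHA-256
digest plus size and modification time for every program file under a
directory, then re-checks later and reports what changed. The directory
layout, file names and the ".com"/".exe" suffix filter are assumptions.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path

PROGRAM_SUFFIXES = (".com", ".exe")


def file_digest(path: Path) -> str:
    """SHA-256 of the file contents, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path, suffixes=PROGRAM_SUFFIXES) -> dict:
    """Map each program file (path relative to root) to its digest, size and mtime."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in suffixes:
            st = p.stat()
            baseline[p.relative_to(root).as_posix()] = {
                "sha256": file_digest(p),
                "size": st.st_size,
                "mtime_ns": st.st_mtime_ns,
            }
    return baseline


def save_baseline(baseline: dict, store: Path) -> None:
    """Persist the baseline; keep it somewhere the checked system cannot rewrite."""
    store.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(store: Path) -> dict:
    return json.loads(store.read_text())


def verify_baseline(root: Path, baseline: dict, suffixes=PROGRAM_SUFFIXES) -> dict:
    """Compare the directory against a stored baseline.

    A digest mismatch is reported as altered whether or not the timestamp moved:
    a file date is trivial to reset, the content digest is not. A timestamp
    change with identical content is reported separately (reinstall, copy).
    """
    current = build_baseline(root, suffixes)
    report = {"altered": [], "timestamp_only": [], "missing": [], "added": [], "ok": []}
    for name, rec in baseline.items():
        now = current.get(name)
        if now is None:
            report["missing"].append(name)
        elif now["sha256"] != rec["sha256"]:
            report["altered"].append(
                {"path": name, "timestamp_changed": now["mtime_ns"] != rec["mtime_ns"]}
            )
        elif now["mtime_ns"] != rec["mtime_ns"]:
            report["timestamp_only"].append(name)
        else:
            report["ok"].append(name)
    report["added"] = [n for n in current if n not in baseline]
    return report


def demo() -> dict:
    """Constructed scenario in a temporary directory: baseline two program files,
    overwrite one and put its old timestamp back, add a third file, then verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "COMMAND.COM").write_bytes(b"original command interpreter\n")
        (root / "EDIT.EXE").write_bytes(b"editor\n")
        store = root / "baseline.json"          # .json is outside the suffix filter
        save_baseline(build_baseline(root), store)

        target = root / "COMMAND.COM"
        before = target.stat()
        target.write_bytes(b"original command interpreter\nunexpected extra bytes\n")
        # Restore the old timestamp: a date check alone now sees nothing wrong.
        os.utime(target, ns=(before.st_atime_ns, before.st_mtime_ns))
        (root / "NEW.EXE").write_bytes(b"arrived after the baseline\n")

        return verify_baseline(root, load_baseline(store))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it once to create the baseline on a machine you trust, store the JSON somewhere the checked machine cannot write to, and run the verify step on a schedule; anything in "altered" or "added" is the kind of change the VI-RAID note is warning about.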

Anyone care to offer additional advice, or offer to provide
service?


DONATIONS TO THE CAUSE

If you have any items of TSCM equipment that you no longer
need, please consider donating them to the association. What we
are most interested in are those things that you found really
don't do what the seller said they would do. We'll test them and
report on what they actually can accomplish.

We're interested in the expensive items, of course, but
we're also interested in the inexpensive ones. For example, the
"Phone Tap Detector" advertised for $69.00 (plus $2.95 P&H) in
the February, 88 issue of Popular Communications would seem to be
an interesting item. If you bought one and found that it does not
detect taps, why not send it along to us?

Also, we're always looking for computers, modems, office
equipment and furniture, and anything that might be useful.
Certainly nobody around here is an expert on the tax laws, but
the association is organized as a 501(c)(3) corporation (nonprofit,
educational) which should mean that you should be able to
take some kind of a write off for any donation. Ask your tax
lawyer or accountant, but keep us in mind. Thanks.

FEEDBACK

Ben Otano, Bill Parker, and Perry Myers requested the
overseas travel tips mentioned in the last ComSec Letter, and Tom
Campbell of Northrop and Perry Myers responded positively to our
question about more technical content. Herb Greenberg sent us a
copy of an article in Business / North Carolina which features
reader Bob Grove, Editor of Monitoring Times. (In case you hadn't
noticed before, we've often suggested that folks in the TSCM
business could benefit from a lot of the material in this
publication. Call 'em in Brasstown, NC.)

We appreciate these letters, and especially appreciate the
nice compliments that came with them. Thanks. And, we got the
message. The response is for more technical content in these
letters, so we'll start putting in more technical detail.


TSCM, WHAT IS IT?

Recently, we've read in two different publications that 90%
of all TSCM "hits" are attributable to the physical search.

That is so far off from our experience that we're inclined
to believe that the statement is self-serving in the extreme.
Probably the folks who tell you that don't have any modern
technical equipment or any technical capability.

Of course it could be that one of the authors is parroting
the other. Come to think of it, his comments indicate a real lack
of experience in real-world situations so maybe he's an armchair
quarterback.

In any event, we feel obligated to comment based on our
experience on real jobs. No amount of physical search would have
found the speaker of the old speakerphone connected to spare
conductors in the 50-conductor cable. How about the carbon
microphone connected to spare pair in the conference room phone;
do you think physical search would have found that?

Of course, if you have RF-calibrated eyeballs, you can see
the radio transmitter emanations at 100 plus MHz, and the 200 KHz
carrier current transmissions. C'mon! Be serious. Although there
is no question that physical search has its place, it is only
occasionally the most important part of the TSCM job. In an old
multi-tenant office building, it really is important and time
consuming. There have been jobs when it was the most meaningful
segment of our procedure. For instance, we wouldn't have detected
the evidence of the tap on Bob Hay's home telephone without it,
but most of the communications compromises that we've found were
found through the use of modern instrumentation. No matter how
thorough your physical search, you'll never see any RF, and
you'll probably never see any of the modifications to telephones
that can be detected easily with simple technical tests with
modern equipment.

Another idea: the people who say that physical search is the
most important part of TSCM might just be the people to whom show
is more important than substance. Certainly the client will be
impressed by a lot of activity, even if the hustle and bustle is
useless, as the standard physical search is in many TSCM jobs.


April, 1988

MODERN PHONE SYSTEM VULNERABILITIES

Background

The basic message is: The bad guys are smart. They are goal
oriented. They communicate. If there are vulnerabilities, they'll
take advantage of them while the good guys have their heads in
the sand (or stuck up in the air).

The good guys must communicate. Don't be afraid that you'll
teach them new tricks -- they already know all the tricks.

We've frequently talked about and written about potential
weaknesses in modern telephone systems, but our feelings were
just that, feelings. We felt that some of the systems could be
taken advantage of based on sketchy technical details, but now
we've begun to receive good information from several different
sources. So let's look at some specific experiences.


Experiences, DISA

In order not to embarrass any of the people or companies who
have provided the details, we're not going to identify them; but
what follows is real. Take heed.

A company (composite, for the sake of this article) which
has one of the (early) modern telephone systems had DISA (or some
variant thereof) for the convenience of their salesmen. To use
DISA (Direct Inward System Access) a salesman would call the PBX
and use a four-digit code number for identification. The system
would then connect him to a trunk, and he would be able to make
his calls.

Some time after the system had been put into operation, the
company noticed that their telephone bills were suddenly full of
off-hours, long, and expensive calls to a lot of numbers in Latin
America. They concluded that someone had learned how to use their
system, and was abusing it.

Their first reaction to try to protect themselves was to
change to a six-digit code. Not even as effective as a finger in
the dike; each monthly bill still contained thousands of dollars
in charges for calls to Latin America.

Their next step was to contact AT&T, and ask for protection.
AT&T investigated and determined that the calls were originating
in upper Manhattan. However, the exact source was not determined
because the calls stopped coming.

That may sound like a happy ending, but it isn't really.
It's actually one of those inconclusive terminations that leaves
everyone hanging. In that company's case, they finally realized
that the people making calls through their system were not
individual hackers; they were big business. That's right. Their
conclusion was that drug dealers had set up a communications
business so that their calls could not be traced back to them.
The reason that the company was no longer used is that they cut
back on the number of trunks available to only two or three, and
the druggies could not make the volume of calls that they
required through only a few trunks. It's our guess that they have
moved on to another company that has enough trunks, so that they
don't have the operational problem of keeping track of several
systems with different passwords, etc. It's so much simpler to
deal with only one system at a time and we're sure that they are
now concentrating on another company and that that company is
being taken advantage of in a big way.


Experiences, Remote Diagnostics

In addition to using DISA to steal service, some of the
service stealers are using the built-in maintenance facility.
They dial in to the PBX's computer and access the remote
diagnostic capability, where, by use of the proper signals, they
can access trunks.

One security director said that they had put a recorder on,
and heard a tone burst on the incoming call, followed by dial
tone on the outgoing trunk.

Checking with some folks who install such systems, we find
that this is certainly possible on some of the most modern
systems.


The Real Threat

Both DISA and remote diagnostic capabilities are currently
being used to steal service from a lot of businesses.

But it's only money that's being stolen.

Egad! Did Ross, the Scotsman, say it's only money being stolen?

Yup. He said it. He said it because he thinks something much
more valuable can be stolen, and probably is being stolen even as
you read this.

That more valuable property is information. If the bad guys
have figured out how to enter and manipulate these systems, they
must have learned how to use their knowledge for eavesdropping.


What Can You Do about Long Distance Theft?

Well, first read your phone bills. Do you have any excess
charges? If so, are they for calls to Latin America? If so, you
have probably been the target of the druggies. However, don't be
embarrassed and don't despair.

If your company has been victimized, don't feel too bad.
We've heard that the MCI sales offices in Phoenix and Denver were
hit -- bad. And MCI is a company that knows communications inside
and out -- but they got burned.

Also, keep in mind that the druggies are smart. They're not
going to continue to use the same company's lines until the
authorities find them. Their objective is to hide from authority
so they'll move on within a month or so.

However, they may cycle back, so it's a good idea to monitor
activity on your trunks after hours. Don't wait for the bill to
come in. Get some automated equipment that prints out line
activity. (Radio Shack has a dandy DNR (dialed number recorder)
that they call the CPA-1000 and sell for $99.95.)
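As an added example (not part of the original letter), here is a small after-hours trunk review of the kind this paragraph recommends, run over constructed DNR-style call records instead of waiting for the bill. The record format, the business hours and the country-code watch list are assumptions made for the demonstration.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, time

# Constructed sample records in an assumed DNR-style format:
# "<ISO timestamp> <trunk id> <dialed digits> <call seconds>"
SAMPLE_DNR_LOG = """\
1988-06-14T09:12:03 T01 13015551234 240
1988-06-14T10:45:20 T02 18005550199 95
1988-06-14T23:41:11 T01 0115712345678 610
1988-06-14T23:43:02 T02 0115712345678 598
1988-06-15T00:02:45 T01 0115112345678 720
1988-06-15T00:05:19 T02 0115912345678 655
1988-06-15T01:17:40 T01 0115712345679 420
1988-06-15T08:30:00 T03 12125550144 180
"""

# "011" is the international access prefix from North America. The country
# codes are real ITU assignments; which ones to watch is an assumption here,
# chosen to match the "calls to Latin America" sign the letter describes.
WATCH_LIST_CC = {
    "52": "Mexico", "57": "Colombia", "51": "Peru",
    "58": "Venezuela", "55": "Brazil", "591": "Bolivia",
}

# Assumed business hours; anything outside them counts as "after hours".
BUSINESS_OPEN = time(8, 0)
BUSINESS_CLOSE = time(18, 0)


@dataclass
class CallRecord:
    when: datetime
    trunk: str
    digits: str
    seconds: int


def parse_dnr_log(text):
    """Parse the whitespace-separated records into CallRecord objects."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, trunk, digits, secs = line.split()
        records.append(CallRecord(datetime.fromisoformat(stamp),
                                  trunk, digits, int(secs)))
    return records


def destination_country(digits):
    """Watch-list country for an international number, or None."""
    if not digits.startswith("011"):
        return None
    rest = digits[3:]
    # Country codes are one to three digits; try the longest match first so
    # that "591" (Bolivia) is not misread as "59" plus a subscriber digit.
    for length in (3, 2, 1):
        name = WATCH_LIST_CC.get(rest[:length])
        if name:
            return name
    return None


def is_after_hours(when):
    t = when.time()
    return t < BUSINESS_OPEN or t >= BUSINESS_CLOSE


def review_trunk_activity(records):
    """Return (record, reasons) for every call that merits a second look."""
    findings = []
    for r in records:
        reasons = []
        if is_after_hours(r.when):
            reasons.append("after-hours")
        country = destination_country(r.digits)
        if country:
            reasons.append("international:" + country)
        if reasons:
            findings.append((r, reasons))
    return findings


def summarize(records):
    """Per-trunk count, total airtime and repeated destinations for calls that
    are both after hours and to a watch-list country."""
    per_trunk = Counter()
    numbers = Counter()
    total_seconds = 0
    for r, reasons in review_trunk_activity(records):
        international = any(x.startswith("international:") for x in reasons)
        if "after-hours" in reasons and international:
            per_trunk[r.trunk] += 1
            numbers[r.digits] += 1
            total_seconds += r.seconds
    repeated = {n: c for n, c in numbers.items() if c > 1}
    return {"per_trunk": per_trunk, "total_seconds": total_seconds,
            "repeat_numbers": repeated}
```

A real deployment would feed the DNR printout into `parse_dnr_log` nightly and page someone when `summarize` reports more than a handful of after-hours international calls on a trunk.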


What Do We Plan to Do about Eavesdropping Vulnerabilities?

Unless one of our wonderful readers has already done it and
sends us a copy, we plan to do a survey of modern telephone
systems from Merlin to Dimension and Horizon, and on up from
there. We've heard that the CIA has already done it, but we don't
have access to their report (nor to such vast resources!), so
we'll just have to grind away at it. This is not the kind of a
project that gets accomplished overnight, so don't stand by your
mailbox looking for an announcement. While we're at it, though,
we'd like to hear from anyone who has specifics relating to any
system.

And, of course, if you want to call to compare notes, we'd
be glad to hear from you at any time.


MODERN TELEPHONE SYSTEMS INVULNERABILITIES

Well, the news is not all bad. Some of the telephone systems
that we've been exposed to recently are really quite secure.
Some are unbelievably insecure, yes; but some are quite good.

First, some of the modern PBXs select an outgoing trunk for
the caller. That means that if you want to tap phone calls by a
specific person, you have to tap all lines and monitor all calls,
and turn on the recorder when you hear the voice of the target.
The only way around this is to secure access to the premises and
put the tap in behind the switchboard. That is possible, of
course, but it adds a level of complexity to the tapper's
problem.

Then, there are the systems that are almost immune to
bugging. Coupled with a good physical security program, they are
nearly 100% immune. For instance, we were recently doing the
standard test for a series parasite by flashing the hookswitch
while tuning through the spectrum. After about ten flashes, the
computer showed the phone "busy". Apparently, it took so many
interruptions as a sign of a malfunction, so it busied the phone
out. Ross figured he could reactivate by disconnecting and
reconnecting the feed, but that made the phone go completely
dead. So what we had was a phone that is nearly immune to
bugging. If a bugger had worked on one of these phones, the
system or the phone would have provided evidence that it had been
worked on.

We've heard that some systems will recover from faults by
turning the computer's power off and back on again. This is where
your physical security program will provide protection, first by
locking the area, and second by monitoring access.


TAP DETECTORS AND THE SHARPER IMAGE

In our January issue we ran a copy of a letter to Richard
Thalheimer of The Sharper Image. The letter advised him that the
tap detector that he was touting would not detect even a simple
tap, and that he might get himself sued by someone who depended
on his tap detector to protect his privacy.

Well, the first response was from a TSI buyer who said that
sales weren't going so well anyway, so maybe they'd drop the
item. Now comes the latest issue of their catalog, and, you
guessed it, they're still saying "you can guard the privacy of
your line..."

So it seems that they simply don't care what they say.
Anything to make a sale. Oh well.


THAT LIFE FORCE CATALOG

Wow! Super slick. Full of pictures of handsome men and
beautiful women. Some catalog, until you begin to read what it
says. How about "most unique" for an interesting variation on
English? On one page we read that the Research Electronics voice
scrambler is "THE MOST SECURE VOICE PRIVACY DEVICE IN THE WORLD".
Now, it might be good. Can't say; never tested it. But we know
for sure that it is not the most secure device in the world. On
page 4 they also show a fellow listening through a wall with a
device they sell, and they even advise you to check 18 USC 2511
before you use it. I wonder why they didn't read that law
themselves; it makes printing that ad a federal felony. Oh well.


May, 1988

MEMBERSHIP MEETING

You are reminded of the membership meeting scheduled for
July 23 at the Twin Bridges Marriott in Arlington, VA. We've
planned a little time for an informal get together with coffee
and sweet rolls and toast at 9 AM. Meeting will start at 10. If
you can make it, call as soon as possible -- we're buying lunch,
and the hotel needs a count.

So far the response has been encouraging, so let's consider
some of what we need to accomplish in the near future.

Annual Meeting. We've been looking for a place to hold our second
"annual" meeting (our first was in 1985). This time we have a
contract with a meeting organizer who won't try to remake our
plans for our conferences. All of the logistical details will be
handled by him, and all exhibitor affairs will be his
responsibility. We'll put together the details of the conference,
and he'll take care of the promotion, advertising, registration,
etc.

Local Chapter Organization. This should be one of our top
priorities. Maybe the DC-area members can set the rules,
organize, and become the lead chapter in setting up our national
meeting later this year.

Bylaws. We have some very simple bylaws. At this meeting I hope
that we can appoint someone to flesh them out for presentation at
our annual meeting. Also, someone has to do the paperwork to get
us recognized as a bona fide non-profit organization.

Nomination of New Board Members. At present we have authorized a
board of five members. One of the members has departed so we have
a current opening for one person. If the Bylaws are approved,
this will be a bona fide meeting of the association, and we'll be
able to elect a new board member immediately. It has been planned
to expand the board membership to seven or nine, and this can be
decided at this meeting. Nominations will then be sought from all
members by mail, with the election to be conducted by mail before
the annual meeting.

Appointment of Committee Chairmen. There are many functions that
need leadership. At the top of the list is membership affairs. As
I see it, this relates to both membership benefits and to
recruiting. In my mind, they seem to go hand in hand. The future
of this organization depends on having an effective membership
program. We have to have suitable benefits to attract and hold
members.

Corporate Membership Changes. I plan to ask the board to change
our corporate membership structure to make it similar to that of
the American Defense Preparedness Association. Specifically, I
propose that we leave the annual dues at $150, but that the
corporation can name five individuals who will have full voting
rights.

ComSec Letter Subscriptions. I plan to ask the board to authorize
subscriptions to the ComSec letter @ $25 per year (ten issues).
This should make it easier for some to afford, and will allow
libraries, etc. to subscribe without having to pay individual
dues.


B & E: A to Z

With a title like that this video has to be good. (In case
you're not familiar with the jargon, the subject is breaking and
entering -- in fact, the subtitle is "How to get in anywhere,
anytime".)

Just how good it really is depends on your point of view. I
watched it mostly on fast forward because I'm not really
interested in developing a new skill, especially a skill that
would normally be used in the commission of a crime. If you want
to learn how to break in through a locked door, this probably
will be very good for you. On the other hand, if you are already
accomplished in this field, you don't need this video.

Is it worth the price? Yes, emphatically. Even though I
skipped most of it, I was immensely impressed by demonstrations
which show how very vulnerable we all are. Further, it is
especially chilling when you realize that the person who had no
trouble defeating all kinds of locks seemed to be not too
experienced at the business. In any event, you should look at it
if only to increase your awareness of how flimsy most physical
barriers really are. Available @ $99.95 from CEP, POB 865,
Boulder, CO 80306. 303-443-2294.


WINKLEMANN, AGAIN

Wow! It seems that there are quite a few people who are glad
to hear that this company is alive again in the USA. We've heard
that someone in Florida bought the US rights or franchise, and
there are some people who would like to get more specific
details. Please call if you have any information.


BBS COMING

Member Ned Holderby has volunteered to start a computer
bulletin board system for members and others. Non-member callers
will be restricted to information about the association and its
benefits, and maybe some message service. Members will have
access to all of the stored information including back issues of
the ComSec Letter, members names and addresses (except those who
have instructed us not to list their names), a message service to
leave questions or messages for all or any specified member, etc.
Also, membership records can be maintained in one place, getting
rid of some of the confusion that resulted from our changes in
the past.


IN THE MAIL

Bill Ranson, of Richmond, VA sent us some interesting
comments. He starts by saying that our segment last month, Modern
Telephone System In-Vulnerabilities, whetted his appetite, but
didn't give him anything to chew on.

He's right, of course. We noted elsewhere in that same
letter that we're busy collecting information on
vulnerabilities, and we should have said that we are also
collecting information on invulnerabilities. This effort will be
reported on as it progresses (see segment, Northern Telecom SL-1
Meridian in this issue).

Bill also volunteers to provide information on equipment
that he has tested, and to test equipment that is provided to the
association for that purpose.

Bill, I hope that you can make it to the meeting on the
23rd. Lee Binette is planning to be there to suggest that the
ComSec Association start just such a program. Maybe you two can
get it going, and we'll see that test results get passed on to
members, either through this letter or through our BBS.


WORDPERFECT 5.0

Well, the new version of Wordperfect has finally arrived,
and we have it installed in our new (IBM XT clone) computer.
Strange, though. The old version of WP recognized our QMS KISS
laser printer and the new version never heard of it. However, the
factory has sent us a series of updated diskettes, and our
printer is back among the living (except that WP can no longer
draw lines).

If all goes well and the old man learns how to manage the
new program, you'll soon see changes in the format, layout, etc.
of this letter. (You might have noticed that the title of the
letter is bigger this issue, and we've put a box around the date
line, and we've even included a drawing of your editor with a
smile on his face. We tried to place the clip art in the center
of the page, but for some reason Wordperfect won't do that for
us. Yet.) Our plans also include upgrading to full desk-top
publishing capability. It'll all come in due course. Although
we'd like to do everything at once, the budget limits our speed,
as does this old guy's ability to learn all this new stuff.

So, there really is some hope for a fancier letter. Don't
despair. We may move slowly, but we know where we want to go and
we are determined to get there. Next, we plan to acquire a
scanner so we can show pictures of some of the finds in our TSCM
work. After that comes a better laser printer so we can do the
whole desk-top publishing thing.

If you have any ideas about upgrading this letter, your editor
would really like to hear from you. I'm proposing several ideas
at our membership meeting to enlarge the association and the
readership of this letter. If we can get a bigger readership,
we'll be able to sell some advertising in the letter. What do you
think about that?


NORTHERN TELECOM SL-1 MERIDIAN

This is a system that we'll wholeheartedly recommend from a
security point of view. We also hear very good reports about its
reliability, but let's consider bugs and taps.

First, bugs. The SL-1 Meridian, coupled with a good physical
access control system, is my number one choice as an anti-bug
telephone. Why? Well, if you are going to modify a phone to make
it into a room bug, you're going to disconnect the phone from the
feed. In the SL-1 Meridian system, as soon as a phone is
disconnected, it is locked out of the system until the system is
reset at the computer -- that's where the good physical security
program is important. Simply put, if you have this system, and
the boss finds his phone inoperative on Monday morning, you know
that you have a problem.

Now let's consider taps. If your mission is to tap the phone
calls of Mr. X, you simply have to connect to the wires that
carry his calls. However, this system pumps calls out on a T-1
span. That means that you need the equipment to break out the 24
channels, and you have to listen to all channels for Mr. X's
voice. Next to impossible for any but the most sophisticated
tapper with lots of clout, money, and technical capability.

Because of these characteristics, I rate this system #1 for
security. There may be others just as good or better, but we
haven't checked them all out yet. You'll hear more as we
progress.


June/July, 1988

SURVEILLANCE EXPO 88 (89?)

Surveillance Expo will be sponsored by the ComSec
Association and will take place in the Washington, DC area in
conjunction with our next membership meeting. As you read this
volunteers are looking for space for a meeting late this year,
but finding a site is proving to be a real problem and we may
have to reschedule to some time next year when appropriate space
will be available.

The meetings are being planned for the DC area because
that's where the volunteer workers are. To those members who have
been asking for a meeting in other areas we say, "Have at it.
We'll cooperate in any way." However, those of us working here
can barely handle the details of one meeting, let alone two.


NEW BOARD OF DIRECTORS

At the membership meeting held on July 23, 1988, it was
decided to expand the board to seven members, and an election was
held to fill the four vacancies. Joining Chuck Doan, Jim Ross,
and Ken Taylor on the board are: Mike Brumbaugh, Jack Mogus, John
Nolan, and Charles S. (Slick) Poteat.


BOARD MEMBER FUNCTIONS

Although not all members have been formally elected to
specific offices, the board members in the DC area have begun to
work on projects as follows: Mike Brumbaugh has been keeping
minutes of each meeting; Chuck Doan is VP, Finance; Jack Mogus is
working on membership programs and will be responsible for all
aspects of membership (keeping the list, recruiting, benefits,
local chapter affairs, etc.); John Nolan is in charge of all
aspects of organizing the upcoming Surveillance Expos and annual
membership meetings; Slick Poteat is developing a system for
collecting information on the equipment used and qualifications
of our members who work in TSCM; Jim Ross is still president, but
has announced that he will run for chairman at the next
membership meeting so that someone else can move into the
president's slot and lead the association through its critical
growth stage.


HITS

From time to time we pass along information regarding hits
(communications compromises) found by our members. In this issue
we'll detail some of those and also two interesting
vulnerabilities (Vantage phone and common wall). In future issues
we'll provide details on other vulnerabilities and some
communication compromises that are simple to implement.

As usual, you are invited to send along information that you
think would be of value to members.

Jack Mogus has had two occasions to look closely at a 66
connecting block for one of his clients. On the first occasion he
found a home-built radio transmitter, and on the second he found
a tap connected to a pair that led out of the building. (As soon
as we learn how to use our new scanner with our computer and
laser printer, we'll provide pictures of this find and any others
that we receive.)

Doug Ralph, in Canada, has been having a very busy year, and
reports two interesting finds. First, he was astounded to connect
to the talk pair of an on-hook Northern Telecom Vantage series
telephone and hear all of the room audio. That's right, the
microphone or speaker (of the speakerphone) of this instrument is
connected to the talk pair when on hook, and all you need is an
audio amplifier, connected through a blocking capacitor, and you
have a first class bugging system in place.

Ralph's other report points up the importance of a thorough
physical search. Under the conference table in a board room he
found remnants of duct tape, which probably had fastened a tape
recorder in place at one time. Way to go, Doug!

One contributor, who wishes to remain anonymous so that his
company will not be embarrassed, reported an interesting find by
his in-house telephone man. It seems that this young fellow
normally used white wire ties in his work, and one day he noticed
that someone else had been working in his territory. He tracked
the strange wiring to a Radio Shack tape recorder controller (PN
43-236), and from there to a tape recorder. The CEO who heard his
conversations on the tape was understandably in shock. Pictures
of this installation will also be carried in a future letter.

Let's now look at the common wall problem. We're referring
to multi-tenant office buildings with more than one tenant on one
floor so that there is a wall which is common to two different
businesses. Most of the modern office construction that we've
seen lately has office walls extending upward to the base of the
floor above, which is as it should be for physical security.
However, these walls, out of sight above the dropped ceiling,
have large holes in them to allow for HVAC air flow, which is not
how it should be for communications security. The next door
neighbor need only stick his head above the dropped ceiling to
hear what is going on in the adjoining office. Or, if he wants to
get it all, he can use this access hole to plant a microphone and
connect it to a tape recorder. This is a real vulnerability; look
for it!


MEMBERSHIP RENEWALS

During the past year, we arranged for all memberships to
expire at the same time, namely at the end of September. This
will make it much easier to keep track, produce rosters, etc.

At present we have many memberships expiring in September of
this year, and more expiring in '89. Also, we have a handful of
life memberships and a few corporate memberships. Anyway, this
seems to be a good time to remind everyone of the options.

Individual professional life memberships are still available
at $500. We've been told that this is too low a figure, so the
board will be considering raising it soon.

The corporate membership picture has just changed to make it
much more attractive for businesses to join. Each small business
corporate member can name up to five individual members, each
with full voting rights. The fee for this level of corporate
membership is still $150 per year, so give this option some
thought. If you plan on exhibiting at the upcoming Surveillance
Expo, you'll more than recoup your dues in the reduced charges
for exhibit space.

The date of membership expiration is printed at the end of
the first line on your mailing label. If your membership expires
September 30, 1988, a renewal form is enclosed with this letter.
Please don't procrastinate. We're entering into our big growth
year, and we need support from all of our old members.


LASER BEAM ON THE WINDOW. THREAT?

Kevin Murray has done a practical and thorough evaluation of
the laser beam on the window threat. We don't have room for it in
this issue, but we'll provide a full recounting of his evaluation
in the next issue. It's a good piece of work and we're very
pleased that he saw fit to share it with the membership.

Thanks, Kevin. It's input like this that we're looking for
to elevate the level of professionalism in TSCM practitioners.


COMSEC ASSOCIATION BBS

Ned Holderby advises that the board should be in operation
by the third week in August. More information in the next issue.


MEMBERSHIP LIST

If you've struggled through with us, you'll recall that,
after the first membership list, there has been a long break with
no list. It's a long sad story, a story of the kind of problems
that a new organization has when starting up. First, we had an
outside firm maintaining the list, and that worked great but cost
money. Then a member volunteered to maintain the list, notifying
members when it was time to renew, etc. Unfortunately, he never
notified a single member of lapsing membership, sometimes took
months to deliver the mailing labels for this monthly newsletter,
and lost many records. Finally, some volunteers had to put the
list back into our old simple-minded labels program which had no
facility for printing out the list in a format that would be
useable by the members.

Well, that should all be over soon. We have started using a
much more sophisticated and powerful mailing list program in our
business, and ordered a copy for Jack Mogus (who is responsible
for all aspects of membership affairs). This program, Promark,
will allow him to organize the membership list any way we want
and to print it out in any format. Hang in.


August/September, 1988

SURVEILLANCE EXPO '89

As of the time this is written, we do not have a contract
for space nor a contractor to manage the expo. John Nolan is
working on it very hard, and we should have definite information
by the time the next issue goes to press.


COMSEC ASSOCIATION BBS

Ned Holderby has set up a computer bulletin board for the
association. The board has a two-fold mission:

1. a facility for members to exchange information, and

2. a source of information about the association for
potential new members.

Only members will have access to the various conference,
message, and data file areas of the board. For example, we'll be
putting all of the back issues of the ComSec Letter on the board
(with topical information removed) so that all active members can
browse, read, download, or whatever. Members will have full
access and non-members will be limited to reading information
about the association.

Caution! The board will be run and maintained in a
professional and ethical manner. No games. No violations of
copyrights. No foul language. I'm sure you understand and
appreciate.

At the time that this is composed, your editor has not yet
been able to contact the board (Sorry Ned.), but a list of
members is on its way to him so he'll know who to allow onto the
board.

Our BBS number is 716-741-4245. I'll be leaving messages on
the board for members from time to time, and I hope you'll take
advantage of this facility.


LASER BEAM EAVESDROPPING

Kevin Murray has provided us with the results of their
testing of laser beam eavesdropping systems. It is of intense
interest to many, so we'll provide a reasonably complete summary
in this letter. (If you want an original of his report, I'm sure
he'll be pleased to oblige. Write him at Kevin D. Murray
Associates, POB 5004, Clinton, NJ 08809 or call 800-635-0811.)

Here's his report.

Laser Beam Eavesdropping

Summary.

Does it exist? Yes. We designed, built, and tested a complete
working system.

Does it work? Yes. The technique works very well under laboratory
conditions.

Is it a threat? No. Due to operational limitations under field
conditions, we are not reporting this as a threat to the majority
of clients at this time.

Sci-Fi Bugs?

Eavesdrop from afar, merely by pointing at a window. The
idea is alluring to some, horrific to others.

News media reports of just such a bugging device, based on
laser beam technology, have been circulating for some time now. A
litany of claims "...can hear from miles away..." and compound
claims "...through closed windows...", culminates with the coda
"No one is safe." Like the X-Ray vision glasses of comic book
fame, the claims tend to become exaggerated. But, unlike the
concept of X-Ray vision, laser listening can be accomplished with
the right equipment and conditions.

A Century Old Invention.

April 26th, 1880 - Alexander Graham Bell & Sumner Tainter
announce their invention - the Photophone. Sound transmitted on
reflected light rays a distance of 213 meters. They also claim,
"It can transmit songs with great clarity of tone." This is the
forerunner of CD record players, fiber optic telephone
transmission, and remote eavesdropping.

It's Greek to them, Diogenes.

We researched this threat for our clients and heard much
speculation from the pundits, conjecture from dilettantes, and
hyperbole from the media. In most cases, the "experts" had never
even seen a laser bug. They were running on grapevine knowledge.

We Built Our Own.

Using assembly plans available to the general public, we
built a laser receiving system (Radio/Electronics 10/87). For
aiming and safety reasons, a visible laser beam was used in our
tests (Spectra Physics Inc. - 10 mW linear Helium-Neon type).
Additional experiments with optical processing and professional
audio processing were conducted. These results, and allowances
for more sophisticated receiver circuitry, were factored into our
test results.

Physics 101 (Simplified.)

Sound is transmitted by vibration. When you speak, you
vibrate the air. The air, in turn, vibrates everything it
contacts. Certain objects, e.g., windows and mirrors, pick up
vibrations very easily. When a laser light beam hits such an
object, it `vibrates' also as it reflects and continues its trip.
The reflected `vibrating' beam can be received, electronically
processed, and the audio listened to. Under controlled
conditions, high quality audio can be recovered.

Physics 202 (The Real World.)

Bouncing an invisible laser beam off a window, and
attempting to catch the reflection, is a little like playing 3-D
billiards, blindfolded. The fun increases exponentially with
distance from the target.

All sound will vibrate a window. This includes interior
conversations as well as exterior noises (cars, trucks, birds,
etc.) Our audio laboratory processing equipment could attenuate
this effect, to a degree. The rule of thumb seems to be, if the
outside noise is as loud as the conversation, audio processing
techniques are of marginal assistance.

Reflecting a beam off interior objects helps reduce external
sound. The beam, however, loses power with each pane of glass it
passes through. This reduces effective working distances and
increases the number of reflected beams with which one must cope.

Thick glass and thermo-pane glass, as used in office
buildings, do not conduct sound vibrations well.

Air thermals and wind disrupt laser beams. The greater the
beam length, the greater the disruption. Wind blowing through a
laser beam generates noise similar to the cacophony of 747
engines.

A laser beam (one powerful enough for professional
eavesdropping) is the Neutron Bomb equivalent of a sharp stick in
the eye. Both can blind you, but the laser leaves the eye
standing. Blinding the subject of a surveillance is not the best
way of assuring a continued stream of information while remaining
unnoticed. We used safety goggles during our tests.

"There must be better ways to eavesdrop and spy", I hear you
say. There are.

"Beat the Beam" Countermeasures Course

If you suspect a laser beam eavesdropping attempt is being
made against you, use one of the following techniques:

     Hold confidential conversations in a room without windows.
     Place a radio against the window and close the drapes.
     Install a white noise generator on the window pane.

In addition, do not discuss your suspicions in the
sensitive area. Contact an independent information security
consultant for additional assistance. Your problem is more
extensive than you think.
-30-


MORE ON VIRUS PROTECTION

If you think you need protection from infection by a
computer virus, RG Software Systems in Willow Grove, PA
offers a program entitled, "Disk Watcher V2.0". According
to RG's president, Raymond Glath, the program has been
tested against the Lehigh University virus and "The Brain"
at the University of Delaware.

Please advise if you have any experience with this, or
any other anti-virus programs.


TELEPHONE SYSTEM INHERENT SECURITY

Recently in this letter we stated that a Northern
Telecom SL-1 Meridian phone would be locked out until reset
at the computer after being disconnected from the feed.
Within a week after seeing that bit of advice go out to our
members, we had an opportunity to work on such a system --
in fact, we worked on the system of the telephone person
who had given us that information.

What we discovered in handling the real thing is:
'tain't so. Some of the phones could be reconnected and
were automatically reset. Some would not reset. One member
advises that Northern Telecom Practice states that the
M-2000 series phones must be off line for at least six
seconds before being replugged. Another member advised that
it is necessary to wait at least thirty seconds before
attempting to reconnect. We don't have the total answer,
but we know that what we said last month is not totally
true. We were working on the M-3000 series -- the client
users call the "Darth Vader" phones -- and we could not
determine the pattern for which could be reset and which
could not.


October, 1988

SURVEILLANCE EXPO '89

Well, there will be no annual membership meeting and
expo until late '89. After the disappointment of being
close but not being able to make it during '87 or '88, we
were really counting on getting a show together early in
'89. At the board meeting in July John Nolan of Advance
Security took the ball, and it looked really promising.
Unfortunately, John encountered insurmountable problems and
resigned, so we're starting over -- again. (John, we thank
you for the short time that you were able to serve on the
board, and we wish you well in your other endeavors.)

So where do we stand? At the present time, Jim Ross is
talking to meeting organizers. If we can find one who can
do the job, the organizer and the association will make
some money while putting on an expo that is badly needed by
our members and by many people who have never heard of our
organization. Bringing off a successful expo is extremely
important, and we're determined to do it.

Be advised. Jim Ross may become financially involved
in backing this effort. He's stayed at arm's length to
avoid charges of conflict of interest, but the organization
needs this meeting and whatever it takes will be done.


SENSITIVE INFORMATION, HOLD BACK?

Recently Bob Grove, Editor of Monitoring Times,
editorially raised the question of how sensitive
information should be handled. That's a question that I am
often asked, so let's consider it.

The following material is a direct quote from the
Foreword to Section I of the notebook that I have prepared
for seminar participants, and it should give you a good
idea as to your editor's point of view. As usual, your
comments are encouraged.

"Before getting into the details of electronic
eavesdropping, let's address a very important philosophical
question.

"Much of the material to be covered during this
seminar is considered very sensitive. In fact, there are
some people who maintain that these topics should not be
discussed at all. They complain that, by covering methods
of electronic surveillance, we are 'teaching the bad guys
how to do it'.

"Let us answer that comment with two facts.

1. The bad guys already know what they need to
know to take advantage of the unsuspecting and naive people
of this world.

2. Anyone who studies the basic theory of
electronic communications will have no trouble
understanding everything necessary to tap phones, bug
rooms, etc. It is not complex.

"I believe that strength comes through knowledge, and
the route to knowledge is communication.

"Communication, to be effective, must be open,
straightforward, and complete.

"One principal objective of this course, then, is to
cover the principal points regarding electronic
surveillance because you need to understand those things in
order to protect your privacy."


TWO MORE PHILOSOPHICAL QUESTIONS

As long as we have started down the philosophical
route, let's go an additional step or two. Let's consider
the questions of whether TSCM practitioners should screen
their clients, and whether they should report their
findings to law enforcement.

We can't provide absolute answers, but we can provide
some information on our own operation, and what has been
told to us in the dozen years that we've been leading
seminars.

Let's start with an easy one. We've been told (it has
never happened on any of our jobs) that occasionally the
security director who has contracted for TSCM service will
ask that the contractor "find" something. (The idea is that
if a dead radio transmitter is "found", he'll become a hero
for ordering the service. And, of course, the TSCM service
firm will become richer because it will be necessary to
frequently return for additional work and maybe even do
some of the other divisions of the company, etc.) The
answer to that request is easy; it's "No!".

However, suppose that you are asked to work for a
company that has been in the press because of being forced
to sign consent decrees, etc.? Suppose that you have certain
evidence that your client is under investigation by law
enforcement? What do you do then?

I can't tell you what to do, but I can tell you what
we do in my company, and I can tell you the consensus of
many discussions with many people in law enforcement and in
TSCM.

In my company we will not hide evidence of a crime or
participate in any activity which could be remotely
considered obstruction of justice.

However, we have worked for at least one company with
a reputation for questionable business practices, and we
have worked for clients who are under investigation.

The preceding two paragraphs may sound contradictory,
but let's think about it. Does the fact that a company is
under investigation mean that it is not entitled to seek
professional help? After a lot of discussion with many
seminar participants, we don't think that a person loses
any rights by virtue of being under investigation.

What do you think?

On the question of reporting our findings to law
enforcement, let me make two points.

First, this world that we live in is not like
Hollywood. All loose ends are not tied up at the end of the
job as they are at the end of the TV episode. Communication
is not instantaneous and complete. Our conclusions are
based on a lot of factors, and it is rare that we could
present an absolute, no-question-about-it conclusion to any
law enforcement agency.

Second, to whom do we report what? During the recent
ASIS show in Boston, a visitor to the booth seemed shocked
when we said that reporting findings to law enforcement was
not required, expected, or done. He seemed to be of the
opinion that we should use our time to report crimes to
"the authorities". As he left the booth I realized that the
picture essay displayed behind me would have been a very
good case in point. We discovered a tap on the mayor's
telephone which may or may not have been indicative that a
crime had been committed. However, we would have been hard
pressed if we had had to report it to law enforcement
because there was good reason to believe that the tap was
not court-authorized and had been placed by one or more
members of the police department!


VULNERABILITIES (continued from an earlier issue)

In a recent issue of this letter we outlined some of
the current vulnerabilities that we see in our professional
practice of commercial technical surveillance
countermeasures. Let's cover one which we think is very
dangerous -- one that we've been warning clients about for
years: the private line telephone, installed for
"security".

How many times have you seen the CEO order a separate
telephone line that does not go through the PBX? He thinks
he's protecting himself from eavesdropping, but what he's
really doing is making it very easy to identify the
appropriate pair to tap. It's like hanging a sign on the
pair, "TAP HERE!". We saw this in a now famous company
(Wedtech) a couple of years ago, and we continue to see it.
The latest example was on a "Hello" telephone in a
government contractor's office. The phone was installed
because there was so much sensitive information to be
discussed, and it's called the "Hello" phone because that's
the way it is answered -- in case somebody is listening.

One further thought on private line telephones. I've
been telling people in the seminar for years that the best
way to tap a phone is to call the phone company and order
an extension. Of course, a private line phone is an ideal
target for this kind of tap. (Recently, a man who had
attended the seminar, approached me and asked, "Do you
remember what you said is the best way to tap a phone?" I
said I remembered, and he smiled and said, "Well, it
works!") It will not be successful every time, but, of all
of the businesses in this world that must take orders by
phone, the phone companies are at the top of the list.

If you think that you're safe because the number is
not listed, or not published, or in any other way
protected, you just don't appreciate the nature of free
enterprise. ALL of those numbers are available. There are
people in this country who can get the information for you.
For example, I noticed on a recent trip to New York City
that there was a light on early in the morning at the old
address of a man who had stolen a lot of money from our
company. So I called one of the information providers, gave
him the address, and I had a full listing of everyone with
telephone service at that address back in less than 24
hours. So, if you or the CEO have had a private line
installed, think again. The single line phone is very
vulnerable. If you have a good size operation, think
seriously about a more secure installation such as the
Northern Telecom SL-1 that we wrote about recently.


COMING SOON

Richard Paradis sent us a copy of a product
announcement that was carried in, of all things, IEEE
SPECTRUM. (That's the magazine that goes to all members of
the Institute of Electrical and Electronics Engineers.) The
headline was "A double whammy for eavesdroppers", and the
notice touted a product that will advise you when your
phone is tapped. Rich asked if we'd care to comment on this
item for the benefit of the membership, and in a future
issue we'll reprint the letter that we sent to the SPECTRUM
editor.

Another member, Bill Ranson, sent us information on
some of his activities and some interesting data sheets.
Again, we'll have to wait till a future issue to cover
these fascinating submissions due to lack of space.

Last, but certainly not least, Leo Hurley of Exxon
provided us with excerpts from an article in Security
Management (the one published by the National Foreman's
Institute, not the one published by ASIS). In an article
entitled "Sizing up Sweepers" Sam Daskam is quoted
extensively, and Leo asked how I react to the quoted
material. Well, Sam has many, many years of experience in
this business and certainly should know whereof he speaks.
(Of course, Sam worked for Mason for 15 or 16 years before
starting his present business, so he is probably heavily
oriented toward government-to-government threats.) However,
if he is quoted accurately, I'm shocked, and I'll explain
why in a future issue.


November, 1988

SURVEILLANCE EXPO '89

As we reported in the last letter, the expo that we
were planning for February is off. The earliest that we can
hope for is the fall of '89. If you are interested in
participating in any way, please contact Jim Ross.


TELE-PRIVACY GUARD

Richard Paradis sent along a copy of a notice in, of
all things, IEEE SPECTRUM, one of the publications that
goes to all members of The Institute of Electrical and
Electronics Engineers. The notice that caught his eye was
headlined "A Double Whammy for Eavesdroppers", and Rich
wrote to ask if I would comment on this for the members of
the ComSec Association.

Thanks Rich, and the text of the letter which I had
already mailed to the editor of SPECTRUM follows. (By the
way, they have never responded in any way. I wonder if that
is because they are looking for an engineer to check my
comments for accuracy, or because they were embarrassed
and consigned the letter to file 13 without any
consideration of its merit.) (I really think IEEE should
ensure that technical information mailed to members is
correct, and I wonder how I can influence them to hire some
engineers. Maybe I'll send a marked copy of this issue to
the president of the IEEE; that should get some response.)

(Note. The following letter was sent by
Jim Ross on Ross Engineering, Inc.
letterhead to the editor of IEEE SPECTRUM
on June 6, 1988.)


Dear Mr. Christianson:

This relates to your editorial "About Professionalism", and
the segment in the same issue (June) entitled "A Double Whammy
for Eavesdroppers".

First, let me express a thought regarding the definition of
professionalism. In the simplest sense, I think a professional is
someone who is paid to do something that others might do for
nothing. For example, a cab driver is a professional, and one
would expect that he would be a more proficient driver than you
or I. That's certainly not always true, but it remains a
reasonable expectation.

So let's move along to writing. Those of us who write
professionally, in general, should be better at the craft than
others. I think that professional writers should be especially
careful about how they use words, their basic, elemental tools
for communicating with their audience.

Ah yes, the audience. If the professional writer's audience
is, let's say, a group of engineers, isn't it reasonable to
expect that the words used to communicate with them will be the
technical terms that have precise meanings in their specialty,
and that the information will be technically correct?

Now that I have gone through all of that preamble, let me
get to the reason for this letter.

The technical content of SPECTRUM is usually so good that I
was astounded to read the segment regarding eavesdroppers. It is
so wrong, so confusing, so muddled, and so badly worded that its
author and all of the editors at SPECTRUM should be blushing
until you have atoned for this muddled miasma.

(This current piece of misinformation follows close on the
heels of an article in the April issue in which you assert "for a
mere $49" you can buy a device that will "detect small changes in
line impedance" and notify the user of a telephone line tap.)

Let me be agonizingly specific -- and your audience is
electrical engineers so we'll use engineering terms. In analyzing
"Eavesdroppers' Whammy" I'm going to quote specific sentences out
of what you presented, and comment on each one.

Quote #1

"About $50 buys you any of several commercial devices said
to prevent a tap or unauthorized person from listening in on your
telephone calls."

Comment #1

This sentence is correct, but you must pay careful
attention to the words "said to prevent a tap". Many people offer
equipment that they say will detect taps on phone lines.

The kind of people who sell such devices are the same kind
of people who sell nostrums to grow hair on bald heads, and diet
pills that melt away the fat. None of them will detect even a
simple tap made out of $2.00 worth of parts (at retail).

By the way, there are also tap detectors sold for as much as
$62,500.00 which also cannot detect the $2.00 tap.

Quote #2

"This kind of device usually drops the phone's 50 volt
on-hook voltage to about 18 volts instead of the normal 12-15 V
whenever you lift the receiver."

Comment #2

All wrong, except that the usual on-hook voltage in this
country is 50 V. (Although there are many PBXs (private
exchanges) that operate on different on-hook voltages.)

First, you say that off-hook voltage is normally 12-15 V.
Well, on hundreds of real telephone systems I have measured
off-hook voltage as low as 2 V and as high as 30 V. The most common
is about 8 V, but there is no norm that can be counted on.

Second, you assert that when I tap the phone line, it will
cause the off-hook voltage to increase by about 50%. Wow!

When I tap the phone line, you'll see no change in either
on-hook or off-hook voltage. My tapping equipment (all $2.00
worth) does not affect the line in any way that can be detected
electronically. There is no measurable change in line voltage
because I am not loading the line at all.

As a matter of fact, we have even run tap-detection tests
with a time domain reflectometer (TDR). The engineers and
technicians who participated in the tests were very experienced
with the TDR, and they were never able to tell when my tap was
on-line or off-line.

Quote #3

"As a result, the impedances of your phone and the tap
should not match and your phone should go dead."

Comment #3

Huh?

Look. The standard telephone presents almost pure resistance
to the line. It is, after all, operating in a DC circuit --
just direct current running through it while it's in operation.
That resistance is on the order of 600 to 900 ohms in most old
sets. My tap, on the other hand, uses a blocking capacitor so
that the impedance seen by the DC circuit has essentially
infinite magnitude.

While in operation, the old-fashioned (carbon microphone)
telephone voltage varies by one or two volts -- sometimes more.
My tap will be taking picowatts of power off of the phone line
and will not cause the DC voltage to vary by even one
one-thousandth of a volt.

Your assertion that my tap will cause the off-hook voltage
to be unusually high makes no sense whatsoever.

Nor does your declaration that if the tap impedance and
phone impedance don't match, the phone will go dead. When I tap a
phone line, I am deliberately creating the biggest impedance
mismatch possible -- and, believe me, the phone doesn't go dead.


Final Comment

The SCR device described will prevent someone from listening
on an extension phone, but there have been similar devices sold
for many years for a few dollars. The sellers of the earlier
devices never made any money for a simple reason. When an
extension telephone goes off hook, there is a discernable
difference in sound level (about 3 dB or half power), so why
would anyone pay for a circuit to do what your own senses do for
you?

Sincerely,

James A. Ross
President

P.S. By the way, technical surveillance countermeasures (TSCM) is
our business. If you ever need consultation (a limited amount
free) in this field, please call. We'll try to help you sort the
wheat from the chaff in the press releases that you receive in
this very specialized field.

(Quoted above is the entire text of the
letter that your editor sent to the
editor of IEEE SPECTRUM. If there is EVER
any response, you'll be advised.)


AT&T TRAINING PROGRAMS

Just received: AT&T catalogs of training programs. For
copies, or to inquire about training schedules, call
800-554-6400.


COMMUNICATIONS HANDBOOKS AND PUBLICATIONS

Here's another good source of good information. For a
listing of available handbooks and other publications, contact
either Chuck Firnsin (312-681-7483) or R.L. Grabo (312-681-7479)
at: GTE Communications Systems Corp., 400 North Wolf Rd.,
Northlake, IL 60164. When you write or call, please mention the
ComSec Letter.


December, 1988

DISA

In case you didn't appreciate the message in our April
issue, I'll try again:

If your switch offers DISA (Direct
Inward System Access), you are in
jeopardy! You may soon join the ranks of
companies that have been ripped off.

Do not jump to the conclusion that
I'm warning that some hackers might make
some long distance calls on your lines.

Yes, hackers are a nettlesome
problem. When they discover a DISA route
(They call them "extenders" so it doesn't
sound like stealing.), they pass the word
around and your phone bill will suffer.
Yes, they can run up your phone bill, and
you'll have to pay it.

However, the people I am referring
to are organized, and they are probably
drug dealers, and they make a lot of
calls.

As I write this I am looking at a printout of calls made
through one company's DISA capability: 27 pages with 51 entries
per page. In eight days $51,624.36 worth of calls were made on
four trunks to numbers in Pakistan.

I repeat: in eight days $51,624.36 worth of overseas calls
were made through this company's DISA facility. The people at
this company were smart; they detected the theft rapidly, and put
a stop to it rapidly. If they had learned of the abuse only after
receiving the bill, it could have been a quarter of a million
dollars!

If your switch offers DISA, you are in jeopardy! In our next
issue we'll include more detail on this situation. Stay tuned!
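The rapid detection the letter credits this company with can be automated from the switch's call records. The following is an added example, not code from the ComSec Letter: it runs a DISA toll-fraud check over constructed call detail records, flagging days on which international calls placed through the DISA path exceed a spending limit, and extrapolates an observed loss to a full billing cycle. The record layout, the sample numbers and the thresholds are assumptions made for this example.

```python
"""Added example (not from the ComSec Letter): a small DISA toll-fraud
detector run over constructed PBX call records. It flags days on which
international calls placed through the DISA path exceed a spending limit,
so the abuse surfaces in days rather than when the bill arrives. The
record layout, the numbers and the thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime

# Constructed call detail records, one per line:
# timestamp, trunk, access path (DISA, or EXT for an internal extension),
# dialed number, minutes, cost in dollars. Every value is made up.
SAMPLE_CDR = """\
1988-11-02 02:14,T1,DISA,011-92-21-555-0101,48.5,97
1988-11-02 02:16,T2,DISA,011-92-21-555-0102,51.0,102
1988-11-02 03:40,T3,DISA,011-92-42-555-0177,62.0,124
1988-11-02 09:12,T1,EXT,1-301-555-0150,3.2,1
1988-11-02 14:05,T4,DISA,011-92-21-555-0199,40.0,80
1988-11-03 01:55,T1,DISA,011-92-21-555-0101,55.0,110
1988-11-03 10:30,T2,EXT,1-212-555-0133,6.0,2
1988-11-03 23:48,T3,DISA,011-92-21-555-0104,58.0,116
"""


def parse_cdr(text):
    """Turn the CSV-style records into dicts with typed fields."""
    records = []
    for line in text.strip().splitlines():
        when, trunk, path, number, minutes, cost = line.split(",")
        records.append({
            "when": datetime.strptime(when, "%Y-%m-%d %H:%M"),
            "trunk": trunk,
            "path": path,
            "number": number,
            "minutes": float(minutes),
            "cost": float(cost),
        })
    return records


def is_international(number):
    """011 is the North American international dialing prefix."""
    return number.startswith("011-")


def is_off_hours(when):
    """Business hours assumed to be 07:00-19:00; abuse runs mostly at night."""
    return when.hour < 7 or when.hour >= 19


def disa_fraud_alerts(records, daily_cost_limit=200.0):
    """Aggregate international DISA calls per day and return the days whose
    spend exceeds the limit, with the trunks used and the night-time call
    count that an investigator would want to see first."""
    per_day = defaultdict(lambda: {"cost": 0.0, "calls": 0,
                                   "off_hours": 0, "trunks": set()})
    for r in records:
        if r["path"] != "DISA" or not is_international(r["number"]):
            continue
        day = per_day[r["when"].date().isoformat()]
        day["cost"] += r["cost"]
        day["calls"] += 1
        day["off_hours"] += is_off_hours(r["when"])
        day["trunks"].add(r["trunk"])
    alerts = {}
    for date, d in sorted(per_day.items()):
        if d["cost"] > daily_cost_limit:
            alerts[date] = {"cost": d["cost"], "calls": d["calls"],
                            "off_hours": d["off_hours"],
                            "trunks": sorted(d["trunks"])}
    return alerts


def projected_bill(total_so_far, days_observed, billing_days=30):
    """Extrapolate an observed loss to a full billing cycle: the size of the
    bill if nobody had looked until the invoice arrived."""
    return total_so_far / days_observed * billing_days


if __name__ == "__main__":
    for date, a in disa_fraud_alerts(parse_cdr(SAMPLE_CDR)).items():
        print(f"{date}: ${a['cost']:.2f} in {a['calls']} DISA calls, "
              f"{a['off_hours']} at night, trunks {', '.join(a['trunks'])}")
    # The letter's own figure: $51,624.36 in eight days.
    print(f"projected 30-day bill: ${projected_bill(51624.36, 8):,.2f}")
```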


NYQUIST vs. NYQUIL

Most folks have heard of Nyquil, but sniffling and sneezing
bear little relationship to TSCM. Nyquist, on the other hand, is
important in modern communications; and, if you haven't heard of
it, here's your introduction to the Nyquist Criterion. It relates
to the conversion of analog signals to digital, with an eye
toward later reconstructing (D to A) a replica of the original
signal.

As usual with history questions, I don't remember the man's
full name, or country, or when he lived. However, I do remember
his premise: the Nyquist Criterion (widely used but unproved
mathematically, I believe) states that, in sampling an analog
signal in the time domain, one should use a sampling rate of at
least two times the highest frequency in the signal in order to
prevent aliasing. For example, if the highest frequency is 1,000
Hz, it should be sampled more than 2,000 times per second.

Before explaining what that means in practical terms, let me
point out that the terminology definitely proves that engineers
and/or mathematicians can invent crazy words as do the
bureaucrats. (The other day I heard a bureaucrat say that
airlines reduce fares on some routes to "incentify" customers to
use those routes. Wow!)

"Aliasing" is a word that was coined to describe what
happens when an analog signal has been sampled at too low a rate,
and the A-to-D and D-to-A process has rebuilt a signal that is
unlike the original signal, an "alias" of the original.

The Nyquist Criterion, then, is important when designing a
modern telephone which has digital output to the switch. If the
sampling rate is too low, the reconstructed analog signal out of
the switch will be a very distorted version of the original
signal.
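As an added illustration (not part of the original letter), the following Python samples the 1,000 Hz tone from the example above at several rates and recovers what the D-to-A side would reconstruct, showing the alias that appears below twice the signal frequency. The sample rates, the 0.1 s window and the naive DFT are choices made for this example.

```python
"""Added example (not from the ComSec Letter): sample a pure tone at several
rates and recover the apparent frequency from the samples, to show the
Nyquist criterion and aliasing. Rates and the 0.1 s window are choices made
for this example."""
import math


def sample_tone(freq_hz, rate_hz, seconds=0.1):
    """Ideal A-to-D of a unit-amplitude sine: one sample every 1/rate s."""
    n = int(rate_hz * seconds)
    return [math.sin(2 * math.pi * freq_hz * k / rate_hz) for k in range(n)]


def spectrum(samples, rate_hz):
    """Naive DFT magnitude for every bin from 0 Hz to rate/2, the highest
    frequency the sample stream can represent. Bin k sits at k*rate/N Hz;
    the magnitude is scaled so a full-scale sine reads 1.0."""
    n = len(samples)
    out = []
    for k in range(n // 2 + 1):
        re = sum(x * math.cos(2 * math.pi * k * i / n) for i, x in enumerate(samples))
        im = sum(x * math.sin(2 * math.pi * k * i / n) for i, x in enumerate(samples))
        out.append((k * rate_hz / n, 2 * math.hypot(re, im) / n))
    return out


def reconstructed_tone(freq_hz, rate_hz):
    """What the D-to-A side sees: the strongest frequency in the sampled
    stream and its amplitude. Below 2*freq the tone shows up somewhere else
    (an alias); at exactly 2*freq the samples can land on the zero crossings
    and the tone vanishes, which is why the rule says 'more than'."""
    hz, amp = max(spectrum(sample_tone(freq_hz, rate_hz), rate_hz),
                  key=lambda p: p[1])
    return hz, round(amp, 6)


def alias_frequency(freq_hz, rate_hz):
    """Closed form for where an undersampled tone folds to."""
    f = freq_hz % rate_hz
    return min(f, rate_hz - f)


if __name__ == "__main__":
    for rate in (8000, 2500, 2000, 1500):
        print(rate, "Hz sampling ->", reconstructed_tone(1000, rate),
              "predicted alias:", alias_frequency(1000, rate))
```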


TSCM EQUIPMENT

Recently, a retired government TSCM expert stated that it
costs about two hundred and fifty thousand dollars to equip one
TSCM team. Now that Watkins-Johnson has introduced their WJ-38000
ELINT receiver, that number will probably climb to about one
million because this receiver alone can cost more than
$500,000.00.

All kidding aside, this is a serious matter and one that we
intend to cover in detail in future issues of this letter. For
the sake of brevity at this time, let's just note that your
editor does not agree that such expenditures are necessary.
Certainly there are some government-to-government threats that
are very high level and deserve high level responses, but there
is no way to justify spending that much money for equipment to
equip every team. After all, most work by most teams most of the
time will address the standard, real-world threat. More later.


NEW WORD NEEDED

Because of the work we've been doing lately to identify the
vulnerabilities in modern electronic PBXs, we've been talking
with a lot of folks who also don't speak "telephonese". Out of
necessity we've been using the word "switch" when referring to
such PBXs. Unfortunately, when most folks hear that word, in
their mind's eye they see the switch on the wall that we throw to
turn the lights on. Confusing.

So let's start a movement to invent a better word. After
all, aren't people who work in engineering supposed to be
precise? Let us hear from you!


PULSE THROUGH A LOADING COIL?

This was a question asked by Joe Wilson Elliott during one
of our telephone conversations. I don't think I ever answered
him, but it deserves to be answered because it illustrates the
fact that different educational and training courses teach
different "facts".

Anyway, can you get a pulse through a loading coil? What do
you think? If anyone expresses interest, we'll answer the
question in a future letter.


JUMPING TO (DANGEROUS) CONCLUSIONS

Regarding spousal tape recording of telephone conversations
without consent, we reported in January: "A federal judge did
rule that federal eavesdropping laws (Title III, 18 USC 2510,
etc.) do not relate to domestic cases in certain circumstances."

2600, in its fall issue, jumps from this fact to the
erroneous conclusion, ".... it is now legal for married couples
to place wiretaps on their home telephones in order to catch
their spouses doing nasty things like having affairs." We hope
the readers of this letter understand the difference between the
two statements. The ruling only said that certain specific
federal laws do not apply in certain circumstances. It did not
say that such eavesdropping is legal. There's a big difference.


RF FLOODING

One of the comments that we got on our questionnaire after
our London seminar indicated that the person wanted information
on "modern techniques such as RF flooding". How nice it would
have been if that person had read our material which pleads for
any question at any time, or listened to any of our exhortations:
"If you have a question, ask it at any time." If he had asked the
question in front of the group, we would have had an interesting
topic to discuss. We had people with exceptionally diverse
backgrounds. A discussion would have provided more than one point
of view, and that's the value of the seminar format. It's not the
authoritarian headmaster lecturing to a group of cowed students;
it's open give and take among experienced, senior people.

Well, I'm very sorry that he did not speak up. If he had, I
could have pointed out to him that RF flooding is probably fifty
years old. Also, I could have mentioned that we had been covering
some techniques which have come into use in 1988. That's right,
we were discussing truly modern methods such as electronic switch
manipulation, REMOBS, bugging of modern electronic phones, etc.
Thrown in for good measure were some comments on how companies
are being robbed (through toll fraud on a major scale) by people
taking advantage of DISA, voice mailboxes, diverters, etc.

And he wanted to discuss modern methods such as RF flooding!

In any event, I'll explain what I think is meant by "RF
flooding", with the hope that a reader will either endorse my
theory, or explain how I went wrong. Before I go on, let me
explain that I am guessing at what is meant by RF flooding. In
all of the courses that I have taken in math and electronics,
"flooding" is a term that was never used in any class or
practical exercise. I have the feeling that it was invented by a
technician whose field strength meter told him that the telephone
was full of RF, so much so that it was flooding out of it and all
over the floor. (Doesn't that make you wonder if you should wear
boots while doing TSCM?)

As you read this, keep in mind that I have never been
exposed to any government training in countermeasures, and this
explanation is based only on my response to the name given to the
technique.

So here goes. The older electromechanical telephones contain
a hookswitch which is really several switches in one assembly.
Each conductor is connected to a flexible metal strip, and all of
the strips are physically parallel and very close together. On
hook, some connections are made, and some are open. Off hook,
other combinations occur. In the on-hook condition the talk
circuitry (carbon microphone, speaker, and side-tone transformer)
are disconnected from the line in the DC sense. That is, no
direct current is possible in the circuit because the circuit is
open. However, what causes the circuit to be open is the fact
that two flat metal strips, side by side, are not touching.

Does that sound familiar? Two conductors separated by a
dielectric? Of course. That's the definition of a capacitor. And
although a capacitor may be an open circuit for DC, it sure isn't
open for RF. In fact, it is nearly a perfect conductor.

So my guess is that somebody fifty (or so) years ago figured
out that he could connect to the talk circuit by applying RF to
the talk pair. I've never tried it, and don't know anyone who
has, but the theory is sound. Although the audio recovered is
probably not good, and it certainly is easy to detect.

Well, there's my answer. If I'm way off base (or even a
little off) I'd like to hear from anyone who can set me straight.
I'll run the best answer that comes in. How 'bout it???
