ComSec Letter
Editor: James A. Ross
YOGO 4, 1988
COMSEC LETTER

The ComSec Letter was started in 1984, The Year Of George Orwell, by Jim Ross. Initially it was mailed at no charge to everyone on his mailing list, and it was later offered by subscription. After the founding of the Communication Security Association, the letter became its official organ. In 1989 the association decided to create a new organ, Comsec Journal; and, in order to minimize confusion, the name of this letter was changed to Surveillance. What follows is an edited version of the contents of one year of the letter. (The letter has been edited to remove topical, superfluous, and outdated items.)

Ross Engineering, Inc.
7906 Hope Valley Court
Adamstown, MD 21710
Tel: 301-831-8400; Fax: 301-874-5100

January, 1988

TAP DETECTORS, AGAIN

Recently we received a catalog from Sharper Image which offered a telephone tap detector. The blurb said that 98% of "phone snooping" is done with low or medium impedance taps, and that this device has a green light which means your line is secure. We responded with the following letter to Richard Thalheimer.

Dear Richard,

Just a short note with some information that might save you from an expensive lawsuit some day. In describing a "phone that knows how to keep a secret" on page 14 of your current catalog, you say that 98% of phone snooping is by low or medium impedance taps. First, in my experience most "phone snooping" is not via taps; it is accomplished by phone modifications known as phone bugging. Second, whoever told you that taps are 98% low or medium impedance doesn't know what he's talking about. In fact, he probably doesn't even know what the word "impedance" means! Even a simple tap, made from a few dollars worth of common electronic components, presents a very high impedance to the tapped line.

"Green light means your line is secure." Wow! That's a powerful claim. Don't you wonder why Bell Labs, with the best brains in the field, could never make that claim?
I'm confident that the phone that you're touting can be easily tapped, and it will not detect the tap. If you'd like a live demonstration, I'm sure it can be arranged. I hope you'll check into this, and respond to this letter. I'd like to pass your response on to our members via the ComSec Letter (sample enclosed).

The initial response to this letter was a phone call from a buyer at Sharper Image. He left a message that he had not yet heard back from their vendor, but the device was not selling well so they might drop it anyway.

OBSCENE CALLS COUNTERMEASURES

This subject continues to come up, so let's pass along our ideas and ask for yours. First, the new telco service which will allow you to identify the calling number is in very limited operation at only a few locations around the country. If you want to find out if you can subscribe to it, we suggest that you call your telephone company business office and ask when you'll be getting the capability.

Now, not having that service, what can you do? Well, I know one man who solved the problem by recording some of the calls, and then advising the caller that the tape goes to the police if the calls don't stop. That worked for him, but the last person who inquired of me was a state trooper, so his caller certainly would not be intimidated by a threat to go to the police. My advice to the state trooper was to get an automatic dialer, and to activate it during an obscene call. If the caller is not too bright, he may think that the rapid, machine-made signals are automatic trace signals, especially if you say some words to imply such. Anybody got any good ideas? I don't think a loud noise will help because I don't think it will pass through the telco equipment end-to-end at its original ear-splitting level.

SPOUSAL EAVESDROPPING

Boy, talk about response!
No sooner had the last ComSec Letter hit the mail than we had a call from member Nick Beltrante informing us that he had mailed a copy of the decision on the spousal eavesdropping case. Our thanks to Nick, and here's the story.

It seems that the husband suspected his wife of extramarital affairs, so he installed a system to automatically record all calls. He got the proof, and confronted her. He caught her (electronically) a second time. He divorced her, and she sued him citing the federal eavesdropping law. The judge in this case found conflicting precedents. He chose the precedent in which husband and wife were living together in the same household and no third party was involved in the taping of the calls -- as was the situation in the case before him. In the earlier case the ruling was that marital cases traditionally are not tried in federal courts. Further, an exhaustive search of the legislative history could find no indication that the drafters of the federal law meant for it to be used in domestic conflicts.

Again, our thanks to member Beltrante for sending along the information. The newspaper story that we had quoted was correct. A federal judge did rule that federal eavesdropping laws do not relate to domestic cases in certain circumstances.

CORRECTION

Just last month we passed along the new address for the Bell Labs RECORD, but now we find that it is no longer published. The new publication is AT&T Technology, and four issues cost $40.00. Sorry for any confusion we created.

HOW MUCH DECEPTION IS ENOUGH?

We just received a promotional piece from Dictaphone. It looks very much like a Federal Express overnight letter. It's smaller, but laid out the same way, with the delivery instructions typed on a form that looks like the Fedex form and contained in a transparent pocket on the carrier just like Fedex. One side of the carrier says, "Jet Express" "URGENT LETTER ENCLOSED".
Overall, it is a strong effort to make the recipient think he is receiving something that was important enough to warrant spending about fifteen dollars for overnight delivery. Unfortunately, however, the information on the delivery form gives the hoax away; it says, "Bulk Rate US Postage Paid, Richmond, VA, Permit #936". He didn't spend fifteen dollars to get it to me overnight; he spent twelve and a half cents or less to get it to me within a few weeks or months!

Now, we know that people who mail to rented lists want to encourage you to open and read their offers, but this seller is contradicting himself when he labels his piece "Urgent Letter" and sends it bulk rate. My personal reaction to this is that I don't trust Gordon F. Moore who sent it to me. He tried to fool me once; and I think, if I start talking to him about buying his product, he'll try to fool me again. Therefore, he has no chance of ever selling me anything. Your comment?

CELLULAR PHONES, AGAIN

Well, the California Public Utilities Commission is on the ball. They've asked the phone companies to notify customers that cellular calls may not be private. Great! Unfortunately, there is a superfluous word in at least one of the announcements. It says, "Cellular telephones send calls over public radio frequencies." The superfluous word, of course, is "public". Its use implies that there are some frequencies which are not public, and that is just not so. Everything transmitted by radio can be heard by anyone who has the right equipment and technique. What's needed is education. Let's spread the word. Phone conversations are not private. They can be overheard very easily.

DRUG DEALERS AND CMTs

Newsweek wrote about it, and ComSec Letter has written about it. Drug dealers use cellular phones to do their business. DEA complains about it. DEA should do something about it. If I can monitor drug deals in progress, why can't the DEA?
If I can monitor a collector on Long Island going about his rounds, why can't the FBI? You know, the irony of the whole thing is that those people don't pay for their phone calls. They use stratagems that defeat the phone companies' billing systems, so all of us who pay our phone bills are subsidizing the drug dealers. Let's move into the twentieth century, and use modern communications and computational capabilities to put a stop to this stuff.

LETTER

F. Douglas Porter of Tucson, Arizona wrote to ask some very good questions. First, he wants to know when we are going to sponsor meetings relating to computer communications and computer security. Although the association is still in its infancy, we are planning a big meeting for the east coast which will include just what you want. At this time we can't be specific on place and date, but we're working on it. You will be advised.

Also, he asks how he can access our BBS. Well Doug, the volunteer who set up the ComSec BBS changed it into a personal project, and then abandoned it altogether. There will be a board some day, I'm sure; but there is none right now.

The last question is the tough one. He wants to know when we'll be conducting some activities in the West, and that takes a little background to answer. The people who organized this association are all in the East and they remain the volunteer work force. Our main effort at the moment is to get our next expo under way, and we're working hard at it. However, we're also putting together written procedures for establishing local chapters, and we'll be sending information in this letter. Why not start a chapter and begin to sponsor some local events, even before the rules are in place? Let me hear from you.

February, 1988

EXCELLENT SUGGESTION

Bill Ranson of Richmond, Virginia called to suggest that we summarize the eavesdropping laws in the ComSec Letter, and we think that that is an excellent suggestion. Bill, you're on.
We'll start on that project right away, and you'll see something in this letter in the near future.

Along that line, there are some excellent publications available relating to communications, security, and privacy. We're including an extra page with this letter which lists some information sources that we recommend without reservation. (The April issue of Computer Security Digest has some especially chilling information from people in the computer trenches.) If you contact any of them, please mention ComSec Letter.

OPPORTUNITIES

This association has openings for people ready to work. No pay, just a lot of time-consuming work. What's your reward? Maybe nothing. Maybe something. The only thing that you'll get for sure is some publicity. You'll get your name and company affiliation on our letterhead. You'll sit at head tables from time to time; you might even get to give a speech, if that's your desire. All of these things may turn out to be of no value to you other than some items you can add to your scrapbook to look at when you're old and gray. On the other hand, if you are ambitious, getting involved in an international organization's activities might just bring you to the attention of the person who can provide the big break you are looking for. Who knows?

There are committees and projects in need of leaders with initiative. All involve paperwork, phone calls, and planning; but no manual labor. Keep in mind that it is logical and normal that members will select known workers for the next national board of directors. If you can help in any way, contact the editor -- NOW.

IN THE MAIL & OUR THANKS

Thanks to Dave Mann who has sent much valuable information, and to Bob Haydon who advised that he built a "listen-at-a-distance" mike (discussed in a seminar) and it works. Thanks also to Richard D'Aleo who sent us a written critique with good suggestions for improving the seminar from his point of view, and who also provided the information on "The Other NSA".
Also, Marion Lewis of Sovran Financial Corporation sent us some material on Sherwood Communications Associates. Thanks Marion. Sherwood is a relatively young firm, but they have an amazing array of products -- from standard telephone items to very sophisticated (and expensive) instruments. Also, they offer used TSCM equipment at good prices. You'll find them listed in the supplement to this letter because they have a great collection of books and reports for sale.

LETTER

A member who is in military service wrote us recently asking for our help in finding a job after his discharge. We have no staff for any such job bank activity, and the work he's looking for is very seldom advertised, so we're passing his request along in this letter.

"I am about to leave military service. In the military one of my functions was the monitoring of official telephone calls to identify if there was any breach of security occurring.

"I have enjoyed this job and would like to be able to continue with this type of work. Could the association provide me any type of list of civilian jobs that might fall into this job area or a list of those jobs that I could apply for that would incorporate this type of work?

"Any assistance that you can give me in this job search would be greatly appreciated."

If you can help, please contact Daryl L. Cole at RT3, Box 316, Kempner, TX 76539. Please send us a copy so we can report on it in this letter 'cuz it seems to us that the only place in the civilian world that he could find a job monitoring telephone conversations would be with a big law enforcement organization. We look forward to hearing from members and Daryl on this.

MEMBERS ONLY

Offers for free reprint service are for members of the ComSec Association only. If you are not a member and are reading a photocopy of this letter, please don't ask us to spend our time and effort to serve you. We are offering a free service to members -- people who support our efforts by paying dues.
You can join and become eligible for these free services. All you have to do is apply and send money. (This comment is prompted by our recent receipt of a request [with self-addressed envelope] for a free reprint of an article from a person who did not give his name, but the letter was from a zip code where we have no members.)

BUGGED OR TAPPED?

Member Perry Myers of Myers Investigative Service in Chicago sent us a clipping from the Chicago Tribune headlined "GOP Chairman says he found tap on phone". Perry says that he thinks there is something wrong in the story, and asks our opinion.

Well Perry, I agree that it's a hard story to understand. In the first sentence Donald Totten says his phone was tapped, and in the second sentence he says that his phone was bugged. Was it one, or the other, or both? We'll probably never know because Joseph Miles of Shadow Investigative Service is quoted as reporting, "In the course of a sweep I found a variation of voltage on the line. The possibility existed. I found no hard evidence that one was in place".

Now, if the phone was bugged, there are some simple, definitive tests which should have been performed, and (in your editor's opinion) measuring line voltage is not one of them. If these tests had been performed, the odds are that a bug would have been detected. On the other hand, if we're considering a tap, Mr. Miles didn't have much chance of detecting one by measuring line voltage. In our experience we only know of two instances in which line voltage measurements gave a reasonably positive indication that something was amiss. In both cases on-hook voltage was very low and we suspect that an off-site parallel parasite transmitter was the cause.

So let's hear from members. How often has line voltage measurement indicated a problem in your experience? In my experience a simple tap on an active line causes no measurable change in voltage.
In fact, the ordinary changes caused by normal system activity are on the order of volts, so it would be impossible to measure the change of picovolts (or less) caused by a decent tap. Another question for members: Do you agree that a bugged telephone should be detected by standard countermeasures activities?

REEVALUATION OF THE EVALUATOR

This is another story of rapid response. In our last issue we carried the story of our two evaluations of the Evaluator telephone tap detector and reported that it did not detect any of the taps that we put on our line. Michael K. Stern, VP of Secom Information Products Company, responded immediately, sending us another Evaluator for testing. Further, he volunteered to come here to assist us with our tests. He assures us that the unit really does detect taps (but he hasn't told us how), and that other people have tested it with positive results. Well, we'll try again when our schedule permits and we'll advise you of our results in an upcoming newsletter.

THE OTHER NSA

Richard D'Aleo, an author who is writing a book on intelligence gathering, sent us some material describing the other NSA. It seems that there is an information source here in Washington, DC called "The National Security Archive". This is a non-profit (by design) institute founded by former Washington Post reporter Scott Armstrong. According to Time, this NSA now operates on a million dollar budget with 30 people on the staff. This NSA uses the Freedom of Information Act to collect information which can be used by researchers into government activities. If you have need of information which might have been retrieved from government records, by all means, contact NSA at 1755 Massachusetts Ave. #500, Washington, DC 20036. 202-797-0882. Please mention ComSec Letter when you contact them.

TELECOMMUNICATIONS COURSES

There are some courses on the administration, management, and technology of telecommunications now being offered by AT&T. If interested, contact Bruce E. Hemstock, AT&T Knowledge Plus, 55 Corporate Drive, Room 13J08, Bridgewater, NJ 08807. 800-554-6400. Please mention ComSec Letter when you call or write.

P.S. One member commented that he'd like to see more technical content in the ComSec Letter. What's your opinion?

COMMUNICATIONS/SECURITY/PRIVACY PUBLICATIONS

Newsletters, Magazines

Computer Security Digest (computer security), 150 N. Main St, Plymouth, MI 48170. 313-459-8787.

Monitoring Times (radio monitoring), 140 Dog Branch Rd., Brasstown, NC 28902. 704-837-9200.

Privacy Journal (security/privacy), Box 15300, Washington, DC 20003. 202-547-2865. Also: Compilation of State and Federal Privacy Laws, $26.00.

Security Letter (corporate security), 166 East 96th St., New York, NY 10128. 212-348-1553.

Security Systems Digest (security news/programs), Washington Crime News Service, 7620 Little River Turnpike, Annandale, VA 22003. 703-941-6600.

Sherwood Communications Associates (various publications), POB 535, Southampton, PA 18966. 215-357-9065.

Teleconnect (modern telecommunications), 12 West 21 St., New York, NY 10011. 212-691-8215.

2600 (hacking), POB 752, Middle Island, NY 11953.

Books

Barbara Rowan has compiled an excellent reference, entitled "Handbook on State Laws Regarding Secretly Recording Your Own Conversations". $20 from Independent Hill Press, 105 South Alfred St., Alexandria, VA 22314. There are periodic updates.

March, 1988

COMPUTER CRIME

Yes, it does exist; it does cause problems -- of varying magnitude. Let's consider some of the various activities that we have knowledge of.

First, we should consider those petty crimes by people who think that stealing from big organizations is not stealing. The crimes I'm thinking of are primarily those of theft of services through the use of someone else's telephone credit card number. Many, many long distance telephone calls are made this way. Many of the people who do this think it's not really theft because the phone company is so rich it doesn't know what to do with all of its money.
What they don't appreciate is that the phone companies never lose money; they just add onto their rates to cover the costs of these thefts. (But who can criticize the kids for such shallow thinking -- we have men who would be president who say that they are going to reduce our national debt without bothering the people by raising taxes on corporations. They don't realize that all of us will end up paying those high taxes because we'll have to pay more for goods and services from those firms.)

Then there are the activities which are childish pranks, taking advantage of the fact that most people/organizations are trusting. Children with computer ability, by accessing someone else's computer and leaving smart messages, perform the computer equivalent of the kid trick of putting salt in the sugar bowl or loosening the top on the pepper shaker in a restaurant.

Of course, there are also computer problems caused inadvertently. Maybe these should also be called crimes. I'm referring, for instance, to the virus experiment originated by some folks at MacMag. It seems they wanted to try out a virus so they planted one in several Macs in their office. This one was set to appear on March 2, and to display a personal message from their publisher. Well, they installed it in their Macs in December and by March 2 it had spread to thousands of Macs (and maybe into some commercial programs being offered for sale). In any event, on March 2 thousands of Mac computers displayed the message, "Richard Brandow, Publisher of MacMag, and its entire staff would like to take this opportunity to convey their Universal Peace Message to all Macintosh users around the world".

Last, but certainly not least, there are the serious crimes -- more than just vexations. Large amounts of money and property are being stolen. Data are being destroyed. We've all read horror stories about these.
Just one observation before we consider some specifics: the ones we've heard about are the failures; the successful computer thefts are still unknown to us. Some items in the news about some of those failures:

Computer Security Digest, April issue: "The security of computers and data communications systems is today largely non-existent, inadequate or outdated by new offensive techniques.

"Governmental agencies (federal, state and local) seem to have the loosest controls and the highest incident rate....

"Bell System Regionals are loaded with incidents.... The culprits aren't all teenagers or long haired hippies either. The new profile includes "mature" businessmen as well as the yuppie community."

Washington Post, April 18, 1988: Headline: "New "virus" Infects NASA Macintoshes" ".... numerous reports of a virus called Scores ...." "....200 to 400 Macintoshes in the agency's Washington area offices .... were infected by the virus."

Yes, it does exist. What can we do about it? Well, to start with, I suggest that we share information. I make this suggestion knowing that it contradicts what the Washington Post says is the philosophy of major corporations who want to keep a lid on countermeasures so that the other side won't find out what we're doing and react to combat our countermeasures. I don't think those people have enough respect for the capabilities of the other side. They are smart. They share information. We need to get smart. We need to share information.

As a start, if you're using a DOS computer and have downloaded programs from a BBS, check the date on your COMMAND.COM file. If it's recent, you have a problem. Data Processing and Computer Security, in its Winter '88 edition, says that there is a checking program called VI-RAID. This program will create a "Program Authentication Code" on all of your programs, and can then be used periodically to check to see if they have been altered. Available from Prime Factors, Inc., 1470 E. 20th Ave., Eugene, OR 97403. 503-345-4334. Anyone care to offer additional advice, or offer to provide service?

DONATIONS TO THE CAUSE

If you have any items of TSCM equipment that you no longer need, please consider donating them to the association. What we are most interested in are those things that you found really don't do what the seller said they would do. We'll test them and report on what they actually can accomplish. We're interested in the expensive items, of course, but we're also interested in the inexpensive ones. For example, the "Phone Tap Detector" advertised for $69.00 (plus $2.95 P&H) in the February, 88 issue of Popular Communications would seem to be an interesting item. If you bought one and found that it does not detect taps, why not send it along to us? Also, we're always looking for computers, modems, office equipment and furniture, and anything that might be useful. Certainly nobody around here is an expert on the tax laws, but the association is organized as a 501(c)(3) corporation (non-profit, educational) which should mean that you should be able to take some kind of a write off for any donation. Ask your tax lawyer or accountant, but keep us in mind. Thanks.

FEEDBACK

Ben Otano, Bill Parker, and Perry Myers requested the overseas travel tips mentioned in the last ComSec Letter, and Tom Campbell of Northrop and Perry Myers responded positively to our question about more technical content. Herb Greenberg sent us a copy of an article in Business / North Carolina which features reader Bob Grove, Editor of Monitoring Times. (In case you hadn't noticed before, we've often suggested that folks in the TSCM business could benefit from a lot of the material in this publication. Call 'em in Brasstown, NC.) We appreciate these letters, and especially appreciate the nice compliments that came with them. Thanks. And, we got the message. The response is for more technical content in these letters, so we'll start putting in more technical detail.

TSCM, WHAT IS IT?
Recently, we've read in two different publications that 90% of all TSCM "hits" are attributable to the physical search. That is so far off from our experience that we're inclined to believe that the statement is self-serving in the extreme. Probably the folks who tell you that don't have any modern technical equipment or any technical capability. Of course it could be that one of the authors is parroting the other. Come to think of it, his comments indicate a real lack of experience in real-world situations, so maybe he's an armchair quarterback. In any event, we feel obligated to comment based on our experience on real jobs.

No amount of physical search would have found the speaker of the old speakerphone connected to spare conductors in the 50-conductor cable. How about the carbon microphone connected to a spare pair in the conference room phone; do you think physical search would have found that? Of course, if you have RF-calibrated eyeballs, you can see the radio transmitter emanations at 100 plus MHz, and the 200 KHz carrier current transmissions. C'mon! Be serious.

Although there is no question that physical search has its place, it is only occasionally the most important part of the TSCM job. In an old multi-tenant office building, it really is important and time consuming. There have been jobs when it was the most meaningful segment of our procedure. For instance, we wouldn't have detected the evidence of the tap on Bob Hay's home telephone without it, but most of the communications compromises that we've found were found through the use of modern instrumentation. No matter how thorough your physical search, you'll never see any RF, and you'll probably never see any of the modifications to telephones that can be detected easily with simple technical tests with modern equipment.

Another idea: the people who say that physical search is the most important part of TSCM might just be the people to whom show is more important than substance.
Certainly the client will be impressed by a lot of activity, even if the hustle and bustle is useless, as the standard physical search is in many TSCM jobs.

April, 1988

MODERN PHONE SYSTEM VULNERABILITIES

Background

The basic message is: The bad guys are smart. They are goal oriented. They communicate. If there are vulnerabilities, they'll take advantage of them while the good guys have their heads in the sand (or stuck up in the air). The good guys must communicate. Don't be afraid that you'll teach them new tricks -- they already know all the tricks.

We've frequently talked about and written about potential weaknesses in modern telephone systems, but our feelings were just that, feelings. We felt that some of the systems could be taken advantage of based on sketchy technical details, but now we've begun to receive good information from several different sources. So let's look at some specific experiences.

Experiences, DISA

In order not to embarrass any of the people or companies who have provided the details, we're not going to identify them; but what follows is real. Take heed.

A company (composite, for the sake of this article) which has one of the (early) modern telephone systems had DISA (or some variant thereof) for the convenience of their salesmen. To use DISA (Direct Inward System Access) a salesman would call the PBX and use a four-digit code number for identification. The system would then connect him to a trunk, and he would be able to make his calls. Some time after the system had been put into operation, the company noticed that their telephone bills were suddenly full of off-hours, long, and expensive calls to a lot of numbers in Latin America. They concluded that someone had learned how to use their system, and was abusing it. Their first reaction to try to protect themselves was to change to a six-digit code. Not even as effective as a finger in the dike; each monthly bill still contained thousands of dollars in charges for calls to Latin America.
Their next step was to contact AT&T, and ask for protection. AT&T investigated and determined that the calls were originating in upper Manhattan. However, the exact source was not determined because the calls stopped coming. That may sound like a happy ending, but it isn't really. It's actually one of those inconclusive terminations that leaves everyone hanging.

In that company's case, they finally realized that the people making calls through their system were not individual hackers; they were big business. That's right. Their conclusion was that drug dealers had set up a communications business so that their calls could not be traced back to them. The reason that the company was no longer used is that they cut back on the number of trunks available to only two or three, and the druggies could not make the volume of calls that they required through only a few trunks. It's our guess that they have moved on to another company that has enough trunks, so that they don't have the operational problem of keeping track of several systems with different passwords, etc. It's so much simpler to deal with only one system at a time, and we're sure that they are now concentrating on another company and that that company is being taken advantage of in a big way.

Experiences, Remote Diagnostics

In addition to using DISA to steal service, some of the service stealers are using the built-in maintenance facility. They dial in to the PBX's computer, and access the remote diagnostic capability, where, by use of the proper signals, they can access trunks. One security director said that they had put a recorder on, and heard a tone burst on the incoming call, followed by dial tone on the outgoing trunk. Checking with some folks who install such systems, we find that this is certainly possible on some of the most modern systems.

The Real Threat

Both DISA and remote diagnostic capabilities are currently being used to steal service from a lot of businesses.
But it's only money that's being stolen. Egad! Did Ross, the Scotsman, say it's only money being stolen? Yup. He said it. He said it because he thinks something much more valuable can be stolen, and probably is being stolen even as you read this. That more valuable property is information. If the bad guys have figured out how to enter and manipulate these systems, they must have learned how to use their knowledge for eavesdropping.

What Can You Do about Long Distance Theft?

Well, first read your phone bills. Do you have any excess charges? If so, are they for calls to Latin America? If so, you have probably been the target of the druggies. However, don't be embarrassed and don't despair. If your company has been victimized, don't feel too bad. We've heard that the MCI sales offices in Phoenix and Denver were hit -- bad. And MCI is a company that knows communications inside and out -- but they got burned.

Also, keep in mind that the druggies are smart. They're not going to continue to use the same company's lines until the authorities find them. Their objective is to hide from authority, so they'll move on within a month or so. However, they may cycle back, so it's a good idea to monitor activity on your trunks after hours. Don't wait for the bill to come in. Get some automated equipment that prints out line activity. (Radio Shack has a dandy DNR (dialed number recorder) that they call the CPA-1000 and sell it for $99.95.)

What Do We Plan to Do about Eavesdropping Vulnerabilities?

Unless one of our wonderful readers has already done it and sends us a copy, we plan to do a survey of modern telephone systems from Merlin to Dimension and Horizon, and on up from there. We've heard that the CIA has already done it, but we don't have access to their report (nor to such vast resources!), so we'll just have to grind away at it. This is not the kind of a project that gets accomplished overnight, so don't stand by your mailbox looking for an announcement.
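The trunk review recommended under "What Can You Do about Long Distance Theft?" above, as an added example that is not part of the original letter: it reads a few constructed call records of the kind a dialed number recorder or PBX call log would produce, flags the off-hours, long, expensive and Latin American calls the DISA story describes, and totals the flagged charges per trunk for comparison against the monthly bill. The record layout, the business-hours window and the country-code list are assumptions made for this example.

```python
"""Review PBX call records for the billing pattern described above:
off-hours, long, expensive calls to Latin American numbers.  The record
layout, the business-hours window and the country-code list are assumptions
made for this example; the sample records below are constructed."""
from dataclasses import dataclass
from datetime import datetime

# Assumed subset of international country codes reached by dialing 011 from
# North America.  Extend it to match the destinations your business never calls.
LATIN_AMERICA_CC = {"52": "Mexico", "57": "Colombia", "58": "Venezuela",
                    "51": "Peru", "591": "Bolivia", "593": "Ecuador"}
BUSINESS_HOURS = (8, 18)   # assumed 08:00-18:00 local, Monday to Friday
LONG_CALL_MIN = 30         # minutes; "long" threshold, assumed
EXPENSIVE_USD = 10.0       # per-call cost; "expensive" threshold, assumed

# Constructed records: "YYYY-MM-DD HH:MM trunk dialed-digits minutes cost"
SAMPLE_CDR = [
    "1988-03-14 10:15 T01 12125551234 4 0.80",        # weekday, domestic
    "1988-03-14 23:40 T02 011525512345678 52 38.50",  # late night, Mexico
    "1988-03-15 02:10 T02 011571234567 45 31.20",     # 2 AM, Colombia
    "1988-03-15 14:30 T01 011525598765432 6 4.10",    # daytime, Mexico
    "1988-03-16 09:00 T01 13015551212 3 0.40",        # weekday, domestic
    "1988-03-19 21:05 T03 13015551212 65 12.00",      # Saturday night, domestic
]


@dataclass
class CallRecord:
    start: datetime
    trunk: str
    dialed: str
    minutes: int
    cost: float


def parse_record(line):
    """Parse one whitespace-separated record in the assumed layout."""
    date, time, trunk, dialed, minutes, cost = line.split()
    return CallRecord(datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M"),
                      trunk, dialed, int(minutes), float(cost))


def destination_country(dialed):
    """Name the Latin American country for an 011-prefixed number, else None."""
    if not dialed.startswith("011"):
        return None
    rest = dialed[3:]
    for length in (3, 2, 1):          # try the longest country code first
        if rest[:length] in LATIN_AMERICA_CC:
            return LATIN_AMERICA_CC[rest[:length]]
    return None


def after_hours(when):
    """True on weekends or outside the assumed business-hours window."""
    start, end = BUSINESS_HOURS
    return when.weekday() >= 5 or not (start <= when.hour < end)


def flag_call(rec):
    """Return the list of reasons a call stands out (empty if none)."""
    reasons = []
    if after_hours(rec.start):
        reasons.append("after-hours")
    if rec.minutes >= LONG_CALL_MIN:
        reasons.append("long")
    if rec.cost >= EXPENSIVE_USD:
        reasons.append("expensive")
    country = destination_country(rec.dialed)
    if country:
        reasons.append(f"Latin America ({country})")
    return reasons


def review_bill(lines):
    """Return (flagged, excess_by_trunk).  A call is flagged when it goes to
    Latin America at any hour, or when it is after-hours and also long or
    expensive.  excess_by_trunk sums the flagged charges per trunk, which is
    the figure to compare against the monthly bill."""
    flagged, excess = [], {}
    for line in lines:
        rec = parse_record(line)
        reasons = flag_call(rec)
        latam = any(r.startswith("Latin America") for r in reasons)
        if latam or ("after-hours" in reasons and len(reasons) >= 2):
            flagged.append((rec, reasons))
            excess[rec.trunk] = round(excess.get(rec.trunk, 0.0) + rec.cost, 2)
    return flagged, excess


if __name__ == "__main__":
    flagged, excess = review_bill(SAMPLE_CDR)
    for rec, reasons in flagged:
        print(f"{rec.start:%Y-%m-%d %H:%M} {rec.trunk} {rec.dialed}: "
              + ", ".join(reasons))
    print("excess charges by trunk:", excess)
```

Run against a real call log, the interesting output is a trunk whose after-hours total keeps climbing from one week to the next, since the letter notes the abusers move on and cycle back rather than stop.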
While we're at it, though, we'd like to hear from anyone who has specifics relating to any system. And, of course, if you want to call to compare notes, we'd be glad to hear from you at any time.

MODERN TELEPHONE SYSTEMS INVULNERABILITIES

Well, the news is not all bad. Some of the telephone systems that we've been exposed to recently are really quite secure. Some are unbelievably insecure, yes; but some are quite good.

First, some of the modern PBXs select an outgoing trunk for the caller. That means that if you want to tap phone calls by a specific person, you have to tap all lines and monitor all calls, and turn on the recorder when you hear the voice of the target. The only way around this is to secure access to the premises and put the tap in behind the switchboard. That is possible, of course, but it adds a level of complexity to the tapper's problem.

Then, there are the systems that are almost immune to bugging. Coupled with a good physical security program, they are nearly 100% immune. For instance, we were recently doing the standard test for a series parasite by flashing the hookswitch while tuning through the spectrum. After about ten flashes, the computer showed the phone "busy". Apparently, it took so many interruptions as a sign of a malfunction, so it busied the phone out. Ross figured he could reactivate it by disconnecting and reconnecting the feed, but that made the phone go completely dead. So what we had was a phone that is nearly immune to bugging. If a bugger had worked on one of these phones, the system or the phone would have provided evidence that it had been worked on. We've heard that some systems will recover from faults by turning the computer's power off and back on again. This is where your physical security program will provide protection, first by locking the area, and second by monitoring access.

TAP DETECTORS AND THE SHARPER IMAGE

In our January issue we ran a copy of a letter to Richard Thalheimer of The Sharper Image.
The letter advised him that the tap detector that he was touting would not detect even a simple tap, and that he might get himself sued by someone who depended on his tap detector to protect his privacy. Well, the first response was from a TSI buyer who said that sales weren't going so well anyway, so maybe they'd drop the item. Now comes the latest issue of their catalog, and, you guessed it, they're still saying "you can guard the privacy of your line..." So it seems that they simply don't care what they say. Anything to make a sale. Oh well.

THAT LIFE FORCE CATALOG

Wow! Super slick. Full of pictures of handsome men and beautiful women. Some catalog, until you begin to read what it says. How about "most unique" for an interesting variation on English? On one page we read that the Research Electronics voice scrambler is "THE MOST SECURE VOICE PRIVACY DEVICE IN THE WORLD". Now, it might be good. Can't say; never tested it. But we know for sure that it is not the most secure device in the world. On page 4 they also show a fellow listening through a wall with a device they sell, and they even advise you to check 18 USC 2511 before you use it. I wonder why they didn't read that law themselves; it makes printing that ad a federal felony. Oh well.

May, 1988

MEMBERSHIP MEETING

You are reminded of the membership meeting scheduled for July 23 at the Twin Bridges Marriott in Arlington, VA. We've planned a little time for an informal get-together with coffee and sweet rolls and toast at 9 AM. The meeting will start at 10. If you can make it, call as soon as possible -- we're buying lunch, and the hotel needs a count. So far the response has been encouraging, so let's consider some of what we need to accomplish in the near future.

Annual Meeting. We've been looking for a place to hold our second "annual" meeting (our first was in 1985). This time we have a contract with a meeting organizer who won't try to remake our plans for our conferences.
All of the logistical details will be handled by him, and all exhibitor affairs will be his responsibility. We'll put together the details of the conference, and he'll take care of the promotion, advertising, registration, etc.

Local Chapter Organization. This should be one of our top priorities. Maybe the DC-area members can set the rules, organize, and become the lead chapter in setting up our national meeting later this year.

Bylaws. We have some very simple bylaws. At this meeting I hope that we can appoint someone to flesh them out for presentation at our annual meeting. Also, someone has to do the paperwork to get us recognized as a bona fide non-profit organization.

Nomination of New Board Members. At present we have authorized a board of five members. One of the members has departed, so we have a current opening for one person. If the Bylaws are approved, this will be a bona fide meeting of the association, and we'll be able to elect a new board member immediately. It has been planned to expand the board membership to seven or nine, and this can be decided at this meeting. Nominations will then be sought from all members by mail, with the election to be conducted by mail before the annual meeting.

Appointment of Committee Chairmen. There are many functions that need leadership. At the top of the list is membership affairs. As I see it, this relates to both membership benefits and to recruiting. In my mind, they seem to go hand in hand. The future of this organization depends on having an effective membership program. We have to have suitable benefits to attract and hold members.

Corporate Membership Changes. I plan to ask the board to change our corporate membership structure to make it similar to that of the American Defense Preparedness Association. Specifically, I propose that we leave the annual dues at $150, but that the corporation can name five individuals who will have full voting rights.

ComSec Letter Subscriptions.
I plan to ask the board to authorize subscriptions to the ComSec Letter @ $25 per year (ten issues). This should make it easier for some to afford, and will allow libraries, etc. to subscribe without having to pay individual dues.

B & E: A to Z

With a title like that this video has to be good. (In case you're not familiar with the jargon, the subject is breaking and entering -- in fact, the subtitle is "How to get in anywhere, anytime".) Just how good it really is depends on your point of view. I watched it mostly on fast forward because I'm not really interested in developing a new skill, especially a skill that would normally be used in the commission of a crime. If you want to learn how to break in through a locked door, this probably will be very good for you. On the other hand, if you are already accomplished in this field, you don't need this video. Is it worth the price? Yes, emphatically. Even though I skipped most of it, I was immensely impressed by demonstrations which show how very vulnerable we all are. Further, it is especially chilling when you realize that the person who had no trouble defeating all kinds of locks seemed to be not too experienced at the business. In any event, you should look at it if only to increase your awareness of how flimsy most physical barriers really are. Available @ $99.95 from CEP, POB 865, Boulder, CO 80306. 303-443-2294.

WINKLEMANN, AGAIN

Wow! It seems that there are quite a few people who are glad to hear that this company is alive again in the USA. We've heard that someone in Florida bought the US rights or franchise, and there are some people who would like to get more specific details. Please call if you have any information.

BBS COMING

Member Ned Holderby has volunteered to start a computer bulletin board system for members and others. Non-member callers will be restricted to information about the association and its benefits, and maybe some message service.
Members will have access to all of the stored information including back issues of the ComSec Letter, members' names and addresses (except those who have instructed us not to list their names), a message service to leave questions or messages for all or any specified member, etc. Also, membership records can be maintained in one place, getting rid of some of the confusion that resulted from our changes in the past.

IN THE MAIL

Bill Ranson, of Richmond, VA, sent us some interesting comments. He starts by saying that our segment last month, Modern Telephone System In-Vulnerabilities, whetted his appetite but didn't give him anything to chew on. He's right, of course. We noted elsewhere in that same letter that we're busy collecting information on vulnerabilities, and we should have said that we are also collecting information on invulnerabilities. This effort will be reported on as it progresses (see the segment Northern Telecom SL-1 Meridian in this issue). Bill also volunteers to provide information on equipment that he has tested, and to test equipment that is provided to the association for that purpose. Bill, I hope that you can make it to the meeting on the 23rd. Lee Binette is planning to be there to suggest that the ComSec Association start just such a program. Maybe you two can get it going, and we'll see that test results get passed on to members, either through this letter or through our BBS.

WORDPERFECT 5.0

Well, the new version of WordPerfect has finally arrived, and we have it installed in our new (IBM XT clone) computer. Strange, though. The old version of WP recognized our QMS KISS laser printer and the new version never heard of it. However, the factory has sent us a series of updated diskettes, and our printer is back among the living (except that WP can no longer draw lines). If all goes well and the old man learns how to manage the new program, you'll soon see changes in the format, layout, etc. of this letter.
(You might have noticed that the title of the letter is bigger this issue, and we've put a box around the date line, and we've even included a drawing of your editor with a smile on his face. We tried to place the clip art in the center of the page, but for some reason WordPerfect won't do that for us. Yet.) Our plans also include upgrading to full desk-top publishing capability. It'll all come in due course. Although we'd like to do everything at once, the budget limits our speed, as does this old guy's ability to learn all this new stuff. So, there really is some hope for a fancier letter. Don't despair. We may move slowly, but we know where we want to go and we are determined to get there. Next, we plan to acquire a scanner so we can show pictures of some of the finds in our TSCM work. After that comes a better laser printer so we can do the whole desk-top publishing thing. If you have any ideas about upgrading this letter, your editor would really like to hear from you. I'm proposing several ideas at our membership meeting to enlarge the association and the readership of this letter. If we can get a bigger readership, we'll be able to sell some advertising in the letter. What do you think about that?

NORTHERN TELECOM SL-1 MERIDIAN

This is a system that we'll wholeheartedly recommend from a security point of view. We also hear very good reports about its reliability, but let's consider bugs and taps.

First, bugs. The SL-1 Meridian, coupled with a good physical access control system, is my number one choice as an anti-bug telephone. Why? Well, if you are going to modify a phone to make it into a room bug, you're going to disconnect the phone from the feed. In the SL-1 Meridian system, as soon as a phone is disconnected, it is locked out of the system until the system is reset at the computer -- that's where the good physical security program is important.
Simply put, if you have this system, and the boss finds his phone inoperative on Monday morning, you know that you have a problem.

Now let's consider taps. If your mission is to tap the phone calls of Mr. X, you simply have to connect to the wires that carry his calls. However, this system pumps calls out on a T-1 span. That means that you need the equipment to break out the 24 channels, and you have to listen to all channels for Mr. X's voice. Next to impossible for any but the most sophisticated tapper with lots of clout, money, and technical capability.

Because of these characteristics, I rate this system #1 for security. There may be others just as good or better, but we haven't checked them all out yet. You'll hear more as we progress.

June/July, 1988

SURVEILLANCE EXPO 88 (89?)

Surveillance Expo will be sponsored by the ComSec Association and will take place in the Washington, DC area in conjunction with our next membership meeting. As you read this, volunteers are looking for space for a meeting late this year, but finding a site is proving to be a real problem and we may have to reschedule to some time next year when appropriate space will be available. The meetings are being planned for the DC area because that's where the volunteer workers are. To those members who have been asking for a meeting in other areas we say, "Have at it. We'll cooperate in any way." However, those of us working here can barely handle the details of one meeting, let alone two.

NEW BOARD OF DIRECTORS

At the membership meeting held on July 23, 1988, it was decided to expand the board to seven members, and an election was held to fill the four vacancies. Joining Chuck Doan, Jim Ross, and Ken Taylor on the board are: Mike Brumbaugh, Jack Mogus, John Nolan, and Charles S. (Slick) Poteat.
BOARD MEMBER FUNCTIONS

Although not all members have been formally elected to specific offices, the board members in the DC area have begun to work on projects as follows: Mike Brumbaugh has been keeping minutes of each meeting; Chuck Doan is VP, Finance; Jack Mogus is working on membership programs and will be responsible for all aspects of membership (keeping the list, recruiting, benefits, local chapter affairs, etc.); John Nolan is in charge of all aspects of organizing the upcoming Surveillance Expos and annual membership meetings; Slick Poteat is developing a system for collecting information on the equipment used and qualifications of our members who work in TSCM; Jim Ross is still president, but has announced that he will run for chairman at the next membership meeting so that someone else can move into the president's slot and lead the association through its critical growth stage.

HITS

From time to time we pass along information regarding hits (communications compromises) found by our members. In this issue we'll detail some of those and also two interesting vulnerabilities (Vantage phone and common wall). In future issues we'll provide details on other vulnerabilities and some communication compromises that are simple to implement. As usual, you are invited to send along information that you think would be of value to members.

Jack Mogus has had two occasions to look closely at a 66 connecting block for one of his clients. On the first occasion he found a home-built radio transmitter, and on the second he found a tap connected to a pair that led out of the building. (As soon as we learn how to use our new scanner with our computer and laser printer, we'll provide pictures of this find and any others that we receive.)

Doug Ralph, in Canada, has been having a very busy year, and reports two interesting finds. First, he was astounded to connect to the talk pair of an on-hook Northern Telecom Vantage series telephone and hear all of the room audio.
That's right, the microphone or speaker (of the speakerphone) of this instrument is connected to the talk pair when on hook, and all you need is an audio amplifier, connected through a blocking capacitor, and you have a first class bugging system in place.

Ralph's other report points up the importance of a thorough physical search. Under the conference table in a board room he found remnants of duct tape, which probably had fastened a tape recorder in place at one time. Way to go, Doug!

One contributor, who wishes to remain anonymous so that his company will not be embarrassed, reported an interesting find by his in-house telephone man. It seems that this young fellow normally used white wire ties in his work, and one day he noticed that someone else had been working in his territory. He tracked the strange wiring to a Radio Shack tape recorder controller (PN 43-236), and from there to a tape recorder. The CEO who heard his conversations on the tape was understandably in shock. Pictures of this installation will also be carried in a future letter.

Let's now look at the common wall problem. We're referring to multi-tenant office buildings with more than one tenant on one floor, so that there is a wall which is common to two different businesses. Most of the modern office construction that we've seen lately has office walls extending upward to the base of the floor above, which is as it should be for physical security. However, these walls, out of sight above the dropped ceiling, have large holes in them to allow for HVAC air flow, which is not how it should be for communications security. The next door neighbor need only stick his head above the dropped ceiling to hear what is going on in the adjoining office. Or, if he wants to get it all, he can use this access hole to plant a microphone and connect it to a tape recorder. This is a real vulnerability; look for it!
MEMBERSHIP RENEWALS

During the past year, we arranged for all memberships to expire at the same time, namely at the end of September. This will make it much easier to keep track, produce rosters, etc. At present we have many memberships expiring in September of this year, and more expiring in '89. Also, we have a handful of life memberships and a few corporate memberships. Anyway, this seems to be a good time to remind everyone of the options.

Individual professional life memberships are still available at $500. We've been told that this is too low a figure, so the board will be considering raising it soon.

The corporate membership picture has just changed to make it much more attractive for businesses to join. Each small business corporate member can name up to five individual members, each with full voting rights. The fee for this level of corporate membership is still $150 per year, so give this option some thought. If you plan on exhibiting at the upcoming Surveillance Expo, you'll more than recoup your dues in the reduced charges for exhibit space.

The date of membership expiration is printed at the end of the first line on your mailing label. If your membership expires September 30, 1988, a renewal form is enclosed with this letter. Please don't procrastinate. We're entering into our big growth year, and we need support from all of our old members.

LASER BEAM ON THE WINDOW. THREAT?

Kevin Murray has done a practical and thorough evaluation of the laser beam on the window threat. We don't have room for it in this issue, but we'll provide a full recounting of his evaluation in the next issue. It's a good piece of work and we're very pleased that he saw fit to share it with the membership. Thanks, Kevin. It's input like this that we're looking for to elevate the level of professionalism in TSCM practitioners.

COMSEC ASSOCIATION BBS

Ned Holderby advises that the board should be in operation by the third week in August. More information in the next issue.
MEMBERSHIP LIST

If you've struggled through with us, you'll recall that, after the first membership list, there has been a long break with no list. It's a long sad story, a story of the kind of problems that a new organization has when starting up. First, we had an outside firm maintaining the list, and that worked great but cost money. Then a member volunteered to maintain the list, notifying members when it was time to renew, etc. Unfortunately, he never notified a single member of lapsing membership, sometimes took months to deliver the mailing labels for this monthly newsletter, and lost many records. Finally, some volunteers had to put the list back into our old simple-minded labels program, which had no facility for printing out the list in a format that would be usable by the members.

Well, that should all be over soon. We have started using a much more sophisticated and powerful mailing list program in our business, and ordered a copy for Jack Mogus (who is responsible for all aspects of membership affairs). This program, Promark, will allow him to organize the membership list any way we want and to print it out in any format. Hang in.

August/September, 1988

SURVEILLANCE EXPO '89

As of the time this is written, we do not have a contract for space nor a contractor to manage the expo. John Nolan is working on it very hard, and we should have definite information by the time the next issue goes to press.

COMSEC ASSOCIATION BBS

Ned Holderby has set up a computer bulletin board for the association. The board has a two-fold mission: 1. a facility for members to exchange information, and 2. a source of information about the association for potential new members. Only members will have access to the various conference, message, and data file areas of the board. For example, we'll be putting all of the back issues of the ComSec Letter on the board (with topical information removed) so that all active members can browse, read, download, or whatever.
Members will have full access and non-members will be limited to reading information about the association. Caution! The board will be run and maintained in a professional and ethical manner. No games. No violations of copyrights. No foul language. I'm sure you understand and appreciate. At the time that this is composed, your editor has not yet been able to contact the board (Sorry, Ned.), but a list of members is on its way to him so he'll know who to allow onto the board. Our BBS number is 716-741-4245. I'll be leaving messages on the board for members from time to time, and I hope you'll take advantage of this facility.

LASER BEAM EAVESDROPPING

Kevin Murray has provided us with the results of his testing of laser beam eavesdropping systems. It is of intense interest to many, so we'll provide a reasonably complete summary in this letter. (If you want an original of his report, I'm sure he'll be pleased to oblige. Write him at Kevin D. Murray Associates, POB 5004, Clinton, NJ 08809 or call 800-635-0811.) Here's his report.

Laser Beam Eavesdropping Summary.

Does it exist? Yes. We designed, built, and tested a complete working system.
Does it work? Yes. The technique works very well under laboratory conditions.
Is it a threat? No. Due to operational limitations under field conditions, we are not reporting this as a threat to the majority of clients at this time.

Sci-Fi Bugs? Eavesdrop from afar, merely by pointing at a window. The idea is alluring to some, horrific to others. News media reports of just such a bugging device, based on laser beam technology, have been circulating for some time now. A litany of claims "...can hear from miles away..." and compound claims "...through closed windows...", culminates with the coda "No one is safe." Like the X-Ray vision glasses of comic book fame, the claims tend to become exaggerated. But, unlike the concept of X-Ray vision, laser listening can be accomplished with the right equipment and conditions.
A Century-Old Invention. April 26th, 1880 - Alexander Graham Bell & Sumner Tainter announce their invention - the Photophone. Sound transmitted on reflected light rays a distance of 213 meters. They also claim, "It can transmit songs with great clarity of tone." This is the forerunner of CD record players, fiber optic telephone transmission, and remote eavesdropping.

It's Greek to them, Diogenes. We researched this threat for our clients and heard much speculation from the pundits, conjecture from dilettantes, and hyperbole from the media. In most cases, the "experts" had never even seen a laser bug. They were running on grapevine knowledge.

We Built Our Own. Using assembly plans available to the general public, we built a laser receiving system (Radio-Electronics 10/87). For aiming and safety reasons, a visible laser beam was used in our tests (Spectra Physics Inc. - 10 mW linear Helium-Neon type). Additional experiments with optical processing and professional audio processing were conducted. These results, and allowances for more sophisticated receiver circuitry, were factored into our test results.

Physics 101 (Simplified.) Sound is transmitted by vibration. When you speak, you vibrate the air. The air, in turn, vibrates everything it contacts. Certain objects, e.g., windows and mirrors, pick up vibrations very easily. When a laser light beam hits such an object, it 'vibrates' also as it reflects and continues its trip. The reflected 'vibrating' beam can be received, electronically processed, and the audio listened to. Under controlled conditions, high quality audio can be recovered.

Physics 202 (The Real World.) Bouncing an invisible laser beam off a window, and attempting to catch the reflection, is a little like playing 3-D billiards, blindfolded. The fun increases exponentially with distance from the target. All sound will vibrate a window. This includes interior conversations as well as exterior noises (cars, trucks, birds, etc.)
Our audio laboratory processing equipment could attenuate this effect, to a degree. The rule of thumb seems to be, if the outside noise is as loud as the conversation, audio processing techniques are of marginal assistance. Reflecting a beam off interior objects helps reduce external sound. The beam, however, loses power with each pane of glass it passes through. This reduces effective working distances and increases the number of reflected beams with which one must cope. Thick glass and thermo-pane glass, as used in office buildings, do not conduct sound vibrations well.

Air thermals and wind disrupt laser beams. The greater the beam length, the greater the disruption. Wind blowing through a laser beam generates noise similar to the cacophony of 747 engines.

A laser beam (one powerful enough for professional eavesdropping) is the Neutron Bomb equivalent of a sharp stick in the eye. Both can blind you, but the laser leaves the eye standing. Blinding the subject of a surveillance is not the best way of assuring a continued stream of information while remaining unnoticed. We used safety goggles during our tests.

"There must be better ways to eavesdrop and spy", I hear you say. There are.

"Beat the Beam" Countermeasures Course. If you suspect a laser beam eavesdropping attempt is being made against you, use one of the following techniques:

Hold confidential conversations in a room without windows.
Place a radio against the window and close the drapes.
Install a white noise generator on the window pane.

In addition, do not discuss your suspicions in the sensitive area. Contact an independent information security consultant for additional assistance. Your problem is more extensive than you think.

-30-

MORE ON VIRUS PROTECTION

If you think you need protection from infection by a computer virus, RG Software Systems in Willow Grove, PA offers a program entitled "Disk Watcher V2.0".
According to RG's president, Raymond Glath, the program has been tested against the Lehigh University virus and "The Brain" at the University of Delaware. Please advise if you have any experience with this or any other anti-virus programs.

TELEPHONE SYSTEM INHERENT SECURITY

Recently in this letter we stated that a Northern Telecom SL-1 Meridian phone would be locked out until reset at the computer after being disconnected from the feed. Within a week after seeing that bit of advice go out to our members, we had an opportunity to work on such a system -- in fact, we worked on the system of the telephone person who had given us that information. What we discovered in handling the real thing is: 'tain't so. Some of the phones could be reconnected and were automatically reset. Some would not reset. One member advises that Northern Telecom Practice states that the M-2000 series phones must be off line for at least six seconds before being replugged. Another member advised that it is necessary to wait at least thirty seconds before attempting to reconnect. We don't have the total answer, but we know that what we said last month is not totally true. We were working on the M-3000 series -- the ones the client's users call the "Darth Vader" phones -- and we could not determine the pattern for which could be reset and which could not.

October, 1988

SURVEILLANCE EXPO '89

Well, there will be no annual membership meeting and expo until late '89. After the disappointment of being close but not being able to make it during '87 or '88, we were really counting on getting a show together early in '89. At the board meeting in July John Nolan of Advance Security took the ball, and it looked really promising. Unfortunately, John encountered insurmountable problems and resigned, so we're starting over -- again. (John, we thank you for the short time that you were able to serve on the board, and we wish you well in your other endeavors.) So where do we stand?
At the present time, Jim Ross is talking to meeting organizers. If we can find one who can do the job, the organizer and the association will make some money while putting on an expo that is badly needed by our members and by many people who have never heard of our organization. Bringing off a successful expo is extremely important, and we're determined to do it. Be advised: Jim Ross may become financially involved in backing this effort. He's stayed at arm's length to avoid charges of conflict of interest, but the organization needs this meeting and whatever it takes will be done.

SENSITIVE INFORMATION, HOLD BACK?

Recently Bob Grove, Editor of Monitoring Times, editorially raised the question of how sensitive information should be handled. That's a question that I am often asked, so let's consider it. The following material is a direct quote from the Foreword to Section I of the notebook that I have prepared for seminar participants, and it should give you a good idea as to your editor's point of view. As usual, your comments are encouraged.

"Before getting into the details of electronic eavesdropping, let's address a very important philosophical question.

"Much of the material to be covered during this seminar is considered very sensitive. In fact, there are some people who maintain that these topics should not be discussed at all. They complain that, by covering methods of electronic surveillance, we are 'teaching the bad guys how to do it'.

"Let us answer that comment with two facts. 1. The bad guys already know what they need to know to take advantage of the unsuspecting and naive people of this world. 2. Anyone who studies the basic theory of electronic communications will have no trouble understanding everything necessary to tap phones, bug rooms, etc. It is not complex.

"I believe that strength comes through knowledge, and the route to knowledge is communication.

"Communication, to be effective, must be open, straightforward, and complete.
"One principal objective of this course, then, is to cover the principal points regarding electronic surveillance because you need to understand those things in order to protect your privacy."

TWO MORE PHILOSOPHICAL QUESTIONS

As long as we have started down the philosophical route, let's go an additional step or two. Let's consider the questions of whether TSCM practitioners should screen their clients, and whether they should report their findings to law enforcement. We can't provide absolute answers, but we can provide some information on our own operation, and what has been told to us in the dozen years that we've been leading seminars.

Let's start with an easy one. We've been told (it has never happened on any of our jobs) that occasionally the security director who has contracted for TSCM service will ask that the contractor "find" something. (The idea is that if a dead radio transmitter is "found", he'll become a hero for ordering the service. And, of course, the TSCM service firm will become richer because it will be necessary to return frequently for additional work and maybe even do some of the other divisions of the company, etc.) The answer to that request is easy; it's "No!"

However, suppose that you are asked to work for a company that has been in the press because of being forced to sign consent decrees, etc.? Suppose that you have certain evidence that your client is under investigation by law enforcement? What do you do then? I can't tell you what to do, but I can tell you what we do in my company, and I can tell you the consensus of many discussions with many people in law enforcement and in TSCM.

In my company we will not hide evidence of a crime or participate in any activity which could be remotely considered obstruction of justice. However, we have worked for at least one company with a reputation for questionable business practices, and we have worked for clients who are under investigation.
The preceding two paragraphs may sound contradictory, but let's think about it. Does the fact that a company is under investigation mean that it is not entitled to seek professional help? After a lot of discussion with many seminar participants, we don't think that a person loses any rights by virtue of being under investigation. What do you think?

On the question of reporting our findings to law enforcement, let me make two points. First, this world that we live in is not like Hollywood. All loose ends are not tied up at the end of the job as they are at the end of the TV episode. Communication is not instantaneous and complete. Our conclusions are based on a lot of factors, and it is rare that we could present an absolute, no-question-about-it conclusion to any law enforcement agency.

Second, to whom do we report what? During the recent ASIS show in Boston, a visitor to the booth seemed shocked when we said that reporting findings to law enforcement was not required, expected, or done. He seemed to be of the opinion that we should use our time to report crimes to "the authorities". As he left the booth I realized that the picture essay displayed behind me would have been a very good case in point. We discovered a tap on the mayor's telephone which may or may not have been indicative that a crime had been committed. However, we would have been hard pressed if we had had to report it to law enforcement because there was good reason to believe that the tap was not court-authorized and had been placed by one or more members of the police department!

VULNERABILITIES (continued from an earlier issue)

In a recent issue of this letter we outlined some of the current vulnerabilities that we see in our professional practice of commercial technical surveillance countermeasures. Let's cover one which we think is very dangerous -- one that we've been warning clients about for years: the private line telephone, installed for "security".
How many times have you seen the CEO order a separate telephone line that does not go through the PBX? He thinks he's protecting himself from eavesdropping, but what he's really doing is making it very easy to identify the appropriate pair to tap. It's like hanging a sign on the pair, "TAP HERE!". We saw this in a now famous company (Wedtech) a couple of years ago, and we continue to see it. The latest example was on a "Hello" telephone in a government contractor's office. The phone was installed because there was so much sensitive information to be discussed, and it's called the "Hello" phone because that's the way it is answered -- in case somebody is listening.

One further thought on private line telephones. I've been telling people in the seminar for years that the best way to tap a phone is to call the phone company and order an extension. Of course, a private line phone is an ideal target for this kind of tap. (Recently, a man who had attended the seminar approached me and asked, "Do you remember what you said is the best way to tap a phone?" I said I remembered, and he smiled and said, "Well, it works!") It will not be successful every time, but, of all of the businesses in this world that must take orders by phone, the phone companies are at the top of the list.

If you think that you're safe because the number is not listed, or not published, or in any other way protected, you just don't appreciate the nature of free enterprise. ALL of those numbers are available. There are people in this country who can get the information for you. For example, I noticed on a recent trip to New York City that there was a light on early in the morning at the old address of a man who had stolen a lot of money from our company. So I called one of the information providers, gave him the address, and I had a full listing of everyone with telephone service at that address back in less than 24 hours.

So, if you or the CEO have had a private line installed, think again.
The single line phone is very vulnerable. If you have a good size operation, think seriously about a more secure installation such as the Northern Telecom SL-1 that we wrote about recently.

COMING SOON

Richard Paradis sent us a copy of a product announcement that was carried in, of all things, IEEE SPECTRUM. (That's the magazine that goes to all members of the Institute of Electrical and Electronics Engineers.) The headline was "A double whammy for eavesdroppers", and the notice touted a product that will advise you when your phone is tapped. Rich asked if we'd care to comment on this item for the benefit of the membership, and in a future issue we'll reprint the letter that we sent to the SPECTRUM editor.

Another member, Bill Ranson, sent us information on some of his activities and some interesting data sheets. Again, we'll have to wait till a future issue to cover these fascinating submissions due to lack of space.

Last, but certainly not least, Leo Hurley of Exxon provided us with excerpts from an article in Security Management (the one published by the National Foreman's Institute, not the one published by ASIS). In an article entitled "Sizing up Sweepers" Sam Daskam is quoted extensively, and Leo asked how I react to the quoted material. Well, Sam has many, many years of experience in this business and certainly should know whereof he speaks. (Of course, Sam worked for Mason for 15 or 16 years before starting his present business, so he is probably heavily oriented toward government-to-government threats.) However, if he is quoted accurately, I'm shocked, and I'll explain why in a future issue.

November, 1988

SURVEILLANCE EXPO '89

As we reported in the last letter, the expo that we were planning for February is off. The earliest that we can hope for is the fall of '89. If you are interested in participating in any way, please contact Jim Ross.
TELE-PRIVACY GUARD

Richard Paradis sent along a copy of a notice in, of all things, IEEE SPECTRUM, one of the publications that goes to all members of The Institute of Electrical and Electronics Engineers. The notice that caught his eye was headlined "A Double Whammy for Eavesdroppers", and Rich wrote to ask if I would comment on this for the members of the ComSec Association. Thanks Rich, and the text of the letter which I had already mailed to the editor of SPECTRUM follows.

(By the way, they have never responded in any way. I wonder if that is because they are looking for an engineer to check my comments for accuracy, or because they were embarrassed and consigned the letter to file 13 without any consideration of its merit.)

(I really think IEEE should ensure that technical information mailed to members is correct, and I wonder how I can influence them to hire some engineers. Maybe I'll send a marked copy of this issue to the president of the IEEE; that should get some response.)

(Note. The following letter was sent by Jim Ross on Ross Engineering, Inc. letterhead to the editor of IEEE SPECTRUM on June 6, 1988.)

Dear Mr. Christianson:

This relates to your editorial "About Professionalism", and the segment in the same issue (June) entitled "A Double Whammy for Eavesdroppers".

First, let me express a thought regarding the definition of professionalism. In the simplest sense, I think a professional is someone who is paid to do something that others might do for nothing. For example, a cab driver is a professional, and one would expect that he would be a more proficient driver than you or I. That's certainly not always true, but it remains a reasonable expectation.

So let's move along to writing. Those of us who write professionally, in general, should be better at the craft than others. I think that professional writers should be especially careful about how they use words, their basic, elemental tools for communicating with their audience.

Ah yes, the audience.
If the professional writer's audience is, let's say, a group of engineers, isn't it reasonable to expect that the words used to communicate with them will be the technical terms that have precise meanings in their specialty, and that the information will be technically correct?

Now that I have gone through all of that preamble, let me get to the reason for this letter. The technical content of SPECTRUM is usually so good that I was astounded to read the segment regarding eavesdroppers. It is so wrong, so confusing, so muddled, and so badly worded that its author and all of the editors at SPECTRUM should be blushing until you have atoned for this muddled miasma. (This current piece of misinformation follows close on the heels of an article in the April issue in which you assert "for a mere $49" you can buy a device that will "detect small changes in line impedance" and notify the user of a telephone line tap.)

Let me be agonizingly specific -- and your audience is electrical engineers so we'll use engineering terms. In analyzing "Eavesdroppers' Whammy" I'm going to quote specific sentences out of what you presented, and comment on each one.

Quote #1

"About $50 buys you any of several commercial devices said to prevent a tap or unauthorized person from listening in on your telephone calls."

Comment #1

This sentence is correct, but you must pay careful attention to the words "said to prevent a tap". Many people offer equipment that they say will detect taps on phone lines. The kind of people who sell such devices are the same kind of people who sell nostrums to grow hair on bald heads, and diet pills that melt away the fat. None of them will detect even a simple tap made out of $2.00 worth of parts (at retail). By the way, there are also tap detectors sold for as much as $62,500.00 which also cannot detect the $2.00 tap.
Quote #2

"This kind of device usually drops the phone's 50 volt on-hook voltage to about 18 volts instead of the normal 12-15 V whenever you lift the receiver."

Comment #2

All wrong, except that the usual on-hook voltage in this country is 50 V. (Although there are many PBXs (private exchanges) that operate on different on-hook voltages.)

First, you say that off-hook voltage is normally 12-15 V. Well, on hundreds of real telephone systems I have measured off-hook voltage as low as 2 V and as high as 30 V. The most common is about 8 V, but there is no norm that can be counted on.

Second, you assert that when I tap the phone line, it will cause the off-hook voltage to increase by about 50%. Wow! When I tap the phone line, you'll see no change in either on-hook or off-hook voltage. My tapping equipment (all $2.00 worth) does not affect the line in any way that can be detected electronically. There is no measurable change in line voltage because I am not loading the line at all. As a matter of fact, we have even run tap-detection tests with a time domain reflectometer (TDR). The engineers and technicians who participated in the tests were very experienced with the TDR, and they were never able to tell when my tap was on-line or off-line.

Quote #3

"As a result, the impedances of your phone and the tap should not match and your phone should go dead."

Comment #3

Huh? Look. The standard telephone presents almost pure resistance to the line. It is, after all, operating in a DC circuit -- just direct current running through it while it's in operation. That resistance is on the order of 600 to 900 ohms in most old sets. My tap, on the other hand, uses a blocking capacitor so that the impedance seen by the DC circuit has essentially infinite magnitude. While in operation, the old-fashioned (carbon microphone) telephone voltage varies by one or two volts -- sometimes more.
My tap will be taking picowatts of power off of the phone line and will not cause the DC voltage to vary by even one one-thousandth of a volt. Your assertion that my tap will cause the off-hook voltage to be unusually high makes no sense whatsoever. Nor does your declaration that if the tap impedance and phone impedance don't match, the phone will go dead. When I tap a phone line, I am deliberately creating the biggest impedance mismatch possible -- and, believe me, the phone doesn't go dead.

Final Comment

The SCR device described will prevent someone from listening on an extension phone, but there have been similar devices sold for many years for a few dollars. The sellers of the earlier devices never made any money for a simple reason. When an extension telephone goes off hook, there is a discernible difference in sound level (about 3 dB or half power), so why would anyone pay for a circuit to do what your own senses do for you?

Sincerely,

James A. Ross
President

P.S. By the way, technical surveillance countermeasures (TSCM) is our business. If you ever need consultation (a limited amount free) in this field, please call. We'll try to help you sort the wheat from the chaff in the press releases that you receive in this very specialized field.

(Quoted above is the entire text of the letter that your editor sent to the editor of IEEE SPECTRUM. If there is EVER any response, you'll be advised.)

AT&T TRAINING PROGRAMS

Just received: AT&T catalogs of training programs. For copies, or to inquire about training schedules, call 800-554-6400.

COMMUNICATIONS HANDBOOKS AND PUBLICATIONS

Here's another good source of good information. For a listing of available handbooks and other publications, contact either Chuck Firnsin (312-681-7483) or R.L. Grabo (312-681-7479) at:

GTE Communications Systems Corp.
400 North Wolf Rd.
Northlake, IL 60164

When you write or call, please mention the ComSec Letter.
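To put numbers behind Comments #2 and #3 of the SPECTRUM letter above, here is an added DC-loop model (not from the letter or this newsletter, and not a description of any real product) of what a device that judges "tapped" from line voltage can and cannot see. The battery voltage, loop resistance, set resistance and detector thresholds are constructed values chosen to land near the 8 V off-hook figure the letter calls most common.

```python
# Added example, not from the letter or the newsletter: a DC model of a
# telephone loop and of a detector that judges "tapped" from line voltage.
# All component values and thresholds below are constructed assumptions.
from dataclasses import dataclass
from typing import Optional


@dataclass
class Loop:
    battery_v: float   # switch battery, i.e. the on-hook voltage across the pair
    feed_ohms: float   # series resistance of the pair plus the switch feed
    set_ohms: float    # DC resistance of the telephone set when off hook


def off_hook_voltage(loop: Loop, bridge_dc_ohms: Optional[float] = None) -> float:
    """Voltage across the set with the handset lifted.

    bridge_dc_ohms is the DC resistance of anything bridged across the pair.
    None means nothing is bridged.  A device isolated by a blocking capacitor
    has infinite DC resistance, so it is indistinguishable from None here."""
    load = loop.set_ohms
    if bridge_dc_ohms is not None and bridge_dc_ohms != float("inf"):
        # A resistive bridge sits in parallel with the set and lowers the
        # voltage (it loads the line); it does not raise it.
        load = 1.0 / (1.0 / loop.set_ohms + 1.0 / bridge_dc_ohms)
    return loop.battery_v * load / (loop.feed_ohms + load)


def fixed_window_detector(off_hook_v: float) -> str:
    """The SPECTRUM item's premise: 12-15 V off hook is 'normal',
    anything else means a tap."""
    return "SECURE" if 12.0 <= off_hook_v <= 15.0 else "TAPPED"


def calibrated_detector(baseline_v: float, measured_v: float, tol_v: float = 1.0) -> str:
    """A more generous design: learn this line's own off-hook voltage
    first, then flag any later shift larger than tol_v."""
    return "TAPPED" if abs(measured_v - baseline_v) > tol_v else "SECURE"


def run_scenarios() -> dict:
    # Constructed loop giving roughly the 8 V off-hook figure the letter
    # calls most common.
    loop = Loop(battery_v=50.0, feed_ohms=3500.0, set_ohms=700.0)
    baseline = off_hook_voltage(loop)
    return {
        # An untapped line that simply does not sit in the 12-15 V window:
        # the fixed-window design raises a false alarm.
        "fixed window, untapped line": fixed_window_detector(baseline),
        "calibrated, untapped line": calibrated_detector(baseline, off_hook_voltage(loop)),
        # A crude 2 kohm resistive bridge does load the line and is seen.
        "calibrated, 2 kohm resistive bridge": calibrated_detector(
            baseline, off_hook_voltage(loop, 2000.0)),
        # A capacitor-isolated bridge leaves the DC voltage untouched, so a
        # voltage measurement carries no information about it at all.
        "calibrated, capacitor-isolated bridge": calibrated_detector(
            baseline, off_hook_voltage(loop, float("inf"))),
    }


if __name__ == "__main__":
    for scenario, verdict in run_scenarios().items():
        print(f"{scenario:40s} -> {verdict}")
```

The last scenario is the letter's point in one line: whatever the threshold, the measured voltage with the capacitor-isolated bridge is bit-for-bit the untapped value.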
December, 1988

DISA

In case you didn't appreciate the message in our April issue, I'll try again: If your switch offers DISA (Direct Inward System Access), you are in jeopardy! You may soon join the ranks of companies that have been ripped off.

Do not jump to the conclusion that I'm warning that some hackers might make some long distance calls on your lines. Yes, hackers are a nettlesome problem. When they discover a DISA route (they call them "extenders" so it doesn't sound like stealing), they pass the word around and your phone bill will suffer. Yes, they can run up your phone bill, and you'll have to pay it. However, the people I am referring to are organized, and they are probably drug dealers, and they make a lot of calls.

As I write this I am looking at a printout of calls made through one company's DISA capability: 27 pages with 51 entries per page. In eight days $51,624.36 worth of calls were made on four trunks to numbers in Pakistan. I repeat: in eight days $51,624.36 worth of overseas calls were made through this company's DISA facility. The people at this company were smart; they detected the theft rapidly, and put a stop to it rapidly. If they had learned of the abuse only after receiving the bill, it could have been a quarter of a million dollars!

If your switch offers DISA, you are in jeopardy! In our next issue we'll include more detail on this situation. Stay tuned!

NYQUIST vs. NYQUIL

Most folks have heard of Nyquil, but sniffling and sneezing bear little relationship to TSCM. Nyquist, on the other hand, is important in modern communications; and, if you haven't heard of it, here's your introduction to the Nyquist Criterion. It relates to the conversion of analog signals to digital, with an eye toward later reconstructing (D to A) a replica of the original signal. As usual with history questions, I don't remember the man's full name, or country, or when he lived.
However, I do remember his premise: the Nyquist Criterion (widely used but unproved mathematically, I believe) states that, in sampling an analog signal in the time domain, one should use a sampling rate of at least two times the highest frequency in the signal in order to prevent aliasing. For example, if the highest frequency is 1,000 Hz, it should be sampled more than 2,000 times per second.

Before explaining what that means in practical terms, let me point out that the terminology definitely proves that engineers and/or mathematicians can invent crazy words just as the bureaucrats do. (The other day I heard a bureaucrat say that airlines reduce fares on some routes to "incentify" customers to use those routes. Wow!) "Aliasing" is a word that was coined to describe what happens when an analog signal has been sampled at too low a rate, and the A-to-D and D-to-A process has rebuilt a signal that is unlike the original signal, an "alias" of the original.

The Nyquist Criterion, then, is important when designing a modern telephone which has digital output to the switch. If the sampling rate is too low, the reconstructed analog signal out of the switch will be a very distorted version of the original signal.

TSCM EQUIPMENT

Recently, a retired government TSCM expert stated that it costs about two hundred and fifty thousand dollars to equip one TSCM team. Now that Watkins-Johnson has introduced their WJ-38000 ELINT receiver, that number will probably climb to about one million because this receiver alone can cost more than $500,000.00.

All kidding aside, this is a serious matter and one that we intend to cover in detail in future issues of this letter. For the sake of brevity at this time, let's just note that your editor does not agree that such expenditures are necessary.
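Returning to the NYQUIST vs. NYQUIL item above, here is an added illustration (not from the newsletter) that works the criterion through with the text's 1,000 Hz tone: it shows the alias frequency an undersampled tone is rebuilt as, proves the undersampled streams are literally identical, and shows why "at least twice" must be read as "more than twice". The sampling rates are constructed for the demonstration; the 8,000 samples/s figure is the standard rate for digital telephone channels and is not taken from the page.

```python
# Added example, not from the newsletter: the Nyquist criterion worked with
# the 1,000 Hz tone from the text.  Sampling rates are constructed for the
# demonstration; 8,000 samples/s is the standard digital telephone channel
# rate and is an outside fact, not a figure from the page.
import math


def sample_tone(freq_hz: float, rate_hz: float, n: int, phase: float = 0.0) -> list:
    """n samples of a unit cosine at freq_hz, taken rate_hz times per second."""
    return [math.cos(2 * math.pi * freq_hz * i / rate_hz + phase) for i in range(n)]


def satisfies_nyquist(highest_freq_hz: float, rate_hz: float) -> bool:
    """The criterion as the text states it: sample MORE than twice the
    highest frequency present."""
    return rate_hz > 2 * highest_freq_hz


def alias_of(freq_hz: float, rate_hz: float) -> float:
    """Frequency the D-to-A output will contain for a tone at freq_hz sampled
    at rate_hz: the tone is folded into the band 0 .. rate_hz/2."""
    f = math.fmod(freq_hz, rate_hz)
    return f if f <= rate_hz / 2 else rate_hz - f


def same_samples(a: list, b: list, tol: float = 1e-9) -> bool:
    """True when two sample streams are indistinguishable to the D-to-A side."""
    return len(a) == len(b) and all(abs(x - y) < tol for x, y in zip(a, b))


if __name__ == "__main__":
    # Undersampled: 1,000 Hz at 1,500 samples/s is rebuilt as a 500 Hz alias,
    # and the samples really are identical to those of a 500 Hz tone.
    print(alias_of(1000, 1500),
          same_samples(sample_tone(1000, 1500, 12), sample_tone(500, 1500, 12)))
    # Properly sampled: at 8,000 samples/s the two tones stay distinct.
    print(alias_of(1000, 8000),
          same_samples(sample_tone(1000, 8000, 12), sample_tone(500, 8000, 12)))
    # Exactly twice the frequency is not enough: a 1,000 Hz sine sampled at
    # 2,000 samples/s hits every zero crossing and vanishes entirely.
    print(sample_tone(1000, 2000, 4, phase=-math.pi / 2))
```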
Certainly there are some government-to-government threats that are very high level and deserve high level responses, but there is no way to justify spending that much money for equipment to equip every team. After all, most work by most teams most of the time will address the standard, real-world threat. More later.

NEW WORD NEEDED

Because of the work we've been doing lately to identify the vulnerabilities in modern electronic PBXs, we've been talking with a lot of folks who also don't speak "telephonese". Out of necessity we've been using the word "switch" when referring to such PBXs. Unfortunately, when most folks hear that word, in their mind's eye they see the switch on the wall that we throw to turn the lights on. Confusing. So let's start a movement to invent a better word. After all, aren't people who work in engineering supposed to be precise? Let us hear from you!

PULSE THROUGH A LOADING COIL?

This was a question asked by Joe Wilson Elliott during one of our telephone conversations. I don't think I ever answered him, but it deserves to be answered because it illustrates the fact that different educational and training courses teach different "facts". Anyway, can you get a pulse through a loading coil? What do you think? If anyone expresses interest, we'll answer the question in a future letter.

JUMPING TO (DANGEROUS) CONCLUSIONS

Regarding spousal tape recording of telephone conversations without consent, we reported in January: "A federal judge did rule that federal eavesdropping laws (Title III, 18 USC 2510, etc.) do not relate to domestic cases in certain circumstances." 2600, in its fall issue, jumps from this fact to the erroneous conclusion, ".... it is now legal for married couples to place wiretaps on their home telephones in order to catch their spouses doing nasty things like having affairs." We hope the readers of this letter understand the difference between the two statements.
The ruling only said that certain specific federal laws do not apply in certain circumstances. It did not say that such eavesdropping is legal. There's a big difference.

RF FLOODING

One of the comments that we got on our questionnaire after our London seminar indicated that the person wanted information on "modern techniques such as RF flooding". How nice it would have been if that person had read our material which pleads for any question at any time, or listened to any of our exhortations: "If you have a question, ask it at any time." If he had asked the question in front of the group, we would have had an interesting topic to discuss. We had people with exceptionally diverse backgrounds. A discussion would have provided more than one point of view, and that's the value of the seminar format. It's not the authoritarian headmaster lecturing to a group of cowed students; it's open give and take among experienced, senior people.

Well, I'm very sorry that he did not speak up. If he had, I could have pointed out to him that RF flooding is probably fifty years old. Also, I could have mentioned that we had been covering some techniques which have come into use in 1988. That's right, we were discussing truly modern methods such as electronic switch manipulation, REMOBS, bugging of modern electronic phones, etc. Thrown in for good measure were some comments on how companies are being robbed (through toll fraud on a major scale) by people taking advantage of DISA, voice mailboxes, diverters, etc. And he wanted to discuss modern methods such as RF flooding!

In any event, I'll explain what I think is meant by "RF flooding", with the hope that a reader will either endorse my theory, or explain how I went wrong. Before I go on, let me explain that I am guessing at what is meant by RF flooding. In all of the courses that I have taken in math and electronics, "flooding" is a term that was never used in any class or practical exercise.
I have the feeling that it was invented by a technician whose field strength meter told him that the telephone was full of RF, so much so that it was flooding out of it and all over the floor. (Doesn't that make you wonder if you should wear boots while doing TSCM?) As you read this, keep in mind that I have never been exposed to any government training in countermeasures, and this explanation is based only on my response to the name given to the technique. So here goes.

The older electromechanical telephones contain a hookswitch which is really several switches in one assembly. Each conductor is connected to a flexible metal strip, and all of the strips are physically parallel and very close together. On hook, some connections are made, and some are open. Off hook, other combinations occur. In the on-hook condition the talk circuitry (carbon microphone, speaker, and side-tone transformer) is disconnected from the line in the DC sense. That is, no direct current is possible in the circuit because the circuit is open. However, what causes the circuit to be open is the fact that two flat metal strips, side by side, are not touching.

Does that sound familiar? Two conductors separated by a dielectric? Of course. That's the definition of a capacitor. And although a capacitor may be an open circuit for DC, it sure isn't open for RF. In fact, it is nearly a perfect conductor. So my guess is that somebody fifty (or so) years ago figured out that he could connect to the talk circuit by applying RF to the talk pair. I've never tried it, and don't know anyone who has, but the theory is sound, although the audio recovered is probably not good, and it certainly is easy to detect.

Well, there's my answer. If I'm way off base (or even a little off) I'd like to hear from anyone who can set me straight. I'll run the best answer that comes in. How 'bout it???
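Serving both the December DISA item and the toll-fraud remark under RF FLOODING above, here is an added example (not from the newsletter, and not any switch vendor's code) of the kind of call-record check that lets a company notice DISA abuse in days, as the company in the December item did, rather than when the bill arrives. The record layout, every call in the sample, the rule that digits beginning 011 are international direct dial, and the thresholds are constructed assumptions.

```python
# Added example, not from the newsletter: flagging DISA abuse from call detail
# records before the bill arrives.  The record format, every call below, and
# the thresholds are constructed for this example.
from collections import defaultdict
from datetime import datetime

# Constructed CDR lines: timestamp, trunk, route, dialled digits, minutes, cost.
# The only international dialling rule assumed is the North American 011 prefix.
SAMPLE_CDR = """\
1988-11-02 01:12,T1,DISA,01192211234567,38,61.20
1988-11-02 01:15,T2,DISA,01192211234999,41,66.05
1988-11-02 02:40,T1,DISA,01192211230001,55,88.60
1988-11-02 09:05,T3,STATION,2125551212,4,1.10
1988-11-02 23:58,T4,DISA,01192215550000,62,99.90
1988-11-03 00:20,T1,DISA,01192211234567,47,75.70
1988-11-03 10:30,T2,STATION,3015551000,6,0.90
"""


def parse_cdr(text: str) -> list:
    """Turn the constructed comma-separated records into dictionaries."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, trunk, route, digits, minutes, cost = line.split(",")
        rows.append({
            "when": datetime.strptime(ts, "%Y-%m-%d %H:%M"),
            "trunk": trunk, "route": route, "digits": digits,
            "minutes": int(minutes), "cost": float(cost),
        })
    return rows


def is_international(digits: str) -> bool:
    return digits.startswith("011")


def flag_disa_abuse(rows: list, max_intl_cost_per_trunk_day: float = 100.0,
                    quiet_hours: tuple = (22, 6)) -> list:
    """Two cheap checks that would have lit up the December case early:
    1. any DISA-routed international call outside business hours;
    2. DISA-routed international cost per trunk per day above a ceiling.
    Calls from ordinary station sets are ignored; only the DISA route counts."""
    per_trunk_day = defaultdict(float)
    alerts = []
    start, end = quiet_hours
    for r in rows:
        if r["route"] != "DISA" or not is_international(r["digits"]):
            continue
        per_trunk_day[(r["trunk"], r["when"].date())] += r["cost"]
        h = r["when"].hour
        if h >= start or h < end:
            alerts.append(("after-hours DISA international", r["trunk"],
                           r["when"].isoformat()))
    for (trunk, day), cost in sorted(per_trunk_day.items()):
        if cost > max_intl_cost_per_trunk_day:
            alerts.append(("DISA international cost over threshold", trunk,
                           f"{day} ${cost:.2f}"))
    return alerts


if __name__ == "__main__":
    for kind, trunk, detail in flag_disa_abuse(parse_cdr(SAMPLE_CDR)):
        print(f"{kind:40s} {trunk} {detail}")
```

Run against a real switch's daily CDR export, the thresholds would be set from that switch's own normal traffic; the sample deliberately leaves trunk T4 just under the cost ceiling so only the after-hours rule catches it.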