Bulletin Board #1
From: Kelleypi@aol.com
Date: Sat, 8 Feb 1997 19:40:12 -0500 (EST)
Subject: BULLETIN BOARD # 1
Tim.......I had no trouble monitoring computer screens over 15 years ago. We
could actually watch as they type stuff in. The key was distance. Most of
the hits were near field. Success dropped off considerably with distance.
Results were quite varied from one type to the next. I had an Atari
years ago that would break squelch on a Motorola Handitalkie from 50 feet
away. Jack
Date: Sat, 08 Feb 1997 17:02:01 -0500
From: "Kevin D. Murray"
Reply-To: murray@spy.busters.com
Subject: Inside Information from Murray Associates
News from the Internet...
Via
Kevin D. Murray
Murray Associates
http://www.iapsc.org/kmurray
mailto:murray@spy.busters.com
From web site http://www.tipworld.com
"Don Crabb: Crustacean at Large"
Who's listening?
We've all read about snoopers using police scanners to listen in on cellular
phone calls. Apparently, those folks have not yet got a life. Now, the Crusty
One has discovered that several security firms in Chicago and New York are
specializing in snooping on corporate data by tracking and recording cellular
data calls made by traveling workers.
Cellular data collection has become big business for these firms, who talked
to Crusty only on condition of anonymity. One source told your Watery Wayfarer
that "We have quite a few Fortune 1000 clients. The CIOs of these companies
come to us with a goal in mind: covertly gathering data about the competition
in order to help guide their competitive moves. In recent months, we've been
able to snag quite a lot of unencrypted data by locking onto cellular data
calls and producing a magnetic record for our clients. For which, of course,
we are paid handsomely. To the tune of a $10,000 flat startup fee for our
service, and daily fees of $2,000 to $10,000, depending upon the level of
electronic data capture the client wants. Our biggest client, a New York bank,
and one of the ten largest banks in the world, has already spent more than
$200,000 over the last six months on data snooping. Which just goes to show
you that this is a growing market."
Growing, indeed, the Crusty One opines. Growing to the point that the Federal
Government might want to consider unleashing an FBI sting operation to arrest
some of these cretinous data spies. Because, of course, stealing corporate
data by means of stealth just happens to be A FEDERAL CRIME!
Date: Sun, 15 Dec 1996 18:43:25 -0500
From: Michael Andrews
Subject: Associations, Training, etc.
Hello Tim,
Would you consider the text below as a future discussion
topic?
Best of the Holidays to you and your family,
Mike Andrews
After conducting quite a few searches on the internet and talking
to quite a few people in the security industry I've concluded
that the TSCM field is somewhat chaotic and I have yet
to find a single professional association. Please tell me
I'm wrong.
Anyway - what I have found is the usual cross-section of people....
those with monumental egos based on +30 year old credentials and those
who go quietly about their work and earn a solid living performing
counter-measures sweeps. Of course, there are many different types
in between the two extremes from the PI who occasionally performs
TSCM sweeps to the full time, former government agent who wrote the
book, so to speak.
I have several rhetorical questions to pose to the TSCM community:
- Has anyone given any thought to forming a professional association that would, perhaps, standardize some of the training and provide a 'network' of subject matter experts?
- Would the TSCM experts (you know who you are - you are the ones who rely on solid training combined with years of experience) consider stepping up to the task of creating a list of training and internship requirements or recommendations?
- If an association is formed would it be appropriate to create a self-imposed certification program?
- Could an association benefit the trade by forming a legislative action committee? (This one hurts to ask but it is probably one of those necessary evils - I've found that skilled TSCM Operators are often grouped with bodyguards, security guards and Alarm Monitoring Agencies.....I find that very strange and attribute it to a high fiber diet (government and paperwork)).
That about does it. Anyone out there have any thoughts?
Tim Johnson responded as follows:
That subject is being considered, even as we speak. I am working with others to get something set up in which a certification program will be established. It ain't gonna be easy to get certified as we will establish training, experience, recent experience, ongoing training, etc. criteria, somewhat similar to the CPP program.
The certification will be for an individual only, not an organization, and we will be soliciting feedback from a member's clients to ensure quality.
This will also assist corporate security personnel in determining some level of competence of the providers of this type service.
Initially, there will be a core group who will establish the necessary guidelines, tests, training, experience requirements, etc. and administer the program. Eventually, we would like to see a board of directors established and members elected from the membership.
But, first, let's see what some of the comments are.
Do you, as security personnel, think this is needed?
Would it be of benefit to you?
Comments, please and if you wish, they can be posted anonymously by requesting only your first name be used---no addresses.
Tim
From: "Mike Andrews"
Subject: BULLETIN BOARD
Date: Sat, 8 Feb 1997 21:47:17 -0500
Tim,
Excellent idea on the bulletin board! Please count me in. Attached below, for your consideration, are some links pertinent to Van Eck Radiation. This collection of links constitutes "Open Source Intelligence" and should be validated via other means where possible.
Regards,
Mike Andrews
Open Source Intelligence on Van Eck Radiation:
Below are some links to web-sites I've found over the past year that deal with Van Eck Radiation in one way or another. I've tried to exclude those that appear to be hype (and in one case downright fraudulent).
But first - a word to the wise......
This is a topic that stirs up the emotions and is, therefore, easily exploited by the unscrupulous and criminal-minded. My advice to anyone interested in learning more about Van Eck radiation is "Beware!" There are some who will take your money and build tin boxes around your computers while waving around a volt meter and proclaiming they've found the leak. I've heard the pros refer to that as a "rain dance." Last warning: Beware of hucksters and hackers.
U.S. Air Force Emission Security Technical Description:
http://www.rl.af.mil:80/Technology/TechDataSht/auto_tempest.html
U.S. Air Force Emission Security Site:
http://192.52.112.85/erc1/emsec/index.htm
Systemware - interesting system and components:
http://sysware.com:80/product.html
A Hacker's request - very sobering thought for the prudent....
http://www.onworld.com:80/MUT/mutForum/messages/257.html
DSI-110 : Another Van Eck capable system??
http://www.dynamic-sciences.com/prod01.html
A treasure trove of articles and links on a variety of
topics including RS232 Eavesdropping, Van Eck Monitoring,
and a copy of the original paper by Van Eck (alleged).
(Some of these require an Adobe Acrobat reader)
http://www.jya.com/crypto.htm
Technical Security Standard for Information
Technology (TSSIT) - Royal Canadian Mounted Police...
http://www.rcmp-grc.gc.ca/html/tss-1-e.htm
Date: Sat, 08 Feb 1997 23:25:23 -0800
From: Bruce Alexander
Reply-To: galileo@teleport.com
Organization: The Observatory
To: dbugman@amug.org
Subject: Van Eck
Hi Tim:
I've read quite a bit on what this device can do and I'm interested in
the details of how it operates, both from a professional perspective and
to examine potential counter-measures.
Do you have any design specs available? Anything you could send me
would be helpful. Thanks.
The Observatory
Investigative Reality
http://www.teleport.com/~galileo/Investigations
mailto:galileo@teleport.com
From: "Mike Andrews"
To:
Subject: Computer Alert
Date: Sun, 9 Feb 1997 12:00:04 -0500
Tim,
Something of interest to "Quicken" users.
Regards,
Mike Andrews
News reports just in:
"The Chaos Computer Club (Hacker organization in
Hamburg Germany) has developed and demonstrated
an ActiveX control that will transfer funds from users'
bank accounts without using a personal identification
or transaction number.
The Chaos Crackers demonstrated their hostile ActiveX
control on a German TV show to make a point about
what they saw as the security risks posed by ActiveX.
If made available on a web site, the control could install
itself on a user's computer and covertly check to
see if the popular personal-finance software package
Quicken is installed.
Continuing the scenario, if the control had found Quicken,
it would issue a transfer order and add it to that
application's batch of existing transfer orders. The next
time the Quicken user paid their bills, the illicit transfer would
be included, unnoticed by the victim. Quicken claims to
have more than 9 million active users worldwide."
Source: "Wired" article by John Gilles, 5:21 PM PST 7 Feb 97
Full story can be found at: http://www.wired.com/news/
Title and Description: Crackers Shuffle Cash With Quicken, ActiveX Friday
- If you are one of the 9 million people who run
the Quicken home finance package, steer clear of the Chaos
Computer Club.