Bulletin Board #6
The BULLETIN BOARD is posted on a periodic basis, as information is collected or assistance is requested.
Although many who have signed on to this forum operate in the field of electronic countermeasures, the BULLETIN BOARD was established for the benefit of the non-technical security manager and director. If you have comments, problems or need assistance, you can obtain it through several avenues:
- Post a request for assistance, which will then be posted to the membership.
- Post a request to me for assistance and I will post it without identifying the requestor.
- Contact any member directly that you feel might be able to provide you with the assistance you require.
From: "Mike Andrews"
Date: Tue, 4 Mar 1997 05:36:17 -0500
Tim,
An often overlooked aspect of TSCM (at least in terms of discussion items) appears to be physical security. Below are some "tips" that may prove useful.
On another note - a recent post to alt.security.tscm discussed a scenario in which the sweep operator discovers a bugging device planted by federal agents who are in possession of a court order. The question was something like: does the TSCM sweep operator who discovered the bug go to jail for obstruction of justice? Another contributor suggested that a clause be inserted in all contracts stating - more or less - that wiretapping was a federal crime and any discovered device would immediately be turned over to federal authorities. Thus, the TSCM operator becomes a part of the justice system rather than a victim of it.
Do you or anyone else on the list have any additional thoughts on this matter?
Now, for the physical security aspect of the business:
Tips for corporate locations:
- Exercise full control of areas visited by 'guests.' For example, limit guests to a lobby area and require escorts and "visitor" badges.
- Set aside a meeting area - conference room, huddle room, etc. - in which guests and corporate personnel may conduct business and thereby prevent easy access to inner office/shop/lab areas.
- Tours should be kept on well-defined paths that avoid sensitive areas. (Remember the SR71 incident in which foreign "journalists" walked through a manufacturing area and later had their shoe soles analyzed for metal fragments? Turned out that metal shavings constituted a significant intelligence find.)
- Keep a record of visitors. Significant counter-intelligence data can be derived from a visitors log. Same companies, same people, same areas visited and no particular reason to explain their repeated presence may indicate an intelligence gathering effort is underway. At the very least, a flag should be raised and used to provide a starting point for TSCM sweeps in terms of the area and perhaps even the capabilities of the perpetrator.
- Does the competition seem to know your every move in the market before you make it?
- Most often, competitive intelligence is derived from your suppliers, employees and contractors; It's easier to get information from people than to plant a bug and it's less risky. Implement an employee awareness program.
- Exercise distribution control - much like the government - segment information and limit its general distribution.
- USE THE SHREDDER! It's very easy to grab a bag of trash and head to the back room for a comfortable analysis. The news is literally in the trash can. Things like, corporate accounts, credit card receipts, travel vouchers, recent purchases, and much more can paint a thorough picture of the inner workings of any corporation (or home, for that matter).
- Not everyone in a corporation has full access to sensitive information. Therefore, consider the most likely targets - CEO, Comptroller, Research Associates, and the Janitor (Yes, I said the Janitor - one of the very few people who will have almost full access anywhere in the building.) Conducting a sweep? Don't forget to check out the Janitor's cleaning station (the big plastic can with wheels that has mops and brooms all over it).
- Key control - almost non-existent in 90% of all businesses. It's easy to implement, though. Just rekey the locks and establish a tiered master/submaster system. Very, very few people should have the master key.
- Rekey locks periodically - annually is recommended. You say your locksmith set you up with a special key that your employees can't get duplicated at the hardware store? I say baloney. Where there is a will, there is a way. Therefore, establish a time when all locks are rekeyed and do it. Don't make any big announcements, either. Yes, there will be some inconvenience and the employees will complain. Would you rather keep giving away your proprietary information?
- Janitorial contractors - the kind who have a key to your building and come in at night to wax the floors - should have their keys taken away. Why would you limit visitors access during the day and not at night? Think about it.
- Physical design - does your corporate board-room have one complete wall made of glass? For the View, you say? Think again.
- Does the ventilation system carry sound to other locations?
- Is there a return air vent in the bottom of the door?
- Could someone "parachute" a bug to your location in the duct work and never leave the basement?
- Can anyone "accidentally" walk into a conference room that is in use and then help themselves to a doughnut and a bug?
These are just a few items that apply to any Security Assurance business. Hope you find them useful.
Regards,
Mike Andrews
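The visitor-log tip above (same companies, same people, same areas, no stated reason) is the kind of review that is easy to automate once the log is kept in a regular form. The following is an added example, not code from the bulletin or from Mike Andrews: it assumes a simple pipe-delimited log, a constructed list of sensitive areas, and a constructed repeat threshold, and it flags the (company, visitor) pairs that keep turning up in sensitive areas without a business reason, so the security manager has a starting point for the follow-up the tip describes.

```python
"""Visitor-log review: flag repeat visitors to sensitive areas.

Added example, not part of the bulletin. The log format (pipe-delimited),
the area names, the threshold and the sample lines are all constructed.
"""
from collections import defaultdict
from dataclasses import dataclass

# Areas a visitor normally has no business in (constructed list).
SENSITIVE_AREAS = {"lab", "shop floor", "server room"}
# Sensitive-area visits by one person that raise a flag (constructed policy).
REPEAT_THRESHOLD = 3
# Reason-field values that count as "no stated reason".
NO_REASON = {"", "-", "n/a", "none"}

# Constructed visitor log: date | company | visitor | area | escort/host | reason
SAMPLE_LOG = """\
# date | company | visitor | area | host | reason
1997-02-03 | Acme Parts | J. Doe | Lobby | R. Lee | sales call
1997-02-03 | Acme Parts | J. Doe | Lab | R. Lee | -
1997-02-10 | Acme Parts | J. Doe | Shop floor | R. Lee | -
1997-02-17 | Acme Parts | J. Doe | Lab | M. Ito | -
1997-02-17 | Beta Tools | K. Ray | Lab | M. Ito | vendor demo
1997-02-20 | Beta Tools | K. Ray | Conference room | M. Ito | contract review
1997-02-24 | Gamma Ltd | S. Kim | Lobby | R. Lee | interview
"""


@dataclass(frozen=True)
class Visit:
    date: str
    company: str
    visitor: str
    area: str
    host: str
    reason: str


def parse_log(text):
    """Parse the pipe-delimited log; blank lines and '#' comments are skipped."""
    visits = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split("|")]
        if len(fields) != 6:
            raise ValueError(f"malformed log line: {line!r}")
        visits.append(Visit(*fields))
    return visits


def find_repeat_visitors(visits, threshold=REPEAT_THRESHOLD):
    """Group sensitive-area visits by (company, visitor) and report the repeaters.

    Each finding records how many of those visits carried no stated reason,
    plus the areas, hosts and dates involved, so a reviewer can decide whether
    the pattern has an innocent explanation or warrants a sweep of those areas.
    """
    by_person = defaultdict(list)
    for v in visits:
        if v.area.lower() in SENSITIVE_AREAS:
            by_person[(v.company, v.visitor)].append(v)
    findings = []
    for (company, visitor), vs in sorted(by_person.items()):
        if len(vs) < threshold:
            continue
        findings.append({
            "company": company,
            "visitor": visitor,
            "visits": len(vs),
            "unexplained": sum(1 for v in vs if v.reason.lower() in NO_REASON),
            "areas": sorted({v.area for v in vs}),
            "hosts": sorted({v.host for v in vs}),
            "dates": sorted({v.date for v in vs}),
        })
    return findings


if __name__ == "__main__":
    for f in find_repeat_visitors(parse_log(SAMPLE_LOG)):
        print(f"{f['company']} / {f['visitor']}: {f['visits']} sensitive-area visits, "
              f"{f['unexplained']} with no stated reason; areas {f['areas']}; hosts {f['hosts']}")
```

On the constructed log the only finding is Acme Parts / J. Doe: three visits to the lab and shop floor, none with a reason, escorted by two different hosts. A single vendor demo in the lab does not trip the threshold, which is the point of counting rather than alerting on any sensitive-area entry.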
#2
From: "CMSgt James R. DeSantis"
Date: Sat, 8 Mar 1997 07:38:22 -0500
For #2 - Have they thought about possible computer viruses? Some, like the very destructive BRASIL (BRAZIL?) virus, don't activate right away once they've been passed. You can reboot your PC several times before it kicks in - and once you see the warning on your screen that YOU'VE BEEN BRASILLED!, it's too late. The computer support people at HQ averaged 20 hours per machine to erase/reconstruct a 170 MB hard drive. It's a boot sector virus, so it's easy to infect a floppy as well. Other viruses, like the Winword.Meatgrinder virus (AKA: WAZZU.X?), are said to be just as destructive, but older virus checkers won't see it since it's a Word Macro virus. Lots of companies haven't upgraded their anti-virus products since the big Michelangelo scare a couple years ago...Word Macro viruses weren't in the wild yet! Even though the hard drive's dead and the floppies are gone, they can run a virus check on the floppies and see if any are infected. If the computer recognizes the hard drive - knows it's there, but says it's not a bootable partition, or is missing an operating system - then they can run a virus check against it from a bootable floppy. Finally, they might be able to recover the disks/hard drive by using Norton Utilities software. Since they're lacking evidence of deliberate tampering/break-in, it had to be some type of "logic bomb" that operated in the background of the computer's normal operating parameters.
Regards! JRD
FYI: From what I've heard, SA Pulliam's funeral will be Tuesday sometime. The body arrived at Dover AFB late Thursday afternoon. I'm sure the Global Reliance and the AFOSISA magazines will both provide details in later issues.
#3
Date: Wed, 12 Mar 1997 08:29:57 -0500
From: Robert Snyder
Reply-To: bsnyder@ptd.net
Organization: Handwriting Consultants of North America
Robert wrote in response to the possibility of someone illegally forwarding information and using both my e-mail address list and one by James Atkinson.
Should you receive suspicious e-mail, open the e-mail header by pressing on the Blah Blah Blah block, copy the info and forward it to me, James Atkinson, or Robert Snyder (although he did not indicate whether he provides the service for a charge or for free).
Robert Wrote:
Tim,
How can we catch a forger if we use Netscape or some other mail handler?
-Bob-
Mailto:bsnyder@ptd.net
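The header information the bulletin asks readers to copy and forward is mainly the Received chain, which each relay prepends as it handles a message, together with the From and Return-Path lines. The following is an added example, not code from the bulletin or from any of the correspondents: it parses a constructed message (example.com / example.net / example.org names and documentation IP ranges, all made up here), walks the Received chain in chronological order, and reports whether the domain claimed in From appears anywhere in that chain and whether Return-Path agrees with From. It is a heuristic to give a reviewer a starting point, not proof of forgery, since Received lines below the first trusted relay can themselves be fabricated.

```python
"""E-mail header review: walk the Received chain and compare it with From.

Added example, not part of the bulletin. The message is constructed; the
regular expression assumes the common "from A (rdns [ip]) by B" form.
"""
import email
import email.utils
import re

# Constructed raw message. From claims example.com, but every host in the
# Received chain belongs to other domains and Return-Path points elsewhere.
SAMPLE_RAW = """\
Return-Path: <bounce@bulk-mailer.example.net>
Received: from mx.example.net (mx.example.net [192.0.2.10]) by inbox.example.org with SMTP; Wed, 12 Mar 1997 08:31:02 -0500
Received: from relay.example.net (relay.example.net [198.51.100.7]) by mx.example.net with SMTP; Wed, 12 Mar 1997 08:30:41 -0500
Received: from pc17.dialup.example.net (unknown [203.0.113.44]) by relay.example.net with SMTP; Wed, 12 Mar 1997 08:29:57 -0500
From: Some Member <member@example.com>
To: tim@example.org
Subject: Forwarding your list

Please reply with your full address list.
"""

# "from <helo name> (<reverse dns> [<ip>]) by <receiving host>" as most MTAs write it.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)\s+\[(?P<ip>[^\]]+)\]\)\s+by\s+(?P<by>\S+)"
)


def _domain(addr_header):
    """Domain part of the first address in a header value, lower-cased."""
    addr = email.utils.parseaddr(addr_header or "")[1]
    return addr.rpartition("@")[2].lower()


def trace_message(raw):
    """Return the hop list (origin first) and the From / Return-Path consistency checks."""
    msg = email.message_from_string(raw)
    # Each relay prepends its Received line, so the last header is the origin.
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        flat = " ".join(value.split())          # unfold any continuation lines
        m = RECEIVED_RE.search(flat)
        if m:
            hops.append(m.groupdict())
        else:                                   # unrecognised form: keep it for the human reviewer
            hops.append({"helo": "?", "rdns": "?", "ip": "?", "by": "?", "raw": flat})
    from_domain = _domain(msg.get("From"))
    return_path_domain = _domain(msg.get("Return-Path"))
    chain_hosts = set()
    for h in hops:
        chain_hosts.update({h["helo"].lower(), h["rdns"].lower(), h["by"].lower()})
    claimed_in_chain = bool(from_domain) and any(
        host == from_domain or host.endswith("." + from_domain) for host in chain_hosts
    )
    return {
        "from_domain": from_domain,
        "return_path_domain": return_path_domain,
        "return_path_matches_from": return_path_domain == from_domain,
        "hops": hops,
        "origin_ip": hops[0]["ip"] if hops else None,
        "claimed_domain_in_chain": claimed_in_chain,
    }


if __name__ == "__main__":
    report = trace_message(SAMPLE_RAW)
    for i, h in enumerate(report["hops"], 1):
        print(f"hop {i}: from {h['helo']} ({h['rdns']} [{h['ip']}]) by {h['by']}")
    print("From domain:", report["from_domain"],
          "| in chain:", report["claimed_domain_in_chain"],
          "| Return-Path matches From:", report["return_path_matches_from"])
```

For the constructed message the origin is an unresolved dial-up host, the claimed domain never appears in the chain, and Return-Path disagrees with From; any one of those is reason to forward the headers as the bulletin suggests rather than trust the sender line.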
#4
Date: Sun, 09 Mar 1997 10:12:58 -0800
From: "John W. Kennish"
Subject: Error In 3/8/97 Message
Re: Industrial Sabotage Inquiry
John wrote:
My error: Texas cattle company loss should have read $2.2 million, with a recovery of $1.7 million. John.
#5
Date: Sat, 08 Mar 1997 09:09:45 -0800
From: "John W. Kennish"
Subject: Industrial Sabotage Inquiry
From: John Kennish, Connecticut, USA
http://www.iapsc.org/jkennish (FYI)
John Wrote:
Dear Michael:
Given your description, while the method you "see" may have been sabotage, the motive is likely embezzlement (within the organization) in some form, or espionage (if outside the organization). I would suggest that if you strive to establish the motive first, and the method second, you will identify your offender, and the answers will fall into place.
The data apparently was internal to the firm. It had limited scope and value. However, the answer lies in the data. Simply, it was of a wide enough scope, and held enough of a form of unknown value, at this point, to someone within the company, to be erased. The value of the data could only hold one of two, or perhaps both, in some combination. Those values are first, positive to someone, or secondly, negative to someone.
*** VERY IMPORTANT *** The data was erased for some reason. Why? Someone got too close to something. Someone quit. Someone was hired. Someone was promoted, or demoted. Someone took on new job responsibilities. Something happened? Did they change vendors? Seek out that reason. Widen your perspective. Don't just look at the lost data in terms of "stock codes and quantities" - what did it mean in terms of the total picture, when compared to everything else of relevance in the processes it interacted with (coming into these files, and from these files onward)?
Don't limit your inquiry. It may be nothing at all. Or, you may likely only see the tip of the iceberg. As we know, big things often have little beginnings. Don't merely review the physical stock stores and call it a day.
To attain the necessary resources, advise the firm's owners that this act is:
- Likely indicative of a more serious problem.
- Sets the stage for an opportunity to make an impression upon all the employees that these kinds of things are relevant, and are not to be ignored, or tolerated.
- Needs to be further investigated to clear the air.
- And that it is not your recommendation that things merely be left in place in a "let's see what happens next" approach.
- I would place these thoughts into writing for future reference.
- You are apparently a wire-guy, or computer security person. Also recommend that they engage someone who understands white collar and/or financial crimes to work with you on this. You may know the "how" of the matter, but you need help finding the "why?"
- Be very aware that what you see may be a), only a part of a larger thing, or b), what you see may well have been planted for you to see, to lead you away from something else.
- I would audit the whole damn place. Not just the stock count. Audit all of the inventory, stock, raw materials, shipping, purchasing and sales records, etcetera. And during this process: watch people very closely. Someone destroyed the data for some reason. If the heat is turned up by a coordinated inquiry, audit and investigative effort, and this with the visible support of senior management: your answer may pop out at you, people will start breaking down, or your subject may do something else, or run for it.
Stock codes, and stock quantity records. What might you have? Here are some possibilities:
(A while back, I conducted a review for a Texas cattle company. In the end, we discovered that they had lost $1.2 million, at .25 and .50 an entry, to a purchasing scam which involved a dozen of their employees, and suppliers. They recovered $1.7 million from their insurance carrier. Look for the unexpected. Big things often have little beginnings, and simple answers. In the case of the cattle company, it was only .25 an entry, and that takes a lot of entries to reach $1.2 million. It took 6 months to review the documentation, but the patterns became obvious. With the patterns came motives. And with motives came names. And by chance the names fit the names of responsible, and known people. Check-mate.)
- Fraudulent financial statements, and/or other related documents.
- Tax evasion on the part of the company. Always know who your friends are.
- Inventory fraud, or theft. They may think that they have "A", when in reality they have "B" - stealing or selling their stock off of the dock. Look in the flea markets, and newspapers for their inventory.
- Purchasing fraud.
- Supplier problem - what is their "stock?" What do they do? Whom and what do they buy from the outside, in terms of materials? They may be paying for what they think they are getting, but in reality, they are getting taken somewhere along the process. "Stock codes, and stock quantities" - your answer is to be found in the data, and its relationship to other records and data, and people.
- Bribery and/or some form of internal employee corruption.
- On, or Off-book payment scheme of some kind.
- Combination of several of these.
My guess from a distance is likely a supplier, purchasing, inventory fraud in some form. Simply stated, the data did not get erased for no reason. There is a reason. The reason can be found by examining their operations, processes, documents, and records.
After-the-fact preventative measures: identify, monitor, and control access to a), the building itself, b), the room itself, c), the computer itself, and d), the computer files themselves. Assure their internal operations in terms of integrity. Assure a proper information security program. Implement an Ethics Policy. Train their employees. Make a wake-up call into the senior management group. Wake up the audit group. Fire a few responsible employees. Set the tone.
Hope this is all of some help. Don't look for, nor take the obvious answer. Turn over just one more leaf. The answer is in the records system, and their employees: somewhere. Ask the question. If you don't ask the questions: you don't get the answers. John.
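The cattle-company case John describes, a quarter or half-dollar skimmed per entry until it totalled over a million dollars, is a pattern that only appears when the records are compared against each other by supplier and approver rather than reviewed line by line. The following is an added example, not code from the bulletin or from John Kennish: it assumes a constructed purchasing ledger in which each entry carries the quoted price and the invoiced price, and an assumed policy (overcharges of at most $1.00 per entry, reported once one supplier/approver pair accumulates three of them). It ignores large or negative differences, which usually have an ordinary explanation, and totals the small consistent ones that a reviewer would otherwise wave through.

```python
"""Purchasing-ledger review: find small, repeated overcharges.

Added example, not part of the bulletin. The ledger format and the
sample entries are constructed; the thresholds are an assumed policy.
"""
from collections import defaultdict
from decimal import Decimal

# An overcharge at or below this amount per entry is small enough to be waved
# through by eye (assumed policy).
MAX_SMALL_DELTA = Decimal("1.00")
# How many such entries for one supplier/approver pair before it is reported (assumed).
MIN_ENTRIES = 3

# Constructed ledger: entry_id | supplier | approver | quoted | invoiced
SAMPLE_LEDGER = """\
# entry_id | supplier | approver | quoted | invoiced
1001 | Lone Star Feed | A. Brown | 412.00 | 412.25
1002 | Lone Star Feed | A. Brown | 380.50 | 380.75
1003 | Lone Star Feed | A. Brown | 395.00 | 395.50
1004 | Lone Star Feed | A. Brown | 401.00 | 401.25
1005 | Lone Star Feed | C. Diaz | 410.00 | 410.00
1006 | Red River Supply | C. Diaz | 1200.00 | 1185.00
1007 | Red River Supply | C. Diaz | 990.00 | 990.00
1008 | Red River Supply | A. Brown | 1500.00 | 1500.25
"""


def parse_ledger(text):
    """Return (entry_id, supplier, approver, quoted, invoiced) rows with Decimal amounts."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        entry_id, supplier, approver, quoted, invoiced = [f.strip() for f in line.split("|")]
        rows.append((entry_id, supplier, approver, Decimal(quoted), Decimal(invoiced)))
    return rows


def find_skim_patterns(rows, max_delta=MAX_SMALL_DELTA, min_entries=MIN_ENTRIES):
    """Flag supplier/approver pairs whose invoices repeatedly exceed the quote by a small amount.

    Only positive deltas up to max_delta are counted: a genuine price change or a
    credit shows up as a large or negative delta and is left out, while a steady
    quarter here and half-dollar there accumulates into a finding.
    """
    small = defaultdict(list)
    for entry_id, supplier, approver, quoted, invoiced in rows:
        delta = invoiced - quoted
        if Decimal("0") < delta <= max_delta:
            small[(supplier, approver)].append((entry_id, delta))
    findings = []
    for (supplier, approver), hits in sorted(small.items()):
        if len(hits) < min_entries:
            continue
        findings.append({
            "supplier": supplier,
            "approver": approver,
            "entries": len(hits),
            "total": sum((d for _, d in hits), Decimal("0")),
            "deltas": sorted({d for _, d in hits}),
            "entry_ids": [e for e, _ in hits],
        })
    return findings


if __name__ == "__main__":
    for f in find_skim_patterns(parse_ledger(SAMPLE_LEDGER)):
        print(f"{f['supplier']} / {f['approver']}: {f['entries']} entries over quote by "
              f"{[str(d) for d in f['deltas']]} each, total {f['total']} "
              f"(entries {', '.join(f['entry_ids'])})")
```

On the constructed ledger only Lone Star Feed / A. Brown is reported: four entries, each a quarter or half-dollar over the quote, for a total of $1.25. The single small overcharge on Red River Supply / A. Brown is kept out by the entry threshold, and the $15 underbilling on entry 1006 is ignored as a negative delta. Which names to follow up, and whether the same approver appears across suppliers, is the reviewer's next question, not the script's.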
#6
Date: 27 Feb 97 15:58:51 EST
From: "Michael E. Chesbro" <100336.675@CompuServe.COM>
Subject: Re: Post on OI net
Tim,
I stopped by your web site. It looks good! I will add a link to it from my own web site when I do my next update. Probably next weekend.
My web site is at: http://ourworld.compuserve.com/homepages/ChesNotes
I publish a newsletter, "ChesNotes Security News," which may be of interest to you. I'll add you to the subscription list if you want. It's free, and without any obligation.
It's good to hear from a Tech. And, I am always interested in staying in contact with fellow professionals.
Cheers,
Michael
#7
Date: 11 Mar 97 13:10:15 EST
From: "M. D. Goslar" <73374.1650@CompuServe.COM>
To: Tim Johnson
Subject: Spy shop owners admit to selling illegal bugs
Tim:
Are you familiar with Mr. Atkinson and his business as noted below at tscm.com?
I would have expected his comments in your BB newsletter rather than in an undisclosed distribution list.
Best regards,
Martin Goslar
Organizational Research & Technology Services
Phoenix, AZ 602.867.3013
-------------Forwarded Message-----------------
From: James M. Atkinson, Comm-Eng, INTERNET:jmatk@tscm.com
To: [unknown], INTERNET:JMATK@TSCM.COM
Date: 3/10/97 2:38 PM
Subject: Spy shop owners admit to selling illegal bugs
What fine news,
These guys used to brag about how they were so untouchable, and about how they were above the law.
Looks like their attorneys weren't as good as they thought?
Score one for the good-guys
In reality the products they were selling were crappy little toy devices that could be built for under twenty dollars.
-jma
Spy shop owners admit to selling illegal bugs
-- The Associated Press
NEW YORK (Mar 10, 1997 1:13 p.m. EST) -- Three executives of the nation's biggest chain of spy shops pleaded guilty Monday to charges they illegally sold eavesdropping equipment that had been smuggled into the country.
The powerful bugs, hidden in functioning ballpoint pens, calculators and electrical outlets, were smuggled through U.S. Customs so The Spy Factory could sell them to anyone rather than just law enforcement officers who were entitled to buy them, prosecutors said.
The Spy Factory, based in San Antonio, sold transmitters that were much more powerful and had much greater transmission range than the Federal Communications Commission would allow. The transmitters also operated on frequencies reserved for the U.S. government and military.
The pleas entered by Spy Factory owner Ronald Kimball and general manager Marlin Richardson were part of plea agreements that interrupted their two-week trial and resulted in most of the charges being dropped.
Kimball also agreed to turn over all the company's assets to the government and close the stores, said Marvin Smilon, spokesman for U.S. Attorney Mary Jo White.
"I accept full responsibility for my conduct," Kimball told U.S. District Judge Sonia Sotomayor.
Kimball and Richardson pleaded guilty to conspiracy, possession and sale of wiretap devices and possession and sale of smuggled wiretap devices, charges that carry a maximum sentence of 15 years in prison and $750,000 in fines.
Spy Factory employee Tracy Edward Ford pleaded guilty to possessing and selling bugging and wiretapping devices, charges that carry up to 10 years in prison and $500,000 in fines.
Defense lawyers had portrayed the defendants as patriotic Americans who became overwhelmed by their store's success and growth into a 19-shop national chain.
Sentencing was scheduled for July 1.
"If it doesn't involve a torque wrench, then it's not TEMPEST"
James M. Atkinson - Phone: (508) 546-3803
Granite Island Group - TSCM.COM
127 Eastern Avenue #291 - http://www.tscm.com/
Gloucester, MA 01931-8008 - jmatk@tscm.com
The First, The Largest, The Most Popular,
and the Most Complete TSCM Counterintelligence Site on the Internet
Once again, your inquiries and comments are solicited, both pro and con. I hope to get some dialog started before I leave on vacation at the end of this month.
Perhaps I should address that at this point and ask for some assistance.
Toni and I will be traveling to France from 1 through 14 April with our grandson Trevor. Our travel will be by car and will cover the Central, Southwestern and Western portions of France. I'd be interested in visiting any security people while I am in their areas.
Also, we will be trying to develop information on Toni's ancestors who originally came from France. If you know of any genealogical organizations who would be able to help us get started, please pass the info to me via e-mail.
Enjoy until the next posting