VOLUME 8 NUMBER 2January 1993

HOME PAGE ADDRESS
http://www.dbugman.com/

E-mail
dbugman@dbugman.com



THE HOT MICX is published 3 to 4 times a year, contains information of a security nature, dealing mostly with electronic eavesdropping or information loss and is provided at no cost. Reproduction of any or all of this newsletter is authorized.

Well, here's hoping I get this issue of The Hot Micx completed. I'm developing this issue on Publish It! Easy and I've already lost the first version. As an uncle of mine once wrote, "If you don't get this letter, let me know and I'll write again".
Even if you're on the right track-you'll get run over if you just sit there.
- Arthur Godfrey


Now, if I remember , right, when I lost everything, I was just telling you about an article my wife saw in Dear Abby a week or two ago in which two secretaries were working late one evening. One secretary had to leave the office for a period of time and when she returned, she saw the other secretary kneeling down at her boss's desk, going through the trash. The secretary wrote Dear Abby and asked if she should tell her boss about the occurrence. Dear Abby's response was Definitely Not!

I suppose Dear Abby feels it is poor form to "tattle", but I wonder what her reaction would be if she realized the possible consequences of such an action. It may have been "harmless curiosity or it may have been nothing more serious than industrial espionage or it could have been the initial stages of gathering information for a possible kidnapping.

Me thinks, perchance, Dear Abby may wish to reconsider her decision. Then again, she may not be thinking of the darker side of such an action.

OK, with that out of the way, I'll try to remember the others I lost (I'm saving after each entry now, thank you).

I have always been among those who believed that the greatest freedom of speech was the greatest safety, because if a man is a fool the best thing to do is to encourage him to advertise the fact by speaking.
- Woodrow Wilson


Dateline Norfolk, VA The Arizona Republic March 13, 1993---When and where is it OK to record a cellular conversation without a court order. Apparently anywhere, when you happen to be a U.S. Senator and your target is a governor and it is all political.

It seems a federal grand jury refused to indict the Senator after an 18 month investigation. All that happened was the Senator, or his aides, released a transcript of the conversation the Governor had. But, to make it all OK, the Senator denied any wrongdoing connected to the illegal taping and acknowledged he knew of the contents of the tape. He also ordered his staff not to release the tape. (This is not to be confused with "It's OK to smoke as long as you don't inhale".)

So, if you just gotta do something illegal, be sure you're a politician. The unenforcable laws they enact for special interest groups apparently don't apply to them. Which, again, is probably OK. Being one of the best political groups money can buy, our elected officials have to make sure they're doing What you say in private is your business. Keeping it private is ours. © TSCI 1987
something, even when it's wrong.

No man, however strong, can serve ten years as schoolmaster, priest, or Senator, and remain fit for anything else.- Henry Brooks Adams
Speaking of cellular's, I spoke with Bob Runyon again this past weekend. He said he was a little down in the dumps for awhile because his prototype cellular intercept unit would only fit in a briefcase. Then he had an opportunity to view one which is presently in production; it takes two or three good sized cases and two people to transport and set it up. Now he's down in the dumps again because his prototype can only follow one conversation at a time and theirs tracks several. I think I convinced him not to worry when I pointed out I could only follow one conversation at a time.

If there is no hell, a good many preachers are obtaining money under false pretenses.
- William A. Sunday


Dateline Phoenix, AZ The Arizona Republic March 10 1993---Two high school sophomores were recently arrested after a ham-operator recorded a conversation in which they discussed killing a teacher and the ex-girlfriend of one of the teenagers. The conversation occurred over a cordless telephone. (Again, it's legal to listen to cordless telephones, Congress only said we can't listen to cellular's.) When arrested one of the teens had in his possession a 'sizable amount" of poisonous drain cleaner.

Again, I can't stress the importance to you of not conducting business over cordless telephones (unless they are one of the new secure units being built by Motorola). A radio scanner from the local electronics store may be all that's needed to listen in. They can be programmed to scans all the allocated frequencies, stopping when a channel is in use. And please don't think cordless phones are low powered units with a limited range. Signal are often picked up several hundred meters away and have been monitored as far away as a half mile. Of course, if you're using one in your office on the twentieth floor, line of sight reception may apply.
I keep six honest serving-men [They taught me all I knew]; Their names are What and Why and When And How and Where and Who.
- Rudyard Kipling


Technical Surveillance Countermeasures Seminar--- The next TSCM seminar is scheduled for Thursday and Friday, 20-21 May in Las Vegas. This time, it will be held at the Las Vegas Hilton. So far, with nothing more than the mention in the last newsletter, there are three who have indicated they will be attending. Space shouldn't be a problem; Dave Austin, Security Director at the Hilton, said a room large enough for all will be available. The fee for the seminar is $350.00 in advance. If you plan to attend, please contact me as soon as possible.

Gary Bunker will be assisting in presenting the sessions and will be covering such subjects as Computer Security, Electronic Countermeasures, Physical Security, Electronic Security, and how they all tie together. Discussion will cover the pros and cons of in-house vs. contract TSCM and what you should look for in both situations. Also covered will be the perceived threat and what the real threat really is.

TSCM equipment, mockup and actual surveillance devices and handouts will abound. Chalk dust and B.S. will be flying all over the place and, if it's as interesting as the past attendees have told me it was, I'll be astounded. Although each session is basically the same, each one is different. The attendees

decide the direction by your questions and desires. This is a learning seminar for you, not a teaching seminar for me. For further information on enrollment, content, etc., call me at any time.

Procrastination is the art of keeping up with yesterday.
- Don Marquis


Dateline Phoenix, The Arizona Republic March 14, 1993--- The FBI is turning at least part of its attention to those spies interested in American trade secrets. The Bureau has developed an Espionage and Counterintelligence Awareness Program to help high-tech companies understand the foreign threat.

Personally, I feel they are running at least ten years behind with their new program. The private sector has needed this information far longer that just recently and has had to depend on information developed by the private sector security consultant through research, contacts and real life experiences. With their past emphasis on not disclosing classified information, I doubt that you'll be getting much more than you would from a good ASIS seminar. That's not to say the information is not the same; just that we have been giving it to you all along.

Anyhow, a special awareness presentation can probably be arranged for your firm through your local FBI office. (Let me know if they mention anything I haven't already said.)

If you steal from one author, it's plagiarism. If you steal from two, it's research.
- Wilson Mizner


> If you are greeted by my answering machine, it means Toni and I are both away from the office. Please bear with me and leave your name and a number. I switched to the answering machine because of 1) the poor service provided by answering services and 2) they don't need to know who you are or what your business might be.

If you wish to know what a man is, place him in authority.
- Yugoslav Proverb


The following article is one I completed a few months ago and was published in the Phoenix ASIS Chapter Newsletter and the Round Report. If you feel it may be of interest to employees of your organization, feel free to reproduce it. Just drop me a line or a copy of the article for my "I love me" file

Information Protection

Has your company experienced a loss or compromise of information? Have you been confronted with information you're sure was discussed in private and only between you and a client or someone within your organization? Did you wonder how sensitive or proprietary information became public? Has a client or another member of your organization come to you and indicated a suspicion that personal or private information was being compromised? If the answer to any of these questions is YES then you may have been the target of corporate espionage, an activity that is more prevalent than most businesses suspect.

For the trained corporate spy, gathering of information may be no more difficult than reading newspaper and magazine articles or looking through your trash; on the other hand, it may involve other methods, such as breaking and entering, burglary, blackmail, extortion or electronics.

In trying to determine how information may be lost or compromised, the following examples are provided. As one who has had responsibility for gathering and protecting information for more than 20 years, I can assure you these are just a few of the methods used.
  1. Cellular and Cordless Telephones - Those of you using cellular and cordless telephones are seldom concerned that your conversations can be monitored. Rest assured, it is being done and can be done by anyone possessing a radio scanner covering the frequency range allocated for that use. In the past, it was pretty much a hit or miss deal for the cellular "eavesdropper". He, or she, had to tune through a selected portion of the frequency range and listen to all the conversations encountered. Advances in technology now allows the same listener to program a scanner and "follow" your conversations as they switch from cellular cell to cellular cell. Listening to cordless phone conversations is much simpler and less expensive; their frequencies are published in books available at radio electronic sales outlets or libraries. And in spite of legislation passed by Congress in the 1980's making it a federal offense to listen to cellular telephones, they are no more secure than the cordless telephones you may be using at home or in the office.

  2. Public Discussions - How often, during meals or in other public settings, have you keyed on a conversation occurring near you when you heard a word or phrase that "piqued your interest" to something interesting, informative or of potential interest. Practically everyone talks "shop" at one time or another and is guilty of the above. Shop talk should be saved for the office, preferably in a room or area designated for sensitive conversations.

  3. Trash Disposal - Near and dear to the opposition (your competitor) is the lack of concern for "trash". Having been involved with the technical (positive gathering of intelligence) support side of investigations for more than 10 years with the government, the very last resort was putting in a "wire" or "bug". There's just to much information available through other, less alerting methods. Additionally, for the past 20 years I have been responsible for the protection of both government and private sector information and feel strongly that information is gathered by electronic eavesdropping on a limited basis. In gathering information, I've often felt that if I can get your trash for a month or two, I've got most of your professional and private life. In addressing trash, it is not just sensitive, proprietary or confidential documents someone may be looking for, it may be something as harmless as memo's, call slips, sales leads or calls, outdated mailing list, carbons of sales receipts (often containing your customer's name, address and credit card number) or any of the other dozens of harmless pieces of paper thrown into the trash each and every day.

  4. Computer systems - They are only as good as the safeguards placed on them. Most systems encountered during my security examinations are determined to be "user" friendly to accommodate the lazy and inept; most are equipped with modems for easy 24 hour access; passwords are seldom changed and are "loaned" to coworkers; information is not compartmentalized to further restrict access. And while on computers, don't forget to include electronic typewriters-most contain carbon ribbons which has everything typed on it; many even contain disks similar to those used in computers.

  5. Storage - (Lack of) Storage of sensitive documents ranks near the top of the list in ways in which information is potentially compromised. Most office occupants consider the lock on their office door and the office alarm system adequate protection. What many don't realize is that dozens of office and non office persons have unescorted and "authorized" access to your facility, often after hours and includes the cleaning force, clerical help, building maintenance, security, property owners, etc., any one of which is potentially compromisable if the return is great enough.

  6. Accountability - Accounting for documents is seldom a consideration in the business world. In a number of examinations I have encountered boxes of unnumbered documents for which a client's competitor would have gladly payed several million dollars for a single copy. These documents were unaccounted for and unprotected, other than being in a "locked" office. Again, they were readily accessible to the scores of "non-people" we encounter daily, those people who are there but are not acknowledged.

  7. Physical Security - How good are your locks and alarms? If you have any reason to question them, it's probably a given they should be evaluated. Cheap or inexpensive locks, improperly installed locks, doors installed or mounted improperly, security systems installed which have had a past history of false alarms but are "operating properly now" and security systems which are also designed to pick up sounds when an office or property is vacated for the evening are just a few of the problem encountered time after time (In several instances, conversations have been monitored which occurred in the vicinity of the security sensors, roughly a 30 to 50 foot radius, were present on the security system lines at all times, whether armed or disarmed, from the "secured" facility back through the telephone company to the monitoring agency).

  8. Electronic Listening Devices - Last, but not least is the area of electronic surveillance. As a rule, it is generally considered the last resort in intelligence gathering and is used for "real time" information being discussed during closed door sessions. Electronic surveillance is easy to accomplish but hard to detect. Believe it or not, if an office is suspected of being compromised (bugged), a call is often made from the same office to arrange for an examination. To make a long story short, by the time a sweep is arranged, the device has either been removed or the person(s) making the installation is long gone. As a result, bugs or taps are found in just a small percent of the examinations.


Although many investigative agencies advertise "debugging" services, most have limited capabilities or contract through others to perform the examinations. Not being knowledgeable, many organizations often end up utilizing the services of agencies which charges what the traffic will bear, utilize poorly trained personnel, use equipment with extremely limited capabilities and leave you with a false sense of security. There has even been instances reported in which devices have been "found", possibly to justify the expense of the examination or to insure future examinations.

Should you experience a problem, check around before making a final decision on who to use. Don't use a phone in an area that may be compromised. In the event a device is located, the local police and/or the Federal Bureau of Investigations should be notified. Do not removed a suspected device prior to notification of a responsible person (The device should be evaluated to determine its operating characteristics and to further determine the potential damage done). Request a thorough verbal briefing and written report.

Tim Johnson