Preventing Countering Espionage - A modern threat
Intersec Magazine ❘ January 2005
Corporate Espionage was once thought of as a risk that only affects the richest companies in high-risk sectors or emerging markets; the latest trends suggest this is far from the truth.
The history of espionage, thought by some as the second oldest profession in the world, can be traced back to biblical times with more than 100 references in the Old Testament. Sun Tzu’s book “The Art of War”, written around 500 BC, deals specifically with intelligence networks and intelligence gathering. Unfortunately, as is often the case, history has not taught us the most basic of lessons; that intelligence is power, whether in business or war, and who has intelligence has the upper hand.
Many are naive enough to think that espionage comes straight out of the pages of Ian Fleming's James Bond, confined to Governments and the largest of corporations. They are very much mistaken.
No one wants to be a victim, least of all admit to being a victim, yet the rewards for those carrying out espionage far outweigh the risks or expenses involved. Sad as it may seem, a simple device bought for as little as two hundred pounds can cost a company millions through lost corporate intelligence. At the lower end of the scale, there is the office refuse; if this is not disposed of correctly, it can be yet another source of leaked information within companies or organisations.
Directors, management and IT personnel of many companies fail to understand the fundamental basics of countering espionage and the techniques employed by those carrying out such activities.
Millions of pounds are spent each year on eavesdropping transmitters, computer keystroke loggers and telephone recording systems. Everyone wants to know what everyone else is doing in business, and for some, it makes sense to have a budget for “intelligence” before entering into litigation suits, hostile takeovers or mergers and acquisitions.
Litigation, for example, is an area of complex issues, cross border or otherwise, where technical surveillance has in the past, been used to affect the outcome of a given case. When a case is worth £500 million, spending £50,000 on winning makes sense to many companies and far outweighs the risks of becoming the loser.
The level of the risks involved in Corporate Espionage is all relative to the financial rewards. The level of the technology employed is relative to the investment.
It is more and more evident that few security companies fully understand the technology involved and how communications operate or are intercepted/manipulated, leaking vital corporate intelligence to competitors.
Some Technical Surveillance Counter Measures (TSCM) firms are so far behind that the advice they pass on to their clients is often futile. With budgets in the tens of thousands of pounds, a telephone can be intercepted miles away from the target location and monitored from the other side of the world, live. Each call is time and date stamped, in turn recorded on a computer for later evaluation.
The fact of the matter is, in some cases a TSCM sweep is of no use when technical surveillance can be so remote. Better understanding is needed, both of the modus operandi and of the latest technology. Few TSCM firms understand just how far an espionage budget of £20k can go.
TSCM sweeps as part of a security housekeeping policy do make sense if carried out to include computer systems, rooms and telephone lines to the local exchange level. It is true that the basic technical principles of espionage techniques have not changed too much over the past twenty years since the end of the cold war. However, the movement in technology and the vast use of communications spanning the world has led the public into a false sense of security and apathy when employing these communication techniques.
Any electronic communication can be intercepted at one level or another; the role of the TSCM firms should be best utilised in identifying the areas of weakness and employing measures to combat these possible areas of weakness.
Many large companies fall foul of size and general lack of in-house security policies, making espionage far easier and easier still with inside information.
The placement of bugging devices in offices or boardrooms is not always the first option for espionage; often, the logistical problems involved in a live covert device far outweigh the benefits. However, should access have been gained via inside information or chance, many of those carrying out espionage prefer to install hardwired GSM based devices, solving power and distance issues. Cat5 cabling for example, is a good carrier for installing covert microphones. A GSM device being located elsewhere in the complex acts as a “ voice-activated transmitter” and is almost impossible to locate during a TSCM sweep of the given boardrooms or offices.
Having a good internal security policy will aid a company and deter potential offenders. Staff should challenge visitors not displaying a visitors badge; visitors should be met at reception and not left unattended. Workmen also should not be left unattended, and all companies should employ a clean desk policy where possible.
A device placed on the telephone line can be as far as five miles away prior to the line entering the local exchange. A simple device that tests line voltage or impendence will not detect hi-tech devices unavailable to the general public. These varieties of devices are normally of GSM type and utilise the power from other sources within the local exchange/cabinet. They are nigh on impossible to detect without a physical check of the line up to the local cabinet (green roadside cabinet) level.
Securing an external landline to the property need not be an expensive encryption system; replacing an analogue system with digital ISDN/ADSL system will ensure that the line is far more secure. Fibre-optic cables cannot be easily tapped into, unlike a twisted copper pair; a “pod-splitter” and true line identification are required.
The fact is that while it costs in excess of £250k for the necessary equipment for intercepting a cell phone, jamming the phone's signal costs less than a tenth of that price and is far easier on an operational basis. A target uses a cellular telephone because she/he thinks that it is the most secure way of communicating. A cellular jammer can be deployed to jam the cellular telephone, forcing the target to use the intercepted landline. Keeping it simple counts low risk and high gains.
Trojan Viruses sent to targets via email can contain complex keystroke logging programmes or open back doors to computer systems. At the lower end of the scale, there are many of such programmes freely available on the Internet, at a low cost or for no cost at all. At the higher end of the scale, there can be hackers targeting a business/director in order to gain given intelligence on sensitive financial matters. The cost of the latter option, whilst in the thousands of pounds mark, is, as I have previously covered, worth the risk in the larger cases.
New, off-the-shelf, computers are not as secure as users might think; the default settings are insecure and need to be configured prior to connection to the outside world. The most basic of steps should always be taken, updating anti-virus software on a weekly basis, backing up networks and installing a hardware firewall are just some of the easiest options to employ as a countermeasure.
The best answer to computer security is file and email encryption, this though, only providing that the computer system is firewall protected.
Bluetooth™ and Wireless connections
Wireless computer connections are high risk and can, if not set up correctly, be intercepted at ease by external attack. This risk has been highly reported over the past two years, but many manufacturers have still failed to change the default settings of their devices, thus enabling other “attacking” systems to connect and download vital information such as address books and other files; all without the user's knowledge.
Overall, what must be taken on board is that no one wants to work in a locked-down environment but in a secure one. All security recommendations need to be both affordable and workable; the simpler, the better, realistic and in keeping with the level of a possible threat.