THE WALLS HAVE EARS

Feb 1, 2005 12:00 PM, By KEVIN D. MURRAY



Eavesdropping detection is a serious business in the corporate environment, and counterespionage work is a full-time specialty within the security field. Corporate security should work together with professionals instead of “playing detective” themselves, to ensure a thorough inspection is made. This article will cover what a customer can expect from an eavesdropping inspection service and what tools are used in the inspection process.

Electronic eavesdropping inspections — sometimes referred to as technical surveillance countermeasures or TSCM — are a company's systematic effort to detect intelligence collection efforts.

Starting such a program, or upgrading current efforts, involves working with an independent security consultant who specializes in surveillance detection testing and overall counterespionage consulting. The consultant should not be product-affiliated. Accepting remuneration from product sales, accepting commissions or kick-backs, or having a menu of “other recommended services” that his company provides can cloud judgment.

The most visible part of the specialist's work will be the search for electronic eavesdropping devices. It is not, however, the only part. A good counterespionage consultant will also identify and make corrective recommendations for other information-loss vulnerabilities, such as inadequate perimeter security or poor security habits.

Working with the specialist, the customer can develop a list of sensitive areas. Not all areas of the facility are equally sensitive, or sensitive at all. The list of areas to be inspected is not rigid. It will change with time and circumstances. The process is very economical if planned properly. It is rarely necessary to “check everything.” Creating a hierarchy of areas being inspected increases effectiveness and reduces costs. Sensitive areas might include offices, conference rooms, executive dining areas, off-site meeting locations, executive homes, vehicles, etc.

Once the sensitive areas in a facility are identified, a specialist can help the user decide how often to conduct reinspections. Each area will have its own Window-Of-Vulnerability-Tolerance (WOVT).

What is the cost of an inspection?

Inspections will cost a lot less than suffering a loss or a lawsuit. Eavesdropping detection inspection services are usually charged on a per-item basis, or in the case of smaller assignments, a pre-agreed-upon flat rate. All budgets may be accommodated simply by inspecting the most sensitive areas first. Counterespionage consulting is usually billed on a daily basis. Small inspections involving, say, five average size offices, five telephones, associated wiring and switching equipment, and a final written report, might cost $3,700. A larger inspection involving 20 average-size rooms, a large board room, 40 telephones, associated wiring and switching equipment, five fax machines and associated wiring, six speakerphone systems, a video teleconferencing unit and a final written report might cost $18,500. It is important to get a knowledgeable and well-equipped specialist who may complete an inspection in half the time required by someone who is ill-equipped and not very knowledgeable. A qualified specialist will also be many times more effective.

What is an inspection program?

The service supplier will come to a facility with his instrumentation at a mutually convenient time. This visit is usually scheduled during off-hours so as not to be disruptive to work. The next sections will describe how the actual inspection will happen.

Preliminary Evaluation/Survey

At the outset, the specialist conducts a background interview to obtain an overview of the security climate, concerns and culture. (This discussion is not held within the areas being inspected.) Just like a doctor, he wants to fully understand the symptoms and circumstances that preceded the call for assistance, or the decision to begin a proactive protection program. A survey of current security measures includes an inspection of perimeter and interior physical security hardware — doors, locks, windows, vents, alarm devices, wastepaper disposal methods, etc. It also includes a review of current security policies and procedures. A tour of the facility may be part of the process. All the necessary keys should be available, along with a copy of the floor plans, if necessary.

Visual Examination

The areas in question are visually inspected for eavesdropping devices, and evidence of prior eavesdropping attempts (bits of wire, tape, holes, fresh paint or putty, disturbed dust, etc.). The technical investigators rely heavily on their eyes, knowledge and experience during this stage of their work — these are the finest detection instruments available. The visual inspection is thorough and includes furniture, fixtures, wiring, ductwork, and small items within the area.

Acoustic Ducting Evaluation

Unexpected sound leakage into adjacent areas has been found to be the cause of many information leaks, especially the in-house type. Open-air ceiling plenums, air ducts, common baseboard heater ducts, walls common with storage/rest/coffee rooms, and holes in concrete floors have all aided eavesdroppers at one time or another. The acoustical ducting evaluation takes all of this into consideration.

Inspection of Telephone Instruments

An extensive physical examination of telephone instruments is undertaken. There are many types of attacks involving bugs, taps, and wiring modifications that can compromise a basic telephone instrument. Business telephones have additional vulnerabilities, some of which are legitimate system features that, when abused, become eavesdropper-friendly.

After a telephone instrument is opened for inspection, it is put back together and its screws are sealed over with security tape. This provides visual proof that the phone has not been opened since the technical investigator last inspected it.

Security seals should be custom-made and serialized so that they cannot be duplicated. Computer-printed sticky labels, nail polish, or even stock security seals are not adequate in this situation.

Customers can periodically inspect their consultant's security seals themselves. Broken seals may indicate an intrusion, while missing seals may indicate a switch of telephone sets. Either condition is suspicious and should prompt a call to a specialist (from a safe phone, of course).

Inspection of Other Communications Devices

Other communications devices such as faxes, speakerphones, modems, computers, etc. are included because they may carry information the eavesdropper finds interesting. One not-so-obvious reason for inspecting is that their connections to the outside world can be hijacked. Standard audio and video room eavesdropping devices just love fax and modem lines, LANs, VoIP and wireless LANs! All are additional sound/video/data-moving conduits which need to be inspected.

Inspection of Telephone Wiring

Wiring associated with the telephones under test is inspected for attachments and damage. Damaged wiring is often the only evidence of a prior wiretap.

Junction blocks — where telephone wires connect to each other within a building — may also be inspected. These connected wires form a path between the telephone instrument and the on-premises telephone switching equipment. In some cases (e.g., simple residential phone service and facsimile machines) internal wiring connects directly to outside cables which lead to the phone company central office. Junction blocks are an easy and relatively safe place to attach a wiretap device. Extra wiring paths may also be constructed at junction blocks (using the spare wiring already in place) to route the audio/video/data to a remote relay device or a listening post.

The building's telephone room houses more junction blocks for the internal phone system; switching equipment for the internal telephone system; and telephone company junction blocks for the incoming lines. This is another area of vulnerability which requires an inspection from both a wiretapping and physical security point of view. In large buildings, this room is usually found in the basement/utility area. Historically, small to medium-sized telephone rooms have received minimal security attention.

Phone Line Electrical Measurements

Measurements are taken and compared against telephone industry standards. Readings which deviate from the norm can help reveal certain types of wiretaps.

  • Time Domain Reflectometry Analysis. In this test, a pulse is injected into the telephone line. If the two wires are intact and parallel to one another, the pulse continues its trip smoothly. If the pulse passes a point where there is a change in the wiring (splices to other wires, a wiretap, a wall plug, the end of the wires, etc.) a portion of the pulse is reflected back and alerts the technical investigator to a possible problem. An instrument called a Time Domain Reflectometer (also known as TDR or cable radar) injects these pulses, reads their reflections, and measures the time difference between the two events. This allows the TDR to calculate the distance to the irregularity. A time-vs.-irregularity graph is displayed on the TDR's display. This signature is interpreted. Imperfections in line integrity are calculated to within a few inches of their actual location, and then they are inspected in person.

    This device allows a thorough examination of the wiring even when hidden from normal view. Time Domain Reflectometry allows reliable testing of phone wiring up to 2,000 feet in length, and detection of some wiretap attacks at distances of up to 36,000 feet.

  • Non-Linear Junction Detection (NLJD). This detection technique — similar to retail shoplifting tag detection — is used to locate the semiconductor components used in electronic circuits, e.g. diodes, transistors, etc. Bugging devices which contain these components (transmitters, tape recorders, amplified microphones, miniature TV cameras, etc.) are discovered in this manner. They are detectable even when secreted inside walls and objects by using an NLJD. The NLJD emits a radio signal and listens for the return signal from the electronic parts which make up eavesdropping devices. Also, discovery of an eavesdropping device using an NLJD is not dependent on the eavesdropping device being active at the time of the search.

  • RF Spectrum Analysis/Radio Reconnaissance Spectrum Analysis (RRSA). Eavesdropping devices which transmit a radio signal (over-the-air or on building wiring) may be detected with an instrument called a Spectrum Analyzer. In simple terms, it can be thought of as a radio which has a very long and continuous tuning dial. The received signals are shown on a display screen for visual analysis, and are also converted to sound. Radio Reconnaissance Spectrum Analysis is a technique that carries the detection process several steps further. Each signal the technical investigator receives is evaluated to determine if it is carrying voice, data or video information from the sensitive areas being inspected. Analysis also includes converting video signals into viewable and documentable television pictures. Capturing eavesdropping evidence on-the-fly is quite important, but may not be available from inexperienced or under-equipped purveyors.

    In addition to detecting video bugging devices, the RRSA technique detects computer emissions. These are signals inadvertently emitted by some computers which can be received and reconstructed from a considerable distance away. The technique also detects emissions from computers which have been deliberately bugged.

    Due to the sensitivity of an RRSA system, radio transmissions from bugging devices are detectable even if the device is not in the vicinity of the areas being inspected. This means that although only certain rooms may be slated for inspection, entire sections of buildings benefit from this particular test.

  • Thermal Emissions Spectrum Analysis (TESA). Electronic eavesdropping devices and covert spy cameras are discovered with speed and certainty thanks to a relatively new detection method: Thermal Emissions Spectrum Analysis (TESA). TESA allows hidden bugs and spy cameras to be “seen” on a portable video display by virtue of the minute amounts of heat radiated as electricity flows in their circuitry. Surveillance devices hidden in ceiling tiles, in walls and in other common objects create slight warm spots.

    Detecting eavesdropping devices requires sensitivities in the thousandths-of-a-degree Celsius range — much less than the amount of heat one's fingertip leaves on an object after touching it for a split second. Currently, thousandths-of-a-degree level of sensitivity is only available in special lab-quality instruments priced in the $50,000 and up range. Lab-quality TESA instrumentation is different from the utility-grade infrared cameras used by police and electrical inspectors — as different as prop planes are from commercial jets. Utility infrared cameras cost $8,000-$30,000, but their sensitivity is only in the tenths-of-a-degree range.

    Availability of this very worthwhile test procedure is still limited due to the cost of instrumentation. Employing this level of testing may not ensure a consultant's professional competence, but the ability to deploy the latest detection technologies is a good start.

  • Additional tests. As in the medical profession, counterespionage consultants also have many tests that are selectively applied depending upon a client's specific needs or concerns. Every situation is a bit different.
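
As an added illustration of the Time Domain Reflectometry item above (not code from the article or from any instrument vendor), the following Python example converts reflection delays into distances along the line and flags reflections that were absent from an earlier trace of the same line. The velocity factor, the sampling interval, the comparison against a stored baseline trace and both sample traces are constructed assumptions.

```python
# Added example: locating wiring irregularities from a TDR trace.
# Constants and sample traces are constructed assumptions, not instrument data.

C_FT_PER_NS = 0.9836     # speed of light, feet per nanosecond
VELOCITY_FACTOR = 0.66   # assumed for twisted-pair cable; cable-specific in practice
SAMPLE_NS = 1.0          # assumed sampling interval of the instrument

def distance_ft(round_trip_ns, vf=VELOCITY_FACTOR):
    """One-way distance to a reflection; the pulse travels out and back."""
    return round_trip_ns * C_FT_PER_NS * vf / 2.0

def find_reflections(trace, threshold=0.05, skip=5):
    """Return (distance_ft, amplitude) for each local peak above threshold.
    The first `skip` samples hold the injected pulse and are ignored."""
    events = []
    for i in range(max(skip, 1), len(trace) - 1):
        a = abs(trace[i])
        if a >= threshold and a >= abs(trace[i - 1]) and a > abs(trace[i + 1]):
            events.append((round(distance_ft(i * SAMPLE_NS), 1), trace[i]))
    return events

def classify(amplitude):
    # Positive reflection: impedance rises (open end, series element).
    # Negative reflection: impedance drops (parallel connection, short).
    return "impedance rise" if amplitude > 0 else "impedance drop"

def new_irregularities(baseline, current, tolerance_ft=2.0, **kw):
    """Reflections in `current` with no same-polarity match in `baseline`."""
    known = find_reflections(baseline, **kw)
    found = []
    for dist, amp in find_reflections(current, **kw):
        matched = any(abs(dist - d) <= tolerance_ft and (a > 0) == (amp > 0)
                      for d, a in known)
        if not matched:
            found.append((dist, classify(amp)))
    return found

def make_trace(n, events):
    """Build a constructed trace: injected pulse at sample 0 plus reflections."""
    trace = [0.0] * n
    trace[0] = 1.0
    for index, amplitude in events:
        trace[index] = amplitude
    return trace

# Constructed traces: the earlier one shows a wall plug and the open cable end;
# the later one shows an additional parallel connection part-way along the line.
BASELINE = make_trace(400, [(60, 0.08), (300, 0.60)])
CURRENT = make_trace(400, [(60, 0.08), (140, -0.20), (300, 0.55)])

if __name__ == "__main__":
    for dist, kind in new_irregularities(BASELINE, CURRENT):
        print(f"new {kind} at about {dist} ft; inspect in person")
```
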

In addition to the group of inspection procedures already mentioned, there are tests which are used as the situation demands. A good technical investigator will bring additional analysis and thought to the inspection process. The overall goal of the specialist should always be to solve the concern, not simply to dash blindly through a one-size-fits-all checklist.

Customers should expect to be taken on a guided tour of the whole inspection process, test by test (in easy-to-understand terms), the very first time one is conducted. The more customers know about what the technical investigators are doing, the better it is for all concerned.

In addition to the tests outlined above, the investigative process should also take into consideration infrared, fiber optic, hydrophonic and new eavesdropping threats — which will develop in the months and years to come as new technology is introduced to the market.

Final Report

When the inspection is complete, the customer should receive a full verbal debriefing. In this meeting the lead technical investigator highlights all serious problems he found, and recommends solutions which may need to be implemented promptly. A detailed written report should be forthcoming within a week.

A final report should include

  • a statement about why the inspection was undertaken — proactive, or active problem;

  • a description of all the areas and communications equipment inspected;

  • an explanation of all tests conducted;

  • the findings;

  • recommendations for security improvements;

  • a review of any other espionage loopholes found;

  • security improvements since the last inspection;

  • photos, floor maps, inspection history logs, etc.; and

  • other useful espionage prevention information.

Final reports are important documents and should be safeguarded. Together they show a continuing effort to provide information security for specific areas within a business or agency. This is proof that the company took extraordinary steps to legally classify its information as proprietary and secret.

Important Extras

A counterespionage consultant would be seriously remiss if only electronic eavesdropping issues were addressed. Experience has shown that few information leaks can be blamed solely on electronic eavesdropping. Sure, eavesdropping may be the most devastating form of espionage — that information is the freshest. But this is only one piece of the puzzle. To see the entire picture, a good spy will collect the other puzzle-parts as well. Each part may seem innocuous in and of itself, but they are synergistically related.

A specialist should take a holistic approach to information security and should endeavor to solve problems or concerns no matter what the actual cause.

One never hears about successful eavesdropping or espionage attacks. That's because they are covert acts. Frequency of publicity is on par with commercial airline flights — only the partially completed flights (crashes) make the news. Watergate, for example, was a classic case of espionage incompetence in action. But, for every Watergate, there are many more silent successes. This apparent quiet is what gives uninformed people the impression that spying does not occur. It is a false sense of security. Not only is information theft invisible and silent, it is also prevalent. Spying is a common activity. Discovery relies heavily on proactive inspections — and intuition. Whenever an executive suspects an information loss, it is a legitimate warning flag. It is not paranoia.

FOR THE RECORD

About the Author

Kevin D. Murray, CPP, specializes in eavesdropping detection and counterespionage consulting for business and government. He invites readers to contact him via his “What's your question?” page at www.spybusters.com.

The article is excerpted from a new book about security entitled The Facility Manager's Guide to Security: Protecting Your Assets by Robert N. Reid. ISBN: 0-88173-479-9 6 × 9, 327 pp., Illus., Hardcover. The book is available from Fairmont Press at www.fairmontpress.com.

© 2012 Penton Media Inc.
