Tscm Risk Management Presentation June 2012

TSCM Risk ManagementTSCM Risk Management_________________________________________________________________________

© 2012 info@tscm‐za.com www.tscm‐za.com

WelcomeWelcome _________________________________________________________________________

Threat of Electronic Eavesdropping “Focussing on GSM Bugs”

29 June 2012Radisson Blu HotelPort Elizabeth – South Africa

S hi h dSteve WhiteheadManaging Member E d i D i S l i ®


Eavesdropping Detection Solutions®

Lets Meet!Lets Meet!_________________________________________________________________________

Please feel free to askWhat is your name?

What is your role in

Please feel free to ask questions and to share your experiences!What is your role in

your organisation?

H l h

y p

How long have you been in this role?


ObjectiveObjective_________________________________________________________________________

T id li i i f h l d i k i d i h• To provide a realistic view of the value and risks associated withcorporate information protection and to determine who is at risk

• Technical vulnerabilities and latest attack methodology

• Indicators that eavesdropping could be taking place

• Countermeasures to protect informationfrom technical attacks

Indicators that eavesdropping could be taking place

from technical attacks• To raise awareness of the realconsequences of intellectual property andconsequences of intellectual property andinformation vulnerabilities


Status of Technical ThreatsStatus of Technical Threats_________________________________________________________________________

In recent years the technical aspects of electronic• In recent years the technical aspects of electronicsurveillance detection have become much more complex

• Growth in surveillance enabling technology and newterminology – convergence, virtualisation, GSM, GPRS, GPS, IP,l h i i d i l d idBluetooth, VoIP, Wi‐Fi, SD memory cards, wireless, android,

embedded web services and more

• Miniaturisation regarding al three phases of eavesdropping

• Convergence• Convergence

• Technology ‐ empowering people


• Cyber‐espionage

Our Work Terrain Then & NowOur Work Terrain – Then & Now_________________________________________________________________________

• Offices and buildings were drab lifts were manned by building• Offices and buildings were drab – lifts were manned by buildingemployees and receptionists formed the 2nd line of defence

W ll i t d d k h i d fili bi t• Walls were painted green or grey, desks, chairs and filing cabinetswere wooden, warn and scarred

• Office machines were few, heavy, manual in operation andfrequently old

Offices are designed for• Offices are designed for beauty and efficient

functioningfunctioning• It has atmosphere with expensive equipmentp q p• Blurring boundaries


ConvergenceConvergence_________________________________________________________________________

Telephone systems have changed from the traditional PBXand voice to IP based systems and controlled by the ITDepartment

Voice data and video use shared resources and interactVoice, data and video use shared resources and interactwith each other synergistically

Unified communications deployment!

IP telephony transcends the traditional job boundaries of data communications and telecommunications


TechnologyTechnology________________________________________________________________________


Technology________________________________________________________________________


“Power To The People”________________________________________________________________________

Apple sold 15 million iPad’s duringApple sold 15 million iPad s during2010. The craze for tablet computerscannot be ignored by organisations andthey will find their way into the officewhether supported by IT or not.Banning personal de ices is also not an

The question is what do youdo from an IT security

Banning personal devices is also not anoption!

do from an IT securityperspective to control whataccess these devices have toyour corporate networks? Yet another channel via

which corporate data can b t l i d!


be stolen or misused!

Technology – Digital CopiersTechnology Digital Copiers________________________________________________________________________


VoIP Eavesdropping AlertVoIP Eavesdropping Alert________________________________________________________________________


“Wiretapping” Fibre Opticsetapp g b e Opt cs________________________________________________________________________

The fibre cable to be tapped is placed into ai b d l i d i ( ) h li hmicro‐bend clamping device (1). The light

pulses leaking from the cable are detected bythe optical photo detector (2) and sent to anp poptical‐electrical converter (3). The converterchanges the light pulses to electricalinformation that is placed on an Ethernetinformation that is placed on an Ethernetcable attached to an attacker's laptop. Thelaptop, running sniffer software, provides the

k i h i i h d lliattacker with a view into the data travellingthrough the tapped fibre cable

Optical taps have been found on police networks in the Netherlands andGermany. The FBI investigated one discovered on Verizon's network in theU S Networks used by U K and French pharmaceutical companies have also


U.S. Networks used by U.K. and French pharmaceutical companies have alsobeen attacked, probably for industrial espionage

“Wi‐Fi Warping Wallpapera p g a pape________________________________________________________________________


Attack MethodsAttack Methods_________________________________________________________________________

1. Hard wired attacks

2. Telephone attacks

3. Radio Frequency (RF) transmitter attacks

4. Esoteric attacks


GSMGSM________________________________________________________________________

GSM (Global System for Mobile Communications) is a communicationstandard to describe technologies for second generation (2G) digitalcellular telephonescellular telephones

The GSM standard has improved with the development of thirdp pgeneration (3G) standard and GSM networks will evolve further withthe incorporation of the fourth generation (4G) standard


How Does GSMWorkHow Does GSM Work________________________________________________________________________

Th GSM k i f ll E h ll i ll i hThe GSM network consists of cells. Each cell is a cell site thatconsists of an elevated tower that contains transceivers(transmitters and receivers) signal processors a timing receiver(transmitters and receivers), signal processors, a timing receiverand electrical power sources. The GSM network refers to thesetowers as base stations or Base Transceiver Stations (BTS)towers as base stations or Base Transceiver Stations (BTS)


How Does GSMWork (2)How Does GSM Work (2)________________________________________________________________________

Th S b ib Id i M d l (SIM) i d hi hThe Subscriber Identity Module (SIM) is a smart card whichsecurely stores the key identifying information of a mobile phoneservice subscriber as well as subscription informationservice subscriber, as well as subscription information,preferences and text messages. The SIM card is used toauthenticate you to your GSM carrier!authenticate you to your GSM carrier!

The SIM stores network state information such as its currentThe SIM stores network state information such as its currentlocation area identity (LAI). If the handset is turned off and backon again it will take data off the SIM and search for the LAI it was


in before it was turned off!

How Does GSMWork (3)How Does GSM Work (3)________________________________________________________________________

A GSM phone mustpconnect to a base stationvia a signal. When aphone is turned on, thephone searches for asignal to connect with!Behind the scenes, a cellh i i t tphone is in constant

contact with the availablebase station makingbase station makinghandshakes every fewminutes and sending


minutes and sendingdata!

Evolution of GSM InstrumentsEvolution of GSM Instruments________________________________________________________________________


GSM ExploitationGSM Exploitation_________________________________________________________________________

The BBC reported on 2 March 2004 thatThe BBC reported on 2 March 2004 that“Nokia mobile phones that doubles aslistening devices can be bought on thelistening devices can be bought on theInternet”

In spy mode the phone• will not ring• will not vibrate• will not show anything on the screen• phone will auto answer calls• microphone sensitivity is increased


GSM ExploitationGSM Exploitation_________________________________________________________________________

C|net reported on 1 December 2006 that the FBI hasC|net reported on 1 December 2006 that the FBI hasremotely activated a criminal’s cell phone microphone tolisten to the surrounding conversations The eavesdroppinglisten to the surrounding conversations. The eavesdroppingtechnique functioned whether the phone was on or off!


GSM Based BugsGSM Based Bugs _________________________________________________________________________


3G Engine Based Video Devices3G Engine Based Video Devices _________________________________________________________________________

• Concealed in everyday items

• Higher bandwidth enablesvideo product

• Much improved sound qualityand better compressionand better compression


Detecting GSM Based BugsDetecting GSM Based Bugs _________________________________________________________________________


Technology – Cell SpyingTechnology Cell Spying________________________________________________________________________


Millionaire Investigated!Millionaire Investigated!________________________________________________________________________

The Sunday Times reported on 27 November 2011 that that aThe Sunday Times reported on 27 November 2011 that that aPretoria businessman is at the centre of a criminalinvestigation over the alleged illegal interception of hisg g g pestranged wife's private e‐mails, SMS’es and BlackBerrymessages, or BBMs


Detecting SpywareDetecting Spyware_________________________________________________________________________


Phone “Hacking”Phone Hacking_________________________________________________________________________


Not in the BoardroomNot in the Boardroom_________________________________________________________________________


GSM SafeGSM Safe_________________________________________________________________________


“Spycam” InformationSpycam Information_________________________________________________________________________

Type the word “SpyCam” in Google search and you will get 2 020 000hits. Not bad for a word that is not even in dictionary.com

Whole websites are devoted to selling them such as spycam.com, my‐spycam.com and spycamwarehouse.com

“Spycams” are selling big time!

Man eb sites offer ho to instr ctionsMany web sites offer how to instructions

Some “spycam” videos get posted on the Internet

Occasionally someone gets caught


Hidden SpycamsHidden Spycams_________________________________________________________________________


Hidden Video Camera FoundHidden Video Camera Found________________________________________________________________________


Africa ExamplesAfrica Examples_________________________________________________________________________

Sudan’s opposition leader Hassan al‐Turabi buggedFebruary 2012

Bugging devices were found in the hotel rooms ofDr. Willibrod Slaa and another oppositionmember of Parliament at the Hotel 56 in thecapital city of Dodoma Dar Es Salaam Februarycapital city of Dodoma, Dar Es Salaam ‐ February2009

Ugandan government tappingprivate telephone conversationsi H t l ill ll M h 2009


in Hotels illegally – March 2009

Local ExamplesLocal Examples_________________________________________________________________________


Ministers Offices CheckedMinisters Offices Checked_________________________________________________________________________

News 24 reported on 10 May 2012News 24 reported on 10 May 2012that the Minister of State Security,Dr Siyabonga Cwele hasDr Siyabonga Cwele hasannounced in Parliament that“Cabinet members have asked toCabinet members have asked tohave their offices swept for fearthat they are being tapped”that they are being tapped


Local ExamplesLocal Examples_________________________________________________________________________

The Business Day reported on 8September 2011 that the University’sAd i i t t P f Th bAdministrator, Professor ThembaMosia, has confirmed that buggingdevices were discovered in thedevices were discovered in theoffices of senior management at theUniversity and that a senior staffymember has been suspended.


UpdateUpdate_________________________________________________________________________


Who is Breaking the Law?Who is Breaking the Law?_________________________________________________________________________

The Witness (KZN newspaper)reported on 18 March 2011 that aPi t it b d t i dPietermaritzburg advocate is underinvestigation by the South AfricanPolice in connection with a buggingPolice in connection with a buggingdevice that was discovered in theceiling of the Bar Administrator’sgoffice. The same advocate is alreadyunder investigation in connection withthe alleged theft of a hard drive fromthe CCTV surveillance system at thePi t it b d t ’ h b


Pietermaritzburg advocates’ chambers

It Does Not Matter Who You Are?It Does Not Matter Who You Are?_________________________________________________________________________

Th S d Ti d 22 AThe Sunday Times reported on 22 August2010 that former President NelsonMandela’s Houghton house was buggedMandela s Houghton house was buggedprior to the ANC’s 2007 national conferencein Polokwane The SAPS VIP Protection Unitin Polokwane. The SAPS VIP Protection Unitfound the listening device during one oftheir regular sweeping exercisestheir regular sweeping exercises


Fairweather Trust vs InvestecFairweather Trust vs Investec_________________________________________________________________________

Th S d Ti t d 01 A t 2010 th t th Ch it f ilThe Sunday Times reported on 01 August 2010 that the Chait familyof Cape Town is suing Investec for R 170 million. Former Telkomtechnician Seun Briel alleged in a Cape Town court that he illegallytechnician Seun Briel alleged in a Cape Town court that he illegallytapped telephones at the offices and residences of the Chait familyat the request of Investecq

k l bInvestec spokeswoman Ursula Nobregatold the Sunday Times that "is not ourpolicy to spy on clients (or) violate thepolicy to spy on clients (or) violate theconstitutional rights of individuals"


“Bugging” Scandal Rocks SAFABugging Scandal Rocks SAFA_________________________________________________________________________

Ci P d 25 J l 2010 h D J d hCity Press reported on 25 July 2010 that Danny Jordaan, whois the FIFA Local Organising Committee’s CEO; former SAF b ll A i i (S f ) id M l fi Oli h iFootball Association (Safa) president Molefi Oliphant, vice‐president Mandla Mazibuko and CEO Leslie Sedibedi d hi h h hi l i i d i h ddiscovered this month that vehicle monitoring devices hadbeen secretly fitted to their cars


Internal Problems!Internal Problems!_________________________________________________________________________


Recent DiscoveriesRecent Discoveries_________________________________________________________________________


Eavesdropping QuestionEavesdropping Question _________________________________________________________________________

Assuming youAssuming you would not get caught, what iscaught, what is

the least payment

you would want to plant an

d ieavesdropping device at work,

just once?just once?

Source : Kevin Murray March 2009


What is TSCM?What is TSCM?_________________________________________________________________________

TSCM is a counterintelligence activity and refers to a set ofmeasures employed to identify and to investigate hostilep y fy gtechnical devices planted by an adversary for collectionpurposesp p

TSCM is largely directed at the protection of informationg ybut will often reveal physical and other security problems,lack of education and can help to assess the vulnerability of


sensitive facilities

What is Our Task?What is Our Task?_________________________________________________________________________

To detect and to neutralise hostile penetration technologies thatTo detect and to neutralise hostile penetration technologies thatare used to obtain unauthorised access to information. Thisincludes the detection of equipment or building componentsincludes the detection of equipment or building componentsthat have been modified for direct or indirect transmission ofinformation

Basically we are still looking for a recorder, microphone, a videocamera or a transmission that should not be there!camera or a transmission that should not be there!

Acquisition & Transmission of Processing &Acquisition & Conversion

of Information

Transmission of Information

Processing & Storage

of Information


TSCM AngleTSCM Angle_________________________________________________________________________

• Eavesdropping detection (Debugging)

• VIP protection programmes

• Provision of secure environments

• Consulting regarding information protection

• Communications system integrity testing


CountermeasuresCountermeasures_________________________________________________________________________

• Policies and Procedures– Ensuring Technical Countermeasures Becomes Due Diligence

• Outsourcing and Contracting– Choosing a Sweep Team

if i d i l– Verifying Credentials

• In‐house Capability– Equipment

– Training

Certification– Certification

• EducationExecutive Briefings


– Executive Briefings

– Staff Awareness

Guidelines Choosing a Service ProviderChoosing a Service Provider

________________________________________________________________________

One of the most difficultthings is to choose the correctgservice provider

Prospective clients are facedwith a myriad of information

h das each service provideremphasise their experience,backgro nd opinions andbackground, opinions andmarketing messages


Things to Consider When Choosing a Service ProviderChoosing a Service Provider

________________________________________________________________________

1 Is the company recognised by the industry or others?1. Is the company recognised by the industry or others?2. Who will conduct the survey(s)3. Make enquiries about experience and training/refresher3. Make enquiries about experience and training/refresher

training4. Make enquiries about equipment5. On what level will the services be performed6. Certificate of Quality

l d d7. Report, analysis and recommendations8. Do they perform other business services as well such as

electronic surveillance?electronic surveillance?9. Are they prepared to have their findings verified?10. Will they testify in Court on your behalf?


10. Will they testify in Court on your behalf?11. Membership of professional institutions

EquipmentEquipment_________________________________________________________________________


OSCOR Green_________________________________________________________________________

OSCOR Green_________________________________________________________________________


TALAN DPA 7000_________________________________________________________________________

TALAN DPA-7000_________________________________________________________________________


ReportingReporting_________________________________________________________________________

The survey consists of a radio frequency spectrumThe survey consists of a radio frequency spectrumevaluation on various levels, power line sweeps, physicalsearch non linear junction detection and various telephonesearch, non‐linear junction detection and various telephoneand line tests to detect illicit voice and data taps

All signals and measurements are noted, recorded andstored for future comparisons

A complete report is submitted detailing the results of thesurvey with recommendations where applicablesurvey with recommendations where applicable


Reporting_________________________________________________________________________

Reporting_________________________________________________________________________


Final ThoughtsFinal Thoughts_________________________________________________________________________

Espionage is one of the oldest professions because as longa there was one person who had an advantage overanother, one army, or one agricultural or tradingadvantage, someone was skulking about trying to get theirhands on that information or technology

“the most valuable thing in the world is not gold ordiamonds, it is information.”


Final Thoughts (2)Final Thoughts (2)_________________________________________________________________________

• Serious espionagewill include technical surveillance• The possibility must be resolved before accusing people• Bugging is the easiest spy technique to discover• Smart clients don't wait until they "think they are beingbugged"• Intelligence collection is a leisurely process. Conversationsand information are collected – in many ways – long beforethey are used against you. Until this collected intelligence isused, no harm is done. No losses suffered. Pro‐active sweepsdetect snooping early – thus, drastically reducing the


potential for loss Source : Kevin Murray – Spybusters.com

Your Approach?Your Approach?_________________________________________________________________________

I h i f i i h ldi b k?Is your approach to information security holding you back?

Organisations need a clear definition of information security th t i i t t th h t ththat is consistent throughout the

organisation

A weak security culture, training, and attitude can easily open up anorganisation's security to attack Executives play a key role in influencingorganisation s security to attack. Executives play a key role in influencingemployees to pay more attention to awareness training and security. Ifemployees do not see executives making statements and demonstrating the


importance of security, they are not likely to treat it as a priority either

Phone Hacking Kills Multi gBillion Dollar Business

_________________________________________________________________________

News Corp.’s News International unit recently announced thatit will shut down its News of the World tabloid. Why is this

You are responsible for your employee's

yimportant to you...

You are responsible for your employee sactions. Ethics, like security is a top‐downcorporate culture. A strong corporatecorporate culture. A strong corporatecounterespionage programme sends twomessages: spying is not tolerated (in eitherdirection), and employees are obligated topro‐actively protect corporate intellectual


assets! (Source : Kevin Murray – Scrapbook)

About UsAbout Us_________________________________________________________________________


A Complete PackageA Complete Package_________________________________________________________________________

Awareness Briefings

P li iPolicies

Procedures

Standards

VIP Protection Support

Communications S itSecurity

Provision of Secure Environments


Environments

MembershipMembership_________________________________________________________________________


Join UsJoin Us_________________________________________________________________________


Questions?Questions?_________________________________________________________________________


Tscm Risk Management Presentation June 2012

Documents

Transcript of Tscm Risk Management Presentation June 2012