Technical Surveillance Counter Measures
(Countermeasures and counterspy)
Security & Spy Threats
In securing communications, a director must know
the potential security threats and available countermeasures.
by Kerrigan Lydon
Electronic surveillance and the need to protect information are undisputed facts in business and government. The fear that the security threat evokes among executives is easily exploited by counter measure products and "experts" that claim the ability to detect all taps on phones and bugs in offices.
The fact is, surveillance is extremely difficult to detect. If such an attack is suspected, or is going to be avoided, the security executive must know what steps to take and what equipment options are available and practical for him.
The initial steps a director must take in confronting a surveillance problem and protecting information begin with some fundamental concepts of security. For example, physical security of the facility, surveys of vulnerability, and the savvy to know when expert advice or counter measure equipment are needed are all paramount tactics in protecting information.
If a director suspects a surveillance threat, experts advise that a vulnerability assessment be undertaken. The director must assess who or what is the potential target of attack, how valuable that target is, who is most likely to need that information and what resources they have to launch an attack.
"When someone asks for my help," said James A. Ross, counter measures consultant, "the first question I ask is, What information do you have; what is so sensitive that some opposing force is going to the extreme risk of breaking into your communications?"
Once it is determined that a definite surveillance problem exists, or that information is so sensitive a problem is imminent, the director should know how to either impede and prevent an attack or how to detect it. He must also have the shrewdness to know when to call in an expert.
Surveillance Techniques in Brief
An understanding of the fundamental types of surveillance attacks is a prerequisite to understanding counter measure equipment. Basically, there are two means of electronic surveillance: bugs, devices that remove audio from a target area, and taps, eavesdropping devices connected to communications systems such as telephones, telex (fax) machines or computers. Bugs and taps vary in degree of sophistication, as do the means to detect them. Essentially, surveillance attacks are either wire alterations in existing communications lines or radio transmitter implants in the target area. Both techniques convert audio waves to radio waves and then re-modulate them for listening or recording.
Protective counter measures for a facility begin with physical security and effective access controls. Clearly, tight access controls will deter illegal entry and thus limit a facility's vulnerability to surveillance attack. But strong physical security will not impede determined surveillance artists, nor will it stop the leaking of information by employees.
Experts advise the "common sense" threat analysis and physical inspection be conducted first for the simplest and cheapest assurance against espionage. A search team, be it trusted professionals or security staff members with training in counter measures, should inspect the area for subtle signs of reconnaissance. The entire area, from the roof to the foundation, both inside and out, should be checked for strange wires, freshly turned earth or new mortar that might be used to hide radio transmission wires. Potential listening posts around and inside the facility should also be investigated. Likewise, any possible information leaks by maintenance personnel or eavesdropping by staff members should also be surveyed.
"Sweeping" the Facility
Detective counter measures involve more technology and should be used only after a threat analysis and physical inspection. Generally, the most important part of a counter measures survey is the search for radio transmitters. Again, because listening devices vary in sensitivity, so do the means to detect them.
Diode detectors (commonly known as "sniffers"), field strength meters, or grid dip meters are the least expensive and least sensitive type of bug detector. They range in price from about $50 to $1,000 and are limited in their applications. Because they measure the electro-magnetic field radiating from a transmitter and have no means of screening or selecting frequencies, diode detectors cannot distinguish a 50 milliwatt transmitter implant emission from the 1 million watt emission of a local television station. Diode detectors are best applied in rural areas or cities without heavy television and radio transmission. In that application, they have a greater chance of locating a low level transmission from a bug. It should be noted that these devices have a high false alarm rate and are generally thought to lack the screening and sensitivity capabilities that make equipment practical and assuring.
Higher quality search receivers are the principal tool a security officer or counter measures expert will use in detecting a clandestine transmitter. Prices of these various receivers range from $7,000 to $40,000 depending on the level of sophistication.
Broad band receivers using audio feedback systems are considered by several authorities to be a cost-effective detection measure for small to mid-size businesses that for economical reasons must conduct the search on their own. Priced at about $1,500, these receivers do not require intensive training or knowledge of electronics. They are best applied against a low level attack where the suspected infiltrator has limited resources and is most likely using a relatively primitive transmitter.
Audio feedback devices rely on an amplifier to enhance room audio. If a transmitter is picking up audio in a room, the receiver and amplifier will produce a loud squeal when swept near the hidden transmitter. This can be a major drawback to the device because an eavesdropper could hear the squeal, know his listening tactic is being detected, and could quickly evacuate his listening post. Another drawback is that the operator does not know how sensitive the receiver is to any particular frequency, as this sensitivity can vary depending on the manufacturer. Thus, it is difficult to determine how accurately the receiver is surveying various levels of the radio spectrum.
Because experts recommend that any phase of a sweep be conducted in a subtle manner, consideration should be given to the indication mechanism of the receiver. Some devices indicate a bug by flashing a warning light so that only the operator knows a transmitter is detected. Others employ ticks and noises that will let the eavesdropper know of the detection too.
Tuning capabilities of the receiver are another point to consider. Untuneable receivers, which carry different manufacturers' names and are essentially variations of the audio feedback receiver, can be accurate and effective. Tuneable receivers, however, will provide a more definitive analysis of the area.
In general, search receivers must demonstrate the following characteristics. They must be highly sensitive and selectable over a large radio spectrum so that a wide range of potential bug frequencies can be surveyed. They should exhibit frequency stability and be capable of different demodulation techniques. That is, good receivers will be able to separate or remove audio signals from carrier waves so that a trained technician can analyze the nature of the signals being detected. Good search receivers also will demonstrate a high rejection of unwanted signals adjacent to frequency ranges being analyzed. This will increase the accuracy of the sweep.
Among the more sophisticated versions of counter measure equipment are spectrum analyzers and non-linear junction detectors. The spectrum analyzer costs about $8,000 to $9,000. It is usually less sensitive than a standard counter measure receiver, but because it displays its screening and tuning capabilities on a video screen, it is often used by professionals to augment a surveillance receiver. The non-linear junction detector costs about $18,000 and uses the reflection of microwave emissions to detect a bug.
Telephones, telex (fax) machines and computers are the most vulnerable area of information security. Attacks against them fall into two categories: taps and compromises. Taps are simply eavesdropping connections on the telephone, while compromises are modifications in the telephone wiring that utilize part of the phone system for room and line eavesdropping. any phone, even those not is use, can become an effective listening device when compromised.
Experts emphasize strongly that there is no way to prove conclusively the existence of a phone tap short of a physical inspection the the entire length of telephone wiring. For this reason, protective measures are recommended first over detective measures if a surveillance threat is suspected.
There are numerous ways to protect a phone system against taps and compromises. Because many phone attacks draw transmitting power from the phone itself, protective measures hinge on cutting off the power source, thus rendering the wires useless for the leaching and transmission of data. This can be done quite simply by unplugging phones in a suspected area. For a multiline phone system, ensuring that all hold and line buttons are in the up position will close off the power flow and negate a bugging device.
There are several protective devices that assure transmission of information without debilitating your daily communications systems. One recognized device, according to several counter measure experts, is the telephone scrambler. Priced between $500 and $13,000, scramblers encode audio signals passing through the wires and then decode them at the other end. Both listener and speaker need compatible scramblers in their phone for the technique to work.
Audio jamming devices, advertised under various manufacturers' names, are another impedance method. Ranging in price from $500 to #3,500, the mechanism injects modulated signals that are heard as noise obscuring the conversation if intercepted. A major problem is that as signals pass, the modulation signals are often filtered out through normal clearances of the phone company. There is no guarantee that this filtration will or will not occur.
It cannot be emphasized strongly enough that there is no guaranteed way to detect telephone taps and bugs. Some means are available, however, that can detect the presence of a low impedance tap on the line. Other means can detect the presence of a bug if the implant contains its own power source.
As stated earlier, wiretaps commonly operate in a parasitic nature, drawing transmitting power from the phone system voltage. By contrast, radio transmitter taps contain their own amplification and power sources to relay digital information.
Several wiretap detection devices, sometimes called telephone analyzers, are available for an average price of $4,000. They operate by measuring a change in voltage on the line, thus indicating the presence of a parasitic tap. A $50 voltmeter can accomplish essentially the same thing. The analyzer and the voltmeter can find crude voltage-activated tape recorders and taps that draw an excessive amount of power from the line.
In detecting telephone compromises that leech power from an unused telephone and transmit room audio, a high gain transistorized amplifier is used. Variations are commercially available ranging in sophistication and price from $90 to $150. The device is clipped to telephone wires and basically acts as a tap itself. If the telephone is not in use and room audio is heard when amplified by the high gain transistor, the phone has been compromised. This procedure can be time consuming as all line pairs must be tested.
Radio transmitters on a phone system can be detected by the same equipment that is used to find transmitters in a room. At times they can also be effectively detected by a simple tape recorder/transmitter detector available for about $1,000. Both the small tape recorder/transmitter detector and the counter measure receivers will detect a phone radio transmitter if the mechanism has been place in the phone itself. This is frequently not the case, however, because radio taps can be effective when attached to any accessible point on the phone wires. But for bugs placed in the mouthpiece or elsewhere in the phone, counter measure detectors will effectively indicate their presence.
Digital and Computer Information Protection
Interception of communications originating from teletypes, data-phone, facsimile and computers is done with many of the same transmitter and coupling techniques that are used for audio interception. It is worth noting that despite the low risk of capture when tapping these media, interception is difficult to implement and only in extreme cases is it cost effective.
text for photos:
tscm1: The non-linear junction detector, a sophisticated counter measure, reflects low level microwaves to detect implanted transmitters, microphones, recorders and amplifiers.
tscm2: Transmitter/Tape recorder detectors can be as small as a pack of cigarettes and allow the individual to subtly check an area for hidden transmitters or recorders.
tscm3: Telephone analyzers vary in degrees of technology and effectiveness. They measure the voltage of wiring in the phone system to determine the presence of a tap.
Computer surveillance is fast becoming a security concern because of the increased use of computers in business. Leeching computer information requires extensive manipulation and interference with programming. To protect computer systems, operating programs should be augmented by additional access codes for sensitive data. Inexpensive modules to encrypt and decrypt digital computer information are available to improve levels of security.
The art of surveillance and counter surveillance is an esoteric topic that the security director confronting an information protection problem should be educated in. In summary, he should know the fundamentals of attack techniques and counter measure equipment. He should begin by analyzing the surveillance threat and closely inspecting facilities and telecommunications for potential vulnerability. Above all, he should know that there are no guarantees to detect all types of technical espionage. There are only steps to take, protectively and detectively, that will increase the chances of keeping information confidential.