How to perform a bug sweep

The revelation of the identity of Deep Throat, the secret source of the Watergate scandal, reminded me of an old threat we still face today known as "bugging" or, as those in the business call it, "technical surveillance." Receiving information about a victim through audio or video surveillance provides an attacker with a wealth of information. And, as today's electronics become more sophisticated, bugging equipment once available only to spies is now easily obtainable on the Internet. In response to this threat, many corporations have started to perform bug sweeps or Technical Security Counter Measure (TSCM) operations, with the help of outside contractors.

TSCM is a specialized area, and performing a sweep requires expensive equipment that needs regular updating. As a result, sweeps can be pricey, although not as pricey as the losses from a bugged office. Many firms charge more than $10,000 for one floor of an office building. Therefore, you may want to limit the scope of the sweep to especially sensitive areas such as corporate management offices, boardrooms, etc. If you take this approach, it is important to remember to limit sensitive discussions to the "cleared" areas.

When researching vendors, ask about the equipment and techniques they use. Legitimate TSCM firms are up front about their techniques and technology. To find out if a potential vendor is legitimate, ask for references and seek out recommendations. Your local chapter of the FBI InfraGard or Secret Service Electronics Crimes Task Force may be a good place to start. Industry associations, such as the American Society for Industrial Security (ASIS), may also be of help.

Related Information   Discover how to stop hackers in their tracks. Learn five measures you can take to protect your organization from insider threats.

To help weed out the wannabes, let's take a closer look at five basic technologies used by genuine TSCM operators:

• RF detection. Some surveillance devices use radio frequency (RF) transmissions to carry their signals to the listener. To find these, TSCM analysts use an RF analyzer like REI's OSCOR (Omni Spectral Correlator). The OSCOR absorbs the RF transmissions in an area and uses a built-in database to filter out those known to be legitimate, such as TV and radio stations. The remaining transmissions are presented to an operator for analysis to determine if they pose a threat. The OSCOR is also used to store a profile of the radio frequency environment of the location. During later sweeps, comparing the record of the previous environment with a new set of signals can quickly point to potential problems.
• Detection of electronics. More sophisticated surveillance devices can be turned on and off as needed. When a bug is turned off, it does not transmit any RF signals and is therefore invisible to RF detection devices. In order to find these stealthy devices, the TSCM professional will turn to a Non Linear Junction Detector (NLJD). The NLJD looks a bit like one of those metal detectors they used to sell in the back of comic books. It works by sending out RF signals tuned to cause the semiconductors in electronic devices to resonate, even if they are powered off. During a sweep, the TSCM operator passes the NLJD over every surface in the office, looking for electronics in places where they should not be.
• Heat can be another telltale sign that electronics are present. Because small heat variations may point to a power supply, a TSCM toolkit should include a thermal imager, which the operator uses to scan the office and objects in it. If hot spots are found in unlikely places, a manual inspection is conducted to determine if they are from suspect devices.


• Phone and power lines are also popular places for the placement of surveillance devices. Phone lines provide power, access to conversations and other information, and a way for attackers to receive information. Power lines can provide power to devices hidden in electrical outlets and transmit information out of the area under surveillance. The TSCM operator will use equipment to detect anomalous behavior on these lines, such as voltage drops or the presence of sub carriers.


• Some surveillance devices may use infrared light to transmit their signals back to an attacker. An infrared viewer may reveal the presence of these devices. The TSCM operator scans the area looking for questionable IR sources and then investigates them further manually.

Like other forms of security testing, TSCM sweeps provide you with a snapshot of conditions at a particular time. For continued assurance that your offices are "clean" of surveillance devices, you'll need to repeat sweeps periodically. Most vendors provide some sort of "volume discount" for annual or biannual services.

TSCM services are not for every company, but if the disclosure of conversations or phone calls in your offices would cause irreparable harm to your business, you should consider checking to see if your walls have ears.

About the Author
Al Berg, CISSP, CISM is Information Security Director of New York City based Liquidnet (www.liquidnet.com). Liquidnet is the leading electronic venue for institutional block equities trading and the 4th fastest growing privately held financial services company in the US.

Rate this Tip To rate tips, you must be a member of SearchSecurity.com. Register now to start rating these tips. Log in if you are already a member. BROWSE BY TAG Threat Monitor,   Security Awareness Training and Internal Threats,   Information Security Management,   VIEW ALL TAGS Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Threat Monitor Cut down on calls to help desk with cybersecurity awareness training How to detect software tampering How to prevent phishing attacks with social engineering tests An enterprise strategy for Web application security threats How SSL-encrypted Web connections are intercepted How a corporate Twitter policy can combat social network threats Cyberwarfare and the enterprise: Is the threat real? Software security threats and employee awareness training Newest malware threats How to defend against rogue DHCP server malware Security Awareness Training and Internal Threats Health Net breach failure of security policy, technology Health Net healthcare data breach affects1.5 million Massive T-Mobile UK security breach involves insiders Secure your remote users in 2010 Layoffs prompt insider threat fears, cybersecurity survey finds How to use Internet security threat reports Creating a HIPAA employee training program Successful rogue antivirus hinges on social engineering External attacks start with unintentional mistakes, survey finds Security technologies fail to address insider threat management RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary dumpster diving  (SearchSecurity.com) Honeynet Project  (SearchSecurity.com) insider threat  (SearchSecurity.com) National Computer Security Center  (SearchSecurity.com) pretexting  (SearchCIO.com) shoulder surfing  (SearchSecurity.com) single-factor authentication (SFA)  (SearchSecurity.com) social engineering  (SearchSecurity.com) Total Information Awareness  (SearchSecurity.com) trusted computing  (SearchSecurity.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.