From: Rui Shantilal
Date: Fri Nov 12, 2004 6:51am
Subject: Re: Re: Microphones and internet (Part 2)

Check the processes that the machine is running and look for something suspicious. (www.sysinternals.com tools will help you on this.)

On the other hand, monitor your network connections to understand if there is any weird traffic from your perspective; use, for example, Ethereal for this!

regards

rs

On Fri, 12 Nov 2004 00:12:13 -0000, Brian Noble wrote:
>
> I would also search for files that have been created or modified in the last few days to see if there could be audio files. Each file will need to be examined. A program could be saving small bits of audio to a file and sending them out periodically, much like a keylogger does. If the computer in question is on a local network, be sure to check the drives that the suspect computer can access.
>
> One question for the hardware people here: if the mic is not external to the computer but internal to the case, how would you get around the fan and hard drive noise?
>
> Brian Noble
>
> --- In TSCM-L@yahoogroups.com, Rui Shantilal wrote:
> >
> > Check the processes that the machine is running and look for something suspicious.
> >
> > On the other hand, monitor your network connections to understand if there is any weird traffic from your perspective; use, for example, Ethereal for this!
> >
> > regards
> >
> > rs
> >
> > On Wed, 10 Nov 2004 15:21:34 -0800 (PST), Jan Vandenbos wrote:
> > >
> > > Btw, this is all assuming the recorded conversations are leaving the machine over the net in some fashion or another.
> > >
> > > I'd also do a search (using a forensic tool, or something like Agent Ransack (again, http://www.download.com)) and look for files with the following extensions:
> > >
> > > .au, .wav, .mp3, .aa, .ra, .ram, ...
> > >
> > > I'd also search inside archive files (like .zip, .rar).
> > >
> > > This is still not guaranteed, since recording software might be using its own internal mechanisms for encoding/storing the audio streams.
> > >
> > > If the 'recording' software is storing the recorded audio on the local hard drive (rather than a live connection over the net), then there will need to be some way for the perp to pull the data off the system, either:
> > >
> > > 1) The perp has physical access to the machine - probably on a somewhat regular basis
> > >
> > > 2) The system/malicious monitoring software transmits the audio files on a regular basis (i.e. via email or other batch network job)
> > >
> > > 3) The perp has remote access to the machine to get access to the files.
> > >
> > > As a side note - microphones on PCs concern me (especially considering the prevalence of microphones in laptops and PDAs these days), but I'm also concerned about cameras/webcams plugged into computers. One would imagine it wouldn't be a difficult effort to distribute software that turned on web cameras as well as microphones on machines one wanted to monitor.
> > >
> > > Jan
> > >
> > > --- Jan Vandenbos wrote:
> > > >
> > > > Lots of comments out there on the web and discussion in the past on this topic...
> > > >
> > > > I.e.:
> > > >
> > > > http://www.landfield.com/isn/mail-archive/1999/Apr/0036.html
> > > >
> > > > First things I'd check (basic I know, but important) - also this is all assuming this is Windows... (If it's on a Unix/Linux variant machine I can send instructions for that too.)
> > > >
> > > > 1) Start->Run->Control Panel->Add/Remove Programs - and look for programs that you don't recognize.
> > > >
> > > > 2) Bring up the Task Manager (differs depending on your version of Windows), and look under the Processes tab for unusual programs. If you search for each program name on the Internet there are many sites that identify these programs for you and you can check which should be there or not.
> > > >
> > > > 3) Check the startup group (Start->Programs->Startup), and also the Windows Registry sections 'Run', 'Run Once', 'Run Service', etc... for strange programs. An easy way to do this is to grab 'Startup Mechanic' off http://www.download.com or a similar site. Startup Mechanic will list all the programs set to start when the computer boots, and will give you a starting place to look for malicious software.
> > > >
> > > > 4) Go to the command prompt (Start->Run->CMD) and type in 'netstat -a'.
> > > >
> > > > Unless malicious software has done a good job in hiding itself - you should see some trace at least in the netstat -a.
> > > >
> > > > FWIW, the netstat -a shows a list of all the network connections on the host. If someone were listening full time with some kind of remote mic activation software, you'd probably see a live connection to their IP address in that list (you might have to go through each one and find out which ones are suspicious).
> > > >
> > > > If you want, send me the output of that 'netstat -a' command direct via email and I can share thoughts on what looks suspicious.
> > > >
> > > > Assuming on the other hand that any purported malicious software was installed and was capable of hiding itself, another good way would be to plug a 'network sniffer' in between the machine in question and the Internet (use a hub, not a switch, if you're doing this - I can explain why offline if you need).
> > > >
> > > > Look at the traffic going back and forth between that machine and other hosts on the Internet and see if any of the traffic looks suspicious.
> > > >
> > > > Start with the machine idle. You'll probably see a fair bit of traffic anyway (instant messaging and other network keep-alive traffic), but it'll make it easier to single out suspicious traffic.
> > > >
> > > > Hope that helps... If you need more detail, feel free to drop me a note offline.
> > > >
> > > > Jan
> > > >
> > > > --- sewellr@i... wrote:
> > > > >
> > > > > A local police department suspects someone of putting a hidden microphone in a room and accessing the audio via the internet (the room has a computer connected to the internet). If this was the case, how would the bad guy do it? Software covertly installed on the computer? What would you look for physically (other than a microphone, of course)?
> > > > >
> > > > > Sgt. Kirk Sewell
> > > > > Illinois State Police, Technical Investigations
> > > > > 500 Iles Park Place, Suite 300
> > > > > Springfield, IL 62718
> > > > > (217) 524-6079 office
> > > > > (217) 467-4211 pager
> > > > > (217) 836-0919 mobile
> > >
> > > ========================================================
> > > TSCM-L Technical Security Mailing List
> > > "In a multitude of counselors there is strength"
> > >
> > > To subscribe to the TSCM-L mailing list visit:
> > > http://www.yahoogroups.com/community/TSCM-L
> > >
> > > It is by caffeine alone I set my mind in motion.
> > > It is by the juice of Star Bucks that thoughts acquire speed,
> > > the hands acquire shaking, the shaking is a warning.
> > > It is by caffeine alone I set my mind in motion.
> > > =================================================== TSKS
> > >
> > > Yahoo! Groups Links
> > >
> > > To visit your group on the web, go to:
> > > http://groups.yahoo.com/group/TSCM-L/
> > >
> > > To unsubscribe from this group, send an email to:
> > > TSCM-L-unsubscribe@yahoogroups.com
> > >
> > > Your use of Yahoo! Groups is subject to the Yahoo! Terms of Service.

10106
From: James M. Atkinson
Date: Fri Nov 12, 2004 9:15am
Subject: Defendant: Microsoft source code sale was a setup

Good article, interesting case, well done.
-jma

http://www.securityfocus.com/news/9912

Defendant: Microsoft source code sale was a setup
By Kevin Poulsen, SecurityFocus
Nov 11 2004 5:38PM

A 27-year-old Connecticut man facing felony economic espionage charges for allegedly selling a copy of Microsoft's leaked source code for $20 says he's being singled out only because the software giant and law enforcement officials can't find the people who stole the code in the first place.

"They're using me as an example, to show if you do something like this, they're going to [work] you over," said William Genovese, in a telephone interview Thursday. "Why go after me? Why not go after the guy who took the code? Why not go after the guy who released it on the net?"

In February, two 200 megabyte files containing incomplete portions of the source code for the Windows 2000 and Windows NT operating systems appeared on websites and peer-to-peer networks around the world. Evidence in the files pointed to Microsoft partner Mainsoft, a developer of Unix tools for Windows, as the original source, but how the files were leaked, and by whom, remains a mystery.

What distinguishes Genovese from perhaps thousands of other curious computer geeks who shared the proprietary source code at the time is a short message he posted to his website, illmob.org -- a hacker destination from which he distributes open source intrusion tools written under his handle, "illwill."

"Everyone was throwing up Bit Torrent links and downloading it on IRC," says Genovese. "I wrote on my website, joking, I have it, and if anybody wants it they can donate to my site."

Genovese claims he meant it as a joke, and he was surprised when someone actually responded a few days later and asked how much he should donate. "I was laughing, because I thought it was somebody stupid who wanted it and didn't know how to download it," he says.

The stranger gave Genovese $20 through the PayPal donation button on his website, and Genovese let him download a copy of the source code from his server.

In July, the same man contacted Genovese again. "He e-mailed me again and said he had formatted his computer and basically he wanted to download the source again," says Genovese. "I didn't have it any more, and he said if you can find it I'll send you more money just for the hassle." Genovese says he found the files easily on a peer-to-peer network, and again provided them to the donor.

He isn't laughing anymore.

According to court records, the mysterious donor was actually an investigator with an unnamed online security firm that Microsoft had hired to track people sharing the source code online. After the first "sale" was complete, Microsoft reported Genovese to the FBI. The Bureau took the case seriously, and the Microsoft investigator arranged the second transaction at the FBI's request.

'Economic Espionage'

Armed with a federal criminal complaint out of Manhattan, FBI agents converged on Genovese's Connecticut home early Tuesday morning, searched his condo and arrested him. Now free on a $50,000 signature bond, Genovese stands accused of violating the 1996 Economic Espionage Act.

Passed to meet the perceived threat of foreign espionage against American companies, the Economic Espionage Act carries up to ten years in prison for stealing trade secrets for personal financial gain, or for a third party's economic benefit. For the first five years of its existence the law could only be used with approval from the Justice Department in Washington -- a limitation that was lifted in March, 2002.

The $20 payment is what opened the door for prosecutors to invoke the rarely-used law, says attorney Jennifer Granick, executive director of the Stanford Center for Internet and Society. "The statute requires you to act for the economic benefit of someone other than the trade secret owner," she says.

"The real question is whether this information remains a trade secret after it is globally available to anyone with an Internet connection," says Granick. "This is something that the courts have been grappling with, so it's pretty shocking that the government would pursue criminal charges for something that the civil courts can't even agree on."

Government offices were closed Thursday for Veteran's Day. Microsoft declined to comment for this story.

Although the complaint describes him as a "vendor" of stolen source code, Genovese says the only person who took his website post seriously was Microsoft's undercover agent. He claims that the same person later purchased another widely-traded underground file, the Paris Hilton video, for a $15 payment, though the transaction escaped mention in the complaint.

If convicted, under federal sentencing guidelines Genovese's sentence would be based on the value of the source code, if any, and his criminal history: Genovese has a conviction for intruding into private users' computers in 2000 and spying on their keystrokes, for which he was sentenced to two years of probation.

"It happened right after I got my computer," he says. "I started using Trojan horses and stuff like that, and I ended up getting in trouble."

-----------------------------------------------------------------------------------------------------
We Expertly Hunt Real Spies, Real Eavesdroppers, and Real Wiretappers.
-----------------------------------------------------------------------------------------------------
James M. Atkinson                              Phone: (978) 381-9111
Granite Island Group                           Fax:
127 Eastern Avenue #291                        Web: http://www.tscm.com/
Gloucester, MA 01931-8008                      Email: mailto:jmatk@tscm.com
-----------------------------------------------------------------------------------------------------
World Class, Professional, Ethical, and Competent Bug Sweeps, and Wiretap Detection using Sophisticated Laboratory Grade Test Equipment.
-----------------------------------------------------------------------------------------------------

10107
From:
Date: Fri Nov 12, 2004 8:28am
Subject: Re: Re: suggestions on a portable USB ....

...and the linux utility would be ?

On Fri, 12 Nov 2004 11:38 -0400, wrote:
>
> Why would the write blocker matter, isn't it just a bridge device that performs direct calls to the drive? Which blocker will do HPA?
>
> Sorry about the off-topic thread.
>
> ...... Original Message .......
> On Thu, 11 Nov 2004 05:11:58 -0800 (PST) DATA_4N6_Engineering wrote:
>>
>> I have seen drives that use HPA, and all of the systems I sell have the operating system plus the ability to have a static restore in HPA. One of the main reasons it hasn't been found is that FireWire and USB write blockers do not allow the identification of HPA. EnCase will see it in DOS only, and only after you tell it to look at the ATA drive. I worked with X-Ways Forensics to modify their Replica software for imaging; initially it did not see the HPA I created. Also ProDiscover will identify HPA if you use the correct write blocker. Many drives have been modified; it's technique that allows the discovery. Many manufacturers will sell a larger capacity drive with HPA enabled to meet a specific sales need or shortage. Many manufacturers use HPA for their factory restores, so it's out there; it's using the right tools and knowing how to identify HPA. Mark Menz has a utility called driverid that will identify HPA and disable it for use with other write block devices, and he offers the only write block with published specifications that allows for access to the firmware to see HPA. I have done extensive testing to confirm that ability of write blockers, and found FireWire and USB to be lacking. You have to document, check and recheck to make sure you have all the sectors of a drive, and use the right software. As an added note, Linux will not see HPA unless you use a utility to change the firmware setting of the drive. And you have to make sure the change is temporary and, when powered off, does not change the drive; otherwise you will have problems with modifying the data, and destroying evidence. And if it's password protected you're out of luck. Viewing of the restore in HPA is tradecraft and involves many other steps.
>> But if I wanted to hide something, I would use HPA (password protected); chances are it would not be found.
>>
>> Jon Asdourian
>> Data Forensics Engineering
>>
>> telos888@y... wrote:
>> Have you ever found anything in the HPA in a real-world situation? Do you know of anyone who has?
>>
>> There are lots of shenanigans that can happen there, but I haven't talked to anyone yet that found a modified HPA "in the wild" so to speak (e.g. modified geometry).
>>
>> ...... Original Message .......
>> On Mon, 18 Oct 2004 05:39:05 -0700 (PDT) DATA_4N6_Engineering wrote:
>>>
>>> USB is microprocessor intensive, FireWire is not. I have tested most of the write blocker units and have found the throughput for USB to be unsatisfactory. I only use write blockers designed and based on NIST standards for SCSI and IDE drives including RAID. I have a FireWire write blocker and its throughput is much faster than my USB unit. I try to image all drives in their native interface. I really don't like FireWire or USB write blockers. If I have to go to DOS on some occasions, my write blockers are easy to implement, and I don't have to worry about special drivers for USB and FireWire. I have found many incompatibilities with USB and FireWire units, and if you have to preview a drive, you will never be able to view the HPA with USB or FireWire write blocks. With my write blocks and portable machine I can be assured of compatibility for any drive, except possibly for RLL and MFM, and I haven't seen any of those for a while, although I do keep a controller card around just in case.
>>>
>>> Jon Asdourian
>>> Data Forensics Engineering
>>>
>>> telos888@y... wrote:
>>> Wonder why everything out there is FireWire instead of USB 2.0. USB 2.0 has a higher throughput than 1394a, doesn't it (480 Mbp/s vs 400 Mbp/s)?
>>>
>>> ...... Original Message .......
>>> On Sat, 16 Oct 2004 12:37:24 -0700 (PDT) Steve Sanchez wrote:
>>>> Message: 2
>>>> Date: Fri, 15 Oct 2004 20:41 -0400
>>>> From: telos888@y...
>>>> Subject: Re: Re: Review: An Evidence Collection Device
>>>>
>>>> Any suggestions on a portable USB or Firewire write-blocker in that $200 range?
>>>>
>>>> Hi,
>>>>
>>>> Try Firefly from http://www.digitalintel.com
>>>>
>>>> Excellent product and cheap too!
>>>>
>>>> Steve
>>>
>>> Jon Asdourian
>>> 61 356B Red Porsche Coupe
>>> 69 Red MGC GT
>>> 63 Burgundy Austin Healey 3000 BJ7
>>> 356 Registry 16017, PCA 2002112915, MGCC 99577 AHCC

--
Ronald J. Wilczynski
National Program Office
Regional Computer Forensic Lab Program
916-977-2250
916-549-1311 cell
RJWilczynski@F...
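The Linux side of the HPA question in the message above, as an added example that is not part of the thread or of any tool named in it: a POSIX shell script built on hdparm's read-only query `hdparm -N`, which reports the drive's currently visible and native maximum sector counts, and flags a Host Protected Area when the native count is the larger one. The device path, the sample hdparm lines and the helper names are assumptions constructed for the offline demo.

```shell
#!/bin/sh
# Added example, not from the thread: detect a Host Protected Area (HPA)
# on Linux by comparing the sector count the drive currently exposes
# with its native maximum, as reported by the read-only query `hdparm -N`.
# hdparm prints one status line of the form (visible/native)
#   max sectors   = 312581808/976773168, HPA is enabled
# Nothing here changes the drive: the query alone does not alter the
# HPA, which is the property you want on an evidence drive.

# parse_hdparm_n LINE
# Print "visible native" extracted from an hdparm -N status line,
# or print nothing and return 1 if the text does not match.
parse_hdparm_n() {
    counts=$(printf '%s\n' "$1" |
        sed -n 's|.*max sectors *= *\([0-9][0-9]*\)/\([0-9][0-9]*\).*|\1 \2|p')
    [ -n "$counts" ] || return 1
    printf '%s\n' "$counts"
}

# hpa_hidden_sectors VISIBLE NATIVE
# Print the number of sectors hidden behind the HPA (0 when none).
hpa_hidden_sectors() {
    if [ "$2" -gt "$1" ]; then
        echo $(( $2 - $1 ))
    else
        echo 0
    fi
}

# hpa_report LINE
# Turn one hdparm -N line into a one-line verdict a report can quote.
# Exit status: 0 = HPA present, 1 = none detected, 2 = could not parse.
hpa_report() {
    counts=$(parse_hdparm_n "$1") || { echo "unparseable hdparm output"; return 2; }
    set -- $counts
    hidden=$(hpa_hidden_sectors "$1" "$2")
    if [ "$hidden" -gt 0 ]; then
        echo "HPA: $hidden sectors hidden (visible $1, native $2)"
        return 0
    fi
    echo "no HPA: visible $1 equals native $2"
    return 1
}

# check_device DEVICE  (e.g. /dev/sdb; needs root and hdparm installed)
# Live check. A password-locked HPA (the "out of luck" case in the
# thread) still shows up here as a size mismatch, but its contents
# cannot be reached without the password. A Device Configuration
# Overlay can shrink the native maximum itself; `hdparm --dco-identify`
# covers that case and is outside this script, so treat "no HPA" as
# "none detected", not as proof.
check_device() {
    out=$(hdparm -N "$1" 2>/dev/null) || { echo "hdparm failed on $1"; return 2; }
    hpa_report "$out"
}

# Offline demo on two constructed hdparm lines (not real drive output).
demo() {
    hpa_report " max sectors   = 312581808/976773168, HPA is enabled"
    hpa_report " max sectors   = 976773168/976773168, HPA is disabled" || true
}

demo
```

Run `check_device /dev/sdX` as root against the drive behind a write blocker that passes ATA commands through; if the blocker hides the native maximum, the two numbers will agree even when an HPA exists, which is exactly the gap the thread describes.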
10108
From: Daryl
Date: Fri Nov 12, 2004 9:07am
Subject: Re: Cisco Phone System Info

Concentrate on the backend call manager app. There are a few there; bugs, managed via telnet, etc.

Rgds.

--- In TSCM-L@yahoogroups.com, Rui Shantilal wrote:
>
> I am aware that each IP phone has its own web server; try to go for it, using known exploits against the web server, for example, manipulating HTTP headers.
>
> rs
>
> On Thu, 11 Nov 2004 00:32:43 -0800 (PST), Mitch D wrote:
> > Looking for exploit info on Cisco VOIP phone systems
> > Thanks
> > md
10109 From: Leanardo Date: Fri Nov 12, 2004 9:44am Subject: Re: Cisco Phone System Info Google "VOMIT" and "VoIP" you should find some links to this application (Linux based) Bruce : ) --- In TSCM-L@yahoogroups.com, Mitch D wrote: > Looking for exploit info on Cisco VOIP phones systems > Thanks > md 10110 From: Daryl Date: Fri Nov 12, 2004 10:32am Subject: Re: Microphones and internet (Part 2) Noise and vibration can be a problem, but can be filtered, probably depends on the machine in question. Most VOIP tools in skype, MSNIM, YIM, etc, seem to use the internal mic just fine. If this is a WinXP machine, I'd run netstat -o from the command line to see what processes are listening, the PID can then be mapped back to the running process via task manager, or it's more adult sibling Process Explorer (even if it's a child process or .dll calling svchost), available free via sysinternals.com, probabaly better to install before trying this in case task manager or another process has been trojaned to hide it. Best test would be a sniffer on the local circuit. Sniff for traffic as you create noise in the target area. Good Luk. --- In TSCM-L@yahoogroups.com, "Brian Noble" wrote: > > > > I would also search for files that have been created or modified in > the last few days to see if there could be audio files. Each file > will need to be examined. A program could be saving small bits of > audio to a file and sending them out periodically much like a > keylogger does. If the computer in question is on a local network be > sure to check the drives that the suspect computer can access. > One question for the hardware people here if the mic is not external > to the computer but internal to the case how would you get around > the fans and harddrive noise? > > Brian Noble > > > > --- In TSCM-L@yahoogroups.com, Rui Shantilal wrote: > > > > Check the processes that the machine is running and look for > something > > suspicious. 
> > > > On the other hand, monitor your network connections to understand > if > > there is any weird traffic in your perspective, use for example, > > ethereal for this ! > > > > regards > > > > rs > > > > > > On Wed, 10 Nov 2004 15:21:34 -0800 (PST), Jan Vandenbos > > wrote: > > > > > > Btw, this is all assuming the recorded conversations > > > are leaving the machine over the net in some fashion > > > or another. > > > > > > I'd also do a search (using a forensic tool, or > > > something like Agent Ransack (again, > > > http://www.download.com) and look for files with the > > > following extensions > > > > > > .au, .wav, .mp3, .aa, .ra, .ram., ... > > > > > > I'd also search inside archive files (like .zip, > > > .rar). > > > > > > This is still not guaranteed, since recording software > > > might be using its own internal mechanisms for > > > encoding/storing the audio streams. > > > > > > If the 'recording' software is storing the recorded > > > audio on the local hard drive (rather than a live > > > connection over the net), then there will need to be > > > some way for the perp to pull the data off the system > > > either: > > > > > > 1) The perp has physical access to the machine - > > > probably on a somewhat regular basis > > > > > > 2) The system/malicious monitoring software transmits > > > the audio files on a regular basis (ie. via email or > > > other batch network job) > > > > > > 3) The perp has remote access to the machine to get > > > access to the files. > > > > > > As a side note - Microphones on PC's concern me > > > (especially considering the prevalence of microphones > > > in laptops and PDA's these days), but I'm also > > > concerned about cameras/webcams plugged into > > > computers. One would imagine it wouldn't be a > > > difficult effort to distribute software that turned on > > > web cameras as well as Microphones on machines one > > > wanted to monitor. 
> > > > > > Jan > > > > > > > > > --- Jan Vandenbos wrote: > > > > > > > > > > > Lots of comments out there on the web and discussion > > > > in the past on this topic... > > > > > > > > Ie: > > > > > > > > > > > http://www.landfield.com/isn/mail-archive/1999/Apr/0036.html > > > > > > > > First things I'd check (Basic I know, but important) > > > > - > > > > also this is all assuming this is windows... (If its > > > > on a unix/Linux variant machine I can send > > > > instructions for that too) > > > > > > > > 1) Start->Run->Control Panel->Add/Remove Programs - > > > > and look for programs that you don't recognize. > > > > > > > > 2) Bring up the Task manager (differs depending on > > > > your version of windows), and look under the > > > > Processes > > > > tab for unusual program. If you search for each > > > > program name on the Internet there are many sites > > > > that > > > > identify these programs for you and you can check > > > > which should be there or not. > > > > > > > > 3) Check the startup group > > > > (Start->Programs->Startup), > > > > and also the Windows Registry sections 'Run', 'Run > > > > Once', 'Run Service', etc... for strange programs. > > > > An > > > > easy way to do this is to grab 'Startup Mechanic' > > > > off > > > > http://www.download.com or similar site. Startup > > > > mechanic will list all the programs set to start > > > > when > > > > the computer boots, and will give you a starting > > > > place > > > > to look for malicious software. > > > > > > > > 4) Go to the command prompt (Start->Run->CMD) > > > > and type in 'netstat -a'. > > > > > > > > Unless malicious software has done a good job in > > > > hiding itself - you should see some trace at least > > > > in > > > > the netstat -a. > > > > > > > > FWIW, the Netstat -a shows a list of all the network > > > > connections on the host. 
> If someone were listening full time with some kind of remote mic activation software, you'd probably see a live connection to their IP address in that list (you might have to go through each one and find out which ones are suspicious).
>
> If you want, send me the output of that 'netstat -a' command direct via email and I can share thoughts on what looks suspicious.
>
> Assuming on the other hand that any purported malicious software was installed and was capable of hiding itself, another good way would be to plug a 'network sniffer' in between the machine in question and the Internet (use a hub, not a switch, if you're doing this - I can explain why offline if you need).
>
> Look at the traffic going back and forth between that machine and other hosts on the Internet and see if any of the traffic looks suspicious.
>
> Start with the machine idle. You'll probably see a fair bit of traffic anyway (instant messaging and other network keep-alive traffic), but it'll make it easier to single out suspicious traffic.
>
> Hope that helps... If you need more detail, feel free to drop me a note offline.
>
> Jan
>
> --- sewellr@i... wrote:
>
> A local police department suspects someone of putting a hidden microphone in a room and accessing the audio via the internet (the room has a computer connected to the internet). If this was the case, how would the bad guy do it? Software covertly installed on the computer? What would you look for physically (other than a microphone, of course)?
>
> Sgt.
> Kirk Sewell
> Illinois State Police, Technical Investigations
> 500 Iles Park Place, Suite 300
> Springfield, IL 62718
> (217) 524-6079 office
> (217) 467-4211 pager
> (217) 836-0919 mobile
>
> ========================================================
> TSCM-L Technical Security Mailing List
> "In a multitude of counselors there is strength"
>
> To subscribe to the TSCM-L mailing list visit:
> http://www.yahoogroups.com/community/TSCM-L
>
> It is by caffeine alone I set my mind in motion.
> It is by the juice of Star Bucks that thoughts acquire speed,
> the hands acquire shaking, the shaking is a warning.
> It is by caffeine alone I set my mind in motion.
> =================================================== TSKS
>
> Yahoo! Groups Links
>
> To visit your group on the web, go to:
> http://groups.yahoo.com/group/TSCM-L/
>
> To unsubscribe from this group, send an email to:
> TSCM-L-unsubscribe@yahoogroups.com
>
> Your use of Yahoo! Groups is subject to the Yahoo! Terms of Service.

10111 From: Hawkspirit Date: Fri Nov 12, 2004 8:36pm Subject: paper embedable chips

Subject: Fwd: mass-producible paper embedable chips

http://www.physorg.com/news1917.html

Chip-Embedded Paper for Wireless Transmission
November 10, 2004

Japanese company Oji Paper announced November 8 that it has jointly developed technology to embed semiconductor chips in paper during papermaking processes. This invention was co-developed with two other companies, FEC Group and Toppan Forms.
According to the JCN network, the embedded chip is 0.5x0.5mm and comes with a built-in antenna for wireless transmission at frequencies of between 13.56MHz and 2.45GHz. This breakthrough technology enables mass production of chip-embedded paper. The new chip-embedded paper is a bit thicker than regular paper, but its printable property is comparable to regular paper.

The new technology is expected to be applied in lots of paper products: personal checks, paper bills, gift certificates, etc. The paper is available in sheets and rolls. Oji is demonstrating the technology at Smart Labels Asia 2004, held in Tokyo from November 9 to 11.

About Oji Paper: Major Business Lines of Oji Paper Co., Ltd: Production, conversion/processing and sales of printing, writing and related papers; packaging and wrapping papers; carbonless papers; household products; containerboard and boxboard. Production and sales of such end-use products as corrugated board and boxboard containers; paper-board containers; plastics; thermal paper; self-adhesive paper and disposable paper diapers. Production and sales of chemicals for paper making and packaging equipment.

10112 From: James M. Atkinson Date: Sat Nov 13, 2004 11:37am Subject: CIA's No. 2 official retires amid reports of infighting

http://www.cnn.com/2004/US/11/13/cia.retirement.ap/index.html

CIA's No. 2 official retires amid reports of infighting

WASHINGTON (AP) -- John McLaughlin, who took temporary command of the CIA for three months this year during a wave of criticism of the spy agency, is retiring amid internal conflicts.

In a statement Friday, McLaughlin, the CIA's deputy director and 32-year agency veteran, called his departure a "purely personal decision" and said it was time to move on to other endeavors.
But former intelligence officials in touch with current agency personnel say there has been turmoil in recent weeks as new CIA Director Porter Goss tried to make changes and get settled in.

Goss, a Florida Republican who formerly chaired the House Intelligence Committee, brought four of his congressional aides with him to the CIA's 7th floor executive offices shortly after he took over in September.

But tension began before he arrived. Officials as senior as former CIA Director George Tenet fumed at legislation approved by Goss' committee and the full House that said the CIA's Directorate of Operations "needs fixing." The bill warned that without changes, the clandestine unit -- the agency's most famous division -- could become a "stilted bureaucracy incapable of even the slightest bit of success."

Now, moves made by Goss and his aides are believed to be riling current personnel. The Washington Post reported in Saturday editions that Deputy Director of Operations Stephen Kappes turned in his resignation Friday following a tense meeting at CIA headquarters in suburban Virginia. Goss and White House officials asked Kappes to reconsider his decision over the weekend, the newspaper said. Other officials are also considering leaving.

An intelligence official reached late Friday declined to comment.

McLaughlin temporarily took over the CIA in July when Tenet retired, also citing personal reasons. McLaughlin's ascension put him in line to field criticism from two reports highly critical of U.S. intelligence operations, the September 11 Commission report and the Senate's investigation into the flawed prewar intelligence on Iraq.

President Bush decided in August to nominate a permanent replacement for Tenet and tapped Goss, who was a CIA operative during the 1960s.

Officials painted McLaughlin's decision to retire from government as a natural one: A CIA official said McLaughlin thought the period of government transition after the election was a "logical time to move on."
McLaughlin plans to take time off while considering opportunities in the private sector, said the official, who spoke on condition of anonymity.

Since 1972, McLaughlin has advanced within the agency to become a part of its senior leadership. He was an analyst for European and Russian issues before rising to deputy director for intelligence in 1997. By 2000, he had become Tenet's right hand, as deputy director of central intelligence. When Tenet resigned in July, McLaughlin temporarily headed the agency for nearly three months.

McLaughlin, 62, called "Merlin" by some of his colleagues, was known for pulling off impromptu magic tricks, like turning a dollar bill into other denominations.

-----------------------------------------------------------------------------------------------------
We Expertly Hunt Real Spies, Real Eavesdroppers, and Real Wiretappers.
-----------------------------------------------------------------------------------------------------
James M. Atkinson            Phone: (978) 381-9111
Granite Island Group         Fax:
127 Eastern Avenue #291      Web: http://www.tscm.com/
Gloucester, MA 01931-8008    Email: mailto:jmatk@tscm.com
-----------------------------------------------------------------------------------------------------
World Class, Professional, Ethical, and Competent Bug Sweeps, and Wiretap Detection using Sophisticated Laboratory Grade Test Equipment.
-----------------------------------------------------------------------------------------------------

10113 From: delta Date: Sat Nov 13, 2004 8:42am Subject: voice on internet

very cheap to listen via internet ....

david from paris

http://www.micro-espion.com/boutique/achat/produit_details.php?id=13

10114 From: Does it matter Date: Sat Nov 13, 2004 7:07am Subject: Re: OT Hard drives

Interesting, I thought the same thing when I saw on the net a guy who made a makeshift clean room with a fish tank, a Walmart HEPA air cleaner, dishwashing gloves, and some epoxy.
--- In TSCM-L@yahoogroups.com, telos888@y... wrote:
> Back in the old days of MFM and RLL drives, a friend of mine recovered a drive with a broken actuator by removing the platters in a "clean room" Ziploc, then Windexing the platters and putting them into a new enclosure - drive worked perfectly.
>
> Most (if not all) of the data recovery houses out there don't even use clean rooms, just open air analysis stations - I think clean rooms may be more required for manufacturing than post-mortem stuff.
>
> ...... Original Message .......
> On Thu, 11 Nov 2004 13:18:27 -0000 "Does it matter" wrote:
> > I have noticed lately that lots of people on this board are into computer forensics like I am, which is great. On a side note, I was wondering if anyone out there knows of a place or a person who teaches clean room type data recovery applications, i.e. taking apart the drive in a class 100 type environment and then diagnosing problems.
> >
> > It appears that there aren't any classes that I can find for this and you have to get someone who worked for a hard drive company like Maxtor, Seagate, WD, etc. to show you the tricks of the trade?
> >
> > Can anyone shed some light on this?
> >
> > Thanks
> >
> > Darren
10115 From: Mitch D Date: Sat Nov 13, 2004 2:09pm Subject: Cisco Hack Info ( excellent info)

Figured I'd share this w the list:

In the SIP images of Cisco 7960/7940 (and perhaps 7970/7980) phones, there is a "telnet" option which can be enabled. In the highest access mode of this interface, it is possible to activate a "test keys" mode, which would allow an external party to make calls to remote (external) destinations without the local user hearing any indication that the phone had been placed into "remote intercom" mode. The test key mode allows a telnet user to simulate the exact keystrokes of a local user.

Additionally, there is a feature called "auto-answer" which can be activated on a single line, meaning that whatever SIP username is associated with that line will also achieve an auto-answer (on speakerphone, if available) for that line. This also can be used as a remote area surveillance system. (Example: in our office, I have a special extension which calls all phones across the entire office and muxes them back into a single conference bridge, so that I can listen to the entire office at night to see if there is anything amiss (fan noises, UPS signalling, fire alarms, voices).)

Both variations cause a bright green LED to light up on the deskset, and also the LCD screen shows the status of the "call" in progress, so there is some external indication that something is happening.

Cisco has made some progress in ensuring that "pirate" versions of code for the phones are not easily developed and uploaded; updated versions need to be cryptographically signed before the phone will upload them (exact methods unknown), which to some degree mitigates the threat from versions which have no physical indications, though anything is possible with enough budget and brainpower.

Both of these "features" are available currently on the SIP images and present different threat situations for voice surveillance.
I don't know if they're also available in the SCCP or H.323 versions of the code. Both are exceedingly dangerous, and telnet mode should never be enabled in an insecure (or even secure) environment. The intercom feature is also an issue, since there is no reverse authentication from the Cisco phones (another major failing, in my opinion, of Cisco's SIP practical implementation strategy).

=====
Mitch Davis
TSCM/Special Operations Group Inc.
Nashville, TN. USA
MitchD@t...
site: www.tscmusa.com
Tel (615) 837-9933  FAX (615) 523-0300  Cell (615) 364-6776

10116 From: E. Charles Sterling Date: Sat Nov 13, 2004 6:04pm Subject: RE: [security] Re: OT Hard drives

You can get to a reasonable position, though not perfect by any means, by altering an existing room or chamber like that of an environmental testing chamber or walk-in freezer by cleaning and sealing the inside. The key is, are you trying to occasionally save a disk drive, or are you after a production clean room environment? The level of experimenting or production will define the level of expense and micron-level filtration that is needed. You can visit companies not unlike Reliability, Inc. to see their clean room, and you will normally find whichever company uses a clean room ready to discuss the entire process with you.

http://www.howstuffworks.com/
http://www.clean-rooms.org/
http://www.clean-rooms.com/
http://www.bcacontract.com/cr.html
http://clean-rooms.com/?google_Cleanrooms
http://www.modular-office.com/Clean_Room.htm
http://www.sbmcorp.com/Managed_Services_CLS.htm

These few links will give you additional reference to the building of and cleaning of Clean Rooms of all levels, from one-time-use problem solves, used modular clean rooms, and the technology wherein to do it yourself.

cheers,
cs
10117 From: jtowler Date: Sat Nov 13, 2004 7:13pm Subject: RE: Elections

See Below ...

-----Original Message-----
From: James M. Atkinson [mailto:jmatk@tscm.com]
Sent: Tuesday, 9 November 2004 2:18 p.m.
To: TSCM-L@yahoogroups.com
Subject: Re: [TSCM-L] Elections

At 03:39 AM 11/8/2004, Michael Puchol wrote:
> > GPS tracking without seeing the satellites
>
> We tried a Labrador, but it wasn't able to keep up with the vehicles.

Must have been a Newfoundland, a Black Lab can see GPS satellites with no problem.

Now, as silly as all the above is, I just have to ask: Do you mean a breed of dog (Black Lab), or the desk with all the gear in the back of the Black Helicopter (Black Lab), or did you really intend both as a joke?
Can you confirm your answer to the above is true?

- Jim

10118 From: jtowler Date: Sat Nov 13, 2004 7:52pm Subject: RE: Re: Microphones and internet (Part 2) and SONY PLAYSTATION 2

See Below

-----Original Message-----
From: Jan Vandenbos [mailto:jvandenbos@y...]
Sent: Thursday, 11 November 2004 12:22 p.m.
To: TSCM-L@yahoogroups.com
Subject: Re: [TSCM-L] Re: Microphones and internet (Part 2)

Content deleted.

> As a side note - Microphones on PC's concern me (especially considering the prevalence of microphones in laptops and PDA's these days), but I'm also concerned about cameras/webcams plugged into computers. One would imagine it wouldn't be a difficult effort to distribute software that turned on web cameras as well as Microphones on machines one wanted to monitor.
>
> Jan

I see that Sony is due to release a new "game" called "EyeToy: Chat" based on the same USB Camera as in "EyeToy: Play" for the Sony PlayStation 2.

Anyway, from memory, the idea is that you plug the EyeToy (read USB camera/mic) into your PS2, and go online to chat with folk. Fun, of course.

Anyway, it seems there is an additional software module in the "game" that lets you set the system up so if it detects movement in the room (younger sister sneaking into your room to steal your collection), then it will play a pre-recorded noise (alarm).

All the above set me thinking that there is a camera/mic and online and left running ...

So, watch for the PS2 in the staff break room, where the staff discuss the new R&D work over coffee. Note that the "Welcome to NSA" document prohibits such talk in hallways, break rooms etc. To say nothing about the PS2 being there ...

- Jim

10119 From: walshingham2000 Date: Sat Nov 13, 2004 7:59pm Subject: Have Crypto Will Travel......??
PGPBOARD COMMENTARY
-------------------
PGPBOARD
Angeles City, Philippines
http://groups.yahoo.com/group/pgpboard/
pgpboard@s...

************************

© HAVE CRYPTO...WILL TRAVEL
=========================
by Alan Taylor

There are some places in this world where either the use or possession of cryptographic software can result in very real exposure to state coercion, or worse.

In Europe and the United States we tend to get worked up about our governments "snooping" into our private communications. People like Phil Zimmermann and his PGP put our private electronic communications into an invulnerable(?) cryptographic envelope. Our (USA) Government countered with the "Clipper Chip" and third party key escrow schemes, which are currently floundering on the reef of free speech, but they should not be considered as dead in the water. The British Government introduced their RIP legislation, crudely threatening their citizenry with five years of imprisonment if they refused to cough up their private keys and passphrases.

However, in general, the reality is that strong public key encryption technology is freely available, without any physical threat to both the American & European citizenry. However, this is certainly NOT the case in other countries. (Contact PGPBOARD at pgpboard@s... concerning travelling with cryptographic software.)

IN CHINA, it is potentially dangerous to possess any flavor of PGP or GnuPG; all Internet traffic is channeled through two major gateways in Beijing and Shanghai to facilitate filtering of transmissions. In addition, all Internet users must register with the police. Some PGP traffic out of Mainland China is hand carried by NGO's or others into Hong Kong, on PC's, diskettes, or USB flash drives.

IN BURMA (MYANMAR), to be caught with cryptographic software either in your possession, or installed on a PC, can result in arrest and detention without trial, years of imprisonment, or execution if you are a Burmese citizen.
These are the potential extreme threats, and they should not be treated lightly. However, if you and your laptop need to travel, then there are certain precautions you should observe, otherwise you can find yourself in a world of hurt...literally.

The first piece of advice for the traveling crypto aficionado would be:

"IF YOU DON'T NEED IT THEN LEAVE IT AT HOME."

However, if you are a real crypto junkie, or an NGO with an attitude, then it would be advisable to take some sort of precautions. The only viable precaution is to treat all destinations as the "worst case scenario" irrespective of their perceived safety.

SOFTWARE & CRYPTO STANDARDS
===========================

Many crypto aficionados get severely hung up on crypto standards, and the perceived security of this or that algorithm...etc..etc.. Such discussions can be stimulating, and very informative. However, before their departure, our NGO with an attitude, or traveling crypto junkie, needs to be aware of only a few vital parameters.

1. 1024 bit asymmetric keys have not yet been busted...but better to use 2048 bits.

2. MD5 is deprecated owing to security concerns; best use SHA1.

3. None of the following block ciphers have been busted: 3DES, CAST, IDEA, BLOWFISH (AES not considered due to insufficient track record). We recommend 3DES. (PGPBOARD's bulletin concerning the current status of DES and 3DES is available upon request from pgpboard@s...)

4. There have been no known breakthroughs in the factoring of very large prime numbers that render PK cryptology both obsolete and insecure.

5. That your chosen secret key passphrase is both rememberable and cryptographically strong; with nothing so trivial as aunty Flo's birthday...!!

6. Carry with you on diskette PGPBOARD's "GPG HOME BASE". This package is configured around GnuPG, with the WINPT graphical user interface complete with keyring manager, XP/WIN 98 notepad, together with all of the command com files required for either WIN 98 or XP.
No software footprint is left on the PC hosting the cryptographic software. GPG HOME BASE includes a command line SMTP server that can directly address the recipient's mail server, and effectively bypass any in-country local ISP's mail server. (GPG HOME BASE IS AVAILABLE FREE OF CHARGE)

7. Before departure, and/or upon arrival at your destination, generate and sign your mission critical public keys in the presence of the intended recipient(s) of your encrypted traffic. The signature format of these mission critical public keys should have "non exportable signatures". Do not upload these keys to a public key server.

8. Assume the destination country/territory falls into the "worst case crypto" scenario.

Best Regards
Alan Taylor
PGPBOARD Administrator
Angeles City, Philippines
11/13/2004 10:49 AM CST

(Note © This article may be freely reproduced with due credit)

10120 From: jtowler Date: Sat Nov 13, 2004 8:03pm Subject: RE: Re: Microphones and internet and SONY PLAYSTATION 2 and EyeToy Camera/mic

Correction to below: The "EyeToy: Chat" game is mostly as described, however the "SpyToy" feature is a part of a different PS2 "game" titled "EyeToy: Play2".

Links for those interested:

EyeToy camera and general article: http://www.ps2home.co.uk/ps2__eyetoy.htm
EyeToy: Chat: http://www.ps2home.co.uk/eyetoychat.htm
EyeToy: Play2 with "SpyToy" feature: http://www.ps2home.co.uk/eyetoy%20play%202.htm

Security risks apply ...
10121 From: James M. Atkinson Date: Sat Nov 13, 2004 9:54pm Subject: Impedance of a Typical Alarm PIR Cable Run

For TSCM purposes, what is the impedance of the wiring that services a typical PIR sensor hooked up to an Alarm Panel?

The biggest concern is audio signals present on the power lines that go to the sensor, and a method to couple sweep gear into the active wires without presenting enough of an impedance mismatch to trip the alarm or reset the circuit. Also, it is important to shoot a TDR pulse into all of the lines to trace out the presence of an eavesdropping device.
-jma

10122 From: kondrak Date: Sat Nov 13, 2004 11:00pm Subject: Re: Impedance of a Typical Alarm PIR Cable Run

We always considered it twisted pair - 600 ohms.

At 22:54 11/13/2004, you wrote:
> For TSCM purposes, what is the impedance of the wiring that services a typical PIR sensor hooked up to an Alarm Panel.
10123 From: A Grudko Date: Sat Nov 13, 2004 11:36pm Subject: RE: Digest Number 1727

-----Original Message-----
(Poster not identified by the time it got to me)
> Oh, because a good portion of the TSCM business is politically driven,

That would be a pity - TSCM should only be technically driven. (I acknowledge that in some countries there may be laws made by politicians that seek to control or inhibit TSCM, but as a discipline TSCM practitioners should be above politics).

Andy Grudko (British), DPM, Grad IS (South Africa)
MIS/Grudko Associates, Est. 1981. PSIRA reg. No. 8642
www.grudko.com , agrudko@i...
Pretoria HO (+27 12) 244 0255 - 244 0256 (Fax)
Branches: Sandton (+27 11) 465 9673 - 465 1487 (Fax)
Johannesburg (+27 11) 781 7206 - 781 7207 (Fax)
Mid Rand (+27 11) 318 1451 - 318 6846 (Fax)
Cellular (+27) 82 778 6355 - ICQ 146498943
SACI(Pres) SASA, IPA, WAD, CALI, UKPIN, IWWA.
"When you need it done right - first time"

---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.794 / Virus Database: 538 - Release Date: 2004/11/10

10124
From: Shawn Hughes (Road)
Date: Sun Nov 14, 2004 4:13am
Subject: Re: PIR Impedance

James,

I don't have any problems thinking you could inject audio into a PIR power feed, although you would need some hefty filtering at the LP, because clock and crappy power supply noise is sometimes significant.

As far as impedance, for all the systems I have ever installed or repaired, the majority use resistance values as a safety. .5K under or over, it sets a trouble flag on the zone. Limits the length of cable used, but precludes attaching anything.

Noise is an issue with longer runs, as well. I have scoped cable pairs on zones that became flaky, and found that 60 cycle noise and EMI can piss off the sensor, so I am guessing a *live* PIR wouldn't like having an audio or video signal piggybacked onto it.

Of course, making sure that the number of sensors matches the number of zones is important, too....

I haven't ever measured impedance on an alarm cable pair, and don't recall reading any specs on it, but if you want to know, I can get that data for you if it is in any of the manuals for the systems I deal with in a day or so.

-Shawn

At 05:36 AM 11/14/04 +0000, you wrote:
>The biggest concern is audio signals present on the power lines that go to
>the sensor, and a method to couple sweep gear into the active wires without
>presenting enough of an impedance mismatch to trip the alarm or reset the
>circuit

====================================
Shawn Hughes
Special Projects Consultant and Subcontractor
110 Hughes Hale Lane, Harriman, TN 37748 USA
(865) 335-7992 Voicemail
srh@e...
///////////////////////////////////////////////////////////////////////////////
Lead Instructor
Explosives, WMD, and Technical Operations
Tactical Response
www.warriormindset.com
Training at the Cutting Edge!
(731) 676-2041 Main Office
//////////////////////////////////////////////////////////////////////////////

******NOTICE: Due to the age of my email account, I have to set spam filtering VERY high. If you do not receive a response in a reasonable amount of time, please try an alternate communications method. I apologize for the inconvenience.

10125
From: Michael Dever
Date: Sat Nov 13, 2004 11:30pm
Subject: Re: Impedance of a Typical Alarm PIR Cable Run

Jim

Are you talking about the power wiring or the alarm signaling circuit?

A typical PIR will operate on 12 VDC and draw approximately 10-20 mA.

Whereas, the alarm circuit 'normal' resistance varies depending on the manufacturer. For example, ADEMCO (Honeywell) alarm panels typically use an 'end of line resistor' of 2.2k ohm or sometimes 10k (typical in Australia). Normally, the alarm circuit will be tripped if the resistance changes by more than a +/- 10% variation.

Simple DC based alarm circuits can easily be 'spoofed' by applying a voltage equal to the steady state value (typically 6V on a 12V system).

However, a lot of alarm panels these days (including ADEMCO) use a proprietary serial data stream instead of the DC loop. This allows individual sensors to be addressed and for multiple sensors to be multiplexed onto the same loop.

There are even higher security methods of signaling using 'end of line' modules which are unique to each sensor. These types of systems can use encryption to further thwart substitution. For example, the Australian Government extensively uses a type of signaling system between sensors and the alarm panel that is encrypted.

I think TDRing one of these circuits would trigger an alarm. Also, I would be concerned about the effects of TDR pulses on the electronics at both ends.

Hope this helps!

Regards
Mike

On 14 Nov 2004, at 14:54, James M. Atkinson wrote:
> For TSCM purposes, what is the impedance of the wiring that services a
> typical PIR sensor hooked up to an Alarm Panel.
>
> The biggest concern is audio signals present on the power lines that
> go to the sensor, and a method to couple sweep gear into the active wires
> without presenting enough of an impedance mismatch to trip the alarm or reset
> the circuit. Also, important to shoot a TDR pulse into all of the lines to
> trace out the presence of an eavesdropping device.
>
> -jma

Michael J.
Dever CPP
Dever Clark & Associates
GPO Box 1163
Canberra ACT 2601
Voice: (02) 6254 5337
Email: dca@b...

This message is sent in strict confidence for the addressee only. It may contain legally privileged information. The contents are not to be disclosed to anyone other than the addressee. Unauthorised recipients are requested to preserve this confidentiality and to advise the sender immediately of any error in transmission.

10126
From: James M. Atkinson
Date: Sun Nov 14, 2004 8:37am
Subject: Cisco Phone Vulnerability

http://cryptome.org/cisco-holes.htm

In the SIP images of Cisco 7960/7940 (and perhaps 7970/7980) phones, there is a "telnet" option which can be enabled. In the highest access mode of this interface, it is possible to activate a "test keys" mode, which would allow an external party to make calls to remote (external) destinations without the local user hearing any indication that the phone had been placed into "remote intercom" mode. The test key mode allows a telnet user to simulate the exact keystrokes of a local user.

Additionally, there is a feature called "auto-answer" which can be activated on a single line, meaning that whatever SIP username is associated with that line will also achieve an auto-answer (on speakerphone, if available) for that line. This also can be used as a remote area surveillance system. (Example: in our office, I have a special extension which calls all phones across the entire office and muxes them back into a single conference bridge, so that I can listen to the entire office at night to see if there is anything amiss (fan noises, UPS signalling, fire alarms, voices.))

Both variations cause a bright green LED to light up on the deskset, and the LCD screen also shows the status of the "call" in progress, so there is some external indication that something is happening.

Cisco has made some progress in ensuring that "pirate" versions of code for the phones are not easily developed and uploaded; updated versions need to be cryptographically signed before the phone will upload them (exact methods unknown), which to some degree mitigates the threat from versions which have no physical indications, though anything is possible with enough budget and brainpower.

Both of these "features" are available currently on the SIP images and present different threat situations for voice surveillance. I don't know if they're also available in the SCCP or H.323 versions of the code. Both are exceedingly dangerous, and telnet mode should never be enabled in an insecure (or even secure) environment. The intercom feature is also an issue, since there is no reverse authentication from the Cisco phones (another major failing, in my opinion, of Cisco's SIP practical implementation strategy.)

10127
From: James M.
Atkinson
Date: Sun Nov 14, 2004 9:51am
Subject: Spyware charge levelled at Lexmark

http://software.silicon.com/malware/0,3800003100,39125876,00.htm

Spyware charge levelled at Lexmark
November 12 2004

Allegations have been swirling around an online newsgroup this week that printer manufacturer Lexmark has been installing spyware on its customers' computers.

Reports on the comp.periphs.printers Usenet newsgroup claim that Lexmark has been planting spyware on its customers' PCs in the form of undocumented software that monitors the use of its printers and silently reports back to a Lexmark-owned company website.

One user said that after initially denying the allegations, Lexmark acknowledged installing tracking software that reported printer and cartridge use back to the company for survey purposes. He claimed that Lexmark said no personal data was taken by the program, and that it was impossible to identify anyone by it. However, users installing the software are prompted to fill in a registration form including their name and the serial number of the product.

The newsgroup posting claims that the program, found on the X5250 installation software, embeds itself in the registry and monitors the use of the printer through DLL files in the c:\program_files\lexmark500 folder. The program sends the information, which includes print and scanning data, to the URL www.lxkcc1.com. According to the internet Whois database, this domain name belongs to Lexmark International in Kentucky.

Lexmark's UK office has not responded to repeated requests for comment.

# # # #

Also note that a similar form of "spying" was done by Creative Labs back in 2001, according to this NEWS.COM article:
http://news.com.com/2100-1040-268361.html?legacy=cnet
10128
From: mark de Boer
Date: Sun Nov 14, 2004 10:44am
Subject: Re: Impedance of a Typical Alarm PIR Cable Run

James,

Here in the Netherlands alarm systems are sold that have audio circuits in them for the alarm central to "listen in" for alarm verification, by a company called CIPE. This type of system almost asks for a wire tap routed via PSTN. This system is not used by quality installers but it's out there. Do you have similar systems in the States?

Also I've heard of dual detector/radar PIRs transformed into radar transmitters that transmit the audio from the room. It was a reliable source (I personally never saw it myself).

Perhaps the best way to check for audio is to put the scope on the data bus lines and also check the power use in milliamps for every detector (when having access to the specs from the alarm system).

Best regards

Marc
RRBsecurity
Netherlands

"James M. Atkinson" wrote:

For TSCM purposes, what is the impedance of the wiring that services a typical PIR sensor hooked up to an Alarm Panel.

The biggest concern is audio signals present on the power lines that go to the sensor, and a method to couple sweep gear into the active wires without presenting enough of an impedance mismatch to trip the alarm or reset the circuit. Also, important to shoot a TDR pulse into all of the lines to trace out the presence of an eavesdropping device.
-jma

10129
From:
Date: Sun Nov 14, 2004 0:45pm
Subject: New poll for TSCM-L

Enter your vote today! A new poll has been created for the TSCM-L group:

What style of X-Ray or penetrative imaging system (if any) do you use.
If you can not access the Polls section of Yahoo then please privately email your thoughts on the subject to me.

o Emitter - Golden XR Series (stand alone tube)
o Emitter - Pass Through/Box Type
o Plate - Digital System (ie: RTR)
o Plate - Film Based (ie: Golden)
o Do Not Use X-Ray Imaging
o 3-D Tomography
o 3-D Micro Tomography
o Phase Array 3-D Tomography
o Millimeter Wave Tomography

To vote, please visit the following web page:
http://groups.yahoo.com/group/TSCM-L/surveys?id=1500738

Note: Please do not reply to this message. Poll votes are not collected via email. To vote, you must go to the Yahoo! Groups web site listed above.

Thanks!

10130
From: James M. Atkinson
Date: Sun Nov 14, 2004 1:44pm
Subject: Re: Impedance of a Typical Alarm PIR Cable Run

Marc,

I am trying to determine a range of impedances present on a variety of live alarm sensor lines so that when I am running a TDR across the lines I can set up a faster impedance match instead of "tuning up" the line each time I switch into a different cable.

With Time Domain Reflectometry it is extremely important to have a smooth transition or impedance match between the final driver in the TDR, the line under test, and the circuit that is sampling the line. It is undesirable to connect to a live alarm line without first having a close match, as you will introduce a slight spike in the line that may trip an alarm on that sensor. This is quite important if you are in the non-alerting stage of the sweep and haven't yet approached the sound stage.

Quite a few alarm sensors in the U.S. integrate a microphone into the system, but in some states it is illegal to have, use, or possess such a system due to the eavesdropping laws. A few years back there were a number of lawsuits over the issue, and the companies that were using, and the companies that installed, the systems lost a huge suit.

The audio transmitters you mention can be done by introducing a microphone into the sensor housing, or by taping or suspending a small piece of foil or metalized mylar onto the microwave beam of the sensor. A good example of this would be a PIR/Microwave sensor that is mounted on the wall of the office of an executive and is directed towards the window with drapes. The eavesdropper places a very lightweight piece of foil inside of or behind the drapes. The air in the room slightly moves the foil, which causes a very slight doppler shift in the 10 GHz signal that can be picked up some distance away from the targeted area. The critical parts of the equation are that the metallic foil has to be as thin and light as possible (minimal mass), should be in the main beam (easy enough), and should have sharp, almost sawtooth edges around the outside.

The same type of threat exists on the infrared side of the sensor as well, where a beam of infrared light can be used to carry the intelligence off of the sound stage and into a repeater location.

One of the more dangerous situations (from a TSCM perspective) is PIR sensors inside a conference room, or mounted on the walls just outside a conference room. In both cases a spy can access the sensor for less than 5 minutes and introduce a hostile device that will be missed by most TSCM equipment. The PIRs can then be used to bounce the audio signal down the hall or out a window where the eavesdropper can pick it up.

In such cases a microphone is introduced into a PIR sensor in the targeted area (in this case an executive conference room); since all cable runs for the PIRs in the area are often shared, the audio signal is present at all other PIRs in the immediate area. The spy simply picks an office or other area on the same cable run and uses the audio signal to modulate the IR at some distance away from the targeted area.

This threat can be blended with the microwave motion sensor where the IR receiver directly modulates the microwave transmitter. Remember that most microwave motion sensors are looking for a doppler shift, not a slight shift caused by audio modulating the RF. The spy then picks the last chain on the PIR wiring and introduces a filter to keep the audio from reaching the alarm panel, where it could cause a false alarm or cause the bugging to be discovered by a TSCM person.

But to get back to the issue of the impedance of the alarm line... the biggest annoyance is that you have not only the power supply wire to contend with but also the signalling lines, which have to be handled carefully, as the alarm monitor will detect that mischief is afoot if you're not careful. Checking alarm lines is also a hassle, as there are invariably extra wires in the cable that are not used for anything, and the sensors are commonly installed in a shared bus configuration that is very time consuming to examine. It doesn't help that each of the wires in the cable is at a different impedance, and has a different termination on each end.

-jma

At 11:44 AM 11/14/2004, mark de Boer wrote:
>James,
>
>Here in the Netherlands alarm systems are sold that have audio circuits
>in them for the alarm central to "listen in" for alarm verification by a
>company called CIPE. This type of system almost asks for a wire tap routed
>via PSTN.
>This system is not used by quality installers but it's out there.
>Do you have similar systems in the States?
>
>Also I've heard of dual detector/radar PIRs transformed into radar
>transmitters that transmit the audio from the room. It was a reliable
>source (I personally never saw it myself).
>
>Perhaps the best way to check for audio is to put the scope on the data bus
>lines and also check the power use in milliamps for every detector (when
>having access to the specs from the alarm system).
>
>Best regards
>
>Marc
>RRBsecurity
>Netherlands

10131
From: James M. Atkinson
Date: Sun Nov 14, 2004 3:24pm
Subject: White House has ordered new chief to eliminate officers who were disloyal to Bush

http://www.newsday.com/news/nationworld/nation/ny-uscia1114,0,707331.story?coll=ny-top-headlines

CIA plans to purge its agency
Sources say White House has ordered new chief to eliminate officers who were disloyal to Bush

BY KNUT ROYCE
WASHINGTON BUREAU
November 14, 2004

WASHINGTON -- The White House has ordered the new CIA director, Porter Goss, to purge the agency of officers believed to have been disloyal to President George W. Bush or of leaking damaging information to the media about the conduct of the Iraq war and the hunt for Osama bin Laden, according to knowledgeable sources.

"The agency is being purged on instructions from the White House," said a former senior CIA official who maintains close ties to both the agency and to the White House. "Goss was given instructions ... to get rid of those soft leakers and liberal Democrats. The CIA is looked on by the White House as a hotbed of liberals and people who have been obstructing the president's agenda."
One of the first casualties appears to be Stephen R. Kappes, deputy director of clandestine services, the CIA's most powerful division. The Washington Post reported yesterday that Kappes had tendered his resignation after a confrontation with Goss' chief of staff, Patrick Murray, but at the behest of the White House had agreed to delay his decision till tomorrow.

But the former senior CIA official said that the White House "doesn't want Steve Kappes to reconsider his resignation. That might be the spin they put on it, but they want him out." He said the job had already been offered to the former chief of the European Division who retired after a spat with then-CIA Director George Tenet.

Another recently retired top CIA official said he was unsure Kappes had "officially resigned, but I do know he was unhappy."

Without confirming or denying that the job offer had been made, a CIA spokesman asked Newsday to withhold naming the former officer because of his undercover role over the years. He said he had no comment about Goss' personnel plans, but he added that changes at the top are not unusual when new directors come in.

On Friday John E. McLaughlin, a 32-year veteran of the intelligence division who served as acting CIA director before Goss took over, announced that he was retiring. The spokesman said that the retirement had been planned and was unrelated to the Kappes resignation or to other morale problems inside the CIA.

It could not be learned yesterday if the White House had identified Kappes, a respected operations officer, as one of the officials "disloyal" to Bush.

"The president understands and appreciates the sacrifices made by the members of the intelligence community in the war against terrorism," said a White House official of the report that he was purging the CIA of "disloyal" officials. " . . . The suggestion [that he ordered a purge] is inaccurate."

But another former CIA official who retains good contacts within the agency said that Goss and his top aides, who served on his staff when Goss was chairman of the House intelligence committee, believe the agency had relied too much over the years on liaison work with foreign intelligence agencies and had not done enough to develop its own intelligence collection system.

"Goss is not a believer in liaison work," said this retired official. But, he said, the CIA's "best intelligence really comes from liaison work. The CIA is simply not going to develop the assets [agents and case officers] that would meet the intelligence requirements."

Tensions between the White House and the CIA have been the talk of the town for at least a year, especially as leaks about the mishandling of the Iraq war have dominated front pages. Some of the most damaging leaks came from Michael Scheuer, former head of the CIA's Bin Laden unit, who wrote a book anonymously called "Imperial Hubris" that criticized what he said was the administration's lack of resolve in tracking down the al-Qaida chieftain and the reallocation of intelligence and military manpower from the war on terrorism to the war in Iraq. Scheuer announced Thursday that he was resigning from the agency.
10132
From: James M. Atkinson
Date: Mon Nov 15, 2004 6:44am
Subject: CIA veterans clash with new chief - Senior officers fear Goss too isolated; resignations mount

[If you do sweeps for the agency, or work at the schoolhouse, you should dust off your resume, start chatting with recruiters, and begin looking at the help wanted ads on Sundays. -jma]

CIA veterans clash with new chief
Senior officers fear Goss too isolated; resignations mount

By Walter Pincus and Dana Priest
The Washington Post
Updated: 12:00 a.m. ET Nov. 14, 2004

WASHINGTON - Within the past month, four former deputy directors of operations have tried to offer CIA Director Porter J. Goss advice about changing the clandestine service without setting off a rebellion, but Goss has declined to speak to any of them, said former CIA officials aware of the communications.

The four senior officials represent nearly two decades of experience leading the Directorate of Operations under both Republican and Democratic presidents. The officials were dismayed by the reaction and were concerned that Goss has isolated himself from the agency's senior staff, said former clandestine service officers aware of the offers.

The senior operations officials "wanted to talk as old colleagues and tell him to stop what he was doing the way he was doing it," said a former senior official familiar with the effort.

More defections coming?

Last week, Deputy Director John E. McLaughlin retired after a series of confrontations between senior operations officials and Goss's top aide, Patrick Murray. Days before, the chief of the clandestine service, Stephen R. Kappes, said he would resign rather than carry out Murray's demand to fire Kappes's deputy, Michael Sulick, for challenging Murray's authority.
Goss and the White House asked Kappes to delay his decision until Monday, but they are actively considering his replacement, several current and former CIA officials said. Kappes, whose accomplishments include persuading Libyan leader Moammar Gaddafi to renounce weapons of mass destruction this year, began removing personal photos from his office walls yesterday, associates said.

A handful of other senior undercover operations officers have talked seriously about resigning, as soon as Monday.

"Each side doesn't understand the other's culture very well," one former senior operations officer said. "There is a way to do this elegantly. You don't have to humiliate people. You bring in people with really weak credentials, and everyone is going to rally around the flag."

Culture clash

Agency officials have criticized as inexperienced the four former Hill staff members Goss brought with him. Goss's first choice for executive director - the agency's third-ranking official - withdrew his name after The Washington Post reported that he left the agency 20 years ago after having been arrested for shoplifting.

Through his CIA spokesman, Goss, a former CIA case officer and chairman of the House intelligence committee, declined to comment about these matters.

At his Senate confirmation hearing Sept. 14, Goss said, "There is too much management at headquarters," which he said was "too bureaucratic" and had "stifled some of the innovation, some of the creativity and, frankly some of the risk-taking in the field."

He described one "stroke-of-a-pen fix" that he was considering: "Reassurance that people will be supported in the field, building the morale, those are more leadership issues."

He also offered a glimpse of his management style. "I believe it takes, sometimes, very blunt, strong language" to get changes made. "I don't like doing it - I call it tough love - but I think occasionally you have to do that."

Goss has adopted a management style that relies heavily on former committee staff aides, several of whom are former mid-level CIA employees not well regarded within the CIA's Directorate of Operations. Murray, the new chief of staff, has been perceived by operations officers as particularly disrespectful and mistrustful of career employees.

One former senior DO official agreed yesterday that some changes were needed, saying: "Clean the place out if it's needed, but you've got to be clever about it."

The disruption comes as the CIA is trying to stay abreast of a worldwide terrorist threat from al Qaeda, a growing insurgency in Iraq, the return of the Taliban in Afghanistan and congressional proposals to reorganize the intelligence agencies. The agency also has been criticized for not preventing the Sept. 11, 2001, attacks and not accurately assessing Saddam Hussein's ability to produce weapons of mass destruction.

Advice reportedly rebuffed

The four former deputy directors of operations who have tried to offer Goss advice are Thomas Twetten, Jack Downing, Richard F. Stoltz and the recently retired James L. Pavitt. They "wanted to save him from going through" what two other directors, Stansfield Turner and John M. Deutch, had experienced when they tried to make personnel changes quickly, one former senior official aware of their efforts said.

Turner and Deutch served under Democratic presidents. Turner wanted to clean house after the Watergate scandal and CIA "dirty tricks" exposed during the Church Commission hearings. Deutch sought to change the inbred culture of the operations staff after the Iran-contra scandal.

The Directorate of Operations numbers about 5,000 people, including about 1,000 covert operators overseas, and runs foreign spying, including counterterrorism operations. Because its operators engage in undercover activities, often on their own, they are a difficult group to manage and control.

To win their support, Goss's immediate predecessor, George J. Tenet, met with the former directors regularly. He sought advice from them individually and started to rebuild the clandestine service, which was cut by Deutch after its main adversary, the Soviet Union, dissolved, and before terrorism became a central focus.

Although Kappes has not left his job, several people have been approached or screened as his replacement. One is the director of the counterterrorism center; the other is the station chief in London. Both are undercover and may not be identified by name.

Another candidate, according to current and former CIA officials, is Richard P. Lawless Jr., a former CIA operations officer who is deputy assistant secretary of defense for Asian and Pacific affairs, according to a CIA official who asked not to be identified. Lawless served in the agency from 1972 to 1987, when he left after running afoul of senior DO officers while carrying out secret missions for then-CIA Director William J. Casey.

Lawless then opened a private consulting firm that did business in Asia, particularly with Taiwan and South Korea. In a 2002 profile in the Taipei Times, Lawless was described as having "long-term ties to President Bush's brother, Florida Governor Jeb Bush." The two met shortly after Lawless set up his consulting firm and Jeb Bush was Florida's secretary of commerce seeking business in Asia.
Atkinson Phone: (978) 381-9111 Granite Island Group Fax: 127 Eastern Avenue #291 Web: http://www.tscm.com/ Gloucester, MA 01931-8008 Email: mailto:jmatk@tscm.com ----------------------------------------------------------------------------------------------------- World Class, Professional, Ethical, and Competent Bug Sweeps, and Wiretap Detection using Sophisticated Laboratory Grade Test Equipment. ----------------------------------------------------------------------------------------------------- 10133 From: Hawkspirit Date: Mon Nov 15, 2004 8:54am Subject: Alarm Sweep Using a standard "O"scope on these four alarm lines should tell you all you need to know without interfering with the circuit. The DC power feed to the sensors should have no AC present. The signaling pair will be quiet or have alarm system data flow. I would not inject TDR pulses into alarm electronics without having the assistance of the alarm company. The last thing you want to do on a weekend sweep is bring down an alarm system. In most cases the sensor feed lines terminate in an inaccessible locked control central panel. Roger Tolces Electronic Security Co. www.bugsweeps.com Date: Sat, 13 Nov 2004 22:54:14 -0500 From: "James M. Atkinson" Subject: Impedance of a Typical Alarm PIR Cable Run For TSCM purposes, what is the impedance of the wiring that services a typical PIR sensor hooked up to an Alarm Panel. The biggest concern is audio signals present on the power lines that go to the sensor, and a method to couple sweep gear into the active wires without presenting enough of an impedance mismatch to trip the alarm or reset the circuit. Also, important to shoot a TDR pulse into all of the lines to trace out the presence of an eavesdropping device. 
-jma

10134
From:
Date: Tue Nov 16, 2004 9:25am
Subject: Re: CIA veterans clash with new chief - Senior officers fear Goss too isolated; resignations mount

Looks like Colin Powell just resigned this morning.

..... Original Message .......
On Mon, 15 Nov 2004 07:44:54 -0500 "James M. Atkinson" wrote:
>
>[If you do sweeps for the agency, or work at the schoolhouse you should dust off your resume, start chatting with recruiters, and begin looking at the help wanted ads on Sundays. -jma]
>
>CIA veterans clash with new chief
>Senior officers fear Goss too isolated; resignations mount
>
>By Walter Pincus and Dana Priest
>The Washington Post
>Updated: 12:00 a.m. ET Nov. 14, 2004
>
>WASHINGTON - Within the past month, four former deputy directors of operations have tried to offer CIA Director Porter J. Goss advice about changing the clandestine service without setting off a rebellion, but Goss has declined to speak to any of them, said former CIA officials aware of the communications.
>
>The four senior officials represent nearly two decades of experience leading the Directorate of Operations under both Republican and Democratic presidents. The officials were dismayed by the reaction and were concerned that Goss has isolated himself from the agency's senior staff, said former clandestine service officers aware of the offers.
>
>The senior operations officials "wanted to talk as old colleagues and tell him to stop what he was doing the way he was doing it," said a former senior official familiar with the effort.
>
>More defections coming?
>Last week, Deputy Director John E. McLaughlin retired after a series of confrontations between senior operations officials and Goss's top aide, Patrick Murray. Days before, the chief of the clandestine service, Stephen R. Kappes, said he would resign rather than carry out Murray's demand to fire Kappes's deputy, Michael Sulick, for challenging Murray's authority.
>
>Goss and the White House asked Kappes to delay his decision until Monday, but they are actively considering his replacement, several current and former CIA officials said.
>
>Kappes, whose accomplishments include persuading Libyan leader Moammar Gaddafi to renounce weapons of mass destruction this year, began removing personal photos from his office walls yesterday, associates said.
>
>A handful of other senior undercover operations officers have talked seriously about resigning, as soon as Monday.
>
>"Each side doesn't understand the other's culture very well," one former senior operations officer said. "There is a way to do this elegantly. You don't have to humiliate people. You bring in people with really weak credentials, and everyone is going to rally around the flag."
>
>Culture clash
>Agency officials have criticized as inexperienced the four former Hill staff members Goss brought with him. Goss's first choice for executive director - the agency's third-ranking official - withdrew his name after The Washington Post reported that he left the agency 20 years ago after having been arrested for shoplifting.
>
>Through his CIA spokesman, Goss, a former CIA case officer and chairman of the House intelligence committee, declined to comment about these matters.
>
>At his Senate confirmation hearing Sept. 14, Goss said, "There is too much management at headquarters," which he said was "too bureaucratic" and had "stifled some of the innovation, some of the creativity and, frankly some of the risk-taking in the field."
>
>He described one "stroke-of-a-pen fix" that he was considering: "Reassurance that people will be supported in the field, building the morale, those are more leadership issues."
>
>He also offered a glimpse of his management style. "I believe it takes, sometimes, very blunt, strong language" to get changes made. "I don't like doing it - I call it tough love - but I think occasionally you have to do that."
>
>Goss has adopted a management style that relies heavily on former committee staff aides, several of whom are former mid-level CIA employees not well regarded within the CIA's Directorate of Operations. Murray, the new chief of staff, has been perceived by operations officers as particularly disrespectful and mistrustful of career employees.
>
>One former senior DO official agreed yesterday that some changes were needed, saying: "Clean the place out if it's needed, but you've got to be clever about it."
>
>The disruption comes as the CIA is trying to stay abreast of a worldwide terrorist threat from al Qaeda, a growing insurgency in Iraq, the return of the Taliban in Afghanistan and congressional proposals to reorganize the intelligence agencies. The agency also has been criticized for not preventing the Sept. 11, 2001, attacks and not accurately assessing Saddam Hussein's ability to produce weapons of mass destruction.
>
>Advice reportedly rebuffed
>The four former deputy directors of operations who have tried to offer Goss advice are Thomas Twetten, Jack Downing, Richard F. Stoltz and the recently retired James L. Pavitt.
>
>They "wanted to save him from going through" what two other directors, Stansfield Turner and John M. Deutch, had experienced when they tried to make personnel changes quickly, one former senior official aware of their efforts said.
>
>Turner and Deutch served under Democratic presidents. Turner wanted to clean house after the Watergate scandal and CIA "dirty tricks" exposed during the Church Commission hearings. Deutch sought to change the inbred culture of the operations staff after the Iran-contra scandal.
>
>The Directorate of Operations numbers about 5,000 people, including about 1,000 covert operators overseas, and runs foreign spying, including counterterrorism operations. Because its operators engage in undercover activities, often on their own, they are a difficult group to manage and control.
>
>To win their support, Goss's immediate predecessor, George J. Tenet, met with the former directors regularly. He sought advice from them individually and started to rebuild the clandestine service, which was cut by Deutch after its main adversary, the Soviet Union, dissolved, and before terrorism became a central focus.
>
>Although Kappes has not left his job, several people have been approached or screened as his replacement. One is the director of the counterterrorism center; the other is the station chief in London. Both are undercover and may not be identified by name.
>
>Another candidate, according to current and former CIA officials, is Richard P. Lawless Jr., a former CIA operations officer who is deputy assistant secretary of defense for Asian and Pacific affairs, according to a CIA official who asked not to be identified. Lawless served in the agency from 1972 to 1987, when he left after running afoul of senior DO officers while carrying out secret missions for then-CIA Director William J. Casey.
>
>Lawless then opened a private consulting firm that did business in Asia, particularly with Taiwan and South Korea. In a 2002 profile in the Taipei Times, Lawless was described as having "long-term ties to President Bush's brother, Florida Governor Jeb Bush." The two met shortly after Lawless set up his consulting firm and Jeb Bush was Florida's secretary of commerce seeking business in Asia.
>
>-----------------------------------------------------------------------------------------------------
>We Expertly Hunt Real Spies, Real Eavesdroppers, and Real Wiretappers.
>-----------------------------------------------------------------------------------------------------
> James M. Atkinson                    Phone: (978) 381-9111
> Granite Island Group                 Fax:
> 127 Eastern Avenue #291              Web: http://www.tscm.com/
> Gloucester, MA 01931-8008            Email: mailto:jmatk@tscm.com
>-----------------------------------------------------------------------------------------------------
> World Class, Professional, Ethical, and Competent Bug Sweeps, and Wiretap Detection using Sophisticated Laboratory Grade Test Equipment.
>-----------------------------------------------------------------------------------------------------
>
>========================================================
> TSCM-L Technical Security Mailing List
> "In a multitude of counselors there is strength"
>
> To subscribe to the TSCM-L mailing list visit:
>http://www.yahoogroups.com/community/TSCM-L
>
> It is by caffeine alone I set my mind in motion.
> It is by the juice of Star Bucks that thoughts acquire speed,
> the hands acquire shaking, the shaking is a warning.
> It is by caffeine alone I set my mind in motion.
>=================================================== TSKS
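The oscilloscope check in the Alarm Sweep thread above (message 10133: the DC feed to the sensors should carry no AC, and jma's concern about audio on the sensor power lines) can be made repeatable once a scope trace is captured as samples. The Python below is an added example, not code from the thread or from any of its posters; the 8 kHz sample rate, the 5 mV noise tolerance, the 300-3400 Hz voice band and the sample traces are all constructed assumptions.

```python
import math
import random

FS = 8000  # assumed sample rate of the scope capture, Hz (not from the post)


def make_trace(dc_volts, tone_hz=None, tone_mv=0.0, n=4000, noise_mv=1.0, seed=1):
    """Constructed sample trace of a sensor DC feed (volts), with an optional
    audio-band tone riding on it. Synthetic test data, not a real capture."""
    rng = random.Random(seed)
    trace = []
    for i in range(n):
        v = dc_volts + rng.gauss(0.0, noise_mv / 1000.0)  # scope/supply noise
        if tone_hz:
            v += (tone_mv / 1000.0) * math.sin(2 * math.pi * tone_hz * i / FS)
        trace.append(v)
    return trace


def goertzel_amplitude(samples, freq_hz, fs=FS):
    """Amplitude (volts) of one frequency bin via the Goertzel recurrence,
    scaled so a pure tone of amplitude A at that bin returns roughly A."""
    n = len(samples)
    k = round(freq_hz * n / fs)
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s1 = s2 = 0.0
    for x in samples:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    power = s1 * s1 + s2 * s2 - coeff * s1 * s2
    return 2.0 * math.sqrt(max(power, 0.0)) / n


def check_dc_feed(samples, ac_rms_limit_mv=5.0, band_hz=(300, 3400), step_hz=100):
    """Report DC level, AC residual and the strongest voice-band component.
    The post's rule is that the DC feed should carry no AC; the limit here is an
    assumed tolerance for ordinary noise, not a figure from the thread."""
    mean = sum(samples) / len(samples)
    ac = [x - mean for x in samples]                      # strip the DC component
    ac_rms_mv = 1000.0 * math.sqrt(sum(a * a for a in ac) / len(ac))
    peak_hz, peak_mv = max(
        ((f, 1000.0 * goertzel_amplitude(ac, f)) for f in range(band_hz[0], band_hz[1] + 1, step_hz)),
        key=lambda p: p[1],
    )
    return {"dc_v": round(mean, 2), "ac_rms_mv": round(ac_rms_mv, 2),
            "peak_hz": peak_hz, "peak_mv": round(peak_mv, 2),
            "suspicious": ac_rms_mv > ac_rms_limit_mv}


if __name__ == "__main__":
    print(check_dc_feed(make_trace(12.0)))                              # clean 12 V feed
    print(check_dc_feed(make_trace(12.0, tone_hz=1000, tone_mv=20.0)))  # audio riding on the DC
```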