Printer Friendly

When competitors really bug you.

Two men are speaking in hushed tones in a conference room. The door is locked, and secretaries have been given orders for the men not to be disturbed. Both men are intent and agitated.

"I just don't understand, Dan.

"I know, George, I don't understand either.

"We worked so hard on this account. Do you realize the amount of money and resources we put into this job? "

"It's not just the money, Dan, but the original ideas that our staff came up with. Our competition came up with the exact same plan for the client and underbid us just enough to get the account. "

"Our competitors must have a psychic working for them. We took steps to protect our project. We only discussed it in our offices or in the conference room. Only you and I knew the contents of the entire project. I just don't know. "

In another area of the same building, a man enters a room that is seldom used. He opens a small box stored in a corner of the room and removes a cassette tape. As he leaves the room, he slips the tape into his pocket.

Miles away, at another office, a secretary announces a Mr. Smith. The executive informs his secretary to show Mr. Smith in. Mr. Smith enters and closes the door behind him. He removes a tape from his pocket and gives it to the man behind the desk in return for an envelope.

Mr. Smith looks at the man and asks, "Again? "

The man behind the desk looks up at Mr. Smith and replies, "Yes. "

Mr. Smith turns and leaves the office. The man buzzes his secretary and tells her to hold his calls. He places the tape in a recorder and presses the button marked play.

The tape begins:

"I just don't understand, Dan.

i i know, George, I don't understand either.

"We worked so hard on this account .

The man smiles.

TO MANY, ESPIONAGE CONJURES up a picture of someone in a long black leather coat stealing another country's secrets so that his or her country can be victorious over the first.

Industrial espionage can be viewed as individuals in well-tailored suits obtaining another company's secrets so that their company can be financially victorious over the first. Proprietary information is one of a company's most valuable assets, and it should be protected with the same degree of determination as a company's tangible assets, if not more so.

The level of threat is determined by the value of the information. Information that may be targeted includes * advertising strategies * marketing plans * trade secrets * stocks, bonds, and trading information * client lists and customer information * Department of Defense contractors' operations * labor negotiations * political strategies * hiring and firing information * entertainment contract negotiations * court cases, trial preparation, and client conferences * information on sports teams and famous sports figures * any other information that can give one entity an advantage over another

People have committed robberies, burglaries, and, in some cases, murders to obtain proprietary information. Stealing proprietary information can net the offender from tens of thousands to millions of dollars. With such an incentive, the theft of information is a very real avenue for a competitor to use against a corporation.

WE HAVE ESTABLISHED A MOTIVE for theft; now what about opportunity? Crain's Chicago Business, a leading Chicago-area business magazine, stated the following in a radio ad campaign: "A listening device configured like a common ball point pen can pick up conversations in a boardroom. If you want to know what is going on in business in Chicago, read Crain's Business."

The pen mentioned in the advertisement is not the figment of some ad writer's imagination. The pen has an operating time of up to 15 hours and a range of 200 meters. The pen transmitter and a number of other similar devices do exist. What is more frightening is that they are readily available to anyone.

Transmitters the size of a matchbox can be bought at many electronic stores. They are sold as "wireless microphones" to be used by individuals who wish to speak and have their voices amplified through an ordinary AM or FM radio receiver. With a small modification, these transmitters can be made to transmit just above or below the tuning capabilities of a common AM or FM radio. This small modification transforms an easily obtainable, legitimate device into an inexpensive listening device that can transmit conversations and is virtually undetectable by normal means.

Another listening device available from electronic and discount stores is the wireless intercom. There are two types. The first transmits an audio signal using radio waves for its transmission. A radio frequency receiver is used to listen to the audio captured. The device is effective; however, its range is limited.

The second type, and the most dangerous, transmits audio over standard AC power lines, which exist in every home and business. These listening devices can be built into walls, floors, and ceilings. When connected to an AC power source, they can function indefinitely. They are about the size of a pack of cigarettes (but can be made smaller) and can be disguised to resemble an electrical wall receptacle.

With a small modification, they can also be built into any appliance using AC power. The receiver can be plugged into an AC power receptacle in another part of the building. The receiver can then capture the audio from the room where the transmitter has been placed. The receiver can pick up a signal from the transmitter as long as both the transmitter and receiver are on the same side of the power company's transformer. The effective distance can be an entire office building or hotel, or, in the case of a private residence, the distance of several houses.

Telephone transmitters can be bought through the mail from companies that advertise in electronics magazines. These miniature devices, about the size of a AAA battery, can be secreted inside a telephone. When installed, the device looks just like a component of the telephone and is virtually undetectable by someone who is not familiar with it. The transmitter will transmit conversations whenever a call is made or received from the telephone. Power is leached from the telephone line, making battery replacement unnecessary.

Tape recorders can be placed on telephone lines using a device the size of a pack of cigarettes to turn the recorder on only when the telephone is off the hook. This conserves the battery powering the recorder and reduces the number of times the tape must be changed.

Extended time recorders that hold up to 12 hours on one cassette are available. The device is normally placed at any point between the telephone and the first interior appearance point (the location where the telephone company's lines enter the building). Once the device is attached, anyone - an employee, a maintenance worker, or a cleaning person-can remove the recorded tape and replace it with a blank one.

Another way to use the extended time recorder is in conjunction with a voice-activated-or VOX-switch. This switch turns on the recorder when it senses audio. This configuration can be placed under a boardroom conference table, in the ceiling, under furniture, or camouflaged in some other manner. The device only records when there is audio in the room, thus conserving the battery powering the recorder and reducing the number of times the tape must be changed. This is what is referred to as a passive device, since it is only active or operational when audio is present.

The infinity transmitter is a dangerous device. Years ago when it was first introduced, it was called a harmonica bug. The transmitter is placed in or near a telephone. The target's telephone can then be called from anywhere in the world, by land line or cellular. Just after the number is dialed, a tone generator is held at the mouthpiece of the caller's telephone. In the past, a harmonica was blown into the mouthpiece, hence the term harmonica bug. The target's telephone does not ring, but the phone answers and remains on hook. The caller can then listen to all audio in the room where the infinity transmitter was placed. The bug stays on until the caller hangs up.

This device is being marketed in this country under the guise of a "security device. " A person can supposedly dial his or her phone number from anywhere in the world and listen to see if a burglar is rummaging around in his or her office or home.

Unused wires, or spare pairs, can be used to carry audio from and to most rooms in a building or a residence. Business phones almost always have unused pairs leading from the telephone to the frame room. A microphone can be connected to an unused pair in an office and then picked up in the telephone frame room.

In many condominium and apartment buildings, a 25- to 50-pair cable is strung through all the apartments. The correct pair is then connected to the modular jack for each resident. The problem with this method of running cable is that all of the apartments' telephone lines may be accessed in any one of the apartments.

A number of "how to" books are available that explain in detail how to build, install, and monitor telephone transmitters, room transmitters, and other listening devices. With the aid of these books, a person with a minimum amount of electronic understanding can build, install, and monitor a sophisticated device.

The Watergate eavesdroppers commissioned the construction of a listening device for 30,000 to be used in one of their operations. Today, this same type of device is commercially available, easily obtained, and may be purchased for less then $750.

A variety of devices are used in offices or residences to transfer information. And all of these devices are susceptible to attack.

Fax. The fax has become a fixture in today's office. It transmits documents over phone lines through tones that are unintelligible when heard. Many people are under the misconception that since these tones can't be understood, fax transmissions are safe. To compromise a fax transmission, all that is needed is a recording of these tones. The recording can then be played into another fax machine and the document printed out.

Data transmission is similar to the fax. With the aid of a modem, tones are used to transmit data over telephone lines and dedicated computer system lines. When these lines are intercepted, the tones can be recorded and then downloaded through another modem to a PC. The data can then be reviewed at leisure.

Phones. Despite warnings, people often discuss sensitive information about their company's operations over the phone. Many government offices and military bases have a sticker on their telephones that says, "This phone is not secure. " Companies should be aware that telephone conversations can be compromised easily.

Meetings and conferences. Executives accomplish a great deal during meetings and conferences, and the information discussed during these exchanges may be sensitive or confidential. Conversations can be compromised during these sessions, whether they take place in executive offices, boardrooms, conference rooms, or hotel rooms.

Video. With video teleconferencing, meetings can take place with participants located in different countries. Not only can you hear the person you are speaking to, but you can also see him or her. This technology uses either hard wire or RF (radio frequency) to transmit the signal, and either method can be compromised using the appropriate intercept device.

Bugs and taps. These terms are often misused in publications, in movies and television, and by the news media. A bug is a clandestine listening device designed to capture oral communications. An example would be a wired microphone or a miniature radio transmitter. An appropriate term for this type of device is an oral intercept device (OID).

Tap is a term applied to the direct or indirect connection of a device to a pair of telephone wires for the purpose of capturing oral communication. An appropriate term for this type of device is a wire communication intercept device (WCID).

On June 19, 1934, Congress enacted the Federal Communications Act (ch. 652, (sections of)605, 48 stat. 1103, as amended, 47 USC (sections of)605). The law said, in essence: No person not being authorized by the sender shall intercept any communication and divulge or publish the existence, contents, substance, purport, effect, or meaning of such intercepted communications to any person.

MOST STATES ALREADY HAD some type of law prohibiting wiretapping; however, none of these statutes was enforced. The law, in effect, legalized wiretapping by default since these laws were not enforced.

Bugging, although addressed in the law, was also vague. The difference between bugging being legal as opposed to illegal depended on whether the entry to the place to attach the device constituted an illegal trespass.

On June 19, 1968, Congress enacted the Omnibus Crime and Safe Streets Act. The portion of this law that addressed wire communications intercepts and oral intercepts was referred to as Title III, 18 USC (sections of)2510-2520. Title III stringently regulates the use of wiretaps and listening devices by federal law enforcement agencies, requiring a court order issued by a court of competent jurisdiction. The use of wiretaps and listening devices by private parties is also prohibited, specifically in instances that directly or indirectly affect interstate commerce.

The law also prohibits recording people's conversations, unless one of the parties agrees to it. In regard to industrial espionage, it is the third or unknown party who records the conversation, making the recording a federal offense. Many states, such as Illinois, have enacted similar and more stringent laws requiring all parties of a conversation to agree to the recording.

Title Ill also addresses several additional areas indirectly related to intercepting conversations. (section of)2512(l)(a) prohibits the distribution, possession, advertisement, and mailing of any electronic, mechanical, and other device whose design "renders it primarily useful for the purpose of surreptitious interception of wire or oral communications." This law has been qualified to reflect that size alone will not be used as a criterion. However, according to Senate Report 1097, "A device will not escape the prohibition merely because it may have innocent uses."

Unfortunately a variety of devices are available by mail order that are advertised specifically as listening devices. It is difficult to believe that the primary design of devices described in ads as FM telephone transmitters, infinity transmitters, telephone taps, and room bugs have any purpose in life other than to surreptitiously intercept wire or oral communications. Title 111, as amended, also addresses and prohibits intercepting communications using cellular telephone and data transmissions.

Locations that store sensitive proprietary information or are used for discussing confidential information should be examined for electronic intercept devices. Searches have been referred to as countermeasures, TSCM (technical surveillance countermeasures), sweeps, and electronic intercept detection (EID).

The EID search should be planned so that a minimum number of people know a search is to be conducted. The search should be scheduled so it doesn't interfere with the company's normal operations. After hours is an ideal time.

Some companies, however, do searches during business hours. While the search should still be planned with only the minimum number of people aware that it is to take place, no attempt should be made to disguise it. A disguise can be a deterrent, especially if it is common knowledge among employees that the company regularly conducts unscheduled EID searches. The search should cover four main areas: * The radio-frequency spectrum should be examined for emanations transmitting audio from the area searched. A computer-controlled radio-frequency scanning receiver with an auto frequency locking and alarming option or a spectrum analyzer should be used. A broad-spectrum radio-frequency detector/field-strength meter used to supplement the RF scanning receiver or spectrum analyzer is acceptable. However, this should not be the only device used to search for RF devices because it is ineffective in areas with a high concentration of ambient RF signals. * The AC power lines should be tested for audio in the form of a carrier or subcarrier. A tunable receiver that can be connected to the AC power line is used to test for audio on these lines. A number of inexpensive, wireless intercom systems transmit on the AC power lines. Intercoms can be accidentally or intentionally left on, transmitting important conversations from conference rooms to an intercom listening station. * Telephones and telephone lines can be attacked in a number of ways. A telephone analyzer also reads on-hook and off-hook voltage. These readings are helpful when interpreted in conjunction with the other examinations made. Telephones and telephone lines should be physically examined for unauthorized devices and modifications. Suspicious wires and cables should be tested for unauthorized audio and traced. * An in-depth search should be made for passive devices, devices that do not emanate a signal or transmit audio at the time of the search. Devices that are the subject of this facet of the search are VOX tape recorders and transmitters placed in a sleep mode or activated by a timer. Structural material such as ventilator ducts and conduit pipe should be tested for audio conductivity. Unused wire pairs should be tested for audio, identified, and traced.

After the search, those involved should tell management what has or has not been located. The oral report should be followed by a written report explaining the search's methods, its results, and recommendations to reduce and eliminate possible compromise.

The team doing the search can be proprietary or a consulting firm specializing in electronic intercept detection. Few companies, however, have the resources to support an in-house EID team. The equipment alone can cost from $25,000 to $75,000.

A number of highly skilled, experienced consultants offer EID services. Companies that offer this service often subcontract the work to a consultant who specializes in the field.

People who conduct EID searches should have formal training in EID. Training should be documented, and copies of the documentation should be available to a company on request.

Experience is also necessary. People with superior credentials, for example, will have had offensive as well as defensive training and experience. They would have obtained such training and experience as employees of a government agency authorized to conduct electronic surveillance. Consultants should also be able to provide a company with a list of the equipment they have used, and that equipment should be state-of-the-art.

A company that hires a consultant should make sure the individual signs a nondisclosure agreement before doing a search. Because searches frequently require a consultant to examine an executive's private office thoroughly, sensitive materials are often observed. In many cases, a company will need to tell the consultant the type of information that needs to be protected so the consultant can better analyze the potential and means of information loss.

Consultants should give companies references on request. While many companies that have had EID searches don't want it publicized, a consultant should be able to give you the names of at least a few companies that have agreed to act as references.

A company should also get a proposal with a breakdown of fees. While fees are certainly an important consideration, they should not be the deciding factor in hiring a consultant.

The company may also choose to have someone in the organization go undercover. The person doesn't have to be at the management or senior level. Someone in a typing pool who types important documents, a data entry person who has access to an unsecured information system, or other support personnel are excellent examples of positions offering easy access to a company's proprietary information.

A company should have background checks done on individuals who will have access to sensitive company information to verify their education, work history, and other personal data. Because information on applications can be falsified, the background investigation should be performed by a professional, either an investigative service or an in-house specialist with investigative training and experience.

All waste paper with any proprietary information should be shredded. This type of waste includes reports; financial data; client or customer information; personnel information; and scraps of paper with names, dates, meetings, phone numbers, and notes. Once trash is placed in the collection container outside the building, anyone can go through it and obtain valuable information about the company and its operations.

Subcontractors, vendors, and repair people should be monitored while they're in the building. Ask for and verify identification. Unscheduled service on data storage and transmission equipment should be highly scrutinized. Noncompany employees should be made to sign in and out and be given controlled (numbered) contractor's or visitor's badges to be worn while they're on company grounds. This procedure allows security and office staff to identify intruders and have them removed.

Some people that think if a company is concerned about the theft of corporate information it is paranoid. Paranoia is seeing someone behind every bush and tree. Good security is trimming the bushes and trees so no one can hide behind them. Companies must be able to operate with the peace of mind that adversaries and competitors are not listening to and stealing valuable proprietary information.

A single solution to industrial espionage does not exist, but the threat can be minimized by implementing several countermeasures: * Awareness. Proprietary information is a valuable asset and must be protected just like any other asset. Eavesdropping devices exist and are easily available to anyone who wants them. Because of the profit potential from the theft of information, industrial espionage is a very real threat. * Electronic intercept detection. Hiring a consultant who specializes in electronic intercept detection can allow a company to operate and function with the peace of mind that adversaries are not listening to or stealing proprietary information. * Access control. Using electronic access control systems with reporting capabilities that provide audit trails, in conjunction with strict policies governing nonemployees in a facility, minimizes the possibility of information theft. Alarm systems, CCTV monitoring, and security officers increase the level of protection. * Data control. Files and file storage must be controlled. Entry into information systems (mainframes, minis, micros, and PCs) should be passwordcontrolled with security software that has audit trail capabilities. * Waste material control Paper with any sensitive data should be shredded when no longer needed. Even fragmented bits of data on scraps of paper should be properly disposed of.

intercepting oral, wire, radio, and data communications violates federal and state laws. The FBI or the United States Attorney's Office can be contacted if a listening device is located. Eavesdropping is a crime and should be prosecuted.

Eavesdropping can be compared to rape in that the victim does not always report the crime because of embarrassment. But detecting and prosecuting eavesdropping and related offenses such as advertising, selling, and mailing eavesdropping devices will reduce the incidence of industrial espionage. About the Author . . . Patrick L. Jones, CPP, is president and senior consultant of Patrick Jones & Associates Inc., located in the Chicago metropolitan area. The company specializes in electronic intercept detection and information services. He is a member of ASIS.
COPYRIGHT 1990 American Society for Industrial Security
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 1990 Gale, Cengage Learning. All rights reserved.

Article Details
Printer friendly Cite/link Email Feedback
Title Annotation:preventing theft of corporate information
Author:Jones, Patrick
Publication:Security Management
Date:Dec 1, 1990
Previous Article:A little TSCM.
Next Article:Brushing up on security.

Related Articles
SPI versus spy.
And the SPI survey says....
Counterespionage techniques that work.
Welcome to cold war II.
The target company.
Making a clean sweep of spies.
New Flexguard provides extra security. (Equipment Update).
Safeguarding corporate secrets: after three insiders are accused of stealing its trade secrets, Coca-Cola vowed to better protect its data. Don't...

Terms of use | Copyright © 2016 Farlex, Inc. | Feedback | For webmasters