2. THE THREAT

2.1 INTRODUCTION

We know that a viable TSCM program is as interested in DENIAL as in DETECTION and that, within limits, you cannot separate physical security from technical security. The following is intended to assist you in making the initial determination concerning the current ability of the physical security systems to keep the would-be perpetrator from gaining entry into the target area and thus introducing a technical surveillance device.

Examples of some methods and devices used in carrying out eavesdropping attacks are shown in the following list.
  1. Bugs or tape recorders brought in by visitors or staff. (May be left in the office while the visitor visits the rest room, etc.)
  2. The telephone wiretap installed on the telephone line to monitor telephone conversations.
  3. The wood-block transmitter, battery operated, stick-on, installed and exchanged periodically by cleaners, security staff (!), junior employees, maintenance or repair personnel, etc. Appearance is the same as a piece of joinery on furniture.
  4. Carrier current transmitters in the form of a standard multiway AC adapter or socket, or secured within an electrical device such as a coffee pot, water fountain, typewriter, TV set, VCR, etc.
  5. RF transmitter hidden in many of the above described locations.
  6. CCTV camera with pinhole lens, hard wired back to listening post or equipped with a video transmitter. Long distance viewing is sometimes effective with high power telescope or lenses.
  7. Mic and wire run to another room, floor or building.
  8. Modified telephones altered to pass room audio, whether in use or in the on-hook position.
  9. Wall Plaque Transmitter requiring microwave flooding as a means of retransmitting room audio to the listening post. (The Great Seal)
  10. Microphones mounted in walls, detectable only by physical search or X-ray.
  11. RF Transmitter, battery operated, secreted under desks, in ornaments, behind drapes, in ceiling covering or decorations.
  12. Memorabilia transmitters secreted in any number of artifacts.

2.2 THE EAVESDROPPING THREAT

2.2.1 INTRODUCTION

Modern technology has aided the would-be eavesdropper more than it has provided reliable countermeasures tools; that is to say, the development of countermeasures equipment has not, until recent years, kept current with the development of eavesdropping techniques. It has given the eavesdropper unbelievably small transmitting and recording devices which can be hidden almost anywhere and are all but immune to detection. INFORMATION is power; it is the life blood of any organization and so, figuratively speaking, clandestine eavesdropping devices slowly drain the life blood from this nation's security, from corporate undertaking, and from the individual's right of privacy.

The concept of eavesdropping is certainly nothing new. Electronic eavesdropping did not begin with Watergate; it was, by that time, at least 100 years old. It began when electricity was first used as a means of communications. During the Civil War information was gathered by tapping telegraph wires. Indeed, countermeasures efforts were common by 1880 and 1890. Electric eavesdropping was considered a standard tool of both law enforcement agencies and private individuals. Remember, at that time it was not illegal. In fact, the technical art of eavesdropping has always been well in advance of the laws to protect against such action. There have been legislative efforts against technical surveillance since the year 1900, but they have not been very effective, nor have they served as an adequate deterrent against this practice.

Fortunately, most people abhor the crime of eavesdropping. Notwithstanding, it has grown more and more common. The motives that inspire this growth are even more diverse than are the available methods. Perhaps necessity is, in fact, the mother of invention.

Where does one look for the potential eavesdropper? He, or she, can be categorized in any number of ways; he or she can be a member of some Hostile Intelligence Service (HIS), friendly foreign government, an activist, dissident, competitor, reporter, vendor, union, company employee, member or official of your own organization, or a neighbor. In short, there is no standard description of the potential eavesdropper; he or she could be anyone.

From a countermeasures perspective, this puts us at a tremendous disadvantage. When we go into an area to conduct our examinations, we are operating on the premise that everyone having legitimate access to that facility is trustworthy. Otherwise, we are wasting both time and effort. The historical truth of the matter is, sadly, this has been proven to be a false premise time and time again.

2.2.2 THE OPPOSITION

In any discussion of countermeasures one must begin by examining the methods of attack available to the potential eavesdropper. We will refer to these individuals as "The Opposition". We are engaged in a serious, high stakes competition with the opposition. Let there be no misunderstanding: this is a straightforward win-lose situation. There can be no draws, no win-win potential. Either we win or the opposition does.

Let's put on our "black hats" for a few minutes. We are going to assume the role of the opposition. What are our goals? Methods? Problems? First we must assume that our goal is to gather intelligence, to listen in on the most sensitive conversations of a particular person or persons without their suspecting either our intentions or activities. What are our options?

This Option Sequence is really an oversimplification. Just making decisions is no guarantee of success. Since we must assume that the opposition are professionals, we must assume they will leave no stone unturned in their efforts to gather as much intelligence about the target area as possible. The more intelligence gathered, the more informed will be their decisions and the greater the likelihood of their success. As soon as the decision is made to attack a given facility, but before entering the Option Sequence, the opposition will begin a Target Analysis.

2.3 TARGET ANALYSIS

The choice of method of attack and, to a large degree, the device(s) chosen for employment will be dictated by the environment under attack. The Target Analysis will be as complete as possible and will influence the entire Option Sequence that follows.

For example, if the Target Analysis shows us that a surreptitious entry, while necessary, will be extremely risky, the device chosen must be highly dependable and require little or no servicing. After all, we don't want to have to re-enter the target area just to change a battery or tape.

Reverting to our true identity for a moment, as a Technical Surveillance Countermeasures specialist we must also do a Target Analysis. If not, how can we make reliable estimates of the real threat? As you go over this outline, look at each point from both perspectives, the Opposition and the Countermeasures specialist.

Facility Exterior Characteristics are listed below:

2.3.1 Building Description

  1. Construction Material
  2. Number of Floors
  3. Shared or Dedicated Facility

2.3.2 Adjacent Structures

  1. Proximity to Target Area
  2. Ownership/Occupancy
  3. Shared Utility Paths

2.3.3 Traffic/Activity Patterns

  1. Vehicular Traffic Patterns
  2. Vehicular Approaches to Target Area
  3. Foot Traffic
  4. Target Operation Hours
  5. Times of Greatest Traffic Density
  6. Presence of Police or Guard Force
  7. Frequency of Patrols

2.3.4 Facility Grounds

Defined Physical Barriers include:
  1. Structural (fences, walls, road blocks, etc.)
    Type
    Height
    Condition
    Number of Entry/Exit Gates
    How secured
    Alarms Employed
    Protective Lighting
      1. type
      2. adequacy
      3. spacing
      4. condition
    Access Procedures
    Visibility of Fence Line
    Patrol in effect (Scheduled or random)
    Breached
    Distance from Structure
    Presence of Trees or Shrubs
  2. Natural (rivers, other structures, terrain)

2.3.5 Building Exterior

  1. Exterior Doors
    Number & Construction
    Hinge Pin Location & Modifications
    Type of Locking Devices
      1. key control
      2. when last changed
      3. indication of tampering
      (NOTE: These last three items are primarily of interest to Countermeasures persons)
    Condition
    Access Doors Secured From Interior
  2. Windows
    Number and Construction
    Protective Covering Employed
    How Secured
    Alarmed
    Security Type Glass Installed
    How Covered Inside
  3. Exterior Lighting
    Adequate Illumination of all areas
    All Openings (Doors & Windows) Lighted
    Auxiliary Power Source Employed
    Lights Automatically Controlled
      1. how
      2. hours
  4. Other Openings
    Manholes
    Utility entry to building - Above and below ground level
  5. Roof of Target Area
    Description & Construction
    Access
    Skylights
    Roof Hatches
    Fans/Vents Protected
    Distance from Other Structures
    Frequency of Security Checks
  6. General Characteristics
    1. Target Location within Building
    2. General Purpose of Facility
    3. Access Controls in Effect
    4. Normal Hours of Operation
    5. Acoustically "Hard" or "Soft" Target Room
    6. Number of Guards
    7. Shift Change Procedures
    8. False Ceilings
    9. Walls Joined to True Ceiling
    10. Types of Doors
    11. Alarms in Use
    12. Types of Locks
    13. Utility Paths
      cable troughs present
      telephone cabinets secured
      air conditioning vents protected
      pipes through target area
    14. Maintenance & Cleaning Practices

2.3.6 Conclusion

This list is by no means all inclusive. With each new site there will be new and additional considerations. However, you can begin to recognize the impact and importance of a good Target Analysis.

Once all (or as much as possible) of this information is gathered and studied you are ready to select the best options and employ the most appropriate device.

2.4 DEVICE SELECTION

In Section 2.2, an Option Sequence was set forth leading us down to the point where, based upon the intelligence gathered during the Target Analysis, we must now commit ourselves to the selection of the device(s) upon which we must depend. Within this Section we are going to look at various methods of attack, that is, the device(s). We will not at this time begin to explore the esoteric electronics of the various devices. We will, however, examine the pros and cons involved with each selection, weighing the advantages against the disadvantages.

Early in the text it was said that the ideal method of eavesdropping was to be physically present during the discussion of interest, and still, we did not want to be detected; therefore our physical presence was ruled out. That would be possible only if we could share the secret of Lamar Cranston (The Shadow). Alas, lacking that talent, the next best thing to being there is to have placed the most basic of eavesdropping tools...the mic and wire run.

2.4.1 THE MIC AND WIRE RUN

Advances in technology have greatly altered this simple approach. Not only are microphones available today that are unbelievably small, but transmitting wire as thin as a single strand of hair from your head is now available. It is virtually invisible to the eye and can be concealed in the cracks between the boards or tile on a floor. It can disappear into the minute crack existing between the baseboard and the wall.

Microphones, either directional or non-directional, are no longer huge...extremely high fidelity microphones smaller in diameter than a pencil eraser are commonplace.

So what are the disadvantages? Many! Microphone installations are not overly popular in that they require extensive access to the target area. It takes a great deal of time to properly install and conceal any microphone and, if one chooses to install the fine wire runs, great care must be exercised to avoid breaking the wires during the concealment process. Another disadvantage is that, unless one wants to run the transmission line into an RF Transmitter, install one or more line boosters, etc., the listening post must be close by.

There are other methods to employ the microphone as your eavesdropping choice. Among them would be tying the transmission line from the microphone to some fortuitous path, perhaps excess wiring among the utility lines or, more commonly found, excessive and unused telephone wiring. Still, unless the listening post is nearby, you will be forced to employ line amplifiers along the path.

2.4.2 THE R.F. TRANSMITTER

This is by far the most popular method of "bugging" any office. There are any number of potential frequencies available. The signal may be modulated in many ways and combinations. Various esoteric techniques are possible, ranging from burst transmissions to spread spectrum signals or swept frequencies. Simple frequency modulated or amplitude modulated signals might be "snuggled" with legitimate commercial signals; that is, transmitted at a frequency extremely close to the legitimate broadcast and at a signal level so weak in comparison that it is easily missed during any countermeasures effort.

The transmitting devices available today can be easily acquired, simple devices such as "wireless FM Microphones" which are legally sold over the counter in many electronics stores. They can also be extremely complex, and easily concealable because of their small size. The devices can be hidden in the barrel of a fountain pen, in some office artifice, or within a block of wood made to appear as part of the furniture. The ways in which to hide an RF transmitter are virtually limitless.

Even though RF transmitters are often the first choice, they are not without their problems. There is the need to limit the output of the device in order to make its detection as difficult as possible. But even when reducing the signal output, you must still have enough power to receive it at the selected listening post. This means that one must carefully evaluate free space loss, building construction and other factors pertaining to signal attenuation.
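From the countermeasures side, the same attenuation factors can be turned into an estimate of how strong such a signal must be at the sweep antenna. The following is an added example, not part of the original text; it uses the standard free-space path loss formula, and every distance, loss and receiver figure in it is a constructed assumption.

```python
import math

C = 299_792_458.0  # speed of light in m/s


def fspl_db(distance_m, freq_hz):
    """Free-space path loss in dB between isotropic antennas."""
    return 20 * math.log10(4 * math.pi * distance_m * freq_hz / C)


def sweep_advantage_db(post_m, sweep_m, freq_hz, wall_loss_db):
    """dB by which the signal at the sweep antenna exceeds the signal
    arriving at a listening post outside the building."""
    path_to_post = fspl_db(post_m, freq_hz) + wall_loss_db
    path_to_sweep = fspl_db(sweep_m, freq_hz)
    return path_to_post - path_to_sweep


def assess(post_m, sweep_m, freq_hz, wall_loss_db,
           post_sens_dbm, sweep_floor_dbm, neighbour_dbm):
    """Lower bound on the level a working transmitter presents to the sweep.

    A device that just reaches the listening post delivers exactly
    post_sens_dbm there, so at the sweep antenna it cannot be weaker
    than post_sens_dbm plus the sweep advantage.
    """
    advantage = sweep_advantage_db(post_m, sweep_m, freq_hz, wall_loss_db)
    level = post_sens_dbm + advantage
    return {
        "advantage_db": advantage,
        "min_level_at_sweep_dbm": level,
        # Positive: the device is above the sweep receiver's noise floor.
        "margin_over_floor_db": level - sweep_floor_dbm,
        # Positive: the device sits this far below an adjacent legitimate
        # carrier, which is the "snuggled" case described in the text.
        "below_neighbour_db": neighbour_dbm - level,
    }


if __name__ == "__main__":
    # Constructed scenario (all values are assumptions):
    # 100 MHz signal, listening post 200 m away behind 15 dB of building
    # loss, sweep antenna 3 m from the device, listening receiver
    # sensitivity -100 dBm, sweep receiver floor -80 dBm, adjacent
    # broadcast carrier at -20 dBm at the sweep antenna.
    for key, value in assess(200, 3, 100e6, 15, -100, -80, -20).items():
        print(f"{key}: {value:.2f}")
```

In this constructed case the device is roughly 31 dB above the sweep receiver's floor yet about 29 dB below the adjacent carrier, so level alone does not separate it from the legitimate broadcast.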

The necessary power to drive the device must be determined. Do you use batteries and risk having to replace them on a frequent basis, or do you install the device in the existing AC wiring and risk its detection as a result of continued power drain?

2.4.3 THE CARRIER CURRENT DEVICE

This attack has certain advantages since you can employ the existing AC power lines within the targeted area. This approach has been used successfully in the past but is not frequently employed today. It is a rather easily detected attack, requires time to install and, of greatest concern, you must have the listening post close by. The signal imposed will not couple across a power transformer and so you will be required to set up the listening post on the same side of the transformer as the target, usually within the same building.

2.4.4 THE TELEPHONE COMPROMISE

Without doubt, the telephone represents the greatest threat to security (in terms of audio security) there is. To begin with, a telephone is generally found at or near the conversational center of the target area, and it provides the would-be eavesdropper with all the necessary components (microphone, power, transmission path, etc.) needed. One has the choice of performing any number of modifications to the instrument or tapping the lines, the difference being, of course, that if you elect to "tap" you are going to limit yourself to eavesdropping on out-going and in-coming telephone conversations only. By modifying the instrument, you will be able to pick up in-house conversations even while the instrument is in an "on-hook" condition. The only disadvantage is that you must be able to establish access to the instrument and/or frame room.

2.4.5 OTHER ATTACK FORMS

Let your imagination run wild... Laser attacks? Light attacks?
The use of these will depend upon the Target Analysis you have accomplished. Also, many of these attack methods, while technically possible, are not practical and/or give less than desirable results.

2.4.6 ENCRYPTION

It is a fact in government services that, if you have something secret to communicate, do not use the telephone.

If it is essential to use a telephone, then messages should be encrypted AT THE TELEPHONE, and deciphered likewise at the recipient's telephone.

First, scrambling and speech inversion devices are relatively easy to "de-scramble". Beating the voice frequency with an audio oscillator often achieves this.

Secondly, even the fairly sophisticated encryption systems can usually be broken given enough time, a suitably powerful computer and expert, experienced personnel such as are available to government or military authorities. Ultimately, the only positively unbreakable "codes" are those based on the one-time pad, supposing the pads are truly random.

Thirdly, even the most sophisticated telephone encryption system can be defeated by the cheapest, simplest eavesdropping devices placed on the system prior to the encryption, such as a drop-in transmitter, to replace the existing telephone carbon microphone.
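The first point above, that speech inversion is undone by beating the signal with an oscillator, can be seen in a simplified discrete-time model. This is an added example, not part of the original text; the 8 kHz sample rate, the choice of an oscillator at half the sample rate (which avoids the need for a filter), and the three test tones standing in for speech are all assumptions.

```python
import math

FS = 8000  # assumed sample rate in Hz (telephone-grade audio)
N = 800    # 0.1 s of audio, so analysis bins fall every 10 Hz


def tones(freqs_hz, n=N, fs=FS):
    """Constructed test signal: a sum of equal-amplitude sine tones."""
    return [sum(math.sin(2 * math.pi * f * i / fs) for f in freqs_hz)
            for i in range(n)]


def beat(samples):
    """Mix with an oscillator at fs/2: cos(pi*i) is +1, -1, +1, ...
    A component at f comes out at fs/2 - f, so the band is inverted."""
    return [s if i % 2 == 0 else -s for i, s in enumerate(samples)]


def goertzel_power(samples, freq_hz, fs=FS):
    """Signal power at a single frequency (Goertzel algorithm)."""
    coeff = 2 * math.cos(2 * math.pi * freq_hz / fs)
    s1 = s2 = 0.0
    for x in samples:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def peaks(samples, count, fs=FS, step_hz=10):
    """The `count` strongest frequencies in Hz, in ascending order."""
    grid = range(step_hz, fs // 2, step_hz)
    ranked = sorted(grid, key=lambda f: goertzel_power(samples, f, fs),
                    reverse=True)
    return sorted(ranked[:count])


def demo():
    clear = tones([300, 1000, 2500])  # constructed stand-in for speech
    scrambled = beat(clear)           # inverted audio as sent down the line
    recovered = beat(scrambled)       # the same mixing step again, no key
    return peaks(clear, 3), peaks(scrambled, 3), recovered == clear


if __name__ == "__main__":
    clear_peaks, scrambled_peaks, identical = demo()
    print("clear    :", clear_peaks)
    print("scrambled:", scrambled_peaks)
    print("recovered == clear:", identical)
```

The scrambling step takes no secret input, so repeating it restores the original samples exactly; the only unknown in a real inverter is the oscillator frequency, which is a single tunable value rather than a key.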

2.5 THE TSCM APPROACH

2.5.1 GENERAL

After wearing the "Black Hat" for a while we can all see that their problems are as great as ours. What we need to examine now is our response to the threat. We will be looking at the various types of services offered, the philosophy or approach employed and the major problems that might be encountered.

Basically, there are three (3) different types of TSCM services provided:

  1. TSCM Surveys
  2. TSCM Monitors
  3. Preconstruction Consultations

2.5.2 TSCM Surveys

A full survey is, as the name implies, the maximum response to a request. It involves an extensive analysis and examination of the target area. Basically, we carry out an R.F. analysis or search, a thorough telephone system analysis, examination of the walls, ceilings, floors, furnishings, etc., a target analysis, examination of denial aspects (that is, how the physical and procedural security meet the potential threat), and identification of wiring, cables, air ducts, pipes, etc. At the end of a full survey, we should know if anything is threatening the area and should be able to provide the customer with a detailed report for use in enhancing the overall security of the examined area(s).

2.5.3 TSCM MONITORS

Frequently, you will receive a request for TSCM coverage of sensitive meetings, conferences, etc. Whenever possible, you will visit the intended site and perform a physical and limited electronic examination prior to the beginning of the meeting. Then, throughout the conference, an ongoing R.F. examination is conducted.

2.5.4 TSCM INSPECTIONS

These are, in fact, a limited form of survey. For example, if a new telephone instrument or system has been introduced into a previously examined area, an examination may be warranted. The examination would not necessarily be as extensive as those performed during a TSCM Survey.

2.5.5 PRECONSTRUCTION CONSULTATION

When plans are being made to build a new facility or to improve an existing one, you can be called in to meet with the builder to discuss the needed technical security considerations and to make recommendations concerning the tasks at hand.

2.5.6 GENERAL SURVEY APPROACH

A TSCM Survey can be divided into two major phases, the Non-alerting Phase and the Alerting Phase. Again, there is no great mystery involved in these phases; their names provide the description.

In the Non-alerting Phase you would carry out those tasks that would not alert the potential eavesdropper to the fact that a Survey was taking place. The reason for this is obvious: if the device chosen is one which can be switched on and off from a remote location and the eavesdropper hears your efforts, he will simply turn the device off. Your chances of locating the device may be drastically reduced. Or he may simply fold up his operation and leave. A TSCM operation is not just to locate a device; you should also want to identify the installer.

In the Alerting Phase, you will complete your target analysis, complete the R.F. analysis and perform the physical search, as well as anything else that wasn't accomplished during the Non-alerting Phase.

As stated in the beginning, our reasons for accomplishing the TSCM survey are simple; we want to deny the opposition access to the sensitive areas and we want to detect as early as possible any device that might have been introduced in spite of the denial efforts.

2.6 RESERVED

2.7 MICROPHONES

2.7.1 INTRODUCTION

The eavesdropper has, at his disposal, microphones which will not only pick up a whisper at 20 feet, but which are also smaller than the eraser on a pencil. While there are several different types of microphones, such as the carbon or condenser microphones, the professional eavesdropper will generally opt for the magnetic or electret microphone.

2.7.2 THE MAGNETIC MICROPHONE

The magnetic (or dynamic, as it is sometimes called) microphone requires no power to operate and converts sound into electrical signals by the movement of a small coil of wire near a permanent magnet. This action generates small electrical signals in the coil proportional to the coil movement caused by sound vibrations striking a thin diaphragm which is physically connected to the coil of wire. This means that no power for the microphone is drained from the battery of a radio transmitter, recorder or other powered device to which it is attached.

2.7.3 THE ELECTRET MICROPHONE

The non-magnetic electret microphone is extremely small in size and has high sensitivity and good frequency response. It is similar in construction to a condenser type except that a voltage charge is permanently stored internally, and it is the vibration of this charge in response to room audio which produces the electrical output signal. The electret rivals the magnetic microphone in eavesdropping applications since it exhibits most of the beneficial characteristics of the magnetic unit and has the advantage of producing larger electrical signals with its built-in preamplifier.

2.7.4 THE CONTACT MICROPHONE

Of all the microphones utilized by the eavesdropper, the contact and spike microphones are perhaps the only ones specifically designed for this purpose. These microphones contain a special crystal which, when slightly compressed, will produce a very small electrical signal. If it is placed against a vibrating wall or attached to a rigid probe which is touching one of the vibrating surfaces, the crystal will produce small electrical signals which correspond to the vibrations. If these vibrations are caused by room conversation sound, the electrical signal will correspond to those sounds.

2.7.5 THE CAVITY MICROPHONE

The pneumatic cavity microphone is an electronic version of a glass tumbler against the wall, historically recognized as one method of monitoring adjacent room conversations. This microphone is substantially superior, however, and operates by using a specially constructed small cavity which, in general, is highly responsive to surface vibrations at the audio frequencies found in human speech. This cavity is used in conjunction with a conventional microphone to enhance its performance and force its output to correspond to wall surface or window vibrations rather than a direct sound input. Several manufacturers offer these microphones as electronic stethoscopes.

2.7.6 LOUD SPEAKERS

One of the most frequently used microphones is a simple speaker usually found on a TV, radio or intercom. Most speakers are structurally similar to a magnetic microphone with a coil of wire positioned in a magnetic field. When used as a speaker, electrical current is passed through the coil which vibrates the speakers to provide sound. Due to their large cones, moving coil loudspeakers are very sensitive and act as excellent microphones. When acoustical energy impinges on an unused speaker cone and vibrates the coil of wire in the permanent magnetic field, small amounts of electrical energy are produced which can be transmitted by radio or over wires to a listening post.

2.7.7 MICROPHONE WIRE RUNS

Regardless of which type of microphone is used by the eavesdropper, he must transmit the audio sounds outside the target premises. With the exception of a radio transmitter with a built-in microphone and amplifier, the eavesdropper will normally connect the microphone to an amplifier, transmitter or tape recorder by any conductive means, from conductive paint to extremely small wires. Wires as thin as human hairs, and just as flexible, are commonly used and can be purchased at most local electronic shops. This wire can be sewn into a carpet or hidden in a variety of different ways. Once outside the target office, the conductive paint or small wires may be connected to an unused wire, electrical conduit or ground wire in a ceiling or wall which then carries the signal to the listening post or to a radio transmitter.
