The Codex Surveillance & Privacy Newsletter - Sample Issue Excerpts

Published monthly - Subscription Rate $95.00
Foreign Subscriptions: $135.00

The Codex is a hardcopy newsletter delivered by first class US mail. Send Check or MO to:

Codex Publishing
286 Spring Street
New York, NY 10013
Tel: 212-989-9898
Fax: 212-337-0934

Every day we see or hear in the news, stories about electronic surveillance, wiretapping, corporate espionage, computer hacking, etc. Ever wonder how it's done?

The Codex is a monthly newsletter published by Codex Publishing of New York City. It was created by professionals in the field of electronic surveillance, countermeasures, security, investigations and competitor intelligence and will teach you all the inside "Tricks of the Trade".

Prior issues of the Codex have featured articles on: How to TAP a telephone...How to BUG a room...How to intercept a CELLULAR telephone conversation... How to intercept a digital PAGER...How to HACK a web site...How to DECODE telephone numbers off a tape recording...How to LISTEN into your home or office when you're away on vacation...How to SEE into your home or office when you're away on business...How to build a RED BOX for free phone calls...How to DETECT an eavesdropping device planted in your home or office...How to ACQUIRE personal & confidential information on anyone...

Future issues of the Codex will feature "How To" articles on: Spying, Industrial Espionage, Competitor Intelligence, Emerging Technologies, Privacy and How to get it, Computer Hacking, Telephone Phreaking, Cons & Schemes, Insider tips on the Internet, Self Defense, Big Brother, Encryption, Surveillance Devices, Privacy Equipment, Intelligence Gathering Equipment and Sources of Confidential Information

One time reprint and excerpt rights automatically granted provided our name and address is given. Enclosed is an abbreviated sample.
LETTER FROM THE EDITOR

Happy New Year to everyone and we sincerely hope 1996 brings you all good fortune and everything you hope for. Be careful, you just might get it...

In response to the overwhelming requests for advertising rates and information we have decided to accept limited advertising in 1996 and will begin to accept advertising immediately. Advertising will be limited to a full page at the nominal rate of $150.00 per issue with volume discounts of course.

We will travel shortly to New Zealand to attend "The Gathering Conference" on information and communications security and will report our findings in great detail in an upcoming issue of the Codex. "The Gathering" promises to be an exciting and information bonanza with several of the top people in the world attending and speaking on a variety of subjects of interest to us all.

We urge you to advise us if you have a security, computer or communications function planned, as we will make every attempt to give the event coverage. If we don't know about it...there's not much we can report.

We've got a wealth of info for you this month with a very interesting topic on Web Site hacking. Seems the old rule applies, "Anything man can invent, man can defeat." How long before this window is closed?

Don't forget...If there is a topic you would like to see covered, please let us know and we'll do everything we can to get it done for you. Enjoy this issue...we had fun doing it.

SpyKing

****************************************************************************

Nowhere to run...Nowhere to hide...
The vulnerability of CRT's, CPU's and peripherals to TEMPEST monitoring in the real world.
Copyright 1996, All Rights Reserved
By Frank Jones
CEO
Technical Assistance Group
286 Spring Street
New York, New York 10013 USA
Tel: 212-989-9898
Fax: 212-337-0934
E-Mail: spyking@thecodex.com
URL: http://www.thecodex.com

George Orwell wrote the classic "1984" in 1949. He depicted a world in which the government controlled its citizens and a world devoid of privacy. Many of the things Orwell wrote almost fifty years ago have come to pass. Surveillance technology has progressed to the point that it is possible to identify individuals walking city streets from satellites in orbit. Telephone, fax and e-mail communications can routinely be monitored. Personal information files are kept on citizens from cradle to grave. There is nowhere to run...nowhere to hide...

The advent of the personal computer has revolutionized the way we do business, keep records, communicate and entertain ourselves. Computers have taken the place of typewriters, telephones, fax and telex machines. The Internet has opened up a new world of high speed and inexpensive communications. How secure and private is it? There are many encryption programs and hardware devices available for security purposes but what about the computer terminal itself? How safe is it? What are its vulnerabilities? Hackers have been known to cause mischief from time to time...Is it possible for an adversary to snoop on your private data? Can Big Brother?

Suppose it was possible to aim a device or an antenna at your apartment or home from across the street or down the block. Suppose you were working on a confidential business project on your PC. Suppose that device down the block could read what you were typing and viewing on the CRT? Feeling uncomfortable?

Suppose that device could monitor everything you do on your computer by collecting electromagnetic radiation emitted from your computer's CRT, CPU and/or peripheral equipment, reconstruct those emissions into coherent receivable signals and store them for later review?
Feeling faint? Good. The technology exists...and it has for some time....

You don't have to worry about a "middle of the night" break-in by some clandestine government black-bag team to plant a bug. They never have to enter your home or office. Seedy looking private investigators or the information warrior won't be found tampering with your telephone lines in the basement either...it's not necessary...all they have to do is point an antenna...safely, from a distance away...and collect your private data...

This surveillance technique has become known as TEMPEST monitoring. TEMPEST stands for Transient Electromagnetic Pulse Standard. It is the standard by which the government measures electromagnetic computer emissions and details what is safe (allowed to leak) from monitoring. The standards are detailed in NACSIM 5100A, a document which has been classified by the National Security Agency. Devices which conform to this standard are called TEMPEST certified.

In 1985, a Dutch scientist, Wim van Eck, published a paper which was written about in the prestigious "Computers & Security" journal, "Electromagnetic Radiation from Video Display Units: An Eavesdropping Risk?" Vol 4 (4) pp 269-286. The paper caused a panic in certain government circles and was immediately classified, as is just about all TEMPEST information.

Wim van Eck's work proved that Video Display Units (CRT's) emitted electromagnetic radiation similar to radio waves and that they could be intercepted, reconstructed and viewed from a remote location. This of course compromises security of data being worked on and viewed by the computer's user. Over the years TEMPEST monitoring has also been called van Eck monitoring or van Eck eavesdropping.

In 1990, Professor Erhard Moller of Aachen University in Germany published a paper, "Protective Measures Against Compromising Electromagnetic Radiation Emitted by Video Display Terminals". Moller's paper, which updated in detail van Eck's work, also caused a furor.
The government's policy of TEMPEST secrecy has created a double edged sword. By classifying TEMPEST standards, they inhibit private citizens and industry by failing to provide the means of adequately shielding PC's and/or computer facilities. There is an old saying, "You can't drive a nail without the hammer". If concerned personnel don't know the minimum standards for protection...how can they shield and protect? Shielding does exist which can prevent individuals and companies from being victims to TEMPEST monitoring. But without knowing the amount of shielding necessary... Perhaps this is the way the government wants it...

My work has focused on constructing a countermeasures device to collect and reconstruct electromagnetic emissions from CRT's, CPU's and peripherals to diagnose emission levels and give security personnel a hands-on tool with which they can safeguard their computer data.

In testing my countermeasures device I concentrated on interception and reconstruction of the three types of emitted electromagnetic radiation written about in van Eck and Moller's work.

1. Electromagnetic radiation emitted from CRT's - similar to radio waves
2. Shell waves on the surface of connections and cables
3. Compromising radiation conducted through the power line

I found my greatest success (distance & quality) was in the collection of emitted radiation from the CRT although we were equally successful in our other experiments. In our opinion the greatest danger of TEMPEST monitoring comes from off premises and we decided early on to concentrate in this area. A workable countermeasures tool would give security personnel a handle on distance from which compromising electromagnetic radiation could be collected. Hopefully full countermeasures would then be implemented.

This also is a double edged sword. The device I built albeit a countermeasures tool...can be used as an offensive TEMPEST monitoring device.
My concerns however are that if such a device is not made available to the private sector...then the private sector is at the mercy of the information warrior using TEMPEST technology to gain an unfair advantage.

TEMPEST MONITORING...HOW IT WORKS

TEMPEST monitoring is passive. It cannot be detected. The computer emits compromising radiation which can be reconstructed from a remote location. There is no need to ever come near the target. No reason ever to go back to change a faulty bug like the Watergate burglars...It can be performed from an office or a vehicle with no chance of discovery.

The premise is very simple. All electronic devices emit some low level electromagnetic radiation. Whenever an electric current changes in voltage level it generates electromagnetic pulses that radiate invisible radio waves, similar to the ripples caused by dropping a small rock into a quiet pool of water. These electromagnetic radio waves can carry a great distance.

Computer monitors like televisions contain an electron gun in the back of the picture tube which transmits a beam of electrons (electric current). When the electrons strike the screen they cause the pixels to fluoresce. This beam scans across the screen from top to bottom very rapidly in a repetitive manner, line by line, flashing on and off, making the screen light and dark, creating the viewed image. These changes in the high voltage system of the monitor generate the incoherent signal that TEMPEST monitoring equipment receives, reconstructs and views.

We have found that most monitors emit signals in the 20 to 250 MHz range although harmonics are fairly strong and can be intercepted. Radiated harmonics of the video signal bear a remarkable resemblance to broadcast TV signals although various forms of sync must be restored.

Associated unshielded cabling can act as an antenna and increase interception range. Emissions can be conducted down power cables and supplies.
Computers attached to unshielded telephone lines are easy prey as the telephone line acts as an excellent antenna. Printers and their cables are not immune either. The average computer setup in the home or office could be compared to a base station transmitting its signals all over the neighborhood.

Put quite simply, it is easy for someone with basic electronics knowledge to eavesdrop on you, while you are using a computer. They might not be able to steal everything from the hard disk but they can view anything you do....see anything you see...

HOW IT'S DONE...THE COMPONENTS

- A good commercial wide band radio receiver, preferably designed for surveillance (requires a little modification), with spectrum display. Sensitivity and selectivity are paramount. Not all receivers will do the job adequately.
- Horizontal and vertical sync generator. Commercially available and will require some modification.
- Video Monitor with shielded cables.
- Active Directional Antenna (phased antenna array) with shielded cables. Think radio telescope.
- Video tape recording equipment. For capture and later review.

WHAT WE WERE ABLE TO CAPTURE...

Bench testing of the unit was quite successful in and around the office. Several computers were targeted and interception of the data was simple after injecting and restoring vertical and horizontal sync. We had no problem viewing computer screens on adjacent floors in the building (we were sometimes hindered by noise) and were able to differentiate (to my surprise) between different computers in a large office. We aimed our device out the window across the street at an adjacent office building and were able to view CRT screens without too much difficulty.

I should mention here that during the field tests NO DATA WAS STORED FROM TARGET COMPUTERS. We were not on an eavesdropping mission. We simply were interested in testing OUR equipment not spying on others.

Field testing of the unit was quite different and required continuing manipulation of the equipment.
From a vehicle in a suburban area we were able to view active televisions inside homes (the cable/pay-per-view people could have a field day) and what programs residents were watching. When we came across homes with active computers we were able to view CRTs. Average range was approximately 300 yards.

We continued to test the device in a suburb of New York City with startling results. We were able to view CRT screens at ATM machines, banks, the local state lottery machine in a neighborhood candy store, a doctor's office, the local high school, the fire department, the local police department doing a DMV license plate check, a branch office of a securities trader making a stock trade and the local gas station tallying up his day's receipts. We didn't expect that any of our "targets" would be TEMPEST certified and we were correct.

BIGGER FISH IN A BIGGER POND

We took our DataScan device, as we named it, to New York City. The Big Apple. We were interested in testing the integrity of various computer facilities and also wanted to see how our device would operate in an urban environment.

Let me start off by saying New York is in a lot of trouble. We started at Battery Park (the southern tip of Manhattan Island) and headed north to Wall Street. The US Customs building leaks information as well as the Federal Reserve. Wall Street itself was a wealth of information for anyone interested. With hundreds of securities and brokerage companies located within a few blocks of each other, all an information warrior need do is rent an office with a view and aim his antenna. We were able to view CRT's in MANY executive offices.

The World Trade Center was fertile. It afforded open parking areas nearby with millions of glass windows to snoop...we were most successful snooping the lower floors from the street. We borrowed a friend's office at mid-tower in the south building and were able to view CRT's in the north building easily.
We headed east towards the New York Post newspaper offices and read the latest news off their monitors (which was printed the next day). We headed north towards City Hall and NYPD Police Headquarters. Guess what? They're not TEMPEST certified either...Neither is the United Nations, any of the midtown banks, Con Edison (the power company) on First Avenue, New York Telephone on 42nd Street or Trump Tower! Citicorp's computer center in the SkyRink building on West 33rd Street was a wealth of information also...

We found that with the proper frequency tuning, antenna manipulation, reintroduction of sync and vehicle location, we could monitor just about anyone, anywhere, anytime. There is no doubt in my mind that TEMPEST eavesdropping is here to stay and something that must be dealt with by computer and security professionals.

Passwords, files, proprietary data and records are all vulnerable to the information warrior using TEMPEST monitoring equipment in a non TEMPEST certified world.

POTENTIAL USERS OF TEMPEST MONITORING

Big Brother: Yes, that's right. He does bug businesses. Sometimes with a court order and sometimes without one. It's unclear under present American law whether or not a court order would be needed to collect TEMPEST information. You never know when Big Brother's on a witchhunt. Maybe he suspects you of being a tax cheat, of insider trading, leftist sympathies, etc. Remember Watergate? Now, the FBI wants to be able to tap EVERY telephone, fax and data line in America at the turn of a switch and they want US to pay for it...Using TEMPEST technology they need never enter or come near your home or business.

Foreign Intelligence Services: In the last days of the Bush Administration, the mission of the CIA was partially changed to spy on foreign businesses and steal trade secrets in response to the ever growing surveillance of American industry by foreign competitors and foreign intelligence services. The Japanese are the worst.
Most of the Japanese students living and attending school in the USA are economic trade spies. The French intelligence service regularly bugged ALL the first class seats on AIR FRANCE flights to eavesdrop on traveling foreign businessmen. EVERY foreign service in the world is involved in corporate espionage to gain an economic advantage for their own companies. Do you have a foreign competitor? Then the chances are good that a foreign intelligence agency will spy on you. TEMPEST technology is becoming the medium of choice.

The Activist: Dedicated, yet misguided activists may wish to further their own cause by releasing your private disclosures to the media. Every company circulates confidential memos that would be embarrassing if released to the public. TEMPEST technology makes corporate snooping simple.

The Dissident: Dissidents want to damage more than your company's reputation. They may use TEMPEST technology as a means of compromising your internal security, valuable products and equipment, and even executive travel plans in order to commit crimes against your person, family or property!

Financial Operators: Unethical financiers can benefit greatly from prior knowledge of a company's financial dealings. TEMPEST attacks can be mounted quickly and from a distance with virtually no chance of discovery.

Competitors: Competitors may seek to gain information on product development, marketing strategies or critical vulnerabilities. Imagine the consequences of a concerted TEMPEST attack on Wall Street. How much are you going to offer for that stock next week? You need to buy how many shares for control?

Unions: Unscrupulous union negotiators may use TEMPEST technology to gain knowledge of a company's bargaining strategies and vulnerabilities. Is your company having labor problems? Is your company involved in any type of litigation or lawsuit with a union? Does your company have layoffs pending?
Employees: One of your company's employees might use TEMPEST technology on another to further his own career and to discredit his adversary. It would be a simple matter for an adversary to plant a mole in your company who could position TEMPEST monitoring equipment in the right direction even though they might not be allowed to enter a specific restricted area...

The Information Warrior: Brokers may profit from selling your company's secrets to the highest bidder, or maybe even to anyone who wants to know! Does your company have stock that is traded publicly? Or will be soon?

With TEMPEST technology there is nowhere to run...nowhere to hide...Keep in mind that anybody with money, power, influence, or sensitive information is at serious risk.

FINDINGS AND RECOMMENDATIONS

Using simple off-the-shelf components with minor modifications we were able to monitor computer CRTs "at-will" in suburban and urban environments. We did not recreate the wheel. The TEMPEST monitoring premise is simple and anyone with a basic knowledge of electronics could construct such a device and use it with impunity.

Our DataScan device differs from earlier models because of the unique signal amplification and directional antenna array used which we believe enhances the collection process greatly.

It appears from our research that most individuals and companies do not use TEMPEST certified equipment and most have never even heard of TEMPEST. I believe the media should be made aware of the problem in hope that publicity about potential TEMPEST attacks will force the government to release the information necessary to allow private citizens and industry the means to properly secure their proprietary data.
****************************************************************************

HACKING CELLULAR PHONES

It turns out that there are several Japanese handheld transceivers (HT's) available in the US for use by ham radio hobbyists that have hidden features allowing them to operate in the 800MHz band used by cellular telephones. Using an FSK decoder chip and a personal computer running an assembly language program to record and decipher the ID beeps at the beginning of cellular calls, a "phone book" of cellular ID's can be compiled. A simple FSK oscillator controlled by the PC can then be used to dial out using the Handheld Transceiver and the captured ID codes.

A low tech analysis could be done by taping the beeps and playing them back at slow speed into an oscilloscope. An edited tape may even be adequate for retransmission; no deciphering required. Several radio stores in New York sell the HT's and have given advice in the past about how to access the hidden out-of-band tuning features in the ROMs of the Japanese HT's.

It's possible now to listen in to cellular phone conversations without building any special hardware. In fact if you have a good antenna, or live near a cellular repeater tower, you can pick up cellular calls using a UHF TV with a sliding tuner by tuning in "channels" between 72 and 83 on the UHF dial.

Beside the obvious benefits of unlimited, untraceable, national mobile voice communication, there are other uses for cellular hacking. For instance: most people using cellular phones are pretty upscale. It is possible to scan for ID codes of the telephones of major corporations and their executives and get insider stock trading information. Simply by logging the called and calling parties you will be able to compile a database mapping out the executive level command & communication structure.
If this is linked to a Vox operated tape deck you will know precisely what is going on and be able to note any unusual activity, such as calls between the executives of corporations that are in a takeover or leveraged buy out relationship. It is even likely that you will occasionally intercept calls between investors and their stock brokers, or calls discussing plans for new contracts.

This data is most safely used for insider trading of your own; there will be no way that the Securities and Exchange Commission can establish a link between you and the insiders. A more risky proposition would be to offer any intelligence gathered to competitors for a price as industrial espionage. Then there are the anarchy & disruption angles for cybernetic guerrilla action at the corporate economic & financial level. Leaking info to the press can kill a deal or move stock prices prematurely. Intelligence gathered via cellular hacking can also be used to plan operations against corporate mainframes by providing names and keywords, or indicating vital information to be searched for. Listening to the phone calls of candidates and their campaign staff is also a field rich in possibilities. :)

+

****************************************************************************

WEB SITE HACKING

A friend of mine showed me a nasty little "trick" over the weekend. He went to a Web Search server (http://www.altavista.digital.com/) and did a search on the following keywords - root: 0:0 sync: bin: daemon: You get the idea. He copied out several encrypted root passwords from password files, launched CrackerJack and a 1/2 MB word file and had a root password in under 30 minutes. All without accessing the site's server, just the index on a web search server!

Well, the first thing I did was check my site and it's ok. The second thing I did was check my ISP for my home account, and it's okay.
But by trying various combinations of common accounts on web searches, dozens of passwd files were found. It seems that a large number of locations who use httpd and ftpd on the same server often copy the regular passwd file to ftp/etc or ftp-users/etc for ftp user access. A few sites have left the root password in the file, and many contain user accounts' passwords.

The problems I see here are as follows:

1. You can get the passwd file in some cases by simply pointing your URL to http://target.com/ftp/etc/passwd or http://target.com/ftp-users/etc/passwd. Not good. Anon ftp can't get it but a web browser can. Many passwd files are shadowed but you can see some legit account names. Yes, I realize that this may be a dummy file but hey, not always the case.

2. Some sites do not have the passwd file world readable, but the entire passwd file still exists indexed on the web search server. I don't know about you, but I don't think I'd want my passwd file indexed and searchable on a world accessible web server.

+

****************************************************************************

MONITORING 900MHz SPREAD SPECTRUM

What's the current thinking on the security level of 900MHz digital spread spectrum cordless phones? Clearly it's not a basic scanner job but how much more equipment is needed to monitor one?

The easiest way to do this is to simply buy a similar phone which has all the required signal processing hardware for that particular type of spread spectrum and modify it to receive promiscuously and not transmit while doing so. As far as I know, essentially no cordless phones use any kind of actual secure encryption of the digital bit stream, so all you have to do is ensure that your shadow phone is primed with the correct spreading sequence or hopping sequence and is tuned to the right center frequency.
Typically choices for these are very limited (maybe 20 channels) and modifying the micro firmware in a phone or base unit to search all possibilities is realistic, especially with the help of an external PC as controller.

The digital 900 MHz phones all use different proprietary modulation schemes, but many of them simply transmit a FSK or BPSK RF carrier digitally modulated by the output bitstream of a codec chip (CVSD or regular u-law PCM) on one of several randomly selected channels, perhaps slowly hopping from channel to channel in a fixed sequence. Even the phones that use direct sequence spreading are effectively just transmitting a fast BPSK signal modulated at the chip rate.

Receivers and signal processing boxes capable of dealing with this kind of digital modulation are a standard commodity item in the spook world (made by Condor Systems and Watkins Johnson and the like) and even sometimes show up on the high tech surplus market (and are collected by some of us who collect high tech spook hardware as a hobby); they are, however, very expensive compared with simply modifying a couple of real phones to do the job.

The digital modulation and "spread spectrum" features of 900 MHz phones are primarily intended to allow them to share the 902-928 MHz band with all the other users (other phones, truck tracking systems, short range wireless video cameras and video distribution, various industrial users, wireless LANs of several types, ham radio operators, and several other types of unlicensed uncoordinated devices radiating up has plagued the older 46/49 MHz FM type. The FCC in fact requires some level of spectrum spreading for this purpose but leaves the actual choice up to the implementor rather than establishing a standard method.

Obviously only a secure form of encryption with randomly chosen and wide enough keys would really make intercepting a digital cordless phone difficult for someone determined to do so, especially if they were targeting one particular phone.
I believe almost all of the manufacturers have chickened out in the face of NSA and ITAR and not even implemented toy encryption with random keys - they are simply assuming that Joe Sixpack or his 14 year old son won't be able to pick them up on a commercially available scanner and that the federal law banning sale of scanners capable of intercepting digital transmissions and converting them to analog listenable audio will keep the scanner companies from marketing such and keep customers from complaining about nosey neighbors listening to their calls.

But don't assume that if someone really has some serious reason, you can be certain that expensive ($5-$20K) DSP based systems capable of intercepting several common types are already for sale to the usual suspects.

And finally one should not forget that unless one has an ISDN line, intercepting calls on regular analog subscriber loops (normal telephone lines) by virtually undetectable simple alligator clip class wiretaps or bugs is something that any bright 12 year old can pull off (and many do before they grow up) - so if you have something to hide you shouldn't trust the phone at all.

+

****************************************************************************

COMPUTER SECURITY FOR PRIVATE PEOPLE

Why should you worry about security? The answer lies in the fact that information has become an extremely marketable commodity. This commodity can be stolen from you without your knowledge, causing sometimes devastating harm to your business and personal life. Sensitive information needs guarding.

Implementing a computer security program first requires you to determine what data is truly sensitive. The rule of thumb should be that any data, improperly released, that could cause a loss equivalent to ten percent of your annual net profit or mental hardship should be classified as sensitive.
METHODS OF ATTACK

Computer-based systems include all machine-readable files and auxiliary items such as magnetic backup tapes, floppy disks, printer paper carbons, and printer ribbons. Common methods of attack include unauthorized copying of files, hacking (unauthorized access to your system), between-the-lines entry (using a logged in terminal while the user is away), and hard disk surveillance (using a utility program to search for sensitive files on your hard drive). Wire taps or other methods used to intrude on your phone lines or view your monitor.

Imagine that you are holding an unlabeled floppy disk in your hand. Can you tell by eye what the disk contains? No, you need a computer to do that.

How much information can a 720K disk hold? Even a disk of that small capacity holds more data than a regular size novel. High density disks (1.2 MB) hold almost twice that amount.

When you give the DOS "Del a: *.*" command for this disk, all of the files are completely erased from the disk right? Wrong! Any good utility program such as the Norton Utilities or Lotus' Magellan can find those files and undelete them.

Is copying files from a hard disk to a floppy a time consuming and complex process? No, even with relatively large files, it is a fairly simple and quick procedure. Using a program like Magellan, one would be able to pick, choose, and sort files to copy very easily.

From the preceding questions, the following about floppy disks is evident:

1. Unless they are scanned by a computer, you cannot tell what files are on them. External labels may be incorrect or misleading. Classification labels can be removed.
2. Their data storage density is such that hundreds of sensitive files could be walking out your door on a few microfloppies in someone's shirt pocket.
3. Floppies can retain sensitive files even when they look erased.
4. Floppies are easy to copy. It is easy to copy files from hard disks to floppies.

None of this requires any extensive computer knowledge.
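Conclusion 3 can be checked before a disk leaves the site. The following added example (not part of the original newsletter) reads the root directory of a FAT12 floppy image and lists the entries that DEL marked with 0xE5, together with the data still sitting in their clusters. The image, file names and contents are constructed sample data, and the residue read assumes the file was unfragmented and has not been overwritten.

```python
import struct

# BIOS Parameter Block fields stored at boot-sector offset 11 (little endian)
BPB_FORMAT = "<HBHBHHBH"
SAMPLE_SECRET = b"constructed sample: Q4 salary table"


def dir_entry(name11, attr, cluster, size):
    """Build one 32-byte FAT directory entry (timestamps left as zero)."""
    return name11 + bytes([attr]) + bytes(14) + struct.pack("<HI", cluster, size)


def build_sample_image():
    """Constructed 720K FAT12 image: one live file and one removed with DEL."""
    bps, spc, reserved, nfats, root_entries, total, spf = 512, 2, 1, 2, 112, 1440, 3
    img = bytearray(total * bps)
    struct.pack_into(BPB_FORMAT, img, 11, bps, spc, reserved, nfats,
                     root_entries, total, 0xF9, spf)
    root_off = (reserved + nfats * spf) * bps
    data_off = root_off + root_entries * 32
    entries = [
        dir_entry(b"PAYROLL".ljust(11), 0x08, 0, 0),             # volume label
        dir_entry(b"README".ljust(8) + b"TXT", 0x20, 2, 12),     # live file
        # DEL replaces only the first name byte with 0xE5; cluster and size stay
        dir_entry(b"\xe5ALARY".ljust(8) + b"TXT", 0x20, 3, len(SAMPLE_SECRET)),
    ]
    img[root_off:root_off + 32 * len(entries)] = b"".join(entries)
    img[data_off:data_off + 12] = b"hello world\n"               # cluster 2
    c3 = data_off + spc * bps                                    # cluster 3
    img[c3:c3 + len(SAMPLE_SECRET)] = SAMPLE_SECRET
    return bytes(img)


def scan_deleted(image):
    """List deleted-but-recoverable files in the root directory of a FAT12/16 image."""
    bps, spc, reserved, nfats, root_entries, _total, _media, spf = \
        struct.unpack_from(BPB_FORMAT, image, 11)
    if bps == 0 or spc == 0:
        raise ValueError("boot sector does not describe a FAT volume")
    root_off = (reserved + nfats * spf) * bps
    root_sectors = (root_entries * 32 + bps - 1) // bps
    data_off = root_off + root_sectors * bps
    findings = []
    for i in range(root_entries):
        e = image[root_off + 32 * i: root_off + 32 * (i + 1)]
        if len(e) < 32 or e[0] == 0x00:       # 0x00 marks the end of the directory
            break
        attr = e[11]
        if e[0] != 0xE5 or attr & 0x18:       # live entry, label, long-name slot or subdirectory
            continue
        cluster, size = struct.unpack_from("<HI", e, 26)
        base = e[1:8].decode("ascii", "replace").rstrip()
        ext = e[8:11].decode("ascii", "replace").rstrip()
        name = "?" + base + ("." + ext if ext else "")   # first letter is lost
        start = data_off + (cluster - 2) * spc * bps
        residue = bytes(image[start:start + size]) if cluster >= 2 else b""
        findings.append({"name": name, "size": size,
                         "cluster": cluster, "residue": residue})
    return findings


def safe_to_release(image):
    """True only when no deleted file entries remain in the root directory."""
    return not scan_deleted(image)


if __name__ == "__main__":
    for f in scan_deleted(build_sample_image()):
        print(f["name"], f["size"], "bytes still on disk:", f["residue"])
```

A disk that fails `safe_to_release` should be reformatted and rewritten with only the files meant to leave, since removing the directory entry alone does not clear the data clusters.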
Since floppy disks and the new 8mm magnetic tape backups for PC's have extreme portability, rigid measures have to be taken to protect them and to prevent unauthorized copying of your hard drive onto these media. The following would help:

a. While it is fine to keep your programs on hard disk, the sensitive data files that they generate should be written to floppy disks. These disks could be backed up with another disk. The originals should be locked up onsite. The backups should be securely stored offsite.
b. Make sure sensitive magnetic media have both an external label and an internal electronic label designating their classification (the DOS LABEL command can do this).
c. Use the DOS ATTRIBUTE command on sensitive files to set an electronic switch so that the files cannot be accidentally erased. Attributing sensitive files on a disk also acts as a deterrent to someone grabbing a classified disk, changing the external label, then doing a global DELETE on the disk so they can remove it from the site under the guise of it being empty. Later they would UNDELETE the files using a file utility.
d. Employ password security on sensitive files. WordPerfect 5.1 (and higher) has the ability to place minimal password protection on files. While the password (lockword) protection for WordPerfect is far from foolproof, it, combined with the other security measures suggested, provides a fairly decent perimeter of security. There are software packages available for PC's that can encrypt entire files.
e. Have a consistent backup procedure for all of your files. Back up sensitive files onto disks designated and labeled for that purpose.
f. Do not leave disks with sensitive files on them unattended or unsecured. In large offices, require that authorized users of classified disks sign the media in and out through a designated librarian.
g. Before sending a magnetic disk to someone, scan it with a file utility program to ensure it has no deleted, but recoverable, sensitive files.
If it does, reformat the disk, and then write the non-sensitive files to the disk.
h. Before trashing magnetic media, cut them up into little pieces. For damaged disks containing highly sensitive files, you may wish to use a degausser on the disk first.

By not keeping sensitive files on your hard disk, you go a long way toward computer security. However, you should also consider the importance of not leaving sensitive disks outside a secure place (such as a locked drawer in the user's desk). At the end of the day, all classified media must be returned to the central library to be locked up. Also, auxiliary items such as spent carbons, printer ribbons, printouts, and damaged magnetic media should be securely stored until disposed of. Sensitive computer printouts should be shredded and intermixed with non-sensitive shredded documents prior to disposal.

OTHER COMPUTER DEFENSES

You may decide to use integrated software security packages such as Norton Disklock. These, among other packages, offer hard disk lockdown, file lockword protection, temporary keyboard lockdown, and some security audit trails. The best defense, though, is not to put all your eggs in one basket. One can install security software on their computer and still keep sensitive files on securely locked away floppies.

In fact, it might behoove you to place "decoy" sensitive files behind your security software defense. Decoy files look like they contain valuable, sensitive information, but in reality, behind their technical appearance, they have no useful secrets. These types of files can be "trapped" with information which, if it becomes public, would be harmless, but would tell you of a penetration or compromise. This method can be called the "False Fortress" defense.
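One way to build the "trapped" decoy files described above, shown as an added example that is not from the Codex: each place a decoy is planted gets its own harmless but unique account number, so a number that later turns up outside identifies which location was penetrated. The key, the placement names and the decoy text are constructed for illustration.

```python
import hashlib
import hmac

# Constructed values. The key is kept away from the protected machines so
# that the trap values cannot be regenerated by someone who copies a decoy.
SECRET_KEY = b"constructed-demo-key-kept-offline"
PLACEMENTS = ["office-pc/C:/ACCOUNTS", "laptop/C:/BIDS", "backup-floppy-07"]


def trap_value(placement, key=SECRET_KEY):
    """Derive a harmless but unique 'account number' for one decoy placement."""
    digest = hmac.new(key, placement.encode(), hashlib.sha256).digest()
    number = int.from_bytes(digest[:5], "big") % 10**10
    return f"ACCT {number // 10**5:05d}-{number % 10**5:05d}"


def make_decoy(placement):
    """Text of a decoy file that looks sensitive and carries the trap value."""
    return ("CONFIDENTIAL - WIRE INSTRUCTIONS\n"
            f"Settlement account: {trap_value(placement)}\n"
            "Release only on written authorization.\n")


def trace_leak(observed_text, placements=PLACEMENTS):
    """Return the placements whose trap value appears in text seen outside."""
    flat = " ".join(observed_text.split())   # tolerate re-wrapped text
    return [p for p in placements if trap_value(p) in flat]


if __name__ == "__main__":
    for place in PLACEMENTS:
        print(place, "->", trap_value(place))
    sighting = "Seen on a bulletin board:\n" + make_decoy("laptop/C:/BIDS")
    print("compromised placement:", trace_leak(sighting))
```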
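Items b, c and g of the disk-handling list earlier in this article can be checked mechanically before a floppy leaves the site. The following is an added example, not code from the Codex: it reads the root directory of a FAT12 disk image and reports the internal volume label, entries that DEL marked as deleted but that an undelete utility would still list, and live files without the read-only attribute. The sample image and file names are constructed, and only the root directory is examined.

```python
import struct

ATTR_READONLY, ATTR_VOLUME, ATTR_DIR, ATTR_LFN = 0x01, 0x08, 0x10, 0x0F
BPB = "<HBHBHHBH"        # BIOS parameter block fields at boot-sector offset 11
DIRENT = "<11sB14xHI"    # 8.3 name, attribute byte, start cluster, file size


def build_sample_image():
    """Constructed 720K FAT12 image: boot sector fields and root directory only."""
    img = bytearray(1440 * 512)
    # bytes/sector, sectors/cluster, reserved sectors, FAT copies,
    # root entries, total sectors, media descriptor, sectors per FAT
    struct.pack_into(BPB, img, 11, 512, 2, 1, 2, 112, 1440, 0xF9, 3)
    entries = [
        (b"CLASSIFIED ", ATTR_VOLUME, 0, 0),        # internal label (item b)
        (b"PAYROLL WK1", ATTR_READONLY, 2, 4096),   # read-only set (item c)
        (b"MEMO    TXT", 0x20, 6, 900),             # live file, not protected
        (b"\xe5LIENTS DBF", 0x20, 7, 20480),        # CLIENTS.DBF after DEL
    ]
    root = (1 + 2 * 3) * 512                        # after boot sector and FATs
    for i, fields in enumerate(entries):
        struct.pack_into(DIRENT, img, root + 32 * i, *fields)
    return bytes(img)


def dos_name(raw):
    """Turn the 11-byte directory name field into NAME.EXT form."""
    base = raw[:8].decode("cp437").rstrip()
    ext = raw[8:].decode("cp437").rstrip()
    return base + ("." + ext if ext else "")


def audit_floppy(image):
    """Report the volume label, deleted-but-listed entries and unprotected files."""
    bps, _spc, reserved, fats, root_entries, _total, _media, spf = \
        struct.unpack_from(BPB, image, 11)
    if bps not in (512, 1024, 2048, 4096) or root_entries == 0:
        raise ValueError("no FAT12/FAT16 BIOS parameter block found")
    root = (reserved + fats * spf) * bps
    report = {"label": None, "deleted": [], "unprotected": []}
    for i in range(root_entries):
        raw = image[root + 32 * i: root + 32 * i + 32]
        if len(raw) < 32 or raw[0] == 0x00:     # 0x00: no entries after this one
            break
        name, attr, cluster, size = struct.unpack(DIRENT, raw)
        if attr == ATTR_LFN:                    # long-name slot, not a file
            continue
        if raw[0] == 0xE5:                      # deletion sets this byte to 0xE5
            report["deleted"].append((dos_name(b"?" + name[1:]), size, cluster))
        elif attr & ATTR_VOLUME:
            report["label"] = name.decode("cp437").rstrip()
        elif not attr & ATTR_DIR and not attr & ATTR_READONLY:
            report["unprotected"].append(dos_name(name))
    return report


def safe_to_release(report):
    """Item g: the disk may leave only if no deleted entry is still listed."""
    return not report["deleted"]


if __name__ == "__main__":
    result = audit_floppy(build_sample_image())
    print("label:", result["label"])
    for name, size, cluster in result["deleted"]:
        print(f"recoverable: {name} ({size} bytes, first cluster {cluster})")
    print("not read-only:", result["unprotected"])
    print("safe to release:", safe_to_release(result))
```

The deleted entry keeps its size and first cluster, which is what lets a file utility recover the data until those clusters are overwritten.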
A TSCM (or Technical Surveillance Countermeasures) expert should be consulted if there is a possibility of someone wanting your data so badly that they would resort to illegal tapping or otherwise tampering with your phone lines or remotely viewing your monitor (yes it can be done).

POINTS TO REMEMBER

1. When the terms "lock" or "locked up" are used for storage areas, we mean locks or safes that can withstand a physical attack of at least one to two hours of duration.
2. Do not make it easy for an information thief by placing signs in your office on where sensitive materials are stored.
3. Keep access to sensitive information by your coworkers and associates on a need-to-know basis.

SUMMARY

Your computer security will be good only if you use a comprehensive plan. Each defense must be adequate. It does little good if the password to a sensitive file is your first name. Learn to think like an information thief, and you will have less chance of being victimized by one. If you think that there is no possibility of anyone attempting to use covert methods to steal information from you...think again! In today's high-tech world, secrets are increasingly at a premium.
+
****************************************************************************
****************************************************************************

THE USE OF VOICE MAILBOXES BY TELEPHONE PHREAKERS

For the past few years the use of voice mailbox systems in the USA has been increasing. Voice mailbox systems must be divided into two different types: toll-free voice mailbox systems used by many types of companies, and voice mailbox systems from companies providing party lines, dating lines and other, mostly expensive, services. Normally a phreaker will primarily select the toll-free voice mailbox system. If no toll-free voice mailbox is available he probably has the knowledge and the technical capability to call a voice mailbox of a service provider in an illegal toll-free way.
The problem, however, is not which voice mailbox system he will call, but how he will use it. To understand how to misuse a voice mailbox system, the basic system use must be understood. A voice mailbox is like a house. When you enter the house your host welcomes you. The host in this case is a voice menu explaining all the functions of the system. To choose one of these functions you just have to press the corresponding button of the key-pad. Having made a selection you will leave the entrance and enter a "room". Each room is dedicated to a special topic. Topics can be live discussions with as many people as are in the room, public message areas, private message areas, playing a game, etc. A large voice mailbox system can have more than 100 different "rooms". If the number is not toll free, the phreaker uses techniques to call the voice mailbox system free of charge anyway. If the voice mailbox is interesting, easy to hack and fits his needs, the phreaker has a lot of uses for such a system. It has been evidenced by court trials that phreakers use voice mailbox systems as their "headquarters", to meet, to discuss, to have conferences with up to 20 persons participating at the same time, to leave messages to other phreakers or to deposit and share knowledge. They waste system resources without paying for it. It is also interesting to see how the phreakers used system resources. As mentioned above, a voice mailbox is like a house, a house with easy-to-pick or no locks in the doors. The business of the service provider requires the voice mailbox to be easy to use without big security installations. The voice mailbox must be an open house for everybody, and that makes it easy for the phreaker. First a phreaker will look for hidden functions in the voice mailbox. Hidden functions are normally used to reprogram the voice mailbox from a remote location. 
Commonly, hidden functions are available to increase the security level of certain rooms and for creating new rooms with new possibilities and features. With knowledge of the hidden functions of a system, the phreaker can create new rooms for meetings with other phreakers, and he is able to raise the security level of such rooms so that only insiders can gain access. Increasing the security level means assigning an access code to a room. Without knowledge of the access code the room cannot be entered. Thus, he is able to create a voice mailbox inside the voice mailbox for a closed user group, "Entrance for phreakers only". This voice mailbox for phreakers can be used to post calling card numbers, private messages for other phreakers, the newest access codes for other voice mailbox systems, the newest tricks on how to cheat the telephone system, etc.

All that owners of voice mailbox systems can do is watch the traffic inside their systems and look for changes such as new rooms suddenly appearing. From a practical point of view it is very difficult to increase the security of a voice mailbox without causing problems for paying users. In case of misuse it is necessary to co-operate with a security expert and the local authorities to limit financial losses.
+
****************************************************************************
****************************************************************************

COUNTERFEITING MONEY

This information is provided for informational purposes only to familiarize security and law enforcement personnel with one method of counterfeiting money.

Before reading this article, it would be a very good idea to get a book on photo offset printing, for this is the method used in counterfeiting US currency. If you are familiar with this method of printing, counterfeiting should be a simple task. Genuine currency is made by a process called "gravure", which involves etching a metal block.
Since etching a metal block is impossible to do by hand, photo offset printing comes into the process. Photo offset printing starts by making negatives of the currency with a camera, and putting the negatives on a piece of masking material (usually orange in color). The stripped negatives, commonly called "flats", are then exposed to a lithographic plate with an arc light plate maker. The burned plates are then developed with the proper developing chemical. One at a time, these plates are wrapped around the plate cylinder of the press. The press to use should be an 11 by 14 offset, such as the AB Dick 360. Make 2 negatives of the portrait side of the bill, and 1 of the back side. After developing them and letting them dry, take them to a light table. Using opaque on one of the portrait sides, touch out all the green, which is the seal and the serial numbers. The back side does not require any retouching, because it is all one color. Now, make sure all of the negatives are registered (lined up correctly) on the flats. By the way, every time you need another serial number, shoot 1 negative of the portrait side, cut out the serial number, and remove the old serial number from the flat replacing it with the new one. Now you have all 3 flats, and each represents a different color: black, and 2 shades of green (the two shades of green are created by mixing inks). Now you are ready to burn the plates. Take a lithographic plate and etch three marks on it. These marks must be 2 and 9/16 inches apart, starting on one of the short edges. Do the same thing to 2 more plates. Then, take 1 of the flats and place it on the plate, exactly lining the short edge up with the edge of the plate. Burn it, move it up to the next mark, and cover up the exposed area you have already burned. Burn that, and do the same thing 2 more times, moving the flat up one more mark. Do the same process with the other 2 flats (each on a separate plate). Develop all three plates. 
You should now have 4 images on each plate with an equal space between each bill. The paper you will need will not match exactly, but it will do for most situations. The paper to use should have a 25% rag content. By the way, Disaperf computer paper (invisible perforation) does the job well. Take the paper and load it into the press. Be sure to set the air, buckle, and paper thickness right. Start with the black plate (the plate without the serial numbers). Wrap it around the cylinder and load black ink in. Make sure you run more than you need because there will be a lot of rejects. Then, while that is printing, mix the inks for the serial numbers and the back side. You will need to add some white and maybe yellow to the serial number ink. You also need to add black to the back side. Experiment until you get it right. Now, clean the press and print the other side. You will now have a bill with no green seal or serial numbers. Print a few with one serial number, make another and repeat. Keep doing this until you have as many different numbers as you want. Then cut the bills to the exact size with a paper cutter. You should have printed a large amount of money by now, but there is still one problem; the paper is pure white. To dye it, mix the following in a pan: cups of hot water, 4 tea bags, and about 16 to 20 drops of green food coloring (experiment with this). Dip one of the bills in and compare it to a genuine US bill. Make the necessary adjustments, and dye all the bills. Also, it is a good idea to make them look used. For example, wrinkle them, rub coffee grinds on them, etc. As before mentioned, unless you are familiar with photo offset printing, most of the information in this article will be fairly hard to understand. Along with getting a book on photo offset printing, try to see the movie "To Live and Die in LA". It is about a counterfeiter, and the producer does a pretty good job of showing how to counterfeit. 
A good book on the subject is "The Poor Man's James Bond". If all of this seems too complicated to you, there is one other method available for counterfeiting: The Canon color laser copier. The Canon can replicate ANYTHING in vibrant color, including US currency. But, once again, the main problem in counterfeiting is the paper used.

This data is provided for informational purposes only. Counterfeiting is illegal and you will be arrested if caught.
+
****************************************************************************
****************************************************************************

HOME BREW HERF DEVICE

We coined HERF (High Energy Radio Frequency) as a generic term to mean a device that can interfere with a computer or communications system's operation. Simply, since a computer is electronic in nature, it both emits low level radiation and is susceptible to external interference. For example, when your cell phone goes haywire on a bridge or in a tunnel, it is caused by interference. In this case the interference is passive. The metallic structures 'suck-up' and disperse the transmissions and you get nada. Or, in the days of roof antennas, a pigeon would cause TV reception to falter just as a lightning storm could make the screen go blank for a few seconds. (With cable it's a few hours.)

A computer is just as susceptible to interference, except that more power is required to cause a system failure or 'crash'. It is no surprise that surge protectors are designed to keep power line spikes from affecting a computer . . . a so-called natural phenomenon. Not man made . . . just part of the power grid. We have all learned that certain integrated circuits (IC's or chips) will self-destruct if we touch them after walking on a carpet on a dry day. The discharge of static electricity is large enough to break down the silicon barrier on the chips and Voila! No more chip . . . no more working computer.
It should be no surprise then that a non-natural, or man made, electrical discharge would have similar results. And they do. The object, on the part of certain people in the military, is to create an arsenal of non-lethal weaponry. And they are doing it. The concept of particle beam weapons as part of Star Wars (SDI) relied upon focussed high energy beams that would destroy their electronic targets. Ground based systems have been tested at the regular weapons places like Los Alamos et al with varying degrees of success. Remember, the military requirements are generally an order of magnitude more rigid, so from their standpoint, the technology isn't there yet.

For example, one mission goal would be: create a system that can force an uncooperative pilot to make a landing. Drug running is a good example. By targeting the avionics and communications of the target aircraft, the policing airplane would successively disable systems until the plane either landed or . . . well it is a big ocean. But conventional explosives would be unnecessary and the pilot would have been an unfortunate victim of a 'plane that ran out of gas.'

HERF weapons can be operated over a wide range of frequency with a corresponding set of pros, cons and functional tradeoffs: distance, dispersion, penetration, reflection . . . all pretty basic stuff for a first year engineering student.

Some businesses located on sightlines near airports have experienced periodic computer malfunction . . . with no apparent source or readily observable villain. But, it turns out that the high power radar systems have been responsible in many cases. The high frequency (above 1 GHz) radar signals penetrate most structures, are focussed and can crash a computer network in a split second. Having unexplained system crashes? Look for outside influence. There are ways to identify certain power sources.
Until recently I thought that HERF guns or their brethren HPM (High Power Microwave) devices were a military and laboratory reality, and in the future they would migrate into the hands of the 'bad guys'. I was wrong. It's pretty obvious that the hobbyist with a few dollars can purchase a surplus radar system from the U.S. Government for pennies on the dollar. Make a few modifications and BINGO, you got yourself a pretty potent electronic weapon. But it was not so obvious that HERF guns had already evolved to street technology - where the home brew hobbyist can put one together from spare parts. We made one.

The device was ostensibly built as an electronics project for giggles. If you build up a large electric high voltage field, the air around the point of electrical build up can ionize and actually glow. The familiar experiments with Van de Graaff generators and Tesla coils create long spiky lightning-bolt shaped electrical discharges that are most impressive. But another phenomenon of sustained high voltage fields is known as St. Elmo's Fire, which World War II fighter pilots and North Atlantic seamen report as balls of lightning that can dance or follow a plane or a ship.

Last year, some friends and I were trying to come up with a unique window decoration for Christmas. We put nails around the window frame, attached the right wires, added a few more gizmos and waited for St. Elmo's Fire to provide a ghostly glow in the darkness. But, in our experimentation with the device, we found that if we discharged the voltage field in a short We also found that the discharges could cause computers up to a couple of hundred yards away to also feel the effects of my St. Elmo's toy.

Admittedly curious, we played with the circuits and wanted to see just how much of an effect my home-brew efforts could have. We contacted friends in Australia and asked them to listen to certain frequencies on their short wave radio.
It turned out that every time the device was quickly discharged, sufficient energy was released in a short period of time to be 'heard' 14,000 miles away. Our HERF gun is astonishingly simple. Mounted on a piece of wood about 12" square sits the power transformer, rectifier and storage capacitors. (This is also known as a power supply.) A heavy gauge (4 or 6) wire runs from the plywood circuits to a long tube with a 1/2" thick metal bar on the end. Inside the tube is another circuit, this one purloined from a confidential source. This circuit is generically known as Jacob's Ladder or a high voltage multiplier. It takes the input voltage from the power supply (of a couple thousand volts for example) and brings it to perhaps millions of volts. Or, lower voltage and higher current. Ohm's law applies. A one microsecond pulse of 2.5 Megawatts is emitted every time it is fully charged. That's the equivalent of 100 amps at 25,000 volts, or 10 amps at 250,000 volts. The circuit performance can be enhanced very easily I believe. Just put a tuned coil as the output load and a resonance will increase the power in a focussed range by a factor of 10. Twenty five Megawatt pulses are trivial. The dispersion pattern is uncontrolled to say the least. Omnidirectional is an understatement. When we designed it we were not interested in focussed damage . . . but the resultant local computer outages were a source of entertainment. For us. Frequency and directionality are inversely proportional and with a little engineering, a more usable system is on the horizon. All for the price of a few parts from Radio Shack and Ed's Electrical Junk Store. The principle behind HERF guns is simplicity itself and they have arrived a lot sooner than any of us. + There's a LOT MORE in every issue of the Codex. Subscribe today. Don't miss an issue... 
Check out our WEB SITE - The Codex Privacy Page
URL: http://www.thecodex.com

The Codex Surveillance & Privacy Newsletter
DataScan - Diagnostic TEMPEST Evaluation System
Design and Fabrication of Specialized Systems
Technical Surveillance CounterMeasures (TSCM)
Forensic Audio Restoration & Audio Tape Enhancement