Carvercon 2018 - Washington, DC - November 16

Security Management International (SMI) is pleased to host the inaugural CARVER Target Analysis and Vulnerability Assessment Convention in Washington, D.C. on Friday, November 16th, 2018 from 8am – 5pm. The event will be in Washington D.C. at the Washington Marriott Metro Center with a continental breakfast, lunch, and light fare in the afternoon.

This one-day event will cover a range of topics related to protecting critical infrastructure and key resources, utilizing the CARVER Target Analysis and Vulnerability Assessment Methodology as a foundation for discussion. The latest innovations in assessment technology, recent case studies, and best practices for identifying and minimizing security threats will all be addressed.

Featured speakers include retired CIA officer and the “Godfather of CARVER,” Leo Labaj, former Deputy Director of the FBI, William Esposito, former US National Security Advisor and Supreme Allied Commander, General James Jones, plus many more. more

Wi-Fi to Get More Security Muscle

The Wi-Fi Alliance has officially unveiled WPA3, its next-generation security standard to keep wireless networks better protected, alongside a move to streamline the setup of the likes of smart home gadgets.

As you may be aware, WPA3 follows on from the currently employed WPA2 standard, which has been hit by security vulnerabilities that have led folks to question its overall strength in recent times.

So, the arrival of WPA3 is clearly important, and the Wi-Fi Alliance is delivering the fresh standard in two forms, one aimed at the home user, and one for businesses: WPA3-Personal and WPA3-Enterprise.

Both flavors are designed to provide far more robust security, with users benefiting from Protected Management Frames (PMF) to defend against malicious parties eavesdropping on their data transmissions. more

Technical Surveillance Countermeasures (TSCM) and Cell Phone Security Presentation

As part of the New Jersey Association for Justice Boardwalk Seminar, Murray Associates president Kevin D. Murray will present a session entitled, “Technical Surveillance Countermeasures (TSCM) and Cell Phone Security.”

Eavesdropping, wiretapping, snooping, voyeurism, and espionage are covert activities. The victim rarely knows when it happens. Kevin D. Murray explores the world of corporate espionage, explaining how many companies are bleeding profits for lack of a counterespionage strategy. 

Regularly scheduled TSCM inspections narrow the window-of-vulnerability, spot new security loopholes, identify decaying security measures and practices, disrupt the spy’s intelligence collection phase, and keep counterespionage awareness levels elevated.

"Success-to-failure ratios are similar… most airplanes don’t crash; most people don’t drown in their baths; most houses don’t burn to the ground whenever the stove is used… and, most spying goes undiscovered." ~Kevin   more

Detective Science: Fingerprinting Text to Discover Data Leakers

Fingerprinting text; the ability to encode hidden data within a string of characters opens up a large number of opportunities.

Spybuster Tip: For example, someone within your team is leaking confidential information but you don’t know who. Simply send each team member some classified text with their name encoded in it. Wait for it to be leaked, then extract the name from the text — the classic canary trap.

Here’s a method that hides data in text using zero-width characters. Unlike various other ways of text fingerprinting, zero width characters are not removed if the formatting is stripped, making them nearly impossible to get rid of without re-typing the text or using a special tool. In fact you’ll have a hard time detecting them at all – even terminals and code editors won’t display them. more

A Snitch on the Foreign Spy Website ...what could possibly go wrong?

China has launched a new website that allows citizens to report people they suspect of being foreign spies or separatists.

The Ministry of State Security reporting platform even offers rewards to citizens who report those who are trying to “overthrow the socialist system,” the South China Morning Post reported.

Accessible in both English and Mandarin, the website (www.12339.gov.cn) was launched on April 15 as part of China's National Security Education Day.

The new website details an exhaustive list of offenses that can be reported, including collusion with foreign countries, plotting to “dismember the state” and “fomenting subversion of state power” through “rumor, libel or other ways.” more

Dutch Treat Espionage Seriously - You Should Too

The Netherlands - The foreign affairs ministry has advised travelers to China to take ’empty’ laptops and mobile phones with them to avoid their data being compromised by the government. 

The advice was contained in a letter circulated to 165 businesses and knowledge institutions accompanying prime minister Mark Rutte on a trade mission this week.

The letter says: ‘The Chinese government will want to know everything about you and your business or organisation. You should presume that all computers and phones that enter China are constantly being monitored to obtain this information.’ 

Sources told the Volkskrant that the cabinet is taking similar precautions for trips to Russia, Iran and Turkey. The last is particularly sensitive because the country is a NATO ally. more

Counter-Espionage For Business Travelers Course

The Counter-Espionage for Business Travelers Course is a two-day seminar designed to educate those individuals in your organization who may become targets of espionage, whether knowingly or unknowingly, from an economic competitor or a hostile intelligence service.

Unfortunately, most business travelers are untrained, and thus unprepared, to handle even the most common espionage tactics, such as:

• Elicitation
• Bribery
• Blackmail
• Extortion
• Electronic Surveillance
• Electronic Exploitation
• Physical Surveillance
• Hotel/Office Covert Intrusions

A small sample of the topics covered include:

• Economic vs. Industrial Espionage
• Foreign Intelligence Collection Methods
• How to Recognize Elicitation and Recruiting Techniques
• Operational Security (OPSEC) Awareness
• Communication Security (COMSEC) Awareness
• Data Attack and Intrusion Methodologies
• How to become an "Invisible Traveler"
• Surveillance Detection Techniques

If you can't go for the course, at least go for some good books on the subject:

Among Enemies: Counter Espionage for the Business Traveler by Luke Bencie.

Staying Safe Abroad: Traveling, Working & Living in a Post-9/11 World by Edward L. Lee

Hedy Lamarr - The Spread Spectrum Lady

“Bombshell” (Alexandra Dean’s timely documentary) explores, Lamarr, in collaboration with avant-garde composer George Antheil, of all people, came up with a way to ensure secure radio signals, a frequency-hopping technology that has been called the basis for such up-to-date innovations as Wi-Fi, Bluetooth and GPS.

Though one of the most recognized faces in the world, Lamarr, executive producer Susan Sarandon has said, “was never seen for who she was.”

Yet what makes “Bombshell” intriguing is not just Lamarr’s gift for invention, it’s also what a fiery individualist she was, someone who had no regrets about her eventful life (”You learn from everything”), not even its racy, tabloid elements. more

TSCM Security Tip: Check Hotel Ownership

Many hotels, conference centers and resorts are controlled or owned by governments engaging in business espionage. Checking the ownership before booking your off-site meetings and general business travel can significantly reduce your risk of electronic surveillance.

Click for interactive map.

From a New York Times article, Foiling Cyberspies on Business Trips...
Evan Anderson, chief executive of Invnt/IP, a group dedicated to combating nation-sponsored intellectual property theft...said he created a map of Chinese-owned hotels around the world in 2016 and was surprised by how many they were, including some in Silicon Valley where technology companies hold meetings. “Most people don’t realize that an individual Four Seasons hotel, Ritz-Carlton, or many other brands can be owned by a Chinese company with close ties to the Chinese government,” he said.

---

Checking venue ownership is the first step to reducing the risk of intellectual property theft. The second step is hiring a Technical Surveillance Countermeasures (TSCM) specialist. They will search for all types of electronic surveillance (i.e., audio bugging, video voyeurism, and data cybersecurity), before and during your stay.

Security directors from Fortune 1000 companies are invited to receive my free Off-Site Meeting Security Checklist — 25 recommendations / 5-page report. ~Kevin

TSCM News - Professional Spybusters in Demand for Bug-Sweeping

In the trade it is known as TSCM but everyone else calls it bug-sweeping. It is not cockroaches that these pest controllers are hunting but eavesdropping devices that could be hidden anywhere from a mobile phone to the cable in the back of a computer.

Demand for the services of professional technical surveillance countermeasures specialists has grown dramatically along with public awareness of the dangers. Britain’s professional spy catchers have never been busier as businesses and wealthy individuals realise that they are being watched and listened to. 

According to James Williams, director of the TSCM Institute, the only professional body covering the emerging industry, “eavesdropping is on the increase” as the number of devices and ways to bug people have multiplied. more

If you are looking for a reliable firm (many are not), contact me for a referral in your area. ~Kevin

Do Bug Detecting Gadgets Work? Let's Ask an Ex-Police Chief

CA - A judge set bond at $100,000 on Friday for former La Joya police Chief Geovani Hernandez, who’s accused of accepting cash to provide security for drug shipments... When agents arrested Hernandez, they found a “bug detector” designed to reveal hidden recording devices and prevent electronic surveillance. more

SCIFs Go Corporate

With cybersecurity threats on the rise, the private sector is taking a cue from national security protocol to protect corporate secrets, investing in highly protected SCIFs, or Sensitive Compartmented Information Facilities.

What happens in a SCIF stays in a SCIF—and has ever since the concept of the “war room” originated during World War II. ...

Private companies are increasingly seeing the benefits too—especially those working in fields whose success is dependent on continually out-innovating their competitors. “The rooms can be used in many ways once built, from proposal writing and strategy sessions, to hands-on R&D and product testing,” says Gordon. “They can even be portable. But they all give companies piece of mind that work and discussions taking place inside the room are completely confidential.” more

Can't afford a SCIF (they're expensive), use a TSCM team to conduct pre-meeting inspections. If you can afford a SCIF (sweet), use a TSCM team to re-certify it's integrity against eavesdropping. SCIF effectiveness tends to decay with age and use. ~Kevin

The Cuban "Acoustic Attack" - Eavesdropping, TSCM, or Other?

The FBI is reportedly investigating who was behind an “acoustic attack” that inflicted at least two staffers of the U.S. Embassy in Havana with sudden hearing loss. Washington expelled two Cuban diplomats earlier this year in response to the incident, the U.S. State Department said on Wednesday.

The Cuban foreign ministry said it was investigating the allegations.

Citing officials familiar with the investigation, The Associated Press reported on Wednesday that embassy staff in Havana began suffering from hearing loss in the fall of 2016. U.S. officials later concluded that a device operating outside the range of audible sound has been installed inside or near diplomatic residences in Havana. more

Media speculation as to what and who is rampant. 

Some what theories, which the media has missed, include: 
• An ultrasonic bugging device (an eavesdropping attack).
• An ultrasonic room flooding device (an eavesdropping countermeasure). 

If either of these were incompetently programmed–thus producing a higher than safe level of audio power output–people would experience hearing loss and other sickness symptoms (headache, nausea, disorientation, etc.).

As to who... A bugging device could be planted by anyone, not just the Cubans. An ultrasonic room flooding device would be placed by whoever has control of the room, in an effort to deter electronic eavesdropping attempts — mixing differing frequencies of ultrasound has a detrimental effect on microphones. This is a rarely used Technical Surveillance Countermeasures (TSCM) tactic due to the fine balance between effectiveness and dangerousness. It zaps hearing aids, too.

An "acoustic attack" just to cause intentional harm seems unlikely. The results of the investigation should be interesting, if they see the light of day. Ultra-unlikely. ~Kevin

Visit us at counterespionage.com to learn how business and governments protect themselves against electronic eavesdropping attacks.

The Case for Corporate Counterintelligence

Excellent article explaining why corporations need a Counterintelligence Program. Make sure your program is holistic. Round it out by adding in Technical Surveillance Countermeasures (TSCM), and technical information security elements. 

Q: I am trying to garner support for creating a corporate counterintelligence (CI) program within our security organization; we are an international company with people and facilities in multiple countries. What does a “good” corporate CI program look like?

A: ...For its lifeblood, does your organization rely on: Patented or copyrighted products? Trade secrets? Proprietary information, technology, services or processes? Are supply chain vendors/subcontractors hired to support any of those areas? Is research and development a core capability? Does your organization provide goods or services not provided by anyone else? Are foreign nationals employed in the organization (domestically or internationally)? Are US citizen employees assigned to facilities outside the US? If you answered yes to any of these, then your organization is a viable candidate for a dedicated CI program... more

Be Successful Like Apple - Get Serious About Information Security

A recording of an internal briefing at Apple earlier this month obtained by The Outline sheds new light on how far the most valuable company in the world will go to prevent leaks about new products.

The briefing, titled “Stopping Leakers - Keeping Confidential at Apple,” was led by Director of Global Security David Rice, Director of Worldwide Investigations Lee Freedman, and Jenny Hubbert, who works on the Global Security communications and training team...

The briefing, which offers a revealing window into the company’s obsession with secrecy, was the first of many Apple is planning to host for employees. In it, Rice and Freedman speak candidly about Apple’s efforts to prevent leaks...

Director of Global Security, David Rice...“We deal with very talented adversaries. They're very creative and so as good as we get on our security controls, they get just as clever.” more

If your security plan does not include Technical Information Security Surveys, contact me. ~Kevin

Corporate Espionage Countermeasures Tips

via Colleen McKown – American Greed Report
Corporate espionage schemes can occur when people already working for someone else infiltrate a company, or employees who've already left a company leave behind co-conspirators who send them data.

Some important steps companies can take:

• Install technology that monitors everything going into your email system to determine if it's a legitimate message or if it's phishing or malware.

• Monitor for what's going out of your email system as well by installing leakage control systems. These can, for example, tell whether data is being sent to Dropbox or personal Google, Amazon or Microsoft cloud accounts. They can also monitor for documents or spreadsheets going out.

• Use whitelisting, which lets you specify which applications are approved to run on a computer system. Anything not on the whitelist won't run, which protects the network from malware and other harmful applications.

• Consult with labor employment counsel to make sure your agreements on who owns intellectual property and prohibiting misuse or removal of such property are up to date. more

Competitive Intelligence is a Euphemism for Business Espionage

How far would you go to figure out what the competition is up to? 

Test out their products and services to see how they work? Hire away their staff to learn their tricks? Monitor their job listings to glean insight about upcoming initiatives?

Such tactics are par for the course in the technology industry, in which companies go to great lengths to size up their competition.

 
The latest example is Uber, which according to a New York Times report employs what it calls a “competitive intelligence” team to study its rivals. That team bought anonymized data — including information on Lyft receipts gleaned from customer in-boxes — from analytics firm Slice Intelligence. more

Competitive Intelligence is a euphemism for Business Espionage. Smart businesses employ Business Counterespionage, which is a euphemism for companies like mine. ~Kevin

TSCM Questions We Get - "How often do you find a bug?"

Q. How often do you find a bug?

A. It depends on the type of sweep. We conduct Technical Information Security Surveys (enhanced TSCM) sweeps for bugs and surveillance devices in businesses and government (and occasionally residential or matrimonial type sweeps).

Business and Government TSCM Sweeps

Regularly scheduled, due-diligence, technical information security surveys rarely turn up devices. No surprise there. Typically, organizations using our services already have a high overall security profile. They are “hardened targets”. For those clients, the bug sweep bonus is... having a known window-of-opportunity when something is found.

Often, what we do find are other information vulnerabilities like: decayed security hardware; security policies no longer being followed; and other unseen security issues (scroll down).

Discovery statistics on our "emergency sweeps" (sweeps where illegal electronic surveillance is suspected) varies from year to year, about 2%-5%. However, the rate of determining what happened and resolving the client's concerns is extremely high. (Isn't that the real point of the exercise?) More often than not, these info-loss cases can be traced back to the human element, or the poor security practices, which allowed the leak to occur some other way.

With organizations, the opposition's focus is on getting the information, in all its forms. Corporate espionage, industrial espionage, call it what you will. There is no one spy tool of choice here. It's electronic surveillance plus hundreds of other tradecraft techniques which may be employed. Solving these organizational emergency cases requires more than a simple TSCM bug sweep. Required add-on skills and experience include: corporate investigations, alarm system design, computer forensics, and information management to name a few.

Residential Bug Sweeps

When it comes to residential and matrimonial bug sweeps, the find rate for locating bugs and surveillance devices is quite high. This makes sense. The opposition's focus is narrow; they want to intercept communications and/or determine the location of a specific person. Electronic surveillance is the tool of choice. Personal privacy is the biggest loss.

Solving these cases is relatively easy for a number reasons:

·       The spy is usually a do-it-yourselfer, an amateur, or someone with limited tradecraft skills.

·       The victim has a good idea who is doing the spying.

·       Resources rarely permit the purchase of advanced bugging or tracking devices.

·       Surveillance devices adequate to accomplish the goal are inexpensive and easy to obtain.

·       Locations for placement of bugs, taps, spy cameras and trackers are limited.

·       Having a personal stake in this type of surveillance, spies often tip their hand to show power.

The Security Director’s Dilemma

Justifying cost to the bean counters.

Private investigators and people who handle residential and matrimonial bug sweep cases don’t charge very much for their services. Mainly because private individuals have limited budgets. But, also because their overhead is low. Their detection gadgets are often basic and inexpensive, insurance costs (if any) are not up to corporate standards, for example.

Professional security consultants who specialize in business and government-level TSCM are not a dime-a-dozen. They invest heavily, and continually in: sophisticated instrumentation, professional certifications, and advanced (and continuous) training. Their overhead includes: an office staff, trained Technical Investigators, licensing, insurance, instrument calibration, and an annual Carnet so they can travel Internationally for their clients.

Security directors know, it’s not all about the money. It’s all about the protection you get for your money. A cheap sweep is a mental band-aid, and a CYA move.

They are charged with protecting corporate assets. This type of information security requires a security consultant with a depth of experience and knowledge of: information management, corporate investigations, complex security systems, and yes… Technical Surveillance Countermeasures.

Benefits of Quality TSCM

Second to 'getting the goods', the goal of espionage and voyeurism is 'never be discovered'. Obviously, if you don't check, you won't know you’re under attack. Organizations don’t have a choice. They don’t want their pockets picked, so TSCM is an important element of their security.

The benefits of having a Technical Information Security Survey (enhanced TSCM) as part of an organization’s security program include:

·       Increased profitability.

·       Intellectual property protection.

·       A working environment secure from electronic surveillance invasions.

·       Advance warning of intelligence collection activities (spying).

·       Checks the effectiveness of current security measures and practices.

·       Document compliance with many privacy law requirements.

·       Discovery of new information security loopholes, before they can be used against them.

·       Help fulfill legal the requirement for "Business Secret" status in court.

·       Enhanced personal privacy and security.

·       Improved employee morale.

·       Reduction of consequential losses, e.g. information leak can spark a stockholder's lawsuit, activist wiretaps, and damage to “good will” and sales.

The benefit list is really longer, but you get the idea.

There are some excellent corporate-level TSCM consultants out there. Now that you know about the different levels of service, track one down to help solve your information security concerns.  You will look like a hero to all your colleagues, except perhaps, the near-sighted bean counters.

Contact me here if you would like to know more.  Kevin D. Murray, CPP, CISM, CFE

Corporate Boards Still Unprepared for Challenge of Cybersecurity

Tom Ridge, the former Homeland Security secretary and Pennsylvania governor, says the majority of corporate boards and CEOs are unprepared for the challenges posed by rising cyber risk.

In fact, 59% of directors report that their boards find it challenging to oversee cyber risk, and only 19% report that their boards possess a high level of knowledge about cybersecurity, he said, citing a study released in March by the National Association of Corporate Directors...

“Most board members don’t want to be technologists. We didn’t design these 16 hours for them to be technologists. We designed it for them to be better educated and to meet their fiduciary responsibilities,” Mr. Ridge said during a meeting with CIO Journal. "It’s top down. This is the CEO saying ‘we are changing now.'" more

Raising awareness comes not a moment too soon. The next step is integrating this into the corporate security program. Learn how, now.

It Pays to Spot Spies in Beijing, or Peeking Duck

China is offering cash rewards of up to $72,400 to encourage residents in the capital Beijing to report about foreign spies in the country, stepping up its campaign against espionage.

Beijing's residents can report through a hotline, by mail or in person any activity endangering China's national security or thefts of national secrets, the Beijing Daily and other state media reported.

The top reward for whistle-blowers ranges from $1,500 (100,000 yuan) to $72,400 (500,000 yuan), depending on how important the intelligence is, the report said. more