Wyche Innovation Centre,
Understanding the Corporate Threat of Technical Surveillance
Assure Technical Speaking at the March 2014 Enterprise Security & Risk Management Conference in London
Contact Us Today for a confidential discussion regarding your requirements
Okay. So, a bit tongue and cheek slide pictures really, I’ve never watched this program. But, the first thing we have to look at is common perception and what people commonly perceive the threat from Technical Surveillance to be. That’s the first starting point for any audit and it is also the first starting for any problem as far as I am concerned, because the common perception around Technical Surveillance and how to defeat Technical Surveillance is often learned through Hollywood. It’s what people see in movies, it’s what people see on the television, and it’s what they read on the internet. The actual full grounding of threat, vulnerability, and mitigation of the risk that’s created there in is usually a completely separate story, really.
Okay. People also perceive the threat to be purely Commercial. Commercial devices and the kind of quick plant, what we would call quick plant devices (images of quick plant bugging devices revealed). This is a kind of thing that you can see that you can buy on eBay, a mixture of the kind of mouse with the GSM engine inside that allows people to dial in and listen to conversations. Wired microphone sets that you can buy down at Maplin’s for a tenner. The double plug socket, which you can buy again on eBay for £50 or £60. I’m not saying that these devices shouldn’t be worried about the Ecuadorian embassy found a big problem with the double plug socket and also a little bit of a problem finding it for a while.
Things like phone chargers. The last gentleman was talking about bringing your own devices. With your own devices come your own accessories. With your own accessories come your own risks. For example, this small thing, I think it’s again about £60 off eBay. That phone charger has GSM engine inside that can be dialled into anywhere around the world and allow the attacker to listen into conversations. The usual thing – what people might think of as a bug, the thing of the centre and the bottom on the left – all readily available, all very Commercially available devices. Anybody with small motive, a small budget can afford these but they are very effective attacks, extremely effective attacks.
Just because of the last bring your own device talk, I’ll talk a little bit about the phone charger – the phone charger attack. Again, about £60 off eBay. It’s a sealed unit and there is the same SIM card already inside. It’s a roaming SIM card so whoever buys it doesn’t even need to put a SIM card in and it’s fully sealed. You wouldn’t be able to tell the difference between that and any other phone charger that was in your area, be it a secure area or insecure area. For me to guarantee to find that, I would need probably a minimum of £70,000 to guarantee to find that and a maximum of about £100,000, okay? So don’t write off the Commercial threat.
Okay. So that’s obviously a picture of me, when I’ve had a shave and removed my glasses (picture of James Bond revealed). The reality of threat in the Commercial world is very different. The reality of threat that I see every day, every week of my working life is that Technical Surveillance attacks veer towards Government level attacks and veer towards Government level technology. Most of the people that I speak to on a business front, daily, perceive that they either don’t have a threat from Technical Surveillance, or that their Technical Surveillance threat is what we saw before. Disgruntled employees, people leaving and putting in something that was found on eBay.
That’s just not what we find. We don’t find that at all. We find that, especially in the competitive market type attack – let’s say if you got – if a deal is worth £1 million. Deals worth a £1 million. is a worth a 10% investment to gain the intelligence to win that deal. You can get an awful lot of spying for that money, an awful lot of spying.
You can hire ex-government employees with all of tradecraft and skills that they need to attack your Company. You can hire a team of them and they will have the kind of technology that a normal Corporate sweep team just cannot find. That’s been proven a number of times. Those was an incident not so long ago and I think it was a divorce case, but there was shares involved and that kind of thing.
There was pictures in the paper of a few guys attacking a house. Those guys were ex-military and ex-police Technical Surveillance officers. If you look at the equipment that they used, that was police equipment and military equipment that left their work and the arena when they did. So the reality of threat is often far greater.