Beware the hidden eyes and ears
These specialists trace the devices to their exact location and alert residents of the bugged premises. Once granted permission to explore indoors, the sleuths amaze the occupants by revealing a bug contained in an everyday item such as a pen, alarm clock or calculator. The sale of these miniature listening devices is big business in Japan. You can even buy bugs and bug detectors at the same shop.
In addition, corporate Japan has become aware of bugging issues. In response, many corporations employ security companies to perform technical security counter measure (TSCM) operations, or bug sweeps.
“Sixty percent of my 500 clients are companies, including foreign ones. My business has doubled in the last five years,” says Kenichi Sakai, president of TRS. The main reason for the increase in the counter-surveillance business is recent media attention, he notes. “It has people and companies worried that they could be a victim of this kind of thing, and they decide to take action.”
Furthermore, devices that were once available only to spies are now cheaply and easily obtainable on the Internet and in shops. The 007 gadgets that Q handed to James Bond seem primitive compared to what we can now buy over the counter.
According to Jack Byrd, managing partner at 360 Risk Management Group in Tokyo, some of the more advanced bugs can be turned on and off remotely, and when turned off do not emit radio waves. Some bugs do not transmit but record audio for later retrieval. These also do not emit signals, and therefore must be traced by equipment that detects their magnetic field or thermal image. Byrd’s organization uses various methods to conduct a sweep.
“For a TSCM on a board meeting, we start by conducting a sweep of the meeting room prior to the meeting and securing the room until the meeting begins,” Byrd says. “For the duration of the meeting, 360 Risk Management may or may not be in an adjacent room with equipment which monitors the radio frequencies given off by bugs.”
Surprisingly, perhaps, corporate boardrooms are bugged less than corporate bedrooms, and 360 Management Risk sweeps CEOs’ residences as frequently as their offices.
“On a daily basis, confidential information is more likely to be discussed in executive offices and residences,” Byrd says. “Board meetings happen very infrequently. Four times a year, sometimes only once or twice annually.”
He talks about the time 360 Risk Management found a bug used to spy on a meeting between two parties involved in an attempted hostile takeover of a retail chain.
“It was not discovered until after the meeting when our client became suspicious and asked us to sweep their offices,” Byrd says. “But the damage was already done.” Based on the discovery of the bug, however, Byrd’s client prevailed in subsequent litigation.
The art of TSCM is complex and changes with fast-developing technologies. The equipment is expensive and must be continually updated to be effective. There is also the trick of using it in the right places. Byrd notes that your significant other, your co-workers and business partners, rather than your fiercest business rival, are more likely to target you with a technical surveillance device. Yet, you are more likely to take countermeasures against your competitors in other enterprises.
Byrd says understanding clients’ worldwide operations, and understanding the legal framework of each jurisdiction is a serious consideration.
However, the biggest threat to companies may not be from audio or video bugs, but from attacks on corporate IT systems.
“The biggest change in modern-day spying is that most corporations discuss their strategy and other secrets electronically and via email,” Byrd says.
Companies are spending huge amounts around the world on the deployment and maintenance of network security, to guard against hackers and prevent loss of data that could hurt them.
“Taking TSCM and IT security seriously is only one part of protecting yourself and/or your business against intrusion,” Byrd says. “It makes no sense to go to extremes with TCSM while leaving sensitive materials on desktops after hours or failing to instruct employees on proper security measures. These may include not having sensitive conversations in public areas [restaurants, coffee shops, trains, etc.], and leaving work PCs and USB sticks unsecured in hotel rooms. Such actions may carry greater risks for the company and are more commonly overlooked.”
Kunio Sakaide, an associate managing director at Kroll International, adds that social engineering is the oldest and most successful method of getting information, defeating even state-of-the-art security systems. Social engineering – the psychological manipulation of people to persuade them to disclose information, and sometimes referred to as “bugs in the human hardware” – has been around as long as there have been scammers.
“Angry employees will leak information out of revenge or greed,” Sakaide says. “Or someone can obtain a trusted worker’s password, or even gain an access card or code to get inside a facility.”
According to Hugh Ashton, who has worked in financial houses, gaining access may be a simple matter. It may be enough to stand outside the door to an office and wait for an employee with a valid card, then say: “I left my card upstairs. Silly me!”
“I remember walking through the labs of a major Japanese electronics maker,” Ashton says. “I noticed that one unattended UNIX [multi-user computer operating system] workstation was logged in as ‘root’. This user account allows unrestricted access to the contents of the computer, and the whole network. I know enough [about] UNIX to be dangerous – it would have taken me less than a minute to wipe that computer’s disk, and bring down the whole laboratory.”
Ashton adds that some employees write their passwords on yellow sticky notes on the side of their monitors. The cleaning staff who come in after working hours may harvest these for later use by another paymaster.
“Or an attacker can use the cleaning staff to plant a USB keylogger between an executive’s computer and the keyboard,” Ashton says. “This sits unobserved, acting as a recording device, storing all user names and passwords, contents of email messages and memos typed on the computer until the cleaning staff [these people have legal access to the area] retrieve the device and return it to its owner in exchange for a ‘bonus’ payment.”
There are low-tech solutions, requiring only a little effort to implement. Ensuring that all employees comply with a published set of security guidelines can go a long way towards mitigation.
Social engineering can also be used to extract money and information from victims. According to CSO Data Protection, earlier this year, Symantec, the US computer security software corporation, “discovered an aggressive social engineering campaign targeting a limited set of multinational firms in Europe. The attacks were by the book, employing classic techniques, eventually netting the criminals vast sums of stolen funds for their efforts.
“In April, an administrative assistant working in a France-based multi-national firm received an email message referencing an invoice hosted in a file sharing service [such as Dropbox]. A few moments later, a person posing as a senior executive within the assistant’s firm authoritatively instructed her to process the invoice referenced in the email.” The employee complied.
Social engineering, on the personal level, may involve alcohol, sex, money, mind games and various other techniques. On the technical level are email phishing scams, social network manipulations, mobile phone text message hoaxes, and much more.
The weakest link in the typical security system is the human factor, but as spying devices grow in sophistication, demand will continue to grow for bug sweeps and counter-surveillance measures.
This article also appeared in EuroBiz Magazine