From: "James M. Atkinson, Comm-Eng" <jmatk@tscm.com>
Date: Sun, 7 Jun 1998 23:49:35 -0700 (PDT)
To: TSCM-L@tscm.com
Subject: TSCM-L Technical Security List
Message-ID: <v03110705b1a17d9226d8@[205.161.57.127]>
MIME-Version: 1.0
Content-Type: text/enriched


TSCM-L Technical Security List    Monday, June 8, 1998    Volume 1998
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Postings:           TSCM-L@tscm.com
Unsubscribe:   unsubTSCM-L@tscm.com
Subscribe:       subTSCM-L@tscm.com
Admin:		     jmatk@tscm.com

This material will only be sent to you upon your direct request, either by your 
email request, or by signing up via our web page. 

TSCM-L is published by Granite Island Group, and is written by James M. Atkinson.

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

A telephone eavesdropping system was recently encountered which is being sold by a 
company in Pomezia, Italy. The system is for use on AT&T System 25, 75, and 85 PBX 
systems (other versions are available for 1030, 3070, Merlin, and Partner systems).

The first element of the system consists of a station card which has been built from 
scratch and appears almost identical to the original cards built by AT&T. There are 
no modifications on the card, and all components appear legitimate

The only visual difference between the cards is several additional integrated 
circuits, and discrete components. Additionally, on the silkscreen side of the card 
is a small logo consisting of an upper case letter E followed by a 7xx type of number 
(such as E-728). The logo will appear diagonally across the card from the serial 
number. Each station card will support 8 digital phones, and one outgoing circuit.

The second element of the system is the printed circuit board that goes into the 
actual telephone. Much like the station card the printed circuit board appears 
original but closer inspection will reveal a small number of extra components and 
PCB traces which go to the four pair position.

Suspect telephones will present an anomaly on the power and/or 4th pair. The 
signal is a digital data signal (usually 160 Kbps). Vector signal analysis will 
indicate a QAM/BPQSK cats-eye (a digital audio signal via a seven stage parasitic 
polynomial 1+x6+x7 algorithm). Waveform is a serial data stream, bipolar signal 
at roughly 700mV (680-715 mV depending on instrument). Power drain is fairly high 
(average of 136% over normal), but station card will not indicate an over-current 
condition or station error. 

Serial data stream is constant, and only affected by application of power. Signal 
stops if power is removed for more than 15 milliseconds. Disconnection of handset 
does not effect signal. Signal is present in both on-hook and off-hook conditions.

The third element of the system is a small modification to the PBX back plane which 
consists of two small wires which are tacked into place between the station card and 
the line card. This bridging circuit allows a T-Carrier signal to pass from the 
station card to an unused cable pair for an outgoing signal path (usually the 25th 
pair). This modification will appear to be a legitimate factory modification to the 
backplane.

The fourth element of the system is the transmission path back to the listening post 
(which will appear to be a T-1 signal, but will only use one cable pair). A RF 
transmitter could be used, however; such an emission would increase the possibility 
of the system being detected if used inside or near the target facility. A RF 
transmitter could be used once the signal is well outside the facility.

The transmission path will normally consist of a T-Carrier signal that can be traced 
to a facility demarcation point and then to an external cable pair. The signal will 
typically terminate at (or just prior to) an off-site SLC box. At this point the 
T-Carrier signal will be bridged back to a listening post either by hardwiring or 
an RF transmitter (though the use of a bridging capacitor to isolate the DC 
components of the circuit).

Faked power outages in the PBX or server room will typically be used to cover the 
installation activities. The installation consists of swapping the station card, 
and then installing the jumper wires on the back plane. While the power is still 
off the special printed circuit boards are installed into the target phones. 
Optionally, the telephone may simply be swapped with an instrument that has been 
modified in advance. Power is then restored with the event being logged as a short 
power outage (usually during bad weather or construction work).

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

French Magistrate Targets Official Wiretapper

PARIS, May 28 (Reuters) - A man who headed France's official wiretap
unit has been placed under investigation in connection with illegal
eavesdropping carried out on orders of the late President Francois
Mitterrand's office, judicial sources said on Thursday.

Army Brigadier General Pierre Charroy, 63, was ordered placed under
investigation for complicity in invasion of privacy in his capacity as
head of the discreetly named Interministerial Control Group (GIC) under
Mitterrand, the sources said.

The GIC is officially entrusted with carrying out wiretaps on the orders
of magistrates in cases of espionage or serious crimes. The body is so
shrouded with secrecy that it is not known if Charroy still heads it.

Former Mitterrand aides acknowledged last year that the late president,
who ruled from 1981-1995, had ordered security officers attached to his
office to carry out illegal wiretaps on the telephone lines of lawyers,
journalists, politicians and at least one movie actress.

The justice sources said magistrate Jean-Paul Vallat suspected Charroy
of having aided the presidential wiretappers who acted without the
permission of magistrates, making their actions illegal.

Prime Minister Lionel Jospin pledged in last year's general election
campaign to end an era of "monarchical secrecy" if he came to power and
to lift the lid on cases like possible illegal wiretapping under
Mitterrand, with whom Jospin was on poor terms.

Jospin has since been accused of dragging his feet on the promise since
he became prime minister and judge Vallat has written to ask for his
help in his probes.

Some 15 former Mitterrand aides are under investigation and could face
possible trial in the case.

Mitterrand died in 1996, seven months after leaving office.

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

The following pages which contain TSCM equipment reviews have been 
updated and are now available:

http://www.tscm.com/tmdespect.html

http://www.tscm.com/tmdeantenna.html

http://www.tscm.com/fluke785.html

http://www.tscm.com/tmdenljd.html

http://www.tscm.com/tmdedemod.html

http://www.tscm.com/tmdeacous.html

http://www.tscm.com/tmdeanc.html

http://www.tscm.com/tmdeaux.html

http://www.tscm.com/tmdecraft.html

http://www.tscm.com/tmdephot.html

http://www.tscm.com/tmdephys.html

http://www.tscm.com/tmdescope.html

http://www.tscm.com/tmdesets.html

http://www.tscm.com/tmdetdr.html

http://www.tscm.com/tmdevehcl.html

http://www.tscm.com/tmdevideo.html

http://www.tscm.com/tmdevom.html

http://www.tscm.com/tmdevsa.html

http://www.tscm.com/intercept1.html

http://www.tscm.com/reioscor.html

http://www.tscm.com/spectan.html

http://www.tscm.com/tmde.html

http://www.tscm.com/training.html

http://www.tscm.com/trainingciv.html

http://www.tscm.com/traininggov.html

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Granite Island Group
Mission and Purpose Statement

Granite Island Group provides expert technical, analytical and research

capability for the detection, nullification, and isolation of eavesdropping 
devices, technical surveillance penetrations, technical surveillance 
hazards, and physical security weaknesses.

Detection: Measures taken to detect technical surveillance devices, 
technical security hazards, and physical security weaknesses that would

permit the technical or physical penetration of a facility.

Nullification: The process of neutralizing or negating technical devices 
employed by making the placement of such devices more difficult. This 
includes ensuring that a room is protected with adequate physical 
construction and security measures thus making the placement or use of

illegal listening devices ineffective.

Isolation: A method to deter, or make extremely difficult, the 
introduction of eavesdropping devices by establishing special security

areas, for the conduct of classified or sensitive activities. 


Granite Island Group also provides:

Vulnerability Analysis to provide senior management with guidelines for

the enhancement of security and reduction of the vulnerability of 
sensitive areas to the technical surveillance threat.

Design, Manufacture, and Sale of TSCM, signals intelligence, cryptographic, 
and related secure communications systems and devices.

Research and Development of technical systems, devices, and tradecraft

utilized by the intelligence community.

Development of Specialized Computer Software and Firmware.

Design and Installation of high performance computer networks and 
communications systems.

Disaster Preparedness Planning 

Intelligence Analysis and activities to determine the existence and 
capability of surveillance equipment being used against the United 
States Government, United States corporations, establishments, or 
persons. Special emphasis is given to detecting and countering espionage 
and other threats and activities directed by foreign intelligence services.

Specialized Training for those in sensitive positions concerning the 
threat of technical surveillance and the part they can play in the TSCM

program. This includes advanced training and seminars for TSCM teams and 
technical security personnel.

Closed Enrollment Training regarding technical security and protective

related issues.

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Copyright (c)1998 Granite Island Group. All Rights Reserved.




=======================================================================
Everybody's into computers... Who's into yours?
=======================================================================
James M. Atkinson                             Phone: (978) 546-3803
Granite Island Group - TSCM.COM
127 Eastern Avenue #291                        http://www.tscm.com/
Gloucester, MA 01931                               jmatk@tscm.com
=======================================================================
Do not try the patience of Wizards,
for they are subtle and quick to anger.
=======================================================================