1996-03-18 - Sample Codex Newsletter

Header Data

From: SpyKing <spyking@mne.net>
To: (Recipient list suppressed)
Message Hash: 9a1a1668db43feaa9451d21d4000b913b8a8f2e97531d1e8ccd9f26df3fb0334
Message ID: <9603172340.AA02237@mne.com>
Reply To: N/A
UTC Datetime: 1996-03-18 00:52:34 UTC
Raw Date: Mon, 18 Mar 1996 08:52:34 +0800

Raw message

From: SpyKing <spyking@mne.net>
Date: Mon, 18 Mar 1996 08:52:34 +0800
To: (Recipient list suppressed)
Subject: Sample Codex Newsletter
Message-ID: <9603172340.AA02237@mne.com>
MIME-Version: 1.0
Content-Type: text/plain


The Codex  Surveillance & Privacy Newsletter - Sample Issue Excerpts
Published monthly - 
Subscription Rate $95.00
Foreign Subscriptions: $135.00
The Codex is a hardcopy newsletter delivered by first class US mail.
Send Check or MO to:
Codex Publishing
286 Spring Street
New York, NY 10013
Tel: 212-989-9898
Fax: 212-337-0934

Every day we see or hear in the news, stories about electronic surveillance,
wiretapping, corporate espionage, computer hacking, etc. Ever wonder how
it's done? The Codex is a monthly newsletter published by Codex Publishing
of New York City. It was created by professionals in the field of electronic
surveillance, countermeasures, security, investigations and competitor
intelligence and will teach you all the inside "Tricks of the Trade".

Prior issues of the Codex have featured articles on:

How to TAP a telephone...How to BUG a room...How to intercept a CELLULAR
telephone conversation...
How to intercept a digital PAGER...How to HACK a web site...How to DECODE
telephone numbers off a tape recording...How to LISTEN into your home or
office when you're away on vacation...How to SEE into your home or office
when you're away on business...How to build a RED BOX for free phone
calls...How to DETECT an eavesdropping device planted in your home or
office...How to ACQUIRE personal & confidential information on anyone...

Future issues of the Codex will feature "How To" articles on:

Spying, Industrial Espionage, Competitor Intelligence, Emerging
Technologies, Privacy and How to get it, Computer Hacking, Telephone
Phreaking, Cons & Schemes, Insider tips on the Internet, Self Defense, Big
Brother, Encryption, Surveillance Devices, Privacy Equipment, Intelligence
Gathering Equipment and Sources of Confidential Information

One time reprint and excerpt rights automatically granted provided our name
and address is given. Enclosed is an abbreviated sample.

LETTER FROM THE EDITOR

Happy New Year to everyone and we sincerely hope 1996 brings you all good
fortune and everything you hope for. Be careful, you just might get it...

In response to the overwhelming requests for advertising rates and
information we have decided to accept limited advertising in 1996 and will
begin to accept advertising immediately.

Advertising will be limited to a full page at the nominal rate of $150.00
per issue with volume discounts of course.

We will travel shortly to New Zealand to attend "The Gathering Conference"
on information and communications security and will report our findings in
great detail in an upcoming issue of the Codex. "The Gathering" promises to
be an exciting and information bonanza with several of the top people in the
world attending and speaking on a variety of subjects of interest to us all.
We urge you to advise us if you have a security, computer or communications
function planned, as we will make every attempt to give the event coverage.
If we don't know about it...there's not much we can report.

We've got a wealth of info for you this month with a very interesting topic
on Web Site hacking. Seems the old rule applies, "Anything man can invent,
man can defeat." How long before this window is closed?

Don't forget...If there is a topic you would like to see covered, please
let us know and we'll do everything we can to get it done for you.

Enjoy this issue...we had fun doing it.

SpyKing

****************************************************************************

Nowhere to run...Nowhere to hide...
The vulnerability of CRT's, CPU's and peripherals to TEMPEST monitoring in
the real world.

Copyright 1996, All Rights Reserved


By Frank Jones
CEO
Technical Assistance Group
286 Spring Street
New York, New York 10013 USA
Tel: 212-989-9898
Fax: 212-337-0934
E-Mail: spyking@thecodex.com
URL: http://www.thecodex.com


George Orwell wrote the classic "1984" in 1949. He depicted a world in
which the government controlled its citizens and a world devoid of privacy.
Many of the things Orwell wrote almost fifty years ago have come to pass.

Surveillance technology has progressed to the point that it is possible to
identify individuals walking city streets from satellites in orbit.
Telephone, fax and e-mail communications can routinely be monitored.
Personal information files are kept on citizens from cradle to grave. There
is nowhere to run...nowhere to hide...

The advent of the personal computer has revolutionized the way we do
business, keep records, communicate and entertain ourselves. Computers have
taken the place of typewriters, telephones, fax and telex machines.

The Internet has opened up a new world of high speed and inexpensive
communications. How secure and private is it? There are many encryption
programs and hardware devices available for security purposes but what about
the computer terminal itself? How safe is it? What are its vulnerabilities?
Hackers have been known to cause mischief from time to time...Is it possible
for an adversary to snoop on your private data? Can Big Brother?

Suppose it was possible to aim a device or an antenna at your apartment or
home from across the street or down the block. Suppose you were working on a
confidential business project on your PC. Suppose that device down the block
could read what you were typing and viewing on the CRT? Feeling
uncomfortable? Suppose that device could monitor everything you do on your
computer by collecting electromagnetic radiation emitted from your
computer's CRT, CPU and/or peripheral equipment, reconstruct those emissions
into coherent receivable signals and store them for later review? Feeling
faint? Good. The technology exists...and it has for some time....

You don't have to worry about a "middle of the night" break-in by some
clandestine government black-bag team to plant a bug. They never have to
enter your home or office. Seedy looking private investigators or the
information warrior won't be found tampering with your telephone lines in
the basement either...it's not necessary...all they have to do is point an
antenna...safely, from a distance away...and collect your private data...

This surveillance technique has become known as TEMPEST monitoring. TEMPEST
stands for Transient Electromagnetic Pulse Standard. It is the standard by
which the government measures electromagnetic computer emissions and details
what is safe (allowed to leak) from monitoring. The standards are detailed
in NACSIM 5100A, a document which has been classified by the National
Security Agency. Devices which conform to this standard are called TEMPEST
certified.

In 1985, a Dutch scientist Wim van Eck published a paper which was written
about in the prestigious "Computers & Security" journal, "Electromagnetic
Radiation from Video Display Units: An Eavesdropping Risk?" Vol 4 (4) pp
269-286. The paper caused a panic in certain government circles and was
immediately classified as is just about all TEMPEST information. 

Wim van Eck's work proved that Video Display Units (CRT's) emitted
electromagnetic radiation similar to radio waves and that they could be
intercepted, reconstructed and viewed from a remote location. This of course
compromises security of data being worked on and viewed by the computer's
user. Over the years TEMPEST monitoring has also been called van Eck
monitoring or van Eck eavesdropping.

In 1990, Professor Erhard Moller of Aachen University in Germany published a
paper, "Protective Measures Against Compromising Electromagnetic Radiation
Emitted by Video Display Terminals". Moller's paper, which updated van Eck's
work in detail, also caused a furor.

The government's policy of TEMPEST secrecy has created a double edged sword.
By classifying TEMPEST standards, they inhibit private citizens and industry
by failing to provide the means of adequately shielding PC's and/or computer
facilities. There is an old saying, "You can't drive a nail without the
hammer". If concerned personnel don't know the minimum standards for
protection...how can they shield and protect? Shielding does exist which can
prevent individuals and companies from being victims to TEMPEST monitoring.
But without knowing the amount of shielding necessary...

Perhaps this is the way the government wants it...

My work has focused on constructing a countermeasures device to collect and
reconstruct electromagnetic emissions from CRT's, CPU's and peripherals to
diagnose emission levels and give security personnel a hands-on tool with
which they can safeguard their computer data.  

In testing my countermeasures device I concentrated on interception and
reconstruction of the three types of emitted electromagnetic radiation
written about in van Eck and Moller's work.

1. Electromagnetic radiation emitted from CRT's - similar to radio waves
2. Shell waves on the surface of connections and cables
3. Compromising radiation conducted through the power line

I found my greatest success (distance & quality) was in the collection of
emitted radiation from the CRT although we were equally successful in our
other experiments. In our opinion the greatest danger of TEMPEST monitoring
comes from off premises and we decided early on to concentrate in this area.
A workable countermeasures tool would give security personnel a handle on
distance from which compromising electromagnetic radiation could be
collected. Hopefully full countermeasures would then be implemented. 

This also is a double edged sword. The device I built albeit a
countermeasures tool...can be used as an offensive TEMPEST monitoring
device. My concerns however are that if such a device is not made available
to the private sector...then the private sector is at the mercy of the
information warrior using TEMPEST technology to gain an unfair advantage.

TEMPEST MONITORING...HOW IT WORKS

TEMPEST monitoring is passive. It cannot be detected. The computer emits
compromising radiation which can be reconstructed from a remote location.
There is no need to ever come near the target. No reason ever to go back to
change a faulty bug like the Watergate burglars...It can be performed from
an office or a vehicle with no chance of discovery. The premise is very simple.

All electronic devices emit some low level electromagnetic radiation.
Whenever an electric current changes in voltage level it generates
electromagnetic pulses that radiate invisible radio waves. Similar to the
ripples caused by dropping a small rock into a quiet pool of water. These
electromagnetic radio waves can carry a great distance. 

Computer monitors like televisions contain an electron gun in the back of
the picture tube which transmits a beam of electrons (electric current).
When the electrons strike the screen they cause the pixels to fluoresce.
This beam scans across the screen from top to bottom very rapidly in a
repetitive manner, line by line, flashing on and off, making the screen
light and dark, creating the viewed image. These changes in the high voltage
system of the monitor generate the incoherent signal that TEMPEST
monitoring equipment receives, reconstructs and views.

We have found that most monitors emit signals in the 20 to 250 MHz range
although harmonics are fairly strong and can be intercepted. Radiated
harmonics of the video signal bear a remarkable resemblance to broadcast TV
signals although various forms of sync must be restored.

Associated unshielded cabling can act as an antenna and increase
interception range. Emissions can be conducted down power cables and
supplies. Computers attached to unshielded telephone lines are easy prey as
the telephone line acts as an excellent antenna. Printers and their cables
are not immune either. The average computer setup in the home or office
could be compared to a base station transmitting its signals all over the
neighborhood.

Put quite simply, it is easy for someone with basic electronics knowledge to
eavesdrop on you, while you are using a computer. They might not be able to
steal everything from the hard disk but they can view anything you do....see
anything you see...

HOW IT'S DONE...THE COMPONENTS

A good commercial wide band radio receiver preferably designed for
surveillance (requires a little modification) with spectrum display.
Sensitivity and selectivity are paramount. Not all receivers will do the job
adequately.

Horizontal and vertical sync generator. Commercially available and will
require some modification.

Video Monitor with Shielded cables

Active Directional Antenna (phased antenna array) with shielded cables.
Think radio telescope.

Video tape recording equipment. For capture and later review.

WHAT WE WERE ABLE TO CAPTURE...

Bench testing of the unit was quite successful in and around the office.
Several computers were targeted and interception of the data was simple
after injecting and restoring vertical and horizontal sync. We had no
problem viewing computer screens on adjacent floors in the building (we were
sometimes hindered by noise) and were able to differentiate (to my surprise)
between different computers in a large office. We aimed our device out the
window across the street at an adjacent office building and were able to
view CRT screens without too much difficulty. 

I should mention here that during the field tests NO DATA WAS STORED FROM
TARGET COMPUTERS. We were not on an eavesdropping mission. We simply were
interested in testing OUR equipment not spying on others. 

Field testing of the unit was quite different and required continuing
manipulation of the equipment. From a vehicle in a suburban area we were
able to view active televisions inside homes (the cable/pay-per-view people
could have a field day) and what programs residents were watching. When we
came across homes with active computers we were able to view CRTs. Average
range was approximately 300 yards.

We continued to test the device in a suburb of New York City with startling
results. We were able to view CRT screens at ATM machines, banks, the local
state lottery machine in a neighborhood candy store, a doctor's office, the
local high school, the fire department, the local police department doing a
DMV license plate check, a branch office of a securities trader making a
stock trade and the local gas station tallying up his day's receipts. We
didn't expect that any of our "targets" would be TEMPEST certified and we
were correct.

BIGGER FISH IN A BIGGER POND

We took our DataScan device, as we named it, to New York City. The Big
Apple. We were interested in testing the integrity of various computer
facilities and also wanted to see how our device would operate in an urban
environment. 

Let me start off by saying New York is in a lot of trouble. We started at
Battery Park (the southern tip of Manhattan Island) and headed north to Wall
Street. The US Customs building leaks information as well as the Federal
Reserve. Wall Street itself was a wealth of information for anyone
interested. With hundreds of securities and brokerage companies located
within a few blocks of each other, all an information warrior need do is
rent an office with a view and aim his antenna. We were able to view CRT's
in MANY executive offices. 

The World Trade Center was fertile. It afforded open parking areas nearby
with millions of glass windows to snoop...we were most successful snooping
the lower floors from the street. We borrowed a friend's office at mid-tower
in the south building and were able to view CRT's in the north building easily.

We headed east towards the New York Post newspaper offices and read the
latest news off their monitors (which was printed the next day). We headed
north towards City Hall and NYPD Police Headquarters. Guess what? They're
not TEMPEST certified either...Neither is the United Nations, any of the
midtown banks, Con Edison (the power company) on First Avenue, New York
Telephone on 42nd Street or Trump Tower! Citicorp's computer center in the
SkyRink building on West 33rd Street was a wealth of information also...

We found that with the proper frequency tuning, antenna manipulation,
reintroduction of sync and vehicle location, we could monitor just about
anyone, anywhere, anytime. There is no doubt in my mind that TEMPEST
eavesdropping is here to stay and something that must be dealt with by
computer and security professionals.

Passwords, files, proprietary data and records are all vulnerable to the
information warrior using TEMPEST monitoring equipment in a non TEMPEST
certified world. 

POTENTIAL USERS OF TEMPEST MONITORING

Big Brother:

Yes, that's right. He does bug businesses. Sometimes with a court order and
sometimes without one. It's unclear under present American law whether or
not a court order would be needed to collect TEMPEST information. You never
know when Big Brother's on a witchhunt. Maybe he suspects you of being a tax
cheat, of insider trading, leftist sympathies, etc.  Remember Watergate?
Now, the FBI wants to be able to tap EVERY telephone, fax and data line in
America at the turn of a switch and they want US to pay for it...Using
TEMPEST technology they need never enter or come near your home or business.

Foreign Intelligence Services:

In the last days of the Bush Administration, the mission of the CIA was
partially changed to spy on foreign businesses and steal trade secrets in
response to the ever growing surveillance of American industry by foreign
competitors and foreign intelligence services. The Japanese are the worst.
Most of the Japanese students living and attending school in the USA are
economic trade spies. The French intelligence service regularly bugged ALL
the first class seats on AIR FRANCE flights to eavesdrop on traveling
foreign businessmen. EVERY foreign service in the world is involved in
corporate espionage to gain an economic advantage for their own companies.
Do you have a foreign competitor? Then the chances are good that a foreign
intelligence agency will spy on you. TEMPEST technology is becoming the
medium of choice.

The Activist:

Dedicated, yet misguided activists may wish to further their own cause by
releasing your private disclosures to the media. Every company circulates
confidential memos that would be embarrassing if released to the public.
TEMPEST technology makes corporate snooping simple.

The Dissident:

Dissidents want to damage more than your company's reputation. They may use
TEMPEST technology as a means of compromising your internal security,
valuable products and equipment, and even executive travel plans in order to
commit crimes against your person, family or property!

Financial Operators:

Unethical financiers can benefit greatly from prior knowledge of a company's
financial dealings. TEMPEST attacks can be mounted quickly and from a
distance with virtually no chance of discovery.

Competitors:

Competitors may seek to gain information on product development, marketing
strategies or critical vulnerabilities. Imagine the consequences of a
concerted TEMPEST attack on Wall Street. How much are you going to offer for
that stock next week? You need to buy how many shares for control?

Unions:

Unscrupulous union negotiators may use TEMPEST technology to gain knowledge
of a company's bargaining strategies and vulnerabilities. Is your company
having labor problems? Is your company involved in any type of
litigation or lawsuit with a union? Does your company have layoffs pending? 

Employees:

One of your company's employees might use TEMPEST technology on another to
further his own career and to discredit his adversary. It would be a simple
matter for an adversary to plant a mole in your company who could position
TEMPEST monitoring equipment in the right direction even though they might
not be allowed to enter a specific restricted area...

The Information Warrior:

Brokers may profit from selling your company's secrets to the highest
bidder, or maybe even to anyone who wants to know! Does your company have
stock that is traded publicly? Or will be soon? With TEMPEST technology
there is nowhere to run...nowhere to hide...Keep in mind that anybody with
money, power, influence, or sensitive information is at serious risk.

FINDINGS AND RECOMMENDATIONS

Using simple off-the-shelf components with minor modifications we were able
to monitor computer CRTs "at-will" in suburban and urban environments. We
did not recreate the wheel. The TEMPEST monitoring premise is simple and
anyone with a basic knowledge of electronics could construct such a device
and use it with impunity. 

Our DataScan device differs from earlier models because of the unique signal
amplification and directional antenna array used which we believe enhances
the collection process greatly.

It appears from our research that most individuals and companies do not use
TEMPEST certified equipment and most have never even heard of TEMPEST.

I believe the media should be made aware of the problem in hope that
publicity about potential TEMPEST attacks will force the government to
release the information necessary to allow private citizens and industry the
means to properly secure their proprietary data.

****************************************************************************

HACKING CELLULAR PHONES                                                         

It turns out that there are several Japanese handheld transceivers (HT's)
available in the US for use by ham radio hobbyists that have hidden
features allowing them to operate in the 800MHz band used by cellular
telephones. 

Using an FSK decoder chip and a personal computer running an assembly
language program to record and decipher the ID beeps at the beginning of
cellular calls, a "phone book" of cellular ID's can be compiled. A simple
FSK oscillator controlled by the PC can then be used to dial out using the
Handheld Transceiver and the captured ID codes.

A low tech analysis could be done by taping the beeps and playing them back
at slow speed into an oscilloscope. An edited tape may even be adequate for
retransmission; no deciphering required.

Several radio stores in New York sell the HT's and have given advice in the
past about how to access the hidden out-of-band tuning features in the ROMS
of the Japanese HT's. It's possible now to listen in to cellular phone
conversations without building any special hardware. In fact if you have a
good antenna, or live near a cellular repeater tower, you can pick up
cellular calls using a UHF TV with a sliding tuner by tuning in "channels"
between 72 and 83 on the UHF dial.

Beside the obvious benefits of unlimited, untraceable, national mobile voice
communication, there are other uses for cellular hacking. For instance: most
people using cellular phones are pretty upscale. It is possible to scan for
ID codes of the telephones of major corporations and their executives and
get insider stock trading information. Simply by logging the called and
calling parties you will be able to compile a database mapping out the
executive level command & communication structure. If this is linked to a
Vox operated tape deck you will know precisely what is going on and be able
to note any unusual activity, such as calls between the executives of
corporations that are in a takeover or leveraged buy out relationship. It is
even likely that you will occasionally intercept calls between investors and
their stock brokers, or calls discussing plans for new contracts.

This data is most safely used for insider trading of your own; there will be
no way that the Securities and Exchange Commission can establish a link
between you and the insiders. A more risky proposition would be to offer any
intelligence gathered to competitors for a price as industrial espionage.

Then there are the anarchy & disruption angles for cybernetic guerrilla
action at the corporate economic & financial level. Leaking info to the
press can kill a deal or move stock prices prematurely. Intelligence
gathered via cellular hacking can also be used to plan operations against
corporate mainframes by providing names and keywords, or indicating vital
information to be searched for. Listening to the phone calls of candidates
and their campaign staff is also a field rich in possibilities.  :)
+

****************************************************************************

WEB SITE HACKING

A friend of mine showed me a nasty little "trick" over the weekend. He went
to a Web Search server (http://www.altavista.digital.com/) and did a search
on the following keywords -
     
          root: 0:0 sync: bin: daemon:
     
You get the idea. He copied out several encrypted root passwords from
password files, launched CrackerJack and a 1/2 MB word file and had a root
password in under 30 minutes. All without accessing the site's server, just
the index on a web search server!
     
Well, the first thing I did was check my site and it's ok. The second thing
I did was check my ISP for my home account, and it's okay. But by trying
various combinations of common accounts on web searches, dozens of passwd
files were found.
     
It seems that a large number of locations who use httpd and ftpd on the same
server often copy the regular passwd file to ftp/etc or ftp-users/etc for
ftp user access. A few sites have left the root password in the file, and
many contain user accounts' passwords. The problems I see here are as follows:
     
1. You can get the passwd file in some cases by simply pointing your URL to
http://target.com/ftp/etc/passwd or http://target.com/ftp-users/etc/passwd.
Not good. Anon ftp can't get it but a web browser can. Many passwd files
are shadowed but you can see some legit account names. Yes, I realize that
this may be a dummy file but hey, not always the case.

2. Some sites do not have the passwd file world readable, but the entire
passwd file still exists indexed on the web search server. I don't know
about you, but I don't think I'd want my passwd file indexed and searchable
on a world accessible web server.   +
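
Added example (not part of the original newsletter): a defender-side audit for
the exposure described above. It walks a web document root, finds passwd-format
files such as ftp/etc/passwd, and rates each by whether it leaks password hashes
or only account names. The sample tree, account names and hash strings are
constructed, and mapping the document root to URL "/" is an assumption.

```python
import os
import tempfile

# Password-field values meaning "no hash stored here" (shadowed, locked, dummy).
PLACEHOLDERS = {"x", "*", "!", "!!", "*LK*", "NP"}
SEVERITY_RANK = {"critical": 0, "high": 1, "low": 2}


def parse_passwd_line(line):
    """Return (name, pw_field, uid) for a passwd(5)-shaped line, else None."""
    fields = line.rstrip("\r\n").split(":")
    if len(fields) != 7 or not fields[0]:
        return None
    if not (fields[2].isdigit() and fields[3].isdigit()):
        return None
    return fields[0], fields[1], int(fields[2])


def classify_file(path, max_lines=5000):
    """Return a finding dict if `path` looks like a passwd file, else None."""
    entries, total = [], 0
    try:
        with open(path, "r", encoding="latin-1") as fh:
            for line in fh:
                if not line.strip():
                    continue
                total += 1
                if total > max_lines:
                    break
                parsed = parse_passwd_line(line)
                if parsed:
                    entries.append(parsed)
    except OSError:
        return None
    # Require at least two entries and a majority of passwd-shaped lines,
    # so ordinary pages that merely contain colons are not reported.
    if len(entries) < 2 or len(entries) * 2 < total:
        return None
    hashed = [n for n, pw, _ in entries if pw and pw not in PLACEHOLDERS]
    empty = [n for n, pw, _ in entries if pw == ""]
    uid0_exposed = [n for n, pw, uid in entries
                    if uid == 0 and pw not in PLACEHOLDERS]
    if uid0_exposed:
        severity = "critical"   # superuser hash (or empty password) is readable
    elif hashed or empty:
        severity = "high"       # user hashes can be attacked offline
    else:
        severity = "low"        # shadowed or dummy file: account names only
    return {"accounts": len(entries), "hashed": hashed, "empty": empty,
            "uid0_exposed": uid0_exposed, "severity": severity}


def audit_docroot(docroot):
    """Walk the document root and return findings, most severe first."""
    findings = []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            full = os.path.join(dirpath, name)
            if not os.path.isfile(full):
                continue
            finding = classify_file(full)
            if finding:
                rel = os.path.relpath(full, docroot).replace(os.sep, "/")
                # Assumption: the document root is served as URL path "/".
                finding["url_path"] = "/" + rel
                findings.append(finding)
    findings.sort(key=lambda f: (SEVERITY_RANK[f["severity"]], f["url_path"]))
    return findings


def build_sample_docroot(base):
    """Write a constructed tree using the two layouts named in the text."""
    samples = {
        # Constructed entries; the 13-character strings are made-up stand-ins.
        "ftp/etc/passwd": "root:AbCdEfGhIjKlM:0:0:Admin:/:/bin/sh\n"
                          "daemon:*:1:1::/:\n"
                          "alice:NoPqRsTuVwXyZ:101:20:Alice:/home/alice:/bin/sh\n"
                          "guest::200:20:Guest:/home/guest:/bin/sh\n",
        "ftp-users/etc/passwd": "root:*:0:0:::\n"
                                "ftp:*:14:50:FTP:/:\n"
                                "bob:x:102:20:Bob:/home/bob:/bin/sh\n",
        "index.html": "<html><body>Welcome</body></html>\n",
    }
    for rel, text in samples.items():
        full = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="latin-1") as fh:
            fh.write(text)


def demo():
    """Audit the constructed tree and return the findings."""
    with tempfile.TemporaryDirectory() as base:
        build_sample_docroot(base)
        return audit_docroot(base)


if __name__ == "__main__":
    for f in demo():
        print(f["severity"].upper(), f["url_path"],
              "hashes:", f["hashed"], "empty:", f["empty"])
```

A "low" finding still matters for the second problem listed above: a file that was ever reachable may remain in a search index after it is removed from the server.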

****************************************************************************

MONITORING 900MHz SPREAD SPECTRUM

What's the current thinking on the security level of 900MHz digital spread
spectrum cordless phones? Clearly it's not a basic scanner job but how much
more equipment is needed to monitor one?

The easiest way to do this is to simply buy a similar phone which has all
the required signal processing hardware for that particular type of spread
spectrum and modify it to receive promiscuously and not transmit while doing so.

As far as I know, essentially no cordless phones use any kind of actual
secure encryption of the digital bit stream, so all you have to do is ensure
that your shadow phone is primed with the correct spreading sequence or hopping
sequence and is tuned to the right center frequency. Typically choices for these
are very limited (maybe 20 channels) and modifying the micro firmware in a phone
or base unit to search all possibilities is realistic, especially with the help
of an external PC as controller.

The digital 900 MHz phones all use different proprietary modulation schemes,
but many of them simply transmit an FSK or BPSK RF carrier digitally
modulated by the output bitstream of a codec chip (CVSD or regular u-law
PCM) on one of several randomly selected channels,  perhaps slowly hopping
from channel to channel in a fixed sequence.  Even the phones that use
direct sequence spreading are effectively just transmitting a fast BPSK
signal modulated at the chip rate.   Receivers and signal processing boxes
capable of dealing with this kind of digital modulation are a standard
commodity item in the spook world (made by Condor Systems and Watkins
Johnson and the like) and even sometimes show up on the high tech surplus
market (and are collected by some of us who collect high tech spook hardware
as a hobby).
They are, however, very expensive compared with simply modifying a couple of
real phones to do the job.

The digital modulation and "spread spectrum" features of 900 MHz phones are
primarily intended to allow them to share the 902-928 MHz band with all the
other users (other phones, truck tracking systems, short range wireless video
cameras and video distribution, various industrial users, wireless LANs of
several types, ham radio operators, and several other types of unlicensed
uncoordinated devices radiating up has plagued the older 46/49 MHz FM type.
The FCC in fact requires some level of spectrum spreading for this purpose
but leaves the actual choice up to the  implementor rather than establishing
a standard method.    Obviously only a secure form of encryption with
randomly  chosen and wide enough keys would really make intercepting a
digital cordless phone difficult for someone determined to do so, especially
if they were targeting one particular phone.  I believe almost all of the
manufacturers have chickened out in the face of NSA and ITAR and not even
implemented toy encryption with random keys - they are simply assuming that
Joe Sixpack or his 14 year old son won't be able to pick them up  on a
commercially available scanner and that the federal law banning sale of
scanners capable of intercepting digital transmissions and converting them
to analog listenable audio will keep the scanner companies from marketing
such and keep customers from complaining about nosey neighbors listening to
their calls. But don't assume that if someone really has some serious
reason, you can be certain that expensive ($5-$20K) DSP based systems
capable of  intercepting several common types are already for sale to the
usual suspects. And finally one should not forget that unless one has an
ISDN line, intercepting calls on regular analog subscriber loops (normal
telephone lines) by virtually undetectable simple alligator clip class
wiretaps or bugs is something that any bright 12 year old can pull off (and
many do before they grow up) - so if you have something to hide you
shouldn't trust the phone at all.     +

****************************************************************************

COMPUTER SECURITY FOR PRIVATE PEOPLE

Why should you worry about security?  The answer lies in the fact that
information has become an extremely marketable commodity. This commodity can
be stolen from you without your knowledge, causing sometimes devastating
harm to your business and personal life.  Sensitive information needs guarding.

Implementing a computer security program first requires you to determine
what data is truly sensitive.  The rule of thumb should be that any data,
improperly released, that could cause a loss equivalent to ten percent of
your annual net profit or mental hardship should be classified as sensitive.

METHODS OF ATTACK

Computer-based systems include all machine-readable files and auxiliary
items such as magnetic backup tapes, floppy disks, printer paper carbons,
and printer ribbons.  Common methods of attack include unauthorized copying
of files, hacking (unauthorized access to your system), between-the-lines
entry (using a logged in terminal while the user is away), and hard disk
surveillance (using a utility program to search for sensitive files on your
hard drive).  Wire taps or other methods may also be used to intrude on your
phone lines or view your monitor.

Imagine that you are holding an unlabeled floppy disk in your hand.  Can you
tell by eye what the disk contains?  No, you need a computer to do that.
How much information can a 720K disk hold?  Even a disk of that small
capacity holds more data than a regular size novel.  High density disks (1.2
MB) hold almost twice that amount.  When you give the DOS "Del a: *.*"
command for this disk, all of the files are completely erased from the disk
right?  Wrong! Any good utility program such as the Norton Utilities or
Lotus' Magellan can find those files and undelete them. 

Is copying files from a hard disk to a floppy a time consuming and complex
process?  No, even with relatively large files, it is a fairly simple and
quick procedure.  Using a program like Magellan, one would be able to pick,
choose, and sort files to copy very easily.

From the preceding questions, the following about floppy disks is evident:

1. Unless they are scanned by a computer, you cannot tell what files are on
them.  External labels may be incorrect or misleading.  Classification
labels can be removed.

2. Their data storage density is such that hundreds of sensitive files could
be walking out your door on a few microfloppies in someone's shirt pocket.

3. Floppies can retain sensitive files even when they look erased.

4. Floppies are easy to copy.  It is easy to copy files from hard disks to
floppies.  None of this requires any extensive computer knowledge.

Since floppy disks and the new 8mm magnetic tape backups for PC's have
extreme portability, rigid measures have to be taken to protect them and to
prevent unauthorized copying of your hard drive onto these media.  The
following would help:

a. While it is fine to keep your programs on hard disk, the sensitive data
files that they generate would be written to floppy disks.  These disks
could be backed up with another disk.  The originals should be locked up
onsite.  The backups should be securely stored offsite.

b. Make sure sensitive magnetic media have both an external label and an
internal electronic label designating their classification (the DOS LABEL
command can do this).

c. Use the DOS ATTRIBUTE command on sensitive files to set an electronic
switch so that the files cannot be accidentally erased.  Attributing sensitive
files on a disk also acts as a deterrent to someone grabbing a classified
disk, changing the external label, then doing a global DELETE on the disk so
they can remove it from the site under the guise of it being empty.  Later
they would UNDELETE the files using a file utility.

d. Employ password security on sensitive files.  WordPerfect 5.1 (and
higher) has the ability to place minimal password protection on files.
While the password (lockword) protection for WordPerfect is far from
foolproof, it, combined with the other security measures suggested, provides
a fairly decent perimeter of security.  There are software packages
available for PC's that can encrypt entire files.

e. Have a consistent backup procedure for all of your files.  Backup
sensitive files onto disks designated and labeled for that purpose.

f. Do not leave disks with sensitive files on them unattended or unsecured.
In large offices, require that authorized users of classified disks sign the
media in and out through a designated librarian.

g. Before sending a magnetic disk to someone, scan it with a file utility
program to ensure it has no deleted, but recoverable, sensitive files.  If
it does, reformat the disk, and then write the non-sensitive files to the disk.

h. Before trashing magnetic media, cut them up into little pieces.  For
damaged disks containing highly sensitive files, you may wish to use a
degausser on the disk first.
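
The check in item g (look for deleted but still recoverable files before a disk leaves your hands) can be run against a FAT12 floppy image. This is an added example, not part of the original newsletter; the sample image, file names and function names are constructed for illustration.

```python
import struct

SECTOR = 512
# Boot sector fields at offset 11: bytes/sector, sectors/cluster, reserved sectors,
# FAT copies, root entries, total sectors, media byte, sectors per FAT.
BPB = "<HBHBHHBH"

def dir_entry(name, ext, attr, cluster, size):
    """Pack one 32-byte FAT directory entry (8.3 name, attribute, start cluster, size)."""
    raw = bytearray(32)
    raw[0:11] = (name.ljust(8) + ext.ljust(3)).encode("ascii")
    raw[11] = attr
    struct.pack_into("<HI", raw, 26, cluster, size)
    return raw

def build_sample_image():
    """Constructed sample: the first 20 sectors of a 720K floppy with one deleted file."""
    img = bytearray(20 * SECTOR)
    struct.pack_into(BPB, img, 11, SECTOR, 2, 1, 2, 112, 1440, 0xF9, 3)
    # FAT entries 0-1 are reserved, cluster 2 is end-of-chain, cluster 3 is free.
    img[SECTOR:SECTOR + 6] = bytes([0xF9, 0xFF, 0xFF, 0xFF, 0x0F, 0x00])
    root = 7 * SECTOR
    img[root:root + 32] = dir_entry("README", "TXT", 0x20, 2, 11)
    gone = dir_entry("PAYROLL", "WK1", 0x20, 3, 19)
    gone[0] = 0xE5  # deletion only overwrites the first byte of the name
    img[root + 32:root + 64] = gone
    img[14 * SECTOR:14 * SECTOR + 11] = b"hello world"
    img[16 * SECTOR:16 * SECTOR + 19] = b"salaries: 1996 list"  # data is left behind
    return img

def fat12_entry(img, fat_off, n):
    """Read the 12-bit FAT entry for cluster n (two entries share three bytes)."""
    pair = struct.unpack_from("<H", img, fat_off + n * 3 // 2)[0]
    return pair >> 4 if n & 1 else pair & 0x0FFF

def find_deleted_entries(img):
    """List deleted root-directory entries and whether their first cluster still holds data."""
    bps, spc, reserved, nfats, nroot, _total, _media, spf = struct.unpack_from(BPB, img, 11)
    fat_off = reserved * bps
    root_off = (reserved + nfats * spf) * bps
    data_off = root_off + (nroot * 32 + bps - 1) // bps * bps
    findings = []
    for i in range(nroot):
        e = img[root_off + 32 * i:root_off + 32 * (i + 1)]
        if e[0] == 0x00:          # never-used entry: end of directory
            break
        if e[0] != 0xE5 or e[11] & 0x08:   # skip live files and volume labels
            continue
        cluster, size = struct.unpack_from("<HI", e, 26)
        name = "?" + e[1:8].decode("ascii", "replace").rstrip()
        ext = e[8:11].decode("ascii", "replace").rstrip()
        start = data_off + (cluster - 2) * spc * bps
        # Recoverable if the cluster was not reallocated and was not overwritten.
        recoverable = (cluster >= 2
                       and fat12_entry(img, fat_off, cluster) == 0
                       and any(img[start:start + spc * bps]))
        findings.append({"name": f"{name}.{ext}" if ext else name,
                         "size": size, "recoverable": recoverable})
    return findings

if __name__ == "__main__":
    for f in find_deleted_entries(build_sample_image()):
        print(f)
```

A disk is clean for this check only when the function returns no entry marked recoverable.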

By not keeping sensitive files on your hard disk, you go a long way toward
computer security.  However, you should also consider the importance of not
leaving 

a secure place (such as a locked drawer in their desk).  At the end of the
day, all classified media must be returned to the central library to be
locked up.  Also, auxiliary items such as spent carbons, printer ribbons,
printouts, and damaged magnetic media should be securely stored until
disposed of.  Sensitive computer printouts should be shredded and intermixed
with non-sensitive shredded documents prior to disposal.

OTHER COMPUTER DEFENSES

You may decide to use integrated software security packages such as Norton
Disklock.  These, among other packages, offer hard disk lockdown, file
lockword protection, temporary keyboard lockdown, and some security audit
trails.  The best defense though is not to put all your eggs in one basket.
One can install security software on their computer and still keep sensitive
files on securely locked away floppies.  In fact, it might behoove you to
place "decoy" sensitive files behind your security software defense.  Decoy
files look like they contain valuable, sensitive information, but in
reality, behind their technical appearance, they have no useful secrets.
These types of files can be "trapped" with information which, if it becomes
public, would be harmless, but would tell you of a penetration or
compromise.  This method can be called the "False Fortress" defense.  A TSCM
(or Technical Surveillance Countermeasures) expert should be consulted if
there is a possibility of someone wanting your data so badly that they would
resort to illegal tapping or otherwise tampering with your phone lines or
remotely viewing your monitor (yes it can be done).
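
One way to "trap" decoy files as described above, shown as an added example that is not part of the original newsletter: each decoy carries a harmless reference number derived with an HMAC from a secret key and the decoy's location, so a number that surfaces outside tells you which decoy was taken. The key, the decoy IDs and the "ACCT-" format are constructed assumptions.

```python
import hashlib
import hmac
import re

MARKER_RE = re.compile(r"ACCT-\d{10}")

def trap_marker(key: bytes, decoy_id: str) -> str:
    """Derive a plausible-looking but meaningless reference number for one decoy."""
    digest = hmac.new(key, decoy_id.encode(), hashlib.sha256).digest()
    number = int.from_bytes(digest[:8], "big") % 10**10
    return f"ACCT-{number:010d}"

def make_decoy(key: bytes, decoy_id: str) -> str:
    """Build decoy file contents: technical in appearance, no real secrets inside."""
    return (
        "CONFIDENTIAL - client settlement ledger\n"
        f"Escrow reference: {trap_marker(key, decoy_id)}\n"
        "Balance on deposit: 48,200.00\n"
    )

def identify_leaks(key: bytes, decoy_ids, surfaced_text: str):
    """Return the decoy IDs whose trap marker appears in text found outside the system."""
    expected = {trap_marker(key, d): d for d in decoy_ids}
    hits = []
    for candidate in MARKER_RE.findall(surfaced_text):
        for marker, decoy_id in expected.items():
            if hmac.compare_digest(candidate, marker) and decoy_id not in hits:
                hits.append(decoy_id)
    return hits

if __name__ == "__main__":
    key = b"constructed-demo-key"                      # keep the real key offline
    decoys = ["office-pc:LEDGER.DOC", "laptop:LEDGER.DOC"]  # constructed IDs
    leaked = "seen in a competitor's memo:\n" + make_decoy(key, decoys[1])
    print(identify_leaks(key, decoys, leaked))
```

Because every copy of the decoy has its own number, a hit also narrows down which machine or disk was penetrated.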

POINTS TO REMEMBER

1. When the terms "lock" or "locked up" are used for storage areas, we mean
locks or safes that can withstand a physical attack of at least one to two
hours of duration.

2. Do not make it easy for an information thief by placing signs in your
office on where sensitive materials are stored.

3. Keep access to sensitive information by your coworkers and associates on
a need-to-know basis.

SUMMARY

Your computer security will be good only if you use a comprehensive plan.
Each defense must be adequate.  It does little good if the password to a
sensitive file is your first name.  Learn to think like an information
thief, and you will have less chance of being victimized by one.

If you think that there is no possibility of anyone attempting to use covert
methods to steal information from you...think again! In today's high-tech
world, secrets are increasingly at a premium.         +

*************************************************************************************
*************************************************************************************

THE USE OF VOICE MAILBOXES BY TELEPHONE PHREAKERS

For the past few years the use of voice mailbox systems in the USA has been
increasing. Voice mailbox systems must be divided into two different types:
Toll-free voice mailbox systems used by many types of companies, and voice
mailbox systems from companies providing party lines, dating lines and
other, mostly expensive, services.  Normally a phreaker will primarily
select the toll-free voice mailbox system.  If no toll-free voice mailbox is
available he probably has the knowledge and the technical capability to call
a voice mailbox of a service provider in an illegal toll-free way. The
problem, however, is not which voice mailbox system he will call, but how he
will use it.

To understand how to misuse a voice mailbox system, the basic system use
must be understood. A voice mailbox is like a house. When you enter the
house your host welcomes you. The host in this case is a voice menu
explaining all the functions of the system. To choose one of these functions
you just have to press the corresponding button of the key-pad. Having made
a selection you will leave the entrance and enter a "room". Each room is
dedicated to a special topic. Topics can be live discussions with as many
people as are in the room, public message areas, private message areas,
playing a game, etc. A large voice mailbox system can have more than 100
different "rooms".  If the number is not toll free, the phreaker uses
techniques to call the voice mailbox system free of charge anyway. If the
voice mailbox is interesting, easy to hack and fits his needs, the phreaker
has a lot of uses for such a system. It has been evidenced by court trials
that phreakers use voice mailbox systems as their "headquarters", to meet,
to discuss, to have conferences with up to 20 persons participating at the
same time, to leave messages to other phreakers or to deposit and share
knowledge.  They waste system resources without paying for it. It is also
interesting to see how the phreakers used system resources.  

As mentioned above, a voice mailbox is like a house, a house with
easy-to-pick or no locks in the doors. The business of the service provider
requires the voice mailbox to be easy to use without big security
installations. The voice mailbox must be an open house for everybody, and
that makes it easy for the phreaker. First a phreaker will look for hidden
functions in the voice mailbox. Hidden functions are normally used to
reprogram the voice mailbox from a remote location. Commonly, hidden
functions are available to increase the security level of certain rooms and
for creating new rooms with new possibilities and features. With knowledge
of the hidden functions of a system, the phreaker can create new rooms for
meetings with other phreakers, and he is able to raise the security level of
such rooms so that only insiders can gain access. Increasing the security
level means assigning an access code to a room.  

Without knowledge of the access code the room cannot be entered. Thus, he is
able to create a voice mailbox inside the voice mailbox for a closed user
group, "Entrance for phreakers only". This voice mailbox for phreakers can
be used to post calling card numbers, private messages for other phreakers,
the newest access codes for other voice mailbox systems, the newest tricks
on how to cheat the telephone system, etc. All that owners of voice mailbox
systems can do is watch the traffic inside their systems and look for
changes such as new rooms suddenly appearing. From a practical point of view
it is very difficult to increase the security of a voice mailbox without
causing problems for paying users. In case of misuse it is necessary to
co-operate with a security expert and the local authorities to limit
financial losses.                    +
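
The monitoring the article recommends (watching for rooms that suddenly appear or acquire an access code) can be automated against an audit export. This is an added example, not part of the original newsletter; the "time|event|room|caller" log format, the event names and the room numbers are hypothetical and constructed here, since real voice mailbox systems differ.

```python
from collections import defaultdict

# Constructed baseline: rooms the operator provisioned (room id -> has access code).
BASELINE = {"100": False, "110": False, "120": True}

# Constructed audit log lines in the hypothetical export format.
SAMPLE_LOG = """\
1996-03-01T02:10|ROOM_CREATED|731|line-07
1996-03-01T02:12|CODE_SET|731|line-07
1996-03-01T02:30|ENTER|731|line-03
1996-03-01T02:31|ENTER|731|line-09
1996-03-01T09:00|ENTER|100|line-02
1996-03-01T09:05|CODE_SET|110|line-04
"""

def audit_rooms(baseline, log_text):
    """Flag rooms absent from the baseline and rooms that gain an access code."""
    has_code = dict(baseline)
    callers = defaultdict(set)
    alerts = []
    for line in log_text.splitlines():
        fields = line.strip().split("|")
        if len(fields) != 4:
            continue  # ignore malformed lines rather than guessing
        when, event, room, caller = fields
        if event == "ROOM_CREATED":
            if room not in baseline:
                alerts.append((when, "NEW_ROOM", room))
            has_code.setdefault(room, False)
        elif event == "CODE_SET":
            # A room that was open and is now locked is the "closed user group" sign.
            if not has_code.get(room, False):
                alerts.append((when, "CODE_ASSIGNED", room))
            has_code[room] = True
        elif event == "ENTER" and room not in baseline:
            callers[room].add(caller)
    return {
        "alerts": alerts,
        # Distinct callers seen in each unprovisioned room: who to look at next.
        "unknown_room_callers": {r: len(c) for r, c in callers.items()},
    }

if __name__ == "__main__":
    report = audit_rooms(BASELINE, SAMPLE_LOG)
    for alert in report["alerts"]:
        print(alert)
    print(report["unknown_room_callers"])
```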

************************************************************************************
************************************************************************************
COUNTERFEITING MONEY

This information is provided for informational purposes only to familiarize
security and law enforcement personnel with one method of counterfeiting
money.  Before reading this article, it would be a very good idea to get a
book on photo offset printing, for this is the method used in counterfeiting
US currency. If you are familiar with this method of printing,
counterfeiting should be a simple task. Genuine currency is made by a
process called "gravure", which involves etching a metal block. Since
etching a metal block is impossible to do by hand, photo offset printing
comes into the process. 

Photo offset printing starts by making negatives of the currency with a
camera, and putting the negatives on a piece of masking material (usually
orange in color). The stripped negatives, commonly called "flats", are then
exposed to a lithographic plate with an arc light plate maker. The burned
plates are then developed with the proper developing chemical. One at a
time, these plates are wrapped around the plate cylinder of the press. The
press to use should be an 11 by 14 offset, such as the AB Dick 360. Make 2
negatives of the portrait side of the bill, and 1 of the back side. 

After developing them and letting them dry, take them to a light table.
Using opaque on one of the portrait sides, touch out all the green, which is
the seal and the serial numbers. The back side does not require any
retouching, because it is all one color. Now, make sure all of the negatives
are registered (lined up correctly) on the flats. By the way, every time you
need another serial number, shoot 1 negative of the portrait side, cut out
the serial number, and remove the old serial number from the flat replacing
it with the new one. Now you have all 3 flats, and each represents a
different color: black, and 2 shades of green (the two shades of green are
created by mixing inks). Now you are ready to burn the plates. Take a
lithographic plate and etch three marks on it. 

These marks must be 2 and 9/16 inches apart, starting on one of the short
edges. Do the same thing to 2 more plates. Then, take 1 of the flats and
place it on the plate, exactly lining the short edge up with the edge of the
plate. Burn it, move it up to the next mark, and cover up the exposed area
you have already burned. Burn that, and do the same thing 2 more times,
moving the flat up one more mark. Do the same process with the other 2 flats
(each on a separate plate). Develop all three plates. You should now have 4
images on each plate with an equal space between each bill.

The paper you will need will not match exactly, but it will do for most
situations. The paper to use should have a 25% rag content. By the way,
Disaperf computer paper (invisible perforation) does the job well. Take the
paper and load it into the press. Be sure to set the air, buckle, and paper
thickness right. Start with the black plate (the plate without the serial
numbers). Wrap it around the cylinder and load black ink in. Make sure you
run more than you need because there will be a lot of rejects. Then, while
that is printing, mix the inks for the serial numbers and the back side. You
will need to add some white and maybe yellow to the serial number ink. You
also need to add black to the back side. 

Experiment until you get it right. Now, clean the press and print the other
side. You will now have a bill with no green seal or serial numbers. Print a
few with one serial number, make another and repeat. Keep doing this until
you have as many different numbers as you want. Then cut the bills to the
exact size with a paper cutter. You should have printed a large amount of
money by now, but there is still one problem; the paper is pure white. To
dye it, mix the following in a pan:  cups of hot water, 4 tea bags, and
about 16 to 20 drops of green food coloring (experiment with this). Dip one
of the bills in and compare it to a genuine US bill. Make the necessary
adjustments, and dye all the bills. Also, it is a good idea to make them
look used. For example, wrinkle them, rub coffee grinds on them, etc.

As before mentioned, unless you are familiar with photo offset printing,
most of the information in this article will be fairly hard to understand.
Along with getting a book on photo offset printing, try to see the movie "To
Live and Die in LA". It is about a counterfeiter, and the producer does a
pretty good job of showing how to counterfeit. A good book on the subject is
"The Poor Man's James Bond".

If all of this seems too complicated to you, there is one other method
available for counterfeiting: The Canon color laser copier. The Canon can
replicate ANYTHING in vibrant color, including US currency. But, once again,
the main problem in counterfeiting is the paper used. 

This data is provided for informational purposes only.  Counterfeiting is
illegal and you will be arrested if caught. +

************************************************************************************
************************************************************************************

HOME BREW HERF DEVICE

We coined HERF (High Energy Radio Frequency) as a generic term to mean a
device that can interfere with a computer or communications system
operation. Simply, since a computer is electronic in nature, it both emits
low level radiation and is susceptible to external interference.  For
example, when your cell phone goes haywire on a bridge or in a tunnel, it
is caused by interference.  In this case the interference is passive.  The
metallic structures 'suck-up' and disperse the transmissions and you get nada.

Or, in the days of roof antennas, a pigeon would cause TV reception to
falter just as a lightning storm could make the screen go blank for a few
seconds. (With cable it's a few hours.)

A computer is just as susceptible to interference, except that more
power is required to cause a system failure or 'crash'.  It is no
surprise that surge protectors are designed to keep power line spikes from
affecting a computer . . . a so called natural phenomenon.  Not man made .
. . just part of the power grid.  We have all learned that certain
integrated circuits (IC's or chips) will self-destruct if we touch
them after walking on a carpet on a dry day.  The discharge of static
electricity is large enough to break down the silicon barrier on the chips
and Voila! No more chip . . . no more working computer. It should be no
surprise then that a non-natural, or man made electrical discharge would
have similar results. And they do. The object, on the part of certain in
the military, is to create an arsenal of non-lethal weaponry.  And they are
doing it.

The concept of particle beam weapons as part of Star Wars (SDI) relied
upon focussed high energy beams that would destroy their electronic
targets.  Ground based systems have been tested at the regular weapons
places like Los Alamos et al with varying degrees of success. Remember, the
military requirements are generally an order of magnitude more rigid, so
from their standpoint, the technology isn't there yet. For example, one
mission goal would be: create a system that can force an uncooperative
pilot to make a landing.  Drug running is a good example.  By targeting
the avionics and communications of the target aircraft, the policing
airplane would successively disable systems until the plane either
landed or . . . well it is a big ocean.  But conventional explosives
would be unnecessary and the pilot would have been an unfortunate victim
of a 'plane that ran out of gas.'

HERF weapons can be operated over a wide range of frequency  with  a
corresponding  set  of pros, cons  and  functional  tradeoffs: distance,
dispersion, penetration, reflection . . .  all  pretty  basic stuff for a
first year engineering student.  

Some businesses located on sightlines near airports have experienced
periodic computer malfunction . . . with no apparent source  or  readily
observable villain.  But, it turns out that the  high  power  radar  systems
have been responsible in many  cases.   The  high  frequency (above 1GHz)
radar signals penetrate most  structures,  are focussed and can crash a
computer network in a  split second.   Having  unexplained system crashes?
Look  for  outside influence. There are ways to identify certain power
sources. Until  recently  I thought that HERF guns or their brethren  HPM
(High  Power  Microwave) devices were a military  and  laboratory reality,
and in the future they would migrate into the hands of the 'bad guys'.  I
was wrong.

It's  pretty  obvious that the hobbyist with a  few  dollars  can purchase
a  surplus radar system from the  U.S.  Government  for pennies  on the
dollar.  Make a few modifications and BINGO,  you got yourself a pretty
potent electronic weapon. But  it was not so obvious that HERF guns had
already evolved  to street  technology  - where the home brew hobbyist  can
put  one together from spare parts. We made one.  

The device was ostensibly built as an electronics project for giggles.
If you build up a large electric high voltage field, the air around the
point of electrical build up can ionize and actually glow. The familiar
experiments with Van de Graaff generators and Tesla coils create long spiky
lightning-bolt shaped electrical discharges that are most impressive.
But another phenomenon of sustained high voltage fields is known as
St. Elmo's Fire which World War II fighter pilots and North Atlantic seamen
report as balls of lightning that can dance or follow a plane or a ship.
Last year, some friends and I were trying to come up with a unique window
decoration for Christmas. We put nails around the window frame,
attached the right wires, added a few more gizmos and waited for St. Elmo's
Fire to provide a ghostly glow in the darkness.

But, in our experimentation with the device, we found that if we discharged
the voltage field in a short We also found that the discharges could cause
computers  up to  a  couple of hundred yards away to also feel the  effects
of my St. Elmo's toy.  Admittedly curious, we played with  the circuits and
wanted to see just how much of an effect my home-brew efforts could have.
We contacted friends in Australia and asked to listen to certain frequencies
on their short wave radio.  It turned out that every time the device was
quickly discharged, sufficient  energy was released in a short period of
time to be 'heard' 14,000 miles away.

Our HERF gun is astonishingly simple.  Mounted on a  piece  of wood  about
12" square sits the power transformer, rectifier  and storage capacitors.
(This is also known as a power supply.)

A  heavy gauge (4 or 6) wire runs from the plywood circuits to  a long  tube
with a 1/2" thick metal bar on the end.   Inside  the tube  is  another
circuit, this one purloined  from  a confidential source. This circuit is
generically known as  Jacob's Ladder or a high voltage multiplier. It takes
the input voltage from the power supply (of a couple thousand volts for
example) and  brings it to perhaps millions of volts.  Or,  lower  voltage
and higher current.  Ohm's law applies.

A one microsecond pulse of 2.5 Megawatts is emitted every time it is fully
charged. That's the equivalent of 100 amps at 25,000 volts, or 10 amps  at
250,000  volts.  The  circuit performance can  be  enhanced  very easily I
believe. Just put a tuned coil as the output load and a resonance  will
increase the power in a focussed  range  by  a factor of 10. Twenty five
Megawatt pulses are trivial.

The dispersion pattern is uncontrolled to say the least. Omnidirectional is
an understatement. When we designed it we were not interested  in  focussed
damage . . . but the  resultant  local  computer outages were a source of
entertainment. For us. Frequency and directionality are inversely
proportional and  with  a  little engineering, a more usable system is on
the horizon. All  for the price of a few parts from Radio Shack and Ed's
Electrical Junk Store. The principle behind HERF guns is simplicity itself
and they have arrived  a lot sooner than any of us.       +

There's a LOT MORE in every issue of the Codex. Subscribe today. Don't miss
an issue...

Check out our WEB SITE - The Codex Privacy Page
URL: http://www.thecodex.com

The Codex Surveillance & Privacy Newsletter
DataScan - Diagnostic TEMPEST Evaluation System
Design and Fabrication of Specialized Systems
Technical Surveillance CounterMeasures  (TSCM)
Forensic Audio Restoration & Audio Tape Enhancement  

Thread