1997-01-31 - Intelligence Update (fwd)

Header Data

From: azur@netcom.com (Steve Schear)
To: cypherpunks@toad.com
Message Hash: e1f1f3028dba9668f1108db997478abfff6b9205e9901082b06a70957aade77c
Message ID: <v02140b02af1731478ad4@[10.0.2.15]>
Reply To: N/A
UTC Datetime: 1997-01-31 07:08:41 UTC
Raw Date: Thu, 30 Jan 1997 23:08:41 -0800 (PST)

Raw message

From: azur@netcom.com (Steve Schear)
Date: Thu, 30 Jan 1997 23:08:41 -0800 (PST)
To: cypherpunks@toad.com
Subject: Intelligence Update (fwd)
Message-ID: <v02140b02af1731478ad4@[10.0.2.15]>
MIME-Version: 1.0
Content-Type: text/plain


>Update on Bugging Devices
>=================================================
>
>0.902 - 0.928 ghz - Popular Commercial FH/DS Devices
>1.710 - 1.755 ghz - DEA Audio/Video Bugs (over 1400 bugs purchased in 1995)
>1.710 - 1.755 ghz - DOJ Audio/Video Bugs (.25 to .50 watts)
>1.710 - 1.850 ghz - Treasury Video Surveillance Systems
>2.400 - 2.484 ghz - Popular Commercial FH/DS Devices
>4.635 - 4.660 ghz - Treasury Video Surveillance Systems
>
>Most recently purchased gvt microwave surveillance gear seems to be running
>between 900mhz to 5ghz, with a few systems operating on the 7/8 ghz bands.
>
>Also, keep in mind that the pros love to use ultra low power devices which
>use the power lines as the transmission medium/antenna (9khz to 300 mhz).
>Devices typically operate below 10mw, often below 1mw. The devices
>typically use Wide FM and use voice inversion encryption... VERY easy to
>demodulate.
>
>Note: According to a recently obtained DOJ surveillance training manual:
>
>"The typical range for the 28 ghz devices is six miles, the typical range
>of the 2.4 ghz is thirty miles, and the typical range for the 1.7ghz  is 44
>miles."
>
>"... frequency modulated applications should operate below 3 ghz to take
>advantage of the favorable frequency propagation characteristics of that
>part of the spectrum."
>
>"...Frequency Hopping and Direct Sequence Devices spead spectrum devices
>should operate above 1.5 ghz, this will prevent the emissions from being
>detected by electronic countermeasures."
>
>The most popular surveillance reciever used covers 9khz (for CC/VLF) up to
>9ghz, so be sure to cover AT LEAST those bands.
>
>=================================================
>
>All TSCM people have heard about AID devices, but few know the actual freq
>they use, or what they look like.
>
>The devices are VERY popular with the law enforcement crowd, private
>investigators and corporate security types. The equipment is VERY overpriced,
>and the fairly easy to detect.
>
>AID bills itself as "The World's Largest Manufacturer of Electronic
>Intelligence Equipment and Specialized Protective Systems"
>
>AID was founded in 1970, and was sold in 92/93 to Westinghouse (Westinghouse is
>currently selling TONS of equipment to the DEA and State dept)
>
>AID - Westinghouse/Audio Intelligence Devices, Inc. Bug Freqs
>
>135 MHz - 150 MHz  Special Order/Secondary Band
>150 MHz - 174 MHz  Standard/Primary Band (Most Popular)
>216 MHz - 220 MHz  Special Order
>400 MHz - 470 MHz  UHF Repeaters
>
> 21 MHz -  80 MHz  Very Low Power WFM (.5mw - 10mw)  Special Order Only
> 36 MHz -  39 MHz  Very Low Power WFM (.5mw - 50mw)  ***Very Dangerous***
> 80 kHz - 200 kHz  "Line Carrier" Microphone Systems ***Very Dangerous***
> 30 kHz - 700 kHz  Spread Spectrum Current Carrier Devices
>
>1700MHz - 1900MHz  25-250mw Video and audio bugs (Mostly DEA/DOJ stuff)
>2400MHz - 2484MHz  25-250mw Video and audio bugs
>
>If the signal is "scrambled" it is nothing more than simple voice inversion,
>a circuit to "de-scramble" costs around $20.
>
>Note: AID devices are often re-tuned for outband channels... so be careful.
>
>The area of spectrum from 15MHz to 500MHz is the primary threat, 500MHz to 3GHz
>is the secondary threat, a "line carrier" threat is from 30kHz to 750kHz.
>
>If the person planting the bug suspects that a TSCM inspection may be
>conducted then AID suggests a frequency between 30MHz to 50MHz,
>sensitivity of rcvr should be better than .18uv/-122dbm. The mode is
>usually wideband FM.
>
>Also, keep in mind that AID devices are frequently used for illegal buggings,
>so be familiar with their realistic specs, expect power outputs well under
>50mw, and expect to see the AC power circuits being used as the antenna.
>
>Note: Mike Langley at NIA advises that AID/NIA/Westinghouse is totally
>shutting down all TSCM training, at that they have cancelled the production
>of all TSCM products effective 1 Jan 97.
>
>=================================================
>
>Several devices were recently found at a DOE facility on Long Island,
>details are a bit sketchy, but initial information indicates that a
>defecting  middle-eastern FIS agent provided a list of locations within
>several DOE facilties that were being targeted.TSCM inspection (not
>performed by DOE) located several devices. Facility/lab working on designs
>for triggering mechanisms... very interesting incident.
>
>=================================================
>
>HDS - Household Data Services
> 50.000 - 750.000 kHz   Carrier Current Audio System
>120.000 - 400.000 kHz   Carrier Current Audio System
>138.000 - 174.000 MHz   Wireless microphone/Body Wires (8KR Series .1 to 30 mw)
>150.000 - 174.000 MHz   Wireless microphone/Body Wires (ATX Series .1 to 30 mw)
>174.000 - 230.000 MHz   Wireless microphone/Body Wires
>350.000 - 440.000 MHz   Audio/Video Transmitters (360-440 popular)
>470.000 - 608.000 MHz   Audio/Video Transmitters
>570.000 - 928.000 MHz   Audio/Video Transmitters (Spread Spectrum Popular)
> 1,000  -  1,500 MHz    Low Power Audio/Video Transmitter (10-100mw max)
> 1,425  -  1,450 MHz    Low Power Audio/Video Transmitter (10-100mw max)
> 1,700  -  2,700 MHz    Audio/Video Transmitters 2.4-2.5 hot (10-100mw max)
> 1,710  -  1,900 MHz    Audio/Video Transmitters (10-100mw max) ** HOT **
> 6,425  -  7,125 MHz    Low Power Audio/Video Transmitter (10-100mw max)
> 8,100  -  8,700 MHz    Audio/Video Transmitter, 8.2/8.5 popular (10-100mw max)
>10,200  - 10,700 MHz    Audio/Video Transmitter, 10.5 popular (10-100mw max)
>17,700  - 19,700 MHz    Low Power Audio/Video Transmitter (10-100mw max)
>20,000  - 24,600 MHz    Low Power Audio/Video Transmitter (10-100mw max)
>
>=================================================
>
>Sony - Wireless Microphones and Body Wires
>470.000 - 489.000 MHz   2.5mw - 20mw, WFM (110kHz), Ultra low power
>770.000 - 782.000 MHz   2.5mw - 10mw, Ultra low power - Chnl 64
>782.000 - 794.000 MHz   2.5mw - 10mw, Ultra low power - Chnl 66
>794.000 - 806.000 MHz   2.5mw - 10mw, Ultra low power - Chnl 68
>770.000 - 810.000 MHz   2.5mw - 20mw, WFM (110kHz), Ultra low power
>902.000 - 928.000 MHz   2.5mw - 20mw, WFM (110kHz), Ultra low power
>947.000 - 954.000 MHz   2.5mw - 20mw, WFM (110kHz), Ultra low power
> 60.000 - 970.000 MHz   2.5mw - 10mw, WFM (300kHz) Audio Transmitter
>
>Note: These little low power devices have an adjustable freq deviation
>which can be adjusted to as high as +/- 225khz... System also uses a
>matched receiver. Entire system xmitter and cvr sell for under $2500.
>
>Imagine a 3mw transmitter operating at 782mhz (snuggled up to the audio of
>the local TV xmitter) using a 100khz cue channel subcarrier. Life
>expectancy at least  350 hours (using lithium cells). Reasonable range at
>least 1500 feet indoors.
>
>=================================================
>
>Finished putting the final touches on a new page
>concerning Mace and Personal Protection Sprays.
>
>Drop by and let me know what you think.
>
>   http://www.tscm.com/mace
>
>
>The ASP - Armament Systems and Procedures Web page is
>now also online, the address follows:
>
>      http://www.tscm.com/asp/
>
>=================================================
>
>BMS manufactures a line of pro-grade products used primarly for the
>Broadcast and Television markets, but their prices are cheap, very small,
>low power, and a serious threat to our clients.
>
>Most of their voice/video/telem products (ie:BMT25-S) operates from
>900mhz-4ghz, and are easily detectable at 10mw and 100mw.
>
>The major threat is from the X-Band, and Ku-Band devices which they sell
>that operate up to 13.5ghz.
>
>Keep in mind the devices are as small as 1.0in x 1.0in x 3.3in, and can be
>run from a 12vdc battery for days, if not weeks.
>
>Most of the devices utilize a variable frequency audio dual sub-carrier
>between 4 to 9 mhz.
>
>They sell small omni directional, and highly directional antenna as well.
>
>=================================================
>
>Intel on Microwave surveillance system (made by AST in MD ??)
>
>Stock Devices
>1.2 to 2.2  ghz
>3.7 to 4.2  ghz
>5.9 to 6.45 ghz
>
>Special Order Devices (1.4 ghz bands)
>1.2 to 2.8  ghz - Justice just bought a bunch of these
>2.2 to 3.8  ghz
>3.2 to 4.8  ghz - State Department item
>4.2 to 5.8  ghz
>5.2 to 6.8  ghz
>
>Tech material mentions product available to 8.5/8.8 ghz
>
>All funtions (including freq) are software controlled,
>
>Direct Sequence output, 60 mhz window for spread spectrum
>
>Device designed to transmit FDM baseband signals from a PBX backplane using
>QAM 64 or 256 modulation.
>
>The box I examined measured 1 * 3.5 * 3 and took power from 8 to 16 vdc (12
>pref).
>
>Output power fixed at 100mw
>
>=================================================
>
>Recently I did some work designing an experimental spread sprectrum
>wireless microphone.
>
>The goal of the project was to see just how small, and how cheaply a
>realistic device could be built.
>
>Initial goal was a device that would use the 47 CFR 15.247 for the ISM band
>from 902 to 928 mhz and an enhancement (jumper change) mode to extend the
>upper frequency range to 954 mhz.
>
>The device would have to have a range of at least 150 feet in a hotel
>building and/or office building (parking lot monitoring).
>
>The device must be small enough to be "dropped in a pocket," concealed in
>the seam of a drape, and placed into furniture.
>
>Device must use consumer (radio shack) batteries.
>
>Device must cost less $100 in materials to build
>
>I felt the above specs would reflect a realistic device.
>
>---------------
>
>1) Battery used was 2ea EPX-76 cells which gave 2.5 to 3 hours of usable
>audio, sub-ed a DL123A lithium which upped the time to over 4 days (and
>still counting)
>
>2) Microphone was two surface mount Seimens hearing aid elements.
>
>3) Spread Spectrum controller was a surface mount WL-9010 from Wireless
>Logic, the chip is a compact stand alone transmitter.
>
>4) Used a Mitsubishi codec chip commonly used in cellular telephone with a
>noise cancelling circuit (this is why two microphones were used).
>
>5) Small pot was used to adjust the output power between .15mw to 65mw
>
>6) All components used where SMT versions, hot flow was used for assembly
>
>7) Entire circuit was assembled on a .30 by .25 inches square double sided
>printed circuit board.
>
>8) PCB soldered directly to battery cap
>
>9) .5 inch long paper clip used as antenna
>
>10) Currently working on a telephone line version.
>
>11) Range at 50mw (legal power limit) tested usable and clear at 260 feet
>(device placed in hotel room, and monitored in the parking lot)
>
>12) Device WAS NOT detectable with an AVCOM 65 until the antenna was within
>8 inches of the device (until a hump started to slightly appear).
>
>
>What doe this tell us?
>
>Spread spectrum devices can be real small, cheaply made, and low power
>using off the shelf products.
>
>Watch that area between 800 mhz and 1 gig
>
>=================================================
>
>We are interested in purchasing old catalogs, training materials, and technical
>documentation used by Audio Intelligence Devices, HDS, and other
>surveillance companies.
>
>Specifically we are looking for:
>
>   Old product catalogs
>   Sales materials picked up at trade shows (IE: NATIA)
>   Training Manuals from National Intelligence Academy
>   Textbooks from National Intelligence Academy
>   Product Owners Manuals
>   Product Service Manuals
>
>We are also interested in purchasing "generations" of materials, so if you
>have ten years worth of old catalogs from the '70s were interested.
>
>Let us know what you've got, and we'll work out cash payment arrangements.
>
>The materials will be used for project that starts in January and will run
>for at least six months.
>
>If you have materials from other technical intelligence schools or
>surveillance we could also be interested.
>
>=================================================
>
>I recently had a chance to examine a new device made by Delft
>Industries.
>
>It is very similar to the X-Band units I've examined,
>except that the frequencies were higher and mods were much
>more subtle.
>
>Small PCB was cemented into the rear of the unit, underneath the regular
>PCB (black rubber covered 1.5 cm * 4cm * .8cm).
>
>Unit consited of a two microphones, compander circuits,
>power supply/regulator, and modulator circuit.
>
>Compander circuit operated dual circuits around 120hz to 15khz.
>
>No external mods to case, only very small variation in power drain,
>no internal battery, several large surface mount caps...
>
>Entire unit double sided surface mount PCB, looks like 4 layers,
>2/3 digital circuitry, 1/3 analog and RF circuitry.
>
>The only mods to the alarm PCB was the cutting of several traces
>on the back of the PCB (near the emitter circuit).
>
>The doppler alarm operated between 24 ghz and 24.25 ghz, intelligence
>seems to be a 480k bit digital data stream using the alarm
>signal as the carrier (QAM mod).
>
>Looks like one version of the product will also allow someone
>to deactivate a specific sensor remotely upon on command.
>
>According to the factory, the units are being shipped into
>Canada and Mexico in quanity, then transported into the
>US in small quantities.
>
>Heavy usage in Texas, New Orleans, Florida, California,
>and Pennsylvania.
>
>Device have already been offered for sale in several
>"spy shops" in New York, and Miami.
>
>- Be Careful Out There
>
>========================================================
>
>You may find it interesting to revist our web site in
>the near future, during the last few months the site has
> undergone incredible growth, copius additions, and changes..
>
>        http://www.tscm.com/
>
>On January 2, 1997 we rolled out several new
>product lines which increased the number of TSCM products
>on our web page to over 1,000 TSCM and technical security
>products.
>
>At the present time we have over 12,500 pages of
>printed documents available for download.
>
>If you haven't reviewed it yet, be advised that we now
>have a TDR tutorial page available online.
>
>        http://www.tscm.com/riserbond.html
>
>
>We've also updated the materials we have online
>regarding the REI OSC-5000
>
>        http://www.tscm.com/reioscor.html
>
>
> ===============================================================
>
>DOJ just took delivery of a large number of video transmitter modules
>
>Operating freqs between 8ghz and 11 ghz (PLL field programmable)
>
>10mw rf output (max), nominal 8.5mw
>
>power draw below 35ma
>
>baseband video trans, not SS
>
>all modules have audio inputs (solder tab), standard audio subcarrier,
>audio section may be disabled to conserve power.
>
>Min. effective (flat array ant) range indicated as 2700 feet line of sight,
>and 1500 rural.
>
>I would estimate the range to be below 500 ft with a unity gain antenna.
>
>A number of the units came preinstalled in fake squirel and
>birds nests with a low light auto iris CCD camera (unk manuf, suspect
>Kodak). I've seen similar units used by the DEA (installed under tree
>bark).
>
>Both unity gain ant config (stub), and biconical flat pack.
>
>Power requirements seem to correlate to 9vdc lithium batteries.
>
>>From what I can see on the physical specs, looks like the transmitter, and
>camera combined are 2/3 the size of a standard 9vdc battery.
>
>The document indicates gvt paid $874 per module (Xmit module only),
>document also mentions req code for the "domestic counterterrorism"
>program.
>
>I wonder if these are the "tree frogs" that the boys at Quantico were
>trying to get bids on, back in September?
>
>It's only a matter of a few months before these devices start getting
>"lost in the field " and start re-appearing in the private sector.
>
> ===============================================================
>
>I've heard from several engineers at TI that an unidentified gvt law
>enforcement agency has them working on a super compact thermal imaging
>system and video transmitter for covert surveillance. System utilizes an
>electronic LCD chopper instead of the regular mechanical chopper. Device
>contains integral microwave tranmitter (unk freq). From what I can gather,
>these are going to be used for conducting long term thermal surveillance of
>areas... I will advise as I obtain further intel.
>
> ===============================================================
>
>Just finished reading the 1997 Hewlett Packards optoelectronics designers
>guide, and found several items of interest.
>
>Most of us are familiar with the low power 900nm I/R devices.
>
>But did you know that they also make CHEAP LED's for communications
>that operate from 700nm to 1510nm??
>
>700, 710, 875, 905, 940, 1100, and 1510nm are the most common products in
>the HEMT line.
>
>Can be modulated (open air) from 0 to 750khz with no problem, and higher speeds
>with some minor distortion.
>
>just a heads up
>
> ===============================================================
>
>We are taking delivery of the first 95S radio's and third generation MSS
>units from Boeing... We are expecting initial shipments to customers mid to
>end of Feb.
>
>The 95S is a stand alone wideband receiver designed for SIGINT and TSCM,
>weighs in at just under 8 lbs (complete). Radio will retail for around
>6,000 and 7,500 dollars (US) depending on config.
>
>While the unit is fully self contained, we will have a VME version avail
>(we have them now). Coverage is a clean from 5khz to 8ghz (yes 8ghz), and
>sensitivity is superior to anything Watkins Johnson makes.
>
>Reciever is being built into the new MSS-3500 briefcase system, which will
>allow automated spectrum monitoring of 40ghz of spectrum in 8/9ghz
>segments.
>
> ===============================================================
>
>Just finished playing with a nasty little Radio Shack (CM-421)
>single channel VHF microphone.
>
>While the product is designed for use in the 160-220 range, it's designed
>so that to be recrystalized and usable anywhere in the world.
>
>The product can be easily retuned from 90-300Mhz (by the book), power
>output is variable via a pot from 5mw to 50mw.
>
>Current drain is around 40ma at 50mw, and much lower for 5mw output.
>
>Product is extremely stable, with adjustable deviations (to +/1 100khz)
>
>Integral tietack microphone
>
>Radio Shack will sell the xmitter only for around
>50 bucks (I bought several to eval)
>
> ===============================================================
>
>Recently had access to some of the new fiber optic devices out there and
>wanted to post some of the techniques by which they can be detected.
>
>
>Subject device optics are made by Corning Glass, and consists of three
>components. The "electronics" are manufactured by E-systems in Dallas, TX.
>
>
>The entire installation kit fits into two 18 * 22 * 7 briefcases made by
>SKB, the first case contains a battery powered automatic fusion
>splicer/LID, equipment to test the installation, and a tool kit. The second
>case contains the microphones, spools of "cable", optical modules,
>controllers, and battery packs
>
>
>1. "Front-End Microphone" is a small glass cylinder roughly 2.5mm wide x
>5mm long with a small 1.5mm long pinhole tube on one end, and a 3 to 12 ft
>50/125 fiber tail on the other. This part of the system is designed to be
>installed "pinhole" style. Pigtail cable is routed to and fusion spliced
>into a "Runner Cable". The microphone contains small barbs to keep it in
>position with out the use of adhesives. A small 2.5mm needle drill bit is
>used to drill the hole.
>
>2. The "Runner Cable" is a 50um/125um fiber optic bundle, typically 3 to 8
>fibers are combined to allow a single runner to support 6-8 devices. This
>cable is flat and measures roughly 125um high, and .75 to 1mm wide. Cable
>has a min. bend radius of 4cm, and is field terminated with a small
>automated fusion splicer to the "Front-End Microphone". This cable can be
>left loose or secured with an adhesive. Installation kit contains a small
>flexible installation tube to assist in installing below carpet or behind
>wood panelling.
>
>3. The "Repeater" consists of a disguised box roughly 15cm x 5cm x 5cm,
>with an optional battery pack/power supply/trickle charger (15cm x 10cm x
>5cm) or the device can be powered directly off of AC Mains. The repeater
>can be easily installed and hidden in a cinder block or concrete on an
>outside wall. It looks like the device is for long term installations, it
>is totally sealed and the electronics have conformal coatings/potting.
>
>Device appears to emit a RF digital signal using 64/128/256 QAM Spread
>Spectrum modulation on programmable frequencies between 1.5ghz and 8.5 ghz.
>Modulator is contained into a "flat-pack" style antenna module. A 512kbps
>baseband signal is supplied to the antenna (bit stream can go as high as
>2mbps, the one I examined was set for 512).
>
>Note: The "repeater" supplies the antenna with a baseband signal, control
>codes, and power. The modulator/transmitter is contained in the antenna.
>
>The device uses an RF guard channel that is used to deactivate all
>emissions (Go Mute) upon remote command.
>
>The "repeater" utilizes 8 fiber outputs (it has 8 field replacable optical
>modules), and one min. SMA connector for the baseband output. Suspect the
>device can also be be uploaded with transmision times. It also contains
>sufficent memory (32mb) to hold a good 4 hours or more of compressed audio.
>
>Repeater can also transmit (Spread Spectrum) over telco or power lines with
>a small adapter (I was not able to secure the frequencies, but I suspect
>somewhere between 200khz and 3 mhz).
>
>
>Device Operation:
>
>System uses a 50/125 Raw fiber optic distribution system, the fiber is
>coated, but not jacketed or buffered in any way. The fiber has a frequency
>response between 1230 to 1550/1710? single mode. I suspect it is standard
>single mode (1500nm) fiber strand.
>
>The "Repeater" contains a low power single mode solid state light source, a
>duplexer/splitter (prism), and a light reciever. The light beam is
>transmitted into the fiber, travels to the "Front-End" where it is is
>reflected against an angled vibrating membrane. The membrane causes a
>slight frequency shift in the light beam, which is reflected back to the
>"Repeater" where it is "picked" off with a prism and solid state detector.
>(typical fiber optic microphone).
>
>
>Counter-Measures:
>
>There is NO METAL in the microphone or fiber distribution system, and they
>CANNOT be detected by a Non-Lin (no non-linear junctions). Nor can they be
>detected with metal detectors, and no electro-magnetic field is present on
>the "Front End".
>
>The "Repeater" section is fairly to detect with a non lin, but since it is
>supposed installed into the outside wall it tends not to be practical. The
>ideal way to detect is to sweep the exterior of the building for RF
>emissions. Also, the unit tends to run VERY hot (110-135 degrees), and
>should be visible as a thermal anomally.
>
>Also, the system can be detected by looking for minute amounts of light
>"leaking" from both the microphone, fusion couplings, and fiber
>distribution system.
>
>The pinhole for the microphone can be detected with a IR visual search
>around 440 to 450nm (you'll need a light source with at least 500,00 candle
>power, the Blue Light Ultra works well, or an Omnichrome).
>
>Once a suspect pinhole is found it can be tested for IR with a conventional
>Spectrum Analyser with a IR front end (the Tektronix SA-42 or SA-46 works
>well). There is always a small amount or IR leakage with this system.
>
>Once the microphone is detected it is a fairly simple matter to trace the
>line back to the controller module or "Repeater"
>
>Keep in mind that the system is designed to use 3 to 8 microphones.
>
>
>I am going to get a look at an OC-12 clamp-on fiber optic tapping system in
>a few weeks and will advise.
>
> ===============================================================
>
>
>As always,
>Please treat this information as highly confidential and
>please do not redistribute, Thank You
>
>
>Regards,
>
>-jma
>
> ===============================================================
>         Train, Observe, Detect, Protect, Defend, Repel
> ===============================================================
>  James M. Atkinson
>  Granite Island Group - TSCM.COM
>  127 Eastern Avenue #291                 http://www.tscm.com/
>  Gloucester, MA 01931-8008                  jmatk@tscm.com
> ===============================================================
>      The First, The Largest, The Most Popular, and the Most
>      Complete TSCM Counterintelligence Site on the Internet
> ===============================================================
>







Thread