From: “James M. Atkinson, Comm-Eng” <jmatk@tscm.com>
To: TSCM-L@tscm.com
Message Hash: 571a09d74a9c82893f1d707f7762146d410ea649db202dacf3ce7726b29f8f61
Message ID: <v03110705b1a17d9226d8@[205.161.57.127]>
Reply To: N/A
UTC Datetime: 1998-06-08 06:49:35 UTC
Raw Date: Sun, 7 Jun 1998 23:49:35 -0700 (PDT)
From: "James M. Atkinson, Comm-Eng" <jmatk@tscm.com>
Date: Sun, 7 Jun 1998 23:49:35 -0700 (PDT)
To: TSCM-L@tscm.com
Subject: TSCM-L Technical Security List
Message-ID: <v03110705b1a17d9226d8@[205.161.57.127]>
MIME-Version: 1.0
Content-Type: text/enriched
TSCM-L Technical Security List Monday, June 8, 1998 Volume 1998
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Postings: TSCM-L@tscm.com
Unsubscribe: unsubTSCM-L@tscm.com
Subscribe: subTSCM-L@tscm.com
Admin: jmatk@tscm.com
This material will only be sent to you upon your direct request, either by your
email request, or by signing up via our web page.
TSCM-L is published by Granite Island Group, and is written by James M. Atkinson.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
A telephone eavesdropping system was recently encountered which is being sold by a
company in Pomezia, Italy. The system is for use on AT&T System 25, 75, and 85 PBX
systems (other versions are available for 1030, 3070, Merlin, and Partner systems).
The first element of the system consists of a station card which has been built from
scratch and appears almost identical to the original cards built by AT&T. There are
no modifications on the card, and all components appear legitimate
The only visual difference between the cards is several additional integrated
circuits, and discrete components. Additionally, on the silkscreen side of the card
is a small logo consisting of an upper case letter E followed by a 7xx type of number
(such as E-728). The logo will appear diagonally across the card from the serial
number. Each station card will support 8 digital phones, and one outgoing circuit.
The second element of the system is the printed circuit board that goes into the
actual telephone. Much like the station card the printed circuit board appears
original but closer inspection will reveal a small number of extra components and
PCB traces which go to the four pair position.
Suspect telephones will present an anomaly on the power and/or 4th pair. The
signal is a digital data signal (usually 160 Kbps). Vector signal analysis will
indicate a QAM/BPQSK cats-eye (a digital audio signal via a seven stage parasitic
polynomial 1+x6+x7 algorithm). Waveform is a serial data stream, bipolar signal
at roughly 700mV (680-715 mV depending on instrument). Power drain is fairly high
(average of 136% over normal), but station card will not indicate an over-current
condition or station error.
Serial data stream is constant, and only affected by application of power. Signal
stops if power is removed for more than 15 milliseconds. Disconnection of handset
does not effect signal. Signal is present in both on-hook and off-hook conditions.
The third element of the system is a small modification to the PBX back plane which
consists of two small wires which are tacked into place between the station card and
the line card. This bridging circuit allows a T-Carrier signal to pass from the
station card to an unused cable pair for an outgoing signal path (usually the 25th
pair). This modification will appear to be a legitimate factory modification to the
backplane.
The fourth element of the system is the transmission path back to the listening post
(which will appear to be a T-1 signal, but will only use one cable pair). A RF
transmitter could be used, however; such an emission would increase the possibility
of the system being detected if used inside or near the target facility. A RF
transmitter could be used once the signal is well outside the facility.
The transmission path will normally consist of a T-Carrier signal that can be traced
to a facility demarcation point and then to an external cable pair. The signal will
typically terminate at (or just prior to) an off-site SLC box. At this point the
T-Carrier signal will be bridged back to a listening post either by hardwiring or
an RF transmitter (though the use of a bridging capacitor to isolate the DC
components of the circuit).
Faked power outages in the PBX or server room will typically be used to cover the
installation activities. The installation consists of swapping the station card,
and then installing the jumper wires on the back plane. While the power is still
off the special printed circuit boards are installed into the target phones.
Optionally, the telephone may simply be swapped with an instrument that has been
modified in advance. Power is then restored with the event being logged as a short
power outage (usually during bad weather or construction work).
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
French Magistrate Targets Official Wiretapper
PARIS, May 28 (Reuters) - A man who headed France's official wiretap
unit has been placed under investigation in connection with illegal
eavesdropping carried out on orders of the late President Francois
Mitterrand's office, judicial sources said on Thursday.
Army Brigadier General Pierre Charroy, 63, was ordered placed under
investigation for complicity in invasion of privacy in his capacity as
head of the discreetly named Interministerial Control Group (GIC) under
Mitterrand, the sources said.
The GIC is officially entrusted with carrying out wiretaps on the orders
of magistrates in cases of espionage or serious crimes. The body is so
shrouded with secrecy that it is not known if Charroy still heads it.
Former Mitterrand aides acknowledged last year that the late president,
who ruled from 1981-1995, had ordered security officers attached to his
office to carry out illegal wiretaps on the telephone lines of lawyers,
journalists, politicians and at least one movie actress.
The justice sources said magistrate Jean-Paul Vallat suspected Charroy
of having aided the presidential wiretappers who acted without the
permission of magistrates, making their actions illegal.
Prime Minister Lionel Jospin pledged in last year's general election
campaign to end an era of "monarchical secrecy" if he came to power and
to lift the lid on cases like possible illegal wiretapping under
Mitterrand, with whom Jospin was on poor terms.
Jospin has since been accused of dragging his feet on the promise since
he became prime minister and judge Vallat has written to ask for his
help in his probes.
Some 15 former Mitterrand aides are under investigation and could face
possible trial in the case.
Mitterrand died in 1996, seven months after leaving office.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
The following pages which contain TSCM equipment reviews have been
updated and are now available:
http://www.tscm.com/tmdespect.html
http://www.tscm.com/tmdeantenna.html
http://www.tscm.com/fluke785.html
http://www.tscm.com/tmdenljd.html
http://www.tscm.com/tmdedemod.html
http://www.tscm.com/tmdeacous.html
http://www.tscm.com/tmdeanc.html
http://www.tscm.com/tmdeaux.html
http://www.tscm.com/tmdecraft.html
http://www.tscm.com/tmdephot.html
http://www.tscm.com/tmdephys.html
http://www.tscm.com/tmdescope.html
http://www.tscm.com/tmdesets.html
http://www.tscm.com/tmdetdr.html
http://www.tscm.com/tmdevehcl.html
http://www.tscm.com/tmdevideo.html
http://www.tscm.com/tmdevom.html
http://www.tscm.com/tmdevsa.html
http://www.tscm.com/intercept1.html
http://www.tscm.com/reioscor.html
http://www.tscm.com/spectan.html
http://www.tscm.com/tmde.html
http://www.tscm.com/training.html
http://www.tscm.com/trainingciv.html
http://www.tscm.com/traininggov.html
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Granite Island Group
Mission and Purpose Statement
Granite Island Group provides expert technical, analytical and research
capability for the detection, nullification, and isolation of eavesdropping
devices, technical surveillance penetrations, technical surveillance
hazards, and physical security weaknesses.
Detection: Measures taken to detect technical surveillance devices,
technical security hazards, and physical security weaknesses that would
permit the technical or physical penetration of a facility.
Nullification: The process of neutralizing or negating technical devices
employed by making the placement of such devices more difficult. This
includes ensuring that a room is protected with adequate physical
construction and security measures thus making the placement or use of
illegal listening devices ineffective.
Isolation: A method to deter, or make extremely difficult, the
introduction of eavesdropping devices by establishing special security
areas, for the conduct of classified or sensitive activities.
Granite Island Group also provides:
Vulnerability Analysis to provide senior management with guidelines for
the enhancement of security and reduction of the vulnerability of
sensitive areas to the technical surveillance threat.
Design, Manufacture, and Sale of TSCM, signals intelligence, cryptographic,
and related secure communications systems and devices.
Research and Development of technical systems, devices, and tradecraft
utilized by the intelligence community.
Development of Specialized Computer Software and Firmware.
Design and Installation of high performance computer networks and
communications systems.
Disaster Preparedness Planning
Intelligence Analysis and activities to determine the existence and
capability of surveillance equipment being used against the United
States Government, United States corporations, establishments, or
persons. Special emphasis is given to detecting and countering espionage
and other threats and activities directed by foreign intelligence services.
Specialized Training for those in sensitive positions concerning the
threat of technical surveillance and the part they can play in the TSCM
program. This includes advanced training and seminars for TSCM teams and
technical security personnel.
Closed Enrollment Training regarding technical security and protective
related issues.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Copyright (c)1998 Granite Island Group. All Rights Reserved.
=======================================================================
Everybody's into computers... Who's into yours?
=======================================================================
James M. Atkinson Phone: (978) 546-3803
Granite Island Group - TSCM.COM
127 Eastern Avenue #291 http://www.tscm.com/
Gloucester, MA 01931 jmatk@tscm.com
=======================================================================
Do not try the patience of Wizards,
for they are subtle and quick to anger.
=======================================================================
Return to June 1998
Return to ““James M. Atkinson, Comm-Eng” <jmatk@tscm.com>”
1998-06-08 (Sun, 7 Jun 1998 23:49:35 -0700 (PDT)) - TSCM-L Technical Security List - “James M. Atkinson, Comm-Eng” <jmatk@tscm.com>