Privacy Is Precious, Is Yours Being Adequately Protected?

by Sarah L. H. Saul

Sadly, it seems that privacy is rarely appreciated by individuals or organisations until it is compromised.

Technical surveillance attacks are in use, that’s a fact! Technical surveillance attacks are successfully compromising the privacy of organisations and individuals. We’re not just taking about eavesdropping on conversations or spy cameras, technical surveillance attacks on networks are also in use and can’t be detected by traditional cyber-security measures. Perhaps the lack of privacy appreciation is due to the inherent trust many people have in others, leading them to believe it won’t happen to them.

Perhaps it’s a dismissal of the fact that experienced privacy attackers are paid to illicit private organisational or personal information. Maybe it’s because some risk managers and security directors approach the subject of ‘privacy’ as if it isn’t part of their overall security remit. Perhaps even some security professionals think that technical surveillance only happens elsewhere (overseas/movies/spy novels).

Whatever the reasons may be, I urge you to take your privacy protection seriously and include technical surveillance counter measures (TSCM) services in your security strategies. 

I’m guessing that everyone, individually or as part of an organisation, has been subject to some form of human engineering privacy attack these days. Whether that be via vishing, phishing or other methods, the end goal is the same – the attacker wishes to compromise your privacy for some form of gain (usually, but not exclusively, a financial gain). Privacy attackers deploy a number of different methods to gain the information they want. It’s very easy to acquire, install and use technical surveillance attacks – not quite so easy to detect, identify and locate them though!

It’s important to protect your privacy across all security threat domains.

Organisations and individuals do seem to understand the need to ensure that their physical safety is secured. Most people do understand the risks inherent in online interactions and they know that they must establish and maintain their cyber security processes. However, when I discuss technical surveillance countermeasures, many people (even those in some senior security positions) seem to have very little awareness of what technical surveillance is and even less awareness of how to mitigate. I’m obviously surprised when approached by security directors or close protection specialists who are unaware of what a TSCM survey is (and what it is not!).

Why Is Technical Surveillance Counter Measures Required?

There are always privacy threats in all environments. There will always be someone who wants to compromise your personal, professional or organisational privacy. That’s not alarmist speak, that’s just how it is!

Compromising privacy is an age-old human attack strategy. Take a look through history, it’s littered with the personal and political consequences of eavesdropping and espionage, of gossip about private lives and stolen information. The old saying ‘knowledge is power’ is absolutely true. Naivety, ignorance or lack of knowledge is a disadvantage in most professional situations. Being able to obtain and exploit information, which the target/victim assumes is unknown, is a skill that is as sought after today as it has ever been.

Whether it’s an organised criminal gang, targeting individuals to gain access to money, a voyeur who wants to compromise personal privacy for their own gratification or for widely sharing sensitive imagery, a business competitor whom wishes to damage the reputation of your personnel and brand, a disgruntled colleague who wishes to ruin your reputation or a state-sponsored privacy attack seeking political leverage or gains, there are plenty of threats.

From small, inexpensive, easily obtained, easily installed privacy compromising devices and techniques to bespoke devices and techniques created by professional FIS (foreign intelligence services), the opportunities to compromise privacy are numerous, and always evolving.

Every security director of any degree of competence understands that a holistic approach to security is necessary to ensure all threats are identified and adequately mitigated. The security landscape of physical, cyber and technical security threat domains must all be included in any robust organisational security strategy.

Constantly Evolving Threat

Privacy compromising attacks are constantly developing. There’s a continued historical dance between those who attack privacy and those who mitigate privacy threats. Privacy attackers are evolving and adapting. TSCM specialists are constantly researching and developing new countermeasures for new attacks and attack methods as they emerge. If you aren’t a TSCM specialist, how do you ensure you are aware of the emerging privacy protection threats and methodologies?

What Does a TSCM Survey Involve?– Measurement, Analysis, Interpretation, Mitigation

The Hollywood myth of a TSCM survey, usually referred to in movies as a bug sweep, continues to depict what we at Verrimus refer to as a ‘wandwaver’. That is, an individual (usually male) waving a handheld piece of electronic equipment around a room and either declaring ‘all clear’ or ‘finding’ a little black box or wired microphone.

The reality (for any competent TSCM operator) is wildly different! Seriously, any competent TSCM operator would love to rock up to a task with one little handheld beeping device and be able to declare the space attack free or compromised in a short time! The reality, for a competent TSCM operator, involves transporting lots of pelicases of varied measurement equipment and tools, multi-layered threat domain examinations, crawling and climbing to conduct physical non-destructive searches of small and difficult spaces and analysis of the results using their experience and knowledge of attack methods.

From Tig Trager in Sons Of Anarchy ‘sweeping’ the clubhouse before Church, to James Bond (in From Russia With Love Bond, searching the room for bugs, and finding one behind a painting. Then he takes a ‘phone bug detector’ out of a leather case and discovered that his phone was also tapped. He requested a room change, because of the “small bed”, and listened for a “pop” to confirm that someone had been listening in on the conversation) the depictions of conducting a TSCM survey are wildly INACCURATE!

Over and over again we meet people appointed to design and maintain an organisation’s security, who have gained their knowledge of TSCM (technical surveillance countermeasures) via Hollywood movies and TV shows.

It still shocks us when a security director is expecting our TSCM Operators to walk into the area of concern, wave a handheld electronic device around and declare the space ‘free from bugs’! That’s how it happens in the movies and on TV, that’s not reality!

Unfortunately, there still does not exist a single piece of measurement equipment that can measure EVERY threat domain and declare ‘all clear’. A TSCM survey, conducted by any professional, will include lots of different equipment to measure all domains and an experienced operator to interpret and analyse all of those measurements. There is NO SINGLE PIECE OF EQUIPMENT THAT COVERS ALL THREAT DOMAINS! Whatever an equipment manufacturer may tell you!

A competent TSCM operator has a suite of measurement tools, to assist them to take accurate measurements of a threat domain in order for them to interpret and analyse. A competent TSCM operator knows what combination of tools are required, in what order those tools need to be used, how to analyse results, how to recognise anomalies in the task environment, how to investigate anomalies, how to mitigate all TSCM risks.

Please ensure that you personally or professionally are not ignoring the significant threat of technical surveillance. Whether it’s; a personal attack to eavesdrop on your private conversations/ a passive network tap on your organisation’s system/a key stroke logger installation/ a ‘bug’ in the boardroom/ a hidden camera in staff toilets or hotel spaces/a compromised telephone or any number of other attacks, the first step to design a prevention strategy is to be aware of the threat, assess the risk and mitigate appropriately.