| I spend a great deal of my time dealing with | | | | your response again.Most Common Sources of |
| highly sensitive, highly confidential | | | | Spyware: |
| information. Over the years I have noticed | | | | |
| that many of the institutions I have worked | | | | 1. Screen savers |
| with have gone to great pains and | | | | |
| considerable expense to make certain their | | | | 2. Emoticons |
| computer systems have state of the art | | | | |
| firewalls and "hacker-proof" encoding | | | | 3. Clip Art |
| systems. Nonetheless, they continue to leak | | | | |
| data like a sieve!How can this be? Simple, | | | | 4. Spam |
| they are guarding the air conditioner duct | | | | |
| instead of the front door.So, what do I know | | | | 5. Email attachments |
| about it? My knowledge of the field is pretty | | | | |
| backdoor in nature.First of all, I work a lot | | | | 6. Unprotected web browsing (cookies) |
| with people who love nothing more than to | | | | |
| stir up hate and discontent wherever they go. | | | | 7. Peer to Peer applications (mp3 files) |
| They will intentionally uncover and publish | | | | |
| sensitive information. It is fun for them. In | | | | 8. Shareware |
| order to find out why they do these things I | | | | |
| do a lot of debriefing with them when an | | | | 9. Freeware |
| incident occurs.Second, I have two brothers | | | | |
| who made carriers out of law enforcement. One | | | | 10. Involuntary Download (may present as a |
| of my brothers served many years as a state | | | | fictitious error you must click to correct) |
| trooper and another as a sheriff's deputy. | | | | |
| They were both extremely successful in the | | | | So, have you EVER added any of this to your |
| investigation facet of the job and I am about | | | | system, even to an email? I know me too. |
| to tell you why. Then you can see if you are | | | | |
| vulnerable to the same kind of attack.The | | | | Oh well, as MaElla (my grandmother) used to |
| sources of data loss, in no particular order, | | | | say, "Once bitten, twice shy."What have we |
| are as follows.1. Waste Archeology. | | | | learned?Basically, don't put anything |
| | | | unverified on your system, even if it is |
| Simply speaking, someone who really wants to | | | | really, really cool.Bye the way, does anyone |
| know your secrets will go through your trash. | | | | know where MaElla got "Once bitten, twice |
| And guess what? It is completely legal. Buy a | | | | shy"?Part VFirst and foremost, never use a |
| $20.00 shredder, and use it.2. Taps. | | | | cordless phone for anything other than the |
| | | | convenience of answering a call. Switch to a |
| Seriously, if you have a wireless system it | | | | corded line for any specific |
| is pretty simple to eaves drop via laptop | | | | communications.Monitoring cordless and |
| from the coffee shop next door.3. Pop-ins. | | | | cellular phone calls has become a million |
| | | | dollar hobby in America. Some even sell their |
| Be extremely wary of maintenance crews and | | | | monitored conversations on line. Think |
| repair staff you haven't called in. Check | | | | ex-girlfriend sites.Mobile phones are an even |
| ID's. Also, be aware of someone who comes in | | | | greater liability. Not only are means |
| asking a lot of questions. You may be | | | | available to monitor the conversations, but |
| surprised what the reception staff will tell | | | | it is not particularly difficult to track the |
| someone who smiles and asks nicely.4. Hacking | | | | location of the parties based on their |
| in. | | | | signal. Now, that is scary.This tracking will |
| | | | become even easier when newer 3G phones come |
| Do you know the easiest way to hack in to a | | | | online because their base stations are even |
| secure system? Steal the password taped to | | | | closer together.What can you do? |
| the computer screen at Ed's work station. | | | | |
| Trust me, I see it every day. You know what | | | | 1. Use a regular line for increased |
| else? Most people use the same password for | | | | security. |
| every system they need to access.5. Cordless | | | | |
| phones. | | | | 2. Dedicate a secure line in your office for |
| | | | sensitive communication. They are not cheap. |
| Remember most cordless phones and cells are | | | | Or-Com offers one that has fair reviews for |
| basically fancy radios. If it puts out a | | | | about $300.00. |
| signal, the signal can be picked up with a | | | | |
| scanner.6. Ticking bombs. | | | | 3. Use first names on non-secure lines. |
| | | | |
| Answering machines, voice mail, fax machines | | | | 4. Speak in general terms on non-secure |
| anything that requires an access code can be | | | | lines.If you think these precautions a |
| beaten (remember the password taped to the | | | | completely paranoid, you may be right. On the |
| computer?).7. Starbucks. | | | | other hand, browse Spy Emporium for an |
| | | | overview of just a few of the surveillance |
| Never discuss sensitive information in a | | | | devices available.Part VI.If you work with |
| public restaurant! If I wanted to know about | | | | confidential data, and you use any of the |
| a corporations business, I go to the snack | | | | following pieces of technology, it is just a |
| bar at lunch and read the paper over coffee. | | | | matter of time until your confidentiality is |
| You won't believe the things you hear (if | | | | compromised.1. Disposable roll fax machines. |
| you're in education, teacher lounges are hair | | | | |
| raising!).8. Brain cramps. | | | | Used rolls contain copies of every item the |
| | | | machine has received.2. Unattended fax |
| Unlocked cabinets, offices, desks, paper | | | | machines. |
| work left out, answering stupid questions | | | | |
| over the phone. Hello?9. Traitors. | | | | Fax machines left on are excellent sources |
| | | | for stealing confidential data. When I expect |
| Face it, some folks will sell you out for | | | | a fax, I alert the office staff to put it in |
| the right price. The right price might be as | | | | a folder in my in-box.3. Dictation machines. |
| simple as someone asking, "So, what | | | | |
| confidential things are you working on these | | | | If you use dictation machines and leave |
| days?" You really wouldn't believe what | | | | tapes on the secretaries' desk to be |
| people have told me in answer to that | | | | transcribed don't be shocked when a tape goes |
| question. Keep sensitive information on a | | | | missing (Tell the truth, this has already |
| need to know basis.10. Describing a spy. | | | | happened hasn't it?).5. Answering machines. |
| | | | |
| The typical spy is a short, fat, tall, thin | | | | Most are accessible with a 3 or 4 digit |
| man, with curly, bald hair. She often wears | | | | code. Most people don't change the factory |
| provocatively conservative clothing and is | | | | set "3, 4, and 5." These are easy to hack.6. |
| liberally conservative. In other words, | | | | Cordless microphones. |
| ANYBODY is the typical spy.Now I will expound | | | | |
| upon each section individually.Part 1One of | | | | Crystal clear signals for about 1,300 feet |
| the first areas I mentioned in breaches in | | | | or a quarter mile.Part VII.One of the most |
| security was "rifled" trash. I believe this | | | | popular and reliable methods for gathering |
| to be foremost method of stealing | | | | information from an organization is to "scout |
| confidential information. In reality it isn't | | | | the perimeter." Although, this is not as sexy |
| even stealing. In California Versus Greenwood | | | | as the "mission impossible" methods, it is |
| the Supreme Court held the Constitution does | | | | very popular and very effective.Here are your |
| not prohibit warrant less search and seizure | | | | most frequent weak spots.1. The company lunch |
| of garbage left for collection outside the | | | | room. Many people actually carry confidential |
| curtilage (the enclosed area immediately | | | | files with them to review over lunch. |
| surrounding a home or dwelling) of a home. | | | | |
| This could include places of business.Here | | | | 2. The neighborhood coffee klatch. This is |
| are some pro-active steps you can take.1. | | | | true for the same reason as above. |
| Don't transfer confidential documents to | | | | |
| recycling vendors.2. If you have a copier, | | | | 3. The guy who is always at the newsstand |
| install a shredder next to it.3. Purchase a | | | | when you pick up your paper. You know the one |
| cross-cut shredder for extremely sensitive | | | | you discuss current office events with |
| documents.4. Destroy all waste paper.5. Get | | | | because he doesn't know the people anyway. |
| shredders for each individual. People won't | | | | |
| wait in line to use a bulk shredder.6. DON'T | | | | 4. The chatty new friend your spouse just |
| KEEP CARDBOARD BOXES OF UNINVENTORIED OLD | | | | made. Think about this when discussing |
| DOCUMENTS LYING AROUND.Part II.Remember, | | | | business with your spouse. |
| James Bond is not interested in your | | | | |
| secrets.That being said, competitors, | | | | 5. Any off-site meeting places. Luncheon |
| disgruntled employees, ex-spouses and other | | | | rooms, county offices, etc.Part VIIINext to |
| wreakers of havoc are interested in your | | | | going through the trash, the most vulnerable |
| secrets.There are many methods of "bugging" | | | | area for exploitation is the human brain. |
| out there.The five main categories are, in | | | | |
| alphabetical order: Acoustic, Optical, RF, | | | | The major offenders: |
| Tie-In, and Ultrasonic.1. Acoustic - low tech | | | | |
| glass to the wall, ventilation, electrical | | | | 1. Unsecured offices, cabinets, drawers and |
| out-let, out side the window, stand by the | | | | doors. |
| door, close proximity listening.2. Optical - | | | | |
| high end and expensive.3. RF - radio | | | | 2. Files left on the desk over night. |
| frequency and receiver devices.4. Tie-in - | | | | |
| hooking directly in to a phone line. The box | | | | 3. Group passwords. |
| is usually easily accessible on an exterior | | | | |
| wall.5. Ultrasonic - think transmitter, | | | | 4. Company phone directories. |
| receiver but with audio pressure rather than | | | | |
| radio waves.The most prevalent and dangerous | | | | 5. Desktop rolodexes.Part IXAnother source |
| of this is alphabetically and most | | | | of compromised confidential information is |
| destructively listed first. Always be aware | | | | the office traitor. Most people have a price. |
| of your immediate surrounding when discussing | | | | The price may have been paid the last time |
| confidential information.Part IIIAlways check | | | | they were insulted, degraded or unappreciated |
| the identification of persons who pop in to | | | | at the office. One the other hand, there may |
| do technical work around your office. This is | | | | be an actual monetary price for which a |
| especially true if you PERSONALLY have not | | | | trusted associate can be turned.Here are some |
| called them for service. These folks are | | | | of the characteristics you may need to be on |
| known as "spooks".You see, "Spooking" is a | | | | the look out for.1. Those passed over for |
| hide in plain site method of gaining access | | | | raises, passed over for promotion. |
| to confidential informationIt seems carrying | | | | |
| a clipboard will gain a spook access to most | | | | 2. Those experiencing significant financial |
| places, even those with confidential data to | | | | difficulty. |
| protect.But, there are other common tools the | | | | |
| spook may carry to increase their appearance | | | | 3. Those who gamble. |
| of authenticity: 2-way Radio, Maglight, | | | | |
| Construction worker hard hat, and my personal | | | | 4. Those that employ recreational |
| favorite the attention tone cell phone. Now, | | | | pharmaceuticals (including alcohol). |
| this particular ruse means the spook has a | | | | |
| partner but is anything more impressive than | | | | 5. Those involved in labor and management |
| that tone from the "base office" checking the | | | | disputes. |
| technicians' status?However, the most | | | | |
| powerful, by far, access granting technique | | | | 6. Those that seem to always be on the |
| (I mean this will get you in anywhere) is a | | | | lookout for the next big deal.Part |
| set of Dickies. Yes, Dickies. The same things | | | | X.Basically, if you take a look at the |
| you wore for summer jobs in high school and | | | | qualifications for a field agent for the CIA |
| college. They are a virtual cloak of | | | | you can build a fair profile of what an |
| invisibility in our culture.Most common | | | | office spy may "look like."1. A Bachelors |
| guises:1. Telephone/communications | | | | Degree, rarely more. |
| technicians - (typically wearing blue/grey | | | | |
| Dickies)2. Computer service technicians - | | | | 2. Solid academic record, not outstanding. |
| (polo shirt and tan Dickies pants)3. Copy | | | | |
| machine technicians - (polo shirt and blue | | | | 3. Interest in inter-business and |
| Dickies pants)4. Custodians - (typically | | | | international affairs. |
| anyone with a set of blue/grey Dickies is | | | | |
| granted cart blanche access)5. Messenger | | | | 4. Solid interpersonal skills. |
| services - (typically wearing brown | | | | |
| Dickies)6. A/C heating technicians - | | | | 5. Solid communication skills. |
| (typically wearing blue-green Dickies)The | | | | |
| beauty of this type of "spooking" is nobody | | | | 6. Frequent traveler. |
| ever challenges these folks. And if some | | | | |
| particularly diligent person does question | | | | 7. Interest in foreign languages. |
| them, the spook goes into his, "fine with me, | | | | |
| but it will be at least four weeks until I | | | | 8. Prior residence outside the area. |
| can get back here. We're really backed up." | | | | |
| That is usually enough to intimidate even the | | | | 9. Possible prior military experience. |
| most on top of things staff member.I don't | | | | |
| usually recommend testing out these | | | | 10. Experience in business and/or economics |
| surveillance techniques, the power of the | | | | (but with deficit skills in their own finance |
| Tricky Dickie is not to be believed unless | | | | management). |
| you actually see it in action. So, get your | | | | |
| lazy brother-in-law a set of Dickies and send | | | | 11. The person is usually between the ages |
| him through your office. You won't believe | | | | of 21-35. |
| the results. Afterwards, get the lazy bum to | | | | |
| do your yard work so you get your moneys | | | | 12. Previous work in law enforcement or |
| worth from the Dickie investment.Part IVThere | | | | corrections. |
| are many ways of stealing computer files. As | | | | |
| a matter of fact there is a whole niche | | | | 13. May be considered a loner, not a joiner. |
| market dedicated to nothing more than | | | | |
| developing and distributing new types of spy | | | | 14. No police record. |
| ware. Then there is another niche market | | | | |
| dedicated to selling protection against these | | | | 15. Hobbies include martial arts, scuba, |
| pieces of malware. Folks, I talking millions | | | | hunting, proficiency with firearms, chess, |
| of dollars each year, connected to these two | | | | math, avid reader, may write prolifically or |
| enterprises. Would it surprise you to know | | | | play a musical instrument, etc. |
| that many of the same people writing the | | | | |
| protection software also write the | | | | 16. The person may be interested in training |
| malware?Any who, how to these insidious | | | | manuals and field guides.In other words, just |
| pieces of data stealing malware get into your | | | | about anybody who would make a good employee. |
| systems? Simple, you or one of your | | | | The key is to look for unusual groupings of |
| associates, put them there.I know what you're | | | | these skills. Most people will meet 3 or 4 of |
| thinking, "Not me! I would never do such a | | | | the criteria. Those who meet 6 or more should |
| self destructive thing. Neither would anyone | | | | be considered possible candidates.This |
| I work with." And, at least intentionally, | | | | section completes a ten part series |
| you're right. But, take look at the most | | | | concerning confidentiality and security. |
| common avenues of entry and think through | | | | |