| I spend a great deal of my time dealing with highly | | | | stealing computer files. As a matter of fact there is a |
| sensitive, highly confidential information. Over the years | | | | whole niche market dedicated to nothing more than |
| I have noticed that many of the institutions I have | | | | developing and distributing new types of spy ware. |
| worked with have gone to great pains and | | | | Then there is another niche market dedicated to selling |
| considerable expense to make certain their computer | | | | protection against these pieces of malware. Folks, I |
| systems have state of the art firewalls and | | | | talking millions of dollars each year, connected to these |
| "hacker-proof" encoding systems. Nonetheless, they | | | | two enterprises. Would it surprise you to know that |
| continue to leak data like a sieve!How can this be? | | | | many of the same people writing the protection |
| Simple, they are guarding the air conditioner duct | | | | software also write the malware?Any who, how to |
| instead of the front door.So, what do I know about it? | | | | these insidious pieces of data stealing malware get into |
| My knowledge of the field is pretty backdoor in | | | | your systems? Simple, you or one of your associates, |
| nature.First of all, I work a lot with people who love | | | | put them there.I know what you're thinking, "Not me! I |
| nothing more than to stir up hate and discontent | | | | would never do such a self destructive thing. Neither |
| wherever they go. They will intentionally uncover and | | | | would anyone I work with." And, at least intentionally, |
| publish sensitive information. It is fun for them. In order | | | | you're right. But, take look at the most common |
| to find out why they do these things I do a lot of | | | | avenues of entry and think through your response |
| debriefing with them when an incident occurs.Second, I | | | | again.Most Common Sources of Spyware: |
| have two brothers who made carriers out of law | | | | 1. Screen savers |
| enforcement. One of my brothers served many years | | | | 2. Emoticons |
| as a state trooper and another as a sheriff's deputy. | | | | 3. Clip Art |
| They were both extremely successful in the | | | | 4. Spam |
| investigation facet of the job and I am about to tell you | | | | 5. Email attachments |
| why. Then you can see if you are vulnerable to the | | | | 6. Unprotected web browsing (cookies) |
| same kind of attack.The sources of data loss, in no | | | | 7. Peer to Peer applications (mp3 files) |
| particular order, are as follows.1. Waste Archeology. | | | | 8. Shareware |
| Simply speaking, someone who really wants to know | | | | 9. Freeware |
| your secrets will go through your trash. And guess | | | | 10. Involuntary Download (may present as a fictitious |
| what? It is completely legal. Buy a $20.00 shredder, | | | | error you must click to correct) |
| and use it.2. Taps. | | | | So, have you EVER added any of this to your |
| Seriously, if you have a wireless system it is pretty | | | | system, even to an email? I know me too. |
| simple to eaves drop via laptop from the coffee shop | | | | Oh well, as MaElla (my grandmother) used to say, |
| next door.3. Pop-ins. | | | | "Once bitten, twice shy."What have we |
| Be extremely wary of maintenance crews and repair | | | | learned?Basically, don't put anything unverified on your |
| staff you haven't called in. Check ID's. Also, be aware | | | | system, even if it is really, really cool.Bye the way, |
| of someone who comes in asking a lot of questions. | | | | does anyone know where MaElla got "Once bitten, |
| You may be surprised what the reception staff will tell | | | | twice shy"?Part VFirst and foremost, never use a |
| someone who smiles and asks nicely.4. Hacking in. | | | | cordless phone for anything other than the |
| Do you know the easiest way to hack in to a secure | | | | convenience of answering a call. Switch to a corded |
| system? Steal the password taped to the computer | | | | line for any specific communications.Monitoring cordless |
| screen at Ed's work station. Trust me, I see it every | | | | and cellular phone calls has become a million dollar |
| day. You know what else? Most people use the same | | | | hobby in America. Some even sell their monitored |
| password for every system they need to access.5. | | | | conversations on line. Think ex-girlfriend sites.Mobile |
| Cordless phones. | | | | phones are an even greater liability. Not only are |
| Remember most cordless phones and cells are | | | | means available to monitor the conversations, but it is |
| basically fancy radios. If it puts out a signal, the signal | | | | not particularly difficult to track the location of the |
| can be picked up with a scanner.6. Ticking bombs. | | | | parties based on their signal. Now, that is scary.This |
| Answering machines, voice mail, fax machines | | | | tracking will become even easier when newer 3G |
| anything that requires an access code can be beaten | | | | phones come online because their base stations are |
| (remember the password taped to the computer?).7. | | | | even closer together.What can you do? |
| Starbucks. | | | | 1. Use a regular line for increased security. |
| Never discuss sensitive information in a public | | | | 2. Dedicate a secure line in your office for sensitive |
| restaurant! If I wanted to know about a corporations | | | | communication. They are not cheap. Or-Com offers |
| business, I go to the snack bar at lunch and read the | | | | one that has fair reviews for about $300.00. |
| paper over coffee. You won't believe the things you | | | | 3. Use first names on non-secure lines. |
| hear (if you're in education, teacher lounges are hair | | | | 4. Speak in general terms on non-secure lines.If you |
| raising!).8. Brain cramps. | | | | think these precautions a completely paranoid, you |
| Unlocked cabinets, offices, desks, paper work left out, | | | | may be right. On the other hand, browse Spy |
| answering stupid questions over the phone. Hello?9. | | | | Emporium for an overview of just a few of the |
| Traitors. | | | | surveillance devices available.Part VI.If you work with |
| Face it, some folks will sell you out for the right price. | | | | confidential data, and you use any of the following |
| The right price might be as simple as someone asking, | | | | pieces of technology, it is just a matter of time until |
| "So, what confidential things are you working on these | | | | your confidentiality is compromised.1. Disposable roll fax |
| days?" You really wouldn't believe what people have | | | | machines. |
| told me in answer to that question. Keep sensitive | | | | Used rolls contain copies of every item the machine |
| information on a need to know basis.10. Describing a | | | | has received.2. Unattended fax machines. |
| spy. | | | | Fax machines left on are excellent sources for |
| The typical spy is a short, fat, tall, thin man, with curly, | | | | stealing confidential data. When I expect a fax, I alert |
| bald hair. She often wears provocatively conservative | | | | the office staff to put it in a folder in my in-box.3. |
| clothing and is liberally conservative. In other words, | | | | Dictation machines. |
| ANYBODY is the typical spy.Now I will expound upon | | | | If you use dictation machines and leave tapes on the |
| each section individually.Part 1One of the first areas I | | | | secretaries' desk to be transcribed don't be shocked |
| mentioned in breaches in security was "rifled" trash. I | | | | when a tape goes missing (Tell the truth, this has |
| believe this to be foremost method of stealing | | | | already happened hasn't it?).5. Answering machines. |
| confidential information. In reality it isn't even stealing. In | | | | Most are accessible with a 3 or 4 digit code. Most |
| California Versus Greenwood the Supreme Court held | | | | people don't change the factory set "3, 4, and 5." |
| the Constitution does not prohibit warrant less search | | | | These are easy to hack.6. Cordless microphones. |
| and seizure of garbage left for collection outside the | | | | Crystal clear signals for about 1,300 feet or a quarter |
| curtilage (the enclosed area immediately surrounding a | | | | mile.Part VII.One of the most popular and reliable |
| home or dwelling) of a home. This could include places | | | | methods for gathering information from an organization |
| of business.Here are some pro-active steps you can | | | | is to "scout the perimeter." Although, this is not as sexy |
| take.1. Don't transfer confidential documents to | | | | as the "mission impossible" methods, it is very popular |
| recycling vendors.2. If you have a copier, install a | | | | and very effective.Here are your most frequent weak |
| shredder next to it.3. Purchase a cross-cut shredder | | | | spots.1. The company lunch room. Many people |
| for extremely sensitive documents.4. Destroy all waste | | | | actually carry confidential files with them to review |
| paper.5. Get shredders for each individual. People won't | | | | over lunch. |
| wait in line to use a bulk shredder.6. DON'T KEEP | | | | 2. The neighborhood coffee klatch. This is true for the |
| CARDBOARD BOXES OF UNINVENTORIED OLD | | | | same reason as above. |
| DOCUMENTS LYING AROUND.Part II.Remember, | | | | 3. The guy who is always at the newsstand when |
| James Bond is not interested in your secrets.That | | | | you pick up your paper. You know the one you |
| being said, competitors, disgruntled employees, | | | | discuss current office events with because he doesn't |
| ex-spouses and other wreakers of havoc are | | | | know the people anyway. |
| interested in your secrets.There are many methods of | | | | 4. The chatty new friend your spouse just made. |
| "bugging" out there.The five main categories are, in | | | | Think about this when discussing business with your |
| alphabetical order: Acoustic, Optical, RF, Tie-In, and | | | | spouse. |
| Ultrasonic.1. Acoustic - low tech glass to the wall, | | | | 5. Any off-site meeting places. Luncheon rooms, |
| ventilation, electrical out-let, out side the window, stand | | | | county offices, etc.Part VIIINext to going through the |
| by the door, close proximity listening.2. Optical - high | | | | trash, the most vulnerable area for exploitation is the |
| end and expensive.3. RF - radio frequency and | | | | human brain. |
| receiver devices.4. Tie-in - hooking directly in to a | | | | The major offenders: |
| phone line. The box is usually easily accessible on an | | | | 1. Unsecured offices, cabinets, drawers and doors. |
| exterior wall.5. Ultrasonic - think transmitter, receiver but | | | | 2. Files left on the desk over night. |
| with audio pressure rather than radio waves.The most | | | | 3. Group passwords. |
| prevalent and dangerous of this is alphabetically and | | | | 4. Company phone directories. |
| most destructively listed first. Always be aware of | | | | 5. Desktop rolodexes.Part IXAnother source of |
| your immediate surrounding when discussing | | | | compromised confidential information is the office |
| confidential information.Part IIIAlways check the | | | | traitor. Most people have a price. The price may have |
| identification of persons who pop in to do technical | | | | been paid the last time they were insulted, degraded or |
| work around your office. This is especially true if you | | | | unappreciated at the office. One the other hand, there |
| PERSONALLY have not called them for service. | | | | may be an actual monetary price for which a trusted |
| These folks are known as "spooks".You see, | | | | associate can be turned.Here are some of the |
| "Spooking" is a hide in plain site method of gaining | | | | characteristics you may need to be on the look out |
| access to confidential informationIt seems carrying a | | | | for.1. Those passed over for raises, passed over for |
| clipboard will gain a spook access to most places, | | | | promotion. |
| even those with confidential data to protect.But, there | | | | 2. Those experiencing significant financial difficulty. |
| are other common tools the spook may carry to | | | | 3. Those who gamble. |
| increase their appearance of authenticity: 2-way Radio, | | | | 4. Those that employ recreational pharmaceuticals |
| Maglight, Construction worker hard hat, and my | | | | (including alcohol). |
| personal favorite the attention tone cell phone. Now, | | | | 5. Those involved in labor and management disputes. |
| this particular ruse means the spook has a partner but | | | | 6. Those that seem to always be on the lookout for |
| is anything more impressive than that tone from the | | | | the next big deal.Part X.Basically, if you take a look at |
| "base office" checking the technicians' | | | | the qualifications for a field agent for the CIA you can |
| status?However, the most powerful, by far, access | | | | build a fair profile of what an office spy may "look |
| granting technique (I mean this will get you in | | | | like."1. A Bachelors Degree, rarely more. |
| anywhere) is a set of Dickies. Yes, Dickies. The same | | | | 2. Solid academic record, not outstanding. |
| things you wore for summer jobs in high school and | | | | 3. Interest in inter-business and international affairs. |
| college. They are a virtual cloak of invisibility in our | | | | 4. Solid interpersonal skills. |
| culture.Most common guises:1. Telephone | | | | 5. Solid communication skills. |
| communications technicians - (typically wearing blue | | | | 6. Frequent traveler. |
| grey Dickies)2. Computer service technicians - (polo | | | | 7. Interest in foreign languages. |
| shirt and tan Dickies pants)3. Copy machine technicians | | | | 8. Prior residence outside the area. |
| - (polo shirt and blue Dickies pants)4. Custodians - | | | | 9. Possible prior military experience. |
| (typically anyone with a set of blue/grey Dickies is | | | | 10. Experience in business and/or economics (but with |
| granted cart blanche access)5. Messenger services - | | | | deficit skills in their own finance management). |
| (typically wearing brown Dickies)6. A/C heating | | | | 11. The person is usually between the ages of 21-35. |
| technicians - (typically wearing blue-green Dickies)The | | | | 12. Previous work in law enforcement or corrections. |
| beauty of this type of "spooking" is nobody ever | | | | 13. May be considered a loner, not a joiner. |
| challenges these folks. And if some particularly diligent | | | | 14. No police record. |
| person does question them, the spook goes into his, | | | | 15. Hobbies include martial arts, scuba, hunting, |
| "fine with me, but it will be at least four weeks until I | | | | proficiency with firearms, chess, math, avid reader, |
| can get back here. We're really backed up." That is | | | | may write prolifically or play a musical instrument, etc. |
| usually enough to intimidate even the most on top of | | | | 16. The person may be interested in training manuals |
| things staff member.I don't usually recommend testing | | | | and field guides.In other words, just about anybody |
| out these surveillance techniques, the power of the | | | | who would make a good employee. The key is to look |
| Tricky Dickie is not to be believed unless you actually | | | | for unusual groupings of these skills. Most people will |
| see it in action. So, get your lazy brother-in-law a set | | | | meet 3 or 4 of the criteria. Those who meet 6 or |
| of Dickies and send him through your office. You won't | | | | more should be considered possible candidates.This |
| believe the results. Afterwards, get the lazy bum to do | | | | section completes a ten part series concerning |
| your yard work so you get your moneys worth from | | | | confidentiality and security. |
| the Dickie investment.Part IVThere are many ways of | | | | |