TSCM-L Technical Security List Monday, June 8, 1998 Volume 1998 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Postings: TSCM-L@tscm.com Unsubscribe: unsubTSCM-L@tscm.com Subscribe: subTSCM-L@tscm.com Admin: jmatk@tscm.com This material will only be sent to you upon your direct request, either by your email request, or by signing up via our web page. TSCM-L is published by Granite Island Group, and is written by James M. Atkinson. ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ A telephone eavesdropping system was recently encountered which is being sold by a company in Pomezia, Italy. The system is for use on AT&T System 25, 75, and 85 PBX systems (other versions are available for 1030, 3070, Merlin, and Partner systems). The first element of the system consists of a station card which has been built from scratch and appears almost identical to the original cards built by AT&T. There are no modifications on the card, and all components appear legitimate The only visual difference between the cards is several additional integrated circuits, and discrete components. Additionally, on the silkscreen side of the card is a small logo consisting of an upper case letter E followed by a 7xx type of number (such as E-728). The logo will appear diagonally across the card from the serial number. Each station card will support 8 digital phones, and one outgoing circuit. The second element of the system is the printed circuit board that goes into the actual telephone. Much like the station card the printed circuit board appears original but closer inspection will reveal a small number of extra components and PCB traces which go to the four pair position. Suspect telephones will present an anomaly on the power and/or 4th pair. The signal is a digital data signal (usually 160 Kbps). Vector signal analysis will indicate a QAM/BPQSK cats-eye (a digital audio signal via a seven stage parasitic polynomial 1+x6+x7 algorithm). Waveform is a serial data stream, bipolar signal at roughly 700mV (680-715 mV depending on instrument). Power drain is fairly high (average of 136% over normal), but station card will not indicate an over-current condition or station error. Serial data stream is constant, and only affected by application of power. Signal stops if power is removed for more than 15 milliseconds. Disconnection of handset does not effect signal. Signal is present in both on-hook and off-hook conditions. The third element of the system is a small modification to the PBX back plane which consists of two small wires which are tacked into place between the station card and the line card. This bridging circuit allows a T-Carrier signal to pass from the station card to an unused cable pair for an outgoing signal path (usually the 25th pair). This modification will appear to be a legitimate factory modification to the backplane. The fourth element of the system is the transmission path back to the listening post (which will appear to be a T-1 signal, but will only use one cable pair). A RF transmitter could be used, however; such an emission would increase the possibility of the system being detected if used inside or near the target facility. A RF transmitter could be used once the signal is well outside the facility. The transmission path will normally consist of a T-Carrier signal that can be traced to a facility demarcation point and then to an external cable pair. The signal will typically terminate at (or just prior to) an off-site SLC box. At this point the T-Carrier signal will be bridged back to a listening post either by hardwiring or an RF transmitter (though the use of a bridging capacitor to isolate the DC components of the circuit). Faked power outages in the PBX or server room will typically be used to cover the installation activities. The installation consists of swapping the station card, and then installing the jumper wires on the back plane. While the power is still off the special printed circuit boards are installed into the target phones. Optionally, the telephone may simply be swapped with an instrument that has been modified in advance. Power is then restored with the event being logged as a short power outage (usually during bad weather or construction work). ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ French Magistrate Targets Official Wiretapper PARIS, May 28 (Reuters) - A man who headed France's official wiretap unit has been placed under investigation in connection with illegal eavesdropping carried out on orders of the late President Francois Mitterrand's office, judicial sources said on Thursday. Army Brigadier General Pierre Charroy, 63, was ordered placed under investigation for complicity in invasion of privacy in his capacity as head of the discreetly named Interministerial Control Group (GIC) under Mitterrand, the sources said. The GIC is officially entrusted with carrying out wiretaps on the orders of magistrates in cases of espionage or serious crimes. The body is so shrouded with secrecy that it is not known if Charroy still heads it. Former Mitterrand aides acknowledged last year that the late president, who ruled from 1981-1995, had ordered security officers attached to his office to carry out illegal wiretaps on the telephone lines of lawyers, journalists, politicians and at least one movie actress. The justice sources said magistrate Jean-Paul Vallat suspected Charroy of having aided the presidential wiretappers who acted without the permission of magistrates, making their actions illegal. Prime Minister Lionel Jospin pledged in last year's general election campaign to end an era of "monarchical secrecy" if he came to power and to lift the lid on cases like possible illegal wiretapping under Mitterrand, with whom Jospin was on poor terms. Jospin has since been accused of dragging his feet on the promise since he became prime minister and judge Vallat has written to ask for his help in his probes. Some 15 former Mitterrand aides are under investigation and could face possible trial in the case. Mitterrand died in 1996, seven months after leaving office. ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ The following pages which contain TSCM equipment reviews have been updated and are now available: http://www.tscm.com/tmdespect.html http://www.tscm.com/tmdeantenna.html http://www.tscm.com/fluke785.html http://www.tscm.com/tmdenljd.html http://www.tscm.com/tmdedemod.html http://www.tscm.com/tmdeacous.html http://www.tscm.com/tmdeanc.html http://www.tscm.com/tmdeaux.html http://www.tscm.com/tmdecraft.html http://www.tscm.com/tmdephot.html http://www.tscm.com/tmdephys.html http://www.tscm.com/tmdescope.html http://www.tscm.com/tmdesets.html http://www.tscm.com/tmdetdr.html http://www.tscm.com/tmdevehcl.html http://www.tscm.com/tmdevideo.html http://www.tscm.com/tmdevom.html http://www.tscm.com/tmdevsa.html http://www.tscm.com/intercept1.html http://www.tscm.com/reioscor.html http://www.tscm.com/spectan.html http://www.tscm.com/tmde.html http://www.tscm.com/training.html http://www.tscm.com/trainingciv.html http://www.tscm.com/traininggov.html ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Granite Island Group Mission and Purpose Statement Granite Island Group provides expert technical, analytical and research capability for the detection, nullification, and isolation of eavesdropping devices, technical surveillance penetrations, technical surveillance hazards, and physical security weaknesses. Detection: Measures taken to detect technical surveillance devices, technical security hazards, and physical security weaknesses that would permit the technical or physical penetration of a facility. Nullification: The process of neutralizing or negating technical devices employed by making the placement of such devices more difficult. This includes ensuring that a room is protected with adequate physical construction and security measures thus making the placement or use of illegal listening devices ineffective. Isolation: A method to deter, or make extremely difficult, the introduction of eavesdropping devices by establishing special security areas, for the conduct of classified or sensitive activities. Granite Island Group also provides: Vulnerability Analysis to provide senior management with guidelines for the enhancement of security and reduction of the vulnerability of sensitive areas to the technical surveillance threat. Design, Manufacture, and Sale of TSCM, signals intelligence, cryptographic, and related secure communications systems and devices. Research and Development of technical systems, devices, and tradecraft utilized by the intelligence community. Development of Specialized Computer Software and Firmware. Design and Installation of high performance computer networks and communications systems. Disaster Preparedness Planning Intelligence Analysis and activities to determine the existence and capability of surveillance equipment being used against the United States Government, United States corporations, establishments, or persons. Special emphasis is given to detecting and countering espionage and other threats and activities directed by foreign intelligence services. Specialized Training for those in sensitive positions concerning the threat of technical surveillance and the part they can play in the TSCM program. This includes advanced training and seminars for TSCM teams and technical security personnel. Closed Enrollment Training regarding technical security and protective related issues. ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Copyright ©1998 Granite Island Group. All Rights Reserved. ======================================================================= Everybody's into computers... Who's into yours? ======================================================================= James M. Atkinson Phone: (978) 546-3803 Granite Island Group - TSCM.COM 127 Eastern Avenue #291 http://www.tscm.com/ Gloucester, MA 01931 jmatk@tscm.com ======================================================================= Do not try the patience of Wizards, for they are subtle and quick to anger. =======================================================================