Help: Can anyone identify what this is?
Hi everyone,
We had someone loitering near our front office door today. The conversation went like this:
Me: What are you doing?
Him: Nothing
Me: Where are you from?
Him: A company
Me: Do you work for Google (he was wearing a Google t-shirt)?
Him: No
Me: Who do you work for?
Him: Leidos
He had a device hidden near the stairwell door:
https://www.alfie.wtf/photos/wispy.jpg
Sorry for the low quality image. It was taken from a capture of a video. I've got the video at work but would rather not release it as yet because it has his face on it.
The diameter of the antenna base was around 2cm and the height of the antenna was around 15cm.
Someone on Reddit said that it looked like a jammer. After going to Google Images and searching for the following, it looks like he's on the right track:
- "GSM detector"
- "GSM jammer"
- "GPS detector"
- "GPS jammer"
If anyone has info on what this device could be or where I could go to get more info, that would be much appreciated.
Alfie
-- Alfie John alfiej@fastmail.fm
It would be helpful to know what the units of measurement are on the side. If they are amps it would indicate that the boxes are transmitting a signal, rather than listening. Can you tell from the video? Were the lights flashing? Interesting that only one is illuminated in this photo. On Thu, Mar 19, 2015 at 5:23 AM, Alfie John <alfiej@fastmail.fm> wrote:
Hi everyone,
We had someone loitering near our front office door today. The conversation went like this:
Me: What are you doing?
Him: Nothing
Me: Where are you from?
Him: A company
Me: Do you work for Google (he was wearing a Google t-shirt)?
Him: No
Me: Who do you work for?
Him: Leidos
He had a device hidden near the stairwell door:
https://www.alfie.wtf/photos/wispy.jpg
Sorry for the low quality image. It was taken from a capture of a video. I've got the video at work but would rather not release it as yet because it has his face on it.
The diameter of the antenna base was around 2cm and the height of the antenna was around 15cm.
Someone on Reddit said that it looked like a jammer. After going to Google Images and searching for the following, it looks like he's on the right track:
- "GSM detector"
- "GSM jammer"
- "GPS detector"
- "GPS jammer"
If anyone has info on what this device could be or where I could go to get more info, that would be much appreciated.
Alfie
-- Alfie John alfiej@fastmail.fm
On Thu, Mar 19, 2015, at 07:12 PM, Troy Etulain wrote:
It would be helpful to know what the units of measurement are on the side.
I'm at home now so can't give you measurements based on the size of the tiles vs the device from the video. I'll be in on Monday and update the thread... but off the cuff I'd say it's about 25cm x 25cm and 10cm high. The antenna's base was around 2cm diameter and antenna height around 20cm. He held it by a single antenna when he left, and the way it swung as he lifted it up onto his clipboard I'd say it wasn't light but wasn't heavy. Random stab - 600g in total (I'm comparing it to a Kindle that I've got nearby).
If they are amps it would indicate that the boxes are transmitting a signal, rather than listening. Can you tell from the video?
Not sure how I could tell.
Were the lights flashing? Interesting that only one is illuminated in this photo.
Only one light was constantly on. No flashing. Alfie -- Alfie John alfiej@fastmail.fm
Monopole antennas (a rod perpendicular to a ground plane) are usually tuned (sized in length) to be either 1/4 of a wavelength of the rf being transmitted/received, or 5/8 wave. Jim Bell On Thursday, March 19, 2015 6:04 AM, Alfie John <alfiej@fastmail.fm> wrote: On Thu, Mar 19, 2015, at 07:12 PM, Troy Etulain wrote:
It would be helpful to know what the units of measurement are on the side.
I'm at home now so can't give you measurements based on the size of the tiles vs the device from the video. I'll be in on Monday and update the thread... but off the cuff I'd say it's about 25cm x 25cm and 10cm high. The antenna's base was around 2cm diameter and antenna height around 20cm. He held it by a single antenna when he left, and the way it swung as he lifted it up onto his clipboard I'd say it wasn't light but wasn't heavy. Random stab - 600g in total (I'm comparing it to a Kindle that I've got nearby).
If they are amps it would indicate that the boxes are transmitting a signal, rather than listening. Can you tell from the video?
Not sure how I could tell.
Were the lights flashing? Interesting that only one is illuminated in this photo.
Only one light was constantly on. No flashing. Alfie -- Alfie John alfiej@fastmail.fm
On Fri, Mar 20, 2015, at 04:23 AM, jim bell wrote:
Monopole antennas (a rod perpendicular to a ground plane) are usually tuned (sized in length) to be either 1/4 of a wavelength of the rf being transmitted/received, or 5/8 wave. Jim Bell
Awesome. I was hoping that someone would have technical info like that. Thanks. Alfie -- Alfie John alfiej@fastmail.fm
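Added example (not from the thread, and not anyone's code here): Jim Bell's rule of thumb above (monopole cut to 1/4 or 5/8 of a wavelength) applied to the 15-20 cm antenna length Alfie estimated, to see which common bands a bare rod of that length would be resonant in. The band table is a constructed subset of well-known allocations; the 15-20 cm figure is the thread's rough estimate, treated as an assumption.

```python
# Added example: which bands could a 15-20 cm monopole be cut for, assuming the
# antenna is a bare 1/4-wave or 5/8-wave rod over a ground plane (Jim Bell's rule)?
C_M_PER_S = 299_792_458.0

BANDS_MHZ = {  # name: (lower edge, upper edge); constructed reference table
    "2.4 GHz Wi-Fi": (2400.0, 2500.0),
    "GSM 1800": (1710.0, 1880.0),
    "GPS L1": (1574.0, 1577.0),
    "GSM 900": (880.0, 960.0),
    "433 MHz ISM": (433.05, 434.79),
}
TUNINGS = {"1/4 wave": 0.25, "5/8 wave": 0.625}


def resonant_freq_mhz(length_m: float, fraction: float) -> float:
    """Frequency at which a rod of length_m is `fraction` of a wavelength."""
    return C_M_PER_S / (length_m / fraction) / 1e6


def monopole_length_m(freq_mhz: float, fraction: float) -> float:
    """Rod length that is `fraction` of a wavelength at freq_mhz."""
    return fraction * C_M_PER_S / (freq_mhz * 1e6)


def candidate_bands(min_len_m: float, max_len_m: float) -> dict:
    """For each tuning, list the bands overlapping the frequency range implied
    by the measured length range (a shorter rod resonates higher)."""
    result = {}
    for name, frac in TUNINGS.items():
        f_hi = resonant_freq_mhz(min_len_m, frac)
        f_lo = resonant_freq_mhz(max_len_m, frac)
        result[name] = [b for b, (lo, hi) in BANDS_MHZ.items()
                        if lo <= f_hi and hi >= f_lo]
    return result


def length_fits(freq_mhz: float, min_len_m: float, max_len_m: float) -> list:
    """Which tunings would put a monopole for freq_mhz inside the measured range."""
    return [n for n, frac in TUNINGS.items()
            if min_len_m <= monopole_length_m(freq_mhz, frac) <= max_len_m]


if __name__ == "__main__":
    # The thread's estimate: 15-20 cm tall antenna.
    print(candidate_bands(0.15, 0.20))
    print("2.4 GHz tunings that fit 15-20 cm:", length_fits(2450.0, 0.15, 0.20))
```

The rule only covers a bare rod over a ground plane; the sleeved dipole and collinear gain whips commonly sold for 2.4 GHz Wi-Fi are physically longer than a quarter wave, so treat this as a sanity check on a guess, not an identification.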
On Thu, Mar 19, 2015 at 1:23 AM, Alfie John <alfiej@fastmail.fm> wrote:
If anyone has info on what this device could be or where I could go to get more info, that would be much appreciated.
Well whatever it is it looks like maybe 6 freq/id labels and one of them doing 20dB. This stray porcupine needs a nice warm home on your lab bench.
On Thu, Mar 19, 2015, at 07:32 PM, grarpamp wrote:
On Thu, Mar 19, 2015 at 1:23 AM, Alfie John <alfiej@fastmail.fm> wrote:
If anyone has info on what this device could be or where I could go to get more info, that would be much appreciated.
Well whatever it is it looks like maybe 6 freq/id labels and one of them doing 20dB. This stray porcupine needs a nice warm home on your lab bench.
I don't think we'll see him again any time soon :) Alfie -- Alfie John alfiej@fastmail.fm
On Thursday, 19 March 2015 at 23:24:30, Alfie John wrote:
On Thu, Mar 19, 2015, at 07:32 PM, grarpamp wrote:
On Thu, Mar 19, 2015 at 1:23 AM, Alfie John <alfiej@fastmail.fm> wrote:
If anyone has info on what this device could be or where I could go to get more info, that would be much appreciated.
Well whatever it is it looks like maybe 6 freq/id labels and one of them doing 20dB. This stray porcupine needs a nice warm home on your lab bench.
I don't think we'll see him again any time soon :)
Dang. Maybe he would share some more fun toys? ;) -- Regards, Michał "rysiek" Woźniak Changing my GPG key :: http://rys.io/pl/147 GPG Key Transition :: http://rys.io/en/147
On Thu, Mar 19, 2015, at 05:24, Alfie John wrote:
On Thu, Mar 19, 2015, at 07:32 PM, grarpamp wrote:
On Thu, Mar 19, 2015 at 1:23 AM, Alfie John <alfiej@fastmail.fm> wrote:
If anyone has info on what this device could be or where I could go to get more info, that would be much appreciated.
Well whatever it is it looks like maybe 6 freq/id labels and one of them doing 20dB. This stray porcupine needs a nice warm home on your lab bench.
I don't think we'll see him again any time soon :)
Haha, ya you'll probably just see his more discreet senior next time! Leidos, being a subsidiary of SAIC, makes me concerned this man might be working on contract to perform non-destructive entry of your facility. Newbish to not have a pretext, unless the pretext is being from Leidos, in which case maybe the intent is just to induce fear.
The thorough rubber banding is weird. They seem like independent devices, but it looks like the intention is to deploy them as a set (if you're deploying three surreptitiously through an area, why not undo a bit more of the packaging first?) The boxes appear to have two labels on top of them; the second label is only somewhat visible on the rightmost box. All three labels visible appear to start with 0x3; left to right I can read: 0x3[f/1?]e[]2, 0x3[f/1?][e?][] and 0x342[f/1?]2. Searching for these preliminary transcriptions doesn't yield anything substantial.
Is the door he was seen at shared with other parties? If so, having building management reach out to other tenants with a photograph of the man and the device would be a good way to enhance situational awareness around the building and to make any later attempt at whatever he was doing more difficult without explicit collaboration. Sharing these details and concerns may possibly aid in correlating the activity with authorized activities from the other tenants. If it's a single tenancy area, be sure to share these details with your management and co-workers if you haven't already.
Is the door, or any nearby door, secured via a prox-card system? If so, my first assumption is this might be an attempt to record RFID transactions.
Does your business have wireless access points reachable from the device location? This may be targeting that traffic if so.
Naturally, several of these questions have potentially operationally sensitive answers and you shouldn't answer them here. Just some things to consider.
I think your business should:
- share all information with other tenants/coworkers/building management to increase situational awareness and potentially reveal the reason for this event.
- begin considering doing a TSCM sweep
- consider enlisting counsel to reach out to Leidos to get them to affirm or deny participation in this escapade
- consider contracting with a firm to provide heightened guarding
-- 0x7D964D3361142ACF
On Fri, Mar 20, 2015, at 03:50 AM, Max R.D. Parmer wrote:
Leidos, being a subsidiary of SAIC, makes me concerned this man might be working on contract to perform non-destructive entry of your facility. Newbish to not have a pretext, unless the pretext is being from Leidos, in which case maybe the intent is just to induce fear.
Is the door he was seen at shared with other parties? If so, having building management reach out to other tenants with a photograph of the man and the device would be a good way to enhance situational awareness around the building and to make any later attempt at whatever he was doing more difficult without explicit collaboration. Sharing these details and concerns may possibly aid in correlating the activity with authorized activities from the other tenants. If it's a single tenancy area, be sure to share these details with your management and co-workers if you haven't already.
Sorry, I should have mentioned that Leidos are in the same building as us. However, they are not on our floor and are separated by a few floors, so he had zero business being on our level. We're considering getting building management to set up swipe access to our level.
Is the door, or any nearby door, secured via a prox-card system? If so, my first assumption is this might be an attempt to record RFID transactions.
Yes, you need RFID to get into our office space.
Does your business have wireless access points reachable from the device location? This may be targeting that traffic if so.
Yes. This was our main concern. Seeing the antennas made me immediately think that it was some sort of pentest into our wifi.
Naturally, several of these questions have potentially operationally sensitive answers and you shouldn't answer them here. Just some things to consider.
I think your business should: - share all information with other tenants/coworkers/building
Already done. I've shown the video to the other tenants on the same floor and they have all turned on the awareness.
management to increase situational awareness and potentially reveal the reason for this event.
Management were as suspicious as I was. Since Snowden, we (I work at FastMail) have upped our paranoia for obvious reasons as I would consider us to be in the same boat as the other targets.
- begin considering doing a TSCM sweep
This makes sense. Never considered it before.
- consider enlisting counsel to reach out to Leidos to get them to affirm or deny participation in this escapade
Yeah, that's why I was asking for info on the device. We wanted to know what it was so we knew how to approach them.
- consider contracting with a firm to provide heightened guarding
Yep. Considering our options. Thanks for your response. Alfie -- Alfie John alfiej@fastmail.fm
On Fri, 20 Mar 2015 09:56:22 +1100 Alfie John <alfiej@fastmail.fm> wrote:
Sorry, I should have mentioned that Leidos are in the same building as us.
This is...too rich? Yours is some kind of email provider with offices in the same building as some* US 'defense' contractor. *and IIRC these saic shitbags had something to do with the tor/freedom hosting affair? yep http://www.slate.com/blogs/future_tense/2013/08/05/freedom_hosting_saic_nsa_...
However, they are not on our floor
Now, that's reassuring. Anyway, best of luck.
On Fri, Mar 20, 2015, at 10:46 AM, Juan wrote:
Sorry, I should have mentioned that Leidos are in the same building as us.
This is...too rich? Yours is some kind of email provider with offices in the same building as some* US 'defense' contractor.
Don't worry, the irony is not lost on us.
*and IIRC these saic shitbags had something to do with the tor/freedom hosting affair?
yep
http://www.slate.com/blogs/future_tense/2013/08/05/freedom_hosting_saic_nsa_...
Yep, they've since rebranded.
However, they are not on our floor
Now, that's reassuring. Anyway, best of luck.
Thanks! Alfie -- Alfie John alfiej@fastmail.fm
On Thu, Mar 19, 2015 wrote:
Is the door, or any nearby door, secured via a prox-card system? If so, my first assumption is this might be an attempt to record RFID transactions.
Some RFID implementations are capturable for replay, some are 2F like challenge response plus pinpad on the fob/paddle. Consider physical lock and key plus pin / swipe / bio. Have doors audio infrared video camera record stream to offsite. Verify staff is defensive against social engineering and collect curious events. Use real end2end software openvpn / ssh to host/lan over wifi, not just silly soho style router firmwares for wlan and firewall protection. Etc. Set out some cookies for new friends :)
On Sat, Mar 21, 2015, at 04:45 PM, grarpamp wrote:
On Thu, Mar 19, 2015 wrote:
Is the door, or any nearby door, secured via a prox-card system? If so, my first assumption is this might be an attempt to record RFID transactions.
Some RFID implementations are capturable for replay, some are 2F like challenge response plus pinpad on the fob/paddle. Consider physical lock and key plus pin / swipe / bio. Have doors audio infrared video camera record stream to offsite. Verify staff is defensive against social engineering and collect curious events. Use real end2end software openvpn / ssh to host/lan over wifi, not just silly soho style router firmwares for wlan and firewall protection. Etc. Set out some cookies for new friends :)
The device was actually right next to our RFID reader for the office door. He did manage to capture one person walk through, who then alerted me to his presence. Yeah, our netsec is best practice. Alfie -- Alfie John alfiej@fastmail.fm
On Mar 21, 2015, at 7:51 AM, Alfie John <alfiej@fastmail.fm> wrote:
The device was actually right next to our RFID reader for the office door. He did manage to capture one person walk through, who then alerted me to his presence.
Yeah, our netsec is best practice.
Just throwing this out there, but perhaps it was simply a diversion in the physical realm to take a slight edge away from a network realm. -Benjamin
On Sun, Mar 22, 2015, at 06:33 AM, bbrewer wrote:
On Mar 21, 2015, at 7:51 AM, Alfie John <alfiej@fastmail.fm> wrote:
The device was actually right next to our RFID reader for the office door. He did manage to capture one person walk through, who then alerted me to his presence.
Yeah, our netsec is best practice.
Just throwing this out there, but perhaps it was simply a diversion in the physical realm to take a slight edge away from a network realm.
By the look on his face, I'm pretty sure he didn't expect us to come out, especially while recording video :) Alfie -- Alfie John alfiej@fastmail.fm
On 03/22/2015 02:08 PM, Alfie John wrote:
By the look on his face, I'm pretty sure he didn't expect us to come out, especially while recording video :)
Any chance that video might wind up accessible someplace? Maybe someone here recognizes the individual in question (or has access to facial recognition software that doesn't suck). -- The Doctor [412/724/301/703/415] [ZS] PGP: 0x807B17C1 / 7960 1CDC 85C9 0B63 8D9F DD89 3BD8 FF2B 807B 17C1 WWW: https://drwho.virtadpt.net/ "I slip into the archaic at dramatically appropriate moments. So sue me." --Harry Dresden
On 3/18/15, Alfie John <alfiej@fastmail.fm> wrote:
... We had someone loitering near our front office door today. The conversation went like this:
Me: What are you doing?
Him: Nothing
Me: Where are you from?
Him: A company
Me: Do you work for Google (he was wearing a Google t-shirt)?
Him: No
Me: Who do you work for?
Him: Leidos
sounds legit ;P
He had a device hidden near the stairwell door:
this is likely automated wifi attack gear. the three units together could cover channels 1, 6, 11 concurrently. (in my own kit, 4-8 radios is sweet spot) the extra battery capacity lets it run for days attacking on full auto. unlikely to be a jammer because they cover more frequencies and this appears tuned to 2.4GHz. you should be running wireless intrusion (e.g. custom kismet?) monitoring to look for malicious activity. and of course, it is time to change all your WPA2 passwords! (or switch to WPA-Enterprise)
On Fri, Mar 20, 2015, at 11:21 AM, coderman wrote:
On 3/18/15, Alfie John <alfiej@fastmail.fm> wrote: this is likely automated wifi attack gear. the three units together could cover channels 1, 6, 11 concurrently. (in my own kit, 4-8 radios is sweet spot)
Well that's interesting. I wondered why there were three units.
the extra battery capacity lets it run for days attacking on full auto.
He put it in near the stairwell door (almost next to our door RFID), but it was in full view of anyone walking to the elevators. So I don't think he was trying to hide, otherwise he would have done it from behind the stairwell door and not in plain sight. Maybe it was just bad opsec?
you should be running wireless intrusion (e.g. custom kismet?) monitoring to look for malicious activity. and of course, it is time to change all your WPA2 passwords! (or switch to WPA-Enterprise)
Awesome. Thanks for the advice. Will look into wireless intrusion detection. WPA-Enterprise too. Alfie -- Alfie John alfiej@fastmail.fm
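Added example (not from the thread, and not coderman's or anyone else's code): two checks a wireless intrusion monitor of the kind recommended above would run over a monitor-mode capture on channels 1, 6 and 11, a deauthentication-burst counter and an SSID-clone (evil twin) check against an AP inventory. The frame records, MAC addresses, SSID and thresholds are constructed sample data; a real deployment would feed frames from Kismet or a pcap parser.

```python
# Added example: minimal wireless-IDS checks over a constructed 802.11 capture.
from collections import defaultdict, deque

DEAUTH_THRESHOLD = 10   # deauth frames from one BSSID on one channel ...
WINDOW_S = 5.0          # ... within this many seconds raises one alert


def deauth_bursts(frames, threshold=DEAUTH_THRESHOLD, window=WINDOW_S):
    """Sliding-window count of deauthentication frames per (bssid, channel).
    Spoofed deauths carry the victim AP's address, so counting per BSSID
    catches them. Returns one alert per burst, when the threshold is reached."""
    alerts, recent = [], defaultdict(deque)
    for f in sorted(frames, key=lambda x: x["t"]):
        if f["type"] != "deauth":
            continue
        q = recent[(f["bssid"], f["channel"])]
        q.append(f["t"])
        while f["t"] - q[0] > window:      # drop timestamps outside the window
            q.popleft()
        if len(q) == threshold:            # == so a long burst alerts only once
            alerts.append((f["bssid"], f["channel"], f["t"]))
    return alerts


def evil_twins(frames, known_aps):
    """Beacons advertising one of our SSIDs from a BSSID not in the inventory."""
    hits = set()
    for f in frames:
        if (f["type"] == "beacon" and f["ssid"] in known_aps
                and f["bssid"] not in known_aps[f["ssid"]]):
            hits.add((f["ssid"], f["bssid"], f["channel"]))
    return sorted(hits)


# Constructed capture: a 12-frame deauth burst against our AP on channel 6 and a
# rogue beacon cloning our SSID on channel 1. Addresses and SSID are made up.
OUR_AP = "aa:bb:cc:dd:ee:01"
ROGUE_AP = "de:ad:be:ef:00:01"
KNOWN_APS = {"corp-wifi": {OUR_AP}}
CAPTURE = (
    [{"t": 0.1 * i, "type": "deauth", "bssid": OUR_AP, "channel": 6} for i in range(12)]
    + [{"t": 0.5, "type": "beacon", "bssid": OUR_AP, "ssid": "corp-wifi", "channel": 6},
       {"t": 0.7, "type": "beacon", "bssid": ROGUE_AP, "ssid": "corp-wifi", "channel": 1}]
)

if __name__ == "__main__":
    print("deauth bursts:", deauth_bursts(CAPTURE))
    print("evil twins:", evil_twins(CAPTURE, KNOWN_APS))
```

With WPA-Enterprise (802.1X) the rogue-beacon check still matters, since a cloned SSID can harvest credentials from clients that do not validate the RADIUS server certificate.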
participants (10)
- Alfie John
- bbrewer
- coderman
- grarpamp
- jim bell
- Juan
- Max R.D. Parmer
- rysiek
- The Doctor
- Troy Etulain