Electronic Security Sweeps for Law Firms and their Clients

Transcript

Digital Detectives

Electronic Security Sweeps for Law Firms and their Clients

03/14/2017

Intro: Welcome to Digital Detectives, reports from the battlefront. We will discuss computer forensics, electronic discovery and information security issues and what’s really happening in the trenches, not theory, but practical information that you can use in your law practice, right here on the Legal Talk Network.

Sharon D. Nelson: Welcome to the 77th edition of Digital Detectives. We are glad to have you with us. I am Sharon Nelson, President of Sensei Enterprises.

John W. Simek: And I am John Simek, Vice President of Sensei Enterprises. Today on Digital Detectives our topic is Electronic Security Sweeps for Law Firms and their Clients.

Sharon D. Nelson: Before we get started, I would like to thank our sponsors. We would like to thank our sponsor SiteLock, the global leader in website security solutions. Learn more at  HYPERLINK “http://www.sitelock.com/legal/digitaldetectives” sitelock.com/legal/digitaldetectives.

We would also like to thank our sponsor PInow.com, need a private investigator you can trust, visit  HYPERLINK “http://www.pinow.com” pinow.com to learn more.

John W. Simek: We are delighted to welcome as today’s guest Charles Patterson, the Founder and President of Exec Security, TSCM, specializing in technical surveillance countermeasures, often referred to as electronic bug sweeps, and has been providing security sweeps for corporations and high profile clientele for over 20 years.

Charles began his career in 1978, working in executive protection and technical security services, traveling throughout the United States and over 40 different countries. During that time he gained extensive experience with many technologies, including two-way radio, telecom, audio systems, video surveillance and many others, and that led him to start his own business in 1995, specializing in TSCM.

Exec Security is one of the few full-time professional providers of electronic TSCM sweeps in the United States, serving major corporations, attorneys and private investigation firms throughout the US and the world. Thanks for joining us today Charles.

Charles Patterson: Good morning. Thanks a lot guys.

Sharon D. Nelson: Well, I have got to tell you Charles that when I first read the acronym TSCM, I went, what is that? So I was happy to find that it was spelled out, but I am guessing that many of our listeners do not know what technical surveillance countermeasures actually means in the real world. So can you help them to understand?

Charles Patterson: Sure. Yeah, the initials are easy to mix up. I hear people all the time going TCSM or they just mix the letters up, but that happens with acronyms all the time.

So I think the official name originated in the military, but it’s technical surveillance countermeasures. So it’s how do you protect against technical surveillance?

So, technical surveillance can be a lot of different things. It could be radio transmitters bugging devices, microphones, miniature recorders, covert video cameras are a big concern, also wiretaps and communications interception and that can be telephone systems, but it could also be other things, intercoms, paging systems, conference equipment, any type of audio transmission or video or loss of information through technical means, that’s the stuff we want to protect against, and that’s where the countermeasures come in.

It’s not really like the movies, a lot of times you will see in the movie somebody is waving a little black box around and if it beeps or lights up they think they have found a bug, but it’s a lot more. Detection techniques can be radio signal analysis as part of it, using spectrum analyzers or other equipment. Thermal imaging has become popular in recent years, electronic device detection from other types of electronic components, and of course telecom, data, wiring inspection and a major part of a sweep is a physical inspection as well, where we really want to take a close look at anything that might be posing a threat.

John W. Simek: Well, Charles, I am glad to hear that it’s not like television. I get the same thing when I — because I don’t watch CSI anymore doing forensics work, so I am glad to hear that. But can you tell our listeners how TSCM is related to cybersecurity.

Charles Patterson: Sure. Because I started listening to your podcast probably a couple of years ago, because you are covering a lot of the digital concerns that people face today. Cyber is such a big concern, the threat is big, and the risk is big as well, but there’s some areas of information security that may not quite be covered fully by cybersecurity and they may not be covered by other aspects of security, like physical security.

In the Wi-Fi, for instance, there can be rogue access points that may not be detected or noticed when someone is doing a big job with the firewall, protecting from the outside, somebody on the inside may come along and install something that goes undetected for a while.

(00:05:06)

Also in the wiring and the physical layer of the network, it’s possible to put in an ethernet tap that can physically tap an ethernet line, and there’s spare wires in every ethernet jack, there may be a spare pair of wires that has been known to be used for attaching a microphone to it. I even found a microphone built into an RJ45 ethernet jack using a spare pair, so that whoever was at the other end, whether it was at a patch panel or somewhere down the line, they could tap on to that and listen in to the room conversations.

Sharon D. Nelson: So why do people need to have these kind of sweeps done?

Charles Patterson: Well, I consider three different categories in which when people call us, it’s one of these three things usually. One is incident response. Somehow they have detected that information has been leaked or they suspect that information has been leaked. It could be that something was found online on the Internet someplace where they thought that, how come that information got out.

Another concern might be that there was a break in at the company. It may appear as if someone was just trying to commit a theft or robbery, but perhaps that was a cover for something else. Maybe they were trying to plant some device and they are not sure. Or if they are just suspicious about an employee or even an executive who was just fired, they may say listen, we need to find out was anything going on that they may have left behind or something like that.

Another category is just regular security concerns. A lot of corporations will have regular sweeps done, periodically, quarterly is recommended, but it could be even semiannually, where there hasn’t been no particular threat, but we will come in and we will do a sweep just to make sure that security is maintained.

You might consider it’s like having a fire inspection done. You don’t think there’s going to be a fire, but you want to have someone go and check to make sure that there’s no threats present.

And then the third category is when there’s this very serious or significant upcoming event, perhaps a board meeting or some other type of meeting or conference. Oftentimes at hotels, where we are called in in-advance to check out the boardroom, the conference room, meeting room, make sure that it’s secure, make sure that it stays secure for the duration of the meeting.

It’s important to understand the risk that’s involved too. The loss of confidential information, that can also translate into loss of dollars as well. There could be corporate strategy, details of mergers and acquisitions, stock offerings, personnel changes, even executive schedules.

I used to work in executive protection and one of the things that they really wanted to keep secret was what’s happening in the executives’ lives, because that could open them up to some other kind of attack as well.

And then it’s important to understand who is a possible threat, who is the enemy, is it a competitor, is it a disgruntled employee, or maybe even an executive who is just jealous, maybe he wants to get ahead, he wants to advance his position, or possibly legal issues, legal problems are another big concern. All these things together will prompt the company to want to have a sweep done.

John W. Simek: Well, Charles, who are the typical clients; I am sure not everybody is totally paranoid and calls you up, right?

Charles Patterson: Yeah. I think a lot of times the people who call us up sometimes as I mentioned it might be what we think of as an incident response, one of the first things they say is, I never thought I would be needing this, but and then they go on to explain.

Sometimes we are contacted by corporate security. We work closely with corporate security for a number of different major corporations. They are in touch with their legal department and they help handle any type of security aspect.

But we are also contacted by attorneys, sometimes directly, oftentimes along with a private investigator. There’s something going on for one of the attorney’s clients where they realize that the nature of the lawsuit, the nature of the concern somehow is serious enough that we need to — we want to take a good look at it.

There’s a number of private investigation firms, some of them may offer sweeps themselves. Many times they are not equipped to do a full, thorough job but we work closely with a lot of these firms so that when there is a need they can call us in and help handle the situation.

We always ask, whenever I get a call directly from a client one of the first questions is, have you been in touch with your attorney, because you are going to need the attorney one way or the other. If we come in and we do find a device, well, they are going to need their attorney to help take the next steps. And even if we come in and we don’t find that suspicious device or some significant problem, they still have other issues and they still will need their attorney to try to understand, well, why did they suspect this, was information leaked? Maybe it came from word of mouth.

(00:10:12)

Nobody wants to admit that they blabbed something, but sometimes we are called in and the security director says, well, we want to make sure there’s no bugs here, they think some information was leaked, just between you and me, we think somebody talked too much. As a matter of security we will go ahead and check the facility for them.

Sharon D. Nelson: You mentioned a couple of ideas about why lawyers might request a sweep, are there others?

Charles Patterson: Well, yeah, it could even be for their own offices, is there some major litigation going on, some major case that is so — that is that significant that you want your conference rooms to make sure that they are secure, or perhaps you are a firm that’s always dealing with these types of cases and so you need it regularly.

I know some larger law firms have their own TSCM teams that they use to travel around the country and even around the world taking care of their conference rooms there. Sometimes it may just be a case comes up where they realize this is a high profile case, we want to make sure we are doing our fiduciary responsibility, we are making sure that everything is as secure as needed.

And then for the clients, a lot of the concern is in the corporate level. So for legal counsel, for a corporation, their own offices may be of concern, but it may be other areas within a corporation. And again, as I mentioned before, if there was a break in or perhaps if an executive was recently fired, the attorney would know if there was any suspicious activity or some reason for concern.

And then of course there’s personal cases, the matrimonial cases, even inheritance. We were called in on a case where a family-owned company, a major corporation, but they were going through some changes and one brother was being booted out and nobody seemed to like him and they were very concerned about what information might be changing hands.

John W. Simek: Charles, let’s get into some of the really juicy stuff here and tell our listeners like how are these sweeps actually performed, and can you tell us something about the equipment, the tools, techniques, those kinds of things, including what you might find at the spy shops or on eBay, because I might want to put some of those in my Christmas list.

Charles Patterson: Yeah. Well, it’s important to understand what a tool does. As I mentioned, there are small devices that you can buy online that will detect maybe radio signals and it vibrates or it beeps when it’s near a signal. But it’s important to understand, there’s radio signals everywhere today. There’s radio signals from your stereo system, there’s radio signals from your computers, your phone, even lighting and room occupancy sensors, all kinds of stuff, so a small little sensor that’s very generic, it may not have any discerning of what type of signal you are finding.

So we have some fairly advanced spectrum analysis equipment. Laboratory grade spectrum analyzer can hook up to the computer. We can run traces and have it detect signals in the whole area, showing what frequency they are at, what the waveform looks like, and we can start to analyze, where is it coming from, was this signal present the last time we swept here, track it down with direction finding. So the radio signals are very important and we look at that.

We also use thermal imaging. Thermal imaging has come down in price in recent years. When I got started in the business it was a new thing and you wanted to buy a thermal imager, it would probably cost you $70,000 or more; some military stuff still costs that much. But electronics, when it’s active, when it’s powered up, it generates heat, particularly covert cameras. Any kind of small camera typically generates a lot of heat, enough that it would be spotted. If it was behind a ceiling tile, for instance, in a drop ceiling, from standing on the floor and looking around with the thermal imager you would be able to notice that there’s a hotspot and then you know that’s something you need to check out.

We use also a device called a non-linear junction detector, it’s another one of those long words, it uses initials NLJD, and basically what it does is it detects electronic components, diodes and transistors and chips, even if they are not active. So even if it’s not transmitting, even if it’s not turned on the NLJD or the non-linear junction detector has a way of detecting that there is a component present. For instance, could be hiding in a book. Particularly in a law library there’s so many books, to go through each one manually could take forever, so this is a device that we use.

That’s one you might see if you see any movies with a Secret Service and it looks like there’s a guy with a metal detector going up and down the wall with it, that’s the non-linear junction detector.

(00:15:05)

And of course we have got to look at wiring as well; telecom, data wiring, we look into the outlets. We use what’s called the TDR, a time domain reflectometer. Hey, if you like big words, this is a good field to get into. The TDR is kind of like a radar for wire. It can send a pulse signal down a pair of wires and give you a little reflection coming back and tell you what’s at the other end, is it short, is it open, or is there some other component or splice somewhere on the wire. So a lot of different techniques like this that are used.

And as I mentioned, the physical inspection is probably the most important part of the sweep, because that’s where stuff — even traces of something that was left behind will be uncovered. We might find a little bit of duct tape stuck under a table.

Actually, we were sweeping one conference room and it was a very large conference table, and in the center of the conference table, underneath was a little piece of cardboard stapled in there that formed a shelf. It was clearly done haphazardly by somebody in a hurry. It’s the perfect place to hide a recording device. The recording device was not there. What would happen is the person who was doing the eavesdropping would go in ahead of a meeting, crawl under the table, put a little recorder on this little cardboard shelf that he had made and remove it later. So the recorder wasn’t there when we were sweeping, but we did find the evidence that was left behind.

So as I mentioned, there is some limitation with the tools that you find online, but it’s a matter of understanding what the tool does and then how to use it.

It’s kind of like, for instance, if someone said what’s the best screwdriver I need to fix my car? Well, the screwdriver is one tool. The screwdriver is not going to let you solve every problem, but you certainly may use it. So that’s the way a lot of the tools are.

Sharon D. Nelson: Well, it sounds like there is a lot of tools and it sounds like there is a lot to be found.

Charles Patterson: There is a lot of stuff out there, yeah.

John W. Simek: Before we move on to our next segment, let’s take a quick commercial break.

[Music]

Sharon D. Nelson: At least 80 of the 100 biggest law firms in the country have been hacked since 2011. Protect your firm and your clients from cyber attacks with SiteLock. Their industry leading cloud-based suite of website security solutions includes Website Scanning, Web Application Firewall, including DDoS mitigation, and 24×7×365 US-based customer support. Give your firm and your clients peace of mind knowing their information is secure. Learn more at  HYPERLINK “http://www.sitelock.com/legal/digitaldetectives”sitelock.com/legal/digitaldetectives.

[Music]

Advertiser: Does your law firm need an investigator for a background check, civil investigation or other type of investigation? PInow.com is a one of a kind resource for locating investigators anywhere in the US and worldwide. The professionals listed on PInow understand the legal constraints of an investigation, are up-to-date on the latest technology, and have extensive experience in many types of investigation, including workers’ compensation and surveillance. Find a prescreened private investigator today, visit  HYPERLINK “http://www.pinow.com/”www.pinow.com.

[Music]

Sharon D. Nelson: Welcome back to Digital Detectives on the Legal Talk Network. Today our topic is Electronic Security Sweeps for Law Firms and their Clients. Our guest is Charles Patterson, who is the Founder and President of Exec Security TSCM, specializing in technical surveillance countermeasures, often referred to as electronic bug sweeps. He has been providing security sweeps for corporations and high profile clientele for over 20 years.

So I am listening to you Charles and I am hearing about little cardboard shelves and crawling under tables and it sounds like this might be quite the process in an office of any size. How much time would it take to do a sweep?

Charles Patterson: It can vary depending on the size of the area and what’s involved. Typically when we are hired for a job, we are usually looking at about four or five hours. That may include three or four offices, a conference room, in some cases depending on how many people we bring, if it’s a large area, we may want to bring in a few extra technicians on a job. But there is a lot of tediousness to the work.

(00:19:54)

Sometimes we have expectation from the client. Again, they have watched the movies and they think we are going to come in, or sometimes they will even say, well, the last guy was here, all he did was walk around and wave his antenna thing and he was done in an hour. I say, well, no, we are going to be here for three, four or five hours at least. And then the client wishes he brought a book because he is going to have to sit around with us.

Sharon D. Nelson: I will bet that’s true.

Charles Patterson: Yeah, it is. And at the same time, we have clients that call up and the first thing they say is, well, we have a facility, it’s a 28,000 square foot facility, I would like to know what it would cost to have it swept?

Sharon D. Nelson: Well, tell me about the pricing, because I know our listeners are going to be interested. I mean is this flat fee, is it by the hour, and how much would you charge, give me some kind of example in term of hourly or flat fees, whichever one you use.

Charles Patterson: Well, in the case like I just mentioned where someone comes and starts off by saying, hey, we have this giant facility, we want it swept. Well, I say, well, let’s talk a little bit, let’s try to understand what’s going on here. It’s not a simple thing just to give some kind of flat fee without really understanding the concerns.

Typically, if someone wants their whole facility swept after we talk with them, they are happy to narrow it down to say four or five main offices, typically like the CEO, the legal office, financial office and conference room, something like that, because one is they haven’t understood the depth of the inspection, that it is going to take a long time if someone wanted — one job we went to started off, the guy wanted about 10 offices swept, but when we got there he said, well, while you are here, we have offices over here and over there. And I said, look, that amount of offices we will be here for two or three days, so let’s narrow it down and let’s try to get a handle on the situation.

The cost of a sweep can vary, again, depending on the size. We are often looking between — if it’s a local area that we can get to, it may be $3,000-5,000; if we are traveling, it could be $4,000-6,000 to $8,000, again, depending on the size. It’s not a $500 job. Just bringing out the equipment, we have probably over $200,000 invested in the equipment that we use. So even if someone thought they could rent equipment, it would cost them much more than the cost of a sweep.

But we try to make it affordable. We try to understand what the concerns are. When there is a very serious concern, a serious threat, then the money is not the problem. The client really wants professional service and they want it done in a timely fashion. And that’s, again, where we are full-time at this, so sometimes we get a call and it says, well, listen, we have got a meeting at a hotel tonight, are you available, and then we will try and scramble and get there.

Usually we have about two or three technicians on the job, and as I said, sometimes if there is a really big job, we may look to bring in more people.

John W. Simek: Well, Charles, how did you get started in this field and does it require any specific skills or education?

Charles Patterson: Well, it makes me think of the sign you might see in some places that says, you don’t have to be crazy to work here, but it helps.

John W. Simek: The other one that says, you think hiring an expert is expensive, try hiring an amateur.

Charles Patterson: Well, true. Well, there is a lot of technology that we have to be aware of. My own background, again, I began working on security in around 1978. Now, I had aptitude for electronics. I was a ham radio operator as a kid. You will find a lot of professionals in the TSCM field were or are ham radio operators as well, because we tend to have a desire to — we like to work with our hands, we like to work with electronics, and we also have a curiosity, curiosity to understand how things work. Again, we want to learn about any kind of technology.

I worked with radio as a kid, which meant that I also understood a little bit of wiring, a little bit about microphones. Then when I was working in the security field I took care of the radio systems, I took care of some telephone equipment. Like anytime the phone company would come to service the telephones, I was the escort to follow them around and make sure that everything was handled okay. And I just kept learning. Any chance I got I tried to study something.

Occasionally the company I worked for would hire someone to come in and do a sweep for either, an important meeting was going on or maybe a conference at a hotel, I would be the escort with the people that were doing the sweep and I got to see a wide range of capabilities. Some guys really didn’t seem to know what they were doing. They would say things that didn’t make sense. Again, waving the wand around. I would shake my head a little bit and say something is not right. And then at other times there was a team would come in who seemed to know what they were doing.

(00:24:55)

So at one point I finally decided I would go for a little training myself, and after I took a class I realized that all of my own interests and all of my own kind of hobbies and the things I had taught myself with technology all came together in the TSCM field and I decided to make a go of it.

And again, a curiosity to understand how things work, a little bit of aptitude in radio, video, data, telecom, but there’s an important thing, it’s not just being a techie, you need to have a mindset for security, because you are going to be entrusted with protecting corporate assets and confidential information. So if someone doesn’t really have an understanding of security, they are not going to do too well in this field.

It’s certainly not like being a spy or being a James Bond character. You really have to be serious about protecting information.

Sharon D. Nelson: Well, give us a story or two, because I know we are running close to the end of our time, give us a story or two of interesting cases that you have handled.

Charles Patterson: Oh, sure, there’s a few. One of the things we didn’t talk too much about is voicemail and phone system hacking. This is another area where now some of the stuff may be looked at from a cyber point of view, but for many years voicemail has been vulnerable.

One company that brought us in — well, we were brought in with the investigation firm, they had fired an employee who worked in the IT department and he understood the telephone system. After he got fired, he called in, dialed into the voicemail system and was able to navigate around the system and discovered that the CEO never changed his default password for his voice mailbox.

So the employee decided he would listen to the messages there and he found a message that was an old message, from three or four months previous, the situation had already been taken care of, but the message was an irate customer who spent five minutes cursing at the boss. So the employee listened to this and thought, oh, here’s some fun.

He knew what’s called a broadcast feature for messages, he was already in the boss’ mailbox, he took that message and forwarded it to every employee in the entire company. So come Monday morning, all the employees come to work, every single one of them has their red light flashing on their phone. They check their voicemail and it says, oh, you have a message from the CEO, so they all listened to it very diligently and hear this irate customer cursing and cursing and cursing. So that was a little bit of harassment, a little bit of embarrassment. It took a little while but we were able to figure out that that’s what had happened. That’s the type of thing that you may not expect, but it’s something that you have got to think about.

And another case, I have mentioned disgruntled employees and executives even within the company, in any kind of security insider threat is a big concern. Well, we found a microphone planted in a ceiling, wired back to an executive’s desk. This was in a stock brokerage firm and apparently he had been listening to the conference room where the SEC and the NASDAQ people would come to do their audits. So he was trying to listen to what was going on with the people that were auditing the company. He thought maybe he is doing something good for his firm, but ended up getting him fired.

And then to add a little insult to injury, we took the microphone down from the ceiling and noticed that there was a little sticker on it from a spy shop in Manhattan, and the attorney then went to the bookkeeper for the company and they did a little search and found that the whole eavesdropping system was purchased on the company AMEX card by this executive. Again, a little embarrassment there, but they were happy to have that resolved.

Like I said, I can think of another time, we were sweeping executive offices and an executive dining room at a technology company, we were looking at the Wi-Fi, and we know what to expect, we have been there before, we know all the access points have certain labeling structure, we will find other things on Wi-Fi, there’s video display equipment, things like that that use Wi-Fi, but here’s an access point that’s labeled dark web. And we thought, is this a joke or what.

But we did a little direction finding with the signal, it was not in the area we were concerned with, but we found approximately where it was coming from and reported it to the security, who then got in touch with IT, and they were able to find. It was a rogue access point that some clever employee thought he was able to give himself some extra Wi-Fi or something like that.

So there’s a lot of little things that come up that may not be obvious right away, you have to really dig a little bit to find out all the details behind it.

(00:29:55)

John W. Simek: Charles, why don’t you tell us three tips that anybody can practice to help secure their information and conversations?

Charles Patterson: Sure. It’s important, first of all, to understand the value of your information and be careful of what you yourself are saying in conversations, and for a company to establish some good policies so that employees also know that the information that they are handling is confidential.

Then from the technical perspective, we always recommend, one is keep an eye out for anything in your office that’s disturbed or out of place. If you left the night before and you come back and you see some furniture has been moved, you might want to try to understand why, was there a cleaner in there, was something going on, have ceiling tiles been moved. If you have ever moved a ceiling tile, they usually leave dust behind and the dust falls down. If there’s ceiling tile dust on a desk, it may warrant paying some close attention to what’s up above.

If you have a concern for hidden cameras, there’s little devices that you can buy from a spy shop called Spy Finder. It basically shines a little flashing LED and you look through a hole to see if there’s a reflection coming back. But you can kind of do the same thing with a flashlight. If there’s any suspicious hole, whether it’s in a hotel room or in an office and you didn’t notice that hole before, you can shine in there with a flashlight. If you see a reflection coming back, it could mean that there’s a camera behind there. It could be something else, it could be an aluminum stud in the wall, but it’s something that now you can investigate further, either cover the hole or maybe poke a paperclip into it and see what you hit.

Sharon D. Nelson: Well, I am glad I am not paranoid Charles, because you are scaring the bejesus out of me here. I am going to look at all the holes in the hotel or malls at this point.

Can you tell us how folks would get in touch with you if they had questions or wanted to engage your services?

Charles Patterson: Sure. The website is  HYPERLINK “http://www.execsecurity.com” execsecurity.com and I am available by email at  HYPERLINK “[email protected]” [email protected]. On the website we have a blog, it’s the news page if you go to the website, Twitter is @ExecTSCM and Facebook also Exec TSCM.

Sharon D. Nelson: Well, we sure want to thank you for joining us today Charles. We have never had this subject discussed before and it’s fascinating and a little creepy too. Not that you are creepy, but the subject is creepy.

Charles Patterson: We want to protect our information.

Sharon D. Nelson: We sure do. So thank you very much for agreeing to join us today as our guest.

Charles Patterson: Thank you. It has been really enjoyable. Thanks a lot.

John W. Simek: Well, that does it for this edition of Digital Detectives. And remember, you can subscribe to all the editions of this podcast at  HYPERLINK “http://www.legaltalknetwork.com” legaltalknetwork.com or on iTunes. If you enjoyed this podcast, please review us on iTunes.

Sharon D. Nelson: And you can find out more about Sensei’s digital forensics technology and cybersecurity services at  HYPERLINK “http://www.senseient.com” senseient.com. We will see you next time on Digital Detectives.

[Music]

Outro: Thanks for listening to Digital Detectives on the Legal Talk Network. Check out some of our other podcasts on  HYPERLINK “http://www.legaltalknetwork.com” legaltalknetwork.com and in iTunes.