system is compromised and your password is the same on other systems, then you have a problem. There is no simple solution to this other than to be cautious about whom you sign up with and to use different passwords and email addresses for casual and serious accounts. Never store confidential information such as passwords, encryption keys or credit card numbers in webmail accounts.
Electronic Surveillance
Covert Electronic Monitoring (CEM) is one of the biggest dangers to organizations at risk from commercial espionage. For this reason, penetration testing teams are employed to simulate a physical intrusion by an attacker whose goal is to install listening devices in sensitive areas. By listening devices, I mean the following:
• Traditional Room ‘Bugs’: Professional bugs (rather than those cheaply bought at ‘spy shops’) are capable of extremely long-term autonomous operation. During a fingertip search of a ceiling space in 2002, my team found a bug that had been placed by an unknown attacker, probably several years before, and was still very much active. Discreet cameras are sometimes used as well, but in commercial espionage video is less common than voice recording and data snooping. In general, bugs are designed to transmit voice via a radio signal to a receiver. The range of the signal varies with the strength of the transmission and the nature of the surrounding structure. The frequencies bugs transmit on also vary, depending on how much you have paid for the device but also on locale, as governments tend to license different wavelengths. This, however, will be of minor interest to criminals and corporate spies.
• Phone Taps: These can be placed virtually anywhere in the internal phone system, but often specific offices are targeted and devices are connected directly to a handset or in line with the phone system. Like room bugs, they are generally designed to transmit radio signals.
• Network Taps: These can be physical devices attached to a vulnerable cable, or ‘creeper boxes’: self-contained, autonomous, discreet computers that perform a variety of monitoring tasks. Network taps communicate the information they gather back to an attacker via the organization’s own Internet connection or via a GSM link.
• Software Monitoring: There is a variety of software available for the remote monitoring of workstations. Typically, such software is used to capture keystrokes, record passwords and grant remote access to files and network resources. It is recommended that any such
116 INFORMATION GATHERING
software be developed in house rather than downloaded from the Internet. Aside from avoiding the obvious inherent risks, you won’t have to worry about your code being detected by antivirus scanners, and you will be able to customize it on a test-by-test basis. Some packages are commercially available, but they are mostly overpriced and poorly written. Any organization employing a decent penetration testing team will have the talent available to develop remote monitoring software.
• Key Logging Hardware: These are small devices connected inline between the workstation and the keyboard. Keystrokes are recorded and the devices are physically retrieved at a later date. Physical key loggers are a favorite weapon of industrial spies working at the target site. They are easily installed and, whilst obvious if one is looking for them, they have the advantage that antivirus software won’t detect them, which is a concern with software key loggers.
Do bear in mind that when performing a penetration test it is not necessary to actually install such devices in order to demonstrate the vulnerability. One of my clients prefers that instead of, for example, installing a hardware key logger, we wrap a small cable tie around the keyboard cable of a targeted workstation. This is adequate in most cases. Whilst the discussion of covert bugs and taps is a fascinating one, we’re the good guys and are consequently more interested in finding and disabling those left by the bad guys. We’ve got a whole chapter dedicated to counter-intelligence that covers a range of subjects, including covert bugging.
A creeper box is a small form-factor PC that is covertly deployed on a target network. It should be a ‘fire and forget’ device, i.e. once deployed it should require no further intervention to function. What the box does is up to you, but it is mainly used to sit quietly in the background and gather passwords, emails and other network information, which is dutifully delivered back to you at key intervals.
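The delivery back to you at key intervals is the part of a creeper box that most easily gives the operation away or leaks what was collected, so the channel deserves the same care as the capture. The following Go program is an added example, not code from this book or its author, of a store-and-forward burst channel: the box buffers records, seals each batch with AES-256-GCM under a 32-byte key that is assumed to have been provisioned to the box before deployment, and the collection host rejects replayed or tampered bursts and reports how many bursts never arrived. The type and function names (Burster, Receiver, Seal, Open) and the sample records are constructed for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

// Burster runs on the creeper box: it buffers captured records and seals
// them into one authenticated message per delivery window. The 32-byte key
// is assumed (for this example) to be provisioned to the box before deployment.
type Burster struct {
	aead   cipher.AEAD
	seq    uint64   // burst counter; doubles as the GCM nonce, so it must never repeat under one key
	buffer []string // records captured since the last burst
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func NewBurster(key []byte) (*Burster, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	return &Burster{aead: aead}, nil
}

// Record queues one captured line (a credential, a mail subject, ...).
func (b *Burster) Record(line string) { b.buffer = append(b.buffer, line) }

// Seal returns the next burst and empties the buffer.
// Wire format: 8-byte big-endian sequence || AES-GCM ciphertext || 16-byte tag.
// The sequence travels in clear but is bound into the tag as associated data.
func (b *Burster) Seal() []byte {
	hdr := make([]byte, 8)
	binary.BigEndian.PutUint64(hdr, b.seq)
	nonce := make([]byte, b.aead.NonceSize()) // 12 bytes: 4 zero bytes || sequence
	copy(nonce[4:], hdr)
	plain := []byte(strings.Join(b.buffer, "\n"))
	msg := b.aead.Seal(append([]byte(nil), hdr...), nonce, plain, hdr)
	b.seq++
	b.buffer = b.buffer[:0]
	return msg
}

// Receiver runs on the tester's collection host.
type Receiver struct {
	aead    cipher.AEAD
	nextSeq uint64 // lowest sequence number still acceptable
}

func NewReceiver(key []byte) (*Receiver, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	return &Receiver{aead: aead}, nil
}

// Open authenticates and decrypts one burst. Replayed and tampered messages
// are rejected outright; missed reports how many earlier bursts never arrived
// (a missed GPRS window, or a message dropped in transit).
func (r *Receiver) Open(msg []byte) (lines []string, missed uint64, err error) {
	if len(msg) < 8+r.aead.Overhead() {
		return nil, 0, errors.New("burst too short")
	}
	hdr := msg[:8]
	seq := binary.BigEndian.Uint64(hdr)
	if seq < r.nextSeq {
		return nil, 0, fmt.Errorf("burst %d replayed or out of order", seq)
	}
	nonce := make([]byte, r.aead.NonceSize())
	copy(nonce[4:], hdr)
	plain, err := r.aead.Open(nil, nonce, msg[8:], hdr)
	if err != nil {
		return nil, 0, fmt.Errorf("burst %d failed authentication: %w", seq, err)
	}
	missed = seq - r.nextSeq
	r.nextSeq = seq + 1
	if len(plain) == 0 {
		return nil, missed, nil
	}
	return strings.Split(string(plain), "\n"), missed, nil
}

func main() {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	box, _ := NewBurster(key)
	home, _ := NewReceiver(key)
	// Constructed sample records standing in for what the box captured today.
	box.Record("smtp auth: user=jsmith host=mail.example.internal")
	box.Record("http basic: user=admin realm=intranet")
	burst := box.Seal()
	lines, missed, err := home.Open(burst)
	fmt.Println(lines, missed, err)
	_, _, err = home.Open(burst) // the same burst delivered twice
	fmt.Println("replay:", err)
}
```

Two design points worth carrying over to a real build: the key should be unique per box, so that a box found and torn down by the target exposes nothing about other deployments or the collection host, and the sequence number must be persisted on the box across power loss, because reusing a GCM nonce under the same key breaks the confidentiality of both bursts.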
There are factors to consider when building your own creeper box:
• Form: Obviously the smaller the overall box, the better. There are many small form-factor PC cases on the market. Buy one that meets your needs.
• Autonomy: Once deployed, a creeper box needs to perform its tasks without human intervention for the duration of its mission. This requires that the software is stable and that power won’t be interrupted.
• Communications: The information you gather has to be transmitted back in a secure form. If available, you can use a local Internet connection for this. However, you can also use a mobile comms card to burst data once a day over a data (GPRS/3G) connection.
• Function: Building a box solely to capture passwords is relatively straightforward. However, you should consider other possibilities