The information security crowd knows all about bugs in Internet Explorer, but what about bugs with microphones in them? Listening devices planted in your organisation can pose a serious threat to security.
Les Goldsmith is the managing director of ESD Group, a Cairns-based bug detection and counter-surveillance operation. The following is an edited transcript of Patrick Gray's interview with Goldsmith, taken from the Risky Business security podcast.
Patrick Gray (PG): What types of organisations hire you to perform bug sweeps in the first place?
Les Goldsmith (LG): People who are involved in larger markets or in a very competitive market. It ranges from hair product manufacturers and distributors through to governments and financial institutions.
PG: Hair products?
LG: Yeah. That is the oddest one we've had.
PG: Did you find anything?
LG: They were being monitored, yes.
PG: You once told me that when you are called to do a bug sweep of a particular company you actually find something 10% of the time. Is that right?
LG: That is correct.
PG: Who is running around putting these bugs into all of these Australian organisations?
LG: In most cases it's someone that has ready physical access to your site. It can also be someone that is delivering a gift or otherwise. So you might give someone a plaque for a wall and the plaque might be bugged. Or you might replace the handset on the desk with a handset that is bugged. It is as simple as that. An example would be a cleaner who needs some extra money and is a bit down on their luck, and someone offers them a hundred bucks to replace a telephone sitting on someone's desk.
PG: Yes but obviously this stuff is illegal, so do you find it surprising that organisations are prepared to run the risk of being caught doing this?
LG: If they buy the device and have someone else install it... they are not going to get caught. There is nothing to link them to it without physically having left fingerprints behind.
PG: So in other words it is very hard to get caught.
LG: It is harder to get caught than more traditional espionage methods.
PG: Usually when someone gets you on the phone and says 'hey, we think we've got a problem here,' what sort of job role is that person in? Does it usually come from the board or management or does it come from people who work in information security or people in physical security?
LG: It is kind of a divided group here. Depending on the size of the company, if it is a very huge company then usually it would be IT security. If it is a government it would usually be the protocol office for that particular government's parliament that would make that initial contact, or it could even be an intelligence agency. If it is a small company it would usually be the chief financial officer or chief information officer or the managing director of the company.
PG: This is obviously enough of a problem for you to have something like twenty employees in a few different countries.
LG: That is correct. It's a problem, but often most people don't realise it is going on because there isn't any formal reporting method for people to bring this sort of information forward and quite frankly most companies wouldn't want you to know that they had been bugged.
PG: It's the same with data breaches ... which is why there is a lot of debate around data breach disclosure laws here in Australia. One of the things making your life a little bit easier than that of your US counterparts is I understand it is illegal in the United States for a private citizen to own a listening device, making it very hard for people training in your particular art or science to learn. Here that is not so much a problem.
LG: That is correct. You can certainly do training courses in the United States, which are a fantastic benefit, and we have all done training courses within the US. However the availability of legal surveillance kit in the US is limited to government agencies. As a result, in Australia we have the advantage of being able to import any surveillance devices we like and use those in training. For our US-based staff that means they can travel out here and do training with the more sophisticated surveillance devices and then take that training back with them to the US.
PG: Because we have surveillance devices available here legally, I guess it means that the bad guys can get a hold of them more easily, doesn't it?
LG: That is absolutely correct and that is a serious problem. We have so many spy shops within Australia and operating online which allow you to buy UHF devices readily over the internet or over the phone. As an example you can buy a UHF device that has a kilometre range for a few hundred dollars in Australia and that will be shipped direct to you, and there are no questions asked about how you are going to use the device. It is sold and it is your responsibility to abide by the law.
TOMORROW: Who's using spy kit?