top of page
Security Operations Team

The TSCM need in Infosec


When you say TSCM, most people look at you confused. The team at Jigsaw Security understands that TSCM stands for technical surveillance countermeasures and that it is a very important and almost always overlooked part of an organizations defense. Since the 1920's there have been threats of espionage in corporate security as well as the Government space. The need for qualified technical surveillance countermeasures is needed even more these days and most companies have no plans in place to provide this type of protection to their employees.

Recent Examples

In order to understand the needs we have to look at some recent examples of why TSCM is needed. For the last several years we have been reporting on gas pump and ATM skimmers. Security researchers are well aware of Russian activity in this space. The Secret Service has warned of the threat especially around holidays when travel increases on American roadways. Below are a few examples of skimming devices that have been reported to us or that we have seen previously.

An ATM keyboard overlay

As you can see many of these attacks are physical in nature. Here are a few more.

Here you can see a camera and skimmer combination at an ATM used to capture card information when the ATM is utilized.

FACT: Did you know that attackers can store and then retrieve devices later to gather credit card and ATM information. Many of the devices shown actually allow the attacker to store information and retrieve it when it is safe to go back to the crime scene.

It is extremely difficult to catch these threat actors in the act because in many cases they work as teams and can blend into the population easily when manipulating ATM machines, Gas Pumps and other vending type machines.

Here is a gas pump skimming device

So you may be asking yourself why would corporate America be worried about these attack vectors? The simple answer is that corporate America is not even aware of most of the more sophisticated attack vectors and are falling victim to these methods without even realizing it.

One of the most common methods for gaining access to corporate networks is through man in the middle WIFI attacks or similar WIFI trickery. Using cheap and commonly available components, it is easy for attackers to redirect your wireless devices to malicious networks even without your knowledge of this occurring. If you don't think it's happening have a look at the map below for a recent report on MITM attacks that have been detected.

As you can see in this map, with the exceptions of Governments spying on their own citizens, the US is right up there with the number of instances of MITM attacks. This activity indicates that the US is being targeted by outside third parties.

Not only is WIFI being attacked, adversaries are also attacking cellular communications networks. Both DHS and private security researchers including Jigsaw Security have been putting out warnings about rogue cellular network activity.

You can read about our report in a previous blog post here. Here is the DHS report on rogue access points recently reported in the news.

It is easier and cost effective to attack the mobile electronic devices of US citizens than to deploy spies. Nation state activity in this space is increasing and it is extremely difficult to prevent eavesdropping in our everyday connected lives. In addition to nation state activity, many businesses will look at the content of wireless traffic in exchange for providing free WIFI in coffee shops, hotels and airports. In fact many airports have been targeted directly due to the large number of people in a confined and closed area.

So why do I as a business owner have to worry about MITM wireless attacks?

Hackers are using these techniques to gain access to corporate networks. Even traditional recording of phone conversations still occurs frequently by both Governments, businesses and spies. Information is the key and once credentials are discovered when performing a MITM attack, threat actors can then simply login to public facing servers to unload malware that infects the entire organization. You do remember the Home Depot wireless attacks right?

Specific Known Threats (From Jigsaw Security Threat Intelligence) and Targeting

Over the last few months we have been looking at data in our threat intelligence and one thing is certain. Phishing is the number one vector of gaining access to most organizations. 95% of all attacks in 2018 begin with phishing. Even with training and awareness, end users sometimes fail to protect their networks and credentials. The solution is to enforce 2 factor authentication as well as sinkhole of known phishing sources, malware and virus locations. Jigsaw Security's FirstWatch sensor detects and denies the threat actor access to the malicious content to prevent these attacks even when an end user clicks on a malicious link. Once a user clicks on the malicious link, the threat actor captures passwords from Windows PC's, the browser cache and sometimes using forms on sites to request the user to login to a fake page for a particular service such as GMail or Office 365.

Some of the smallest listening devices we have seen in the field

Experts are disappearing at an alarming rate

Over the last few years we have witnessed many of the best TSCM practitioners go out of business, retire or stop doing this type of work. Many of the cold war trained Government specialist in this field are in their 70's and 80's and many have retired or passed on. Even the individuals that originally trained our team are no longer providing training or sweeps. Many of the Government spies that perfected the craft for years spying are gone.

We have been seeing a large number of businesses discovering spies within their midst, our only thought is that if their internal people were trained in the technical attack methods that possibly they could better protect themselves from these highly technical attacks.

Over the next few months we will be providing training to corporate partners and approved entities that want to prevent this type of attack. For more information contact us through the contact us page on the website or email us directly.


16 views0 comments
bottom of page