Viewing 4 reply threads
    • #76724
      Ronald Beal

        For those here that don’t know… ELINT is electronic intelligence, generally from electronic signals not directly related to communications.

        One type of ELINT involves receiving the spurious signals generated by modern electronics.

        In the late ’90s I saw a demo of a home brewed system where a guy could point an antenna at a CRT monitor several hundred yards away, and could reconstruct the video signal and display it on his own equipment. He drove down Wall Street in Manhattan, and by pointing at various brokerage houses, he could see what was on their computer monitors. Now that LED flatscreens have replaced CRTs, doing that is a little bit harder, but that is what TEMPEST was designed to protect.

        Here is a good article on the TEMPEST spec that is required of government and military systems that carry classified data:

        Another form of ELINT is digital fingerprinting.

        Here is an ELINT story, relayed from a former co-worker, who was previously in Navy SIGINT in the late ’80s, early ’90s.
        He was one of the signals guys on an EP-3E that flew surveillance routes in the Pacific Ocean. The following information is not classified.

        According to him, they had a receiver that listened to aircraft radars. Every radar had a distinct “fingerprint”… even among the same makes and models. Minor variances in the electrical components would lead to minor variances in the radar pulse… one radar might have a small peak on the start of a pulse, while another radar might have a longer decay tail on the pulse, while another radar might show some transmitted harmonic distortion at the peak, etc. Their receiver could distinguish every individual aircraft radar, identify the radar, and they built a database that tied radars to specific aircraft, etc… By receiving a single radar pulse, and with no other transmitted info, they could for example say “That radar came from F-15 number 72, operated from the Ronald Reagan, piloted by Joe Blow… etc.”
        That was unclassified state of the art 20 years ago.

        If anyone read “No Easy Day” about the capture of Bin Laden… you may remember a bit where the operators had info on the make and model of voice recorder Bin Laden probably had. How did they do that?… similar process… by analyzing some of his audio recordings, they could match characteristics that were unique to that model voice recorder. Or maybe the recorder added metadata to the audio files.

        Metadata is another security weakness… If you take a picture with your cell phone… there is embedded data in the picture called EXIF that usually identifies the make/model of the camera, software version, date, time, location if GPS is enabled, etc…

        Here is a link on how just metadata can still pinpoint you:

        If your phone is on, you can be tracked. Or if it was on, your history can be determined. It is simply a matter of getting the stored data from cell phone towers. Even if GPS is off, cell towers have small coverage areas, so getting a rough fix is not difficult for those with access to the cell site data. It is always amusing to see those on internet forums that claim they will shoot a bad guy and SSS: shoot, shovel and shut up. All well and good online, but in the real world, the cops will become suspicious when the bad guy’s cell phone goes to your house, hangs out there, and then vanishes.

        Part of the whole NSA/Snowden issue is the fact that much of that data is being collected, and stored, which allows traffic pattern analysis.
        Here is a white paper link on traffic analysis (from http://www.NSA.gov click at your own risk): http://www.nsa.gov/public_info/_files/tech_journals/intro_traffic_analysis.pdf

        By following your digital trail, they can reconstruct large portions of your life, habits, interests, and predict behavior.

        Link on the MAINWAY database: http://en.wikipedia.org/wiki/MAINWAY

        Story on FOXACID the NSA servers that hack other computers: https://www.schneier.com/blog/archives/2013/10/the_nsas_new_ri.html

        So what does this mean for the average guy?

        Unless your opponent is the government, most of these technologies and techniques are beyond reach. There are maybe 2 dozen people outside of government employ that can build systems that can glean data from the spurious signals that TEMPEST protects.

        Signal fingerprinting is likewise an expensive and time-consuming endeavor… you likely won’t see it outside of government.

        If you are trying to hide stuff from government, involve as few electronic devices as possible. If you have regular habits and patterns, realize those have already been logged…. deviations are notable, staying the same isn’t.

        Hope this helps, and feel free to add or correct as needed.
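
The post’s point about EXIF, as an added example that is not part of the original post: the functions below build a constructed JPEG carrying a minimal Exif APP1 segment (make, model, timestamp and a pointer to a GPS sub-IFD), read those fields back the way any metadata viewer would, and strip the segment before the picture is shared. The tag numbers are from the TIFF/Exif specification; the device names, date and offsets are made up for the sample.

```python
import struct
TAGS = {0x010F: "Make", 0x0110: "Model", 0x0132: "DateTime", 0x8825: "GPSInfo"}  # IFD0 tags a phone fills in

def build_sample_jpeg():
    """Constructed sample: SOI, one big-endian Exif APP1 segment, EOI (no image data)."""
    strings = {0x010F: b"ExampleCo\0", 0x0110: b"Phone 1\0", 0x0132: b"2014:01:02 03:04:05\0"}
    data_off = 8 + 2 + 12 * 4 + 4  # IFD0 sits at offset 8 and holds four 12-byte entries
    entries, blob = b"", b""
    for tag, s in strings.items():  # ASCII values are stored after the IFD and referenced by offset
        entries += struct.pack(">HHII", tag, 2, len(s), data_off + len(blob))
        blob += s
    entries += struct.pack(">HHII", 0x8825, 4, 1, data_off + len(blob))  # LONG pointer to a GPS sub-IFD
    tiff = b"MM\x00\x2a" + struct.pack(">IH", 8, 4) + entries + b"\0\0\0\0" + blob + struct.pack(">HI", 0, 0)
    app1 = b"Exif\0\0" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"

def iter_segments(jpeg):
    """Yield (marker, start, payload) for each marker segment before SOS/EOI."""
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos + 1] not in (0xD9, 0xDA):
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        yield jpeg[pos + 1], pos, jpeg[pos + 4:pos + 2 + length]
        pos += 2 + length

def read_exif(jpeg):
    """Return make/model/timestamp from IFD0 and flag a GPS sub-IFD if one is referenced."""
    found = {}
    for marker, _, payload in iter_segments(jpeg):
        if marker != 0xE1 or not payload.startswith(b"Exif\0\0"):
            continue
        tiff, e = payload[6:], (">" if payload[6:8] == b"MM" else "<")
        ifd = struct.unpack(e + "I", tiff[4:8])[0]
        for i in range(struct.unpack(e + "H", tiff[ifd:ifd + 2])[0]):
            tag, typ, cnt, val = struct.unpack(e + "HHII", tiff[ifd + 2 + 12 * i:ifd + 14 + 12 * i])
            if tag == 0x8825:
                found["GPSInfo"] = True
            elif tag in TAGS and typ == 2:  # ASCII: inline when it fits in 4 bytes, else at offset
                raw = tiff[val:val + cnt] if cnt > 4 else struct.pack(e + "I", val)[:cnt]
                found[TAGS[tag]] = raw.rstrip(b"\0").decode("ascii", "replace")
    return found

def strip_exif(jpeg):
    """Mitigation: copy every segment except APP1/Exif, then the remainder of the file untouched."""
    out, pos = bytearray(jpeg[:2]), 2
    for marker, start, payload in iter_segments(jpeg):
        if not (marker == 0xE1 and payload.startswith(b"Exif\0\0")):
            out += jpeg[start:start + 4 + len(payload)]
        pos = start + 4 + len(payload)
    return bytes(out + jpeg[pos:])
```

Real photos also carry XMP and maker-note blocks, so a production scrubber should drop every APP segment it does not recognise rather than only the one shown here.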


      • #76725
        Ronald Beal

          Cell Phone Tracking:

          There has been a lot in the news recently regarding the NSA, and phone metadata. Without actually listening to the phone call, the metadata is information from the phone such as what number was called, what time the call was made, how long the call was for, what cell tower(s) the call was made from. Additionally, even when a call isn’t being made, the phone is talking to cell towers, which log times and, of course, the location of the tower.
          So what can an investigator do with just that info?

          Geolocation is the first tool. Knowing the general area that the phone was in, and when, can tell a lot. If a phone is closest to the tower near someone’s home… it is probably a good bet that the phone is at the person’s house. Likewise, if the phone connects to towers along an interstate highway, there is a good chance that the phone (and presumably its owner) is traveling down the interstate. Knowing the location of the towers, someone can even determine the approximate speed of travel of the phone, by the time it takes to move between towers.
          Imagine a criminal investigator trying to solve a crime. Just finding out what phones were in the area gives the investigator a starting list of possible suspects. Also, if a person goes missing, tracking the last locations of their cell phone is one of the first things searchers do.
          Remember, the NSA keeps phone metadata for a year. They can essentially track most of your movements, patterns of life, etc. with a year’s worth of data.
          When do you leave for work? What route do you take? How often do you stop for gas? Where do you usually get gas, and what time? How often do you go to the range? Etc… Looking at those patterns, when you deviate from the pattern that can mark unusual circumstances. Were you committing a crime when you left your normal route home and went into a subdivision you normally don’t go to?
          The NSA claims personal data is not kept with the metadata, however researchers at Stanford have proven it is trivial to link metadata to a person.
          Article here: https://threatpost.com/stanford-res…ing-metadata-with-user-names-is-simple/103272

          Geolocation gets even more precise (and easier) if your phone’s GPS is on.

          How do you keep from being tracked? Turn your phone off. Regularly. Now. If the only time you turn it off is when you are up to no good, well that is a deviation from normal that could flag it as suspicious.
          Option 2. Make sure your phone continues its routine even if you are not attached to it. ;-)

          Your call metadata creates another field of study. Looking at who you call, who calls you, when you call, etc. can establish a virtual “social network”.
          If a known terrorist makes regular calls to your phone, then there is a good chance secret warrants will be issued to listen to the calls. If a known terrorist only makes one call to your phone, and then a terrorist event happens in your AO shortly thereafter, you better believe you will be in the top ten list of suspects.
          Read the link in the first post regarding metadata link analysis and the social network.

          This is all just a short synopsis… hope it helps.
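
To make the post’s point concrete (a handful of tower registrations gives route, speed, an unfamiliar stop and a telltale silence), here is an added example that is not part of the original post. The tower coordinates and the two days of “timestamp,tower” records are constructed; `profile` learns the habitual tower set and the longest normal quiet interval from a baseline day, and `deviations` flags exactly the two things the post says stand out.

```python
import math
from datetime import datetime

# Constructed tower table (id -> lat, lon); illustrative coordinates, not real cell sites.
TOWERS = {"home": (40.70, -74.00), "hwy1": (40.75, -74.10), "hwy2": (40.80, -74.20),
          "work": (40.85, -74.30), "subdiv": (40.65, -74.05)}

# Constructed registration log: one "timestamp,tower" line each time the phone reports to a tower.
DAY1 = ["2014-01-06 07:30,home", "2014-01-06 07:50,hwy1", "2014-01-06 08:10,hwy2", "2014-01-06 08:30,work",
        "2014-01-06 12:30,work", "2014-01-06 17:30,work", "2014-01-06 18:30,home"]
DAY2 = ["2014-01-07 07:30,home", "2014-01-07 07:50,hwy1", "2014-01-07 08:10,hwy2", "2014-01-07 08:30,work",
        "2014-01-07 12:30,work", "2014-01-07 17:30,work", "2014-01-07 18:00,subdiv", "2014-01-08 00:30,home"]

def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(math.radians, a + b)
    h = math.sin((lat2 - lat1) / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def parse_log(lines):
    """Turn log lines into (datetime, tower) tuples in time order."""
    return sorted((datetime.strptime(ts, "%Y-%m-%d %H:%M"), tower)
                  for ts, tower in (line.split(",") for line in lines))

def legs(records):
    """Per consecutive pair of registrations: (from, to, km, km/h); speed separates driving from staying put."""
    out = []
    for (t0, a), (t1, b) in zip(records, records[1:]):
        hours = (t1 - t0).total_seconds() / 3600
        km = haversine_km(TOWERS[a], TOWERS[b])
        out.append((a, b, round(km, 1), round(km / hours, 1)))
    return out

def profile(records):
    """Baseline from a normal day: the habitual tower set and the longest quiet interval, in hours."""
    towers = {t for _, t in records}
    gaps = [(t1 - t0).total_seconds() / 3600 for (t0, _), (t1, _) in zip(records, records[1:])]
    return towers, max(gaps)

def deviations(records, baseline):
    """What stands out against the baseline: an unfamiliar tower, or a silence longer than normal."""
    towers, max_gap = baseline
    flags = []
    for (t0, a), (t1, b) in zip(records, records[1:]):
        if b not in towers:
            flags.append(("off-pattern tower", b, t1))
        if (t1 - t0).total_seconds() / 3600 > max_gap:
            flags.append(("silent gap after", a, t0))
    return flags
```

Run against the two constructed days, day one yields a baseline of four towers and a 5-hour maximum gap, and day two is flagged twice: the visit to the unfamiliar “subdiv” tower and the six-and-a-half-hour silence that follows it.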

        • #76726
          Ronald Beal

            Van Eck monitoring:
            When I earlier wrote about TEMPEST, the name of the method escaped me.
            It is called Van Eck monitoring or Van Eck Phreaking… named after the guy that originally theorized about it.

            Here are 2 videos demonstrating the Van Eck method:

            Modern incarnations also include Van Eck monitoring of your keyboard.
            Story here:

            An iPhone app that can determine what you are typing on a computer keyboard (if the phone is in a shirt pocket)

            If there is a microphone close enough, you can determine what someone is typing by the sounds the keys make. Much like the radar fingerprinting I described in the first post, each keystroke on a keyboard makes a slightly different sound, which can be mapped.
            Story here:

            The government requires electronics that carry classified data to be compliant to the TEMPEST standard.
            Here are a few TEMPEST compliant products:


            In short… if you are doing something you don’t want the government to know about, don’t use a computer.

          • #76727
            Ronald Beal

              Oops.. the Van Eck phreaking videos I posted above didn’t actually post.
              Here are the links:



            • #76728
              Ronald Beal

                Buran eavesdropping coupled with Van Eck

                In the late 1940s Leon Theremin, Russian developer of the electronic musical instrument “theremin” (made lots of the creepy and sci-fi movie sounds), developed a bug for the Russians, that they hid in a wooden replica of the Great Seal of the United States, that hung in the ambassador’s residence. The bug had no power, and emitted no radio waves. Instead, the Russians would aim a radio transmitter at the device (from a distance); when the device picked up sounds, a resonant cavity vibrated a small antenna, which disturbed the radio beam. A receiver on the other side would pick up the signal, decode the disturbances in the radio signal and turn it into listenable audio. (This method was later called the Buran eavesdropping method.)
                Here is a wiki link on the bug aka “the Thing”: http://en.wikipedia.org/wiki/Thing_(listening_device)

                and here is more on the great seal bug story: http://www.spybusters.com/Great_Seal_Bug.html

                This method was later developed by scientists in what is now known as the “laser microphone.” Laser microphones bounce a laser off a window. The window vibrates at audio frequencies. The reflected laser beam is then decoded to extract the audio.

                Now there are systems that combine Van Eck with Buran methods:
                A focused RF beam is pointed at a microphone or speaker. Mics and speakers generate electrical signals when they receive sound. These electrical signals disturb the radio beam, and those disturbances can be filtered out to reveal the audio, much like the laser microphone. The speaker and mic by nature are electrical transducers, and will locally generate the small electrical signals with no power present. In fact you could cut the wires, and as long as the diaphragm and coil are intact, it will still generate signal. If the speaker is powered, it will overpower what audio it could pick up, but then the surveillance will hear what the speaker is outputting.

                There is speculation that this method can be used on other computer components to capture actual digital data.

                The limits of this method… you need a team of experts to set up and monitor the system… it has to be reset any time the target speakers/mic move (i.e. harder for a laptop). Doesn’t work against TEMPEST hardened equipment or shielded rooms.

                More info for the group.
