Tuesday, 2 December 2008

Social engineering

Social engineering;
Psychology, sociology and intelligence gathering

In this article, we think and take a good look at ourselves and others around us…

Human nature is a very complex subject, but social engineering is a fundamental building block from which good intelligence can be gathered, if managed correctly.

The history of social engineering goes way back in time, to when man started to lie to woman; each day we say something engineered to get a desired response: “of course your bum does not look big in that dress”.

Social engineering within intelligence gathering was refined as we know it today during World War II and later in the Cold War, when all parties started looking for the upper hand and made use of psychology for the first time in its more “advanced” form, although the use of psychology and sociology in intelligence gathering and warfare is documented in the ancient Chinese text, “The Art of War”.

Today many intelligence agencies employ full-time psychologists and sociologists, not only in an analytical role but also as part of the fundamental training programme. Each potential intelligence officer is looked at for possible weakness and “suggestiveness”; that is, can the agent be manipulated, turned or weakened into divulging sensitive information.

The very art of social engineering is to gather intelligence through conversation, electronic or physical, with one party unwittingly divulging information without even being aware that they are doing so, or thinking that the information is being given to an official body, company or organisation. It is an art form that rarely receives the praise that is justified: an agent lulling a target individual into a false sense of security, making that person give over information freely.

There are many techniques, such as “Pretexting”: the art of making a telephone call with a view to fooling the person on the other end into giving you personal or sensitive information. If, for instance, you knew that a target banked with “the bank of mars”, you could telephone that individual and state that you were from the bank, wishing to discuss account activity – first asking direct probing security questions: mother’s maiden name, social or national security number, passport number etc.

This information could then be used for fraudulent activity; this technique is also, it has to be said, employed by companies carrying out corporate investigations. Pretexting is an important tool in intelligence gathering, often making use of female “soft/sweet speaking” operatives for best effect. A well trained operative could get any information with ease from the right target at the right moment, a moment of weakness when trust can be misplaced.

Many government agencies and all specialist intelligence firms employ psychological methods to gain vital intelligence. While the use of these methods may be more long term, they more often than not produce the best results, albeit over a period of time.

Social engineering is one of the most widely known methods deployed today. It can easily be described as building up a relationship and/or false confidence with an individual in order to get that person to divulge information, sometimes without them even knowing that they have done so, or the value of the said information.

Top experts in espionage will pinpoint key personnel within an organisation or company to target. This member of personnel will have access to sensitive and often confidential data; the individual will be targeted with a number of things in mind, generally a weakness that can be exploited in order to gain intelligence.

Often we will see more than one social engineering technique being used, for example “Pretexting” used in combination with “Phishing”: not relying on only one method of intelligence gathering, but spreading the odds of gathering useful intelligence.

“Phishing” is a relatively new technique, first appearing on our computer screens in the mid to late 1990s with the expansion and growth of the internet and “email” usage. Phishing involves an email supposedly from your bank or, for example, “eBay”, asking you to log on via a given link or webpage. The idea is that the link given leads to a page or set of pages controlled by the individual sending the said email.

The web page would be an exact copy of your bank’s own login page; you enter your login details – if they are pushing their luck they will ask you additional security questions too! Before you know it, you have a login error and give up – by now your bank login details are being used in Nigeria and money is being withdrawn.
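A defender-side check for the mismatch described above, added here as an example and not part of the original article: it flags links in an HTML email whose destination host is not under the domain the message claims to come from, or whose visible text names a different host than the link really targets. The sample message, all domain names and the function names are constructed for illustration.

```python
import ipaddress
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message; every name and address in it is made up.
SAMPLE_EMAIL = """\
From: "Bank of Mars Security" <alerts@bankofmars.example>
To: customer@mail.example
Subject: Unusual account activity
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please confirm your details:</p>
<a href="http://bankofmars.example.login-check.test/signin">https://www.bankofmars.example/login</a>
<a href="https://www.bankofmars.example/help">Help centre</a>
<a href="http://192.0.2.10/bank/login.php">Log on here</a>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value):
    """Host part of a URL-like string ('' if it cannot be parsed)."""
    value = value.strip()
    if "://" not in value:
        value = "//" + value  # lets urlsplit read "www.site.example/x" as a host
    try:
        return urlsplit(value).hostname or ""
    except ValueError:
        return ""


def shown_host(text):
    """Host named in the visible link text, if that text is itself URL-like."""
    text = text.strip()
    if not text or " " in text or "." not in text:
        return ""  # ordinary wording such as "Log on here"
    return host_of(text)


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def audit_email(raw_message):
    """Return [(href, [reason, ...])] for every suspicious http(s) link."""
    msg = message_from_string(raw_message)
    # The From header can be forged; it is used only as the identity the
    # message *claims*, which the links are then compared against.
    claimed = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        charset = part.get_content_charset() or "utf-8"
        body = part.get_payload(decode=True).decode(charset, errors="replace")
        collector = LinkCollector()
        collector.feed(body)
        for href, text in collector.links:
            if not href.lower().startswith(("http://", "https://")):
                continue
            target = host_of(href)
            reasons = []
            if not (target == claimed or target.endswith("." + claimed)):
                reasons.append("off_domain")      # not under the claimed domain
            if shown_host(text) and shown_host(text) != target:
                reasons.append("text_mismatch")   # text shows one host, href another
            if is_ip_literal(target):
                reasons.append("ip_literal")      # bare IP instead of a name
            if reasons:
                findings.append((href, reasons))
    return findings


if __name__ == "__main__":
    for href, reasons in audit_email(SAMPLE_EMAIL):
        print(href, reasons)
```

The first sample link shows why a substring match is not enough: the bank's name appears at the start of the host, but the registrable domain is the part at the end.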

While the banking community is always striving to improve its security policies, both for telephone and internet banking, the criminal will always try to stay one step ahead – social engineering techniques are one of the best weapons available; free of charge.

The Russian intelligence services were expert in selecting a target who could be exploited to the maximum, often taking great time and effort in cultivating a relationship long before any information would change hands. The system used by the Russians was referred to by the acronym MICE, standing for Money, Ideology, Coercion, and Ego. Money is self-explanatory; individuals who have a poor financial situation and face debt will often pass over sensitive documentation for the right price.

Of course other intelligence organisations and firms have their own version of MICE, some even employing personnel with degrees or PhDs in psychology who can easily spot a good victim.

A good example of social engineering and the use of MICE came in 2005, when a British accountant at KPMG Financial Advisory Services in Bermuda was telephoned by a man identifying himself as Mr Nick Hamilton. Hamilton said he needed to meet to talk about matters of utmost importance.

Nick Hamilton was not an agent of Her Majesty's secret service and the documents never found their way to the British government. Nick Hamilton was in fact Nick Day, a former British agent and co-founder of a private intelligence company, Diligence LLC, the client of which was Barbour Griffith & Rogers, a lobbying firm from Washington DC. Barbour Griffith represented a Russian conglomerate whose archrival, IPOC International Growth Fund Ltd., was being audited by KPMG's Bermuda office.

Within Day’s company Diligence the KPMG campaign was codenamed Project Yucca. At lunch, Day, who is a typical English gentleman, said the assignment he had in mind for Enright was top secret and involved Britain's national security. Day, it is alleged, kept the conversation vague, not mentioning IPOC or the audit. Day told the accountant he would have to carry out a British government background check to ensure that he was up to the task. Day, it is alleged, produced an official-looking but fake British government questionnaire, complete with government seal at the top, and asked for information about Enright's parents, his professional background, any criminal history, political activities etc.

Over the course of two meetings, it is alleged that Hamilton led the KPMG accountant to believe he was a British intelligence officer. He told the accountant he wanted information about a KPMG project that Hamilton said had national security implications for Great Britain.

Posing as Nick Hamilton, Day, it is alleged, built up a trustworthy relationship with the accountant in question and obtained much documentation and advance information regarding the audit.

KPMG were hired by Russian conglomerate Alfa Group Consortium hired Barbour Griffith & Rogers through a subsidiary and the lobbying firm in turn hired the firm co-founded by the former British agent. Alfa was duelling with IPOC for a large stake in the Russian telecom company MegaFon. Soon after another meeting, Enright was handing over confidential audit documents, including transcripts of interviews KPMG had conducted in the IPOC investigation. It is said that Diligence was paid handsomely for its work. An invoice produced in a federal court proceeding in Washington involving IPOC and Diligence shows that Barbour Griffith was billed by Diligence "For Bermuda report and Germany work--A Telecom."

The bubble on this operation burst on October 18th 2005 after an unidentified individual dropped off a pile of paperwork which included Diligence business records and e-mails with details of Project Yucca.

On November 10th, 2005, KPMG Financial Advisory Services sued Diligence for fraud and unjust enrichment in U.S. District Court in Washington. On June 20, 2006, the case settled. Diligence paid KPMG $1.7 million, according to a person familiar with the settlement.

On June 15th, 2006, IPOC sued both Diligence and Barbour Griffith & Rogers in the same District Court, alleging civil conspiracy, unjust enrichment, and other misdeeds. That case is pending.

The manipulation of others is human nature – one technique that has come to light in recent years uses the psychology of human weakness in our inquisitiveness. For example, you send an email to a victim with an attachment; you clearly mark the email so that the individual knows full well that the email was sent to them in error; the attachment contains a virus in the form of a Trojan, spyware or monitoring software.

Individuals have even been tricked into switching off anti-virus software to be able to open an attachment that they think contains “juicy” information, for example information on what wages are being paid to whom, or client information. Eight out of ten people will open that attachment; the same can be said if you left a disk around with a clear label stating that it is something to do with accounts or personnel files – it won’t get handed in until people have looked at it, just like a paper file that says “confidential”; people’s inquisitiveness will get the better of them.

Social engineering is no exact science; there is no right and wrong way to use its many varied techniques. It’s all about what works and with whom; no one single person can be fooled at any given time. It is all about approach, timing, confidence and believability; these things, along with the state of mind of the victim at that given moment in time.

If we use the Church as an example, while not the most politically correct of examples: how often has the church been accused of manipulating parishioners into giving or bequeathing monies when they could be seen as being at their weakest or lowest point? We could also use as an example the beggar with the dirty child or little puppy at their side, or the lone businessman duped by the blonde in the hotel bar – all social engineering, all psychology, sociology and intelligence gathering.

Finally, it must be added that the very nature of human behaviour and our weakness can be easily exploited to gather intelligence by the use of basic and advanced psychological techniques. This aside, good intelligence can also be gathered via the observation of and/or eavesdropping on others, for sometimes those with the intelligence we require will freely give up their knowledge in boasting and bragging to their peer group. In a twisted form, if you can make an individual brag or boast via social engineering, that’s good, but one must question the quality of intelligence gathered in this manner, just as one would question intelligence gathered via the use of torture or physiological pressure.

Of course today these very techniques are being used not only by intelligence agencies and police forces worldwide, but by marketing agencies, fraudsters, scammers, and hackers; why? Because they are low cost and highly effective, and the basic techniques are relatively easy to understand and practise.

Alex Bomberg is the founder of UK based International Intelligence Limited (www.int-int.co.uk), a member of RUSI and a former aide to the British Royal family. Alex advises a number of governments, Royal families, corporations and individuals on the issues of counter espionage, TSCM sweeps, covert surveillance and intelligence, technical and physical. Alex is an expert in telephone tapping and email interception.

Saturday, 29 November 2008

Countering Espionage - A modern threat


Corporate Espionage was once thought of as a risk that only affects the richest of companies in high-risk sectors or emerging markets; the latest trends suggest that this is far from the truth.

The history of espionage, thought by some to be the second oldest profession in the world, can be traced back to biblical times, with more than 100 references in the Old Testament. Sun Tzu's book "The Art of War", written around 500BC, deals specifically with intelligence networks and intelligence gathering. Unfortunately, as is often the case, history has not taught us the most basic of lessons: that intelligence is power; whether in business or war, he who has intelligence has the upper hand.

Many are naive enough to think that espionage comes straight out of the pages of Ian Fleming's James Bond, confined to Governments and the largest of corporations. They are very much mistaken. No one wants to be a victim, least of all admit to being a victim, yet the rewards for those carrying out espionage far outweigh the risks or expense involved.

Sad as it may seem, a simple device bought for as little as two hundred pounds can cost a company millions through lost corporate intelligence. At the lower end of the scale there is the office refuse; if this is not disposed of in the correct manner it can be yet another source of leaked information within companies or organisations.

Directors, management and IT personnel of many companies fail to understand the fundamental basics of countering espionage and the techniques employed by those carrying out such activities. Millions of pounds are spent each year on eavesdropping transmitters, computer keystroke loggers and telephone recording systems.

Everyone wants to know what everyone else is doing in business, and for some it makes sense to have a budget for "intelligence" prior to entering into litigation suits, hostile takeovers or mergers and acquisitions.

Litigation, for example, is an area of complex issues, cross border or otherwise, where technical surveillance has, in the past, been used to affect the outcome of a given case.

When a case is worth £500 million, spending £50,000 on winning makes sense to many companies, and far outweighs the risks of becoming the loser.

The level of the risks involved in Corporate Espionage is all relative to the financial rewards. The level of the technology employed is relative to the investment.

It is more and more evident that few security companies fully understand the technology involved, or how communications operate or are intercepted/manipulated, leaking vital corporate intelligence to competitors.

Some Technical Surveillance Counter Measures (TSCM) firms are so far behind that the advice that they pass on to their clients is often futile. With budgets in the tens of thousands of pounds, a telephone can be intercepted miles away from the target location and monitored from the other side of the world, live. Each call is time and date stamped, in turn recorded on a computer for later evaluation. The fact of the matter is, in some cases a TSCM sweep is of no use when technical surveillance can be so remote. Better understanding is needed, both of the modus operandi and of the latest technology.

Few TSCM firms understand just how far an espionage budget of £20k can go. TSCM sweeps as part of a security housekeeping policy do make sense if carried out to include computer systems, rooms and telephone lines to local exchange level. It is true to say that the basic technical principles of espionage technique have not changed too much over the past twenty years since the end of the Cold War. However, the movement in technology and the vast use of communications spanning the world have led the public into a false sense of security and apathy when employing these communication techniques. Any type of electronic communication can be intercepted at one level or another; the TSCM firms would be best utilised identifying the areas of weakness and employing measures to combat these possible areas of weakness.

Office Security
Many large companies fall foul of size and general lack of in-house security policies, making espionage far easier and easier still with inside information. The placement of bugging devices in offices or boardrooms is not always the first option for espionage; often the logistical problems involved in a live covert device far outweigh the benefits. However, should access have been gained via inside information or chance, many of those carrying out espionage prefer to install hardwired GSM based devices, solving power and distance issues.

Cat5 cabling, for example, is a good carrier for installing covert microphones. A GSM device being located elsewhere in the complex acts as a "voice activated transmitter" and is almost impossible to locate during a TSCM sweep of the given boardrooms or offices. Having a good internal security policy will aid a company and deter potential offenders. Staff should challenge visitors not displaying a visitor's badge; visitors should be met at reception and not left unattended. Workmen also should not be left unattended and all companies should employ a clean desk policy where possible.

A device placed on the telephone line can be as far as five miles away prior to the line entering the local exchange. A simple device that tests line voltage or impedance will not detect hi-tech devices unavailable to the general public.

These varieties of device are normally of GSM type and utilise the power from other sources within the local exchange/cabinet. They are nigh on impossible to detect without a physical check of the line up to the local cabinet (green roadside cabinet) level. Securing an external landline to the property need not be an expensive encryption system; replacing an analogue system with digital ISDN/ADSL system will ensure that the line is far more secure. Fibre-optic cables cannot be tapped into with ease unlike a twisted copper pair; a "pod-splitter" and true line identification are required.

Cellular telephones
The fact is, that while it costs in excess of £250k for the necessary equipment for intercepting a cell phone, jamming the phone's signal costs less than a tenth of that price and is far easier on an operational basis. A target uses a cellular telephone because she/he thinks that it is the most secure way of communicating. A cellular jammer can be deployed to jam the cellular telephone, forcing the target to use the landline that is intercepted. Keeping it simple counts, low risk and high gains.

Computer Systems/Email
Trojan Viruses sent to targets via email can contain complex keystroke logging programmes or open back doors to computer systems. At the lower end of the scale, there are many of such programmes freely available on the Internet, at a low cost or for no cost at all. At the higher end of the scale there can be hackers targeting a business/director in order to gain given intelligence on sensitive financial matters. The cost of the latter option, whilst in the thousands of pounds mark is, as I have previously covered, worth the risk in the larger cases.

New, off-the-shelf computers are not as secure as users might think; the default settings are insecure and need to be configured prior to connection to the outside world. The most basic of steps should always be taken: updating anti-virus software on a weekly basis, backing up networks and installing a hardware firewall are just some of the easiest options to employ as a counter measure. The best answer to computer security is file and email encryption, though only provided that the computer system is firewall protected.

Bluetooth™ and Wireless connections
Wireless computer connections are high risk and can, if not set up correctly, be intercepted with ease by external attack. This risk has been highly reported over the past two years, but many manufacturers have still failed to change the default settings of their devices, thus enabling other "attacking" systems to connect and download vital information such as address books and other files, all without the user's knowledge. Overall, what must be taken on board is that no one wants to work in a locked down environment, but in a secure one. All security recommendations need to be both affordable and workable, the simpler the better, realistic and in keeping with the level of possible threat.

Don’t arm terrorists

Alex Bomberg and John Bradridge reveal how UK security manufacturers should guard against their equipment falling into the wrong hands.

In the defence industry today more than any other, due diligence must play a vital role in the war against terror and, as part of any company’s housekeeping policy, it should be employed at the initial stages of any joint venture and agent selection.

While the task of carrying out due diligence can involve complex networks of ownership, directors and links to government officials, in some ways common sense is the first indicator.
It is a fact that people do more to carry out checks on potential partners in relationships than they do when it comes to financial deals and business partnerships, but what could once have been sealed with a handshake now requires a series of checklists, meetings, decisions and the added cost of peace of mind.

So what is due diligence? It is best described as: “The process of systematically evaluating information, to identify risks and issues relating to a proposed transaction, i.e. to verify that information is what it is proposed to be”.

Due diligence must in every case be a measured, reasonable investigation into a company, group of companies or individuals to obtain intelligence which allows you to make an informed decision based on what you have discovered, without being totally reliant on it.

The definition of due diligence is simple. What is not simple is how to carry it out, when to carry it out or even how much should be built into the budget to pay for carrying it out.

But what link does this all have with terror, you might ask? The answer is that in 2004/5, there were two cases where separate companies both sold defence products to companies in the Middle East. Items from both companies have since been found on dead Taliban fighters and an investigation is underway by the authorities.

Due diligence can be split into sections:
  • Company information - directors' names, formation and ownership details
  • Financial information - current turnover and past returns
  • Legal history - judgements past, present or pending
  • Political risk indication - country and region

While the above can be broken down further into complex discussions and argument, it represents the fundamental basics of what needs to be investigated to help with decision-making. Every company can undertake a level of due diligence at no cost whatsoever just by having a set standard in place and a check list for every supplier, agent or end-user. This information must, of course, be verified, but just asking for it will in itself add to a company's security.

Prior to any business relationship, basic information should be requested in a formal document drawn up either as part of a non-disclosure agreement (NDA) or as a stand-alone document. Gathering copies of documentation and basic information will act as a basis, the start of a lengthy process that will culminate in a well-founded decision.

A formal request should be made for the following:

  • Names, addresses and dates and places of birth of all company directors
  • Past employment of directors
  • Names, addresses and dates and places of birth of all company shareholders (non-listed companies)
  • Company formation documentation
  • Company structure
  • Company insurance documentation
  • Office locations and registered head office

Any company being asked to submit the above information will, if intending to commit any fraud or unlawful act, think twice before proceeding with any transaction.

Available today on the internet is a vast arsenal of information which is easy to use and can save a company thousands of pounds on the cost of due diligence. Understanding how search engines work can be daunting, but the basics for finding out information are quite simple and rudimentary facts can be obtained via this method.

However, investigation or intelligence gathering is only a part of due diligence, because financial data needs to be examined just as fully for abnormal, unexplained rises or falls in turnover or profit. Whilst Companies House in the UK can be a great source of information on a UK-registered company, many other countries do not have what can be described as reasonable company registration procedures.

Where a country does not have an easily accessible database of listed companies, and financial or tax returns listings, the process of due diligence becomes more complex and expert help is required.

Many UK companies call on the service of business intelligence providers to carry out due diligence on their behalf and, while a report may be forthcoming, the report in all its glory cannot in itself be relied upon when making a final financial decision; this can only be up to the instructing party.

Uncovering legal history can also be a headache even in most economically developed countries; it’s a case of knowing where to look for the information. Many companies are not going to quickly volunteer any legal complication they may have had in the past, yet this area is key to the success of any possible relationship.

Since the internet has evolved, the task of uncovering legal history has in some cases become easier and misdemeanours, case history and legal judgements are also reported on within the national, local and business press. However, this may not be the case in some jurisdictions and, in the age of jet travel, it is perfectly possible that some individual or groups of individuals may have committed and/or been charged with a crime in another part of the world. The possibility of this happening should not be overlooked or underestimated.

Political risk indicators about whether a particular country or region is stable should also be examined. Always ask yourself whether a sudden change of government, government policy or law in the country concerned would put an end to any deal you may have been planning?
This area is far from uncomplicated. Our own government often fails to read or judge what is happening and little foresight is a poor excuse and is no defence for not trying to address this issue or, at the very least, to consider the implications. History is often not that good an indicator of possible upheaval; so keeping abreast of changes in the laws of a country is more a matter of having your finger on the pulse, investigation and monitoring situations as they develop.
But remember – any due diligence report is only a snapshot in time, so fresh investigations should be carried out at regular intervals to identify changes in company directors, ownership and company direction.

Alex Bomberg is a member of the Royal United Services Institute and an expert in intelligence gathering and counter espionage.

John Bradridge is a former senior Police Officer. They both work for Cotswold-based International Intelligence Limited, which acts for corporate and government clients.

Wednesday, 26 November 2008


The number of high profile espionage cases reported in the world press covers all business sectors, from Sport and Retail through to IT and International Aviation; this shows that in business today espionage is on the rise due to the narrowing of profit margins and the emergence of new markets.

The counter espionage training course encompasses basic through to intermediate understanding of espionage technique with an emphasis on countering such a threat. This course also serves to give an understanding of Technical Surveillance Counter-Measures (TSCM) sweeps and the deployment of technical counter-measures equipment.

Who would benefit from this course?
This course is designed for Company Managers and Directors who have a responsibility for company and personnel security, and for other professionals working in sensitive project areas or in litigation.

What skills will you gain?

The ability to:
  • Understand the fundamental basics of espionage technique
  • Understand financial and economic implications
  • Carry out a basic espionage risk assessment
  • Identify risk & implement sensitive project security procedures


This course is based on Special Forces doctrine and high risk surveillance operations, and covers technical and physical surveillance to advanced level. This course is designed for those who have either completed our Surveillance course or who have past experience of basic surveillance technique.

Who would benefit from this course?
Anyone who wishes to work in the field of surveillance and investigations, or members of Close Protection teams who wish to raise their individual level of awareness and training.

What skills will you gain?

The ability to:
  • Plan and execute a high risk surveillance operation
  • Undertake intelligence gathering and research
  • Close target surveillance
  • Carry out covert eavesdropping
  • Undertake covert filming tasks
  • Understand team management & roles


This surveillance course covers basic through to intermediate skills that are required to carry out surveillance. Surveillance is a complex subject and covers a number of skill sets; the aim of this course is to enable a surveillance operative to plan and carry out a surveillance operation that is within the law, gather evidence and progress through to writing a report that is admissible within a UK court.

Who would benefit from this course?
Anyone who wishes to work in the field of surveillance and investigations, or members of Close Protection teams who wish to raise their individual level of awareness and training.

What skills will you gain?

The ability to:
  • Plan and execute a surveillance operation in a rural or urban environment
  • Take covert video or photography and understand techniques employed
  • Carry out counter-surveillance drills
  • Understand the basics of surveillance and the UK law
  • Report writing and an understanding of the evidence UK courts require


The Defensive Driving Course will benefit the overall service that you are able to give your Client. Our course is aimed at reducing not only the loss of personnel and vehicle by road traffic incidents, hi-jack or ambush, but also will go a long way to educate the workforce as to the real dangers of terrorist and criminal activities and help them to recognise a potential situation before it develops.

The course content will be delivered by former members of The British Army and Police Officers using tried and tested Police Advanced Driving and Special Forces techniques.

The course is aimed at professional drivers and individuals who face a certain level of threat. Whilst defensive driving takes time to master, the course will teach safe and progressive driving skills with further education into areas of risk and threat assessment.

As drivers you are responsible for your vehicle and those travelling within. The threat of hijack or kidnap is real. The tried and tested techniques learnt will give you the confidence and awareness to make quick and effective decisions in crisis situations.

The ability to execute:

  • Safe driving standards to RoSPA Level
  • System of car control
  • Anti ambush/hi jack drills
  • Counter surveillance
  • Personal security awareness
  • Hazards and observations
  • Route planning


  • RoSPA Advanced Drivers Test Certificate
  • BTEC Level 2 in Driver Development
  • Intelligent Training International Limited Certificate in Security driving competence