H.D. Moore wasn't taking chances.
During the spring of 2009, the information specialist traveled to Shanghai on a work trip. For a computer, though, he carried only a stripped-down Netbook that he modified using a trick even James Bond would have admired. He sawed off the end of one of the laptop case screws and mashed a small bit of a crushed Altoids mint into the hole before putting the screw back in. After leaving it in his hotel room for a few hours, he came back to find that the powder had disappeared. Something had caused the battery to fail, and one of the three passwords protecting his machine had been wiped.
"More than likely it was tampered with," Moore, chief security officer at security firm Rapid7, said. While he concedes a "slim chance" that the battery just happened to die when he left the room, he notes that it's odd for dead batteries to start working again upon reboot, as his did. Not to mention the fact that the powder in the screw hole would have had to displace itself at the same time.
Welcome to the world of international corporate espionage, where USB sticks are favored tools for spies and bribable hotel workers are a dime a dozen. The problem is rampant, particularly in China, where the secrets in the laptops of U.S. officials and businessmen can reshape an industry or change the course of a war.
"Foreign Spies Stealing U.S. Economic Secrets in Cyberspace," a report issued last October by the U.S. Office of the National Counterintelligence Executive, warns of the dangers. "Whether traveling for business or personal reasons, U.S. travelers overseas -- businesspeople, U.S. government employees, and contractors -- are routinely targeted by foreign collectors, especially if they are assessed as having access to some sensitive information. Some U.S. allies engage in this practice, as do less friendly powers such as Russia and China. Targeting takes many forms: exploitation of electronic media and devices, surreptitious entry into hotel rooms, aggressive surveillance, and attempts to set up sexual or romantic entanglements."
Similarly, the report "China 2012 Crime and Safety Report: Beijing" warns: "All hotel rooms and offices are considered to be subject to onsite or remote technical monitoring at all times. Hotel rooms, residences, and offices may be accessed at any time without the occupants' consent or knowledge... All means of communication -- telephones, mobile phones, faxes, e-mails, text messages, etc. -- are likely monitored."
Sources within the U.S. government claim that during Commerce Secretary Carlos M. Gutierrez' trip to Beijing in December 2007, and relieved of data that was then used to try to hack into government computers in the U.S.
For Moore, the concern was that spies would get access to his corporate e-mail or pull schematics off his laptop related to the high-end network testing gear made by BreakingPoint Systems, where he worked at the time as security research director. He was in China specifically to show the equipment to government officials.
"I took a temporary laptop out for the trip," he said. "I wanted to make sure I had something I could destroy and set fire to later if I had to."
Specifically, Moore was worried that someone would copy his data to an external drive or install a program that could be used to remotely spy on the computer. To keep snoops out, he set up a password on the BIOS (Basic Input/Output System), as well as for the hard drive and used a TrueCrypt boot password too.
"Even with that level of paranoia, I had to step out of the hotel in Shanghai (French Quarter business hotel, not Western style), left my Netbook in the room, and two hours later when I returned the BIOS password had been wiped and the powder was gone from the screw hole," he wrote in an e-mail. "I didn't turn it on again until I landed in South Korea and had some time to inspect the motherboard. As far as I can tell, the BIOS was reset through the CMOS (Complementary metal-oxide-semiconductor) jumper/battery short, but no other changes were made."
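As an added example (not from the article, and not Moore's own setup), a small tamper-evidence check in the spirit of the Altoids powder: it snapshots the unencrypted boot files that a BIOS, disk or TrueCrypt boot password still leaves on disk, and after the trip reports anything added, removed or modified. The directory layout and file contents are constructed for illustration.

```python
"""Tamper-evidence baseline for unencrypted boot files (added example, not
from the article). Physical access can reset a BIOS password, as the CMOS
short above shows, so a before/after comparison of the boot directory is a
second line of evidence. Paths and contents below are constructed."""
import hashlib
import os
import tempfile
from pathlib import Path


def snapshot(root) -> dict:
    """Map each regular file under root to its SHA-256 digest and size."""
    root = Path(root)
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = Path(dirpath) / name
            if full.is_symlink():
                continue  # hash real files only; a target under root is seen anyway
            rel = full.relative_to(root).as_posix()
            digest = hashlib.sha256(full.read_bytes()).hexdigest()
            result[rel] = {"sha256": digest, "size": full.stat().st_size}
    return result


def compare(baseline: dict, current: dict) -> dict:
    """Diff two snapshots; any non-empty list means the boot files changed.
    Keep the baseline off the laptop, or a tamperer can update it too."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def demo() -> dict:
    """Constructed scenario: baseline a fake boot directory, then simulate a
    patched boot loader plus an extra dropped-in file, and return the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        boot = Path(tmp) / "boot"
        (boot / "grub").mkdir(parents=True)
        (boot / "vmlinuz").write_bytes(b"constructed kernel image")
        (boot / "grub" / "core.img").write_bytes(b"constructed boot loader")
        before = snapshot(boot)  # taken before the trip, stored elsewhere
        (boot / "grub" / "core.img").write_bytes(b"constructed boot loader, altered")
        (boot / "grub" / "extra.mod").write_bytes(b"constructed extra module")
        return compare(before, snapshot(boot))


if __name__ == "__main__":
    print(demo())
```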
Kevin Mitnick, who spent five years in prison on computer hacking charges, believes his background made him a target for surveillance during a trip to Colombia in 2008. (He was also coming back to the U.S. after that trip, but believes the spying incident is totally unrelated. Weird things just kind of happen to Mitnick.)
The 'aha' moment
Mitnick was in Bogota to give a speech to the newspaper El Tiempo and to visit his then-girlfriend. One night he had left his laptop in the room when he went out to dinner. When he came back his hotel room key wouldn't work. A yellow light appeared when he tried to open the door, which would indicate that it was locked from the inside. He didn't think too much about it, until this happened twice more following visits back down to the front desk to get new keys. The fourth key unlocked the door, finally.
But nothing seemed to be amiss with his computer, so Mitnick wasn't initially worried. Later, the laptop got dented on the flight back to the U.S. so he took it to an Apple store after he got home to get the chassis replaced. There he found that the screws were very loose and one was missing. He knew the screws had been tight because he'd installed a blank drive right before the trip as a security measure.
"That was the 'aha' moment," Mitnick said, referring to when he saw the loose screws and flashed back to the mystery hotel key failures. "I always suspected somebody cloned my hard drive... I highly suspect it happened but I have no proof. After that I was in paranoid mode."
Now he never leaves equipment in his room unattended. "I carry it with me wherever I go," said Mitnick, who is an author and security consultant. "I just put it in a book bag."
For people who absolutely can't take their computer with them for some reason, Mitnick suggests they put it in a "soft-cloth," untearable FedEx envelope, seal it, mark the closure with pen and put it in the hotel safe so if it is opened it will be noticeable. Spies can still get to it, but they'll find it difficult to tamper with it undetected, he said.
In one of the craziest tricks "spy hunter" James Atkinson has ever seen in his many years in the business, an executive took a micro SD card that contained sensitive data, wrapped it in plastic, and carried it inside his mouth between the gum and cheek.
"That's pretty extreme," said Atkinson, who is president of Granite Island Group and has taught counterintelligence to more three-letter U.S. government agencies than I care to name. "If they are in China and someone tries to take them into custody, they will swallow it and hope the government releases them before they have to go to the bathroom."
Spy versus spy
A common ploy to throw spies off is to store unimportant "decoy" encrypted data on a system, like song files or video, mixed in with some more interesting but still not sensitive files. The spies won't know how important the files are until after they've wasted time and energy decrypting them. "Feed them garbage," Atkinson said.
There's also the old video recorder-in-the-clock technique. "That wind-up clock you had on your dresser (facing your laptop), every time it sensed movement it recorded it," he said. "Or the power supply for your laptop had a recording system built into it and you set it on your desk and it videotaped everybody who touches your computer."
The video recorder can be deactivated when the user lays a gold ring with a special triggering magnet on the power supply. When the user puts the ring on his finger the video recorder starts recording again.
"I've known people who have taken laptops outside the country, who set them up in their hotel room with a hidden video recorder in the room and put the computer out strictly as bait," and left the hotel room, Atkinson said. When they came back and checked the video they saw "two people coming in with a briefcase, plugging in (a data stealing device) and copying everything on the computer," he said. "That was in Europe."
Atkinson recommends that, before and after traveling, people weigh their computer without the battery, weigh the battery by itself, and weigh the power supply separately too. Comparing the two sets of figures reveals whether someone managed to put a bug in any of the equipment.
"They may bug the power supply of a computer, bug a computer, suck everything off a computer, or just take the battery out, remove some cells from the battery and put a listening device in it," he said. "A good bug weighs no more than a fourth of a sugar cube, or a few paper clips."
He also suggests taking multiple power cords and batteries to confound eavesdroppers. "They put bugs in power cords, record the room audio, digitize it and slowly transmit it through the power lines, sneaking through (government) filters of classified areas," Atkinson said.
It's not only government officials and corporate executives who are at risk. Students from prestigious universities studying aeronautics, science, and other areas that may land them future government jobs are targets for blackmail by foreigners eager to recruit spies.
"As soon as you go through the airport and you have to show your passport to leave the United States, at that point in time you can trust nothing until you get back home," he said.