28 January, 2009

Old-fashioned spying

Dave Aitel, who once worked at the NSA, had a funny email on his list that included a mention of Saubhe Aldellemy, who operated a restaurant near NSA headquarters and Ft. Meade. Aldellemy was charged and apparently accepted a plea agreement for acting as an unregistered foreign agent (PDF) of Iraq, which is essentially legal speak for spying on behalf of the Iraqi Intelligence Service.

Using a restaurant near desirable targets is a well known method of gathering intelligence. It has been going on for decades at the least, and possibly as long as restaurants and a desire for non-public information have existed. I expect that the method was used extensively in the post-WWII and Cold War era.

Ira Winkler
, another former NSA employee, discusses the method in his book, Spies Among Us. Winkler also mentions a related method he uses when penetration testing, which is to go into restaurants near his target and take the business cards out of the fishbowls that a restaurant will set up for free drawings. Once he finds business cards from people at the target business, it gives him information to assist in social engineering and at times, in lieu of work identification, a business card can get him onto the grounds of the target business.

I suspect that spying against private entities is more attractive than it used to be, while spying against governments is still widespread. Whether it is for profit or government intelligence, you can bet that countries like the U.S.A., China, Russia, and many in the Middle East and EU all have programs like this. I also assume that at least some of the governments assist with spying against foreign corporations, not just government entities.

No matter the method of intelligence gathering, spying still goes on. Any company or government with sensitive information needs to be careful about methods like this. I have been in restaurants near government agencies, military bases and large companies, and they are definitely target-rich environments. Even the most paranoid and careful employees are likely to talk about something that could be useful to outsiders, either directly or to leverage additional information.

If you have information that is valuable enough, any company or entity that does not actually address the issue is asking for trouble.

No comments:

Post a Comment