By Bob Lewis
21 Oct 2008
Like many others, I endure a daily commute into London by train. Until
recently I passed my time reading a newspaper. Lately though I have
restricted myself to reading whatever I can see around me. Currently the
most easily viewable material, barring used copies of Metro, is people's
laptops, and as a self-confessed computer spotter with an interest in IT
security I never cease to be amazed at what is available. This amazement
has grown since Wi-Fi became free to travellers earlier this year.
Historically I have reserved my seat, sat where allocated, and have
largely limited my "viewing" to someone's laptop by electronic means.
This could involve searching for an incorrectly configured Wi-Fi card,
deploying Wireshark and Kismet (sniffers), or setting myself up as a
rogue access point. These days I do not bother. Invariably whoever sits
next to me automatically switches on their laptop, logs into the free
Wi-Fi and settles down to work.
This growing band of "train workers" conducts their business, no matter
how sensitive, with little or no interest in their surroundings. The
majority fail to consider even the most basic of security measures. User
names and login passwords are visibly entered, encrypted volumes opened
and virtual private networks accessed.
Once online and truly embroiled in their work, even those with a modicum
of security awareness appear to ignore their surroundings, and act as if
in their office. They are so engrossed that the person sitting near to
them, if quick enough, can note all of their logon and security details.
Even more helpful, many companies place their logo or identifying asset
tag prominently on the laptop, allowing quick and easy targeting.
Combined with an individual's security pass, I am provided with all
manner of useful information. I can attempt to socially engineer that
person and if I cannot talk to them, I can at least indicate to myself
the sensitivity of what I am likely to see.
In the last month I have "shoulder-surfed" a high ranking officer from
the Ministry of Defence accessing his e-mails and reading documents
clearly marked with a caveat and watched a lawyer drafting legal
submissions for a well known company. My favourite, though, is an
employee of a well-known security company drafting a document entitled
"IT policies and procedures for the use of laptops in public places".
Stifling a laugh, I watched him write, "laptops were not to be used on
public transport as they could easily be overlooked". He was right.
Combined with the company logo used as wallpaper for his desktop, I was
able to quickly ascertain that the policies were outdated, clearly not
followed, and in all probability the company's attitude to security
would be, at best, mediocre.
Remember next time you are sitting on a train contemplating working
whilst travelling, the advice "laptops were not to be used on public
transport as they could easily be overlooked". You never know who may be
sitting near you.