[ISN] Computer security when travelling by train – an expert’s observation

From: InfoSec News <alerts_at_private>
Date: Fri, 24 Oct 2008 04:08:42 -0500 (CDT)

By Bob Lewis
Computer Weekly
21 Oct 2008

Like many others, I endure a daily commute into London by train. Until 
recently I passed my time reading a newspaper. Lately though I have 
restricted myself to reading whatever I can see around me. Currently the 
most easily viewable material, barring used copies of Metro, is people's 
laptops, and as a self-confessed computer spotter with an interest in IT 
security I never cease to be amazed at what is available. This amazement 
has grown since Wi-Fi became free to travellers earlier this year.

Historically I have reserved my seat, sat where allocated, and have 
largely limited my "viewing" to someone's laptop by electronic means. 
This could involve searching for an incorrectly configured Wi-Fi card, 
deploying Wireshark and Kismet (sniffers), or setting myself up as a 
rogue access point. These days I do not bother. Invariably whoever sits 
next to me automatically switches on their laptop, logs into the free 
Wi-Fi and settles down to work. ADVERTISEMENT Every Page Counts For Low 
Environmental Impact

This growing band of "train workers" conducts their business, no matter 
how sensitive, with little or no interest in their surroundings. The 
majority fail to consider even the most basic of security measures. User 
names and login passwords are visibly entered, encrypted volumes opened 
and virtual private networks accessed.

Once online and truly embroiled in their work, even those with a modicum 
of security awareness appear to ignore their surroundings, and act as if 
in their office. They are so engrossed that the person sitting near to 
them, if quick enough, can note all of their logon and security details.

Even more helpful, many companies place their logo or identifying asset 
tag prominently on the laptop, allowing quick and easy targeting. 
Combined with an individuals' security pass, I am provided with all 
manner of useful information. I can attempt to socially engineer that 
person and if I cannot talk to them, I can at least indicate to myself 
the sensitivity of what I am likely to see.

In the last month I have "shoulder-surfed" a high ranking officer from 
the Ministry of Defence accessing his e-mails and reading documents 
clearly marked with a caveat and watched a lawyer drafting legal 
submissions for a well known company. My favourite though, is an 
employee of a well-known security company drafting a document entitled 
"IT policies and procedures for the use of laptops in public places".

Stifling a laugh, I watched him write, "laptops were not to be used on 
public transport as they could easily be overlooked". He was right. 
Combined with the company logo used as wallpaper for his desktop, I was 
able to quickly ascertain that the policies were outdated, clearly not 
followed, and in all probability the company's attitude to security 
would be, at best, mediocre.

Remember next time you are sitting on a train contemplating working 
whilst travelling, the advice "laptops were not to be used on public 
transport as they could easily be overlooked". You never know who may be 
sitting near you.

Register now for HITBSecConf2008 - Malaysia! With 
a new triple-track conference featuring 4 keynote 
speakers and over 35 international experts, this 
is the largest network security event in Asia and 
the Middle East! 
Received on Fri Oct 24 2008 - 02:08:42 PDT

This archive was generated by hypermail 2.2.0 : Fri Oct 24 2008 - 02:17:59 PDT