Last Modified:                                                                                                

Homepage / Publications & Opinion /

Security trap shows people are weakest link
Gleaning confidential info from some unsuspecting train-riders
Written in a railway station coffee shop somewhere in the UK and transmitted to via a commercial wi-fi node within the hour.

A few hours ago I boarded a train at a major UK hub at 16.00 on a working day. The car rapidly filled with people - among them an older man and two young ladies, who were obviously excited and voluble.

As I read my magazine I couldn't help but overhear that they had just been to a lively and controversial meeting. Some people had been rude and objectionable, while others had been constructive and positive.

Just for fun I decided to operate in 'vacuum cleaner mode' and record information as the journey progressed. Soon I had a list of their colleagues' names, departments and organisations.

I was then able to record from their three identical laptops the department, serial, asset, and purchase order numbers - which were displayed on big black-and-white printed labels in the same place on every lid. I was even able to glean the login name and password of the young lady on my right - just by glancing at her screen and watching her keystrokes.

The conversation continued (loudly!) and I continued to record more information. From the young lady to my right, who continued to show me her screen and placed her paperwork between us, I recorded the following details:

  • The names and duty codes of all three people
  • Their department details and office address
  • All three email and snail mail addresses, and phone numbers
  • A list of all names and departments represented at the meeting
  • The time, place and agenda of the meeting
  • Specific briefing/query/detail notes as they were emailed out
  • The IT support contact's name, email and phone number
  • The name and details of a confidential project which was not meant to be discussed in public
  • Ideas and thoughts on a pending follow-up meeting and strategy

By this time my hand was getting tired and my brain was hurting. So I did a visual and electronic scan of their hardware to see what that offered.

They all had identical security dongles and all three were online using 3G...

For the most part there seemed to be no sign of wi-fi or Bluetooth, but curiously there seemed to be some glitch where each laptop gave a burst of wi-fi as the laptop lid was either closed or opened.

I got some data identifying each machine, but I'm not sure how useful it might be, and I didn't have a full suite of software with me to do anything more powerful.

So it looks like IT did a good job in securing these devices, but unfortunately they then gave them to insecure people!

The man made several phone calls, they continued to discuss the meeting, including writing several emails, and I got even more insight into their work.

Once I came within 20 minutes of my destination, I became moved to disclose my activity. I said: "Excuse me folks but I have something I have to ask you, have you had any security training?"

They responded with silence and a quizzical look, so I revealed what I knew about them. They then looked a little ashen!

I saw no reason to introduce myself or give them any information about me, but I did say I am not from 'the dark side', and then explained what I would do if I was. Their shade went a little greyer!

After a brief discussion about not making themselves obvious targets, I tore up my paper notes in front of them and left them on the table. I also assured them that I had committed nothing to memory, and was not using the voice recorder on my laptop. I then left the train and headed for the coffee shop.

Should I have done this? I don't know! But I hate to see people putting their data and their careers at risk unnecessarily.

Does this type of incident happen often? Well, I have to say more than I would like. Last week in a coffee shop I sat behind a man booting up a laptop with a most interesting login screen: the American eagle embedded in the badge of the CIA. Now to someone with a different mindset than mine, that could have been a laptop worth stealing!