Peter Cochrane's Blog: Security trap shows people are weakest link

Gleaning confidential info from some unsuspecting train-riders

Written in a railway station coffee shop somewhere in the UK and transmitted to via a commercial wi-fi node within the hour.

A few hours ago I boarded a train at a major UK hub at 16.00 on a working day. The car rapidly filled with people - among them an older man and two young ladies, who were obviously excited and voluble.

As I read my magazine I couldn't help but overhear that they had just been to a lively and controversial meeting. Some people had been rude and objectionable, while others had been constructive and positive.

Just for fun I decided to operate in 'vacuum cleaner mode' and record information as the journey progressed. Soon I had a list of their colleagues' names, departments and organisations.

I was then able to record from their three identical laptops the department, serial, asset, and purchase order numbers - which were displayed on big black-and-white printed labels in the same place on every lid. I was even able to glean the login name and password of the young lady on my right - just by glancing at her screen and watching her keystrokes.

The conversation continued (loudly!) and I continued to record more information. From the young lady to my right, who continued to show me her screen and placed her paperwork between us, I recorded the following details:

  • The names and duty codes of all three people
  • Their department details and office address
  • All three email and snail mail addresses, and phone numbers
  • A list of all names and departments represented at the meeting
  • The time, place and agenda of the meeting
  • Specific briefing/query/detail notes as they were emailed out
  • The IT support contact's name, email and phone number
  • The name and details of a confidential project which was not meant to be discussed in public
  • Ideas and thoughts on a pending follow-up meeting and strategy

By this time my hand was getting tired and my brain was hurting. So I did a visual and electronic scan of their hardware to see what that offered.

They all had identical security dongles and all three were online using 3G...