






From: InfoSec News <alerts_at_private>




Date: Fri, 24 Oct 2008 04:08:42 -0500 (CDT)






http://www.computerweekly.com/Articles/2008/10/21/232765/computer-security-when-travelling-by-train-an-experts.htm



By Bob Lewis

Computer Weekly

21 Oct 2008



Like many others, I endure a daily commute into London by train. Until
recently I passed my time reading a newspaper. Lately though I have
restricted myself to reading whatever I can see around me. Currently the
most easily viewable material, barring used copies of Metro, is people's
laptops, and as a self-confessed computer spotter with an interest in IT
security I never cease to be amazed at what is available. This amazement
has grown since Wi-Fi became free to travellers earlier this year.



Historically I have reserved my seat, sat where allocated, and have
largely limited my "viewing" to someone's laptop by electronic means.
This could involve searching for an incorrectly configured Wi-Fi card,
deploying Wireshark and Kismet (sniffers), or setting myself up as a
rogue access point. These days I do not bother. Invariably whoever sits
next to me automatically switches on their laptop, logs into the free
Wi-Fi and settles down to work.



This growing band of "train workers" conducts their business, no matter
how sensitive, with little or no interest in their surroundings. The
majority fail to consider even the most basic of security measures. User
names and login passwords are visibly entered, encrypted volumes opened
and virtual private networks accessed.



Once online and truly embroiled in their work, even those with a modicum
of security awareness appear to ignore their surroundings, and act as if
in their office. They are so engrossed that the person sitting near to
them, if quick enough, can note all of their logon and security details.



Even more helpful, many companies place their logo or identifying asset
tag prominently on the laptop, allowing quick and easy targeting.
Combined with an individual's security pass, I am provided with all
manner of useful information. I can attempt to socially engineer that
person and if I cannot talk to them, I can at least indicate to myself
the sensitivity of what I am likely to see.



In the last month I have "shoulder-surfed" a high-ranking officer from
the Ministry of Defence accessing his e-mails and reading documents
clearly marked with a caveat, and watched a lawyer drafting legal
submissions for a well-known company. My favourite, though, is an
employee of a well-known security company drafting a document entitled
"IT policies and procedures for the use of laptops in public places".



Stifling a laugh, I watched him write, "laptops were not to be used on
public transport as they could easily be overlooked". He was right.
Combined with the company logo used as wallpaper for his desktop, I was
able to quickly ascertain that the policies were outdated, clearly not
followed, and in all probability the company's attitude to security
would be, at best, mediocre.



Remember next time you are sitting on a train contemplating working
whilst travelling, the advice "laptops were not to be used on public
transport as they could easily be overlooked". You never know who may be
sitting near you.








Received on Fri Oct 24 2008 - 02:08:42 PDT




