Like many others, I endure a daily commute into London by train.
Until recently I passed my time reading a newspaper. Lately though
I have restricted myself to reading whatever I can see around me.
Currently the most easily viewable material, barring used copies of
Metro, is people's laptops, and as a self-confessed computer
spotter with an interest in IT security I never cease to be amazed
at what is available. This amazement has grown since
Wi-Fi became free to travellers earlier this year.
Historically I have reserved my seat, sat where allocated, and
have largely limited my "viewing" to someone's laptop by electronic
means. This could involve searching for an incorrectly configured
Wi-Fi card, deploying Wireshark and Kismet (sniffers), or setting
myself up as a rogue access point. These days I do not bother.
Invariably whoever sits next to me automatically switches on their
laptop, logs into the free Wi-Fi and settles down to work.
This growing band of "train workers" conducts their business, no
matter how sensitive, with little or no interest in their
surroundings. The majority fail to consider even the most basic of
security measures. User names and login passwords are visibly
entered, encrypted volumes opened and virtual private networks
accessed.
Once online and truly embroiled in their work, even those with a
modicum of security awareness appear to ignore their surroundings,
and act as if in their office. They are so engrossed that the
person sitting near to them, if quick enough, can note all of their
logon and security details.
Even more helpfully, many companies place their logo or
identifying asset tag prominently on the laptop, allowing quick and
easy targeting. Combined with an individual's security pass, I am
provided with all manner of useful information. I can attempt to
socially engineer that person and, if I cannot talk to them, I can
at least gauge for myself the sensitivity of what I am likely to
see.
In the last month I have "shoulder-surfed" a high-ranking officer
from the Ministry of Defence accessing his e-mails and reading
documents clearly marked with a caveat, and watched a lawyer drafting
legal submissions for a well-known company. My favourite, though, is
an employee of a well-known security company drafting a document
entitled "IT policies and procedures for the use of laptops in
public places".
Stifling a laugh, I watched him write, "laptops were not to be
used on public transport as they could easily be overlooked". He
was right. Combined with the company logo used as wallpaper for his
desktop, I was able to quickly ascertain that the policies were
outdated, clearly not followed, and in all probability the
company's attitude to security would be, at best, mediocre.
Next time you are sitting on a train contemplating working whilst
travelling, remember the advice: "laptops were not to be used on
public transport as they could easily be overlooked". You never
know who may be sitting near you.