Like many others, I endure a daily commute into London by train. Until recently I passed my time reading a newspaper. Lately though I have restricted myself to reading whatever I can see around me. Currently the most easily viewable material, barring used copies of Metro, is people's laptops, and as a self-confessed computer spotter with an interest in IT security I never cease to be amazed at what is available. This amazement has grown since Wi-Fi became free to travellers earlier this year.
Historically I have reserved my seat, sat where allocated, and have largely limited my "viewing" to someone's laptop by electronic means. This could involve searching for an incorrectly configured Wi-Fi card, deploying Wireshark and Kismet (sniffers), or setting myself up as a rogue access point. These days I do not bother. Invariably whoever sits next to me automatically switches on their laptop, logs into the free Wi-Fi and settles down to work.
This growing band of "train workers" conducts their business, no matter how sensitive, with little or no interest in their surroundings. The majority fail to consider even the most basic of security measures. User names and login passwords are visibly entered, encrypted volumes opened and virtual private networks accessed.
Once online and truly embroiled in their work, even those with a modicum of security awareness appear to ignore their surroundings, and act as if in their office. They are so engrossed that the person sitting near to them, if quick enough, can note all of their logon and security details.
Even more helpful, many companies place their logo or identifying asset tag prominently on the laptop, allowing quick and easy targeting. Combined with an individuals' security pass, I am provided with all manner of useful information. I can attempt to socially engineer that person and if I cannot talk to them, I can at least indicate to myself the sensitivity of what I am likely to see.
In the last month I have "shoulder-surfed" a high ranking officer from the Ministry of Defence accessing his e-mails and reading documents clearly marked with a caveat and watched a lawyer drafting legal submissions for a well known company. My favourite though, is an employee of a well-known security company drafting a document entitled "IT policies and procedures for the use of laptops in public places".
Stifling a laugh, I watched him write, "laptops were not to be used on public transport as they could easily be overlooked". He was right. Combined with the company logo used as wallpaper for his desktop, I was able to quickly ascertain that the policies were outdated, clearly not followed, and in all probability the company's attitude to security would be, at best, mediocre.
Remember next time you are sitting on a train contemplating working whilst travelling, the advice "laptops were not to be used on public transport as they could easily be overlooked". You never know who may be sitting near you.
This was first published in October 2008