Two unrelated news items caught my eye today, one an obscure case about a cheque modification fraud based on erasable ink pens, which I picked up from Bruce Schneier’s blog, and the other a high-profile news item about the bugging of Royal conversations by journalists. It’s always helpful to get occasional reminders of the vulnerability of written and spoken information to short-range physical attacks, even though such attacks are generally rare and a relatively low priority for most organisations.
The interesting thing I’ve always found about these threats is that they often seem to be counter-intuitive for many people. Most of us have a high confidence in the provenance of paper and ink documents, even though they are extremely easy to forge. We are too trusting when it comes to the written word because forgeries are outside our everyday experience. Bugging is also an arcane practice that is not well understood by the average person. A paranoid executive might think that a crackly telephone line suggests a bug, when in fact the opposite is more likely, i.e. eavesdroppers prefer clear lines. And I know some executives who worry that their office might be bugged but still feel confident to pull out confidential papers on a train or plane, or perhaps talk openly in bars.
There’s nothing more intrusive than a planted bug or line tap, but fortunately such incidents are rare. These attacks are tricky to mount, as they present risks to the perpetrator and they require inside information and frequent access to the target office. The results can also be unpredictable and time-consuming to process. There are often cheaper and easier methods of gaining inside information, such as bribing a member of staff or hacking into an insecure database. The trick, of course, when considering potential attacks on information is always to put yourself in the attacker’s shoes.