What the hacker saw

Alfred Hitchcock was right to warn us to beware of strangers on a train. The difficulty has always been that you cannot tell the good guys from the bad, making commuting perilous for your company's security, writes Stuart King

For an increasing number of commuters, the train journey is an opportunity to plan the day's business, read and write e-mails or perform other work-related tasks.

On my morning trip - the 6.42 from Hitchin to King's Cross - I decided to see what information I could glean by looking over the shoulders of fellow travellers, mostly working on their laptop PCs, and whether or not this information could pose a security threat to their organisations.

I got off to a flying start. As I stood in the aisle, clasping my coffee, I was clearly able to see the agenda for the day's business meetings being organised by the employee of a well-known City law firm. The e-mail contained his name, the names of the other people involved in the meeting and the names of the clients.

Moving through the carriage, my attention was drawn to a woman reading through a pile of CVs. Peering over the top of my Daily Mail, I could see the name and address of the job applicant. I could not deduce the company or position being applied for, but I could see the applicant's current position and employer.

Two blocks of seats away, another gentleman used the password "partytime" to log into his Windows session, then proceeded to work on a PowerPoint presentation about a forthcoming business proposition. This included projected expenditure, the total budget for the project and the hierarchy of the project team involved.

All of this information is a potential goldmine for anyone intent on breaking into a network or committing other data-related misdeeds.

As the train pulled into a station a new stream of commuters boarded while others disembarked. While this was going on, a suited lady slept, her laptop case resting on the floor in the aisle by her seat.

The journey from the station to my client's office involves a walk through the City's main financial district. As I wandered along the pavement beside the Bank of England I was able to glance through an office window where I noted the name card on a desk and the operating system in use on the desktop PC - together with the version of the e-mail client.

In an era where many organisations are investing money in state of the art networks, intrusion detection solutions and other items to add to the security infrastructure, the weakest link remains the people we employ. The most securely stored data may be compromised the minute the manager opens his laptop on the train or leaves vital clues exposed on his desk.

Figures about how widespread the problem is are hard to come by, but articles by the infamous hacker Kevin Mitnick, who was jailed for his data-related crimes, suggest that information gleaned from looking over people's shoulders, or from other carelessness on the part of end-users, played a large part in getting him the information he needed to commit his crimes.

A recent survey of 150 office workers passing through London's Victoria Station, conducted by the organisers of the Infosec security conference, underlines the problem. It found that two-thirds of the respondents were willing to reveal their log-on passwords in a questionnaire on office habits.

Making staff aware of the implications of their actions, and accountable for the outcome of those actions, is a major part of IT security. Many professionals see it as just as important as installing a firewall or running anti-virus applications. An internal security awareness scheme, with related training, complements the security policy. It is an ideal means of informing users of their responsibilities as well as maintaining the integrity of business information.

The information gained during my journey could be used in a variety of ways. The names of personnel might be used in social engineering attempts to "engineer" further information out of a company. Internet searches through Usenet may reveal e-mail addresses and other pertinent information about the tools that the business uses (for example, John Smith of company XYZ may have asked a newsgroup for help with configuring a firewall or router - it does happen).

Knowing the operating system that an organisation works with can save the potential hacker time and allow him to deduce other information about the network, not least which vulnerabilities are worth trying. Similarly, if Outlook is seen to be the e-mail client, it is a strong indication that Microsoft Exchange is the server: Outlook can also talk to other mail servers over POP or IMAP, but in a corporate office Exchange is the likely back end, and the attacker now has a good idea of which product to probe.

Most serious of all, business-confidential information should not be on display in train carriages at any time. It may end up as the topic of conversation in the coffee room of your biggest rival.

Personnel issued with laptop computers have a responsibility to look after them. Research from the Royal & Sun Alliance found that 67,000 laptops were lost in the UK last year, while Thames Valley Police estimate 8,000 went missing in their region alone - including the case of one MI5 officer who lost his laptop on a train. Many portable devices will hold sensitive information potentially far outweighing the value of the hardware.

We cannot prevent people working in public places, but we can dictate that they use common sense and take reasonable measures to safeguard their equipment and company data.

Use the corporate security policy to state what an end-user's responsibilities are. Most organisations these days have some form of policy. I asked the staff of one recent client, "Can you tell me where your security policy is?" Their response was worrying but not unusual. Not only could no one tell me where the policy was, or what its contents were: few employees were aware that there was such a policy.

The policy itself was comprehensive and thorough, so far as it went, but it did not cover use of laptops off-site, neither did it cover working procedures outside of the office. It cannot, therefore, be a surprise for an organisation to find that its plans are being compromised on the morning train.

Risks to avoid while commuting

  • Putting business-critical information on public view
  • Showing personal e-mails
  • Giving away passwords to prying eyes
  • Exposing company information
  • Falling asleep leaving business laptop in the aisle
  • Allowing eagle-eyed travellers to view enough information to mount a network attack.

Stuart King is an independent security consultant.

Join the Computer Weekly Infosecurity User Group, free to anyone with responsibility for IT security.