Are You Putting Your Organization At Risk?

Apple, formerly Apple Computer, is legendary in its secrecy. In the late 20th century, I was working for Tandem Computers down the road from Apple in Cupertino. There were stories of undercover agents roaming the tables of local eateries listening for employees talking about things that were not to be divulged in public, then reporting their names back to the mother ship. In 2012, Apple announced plans to build its own off-campus restaurant to prevent anyone but employees from overhearing each other’s conversations.

Fast forward to modern times, and we’re in the always-connected era. Not only are employees probably talking about your latest secret project in public, they probably are working on it. Unless the information I am viewing is publicly available (like an article or conference presentation), I do not use my notebook, tablet, or phone for anything except playing movies and music on airplanes, in a coffee shop, or any other public location. As an information security professional, I know how easy it is for people to see what I am working on, even if they are hundreds of feet away from me.

Some organizations might mandate the use of privacy filters to limit viewing by seat mates, but take a look at your screen from the row behind you or standing in the aisle and be surprised. Most privacy filters only protect you from the side and not from over your shoulder. There are some with reflective surfaces that can help prevent shoulder-surfing but they may also diminish your own view. In fact, you might find out that your employees are removing the filters entirely because they cannot see the screen properly themselves.

If you travel a lot like I do, you have probably overheard a sales rep trying to close a deal on the rental car shuttle bus. More than once I’ve been able to deduce the company and the deal they were working on. “Look, we can underbid XXX, win the deal, then use the cost rider to get our margins back.” Wouldn’t you be surprised and pleased if XXX was your company and you were on your way to the same vendor meeting?

I was at a conference a couple weeks ago and overheard two people at a table behind me talking about their plan to hire college students to ride elevators at another conference and take notes on what was being said if the conversation included certain keywords. Since there is no expectation of privacy in a public place, this is perfectly legal. I guess they could also pay the older students to hang out in the conference hotel’s drinking spots.

Earlier I mentioned that it’s easy for people to see what I am working on, even if they are hundreds of feet away from me. How can this be? Free Wi-Fi. Unless your employees are using a virtual private network (VPN) connection, the information flowing from device to data center is unencrypted. And even if someone is using a VPN, or some versions of SSL, a rogue hotspot sitting between the device and the server can watch everything go by as the “man in the middle” (MiTM).

MiTM

How does this work? I am sitting in a coffee shop (or burger bar, hotel, airplane, etc.) and I fire up Wi-Fi on my device. I see a hotspot called Stabrucks, so I link to it. Re-read the last sentence carefully: that is not the coffee shop’s network. This is a rogue hotspot. When I bring up my VPN, or use SSL to talk to a server, the computer behind the hotspot creates two connections: one between my device and itself, and one between itself and your company’s network. Each endpoint believes its own connection is secure, but the MiTM terminates both and can read every piece of information going back and forth.

There are ways of guarding against a MiTM attack, chiefly by having the device verify the identity of the server or VPN endpoint it is talking to before it sends anything, and refusing to continue when that check fails, but they need to be carefully implemented and used.
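The two-connection interception just described, as an added illustration that is not part of the original post or any product it mentions. The script stands in for TLS with a toy authenticated Diffie-Hellman exchange: the real endpoint proves its identity with an HMAC over the key exchange using a pre-shared secret (`SERVER_SECRET`, a constructed value) that the hotspot does not hold, much as a real server proves its identity with a certificate the client can validate. A client that checks that proof aborts the moment a rogue hotspot tries to terminate the session; a client that skips the check (the equivalent of clicking through a certificate warning) derives its session key with the hotspot, which then decrypts everything and relays it onward. All hosts, ports, messages and the prime used are constructed for the example and everything runs on localhost.

```python
"""Toy model of a rogue hotspot terminating a 'secure' connection (added
example, not from the original post). Endpoint authentication is the
difference between the MiTM reading everything and reading nothing."""
import hashlib
import hmac
import secrets
import socket
import threading

P = 2 ** 127 - 1                               # toy prime, constructed for illustration only
G = 5
SERVER_SECRET = b"corp-vpn-endpoint-secret"    # constructed; the rogue hotspot never learns it


def _send(sock, data: bytes) -> None:          # length-prefixed framing over TCP
    sock.sendall(len(data).to_bytes(4, "big") + data)


def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection")
        buf += chunk
    return buf


def _recv(sock) -> bytes:
    return _recv_exact(sock, int.from_bytes(_recv_exact(sock, 4), "big"))


def _key(shared: int) -> bytes:                # session key derived from the DH shared value
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()


def _xor(key: bytes, data: bytes) -> bytes:    # toy stream cipher, constructed for the example
    stream = hashlib.sha256(key).digest() * (len(data) // 32 + 1)
    return bytes(a ^ b for a, b in zip(data, stream))


def _handshake_as_server(conn, secret: bytes) -> bytes:
    """Answer the client's key share and prove identity with an HMAC keyed by `secret`."""
    gx_b = _recv(conn)
    y = secrets.randbelow(P - 2) + 2
    gy_b = pow(G, y, P).to_bytes(16, "big")
    _send(conn, gy_b + hmac.new(secret, gx_b + gy_b, "sha256").digest())
    return _key(pow(int.from_bytes(gx_b, "big"), y, P))


def _handshake_as_client(sock, secret) -> bytes:
    """Send a key share; if `secret` is given, verify the peer's proof before trusting the key."""
    x = secrets.randbelow(P - 2) + 2
    gx_b = pow(G, x, P).to_bytes(16, "big")
    _send(sock, gx_b)
    resp = _recv(sock)
    gy_b, tag = resp[:16], resp[16:]
    if secret is not None:
        expected = hmac.new(secret, gx_b + gy_b, "sha256").digest()
        if not hmac.compare_digest(tag, expected):
            raise ConnectionError("endpoint authentication failed: possible MiTM")
    return _key(pow(int.from_bytes(gy_b, "big"), x, P))


def _listen(handler) -> int:
    """Start a localhost listener on a free port; each connection runs `handler` in a thread."""
    ln = socket.socket()
    ln.bind(("127.0.0.1", 0))
    ln.listen()

    def guard(conn):
        with conn:
            try:
                handler(conn)
            except ConnectionError:
                pass                            # peer aborted, e.g. a client that refused the handshake

    def loop():
        while True:
            conn, _ = ln.accept()
            threading.Thread(target=guard, args=(conn,), daemon=True).start()

    threading.Thread(target=loop, daemon=True).start()
    return ln.getsockname()[1]


def start_server() -> int:
    """The genuine corporate endpoint: authenticates with SERVER_SECRET and acks each message."""
    def handle(conn):
        key = _handshake_as_server(conn, SERVER_SECRET)
        msg = _xor(key, _recv(conn))
        _send(conn, _xor(key, b"ack:" + msg))
    return _listen(handle)


def start_rogue_hotspot(upstream_port: int, captured: list) -> int:
    """The 'Stabrucks' box: terminates the client's session with a forged proof, opens a second
    session to the real server, and records the plaintext it relays between the two."""
    def handle(conn):
        key_c = _handshake_as_server(conn, b"rogue-has-no-real-secret")
        with socket.create_connection(("127.0.0.1", upstream_port)) as up:
            key_s = _handshake_as_client(up, None)
            msg = _xor(key_c, _recv(conn))
            captured.append(msg)                # the MiTM reads everything going by
            _send(up, _xor(key_s, msg))
            _send(conn, _xor(key_c, _xor(key_s, _recv(up))))
    return _listen(handle)


def client(port: int, message: bytes, verify: bool = True) -> bytes:
    """Connect through whatever hotspot is on `port`; verify=False models clicking through a warning."""
    with socket.create_connection(("127.0.0.1", port)) as s:
        key = _handshake_as_client(s, SERVER_SECRET if verify else None)
        _send(s, _xor(key, message))
        return _xor(key, _recv(s))


def demo():
    """Returns (direct reply, rogue detected?, captured after strict client, lax reply, captured after lax)."""
    captured = []
    server = start_server()
    rogue = start_rogue_hotspot(server, captured)
    msg = b"q3 forecast: underbid by 8%"         # constructed sample secret
    direct = client(server, msg)
    try:
        client(rogue, msg)
        detected = False
    except ConnectionError:
        detected = True
    after_strict = list(captured)
    lax = client(rogue, msg, verify=False)
    return direct, detected, after_strict, lax, list(captured)


if __name__ == "__main__":
    print(demo())
```

The verifying client sees identical behaviour to a real TLS client that validates the server certificate: the rogue can relay packets but cannot produce a proof it does not hold the secret for, so the session never starts and the hotspot captures nothing. Only the client that ignores the failed check ends up with a key the hotspot chose, which is the situation the post describes.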

Frankly, I wouldn’t be surprised if foreign governments paid agents to ride elevators, hang out at Starbucks and Peets, and fly in first class, all in the name of espionage. What are your thoughts?
