Spam, ransomware, phishing, spear phishing and SQL injection are all known attacks which can, and do, breach company and individual security. However QA finds many people do not think about the physical element (what can be physically seen and heard). Firewalls, antimalware, two factor and authentication do not protect against someone over-hearing a conversation, or seeing a screen. It is often said “people are the weakest link”.
Loose lips sink ships
A QA cyber expert was on a flight from a London airport to another location in the United Kingdom, and observed someone unlock their phone, from three rows back on the plane. This was the pattern:
Let’s consider for a second what a criminal actor could do, if it was them who had observed the unlocking, rather than QA’s expert.
Perhaps the phone belonged to a solicitor, who had worked on sensitive cases. The phone is therefore likely to contain much sensitive information that is potentially of interest to one party in the deal. How would a hacker go about gaining access to the target’s phone?
Step 1, Open source intelligence: On the law firm’s website, it talks about the deal and names this man as the solicitor participating in this high profile deal. The website lists his details, a Vcard and LinkedIn profile. Scour social media profiles and see where he lives, and timings.
Step 2, Observation. Put the office under surveillance, find out when he comes in and leaves, and where he goes to drink. One day tail him somewhere, visibly see his smartphone’s swipe pattern (it was, after all, visible from three rows back on a plane) and note it down. Leave him be.
Step 3, Intervention. Another day, stage a mugging and steal his phone.
The phone can be accessed with the swipe pattern, and with no technical wizardry, and the hacker has now broken through all of the other defences without leaving a trace on the law firm’s network.
The same applies to people carrying documents, or reading emails on a laptop or smartphone and entering passwords on a tablet or laptop. Every so often a government document is leaked as carried into a meeting, caught out by the long lens of a photographer outside No.10 Downing Street. Ministers may now be careful and carry documents in an envelope, but QA’s experts have observed multiple examples of people reading sensitive documents on paper or laptops whilst on public transport (including sensitive government documents).
Protecting information responsibly
The defences against such attacks are simple.
First, organisations should work to change norms and behaviours in their teams. Individuals should be aware of their surroundings, and the risks of conversations being overheard, or screens being seen. Raising awareness should be the first priority.
Second, a range of very-simple ‘off-the-shelf’ tools are available to reduce the risk. Most mobile phones now have fingerprint or face recognition, and using this reduces the risk that a passcode is stolen. Ensure all phones and laptops have privacy screens, limiting the angle of vision. Carry documents in envelopes.
These are low cost solutions, to what could be a very expensive problem. Data security doesn’t just mean high-tech; behavioural solutions are required too.
Graeme joined QA in 2017 and has worked in security on and off for 15 years. His last role was as a Senior Technical Security consultant at Capgemini covering the public and private sector.
From the age of 17, he was running investigations into online scams and phishing. Today he teaches and/or has written: CEH, OSINT, CTF (conventional or OSINT), CyberFirst, practical encryption and Security+. Graeme is an avid writer with 130+ articles to his name and a chapter in a published book.
He loves thinking like a hacker to review and tweak settings with a fine-tooth comb.
More articles by Graeme
Shadow IT during Covid-19: Do not let your employees decide which apps and tools to use
11 cybersecurity tips for more secure home-working during the Covid-19 outbreak
Hostile reconnaissance: What is it and how do we stay safe?
My partner is a landscape gardener – who would want to hack me?
7 cybersecurity tips for wedding photographers – or anyone, really
Cyber Security for everyone - what we all should know
Cyber risks are too often ignored by management
Rise and Fall of Bitcoin
Endpoint and network firewalling needs to change
The perils of single-factor authentication