The saying ‘Loose lips sink ships’ appeared on posters during the Second World War to warn military personnel and civilians against careless talk that could be useful to the enemy. A key question is how far this still applies now that mobile technology is everywhere. Doing all of one’s professional work inside an office is a thing of the past; people work from trains, aeroplanes and, increasingly, coffee shops. Anyone nearby can take advantage of what is on laptop screens, in handwritten notes and in conversations between colleagues.
Earlier this year in London, while sitting in a coffee shop, I was close enough to overhear a conversation about a security incident. Sound travels, and without any real effort to listen or intention to earwig, it was apparent what these men were talking about and that they were concerned a data breach may have occurred. Initially, the information could have been about any company, anywhere, or any system. It could have been about their employer or one of their employer’s clients’ systems. The details here have been left intentionally vague, but the conversation didn’t end there:
- Clients won’t be happy – this remark indicated that any breach involved one of their own internal systems holding customer data, rather than a system belonging to one of their clients.
- Branded stationery – overhearing a conversation was one thing, but getting up for a coffee refill made corporate stationery visible without any effort or intention to spy; it was all in plain view as I walked past them.
- Laptop screensaver – companies often give away corporate stationery to clients for marketing and brand awareness, so it was not a given that these individuals worked for the company whose branded pens were visible. Returning to my seat and noticing a corporate screensaver on one of the laptops advertising the business was additional confirmation.
- Identified vulnerability – the discussion overheard was sufficient for me to understand the nature of the issue and how someone would exploit it.
How to use this information requires little imagination.
Several years ago, I overheard two people discussing their wills over dinner in a restaurant and how they needed to have them redrawn because their circumstances had changed. Shortly after, when a neighbouring couple was ready to leave, the man approached them and said, ‘Sorry, I couldn’t help overhearing you mention that you needed new wills. Here is my business card. Give me a call.’ This example is innocuous; depending on the context, however, the consequences could be severe, such as disclosing information that could influence the stock market.
Some practical precautions:
- Avoid discussing sensitive issues in public.
- Avoid naming companies in conversation. Alternatives such as ‘we’ and ‘the client’ are usually more than sufficient.
- Tag corporate laptops anonymously so that nothing on the outside identifies the owner if the device is lost or stolen. The value of the data on a laptop depends on who owns it, and a thief is less likely to expend effort on a device whose ownership is unknown.
- Remove visible branding from the operating system so that, if the laptop is lost or stolen and someone turns it on, the owner cannot be identified from the lock screen image, sign-in banner or wallpaper. This is harder than it sounds if the Windows domain name and the company name are the same, because the domain is displayed on the sign-in screen.
- Use BitLocker Drive Encryption (available since Windows Vista) with a pre-boot PIN, i.e. the TPM-and-PIN protector rather than TPM alone. The operating system will not load, and its sign-in screen will not appear, until the correct PIN is entered, so an unauthorised user cannot identify corporate ownership from the running system. Note that this does not hide anything on the outside of the device, and the small boot partition remains unencrypted.
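The following PowerShell is an added example to accompany the last two points; it is not code from the original article. It first lists the places Windows shows identifying text before or at sign-in (lock screen image policy, legal notice banner, OEM support information, host and domain names) and flags any that contain an assumed brand string, then enforces BitLocker with a TPM-and-PIN protector on the OS volume. It assumes Windows 10, a present and ready TPM, `C:` as the OS volume, an elevated session, and that the brand string `Contoso` is a placeholder to be replaced.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original article): audit pre-login branding, then
# require a BitLocker pre-boot PIN so the sign-in screen is never reached without it.
# Assumptions: Windows 10, TPM present and ready, C: is the OS volume, elevated shell.

$companyName = 'Contoso'   # assumed placeholder; replace with your own company name

function Get-PreLoginBranding {
    # Registry locations whose values are shown on the lock/sign-in screen or in
    # System properties, and which routinely carry the company name.
    $checks = @(
        @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Personalization'
           Names = @('LockScreenImage') },                       # lock screen image policy
        @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
           Names = @('legalnoticecaption', 'legalnoticetext') }, # banner before sign-in
        @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\OEMInformation'
           Names = @('Manufacturer', 'Model', 'SupportURL', 'SupportPhone', 'Logo') }
    )
    foreach ($c in $checks) {
        if (-not (Test-Path $c.Path)) { continue }
        $props = Get-ItemProperty -Path $c.Path
        foreach ($n in $c.Names) {
            $v = $props.$n
            if ($v) {
                [pscustomobject]@{
                    Location        = "$($c.Path)\$n"
                    Value           = "$v"
                    MentionsCompany = ("$v" -match [regex]::Escape($companyName))
                }
            }
        }
    }
    # The 'Other user' tile on the sign-in screen displays the domain to sign in to.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $names = @{ ComputerName = $env:COMPUTERNAME; Domain = $cs.Domain }
    foreach ($kv in $names.GetEnumerator()) {
        [pscustomobject]@{
            Location        = $kv.Key
            Value           = $kv.Value
            MentionsCompany = ($kv.Value -match [regex]::Escape($companyName))
        }
    }
}

function Enable-PinProtectedBitLocker {
    param([Parameter(Mandatory)][securestring]$Pin)

    # A pre-boot PIN is only accepted when the 'Require additional authentication at
    # startup' policy permits TPM+PIN. These are the registry values that policy sets
    # (0 = do not allow, 1 = require, 2 = allow).
    $fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    if (-not (Test-Path $fve)) { New-Item -Path $fve -Force | Out-Null }
    Set-ItemProperty -Path $fve -Name UseAdvancedStartup -Value 1 -Type DWord
    Set-ItemProperty -Path $fve -Name UseTPM             -Value 0 -Type DWord  # no TPM-only
    Set-ItemProperty -Path $fve -Name UseTPMPIN          -Value 1 -Type DWord  # require PIN
    Set-ItemProperty -Path $fve -Name UseTPMKey          -Value 0 -Type DWord
    Set-ItemProperty -Path $fve -Name UseTPMKeyPIN       -Value 0 -Type DWord
    Set-ItemProperty -Path $fve -Name EnableBDEWithNoTPM -Value 0 -Type DWord

    $tpm = Get-Tpm
    if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) { throw 'TPM not present or not ready.' }

    $vol = Get-BitLockerVolume -MountPoint 'C:'
    if ($vol.VolumeStatus -eq 'FullyDecrypted') {
        # Add a recovery password first so the device is never locked out, then encrypt.
        Add-BitLockerKeyProtector -MountPoint 'C:' -RecoveryPasswordProtector | Out-Null
        Enable-BitLocker -MountPoint 'C:' -EncryptionMethod XtsAes256 `
            -TpmAndPinProtector -Pin $Pin -SkipHardwareTest | Out-Null
    } else {
        # Already encrypted (typically TPM-only): add the PIN protector alongside.
        Add-BitLockerKeyProtector -MountPoint 'C:' -TpmAndPinProtector -Pin $Pin | Out-Null
    }
    # Return the protectors so the operator can escrow the recovery password.
    (Get-BitLockerVolume -MountPoint 'C:').KeyProtector |
        Where-Object KeyProtectorType -in 'RecoveryPassword', 'TpmPin'
}

Get-PreLoginBranding | Format-Table -AutoSize
$pin = Read-Host -AsSecureString 'Enter pre-boot PIN'
Enable-PinProtectedBitLocker -Pin $pin | Format-Table KeyProtectorType, KeyProtectorId -AutoSize
```

Run the audit first and fix anything flagged `MentionsCompany = True`: the legal notice banner and lock screen image are visible to anyone who powers the machine on, and a domain named after the company is shown on the sign-in screen. The BitLocker step only removes that exposure once the PIN protector is in place, so check that `TpmPin` appears in the returned protector list and record the recovery password in your key escrow before rebooting.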
Being security-conscious in public places is essential. Almost every time I have coffee somewhere, I hear something that someone could use for malicious purposes.
Robert is an information security professional with over 20 years of experience across a diverse range of organisations, both in the UK and internationally. Robert graduated in 1997 with an honours degree in software engineering for security and safety-critical systems. Robert is contactable directly through Telegram.