The saying ‘Loose lips sink ships’ was displayed prominently on posters during the second world war to advise military personnel and others to avoid chatter involving information that could be used by the enemy. A key question is to what extent does this apply now that mobile technology can be found everywhere. Undertaking 100% of one’s work inside an office is a thing of the past and a significant portion of professional work can be undertaken from any location including trains, aeroplanes and more commonly now in coffee shops. How can information on laptop screens, hand written notes and discussions between people be used by external observers?
Earlier this year in London, while sitting in a coffee shop, I was close enough to overhear a conversation about a security incident. Sound travels and without any real effort to listen or intention to earwig, it was obvious what these men were talking about and were concerned that a data breach may have occurred. Initially the information could have been about any company, anywhere or any system. It could have been about their employer or one of their employer’s client’s systems. The details here have been left intentionally vague, but the conversation didn’t end there:
- Clients won’t be happy – such a reference indicated that a data breach could have occurred with one of their internal systems involving their customer data, rather than a system belonging to one of their clients.
- Branded stationery – overhearing a conversation was one thing but getting up for a coffee refill made corporate stationery visible without any effort or intention to spy; everything was in my face as I walked past them.
- Laptop screensaver – corporate stationery is often given away to clients for marketing and brand awareness reasons, therefore it was not a given that these individuals worked for the company whose stationery was visible but returning to my seat and noticing a corporate screensaver on one of the laptops advertising the business was additional confirmation.
- Identified vulnerability – the discussion overheard was sufficient for me to understand the nature of the issue and how someone would exploit it.
How this information could be used requires little imagination.
Several years ago, I overheard two people discussing their Last Will and Testament over dinner in a restaurant and how they really needed to get them replaced due to changes in circumstances. Shortly after when a neighbouring couple were ready to leave, he approached them and said, ‘Sorry, I couldn’t help overhear you mention that you needed new wills. Here is my business card. Give me a call’. This is an innocuous example, however depending on the context, the consequences could be quite severe, such as revealing information that could influence stock prices.
- Completely avoid discussing sensitive issues in public.
- Avoid using names of companies in discussion. Using alternatives such as ‘we’ and ‘the client’ will often be more than sufficient.
- Use anonymous tagging of corporate laptops so that nothing on the outside identifies its ownership in the event that it is lost or stolen. The value of the data on the laptop will depend on the owner, and effort is less likely to be expended if ownership is completely unknown.
- Remove visible branding from the operating system so that if the laptop is turned on it is not possible to identify the owner in the event that it is lost or stolen. This may harder than it sounds if the company name has been used as the DOMAIN.
- Using BitLocker Device Encryption (Windows Vista through to Windows 10) with a boot-up password will prevent the operating system from loading until the correct password has been entered. An unauthorised user won’t be able to identify corporate ownership.
Being security conscious in public places is essential. Almost every time I have coffee somewhere, I hear something which could be used against someone in some way.
Robert is an information security consultant with over 20 years of experience across a diverse range of organisations, both in the UK and internationally. Robert graduated in 1997 with an honours degree in software engineering for security and safety-critical systems. Robert is contactable directly through LinkedIn.