Network Observations

SecurityDude, CISSP-ISSAP is an information technology consultant and blogger at large with over 20 years IT experience.

Friday, I found myself at the San Jose airport almost four hours before my flight home. As many frequent travelers do, I headed for the (relative) comfort and quiet of the Admiral’s Club. I grabbed a seat at one of the many cubes they provide, plugged in my laptop, and launched my Verizon broadband card to review some documentation over the Cisco SSL VPN connection to my office servers.

As the afternoon progressed, the cubes quickly filled with technology professionals. I usually try to tune out the people who speak too loudly on their cell phones, but two guys seemed to be competing for highest volume. One of the gentlemen worked in the marketing department of a very prominent Silicon Valley equipment manufacturer. I was privy to the details of a product launch that had not been announced to the public.

A woman sitting behind me was working on a quarterly financial presentation to the board of directors of another well-known local company. Just for grins, I turned on my web cam and pointed it at her screen. She was oblivious to the fact I could watch. Were I an industrial spy, I could have covertly recorded a movie with audio and video using a tool called Camtasia. I use Camtasia to record audio with PowerPoint presentations and publish them to Microsoft Media Player or QuickTime movie formats.

These are examples of data disclosure vulnerabilities that no firewall can protect you from. What could these people have done differently to increase their privacy?

• Invest in a 3M Privacy Screen. It significantly restricts the viewing angle of the laptop monitor and deters ’snoops’ and spying.
• Alert callers that you are speaking to them in a public area and that you can be overheard. Be conscious of your surroundings.
• Avoid typing user names and passwords into public computers. Hardware keyboard loggers such as the Key Ghost can be easily deployed and recovered. Key Ghost cannot be detected by any means other than physical examination of the keyboard cable. Even if you log into your email over an encrypted VPN link, the keystrokes on the local keyboard are intercepted BEFORE they hit the browser. Some SSL VPN clients now feature a “virtual keyboard” that mitigates this exposure.
• If using a public wireless hot spot like T-Mobile, login to your corporate VPN before accessing your email. POP mail and SMTP authenticate in clear text and all of the message bodies are sent in the clear. Absent the VPN, your business becomes everyone’s business.