Who's looking over your shoulder?


PAXboy
29th Mar 2009, 01:43
This is a link to a Blog of someone whose opinion I trust highly. He is a very experienced technology man but widely travelled in the real world of business. He has been a 'road warrior' for many years and Gold Card with just about all. I have met him personally on a couple of occasions and he would not write this if he was not sure.

Peter Cochrane's Blog: Beware the new phishers
During the past 12 months or so I have become increasingly aware of people 'cruising' airport lounges, concourses and trains. They walk up and down the aisles, generally acting strangely in public places where laptop and other personal screens are in use.

In every case they have seemingly been texting on their mobile phone but on closer inspection I think they have been taking photographs and making movies.

As far as I can see this activity is largely the domain of youngish men, and we might suspect they are taking photos of unsuspecting pretty females. But I think the real reason is more sinister. I reckon they are collecting screenshots in the hope of capturing some useful information. I also suspect they are making movies of keystrokes at some distance.

Here is the rest of the article.

Peter Cochrane's Blog: Beware the new phishers - Software - Breaking Business and Technology News at silicon.com (http://software.silicon.com/security/0,39024655,39398406,00.htm)

Load Toad
29th Mar 2009, 07:48
Strangely enough this isn't going to go onto my list of things I will worry about. I'm heartily sick of the be scared of everything culture.

rothin
29th Mar 2009, 07:54
That's an impressively prepared blog. When I was commuting I was always surprised by the amount of confidential paperwork people used to study on packed trains. This would include personal bank statements, company accounts and legal case notes.
It's probably safer to occupy yourself with a crossword or Sudoku.

Big Harvey
29th Mar 2009, 09:13
Interesting. It sounds quite plausible to me. Many mobile phones nowadays have very high resolution cameras on them. Mine is 3 megapixel, and it's several years old. There are higher resolution ones about now, and I would certainly have thought it would be feasible for a video to be made at a high enough resolution to record keystrokes, even from a distance.

Food for thought, and reason to look over your shoulder before logging on in a public place, but then again unscrupulous owners of internet cafes could probably do something similar with CCTV cameras, or else have spyware on their computers, so you're never entirely safe from phishing.

I personally won't be getting paranoid about it.

PAXboy
29th Mar 2009, 18:24
Well ... I wasn't intending anyone to get paranoid or bothered, just that it was interesting and some basic precautions to be taken. It was reading the thread about a credit card being skimmed/cloned that made it pertinent.

groundbum
29th Mar 2009, 20:06
If you figure a lot of these people in lounges are using WIFI to connect their laptop, then I'm sure there is a lot of spyware out there that can grab everything being transmitted and received anyway, despite encryption. So screenshots etc. are rather passé in this wireless world. You can even get stuff for mobiles that "read" all the text messages that are being blatted about to other nearby mobiles, I'm sure the same is true for 3G data connections...

G

Load Toad
29th Mar 2009, 23:57
Should we also watch out for anyone doing charcoal sketching or watercolour as they walk past us trying to grab a screen shot on the off chance as they amble past we are keying in our passwords and ID etc. onto a sensitive web site....?

Come on - as a way to gather useful 'puter information wandering up and down an airport lounge with a camera phone is pretty naff innit? It's possible but highly improbable.

Just looking again at the report in question:

As far as I can see this activity is largely the domain of youngish men, and we might suspect they are taking photos of unsuspecting pretty females. But I think the real reason is more sinister.

More sinister than maybe taking photos of 'unsuspecting pretty girls'?

In every case they have seemingly been texting on their mobile phone but on closer inspection I think they have been taking photographs and making movies.

So you don't know what they are doing - you are supposing? How close was the inspection - were you maybe - looking over their shoulders from close up?

They walk up and down the aisles, generally acting strangely in public places where laptop and other personal screens are in use.

So people are walking up and down holding their handphones in public places. This is 'strange'?

For several weeks I have been opportunistically taking pictures of screens whenever and wherever I can. The objective has been to establish the quality of the pics and what one might be able to read or discern from them.

It's OK for you to act strangely in a public place taking pictures of people's screens and keystrokes then?

My first big surprise was the sheer number of unattended screens out there. The second was how easy it was to take shots without being detected or raise suspicion. The third was just how close you can get to people without them even noticing your presence, let alone the fact you have a mobile phone peeking over their shoulder.

Mostly when people are not doing something that needs to be hidden they don't actually care nor mind that there are people about - this is society in action.

Did I get any interesting info? That's a secret.

Is it really? If you got any info that was not yours to have did you at least feel f' guilty - did you delete it, did you apologise?

In my view you would have to take an awful lot of pictures, and make a lot of movies, before you got lucky. But if you are a criminal then it's all in a day's work,

..or all in a day of your work Peter.

So it's back to people-watching for me, and an attempt to estimate how many of these snappers there are.

Best of luck on working out how many are people innocently using their phones, how many are taking pictures of 'unsuspecting pretty girls' and how many are doing something more 'sinister'; man I wish I had your job.

Oh, on a matter of security: All the original pics (and there were an awful lot) taken during this experiment and the material recovered have been deleted and there is no record of location or subject. Also, I am not about to release the technical data and practical experiences that saw an improved data recovery rate with time.

I'm so glad you aren't a sinister criminal Peter - we can rest easy whilst you are on watch.

PAXboy
30th Mar 2009, 19:41
Goodness Gracious Mr Toad, that's an awful lot of bile. Could you not just have said, "I don't believe it" or something simple like that?

The man (who has a high reputation and whom I have met on several occasions, so send your bile at me rather than someone you have never heard of) saw a change in human behaviour, tracked it, tried it out and gave a clear indication that he found information that could be used by those who wished to take advantage.

I am not going to reply to every spurious point you make but this one:
If you got any info that was not yours to have did you at least feel f' guilty - did you delete it, did you apologise?
Doubtless you read the article in full and learnt that all material gathered was securely deleted and no records kept. You can imagine the problem of telling someone that you have just captured their PIN and that you have deleted it and they are not to worry. So, he took the opportunity to warn as many as he could of the risks they are running.

I posted the information here as a way to remind folks about keeping PINs and laptop screens private. I am soooooo sorry to have caused you such anguish. :hmm:

nebpor
30th Mar 2009, 20:33
Paxboy, I agree with the core message - be wary of your privacy when revealing sensitive info in public. The problem is the blog deals in FUD and largely unsubstantiated claims - similar to the usual "police are warning about..." emails doing the rounds. I advise government and industry on IT security matters for a living incidentally so have my eyes fully open to the risks. Thus the message is correct, but the evidence of what these people MAY be up to is not conclusive at all and IMO there is virtually zero chance of a camera phone revealing anything - it's scaremongering. What techniques criminals have are nothing compared to what governments have but this isn't about covert espionage :)

Final 3 Greens
30th Mar 2009, 20:54
Paxboy

I did have a go at a certain gentleman, for rubbishing the blog, but we both got our posts deleted for our efforts - fair enough :}

The 'naive realism' of some people on here does amaze me, since ID theft and phishing are a known problem.

Rainboe
30th Mar 2009, 22:49
I do believe it is time to inject a note of realism and suggest people film someone working on a laptop discreetly, just as a stranger in a public place is supposed to, and see if you can glean any useful information and find out what they are typing! I would suggest it is a rather unproductive exercise. I don't believe it.

PAXboy
30th Mar 2009, 23:59
Thank you to the more sober posters (which includes Rainboe). My point is this: If I did not know this man, and had been reading his blog for a couple of years and its predecessor diary for five years or more and his books ... then I would not have bothered you folks and would dismiss it as scaremongering. But he is an engineer who functions in an entirely logical manner and who deals only with empirical data. He has been a road warrior since before the term was invented and knows his way around the world on public transport.

That is why I wasted my time in posting his unique research here.

Anyway, who cares if the other guy gets his data ripped off? As long as it's not mine.

nebpor
31st Mar 2009, 08:31
Paxboy, I'm going to bite at that, as you don't seem to think I'm one of the more sober posters :E

I'm as sober as they come - you have to be when assessing threats and developing a strategy for protection against them.

I'll restate - the core message is correct .... beware of your privacy.

The evidence gathered in the article is just not good enough though for the conclusions reached. Do you think foreign criminal gangs have seeded these youths to walk up and down trains etc. capturing the pictures? If so, what value does the information collected have?

A snippet of the odd document isn't worth much on the open market.

If a user is typing their password in you would need close video of their fingers on the keyboard to get a reasonable chance of grabbing it - the user would more than likely notice such an aggressive intrusion.

I don't care how many miles your esteemed friend has travelled - I am an old-hat road warrior as well, but unlike him I am also a security professional. I can see why he reached the conclusions he did, but on balance I don't agree that the techniques he thinks are being used ARE being used - it is something else.

For example: "What a way of gleaning strangers' passwords, account numbers and much more. In the security and hacker communities, this is probably recognised and well understood but the general public are oblivious."

I am well hooked into the hacker community, having been a white-hat hacker for about the last 20 years, well before there was a WWW to steal things from. I have never read about such a technique being used.

There are obvious parallels with cash machine / camera ploys where people are filmed entering their PIN, but that is a different scenario from the one in question here.

So I'll say again, just in case anyone missed it - be very aware of where you are working on sensitive information and where you authenticate yourself. Just don't be scared of boys on trains with camera phones :ok:

TightSlot
31st Mar 2009, 09:09
nebpor - could you list for us road-warrior (yeah, I know) types either the most common security errors or the most common hacker access methods? In short, using your experience, what can we all learn?

PAXboy
31st Mar 2009, 10:12
nebpor you are a sober poster because you gave a reasoned response in both responses. I only mentioned Rainboe by name as people usually consider him too 'lively' (to the point of unreason) in his responses, whereas I make a point of looking out for his responses.

You confirm the core risk and then provide cogent evidence against the proposition. That is the very best that I could have hoped for. That is what discussion forums are for (an old fashioned whimsy, I know :rolleyes:).

Scumbag O'Riley
31st Mar 2009, 10:13
On a transatlantic flight, I once read a whole PowerPoint presentation on how BAA was going to entice us to spend more money in their departure lounges. It was on somebody's laptop sitting across the aisle in the row in front. It was an interesting read, have forgotten the details, but I remember thinking they are very cunning in their attempts to get at your cash and don't like giving you lots of seats while hanging around in there.

deltayankee
31st Mar 2009, 10:16
There are two simple security precautions for using your laptop to view confidential information in public:

1. Buy one of those plastic sheets that covers the screen so that it can only be viewed from a narrow angle. I won't mention the brand because that might look like advertising.

2. Don't do it.

Looking over the shoulders of strangers is not the preferred technique of hackers anyway because there are so many other ways. But you need to be careful what you are reading because a competitor might be sitting right next to you.

ProM
31st Mar 2009, 10:54
I am not convinced about the keystrokes stuff but I absolutely believe that there may be people deliberately looking over people's shoulders in airports to read excerpts from documents etc. Far fetched?

How about a national intelligence services outfit bugging aircraft to listen in on conversations for commercial gain? That would be even more far fetched ...except they got caught, didn't they?

I have gleaned information quite accidentally when in a hotel by some competitors next to me. I am sure a deliberate effort would be worthwhile, especially at airports at the time of certain conferences.

I have experienced (from the innocent side) a few episodes of commercial espionage, and some of those would have seemed much more far fetched (one I still don't believe myself).

PAXboy
31st Mar 2009, 18:48
One of the most amusing discoveries I made was staying at an upmarket hotel a few years ago, and having to use their business centre PC for an urgent letter. Naturally, I deleted the letter and all the tmp files that Word creates.

Whilst there, I decided to look through the documents that other guests had left on the PC ... amongst other business and social documents, was a letter in commercial confidence to the President of the country from an overseas delegation. They had been finalising details of the deal. I did them the favour of deleting it.

Load Toad
1st Apr 2009, 03:06
Don't be touchy Paxboy - I didn't attack you nor did I do an ad hominem axe job on Mr. Peter.

I'll reiterate though it is far fetched scaremongering & that's why I shredded his report like I did. I also find it bizarre that Peter needs to go around carrying out his research on the general public - surely these methods of data collection could be done in a controlled lab environment without recourse to even attempting to photograph members of the general public using their laptops / recording their screenshots and key inputs?

And thus him advising he has deleted the data (whether 'secret' or not) does not to me sound like the actions of a fine and upstanding person - does it to you?

I'm sure Mr. Peter is a staunch crusader for great and good things but in the case of this report he has at best failed miserably.

BladePilot
1st Apr 2009, 10:04
In Support of Paxboy,
I recall watching a short TV programme late last year which detailed how anyone can be 'scammed' by dodgy folks using these methods, it appears that it is a real threat.
Two particular methods were highlighted and they both used laptops to set up bogus wifi networks in cafés or other public areas such as airports and mobile phones with Hi-Def cameras to either achieve screen captures or film keystrokes. Also highlighted was the vulnerability of your Bluetooth devices to 'capture' by other devices and how they could then use your number to make free calls.

Be aware of your surroundings and be cautious.

deltayankee
1st Apr 2009, 10:26
used laptops to set up bogus wifi networks

There is one easy precaution to take to avoid these traps. Never connect to anything with an obviously bait-like network name along the lines of "Free WiFi".

Real free networks have the name of the operator or whoever is paying for the service, so the wifi network in the lobby of the Quebec November Hotel will be called something like quebec_november or the name of the hotel chain.

Some people go the other way and choose a network name like cia-network or pentagon-ufo-network to attract foolish hackers. Others name their computer or network "connection error" or "stack overflow" to discourage the curious.

nebpor
2nd Apr 2009, 15:06
Tightslot - I fully intend posting some nice, easy to follow advice for folk on here - I'm just waiting to get the time to do it properly :)

BladePilot
4th Apr 2009, 17:05
deltayankee.
Pity you hadn't seen the TV show. The presenters of the show set up in a Hotel lobby and managed to scam no fewer than 20 people who visited the reception area in the space of a few hours. Their bogus website was set up to look even more convincing than the Hotel's own wifi site and it wasn't offering a free connection; the majority who fell for it were business folks arriving at the Hotel to meet business acquaintances.
Personally I avoid using wifi in public areas and prefer always to hard wire into a Hotel's network if I can if it is cheaper (or free) than using my own wifi dongle supplied by a well-known mobile phone network V-something...

The TV presenters approached each of the victims after they had been duped and explained what they had been doing, all took it in good humour.

deltayankee
5th Apr 2009, 07:55
...and managed to scam no fewer than 20 people

I am not at all surprised given the sloppy way some hotels and airports run their networks. But you can avoid all but the most sophisticated scams by following some simple rules.

1. Only connect to networks you know exist. When you go to a hotel or airport find out what networks are available by reading signs or asking and don't just scan the air to see what there is.

2. Never connect to a network that requires no authentication. This is possibly legitimate but too suspicious.

3. Be very wary of networks where everyone shares the same username and password. This kind of network is much too easy to spoof, though it can sometimes be legit -- the lounges at AMS use this system.

4. Prefer those networks where someone at the desk prints a personal username/password combination for each person for each visit, but in this case try mistyping the password sometimes just to make sure it is really testing it. A simple spoof for this system is to prompt for the password but then accept anything.

Apart from this never do secret things over a public wifi network. Just assume that everything you type goes straight to your worst enemy.
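The network-naming advice above (operator-named networks versus "Free WiFi" bait) and the four connection rules lend themselves to a small checklist evaluator. The following is an added example, not code from the thread or from any poster: it scores a scanned network against the rules and includes the rule-4 self-test of deliberately mistyping the portal password first. The network entries and the two portal functions are constructed sample data; the bait-word list is an assumption.

```python
# Added example: checklist evaluator for the public Wi-Fi rules in the thread.
# All network entries and portals below are constructed for illustration.
from dataclasses import dataclass
from typing import Callable, Iterable


@dataclass
class WifiNetwork:
    ssid: str
    open_auth: bool = False              # rule 2: no authentication at all
    shared_credentials: bool = False     # rule 3: one login for everybody
    per_visit_credentials: bool = False  # rule 4: desk issues a personal login


# Assumed list of generic words; a name made only of these is bait-like.
BAIT_WORDS = ("free", "wifi", "wi-fi", "hotspot", "internet", "public",
              "guest", "airport", "hotel", "network")


def looks_like_bait(ssid: str) -> bool:
    """True when every word in the name is generic (e.g. 'Free WiFi')
    rather than naming the operator or venue (e.g. 'quebec_november')."""
    words = ssid.lower().replace("_", " ").replace("-", " ").split()
    return bool(words) and all(w in BAIT_WORDS for w in words)


def assess_network(net: WifiNetwork,
                   advertised: Iterable[str]) -> tuple[str, list[str]]:
    """Apply the rules; return (verdict, reasons) with verdict one of
    'avoid', 'caution' or 'prefer'. `advertised` is the list of network
    names the venue itself told you about (signs, reception desk)."""
    known = {s.lower() for s in advertised}
    reasons: list[str] = []
    if net.ssid.lower() not in known:
        reasons.append("rule 1: not a network the venue says it runs")
    if looks_like_bait(net.ssid):
        reasons.append("bait-like generic name")
    if net.open_auth:
        reasons.append("rule 2: requires no authentication")
    if net.shared_credentials:
        reasons.append("rule 3: shared username/password is easy to spoof")
    elif not net.per_visit_credentials:
        reasons.append("rule 4: no personal per-visit login issued")

    if net.ssid.lower() not in known or net.open_auth:
        return "avoid", reasons
    if net.shared_credentials or not net.per_visit_credentials:
        return "caution", reasons
    return "prefer", reasons


def portal_validates_password(login: Callable[[str, str], bool],
                              username: str, real_password: str) -> bool:
    """Rule 4's self-test: mistype the password once on purpose. A genuine
    portal rejects the bad attempt and then accepts the real one; a spoof
    that accepts anything fails the first step."""
    mistyped = real_password + "x"
    if login(username, mistyped):
        return False  # accepted garbage: the portal is not checking at all
    return login(username, real_password)


# Constructed portals standing in for a real captive-portal login.
def honest_portal(user: str, password: str) -> bool:
    return (user, password) == ("guest42", "Tq7-pm")


def spoof_portal(user: str, password: str) -> bool:
    return True  # accepts whatever you type, i.e. harvests it


if __name__ == "__main__":
    venue_networks = ["quebec_november"]
    scan = [
        WifiNetwork("Free WiFi", open_auth=True),
        WifiNetwork("quebec_november", shared_credentials=True),
        WifiNetwork("quebec_november", per_visit_credentials=True),
    ]
    for n in scan:
        verdict, why = assess_network(n, venue_networks)
        print(f"{n.ssid!r}: {verdict} {why}")
    print("honest portal checks password:",
          portal_validates_password(honest_portal, "guest42", "Tq7-pm"))
    print("spoof portal checks password:",
          portal_validates_password(spoof_portal, "guest42", "Tq7-pm"))
```

The verdict is deliberately conservative: an unadvertised or open network is always "avoid", and even a correctly named network only reaches "prefer" when it issues per-visit credentials, which is the rule the post ranks highest. The portal self-test is the programmatic form of "try mistyping the password sometimes"; with a real portal you would wire `login` to the actual form submission.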

Load Toad
6th Apr 2009, 09:14
Just assume that everything you type goes straight to your worst enemy.

Everything typed on t'internet goes to my wife?

Kin 'ell!