
Who's looking over your shoulder?

Old 29th Mar 2009, 01:43
  #1 (permalink)  
Paxing All Over The World
Thread Starter
 
Join Date: May 2001
Location: Hertfordshire, UK.
Age: 67
Posts: 10,175
Received 63 Likes on 51 Posts
Who's looking over your shoulder?

This is a link to a Blog of someone whose opinion I trust highly. He is a very experienced technology man but widely travelled in the real world of business. He has been a 'road warrior' for many years and Gold Card with just about all. I have met him personally on a couple of occasions and he would not write this if he was not sure.

Peter Cochrane's Blog: Beware the new phishers
During the past 12 months or so I have become increasingly aware of people 'cruising' airport lounges, concourses and trains. They walk up and down the aisles, generally acting strangely in public places where laptop and other personal screens are in use.

In every case they have seemingly been texting on their mobile phone but on closer inspection I think they have been taking photographs and making movies.

As far as I can see this activity is largely the domain of youngish men, and we might suspect they are taking photos of unsuspecting pretty females. But I think the real reason is more sinister. I reckon they are collecting screenshots in the hope of capturing some useful information. I also suspect they are making movies of keystrokes at some distance.


Here is the rest of the article.

Peter Cochrane's Blog: Beware the new phishers - Software - Breaking Business and Technology News at silicon.com
PAXboy is offline  
Old 29th Mar 2009, 07:48
  #2 (permalink)  
 
Join Date: Apr 2002
Location: Hong Kong
Age: 56
Posts: 1,446
Received 3 Likes on 2 Posts
Strangely enough this isn't going to go onto my list of things I will worry about. I'm heartily sick of the be scared of everything culture.
Load Toad is offline  
Old 29th Mar 2009, 07:54
  #3 (permalink)  
 
Join Date: Jan 2008
Location: Haute Vienne France
Posts: 17
Likes: 0
Received 0 Likes on 0 Posts
Not just laptops

That's an impressively prepared blog. When I was commuting I was always surprised by the amount of confidential paperwork people used to study on packed trains. This would include personal bank statements, company accounts and legal case notes.
It's probably safer to occupy yourself with a crossword or Sudoku.
rothin is offline  
Old 29th Mar 2009, 09:13
  #4 (permalink)  
 
Join Date: Jun 2006
Location: Bristol, UK
Posts: 62
Likes: 0
Received 0 Likes on 0 Posts
Interesting. It sounds quite plausible to me. Many mobile phones nowadays have very high resolution cameras on them. Mine is 3 megapixel, and it's several years old. There are higher resolution ones about now, and I would certainly have thought it would be feasible for a video to be made at a high enough resolution to record keystrokes, even from a distance.

Food for thought, and reason to look over your shoulder before logging on in a public place, but then again unscrupulous owners of internet cafes could probably do something similar with CCTV cameras, or else have spyware on their computers, so you're never entirely safe from phishing.

I personally won't be getting paranoid about it.
Big Harvey is offline  
Old 29th Mar 2009, 18:24
  #5 (permalink)  
Paxing All Over The World
Thread Starter
 
Join Date: May 2001
Location: Hertfordshire, UK.
Age: 67
Posts: 10,175
Received 63 Likes on 51 Posts
Well ... I wasn't intending anyone to get paranoid or bothered, just that it was interesting and some basic precautions to be taken. It was reading the thread about a credit card being skimmed/cloned that made it pertinent.
PAXboy is offline  
Old 29th Mar 2009, 20:06
  #6 (permalink)  
 
Join Date: Dec 2001
Location: Leeds, UK
Posts: 281
Likes: 0
Received 0 Likes on 0 Posts
keystrokes sound like hard work

If you figure a lot of these people in lounges are using WIFI to connect their laptop, then I'm sure there is a lot of spyware out there that can grab everything being transmitted and received anyway, despite encryption. So screenshots etc are rather passe in this wireless world. You can even get stuff for mobiles that "read" all the text messages that are being blatted about to other nearby mobiles, I'm sure the same is true for 3G data connections...

G
groundbum is offline  
Old 29th Mar 2009, 23:57
  #7 (permalink)  
 
Join Date: Apr 2002
Location: Hong Kong
Age: 56
Posts: 1,446
Received 3 Likes on 2 Posts
Should we also watch out for anyone doing charcoal sketching or water colour as they walk past us trying to grab a screen shot on the off chance as they amble past we are keying in our passwords and ID etc onto a sensitive web site....?

Come on - as a way to gather useful 'puter information wandering up and down an airport lounge with a camera phone is pretty naff innit? It's possible but highly improbable.

Just looking again at the report in question:

As far as I can see this activity is largely the domain of youngish men, and we might suspect they are taking photos of unsuspecting pretty females. But I think the real reason is more sinister.
More sinister than maybe taking photos of 'unsuspecting pretty girls'?

In every case they have seemingly been texting on their mobile phone but on closer inspection I think they have been taking photographs and making movies.
So you don't know what they are doing - you are supposing? How close was the inspection - were you maybe - looking over their shoulders from close up?

They walk up and down the aisles, generally acting strangely in public places where laptop and other personal screens are in use.
So people are walking up and down holding their handphones in public places. This is 'strange'?

For several weeks I have been opportunistically taking pictures of screens whenever and wherever I can. The objective has been to establish the quality of the pics and what one might be able to read or discern from them.
It's OK for you to act strangely in a public place taking pictures of people's screens and keystrokes then?

My first big surprise was the sheer number of unattended screens out there. The second was how easy it was to take shots without being detected or raise suspicion. The third was just how close you can get to people without them even noticing your presence, let alone the fact you have a mobile phone peeking over their shoulder.
Mostly when people are not doing something that needs to be hidden they don't actually care nor mind that there are people about - this is society in action.

Did I get any interesting info? That's a secret.
Is it really? If you got any info that was not yours to have did you at least feel f' guilty - did you delete it, did you apologise?

In my view you would have to take an awful lot of pictures, and make a lot of movies, before you got lucky. But if you are a criminal then it's all in a day's work,
..or all in a day of your work Peter.

So it's back to people-watching for me, and an attempt to estimate how many of these snappers there are.
Best of luck on working out how many are people innocently using their phones, how many are taking pictures of 'unsuspecting pretty girls' and how many are doing something more 'sinister'; man I wish I had your job.

Oh, on a matter of security: All the original pics (and there were an awful lot) taken during this experiment and the material recovered have been deleted and there is no record of location or subject. Also, I am not about to release the technical data and practical experiences that saw an improved data recovery rate with time.
I'm so glad you aren't a sinister criminal Peter - we can rest easy whilst you are on watch.

Last edited by Load Toad; 30th Mar 2009 at 03:57.
Load Toad is offline  
Old 30th Mar 2009, 19:41
  #8 (permalink)  
Paxing All Over The World
Thread Starter
 
Join Date: May 2001
Location: Hertfordshire, UK.
Age: 67
Posts: 10,175
Received 63 Likes on 51 Posts
Goodness Gracious Mr Toad, that's an awful lot of bile. Could you not just have said, "I don't believe it" or something simple like that?

The man (who has a high reputation and whom I have met on several occasions, so send your bile at me rather than someone you have never heard of) saw a change in human behaviour, tracked it, tried it out and gave a clear indication that he found information that could be used by those who wished to take advantage.

I am not going to reply to every spurious point you make but this one:
If you got any info that was not yours to have did you at least feel f' guilty - did you delete it, did you apologise?
Doubtless you read the article in full and learnt that all material gathered was securely deleted and no records kept. You can imagine the problem of telling someone that you have just captured their PIN and that you have deleted it and they are not to worry. So, he took the opportunity to warn as many as he could of the risks they are running.

I posted the information here as a way to remind folks about keeping PINs and laptop screens private. I am soooooo sorry to have caused you such anguish.
PAXboy is offline  
Old 30th Mar 2009, 20:33
  #9 (permalink)  
 
Join Date: Sep 2007
Location: scotland
Posts: 117
Likes: 0
Received 0 Likes on 0 Posts
Paxboy, I agree with the core message - be wary of your privacy when revealing sensitive info in public. The problem is the blog deals in FUD and largely unsubstantiated claims - similar to the usual "police are warning about..." emails doing the rounds. I advise government and industry on IT security matters for a living incidentally so have my eyes fully open to the risks. Thus the message is correct, but the evidence of what these people MAY be up to is not conclusive at all and IMO there is virtually zero chance of a camera phone revealing anything - it's scaremongering. What techniques criminals have are nothing compared to what governments have but this isn't about covert espionage.
nebpor is offline  
Old 30th Mar 2009, 20:54
  #10 (permalink)  
Final 3 Greens
Guest
 
Posts: n/a
Paxboy

I did have a go at a certain gentleman, for rubbishing the blog, but we both got our posts deleted for our efforts - fair enough

The 'naive realism' of some people on here does amaze me, since ID theft and phishing are a known problem.
 
Old 30th Mar 2009, 22:49
  #11 (permalink)  
Warning Toxic!
Disgusted of Tunbridge
 
Join Date: Jan 2005
Location: Hampshire, UK
Posts: 4,011
Likes: 0
Received 0 Likes on 0 Posts
I do believe it is time to inject a note of realism and suggest people film someone working on a laptop discreetly, just as a stranger in a public place is supposed to, and see if you can glean any useful information and find out what they are typing! I would suggest it is a rather unproductive exercise. I don't believe it.
Rainboe is offline  
Old 30th Mar 2009, 23:59
  #12 (permalink)  
Paxing All Over The World
Thread Starter
 
Join Date: May 2001
Location: Hertfordshire, UK.
Age: 67
Posts: 10,175
Received 63 Likes on 51 Posts
Thank you to the more sober posters (which includes Rainboe). My point is this: If I did not know this man, and had been reading his blog for a couple of years and its predecessor diary for five years or more and his books ... then I would not have bothered you folks and would dismiss it as scaremongering. But he is an engineer who functions in an entirely logical manner and who deals only with empirical data. He has been a road warrior since before the term was invented and knows his way around the world on public transport.

That is why I wasted my time in posting his unique research here.

Anyway, who cares if the other guy gets his data ripped off? As long as it's not mine.
PAXboy is offline  
Old 31st Mar 2009, 08:31
  #13 (permalink)  
 
Join Date: Sep 2007
Location: scotland
Posts: 117
Likes: 0
Received 0 Likes on 0 Posts
Paxboy, I'm going to bite at that, as you don't seem to think I'm one of the more sober posters

I'm as sober as they come - you have to be when assessing threats and developing a strategy for protection against them.

I'll restate - the core message is correct .... beware of your privacy.

The evidence gathered in the article is just not good enough though for the conclusions reached. Do you think foreign criminal gangs have seeded these youths to walk up and down trains etc. capturing the pictures? If so, what value does the information collected have?

A snippet of the odd document isn't worth much on the open market.

If a user is typing their password in you would need close video of their fingers on the keyboard to get a reasonable chance of grabbing it - the user would more than likely notice such an aggressive intrusion.

I don't care how many miles your esteemed friend has travelled - I am an old-hat road warrior as well, but unlike him I am also a security professional. I can see why he reached the conclusions he did, but on balance I don't agree that the techniques he thinks are being used ARE being used - it is something else.

For example: "What a way of gleaning strangers' passwords, account numbers and much more. In the security and hacker communities, this is probably recognised and well understood but the general public are oblivious."

I am well hooked into the hacker community, having been a white-hat hacker for about the last 20 years, well before there was a WWW to steal things from. I have never read about such a technique being used.

There are obvious parallels with cash machine / camera ploys where people are filmed entering their PIN, but that is a different scenario from the one in question here.

So I'll say again, just in case anyone missed it - be very aware of where you are working on sensitive information and where you authenticate yourself. Just don't be scared of boys on trains with camera phones
nebpor is offline  
Old 31st Mar 2009, 09:09
  #14 (permalink)  
 
Join Date: Feb 2000
Location: UK
Age: 65
Posts: 3,586
Likes: 0
Received 0 Likes on 0 Posts
nebpor - could you list for us road-warrior (yeah, I know) types either the most common security errors or the most common hacker access methods? In short, using your experience, what can we all learn?
TightSlot is offline  
Old 31st Mar 2009, 10:12
  #15 (permalink)  
Paxing All Over The World
Thread Starter
 
Join Date: May 2001
Location: Hertfordshire, UK.
Age: 67
Posts: 10,175
Received 63 Likes on 51 Posts
nebpor, you are a sober poster because you gave a reasoned response in both responses. I only mentioned Rainboe by name as people usually consider him too 'lively' (to the point of unreason) in his responses, whereas I make a point of looking out for his responses.

You confirm the core risk and then provide cogent evidence against the proposition. That is the very best that I could have hoped for. That is what discussion forums are for (an old fashioned whimsy, I know).
PAXboy is offline  
Old 31st Mar 2009, 10:13
  #16 (permalink)  
 
Join Date: May 2005
Location: UK
Posts: 193
Likes: 0
Received 0 Likes on 0 Posts
On a transatlantic flight, I once read a whole PowerPoint presentation on how BAA was going to entice us to spend more money in their departure lounges. It was on somebody's laptop sitting across the aisle in the row in front. It was an interesting read, have forgotten the details, but I remember thinking they are very cunning in their attempts to get at your cash and don't like giving you lots of seats while hanging around in there.
Scumbag O'Riley is offline  
Old 31st Mar 2009, 10:16
  #17 (permalink)  
 
Join Date: Jan 2008
Location: France
Posts: 239
Likes: 0
Received 0 Likes on 0 Posts
There are two simple security precautions for using your laptop to view confidential information in public:

1. Buy one of those plastic sheets that covers the screen so that it can only be viewed from a narrow angle. I won't mention the brand because that might look like advertising.

2. Don't do it.

Looking over the shoulders of strangers is not the preferred technique of hackers anyway because there are so many other ways. But you need to be careful what you are reading because a competitor might be sitting right next to you.
deltayankee is offline  
Old 31st Mar 2009, 10:54
  #18 (permalink)  
 
Join Date: Aug 2008
Location: UK
Posts: 203
Likes: 0
Received 0 Likes on 0 Posts
I am not convinced about the keystrokes stuff but I absolutely believe that there may be people deliberately looking over people's shoulders in airports to read excerpts from documents etc. Far fetched?

How about a national intelligence services outfit bugging aircraft to listen in on conversations for commercial gain? That would be even more far fetched ...except they got caught didn't they

I have gleaned information quite accidentally when in a hotel by some competitors next to me. I am sure a deliberate effort would be worthwhile, especially at airports at the time of certain conferences

I have experienced (from the innocent side) a few episodes of commercial espionage, and some of those would have seemed much more far fetched (one I still don't believe myself).
ProM is offline  
Old 31st Mar 2009, 18:48
  #19 (permalink)  
Paxing All Over The World
Thread Starter
 
Join Date: May 2001
Location: Hertfordshire, UK.
Age: 67
Posts: 10,175
Received 63 Likes on 51 Posts
One of the most amusing discoveries I made was staying at an upmarket hotel a few years ago, and having to use their business center PC for an urgent letter. Naturally, I deleted the letter and all the tmp files that WORD creates.

Whilst there, I decided to look through the documents that other guests had left on the PC ... amongst other business and social documents, was a letter in commercial confidence to the President of the country from an overseas delegation. They had been finalising details of the deal. I did them the favour of deleting it.
PAXboy is offline  
Old 1st Apr 2009, 03:06
  #20 (permalink)  
 
Join Date: Apr 2002
Location: Hong Kong
Age: 56
Posts: 1,446
Received 3 Likes on 2 Posts
Don't be touchy Paxboy - I didn't attack you nor did I do an ad hominem axe job on Mr. Peter.

I'll reiterate though it is far fetched scaremongering & that's why I shredded his report like I did. I also find it bizarre that Peter needs to go around carrying out his research on the general public - surely these methods of data collection could be done in a controlled lab environment without recourse to even attempting to photograph members of the general public using their laptops / recording their screenshots and key inputs?

And thus him advising he has deleted the data (whether 'secret' or not) does not to me sound like the actions of a fine and upstanding person - does it to you?

I'm sure Mr. Peter is a staunch crusader for great and good things but in the case of this report he has at best failed miserably.
Load Toad is offline  

