Security Community Blog

The Last Laugh

Created: 27 Apr 2009 • 6 comments
khaley

It’s happened to all of us, hasn’t it? You’re being driven to an important meeting. You prepare for the meeting by reading a top secret document, something related to national security. The chauffeur pulls up to the building and, in a hurry to get to the meeting, you grab your papers and portfolio and jump out of the car. Exiting the car you are greeted by the press. They take your picture. You give a brief wave and head into your meeting. Happens all the time. Unfortunately the top secret document you were carrying was sitting on top of your portfolio, in just the right position that most of the contents of the document can easily be read in all the photographs that were taken. Don’t you just hate when that happens to you?

Okay, maybe you can’t relate. You don’t have a chauffeur, top secret documents or even people other than your mom wanting to take your picture. Someone who can relate is Bob Quick, the former assistant commissioner of London’s Metropolitan Police. He was Britain’s most senior counterterrorism officer. I say was, because he resigned after the furor created when he was photographed carrying a document containing details of an active investigation into suspected terrorists. You can see the pictures here: http://www.guardian.co.uk/uk/2009/apr/09/bob-quick...

If you followed the story you may have been amused that someone could be so dimwitted. You may be chuckling a little right now. Be careful. You may not have the last laugh. Most of us don’t have top secret documents, but we do have information on our computers considered company confidential. Do you have a laptop? Ever sat in a coffee shop, airport, or on a plane, with the laptop open and a company document on your screen? Think carefully, because if you have, you’re really not much different than Bob Quick.

It’s called shoulder surfing. We talk about how little technical knowledge you need these days to do crimeware. You don’t even need the “ware” here. Anyone with good vision can do it.

We can’t write virus definitions to protect you from losing company data that way. And although encryption and Data Leakage Protection are important prevention technologies, they are not going to help here. You’re on your own. So be smart. Don’t let someone else have the laugh on you.

6 Comments

mon_raralio

I saw the link. That was unwise of him. Anyone can bump into him and grab those papers. Why doesn't he carry a bag or briefcase? Stuff it in. People in the movies do it no matter the urgency.

It also makes me think of how employees can casually disclose company secrets during conversations. I've heard things in coffee shops - groups trying to one-up each other as to who has the better company secret. I walk away knowing a little more about their companies - how they are organized or disorganized, the problems they're facing, what viruses are in their system. I lean over a second and check their ID tags and then I know their company.

“Your most unhappy customers are your greatest source of learning.”

vikram3500

I saw this article on BBC and thought someone so high up having secret docs doesn't know of such simple controls as a bag, where you keep your stuff. It's an example for all of us to be on lookout for such issues and educate all our employees on various social engineering techniques as well...

shaun_b

Great article. This is why I'm so aggressive towards Security Awareness training. You can implement all the technologies in the world to protect you against risks, but in the end, it's up to the end user's knowledge and education.

Was Bob Quick trained and notified that he shouldn't let confidential documents in plain view on the top of his car? Probably not, because upper management probably didn't think something this apparent needed to be emphasized. It's often the simplest things that have the most detrimental consequences. Social engineering is a great example of this.

Nel Ramos

This only means to say that security would never be taken for granted in meeting deadlines. Never let your guard down at all times because passwords are all they need to ruin an impregnable system.
Nice article by the way.

Nel Ramos

khaley

What's your secret? Most people I talk to begin to tear their hair out when I talk about Security Awareness training. The problem seems to be twofold: it's hard to get the chance to do the training. And when they can, it usually doesn't stick. End users just can't get their head around the subject.

Sheila Marie

We have to train people...
especially the non-techies that might be the breach for viruses...
