Data leakage and dictionary attack stories from RSA

Filed Under: Data loss, Privacy

Last year, I wrote several Naked Security articles about computer security problems which can put travellers in harm's way. The topics I covered were:

* The free WiFi service at San Francisco airport with Terms and Conditions which authorised the network operator to access your device and the information stored on it.

* The no-responsibility-for-your-property attitude of the private security company at Canberra airport - a company which nevertheless insists on separating you from your laptop for an indeterminate amount of time during screening.

* The chap at Sydney airport who used a kiosk computer in the Qantas lounge and left behind a veritable audit trail of personal email information - including his name, employer, job and details of recent business meetings.

* Paul Craig's live demonstration at Kiwicon of the woeful insecurity of many internet kiosks, even if you avoid the self-inflicted data leakage problems of the previous story by clearing browser history and logging out when you're finished.

I'm now on my way back from the RSA conference in San Francisco - where I can tell you that the WiFi Terms and Conditions at the airport are still as onerous as they were last year - with an amusing fifth anecdote to add to my Travellers Beware series.

The crumpled-up PostIt note you see above was dropped in the lobby of one of the big hotels near the Moscone Center, the outsized conference venue near Union Square at which the RSA event is held.

The note doesn't record the name of the person whose BlackBerry Enterprise Server connection it relates to. But conference delegates have a habit of leaving their nametags on, even back at the hotel. This seems to be a subcultural nicety of the conference circuit.

So you can often tie discarded data fragments - such as the pictured PostIt - back to a company, and in many cases, to an individual. (It's not even rude if you're caught trying to make out someone's nametag across the lobby. That's what nametags are for, after all.)

Making that sort of connection converts raw data into PII, or Personally Identifiable Information. And PII really needs to be kept private.

Don't let yourself fall into bad data leakage habits whilst you're on the road. And data doesn't just leak from electronic devices such as laptops and phones. Hastily scribbled notes, memos to yourself and carelessly discarded invoices and tickets can help identity thieves to accumulate PII which they can abuse or sell on at a later stage.

And please choose decent passwords. If you're a sysadmin, don't fall into the habit of choosing trivial passwords because they're easier to read out to users when they're on the road. (As an aside, teach yourself and your fellow administrators the NATO Phonetic Alphabet and you'll find it much easier to describe arcane command lines and to read out complex passwords.)

The password in the pictured example is especially amusing. It brings a whole new excitement to the concept of a dictionary attack, since a (and not aardvark, as popularly imagined) is always the very first entry in any dictionary of the English language.
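To make the dictionary-attack joke concrete, here is a toy dictionary attack added for this article (it is not code from the original post, and the wordlist, salt and stored hashes below are all constructed for the illustration). It hashes a password with salted PBKDF2, then walks an ordered wordlist and reports how many guesses it took. A password of "a" falls on guess number one; a multi-word passphrase that is not in the list survives the whole run.

```python
"""
Added illustration, not part of the original article: a toy dictionary attack
against a salted, hashed password. The wordlist, salt, iteration count and
stored hashes are all constructed here for the example.
"""
import hashlib
import hmac

# Constructed wordlist. Just as "a" is the first entry in a dictionary of
# English, a real cracking wordlist is ordered most-likely-first, so the
# weakest passwords are the first to fall.
WORDLIST = ["a", "aardvark", "abandon", "password", "letmein", "welcome1"]

# Toy iteration count so the example runs quickly; production PBKDF2 settings
# are far higher.
ITERATIONS = 10_000


def hash_password(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Salted PBKDF2-HMAC-SHA256, as a password store might use it."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def dictionary_attack(stored_hash: bytes, salt: bytes, wordlist, iterations: int = ITERATIONS):
    """
    Try every candidate in wordlist order against one stored hash.

    Returns (recovered_password, guesses_used) on success, or
    (None, len(wordlist)) if the whole list is exhausted.
    """
    for guesses, candidate in enumerate(wordlist, start=1):
        candidate_hash = hash_password(candidate, salt, iterations)
        # Constant-time compare; not strictly needed offline, but good habit.
        if hmac.compare_digest(candidate_hash, stored_hash):
            return candidate, guesses
    return None, len(wordlist)


def demo():
    """Run the attack against two constructed passwords and return the results."""
    salt = b"constructed-example-salt"  # constructed; would be random per user
    weak = hash_password("a", salt)
    strong = hash_password("correct horse battery staple", salt)
    return {
        "a": dictionary_attack(weak, salt, WORDLIST),
        "passphrase": dictionary_attack(strong, salt, WORDLIST),
    }


if __name__ == "__main__":
    for label, (found, guesses) in demo().items():
        if found is None:
            print(f"{label!r}: not recovered after {guesses} guesses")
        else:
            print(f"{label!r}: recovered {found!r} in {guesses} guess(es)")
```

The salt does not save a one-letter password: it only stops the attacker reusing one set of precomputed hashes across many users, and a single guess per user is cheap. What changes the outcome is choosing a password that is simply not in any wordlist an attacker is likely to run.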

Watch how to choose a decent password here:

(Enjoy this video? You can check out more on the SophosLabs YouTube channel and subscribe if you like.)

If you're concerned about privacy - your own and that of your valued customers - why not download our free Data Security toolkit?


8 Responses to Data leakage and dictionary attack stories from RSA

  1. Frank · 1160 days ago

    Blackberry Enterprise activation passwords are one-time use passwords. Once it's been used, it's useless.

    Presuming this person wouldn't have thrown away their instructions until after they had used them, then this piece of paper has far less on it than a business card - and it's not like there's a shortage of them at RSA

    • Paul Ducklin · 1160 days ago

      Presuming they threw it away at all, of course. In this case, it seems they simply dropped it, or that it fell off the device it has been stuck to. It wasn't in an ashtray or a rubbish bin, for example.

      And it does provide some hints as to the likely security practices of the sysadmins at the company concerned.

      So it's still a bad sign. As the HBGary hack^H^H^H^Hbreak-in [*] shows, lots of little bits of information can add up to a lot of trouble...

      [*] See comment and reply by "spookie" below.

  2. It's also worth noting that the password on the Post-It note is not necessarily "a". It could just be shorthand for "you know, the password we often use that begins with a"...

    • Paul Ducklin · 1159 days ago

      We had a chuckle when we found the note, and writing it up here was meant to be as much a metaphor for shoddy password processes as a literal suggestion that whoeveritwas would get broken into as a direct result.

      However, if you have a habit of choosing "the password we often use that begins with a", then it sounds as though you are skating on thin password ice (that's metaphorical, too, of course) anyway. As HBGary found out.

  3. jyane · 1159 days ago

    I enjoyed RSA this year but that is just fail. try doing that at blackhat/defcon/hope/etc ... you would probably learn your lesson the hard way.

  4. spookie · 1159 days ago

    Could we PLEASE quit misusing the word hacker? Hacking is a noble and honorable occupation many of us aspire to, and the name has been co-opted by the media to imply a hostile and illegal nature that simply isn't what the word intended when we adopted it. "Cracker" is a better term for "cracking" a system or password.

    Please. I've aspired to be a hacker in the tradition of Steve Wozniak and Linus Torvalds, using "playful cleverness" to solve problems, all my life. Intrusion is not synonymous with hacking. A security expert with a security firm should know better.

    • Paul Ducklin · 1159 days ago

      I have edited my earlier comment from "HBGary hack" to "HBGary break-in" to keep you happy.

      I don't disagree with you about the origins of the word hacker - indeed, I even argued that point for you (and against my own friend and colleague Graham Cluley) here:
      http://nakedsecurity.sophos.com/2010/05/25/may-20...

      But since the term "hacker" _is_ ambiguous we ought simply to avoid it altogether - unless we are in select company in which its meaning, one way or the other, would be unambiguous.

  5. Chris Brown · 1159 days ago

    You write this as though there are admins out there who don't know the NATO phonetic alphabet? How do these people hope to explain to users that they should type in P instead of T or D? It's one of the first things I learnt in AdminSchool(TM)!


About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog