Data leakage and dictionary attack stories from RSA

Last year, I wrote several Naked Security articles about computer security problems which can put travellers in harm's way. The topics I covered were:

  • The free WiFi service at San Francisco airport with Terms and Conditions which authorised the network operator to access your device and the information stored on it.
  • The no-responsibility-for-your-property attitude of the private security company at Canberra airport – a company which nevertheless insists on separating you from your laptop for an indeterminate amount of time during screening.
  • The chap at Sydney airport who used a kiosk computer in the Qantas lounge and left behind a veritable audit trail of personal email information – including his name, employer, job and details of recent business meetings.
  • Paul Craig’s live demonstration at Kiwicon of the woeful insecurity of many internet kiosks, even if you avoid the self-inflicted data leakage problems of the previous story by clearing browser history and logging out when you’re finished.

I’m now on my way back from the RSA conference in San Francisco – where I can tell you that the WiFi Terms and Conditions at the airport are still as onerous as they were last year – with an amusing fifth anecdote to add to my Travellers Beware series.

The crumpled-up PostIt note you see above was dropped in the lobby of one of the big hotels near the Moscone Center, the outsized conference venue near Union Square at which the RSA event is held.

The note doesn’t record the name of the person whose BlackBerry Enterprise Server connection it relates to. But conference delegates have a habit of leaving their nametags on, even back at the hotel. This seems to be a subcultural nicety of the conference circuit.

So you can often tie discarded data fragments – such as the pictured PostIt – back to a company, and in many cases, to an individual. (It’s not even rude if you’re caught trying to make out someone’s nametag across the lobby. That’s what nametags are for, after all.)

Making that sort of connection converts raw data into PII, or Personally Identifiable Information. And PII really needs to be kept private.

Don’t let yourself fall into bad data leakage habits whilst you’re on the road. And data doesn’t just leak from electronic devices such as laptops and phones. Hastily scribbled notes, memos to yourself and carelessly discarded invoices and tickets can help identity thieves to accumulate PII which they can abuse or sell on at a later stage.

And please choose decent passwords. If you’re a sysadmin, don’t fall into the habit of choosing trivial passwords because they’re easier to read out to users when they’re on the road. (As an aside, teach yourself and your fellow administrators the NATO Phonetic Alphabet and you’ll find it much easier to describe arcane command lines and to read out complex passwords.)

The password in the pictured example is especially amusing. It brings a whole new excitement to the concept of a dictionary attack, since a (and not aardvark, as popularly imagined) is always the very first entry in any dictionary of the English language.
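As an added illustration (example code written for this page, not part of the original article or of any Sophos tool), here is the sort of server-side check a sysadmin could run before handing a password to a travelling user. It undoes the common "mangling" tricks a dictionary attack tries anyway (capitalising the word, tacking digits or a symbol on the end) and then looks the base word up, so that "a", "A1" and "Aardvark2024!" are all thrown out as dictionary words. The wordlist, the mangling rules and the 60-bit threshold are assumptions chosen for the example; a real deployment would load a full dictionary and a leaked-password corpus.

```python
"""Password vetting check: reject dictionary words (even when mangled)
and passwords too short to resist brute force.

Added example, not code from the Naked Security article. The wordlist,
mangling rules and threshold below are assumptions for illustration."""
import math
import re
import string

# Constructed mini-dictionary for the example. A real check would load
# the system dictionary plus leaked-password lists instead.
SAMPLE_DICTIONARY = {"a", "aardvark", "password", "letmein", "summer", "welcome"}

# Assumed mangling rules an attacker's wordlist already covers: up to four
# trailing digits and an optional trailing symbol. Stripping them means
# "Summer2024!" is judged as the dictionary word "summer".
_MANGLE_SUFFIX = re.compile(r"[0-9]{0,4}[!@#$%^&*.]?$")


def base_word(password: str) -> str:
    """Strip common suffix mangling and case so the word can be looked up."""
    return _MANGLE_SUFFIX.sub("", password).lower()


def is_dictionary_word(password: str, dictionary=SAMPLE_DICTIONARY) -> bool:
    """True if the password is a (possibly mangled) dictionary entry."""
    return base_word(password) in dictionary


def charset_size(password: str) -> int:
    """Size of the alphabet a brute-force attacker would have to cover."""
    classes = [
        (string.ascii_lowercase, 26),
        (string.ascii_uppercase, 26),
        (string.digits, 10),
        (string.punctuation, len(string.punctuation)),
    ]
    return sum(n for chars, n in classes if any(c in chars for c in password))


def estimated_bits(password: str) -> float:
    """Crude upper bound on brute-force resistance: length * log2(alphabet)."""
    if not password:
        return 0.0
    return len(password) * math.log2(charset_size(password))


def vet_password(password: str, dictionary=SAMPLE_DICTIONARY, min_bits: float = 60.0):
    """Return (accepted, reason). Dictionary check runs first, because a
    dictionary word falls in seconds no matter how long it looks."""
    if is_dictionary_word(password, dictionary):
        return False, f"'{base_word(password)}' is a dictionary word"
    bits = estimated_bits(password)
    if bits < min_bits:
        return False, f"only ~{bits:.0f} bits of brute-force resistance"
    return True, f"ok (~{bits:.0f} bits)"


if __name__ == "__main__":
    # Constructed sample inputs, including the article's one-letter password.
    for candidate in ["a", "A1", "Aardvark2024!", "1234", "correct-horse-battery-staple-99"]:
        accepted, reason = vet_password(candidate)
        print(f"{candidate!r:36} {'ACCEPT' if accepted else 'REJECT'}: {reason}")
```

The dictionary lookup is deliberately done before the length test: length and character mix only matter once a password is not something an attacker's wordlist already contains.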

So here is a short and straight-talking video that not only shows you how to pick a proper password, but also explains why you should bother.
