The list is pretty endless.<\/p>\n\n\n\n
Then we get into the world of \u2018physical\u2019 social engineering which takes a certain element of tradecraft and bravado to pull off:<\/p>\n\n\n\n
- Piggy-backing<\/li>
- Tailgating<\/li>
- Impersonation<\/li>
- Dumpster diving<\/li>
- Shoulder surfing<\/li><\/ul>\n\n\n\n
All relatively easy concepts to understand as they pretty much do what they say on the tin.<\/p>\n\n\n\n
Shoulder surfing is a good one as it is often explained as someone looking over your shoulder to see what you are up to on a screen or how your hands move on a keyboard whilst typing in credentials etc. And you may think \u2013 \u201cHow likely is that to take place whilst I am at work?\u201d. The reality is of course that unless the attacker has been able to get physical access to where you are sitting (through tailgating or piggy-backing perhaps?) \u2013 then it is not likely at all. (Unless you work with a bunch of \u2018disgruntled employees\u2019!)<\/p>\n\n\n\n
However, don\u2019t know if you have noticed recently that things have changed?<\/p>\n\n\n\n
Technology now means that each and every one of us is equipped and has the ability to record, photograph and video at the drop of hat \u2013 whoever, whatever, whenever. That is what a mobile phone is for. More camera less phone.<\/p>\n\n\n\n
Life now means that more and more of us are working away from the office and we are all busy people. <\/p>\n\n\n\n
We work routinely from home, check our emails on the toilet, we answer calls in the coffee shop, we arrange video meetings on the move which unfortunately means that the social engineer no longer needs to come to us as we come to them!<\/p>\n\n\n\n
On a recent trip up North (where it wasn\u2019t at all grim) I was sat on a London North East Railway train doing what most people do on trains.\u00a0 Reading a book, listening to music and playing with my phone.\u00a0 Nobody raised an eyebrow at any of this.\u00a0 However, two seats in front of me was a very busy person working on that all important Teams meeting and although she wasn\u2019t talking she was typing.\u00a0 This was the view from my seat.<\/p>\n\n\n\n
![\"\"](\"\/wp-content\/uploads\/2021\/11\/Screenshot-2021-11-18-161740.jpg\")
<\/figure><\/div>\n\n\n\nLook carefully, you can see her shoulder.<\/p>\n\n\n\n
I don\u2019t have a particularly \u2018smart\u2019 smart phone but it does allow me to zoom in nicely with the camera and video recorder. And so, from two seats away, hidden in plain sight \u2013 I am shoulder surfing like a pro.<\/p>\n\n\n\n
![\"\"](\"\/wp-content\/uploads\/2021\/11\/Screenshot-2021-11-18-161757.jpg\")
<\/figure><\/div>\n\n\n\n- Personal chat<\/li>
- Contacts<\/li>
- Personal Identifiable Information<\/li>
- Company confidential information<\/li>
- Email addresses<\/li>
- Email login and content<\/li>
- Customer contacts and information<\/li><\/ul>\n\n\n\n
(Naturally, for ethical reasons I have blurred the screen but trust me when I tell you that I could read it very clearly)<\/em><\/p>\n\n\n\n
All whilst listening to the Beachboys greatest hits. Surfing LNER.<\/p>\n\n\n\n
This is not the first time I have observed this type of activity and it probably won\u2019t be the last. Possibly the best\/worst case I have seen was when a chap I was sitting next to on a flight to France, opened up his laptop and started working on a spreadsheet shortly after take-off. That time it was PII, financial records, emails, phone numbers, business records and a whole host of other stuff which I am certain I wasn\u2019t supposed to be privy to.<\/p>\n\n\n\n
To quote the great Tom Jones \u2013 \u2018It\u2019s not unusual\u2019 to see this type of activity everywhere – as we are busy people. We need to do things when we are out and about \u2013 and I totally get it. <\/p>\n\n\n\n
But we also need to be aware and \u2018street smart\u2019.<\/p>\n\n\n\n
Even if it isn\u2019t Evil-Dude the hacker who is looking over your shoulder it might be someone who has a vested interest in what you are doing or saying. Or becomes interested based on what they can see.<\/p>\n\n\n\n
Personal data is personal, company confidential data is confidential, data protection is all about protecting data \u2013 it is all quite a simple concept really – and remember it is not just you that you are protecting.<\/p>\n\n\n\n
Think about your working practices. Think about the working practices of your staff and members of your team. Have a chat about data protection and what data can be accessed on mobile devices. Have a chat about how secure that data is whilst it is safely encrypted at rest and in transit when using the VPN. <\/p>\n\n\n\n
Have a chat about how insecure that data is whilst it’s being used for all to see.<\/p>\n\n\n\n
After the chat \u2013 draw up a specific security policy or amend your existing ones. Then turn the chat into a user training and awareness session so nobody misses out on the message.<\/p>\n\n\n\n
You could always boost your training sessions with some Beachboys music playing in the background (optional).<\/p>\n","protected":false},"excerpt":{"rendered":"
Anybody remember the classic Beachboys song \u2018Surfing USA\u2019? Well how about \u2018Surfing LNER\u2019 as an alternative? I am getting dismayed in my classes as my references to all time great music hits are now being met with sideways glances and … <\/p>\n","protected":false},"author":1,"featured_media":273,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-272","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorised","grid-sizer"],"_links":{"self":[{"href":"https:\/\/www.cyberphil.co.uk\/index.php?rest_route=\/wp\/v2\/posts\/272","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.cyberphil.co.uk\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.cyberphil.co.uk\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.cyberphil.co.uk\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.cyberphil.co.uk\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=272"}],"version-history":[{"count":7,"href":"https:\/\/www.cyberphil.co.uk\/index.php?rest_route=\/wp\/v2\/posts\/272\/revisions"}],"predecessor-version":[{"id":284,"href":"https:\/\/www.cyberphil.co.uk\/index.php?rest_route=\/wp\/v2\/posts\/272\/revisions\/284"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.cyberphil.co.uk\/index.php?rest_route=\/wp\/v2\/media\/273"}],"wp:attachment":[{"href":"https:\/\/www.cyberphil.co.uk\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=272"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.cyberphil.co.uk\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=272"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.cyberphil.co.uk\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=272"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}