Business Center Insecurity – The Case for DRM

Right after your hotel thanks you for your business, let me than you for your business too. Right after the front desk person thanks you as you leave the airline lounge, I’ll thank you again. I’m not thanking you on behalf of the merchant, I’m thanking you for your data. OK, I’m not really doing the thanking, it would be the bad guys who are thanking you.

I’ve traveled a lot in the past 20 years or so. One of my favorite pastimes was to go to the hotel business center or airline lounge, or other public computers to see what has been left behind. I then notify the owners, when possible, and explain the situation. Then I delete the data. Throughout the years I have found all kinds of information, business and personal, on business center computers. I haven’t installed keystroke loggers, or any kind of software to find people’s data. I haven’t used social engineering. I haven’t exploited any vulnerabilities beyond Windows working as designed. I have used my eyes, and occasionally a stand-alone hex editor to view temporary files.

I’ve seen an air force general’s itinerary for a nearby base visit. In a temporary directory, I once found a Word temp file containing classified information. I know it was about government cybersecurity due to the name at the beginning of the document and the watermark on the document. I have no idea of the content beyond that. Sometimes ignorance is bliss. The document was deleted immediately. I’ve encountered business plans (mighty ambitious to overtake Disney Studios), financial portfolios, and even closing arguments from a federal DA. I’ve seen a spreadsheet listing the salaries and merit raises for all teachers at a Texas university. The pittance they are paid should be a crime. I have stumbled across an electronic boarding pass at a posh hotel. The boarding pass had the passenger’s name, seat number, mileage plan number, departure time, and destination. Perhaps I could have changed the passenger’s seat assignment, but that’s mischief and I can’t afford the karma. Mileage plan accounts are  a delicacy on the black market, but that’s a pretty tame attack. This is what would scare me, malice. If you call in an anonymous tip to airport security with the passenger’s name, flight number, departure time, destination and seat number, and report a terrorist, a drug runner, etc. it’s probably not going to be a good day for the victim. Tell officials the person in the seat next to them is in on the nefarious deed and you may even lend more credibility to the tip. Like they say, it’s all fun and games until your seat changes from aisle to middle.

There are at least two fundamental problems that must be addressed. A lack of education is a biggie here. Many companies have policies surrounding information confidentiality, however, when employees do not understand the intricacies of policies, such as the use of business center computers, they don’t even know they are out of compliance. Just telling employees not to use public computers is insufficient. Many people do not equate a business center computer with public computers. Airline lounges (good stuff) are restricted access, so how can that be a public computer? Right? Enterprises need to take a look at what makes sense to techies and assume it makes no sense to everyone else. Then create educational content.

However, people will still make mistakes. Hence another case for digital rights management (DRM). There is a wonderful mantra that states data should be encrypted at rest and in motion.  Sweet! We have a mantra. Currently, the mantra is more commonly a one-liner than a practice.

There is some good news on the public computer security front. To begin with, browsers have gotten better at not leaving copies of email and such behind. I used to be able to find copies of email such as a Bank of America statement that disclosed sources of income, businesses patronized, and other useful data for social engineering or even physical crimes such as burglary. It appears that within the last 3 years Comcast stopped downloading attachments from webmail as soon as the email was opened. Operating systems have gotten better at hiding files as well. That said, an OS crash can prevent the clean-up of data and leave files behind that should have been deleted on file or app closure.

But the biggest safety improvement is dedicated kiosks. Kiosks are becoming much more common in hotels and airports. The kiosks provide limited applications and prevent access to the file system. They make data dumpster diving quite disappointing; perhaps even a thing of the past.

Still, there is a hardware-based DRM product that is massively underused. It’s called a privacy filter. Honestly, when someone sits next to you with their laptop screen in plain view, aren’t you somewhere between a little and totally compelled to look? Yeah, me too. As I was passing time in a flying business center, the lawyer sitting next to me was reading a document about a hostile takeover bid. On another flight a man two or three rows forward was working on an HR presentation. I actually walked up and recommended a privacy filter, but he didn’t care that his screen was visible to other people. Busses, trains, and coffee shops are also good places that recommend the use of what I call hardware DRM.

I’d be remiss if I left out the use of VPNs. Once a place where people could socialize and speak loudly about trade secrets, coffee shops have become the business center for the people. Not only are screens without privacy filters wide open to snooping, but computers without VPNs are vulnerable to a variety of attacks, even with encrypted Wi-Fi access points.

Just as the enterprise perimeter has all but disappeared, the business center perimeter has too. Educating employees, and sometimes an ineducable CEO, is essential, but providing the right tools to help employees protect confidential information is defense-in-depth, and that’s a good thing.

In closing, I’ll make the same ask that I did when I wrote a similar blog for Webroot a few years ago. If you found this blog useful, then as a public service, when you come across an insecure business center computer leave a copy of this blog behind on the desktop. Title it something like “Confidential”,  “Do Not Open”, or “I Love You” for maximum readership.

Randy Abrams
Senior Security Analyst
SecureIQLab