Identity theft is apparently the "in" thing these days.
By media accounts, hackers and evildoers lurk everywhere trying
to steal your personal information. In the past few months, one
company after another has been forced to admit customer data has
been lost or stolen.
In many cases, they have then come forth repeatedly over the next
few weeks, or even months, revising the estimated number of impacted
customers. To date, I don't think any have ever lowered those
numbers.
Identity Theft and Respected Companies
Generally speaking, these aren't fly-by-night organizations.
These are respected companies that we've come to trust.
In many instances, the loss wasn't even the work of a
malicious hacker or other mystical force beyond
their control; it was simple carelessness. The frequency of
such reports of identity theft is making it difficult for
consumers to feel confident in those with whom we do business.
Customers are outraged that companies are not doing more to
protect their information from the forces of evil.
You and Your Personal Information
What about you? How are you at keeping your personal information
under wraps? Some of these high profile incidents were the result
of a trivial mistake that could have happened to anyone, including
you.
Let's consider two events that didn't make the front page
of C|Net or CNN.
The Keys To The Castle
I consult for a client who doesn't trust me. It's nothing
personal, they don't trust anyone. Whenever I visit this site,
I am forced to contact the client throughout the visit to have them
type a credential, or password, to grant access to a server or router.
It's really annoying.
I really respect this client.
They don't really know me; I'm the consultant.
They're taking the proper steps when dealing with a consultant,
providing the absolute minimum amount of information required.
They would never give me unsupervised access to the network,
and certainly wouldn't consider giving me passwords to
their servers or routers. Not on purpose anyway.
Then there was the day I was working alongside the client and needed
to reconfigure a router to complete a task. It's a long walk
to the client's office to get the password for that particular
router. Yes, this is a client who apparently has a unique password
for every piece of equipment they own. Conveniently, the client does
keep a password-protected file on a USB key that contained the needed
information. The client was completely appropriate and even asked
permission before using my laptop to fetch the file. I consented, and even
made the gesture of turning away while he unlocked the file and
retrieved the required password.
Have you ever used Google Desktop Search? It's a very
cool, and aptly named, program that is a Google for your PC.
It will index your files and make them searchable through
a fast, flexible, and easy-to-use interface. It'll even
cache the contents of files, so if you move one off your hard
drive, you'll still be able to see the contents of what
was once there. Normally it does all this in the background
when your computer is sitting idle. It also does it anytime
you open a file.
Your Personal Information Is The Prize
You guessed it. Logins, passwords, public and private IP addresses.
You name it, I had it. The client who would never give me a single
password had turned over all of them at once.
What kind of wondrous data was now available? Personnel records,
salary data, trade secrets? Maybe, if this was a corporate client.
What about an academic, a University even? Student records, financial
aid forms, and grant information. The possibilities were endless.
I promptly deleted the cache. The customer didn't want me to
have the information, nor did I.
Would You Hand Your Credit Card To A Stranger?
The previous example showed how simple it is to inadvertently reveal
a large amount of data. It's funny how easily a person can
dismiss this type of loss. After all, it's not your data, right?
So let's get a bit more personal.
Convenience And Computer Security Are Rarely Compatible
I have a good trust relationship with my next client. She is quite
comfortable with me administering and securing the corporate network.
When it comes to her personal credit card information however, well,
not so much.
Pretty much every web browser available these days has quite a few
convenience features designed to make your day to day net
experience simpler. One of these convenience features came
into play in this example, specifically the Firefox browser's
auto-completion feature.
Not too long ago, I was tasked by this client to make arrangements
for transfer of an internet domain to their ownership. Not a difficult
task, she could have handled it herself. She was quite a capable
computer user; she just didn't want to be bothered with the
process.
I set aside 20 minutes to go through her domain registrar's
step-by-step transfer wizard. I summoned the client to explain the
details of the transfer displayed on my laptop screen. Facing the
payment options screen the client asked if she could proceed. I
relinquished control of my laptop and she entered the credit card
information required to complete the transaction.
Web Browsers Cache Your Personal Information
Most modern web browsers, for convenience, will cache information
entered into web forms. The intent is to be able to recall
this information if it's requested by another form. The
following day, I was in the process of registering another
domain with the same registrar and was surprised, for half
a second, when the payment screen pre-populated using the
same information used the day before. In addition to the credit
card information, I also had my client's personal home
address and telephone number. This was quite a bit of personal
information the client never had any intention of giving me.
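A laptop owner who lends out a browser can audit its saved form history for leftovers like these. The sketch below is an added example, not part of the original article: it scans a form-history table for values that pass the payment-card Luhn checksum and purges them. The table and column names are modelled on Firefox's `moz_formhistory` store as an assumption, and the sample rows are constructed.

```python
import re
import sqlite3

def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by payment cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def find_card_like(conn):
    """Return (id, fieldname) for saved form values that look like card numbers."""
    hits = []
    for row_id, field, value in conn.execute(
            "SELECT id, fieldname, value FROM moz_formhistory"):
        digits = re.sub(r"[ -]", "", value)   # tolerate spaces and dashes
        if digits.isdigit() and 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append((row_id, field))
    return hits

def purge(conn, hits):
    """Delete the flagged rows and return how many were removed."""
    before = conn.total_changes
    conn.executemany("DELETE FROM moz_formhistory WHERE id = ?",
                     [(row_id,) for row_id, _ in hits])
    conn.commit()
    return conn.total_changes - before

def build_sample():
    """Constructed sample data; the card number is a widely published test value."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE moz_formhistory "
                 "(id INTEGER PRIMARY KEY, fieldname TEXT, value TEXT)")
    conn.executemany(
        "INSERT INTO moz_formhistory (fieldname, value) VALUES (?, ?)",
        [("cc_number", "4111 1111 1111 1111"),   # Luhn-valid test number
         ("phone", "555-0100"),                  # too short to be a card
         ("order_ref", "1234567890123456"),      # 16 digits, fails Luhn
         ("street", "1 Example Street")])
    return conn

if __name__ == "__main__":
    conn = build_sample()
    hits = find_card_like(conn)
    print("card-like entries:", hits)
    print("rows purged:", purge(conn, hits))
```

The Luhn check keeps the audit from flagging every long number; only the card-shaped entry is removed, and the other saved values are left alone.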
So What's Your Point?
These two examples are very different but do share two important
attributes. First, data the client intended to keep private was
revealed to me. Second, the data was compromised because
the victim was working with it on a computer they neither
owned nor were familiar with. Under
different circumstances, the end results could have been quite devastating.
Conclusion
When using a computer system you do not own, perhaps at a
kiosk, or Internet Café, be aware that the computer
itself is going to remember a lot of what you've done
as part of basic functionality. Additionally, most entities
that are going to provide you with access to a computer, including
your employer, probably have systems in place that could collect
additional data you don't desire to share. Even WiFi
hotspots that allow you to use your own notebook or PDA to
surf the web while sipping coffee can be a potential information
collector. The moral of the story is, when dealing with computer
systems that aren't your own, never handle data or documents
that you wouldn't want left behind unprotected. In all
likelihood, once you walk away from that computer, you've done
just that.
Erich currently specializes in providing network and security
solutions for small to medium businesses that frequently have to
resolve the conflict of need versus budget. His commitment to precision
and excellence is eclipsed only by his fascination with gadgets,
particularly ones that are shiny, or that blink, or that beep. Erich
is a staff writer for www.defendingthenet.com and several other
e-zines. If you would like to contact Erich you can e-mail him at
[email protected]
or [email protected].
If you would like to know more about computer security please visit
us at http://www.defendingthenet.com.