February 25, 2005
Wayne Rash: Stupid Security Tricks
By Wayne Rash
I'd just finished tying my shoes, and then looked up at the conveyor belt as the flood of personal items emerged from the X-ray machine. The security screeners at Washington-Dulles International Airport were trying their best to be helpful, but were clearly harried. One of them started to hand me an IBM ThinkPad as it came toward me, but it wasn't mine. I'd just placed my nearly identical laptop in my briefcase.
Then I saw something I couldn't believe. As the TSA guy put the laptop back into the gray plastic tray, I saw a piece of yellow paper attached to the surface. On it was a list of access numbers, user names and passwords, all neatly typed. Clearly, this computer was owned by someone who couldn't remember their login information. I wasn't surprised, considering that there were a half dozen logins written out.
That was alarming, but what happened next was even more alarming: I noticed that the owner of the computer had a government ID card around his neck, identifying him as working for an agency heavily involved with fighting terrorism. An attacker could compromise agency security simply by being fast with a camera phone, or just by remembering what he read.
You'd think that with all the focus on security, such things wouldn't happen. But if you think that, you'd think wrong. Despite all of the warnings, people do still write down their passwords. Even so, attaching those passwords directly to the laptop is a new low.
That lapse was more obvious than usual, but no more stupid than usual. While there are limits to most types of human behavior, stupidity knows no bounds.
Simply avoiding stupidity can go a long way toward enhancing security on your system and network.