


London (UK): While organisations are spending millions securing their networks, with budgets predicted to rise in 2014 and beyond (according to industry analysts), a recent walk along the streets of London’s financial district found that many are failing to consider their physical vulnerabilities. A study sponsored by AppRiver, the cloud-based email and Web security specialist, found that practically every street visited in the City of London (known as ‘the Square Mile’, and home to many high-profile businesses and organisations) has at least one window (the good old-fashioned glass variety) framing a user’s screen on the first floor. In fact, some of the streets surrounding Cheapside not only had screens visible on the first floor, but banks of them at street level. One corner, flanked by two different high-profile banking institutions, had over 150 screens between them on the ground floor, facing the street and just a few meters from the glass, half of which had a user’s nameplate above the workstation. The practice leaves the organisations vulnerable to ‘walk-by’ data theft.

The survey showed credential ‘log in’ boxes, emails, what appeared to be corporate database entry screens and numerous ‘documents’ all visible to the naked eye. While detailed information was not captured as part of the study, someone with malicious intentions, time and a zoom lens could potentially piece together the information needed to launch an attack against any of these organisations.

David Liberatore, senior director of technical product management from AppRiver, explains the implications of this revelation, “Historically, if you wanted to rob a bank, you had to physically go into the branch and ‘hold up’ the staff. But with advances in technology, the money moved online and criminals simply followed. As a result, and with the constant evolution of IT security enhancements, many of the virtual ways into these establishments are being systematically sealed with criminals looking for new ways to engineer their attacks and liberate the funds. What better way than collecting freely available information by looking through the physical windows of these businesses.”

One example of how an attack may manifest itself is akin to a ‘confidence trick’. An employee is observed for a period of time, allowing the scammer to glean enough details about the individual’s life to strike up a conversation at an unrelated opportunity (a bar, coffee house, etc.), duping the employee with a sense of familiarity. At the very least, the criminal will know the person’s name and the company they work for, but adding details learned from observed emails, company documents and so on could add weight to the conversation, trick the person into believing there is a relationship and ultimately fool them into disclosing additional information that is then used in a targeted attack. And it doesn’t always mean the organisation is exposed: the employee could be duped into revealing enough information to allow the criminal to steal their identity for fraudulent gain.

Another method is akin to the ‘art of illusion’. The voyeur monitors, and then replicates, the typical emails received and read by the employee (from their design to the companies being dealt with, etc.). The scammer then creates and deploys a targeted spear-phishing campaign to dupe the individual into treating the malicious message as benign and following its instructions. If successful, the results could be catastrophic for the organisation involved. The infamous RSA breach is testament to the power of this type of attack method.

Liberatore concludes, “We know criminals are collecting information from social network sites, such as Facebook and LinkedIn, to launch targeted attacks and this is potentially another avenue for them to exploit. Organisations exposing corporate information through an open window are perhaps more vulnerable than if they had a key logger installed at the back of the device. Many organisations have become so focused on their virtual security, that physical practices are being ignored, and that means the very information they’re trying to protect could be stolen by passers-by. This needs to change.”