The threat of shoulder surfing should not be underestimated

13.01.2016
Author note: This article does not intend to personally criticize the author in question. However, it will criticize the ideas and beliefs expressed in the column. It is also important to note that the word "ignorant," defined as unknowing, is used frequently in this article. I believe the lack of understanding on the subject expressed in the column in question serves as a great lesson in the need for awareness of many physical security concerns, as well as of the history of hacking.

Normally when I see a column I don’t agree with, I let it go. Highlighting something, whether for good or bad, brings more attention to it. However, I recently read an article criticizing security terms and tools in a way that trivializes significant security concerns. I believe it deserves to be set straight.

While the column, Visual hacking is not hacking, was listed as an opinion piece, as is this article, it can be considered a dangerous opinion if it ever gets traction. At the same time, the ignorance (defined as unknowing) serves to identify a critical area to consider regarding security and security awareness.

The column in question criticizes 3M’s use of the term “Visual Hacking,” which for lack of a better term is shoulder surfing. This is where you look at a computer or monitor, over someone’s shoulder, and watch what the person types, such as their passwords, or what is on their screen. There are incredibly naïve statements that if you are in the workplace, looking over someone’s shoulder is collaboration and teamwork. The column also says that only creepy people will look at your iPad while you are in the elevator, and that you shouldn’t be using your iPad in an elevator.

Let’s first examine the column's criticism of the term “hack.” There is a fundamental misunderstanding of security. The article implies that the term is a computer term that has now been bastardized for non-computer related issues, such as “life hacks.” As a person who has been in the security field for decades, I’ve observed that there is a gross lack of knowledge of the history of the hacking field.

The term “hack” was coined long before computers, and for computer purposes seems to have originated at MIT, where computer hacking was iconic. Hacking is defined as a clever, benign, and ethical prank. The computer field essentially hijacked the term, as early “hackers” did so to bypass controls to make the computer more useful, or to overcome the lack of documentation. Claiming the term originated to define breaking into computers displays ignorance of the field. Hack has also been used as an expression in countless other settings, including golf, taxis, chopping, and horses, all of which can possibly lay claim to the origination of the term hack with regard to computers.

The column also claims that true hackers only focus on hacking computers. Well, there is the Defcon Capture the Flag contest, which focuses on social engineering, which is not hacking per that definition. Also, having presented on social engineering and other non-technical hacks at Black Hat on multiple occasions, I can say that non-technical attacks are of interest to the “real live hackers.”

The article gets dangerous by trivializing the importance of screen protectors to prevent “visual hacking”, while promoting shoulder surfing as a tool of teamwork and collaboration.

I prefer the use of shoulder surfing over visual hacking; however, whatever it is called, it is a highly critical issue for security practitioners. First, let’s examine the straightforward claim of teamwork and collaboration. The column assumes that everyone inside a company is entitled to see all information inside the company. Anyone who has been in a modern office environment knows that there is little privacy. While some people might have data that is OK for the entire organization to know, there are visitors that can go through the facility. There are many areas where information should be restricted, such as accounting, human resources, engineering, legal, sales, customer data, vendor data, and any area where there is intellectual property of any note. There are also many areas where information is legally restricted from distribution. I really wonder what environment wants free collaboration.

Then I am bewildered by the comment about the odds that, “the dude next to us gives a rat’s behind about what is on our screen.” This is just gross ignorance. It is a major awareness and security concern for people traveling with sensitive information, and in some cases organizations are legally required to protect the information.

Let’s be clear about the comments being made; the article contends that being concerned about shoulder surfing is ridiculous and is easy to take care of by shouting, “teacher, he’s copying me!” (that is a direct quote from the column). There is of course the ignorance of not realizing that a person may not know when someone is actually looking over their shoulder.

Shoulder surfing is a serious issue, and has legal implications as well. Despite the column appearing in CIO magazine, where the “I” stands for “Information” and not computers, it fails to understand that companies have to protect information in all of its forms, and not just the underlying technology of computers. A “hacker” doesn’t care if they get the information by compromising computer technology, stealing a laptop from a car, or looking over someone’s shoulder at their computer on an airplane. More importantly, there are more than just “real live hackers” in Las Vegas; there are criminals, competitors, malicious insiders, and even the “creepers” that he refers to as well.

A “real live security professional” knows that they have to protect information in all of its forms. They know that laptops frequently outnumber desktops. They know that they have to secure mobile workforces. They know that there are frequently computer monitors in public spaces, where you want to limit the observability of information available on computer screens, notwithstanding medical offices, security desks, any computer with personally identifiable information, etc.

While this article is not intended as an endorsement of 3M privacy filters, these serve a critical role in securing corporate information. I began writing this article to stress that shoulder surfing is a critical physical security concern that security programs should address with a combination of increased awareness of the concern and other protections, such as 3M privacy filters. I grew more horrified by the lack of security awareness the more I read.

And for the record, training your users to yell, “teacher, he’s cheating off me,” is not enough. Users need to know that shoulder surfing is a serious concern, and companies need to also take other precautions, like investing in privacy filters, to secure users further. Awareness needs to be proactive, as should the other countermeasures you put in place.

Ira Winkler, CISSP can be reached through his company Secure Mentem at www.securementem.com

(www.csoonline.com)

Ira Winkler