Shoulder surfing is a technique that is commonly used by hackers. Their thinking is why spend hours, days or weeks trying to hack into a system from outside when many times they can get information by just being observant.
Shoulder surfing is watching someone use their computer from “over their shoulder”. Many times you can catch sensitive information and passwords by watching a computer user. You don’t need to sneak into a building to do this either, people are very careless at Wi-Fi hot spots, libraries, airplanes, air port lounges, etc. Johnny Long covers many of these topics in his “No Tech Hacking” book.
In his book he shows pages of pictures that he was able to take of people using their computers. He was also able to take videos of people using their PCs, all without them noticing. Johnny did red team penetration tests on government systems. Many of these pictures he took of government type workers were at public locations.
When I did network field support you would not believe the things that I saw. Many times people would write their password on a piece of paper and tape it to the monitor or under their keyboard. Or worse yet, they would just walk away from their computer and leave it logged in. If the person wasn’t at their keyboard, or out sick, and I needed to work on their system, co-workers knew the password of the missing person.
Many times doing support at large companies, as an outside contractor, you need to go to users pc to check settings. When walking into their office and saying I needed to use their computer and needed their password, only twice in 15 years did people challenge me to see who I was, what company I was from and who internally I was working with. Usually the response was, “no problem, have at it, I’ll go get some coffee”.
One time this was at a bank (once!) and one time was just a random salesman in a manufacturing company. I was actually stunned about the salesman, no one else at that company ever did that, I was very impressed.
So, how do you defend against these types of attacks? Don’t use corporate laptops in public places. If you need to, makes sure it is not plastered with company logos, your business card or your password. Sit with your back against a wall to hinder shoulder surfers. Also, make sure YOU are not wearing your company badge or a company shirt, hat etc. Just a heads up, hackers can usually get your company name, and your name from your badge. By going to your company website and looking at contact e-mail addresses, they can deduce your login name.
Don’t leave your password out for all to see. Also, companies may want to think twice about ID stickers that tell the world the IP address and name of company equipment. If you need to walk away from your PC for any reason, hit the Windows key and “L”, this will lock your workstation and require a password to unlock it. It will resume where you left off after putting in your password.
If you do not know the person, do not give them your password. Do not give your password out over the phone or e-mail. Yes, the IT person may be a little flustered waiting while you call the IT department to verify their ID, but it is much safer than just accepting by blind faith that they are who they claim to be.
In the recent Air Force phishing test, users were more than willing to hand over their personal credentials to an unknown website. Companies need to be active in preaching computer security safety. We are all responsible for securing our part of this country’s digital borders.