Your Op-Sec Sucks (and so does mine)

A couple weeks back, I was on a flight leaving San Jose on a Friday morning. The flight left before dawn, filled to the brim with business travelers wanting to escape the Bay Area before a 3-day weekend.

I had my typical seat on an aisle in the second row of economy. My employer doesn’t let lowly managers book business class or first class, so I’m stuck in the back of the plane with the rest of the rabble. Fortunately, due to flying 100,000 miles per year, I’m in the front of the back. Next to me, in the middle seat, was a man about my age. He smiled and nodded as I sat down, but otherwise made no attempt to communicate. At 5:45 AM, this is a blessing.

As we crossed through 10,000 feet, the flight attendants let us know that we were free to use our computers. My seat-mate promptly pulled out his trusty Dell 17” laptop (with the extra 10-key) and connected to the airplane wi-fi. Pretty soon, his elbows started poking into my sides as he moved the mouse and typed. I tried to shift my position, but it did no good. So, I put on my headphones, pulled my hoodie up, put on my sunglasses, and pretended to sleep.

What I actually did was watch everything he typed. I quickly learned his name (Roger) and his employer [redacted]. I learned that he was the CMO of a 2,000 person company located in Dallas, with offices in 10 cities worldwide. I watched as he had a conversation over the LinkedIn chat system with a person they were planning to offer a director-level position to. I know what they were planning to pay him ($220,000 plus 25% performance bonus). I know the person currently holding this position is going to be surprised when they replace him.

Roger was using Outlook (not OWA) on his Dell and was not using a VPN. He pulled files from their SharePoint and worked on confidential slides for an upcoming board meeting.

This is not an isolated incident. It happens nearly every time I fly to some extent or another. I’m not nosy by nature, but when you’re stuck in a metal tube for hours on end, you need some entertainment besides the 3 episodes of Narcos downloaded on a tablet.

In December, I had an almost identical experience. Alex was sitting in coach, which annoyed him to no end. He had a class ring (2005, Texas A&M) and another from his military service. He was fit, smartly dressed, and used a Macbook Air. Every time a flight attendant walked past and moved the curtain to first class, he was visibly annoyed because the curtain touched his shoes. Each time, he would demonstratively move the curtain off his shoes, rather than moving his feet. When I put my arm on the armrest, he asked (with all the vitriol you can imagine) “Do you mind?”

Alex is a Regional Sales director for a company in Dallas in the cloud business. They have a project going with one of the most well-known companies in the world and the results of this project will have an impact on their revenues. The roll-out was failing and the big company was about to make a very public withdrawal. The panic was noticeable as he chatted with his sales reps and the VP of engineering over Slack. Again, I made note of the names as I pretended to sleep.

This time, I did not consider telling him of his op-sec failures, because, quite honestly, I hate to see a prick like that succeed. Sorry (not sorry).

Who’s at fault here? These guys are sales/marketing people and not security pros. However, they were both working for technology companies and we’re long past the point where anyone with a financial interest in a company can play dumb when it comes to security. The fault, though, lies with the CISO that let them into the open world without drilling op-sec into their brains.

In a way, I have my own failures, but it’s not letting people read over my shoulder on an airplane. I have a $35 3M privacy screen on my laptop and it only comes off if I want the person to read over my shoulder.