Saturday, November 4, 2017

Internal Audits, Lawsuits, and Love Letters

What Comes to the Business Center Computer Stays on the Business Center Computer

Several examples of data left behind on public computers will be shared in this blog. When possible, or when it seemed necessary, I attempted to notify the owners that their data had been at risk. Sensitive content was also deleted from these computers. Typically I deleted all temporary files as well as those left behind in common locations.

Before I continue, I want to make it clear that I am not a hacker. It took no special skills to find the files in the examples used below. If a computer was reasonably well locked down, and some are, I wouldn’t know how to hack into it. The only “special tool” I used that was not on the computers inspected was a hex editor. A hex editor is very useful in determining the true file type of a file that does not have its regular extension.

Please Help

Do any of my readers know how many bags of mints every United Airlines flight leaving St Louis should have onboard? I found a copy of the Trans States Airlines (TSA) August 2009 Bid Quiz on a public computer in a hotel. I have been dying to find the answer to this question ever since.

Tools of Social Engineering

Trans States Airlines is or was a regional carrier for United Airlines. As I was looking through some “temporary” files on a computer in Austin, TX, I came across a “bid quiz” and a PDF containing a training roster that included the names of several flight attendants, what appear to be their employee numbers, dates of training, and training locations. However, I did not find this quiz and PDF in 2009; it was 2012 when I first encountered it, three years on that computer before I removed it.

What comes to the business center computer stays on the business center computer.

The story does not end there. I only had time to review a few of the temporary files at the time so I copied the rest of them onto a thumb drive for later perusal and use as training material.

In 2016 I finally got around to inspecting the files as I was creating a new training presentation. Seven years after the file had been left for dead in that temporary directory it was still relevant. In early 2017 there were at least 5 flight attendants still employed by TSA (not the TSA). At least one or two flight attendants had gone to work for other airlines. Finding the flight attendants was as simple as typing their names into a LinkedIn search box. From 2009 to 2012 the file was publicly available as a weapon of social engineering. Today it may be an even more effective attack tool. Knowing several years of a victim’s past and colleagues can be quite convincing.

“Hey, I remember you. We talked on some flights between St. Louis and, was it IAD? Wow, this brings back memories. Do you know what Jane is up to now? She was such a sweetheart. Last I heard she opened a yoga studio in Australia.” Nice foundation for a confidence scam, except there is a lot more on social media now to build on. I did reach out to TSA. I offered to return their data if they wanted it and I requested the answer to the question about the mints. I received no reply.

Are You Traveling for Business or for Pleasure?

If you are a home user you might want to know what you could be leaving behind on these computers. My favorite finds are Yahoo emails that can be found in the Temporary Internet Files directories. Temporary files from HTML email frequently have names that look like “H2YDZKEU.htm”.

Those files then open in the browser like this

Aside from the fact that the email was sent to me, there were several other email addresses on the “TO:” line. Sometimes the emails indicate a transfer from a work account to a home account. Protecting yourself really isn’t as easy as telling a browser to delete all of the temporary files; at least Internet Explorer doesn’t remove them all. There are several other places to find temporary files on a Windows computer.
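As an added example, not part of the original post, here is a small Python audit script that does the job the hex editor did above for a whole folder: it walks a temp or cache directory and flags files whose leading bytes disagree with their extension, such as a PDF or Office document sitting behind a random “.tmp” name. The signatures, the folder, and the sample files are constructed for the demonstration.

```python
"""Audit a cache folder for leftovers whose content does not match their extension."""
import tempfile
from pathlib import Path
# Leading bytes a hex editor would show; OLE2 = legacy .doc/.xls, PK = .docx/.xlsx/.zip.
SIGNATURES = [
    (b"%PDF-", "pdf"),
    (b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1", "ole2"),
    (b"PK\x03\x04", "zip/ooxml"),
    (b"\xFF\xD8\xFF", "jpeg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
]
# Extensions that legitimately carry each sniffed type.
EXPECTED_EXT = {
    "pdf": {".pdf"}, "ole2": {".doc", ".xls", ".ppt", ".msg"},
    "zip/ooxml": {".zip", ".docx", ".xlsx", ".pptx"},
    "jpeg": {".jpg", ".jpeg"}, "png": {".png"}, "html": {".htm", ".html"},
}

def sniff_type(head: bytes) -> str:
    """Return the content type implied by the first bytes of a file."""
    for magic, kind in SIGNATURES:
        if head.startswith(magic):
            return kind
    if head.lstrip().lower().startswith((b"<!doctype html", b"<html")):
        return "html"
    return "unknown"

def audit_leftovers(root):
    """Return (path, extension, sniffed type, mismatch) for every file under root."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        kind = sniff_type(path.read_bytes()[:32])  # only the header matters
        ext = path.suffix.lower()
        mismatch = kind != "unknown" and ext not in EXPECTED_EXT[kind]
        findings.append((str(path), ext, kind, mismatch))
    return findings

def demo() -> dict:
    """Constructed sample cache (not real data): html mail fragment, hidden PDF, hidden .xls."""
    root = tempfile.mkdtemp(prefix="cache_audit_")
    samples = {
        "H2YDZKEU.htm": b"<!DOCTYPE html><html><body>mail body</body></html>",
        "A1B2C3D4.tmp": b"%PDF-1.4\n%constructed sample\n",
        "Z9Y8X7.dat": b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1" + b"\x00" * 24,
    }
    for name, data in samples.items():
        Path(root, name).write_bytes(data)
    return {Path(p).name: (kind, bad) for p, _, kind, bad in audit_leftovers(root)}
```

Point `audit_leftovers` at a browser cache or `%TEMP%` folder and review every entry flagged `True` before deciding what to wipe.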

I am a Security Professional, I got it

If you are responsible for enterprise IT/security I have some solid advice for you. Pray. Pray really hard. I do not care if you are an atheist, pray! If you play D&D you are already a step ahead of me.

You might want to let the CEO know what things have been found on these computers. We’re not talking about the malware threats. Why let the CEO know? Aside from the fact that the CEO may be an offender, you may need some support to get the funds required to protect proprietary information. I’ll give you a bit of ammo below. Examples relevant to Finance and HR can be found.

An Internal Audit and a Bit More

While dumpster diving on a business center computer I came across an internal audit for a major chain that provides cash advances. I discovered which branch was being audited, the contact at the branch, and the auditor’s findings. While the branch received a satisfactory rating, issues such as a check missing a payee and a missing disclosure were noted.

On the same computer a document concerning a cash advance was also found. The document contained the customer’s name, address, phone number, customer number, and transaction logs.

Yeah, there’s no legal liability there… is there?

A Lawsuit

On one occasion I discovered correspondence between a very large law firm and their client. The client was filing a claim against the Manville Trust. In this case the PDF was sent to the claimant’s Yahoo account, and was also sent via snail mail to the claimant at the hotel he was staying at. I did not include the law office’s logo on the letterhead. It was not the lawyers who opened the doc on the public computers; they employ about two dozen lawyers who could make life hard for me if they were made aware that I exist and they are bored or just mean.

The Love Letter – A Picture Paints a Thousand Words

Olga, the one who opened the email, may not care if the world knows that Kenny is in love with her, but she might not want her email address to be shared. I didn’t email her to find out though.

Not all correspondence is a love letter. One document left behind was titled: “A Letter to Just One of the Other Women”

If the letter (a Word document) had been to Mary, or Sue, or Linda, I would not have redacted the name. The letter was to a woman whose first name is unique. There is only one person with that name on Facebook. The letter was much longer and contained information that corroborated identification. Even with a more common name personal identification may have been possible through correlation of a variety of social networking sites. The document was also probably edited or even composed on the hotel computer. One can speculate that the letter was sent as an attachment and the original was forgotten.

The odds are that you do not have a letter to the other woman, but have you ever composed anything that required discretion or read any such items on a public computer? Perhaps saved them?

Did you ever print out a boarding pass? I could have re-assigned a middle seat to a passenger late last year. His flight didn’t depart for hours! It was a long flight too.

In early 2017 I found a number of items on the computer in an executive lounge at an airport. I came across a financial advisor’s communications in a document that indicated it contained proprietary information and trade secrets.

Typically strategic development plans are not for public consumption. I have only included a small part of this document.

In this case I’m not really sure that the company cared. They never got back to me on Facebook. Also found was an investment firm’s communications with an indicator that the content included proprietary trade secrets. It actually appeared to be boilerplate, but I don’t know.

Amusingly, on the same computer was a PDF with installation instructions for a Chamberlain garage door opener. I left the installation instructions on the computer for the benefit of others who may find them useful.

A few additional examples.

The spreadsheet I found with the names, salaries, and merit raises for faculty at a university in Texas should never have been there. Of course the faculty are woefully underpaid. Teachers need to be appreciated more.

Online banking is like money in the bank.

There was enough information in the HTML file to identify the account owner, where he lived, multiple sources of income, and places he frequented.

Finally, there are always the selfies and the pets. Out of respect for private citizens I have anonymized these pictures.

A Most Gratifying Experience

On one hotel computer I found a spreadsheet with the names of the salespeople, their team leaders, and how much product each had sold. This information belonged to a fairly large company that is the leader in their field. When I contacted the appropriate person, among her first words were “we will begin training immediately?” That is what this is all about.

Understand private and corporate risk, and act accordingly

This blog does not address the malware threats. I will be writing about that on the Quttera blog.

One final word of caution. Should you decide to look for what was left behind on a business center computer, there are some things that you can never un-see…

I warned you.

My blog dealing with the malware risk when using public computers is live at Public Computers and Malware

Randy Abrams
Senior Security Analyst at Quttera Labs
