Stupid user tricks

Sometimes, even good policies don't help when your vulnerability is your users

It wasn't exactly the usual scene at the security checkpoint at Washington Dulles International Airport. For one thing, the sparse crowds made the soaring terminal look larger than usual. For another, the Transportation Security Administration staff was being professional and polite. Apparently they were taking their customer-service classes seriously.

One thing that hadn't changed, however, was the wait by the X-ray machine's conveyor belt while a TSA staffer used her wand to detect anything nefarious in our laptop computers. For some reason, alarms never went off over computers containing Microsoft Outlook, despite its hazards.

I was in line with a few other business travelers, waiting for our laptops to be scanned, when I glanced down at the computer belonging to the man following me in line.

It was your usual Dell notebook, but what was remarkable were the notes stuck to the laptop case. On a piece of paper (apparently torn from a yellow legal pad) was the word "Computer:" followed by a name. The paper was taped to the outside of the computer just above another one. That one said "Server:" followed by a different word. A third note said "Dial in:" and included a phone number and a password.

I looked at the man who owned the computer. The polyester suit would have given away his status as a federal employee if I hadn't seen his agency security badge hanging around his neck in plain view. He looked at me as we waited. "This security stuff is sure a pain," he said. I thought about agreeing, but I wasn't sure whether he was referring to the wait by the X-ray machine or the requirement that he remember passwords.

A few weeks earlier I had stopped in at the Red Carpet Club to check e-mail before a trip to Las Vegas. On the desk I saw a piece of hotel stationery. Written on it were complete, detailed log-in instructions — including phone numbers, passwords, prompts to expect, and even the name of the directory that the note's author was supposed to access. I briefly thought about calling the company involved, but I only had a few minutes, so I tore up the note and tossed the remains.

Two incidents, two significant breaches of computer security, one International airport. I wondered how often such information fell into the hands of the wrong person.

I realize there's little that can be done to prevent all security leaks such as these, especially when the common variable is user stupidity. You can reduce the exposure, however. Actively check computers in your company for things such as notes with passwords. Take action when you find breaches, either by educating the employee in question, or if necessary, eliminating his or her access to sensitive data.

But most of all, pay attention to what those users are doing. Most of them have exhibited carelessness in the past and all you need to do to prevent it is know about it.