Spies in the Skies
Am I nosy or am I just an investigator? When I notice an interesting piece of information or catch a glimpse of something out of the ordinary my brain can’t help but go into overdrive and want to figure out the whole story.
As Cybersecurity Awareness Month comes to a close, I can’t help but feel like this situation was presented to me by some cyber deity to provide a real world case study on what not to do to protect your privacy and security, and to serve as a reminder to practice good cybersecurity hygiene both in and out of the office.
On the way back from a recent work trip to San Diego I ended up in the very last row of the plane thanks to changing my flight at the last minute. While I was prepared for the lack of legroom, no reclining seat and constant traffic from flight attendants and passengers queuing up for the lavatory, I wasn't prepared for what I noticed while trying to take in the sights out the window across the aisle from me. A woman in her late 30s to early 40s, first mistaken by me as an off-duty flight attendant on a return flight from her plain but freshly pressed black skirt and suit jacket, had her laptop open on her tray table. What immediately caught my attention was that she, like myself, was an apparent fan of “dark mode,” and whatever software she was using had largely inverted her display from the normal black text on a white screen to white text on a black screen. When your job entails staring at a monitor for the majority of your day, anything to take a bit of strain off the eyes is a welcome feature and for me dark mode accomplishes that. The second noteworthy item on display was that she was drafting an email in ProtonMail, a privacy-focused and encrypted email provider that is popular among information security professionals, hackers and criminals and anyone who simply takes their online privacy and security hygiene seriously.
I was immediately intrigued by the possibilities of who this woman might be. Was she an Anonymous hacktivist trying to right the world’s wrongs from behind a keyboard? A security researcher for one of the big Bay Area tech companies? A fellow investigator with a focus on open source and cybersecurity? The answer was no, but I only know that for sure because of the insight into her life that the majority of the four-and-a-half hour flight provided me. While she might have taken some precautions toward protecting her online privacy and security via her choice of email provider, her real-world situational awareness really needed some work.
Almost as quickly as I saw ProtonMail flash on her screen she switched to another application. This time, as if on display for the flight attendants preparing for beverage service and the gentleman exiting the lavatory, up pops her personal Quicken accounting software. The next piece of information shook me more than the turbulence we were passing through and had me questioning every life choice I had made up to that very moment. “Net Worth $9,852,674.20.”
Yes, you and I both read that right. $9 million net worth. Why was she sitting in the very last row of economy class with me? Was she self-made and exceptionally frugal, having built that wealth from a series of very smart investments? Was her $9 million tied up in investments, leaving very little in the way of liquid assets? Was she returning from an estate attorney’s office having just found out that her long-lost uncle left her $9,850,000? My mind was spinning.
Fortunately, or unfortunately, not only did that startling number appear on screen, but because of poor situational awareness, perhaps being caught up in the moment or not realizing that anyone could potentially catch a view of her screen, a plethora of other information appeared. This data was prominent enough that anyone sitting next to her or standing behind her would have had a front row seat to:
B*****@protonmail.com
D**
Bill L*****
David C******
S*******
1215 ******** *** Short Term Rental *******
C***** Investments
7** ***** Investments LLC
H*******
D****** ******** **************
These (redacted) pieces of information were enough for me to identify who the mysterious woman across the aisle was, two of her email addresses, who the email being drafted was to, what it was about, other investment vehicles owned and operated by the woman, her husband’s name and her daughter’s name all from social media, news articles and other pieces of open-source information.
The amount of information available on the internet for all of us is simply astounding. If a bad actor were sitting in my seat on the plane, this mystery woman might become the target of phishing/whaling attacks, SMSishing, SIM swapping, identity theft or potentially worse given what someone could learn from 10 minutes of Google searching after taking notice of her screen.
One simple solution to this problem would be a privacy screen protector that would prevent prying eyes, more nefarious than mine, from being able to gather someone’s intimate personal and financial details while waiting for the airplane lavatory.
Perhaps even more risky than having her personal information on display for the other 180+ passengers on this 737-800 was that she connected to the premium in-flight WiFi, seemingly without a VPN solution - ProtonVPN, sister product to ProtonMail, perhaps. This meant that if a bad actor or I had brought my DEF CON-impulse buy-WiFi Pineapple then I could spoof the airline WiFi’s SSID address and intercept data from the woman or anyone trying to connect.
Hopefully this story serves as a display not only of my occasionally uncontrollable need to investigate, but a warning that if you must conduct sensitive personal or business computing in public it’s best to take at least a few basic steps to safeguard your information from overzealous investigators or more nefarious bad actors.
