Visual hacking: what the threats are and how to protect yourself from prying eyes

Hello, Habr!

My name is Alisa Shevchenko. At 3M, I work in the department of protection against visual hacking, which makes screen films for the visual protection of data. Among other things, I explain to users why carrying secret documents without folders and sending screenshots of internal software is a bad idea. For a long time I have been wondering what percentage of all the high-profile hacks that the media write about start with a visual data leak. During the search I gathered a lot of interesting information: survey results, examples of visual hacking, notions from popular science magazines. I will share the most interesting findings.

By the way, this is now more relevant than ever: statistics say that even before self-isolation employees did little to protect information from prying eyes, and while working from home they have relaxed completely. Meanwhile, a leak of confidential data can have serious consequences, including criminal liability.

Visual Hacking Examples


Today, when jobs are becoming more mobile, traditional means of protection, whether software or hardware, have ceased to be a panacea. If they could ever claim such a role at all.

More and more enterprises allow employees to bring their own gadgets (BYOD) for work. More and more people work with confidential information in insecure places: open-plan offices, cafes, airport lounges, public transport.

Content on a screen is just asking to be viewed or photographed by someone sitting nearby or just passing by, especially now that everyone has a powerful camera in their smartphone.

When someone forgets to shield their screen and printouts from prying eyes, they risk becoming a victim of visual hacking. Such embarrassing incidents happen every now and then:

  • A UK government official was travelling by train, sitting in front of his laptop with sensitive data on the screen. A journalist riding in the same car took a picture of the poor fellow and wrote a story about him in the national media. [2]

  • Through the windows of the St. Petersburg branch of Bank of America, passers-by could see the personal data of the bank's customers. [3]
  • A help desk employee, falling for a fraudster's tricks, provided him with screenshots of the corporate IT system. These screenshots helped the villain reverse-engineer the IT system and hack it. [4]
  • , , 10 ( - ) . , . [5]

  • , , 10. , . . - . [6]

How often do such embarrassing incidents occur? And where do they come from? To understand this, I studied the results of open polls and collected some statistics. As you know, I was interested in data leakage from monitors, so here are the most interesting facts about it.

Nearly 90% of employees are at risk, but only 30% are protected from hacking: extracts from surveys

At least 50% of enterprises allow employees to bring their own gadgets (BYOD) for work. [1] 90% of employees who use BYOD work not only in the office but also on public transport, on the way to work and on the way home [10], spending from 7 to 14 hours a week on this [9]. Most of them are sure that their work is impossible without mobile access to email and instant messengers.

80% of public transport passengers have read from other people's screens at least once; the same picture is observed among customers of cafes and restaurants. 80% of office employees do not rule out that an unauthorized outsider could glimpse confidential information on their screen. 80% of managers are sure that the employees of their enterprise will not bother to protect their screens from being viewed by strangers. [1]

I found such data in open sources. In addition, a separate survey of a business audience was initiated, conducted jointly with the Tecart consulting group. Representatives of 200+ foreign and Russian companies from the financial sector (banks, insurance), consulting, telecom, pharmaceuticals, manufacturing, construction, and trade took part in it. 72% of respondents are senior and middle managers.

It turned out that 86% of employees of any company work with personal or confidential data. 54% work in open-plan offices. 19% go on business trips more than 10 times a year.

Diagram 1. Frequency of business trips, % of the total number of respondents

28% noticed that someone was spying on their screen. About 30% take some action in this regard.

Approximately the same number of respondents (31% of representatives of international companies and 20% of Russian companies) said that their companies paid attention to the issue of security.

Diagram 2. The share of companies that care about the security of corporate devices, in the context of areas of activity

Among the most common measures of visual protection (personal or corporate):

  1. minimizing working windows,
  2. locking the screen,
  3. turning the screen so that outsiders cannot look at it,
  4. separating workplaces in the office (separate office, desk moved away from a window, partition, etc.),
  5. travelling only by corporate transport.

We also found out how many people use protective films. It turned out that only 5% do, even though this is a simple and obvious solution.

We already wrote about protective films 7 years ago in another post on Habré [7], right down to the physics, optics and chemistry behind them, so I won't repeat myself.

From the survey it also became clear which corporate gadgets are most in demand. 72% use laptops, 46% use desktop computers, 40% use smartphones, and 8% use tablets.

How the paranoid protect themselves from visual hacking


When I saw that only 5% used protective films, I began to look for what people generally do to protect against visual hacking. Delving into popular science magazines, I came across an article [8] in IEEE Transactions on Consumer Electronics. An interesting way of protection is described there. I do not want to judge how practical it is, but it was interesting to get acquainted with it. I give a description as a lyrical digression.

Schematically, the protection looks like this:

It has a software part and a hardware part. It keeps track of outsiders (in both the literal and the figurative sense of the word) who glance at your screen. Having noticed a stranger, the protection creates visual effects on the screen (it manipulates brightness and contrast) so that the stranger cannot see what he should not see. With reduced brightness or contrast, only the user can see the contents of the screen.

The hardware part of the device includes three sensors: a video camera, an ultrasonic range finder, and an ambient light sensor. The device works as follows.

It takes frames from the video camera, searches them for pairs of eyes looking at the screen, and counts how many people are doing so. If there is more than one, it adjusts the brightness and contrast of the screen, taking into account how far the user is from the screen and what the ambient lighting is.
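The decision loop described above can be sketched as follows. This is an added example, not code from the cited article [8] or from 3M: it takes eye bounding boxes as already detected, and the pairing bounds, the `Eye` type and the brightness/contrast mapping are all assumptions chosen for illustration.

```python
from dataclasses import dataclass

@dataclass
class Eye:
    x: float  # box centre, pixels
    y: float
    w: float  # box width, pixels

def count_viewers(eyes, min_gap=1.5, max_gap=4.0, max_tilt=0.5):
    """Greedily pair eye detections into viewers. Two eyes form a pair when they
    are similar in size, roughly level and 1.5-4 eye-widths apart (assumed bounds);
    unpaired detections are treated as noise."""
    eyes = sorted(eyes, key=lambda e: e.x)
    used, pairs = set(), 0
    for i, a in enumerate(eyes):
        if i in used:
            continue
        for j in range(i + 1, len(eyes)):
            b = eyes[j]
            size = (a.w + b.w) / 2
            ok = (j not in used
                  and 0.7 <= a.w / b.w <= 1.4
                  and abs(a.y - b.y) <= max_tilt * size
                  and min_gap <= (b.x - a.x) / size <= max_gap)
            if ok:
                used.update((i, j))
                pairs += 1
                break
    return pairs

def screen_settings(viewers, user_cm, ambient_lux):
    """Return (brightness, contrast), each 0..1. The mapping is an assumption."""
    normal = min(1.0, 0.3 + ambient_lux / 1000)  # brighter room, brighter screen
    if viewers <= 1:
        return round(normal, 2), 1.0
    # A user close to the screen can still read a dimmer, flatter image.
    closeness = max(0.0, min(1.0, (90 - user_cm) / 60))  # 30 cm -> 1, 90 cm -> 0
    return (round(normal * (0.6 - 0.3 * closeness), 2),
            round(0.7 - 0.3 * closeness, 2))

# Constructed detections: the user, then the user plus an onlooker further back.
USER = [Eye(300, 200, 40), Eye(400, 200, 40)]
ONLOOKER = [Eye(600, 150, 20), Eye(650, 152, 20)]
NOISE = [Eye(100, 400, 30)]  # lone false positive

if __name__ == "__main__":
    for frame in (USER, USER + NOISE, USER + ONLOOKER):
        n = count_viewers(frame)
        print(n, screen_settings(n, user_cm=50, ambient_lux=300))
```

The size-similarity check is what keeps one of the user's eyes from being paired with an eye of someone standing further back, which would otherwise undercount viewers.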

Five steps to the visual security of your gadgets


Based on the results of the polls, we have prepared recommendations that will help ensure visual security. These recommendations are relevant primarily for managers and employees who regularly travel on business trips or work in an open-plan office, as well as for those who work remotely.

  1. First, find out which of your data is confidential. Classify it according to how critical it is. This step then facilitates the configuration of role-based access to data.
  2. , , . , . . , (, ) .
  3. , . -: ( , ) – , (, Wi-Fi) – .
  4. , . , , .
  5. . , .

These may seem like obvious recommendations, especially the last one. But the survey results and the numerous embarrassing incidents, such as those described at the beginning of the article, make it loud and clear that we still have something to strive for in terms of providing visual security.

Bibliography

1. multimedia.3m.com/mws/media/950026O/secure-white-paper.pdf
2. www.dailymail.co.uk/news/article-1082375/The-zzzzivil-servant-fell-asleep-train-laptop-secrets-view.html
3. multimedia.3m.com/mws/media/950026O/secure-white-paper.pdf
4. www.ey.com/Publication/vwLUAssets/EY_Data_Loss_Prevention
5. www.telegraph.co.uk/news/politics/8731143/Minister-accidentally-reveals-Afghanistan-documents.html
6. www.telegraph.co.uk/news/uknews/5129561/Bob-Quick-resigns-over-terror-blunder.html