Shoulder Surfing – CompTIA Security+ SY0-401: 3.3

September 9, 2014


What could be easier to social engineer than a shoulder surf? In this video, you’ll learn about shoulder surfing and some methods to protect yourself against this tactic.



From a social engineering perspective, shoulder surfing is exceptionally easy to do. The reason someone wants to look over your shoulder at your laptop or tablet is that you have access to valuable information. You may have sales figures in a spreadsheet. You may be looking at internal company details.

And there is always somebody else out there, a competitor or somebody who can sell to a competitor, who would like to learn more about what you are doing. The attack itself requires no tools and no technical skill, and it can be carried out in almost any location.

You may be in a coffee shop. You may be at an airport. You may be on a flight. You may be somewhere where your machine is just open and available.

I’ve seen people get up from a coffee shop and walk and grab a coffee, look at something else inside of the coffee shop, and leave their computer unattended with the information right there on their screen. They were working on a spreadsheet, they were working on sales information. They don’t know who I am. I may be a competitor of theirs and yet, they left that machine now unattended.

You can also shoulder surf from afar. There are people who will rent a room in the building next door, bring high-powered binoculars or a telescope, and watch what is happening on screens through the windows.

Cameras extend the reach even further. A webcam, whether one the attacker placed to point at a desk or one already installed in the office that the attacker has compromised, can show a screen, a keyboard or a whiteboard continuously without anyone standing nearby. Any plan to stop shoulder surfing has to consider these remote vantage points, not just the person sitting next to you.

So how do you prevent this? How can you keep somebody from seeing what is on your screen? One way is simply to be aware of what you are doing and where you are.

If you are in an environment where other people can see your screen, this is probably not the time to bring up that confidential spreadsheet or that confidential PowerPoint presentation. You can also add hardware to the computer itself, such as a privacy filter that fits over the display.

Probably the biggest manufacturer of these is 3M, and they work remarkably well. I was on a flight, literally, sitting next to somebody. I’m in coach so I’m really right next to somebody. And I’m watching him work on his computer.

And I’m thinking he’s a little bit crazy, because I see his computer screen and it’s completely black. I could not see a thing of what he was doing on his computer, and I was sitting right next to him. These filters are designed so that the screen is readable only when you look at it straight on.

Viewed from an angle, the screen goes dark, and the people sitting next to you have no idea what you are doing. It is a very effective way to protect yourself in those kinds of environments.

You should also make sure your desk is not positioned so that your monitor is visible to others. Avoid working where people walking by can see what you are doing. This is a major concern for organizations that handle financial or medical information, which must always stay private.

And perhaps the best thing I can tell you is: just don’t sit in front of me on a flight. It’s so hard not to see what somebody’s doing on their screen. It’s difficult not to see what’s happening there. It’s right in front of you.

Maybe you should just pull up your Angry Birds, pull up solitaire, and do something else if you know you’re going to be on a flight with other people around you who could be shoulder surfing.


Category: CompTIA Security+ SY0-401
