The Helsinki summit between US President Donald Trump and Russian leader Vladimir Putin this month was a global event attended by hundreds of members of the press, all eager to tell the world about the surreal events taking place in front of them.
Funny thing about Helsinki: it’s also the home of Finnish cybersecurity conglomerate F-Secure. Sean Sullivan, F-Secure’s security advisor, was in attendance, and as laid out in a new blog post from the company, he spotted some pretty abysmal security practices.
According to Sullivan, many reporters left their laptops unattended and unlocked while they went elsewhere — presumably to use the toilet, or grab a coffee. Security 101, guys. Don’t do that.
Sullivan wrote that they’d tilt the lid to a 45-degree angle, in order to prevent their machines from sleeping and to deter passersby from jumping on, but make no mistake, it’d be trivial for an attacker to gain access.
“Our consultants plus a USB device plus thirty seconds would equal a compromised machine,” Sean said.
That’s bad for a lot of reasons. Firstly, it’d present the opportunity for someone — say, a member of the security services — to dig into the reporter’s files, and find out who their sources are. If you care about protecting your sources, this isn’t ideal.
But it also presents the opportunity for someone to publish an article or Tweet under the reporter’s byline or name, or to edit an existing article with disinformation.
(Mental note: next time I’m at TNW’s Amsterdam office, jump onto editor Alejandro Tauber’s computer and publish the Unabomber manifesto from his WordPress account.)
Sullivan saw some other shonky security practices, noticing that many computers and phones identified their owners by name, making it easier for an adversary to launch a targeted attack against a particular reporter or publication.
Many devices had Bluetooth open, which he describes as “potentially an open door into your PC.” Unlike a USB port, however, Bluetooth opens the potential for wireless attacks.
In the run-up to the event, F-Secure offered free OPSEC advice for journalists in attendance. The proof is in the pudding, and from what Sullivan found, it’s clear that not many took it up on the offer.