(I haven’t posted in a while, because I had meant to write a post about the various apps a security professional might want on a Windows Mobile/Pocket PC phone. Aside from other engagements, I’ve just been having too much fun playing with the different programs available for my phone to actually write anything down. It’s very addictive, but I promise you’ll see the fruits of all the tinkering on here soon. Really :) )

Most security-conscious people make use of their operating system’s “Lock Workstation”, “Lock Screen”, or similar locking functionality whenever they need to step away from their computer for a moment. It’s convenient, since all of your programs are still running and sitting there just as you left them, unlike having to start from a clean slate by logging out and back in. Some people may have picked up the habit of using this security feature due to an office culture of pranks (such as humorous wallpapers) pulled on those who leave their computers unattended. If your organization’s policy doesn’t already put a damper on such pranks, it can be an effective way (though not necessarily the best way ;) ) to get people to lock their screens.

One important aspect of screen-locking that people don’t normally consider is the environment in which the screen will be unlocked. If you’re sitting at your desk working on a confidential document and someone walks into your office, you can minimize the document before they see it (if you can’t, rearrange your office!). However, if someone is already in your office, followed you in during a discussion, or is otherwise within viewing range of your screen when you sit down to unlock your session, it becomes a race to minimize the sensitive data once you have unlocked, and the chances of a glimpse are much higher. This is an even more serious issue with laptops, where the situations in which they are locked and unlocked can vary greatly as they are carried around (imagine the worst case of one being unlocked while hooked up to a projector).

So what do you do? You make a habit of hitting the “show desktop” (or equivalent) button to minimize everything before locking your screen. Then, once you unlock, you can selectively restore applications from minimization as the situation allows.
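The habit above can be turned into a single action so that nobody has to remember two keystrokes. The script below is an added example, not from the original post: it minimizes every window and then locks the session. It assumes a Windows desktop session running Windows PowerShell 5.x or PowerShell 7, the `Shell.Application` COM object (the same one Explorer uses for “Show desktop”), and the `LockWorkStation` function exported by user32.dll; the function name `Invoke-MinimizeAndLock` and the `-SettleSeconds` parameter are my own choices.

```powershell
# Added example (not from the original post): minimize all windows, then lock.
# Assumes a Windows desktop session with Windows PowerShell 5.x or PowerShell 7.

# P/Invoke declaration for user32!LockWorkStation (the API behind Win+L).
# Returns $true on success, $false if the call failed (for example, when run
# from a session with no interactive desktop).
Add-Type -Namespace Win32 -Name User32 -MemberDefinition @'
[DllImport("user32.dll", SetLastError = true)]
public static extern bool LockWorkStation();
'@

function Invoke-MinimizeAndLock {
    [CmdletBinding()]
    param(
        # Seconds to wait after minimizing so the desktop is actually visible
        # before the lock screen appears; the minimize animation is not instant.
        [int]$SettleSeconds = 1
    )

    # Shell.Application.MinimizeAll is the COM equivalent of "Show desktop".
    $shell = New-Object -ComObject Shell.Application
    $shell.MinimizeAll()

    Start-Sleep -Seconds $SettleSeconds

    # Lock only after the windows are out of sight. If locking fails, say so
    # loudly rather than silently leaving the session open.
    if (-not [Win32.User32]::LockWorkStation()) {
        throw "LockWorkStation failed (Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error()))"
    }
}

Invoke-MinimizeAndLock
```

Save it as a `.ps1` file and point a desktop shortcut (with a shortcut key assigned) at `powershell.exe -File <path>`, or bind it to a spare keyboard key, so that one press replaces Win+D followed by Win+L. Two caveats: windows flagged always-on-top or owned by another desktop may not respond to `MinimizeAll`, so the lock step still happens regardless of what remains visible, and the script only helps if it is actually used instead of the bare lock shortcut.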

As the title advertises, it’s a little thing. However, it takes almost no time, it’s easy to explain to your users, and it can prevent some cases of accidental disclosure.


I’ve neglected this blog a little bit for the past few days while I’ve been playing with my new toy (a Cingular 8125, basically a re-branded HTC Wizard). I should be back soon, with a neat post or two about the sort of tools a security geek might want on his or her Windows Mobile phone. I’ve had a lot of fun with it so far.

To tide you over until then, I ran across this post, by HD Moore, on the Full-Disclosure list today:

[Full-disclosure] You shady bastards.

This is interesting for a couple of reasons. One, it gets you thinking about the potential value ex-employee email addresses have to a company. The temptation to continue monitoring incoming mail on these addresses is high. Is it legal? As you can tell from the discussion already on the list, it all depends on the agreements the employee has signed. Pretty soon you’ll start seeing post-employment clauses in consent-to-monitoring agreements, if you haven’t already.

Another reason this is interesting is that HDM pulled a neat, low-tech trick to verify that someone was reading mail sent to the address he was writing to. I’ve done this before, and it works fairly well :) . In a way it’s similar to the phish-baiting techniques I’ve written about before on here. It’s something you can add to your bag of tricks (it also works well for other protocols: IM, IRC, etc.), and it’s something to keep in mind when someone gives you a link in a situation like this.

© 2012 McGrew Security