Conference OpSec Fail

General Jul 1, 2019

As conference season rolls on, there is no shortage of lessons to be learned from reflecting on speakers' presentations, networking with attendees, and seeing shenanigans. During the most recent security conference I attended, I saw something particularly concerning and wanted to discuss what I saw.

Because I got tied up with networking in the lobby area, I walked into one of the presenting tracks shortly after it started. I promptly grabbed a seat in the back row so as not to disturb other attendees or the ongoing recording of the talks. It is not uncommon for people to use a notebook or computer to jot down notes, write down questions, or communicate with others during a talk. I saw one attendee in front of me sitting with his computer screen open, and what followed was very concerning.

The following illustrates what information was exposed to any wandering eyes curious enough to glance at the screen:

  1. Slack was open, and the workspace had a company logo.
  2. The logo matched the privacy shutter covering the webcam.
  3. The user navigated to Gmail, which was also company-branded with the logo and exposed the actual name of the user's employer.
  4. The email being reviewed was a security alert for a malware-infected host belonging to one of their clients.
  5. I could see the affected hostname, the name of the malware triggering the alert, and the customer name.
  6. I then watched a query in the Endgame EDR (endpoint detection and response) platform to review host information.
  7. Finally, the Slack workspace exposed all of the rooms the user had access to, the people currently talking in those rooms, and the individuals he had privately messaged.

While I can appreciate the struggle of working in a SOC, let alone one that is transitioning from regular work hours to 24/7 while understaffed, there is hardly an excuse for conducting IR activity during a conference, in a speaking track. Not only was the analyst completely oblivious to their surroundings, but no precautions were taken to protect the screen, whether a privacy filter or any of a number of other steps that would have protected the data. Alternatives he could have taken include quietly stepping out to find a private location to conduct IR, or sitting in the back of the room against the wall so that no one could shoulder surf.

There are many great reasons to attend a security conference. The opportunity to learn from onsite training, to be inspired by presenters, and to network with other attendees and vendors grants valuable connections. You can also learn from others' mistakes: don't test the wrath of the live demo gods, and be aware of your surroundings, because you never know who might be looking over your shoulder.

I happen to be not only familiar with the company the user was an employee of, but also know the client whose information was on screen. I confirmed the attendee was an employee and was able to provide all of the information that was inadvertently exposed, not only to me but possibly to others. Hopefully they can allow their analysts to attend conferences without having to work, and if they must work, provide them with the tools and guidance to protect their company and customer data from wandering eyes.