T 5.104 Espionage
In addition to the large number of technically complex attacks, there are often much simpler methods for obtaining valuable information. Since sensitive data is not adequately protected in many cases, it is possible to obtain this data using visual, acoustic, or electronic methods.
Examples:
- Most IT systems are protected against unauthorised use by identification and authentication mechanisms, for example in the form of user ID and password verification. However, if the passwords are transmitted over the cables in unencrypted form, an attacker may be able to read them.
- In order to be able to withdraw money from an automatic cash dispenser using an EC or credit card, the user must enter the correct PIN. Unfortunately, the privacy protection offered by these machines is often inadequate, and an attacker can watch customers entering their PINs simply by looking over their shoulder. If the attacker is then able to steal the card later on, he can use it to raid the account. The customer then has the additional problem of trying to prove that he did not handle his PIN negligently, i.e. that he did not write it down on the back of the card.
- In order to obtain access rights to a user PC or to otherwise manipulate the PC, an attacker could send the user an email containing a Trojan horse disguised as a supposedly useful program. Experience shows that, in spite of all warnings to the contrary, users will still open email attachments even if they did not expect to receive an attachment or the attachment bears an unusual name. In addition to causing direct damage, Trojan horses may also be used to collect information on the individual computer, and possibly even on the local network. In fact, the goal of many Trojan horses is to obtain passwords or other access data.
- In many offices, the workplaces are not properly protected to prevent people nearby from listening in on conversations. As a result, colleagues as well as visitors may overhear conversations and obtain information that was not intended for their ears or is even confidential.