RSA 2011: RSA delegate security blunder exposed

After discovering, in one of the hotels near the RSA conference centre in San Francisco, a crumpled Post-It note with BlackBerry log-on details written on it, Ducklin said that, even though the note does not record the name of the person whose BlackBerry Enterprise Server (BES) connection it relates to, it is fairly easy to research and work out which BES the user credentials belong to.

"So often you can tie discarded data fragments - such as the pictured PostIt [note] - back to a company, and in many cases, to an individual. It's not even rude if you're caught trying to make out someone's nametag across the lobby. That's what nametags are for, after all", he said in his latest security blog posting.

Making that sort of connection converts raw data into personally identifiable information (PII) which, he says, really needs to be kept private.

According to Ducklin, the moral of this BES credential giveaway story is clear: don't allow yourself to fall into bad data leakage habits whilst you're on the road.

"Data doesn't just leak from electronic devices such as laptops and phones. Hastily scribbled notes, memos to yourself and carelessly discarded invoices and tickets can help identity thieves to accumulate PII which they can abuse or sell on at a later stage", he explained.

The Sophos ANZ head of technology went on to say that, if you're a sysadmin, you should not fall into the habit of choosing trivial passwords because they're easier to read out to users when they're on the road.

"As an aside, teach yourself and your fellow administrators the NATO Phonetic Alphabet and you'll find it much easier to describe arcane command lines and to read out complex passwords", he said.

"The password in the pictured example is especially amusing", he added, since it brings a whole new excitement to the concept of a dictionary attack: 'a' is always the very first entry in any dictionary of the English language.