Leaky Hotel LANs – Why Firewalls (properly configured ones) are Absolutely Critical

David Strom tells us why hotel networks are sieves for leaking data and why you simply MUST be careful.
From David Strom’s Web Informant – My very first column for PC Week back in 1988 was called The Practical Networker, and the first topic was about hotel connection problems.
Back then, we just had to take apart the phones in our rooms to gain
access to the little red and green wires to hook up our modems.
Sometimes it required surgical skills for those hard-wired phones.
Those days seem so quaint now.
Today we have a much more difficult problem, that of insecure and
leaky hotel networks. Most hotels don’t really spend the time and
energy to lock down their networks, and most business travelers don’t
spend the time and energy to lock down their computers. The result is
a boon for any corporate spy that has a laptop and minimal skills. Go
to any center city convention hotel today and within minutes you can
collect PowerPoints, secret documents, and business plans on just
about any industrial topic. And you don’t need any skill, other than
showing up at the right time and place.
The problem is several-fold. First, hotels typically don’t segment
their guest LANs – meaning that everyone in the hotel is on the same
segment, has the same access, and can see anything across the entire
network. This is true for wired and wireless access. Obviously, if a
wireless user can sit in the parking lot of the hotel and gain access
to the entire hotel LAN, this is even more trouble waiting to happen.
The best situation is to have every single guest on a separate virtual
LAN so they can’t see anyone else’s traffic. This requires them to use
more expensive switching hardware, of course.
Second, many hotels don’t understand their Internet connectivity, and
provide little beyond the kind of consumer-grade access that you and I
use from our homes. Some even have little or no protection on their
Internet connection, as unbelievable as that sounds. There was one
hotel I remember vividly in San Diego that had no firewall between its
network and the Internet. None, nada. I was attending a conference
there during one of the virus outbreaks, and sure enough, a lot of
people got infected on Monday morning before they came down for their
sessions. In some cases, hotels will give you a public IP address so
that you can get out and use your VPN connection. Under these
circumstances, these public IPs are >really< public, you know what I mean? Some of the Internet providers also don't understand security, and don't do anything to protect their customers either. We'll get back to this in a moment.
Third, most laptop travelers don't use personal firewalls, still. And if they do use them, they don't have their configurations set up properly to mask themselves from curious guests who know how to bring up Windows Network Neighborhood and surf around for open file shares. I recently did a demo with a vendor who was sitting in a hotel parking lot somewhere in Salt Lake City. In a minute or two, we were looking at the open file shares on a dozen or more users, all of whom were completely exposed. We were browsing one person's extensive music collection in a few mouse clicks. Lucky for him, our tastes weren't similar. (Just kidding.)
Finally, there is the whole wireless issue that just makes things even more insecure. There are hotspots called "evil twins" that are just traps run by clever people that use common names and are set up for the unsuspecting traveler to log in to – I have begun noticing these traps more and more when I bring up my laptop. And let's not even get into how poor wireless security can be.
How prevalent is all of this? Two colleagues, Lisa Phifer and Craig Mathias, traveled around the northeast and tested 24 hotels this past summer. They found trouble almost everywhere they went. Just one in four sites could prevent wireless eavesdropping and block all notebook probes. You can download their report here.
But here are a few choice tidbits.
“Hotels can thus be excellent venues for those interested in stealing
confidential data from business travelers. Users may assume they are
insulated from outsiders, but really have no idea whether any firewall
lies between their notebook and the Internet. Business travelers
willing to connect to any network that offers ‘free Internet access’
are especially vulnerable to such attacks – it is literally impossible
to tell the good from the bad in this case.”
“Hotspot users might be unpleasantly surprised to discover they are reachable
from the Internet [when they choose public IP addresses]. We expected
paid networks would protect users from each other or Internet attacks
more often than free hotspots, but this was not the case. Several free
hotspots had noteworthy exposures, but so did paid networks,
including the most expensive sites.”
The only two Internet providers that passed all their security tests
were I-Bahn and T-Mobile. They segregate traffic by user and prevent
people from inadvertently sharing their connection. The others,
including Guest-Tek, Passsym, Starwood, TurboNet, StayOnline, and
Wayport, all had security problems.
So, spend some time today making sure your own laptop is properly
configured. By all means, if you don’t have a personal firewall on it,
now is the time to download one. ZoneAlarm is what I use on Windows
and it works very well. And the next time you travel, you now have
some additional options for in-room entertainment that are absolutely
free of charge.
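One way to check your own laptop before joining a hotel network, as an added example that is not part of the original column: the script below reads `netstat -an` output and lists the Windows file-sharing sockets bound to addresses that other guests on the same LAN could reach. The sample output, addresses and function name are constructed for illustration.

```python
import ipaddress
import re

# Ports behind Windows file sharing and Network Neighborhood browsing.
SHARE_PORTS = {("TCP", 139), ("TCP", 445), ("UDP", 137), ("UDP", 138)}

# Constructed sample of `netstat -an` output from a Windows laptop (not real data).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:5354         0.0.0.0:0              LISTENING
  TCP    192.168.1.23:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.23:50211     203.0.113.10:443       ESTABLISHED
  TCP    [::]:445               [::]:0                 LISTENING
  UDP    0.0.0.0:137            *:*
  UDP    192.168.1.23:138       *:*
"""

# proto, local address, local port, foreign address, optional state (UDP has none)
LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def exposed_share_listeners(netstat_text):
    """Return sorted (proto, address, port) tuples for file-sharing sockets
    bound to an address that is not loopback-only."""
    found = set()
    for line in netstat_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # header or blank line
        proto, addr, port, _foreign, state = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue  # only listening TCP sockets accept inbound connections
        if (proto, int(port)) not in SHARE_PORTS:
            continue
        # Strip IPv6 brackets and any %scope suffix before parsing.
        ip = ipaddress.ip_address(addr.strip("[]").split("%")[0])
        if ip.is_loopback:
            continue  # reachable only from the laptop itself
        found.add((proto, addr, int(port)))
    return sorted(found)


if __name__ == "__main__":
    for proto, addr, port in exposed_share_listeners(SAMPLE_NETSTAT):
        print(f"file sharing reachable from the LAN: {proto} {addr}:{port}")
```

A socket in this list may still be blocked by a personal firewall; the list shows what other guests could reach if the firewall is off or permits file sharing on the current network.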