Hotel Insecurity

We haven’t looked at the sorry state of hotel security for a while, but we have done articles on hotel locks and hotel business center computers before. The Naked Security blog recently published a story about the Russian hacker collective known as Fancy Bear, and their involvement in the use of the leaked NSA exploit EternalBlue to launch Advanced Persistent Threat (APT) attacks against hotels. So far, this attack has been seen only in European hotels, but I am certain that we will see this spread to the United States (and the rest of the world) in due time.

This attack is usually launched with an email containing an infected Word document attachment, and is designed to stay hidden.  The probable targets are high-value guests travelling for governmental or business reasons.  Connecting to the hotel guest wireless or Ethernet connection will make you a potential victim of this exploit.

The way to stay safe is to do something that I find myself doing more frequently – BYOW or bring your own Wi-Fi. When given the choice between an unsecured but free public Internet connection, and my metered but secure Wi-Fi from my smartphone, I go smartphone all the time.

Another good solution is to use a VPN any time you connect to any network that is not your home network or your business network.  And considering the way APTs are showing up at home and the office, maybe you should use your VPN all the time.

I might as well give another plug to Rubica, the personal cybersecurity service I wrote about on August 16th.  The VPN proxy service at the core of their offering, coupled with the machine learning and human cybersecurity operatives, will keep you out of harm’s way.

So basically, you can’t trust hotel door locks, the business center computer has more infections than the hotel whirlpool, and the guest network has probably been compromised.  Have fun on your next trip!!  And yes, I do travel for business and pleasure.  I never leave anything in the room that I can’t live without, and I do not use the provided guest Internet service any more.


About the Author:

Cybersecurity analyst, pen-tester, trainer, and speaker. Serving small business owners in the St Paul, Minneapolis, and western Wisconsin area since 2001. Cybersecurity and hacking have been a passion of mine since I entered the computer and networking business in 2000. I hold several cybersecurity certifications including Certified Information Systems Security Professional (CISSP), Certified Advanced Security Practitioner (CASP), and Certified Ethical Hacker (CEH). Other computer industry certifications include A+, Network+ and Microsoft Certified System Engineer (MCSE). As Cybersecurity Analyst at The WyzCo Group, I help our clients experience high levels of security on their computers, networks, and websites. In addition to consulting on security products and services, we also conduct security audits, vulnerability assessments and full penetration tests. We also work with companies and organizations that need to certify compliance with regulations such as PCI-DSS (credit card processing), HIPAA/HITECH (medical records), and GLBA. We also provide Cybersecurity Awareness Training for clients and their employees. I am a frequent speaker at cybersecurity conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference, the (ISC)2 World Congress, and the ISSA International Conference, and many local community organizations, Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2008.
