Cyber-criminals have been targeting business people staying at top international hotels and stealing confidential data from their computers in an attack called DarkHotel, security researchers recently revealed.
DarkHotel is an extremely sophisticated attack, and one that has been around for several years without detection. Once a hotel network is infected with DarkHotel, malware attempts to compromise guests' computers when they log on to the hotel's Internet service over Wi-Fi or via Ethernet. In an especially sinister twist, the criminals also attempted to compromise computers by sending emails to specific business executives to entice them to click on malicious links.
Security researchers at Kaspersky Lab believe the DarkHotel attacks started as long ago as 2007, thus evading detection for about seven years. Although it has mainly affected hotel guests in Japan, visitors to hotels in the U.S., Germany, Ireland, South Korea, India, China, and Russia were also targeted.
This begs an important question: What other sophisticated attacks - possibly sponsored by foreign governments or their security agencies - are being carried out on business travelers connecting to the Internet in a hotel, airport or conference center?https://o1.qnsr.com/log/p.gif?;n=203;c=204650394;s=9477;x=7936;f=201801171506010;u=j;z=TIMESTAMP;a=20392931;e=i
The bad news is, it is not possible to say for sure until they are discovered.
This leads to another important question: If you have no option but to treat all public Internet access as suspect - which is prudent from a security perspective - what security measures should you take to minimize the possibility of your computers being compromised and confidential data being stolen?
Here are 10 important security precautions to keep you safe while on the road:
Update Software Before You Go
DarkHotel made use of zero day exploits to compromise machines by taking advantage of vulnerabilities which were not previously known and for which no known security updates existed.
Zero day exploits are relatively rare; a more common way attackers can compromise your machine is by exploiting known vulnerabilities in commonly installed software like Windows or Adobe Reader before the software is updated to remove the vulnerability. That's why it's a security best practice to update your software as promptly as possible.
Many software updates are signed by the vendor using a digital certificate to "prove" the software has not been altered, but Dark Hotel used forged certificates to convince victims to download and install apparently genuine updates that contained more malicious software.
It's never a good idea for business travelers to download and install software from a suspect network, as DarkHotel proved. Thus if a security update is issued while you are traveling, there's a tricky decision to be made as to whether to risk downloading the update from a suspect network or to continue using unpatched software.
Download Updates from Vendor Websites
If your computer tells you that your software needs updating, don't click on a button to download and install the update there and then; the "update" could prove to be malware. A better solution is to go to the vendor's website and download any updates directly from the site.
Always Use a VPN
Any time you use public Internet connections such as those offered at airports, hotels or conference centers, your data can be intercepted and read relatively easily unless it is encrypted. That includes user names and passwords and the contents of email and documents you send.
Websites and email services that use https and display a locked padlock in your browser encrypt your data automatically. However, it's a much more secure practice to encrypt all traffic coming and going from your computer when using a public network by using a VPN.
Many businesses have their own corporate VPNs, or you can subscribe to a VPN service such as Black Logic, HotSpotVPN, Proxpn or StreamVia. Most such services allow you to subscribe for a short period or annually.
Beware of Rogue Access Points
Hackers may set up Wi-Fi hotspots in public areas such as conference centers or airports to try to entice you to connect to them so they can snoop on your data. Often these will have official-sounding names, so it's sensible to establish the exact name of the legitimate Wi-Fi service being offered to ensure that you avoid connecting to a rogue one.
Only Connect to Wi-Fi Services that Require a Password
Open access points that anyone can connect to are very insecure and should only be used as a last resort, in conjunction with a VPN. Wi-Fi services that require a (WPA) password encrypt the wireless part of the connection.
(Even if the Wi-Fi password is freely available to everyone, it still provides protection. That's because this common password is used to generate unique session keys for each user, so your data can't be decrypted by anyone else, even if they know the Wi-Fi password.)
Since this type of encryption only affects the data in transit over the wireless network, but no further, it still makes sense to use a VPN to protect your data for the rest of its journey over the Internet.
Consider Using a Cellular Network-based Personal Hotspot
You can avoid using public Internet services by using your cell phone's 3G or 4G data connection instead. Most smartphones provide personal hotspot functionality, or you can use a personal hotspot device.
Cellular data networks can be slow and expensive to use, however. Also, since they could also be compromised, it is still sensible to use a VPN while using cellular networks.
Most U.S. carriers offer devices for domestic use. For international travel, a cheaper option may be to rent an XCom Global MiFi device.
Don't Trust Public Computers
Computers in hotel business centers and Internet kiosks should never be trusted. You have no way to know if a keylogger has been installed to capture your keystrokes, including user names and passwords, as you type.
Such machines should only be used to visit public information websites, never for business purposes such as editing documents or connecting to websites or other services that require a password.
Protect Yourself from Other Users on the Network
To protect yourself against malicious users connected to the same business center or hotel network, connect your laptop though a travel router that plugs into an Ethernet jack.
A travel router such as the TP-Link AC1900 acts as a highly effective hardware firewall which helps keep your computer isolated from other users on the network. (Most computers have a software firewall installed, but these can be disabled by viruses and other malicious software.)
Don't Forget Physical Security
Your data is at risk any time you leave your computer unattended while traveling - in a hotel room, for example. It is also susceptible to being lost or stolen.
Sensible precautions include:
- Setting a login password if there is not one already - although this only offers a low level of protection
- Requiring a password to be re-entered after a relatively short idle period
- Disabling booting from CD or USB drive in the BIOS to prevent hackers bypassing a login password, and then setting a BIOS password to prevent the BIOS settings being changed
- Encrypting the hard drive with a utility such as Microsoft's BitLocker or equivalent product from vendors including Symantec , WinMagic and Intel/McAfee , or with a self-encrypting hard drive from vendors including Seagate and Western Digital
- Using a locking cable to prevent a thief from easily removing your laptop from a hotel room
Assume the Worst
If you accept that your security is at a higher than normal risk of being compromised during business travel, then it is prudent to assume that it may have been. That means it makes sense to change all your passwords after you have returned from traveling. This can be inconvenient, but using a password manager such as LastPass can make this much easier.
Paul Rubens has been covering enterprise technology for over 20 years. In that time he has written for leading UK and international publications including The Economist, The Times, Financial Times, the BBC, Computing and ServerWatch.