The National Cybersecurity and Communications Integration Center of the United States Secret Service has distributed a non-public advisory to companies in the hospitality industry, warning them that hotel business center PC are regularly targeted by hackers.
The advisory notes that,
‘In some cases, the suspects used stolen credit cards to register as guests of the hotels; the actors would then access publicly available computers in the hotel business center, log into their Gmail accounts and execute malicious key logging software… The keylogger malware captured the keys struck by other hotel guests that used the business center computers, subsequently sending the information via email to the malicious actors’ email accounts. The suspects were able to obtain large amounts of information including other guests personally identifiable information (PII), log in credentials to bank, retirement and personal webmail accounts, as well as other sensitive data flowing through the business center’s computers.’
A number of basic security tips are offered, but according to security researcher Brian Kebs, the bottom line is that if attackers can gain physical access to the computers, then they can use a USB or CD to boot into Linux and access the underlying system files from there, making it ‘game over’,
‘The truth is, if a skilled attacker has physical access to a system, it’s more or less game over for the security of that computer. The next hotel business center you visit may be completely locked down and secure, or it could be wide open and totally overrun with malware.’
What is good for the goose is good for the gander
What we feel is missing from this analysis however, is the fact that if attackers can boot into Linux, so too can legitimate users. In our article ‘Linux distributions built for security and anonymity’ we discuss secure Linux distros that boot directly from LiveCD or LiveUSB (TAILS being the most well-known).
These create completely isolated working environments, separate from any other Operating Systems or software (including malware) installed on the host computer, and which cannot be written to or interfered with from outside the environment.
Using such a Linux distribution as your sole working environment should foil even a very determined attacker, bearing in mind that no security measure can be regarded as 100 percent fool proof.
Use a software keyboard
As the advisory notes,
‘The attacks were not sophisticated, requiring little technical skill, and did not involve the exploit of vulnerabilities in the browsers, operating systems, or other software.’
In fact most of the attacks appear to be keylogging attempts, where malware introduced into the system records keyboard presses, from which attackers can gain access to passwords, usernames, bank account details, and more.
Because keylogging attacks record the physical strikes on physical keyboards, they can be usually be easily defeated using a software keyboard, where virtual keys are activated with a mouse click.
Now please do not get us wrong – using a virtual keyboard will not defeat many forms of attack, and can in no way be considered ‘secure’. Nevertheless, if you absolutely must use a public hotel computer, the risk of being compromised by keylogging software can be substantially reduced by using (at least while entering sensitive information) a software keyboard.
Windows has an On Screen Keyboard built-in, which you can find by going to Start -> Run -> and type ‘osk’ <enter>. In OSX, a virtual keyboard can be turned on by opening System Preferences -> Keyboard -> and check the box saying ‘Show Keyboard & Character Viewers in menu bar’. You can now click ‘Show Keyboard Viewer’ in the menu bar to bring up the virtual keyboard.
We will stress again that using a software keyboard should be viewed as an emergency measure, and only used for non-critical applications. We take no responsibility for any loss or damage caused through not using stronger security measures.
Don’t use hotel computers!
This might sound obvious, but it bears some consideration. If you have a laptop, of course, then there is very little reason to use untrustworthy public computers, although you should always remember to use VPN to encrypt your WiFi connection and protect yourself from packet sniffers.
Most people using a hotel business center do not have a laptop to hand (else why use the hotel computers), but it should be remembered that smart phones and tablets are remarkably powerful computers, and a surprisingly large amount of ‘serious’ work can be done on them.
Even a fairly humble smart phone with a Bluetooth keyboard and mouse, together with the Google Drive app (for example), can be used for most business needs at a pinch. Apps such as TeamViewer and Chrome Remote Desktop even allow you to dial into your home or office, and work with your full computer desktop displayed remotely on your mobile device!
Remember that VPN is readily available for iOS and Android devices, and that using to protect your data is just as vital when using a mobile device over public WiFi as it when using a more conventional computer.
If away from home and you need internet access, it is unwise to use hotel computers without major precautions (such booting into a clean, secure OS). If you really must use them, then then at least some of the more common dangers can be avoided by using a virtual keyboard, but it is probably better to consider how your much more secure mobile device can be pressed into service instead.
Whatever you do, always remember to use VPN to protect your data!