The US Secret Service has quietly warned hotels that malware slingers are increasingly targeting PCs in hotel business centers to harvest sensitive information. In a non-public advisory, obtained by investigative journalist Brian Krebs, law enforcement officials have arrested members of a criminal gang that is accused of …
Don't use business center computers. Use own laptop instead. Duh.
Then again how do you print things out? Like boarding passes. Thankfully credentials are short lived. Then again, a bogus boarding pass might be used for... (as the helicopters emerge over the horizon)
@Herby - Then again how do you print things out? Like boarding passes.
If you have your laptop and just want to print something from it. I would say the moderately safe and easy way is to take a USB stick with you. Use your laptop to download your boarding pass, and save the pass file as a pdf (or picture) onto the stick and then use the stick in the business centre, that way you don't have to type anything into the probably compromised business centre computer to print out the pass.
Obviously, treat the USB stick as horribly contaminated before using again. Even better use a CD which you can bin afterwards. The alternative is to use an airline which doesn't need you to print out the pass (there are some), you just display the pass on your phone.
I always assumed the business centre computers or any public computers were riddled with malware. Useful for a bit of simple impersonal surfing (e.g. looking for a local restaurant, checking the news) but never try logging into anything secure.
I always assumed the business centre computers or any public computers were riddled with malware.
I was a member of a group that held meetings at a local university. There were PCs and overhead projectors in all the classrooms. I wanted to use the overhead as part of a presentation I was giving. I had loaded the presentation on a thumb drive with a variety of portable apps (I did not know what the computer would have installed) and ran the portable AV product when I plugged it in. It had its work cut out for it. It seems that installing an AV product or using any sort of common sense was right out on those systems.
I know to treat these systems as the infected cesspools they are, but it surprises me that hotels don't take better care than they do. They only offer "free" computer access to their customers, meaning it isn't really free and might open them up to liability issues.
Used to be there were USB drives with Real Switches (TM) which would block the write enable lines to the flash. Safe to plug into biohazard IV environments.
Most are gone now, and many remaining wannabes have Fake Switches (TM) which are only software constructs behind the physical switch, and one can't trust those. Indeed, you can't even trust a Real Switch (TM) manufacturer not to change the device to Fake Switch without telling anyone.
It would be adequate to have a reliable way to zeroize the USB stick, but then you'd have to trust some software to accurately zeroize an infected stick (the software would run off of bootable CD of course in a machine with no HD).
Finally it has a real purpose...
"The crims reportedly didn’t bother to bring their malware with them on a USB stick or CD. Instead they allegedly stored the malware in the cloud, and simply downloaded it onto the hotel's computers."
Yes - previously these guys may have downloaded the stuff from... say, a web server but now The Cloud is there it is all so much more mysterious and exciting! Thank goodness.
That's all, over and out.
"some business centre computers may have taken the safeguard of not allowing anyone to log in with Administrator rights"
I leave it as an exercise for El Reg readers to determine one of the key problems here.
It's a fixed part of any security-for-execs talk: do not use 3rd party computers for business access.
Interestingly, it's not the possible loss of access credentials that gets especially the brass (that tends to be understood the moment you mention it), but the fact that they have just left behind a copy of whatever file they have looked at when using corporate webmail (as I mentioned before here, Windows-R, enter "explorer %temp%" and you can see them all). We've worked with a few hotels who now tend to use Macs in guest mode - the moment a client logs out all data and history is zapped. That turns out cheaper than liability insurance, and it's quick to implement for those who don't seek to gouge clients for lobby Internet access - an attitude usually found in the more upmarket establishments (i.e. definitely not the EasyHotels of this world).
At a corporate level, we simply do not allow webmail, also because its use tends to seduce people into attempting to set easy passwords (which our password test software then detects and rejects). Our corporate email is only accessed through screened and controlled devices, and our range of options is wide enough to keep most people happy (nope, no BYOD for us, the device costs are negligible vs. the risk exposure). However, we are a company where exec level has at least a clue when it comes to security, which cannot be said of every organisation we deal with :(.
So if I understand this right... terrorists should use hotel lobby computers to email each other because if/when they are then caught, they can claim the messages were not sent by them but by 'malware installed by criminals'? And the NSA could be called to give evidence in their favour in court. Marvellous.
Hackers can get very personal information that they need by hacking. Sometimes, they can even find out the password using special hack tools. It's worth mentioning that hack can be very useful in certain condition. A child of my neighborhood behaved erratically some time ago, her parents used Micro keylogger to get her FB password to find that someone was trying to tempt her into taking drugs. That is terrible.