4/28/2016
01:20 PM

How To Stay Secure At The Hotel On A Business Trip

As POS malware attacks on hotels increase and threat actors target executives, traveling for business puts company data at risk.

In 2014, cybercriminals in the DarkHotel campaign targeted business executives staying at hotels in Asia. The attackers used spearphishing as well as kernel-mode keystroke logger attacks and cracked weak digital-signing keys to steal data from the victims’ devices.

Then in 2015, the hospitality industry suffered a string of point-of-sale (POS) malware attacks whose victims included the Hilton Hotel properties, Trump Hotel Collection, Starwood, Hyatt Hotels, and Mandarin Oriental Hotel Group.

When employees travel for business, corporate data is at risk as hotels increasingly become targets of and venues for cyberattacks. Here are seven ways to stay secure at the hotel on a business trip.

1.     Avoid using public-use terminals.

Many hotels provide computers and printers, or a public-use terminal, for guests to print plane tickets and check email. When you’re on your way in or out of the hotel and in a rush, it’s tempting to use these spaces in a pinch, but doing so could put your organization's data at risk. “Those things are not maintained as well as an organization that would maintain their systems,” says Andrew Hay, CISO for DataGravity and speaker at next week's 2016 Interop Las Vegas.

2.     Use a VPN client when connecting to WiFi.

When traveling for business, it’s a given that you’ll need to access the WiFi. That being said, whenever you do connect, it’s important to use a virtual private network (VPN) when accessing your information. You don’t know if the hotel is using an up-to-date firewall or if they’re separating the traffic between you and your neighbors, says Hay. “There’s really nothing stopping someone from sniffing the traffic.”

3.     Keep your devices in hand while at breakfast.

The hotel continental breakfast buffet is almost a ritualistic part of traveling on the company dime. Hay, who travels a lot for business, says he’s always surprised by the number of people he sees leave their laptops and devices open as they quickly grab food.

“Physical access trumps all security,” says Christopher Budd, global threat communications manager for Trend Micro. POS malware and sketchy WiFi networks may be making headlines, but it’s always important to keep the hardware out of reach.

“It’s so easy for someone just to walk by, pick up a laptop, and keep walking,” says Hay, adding that someone could also quickly install malware on a thumb drive in the time it takes you to come back from the buffet.

4.     Get loaner devices from IT.

An easy way to protect your company data and stress less about all of the files that could be lost if your device is stolen is to ask your IT department for a loaner computer and phone to use while traveling. It can be inconvenient to have all your devices on your person all of the time, especially if you’re having dinner with clients or attending a formal event. It’s handy to just leave your loaner (and secured) hardware in the hotel room and rest assured that nothing of major significance will be lost if the device is stolen or compromised while you’re away.

Device and hardware theft can happen on the way to the hotel, too. “I have heard horror stories of intelligence agencies using Customs to swap out hardware, USB drives, or laptops while special screenings were being conducted,” Hay says. Having loaner equipment can help eliminate the stress of information and hardware theft while making your way through the airport.

5.     Don’t swipe your card at sketchy ATMs, gift shops, or hotel restaurants.

Many of the 2015 hotel malware attacks targeted gift shop and restaurant POS systems. “We’re seeing attacks there because they’re older systems, on the periphery of a network security,” Trend Micro's Budd says.

Instead of having your card swiped at these systems, both Budd and Hay recommend asking to have your bill charged to the card on file or your room. “Every time your credit card gets swiped, it broadens the attack surface and possibility for information to get stolen,” warns Budd.

Paying in cash may seem like an obvious way to avoid credit card information theft, but DataGravity's Hay cautions against using ATM machines that are rented by the hotel and not owned by major banks. “They’re in heavily trafficked areas, but not high security areas,” says Hay, adding that he steers clear of them based on research and attacks that have happened, and instead gets cash from his bank before he leaves.

6.     Install remote-wipe software.

If you have to bring with you on the road the company devices you use on a day-to-day basis, Budd recommends installing remote-wipe software on those devices. “Assuming that what you’re bringing with you will get lost or stolen at some point, you want to make it as hard as possible for someone to get what’s on there,” Budd says. Of course, you’ll want to back up all of your files before you leave as well in case you have to remotely wipe your devices for some reason.

7.     Avoid using desk and lamp USB ports.

A lot of hotel rooms today offer direct USB plugins on desks and lamps as a convenience to their patrons, but Hay and Budd see these as a potential threat. Hay says to completely avoid using these ports because there’s a chance that information could be copied from your device by some mechanism in the lamp. Stick with wall plugs.

“If I’m using a USB based charger, it’s mine,” says Budd, adding that we’re long past the days when a phone's power cable is just a power cable.

Emily Johnson is the digital content editor for InformationWeek. Prior to this role, Emily worked within UBM America's technology group as an associate editor on their content marketing team. Emily started her career at UBM in 2011 and spent four and a half years in content ...
 

Comments
KPierson
User Rank: Apprentice
5/12/2017 | 6:44:37 AM
Thank you for sharing the blog
Your blog is really very helpful. We use to prefer some of the tips like close the windows, use of trackers for computer and mobile, use hotel room safe for valuable belongings, anti-theft bag. Your blog has so many nice tips for traveler security in hotels. Thank you for sharing.
RyanSepe
User Rank: Ninja
4/29/2016 | 10:52:15 AM
Re: Get loaner devices from IT.
The potential for VMs is paramount here. Assuming your loaner devices are generic you could use them as a portal to log into a more defined resource.
RyanSepe
User Rank: Ninja
4/29/2016 | 10:50:40 AM
Re: Avoid using public-use terminals
Exactly. To add on to this benefit, your machine will most likely still have its local security mechanisms in place to combat unwanted snooping, such as a username and password to log in to your laptop and a timeout to ensure that the activity time is utilized by the owner.
Dr.T
User Rank: Ninja
4/29/2016 | 10:09:13 AM
Secure VPN
VPN works well when it is a site-to-site setup, such as in corporate offices. You can set up a VPN server on your corporate server and use a VPN client in your end device; the communication between the end device and the server would be encrypted so nobody but your corporate can access the data. No privacy but secure.
Dr.T
User Rank: Ninja
4/29/2016 | 10:07:52 AM
Re: Get loaner devices from IT.
 

"...  loaner device may be generic. ..."

This is also a good point, for a non-techy person another computer may simply mean he/she would not get his/her job done and additional stress.
Dr.T
User Rank: Ninja
4/29/2016 | 10:06:23 AM
Re: Get loaner devices from IT.
"... I don't see this being a common occurrence ..."

Agree with you. This was the case in the past, there is less likely an option anymore since we do have our own devices anymore in most cases.
Dr.T
User Rank: Ninja
4/29/2016 | 10:04:43 AM
Re: Avoid using public-use terminals
 

" ... Avoid using public-use terminals ..."

This is a really great tip. Your own laptop is always better, let's say if you are using Gmail on your own laptop it is already encrypted from your laptop to Gmail server. Better than using hotel PC.
Dr.T
User Rank: Ninja
4/29/2016 | 9:52:25 AM
VPN client?
I like the list, quite informative. Just one comment, I love it when I see "use VPN client" option when it comes to secure communication and privacy. Does anybody really think that this is bringing any security or privacy? Every VPN client has a VPN Server which one most likely have no control over so it is not secure or private.
RyanSepe
User Rank: Ninja
4/29/2016 | 8:33:19 AM
Get loaner devices from IT.
This is a good idea if your organization has extra devices. I don't see this being a common occurrence because in many cases a loaner computer isn't a completely comprehensive solution for travel. For example, if you have a different role within the organization you may require different access, policies, etc. A loaner device may be generic.
RyanSepe
User Rank: Ninja
4/29/2016 | 8:30:05 AM
Avoid using public-use terminals
This is definitely a good tip. Whenever I visit a hotel I always see someone on the public terminals, and knowing the nature of human behavior there are going to be many times that you forget to log out of whatever you were doing... Email, bank, PayPal. These sources can provide data that would make it much easier for a snooper to acquire the information they need.