Has this happened to you? I am staying at a hotel where the Wi-Fi creates one flat network, and of course, there are numerous people who don’t know the first thing about basic security practice. Why do I know this? Because I can see several of them who have file sharing turned on for their PCs. They are listed by name in my Mac’s Finder (John Jones Computer, Sid Smith Computer, etc.) and it is a bit scary.
When I travel, I remember to turn off the file sharing setting on my PC for precisely this reason. It is a simple step, but a critical one.
So last night I was in this hotel in Silicon Valley and I was feeling somewhat puckish. I noticed that one person’s computer was listed. I clicked on his computer to see if file sharing was turned on. It was, and in a moment, I could see his entire hard drive, including a “private” folder filled with PDFs of his credit card and other banking statements, loads of business documents, and the bonus: before/after pictures of his wife’s implants. (I Had To Look. Nice work, btw.)
So I took one of my newfound friend’s documents, it was a boating license or something, copied it to a USB key and printed it out at the business center. I put it with a note to my friend and left it at the front desk, suggesting that:
a) He turn off file sharing tout de suite if he didn’t want anything else shared with the entire hotel for the rest of his stay and
b) He might want to invest in some hard disk encryption, particularly for all the stuff that he very conveniently left in his “private” folder for everyone to see.
Most hotels don’t really spend the time and energy to lock down their networks, and most business travelers don’t spend the time and energy to lock down their computers. The result is a boon for any corporate spy who has a laptop and minimal skills. Go to any center-city convention hotel today and within minutes you can collect PowerPoints, confidential documents, and business plans on just about any industrial topic. And you don’t need any skill, other than showing up at the right time and place.
As I saw this week, many hotels typically don’t segment their guest LANs, meaning that everyone in the hotel is on the same segment, has the same access, and can see every other guest’s machine across the entire network. This is true for wired and wireless access alike. Obviously, if a wireless user can sit in the parking lot of the hotel and gain access to the entire hotel LAN, this is even more trouble waiting to happen. The best situation is to have every single guest on a separate virtual LAN (or equivalent client isolation) so they can’t see anyone else’s traffic. This requires the hotel to buy more capable, and more expensive, switching hardware, of course.
How prevalent is all of this? Two colleagues, Lisa Phifer and Craig Mathias, traveled around the northeast and tested 24 hotels back in 2006. They found trouble almost everywhere they went. Just one in four sites could prevent wireless eavesdropping and block all notebook probes. Sadly, the situation isn’t much different in 2013.
“Hotspot users might be unpleasantly surprised to discover they are reachable from the Internet [when they choose public IP addresses]. We expected paid networks would protect users from each other or Internet attacks more often than free hotspots, but this was not the case. Several free hotspots had noteworthy exposures, but so did paid networks, including the most expensive sites.”
The only two Internet providers that passed all their security tests were I-Bahn and T-Mobile. They segregate traffic by user and prevent people from inadvertently sharing their connection. The others, including Guest-Tek, Passsym, Starwood, TurboNet, StayOnline, and Wayport, all had security problems when the pair did their original research.
So don’t forget the security basics when you travel. Don’t leave your USB key drives lying around with all sorts of private stuff on them. Use a simple PIN to protect your phones. This isn’t rocket science: it is basic Security 101, or not even that, but still something that everyone should just do and internalize. And if you stay at a hotel that has a flat network, turn off file sharing, use disk encryption, and use a VPN to keep people like me from looking around your computer’s hard drive.
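For the Windows laptops that show up by name in a stranger’s Finder, here is a pre-travel check that reports the exposures described above (network treated as Private, file-sharing firewall rules open, user-created shares, no disk encryption) and optionally closes them. This is an added example, not code from the original post; it assumes an elevated PowerShell on Windows 8 or later with the standard NetConnection, NetSecurity, SmbShare and BitLocker modules, and the function name Test-TravelExposure is my own.

```powershell
# Added example (not from the original post). Run as Administrator.
# Reports hotel-network exposures on a Windows laptop; -Fix remediates them.
function Test-TravelExposure {
    [CmdletBinding()]
    param([switch]$Fix)

    $findings = @()

    # 1. A connected network classed Private/Domain lets discovery and file
    #    sharing through the firewall; on a hotel LAN it must be Public.
    $profiles = Get-NetConnectionProfile | Where-Object { $_.NetworkCategory -ne 'Public' }
    foreach ($p in $profiles) {
        $findings += "Network '$($p.Name)' on $($p.InterfaceAlias) is $($p.NetworkCategory), not Public"
        if ($Fix) { Set-NetConnectionProfile -InterfaceIndex $p.InterfaceIndex -NetworkCategory Public }
    }

    # 2. Enabled inbound 'File and Printer Sharing' rules mean SMB/NetBIOS is
    #    reachable by every other guest on the flat segment.
    $fps = Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Direction Inbound |
           Where-Object { $_.Enabled -eq 'True' }
    if ($fps) {
        $findings += "$(@($fps).Count) inbound 'File and Printer Sharing' firewall rules are enabled"
        if ($Fix) { Set-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Direction Inbound -Enabled False }
    }

    # 3. Non-administrative shares are what another guest's file browser lists.
    $shares = Get-SmbShare | Where-Object { -not $_.Special }
    foreach ($s in $shares) {
        $findings += "Share '$($s.Name)' exposes $($s.Path)"
        if ($Fix) { Remove-SmbShare -Name $s.Name -Force }
    }

    # 4. An unencrypted system volume is the "private folder" problem in another
    #    form if the laptop is lost. Not auto-fixed: enabling BitLocker requires
    #    a recovery-key decision first.
    $os = Get-BitLockerVolume -MountPoint $env:SystemDrive
    if ($os.ProtectionStatus -ne 'On') {
        $findings += "BitLocker protection is $($os.ProtectionStatus) on $($os.MountPoint)"
    }

    if ($findings.Count -eq 0) { 'No hotel-network exposures found.' } else { $findings }
}

Test-TravelExposure          # report only
# Test-TravelExposure -Fix   # report and remediate
```

Switching the profile to Public and disabling the sharing rules is reversible once you are back on a trusted network; the VPN the post recommends still belongs on top of this, since it protects the traffic itself rather than just the listening services.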