|
Summary: More and more hotels are offering both wired and wireless internet, but along with those connections comes a security risk most folks don't consider.
Yes. Hotel network security is one of the most overlooked risks travelers face. And I'm not just talking wireless, I'm talking any internet connection provided by your hotel. In fact, I'm actually writing this in a hotel room, and yes, I have taken a few precautions. • It's a topic c|net blogger Michael Horowitz has also written about: Ethernet connections in a hotel room are not secure and the title says it all. I'll put it another way: hotel internet connections are just as unsafe as an unsecured wireless hotspot. Any hotel internet connection. There are two basic issues: Your ISP can see everything you do. When you're in a hotel, that hotel is your ISP. They provide the connectivity, the routers and other equipment that connects you to the internet. As a result, they have the ability to monitor any and all traffic on the network. And you need to realize that it's their network that you're using - they own it, they control it and they have the right to monitor its usage. And, as you've seen, employees can abuse that power to go snooping. "... hotel internet connections is just as unsafe as an
unsecured wireless hotspot."
Your neighbors may also be able to see what you're doing. Depending on exactly how the network is configured, it's possible that you and the rooms around you are connected through a hub. The "problem" with a hub is that it's a dumb device - it sends everything it gets to everything connected to it. So when you send data through the hub, not only does the upstream internet connection see the data, as you want, but that data is also sent down the wires to your neighboring rooms. Any computers there should ignore it, but it's there for the taking if they do not. This is exactly like connecting via an open WiFi connection where anyone in range can "sniff" your internet traffic. There's actually a third more sinister problem where an intentionally malicious hotel guest "poisons" some of the information used to route internet traffic and inserts his computer into the middle of your conversations. So, what do you do? What do I do? In a word: encrypt. This basically boils down to following all the same steps one might take to stay safe in an internet cafe:
Now there's one more aspect to internet usage that often gets overlooked, and that's simple web browsing. For example, as I sit in this hotel room it's possible that if I didn't take appropriate precautions my neighbors, were they technically savvy enough, could monitor which web sites I'm browsing. In fact, if any of those web sites require me to login, they could potentially see my login information and password. Recall that I said most web mail is not encrypted using https? That's exactly what I'm talking about here: if you connect with a normal http connection any usernames and passwords you might enter are transmitted in the clear and are visible to anyone who has enough access to sniff your internet traffic. Once again, the answer is a single word: encryption. The most common solution is a VPN or virtual private network. There are several commercial services tailored specifically to folks who travel a fair amount. The way it works is simple; after signing up you create a VPN connecting to their servers and all your internet traffic is encrypted and routed through them. At the service, the data is decrypted and sent on to its final destination. Anyone in between - meaning your hotel guests, staff and whoever else might be peeking, cannot see your data. More correctly they can see your data, except it's encrypted and total gibberish to them. So what do I do? Well, I run Thunderbird as my email program, downloading and sending via POP3 and SMTP. I've configured each to connect to my mail servers using an SSL encrypted connection. My mail is secure. For unencrypted (http without the s) websites, I establish an encrypted tunnel - think of it as a kind of partial VPN - to my server. For encrypted websites (https with the s) I need do nothing, other than make sure that the connection remains "https" as I navigate from page to page. My web surfing is secure. Since I'm not using a "true" general purpose VPN, as I outlined above, I have to be careful about instant messaging programs. My approach to date has been to connect via remote desktop (which is encrypted) to one of my machines at home and run the instant messaging programs there. In fact, I use this technique for everything that access the internet that isn't web surfing, email or already inherently secure. Is it all overkill? I think not. With more and more computers and more and more public internet access, hackers and thieves need very little in the way of technology to steal all sorts of sensitive information. Are they doing it here and now? I'd guess not. But I'm not so sure of that guess that I'd let down my guard. Better secure than sorry. Related:
Article 12228 | Posted February 14, 2008 |
Stay Informed Archives Advertisers |
|
•
For more on this subject see
Posted by: Michael Horowitz at February 18, 2008 09:21 PMDefending against insecure hotel networks with a VPN
http://blogs.cnet.com/8301-13554_1-9874115-33.html
I hate to burst your bubble Leo but using SSL is no more secure these days than unencrypted connections. With modern poisoning programs (ie Cain, Wireshark) you can easily sniff https as well as http.
-Leo
Posted by: N3T D3VIL at August 1, 2008 03:42 PM