Helping people with computers... one answer at a time.
More and more hotels are offering both wired and wireless internet, but along with those connections comes a security risk most folks don't consider.
My friend's husband has been getting into her email even though she's not given him her password. He has confronted his sister about an email and when asked how he got into the email he says that where he works (A large hotel chain) they have a program that searches emails for keywords and brings info up. Could that be true?
•
Yes.
Hotel network security is one of the most overlooked risks travelers face. And I'm not just talking wireless, I'm talking any internet connection provided by your hotel.
In fact, I'm actually writing this in a hotel room, and yes, I have taken a few precautions.
•
It's a topic c|net blogger Michael Horowitz has also written about: Ethernet connections in a hotel room are not secure and the title says it all.
I'll put it another way: hotel internet connections are just as unsafe as an unsecured wireless hotspot.
Any hotel internet connection.
There are two basic issues:
Your ISP can see everything you do. When you're in a hotel, that hotel is your ISP. They provide the connectivity, the routers and other equipment that connects you to the internet. As a result, they have the ability to monitor any and all traffic on the network. And you need to realize that it's their network that you're using - they own it, they control it and they have the right to monitor its usage. And, as you've seen, employees can abuse that power to go snooping.
Your neighbors may also be able to see what you're doing. Depending on exactly how the network is configured, it's possible that you and the rooms around you are connected through a hub. The "problem" with a hub is that it's a dumb device - it sends everything it gets to everything connected to it. So when you send data through the hub, not only does the upstream internet connection see the data, as you want, but that data is also sent down the wires to your neighboring rooms. Any computers there should ignore it, but it's there for the taking if they do not. This is exactly like connecting via an open WiFi connection where anyone in range can "sniff" your internet traffic.
There's actually a third more sinister problem where an intentionally malicious hotel guest "poisons" some of the information used to route internet traffic and inserts his computer into the middle of your conversations.
So, what do you do? What do I do?
In a word: encrypt.
This basically boils down to following all the same steps one might take to stay safe in an internet cafe:
-
Use a Firewall: make sure your Windows or other software firewall is enabled.
-
Use https: only access sensitive websites, for example, banking, but also things like web mail, using an https connection. Most banks are secure by default, most web mail is not.
-
Encrypt your email: if you're using a normal email program and downloading your email via POP3 or IMAP, or sending your email via SMTP, then you need to make sure that those connections are encrypted. Check with your email provider for the appropriate settings.
Now there's one more aspect to internet usage that often gets overlooked, and that's simple web browsing.
For example, as I sit in this hotel room it's possible that if I didn't take appropriate precautions my neighbors, were they technically savvy enough, could monitor which web sites I'm browsing. In fact, if any of those web sites require me to login, they could potentially see my login information and password. Recall that I said most web mail is not encrypted using https? That's exactly what I'm talking about here: if you connect with a normal http connection any usernames and passwords you might enter are transmitted in the clear and are visible to anyone who has enough access to sniff your internet traffic.
Once again, the answer is a single word: encryption.
The most common solution is a VPN or virtual private network. There are several commercial services tailored specifically to folks who travel a fair amount. The way it works is simple; after signing up you create a VPN connecting to their servers and all your internet traffic is encrypted and routed through them. At the service, the data is decrypted and sent on to its final destination. Anyone in between - meaning your hotel guests, staff and whoever else might be peeking, cannot see your data. More correctly they can see your data, except it's encrypted and total gibberish to them.
So what do I do?
Well, I run Thunderbird as my email program, downloading and sending via POP3 and SMTP. I've configured each to connect to my mail servers using an SSL encrypted connection. My mail is secure.
For unencrypted (http without the s) websites, I establish an encrypted tunnel - think of it as a kind of partial VPN - to my server.
For encrypted websites (https with the s) I need do nothing, other than make sure that the connection remains "https" as I navigate from page to page.
My web surfing is secure.
Since I'm not using a "true" general purpose VPN, as I outlined above, I have to be careful about instant messaging programs. My approach to date has been to connect via remote desktop (which is encrypted) to one of my machines at home and run the instant messaging programs there. In fact, I use this technique for everything that access the internet that isn't web surfing, email or already inherently secure.
Is it all overkill? I think not. With more and more computers and more and more public internet access, hackers and thieves need very little in the way of technology to steal all sorts of sensitive information. Are they doing it here and now? I'd guess not.
But I'm not so sure of that guess that I'd let down my guard.
Better secure than sorry.
Article C3291 - February 14, 2008
Leo A. Notenboom has been playing with computers since he
was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed.
After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers
to common computer and technical questions. More about Leo.
Hi Leo, I'm guessing this still does not stop the Hotel from seeing the amount of Traffic you are downloading?
24-Nov-2010
Posted by: Jessie at November 23, 2010 11:30 AM
Gmail now uses https for web mail by default. If you have an older account, you need to switch it from http. Also, Teamviewer is a free service that allows you to set up a VPN to your home machine. Then you can run your web browser from there. Either method should take care of the concern in this article.
Posted by: Lester at February 15, 2011 8:19 AMGood advice.
As Lester pointed out, Gmail was the first to offer HTTPS, now Hotmail has followed suit. I use it all the time for both services.
Posted by: Ron at February 15, 2011 11:34 AMHi Leo,
Please compare the security provided by VPN, VNC, and SSH.
Related to this, I have been trying to connect an iPad using iSSH to a Win 7-64 bit desktop and an XP laptop both running tightVNC and freeSSHd. The problem is that on both machines the SSH tunnel is established but then immediately disconnects without connecting to VNC no matter what settings I try. Perhaps you have a suggestion as to what might be wrong.
Posted by: Eric at February 15, 2011 1:24 PMHi guys,
I was wondering, with a VPN (such as hotspot shield) can the hotel still see the websites you visit?
Thanks.
25-Oct-2011