Spy vs. Spy: Hotels and business travelers | SC Media
Breach

Spy vs. Spy: Hotels and business travelers

November 9, 2010
How hard is it for anyone to gain access to a laptop in a hotel room or across a hotel business center's network?

One 2010 report issued to the U.S. government by defense company Northrop Grumman describes Chinese economic espionage as comprising 'the single greatest threat to U.S. technology.'

The feds see cyberespionage as one of three major cybersecurity concerns, the other two being cybercrime and cyber-terrorism.

We've lost the war [in cyberespionage] and we need to gain back ground." – Mark Culp, FBI San Diego Cybercrimes Division

Shocking but the black ops world of industrial espionage still has teeth even with malware infesting everything. Unfortunately a physical fortress with a network is still vulnerable – a hard learned fact causing quite a stir in the hotel industry this year. SC Magazine's Angela Moscaritolo reported several key points concerning hotel data security:

Cybercriminals last year targeted hotels more than any other industry for credit card theft, according to a recent report by data security company Trustwave.

Hotels are being targeted because they have large amounts of credit card data and frequently neglect to implement the most basic security precautions, such as changing default passwords or ensuring programs are up to date, said Nicholas Percoco, senior vice president of Trustwave's SpiderLabs.

The Hotel Technology Next Generation (HTNG), a nonprofit hotel trade association, recently issued a security standard which defines how card data should securely flow between a hotel's various systems.

Additionally, large, brand-name organizations are beginning to take data security seriously, experts said. But many others are lagging."

Hotels: Globally targeted for industrial espionage

There's more to it than just credit card data being lost, but the same lax security principles affect your intellectual privacy as discussed previously. While there are ways to minimize risk, the ultimate reality is to simply assume that every time you leave your laptop in your hotel, someone else can and will try to gain access to it.

There are many underemployed private investigators, intelligence analysts and the like who [globally] have the ability to quickly gain access into a hotel whether through social engineering by financial incentive [Read: BRIBE] or through a cousin [Read: INSIDER]. In a conversation this last weekend with a retired LEO, the issue of a warrant to search a hotel room was mentioned in connection with our tales of war stories and 'there I was.'

The difference between law enforcement officers' approach and the private sector was underscored in the simple methods we used. Where they would get a search warrant in the course of an investigation I, acting [LEGALESE] as a private individual not acting as an agent of the law, would simply wave my investigation credentials at the clerk with a good story (sometimes accompanied by a couple dead presidents) and after a quick discussion often a room key would appear.

  1. What really worked about 95 percent of the time was when two LEOs were parked outside in squad cars because often they were after the very same bad guy.
  2. Good story like, these guys sitting behind me in the squad cars are waiting for their boss to show up with the search warrant. I'm supposed to recover the stuff and you'll really be saving me hours of work if I just go in with them right now and get it back.
  3. Twenty to 30 minutes later, my toss of the room was done and the key went back to the clerk.

What's important is that this trick was much harder to do as the price of the hotel went higher. What works at a flophouse fleabag won't work as the stars go higher than two, three or four, although a well-couched bribe of ‘this cash is for the takeout pizza which will soon be delivered here – help yourself' worked much better than the gauche, overplayed technique of just handing folded bills over.

See Social engineering, Part 1: No school like old school

Regarding Wi-Fi and hotel business centers: Don't!

One simple rule is: Don't use them. Ever. That pretty much covers the widespread threat of hotel networks, hotel business centers. Just like gas pumps and credit card skimmers have become so thoroughly compromised, everything short of your own WWAN cell-based solution and a VPN back to your home network is to be treated as completely unsecure and compromised. 

  1. Even WWAN has drawbacks: it gets costly when global roaming data charges are figured in.
  2. Further, as the YouTube source interview with a wireless executive for our previous Spy vs. Spy on mobile states, in some countries where no formal boundaries between government and commerce exist, even the cell towers are not considered secure and private data is captured while in motion.
  3. Finally, if you must use hotel networks, make it harder by using a VPN or, at the very least, https:// and changing your passwords and logins immediately upon returning home.

Let's talk about some of the methods to guard against the old school industrial espionage.

Three rules to counter hotel intelligence efforts

Rule one: You get what you pay for – justify spending more for increased security.

In my last article, I spoke about my Taiwan trip 10 years ago where I stayed (without laptop) at a low-end hotel directly across from the business I visited. While this worked out fine, as a savvy traveler I had eyeballed the state department recommendations ahead of time. Had physical safety been a factor in Taiwan, I would have bumped the accommodations up to provide another layer of security.

Taking all into consideration, after my business was concluded I made for Taipei and a higher level accommodation for my final night.

Six months later, I was bound for Mexico City to do partner training in a party of five. At the time (and currently as well), there was a state department travel advisory warning of widespread kidnapping in Mexico City, not to mention a risk of earthquakes.

After a quick discussion with another traveler who was also prior military with nearly the same security background, we agreed first on a four-star hotel and second on the justification for the extra cost being the margin of safety it offered. This followed rule one of getting what you pay for and we leveraged our available corporate experience.

Rule Two: Leverage the corporate experience you have.

The company we worked for trusted us to set the standard based on our travel experience in less than friendly areas (Somalia, Haiti, Arabian Gulf) and our entire contingent had a safe and eventless visit.

On rule two, after meeting one night at the free buffet dinner, we found each of us had separately based our theory on observing what the military did outside the U.S. when we/they had to operate (not vacation) out of civilian hotels – stay at the high-dollar ones which had higher standards of internal security. Essentially your tax dollars at work lowered our risks by spending just a bit more each night.

Side note: I've yet to be in any company which had an IT division which didn't have at least one military veteran hired. While simply being a vet doesn't make someone a security expert, in the land of the blind the one-eyed man is often king. Most global militaries have a formalized counter-intelligence program which begins in basic training. My further recommendation is to find out who of the veterans had further formalized training in anti-terrorism (AT) which is NOT the Jack Bauer / 24 stuff known as CT, and ask their opinions prior to finalizing travel plans.

Rule Three: Harden the target and make bad guys work for a living.

Counterintel: Corporate travel checklist

  1. What role does this traveler have?
  2. Where is this person heading?
  3. Who are they visiting?
  4. What information can they completely leave behind?
  5. What information must they have to perform their duties?
  6. What sensitive projects or information may they need to access while they are traveling?

When in Rome vs. HOTSU

Let's face it, the top way to cope with jet lag is not by sleep. In the industrial espionage game, however, industrial espionage interrogations aren't a water-boarding affair – unless you count body shots done at a karaoke bar.

When in Rome, we do as the Romans do. Since 85 percent of the world's business population would be offended by a guest not partaking in a host's offer to go, we go along with, and the hardware we carry either stays in the hotel or in the host's office.

Think that part through – if, as is recommended in other Spy vs. Spy articles, you don't have the hardware then you make the bad guy work for a living. As for the human element, the acronym HOTSU is often applicable: He's Out To Screw U: whether intentionally or unintentionally, a good night getting sloshed puts your common sense into a hurt locker.

  1. After a very late night out with the locals who pour you back into a cab, you arrive at your hotel with 12 to 16 hours to recover before your flight.
  2. Hard to remember what you said if too much, and even harder to notice if anything in the room has been moved.
  3. On top of everything, nobody wants to tote a laptop all around Tokyo/Paris/London/Dubai or Singapore, so chances are you'll leave it someplace deemed 'secure enough' by reasonable standards.

How to have a fun time guilt free

Thwart the risk by restricting the data you're carrying with you whether through file encryption (okay), or physically carrying it in a small encrypted micro-SD data drive (better), or leaving the main laptop at home (best).

Make the potential espionage bad guy work for a living. Read Spy vs. Spy: Two traveler tools under $10.

In other Spy vs. Spy articles, we'll look at more ways out of the darkness of industrial espionage. For now, answering these questions within the IT department as a process provides at least the fundamental risk assessment. For those who think that industrial espionage simply doesn't exist, I refer you to Ira Winkler, who works with Stanislav Lunev, a former GRU Colonel. Both now consult for corporate counterintelligence. Some of Col. Lunev's testimony is on record in the Senate, do a search and you'll find plenty of precedence.

prestitial ad