Though it is very tempting to get out of the house and conduct “work to home” (WTH) in a nice and quiet hotel room, this practice is fraught with dangers that need discussing.  Red Sky Alliance can help with current and past cyber reporting, as we have been collecting, analyzing, and documenting cyber threats for 9 years and maintain a resource library of malware and cyber actor reports.

The installation, updating and monitoring of firewalls, use of a virtual private network (VPN), and proper user training are keys to blocking attacks.  Our RedXray and CTAC tools help support routine cyber defenses by providing proactive indicators of compromise collected from outside a network.  Please feel free to contact our analyst team for research assistance and Cyber Threat Analysis on your organization.

Another great resource is the US-based Infragard network.  Consider joining and becoming active in your local Infragard chapter.  Infragard provides very valuable information and there is no charge for membership: www.infragard.org

PUBLIC SERVICE ANNOUNCEMENT FROM THE FBI:  06 OCTOBER 2020

The US Federal Bureau of Investigation (FBI) has issued an announcement to encourage Americans to exercise caution when using hotel wireless networks (Wi-Fi) for telework.[1] FBI has observed a trend where individuals who were previously teleworking from home are beginning to telework from hotels.  US hotels, primarily in major cities, often advertise daytime room reservations for guests seeking a quiet, distraction-free work environment.  While this option may be appealing to get out of your house, accessing sensitive information from an open hotel Wi-Fi poses an increased security risk over home Wi-Fi networks. Malicious actors can exploit inconsistent or lax hotel Wi-Fi security and guests’ security complacency to compromise the work and personal data of hotel guests.  Following good cyber security practices can minimize some of the risks associated with using hotel Wi-Fi for telework.

DANGERS OF USING HOTEL WI-FI

Attackers target hotels to obtain records of guest names, personal information, and credit card numbers.  The hotel environment involves many unaffiliated guests, operating in a confined area, and all using the same wireless network.  Guests are largely unable to control, verify, or monitor any hotel network security.  Cyber hackers can take advantage of this environment to monitor a victim’s Internet browsing or redirect victims to false login pages.   Criminals often conduct an “evil twin attack” by creating their own malicious network with a similar name to the hotel’s network.  Guests may then mistakenly connect to the criminal’s network instead of the hotel’s, giving the criminal direct access to the guest’s computer.  That is not good.

Hotel networks are often built favoring guest convenience over strong cyber security practices.  Smaller hotels will often post placards at the service desk stating the password for Wi-Fi access, and change this password very infrequently.  At its most robust, access to a hotel Wi-Fi network is typically governed by a combination of room number and password.  This combination only governs devices accessing the hotel’s network but does not provide a secure internet connection.  Currently, there is no hotel industry standard for secure Wi-Fi access.  If teleworking from a hotel, guests should never trust that the hotel has properly secured their network or is monitoring it for attacks.

Hotels often hire lower-level employees at minimum pay scales.  This invites the possibility of an insider threat, where the clerk, maintenance or housekeeping staff may be assisting one or more bad cyber actors.  This is out of a user’s control, yet it is an additional vulnerability when taking a day off from WTH and using a nice hotel room.

SECURITY FACTORS OUTSIDE OF GUEST CONTROL

Much of a hotel’s network infrastructure is entirely out of the control of the hotel guest.  Guests generally have minimal visibility into both the physical location of wireless access points within the hotel and the age of networking equipment.  Old, outdated equipment is significantly more likely to possess vulnerabilities that criminal actors can exploit.  Even if a hotel is using modern equipment, the guest has no way of knowing how frequently the hotel is updating the firmware of that equipment or whether the hotel has changed the equipment’s default passwords.  The hotel guest must take each of these factors into consideration when choosing whether to telework on a hotel network.

SPECIFIC RISKS TO BUSINESS DATA

Connecting personal or business devices to the hotel’s wireless network may allow malicious actors to compromise the individual’s device and then access the business network of the guest’s employer. Once the malicious actor gains access to the business network, they can steal proprietary data and upload malware, including ransomware. Cybercriminals or nation-state actors can use stolen intellectual property to facilitate their own schemes or produce counterfeit versions of proprietary products. Cybercriminals can use information gathered from access to company data to trick business executives into transferring company funds to the criminal.

SIGNS YOUR DEVICE HAS BEEN COMPROMISED

If your device is hacked, it probably will not resemble the entertainment industry’s portrayal of computer hacking. There may be no visible changes to your device. Some signs that may indicate your computer, phone, or tablet has been compromised include:

  • mobile device slows down suddenly;
  • websites automatically redirect away from the website you are attempting to visit;
  • the cursor begins to move on its own;
  • a mobile device begins to launch apps on its own;
  • an increase in pop-up advertising;
  • a sudden increase in data usage;
  • faster than usual decrease in battery life;
  • unexplained outgoing calls, texts, or emails.

WHAT TO DO IF YOUR DEVICE HAS BEEN COMPROMISED

  • Do not forward any suspected e-mails or files.
  • Disconnect the device from all networks immediately and turn off Wi-Fi and Bluetooth.
  • Consult with your corporate IT department, ensuring they are notified of any significant changes.
  • If there is no IT department, consult with qualified third-party cyber security experts.
  • Report cyber attacks or scams to the Internet Crime Complaint Center at IC3.gov.

RECOMMENDATIONS FOR REDUCING THE RISKS OF HOTEL WI-FI

  • If possible, use a reputable Virtual Private Network (VPN) while teleworking to encrypt network traffic, making it harder for a cybercriminal to eavesdrop on your online activity.
  • If available, use your phone’s wireless hotspot instead of hotel Wi-Fi.
  • Before travelling, ensure your computer’s operating system (OS) and software are up to date on all patches; important data is backed up; and your OS has a current, well-vetted security or anti-virus application installed and running.
  • Confirm with the hotel the name of their Wi-Fi network prior to connecting.
  • Do not connect to networks other than the hotel’s official Wi-Fi network.
  • Connect using the public Wi-Fi setting, and do not enable auto-reconnect while on a hotel network.
  • Always confirm an HTTPS connection when browsing the internet; this is identified by the lock icon near the address bar.
  • Avoid accessing sensitive websites, such as banking sites, or supplying personal data, such as social security numbers.
  • Make sure any device that connects to hotel Wi-Fi is not discoverable and has Bluetooth disabled when not in use.
  • Follow your employer’s security policies and procedures for wireless networking.
  • If you must log into sensitive accounts, use multi-factor authentication.
  • Enable login notifications to receive alerts on suspicious account activity.
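
The evil twin scenario described earlier and the advice to confirm the hotel's network name can be turned into a quick check over a list of visible networks. The Python sketch below is an added example, not part of the FBI announcement; the network names, BSSIDs, the scan tuple layout and the 0.8 similarity threshold are assumptions constructed for illustration.

```python
import difflib
import unicodedata

# Constructed sample scan results as (SSID, BSSID, security); not real networks.
SAMPLE_SCAN = [
    ("GrandHotel_Guest", "aa:bb:cc:00:00:01", "WPA2"),
    ("GrandHotel_Guest", "aa:bb:cc:00:00:02", "WPA2"),
    ("GrandHotel_Guest", "de:ad:be:ef:00:09", "OPEN"),
    ("GrandHotel-Guest", "de:ad:be:ef:00:0a", "OPEN"),
    ("Grand Hotel Guest Free", "de:ad:be:ef:00:0b", "OPEN"),
    ("CoffeeShop", "11:22:33:44:55:66", "WPA2"),
]


def normalize(ssid):
    """Fold case, decompose accents and drop separators so look-alikes collapse."""
    folded = unicodedata.normalize("NFKD", ssid).casefold()
    return "".join(ch for ch in folded if ch.isalnum())


def audit_scan(scan, official_ssid, official_security, threshold=0.8):
    """Return (ssid, bssid, reason) for networks that imitate the official one.

    official_ssid and official_security are the values confirmed with the
    hotel front desk (assumed inputs for this example).
    """
    findings = []
    target = normalize(official_ssid)
    for ssid, bssid, security in scan:
        if ssid == official_ssid:
            # Exact name match: only suspicious if the security type differs.
            if security != official_security:
                findings.append((ssid, bssid, "same name, different security"))
            continue
        # Different name: measure how close it is to the official one.
        ratio = difflib.SequenceMatcher(None, normalize(ssid), target).ratio()
        if ratio >= threshold:
            findings.append((ssid, bssid, "look-alike name"))
    return findings


if __name__ == "__main__":
    for finding in audit_scan(SAMPLE_SCAN, "GrandHotel_Guest", "WPA2"):
        print(finding)
```

A rogue access point that copies both the name and the security type exactly will pass this check, which is why the VPN recommendation above still applies.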

The FBI encourages victims to report information concerning suspicious or criminal activity to their local field office (www.fbi.gov/contact-us/field-offices) or to the FBI's Internet Crime Complaint Center (www.ic3.gov).  For additional resources and best practices for staying safe while teleworking—such as guidance on managing VPNs, videoconferencing, or using wireless devices for telework—visit https://www.cisa.gov/telework

Cyber threats in the Travel Industry

Three weeks ago, UK-based TravelPulse posted an article referencing a report conducted in collaboration with security experts 6point6.  6point6 is a UK technology consultancy excelling in digital transformation, emerging technology and cyber security.  Its report revealed that even some of the world’s largest travel and hospitality operators have failed to address vulnerabilities in their online platforms’ security, even though some have already suffered high-profile data leaks.[2]

Experts assessed the cybersecurity of 98 different travel companies and exposed hundreds of vulnerabilities that exist on the websites of major airlines, hotel chains, cruise lines, tour operators and booking sites. The investigation's findings were collected in June 2020.[3]

Marriott, British Airways and EasyJet were among the five worst companies when it came to gaps in data security, having potentially the most serious and highest number of risks.  All three firms have already suffered cybersecurity breaches that collectively exposed around 350 million customers’ private information on the dark web and resulted in the UK’s Information Commissioner’s Office (ICO) regulators proposing hefty fines for the companies.  The examination covered not only each company’s main website but also all related domains and subdomains, including promotional sites and employee login portals, where any vulnerabilities offer hackers opportunities to target user information.

Investigators noted that they did not engage in any complex hacking to reveal these weaknesses, and only utilized lawful, publicly available online tools to conduct their search.  As noted above, the FBI stated cyber criminals are always scanning for such susceptibilities and, using illegal methods, would doubtless be able to find even further security gaps and weaknesses to exploit.

Marriott:  Experts found 497 vulnerabilities on Marriott-owned websites alone, 96 of which were labeled ‘high impact’ issues and another 18 deemed ‘critical’ (ranked according to an industry-standard scoring system).  One of the world’s largest hotel chains, Marriott has already been the source of two of the travel industry’s worst data breaches in recent memory. In 2018, the company conceded that 339 million of its guests’ records had been maliciously accessed by cybercriminals. Then, another cyber-attack in March 2020 compromised a further 5.2 million customers’ personal information.

EasyJet:  The low-cost carrier suffered its own data breach back in May 2020, which affected around nine million customers, 2,200 of whom had their credit card details accessed.  Investigators discovered 222 total vulnerabilities scattered across nine of EasyJet’s domains.  Two of these flaws were judged to be critical, “with one so serious that, if exploited, an attacker could hijack someone’s browsing session,” presenting opportunities to steal their private data.  An EasyJet spokesperson explained that none of these subdomains were linked to EasyJet.com, and it has seen, “no evidence of any malicious activity on these sites and none store any customer passwords, credit card details or passport information.”

British Airways:  A 2018 breach of British Airways’ systems saw cybercriminals make off with roughly 500,000 customers’ names, email addresses and credit card information.  The ICO proposed a fine of $230 million—the largest fine ever levied under the European Union’s General Data Protection Regulation (GDPR) act—and publicly criticized the carrier’s poor security protocols.  Experts identified 115 potential vulnerabilities on British Airways’ websites, 12 of which were deemed critical. 

Most of these chinks in the company’s online armor were reportedly applications and software that seemed not to have been updated, rendering them vulnerable to attacks by hackers.  In its response to the investigation, BA did not mention whether it would take steps to address the issues identified. A BA spokesperson said, “We take the protection of our customers’ data very seriously and are continuing to invest heavily in cybersecurity. We have multiple layers of protection in place and are satisfied that we have the right controls to mitigate vulnerabilities identified.”

American Airlines:  American Airlines is singular in that it has not yet experienced a high-profile data breach, but researchers did find 291 potential vulnerabilities across its websites, 30 of which were high-impact and seven critical.  The examination found that most of AA’s susceptible sites seemed to be those used internally by its employees, although there was a high-impact flaw on an American Airlines credit card business website.  If an attacker were to obtain a login password for the site, they could potentially tamper with the content or systems used to support the website.

The editor of TravelPulse offered his conclusions regarding the vulnerabilities of the hospitality industry:  “Our research suggests that Marriott, British Airways and EasyJet have failed to learn lessons from previous data breaches and are leaving their customers exposed to opportunistic cybercriminals.  Travel companies must up their game and better protect their customers from cyber threats, otherwise, the ICO must be prepared to step in with punitive action, including heavy fines that are actually enforced.”

For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or feedback@wapacklabs.com    

 

[1] https://www.ic3.gov/media/2020/201006.aspx

[2] https://www.travelpulse.com/news/impacting-travel/major-airlines-and-hotels-have-reportedly-failed-to-fix-cybersecurity-issues.html

[3] https://www.which.co.uk/news/2020/09/marriott-british-airways-and-easyjet-fail-on-data-security-with-hundreds-of-security-risks-exposed-by-which/
