July 14, 2014

The U.S. Secret Service is advising the hospitality industry to inspect computers made available to guests in hotel business centers, warning that crooks have been compromising hotel business center PCs with keystroke-logging malware in a bid to steal personal and financial data from guests.

A DHS/Secret Service advisory dated July 10, 2014.

A DHS/Secret Service advisory dated July 10, 2014.

In a non-public advisory distributed to companies in the hospitality industry on July 10, the Secret Service and the Department of Homeland Security’s National Cybersecurity and Communications Integration Center (NCCIC) warned that a task force in Texas recently arrested suspects who have compromised computers within several major hotel business centers in the Dallas/Fort Worth areas.

“In some cases, the suspects used stolen credit cards to register as guests of the hotels; the actors would then access publicly available computers in the hotel business center, log into their Gmail accounts and execute malicious key logging software,” the advisory reads.

“The keylogger malware captured the keys struck by other hotel guests that used the business center computers, subsequently sending the information via email to the malicious actors’ email accounts,” the warning continues. “The suspects were able to obtain large amounts of information including other guests personally identifiable information (PII), log in credentials to bank, retirement and personal webmail accounts, as well as other sensitive data flowing through the business center’s computers.”

The advisory lists several basic recommendations for hotels to help secure public computers, such as limiting guest accounts to non-administrator accounts that do not have the ability to install or uninstall programs. This is a good all-purpose recommendation, but it won’t foil today’s keyloggers and malware — much of which will happily install on a regular user account just as easily as on an administrative one.

While there are a range of solutions designed to wipe a computer clean of any system changes after the completion of each user’s session (Steady State, Clean Slate, et. al), most such security approaches can be defeated if users also are allowed to insert CDs or USB-based Flash drives (and few hotel business centers would be in much demand without these features on their PCs).

Attackers with physical access to a system and the ability to reboot the computer can use CDs or USB drives to boot the machine straight into a stand-alone operating system like Linux that has the ability to add, delete or modify files on the underlying (Windows) hard drive. While some computers may have low-level “BIOS” settings that allow administrators to prevent users from booting another operating system from a USB drive or CD, not all computer support this option.

The truth is, if a skilled attacker has physical access to a system, it’s more or less game over for the security of that computer. But don’t take my word for it. This maxim is among the “10 Immutable Laws of Security” as laid out by none other than Microsoft‘s own TechNet blog, which lists law #3 as: “If a bad guy has unrestricted physical access to your computer, it’s not your computer anymore.”

The next hotel business center you visit may be completely locked down and secure, or it could be wide open and totally overrun with malware. The trouble is that there is no easy way for the average guest to know for sure. That’s why I routinely advise people not to use public computers for anything more than browsing the Web. If you’re on the road and need to print something from your email account, create a free, throwaway email address at yopmail.com or 10minutemail.com and use your mobile device to forward the email or file to that throwaway address, and then access the throwaway address from the public computer.


97 thoughts on “Beware Keyloggers at Hotel Business Centers

  1. wayne

    Using a public computer is the cyber equivalent to licking a toilet seat in a public restroom.

    1. JATny

      Whoa, Wayne, good one! Colorful and definitely worth remembering. Just bought a super-lightweight notebook for business on the go. Still have to watch the wi-fi, but can’t have everything. Putting on security protection today.

  2. Robert

    One should look at self serve computer centers like FedEx and ups.

  3. kamener

    It is very hateful for the hackers to put keylogger on the hotel PCs. However, there are some real and legal keyloggers and you have to pay for them. You can try the free trial of kinds of keyloggers like Micro keylogger.

  4. Matt Kelly

    Just tried the link for yopmail.com and the site attempted to install some type of virus scan software.

  5. Daniel

    It’s not just software keyloggers you need to worry about. I’ve come across hardware ones installed between the keyboard and PC.

    For the top end of products the attacker doesn’t even need to touch the machine again to get the recorded data, it’s available through a wireless interface.

  6. Merv Green

    Shady advertising festoons both those sites. I would recommend instead mailinator.com and spamgourmet.com.

  7. Jeremiah Talamantes

    The battle for a “clean” publicly used system will probably never end. In most cases, the better route is to carry your own device. At least then, you have a better idea of it’s history and how dirty of a device it might be.

Comments are closed.