14
Jul 14

Beware Keyloggers at Hotel Business Centers

The U.S. Secret Service is advising the hospitality industry to inspect computers made available to guests in hotel business centers, warning that crooks have been compromising hotel business center PCs with keystroke-logging malware in a bid to steal personal and financial data from guests.

A DHS/Secret Service advisory dated July 10, 2014.

A DHS/Secret Service advisory dated July 10, 2014.

In a non-public advisory distributed to companies in the hospitality industry on July 10, the Secret Service and the Department of Homeland Security’s National Cybersecurity and Communications Integration Center (NCCIC) warned that a task force in Texas recently arrested suspects who have compromised computers within several major hotel business centers in the Dallas/Fort Worth areas.

“In some cases, the suspects used stolen credit cards to register as guests of the hotels; the actors would then access publicly available computers in the hotel business center, log into their Gmail accounts and execute malicious key logging software,” the advisory reads.

“The keylogger malware captured the keys struck by other hotel guests that used the business center computers, subsequently sending the information via email to the malicious actors’ email accounts,” the warning continues. “The suspects were able to obtain large amounts of information including other guests personally identifiable information (PII), log in credentials to bank, retirement and personal webmail accounts, as well as other sensitive data flowing through the business center’s computers.”

The advisory lists several basic recommendations for hotels to help secure public computers, such as limiting guest accounts to non-administrator accounts that do not have the ability to install or uninstall programs. This is a good all-purpose recommendation, but it won’t foil today’s keyloggers and malware — much of which will happily install on a regular user account just as easily as on an administrative one.

While there are a range of solutions designed to wipe a computer clean of any system changes after the completion of each user’s session (Steady State, Clean Slate, et. al), most such security approaches can be defeated if users also are allowed to insert CDs or USB-based Flash drives (and few hotel business centers would be in much demand without these features on their PCs).

Attackers with physical access to a system and the ability to reboot the computer can use CDs or USB drives to boot the machine straight into a stand-alone operating system like Linux that has the ability to add, delete or modify files on the underlying (Windows) hard drive. While some computers may have low-level “BIOS” settings that allow administrators to prevent users from booting another operating system from a USB drive or CD, not all computer support this option.

The truth is, if a skilled attacker has physical access to a system, it’s more or less game over for the security of that computer. But don’t take my word for it. This maxim is among the “10 Immutable Laws of Security” as laid out by none other than Microsoft‘s own TechNet blog, which lists law #3 as: “If a bad guy has unrestricted physical access to your computer, it’s not your computer anymore.”

The next hotel business center you visit may be completely locked down and secure, or it could be wide open and totally overrun with malware. The trouble is that there is no easy way for the average guest to know for sure. That’s why I routinely advise people not to use public computers for anything more than browsing the Web. If you’re on the road and need to print something from your email account, create a free, throwaway email address at yopmail.com or 10minutemail.com and use your mobile device to forward the email or file to that throwaway address, and then access the throwaway address from the public computer.

Tags: , , , , , , , , ,

97 comments

  1. I swear I’m not a shill for WebConverger. It’s an amazing web-only Linux distro. If you need to create a kiosk PC, it’s the only way to go. Trust me, I looked around and have been using it for a year now. http://www.webconverger.com/

    • That’s all good until they put a physical key logger in the back of the machine. You are better off not using a public computer for anything other than basic web browsing. If you do have to use it to login to an account use the on screen keyboard instead of the keyboard to enter your password. Then change your password as soon as you can from a trusted computer.

  2. What about display/kbd carts in data centers?

    • As long as your employees aren’t bad guys, I can’t see this being an issue, the company should be able to control physical access.
      Unless I’m not understanding what you mean …

      • Hi PJJ-

        I believe that he’s talking about access to the actual computers in these business centers. Typically they are not supervised at all, all you need is your hotel key to get on. and as he said, they get a room/key with a stolen credit card. these centers are wide-open, and very easy access. you could get in and get out in a few minutes.

    • you_are_a_dumbass

      Did you read the part about how people were actually using credit cards to buy a room at the hotel?

    • Bring your own keyboard, these keyboards could always have a key logger built into them. All depends on how secret your info is and how much you trust the system you are using.

      • LMAO, “bring your own keyboard.”

      • The keyloggers in question are installed in the operating system, so any keyboard connected gets its keystrokes logged.

        I can understand the confusion, old school keyloggers were a physical device you connected in-line with the keyboard that repeated (and logged) any keystrokes it received from the keyboard to the computer.

        Those devices still exist but aren’t particularly in vogue now, since USB makes their operation easier to detect (have to mirror the device ID of the keyboard that’s plugged in, otherwise the system will detect the keyboard’s changed – and few mirror the ID). Plus you have to return later to retrieve the device from the system in order to access the log, which is dangerous.

  3. You cannot trust any machine that you do not control – hotels, internet cafes, work…

    If you want your private accounts to remain (reasonably) private, only use them on your own PC, in their own browser, with relevant plugins. Your security can still be defeated, but you’re no longer a pushover.

    In the meantime, hope that the next HTTP (I think it was) specs include always-on encryption (not sure about the protocol off-hand, but do remember that it was facing fierce resistance – always a sign that it’s good for the individual).

  4. Clean Slate huh? Interesting! Last I checked Drive Vaccine was cheaper, but this may be easier to use – I haven’t tested either of them yet.

    Steady State should be a requirement even for home computers with XP, as that OS is end of life anyway!

    I should have thought VPN would be a mitigation for most of these situations too – but I only quickly perused the article – My apologies for my short examination.

  5. Jeffery Niemuth

    What about public libraries, public schools and the Apple Store, etc? Many folks out there cannot afford home based “high speed” internet and are forced into these easily targeted marketplaces.

    • One note about public institutions (especially schools) if they take e-rate $ then then must be filtered at a minimum. It then depends on the strength/capabilities of the filters..Still it is one step up than an hotel kiosk, so great care should be taken using anything that is not “yours”

    • AmbientOffline

      I don’t know that Apple Stores are “easily targeted”. I’m not saying that the stores or that Mac OSX are immune from malware. But I’d think it’s not a pushover. The last I heard, all Macs in an Apple Store have their OS reinstalled every night. You can observe this process through the store windows after hours.

  6. Oops, logging people’s data is the secret service’s job. No wonder they are angry.

    • “Oops, logging people’s data is the secret service’s job. No wonder they are angry.”

      Actually your are so far off the mark it’s not funny.

      The mission of the United States Secret Service is to safeguard the nation’s financial infrastructure and payment systems to preserve the integrity of the economy, and to protect national leaders, visiting heads of state and government, designated sites and National Special Security Events.

    • I think you’ve gotten the Secret Service confused with No Such Agency.

      • True statement. But unfortunately they’ve lost their way as well. They’re now too busy watching what the citizenry does, and are regularly surprised by foreign actors.

  7. Karoly Negyesi

    I would keep Windows on an external drive that customers can get from the front desk and they need to hand it in and every time someone hands the drive in, it gets reimaged. You’d need about twice the customers in drives to make sure there’s always one fresh but the disks are cheap. There are docks aplenty to make this easy.

    Problem solved?

    • If you look only at the technological side of things, this may solve your problem. But someone has to foot the bill.

      And who exactly would pay for all that stuff, the manpower needed to reimage the drives constantly etc., all just to privide a free internet access kiosk?

      • Actually, you only need a few more copies than the number of computers available in the business center.
        Many of these are located near the front desk, a guest would ask the front desk for access to the business center and receive a USB.

      • I’ll be the first to say it-

        Joe User, on average, isn’t smart enough to manage this- even if you’ve got the drive in a removable cage. Also, hotel desk clerks have enough to do, their management isn’t going to make them “computer drive babysitter” too.

  8. It’s so terrible to install keyloggers at Hotel Business Centers!!! As far as i concerned, the keylogger is very dangerous if it was used for illegal uage. but for legal use, such as parents use it to watch kids safe online, it would be a good parental control tool!

    • Spying on your kids is legal use?

      Since when were good parenting, trust and instilling a good common sense for the dangers out there replaced by a USB keylogger?

      • A parent who trusts their 6 year old to not talk to strangers on the internet will soon learn why such ideals aren’t grounded in reality.

        They’re children. They’re going to do stupid things. Because that’s what children do. Your role, as a parent, is to try and prevent them from doing something so stupid that they kill themselves before they turn 18.

        • A parent that lets a 6 year old on the internet unsupervised isn’t doing their job.

      • Wow… and you have how many kids?

      • Yes, spying on your kids under 18 IS LEGAL. You’re the parent, they are the kids. You are responsible for what they are doing. They set a building on fire? You, the parent, are responsible.

  9. Bob Stromberg

    Faronics Deep Freeze (http://www.faronics.com/products/deep-freeze/; requires annual subscription) can restore a Windows or Mac computer to a preset state (i.e., malware free) while allowing users to save data to a “Thaw Space” if the administrator desired. A reboot resets the computer to the preset state.

    When using a public PC, always reboot. There’s a chance that the machine does not have the latest patches and the previous user might have run across a drive-by download. (If that has happened, a reboot should clear up the malware.)

    Deep Freeze requires that the computer be thawed to apply patches or do other configuration tasks, then re-frozen.

    However, I don’t have recent experience with Deep Freeze.

    • Yep! I always reboot before AND after using the computers at my local library! I glad you posted this reminder for KOS readers! I’m not sure what they are using, but it may be the “steady state using Microsoft technologies” that mech-be-gone posted somewhere here.

  10. On top of not allowing boot from a CD/USB, protecting BIOS setup with an Admin password and using CleanSlate/Steady StateI would encrypt the Windows image and make it only able to register to the Proxy server with AD authenticated credentials. Or simply use one of the many excellent Linux images. Surely for some browsing and printing needs even a slightly technically challenged guest will be able to get by.

  11. An even more worrying aspect is the ignorance of people of even basic security precautions when using a hotel (or other public ) computer.
    I was recently using a hotel guest computer (just looking at a news website 😉 ) and noticed the word doc resume of one of the senior hotel managers with cover letter saved to the desktop. This was just the start; the Internet Explorer history was accessible and cookies hadn’t been cleared for ages as well as various other data that should have been secured being accessible.
    The advice in the article ‘That’s why I routinely advise people not to use public computers for anything more than browsing the Web’ is just so important!

  12. TheOreganoRouter.onion.it

    When I used a hotel public access computer to print flight boarding tickets a few years back , I just ran a third party browser off a encrypted thumb drive.

    • You do realize that did nothing to increase your safety, correct?
      Encryption only prevents data being read without the encryption key. Using an alternate browser also does nothing as most malware resides nestled in the OS, not the browser itself.

      • Paranoid.Android

        You do realize that this did NOTHING to prevent physical keyloggers either right? In fact if they’re doing it right, they only need access to the security camera. The computer can be completely clean, but if they capture every keystroke via cam, you’re still toast.

        Short answer – treat public computers like public toilets in a third-world slum: they’ve probably got all sorts of nasty things in them. Use at your own risk. This includes libraries, electronic cafes, and the like. And if you use your own equipment but go over a third-party wifi, use a VPN (set up via an IP address not a DNS name on the connection). It at least prevents local hijacking. Backbone hacks are another story (thanks AT&T).

        • THIS guy knows what’s up :3

          Paranoid.Android, How do you feel about a VPN (let’s assume OpenVPN since most of the alternatives are either crap or broken crap) versus just tunnelling everything through an SSH connection? Obviously the VPN is easier to handle for the non-tech savvy, but do you know of any other benefits?

        • “treat public computers like public toilets in a third-world slum”
          +1

        • Good points: Personally, I ALWAYS carry my own laptop, I connect using my own hotspot and when I can’t, I simply connect on the WiFi network via VPN to a dummy computer at home, then via SSH to access it.

          I always advise my wife to stay away from those.

          Otherwise, public computers are good for the forecast and morning news while taking your coffee in the public area and other kids Facebook…

        • This!

          Although, I’m not familiar with what he’s getting at with regard the “ATT Back hack”?

  13. Giving business users a clean hard drive every time is a reasonable solution instead of putting up with the garbage some would leave on the computer. Also, I’ve used the free version of Mailinator for over a decade (http://mailinator.com/) and should me mentioned along with yopmail.com or 10minutemail.com as an alternative. I like the alternative domain names they provide.

  14. Go back 15 years in time and every public school and library computer had Back Orifice installed on it by kids who were using it to log keystrokes, passwords,…

    It seems the only things that have changed are the motives of the culprits.

    • Back Orifice! Man, that takes me WAY back! LOL, long live the Cult of the Dead Cow! 😉

    • God yes.

      I spent months removing this crap on the local school district’s machines in the early 2000s. I could tell you stories…

  15. Seren Thompson

    This is one instance where 2-factor authentication would help, at least in the case of credential theft. Many services now support this, including google, facebook, amazon, microsoft, apple. You need a mobile (preferably smart) phone and to take the time to enable on the services you use.
    A word of caution: 2-factor auth doesn’t protect you from having information stolen if, for example, you enter your credit card number on a compromised computer. It doesn’t even prevent your password from being stolen. What it does do is prevent your password from being used elsewhere, even if it has been stolen.

  16. I’m astounded at everyone thinking booting the machine into Linux is the be-all-end-all cure.
    Hardware keyloggers will STILL function.
    The bottem line is DO NOT EVER USE A MACHINE YOU CAN’T TRUST.

    When I’m out and about, I will ONLY use my nexus 7 tablet (with a custom rom who’s source I’ve torn through myself) or my netbook running FreeBSD 10. NOTHING else can be trusted.
    On top of that, I’m not always able to use a secured connection I trust, so SSH Tunnelling through a machine using Dual Factor Auth and a LONG password I change every 3 days, and/or a VPN are the order of the day as well.

    YOU CAN NEVER TRUST ANYTHING EXCEPT WHAT YOU YOURSELF CONTROL EVERY SECOND OF THE DAY.

    My home computer, you’d think I could trust that, yes? I monitor every. single. packet.
    Any unrecognized IPs or domains are ruthlessly investigated.

    YOU CAN NEVER TRUST ANYTHING EXCEPT WHAT YOU YOURSELF CONTROL EVERY SECOND OF THE DAY.

    • REPEATING YOURSELF IN ALL CAPS IS ALWAYS THE BEST WAY TO GET YOUR POINT ACROSS! …or is it?

    • Crips wouldn’t it just be easier to quit using your gear altogether?

      I stopped using a smartphone for the same reasons. Made my life a bit more complicated but no worries on security. No dates, no friends locations when I’m out. Hmm no fun either.

      We have to make some compromises to continue our lives. Are you really doing anything that is so secret you need to watch every packet leave your network?

      Sure protect your identity and your accounts from criminals, forget about the Government they will get what they want no matter what you do.

      At some point you have to ask yourself if it is worth all the trouble.

      Is no trust = no happiness?

    • Where do you find the time? Do you not work, don’t you have a social life or family?

      Also, “all caps” makes you come across as a wanker.

  17. Brian,
    Have there been any reports of ‘bad guys’ taking frequent flier rewards or messing with frequent flier accounts? I only use the business centers at hotels for printing boarding passes.

    • As far as I can tell, most airlines now allow you to print your boarding pass without logging in to your account at their site. In most cases, you merely need to know your frequent flyer number and the destination city and date of travel to pull up your boarding pass.

      • I believe that’s correct. I used a hotel computer in Vegas a couple years ago to print out a boarding pass. I recall my security “senses” telling me that it would NOT be a good idea to login to the airline website with my credentials, but alas, the webpage only required a couple of pieces of information from my itinerary. I did not have to login with full credentials…

  18. There is a newer version (2.0) of the 10 Immutable Laws. The changes are minor, but here is the link FYI:
    http://technet.microsoft.com/en-us/library/hh278941.aspx

  19. Richard Rushing

    Long ago, it was the Night Clerk, or Auditor that would make copies of the Credit Cards. Guess what “Things have not changed that much” Why use them, your laptop is upstairs, your smartphone out of juice. No real reason, if there is you can weight the risks

  20. So how do I get a signed copy of the PDF version ?

    😉

  21. 4-5 years ago, I was staying at the Indianapolis Marriot, came down early and found the lobby public use PC hung. I rebooted it and it came up with a (very comprehensive) keylogger’s splash and configuration screen…which included an unchecked box to hide those screens! I told the the front desk staff, who looked at me like I was speaking Greek and said that they would have their tech look at it…who turned out to be a janitor cum maintenance man knowing nothing.

    Sometimes it’s pointless to tell people they’re holding a firework with a lit hissing ffuse.

  22. And that, kids, is why you combine a least-privilege account with Software Restriction Policy.

    On a practical note, users of Win7 or Win8 can set up the equivalent of WinXP’s old SteadyState. It’s called a Mandatory User Profile. See this KB for the how-to:

    http://www.microsoft.com/en-us/download/details.aspx?id=24373

    Where I work, I have one public PC that uses a Mandatory User Profile, combined with a low-rights account and Software Restriction Policy. The PC in the employee-break area is also set up that way.

    I agree with the overall point: don’t use a publicly-accessible computer for anything that you want to keep private. Even the precautions I described above wouldn’t stop a hardware keylogger dongle from capturing keystrokes, since the computer chassis aren’t physically secured.

    Thanks Brian for the alert.

    • Indeed, a SRP on a restricted account, that disallows all executables from running under the user’s profile (sorry, Google, spread your botnet somewhere else) and all removable drives, along with a locked down BIOS that prevents access to the BIOS and booting off third party media, is fairly hardened.

      But for a determined, knowledgeable individual with physical access it’s just a stumbling block. The good news is determined, knowledgeable individuals don’t grow on trees.

    • That’s great mechBgon! Thanks!

  23. Brian – I’d be curious as to your thoughts on security tips for using the hotel’s guest WiFi network. Back in my Windows XP days, I was able to browse the network folder while on the hotel WiFi and sometimes be able to see other users’ computers. In one case I was able to see files on some guy’s laptop.

    • That’s still the case today with misconfigured systems. They should treat the hotel WiFi as a public (unsecured) network which disables access to file sharing, etc. via the built-in firewall. The problem is that people don’t pay attention and click on the wrong thing when first connecting to the hotel network, because they’re in such a rush to update their Facebook page.

  24. I was just thinking about public institutions such as universities’ computer labs. My son is going off to college this fall & I seem to recall walking by an open computer lab during orientation. I would imagine it would be pretty easy to get a careless students ID or log-in then install key loggers or spyware of some sort onto those computers.

    • Most universities I’ve been to use Faronics Deep Freeze; although I don’t necessarily agree that it is the best solution for those of us that are ultra paranoid, or may be facing nation state attacks on intellectual property or other business related espionage.

    • The computers in labs are typically wiped every time the system is rebooted, with the student’s files kept on a server that’s only accessible with their login & password.

      They also undergo periodic sweeps. When you have 90+ systems setup exactly the same way, anomalies are easy to spot.

  25. In most public library computer centers today users need to sign in to use computers at the individual station, using a verified account number. The sign-in software that checks the accounts also times the sessions. When the user logs out of the session or it times out, the computer will automatically reboot to a clean, pre-set image as a function of the exit. Hotels and other public computer labs could easily adopt this configuration with clean disks shipped out by corporate IT departments or by designing network access to clean images, though the latter might lead to other problems, I suppose.

    • Any kind of reasonable client & server infrastructure could implement that kind of setup, the problem is that most hotels are run by incompetent buffoons who have fired all their IT staff and are incapable of implementing reasonable security as a result.

    • Or simply use the Guest account built into Windows which wipes the profile on every logoff.

  26. The software keylogger I saw 4-5 years at the Marriot had config options for an email to send the logs to, how often to send them, what content the logs should have. And they have to have gotten more sophisticated and powerful since then.

  27. Once I was using the paid computers at the airport and just for the heck of it i ran a malwarebytes scan off my usb and it found 1 zbot detection

  28. To be honest, a USB keylogger is a little obvious to see in the back of the public computer, the most dangerous thing is that they install some keylogger software secretly on their computer for illegal use. I’ve saw a website that introduce a Microkeylogger, which can be installed on the computer and invisibly log everything done on the PC, really terrible~

  29. It’s a shame that it has to be this way but I agree that the only way to completely prevent this situation from occurring is to avoid accessing your private accounts on public computers at all costs. I think that taking the precaution to access something on your own computer rather than a hotel computer is worth keeping your personal information from being shared.

  30. While most hotel and public computers are vulnerable to malicious attacks, certain system, such as VSi FreshStart reboot the hard drive upon each log out, so even though it doesn’t stop the keylogger from logging data, they’re most likely logging only their own activity