.

From the Duh Dept: Study Shows Hotel Wireless Insecure

<<

don

User avatar

Administrator
Administrator

Posts: 4226

Joined: Sun Aug 28, 2005 10:47 pm

Location: Chicago

Post Tue Oct 07, 2008 11:36 am

From the Duh Dept: Study Shows Hotel Wireless Insecure

So is it just me, or does this fit into one of those categories of useless spending on studies to prove what is common knowledge? Or is the general computing public really that naive about security still?


Study: Hotel network security lacking

Most U.S hotels are vulnerable to malicious attacks and are "ill prepared" to protect their guests from internet security problems, claims a study published by Cornell University.

The study, “Hotel Network Security: A Study of Computer Networks in U.S. Hotels” examined the security of 147  hotels through surveys, interviews and on-site testing.

“Many hotels have flaws in their network topology that allow for exploitation by malicious users, thereby resulting in the loss of privacy for guests,” the study says.

One of the study authors, Josh Ogle, a Cornell University graduate and founder of IT services company TriVesta, performed on-site testing at 46 hotels in Virginia, North Carolina, Texas, Maryland, Tennessee and Pennsylvania - making sure to hit both tourist and business travel destinations.

Ogle tested wireless networks at 38 hotels and wired networks at eight.  He found the majority were vulnerable to attacks.

“Out of the 38  wireless, I was able to break into 33,” Ogle told SCMagazineUS.com Monday. “And by break into I mean, accept data from someone else's computer that wasn't meant to be on mine.”

Ogle used the Linux distribution BackTrack, meant for network testing. In addition, following recommendations of hackers on vulnerability mailing list Full Disclosure, Ogle used a high-power wireless card and high-gain omnidirectional antenna to crack the networks. The setup cost less than $100, he said.

Ogle said using this method a hacker can see all unencrypted information coming into and leaving the network -- including passwords, email messages and any web pages people are viewing.

Of the hotels compromised, each took about 10 minutes to breach. Some hotel employees inadvertently assisted in the breach by providing passwords and access instructions.

“They are extremely unsecure,” Ogle said of hotel wireless security. “I was very disheartened by what I saw. I wasn't surprised, but I was disheartened.”

Ogle recommended that all hotels use Wi-Fi Protected Access (WPA) encryption, which requires a password to get on the network and encrypts all data transmitted. Of the hotel networks that Ogle was not able to crack, the majority used WPA encryption

For guests, Ogle recommended connecting to the internet using a Virtual Private Network (VPN), having updated anti-virus and firewall software and making sure each secured website starts with “https://” rather than “http://”.

The danger of not securing a hotel's network is that a malicious user could gain access to guest information or other confidential files, Domenic Carmona, director of IT at the W Dallas-Victory hotel, told SCMagazineUS.com Monday.

Carmona recommended hotels use WPA encryption as the minimum standard. He also stressed the importance of having a robust set of firewalls that are managed and properly configured, splitting networks, and educating staff of the importance of security standards.



Original story:
http://www.scmagazineus.com/Study-Hotel ... le/118819/

Don
Last edited by don on Tue Oct 07, 2008 11:38 am, edited 1 time in total.
CISSP, MCSE, CSTA, Security+ SME
<<

KrisTeason

User avatar

Hero Member
Hero Member

Posts: 515

Joined: Sat Sep 08, 2007 7:48 pm

Location: /dev/null

Post Tue Oct 07, 2008 12:32 pm

Re: From the Duh Dept: Study Shows Hotel Wireless Insecure

Good post don & I've got to state it's all true. A buddy of mine sits takes his Alfa USB 500mW WiFI Adapter with him each time he goes on vacation, runs his aircrack tool and free internet. Despite people who actually pay for internet services in hotels, it's pretty crazy just to imagine what an attacker can do passively on the network(consider dns spoofing, sniffing, etc). Hotels need to start "beefing" up their security. It's honestly gotten to the point where mere script kiddies can show up to a hotel and run automated tools like Spoon WEP or Wesside-ng to get keys and then a lot of peoples privacy can be invaded. I think it's good he made this widely known and the article is posted maybe it'll serve as a wake up call. Thanks for the good read don.
eCPPT (Silver/Gold), eWPT, GSEC, GISP, GCIH, OSCP, OSWP
<<

jason

User avatar

Hero Member
Hero Member

Posts: 1013

Joined: Sat Jun 21, 2008 6:23 pm

Location: USA

Post Sat Nov 01, 2008 6:58 pm

Re: From the Duh Dept: Study Shows Hotel Wireless Insecure

don wrote:Or is the general computing public really that naive about security still?


I'm afraid so. Not only do hotels almost universally have poor wireless security, but they also provide one of the single best hunting grounds that someone looking to snare sensitive information could ever wish for. Even worse than many people being naive about security is that they are wilfully so.
<<

gstefanick

Newbie
Newbie

Posts: 3

Joined: Sun Dec 28, 2008 8:23 pm

Post Sun Dec 28, 2008 11:34 pm

Re: From the Duh Dept: Study Shows Hotel Wireless Insecure

Having an extensive 802.11 background and having designed various type of WLAN networks over the years i learned quickly that hotels spend little money on hotel wireless. In fact, Im a frequent traveler and i cant tell you how many times you could gain access to the routers and or aps with the default values. I've seen some really scary designs where high mW radios with high gain antennas have been used which isnt ideal for reliable connectivity.

In most cases, the easiest way to secure a public wireless solution is via an appliance like bluesocket or asa where you can block peer to peer connections and do https connections .However layer 2 is still wide open and will be for sometime ....
Last edited by gstefanick on Sun Dec 28, 2008 11:38 pm, edited 1 time in total.
CCNA, CWNA, CQS-CWLANSS
<<

jason

User avatar

Hero Member
Hero Member

Posts: 1013

Joined: Sat Jun 21, 2008 6:23 pm

Location: USA

Post Sun Dec 28, 2008 11:41 pm

Re: From the Duh Dept: Study Shows Hotel Wireless Insecure

Unfortunately, there seems to be little incentive for hotels to do anything about the issue. I don't imagine the situation changing any time soon.
<<

Ne0

Jr. Member
Jr. Member

Posts: 62

Joined: Thu Sep 04, 2008 5:28 pm

Post Tue Feb 17, 2009 7:02 am

Re: From the Duh Dept: Study Shows Hotel Wireless Insecure

i dont think so hotel administration or hotel IT guys didnt think of this , obv they have thought of it , but not taking any intiatives on this as the more security u give to the wifi , the more the problems in clients getting connecting to it , as most of the old laptops dont support new version of wifi encrption, so they didnt proceed with any further steps for the security
<<

timmedin

User avatar

Sr. Member
Sr. Member

Posts: 469

Joined: Thu Feb 05, 2009 11:18 pm

Post Tue Feb 17, 2009 10:05 am

Re: From the Duh Dept: Study Shows Hotel Wireless Insecure

Funny anecdote about hotel wireless...
I was taking the GPEN class which was being held at a hotel. During the section on wireless and how bad open wireless is, I decided to run my own excercise and sniff the wireless for five minutes. I looked through the capture during the break which followed and found I had grabbed email credentials for two people in the class. Ironic, discussing the insecurities in a hacking class and two people enter clear text passwords at the same time.

(I did tell them and asked them to change their passwords, one had to call is ISP to do it.)
twitter.com/timmedin | http://blog.securitywhole.com
<<

dalepearson

Sr. Member
Sr. Member

Posts: 357

Joined: Thu Nov 09, 2006 10:03 am

Post Tue Feb 17, 2009 10:11 am

Re: From the Duh Dept: Study Shows Hotel Wireless Insecure

Don,
I do think its still not really apparent to the common person. I am not sure if its really their fault to some extent, as I feed to some degree the security community do not take the responsibility to share the required awareness, so it just sits in the InfoSec security space.

I see it as my responsibility as an InfoSec professional to educate the people (I am sure I bore many), but it if saves a few people getting owned, its worth it.

Sadly it will long continue, but ona positive keeps us working :)
<<

jason

User avatar

Hero Member
Hero Member

Posts: 1013

Joined: Sat Jun 21, 2008 6:23 pm

Location: USA

Post Tue Feb 17, 2009 11:06 pm

Re: From the Duh Dept: Study Shows Hotel Wireless Insecure

dalepearson wrote:I do think its still not really apparent to the common person. I am not sure if its really their fault to some extent, as I feed to some degree the security community do not take the responsibility to share the required awareness, so it just sits in the InfoSec security space.


I disagree. If you're going to use the technology, then it's your responsibility to learn how to use it safely. Ignorance is no excuse.
<<

timmedin

User avatar

Sr. Member
Sr. Member

Posts: 469

Joined: Thu Feb 05, 2009 11:18 pm

Post Wed Feb 18, 2009 12:23 am

Re: From the Duh Dept: Study Shows Hotel Wireless Insecure

“Out of the 38  wireless, I was able to break into 33,” Ogle told SCMagazineUS.com Monday. “And by break into I mean, accept data from someone else's computer that wasn't meant to be on mine.”


Actually, I am really suprised the number isn't higher.
twitter.com/timmedin | http://blog.securitywhole.com
<<

RoleReversal

User avatar

Hero Member
Hero Member

Posts: 928

Joined: Fri Jan 04, 2008 8:54 am

Location: UK

Post Wed Feb 18, 2009 1:49 am

Re: From the Duh Dept: Study Shows Hotel Wireless Insecure

dalepearson wrote:I see it as my responsibility as an InfoSec professional to educate the people (I am sure I bore many), but it if saves a few people getting owned, its worth it.

jason wrote:I disagree. If you're going to use the technology, then it's your responsibility to learn how to use it safely. Ignorance is no excuse.


I can understand both sentiments, and I definitely believe that personal responsibility should be increased. However, I know when I've tried to explain the latest and greatest (or oldest and best understood) exploit or vulnerability to a non-techie, I've had people's eyes glaze over (like BofH's 'dummy mode') and often respond with 'don't care'.

Ultimately, if people (in any situation) don't have to deal with the consequence of the 'if' then they don't see the benefit in taking the longer, correct route.

This could be the fault of helpful techies, how many of us have repeatedly shaken our heads when friends and families or clicked something they shouldn't (please upgrade codec to view your pr0n...) but then taken the machine off their hands for a day to fix the issue. If we made them clean it themselves they might think twice about clicking that link next time...

just my thoughts (and it's too early without a coffee for coherent thought ;) )
<<

Ne0

Jr. Member
Jr. Member

Posts: 62

Joined: Thu Sep 04, 2008 5:28 pm

Post Thu Feb 19, 2009 1:39 am

Re: From the Duh Dept: Study Shows Hotel Wireless Insecure

there are 2 kind of people who visit HOTELS
they are , either for vacation or for business
both of them just need connection they dont have to bother if its secured or not secured, if secured how much, they just need there deim connection, where the IT engineer have to scumb for there calls they can't make the guest understand tht " there WPA or WEP is stronger and they need to do some changes in the laptop, and they get a big reply NO just connect me now" poor security has to say OK SIR
then how are we suppose to make them educate to say that this securities is for there own safety , we need to think abt this
<<

jason

User avatar

Hero Member
Hero Member

Posts: 1013

Joined: Sat Jun 21, 2008 6:23 pm

Location: USA

Post Thu Feb 19, 2009 9:33 am

Re: From the Duh Dept: Study Shows Hotel Wireless Insecure

RoleReversal wrote: I've had people's eyes glaze over (like BofH's 'dummy mode') and often respond with 'don't care'.

Ultimately, if people (in any situation) don't have to deal with the consequence of the 'if' then they don't see the benefit in taking the longer, correct route.


Great. That's their choice to make. I'm not going to follow them around and make sure that they're using a jimmy hat either. There's a whole Rush song about all this business  :P
<<

Ne0

Jr. Member
Jr. Member

Posts: 62

Joined: Thu Sep 04, 2008 5:28 pm

Post Sat Feb 21, 2009 2:42 am

Re: From the Duh Dept: Study Shows Hotel Wireless Insecure

sure wht it ends with is who has what and who has lost what, if they ignore our words :)
<<

Soolari

Newbie
Newbie

Posts: 13

Joined: Thu Feb 19, 2009 10:00 pm

Post Thu Mar 12, 2009 9:02 pm

Re: From the Duh Dept: Study Shows Hotel Wireless Insecure

Hey..guyz ur boi need hlp am about 2 hack wireless with wep key how do i do dat plz
Next

Return to Wireless

Who is online

Users browsing this forum: No registered users and 0 guests

cron
.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software