Call Us: 555-555-1234

KEY LOGGER IN HOTELS


Advisory: download pdf


The Threat: Recently several major hotels customers have been targeted by cyber criminals to steal their login credentials and passwords and gain access to account such as web based emails, financial transactions, investing services or company login information. Two suspects were recently arrested for accessing a hotel’s business center and placing malicious key logging software on the hotel’s business center computers.  The key logger enabled the suspects to exfiltrate large amounts of information such as Personal Identifiable Information (PII), banking login credentials, webmail passwords, as well as other sensitive data out of the business center’s computer via the internet to the suspect’s web based email accounts. 


In most cases the attack vector utilized by cyber criminals is a network based exploit or vulnerability from your browser, link, attachment or scanning your system. Attackers who gain physical access to a computer can easily compromise the system to further their efforts. An unauthorized or unescorted visitor can be a physical threat and steal logical data. Any device that is connected to your business network must be protected to ensure that it cannot be turned into a tool to be used in an attack. Hotels in the area should be on alert and take immediately action and check their business center computers for malware such as key loggers and also assess their current physical and logical security environment.


KEY LOGGER:



A Key logger also known as a keystroke logger can monitor and track the keys struck on a keyboard. Keylogging can be hardware or software based and along with others types of malicious code. Although each types of keystroke logging programs have their own features most record, monitor your actions secretly and actively transfer the data to another system through e-mail, file transfer, or other means. The attackers in this case utilized a software based key logger application in which they saved and downloaded from their Gmail accounts.  The attackers would rent a hotel room with stolen credit cards, access the business center’s computers, login to their Gmail accounts and execute the malicious key logging software on to the business center’s computer. The key logger was an automated malicious program which exfiltrates all captured keystrokes to the attackers Gmail accounts.


When arrested the suspects were in possession of numerous printed records and log-in credentials of hotel customers who accessed several hotel business centers. The investigation has also revealed that the suspects had already compromised several major hotels in the area and were planning to target others.  Although the breach occurred outside of the company’s enterprise system and was on two stand alone computers with independent segmented internet access, having your patron’s data compromised can be devastating to a company’s brand, causing legal and financial risks. The vulnerabilities also represent potential costs, time, and exposure for visitors of these centers as well.


This type of attack was not very sophisticated, nor did it require a high degree of technical skill. It simply highlights the level of exposure involved when attackers utilize a low-cost, high impact strategy to access a physical system and steal sensitive logical information.



NEED FOR CONVERGENCE
Physical and Logical Security (Cyber Security):



This particular type of criminal activity highlights the importance of the need for convergence of Physical and Logical security and the fact that they are interdependent of each other. Physical events can have cyber (logical data flow) consequences and Cyber events can have physical consequences.  As a dual mission agency, the United States Secret Service has long recognized the importance of this methodology in its Protective mission of protecting people and events. The United States Secret Service Critical System Protection methodology focuses on both the Physical and Logical (Cyber) assessment of events and has recognized that to be truly effective in protecting any system you must establish, monitor and maintain control over both the physical and logical access of that event.  


This methodology applies not only to the protection of people and events but should also be  utilized across all critical infrastructure and key resource sectors such as Commercial Facilities, Banking and Finance, Information Technology, Telecommunications, and Industrial Control Systems in protecting their systems.  In most companies the physical security personnel and information Technology specialist may not understand each other roles. Yet both are focused on the same goal of protecting their business systems, personnel, customers and clients.  With the accelerated pace of technological and a changing threat landscape, the separation of physical and logical security is no longer possible.  Convergence provides an enterprise wide perspective that brings together technical staff, engineering, physical security specialist and management together to help maintain business continuity and provide a company with better accountability for managing risk. Convergence and collaboration does not necessarily mean integration and it certainly does not mean staff reductions. Most security budgets already lack the funding and resources to keep up with the cyber criminals of today who are well organized, well funded and can take advantage of the latest technology.


But a collaborative effort which may require adaptive changes is needed. The numbers of devices connected to the internet are growing exponentially.  With global travel and network connectivity threats to your systems can come from anywhere in the world.  Mobility and customization of devices are expected in the changing work force while cloud and virtualization services are becoming the norm.  In today’s environment cyber security must be designed to be flexible and ready for change.  The convergence of physical and logical security is a proactive approach that increases our chances of identifying attack methodologies while building a better response such as automation to stop, reduce or mitigate future damages. While we can never remove risk completely, you can certainly try to reduce it. The hotel industry like others in the commercial facilities sector will see greater efficiency with a more holistic management structure that communicates and collaborates together to:


•Understand the risk threats and vulnerabilities facing their enterprise system. (Both Physical/Logical)
•Knows what you have that other may want (Both Physical /Logical)
•Takes complete inventory of their network topology. (Physical nodes and logical flow of data)
•Assess the network access control (logical) and access control (physical) that serve as the gateway in and out of their business. 


 

RECOMMENDATIONS:
Securing a business system with public access.


• Understanding that you will always have to balance risk with convenience


•Control physical access to business center and any other areas where company systems are stored. Employ advanced authentication techniques for computer user login (two-factor authentication)  making sure they are set to log out automatically if left unattended for more than a few minutes.


•Make sure your system receives automatic updates and patches to make sure you have the latest protection. Any software that you install must be kept up-dated. 


•Deploy banner: cautioning customers from accessing bank, brokerage or other financial information at publically accessible places.


•Operate Under the Principle of Least Privilege: consider using a standard or restricted user account for day-to-day activities.


•Consider running any stand alone system with a virtual operating system or virtual browser. In case of a malicious malware infection you have the ability to wipe and reinstall the same system monthly, weekly or even daily.


•Individual unique log on credentials be generated for access to both business centercomputers and Wi-Fi;ix this may deter individuals who are not guests from logging in.


•All accounts be given least privilege accesses; for example, guests logging in with thesupplied user ID and password should not be able to download, install, uninstall, or savefiles whereas one authorized employee may have a need for those privileges to carry outdaily duties.


•Virtual local area networks (VLANs) are made available for all users, which will inhibitattackers from using their computer to imitate the hotel’s main server.


•All new devices are scanned (e.g. USB drives and other removable media) before theyare attached to the computer and networkxii; disabling the Auto run feature will alsoprevent removable media from opening automatically.


•Predetermined time limits are established for active and non-active guest and employeesessions.


•Safe defaults are selected in the browsers available on the business center desktops (e.g.Internet Explorer, Mozilla Firefox). Options such as private browsing and ‘do not track’for passwords and websites are some of the many available.


 

CONSUMER REMEDIATION:


 

Monitor your credit report or sign up for a credit report monitoring service

  1. Place a fraud alert or security freeze on all three national credit reports (Equifax, Experian and TransUnion). A freeze will block access to your credit file while a fraud alert will alert them of possible fraud.
  2. Change any passwords to accounts you may have accessed and check any related accounts If attackers have access to your email account they may gather information about other account. 
  3. Consumers may also contact the Federal Trade Commission (FTC) at (877) 438-4338 or via their website at www.consumer.gov/idtheft or law enforcement to report incidents of identity theft.