Article by Seth Leonard and Dan Phillips,
ITS
News Flash: 4/4/01- "A survey
of IT professionals released today indicates that one in three U.K. businesses
has been the victim of a major security break in. ... Foreign Secretary
Robin Cook warned that computer hacking may pose a greater threat to the
national infrastructure than military attack." [1]
News Flash: 3/20/01- "A restaurant
busboy is accused of using the Internet and Forbes' list of the richest
people in America in a scheme to steal millions from such figures as Steven
Spielberg, Warren Buffett, Martha Stewart, Oprah Winfrey, Ross Perot and
Ted Turner. Police are calling it one of the most ambitious identity-theft
schemes they have seen. They are still tracing the complex electronic
trail to determine exactly how much was stolen, but fear it could be well
into the millions. ... Court papers say [Abraham] Abdallah was carrying
the Social Security numbers, home addresses and birth dates of 217 CEOs,
celebrities and tycoons. ... Abdallah, police say, also had more than 400
stolen credit card numbers, including some that were used to buy about
$100,000 of computer equipment and gold coins." [2]
News Flash: 4/12/01- "In
a parking garage across from Moscone Center [San Francisco] ... Peter Shipley
reaches up through the sunroof of his car and slaps a dorsal-shaped Lucent
antenna to the roof ... snaking a cable into the car and plugging it into
the wireless network card slotted into his laptop. The computer is
already connected to a GPS receiver ... and the whole apparatus is drawing
juice through an octopus of cigarette-lighter adapters. ... The moment
he pulls out of the parking garage, the laptop displays the name of a wireless
network operating within one of the anonymous downtown office buildings ...
Shipley's custom software passively logs the latitude and longitude, the
signal strength, the network name and other vital stats. Seconds
later another network appears, then another ... After 15 minutes ... his jerry-rigged
wireless hacking setup has discovered 17 networks beaconing their location
to the world. After an hour, the number is close to 80. 'These
companies probably spend thousands of dollars on firewalls,' says Shipley.
'And they're wide open.' ... Many here believe that hackers are already
cruising around metropolitan areas in cars and on bicycles with their laptops
listening for the beacons of wireless networks. Using such a network
doesn't even require special software or hardware, an ordinary $150 consumer
wireless card will latch on to the beacons and put you on the Net.
Grand computer capers will be pulled off, not from bedrooms and college
dorms, but from windowless vans in company parking lots, and from park
benches and empty stairwells. 'It's fun, it's the new thing.'" [3]
News Flash: 3/30/01-
At the host hotel of the CanSecWest conference in Vancouver, B.C.
"By registration time, an attendee had already gotten the password to the
hotel's phone system ... and a day later, the hotel's high-speed Internet system
had been accidentally crashed by another attendee who had taken over the
hardware connecting the hotel to the Internet. ... Richard Johnson,
security administrator for the National Center for Atmospheric Research,
connected an Apple Airport wireless hub to his room's high-speed Internet
port, so he could wander around his room and still use the Internet.
Within five minutes, he said, a handful of hackers from nearby rooms had
hitched a ride on his connection as well. ... That sort of curiosity
made the conference's wireless network a security nightmare. Almost
every person on it was either scanning every other person's computer or
just passively listening to what the other computers were doing.
... Normally, a typical user with a personal firewall might see a handful
of alerts every hour, on a busy day. SourceFire's Roesch ... said he
saw 2,300 alerts on his computer in less than five minutes. By the
end of the conference, paranoia had set in. Type a password into
Yahoo? Someone most likely knows it. Send an e-mail to a friend?
Someone's reading it right now. Suddenly, the Internet seemed a lot
less safe." [4]
That is some scary reading. If I were a hotelier, I'd be really
concerned about my network connections, especially if they leave the hotel
itself to connect to corporate offices or to brand flag locations.
If I were a hotelier with high-speed Internet access in my hotel (more
so wireless), I'd be shaking in my boots by now.
Not shy on gumption (read testosterone, read kahonas), we decided to
enter the hacking world, albeit in a friendly manner. The following
information is excerpted from one of our internal reports. The names,
locations and MOs have been left out or altered to protect the innocent.
We performed some network security penetration testing at a hotel providing
high-speed Internet access. The scope of this analysis was targeted
specifically at those facilities. The corporate network facilities
were not directly targeted in this audit. And, some specific testing
procedures were avoided due to their disruptive nature. The audit
was done from two perspectives, from inside the hotel (as a guest) and
from outside the hotel (as a hacker).
Inside Penetration Test Results
Free Internet Access / Risk Factor: HIGH
Within 10 minutes of entering the room, we were able to obtain free
Internet access. In addition, testing revealed that we could identify
whether other guests had purchased Internet access within the last 24 hours.
This gave us the ability to assume the network identity of the other guest,
using their paid access for ourselves.
Monitoring Internet Usage of Guests / Risk Factor: HIGH
We were able to identify other guests who were actively using the high-speed
Internet system. We were able to re-route their Internet traffic
to go over our own computer. This would allow us to monitor all of
that guest's Internet activities. This attack could garner personal
information such as credit cards, passwords, e-mail, Web sites visited,
and more.
Denial of Service / Risk Factor: MEDIUM
Testing revealed a malicious guest could cause severe network interruptions,
rendering high-speed Internet unusable for all guests. Some of these
attacks would be capable of affecting the hotel's corporate network facilities.
Offsite Penetration Test Results
Network Topology Discovery / Risk Factor: MEDIUM
By utilizing a number of freely available scanning programs, it was
possible to discover the topology of the hotel's network(s). Testing
revealed the hotel's high-speed Internet network as well as their corporate
network plus two other completely separate companies' networks. Further
scanning revealed several network routers, at least three Aironet wireless
LAN routers, at least two firewalls, several Windows NT computers and several
network switches. This information can potentially aid attackers
in finding weaknesses in the network. An attacker may choose to focus
the attack on a single point in the network.
Cisco SNMP Write Community Strings / Risk Factor: HIGH
Testing revealed that most of the Cisco equipment installed on this
network has Simple Network Management Protocol (SNMP) enabled for
remote administration. Community strings act like passwords to allow
remote updates using SNMP. In this hotel's case, the password was
left at the commonly known default setting. This would allow for
easy sniffing and monitoring of both the high-speed Internet and the hotel's
corporate networks by reconfiguring SNMP-enabled devices.
Cisco Web-enabled Management of Devices / Risk Factor: MEDIUM
Testing revealed many of the installed Cisco devices on the network
have remote, Web-based management utilities enabled. None of the
Web-enabled Cisco equipment was determined to have any default passwords
installed. This would allow an attacker to obtain administrator passwords
from which they could sniff or monitor activity by reprogramming the network
devices.
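An added example, not part of the original article or the audit it excerpts: a small Python check that reads a Cisco IOS configuration and flags the two device-management findings above, default or unrestricted SNMP community strings and Web management left enabled. The sample configurations are constructed, and `public`/`private` are assumed to be the defaults in question, since the report does not name the string it found.

```python
import re

# Assumption: the well-known default community names; the report names none.
DEFAULT_COMMUNITIES = {"public", "private"}

# IOS syntax: snmp-server community <string> [view <name>] [ro|rw] [<acl>]
SNMP_RE = re.compile(
    r"^snmp-server community (\S+)(?: view \S+)?(?: (RO|RW))?(?: (\S+))?$",
    re.IGNORECASE,
)

# Constructed sample configurations (not taken from any real device).
SAMPLE_CONFIG = """\
hostname guest-hsia-sw1
!
snmp-server community public RO
snmp-server community private RW
snmp-server community Xk29vq RW 10
ip http server
"""
HARDENED_CONFIG = """\
snmp-server community Xk29vq RO 10
no ip http server
"""

def audit_ios_config(text):
    """Return (risk, line_number, message) tuples for risky management settings."""
    lines = [raw.strip() for raw in text.splitlines()]
    # An access-class anywhere in the config restricts who may reach the HTTP server.
    http_restricted = any(l.startswith("ip http access-class") for l in lines)
    findings = []
    for no, line in enumerate(lines, 1):
        m = SNMP_RE.match(line)
        if m:
            name, acl = m.group(1), m.group(3)
            mode = (m.group(2) or "RO").upper()  # IOS defaults to read-only
            if name.lower() in DEFAULT_COMMUNITIES:
                risk = "HIGH" if mode == "RW" else "MEDIUM"
                findings.append((risk, no, f"default community '{name}' ({mode})"))
            if mode == "RW" and acl is None:
                findings.append(("HIGH", no, "write community has no access list"))
        elif line == "ip http server" and not http_restricted:
            findings.append(("MEDIUM", no, "Web management enabled, no access-class"))
    return findings

if __name__ == "__main__":
    for risk, no, msg in audit_ios_config(SAMPLE_CONFIG):
        print(f"{risk:6} line {no}: {msg}")
    print("hardened findings:", audit_ios_config(HARDENED_CONFIG))
```

Run it against saved copies of each device's running configuration; the risk labels mirror the HIGH and MEDIUM ratings used in the report.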
Access to One Other Company / Risk Factor: HIGH
Testing revealed the presence of a high-speed services device used
by one of the other companies mentioned earlier. This equipment had
TELNET administrative services, which allows engineers remote access with
a user login screen. The username field was already populated, presumably
from previous access attempts. There was no password beyond the user
name. This access would allow one to reprogram the network to allow
unauthorized access to the high-speed services.
The hospitality industry will soon be hit with another wave of high-speed
Internet access vendors touting that they have solved all of the previous
problems. These new providers will be bringing content, like streaming
video, with high-speed access to make it more attractive to guests and
hopefully drive more revenue. However, the problems they think they
will have addressed will be things like their own financing (staying power),
marketing, take rates, deployment, ease-of-use and in-room equipment.
Because the lack of security on these systems has not become headline news
to date, they will not have addressed it.
If you are in the majority of hotels that have yet to install the high-speed
stuff, when you plan to do so, enlist the aid of a specialized security
analyst to help you protect your hotel from significant liability.
If you already have the stuff installed, run, don't walk, to get yourself
an audit of your system to see just how vulnerable you are.
There is a Fortune 100 company that has a training facility/hotel that
they also rent out to other companies. The facility is loaded with
computers in public spaces that have access to the Internet. For
the ease of their own corporate users, direct connections to the company's
Intranet are set up in a menu format with just a default password in the
way. Now, what would happen if one of their competitors happened
by one day and sat down at a terminal?
Or, try this thought out. Your high-speed Internet network is connected
to your PMS for billing purposes. Or, your hotel administrative network
is tied into the high-speed network for Internet access. Now, follow
the path:
- Guest room (or outside hacker) to high-speed network
- High-speed network to PMS
- PMS to back office accounting
- PMS to reservations
- Reservations to central reservations system
- Back office accounting to management company network
- Admin network to management company network
With just a little imagination, the honest person can see some real havoc
being raised here. Can you imagine what a malicious person can see?
KA-CHING!
Seth Leonard and Dan Phillips both work for ITS, Inc., an independent
consulting firm specializing in the technology and hospitality industries.
When they are not hacking into systems, they can be reached at (770) 569-5880,
or at [email protected].
[1] By Will Knight, ZDNet, "One in three U.K. companies have been hacked"
[2] By Tom Hays, Associated Press writer, "Hacker Uses Forbes List to Steal"
[3] By Kevin Poulsen, SecurityFocus News, "War driving by the Bay"
[4] By Robert Lemos, Special to CNET News.com, "Curiosity kills network at security confab"
© 2001 Hospitality Upgrade. No reproduction or transmission without
written permission.