   BBS_CARNIVAL      Your BBS software rules and others suck      5,461 messages   

   Message 3,622 of 5,461   
   Sean Dennis to All   
   Hotel network security   
   26 Jun 19 10:34:56   
   
   CHRS: CP437 2   
   MSGID: 1:18/200@fidonet 56316870   
   PID: MBSE-BBS 1.0.7.12 (GNU/Linux-x86_64)   
   TZUTC: -0400   
   TID: MBSE-FIDO 1.0.7.12 (GNU/Linux-x86_64)   
   From: https://tinyurl.com/y5qvmcoy (bloomberg.com)   
      
   ===   
   The Hotel Hackers Are Hiding in the Remote Control Curtains   
      
   Back doors to your personal data can be found in everything from smart fish
   tanks to Wi-Fi pineapples.
      
   By Patrick Clark   
      
   Three men dressed for business travel in jeans and dress shirts loaded   
   backpacks into the trunk of a black coupe and wound their way through the   
   center of a major European city.  When they arrived at their hotel, they   
   unloaded their luggage and waited giddily to pass through the revolving   
   doors.  They were checking into the hotel to hack it.   
      
   Hackers target financial institutions because that's where the money is, and   
   they target retail chains because that's where people spend the money.   
   Hotels might be a less obvious target, but they're hacked almost as often   
   because of the valuable data that passes through them, like credit cards and   
   trade secrets.  Thieves have targeted electronic door locks to burgle rooms   
   and used malware attacks to log credit card swipes in real time.  They've   
   even used Wi-Fi to hijack hotels' internal networks in search of corporate   
   data.  Just about all of the industry's major players have reported   
   breaches, including Hilton Worldwide Holdings, InterContinental Hotels   
   Group, and Hyatt Hotels.   
      
   The group's leader checked in at the front desk.  One of his associates   
   strolled along the length of the reception area, noting that the property   
   used an outdated point-of-sale system, and another used a mobile app called   
   Fing to scan for hidden networks.  While they waited for the staff to finish   
   preparing their room, the hackers took coffee on a terrace.  They opened up   
   the published code for the hotel website and exploited an outdated plug-in   
   to compile a list of admin names.   
      
   Ultimately they were looking for a door.  Sure, they could slip a thumb   
   drive into the neglected register at the far end of the restaurant bar and   
   log credit card numbers until somebody noticed the device.  But they would   
   rather find a way into the property management system, or PMS, which hotels   
   use to take reservations, issue room keys, and store credit card data.   
      
   Better still would be to do what they did at a hotel in New York City.   
   After plugging the internet cable from the room's smart TV into a laptop,   
   they got into the hotel's PMS, which led to the chain's corporate system.   
   Emails Bloomberg Businessweek viewed show they gained access to credit card   
   information for years' worth of transactions across dozens of hotels.   
      
   If they had been crooks, the team would have sold the information on the   
   black market, where a Visa with a high limit can go for about $20.  These   
   hackers, however, were good guys: IT consultants who were frustrated with   
   their hospitality clients' lax approach to security.  To demonstrate the   
   industry's weaknesses, their leader arranged for a reporter to tag along on   
   an audit of one of his clients' hotels.  The conditions: The hackers   
   wouldn't break into the personal devices of hotel guests, and neither the   
   hotel, the city, nor the hackers could be named.   
      
   Once they got to their room, the hackers concentrated on finding the hotel's   
   internal network--the one used by staff, not the one guests use to stream   
   pornography and FaceTime their families.  In one famous example, hackers   
   breached the internet-connected fish tank in the lobby of a Las Vegas casino   
   and used that exploit to find a database of high rollers on the property's   
   internal network.   
      
   But this room was an older make, with a dumb TV, old phones, and a standard   
   minibar, equipped with Heineken and Toblerone but no internet.  Then one of   
   the hackers started rooting around in the window frame.  Nestled in a top   
   corner was an internet port, designed to let guests open and close the   
   curtains by remote control.   
      
   "This will be the way in," the leader said.   
      
   How much of the responsibility for guarding electronic transmissions lies   
   with hotels and how much with guests is "a nasty philosophical question,"   
   says Mike Wilkinson, global director at Trustwave SpiderLabs.  Mark Orlando,   
   chief technology officer for cybersecurity at Raytheon IIS, advises   
   corporate clients to avoid using personal devices altogether while on the   
   road.  That could mean requesting a loaner laptop or buying a burner phone.   
   Even ordinary travelers should use virtual private networks to connect to   
   the internet when outside the U.S., he says.   
      
   But no amount of personal digital security could have saved travelers from
   the massive attack Marriott International Inc. discovered last year.  In
   early September 2018, an automated security tool flagged a suspicious query   
   in the reservation database for Starwood Hotels & Resorts Worldwide Inc., a   
   company Marriott had acquired two years earlier.  In the weeks that   
   followed, security investigators discovered a remote access trojan (RAT),   
   software that lets hackers take control of a target computer, as well as   
   another piece of malware that scours computer memory for usernames and   
   passwords.   
      
   Clues left behind by the digital trespassers suggest they made off with as   
   many as 383 million guest records, as well as more than 5 million   
   unencrypted passport numbers and more than 9 million encrypted payment   
   cards.  Marriott hasn't found any evidence of customer data showing up on   
   dark-web marketplaces, CEO Arne Sorenson told a Senate committee hearing in   
   March.  That sounds like good news but may actually be bad.  The lack of   
   commercial intent indicated to security experts that the hack was carried   
   out by a government, which might use the data to extrapolate information   
   about politicians, intelligence assets, and business leaders.   
      
   "From an intelligence standpoint, there are some real advantages to   
   understanding where high-profile people are going to be ahead of time," says   
   Gates Marshall, director of cyber services at CompliancePoint Inc., whose   
   consulting clients include airports.  "There's a market for travel   
   itineraries.  It's not a commercial market, it's more of a geopolitical   
   one."   
      
   Sorenson has said he doesn’t know who's responsible for the attack—and   
   likely never will.  Others have been more willing to point the finger,   
   including U.S. Secretary of State Mike Pompeo, who attributed the hack to   
   China in an interview with Fox & Friends in December.   
      
   Hospitality companies long saw technology as antithetical to the human touch   
   that represented good service.  The industry's admirable habit of promoting   
   from the bottom up means it's not uncommon to find IT executives who started   
   their careers toting luggage.  Former bellboys might understand how a hotel   
   works better than a software engineer, but that doesn't mean they understand   
   network architecture.   
      
   There's also a structural issue.  Companies such as Marriott and Hilton are   
   responsible for securing brand-wide databases that store reservations and   
   loyalty program information.  But the task of protecting the electronic   
   locks or guest Wi-Fi at an individual property falls on the investors who   
   own the hotels.  Many of them operate on thin margins and would rather spend   
   money on things their customers actually see, such as new carpeting or   
   state-of-the-art televisions.   
      
   The result is a messy technological ecosystem that runs on old software.   
   Many hotels use Opera, sold by Oracle Corp., as their PMS.  A common version   
   was designed for a legacy Windows operating system, and directs users to   
   disable security features to make the software work.  An instruction manual   
   for the software starts with a step-by-step guide on how to lower your   
   defenses: First, turn off data execution prevention, a feature that protects   
   system memory from malicious code.  Next, deactivate user account control,   
   making it easier for hackers to gain administrator privileges.  Finally,   
   disable Windows Firewall.  Now you're ready to book reservations and take   
   credit card payments.  (Oracle's security guide advises users to "harden"   
   their operating systems after installation.)   
      
   Even worse, many hotels put their PMS online, letting hackers break in from   
   thousands of miles away.  Joshua Motta, CEO of cyber insurer Coalition Inc.,   
   ran a search of the admin page used to support Opera online and found 1,300   
   instances of the application running on the public internet, from   
   Newfoundland to the Maldives.  "All of a sudden your system is only as
   secure as a username and password," Motta says, "which hackers have
   repeatedly shown isn't terribly effective."

   "Customers are encouraged to upgrade their systems and software to the most
   recent version to provide the highest level of security measures
   available," says Oracle spokeswoman Deborah Hellinger.
      
   While hotels are struggling with basic cybersecurity, they're building   
   massive databases of personal behavior.  One of the ironies of the Marriott   
   breach is that the company acquired Starwood because Sorenson thought adding   
   its popular loyalty program and fancy hotels would give him a moat against   
   digital middlemen, who seek to collect fees for helping travelers find hotel   
   rooms.  Marriott's new heft would give customers more incentive to book   
   directly with the company, cutting out Expedia, Booking.com, and other   
   online travel agencies, as well as advertising giants Google and Facebook.   
      
   At some properties, hotel brands are already collecting data on what   
   temperature you like your room and how you like your eggs, betting that   
   knowing that stuff can translate into better service.  Other kinds of   
   customer data--the annual conferences you attend or the date of your wedding   
   anniversary--are largely untapped marketing opportunities.  Some companies   
   are also experimenting with putting voice assistants in their rooms or using   
   facial recognition to streamline check-in.  Privacy issues abound, but even   
   more mundane advances are fraught with trade-offs between convenience and   
   security.  It's increasingly common for travelers to check in to a hotel   
   from a mobile app, bypass the front desk, and get into their room by using   
   their phone as an electronic key.   
      
   In an interview in June, Sorenson said that the hack had forced his company   
   to take a harder look at how it manages cybersecurity, adopting forensic   
   tools that it used in the wake of discovering the breach as part of its   
   daily security hygiene.  He also argued that privacy issues are manageable.   
      
   "The information that we want and you may want us to have, that allows us to   
   better serve you, is often not that sensitive," he said.  "The fact that you   
   like feather pillows, or a low floor, or a high floor.  Now it is personal.   
   But we're not collecting information about which man or woman you show up in   
   our hotel with and whether one's a spouse and one's not."   
      
   The internet-connected drapery hadn't led the hackers into the hotel PMS,   
   but it did set the team on a frenzied search for other connections.  One   
   hacker dragged a chair into the vestibule and balanced on the arms, the   
   better to lift a mahogany ceiling panel.  Another found an internet port in   
   the ceiling of the walk-in closet.  Only one problem: No one had brought a   
   10-foot cord.   
      
   "We should call housekeeping and ask for a ladder," one of them said.   
   "We're trying to hack into your network," he joked.  "Can I have a ladder?   
   Of course, sir.  Is there anything else I can do for you?" Instead, they   
   balanced an ironing board on an ottoman, rested a laptop on top of it all,   
   and plugged in, using a network scanner tool to search for IP addresses that   
   looked as if they could be hosting the PMS.   
      
   While they waited to find a signal, they took stock of the failures and   
   successes of the hotel's defenses.  All things told, the security was better   
   than the team expected, but it was still disconcertingly porous given the   
   presumption of safety most guests think they have inside a hotel.  If they   
   were actually trying to breach the network, they would have tried to crack   
   the hotel staff's accounts to try to take control of the hotel website.  At   
   a minimum, it would have let them collect credit card info from every new   
   booking.  Before they'd checked in to their room, the leader had used his   
   phone's hotspot to create a new Wi-Fi network, naming it after the hotel.   
   Within minutes, six devices had joined his spoofed network, exposing their   
   internet activity to the hackers.  (If he really wanted to go after guests,   
   he would have used a device called a Wi-Fi pineapple to automate the   
   process.)   
      
   It wasn't all bad.  When one of the hackers asked a waitress to charge his   
   phone, she went out of her way to plug the device into a wall charger   
   instead of her computer.  More important, the hotel's internal network was   
   well protected.   
      
   Impatient to speed up the process, the team leader called his office and had   
   a colleague look up the correct IP range for the hotel network.  The PMS,   
   however, didn't respond.  The door was locked.   
      
   But then another door opened.  One of the hackers used a kind of attack   
   called a distributed denial of service to kick a guest device, "Jamie’s   
   iPad," off the hotel Wi-Fi.  That could have been the prelude to tricking   
   her iPad into joining the spoofed network, and snooping on her   
   communications.  On the bright side, the hackers might never find out what   
   Jamie likes for breakfast.   
   ===   
      
   Later,   
   Sean   
       
   --- MultiMail/Win   
    * Origin: Outpost BBS * Limestone, TN, USA (1:18/200)   
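The article above describes an Opera PMS install guide that walks operators through turning off DEP, UAC and Windows Firewall. As an added example (not from the article, Oracle, or the BBS post), this PowerShell audit reports whether those three protections are actually enabled on a Windows host, so a PMS operator can verify the post-install hardening Oracle's security guide asks for; it assumes Windows 8 / Server 2012 or later and an elevated session.

```powershell
# Added example, not from the article or Oracle's documentation.
# Read-only audit of the three protections the Opera install guide disables.

function Get-PmsHostHardeningState {
    $findings = @()

    # DEP: Win32_OperatingSystem.DataExecutionPrevention_SupportPolicy
    # 0 = AlwaysOff, 1 = AlwaysOn, 2 = OptIn (default), 3 = OptOut
    $os  = Get-CimInstance -ClassName Win32_OperatingSystem
    $dep = [int]$os.DataExecutionPrevention_SupportPolicy
    $findings += [pscustomobject]@{
        Control = 'DEP'
        Value   = @('AlwaysOff', 'AlwaysOn', 'OptIn', 'OptOut')[$dep]
        Ok      = ($dep -ne 0)
    }

    # UAC: EnableLUA = 1 means User Account Control is on
    $uacKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $uac      = (Get-ItemProperty -Path $uacKey -Name EnableLUA -ErrorAction SilentlyContinue).EnableLUA
    $uacState = 'Disabled'
    if ($uac -eq 1) { $uacState = 'Enabled' }
    $findings += [pscustomobject]@{
        Control = 'UAC'
        Value   = $uacState
        Ok      = ($uac -eq 1)
    }

    # Windows Firewall: every profile (Domain, Private, Public) should be enabled
    foreach ($p in Get-NetFirewallProfile) {
        $fwOn = ($p.Enabled -eq 'True')
        $fwState = 'Disabled'
        if ($fwOn) { $fwState = 'Enabled' }
        $findings += [pscustomobject]@{
            Control = "Firewall/$($p.Name)"
            Value   = $fwState
            Ok      = $fwOn
        }
    }
    return $findings
}

$state = Get-PmsHostHardeningState
$state | Format-Table -AutoSize
if ($state | Where-Object { -not $_.Ok }) {
    Write-Warning 'One or more protections are off; re-enable them before exposing the PMS host.'
    exit 1
}
```

Run it on the PMS host after installation; a non-zero exit code flags any protection still left off by the install steps.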
      