More and more hotels are offering both wired and wireless internet, but along with those connections comes a security risk most folks don't consider.
My friend’s husband has been getting into her email even though she’s not given him her password. He has confronted his sister about an email, and when asked how he got into the email he says that where he works (a large hotel chain) they have a program that searches emails for keywords and brings info up. Could that be true?
Hotel network security is one of the most overlooked risks travelers face. And I’m not just talking wireless, I’m talking any internet connection provided by your hotel.
In fact, I’m actually writing this in a hotel room, and yes, I have taken a few precautions.
It’s a topic c|net blogger Michael Horowitz has also written about in “Ethernet connections in a hotel room are not secure”, and the title says it all.
I’ll put it another way: hotel internet connections are just as unsafe as an unsecured wireless hotspot.
Any hotel internet connection.
There are two basic issues:
Your ISP can see everything you do. When you’re in a hotel, that hotel is your ISP. They provide the connectivity, the routers and other equipment that connects you to the internet. As a result, they have the ability to monitor any and all traffic on the network. And you need to realize that it’s their network that you’re using – they own it, they control it and they have the right to monitor its usage. And, as you’ve seen, employees can abuse that power to go snooping.
There’s actually a third, more sinister problem, where an intentionally malicious hotel guest “poisons” some of the information used to route internet traffic and inserts his computer into the middle of your conversations.
So, what do you do? What do I do?
In a word: encrypt.
This basically boils down to following all the same steps one might take to stay safe in an internet cafe:
- Use a Firewall: make sure your Windows or other software firewall is enabled.
- Use https: only access sensitive websites (banking, for example, but also things like web mail) using an https connection. Most banks are secure by default, most web mail is not.
- Encrypt your email: if you’re using a normal email program and downloading your email via POP3 or IMAP, or sending your email via SMTP, then you need to make sure that those connections are encrypted. Check with your email provider for the appropriate settings.
Now there’s one more aspect to internet usage that often gets overlooked, and that’s simple web browsing.
For example, as I sit in this hotel room it’s possible that if I didn’t take appropriate precautions my neighbors, were they technically savvy enough, could monitor which web sites I’m browsing. In fact, if any of those web sites require me to login, they could potentially see my login information and password. Recall that I said most web mail is not encrypted using https? That’s exactly what I’m talking about here: if you connect with a normal http connection any usernames and passwords you might enter are transmitted in the clear and are visible to anyone who has enough access to sniff your internet traffic.
Once again, the answer is a single word: encryption.
The most common solution is a VPN, or virtual private network. There are several commercial services tailored specifically to folks who travel a fair amount. The way it works is simple: after signing up, you create a VPN connection to their servers, and all your internet traffic is encrypted and routed through them. At the service, the data is decrypted and sent on to its final destination. Anyone in between – meaning other hotel guests, staff and whoever else might be peeking – cannot see your data. More correctly, they can see your data, but it’s encrypted and total gibberish to them.
So what do I do?
Well, I run Thunderbird as my email program, downloading and sending via POP3 and SMTP. I’ve configured each to connect to my mail servers using an SSL encrypted connection. My mail is secure.
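A quick way to confirm the POP3/IMAP and SMTP encryption settings described above, as an added example that is not part of the original article: it reads the text of a Thunderbird prefs.js file and flags accounts that do not force encryption. It assumes the `socketType` (incoming) and `try_ssl` (outgoing) preferences with the value meanings noted in the code; the sample accounts are constructed.

```python
import re

# Constructed sample of Thunderbird prefs.js lines (not from a real profile).
SAMPLE_PREFS = '''
user_pref("mail.server.server1.hostname", "pop.example.com");
user_pref("mail.server.server1.type", "pop3");
user_pref("mail.server.server1.port", 995);
user_pref("mail.server.server1.socketType", 3);
user_pref("mail.server.server2.hostname", "imap.example.net");
user_pref("mail.server.server2.type", "imap");
user_pref("mail.server.server2.port", 143);
user_pref("mail.server.server2.socketType", 0);
user_pref("mail.smtpserver.smtp1.hostname", "smtp.example.com");
user_pref("mail.smtpserver.smtp1.port", 587);
user_pref("mail.smtpserver.smtp1.try_ssl", 2);
user_pref("mail.smtpserver.smtp2.hostname", "smtp.example.net");
user_pref("mail.smtpserver.smtp2.port", 25);
'''

# Assumed value meanings: 0 none, 1 STARTTLS only if offered, 2 STARTTLS, 3 SSL/TLS.
SECURITY = {0: "none", 1: "opportunistic STARTTLS", 2: "STARTTLS", 3: "SSL/TLS"}
PREF_RE = re.compile(r'user_pref\("mail\.(server|smtpserver)\.(\w+)\.(\w+)",\s*("?)(.*?)\4\);')

def audit_mail_prefs(text):
    """Return (account, host, protocol, security, encrypted) for each remote mail account."""
    accounts = {}
    for kind, name, key, _quote, value in PREF_RE.findall(text):
        accounts.setdefault((kind, name), {})[key] = value
    report = []
    for (kind, name), prefs in sorted(accounts.items()):
        if "hostname" not in prefs:
            continue  # entries without a remote host have nothing to encrypt
        sec_key = "socketType" if kind == "server" else "try_ssl"
        level = int(prefs.get(sec_key, 0))  # a missing setting is treated here as unencrypted
        proto = prefs.get("type", "smtp")
        # Opportunistic STARTTLS (1) fails open if someone on the network strips it.
        report.append((name, prefs["hostname"], proto, SECURITY.get(level, "unknown"), level in (2, 3)))
    return report

def insecure_accounts(text):
    """Hostnames of accounts whose connection is not forced to be encrypted."""
    return [row[1] for row in audit_mail_prefs(text) if not row[4]]
```
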
For unencrypted (http without the s) websites, I establish an encrypted tunnel – think of it as a kind of partial VPN – to my server.
For encrypted websites (https with the s) I need do nothing, other than make sure that the connection remains “https” as I navigate from page to page.
My web surfing is secure.
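One way to check that a page keeps you on https as you navigate, as an added example that is not part of the original article: it scans a page's HTML for links and forms that lead to plain http and marks forms carrying a password field. The function names and the sample page are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class DowngradeFinder(HTMLParser):
    """Collect links and forms that would take the browser to plain http."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []   # (kind, absolute_url)
        self._form = None    # [action_url, has_password_field] while inside a form

    def _cleartext(self, url):
        return urlsplit(url).scheme == "http"

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            target = urljoin(self.page_url, a["href"])
            if self._cleartext(target):
                self.findings.append(("link", target))
        elif tag == "form":
            # A form without an action submits to the page's own URL.
            self._form = [urljoin(self.page_url, a.get("action") or ""), False]
        elif tag == "input" and self._form and (a.get("type") or "").lower() == "password":
            self._form[1] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._form:
            action, has_password = self._form
            if self._cleartext(action):
                self.findings.append(("login-form" if has_password else "form", action))
            self._form = None

def find_downgrades(page_url, html):
    finder = DowngradeFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample page (not from a real site).
SAMPLE_URL = "https://mail.example.com/start"
SAMPLE_HTML = """
<a href="/inbox">Inbox</a>
<a href="http://mail.example.com/help">Help</a>
<form action="http://mail.example.com/login" method="post">
  <input type="text" name="user"><input type="password" name="pass">
</form>
<form action="/search"><input type="text" name="q"></form>
"""
```

A "login-form" finding is the case described earlier: the password entered there would leave the machine over plain http.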
Since I’m not using a “true” general purpose VPN, as I outlined above, I have to be careful about instant messaging programs. My approach to date has been to connect via remote desktop (which is encrypted) to one of my machines at home and run the instant messaging programs there. In fact, I use this technique for everything that accesses the internet that isn’t web surfing, email or already inherently secure.
Is it all overkill? I think not. With more and more computers and more and more public internet access, hackers and thieves need very little in the way of technology to steal all sorts of sensitive information. Are they doing it here and now? I’d guess not.
But I’m not so sure of that guess that I’d let down my guard.
Better secure than sorry.