FBI Sounds Alarm on Hotel WiFi Caper
May 14, 2012 6:00 AM PT
The U.S. Federal Bureau of Investigation has warned overseas travelers to be careful when using hotel WiFi networks.
"Recent analysis from the FBI and other government agencies demonstrates that malicious actors are targeting travelers abroad through pop-up windows while establishing an Internet connection in their hotel rooms," a bulletin from the Internet Crime Complaint Center (IC3) said last week.
When travelers attempt to connect to a hotel WiFi network for the first time, the IC3 explained, a familiar pop-up window appears telling the user they need to update a popular app before connecting to the Internet.
When the computer operator choses the software update, malware is downloaded into their hardware.
The attack is novel, as well as clever, according to Stephen Cobb, a security evangelist with antivirus software maker ESET. Given the difficulty many road warriors experience connecting to the Internet in hotels, the attack is delivered "at the point at which the business traveler is going to click anything to get online," he told TechNewsWorld.
Although much remains unknown about the attackers' tactics, Cobb outlined a probable scenario.
First, find an Internet Service Provider who services a number of hotels. Hack into the log-in page the ISP uses for hotel log-ins. Plant an iFrame on the page that would trigger a pop-up window when it detects a first-time visitor.
iFrames are bits of code that perform tasks on a Web page but remain invisible to the user.
A good phony upgrade candidate for the pop-up window would be Adobe Flash Player, Cobb observed. "Flash is always good to use if you're a bad guy because there are frequent Flash updates and people are often confused as to whether they have the latest version of Flash," he said.
To avoid this kind of attack, Cobb recommended that travelers never upgrade software from a hotel network.
Worm Infections Growing in Iran
Ever since its nuclear development facilities became a guinea pig for testing the industrial strength computer worm Stuxnet, Iran has been plagued by malware.
Most recently, the country's Kharg Island facility -- from where 90 percent of the nation's oil exports are shipped -- had to be disconnected from the Internet, as well as the National Iranian Oil Company and the country's Oil Ministry, because of a malware attack.
Now, we're told, the problems could be even worse.
"I hear from a relatively good source that they are now reporting attacks across other sectors in Iran," Eric Byres, CTO and vice president for engineering of Tofino Security Products, told TechNewsWorld.
He characterized the malware firing the new attacks as "not beginner's stuff, but well-orchestrated, well-architected stuff."
Iran has been so concerned about malware infections since Stuxnet that it has launched its own antivirus software development program. Foreign security software is banned from the country because the government says it can't be trusted.
Byres was skeptical of Iran's antivirus program. "It's for propaganda purposes," he said. "They want to give their people some good news."
Secure Domain Proposed
A new group has formed to push the idea of creating a secure generic top level domain (gTLD) name.
Called "Artemis Internet," the group is a subsidiary of the UK-based NCC Group, a code and system testing outfit.
Companies in the dot-secure domain would have to meet a number of rigorous requirements to guarantee that their websites are among the safest on the Net.
Although the standards for the domain haven't been set yet, at a minimum they're expected to include:
- mandatory DNSSEC signing of every zone;
- use of TLS for all HTTP sessions;
- DKIM and opportunistic TLS for SMTP; and
- use of DPF to reduce the risk from rogue and compromised certificate authorities and to provide guaranteed email transport security between dot-secure domains.
Artemis hasn't started taking applications for the new domain yet, but parties can sign up to be on a mailing list to be kept abreast of dot-secure developments at the company's website.
- May 7: User names and passwords for some 50,000 Twitter accounts were posted to the Internet by unknown party.
- May 8: Plaxo informed users that Google temporarily cut the cord to some of the social networking site's members after it was discovered that a malicious party had compromised Plaxo's server connections to Google.
- May 9: University of North Carolina, Charlotte, reported 350,000 Social Security numbers and other sensitive data of students, staff and faculty has been publicly available for almost 15 years due to a configuration error in the school's computer systems.
- May 11: Clothing and shoe retailer Opening Ceremony reportedly advised customers of a breach of the seller's online boutique, exposing payment card details of customers who purchased items between Feb. 16 and March 21.
- May 21-25. Hack in the Box conference. Okura Hotel, Amsterdam. Standard: 899 euros. Walk-in: 1,199 euros.
- May 23. Code Red to Zbot: 10 Years of Tech, Researchers and Threat Evolution. Webcast. 2 p.m., ET. Sponsored by RSA.
- June 17-22. 24th Annual FIRST Conference. Malta Hilton. Sponsored by Forum of Incident Response and Security Teams. Late fee registration (April 1-June 1): $2,500.
- June 29. Third Suits and Spooks Anti-conference. Bel Air Bay Club, Palisades, Calif. Sponsored by Taia Global and Pacific Council on International Policy.
- August 20-23. Gartner Catalyst Conference. San Diego, Calif. Early bird price (before June 23): US$1,995. Standard price: $2,295.