Date: Thu, 02 Oct 2008 12:29:51 -0400
From: Josh Ogle <jdo24@...nell.edu>
To: "J. Oquendo" <sil@...iltrated.net>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Hotel Network Security: A Study of Computer
 Networks in U.S. Hotels

I agree with you that if employees (of non-hotels, I believe you mean) 
were instructed as to the best, safest ways to take care of their own 
privacy while on the road traveling, this would be a non-issue. 
However, it's far more difficult to get every single company in the 
world with a traveling salesperson to instruct their non-techie 
employees on the dangers of computer networks, than it is to simply set 
in place technologies *on* those networks that will help prevent the 
attacks from being able to occur.  You'll notice, however, in the 
article I have (on the last page) a "clip out" of sorts to give to hotel 
guests, informing them of ways to keep themselves safe while on computer 
networks.

Secondly, and I'm not sure as to the importance of this point but it 
means something to me, I think people go to hotels with an assumption of 
security.  If a hotel (especially a "good" one) is in a bad 
neighborhood, you expect it will be supervised by a night 
watchman/doorman.  You expect that if you close the door to your hotel 
room, there will be a lock on it that you can close so that no one can 
get in easily.  Someone could still break in if they hit the door with 
an axe enough times, but the layer of protection is there nonetheless.

Likewise, I think it's a general assumption, albeit a false one, that 
hotel computer networks are inherently secure.  Even those people who 
know that wireless access points are sometimes unsafe do not realize 
that plugging one's computer into a network physically is oftentimes 
just as insecure.  The point being that people have a reasonable 
assumption of privacy and security in the hotel environment, and I think 
it's the hotels' responsibility to either a) uphold this, or b) be very 
clear that they are NOT upholding this, and that the computer network is 
very likely unsafe.

-Josh

J. Oquendo wrote:
> On Thu, 02 Oct 2008, Josh Ogle wrote:
> 
>> the technology exists to increase a hotel network's security, a hotel 
>> could potentially be considered at fault for not taking the necessary 
>> precautions to protect their guests from hackers.
> 
> FYI, just because the technology exists does not mean
> hoteliers have to run out and accommodate everyone in
> deploying these technologies. If employees were trained
> in the risks associated with technology, many of these
> technologies would go the way of the dinosaur.
> 
> Supposing someone made you aware of the danger of
> logging into a network because of the impact of
> sniffers. Would you PERSONALLY be cruising random
> hotspots? If you knew definitively the person who
> runs the network could see and record everything
> you did, I'm sure the chances of you picking up
> any network to surf on would diminish.
> 
> Many people aren't aware of the dangers and this
> is the root of the problem. Technology is nothing
> more than a stepping stone. Corporations have the
> capabilities (or should have) to protect their
> assets on a layered approach and instances like
> this - employees hooking up from a hotel - can be
> mitigated way before the fact. It's called policy.
> 
> 
> 
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> J. Oquendo
> SGFA, SGFE, CNDA, CHFI, OSCP
> 
> "A good district attorney can indict a ham sandwich
> if he wants to ... The accusations harm as much as
> the convictions ... they're obviously harmful or it
> wouldn't be news.." - John Carter
> 
> wget -qO - www.infiltrated.net/sig|perl
> 
> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x3AC173DB
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
