24 Sep 2009
Hotel chain recently joined the ranks of companies owning up to significant
breaches of computer systems, compromising credit and debit card data.
Like many professionals, I have travelled extensively. Being a security expert, along the way I have made a number of observations, which highlight how often security has not been a high priority.
Some time ago at a hotel in Cyprus, I was directed to place my bags in an unlocked baggage room. I noticed the flashing lights of a computer in a cupboard. Opening the door, I was looking at and had access to the hotel’s IT systems, including the primary server, complete with keyboard and monitor. It was completely insecure and allowed interaction with the system.
This would be of little use to most guests. But the hotel had gone one step further by supplying a user manual and notes complete with passwords. Backup media was placed on a shelf, and a USB stick was plugged into the server. Of course, I did nothing untoward, but I am not able to account for any of the other guests who passed through.
At a hotel in Paris, I subscribed to the pay-as-you-go Wi-Fi service. After a short time, the service terminated and I was unable to get back on, so I investigated further. Using a simple sniffer tool, Wireshark, supported by a few DOS commands, I was soon in a position to map the local network and have visibility of, and access to, some of the private hosted servers.
Ironically, I was attending a security conference run by a well-known computer security firm, and I found access to that company’s server, including an open share for documents. I reported this to the hotel staff, and received a blank look for my trouble. I also mentioned it to the security vendor, who looked a little flushed.
Such lapses in security are still far too common. Awareness of security standards and regulations is growing, but it seems most organisations are happy to wait until after they fall victim to a breach before they act on them.
John Walker is a global board member of the Information Systems Security Association