The U.S. Secret Service has issued an advisory to the hospitality industry to be on alert for keyloggers on the computers in the business center. Whether your hotel received this advice or not, this is something that will undoubtedly affect your business in the near future. We’ve put together this brief guide on reacting to the advisory.

What happened?

  • According to the advisory issued by the Department of Homeland Security/Secret Services, (which can be found on Task force agents arrested a group of suspects that had installed keylogger software on computers in various hotel business centers.

The suspects were able to obtain large amounts of information including other guests’ personally identifiable information (PII), log in credentials to banks, retirement, and personal webmail accounts, as well as other sensitive data flowing through the business center’s computers

What is a keylogger?

How to check if a business center has been compromised

  • Physically inspect your keyboards and computers and their connections to ensure no unknown devices are present
  • Investigate active processes on the machine to determine if they are making malicious outbound communications that would be sending out the data collected by the keylogger
  • Perform a hash analysis of all files on the drive to see if they match any known malicious hash values

What to do if you have a compromised business center?

  • Remove or disconnect the computer from the network but leave the computer on and running
  • Engage a security consultant to determine the scope of the potential compromise to determine the best approach to remediate

What should you tell your compromised customers?

  • In accordance with state and industry breach rules, inform them of the facts
  • Let them know the steps you’ve taken to ensure it won’t happen again

How can you protect your business center?

  • Application and process whitelisting
  • Disable unused USB ports
  • Configure firewalls to block outbound connections to known malicious sites

Overall, the impact of this issue can be devastating to a business. Performing some or all of the proactive actions listed here can be critical to identifying these issues in your environment. In a perfect world, these proactive checks will find no evidence of intrusion or compromise. In that case, your business would be able to prove ‘due diligence’ in the face of this advisory, and could quell any customer concerns before they arose.

Written by Dan Fritsche, Practice Director, Coalfire Labs. The original post is here.