The U.S. Secret Service has issued an advisory to the hospitality industry to be on alert for keyloggers on the computers in the business center. Whether your hotel received this advice or not, this is something that will undoubtedly affect your business in the near future. We’ve put together this brief guide on reacting to the advisory.
- According to the advisory issued by the Department of Homeland Security/Secret Services, (which can be found on osac.gov) Task force agents arrested a group of suspects that had installed keylogger software on computers in various hotel business centers.
The suspects were able to obtain large amounts of information including other guests’ personally identifiable information (PII), log in credentials to banks, retirement, and personal webmail accounts, as well as other sensitive data flowing through the business center’s computers
What is a keylogger?
- Kaspersky, a well-respected, IT security vendor, explains keyloggers as “piece of software or hardware that has the capability to intercept and record input from the keyboard of a compromised machine”
- Software keyloggers are installed directly onto the machine, records keystrokes, and then transmits them to the attacker
- Hardware keylogger maybe a small device that sits as a connector between the keyboard and the computer, or a USB flash drive that is plugged into the computer. These are less common because of the difficulty involved in reaching the physical machine
How to check if a business center has been compromised
- Physically inspect your keyboards and computers and their connections to ensure no unknown devices are present
- Investigate active processes on the machine to determine if they are making malicious outbound communications that would be sending out the data collected by the keylogger
- Perform a hash analysis of all files on the drive to see if they match any known malicious hash values
What to do if you have a compromised business center?
- Remove or disconnect the computer from the network but leave the computer on and running
- Engage a security consultant to determine the scope of the potential compromise to determine the best approach to remediate
What should you tell your compromised customers?
- In accordance with state and industry breach rules, inform them of the facts
- Let them know the steps you’ve taken to ensure it won’t happen again
How can you protect your business center?
- Application and process whitelisting
- Disable unused USB ports
- Configure firewalls to block outbound connections to known malicious sites
Overall, the impact of this issue can be devastating to a business. Performing some or all of the proactive actions listed here can be critical to identifying these issues in your environment. In a perfect world, these proactive checks will find no evidence of intrusion or compromise. In that case, your business would be able to prove ‘due diligence’ in the face of this advisory, and could quell any customer concerns before they arose.
Written by Dan Fritsche, Practice Director, Coalfire Labs. The original post is here.