Brian Pennington

A blog about Cyber Security & Compliance



Hospitality Industry alerted by the U.S. Secret Service on the threat of Keyloggers

The U.S. Secret Service has issued an advisory to the hospitality industry to be on alert for keyloggers on the computers in the business center. Whether your hotel received this advice or not, this is something that will undoubtedly affect your business in the near future. We’ve put together this brief guide on reacting to the advisory.

What happened?

  • According to the advisory issued by the Department of Homeland Security/Secret Services, (which can be found on Task force agents arrested a group of suspects that had installed keylogger software on computers in various hotel business centers.

The suspects were able to obtain large amounts of information including other guests’ personally identifiable information (PII), log in credentials to banks, retirement, and personal webmail accounts, as well as other sensitive data flowing through the business center’s computers

What is a keylogger?

How to check if a business center has been compromised

  • Physically inspect your keyboards and computers and their connections to ensure no unknown devices are present
  • Investigate active processes on the machine to determine if they are making malicious outbound communications that would be sending out the data collected by the keylogger
  • Perform a hash analysis of all files on the drive to see if they match any known malicious hash values

What to do if you have a compromised business center?

  • Remove or disconnect the computer from the network but leave the computer on and running
  • Engage a security consultant to determine the scope of the potential compromise to determine the best approach to remediate

What should you tell your compromised customers?

  • In accordance with state and industry breach rules, inform them of the facts
  • Let them know the steps you’ve taken to ensure it won’t happen again

How can you protect your business center?

  • Application and process whitelisting
  • Disable unused USB ports
  • Configure firewalls to block outbound connections to known malicious sites

Overall, the impact of this issue can be devastating to a business. Performing some or all of the proactive actions listed here can be critical to identifying these issues in your environment. In a perfect world, these proactive checks will find no evidence of intrusion or compromise. In that case, your business would be able to prove ‘due diligence’ in the face of this advisory, and could quell any customer concerns before they arose.

Written by Dan Fritsche, Practice Director, Coalfire Labs. The original post is here.

Hotel association to create unified security standards for Credit Card payments

Image by (aka Brent) via Flickr

Under the banner of the Hotel Technology Next Generation (HTNG), 16 major hotel groups from around the world are planning to work together to develop an industry specific IT Security framework  for handling sensitive and credit card data.

The HTNG will be a not for profit trade body which will develop solutions and standards that can be used in the hospitality industry.

Hotel credit card transactions are more difficult to secure than in other industries.  During the hotel reservation process, sensitive data often flows across systems managed by different companies. The data could be stored for weeks or months from the initial booking, to the checking in, charges for additional services e.g. bar bills all the way through to the final check out.

There are lots of different systems and software used in the processing of reservation making Security Standards very important.

Solutions like tokenization can provide an answer for a single hotel or hotel chain but they will require a great deal of sharing and integration if more than one company wishes to share the same token.

Wiki leak definition of Tokenization is “the process of breaking a stream of text up into words, phrases, symbols, or other meaningful elements called tokens. The list of tokens becomes input for further processing such as parsing or text mining. Tokenization is useful both in linguistics (where it is a form of text segmentation), and in computer science, where it forms part of lexical analysis“.

To find out more about Tokenization download the Tokenization for Dummies booklet by clicking here, registration is required.

While major hotel companies have invested heavily in security within their own systems, they have no control over the hundreds of third-party systems that may touch their reservations prior to their guests arrival.

Early discussions indicate a broad agreement that a single industry framework is required, and that the framework needs to work with existing security approaches in place at major hotel companies and in commonly used systems for example PCI DSS.  There was also agreement on the key elements needed for the industry framework.  The group intends to document this framework conceptually in a white paper that will form the basis for subsequent standards development.

Doug Rice, CEO of HTNG, said organization initiated the process for the industry security framework in June. A charter has been created to ensure the hotels and organizations involved are on the same page. The group’s first meeting will take place in November.

Rice said everyone involved in accepting payments in the hotel industry needs to agree on the same framework for it to work effectively. Online travel agencies, distribution partners and payment processors will all need to be on board. The plan is for the major hotel companies to inform their partners of the plan at approximately the same time. Vendors will realize this is what they need to do if they want to meet the needs of the hotel industry, he said.

Once the partners are on board with the solution, independent hotels will start getting involved, too.

Rice said education will not necessarily be the role of HTNG. However, the group expects to work with organizations such as the Hospitality Financial and Technology Professionals to help implement the solution and spread the word in the industry.

“This is not going to be an overnight solution, it’s a journey, but it’s something that the industry has recognized needs to be addressed,” Rice said

Read the HTNG Press Release here.

Also read “77% of Hospitality Sector Mistakenly Believe They Are PCI Compliant“.


Create a free website or blog at

Up ↑

%d bloggers like this: