Sonia Bovio, tired but unable to sleep after her long journey from Phoenix to London last week, settled into her hotel room and was fiddling around on her laptop. One inadvertent click later, a file downloaded and she realized she had made a big mistake.
"It was terrifying," said the 43-year-old senior vice president with communications firm Brodeur Partners. "I had a pit in my stomach. My biggest concern was that I didn’t want to be presenting to a roomful of executives and have something pop up on my screen."
About the same time that was happening, the Internet Crime Complaint Center (IC3) – run in part by the FBI – was issuing a warning to Americans traveling abroad about getting duped into downloading malware while connecting to the Internet at their hotels. Malware can allow someone to take control of your computer, record passwords and personal information or disable the machine altogether.
The warning was specifically directed at "government, private industry, and academic personnel," suggesting this threat was more about what is on their machines and less about bank accounts and personal identities. Travelers, the FBI said, are allowing malware to infect their computers by clicking on pop-up windows that appear while they are getting on the hotel Internet connection. The pop-ups appear to be part of what looks like a routine software update.
It’s very easy for someone trying to dupe you to make a pop-up appear to be from a legitimate source, said Robert Siciliano, a consultant for the computer security firm McAfee Inc, a division of Intel Corp. "Be smart about what you click," he said. "Just because it pops up and provides a message doesn’t mean it’s legitimate."
Jonathan Halloran-Koren, president of New Jersey-based United Global Concierge Inc, said he was at a hotel in Hong Kong in 2009 using the hotel Internet connection when he got multiple warnings from his Internet security software. He later found more than 50 viruses on his machine.
"I was so freaked out that when I got back to the States I moved all my important files to a USB drive, wiped my hard drive and reinstalled everything," said Halloran-Koren, 29.
Even an Internet security expert faced similar attacks. Damon Petraglia, director of forensic and information security services for Chartstone LLC, said that in both Romania and the Turks and Caicos his laptop came under attack. The attacks were blocked by his security software, he said.
Serious precautions need to be taken by anyone with anything of importance on their computers, said former Scotland Yard computer crime unit detective Steve Santorelli, now with the Internet security research firm Team Cymru.
"You’ve got to develop a healthy dose of paranoia," he said. "If you’ve got blueprints to the next big thing on your hard drive, they’ve got resources to come at you with a pretty good attack. If you’re a regular tourist you don’t have as much to worry about."
Both Santorelli and Rich Baich, principal in the Security & Privacy Practice division of consultancy Deloitte LLP, suggest the concern isn’t only about criminals, but about how certain governments conduct themselves. The rules that apply in the U.S. are not necessarily the same ones in other countries, they warn. "Whether it’s a hotel, whether it’s a cell phone or whether it’s a Wi-Fi you’re using, you could be subject to monitoring," Baich said.
Such concerns were highlighted in 2008 when the U.S. government issued a warning to those traveling to the Olympics in China that the contents of their electronic devices were at risk of theft. The Chinese government denied any effort was under way to steal intellectual property or trade secrets from visitors.
Companies are becoming so sensitive to the threat that they are issuing special travel laptops to executives that are then wiped clean upon their return, Baich said. And Santorelli said he knows of executives who simply throw away their travel laptops upon their return because they’re that worried about what might have been installed while overseas.
If you’re not in a position to use a throwaway laptop or your company isn’t providing travel laptops, Santorelli, other security experts and the FBI urge the following steps be taken:
* Update your operating system and applications regularly – particularly before travel
* Use an up-to-date browser
* Do not use the same password for multiple accounts
* Change passwords before you leave on a trip and when you return
* Keep your anti-virus software updated
* Back up your data
* Encrypt your files
* Use a secure company virtual private network (VPN) to access work files
* Keep your device with you at all times
Two big players in providing Internet connections at hotels, iBAHN and Swisscom Hospitality Services, said they’re doing what they can to protect users and that they have had no security breaches. Some attacks could appear to come from the network, but are really from another source, according to an iBAHN spokeswoman.
"iBAHN takes the security and protection of its customers’ information very seriously, provides its customers with the highest possible level of security, and relentlessly monitors attempted attacks," said senior global communications director Shannon R. Michael.
Swisscom spokesman Carsten Roetz said they have preventive and detective measures in place, and further suggested corporate users connect to their enterprise Virtual Private Network (VPN) to protect any potentially sensitive data.
If you’re aware of the threat, keep it in mind, and prepare, you should be able to protect your data, Santorelli said. "It’s all about risk," and just having virus protection is not enough, he said. "People can no longer abrogate responsibility for Internet safety."