
My free room.
Recently I was in Batam, Indonesia for a few days. While looking for a Wi-Fi signal on my MacBook I discovered a bunch of open access points. Although I could get on a few networks I was not able to get web access. I did notice several shared computers on one of the hotspots, one of which was named “Reservations.” Also listed were several other nondescript names like Sales, Marketing, HR and such.
Being the curious type, I clicked on Reservations to find some office files. A quick view of a spreadsheet with Mgr in the file name showed me every cent that went through one of the largest hotels in town. I could see how many rooms were available, vacant, walk-ins, no shows, average room rates, budgets and revenues for all 5 restaurants, laundry... and how many complimentary rooms were in use.
The last bit there gave me an idea. I was staying at a smallish inexpensive hotel. I was by myself and a big cushy place did not make much sense for what was basically a 48 hour trip. A nice cushy place would be fine though, if it was complimentary :)
I grabbed some screenshots of what I’d seen, then walked down to the lobby and out the front door, turned right and continued down the road to the big hotel.
I was wearing a Barcamp Auckland t-shirt, no shave, jeans and toting a Crumpler. Confidently, I asked the receptionist if I could speak to the GM. She asked what it was regarding and I replied that it was a security issue. They told me he was in a meeting but would be available in 20 minutes if I was able to wait. I took a seat and waited about 15 minutes.
The GM came up and introduced himself. I quickly got to the point and let him know that without any hacking I was able to see all kinds of information about the hotel over their public wireless network. I showed him some screenshots since I’d already deleted the files from my drive. He was obviously surprised and asked how I could have accessed all that information. I told him that I did not have much time left in town to help fix things but that if he could set me up with a ‘complimentary room’ I’d be happy to tell him how to go about getting his IT people started on getting the problem fixed.
He said, “sure” without any hesitation. I got his email and was directed to the front desk to get checked in.
10 minutes later I had a new room key and was heading back to my old hotel to checkout and grab my stuff.
I came back and went up to my room. I now had a pass to get on the same Wi-Fi that I’d seen from my rather bland room down the street. This was much better!
Here is the list of suggestions that I sent over to the GM.
Network Security Suggestions
- Remove all back office / hotel systems from Guest/Public Wi-Fi networks. Hotel employees and systems should be on a private network.
- Disable Windows File Sharing on all employee computers that would be using public Wi-Fi.
- Disable broadcast of the SSID for the private Wi-Fi network. Use WPA or WPA2 wireless encryption. Do not use WEP; it is unsafe and easily cracked.
- Implement an official policy for employees on network security / best-use practices: don’t change settings without notifying the IT admin, no Windows file sharing on public networks, no P2P file sharing, don’t open attachments that you were not expecting, never open .exe or .vbs attachments, use Firefox instead of IE, etc.
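As an added example (not part of the original post or the list sent to the GM), here is a PowerShell script that applies the second suggestion on a Windows laptop: it marks each connection profile Public, disables the inbound File and Printer Sharing firewall rules, and lists any user-created SMB shares for review. It assumes Windows 8 / Server 2012 or later with the built-in NetConnection, NetSecurity and SmbShare modules, run from an elevated session; the -DryRun switch is my own convention.

```powershell
# Added example (not the post's own code): audit and harden Windows File and
# Printer Sharing on a laptop that joins guest/public Wi-Fi.
# Assumes Windows 8 / Server 2012 or later, run from an elevated PowerShell.
# -DryRun is a hypothetical convenience switch: report only, change nothing.
param([switch]$DryRun)

# 1. Mark every non-domain profile Public so Windows applies its
#    most restrictive discovery and sharing defaults on that network.
#    (DomainAuthenticated profiles cannot be re-categorised and are skipped.)
foreach ($profile in Get-NetConnectionProfile) {
    if ($profile.NetworkCategory -eq 'DomainAuthenticated') { continue }
    if ($profile.NetworkCategory -ne 'Public') {
        Write-Host "Profile '$($profile.Name)' on $($profile.InterfaceAlias) is $($profile.NetworkCategory); setting Public"
        if (-not $DryRun) {
            Set-NetConnectionProfile -InterfaceIndex $profile.InterfaceIndex -NetworkCategory Public
        }
    }
}

# 2. Disable the inbound firewall rules that expose SMB (TCP 445/139) and
#    NetBIOS name resolution to everyone else on the same access point.
$rules = Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Direction Inbound |
         Where-Object { "$($_.Enabled)" -eq 'True' }
foreach ($rule in $rules) {
    Write-Host "Disabling inbound rule: $($rule.DisplayName)"
    if (-not $DryRun) { Disable-NetFirewallRule -Name $rule.Name }
}

# 3. Report any non-administrative shares (names not ending in '$'), the kind
#    of share that exposed the 'Reservations' spreadsheets in the story.
$shares = Get-SmbShare | Where-Object { $_.Name -notlike '*$' }
if ($shares) {
    Write-Warning 'User-created shares still exist; review and remove them with Remove-SmbShare:'
    $shares | Select-Object Name, Path, Description | Format-Table -AutoSize
} else {
    Write-Host 'No user-created SMB shares found.'
}
```

Run it once with -DryRun to see what would change before applying it across the staff laptops.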
Should you ever have any queries please do not hesitate.
My room is great, thank you.
This is one of those circumstances where being a good samaritan paid off. Let me know if this ever works for you in a similar situation.