Computer hackers can easily access confidential corporate documents or detailed personal banking information from unsuspecting business travellers while sitting in the comfort of a hotel lobby, according to experts.
"You would be surprised at how easy it is to do," says Brian Bourne, co-founder of the Toronto Area Security Klatch (TASK), one of the largest user groups in Canada for computer hackers.
"Companies spend all kinds of money on securing their server and the corporate network, but the information is open and vulnerable when their executives are on the road."
Bourne says one of the most common ways thieves get access to that information is to set up a "rogue access point."
A hacker will sit down with a laptop in a hotel or busy café and pretend that computer is the actual server. When anyone attempts to log on to the server, they are actually connecting to that laptop. Any web pages they view - including banking websites, e-mails or online documents - is recorded on the rogue access point and can be accessed later.
The software tools to do it can be easily found and downloaded from the Internet, he says.
"Most hotels and open public hotspots don't use encryption. Everything going in and out (of your computer) can be seen by practically anyone," says Bourne, who adds his "day job" is president of Toronto-based CMS Consulting.
Bourne says using a wire-based connection for your computer versus a wireless network is generally safer. But hotel business centres set up with computers and other amenities, however, are an even easier target for hackers.
"You could so easily have a keystroke logger installed on one of those machines or any kind of a virus or malware. That's not safe in the least."
One of the most legendary hackers in North America is Mark Loveless, known among the largely online community as Simple Nomad. In 2006, he appeared at any industry convention and made a presentation called "Hacking the Friendly Skies at 30,000 Square Feet."
It explained how to spend time accessing other passengers' computer information while waiting in an airport departure lounge or flying at high altitudes. Loveless said the ideas started because of weather delays, cancelled flights, layovers, gadgets and toys and "idle hands," according to the copy of a PowerPoint presentation obtained by Business Edge.
It included instructions on how to change the screensaver image on all nearby laptops to pornographic images and loudly play an audio file saying: "Wow, this porn is hot."
Bourne says the vast majority of hackers are doing it for the challenge rather than for any gain. But regardless of why a business traveller's laptop is being accessed, it's still vulnerable.
"It's like parking your car in a high-crime neighbourhood overnight. Would you just leave it unlocked?" he asks.
Computer security expert and author Bruce Schneier, the founder and CTO of BT Counterpane, says one of the biggest problems is that computer information theft often goes unreported.
"I mean, if you were a big bank and hackers were able to somehow get company information from one of your executives staying at a hotel somewhere, would you want the press to know?
"As researchers, we want to learn about how widespread a problem this is, but nobody can really put their finger on how often it happens," he says.
Schneier explains users need to look at their entire computer network and where people are accessing certain types of data from.
"I can put the best lock in the world on the front door of my home, but if my ground floor windows aren't secure or the back door then it won't do any good," he says.
"The best suggestion I have for people is to back up their data. Back up, back up and back up.
"More and more our businesses depend on information and that's one of the best ways you can protect it," Schneier says.
"Make sure you have the latest firewall and anti-virus software installed on your laptop, too," he adds.
Andrew Berkuta, whose business card lists him as a senior security evangelist/strategist with McAfee anti-virus software, says he's seen lots of examples of unprotected data.
"The new threat for businesses is at the data level. It's quite scary and the threat is quite real.
"I think one of the worst is data on a laptop that isn't even encrypted. Your laptop gets left in the back of a cab or stolen somewhere. If the data is encrypted then it's not that big of a problem," he says.
"If it isn't encrypted, you're (in trouble)."
McAfee's Canadian head office is in the north Toronto suburb of Markham, but it also has a 25,000-sq.-ft. research and product development facility in Waterloo where programmers are kept busy trying to stay ahead of the latest computer virus.
"Everything has vulnerability because it's made by humans. I would never say our software was a hundred per cent foolproof because the first time someone says that, guess what every hacker in North America will be trying to do?" he says.
"I believe you have to manage the risk. You have to take steps wherever you are to protect your data, on your laptop or on a memory stick or anywhere."
Computer safety tips
Computer security experts say there are simple steps business travellers can apply when using unsecured networks in airport terminals, train stations and hotels: * Ask the venue if they actually have a network available and what the access point is named. One method of computer hacking involves arranging a fake local area network using common names like Server or Home. If your wireless network card is set up with any of those names, it will instantly recognize the fake server and connect to that.
* When using a supposedly secure website, check the address bar for the initials https:// before the website name. The letter 's' stands for secure. If you get a pop-up window questioning the website's security certificate, stop immediately.
* Establish your own virtual private network (VPN) back at your office and access the Internet through that when you're on the road.
* Finally, use common sense. Be aware of what data you're using and how vulnerable you might be in that particular environment.
(David Hatton can be reached at hatton@businessedge.ca)
