Inspired by this article in the Guardian.
Short version: hotel wi-fi is incredibly insecure. This is partly because the people charged with protecting it are hotel people, who put service before security.
“Hospitality companies,” writes Bloomberg's Patrick Clark, “long saw technology as
antithetical to the human touch that represented good service. The
industry’s admirable habit of promoting from the bottom up means it’s
not uncommon to find IT executives who started their careers toting
luggage. Former bellboys might understand how a hotel works better than a
software engineer, but that doesn’t mean they understand network
architecture.”
Hackers love hotels because that's where people spend money. That means everything's vulnerable, including their credit cards, passport numbers, personal details - pretty much everything guests might have wanted kept secret. Moreover it doesn't stop at one hotel. Hack, say, Marriott in Ohio, and you probably have access to every Marriott in the chain.
The aftershock can be brutal. When Marriott did get hacked, it put at risk 383 million guest records, as well as more than 5 million unencrypted
passport numbers and more than 9 million encrypted payment cards.
I imagine most of you reading this have been to at least one sci fi or fantasy convention in your lives. Perhaps you go to several each year. Consider this a warning: you, too, could become a sad statistic in some future article about identity theft. You do have a Virtual Private Network, right?
It doesn't help that most hotels, anxious to keep expenses low, don't bother to upgrade out-of-date systems. Nor do their staff get trained on the best way to avoid trouble. If a customer asks to charge his phone, does the server plug it into the wall, or into the office computer? Are there unsecured, unwatched ports - say, in the bar?
With all that in mind, a scenario seed:
Puttin' On The Ritz
The agents are hired to infiltrate a high-profile hotel IT system, say one of the hotels in the Ritz-Carlton chain. That gives the Director plenty of options, from Washington DC to Tokyo. The client wants any and all data that can be retrieved about guests arriving and departing between a set of dates. Nothing's too trivial; if the hotel records how the guest likes her eggs, then the client wants to know about it.
The agents may believe they're being hired as deniable cut-outs for a major intelligence service, or by a mafia don on the make. If the target is somewhere high-profile, like the Ritz-Carlton Macau, then the agents may be able to work up full profiles about the guests' gambling habits as well.
The job ought to be simple, but there are two problems:
First, there's a guest in the penthouse suite who's very paranoid about security. Her machines are VPN protected, and she takes care not to let her guard down. Her personal assistant seems to be the one in charge; perhaps if the PA could be dealt with, it would be easier to get the data.
Second, Heat jumps through the roof shortly before the hack ends. The agents gain 3 points Heat, with no idea why. Turns out there's a VIP, a Saudi royal, who recently arrived at the hotel, and the VIP's complaining about everything from the olives in his martini to the laughable internet security. The VIP's particularly hot on internet security, because six months ago his identity was stolen and large purchases made with his credit card. The hotel's jumping like a flea on a hot griddle, which is why Heat spiked. If the VIP could be satisfied, things would go back to normal.
One of these two - the penthouse guest or the Saudi royal - has Conspiracy links, but the agents won't find that out until their plotlines have been dealt with. The question is, which?
Or are the agents' mysterious paymasters the ones with Conspiracy links?
Enjoy!
No comments:
Post a Comment