Hilton Tokyo - ID stolen via Wifi (January 2016)

Re: Hilton Tokyo - ID stolen via Wifi

Since it still seems unclear just which part of OP's security was breached first, we are rightly concerned about various aspects of our IT security (especially, but not exclusively, while travelling). Like mel1, I'm not understanding all of this, but can someone say whether LastPass or DashLane really do enhance the security of username/password logins?

And, following up lovetravelingoz's comment –
1/ Cryptically storing the login/username (BUT not the password) buried within numerous folders in an email account if it is not something that I will 100% remember (ie some use email addresses and so need to store). My most used usernames (ie main bank, Amex) I just remember, and so it is more for accounts that are not regulars. ie credit cards that I am churning etc.
– can I naively, I know, :confused: ask: why not store the passwords using the same method (i.e. distributed through various email or other folders)?
 
Re: Hilton Tokyo - ID stolen via Wifi

Rookie question: Can my keystrokes be identified? ie if I am putting in a password to a bank account can a hacker "see" what I've done? If not then I'm safe as everything is in my head. If so, then I am REALLY worried as I only use public wifi available in hotels, etc ...
 
Re: Hilton Tokyo - ID stolen via Wifi

I'm not a total luddite when it comes to IT, but I'm struggling to fully understand some of this discussion. I wonder if someone more clued in might be able to answer some or all of the following questions:

1. Should I start using a VPN? I understand it won't provide complete protection, and may or may not have prevented this attack, but is it still worth doing?
2. I use LastPass to generate very long and random passwords for everything. Is that just giving me a false sense of security, or is it genuinely making it difficult for people to target me?
3. I use Dropbox (in combination with 2FA and a long and random password generated by LastPass). I store copies of passports etc in Dropbox. Should I stop doing that?
4. I also have the Dropbox folder containing the passport copies synced to my PC - so the files are saved on my PC hard drive too, and indeed on my iPad. Should I stop doing that?
5. Should I avoid WiFi in hotels/airports/public places altogether? I understand that would probably be the ideal approach to take, but as someone who travels a lot and needs to be online most of the time, this would mean using a hell of a lot of mobile data.

I should clarify that I know it's impossible to completely eliminate risk. I'm looking for some sort of balance between being able to get on with my work and life without great inconvenience, and avoiding falling victim to an attack such as that which Cynicor experienced. Thanks in advance for any advice!
 
Re: Hilton Tokyo - ID stolen via Wifi

Cynicor, when you joined the HH wifi where you prompted to download anything or accept anything?
The reason why I ask is that whilst SSL (technically it's TLS these days) is very secure, if you were prompted to download something to join the wifi connection, something called a "root certificate" could also be installed at the same time.

Such actions would not show up in any malware scan; in fact you need (trusted) root certificates to be able to access anything encrypted on the internet. It's just that if some bad guys got a root certificate onto your computer and then controlled your connection (ie by hosting public wifi), they would be able to decrypt anything you sent over the internet.

Just curious (I've seen other "public wifis" insist that you download some sort of "helper", just wondering if this was the case here)
 
Re: Hilton Tokyo - ID stolen via Wifi

Rookie question: Can my keystrokes be identified? ie if I am putting in a password to a bank account can a hacker "see" what I've done? If not then I'm safe as everything is in my head. If so, then I am REALLY worried as I only use public wifi available in hotels, etc ...


If a hacker has a keylogger installed on your computer, then yes.
This is a big part of the reason that 2 factor authentication exists, so someone can't just replay the same keystrokes and get into your accounts.
 
Re: Hilton Tokyo - ID stolen via Wifi

A few people have asked the benefits of using LastPass or similar and whether it is worthwhile.

The main benefit here is having a different password for every site. That way, if your password is found out for site A, the hacker doesn't have access to all other sites you may use. So it's damage minimisation. LastPass and the like are convenience tools for generating and remembering strong passwords.

So in summary, yes continue to use them. They ARE providing a security benefit.
 
Re: Hilton Tokyo - ID stolen via Wifi

I'm not a total luddite when it comes to IT, but I'm struggling to fully understand some of this discussion. I wonder if someone more clued in might be able to answer some or all of the following questions:

1. Should I start using a VPN? I understand it won't provide complete protection, and may or may not have prevented this attack, but is it still worth doing?
2. I use LastPass to generate very long and random passwords for everything. Is that just giving me a false sense of security, or is it genuinely making it difficult for people to target me?
3. I use Dropbox (in combination with 2FA and a long and random password generated by LastPass). I store copies of passports etc in Dropbox. Should I stop doing that?
4. I also have the Dropbox folder containing the passport copies synced to my PC - so the files are saved on my PC hard drive too, and indeed on my iPad. Should I stop doing that?
5. Should I avoid WiFi in hotels/airports/public places altogether? I understand that would probably be the ideal approach to take, but as someone who travels a lot and needs to be online most of the time, this would mean using a hell of a lot of mobile data.

I should clarify that I know it's impossible to completely eliminate risk. I'm looking for some sort of balance between being able to get on with my work and life without great inconvenience, and avoiding falling victim to an attack such as that which Cynicor experienced. Thanks in advance for any advice!


1. I don't use a VPN, personally I rely on using SSL connections, and validating the certificate that it gives you. One of the issues I have with VPNs is that you are completely relying on the other end being trustworthy as you are routing all your internet traffic via them, and all it would take is for them to include something like a root certificate in a "VPN Installer" application that they give you and voila, they can view all your internet traffic, even stuff which was encrypted.

2. Something like LastPass is like putting all your keys to the kingdom in the one place. Not necessarily bad and certainly better than using the same password for thisgreatwebsite.com and your internet banking. A general rule to follow is not to use something in the top 1000, and make sure it's different passwords between your internet banking, your email accounts and other websites.

3. No problems in using Dropbox that I am aware of

4. See above

5. I use public wifi all the time, the general rule I follow is that I won't download and install any programs (technically it would be unsigned programs I don't trust, but that is a whole other level of explanations), since any programs could contain code injected by the wifi provider without your knowledge. I also make sure that the website's SSL certificate is valid, since if it's not it's likely that the wifi provider is attempting a man-in-the-middle attack. It is for this reason that I don't download any programs over public wifi, it would be very easy to sneak in a "root certificate" into a program. A false root certificate would not show up on any virus or malware scanners, but would give the wifi provider the ability to decrypt encrypted connections virtually undetectably.
 
Re: Hilton Tokyo - ID stolen via Wifi

Thanks Daver6 and Harvyk, very helpful (and reassuring!).

One question though Harvyk - you lost me with this bit: "not to use something in the top 1000". Top 1000 what? Passwords? How would I know? In any case, as I use LastPass to randomly generate passwords for every different account/website, I'm guessing I'm ok on that front?

I understand the risk with LastPass is that if someone gets into my LastPass account, then yes, they have the keys to the kingdom. However, I use two factor authentication, and my PC and apple devices require me to re-enter my password/scan my fingerprint every time I access it. I have also disabled access to my LastPass account from most countries worldwide (except for the ones I visit frequently, including Australia, of course), which I think probably helps a little too. Also, needless to say, my LastPass password isn't something like p@ssw0rd1! Anyway, I know nothing is foolproof, but it seems to me that it would be pretty hard for someone to get into my LastPass account - hope I'm not just being naïve there!

The simple fact is, there is just no way I would be able to remember unique, complex passwords for every account - so for me LastPass is the only way I can have different passwords for everything.
 
Re: Hilton Tokyo - ID stolen via Wifi

Thanks Daver6 and Harvyk, very helpful (and reassuring!).

One question though Harvyk - you lost me with this bit: "not to use something in the top 1000". Top 1000 what? Passwords? How would I know? In any case, as I use LastPass to randomly generate passwords for every different account/website, I'm guessing I'm ok on that front?
<snip>


Yeap, I mean the top 1000 passwords list, see here -> PasswordRandom.com - Top 10000 most common passwords list Page 1

Every year "they" compile a list of the most popular passwords used in various places. I'm not quite sure where the source data comes from but long story short if you see your password in one of those lists you should change it asap, because if someone was to attempt to guess your password you can be pretty sure that this list is the first set of passwords they will try.
 

Re: Hilton Tokyo - ID stolen via Wifi

I was all set to put my (pseudo) expert's hat on and tell you how this happened, but the more detail that emerges the less obvious it becomes. Since the AFP's experts were involved (who hopefully know more than any of us), can you ask them to explain EXACTLY how this was done ? I think that it is really important to find out.

My gut is that it's either something somewhat sophisticated (given the extent of the compromise), or something relatively simple involving malware installation, or something dead easy (eg room service logged into the unattended laptop and/or removed the HDD and imaged it). Either way it sounds like the laptop contained too much (unprotected) information.

If it were something really sophisticated though, it would happen more often to more people who thought they were well protected, as whatever the current best tools are they are readily available / traded. And intelligence agencies would have those tools and so be a lot more successful with cyber-criminals than they seem to be.

I have TOR installed on my travel laptop, with known legit bank site links, so that I can protect any banking transactions. And my bank passwords are different to everything else (and not written down in any document or app). If I had to carry information that would allow me to be compromised, it would be in an encrypted partition.

TOR saves having to think "should I really be doing this on this network ?", having to check closely for https, etc. Of course I don't google for bank sites, use email links to banks, etc. And I chain my laptop to the steel spine inside my locked suitcase when I have to leave it in a hotel room !

But for general browsing (ie non-banking), I use a standard browser (Firefox or Chrome).

Am I totally safe, no ? Am I safer than most ? Hopefully. As long as I'm not low hanging fruit I feel reasonably secure.
 
Re: Hilton Tokyo - ID stolen via Wifi

cynicor, did all of you get the 'hacked' funds credited back to your account by the various financial institutions?
 
VPNs don't really help in the majority of cases: your bank should be using SSL connections ('a padlock in the toolbar'). If you're using a security-aware browser, Chrome in particular, you're likely to notice any attacks if you try to connect to a dodgy wifi network.

A good quality password manager is a great advantage, since it will produce long and complex passwords that you never need to remember. Something like LastPass is good, though I also use the password manager built-in to Chrome. (See your passwords at passwords.google.com ). I trust Google's security far more than I do anyone else's. You could also run a password manager on your mobile phone.

One caveat: LastPass and others do produce browser plugins. I'd caution against using these: it's one more thing to be attacked. Trust the Chrome password manager, and/or type passwords in.

Two-factor authentication is a must, since it stops you being shoulder-surfed. If you are running a reasonably new Android phone, it will simply prompt you to hit a button on your phone when logging in - even more secure than typing in the number.

Network sharing - where you inadvertently share a folder or even your whole computer over a network - would seem to be the most obvious here. Things like DropBox and Google Drive are used by many different companies, and therefore should be pretty secure.

Personally, I only run a Chromebook which is relatively impregnable, and occasionally also run a Mac (which I've renamed so it isn't saying it's "Joe Bloggs's Mac" to the entire network). I've not run Windows or any anti-virus software since 2006. I'm constantly amazed at the random stuff I find on other people's computers - and especially wouldn't touch a communal computer, like one in an airport lounge or a hotel lobby, for anything that requires me to log in.
 
Based on what has been discussed, I see three main possibilities:

- Laptop was cloned (ie, a copy of the hdd was made, and the personal details stored on it later used to answer security questions when setting up the later attack)
- Laptop had file sharing enabled when on the wifi network (pretty uncommon in default configurations of laptops etc these days, but can still be set up accidentally)
- Email compromised and like the laptop contained enough personal identification to bypass security checking.

This wasn't a simple attack. The perps needed enough personal information to bypass security for porting phones, logging into internet banking (or to get the password reset to log on)

There is much more to this!
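The "inadvertent network sharing" possibility raised in the last two posts is the one a traveller can actually check before joining the hotel network. This is an added example, not from the thread: a Python script that reads `ss -ltn`-style listening-socket output (Linux; `netstat -an` on other systems has a similar shape) and flags file-sharing and remote-access services bound to every interface rather than to loopback. The sample output and the port-to-service table are constructed for the example; on a real machine pipe the live `ss -ltn` output into `audit()`.

```python
# Added example (not from the thread): audit what a laptop is offering to the
# network it just joined. Parses `ss -ltn`-style output; the sample below is
# constructed and the port table is a hand-picked list, not exhaustive.
import ipaddress
from typing import Dict, List, Tuple

# Constructed mapping of the usual sharing / remote-access ports.
RISKY_PORTS: Dict[int, str] = {
    22: "SSH",
    139: "NetBIOS session (Windows file sharing)",
    445: "SMB (Windows/macOS file sharing)",
    548: "AFP (macOS file sharing)",
    2049: "NFS",
    3389: "RDP (remote desktop)",
    5900: "VNC / screen sharing",
}

# Constructed sample: what `ss -ltn` might print on a laptop with Samba and
# sshd listening on all interfaces, CUPS and NFS confined to loopback.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     127.0.0.1:631        0.0.0.0:*
LISTEN  0       50      0.0.0.0:445          0.0.0.0:*
LISTEN  0       50      0.0.0.0:139          0.0.0.0:*
LISTEN  0       128     [::]:22              [::]:*
LISTEN  0       64      127.0.0.1:2049       0.0.0.0:*
LISTEN  0       128     0.0.0.0:8080         0.0.0.0:*
"""


def parse_local(addr_port: str) -> Tuple[str, int]:
    """Split 'host:port', tolerating bracketed IPv6 such as '[::]:22'."""
    host, _, port = addr_port.rpartition(":")
    return host.strip("[]"), int(port)


def is_exposed(host: str) -> bool:
    """A wildcard or non-loopback bind is reachable by everyone on the Wi-Fi."""
    if host in ("", "*"):
        return True
    try:
        return not ipaddress.ip_address(host).is_loopback
    except ValueError:
        return True  # unparseable: assume the worst


def audit(ss_output: str) -> List[str]:
    """Return one finding per risky service that is bound beyond loopback."""
    findings: List[str] = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue  # header line or non-listening socket
        host, port = parse_local(fields[3])
        if port in RISKY_PORTS and is_exposed(host):
            findings.append(f"{RISKY_PORTS[port]} on port {port} bound to {host or '*'}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_SS_OUTPUT):
        print("EXPOSED:", finding)
```

Anything the script flags is a service the whole hotel subnet can reach. The fix is to turn sharing off (or firewall it to the home network) before travelling, not to hope the network isolates clients; the Chromebook user above is making the same point by keeping fewer services running in the first place.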
 
VPNs don't really help in the majority of cases: your bank should be using SSL connections ('a padlock in the toolbar'). If you're

Find a bank that doesn't use SSL/TLS.
Indeed find a webmail or social media app that doesn't use it these days

I personally think SSL provides pretty good protection against most vectors.
People installing a keylogger on unlocked laptops is probably the biggest risk I see.
 
Oh dear, I am going to stay at the Hilton Tokyo in mid November.
I think I will just rent a pocket wifi and turn on my VPN when I am there.
Does anyone know if the hotel has been notified of this hacking ?
 
I use a Fritz box router (German made) at home which has an inbuilt VPN gateway. When I am overseas I VPN into my home VPN then I know exactly where my traffic is going. Trust this more than 3rd party VPN. You can buy Fritz box for about ~$250 in Aus from speciality computer stores.
 
I use a Fritz box router (German made) at home which has an inbuilt VPN gateway. When I am overseas I VPN into my home VPN then I know exactly where my traffic is going. Trust this more than 3rd party VPN. You can buy Fritz box for about ~$250 in Aus from speciality computer stores.


I also have a Fritz, but nearly all routers have a VPN server inbuilt these days.

As an aside, one feature I do like with the Fritz is that if you have a VOIP service at home you can use the Fritz Phone App on your iPhone via wifi through a VPN back to the router, and make calls from anywhere in the world on your home phone using VOIP rates. Most VOIP services have free local calls so if you are O/S you can use a free (secure) wifi connection to make free calls to any landline in Aus from your mobile. (little travel tip there)
 
I use a Fritz box router (German made) at home which has an inbuilt VPN gateway. When I am overseas I VPN into my home VPN then I know exactly where my traffic is going. Trust this more than 3rd party VPN. You can buy Fritz box for about ~$250 in Aus from speciality computer stores.

Main downside to this is your internet is as slow as your outbound speed at your home. If ADSL, that's pretty bloody painful.
 

Main downside to this is your internet is as slow as your outbound speed at your home. If ADSL, that's pretty bloody painful.

So will NBN be a saviour here? High(ish) speeds with extra security via this Fritz thingy? Also, if OS, will we still need to use the hotel wifi to access Fritz?
 