I didn’t need the FBI to tell be hotel Internet is bad

That hotel Internet connections are dicey at best is not surprising to those of us who travel frequently. In that respect, fresh warnings from the FBI about an uptick in hotel Internet-based malware is a bit of a yawner. But it is a good excuse to review some defensive measures.

Let’s start with the news, as written by Network World colleague Michael Cooney:

“The FBI today warned travelers there has been an uptick in malicious software infecting laptops and other devices linked to hotel Internet connections. The FBI wasn’t specific about any particular hotel chain, nor the software involved but stated: ‘Recent analysis from the FBI and other government agencies demonstrates that malicious actors are targeting travelers abroad through pop-up windows while they are establishing an Internet connection in their hotel rooms.’ The FBI said typically travelers attempting to set up a hotel room Internet connection were presented with a pop-up window notifying the user to update a widely used software product. If the user clicked to accept and install the update, malicious software was installed on the laptop. The pop-up window appeared to be offering a routine update to a legitimate software product for which updates are frequently available.”

Many of us have stories about getting infected through bad hotel connections. A work-issued Dell I used to have started its slow descent into death by blue screen after it got infected through an Internet connection I was using during a stay in New York City. I haven’t stayed at a Comfort Inn since that unfortunate 2005 experience.

I trust the five-star business-class hotels a bit more, but you never can tell what you’re getting into. And so I found these tips — emailed to me on behalf of Zscaler’s Kapil Raina — useful enough to share:

1. Update all software prior to leaving a known, safe location. 
2. Ensure you have security software that can protect you on any device, no matter where you are that can be updated for you and covers the latest threats. Remember, Trojans can trick or prevent your anti-virus software from updating.
3. If you must connect to a hotel Wi-Fi network, verify with the front desk the exact procedure (SSID name, process for payment, etc.). You do not want to connect to a fake access point. Some hotels have direct connections (physical cables) you may opt for. In some cases, consider using your phone via 3G/4G as the connection point rather than Wi-Fi.
4. Ensure you have a VPN tunnel enabled at all times in a public location (your hotel room is public from a security perspective). This way, if you have to update software while on the road, you can do so slightly more safely.
5. Never click on a pop-up, ever. No major, reputable site requires a pop-up to work or function. 
6. Confirm via another source that any message indicating a security issue is valid. For example, if you believe an application or web site is indicating a security update is valid, check from another computer (go to the hotel’s businesses computer and check that vendors site for security update notes).
7. Above all else, if you believe that you were hit – put your computer in hibernate or sleep mode until you can get expert help in repairing or restoring the system. Taking the system offline as fast as possible can prevent further data and damage in some cases.”

I’m going to L.A. and San Diego on business next week, but I won’t be using hotel Internet this time. I’ll be staying with friends both nights, and I’ll be relying on my Verizon Mi-Fi. Wish me luck.