|[Panorama view from mountain top near Puerto De Pollensa, Mallorca)|
Ahh... Vacation.. Those days of the year where infosec professionals get some time to glimpse into another parallel world, by some... wifes... referred to as "the real world". Anyway; I like to take a look around, even when I go on vacation. Here's a few security observations made this summer.
|[Results from Secunia online scan at Sunving resort, Alcudia, Mallorca]|
Back in June 2010 I wrote a blog post in Norwegian about some tips for internet junkies going on vacation. One of them was to be careful with publicly available computers at hotels etc. Well, we went back to the same hotel in Alcudia (Mallorca, Spain) this year. The above image shows the results from an online Secunia Online Scan, as the computer was "locked down" to protect both the computer & the user. I'm not expecting much objections when I cry out #FAIL over the results, as seen above.
Going for lunch & dinner at various restaurants in the area, there were lots of signs with info about their WLANs for guest access, including SSID and passwords. What raised an eyebrow with me from the above is trying to understand why the physical security company SecuritasDirect is just using WPA, while our hotel (SUNSPOT) uses WPA2 for providing FB access to their guests? And before you ask; those WEP networks are for guest access at restaurants as well.
During our stay there, I was anxiously waiting for Blackhat Las Vegas to start. And in the flood of information streaming out from every company that is lucky enough to get through with a submission, this story came out about hotel locks being easy to hack. So I had to take a look:
|[Why I suddenly wanted to use that in-room safety deposit box]|
Back to Norway for a quick change of clothes, then went to Denmark for a couple of days visiting family & going to Legoland. Sure brings back lots of memories, but also adds some new ones:
|[Sign appears after 15-20 minutes in line waiting to get on board a canoe]|
(Security) Usability: You have to be pretty stupid if you don't understand the above information when you see the Lego Canoe ride. Judging from the long line of people wanting to get on board with bags, cameras, purses etc, there apparently are many idiots in the world. Oh well, Legoland could still place the sign shown above OUTSIDE the entrance, instead of 1 meter away from where you get on board. (After waiting in line for 15-20-25 minutes with kids screaming for action, you do NOT want to abort mission at the very last second!)
|[Welcome to the Legoland Fire Brigade. You can trust us, just not Windows XP.]|
|[ATM with money slot strengthened to prevent installation/use of cash traps]|
I'm pleased to see that extra equipment to prevent easy mounting of cash traps can be found on ATMs in Denmark. This summer has seen an increase in that type of fraud back home here in Norway, where banks are now updating ATMs with similar equipment as well.
Flying back to Norway through Kastrup airport in Copenhagen suddenly reminded me about my last visit there: that ridiculously stupid Free WIFI solution where you get a captive portal (image below), requiring registration before use. I don't mind registering for getting access, its just that they will send you an e-mail to your registered e-mail address with a link valid for 10 minutes that must be clicked in order to get access. So before you get access, you must access your e-mail and click the link. Bravo Copenhagen airport, Bravo. (In Norway they ask for your cellphone number and sends you a message with user/pass, valid for 1 hour. If you break their AUP, your cellphone number will be enough to identify you, if necessary)
|[Free wifi at Copenhagen airport - anti-usability at its best]|
... or perhaps its just a load of FAT (= grease), with a hint of onion? :-)
|[200 grams of grease with small bits of onion, price approx $2/box)|
Oh well, the real world awaits. Time to sleep a little more before vacation is finally over.