'Whilst using a hotel internet service, did you ever wonder about security? According to Roger Grimes InfoWorld article "A Constant State of Insecurity" you have good reason to ask this question about public networks.

Grimes reports that “an acquaintance traveled around the world sniffing wireless and internet service access for passwords and was shocked at her findings. While I could think of better ways to spend my travel time, she used a program named Cain & Abel and her laptop to sniff the packets that passed through her NIC (network interface card). On an average day she could pick up 118 different unsecured passwords. How is this possible?

For one thing, most hotels use a hub for connecting everyone to the internet. A hub connect all devices as equals, meaning that every packet is passed to every device, including laptops. It is kind of like having all of the laptops on the same wire. So if you were entering a password or sending an email message, the packets with the password or message would pass through each and every laptop (device) in the hotel network and then to the internet, and therefore, is sniffable by any laptop running programs like Cain & Abel. In addition, most public networks do not use encryption, and, evidently, neither do laptop users.

According to Grimes, 41% of the passwords came from HTTP or webpage-type password entry. Nearly 40% of the passwords were entered for POP3, SMTP, or IMAP which are email protocols. The rest were stuff like FTP (File Transfer Protocol), ICQ (Chat), TelNet (interface for legacy accounting programs)….

Now this part is interesting: “My friend” found passwords to people’s TiVos, online poker games, and online chatting communities. What disturbed her was that often these personal passwords were identical to the use’s corporate passwords.

Now how scientific can this test be? An unidentified “acquaintance” travels the world for an unspecified period of time and sniffs however many connections at unidentified hotels and comes up with blaaa! Well, confession time, I had to try it myself. Saturday I went to lunch at a large Charleston hotel armed with my WiFi laptop loaded with Cain & Abel. I sat down at the table, started the program and ordered my meal. In just one hour I picked up 31 different user names and passwords, 18 were email protocols and 7 were web-based protocols. My experiment was not very scientific either, but it did highlight the danger of using public networks to access private information without encryption.