AirBnBeware: Short Term Rentals Long Term Pwnage

Reddit Comments

u/Aabbppll (Sep 07 2019): How safe are google wifi boosters?
Captions
Welcome to this session. Just so we can make sure you're in the right place, this session is AirBnBeware: Short Term Rentals Long Term Pwnage, and our speaker is Jeremy Galloway. The room is South Seas IJ, so if that doesn't make any sense to you, you're probably in the wrong place. A couple of quick notices before we let Jeremy get on. First of all, stop by the Business Hall, located in Bayside A and B; the Black Hat Arsenal is on the Palm Foyer on level three, and of course the Arsenal reception is at five o'clock this evening. If you haven't picked up your merchandise today, it's your last chance to visit the Black Hat swag and book store. A quick reminder: if you've got your phone with you, which I suspect you have, can you put it on vibrate? It's a lot more fun that way and saves disturbing everybody else in the room. So, without further ado, Jeremy. Thanks.

Thank you, guys. Can you hear me okay? Awesome. As Suzy said, my name is Jeremy, and I'm really excited to present AirBnBeware: Short Term Rentals Long Term Pwnage. We've got a lot of content today, so we're going to jump in really fast and keep the fast pace up for the rest of the talk. So let's do it.

As I said, my name is Jeremy, and I love hacking and security with every part of my body. It's something I've been really passionate about since 2002. I try to stay involved, whether it's security groups or conferences or even just submitting a simple bug report to an open-source security project. I love all of you guys; I love this community of intelligent deviants.

So let's jump in with the high-level takeaways. There are a few things I want to convince you of. The first is that Airbnb and these rental networks are, at this point, too big to ignore anymore. Honestly, I probably could have given this talk in 2013 when Airbnb was up and coming, but at this point it's reached absolute critical mass. The next thing is that connecting to these rental networks increases your risk quite a bit, quite a bit more than you might think. The next thing is that home networking hardware, that modem and router sitting there, is really worth targeting. This is a big one. This is something I think our industry and the media get wrong a lot of the time, so it's really important that we try to get it right today: the biggest threats you face aren't from some elite foreign government with zero-days; it's the simple, widespread threats that end up causing the most ownage. Lastly, when attackers don't have physical access to hardware and devices, risk is largely mitigated.

So let me ask everyone here: have you ever gotten on a network, logged on, and started to get a funny feeling, kind of a quiet, eerie feeling, like the hair rises on the back of your neck, sort of an intangible sense that the network is hacked, or that you could hack the network, or that it could be hacked soon? See, we security peeps have this security sixth sense; we sort of know this stuff. But the average person just doesn't; they just don't think twice about it.

I was inspired to give this talk earlier this year. I took a snowboarding trip to Colorado with a bunch of my friends, and admittedly I snowboard like a Texan, so by the last day I was totally beat up. I kind of wanted to lift my spirits, so I thought, oh, I know, I'll go back to the rental and hack the network to mess with my friends' web browsing; that will be hilarious. In my head I was like, okay, cool, it'll take a couple of hours, some poking, some prodding. But when I walked up to the router and just saw it sitting there, I could pick it up, I could look at it, I could touch it, and within five minutes flat I owned the network.

This talk is important not just because hacking is fun and owning networks is a hobby of mine. I'm giving the talk because my friends and I don't stay at hotels anymore; we pretty much only stay at Airbnbs. I have friends and family and people that I love who stay at Airbnbs, and even if they don't rent, a lot of them are property managers, and I don't want them to get owned. I want them to understand the risks and what it really takes to be safe.

Really big disclaimer here: Airbnb is in the title of this talk, but nothing I'm talking about is specific to Airbnb. All short-term rentals are affected. I'm kind of curious: raise your hand if you've ever stayed at a rental or you have a rental property, or ever stayed at an Airbnb. Okay, quite a number of people. So if you've ever stayed at one of these rentals, you know that 99% of the time it's totally cool, no big deal, but sometimes some strange things can happen. I have a friend back in Austin who manages about ten properties, and a suit-and-tie, normal business guy, super proper-looking, came to stay for the weekend, stayed the whole time, left, no big deal. Her maid came through to clean the place up, got to the bathroom, and called my friend: you have got to come see this. My friend rushes over there and sure enough, the bathtub was half full of human hair. The point is, your guests can really surprise you. You don't know what they're doing at that rental.

So I want to shift gears a little bit and think about numbers, and economics specifically. Airbnb is a small part of a much larger economic movement. The economists and the business crowd know all about the sharing economy. Do you? You should. In infosec we like to stay isolated and keep our heads in the sand, but the sharing economy is a global change; it's influencing every industry, including security. It's technically a misnomer to call it the sharing economy; it's more accurate to call it the access economy. But whatever you call it, the economic impact is real, and the gears that drive the sharing economy are efficiency and trust: oh, I need this one thing, I don't want to buy ten of them; oh, I have that one thing, here you go. You can think of it as crowd-based capitalism. You probably recognize a lot of these companies, companies you know and love: Airbnb, Kickstarter, Uber, Instacart. They're all part of this bigger picture. We live in a world where the largest car rental company owns no cars and the largest property rental company owns no property. That's where we're at.

PricewaterhouseCoopers did a really major economic study on the sharing economy a few years ago, and even today this is still one of the most important reports on the topic. Take a close look at this: if you work in security and the cover image doesn't make you uncomfortable, you need to start looking for another job, because this cover is as scary as it is accurate.

Okay, so let's take a closer look at what's actually going on with Airbnb. It's become abundantly clear that short-term rentals have become a major part of the U.S. tourism industry. One estimate puts the market size at a hundred billion, that's billion with a B, and the number of people staying at these rentals has doubled in less than four years. The first time I was going through researching Airbnb I was like, wait, does that say a hundred billion? There's no way. Let me zoom and enhance on that. Did it really say a hundred billion? I just had to check the numbers again. The thing is, a number like a hundred billion is huge and abstract, so I wanted some concrete comparisons to understand it, and I whipped up a little graph. On the far left-hand side, in gray, you see the Las Vegas gaming market, which clocked in at about a 6.3 billion dollar market size last year. That's all of the casinos you see up and down the Strip, every one of them, about 6.3 billion dollars. Next to that, in yellow, is something we're all familiar with, cyber security: big money, right? One over, in purple, at 85 billion dollars, is the global cocaine market. One more over, that's the rental networks at a hundred billion dollars. I wanted a comparison for something larger than a hundred billion, and it wasn't really hard to find: the cloud market. All things cloud in 2015 was about a 110 billion dollar market. So now when I think of rentals, I think they're somewhere in between the popularity of cloud and cocaine.

Any time you're a company of this size you're going to be in the papers a lot, and when you're Airbnb the headlines look something like this: they were valued at thirty billion dollars. What? Thirty billion dollars, that's like an oil company, or Apple. The thing is, it's actually not really surprising once you look at the numbers: a 350x increase in less than five years. If you're an investor, this slide should be making your pupils dilate and your mouth salivate. They have more guests than many small and medium-sized countries. There's targets, I mean listings, I mean targets, everywhere. They've had over 60 million guests stay with them and they have a presence in almost every single country.

In my head I was like, oh man, more numbers, I need to make this more concrete. I think of Starbucks as being ubiquitous, right? There's a Starbucks on every corner, and on some corners there are two. But when you actually look at the numbers, there are 23,000 Starbucks globally. New York City alone, just New York City, has 40,000 Airbnb rentals. Okay, if you add all of these up, 11,000 Walmarts, 30,000 Subways, McDonald's, hotels, every gas station in the world, if you add all of that up it's still not even a drop in the bucket compared to the two million Airbnb rental networks. That's two million networks you could own, two million potentially vulnerable networks. And it's not a U.S. thing; they're in Paris, Rome, Amsterdam, Rio. It's totally a global phenomenon.

Just last year you see headlines like this: a 100 million dollar round; they doubled their bookings again, to 80 million; and then, oh, yet another private round of 1.5 billion dollars. In New York City alone, in 2016, they're projected to generate about 610 million dollars of economic activity. It doesn't take a brilliant financial analyst to understand what's going on here; Weezy can break it down. Airbnb is a money machine, a wildly popular money machine at that. But every headline isn't a good one. This particular study showed that forty percent of people surveyed who stay at Airbnbs admitted to snooping, and when you survey millennials the number jumps to fifty-six percent. The thing is, it's not really all that surprising. I know when I stay somewhere I open the doors and check to see what's open and what's not. It's not that strange to be a little curious, and the same thing goes when you get on the network too.

Now some people are thinking, oh, I'm a business dude, I don't mess with Airbnb, that's just for home users. Well, if you think they've been aggressive about going after the vacation rental market, you haven't seen anything yet. They are going straight for the heart of business travel. Show of hands: has anyone here stayed at an Airbnb or rental through work, either expensed it or booked directly through work? Show of hands. Okay, a few people, but it's getting more and more popular. All the cool kids are already doing it: Google, Salesforce, Twilio, SoundCloud. But they're not doing it because it's cool; they're doing it because it actually makes a lot of business sense. It's really convenient, the rates are much cheaper, they even have specific web apps made for business travel managers to make billing and tracking easier, and they go so far as to give away free credits just to get the business crowd. In short, short-term rentals are business.

Okay, so I want to shift gears and start getting into the tech stuff. In the last six months, show of hands, have you personally, not your significant other, not your network administrator, have you personally updated your router security? All right, a fair amount of people. This is a security crowd, and I'm the security dude, and I don't even normally think about my router unless something comes up.

So I want to get interactive for a little bit; I can't be the only one having fun. I have this really basic wireless router up here, something you'd find in a rental unit. If you're feeling brave, the SSID is shown up here, AirBnBeware, no password to get in, and it's not connected to the Internet. What I want you to do is log in to the router and browse around with an attacker's mindset: what can you change, what buttons can you push, how can you influence the routing on this device? If you connect, please don't be a dweeb: please don't set an admin password, don't DoS the network. Okay? If you don't trust me, if you don't trust the wireless, or if you don't trust your neighbor, you can still totally follow along: take your phone out, take your device out, and if you just google "D-Link emulator", the first hit will give you a full interface that you can log in to, click through, and see the entire router operating system. I will not be offended; I actually want you to go through this while I'm giving the presentation.

I don't know if you remember, earlier I was talking about how you get a funny feeling on a network. I have this mental scale of trust when I connect to a network for the first time. On the far right side is your home network; yeah, I'm totally safe on my home network, I know everything about it, I know the devices, you feel good. Kind of in the middle is a university network. They probably have a really robust network, but there are still thousands of students with malware doing who knows what, so I'm a lot more careful when I'm on a university network. On the far left side is that random hotel kiosk: you type your password in that and you're going to want to change it immediately. For me, Airbnb I'd put at about 15 to 20 percent. It's not total chaos, but you should be aware; when it comes to security you're usually just crossing your fingers going, I hope it's okay.

A quick look at a basic home network: you've got clients, you've got your home router, and the Internet. As an industry, we do a really good job of protecting clients. You've got AV and code signing and local security policies; if you work at a bigger company or a modern tech company you might even have an endpoint agent installed on your device. On the server side we do a really good job too: we spend a lot of time making certificates and firewalls, we've got all these bug bounty programs and input filtering. But on the home router side we basically have two things: the password-protected admin panel, and the lack of physical access to the device. And that makes me really sad. That's the only thing protecting these networks.

So when you connect to these rental networks you're exposing yourself to more risk. But how much risk? Can it actually be quantified? If you've ever taken a sexual health class, or sex education, or a health class, you might have learned about something called sexual exposure. What is it? It's basically an algorithm that helps quantify risk. In this example the numbers I'm using are from national averages. The first thing it asks you is how many partners you've had; put in seven. Approximately how many partners have they each had? Four. So even if you've only directly had contact with seven people, you're actually indirectly exposed to over 9,000 people. That's right, over 9,000 people. The way that's actually calculated, how you go from 7 to 9,000, is using something called a finite geometric series. Now, if you ask me about finite geometric series during the Q&A, I will throw my laptop at you like a Pokémon. The whole analogy is that even if you've only stayed at three or four Airbnbs, you might actually be exposed to all kinds of people that have been on the network before you. I want you to think twice before having a one-network stand. It's a silly phrase, but it's a serious warning, and I think the comparison of trading convenience for risk actually makes a lot of sense. Oh, I know I should be using better security, but it's just this one network, it's fine. I don't know, is it? That's why we land here on the scale of trust. Do you feel safe? You shouldn't feel safe.

I hope a lot of people in the audience recognize this GIF. This was one of my favorite hacks of 2012. The image, of course, is of the Internet Census 2012, where an anonymous researcher popped like 400,000 boxes and scanned the Internet. In his report he had this to say: the vast majority of all unprotected devices are consumer routers and set-top boxes. Now this particular attack, and some of the other attacks I'm about to talk about, were done remotely, but I want you to keep your focus on the what, not the how. The what is the network layer.

Back in 2007, and this was really funny, totally nostalgic for me: in 2007 you'd visit this adult website and they're like, oh, you need to install a codec. I'm like, did we travel back to the '90s? It asks you to install this backdoored DMG, and essentially the only thing it did was add a malicious DNS server to the operating system. But don't worry, Macs don't get viruses, so it's probably okay. Fast-forward a little bit: Operation Ghost Click, run by the FBI. The thing is, I'm about as anti-authoritarian as they come; I give the spooks a lot of flak, but this was a major coordinated takedown that actually resulted in many arrests. There was a cybercrime ring using DNS-changing malware to perpetrate click fraud. Users would browse the web and they'd replace ads, and they made over 14 million dollars before it got shut down. Fast-forward a little more, 2013: Polish CERT published information about another DNS-changing malware, this time targeting Polish banking users. I have to say, this was a really creative attack. These banking customers were sent a phishing email, and whenever you clicked the link in the phishing email it launched a cross-site request forgery attack against your local router. The user clicks the link, and the request forgery tries admin/admin, admin/password, admin/blank, and it keeps doing this until it gets into the router. Once it got into the router it would add a malicious DNS server. Then the users would go to visit this Polish banking website, get man-in-the-middled, get redirected to a phishing page, and their accounts were harvested.

In 2014 we had a bit of a stir in the industry when TheMoon was discovered. It only owned a thousand routers, but because it was self-replicating it got a lot of attention and got a lot of people talking, including Dan Geer. Dan Geer had this to say: the router situation is as touchy as a gasoline spill in an enclosed shopping mall. When Dan talks, I listen, and you should listen too; he's one of the smartest and most articulate guys in our industry. To me, the router situation is best exemplified by a raging dumpster fire. That's where we're at with security. Even sooner, while I was doing research for this, this happened just a few months ago: there was an attack targeting South Koreans that affected over a hundred thousand people. It was a Trojan, but what it did was install a malicious proxy file in the user's browser, so it was attacking that network proxy layer. Fast-forward all the way up to today: yesterday you had Crippling HTTPS with Unholy PAC, right now there's a BadWPAD talk going on, and later this week Toxic Proxies at DEF CON. All of these are focusing on that proxy network layer.

Obviously I could not be standing here without standing on the shoulders of giants. Two years ago Dr. Paul Vixie and a couple of guys from CERT did a talk on abuse of customer premises equipment. That's very CERT-type jargon; it's really just another way of saying all of your local network at home. With regard to threats, they had this to say: the home router is a network proxy for most things on your home network, so you own that, and even well-defended devices on the home network are at risk. I love CERT, I love the advice they give, and this was a great talk, but it doesn't even begin to cover the threats of letting other people touch your hardware, or of using other random networks.

At this point you might be wondering, okay, everybody's popular, I get that there's some risk, but really, what's the difference between Starbucks Wi-Fi and an Airbnb? Is there really any difference? There is a difference: it's hardware. Physical access changes everything. If you let an attacker have physical access, that's it, it's game over. You all know about APTs, right? I have a new APT: the Average Paperclip Threat. You don't need to be MacGyver to use this. If you can walk up to a router and undo a paperclip, you can be an APT. That's the only thing it takes to wipe out an entire layer of security. So that password-protected admin panel? It's not really much protection. Honestly, you don't even need to reset the router most of the time: if you can walk up to that router, pick it up, put it to your face and look at it, you have the default credentials right there. It just doesn't get easier than that. When an attacker can touch your hardware, you don't just have bad network security, you have no network security.

All the attacks we've talked about, none of this requires a 0-day or crazy exploit code. Things like changing DNS servers, using WPAD to push proxies, these are old techniques. I know in our industry we're all about cutting-edge, cloud 3.0, containerized front-end big data, but I'm here to tell you network hacking isn't dead yet. Just last year the EFF sponsored SOHOpelessly Broken, a router hacking contest, and they published dozens of vulnerabilities for home routers. You have specific hacking resources just for routers: sites like Routerpwn can find default passwords and security bypasses. You have the big players in the game: Metasploit has had backdoors for Netgear, Belkin, and Linksys routers for years. They even have specific content and pre-built tools focused on embedded router hacking. It's just too easy. What I like to say is, if a bored teenager can hack your network, you're in trouble. Here are a few bored teenagers you might recognize: this is Jeremy Hammond at DEF CON in 1999; you had c0mrade, who rocked NASA really hard when he was 15 years old, was indicted shortly after that, and killed himself; Jake, this 14-year-old kid, hacked Xbox Live and hacked Call of Duty 2. Would you feel secure with them on your network?

So let's talk about attacks. Go ahead and log back in to the router if you want to follow along looking at the router interfaces. Some people are asking, oh come on man, is it really that bad? Well, when your network is owned, the impacts are things like exposure of sensitive information, modification of trusted data, and injection of data. So yeah, it is that bad; it doesn't get much worse than that.

One of the easiest attacks you can perpetrate on a router is just enabling remote administration. That way you can log back in a week from now, a month from now, six months from now, long after you've stayed at the Airbnb. The funny thing is, even though the software on these routers is terrible, they actually have some features. On this particular router you can create an inbound filter so that only you can remotely manage the device; if you scan it from the Internet, from the outside, you won't see anything. One of the scariest types of attacks, I think, is the passive adversary that just sits, waits, and listens. You can do things like add yourself as a syslog server to keep tabs on what's going on in the network. You can even use dynamic DNS to remotely manage the network: the modem is probably using DHCP, so the IP address is going to change, and you can use this so you always have tabs on it.

One of the simplest attacks ever can be done in just a couple of clicks. All you do is back up the router settings, download a GUI Windows program called RouterPassView from NirSoft, Next, Next, Next, load up the backup file, and it spits out plaintext credentials. Dead simple tool, anyone can use it. It can reveal things like PPTP passwords, L2TP passwords, ISP credentials, and more.

If you want to be a troll on a network and you control the router, you can do things like block access to specific websites. One of my favorite things to do when I hack my friends' networks is just turn on parental controls; they hate that. You can do troll things like reducing the speed of the network, changing it from full duplex to half duplex. If you want to get a little more malicious, you can start adding hosts to the DMZ. If you add a host to the DMZ, it basically removes that network firewall, so the client is just sitting there naked on the Internet, and a lot of attacks that only work over a LAN, or that only work with a full man-in-the-middle, will actually work over the full Internet. You can do really innocuous things like reducing the security by enabling "security" features: you turn on WPS, and that's a hard setting to detect that someone changed; for the average person it's really hard to notice things like that. You can even add yourself as an NTP server to control network time. Admittedly I only know of one attack that's based on NTP, the iOS auto-bricking update issue we saw earlier this year, but the point is that you can deeply influence various aspects of the network if you control these routers.

Of course, you can't talk about router hacking without someone mentioning firmware modification. Realistically, this is a fairly advanced attack; it takes a lot of effort, a lot of time, and more importantly a lot of motivation. But it is plausible, and it would be extremely, extremely difficult to detect. Along the same lines would be remote administration through something called TR-069. TR-069 is what ISPs use to push out firmware updates and send updates to routers. If you remember RomPager, or the Misfortune Cookie vulnerability last year, that was based on TR-069. Again, it's more advanced, but it's totally plausible.

These being routers, it should be no surprise that they let you change and manipulate the routes. Add yourself as a network gateway and you can start your man-in-the-middle attack; it's that easy. You can make static routes, you can make yourself the network gateway. If there are any CCNA holders in here, you'll appreciate this: you can actually program this router with RIP. The attacker just sits back waiting; they can manipulate the traffic, or they can just watch you.

A lot of the talks I mentioned earlier focused on DNS, so it's definitely a prime target. Show of hands, does anyone know why an attacker might want to change one DNS server but not both? You can just shout it out if you know. Exactly: you don't want to overload yourself. When they load up Netflix or some not-safe-for-work site, you don't want all that traffic flooding your DNS server so much that it's going to knock it over. You want to make sure things still look legit. When an attacker gets control of DNS, it looks something like this. Yeah, it's basically just like that. The reason is that once you get that DNS foothold in the network, you're opened up to a lot more attacks: SSL downgrading, phishing, pharming, capturing hashes, sending malicious updates to computers, and even some of those WPAD attacks we talked about earlier. Specifically with WPAD, if you can answer a WPAD DNS query, that network is in trouble. That network is like Shane McMahon getting stunned, and your network is left dead flat on its back. That's what happens if an attacker controls WPAD on your network.

For the attacker, the hardest thing is picking which attack they want to use. There's no zero-day; there's almost no exploit code at all. If you use Metasploit's autopwn there's exploit code in there, but those are people's tools. You don't really need a lot of infrastructure; these attacks can be totally automated, they can be passive, and they can be really difficult to detect, because there's so little forensic recording done on a router. You can wipe the logs, no problem.

So I'm going to give you a quick little demo. For this demonstration, me as the attacker, all I've done is log into the router and add my DNS server. Let's see what it looks like from the client side. With videos there are no demo gods, so this should work. All right: oh cool, just got to my Airbnb, man, I'm trying to get on the Internet, let's see, it's time to Netflix and chill. Okay, let's see, Netflix. What? What the hell? "Secure Wi-Fi"? Now hold on, let's try Hulu and chill. Okay, Hulu and chill, man, what is this thing? It wants me to authenticate, blah blah blah, Secure Wi-Fi, secure router, enter your username and password. Okay, sure: username jgalloway, password, this password is super secure. Boom. Okay, cool, let's see if we can browse the Internet now. Let's try good old Google, see if that'll get us there. Type it in, okay, cool, we're on the Internet, back to Netflix and chill. At this point the user has completely forgotten about the captive portal, and on the attacker side we've got a few things going on. You see a lot of these domains and things scrolling by; all of these are web requests coming from people on the network, hey, I'm trying to reach this resource, and we're saying no, go to my captive portal, go to my captive portal. We're sitting there waiting, and boom, we just got their credentials. These are the NTLM hashes; we can copy these and crack them later. Up here you see things like: anything that ends in .com, come to me; anything that matches my wildcard, send to me; and once they send the NTLM hashes, send them back to the regular Internet. At that point the attacker's got you. Pokémon can make anything funny, but if those are creds to your corporate network, you wouldn't be laughing.

I don't want you to focus on that particular attack; that was really just an example of a whole range of attacks you can perform. You can be really subtle, like the actors from Operation Ghost Click just replacing ads, or you can be more direct: you can force users to your page, you can customize the attack based on their traffic, you can be an annoying troll, or you can perpetrate some devastating attacks. Some of the attacker types you might want to consider: Bobby Tables, that bored teenager whose mom and dad are off cross-country skiing for a few hours, and he's just bored at home and wants to play on the network. You have trolls, and you have full-blown black hats out there. Honestly, admittedly, I don't think there's going to be any kind of multi-million dollar crime ring from Airbnbs; I wouldn't worry about that. What I would worry about is the opportunistic criminal: the guy that's not trying to rob the bank, the guy that's trying to walk up and just check to see if you left your car door unlocked. That's the threat we're talking about here.

With these attacks you can't target an individual person, but you can do some semi-targeted attacks, like targeting conferences and trade shows. I know for a fact, I can guarantee, many people at Black Hat and DEF CON are staying at Airbnbs right now. You can target specific locations: think about super hipster developer neighborhoods in Silicon Valley and San Francisco and the people that stay there. Even in D.C., you can target high-end rentals for high-end targets. Even things like military bases: there's a military graduation, thousands of people come in to see it, the hotels get booked up, and a lot of people end up staying at Airbnbs. Now, a military professional would not send their secret credentials over an Airbnb network, right? Right. It just makes me really sad that that's how bad it is.

Dan Kaminsky spoke yesterday; he's one of the key holders to DNS, one of the key holders to the Internet, so thank you, Dan. ICANN goes through crazy measures to make sure your DNS is secure: they have these keys, locked cages, iris scanning and smart cards and weight detection and all this stuff. This is how ICANN secures your DNS. This is how you secure your DNS. Do you have a security computer that says no?

So let's shift gears a little bit. We talked about all the ways you can get owned, so I want to spend some time talking about how you can keep yourself safe on these nasty networks. The first thing is simple: hard-code DNS on your devices, whether it's Google DNS or OpenDNS. Hard-code it into your phone, hard-code it into your laptop, whatever device you're using; it's really easy. The next thing is, you definitely want to make sure that automatic proxy discovery is turned off; that's what WPAD attacks use. Admittedly, the WPAD issue does affect Windows computers more; they're a lot noisier. But even if you run a Mac, it's a good idea to just check and make sure the automatic proxy setting is turned off.

Of course, you can't talk about using insecure networks without talking about VPNs. I have no official relationship with TunnelBear; I don't use their paid product or anything like that, but I really like their software because it's so simple. Most VPN software is needlessly complex; this software is one click to install a browser extension and one click to turn the VPN on. Admittedly, with any free service, especially services like this, there are definite limitations. In this case they limit your traffic to 500 megabytes a month, which is pretty small, but you don't need to be VPNing your Xbox Live, you don't need to VPN your video streaming all the time. What you should do is turn it on when you need to make a secure transaction: when you need to buy that plane ticket, when you need to log in and check that email. I know a lot of you are thinking, oh, I'm good, I've got a corporate VPN, I've got that Cisco VPN set up, I'm safe. Well, I hope you have time to check out some of those other talks, because you might not be as secure as you think. Many of these corporate VPNs are actually still vulnerable to some of those proxy attacks, and a lot of corporate proxies, most of the ones I've used, implement something called split tunneling. Split-tunnel routing means that if you try to access internal.myoffice.com it goes out the VPN, but if you try to access Facebook or Gmail it goes out the other connection, and that ends up leaving you really exposed. So even if you use a corporate VPN, make sure you're not leaking anything. This one's a little less obvious for people, I think: if you just straight up don't trust the network, you should use a mobile app off of Wi-Fi. This way the client can verify the server and the server can verify the
client all without touching the rental network at all another really simple option turn your phone into a hotspot bypass the network entirely again you're using your mobile data so you probably don't want to go pirating like 10 blu-rays but if the network isn't trusted it's a really easy option to have a side Channel of course I probably need to tell you guys this never use plain text off even if you're using a VPN never use plain text aw think of Lana from Archer nope and of course use two-factor for every account that you care about so these are someone like the technical mitigations but there's actually something way more important than that stuff I want you guys to focus on behavioral medications things that actually change the we think about security things that change the way you interact with your devices if I could give one piece of advice one piece of security advice to the average user I would tell them to watch mr. robot if you watch that show you're exposing yourself to more security than 99% of the population there's people in our community see junkie helps edit the show and make sure that the hacks are actually accurate and if you watch that you're at you'll be at the top 1% this is something I can't reiterate enough just be skeptical when you're off of your trusted network be skeptical be aware think about the first time you travel out of the country or the first time we traveled somewhere new you don't want to be paranoid but you know you want to be cautious you want to beware so even if you're just traveling at an air B&B in the United States you should still be really cautious be aware be skeptical so it's really important we do everything we can to protect ourselves but it's really really important that we hold website owners accountable for delivering the best security possible that means things like asking that they support stand like HTTP HTTP strict Transport Security and things like HTTP public key pinning security standards like this public 
key pinning can stop a man-in-the-middle attack dead niche tracks unfortunately it's not that widespread net craft did a survey of the entire Internet they scan the entire internet for public key pinning and they found that less than 3,000 sites were doing it correctly so the thing is these things don't change unless you demand them so if you want better network security you need to demand it so I had a lot of interest from property owners when I started talking about this they were really interested in it they really care about keeping their guests safe single best piece of advice remove physical access take that router lock it in a closet lock it in a secured room if you stay at an Airbnb you know it's normal for there to be a locked closet or a lock room it's not that crazy think of our Kelly keep your hardware trapped in the closet okay real life you can't always just like move your hardware around in real life a lot of times your gear is kind of it is where it is and I really like these pieces of atypical hardware it's like these electronic enclosures they make them specifically for Wi-Fi access point so it's not going to do anything like diminish the signal it's not going to degrade the wireless but you lock this thing up and it keeps it keeps it away from the people that are curious they have indoor/outdoor models for these things there's plenty of sizes and shapes to accommodate your hardware now the thing is I tell this to a hacker the first thing they're gonna say is man I could pick past that lock in five minutes and if J Gore were here I bet he could pick it in 30 seconds but the point isn't to create perfect security the point is to raise the bar keep honest people honest right now the only thing an attacker needs to do to own a network is one - okay we just need to make it a little bit harder than that I know this sounds crazy you could just not offer Wi-Fi gasp I know I know it sounds crazy but I've actually stayed at multiple Airbnb is for a night 
and just use my mobile network it was honestly not a problem this is something you guys probably no never ever share your personal Wi-Fi connection so even if the attacker doesn't have access to it you know their routers in your front house and they're staying in the back house you should still never share your wireless connection you're just exposing yourself far too much instead just get a separate low bandwidth line it's inexpensive if you're using Airbnb as a business it makes business sense to do that some other options you can just backup and restore your router settings every once in a while I'm not saying do it after every guest but just make it part of your air B&B routine maybe do it every few months this is a really big one it's some of the nicer Airbnb is I've stayed at they have these guest guides and they say things in there it's like a nearby entertainment and nearby restaurants and it's really easy just to add a couple lines about online safety and security I mean you don't need to write a whole diatribe just a couple lines that reminds people to be safe online and be skeptical and be aware so unfortunately I can't leave you guys with with good news the thing is this problem is not going away it's not going away anytime soon so rain forest puppy disclosed sequel injection and frack back in 1998 so tell me why is it that we've been saying 2011 year of the breach 2012 year of the breach 2016 year of the breach sequel injection has been the root cause for many many many of these breaches even though it's almost two decades old why why because it's simple its widespread and there's no easy fix there's no update you install to fix sequel injection and the Airbnb Network situation is the same thing there's no one button push there's no CVE to result there's no update there's no one-button fix so start wrapping this up guys some of the takeaways in conclusion whether you're staying at a rental or not just you be skeptical and be aware when you're traveling 
and if you don't trust the network you don't trust the network at all just don't use it use a VPN use your mobile data be conscious ABI of that risk convenience trade-off when you have a one network stand use network protection a PT's average paper clip threats they're simple but potentially devastating and finally if you love security never let an attacker have physical access so I'm gonna give you guys a little bit of homework I want you guys to ask security professionals and hackers here at blackhat and at DEFCON ask them that they would use an airbnb network without a VPN and then ask them what they do to protect themselves and their devices when they're on a random network thank you guys for time thank you for sharing your blackout with me if you want to get in touch or if you want to send me your best phishing email you can reach me here if you guys want to bounce you can if you want to stick around I think we have just a couple minutes for Q&A if you'd like if there are any questions all right thank you guys
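The demo above has three observable signatures on the wire: the guest device is handed a resolver it did not ask for, every name it looks up resolves to the same address (the captive portal), and a WPAD query gets a positive answer. The detection below, an added example that is not part of the talk or the speaker's own tooling, turns those three signatures into checks over DNS query logs and also covers the talk's first mitigation (hard-coded resolvers) by flagging any client using a resolver outside the allowed set. The one-record-per-line log format, the sample log, the trusted resolver list and the wildcard threshold are all constructed assumptions for the example; adapt `parse_line()` to whatever your resolver or capture tool actually emits.

```python
"""Detection logic for the DNS-hijack / captive-portal pattern from the talk.

Added example, not from the talk.  It runs over constructed DNS query log
lines in a hypothetical one-record-per-line format; adapt parse_line() to
whatever your resolver or packet capture actually emits.
"""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+client=(?P<client>\S+)\s+q=(?P<qname>\S+)\s+"
    r"type=(?P<qtype>\S+)\s+resolver=(?P<resolver>\S+)\s+answer=(?P<answer>\S+)$"
)

# Resolvers the talk says to hard-code on guest devices (Google DNS, OpenDNS).
# Which ones you trust is an assumption for this example; set your own.
TRUSTED_RESOLVERS = {"8.8.8.8", "8.8.4.4", "208.67.222.222", "208.67.220.220"}

# Distinct registrable domains that may share one A answer before we call it a
# wildcard redirect to a captive portal.  Threshold is an assumption; tune it.
WILDCARD_THRESHOLD = 4

# Constructed sample: 192.168.1.23 got the attacker's resolver (192.168.1.66)
# via DHCP and everything it asks for lands on the portal; 192.168.1.40 has
# Google DNS hard-coded and gets real answers.
SAMPLE_LOG = """\
2016-08-03T10:00:01 client=192.168.1.23 q=netflix.com type=A resolver=192.168.1.66 answer=192.168.1.66
2016-08-03T10:00:02 client=192.168.1.23 q=hulu.com type=A resolver=192.168.1.66 answer=192.168.1.66
2016-08-03T10:00:03 client=192.168.1.23 q=www.google.com type=A resolver=192.168.1.66 answer=192.168.1.66
2016-08-03T10:00:04 client=192.168.1.23 q=mail.example.com type=A resolver=192.168.1.66 answer=192.168.1.66
2016-08-03T10:00:05 client=192.168.1.23 q=wpad.lan type=A resolver=192.168.1.66 answer=192.168.1.66
2016-08-03T10:00:06 client=192.168.1.40 q=netflix.com type=A resolver=8.8.8.8 answer=52.1.2.3
2016-08-03T10:00:07 client=192.168.1.40 q=wpad.lan type=A resolver=8.8.8.8 answer=NXDOMAIN
"""


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def registrable(qname):
    """Crude eTLD+1 (last two labels); good enough for the sample domains."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def analyse(lines):
    """Return a list of (kind, subject, detail, answer) findings.

    kinds:
      wpad_answered      - a WPAD lookup got a positive answer (a proxy can be pushed)
      untrusted_resolver - client is using a resolver we did not hard-code
      wildcard_redirect  - one IP is the answer for many unrelated domains
    """
    findings = []
    seen_resolvers = set()
    answer_domains = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        qname = rec["qname"].rstrip(".").lower()
        answered = rec["answer"] != "NXDOMAIN"
        # Signature 1: WPAD resolved at all.  Hard-coded DNS plus "automatic
        # proxy discovery off" on the client is what prevents this from mattering.
        if qname.split(".")[0] == "wpad" and answered:
            findings.append(("wpad_answered", rec["client"], qname, rec["answer"]))
        # Signature 2: the client is talking to a resolver outside the pinned set.
        key = (rec["client"], rec["resolver"])
        if rec["resolver"] not in TRUSTED_RESOLVERS and key not in seen_resolvers:
            seen_resolvers.add(key)
            findings.append(("untrusted_resolver", rec["client"], rec["resolver"], ""))
        # Collect answer -> domains for the wildcard check below.
        if rec["qtype"] == "A" and answered:
            answer_domains[rec["answer"]].add(registrable(qname))
    # Signature 3: unrelated domains all resolving to one address (the portal).
    for ip, domains in sorted(answer_domains.items()):
        if len(domains) >= WILDCARD_THRESHOLD:
            findings.append(("wildcard_redirect", ip, ",".join(sorted(domains)), ""))
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG.splitlines()):
        print(*finding)
```

Running it against the constructed log reports the hijacked client three times (untrusted resolver, WPAD answered, wildcard redirect to 192.168.1.66) and nothing for the client with hard-coded Google DNS. The wildcard check is the one that survives an attacker who is selective rather than catch-all: it keys on the answer address, not on any particular domain, so a portal that only intercepts a handful of popular sites still shows up once the threshold is crossed.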
Info
Views: 130,090
Rating: 4.238318 out of 5
Keywords: Black Hat USA 2016, Information Security, BlackHat, Black Hat, InfoSec
Id: 9fAnRkJ6N3s
Length: 44min 37sec (2677 seconds)
Published: Tue Aug 16 2016