[Script Info]
Title:

[Events]
Format: Layer, Start, End, Style, Name, MarginL, MarginR, MarginV, Effect, Text
Dialogue: 0,0:00:00.00,0:00:16.60,Default,,0000,0000,0000,,{\i1}33C3 preroll music{\i0}
Dialogue: 0,0:00:16.60,0:00:21.66,Default,,0000,0000,0000,,Herald: So many of us\Ntraveled to this Congress.
Dialogue: 0,0:00:21.66,0:00:24.87,Default,,0000,0000,0000,,Probably most of us. And we all took
Dialogue: 0,0:00:24.87,0:00:29.65,Default,,0000,0000,0000,,trains, or planes, or… maybe somebody
Dialogue: 0,0:00:29.65,0:00:33.25,Default,,0000,0000,0000,,drove by car. But most\Ntook trains and planes.
Dialogue: 0,0:00:33.25,0:00:36.87,Default,,0000,0000,0000,,And have you guys ever wondered\Nabout the infrastructure
Dialogue: 0,0:00:36.87,0:00:40.97,Default,,0000,0000,0000,,of those travel booking systems?
Dialogue: 0,0:00:40.97,0:00:45.25,Default,,0000,0000,0000,,Even more interesting, have you ever
Dialogue: 0,0:00:45.25,0:00:49.36,Default,,0000,0000,0000,,thought how secure those systems are?
Dialogue: 0,0:00:49.36,0:00:56.73,Default,,0000,0000,0000,,Karsten Nohl and Nemanja Nikodijevic…
Dialogue: 0,0:00:56.73,0:01:02.03,Default,,0000,0000,0000,,Karsten has a really nice record\Nof security research.
Dialogue: 0,0:01:02.03,0:01:06.97,Default,,0000,0000,0000,,He had talks about GSM protocols
Dialogue: 0,0:01:06.97,0:01:11.24,Default,,0000,0000,0000,,and last year he had his talk\Nabout payment system abuse
Dialogue: 0,0:01:11.24,0:01:13.34,Default,,0000,0000,0000,,which was really interesting.
Dialogue: 0,0:01:13.34,0:01:21.08,Default,,0000,0000,0000,,Together with Nemanja, he will show us\Nhis research on travel booking systems.
Dialogue: 0,0:01:21.08,0:01:25.38,Default,,0000,0000,0000,,And probably we will find out\Nhow we can get home free.
Dialogue: 0,0:01:25.38,0:01:31.84,Default,,0000,0000,0000,,Please give a really, really warm\Nwelcome to Karsten and Nemanja!
Dialogue: 0,0:01:31.84,0:01:41.42,Default,,0000,0000,0000,,{\i1}applause{\i0}
Dialogue: 0,0:01:41.42,0:01:45.33,Default,,0000,0000,0000,,Karsten Nohl: Thank you very much!\NAlways feels great to be back!
Dialogue: 0,0:01:45.33,0:01:49.97,Default,,0000,0000,0000,,I just today noticed that the first time\NI was speaking at this conference
Dialogue: 0,0:01:49.97,0:01:54.48,Default,,0000,0000,0000,,is 10 years ago. So 10 years of…
Dialogue: 0,0:01:54.48,0:01:59.54,Default,,0000,0000,0000,,{\i1}applause{\i0}\N…thank you.
Dialogue: 0,0:01:59.54,0:02:04.55,Default,,0000,0000,0000,,10 years of looking at 10 different legacy\Nsystems and finding vulnerabilities
Dialogue: 0,0:02:04.55,0:02:10.79,Default,,0000,0000,0000,,in all of them, so far. A lot of them were\Naround RFIDs, or mobile protocols.
Dialogue: 0,0:02:10.79,0:02:14.61,Default,,0000,0000,0000,,This time we’re looking at something\Ncompletely different, travel booking
Dialogue: 0,0:02:14.61,0:02:18.93,Default,,0000,0000,0000,,systems. And vulnerabilities in there.
Dialogue: 0,0:02:18.93,0:02:23.15,Default,,0000,0000,0000,,Relative to some of the other talks we’ve\Nbeen giving, this will have less ‘hacking’
Dialogue: 0,0:02:23.15,0:02:28.80,Default,,0000,0000,0000,,in it. Not because we lost our interest in\Nhacking but because much less hacking
Dialogue: 0,0:02:28.80,0:02:32.32,Default,,0000,0000,0000,,was actually needed to exploit\Nvulnerabilities here. {\i1}laughter{\i0}
Dialogue: 0,0:02:32.32,0:02:36.76,Default,,0000,0000,0000,,So, sorry for that if you expected a lot\Nof hacking. There’ll be a little bit,
Dialogue: 0,0:02:36.76,0:02:41.93,Default,,0000,0000,0000,,that’s why Nemanja is here, but\Na little bit less than usual. So we’re
Dialogue: 0,0:02:41.93,0:02:48.14,Default,,0000,0000,0000,,talking about travel systems. And there\Nare 3 main players, or actors
Dialogue: 0,0:02:48.14,0:02:53.33,Default,,0000,0000,0000,,in the commercial travel world. There are\Nthose people who provide travelling,
Dialogue: 0,0:02:53.33,0:02:59.10,Default,,0000,0000,0000,,airlines and hotels. There’s those people\Nwho help you book them, Expedia,
Dialogue: 0,0:02:59.10,0:03:04.19,Default,,0000,0000,0000,,websites like that or traditional travel\Nagencies. And then there’s brokers
Dialogue: 0,0:03:04.19,0:03:10.08,Default,,0000,0000,0000,,who make sure that whatever is available\Ncan be booked through those agents.
Dialogue: 0,0:03:10.08,0:03:15.45,Default,,0000,0000,0000,,So those are really the backbone of travel\Nsystems but you don’t really think
Dialogue: 0,0:03:15.45,0:03:19.38,Default,,0000,0000,0000,,about them much, or at least I didn’t\Nbefore looking into this research.
Dialogue: 0,0:03:19.38,0:03:25.97,Default,,0000,0000,0000,,The systems are very useful, as global\Nsystems. In fact, they’re called “global
Dialogue: 0,0:03:25.97,0:03:30.25,Default,,0000,0000,0000,,distribution systems”. And that tells you\Nhow old they are. This is before
Dialogue: 0,0:03:30.25,0:03:34.20,Default,,0000,0000,0000,,the internet was there. They go back to\Nthe 80ies and 70ies. So there was only
Dialogue: 0,0:03:34.20,0:03:38.30,Default,,0000,0000,0000,,one system that deserved the name\Nof a global distribution system of,
Dialogue: 0,0:03:38.30,0:03:43.03,Default,,0000,0000,0000,,in this case, data. And this was\Ntravel system. So it makes sense
Dialogue: 0,0:03:43.03,0:03:48.09,Default,,0000,0000,0000,,to have these systems because, of course,\None seat on an airplane shouldn’t be sold
Dialogue: 0,0:03:48.09,0:03:51.28,Default,,0000,0000,0000,,multiple times, so there needs to be\Na global inventory somewhere.
Dialogue: 0,0:03:51.28,0:03:55.80,Default,,0000,0000,0000,,Also all airlines should be using just\Na few systems so that they can do
Dialogue: 0,0:03:55.80,0:04:00.16,Default,,0000,0000,0000,,'codeshare agreements', e.g. so that,\Nagain, the same seats on a flight
Dialogue: 0,0:04:00.16,0:04:05.46,Default,,0000,0000,0000,,aren’t booked multiple times. And,\Nconsequently, these booking systems,
Dialogue: 0,0:04:05.46,0:04:13.11,Default,,0000,0000,0000,,they maintain three types of information.\NThe first one, you are probably most
Dialogue: 0,0:04:13.11,0:04:19.38,Default,,0000,0000,0000,,aware of, are the prices. Airlines will\Nput their price lists into these systems
Dialogue: 0,0:04:19.38,0:04:23.96,Default,,0000,0000,0000,,for booking sites to fetch. They’re\Ncalled ‘fares’ in the travel world.
Dialogue: 0,0:04:23.96,0:04:28.64,Default,,0000,0000,0000,,The next important data item in there is\N‘availability’. So not everything can be
Dialogue: 0,0:04:28.64,0:04:33.29,Default,,0000,0000,0000,,booked that has a price. There needs to be\Na seat available at a certain booking class.
Dialogue: 0,0:04:33.29,0:04:37.80,Default,,0000,0000,0000,,And, finally, when somebody does find an\Navailable seat to a fare that they want
Dialogue: 0,0:04:37.80,0:04:42.05,Default,,0000,0000,0000,,to purchase that is then converted into\Na ‘reservation’. So this is after the seat
Dialogue: 0,0:04:42.05,0:04:48.77,Default,,0000,0000,0000,,is taken. You may have seen some of this\Ninformation before on travel web sites.
Dialogue: 0,0:04:48.77,0:04:54.66,Default,,0000,0000,0000,,Let me just show you the one that I like\Nto use the most. The ‘ita matrix’, has
Dialogue: 0,0:04:54.66,0:04:57.93,Default,,0000,0000,0000,,been bought by Google a few years ago.\NSo you can’t actually book through
Dialogue: 0,0:04:57.93,0:05:03.34,Default,,0000,0000,0000,,here any more. But they maintain the\Ninterface for whatever reason. And so,
Dialogue: 0,0:05:03.34,0:05:07.17,Default,,0000,0000,0000,,let’s say you search for a flight to\NSan Francisco from here, at the end
Dialogue: 0,0:05:07.17,0:05:13.65,Default,,0000,0000,0000,,of the year. This, like any other web\Nsite will give you plenty of options
Dialogue: 0,0:05:13.65,0:05:19.50,Default,,0000,0000,0000,,from the different airlines. What’s\Ndifferent for this web site is that
Dialogue: 0,0:05:19.50,0:05:25.31,Default,,0000,0000,0000,,they give you a lot more details,\Nif you know where to click.
Dialogue: 0,0:05:25.31,0:05:31.04,Default,,0000,0000,0000,,So the cheapest flight, really cheap\Nactually, 325 bucks to go to San Francisco
Dialogue: 0,0:05:31.04,0:05:37.24,Default,,0000,0000,0000,,for New Year’s, a one-way trip, and\Nwhat I like on this web site is the rules.
Dialogue: 0,0:05:37.24,0:05:42.98,Default,,0000,0000,0000,,So this is real data, that is kept in one\Nof these GDS systems. And this already
Dialogue: 0,0:05:42.98,0:05:50.02,Default,,0000,0000,0000,,looks like the 70ies, right? {\i1}laughter{\i0}\NThis would usually be shown on a terminal,
Dialogue: 0,0:05:50.02,0:05:54.52,Default,,0000,0000,0000,,maybe green font on black background, and\Nsomebody would read through here,
Dialogue: 0,0:05:54.52,0:05:59.37,Default,,0000,0000,0000,,and I would say, okay, so you wanna book\Nfor a certain day, it’s okay, the dates
Dialogue: 0,0:05:59.37,0:06:05.55,Default,,0000,0000,0000,,match, you wanna go on TAP (TP)\N– Portugal Airlines – so okay, that matches,
Dialogue: 0,0:06:05.55,0:06:10.49,Default,,0000,0000,0000,,and you could also take a few other\Nairlines, and then you have to meet
Dialogue: 0,0:06:10.49,0:06:16.98,Default,,0000,0000,0000,,certain other restrictions, e.g. you can\Nstop over here. So this flight goes
Dialogue: 0,0:06:16.98,0:06:20.31,Default,,0000,0000,0000,,through Lisbon, you can stay in Lisbon\Nfor up to 84 hours before flying on
Dialogue: 0,0:06:20.31,0:06:26.40,Default,,0000,0000,0000,,to the U.S. That’d be nice. And then\Nit has all these other rules in here,
Dialogue: 0,0:06:26.40,0:06:30.50,Default,,0000,0000,0000,,e.g. you can not cancel this ticket,\Nright? It’s non-refundable. But you
Dialogue: 0,0:06:30.50,0:06:36.34,Default,,0000,0000,0000,,can change it for a fee. And this goes on\Nand on and on. For just a single fare,
Dialogue: 0,0:06:36.34,0:06:41.64,Default,,0000,0000,0000,,and there’s, of course, tens of thousands\Nof fares available. Now this, you may be
Dialogue: 0,0:06:41.64,0:06:45.27,Default,,0000,0000,0000,,surprised to hear, is the only form in\Nwhich these fares are available. There
Dialogue: 0,0:06:45.27,0:06:49.48,Default,,0000,0000,0000,,isn’t an XML, there isn’t a web service,\Nthis is how the airlines publish them.
Dialogue: 0,0:06:49.48,0:06:52.98,Default,,0000,0000,0000,,And then a web site like Expedia, they\Nhave to write a parser for it to be able
Dialogue: 0,0:06:52.98,0:06:59.24,Default,,0000,0000,0000,,to present flight options to you. You\Nmay have noticed if you tried to change
Dialogue: 0,0:06:59.24,0:07:03.57,Default,,0000,0000,0000,,or cancel flights they don’t allow that\Nto web sites often. Expedia e.g. doesn’t,
Dialogue: 0,0:07:03.57,0:07:06.46,Default,,0000,0000,0000,,you have to call them. And if you call\Nthem they say: “Give me a moment,
Dialogue: 0,0:07:06.46,0:07:10.89,Default,,0000,0000,0000,,I have to read through the fare rules.”\NSo in that case that just didn’t parse
Dialogue: 0,0:07:10.89,0:07:19.33,Default,,0000,0000,0000,,all this information. That’s the first\Nthing that’s kept in these… or maintained
Dialogue: 0,0:07:19.33,0:07:25.46,Default,,0000,0000,0000,,in these large GDS, the booking systems:\Nthe fares. The other thing is
Dialogue: 0,0:07:25.46,0:07:29.34,Default,,0000,0000,0000,,the availability. That’s a little bit\Nharder to access through public web sites.
Dialogue: 0,0:07:29.34,0:07:36.65,Default,,0000,0000,0000,,Expert Flyer is probably the best one\Nto use. And availability is important.
Dialogue: 0,0:07:36.65,0:07:40.77,Default,,0000,0000,0000,,If you actually wanted to fly to San\NFrancisco now for New Year’s
Dialogue: 0,0:07:40.77,0:07:45.57,Default,,0000,0000,0000,,we looked at the fare, well,\Nthis is Booking Class 'O', this is
Dialogue: 0,0:07:45.57,0:07:49.57,Default,,0000,0000,0000,,always the first letter. And then, if you\Nlook at the availability for Booking Class
Dialogue: 0,0:07:49.57,0:07:54.60,Default,,0000,0000,0000,,'O', unfortunately it says ‘C’ for ‘closed’.\NSo they don’t accept any more bookings.
Dialogue: 0,0:07:54.60,0:07:58.07,Default,,0000,0000,0000,,So just because there’s a price available\Ndoesn’t mean that anybody can actually
Dialogue: 0,0:07:58.07,0:08:03.43,Default,,0000,0000,0000,,book this flight. And, again, somebody\Nlike Expedia would have to now combine all
Dialogue: 0,0:08:03.43,0:08:07.80,Default,,0000,0000,0000,,of these different pieces of information\Nto present a list of flight options for you.
Dialogue: 0,0:08:07.80,0:08:12.67,Default,,0000,0000,0000,,So let’s assume they did that and you did\Nbook something. Then, the third data item
Dialogue: 0,0:08:12.67,0:08:18.20,Default,,0000,0000,0000,,is created in one of these GDS. And that’s\Nthe 'passenger name record', PNR.
Dialogue: 0,0:08:18.20,0:08:24.89,Default,,0000,0000,0000,,And that looks something like this. Again,\Nyou’ll notice the same 70..80ies style.
Dialogue: 0,0:08:24.89,0:08:30.64,Default,,0000,0000,0000,,With lots of private information.\NEd Hasbrouck - he is a
Dialogue: 0,0:08:30.64,0:08:36.37,Default,,0000,0000,0000,,privacy advocate in the U.S., probably\Nthe loudest voice to ask for more
Dialogue: 0,0:08:36.37,0:08:39.18,Default,,0000,0000,0000,,privacy around travel booking\Nand he was kind enough to make
Dialogue: 0,0:08:39.18,0:08:44.21,Default,,0000,0000,0000,,this available on his web site, for all\Nto see what information is kept. So,
Dialogue: 0,0:08:44.21,0:08:47.94,Default,,0000,0000,0000,,contact information, of course, things\Nlike e-mail. This one shows you again
Dialogue: 0,0:08:47.94,0:08:53.46,Default,,0000,0000,0000,,how old these systems are. So they\Ndon’t have the ‘@’ character! This is
Dialogue: 0,0:08:53.46,0:08:58.11,Default,,0000,0000,0000,,using a character set from punch cards!\NAnd on punch cards you had 6 possible
Dialogue: 0,0:08:58.11,0:09:02.30,Default,,0000,0000,0000,,punches per character. So everything here\Nneeds to be encoded with a 6-bit character
Dialogue: 0,0:09:02.30,0:09:07.95,Default,,0000,0000,0000,,And there’s no space for ‘@’. So all\Nancient stuff. But still, a possible
Dialogue: 0,0:09:07.95,0:09:12.71,Default,,0000,0000,0000,,privacy hazard, right? You wouldn’t want\Nanybody to access this kind of information
Dialogue: 0,0:09:12.71,0:09:20.78,Default,,0000,0000,0000,,about yourself. The three main players who\Nrun GDS’s – Amadeus, mostly in Europe,
Dialogue: 0,0:09:20.78,0:09:25.20,Default,,0000,0000,0000,,Sabre, mostly in the US, and then there’s\NGalileo that merged with a few other
Dialogue: 0,0:09:25.20,0:09:29.76,Default,,0000,0000,0000,,things into ‘Travelport’. And Galileo\Nisn’t really so much used by airlines
Dialogue: 0,0:09:29.76,0:09:36.26,Default,,0000,0000,0000,,but it’s more used by travel agencies.\NAnd then, often, multiple of these systems
Dialogue: 0,0:09:36.26,0:09:40.16,Default,,0000,0000,0000,,they’re involved in the booking. So let’s\Nsay you go through Expedia and you book
Dialogue: 0,0:09:40.16,0:09:47.26,Default,,0000,0000,0000,,an American Airlines flight, the PNR has\Nto be kept in Amadeus as well as Sabre.
Dialogue: 0,0:09:47.26,0:09:51.47,Default,,0000,0000,0000,,So there’s two copies here. Or let’s say\Nyou go through a travel agency that’s
Dialogue: 0,0:09:51.47,0:09:55.45,Default,,0000,0000,0000,,connected to Galileo, and you book\Na flight that has both Lufthansa and
Dialogue: 0,0:09:55.45,0:09:59.42,Default,,0000,0000,0000,,Aeroflot segments it would be kept\Nin all three of them. So this is lots of
Dialogue: 0,0:09:59.42,0:10:06.38,Default,,0000,0000,0000,,redundancy depending on where your flight\Nsegments and booking agents come from.
Dialogue: 0,0:10:06.38,0:10:11.15,Default,,0000,0000,0000,,But suffice it to say there are three big\Ncompanies, who apparently hold on to the
Dialogue: 0,0:10:11.15,0:10:15.34,Default,,0000,0000,0000,,private information of all travelers.\NHundreds of millions of records
Dialogue: 0,0:10:15.34,0:10:21.25,Default,,0000,0000,0000,,for each of those systems. And we wanted\Nto find out whether they can sufficiently
Dialogue: 0,0:10:21.25,0:10:25.73,Default,,0000,0000,0000,,protect this information. And there’s, of\Ncourse, reasons to believe that they can’t.
Dialogue: 0,0:10:25.73,0:10:31.33,Default,,0000,0000,0000,,This is very old technology and it’s\Nunclear whether they ever did any major
Dialogue: 0,0:10:31.33,0:10:35.89,Default,,0000,0000,0000,,security upgrades. But at the same time\Nthere’s reasons to believe that they
Dialogue: 0,0:10:35.89,0:10:42.98,Default,,0000,0000,0000,,are very well secured because this PNR\Ndata, this very information about travelers
Dialogue: 0,0:10:42.98,0:10:47.41,Default,,0000,0000,0000,,that has been disputed between different\Ngovernments for a long time, in particular
Dialogue: 0,0:10:47.41,0:10:51.63,Default,,0000,0000,0000,,the U.S. Government, and asking for more\Nand more information since 9/11 in
Dialogue: 0,0:10:51.63,0:10:56.35,Default,,0000,0000,0000,,multiple waves, and the E.U. governments\Nthat say: “No, you can’t have more
Dialogue: 0,0:10:56.35,0:11:01.57,Default,,0000,0000,0000,,information than you absolutely need.” So\Nthey agree politically that, yes, the U.S.
Dialogue: 0,0:11:01.57,0:11:05.63,Default,,0000,0000,0000,,can get information on those travelers\Ngoing to the U.S. but only certain data
Dialogue: 0,0:11:05.63,0:11:08.99,Default,,0000,0000,0000,,fields, and have to delete them after\Na few years. So this was years
Dialogue: 0,0:11:08.99,0:11:14.73,Default,,0000,0000,0000,,of negotiation. And you’d imagine that the\Nsystems at the forefront of this dispute
Dialogue: 0,0:11:14.73,0:11:21.21,Default,,0000,0000,0000,,they’d be secure enough that, let’s say,\Nwe couldn’t access that same information
Dialogue: 0,0:11:21.21,0:11:26.44,Default,,0000,0000,0000,,that even the U.S. Government is supposed\Nto not access. So we set out to answer
Dialogue: 0,0:11:26.44,0:11:33.97,Default,,0000,0000,0000,,this simple question: do these GDS’s,\Ndo they have normal, basic security?
Dialogue: 0,0:11:33.97,0:11:39.99,Default,,0000,0000,0000,,Do they constrain access, do they\Nauthenticate users well, do they protect
Dialogue: 0,0:11:39.99,0:11:46.42,Default,,0000,0000,0000,,through rate limiting from web attacks,\Nand do they log to be able to detect any
Dialogue: 0,0:11:46.42,0:11:51.84,Default,,0000,0000,0000,,possible type of abuse. We’ll go through\Neach of them to see where those systems
Dialogue: 0,0:11:51.84,0:11:57.19,Default,,0000,0000,0000,,stand. Let’s start with access control.\NAnd this is just drawing
Dialogue: 0,0:11:57.19,0:12:02.00,Default,,0000,0000,0000,,from public sources, so, again, Ed\NHasbrouck, this privacy advocate
Dialogue: 0,0:12:02.00,0:12:09.49,Default,,0000,0000,0000,,in California, he has been the loudest\Nvoice here, saying, there’s overreach by a
Dialogue: 0,0:12:09.49,0:12:15.72,Default,,0000,0000,0000,,lot of players already accessing PNR\Ninformation. So e.g. if you have a booking,
Dialogue: 0,0:12:15.72,0:12:20.60,Default,,0000,0000,0000,,let’s say a flight booking, anybody who\Nworks at this airline can access
Dialogue: 0,0:12:20.60,0:12:24.64,Default,,0000,0000,0000,,your information. But then, if you add,\Nlet’s say, a car reservation to the same
Dialogue: 0,0:12:24.64,0:12:28.86,Default,,0000,0000,0000,,booking, anybody who works at the car\Nrental company can also access
Dialogue: 0,0:12:28.86,0:12:35.63,Default,,0000,0000,0000,,let’s say the flight information. And\Nany agent at the booking agency
Dialogue: 0,0:12:35.63,0:12:39.90,Default,,0000,0000,0000,,that you use can access all of this\Ninformation. And if you keep adding
Dialogue: 0,0:12:39.90,0:12:43.63,Default,,0000,0000,0000,,information all of these people still have\Naccess to it. That’s just how these
Dialogue: 0,0:12:43.63,0:12:49.36,Default,,0000,0000,0000,,systems grew over time, but that’s a first\Nindication to me that this certainly
Dialogue: 0,0:12:49.36,0:12:54.71,Default,,0000,0000,0000,,wasn’t built with modern security\Nin mind. Most concerningly
Dialogue: 0,0:12:54.71,0:13:01.11,Default,,0000,0000,0000,,the people working at or for the GDS\Ncompanies, they have access to everything,
Dialogue: 0,0:13:01.11,0:13:05.14,Default,,0000,0000,0000,,absolutely everything. Including their\Nsupport staff, as far as I understand.
Dialogue: 0,0:13:05.14,0:13:09.03,Default,,0000,0000,0000,,So these are external companies that\Nhelp debug the system, and they
Dialogue: 0,0:13:09.03,0:13:15.25,Default,,0000,0000,0000,,have access to hundreds of millions\Nof people’s private information.
Dialogue: 0,0:13:15.25,0:13:20.03,Default,,0000,0000,0000,,So way too many people have access\Nto way too much information, e.g. if you
Dialogue: 0,0:13:20.03,0:13:24.20,Default,,0000,0000,0000,,did an online booking your IP address\Nis stored there, basically forever,
Dialogue: 0,0:13:24.20,0:13:28.57,Default,,0000,0000,0000,,well, until the flight is over. But any of\Nthese people can now access your
Dialogue: 0,0:13:28.57,0:13:33.25,Default,,0000,0000,0000,,IP address, your e-mail address,\Nphone number and all of this.
Dialogue: 0,0:13:33.25,0:13:37.90,Default,,0000,0000,0000,,So definitely that doesn’t seem to be\Nfine-grained access control. But,
Dialogue: 0,0:13:37.90,0:13:42.89,Default,,0000,0000,0000,,as I said earlier, this has been known\Nfor a long time and criticized a lot.
Dialogue: 0,0:13:42.89,0:13:49.37,Default,,0000,0000,0000,,Not acted on, though, yet! How about\Nauthentication? The picture is actually
Dialogue: 0,0:13:49.37,0:13:53.82,Default,,0000,0000,0000,,even worse for authentication. And I want\Nto distinguish two different cases here.
Dialogue: 0,0:13:53.82,0:13:57.69,Default,,0000,0000,0000,,I wanna distinguish professionals\Naccessing records, so people working
Dialogue: 0,0:13:57.69,0:14:02.23,Default,,0000,0000,0000,,at travel agencies and airlines. And,\Nas a second case I wanna distinguish
Dialogue: 0,0:14:02.23,0:14:06.11,Default,,0000,0000,0000,,travelers accessing their own records,\Nlike when you check-in online e.g.,
Dialogue: 0,0:14:06.11,0:14:11.75,Default,,0000,0000,0000,,you access your own record. Professionals,\Nthe way they access it, typically, is that
Dialogue: 0,0:14:11.75,0:14:16.53,Default,,0000,0000,0000,,their agency is connected to one of these\NGDS’s through basically one account.
Dialogue: 0,0:14:16.53,0:14:20.98,Default,,0000,0000,0000,,So an entire agency system, or at least\Nan entire location uses one account.
Dialogue: 0,0:14:20.98,0:14:25.35,Default,,0000,0000,0000,,So years ago somebody typed in some user\Nname and password, and then it’s long been
Dialogue: 0,0:14:25.35,0:14:30.25,Default,,0000,0000,0000,,forgotten because locally they use\Na different access management.
Dialogue: 0,0:14:30.25,0:14:34.89,Default,,0000,0000,0000,,A few travel agencies were kind enough to\Nhelp us in this research, and their access
Dialogue: 0,0:14:34.89,0:14:39.47,Default,,0000,0000,0000,,credentials, we saw them using, they’re\Njust terrible. E.g. for one of the big
Dialogue: 0,0:14:39.47,0:14:44.36,Default,,0000,0000,0000,,systems that I won’t name you need the\Nagent ID, so that you can get pretty
Dialogue: 0,0:14:44.36,0:14:48.87,Default,,0000,0000,0000,,easily. And then a password for the web\Nservice, so of the modern way of accessing,
Dialogue: 0,0:14:48.87,0:14:54.79,Default,,0000,0000,0000,,this is WS for web service and the date\Non which the password was created.
Dialogue: 0,0:14:54.79,0:14:58.96,Default,,0000,0000,0000,,So even if you have to brute-force\N20 years, how many possible dates
Dialogue: 0,0:14:58.96,0:15:05.44,Default,,0000,0000,0000,,does a single year have? Times 20. This is\Nridiculously low entropy for an account
Dialogue: 0,0:15:05.44,0:15:12.54,Default,,0000,0000,0000,,that is supposed to protect information\Nof millions of people, if not more.
Dialogue: 0,0:15:12.54,0:15:16.41,Default,,0000,0000,0000,,This is the best authenticator\Nthat we found in these systems!
Dialogue: 0,0:15:16.41,0:15:19.21,Default,,0000,0000,0000,,{\i1}laughter{\i0}
Dialogue: 0,0:15:19.21,0:15:24.49,Default,,0000,0000,0000,,It gets worse with travelers accessing\Ntheir own information. Because there
Dialogue: 0,0:15:24.49,0:15:27.60,Default,,0000,0000,0000,,they just simply forgot to give you\Na password, not even a terrible password
Dialogue: 0,0:15:27.60,0:15:33.09,Default,,0000,0000,0000,,like this; there just isn’t one. And what\Nthey use instead is the booking code,
Dialogue: 0,0:15:33.09,0:15:37.12,Default,,0000,0000,0000,,‘PNR locator’ it is sometimes called.\NI call it booking code.
Dialogue: 0,0:15:37.12,0:15:42.24,Default,,0000,0000,0000,,It’s a six-digit code. When you\Ncheck-in online you need that code.
Dialogue: 0,0:15:42.24,0:15:46.64,Default,,0000,0000,0000,,And you only need that code and your\Nlast name. So you’d imagine that,
Dialogue: 0,0:15:46.64,0:15:51.81,Default,,0000,0000,0000,,if they treat it as a password equivalent\Nthen they would keep it secret
Dialogue: 0,0:15:51.81,0:15:56.63,Default,,0000,0000,0000,,like a password. Only – they don’t,\Nbut rather print it on every piece
Dialogue: 0,0:15:56.63,0:16:00.94,Default,,0000,0000,0000,,that you get from the airline, e.g. on\Nevery piece of luggage you have
Dialogue: 0,0:16:00.94,0:16:07.39,Default,,0000,0000,0000,,your last name and a six-digit code.\NOn your boarding pass –
Dialogue: 0,0:16:07.39,0:16:11.43,Default,,0000,0000,0000,,it used to be there, and then it\Ndisappeared and then these barcodes
Dialogue: 0,0:16:11.43,0:16:15.20,Default,,0000,0000,0000,,showed up. So it’s inside the barcode.\NIf you decode the barcode there is
Dialogue: 0,0:16:15.20,0:16:20.32,Default,,0000,0000,0000,,your PNR in there. I erased it here,\Nthis is still for a valid booking.
Dialogue: 0,0:16:20.32,0:16:23.97,Default,,0000,0000,0000,,{\i1}laughter{\i0}
Dialogue: 0,0:16:23.97,0:16:30.91,Default,,0000,0000,0000,,So, you have these six-digit codes printed\Neverywhere and you can just find them
Dialogue: 0,0:16:30.91,0:16:36.49,Default,,0000,0000,0000,,on pieces of scrap at the airport.\NCertainly these tags you find all over,
Dialogue: 0,0:16:36.49,0:16:39.70,Default,,0000,0000,0000,,but also people throwing away their\Nboarding passes when they’re done.
Dialogue: 0,0:16:39.70,0:16:44.56,Default,,0000,0000,0000,,And this is supposed to be the only way\Nof authenticating users. And we’ll
Dialogue: 0,0:16:44.56,0:16:51.24,Default,,0000,0000,0000,,show you in a minute what kind\Nof abuse is possible through that.
Dialogue: 0,0:16:51.24,0:16:56.19,Default,,0000,0000,0000,,But let’s first think about where else you\Ncould be able to find these PNR codes.
Dialogue: 0,0:16:56.19,0:17:00.93,Default,,0000,0000,0000,,Could it get any worse than somebody\Nprinting your password on a piece of paper
Dialogue: 0,0:17:00.93,0:17:04.65,Default,,0000,0000,0000,,that you throw away at the end of your\Njourney? Of course the internet can make
Dialogue: 0,0:17:04.65,0:17:11.05,Default,,0000,0000,0000,,it worse! And what better technology to\Nworsen the security problem than
Dialogue: 0,0:17:11.05,0:17:28.39,Default,,0000,0000,0000,,Instagram? So on Instagram…\N{\i1}laughter and applause{\i0}
Dialogue: 0,0:17:28.39,0:17:33.55,Default,,0000,0000,0000,,So you got all these bookings. And, in\Nfact, there was one guy here, you see, he
Dialogue: 0,0:17:33.55,0:17:38.58,Default,,0000,0000,0000,,actually erased the information. But for\None who knows what’s up, everywhere,
Dialogue: 0,0:17:38.58,0:17:43.24,Default,,0000,0000,0000,,there’s a hundred who don’t. And this\Nis really all information you need.
Dialogue: 0,0:17:43.24,0:17:47.86,Default,,0000,0000,0000,,I saw a Lufthansa one just now,\Nwhere was that? – Here.
Dialogue: 0,0:17:47.86,0:17:59.19,Default,,0000,0000,0000,,So here is a Lufthansa one. This is from\Ntoday, posted by markycz at Frankfurt.
Dialogue: 0,0:17:59.19,0:18:04.37,Default,,0000,0000,0000,,This is really all you need to get\Nsomebody’s…
Dialogue: 0,0:18:04.37,0:18:15.11,Default,,0000,0000,0000,,{\i1}laughter and applause{\i0}
Dialogue: 0,0:18:15.11,0:18:17.41,Default,,0000,0000,0000,,Let’s see if this works.\NYeah, sure enough. So.
Dialogue: 0,0:18:17.41,0:18:18.59,Default,,0000,0000,0000,,{\i1}laughter{\i0}
Dialogue: 0,0:18:18.59,0:18:24.55,Default,,0000,0000,0000,,'Marky M.' on Instagram is apparently\NMarketa Mottlova
Dialogue: 0,0:18:24.55,0:18:28.16,Default,,0000,0000,0000,,and this is her booking reference.
Dialogue: 0,0:18:28.16,0:18:33.28,Default,,0000,0000,0000,,{\i1}laughter{\i0}
Dialogue: 0,0:18:33.28,0:18:37.05,Default,,0000,0000,0000,,I was debating whether or not to show this\Nbut you guys are gonna do it anyway
Dialogue: 0,0:18:37.05,0:18:40.90,Default,,0000,0000,0000,,when I’m done with this talk.\N{\i1}laughter{\i0}
Dialogue: 0,0:18:49.24,0:19:01.60,Default,,0000,0000,0000,,{\i1}cheers and applause{\i0}
Dialogue: 0,0:19:01.60,0:19:06.96,Default,,0000,0000,0000,,So a flight today from Munich\Nto Frankfurt and then, on to Seattle.
Dialogue: 0,0:19:06.96,0:19:11.67,Default,,0000,0000,0000,,Let me point out one thing here.
Dialogue: 0,0:19:11.67,0:19:15.26,Default,,0000,0000,0000,,Where did I see the ticket number?
Dialogue: 0,0:19:15.26,0:19:23.04,Default,,0000,0000,0000,,{\i1}off camera mumbling on stage{\i0}
Dialogue: 0,0:19:23.04,0:19:32.56,Default,,0000,0000,0000,,Just use mine!
Dialogue: 0,0:19:32.56,0:19:38.74,Default,,0000,0000,0000,,It’s AndroidAPKN\NOops.
Dialogue: 0,0:19:38.74,0:19:50.08,Default,,0000,0000,0000,,And then let me write down the password.
Dialogue: 0,0:19:50.08,0:19:57.06,Default,,0000,0000,0000,,Okay. Alright.
Dialogue: 0,0:19:57.06,0:20:02.00,Default,,0000,0000,0000,,So what I wanted to point out is that\Nthis isn’t even a Lufthansa ticket.
Dialogue: 0,0:20:02.00,0:20:08.83,Default,,0000,0000,0000,,So she checked in with Lufthansa\Nin Frankfurt. But if you look at the
Dialogue: 0,0:20:08.83,0:20:14.95,Default,,0000,0000,0000,,ticket number, 016, that’s a United\N[Airlines] ticket. And it also includes
Dialogue: 0,0:20:14.95,0:20:19.95,Default,,0000,0000,0000,,flights on Alaska Airlines e.g.\NSo any of these airlines have
Dialogue: 0,0:20:19.95,0:20:27.23,Default,,0000,0000,0000,,full access to this PNR. And many of them\Nwill just grant people access to it
Dialogue: 0,0:20:27.23,0:20:32.86,Default,,0000,0000,0000,,if they know the PNR and the last name.\NAs Nemanja will show in a minute,
Dialogue: 0,0:20:32.86,0:20:38.57,Default,,0000,0000,0000,,even if they don’t know that yet. So...
Dialogue: 0,0:20:38.57,0:20:43.20,Default,,0000,0000,0000,,To recap for the moment: airlines give you\Na six-digit password that they print
Dialogue: 0,0:20:43.20,0:20:50.47,Default,,0000,0000,0000,,on all kinds of pieces of paper and\Nthat you will post on Instagram.
Dialogue: 0,0:20:50.47,0:20:54.69,Default,,0000,0000,0000,,Why shouldn’t you, everybody else does,\Ntoo, apparently. 75,000 people at least
Dialogue: 0,0:20:54.69,0:20:59.65,Default,,0000,0000,0000,,over the last couple of weeks. So\Nthe authentication model here is
Dialogue: 0,0:20:59.65,0:21:05.42,Default,,0000,0000,0000,,severely broken, too. And what\Nkind of abuse arises from this?
Dialogue: 0,0:21:05.42,0:21:10.18,Default,,0000,0000,0000,,Of course, you can now use this PNR,\Nlog in on Lufthansa as I have just done
Dialogue: 0,0:21:10.18,0:21:15.95,Default,,0000,0000,0000,,or a more generic web site, like\NCheckmytrip and look up people’s
Dialogue: 0,0:21:15.95,0:21:19.04,Default,,0000,0000,0000,,contact information at the very least.\NSo there’s always an email address
Dialogue: 0,0:21:19.04,0:21:23.62,Default,,0000,0000,0000,,in there. There’s usually a phone number\Nin there. If in Lufthansa you click on
Dialogue: 0,0:21:23.62,0:21:29.20,Default,,0000,0000,0000,,“I wanna change my booking” probably\Nthey’ll ask you for your payment information
Dialogue: 0,0:21:29.20,0:21:32.91,Default,,0000,0000,0000,,and pre-fill the postal address for that.\NSo you get somebody’s postal address
Dialogue: 0,0:21:32.91,0:21:38.32,Default,,0000,0000,0000,,that they used for the booking, passport\Ninformation, visa information. If you
Dialogue: 0,0:21:38.32,0:21:41.52,Default,,0000,0000,0000,,travel to the U.S. as she does there’s\Ndefinitely passport information
Dialogue: 0,0:21:41.52,0:21:48.61,Default,,0000,0000,0000,,in the PNR. All of this information is now\Nreadily accessible. Now so far
Dialogue: 0,0:21:48.61,0:21:53.12,Default,,0000,0000,0000,,there was zero hacking involved. That’s\Nwhy we have Nemanja here who will
Dialogue: 0,0:21:53.12,0:22:00.19,Default,,0000,0000,0000,,show you some actual hacking to get even\Ndeeper into these systems.
Dialogue: 0,0:22:00.19,0:22:03.23,Default,,0000,0000,0000,,Can we switch the screen?
Dialogue: 0,0:22:03.23,0:22:09.56,Default,,0000,0000,0000,,Nemanja Nikodijevic: So when…\N{\i1}laughter{\i0}
Dialogue: 0,0:22:09.56,0:22:18.59,Default,,0000,0000,0000,,When we started this research we needed\Nto find lots of these booking numbers
Dialogue: 0,0:22:18.59,0:22:24.60,Default,,0000,0000,0000,,to see if there is some relation between\Nthem. So luckily we didn’t have to
Dialogue: 0,0:22:24.60,0:22:28.96,Default,,0000,0000,0000,,make any bookings that we had to pay\Nbecause there are web sites like this one
Dialogue: 0,0:22:28.96,0:22:33.27,Default,,0000,0000,0000,,where you can just make a booking\Nand pay it later but you get
Dialogue: 0,0:22:33.27,0:22:39.49,Default,,0000,0000,0000,,the booking reference number at the time.\NSo let’s make some very normal
Dialogue: 0,0:22:39.49,0:22:45.79,Default,,0000,0000,0000,,German name… {\i1}laughter{\i0}\N…looking for someone from Germany.
Dialogue: 0,0:22:45.79,0:22:52.55,Default,,0000,0000,0000,,Actually they check the phone number, so\Nit has to follow a certain form.
Dialogue: 0,0:22:52.55,0:22:59.97,Default,,0000,0000,0000,,Let’s find Germany… from Berlin,
Dialogue: 0,0:22:59.97,0:23:04.44,Default,,0000,0000,0000,,1234567.\N{\i1}laughter{\i0}
Dialogue: 0,0:23:04.44,0:23:09.39,Default,,0000,0000,0000,,And then ‘hans@sandiego.com’.
Dialogue: 0,0:23:09.39,0:23:14.94,Default,,0000,0000,0000,,As you can see I tried quite some…\N{\i1}laughter{\i0}
Dialogue: 0,0:23:14.94,0:23:19.95,Default,,0000,0000,0000,,So for this one we already got\Nour booking reference number
Dialogue: 0,0:23:19.95,0:23:28.58,Default,,0000,0000,0000,,which is Y56HOY.\NAnd this one, in a minute.
Dialogue: 0,0:23:28.58,0:23:33.34,Default,,0000,0000,0000,,Okay, we have to wait a bit. Y5LCF4.\NSo if you notice
Dialogue: 0,0:23:33.34,0:23:39.11,Default,,0000,0000,0000,,they are very close to each other, so\Nthey both start with Y5 which means
Dialogue: 0,0:23:39.11,0:23:44.16,Default,,0000,0000,0000,,that they were booked on the same day.\NProbably because one is on Lufthansa,
Dialogue: 0,0:23:44.16,0:23:49.56,Default,,0000,0000,0000,,the other one is on Air Berlin, there is\Na slight difference. They are not exactly
Dialogue: 0,0:23:49.56,0:23:53.16,Default,,0000,0000,0000,,sequential. But we can say that they are\Nconcentrated in a certain range
Dialogue: 0,0:23:53.16,0:23:58.41,Default,,0000,0000,0000,,for a certain day. What we can do now is
Dialogue: 0,0:23:58.41,0:24:03.91,Default,,0000,0000,0000,,we can go to one of our servers. At first
Dialogue: 0,0:24:03.91,0:24:08.38,Default,,0000,0000,0000,,we have to check if checkmytrip works
Dialogue: 0,0:24:08.38,0:24:12.84,Default,,0000,0000,0000,,because I had some issues\Nwith the network.
Dialogue: 0,0:24:12.84,0:24:17.51,Default,,0000,0000,0000,,That’s… ooh!\N{\i1}laughter{\i0}
Dialogue: 0,0:24:17.51,0:24:22.26,Default,,0000,0000,0000,,This is a bit unexpected.\NWe will have to skip this part
Dialogue: 0,0:24:22.26,0:24:28.21,Default,,0000,0000,0000,,where we actually look for Carmen\NSandiego in one of our bookings.
Dialogue: 0,0:24:28.21,0:24:29.21,Default,,0000,0000,0000,,But…
Dialogue: 0,0:24:29.21,0:24:32.99,Default,,0000,0000,0000,,Karsten: Well, this is a side effect of\Nresponsible disclosure.
So you tell Dialogue: 0,0:24:32.99,0:24:37.88,Default,,0000,0000,0000,,a company that on this day you’ll do that\Nthing to that web site, and they just Dialogue: 0,0:24:37.88,0:24:41.58,Default,,0000,0000,0000,,either block the IP ranges here or just\Ntook down the web site which they Dialogue: 0,0:24:41.58,0:24:48.43,Default,,0000,0000,0000,,have done a few times before.\NWhat you can do is… – say it again!! Dialogue: 0,0:24:48.43,0:24:52.59,Default,,0000,0000,0000,,From audience: Can you test the hot spot? Dialogue: 0,0:24:52.59,0:24:56.88,Default,,0000,0000,0000,,Karsten: Actually, I think the whole\Nweb site is turned off. Dialogue: 0,0:24:56.88,0:25:03.71,Default,,0000,0000,0000,,Nemanja: What we can demonstrate, I think,\Nis that if we go with this booking number, Dialogue: 0,0:25:03.71,0:25:10.31,Default,,0000,0000,0000,,to Air Berlin web site, and then\Ntype last name, “Mueller”. Dialogue: 0,0:25:10.31,0:25:16.85,Default,,0000,0000,0000,,And actually, because it’s six-bit\Nencoding it has to be “UE”, no Umlauts Dialogue: 0,0:25:16.85,0:25:27.26,Default,,0000,0000,0000,,allowed. So, “Select all the food!”\N{\i1}laughter and applause{\i0} Dialogue: 0,0:25:27.26,0:25:29.35,Default,,0000,0000,0000,,Let’s see if we can find this flight. Dialogue: 0,0:25:29.35,0:25:32.42,Default,,0000,0000,0000,,Karsten: The part of the demo that you\Ndidn’t show is just brute-forcing Dialogue: 0,0:25:32.42,0:25:37.44,Default,,0000,0000,0000,,these ranges. If you know which ranges\Nare used in a day you can try them all. Dialogue: 0,0:25:37.44,0:25:44.59,Default,,0000,0000,0000,,Or at least we did many times. That\Nwould then, in theory, give you access Dialogue: 0,0:25:44.59,0:25:48.36,Default,,0000,0000,0000,,to all of this. And not just in theory, in\Npractice, unless they take down their Dialogue: 0,0:25:48.36,0:25:52.59,Default,,0000,0000,0000,,entire web site which they knew we were\Ngonna use for this demo. 
Dialogue: 0,0:25:52.59,0:25:58.27,Default,,0000,0000,0000,,Nemanja: But on this, for example, if we caught\Nthat flight that we wanted to catch… Dialogue: 0,0:25:58.27,0:26:05.67,Default,,0000,0000,0000,,Karsten: We’ll show it later. But at least\Nthe first win for privacy: no information Dialogue: 0,0:26:05.67,0:26:09.69,Default,,0000,0000,0000,,is leaked through this web site\Nfor the rest of this talk, at least! Dialogue: 0,0:26:09.69,0:26:12.30,Default,,0000,0000,0000,,{\i1}laughter and applause{\i0} Dialogue: 0,0:26:12.30,0:26:21.01,Default,,0000,0000,0000,,Can we switch back to the other screen?\N{\i1}ongoing applause{\i0} Dialogue: 0,0:26:21.01,0:26:24.87,Default,,0000,0000,0000,,One thing that you would have noticed had\Nthis not just been a flight reservation Dialogue: 0,0:26:24.87,0:26:29.39,Default,,0000,0000,0000,,but an actual ticket: it would have\Ngiven you options to rebook it, Dialogue: 0,0:26:29.39,0:26:34.25,Default,,0000,0000,0000,,to add a frequent flyer number, all of that\Ngood stuff. So what’s the abuse potential Dialogue: 0,0:26:34.25,0:26:38.85,Default,,0000,0000,0000,,here? So far we’ve only talked about\Nprivacy intrusion. And privacy intrusion Dialogue: 0,0:26:38.85,0:26:43.13,Default,,0000,0000,0000,,is bad enough. Imagine somebody is\Nsnapping a picture of your luggage, Dialogue: 0,0:26:43.13,0:26:48.32,Default,,0000,0000,0000,,that person has your email address and\Nyour phone number, right there, right then. Dialogue: 0,0:26:48.32,0:26:55.56,Default,,0000,0000,0000,,But the abuse potential goes much\Nbeyond that. For instance, you can fly for free! Dialogue: 0,0:26:55.56,0:26:59.54,Default,,0000,0000,0000,,You can fly for free using different\Nmethods. You can find somebody else’s Dialogue: 0,0:26:59.54,0:27:04.12,Default,,0000,0000,0000,,booking and just change the date.\NThe ticket… in fact, we can show it Dialogue: 0,0:27:04.12,0:27:09.74,Default,,0000,0000,0000,,a little bit later. 
We had prepared for\Nthis demo that we are going to find Dialogue: 0,0:27:09.74,0:27:13.20,Default,,0000,0000,0000,,through a little bit of brute-force that’s\Na flexible ticket. So you can just change Dialogue: 0,0:27:13.20,0:27:16.89,Default,,0000,0000,0000,,the date, and change the email address.\NYou just take that flight yourself. Dialogue: 0,0:27:16.89,0:27:22.77,Default,,0000,0000,0000,,And as the airline checks… compares the\Nticket and your passport – oftentimes Dialogue: 0,0:27:22.77,0:27:26.11,Default,,0000,0000,0000,,they do it visually. What they’ll do is\Nthey’ll send you a PDF, you change Dialogue: 0,0:27:26.11,0:27:31.76,Default,,0000,0000,0000,,the name, you take it anyway. But at least\Nin Schengen, in the EU, people don’t even Dialogue: 0,0:27:31.76,0:27:38.45,Default,,0000,0000,0000,,do that. Let’s say you wanted\Nto take it in your name. You can, Dialogue: 0,0:27:38.45,0:27:43.10,Default,,0000,0000,0000,,depending on the airline, call them up\Nor even use their web sites to cancel Dialogue: 0,0:27:43.10,0:27:48.90,Default,,0000,0000,0000,,the ticket, and the issue a refund to you\Ninside the PNR, and then use the money Dialogue: 0,0:27:48.90,0:27:54.60,Default,,0000,0000,0000,,that’s freed up there to book a new\Nticket. Some airlines also give you Dialogue: 0,0:27:54.60,0:28:01.37,Default,,0000,0000,0000,,MCOs – miscellaneous charges orders.\NAmericans will know this very well, Dialogue: 0,0:28:01.37,0:28:05.76,Default,,0000,0000,0000,,every time you get bumped from a flight\Nthey give you an MCO, “sorry, we can’t Dialogue: 0,0:28:05.76,0:28:09.42,Default,,0000,0000,0000,,fly you home today, you’ll have to go\Ntomorrow, but here is $1,000 towards Dialogue: 0,0:28:09.42,0:28:17.31,Default,,0000,0000,0000,,a new ticket”. It’s real airline cash.\NAnd those same MCOs you can issue Dialogue: 0,0:28:17.31,0:28:21.06,Default,,0000,0000,0000,,based on flight cancellation. 
So you\Ncancel somebody else’s ticket and you get Dialogue: 0,0:28:21.06,0:28:26.09,Default,,0000,0000,0000,,airline money to book your own ticket.\NAnd, again, there are no passwords Dialogue: 0,0:28:26.09,0:28:30.96,Default,,0000,0000,0000,,involved. The only authenticator is this\Nsix-digit sequence that people post Dialogue: 0,0:28:30.96,0:28:36.48,Default,,0000,0000,0000,,on Instagram, print on their boarding\Npasses and that Nemanja should be able Dialogue: 0,0:28:36.48,0:28:42.27,Default,,0000,0000,0000,,to brute-force on their web sites. What\Nelse can you do, once you have somebody’s Dialogue: 0,0:28:42.27,0:28:47.82,Default,,0000,0000,0000,,PNR? You can change or add a mile number.\NAnd some tickets are really attractive Dialogue: 0,0:28:47.82,0:28:54.88,Default,,0000,0000,0000,,for mile collection. Take a round trip to\NAustralia in 1st class, get 60,000 miles Dialogue: 0,0:28:54.88,0:29:01.87,Default,,0000,0000,0000,,right there, for one round trip, for one\NPNR. And that will get you a sweet, free Dialogue: 0,0:29:01.87,0:29:11.28,Default,,0000,0000,0000,,flight to somewhere nice, or even some \Nvoucher for online and offline shopping. Dialogue: 0,0:29:11.28,0:29:17.78,Default,,0000,0000,0000,,One website that I wish was still\Nworking is, of course, this one. Dialogue: 0,0:29:17.78,0:29:20.44,Default,,0000,0000,0000,,{\i1}laughter{\i0} Dialogue: 0,0:29:20.44,0:29:26.60,Default,,0000,0000,0000,,But they shut down business, apparently.\NUnrelated to this talk. Dialogue: 0,0:29:26.60,0:29:30.07,Default,,0000,0000,0000,,{\i1}laughter and single claps{\i0} Dialogue: 0,0:29:30.07,0:29:36.74,Default,,0000,0000,0000,,So you have access to somebody’s PNR,\Nyou can not just stalk them but change Dialogue: 0,0:29:36.74,0:29:44.26,Default,,0000,0000,0000,,their flights or – which may trigger some\Ncuriosity – that flight can be taken twice. 
Dialogue: 0,0:29:44.26,0:29:48.84,Default,,0000,0000,0000,,But you can very stealthily add your mile\Nnumber everywhere, well, a new mile number Dialogue: 0,0:29:48.84,0:29:57.40,Default,,0000,0000,0000,,matching that name to collect those sweet\Nmiles. Now, are all airlines affected Dialogue: 0,0:29:57.40,0:30:03.27,Default,,0000,0000,0000,,by that? The demo that we didn’t get to\Nshow brute-forced for one last name, Dialogue: 0,0:30:03.27,0:30:10.25,Default,,0000,0000,0000,,Sandiego, all the PNRs for a day. And it\Nquickly found, in fact, a bunch of records. Dialogue: 0,0:30:10.25,0:30:15.08,Default,,0000,0000,0000,,There’s not just one Sandiego flying that\Nday. But in some airlines they’re Dialogue: 0,0:30:15.08,0:30:19.05,Default,,0000,0000,0000,,a little bit smarter. For instance American\NAirlines, the largest airline in the world, Dialogue: 0,0:30:19.05,0:30:24.79,Default,,0000,0000,0000,,they don’t just want the last name\Nbut also the first name. And if you’re Dialogue: 0,0:30:24.79,0:30:28.15,Default,,0000,0000,0000,,interested in one specific person, let’s\Nsay ‘Carmen Sandiego’, you would still Dialogue: 0,0:30:28.15,0:30:32.92,Default,,0000,0000,0000,,find that person. But if you want to\Nconduct fraud that becomes a little bit Dialogue: 0,0:30:32.92,0:30:39.58,Default,,0000,0000,0000,,more tricky. A fraudster would just pick\Na random, very popular last name and Dialogue: 0,0:30:39.58,0:30:45.61,Default,,0000,0000,0000,,brute-force PNRs there. And that becomes\Nmore difficult if also you have to guess Dialogue: 0,0:30:45.61,0:30:51.99,Default,,0000,0000,0000,,a first name. However, even American\NAirlines, those records can be accessed Dialogue: 0,0:30:51.99,0:30:57.20,Default,,0000,0000,0000,,through other web sites. For istance Viewtrip,\Nthis is another generic web site like this Dialogue: 0,0:30:57.20,0:31:02.05,Default,,0000,0000,0000,,infamous Checkmytrip that just went\Noffline. 
And Viewtrip allows you Dialogue: 0,0:31:02.05,0:31:08.88,Default,,0000,0000,0000,,to brute-force by just last name and PNR,\Nagain. So there’s multiple ways to access Dialogue: 0,0:31:08.88,0:31:13.57,Default,,0000,0000,0000,,the same information. Some of which are\Nmore secured than others. And, of course, Dialogue: 0,0:31:13.57,0:31:18.83,Default,,0000,0000,0000,,only the weakest link mattered. So\NViewtrip, what they would say is Dialogue: 0,0:31:18.83,0:31:24.55,Default,,0000,0000,0000,,they found the record and they can’t give\Nyou access to the information but then Dialogue: 0,0:31:24.55,0:31:29.09,Default,,0000,0000,0000,,TripCase will which, again, takes only\Nlast name and reservation number. Dialogue: 0,0:31:29.09,0:31:32.98,Default,,0000,0000,0000,,And they will tell you the first name\Nalso that then you can type in to Dialogue: 0,0:31:32.98,0:31:34.96,Default,,0000,0000,0000,,the American Airlines web site again\N{\i1}laughter{\i0} Dialogue: 0,0:31:34.96,0:31:42.56,Default,,0000,0000,0000,,to change the booking, let’s say. So\Nthere’s all these different ways to access Dialogue: 0,0:31:42.56,0:31:47.92,Default,,0000,0000,0000,,a person’s information here. And everybody\Nis slightly different. So let’s look at the Dialogue: 0,0:31:47.92,0:31:55.83,Default,,0000,0000,0000,,entire universe of travel web sites,\Nstarting with just three big travel providers. Dialogue: 0,0:31:55.83,0:32:02.95,Default,,0000,0000,0000,,Each of them uses six-digit booking codes.\NBut they use these six-digits rather Dialogue: 0,0:32:02.95,0:32:08.25,Default,,0000,0000,0000,,differently. Sabre e.g. they don’t use any\Nnumbers which of course severely impacts Dialogue: 0,0:32:08.25,0:32:16.53,Default,,0000,0000,0000,,the entropy. But then others, e.g. Amadeus,\Nthey don’t use 1 and 0, because that could Dialogue: 0,0:32:16.53,0:32:23.86,Default,,0000,0000,0000,,be confused with i and o, and then\NGalileo drops a few other characters. 
So Dialogue: 0,0:32:23.86,0:32:27.95,Default,,0000,0000,0000,,at the end of the day none of them really\Nused the entropy of even a six-digit Dialogue: 0,0:32:27.95,0:32:34.49,Default,,0000,0000,0000,,pass code. All of them are in entropy\Nlower than a randomly chosen 5-digit Dialogue: 0,0:32:34.49,0:32:38.41,Default,,0000,0000,0000,,password. And we will never recommend\Nanybody to use a 5-digit password, right? Dialogue: 0,0:32:38.41,0:32:44.03,Default,,0000,0000,0000,,So this is strictly worse. And what\Nmakes it even worse, at least for Dialogue: 0,0:32:44.03,0:32:47.91,Default,,0000,0000,0000,,privacy-intruding attacks, is the\Nsequential nature of these bookings. Dialogue: 0,0:32:47.91,0:32:53.18,Default,,0000,0000,0000,,You saw the two that Nemanja just now\Ngenerated. Both of them were from Dialogue: 0,0:32:53.18,0:32:57.93,Default,,0000,0000,0000,,the same, very small sub set. So if you\Njust wanted to know all the bookings Dialogue: 0,0:32:57.93,0:33:01.82,Default,,0000,0000,0000,,that a person did today, you can\Nbrute-force this in 10 minutes Dialogue: 0,0:33:01.82,0:33:06.90,Default,,0000,0000,0000,,with a few computers running in parallel.\NIt’s not so easy on Sabre because Dialogue: 0,0:33:06.90,0:33:12.16,Default,,0000,0000,0000,,they seem to be chosen more randomly.\NHowever, Sabre has the lowest entropy, Dialogue: 0,0:33:12.16,0:33:18.46,Default,,0000,0000,0000,,so if you just randomly want to find\Nbookings for popular last names Sabre is Dialogue: 0,0:33:18.46,0:33:27.41,Default,,0000,0000,0000,,your system of choice. They’re all weak,\Nbut the weaknesses differ in shades of grey Dialogue: 0,0:33:27.41,0:33:31.61,Default,,0000,0000,0000,,for this privacy intruding and for the\Nfinancial fraud-type attacks. 
Dialogue: 0,0:33:31.61,0:33:37.39,Default,,0000,0000,0000,,As one example, though, of how easy it is\Nto find these booking codes, if you Dialogue: 0,0:33:37.39,0:33:45.03,Default,,0000,0000,0000,,look up 1,000 just randomly chosen booking\Ncodes in Sabre for the last name ‘Smith’ Dialogue: 0,0:33:45.03,0:33:50.97,Default,,0000,0000,0000,,five will come back with current bookings.\NSo half a percent of the entire name space Dialogue: 0,0:33:50.97,0:33:55.90,Default,,0000,0000,0000,,is filled with current bookings for people\Ncalled ‘Smith’! Now, add in all the other Dialogue: 0,0:33:55.90,0:34:01.67,Default,,0000,0000,0000,,last names, their name space must be\Npretty damn full. And it’s only 300 mio. Dialogue: 0,0:34:01.67,0:34:05.55,Default,,0000,0000,0000,,records if you calculate the entropy.\NSo it looks like almost every record Dialogue: 0,0:34:05.55,0:34:09.65,Default,,0000,0000,0000,,is used up and they’re running out of\Nspace. So they’ll have to fix this anyway Dialogue: 0,0:34:09.65,0:34:14.58,Default,,0000,0000,0000,,at some point. But that, of course, makes\Nit all the easier to randomly find and Dialogue: 0,0:34:14.58,0:34:22.41,Default,,0000,0000,0000,,abuse other people’s bookings.\NEach of those providers runs a website Dialogue: 0,0:34:22.41,0:34:26.24,Default,,0000,0000,0000,,that allows you to access all the PNRs in\Ntheir system if you know the PNR and Dialogue: 0,0:34:26.24,0:34:31.54,Default,,0000,0000,0000,,the last name. And one German reporter\Nwriting about this, he calls the Dialogue: 0,0:34:31.54,0:34:38.28,Default,,0000,0000,0000,,websites that you didn’t know existed,\Nthat you have no use for but that, anyway, Dialogue: 0,0:34:38.28,0:34:43.51,Default,,0000,0000,0000,,put your privacy at risk. So there doesn’t\Nseem to be any up side to these web sites. Dialogue: 0,0:34:43.51,0:34:47.59,Default,,0000,0000,0000,,I certainly don’t need to use them\Nbut they’re there, and they’re bad. 
Dialogue: 0,0:34:47.59,0:34:52.47,Default,,0000,0000,0000,,Because when we did the research none of\Nthem had any protection from brute-forcing Dialogue: 0,0:34:52.47,0:34:56.60,Default,,0000,0000,0000,,meaning we could try 100,000, even\Nmillions of different combinations Dialogue: 0,0:34:56.60,0:35:01.87,Default,,0000,0000,0000,,– PNR and last name – and those\Nwebsites wouldn’t complain even a bit. Dialogue: 0,0:35:01.87,0:35:09.39,Default,,0000,0000,0000,,We did expose Amadeus to way more\Nqueries that the others and at some point Dialogue: 0,0:35:09.39,0:35:13.04,Default,,0000,0000,0000,,they did notice, maybe also because some\Nreporters just asked them for comments Dialogue: 0,0:35:13.04,0:35:19.48,Default,,0000,0000,0000,,on the research. They have tried to\Nimprove. So the classic checkmytrip.com Dialogue: 0,0:35:19.48,0:35:24.09,Default,,0000,0000,0000,,website that was just killed a few days\Nago – R.I.P., thank you, it’s gone, Dialogue: 0,0:35:24.09,0:35:29.78,Default,,0000,0000,0000,,50% of the problem solved. But the other\Nwebsite, that was still around up until Dialogue: 0,0:35:29.78,0:35:35.71,Default,,0000,0000,0000,,literally half an hour ago. What they\Ndid over the last couple of days was, Dialogue: 0,0:35:35.71,0:35:41.39,Default,,0000,0000,0000,,they added a captcha. But the captcha gave\Nyou a cookie. And the cookie you could Dialogue: 0,0:35:41.39,0:35:45.89,Default,,0000,0000,0000,,again use for indefinite number of queries.\N{\i1}laughter{\i0} Dialogue: 0,0:35:45.89,0:35:51.84,Default,,0000,0000,0000,,It’s a company that just hasn’t done web\Nsecurity before. But then they also Dialogue: 0,0:35:51.84,0:35:56.82,Default,,0000,0000,0000,,limited the number of requests per IP\Naddress. Now, we do this from Amazon, Dialogue: 0,0:35:56.82,0:36:01.92,Default,,0000,0000,0000,,so it’s not so difficult to spawn new\NIP addresses, but still… it severely Dialogue: 0,0:36:01.92,0:36:10.72,Default,,0000,0000,0000,,slows us down. 
About 1.000 requests per\NIP address. Even if they now took down Dialogue: 0,0:36:10.72,0:36:15.50,Default,,0000,0000,0000,,checkmytrip for good, of course, this is\Nnot the only pass to a reservation. Dialogue: 0,0:36:15.50,0:36:21.24,Default,,0000,0000,0000,,As we’ve seen before you can just use\Nthe provider’s web site directly. And the Dialogue: 0,0:36:21.24,0:36:26.35,Default,,0000,0000,0000,,popular ones in Germany, they differed in\Nsecurity quite a bit when we checked Dialogue: 0,0:36:26.35,0:36:30.08,Default,,0000,0000,0000,,a few weeks ago. So Lufthansa itself\Ndiffered on their different properties. Dialogue: 0,0:36:30.08,0:36:35.19,Default,,0000,0000,0000,,The standard website asked for a captcha,\Nnot the first time, but I think starting Dialogue: 0,0:36:35.19,0:36:39.74,Default,,0000,0000,0000,,from three requests, so a really good\Ncompromise. They make it comfortable Dialogue: 0,0:36:39.74,0:36:44.54,Default,,0000,0000,0000,,to use for really anybody who just wants\Nto look up their own records. But then Dialogue: 0,0:36:44.54,0:36:48.25,Default,,0000,0000,0000,,they make it a little bit more painful\Nfor somebody who tries to look up Dialogue: 0,0:36:48.25,0:36:52.96,Default,,0000,0000,0000,,too many. But then the mobile version e.g.\Ndidn’t have that captcha. And again, Dialogue: 0,0:36:52.96,0:36:58.69,Default,,0000,0000,0000,,weakest link principle applies. Air\NBerlin, they had some rough IP filter, Dialogue: 0,0:36:58.69,0:37:02.36,Default,,0000,0000,0000,,again, 1.000 requests per IP, that’s\Na little bit too much, they introduced Dialogue: 0,0:37:02.36,0:37:08.59,Default,,0000,0000,0000,,a captcha today! So, again, in response\Nto this. This is already showing Dialogue: 0,0:37:08.59,0:37:13.94,Default,,0000,0000,0000,,some effect. Thank you to checkmytrip\Nand Air Berlin for working on this Dialogue: 0,0:37:13.94,0:37:19.65,Default,,0000,0000,0000,,over the holidays, much appreciated.\NMaybe, if you know anybody, thank you! 
Dialogue: 0,0:37:19.65,0:37:28.34,Default,,0000,0000,0000,,{\i1}applause{\i0} Dialogue: 0,0:37:28.34,0:37:35.02,Default,,0000,0000,0000,,On the other GDS’s the situation is much\Nworse still. They’re still as bruteforceable Dialogue: 0,0:37:35.02,0:37:41.97,Default,,0000,0000,0000,,as they ever were, as are the web sites.\NExcept for the little bit of first-name Dialogue: 0,0:37:41.97,0:37:48.81,Default,,0000,0000,0000,,extra complication on American Airlines,\Nevery web site we have tried is not protected Dialogue: 0,0:37:48.81,0:37:55.54,Default,,0000,0000,0000,,from brute-forcing. And this is surprising\Nto me. In my consulting work I have Dialogue: 0,0:37:55.54,0:38:00.48,Default,,0000,0000,0000,,never seen a web site where not the first\Npentester ever looking at it would say: Dialogue: 0,0:38:00.48,0:38:04.19,Default,,0000,0000,0000,,“Oh, you didn’t have rate limiting in it,\Nplease add it!” and then, two days later Dialogue: 0,0:38:04.19,0:38:10.31,Default,,0000,0000,0000,,they had. So for most of this industry\Nthat is yet to happen. So no cookie here, Dialogue: 0,0:38:10.31,0:38:18.95,Default,,0000,0000,0000,,either. Let’s talk about one more abuse\Nscenario that’s… I can say they’re very Dialogue: 0,0:38:18.95,0:38:22.40,Default,,0000,0000,0000,,relevant but that’s maybe because in my\Nconsulting life I’ve been dealing with Dialogue: 0,0:38:22.40,0:38:28.11,Default,,0000,0000,0000,,human security for the last couple of\Nyears, appreciating that technology Dialogue: 0,0:38:28.11,0:38:32.61,Default,,0000,0000,0000,,is mostly not the weakest link but the\Nthe gullibility of people working Dialogue: 0,0:38:32.61,0:38:38.22,Default,,0000,0000,0000,,in the company. And the same probably goes\Nfor travelers. Imagine the scenario where Dialogue: 0,0:38:38.22,0:38:42.40,Default,,0000,0000,0000,,you made a booking, just a few minutes\Nago. 
And now that airline, or at least Dialogue: 0,0:38:42.40,0:38:46.86,Default,,0000,0000,0000,,it looks like that airline, sends you an\Ne-mail saying “Thank you for making Dialogue: 0,0:38:46.86,0:38:53.16,Default,,0000,0000,0000,,this reservation, here is all your booking\Nstuff, summarized for you, please update Dialogue: 0,0:38:53.16,0:38:57.48,Default,,0000,0000,0000,,your credit card information, though.\NThe booking didn’t go through. Dialogue: 0,0:38:57.48,0:39:03.31,Default,,0000,0000,0000,,I would click on that. I expect them to\Ne-mail me, I know that sometimes Dialogue: 0,0:39:03.31,0:39:08.17,Default,,0000,0000,0000,,credit cards are fuzzy, I would click on\Nit and enter my credit card information Dialogue: 0,0:39:08.17,0:39:13.83,Default,,0000,0000,0000,,again. And how is this possible? Of course\Nwe can stay ahead of the current pointer Dialogue: 0,0:39:13.83,0:39:18.41,Default,,0000,0000,0000,,in this sequences and find bookings\Nthat were made in the last, let’s say, Dialogue: 0,0:39:18.41,0:39:23.95,Default,,0000,0000,0000,,half an hour, for popular last names\Nagain. And each of those bookings will Dialogue: 0,0:39:23.95,0:39:28.37,Default,,0000,0000,0000,,point us to an e-mail address, and give us\Nall the context we need to include in this Dialogue: 0,0:39:28.37,0:39:33.74,Default,,0000,0000,0000,,very, very targeted phishing. If nothing\Nelse, I think this should convince Dialogue: 0,0:39:33.74,0:39:38.48,Default,,0000,0000,0000,,the airline industry to close these loop\Nholes because the evilness of the internet Dialogue: 0,0:39:38.48,0:39:43.19,Default,,0000,0000,0000,,will not ignore this forever. Phishers are\Nalways looking for new targets, and Dialogue: 0,0:39:43.19,0:39:52.37,Default,,0000,0000,0000,,this will be a very juicy one. So we\Nlooked at the three big GDS’s now. Dialogue: 0,0:39:52.37,0:39:59.33,Default,,0000,0000,0000,,There’s a few other players, e.g. 
SITA.\NIt looks like on the way out but these two Dialogue: 0,0:39:59.33,0:40:03.83,Default,,0000,0000,0000,,very big airlines, they still use it. So\Nthey’re certainly still relevant. They are Dialogue: 0,0:40:03.83,0:40:08.43,Default,,0000,0000,0000,,even worse. They use, instead of a\Nsix-digit booking code they use five digits. Dialogue: 0,0:40:08.43,0:40:12.54,Default,,0000,0000,0000,,And one digit is fixed per airline. So if\Nyou know you’re looking for Air India Dialogue: 0,0:40:12.54,0:40:18.77,Default,,0000,0000,0000,,you don’t even have to brute-force that\Nleaving just four digits to go through, Dialogue: 0,0:40:18.77,0:40:23.56,Default,,0000,0000,0000,,and to brute-force. Now we don’t have\Na demo for this because we found three Dialogue: 0,0:40:23.56,0:40:28.67,Default,,0000,0000,0000,,other more fun ones to demo. So…\N{\i1}laughter{\i0} Dialogue: 0,0:40:28.67,0:40:35.91,Default,,0000,0000,0000,,Nemanja will now show you RyanAir, Oman\NAir and Pakistan International Airlines. Dialogue: 0,0:40:35.91,0:40:42.71,Default,,0000,0000,0000,,Note that all of these are connected to\Nbig GDS systems. So it’s now the web sites Dialogue: 0,0:40:42.71,0:40:48.36,Default,,0000,0000,0000,,that make it even worse than we already\Ndiscussed before. And can we switch over Dialogue: 0,0:40:48.36,0:40:51.85,Default,,0000,0000,0000,,to the other computer again? Thanks. Dialogue: 0,0:40:51.85,0:40:57.90,Default,,0000,0000,0000,,Nemanja: Yeah, I guess, many people\Nfly with Ryan Air here. Dialogue: 0,0:40:57.90,0:41:02.36,Default,,0000,0000,0000,,They use Navitaire which is now owned by\NAmadeus. 
Dialogue: 0,0:41:02.36,0:41:06.78,Default,,0000,0000,0000,,So they don’t share the same address space.\NBut on the Ryanair web site you can Dialogue: 0,0:41:06.78,0:41:10.51,Default,,0000,0000,0000,,either search for the reservation with the\Ne-mail address and the reservation number Dialogue: 0,0:41:10.51,0:41:15.02,Default,,0000,0000,0000,,or the last four digits of the credit card\Nthat you used for booking. Dialogue: 0,0:41:15.02,0:41:16.02,Default,,0000,0000,0000,,{\i1}laughter{\i0} Dialogue: 0,0:41:16.02,0:41:20.77,Default,,0000,0000,0000,,Karsten: Again, great authenticator,\Nright? Ten thousand options. Dialogue: 0,0:41:20.77,0:41:29.82,Default,,0000,0000,0000,,Nemanja: As they don’t have captcha\Nwe can have a look for… Dialogue: 0,0:41:29.82,0:41:34.43,Default,,0000,0000,0000,,So we know that the last four digits of Dialogue: 0,0:41:34.43,0:41:36.30,Default,,0000,0000,0000,,Carmen Sandiego’s card are these. Dialogue: 0,0:41:36.30,0:41:38.55,Default,,0000,0000,0000,,Karsten: And if not we can just try all\Nten thousand. Dialogue: 0,0:41:38.55,0:41:42.13,Default,,0000,0000,0000,,Nemanja: We can just try, yeah. We can\Ndo the other way around. So this way Dialogue: 0,0:41:42.13,0:41:48.27,Default,,0000,0000,0000,,we know that… and that it starts\Nwith these characters. And let’s try Dialogue: 0,0:41:48.27,0:41:54.13,Default,,0000,0000,0000,,to brute-force it. In the meantime\Nlet’s have a look at the Oman Air. Dialogue: 0,0:41:54.13,0:41:57.89,Default,,0000,0000,0000,,They ask for the booking reference\Nand for the departure airport. 
But Dialogue: 0,0:41:57.89,0:42:01.90,Default,,0000,0000,0000,,departure airport doesn’t have to be just\Nthe departure airport but it can also be Dialogue: 0,0:42:01.90,0:42:07.08,Default,,0000,0000,0000,,any airport that is within the reservation.\NSo for Oman Air we think that it’s Dialogue: 0,0:42:07.08,0:42:13.09,Default,,0000,0000,0000,,Muscat which is the capital.\NSo usually… most of these slides Dialogue: 0,0:42:13.09,0:42:18.42,Default,,0000,0000,0000,,go through there. Let’s see\Nif we can find someone who is… Dialogue: 0,0:42:18.42,0:42:24.43,Default,,0000,0000,0000,,Karsten: And he’s now just trying random\Nbooking codes that are valid within Dialogue: 0,0:42:24.43,0:42:28.82,Default,,0000,0000,0000,,that name space. So, again, they don’t\Nreally use the full entropy. So that makes Dialogue: 0,0:42:28.82,0:42:32.83,Default,,0000,0000,0000,,the search a little bit quicker but other\Nthan that it’s just a pure brute-force. Dialogue: 0,0:42:32.83,0:42:37.83,Default,,0000,0000,0000,,Nemanja: And as there is no captcha as you\Ncan see we can go on to the next one. Dialogue: 0,0:42:37.83,0:42:39.87,Default,,0000,0000,0000,,So this one is the winner! Dialogue: 0,0:42:39.87,0:42:44.18,Default,,0000,0000,0000,,{\i1}laughter{\i0} Dialogue: 0,0:42:44.18,0:42:53.61,Default,,0000,0000,0000,,They trust you that it’s yours!\N{\i1}strong applause{\i0} Dialogue: 0,0:42:53.61,0:43:00.78,Default,,0000,0000,0000,,And let’s see … so we already have one\Nfor the Oman Air. Okay. This is the one… Dialogue: 0,0:43:00.78,0:43:01.78,Default,,0000,0000,0000,,this is where… Dialogue: 0,0:43:01.78,0:43:04.91,Default,,0000,0000,0000,,Karsten: That was RyanAir, huh? Dialogue: 0,0:43:04.91,0:43:07.18,Default,,0000,0000,0000,,Nemanja: This is the RyanAir, yeah. Dialogue: 0,0:43:07.18,0:43:10.67,Default,,0000,0000,0000,,So we didn’t bring these two characters. Dialogue: 0,0:43:10.67,0:43:15.11,Default,,0000,0000,0000,,But… because we wanted to hide it. 
If we\Naccidentally hit some booking with that Dialogue: 0,0:43:15.11,0:43:18.84,Default,,0000,0000,0000,,card number we don’t want to show the\Nbooking reference number of someone else. Dialogue: 0,0:43:18.84,0:43:27.82,Default,,0000,0000,0000,,So it might be even some\Nof the people here. We can try… Dialogue: 0,0:43:27.82,0:43:33.95,Default,,0000,0000,0000,,Even got one from the Pakistan. Carmen\NSandiego is flying from SXF to TSR. Dialogue: 0,0:43:33.95,0:43:45.75,Default,,0000,0000,0000,,And here we can just enter the…\Nwhat was the, I think… if I’m right… Dialogue: 0,0:43:45.75,0:43:54.14,Default,,0000,0000,0000,,Let’s see if this will work. Yeah, okay. Dialogue: 0,0:43:54.14,0:43:55.40,Default,,0000,0000,0000,,Hello Carmen Sandiego. Dialogue: 0,0:43:55.40,0:44:01.10,Default,,0000,0000,0000,,Karsten: So now we know where Carmen\NSandiego is, finally. The point is, Dialogue: 0,0:44:01.10,0:44:05.45,Default,,0000,0000,0000,,we made, you can brute-force these web\Nsites rather easily and you don’t really Dialogue: 0,0:44:05.45,0:44:10.41,Default,,0000,0000,0000,,trigger any alerts there, apparently.\NWhich, again, coming from Dialogue: 0,0:44:10.41,0:44:15.18,Default,,0000,0000,0000,,an IT security background I find pretty\Nshocking. Can we switch back to Dialogue: 0,0:44:15.18,0:44:25.14,Default,,0000,0000,0000,,the other screen? Let’s look at the last\Nsecurity feature that we would expect Dialogue: 0,0:44:25.14,0:44:30.09,Default,,0000,0000,0000,,any IT system to have, these days.\NEspecially knowing that it has been Dialogue: 0,0:44:30.09,0:44:33.88,Default,,0000,0000,0000,,criticized for lack of IT security for\Na long time. And that, of course, Dialogue: 0,0:44:33.88,0:44:40.26,Default,,0000,0000,0000,,is accountability, logging. At least track\Nwho’s legitimately or illegitimately Dialogue: 0,0:44:40.26,0:44:45.01,Default,,0000,0000,0000,,accessing these records. 
It turns out\Nthat it has been asked for a long time Dialogue: 0,0:44:45.01,0:44:50.41,Default,,0000,0000,0000,,by different people, again most notably\NEd Hasbrouck, this privacy advocate, Dialogue: 0,0:44:50.41,0:44:55.40,Default,,0000,0000,0000,,but also other reporters and other\Nadvocates have come across this Dialogue: 0,0:44:55.40,0:44:59.95,Default,,0000,0000,0000,,for years, saying “there’s rumors that,\Nlet’s say, the Department of Homeland Dialogue: 0,0:44:59.95,0:45:05.04,Default,,0000,0000,0000,,Security in the U.S., they have root access\Nin these GDS’s. Where are the records, Dialogue: 0,0:45:05.04,0:45:10.31,Default,,0000,0000,0000,,whether they are accessing it or not.\NWhere are the records for abuse by Dialogue: 0,0:45:10.31,0:45:15.39,Default,,0000,0000,0000,,support staff in these GDS companies.\NWhere are any records?” Dialogue: 0,0:45:15.39,0:45:19.25,Default,,0000,0000,0000,,The GDS companies have always said,\N“oh, we can’t keep any records, it’s Dialogue: 0,0:45:19.25,0:45:26.24,Default,,0000,0000,0000,,not technologically possible.” I call BS\Non that. They are logging… in the tiniest Dialogue: 0,0:45:26.24,0:45:30.52,Default,,0000,0000,0000,,minutiae, any change to a reservation\Nthere’s a log for. And then an access log Dialogue: 0,0:45:30.52,0:45:34.91,Default,,0000,0000,0000,,does not exist? And it’s not\Ntechnologically possible? I think there’s Dialogue: 0,0:45:34.91,0:45:40.12,Default,,0000,0000,0000,,a completely different reason behind here.\NIf, in fact, these companies gave access, Dialogue: 0,0:45:40.12,0:45:45.13,Default,,0000,0000,0000,,unlawful access, or at least in violation\Nof privacy laws in, let’s say, Dialogue: 0,0:45:45.13,0:45:49.58,Default,,0000,0000,0000,,the E.U. 
or Canada, if, in fact, they gave\Nthat access to other governments Dialogue: 0,0:45:49.58,0:45:54.53,Default,,0000,0000,0000,,the last thing you want is a trail of\Nevidence showing that people have Dialogue: 0,0:45:54.53,0:46:01.07,Default,,0000,0000,0000,,access to records. So this has nothing to\Ndo with technological restrictions, this is Dialogue: 0,0:46:01.07,0:46:05.57,Default,,0000,0000,0000,,purely – those companies don’t wanna be\Nin the middle of a debate where probably Dialogue: 0,0:46:05.57,0:46:10.81,Default,,0000,0000,0000,,some sealed order in the U.S. makes them\Ndisclose all this information but laws Dialogue: 0,0:46:10.81,0:46:14.82,Default,,0000,0000,0000,,in Europe make them not disclose the\Ninformation. They just don’t wanna have Dialogue: 0,0:46:14.82,0:46:20.92,Default,,0000,0000,0000,,evidence either way. But that leaves us\Nin a very peculiar position where now Dialogue: 0,0:46:20.92,0:46:26.02,Default,,0000,0000,0000,,we know that these systems are insecure,\Nuse very bad authenticators, expose this Dialogue: 0,0:46:26.02,0:46:31.16,Default,,0000,0000,0000,,over web sites that can be brute-forced\Nand don’t keep any record of if that Dialogue: 0,0:46:31.16,0:46:36.78,Default,,0000,0000,0000,,actually happens. So it’s completely\Nunknown how much abuse may be Dialogue: 0,0:46:36.78,0:46:41.81,Default,,0000,0000,0000,,happening here. 
I think we can be pretty\Ncertain that the flight changes for people Dialogue: 0,0:46:41.81,0:46:45.47,Default,,0000,0000,0000,,to fly for free, that they are not\Nhappening very frequently because that’s Dialogue: 0,0:46:45.47,0:46:50.58,Default,,0000,0000,0000,,the only one of these attack methods that\Nwould leave very clear evidence, somebody Dialogue: 0,0:46:50.58,0:46:55.40,Default,,0000,0000,0000,,actually complaining, saying “I wanted to\Ntake my flight but apparently somebody Dialogue: 0,0:46:55.40,0:47:01.18,Default,,0000,0000,0000,,else already took it before me, or\Ncanceled it and took off with the money.” Dialogue: 0,0:47:01.18,0:47:04.63,Default,,0000,0000,0000,,But for the other cases we have no idea\Nwhether or not they’re happening. Dialogue: 0,0:47:04.63,0:47:08.48,Default,,0000,0000,0000,,They’re technologically possible, and\Nnobody seems to be looking for these Dialogue: 0,0:47:08.48,0:47:17.04,Default,,0000,0000,0000,,abuse patterns. In summary, there’s just\Nthree big global databases, two in the U.S., Dialogue: 0,0:47:17.04,0:47:24.24,Default,,0000,0000,0000,,one in Europe. They keep all the\Ninformation on all the travelers. Dialogue: 0,0:47:24.24,0:47:29.23,Default,,0000,0000,0000,,This information includes your personal\Ncontact information, payment information, Dialogue: 0,0:47:29.23,0:47:34.25,Default,,0000,0000,0000,,your IP address. So lots of stuff that in\Na lot of other systems we consider Dialogue: 0,0:47:34.25,0:47:39.70,Default,,0000,0000,0000,,sensitive, private even. And it should be\Nprotected with a good password. We would Dialogue: 0,0:47:39.70,0:47:44.49,Default,,0000,0000,0000,,advise people to use an 8-character or\Nlonger password, with special characters. Dialogue: 0,0:47:44.49,0:47:48.84,Default,,0000,0000,0000,,None of that exists here. The passwords\Nhere are six digits. They are less than Dialogue: 0,0:47:48.84,0:47:53.77,Default,,0000,0000,0000,,five digits’ worth of entropy. 
They’re\Nprinted on scraps of paper that you Dialogue: 0,0:47:53.77,0:47:58.72,Default,,0000,0000,0000,,throw away. They are found on Instagram\Nand they’re brute-forceable through numerous Dialogue: 0,0:47:58.72,0:48:04.29,Default,,0000,0000,0000,,web sites by the GDS companies and through\Nthe travel providers. So this is very, Dialogue: 0,0:48:04.29,0:48:10.92,Default,,0000,0000,0000,,very far away from even weak internet\Nsecurity. This really predates the internet Dialogue: 0,0:48:10.92,0:48:17.97,Default,,0000,0000,0000,,in stupidity and insecurity. And while\Nthere’s multiple scenarios in which Dialogue: 0,0:48:17.97,0:48:23.98,Default,,0000,0000,0000,,either privacy of users is at risk or even\Nfraud could happen, none of this is even Dialogue: 0,0:48:23.98,0:48:28.57,Default,,0000,0000,0000,,logged, and nobody knows or has any way\Nof knowing the magnitude to which Dialogue: 0,0:48:28.57,0:48:33.13,Default,,0000,0000,0000,,these systems are already abused.\NSo what do we need here? Dialogue: 0,0:48:33.13,0:48:38.26,Default,,0000,0000,0000,,We clearly need more limitations on who\Ncan access what. This is not just my ask. Dialogue: 0,0:48:38.26,0:48:43.02,Default,,0000,0000,0000,,This has been asked for 10 to 20 years.\NBut more on the technical level, Dialogue: 0,0:48:43.02,0:48:48.73,Default,,0000,0000,0000,,in the long term, we need passwords for\Nevery traveler. You should be able Dialogue: 0,0:48:48.73,0:48:53.38,Default,,0000,0000,0000,,to post a picture of your boarding pass\Non Instagram without having to worry Dialogue: 0,0:48:53.38,0:48:57.14,Default,,0000,0000,0000,,about somebody abusing it. This is a piece\Nof paper that you will throw away. Dialogue: 0,0:48:57.14,0:49:02.87,Default,,0000,0000,0000,,There should be nothing secret about it.\NIf you wanna share it – feel free to. Dialogue: 0,0:49:02.87,0:49:08.01,Default,,0000,0000,0000,,Somebody else needs to add a password\Nto make that safe again. 
Dialogue: 0,0:49:08.01,0:49:12.76,Default,,0000,0000,0000,,But that’s a very long-term goal. These\Ntravel companies, they’re so interwoven, Dialogue: 0,0:49:12.76,0:49:18.08,Default,,0000,0000,0000,,as we saw today, that all of them really\Nhave to move at the same time. Dialogue: 0,0:49:18.08,0:49:24.86,Default,,0000,0000,0000,,The GDS’s have to do their share. But then\Neach of interconnected airlines has to do Dialogue: 0,0:49:24.86,0:49:29.12,Default,,0000,0000,0000,,their share. We saw this one random ticket\Nfrom Instagram, so this was a Lufthansa Dialogue: 0,0:49:29.12,0:49:35.81,Default,,0000,0000,0000,,ticket with some Alaska Air components\Nissued by United. So at least those three Dialogue: 0,0:49:35.81,0:49:40.02,Default,,0000,0000,0000,,companies have to work together. And how\Nmany more different airlines today have Dialogue: 0,0:49:40.02,0:49:44.67,Default,,0000,0000,0000,,code-share agreements. So we’re talking\Nabout hundreds of companies who have Dialogue: 0,0:49:44.67,0:49:50.26,Default,,0000,0000,0000,,to come together and decide “we wanna\Nintroduce pass codes, passwords”, Dialogue: 0,0:49:50.26,0:49:54.73,Default,,0000,0000,0000,,whatever you wanna call them, “for each\Nbooking”. So that is a long-term goal. Dialogue: 0,0:49:54.73,0:49:59.10,Default,,0000,0000,0000,,In the short term, though, at the very\Nleast we can expect, is for all these Dialogue: 0,0:49:59.10,0:50:04.72,Default,,0000,0000,0000,,web sites that do give access to travelers’\Nprivate information to do the bare minimum Dialogue: 0,0:50:04.72,0:50:09.46,Default,,0000,0000,0000,,of web security. At the very least\Nsome rate limiting. Don’t allow us Dialogue: 0,0:50:09.46,0:50:16.00,Default,,0000,0000,0000,,to throw millions of requests at your\Nproperties, and give us back honest Dialogue: 0,0:50:16.00,0:50:22.23,Default,,0000,0000,0000,,answers. That is unheard of anywhere else\Nin the “cloud”. 
But for travel systems Dialogue: 0,0:50:22.23,0:50:27.80,Default,,0000,0000,0000,,who claim for themselves to be the first\Ncloud ever this seems to be very standard. Dialogue: 0,0:50:27.80,0:50:32.24,Default,,0000,0000,0000,,And then, finally, until all of this can\Nbe guaranteed, until there’s passwords Dialogue: 0,0:50:32.24,0:50:36.35,Default,,0000,0000,0000,,and until there is good rate limiting\NI think we have a right to know Dialogue: 0,0:50:36.35,0:50:40.85,Default,,0000,0000,0000,,who accesses our records, and there must\Nbe some accountability. Especially, Dialogue: 0,0:50:40.85,0:50:46.30,Default,,0000,0000,0000,,knowing how insecure these systems are\Ntoday. This is a long way, and I can only Dialogue: 0,0:50:46.30,0:50:52.54,Default,,0000,0000,0000,,hope that we are starting a journey by\Nannoying large companies like Amadeus. Dialogue: 0,0:50:52.54,0:50:58.26,Default,,0000,0000,0000,,They have done their little bit of fixing\Nover the weekend now, so hopefully Dialogue: 0,0:50:58.26,0:51:02.41,Default,,0000,0000,0000,,some others will follow suit and we\Nwill have better systems. Until then, Dialogue: 0,0:51:02.41,0:51:07.05,Default,,0000,0000,0000,,of course, I can only encourage all of you\Nto look at more of these travel systems Dialogue: 0,0:51:07.05,0:51:10.95,Default,,0000,0000,0000,,because there’s plenty more to find.\NWe’re only scratching the surface here. Dialogue: 0,0:51:10.95,0:51:14.65,Default,,0000,0000,0000,,And, more generally, to look at more\Nlegacy systems. 
I think we’re spending Dialogue: 0,0:51:14.65,0:51:20.12,Default,,0000,0000,0000,,way too much time making some already\Nreally good crypto just a tiny bit better Dialogue: 0,0:51:20.12,0:51:25.06,Default,,0000,0000,0000,,or finding, for a really good mobile operating\Nsystem, the next little jailbreak Dialogue: 0,0:51:25.06,0:51:31.78,Default,,0000,0000,0000,,that will be fixed two days later anyhow,\Nignoring all these huge security issues Dialogue: 0,0:51:31.78,0:51:36.25,Default,,0000,0000,0000,,that have been there for many, many years\Nin systems that are a little bit less sexy Dialogue: 0,0:51:36.25,0:51:40.29,Default,,0000,0000,0000,,and riddled with bug bounties than\Nsomething else that we do spend a lot Dialogue: 0,0:51:40.29,0:51:46.97,Default,,0000,0000,0000,,of time on. So I hope I could encourage\Nyou to do that. I wanna just hand out Dialogue: 0,0:51:46.97,0:51:52.69,Default,,0000,0000,0000,,a few thank-yous to members of our team\Nwithout whom this research wouldn’t Dialogue: 0,0:51:52.69,0:51:58.31,Default,,0000,0000,0000,,have been possible, and to a few industry\Nexperts who were kind enough to Dialogue: 0,0:51:58.31,0:52:02.63,Default,,0000,0000,0000,,read over these slides and provide\Nfeedback, and help us hopefully Dialogue: 0,0:52:02.63,0:52:07.88,Default,,0000,0000,0000,,not have any major gaps in our\Ninformation. And then, to you for Dialogue: 0,0:52:07.88,0:52:11.50,Default,,0000,0000,0000,,showing up in such great numbers,\Nthank you very much! Dialogue: 0,0:52:11.50,0:52:29.92,Default,,0000,0000,0000,,{\i1}applause{\i0} Dialogue: 0,0:52:29.92,0:52:33.56,Default,,0000,0000,0000,,Herald: Wow, great talk. Thank you\Nvery much! We have five minutes Dialogue: 0,0:52:33.56,0:52:38.55,Default,,0000,0000,0000,,for Q&A. So please line up on the\Nmicrophones, and we’ll take Dialogue: 0,0:52:38.55,0:52:40.56,Default,,0000,0000,0000,,some questions. First one! 
Dialogue: 0,0:52:40.56,0:52:44.30,Default,,0000,0000,0000,,Question: Do you have any indication of\Nhow secure the systems are on the other Dialogue: 0,0:52:44.30,0:52:48.67,Default,,0000,0000,0000,,end, that the airlines supply their\Nfares into the entire systems? Dialogue: 0,0:52:48.67,0:52:53.87,Default,,0000,0000,0000,,Is there any indication that those systems\Nmight be more secure than Dialogue: 0,0:52:53.87,0:52:59.18,Default,,0000,0000,0000,,on the customer side? Or would it\Nbe easy to inject a cheap fare, e.g. Dialogue: 0,0:52:59.18,0:53:02.86,Default,,0000,0000,0000,,by impersonating the airline\Nwith weak passwords? Dialogue: 0,0:53:02.86,0:53:08.45,Default,,0000,0000,0000,,Karsten: Honestly, we don’t know.\NIt was definitely on our list to research Dialogue: 0,0:53:08.45,0:53:14.16,Default,,0000,0000,0000,,but we don’t have time for everything so\Nwe focus more on the customer privacy. Dialogue: 0,0:53:14.16,0:53:18.66,Default,,0000,0000,0000,,But one thing that I really would want\Nto test if I had any way of doing it: Dialogue: 0,0:53:18.66,0:53:24.28,Default,,0000,0000,0000,,imagine the parsers for these strings.\NImagine injecting some special characters Dialogue: 0,0:53:24.28,0:53:32.19,Default,,0000,0000,0000,,in that. I don’t know who creates these\Nstrings and maybe I don’t wanna know. Dialogue: 0,0:53:32.19,0:53:37.99,Default,,0000,0000,0000,,But if anybody does and you could play\Nwith some SQL commands I think a lot of Dialogue: 0,0:53:37.99,0:53:42.88,Default,,0000,0000,0000,,web sites would wake up understanding that\Non that front they don’t do enough Dialogue: 0,0:53:42.88,0:53:44.97,Default,,0000,0000,0000,,security either. Dialogue: 0,0:53:44.97,0:53:48.30,Default,,0000,0000,0000,,Herald: Okay, question\Nfrom the Signal Angel? Dialogue: 0,0:53:48.30,0:53:52.04,Default,,0000,0000,0000,,Signal Angel: A question from IRC.\NRecently, U.S. 
Customs and Border Patrol Dialogue: 0,0:53:52.04,0:53:56.43,Default,,0000,0000,0000,,started collecting social media identifiers\Nfor foreign citizens trying to enter Dialogue: 0,0:53:56.43,0:54:00.47,Default,,0000,0000,0000,,the U.S. on a Visitor Visa. Could that\Ninformation be accessible through PNR’s? Dialogue: 0,0:54:00.47,0:54:04.83,Default,,0000,0000,0000,,Karsten: That’s a good question.\NI don’t think you would be. Dialogue: 0,0:54:04.83,0:54:07.03,Default,,0000,0000,0000,,From Audience: They are! Dialogue: 0,0:54:07.03,0:54:08.68,Default,,0000,0000,0000,,Karsten: So, I… Dialogue: 0,0:54:08.68,0:54:11.43,Default,,0000,0000,0000,,From Audience: Yes, they are! Dialogue: 0,0:54:11.43,0:54:13.58,Default,,0000,0000,0000,,Karsten: They are in the PNR? Dialogue: 0,0:54:13.58,0:54:15.14,Default,,0000,0000,0000,,From Audience: Yes! Dialogue: 0,0:54:15.14,0:54:16.39,Default,,0000,0000,0000,,Karsten: Okay. Dialogue: 0,0:54:16.39,0:54:18.65,Default,,0000,0000,0000,,{\i1}laughter{\i0} Dialogue: 0,0:54:18.65,0:54:25.59,Default,,0000,0000,0000,,I would have imagined that it’s\Nmore a case like this journalist, Dialogue: 0,0:54:25.59,0:54:32.59,Default,,0000,0000,0000,,Cyrus Farivar. He requested through\NFOIA disclosure all the records that Dialogue: 0,0:54:32.59,0:54:36.60,Default,,0000,0000,0000,,the U.S. Government kept on his\Ntravelling. And he found a lot more stuff Dialogue: 0,0:54:36.60,0:54:41.90,Default,,0000,0000,0000,,than just in the PNR. They had notes in\Nthere like “he’s a journalist”, “we had Dialogue: 0,0:54:41.90,0:54:45.56,Default,,0000,0000,0000,,to search him extra for that”, stuff like\Nthat. So they don’t wanna write that Dialogue: 0,0:54:45.56,0:54:49.93,Default,,0000,0000,0000,,into the PNR. But the Government keeps\Nseparate records that may be indexed Dialogue: 0,0:54:49.93,0:54:51.88,Default,,0000,0000,0000,,by PNR, I don’t know. Dialogue: 0,0:54:51.88,0:54:54.78,Default,,0000,0000,0000,,Herald: Okay, microphone here! 
Dialogue: 0,0:54:54.78,0:54:58.69,Default,,0000,0000,0000,,Question: Can you say something about\Nhow long information will be stored Dialogue: 0,0:54:58.69,0:55:04.70,Default,,0000,0000,0000,,in those travel systems, and whether users\Nhave a right to get them deleted? Dialogue: 0,0:55:04.70,0:55:11.50,Default,,0000,0000,0000,,Karsten: That’s a good question. I think\Nthat differs by system. So in Amadeus Dialogue: 0,0:55:11.50,0:55:17.18,Default,,0000,0000,0000,,records are removed pretty quickly. Days,\Nor at most, weeks after the last flight is Dialogue: 0,0:55:17.18,0:55:21.35,Default,,0000,0000,0000,,finally done. But in Sabre I had the\Nimpression that much older records were Dialogue: 0,0:55:21.35,0:55:25.96,Default,,0000,0000,0000,,still in there. Which may explain why\Ntheir data set is so dense. If you keep Dialogue: 0,0:55:25.96,0:55:29.50,Default,,0000,0000,0000,,accumulating all the information. By the\Nend of the day this is all going back Dialogue: 0,0:55:29.50,0:55:33.86,Default,,0000,0000,0000,,to mainframe technology. So I don’t think\Nanybody understands these algorithms Dialogue: 0,0:55:33.86,0:55:36.21,Default,,0000,0000,0000,,any more. They just kind of work. Dialogue: 0,0:55:36.21,0:55:38.17,Default,,0000,0000,0000,,Question: The deletion? Dialogue: 0,0:55:38.17,0:55:41.75,Default,,0000,0000,0000,,Karsten: The deletion, yeah. I don’t think\Nyou can request anything to be deleted. Dialogue: 0,0:55:41.75,0:55:45.89,Default,,0000,0000,0000,,I don’t think they consider you\Na person that they wanna talk to. Dialogue: 0,0:55:45.89,0:55:47.56,Default,,0000,0000,0000,,You’re not the customer! Dialogue: 0,0:55:47.56,0:55:49.68,Default,,0000,0000,0000,,Question: Thanks! 
Dialogue: 0,0:55:49.68,0:55:52.15,Default,,0000,0000,0000,,Herald: Okay, the microphone\Nthere, in the… Dialogue: 0,0:55:52.15,0:55:56.43,Default,,0000,0000,0000,,Question: It seems that the immediate way\Nto abuse these systems is, like you said, Dialogue: 0,0:55:56.43,0:56:01.71,Default,,0000,0000,0000,,with abusing money, and the mileage etc.\NIt seems that those paths are actually Dialogue: 0,0:56:01.71,0:56:05.80,Default,,0000,0000,0000,,somehow monitored by airlines, so if I’m\Ncollecting miles and take it not under Dialogue: 0,0:56:05.80,0:56:09.46,Default,,0000,0000,0000,,my name that would raise some flags.\NYou think that’s not the case? Dialogue: 0,0:56:09.46,0:56:15.70,Default,,0000,0000,0000,,Karsten: Yes, I should have been more\Nexplicit how this attack works, Dialogue: 0,0:56:15.70,0:56:19.95,Default,,0000,0000,0000,,the mile diversion. So, of course, you\Nhave to have an account in the same name Dialogue: 0,0:56:19.95,0:56:24.57,Default,,0000,0000,0000,,as the person flying. So had his demo\Nworked, he would have a PNR for Dialogue: 0,0:56:24.57,0:56:28.65,Default,,0000,0000,0000,,a lady Carmen Sandiego. You can just go\Nto miles&more and create an account Dialogue: 0,0:56:28.65,0:56:33.59,Default,,0000,0000,0000,,under that name. A lot of airlines, though,\Nthey also allow you to change your name. Dialogue: 0,0:56:33.59,0:56:38.47,Default,,0000,0000,0000,,So you just change it whenever you found\Na round trip Australia ticket, Dialogue: 0,0:56:38.47,0:56:42.51,Default,,0000,0000,0000,,you change the name to whatever that\Ntarget name is. And I know for a fact Dialogue: 0,0:56:42.51,0:56:49.04,Default,,0000,0000,0000,,that people are doing that right now, not\Nyou guys, before even. Based on Instagram Dialogue: 0,0:56:49.04,0:56:53.72,Default,,0000,0000,0000,,photos. 
So people are diverting miles by\Ncreating new accounts or by keeping on Dialogue: 0,0:56:53.72,0:56:58.11,Default,,0000,0000,0000,,changing the names of the accounts.\NAnd yes, airlines do sometimes notice this Dialogue: 0,0:56:58.11,0:57:04.79,Default,,0000,0000,0000,,but only when it becomes excessive.\NAnd sure, that’s their money. I just hope Dialogue: 0,0:57:04.79,0:57:08.79,Default,,0000,0000,0000,,that it will become so excessive that\Nit’s such a big problem that it can’t be Dialogue: 0,0:57:08.79,0:57:13.76,Default,,0000,0000,0000,,ignored any more. And then the privacy\Nissues get fixed on the same token Dialogue: 0,0:57:13.76,0:57:18.47,Default,,0000,0000,0000,,where privacy is never enough to convince\Na big company. But if you throw in Dialogue: 0,0:57:18.47,0:57:20.80,Default,,0000,0000,0000,,a little bit of fraud it may be enough. Dialogue: 0,0:57:20.80,0:57:29.08,Default,,0000,0000,0000,,{\i1}applause{\i0} Dialogue: 0,0:57:29.08,0:57:31.62,Default,,0000,0000,0000,,Herald: Okay, one last question.\NMicrophone here! Dialogue: 0,0:57:31.62,0:57:36.60,Default,,0000,0000,0000,,Question: Hi Karsten! When people use\Nlike GDS’s they have these really archaic… Dialogue: 0,0:57:36.60,0:57:41.18,Default,,0000,0000,0000,,there are not even… there are like actual\Nterminals, not even pseudo-terminals. Dialogue: 0,0:57:41.18,0:57:45.19,Default,,0000,0000,0000,,And then they expose like these APIs for\Nthe sake of writing your code in like Java Dialogue: 0,0:57:45.19,0:57:49.26,Default,,0000,0000,0000,,or whatever. I’m wondering if there’s\Nresearch to be done at that level? Dialogue: 0,0:57:49.26,0:57:53.88,Default,,0000,0000,0000,,Or did you just not look at that, or\Nthat’s just an area of further research? Dialogue: 0,0:57:53.88,0:57:59.33,Default,,0000,0000,0000,,Karsten: We did, quite a bit. 
But we found\Nno way of making that public in any way Dialogue: 0,0:57:59.33,0:58:05.72,Default,,0000,0000,0000,,that wouldn’t require a login from a\Ntravel agency and all of that good stuff. Dialogue: 0,0:58:05.72,0:58:11.55,Default,,0000,0000,0000,,So I think the most I wanna say about that\Nis the logins that travel agencies have, Dialogue: 0,0:58:11.55,0:58:15.63,Default,,0000,0000,0000,,they’re terribly secured. But, of course,\NI can’t encourage anybody to go out Dialogue: 0,0:58:15.63,0:58:20.63,Default,,0000,0000,0000,,and hack them. But if you did and you had\Naccess you’d be logging in to something Dialogue: 0,0:58:20.63,0:58:24.76,Default,,0000,0000,0000,,that looks like a terminal. And you’d be\Ntyping some commands. And the next thing Dialogue: 0,0:58:24.76,0:58:29.94,Default,,0000,0000,0000,,you know it throws a Java stack trace at\Nyou. So these just look like terminals. Dialogue: 0,0:58:29.94,0:58:33.58,Default,,0000,0000,0000,,They have moved well beyond that while\Nstill maintaining this look and feel Dialogue: 0,0:58:33.58,0:58:38.11,Default,,0000,0000,0000,,of a mainframe. And they’re terribly\Ninsecure. So these stack traces, they just Dialogue: 0,0:58:38.11,0:58:41.51,Default,,0000,0000,0000,,come left and right even if you\Ntry to do the right thing! Dialogue: 0,0:58:41.51,0:58:43.20,Default,,0000,0000,0000,,{\i1}laughter{\i0} Dialogue: 0,0:58:43.20,0:58:45.29,Default,,0000,0000,0000,,Question: Thanks!\NHerald: Okay we have one question Dialogue: 0,0:58:45.29,0:58:47.10,Default,,0000,0000,0000,,from the internet! Dialogue: 0,0:58:47.10,0:58:52.97,Default,,0000,0000,0000,,Signal Angel: Somebody wants to know,\Nhow do you avoid DDoS’ing those services Dialogue: 0,0:58:52.97,0:58:56.73,Default,,0000,0000,0000,,when you just brute-force the booking\Nnumbers? Dialogue: 0,0:58:56.73,0:59:01.81,Default,,0000,0000,0000,,Karsten: A good question. 
Of course we\Ndon’t wanna hurt anybody, so we tried to Dialogue: 0,0:59:01.81,0:59:07.49,Default,,0000,0000,0000,,keep the rates low. And it turns out if\Nyou throw 20 Amazon instances at them Dialogue: 0,0:59:07.49,0:59:09.71,Default,,0000,0000,0000,,they don’t go down yet. And… Dialogue: 0,0:59:09.71,0:59:11.46,Default,,0000,0000,0000,,{\i1}laughter{\i0} Dialogue: 0,0:59:11.46,0:59:14.26,Default,,0000,0000,0000,,Herald: Okay. Thank you very much,\NKarsten and Nemanja! Dialogue: 0,0:59:14.26,0:59:20.56,Default,,0000,0000,0000,,{\i1}applause{\i0} Dialogue: 0,0:59:20.56,0:59:23.90,Default,,0000,0000,0000,,{\i1}postroll music{\i0} Dialogue: 0,0:59:23.90,0:59:45.00,Default,,0000,0000,0000,,subtitles created by c3subtitles.de\Nin the year 2020. Join and help us!