As the various intelligence agencies, computer security companies, and hackers prepare for the week of convention carnage that is Blackhat (Going on now), Defcon, and BSidesLV, it’s important to remember how easy it is for security professionals to end up on the dreaded “wall of sheep” (a very public listing of usernames and partially-redacted passwords pilfered from the network and displayed to all). It’s not considered a surprise to get hacked and infected while there – it’s almost expected. You have to be aware of your surroundings while schmoozing with hackers of every nationality, background, and moral code. You have to be prepared: mentally, physically, and digitally.
Before wading into an event as socially oriented as Defcon, you should know what you can and can’t talk about. People will understand if you can’t talk about something because of an NDA, but if you make it seem really juicy, you’re just making yourself a target and you probably shouldn’t have brought it up. If you can’t say to yourself: “My boss/security officer would be OK with this,” then you probably shouldn’t talk about it. While one question does not constitute a security threat, you should always be wary of disclosing information on corporate IT infrastructure if someone seems less than on the level.
In a community that rewards physical security intrusion prowess as much as it does digital intrusions (and any mix thereof) it pays to pay attention to physical security. Make sure anything sensitive to you or your company’s Operational Security is under lock and key(pad)). If that means putting your laptop in a safe because it’s an unwiped work laptop, then that’s what you should do. It’s not hard to trick hotel staff.
Items such as RFID cards, bluetooth devices without encryption, magstripe cards, and access tokens should be accounted for at all times, especially RFID cards, since they are easy to clone, even from a distance. All of these things can significantly impact your security and the security of your employer if lost or stolen. Unless absolutely nessecary, never bring RFID cards, Access or ID badges, or RSA tokens to a security conference – you might even be made an example of in a presentation if you do (it’s happened before).
This should be the most obvious to people, yet it never fails to be left undone. Update everything and check the week before you go, just in case there is a last-minute update from a vendor affected by something at the conference. You won’t want to be walking around with a vulnerable computer when everyone is looking for a target to test out the new exploit.
An oft-overlooked protection against theft is full disk encryption, but only when it’s used correctly. If you set up encryption on your laptop, make sure that hibernation and suspend states are being protected by something as well. Failing to do this could mean that all your preparation and encryption goes to waste if the computer is on while stolen. Be sure to also encrypt any sensitive files on your phone and your USB drives.
Double-check that your operating system’s auto-login feature is disabled, that you don’t have passwords stashed away inside the battery bay of your laptop or phone, and that your phone is set to require a password. Be sure to clean your touchscreen devices after entering your password so that a thief can’t use your fingerprints to determine the password.
Prevent Data Leakage:
Should you be crazy (or desperate) enough to use the wifi, be sure to use HTTPS connections with NO certificate errors. Even with this precaution, don’t be too sure. There have been several issues found in SSL implementations in programs in the past few years, and it’s best to be safe. If you have to use the internet, use your mobile phone as a tether or use SSH encryption.
SSH Tunneling is a great way to stay secure on the road by using it as a tunnel to another server (assuming you have one that you wish to use0. Create a tunnel to shove your internet traffic through by creating a local proxy with the -D command-line option. The syntax is ssh -D [PORT] [username]@[IP ADDRESS]. Then set the proxy settings on your browser of choice to “localhost” for the hostname of the proxy, and [PORT] for the port. It’s a socks proxy, so be sure to select that option. This method works on Windows using Cygwin or Putty as well as Linux.
SSH Tunnels encrypt your traffic to and from your server, ensuring the security of your local connection, so long as you heed any warnings about changed keys (this could mean someone is attempting to intercept your traffic).
Install tracking software with remote wipe and backup capabilities. Lookout is a great application for android that combines all the features together. You’ll sleep easier knowing that if your phone is lost or stolen, you can still wipe it and have all your data offsite.
Disable the following:
Any Ad-Hoc wireless network holdovers from XP (free public wifi, hpsetup, ect…) these can be used to connect to and take advantage of your computer in many nefarious ways.
Any phone wifi hotspots, unless you have WPA2 encryption with a strong password/passphrase.
Boot from CD (unless you are using a liveCD system)
Autorun (if not already disabled)
Any Unnecessary Services (Filesharing in particular)
Enable the Following:
Hard drive passwords
Check materials being brought to conference. Do I really need this USB drive to come with me?
Are my RFID badges out of my wallet?
Are my ID badges out of my wallet?
Do I have to bring my authentication tokens?
Do I have a safe place to put my tokens in the hotel?
Am I using an encrypted tunnel to the internet?
Are my thumbdrives encrypted?
Are my devices encrypted?
Did I do updates the same week I leave?
Are all the applications up-to-date, including my Antivirus?
Do I have login passwords set and required for all my devices?
Potential Rookie Mistakes:
If you want to go a notch above secure and just below paranoid, some people recommend that you use non-persistent liveCD operating systems booted from USB. I do NOT recommend this as they are usually at least somewhat out-of-date and can’t be updated (because they are non-persistent, even on USB).
Stay safe out there!
By Bryan Halfpap