Here are some last-minute security and general “staying vertical” notes I shared with a few folks who are headed to B-Sides/Diana/Queercon/Blackhat/DEF CON. There are lots of other posts on Vegas survival, and I’ll post a list of them in a little bit… This one is focussed on super practical personal and operational security.
I’ve tried to keep it very simple and accessible, and to encourage a productive paranoia for folks who are attending without going full tinfoil hat/burner phone/all the things.
Before you leave…
- Delete WiFi auto-join connections from all devices: Laptop, phone, watch, etc. For more info on why, Google “WiFi Pineapple” or “Karma attack” – https://9to5mac.com/2018/07/20/mac-how-to-forget-wireless-networks/ – I got on the Wall of Sheep for this in 2013 🙂
- Run updates on every device you intend to bring. Old software is insecure software and is generally the most targeted.
- Configure your Firewall to deny ALL connections especially engineers and folks who run services (e.g. test websites and databases on their machines. http://osxdaily.com/2013/08/28/block-all-incoming-network-connections-mac-os-x/
- Set up and test your VPN. Bonus points: Configure auto-connect http://osxdaily.com/2016/08/10/auto-connect-vpn-mac-boot-login/
- Consider the data on the devices you’re bringing. Do you really need it? If you lose it, it will get pwnd… So have a reason for bringing it.
- Prepare your payment options. Cash is best, followed by Apple Pay/Google Pay.
- Put privacy screens on everything.
As you travel:
- Watch your OPSEC. Shoulder-surfing and eavesdropping are the two bigs ones to look out for.
- Bonus: Use the heightened awareness to enjoy how bad most other people are at this in airports, on planes, and in public places. 🙂
- Power down your laptop before you go through TSA. This is a corporate security issue in case anyone gets pulled aside – It’s unlikely, but it does happen.
- Treat everything from leaving home to arriving back as hostile to the same degree. There will be 40,000 hackers on planes across the USA on Monday.
On the ground (security stuff):
- Devices: If you’re not using if turn it off.
- Connections (NFC, Bluetooth, WiFi): If you’re not using it, turn it off.
- If it’s not yours, don’t plug it in.
- Assume someone is listening to you.
- Avoid using the WiFi for any reason. If you have to, make absolutely sure your VPN is active.
- Use Signal if you’re so inclined, and especially if want to connect and network with hackers/gov/IC folks.
- If your phone downgrades from LTE to 3G, you’re likely being MITM’d. Turn your cellular off for a while. This will get more common near the end of the week as LE and hobbyists monkey with the cell towers.
- Treat your hotel room like it’s a restaurant or other semi-private public space with respect to where you put your personal belongings. Keep electronics with you if you can or think you should.
- Always power down your laptop if you leave it in the room, even if it’s in the safe or hidden.
- Do remember your NDAs and common discretion. Loose lips sink ships.
- Avoid trash talk and be especially mindful of how you speak of others when you’re representing. This is good policy at any time… But word travels like lightning down there. Don’t be that person.
- If you need cash, use the Casino cashier or the ATMs closest to the cashier. They’re the most watched and generally, the least tampered with. Avoid any ATMs that aren’t viewed by CCTV or in a generally shady area.
- Don’t worry about super-spies and arch-evil genius criminal masterminds… The biggest threat for attendees is industry opsec failures, getting caught in ruckus hackery cross-fire, the hotel staff themselves, and general opportunistic badness that tends to happen around Vegas.
On the ground (other stuff):
- Expect things to break. Fire alarms may go off, elevator may act weird, general ruckus is likely. Roll with it, and look for conference staff and peers to help you navigate it if need be. Honestly, this is part of what makes the experience fun.
- Don’t expect the chaos to be limited to DEF CON. Blackhat has been getting progressively rowdier from a attendee standpoint, and more actively hostile from a cybersecurity risk standpoint.
- Decide one or two things that you want to get out of the week, and focus on those things. There will be PLENTY of incidental value and learnings along the way.
- Don’t expect to get into talks unless you plan well ahead. I’m planning to spend the little free time I have around the villages during DEF CON, and the booth during Blackhat.
- 3 hours of sleep, 2 meals, and 1 shower per day at a minimum. Vegas is specifically designed to help you forget to do these things.
- Have fun, but be responsible. You only get one reputation.
Most of all… Have fun, meet people, and learn something new!
This is the gathering point for much of our cybersecurity (builder/breaker/defender, and everything around and in-between) tribe, and my favorite and most feared week of the year.
See you in the desert.