Staying Secure and Productive at Black Hat and DEF CON
Are you going to Black Hat and DEF CON (colloquially known as security summer camp) and are tired of the “leave anything that plugs in at home if you don’t want to be pWn3d at one of the largest hacker conventions” advice that gets rehashed every year?
When I have conversations about how to stay safe at “Hacker Conferences” my main point is always “You shouldn’t treat working at a conference any differently than you treat working at your neighborhood Starbucks.”
After more than 10 years attending DEF CON and Black Hat here are some best practices to help you stay connected and safe during summer camp or anywhere you go broken down into a Technology and an Operations Section.
This section will cover anything that plugs into the wall or connects to the internet. If you have a Mac I automated most of these suggestions in a shell script in this repo.
Patch – You should take some time to make sure that your operating system and all installed software is patched and updated.
Enable full disk encryption – You should enable full-disk encryption so that if your laptop does get stolen the data is safe.
A step-by-step guide to encryption with macOS FileVault
A step-by-step guide to encryption on Windows 10
Pick up a privacy screen – 97% of adults admit to phone snooping. It’s not a stretch to see how this could be a major issue at a security conference. The solution, pick up a privacy screen.
You can easily find a privacy screen for your specific devices on Amazon.
Patch – Apple has been in the habit of releasing iOS patches near Black Hat and DEF CON for the last few years and this year is no different with the release of iOS 13 beta. You should take some time a week before the conference and check for system updates for your phone and also open your phone’s app store to make sure that all of the applications you have installed are updated as well.
USB power pack – If you can afford it, carrying around a power pack is a great way to not end up with a dead phone in Vegas. It also helps in case you need a charge and the nearest USB power source just happens to be a conveniently placed physical “honeypot.”
I like this Anker PowerCore+ as it can give my MacBook a boost as well.
USB Condom – A general rule of thumb is to not plug your device into any open port you find. If you must, I would recommend using a USB condom which is a small and unobtrusive dongle that effectively turns any USB cable into a secure ‘charge-only’ cable to allow safe recharging from untrusted USB ports. If you are going to charge your device on a USB port that you do not own you should use one.
I like the Orginal USB Condom.
Tracking – Make sure that you have location tracking for your devices – like Find My iPhone/Macbook – turned on so that if the worst happens you can find your devices.
Bonus Tip: You can share your location with a trusted person if you want someone to be able to check on you.
Wi-Fi – You should delete all the saved Wi-Fi SSIDs on your devices and turn off automatic connections. Broadcasting a fake, but commonly used Wi-Fi SSID (think ‘Google Starbucks’ or ‘Mandalay Guest’) from devices like wifi-pineapple are common tactics for man-in-the-middle attacks at security events.
Room charge – I like to charge as much stuff (meals, drinks, etc.) to my room as possible. It lets me not use my credit card or cash, and it *really* helps when I go to do my expense reports. If you are staying at an MGM property and going to Black Hat you can room charge there.
Cash – Cash is King in Vegas. I try to use cash everywhere I can’t room charge. On the other hand, getting cash is expensive. Most ATMs on the strip have a $10 minimum service charge, so it’s best to withdraw some cash before arriving at the show.
Credit Cards – Feel free to use your credit cards in Vegas just be sure you let your issuer know you are going and keep an extra eye on your statements.
Take off the badge
Please. If you are in an area where you do not need your badge please don’t wear it around Vegas. It broadcasts your name, who you work for, and why you are in Vegas to people who almost certainly don’t need that information.
Go brandless when going out
Last year I watched a group stand around the casino bar and complain about how terrible their company was … all while wearing backpacks with their company’s logo plastered on it. If possible, leave the logo gear at home unless you have booth duty, and even then, drop it off before your night starts.
Go ‘Off-Campus’ for important meetings
If you are meeting with an important client and need to discuss business you should leave the hotel you are in to avoid any covert eavesdropping. Most casinos will send you and your guests anywhere in Vegas in a nice town car for about $50.
Kenna Security will be at Black Hat, swing by booth #1641 to learn more about our solutions or visit our event page for details on our Black Hat activities.
Note: This is an update of my post for Black Hat 2018 from July 31, 2018.