Blog

Staying Secure and Productive at Black Hat

Are you going to Black Hat and Defcon (colloquially known as summer camp) and are tired of the “leave anything that plugs in at home” advice? Here are some realistic best practices to help you stay connected and safe during summer camp or anywhere you go.

Laptop

Patch – You should take some time to make sure that your Operating system and all installed software is patched. I wrote MacOS-Maid that does this for me: https://github.com/jgamblin/MacOS-Maid

Enable full disk encryption – You should enable Full Disk Encryption so that if your laptop does get stolen the data is safe.

OS X Lion or later: https://support.apple.com/en-us/ht204837

Windows 10 (Education, Pro, or Enterprise edition), Windows 8 (Professional or Enterprise edition), Windows 7 (Enterprise or Ultimate edition): https://support.microsoft.com/en-us/help/4028713/windows-10-turn-on-device-encryption

Pick up a privacy screen – 97% of adults admit to phone snooping. It’s not a stretch to see how this could be a major issue at a security conference. The solution, pick up a privacy screen.
You can easily find a screen for your specific devices on Amazon.

Phone

Patch – Apple has been in the habit of releasing iOS patches near Black Hat and Defcon for the last few years. You should take some time a week before the conference and check for system updates for your phone and also open your phone’s app store to make sure that all of the applications you have installed are updated as well.

USB power pack – If you can afford it, carrying around a power pack is a great way to not end up with a dead phone in Vegas. It also helps in case you need a charge and the nearest USB power source just happens to be a conveniently placed physical “honeypot.”

I like this one as it can give my MacBook a boost as well: https://www.amazon.com/Anker-PowerCore-Ultra-High-Capacity-Portable/dp/B014ZO46LK

USB Condom – A general rule of thumb is to not plug your device into any open port you find. If you must, I would recommend using a USB condom which is a small and unobtrusive dongle that effectively turns any USB cable into a secure ‘charge-only’ cable to allow safe recharging from untrusted USB ports. If you are going to charge your device on a USB port that you do not own you should use one.

I like this one: https://www.amazon.com/Syncstop%C2%AE-The-Original-USB-Condom/dp/B01N0HCJOW

Connectivity

Tracking – Make sure that you have location tracking for your devices – like Find My iPhone/Macbook – turned on so that if the worst happens you can find your devices.

Bonus Tip: You can share your location with a trusted person if you want someone to be able to check on you.

VPN – Find or build a VPN that works for you. I personally like PIA for the speed and support it offers.

Wi-Fi – You should delete all the saved Wi-Fi SSIDs on your devices and turn off automatic connections. Broadcasting a fake, but commonly used Wi-Fi SSID (think ‘Starbucks’ or ‘Mandalay Guest’) from devices like a pineapple are common tactics for man-in-the-middle attacks at security events. Not to mention a bunch of new tools are going to be released (and tested) at summer camp: https://twitter.com/singe/status/1012615390390824960

Money

Room charge – I like to charge as much stuff (meals, drinks, etc) to my room as possible. It lets me not use my credit card or cash, and it *really* helps when I go to do my expense reports. If you are staying at any MGM property and going to Blackhat you can room charge there.

Cash – Cash is King in Vegas. I try to use cash everywhere I can’t room charge. On the other hand, getting cash is expensive. Most ATMs on the strip have a $10 minimum service charge, so it’s best to withdraw some cash before arriving at the show.

Credit Cards – Feel free to use your credit cards in Vegas just be sure you let your issuer know you are going and keep an extra eye on your statements.

Operations

Take off the badge – Please. If you are in an area where you do not need your badge please don’t wear it around Vegas. It broadcasts your name, who you work for, and why you are in Vegas to people who almost certainly don’t need that information.

Leave the swag at home (Or At Least In Your Room) – Last year I watched a group of coworkers stand around the casino bar and complain about how terrible their company was… all while wearing backpacks with their company’s logo plastered on it. If possible, leave the logo gear at home unless you have booth duty, and even then, drop it off before your night starts.

Go ‘Off-Campus’ for important meetings – If you are meeting with an important client and need to discuss business you should leave the hotel you are in to avoid any covert eavesdropping. Most Casino’s will send you and your guests anywhere in Vegas in a nice town car for about $50.