Securing Yourself at DEF CON 26
By- August 07, 2018
That time of year is just around the corner again! DEF CON 26 is next week and we here at Tinfoil Security are super excited!
Over the next week the largest gathering of security professionals, researchers, and enthusiasts in the world will be taking place at Caesars Palace and Flamingo Hotels in Las Vegas, NV. The conference is incredible—it consistently ranks among the highlights of the year among nearly everyone I know—but it does have a reputation for being host to all sorts of nefariousness. So if this is your first time going, pay close attention to make sure you have a fun and safe time!
Why be cautious? Well just as an example, one year during DEF CON, hackers installed a fake ATM in the Rio hotel when it was held there, and used it to steal credit card information. Needless to say, don’t use ATMs at Caesars Palace and Flamingo Hotels if you can help it - bring cash with you. Every year people get owned at DEF CON, but with a little preparation, you can secure yourself against all but the most ludicrous of attacks. Incidentally, while our advice is most applicable to DEF CON and Blackhat, it is also applicable to any other conference you go to. Hackers don’t just hide in holes and hibernate until DEF CON every year - they are everywhere.
DEF CON is known for sporting the “world’s most hostile network.” A good rule of thumb is to assume that any communication going on within 1000 feet of Caesars Palace and Flamingo Hotels are going to be intercepted. If the idea of your phone calls being listened in on, your SMS messages being intercepted, or your web traffic being sniffed bothers you, leave your devices at home. If that’s not feasible, backup and wipe your electronics before the conference: the inconvenience garnered by using a clean laptop for a week is insignificant compared to the damage caused by accidentally leaking source code or other confidential information. This is also true of your mobile device - if you must bring it, back it up and wipe it before and after the conference.
Make sure you are completely up to date on patches, software updates, browser updates, and have the latest AV software. You want to make sure you do this far away from Las Vegas, as downloading anything while in Vegas is probably the worst possible idea. Do not download anything, turn off automatic updates, and be very wary of any “SSL Certificate Errors” you might otherwise have ignored.
Clear your cache, cookies, temporary files, and just about anything else. A lot of websites often cache very sensitive information that can be stolen if accessed by an attacker. Encrypt your data on-disk using full-disk encryption. On Mac, you can do this by setting up FileVault. On Windows, your best bet is probably BitLocker.
If you must bring a phone or a laptop to the conference, keep all of the radios disabled when not in use. Your phone should be in airplane mode, your WiFi should be disabled, and perhaps most importantly, your list of trusted network SSIDs should be cleared - tools like the WiFi Pineapple can spoof access points, trivially allowing an attacker to man-in-the-middle your network traffic. Even the RSA conference, widely regarded as one of the most “professional” security conferences, has had a pineapple as well a few years ago.
The best prevention mechanism for pineapples (if you must enable WiFi) is to disable auto-joining of known networks and delete all of your existing known networks. The way a pineapple works is by listening to your device broadcast its known networks: “Hey, is Tinfoil Security Wireless around?” Then, of course, the pineapple responds: “Yup, I’m right here! Just connect and enjoy your wonderful internet access!” And, by then, it’s game over.
An absolute necessity for network access at DEF CON is the use of a VPN. If you have access to one, use it. If you don’t have access to one, we can help you get set up in five minutes, at no charge. As far as we’re concerned, using a VPN is one of the most important things you can do to secure yourself at DEF CON (or anywhere, for that matter), but it also isn’t sufficient. Even if you’re using a VPN, you should still avoid accessing sensitive information while at the conference. Don’t log into internal services like your company wiki or source control, and avoid checking email at all costs. Be wary of relying on VPNs on mobile devices - it can be difficult to see how traffic is being routed, and whether the VPN is configured properly.
If your phone is acting weird, or wonky, or it looks like you have full LTE service but every call gets dropped: it is a safe bet that you are being intercepted. Turn your phone off immediately, walk somewhere else, and try again. A device “acting weird” at DEF CON is something to be concerned about.
Even charging your phone or laptop could result in your device being compromised. It’s not uncommon to see public charging stations scattered around the Caesars Palace and Flamingo Hotels, and as with nearly everything at DEF CON, it should be assumed that these are being used as a vector for exploitation: entire products have been built around protecting users from malicious USB ports.
If you can avoid it, don’t plug anything in at DEF CON, and if you must, bring your own cables: here is a great example of an exploit that was leaked which allows an attacker to eavesdrop on a computer using a modified VGA cable. It sounds absurd, but these are the kinds of attacks you need to be thinking about. Your best bet is to just minimize your exposure surface by reducing your usage of electronics as much as possible.
Something as innocuous as a “promotional” USB stick giveaway might be an attempt to load malicious code onto your system. Even scanning a QR code might be the first stage in an exploit to root your device. There’s no limit to the creativity of hackers, and if anything is evidence of that, it’s the mind blowing hacks that crop up at DEF CON every year.
If this interests you, you should watch (or participate in!) the Social Engineering CTF. It is incredible what people will tell you if you ask them nicely, and talk with a little confidence. There's even a Social Engineering CTF for Kids. That’s right - every year, Fortune 500 companies have data leaked and stolen by children. If it can happen to them, it can happen to you, so always be a little wary when meeting with new people - most of them will be great, but keep yours eyes out for anything fishy.
For some hackers, getting a free lunch from a company after cloning their VP of Engineering’s badge at DEF CON is the pinnacle of social engineering. There is no reason to bring your company badge or RFID / NFC enabled credit card (the kind you can tap) to DEF CON. If, for some reason, you absolutely have to take it with you to DEF CON, put it in a copper-lined envelope, and wrap it in six layers of aluminum foil (or, as the case may be, tinfoil).
This sounds insane, but these cloning devices are rampant all around the conference, and it's not unheard of for some to be sold on the premises.
We could go on for pages about the different types of attacks you might run into, and what you can do to protect yourself against them, but really it just comes down to having the right mindset about security - don’t take anything at face value, and assume that everyone is somehow out to exploit you. It sounds scary, but a little common sense goes a long way, and even amidst the fake ATM scares, and things like the Wall of Sheep, DEF CON is an experience that shouldn’t be missed. Nobody likes getting “owned” though, so if it’s your first time, take our advice to heart, and think twice before doing anything that might compromise your security.
If you are going to Blackhat or DEF CON, let us know and ping us at: firstname.lastname@example.org and we would absolutely love to catch up and buy you a beverage. If there is anything else you’re doing to prepare, let us know: we’d love to hear about it!
Most importantly, have fun - and stay safe. :)