Securing Yourself at DEF CON

As much as the security community likes to joke, DEF CON isn’t canceled this year. Over the next week the largest gathering of security professionals, researchers, and enthusiasts in the world will be taking place at the Rio in Las Vegas, NV. The conference is incredible—it consistently ranks among the highlights of the year among nearly everyone I know—but it does have a reputation for being host to all sorts of nefariousness.

Just a few years ago, hackers installed a fake ATM in the Rio, and used it to steal credit card information. Needless to say, don’t use ATMs at the Rio - bring cash with you. Every year people get pwned at DEF CON, but with a little preparation, you can secure yourself against all but the most ludicrous of attacks. Incidentally, while our advice is most applicable to DEF CON and Blackhat, it is also applicable to any other conference you go to. Hackers don’t just hide in holes and hibernate until DEF CON every year - they are everywhere.

Preparation

DEF CON is known for sporting the “world’s most hostile network.” A good rule of thumb is to assume that any communication going on within 1000 feet of the Rio is going to be intercepted. If the idea of your phone calls being listened in on, your SMS messages being intercepted, or your web traffic being sniffed bothers you, leave your devices at home. If that’s not feasible, back up and wipe your electronics before the conference: the inconvenience of using a clean laptop for a week is insignificant compared to the damage caused by accidentally leaking source code or other confidential information. This is also true of your mobile device - if you must bring it, back it up and wipe it before and after the conference.

Make sure you are completely up to date on patches, software updates, and browser updates, and that you have the latest AV software. You want to make sure you do this far away from Las Vegas, as downloading anything while in Vegas is probably the worst possible idea. Do not download anything, turn off automatic updates, and be very wary of any “SSL Certificate Errors” you might otherwise have ignored.

Clear your cache, cookies, temporary files, and just about anything else. Many websites cache very sensitive information that can be stolen if accessed by an attacker. Encrypt your data on-disk using full-disk encryption. On Mac, you can do this by setting up FileVault. On Windows, your best bet is probably BitLocker.

Communication

If you must bring a phone or a laptop to the conference, keep all of the radios disabled when not in use. Your phone should be in airplane mode, your WiFi should be disabled, and perhaps most importantly, your list of trusted network SSIDs should be cleared - tools like the WiFi Pineapple can spoof access points, trivially allowing an attacker to man-in-the-middle your network traffic. Last year at the RSA conference, widely regarded as one of the most “professional” security conferences, there was a pineapple as well.

The best prevention mechanism for pineapples (if you must enable WiFi) is to disable auto-joining of known networks and delete all of your existing known networks. The way a pineapple works is by listening to your device broadcast its known networks: “Hey, is Tinfoil Security Wireless around?” Then, of course, the pineapple responds: “Yup, I’m right here! Just connect and enjoy your wonderful internet access!” And, by then, it’s game over.
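To find the saved networks worth deleting before you travel, the following added example (not part of the original post) audits Windows Wi-Fi profiles exported with `netsh wlan export profile folder=.` and flags the ones a spoofed access point could answer for. The sample profiles and SSID names are constructed, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

NS = {"w": "http://www.microsoft.com/networking/WLAN/profile/v1"}

def make_sample(name, mode, auth, hidden="false"):
    """Build a constructed profile in the exported WLAN profile XML layout."""
    enc = "none" if auth == "open" else "AES"
    return (
        '<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">'
        f"<name>{name}</name>"
        f"<SSIDConfig><SSID><name>{name}</name></SSID>"
        f"<nonBroadcast>{hidden}</nonBroadcast></SSIDConfig>"
        f"<connectionType>ESS</connectionType><connectionMode>{mode}</connectionMode>"
        f"<MSM><security><authEncryption><authentication>{auth}</authentication>"
        f"<encryption>{enc}</encryption><useOneX>false</useOneX>"
        "</authEncryption></security></MSM></WLANProfile>"
    )

# Constructed sample data, not taken from any real machine.
SAMPLES = [
    make_sample("CoffeeShop-Guest", "auto", "open"),
    make_sample("HomeNet", "auto", "WPA2PSK"),
    make_sample("OfficeHidden", "manual", "WPA2PSK", hidden="true"),
    make_sample("OldHotel", "manual", "open"),
]

def audit_profile(xml_text):
    """Return (ssid, findings) for one exported profile."""
    root = ET.fromstring(xml_text)
    get = lambda path, default: root.findtext(path, default=default, namespaces=NS)
    ssid = get("w:SSIDConfig/w:SSID/w:name", "?")
    mode = get("w:connectionMode", "auto")  # absent is treated as auto (conservative assumption)
    auth = get("w:MSM/w:security/w:authEncryption/w:authentication", "")
    findings = []
    if mode == "auto":
        findings.append("auto-join enabled")
        if auth == "open":
            findings.append("open network: any access point using this name is joined")
    if get("w:SSIDConfig/w:nonBroadcast", "false") == "true":
        findings.append("hidden network: device asks for this SSID by name")
    return ssid, findings

def audit_all(profiles):
    """Map SSID -> findings, keeping only profiles that need attention."""
    return {ssid: f for ssid, f in map(audit_profile, profiles) if f}

if __name__ == "__main__":
    for ssid, findings in audit_all(SAMPLES).items():
        print(f"{ssid}: " + "; ".join(findings))
```

To audit a real machine, read each exported `.xml` file as text and pass the list of contents to `audit_all`; every profile it reports is a candidate for deletion or for switching to manual connection.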

An absolute necessity for network access at DEF CON is the use of a VPN. If you have access to one, use it. If you don’t have access to one, we can help you get set up in five minutes, at no charge. As far as we’re concerned, using a VPN is one of the most important things you can do to secure yourself at DEF CON (or anywhere, for that matter), but it also isn’t sufficient. Even if you’re using a VPN, you should still avoid accessing sensitive information while at the conference. Don’t log into internal services like your company wiki or source control, and avoid checking email at all costs. Be wary of relying on VPNs on mobile devices - it can be difficult to see how traffic is being routed, and whether the VPN is configured properly.

If your phone is acting weird, or wonky, or it looks like you have full LTE service but every call gets dropped: it is a safe bet that you are being intercepted. Turn your phone off immediately, walk somewhere else, and try again. A device “acting weird” at DEF CON is something to be concerned about.

Physical Attacks

Even charging your phone or laptop could result in your device being compromised. It’s not uncommon to see public charging stations scattered around the Rio, and as with nearly everything at DEF CON, it should be assumed that these are being used as a vector for exploitation: entire products have been built around protecting users from malicious USB ports.

If you can avoid it, don’t plug anything in at DEF CON, and if you must, bring your own cables: just this year an exploit was leaked which allows an attacker to eavesdrop on a computer using a modified VGA cable. It sounds absurd, but these are the kinds of attacks you need to be thinking about. Your best bet is to just minimize your exposure surface by reducing your usage of electronics as much as possible.

Social Engineering

Something as innocuous as a “promotional” USB stick giveaway might be an attempt to load malicious code onto your system. Even scanning a QR code might be the first stage in an exploit to root your device. There’s no limit to the creativity of hackers, and if anything is evidence of that, it’s the mindblowing hacks that crop up at DEF CON every year.

If this interests you, you should watch (or participate in!) the Social Engineering CTF. It is incredible what people will tell you if you ask them nicely, and talk with a little confidence. There's even a Social Engineering CTF for Kids. That’s right - every year, Fortune 500 companies have data leaked and stolen by children. If it can happen to them, it can happen to you, so always be a little wary when meeting with new people - most of them will be great, but keep your eyes out for anything fishy.

ID Badges

For some hackers, getting a free lunch from a company after cloning their VP of Engineering’s badge at DEF CON is the pinnacle of social engineering. There is no reason to bring your company badge or RFID / NFC enabled credit card (the kind you can tap) to DEF CON. If, for some reason, you absolutely have to take it with you to DEF CON, put it in a copper-lined envelope, and wrap it in six layers of aluminum foil (or, as the case may be, tinfoil).

This sounds insane, but these cloning devices are rampant all around the conference, and it's not unheard of for some to be sold on the premises.

Healthy Paranoia

We could go on for pages about the different types of attacks you might run into, and what you can do to protect yourself against them, but really it just comes down to having the right mindset about security - don’t take anything at face value, and assume that everyone is somehow out to exploit you. It sounds scary, but a little common sense goes a long way, and even amidst the fake ATM scares, and things like the Wall of Sheep, DEF CON is an experience that shouldn’t be missed. Nobody likes getting pwned though, so if it’s your first time, take our advice to heart, and think twice before doing anything that might compromise your security.

If you are going to Blackhat or DEF CON, drop us a line and we would absolutely love to catch up and buy you a beverage. If there is anything else you’re doing to prepare, let us know: we’d love to hear about it! Most importantly, have fun - and stay safe. :)


Shane Wilton

Shane Wilton is the Grand Magistrate of Security at Tinfoil Security, and the company's resident programming language theorist. When he isn't coding in a functional language like Elixir, he's probably hacking on an interpreter for an esolang of his own, or playing around with dependent types in Idris. Security is always at the forefront of his thoughts, and he enjoys building tools which make it easy for other engineers to write secure code. His love for security is matched only by his love for bad movies - and does he ever love bad movies.
