Don’t get pwned at Black Hat, DEF CON
I am not a paranoid person and most industry conferences I go to don’t generate any worries about security. You go and participate, but otherwise operate normally, working, emailing, texting, tweeting. But not at DEF CON, or even its corporate sister event Black Hat, which run next week in Las Vegas.
Those shows together attract the world’s top hackers and security researchers, who share research on the latest threats and attacks. With that many security experts in one spot, it is not uncommon to see some or other groups running cons, attacks and gaming devices, all in good fun, pushing the limits and testing boundaries. And there are also plenty of pranksters.
What does this mean for you, the attendee, exactly? It means that you have to really be vigilant about securing your computer and data when you are there, or you will end up on the famed Wall of Sheep, where usernames and passwords sniffed from the Wi-Fi network are displayed for all to see. Every year, many a security professional has fallen prey to that.
My colleagues and I were recently swapping best practice tips for battening down the hatches while we are in Las Vegas, and I thought I’d share some thoughts in a blog post.
Here’s my short list:
- On your phone, disable Bluetooth, NFC and Wi-Fi (Alternatively get a simple feature phone and put your SIM card in it)
- Disable Wifi on tablets and laptops (Even better don’t bring them to the show floor, lock them in your hotel safe)
- If you have to connect to the Internet make sure the connection is encrypted (Using a VPN is the easiest way to ensure that)
- Don’t install any updates or patches while at the conference – they could be fake (Update to the latest level before you go)
- Don’t log in to sensitive accounts (Don’t apply for a mortgage or student loan while at the conference)
- Don’t use/accept any third party storage or thrid party charging (the well-known infected USB sticks and the recent malicious charging cables)
If you are really paranoid, and many hackers are, maybe you should leave your computer at home, as past demonstrations have shown how hotel locks and room safes can be hacked. Maybe you should even leave your cellphone at home. After all, this year there are two presentations where people are attacking cellphones by using readily available femtocells (small base stations) to intercept all your cell phone traffic, including voice, texts and data. This attack also works on the little portable hotspots that give you data connectivity through the cell phone network.
My colleague Andrew Wild, Qualys CSO, is bringing a stripped down laptop and will limit his use of email and apps such as Twitter and Facebook on his smartphone. Also, he warns about the dangers of RFID sniffing, which grabs personal data from passports and driver’s licenses that often have RFID chips embedded. There are RFID-blocking wallets that protect against sniffing.
And Mike Shema, our director of engineering who is giving a talk about Cross Site Request Forgery (CSRF) vulnerabilities and ways to avoid attacks, recommends using safe browsing practices, such as different browsers for different types of Web surfing. For example, use one browser for general “unsafe” browsing to any site and a different browser for visiting sites that you log in to. This is because CSRF attacks are opportunistic in that they take advantage of cookie sessions that are exposed when Web surfers haven’t logged out of a site, but only closed down the tab or window. Mike also recommends removing Flash and Java and making sure the browser is up-to-date with Qualys BrowserCheck.
Last, but not least, it’s not just your bits and bytes you should be worried about. In past years, ATMs have been hacked with fake ones planted inside the hotels. Make sure you bring sufficient cash from home and don’t need to resort to these ATMs.
Author: Wolfgang Kandek, CTO, Qualys.