trial by fire: security @ def con 21
DESCRIPTION
DEF CON is the world's largest hacker conference, and it's easy to get PWND. Reed Loden leads Information Security at Lookout, and this is his summary of how to stay safe at DEF CON 21.TRANSCRIPT
TRIAL BY FIRE:SECURITY @ DEF CON 21
REED LODEN, INFORMATION SECURITY, LOOKOUT
It’s the world’s largest hacker conference
DEF CON IS AWESOME
Images via defcon.org and @mikko
But it’s easy to get burned
People will try to hack youIt’s a hacker conference after all...
DEF CON TOP 5 TIPS
• Be paranoid. Expect to be a target of social engineering.• Leave devices at home or in the hotel safe if you don’t need them.• Limit your texts and calls, and assume they’re being monitored.• Don’t connect to WiFi, Bluetooth, NFC, etc. • Remember hacking is not limited to computers and phones.
Things in your wallet or purse (like credit cards, passports, IDs, access badges) might have NFC or RFID.
CAN PREVENT HACKERSImage via www.smokeybear.com
Your computer can’t get hacked if you don’t take it!
What could happen if the stuff on your computer got leaked?
• Confidential documents or info• Source code• Privileged access• Other intellectual property
LEAVE YOUR COMPUTER
Image via www.razorreef.com
• Keep mobile devices turned off unless needed• Don’t install or update any software• Keep it locked with a passphrase• Turn off WiFi, Bluetooth, NFC, etc.• Maintain physical possession of your bags and devices—
don’t set them down!• Log out of work email, personal email, social networks so
they won't auto-connect
USE YOUR PHONE OR TABLET (SAFELY)
• Limit calls and SMSes. Expect all messages and calls to be monitored or recorded, so don't say anything confidential.
• Clear your list of saved WiFi networks and SSIDs to avoid wireless access point spoofing.
• If possible, back up your phone, wipe it and restore it later• Watch out for weird behavior that might indicate someone
is trying to intercept your calls, like: • Looks like you have full signal strength, but you can’t
make a call• Your signal keeps getting downgraded to 2G, EDGE or
GPRS
PHONE AND TABLET USE, CONT.
Download Lookout’s mobile security app before DEF CON!
Remember, your smartphone or tablet is just as critical as your computer, and probably has lots of sensitive personal and company data on it.
WAIT, YOU DO HAVE A SECURITY APP, RIGHT?
DON’T CONNECT TO NETWORKS
DEF CON networks are extremely hostile. Don’t connect to ANY of them!
• Avoid all networks at the Rio (where the con is hosted), all WiFi networks, all public networks... you get the idea.
• VPN from hotel networks. (Unless you’re at the Rio... in which case don’t connect!)
• Don’t log into your company’s services, like email, wikis, internal environments, etc.
ENJOY PUBLIC SHAMING? US NEITHERIntercepted account info will be posted to the infamous WALL OF SHEEP. So think twice before logging in to check Twitter (or trying to update your
MySpace like this example).
• Watch for social engineering• Don’t scan QR codes• Don’t use ATMs at the Rio; bring cash with you to Vegas• Beware of giveaways— CDs, USB sticks, anything electronic• Don’t use public charging stations. It might be juice jacking.• Don’t use dongles that aren’t yours, like adapters or converters
for DVI, VGA, Thunderbolt
BE PARANOID
If you do have to bring your RFID or NFC items (passports, credit cards, badges or IDs), wrap them in tin foil or put them in a copper-lined envelope to block hackers.
It’s like a DIY Faraday cage.
(Or check out DIFRwear.com)
TIN FOIL IS BACK
Image via badattitudes.com
BUT MOST OF ALLHAVE FUNBE SMART
LEARN SOMETHING
SEE YOU AT DEF CONCome to Lookout’s talk, DragonLady: An Investigation of SMS FraudOperations in Russia, with @ryanwsmith13 and @timstrazz
@lookout
/mylookout
blog.lookout.com
Download mobile security before DEF CON
STAY IN TOUCH BEFORE, DURING, AND AFTER DEF CON
See our full DEF CON security prep checklist