Pages

How Not to Get Hacked at Black Hat and DefCon

How is that for irony? Going to Black Hat and getting hacked? Here are some tips from our friends at Websense Security Labs and Qualys on how to make it hard for the hackers to make a fool out of you.
If you are at a security conference, you have to accept that there is someone probing the network for security vulnerabilities, sniffing network traffic to see who is sending sensitive data on the web without encrypting it, and pwning any attendees who didn't pick a strong password for their accounts. Some of the brightest minds in security are in attendance at Black Hat and DefCon. For the rest of us, it is in our best interests to be paranoid and exercise some caution.

Before You Even Get to Vegas
Security paranoia and best practices kick in long before you get to Las Vegas. First and foremost, make sure you have patched the operating system, browser, and installed software. Make sure your antivirus and security software are fully patched and up-to-date, too.
Go ahead and delete your cookies and clear the Web browser history and cache. Cookies contain a lot of information about you. If your notebook is stolen, the last thing you want is for the thief to be able to get access to information about you or your online activity.
If you don't already, encrypt sensitive files on your hard drive. If possible, go with full-disk encryption so that you don't miss an important piece of data.
Make a full backup of your computer and other devices and leave the backups at home (or if you trust the cloud, online). That way, if you accidentally lose your device, or if it gets stolen, you at least have your data waiting for you.

Black Hat 2013 Bug
When you get home, wipe your machine (in case you accidentally got hacked or infected) and revert back to this clean backup. While at the conference, consider saving to a cloud server or your own personal removable drive. Don't ask around for someone to give you a USB key at the conference; that's just asking to get an infected drive.
I actually just take a stripped down machine, with nothing on it from my normal usage. Just a patched OS, and whatever information I will need this week.

Just in General, Be Safe
While we are at it, while you are at Black Hat or DefCon, if you are prompted to install a patch or update, be really cautious. Odds are that it will be malicious.
We said it once, we will say it again. Do not accept storage devices, USBs or files from people you don't know. If you find a USB drive in your bag but you don't know how it got there, don't just pop it in to your laptop "to see what's on it."
Be careful about using ATMs, especially near Caesars Palace or Rio, where the conferences are. Anyone can install card skimmers. With Barnaby Jack's tragic death just last week, I am half-expecting someone to set up a fake ATM in his memory.

Device Security in Vegas
Keep an eye on all your devices. If you leave it behind, it may get stolen. It may also encourage someone to compromise it and leave behind a small present instead.
Turn off Bluetooth and Wi-Fi on all your devices. Make sure none of your applications can automatically turn them on. It may be best to leave any radio-frequency identification (RFID) enabled devices, such as your work badge, passport (some counties) or even some credit cards at home, or in your hotel room. If your phone has near-frequency-communications (NFC) chip, turn that off, too.
Do not charge phones, computers, or other devices in public charging stations. We've seen demonstrations at Black Hat where these stations can be hacked to link to your device and slurp data without your knowledge, or infect the device. An option is to invest in a portable battery pack that charges independently that you can use while on the go.

Network Security in Vegas
Be careful about connecting to wireless networks. It's not hard to set up a Wi-Fi Pineapple, a network access point that can sniff out your activity. "Be wary of the wireless networks throughout the venue, and your entire stay at Black Hat," Websense advises. In fact, when you can, stick to using a wired connection, especially in the hotel.

Use your VPN at all times! Connect to work servers over VPN, and if you don't have one, use any one of the VPN services we have looked at. We like VPNBook and Cyber Ghost VPN for free VPNs, although the ad-supported version of AnchorFree's HotSpot Shield is good, too.
Avoid sending sensitive data while onsite. "I avoid accessing data at all, but if you need to, use a VPN on a laptop to be safe," says Andrew Wild, CSO of Qualys.

"People think the cell phone is safe, but it's not. There are going to be two presentations this year where people are using a femtocell base station in a man-in-the-middle attack," says Wolfgang Kandek, CTO of Qualys. "Someone can put up a fake cell tower close to you, in the next room, so the air card would connect to it."

Consider sticking with 3G or 4G connectivity, if you can. I use my Android device as a portable hotspot, but that femtocell talk by iSec Partners this week may scare me off that option, too.
I grabbed a burner phone, because I didn't want to lose any information on my device. "If you are really paranoid, you can always leave your computer and devices at home (since hotel locks and even room safes can be hacked)," says Kandek.

But that's no fun. Black Hat and DefCon are full of great presentations and everyone is ready to share everything they know. Just be aware, think about security, and have a good time. Look for SecurityWatch if you are there and say hi.
A repost from pcmag.com
How Not to Get Hacked at Black Hat and DefCon