Those shows together attract the world's top hackers and security researchers, who share research on the latest threats and attacks. With that many security experts in one spot, it is not uncommon to see one group or another running cons, attacks and gaming devices, all in good fun, pushing the limits and testing boundaries. And there are also plenty of pranksters.
What does this mean for you, the attendee, exactly? It means that you have to really be vigilant about securing your computer and data when you are there, or you will end up on the famed Wall of Sheep, where usernames and passwords sniffed from the Wi-Fi network are displayed for all to see. Every year, many a security professional has fallen prey to that.
My colleagues and I were recently swapping best practice tips for battening down the hatches while we are in Las Vegas, and I thought I'd share some thoughts in a blog post.
Here's my short list:
- On your phone, disable Bluetooth, NFC and Wi-Fi (alternatively, get a simple feature phone and put your SIM card in it)
- Disable Wi-Fi on tablets and laptops (even better, don't bring them to the show floor; lock them in your hotel safe)
- If you have to connect to the Internet, make sure the connection is encrypted (using a VPN is the easiest way to ensure that)
- Don't install any updates or patches while at the conference - they could be fake (update to the latest level before you go)
- Don't log in to sensitive accounts (don't apply for a mortgage or student loan while at the conference)
- Don't use or accept any third-party storage or third-party charging (the well-known infected USB sticks and the recent malicious charging cables)
My colleague Andrew Wild, Qualys CSO, is bringing a stripped-down laptop and will limit his use of email and apps such as Twitter and Facebook on his smartphone. He also warns about the dangers of RFID sniffing, which grabs personal data from passports and driver's licenses that often have RFID chips embedded. There are RFID-blocking wallets that protect against sniffing.
And Mike Shema, our director of engineering, who is giving a talk about Cross-Site Request Forgery (CSRF) vulnerabilities and ways to avoid attacks, recommends safe browsing practices, such as using different browsers for different types of Web surfing. For example, use one browser for general "unsafe" browsing to any site and a different browser for visiting sites that you log in to. This is because CSRF attacks are opportunistic: they take advantage of cookie sessions that remain exposed when Web surfers haven't logged out of a site but have only closed the tab or window. Mike also recommends removing Flash and Java and making sure the browser is up to date with Qualys BrowserCheck.
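To show what the site side of that defence looks like, here is an added example (not code from the original post or from Qualys): a state-changing request is only honoured when it carries a per-session anti-CSRF token and a matching Origin header, which a forged cross-site request cannot supply even though the browser attaches the still-valid session cookie. The request dictionary layout, `SECRET_KEY` and `TRUSTED_ORIGIN` are constructed assumptions for the demo.

```python
import hashlib
import hmac
import secrets

# Constructed per-process secret; a real application loads this from configuration.
SECRET_KEY = secrets.token_bytes(32)
TRUSTED_ORIGIN = "https://bank.example"  # assumed origin of our own site


def issue_csrf_token(session_id: str) -> str:
    """Token bound to the session: HMAC(secret, session id). A page on another
    site cannot read the victim's cookie, so it cannot compute this value."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def is_request_allowed(request: dict) -> bool:
    """Decide whether a request may change state. `request` is a constructed
    dict with keys method, headers, cookies and form."""
    if request["method"].upper() in ("GET", "HEAD", "OPTIONS"):
        return True  # safe methods must not change state, so no token is needed
    session_id = request["cookies"].get("session")
    if not session_id:
        return False  # no session, nothing to protect
    # Browsers attach Origin to cross-site POSTs; reject a foreign one outright.
    origin = request["headers"].get("Origin")
    if origin is not None and origin != TRUSTED_ORIGIN:
        return False
    submitted = request["form"].get("csrf_token", "")
    expected = issue_csrf_token(session_id)
    # Constant-time comparison so the check itself leaks nothing about the token.
    return hmac.compare_digest(submitted.encode(), expected.encode())


def demo() -> dict:
    """Constructed traffic: both requests carry the same logged-in session cookie."""
    session_id = "sess-1234"
    legit = {"method": "POST",
             "headers": {"Origin": TRUSTED_ORIGIN},
             "cookies": {"session": session_id},
             "form": {"to": "savings", "amount": "10",
                      "csrf_token": issue_csrf_token(session_id)}}
    # A form auto-submitted from another site: the browser still sends the cookie
    # (the exposed session the post warns about) but the form has no valid token.
    forged = {"method": "POST",
              "headers": {"Origin": "https://other.example"},
              "cookies": {"session": session_id},
              "form": {"to": "elsewhere", "amount": "1000"}}
    return {"legit": is_request_allowed(legit), "forged": is_request_allowed(forged)}
```

Logging out (or using a separate browser for logged-in sites, as Mike suggests) removes the cookie from the forged request entirely, so it fails at the session check rather than relying on the token.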
Last, but not least, it's not just your bits and bytes you should be worried about. In past years, ATMs have been hacked, with fake ones planted inside the hotels. Make sure you bring sufficient cash from home so you don't need to resort to these ATMs.
Author: Wolfgang Kandek, CTO, Qualys.