Don't get pwned at Black Hat, DEF CON
Posted on 29 July 2013.
I am not a paranoid person and most industry conferences I go to don't generate any worries about security. You go and participate, but otherwise operate normally, working, emailing, texting, tweeting. But not at DEF CON, or even its corporate sister event Black Hat, which run next week in Las Vegas.

Those shows together attract the world's top hackers and security researchers, who share research on the latest threats and attacks. With that many security experts in one spot, it is not uncommon to see some or other groups running cons, attacks and gaming devices, all in good fun, pushing the limits and testing boundaries. And there are also plenty of pranksters.

What does this mean for you, the attendee, exactly? It means that you have to really be vigilant about securing your computer and data when you are there, or you will end up on the famed Wall of Sheep, where usernames and passwords sniffed from the Wi-Fi network are displayed for all to see. Every year, many a security professional has fallen prey to that.

My colleagues and I were recently swapping best practice tips for battening down the hatches while we are in Las Vegas, and I thought I'd share some thoughts in a blog post.

Here's my short list:
  • On your phone, disable Bluetooth, NFC and Wi-Fi (Alternatively get a simple feature phone and put your SIM card in it)
  • Disable Wi-Fi on tablets and laptops (Even better, don't bring them to the show floor; lock them in your hotel safe)
  • If you have to connect to the Internet, make sure the connection is encrypted (Using a VPN is the easiest way to ensure that)
  • Don't install any updates or patches while at the conference - they could be fake (Update to the latest level before you go)
  • Don't log in to sensitive accounts (Don't apply for a mortgage or student loan while at the conference)
  • Don't use/accept any third party storage or third party charging (the well-known infected USB sticks and the recent malicious charging cables)
If you are really paranoid, and many hackers are, maybe you should leave your computer at home, as past demonstrations have shown how hotel locks and room safes can be hacked. Maybe you should even leave your cellphone at home. After all, this year there are two presentations where people are attacking cellphones by using readily available femtocells (small base stations) to intercept all your cell phone traffic, including voice, texts and data. This attack also works on the little portable hotspots that give you data connectivity through the cell phone network.

My colleague Andrew Wild, Qualys CSO, is bringing a stripped down laptop and will limit his use of email and apps such as Twitter and Facebook on his smartphone. Also, he warns about the dangers of RFID sniffing, which grabs personal data from passports and driver's licenses that often have RFID chips embedded. There are RFID-blocking wallets that protect against sniffing.

And Mike Shema, our director of engineering who is giving a talk about Cross Site Request Forgery (CSRF) vulnerabilities and ways to avoid attacks, recommends using safe browsing practices, such as different browsers for different types of Web surfing. For example, use one browser for general "unsafe" browsing to any site and a different browser for visiting sites that you log in to. This is because CSRF attacks are opportunistic in that they take advantage of cookie sessions that are exposed when Web surfers haven't logged out of a site, but only closed down the tab or window. Mike also recommends removing Flash and Java and making sure the browser is up-to-date with Qualys BrowserCheck.

Last, but not least, it's not just your bits and bytes you should be worried about. In past years, ATMs have been hacked with fake ones planted inside the hotels. Make sure you bring sufficient cash from home and don't need to resort to these ATMs.

Author: Wolfgang Kandek, CTO, Qualys.
