Here are some last-minute security and general “staying vertical” notes I shared with folks who are headed to BSidesLV/Diana Initiative/Queercon/Blackhat/DEF CON.
I’ve tried to keep it very simple and accessible, and to encourage a productive paranoia for folks who are attending without going full tinfoil hat/burner phone/all the things.
There are lots of other posts on Vegas survival, and I’ll post a list of them in a little bit… This one is focused on super practical personal and operational security.
For a list of the stuff Bugcrowd is up to including parties, villages, and talks by the team and yours truly, this page is your friend: https://www.bugcrowd.com/event/black-hat-2019/
Before you leave…
- Delete saved/auto-join WiFi networks from all devices: laptop, phone, watch, etc. Your devices broadcast probes for every network they remember, and a rogue access point will happily answer to any of them. For more info on why, Google “WiFi Pineapple” or “Karma attack” — https://9to5mac.com/2018/07/20/mac-how-to-forget-wireless-networks/ — I got on the Wall of Sheep for this in 2013 :)
- Run updates on every device you intend to bring. Unpatched software is the easiest target, and the one most likely to be hit.
- Configure your firewall to deny ALL incoming connections. This matters especially for engineers and folks who run services (e.g. test websites and databases) on their machines: http://osxdaily.com/2013/08/28/block-all-incoming-network-connections-mac-os-x/
- Set up and test your VPN. Bonus points: configure auto-connect http://osxdaily.com/2016/08/10/auto-connect-vpn-mac-boot-login/
- Consider the data on the devices you’re bringing. Do you really need it? If you lose the device, assume the data on it gets pwnd… So have a reason for bringing it.
- Prepare your payment options. Cash is best, followed by Apple Pay/Google Pay (tokenized, so your card number never hits the terminal).
- Put privacy screens on everything.
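The first three items above are scriptable on a Mac. The following is an added example (mine, not from the original post or any of the linked articles) that parses the saved-network list, forgets every entry, and turns on the block-all firewall. It assumes the Wi-Fi interface is `en0` (check with `networksetup -listallhardwareports`), that you run it on macOS with sudo rights, and it skips the destructive steps cleanly on any other OS so the parser can be exercised with the constructed sample output embedded below.

```shell
#!/bin/sh
# Pre-con laptop checklist (added example, not from the original post).
# Assumptions: macOS, Wi-Fi on en0, sudo available for the firewall steps.
set -eu

WIFI_IF="${WIFI_IF:-en0}"
FW=/usr/libexec/ApplicationFirewall/socketfilterfw

# Constructed sample of `networksetup -listpreferredwirelessnetworks en0`
# output: a header line followed by one tab-indented SSID per line.
SAMPLE_LIST="Preferred networks on en0:
	HomeNet
	Airport Free WiFi
"

# Parse that listing on stdin and print one SSID per line.
# Drops the header, strips leading whitespace, ignores blank lines.
parse_preferred_networks() {
  sed -e '1d' -e 's/^[[:space:]]*//' | grep -v '^$' || true
}

# Forget every saved network so the device stops probing for it
# (the KARMA / WiFi Pineapple trick relies on those probes).
forget_saved_networks() {
  if ! command -v networksetup >/dev/null 2>&1; then
    echo "networksetup not found (not macOS?); skipping Wi-Fi cleanup" >&2
    return 0
  fi
  networksetup -listpreferredwirelessnetworks "$WIFI_IF" |
    parse_preferred_networks |
    while IFS= read -r ssid; do
      echo "forgetting: $ssid"
      sudo networksetup -removepreferredwirelessnetwork "$WIFI_IF" "$ssid"
    done
}

# Application firewall: on, block all incoming, stealth mode (no ICMP/probe replies).
harden_firewall() {
  if [ ! -x "$FW" ]; then
    echo "socketfilterfw not found; skipping firewall" >&2
    return 0
  fi
  sudo "$FW" --setglobalstate on
  sudo "$FW" --setblockall on
  sudo "$FW" --setstealthmode on
  "$FW" --getblockall   # verify: should report block all is ON
}

# Dry run: show what would be forgotten using the constructed sample.
demo() {
  printf '%s' "$SAMPLE_LIST" | parse_preferred_networks |
    while IFS= read -r ssid; do echo "would forget: $ssid"; done
}

main() {
  forget_saved_networks
  harden_firewall
  echo "Now: install pending updates (softwareupdate -l) and test your VPN."
}

case "${1:-demo}" in
  run)  main ;;
  demo) demo ;;
esac
```

Run it as `sh precon.sh run` on the laptop you are taking; with no argument it only prints what it would do against the sample. `networksetup -removeallpreferredwirelessnetworks en0` does the same job in one shot if you don't care to see the list first.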
As you travel…
- Treat everything from leaving home to arriving back as hostile to the same degree. There will be 40,000 hackers on planes across the USA on Monday.
- Watch your OPSEC. Shoulder-surfing and eavesdropping are the two big ones to look out for.
Bonus: use the heightened awareness to enjoy how terrible most other people’s opsec is in airports, on planes, and in public places. :)
- Power down your laptop before you go through TSA. A fully powered-off machine with disk encryption has no keys sitting in memory, so this is a corporate security issue in case anyone gets pulled aside — it’s unlikely, but it does happen.
On the ground — GOLDEN RULES…
- Devices: if you’re not using it, turn it off.
- Connections (NFC, Bluetooth, WiFi, etc.): if you’re not using it, turn it off.
- If it’s not yours, don’t plug it in. That includes USB sticks, chargers, and cables.
- Assume someone is listening to you.
On the ground — OTHER STUFF…
- Avoid using the WiFi for any reason. If you have to, make absolutely sure your VPN is active before anything else talks to the network.
- Use Signal if you’re so inclined, and especially if you want to connect and network with hackers/gov/IC folks.
- If your phone downgrades from LTE to 3G (or 2G) and stays there, you’re likely being MITM’d: rogue base stations work by forcing you onto the older, weaker protocols. Turn your cellular off for a while. This will get more common near the end of the week as LE and hobbyists monkey with the cell towers.
- Treat your hotel room like it’s a restaurant or other semi-private public space with respect to where you put your personal belongings. Keep electronics with you if you can or think you should.
- Always power down your laptop if you leave it in the room, even if it’s in the safe or hidden.
- Do remember your NDAs and common discretion. Loose lips sink ships.
- Avoid trash talk and be especially mindful of how you speak of others when you’re representing. This is good policy at any time… But word travels like lightning down there. Don’t be that person.
- If you need cash, use the Casino cashier or the ATMs closest to the cashier. They’re the most watched and generally, the least tampered with. Avoid any ATMs that aren’t viewed by CCTV or in a generally shady area.
- Don’t worry about super-spies and arch-evil genius criminal masterminds… The biggest threat for attendees is industry opsec failures, getting caught in ruckus hackery cross-fire, the hotel staff themselves, and general opportunistic badness that tends to happen around Vegas.
- Expect things to break. Fire alarms may go off, the elevator may act weird, and general shenanigans are likely. Roll with it, and look for conference staff and peers to help you navigate it if need be. Honestly, this is part of what makes the experience fun.
- Don’t expect the chaos to be limited to DEF CON. Blackhat has been getting progressively rowdier from an attendee standpoint, and more actively hostile from a cybersecurity risk standpoint.
- Decide one or two things that you want to get out of the week, and focus on those things. There will be PLENTY of incidental value and learnings along the way.
- Don’t expect to get into talks unless you plan well ahead. I’m planning to spend the little free time I have around the villages during DEF CON, and the booth during Blackhat.
- 3 hours of sleep, 2 meals, and 1 shower per day at a minimum. Vegas is specifically designed to help you forget to do these things.
- Get yourself a buddy and check in with each other every now and then, even if you’re not in the same place. I’ve found the very simple thing of having someone remind me that I haven’t stopped in $x hours can mean the difference between crashing out, and maintaining what is effectively a long series of sprints.
- Have fun, but be responsible. You only get one reputation.
Most of all… Meet people, connect and network, and learn something new!
This is the gathering point for much of our cybersecurity (builder/breaker/defender, and everything around and in-between) tribe, and my favorite week of the year.
See you in the desert!