If you're just joining us, this post is part of a Black Hat Attendee Guide series that starts right here.
When traveling to industry conferences, most people prepare their electronic companions (laptops, cell phones, etc) by asking: “Did I pack the right charger in my carry on?”
The premier gathering of the world's best and brightest hackers might be a great opportunity for you to up your travel security game. This post serves as a quick guide on how to keep your information safe from well-meaning researchers, prank-playing fellow attendees, and the occasional bad apple.
Keeping it simple, Black Hat and the surrounding hotel property will offer some of the most “accountable” networks you’ll use. Honestly, you should probably be operating year round at the level of electronic discipline outlined below; then again, you don’t want to drive the mechanic’s car.
Top Tier, Paranoia-at-Maximum Overkill Mode
People can’t steal what you don’t bring.
Let's start off with the easiest solution to the problem at hand. When I touch down at McCarran International Airport, my laptop, cellphone, tablet, and most importantly, sensitive data are all locked up safely at home. I travel with a $20 pre-paid “burner phone” (as seen on TV crime shows) and a sub-$200 Google Chromebook. Both are fresh out of the box and contain no information or passwords. The number for my burner is circulated the week before to friends and coworkers, and I’ve configured call forwarding with my regular carrier just in case they forget it.
As for the Chromebook, it comes with Verified Boot, a feature allowing the device to be easily and quickly reset back to a new-out-of-the-box state if you suspect anything fishy might have happened.
A good password manager like LastPass and a physical two-factor authentication device like YubiKey or an RSA token will get you into your email and SaaS applications remotely. Of course, an out-of-office notification reminding people that, for security reasons, you have limited access to your phone and email will also free you up to attend more parties.
On the return trip, the cell can be dropped off at any major phone retailer where it will usually be donated to a good cause or recycled for you. The Chromebook is relatively cheap and easy to find a good home for. Most importantly, neither should return to your home or office to avoid spreading any nasties they might have picked up to other electronics and networks you care about.
For the other 95% of you
“But I can’t live without Angry Birds!”
If you do bring your primary laptop or cell phone with you, remember that you will be subject to attacks up to and including new and cutting edge research. While the vast majority of researchers are white hat hackers and might not be after your bank account details, the audience members are not vetted, and many are smart enough to duplicate the on-stage results within hours. Simply having up-to-date antivirus definitions isn’t going to protect you.
Talk to your corporate IT department before you leave and request a minimal-access VPN, similar to the VPN service used to work from home but hosted outside your firewall (no direct access to the enterprise network).
If this isn’t available, consider a reputable service supporting your desktop and mobile operating systems (the EFF also has a good overview on picking one). This won’t guarantee end-to-end security, but it will keep your network traffic relatively safe until it gets far away from Las Vegas.
- Based on past talks and summaries of upcoming ones, anything that receives or transmits a signal is a potential target.
- Leave gadgets like wireless mice, headsets and similar peripherals at home.
- Keep Bluetooth turned off.
- Set your phone in Airplane mode when in the conference area, out to dinner, or not expecting a call. (Anyone who has been to Vegas before knows that you are unlikely to get a decent signal in and around the casinos.)
- If the OS isn’t current, and you aren’t planning on doing forensic studies on a fully Stall0wn3d machine, leave it at home.
- Patch ALL THE THINGS. If you can’t patch the OS, applications, and browser plugins up to right-NOW-current, leave it.
- This goes without saying, but if it isn't encrypted, leave it. Only Full-Disk Encryption or device encryption need apply.
- If it communicates and you don’t know exactly what it’s doing, turn it off.
- Firewall ON.
- VPN all the things. Refer to the EFF’s overview.
- 2-Step Authentication on all the things. Stay away from stuff you can’t. Nuke sessions and rotate passwords when you get home, on devices you trust.
- Keep track of your stuff. Anything of value can be physically stolen.
- Honor OpSec: be aware of your surroundings, and of the eyes and ears in them. Loose lips sink ships, and everything in Vegas is recorded by someone, usually hotel security, and certainly not for you. Be careful about what you discuss, and be aware of any sensitive documents you discard.
- When you leave your room or hardware, power off machines ALL THE WAY (not hibernate or sleep) to eliminate side channel opportunities.
- Shut off cellular data, unless you need it. This will ration your battery and limit exposure.
- USB drives: if they aren’t yours, don’t trust them.
- ATMs: Don’t use them near Black Hat (Mandalay Bay) or DEF CON (Paris/Bally’s). Seriously. No.
- RFID shields: Leave work badges at home. Consider a shielding sleeve if you're worried about passports, room keys or anything else.
- Use your own chargers for your devices, or make the USB port power-only, if you carry that kind of hardware.
- Messaging: avoid unencrypted SMS. Use iMessage, Signal, Wickr, PQChat or some other way to communicate.
Mind the real threats
Even with reasonable electronic protections, your devices are still subject to good old-fashioned crimes like physical theft. Beware of the usual pickpockets and hustlers that set up shop in any tourist destination once you leave the watchful eye of strip casino security.
If you meet a new friend in the bar, think twice before inviting them back to your room for another drink.
Also, when attending events after the sun goes down, try not to wear your passport and life savings around your neck in a fancy travel wallet. Instead, make use of your in-room safe (yes, they aren’t perfect) and keep a minimal number of cards and a little cash in your front pocket.
One final thing to be aware of is information solicitation. While not a direct attack on your devices themselves, learning more about your company's defenses over a drink or three is a great way for someone to set up a future attack.
Hopefully with a few basic precautions you can avoid ending up on the Wall of Sheep, or worse.