TRIAL BY FIRE: SECURITY @ DEF CON 21 REED LODEN, INFORMATION SECURITY, LOOKOUT

Trial by Fire: Security @ DEF CON 21

Jan 15, 2015


DEF CON is the world's largest hacker conference, and it's easy to get PWND. Reed Loden leads Information Security at Lookout, and this is his summary of how to stay safe at DEF CON 21.
Transcript
Page 1: Trial by Fire: Security @ DEF CON 21

TRIAL BY FIRE: SECURITY @ DEF CON 21

REED LODEN, INFORMATION SECURITY, LOOKOUT

Page 2: Trial by Fire: Security @ DEF CON 21

It’s the world’s largest hacker conference

DEF CON IS AWESOME

Images via defcon.org and @mikko

Page 3: Trial by Fire: Security @ DEF CON 21

But it’s easy to get burned

People will try to hack you

It’s a hacker conference after all...

Page 4: Trial by Fire: Security @ DEF CON 21

DEF CON TOP 5 TIPS

• Be paranoid. Expect to be a target of social engineering.
• Leave devices at home or in the hotel safe if you don’t need them.
• Limit your texts and calls, and assume they’re being monitored.
• Don’t connect to WiFi, Bluetooth, NFC, etc.
• Remember hacking is not limited to computers and phones.

Things in your wallet or purse (like credit cards, passports, IDs, access badges) might have NFC or RFID.

Page 5: Trial by Fire: Security @ DEF CON 21

CAN PREVENT HACKERS

Image via www.smokeybear.com

Page 6: Trial by Fire: Security @ DEF CON 21

Your computer can’t get hacked if you don’t take it!

What could happen if the stuff on your computer got leaked?

• Confidential documents or info
• Source code
• Privileged access
• Other intellectual property

LEAVE YOUR COMPUTER

Image via www.razorreef.com

Page 7: Trial by Fire: Security @ DEF CON 21

• Keep mobile devices turned off unless needed
• Don’t install or update any software
• Keep it locked with a passphrase
• Turn off WiFi, Bluetooth, NFC, etc.
• Maintain physical possession of your bags and devices—don’t set them down!
• Log out of work email, personal email, social networks so they won't auto-connect

USE YOUR PHONE OR TABLET (SAFELY)

Page 8: Trial by Fire: Security @ DEF CON 21

• Limit calls and SMSes. Expect all messages and calls to be monitored or recorded, so don't say anything confidential.

• Clear your list of saved WiFi networks and SSIDs to avoid wireless access point spoofing.

• If possible, back up your phone, wipe it and restore it later
• Watch out for weird behavior that might indicate someone is trying to intercept your calls, like:
  • Looks like you have full signal strength, but you can’t make a call
  • Your signal keeps getting downgraded to 2G, EDGE or GPRS

PHONE AND TABLET USE, CONT.
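One way to act on the "clear your list of saved WiFi networks" tip above, as an added example that is not part of the deck: a small POSIX shell script for a Linux laptop whose Wi-Fi is managed by NetworkManager (assumed; macOS and Windows use different tools) that lists every saved Wi-Fi profile and forgets it, including SSIDs that contain a colon.

```shell
#!/bin/sh
# Added example, not from the original deck. Assumes a Linux laptop whose
# Wi-Fi is managed by NetworkManager (nmcli). Forgetting every saved profile
# leaves the radio nothing to auto-join, so a spoofed access point that
# reuses one of your old SSIDs does not get a connection for free.

# Read `nmcli -t -f NAME,TYPE connection show` output on stdin and print the
# names of saved Wi-Fi profiles, one per line. Terse output is "NAME:TYPE";
# a colon inside a name is escaped as "\:", so TYPE is the last field and the
# name is everything before it, with the escapes undone.
wifi_profiles() {
    awk -F: '$NF == "802-11-wireless" {
        name = $1
        for (i = 2; i < NF; i++) name = name ":" $i
        gsub(/\\:/, ":", name)
        print name
    }'
}

# Forget every saved Wi-Fi profile. Set DRY_RUN=1 to only print what would go.
forget_wifi_profiles() {
    nmcli -t -f NAME,TYPE connection show | wifi_profiles |
    while IFS= read -r name; do
        if [ "${DRY_RUN:-0}" = "1" ]; then
            printf 'would forget: %s\n' "$name"
        else
            nmcli connection delete id "$name"
        fi
    done
}
```

Run `DRY_RUN=1 sh forget-wifi.sh` first to see the list, then without `DRY_RUN` to actually remove the profiles; wired and VPN connections are left alone.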

Page 9: Trial by Fire: Security @ DEF CON 21

Download Lookout’s mobile security app before DEF CON!

Remember, your smartphone or tablet is just as critical as your computer, and probably has lots of sensitive personal and company data on it.

WAIT, YOU DO HAVE A SECURITY APP, RIGHT?

Page 10: Trial by Fire: Security @ DEF CON 21

DON’T CONNECT TO NETWORKS

DEF CON networks are extremely hostile. Don’t connect to ANY of them!

• Avoid all networks at the Rio (where the con is hosted), all WiFi networks, all public networks... you get the idea.

• VPN from hotel networks. (Unless you’re at the Rio... in which case don’t connect!)

• Don’t log into your company’s services, like email, wikis, internal environments, etc.

Page 11: Trial by Fire: Security @ DEF CON 21

ENJOY PUBLIC SHAMING? US NEITHER

Intercepted account info will be posted to the infamous WALL OF SHEEP. So think twice before logging in to check Twitter (or trying to update your MySpace like this example).

Page 12: Trial by Fire: Security @ DEF CON 21

• Watch for social engineering
• Don’t scan QR codes
• Don’t use ATMs at the Rio; bring cash with you to Vegas
• Beware of giveaways—CDs, USB sticks, anything electronic
• Don’t use public charging stations. It might be juice jacking.
• Don’t use dongles that aren’t yours, like adapters or converters for DVI, VGA, Thunderbolt

BE PARANOID

Page 13: Trial by Fire: Security @ DEF CON 21

If you do have to bring your RFID or NFC items (passports, credit cards, badges or IDs), wrap them in tin foil or put them in a copper-lined envelope to block hackers.

It’s like a DIY Faraday cage.

(Or check out DIFRwear.com)

TIN FOIL IS BACK

Image via badattitudes.com

Page 14: Trial by Fire: Security @ DEF CON 21

BUT MOST OF ALL

HAVE FUN

BE SMART

LEARN SOMETHING