Successfully reported this slideshow.

Lookout's DEF CON Preparedness Guide and Checklist


Published on

DEF CON is the world's largest hacker conference, and it's easy to get PWND. Reed Loden leads Information Security at Lookout, and this is his guide to keep all your personal and company information safe at DEF CON.

Published in: Technology
  • Be the first to comment

Lookout's DEF CON Preparedness Guide and Checklist

  1. 1. PREPARING FOR DEF CON Security Guide and Checklist to Not Get PWND Reed Loden, Information Security
  2. 2. SECURITY GUIDE DEF CON is home to the most hostile network in the world. As such, precautions need to be taken to ensure that both your and your company’s data and equipment are kept safe. Taking some time now to prepare for Vegas will make your days much happier. Laptops ⋅ If at all possible, don't bring your laptop at all. ⋅ If you absolutely need to bring it, do not bring it to the Rio at all (leave it at your hotel). Keep it completely turned off (not just sleeping) and locked up (in the room safe). ⋅ If you do want a laptop at the Rio, bring a burner laptop (nothing company-specific on it). ⋅ For all Internet traffic, use full-tunnel (“redirect gateway”) back to your company’s VPN. Phones ⋅ Minimize phone call usage and prefer short SMS messaging or some other data-based messaging. ⋅ Watch out for weird behavior from your phone (e.g., full signal strength, yet can't make a call; consistently downgraded to 2G / EDGE / GPRS). If your phone starts acting weird, stop using it and power it completely off. Weirdness means it is possible somebody is actively trying to intercept calls. ⋅ If possible, back up your phone, wipe it completely for the con, and restore when back home. Wallets / Bags ⋅ Leave any badges, NFC/RFID cards, and passports at home. If you need to bring something with you, store it in a copper-lined envelope or wrap in tinfoil (srsly). ⋅ Leave any non-essential USB / portable drives at home. General Tips ⋅ Be at least a little bit paranoid. Healthy dose of suspicion will go far. Social engineering tactics will be in full swing by some attendees. ⋅ Do not use any data connection other than your phone's non-WiFi capabilities. ⋅ Do not scan QR codes. ⋅ Do not use any kind of CDs, floppies, USB drives, or other device you may acquire that connects to your phone or computer. ⋅ Do not use any unknown dongles. Bring any VGA/Thunderbolt adapters/converters you may need. ⋅ Do not use any type of public / free charging station. Bring your charger with you if needed. ⋅ Do not disclose any private / confidential company information, even something minor. ⋅ Do not install or update any software on your devices.
  3. 3. General Tips, Cont. ⋅ Expect any phone calls / text messages sent within 500-1000 feet of the Rio to be monitored or recorded, so do not say or send anything confidential ⋅ Be careful around ATMs anywhere at or near the Rio. If you need to use one, use the ones on the casino floor or those at your hotel. ⋅ Store any equipment you are not actively using in your hotel room safe. Burglaries can and do occur. ⋅ This is Vegas, so watch out for prostitutes, muggings, and druggings. Do not accept handouts. A few simple things to do as your plane lands in Vegas... ⋅ Disable WiFi, Bluetooth, NFC, etc. on all phones and tablets. ⋅ Clear lists of saved WiFi networks and SSIDs. ⋅ Disable USB debugging or side-loading on your phone. ⋅ Disable data on phone if you only want to use it for calls or texting.
  4. 4. DEF CON SECURITY CHECKLIST Phones / Tablets o Ensure strong passcode set o Enable auto-lock (<= 5 minutes of inactivity) o iPhone/iPad: Disable "Simple passcode" (Settings > General > Passcode Lock) o iPhone: Disable voice dial (Settings > General > Passcode Lock) o iPhone/iPad: Enable erase data (Settings > General > Passcode Lock) o iPhone/iPad: Disable SMS preview (Settings > Notifications > Messages) o iPhone/iPad: Set up Find My Phone o iPhone/iPad: Enable Safari security settings & clear databases (Settings > Safari) o iPhone/iPad: Clear location settings database (toggle) (Settings > Location Services) o iPad: Disable smart cover unlock o Android: Disable debugging (Settings > Applications > Development > USB Debugging) o Android: Turn off side loading (Settings > Security > Unknown sources) o Android: Set screen lock to pattern or password (Settings > Lock screen) o Android: Disable NFC, S Beam, & related (Settings > More... > NFC) o Android: Enable encryption (Settings > Security > Encryption) o Android: Disable sending location data to Google (Settings > Location services) o Disable Bluetooth o Remove any saved WiFi networks/SSIDs o Ensure e-mail settings set to use SSL (and accept all SSL certs is unchecked) Phones / Tablets Checklist, Cont. o Ensure Lookout Mobile Security app is installed o Ensure phone OS up to date o Take backup o Set temporary passwords (both on corporate and personal accounts) Laptops o Remove any saved WiFi networks/SSIDs o Remove any company source code / confidential documents / intellectual property o Disable Bluetooth o Disable auto-login (Mac: System Preferences > Users & Groups > Login Options) o Ensure encryption active (Mac: FileVault) o Ensure firewall active (also, enable stealth mode on Mac / ICMP-Echo on Linux) o Ensure OS up-to-date (Microsoft Update or Apple Software Update) o Ensure browsers up-to-date (Firefox, Chrome, Safari, IE) o Ensure e-mail settings set to use SSL (and accept all SSL certs is unchecked) o Mac: Disable location services and sharing of data with Apple o Disable sharing
  5. 5. o Update antivirus (and ensure some form of antivirus is installed) o Update Java o Update Flash o Update other Adobe products o Update Office o Disable guest user o Set screensaver (<= 5 minutes of inactivity) – use hot corners to lock! o Require password to unlock screensaver o Set up VPN (full tunnel) o Take backup