TRIAL BY FIRE:
SECURITY @ DEF CON 21
REED LODEN, INFORMATION SECURITY, LOOKOUT
It’s the world’s largest hacker conference
DEF CON IS AWESOME
Images via defcon.org and @mikko
But it’s easy to get burned
People will try to hack you
It’s a hacker conference after all...
DEF CON TOP 5 TIPS
• Be paranoid. Expect to be a target of social engineering.
• Leave devices at home or in the hotel safe if you don’t need them.
• Limit your texts and calls, and assume they’re being monitored.
• Don’t connect to WiFi, Bluetooth, NFC, etc.
• Remember hacking is not limited to computers and phones.
Things in your wallet or purse (like credit cards, passports, IDs,
access badges) might have NFC or RFID.
CAN PREVENT HACKERS
Image via www.smokeybear.com
Your computer can’t get
hacked if you don’t take it!
What could happen if the stuﬀ on
your computer got leaked?
• Conﬁdential documents or info
• Source code
• Privileged access
• Other intellectual property
LEAVE YOUR COMPUTER
Image via www.razorreef.com
• Keep mobile devices turned oﬀ unless needed
• Don’t install or update any software
• Keep it locked with a passphrase
• Turn oﬀ WiFi, Bluetooth, NFC, etc.
• Maintain physical possession of your bags and devices—
don’t set them down!
• Log out of work email, personal email, social networks so
they won't auto-connect
USE YOUR PHONE OR TABLET (SAFELY)
• Limit calls and SMSes. Expect all messages and calls to be
monitored or recorded, so don't say anything
• Clear your list of saved WiFi networks and SSIDs to avoid
wireless access point spooﬁng.
• If possible, back up your phone, wipe it and restore it later
• Watch out for weird behavior that might indicate someone
is trying to intercept your calls, like:
• Looks like you have full signal strength, but you can’t
make a call
• Your signal keeps getting downgraded to 2G, EDGE or
PHONE AND TABLET USE, CONT.
mobile security app
before DEF CON!
Remember, your smartphone or
tablet is just as critical as your
computer, and probably has lots of
sensitive personal and company
data on it.
WAIT, YOU DO HAVE A SECURITY APP, RIGHT?
DON’T CONNECT TO NETWORKS
DEF CON networks are extremely hostile. Don’t connect to ANY of
• Avoid all networks at the Rio (where the con is hosted), all WiFi
networks, all public networks... you get the idea.
• VPN from hotel networks. (Unless you’re at the Rio... in which
case don’t connect!)
• Don’t log into your company’s services, like email, wikis, internal
ENJOY PUBLIC SHAMING? US NEITHER
Intercepted account info will be posted to the infamous WALL OF SHEEP.
So think twice before logging in to check Twitter (or trying to update your
MySpace like this example).
• Watch for social engineering
• Don’t scan QR codes
• Don’t use ATMs at the Rio; bring cash with you to Vegas
• Beware of giveaways— CDs, USB sticks, anything electronic
• Don’t use public charging stations. It might be juice jacking.
• Don’t use dongles that aren’t yours, like adapters or converters
for DVI, VGA, Thunderbolt
If you do have to bring your RFID
or NFC items (passports, credit
cards, badges or IDs), wrap them
in tin foil or put them in a copper-
lined envelope to block hackers.
It’s like a DIY Faraday cage.
(Or check out DIFRwear.com)
TIN FOIL IS BACK
Image via badattitudes.com
BUT MOST OF ALL
SEE YOU AT DEF CON
Come to Lookout’s talk, DragonLady: An Investigation of SMS Fraud
Operations in Russia, with @ryanwsmith13 and @timstrazz
Download mobile security before DEF CON
STAY IN TOUCH BEFORE, DURING, AND
AFTER DEF CON
See our full DEF CON security prep checklist