Security at Conferences28 May 2018
It’s only paranoia if they aren’t out to get you!
Anyone involved in fintech—from hodlers to developers and from new founders to seasoned executives—should already be on his or her toes. The space is rife with security compromises. Attacks come in all shapes and forms across multiple domains.
Trash is being searched and homes have been broken into. Spear-phishing attacks are launched every day and phone numbers are being ported away with frightening regularity.
This may sound paranoid, but these are actual thing that have happened to people in this industry. Of course, that doesn’t mean they will happen to you, but it’s important to keep one thing in mind: if you aren’t a target, it’s because you aren’t a target yet; give it a minute…
What does all this have to do with conferences? Everything…
So many fish.
Conferences, by their nature, attract a lot of people who share a common interest. And if you’re looking for people who share that interest, then what better opportunity to find a whole bunch of them congregating?
If you are looking to compromise people in the blockchain space, is there a better place than Consensus? This year, over 8,500 people attended.
If you are looking to compromise people in the security industry, is there a better place than blackhat? Last year, over 15,000 people attended.
Conferences are also where people often are at their most vulnerable from a security standpoint. Despite being in an unfamiliar and challenging environment, they often let their guard down. They connect their laptops to unknown Wi-Fi access points to print an important document on the hotel’s business center printers. They plug their phones in any available USB port just to get a little extra juice for another five minutes of tweeting.
It’s as if all common sense goes out the door. And just when you need common sense the most.
Nowhere is that more clear than at DEFCON which features the infamous Wall of Sheep. At a conference where attendees really ought to know better, not even a minute goes by without a password, username or other sensitive information getting transmitted unencrypted over an open Wi-Fi network.
Security on a day-to-day basis.
Security is something you live and breathe. That doesn’t mean that security considerations will permeate every aspect of your computing experience. But it does mean that security considerations will at least factor in and inform several of your decisions.
There’s a set of baseline practices that everyone ought to be following. Nothing too controversial or extreme. Common sense stuff really:
Encrypt all the things!
In the past, encryption, when available, was not only cumbersome to set up but using it meant taking a major performance hit. So, most people avoided using it.
That is no longer the case. Modern operating systems have integrated encryption capabilities and modern CPUs have support for accelerating encryption operations. It’s 2018 and there’s no need to not encrypt all your devices.
Use a password manager!
Face it. You are horrible at choosing random passwords. You are even worse at remembering random passwords. If you don’t already have a password manager, get one. Then just pick a single strong password and use that as your master password. Let the tool do the rest for you.
Let’s be very clear: that one password should be a damn good one. Don’t just pick random characters or randomly substitute letters for numbers or symbols. Pick, instead, a good passphrase that will be easy to remember. Check out this xkcd comic for one technique to do so.
Practice safe hex!
Did you know that often time, hackers begin their assault by dropping a couple of USB sticks in a company parking lot and waiting for someone to take the bait? It usually doesn’t take long. A laptop can be fully compromised in no time at all using a device called a Rubber Ducky.
Don’t connect unknown or suspicious devices to your phone or computer. That means things like USB sticks, SD cards and more. It also means not using the many random phone charging kiosks that keep popping up.
To be on the safe side, grab yourself a “charge-only” cable or adapter (colloquially known as a USB condom) and use that cable when travelling. Here’s one option but there’s plenty more out there.
Disable Wi-Fi and Bluetooth when you don’t use them!
Both of these technologies broadcast signals that include an identifier unique to your device, accessible to anyone who’s listening. And if you think nobody is, think again: garbage cans are tracking your every move and companies are collecting information about who passes by storefronts to better target their advertising.
Newer versions of iOS and Android try to mitigate the damage by obfuscating that unique identifier, but why not just turn those services off? If nothing else, you’ll save some battery. Keep in mind that iOS often lies to you about whether Wi-Fi and Bluetooth are off.
Use common sense!
Common sense is, apparently, not very common at all.
- Use two-factor authentication whenever you can (see https://twofactorauth.org/ for a list of sites) but avoid using your phone number as a second factor.
- Don’t log into sensitive websites, like your bank, broker or cryptocurrency exchange, your health insurance, or that site where you post about that thing that you don’t want the world to know about.
- Use secure messaging services like Signal whenever possible. If your friends don’t use it, do them a favor and ask them to.
More generally, think things through.
That one offer that’s too good to be true? It probably is too good to be true.
That email from your long-lost relative asking you to wire money because he’s in trouble overseas? It’s probably a scam.
That phone call from “your bank” with an “important message” that you can only get if you “verify” your credit card number, card security code, expiration date, PIN and social security number? That’s probably a phishing attempt.
Mind your surroundings and keep an eye on your stuff.
Your stuff won’t stay yours long if you don’t keep an eye on it. It’s trivial for someone to swipe a device in the blink of an eye. Don’t believe me? Check this out!
Be aware of your surroundings and never leave your devices exposed, not even when they’re safely in your pocket: at Consensus in New York, while walking outside the hotel, I felt my phone shift position in my pocket and I instinctively reached down, only to find someone else’s hand in there, trying to yank my phone out. I was lucky enough to catch the perp in the act, which led to her dropping the phone, shattering the glass in the process, and running away.
Now, stealing newer smartphones doesn’t pay, because they can be remotely wiped and “locked” so that they can’t be activated. But most other devices, including laptops don’t have that feature; whether that’s good or bad, is for you to decide. Besides, stealing isn’t always the goal. Plugging a Rubber Ducky into your laptop may be the goal.
Invest in a good backpack with anti-theft features. The MetroSafe series from PacSafe has some good features and is low-key, which is important.
OH AND PLEASE JUST SHUT THE HELL UP!
You got in on Bitcoin in the early days and now you’re set for life. That’s great, and I’m very excited for you. I hope you’re filing your taxes and that you’re shutting the hell up. Advertising to the world that you are the proud owner of millions of dollars’ worth of something that can be irreversibly transferred in a few minutes is probably not the smartest idea.
All this seems pretty reasonable, right? It is; this is advice that you should follow all the time. But what about at a conference? What then? Well, all of that still applies… Kinda.
The rules are the same… just different.
You just need to turn it up to 11.
Before I go on let me just say that security doesn’t exist in a vacuum. I’m pretty confident that all my above suggestions are applicable, regardless of your situation. Going above and beyond? You need to do a threat assessment first. Your threat model isn’t the same as mine, and what works for me may not work for you. The EFF has an excellent write up to get your started with threat modeling and performing a security self-assessment.
Take these suggestions with a grain of salt. Maybe they go too far. Or maybe they don’t go far enough. You need to understand your threat model and then evaluate.
Your wallet is the easiest thing to steal and you won’t even know it’s happened. Again, pickpockets are very skilled, and conferences are juicy targets.
I wish I could tell you to leave your wallet back home, but that’s not really practical. Instead, what I recommend is that you bring it along but give it a good clean first and only carry the bare minimum.
- Keep your wallet in an interior zippered pocket of your anti-theft bag or backpack, and keep the bag zipped closed. If you don’t mind the trouble, use a small padlock to lock the zipper ends together.
- Carry pre-paid debit cards. They can be had at most grocery stores and can be activated without having to divulge any personal information. Use that instead of your regular cards.
- Get an emergency credit card from an issuer other than your regular bank. Don’t configure it for automatic payments and never use it, unless it’s an emergency.
- Keep all cards in RFID shielding sleeves.
- Carry and use cash.
Try to minimize the amount of personally identifiable information in your wallet. The biggest offender here is probably your driver’s license. But how can you leave that behind?
There’s an option: use a passport card. The passport card is acceptable as a form of ID and doesn’t have your home address. Make sure to keep it in an RFID shielding sleeve.
This is simple: The fewer devices you have, the better off you’ll be. In fact, ideally you wouldn’t bring any electronics—not even a phone—with you. But that’s not always practical, is it?
Still, ask yourself whether you really need to bring your phone with you. The same phone that has a couple of years’ worth of private messages archived on it, along with some spicy photos and your browsing history, which is… shall we say eclectic?
Ask yourself whether you really need to bring your laptop with you. The same laptop that you use for online banking and logging into a cryptocurrency exchange which also has the latest copy of your employers highly sensitive financial, legal and engineering documents and your tax returns from the last ten years on it.
You should try to use a burner phone: So buy a cheap, prepaid burner phone. You don’t need anything fancy. The dumbest feature phone will do.
Use it at the conference but try to keep it off as much as possible. Reset the phone at the airport, before boarding. Then, from the comfort of home, visit cell phones for soldiers and send it in. A soldier will thank you.
If you need a computing device larger than a phone, please consider a tablet; if you absolutely need a laptop, that’s fine, but these days tablets are almost always sufficient. Regardless, the device should be sterile—that is, it must have no personal or other identifying information, and it should be running the latest available version of its operating system. And, of course, it should not be logged into any of your online accounts.
And prefer to keep your electronics with you at all times. After all you don’t want someone malicious getting his or her hands on your gear.
And who is more malicious that evil hotel maids? There’s an entire class of attacks named after them, after all! Evil maid attacks can have devastating consequences. The best way to avoid them is to never leave your electronics in your room.
The biggest problem with hotels (and, more generally with temporary lodging) is that your room is basically open to the world. The stark reality is that anyone can waltz into your room while you’re away and do anything they want. Assume that your room will be broken into and searched. Oh, and that hotel safe in the closet? It’s no good.
Luckily, there are some things that you can do to help protect yourself.
First, stock up on glitter nail polish. In addition to being a fashion accessory, it is also a security buff’s best friend. You can use it on the screw heads of your laptop to help add a layer of tamper-evidence.
Second, make sure that any devices you leave in your room are fully powered down. Not sleeping. Not hibernating. Off. All the way. This can help prevent some categories of attack that can recover encryption keys from memory.
If you want to go all out, purchase tamper-evident bags that are large enough to fit your electronics into; Put the bag in the hotel safe and then, liberally sprinkle some crumbled potato chips on top of it. Take a picture of your handiwork and tada! Anyone attempting to access your laptop will have to disturb the potato chips and putting them back in just the right spot is nigh impossible. You can get a bit of extra security by placing an Android phone running Haven on top of it (just remember, that phone should not contains anything sensitive, since it will have to be powered on).
If you’re on the road, securing your communications is a lot easier than it used to be. Sure, many websites these days are migrating over to HTTPS, which is great, but a lot of data is still unencrypted. And who knows who is monitoring the data being sent over whatever network you’re connected to.
If you have a phone that can act as a hotspot, you can help mitigate that risk by connecting to it instead of to some random hotspot. Be mindful that your carrier may charge you for tethering.
Regardless of how you connect, be sure to batten down the hatches before you connect. Make sure that your computer’s firewall is enabled and configured as tightly as possible.
A good next step would be to sign up for a VPN. There are a lot of providers out there and I hesitate to recommend one, but I know that Private Internet Access allows you to purchase a subscription using cryptocurrency or store giftcards which is pretty cool. And their prices seem reasonable.
A VPN gets you two things:
- It hides your traffic from the prying eyes of whomever is running the network you’re connected to. Of course, it doesn’t hide anything from the people who operate the VPN, so keep using encryption.
- It can help obfuscate your location. IP-based geolocation can be very precise and leak information about your location to the Internet.
If you want something more, then consider using Tor which can significantly improve your privacy. Using the Tor Browser, which includes additional safeguards, when on the road is a great idea. Keep in mind that the network can still be a bit slow so don’t expect to be video-chatting or downloading large files. Also some administrators do (foolishly) attempt to block access to the Tor network.
This is a topic I could write an entire blog post about, and there’s no “one size fits all” solution to the privacy issue.
Conferences are a great way to network and meet new people. They’re also a great way to reveal a lot about yourself. To the conference organizer, anyone that buys the list of attendees from the organizer and even to anyone attending: Your name is on your badge. And you will probably hand out business cards containing, at a minimum, e-mail addresses and phone numbers to anyone that asks.
Privacy and conferences, in a way, don’t quite go hand-in-hand. But if you want to fly a little under the radar, avoid wearing branded gear and consider flipping your badge. If you’re asked for a business card, claim that you’re fresh out of them and gladly accept the other person’s. Now, I realize that many may think that this last bit is overkill. It may be. But it’s something to keep in mind.
Conferences are stressful and tiring but they can be fun too. Plan ahead and take security precautions when you’re there, but use the opportunity to meet new people, catch up with old acquaintances, learn new things and have some fun. Oh, be sure to keep an eye on your stuff!