Security at Conferences

With Consensus 2018 in the rear-view mirror, and DEFCON and blackhat fast approaching, I figured it would be a good time to talk a little about security.

It’s only paranoia if they aren’t out to get you!

Anyone involved in fintech—from hodlers to developers and from new founders to seasoned executives—should already be on his or her toes. The space is rife with security compromises. Attacks come in all shapes and forms across multiple domains.

Trash is being searched and homes have been broken into. Spear-phishing attacks are launched every day and phone numbers are being ported away with frightening regularity.

This may sound paranoid, but these are actual things that have happened to people in this industry. Of course, that doesn’t mean they will happen to you, but it’s important to keep one thing in mind: if you aren’t a target, it’s because you aren’t a target yet; give it a minute…

What does all this have to do with conferences? Everything…

So many fish.

Conferences, by their nature, attract a lot of people who share a common interest. And if you’re looking for people who share that interest, then what better opportunity to find a whole bunch of them congregating?

If you are looking to compromise people in the blockchain space, is there a better place than Consensus? This year, over 8,500 people attended.

If you are looking to compromise people in the security industry, is there a better place than blackhat? Last year, over 15,000 people attended.

Conferences are also where people often are at their most vulnerable from a security standpoint. Despite being in an unfamiliar and challenging environment, they often let their guard down. They connect their laptops to unknown Wi-Fi access points to print an important document on the hotel’s business center printers. They plug their phones into any available USB port just to get a little extra juice for another five minutes of tweeting.

It’s as if all common sense goes out the door. And just when you need common sense the most.

Nowhere is that clearer than at DEFCON, which features the infamous Wall of Sheep. At a conference where attendees really ought to know better, not even a minute goes by without a password, username or other sensitive information getting transmitted unencrypted over an open Wi-Fi network.

Security on a day-to-day basis.

Security is something you live and breathe. That doesn’t mean that security considerations will permeate every aspect of your computing experience. But it does mean that security considerations will at least factor in and inform several of your decisions.

There’s a set of baseline practices that everyone ought to be following. Nothing too controversial or extreme. Common sense stuff really:

All this seems pretty reasonable, right? It is; this is advice that you should follow all the time. But what about at a conference? What then? Well, all of that still applies… Kinda.

The rules are the same… just different.

You just need to turn it up to 11.

Before I go on let me just say that security doesn’t exist in a vacuum. I’m pretty confident that all my above suggestions are applicable, regardless of your situation. Going above and beyond? You need to do a threat assessment first. Your threat model isn’t the same as mine, and what works for me may not work for you. The EFF has an excellent write-up to get you started with threat modeling and performing a security self-assessment.

Take these suggestions with a grain of salt. Maybe they go too far. Or maybe they don’t go far enough. You need to understand your threat model and then evaluate.

Wallet

Your wallet is the easiest thing to steal and you won’t even know it’s happened. Again, pickpockets are very skilled, and conferences are juicy targets.

I wish I could tell you to leave your wallet back home, but that’s not really practical. Instead, what I recommend is that you bring it along but give it a good clean first and only carry the bare minimum.

Try to minimize the amount of personally identifiable information in your wallet. The biggest offender here is probably your driver’s license. But how can you leave that behind?

There’s an option: use a passport card. The passport card is acceptable as a form of ID and doesn’t have your home address. Make sure to keep it in an RFID shielding sleeve.

Electronics

This is simple: The fewer devices you have, the better off you’ll be. In fact, ideally you wouldn’t bring any electronics—not even a phone—with you. But that’s not always practical, is it?

Still, ask yourself whether you really need to bring your phone with you. The same phone that has a couple of years’ worth of private messages archived on it, along with some spicy photos and your browsing history, which is… shall we say eclectic?

Ask yourself whether you really need to bring your laptop with you. The same laptop that you use for online banking and logging into a cryptocurrency exchange, which also has the latest copy of your employer’s highly sensitive financial, legal and engineering documents and your tax returns from the last ten years on it.

Instead, try to use a burner phone: buy a cheap, prepaid one. You don’t need anything fancy; the dumbest feature phone will do.

Use it at the conference but try to keep it off as much as possible. Reset the phone at the airport, before boarding. Then, from the comfort of home, visit Cell Phones for Soldiers and send it in. A soldier will thank you.

If you need a computing device larger than a phone, please consider a tablet; if you absolutely need a laptop, that’s fine, but these days tablets are almost always sufficient. Regardless, the device should be sterile—that is, it must have no personal or other identifying information, and it should be running the latest available version of its operating system. And, of course, it should not be logged into any of your online accounts.

And prefer to keep your electronics with you at all times. After all you don’t want someone malicious getting his or her hands on your gear.

Hotel living

And who is more malicious than evil hotel maids? There’s an entire class of attacks named after them, after all! Evil maid attacks can have devastating consequences. The best way to avoid them is to never leave your electronics in your room.

The biggest problem with hotels (and, more generally with temporary lodging) is that your room is basically open to the world. The stark reality is that anyone can waltz into your room while you’re away and do anything they want. Assume that your room will be broken into and searched. Oh, and that hotel safe in the closet? It’s no good.

Luckily, there are some things that you can do to help protect yourself.

First, stock up on glitter nail polish. In addition to being a fashion accessory, it is also a security buff’s best friend. You can use it on the screw heads of your laptop to help add a layer of tamper-evidence.

Second, make sure that any devices you leave in your room are fully powered down. Not sleeping. Not hibernating. Off. All the way. This can help prevent some categories of attack that can recover encryption keys from memory.

If you want to go all out, purchase tamper-evident bags that are large enough to fit your electronics into; put the bag in the hotel safe and then liberally sprinkle some crumbled potato chips on top of it. Take a picture of your handiwork and ta-da! Anyone attempting to access your laptop will have to disturb the potato chips, and putting them back in just the right spot is nigh impossible. You can get a bit of extra security by placing an Android phone running Haven on top of it (just remember, that phone should not contain anything sensitive, since it will have to be powered on).

Communicating

If you’re on the road, securing your communications is a lot easier than it used to be. Sure, many websites these days are migrating over to HTTPS, which is great, but a lot of data is still unencrypted. And who knows who is monitoring the data being sent over whatever network you’re connected to.

If you have a phone that can act as a hotspot, you can help mitigate that risk by connecting to it instead of to some random hotspot. Be mindful that your carrier may charge you for tethering.

Regardless of how you connect, be sure to batten down the hatches before you connect. Make sure that your computer’s firewall is enabled and configured as tightly as possible.
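As an added example of what “configured as tightly as possible” looks like in practice, the following script is not from the original post. It assumes a Linux laptop whose firewall is nftables (the post names no OS or tool); it renders a default-deny inbound ruleset suitable for a client machine on hostile conference Wi-Fi, and a check function refuses to load the ruleset if anyone has opened an inbound port in it.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes Linux with nftables
# (`nft`); the laptop is a client, so nothing inbound needs to be reachable.
set -eu

# Print a default-deny ruleset: inbound traffic is dropped unless it is on
# loopback or is a reply to a connection the laptop itself started.
render_travel_ruleset() {
    cat <<'EOF'
flush ruleset

table inet travel {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        # Nothing else is allowed in: no ssh, no mDNS, no printer discovery.
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
EOF
}

# Return 0 only if the ruleset text is default-deny inbound, does not
# forward traffic, and opens no inbound TCP/UDP port; return 1 otherwise.
check_travel_ruleset() {
    ruleset="$1"
    printf '%s\n' "$ruleset" | grep -q 'hook input .*policy drop' || return 1
    printf '%s\n' "$ruleset" | grep -q 'hook forward .*policy drop' || return 1
    # Any explicit inbound port accept is a hole in a travel configuration.
    if printf '%s\n' "$ruleset" | grep -Eq '(tcp|udp) dport .*accept'; then
        return 1
    fi
    return 0
}

# Load the ruleset, but only after the check passes (needs root and nft).
apply_travel_ruleset() {
    rules="$(render_travel_ruleset)"
    check_travel_ruleset "$rules" || {
        echo "refusing to load a ruleset that accepts inbound ports" >&2
        return 1
    }
    printf '%s\n' "$rules" | nft -f -
}
```

Run `apply_travel_ruleset` as root before joining the venue network; the check is deliberately strict, so if you later add an `accept` for a port, the script will refuse to load it until you consciously relax the check.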

A good next step would be to sign up for a VPN. There are a lot of providers out there and I hesitate to recommend one, but I know that Private Internet Access allows you to purchase a subscription using cryptocurrency or store gift cards, which is pretty cool. And their prices seem reasonable.

A VPN gets you two things:

  1. It hides your traffic from the prying eyes of whoever is running the network you’re connected to. Of course, it doesn’t hide anything from the people who operate the VPN, so keep using encryption.
  2. It can help obfuscate your location. IP-based geolocation can be very precise and leak information about your location to the Internet.

If you want something more, then consider using Tor, which can significantly improve your privacy. Using the Tor Browser, which includes additional safeguards, when on the road is a great idea. Keep in mind that the network can still be a bit slow, so don’t expect to be video-chatting or downloading large files. Also, some administrators do (foolishly) attempt to block access to the Tor network.

Privacy

This is a topic I could write an entire blog post about, and there’s no “one size fits all” solution to the privacy issue.

Conferences are a great way to network and meet new people. They’re also a great way to reveal a lot about yourself: to the conference organizer, to anyone that buys the list of attendees from the organizer, and even to anyone attending. Your name is on your badge. And you will probably hand out business cards containing, at a minimum, e-mail addresses and phone numbers to anyone that asks.

Privacy and conferences, in a way, don’t quite go hand-in-hand. But if you want to fly a little under the radar, avoid wearing branded gear and consider flipping your badge. If you’re asked for a business card, claim that you’re fresh out of them and gladly accept the other person’s. Now, I realize that many may think that this last bit is overkill. It may be. But it’s something to keep in mind.

Have fun

Conferences are stressful and tiring but they can be fun too. Plan ahead and take security precautions when you’re there, but use the opportunity to meet new people, catch up with old acquaintances, learn new things and have some fun. Oh, be sure to keep an eye on your stuff!