Staying Secure at Black Hat USA
Last updated: July 19, 2017
We asked our Director of Information Security, Josh Roark, and our Chief Architect, Kurt Wescoe, for some cybersecurity tips that our team and others can use at the forthcoming Black Hat USA conference (and beyond). If you are preparing to head to Las Vegas next week for Black Hat and/or DEFCON — which at this time of year is sometimes referred to as "Hacker Summer Camp" — here are a few things to keep in mind:
Connecting to the Internet
Most everyone will still have work they need to do while attending Black Hat, but the safest approach is NOT to use any WiFi or wired networks when in Vegas. Our security experts advise attendees to consider all networks to be hostile. Use these tips to connect more securely while on the road in Vegas and elsewhere:
- Turn off WiFi and use your mobile network for checking email and any internet usage that's required. Do not use the free travel kiosks at any of the hotel properties or on the Las Vegas Strip, as these are often prime targets for hackers.
- Tethering to your phone is a viable option if you need to work from your hotel room, but make sure to use a VPN.
- When tethering, use a very strong and very lengthy password for your tethered connection. And test your tethering configuration before you leave; tethering via a cable often requires different software, and if you wait until you are in Vegas, you will be left with just the unsecured WiFi to set it up on, which defeats the whole purpose.
It should go without saying, but you should not conduct any sensitive transactions over non-encrypted communications or websites. Josh Roark cautions, "DEFCON has a 'Wall of Sheep' that continuously scrolls the logins, passwords, and websites of attendees using insecure WiFi at the conference. Black Hat doesn't have the 'Wall' but, you get the point. You don't want to be one of the sheep."
Protecting Your Devices
- Ensure that your smartphone and laptop have the latest OS, security patches, and app updates before traveling.
- Never leave your electronics unattended and unsecured, not even in your hotel room.
- Close any open apps on your phone that you typically leave running in the background.
- It's also recommended to turn off Bluetooth. For iPhone users, make sure you turn off AirDrop or set it to "Contacts Only" if leaving Bluetooth enabled.
- DO NOT accept/install any app, OS, or carrier updates pushed to your devices while in Vegas.
- Avoid the self-service charging stations for your smartphones and tablets, and always use your own charger and cable. It's a great idea to bring along a portable battery pack that can give your phone the extra charge it needs if you end up in a bind.
- Bring plenty of cash; do not use ATMs at the hotel properties or on the Strip. As Josh Roark noted, "ATM skimming is a real threat and fake ATMs have been rumored to show up in the past."
- Do not bring or use a personal bank card. If you don't want to travel with a lot of cash, consider limiting yourself to using a single credit card while you are there. That way, even if something does happen, it's contained to one account.
- If you have RFID-enabled passports, IDs, room cards, etc., place them within an RFID-blocking wallet or sleeve. (Don't have one? Stop by booth #1660 to get one from us!)
- Avoid using smartphone-based payment apps like Apple Pay and Android Pay. Kurt Wescoe advises, "If a terminal is compromised, it could affect your device."
Being Aware of Your Surroundings
It's important to be aware of the activities around you at shows like Black Hat and DEFCON, particularly since some attendees will be trying out their social engineering skills in addition to their hacking skills. As Josh Roark told us, "You'll notice some conference attendees with backpacks and antennas sticking out, blinking cool lights, etc. Those guys and gals are usually the ones walking around and sniffing out insecure comms and RFID."
One final, relatively simple addition to your security arsenal is a privacy screen for your laptop. This will come in handy every time you travel or find yourself working in a more public place, as it will protect your screen from the prying eyes of those who try to shoulder surf.