Dagan Henderson

7 Followers
16 Following
11 Posts

Tomorrow I head to DEF CON 31, and that means it's time to go through my pre-conference checklist. There are a lot of DEF CON survival guides out there, but to be honest, it's not as scary as it's made out to be. To quote my co-presenter from the conference last year, "Nobody is burning an iOS zero-day at DEF CON just for the lulz."

So if you’re not quite ready to buy a burner phone, alter your appearance, and change your name, here is my practical guide to DEF CON OPSEC:

1.  Only take what you need. If you don’t need to take your company-owned device, don’t. I’m not saying you need to be paranoid about it, but as a general rule, minimizing your attack surface is a good thing.

2.  Update all of your devices. It's not uncommon for vendors to release updates just before a security conference where responsibly disclosed vulnerabilities are being presented. Make sure your phone, tablet, watch, and laptop are fully updated. This is true whether or not you're attending DEF CON.

3.  Review your devices’ list of known wireless networks. You’ll probably be shocked at the number of unsecured hotel, airport, and airline WiFi networks your device is configured to automatically connect to (e.g., @Hyatt_WiFi, __LAX Free WiFi, and DeltaWiFi). A curious hacker (ahem, researcher) need only set up a hotspot with one of those SSIDs and your device will quite happily connect. Be careful.

4.  Review app permissions and configurations. Be damn sure none of your applications are using insecure protocols to send sensitive information. The annual Wall of Sheep is littered with those using SMTP and HTTP to send credentials. Also, look through the apps on your mobile devices that have access to local networks, Bluetooth, and Bluetooth LE (Nearby Interactions on iOS). Does the list look right? Is there anything you can remove or disable? And for goodness sake, disable AirDrop and Nearby Share. If you enable them to share photos, restrict them to known contacts, then disable them again.

5.  Use an RFID-blocking wallet. There's some nifty and affordable hardware available these days to quickly skim RFID cards (hotel room keys, credit cards, etc.). The devices certainly aren't limited to DEF CON, but I'd certainly argue your odds of being in proximity to one are far greater at DEF CON than not. My daily wallet is RFID blocking, and I recommend everyone use one.
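Item 3 above is easy to automate on a Linux laptop. The following is an added example, not part of the original post: it pulls every saved Wi-Fi profile out of NetworkManager via `nmcli`, and flags the ones that are both open (no key management) and set to auto-connect, which is exactly the combination a spoofed hotel or airport SSID exploits. The `nmcli` collector assumes Linux with NetworkManager; the sample listing and key-management table are constructed so the audit logic runs offline.

```python
"""Audit saved Wi-Fi profiles for the risky combination of open + auto-connect.
Pure logic runs anywhere; collect_nmcli_profiles() assumes NetworkManager."""
import subprocess

# Constructed sample of `nmcli -t -f NAME,TYPE,AUTOCONNECT connection show`;
# terse mode escapes ':' inside values as '\:'.
SAMPLE_LISTING = """\
@Hyatt_WiFi:802-11-wireless:yes
Home\\:5G:802-11-wireless:yes
DeltaWiFi:802-11-wireless:no
Wired connection 1:802-3-ethernet:yes
"""
# Constructed per-profile key management as nmcli reports it ("" means open).
SAMPLE_KEY_MGMT = {"@Hyatt_WiFi": "", "Home:5G": "wpa-psk", "DeltaWiFi": ""}

def parse_connection_list(text):
    """Return (name, autoconnect) for each Wi-Fi profile in a terse listing."""
    wifi = []
    for line in filter(None, text.splitlines()):
        name, ctype, auto = [f.replace("\0", ":")
                             for f in line.replace("\\:", "\0").split(":")][:3]
        if ctype == "802-11-wireless":
            wifi.append((name, auto == "yes"))
    return wifi

def flag_risky_profiles(profiles):
    """Names of profiles that are open (no key-mgmt) and set to auto-connect."""
    return sorted(p["name"] for p in profiles
                  if p["autoconnect"] and not p["key_mgmt"])

def audit_sample():
    """Build profile records from the constructed sample (no nmcli needed)."""
    return [{"name": n, "autoconnect": a, "key_mgmt": SAMPLE_KEY_MGMT[n]}
            for n, a in parse_connection_list(SAMPLE_LISTING)]

def collect_nmcli_profiles():
    """Query NetworkManager for every saved Wi-Fi profile and its key-mgmt.
    Raises FileNotFoundError when nmcli is not installed."""
    def run(*args):
        return subprocess.run(["nmcli", "-t", *args], check=True,
                              capture_output=True, text=True).stdout
    profiles = []
    listing = run("-f", "NAME,TYPE,AUTOCONNECT", "connection", "show")
    for name, auto in parse_connection_list(listing):
        detail = run("-f", "802-11-wireless-security.key-mgmt",
                     "connection", "show", name)
        profiles.append({"name": name, "autoconnect": auto,
                         "key_mgmt": detail.strip().partition(":")[2]})
    return profiles
```

Run `flag_risky_profiles(collect_nmcli_profiles())` on the laptop itself; anything it returns is a profile worth deleting or at least switching to manual connect before you travel.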

If your company is not officially sanctioning your DEF CON adventure, you may also want to think twice about wearing company t-shirts or displaying company stickers and swag. DEF CON’s photo policy strictly prohibits taking photos without consent, but let’s be honest—it happens.

As a parting note, I’ll point out that this list is something you should consider all of the time. It’s just good general OPSEC.

Unless your dev environment is fully sandboxed (it isn't) *and* not accessible from untrusted networks (e.g., the Internet), you *must* enforce the same security controls there that you do in production. Labeling it "dev" is meaningless as a security control.

How many balloons do we have to shoot down to win the big stuffed bear?

I know I should be posting here. Something. Anything. But I'm putting effort into my personal website at the moment.