
How experts stay safe at the Black Hat security conference - shahryc
http://www.usatoday.com/story/tech/2015/08/03/black-hat-defcon-computer-security/31016809/
======
danpalmer
I was at a security consultancy that sent a lot of people (~30) to Defcon and
quite a few to BlackHat as well. I remember the pre-conference security
briefing.

No company laptops on the trip at all, regardless of hard drive encryption,
VPN (both of which were compulsory for off-site laptop use). Company phones
had to have a long unlock password, enforced centrally. No 2G - all been
hacked, no 4G, hacked, only 3G, but no client details over 3G. They
recommended a burner SIM, and to not use the company provided SIM at all.

~~~
BuildTheRobots
Don't suppose you have any more details on 4G being hacked? My understanding
is that the authentication phase is actually better/more secure than 3G.

~~~
TeMPOraL
I always thought that hacking 4G (and/or 3G) was done by jamming the signal
and thus forcing the phone to switch to older, already cracked protocol.

~~~
zobzu
yes, that's how it's done

~~~
tedunangst
So what makes 3G more resilient to downgrades than 4G?

~~~
jpollock
I understand that 4G devices don't always use the 4G network for voice, they
may either use 2 radios, or drop the 4G connection. The 4G network is used for
data, and a 2G network for voice/SMS.

Eventually they will all start sending voice over the data link, but it isn't
guaranteed.

~~~
BuildTheRobots
As far as I know, none of the UK macro operators support Voice Over LTE yet,
so yes, if you receive a phone call on 4G you get a paging message telling you
to fall back to 2/3G circuit switched and answer the damn thing.

I'm assuming this is why my stock S5 won't let me choose 4G only (calls become
impossible), whereas I can lock it to _just_ 3G.

I don't feel this fully addresses the original statement of "no 4G, hacked",
though. If the downgrade-to-2G attack is the worry then 3G & 4G should be
perfectly fine.

edit: grammar: supported->support.
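
The exchange above (jam the newer radio and the phone falls back; an LTE phone without VoLTE still takes calls on a circuit-switched cell; a "3G only" lock is possible but a "4G only" lock kills calls) can be pinned down with a small model. This is an added example, not code from the article or from anyone in the thread. The preference order, the policy sets and the CSFB simplification (a phone camped on LTE without VoLTE takes a call on the best circuit-switched cell it can still hear) are my assumptions, not any baseband's real behaviour. What it shows is that a "preferred RAT" policy is one jammer away from GSM, while a lock to a single RAT trades that for no service at all.

```python
"""Model of a handset's radio choice under a jamming-based downgrade attack.

Added example, not from the article or anyone in the thread. The preference
order, the policy sets and the CSFB simplification (a phone on LTE without
VoLTE takes a call on the best circuit-switched cell it can still hear) are
assumptions; no real baseband is this simple.
"""
from dataclasses import dataclass
from typing import Iterable, Optional

# Order a phone tries reachable technologies in, when its policy allows them (assumed).
PREFERENCE = ("LTE", "UMTS", "GSM")
CIRCUIT_SWITCHED = {"UMTS", "GSM"}   # the only RATs that carry a call without VoLTE


@dataclass(frozen=True)
class Outcome:
    camped: Optional[str]       # RAT the phone ends up on for data/idle (None = no service)
    voice_rat: Optional[str]    # RAT a call would travel over (None = calls impossible)
    downgraded_to_gsm: bool     # True if any service lands on GSM, the "already cracked" one


def select_rat(allowed: Iterable[str], jammed: Iterable[str], volte: bool = False) -> Outcome:
    """Best reachable RAT the policy permits, and where a call would go."""
    allowed, jammed = set(allowed), set(jammed)
    reachable = [r for r in PREFERENCE if r in allowed and r not in jammed]
    if not reachable:
        # A locked-down policy yields no service rather than a weaker protocol.
        return Outcome(None, None, False)
    camped = reachable[0]
    if camped == "LTE" and not volte:
        # CSFB: the call needs a circuit-switched cell that is also still reachable.
        cs = [r for r in reachable if r in CIRCUIT_SWITCHED]
        voice = cs[0] if cs else None
    else:
        voice = camped
    return Outcome(camped, voice, "GSM" in (camped, voice))


def demo():
    everything = set(PREFERENCE)
    # Default "LTE preferred" phone: jamming LTE and UMTS walks it straight onto GSM.
    print(select_rat(everything, {"LTE", "UMTS"}))
    # "3G only" lock (what the S5 allows): jam UMTS and it goes silent, not to GSM.
    print(select_rat({"UMTS"}, {"UMTS"}))
    # "4G only" without VoLTE: data works, but there is no cell to take a call on.
    print(select_rat({"LTE"}, set()))


if __name__ == "__main__":
    demo()
```

The interesting row is the unlocked phone with nothing jammed: it camps on LTE but, without VoLTE, a call already goes to a circuit-switched cell, so the attacker's jammer only has to remove the 3G layer to push voice onto GSM.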

------
pvdebbe
Nice read. I could envision a Hollywood movie on this premise: Denzel
Washington, our protagonist is the country's leading hacker / security expert,
invited to give a talk. Only that an unknown Russian will crack him handily,
stealing some government secrets. Then the movie would quickly deteriorate
into gas explosions and "hacking tools" written in VB.NET.

~~~
sago
Flip the plot and make it a heist movie.

Movie opens with Chinese cyber-ops lab, head honcho brings in McGuffin device,
plugs it in. Cut to scenes in US of machines being compromised, data leaking,
cars stopping, TV broadcasts being controlled.

Our protagonist is shown, recognising the attack and taking action: she
unplugs her computer and goes for a run past stranded trucks and cars.

Titles.

A few weeks later, media is still talking about the biggest attack on US
computers. CIA meeting discusses that the Chinese head of cyber-ops is known
to be attending Black Hat with the McGuffin (it never leaves him). CIA has a
team on trying to hack him, but two deepthroats in the room talk to each other
about their suspicion that one of the CIA team is a double-agent.

One Deep Throat, a high level agent from black-ops three letter agency
approaches our protagonist, an independent pentester, a hippy wunderkind
living in an RV in New Mexico. They ask her to take her team to Vegas, make
the hack and identify the CIA mole.

They plan the hack, involving lots of physical as well as digital subterfuge.
Then they go to Vegas, have scenes of being out of their element, then the
hack begins and they mostly raise their game. The CIA team detects them,
destroying their hopes of finding the mole, so they focus on the McGuffin.

At the last minute it turns out the Wunderkind's best friend on her team has
also been turned as a spy, and gives her identity to the CIA mole and Chinese
authorities. Wunderkind has to finish the hack alone, while being hunted down
by both agents.

She does so, even managing to tag her former friend so he can be picked up by
the authorities, as the Chinese leave him out to dry when they retreat. Movie
ends with Wunderkind receiving an offer from black-ops to work for shadow
3-letter agency full time. She returns to her RV and shreds the offer letter.

~~~
e12e
Black Hat 2?

[https://www.youtube.com/watch?v=Qn2g9qGbH_k](https://www.youtube.com/watch?v=Qn2g9qGbH_k)

[ed: As usual for Hollywood movies of late, the trailer is considerably better
than the actual movie]

~~~
sago
Thanks, I'd not seen that :)

I was following 'Hollywood Plotting Cliches', seems the screenwriters of that
movie have the same book.

I like my heist movies with fewer gunshots though, even the trailer left me
cold.

------
BuildTheRobots
"He counsels staff and clients to keep their credit cards in specially
shielded envelopes to or stack them one on top of the other so the signals are
jumbled up."

Slightly terrifying advice. A few years ago Kris Padgett (iirc) demonstrated
that nearly all RFID "blocking" wallets were useless. That and they employ
some immense collision detection - if you can throw a binbag full of chips past
a reader and still manage to scan them all, I find it impossible to believe 2
cards stacked does _anything_ to help.
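
The "binbag full of chips" behaviour comes from the anticollision loop that ISO 14443-3 Type A tags implement: the reader binary-searches the UID space one collided bit at a time, selects the card it finds, halts it, and repeats. The following is an added example, not code from the article or from anyone in this thread: a simulation of that loop which enumerates every UID in the field even when cards share long prefixes. Simplifications that are my assumptions: one UID cascade level (32-bit UID), MSB-first bit order, no CRC/BCC/SAK, and a selected-and-halted card simply stops answering. The sample UIDs are constructed.

```python
"""Simulation of the ISO 14443-3 Type A bit-wise anticollision loop.

Added example, not from the article or this thread. Assumed simplifications:
one UID cascade level (32-bit UID), MSB-first bit order, no CRC/BCC/SAK, and a
card that has been selected and halted stops answering, so it leaves the
active set.
"""
from typing import List, Set, Tuple

UID_BITS = 32


def bits_of(uid: int, n: int = UID_BITS) -> List[int]:
    """UID as a list of n bits, most significant first."""
    return [(uid >> (n - 1 - i)) & 1 for i in range(n)]


def int_of(bits: List[int]) -> int:
    value = 0
    for b in bits:
        value = (value << 1) | b
    return value


def anticollision(cards: List[int], uid_bits: int = UID_BITS) -> Tuple[List[int], int]:
    """Enumerate every UID in the field.

    Returns (UIDs in discovery order, number of SEL frames the reader sent).
    """
    active: Set[int] = set(cards)
    found: List[int] = []
    frames = 0
    while active:
        prefix: List[int] = []           # UID bits the reader has resolved so far
        while len(prefix) < uid_bits:
            frames += 1
            # Reader sends SEL + NVB + the known prefix. Every active card whose
            # UID starts with that prefix answers at once with its remaining bits.
            responders = [c for c in active if bits_of(c, uid_bits)[:len(prefix)] == prefix]
            answers = [bits_of(c, uid_bits)[len(prefix):] for c in responders]
            # Replies are Manchester coded, so where one card sends 0 and another
            # sends 1 the reader sees both half-bits modulated: a collision at
            # that position. Bits before it are identical across all responders.
            collision_at = next(
                (i for i in range(len(answers[0])) if len({a[i] for a in answers}) > 1),
                None,
            )
            if collision_at is None:
                prefix += answers[0]                      # single responder: UID complete
            else:
                # Keep the agreed bits, then take the '1' branch; at least one
                # responder has a 1 there, so the next query still gets an answer.
                prefix += answers[0][:collision_at] + [1]
        uid = int_of(prefix)
        found.append(uid)
        active.remove(uid)   # SELECT confirmed it; HLTA puts it to sleep for REQA
    return found, frames


if __name__ == "__main__":
    # Constructed sample: two cards that differ only in the last UID bit, i.e.
    # the "stacked cards" case, plus a wallet's worth with shared prefixes.
    print(anticollision([0xDEADBEEE, 0xDEADBEEF]))
    print(anticollision([0x04A1B2C3, 0x04A1B2C7, 0x12345678, 0x04000000]))
```

The stacked-cards case costs the reader one collision and one extra frame; both UIDs come back. Four cards with overlapping prefixes take eight frames in total, a few milliseconds on real hardware, which is why stacking cards is no defence: the protocol was designed so that simultaneous replies are resolved, not lost.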

~~~
e12e
Why not just buy pre-paid VISA cards [ed: and even if they do -- the damage
will be limited] ? AFAIK they don't have RFID? I'd be more worried about my
passport (if it had RFID).

~~~
fractallyte
As soon as my RFID passport arrived, it went into the microwave for a few
seconds. No smoke, no discoloration - just a slightly raised outline.

And _no more_ RFID.

~~~
e12e
But is it then, technically, still a valid passport?

~~~
fractallyte
Valid enough for human validation! (Although, I think it's technically illegal
to deface a passport. But, at the same time, it's not technically
'defaced'...)

Edit: As a frequent (if reluctant) traveler, I've yet to encounter a necessity
for RFID at passport control. (I simply avoid that particular queue.)

I've been stopped twice for not being obedient: once because I refused to step
into a mm-wave scanner (after the controller refused to send me back through
the metal detector after I removed my belt...), and another time for not
staring into the hypnotic blinkenlights that were swirling around the cameras
above everyone's heads in the queuing area.

~~~
graedus
Can you elaborate on the 'hypnotic' lights? I've never seen or heard of this.

~~~
ethbro
Were there four lights? Or five?

~~~
fractallyte
I really can't recall. I wasn't looking up!

------
benmmurphy
I think you are mostly safe at Defcon/Blackhat. I think you have to worry if
you are a target for nation state / criminals (suspected of selling
vulnerabilities at the con); then your room is probably going to get searched.

[https://twitter.com/thegrugq/status/367364810729472000](https://twitter.com/thegrugq/status/367364810729472000)

~~~
Udo
The victims seem to agree the search was sloppy because it was obvious, but I
would argue the main value of searching your locked safe and leaving behind a
mess is exactly in sending this signal, letting you know you're being watched.
Over the years, this paranoia will add up, and some people do break down
because of it.

~~~
ikeboy
If they were trying to intimidate they'd have taken his shoe.
[http://www.telegraph.co.uk/news/11673700/Muslim-campaigner-Zionists-crept-into-my-home-and-stole-my-shoe.html](http://www.telegraph.co.uk/news/11673700/Muslim-campaigner-Zionists-crept-into-my-home-and-stole-my-shoe.html)

~~~
graedus
Or worse, stacked them:
[http://i.imgur.com/a7app8J.jpg](http://i.imgur.com/a7app8J.jpg)

------
kriro
I've never been to one of the US based conferences (mostly CCC). Has the
attitude towards the NSA changed a lot in recent years? A while back it was
more or less friendly banter and the meet the FED panel was fairly relaxed
(from watching Defcon(?) videos). I remember they gave away mugs and joked
about them being bugged (which to me felt like they probably were somehow :P).

~~~
iNate2000
In 2012 General Keith Alexander gave a keynote at DEF CON; basically a
recruiting speech asking for white-hats to share with the government. Then,
after Snowden, in 2013 Dark Tangent (DEF CON founder) asked feds to take a
break. I believe he did last year as well.

------
some_furry
Personally, I just stay home. I go to local BSides conferences (where a
minimum wage worker can reasonably be expected to afford to attend without a
premeditated effort to save up) and give talks there.

I don't think I'll ever attend Black Hat. I might attend DEFCON, unless the
prices go up much higher. The interests of people who can afford tickets to BH
USA are already well served by the security consultants they can afford to
hire.

And if I ever do speak at DEFCON, it will be repeating a talk I already gave
to the local BSides event. Community > Industry.

~~~
nly
If you're in Europe, CCC[0] is cheap and worth going to. That said, attendance
has apparently skyrocketed the last few years.

[0]
[https://en.wikipedia.org/wiki/Chaos_Communication_Congress](https://en.wikipedia.org/wiki/Chaos_Communication_Congress)

~~~
rasz_pl
was cheap, they bumped price this year considerably

~~~
nly
€80 (2013) -> €100 (2014). I still think that's pretty cheap for a 4 day
conference at such a quality venue.

~~~
rasz_pl
and >300 this year

~~~
nly
Source?

------
stephendicato
Leave your technology at home and actually _meet people_. That's the biggest
benefit of not having your laptop and primary phone with you.

Granted, the crowds and general culture of the conference doesn't always
support this, but to me it's the best part.

------
Labyrinth
I am planning on trying to go to Defcon next year; what should I prepare for,
in terms of room, restaurants, and other attractions?

~~~
jff
A lot of the paranoia is just that--paranoia. Still, there are a lot of people
messing around on the wifi and some playing with cell stations, so some
caution is justified.

If you're going on the company dime and thus have a rental car, the best thing
to do is stay at a hotel somewhere else. I haven't gone since they changed
venues, but I used to stay at a chain hotel on the other side of the Strip
from the Rio. I'd use their hotel wifi but push all my communications over an
ssh tunnel, which is what you should be doing anyway on ANY public wifi.

When I got to the conference, I tended to just put my phone in airplane mode
and leave it like that. I'd bring a spare laptop and boot Linux off a USB
stick so I could take notes; I sometimes turned on wifi but never signed in to
anything online, just looked up wikipedia articles and such. You're probably
not at such a great risk because security is a lot better these days (SSL and
whatnot), but you'll pay more attention to the talks if you don't have your
usual set of distractions available.

Go see the Strip, but after you've seen it once I've never felt much draw to
go back. If you have a car, drive over and see Red Rock Canyon in the evening,
it's just outside of town and very beautiful. Lots of good restaurants around,
just pick what you're interested in. I had some pretty authentic and tasty
Chinese food about a mile off the strip last time I went.

It's a lot of fun, relax and enjoy!

~~~
lfowles
A geeky nearby attraction is the National Atomic Testing Museum.

[http://www.nationalatomictestingmuseum.org/](http://www.nationalatomictestingmuseum.org/)

~~~
jff
How could I have forgotten this! Definitely go to the testing museum, it's
about 1 block from the strip and is super cool.

------
arkem
While shenanigans do go on at Defcon and Blackhat most of these "no computers,
no cell phone" precautions are overreactions.

~~~
baby
People don't drop 0days at BlackHat, and if they want to, they will do it
during a briefing not in the lobby exploiting people's
phones/laptops/smartcards.

------
zobzu
this stuff's funny

except for paranoids - if you're not able to use your regular tools at
blackhat for fear of being compromised, this means you don't trust your tools,
go fix em - because if they're not safe at bh/defcon, they're safe nowhere.

in reality, even the wifi is pretty safe, LTE-only networking with VPN works
out fine etc.

------
mrits
I put on a condom before I even clicked the link.

~~~
singlow
I should have - clicking the link crashed my browser hard (chrome-stable in
ubuntu/gnome-shell). Pretty sure it was just something in one of the 2000 ads
and social media widgets on the USA Today page.

I haven't had chrome crash that hard since I switched back to the stable
branch six months ago. The tab crashed first, but the whole Gnome Shell
actually went unresponsive except for desktop switching. Apport was running
wild and I had to kill it from the console to get X to start responding again.

------
snake_plissken
Actually this sounds kind of fun sans the whole someone will read your
credit/debit card from 5 feet away. Buy a laptop on craigslist for $100, re-
format, get some throw away email accounts and see if you can go about your
somewhat normal daily life on the 'Net without getting stomped as you connect
across potentially hostile and un-trusted networks. The challenging part would
be verifying you got through the conferences ok without any intrusions or
someone sniffing your passwords.

~~~
at-fates-hands
Better be checking the "wall of sheep" frequently then!

~~~
benmmurphy
I tried to dump fake credentials / XSS - SQLI the wall of sheep 2 years ago
but I couldn't get it to display any of my requests.

------
mrdrozdov
Typo. I think that

    Having to protect a single laptop isn't that big a deal, Black said. "We get over 20,000 unauthorized probes on our system every minute," he said.

Should be (Black -> Blech)

    Having to protect a single laptop isn't that big a deal, Blech said. "We get over 20,000 unauthorized probes on our system every minute," he said.

------
tedunangst
Who are the people saying this? (I've never heard of Proficio before, but
apparently they have a sponsored nascar car.)

------
shahryc
"And because it's an event that brings in high-level government and corporate
staff, there's also plenty of data and networks to entice the nefarious. It's
one-stop shopping, a place where every major security executive is gathered..."
---- I wonder who's got hacked in the past

~~~
Animats
Read old DefCon reports. In 2009, someone remotely read the RFID chips on
government secure IDs.[1]

[1] [http://www.wired.com/2009/08/fed-rfid/](http://www.wired.com/2009/08/fed-rfid/)

~~~
shahryc
wow, that's crazy --- thanks for the share!

------
beamatronic
Is it completely unreasonable/paranoid to not bring any electronics or credit
cards when attending these kinds of conferences?

------
tripzilch
> That means "the rules are a little different," said Stan Black, chief
> security officer for Citrix in Fort Lauderdale, Fla. For example, he's
> bringing his schedule printed out on a piece of paper so he doesn't have to
> turn on his cell phone to check it.

> "And they're all staying in the same hotel," said Steve McGregory, director
> of threat and application intelligence for Ixia, a security firm in
> Calabasas, Calif.

> Jon Miller, vice president of the security firm Cylance in Irvine, Calif.,
> doesn't see the hacking at Black Hat as malicious so much as simply
> intellectually curious. But he still turns off Wi-Fi and Bluetooth on his
> phone and only logs on to the Internet from his hotel room using a virtual
> private network.

Ok I get it, it's a hacker's con, with hackers hacking hackers. If you don't
want your phone hacked, don't bring it to Blackhat. "It's to be expected",
right?

But isn't it also a little bit insane?

What about the people working there? Hotel staff, catering, nearby bars,
shops, etc. Do they get debriefed about security countermeasures like this? Or
are they left to their own devices? (or should I say "0wned devices")

Do the hotels use computers? Do they get help protecting their systems from
damage? How do they manage to get their systems back into a safe and stable
state for the rest of the year for when, you know, the place isn't swarming
with people for whom "the rules are a little different".

Sounds to me like the waiting staff will be the ones with the least protected
phones, attracting the "intellectually curious". I'm just thinking of these
additional scripts available, not the exploits, but the ones designed to slurp
data after a way in has been found. They are targeted at the common types of
accounts/usage, facebook and gmail, automated email digging, further
escalation to ID theft, etc. Most security researchers/consultants know of
these tools but they never _really_ get to use them in their day job, because
usually you don't have to follow an exploit all the way through to begin
protecting your client from it. But now, _they're on Blackhat!_ And the rules
are a little different! Finally!

And even after all the hackers leave, the exploit's still in your phone.

Perhaps I'm being a bit hyperbolic here, but grant that it is a pretty crazy
situation and I'm actually curious, how do the local people working there deal
with this?

Imagine going to a gun convention and being advised to better prepare by
wearing a bulletproof vest, because "the rules are a little different" there
:)

------
benihana
Do break-ins increase during security conferences because hackers realize the
watchmen are busy? Or do they go down during these conferences because the
people breaking in are also the people at the conferences?

~~~
TeMPOraL
You put a bunch of people who do pwning for fun and/or a living in one room;
it's not surprising if some will start pwning each other to show off or just
for teh lulz.

