The Raxis pentesting team is at DefCon in Vegas this weekend. It’s an awesome conference that has lessons and contests for everything from lock picking and car hacking to new network and application exploits that our team may try on your next penetration test.
For those of you who may not have attended before (or just the curious), here are a few guidelines to help ensure that you have a safe and enjoyable experience at DefCon (or anywhere nearby in Vegas this weekend).
Connectivity
Trust nothing. DefCon is regarded as the most hostile wireless environment on the planet. Do not connect to the conference wifi – or any wifi network except for those that you verify. I suggest making note of the hotel network’s AP BSSID and confirming that you’re actually connected to it before doing anything. When inside the conference center, Airplane mode is a really good idea. Bluetooth is best left off unless you’re actually using it, and when you are, disable discovery. Some folks use burner phones, but that’s not really necessary if you’re smart about phone use. You do you.
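One way to automate the BSSID check described above on a Linux laptop, as an added example that is not part of the original post. It parses the output of `iw dev <interface> link`; the SSID, BSSIDs, sample outputs and the `wlan0` interface name are constructed assumptions.

```python
import re
import subprocess
import sys

# Constructed values: replace with the SSID and BSSIDs you noted yourself.
TRUSTED = {"HotelGuest": {"02:00:00:aa:bb:01", "02:00:00:aa:bb:02"}}

# Constructed samples in the format printed by `iw dev <interface> link`.
SAMPLE_OK = "Connected to 02:00:00:aa:bb:01 (on wlan0)\n\tSSID: HotelGuest\n\tfreq: 5180\n"
SAMPLE_MISMATCH = "Connected to 02:00:00:cc:dd:99 (on wlan0)\n\tSSID: HotelGuest\n\tfreq: 2437\n"

MAC = r"((?:[0-9a-f]{2}:){5}[0-9a-f]{2})"


def parse_iw_link(text):
    """Return (ssid, bssid) from `iw ... link` output, or (None, None) if not associated."""
    bssid = re.search(r"^Connected to " + MAC, text, re.I | re.M)
    if not bssid:
        return None, None
    ssid = re.search(r"^[ \t]*SSID: (.*)$", text, re.M)
    return (ssid.group(1) if ssid else None), bssid.group(1).lower()


def check_link(text, trusted=TRUSTED):
    """Classify the current association against the noted SSID/BSSID pairs."""
    ssid, bssid = parse_iw_link(text)
    if bssid is None:
        return "not-connected"
    if ssid not in trusted:
        return "unknown-network"
    # Same network name but an access point you never noted: do not use it.
    if bssid not in {b.lower() for b in trusted[ssid]}:
        return "bssid-mismatch"
    return "ok"


if __name__ == "__main__":
    iface = sys.argv[1] if len(sys.argv) > 1 else "wlan0"  # assumed interface name
    out = subprocess.run(["iw", "dev", iface, "link"], capture_output=True, text=True).stdout
    verdict = check_link(out)
    print(verdict)
    sys.exit(0 if verdict == "ok" else 1)
```

A BSSID can be cloned, so treat a match as a necessary check rather than proof, and keep the VPN on regardless.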
VPN
When online, use a VPN at all times and enable the ‘killswitch’ feature if you have it. Don’t use a VPN that uses split tunneling because it does not protect all your data in transit. Use a VPN that forces all traffic across the tunnel. Nord, PIA, and ExpressVPN are solid options.
Cellular
IMSI catchers (aka stingrays) are in use. When using your phone, make sure you’re on a 4G or 5G connection. Check the cell tower ID against something like Shodan if possible, to minimize the chance that you get MitM’d. Text / SMS messages on a downgraded connection are the easiest to target, so use end-to-end encryption when messaging. I recommend using a tool such as Keybase.
Physical Security
When your laptop is not in use, shut it down fully so that it’s locked by disk encryption. If you leave it in your hotel room, even to go get ice or whatever, put it in the room safe. Alternately, I’ve seen people just leave their work laptop behind with some kind of secure remote access setup.
ATMs
Better to just bring cash, but, if you must use an ATM, use one that is a few miles from the conference center. Use one that is actually attached to a bank and check it for skimmers.
Payments
Don’t make purchases on a check card. Use an actual credit card to make sure you have fraud protections in place. Personally, I use a single Amex card while there and cancel it afterward.
Don’t use NFC to pay.
And Finally
Keep your hotel key shielded when out and about.
See You There
I think that about covers it. Now it’s time to learn some cool stuff and have a blast!