Advice for a Defcon Virgin
I have never attended a Defcon convention before and I am very excited to be attending this year. I need some help in making sure I am prepared for the event.
- If I bring my laptop and connect it to the internet, will it get hacked?
- If so, is there a way I can secure my connection or computer to prevent hacking or make it hard?
I am hoping to be able to tweet and blog while at the convention but I also don't want my server hacked and all the fun that goes with that. If you also have any other general advice for a defcon virgin please comment over on my blog at http://geek.michaelgrace.org/2009/07/advice-for-a-defcon-virgin/ so this can focus on keeping my computer and internet connection secure during the defcon convention. All your input and advice is much appreciated. ;)
Equipment I plan on bringing
- MacBook Pro
- iPhone 3g
- Digital Camera
Solution 1:
Remembering what I know about previous events (I've never attended DefCon either), some general things spring to mind:
- Don't use unknown or unencrypted (WEP counts as unencrypted) WiFi APs
- Use encryption everywhere (SSH/SSL)
- Do not, I repeat DO NOT log into your blog or twitter over an unencrypted connection
- Use VPN to connect to a secure server (always check certificate when connecting)
- Use secure passwords: 10-16 characters (maybe more?) with both lower and upper case letters and numbers, with a good deal of randomness
- Update your software to latest versions before you leave home
- Don't scan other machines, the other side will notice and get angry
Check what services your MacBook provides to the network and disable everything you don't need (you don't need SSH in there for sure). Don't know about the iPhone since I don't own one.
Solution 2:
If possible, don't even connect directly to your own server, even through SSH. Set up a Dreamhost account or something and tunnel the SSH through there. By making a connection of any kind to your own server, you're pointing to it as a potential target!
Solution 3:
- From a network perspective, assume that you are surrounded by hostiles.
- These hostiles will be friendly. Assume they will attempt social engineering attacks on you when you talk with them. Be a scrooge when handing out information. It should be easy enough to chit-chat without giving out your full name, etc.
- Social engineering may include beer. Beer is a wonderful way to get people to do things they wouldn't normally do - including giving out info.
- This may sound strange, but do not drink any beverage that doesn't come from a well-known brand in a factory-sealed container...unless you like waking up with your underwear as a hat in a strange location.
- If in doubt about what info to give, don't say it. Remember, people can now guess your social security number from just your birth date and city. A little info goes a long way for an attacker.
- If you insist on taking a computer, consider the software installation on it to be disposable and/or compromised; just burn whatever contents you get to a CD/DVD when you get back, and nuke it from orbit. No point in bringing home little wormy-worms and bugs on your machine.
- If you have to leave it in a room behind a locked door, assume you might not find it when you get back. Travel light and think "mobile" or "nomadic". Remember, they do demonstrations of how to pick locks...
Solution 4:
To be ultra-paranoid, configure your firewall to drop all outgoing traffic and only allow stuff that you explicitly want, and that you're sure is either encrypted or not sensitive. For example, it'd suck if you logged in to your machine and your AIM client decided to connect, promptly sending your password in clear text.