DefCon Essential Security Practices

  • DefCon Essential Security Practices

    What's reasonable protocol to not get completely pwned ⛳️ when I walk into this conference. I'll be running up-to-date iOS + OS X on an iPhone/M1 MBPro, respectively.

    I'll be running WireGuard through a Streisand node.

  • #2
    Originally posted by kevinkatz
    What's reasonable protocol to not get completely pwned ⛳️ when I walk into this conference. I'll be running up-to-date iOS + OS X on an iPhone/M1 MBPro, respectively.

    I'll be running WireGuard through a Streisand node.
    I do not know your skill level. These answers are provided for you and anyone else who reads your question and also wants answers.

    Mobile devices, security, and features:
    Some people say, "don't bring your devices! they will get hacked at DEF CON!" Other people say, "Any devices you bring you should zero-out before con and then zero-out after con and maybe only ever use at con." Others say, "If you are a security professional, and you advocate not bringing your devices to DEF CON, then you should not bring the same devices to anywhere in public, because even if chances for security risks are more likely at DEF CON than being in public, they exist in both places. If your device, policies and practices don't work at DEF CON, they don't work in public and on the Internet." Other people say, "if you need tech to participate in a contest, village, event, presentation, then of course bring it!" Then other people say, "Whether you need a device or not, it is best to avoid using them: DEF CON is a social event. If you are spending much of your time on social networking (twitter, IRC, twitch, discord, etc.) while at DEF CON, you are missing out on the in-person social aspect of DEF CON." Only you know what you should do.

    General guidance for bringing any device:
    Upgrade firmware, OS, Applications, plugins, services, and "apps" of all tech before you bring it anywhere (DEF CON or otherwise.)
    If you have an android device, best to bring one that was *released* with the latest android OS within the last year. Anything not released with the latest android OS less than 1 year ago probably won't have or get more security updates.
    If you have an iPhone or iPad or OS X devices, you probably should make sure you have a device first released less than 3 years ago. "Best Security" is a moving target. With iPhone, older models have been around long enough for entities to find ways to defeat hardware/firmware protections to allow users you didn't authorize to gain access to data contained on the device. The newer the device, the less likely entities have developed a reliable method for bypassing physical security on the device. Eventually they probably will, but before then, if your device is stolen, you have a chance to remote-wipe it before bad people steal your data.
    Laptops/Desktop: similar to iPhone, but how old depends on hardware vendor. Some vendors do not keep up with security BIOS/Firmware updates as long as others. Some may stop support after purchase, others after 1 year, some as long as 5 years, and very, very few as long as 10 years... (Spot the fed!... or financial institution employee, or medical services employee, etc. that have extended support contracts with a vendor.)

    Consider "WiFi Reg" at DEF CON: DEF CON has historically had a more-secure-than-usual WiFi network with special setup and configuration not supported by all devices (hardware+software.) The DEF CON NOC provides information about it on their website, which should be available as we get closer to con. You can run a VPN after you connect to it if you don't trust it, but it is probably safer than leaving your mobile carrier data service enabled and using it.

    If you can alter which forms of mobile network your device supports, it may be of help. Older protocols associated with 1G, 2G, and 3G have fairly well known security risks, especially when a rogue mobile network AP is set up to ask devices to use it. (See Stingray and successors.) Weaknesses have been reported in 4G and some in 5G, too. If you have a 5G device and you can limit to only 5G, maybe that would help avoid known issues in 1G, 2G, 3G, and 4G. There are also risks in spectrum for various regions with respect to international mobile networks. For example, in the US, some of the "900MHz" spectrum is available for consumer equipment, but not used by US mobile carriers. Some of the 900MHz is however used (or was used) in countries outside of the US. If your device supports multi-band, international roaming, your device might be convinced to talk to a device using a frequency not used by any US carriers. If you are from the US or have a US phone with US frequency support, altering your device to not support international roaming for data and voice may help avoid some of this, but does nothing if the would-be computer-criminals squat on frequencies used by mobile carriers in the US.

    For any device you bring with you, seriously consider adding support for a VPN. The latest OpenVPN compiled against the latest OpenSSL supports TLS 1.3 combined with a limited cipher/hash suite, and enforcing "captive" aka "Full Tunnel" VPN could help protect some of your plain-text content at DEF CON. (You probably don't want to appear on the "Wall of Sheep".) Use of IPSec VPN and some of the IKEv2 and mobile IKE service support and carefully selected ciphers and hashing with "captive" or "full tunnel" support could also be good. VPNs are not perfect. They are designed to *only* protect your content between your device and the VPN server, not beyond. Also, you have to be careful with any VPN to ensure that DNS and DNS over HTTPS and NTP *all* are routed through the VPN. AnyCast DNS Servers can provide GEOIP leakage as to "where" the requests originate, and/or have region-specific resolution differences. An example? Amazon Prime appears to use DNS lookup details to deny access to Amazon Prime Video even if you are on a VPN, but your device leaks DNS lookups outside of the VPN to an AnyCast DNS Server outside the regions where they have licenses.

    There are steps you can take for each to go "even deeper" with protections, but the learning curves become steeper, the deeper you look.
    For example: OpenVPN server supports a "redirect-gateway" option with features like "allow the remote device to connect to devices on their local subnet" which is really nice for home users, so they can access their network printer, network scanner, network storage, and network media devices, but would be a bad idea when out in the public, and you want to deny even their local subnet access, but what about DHCP requests if required to keep the device online when on WiFi? This option has many settings.
    Others: "setenv opt block-outside-dns", "setenv opt register-dns", and then there is "auth-user-pass-verify" to add a username/password authentication in addition to OpenVPN cert/key match and validation. If using ciphers which rely on DH, then make sure your DH option is as large as can be supported, like maybe 4096 bits. Enable support for "crl-verify" and keep your CRL updated and published *daily*. "tls-auth" is useful, but maybe "tls-crypt" is better and worth the overhead for you, for clients and servers, to help mitigate some DoS attacks. Also consider restrictions on TLS support with "tls-version-min 1.3". Understand risks associated with compression before enabling or making available "comp-lzo" (compression and encryption have a long and unhappy history). Use the "dhcp-option" to pass NTP and DNS servers for IPv4 and IPv6. Make sure your VPN tunnel supports full tunnel support for IPv4 and IPv6 (or make sure whichever (IPv4 or IPv6) is NOT tunneled is *blocked* by the client device on the VPN; if IPv6 is not blocked and your tunnel uses IPv4, you may leak IPv6 session data outside of your VPN). Consider TLSA records in DNS for OpenVPN clients which use that to verify CA sig before accepting and for client config. Consider "verify-hash" which allows clients that support it to verify the cert offered to them from the server has a hash which matches your client config.
    Not all of these are supported by all OpenVPN Servers and Clients. You should test for leakage before using. Look at your client logs to see which options are ignored or unused. Verify no leakage via DNS or NTP or DNS over HTTPS. (Common leaks include: DNS, NTP, DHCP, and IPv6 when your client gets dual-stack support on its local subnet, but tunnel only provides IPv4, and VPN client does not block IPv6.) (Uncommon or less common: malicious DHCP servers push host-only routes to client device which are given priority over larger subnet routing to make your device part of a "full" tunnel, and more.)
    IPSec has a similar collection of advanced features but is even more complex as there is more than IKEv2 available for devices and some options break other options, but on the plus side, most devices have support for IPSec built into the OS, so no extra applications are required.

    Mobile network security is also similar, with deep and spread-out details on risks, but much of telco data service is "closed source" with government required "backdoors" (USA: see CALEA).

    For any precautions you take, test them while at home. Use a sniffer. Look for leakage. Try to make a fake VPN server answer your request with a bogus cert, set up an evil DNS proxy to answer local requests and try to MitM your own VPN. Does the VPN server you are using support SUPER weak ciphers like "null" which are super easy to MitM? Weak ciphers or busted hashes? Any product or service you rely on is almost certainly a security risk. Failures in coding and protocols exist. Commercial VPNs have thin margins for profit, so many will prefer WEAKER security if it affords greater support for more devices, and fewer support tickets. Some reason, "if the consumer wants better security, they can alter their client config." They also probably rely on other libraries or services which have security risks. Underlying hardware has a security risk. Verifying and validating that the thing you are using does what you want before you visit con is a good idea. Running your own VPN Server on your own hardware with an OS you installed can be a little safer (if you know what you are doing) than running a VPN Server on your own instance with a "cloud service" which can be safer than some random VPN service which can make claims about security, logging, and support but no way for you to validate. Using a server that someone else controls (commercial VPN service or cloud instance) removes visibility to when a subpoena or search warrant is issued, but running your own personal VPN server on your own hardware can make DoS against your server an issue you might need to address, and remove privacy, especially if you are the only user.

    TL;DR: the decision to bring a device to DEF CON is a complicated one. There is no single correct answer for everyone. Weigh your options and make the best decision you can with the resources and knowledge you have.

    Good luck!
    Last edited by number6; July 8, 2021, 20:00.
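As an added example (not code from the thread or from any of its posters), the script below lints an OpenVPN client config for the full-tunnel, IPv6, DNS, TLS, cipher and compression settings number6 lists above, the kind of check you would run at home before con. The two embedded configs, the hostname vpn.example.test, the DNS address 10.8.0.1 and the key file names are constructed for illustration; the option names are real OpenVPN 2.4+ options, and a config that passes the lint still needs a sniffer test for DNS, NTP and IPv6 leakage as the post says.

```python
"""Lint an OpenVPN *client* config for the leak-avoidance settings discussed
in the thread.  Added example, not code from the forum; the two configs, the
hostname vpn.example.test, the DNS address and key file names are constructed."""

import re

# Values that turn encryption or integrity off entirely.
NULL_VALUES = {"none", "null"}
# Compression algorithms that actually compress (stub / stub-v2 only add framing).
COMPRESSING = {"lzo", "lz4", "lz4-v2"}


def parse_openvpn(config_text):
    """Return [(option, [args]), ...], skipping comments and the bodies of
    inline <ca>/<cert>/<key>/<tls-crypt> blocks (each recorded as one entry)."""
    options = []
    in_block = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if in_block:
            if line == "</%s>" % in_block:
                in_block = None
            continue
        m = re.fullmatch(r"<([a-z0-9-]+)>", line)
        if m:
            in_block = m.group(1)
            options.append((in_block, ["<inline>"]))
            continue
        parts = line.split()
        options.append((parts[0], parts[1:]))
    return options


def audit_openvpn_client(config_text):
    """Return a list of findings (strings); an empty list means every check passed."""
    opts = parse_openvpn(config_text)
    names = {name for name, _ in opts}
    args_of = lambda name: [a for n, a in opts if n == name]
    findings = []

    # Full tunnel for both address families.  On a dual-stack LAN an IPv4-only
    # tunnel leaks IPv6 unless the client blocks it (block-ipv6).
    rg = args_of("redirect-gateway")
    if not rg:
        findings.append("no redirect-gateway: split tunnel, Internet traffic bypasses the VPN")
    else:
        flags = set(rg[0])
        if "ipv6" not in flags and "block-ipv6" not in names:
            findings.append("IPv6 neither tunnelled (redirect-gateway ipv6) nor blocked (block-ipv6)")
        if "block-local" not in flags:
            findings.append("redirect-gateway without block-local: local subnet stays reachable")

    # DNS: on Windows clients, block-outside-dns stops resolvers outside the tunnel being used.
    setenv_opts = [a[1] for a in args_of("setenv") if len(a) >= 2 and a[0] == "opt"]
    if "block-outside-dns" not in setenv_opts:
        findings.append("no 'setenv opt block-outside-dns': DNS can leak past the tunnel on Windows")

    # Control channel: TLS 1.3 only, tls-crypt rather than tls-auth, server identity pinned.
    tv = args_of("tls-version-min")
    if not tv or tv[0][:1] != ["1.3"]:
        findings.append("tls-version-min is not 1.3")
    if "tls-crypt" not in names:
        hint = " (tls-auth only authenticates the control channel)" if "tls-auth" in names else ""
        findings.append("no tls-crypt" + hint)
    if "remote-cert-tls" not in names:
        findings.append("no 'remote-cert-tls server': another client cert from the same CA could pose as the server")
    if not names & {"verify-x509-name", "verify-hash", "peer-fingerprint"}:
        findings.append("server certificate not pinned (verify-x509-name / verify-hash / peer-fingerprint)")

    # Data channel: null cipher or auth, and compression on an encrypted channel.
    for name in ("cipher", "auth"):
        for a in args_of(name):
            if a and a[0].lower() in NULL_VALUES:
                findings.append("%s %s: null %s is trivially MitM-able" % (name, a[0], name))
    comp_lzo_on = any(a[:1] != ["no"] for a in args_of("comp-lzo"))
    compress_on = any(a and a[0] in COMPRESSING for a in args_of("compress"))
    if comp_lzo_on or compress_on:
        findings.append("compression enabled (comp-lzo/compress): compression plus encryption leaks plaintext")
    return findings


# Constructed sample: split tunnel, null crypto, compression, tls-auth only.
WEAK_CONFIG = """\
client
dev tun
proto udp
remote vpn.example.test 1194
cipher none
auth none
comp-lzo
tls-auth ta.key 1
<ca>
-----BEGIN CERTIFICATE-----
(constructed placeholder, not a real certificate)
-----END CERTIFICATE-----
</ca>
"""

# Constructed sample: the same client with the settings from the post applied.
HARDENED_CONFIG = """\
client
dev tun
proto udp
remote vpn.example.test 1194
redirect-gateway def1 ipv6 block-local
setenv opt block-outside-dns
dhcp-option DNS 10.8.0.1
tls-version-min 1.3
remote-cert-tls server
verify-x509-name vpn.example.test name
cipher AES-256-GCM
auth SHA256
tls-crypt tc.key
<ca>
-----BEGIN CERTIFICATE-----
(constructed placeholder, not a real certificate)
-----END CERTIFICATE-----
</ca>
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_openvpn_client(cfg) or ["ok"])
```

Run it as-is to see the nine findings on the weak config and none on the hardened one, or point `audit_openvpn_client` at the text of your own .ovpn file. The lint only looks at what the client asks for; options the server refuses or silently ignores still show up only in the client log, which is why the post tells you to read it.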


  • #3
    Originally posted by kevinkatz
    What's reasonable protocol to not get completely pwned ⛳️ when I walk into this conference. I'll be running up-to-date iOS + OS X on an iPhone/M1 MBPro, respectively.

    I'll be running WireGuard through a Streisand node.
    A few years ago when I first made it known that I would be going to Defcon, I was immediately given all kinds of unsolicited "advice" about what precautions I should take when attending. This, of course, was from people who had never attended. :)

    They were offering me "suggestions" such as to buy a burner phone and discard it after the Con, and use my old laptop and again trash it after the Con and take out a Protonmail account and give that address to anyone who you meet at the Con.

    This was, of course, when I was far less technically adept than I am now, but still not a total n00b.

    When I mentioned this to the guys who had talked me into attending (multi year Defcon veterans), we all had a good laugh, and then a real good discussion about what should and should not be done in the real world.

    "You're streetwise, just don't do anything stupid!"

    I think the big bottom line is to keep your guard up and think critically about any time you connect to anything or share any kind of data.

    We talked about stupid $#!+ not to do, and a few of the items I remember are:

    If you see a thumb drive just lying around, let it lie around, better yet, take it and flush it so somebody else does not get taken.

    If some d00d wants to borrow or just take a look at your phone, tell him No {f-bomb}ing way!

    Watch out what WIFI SSIDs you connect to!

    Be discreet when talking casually about what carriers and services you use, what OS you use, etc.

    Be cautious about giving out any screen names or any kind of PII.

    Don't use credit cards.

    If any app, site or whatever wants you to re-enter or verify your credentials, disconnect, as in NOW!

    This was back when I was less technically adept than I am now, but as far as I know I have never made a guest appearance on the Wall Of Sheep! :)

    Anyway, as to what I do personally, here's what I've been doing the last few years I've attended, and please excuse me being a bit vague on some of the details.

    I'll be taking my personal cell phone, a late model well-known brand from one of the major carriers. Latest versions of about everything. Yeah, I'll probably have Bluetooth enabled for the headset but WIFI off and hotspot mode off.

    For a laptop, I've taken one I have which is more of a maker/techie tool/toy than it is a regular laptop, but it does do web and email and about anything I would need to except maybe run VMs. This particular one is unique in that I can easily create a "virgin" image to "sacrifice" if needed in about 10 minutes and physically swap it in when needed and out when I return. (Hint: This particular one is brightly colored and I did see a couple of others each year.) :)

    One of the better-rated commercial VPN services on both the phone and laptop.

    Oh, if you're curious and just sitting around waiting for something to start, pull out your phone and launch a WIFI stumbler and look at the rat traps and honeypots that are out there! :)


  • #4
    These are both gold. Serious, serious thanks to both of you. Stoked to swarm this.


  • #5
    Amazing the ignorance about safety precautions with people in general.

    However, your post made me even more aware of what could happen.