How to avoid getting pwn3d at Black Hat

There's a lot to learn at Black Hat and DEFCON, and if you're not careful you might find attackers making an example of you and letting you learn about security the hard way.

The 16th annual Black Hat security conference will soon invade Las Vegas. Thousands of attendees will descend on Sin City to attend hundreds of sessions and briefings exposing the seedy underground of computer and network security.

Black Hat and DEFCON are designed to educate and inform--not train the next generation of cyber thugs--but it's not called "Black Hat" for nothing. The RSA Security Conference held in San Francisco each year is the more "professional" security conference, and focuses more on security vendors pitching their latest and greatest tools. Black Hat and DEFCON are oriented more toward security researchers and exposing attack techniques that break those latest and greatest security tools. There are likely more than a few actual "black hat" security researchers attending, and it's safe to say that many attendees at least fall into that large gray area between white hat and black hat. 

So how do you avoid getting pwned? Having attended both Black Hat and DEFCON numerous times, Wolfgang Kandek, CTO at Qualys, has some advice to share. Some of this may seem like simple common sense, especially to security professionals, but it's worth repeating. Just. In. Case.

  • Use a VPN
  • Disable Bluetooth, NFC, and Wi-Fi
  • Don't use Ethernet
  • Use a prepaid mobile phone with your SIM card in it
  • Don't install any patches or updates while you're there
  • Don't log into bank, credit card, or other sensitive accounts from any device
  • Bring lots of cash to avoid hacked or fake ATMs

If you're truly paranoid, you should also consider leaving your laptop, mobile phone, and tablet at home. Hotel locks and hotel room safes can be hacked, and have been the subject of presentations in previous years at Black Hat and DEFCON.

“People think the cell phone is safe, but it’s not. There are going to be two presentations this year where people are using a femto base station in a man-in-the-middle attack,” Kandek says. “Someone can put up a fake cell tower close to you, in the next room, so the air card would connect to it.”

Andrew Wild, Qualys’ CSO, also suggests carrying your driver's license and/or passport in an RFID-blocking wallet to avoid hackers pulling information from them remotely. “I avoid accessing data at all, but if you need to, use a VPN on a laptop to be safe,” Wild says.

If you're attending Black Hat or DEFCON, though, most of all have fun. Just watch your back and check for your wallet frequently. 
