How to Beat BlackHat at Its Own Game

It’s that time of year again, when the world’s hackers come together to reveal their latest achievements and discoveries at BlackHat and Defcon. Thousands of hackers, researchers and industry leaders are converging upon Las Vegas, flooding their schedules with meetings and sessions.

If you’re attending this year, I urge you to heed the warnings of years past: these shows are common staging grounds for bad actors, and curious individuals who might get caught up in the “hacking” atmosphere.

Just because we work in the field does not make us immune to their efforts; here are some tips to keep your personal and corporate devices secure.

1. Don’t be duped by spoofed email or fake websites.

There is a reason why phishing remains one of the top exploits for bad actors: it works. And according to Phishers’ Favorites, Microsoft just overtook Facebook as the most commonly spoofed brand in North America thanks to the growth of Office 365. Need to send or receive a large file? Better double check if you’re using Dropbox or WeTransfer, which also made the list of Top 25 Most Spoofed Brands.

2. Mind your devices – leave them behind.

Do you really need to take your laptop, tablet and cell phone to BlackHat? Think about it: this week in Las Vegas is perhaps one of the most hostile cyber environments in the world. Can you make do with just your phone? Once you know what you must take, make sure your software is updated beforehand, wipe personal and unnecessary data before you go and again once you leave. With the proliferation of cheap software defined radios (SDR), fake LTE cell towers have been set up every year. In 2016, some attendees were able to intercept data and infect connected devices with their fake LTE cell tower. If you want to eliminate any risk to your device, consider taking a burner phone and destroy it when you return home.

3. Free Wi-Fi? No, thank you.

From the moment you arrive at the airport until you return home, be wary of public Wi-Fi. Hackers consistently target Wi-Fi networks at airports, airlines, hotels, conference venues and local coffee shops to intercept traffic from and run exploits on unsuspecting victims. If you need Wi-Fi, set up your own and make sure you use VPN to access your corporate network. Ideally, the remote VPN should use two-factor authentication. And remember, you should connect to the VPN before logging into anything or opening a browser, so make sure to close any browser tabs and programs that automatically login prior to connecting to a network. Finally, turn off automatic Wi-Fi (and Bluetooth) connections on your devices.

4. Don’t even think about that USB.

See a cool-looking USB drive or a handy USB-powered fan? Don’t even think about taking it back to your hotel room, let alone home. Promotional USBs are one of the easiest malware delivery tools in existence. Just say no. It’s that simple.

5. …Who are you again?

It’s important at shows like these to be mindful of who you are talking to. Why is this person encouraging you to boast about past hacks or crimes? Is someone asking you about personal information like where you live or your birthday? Social engineers, law enforcement and nation state intelligence personnel attend these conferences for several reasons. Networking is one of the greatest opportunities at BlackHat/Defcon, but it’s advisable to be suspicious of anyone who is asking about sensitive information.

6. Protect your cards and get cash ahead of time.

While RFID theft isn’t necessarily mainstream, it’s a valid threat at shows like this one.

Some security experts downplay the risk of radio frequency identification (RFID) hacks, but it’s important to remember that BlackHat and Defcon are showcases for hackers to demonstrate their talents and reveal how threats are evolving. RFID attacks are still relatively unchartered territory, so you’re better off considering them a valid threat. And since we know ATM skimming has proven successful, you can bet the best place to get cash for the show is from your local bank branch before you leave.

Security professionals around the world are bracing for nothing short of an onslaught of information on new and lingering vulnerabilities from individual devices to whole industrial exposures. With these tips in mind, the only things you’ll take away from the show are insights, rather than exploits.