As DerbyCon fast approaches, I have put together a list of items that I do before going to any security conference in hopes that it helps better protect my laptop (after all we are at a security con with folks that have skills). Here are my tips (in no particular order) – I would love to hear yours:
1. Change your password – something perhaps a little harder than usual that you only have to remember while at the conference. I recommend changing it again on your return. This “con” password should be different from your “normal” passwords so if cracked there would be no indirect information that an attacker could gain about your “normal” passwords.
2. Encrypt your hard drive – in case of physical theft. Make sure you have a good preboot password.
3. Back up your hard drive – in case you get infected or anything else happens to the “trustworthiness” of your laptop, you should have a known good point to go back to. I typically image the drive before going out.
4. Shred sensitive information – you have a good backup now, so go ahead and shred anything sensitive on the laptop. No need to have more on it than the bare minimum. If you are against destroying it, you can encrypt it in its own container.
5. Forget/delete any wireless networks you “auto connect” to – just do a quick Google for the Pineapple Mark IV and other such tools that prey on the wireless “auto connect” feature. If you have a backup, then you can restore them after the con.
6. Bring a cable lock and use it – anyone going to the lock-picking area of the con will likely think these locks are a joke – and to them they might very well be; however, to the maid/service person in your room they may be enough to help. If you want to splurge, there are cable locks that sound alarms when tampered with.
7. Put your favorite internet sites into your hosts file – why yes, it is easy to jack with DNS, so why rely on it.
8. Use a VPN/encrypted proxy to surf – all your traffic should be encrypted outside of whatever wireless security is deployed. I prefer UltraSurf and KISS, but anything that adds a layer of encryption on top of what is out there is better than nothing.
9. Make sure all your web mail uses SSL – yes, SSL too can be hacked, but it's better than showing up on the “wall of sheep” for hitting the site in HTTP.
10. Patch everything – your OS, Adobe, Java – everything that can be patched. At least this way if you get broken into they had to work at it a bit. This should include your AV/AM software signatures.
11. Install security tools – most tools allow you to test them for 15-30 days – you can leverage this to install new tools if you want just for the con. Some I recommend, provided you tested them and made sure they don’t break anything, are Deep Freeze (will prevent anything installed from gathering a permanent footprint) and Malwarebytes (the trial version will allow for real time scanning).
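For tip 7, an added example that is not part of the original post: Python that builds a marked block of hosts-file pins from lookups done on a network you trust, and removes that block again after the con. The marker comments, the function names and the `.test` hostnames in the demo are assumptions made here; writing the result into the hosts file is left to you.

```python
import ipaddress
import socket

BEGIN = "# con-pins begin"   # marker comments are an assumption of this example
END = "# con-pins end"

def resolve(host):
    """Addresses the current (trusted) network's resolver returns for host."""
    infos = socket.getaddrinfo(host, 443, proto=socket.IPPROTO_TCP)
    return {info[4][0] for info in infos}

def build_block(hosts, resolver=resolve):
    """One hosts-file line per usable address, wrapped in marker comments."""
    lines = [BEGIN]
    for host in hosts:
        for addr in sorted(resolver(host)):
            ip = ipaddress.ip_address(addr.split("%")[0])  # drop IPv6 zone id
            # A pin to loopback/unspecified/link-local would only break the site.
            if ip.is_loopback or ip.is_unspecified or ip.is_link_local:
                continue
            lines.append(f"{ip}\t{host.lower()}")
    lines.append(END)
    return lines

def strip_block(hosts_text):
    """Hosts-file lines with any earlier con-pins block removed."""
    kept, inside = [], False
    for line in hosts_text.splitlines():
        if line.strip() == BEGIN:
            inside = True
        elif line.strip() == END:
            inside = False
        elif not inside:
            kept.append(line)
    return kept

def pin(hosts_text, hosts, resolver=resolve):
    """New hosts-file text: existing entries plus a fresh con-pins block."""
    return "\n".join(strip_block(hosts_text) + build_block(hosts, resolver)) + "\n"

def unpin(hosts_text):
    """After the con: hosts-file text without the con-pins block."""
    return "\n".join(strip_block(hosts_text)) + "\n"

if __name__ == "__main__":
    # Constructed sample data so the demo runs offline; use resolve() for real lookups.
    sample = {"mail.example.test": {"203.0.113.10"}, "bank.example.test": {"198.51.100.7"}}
    print(pin("127.0.0.1 localhost\n", list(sample), sample.__getitem__), end="")
```

Sites served from a CDN rotate their addresses, so a pin can go stale during the trip; if a pinned site stops loading, that is the first thing to check, and `unpin()` takes the block back out when you are home.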
By no means do I mean to imply that doing these, or any subset of them, means you’re 100% safe, but hopefully it will be enough to make the hacker want to look at another victim. As the joke goes – you don’t have to outrun the bear, just the slowest person. Have other ideas? I would love to hear them.
I also don’t want to scare anyone away by implying that any con is malicious – I am just cautious.
9/25 UPDATE: So far I received several comments in favor of imaging before con and restore after con – guess there are some more paranoid (or safer) than myself. The other two I thought worth mentioning are:
1. Erase cookies – many websites (banking sites in particular) use a “step up” authentication. To determine whether or not a computer is trusted they will often set cookies. When removed you may have to jump through more hoops to get in but so will the “bad” guy/gal.
2. Disable network cards – if you want to use it for note taking or viewing presentations, simply disable the network cards until in a “safe” area (away from con – and no, the hotel doesn’t count if it's the same one the con is in). That way you’re sure not to get “attacked” – granted it is not as useful.
Got more in today:
3. Change how you log into your phone – if you use no password, pattern, or PIN, change it to a con specific password. After the con, change it back to what you are used to (best security is complex password).
4. If you use Google 2-step authentication – there is an option to “untrust” all trusted computers; choose to do so when you return. Yes, it will be a pain to retrust them, but it's not too hard.