I was at a security consultancy that sent a lot of people (~30) to Defcon and quite a few to BlackHat as well. I remember the pre-conference security briefing.
No company laptops on the trip at all, regardless of hard drive encryption, VPN (both of which were compulsory for off-site laptop use). Company phones had to have a long unlock password, enforced centrally. No 2G - all been hacked, no 4G, hacked, only 3G, but no client details over 3G. They recommended a burner SIM, and to not use the company provided SIM at all.
I understand that 4G devices don't always use the 4G network for voice; they may either use 2 radios, or drop the 4G connection. The 4G network is used for data, and a 2G network for voice/SMS.
Eventually they will all start sending voice over the data link, but it isn't guaranteed.
As far as I know, none of the UK macro operators support Voice Over LTE yet, so yes, if you receive a phone call on 4G you get a paging message telling you to fall back to 2/3G circuit switched and answer the damn thing.
I'm assuming this is why my stock S5 won't let me choose 4G only (calls become impossible), whereas I can lock it to _just_ 3G.
I don't feel this fully addresses the original statement of "no 4G, hacked", though. If the downgrade-to-2G attack is the worry then 3G & 4G should be perfectly fine.
Interesting reading; thank you. Though after following the threads for a while and going through the original fulldisclosure posts, I've come to the following thoughts:
Generally seems a bit of a grandiose story with no real evidence backing it up, the likes of which have never been repeated, either (though if you know of other 3/4G hacks please say). This was also the same year Karsten Nohl was cracking GPRS [1] (which was extremely novel) and I wonder if these two events have gotten conflated.
The little bit of evidence given on the FD post [2] and the comments on your reddit link seem to imply this was very much a hack against WiMAX, which whilst called a 4th Generation technology, bears little or no resemblance (or history) to the 3GPP standard known as LTE/4G. I think this is where the confusion comes about and the reason why 3G wasn't broken as a side-effect. We're both using the term "4G"/"LTE" but we mean different technologies.
Nice read. I could envision a Hollywood movie on this premise: Denzel Washington, our protagonist is the country's leading hacker / security expert, invited to give a talk. Only that an unknown Russian will crack him handily, stealing some government secrets. Then the movie would quickly deteriorate into gas explosions and "hacking tools" written in VB.NET.
Movie opens with Chinese cyber-ops lab, head honcho brings in McGuffin device, plugs it in. Cut to scenes in US of machines being compromised, data leaking, cars stopping, TV broadcasts being controlled.
Our protagonist is shown, recognising the attack and taking action: she unplugs her computer and goes for a run past stranded trucks and cars.
Titles.
A few weeks later, media is still talking about the biggest attack on US computers. CIA meeting discusses that the Chinese head of cyber-ops is known to be attending Black Hat with the McGuffin (it never leaves him). CIA has a team on trying to hack him, but two deepthroats in the room talk to each other about their suspicion that one of the CIA team is a double-agent.
One Deep Throat, a high level agent from black-ops three letter agency approaches our protagonist, an independent pentester, a hippy wunderkind living in an RV in New Mexico. They ask her to take her team to Vegas, make the hack and identify the CIA mole.
They plan the hack, involving lots of physical as well as digital subterfuge. Then they go to Vegas, have scenes of being out of their element, then the hack begins and they mostly raise their game. The CIA team detects them, destroying their hopes of finding the mole, so they focus on the McGuffin.
At the last minute it turns out the Wunderkind's best friend on her team has also been turned as a spy, and gives her identity to the CIA mole and Chinese authorities. Wunderkind has to finish the hack alone, while being hunted down by both agents.
She does so, even managing to tag her former friend so he can be picked up by the authorities, as the Chinese leave him out to dry when they retreat. Movie ends with Wunderkind receiving an offer from black-ops to work for shadow 3-letter agency full time. She returns to her RV and shreds the offer letter.
"He counsels staff and clients to keep their credit cards in specially shielded envelopes or to stack them one on top of the other so the signals are jumbled up."
Slightly terrifying advice. A few years ago Kris Padgett (iirc) demonstrated that nearly all RFID "blocking" wallets were useless. That and they employ some immense collision detection - if you can throw a binbag full of chips past a reader and still manage to scan them all, I find it impossible to believe 2 cards stacked does _anything_ to help.
Why not just buy pre-paid VISA cards [ed: and even if they do -- the damage will be limited] ? AFAIK they don't have RFID? I'd be more worried about my passport (if it had RFID).
Valid enough for human validation! (Although, I think it's technically illegal to deface a passport. But, at the same time, it's not technically 'defaced'...)
Edit: As a frequent (if reluctant) traveler, I've yet to encounter a necessity for RFID at passport control. (I simply avoid that particular queue.)
I've been stopped twice for not being obedient: once because I refused to step into a mm-wave scanner (after the controller refused to send me back through the metal detector after I removed my belt...), and another time for not staring into the hypnotic blinkenlights that were swirling around the cameras above everyone's heads in the queuing area.
I think it was UK Gatwick Airport, on the way to passport control. The passengers were shepherded into lines, and spaced at intervals above each line were ceiling-mounted cameras. Bright LEDs around the camera lens were flashing in rotational patterns - designed to instinctively draw attention, and hence make facial recognition easier.
Because RFID is a family of technologies operating at 4 different frequency bands and using 2 different coupling mechanisms, it is difficult to generalize. For the use case of ID cards, 13.56MHz and inductive coupling are the relevant characteristics. Anti-collision is pretty weak in most 13.56MHz transponders, and it is no better than it was 8 years ago.
I think you are mostly safe at Defcon/Blackhat. I think you have to worry if you are a target for nation state / criminals (suspected of selling vulnerabilities at the con); then your room is probably going to get searched.
The victims seem to agree the search was sloppy because it was obvious, but I would argue the main value of searching your locked safe and leaving behind a mess is exactly in sending this signal, letting you know you're being watched. Over the years, this paranoia will add up, and some people do break down because of it.
When you really consider what people are suggesting it's silly. My important apps use SSL, no one is going to waste an SSL break at DEFCON. Turning data off is just an inconvenience, though it does make the conference seem more exciting for the uninitiated.
Blackhat is so expensive that it's almost entirely government and corporate employees. Always struck me as a bit of a misnomer.
The thing is, it only takes one non-TLS web request to be harmed. There are a number of attacks that can be done that require MITM and/or local snooping that are easily done at a conference like this (the TLS export-level security downgrade recently, BREACH/CRIME, etc). There were a number a few years back, before HSTS was around, that would hijack people going to http://google.com and capture their cookies before it redirected to https://google.com. These might seem trivial now, but what would people have thought 5-10 years ago about the things that are possible now.
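The cookie-before-redirect pattern in the comment above is something a defender can check for from a captured response head. The following is an added example, not code from the thread or from any of the vendors quoted in the article: it parses a raw HTTP/1.x response, reports cookies issued over plaintext or without the `Secure` attribute, flags the "set cookie, then redirect to https" shape, and checks that HSTS is present (and only counted on an https response, since browsers ignore the header over plaintext). Both sample responses are constructed for the example; `www.example.com` and the cookie name `SID` are placeholders.

```python
import re
from typing import List, Tuple

# Constructed sample: a plaintext http:// response that sets a session
# cookie and only then redirects to https://. Not a real capture.
PLAINTEXT_REDIRECT = (
    "HTTP/1.1 302 Found\r\n"
    "Location: https://www.example.com/\r\n"
    "Set-Cookie: SID=abc123; Path=/; HttpOnly\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

# Constructed sample: the hardened https:// response for the same site.
HARDENED = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Set-Cookie: SID=abc123; Path=/; Secure; HttpOnly\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)


def parse_head(raw: str) -> Tuple[int, List[Tuple[str, str]]]:
    """Split a raw HTTP/1.x response into (status code, lowercase header pairs)."""
    head = raw.split("\r\n\r\n", 1)[0]
    status_line, *lines = head.split("\r\n")
    m = re.match(r"HTTP/\d(?:\.\d)? (\d{3})", status_line)
    if m is None:
        raise ValueError(f"not an HTTP status line: {status_line!r}")
    headers = []
    for line in lines:
        if ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip().lower(), value.strip()))
    return int(m.group(1)), headers


def audit(raw: str, over_tls: bool) -> List[str]:
    """Return human-readable findings for one response head.

    over_tls says which scheme the response was observed on; the same
    header is fine on https and a problem on http, so the caller must tell us.
    """
    status, headers = parse_head(raw)
    findings: List[str] = []
    hsts = [v for n, v in headers if n == "strict-transport-security"]
    cookies = [v for n, v in headers if n == "set-cookie"]
    location = next((v for n, v in headers if n == "location"), "")

    if over_tls:
        if not hsts:
            findings.append("no HSTS: a later http:// navigation can still be intercepted")
        else:
            m = re.search(r"max-age=(\d+)", hsts[0], re.I)
            if m is None or int(m.group(1)) == 0:
                findings.append("HSTS max-age missing or zero: header has no effect")
    elif hsts:
        findings.append("HSTS sent over plaintext: browsers ignore it, serve it on https only")

    for cookie in cookies:
        name = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().lower() for a in cookie.split(";")[1:]}
        if not over_tls:
            findings.append(f"cookie {name} set over plaintext: already readable on the local network")
        if "secure" not in attrs:
            findings.append(f"cookie {name} lacks Secure: the browser will also send it on http:// requests")

    # The exact shape the comment describes: cookie handed out on http://,
    # then a redirect to https:// that arrives too late to protect it.
    if (not over_tls and 300 <= status < 400
            and location.lower().startswith("https://") and cookies):
        findings.append("cookie issued before the https redirect: exposed on the first hop")
    return findings


if __name__ == "__main__":
    for label, raw, tls in (("plaintext redirect", PLAINTEXT_REDIRECT, False),
                            ("hardened", HARDENED, True)):
        print(f"== {label} ==")
        for f in audit(raw, tls) or ["no findings"]:
            print(" -", f)
```

Run it against heads captured from your own traffic (a proxy or `curl -i` will do) and treat any finding on a plaintext response as a request that should not have happened at all; HSTS and `Secure` only stop the browser repeating the mistake.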
I've never been to one of the US based conferences (mostly CCC). Has the attitude towards the NSA changed a lot in recent years? A while back it was more or less friendly banter and the meet the FED panel was fairly relaxed (from watching Defcon(?) videos). I remember they gave away mugs and joked about them being bugged (which to me felt like they probably were somehow :P).
In 2012 General Keith Alexander gave a keynote at DEF CON; basically a recruiting speech asking for white-hats to share with the government. Then, after Snowden, in 2013 Dark Tangent (DEF CON founder) asked feds to take a break. I believe he did last year as well.
Personally, I just stay home. I go to local BSides conferences (where a minimum wage worker can reasonably be expected to afford to attend without a premeditated effort to save up) and give talks there.
I don't think I'll ever attend Black Hat. I might attend DEFCON, unless the prices go up much higher. The interests of people who can afford tickets to BH USA are already well served by the security consultants they can afford to hire.
And if I ever do speak at DEFCON, it will be repeating a talk I already gave to the local Bsides event. Community > Industry.
A lot of the paranoia is just that--paranoia. Still, there are a lot of people messing around on the wifi and some playing with cell stations, so some caution is justified.
If you're going on the company dime and thus have a rental car, the best thing to do is stay at a hotel somewhere else. I haven't gone since they changed venues, but I used to stay at a chain hotel on the other side of the Strip from the Rio. I'd use their hotel wifi but push all my communications over an ssh tunnel, which is what you should be doing anyway on ANY public wifi.
When I got to the conference, I tended to just put my phone in airplane mode and leave it like that. I'd bring a spare laptop and boot Linux off a USB stick so I could take notes; I sometimes turned on wifi but never signed in to anything online, just looked up wikipedia articles and such. You're probably not at such a great risk because security is a lot better these days (SSL and whatnot), but you'll pay more attention to the talks if you don't have your usual set of distractions available.
Go see the Strip, but after you've seen it once I've never felt much draw to go back. If you have a car, drive over and see Red Rock Canyon in the evening, it's just outside of town and very beautiful. Lots of good restaurants around, just pick what you're interested in. I had some pretty authentic and tasty Chinese food about a mile off the strip last time I went.
I still recommend a rental car if you can afford it; walking around in the August heat is awful. Go check out the strip after dark, when it's cool enough to walk a lot without getting heatstroke.
People don't drop 0days at BlackHat, and if they want to, they will do it during a briefing, not in the lobby exploiting people's phones/laptops/smartcards.
except for paranoids - if you're not able to use your regular tools at blackhat for fear of being compromised, this means you don't trust your tools, go fix em - because if they're not safe at bh/defcon, they're safe nowhere.
in reality, even the wifi is pretty safe, LTE-only networking with VPN works out fine etc.
I should have - clicking the link crashed my browser hard (chrome-stable in ubuntu/gnome-shell). Pretty sure it was just something in one of the 2000 ads and social media widgets on the USA Today page.
I haven't had chrome crash that hard since I switched back to the stable branch six months ago. The tab crashed first, but the whole Gnome Shell actually went unresponsive except for desktop switching. Apport was running wild and I had to kill it from the console to get X to start responding again.
Actually this sounds kind of fun sans the whole someone will read your credit/debit card from 5 feet away. Buy a laptop on craigslist for $100, re-format, get some throw away email accounts and see if you can go about your somewhat normal daily life on the 'Net without getting stomped as you connect across potentially hostile and un-trusted networks. The challenging part would be verifying you got through the conferences ok without any intrusions or someone sniffing your passwords.
"And because it's an event that brings in high-level government and corporate staff, there's also plenty of data and networks to entice the nefarious. It's one-stop shopping, a place where every major security executive is gathered..." ---- I wonder who got hacked in the past
> That means "the rules are a little different," said Stan Black, chief security officer for Citrix in Fort Lauderdale, Fla. For example, he's bringing his schedule printed out on a piece of paper so he doesn't have to turn on his cell phone to check it.
> "And they're all staying in the same hotel," said Steve McGregory, director of threat and application intelligence for Ixia, a security firm in Calabasas, Calif.
> Jon Miller, vice president of the security firm Cylance in Irvine, Calif., doesn't see the hacking at Black Hat as malicious so much as simply intellectually curious. But he still turns off Wi-Fi and Bluetooth on his phone and only logs on to the Internet from his hotel room using a virtual private network.
Ok I get it, it's a hacker's con, with hackers hacking hackers. If you don't want your phone hacked, don't bring it to Blackhat. "It's to be expected", right?
But isn't it also a little bit insane?
What about the people working there? Hotel staff, catering, nearby bars, shops, etc. Do they get debriefed about security countermeasures like this? Or are they left to their own devices? (or should I say "0wned devices")
Do the hotels use computers? Do they get help protecting their systems from damage? How do they manage to get their systems back into a safe and stable state for the rest of the year for when, you know, the place isn't swarming with people for whom "the rules are a little different".
Sounds to me the waiting staff will be the ones with the least protected phones, attracting the "intellectually curious". I'm just thinking of these additional scripts available, not the exploits, but the ones designed to slurp data after a way in has been found. They are targeted at the common types of accounts/usage, facebook and gmail, automated email digging, further escalation to ID theft, etc. Most security researchers/consultants know of these tools but they never really get to use them in their day job, because usually you don't have to follow an exploit all the way through to begin protecting your client from it. But now, they're on Blackhat! And the rules are a little different! Finally!
And even after all the hackers leave, the exploit's still in your phone.
Perhaps I'm being a bit hyperbolic here, but grant that it is a pretty crazy situation and I'm actually curious, how do the local people working there deal with this?
Imagine going to a gun convention and being advised to better prepare by wearing a bulletproof vest, because "the rules are a little different" there :)
Do break-ins increase during security conferences because hackers realize the watchmen are busy? Or do they go down during these conferences because the people breaking in are also the people at the conferences?
You put a bunch of people who do pwning for fun and/or a living in one room; it's not surprising if some will start pwning each other to show off or just for teh lulz.