While we as security professionals regularly watch out for such dangers as creepy "free" Wi-Fi hotspots, evil hoodied hackers typing in their fingerless gloves unleashing havoc, and the dreaded nation-state spy rings coming after our corporate secrets, there is, perhaps, another danger we should look out for: ourselves.
Photo 1: A sea of unmonitored bags at the “check your bag” area at a security conference this year.
OPSEC. It stands for operational security, and while it has a much more expansive meaning than I'm going to cover here, I did want to make a few points. I've talked about attending conferences before, and given you a few tips for staying safe during your travels.
Your biggest danger is probably going to be regular crime. I recently returned from Las Vegas after attending Black Hat and DEF CON, where I saw some remarkably bad OPSEC and took a few photos. I guess I expected a community centered around computer security to think about all security issues pretty much 24/7, so a few pics were tweeted out with my pithy remarks. But it occurred to me that I could probably explain things in a slightly more helpful manner than 140-character chunks of gut reaction, and point out some fairly common OPSEC pitfalls.
Near the end of my visit, I learned of three separate individuals whom I know personally (and heard of several others) who ran into OPSEC problems and had items stolen, so I thought I'd turn some of those tweets into something a little more constructive.
Trading Trust For Convenience
In Photo 1 above, there are a large number of rollerboards and other travel bags, all belonging to various Black Hat conference attendees. As an added convenience, the conference organizers had arranged with Mandalay Bay (where the conference was being held) for a resort bellhop to operate a checked-bag area. This way, attendees heading to the airport at the end of the day didn't have to traverse the entire property to check their bags at the bell desk.
Now, the main front desk area where bags are stored is off-limits to everyone except hotel staff. It has highly organized shelves, and is watched by cameras located near the main doors and on the edge of the casino floor. However, in this makeshift bag-check area at the conference there were no shelves, so the bags sprawled over a larger footprint; plastic stanchions with nylon bands between them were the only security barrier; and it all sat in a walkway that led to the vendor floor. Granted, this was a side entrance to the vendor floor, but a legitimate entrance nonetheless.
I didn't conduct a serious examination, but there were no cameras that I could see in this area, which makes sense since it was neither an entrance nor a gaming area. There was a single table that functioned as a desk for the bellhop, and the first time I went by, there was no bellhop in sight. In fact, there was a second table behind the first one, right next to the bags, and a couple of gentlemen were taking a break from the conference to have a chat at that table.
As you can see in the picture, everything is remarkably out in the open, and I think anyone could have walked up and grabbed a bag from the back. About 30 minutes later, I walked by again and the bellhop was there, but so were the two chatting gentlemen, who obviously had not been asked to leave.
The safer thing to do would be to use the main front desk with its additional security and just deal with the long walk, and avoid a satellite operation that lacks all of the safeguards meant to protect bags.
Photo 2: Free power for charging your phone, available in two flavors.
While Photo 2 itself doesn't show what I believe to be an actual problem, you would have to be fairly trusting to simply plug your phone into a strange cable when you can't see the other end of it. This was at a vendor booth in one of the main hallways at Black Hat, where they'd set up a lounge area with comfortable seating and tables. They offered free charging, which again is convenient.
A lot of us use portable chargers, and I would encourage investing in one. It gives you the extra freedom of not having to hunt for a power source after you've been using your phone all day at the conference and can't find an open outlet. It has obvious advantages when it comes to travel, whether at the airport terminal or during a long flight.
Like I said, this was probably safe in this instance, but it encourages the mindset that any and all free phone-charging sources are safe, like those sketchy-looking USB ports at the airport. Keep in mind that a USB connection carries data as well as power, so you can't tell from the socket whether there is a host on the other end; a charge-only cable or a USB data blocker, or simply carrying your own AC adapter, takes that question off the table.
Unattended Personal Items
Photo 3, left: On the other side of the unattended canvas bag is a purse. Photo 4, right: A conference attendee saves a lunch spot.
Leaving your valuables unattended is a no-no. Photo 3 was taken during Black Hat in the vendor area on the second level. While I didn't feel I could get a photo from the proper angle without looking really creepy to the owner, the canvas bag in the photo contained swag from her employer's vendor booth right around the corner, and blocked my phone camera's view of her purse. The bags stayed there for at least 30 minutes (I watched her drop them off), and from the angle I was at I could easily have stolen the purse unseen.
In Photo 4, taken during lunch, a Black Hat conference attendee placed his laptop bag on a table to save his spot, then turned his back on the bag and began to fill his plate. As I snapped that picture I heard several attendees around me snicker, and one commented, "one of us should grab his bag to teach him a lesson."
If you have something valuable, keep it on your person, or lock it up in some way. A travel lock that secures a strap around a table leg is nice, and some bags have all kinds of anti-theft features; none of them is perfect, but there are many deterrents you could use. Anything that causes a thief to think twice will hopefully motivate them to find easier targets.
Keep It With You, But Safe
Photo 5, left: Items nearly falling out of pockets. Photo 6, right: Backpack with a DEF CON guide; next to it were what appeared to be travel documents.
Photos 5 and 6 both show items either falling out of pockets or sitting in wide-open pockets that were easily accessible. This is exactly what a pickpocket looks for: easy targets with a high chance of undetected success.
Don't overstuff your pockets; put the overflow into a small bag or backpack, keep wallets and purses in front, and if your valuables are on your back, secure them. Again, travel locks are your friend for locking zippers together, and if you can't readily secure the outer, exposed pockets, at least consider keeping only non-essentials in them (or leaving them empty).
Depending on the position you hold within your organization, or on what your organization does, you personally might be directly targeted as you wander about the conference. Even if your digital OPSEC is already heightened, don't forget the physical side. The precautions mentioned above still apply, but if you work in a sensitive industry, as many attendees of security conferences like Black Hat and DEF CON do, you should definitely step up your game.
There is nothing wrong with being paranoid and overly cautious. My main point is to be realistic about your threats: don't get caught up worrying about someone using a zero-day to target just you at the expense of all other considerations, because a zero-day being deployed at a security conference is a rare event.
Another thing to keep in mind - getting pwned at a security conference like DEF CON is most likely going to be an embarrassing doxing, while having your ID, credit cards, laptop, cash and phone stolen is going to be an absolute nightmare (especially getting through security at the airport to head home).
What we are talking about here is risk assessment at a very basic level: when you are in a town filled with drunk tourists carrying gambling money, there is a greater risk of being pickpocketed or having a bag stolen than of having your system compromised. In other words, this is the kind of advice one gives anyone visiting Las Vegas, or any other large city you might be unfamiliar with. You're in a strange place where the rules are slightly different; adjust your risk level accordingly.
Stay safe, be aware of your environment at all times, watch your valuables like you watch those security logs, and try to make things harder for the bad guys.