Security news that informs and inspires

Welcome to Vegas! A Primer on Attending Black Hat & DEF CON


This is a general guideline aimed at first-time attendees to Black Hat and DEF CON, although there is probably decent advice to be had for all contained in this post. While the easy thing would be just to say "don't use or bring a cellphone or laptop at all", I would hope security professionals are capable of attending a conference without getting compromised. With that in mind and input from friends, I've pulled a few tips together that I hope can help. While applicable to most cons, there are a number of threats historically associated with BH/DC, and I've grouped them into three categories - nation state actors, security professionals/hackers, and regular crime elements.

Nation State Actors

There is typically a decent amount of foreign intelligence that attend BH/DC. Some of the attendees are those same characters you've read about online, or who are featured on the Duo Security Attribution Magic 8-Ball of Truth and Justice (my name for it). But a lot of them will be actual spies who do spy stuff, with a completely different set of scary skills. Some of these nation states send their spies simply because their enemy is sending spies.

And, of course, the various United States TLAs (short for Three-Letter Acronym, referring to the FBI, CIA, NSA, and other agencies, basically Scary Scary Spies) will be represented heavily, some to attend the conferences, but many to keep an eye on the aforementioned organizations. There are rumors that the number of government-rate rooms that are booked in Las Vegas hotels far exceed the number of BH/DC attendees from a TLA or military-industrial-entertainment-complex company. While a lot of these spies tend to do spy stuff on each other, on occasion they have been known to go after conference attendees.

There will be researchers, security companies, and representatives from all kinds of target companies these groups are interested in. Yes, there have been room break-ins in the past with attendees' tech devices targeted, but these are hardly the norm and somewhat rare. Most occur during dinner time when attendees are eating and heading out to vendor parties - during the day there is more foot traffic and housekeeping staff about.

Security Professionals/Hackers

This is a fairly significant threat. There will be a lot of hacker types, alcohol, and a weird form of "I must prove myself" posturing that can lead to collateral damage in the form of felonies committed against the tech you brought. You know that one person that if you are around you just want a cigarette, even if you quit years ago? Hacking can be that way, too. A “retired” hacker turned security professional meets up with that old buddy, they popped all those systems together back in the day, some old urges awaken after a couple of shots and stories about old times. Next thing you know, the laptops come out and bingo, more collateral damage.

The volume of the sheer crap, especially on the DefCon network, usually causes a near denial-of-service during peak times. I've worked at vendors who paid money to have their various products placed on security con networks just to see that crap, and it is spectacular. Believe it or not, 0day is usually rare at BH/DC. Remember there are a ton of security companies and security professionals all sniffing and looking for something interesting - if someone uses 0day then it is no longer 0day pretty much instantly. Also, we live in a world where 0day is actually worth a lot of money, rarely is it used for "the lulz" anymore. Things like Stagefright where the vulnerability is public and a patch is moving from Google codebase to cell phone vendor to downloadable patch to installation, it is possible some Android users will still be exposed as they arrive in Las Vegas. Recently patched vulns are the new lulz.

Regular Crime Elements

This also includes things like pickpockets, laptop theft, sexual assault, robbery, and a host of other crimes that has happened in Vegas. Quite frankly this is the area that I would be most concerned with, more attendees are hit with this than anything else.

Basic Guidelines

  • Wallets in front pockets, purses and laptop bags properly secured, carry in front of you if possible particularly in crowds and keep in your lap when sitting down.
  • Try to stay in groups, particularly at night in sketchy areas.
  • All the things you do before you put a system on the Internet, do that stuff to your system. Because a Vegas network during BH/DC is kind of like the entire Internet, minus the good stuff.
  • All tech you bring should be patched up. Avoid patching while in Vegas! Perfect way to get MITM'd.
  • Bluetooth and wifi on all tech - off.
  • Encryption is a must, VPNs etc, no plaintext anything. You are using Duo's 2FA product, right?
  • I hope your work laptop's drive is encrypted, and if you bring your personal laptop that drive should be encrypted too.
  • Your phone should be okay sticking to non-wifi and non-bluetooth. Rogue cell towers are possible, but remember that Uncle Sam is there hoovering up data like a madman, spying on spies. If and when these rogue cell towers occur, they'll want to shut it down ASAP. If the spies don't trust the cell phone network they won't use it, and Uncle Sam wants them using it.
  • Learn to drink. That means alternate between alcohol and water, and switch to water if you are getting too drunk. This helps prevent hangovers, and you don't want to be so impaired your mouth starts running with that cool tech person you just met who is trying to socially engineer you. Also, not drinking is perfectly fine, no one cares nor will pressure you. Generally not that type of crowd.
  • There are plenty of fine adult activities in Las Vegas, so make sure you are an adult and consider the situation you are getting yourself into. Foreign intel is aware of these fine activities as well, mainly for blackmail purposes. Because what happens in Vegas no longer stays in Vegas in this cell phone camera age.
  • Tinder/Grindr and the like. Again, foreign intel.
  • Vendor parties are great, you can meet fellow geeks. The events are usually at some club that us nerds could not get into normally, and they hold them like from 7-10pm. After the event is "over" at around 10 they let in the normals. At that point your risk of being pick-pocketed and roofied just increased substantially, I typically leave then. Besides, the music is usually deafening and we all prefer the techie conversations anyway.
  • Don't hack while there. With that much law enforcement presence, no point in gift-wrapping and hand delivering them more casework, right?

Ultra-paranoid Guidelines

  • Burner phone.
  • Burner laptop, or no laptop.
  • Carry all your tech with you constantly.
  • Don't attend, follow the madness via social media, claim you were there the whole time. Stealth mode!

Black Hat and DEF CON can be an educational, fun, and bonding experience but it can also become a horrible “this is why I hate Vegas” story. So be safe, maintain situational awareness, and most of all have fun while contributing in a positive way to our community.