Tuesday, 25 July 2017

Some solid advice

https://media.boingboing.net/wp-content/uploads/2017/07/upsstore_100729948_medium.jpgCeaser's Palace in Las Vegas is holding this year's Defcon, a conference about hacking and security.  There are good reasons to believe that scoundrels will be attempting to hack everything in sight and even better reasons to believe they have the skills to pull it off.

For this reason, the UPS business centre in the hotel has decided only to accept print jobs that come as an email attachment, not on a USB stick or via a link. This is a reasonable precaution and probably the best compromise they can make while still doing business. Email attachments aren't at all safe either, of course, but people will need to print stuff, I guess. In general, reducing the number of attack vectors is worthwhile but at a conference like this it might just goad people into getting creative...

Cory Doctorow reports at Boing Boing (from where I borrowed the photo for this post), also noting that Andy Thompson (aka @R41nM4kr) has offered a list of security essentials for attendees.  They are pretty sensible. I follow an almost identical list of rules whenever I am forced to leave the house.

Here's the part of Thompson's list concerned with internet access and connectivity:
  1. Unless absolutely necessary for a job function, disable WiFi.
  2. Disable Bluetooth on your computer and phone.
  3. Disable NFS connectivity on your phone and computer.
  4. If Wifi is absolutely required, ONLY use your own provided wifi. I used a JetBack/MiFi and connect ONLY to that device.
  5. Always use a VPN as soon as you obtain WiFi access.
  6. Do NOT plug any network cable into the laptop.
  7. Do not plug any USB storage devices (hard drives, sticks, network adapters, Raspberry Pi’s, etc) into the laptop or phone. 
The importance of not connecting to public WiFi unless you really need to and then only doing so over a VPN cannot be overstated. I'd love to know more about the pscyhology behind the willingness we have to connect to random networks just because they happen to be there. We generally have no idea about whether they are secure, whether they have been compromised or whether the operators have malicious intent. We don't even know if the network is legit: we tend to assume that if there's a WiFi signal with the same name as the venue, then it's operated by that venue.

It's frighteningly easy to intercept traffic on unencrypted wireless networks. It's almost as easy to write scripts to scan for things that might be passwords flying about the place.  So if you do need to use public or commercial WiFi, be sure to use a VPN.

I use my phone as a mobile hotspot with a VPN rather than use other people's WiFi.  I only make an exception when there's no mobile signal. Something tells me this won't be a problem in Vegas.

My list, if I happen to be leaving the country (especially to the US) has some additions:
  1. Log out of social media, email and messaging accounts on your laptop and phone. Remove any cookies that store passwords.
  2. Use a hardware token (I use a Yubikey Neo) to protect access to your password manager (you're using a password manager, right?)
  3. Send the hardware token in your checked luggage, don't carry it with you.
That way, nobody can force you to reveal your passwords. Of course, they might refuse you entry to the country and it will be quite inconvenient when your luggage is inevitably lost, but if these prices seem like they are worth paying, go for it. Also, you'll feel kind of like a spy.

No comments:

Post a Comment