How To Stay Secure At Hacker Conferences

Having Fun While Being Diligent

Hacker cons, such as the upcoming Blackhat, BSides LV and Defcon conferences are really fun experiences, great networking opportunities, and a chance to learn something new about security. While we have fun at these conferences, we must remember not to lose sight of our personal security and/or OPSEC. We recently ran two segments on Paul’s Security Weekly to help people have fun and stay safe at hacker cons!

How We Came Up With The List

Over the last few years, we have hired a few new employees here at Security weekly, and for the first time our new employees do not have a security background. They will be attending hacker conferences with us, shooting video footage, making connections for sponsors, and recruiting guests for the shows. When we realized this would be a “perfect storm” for a security incident, we created a list of 20 rules to follow at hacker conferences and decided to share it with the world so everyone can benefit! The videos of the segments that ran on the show provide extra insights and tips from the Security Weekly crew, who have over 15 years of security conference attendee experience.

Part 1 – Protecting Your Stuff At Hacker Cons

  1. Secure Your Phone – Disable WiFi, Bluetooth, and NFC. Always use a passcode or swipe pattern to unlock your phone, and set the automatic lock time to 30 seconds or less. Your phone must also be encrypted.
  2. Never Give Your Phone To Anyone – Do not lose your phone and never give your phone to anyone else, ever. Never leave your phone unattended. Even at the bar, do not put it down and turn away to talk to someone.
  3. Laptops – Never leave your laptop unattended, ensure passwords are required to login, and data must be encrypted. Never, ever, under any circumstances, connect to WiFi or Bluetooth at a conference. Never, ever, ever, EVER take a device (USB, Bluetooth, SD card, etc.) and put it in your laptop, ever.
  4. Disable Stuff – WiFi, Bluetooth, and any other wireless communications (except 4G in certain conditions) must be disabled on all devices.
  5. Internets – Only use 4G to connect to the Internet, and limit the use of authenticating to sensitive systems (social media is okay as long as two-factor authentication is in use, but Amazon and other services are a no-go).
  6. Lies – Defcon is never cancelled.
  7. Demos – Never use your work or personal laptop for a demo or other such things inside or outside the booth.
  8. Authentication – Use two-factor authentication on all services that allow it.
  9. Disposable Gear – When in doubt, use a disposable phone and/or laptop with just a few accounts on it, then wipe it when you return to the conference.
  10. Losing Stuff – Do not leave anything of value unattended (laptop, phone, wallet, license, two-factor auth token, laptop bag, etc.).

Part 2 – Protecting Yourself At Hacker Cons

  1.  Device Connectivity – Never plug your device, phone or laptop into anything. Do NOT charge your phone on a public or any USB charging port, ever. Do not plug your laptop into any Ethernet port, ever. Bring a battery pack and appropriate cables to charge your devices.
  2.  Browsing – Never, ever go to a URL that someone tells you to go to or sends you in a message. Also, never click on a 3D barcode and go to the website inside the barcode, ever.
  3.  Badges – Do not leave your badge for the conference unattended or let anyone borrow your badge, ever.
  4.  Show Me The Money – Never use an ATM or anything that takes credit cards that is not being operated by a person (use discretion, and be aware if you have to use a parking meter, and realize this rule mostly only applies to Defcon).
  5.  Call For Help – Always have each other’s numbers on your phone, and only ever use Signal to send text messages to each other. Make sure you have trusted contacts at each conference that you can contact if there is an emergency or you are in varying degrees of trouble (e.g. I lost my wallet, I can’t find my room, I’ve had too much to drink and require assistance, I can’t find my pants, I am stranded at a party/strip club/gas station/underground poker tournament, I’ve been arrested, There is a dead hooker in my room, I am trapped in an elevator, I can’t find the party, I’ve been kidnapped by ninjas, etc.).
  6.  Patching – On any device you bring to the conference, all of the software and operating systems must be up-to-date. This means your phone is running the latest version of iOS/Android and ALL of the apps are updated to the latest version.
  7.  Strange Behavior – If an application is acting funny and displaying error messages, SSL certification errors, or anything that does not seem normal, abort it immediately. Never enter your password in this situation, and consider wiping the device at this point in the game.
  8.  Identity Protection – Any passports, credit cards, or other access cards with RFID should be left at home or stored in a wallet that blocks all radio communications.
  9.  Hotel Room – Never tell anyone your room number, and never write down your room number on your key or anything that could be associated with your room key. Put a towel in the door handle and put all electronics in the safe.
  10.  Hotel Room, Con’t – Never leave your laptop in your room. If you must, always put the Do Not Disturb/Privacy sign on your door. You don’t want the cleaning staff letting someone into your room to steal your laptop. Always lock your hotel room door, use the additional safety latch, and roll up a towel and put it inside the handle to prevent someone from pulling the handle down with a device.
Paul Asadoorian

Paul Asadoorian is currently the Principal Security Evangelist for Eclypsium, focused on firmware and supply chain security awareness. Paul’s passion for firmware security extends back many years to the WRT54G hacking days and reverse engineering firmware on IoT devices for fun. Paul and his long-time podcast co-host Larry Pesce co-authored the book “WRTG54G Ultimate Hacking” in 2007, which fueled the firmware hacking fire even more. Paul has worked in technology and information security for over 20 years, holding various security and engineering roles in a lottery company, university, ISP, independent penetration tester, and security product companies such as Tenable. In 2005 Paul founded Security Weekly, a weekly podcast dedicated to hacking and information security. In 2020 Security Weekly was acquired by the Cyberrisk Alliance. Paul is still the host of one of the longest-running security podcasts, Paul’s Security Weekly, he enjoys coding in Python & telling everyone he uses Linux.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.