OpSec For DEF CON 30 (2022)

DEF CON is a massive hacker conference which, as of writing, will hold its 30th year in the coming months. A gathering like that also means rival hackers may decide to mess with other people's devices, including yours. Hotels and local establishments adjust their security posture for it as well. A bouncer I met at a party at DEF CON 25 was even instructed not to turn on anything with batteries.

I will say that while the raised preparedness helps, you do not have to be paranoid, nor should you be. Paranoia is not your friend. By putting security into your routine, also known as practicing good Operational Security, you will be able to function normally with security as something close to second nature. Before I dive into this, I should open with a disclaimer.

Warning: This guide is making assumptions about you, the reader.

Before we continue, you should understand that everyone's security needs are not the same. This guide is going to be making the following assumptions:

  • You reside in a country that, generally speaking, recognizes human rights. This guide is written from the perspective of someone who has spent his entire life in the United States of America.
  • You are not in the public limelight, or taking part in activities that would make your likeness viral (such as being a government official or corporate officer).
  • You are not working in law enforcement, the military, or comparable institutions and organizations.
  • You are not holding a security clearance, nor are you working in an occupation which necessitates a remarkably thorough personal background assessment (such as a Single Scope Background Investigation).
  • You are not taking part in activities that carry an inherent risk of putting your life or liberty on the line (protesting, civil disobedience, or field journalism/reporting, for example).
  • You are not being narrowly/specifically targeted by a Signals Intelligence outfit (ex. NSA, GCHQ, Unit 8200, etc.), or an Advanced Persistent Threat group (ex. Fancy Bear, Lazarus Group, PLA Units 61398 & 61486, etc.).
  • You are not a fugitive who is fleeing from law enforcement, or avoiding being served with a summons.

It's also worth pointing out that this guide is being written by someone who has not been on the receiving end of violence or surveillance predicated on discrimination on the basis of race, gender, sexual orientation, or other immutable characteristics. While this guide may help those in marginalized communities, they may need to deviate from it, and even go above and beyond what is in this guide, if they are being targeted.

For all intents and purposes, this article is a guide to protecting yourself from vanilla threat actors at the DEF CON conference in Las Vegas, and everywhere else.

On Operational Security

Operational Security (or OpSec) for the purposes of this article can simply be defined as managing risks to your devices and information. This requires changes in behavior, as well as configuration changes to your devices and applications. This particular guide is broken down into device security and communications.

Device Security

Devices you bring to DEF CON should be locked down so that only you are able to use them, unless you intend to share them. Different devices will need to be configured in different ways, but generally speaking anything you bring with you should always be in your custody, and you should be mindful of what information you carry on it.

Maintaining Custody

Maintaining custody of your devices is a sound defense against parties who would seek to modify your equipment or outright steal your hardware. This means of security only requires you to know where your stuff is and who is handling it. Should your phone or notebook be stolen, whatever contents you have on it can be retained by an adversary, and a device that leaves your sight can come back with malware (be it spyware or a remote access trojan) installed on it.

Taking Stock Of Your Data

Before bringing a notebook or phone, consider what is on it, and what might happen if it were compromised. We all have contacts, messages, pictures and documents that somebody (your employer, an ex-boyfriend/girlfriend/significant other, the cops, etc.) could use against us. If you believe there is information that would pose an unnecessary risk to your work or well-being, minimize installed applications' access to it, and encrypt your storage devices (more on that later). The absolute best way to prevent a data breach is not to have the data to begin with, which means deleting files you believe would pose a significant risk should your devices be broken into.

If you want to eliminate most of the guesswork, and you're only preparing for an atypical use case (DEF CON, protests, etc.), you could set up separate "burner" devices. These are personal devices that do not carry any of the personal data you would typically take with you. The upside is that it drastically reduces the cost of a data breach. The downside is that it can be expensive to purchase and set up another laptop or smartphone, especially one that you would not use most of the time.

Keep Up To Date

Any software on your laptop or phone, including the operating system and any firmware the vendor still updates, should be at its latest version. If you are using a discontinued OS that is no longer supported by the vendor, there are open source alternatives like Ubuntu or Linux Mint that work with a variety of hardware.

Data Storage Encryption

Encrypting your hard disk and removable storage denies anyone who gets their physical, AFK hands on your stuff access to its contents. It protects data at rest: a device that is powered on with its volume unlocked gets no benefit from it, so shut down rather than suspend when you have to leave hardware unattended.

Multiple operating systems support full disk encryption, including Microsoft Windows and most Linux distributions. These are a few of the solutions that implement it:

  • Windows BitLocker - Microsoft's native storage encryption solution for Windows 10 and 11. The key protector is sealed in the TPM built into the system/motherboard, or kept on a removable storage device, and cannot be read out or copied by conventional means. A TPM-only configuration releases the key to anyone who merely powers the machine on, so add a pre-boot PIN if you can. BitLocker is relied upon by many commercial enterprises that use Microsoft Windows in their IT environment. Be aware: the full BitLocker feature is not available in Windows 10 Home Edition and Windows 11 Home Edition (Home offers only the more limited "Device encryption" on supported hardware).
  • VeraCrypt - An open-source encryption solution that can be used to create encrypted storage volumes as well as encrypt whole storage devices. It is a fork of the discontinued TrueCrypt project. Multiple operating systems are supported.
  • Linux Unified Key Setup (LUKS) - The Linux disk encryption standard used by general-purpose Linux distributions. The installer of any Ubuntu-based distribution sets it up when the user elects to employ full disk encryption.
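The check a practitioner wants after enabling any of the above is proof that the volumes actually in use are the encrypted ones. The script below is an added example written for this guide, not code from the original post: it parses `lsblk -P -o NAME,TYPE,FSTYPE,MOUNTPOINT,PKNAME` output (an assumption about util-linux's key="value" format and its PKNAME column), walks each mounted device's parent chain, and reports anything that is not sitting on top of a dm-crypt/LUKS layer. The device table it runs against is constructed, not captured from a real machine.

```python
"""Report mounted filesystems that are NOT backed by an encrypted block device.

Added example for this guide, not code from the original post. Assumes
util-linux lsblk with -P (key="value" pairs) output and the PKNAME column;
the SAMPLE table below is constructed, not captured from a real machine.
"""
import re
import subprocess
import sys

# Constructed `lsblk -P -o NAME,TYPE,FSTYPE,MOUNTPOINT,PKNAME` output for an
# Ubuntu-style install: LUKS on nvme0n1p3 with LVM inside, plus a USB stick.
SAMPLE = """\
NAME="nvme0n1" TYPE="disk" FSTYPE="" MOUNTPOINT="" PKNAME=""
NAME="nvme0n1p1" TYPE="part" FSTYPE="vfat" MOUNTPOINT="/boot/efi" PKNAME="nvme0n1"
NAME="nvme0n1p2" TYPE="part" FSTYPE="ext4" MOUNTPOINT="/boot" PKNAME="nvme0n1"
NAME="nvme0n1p3" TYPE="part" FSTYPE="crypto_LUKS" MOUNTPOINT="" PKNAME="nvme0n1"
NAME="nvme0n1p3_crypt" TYPE="crypt" FSTYPE="LVM2_member" MOUNTPOINT="" PKNAME="nvme0n1p3"
NAME="vgubuntu-root" TYPE="lvm" FSTYPE="ext4" MOUNTPOINT="/" PKNAME="nvme0n1p3_crypt"
NAME="vgubuntu-swap_1" TYPE="lvm" FSTYPE="swap" MOUNTPOINT="[SWAP]" PKNAME="nvme0n1p3_crypt"
NAME="sda" TYPE="disk" FSTYPE="" MOUNTPOINT="" PKNAME=""
NAME="sda1" TYPE="part" FSTYPE="exfat" MOUNTPOINT="/media/user/USBSTICK" PKNAME="sda"
"""

PAIR = re.compile(r'(\w+)="([^"]*)"')


def parse_lsblk(text):
    """Return {NAME: {column: value}} from lsblk -P output."""
    devices = {}
    for line in text.splitlines():
        fields = dict(PAIR.findall(line))
        if "NAME" in fields:
            devices[fields["NAME"]] = fields
    return devices


def is_encrypted(devices, name):
    """True if `name` or any parent device is a dm-crypt mapper (LUKS, or the
    plain dm-crypt that VeraCrypt uses on Linux). Walks the PKNAME chain up."""
    seen = set()
    while name and name not in seen:
        seen.add(name)  # guard against malformed or cyclic PKNAME data
        dev = devices.get(name)
        if dev is None:
            return False
        if dev.get("TYPE") == "crypt" or dev.get("FSTYPE") == "crypto_LUKS":
            return True
        name = dev.get("PKNAME", "")
    return False


def unprotected_mounts(devices):
    """(name, mountpoint) for mounted or swap devices with no encrypted layer."""
    return sorted(
        (name, dev["MOUNTPOINT"])
        for name, dev in devices.items()
        if dev.get("MOUNTPOINT") and not is_encrypted(devices, name)
    )


if __name__ == "__main__":
    if "--sample" in sys.argv:
        text = SAMPLE
    else:
        text = subprocess.run(
            ["lsblk", "-P", "-o", "NAME,TYPE,FSTYPE,MOUNTPOINT,PKNAME"],
            check=True, capture_output=True, text=True,
        ).stdout
    for name, mountpoint in unprotected_mounts(parse_lsblk(text)):
        # /boot and the EFI partition are normally cleartext because the
        # bootloader has to read them; anything else on this list needs a look.
        print(f"UNENCRYPTED {mountpoint} ({name})")
```

Run it with `--sample` to see the constructed case, or without arguments on a Linux box to audit the real layout. On the sample it flags `/boot`, `/boot/efi` and the USB stick; the root filesystem and swap pass because their LVM volumes sit inside the opened LUKS container. Unencrypted swap on a real machine is worth fixing, since it can hold pages of whatever you had open.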

Encryption, and your constitutional rights

Full disclosure: I am not a lawyer.
If unlocking your devices requires something you know, such as a PIN or a passphrase, it is important to know that in the United States you generally do not have to provide it to the police, per the Fifth Amendment of the United States Constitution.

Police may however obtain and execute a warrant for tangible items that can be used to unlock your devices, such as a hardware key, and some courts have treated a fingerprint or face the same way. While your passphrase is a product of your mind, a token or biometric is not, and is therefore not subject to Fifth Amendment protections. The practical consequence is to disable fingerprint and face unlock for the trip, and to power devices fully off when you leave them, so they come back up demanding the passphrase rather than a finger.

Kill Unnecessary Wi-Fi Transmissions

Some devices retain a history of SSIDs they have connected to. If a device is set to reconnect automatically, it may broadcast probe requests naming SSIDs from that history. Anyone listening for those probes learns where you have been and can stand up a rogue AP with the same name; for an open network (or one whose key the attacker has) your device will happily join it.

Unless you are actively using an access point, leave Wi-Fi disabled. When connecting to new access points, ensure that the saved profile will not connect automatically, and prune old open-network profiles before you travel.
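On a Linux laptop running NetworkManager, the audit for the advice above is a one-liner's worth of parsing. The script below is an added example written for this guide, not code from the original post; it assumes `nmcli -t -f NAME,TYPE,AUTOCONNECT connection show` output, where fields are colon-separated and a literal colon inside a value is escaped as `\:`, lists every Wi-Fi profile that still auto-connects, and prints the `nmcli` commands that keep the profile but stop it joining on its own. The profile list it runs against is constructed.

```python
"""Find NetworkManager Wi-Fi profiles that still auto-connect and print the
nmcli commands that turn that off.

Added example for this guide, not code from the original post. Assumes
nmcli terse (-t) output: ':'-separated fields, literal colons escaped as
'\\:'. The SAMPLE profile list is constructed, not captured from a machine.
"""
import re
import shlex
import subprocess
import sys

# Constructed `nmcli -t -f NAME,TYPE,AUTOCONNECT connection show` output.
SAMPLE = """\
Hotel Guest:802-11-wireless:yes
DefCon-Open:802-11-wireless:yes
DefCon:802-11-wireless:no
Airport Free WiFi:802-11-wireless:yes
Wired connection 1:802-3-ethernet:yes
"""

# Split only on colons that are not preceded by a backslash (nmcli -t escaping).
FIELD_SEP = re.compile(r"(?<!\\):")


def parse_connections(text):
    """Return a list of (name, type, autoconnect) tuples, one per profile."""
    conns = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = [f.replace("\\:", ":") for f in FIELD_SEP.split(line, 2)]
        if len(parts) != 3:
            continue  # not a NAME:TYPE:AUTOCONNECT row; ignore it
        name, ctype, auto = parts
        conns.append((name, ctype, auto == "yes"))
    return conns


def wifi_autoconnect(conns):
    """Names of Wi-Fi profiles that will probe for and join their SSID unasked."""
    return [name for name, ctype, auto in conns if ctype == "802-11-wireless" and auto]


def remediation_commands(names):
    """nmcli commands that keep each profile but stop it auto-joining.
    shlex.quote handles SSIDs with spaces or shell metacharacters."""
    return [
        f"nmcli connection modify {shlex.quote(name)} connection.autoconnect no"
        for name in names
    ]


if __name__ == "__main__":
    if "--sample" in sys.argv:
        text = SAMPLE
    else:
        text = subprocess.run(
            ["nmcli", "-t", "-f", "NAME,TYPE,AUTOCONNECT", "connection", "show"],
            check=True, capture_output=True, text=True,
        ).stdout
    for cmd in remediation_commands(wifi_autoconnect(parse_connections(text))):
        print(cmd)
    # The blunt alternative: keep the radio off until you actually need it.
    print("nmcli radio wifi off")
```

The script only prints the commands so you can review them before running. The equivalents on other systems are `netsh wlan show profiles` and `netsh wlan set profileparameter name="SSID" connectionmode=manual` on Windows, and `networksetup -removepreferredwirelessnetwork en0 "SSID"` on macOS.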

Grab Tails

Tails is a Linux distribution built for Tor users and the privacy-conscious. By default it routes all your network traffic through Tor. You boot it from a live disc or external storage, and because it runs from memory, anything in the live environment is gone when you turn the computer off (an optional encrypted persistent volume exists if you need to keep something). This also makes it a useful fallback if your primary OS fails, as you can keep working from the live distro.

Communications

Attendees interested in monitoring radio frequency traffic can observe wide swaths of the wireless spectrum, including the ISM bands (which Wi-Fi and Bluetooth use) and the cellular bands. The following tips mitigate the threats of eavesdropping and Man-In-The-Middle attacks.

DEF CON Secure Wi-Fi

Prior to the event, you can set up your device for DEF CON's secure wireless network. Check DEF CON's Twitter feed for when they post the registration link. The secure network uses WPA2-Enterprise (802.1X) with per-user credentials; when you create the profile, configure the client to validate the server certificate DEF CON publishes, otherwise a rogue AP with the same SSID can collect your login.

Secure Tunnels

Communications over the air are going to be constantly sniffed by other attendees interested in the wireless traffic at the conference. It is recommended that you use a service that carries all your traffic through an encrypted tunnel and forwards it to the rest of the internet, so that whatever is intercepted locally is ciphertext. Keep in mind that the tunnel only protects traffic up to its far end; whoever runs that end sees what leaves it.

Virtual Private Networks

A VPN is a third-party intermediary that you forward all your traffic to through an encrypted tunnel. This protects all data in transit between your VPN-connected device and the VPN service itself, thwarting local eavesdropping. It does not hide that traffic from the VPN provider, which is why the choice of provider matters.

There are several to choose from, but it is recommended that you do your research on them, as they have different policies with respect to your privacy and what they keep tabs on, and they implement their solutions differently. TorrentFreak has a recurring blog post that examines several VPN services and asks about different aspects of the service, such as how they handle legal requests, which external vendors they use, how they keep and maintain logs, and other details.

Tor

Tor is a free traffic tunneling and anonymizing network. It is maintained by The Tor Project, along with all the volunteers who run their own Tor relays for others to use. Besides the aforementioned Tails OS, Tor is also accessible through the Tor Browser. Note that the exit relay sees your traffic as it leaves the network, so anything not already protected by HTTPS is readable there.

This is also useful if you do not use, or cannot afford, a VPN subscription. Other 'free' services exist, but they likely make their money by selling the information they mine from their user base. These no-cost VPN or proxy services may even sell you out to the authorities when it is convenient for them to do so (as Hide My Ass did with a LulzSec hacktivist). If you're not being sold a service, chances are you are the product.

One major drawback of using Tor, however, is that you may be locked out of several services that you would normally be able to reach. This is mainly because many different people are visiting the same sites through the same exit node, which can be interpreted as automated connection attempts against the server. Exit nodes may also be deny listed because Tor can be used for criminal activity, and the maintainers of a service do not want anonymous users connecting to it.

E2E Applications

SMS messages are likely to be read by anyone who happens to be sniffing the cellular bands. There are applications available that provide end-to-end encryption, so intercepted messages are useless to the eavesdropper. Each has its own specific purposes and needs, but all of them have been useful to me:

  • Signal - An open source application originally from Open Whisper Systems. It has the lowest barrier to entry for deploying secure communications by phone. Features like safety numbers for verifying contacts, video chat, and disappearing messages come standard. While there is a workaround, it requires a phone number to set up as intended.
  • Keybase - A service that uses social media accounts to verify public keys, and provides secure messaging on top of them. Contacts can be searched by their linked account handles, so you can directly message someone without exchanging phone numbers. Be aware that Keybase has been owned by Zoom since 2020.
  • Threema - A chat application with its own wide variety of features. Its services are based in Switzerland, which has very comprehensive privacy laws (it is also GDPR compliant). The application does not require a phone number or email to use, and only uses an ID number (Threema ID) as a unique identifier. The only drawback is that it costs money to install on your phone.

All this isn't just for DEF CON

While this guide was written in preparation for DEF CON, in reality this advice is useful wherever you go within most of the United States. I've observed the local establishments going above and beyond in their security efforts in Las Vegas, and this may be happening because all of the threats are at their most overt while the conference is on.

Even after DEF CON is over, criminal outfits will still commit data breaches, ad companies will still try to scrape information about your online habits, and governments will continue their cyberwarfare efforts against their enemies. They will be doing all of this without the outright tells of a hostile network environment.

What you do at DEF CON for OpSec can be carried beyond the conference to reduce the odds of becoming the victim of a crime, or to make it more difficult for other parties to track you.

Version History

  • Updated July 12, 2022:
    • Amended disclaimer for a more nuanced overview of the assumptions being made, with emphasis on the vanilla use case.
    • Updated taking stock section with recommendations to harden storage, as well as considering outright deletion. Added option for burner devices.
    • In data encryption: Replaced description schemes with products that facilitate data-at-rest encryption.
    • Reworded the constitutional rights section.
    • Reworded the secure tunnels section, and reworded the VPN section. Removed PrivateInternetAccess recommendation.
    • Updated URL to TorrentFreak's VPN service provider questionnaire.
    • Replaced 'blacklisted' with 'deny listed'.
    • Reworded the conclusion.
Creative Commons License


This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.