Laptops at Security Conferences

Published: 2012-05-14
Last Updated: 2012-05-14 15:31:16 UTC
by Chris Mohan (Version: 1)
17 comment(s)

I’m often curious what other security folks do to keep their machine safe when they go to IT conferences. I often see what looks like standard office machines being used and wonder if any precautions have been taken. So here’s what I do, and I’d love to find out what other measures you take.

I’m about to spend a few days at a large security conference, so I’m just putting the finishing touches to the laptop I’m taking with me. As I don’t have any real needs beyond email, typing notes and web browsing, it’s a simple job of installing a clean OS and a couple of must-have applications*. In keeping with Joel’s previous Diary, it took the duration of some reality TV show to install all the various patches needed to bring these apps up to date.


Now this is where I go through my normal additional hardening steps. This OS happens to be Windows 7, so I disable a bunch of services, kill IPv6 services, gleefully disable hibernation and add in a gaggle of firewall rules (or should that be an annoyance of firewall rules?).
 

The last thing I do is make a record of the clean state of the computer. This is the part I’m assuming most companies have if they have managed operating environments (MOE) or standard operating environments (SOE), as this is such an easy thing to do and provides a trusted baseline for the security teams to compare against.
 

In Windows there’s a bunch of ways to ask the computer what’s running and what services and software are installed, but I like PowerShell, so here’s a quick and dirty way to get the info and save it to a file.
 

From a PowerShell prompt:

# Installed software (the c:\build folder must already exist for Out-File to write there)
gp HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* | Select DisplayName, DisplayVersion, Publisher, InstallDate, HelpLink, UninstallString | Out-File c:\build\base.txt
# Running processes, grouped by the company name in each executable's version info
Get-Process | Sort Company | Format-Table ProcessName -GroupBy Company | Out-File -Append c:\build\base.txt
# Services installed
Get-Service * | Out-File -Append c:\build\base.txt
 

This gives me three pieces providing a baseline** of the system.
 

I’m now ready to skip from vendor booth to vendor booth, keen to look at their product case studies conveniently on handy novelty USB devices, while surfing the web on freely provided Wifi doing on-line banking, checking today’s nuclear launch codes and wondering why I keep seeing "Loading Please Wait" when clicking on links in emails from people I’ve never heard of. Although this is an attempt at humour (note: attempt), having a baseline of the clean machine allows me to identify the more obvious signs of something bad happening to my system.

If I do feel a disturbance in the force or the laptop does something odd, I can re-run my simple PowerShell commands (with a different output name) and look for changes.
 

# Comparing in PowerShell: lines marked => exist only in the new snapshot, <= only in the baseline
Compare-Object -ReferenceObject $(Get-Content c:\build\base.txt) -DifferenceObject $(Get-Content c:\build\new.txt)

That gives me a quick indication of whether something has changed on my system (barring rootkits) and whether I need to worry.

Let me know what you do or don't do when taking your system to a conference.

 

* I can’t say I’m a big fan of live CD/DVD/USB, I see their uses, but they get out of date, especially the browsers, far too quickly.
 

**If you want to get more fancy with the base snapshot, it’s pretty easy to script that out to include registry keys, firewall rules and even files in directories with cryptographic hashes.
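As an added example that is not part of the original diary, here is one way to script out the fancier snapshot this footnote describes, building on the three baseline commands above: installed software, services, autorun registry keys, firewall rules and SHA-256 hashes of files in one directory, plus a Compare-Object wrapper that labels what was added or removed between two snapshots. The autorun key list, the hashed directory, the C:\build paths and the English netsh labels are illustrative assumptions, chosen to run on Windows 7 with PowerShell 2.0.

```powershell
function Get-SystemSnapshot {
    param([string]$HashDir = "$env:SystemRoot\System32\drivers")  # illustrative default directory
    $out = New-Object System.Collections.ArrayList
    # Installed software, read from the same registry location as the diary's first command
    Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* |
        Where-Object { $_.DisplayName } |
        ForEach-Object { [void]$out.Add("SW|$($_.DisplayName)|$($_.DisplayVersion)|$($_.Publisher)") }
    # Services with start mode and binary path (a changed path is worth a look)
    Get-WmiObject Win32_Service |
        ForEach-Object { [void]$out.Add("SVC|$($_.Name)|$($_.StartMode)|$($_.PathName)") }
    # Autorun registry keys: a common place for unwanted persistence to show up (list is an assumption)
    foreach ($k in 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
                   'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
                   'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run') {
        if (Test-Path $k) {
            (Get-ItemProperty $k).PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } |
                ForEach-Object { [void]$out.Add("RUN|$k|$($_.Name)|$($_.Value)") }
        }
    }
    # Firewall rules via netsh (English labels assumed); Get-NetFirewallRule needs Windows 8 or later
    netsh advfirewall firewall show rule name=all |
        Where-Object { $_ -match '^(Rule Name|Enabled|Direction|Action|LocalPort|Program):' } |
        ForEach-Object { [void]$out.Add("FW|" + ($_ -replace '\s+', ' ')) }
    # SHA-256 of every file under $HashDir, via .NET because PowerShell 2.0 has no Get-FileHash
    $sha = [System.Security.Cryptography.SHA256]::Create()
    Get-ChildItem $HashDir -Recurse | Where-Object { -not $_.PSIsContainer } | ForEach-Object {
        $file = $_   # keep a reference: inside catch, $_ is the error record, not the file
        try {
            $fs = [System.IO.File]::OpenRead($file.FullName)
            $h = [BitConverter]::ToString($sha.ComputeHash($fs)) -replace '-', ''
            $fs.Close()
            [void]$out.Add("FILE|$($file.FullName)|$h")
        } catch { [void]$out.Add("FILE|$($file.FullName)|UNREADABLE") }  # locked or access denied
    }
    $out | Sort-Object
}

function Compare-SystemSnapshot {
    param([string]$Reference, [string]$Difference)
    # '=>' means the line exists only in the new snapshot, '<=' only in the baseline
    Compare-Object -ReferenceObject (Get-Content $Reference) -DifferenceObject (Get-Content $Difference) |
        ForEach-Object {
            $tag = if ($_.SideIndicator -eq '=>') { 'ADDED  ' } else { 'REMOVED' }
            "$tag $($_.InputObject)"
        }
}
# Take the baseline on the clean build, a fresh snapshot when something feels off, then diff them:
# Get-SystemSnapshot | Out-File C:\build\base.txt
# Get-SystemSnapshot | Out-File C:\build\new.txt ; Compare-SystemSnapshot C:\build\base.txt C:\build\new.txt
```

Services and hashes are stable between runs, so any ADDED or REMOVED line is worth explaining; expect some noise from Windows Update changing software versions and driver files, which is why the baseline should be retaken after patching.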

 

Chris Mohan--- Internet Storm Center Handler on Duty

 

I’m mentoring SANS Hacker Guard 464 class in Sydney on the 7th of August - SysAdmins, this is for you! https://www.sans.org/mentor/class/sec464-sydney-aug-2012-mohan
 

Keywords: hardening laptop

Comments

I usually just run a Live OS from a thumb drive or something. That way it doesn't matter what computer I'm on. I also run most stuff over my personal VPN. Yes, that may introduce hackers to my home IP, but such is life... My first time at BlackHat\DEFCON I was so paranoid I actually bought a "burn phone" (one of those pre-paid jobbers).

You know what'd be funny, if you ran something like DVL or Metasploitable on your laptop at a hacker con. You'd have the most active honeypot in the world for about 30 minutes haha!
In all seriousness, nothing.

Between the crappy hotel wireless networks, skiddies packeting everything and everyone on the con wireless networks, and the general lack of anything I really need to check online while I'm at the conference, it's rare that I take my laptop out of my backpack while I'm at a con, let alone boot it up.

If I absolutely need to use a laptop at a security conference, I use a crappy netbook purchased from Craig's List. The on-board flash storage is wrecked so I boot a live distro from a micro-sized USB key. Any files I need are manually copied to a nodev/noexec/nosuid mounted partition on the USB key. When I get home I plug the key into another workstation with the nodev/noexec/nosuid options, copy the files off, and check them out on the machine (if it was a 'legit' conference that $work paid lots of money for) or a disposable virtual machine (if it was a con that actually had useful info). I'm at cons that require such measures once a year, at most.

By the way, pipefish, running DVL on the wireless net at cons is lots of fun. The more experienced folks think it's funny to send messages to one another by defacing the distro's website and the skiddies go nuts throwing everything and the kitchen sink at it.
Nothing, also, though I'd like to do many of the things you discuss. However, in the interest of security, I do not have admin access to my Win7 laptop. Seems like I'm in a Catch-22 situation. Yes, I'm a "security guy", but only the IT guys have admin access to our laptops.

Heading to a conference tomorrow. I'll take the standard issue company laptop because I need to do some work in the evening. The only thing I can do for a modicum of protection is to do everything through the company VPN.
Well, I don't really do anything different than I do day-to-day no matter where I am. I always presume someone wants unauthorized access to my system. My drive is fully encrypted and uses biometrics to begin with - with a heck of a strong BIOS password, all of which of course is only good protection against loss. Second, if I know I am going somewhere "higher risk", I will remove unneeded sensitive information to limit risk, and disable WiFi. I bring my own Internet (3G/4G) and don't use the WiFi connection for the hotspot (USB tethered). I don't usually use hotel or conference Internet at all. Then I use VPN for ALL connectivity. Of course, I never let the laptop out of my sight either (except for safe in room, etc). Oh, and I usually have 13+1 reasons that help ensure nobody will take my laptop concealed on my hip. I figure I have both physical and logical protection that way, and frankly, bringing my own Internet helps simplify issues with connecting to other WiFi, etc. Short of TEMPEST type stuff and ensuring no shoulder surfing, that should address most concerns. Granted sometimes BYO Internet can be a problem with weak signal areas, but then I just actually pay attention to the conference. LOL
I disable wireless in the BIOS and don't plug jacks in. If I need access while I'm at a con, my work provides me with an EVDO board which I can use as needed. I think there are carriers now providing EVDO or similar cellular technology on month-to-month plans once you pay for the hardware?
* Backup your laptop first.
* Encrypt your laptop hard drive, if you haven't already.
* Use a VPN for all connectivity.
* Configure your host firewall to permit VPN traffic to your VPN endpoint, permit dhcp client, and to permit all traffic on your VPN tunnel interface. Deny all other traffic.
* Keep your laptop with you at all times.
* Disable bluetooth.
* Avoid using any captive portals if possible.
I went to a security conference a few months ago, and this is what I did. Brought a newly imaged/patched laptop, as well as an iPhone and iPad. The laptop was used for everything related to the conference, never for email or access back home; the iPhone and iPad were used for that (via the Good for Enterprise app for email). End of the conference, erased the disk of the laptop and handed it back to IT, to re-image and re-issue to another person. I just assumed it was at risk, and didn't worry about what might have happened to it. I had admin, used conference network etc for laptop. iPhone/iPad used strictly cellular connectivity with wifi off during conference.
I have a second encrypted hard drive for my system that I swap in for conferences. It's a bit more locked down than I can afford on my day-to-day image. If I absolutely have to do work, I can swap in my normal hard drive out of hours. (Limited exposure and all.)
I haven't been to a major IT security conference in a while, but I have to say after the first one I went to I stopped bothering to bring a laptop. The risk is high and the script kiddies have usually pounded the hotel network into uselessness, anyway.
I make a backup image of my laptop before conference, then wipe, clean install, patches, etc. Then I disable any unnecessary services. All of my connectivity to work is through 4G cell link with VPN client tunnelling everything. Sometimes I will boot from a live distro and 4G/VPN back into office as well. Just depends on how much time I have to prep for trip.

I absolutely *never* trust the hotel wireless network at any security conference!! I even clean up all SSIDs on my phone and set it to require confirmation of any wireless connection, and also disable the wifi radio as well.
