I was somewhere around the Paris Hotel on the edge of the Las Vegas Strip when the paranoia began to take hold.
I glanced down at my phone. Sitting in a talk by Lavabit CEO Ladar Levison, I noticed my WiFi was left turned on, though it wasn’t connected to a network.
Was someone sniffing my phone’s data? Could I have been hacked?
I quickly turned it off and put it back in my pocket.
This is what it’s like to attend Def Con, the world’s largest hacker conference and home to what’s billed as the most “profoundly hostile” wireless network anywhere. Before that, I was at Black Hat USA, the information security conference during the same week.
Though both are a fun time to meet awesome people, learn from the best, and party, it can be overwhelming to the first-time attendee like me.
Chances are, my small error didn’t inspire any mischief among the “black hat” hackers who blend in among government agents and the “white hat” types who protect companies from attack. But it was a moment of realisation that would come up repeatedly over the week: The possibility of getting hacked — “owned” as they say in the hacker world — is not something that should be feared by the vast majority of people, but for journalists, activists, and even hackers themselves, a little paranoia can be a good thing.
This realisation is particularly evident when there’s a giant screen projected inside a room on the Bally’s 26th floor showing off the “Wall of Sheep” — the unlucky souls who were letting data packets with usernames, passwords, and other information fly out in the clear, with Def Con’s “packet hunters” picking them up.
It also didn’t help that some were spreading rumours of people employing IMSI catchers to intercept phone calls, while others on Reddit were saying feds were setting up the infamous “Stingrays” around the hotels. I wasn’t able to confirm that either way.
The idea of staying on guard was made clear while attending a talk earlier in the week at Black Hat USA, in which Claudio Guarnieri and Collin Anderson debuted three years of research on what is believed to be multiple groups of government-linked Iranian hackers targeting external human rights groups and dissidents within the country.
The methods they used were crude, but effective: some were simple emails enticing victims to click a link to a website the attacker had loaded with malicious code, while others came with attachments that download malware.
At Def Con, there were speakers focused on hacking cars, or exploiting software specifically designed to thwart hackers such as Little Snitch. Two security researchers even debuted the first-ever ransomware on a smart thermostat.
All in all, the week of hacking conferences I attended gave me a greater appreciation for the work that security researchers do in pointing out vulnerabilities, as well as their attempts at patching them.
But it also reinforced the importance of the user to proactively keep themselves safe online. If I learned anything during a week of talking with and hanging around hackers, it’s that it’s easier than ever for even inexperienced hackers with high-tech tools to target someone.
The Wickr Foundation’s “tips for surviving Def Con” say to completely turn off WiFi and Bluetooth, cover cameras with tape, never use ATMs, and never connect phone chargers except for your own — even at the airport. While this may be totally paranoid advice for a week where 20,000 hackers are in town, it can be overkill for the average journalist or activist.
Still, the absolute basics are so simple to implement that it’s incredibly surprising to see so many people leave themselves wide open to attack. Though they won’t make a person “unhackable” — that’s not possible — taking basic precautions will make for a hard target, which can immediately deter an attacker and cause them to move on to someone else.
For example, a hacker can execute a “man-in-the-middle” attack on the coffee shop’s WiFi network and intercept everything, but if you used a free VPN service they’d see nothing but encrypted traffic. And while a brute force attack or social engineering a target can glean a super simple password, it would be much harder if a victim was using a password manager like 1Password or LastPass to generate 30-plus character passwords that are safely stored.
Most importantly, no one should just mindlessly click on a link they have been emailed by someone they don’t even know.
Perhaps my paranoia will wear off. But, if you hacked me at Def Con, please activate my webcam and let me know. Or shoot me an email with the key ID 8948807D.
I’d be happy to chat about how to do better next time.