I’ve been quite busy the past week with DT writing, so I haven’t had much chance to post here, or really get a grip on the latest NSA news that’s going on. For your benefit and mine, here’s a bunch of links we should all read, starting with the most recent and working backwards:
Can someone please enlighten me as to why the sudden anti-Walmart explosion? I know we’ve all hated the company (while shopping at its stores) for years, but the recent shift against Walmart is pointed and strange. Either I’m missing a key part of the story, or somebody is pushing this agenda hard. (My bet is on both.)
"Director Clapper will not be a part of the group, and is not leading or directing the group’s efforts," Caitlin Hayden, a White House spokeswoman, told The Hill on Tuesday.
"The White House is selecting the members of the Review Group, consulting appropriately with the Intelligence Community," she said, adding that the administration expects to announce the members of the group soon.
“The surveillance landscape is far worse than it has ever been and I feel like everything we do is now observable. All of our transactions and communications are all fused together into total information awareness apparatus. I don’t think any of this can be fixed merely by the application of cryptography. It is going to require some push back in the policy space.”—Phil Zimmermann, creator of PGP encryption, speaking with GigaOm
Technology has made targeting high-profile individuals and journalists easier than ever. Any location where journalists and sources gather (conferences, airports, hotels and events) is a particularly vulnerable environment. DEF CON, the largest hacker gathering in the world, highlights these risks more than anywhere in the world.
Below are some tips I give to journalists and other VIPs attending DEF CON. These tips have evolved over the years based on new attacks demonstrated at the event. I suggest using these to protect you and your sources while in Vegas and beyond:
#1 Create a Password Strategy
Conferences are a whirlwind of information and events, so be sure to keep all of your accounts secure and within your control. Create and use a password strategy to ensure that confidential emails containing breaking news are not compromised. A few tips for creating your strategy:
Use a pattern on the keyboard instead of words from the dictionary.
Rotate this pattern regularly. Change your passwords after each conference.
Use a unique password for each important account.
Be careful when selecting password hints or security questions as the answers can often be easily guessed using information you’ve posted to social sites.
Do not send passwords in clear text.
Change your passwords before you leave and as soon as you get home.
#2 Leave Important Data and Devices at Home
The safest way to protect your data and devices is to leave them at home. Assume all information and devices you bring to the event may be compromised. Many attendees bring a burner laptop and phone just for this event. If you delete data from your devices, make sure to shred the data so it really is gone. You could also bring a paper and pen. There are no known remote access attacks against this measure.
#3 Use Masking Tape and Headphone Jack
Watch out for front-facing cameras on your phone, tablet, computer and TV. Masking tape is still the best solution. It is also good to plug your headphone jacks.
#4 Shield RFIDs
Keep your RFID credit cards, keys and IDs at home or in a special wallet. They can be legally scanned from over 200ft away.
#5 Turn Off Sharing and Airwaves
To protect your sources and content, turn off file-sharing, wireless and Bluetooth capabilities. Put your phone in Airplane mode when not in use. If you don’t want your location physically tracked, consider removing your battery or shielding your phone in a tempest wrapping when you are not using it. Some intelligence agents use this method to prevent physical tracking of their location.
#6 Beware of Public Wi-Fi
Do not use any wireless networks at DEF CON or the airport unless you want to be hacked aggressively. There is a wired network for you in the press room that is more secure.
#7 Avoid Public USB Charging Devices
Public chargers can quickly pull all data from smartphones.
#8 “Opt Out” in Airport Security Line
Let the DHS representative know you are opting out and allocate more time to be frisked. The information collected in this scan is stored in a database. Hackers, pilots and kids don’t go through the high-tech sniffers at the security check-through in airports. Should you?
#9 Keep Your Devices Close and Password Protected
Do not let phones, computers or tablets out of sight, even for a moment, especially at the airport security line. It only takes a second for someone to download all the info off your phone or scoop a valuable lead from your inbox.
#10 Pick Your ATM Carefully, Bring Cash
Be careful withdrawing cash. Avoid using unprotected ATM machines while traveling, especially in Las Vegas. Look for bank-sponsored or guarded machines for assurance and accountability. Do not use ATMs anywhere within a few blocks of DEF CON and Black Hat. Bring cash and a low balance credit card with just enough to get you through the week.
#11 Guard Your Keycard
Keep your keycard deep in your wallet or purse.
#12 Not Safe to Trust the Hotel Safe
Hotel safes are easy to break into. Keep valuables at home or on you.
#13 Protect Your Anonymous Sources
Do not add important people to your Contacts on your phone or computer; find a safe place to keep this information. Use anonymous forms of communication. Email, text and cell are easily traced.
#14 Save Your Contacts
#15 Talk in Code
When on deadline, be sure your sources are safe – by encrypting your messages. Do not communicate with sources on an unprotected phone, email, or SMS channel. Unencrypted messages are easy to access by even inexperienced hackers.
#16 Be Careful What You Say
People are watching you/listening to you at all times, especially if you are new to the scene. Talk quietly. Conduct confidential phone calls off site.
#17 Watch Out for Metadata
Clear metadata (GPS locations, device ID, original photo) from pictures using photo editing software before you share or publish online. This information can be used against you and your sources.
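As an added example (not part of the original article), this is what clearing metadata from a JPEG looks like at the file level: the EXIF block with GPS and the embedded preview, XMP, IPTC, comments and anything appended after the end of the image are dropped, while the segments needed to decode the picture are kept. The function names and the constructed sample bytes are assumptions of this example, and it goes a little beyond the tip by also handling JFXX thumbnails and trailers.

```python
import re

# End of scan data: 0xFF not followed by stuffed 0x00, fill 0xFF or RST0-RST7.
NEXT_MARKER = re.compile(rb"\xff[^\x00\xff\xd0-\xd7]")

def keep_segment(marker: int, payload: bytes) -> bool:
    if marker == 0xFE:                        # COM: free-text comment
        return False
    if not 0xE0 <= marker <= 0xEF:            # DQT, SOF, DHT, SOS, DRI: image data
        return True
    if marker == 0xE0:                        # APP0: keep JFIF, drop JFXX thumbnail
        return payload.startswith(b"JFIF\x00")
    if marker == 0xE2:                        # APP2: keep colour profile only
        return payload.startswith(b"ICC_PROFILE\x00")
    return marker == 0xEE                     # keep APP14 (Adobe); drop EXIF/XMP/IPTC/vendor

def strip_jpeg_metadata(data: bytes) -> bytes:
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    out, i = bytearray(b"\xff\xd8"), 2
    while i + 1 < len(data):
        if data[i] != 0xFF:
            raise ValueError(f"expected marker at offset {i}")
        marker = data[i + 1]
        if marker == 0xD9:                    # EOI: stop, dropping any appended trailer
            return bytes(out) + b"\xff\xd9"
        if marker in (0xFF, 0x01) or 0xD0 <= marker <= 0xD7:
            i += 1 if marker == 0xFF else 2   # skip fill byte or stray length-less marker
            continue
        length = int.from_bytes(data[i + 2:i + 4], "big")
        end = i + 2 + length
        if length < 2 or end > len(data):
            raise ValueError("corrupt or truncated segment")
        if keep_segment(marker, data[i + 4:end]):
            out += data[i:end]
        i = end
        if marker == 0xDA:                    # SOS: copy scan data up to the next marker
            m = NEXT_MARKER.search(data, end)
            i = m.start() if m else len(data)
            out += data[end:i]
    raise ValueError("missing EOI marker")

def seg(marker: int, payload: bytes) -> bytes:
    return bytes((0xFF, marker)) + (len(payload) + 2).to_bytes(2, "big") + payload

# Constructed sample: JPEG marker structure only, not a decodable picture.
SAMPLE = (b"\xff\xd8" + seg(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
          + seg(0xE1, b"Exif\x00\x00GPS 00.0000N 000.0000E") + seg(0xFE, b"owner: A. Reporter")
          + seg(0xDB, bytes(65)) + seg(0xDA, bytes(10)) + b"\x12\xff\x00\x34\xff\xd0\x56"
          + b"\xff\xd9" + b"appended trailer")
```

Run it on a copy of the photo and confirm the result with a metadata viewer before publishing; details visible in the picture itself are not affected by this step.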
#18 Accept No Gifts
Do not accept gifts. USB drives and CDs can be deadly to your important data.
#19 Use the Elevators
The rumor is true - elevators can be hacked, just like everything else. I still use them. There are stairs, but the Rio is tall. Security is all about weighing the risks.
#20 Bring Your Tinfoil Hat
There is no proof that tinfoil works, but it is sure to make you friends.
#21 Have Fun!
Welcome to DEF CON 21. Prepare to hack and be hacked. Let the games begin!
Nico Sell has been helping organize DEF CON for over a decade. She is also the CEO and founder of r00tz and Wickr.
Earlier this month, the administrator of an exclusive cybercrime forum hatched and executed a plan to purchase heroin, have it mailed to my home, and then spoof a phone call from one of my neighbors alerting the local police.