Threat Level: green Handler on Duty: Johannes Ullrich

SANS ISC: Laptops at Security Conferences - SANS Internet Storm Center SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Laptops at Security Conferences

I’m often curious what other security folks do to keep their machine safe when they go to IT conferences. I often see what looks like standard office machines being used and wonder if any precautions have been taken. So here’s what I do and I’d love to find out what other measure you take.

I’m about to spend a few days a large security conference, so I’m just putting the finishing touches to laptop I’m taking with me. As I don’t have any real needs beyond email, typing notes and web browsing, it’s a simple job of installing a clean OS and a couple of must have applications*. In keeping with Joel’s previous Diary, it took the duration of some reality TV show to install all the various patches for these apps to be up to date.


Now this is where I then go through my normal additional hardening steps. This OS happens to be Windows 7, so I disable a bunch of services, kill IPV6 services, gleefully disable hibernation and add in a gaggle firewall rules (or should that be an annoyance of firewall rules?).
 

The last thing I do make a record of clean state of the computer.  This is the part I’m assuming most companies have if they have managed operating environments (MOE) or standard operating environments (SOE) as this is such an easy thing to do and provides a trusted baseline for the security teams to compare against.
 

In Windows there’s a bunch of ways to ask the computer what’s running, what services and software is installed, but I like PowerShell so here’s a quick and dirty way to get the info and save it to a file.
 

From a PowerShell prompt:

#Installed Software
gp HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* |Select DisplayName, DisplayVersion, Publisher, InstallDate, HelpLink, UninstallString | out-file c:build\base.txt
#Running processes
Get-Process | sort company | format-Table ProcessName -groupby company | out-file –append c:build\base.txt
#Services installed
Get-service * | out-file –append c:build\base.txt
 

This gives me three pieces providing a baseline** of the system.
 

I’m now ready to skip from vendor booth to vendor booth, keen to look at their product case studies conveniently on handy novelty USB devices, while surfing the web on freely provided Wifi doing on-line banking, checking today’s nuclear launch codes and wondering why I keep seeing "Loading Please Wait" when clicking on links in emails from people I’ve never heard of.  - Although this is an attempt at humour (note attempt) having a baseline of the clean machine allows me to identify the more obvious signs of something bad happening to my system.

If I do feel a disturbance in the force or the laptop does something odd, I can re-run my simple PowerShell commands (with a different output name) and look for changes.
 

#Comparing in PowerShell
Compare-Object -referenceobject $(Get-Content c:build\ base.txt) -differenceobject $(Get-Content c:build\new.txt)

That gives me a quick indication if some has changed on my systems (barring root kits) and if I need to worry about.

Let me know what you do or don't do when taking your system to a conference.

 

* I can’t say I’m a big fan of live CD/DVD/USB, I see their uses, but they get out of date, especially the browsers, far too quickly.
 

**If you want to get more fancy with the base snapshot, it’s pretty easy to script that out to include registry keys, firewall rules and even files in directories with cryptographic hash.

 

Chris Mohan--- Internet Storm Center Handler on Duty

 

I’m mentoring SANS Hacker Guard 464 class in Sydney on the 7th of August - SysAdmins, this is for you! https://www.sans.org/mentor/class/sec464-sydney-aug-2012-mohan
 

Chris

105 Posts
ISC Handler
I usually just run a Live OS from a thumbrive or something. That way it doesn't matter what computer i'm on. I also run most stuff over my personal VPN. Yes, that may introduce hackers to my home IP, but such is life... My first time at BlackHat\DEFCON I was so paranoid I actually bought a "burn phone" (one of those pre-paid jobbers).

You know what'd be funny, if you ran something like DVL or Metasploitable on your laptop at a hacker con. You'd have the most active honeypot in the world for about 30 minutes haha!
pipefish

3 Posts
In all seriousness, nothing.

Between the crappy hotel wireless networks, skiddies packeting everything and everyone on the con wireless networks, and the general lack of anything I really need to check online while I'm at the conference, it's rare that I take my laptop out of my backpack while I'm at a con, let alone boot it up.

If I absolutely need to use a laptop at a security conference, I use a crappy netbook purchased from Craig's List. The on-board flash storage is wrecked so I boot a live distro from a micro-sized USB key. Any files I need are manually copied to a nodev/noexec/nosuid mounted partition on the USB key. When I get home I plug the key into another workstation with the nodev/noexec/nosuid options, copy the files off, and check them out on the machine (if it was a 'legit' conference that $work paid lots of money for) or a disposable virtual machine (if it was a con that actually had useful info). I'm at cons that require such measures once a year, at most.

By the way, pipefish, running DVL on the wireless net at cons is lots of fun. The more experienced folks think its funny to send messages to one another by defacing the distro's website and the skiddies go nuts throwing everything and the kitchen sink at it.
No Love.

37 Posts
Nothing, also, though I'd like to do many of the things you discuss. However, in the interest of security, I do not have admin access to my Win7 laptop. Seems like I'm in a Catch-22 situation. Yes, I'm a "security guy", but only the IT guys have admin access to our laptops.

Heading to a conference tomorrow. I'll take the standard issue company laptop because I need to do some work in the evening. The only thing I can do for a modicum of protection is to do everything through the company VPN.
Hal

50 Posts
Well, I don't really do anything different than I do day-to-day no matter where I am. I always presume someone wants unauthorized access to my system. My drive is fully encrypted and uses biometrics to begin with - with a heck of a strong BIOS password, all of which of course is only good protection against loss. Second, if I know I am going somewhere "higher risk", I will remove unneeded sensitive information to limit risk, and disable WiFi. I bring my own Internet (3G/4G) and don't use the WiFi connection for the hotspot (USB tethered). I don't usually use hotel or conference Internet at all. Then I use VPN for ALL connectivity. Of course, I never let the laptop out of my sight either (except for safe in room, etc). Oh, and I usually have 13+1 reasons that help ensure nobody will take my laptop concealed on my hip. I figure I have both physical and logical protection that way, and frankly, bringing my own Internet helps simplify issues with connecting to other WiFi, etc. Short of TEMPTEST type stuff and ensuring no shoulder surfing, that should address most concerns. Granted sometimes BYO Internet can be a problem with weak signal areas, but then I just actually pay attention to the conference. LOL
Anonymous
I disable wireless in the BIOS and don't plug jacks in. If I need access while I'm at a con, my work provides me with an EVDO board which I can use as needed. I think there are carriers now providing EVDO or similar cellular technology on month-to-month plans once you pay for the hardware?
peter

17 Posts
* Backup your laptop first.
* Encrypt your laptop hard drive, if you haven't already.
* Use a VPN for all connectivity.
* Configure your host firewall to permit VPN traffic to your VPN endpoint, permit dhcp client, and to permit all traffic on your VPN tunnel interface. Deny all other traffic.
* Keep your laptop with you at all times.
* Disable bluetooth.
* Avoid using any captive portals if possible.
geos73

3 Posts
I went a security conference a few months ago, and this is what I did. Brought a newly imaged/patched laptop, as well as an iphone and ipad. The laptop was used for everything related to the conference, never for email or access back home, the iphone and ipad were used for that. (via Good for enterprise app for email) End of the conference, erased the disk of the laptop and handed it back to IT, to re-image and re-issue to another person. I just assumed it was at risk, and didn't worry about what might have happened to it. I had admin, used conference network etc for laptop. IPhone/ipad used strictly cellular connectivity with wifi off during conference.
geos73
1 Posts
I have a second encrypted hard drive for my system that I swap in for conferences. It's a bit more locked down than I can afford on my day-to-day image. If I absolutely have to do work, I can swap in my normal hard drive out of hours. (Limited exposure and all.)
hacks4pancakes

48 Posts
I haven't been to a major IT security conference in a while, but I have to say after the first one I went to I stopped bothering to bring a laptop. The risk is high and the script kiddies have usually pounded the hotel network into uselessness, anyway.
Anonymous
I make a backup image of my laptop before conference, then wipe, clean install, patches, etc. Then I disable any unnecessary services. All of my connectivity to work is through 4G cell link with VPN client tunnelling everything. Sometimes I will boot from a live distro and 4G/VPN back into office as well. Just depends on how much time I have to prep for trip.

I absolutely *never* trust the hotel wireless network at any security conference!! I even clean up all SSID's on my phone and set it to require confirmation of any wireless connection, and also disable the wifi radio as well.
Anonymous
I always get annoyed when people think IPv6 is unsafe. Disabling IPv6 is just like putting your head in the sand. There are far better ways to handle with these things, like e.g. making sure your firewall also filters IPv6 traffic. There is _NO_ inherent threat in IPv6 or at least not more than in IPv4 and thus it should not be handled like there is. It is just like the a new Internet protocol, so make sure that you know what you are doing. Learning about IPv6 is what is going to protect you in the end, not disabling it as if it does not exist.
Rainbow Tux

3 Posts
@evdvelde: I think this falls under the category of "disable anything you don't need," though. If you won't be using any IPv6 networks, why leave it enabled? It's just another unnecessary exploit surface, in that case.
Anonymous
"I always get annoyed when people think IPv6 is unsafe."

Layer 2 attack risks on non-IPv6 enabled LAN: malicious IPv6 router announcement / NDP hijacking, coupled with malicious DHCPv6 server pointing to a rogue recursive DNS host.

Cannot be suppressed by IPv4 L2 security features such as DHCP snooping.

IPV6 RA guard has also been found to have serious holes.


Mysid

146 Posts
@Orv: That is possible of course, although it is in my opinion a very minor surface. It should not expose more services than already exposed by IPv4 connectivity and in itself it does not hold a (big) risk

@Mysid: First of all, please do not call malicious IPv6 router announcement / NDP hijacking Layer 2 attack risks since IPv6 is very much Layer 3. Secondly, ever heard of ARP spoofing? The same can hapen to an IPv4 network and I am pretty sure you are not disabling IPv4. These problems are inherent for both protocols and should be countered by e.g. encryption to avoid snooping in case of spoofing.
The DHCPv6 server and RDNS issue: there exist mailicious DHCPv4 servers as well, although chances are bigger that the network administrator is already hunting these down. Here I like add again that education should be the real protection, not disabling IPv6. RDNS might be a problem, and if really concerned, you could only disable that part, but also there it is better to keep it in check with other measures instead of just blindly disabling things.

IPv4 has mostly the same security issues, some are in IPv4 that have been solved in IPv6 and vice versa and yet many people see IPv4 as safe and IPv6 as dangerous, is it just because it is the new guy around the block? I pretty much think so! Start learning people, IPv6 is here to stay and shutting your eyes "while you still don't need it" is not going to help you in the (near) future.
Rainbow Tux

3 Posts
@evdvelde: IPv6 NDP is a Layer 2 protocol similar to ARP. IPv6 is not strictly Layer 3; an IPv6 network stack has Layer 2, Layer 3, and Layer 4 components that are activated by turning on IPv6.

The most serious vulnerabilities introduced by enabling IPv6 are L2 and L3 based attacks that can lead to MITM or misdirection of user traffic.

They are especially dangerous, when security monitoring practices and software have not yet been tooled for IPv6. The security monitoring might miss rogue V6 traffic, since it was not designed to deal with it; before deploying V6 it is important that security practices are updated to deal with it.


"Secondly, ever heard of ARP spoofing? The same can hapen to an IPv4 network"

I am fully aware of ARP-based hijacking. No, it cannot really happen on a properly secured IPv4 network. Switches provide multiple layers of security functions with IPv4 that mitigate the risks you describe, and a robust IPv6 equivalent these security features does not exist in any form:

* Port Security / "Station Movement" protection -- MAC address filters prevent MAC spoofing, by refusing to allow a known MAC address from moving between ports, and refusing to allow a single port the simultaneous usage of multiple MAC addresses.

* 802.1x wired and wireless Port Security (/ WPA2): Stations connecting to a secure LAN are authenticated using a machine security certificate or username/password (a more secure alternative to security based on physical port only).

* DHCPv4 Snooping (No DHCPv6 equivalent available) -- Certain ports are marked "trusted" on the switch, the DHCP server ports. Other ports are marked untrusted, when a DHCP response is sent to a trusted port, the switch BINDs the allowed IP address to the MAC address, and the MAC address to the port.

* Dynamic ARP Inspection (No NDP/IPv6 equivalent available) -- Works together with DHCP snooping and port security features. All ARP traffic is suppressed/discarded from untrusted ports, until the trusted DHCP server port assigns an IP address. After an IP address is assigned, any ARP messages sent with a MAC address or IP address not assigned to that port are suppressed.

* MAC Address Filtering on the DHCP Server: DHCPv4 servers can be configured to refuse to assign IP addresses to MAC addresses associated with network infrastructure components such as default gateways; together with Dynamic ARP inspection, this means it is not possible to spoof an IPv4 default gateway.







Mysid

146 Posts
IPv6 NDP is a Layer 2 protocol similar to ARP. IPv6 is not strictly Layer 3; an IPv6 network stack has Layer 2, Layer 3, and Layer 4 components that are activated by turning on IPv6.

=> Please do not confuse the OSI layers, NDP is Layer 3 with cross-layer elements, please do not confuse those things. IPv6 has _nothing_ to do with Layer 4, I cannot imagine which part of IPv6 could mislead you so.

I am fully aware of ARP-based hijacking. No, it cannot really happen on a properly secured IPv4 network. Switches provide multiple layers of security functions with IPv4 that mitigate the risks you describe, and a robust IPv6 equivalent these security features does not exist in any form:

* Port Security / "Station Movement" protection -- MAC address filters prevent MAC spoofing, by refusing to allow a known MAC address from moving between ports, and refusing to allow a single port the simultaneous usage of multiple MAC addresses.

=> MAC addresses, so also possible in IPv6 environment

* 802.1x wired and wireless Port Security (/ WPA2): Stations connecting to a secure LAN are authenticated using a machine security certificate or username/password (a more secure alternative to security based on physical port only).

=> Possible for IPv6 too

* DHCPv4 Snooping (No DHCPv6 equivalent available) -- Certain ports are marked "trusted" on the switch, the DHCP server ports. Other ports are marked untrusted, when a DHCP response is sent to a trusted port, the switch BINDs the allowed IP address to the MAC address, and the MAC address to the port.

=> DHCPv6 snooping exists: e.g. http://www.juniper.net/techpubs/en_US/junos/topics/concept/dhcp-extended-snooped-packets.html although probably very recent.

* Dynamic ARP Inspection (No NDP/IPv6 equivalent available) -- Works together with DHCP snooping and port security features. All ARP traffic is suppressed/discarded from untrusted ports, until the trusted DHCP server port assigns an IP address. After an IP address is assigned, any ARP messages sent with a MAC address or IP address not assigned to that port are suppressed.

=> agreed

* MAC Address Filtering on the DHCP Server: DHCPv4 servers can be configured to refuse to assign IP addresses to MAC addresses associated with network infrastructure components such as default gateways; together with Dynamic ARP inspection, this means it is not possible to spoof an IPv4 default gateway.

=> agreed, is more or less same as above


I see however that you miss a few very important issues here:
- You assume you have control over the network and are able to enable all these security measures. When roaming on other networks with your laptop, this is often not the case.
- You claim that most serious isues in IPv6 lie with the MITM attacks. I have to disagree though: if you really care, you use secure protocols. Anyone sending traffic over not-encrypted links at a security conference or at any big public place does not know what he is doing or is clearly out of his mind. There is no difference here between IPv4 and IPv6: if you care about your privacy, you use SSL, VPN, etc.
Rainbow Tux

3 Posts
@evdvelde Encryption is great, but at a security conference, it's not a safe assumption that stuff outside the Network stack, such as physical hardware; transmission medium aren't subject to attack as well -- no IP firewall or encryption can stop a malformed Layer 1 MAC protocol frame from exploiting a hardware vulnerability in your NIC or WiFI that results in DMA to improper memory addresses, resulting in execution of arbitrary code in ring0, for example.

An unreported vulnerability in the SSL or VPN implementation might lead to remote code execution, certificate related or downgrade attack that becomes exploitable when traffic is hijacked via Layer 1 (Data link) and Layer 2 (IP Layer) based attacks.

Encrypted traffic might be brute forced in order to decrypt later, at the attacker's convenience.

IPv6 does operate at Layer 4. Specifically: DHCPv6 is a Layer 4 Application layer protocol.

Rogue Route advertisements can be broadcast to a LAN; This is a Layer 2 attack, because RAs are NDP messages, and NDP messages are based on ICMPv6 which is a Layer 2 (IP Layer) protocol; this is similar to IPv4 Layer 1 attacks which involve the generation of false ARP messages.

However, the IPv6 version is a simpler attack, because the Rogue RA can be broadcast. RA guard can be avoided through exploits that are well-known.

MAC address spoofing of the default gateway in IPv4 is not a very robust attack, for intercepting all traffic on a LAN.

Broadcasting a false gratuitous ARP to an entire LAN in IPV4 generates all kinds of warnings on devices, because it's a "change of MAC address".

Such gratuitous arps are not always accepted, and their duration is limited, because of the fact the default gateway will send ARPs too.

But on a network with no legitimate RAs; one fake Route Advertisement is a very convenient attack, that can be produced very easily -- special purpose attack tools are not required, but can also be used to circumvent "RA Guard"
through the use of option headers.
Mysid

146 Posts

Sign Up for Free or Log In to start participating in the conversation!