# Have some password diversity
## Don't use the same password for everything. Break them up into different levels such as company, personal, social network and banking.
# Rogue Access Points
## This one is a tough one: at Blackhat there are typically people spoofing the conference access points, so beware of what you are using. If you can verify the MAC address of the access point, that is best; if not, use a MiFi or your phone's data connection. The BlackHat conference material will contain instructions on ensuring you're talking to the real BH access point, at least, but that definitely doesn't guarantee no snooping or tampering of content.
# Tunnel and proxy out of the conference
## Depending upon your host OS, it is best to use a secure connection such as IPSec, SSH or an SSL VPN to an outside host and proxy all of your traffic through that host. This also requires you to configure your host OS to proxy everything out. (Keep in mind that this isn't 100% effective, depending upon what you are doing.)
## This does two things: if you do have passwords flying around in plain text they won't be seen, and if you established this connection prior to the conference, you can ensure there isn't any tampering with your traffic.
# Accepting untrusted SSL/HTTPS certificates or even SSH keys
## If you are making a connection to a site and it asks you to accept a key or certificate, you had better know what you are doing. If this is a site you have used in the past and it suddenly presents a new key or certificate, don't accept it.
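The "verify the MAC address of the access point" advice from the Rogue Access Points item, worked through as an added example (not part of the original wiki page). It runs over constructed scan lines in a simple "SSID,BSSID,SIGNAL" form, with a hypothetical allow-list of BSSIDs that the conference material is assumed to publish, and reports any beacon for the conference SSID that comes from a BSSID not on that list, plus any unlisted SSID that is being advertised by several radios at once. It also picks the strongest allow-listed BSSID so a client can be locked to it rather than to whichever beacon is loudest.

```python
"""Access-point allow-list check over constructed Wi-Fi scan results (added example)."""
from collections import defaultdict

# Constructed scan lines, not a real capture: "SSID,BSSID,SIGNAL_dBm".
# Three radios advertise the conference SSID; one of them is not on the allow-list
# and happens to have the strongest signal, which is what a client would prefer.
SCAN_LINES = [
    "BH-Conference,00:11:22:33:44:55,-48",
    "BH-Conference,66:77:88:99:AA:BB,-35",
    "BH-Conference,00:11:22:33:44:66,-60",
    "HotelGuest,AA:BB:CC:DD:EE:01,-70",
]

# Hypothetical allow-list of BSSIDs taken from the conference material (constructed values).
EXPECTED_BSSIDS = {
    "BH-Conference": {"00:11:22:33:44:55", "00:11:22:33:44:66"},
}


def parse_scan(lines):
    """Parse 'SSID,BSSID,SIGNAL' lines into (ssid, bssid, signal_dbm) tuples."""
    results = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        # Split from the right so an SSID containing commas still parses.
        ssid, bssid, signal = line.rsplit(",", 2)
        results.append((ssid, bssid.upper(), int(signal)))
    return results


def check_access_points(scan, expected):
    """Return (ssid, bssid, reason) findings for access points a client should avoid."""
    findings = []
    bssids_per_ssid = defaultdict(set)
    for ssid, bssid, _signal in scan:
        bssids_per_ssid[ssid].add(bssid)
        if ssid in expected and bssid not in expected[ssid]:
            findings.append((ssid, bssid, "BSSID not in published allow-list"))
    # For networks without a published list, several radios on one SSID is worth a look.
    for ssid, bssids in bssids_per_ssid.items():
        if ssid not in expected and len(bssids) > 1:
            findings.append((ssid, ",".join(sorted(bssids)), "SSID advertised by several BSSIDs"))
    return findings


def safe_bssid_for(scan, ssid, expected):
    """Strongest allow-listed BSSID for `ssid`, or None if there is no allow-list or no match."""
    if ssid not in expected:
        return None
    candidates = [(signal, bssid) for s, bssid, signal in scan
                  if s == ssid and bssid in expected[ssid]]
    if not candidates:
        return None
    return max(candidates)[1]


if __name__ == "__main__":
    scan = parse_scan(SCAN_LINES)
    for finding in check_access_points(scan, EXPECTED_BSSIDS):
        print("AVOID:", finding)
    print("lock to:", safe_bssid_for(scan, "BH-Conference", EXPECTED_BSSIDS))
```

Feeding this real data means replacing SCAN_LINES with your OS's scan output and EXPECTED_BSSIDS with whatever the conference hands out; the strongest-signal rule is deliberately ignored when choosing a BSSID, since that is exactly the property a spoofed access point is tuned to win on.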
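The last item, "don't accept a key for a site you have used before", is what SSH's known_hosts mechanism enforces. This added example (not code from the original page) shows the decision in plain Python using only the standard library: it builds a constructed ssh-ed25519 key blob (the key bytes are made up and are not a real key), computes the OpenSSH-style SHA256 fingerprint you would compare against an out-of-band source, and classifies an offered key as trusted, unknown (first contact, to be verified by fingerprint) or changed (refuse to connect). The hostname `jump.example.net` is an assumption; the same pin-and-compare logic is what strict certificate checking does for HTTPS.

```python
"""Host-key pinning check over a constructed known_hosts-style entry (added example)."""
import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode one SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def make_ed25519_blob(raw_pubkey: bytes) -> bytes:
    """Build an ssh-ed25519 public key blob (key type string + 32 raw key bytes)."""
    assert len(raw_pubkey) == 32
    return ssh_string(b"ssh-ed25519") + ssh_string(raw_pubkey)


def fingerprint_sha256(blob: bytes) -> str:
    """OpenSSH-style 'SHA256:<unpadded base64>' fingerprint of a public key blob."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_known_hosts(text: str) -> dict:
    """Map hostname -> decoded key blob from 'host keytype base64' lines."""
    pinned = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, _keytype, b64 = line.split()[:3]
        pinned[host] = base64.b64decode(b64)
    return pinned


def evaluate_host_key(host: str, offered_blob: bytes, pinned: dict) -> str:
    """Classify the key a server offers during connection setup.

    TRUSTED      - identical to the pinned key; proceed.
    UNKNOWN_HOST - no pin yet; verify the fingerprint out of band before accepting.
    KEY_CHANGED  - pinned key differs; do not connect.
    """
    if host not in pinned:
        return "UNKNOWN_HOST"
    if pinned[host] == offered_blob:  # compare the whole key, not a truncated fingerprint
        return "TRUSTED"
    return "KEY_CHANGED"


# Constructed key material: 32 predictable bytes, NOT a real key.
PINNED_KEY = make_ed25519_blob(bytes(range(32)))
OTHER_KEY = make_ed25519_blob(bytes(range(32, 64)))

# A constructed known_hosts file pinning the key established before the conference.
KNOWN_HOSTS = (
    "# pinned before travelling\n"
    f"jump.example.net ssh-ed25519 {base64.b64encode(PINNED_KEY).decode()}\n"
)


def demo() -> dict:
    """Run the three cases and return their verdicts keyed by scenario."""
    pinned = parse_known_hosts(KNOWN_HOSTS)
    return {
        "same_key": evaluate_host_key("jump.example.net", PINNED_KEY, pinned),
        "changed_key": evaluate_host_key("jump.example.net", OTHER_KEY, pinned),
        "new_host": evaluate_host_key("other.example.net", PINNED_KEY, pinned),
    }


if __name__ == "__main__":
    print("pinned fingerprint:", fingerprint_sha256(PINNED_KEY))
    for scenario, verdict in demo().items():
        print(f"{scenario}: {verdict}")
```

The fingerprint string has the same shape `ssh-keygen -lf` prints, so the UNKNOWN_HOST case is resolved by comparing it with a value obtained over a channel you already trust, never by accepting whatever the network at the venue presents.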