Staying safe, but still connected, at security conferences

Question

If one is to spend some time away from home and work in a hotel environment where neighboring users can at least be presumed to be mischievous (if not actually malicious), what are some measures that can be taken to stay safe from said users while still staying connected?

Available resources:

• Spare laptop
• Spare Windows license
• Work-provided VPN
• Personal "dumb" cell phone (not dumb as a rock, but it's not going to MIT any time soon)
• Work smartphone
• Various forms of removable media (USB HDD, DVD-R, Flash Drive, MicroSD, etc.)

Planned activities:

• Web browsing
• E-mail
• Social networking
• Online gaming
• Personal & work calls & SMS.
• Remote access (RDP w/ NLA) to personal & work computers.

I plan on leaving my "daily driver" personal laptop at home, and might consider going without the smartphone if I can get away with it. I'd like to be able to perform the above activities within a reasonable level of comfort, while ensuring that any data I handle (including my login credentials) stays confidential. Also, of course, I'd like make sure no malware finds its way into my systems - at least, not through anyone's fault but my own.

It probably should be noted that I'm currently a native Windows user, with little to no experience in other OS's.

Answer 1

There's no reason to use Linux instead of Windows under the premise that one is 'more secure' than the other (this is not a simple query to answer).

Software

If the Laptop you have is running Windows then it's OK to stick with it, just do the following:

• Make sure it is fully updated with the latest patches
• Enable and configure Windows Firewall
• Disable any extra services you don't need (if running an FTP server, etc.)

This won't make you 'unhackable', but nothing will. Choosing Linux over Windows is a fairly arbitrary choice, neither OS will protect you from 0day exploits.

Network

You say you have a company VPN? Assuming it is encrypted this is ideal for this situation. Configure your system to only send network traffic over your VPN.

Assuming this is encrypted then your credentials should be relatively safe.

Answer 2

Unfortunatly there is no safe, there is only the amount of risk you are willing to assume and the amount you are willing to pay (money, resources, and convenience) to protect your assets.

Protection has cost. Assets have value. And threats are variable. The basic security equation is: Risk = threat x vulnerability x exposure.

The risk is to your assets, so I'll make my best guess as to what those are.

Assets:

personal Email acount, work email account, web site accounts, online social identity, online game accounts, personal mobile phone account, work mobile phone account, personal voicemail account, work voicemail account, work IT accounts, integrity of personal laptop, integrity of home desktop machine, personal financial accounts (checking, savings, investment, retirement).

Threats:

For your question the threats are attendees at the conference. Threats are motivated by different goals, have different levels of skill, and different assets to use against you. You face different types of attacks from mischievous and malicious threats.

Vulnerability:

Just by patching and keeping your system up to date you greatly reduce the number of vulnerabilities in equipment. A threat (person) need to either know about or discover a vulnerability to use it in an attack. It is far easier for threats to use known vulnerabilites and find systems that have not be updated or patched than to discover new or not generally known vulnerabilites. Just know that you can never eliminate all vulnerabilites, but you can eliminate the ones for which patches and updates exist.

Exposure:

This is the area where you have the most control but it also costs you the most in terms of convenience and other resources. For example by not using your e-mail you reduce the direct exposure of your e-mail account to zero, but the cost is reduced convenience and resources for communicating. Instead consider how and when to use your e-mail. For example, you might want to protect the confidentiality of your work e-mail by only accessing it when no one can see your keyboard or screen (your hotel room), and when you have a network connection to a trusted network connection (authenticated encrypted national/regional ISP, as opposed to unauthenticated public unencrypted WiFi).

Web browsing

Consider installing multiple browsers for different purposes. I personally use Pale Moon Portable with very restricted capabilities for more confidential browsing. I would also suggest adding a separate account(s) with little to no personal data to use when you need to prevent information leakage.

E-mail

Similar to web browsing, consider installing multiple e-mail clients with different configurations and createing separate account(s) to isolate the information available when logged into a particular account. The Bat! is a popular mature e-mail client. Consider updating your passphrases/words after returning from the conference.

Social networking

This one really depends on how you value these accounts and what information you wish to be confidential. Consider updating your passphrases/words after returning from the conference.

Online gaming

Unless any of your gaming accounts is tied to financial assets, with online gaming I think you are only likely to see attacks from mischevious threats: i.e. cheating, distraction, and annoyance. Consider updating your passphrases/words after returning from the conference.

Personal & work calls & SMS.

Consider taking both phones: personal and work. Before leaving for the conference make sure you have a strong passwords on your accounts and that a PIN or password is required to access voicemail or account information even if calling from your mobile phone. Most mobile phones allow you to forward calls to another number which could be your hotel room or your other mobile. If you are concerned about the vulnerability of your smartphone then you can turn it off (all the way off, remove the battery if in doubt) when you are most exposed: i.e. a presentation on mobile phone hacking. When you return from the conference consider chaging your voicemail PIN or password.

Remote access (RDP w/ NLA) to personal & work computers.

You probably want to have minimal exposure when accessing remote personal and work computers, because with this activity you are putting assets not normally vulnerable to conference attendees at risk. I prefer when noone can see my screen or keyboard and I am connected to a trusted encrypted authenticated network.

Note: I have no affiliation with Pale Moon or The Bat!

Answer 3

What about a LiveCD of your choice of Linux distro for the social networking, browsing, and such and a thumbdrive for any documents you compose/download, etc. That would cover most of the computing; online gaming I can't say..but could you do without it for the time? Email, web browsing are the same on Linux & windows if you consider firfox/chrome.

Answer 4

You can get a very decent level of security by encapsulating things in a virtual machine: the host OS is a barebone installation which acts as a firewall for the guest OS, which runs in the virtual machine. VirtualBox is easy enough to setup, and efficient (but it requires some extra RAM; if you want the performance of a 2 GB machine in the VM, you'd better have 4 GB of physical RAM).

The host OS should be an operating system in which you are competent, so that you may update it and strip it down by closing all unneeded network services, and such that firewall configuration on that OS is no problem for you. If that's Windows, then go for Windows.