Didier Stevens

Monday 2 April 2007

Digital Self Defence

Filed under: Vulnerabilities — Didier Stevens @ 8:49

I’m back from Black Hat Europe 2007. Black Hat’s theme is “Digital Self Defence”, and that is just what I did. Because I took a reverse engineering training by Halvar Flake, I had to take my Windows laptop with me. I explain how I protected my Windows laptop when accessing an insecure wireless network at the conference.

The threats I faced when enabling my wireless connection at the conference were:

  • someone compromising the integrity of my system
  • confidential data theft
  • credentials theft

In a normal situation I protect my OS and data with these procedures and tools:

  • keeping my OS and software patched
  • running McAfee Anti-Virus and update it
  • running Kerio’s free Personal Firewall
  • connecting to the Internet with a NAT router
  • using a WPA secured WiFi connection
  • using FireFox with NoScript and CookieSafe for web browsing
  • storing all my data in a TrueCrypt volume
  • making regular system backups with Acronis TrueImage on a dedicated USB hard disk
  • using a non-admin account

At home, before I left for the conference, I took a full backup of my laptop.

In the hotel, there was unencrypted, free WiFi available in the rooms and on the conference floor. My laptop has a (hardware) switch to disable WiFi. I would only switch it on when I really needed to access the Internet. And by preference in my hotel room on the 16th floor, not on the conference floor.

Each time I enabled WiFi access, I unmounted the TrueCrypt volume with all my data.

Whenever I accessed a website that needed credentials (like Gmail), I made sure that it used HTTPS or else I would use TOR as a proxy (I didn’t use TOR all the time because of the slow connection).

For the training, I installed a new virtual machine (with VMware), and installed all the software Halvar gave us and did all the exercises on this machine.

My hotel room had a laptop safe, and I would always store my laptop in it whenever I didn’t need it.

I didn’t notice an incident on my laptop when I was at Black Hat. But back home, I decided to restore my laptop, not because I feared my laptop was compromised, but mainly as an exercise to test my backup procedure.

Here is how I did it:

  1. make a new backup of my laptop, just in case the restore goes wrong
  2. copy my TrueCrypt volume with data and the training virtual machine to an USB hard disk, because I need to keep this
  3. restore the backup from before the conference
  4. copy my TrueCrypt volume with data from the USB hard disk back to the laptop

It took a long time, but the procedure is simple and everything went fine. I learned that the Acronis True Image’s progress bar during the restore is confusing. The time remaining would increase, not decrease. At the end, it was 5 hours, and then Acronis True Image rebooted my laptop. Windows was running normal, and connected immediately to my WiFi network at home. All traces of the WiFi network at Black Hat were gone.

My laptop has forgotten it was at Black Hat Europe 2007.

The key ingredients of the restore procedure are:

  • a full system backup
  • a clear separation of system files and data files


  1. Excellent steps and post! My only suggestion would be optional, but I personally would just change my password on anything I accessed while at the show. 🙂

    Comment by LonerVamp — Monday 2 April 2007 @ 15:56

  2. Very good suggestion LonerVamp!

    Comment by Didier Stevens — Monday 2 April 2007 @ 16:44

  3. […] Quickpost: Back from Black Hat Europe 2008 Filed under: Hacking, Quickpost — Didier Stevens @ 7:44 Back from Black Hat Europe 2008, my laptop has undergone another lobotomy. […]

    Pingback by Quickpost: Back from Black Hat Europe 2008 « Didier Stevens — Tuesday 8 April 2008 @ 7:45

  4. […] year Didier Stevens wrote up some of the precautions he took for Black Hat Europe 2007. My work laptop is already using whole disk encryption, so I’m not worried about that and […]

    Pingback by Network Security Blog » More thoughts on convention security — Monday 4 August 2008 @ 16:08

  5. […] Quickpost: Black Hat Europe 2009 Filed under: Hacking, Quickpost — Didier Stevens @ 5:46 Black Hat Europe 2009 is over for more than a week now, and my laptop has undergone yet another lobotomy. […]

    Pingback by Quickpost: Black Hat Europe 2009 « Didier Stevens — Monday 27 April 2009 @ 5:46

  6. One evil observation… 😉

    > “Whenever I accessed a website that needed credentials (like Gmail), I made sure that it used HTTPS or else I would use TOR as a proxy (I didn’t use TOR all the time because of the slow connection).”

    Did you know that by default the GX session cookie used by gmail will be provided whether or not the session is https? This means that somebody could supply a redirect in response to one of your unencrypted wireless URL requests, and have it go to gmail via http rather than https. Your browser would then happily upload the session cookie in the clear so that it could be snarfed and used to impersonate you. Check out H. D. Moore’s Karma/Metasploit integration for more wireless exploitation.

    If forced to use an unencrypted wireless network at a hacking convention, I would first establish a VPN tunnel to another secure location such as work, and then ensure that all of my application traffic was going through that tunnel (split tunneling is a bad thing).

    Personally, I think anybody who offers unencrypted wireless access to the public (Starbucks, this means you!) deserves all of the lawsuits they will eventually be served with when the public figures out what terrible risks using it exposes them to.

    Comment by John McCash — Tuesday 28 April 2009 @ 14:58

  7. @John

    Thanks for the evil observation 😉

    I did some tests and the Gmail GX session cookie is an HTTPS cookie if you configured your Gmail account to use HTTPS only. If you don’t, then it is a normal cookie.

    Last year I didn’t use TOR, but my own SSH tunnel. And this year, I even refused to use the wireless network for services that required authentication. For example, I read my e-mail on my mobile over 3G.

    Comment by Didier Stevens — Tuesday 28 April 2009 @ 16:14

RSS feed for comments on this post. TrackBack URI

Leave a Reply (comments are moderated)

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Blog at WordPress.com.