"My Cyber is Trickling Down and other Diverse Problems of the Ageing Hacker"
"Active Incident Response"
"Attacking High Security Lock Systems"
"The Road to Shell is Paved with Good Intentions"
"EFF 'Secure' IM Scorecard Review"
"Adventures in Glitching PIC Microcontrollers to Defeat Firmware Copy Protection"
"Hacking Fibre Channel (FC) Networks"
"VoWiFi and you! - how someone could have read your text messages!"
"Why you shouldn't use SSL"
"Elevator Basics & Potential Future Vulnerabilities"
"Naval-gazing with Docker"
"Scrutiny on the Bounty (pun hall of fame plz)"
"Building Challenge Locks"
"Threat Landscape Gardening"
"Die Hard 7 - Passwords Please"
"Open Sesame - bypassing BMCs Tradecraft"
"Global Honeypot Trends"
"All your Bases are Belong to Us, the first 2^32 Years of Security"
"Countering Cyber Adversary Tradecraft"
Metlstorm - Keynote
My Cyber is Trickling Down and other Diverse Problems of the Ageing Hacker (such as being asked to do keynote talks instead of technical content)
Join Adam “metlstorm” Boileau as he leads his thought donkey along the beetling precipices of the infosec industry, a single misstepped hoof away from plummeting into the chasm of Policy, Governance and other Certain Dooms. Reflecting upon the lessons (nay! tragicomedy!) of a decade as an itinerant hacker-consultant, and closer to twenty in tech, metl endeavours to find some pearls of wisdom amongst the swine.
Bio: Adam ‘metlstorm’ Boileau is a principal with New Zealand infosec consultancy Insomnia Security, where he balances burgeoning curmudgeonhood with technical delivery and training up the country’s largest hacker crew. Metl’s voice is familiar to many as the news-pundit on weekly infosec podcast Risky Business and as the MC of the flaming stages of now nine Kiwicons. He was once the number one google image search result for “linux beard”.
Brian Candlish & Christian Teutenberg
Active Incident Response
During the Pacnet breach in 2015, we developed a method which differs from the usual IR process for targeted attacks, utilising what we have termed ‘Full Spectrum Visibility’ and ‘Targeted Containment’, which form like Voltron to create ‘Active Incident Response’. This method, utilising threat intelligence, hunting and establishing the basis for active defense, gives incident responders the information the business needs to assess risk, and another avenue for actions to mitigate that risk. Examples of TTPs from the breach will be used throughout the presentation to demonstrate the Active Incident Response process.
Bio: Brian is a threat researcher for Australia's largest telecommunications company, who spends his days and nights making the internet a safer place. His interests in information security include attack and detection techniques, intelligence and “active defense”. He has spent the better part of his life playing offensive and defensive roles and enjoys hunting adversaries on large corporate networks.
Christian hunts for evidence of breach for Australia’s largest telco. His history includes incident response, forensics for the enterprise, and tech support for his two-year old daughter. Due to his time in packets and with filesystems he has developed a crush on PCRE and advocates for no other timezone option than UTC. He aspires to the day where any network that has been breached already has “full spectrum visibility” with that data centrally recorded.
Attacking High Security Lock Systems
This presentation will focus on attacking high security lock systems and ways to compromise them without necessarily being able to pick these lock systems. We'll show why master-key systems are weak, how we can make our own master keys from your cylinders and explain why 'restricted' keys are 'restricted' and how that actually helps attackers.
We'll also make some suggestions as to how these issues can be avoided by organizations who are concerned about such attacks and what you can do.
Bio: The Melbourne hackerspace 'Hack House' has been quietly tinkering behind the scenes for some time. With most members being infosec professionals, we use our knowledge from engagements, coupled with our devious minds, to come up with new ideas collaboratively in our labs. Topy, one of the founding members of this space, will be presenting the research of several members (see lockpicking area for more details on Topy).
Catching 'Rays!
Mobile phones are ubiquitous despite the well-known security threats. One threat of particular concern is the use of Stingray (aka IMSI Catcher) devices to perform man-in-the-middle attacks. This attack can compromise the confidentiality of calls, the user's location privacy, and the system integrity of the mobile device.
The core of this talk is a tutorial-style introduction to constructing a mobile phone sniffer using GNURadio. We'll show how to identify mobile telephone signals of interest and construct custom software tools to demodulate, decode and analyze them. The software for constructing the sniffer is publicly available and can be replicated with a couple of hours of directed effort. The wrap-up will discuss the ongoing project to use enhanced versions of the sniffer together with other data sources to build a dedicated Stingray catcher.
Bio: Steve is a software engineer and security researcher. His research interests are in the areas of software and wireless security. Steve was the founder of the Osmocom OP25 project and is an advanced class radio amateur. When time allows he plays the trumpet.
liam & wily
The Road to Shell is Paved with Good Intentions
liam & wily are professional* computer hackers/Twitter thought leaders with some sweet ethical certifications and countless shells in countless billion dollar enterprises. In this talk they will discuss past, current, and future trends in information security and penetration testing.
This world-first presentation will include arguments, war stories, systemic issues, contentious heated discussions, and silver bullet solutions*. If you have ever found yourself asking the following questions, this presentation will be of "great benefit" to you:
- Do clients actually get any value from Red Team engagements?
- Can anyone trust bug bounty participants?
- Should I cross-skill in something other than computer hacking?
- Can I trust vendors?
- The threat intelligence campaign has the momentum of a runaway freight train, why is it so successful?
- Is Silvio really a celebrity chef?
Dan & Matt
EFF 'Secure' IM Scorecard Review
In recent years, the importance of using secure private messaging applications for communication has come to the forefront of public attention. One particularly interesting website is the Electronic Frontier Foundation (EFF) secure messaging scorecard, which aims to assist users in choosing "Which apps and tools actually keep your messages safe".
This type of score card drastically simplifies the problem domain, and leads one to question what the tradeoffs are when installing an application from the list. While the advocacy of privacy based communication is something we love to see reach a mainstream audience, we believe the scorecard misses many considerations and metrics that are critical to the discussion.
We have performed a review of the documentation and source code of a subset of applications in the EFF scorecard to understand their privacy versus security tradeoffs. This is a subtle and often overlooked difference - as passive monitoring may be disrupted with the use of encrypted communications, but attacks against software vulnerabilities can negate the advantage of using those IM applications in the first place. We believe sharing this perspective is important to assist users in deciding on the right balance between privacy and security.
We will present an introduction then run through the assessments we have performed of various clients. We will cover the attack surface present and look at a sample of vulnerabilities discovered, ranging from low-level memory management issues (e.g. heartbleed style information disclosures) to higher level web and XML type bugs that can also have a significant adverse security impact. We will then conclude with an analysis of the threat model of these applications and factor in the complex spectrum of threat actors for these applications.
Bio: Dan and Matt work at elttam security, where they each have their specialities, delivering high quality services to clients locally and abroad.
Adventures in Glitching PIC Microcontrollers to Defeat Firmware Copy Protection
Glitching is a non-invasive fault injection attack. For microcontrollers, the clock and the voltage are typical vectors for glitching. In some previous talks, I came across PIC microcontrollers that were found in home alarm systems and remote keyless entry keyfobs. These PICs had copy protection enabled. Defeating that copy protection and getting the code and data would be pretty useful: it would allow me to hunt for vulnerabilities in firmware. In this talk, I'll document my approach and results having built a glitcher to attack these PIC microcontrollers. I tried clock glitching and voltage glitching using an FPGA coded with Verilog, a Pickit3 PIC programmer and custom electronics. I didn't get a complete result, but so far I've been able to defeat the data protection. This gives me a first step into defeating the code protection.
Bio: Dr. Silvio Cesare is the Director of Anti-Malware Engineering at Qualys and is an adjunct lecturer on Reverse Engineering Malware at the Australian Defence Force Academy (ADFA/UNSW). Silvio is also author of the book Software Similarity and Classification, published by Springer. He has worked in industry within Australia, France and the United States. This work includes time as the scanner architect of Qualys, now the world's largest vulnerability assessment company. He is one of the organisers of BSides Canberra and lives there locally.
Hacking Fibre Channel (FC) Networks
Fibre Channel (FC) is the protocol used in most large Storage Area Networks (SANs).
SANs provide the storage for datacentres and medium to large enterprises. Furthermore, with the increase of server virtualisation, including boot from SAN and roaming server profiles, we are seeing a growing use of Storage Area Networks in the enterprise with little to no security incorporated in these largely unaudited networks.
It's not unusual to have multiple servers in a network sharing the same FC storage network, in fact, it is reasonable to encounter internal servers sharing this network with DMZ servers. By attacking the FC network, this could allow an attacker to gain access to internal data from an untrusted location on the network.
This talk covers the creation of an inexpensive FC test lab, how to inspect FC frames, some of the attacks that can be done on FC networks, and the possible (if any) mitigations.
Bio: Although a regular attendee at both networking and security conferences, this is Kylie's debut at giving a conference talk. Kylie studied Telco Engineering at ANU in the late 90s and has a Masters in Computer Networking with CSU. She has worked primarily within Network Engineering across government and private sectors and currently consults as a Network Engineer. In her spare time she enjoys building and breaking networks, pushing boundaries in security and knowledge.
VoWiFi and you! - how someone could have read your text messages!
Voice over Wi-Fi (VoWiFi) is being implemented by carriers around the world. Similar to VoLTE (Voice over LTE), there are security implications and problems that carriers need to address when implementing VoWiFi. This talk will explain what VoWiFi is and how it works, and will also give an example of a real world insecure VoWiFi registration implementation.
Bio: David is a security engineer at Atlassian where he breaks and fixes things. In his spare time he likes to *redacted* and *redacted*.
Why you shouldn't use SSL
Feds and intelligence agencies use taxpayer dollars to perform dragnet surveillance of Internet traffic. Using SSL makes their job hard, and increases the cost of intercepting your traffic. TLS makes it even harder. This talk starts with a very brief intro to encryption, moves into the history of SSL and why you shouldn’t use it, and finishes with coverage of its successor TLS. Current best practices on implementing TLS, including recommended ciphers and browser compatibility, will be discussed. Lesser known gotchas such as weak Diffie-Hellman and “imperfect” forward secrecy will also be covered. Trust the maths, not the programmer.
Bio: Security Consultant. Researcher of TLS/SSL. Yank by birth, Aussie by choice.
Wizzy (aka Josh)
Elevator Basics & Potential Future Vulnerabilities
This presentation will cover some of the basic aspects of elevators including roping, motors, control systems, shaft access and safety. Once the basics are covered, some of the more recent advances in the industry and their potential security repercussions will be covered.
More recent advances in elevators are centred around efficiency in dispatching elevators to passengers and ensuring the quickest trip, including in-elevator entertainment. These newer advances are generally being built on IP networks. For example, new hall panels that allow you to type in your desired floor are generally connected using Ethernet, and in-elevator entertainment is delivered using IP, transmitted to the elevator using VDSL technology. The use of these commodity network technologies brings these systems into the realm of more security professionals: all you need is an Ethernet connection. This presentation hopes to spur ideas and discussion around the future security of elevators.
Bio: Like many of us, Joshua has had an interest in computing and security for as long as he can remember. However, out of high school he pursued a career as an Elevator Technician (Electrician) where he spent over a decade in various roles including rescuing trapped passengers and designing security interfaces. More recently Joshua has transitioned into a role as a security consultant for a Sydney based firm.
Naval-gazing with Docker
This talk aims to cover:
- Intro to Docker,
- Demo: How to use Docker to deploy your tools to The Cloud™,
- Known attacks (& subsequent security patches) against different versions of Docker,
- boatloads of puns.
Bio: I'm totally going to break the 4th wall here, and say that I'm far too biased to answer this. I asked @justinsteven to write this for me, but instead he just got drunk on whiskey, and conveniently "forgot" his credit card PIN when it was his turn to pay the tab. You still owe me a scotch Justin.
Bitcoin, InfoSec & VC geek. Security beard @ ThoughtWorks.
Nathaniel & Shubs
Scrutiny on the Bounty (pun hall of fame plz)
This presentation will look at the relationship we’ve had with bug bounty programs over the last two years. We’ll be outlining methodology and releasing tools that we’ve developed solely to increase the return on time invested to get the best pay-outs possible for the least time put in. We'll be covering multiple methods for identifying assets belonging to an organization, visualization of data, and distributed brute forcing amongst other things. This presentation includes the release of two tools, Altdns and Assetnote, both being a contributing factor to our successes in bug bounties.
Bio: @nnwakelam: I work as a consultant and in my downtime I do hood rat stuff with my friends.
@infosec_au: Shubham Shah is a Security Analyst at Bishop Fox, a security consulting firm providing IT security services to the Fortune 500, global financial institutions, and high-tech startups. Shubham’s primary areas of expertise are application security assessment, source code review, and mobile application security.
Shubham is a former bug bounty hunter who has submitted high- and critical-risk bugs to the bug bounties of large corporations such as PayPal, Facebook, and Microsoft. He regularly conducts web application security research and frequently contributes to the security of open-source projects. He has presented at Ruxcon, Wahckon and Kiwicon. He's known in Australia for his identification of high-profile vulnerabilities in the infrastructures of major mobile telecommunication companies.
Prior to joining Bishop Fox, Shubham worked at EY. At EY, he performed web application security assessments and application penetration tests. Additionally, Shubham has been a contractor for companies such as Atlassian. As a contractor, he conducted external web application security penetration tests. Shubham also develops and maintains open-source projects such as Websec Weekly that assist the web application security industry.
Building Challenge Locks
Or more simply: improving your existing pin tumbler locks. Following an introduction to the design & function of pin-tumbler locks (e.g. your front-door lock) and quick-entry attacks against them, this talk looks at common tricks used by the lock-sport community in building ‘challenge locks’ for each other, and offers lessons learned for improving the existing pin tumblers in your possession, e.g. making locks bump resistant.
Bio: klepas is a German web designer and quasi-front-end developer, specialising in web accessibility and UI design, now thinking of breaking into the security industry — he likes locks, most things security, and well-set type.
Threat Landscape Gardening
This talk discusses visualisation and threat landscapes of "discrete technology solutions" that we encounter every day in public spaces, at work and as consumers of technology services.
The talk shows a process for solution component and potential exposure mapping through comparison with known solutions or concepts, by inferring from observable features, or just through digging and guessing.
By applying your experiences and understanding of other integrated solutions you can determine or infer what components would be likely to be in use in the solutions you encounter. Plus it passes the time on the way to work.
- discovery - mapping to known concepts
- researching the target solution
- threats: finding the edges
- gaining advantage
- threats: control improvement post-*
Bio: Neal Wise is director of Melbourne-based Assurance which he co-founded in 2005.
Neal's >25 year career as a sysadmin and consultant has centred around distributed solutions and the network and security duct-tape that holds them together.
Die Hard 7 - Passwords please
Since the FBI have decided to pull the legal lever rather than the technical lever, it might be a good time to explain how secrets are extracted from hardware and how this can be prevented with judicious application of expensive chips and pricey consultants.
This talk will cover in simple terms:
- Quick intro into modern chip design
- Review of attack techniques used and how they work.
- Cable TV cards, Secure Elements and "Chip n' PIN" cards
- Secure processors and Tamper resistance.
- How this prevents economically viable attacks.
Open Sesame - Bypassing BMCs Tradecraft
Owning BMCs: from Access Control Systems, HVAC, Fire Alarm Systems, Radio Signals Processing, Media Distribution Equipment, Telephony, Carrier Routing Equipment, Surveillance Systems to Elevators. These controls are ever present, highly common and almost always ownable. Join this session for tradecraft and lulz covering the vulnerabilities and weaknesses found in the contemporary design of BMC systems, and techniques to assess and exploit weak points within control systems and anything that supports a Building Management Environment in the current climate.
Bio: Dan is a lead security consultant at a bespoke, independently managed cyber security consultancy, covering the areas of security penetration testing and assurance, incident response and investigations, and technical security research. Dan specialises in network security and infrastructure exploitation, electronic and physical social engineering and intelligence analysis.
Global Honeypot Trends
Many of my computer systems are constantly compromised, attacked, hacked, 24/7. How do I know this? I've been letting them. This talk will cover over one year of my research running several vulnerable systems (or honeypots) in multiple countries including the USA, mainland China, Russia and others. We'll be taking a look at: a brief introduction to honeypots, common attacker trends (both sophisticated and script kiddie), brief analysis of malware obtained and the statistical analysis of attackers based on GeoIP. Are there differences in attacks based on where a system is located based on GeoIP? Let's investigate this together! Beginners to the topic of honeypots/threat intelligence fear not, the basics will be covered.
Bio: Elliott is an Information Security Consultant based out of Melbourne. He specializes in internal/external pentesting, security architecture, and social engineering engagements. He loves computer history, tracking bad guys, honeypots, an expertly crafted bloody mary and traveling the globe.
Kate Pearce & Dr Lucy Stewart
All your Bases are Belong to Us, the first 2^32 years of security
Biology and computer security are about the same thing - managing information with limited resources. In BC 45 000 000 001 war was beginning.
Often we talk about security as a result of problems around technology, people or process. It isn’t; it’s actually a result of evolution. But evolution has been working in the universe far longer than humans have been trying to outdo one another. In this talk we, a microbiologist and a security consultant, draw lessons from biology to illustrate how the security of technology is echoing both problems and solutions seen in the universe around us.
Nothing is secure in geological time; nobody cares that you’re secure if you’re extinct.
Bio: Catherine Pearce (@secvalve) is a New Zealand based Kiwi who moonlights by day as a Senior Security Consultant at Cisco. She refuses to specialise and as a result spends some time security testing, some time helping the builders, and some time dreaming about breaking a better world. She has spoken at conferences you've heard about but don't care about, as well as those you would care about if you had heard about them - and also Kiwicon. She wears yellow. If this doesn't make sense to you then you haven't seen her live - yet.
Dr. Lucy Stewart is a microbiologist with a focus on astrobiology. She is determined to find the limits of life and in so doing has become very practised at not quite killing very hardy organisms. She has "collaborated" with "volunteer" microbial test subjects from many walks of life. These include residents of the boiling water in hydrothermal vents at the bottom of the ocean, natives of the arid and frigid Antarctic dry valleys at the bottom of the world, and will soon swell to include immigrants from active volcanoes on isolated islands. Luckily, she doesn't get sea sick on research vessels...quite as much as some other scientists on board. She is not THAT kind of doctor.
Countering Cyber Adversary Tradecraft
Cybersecurity is a people problem. Hackers don’t hack computers; hackers hack the human assumptions and logic on which computers are built. This condition can also benefit defenders. Understanding offensive cyber tradecraft can present defenders with a range of opportunities. “Getting inside the hacker’s head” is essential to anticipating their actions. By “fighting the enemy where they are not” (Sun Tzu), defenders can regain the initiative.
The Offensive Cyber Tradecraft (OCT) taxonomy deconstructs the operational activities of an Advanced Persistent Threat (APT) – a manually driven, highly targeted operation to fulfil an enduring requirement. The OCT taxonomy’s four high-level tactics of Discover, Access, Assure and Leverage are deconstructed into 10 sub-tactics and then further into 28 techniques. The OCT can serve as a guide in hunting APT activity – activity that is undetected or undetectable by existing security appliances and detectable only by the defender with an understanding of offensive tradecraft.
Fifth Domain has used the OCT taxonomy in teaching cyber self-defence to a wide range of cybersecurity professionals. It has helped with understanding the principles of offensive tradecraft, which are needed to innovate new techniques in defending against the ever evolving APTs.