Joe FitzPatrick - Technical Keynote
Making the most of your Hard(ware) work
It's true. Hardware is hard, and the cards are stacked against it. Longer dev cycles, fewer iterations, tangible costs and a nonzero risk of bricking stuff make software look warm and fuzzy by comparison. On the flip side, a little bit of hardware goes a long way. Due to ignorance or laziness, it often catches the blind eye, which makes for some surprisingly vulnerable entry points to a system. I'll start by showing off a few simple tricks (including a couple of new ones) that depend on electrical, logical, and physical access to a system that might seem trivial, insignificant, or out of scope - but then we'll take a look at several scenarios where we could chain those tricks and escalate to full-blown system pwnage. I'll then pick apart each scenario to see what we can learn from a strategy perspective - how we make the most of a little hardware know-how, and how we can leverage simple hardware solutions to hard software problems - as well as how we can measurably harden a system against basic hardware attacks with just a little effort. Hopefully you'll come away realizing that hardware isn't always as hard as it seems, so both attacking with and defending against it are not only feasible, but essential.
Bio: Joe FitzPatrick (@securelyfitz) is an Instructor and Researcher at SecuringHardware.com. Joe has spent over a decade working on low-level silicon debug, security validation, and penetration testing of CPUs, SoCs, and microcontrollers. He has spent the past 5 years developing and leading hardware security-related training, instructing hundreds of security researchers, pen-testers and hardware validators worldwide. When not teaching classes on applied physical attacks, Joe is busy developing new course content or working on contributions to the NSA Playset and other misdirected hardware projects, which he regularly presents at all sorts of fun conferences.
Peter Gutmann - Technical Keynote
Cyberwar before there was Cyber: Hacking WWII Electronic Bomb Fuses
While the Allies went to war with mechanical and chemical bomb fuses whose origins dated back to the 19th century, Germany put a large amount of effort in the 1920s and 1930s into designing and fielding high-tech electronic fuses, which were far more reliable and versatile than standard chemical and mechanical ones. This led to an ongoing arms race that lasted throughout most of the war, with Allied bomb disposers coming up with increasingly ingenious ways of hacking the fuses and German armourers countering with ever-more-fiendish fuse designs. "Cyberwar before there was Cyber: Hacking WWII Electronic Bomb Fuses" covers the details of the contest between the attackers and defenders.
Bio: Peter Gutmann is a researcher in the Department of Computer Science at the University of Auckland working on design and analysis of cryptographic security architectures and security usability. He helped write the popular PGP encryption package, has authored a number of papers and RFCs on security and encryption, and is the author of the open source cryptlib security toolkit, "Cryptographic Security Architecture: Design and Verification" (Springer, 2003), and an upcoming book on security engineering. In his spare time he pokes holes in whatever security systems and mechanisms catch his attention and grumbles about the lack of consideration of human factors in designing security systems.
"Program analysis for reverse engineers: from T to ⊥"
"unrubby: reversing bytecode for the lazy"
"Secure Corroding with Rust"
"seL4 & Family: Fast, Trustworthy, Cheap, Deployed"
"It's a UNIX System - Intel ME, JTAG and FOSS BIOSes"
"BSides Entertainment System - Wearable gaming but your princess is in another castle"
"Contactless Access Control 2: Life, uh, finds a way"
"How much can commodity hardware help on closing microarchitecture timing channels?"
"Spectre and Meltdown: Speculative Execution Considered Harmful"
"Microarchitectural attacks: reflecting on 45 years of research since 'A note on the confinement problem'"
Social, OSINT & Locksport
"Freedom of Information - Hacking the Human Black Box"
"Operation Luigi: How I hacked my friend without her noticing"
"Low-Tech Answers to High Security Locks - Keying the Lockwood V7"
"The Count's A-to-Z of Windows Privilege Escalation"
"AWS Serverless Exploitation Public Attack Vectors"
"Get-GPTrashFire: Identifying and Abusing Vulnerable Configurations in MS AD Group Policy"
"Zero clients in the enterprise - Skating on THIN ice"
"A Wolf Among the Crowd"
"Hacking Deterministic Bitcoin Addresses"
"Demystifying SharePoint Security"
"Introduction to Cisco IOS analysis"
"Just because it works doesn't mean it's not broken"
Program analysis for reverse engineers: from T to ⊥
Program analysis is about developing tools and techniques to automatically reason about other programs. It has been an active research area for decades, and as a reverse engineer you probably use tools that do some sort of program analysis all the time - whether it's generating a control flow graph in IDA Pro or monitoring the execution of malware in Cuckoo Sandbox. This talk will focus on some of the more "academic" program analysis techniques, and how we can apply them to reverse engineering. We'll throw away most of the dense mathematical notation in favour of practical applications of techniques such as abstract interpretation, automated theorem proving and symbolic execution. The aim is to make a dense research field accessible to all!
Bio: Adrian is a research engineer with the Australian Defence Science and Technology (DST) Group and a visiting researcher at the Australian National University (ANU). His interests are in reverse engineering, program analysis and software security. For the last three years he has focused on applying program analysis techniques to reverse engineering problems. He spent the last year at the École polytechnique fédérale de Lausanne (EPFL) in Switzerland, where he worked on the latest release of the S2E symbolic execution engine (http://s2e.systems). He continues to maintain and improve S2E.
unrubby: reversing bytecode for the lazy
richö butts
Obfuscating code is typically the domain of native code, or at least statically dispatched bytecode VMs. Despite this, the rise of SaaS companies, combined with the existing enterprise market, is producing increased interest in attempts to obfuscate more dynamic, higher level languages. Presented will be a tool called unrubby, which uses a novel technique to generally defeat all obfuscation engines currently on the market. Instead of analyzing the obfuscated source, we abuse the dynamism of the containing VM to insert our instrumentation after the loader has run. Furthermore, by instrumenting runtime behaviour of the VM itself, attempts to obfuscate the resulting bytecode can be largely overcome without paying much heed to the techniques used, providing significant durability against upstream development, and excellent coverage on black box targets. While the implementation presented is targeted toward MRI, the gold standard Ruby interpreter, the techniques are applicable to all languages with a dynamic bytecode VM.
Bio: richö is one of them security jerks. He used to live in 'straya but then he sold out and moved to the US of A. If we're to be honest he spends the bulk of his time testing gravity still works so you don't have to - but he also works on mitigations and stuff at Stripe where they pay him to push the buttons on computers, and in his spare time he's been known to poke around inside bytecode VMs, move data about with noises, and debug processes.
Zemmi
Contain Yourself! is a talk about some of the hard lessons I've learned running Docker and Kubernetes in production. In this talk I'll be taking you on a wild ride, showing you how to exploit "standard configurations" for fun and how to mitigate these features for profit.
Bio: Eliza is a recovering Systems Administrator now working as a Security Engineer for a little software company based out of Melbourne working on the next big thing™
It's a UNIX System - Intel ME, JTAG and FOSS BIOSes
James "ec0" Hebden
In this talk I will explain the current threats to security and freedom presented by the various processor management engines (Intel ME, AMD PSP), their security footprint, and steps that can be taken to mitigate them. I will include a complete breakdown of where the ME and BIOS fit into hardware initialisation and how they interact with the host operating system and host CPU, including memory access and control potential. I will also include a practical demonstration of building and installing coreboot, and discuss free BIOS/UEFI payloads and implementations, including secured boot processes such as Heads and the tools required, as part of demonstrating what can be done to reduce the risk posed to your computing by these technologies. I'll also discuss the newly discovered JTAG interface which allows dumping and inspection of the ME via USB on the host, and what it means for ME and host security. I will also have with me the tools needed for flashing compatible laptops and will bring them to the HHV. I'm probably going to try to convince you to run Linux on your machine, too.
Bio: Voider of warranties, old hardware and FOSS enthusiast.
BSides Entertainment System - Wearable gaming but your princess is in another castle
Peter
Just before Christmas 1995, mum purchased a Nintendo Entertainment System and asked "how long should I let them play?" to which the answer was "let them use it as much as they want, they will get sick of it". She is still waiting for that day. In a never ending quest to make things work where they shouldn't, the BSides NES emulator was born. Come with me across the mushroom kingdom to find hardware power ups and software pitfalls in a quest to build a device fit for a princess. Topics covered will include Arduino IDE, C/C++, MVC design, NES internals, emulator basics, SPI, NodeMCU, graphics and hardware optimisations.
Bio: Peter is a secure software developer for the Australian Department of Defence where he spends his time writing software applications for critical systems. Outside of work he enjoys making devices do things they shouldn't and then never using them. Peter has previously worked as a software engineer for Robert Bosch and Thales Australia.
Low-Tech Answers to High Security Locks - Keying the Lockwood V7
Oliver Clayton
The Lockwood V7 is a well known high-security lock. The interesting pin setup coupled with the restricted keyway makes creating keys for the V7 a challenge. Learn how to create your own keys from easily accessible tools and materials.
Bio: Oliver is a Security Analyst and locksport enthusiast. He has a particular interest in the mechanics behind high security locks and the different ways you can bypass them.
Freedom of Information - Hacking the Human Black Box
Elliott Brink
FOIA (otherwise known as the Freedom of Information Act, or FOI/Freedom of Information in Australia) are government-based initiatives to permit the public to request information on various government records. In practice, these acts enable transparency of the operations of government to the masses with relative ease. For the past couple of years I've been hacking this human black box in order to determine the boundaries/limitations of what could be considered potentially malicious requests. I have been performing various technology-focused FOI requests in an attempt to answer one simple question: Can you utilise freedom of information to enumerate technical information from government agencies? Do you ever wonder if a government employee would provide you with such information if you asked really, really nicely? Let's find out together! Together we will study case studies of actual FOI requests performed on Australian and USA-based government institutions and (some of) the data revealed. Attendees will gain practical knowledge about: what FOI is, the caveats of FOI, how you can utilise FOI on red team engagements and other open source intelligence gathering activities, and finally (for the gov employees) how to monitor for and prevent such attacks against your institution.
Bio: Elliott Brink (Twitter: @ebrinkster) is an information security consultant based out of Melbourne, Australia. He specialises in internal/external pentesting, security architecture and social engineering. He loves computer history, tracking bad guys, honeypots, sparkling shiraz, an expertly crafted bloody mary, and traveling the globe.
Operation Luigi: How I hacked my friend without her noticing
"Alex"
Yep so I asked my friend if I could hack her and she said yes. This is about what worked, what went wrong, all the flubs I made, the critical business services of LinkedIn, and how to not suffer the same fate as her. Also Mario's green brother is there, and then that part takes a sinister turn.
Bio: Alex is your best pal, a five-time celebrity MasterChef winner, and your sweet mango boy. He fell off the back of a gently glowing ute 17 years ago, and now /haunts the Earth/. Critics have called him "aggressively wonky". He works on the Blue Team at Atlassian, doing incident detection and response. In his "spare" "time" he blogs at https://mango.pdf.zone.
The Count's A-to-Z of Windows Privilege Escalation
Lukasz Gogolkiewicz
This talk is a humorous view into the art of escalating one's privileges within a Windows environment. Lukasz plans to run through the alphabet, and match a Windows privilege escalation technique to be used offensively with each letter (there are so, so many). The idea behind this talk is to highlight the many ways one can escalate within a Windows environment, from Low to High, not from High to Higher.
Bio: Lukasz is a Managing Consultant with Alcorn Group, a Brisbane based company that provides security assurance services. Lukasz has been testing pens for a while now, working both in Australia and abroad, testing many many pens.
How much can commodity hardware help on closing microarchitecture timing channels?
Qian Ge
We investigate how different categories of microarchitectural state on recent ARM and x86 processors can be used for covert timing channels and how effective architecture-provided mechanisms are in closing them. We find that in recent Intel processors there is no effective way of sanitising the state of the branch prediction unit and that, contrary to often held belief, flushing the translation lookaside buffer on Intel processors does nothing to mitigate attacks based on this component. We further show that in both ARM and x86 architectures flushing all the hardware caches is not effective at closing cache-based timing channels. The implication of this is that resetting the microarchitectural state is basically impossible with the operations provided on commodity hardware.
Bio: Qian Ge is a fourth year PhD student who is working on eliminating timing side channels from seL4 with lightweight countermeasures. Qian is supervised by Prof. Gernot Heiser and Assoc. Prof. Kevin Elphinstone. My main research interests are in operating systems. Currently, the main theme of my research is inventing highly optimised operating system mechanisms for managing system resources. In particular, I am working on offering flexible kernel mechanisms to deploy information flow policies for enforcing temporal isolation. For example, I am investigating mechanisms for cloning kernel window mappings in order to mitigate the hidden information flow through a shared kernel image. I implement research prototypes on the seL4 microkernel and the Linux kernel.
seL4 & Family: Fast, Trustworthy, Cheap, Deployed
Ihor Kuz
Since the breakthrough of the world's first formally verified OS kernel in 2009, seL4 has been extended with new features, ported to new platforms, embedded with high-assurance user-level software, and demonstrated to protect against cyber attacks in unmanned helicopters, robots, autonomous trucks… In this talk we will give an overview of the latest achievements to make verified software a reality in real-world deployed systems and of the progress towards the remaining challenges to make verified software become mainstream.
Bio: Ihor has spent a lifetime playing with and programming computers and is now a principal research engineer at Data61/CSIRO working on microkernel-based operating systems and high-assurance software. He is part of the team responsible for seL4 - the formally verified operating system kernel. He is also a senior lecturer at UNSW, teaching distributed systems and supervising amazing students.
When not at the computer Ihor likes to spend time outdoors doing activities that could lead to bruises and broken bones, but is smart enough to (usually) avoid those results.
Spectre and Meltdown: Speculative Execution Considered Harmful
Yuval Yarom
Spectre and Meltdown are two recently disclosed attacks that exploit a vulnerability in speculative execution, a processor design feature that aims at improving processor utilisation. Due to the widespread use of speculative execution, most modern processors, and, by extension, most computing devices are vulnerable to the attack. This talk provides an introduction to the Spectre and Meltdown attacks, describes how they work and reviews suggested mitigation strategies.
Bio: Yuval is a Senior Lecturer at the University of Adelaide. His interests are in computer security and in cryptography, with a focus on microarchitectural attacks.
Secure Corroding with Rust
Cameron Ford
We all want to make our programs more secure and thankfully we have things to help us like static code analysis and coding standards. But what if you wanted to make a programming language more secure? That's one of the questions that motivated the development of the Rust programming language. Rust is a systems programming language with 3 goals: safety, speed and concurrency. This talk will look at 3 common bug classes (buffer overflows, use after free and data races), explore how they occur in code and then examine how Rust tries to contain or even prevent these bugs in its programs.
Bio: Cameron is enthusiastic about security and software development. As a day job this means leading a team developing tools to make red teaming faster and more reliable. In his own time Cameron can be found deving on other interesting problems that have caught his attention.
AWS Serverless Exploitation Public Attack Vectors
Matt Flannery
Functions-as-a-Service (FaaS) is an emerging application architecture quickly replacing traditional monolithic application architecture. Applications are moving towards microservices Service Oriented Architecture (SOA), which has presented an entirely new set of problems, of which education is sparse. During the talk, Matthew will demonstrate how functions implemented within AWS Lambda can be used to exfiltrate sensitive customer data in the absence of best security practices, which are unfortunately often neglected due to suggested default policies and application architecture experience. Some of the examples included will be:
- Common enumeration /recon paths for identifying a FaaS based architected application
- Exploitation vectors within the newly identified application
- Realistic exploitation attack vectors
- Methodologies for exfiltration of sensitive data, regardless of the security controls following best practices you may have implemented
Bio: Matt is a technology management consultant, currently working for Deloitte in Sydney, Australia. He is a passionate technologist with deep interests in Cloud, Information Security and DevOps and is currently working towards providing education for how Security can and should be automated throughout stages of the software delivery and operations process.
Marisa
As long as there have been multiplayer games online, there have been cheaters. Where there are cheaters, there is anticheat. Video game hacking shares many similarities with traditional hacking - hackers and anti-cheat developers are in a constant tug of war, with each constantly attempting to out-maneuver one another. This talk will examine this arms race by discussing how I built a radar hack for a popular online first person shooter. We will demonstrate how cheats have changed over time to adapt to more and more invasive anticheat measures: from the simple modification of game files to exploiting vulnerabilities in kernel drivers.
Bio: Marisa is an infosec enthusiast with a background in systems programming and networks.
Microarchitectural attacks: reflecting on 45 years of research since "A note on the confinement problem"
Paul Harvey
2018 started with Meltdown and Spectre, some of the most difficult and expensive industry-wide vulnerabilities we've seen. But did you know that branch mis-prediction side-channels had been measured as a threat to inter-process isolation in 2014? Or that hardware fault injection attacks against RSA encryption have been discussed since 1997? Or that the threat high-resolution timers pose was first discussed in 1974? 44 years later, web browsers are only now softening high-resolution timers in response to Meltdown/Spectre... We'll take a whirlwind tour through a random sampling of attack and defense research over the last few decades that punches holes through the most basic layers of abstraction we've long been complacent with: the humble CPU, and the hardware around it. We'll see how the microarchitectural complexity alarm bells have been ringing for quite some time, how "the confinement problem" has evolved over the years, and what design principles are needed for resilient solutions today.
Bio: I'm a software developer with an electronics background trying to build defendable things out of open source; a security engineering enthusiast adding technical debt at every layer of the stack. I've built Linux and web-related stuff, data things, embedded systems, and electronics for scientific computing, laboratory instrumentation, explosive gas atmospheres and communications environments. I also help out at my local hackerspace (MakeHackVoid), and you should too!
Zero clients in the enterprise - Skating on THIN ice
Eldar Marcussen
The use of thin, ultra thin and zero clients is on a rapid rise across enterprises. Large scale deployment of these solutions offers significant cost reductions in hardware, power consumption and technical support, while centralizing corporate assets through remote access. However, it also leads to heterogeneous networks that depend upon network connectivity and central management. The proprietary software can prevent administrators from applying stronger security measures and offers limited monitoring and logging solutions. Using traditional bug hunting skills, this presentation will demonstrate how to analyse a system from basic access to discovering a large number of significant flaws. These flaws are then combined to make a simple attack that will lead to enterprise wide rootkit/worm infection, capable of persisting past factory resets. The presentation includes background knowledge on thin or zero clients covering the software used and design problems faced during enterprise wide deployments. Strategies for finding and exploiting bugs will be covered in-depth, including combining multiple vulnerabilities for maximum impact.
Bio: Eldar is a penetration tester and security researcher with HackLabs. He is also an assessor for CREST Australia New Zealand and has worked closely with bugcrowd in the past. A highly skilled bug hunter and exploit developer, Eldar was a recipient of the first CVE 10k candidate numbers. He has also developed and delivered training courses on the art of bug hunting. In addition to finding vulnerabilities and writing exploits, he utilises his spare time to contribute to and maintain several open source projects aimed at web application security and penetration testing. These include graudit, doona, lbmap, dotdotpwn, nikto and more.
Contactless Access Control 2: Life, uh, finds a way
Ryan and Jeremy
Have you ever spent days waiting to clone the right card to get (back) into your highly secure access controlled building? Remembered your lockpicks but left the proxmark and SDR at home? We have a solution for you! Presenting the sledgehammer approach to completely avoiding the problem and exploiting the weakest link with our latest must-have portable-ish physical security appliance. Now 86% less likely to explode…
Bio: Ryan is an aspiring hardware whisperer and academic-in-training with an incurable and likely fatal side project problem. Jeremy is a dark wizard disguised as a security person who has dedicated his life to freeing the helpless blue smoke trapped inside modern electronics. Together they travel the solar system (at roughly the same speed as pretty much everyone else) bringing overly complicated hardware to life to solve real world problems.
Get-GPTrashFire: Identifying and Abusing Vulnerable Configurations in MS AD Group Policy
Mike Loss
AD Group Policy is a very big gun, and admins shoot themselves in the foot with it all the time. In this talk, l0ss covers the basics of what Group Policy is, what it's for, and how it works, followed by a practical approach to identifying and abusing the most commonly seen mistakes admins make with this under-explored but extremely powerful feature of Microsoft AD. Also, a script to make things easier, because hackers like scripts.
A Wolf Among the Crowd
Nilesh Kapoor
Unbeknown to them, a lone hacker has gained physical access to their secure office. Sitting amongst them, hiding in plain sight, the hacker manipulates and weaves through the social fabric of the office. A smile here, a nod there, building trust everywhere. Our hacker remains focused on his objective: the coveted server room. Mustering up all his confidence, he reaches for the door handle and … This talk draws deeply upon our experience in physical security assessment. We will share our real-life experience and methodology in gaining access to places where we shouldn't. We will focus on practical tips and tricks to enlighten and delight the audience. Learn how to be seen, but not seen. See how we convince (or confuse) our targets.
Bio: Currently working as a senior pentester with Aura Information Security. He is the co-author of "Security Testing Handbook for Banking Applications" published by IT Governance. He has over a decade of experience in security consulting, red-teaming and application security. He is also a registered penetration tester with CREST and a CISSP certification holder.
Just because it works doesn't mean it's not broken
Sharrow
It is a truth universally acknowledged that a company that is in possession of computers must be in want of a red team. However, if for various prejudicial reasons this seems unlikely to happen, there are a number of things you can learn from hanging out with the sort of people who wear black hoodies with the hoods up, even if they're not all up in your network shares reading spreadsheets. Looking at your setup from an adversary's perspective can be very helpful in figuring out what your threat model actually is (what do you care about? how would they get there?) and can give you the chance to build some effective real-world defences against them. It can also help you manage the long tail of technical debt and "heritage environments" that are too old to be patched, and too important to turn off. It cannot help your nihilism, but at least you don't have to write reports.
Bio: Sharrow (localised to en_AU.UTF-8 as Shazza) still kinda wants to be an archaeologist. Instead of happily building a comparative collection of coprolites, she daily wades through the general sewers of sysadmin administration, trying to determine the use of ritual node.js objects in critical infrastructure. Otherwise, she inflicts bunting, glitter, and fancy verbiage on the rest of the Kiwicon Crue. She is overly fond of punctuation, footnotes, ruining her sleeping patterns, and the Oxford comma.
Hacking Deterministic Bitcoin Addresses
Michael McKinnon
Bitcoin addresses are generated using Elliptic Curve cryptography, specifically secp256k1, which until Bitcoin started wasn't that widely used. In short, it takes an input of up to 256 bits of entropy - which is all that separates you from an untold fortune! A Bitcoin address is nothing more than a convoluted hash of the EC public key, and while it might avoid exposing that same public key prematurely on the blockchain, there is still an opportunity to brute-force it. For example, feeding a password cracking wordlist into a home-made "deterministic" Bitcoin address generator reveals some interesting results. The theft of Bitcoin is nothing new, but it's still happening, right now, to victims who know no better.
Bio: Michael is the Practice Manager at HackLabs in Melbourne, where he manages a team of penetration testers, helping provide technical assurance and guidance to some of Australia's best-known brands. He previously served in a global role at AVG Technologies (acquired by AVAST) as Director of Security Awareness. With a deep technical background, Michael enjoys researching and writing about security on his personal blog. Interests include Cryptography, Risk Management, Business Management for Cybersecurity Resilience, Security Automation & DevSecOps, and the emerging risks related to Cryptocurrencies. Michael has also been a past member of the Steering Group Committee for the Australian Government's Stay Smart Online initiative.
Demystifying SharePoint Security
Michael Skelton
A SharePoint security talk taking the perspective of an attacker, penetration tester or internal administrator to demonstrate common weaknesses in SharePoint, and how to identify them.
Bio: Currently working as a Security Consultant for NCC Group with a focus on Web Application testing. Coming from a software development and SharePoint consulting background, Michael aims to help improve the SharePoint Security space. Additionally, Michael maintains a number of open source security products including NoSQLMap and VHostScan.
Introduction to Cisco IOS analysis
Adrian Justice
2015 saw the discovery of SYNful Knock, the first known instance of malware for Cisco IOS devices. Fast forward to 2018 and no additional samples of IOS malware have been found, which begs the question: is no one writing IOS malware anymore, or are we just not finding it?
This presentation will provide a look at what makes up an IOS system image and memory dump, how to process IOS system images so they play nicely with traditional analysis and reverse engineering tools and ultimately lower the barrier for security researchers to get started analysing Cisco IOS and discovering new malware.
We will also take a quick look at some of the non-malware based attacks that are being utilised today.