BSides Canberra 2018 Panel

Saturday 2.30pm - 4.00pm

Speakers:

Peter Gutmann

Peter Gutmann is a researcher in the Department of Computer Science at the University of Auckland working on design and analysis of cryptographic security architectures and security usability. He helped write the popular PGP encryption package, has authored a number of papers and RFC's on security and encryption, and is the author of the open source cryptlib security toolkit, "Cryptographic Security Architecture: Design and Verification" (Springer, 2003), and an upcoming book on security engineering. In his spare time he pokes holes in whatever security systems and mechanisms catch his attention and grumbles about the lack of consideration of human factors in designing security systems.

Jessica Smith

Jessica works (@itgrrl) within government to help ensure that ICT systems protect the data and privacy of citizens. She believes that trust underpins the successful delivery of government services, and that security, integrity, and transparency are critical to earning that trust. Jessica has a background in system and network administration, supplemented by experience in business and technical team leadership. Jessica is part of the ACT Government’s Cyber Strategy & Governance team, and is currently pursuing a Master of Cyber Security Operations at UNSW Canberra, ADFA.

Liam O’Saurus

Liam laboured for many years in the government cybermines before switching public-sector defence for private-sector offence. Liam's work involves attacking the information systems of businesses and government. His passion is not just breaking systems, but providing empathetic and actionable advice on how they can be improved. Liam is the Director of Consulting at Assurance...

Joe FitzPatrick

Joe FitzPatrick (@securelyfitz) is an Instructor and Researcher at SecuringHardware.com. Joe has spent over a decade working on low-level silicon debug, security validation, and penetration testing of CPUS, SOCs, and microcontroller. He has spent the past 5 years developing and leading hardware security-related training, instructing hundreds of security researchers, pen-testers, hardware validators worldwide. When not teaching classes on applied physical attacks, Joe is busy developing new course content or working on contributions to the NSA Playset and other misdirected hardware projects, which he regularly presents at all sorts of fun conferences.

Adam ‘metlstorm’ Boileau

Adam ‘metlstorm’ Boileau is a principal with New Zealand infosec consultancy Insomnia Security, where he balances burgeoning curmudgeonhood with technical delivery and training up the country’s largest hacker crew. Metl’s voice is familiar to many as the news-pundit on weekly infosec podcast Risky Business and as the MC of the flaming stages of now ten Kiwicons. He was once the number one google image search result for “linux beard”

Introduction:

Welcome to the BSides Canberra 2018 panel discussion! Ask the panelists questions as we go. Make it interactive!

The past year has been busy for cyber security. But it's been a busy every year for at least the past 15! We do, however, live in a post-snowden world where James Bond style cyber attacks are in the arsenals of nation states. It's a rebirth of the cold war with cyber being the medium of the choice for countries looking to maintain, rebuild, or develop power and capability.

Switch over to the home user and their personal information may or may not be in the posession of criminals. Their details may or may not be released in a database leak. Most users won't know either way. Their passwords are probably already in a database dump while they think they are watching youtube and reading secure email because no-one knows the name of their dog Benji and no-one will certainly be able to gain access via that secret security question.

The BSides Panel will look at the big topics. Well, at least we think they are big. Isn't exploit mitigation a big topic? Or mandatory data breach notification. Please god, can we go one year without discussing the shadowbrokers or Russia? Unfortunately, that year isn't this year.

Why are techies paid less than their managers?

It's a simple question. why? Is it right? Is it wrong?

WannaCry

What’s the story and who's to blame? Fact is certainly stranger than fiction. The NSA developed an exploit against Windows machines known as Eternal Blue. This exploit was stolen from the NSA and then released by the Shadow Brokers group believed to be Russian state sponsored actors. It’s claimed North Korea turned Eternal Blue into Ransomware which subsequently infected a high number of machines. To top it off, a kill switch was found by a researcher, who was then later arrested under the charges of writing malware. What’s the story we are missing? Who’s to blame? The NSA? The Russians? North Korea? End users? Microsoft?

Mandatory data breach notification

The laws have come into effect in Australia this year – How will it affect us?

Hardware and microarchitecture attacks

Spectre, meltdown, rowhammer. What else is out there? What are we going to find out about Intel ME?

Kaspersky a Russian plant?

What about Huawei? The supply chain? TAO group in the NSA? Is there anything we can do to trust our software and systems?

Is attacking and exploitation getting harder?

Are OS mitigations working? Is it easier to attack the hardware? Is newly developed code more secure? Are IOT devices going to take us back to zero? What about ipv6? Has offense moved entirely into web app testing?