2021 Speakers

Main Track

Cassandra Cross

"Understanding the reality of fraud victimisation"

Christopher Vella

"Easy LPEs and common software vulnerabilities"

Samir Ghanem

"13 Nagios Vulnerabilities, #7 will SHOCK you!"

Iggy

"Cold case - catch a killer in 16 bytes?"

Adrian Justice

"☣️The Security of Emojis☣️"

Josh Johnson

"Electronic Hardware Design"

Understanding the reality of fraud victimisation

Presented by: Cassandra Cross

In 2019, Australians reported over $634 million lost to fraud, up from $489 million in 2018. This amount has continued to rise for more than a decade. Business email compromise (BEC) fraud was the highest category of financial loss for the first time, totalling $132 million, followed by investment and romance fraud at $126 million and $83 million respectively. From the outside, it is difficult to understand how so many people continue to lose such large amounts of money, given the prevalence of warnings and education campaigns. It is easy to blame victims and think that they should have known better.

This presentation examines the reality of fraud victimisation. It focuses on the techniques used by offenders to successfully persuade an individual to do something they would not ordinarily do. Offenders are argued to be highly skilled, tech-savvy individuals who can easily identify a weakness or vulnerability in a person and manipulate and exploit this for their own financial advantage. Despite what we may think, no one is immune to the potential of fraud victimisation.

Drawing from my own research in this area, this presentation outlines examples of various social engineering and psychological abuse tactics used by offenders to gain compliance to their requests. In doing this, the presentation counters the negative stereotype of fraud victims, and instead highlights the complex and dynamic characteristics of fraud victimisation. Finally, the presentation concludes with what can be done in the future to strengthen individuals against fraud.

Bio:

Dr Cassandra Cross is currently a Senior Research Fellow, Cybersecurity Cooperative Research Centre (CRC), and an Associate Professor, School of Justice, Queensland University of Technology. In 2011, while working for the Queensland Police Service, she was awarded a Churchill Fellowship to examine the prevention and support of online fraud victims worldwide. Since taking up her position at QUT in 2012, she has continued her research into fraud, publishing over 60 outputs across the policing, prevention, and victim support aspects of fraud. Further, she has been awarded over AUD$1.3 million in funding, largely to drive her research in this area. She is co-author (with Professor Mark Button) of the book Cyber frauds, scams and their victims, published by Routledge in 2017.

Easy LPEs and common software vulnerabilities

Presented by: Christopher Vella

When learning vulnerability research, I commonly heard how difficult 0-days are to find and exploit, especially with the advent of ASLR and other mitigations. It turns out there are vulnerability types that are actually super common in software, even really common software you'd find on almost any PC in someone's home or organization (AVs, PDF viewers, etc.).

In this talk I'll be walking through real examples of 0-days in common software I discovered during personal research (some patched, some still 0-days), with a focus on the methodology and tooling leveraged to discover these vulnerabilities, to demonstrate how some bugs are relatively simple to find. Most bugs are LPEs with the occasional RCE, all relating to third-party software on Windows.

Bio:

Security Researcher @ MSFT, typically a Windows vulnerability researcher (incl. hypervisors) and low-level dev (emulators, hypervisors, etc.) with newer ventures in macOS/iOS fuzzing and ARM64 dev.

13 Nagios Vulnerabilities, #7 will SHOCK you!

Presented by: Samir Ghanem

Nagios XI and Nagios Fusion are popular IT infrastructure monitoring tools that retrieve, store, and display device health on customisable web dashboards. Since a large portion of the Nagios code base is open source, it didn’t take long to realise the PHP code was littered with bugs. So, the challenge was set to find 13 vulnerabilities before Friday. After finding 13 vulnerabilities, we used the spare time to build an attack platform that leverages the vulnerabilities to take full control of a Nagios XI / Fusion deployment. This talk will provide details of the bugs and how we chained them together to create the attack platform now known as SoyGun.

Bio:

Samir is currently a technical lead in Skylight Cyber Security, where he conducts deeply technical assessments of organisations’ cyber security posture. As part of his work, Samir engages in original security research, often resulting in newly discovered software vulnerabilities and exploitation tools.

Cold case - catch a killer in 16 bytes?

Presented by: Iggy

CSI Miami fans will tell you that forensics is all about cool shades and mood lighting, but what happens when the tools can't tell the story?
In 2019 I was approached by some associates in a national law enforcement agency who wanted to know if I was interested in doing them a favour and having a look at a task that had the tools stumped. This presentation covers how I approached a forensic data recovery on an "old school" digital consumer device in my home lab, how the tools we rely on can fool us, and how just 16 bytes of data can help catch a cold case murderer.

Bio:

Iggy started out as a broadcasting technician babysitting high-power TV and radio transmitters on a mountain while also doing contract software development on CP/M and industrial control systems, including the infamous Australian Microbee.
Before it became the norm, he automated radio stations 2MG, 2PK and 2RG to allow unmanned after-hours operation. He spent time as a Unix system admin, service manager of a multi-outlet Apple & IBM dealership and small IT business owner before trying his hand as a NSW cop.
Iggy is often blamed for setting up the first sanctioned NSW Police intranet server (Win NT, Apache, MySQL, PERL), acting as a technical advisor during the NSWP restructure in 2002 and writing a lot of J2EE applications which continued to haunt his former police colleagues until well after he left "the job" in 2004. He then spent an interesting period as the CIO of a diverse food and wine industry company which he fondly describes as “like being stuck in a 3 year version of the Devil Wears Prada”.
For the past 13 years Iggy has "worked for the government" in various roles related to national security, "cyber" and electronics engineering.
Iggy was proudly kicked out of school in year 8 for spending too much time wagging, time he spent reading electronics magazines and writing software for the Department of Education psychologist!
His interests include electronics, embedded systems, digital forensics, information security, radio control modelling, volunteer road crash rescue, fire fighting and anything shiny!
Iggy was also the designer of the inaugural BSides Canberra badge in 2016.
He has no formal qualifications except an electronics trade certificate but is an avid learner with 14 SANS information security and forensics courses under his belt as well as many other electronics design, manufacturing and maintenance courses.

☣️The Security of Emojis☣️

Presented by: Adrian Justice

To some, Emojis are just a subset of Unicode, whilst to others, they are their own language. These days Emojis are everywhere, and they have some pretty interesting ramifications for both red and blue teams.
In this presentation I'll answer all of the questions you never knew you had, including:

  • What actually is an Emoji?
  • Can I call my Active Directory forest 🔥dc🔥.💎💎💎?
  • Is 🚫⌚🐂💩 an uncrackable password?
  • What happens when I pass an Emoji to my favourite security tool?
  • How badly can I break things by putting Emojis in the wrong place?

Bio:

Adrian is an Incident Responder/Hunter and, occasionally, a security researcher. During his free time he enjoys flying drones and developing games. @Zeroedtech on Twitter

Electronic Hardware Design

Presented by: Josh Johnson

Whether it be in your car, vacuum cleaner, or light bulb, embedded electronic devices are playing an increasingly important role in our lives. This talk will discuss how to design electronic hardware at home, allowing the benefits of modern technology to increase our quality of life. It will provide a high level, tool agnostic overview of the hardware design process, taking the audience from concept generation through to an assembled product, discussing key steps along the way with tips to ensure success in their project.

Bio:

Josh is passionate about electronics and spends his days designing the next generation of vehicles at Ford. He utilises his spare time to work on varying projects spanning embedded systems to RF, along with educating others about the wonderful world of electronics.