To be announced on the day.
Understanding Real Threats for Real Security
Threat intelligence over the last decade has gone from being primarily a government function to being seen as a critical part of the security landscape. There is a greater understanding than ever before of how government-backed threat actors operate, with a flood of reports on named attacker groups and indicator feeds, but has that understanding led to a proportionate increase in security for the average user or organization?
In this talk Shane will cover some of what he has learnt tracking these threats over the last ten years and what actually matters. It will also cover how the reality of threats differs from the predictions of security researchers, and the opportunities and challenges ahead in creating a more secure world.
Shane Huntley is the director of Google's Threat Analysis Group. Since joining Google in 2010 he and his team have detected, analyzed, and disrupted serious and government-backed threats against Google and Google users.
Shane's core interests lie in combining Google's technology and resources to deliver tools that aid in the analysis of targeted malware, disinformation and phishing attacks. This work is also fundamental to separating reality from hype about the world of government-backed attacks, and to devising strategies for what we can do about the real threats.
Prior to joining Google, Shane was a technical director in the Australian intelligence community.
Intelligent Application Security
Over the past 20 years we have seen application security evolve from analysing application code through Static Application Security Testing (SAST) tools, to detecting vulnerabilities in running applications via Dynamic Application Security Testing (DAST) tools. The past 10 years have seen new flavours of tools to provide combinations of static and dynamic tools via Interactive Application Security Testing (IAST), examination of the components and libraries of the software called Software Composition Analysis (SCA), protection of web applications and APIs using signature-based Web Application Firewalls (WAF), and monitoring the application and blocking attacks through Runtime Application Self Protection (RASP) techniques.
The past 10 years have also seen an increase in the uptake of the DevOps model, which combines software development and operations to provide continuous delivery of high-quality software. As security has become more important, the DevOps model has evolved into the DevSecOps model, where software development, operations and security are all integrated. There has also been increasing use of learning techniques, including machine learning and program synthesis. Several tools have been developed that use machine learning to help developers make quality decisions about their code, their tests, or the runtime overhead their code produces. However, such techniques have not yet been applied to application security.
In this talk I discuss how to provide an automated approach that integrates security into all aspects of application development and operations, aided by learning techniques. This incorporates signals from the code, from operations and beyond, together with automation, to provide actionable intelligence to developers, security analysts, operations staff, and autonomous systems. I will also consider how malware and threat intelligence can be incorporated into this model to support Intelligent Application Security in a rapidly evolving world.
Cristina is a Senior Director of R&D, serves as the Director of Oracle Labs Australia and is an Architect at Oracle. Headquartered in Brisbane, the Lab focuses on Intelligent Application Security, aiming to make intelligent security of applications a reality, at scale.
For a more in-depth bio: http://labs.oracle.com/people/cristina
☣️The Security of Emojis☣️
Presented by: Adrian Justice
To some, emojis are just a subset of Unicode, whilst to others they are their own language. These days emojis are everywhere, and they have some pretty interesting ramifications for both red and blue teams.
In this presentation I'll answer all of the questions you never knew you had, including:
- What actually is an Emoji?
- Can I call my Active Directory forest 🔥dc🔥.💎💎💎?
- Is 🚫⌚🐂💩 an uncrackable password?
- What happens when I pass an Emoji to my favourite security tool?
- How badly can I break things by putting Emojis in the wrong place?
Adrian is an Incident Responder/Hunter and, occasionally, a security researcher. During his free time he enjoys flying drones and developing games. @Zeroedtech on Twitter.
Finding Tony Abbott’s passport number and entering the Do Not Get Arrested Challenge 2020
Presented by: "Alex"
I found Tony Abbott’s passport number in the HTML of Qantas’ “manage booking” page. The manner in which I found it did not possess ANY intent to subvert the Commonwealth of Australia. Wanting to do the right thing, I spent the next six months participating in the Do Not Get Arrested Challenge 2020, in which I try to tell the government about this in precisely the manner which avoids instant jail.
Anyone thinking about participating in the 2021 challenge, my #1 tip is: do not do a crime.
Things this talk is about: Boarding pass security, what happens when there isn’t boarding pass security, the consequences of my actions, calling everyone in Australia one-by-one, desperately struggling to contact the right person for the disclosure of cyber treason, my Twitter DMs
“Alex” is an Australian citizen with no convictions of cyber treason. Their hobbies include origami and Following the Law. They work on a Red Team, committing metaphorical crimes, and writing really really detailed confession letters.
On the side, they organise purplecon, a gentle, pastel, inclusive security conference, but it’s unclear whether the whole thing is like a joke, or what. Follow them on SoundCloud at https://mango.pdf.zone.
In 1633 “Alex” was excommunicated by the Catholic Church for insisting the Earth revolves around the sun.
Understanding the reality of fraud victimisation
Presented by: Cassandra Cross
In 2019, Australians reported over $634 million lost to fraud, up from $489 million in 2018. This amount has continued to rise for more than a decade. Business email compromise (BEC) fraud was the highest category of financial loss for the first time, totalling $132 million, followed by investment and romance fraud at $126 million and $83 million respectively. From the outside, it is difficult to understand how so many people continue to lose such large amounts of money, given the prevalence of warnings and education campaigns. It is easy to blame victims and think that they should have known better.
This presentation examines the reality of fraud victimisation. It focuses on the techniques used by offenders to successfully persuade an individual to do something they would not ordinarily do. Offenders are argued to be highly skilled, tech savvy individuals who can easily identify a weakness or vulnerability in a person and manipulate and exploit this for their own financial advantage. Despite what we may think, no one is immune to the potential of fraud victimisation.
Drawing from my own research in this area, this presentation outlines examples of various social engineering and psychological abuse tactics used by offenders to gain compliance to their requests. In doing this, the presentation counters the negative stereotype of fraud victims, and instead highlights the complex and dynamic characteristics of fraud victimisation. Finally, the presentation concludes with what can be done in the future to strengthen individuals against fraud.
Dr Cassandra Cross is currently a Senior Research Fellow at the Cybersecurity Cooperative Research Centre (CRC) and an Associate Professor in the School of Justice, Queensland University of Technology. In 2011, while working for the Queensland Police Service, she was awarded a Churchill Fellowship to examine the prevention and support of online fraud victims worldwide. Since taking up her position at QUT in 2012, she has continued her research into fraud, publishing over 60 outputs across the policing, prevention, and victim support aspects of fraud. Further, she has been awarded over AUD$1.3 million in funding, largely to drive her research in this area. She is co-author (with Professor Mark Button) of the book Cyber Frauds, Scams and Their Victims, published by Routledge in 2017.
Easy LPEs and common software vulnerabilities
Presented by: Christopher Vella
When learning vulnerability research I commonly heard how difficult 0-days are to find and exploit, especially with the advent of ASLR and other mitigations. It turns out there are vulnerability types that are actually very common in software, even really common software you'd find on almost any PC in someone's home or organization (AVs, PDF viewers, etc.).
In this talk I'll be walking through real examples of 0-days in common software that I discovered during personal research (some patched, some still 0-days), with a focus on the methodology and tooling leveraged to discover these vulnerabilities, to demonstrate how some bugs are relatively simple to find. Most bugs are LPEs with the occasional RCE, all relating to third-party software on Windows.
Security Researcher @ MSFT, typically a Windows vulnerability researcher (incl. hypervisors) and low-level dev (emulators, hypervisors, etc.) with newer ventures in macOS/iOS fuzzing and ARM64 dev.
The defender’s new clothes
Presented by: Eldar Marcussen
Proving vulnerabilities in modern web applications is significantly harder than it used to be, thanks to WAFs and other protection measures. This talk will discuss and showcase several bypass approaches, ranging from simple to advanced.
Eldar (@Wireghoul) is a lead security researcher and penetration tester. He is a long time bug hunter with a large number of published advisories, exploits and conference presentations at leading security conferences all over the world. He was a recipient of the first CVE 10K candidate numbers.
In addition to finding vulnerabilities, he contributes to and maintains several open source projects in his spare time aimed at web application security and penetration testing. These include graudit, doona, lbmap, dotdotpwn, nikto and more. His tools and research are featured in most security-oriented Linux distros as well as many industry-leading books.
Cold case - catch a killer in 16 bytes?
Presented by: Iggy
CSI Miami fans will tell you that forensics is all about cool shades and mood lighting, but what happens when the tools can't tell the story?
In 2019 I was approached by some associates in a national law enforcement agency who wanted to know if I was interested in doing them a favour and having a look at a task that had the tools stumped. This presentation covers how I approached a forensic data recovery on an “old school” digital consumer device in my home lab, how the tools we rely on can fool us and how just 16 bytes of data can help catch a cold case murderer.
Iggy started out as a broadcasting technician babysitting high-power TV and radio transmitters on a mountain, while also doing contract software development on CP/M and industrial control systems, including the infamous Australian Microbee.
Before it became the norm, he automated radio stations 2MG, 2PK and 2RG to allow unmanned after-hours operation. He spent time as a Unix system admin, service manager of a multi-outlet Apple & IBM dealership and small IT business owner before trying his hand as a NSW cop.
Iggy is often blamed for setting up the first sanctioned NSW Police intranet server (Win NT, Apache, MySQL, PERL), acting as a technical advisor during the NSWP restructure in 2002 and writing a lot of J2EE applications which continued to haunt his former police colleagues until well after he left "the job" in 2004. He then spent an interesting period as the CIO of a diverse food and wine industry company which he fondly describes as “like being stuck in a 3 year version of the Devil Wears Prada”.
For the past 13 years Iggy has "worked for the government" in various roles related to national security, "cyber" and electronics engineering.
Iggy was proudly kicked out of school in year 8 for spending too much time wagging, time he spent reading electronics magazines and writing software for the Department of Education psychologist!
His interests include electronics, embedded systems, digital forensics, information security, radio control modelling, volunteer road crash rescue, fire fighting and anything shiny!
Iggy was also the designer of the inaugural BSides Canberra badge in 2016.
He has no formal qualifications except an electronics trade certificate but is an avid learner with 14 SANS information security and forensics courses under his belt as well as many other electronics design, manufacturing and maintenance courses.
Attacking the TCache in GLibc 2.32
Presented by: Jayden Rivers
Attacks on the GLibc dynamic memory allocator have been continuously evolving over the past 20 years. New mitigations include double-free detection, metadata validation, and now pointer signing. The bar is always being raised. However, sometimes a mitigation can add complexity to a program or library, and in that added complexity new techniques or bugs can be discovered.
This talk has two major parts. The first is a high level overview of PtMalloc with a focus on the TCache. The second is a continued focus on the TCache from the perspective of an attacker attempting to bypass new mitigations. In particular, I detail the variants of a bypass which successfully overcomes Safe-Linking within the constraints set by Check Point Research's threat model.
I'm (@Awarau1) a second year Computer Science student at the University of Sydney. While completing my studies I've also been working at InfoSect doing vulnerability research and exploit development. My main interests are vulnerability discovery through automated and manual static analysis, binary exploitation, and theory of computation.
Electronic Hardware Design
Presented by: Josh Johnson
Whether it be in your car, vacuum cleaner, or light bulb, embedded electronic devices are playing an increasingly important role in our lives. This talk will discuss how to design electronic hardware at home, allowing the benefits of modern technology to improve our quality of life. It will provide a high-level, tool-agnostic overview of the hardware design process, taking the audience from concept generation through to an assembled product, discussing key steps along the way with tips to ensure success in their project.
Josh is passionate about electronics and spends his days designing the next generation of vehicles at Ford. He utilises his spare time to work on varying projects spanning embedded systems to RF, along with educating others about the wonderful world of electronics.
Oh my Pod: Lessons from building one of Australia’s biggest CTFs
Presented by: Sam
What will Western Australia export when we can’t dig anything more out of the ground? Could it be hackers? For four consecutive years, a volunteer team of pentesters, incident response specialists, software engineers, and infosec professionals from the Perth community have come together to build and run one of Australia’s largest CTFs.
WACTF0x04 was a two-day event that saw some 350 hackers from around Australia pop shells and solve DFIR cases across 52 challenges. More than 300 players were W.A. locals who competed for more than $15,000 in prizes. With over 3,600 Docker containers, 1.28 THz of compute, and 300 GB of RAM, the challenges we overcame as volunteers while building and scaling WACTF would put some enterprise teams to shame.
Let me show you how we do it, from development through DevOps, infrastructure through Internet. We'll explore the challenges of building an environment designed to be hacked, and takeaways applicable to conventional networks. We'll run through our efforts to minimise the Kubernetes attack surface, the difficulties of hard multi-tenancy, and how clusters get owned in the real world (or in other CTFs 😉). Lastly, we'll share what's in store for WACTF0x05.
Sam (@sudosammy) is a principal penetration tester and tech lead for Trustwave (formerly Hivint) in Perth. Also a SecTalks Perth and WACTF organiser, he pronounces ‘gif’ as ‘jif’ religiously which puts significant strain on his professional and personal relationships.
13 Nagios Vulnerabilities, #7 will SHOCK you!
Presented by: Samir Ghanem
Nagios XI and Nagios Fusion are popular IT infrastructure monitoring tools that retrieve, store, and display device health on customisable web dashboards. Since a large portion of the Nagios code base is open source, it didn't take long to realise the PHP code was littered with bugs. So the challenge was set: find 13 vulnerabilities before Friday. After finding 13 vulnerabilities, we used the spare time to build an attack platform that leverages them to take full control of a Nagios XI / Fusion deployment. This talk will provide details of the bugs and how we chained them together to create the attack platform now known as SoyGun.
Samir is currently a technical lead in Skylight Cyber Security, where he conducts deeply technical assessments of organisations’ cyber security posture. As part of his work, Samir engages in original security research, often resulting in newly discovered software vulnerabilities and exploitation tools.
Context Aware Content Discovery: The Natural Evolution
Presented by: Sean Yeoh, Patrick Mortensen, Huey Peard, Michael Gianarakis, Shubham Shah (@assetnote)
Content discovery involves the exploration of files, folders and API endpoints that may be accessible on a web server. Hackers must have a good understanding of what is accessible in order to test it effectively for security vulnerabilities. Without knowing what is accessible, security testing against the servers being targeted can be incomplete and less effective.
For the longest time, innovation in content discovery has usually been about making existing tooling faster, so that larger wordlists can be used. While this has been a welcome innovation for many people in the security industry, we believe not enough time and effort has been spent on making the actual process of content discovery more effective, and it hasn't kept up with modern technologies.
Modern frameworks such as Ruby on Rails, Django, Flask, Node.js and Golang typically define endpoints in a way that may explicitly require certain HTTP methods, headers, parameters and values in order to be reached. Present bruteforcing tools are not aware of this context and will fail to discover these specific API endpoints. Consequently, how much attack surface are security testers missing?
Our approach involves scanning the internet at large in order to scrape structured API documentation (JSON), allowing us to amass a large dataset (10k+ Swagger files) that facilitates context-aware content discovery. By reverse engineering this large dataset of structured API documentation, the team has developed a comprehensive content discovery wordlist that provides context for each request being made (HTTP methods, headers, parameters, values).
In addition to releasing this dataset, the team will also release a specialised tool which is capable of reading our wordlist and rapidly sending these requests to any target server. We will demonstrate the effectiveness of our new context aware bruteforcing approach in direct comparison with all of the current content discovery tooling available.
If you test web application servers, our presentation will give you the tools to be more effective at content discovery against modern technologies.
This project was a collaborative effort amongst friends, with each member of the Assetnote team working on different facets of the research. Each individual has years of experience in offensive security and bug bounties and has presented at conferences around the world, including DEF CON, Black Hat Asia, 44Con, Hack In The Box, THOTCON, BSides Canberra and BSides Las Vegas.
- Sean Yeoh - Back End Wizard
- Huey Peard - Chief Number Runner
- Pat Mortensen - Employee Number One
- Shubham Shah - Junior Vice President of Number Running
- Michael Gianarakis - Full Time Guitarist, Part Time CEO
Return to Sender: Bypassing Email Spam & Malware Filters
Presented by: Sebastian Salla
Ever wished you could bypass spam & malware filters to guarantee delivery of your spear-phishing email?
In this talk we'll focus on a set of extremely widespread and seemingly unknown security vulnerabilities that plague organisations across the globe. We'll show how these vulnerabilities can be abused at scale and how they expose which spam or malware filtering technologies are in use, their rules, the scoring of inbound mail and ultimately whether the filters can be bypassed altogether, all without any form of user interaction.
I'm currently a Cloud Security Engineer with McAfee, but I've also got a background in security operations, offensive security and risk management. I prefer a hands-on approach and strive to think with an attacker's mindset when working with my customers.
Outside of work, I love to work on open-source offensive security tooling and re-creating security breaches to keep up with the latest trends.