Speaker Details

Check out our awesome speakers for 2019!

Duncan Alderson

Duncan is a Director within PwC Australia's Cyber Security and Forensics practice. He has over 18 years' experience in offensive and defensive cyber security roles and is the lead for the National Operational Technology Cyber Security capability and the Perth Cyber Security team. He has worked in the United Kingdom, Indonesia, Abu Dhabi, Singapore and Australia.

Hacking the Grid

Critical Infrastructure and Operational Technology (OT) have finally been getting the coverage and attention that they require when it comes to cyber security. Operational Technology has only recently been networked, and now with the emergence of IoT and Industrial IoT, systems that were deployed over 10 years ago face new threats they were never designed for. Many organisations say they are secure due to network segregation, or even air-gapped networks between corporate and operational networks, but in the same breath talk about IT/OT convergence. So what is the real truth? During this talk Duncan will explain how his team has been hacking into electrical grids, oil platforms and other industrial sites over the last seven years, and ways to make it a little harder for the adversary.

Josh Armitage

Josh is a Principal Consultant at Mechanical Rock and has 10 years' experience across a range of operations and development roles. Known as the giant one at Mechanical Rock with glorious hair, he regularly speaks around Perth on topics ranging from getting the most out of your local development environment to delivering deep presentations on core technical problems and solutions.

Having worked at companies during security incidents, and having been charged with security remediation and with building security in from the start in multiple scenarios, he is always looking at how to make security both understood and part of the team culture.

Internal Red Teams - Practicing what you preach

Being brought in as cloud native experts into organisations both big and small means that we need to be both current and succinct with our security guidance. As companies move into the cloud, it presents a different set of challenges, with different threat models relative to on-premises installations. We believe the best way to distribute understanding and revise our processes is by stress testing them under realistic scenarios. This talk is the story of how we organised a surprise red team event, orchestrated by a small group within the company, to test not only our processes but also our people under fire.

Andrew Bailey

Andrew spent 15 years writing software products, mostly in the systems, application and network monitoring spaces. After being involved in the application security uplift as a developer in his previous role, he moved on to be a founding member of Telstra's Secure Code team, and is currently trying to help secure all the code they produce.

Validate your inputs! Is this really the message we want to send to developers?

Often one of the key bits of advice security professionals give is around input validation. We need to whitelist the correct data to prevent abuse cases. But is this really the right way we want to get developers to approach the problem? I am going to look at what I think the current methods for doing this are, and how that might not be the best way of doing things. And perhaps there is a better message we can send.

Tristan Bennett

Tristan has been in the security field for over a decade now and during this time has worked with organisations large and small. Log files and Python now consume more hours of the week than is healthy, but at least every day is different.

How Testing A Monitoring Rule Led to A Microsoft Bounty

Testing SIEM rules is essential to their success, as so many things can go wrong from log source to correlation. The best correlation rule is useless if the data being fed into it isn't what is expected. This talk will follow through testing a number of easily deployed attacker tools and provide some tips on the things that can go wrong along the way. Logging covered will include Windows Security, PowerShell and Sysmon.

Silvio Cesare

Dr Silvio Cesare is the Managing Director at InfoSect. He has worked in technical roles and been involved in computer security for over 20 years. This period includes time in Silicon Valley in the USA, France, and Australia. He has worked commercially in both defensive and offensive roles within engineering. He has reported hundreds of software bugs and vulnerabilities in Operating Systems kernels. He was previously the Director for Education and Training at UNSW Canberra Cyber, ensuring quality content and delivery. In his early career, he was the scanner architect and a C developer at Qualys. He is also the co-founder of BSides Canberra - Australia’s largest cyber security conference. He has a Ph.D. from Deakin University and has published within industry and academia, is a 4-time Black Hat speaker, gone through academic research commercialisation, and authored a book (Software Similarity and Classification, published by Springer).

Coccinelle for Bug Discovery in C Source Code

In this talk, I use a tool called Coccinelle to discover bugs in C source code. Coccinelle uses a Semantic Patch Language and takes code templates to identify and, if desired, patch the relevant source code. The Linux kernel team uses Coccinelle to prevent bug patterns in git commits. I've written over 50 templates that describe the majority of bugs listed in the SEI CERT C Coding Standard. From this, I've scanned 500 random packages in Ubuntu and found numerous bugs. I've also looked at every package in the Ubuntu 18.04 LTS repository and pulled out every SUID binary and its associated source. I automated this approach and have regular and frequent scans of these packages to identify accidental introduction of bugs. Finally, I've used the NSA-released reversing tool Ghidra to decompile binaries in headless mode. I've dumped firmware from embedded devices using the BUSSide, extracted filesystem images with binwalk, decompiled relevant non-x86 system binaries, and passed the source code to my Coccinelle scripts. Overall, Coccinelle is a tool that makes writing custom and generic static analysis tools for source code practical for many people.

George Coldham

George Coldham has been a techie and tinkerer since the days of dial-up BBS and still yearns for the simple days of VGA, low resolution and watching a VGA image load line by line... A Consultant in the Modern Workplace Practice at Empired he gets to play with a blend of new and old technology, on premises and "as a service" all day long. George is the Vice Chair of the Australian Computer Society in Western Australia, and sits on the Management Committee for the Australian Computer Society nationally.

Learning new things is what keeps his passion for technology thriving, followed only by sharing what he has learned. Loving a good chat about most things tech, food and life, don't be shy to come and say hi!

Raspi Workshop

For this Raspberry Pi workshop, George will cover setting up and configuring a Raspberry Pi Zero W for use in penetration testing or general network administration. If you'd like to attend, don't forget to grab your pack from https://coreelec.io/kitbsideperth. You will need the contents of this pack to participate in the workshop, in addition to a laptop.

Iain Dickson

Iain is a software engineer / data scientist who has fallen into the Cyber profession. He has previously worked as a Cyber Security Research Engineer, and as a Cyber Threat Intelligence Technical Lead for the Australian Government. He currently acts as a Security Operations Team Lead for Leidos Australia on an Australian Government contract.

Cyber Threat Intelligence - It's not just about the feeds.

Although the practice of collecting and using intelligence has been studied and conducted by governments and the military for centuries, its application to cyber security has only recently been highlighted. This area of infosec has been termed Cyber Threat Intelligence, where the marriage of traditional intelligence techniques and analysis with deep technical understanding of the cyber domain is used to predict future actions by threats through long term analysis and modelling. This approach is then used to support both proactive and reactive cyber security actions, from incident response to penetration testing. This presentation focuses on threat intelligence from a practical data perspective, moving away from just the commercial concept of threat intelligence feeds (although these form one part of the equation). It will approach threat intelligence from an analyst's perspective of what questions need to be answered to effectively investigate an incident, using the Diamond Model and Cyber Kill Chain as framing devices. These questions will then lead to examples of the data that can be used to answer them. Although data collection has traditionally focused on external cyber information, more often than not it is actions outside of those seen within an organisation's network, or even outside cyberspace, that provide context to the actions a threat takes. Finally, we provide a number of use cases in which the results of threat intelligence processes can be applied within a Security Operations Centre, including Incident Response as well as traditional Penetration Testing and Red Teaming.

Aaron Doggett

Aaron is an infosec generalist who has played this game long enough to recognise that there are plenty of ways to make it in this industry.

Bad Career Advice

Ever wanted to build an infosec career, or possibly a company in this space but don't want to rely on talent, capability, good ideas, and the need for years of hard work? Then this talk is for you.

This session will present a short-cut to stardom and riches in cyber-security, showing you how to get your profile, reputation and company squarely in the top-right quadrant in a 100% legal way.

Or you could view this talk as things to watch out for and avoid, but I like the other way more.

Ricki Burke

Ricki is the Director and Founder of CyberSec People and partners with organisations around ANZ to hire infosec (cyber security) professionals. He is embedded in the security community, is active at cons and meetups, and has built many friendships along the way. With a passion for supporting people to break into security, he has helped many land their first job in the industry.

Wanna get into Infosec? Here's what you need to know

Aimed at students and those looking to get into information security, this presentation endeavours to provide information to those looking to get into this highly competitive and challenging field. Join Ricki and Lukasz to get the perspective of a recruiter and a hiring manager, and be provided with a step by step guide to:
-Explaining the industry: consultancies, internal teams, research teams, etc.
-Highlighting the motivations behind each one of these places, what they do
-Breakdown of jobs
-Certifications
-What skills to learn for relevant jobs
-How to make yourself stand out in a competitive industry

Plus, a brief story of how Lukasz and others got into the industry. Also, career guidance for experienced industry professionals.

Lukasz Gogolkiewicz

Lukasz works for Context Information Security, based in Melbourne Australia. He has been in the field of security for a while now and has tested many pens.

Wanna get into Infosec? Here's what you need to know

Joint presentation with Ricki Burke; the abstract is given under Ricki's entry above.

Julian Gutmanis

Julian is a Perth native who, until recently, held an expatriate position with a major oil and gas company in Saudi Arabia. During this time, he and his team uncovered a state sponsored attack against a petrochemical facility that was later branded Triton/Trisis. Julian has over 12 years' experience in IT and OT security, and has worked throughout Asia-Pacific, the USA, Europe and the Middle East.

Finding Trisis

This presentation will provide an overview of the approach taken to investigate a real world incident that was traced to a nation state attacker with significant mal-intent.

Luke Jahnke

Luke (@bitcoinctf) is a security researcher working for elttam in Melbourne, Australia. He enjoys playing CTFs as part of the team TheGoonies, which recently won the Kiwicon and Crikeycon CTFs.

Session IPA: Sessions' Interesting Protection Anomalies

PHPSESSIONID, rack.session, play_session, JSESSIONID... do these terms seem familiar? In most languages and frameworks, the internals of session management are completely hidden from developers. In this talk, we are going to cover how sessions work across different languages and frameworks, as well as what advantages and disadvantages each implementation brings. We will also look at vulnerabilities impacting sessions in recent years.

Louis Nyffenegger

Louis (@pentesterlab) is a security engineer based in Melbourne, Australia. He performs pentest, architecture and code review. Louis is the founder of PentesterLab, a learning platform for web penetration testing.

JWT Parkour

Nowadays, JSON Web Tokens are everywhere. They are used as session tokens or just to pass data between applications or µservices. By design, JWT contains a high number of security and cryptography pitfalls. In this talk, we are going to learn how to exploit (with demos) some of those issues.

Matt Jones

Matt works at elttam, and is interested in low-level code auditing and cooking big pots of curry on weekends.

Understanding the Chromium Sandbox on Windows

This talk will look at the Chromium sandbox, an important piece of technology that is used by the world's most popular web browsers to help protect systems from full system compromise. The area of browser sandboxing is relevant to everyone, and will very likely continue to be for some time.

The goal of the talk is to provide a good overview of what the Chromium sandbox is, how it works on Windows, how it's gone so far, and where this space may be going. The talk will include:
- An introduction on the history, architecture, and design of the Chromium sandbox
- A walk-through and a bunch of demos to understand the evolution of browser sandboxing on Windows: the types of offensive research and exploits that we've seen, how countermeasures have been developed, and how Windows 10 has evolved until now to support the Chromium sandbox.
- Closing with a look at the future for browser sandboxing on Windows

Paresh Kerai

Paresh Kerai is currently a Technical Manager, part of the Sapien team, managing the technical aspects of the technology and infrastructure.

He is also a security researcher specialising in cyber security for control systems and network infrastructure, as well as computer forensics. Paresh has over 10 years of computer and network security and industrial control system experience, and has consulted to various organisations in both the private and government sectors. Paresh has a Bachelor of Computer and Network Security with First Class Honours and holds various computer security industry certifications. He is passionate about threat intelligence, threat hunting, computer and network forensics, wireless security, IoT devices, penetration testing and operational technology security.

Paresh is a strong information technology professional, currently pursuing a Doctor of Philosophy (PhD) focused on Industrial Control Systems and SCADA Security at Edith Cowan University.

Unknown Security Wounds in Local Market

Application security for organisations within Australia has been forgotten, with more focus put on infrastructure, network and device security. We have seen so many database breaches of personal identification data; almost every day we hear of a database breach in the news. This shows that organisations are not putting enough focus on secure application design, configuration and application.

The talk will run through a few critical application vulnerabilities and security misconfigurations of web applications I discovered while doing security research, which exposed critical customer and user databases. The talk will share some experiences of working with the team to solve the issues, and the constraints and challenges we face in solving such security vulnerabilities.

Sajeeb Lohani

Sajeeb Lohani is a penetration tester at Privasec, with years of prior development experience. Having graduated from Monash University with a Bachelor of Software Engineering (Honours) in 2017, Sajeeb remains passionate about contributing to and improving cyber security research. Sajeeb gives back regularly to the Melbourne cyber security community by founding the Monash Cyber Security Club, presenting at SecTalks, and mentoring at the Australian Women in Security Network (AWSN) Cadets workshops. Sajeeb also runs initiatives which attempt to responsibly disclose security issues within open source software projects, making the world of software ‘more secure’.

C.I. can make $$$ from thin air

We have all used free tools, easily available on the internet; however, these tools are often open to misuse due to the lack of visibility and planning performed by the project team. This talk covers how people can utilise such resources, outside of their intended use case, in a malicious way. Using TravisCI as an example, we will look into what essentially can become a distributed super computer, to mine bitcoins, perform distributed password cracking, and launch distributed denial of service attacks, free of any cost whatsoever. This attack will be displayed in a demo. We then introduce core threat modelling concepts, which allow us to look into how such edge cases can be identified and how they can be remediated prior to publicly releasing such software.

Chris McCormick

Chris McCormick is a freelance software developer and open source hacker building apps for business, decentralized web, procedural art, and music tech.

Bugout: practical decentralization on the modern web

Bugout is a JavaScript library for building decentralized applications on the web. This talk demonstrates how to build your own decentralized peer-to-peer and client-server web apps using Bugout. The talk will also cover the cryptography and architecture of the library, its relationship to WebTorrent (BitTorrent for the web), and ways of accomplishing traditionally centralized activities in a decentralized setting.

Kylie McDevitt

Kylie McDevitt has been working in infosec for the past 10 years and is currently a Technical Director leading a team performing security research on emerging technologies. Prior to this she was a Senior Engineer at Australia's largest telco. Kylie co-founded and organises BSides Canberra, and lectures part-time at UNSW Canberra.

Changes in the Core - a security analysis of future networks

Modernisation of society with the adoption of IoT, smart devices, and massive machine-to-machine type communication has led to proposed changes of the underlying network infrastructure. This talk is a deep dive into network concepts that are current hot topics and their relative security impact.

Hannah McKelvie

Hannah left her job in IBM's UK development laboratory back in 2006 "for one year". She then spent the next 11 years working throughout South East Asia, before moving to glorious Perth. After 15 years on the other side of the IT fence, in 2017 she moved into Cyber Security and she now leads two teams - Secure Code and DevOps Security.

Is there anyone on board who can fly a DevSecOps plane?!

We are three years into our Enterprise Secure Code program, and last year we embarked on DevSecOps at scale. We are one of Australia's largest Telcos, and we are fundamentally transforming the way our company releases code into production.

We have a huge and exciting goal of securing every line of code (*that we own and have written) without slowing down our development teams. In this talk I will describe the evolution of the Secure Code team and then walk through examples of how our initiatives are succeeding in helping projects to go live with fewer vulnerabilities and fewer interactions with Cyber Security.

Born out of the Secure Code team, we also have a DevOps Security team with an equally exciting goal of delivering Security at Speed. In this session I will also share how DevSecOps has evolved for us, who our stakeholders were, how we built and established critical relationships, and where we have landed with DevSecOps today, before diving into one of our key initiatives - our Security Champion Program.

Touching on the people, process, and technology aspects of creating an Application Security Capability that supports DevSecOps, I hope to leave you with an understanding of the approach we took, and key examples of what is working really well so that your Monday morning will be full of ideas about who to persuade and convince in your own organisation.

Tim Peters

Tim is a security consultant with DXC Technology and has been around the block a few times. Over the last 20 years he has worked in a variety of security roles in many organisations which has given him a unique perspective.

Tim dabbles in all aspects of security and in his spare time loves long walks on the beach, sunsets and popping shells.

Security In A Box - The Poor Person's Guide To Security

A lot of organisations don't have the budget and don't know where to start. I will take you through some easy steps to get your security program up and running without breaking the bank.

Good security is about finding a balance between protection, control, budget and productivity and with the right approach, you can implement a robust security program on the cheap.

I will provide you with real world templates and examples of how you can get started even if you are new to security. I will discuss the importance of, and how to go about:

- Developing A Strategy & Roadmap The Easy Way
- Gaining Visibility Of Your Environment
- Choosing What To Invest Your Money On (The Top 5)
- Reducing Your Attack Surface
- Educating Your Users
- Measuring Your Progress

This will get you started on your journey and improve the overall security of your organisation.

Josh Qwek

Josh is the cyber security architect for the University of Western Australia, and is passionate about making cyber easier for everyone not in cyber.

The language of Cyber Risk.

How long can you scare your customers or cry wolf before they stop believing in you? We need to change the way we engage our clients to something more positive, and position the profession as a business enabler and much more than just a gatekeeper.

Using the SABSA framework/methodology, the presentation will present an approach to framing the risk context in a meaningful and productive manner for our stakeholders.

Sam Reid

Sam is a Senior Penetration Tester for Trustwave (formerly Hivint) in Perth. He also leads the technical side of WACTF, the state's largest standalone CTF event. When not stressing about that, you can find him politely educating people on the correct pronunciation of “gif” or performing cutting edge research into maximising your swipe:match ratio on Tinder. This presentation, however, is somewhat less serious.

A blindfold for my cat? I Wish.

Behind Amazon and Alibaba, Wish is the largest e-commerce marketplace in the US by sales. It also tried to sell me a fossilised Alien penis for $40 one day. What has the world come to? And why does Wish dominate our feeds when most of the products advertised breach Facebook and Instagram’s policies, or are completely nonsensical? And most importantly, is $40 reasonable? Let’s learn about the algorithm that determines your need for a plastic tongue and why Wish is happy to pay $100 million a year for it to continue doing so.

Raymond Schippers

Raymond Schippers is the lead incident response analyst for Check Point in the APAC region. He has over a decade of IT security experience and loves tracking down bad guys and working with organisations on how they can enhance their defences to deal with threats.

Attackers in the Castle: Responding to persistent attackers inside your systems.

Based on lessons learnt from our investigations into targeted attacks, by both cyber criminals and state sponsored attackers, defenders will be provided with advice on how to better defend their castles, common mistakes made when building new castles, and better ways of responding to these incidents quickly and effectively. This includes easy changes that can be made to Active Directory to harden it, using open source intelligence to look for common attack patterns, ensuring business continuity plans are in place and work, and ensuring defenders don't repeat common configuration mistakes we have seen in the cloud. The talk will also discuss how, if an attacker did compromise the system, you can detect it, and what steps you need to take to start cleaning up post invasion.

Barnaby Skeggs

Barnaby Skeggs is a Digital Forensic and Incident Response (DFIR) analyst from Western Australia with an interest in cloud security and automation of incident response procedures.

After establishing his career in forensic consulting, Barnaby moved across the globe to Canada, where he worked internal security operations for a Credit Union in Vancouver.

Barnaby has returned to Perth and now performs incident response as a Senior Security Consultant with FireEye Mandiant.

Investigating Google Cloud Platform Compromise Using Timeline Analysis

In this presentation Barnaby Skeggs will step through an investigation into a Google Cloud Platform (GCP) compromise. Barnaby will demonstrate how to acquire, manipulate, normalise and review GCP logs using two tools which he is open sourcing for this presentation: 'gcp_log_toolbox' and 'gcp_timeliner'.

Michael Skelton

Michael (also known as codingo) is heavily active in the open source space as https://github.com/codingo. Michael has written and maintains a number of tools, focused on web application security including but not limited to Reconnoitre, NoSQLMap, VHostScan, and Interlace. Michael also helps to maintain a number of online resources of interest to defensive teams including tools and datasets for the mitigation of ransomware, crypto jacking, key verification, and fingerprinting of services that are vulnerable to subdomain takeovers.

Michael spoke at BSides Canberra in 2018 on SharePoint Security presenting new research in the space as well as a variety of PowerShell scripts to aid in SharePoint security assessments. Michael also presented an overview on subdomain takeovers at BSides Perth in September of 2018 with an emphasis on detection for organisations that have a reliance on cloud-based services. In September of 2019, Michael will be presenting on complex attack chains at BSides Perth.

In 2019 Michael won Bugcrowd's community champion award and has also been nominated for both the AISA Cyber Security Professional of the Year and the AISA Rising Star awards, to be decided in late 2019. In 2019 Michael has also teamed up with Jason Haddix to author the Bug Hunters Methodology, which is expected to be released late 2020.

Bug Chaining - and why to address low risk issues

Not all bug classes are built identically, and not all are interesting or necessarily even fun to exploit. Additionally, exploitation of minor bug classes is often halted prematurely with far too many XSS exploitations being performed with an “alert(1)” when so many more interesting things can be done.

This talk is a visual demonstration of the importance of defence in depth. It aims to cover two interesting attack chains where a number of low priority issues were combined in interesting ways to cause the equivalent outcome of more severe bug classes in software. The intention of this talk and demonstration is to highlight the importance of properly closing low priority issues, and not only resolving higher risk ones.