Conference Opening
The Exploit Development Life Cycle: From Concept to Compromise
Introduction to the 2024 BSides Canberra badge
The Black Bag challenge is the sweet spot between hacking, espionage, physical security, and teamwork. We create a series of challenges contained within a physical space which test a wide variety of security skills. It’s called a black bag, because you cannot see into it. You do not know anything about each challenge until you are about to do it and it might require multiple skills to get through it. For this reason it is a team effort to complete a black bag.
This year you’ll work through challenges that are in and around the conference centre, before attempting to gain entry to ‘the server room’. Beware, however, the server room has heavy security and will require at least one person to physically enter to bridge an air gap, while others assist them from the outside to bypass systems. Your team will need every ounce of skill you can get. If you would like to prepare, here are some of the skills you might need: RF, Surveillance, Teamwork, Web exploitation, Attacking Windows, Attacking Linux.
To sign up head to https://hackersofmiddle.earth and make your user and team. You will not be able to see challenges until Thursday 0930, but it is always best to be prepared.
Building Your Brand
Are you interested in up skilling in cyber security or learning more about Capture-The-Flag (CTF) competitions? Come and join the Cybears CTF team for an interactive introduction to CTFs.
We will have two "Intro to CTF" presentations repeated at 9.30am and 2.00pm on Thursday the 26th of September. In between, we will also be working through some example beginner CTF challenges and helping you to get any tools you'll need on your computer to solve them.
- To register and play the BSidesCBR CTF 2024, visit here: https://ctf.cybears.io/
- To see the previous three Cybears CTFs at BSidesCBR, check out https://gitlab.com/cybears/
- To learn about what CTFs are, and how to get started, check out https://cybears.gitlab.io/training/posts/ctf_intro/
While there is some consensus about what exactly is meant by the term "threat hunting", most definitions are confined to the low-level act of searching for indicators or starting from a hypothesis. Because of this, the task itself often sits, blurred, between more traditional and well-defined roles in SOCs, Threat Intelligence, and even DFIR teams.
Rather than seek to re-define the term, I would instead like to introduce the audience to the idea of threat hunting as an operational art, alongside an effective and flexible methodology for arranging threat hunting activities. The F3EA process has gained very little public traction in the cybersecurity industry to date, but has proven to be optimally suited to guiding threat hunting operations at speed and scale.
Organizations and practitioners successfully integrating the F3EA process might find that it helps establish threat hunting as a niche in its own right and dramatically increases the competitive advantage of defenders seeking to maintain control of large distributed networks.
Soldering irons will be available for all you tech wizards. You can use them to assemble your badge or for any other hardware hacks you have in mind. Need help with your conference badge? We've got your back! Our experts will be there to assist you.
The Hardware Village is the perfect space for you to learn and experiment.
So, hackers, mark your calendars for the Hardware Village - the ultimate haven for tech-savvy explorers. Prepare to be amazed, educated, and inspired like never before! Let's hack and solder our way to a tech-filled adventure together!
TBA
This talk will look at hypervisors as an enduring vulnerability research target. To maintain working exploits, any enduring target needs a number of things that favour a research team:
- The target has a complex code base and a large enough attack surface that the bug supply is sustainable
- Attackers can interact with the target closely enough that reliable exploitation is generally feasible (to perform heap grooming, use the results of info leaks, etc.)
- The target has some useful effect to attackers when a security boundary is violated (privescs, hypervisor escapes, etc.)
- The target has a level of ubiquity (i.e., an effect is generally of value)
Silvio will discuss bugs that he and others at InfoSect have found in hypervisors.
Careers Panel hosted by Ricki Burke
Germany's use of the Enigma and other cipher machines in WWII created such a volume of encrypted traffic that it drove the allies to accelerate the development of computing. Many view it as part of the very foundations of our industry today.
Most machines were intentionally destroyed, and their compromise was kept secret for thirty years - so very few people ever get to see this technology actually working.
In this talk we'll have a short look at the initial design and development of Enigma, then dive in. First a live demo of a German 3-rotor Enigma, configured with the help of WWII codebooks. Then we'll switch to an interoperable pair of Swiss Enigmas to demo the end-to-end crypto process across a set of machines.
Don't miss this *** extraordinarily rare *** opportunity to see this tech up close and working, and get a better handle on the origins of cyber.
Every cool hacker movie has it: that one scene where they go "I'm In" and bam, they've hacked the Gibson; maybe they trigger a fire alarm system, or open a door. We know that in reality most people don't get to do that, but what if we could? This is a rhetorical question: I got to, and in this talk we'll discuss how you can too, looking into a set of real vulnerabilities, CVE-2024-29838 through CVE-2024-29845, in an electronic access control system, and maybe even an "I'm In" moment.
Participants will learn how to create effective resumes and improve their chances of landing their desired roles.
"In the age of AI, where a single photo can make realistic deep fakes, how can you protect your personal photos?"
... were my thoughts when I saw the TikTok AI dance filter.
Join me, as I use AI security techniques to prevent my photos from being made into AI-based deepfakes dancing to Jojo Siwa!
This session will cover the practice of AI security with the following example use case: protecting my personal photos against misuse through AI-based deepfake generation. With an AI security lens, I will describe the different components of an AI-based deepfake model. Then I will walk you through an adversarial machine learning method to alter the photos to prevent them from being used by the deepfake models. We’ll then apply what we learnt on leading deepfake models, including the famous TikTok dance filter, to see what happens!
As AI systems are being rapidly adopted and developed, understanding how they can be exploited is important. With this deepfake example, I aim to show you that AI security techniques can provide us with an additional tool in our cyber toolbox.
This will be a practical and fun session for both users and developers of AI systems - and anyone else who is interested in learning about the surprising ways machine learning models can fail!
Attendees will have the opportunity to network with hiring managers seeking to expand their teams
We give an overview of the V8 JavaScript engine and explain common exploitation techniques, using the n-day CVE-2023-3079 as a use case. We show how to use the published advisory and public PoC code to exploit the vulnerability, covering a suggested approach, methodology and tooling that was used during the research.
Key Lessons from My Two-Year Journey as a Cybersecurity Mentor
Modern long range RFID credential theft requires custom hardware. This talk will show a new, modern, plug and play approach to creating efficient long range RFID credential stealers for physical penetration testers and red teamers utilising the Flipper Zero and a simple modular custom PCB design.
This is the story of popping shell on an Internet-connected cat feeder. From understanding how the device operates, delving into the network protocols it uses, to implementing custom tooling to interact with it and integrate it into home automation. This might sound straightforward, but it turned out to be a much more complicated ecosystem than I imagined. This talk will be a journey through obfuscated mobile apps, unencrypted HTTP APIs, custom peer-to-peer protocols, and home-rolled "encryption" with a sprinkling of reverse-engineering and protocol analysis. A fun and light-hearted talk for people of all backgrounds to inspire curiosity and encourage people to do some good, honest hacking in order to understand how their own devices and software work.
Breaking into the field of penetration testing can be a daunting task. This presentation will detail my personal journey in securing my first role in pentesting, offering insights into the strategies and steps that proved successful. Additionally, I will explore the various career paths available after gaining initial experience, providing guidance on how to advance and diversify within the cybersecurity industry. Attendees will leave with actionable advice on starting and progressing in their pentesting careers.
Ever wondered how someone from a completely different background makes it into cybersecurity? Let me share my story. As a First Nations woman who worked various jobs like fruit picking and delivery driving, and didn’t finish high school, my path to a cybersecurity career might surprise you. I found my way into this field without a technology degree or the typical background.
In this presentation, I propose to take the audience through my journey—how a love for air conditioning, taking chances on new opportunities, embracing a growth mindset, and building resilience helped me grow in this field to cultivate my own version of success. I will also highlight alternative pathways to get into tech and why diversity is crucial for innovation and security. Whether attendees are just starting out or looking to pivot into cybersecurity, this session aims to provide the humorous insights, practical advice and hopefully a wee bit of inspiration needed to carve their own paths.
As part of a recent client engagement, I was tasked with crafting phishing emails. These phishing emails were to focus on impersonating users to extract information from employees. This inspired me to investigate the current capabilities of email spoofing in 2024 and revealed some interesting quirks within both Outlook Web and Desktop.
When sending emails from external domains to internal Microsoft Organisation email addresses, the recipient will be inundated with security warnings identifying the sender as outside the organisation. This provides an easy way for the user to identify which emails originate from inside the company. By interacting with the SMTP protocol directly, I found a way to augment these emails so that they do not receive external tagging.
Outlook implements another feature called the "first contact safety tip" to alert users to emails from new addresses. These alerts are inserted into the email body and identify the sender as uncommon. I found that by including some characteristics of encrypted emails, I was able to fool Outlook into thinking the email was encrypted and prevent these security messages from being added onto the email.
My next topic for investigation focused on how different email providers handle and display messages to the user. I discovered that by taking advantage of these differences I could spoof emails from personal addresses which passed verification checks. Using similar techniques, I was also able to force Outlook to display any email address to the user.
Finally, using the knowledge I had gained so far, I uncovered a technique to spoof emails from any address to an Outlook inbox whilst passing verification checks. These emails were not labelled as external and even rendered the profile pictures of the users I was impersonating.
This presentation aims to highlight how a combination of these techniques can allow attackers to impersonate individuals and send convincing phishing emails which users are expected to fall for.
Cyber security is a broad career, with so many different specialisations, which can be confusing for beginners. This presentation will clarify the different specialisations within the cyber security field.
A session providing an update on what the cyber security industry in Australia looks like in terms of jobs in the market and trends in the industry. I have been tracking this data for nearly two years.
This is the story of how I escaped the sandbox of the popular code execution system Judge0 by chaining multiple vulnerabilities. Utilising this chain, an attacker can escalate their privileges to root access on the host machine despite Judge0 being deployed inside a Docker container. These vulnerabilities were patched and were allocated CVE-2024-29021, CVE-2024-28185 and CVE-2024-28189.
Starting from an interest in understanding how code execution sandboxes can be implemented securely, my research took me into reviewing the source code of Judge0, which is the self-proclaimed “most advanced open-source online code execution system in the world”. Judge0 is used by software developers in the areas of programming interviews, competitive programming contests, and online code sandboxes.
In this deep dive I will cover a wide range of vulnerabilities, from server-side request forgery and path traversal to blacklist bypasses and command injection. The journey was not easy or straightforward, so I hope to guide you through my process as I ran into problems and overcame them. The end result is multiple full chain exploits going from unprivileged API access to unsandboxed code execution as root.
HackerChix is an empowering networking event dedicated to women in the cybersecurity and tech industries. This gathering provides a supportive and inclusive environment where women can connect, share experiences, and build lasting professional relationships.
Whether you're a seasoned expert or new to the field, HackerChix offers a unique opportunity to engage with like-minded peers, mentors, and industry leaders. This event aims to foster a strong community of women who are shaping the future of technology.
Join us at HackerChix to expand your network, gain valuable insights, and celebrate the achievements of women in tech!
In this session, we will cover a variety of techniques to gain code execution on Microsoft IIS servers, ranging from simple webshells to reflectively loading .NET assemblies via exploits.
After performing each attack, we will conduct an incident response to determine what happened and discuss remediation options for recovering from this attack as well as ensuring we can better detect the technique next time.
Setup Steps: https://zeroed.tech/blog/bsides-2024/
Slides and Code: https://zeroed.tech/blog/bsides-2024-code/
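As an added example for the detection side of this session (not the speaker's code or the material at the links above), the block below runs a few webshell hunting heuristics over IIS W3C extended logs. The log lines are constructed, the application baseline of known script paths is a placeholder, and the heuristics (script file written over HTTP, request to a script path outside the baseline, POST with no referrer from a non-browser client) are the editor's, so expect to tune them for a real site.

```python
"""Hunt for webshell-like activity in IIS W3C logs (added example; the
heuristics are the editor's, and the sample log lines are constructed)."""
from collections import defaultdict

SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2024-09-26 10:01:02 10.0.0.5 GET /index.aspx - 443 - 198.51.100.20 Mozilla/5.0+(Windows+NT+10.0) https://www.example.com/ 200 0 0 15
2024-09-26 10:01:09 10.0.0.5 POST /login.aspx - 443 - 198.51.100.20 Mozilla/5.0+(Windows+NT+10.0) https://www.example.com/index.aspx 302 0 0 40
2024-09-26 10:03:11 10.0.0.5 PUT /uploads/cmd.aspx - 443 - 203.0.113.9 python-requests/2.31 - 201 0 0 12
2024-09-26 10:03:15 10.0.0.5 POST /uploads/cmd.aspx cmd=whoami 443 - 203.0.113.9 python-requests/2.31 - 200 0 0 88
2024-09-26 10:03:20 10.0.0.5 POST /uploads/cmd.aspx cmd=net+user 443 - 203.0.113.9 python-requests/2.31 - 200 0 0 91
"""

SCRIPT_EXT = (".aspx", ".ashx", ".asmx", ".asp", ".svc")
WRITE_METHODS = {"PUT", "MOVE", "COPY", "PATCH"}
KNOWN_SCRIPTS = {"/index.aspx", "/login.aspx"}  # placeholder baseline of the deployed app

R_WRITTEN = "script file written over HTTP (WebDAV-style upload)"
R_UNKNOWN = "script path not in application baseline"
R_BLIND_POST = "POST with no referrer from a non-browser client"


def parse_w3c(text):
    """Map each data line onto the column names from the #Fields directive.
    IIS encodes spaces inside a field as '+', so splitting on ' ' is safe."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split(" "))))
    return rows


def reasons_for(row):
    stem = row["cs-uri-stem"].lower()
    if not stem.endswith(SCRIPT_EXT):
        return []
    reasons = []
    if row["cs-method"].upper() in WRITE_METHODS:
        reasons.append(R_WRITTEN)
    if stem not in KNOWN_SCRIPTS:
        reasons.append(R_UNKNOWN)
    if (row["cs-method"].upper() == "POST" and row.get("cs(Referer)", "-") == "-"
            and not row.get("cs(User-Agent)", "").startswith("Mozilla/")):
        reasons.append(R_BLIND_POST)
    return reasons


def hunt(text=SAMPLE_LOG):
    """Aggregate suspicious requests per script path: hit count, distinct
    clients, first-seen timestamp and the reasons that fired."""
    agg = defaultdict(lambda: {"hits": 0, "clients": set(), "first_seen": None, "reasons": set()})
    for row in parse_w3c(text):
        reasons = reasons_for(row)
        if not reasons:
            continue
        f = agg[row["cs-uri-stem"].lower()]
        f["hits"] += 1
        f["clients"].add(row["c-ip"])
        f["first_seen"] = f["first_seen"] or "%s %s" % (row["date"], row["time"])
        f["reasons"].update(reasons)
    return {k: {"hits": v["hits"], "clients": sorted(v["clients"]),
                "first_seen": v["first_seen"], "reasons": sorted(v["reasons"])}
            for k, v in agg.items()}


if __name__ == "__main__":
    for path, info in hunt().items():
        print(path, info)
```

The first-seen timestamp is the pivot for the incident response half of the session: it tells you which file-system change, process creation and network connection records to pull from the same window.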
We have been auditing the secure boot reference implementations of two of the largest MCU vendors on the market, Espressif (ESP32) and STMicroelectronics (STM32). While both microcontroller families solve similar problems, their system architecture and hardware security design are different.
In this session, we'll talk through the results of our work and the approaches taken for design review, code auditing, fuzzing, and exploitation. We'll also have live demos of tools created to assist in the hax, as well as the bugs found and how we gained code execution on a vulnerable device.
We hope that by the end of this session, you'll have a deeper understanding of the concepts of MCU boot security and have the tools required to jump-start your own auditing projects.
The presentation will cover the essential skills and techniques for effective immediate incident response, drawing from my own experiences and learning. It will begin with a foundation of necessary skills and knowledge for being an effective analyst and responder, including technical foundations, understanding your environment, knowing adversary techniques, creative thinking, and effective communication.
Building on these foundational skills, the discussion will explore techniques for conducting efficient investigations. Borrowing from other Cyber disciplines, this will include using Structured Analytic Techniques, the MITRE ATT&CK framework, and maintaining calm and focus during incidents.
The talk will conclude with practical advice on how to acquire these skills and techniques. Suggestions will include observing other analysts, using home and online labs, reinforcing that working with similar environments is conducive to learning and skill enhancement.
TBA
Did you know that not all APIs are RESTful? Me neither at some point in the relatively recent past! This talk will explore bits and bobs related to GraphQL. We'll look at how it works, how to find GraphQL endpoints, and look at some GraphQL exploit techniques from the lens of the OWASP Top 10.
Join us for an epic fantasy quest. Meet dragons, solve puzzles, learn computers and make friends along the way!
A CTF is a computer and cyber security challenge where participants can solve technical puzzles to earn points. It is open to all skill levels. Bring along your Crypto-Wizards, Web Elves, Reverse Engineering Dwarves, Misc Rogues and Binary Exploitation Warriors to build the perfect merry band of adventurers!
In the fifth installment of DownUnderCTF, we brought a CTF-first open hardware category to the public, with real hardware.
Our presentation discusses the development of the custom tools and hardware built, the challenge creation process and the operations of this category.
This presentation will start with an intro to Talkback (talkback.sh), a smart infosec resource aggregator that was built to help keep up with relevant resources and news more efficiently.
The presentation will then walk-through several features, including demos for how security practitioners and researchers can use the tool and also integrate with its API and data feeds.
The talk will cover:
* How Active Directory (AD) and LDAP are interrelated.
* The types of AD information that can be gathered from LDAP and the security relevance.
* Which AD enumeration tools make use of LDAP, how they work and what their limitations are.
* How you can identify AD domain controllers on an unfamiliar network.
* The specific network access and authentication requirements for connecting to AD via LDAP.
* Common approaches to detect LDAP enumeration and potential detection bypasses.
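As an added, offline example for the DC-discovery and "security relevance" points above (the editor's code, not the speaker's tooling), the block below produces the DNS SRV names Windows clients themselves resolve to find domain controllers, builds correctly escaped LDAP filters for the queries enumeration tools commonly issue, and decodes userAccountControl on constructed sample entries. It does no network I/O; the sample entries and the domain name are made up.

```python
"""Offline helpers for LDAP-based Active Directory enumeration (added example)."""

# OID of the LDAP_MATCHING_RULE_BIT_AND extensible match: lets a filter test
# individual bits of an integer attribute such as userAccountControl.
BIT_AND = "1.2.840.113556.1.4.803"

# Subset of Microsoft's documented userAccountControl bits.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x100000: "NOT_DELEGATED",
    0x400000: "DONT_REQ_PREAUTH",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
}


def dc_discovery_srv_names(domain):
    """SRV names that domain members resolve to locate DCs. Query them with
    dig/nslookup against the network's DNS; each answer is a DC (or GC)."""
    d = domain.strip(".").lower()
    return [
        f"_ldap._tcp.dc._msdcs.{d}",      # every DC, LDAP on 389
        f"_kerberos._tcp.dc._msdcs.{d}",  # KDCs, Kerberos on 88
        f"_ldap._tcp.pdc._msdcs.{d}",     # PDC emulator
        f"_gc._tcp.{d}",                  # global catalog, 3268
    ]


def ldap_escape(value):
    """RFC 4515 escaping for values placed inside a filter: stops filter
    injection and keeps a literal '*' from acting as a wildcard."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)


def user_filter(sam_account_name):
    return "(&(objectCategory=person)(sAMAccountName=%s))" % ldap_escape(sam_account_name)


# Filters typically issued by LDAP-based enumeration tooling.
ENUM_FILTERS = {
    "users": "(&(objectCategory=person)(objectClass=user))",
    "computers": "(objectCategory=computer)",
    "domain_controllers": "(userAccountControl:%s:=%d)" % (BIT_AND, 0x2000),
    "kerberoastable": "(&(objectCategory=person)(servicePrincipalName=*)(!(sAMAccountName=krbtgt)))",
    "asrep_roastable": "(&(objectCategory=person)(userAccountControl:%s:=%d))" % (BIT_AND, 0x400000),
    "unconstrained_delegation": "(userAccountControl:%s:=%d)" % (BIT_AND, 0x80000),
}


def decode_uac(value):
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def triage(entry):
    """Security-relevant observations for one entry (dict of LDAP attributes)."""
    flags = decode_uac(entry.get("userAccountControl", 0))
    if "ACCOUNTDISABLE" in flags:
        return ["disabled"]
    findings = []
    if "DONT_REQ_PREAUTH" in flags:
        findings.append("AS-REP roastable")
    if entry.get("servicePrincipalName") and "NORMAL_ACCOUNT" in flags:
        findings.append("Kerberoastable")
    # DCs are always trusted for delegation; only flag it on other accounts.
    if "TRUSTED_FOR_DELEGATION" in flags and "SERVER_TRUST_ACCOUNT" not in flags:
        findings.append("unconstrained delegation")
    if "PASSWD_NOTREQD" in flags:
        findings.append("password not required")
    if "DONT_EXPIRE_PASSWORD" in flags and entry.get("adminCount") == 1:
        findings.append("privileged account with non-expiring password")
    return findings


# Constructed sample entries, not real directory data.
SAMPLE_ENTRIES = {
    "svc_sql": {"userAccountControl": 0x10200, "adminCount": 1,
                "servicePrincipalName": ["MSSQLSvc/db01.corp.example:1433"]},
    "legacy.user": {"userAccountControl": 0x400200},
    "old.contractor": {"userAccountControl": 0x202},
    "DC01$": {"userAccountControl": 0x82000},
}


def triage_all(entries=SAMPLE_ENTRIES):
    return {name: triage(attrs) for name, attrs in entries.items()}
```

Each ENUM_FILTERS entry is a query a defender can watch for on the wire or in directory service access auditing; the bit-AND matching rule OID in particular rarely appears in legitimate application traffic.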
The eBPF subsystem of Linux aims to make the kernel more extensible by allowing userland to submit custom eBPF programs that can be hooked to various kernel events. The eBPF verifier aims to prevent any dangerous program from being accepted and run; however, this verifier is subject to a variety of bugs, allowing unsafe programs to be introduced into a kernel context.
Traditional fuzzers in the area, particularly syzkaller, do not interface particularly well with the eBPF subsystem, because eBPF programs are very highly structured. As such, this talk covers my own custom fuzzer targeted at eBPF, discussing the design choices used to accurately model the system and the various issues encountered during development.
Everyone is unique in the way that they think about a problem or situation. Understanding the way we think can improve efficiencies, encourage innovation and give us confidence in the decisions we make.
This talk will demonstrate how critical thinking can be applied to wider SOC, DFIR, Threat Hunting and Cyber Threat Intelligence functions but can be adapted to multiple streams in the industry. How many times have you decided to go down a rabbit hole without taking a step back to understand why you're doing it?
Log4Shell, Shellshock, and Heartbleed. What do these vulnerabilities have in common? They add hours (if not days) of toil for IT operations – i.e., long days and long nights to identify and patch these critical vulnerabilities. Many organisations struggle to coordinate a timely response, and they’re often still identifying vulnerable systems after the initial response. Not to mention the large associated costs, including labour, recovery, communications, compliance, and lost productivity.
Why are we still having an issue with this today? Manual identification of vulnerable systems is not scalable when dealing with hundreds or even thousands of systems. Manual remediation is also fraught with human error.
What is the solution? By leveraging software engineering and DevOps tooling, we can automate identification methods specific to each CVE at scale to identify and remediate vulnerabilities.
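As an added example of a CVE-specific identification method of the kind the abstract describes (the editor's code, not the speaker's), the block below scans Java archives for log4j-core the way the Log4Shell scanners did: read the version from log4j-core's Maven pom.properties and check whether JndiLookup.class is present, recursing into jars nested inside wars and ears, which is where the manual searches missed copies. The sample archives are constructed in memory so it runs offline; the 2.17.1 threshold is this example's policy choice.

```python
"""Scan Java archives for vulnerable log4j-core, recursing into nested
archives (added example; sample archives are constructed in memory)."""
import io
import re
import zipfile

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
NESTED_EXT = (".jar", ".war", ".ear", ".zip")
# Policy threshold for this example: 2.17.1 is the first 2.x release with all
# four Log4Shell-era CVEs (2021-44228, -45046, -45105, -44832) addressed.
FIXED = (2, 17, 1)


def version_tuple(s):
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", s)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)) if m else (0, 0, 0)


def assess(location, version, has_jndi):
    if version is None:
        status = "JndiLookup present, version unknown: treat as VULNERABLE"
    elif version_tuple(version) >= FIXED:
        status = "fixed"
    elif not has_jndi:
        status = "mitigated (JndiLookup.class removed) but still upgrade"
    else:
        status = "VULNERABLE"
    return {"location": location, "version": version, "jndi_lookup": has_jndi, "status": status}


def scan_archive(data, location, findings=None, depth=0):
    """Inspect one zip-format archive held in memory; recurse into nested ones.
    'location' uses the jar-URL convention outer.war!/inner.jar."""
    findings = [] if findings is None else findings
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings
    names = set(zf.namelist())
    version = None
    if POM_PROPS in names:
        m = re.search(rb"^version=(.+)$", zf.read(POM_PROPS), re.M)
        if m:
            version = m.group(1).decode("ascii", "replace").strip()
    if version is not None or JNDI_LOOKUP in names:
        findings.append(assess(location, version, JNDI_LOOKUP in names))
    if depth < 8:  # bound recursion on maliciously nested archives
        for n in sorted(names):
            if n.lower().endswith(NESTED_EXT):
                scan_archive(zf.read(n), location + "!/" + n, findings, depth + 1)
    return findings


def build_zip(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def fake_log4j_core(version, with_jndi=True):
    """Stand-in log4j-core jar: real pom.properties layout, dummy class bytes."""
    entries = {POM_PROPS: "version=%s\ngroupId=org.apache.logging.log4j\nartifactId=log4j-core\n" % version}
    if with_jndi:
        entries[JNDI_LOOKUP] = b"\xca\xfe\xba\xbe"  # class-file magic only (constructed)
    return build_zip(entries)


# Constructed web application archive with three bundled log4j-core copies.
SAMPLE_WAR = build_zip({
    "WEB-INF/web.xml": "<web-app/>",
    "WEB-INF/lib/log4j-core-2.14.1.jar": fake_log4j_core("2.14.1"),
    "WEB-INF/lib/log4j-core-2.14.1-stripped.jar": fake_log4j_core("2.14.1", with_jndi=False),
    "WEB-INF/lib/log4j-core-2.17.1.jar": fake_log4j_core("2.17.1"),
})


def scan_report(data=SAMPLE_WAR, location="app.war"):
    return {f["location"]: f["status"] for f in scan_archive(data, location)}


if __name__ == "__main__":
    for loc, status in scan_report().items():
        print(status, loc)
```

To run it across a fleet, wrap scan_archive in an os.walk over deployment directories, feed each file's bytes in with its path, and ship the script through whatever configuration management or endpoint tooling already reaches every host; the output is the inventory that the manual search never finishes producing.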
Delve deeper into the dark and mysterious world of Kubernetes security. Start your journey deep inside the target infrastructure, collecting flags as you exploit your position in the environment and hunt for vulnerabilities, thwarting Captain Hλ$ħ𝔍Ⱥ¢k in his quest of destruction.
Attendees can play three increasingly beguiling and demanding scenarios to bushwhack their way through the dense jungle of Kubernetes security. Everybody is welcome, from beginner to hardened veteran but attendees will be expected to be hands-on to understand more about core Kubernetes components and how they can be misconfigured and compromised.
Each attendee will be given access to their own Kubernetes cluster built within our bespoke sandboxed training environment. A laptop with an SSH client is required to participate.
Want to bypass WAF or DDoS protections provided by CDNs such as Cloudflare, AWS and Azure? Don't want to have to change your payload to outsmart the WAF?
What if we can get direct access to the web server bypassing these protections completely?
In this talk, we will cover how to bypass WAF and DDoS protections by attacking the origin web server directly. We will look at the different ways web servers can be configured to prevent this kind of direct access and some of the surprising ways they can be bypassed too - including by using the CDN to bypass the CDN.
We will also discuss more secure configurations and various fixes defenders can implement to prevent these bypasses.
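As an added example of the origin-side checks this talk is about (the editor's code, not the speaker's), the block below contrasts a weak "did this come through the CDN?" test, which trusts a client-supplied header, with a strict one that requires the TCP peer to be a CDN edge, the Host to be ours, and a secret header that only our own CDN configuration injects. The third constructed request is the "using the CDN to bypass the CDN" case: the attacker points their own CDN zone at the origin, so the edge IP is genuine but the secret is absent. The edge ranges, hostname, header name and secret are placeholders.

```python
"""Origin-side checks against direct-to-origin requests (added example).
CDN ranges, hostname, header name and secret are placeholders; a real
deployment loads the CDN's published edge ranges and configures the secret
as a custom header in the CDN's origin settings."""
import hmac
import ipaddress

CDN_EDGE_RANGES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "2001:db8:100::/48")]
ORIGIN_HOST = "www.example.com"
SECRET_HEADER = "x-origin-secret"
ORIGIN_SECRET = "placeholder-long-random-value"


def accept_weak(headers):
    """Broken check seen in the wild: 'it carries the CDN's client-IP header,
    so it came via the CDN'. Anyone talking to the origin can send that header."""
    return any(k.lower() == "cf-connecting-ip" for k in headers)


def accept_strict(peer_ip, headers):
    """Three independent checks; each one alone is bypassable."""
    h = {k.lower(): v for k, v in headers.items()}
    ip = ipaddress.ip_address(peer_ip)
    if not any(ip in net for net in CDN_EDGE_RANGES):
        return False, "peer is not a CDN edge: direct-to-origin request"
    if h.get("host", "").split(":")[0].lower() != ORIGIN_HOST:
        return False, "unexpected Host header"
    if not hmac.compare_digest(h.get(SECRET_HEADER, ""), ORIGIN_SECRET):
        return False, "origin secret missing: CDN edge, but not our zone (CDN used to bypass CDN)"
    return True, "ok"


# Constructed requests: (peer IP as seen by the origin's TCP stack, headers).
REQUESTS = {
    # legitimate: our zone, edge IP, secret injected by our origin rules
    "via_our_cdn": ("203.0.113.10", {"Host": ORIGIN_HOST, "CF-Connecting-IP": "198.51.100.7",
                                     SECRET_HEADER: ORIGIN_SECRET}),
    # attacker found the origin IP and connects straight to it, spoofing the header
    "direct_spoofed": ("198.51.100.7", {"Host": ORIGIN_HOST, "CF-Connecting-IP": "198.51.100.7"}),
    # attacker points their own CDN zone at our origin: edge IP is real, secret is not
    "attacker_cdn_zone": ("203.0.113.44", {"Host": ORIGIN_HOST, "CF-Connecting-IP": "198.51.100.7"}),
}


def evaluate(requests=REQUESTS):
    return {name: {"weak": accept_weak(h), "strict": accept_strict(ip, h)[0]}
            for name, (ip, h) in requests.items()}


if __name__ == "__main__":
    for name, verdict in evaluate().items():
        print(name, verdict)
```

A shared-secret header is the portable version of this; where the CDN offers mutual TLS to the origin (Cloudflare's Authenticated Origin Pulls, for example), the client certificate replaces the header and the IP allowlist becomes defence in depth rather than the control.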
Large Language Models (LLMs) have emerged as a transformative generative AI technology, powering a wide range of applications from conversational AI to content generation. However, as with any powerful tool, LLMs are not immune to vulnerabilities and potential exploitation. This talk delves into how prompts can be misused to extract sensitive information, inject malicious content, or manipulate the model's outputs in unintended ways. Importantly, we also discuss how you can mitigate these risks.
Through real examples and live demonstrations, we'll explore techniques like prompt injection attacks, data leakage exploits, and adversarial prompting. You'll witness firsthand how carefully crafted prompts can bypass security measures, access restricted information, or trigger unexpected behaviors, highlighting the critical need for robust security measures and responsible development practices.
This session will equip you with a deeper understanding of the potential vulnerabilities in LLMs, allowing you to stay ahead of emerging threats and learn best practices for securing these powerful models against exploitation...and avoid the prompting pandemonium that can ensue if LLMs are not appropriately secured.
Doing DNS reconnaissance at a large scale sometimes reveals quirks of the internet that were never expected.
Initially starting as an annoyance and thought to be an isolated issue, we discovered that any domain with name servers hosted in China would return poisoned DNS responses when the subdomain contained specific words or characters.
We detail several practical client-side attacks that can result from this DNS poisoning. These attacks impact every domain on the Internet that uses a nameserver located in China. It's estimated that more than 30 million domains are vulnerable to this.
Digging into the patterns that lead to the poisoning, we discuss some theories about this behaviour and why companies with a web presence in China find this issue challenging to remediate.
You know all that security you spend all that time on? The stuff that's supposed to Stop Cyber Threats in Their Tracks or whatever?
How do you know it works? 🧐
You can test whether it works by just getting someone to try hacking you. For real. With the same techniques and goals as real cybercrime groups. If you're very, very lucky, that someone will be employed by you, and show you how they did it instead of selling the stolen data on the dark web.
For some reason, this is called Red Teaming 😳. You can use it to actually test what parts of your security work and what parts don't, instead of just believing some guy who says it's good because he sounded really confident.
Come along and learn about how it works, how I do it, and stories of insane nonsense that's happened along the way.
Have you ever told a friend a secret? How did you know you could trust them? How did they know to trust what you said? As social creatures, humans have an inherent need for communication, but what does that mean for security?
Join me on a journey from the playground to the battleground, from whispers to cyphers, from handshakes to deep fakes, as we explore the evolution of secure communication and its impact on society!
Cryptography is largely seen as one of the few technologies in which Defenders have an advantage over Attackers.
However there are some seismic shifts coming up in the field of cryptography which could tip the advantage in favour of the Attackers.
Is Australia ready for it?
This talk is based on some of my work over the last 6 months where I authored a multi-year strategy for cryptography and key management for a Critical Infrastructure organisation in Australia.
We'll be touching briefly on where cryptography has been, where it is today, why change is necessary, and where cryptography needs to go in order to prepare for the future (including an era of Quantum Computing).
Mainstream narrative within the cyber security industry tells us that financial loss, legal exposure, and organisational reputational damage are the most serious impacts that we can expect from malicious cyber activity.
However, when examining the role that digital technologies play within delivering life-saving medical care via digitally-enabled medical devices, we begin to realise that the consequences of unmanaged cyber risk within this context can be literally life-threatening.
Nick Baty will discuss why taking a 'whole-of-lifecycle' based approach is the only proportionate way to manage cyber security risk associated with digitally-enabled medical devices. This session will cover off:
o What is a digitally-enabled medical device (it's not always what you think)?;
o Cyber threats facing digitally-enabled medical devices today, and what the impact can be;
o Recent examples of digitally-enabled medical device compromises;
o What is meant by a 'life-cycle' based approach?;
o How might it be implemented, and what are the challenges facing adoption?; and
o How can cyber security professionals support the adoption of this approach in their own small way
Join us for an unforgettable Friday night at our conference's exclusive social event!
This lively gathering offers the perfect blend of networking, entertainment, and relaxation, creating an ideal atmosphere to unwind after a day of engaging sessions. Whether you're looking to connect with fellow professionals, share insights, or simply enjoy the vibrant ambiance, this event has something for everyone. With music and delectable refreshments, it's the perfect opportunity to forge new connections and strengthen existing ones. Don't miss out on this chance to mingle with the best and brightest in the field—see you there!
Dive into the crucial world of Governance, Risk, and Compliance (GRC) at BSides! Explore how GRC forms the backbone of effective cyber security, ensuring that organisations not only stay ahead of threats but also align with evolving regulations and standards. Our sessions will demystify the complexities of managing security controls across intricate systems, offering insights into creating robust governance structures, assessing risks accurately, and ensuring compliance in an ever-changing technological landscape. Whether you're a seasoned professional or new to the field, discover how mastering GRC can elevate your cyber security strategy and safeguard your organisation's future. Join us to transform the way you perceive and implement cyber security governance!
Schedule of events is as follows:
09:00 to 09:15 - Introduction and Village Welcome (Faz)
09:15 to 10:30 - Introduction to threat modelling (Faz)
10:30 to 11:30 - Panel Discussion (Chris, Brad & Craig)
11:30 to 12:00 - Introduction to Cyber Security Architecture (Bruce)
12:00 to 13:00 - Lunch break and Games
13:00 to 13:30 - Threat Informed GRC (Chris)
13:30 onwards - Games
Unlock your capabilities in open source security research by leveraging CodeQL for vulnerability discovery. This 1-day training session will explore CodeQL as a powerful Static Application Security Testing (SAST) tool, guiding you through the development of custom queries to identify known vulnerable code patterns in software.
Learn to maximize your security research efficiency with Variant Analysis Campaigns on GitHub, enabling you to scan multiple code repositories simultaneously with your custom rulesets, all for free on open-source software. Gain insights on refining your queries and conducting differential analysis to uncover previously undetected vulnerabilities.
Attendees will leave this session equipped with practical skills to enhance their security research using CodeQL, transforming how they detect and address vulnerabilities in open-source software.
The world of iOS exploitation is daunting and intimidating to even seasoned security researchers: high barriers to entry, the mysterious world of exploit brokerage and a list of exploit mitigations that seems to perpetually go on and on... One core component of iOS exploitation is the construction of JOP/ROP chains and stack pivoting. If you don't know what that is, this is the talk for you. Even the most non-technical security researcher will walk away knowing exactly how to find the stack pivots used in real world iOS exploits.
Soldering irons will be available for all you tech wizards. You can use them to assemble your badge or for any other hardware hacks you have in mind. Need help with your conference badge? We've got your back! Our experts will be there to assist you.
The Hardware Village is the perfect space for you to learn and experiment.
So, hackers, mark your calendars for the Hardware Village - the ultimate haven for tech-savvy explorers. Prepare to be amazed, educated, and inspired like never before! Let's hack and solder our way to a tech-filled adventure together!
TBA
DISCLAIMER: This particular vulnerability was responsibly disclosed to Apple's Security Team in February 2024 and is presently under patch progression. The update to rectify this security loophole is expected to be ready by summer 2024 (June-September).
During my research endeavors in early 2024, I explored one of Apple's built-in applications, universally deployed across their operating systems: the iOS, WatchOS, MacOS, and VisionOS platforms. An intriguing discovery was made upon manipulating certain functionalities and applying unconventional methods within this application.
The application vulnerability permitted execution of arbitrary commands on MacOSX systems, circumventing the in-built security features designed to prohibit such arbitrary code or script execution. Furthermore, it also makes it possible to read arbitrary files across all Apple operating systems, enabling leakage of file contents to any remote host.
A critical point of concern with this attack vector stems from abusing Apple's native infrastructure to disseminate malicious payloads to unsuspecting victims, rendering it a potent tool for drive-by-download phishing attacks. The payload is legitimately signed by Apple and can be set into motion without any security alerts. Unwary users who fall prey to such attacks subsequently face serious security risks.
This presentation aims to publicise the intricacies of this vulnerability and encourage a discourse on potential exploitations within the Apple ecosystem that might give rise to novel attacks. We seek to cast light on this vulnerability to encourage the development of protective measures and reinforce user safety.
Typically, we trust what is written to the security logs on Windows servers and workstations to be accurate; even just viewing these logs requires local administrator rights.
More importantly, log based detections as well as some Endpoint Detection & Response products will utilize process creation events written to the Windows Security log either to enrich detections and show an analyst exactly what was run, or as part of the detection itself.
Unfortunately, there has existed a technique for some time now which allows an attacker to stop what is really being run on the command line from being logged. This works for process creation logs generated by Windows itself, Sysmon and even Defender XDR Device logs.
This presents attackers with an opportunity to evade some types of detection, and if they pair EDR/logging bypass techniques with this technique it makes the job of an analyst trying to deconstruct what has actually occurred much harder.
In certain circumstances an attacker could even change the logged command to something which occurs often within an environment and basically trick an analyst into thinking certain detections are likely false positives.
In this presentation we will go through the following:
- Understanding how a process log is created under normal circumstances.
- How useful process creation logs can be to analysts and security teams.
- Showing how an attacker can use a previously discovered technique to mask the true command which is run.
- A breakdown of the code used to produce the incorrect logs and why this cannot currently be fixed.
- A number of scenarios demonstrating how both logging detections and EDR detections can be impacted by this technique.
Included in this session will be either a live demonstration or a pre-recorded attack where we can clearly see the malicious commands run and the resultant logs within the Windows system.
Many organisations that have adopted a cloud-native stack are under the misapprehension that the security of Kubernetes (K8s) clusters falls within the remit of cloud service providers. This misconception leads them to believe that cluster offensive security is either not required or a low priority exercise. As a result, organisations are not fully aware of the business value-add and significance of engaging in offensive security testing for K8s clusters.
In my investigations across multiple organisations, it was observed that there is an underestimation regarding the potential risks associated with misconfigurations in K8s clusters and integrated components within the cloud-native stack.
In this talk, I will share why organisations need to conduct offensive security assessments on K8s clusters, along with attack chains reflecting real world techniques for infiltrating and exploiting a K8s cluster. The audience will acquire knowledge on how to attack a K8s cluster and learn about key controls that enhance the security posture of a K8s cluster using a defense in depth methodology.
The cybersecurity industry has traditionally used the term Advanced Persistent Threats (APTs) to describe the highest level of threats from nation-states, known for their sophisticated and relentless attacks against organisations. eCrime threats were viewed as merely opportunistic and less sophisticated. However, in recent months, eCrime groups have started targeting large organisations with remarkable speed and aggression, employing advanced and lesser-known tactics to reap substantial financial gains. These groups have significantly advanced their techniques, remaining hidden until the last moment and engaging in knife fights with defenders when necessary.
In this talk, I'll delve into the tactics, techniques, and procedures (TTPs) that these eCrime threat actors are employing, and discuss strategies for detecting, defending against, and responding to them. This talk is a fast-paced exploration of the evolving landscape of advanced eCrime threats and how defenders can stand their ground when the heat is on.
Drawing on actual attacks that have devastated large organisations, this talk will learn from those events to walk through ways of performing effective incident response.
One of the best parts of hacker summer camp is the glitz and glam of the Vegas Strip. Many have explored hacking casinos (on and off stage). Unfortunately, it’s not like it is portrayed in the Ocean’s franchise… In real life there’s much less action, no George Clooney, and it’s a lot harder to pull off a heist than it seems.
Or is it? Well, fortunately we’re not your typical hackers and this isn’t an Ocean’s movie. We’re AI and Cyber experts, and we use the latest hacking and adversarial machine learning techniques to socially engineer our target, and then disrupt, deceive and disclose information from Artificial Intelligence systems.
We chose our target very carefully: Canberra Casino. It’s the best casino in our city… it’s also the only casino but that’s not the point.
The casino industry is at an interesting inflection point. Many large casinos have already adopted AI for surveillance and gameplay monitoring, smaller casinos are starting to make the transition, and there’s only a couple of companies in the world that provide this software. It’s ripe for exploitation.
In this talk, we are going to show you how we socially engineer our target, bypass casino AI systems - facial recognition, surveillance systems and game monitoring - and deepfake our way out of trouble.
AI Security is the new cyber security threat, and attacks on AI systems could have broad implications including misdiagnoses in medical imaging, navigation errors in autonomous vehicles… oh, and successful casino heists.
This talk was last delivered at DEF CON in Las Vegas, so we come with many lessons learnt straight from the source (and may or may not be on a few watch lists).
Hear the results of the competitions and join us for the closing ceremony.