Talks

Details

Title: Defending the Gibson in the Age of Enlightenment
Abstract

The year is 2016, dumped mailboxes are key presidential debate topics, ransomware runs rampant in corporate environments, toasters control large swathes of the internet and many alarming red lines on CSO powerpoint presentations are going up and to the right. In response, the $81 billion dollar cyber security industry is doubling down on blinky-lighted cyber divining rods, tarot card sharing platforms and neural network driven pcap ouija boards.

This talk will walk through some of the failed ideas we've seen and implemented in the last decade at Google while defending our environment, outline the alternative strategies that have genuinely worked, and preview some of the key technologies we’re betting on to protect our infrastructure in the coming years.

Location: Thu 17 0915 @ The Michael Fowler Centre
Duration: 45 mins
Name: Darren "sham" Bilby
Origin: Sydney, Australia
Bio

Darren is a Digital Janitor and Staff Security Engineer at Google, who currently manages the Sydney based Infrastructure Protection team. Over the past 10 years at Google he has played many roles including tech lead for the Global Incident Response team, manager of the European detection team, software engineer and application tester.

Prior to joining Google, he grew up on the mean streets of Auckland's North Shore, spent more time than is healthy on irc and staring at code, started some minor chaos, and paid his dues working in the NZ security consultancy salt mines.


Title: The mjg59 Smile Time Variety Half Hour
Abstract

People want stunt hacks of dog feeders and space shuttles. People need meaningful improvements in security. You can't always get what you want[1], even if you might get what you need[2].

But fuck that. This is Kiwicon. I'm going to give you what you want *and* what you need.

In 30 minutes you'll learn about a brand new defensive technology that'll mitigate a bunch of privilege escalation attacks and container escapes, something that'll let you verify that an Onion endpoint didn't boot an NSA software stack and a 2FA solution for checking nobody's replaced your system firmware with a thinly veiled pretext.

BUT WAIT. THERE'S MORE.

You'll also hear about terrible IoT devices, why nobody should be allowed to do their own encryption, how basically everybody screws up transfer of devices to new accounts and probably some more bullshit after I dig my way through the pile of boxes of dubiously sourced equipment sitting in my living room.

ALL THIS FOR ONLY 30 MINUTES OF YOUR TIME ACT NOW OFFER VOID IN NORTHERN TERRITORIES AND ADAMS ISLAND

[1] Rolling Stones, 1969
[2] Rolling Stones, 1969

Location: Thu 17 1000 @ The Michael Fowler Centre
Duration: 30 mins
Name: Matthew "mjg59" Garrett
Origin: Oakland, CA, USA
Bio

Matthew Garrett is a qualified fruitfly geneticist and an unqualified software developer[1] who has spent too much time reverse engineering dreadful things and dearly wants to give something back to the world so he's not just remembered for that one time where he said some things about a smart plug and was suddenly big on Weibo.

[1] although he has an RSA Stage 1 CLAIT in word processing, spreadsheets and databases (Distinction)


Title: Hacking HID iClass
Abstract: A short recap of the security and insecurity of HID iClass RFID access cards. The differences between iClass Elite™ and standard, including flaws and exploits.
Location: Thu 17 1030 @ The Michael Fowler Centre
Duration: 15 mins
Name: William "AmmonRa" Turner
Origin: Beijing, China
Bio: White hat sell-out*.
*allegedly

Title: Finding and Exploiting Access Control Vulnerabilities in Graphical User Interfaces
Abstract

Graphical user interfaces (GUIs) contain a number of common visual elements or widgets such as labels, text fields, buttons, and lists. GUIs typically provide the ability to set attributes on these widgets to control their visibility, enabled status, and whether they are writable. While these attributes are extremely useful to provide visual cues to users to guide them through an application's GUI, they can also be misused for purposes they were not intended. In particular, in the context of GUI-based applications that include multiple privilege levels within the application, GUI element attributes are often misused as a mechanism for enforcing access control policies.

In this session, we introduce GEMs, or instances of GUI element misuse, as a novel class of access control vulnerabilities in GUI-based applications. We present a classification of different GEMs that can arise through misuse of widget attributes, and describe a general algorithm for identifying and confirming the presence of GEMs in vulnerable applications. We then present GEM Miner, an implementation of our GEM analysis for the Windows platform. We evaluate GEM Miner using real-world GUI-based applications that target the small business and enterprise markets, and demonstrate the efficacy of our analysis by finding numerous previously unknown access control vulnerabilities in these applications.

Location: Thu 17 1130 @ The Michael Fowler Centre
Duration: 30 mins
Name: Collin Mulliner
Origin: Brooklyn, NY, USA
Bio: Collin Mulliner is a systems security researcher with focus on software components close to the operating system and kernel. In the past he spent most of his time working on mobile and embedded systems with an emphasis on mobile and smart phones. Collin is interested in vulnerability analysis and offensive security as he believes that in order to understand defense you first have to understand offense. Collin received a Ph.D. from the Technische Universitaet Berlin in 2011, and an M.S. and B.S. in computer science from UC Santa Barbara and FH-Darmstadt. Lately Collin switched his focus to the defensive side to work on mitigations and countermeasures. Collin is also co-author of The Android Hacker's Handbook.

Title: Radiation-induced cryptographic failures and how to defend against them
Abstract

It's been known for some years now that encryption can be highly susceptible to fault attacks in which a memory or CPU glitch leads to a catastrophic failure of security. These types of faults occur mostly in conference papers, but there's one situation in which they're expected as part of normal operations: When the crypto is operated in a high-radiation environment like a nuclear reactor. This talk looks at the effects of radiation on computer security mechanisms (and computers in general), and outlines means of protecting crypto in environments where you need to expect data and computation results to modify themselves at random.

Anyone planning to have children in the future should avoid sitting in the first two rows during the demo.

Location: Thu 17 1200 @ The Michael Fowler Centre
Duration: 30 mins
Name: Peter Gutmann
Origin: Auckland, New Zealand
Bio: Peter Gutmann is a researcher in the Department of Computer Science at the University of Auckland working on design and analysis of cryptographic security architectures and security usability. He helped write the popular PGP encryption package, has authored a number of papers and RFCs on security and encryption, and is the author of the open source cryptlib security toolkit, "Cryptographic Security Architecture: Design and Verification" (Springer, 2003), and a perpetually upcoming book on security engineering. In his spare time he pokes holes in whatever security systems and mechanisms catch his attention and grumbles about the lack of consideration of human factors in designing security systems.

Title: Attacking OSX for fun and profit
Abstract

For the purposes of a documentary, I got asked to hack a journalist. His request, verbatim, was "I want to see how badly you can fuck up my life if you got control of my laptop".

okay.jpg

This was a trial by fire of "holy crap there aren't the tools to do this". This talk will describe the problem statement of "how 2 shot web" against osx, describe the process I took, what I learned along the way, and end with the horribly horribly written tool I wrote, some discussion about other tools that now exist (last year defcon these tools didn't exist), and some tradecraft around how to attack osx.

It'll be fun!

Location: Thu 17 1345 @ The Michael Fowler Centre
Duration: 30 mins
Name: Dan "Viss" Tentler
Origin: San Diego, CA, USA
Bio: Dan Tentler is the founder and CEO of The Phobos Group, a boutique information security services company. Previously a co-founder of Carbon Dynamics, and a security freelancer under the Aten Labs moniker, Dan has found himself in a wide array of different environments, ranging from blue team, to red team, to purple team, to ‘evil hacker for a camera crew’. When not obtaining shells or explaining how to defend against getting shelled, Dan enjoys FPV racing, homebrewing, and internet troublemaking.

Title: Compliance in the Cloud: It's what you make of it
Abstract: Hi, I'm Geoff and I've spent the last five years in the Amazon Cloud Mines for House Benioff (words: "Dreamforce is coming"), rising from exalted Erlang programmer to lowly System Architect / Whiteboard Artist in Residence. With your patience I should like to wax lyrical about the virtues of compliance programs, talk about the aspects of security that the cloud makes easy, those the cloud makes hard, ponder a unix analogy for an age-old theological problem, and perhaps dispense free startup ideas. Oh, and throw a modicum of shade at vendors who still seem to roll like it's 2003, selling virtual pizza box appliances in the AMI marketplace.
Location: Thu 17 1415 @ The Michael Fowler Centre
Duration: 30 mins
Name: Geoff
Origin: San Francisco, CA, USA
Bio
  • In many profile pictures I have a cat on my head
  • I have written Erlang for money in a surprising number of countries
  • I have finagled myself a living drawing lucidchart diagrams, and attempting to convince people to do less terrible ideas
  • It has been a long time since I danced on television in Poland
  • A surprising number of these true facts would bear considerable scrutiny
  • Wellington has the best coffee

Title: Active Incident Response: Kiwicon Edition
Abstract

Security breaches are becoming a daily occurrence now. Wake up, check your twitter and see who the latest victim is. In early 2015, during an acquisition by Telstra, Pacnet was breached -- and suddenly it was us. We spent most of the year responding to a series of security incidents in the Pacnet network which are linked together and believed to be targeted.

We will demonstrate using examples from the Pacnet breach and follow-on waves, how we responded to the incidents and the visibility required to respond to a security incident which spans a global network.

Using a combination of intelligence, hunting and active defense we explore actor TTPs, tools and activity associated with this campaign. Expect to see pcap decodes, command-line activity and actor typos.

Location: Thu 17 1445 @ The Michael Fowler Centre
Duration: 30 mins
Name: Brian Candlish & Christian Teutenberg
Origin: Canberra, Australia
Bio

Brian Candlish is a Security Researcher for Australia's largest telecommunications company, who spends his days and nights making the internet a safer place. His interests in information security include attack and detection techniques, intelligence and “active defence”. He enjoys hunting adversaries on large corporate networks.

Christian is a Senior Security Specialist for Australia’s largest telecommunications provider. He specialises in hunting for evidence of breach with endpoint, network and log data. He has over a decade of experience in information security, with a background focusing on intrusion detection, incident response and computer forensics for the enterprise.


Title: Out of the Browser into the Fire: Exploiting Native Web-based Applications
Abstract: The evolution of the web has blurred the line between traditional web applications and native clients. In an effort to allow web developers to build powerful desktop applications quickly, web technologies have been put into standalone client-side containers, all the while security has remained an afterthought. In this talk we will demonstrate a new class of attacks that can be leveraged to exploit critical vulnerabilities in popular desktop applications implemented using embedded web technologies. We'll demonstrate leveraging XSS in native desktop applications to exfiltrate sensitive files, create messaging worms that can infect an entire organization, and gain arbitrary native code execution, all without the need to bypass DEP, ASLR and other modern operating system protections.
Location: Thu 17 1515 @ The Michael Fowler Centre
Duration: 30 mins
Name: Moloch & Shubs
Origin: San Francisco, USA & Sydney, Australia
Bio

Moloch - I like computers
Shubs - Bug bounty hacker, recon enthusiast

Title: Practical Phishing Automation with PhishLulz
Abstract

If you do Phishing attacks on a regular basis, you will end up using a framework or scripts to automate some of the tedious parts. You have your preferred web stack for phishing pages, your custom SMTP delivery system (with SPF/DKIM enabled AND good reputation - of course), your payloads and so on, and you need to maintain all of that while evolving it at the same time.

Where do you host your phishing infrastructure? What happens if the target blacklists your phishing FQDNs or IPs? Moreover, do you have a template system for HTML emails, including victim fingerprinting with automated and targeted exploit delivery?

If you have such needs and you do all the above manually, then PhishLulz comes to the rescue.

PhishLulz is a Ruby toolkit to dynamically instantiate phishing instances on the fly. You can use Amazon, OpenStack, libvirt and much more (the ruby Fog gem comes to the rescue), which means you can use it to deploy internal phishing VMs, or have everything public in the cloud. It comes with a Debian Amazon EC2 image pre-configured with PhishingFrenzy, BeEF, Metasploit, ShellTer, Veil and other useful tools for phishing engagements (Mr.Robot will be lost, he uses SET !!).

PhishLulz lets you focus on pretext creation and payload customisation, automating for you all the tedious configuration related to the phishing infrastructure.

Multiple real-life stories from engagements done with PhishLulz will be discussed, including automated functionality to concurrently grep Outlook Web Access and Outlook 365 webmails with different credentials.

In the middle of all of this, we will also analyze some interesting real-life scenarios of phishing lures spotted in the wild.

As a side note, PhishLulz will be exclusively released at KiwiCon X.

Location: Thu 17 1630 @ The Michael Fowler Centre
Duration: 30 mins
Name: antisnatchor
Origin: Italy
Bio: antisnatchor is the lead core developer and smart-minds-recruiter for the BeEF project. Michele is also the co-author of the "Browser Hacker's Handbook". He has a deep knowledge of programming in multiple languages and paradigms, and is excited to apply this knowledge while reading and hacking code written by others. Michele loves lateral thinking, black metal, and the communist utopia (however, there is no hope). He also enjoys speaking and drinking at a multitude of hacking conferences, including CONFidence, DeepSec, Hacktivity, SecurityByte, AthCon, HackPra AllStars, ZeroNights, OWASP AppSec USA, 44Con, EUSecWest, Ruxcon, InsomniHack, PXE, BlackHat. Besides having a grim passion for hacking and programming, he enjoys leaving his Mac alone, while s/phishing/fishing/ on saltwater and hoping for Kubrick's resurrection.

Title: PHP Internals: Exploit Dev Edition
Abstract

This talk will give a tour of PHP internals. It'll take the audience on a journey from the design behind a custom PHP fuzzer to how the PHP internal heap can be exploited. It will also cover some of the changes in PHP 7 internals and what they mean from an exploit dev perspective. A sample of interesting and unusual PHP bugs that I have discovered will also be presented. I hope to be able to share what has worked for me and some of the lessons I've learnt throughout this journey.

Location: Thu 17 1700 @ The Michael Fowler Centre
Duration: 45 mins
Name: Emmanuel Law
Origin: Wellington, NZ.
Bio

Emmanuel Law (@libnex) is a Principal Security Consultant from Aura Information Security. He works as a penetration tester during the day. By night he can be found fuzzing and exploiting binaries. Recently he has a new found hobby in hacking away at PHP internals.


Title: Can applications contain themselves?
Abstract: Containers are all the rage right now, but at the heart of them is just Linux cgroups and namespaces, so code. This talk will cover an experimental wrapper of the go build toolchain that will allow your application to contain itself. Some interesting things can be gained from this method including a perfect seccomp whitelist. Instead of just imagining a world, you can live in one where you have a perfectly static binary that is capable of isolating itself on start with namespaces, cgroups, seccomp, and apparmor.
Location: Thu 17 1745 @ The Michael Fowler Centre
Duration: 15 mins
Name: Jess Frazelle
Origin: San Francisco, CA, USA
Bio: Type-casted as the person who runs everything in containers including desktop apps. Open source fanatic. Has been described as a "Weird sunbeam of awesome".

Title: Not So Random - Exploiting Unsafe Random Number Generator Use
Abstract

PRNG? CSPRNG? Do these acronyms mean anything to you? What's the difference? Why does it matter? After all, your app's password reset tokens are definitely generated with a CSPRNG, right?

This talk covers the exploitation of unsafe random number generation across a number of languages. Just how practical is it?

In this talk we'll discuss a bit of background, what insecure random number generation looks like, and some practical examples of real-world exploitation. We'll then look at options that are available to developers to avoid these issues in their own applications.

Location: Thu 17 1800 @ The Michael Fowler Centre
Duration: 30 mins
Name: Brendan "hyprwired" Jamieson
Origin: Wellington, New Zealand
Bio: Brendan Jamieson (@hyprwired) is a security consultant for Insomnia Security, based out of Wellington. He is active in the .nz infosec community, having spoken at Wellington's ISIG and OWASP New Zealand Day, and having been involved in a number of Kiwicons as a speaker, a trainer, and co-organiser of the Hamiltr0n CTF.

Title: A Monster of an Attribution Problem
Abstract

What happens when a threat actor appears out of the blue?

You have a monster of an attribution problem.

This talk is all about performing attribution on recent events regardless of "vendor intelligence".

Location: Fri 18 0915 @ The Michael Fowler Centre
Duration: 15 mins
Name: Failymonster
Origin: Auckland, NZ
Bio

This talk is brought to you by [redacted]. After years working for [redacted] the gloves are finally off.

This speaker brings their wealth of knowledge to the stage. A career that is nothing short of stellar. Nothing.

Few major companies have not met with this speaker at one time or another.


Title: Hacking AWS end to end
Abstract

All the things are and/or will be on AWS now but the public state of the art AWS hacking techniques are some combination of 1. Search Github for access keys, 2. Start up EC2 instances and mine Bitcoin. That's pretty poor and not at all realistic.

The talk will be presented as a guide on how to hack an AWS account start to finish:

  • External reconnaissance and target selection
  • Initial compromise and trust abuse
  • Log disruption
  • Persistence
  • Exploration and exfiltration
  • Privilege escalation and lateral movement
  • Other things (tm)

Location: Fri 18 0930 @ The Michael Fowler Centre
Duration: 45 mins
Name: Daniel Grzelak
Origin: Sydney, Australia.
Bio: Daniel is a 100% cyber-free Security Intelligence Manager at Atlassian. He files TPS reports so that his team can fight the good fight, detecting bad guys pwning the clouds. He once opened the AWS web console and is now totally an expert in hacking AWS.

Title: Luring developers with candy and other evil tricks
Abstract

Security teams have historically been the scary people in black with stompy boots off in the corner, not talking to anyone. We're not talking to anyone because they're scared of us, and that fear has caused more bugs than we've ever fixed. It's also stopping us from talking to the teams that can do more to help us than anyone else, designers.

Wait, designers, really? And what's this about candy?

Lemme tell you a story about a different way, why you'd really like to change how you work, and how you get there. You don't even have to get rid of the boots, I promise.

Location: Fri 18 1015 @ The Michael Fowler Centre
Duration: 30 mins
Name: Eleanor Saitta
Origin: NYC, USA.
Bio

Eleanor Saitta has been fucking around with the Internet since 1994, when she had the unfortunate experience of learning FORTRAN 77 on IRIX. It's mostly been uphill since then, including eight years working for a string of consultancies (IOActive, Security Innovation, iSec Partners, and Stach & Liu), a few years doing security support and toolbuilding for NGOs and news organizations targeted by nation states, a lot of work on the Trike threat modeling tool, and a bunch of conference talks (ToorCon, CCC, Hack-in-the-Box, Hack.lu, O'Reilly Velocity, &c). She's now a staff engineer and the security architect for Etsy.


Title: Prince of Persia
Abstract

Basically we poked a thing, turned out to be a decade (+) of Iranian espionage - then we broke it.

Location: Fri 18 1130 @ The Michael Fowler Centre
Duration: 30 mins
Name: Simon Conant
Origin: Seattle WA, USA.
Bio

I grew up @ Geraldine/Timaru, left NZ on my OE in '95 and kinda forgot to come back...

Simon is a Senior Threat Intelligence Analyst in Palo Alto Network’s Unit 42 research group. He draws upon more than 25 years of international experience in the fields of computer and Internet infrastructure, networking, and security and investigation, including several years in the Microsoft Security Response Center. He was involved in founding Microsoft's CSS Security & Internet Crime Investigation teams and the International Botnet Task Force.


Title: SDIR: Software Defined InfraRed
Abstract

There have never been more infrared signals, from the remote control toys and televisions that we all know, to audio distribution systems and unintentional emissions from electronic equipment.

Off the shelf receivers have helped people to decode signals in the past, however these existing techniques lack the ability to detect high speed communication signals without prior knowledge of protocol. Using low cost hardware that anyone could put together, we have been able to apply Software Defined Radio techniques to infrared signals. In doing so, we are able to detect and interpret unknown infrared communications and emissions, opening the door to a new era in exploration.

As a proof of concept, I'll demonstrate how anyone can reverse engineer a simple IR protocol using hardware that they can build at home.

Location: Fri 18 1200 @ The Michael Fowler Centre
Duration: 30 mins
Name: Dominic Spill
Origin: London, UK
Bio: Dominic Spill is senior security researcher for Great Scott Gadgets. The US government recently labelled him as "extraordinary". This has gone to his head.

Title: Let’s do the Timewarp Again
Abstract

GPS is used for life critical services like finding a date on Tinder, hailing an Uber to drive to the date and checking the time to ensure you are not late to the date. What happens when GPS breaks? Well for less than US$500, GPS can be spoofed, so you can be anywhere on the planet, at any time in history.

This talk will look at spoofing GPS and what happens when the time no longer travels forward, at the rate of 9,192,631,770 vibrations of the ¹³³Cs atom. We can make NTP go backwards. We can make the GPS on your iPhone think it is 1970 all over again. What happens to your systems in 2038 or on 31 December 9999? What happens to time based two factor authentication when the assumption of time only goes forward is broken?

“Oh noes, how can we stop all these fun GPS shenanigans?” Well that is where gpsnitch steps in.

Location: Fri 18 1345 @ The Michael Fowler Centre
Duration: 30 mins
Name: Karit
Origin: Wellington, New Zealand
Bio: Hacks pens for Mr Bogan by day. Picks locks and hacks radio by night.

Title: Pwning ML for Fun and Profit
Abstract

Everyone is talking ML this and AI that as if they expect some kind of Utopian beast to be waiting just behind the next door and whisk us all away to a technological-paradise. It would seem dire warnings of every Sci-Fi book and movie ever haven't been enough to dissuade people from cooking statistics and math into a techno-optimist soup of dubious origin and expecting us to swallow. Obviously security can't just sit here and watch the catastrophes unfold. I aim to lay out some of the most awful yet still amusing examples of how and why we can and will break things. This presentation attempts to offer the audience a refreshingly realistic look at the terrible flaws in ML, the ease of altering outcomes and the dangers ahead.

Location: Fri 18 1415 @ The Michael Fowler Centre
Duration: 45 mins
Name: Davi Ottenheimer
Origin: SF, USA.
Bio

Winner of the KiwiCon7 "best dressed" award. Also president of flyingpenguin, co-author of the book “Securing the Virtual Environment: How to Defend the Enterprise Against Attack,” and author of upcoming book about the infrastructure flaws behind learning systems: "The Realities of Securing Big Data".


Title: NodeJS: Remote Code Execution as a Service
Abstract

It is a period of civil war. You, mighty MODERN JAVASCRIPT DEVELOPER (insane person) wield the power of cutting-edge hipster technologies on your NodeJS utility belt. With npm, you can swap-in other people’s code^W^W^W any new hipster technology you want with a single command, ready to deploy to your production environment at a moment’s notice. Sipping your salted-caramel spiced chai latte, you pleasantly think to yourself “It’s so wonderful that NodeJS and npm are such great things, I couldn’t possibly imagine a way in which they could ever go bad”. You sit peacefully, knowing that everything in life is so serene and secure.

In this talk, we crush your hopes and dreams of using NodeJS for anything in a safe way. We talk a little bit about trust, why you shouldn’t have any, and restore freedom to the galaxy...

Location: Fri 18 1500 @ The Michael Fowler Centre
Duration: 15 mins
Name: Jeff "Peabnuts123"
Origin: Auckland, New Zealand
Bio: Jeff “peabnuts123” is a Software Developer with a bit of an interest for security on the side. He has spent the last few years bashing his head against the wall in the modern javascript world, but also has irons in many fires not related to web development. Frequently starts projects on a whim. Generally speaks in superlatives. Ask him about Lua if you don’t wish to speak about anything else for the rest of the night.

Title: New Zealand, we (nearly) have a National CERT.
Abstract

In May of this year the government announced new investment to establish a National CERT. Since then there has been a flurry of activity to make it all happen. What is it about? What does it mean for you? When does it go live? Come to our lightning talk and find out!

Location: Fri 18 1515 @ The Michael Fowler Centre
Duration: 15 mins
Name: Declan Ingram
Origin: Wellington, NZ.
Bio

Declan has been floating around the industry for some time doing penetration testing, responding to incidents and trying to bring a heavy dose of reality to risk assessments. He is working on the CERT NZ establishment project and generally having a great time having escaped Australia for Wellington.


Title: Red Star OS will bring the imperialist aggressors and Park Geun-Hye clique to their knees
Abstract

In the 1990s, comrade Torvalds and the Respected Marshall Richard Stallman brought socialist innovations to the field of operating system development, guided by the principles of Kim Il-Sung thought. It wasn't long before imperialists in both the USA and Germany perverted this peoples' movement by appropriating open source code for profit, now generating billions of dollars a year to fill their coffers and fund their unwarranted aggression towards the Workers' Party of Korea. The Democratic Peoples Republic of Korea, under the wise guidance of First Secretary of the Workers' Party of Korea Kim Jong-Un, has now produced a revolutionary new Linux distribution that will rapidly become adopted as the world's operating system of choice, and spur a movement to overthrow the oppression of the imperialist capitalist system.

This talk will showcase the many advanced features of Red Star OS that are not present in modern imperialist distributions, including:

  • Sys-V Init, as systemd is reactionary and incompatible with Juche ideology
  • Intuitive interface inspired by the work of the deceased comrade Jobs
  • Powerful anti-virus enabled by default

And much more.

Location: Fri 18 1615 @ The Michael Fowler Centre
Duration: 15 mins
Name: Lord Tuskington
Origin: Brisbane, Australia
Bio: Lord Tuskington is a walrus, native to Greenland, now living in Brisbane. He is the Chief Financial Pinniped for TuskCorp, and a strong proponent of spreading Juche ideology.

Title: _blank slate
Abstract

Unbeknownst to many web developers, a common "feature" of link elements in HTML can leave a website wide open to a tabnapping attack. Jen will show this wonderful "feature" in operation, demo how easy it is to exploit, and talk about mitigations.

Location: Fri 18 1630 @ The Michael Fowler Centre
Duration: 15 mins
Name: jenofdoom
Origin: Wellington, NZ
Bio

Jen is a frontend dev at Catalyst in Wellington. She is also responsible for making last year's Kiwicon website have wayyyyyy too many buttons, and is the director of next March's national JavaScript conference, nz.js(con);


Title: Kicking Orion's Ass-sets
Abstract: SolarWinds has this tool called Orion. It does great things. It does horrible things. I did some C# fun decompiling and it was hilarious. You should come and laugh with me. I told SolarWinds about it, they said they would fix it. The End.
Location: Fri 18 1645 @ The Michael Fowler Centre
Duration: 15 mins
Name: Mubix
Origin: Po-dunk Virginia, USA
Bio: THIS PAGE INTENTIONALLY WRITE BLANK

Title: Condensed History of Lock Picking
Abstract

In the 1800s Windows 0days were extremely rare, so hackers at the time had to settle for the delicate art of lockpicking. In this short talk, we’ll learn about some of the zany lock mechanisms the aristocracy came up with to secure their valuables. We’ll talk about lock picking bounties and the transient era of perfect security. Yes, that’s right. Perfect Security. These ARE your great-great-great grandparents’ stories, so buckle up kiddo, you’re in for a wild ride.

Location: Fri 18 1700 @ The Michael Fowler Centre
Duration: 15 mins
Name: Grace Nolan
Origin: Christchurch, NZ
Bio

Grace Nolan is a recent computer science graduate of the University of Waikato in Hamilton, New Zealand and a full-time systems developer for Enable Ltd, a fibre broadband company in Christchurch. Amongst her passions for the field is a keen interest in the societal implications of technology, and the need for better representation and gender parity in CS. She gives talks to secondary students and their teachers, working closely with CS outreach organisations, and attending 'Women in Tech' workshops and conferences (such as the Grace Hopper Celebration). She's an enthusiastic choral singer, tea fanatic, and paints watercolours of flowers when she's not devouring the latest in tech news.


Title: Contactless Access Control
Abstract

Have you ever forgotten your swipe card? Locked yourself out of your secure facility or don't know anybody on the inside? Don't worry, we've got your back. With our patent pending contactless cyber door-access control system, we'll have you back inside in no time. Does it involve high voltages? Yes. Will you require a license to broadcast? Maybe. Would Marconi be pleased? No.

Location: Fri 18 1715 @ The Michael Fowler Centre
Duration: 15 mins
Name: Ryan and Jeremy
Origin: Auckland, NZ
Bio

Jeremy and Ryan are embedded engineers who like to look way too hard at silly things. Occasionally they find hilariously broken things that they like to share.