BSides Joburg 2025

09:00 | 30min | Track 1
Opening

Opening and welcoming of everyone to BSides Joburg 2025

09:30 | 45min | Track 1
Ghost in the Machines: From Algorithms to AI
Jason Jordaan

In a world increasingly mediated by digital systems, algorithms have become the unseen architects of our reality. From social media feeds to search engine results, these mechanisms operate quietly in the background, curating content, shaping narratives, and reinforcing personalised viewpoints. As machine learning systems evolve, their influence deepens, subtly guiding what we see, think, and believe. While this is happening all over the world, fragile countries, such as South Africa, are especially at risk.

This talk will explore the hidden power of algorithms and AI in shaping perception and "truth", by examining how recommendation engines amplify bias, how engagement-driven design warps public discourse, and how reality itself becomes subjective under the influence of machine-curated content. Who controls these systems? What values are encoded in their logic? And as artificial intelligence grows more sophisticated, are we seeing the world as it is or only as it is being rewritten for us? Are we seeing South Africa as it is, or as the "Ghost in the Machine" portrays it?

10:15 | 15min | Track 1
Tea Break

10:30 | 45min | Track 2
Cyberpsychology - Managing Human Bias in Cyber Risk decisions
Samresh Ramjith

Cyber risk management is often treated as a purely technical discipline, when in reality human psychology and biases shape risk perception, prioritisation and management. This talk will explore some of these human factors and offer guidance on potential management strategies.

10:30 | 45min | Track 1
Sign Here: Abusing AWS Presigned URLs for fun and profit
Jacob Simmons

AWS presigned URLs have become a popular way to provide secure and sane access to S3 buckets and other resources. But the security of presigned URLs greatly relies on the implementation and integrations made with individual systems, and simple mistakes can result in unwittingly signing sensitive data away to an attacker. As S3 buckets continue to be an abundant source of low hanging fruit for threat actors, we discover that presigned URLs might not be the silver bullet that S3 security needs.

In this talk, I will cover the cardinal sins that can be committed when implementing presigned access to S3 buckets, the resulting attacks that can arise from these mistakes, and how developers can best avoid them.

11:15 | 5min | Track 1
Break

11:15 | 5min | Track 2
Break

11:20 | 45min | Track 1
Geo-locating WiFi data (or Vibe coding with Google, Apple WLS and Wigle)
Justin Williams

Alternate longer title: Geo-locating WiFi data as a Proxy for Human Population Distribution (or Vibe coding with Google, Apple WLS and Wigle)

This talk explores the geo-location of WiFi access point data as a novel proxy for estimating human population distribution. I examine how open-source data—previously leveraged in research such as Erik Rye's work with Apple's WiFi location API—can be harnessed for localised analysis. Rye’s approach, which utilizes Apple’s API to return locations of BSSIDs and their neighboring networks, inspired a deeper question: Could one "crawl" outward from a single point to systematically map all BSSIDs in a region?

11:20 | 45min | Track 2
Response in Action: Lessons from the Digital Frontlines
Ivan Burke

This talk distills frontline lessons from real-world cyber incidents into a practical, fast-paced session. We’ll unpack each phase of the incident response lifecycle, examine actual attack patterns using open-source tools, and explore how to triage threats under pressure.

From phishing to ransomware, we’ll share what works, what fails, and how to avoid common traps. Whether you're part of a small IT team or a growing SOC, this talk offers actionable insights to help you detect, contain, and recover from cyber incidents with greater confidence and efficiency.

12:05 | 10min | Track 1
Break

12:05 | 10min | Track 2
Break

12:15 | 45min | Track 2
Duck Safari: Hunting CVEs in the Shadows with ShinyLive and DuckDB-WASM
Luis de Sousa

In a world where proprietary pipelines and opaque risk scores drive threat feeds and dashboards, what does it mean to see the vulnerabilities for yourself?

This talk exposes how vulnerability data, while open in theory, is often filtered through black-box interfaces. In Duck Safari, we flip the script: using browser-native tools like ShinyLive, DuckDB-WASM, and duckplyr, we create a transparent, interactive CVE explorer that puts raw data and clear logic back in the hands of cybersecurity teams.

You'll walk away with a no-installation tool to explore vulnerabilities by vendor, severity, or time - rewriting your team's relationship with the shadowy systems that mediate risk and visibility.

12:15 | 45min | Track 1
Identity Security Pitfalls: Common Issues and Misconfigurations in Entra ID
Alistair Pugin

Despite robust capabilities, many organizations still struggle with misconfigurations and overlooked vulnerabilities in their identity infrastructure. This session examines the most prevalent security issues in Microsoft Entra ID (formerly Azure AD) and Active Directory, including over-permissioned accounts, weak access policies, and gaps in monitoring. Through real attack scenarios and lessons learned, attendees will discover best practices for hardening identity systems, leveraging Entra ID Governance, and automating access lifecycle management to prevent compromise and maintain compliance.

13:00 | 45min | Track 1
Lunch

13:00 | 45min | Track 2
Lunch

13:45 | 45min | Track 2
Crypto agility in a symmetric environment - managing HSMs post-quantum computing
Amy Smith

HSMs (hardware security modules) and their legacy processes are the silent backbone of our core payments infrastructure. Quantum computing poses a significant threat to our cryptographic landscape, and evolving our payments infrastructure to meet new threats requires planning and orchestration between many organisations. This talk is primarily aimed at security professionals in the financial sector who work with HSMs or write policy on managing them. In addition, those preparing for quantum computing or who would like some insight into core payments infrastructure and HSMs will benefit from this talk. Technical topics will be explained sufficiently so that those with no HSM experience can learn how they work and what the ecosystem looks like. Key takeaways are how quantum computing changes the HSM threat model, and the steps that can be taken to prepare for quantum computing. A change in key exchange process is suggested which will assist in preparation for quantum computing and improve operational efficiency.

13:45 | 45min | Track 1
Unity Games and Questionable Gains
Adriaan 'A3-N' Bosch

This talk explores how skills from ethical hacking naturally translate into other domains; in this case, game hacking. What started as casual curiosity, sparked by a familiar security tool (dnSpy), evolved into dynamic game manipulation, memory patching, and architecture analysis - all in indie Unity games. The goal isn't to showcase elite-level techniques, but to highlight accessible, transferable skills and the mindset behind them. Attendees will see how everyday hacker tooling applies beyond its intended scope, and how game hacking can serve as a fun, beginner-friendly gateway into deeper technical exploration.

14:30 | 5min | Track 1
Break

14:30 | 5min | Track 2
Break

14:35 | 20min | Track 1
From Packets to Intel: Building your own Network Threat Feed
Jared Naude

Modern security teams face an ecosystem where product-based threat feeds vary wildly in quality and consistency. Simply consuming these feeds falls short of effective defense. This talk explores how to build your own network threat feeds, transform network data into actionable controls, and codify these feeds using infrastructure as code. Attendees will gain a practical roadmap for moving past passive reporting into active, resilient network defense.

14:35 | 50min | Track 2
Whack A Phish
Geoffrey Chisnall

Phishing and its variants remain one of the most persistent threats in cybersecurity, yet the focus often stays on end-user awareness or reactive responses after people have already been scammed and had their money stolen. What if we could identify them before they reach our inbox or SMS? In this talk, I’ll share my hands-on journey of discovering and analyzing phishing links and websites in the wild, from following suspicious URLs to getting them taken down. I’ll also dive into how you can get ahead of phishing threats by using open-source tools, recognizing patterns, and applying investigative techniques. This isn’t just about the analysis, it’s about shifting the mindset from reactive defense to proactive discovery.

14:55 | 15min | Track 1
Exploiting Firebase Apps with Baserunner
David Yates

Firebase is a popular serverless application platform with a fundamental fail-open flaw. In 2021, I created a tool for exploiting that flaw, which I still use today. In this talk, I'll showcase the kinds of vulnerabilities I commonly find in Firebase applications, explain why these vulnerabilities persist, and discuss how developers should approach secure Firebase development.

15:10 | 15min | Track 1
Outmanoeuvring Threats Beyond Earth - Cyber Counterspace
nithen

As cyber adversaries expand their reach beyond terrestrial networks, the risk to space-based infrastructure (satellites, spacecraft, and critical communications) has never been greater. Recent cyber incidents targeting satellite networks and space systems have demonstrated the potential for adversarial manipulation, data breaches, and operational disruption. These threats have significant implications for commercial enterprises, financial institutions, and national security.

15:25 | 10min | Track 1
Break

15:25 | 10min | Track 2
Break

15:35 | 45min | Track 2
Exploiting arbitrary class loading on the JVM
Teddy Thobane

Java remains the bedrock of enterprise software. Its widespread use makes it a valuable target for attackers to pursue, and for pentesters to understand. Despite that, opportunities to test Java applications seem fewer than they should be, so we're excited to discuss the results of this research.

In this talk, we provide insights into the exploitation of arbitrary class loading on the JVM, focusing on an illustrative vulnerability we discovered in the Graylog server (CVE-2024-24824) to facilitate the discussion. We will provide an overview of the methodologies we used to find it, highlighting the tools and techniques that proved effective in our research.

We will explore the various exploitation opportunities this vulnerability allowed, including XXE and SSRF attacks, among others. Furthermore, we will also discuss the limitations we encountered that prevented us from exploiting it further.

By sharing our findings, we aim to enhance the understanding of arbitrary class loading vulnerabilities in Java applications and foster a dialogue on the importance of robust security practices in software development.

15:35 | 15min | Track 1
Shift Left without Losing Your Mind - Practical DevSecOps for Busy Teams
Callian Berends

In today’s fast-paced development cycles, integrating security early, aka "shifting left", can feel like just another thing on a long to-do list. But what if you could embed security into your existing Software Development Lifecycle (SDLC) with minimal disruption?

This lightning talk is for busy developers, security champions, and DevOps teams looking for practical and lightweight ways to get started with DevSecOps. We’ll explore real-world tips and tools that don’t require a massive security overhaul, just a few smart changes that add big value.

15:50 | 15min | Track 1
Defending Against The Shadows: GoldDigger And The New Rules Of Mobile Threats
Christoff Jacobs

In a mobile-first world, malware doesn’t just steal—it rewrites realities. This talk offers a developer-centric walkthrough of state-of-the-art mobile malware targeting Android mobile devices, with a spotlight on GoldDigger, a sophisticated mobile application malware that abuses Android’s Accessibility Services to silently hijack user interaction and cause harm.

Through a technical analysis of GoldDigger’s behaviour and infection chain, we’ll unpack the overlooked mechanisms it leverages and why security engineers need to take note. The general public will be shown GoldDigger’s effects. In addition, developers, security enthusiasts, and pen-testers will walk away with actionable insights on designing with defence in mind, hardening their applications, and detecting behavioural anomalies.

This isn’t just another malware overview. This session distils findings from real-world research, offering protective coding strategies rarely discussed outside red team circles. Attendees will leave with:
• How GoldDigger operates and why it's a threat worth tracking.
• Practical safeguards Android developers can implement today.
• Emerging trends in mobile malware — and what’s next on the horizon.

Forget the optimism of 2024—in 2025, the threat landscape has matured, and the attacks have become more subtle, contextual, and embedded in the platform itself. As builders of the mobile experience, developers are on the frontlines—whether knowingly or not, they’re shaping the future of security. Let’s start rewriting realities the right way—together.

16:05 | 15min | Track 1
Why Your AI Project Got Canned and How to Build One That Survives the Boardroom
BonganiBmG

Listen to how a former accountant turned dev learned the hard way what it takes to get AI off the ground—and how you can shortcut the pain.

AI is eating the world—but not before a lot of promising projects get quietly killed behind closed doors. In security-conscious organisations, AI initiatives often die early—not due to technical failure, but because they lack strategic alignment, measurable business impact, or risk transparency. From CISO pushback to data governance red flags, security is no longer an afterthought—it’s often the silent veto.

This talk dives into why AI projects get canned at the executive level, even when the models work, and what cybersecurity professionals, engineers, and data teams can do to build AI projects that don’t just survive—but lead to real, trusted adoption.

16:20 | 5min | Track 1
Break

16:25 | 45min | Track 1
SocVel Live: Command The Breach
Jaco Swanepoel

SocVel Live: Command the Breach is a 45-minute interactive tabletop meets "choose-your-own-adventure" experience. Inspired by recent North Korean threat campaigns, the audience will guide a live breach investigation - voting on decisions, uncovering consequences, and tracking the impact on time, resources, and business reputation. No boring slides. No fixed path. Just instinct, pressure, and collective response.

17:10 | 30min | Track 1
Closing

Closing of BSides Joburg and thanking everyone involved.