From none to done training by John

Intro to web app hacking by Ben

Kali Purple By Malcolm

OSINT by Justina

Collect Conference entry badge

Welcome from the CHCon 2023 Crew

Earlier this year the National Cyber Security Centre published its cyber security framework. In this talk Ben Creet will run through why NCSC built a cyber security framework, what the framework is and how you can use it to organise your cyber security programme (if you don't already have a framework).

Optus and its customers had a very bad time in 2022, with a massive data breach resulting in PII being released into the wild. This apparently happened because a REST API was not properly secured. We’ll talk about practical steps you and your organisation can take to prevent this from happening to you.

I was once told it is impossible to guess a private key of another users crypto currency wallet. however I don't truly understand what 'impossible' actually means and wanted to prove this wrong. So deep in a covid lockdown and armed with insanely fast internet and compute power I decided to do it. This talk will go through what i did, how i did it, and the challenges i faced to become a Kiwi John Dillinger.

Application security is hard, not just technically but because our development teams (those best equipped to make the biggest impact) have no time, resources or support to address it.

What would happen if every team, worldwide spent 1 hour of every sprint on application security? What would this look like and what could we achieve?

Let me show you.

Few tools in network penetration testing have the enviable position of being run before Nmap. Responder is one such tool. It has been a mainstay in the network pentester's toolkit for over a decade since it was released in 2013. However sometimes while testing the password hashes just don't start coming. This talk will cover a couple of extra tricks to break that initial wall and start getting the rolling in.

Mainstream narrative within the cyber security industry tells us that financial loss, legal exposure, and organisational reputational damage are the most serious impacts that we can expect from malicious cyber activity. However, when examining the role that technologies play within delivering life-saving medical care via digitally-enabled medical devices, we begin to realise that the consequences of unmanaged cyber risk within this context can be literally life-threatening. Nick Baty will discuss why maintaining effective supply chain assurance, through the use of software bills of materials (SBOM), is a critical activity in managing the cyber security risk associated with digitally-enabled medical devices.

For those who remember "Smartifying your dumb home", it may come as no surprise that Jed has been busy trying to simplify the management control plane of his home automation empire. And in doing so, accidentally built a C2 framework. And in building a C2 framework, 'accidentally' trolls Microsoft, with a brand new approach to microservice architecture.

Over the years, counterfeiters have forced game console manufacturers to develop more advanced authentication and licensing systems for peripherals. This presents a problem for the competitive fighting game player: how do I use my fancy DIY custom controller?

This talk will explore the inner workings of the peripheral licensing system on recent PlayStation consoles, how certain third-party vendors work around it, and currently-known methods of extracting or re-using secrets from peripherals to build our own.

Are you struggling to balance security and agility in your organization? Join my talk on Implementing DevSecOps to learn practical tips and best practices for integrating security into your DevOps pipeline. Transform your organization's security posture and drive innovation with confidence.

In our industry we are constantly pressured to improve the security of those we work for / with. Part of this is knowing and understanding our risks. But are we missing our biggest security risk because of our biggest security risk?

AI has taken the world by storm recently, and is the current hyped piece of technology that promises to revolutionise anything and everything in our lives. But how can this be used with cyber security? This talk will provide a few different ways typical cyber security processes can be integrated with AI technologies and automated (which is in itself a bit of a buzzword) to provide value for both security professionals or individuals alike. While this may sound like a dodgy salespitch for a grossly expensive vendor product, the main goal of this talk is to provide some practical examples and inspiration for cyber teams who are looking to level up their game by embracing AI (read: chatgpt) and automation (read: averagely written python code)

Solarwinds Orion was perhaps the most devastating attack in recent memory. A highly skilled crew of hackers, having compromised a widely-used piece of networking software, gained deep access into the US government for a period of fourteen months. This talk takes you on a deep dive into this attack- from what the attackers did to gain access to the remarkably simple way the whole operation was brought down. We’ll see excellent red and blue tradecraft and gain insight into how real-world networks are attacked and defended.

Continuous-integration and continuous-deployment systems. We know 'em, we love 'em. git push, some magical automation happens, and BAM your code's in the right environment. Glorious.

What does this mean for organisational security though? The days of a surly set of sysadmins holding the private keys are gone, and your devs are now also ops. What happens if a dev is compromised? Scratch that, what happens if an intern is compromised!

This talk is going to walk you through exploiting a modern CI/CD enabled system and show how your latest tranche of Summer-of-Tech interns may just have all the necessary juice to take over... everything! We’ll look at compromising CI/CD infrastructure, credential harvesting, lateral movement and compromising the production systems.

By showing how to practically loot a CI/CD enabled environment, we can elucidate the hacking voodoo and start some robust discussions around how to keep a modern deployment system safe.

Day 1 wrap up

Opening of Day 2

What happens when your web application uses the default sign in manager function that is subject to a race condition? Shall we attempt to brute force it? Why not? Whats the worse that could happen? An 8.1 CVSS! This talk will cover race condition I found in .NET’s default sign in manager. I will discuss how I found it, how I exploited it, and potential mitigation's to prevent it from being abused.

"What do an artistic walrus, a tiny tiger and a sneaky hippo have in common? And how does this relate to security anyway?

As it turns out, more than you might think. Come with me on this strange safari of memorable animals as we begin to solve the mystery of how these seemingly innocent creatures are roaming wild around New Zealand and reducing the security of many networks. "

"This talk will reveal weak cryptographic implementations in the commonly used ICT TSEC line of card readers for physical access control systems. Attendees will gain insights into three vulnerabilities that can be exploited by malicious actors, including AES-CBC plaintext manipulation, weak key exchanges, and default encryption keys.

Recommendations will be shared for developers to prevent these vulnerabilities on their own systems, covering topics such as authenticated messages, secure key management, and off-the-shelf encryption technologies like TLS. Real-world examples and proof-of-concept exploits will be presented to demonstrate the severity of these vulnerabilities.

By the end of the talk, attendees will understand the importance of strong cryptography practices in physical access control systems and will be empowered to secure their systems effectively."

"Ever watched Air Crash Investigation? You may not be an aviation nerd, but there are so many fascinating parallels between security and the aviation industry: the layering of safety controls, making sure there are different types of security controls in place, the improvements made after bad things happened, etc. In this talk I'll discuss some of some notable examples in both the aviation and security industry and what we can learn and take away from that as security professionals.
Note: You don't have to be an aviation geek to enjoy this talk, promise!"

In this talk, we'll explore some novel techniques you can use to break and bypass zero trust security controls. We aim to share with you actionable techniques we've explored, orchestrated or defended against in the wild. This goes beyond the basics but looks at thinking outside the box to exploit flaws in how these networks are designed. These networks are often architected to be perfect, but they rarely end up that way due to business needs. We'll share common flaws we've seen in how they are built and how to exploit them as a part of operation.

This should help red teamers explore new potential attack surfaces and confidently target zero trust networks without resorting to malware for initial access in every operation. There'll also be some valuable pointers to fend off common mistakes we see when building out these networks, so there will also be some helpful info for the blue teamers.

In this engaging presentation, I will share the challenges of developing secure systems for immunisations, contact tracing, and vaccination certificates during the Covid-19 pandemic. I will highlight our team's adaptation to the ever-changing landscape, employing agile methodologies and collaborating with third-party vendors, especially in penetration testing. Key takeaways will offer valuable insights for professionals and organizations in high-stakes environments.

A crucial aspect of the talk will explore the role of penetration testing and configuration reviews in securing Covid response tools. I will discuss overcoming challenges in conducting assessments at speed and under tight deadlines while ensuring optimal security. Strategies and best practices for collaborating with third-party vendors and adapting security testing approaches to a rapidly evolving crisis will also be shared.

With Security people generally in short supply, how do you maximise the few people you have and make them a force multiplier in your organisation's security maturity journey?

Come and learn from my wins (and past failures) at building teams that might give you some new ideas to make your journey smoother, whether it be providing opportunities for people to widen their skills in a T shape (sometimes giving them a gentle nudge), changing public opinion of being the department of ‘no’ to supporting the business, and to just getting stuff done, inspiring employees to want to follow and be part of the team.

In which I share the various ways I teach my children rhetorical tools, and they use these tools to convince me I should give them ice cream. It also makes them more resilient in a world where understanding persuasive techniques is increasingly critical.

I will be presenting the basic "Assurance process" that New Zealand Government agencies and nationally significant organisations (Teleco's, Banks, etc.) follow in an easy to digest and (hopefully) entertaining manner. This will go over the "Certification & Accreditation" process, what this achieves, and how it impacts developers/ PMs/ architects/ etc.

Memory leaks and Access Violations are intrinsically bad code, with the potential for being exploited by bad-actors. In some languages, for example C++, they are easy to create. The talk demonstrates one tool, GFlags, that can be used to help to identify the presence of such bad code, and to provide confidence that once fixed, they stay fixed.

Imagine you’re a web application penetration tester and you’re on-site at a client’s office, testing a web application before it goes live. Problem is, the app lives in their Special Devops Lab environment and is only accessible from an internal network jump box…which doesn't have Burp Suite installed, of course. You protest but the client tells you, “Sorry, we don’t allow hacking tools in the Special Devops Lab.” If I had a dollar for every time this happened to me, I’d have $3 which isn't a lot but it's weird that it happened three times. This talk will show you how use built-in web browser Developer Tools to replicate Burp Suite’s intercepting proxy and Repeater functionality so that if this ever happens to you, you’ll be able to tell the client “No worries, mate!” and proceed to tear that app apart with your bare web browser.

Conference Closing