<?xml version='1.0' encoding='utf-8' ?>
<!-- Made with love by pretalx v2026.1.1. -->
<schedule>
    <generator name="pretalx" version="2026.1.1" />
    <version>1.2</version>
    <conference>
        <title>CHCon 2024</title>
        <acronym>chcon-2024</acronym>
        <start>2024-11-21</start>
        <end>2024-11-23</end>
        <days>3</days>
        <timeslot_duration>00:05</timeslot_duration>
        <base_url>https://pretalx.com</base_url>
        
        <time_zone_name>Pacific/Auckland</time_zone_name>
        
        
        <track name="Training" slug="4443-training"  color="#106bf4" />
        
        <track name="Crew" slug="4444-crew"  color="#d60cf7" />
        
        <track name="Registration" slug="4445-registration"  color="#f5f769" />
        
        <track name="Main Track" slug="4442-main-track"  color="#0a51f0" />
        
    </conference>
    <day index='1' date='2024-11-21' start='2024-11-21T04:00:00+13:00' end='2024-11-22T03:59:00+13:00'>
        <room name='Te Akatoki' guid='b36da3ee-3bd7-539f-b839-d5d3d26ca44a'>
            <event guid='ef8b380c-a750-5a99-86e3-08380c629823' id='51113' code='JN7FQY'>
                <room>Te Akatoki</room>
                <title>ICS / OT Cyber Security Crash Course</title>
                <subtitle></subtitle>
                <type>Training Day</type>
                <date>2024-11-21T08:00:00+13:00</date>
                <start>08:00</start>
                <duration>09:00</duration>
                <abstract>Learn the foundations and basics of Operational Technology (OT) / Industrial Control System (ICS) Cyber Security. Understand the differences between Infosec / Information Technology and OT / ICS, and why some of the traditional security controls and countermeasures can increase organisational risk rather than decrease it. This training will also explain some alternative approaches to mitigate risks associated with critical infrastructure. If you work in an environment that has OT or ICS, or are curious to know more about securing these environments, this is a great first step.</abstract>
                <slug>chcon-2024-51113-ics-ot-cyber-security-crash-course</slug>
                <track>Training</track>
                
                <persons>
                    <person id='50616'>Gavin Dilworth</person>
                </persons>
                <language>en</language>
                <description>This crash course covers foundational and basic information on what ICS and OT are, how to understand their functions, and why they require a unique approach to security controls and countermeasures. 

Aside from the theory required, there will be some exercises on Ladder Logic, Purdue Model, and effective countermeasures. 

Finally, at the end of the day, there will be a demonstration using SCADA and PLC software.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/chcon-2024/talk/JN7FQY/</url>
                <feedback_url>https://pretalx.com/chcon-2024/talk/JN7FQY/feedback/</feedback_url>
            </event>
            
        </room>
        <room name='Room of Requirement' guid='7622ab21-928b-5479-8ac1-7f9515d8a813'>
            <event guid='c933426d-884a-5363-a5df-9a2e51c469d8' id='51158' code='UZ9NMX'>
                <room>Room of Requirement</room>
                <title>Incident Response 101</title>
                <subtitle></subtitle>
                <type>Training Session</type>
                <date>2024-11-21T08:00:00+13:00</date>
                <start>08:00</start>
                <duration>04:00</duration>
                <abstract>With Cybersecurity incidents becoming more prevalent across the globe, it is now a matter of when not if something will occur. Our training will help you understand the phases that are normally part of an incident and what role you would likely need to play according to your organisation&apos;s response plan (you know where yours is and test it regularly right?).  Equip yourself with the knowledge you need to help reduce the impact of a cyberattack.</abstract>
                <slug>chcon-2024-51158-incident-response-101</slug>
                <track>Training</track>
                
                <persons>
                    <person id='53512'>DJ</person>
                </persons>
                <language>en</language>
                <description>The training session covers a simulated fictitious incident where teams need to work together to resolve the incident as quickly as possible.  This provides participants the opportunity to gain first-hand experience of key concepts in an incident, with multiple repetitions through it to help to solidify core concepts.  

The training prepares teams with the foundational knowledge of how people may respond under pressure, setting the groundwork for a common language and understanding before moving to more advanced exercises (e.g. tabletop exercises, purple teaming). It also covers each phase of the NIST Incident Response Lifecycle.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/chcon-2024/talk/UZ9NMX/</url>
                <feedback_url>https://pretalx.com/chcon-2024/talk/UZ9NMX/feedback/</feedback_url>
            </event>
            <event guid='61f71416-de3d-5b91-91ae-ee56504ff167' id='51585' code='LXRXD7'>
                <room>Room of Requirement</room>
                <title>An introduction to web application security through Python</title>
                <subtitle></subtitle>
                <type>Training Session</type>
                <date>2024-11-21T13:00:00+13:00</date>
                <start>13:00</start>
                <duration>04:00</duration>
                <abstract>As an introduction to web application security through Python, this training session aims to give attendees the tools to understand the most common security vulnerabilities faced by web applications as well as how to fix them.</abstract>
                <slug>chcon-2024-51585-an-introduction-to-web-application-security-through-python</slug>
                <track>Training</track>
                
                <persons>
                    <person id='52906'>Ethan McKee-Harris</person>
                </persons>
                <language>en</language>
                <description>This training aims to introduce attendees to common web application vulnerabilities through a hands-on format. This workshop will use a vulnerable Flask website to demonstrate various vulnerabilities from the OWASP Top 10 and other common vulnerabilities I&apos;ve found through my career.

For each vulnerability covered, it will be laid out in roughly the following format:
- An introduction to the issue at a high level. This will cover things such as what the issue is, potential impact to applications and how to test for it in your own applications.
- Hands-on hacking where each attendee will attempt to exploit the issue in the vulnerable Flask application. Experienced helpers will be on hand to help walk you through exploiting each issue.

Time permitting, we will also aim to complete the following steps for each issue:
- After exploiting the issue, we will discuss mitigating steps and ways to fix this in your applications.
- Attendees can then fix the issue on a local version of the vulnerable site and verify their fix, with experienced helpers on hand to assist with this step.

This workshop will also introduce attendees to various tooling for both exploiting vulnerabilities as well as Python tooling to help prevent the vulnerabilities in the first place.

Participants will require the following:
- The ability to provide a laptop to use throughout the workshop.
- The ability to run BurpSuite Community Edition. This is free and we will teach the users the required knowledge for how it will be used in the workshop on the day.
- An internet connection to receive the lab files. A requirements file and source code will be provided on the day.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/chcon-2024/talk/LXRXD7/</url>
                <feedback_url>https://pretalx.com/chcon-2024/talk/LXRXD7/feedback/</feedback_url>
            </event>
            
        </room>
        <room name='Bentleys' guid='0c1d5b9a-9f05-5598-acbc-a28465730813'>
            <event guid='d6d42945-344a-55fa-81c7-03b3429bcc51' id='52095' code='Y9X3W8'>
                <room>Bentleys</room>
                <title>WiFi - Novice to Professional</title>
                <subtitle></subtitle>
                <type>Training Session</type>
                <date>2024-11-21T08:00:00+13:00</date>
                <start>08:00</start>
                <duration>04:00</duration>
                <abstract>Embark on a journey into the heart of WiFi technology with our dynamic training program. Delve into the core principles while keeping pace with the latest advancements in the field. This immersive experience isn&apos;t just about theory; it&apos;s about hands-on learning. Navigate through virtual wireless arenas, applying newfound skills in real-world exercises.

From tackling personal networks to infiltrating enterprise setups, this training equips you to handle diverse challenges. Explore both fortified and vulnerable configurations, honing your expertise in thwarting attacks. And with a focus on the cutting-edge WPA3 standard, you&apos;ll be prepared for the newest frontiers of WiFi security.</abstract>
                <slug>chcon-2024-52095-wifi-novice-to-professional</slug>
                <track>Training</track>
                
                <persons>
                    <person id='54335'>Toby Reynolds</person>
                </persons>
                <language>en</language>
                <description>Embark on a journey into the heart of WiFi technology with our dynamic training program. Delve into the core principles while keeping pace with the latest advancements in the field. This immersive experience isn&apos;t just about theory; it&apos;s about hands-on learning. Navigate through virtual wireless arenas, applying newfound skills in real-world exercises.

From tackling personal networks to infiltrating enterprise setups, this training equips you to handle diverse challenges. Explore both fortified and vulnerable configurations, honing your expertise in thwarting attacks. And with a focus on the cutting-edge WPA3 standard, you&apos;ll be prepared for the newest frontiers of WiFi security.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/chcon-2024/talk/Y9X3W8/</url>
                <feedback_url>https://pretalx.com/chcon-2024/talk/Y9X3W8/feedback/</feedback_url>
            </event>
            <event guid='c2eecee6-ebaa-5194-91c0-31ed197510b9' id='52914' code='LT8GHD'>
                <room>Bentleys</room>
                <title>REV.ENG.E&#8322;</title>
                <subtitle></subtitle>
                <type>Training Session</type>
                <date>2024-11-21T13:00:00+13:00</date>
                <start>13:00</start>
                <duration>04:00</duration>
                <abstract>Reverse Engineering for Education/Entertainment provides an introduction to analysing code, bytecode, and application binaries.</abstract>
                <slug>chcon-2024-52914-rev-eng-e</slug>
                <track>Training</track>
                <logo>/media/chcon-2024/submissions/LT8GHD/ai-boilerplate_zCE7DXs.png</logo>
                <persons>
                    <person id='55163'>Karl Barrett</person>
                </persons>
                <language>en</language>
                <description>This session will cover:
* The use and abuse of common developer tools
* Live debugging techniques
* Fantastic tools and where to find them</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/chcon-2024/talk/LT8GHD/</url>
                <feedback_url>https://pretalx.com/chcon-2024/talk/LT8GHD/feedback/</feedback_url>
            </event>
            
        </room>
        
    </day>
    <day index='2' date='2024-11-22' start='2024-11-22T04:00:00+13:00' end='2024-11-23T03:59:00+13:00'>
        <room name='Ngaio Marsh Theatre' guid='55d1960b-50d8-569a-ab51-598dae88d578'>
            <event guid='b5fad103-f8f3-5862-bdc1-41cb4a38d607' id='57443' code='ZRFTXG'>
                <room>Ngaio Marsh Theatre</room>
                <title>Conference Opening</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2024-11-22T08:45:00+13:00</date>
                <start>08:45</start>
                <duration>00:15</duration>
                <abstract>Welcome to the Christchurch Hacker Conference, as performed by Kevin and Dan</abstract>
                <slug>chcon-2024-57443-conference-opening</slug>
                <track>Crew</track>
                
                <persons>
                    
                </persons>
                <language>en</language>
                <description>The opening of the conference</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/chcon-2024/talk/ZRFTXG/</url>
                <feedback_url>https://pretalx.com/chcon-2024/talk/ZRFTXG/feedback/</feedback_url>
            </event>
            <event guid='43ce0acd-6f97-52bb-831b-3dbd1262d5ed' id='55855' code='HRWPKQ'>
                <room>Ngaio Marsh Theatre</room>
                <title>We&apos;re All Scared, Too: 10 Years of lessons from Cybersecurity Mentorship</title>
                <subtitle></subtitle>
                <type>Long time good talk</type>
                <date>2024-11-22T09:00:00+13:00</date>
                <start>09:00</start>
                <duration>01:00</duration>
                <abstract>The crew will roll the DnD dice. The first number will be the talk number on the schedule, the second will be the slide. We will show the slide and you will talk about that one until we pick the next. 

This is a place holder for your real talk and we would not actually do this.</abstract>
                <slug>chcon-2024-55855-we-re-all-scared-too-10-years-of-lessons-from-cybersecurity-mentorship</slug>
                <track>Main Track</track>
                
                <persons>
                    <person id='57737'>Lesley Carhart</person>
                </persons>
                <language>en</language>
                <description>We&apos;re All Scared, Too: 10 Years of lessons from Cybersecurity Mentorship</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/chcon-2024/talk/HRWPKQ/</url>
                <feedback_url>https://pretalx.com/chcon-2024/talk/HRWPKQ/feedback/</feedback_url>
            </event>
            <event guid='3529ef0d-9a64-53e1-bcbc-87d4634d9220' id='55340' code='XVD9XM'>
                <room>Ngaio Marsh Theatre</room>
                <title>Fellowship of Ring-0: How to hack into a Cyber security career</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2024-11-22T10:05:00+13:00</date>
                <start>10:05</start>
                <duration>00:25</duration>
                <abstract>The goal of this talk is to give people interested in getting into cyber security, or who have just started but aren&#8217;t sure where you&#8217;re going to land, an idea of: where you can start, where you can go, and what you can do to get there.</abstract>
                <slug>chcon-2024-55340-fellowship-of-ring-0-how-to-hack-into-a-cyber-security-career</slug>
                <track>Main Track</track>
                
                <persons>
                    <person id='57322'>Jed Laundry</person><person id='57323'>sput</person><person id='57333'>Ben Creet</person>
                </persons>
                <language>en</language>
                <description>In the 90s, cybersecurity was still pretty underground and mostly revolved around hackers and government suits. Now in 2024, you can get an actual university degree in it. Cybersecurity has grown into a proper full grown industry, even though the image it holds still screams 90s cyberpunk future. We know this can be pretty daunting to newbies on the outside, looking to get involved.

In this talk, three industry &#8216;veterans&#8217; will talk about our path in cyber security, the jobs we&#8217;ve done, what we do now, and try and de-bunk some of the gatekeeping you may have encountered.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/chcon-2024/talk/XVD9XM/</url>
                <feedback_url>https://pretalx.com/chcon-2024/talk/XVD9XM/feedback/</feedback_url>
            </event>
            <event guid='1c452d1a-fa7c-5a5d-aed4-e7f38b8e3955' id='53197' code='B7GE3Y'>
                <room>Ngaio Marsh Theatre</room>
                <title>How to not be a dick in the IT industry</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2024-11-22T11:05:00+13:00</date>
                <start>11:05</start>
                <duration>00:25</duration>
                <abstract>The Cybersecurity industry is full of weird and wonderful people, however much like any other industry, there are often some colourful characters who can make a questionable comment or two which can really crush a young, hopeful Cybersecurity consultant&apos;s spirit.
 
This talk will go over some of the most humiliating and thought-provoking experiences that we have had while working in the Cybersecurity industry, including how to deal with these situations and, most importantly, how not to be a dick in the industry. 

Allow Justina and Lou to recount their work horror stories of people being dicks, and how to not be a dick.</abstract>
                <slug>chcon-2024-53197-how-to-not-be-a-dick-in-the-it-industry</slug>
                <track>Main Track</track>
                
                <persons>
                    <person id='57283'>Justina</person><person id='55419'>Louise Kendall</person>
                </persons>
                <language>en</language>
                <description>We are currently consultants from Bastion Security and have been working in the industry long enough to collect a number of work stories illustrating how people can just be dicks. Think gaslighting you. Think ignoring you. Think telling you that you don&apos;t know what 2FA is!

The goal of this talk is to educate our peers to better understand how their actions may impact other people, and what they can do to make sure we are encouraging and supporting new people into the industry. We also want to give you some simple advice so that you feel better equipped to handle situations where you feel like someone is being a dick. 
	
In this talk we recount 3 horror stories from our own experiences - but with a positive spin and a key theme. The key themes we will be sharing as part of these stories are: 

- Have your listening ears on - don&apos;t think you know everything, we do have important things to say - especially when we are telling you that MFA is not working.

- Be careful with your words - words are mightier than the sword, so please don&apos;t tell me I&apos;ve done something wrong in front of an entire office of people.

- Make sure everyone feels seen - in a meeting of 3 people, it&apos;s still easy to leave one person feeling like their perspective is not seen or heard.

We hope that by sharing with you these stories, we educate people how to not be a dick - ultimately making the industry a better place for everyone.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/chcon-2024/talk/B7GE3Y/</url>
                <feedback_url>https://pretalx.com/chcon-2024/talk/B7GE3Y/feedback/</feedback_url>
            </event>
            <event guid='695eea8e-ea40-5e83-8a68-d52fc1d20fb7' id='50533' code='B9CK8B'>
                <room>Ngaio Marsh Theatre</room>
                <title>Better Investigations with OODA Loops</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2024-11-22T11:35:00+13:00</date>
                <start>11:35</start>
                <duration>00:25</duration>
                <abstract>Asked an experienced staff member to explain their investigative process to a new starter and been met with a blank stare, a hand wave and a vague &quot;I just do what makes sense&quot;? Even worse, &quot;I re-image the machine and move on&quot;! As an industry, we can do better than this, and this talk will show you how you can apply a decision making model around your thinking - from level one SOC to in-depth system investigation - to enhance your investigations today.</abstract>
                <slug>chcon-2024-50533-better-investigations-with-ooda-loops</slug>
                <track>Main Track</track>
                <logo>/media/chcon-2024/submissions/B9CK8B/OODA_Loop_554V14t.png</logo>
                <persons>
                    <person id='52968'>LukeP</person>
                </persons>
                <language>en</language>
                <description>Militaries around the world have been using OODA loops for years at both strategic and tactical levels to quickly make solid decisions that revolve around disrupting and gaining an advantage over their adversaries. In an industry first, I&apos;m taking some military terminology and applying it to Cyber Security! 
Come with me on a practical journey through the triage of both security alerts, and findings from system investigations, and practice applying the OODA (Observe, Orient, Decide, Act) decision making model. Through this application, you&apos;ll learn how to make good investigation repeatable, trainable, and easily communicable, leading to better outcomes for you AND your customers!</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/chcon-2024/talk/B9CK8B/</url>
                <feedback_url>https://pretalx.com/chcon-2024/talk/B9CK8B/feedback/</feedback_url>
            </event>
            <event guid='70f408b7-01d8-53ae-9e47-12c1d68c1359' id='48139' code='RLJDSS'>
                <room>Ngaio Marsh Theatre</room>
                <title>Windows - Data Protection API</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2024-11-22T12:05:00+13:00</date>
                <start>12:05</start>
                <duration>00:25</duration>
                <abstract>Curious about what the Windows built-in Data Protection API (DPAPI) is? Want to understand how it can be abused from an offensive perspective? This talk will explain how the DPAPI works under the hood, various abuse scenarios, and what to consider when developing Windows applications that use the DPAPI.</abstract>
                <slug>chcon-2024-48139-windows-data-protection-api</slug>
                <track>Main Track</track>
                
                <persons>
                    <person id='50612'>Claudio Contin</person>
                </persons>
                <language>en</language>
                <description>Come and learn how developers can use the Windows Data Protection API (DPAPI) to encrypt secrets, and how applications, including browsers, use this API. You will gain a basic understanding of how the DPAPI works under the hood in Windows systems, and how it is often abused from an offensive perspective.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/chcon-2024/talk/RLJDSS/</url>
                <feedback_url>https://pretalx.com/chcon-2024/talk/RLJDSS/feedback/</feedback_url>
            </event>
            <event guid='bb7230bb-a47d-5357-b333-923dbfc2d4d1' id='51776' code='LEKAFY'>
                <room>Ngaio Marsh Theatre</room>
                <title>NTLM: The Last Ride</title>
                <subtitle></subtitle>
                <type>45er</type>
                <date>2024-11-22T13:35:00+13:00</date>
                <start>13:35</start>
                <duration>00:45</duration>
                <abstract>Microsoft is planning to kill off NTLM (New Technology Lan Manager) authentication in Windows 11 and above. Let&apos;s speedrun coercing hashes out of a few more things before it fades into obscurity over the next twenty five years or so.  
 
There will be a deep dive on several new bugs we disclosed to Microsoft (including bypassing a fix to an existing CVE), some interesting and useful techniques, combining techniques from multiple bug classes resulting in some unexpected discoveries and some absolutely cooked bugs. We&#8217;ll also uncover some defaults that simply shouldn&apos;t exist in sensible libraries or applications as well as some glaring gaps in some of the Microsoft NTLM related security controls.</abstract>
                <slug>chcon-2024-51776-ntlm-the-last-ride</slug>
                <track>Main Track</track>
                
                <persons>
                    <person id='52373'>Jim Rush</person><person id='54055'>Tomais Williamson</person>
                </persons>
                <language>en</language>
                <description>This talk is based on a series of unexpected discoveries that spiraled into a full-blown research project after a coworker innocently suggested I provide an NTLM challenge to what I thought was simple blind SSRF (Server Side Request Forgery). Several round trips to the MSRC (Microsoft Security Response Centre) and bug bounties later, we came up for air with a new appreciation on how to coerce NTLM authentication out of applications with a minimum amount of fuss.
 
While capturing a Net-NTLMv2 hash on a web application penetration test can be a good finding, being able to coerce hashes on port 80 in an internal network can be absolutely devastating and result in large amounts of lateral movement and privilege escalation within a domain. 

This talk will be beneficial to pentesters, security researchers, bug hunters and red teamers as we deep dive into Windows authentication and bypassing trusted zones. There will be ideas for weird and wonderful places for the red team to try and find NTLM hashes. For the blue team, there will be details on what you need to be looking for and securing in your environment. We will also have a closer look at some of the legacy Win32 APIs to find out why Windows can&apos;t do anything without trying to authenticate.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/chcon-2024/talk/LEKAFY/</url>
                <feedback_url>https://pretalx.com/chcon-2024/talk/LEKAFY/feedback/</feedback_url>
            </event>
            <event guid='78424f53-b409-555c-8dd9-63eb17a083d2' id='53071' code='HSFAZH'>
                <room>Ngaio Marsh Theatre</room>
                <title>It&#8217;s me, hi! I&#8217;m the problem, it&#8217;s me; a five year review of security communications</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2024-11-22T14:25:00+13:00</date>
                <start>14:25</start>
                <duration>00:25</duration>
                <abstract>It&#8217;s been five years, two kids, six jobs, four Taylor Swift albums, one global pandemic and eleventy billion security incidents since I last spoke at CHCon, so what&#8217;s changed in the global security landscape and how we talk about security incidents and breaches?</abstract>
                <slug>chcon-2024-53071-it-s-me-hi-i-m-the-problem-it-s-me-a-five-year-review-of-security-communications</slug>
                <track>Main Track</track>
                
                <persons>
                    <person id='55280'>Izzi Lithgow</person>
                </persons>
                <language>en</language>
                <description>More and more, security incidents and breaches are becoming familiar to people outside the security industry. As awareness grows, incidents and how they&#8217;re responded to are no longer judged by the technical response alone; solid communications is critical to both response and recovery.

This whirlwind tour of some of the great and not-so-great responses to security incidents over the last five years will share where incident communications have improved, where things have got stuck, and where we need to go in the next five to keep making people and systems safer.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/chcon-2024/talk/HSFAZH/</url>
                <feedback_url>https://pretalx.com/chcon-2024/talk/HSFAZH/feedback/</feedback_url>
            </event>
            <event guid='e7400eae-ab7f-5e98-9a49-13dfa2c064ed' id='54063' code='LX3BUC'>
                <room>Ngaio Marsh Theatre</room>
                <title>The Exploitation of Others</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2024-11-22T15:25:00+13:00</date>
                <start>15:25</start>
                <duration>00:25</duration>
                <abstract>When it comes to cybersecurity, sometimes the thing that people forget is that a solution or an account is only as secure as the individuals who are authorised to access it. By targeting the human element, an individual does not have to try to break through firewalls or defense mechanisms or access accounts. All they need to play to is the person that takes the time to respond - to elicit a reaction strong enough to make that person think that what they are doing is for their benefit or required.

The best way to do that is by targeting one&apos;s emotions. Let&apos;s talk about some of the ways this can be successful using technology, focusing on Advance-Fee Fraud, Romance Scams, and Phishing Attacks.</abstract>
                <slug>chcon-2024-54063-the-exploitation-of-others</slug>
                <track>Main Track</track>
                
                <persons>
                    <person id='56153'>Dana Windsor</person>
                </persons>
                <language>en</language>
                <description>My talk is based on the research I did for my final post grad research paper, titled &quot;Hijacking Human Emotion: The Exploitation of Others Through Technological Scamming&quot;.

I feel passionate about this topic because people are so quick to blame the individuals who have been scammed without even realising the effort and in-depth thought that can go behind it nowadays. Scams have been around for a long time, and they are getting increasingly sophisticated, especially around a time where we are still developing into the technological sphere and people have a false sense of security online.

Some scammers are in the game for the long haul, and they will use technology, something that is deeply imbedded in today&apos;s society, to their advantage.

The purpose of my presentation is to hopefully get across that you do not need to be a technological mastermind in order to scam someone out of something. My talk covers technological characteristics and expected or conditioned human responses that are taken advantage of in conjunction with one another in order to successfully scam another individual.

It is getting more and more relevant. Consider the story at the beginning of the year where a financial assistant handed over tens of millions of dollars thinking he was doing what his boss wanted. AI was used instead to manipulate his response and encouraged him to do what he thought he was being told to do. 

This is one of the few crimes, if not the only crime where the malicious person is not actively stealing anything or breaking into anything to achieve their goal. The intended target is voluntarily providing the money or account information, albeit under false pretenses. There is no active &apos;taking&apos;. 

That is the point I want to get across.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/chcon-2024/talk/LX3BUC/</url>
                <feedback_url>https://pretalx.com/chcon-2024/talk/LX3BUC/feedback/</feedback_url>
            </event>
            <event guid='91317332-4ace-5fc8-823b-641e0b0d4e22' id='54491' code='PDNLNS'>
                <room>Ngaio Marsh Theatre</room>
                <title>Fantastic Ingress Points and Where to Find Them</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2024-11-22T15:55:00+13:00</date>
                <start>15:55</start>
                <duration>00:25</duration>
                <abstract>Attack surface management is an age old challenge that organisations face. With cyber attacks being reported frequently in the media it can be easy to lose hope as a consumer, let alone a technology professional. This presentation aims to remove some of the &quot;magic&quot; behind threat emulation and simulation that internal Red Teamers and Offensive Security Specialists have picked up from studying the &quot;bad guys&quot; by looking at real world examples and going through &quot;what&apos;s next&quot; after you&apos;ve been handed your Red Teaming report.</abstract>
                <slug>chcon-2024-54491-fantastic-ingress-points-and-where-to-find-them</slug>
                <track>Main Track</track>
                
                <persons>
                    <person id='56526'>MewSec</person>
                </persons>
                <language>en</language>
                <description>This presentation aims to examine the life cycle of offensive security testing and how it ties into continuous security improvement.

Mewsec is a Security Researcher and InfoSec professional from over the puddle hailing from the land of koalas. When she is not &quot;Hacking the Planet&quot;,  you could probably spot her at an Aussie con.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/chcon-2024/talk/PDNLNS/</url>
                <feedback_url>https://pretalx.com/chcon-2024/talk/PDNLNS/feedback/</feedback_url>
            </event>
            <event guid='e68d7497-67e0-5995-a7ec-92294d4229aa' id='55217' code='N7LHKK'>
                <room>Ngaio Marsh Theatre</room>
                <title>What Developers Get for Free?</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2024-11-22T16:25:00+13:00</date>
                <start>16:25</start>
                <duration>00:25</duration>
                <abstract>Gone are the days when developers had to craft their own session management systems and rely on CGI calling Perl scripts (hopefully!). Today, programming languages and frameworks offer a wealth of built-in security features&#8212;often for free. But what exactly do these features provide, and how can we leverage them to elevate our security code reviews, penetration testing practices, and even compliance efforts?

In this talk, we&apos;ll explore the security mechanisms that modern frameworks and languages offer out of the box. We&apos;ll dive into how understanding these built-in tools can transform your approach to code review and penetration testing, allowing you to focus on the nuances and deeper issues that could compromise your application&#8217;s security. Whether you&apos;re a security professional, developer, or compliance officer, this session will equip you with the knowledge to make the most of the features at your disposal and ensure your applications are as secure as possible.</abstract>
                <slug>chcon-2024-55217-what-developers-get-for-free</slug>
                <track>Main Track</track>
                
                <persons>
                    <person id='57212'>Louis Nyffenegger</person>
                </persons>
                <language>en</language>
                <description>Developers! Developers! Developers! Developers! Developers! Developers!

In this talk, we&#8217;ll dive into the evolving landscape of built-in security features provided by modern frameworks and languages. We&#8217;ll start with a look at Ruby on Rails, which pioneered many security features such as protection against SQL injection and XSS, and how these innovations set the stage for today&#8217;s robust frameworks.

We&#8217;ll then explore contemporary frameworks like Django and ASP.Net Core, which offer advanced security features such as automatic password hashing upgrades and extensive built-in protections. We&apos;ll demonstrate how these features can enhance your development practices and why they matter.

In addition, we&#8217;ll discuss the significance of comprehensive documentation and error-proofing to prevent developers from reinventing the wheel and to streamline focus on critical areas.

We&#8217;ll also cover how developers can contribute to this ecosystem, whether by implementing similar practices internally or by contributing to open-source projects to expand the availability of these built-in security features.

Finally, we&#8217;ll examine the impact of these built-in features on penetration testing, code reviews, and compliance. By leveraging these features, you can strategically target your efforts on custom code and integrations. Or, by focusing on these widely-used features, you have the opportunity to uncover high-impact vulnerabilities that many developers rely on&#8212;making it harder to find issues, but offering significantly higher rewards when you do.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/chcon-2024/talk/N7LHKK/</url>
                <feedback_url>https://pretalx.com/chcon-2024/talk/N7LHKK/feedback/</feedback_url>
            </event>
            <event guid='05136cec-53d2-593d-99b5-47f13195d4d2' id='53038' code='QCWLAT'>
                <room>Ngaio Marsh Theatre</room>
                <title>ICS is NOT OT - Redefining Operational Technology</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2024-11-22T17:10:00+13:00</date>
                <start>17:10</start>
                <duration>00:25</duration>
                <abstract>The most common definition of OT (Operational Technology) includes ICS (Industrial Control Systems).  This talk will present an alternative view which better aligns to current practice, both in NZ and globally.  The talk will address some of the conflict in terminology and discourse around what good OT cyber security looks like - generally from a defender perspective.  The talk will include key insights and takeaways technical and non-technical, regardless of your OT security maturity.</abstract>
                <slug>chcon-2024-53038-ics-is-not-ot-redefining-operational-technology</slug>
                <track>Main Track</track>
                <logo>/media/chcon-2024/submissions/QCWLAT/ICSisnotOT_jvWJvIP.png</logo>
                <persons>
                    <person id='55255'>Peter Jackson</person>
                </persons>
                <language>en</language>
                <description>Industrial cyber security is a harder problem than corporate/enterprise cyber security.  The requirements are different.  Most systems and protocols are insecure-by-design.  Many systems are un-patched and/or un-patchable.  The part-art and part-science of OT cyber security is far less mature than more well-established IT or conventional cyber security.  

Add into the mix, a &apos;cylinder of excellence&apos; (silo) problem.  Most technology in an organisation sits in the IT &apos;cylinder&apos;.  For OT, there is always an interface with operations/engineering/generation/manufacturing because you&apos;re working on technology that can have real-world implications (a key feature of OT).

In working in the area of ICS/OT for ~20 years, the last ~10 years in ICS/OT cyber security, Peter will bring some insights in dealing with some of the hard problems in ICS/OT cyber security.  One area of development is the clarification of roles and responsibilities.  More organisations are changing their strategies in who is responsible for &apos;OT&apos;... and even how we define &apos;OT&apos;.

His experience is informed not only through work in the sector (NZ and internationally) but supported by several years as an internationally-recognised award-winning OT cyber security expert and international conference presenter.  His work supporting the ICS/OT cyber security community extends to ~dozens of presentations across NZ, running the NZ ICS/OT Cyber Technical Network (established 2019), facilitating NZ ICS/OT seminars/conferences (since 2017), and supporting the 62443 series as a member of ISA-99.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/chcon-2024/talk/QCWLAT/</url>
                <feedback_url>https://pretalx.com/chcon-2024/talk/QCWLAT/feedback/</feedback_url>
            </event>
            <event guid='435e230d-46ca-5bf9-8b49-c8717188fe31' id='49714' code='KATQUL'>
                <room>Ngaio Marsh Theatre</room>
                <title>Intelligence-Driven Defense &#8211; A CTI story</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2024-11-22T17:40:00+13:00</date>
                <start>17:40</start>
                <duration>00:25</duration>
                <abstract>In an era where budget constraints are ever-present and the threat landscape is constantly evolving, organisations must optimize their cybersecurity spending with precision. This technical presentation delves into the integration of Cyber Threat Intelligence (CTI) within detection engineering frameworks to maximize the effectiveness of limited cybersecurity resources. The presentation will explore the strategic application of actionable intelligence to tailor defensive measures, enabling organisations to prioritize their security efforts based on tangible and relevant threat insights into adversary tactics, techniques, and procedures (TTPs). Attendees will gain a deeper understanding of how to interpret threat actor telemetry to engineer more robust targeted defenses and identify the most pertinent threats to their operations. This session offers a comprehensive guide to deploying a targeted cybersecurity strategy that not only mitigates cyber risks but also enhances the protection of critical assets within resource-constrained environments.</abstract>
                <slug>chcon-2024-49714-intelligence-driven-defense-a-cti-story</slug>
                <track>Main Track</track>
                
                <persons>
                    <person id='52130'>Chathura Abeydeera</person>
                </persons>
                <language>en</language>
                <description>What will attendees learn/gain from the presentation?

An approach to understand the telemetries used by threat actors and gain insights using statically analytical techniques. 

A methodology to mitigate cyber threats that are likely to target the organisation.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/chcon-2024/talk/KATQUL/</url>
                <feedback_url>https://pretalx.com/chcon-2024/talk/KATQUL/feedback/</feedback_url>
            </event>
            <event guid='4b34469f-c40b-5bf5-9055-175cad876fbf' id='54798' code='TKPQWN'>
                <room>Ngaio Marsh Theatre</room>
                <title>Deepfake P*rn: The Real People Behind the Image</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2024-11-22T18:10:00+13:00</date>
                <start>18:10</start>
                <duration>00:25</duration>
                <abstract>The advancement of A.I within the last few decades has sparked some concern in the general public such as fears of political impersonation or a robot uprising. However, there has been an ongoing and persistent threat with the use of A.I that is only just making its way into the mainstream media.

The production of deepfake pornography has been increasing within the last ten years. This technology is used to make non-consensual adult media often targeting women including famous people and non-celebrities. This talk will unpack the history of deepfake porn, explain how the technology developed, evaluate the prevention and mitigation efforts, and discuss what services and legislation are in place in New Zealand to protect people affected by this.</abstract>
                <slug>chcon-2024-54798-deepfake-p-rn-the-real-people-behind-the-image</slug>
                <track>Main Track</track>
                
                <persons>
                    <person id='56798'>elle</person>
                </persons>
                <language>en</language>
                <description>Deepfakes and A.I in general have permeated into the social discourse most notably over the last few years. As with most technological development there is a darker and more illicit history behind the advancements and notoriety surrounding this technology. Whilst chat bots and A.I image generators were entering the mainstream, an established subset of deepfakes has been persisting in popularity on the Internet - that is the use of deepfake technology to produce synthetic pornography.

Deepfake pornography shares a similar history with most modern technologies in that its advancement stems from a demand for sex on the Internet. However, due to the ease of accessibility and low technical requirement to utilise it, it has become a common vector to target and exploit women on the Internet.

A superficial glance at deepfake pornography in mainstream media highlights the effects on mostly Western celebrity women. This talk will also explore the people who have been exploited by this technology but haven&apos;t received the same levels of attention, consideration, and support. The primary aim of this talk is to raise awareness about the negative impacts this technology is having on women and consider how we can do better as an industry.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/chcon-2024/talk/TKPQWN/</url>
                <feedback_url>https://pretalx.com/chcon-2024/talk/TKPQWN/feedback/</feedback_url>
            </event>
            
        </room>
        
    </day>
    <day index='3' date='2024-11-23' start='2024-11-23T04:00:00+13:00' end='2024-11-24T03:59:00+13:00'>
        <room name='Ngaio Marsh Theatre' guid='55d1960b-50d8-569a-ab51-598dae88d578'>
            <event guid='66facc94-1471-56e1-b7a3-1b1ebe136a82' id='52312' code='HA77NH'>
                <room>Ngaio Marsh Theatre</room>
                <title>Hacking the Suite: The Journey from Hacker to Executive</title>
                <subtitle></subtitle>
                <type>Long time good talk</type>
                <date>2024-11-23T09:00:00+13:00</date>
                <start>09:00</start>
                <duration>01:00</duration>
                <abstract>Stop me if these phrases sound familiar: &quot;Management just doesn&apos;t understand the issue&quot;, &quot;The executives don&apos;t care about security&quot;, or &quot;If the board would just give us the budget......&quot;. You&apos;ve probably heard or even uttered many of these common phrases yourself. There seems to be this perennial divide between our technical security practitioners and engineers, and the leadership at the top levels of an organization. Have you ever considered what it would be like to be an executive, what you&#8217;d do differently, or even wondered if it&#8217;s possible to move from a technical security role into the C-Suite of a multi-billion dollar organization?
In this presentation we&#8217;ll follow the journey of someone who did just that. Alyssa Miller, a childhood hacker who grew up in the hacker culture of the 80&#8217;s and 90&#8217;s is now the CISO of such an organization. She&#8217;ll share the lessons learned as a hacker that helped her understand and influence executives at the highest levels of leadership. She&#8217;ll give you tips, tricks, and even warnings about potential pitfalls to avoid if your goals include the C-Suite at some point in your future. You&#8217;ll learn that you don&#8217;t need to abandon your hacker roots to join the management ranks, and in fact you&#8217;ll see how those tools uniquely equip you to be exceptional in such a role. Come join us for fun stories, learning from examples, and inspiration to chase those dreams in your most authentic way.</abstract>
                <slug>chcon-2024-52312-hacking-the-suite-the-journey-from-hacker-to-executive</slug>
                <track>Main Track</track>
                
                <persons>
                    <person id='54603'>Alyssa Miller</person>
                </persons>
                <language>en</language>
                <description>This presentation will include an origin story but will not focus on it. Instead, that origin story will be used to draw specific learning experiences to be shared with the audience. Tales of successes and failures will be shared, connections between hacker skill sets and the skills needed to be successful in the C-Suite will be drawn, and attendees will leave the session feeling prepared and inspired to take their hacker persona to the boardroom.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/chcon-2024/talk/HA77NH/</url>
                <feedback_url>https://pretalx.com/chcon-2024/talk/HA77NH/feedback/</feedback_url>
            </event>
            <event guid='b6e380a4-03ac-5dcd-a803-06448090d375' id='52595' code='CKPEZY'>
                <room>Ngaio Marsh Theatre</room>
                <title>MFA, stories that make you go huh?</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2024-11-23T10:05:00+13:00</date>
                <start>10:05</start>
                <duration>00:25</duration>
                <abstract>MFA, everyone says you should be using it. We say that too, but not all MFA is created equal, and some MFA implementations have issues. Having tested many systems over the years we have seen some &#8220;interesting&#8221; implementations with weird behaviour which allows for bypassing MFA. Knowing these gotchas will help you find these issues and hopefully avoid the same mistakes.</abstract>
                <slug>chcon-2024-52595-mfa-stories-that-make-you-go-huh</slug>
                <track>Main Track</track>
                
                <persons>
                    <person id='54864'>David Robinson</person><person id='54997'>Jacob Hawthorne</person>
                </persons>
                <language>en</language>
                <description>This talk will provide background on what MFA is and why we should be using it. MFA often has pitfalls in its implementation, allowing attackers to bypass it. We will present a range of bypass techniques that we have seen through our testing over the years &amp; how to identify them. In addition, we suggest how these issues could have been avoided. This discussion will also help the hunters with new ideas of what they can be looking for when reviewing MFA implementations or trying to bypass MFA on a red team. We finish with what you should be doing to avoid these MFA implementation issues.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/chcon-2024/talk/CKPEZY/</url>
                <feedback_url>https://pretalx.com/chcon-2024/talk/CKPEZY/feedback/</feedback_url>
            </event>
            <event guid='fb2a208c-ffa4-5fd3-854f-a4c278082823' id='55419' code='EYU7C9'>
                <room>Ngaio Marsh Theatre</room>
                <title>Don&#8217;t Touch Disk, Disk is Lava</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2024-11-23T11:05:00+13:00</date>
                <start>11:05</start>
                <duration>00:25</duration>
                <abstract>Security controls such as endpoint detection and response (EDR) continue to mature,  thereby increasing the amount of effort adversaries must invest to successfully execute intrusions, remain undetected and achieve their objectives.  This presentation will cover techniques that red teams can use to perform post exploitation against web applications hosted by Microsoft&#8217;s Internet Information Services (IIS) while evading modern security controls. The concerns that come with using traditional &#8220;cmd.exe&#8221; web shells will be discussed before demonstrating more mature web shells which make use of reflective assembly loading and deserialisation.</abstract>
                <slug>chcon-2024-55419-don-t-touch-disk-disk-is-lava</slug>
                <track>Main Track</track>
                
                <persons>
                    <person id='57413'>Marc</person>
                </persons>
                <language>en</language>
                <description>The presentation will cover:
- Talk will reference real world experience conducting red team engagements
- Why traditional web shells that are dependent on executing child processes from the IIS worker process should be avoided
- Using reflection within ASPX to reflectively load assemblies for post exploitation
- Exfiltration of IIS machine keys to maintain persistence and achieve code execution through deserialisation
- Adaption of public tooling to build a &#8220;fileless&#8221; web shell which uses deserialisation to reflectively load assemblies</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/chcon-2024/talk/EYU7C9/</url>
                <feedback_url>https://pretalx.com/chcon-2024/talk/EYU7C9/feedback/</feedback_url>
            </event>
            <event guid='fa264b0b-109d-5c71-b1dd-d6b648b8bd08' id='55240' code='WSBPZP'>
                <room>Ngaio Marsh Theatre</room>
                <title>A Very Brief History Of Safecracking</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2024-11-23T11:35:00+13:00</date>
                <start>11:35</start>
                <duration>00:25</duration>
                <abstract>At 1851&#8217;s Great Exhibition, locksmiths offered prizes to anyone who could defeat their so-called &#8220;unpickable&#8221; locks. This hugely successful marketing stunt heralded the modern security industry, with vendors stoking fears of Sophisticated Hackers&#8482; to create demand for expensive high-tech security solutions, while daring safe-breakers kept finding ways to thwart even the most impenetrable so-called &#8220;burglar proof&#8221; safe. 

In this talk we&#8217;ll meet some notorious characters from this now-forgotten golden age of safecracking. We&#8217;ll take a look at their criminal exploits, and how safecrackers&#8217; methods and security countermeasures evolved over a century.</abstract>
                <slug>chcon-2024-55240-a-very-brief-history-of-safecracking</slug>
                <track>Main Track</track>
                
                <persons>
                    <person id='57227'>Petra Smith</person>
                </persons>
                <language>en</language>
                <description>This talk is a whimsical yarn based on historical research I&apos;ve been doing over the last few years on NZ safecrackers. It gives case studies of a few infamous NZ safecrackers, covering their origins and how they became highly technically specialised professional criminals, the exploits that made them notorious in their day, and their eventual downfall. It briefly examines the techniques used in safecracking and how they changed over time, as well as changes in safe/strongroom technology (some addressing actual emerging threats, others driven by industry FUD and planned obsolescence). This talk is not meant to be a lesson on what history can teach us about how to improve corporate cybersecurity (boring, anachronistic, big LinkedIn energy), but it will &#10024;subtly&#10024; nod at some timeless wisdom and obvious parallels to modern-day hackers and security.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/chcon-2024/talk/WSBPZP/</url>
                <feedback_url>https://pretalx.com/chcon-2024/talk/WSBPZP/feedback/</feedback_url>
            </event>
            <event guid='9a8bd642-4ccd-5ad0-8a97-f60567fc7ebc' id='54550' code='ZVPA7D'>
                <room>Ngaio Marsh Theatre</room>
                <title>Quantum Threats to Crypto: Should We Be Afraid?</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2024-11-23T12:05:00+13:00</date>
                <start>12:05</start>
                <duration>00:25</duration>
                <abstract>Quantum Threats to Crypto: Should We Be Afraid?

This talk is about the security challenges presented by quantum computing, covering key Quantum Computing concepts as well as the vulnerabilities of current cryptographic algorithms. We will discuss NIST&apos;s efforts in standardizing quantum-resistant cryptography and emphasize the importance of education in preparing for a quantum-enabled future.</abstract>
                <slug>chcon-2024-54550-quantum-threats-to-crypto-should-we-be-afraid</slug>
                <track>Main Track</track>
                
                <persons>
                    <person id='56568'>Jagan Boda (Jay)</person>
                </persons>
                <language>en</language>
                <description>Our presentation explores the imminent dangers posed by quantum computing to cryptography, the specific risks, and how we can prepare for a more secure future.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/chcon-2024/talk/ZVPA7D/</url>
                <feedback_url>https://pretalx.com/chcon-2024/talk/ZVPA7D/feedback/</feedback_url>
            </event>
            <event guid='35a9481e-78f2-54da-b368-8a7035e76141' id='50485' code='8ZETCE'>
                <room>Ngaio Marsh Theatre</room>
                <title>Your voice confirms my identity</title>
                <subtitle></subtitle>
                <type>45er</type>
                <date>2024-11-23T13:35:00+13:00</date>
                <start>13:35</start>
                <duration>00:45</duration>
                <abstract>With voice cloning now available to the masses, just how secure is your average voice authentication system? Come dive into the world of AI voice generation systems; learn how to clone someone&apos;s voice, as well as discussion surrounding the trends we are seeing in voice authentication systems and AI voice generation.</abstract>
                <slug>chcon-2024-50485-your-voice-confirms-my-identity</slug>
                <track>Main Track</track>
                
                <persons>
                    <person id='52906'>Ethan McKee-Harris</person>
                </persons>
                <language>en</language>
                <description>Ever-increasingly voice authentication is seen as the next step forward in a simplified user experience which also decreases costs for companies. Unfortunately, this same step can often be seen as a step backwards for user&apos;s security.

This presentation aims to discuss topics such as the over-reliance on a user&apos;s voice as a primary security boundary. A demonstration of tools available for cloning a user&apos;s voice (mine). Along with the current pitfalls with the use of voice authentication. Further to this, we also dive into practical voice cloning of users using their digital presence.

Audience members should be able to walk into this presentation with little to no prerequisite knowledge and leave with the following:
- Knowledge of current voice cloning techniques
- Considerations around the usage of voice as a security boundary within their own applications
- A better awareness of where we see the voice authentication and AI voice generation sectors trending towards as well as the pitfalls associated with them</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/chcon-2024/talk/8ZETCE/</url>
                <feedback_url>https://pretalx.com/chcon-2024/talk/8ZETCE/feedback/</feedback_url>
            </event>
            <event guid='d99f8637-86ce-5297-9c2c-88aeaa28328b' id='50426' code='QMC7NK'>
                <room>Ngaio Marsh Theatre</room>
                <title>Moving towards a carbon-zero, more sustainable, and digitally insecure world: managing cyber security vulnerabilities within green-tech</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2024-11-23T14:25:00+13:00</date>
                <start>14:25</start>
                <duration>00:25</duration>
                <abstract>The importance of making more sustainable choices in our daily activities is now deeply embedded within our social practices and is a core part of what we teach our children. Indeed, most modern businesses have &#8216;green&#8217; policies that underpin how they source products and services, consume energy, and dispose of waste. A good example of this is the growth of the use of highly automated Internet-connected building management systems within the construction of environmentally friendly homes and commercial buildings.

Dropping down to the consumer-level, many individuals are also increasingly embracing green technologies in terms of how they live their lives. We are seeing a massively increased usage of electric and hybrid vehicles, e-bikes, IoT-enabled electrified public transport, smart bulbs, and solar-powered Internet-enabled security cameras. 

However, on closer review, many critical security vulnerability and privacy assurance mechanisms are absent within these increasingly autonomous technologies. Many green tech companies are working on cutting-edge technologies that have not yet been thoroughly tested or implemented on a large scale. 

This could lead to situations where, if a malicious actor took over an intelligent thermostat or door-locking mechanism, they could create an internal climate which was excessively hot or cold, or remotely disarm a premises&apos; door-locking mechanisms. Scenarios such as this have physical safety implications for building occupants. They also have serious reputational harm implications for the business owners associated with these green buildings.</abstract>
                <slug>chcon-2024-50426-moving-towards-a-carbon-zero-more-sustainable-and-digitally-insecure-world-managing-cyber-security-vulnerabilities-within-green-tech</slug>
                <track>Main Track</track>
                
                <persons>
                    <person id='52835'>Nick Baty</person>
                </persons>
                <language>en</language>
                <description>This session will cover off:

- What are current and emerging examples of green technology,
- Cyber threats facing green technologies today, and what the commercial and personal impact can be,
- Recent examples of green technology compromises,
- What remediation options are available to address cyber security risks within green technologies,
- Remediation implementation: how a partnership-based approach is the best way forward, and
- How cyber security professionals can work with green technology consumers and vendors to address this growing trend.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/chcon-2024/talk/QMC7NK/</url>
                <feedback_url>https://pretalx.com/chcon-2024/talk/QMC7NK/feedback/</feedback_url>
            </event>
            <event guid='dbf4fa4b-483a-589e-8cec-b5d4bb3b5b5f' id='52658' code='X8G3XD'>
                <room>Ngaio Marsh Theatre</room>
                <title>Fellowship of the Keys</title>
                <subtitle></subtitle>
                <type>Lightning</type>
                <date>2024-11-23T14:50:00+13:00</date>
                <start>14:50</start>
                <duration>00:15</duration>
                <abstract>Common Criteria is an international standard required by most governments and entities to protect their mission-critical resources. It is a pre-requisite for qualified products under the European Union digital signature laws and is required by the US government under the National Information Assurance Partnership (NIAP). This presentation sheds light on the TLS certificate requirements for this regulation and the common pitfalls to look out for.</abstract>
                <slug>chcon-2024-52658-fellowship-of-the-keys</slug>
                <track>Main Track</track>
                
                <persons>
                    <person id='54933'>Marjonel Montejo</person>
                </persons>
                <language>en</language>
                <description>One key to rule them all and one key to find them
One key to bring them all and in the network bind them
The Fellowship of the Keys tells the story of TLS certificates and how they play a major role in making network connections secure.
It also talks about the importance of getting your certificate verification right in order to meet the requirements for NIAP/Common Criteria certification.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/chcon-2024/talk/X8G3XD/</url>
                <feedback_url>https://pretalx.com/chcon-2024/talk/X8G3XD/feedback/</feedback_url>
            </event>
            <event guid='12c081bd-c642-5a96-8f51-19131d85322c' id='48131' code='XT93HS'>
                <room>Ngaio Marsh Theatre</room>
                <title>Putting the S for Security into IoT</title>
                <subtitle></subtitle>
                <type>Lightning</type>
                <date>2024-11-23T15:40:00+13:00</date>
                <start>15:40</start>
                <duration>00:15</duration>
                <abstract>I finally work somewhere which cares about security! These are the tools we&apos;re using to improve our products.</abstract>
                <slug>chcon-2024-48131-putting-the-s-for-security-into-iot</slug>
                <track>Main Track</track>
                
                <persons>
                    <person id='50606'>Tom Isaacson</person>
                </persons>
                <language>en</language>
                <description>There are any number of talks about security tools for web development but very few for IoT. In my new job we&apos;re using GitHub (Dependabot, Secrets Manager, CodeQL), SonarQube, Mend, Nessus and others. I will go through how we use these and how useful they are, particularly because we&apos;re using Yocto which isn&apos;t directly supported by some of these.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/chcon-2024/talk/XT93HS/</url>
                <feedback_url>https://pretalx.com/chcon-2024/talk/XT93HS/feedback/</feedback_url>
            </event>
            <event guid='b214fd85-a34f-51c5-bfc3-5d8973db6ea5' id='48436' code='7ALPRL'>
                <room>Ngaio Marsh Theatre</room>
                <title>Beyond &apos;delete my browser history&apos; - infosec after death</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2024-11-23T15:55:00+13:00</date>
                <start>15:55</start>
                <duration>00:25</duration>
                <abstract>Human lives are finite, but the internet remembers all. What does, will, or should happen to all the accounts, passwords and other data after a person becomes dead or otherwise unavailable?</abstract>
                <slug>chcon-2024-48436-beyond-delete-my-browser-history-infosec-after-death</slug>
                <track>Main Track</track>
                
                <persons>
                    <person id='50871'>notnotcharlie</person>
                </persons>
                <language>en</language>
                <description>An intersection between death, information security and legal things. Relevant to absolutely everyone.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/chcon-2024/talk/7ALPRL/</url>
                <feedback_url>https://pretalx.com/chcon-2024/talk/7ALPRL/feedback/</feedback_url>
            </event>
            <event guid='a72497a9-322c-5123-ba85-74652f552b79' id='55341' code='ZMQBTS'>
                <room>Ngaio Marsh Theatre</room>
                <title>What!? Is my life that fragile?</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2024-11-23T16:25:00+13:00</date>
                <start>16:25</start>
                <duration>00:25</duration>
                <abstract>The increased dependency on the digital life to participate in society means digital life is real life. With that, the consequences of failure in confidentiality, integrity and availability of our digital self can have dire consequences. So, I threat modelled living in 2024; and it&#8217;s more fragile than I thought!


How digitally resilient do you think you are?
Let&#8217;s talk about that, and some things we can do about it.</abstract>
                <slug>chcon-2024-55341-what-is-my-life-that-fragile</slug>
                <track>Main Track</track>
                
                <persons>
                    <person id='57324'>hoodiePony</person>
                </persons>
                <language>en</language>
                <description>As a cyber security professional, it&#8217;s often our job to keep the organisation safe from cyber threats and manage its risks. We know that these are very context sensitive; especially the consequences. 
We do these assessments with the organisations&#8217; perspective in mind. But, when was the last time you genuinely considered the risks and consequences, from your own perspective and the ones you love? While doing my own digital housekeeping, I did just that, and it felt confronting - the risk profile was very different.


In this talk, I&#8217;ll explore that, and walk through a threat model where the perspective is of an individual human - you and me. It was quite surprising how things can go wrong. Could a single &#8220;incident&#8221; potentially deny your ability to continue living your life? Let&#8217;s find out.


What we individually can and collectively must do about it? Especially as we become dependent on our digital lives to live our meatbag ones.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/chcon-2024/talk/ZMQBTS/</url>
                <feedback_url>https://pretalx.com/chcon-2024/talk/ZMQBTS/feedback/</feedback_url>
            </event>
            <event guid='80675c42-485f-5039-bfd0-6e1f68669b11' id='50509' code='LRLZYE'>
                <room>Ngaio Marsh Theatre</room>
                <title>PDF structure and places where you can hide things.</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2024-11-23T17:25:00+13:00</date>
                <start>17:25</start>
                <duration>00:25</duration>
                <abstract>There are trillions of PDFs in the world, and their very ubiquity makes them a file type where &apos;bad people&apos; might store malicious code. The ability to quickly identify malicious files is essential and tools such as REMnux, peepdf and RUPS will be discussed, along with some examples of other things that can be hidden within the PDF file format.</abstract>
                <slug>chcon-2024-50509-pdf-structure-and-places-where-you-can-hide-things</slug>
                <track>Main Track</track>
                
                <persons>
                    <person id='52771'>Roger Dunham</person>
                </persons>
                <language>en</language>
                <description>PDFs are ubiquitous, and a relatively simple format. However, that simplicity supports multiple places where code or other information can be stored. We will have a quick overview of the overall structure of PDFs, and see three places (if there is time) where code can potentially be stored. We will also look at some tools that can help to identify the presence of such code.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/chcon-2024/talk/LRLZYE/</url>
                <feedback_url>https://pretalx.com/chcon-2024/talk/LRLZYE/feedback/</feedback_url>
            </event>
            <event guid='f43766f5-598e-5d99-a7d5-b3255c9b0df5' id='54807' code='Q9LJLG'>
                <room>Ngaio Marsh Theatre</room>
                <title>Hackin Kashin</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2024-11-23T17:50:00+13:00</date>
                <start>17:50</start>
                <duration>00:25</duration>
                <abstract>ASB&apos;s Kashin has been an icon in many young people&apos;s lives, helping them learn how to save.
This talk recounts the process of researching the Clever Kash device, generally discusses why IoT security matters, and common techniques used to reverse engineer hardware.</abstract>
                <slug>chcon-2024-54807-hackin-kashin</slug>
                <track>Main Track</track>
                
                <persons>
                    <person id='53473'>Thomas Hobson</person>
                </persons>
                <language>en</language>
                <description>we looked at a yellow elephant under a microscope</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/chcon-2024/talk/Q9LJLG/</url>
                <feedback_url>https://pretalx.com/chcon-2024/talk/Q9LJLG/feedback/</feedback_url>
            </event>
            <event guid='0d80571c-c6ad-5212-8c29-09ae249ef281' id='49850' code='J9PJQY'>
                <room>Ngaio Marsh Theatre</room>
                <title>The Independence Day (1996) Hacking Scene Was Good, Actually</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2024-11-23T18:15:00+13:00</date>
                <start>18:15</start>
                <duration>00:25</duration>
                <abstract>Everyone knows that in 1996, David Levinson saved the world by hacking the aliens with his trusty Macintosh PowerBook. Despite the memes you may have seen, this cyberattack is actually plausible, and I can prove it. Let&apos;s break down the famous ID4 hacking scene, map it onto Lockheed-Martin&apos;s Cyber Kill Chain, and give Mr. Levinson some well-deserved credit!</abstract>
                <slug>chcon-2024-49850-the-independence-day-1996-hacking-scene-was-good-actually</slug>
                <track>Main Track</track>
                <logo>/media/chcon-2024/submissions/J9PJQY/Screenshot_2024-04-30_at_11.19.09AM_UhYuEZd.png</logo>
                <persons>
                    <person id='52263'>Ben Loula</person>
                </persons>
                <language>en</language>
                <description>&quot;But Ben,&quot; I hear you protest, &quot;Dean Devlin and Roland Emmerich only intended for the aliens to be defeated by a computer virus as a nod to the alien invasion in H. G. Wells&apos;s _War of the Worlds_ being defeated by organic viruses! It wasn&apos;t meant to be realistic!&quot;

That&apos;s where you&apos;re wrong, kiddo. Devlin enlisted Chris Weaver (Distinguished Professor of Computational Media at Wesleyan, Director of Smithsonian Spark!Lab Outreach Initiatives, and the founder of Bethesda Softworks LLC!) as the technical consultant and inspiration for the character of David Levinson. There absolutely is a sound 1990s-era cybersecurity foundation here and it goes way beyond Devlin&apos;s half-arsed AMA explanation that Levinson simply flipped zeroes and ones to invert the alien signal!

We&apos;ll cover some very important technical context featured in the novelisation (also written by Dean Devlin) and deleted scenes from the movie, and follow the cyberattack step-by-step through the Lockheed-Martin Cyber Kill Chain from Reconnaissance to Actions On Objectives. Finally, we&apos;ll talk about what the aliens did wrong, and how to remediate these vulnerabilities to ensure good cybersecurity hygiene for a successful planetary invasion.

(And I promise I&apos;ll keep the &quot;fan wank&quot; to an absolute minimum.)</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/chcon-2024/talk/J9PJQY/</url>
                <feedback_url>https://pretalx.com/chcon-2024/talk/J9PJQY/feedback/</feedback_url>
            </event>
            
        </room>
        
    </day>
    
</schedule>
