18-19 September 2021
Building and scaling a security champions program and appsec community with insights from company culture, research about developer motivations and gaining leadership buy-in.
I'll share options to continually improve security awareness and secure code training programs. Also, how to reward and recognise security champions to maintain engagement as vulnerabilities evolve over time.
Alice focuses on delivering creative business improvements through IT solutions and user-friendly ‘tech translation’ training. Her projects have ranged from managing the development, UAT and roll-out of a safety and risk app for mobile technicians, to delivering integrated management system solutions for multiple facilities and remote sites. Alice is a relative newcomer to Security but after 3 years has found a great community, got more than a few grey hairs and now wears less hi-viz than in her previous life as a Health & Safety manager.
A look into the role of cryptography in warfare. What ciphers were used, how were they cracked and what were the consequences? And how will we protect our data during future cyber warfare?
Anthony is a WA local (repping the Wheatbelt) with a passion for all things edible and Cyber. He currently works as a Security Consultant for Kinetic IT and is the Co-Founder of the volunteer Cyber Security organisation Certification Station.
Being a rather flexible language, JavaScript gives rise to a variety of ways malicious code can be obscured from analysis. This talk picks apart how the most popular JavaScript obfuscator works, and demonstrates how the tool deobf can automatically undo all of that.
Aria is a UWA student and long-time pentester who occasionally goes professional. They have a keen interest in reverse-engineering, low-level code, and malware analysis. They also waste too much time playing rhythm games.
Criminal enterprises, just like legitimate businesses, have needed to adapt to the changing environment to remain profitable and sustainable. Bex Nitert will present findings from her ongoing research into the operations, supply chain, victimisation, and money trail of a cybercrime actor and their progression from sole trader to criminal enterprise leader. This talk will contain a range of content including the technical and financial aspects of the cybercrime operations, OPSEC fails, investigation techniques, and much beloved war stories.
Bex Nitert is a Managing Consultant in the Digital Forensics and Incident Response (DFIR) team at ParaFlare, where she delivers digital forensic investigation, incident response, threat hunting and cyber security consulting services to clients in the public and private sector. Prior to joining ParaFlare, Bex was the Digital Forensic Lead in Australia for a global professional services firm and a Managing Consultant of Cyber Security and Forensics at a global Fortune 500 IT services company. During her career in digital forensics and cyber security, Bex has conducted investigations into multimillion-dollar fraud schemes, employee fraud and misconduct, intellectual property theft, and unauthorised disclosure of information. She has also assisted clients with high impact incidents, such as ransomware attacks, the sabotage of IT systems by disgruntled employees, business email compromise, and cyber espionage. She uses her insights from digital forensic investigations to help organisations improve their cyber security posture and their ability to respond to and recover from security incidents.
Operational technology, that is technology that controls physical processes, is a wily beast. It’s hard to update, expensive to replace, and mission critical for both production ($$$) and safety. So how do you secure it? 20 years ago, the answer was “isolate it.” And for the most part, we’ve left it at that. But as systems become more reliant on interconnectivity, we need to think harder about the risks that our operational systems face and the controls we need to properly secure them. This talk will walk you through performing risk assessments on operational systems - what to consider, what to be concerned about, and most importantly, how this plays out IRL (with names and products changed to protect the guilty, of course).
Cairo (she/her) is a cyber security professional, specialising in governance, risk and compliance. She currently works for Octopus Deploy, leading the implementation of their GRC programme. Before moving to Octopus, she spent three years leading risk assessment and remediation at one of the world’s largest mining companies, working with technology across both enterprise and operational environments. Her previous experience includes consulting and internal positions, working with organisations across finance, government, healthcare, telecommunications and resources to assess their security posture and implement policy and process to increase security maturity. She is passionate about providing pragmatic security advice, increasing female representation in the Cyber Security industry, and Stardew Valley. She also has a degree in International Relations and a CISSP.
Product Security is becoming increasingly important across Australian business, but the approaches and tooling being used are still quite legacy. Our reliance on expensive static analysis tools, manually running dynamic testing services, and trying to educate developers about the OWASP Top 10 just isn't cutting it anymore and is largely becoming ineffective, slowing productivity, and frustrating security professionals AND software engineers alike. This talk seeks to highlight the problems Australian enterprises face in the Product Security space, and what we should be investigating or investing in to uplift our ProdSec capability to be in line with GEU / NA peers.
Hallo, I'm Cole Cornford from the Hunter Valley in NSW. I work for Lendi and Telstra in the AppSec world. Previously, I've worked FedGov, Banks, NFP's and Tech in Silly Valley. In my spare time I enjoy reading the AFR while drinking terrible home-made long blacks and wondering when I'll get to leave my house again.
Open-source modules within ecosystems are undoubtedly awesome. However, they also represent an undeniable and massive risk. You’re introducing someone else’s code into your system, often with little or no scrutiny. The wrong package can introduce critical vulnerabilities into your application, exposing your application and your user's data. This talk will use a sample application, Goof, which uses various vulnerable dependencies, which we will exploit as an attacker would. For each issue, we'll explain why it happened, show its impact, and – most importantly – see how to avoid or fix it.
Senior Dev Advocate Snyk, Barayamal advisor. Dev/CTO/Maker/Geek/Speaker/MC/Hackathoner.
After 20 years of Information Technology and Cyber Security Conferences I have seen the Good, the Bad and the downright Fugly when it comes to talks. This talk will focus on what not to do, with some great recollections of past talks, and also the best way to set up a talk to walk away from with your reputation intact.
Father of 3, Director of PwC's Cyber Security & Digital Trust Practice and SANS Instructor in training.
TDD, dependency injection, DevOps – buzz-words galore! We constantly hear about how these practices improve software maintainability, increase productivity, and reduce time-to-ship. But what if these practices were applied to malicious software development? In this presentation, I walk through my journey building a real-world ransomware payload which was ultimately executed in multiple production networks, as part of a cyber security exercise.
Emanuel is a Perth-native Cyber Security Consultant and Software Developer at Retrospect Labs. Technology captured his interest from a young age, and he has been learning more and more about how the technology that we interact with every day works, ever since. He has a desire to help uplift the Cyber Security capability of organisations, and enjoys architecting robust and secure software solutions. When not tinkering with technology, he enjoys music, motorsport, discovering new food experiences, and going on road-trips.
For decades, anthropologists, quantitative historians, and sociologists have discussed and proposed various explanations for the collapse of civilizations, from unsustainable complexity, decay of social cohesion, rising inequality and general misfortune. Using our time traveling phone booth, we’ll investigate historical collapses and conduct a root cause analysis to investigate why these collapses happened, and how we can observe similar issues in modern business environments. This talk provides an overview of how to identify cultural threats in a rapidly evolving business landscape, and how we can use modern day tools to identify these threats before they result in security culture collapse. Key points addressed: who is impacting your culture; identifying cultural problems; building a diagnostic toolkit.
Buffy (she/they) currently works at Canva as a security engineer, born on a moonless night in an undisclosed location along the cyber ley lines. For the past five years, they have been using the mystical powers handed down for generations to tame Pythons and Gophers, manifesting themself into the security engineer they are today.
Like almost any headline you see in 2021 there is a story behind the story, and this is the story of how major structural shifts in capitalism in the 1980s got SolarWinds breached in 2020. This talk explains dark patterns in financial engineering, the connections between the Gordon Gekko Wall Street of the 1980s and some of the major security breaches of the last 10 years. More importantly we finish with the question: who might be next?
Gareth is a WA based IRAP assessor, contract CISO, and all round Infosec nerd interested in the non obvious side of cyber security. Will swap war stories for dim sum.
Application consent allows a third party service to gain persistent access to resources in your environment. This can be something simple like scheduled automation scripts, using a GitHub account to log into HacktoberFest, or granting access to email and calendar for your fancy smart whiteboard. Recent high profile security incidents have shown how API access has been exploited for persistence. Management of the application consent process, and environment access for registered applications, were free and unfettered in many environments, allowing bad guys to do what they wanted in a largely unobserved way. This talk will explain the application consent process, and why as an application developer you need to ensure you request only the minimum permissions required for your application to work. The talk will explain to those responsible for administration and security of an environment how they can control and manage potential security risks in the environment caused by these allowed applications.
George is a dad, husband, best friend, worst friend, geek and Senior Consultant at Empired Ltd. George goes out of his way to learn new things every day, sometimes Cyber related, and loves to share that knowledge to help make a difference in others' lives. George finds purpose through service and is super excited to be here today.
For the past year or so, it seems that ransomware suddenly became the talk of the town. Companies in various industries have been targeted. Hospitals, transportation organisations and food supply chains were not spared. How did we get to this point? What can we do to prepare and protect our organisations? This presentation will cover a brief history of ransomware and how the TTPs of the ransomware gangs have evolved, and what actions we can take to prevent ransomware from further proliferating.
Gyle first got connected to the internet via her reliable 56k US Robotics modem and has been fascinated ever since with technology and security. She likes learning and sharing what she knows by mentoring, volunteering and presenting in different community-based infosec cons. She got her Graduate Certificate in Incident Response from the SANS Institute and her Master in Cyber Security – Digital Forensics from UNSW Canberra. Currently, she’s an incident responder with IBM’s X-Force IR team. When not doing cyber security stuff, she’s exploring the different farmers markets in quirky Melbourne and if there’s a lockdown, she reads recipe books and does a lot of experiments in her kitchen.
Building a Security Operations capability from scratch is hard. How many people do you need? What processes should you use? What tools can you implement? Should you go 24/7 or 8/5? This presentation discusses some of the thought processes and key questions that are required in order to develop a successful Security Operations capability, and how you can develop a function that meets the needs of the business, whilst ensuring that stakeholders don't see it as a "financial sink" and see the value provided to the business.
Iain is the Full Spectrum Cyber lead for Leidos Australia, and provides oversight and support to all of Leidos' AU programs for technical cyber security. He is currently the Chief Cyber Architect for a program which provides a Security Operations capability to a Federal Government Department. He has previously worked as a Cyber Research Engineer and as an Assistant Director for Cyber Threat Intelligence within the Federal Government. He is also one of the founders of ComfyCon AU, a virtual conference founded as a direct response to the cancellation of cyber security conferences due to the COVID-19 pandemic.
Blockchain and smart contract technologies have taken the globe by storm and are rapidly evolving. As businesses begin to use smart contracts, we as cyber security professionals must be aware of the various sorts of attacks that can be carried out and how to best defend against them. This talk delves into the most well-known Ethereum flaw, re-entrancy, which was first unveiled with a 3.5 million ETH heist (worth $12.5 billion AUD today).
Jacob Larsen is a passionate and enthusiastic information security specialist with an insatiable curiosity. With a particular interest and fascination for advanced persistent threats, threat intelligence and blockchain technology, Jacob currently operates as both a Cyber Security Consultant and Cyber Intelligence Analyst for CyberCX.
Web Security is an ever-changing landscape, with sunrises and sunsets of protocols, ciphers, and client capabilities. And while the service you deploy may work, it may be implementing deprecated standards and nearing the trailing edge of support. We'll cover some of the changes that have happened over the last decade, and then focus on the last 24 months and how you can continue to raise the bar on your workload, with no additional costs.
James is a Consulting Director at Modis, and serves as the Global Director of Cloud Solutions, and more specifically the global AWS Practice Director, with teams in the UK, Europe, USA, Bulgaria, Romania, Japan & Australia. He's been a Linux & Open Source contributor since the 1990s as a Debian Linux Developer, a Perl CPAN contributor, and conference chair for Linux.conf.au. James was the primary security technical specialist for AWS in Australia and New Zealand from the launch of AWS in Australia until 2014 (he opened the AWS office in Perth). He's worked in Higher Education, Finance, Advertising, and Government (Law Enforcement, Transport, Education, Health). With 9x AWS Certifications (and equal longest certified AWS Solution Architect in the world), AWS Certification Subject Matter Expert, AWS Partner Ambassador, having written whitepapers and bootcamps for AWS, having walked inside the famed US-East-1 AWS Region, he knows a fair amount about the AWS Cloud.
In this presentation I’ll run through several campaigns that the PwC threat intelligence team have observed over the past 12 months. Then, using these campaigns, I'll show how threat-led mapping against MITRE can help organisations better defend themselves. PwC’s intelligence team tracks hundreds of campaigns every year, from large scale campaigns like SolarWinds to smaller, more targeted campaigns against entities across Asia Pacific. As part of our everyday business we dissect these campaigns, determining the threat actors behind them, their motivations, and their likely targets. We also map out these campaigns against the MITRE framework to work out ways to defend against the actors. Understanding the targeting and techniques used by threat actors is a key process in our threat-led MITRE analysis. I’ll demonstrate how the output of this process can be used to improve organisations' defensive standpoint by increasing their detection coverage.
Jason is the threat intelligence lead in PwC’s Cyber and Digital Trust practice. He is responsible for leading the analysis and reporting of Advanced Persistent Threat and Organised Crime campaigns. He previously worked for PwC in the UK, CrowdStrike and before that the Australian Signals Directorate.
Have you ever been stuck in the airport and run out of the one hour free WiFi? Have you ever been in a hotel that makes you pay for WiFi? Our talk, Unlimited WiFi, helps understand the common flaws within captive portals and proxies. On restricted networks, these methods can be used to exfiltrate information, where it may seem rather difficult, and download necessary exploits (please stop blocking exploit.db… makes pen testing a pain!). Finally, we will talk about how we developed a mini-authentication framework over DNS, allowing us to turn on IoT devices when stuck in a plane and WiFi connectivity is questionable! This talk brings in the concepts of misusing whitelisted software, writing scripts to bypass restrictions, writing your own authentication, and general software vulnerabilities. Our audience should gain a good understanding of the most common weaknesses within our target software and interesting ways to use the flaws they expose to our advantage!
Maeesha Lohani is a security consultant at CyberRisk and a passionate student studying Computer Science, majoring in Cyber Security. When not studying hard for her university courses, Maeesha contributes to the Australian Women in Security (AWSN) Cadets initiative, as a member of the committee. Fulfilling her duties in this committee, Maeesha was awarded the runner-up for the "Best Student Security Leader" award by CSO. She also has spoken at multiple conferences including Kids Securiday, Bsides Melbourne, AllTheTalks Online, and AWSN’s local events. Sajeeb Lohani is the lead Platform Security Engineer at Bugcrowd, who graduated with honours from Monash University with a Bachelor of Software Engineering (Hons.) in 2017. Sajeeb holds OSCP and OSWE. Constantly passionate about contributing to and improving cyber security research, Sajeeb currently holds 120+ CVEs and is also a core contributor and co-developer of Interlace, a popular open-source project used for organising and automating penetration testing workflows. Sajeeb is also ranked within the top 40 of BugCrowd and #2 of DVuln.
This talk will introduce the open source tool Velociraptor for remote incident response. We will cover off concepts, core capabilities, and workflow, then showcase unique functionality that pushes the boundaries beyond expensive paid tools. The goal of the talk is sharing knowledge with the community and hopefully inspiring future Velociraptor herders.
Matt works on the Velociraptor project as a Principal Software Engineer for Detection and Response at Rapid7. During the day he spends his time focusing on writing content and research to uplift the project as a community resource. Matt has worked in information security for almost 15 years across the end user, vendor and consulting space. With a heavy bias in endpoint based DFIR, he also enjoys threat research and is always learning from each collection.
Software supply chain attacks are becoming an increasingly large problem, and at Canva we are no different. The problem is becoming increasingly challenging and large in scale due to the complex nature of the software supply chain. This is also caused by the challenges of identifying all the dependencies in your software and tracking compromises of those dependencies. The Canva detection & response team has started their journey in dealing with this threat and wants to share critical lessons they have learnt, and how other organisations can prepare for attacks against their software supply chain.
Raymond is the technical lead in the Canva Detection & Response team. There he is responsible for detecting and responding to attacks against Canva and its global user base. Prior to joining Canva Raymond was the regional manager for a global incident response team and helped build up a managed detection & response practice.
Something about InfoSec fundamentals: building the compute platform so it's resilient to operator errors, inbound attacks, hardware failures and the like. Protecting against Corporate Policy, creating graceful failure patterns, looking after the front-line technical staff. That kind of operational thing. Content to cover OS, virtualisation, SysAdmin/SysOps content.
Renée is a compulsive disassembler of all things, an engineer at heart, with a drive to understand how all things work. Her cars are regularly gaining features (that's why they're broken), her home compute lab is also "in feature enhancement", as she's now permanently distracted playing violin.
IT was an accident, where she became a multi-flavoured Unix SysAdmin. She's escaped that now, having evolved into a technical design lead for
Ever wondered what application control is? Maybe you've implemented application control and are wondering if you've made any mistakes. Or maybe you, a nefarious hacker, want to know how to bypass it so you can drop your malware. In this talk, we're going to take a look at the various application control methods, and some of the misconfigurations and weaknesses that you might come up against in the wild.
Russ is a Senior Penetration Tester at Trustwave in Perth, who often jumps across to the blue team. In a previous life he was a sysadmin at an MSP and wears those scars proudly. Outside of work, he's developed challenges for multiple WACTFs and talked at SecTalks.
Short range wireless technologies are everywhere. Statistics show that total NFC usage grew by 82% from 2018-2020 and it is estimated that 20% of the world's population have access to NFC. Novel uses of short range wireless technologies, such as biological RFID and NFC implants, are also becoming commonplace. What are the security implications and can they be used offensively?
Bloodhound wins in a complex environment, plus Bloodhound for Linux. Also, if we're running short, we will be adding in some Falco wins for Linux, plugging that blind spot and providing some bespoke alert use cases that EDRs might not be able to provide, and potential alerting hurdles with commercial EDR solutions (we will place those in a git for everyone to use).
Zane is a passionate cyber defence practitioner with 10 years in the field, first starting on the help desk at iiNet as a young man with no idea what a router was (kinda still doesn’t), and is now the Senior Defence Engineer for the Wesfarmers Cyber Fusion Center. Zane is responsible for developing the CFC's rapid defence prototype and working directly with some of the largest retailers and industrial services within Australia. Zane has a strong interest and skillset in detection, #thunting, and security uplifts. Tristan has been in the security field for over a decade now and during this time has worked with organizations large and small. Lately there has been a strong focus on utilising and understanding attack tools & techniques such as Bloodhound/Kerberoasting/PrintNightmare in a defensive context in order to build a set of common uplift activities. #thunting
From Nigerian princes to questionable medicinal remedies - social engineering, or human hacking, is becoming more of an issue for individuals and organisations. Dive into phishing, vishing and smishing (yes, the latter two are real things), as well as other clever tactics used by attackers both physically and over the internet - cryptocurrency included - to trick you into unknowingly giving access to confidential information and assets.
Learn how to identify such attacks and how you and your organisation can become more aware.
Andre is a final year cyber security student from Curtin University working as a security engineer with a deep interest in forensics and social engineering.
What if I told you that in 2021 you could still brute-force the PIN on an Android phone?
I will show you how to turn your Kali Nethunter phone into a brute-force PIN cracking machine. Unlike other methods this works on phones out of the box, so you won't need ADB access to your locked phone, or to have previously rooted the Operating System. While not every phone is vulnerable, many are, and the version of Android doesn't matter. Although Android itself is reasonably secure, each handset manufacturer has made their own lock-screen with custom brute-force protection and some of them are easily cracked.
Andrew Horton aka urbanadventurer has been in the information security space for over 10 years. During that time he has been fortunate to have been providing services to some of the world’s biggest companies and working alongside some of the most elite ethical hackers in the world. Andrew is best known for his open-source software contributions to the security community, forming part of the standard arsenal of penetration testers and blackhat hackers alike, along with mentions in university textbooks and professional methodologies. You can find some of his contributions in Kali Linux, the most popular Linux security distribution used daily by security professionals. Beyond penetration testing, Andrew is on the advisory boards of start-ups, mentors up-and-coming security professionals, occasionally gives conference presentations, and also hosts the popular information security news aggregator at https://www.morningstarsecurity.com/news.
If you're looking to promote your business and support the Western Australian infosec community, here is your chance. We have many sponsorship packages available.
BSides Perth is on again! Running over the 18th-19th September 2021. You know why you're here.