BSides Perth 2018


“London Calling, VoIP hacking for fun and profit… mostly profit”

Kai Frost


VoIP and its umbrella technology converged telecommunications is an area of InfoSec which even after 20+ years of deployment still has very little institutional focus.

Millions of dollars of fraud are executed globally by highly sophisticated adversaries across a wide range of public, SOHO and carrier level infrastructure. This fraud often goes largely undetected or is written off by the carriers as unrecoverable.

In this talk, I will cover some of the standard business models of VoIP hackers, methodologies they use to make sure their tracks are multi-jurisdictional and trans-corporate in such a way that almost guarantees they will be largely left alone. I will also give some practical examples of quick and easy ways to sweep up large collections of unsecured endpoints and show how these can be used to generate stable revenue for criminal groups or unethical individuals.


Kai is an IT professional with 20 years of experience in national scale networks. Apart from his usual job of automating major parts of this workday, Kai has an unhealthy interest in VoIP, encryption, and data security. He has spoken previously at WAhckon and BSides on VoIP security and hacking as it affects modern voice providers.


“SecDevSecOpsSec: let’s stop throwing around the buzzwords.”

Sarah Young


Everyone likes throwing the phrase “DevSecOps” out there at the moment, right? It’s a security industry buzzword. But how many of us actually know what this means? We have DevSecOps, SecDevOps, secure pipelines, security toolchains, etc. too often used interchangeably and with no clear “official” definition. In this talk, Sarah will attempt to distill the exact meanings of each of these and use examples from her own experiences of creating automated security processes to explain how each can be effectively used, and the tools that she has used to do this.


Sarah is a security architect currently based in Melbourne, Australia. She has previously worked in New Zealand, London and various parts of Europe across a range of industry sectors. In her current role, Sarah helps enterprises move their stuff into the cloud securely. She spends most of her spare time eating hipster brunches and high teas.


“Malware Meets Industrial Safety System and the Consequences”

Paresh Kerai


A Middle East Industrial Safety System was recently attacked with malicious malware designed specifically to enable the damage or destruction of industrial equipment. This malware known as Triton, or Trisis, aimed to interfere with or shut down completely Schneider Electric’s Triconex safety instrumented system (SIS) The SIS are used by human operators to monitor industrial processes in order to detect potentially dangerous conditions, triggering alerts or shutdowns to prevent accidents or deliberate acts of sabotage which could result in an explosion, damaged machines, property destruction, injury or loss of human life. Triton is one of less than a handful of known cases worldwide where malware has been specifically designed and executed to sabotage industrial control systems and the attack appeared to be a sophisticated state-sponsored style coordinated attack on the organisation plant. This presentation will give an overview of the attack timeline, highlight the capabilities of the malware and the attack flow, and explain just how the attackers compromised the SIS device.


I am an Industrial Control System (ICS) Security Engineer and researcher, specializing in in cyber security in control systems and network infrastructure, and computer forensics. Currently enrolled in Doctor of Philosophy at Edith Cowan University, his research focus is on the security of Modbus protocol used in critical infrastructure systems and the security framework of industrial control systems. He is also interested in computer forensics, wireless security, IoT devices, threat hunting and threat intelligence.


“Exploits in Wetware”

Robert Sell


Robert discusses his third place experience at the Defcon 2017 SE CTF and how his efforts clearly show how easy it is to get sensitive information from any organization. The 2017 Verizon report clearly shows the dramatic growth rate of social engineering attacks and Robert demonstrates how he collected hundreds of data points from the target organization using OSINT techniques. He then goes into the vishing strategy he implemented to maximize the points he collected in the 20 minute live contest. Without much effort Robert was able to know their VPN, OS, patch level, executive personal cell phone numbers and place of residence.
Robert lifts the curtain of the social engineering world by showing tricks of the trade such as the “incorrect confirmation” which is one of many methods to loosen the tongues of his marks. Robert then shows the pretexts he designed to attack companies and the emotional response each pretext is designed to trigger. By knowing these patters we can better educate our staff.
With that much information at his fingertips, how long would it take him to convince your executive to make a bank transfer? If your organization lost a few million dollars due to social engineering, who would be to blame? Are you insured for that? Who is getting fired?
Robert wraps up his talk with a series of strategies companies can take to reduce exposure and risk. He goes over current exposure, building defenses, getting on the offense and finally‚ a culture shift.


Robert is a Senior IT Manager in the aerospace industry where he spends most of his time managing InfoSec teams. While his teams focus on the traditional blue/red team exercises, lately he has spent an increasing amount of time building defenses against social engineering. Robert has spoken about the rising SE risk at numerous events and on different security podcasts.
In 2017 he competed at the Social Engineering Village Capture the Flag contest at Defcon 25. He placed third in this contest and since then has been teaching organizations how to defend against SE attacks and reduce the OSINT footprint.
Robert is the creator of the Trace Labs Organization which is a crowd sourced OSINT platform for locating missing persons. The organization is also creating a OSINT curriculum for first responders.
Robert is also a nine year veteran with Search & Rescue in British Columbia, Canada. In his SAR capacity, Robert is a Team Leader, Trainer, Marine Rescue Technician, Swift Water Technician and Tracker. While one may think that SAR has little do to with InfoSec, tracking lost subjects in the back country has many of the same qualities as tracking individuals or organizations online with OSINT.


“Secure SDLC Speed-run”

Matt Jones


Writing software comes with a lot of challenges – different industry trends and ways of working, legacy stuff to factor in, then there’s all the constraints along the way as deadlines approach.

Writing *secure* software then has its own set of challenges. The industry has in some ways evolved well past the old approach of waterfall style projects with a penetration test at the end where people grumble risk acceptance. There’s a variety of security assurance approaches various types of organisations use with varying success at different phases of a software projects.

In reality though, there’s a lot of considerations to be made on a case by case basis to ensure energy is used wisely, the right people are rationalising threats you may or may not face, and you mature things incrementally factoring all of this in.

This presentation will:
0) Quickly introduce Secure Development Lifecycles
1) Talk through managing threats for code you build on versus code you write
2) Run-through a bunch of examples, i.e. eradicating entire vulnerability classes, understanding technology edge-cases, catching low-hanging fruit yourself, getting defence in depth stuff in your requirements/design, how some security activities can be part of your internal QA, how to setup a vulnerability disclosure process, and whatever else we can squeeze in.
3) How to best scope and engage third-party security assurance
4) A tonne of decent resources for you to learn more


He’s a Partner at elttam.


“Exploiting Steganography Image in MS Office Documents”

Lordian Mosuela


Dating back as far as ancient Greece, steganography involves concealing a message inside another message or image. Digital steganography uses modern digital technology to conceal a file, message, image, or video within another file, message, image or video. In the last few years, malicious digital steganography has grown increasingly popular as hackers have adopted the technique to trick internet users and evade detection to deliver dangerous payloads.
Traditionally, malicious digital steganography has been distributed through a browser in order to load and execute the malicious code, as well as C&C communications channels. However, cybercriminals are constantly adapting their techniques to ensure maximum attack exposure. Because many cybersecurity solutions can now be configured to detect malicious steganography images, it lends to reason that hackers will evolve their attack techniques to hide malicious payloads in other sources, such as MS Office document. To date, no evidence of digital steganography has been found hidden in an MSOffice document, however, the possibility of this type of threat is entirely plausible and realistic, as I will demonstrate in this proof-of-concept paper and presentation.


Since 2009, Lordian Mosuela has served as a Malware Analyst with Cyren, Inc.,. an internet security-as-a-service provider that protects users against cyberattacks and data breaches through cloud-based web security, email security, DNS security and sandboxing solutions. His expertise is focused in the areas of dynamic and static analysis on reverse engineering of malwares and exploits. He previously held positions at F-Secure and TrendMicro. Lordian holds a bachelor of science degree in computer engineering from Pamantasan ng Lungsod ng Maynila in Manila, Philippines.


“Not If but When?” Leveraging AI to jettison mantras of the Past: How AI will Liberate Security of the Future

John McClurg


John is working with the FBI to fix the problem of reactive security. For decades, proactive prevention has eluded the industry. The FBI’s InfraGuard program is being redesigned after 20 years to help fix this problem.


McClurg currently serves as Vice President and Ambassador-At-Large of Cylance, where he is responsible for building Security and Trust programs & operational excellence efforts.
He has previous history in lead security roles at Dell, Honeywell and was one of the FBI’s first Cyber Warriors assisting in the establishment of the FBI’s new Computer Investigations and Infrastructure Threat Assessment Center or what was later known as the National Infrastructure Protection Center within the Department of Homeland Security. John was also responsible for creating the US Department of Energy’s Cyber-Counterintelligence program.