Riverside Receptions, 50 Oxlade Drive, Brisbane QLD 4005
CrikeyCon is a community-led conference targeting those with an interest in information security around South East Queensland and beyond.
The informal style of the event is designed to facilitate knowledge sharing between all participants. CrikeyCon consists of presentations and demonstrations by industry professionals, security wizards, and enthusiasts alike.
CrikeyCon is run on a costs recovery basis, with surplus funds donated to worthy registered charities in the greater Brisbane area.
Our lovely MC
The IDEs of March
Software is “eating the world”, and in the era of DevOps, those who are cutting the code often have privileged access to production systems and software delivery pipelines. A developer’s workstation is a fantastic place for an adversary to “be” in 2019.
We’re relentlessly and rightfully focused on secure design, code quality, and killing bugs. Are we hearing the call to protect the people and systems responsible for building and operating our squeaky clean code?
Through an in-depth breakdown of security bugs in client-side software development tooling (which are used by developers and hackers alike) and some crazy arm-waving and posturing about the CI/CD’s and the Jenkinses, we’ll explore the insecurities of software development software. How might an attacker gain control over a developer’s workstation? What might they do once they pop shell? And what can we possibly do to pursue business excellence through end-to-end secure delivery of software?
Justin is an independent AppSec professional, specialising in Application Security Review and Source Code Review. He has discovered and disclosed remote code execution vulnerabilities affecting software such as Ruby Version Manager (RVM), Visual Studio Code and Metasploit (yo dawg I heard you like exploits). He is the author of “Do Stack Buffer Overflow Good” (a popular introductory guide to stack buffer overflow exploitation launched at CrikeyCon 3), an avid bug bounty hunter and CTF competitor, and in his spare time he live-streams the exploitation of binary “pwnables” on twitch.tv.
Heap metadata corruption on modern Linux
Heap metadata corruption attacks are not new. In July 2000, Solar Designer introduced the unlink write-what-where technique and heap exploitation from metadata corruption was born. The unlink attack has been prevented for more than a decade through metadata integrity checks and many more heap exploitation mitigations have been implemented since then.
Does heap metadata corruption still provide anything useful to an attacker on modern Linux?
The short answer is yes.
This presentation looks at some of the known attacks that still work to manipulate the Linux heap. We'll look at techniques like the House of Spirit, the House of Force, freelist poisoning, double frees, and the tcache changes introduced to the glibc allocator in recent years.
If you want to learn about the internals of the current Linux heap allocator, then attend this talk.
Dr Silvio Cesare is the Managing Director at specialist training provider, InfoSect (http://infosectcbr.com.au). He has worked in technical roles and been involved in computer security for over 20 years. This period includes time in Silicon Valley in the USA, France, and Australia. He has worked commercially in both defensive and offensive roles within engineering. He was previously the Director for Education and Training at UNSW Canberra Cyber, ensuring quality content and delivery. He is also the co-founder of BSides Canberra - Australia's largest cyber security conference. He has a Ph.D. from Deakin University and has published within industry and academia, gone through academic research commercialisation, and authored a book (Software Similarity and Classification, published by Springer).
How to lose a container in 10 minutes.
Moving to the cloud and deploying containers? In this talk I discuss both the mindset shift and tech challenges, with some common mistakes made in real-life deployments with some real life (albeit redacted) examples. We’ll also look at what happens to a container that’s been left open to the Internet for the duration of the talk.
Sarah is a security architect based in Melbourne, Australia.
She has a decade of experience in tech and is particularly interested in cloud security, container security and good ol' fashioned networking and infrastructure security (having previously worked as a network engineer).
In her current role, Sarah helps enterprises move their stuff into the cloud securely.
Sarah spends most of her spare time speaking at security conferences in various parts of the world, eating hipster brunches and high teas and spending a disproportionate amount of her income on travel.
She is still holding out hope that - despite the obvious blockers - either Justin Trudeau or Prince Harry will become her husband one day.
Stealing Chrome cookies without a password
Buckle up kiddo we're gonna commit digital sin
If you steal someone’s Chrome cookies, you can log in to their accounts on every website they’re logged in to.
Normally you need the user’s password to do it, but I found a way to do it without the password. You just need to be able to execute code on their computer. It works by using Chrome’s Remote Debugging Protocol. To my knowledge this is the only way to extract a user's Chrome cookies without their password, and by far the easiest way.
It involves plugging together several extremely forbidden and undocumented Chrome features, as well as figuring out how to speak the websocket protocol stealthily on a victim's machine.
This talk is about how the technique was found, how it works, and what you can do with it.
Alex does company-sponsored crimes (Red Teaming), recently completed Operation ACTUAL CRIMES, and can't wait until they're inevitably struck down by their own hubris. They're known for hacking a friend (with consent!) in Operation Luigi, being an organiser for purplecon (a defensive, inclusive, pastel-purple security conference) and for writing dumb blog posts on https://mango.pdf.zone.
This year they're looking forward to realising that the true exploits were the friends we made along the way.
Overwatch Offensive Digital Espionage
In the last few years we have seen a number of classified documents leaked from Wikileaks. This includes the data dump from the CIA’s entire hacking arsenal, which has been named “Vault 7”.
With parts of the dumps redacted and without access to the code base this will apparently make it harder for would-be hackers and governments to mimic the agency’s tools.
So being a would-be hacker and always dreaming and wanting my own cyber espionage weapon. This one quote from Charlie Miller constantly ringing in my ears “The difference between script kiddies and professionals is the difference between merely using other people's tools and writing your own.”
I will present and demonstrate how I tried to develop my own cyber espionage weapon using “Vault 7” leaks as a development base.
I will discuss and demonstrate the development life cycle and how the “Vault 7” leaks helped me determine possible code base and testing metrics. I will show how the leaks allowed me to plan and begin my journey into my own personal cyber espionage weapon.
During my presentation I will discuss my requirements and how I tested my new toy in my lab environment (Family & Friends) and then in real world Red Team Assessments, discussing the lessons learnt from real world testing.
I will then take the plunge into the dark abyss and, after talking the talk, I will walk the walk and demonstrate live, my new espionage weapon.
Wayne has conducted security assessments for a range of leading Australian and international organisations. Wayne has unique expertise in Red Team Assessments, Physical, Digital and Social and has presented to a number of organisations and government departments on the current and future state of the security landscape in Australia and overseas.
Blue Team Bluez
My presentation will go into the difficulty in monitoring and detecting red teams/attackers. Some lessons learnt and detail why building detections is a hard business. Mixed with a little red vs blue humour it should make for a good show.
Risky Risks are Risky
Risk is a strategy board game of diplomacy, conflict and conquest for two to six players. The standard version is played on a board depicting a political map of the earth, divided into forty-two territories, which are grouped into six continents.
Or is it?
The fact is I believe that the concept of risk is massively misunderstood in our industry, by customers, by practitioners, and by vendors, even by people who put risk on their LinkedIn profile.
So laugh at me whilst I attempt to decipher the real game of risk, and why for many of us it’s simply the screwdriver we use as a hammer to nail post it notes to an office window because Gartner says security needs to be agile in 2019.
Eric has been breaking things just to fix them again since before he could walk, at 20, he spent his summer evenings as a nightclub bouncer, and read tarot cards during the day. He didn’t realise it back then, but nothing could have prepared him better for a career in Infosec, trying to predict the future, whilst ducking the punches.
Eric cut his teeth as a technologist for the BBC World Service in London, where he learned the importance of ‘educate, inform and entertain’; he also developed his passion for emerging technologies with a bent for security. Arriving in Australia in 2003 he landed an operational role at Australia’s first IP Telco, and has since served hard time at Telstra, Stratsec/BAE Systems, Datacom, CSC and finally Hivint.
Eric has presented at Crikey, Cebit, AusCERT, AISA and AusNOG, believes in a healthy level of cynicism and blogs about privacy, security and the myth of infallibility in humans.
Women's Stories from the Tech Trenches
A call was put out to women in technology across the globe for their stories of how they've been treated in the tech industry, to highlight things that have been done but are never spoken about...and the stories came *flooding* in. This discussion will go through some of those stories to shine a light on them and show they are not the exception, they are more common than you think; but it will also describe ways that you, as an ally to women and other minorities in this industry, can help and stamp out this kind of behaviour. We are one community and we want to lift *everyone* up!
Ops Witch, Lego zealot, WoW addict, purple-haired weirdo, geek, mum & Microsoft MVP! She/Her.💜 Provider of sarcasm, cynicism & profanity! 💜
Tales from the Dark Web : The Case of the Midday Hacker
"It was a dark and stormy night; the rain fell in torrents – except at occasional intervals, when it was checked by a violent gust of wind which swept up the streets (for it is in suburban Brisbane that our scene lies), rattling along the housetops, and fiercely agitating the scanty flame of the lamps that struggled against the darkness. (Edward Bulwer-Lytton, 1830) The river had swelled and the boats lay adrift from their moorings, whilst the haunting sounds of leaves from the trees, brushing against broken windows, bestowed the unfathomable foundation for what lie ahead.
Afoot was a sinister character, adorned in dark robes, a faceless mystique and a presence of unimaginable evil, plotting and planning a diabolical ruse. The scene is set. No actors garnish this script. Only the blackness that circles our souls and the fear of the exceptional that will leave you with a chill of insecurity down your spine.
Dare you enter this catacomb of mystery, treachery and deceit?
This is a true story, never before told in public, of how a certified hacker was arrested and charged by Queensland Police in February, 2013 and faced 20 years jail for offenses under CRIMINAL CODE 1899 - SECT 408E - Computer hacking and misuse, which were alleged to have occurred on the Australia Day long weekend in January 2013 - the weekend when Cyclone Oswald took hold and damaged the Queensland coast, leaving a trail of natural destruction.
The events that followed unravel in a web of deceit, corruption and a maniacal need to exhibit power on those considered lesser in the minds of those who consider themselves as untouchable.
In August, 2015, the matter finally came before a Brisbane court. What happened on that ill-fated day, will leave you shocked and appalled. But leave you will, with a memory that will haunt your soul for ever more."
Warren Simondson is managing director and founder of Ctrl-Alt-Del IT Consultancy, an Australian firm established in 2002. The company is known globally for its commitment to expertise and knowledge sharing throughout the community and the provision of its Freeware applications to extend the functionality and management of server based computing environments. Locally, the company is also well respected in the area of I.T. Forensics, for which Warren personally dedicates an ethos of truth and justice in the investigation of allegations of hacking and computer misuse. Warren has worked in the information technology field for over 25 years and is an evangelist for emerging technologies in mobility, IoT, server based computing, cloud and virtualisation. Warren holds various qualifications in post graduate study as well as industry based certifications in Citrix, Microsoft and VMware Technologies to name a few. He is an EC-Council CEH (Certified Ethical Hacker), CHFI (Computer Hacking Forensic Investigator) and a CEI (Certified EC-Council Instructor). He has spoken at many major conferences around the world and commits himself to community collaboration.
Check out www.ctrl-alt-del.com.au and be sure to follow his Twitter handle: @CADITC.
Breaking in with DNS rebinding
Improved ways of doing DNS rebinding, just how bad the trashfire is and where there are tonnes of problems (and how to find lots of 0days) and a demo of breaking into someone's house by using DNS rebinding on a home automation system.
Senior Security Consultant for ContextIS and security researcher. Also official CrikeyCon web bitch...but he didn't add this bit, I wonder when/if he will realise :)
Helping make better security decisions with ATT&CK
Aimed at people that want to be able to speak to a non-technical audience, and/or, a non-technical audience. This presentation certainly fits into the "business excellence and passionate ranting" section.
By illustrating three quick scenarios how the open source information within the MITRE ATT&CK framework can be used, explained and visualised for management we can not only solve the problem of the "detection bingo card" (aka: "we must detect everything"), but we can also help set intelligence priorities and start establishing exactly what is important for us, and our security programs.
Promoting industry vertical collaboration based around the ATT&CK matrix, as it becomes easier to share relevant information without exposing potential problems or holes in security.
After working for five and a half years within Government, two and a half years in finance, Kevin now works as Symantec's Australia Pacific Japan Manager of Cyber Intelligence. Key elements of his variety of intelligence roles have always been explaining key concepts to non-technical internal stakeholders and fostering inter-agency and inter-organisation intelligence sharing and collaboration.
Reverse Engineering an Endpoint Protection and Response (EDR) product
Endpoint Detection and Response (EDR) product vendors will give you the spiel on what they do and their capabilities, but how do they actually work at the lowest level? And how can we discover weaknesses in these products to develop bypasses or evaluate them?
Join me as we reverse engineer an EDR product and the Windows kernel to unveil its inner-workings, alongside the Windows kernel structures and functions EDR products rely on to operate, and by doing so discover weaknesses and gaps in their protections that allow actors to bypass the product’s defenses, rendering them null and void.
Finally, by abusing an identified weakness I’ll use a custom-built mimikatz to dump all the hashes on a machine protected by EDR.
I am a Security Consultant at Context Information Security, I’ve worked on all types of engagements including testing critical infrastructure (autonomous trains, air-traffic control systems) and red teaming, with knowledge and experience in Windows internals and Windows kernel programming. Recent research includes reversing endpoint security products.
Electric Blue: Lessons Learned from a blue team securing Azure
Like a lot of companies, we've been transitioning infrastructure to the cloud. As a SOC analyst this meant that our protection needed to be extended to incorporate the new infrastructure, while also ensuring detection and mitigation of new attacks and risks.
This involved undertaking a deep assessment to understand threats and vectors in the environment, this presentation details some of the interesting things that have been uncovered, and could help both red and blue teams respectively.
Sean is a senior security analyst that works at one of the nation's top financial institutions by day, and by night he's tinkering and experimenting with new technologies. He's worked in red teams, blue teams, and as an engineer developing the infrastructure for both.
Cutting to the core of Apple WiFi
iPhones have an enviable reputation for security. The close link between hardware and software, curated AppStore, and frequent security updates make exploitation of the iPhone difficult. This has, however, not deterred malware companies and others from compromising iOS devices by exploiting security flaws in the browser, the 4G baseband processor, and the Wireless Network Interface Controller (WNIC).
In this presentation we focus on exploiting the WNIC. This avoids many of the defences built into iOS and exposes a new set of otherwise inaccessible attack surfaces within the iOS kernel. We’ll also take a look at how Apple makes the iOS WiFi stack “think different”. This includes a brief coverage of Bonjour and the Apple Wireless Direct Link (AWDL) protocol that’s at the heart of AirDrop, AirPlay, and similar services. These protocols have been implemented, in part, by offloading some of their processing onto the WNIC itself - and we’ll look at how this might help exploit the device. The approach taken here follows in the steps of Gal Beniamini’s Project Zero articles and that of SEEMOO's NexMon framework and we’ll bring things up-to-date in light of Apple’s latest security controls. In practical terms, we’ll show how to find, analyse, reverse engineer, and patch the WNIC's firmware and conclude with a discussion of WiFi fuzzing and exploit hunting.
Steve is a developer, researcher, and educator specialising in network and software security.
The Boring Security Talk
We all know that securing our applications is a necessity, but it can be incredibly boring. With time and budget constraints, we often focus on the more exciting security aspects and tools. In this talk, we'll be looking at some of the aspects to our application security that are often overlooked; the software we depend upon, CI/CD infrastructure, sending email and resolving DNS.
Vulnerabilities here might not result in a newsworthy breach, yet they are still worth discussing and defending.
Kieran Jacobsen is the Head of Information Technology at Readify and a Microsoft MVP for Cloud and Datacenter Management. Kieran maintains several PowerShell modules, supports Planet PowerShell (https://planetpowershell.com), and writes the Posh Security (https://poshsecurity.com) blog. Kieran is a regular speaker at various conferences and user groups including NDC Sydney, CrikeyCon and Experts Live.
The PLC Skill Tester is a special booth at the conference where attendees take turns in some hands-on attacking of a Programmable Logic Controller. Setup as a gamified machine, visitors can hijack PLC traffic to dispense a prize (think arcade claw machine with better odds). No experience is necessary, everyone is encouraged to have a try and ask questions!
The PLC Skill Tester is a fun, novel machine that demonstrates basic PLC logic and interference in an interactive, gamified, mini-CTF kind of way. PLC hacking is something that’s not often shown in a hands-on way, and this provides an introduction in a way that people will enjoy.
Joshua is a well-rounded security professional who has undertaken penetration testing for universities, financial institutions and numerous other corporations. Over the past decade, he has established a formidable reputation in technical consulting. With a background as a senior network engineer and head of infrastructure designs, he uses his knowledge of enterprise technology to provide insight in securing corporate systems.
Come open locks...without the keys!
Ever picked a lock? Know how to get yourself out of handcuffs with just a paper clip?
Come join the crew for some lockpicking fun, learning, competition and everything locks.
All you need to know.
We will continue to grow a grass-roots, not-for-profit, community-led conference targeting security folk around South-East Queensland and beyond. The event is to be informal to encourage a greater flow of information between attendees and speakers.
CrikeyCon was founded in 2014 to address the Brisbane local demand for a community styled security conference. CrikeyCon is a not-for-profit, community-led conference targeting those interested in information security around South-East Queensland and beyond.
The informal style of the event is designed to facilitate knowledge sharing between all participants. The event consists of presentations and demonstrations by Industry Professionals, security wizards and enthusiasts alike.
Active participation is strongly encouraged with Q&A sessions after each presentation to draw on the intellect of the speakers and participants to help break new ground.
The focus is on Information Security with the usual mix of infrastructure- and application-space shenanigans.
We want to push out from the core though, so are keen to get submissions on the social, political and environment twists on the theme, the impact of technology on our daily lives, shifting perspectives and pretty much anything that interests you if you’ve poked around the site this far. Dig out your old survivalist txts and give us a history lesson.
We want to maintain the informal and interactive air about the conference, encouraging information exchange and quality discussion.
To support this, the venue for the event is a riverfront reception venue with food and drink facilities. For the entrance fee, the attendees will get access to great talks, some side activities, and great people (organisers excepted). Food and drink are not included in the cost.
Talks will be in a dedicated room with AV, speakers are encouraged to keep the presentations as active as possible rather than making attendees suffer Death by PowerPoint. Active Q&A sessions are expected after each talk concludes.
We’ve got access to some additional spaces this year, and will have some other activities going on during the day to keep you entertained if you want a change of scenery.
CrikeyCon is proud to support the IN Security Movember, and acknowledges IN Security for its Code of Conduct Template. See IN Security - The Code of Conduct for further information.
Security events present opportunities to learn, share knowledge and network. As a security event organiser, we believe these events should represent a safe, enjoyable and inclusive environment for all people, irrespective of gender, race, ethnicity, age, sexuality, religion, disability, socioeconomic background, experience, size, shape and so on. No one should undergo harassment, bullying or abuse. Any sign of such behaviour will be deemed unacceptable and will be handled in line with our zero-tolerance policy. We will apply consistent, specific sanctions regardless of the circumstances to ensure they do not reoccur. This code of conduct explains exactly what we mean by unacceptable behaviour and it outlines the steps someone subjected to such behaviour at an event can take to report it.
Unfortunately, unacceptable behaviour still occurs and whilst harassment metrics are yet to be introduced and measured, anecdotal reports are widespread and have been reported in the media and social media platforms for years. This has reportedly resulted in increased dissatisfaction and non-attendance by some minorities who feel disenfranchised and threatened. The purpose of this code of conduct is to get participants fully aligned on what constitutes unacceptable behaviour, how the aggrieved can report it, and what will be done about it.
Our code of conduct is for event attendees, speakers, sponsors, partners, facilities staff, committee, and board members.
People's interpretation of acceptable or unacceptable behaviour is subjective and influenced by personal experience, religion and cultural background. That's why we believe it's important to define what we mean by both.
As an event organiser, we expect everyone to be professional and respectful to others at all times. Everyone should be aware of the impact their behaviour can have on others. We ask that you:
Unacceptable behaviour is offensive in nature - it disturbs, upsets or threatens. It lowers self-esteem or causes overwhelming torment. It is characteristically and can take the following forms:
Option 1. Speak up. See it, say it, sort it. If you are disrespected, or witness this happening to someone else, engage politely with the person involved, if you feel able to, and let them know that you find their behaviour unacceptable and offensive. Sometimes the best way to change unacceptable behaviour is by bringing it to the perpetrator's attention and giving them an opportunity to acknowledge this and apologise.
Option 2. Report it to us via any of the following ways:
When reporting, please provide as much detail as possible, preferably:
Note: you can remain anonymous if you so wish and providing any of the above information is optional.
We don't have a time limit for reporting unacceptable behaviour, although we encourage you to do it as quickly as possible, as it can be difficult to obtain accurate witness statements the longer time passes. If you report unacceptable behaviour more than 3 months after an incident, you should explain why as it may impact the ability to respond accordingly. We will consider your explanation and then endeavour to deal with your report.
We are committed to ensuring that you experience a positive, enjoyable and inclusive event. We strive for customer service excellence when reporting unacceptable behaviour. That's why, for the duration of our event, we will have a number of reporting mechanisms available (e.g. suitable informed event staff, event feedback forms etc.). When you report unacceptable behaviour to us we will respond promptly and with care, consideration and respect. Our process does not replace nor remove the formal mechanisms available to you as an individual to report inappropriate or offensive behaviour such as making a police report.
Our process is as follows:
Proposals on topics not listed above, but related to the conference interests (i.e. information security / hacking) may also be accepted, especially if they are interesting, different, or edgy.
Is this your first time speaking? If so and you want some help, please get in touch. We want to encourage everyone to join in on the fun and we can put you in touch with someone that can help. So, if you want to bounce your ideas off someone, want some help with polishing your presentation, or want advice in doing a live demo, then let us know! [email protected]
Good question.
We have a Google form here: CrikeyCon VI CFP
Or if you prefer the retro feel (and making work for us), send the following information to [email protected]
NOTE: Training will be held the day before the conference.
We are seeking training proposals on any of the following topics (in no particular order):
Proposals on topics not listed above, but related to the conference interests (i.e. information security / hacking) may also be accepted, especially if they are interesting, different, or edgy.
Good question. Send the following information to [email protected]:
Training classes are assumed to be 1 full day (0900 hours - 1700 hours). Please inform the CFT committee if your training is shorter than 1 day during your CFT submission.
All submissions must be in English. The more information you provide, the better the chance for selection. CrikeyCon understands that there are people who cannot afford to pay for training events and we want to encourage the next generation of security professionals. Therefore, we will be offering a number of free seats to any training event.
Some events and workshops that will give you a good idea of what we are seeking:
Good question. Send the following information to [email protected]:
All submissions must be in English. The more information you provide, the better the chance for selection.