Schedule 2021

It has been 20 years since Rainforest Puppy released the RFPolicy responsible disclosure policy, 11 years since Google and Facebook brought the concept of bug bounty into the eye of the security industry, and 9 years since Bugcrowd pioneered the concept of inserting a platform in the process to facilitate conversations between builders and breakers. In March 2013, there was a talk at Ruxmon Sydney titled “Release the Hounds! A look inside Bugcrowd.” At the time we had a total of 10 programs, 1,500 hunters, and a $50,000 “Ramen-noodle round” from Startmate under our belts; and were getting ready to depart for Silicon Valley in April... In this talk, Casey will provide a long-overdue status update (apologies... got a bit sidetracked) on Australia’s crowdiest export and indulge in a few tall tales of the crazy stuff that happens as you build a multi-national, venture-backed category creator. More importantly, he’ll dig into the evolution of crowdsourced security and vulnerability disclosure, where it’s going next, and what that means for an Internet and a global userbase who are undergoing some pretty dramatic change.

To protect digital businesses, companies are increasingly employing active defense capabilities, at the same time they put basic cyber-hygiene protocols in place. This means maintaining up‐to‐date intelligence from both internal and third‐party sources, mitigating insider threats, engaging attackers on the company's own network, and partnering to mitigate external threats. However, organisations are increasingly questioning whether or not they have (or ought to have) a right to 'hack back' as an offensive retaliatory measure. Revenge is sweet, but is it legal? This presentation explores the current legal positions and evolving debate, proposing the time has come to permit hacking back in particular circumstances and lightening the nudge with a tongue-in-cheek addendum to NIST (The ‘Revenge’ Function).

Time and time again we see breaches occurring that happened because, with 20/20 hindsight, something incredibly simple was missed. So if it was simple, if it was basic, if it was common sense - why was it missed? This talk will highlight some of the basic security items that are often forgotten, ignored or are marked as "too difficult ". Be prepared for a passionate talk, told from the perspective of someone who's been down in the trenches as a sysadmin and is now helping other organisations rise to the challenge of fixing the "old and busted ". Covering a wide range of topics including identity, server management, hybrid cloud and security systems, this talk will take us all Back to Basics. The basics are your foundations - if you don't get them right, everything else will crumble.

I will be submitting a discussion on the threats posed by Cognitive Hacking to society and the population, and the lack of a solution to such a threat. Cognitive Hacking, disguised as the manipulation of social media has now become common practice, with this vulnerability being increasingly exploited by nation states and opportunistic individuals alike. It has given actors unprecedented access and ability to cause fundamental shifts in the way targeted demographics think and behave, and it has now become a weaponised tool that warfare is able to be waged. The use of information and the media to wage war is far removed from the traditional concepts of warfare, but has surged in popularity amongst actors today because its cheap, largely risk free readily accessible and easy to do. It’s notoriously difficult to pinpoint where these campaigns originate and whether they’re state-sponsored or rogue individuals, and in many cases, it’s likely that even the actors carrying out the profiles and activities themselves don’t know exactly by whom, or to what ends their actions are directed. Salient examples of Cognitive hacking are found in the US 2016 election, and the BREXIT leave campaign. Other examples include the Internet Research Agency, a russian backed group waging concerted disinformation campaigns that attempt to stoke and inflame both sides of a debate. The use of cognitive hacking, information manipulation and influence operations as a mode of warfare and in modern conflict has expanded the scope of the battlefield and the ability to conduct war out of the purview of the state and state actors, and into the hands of the girl next door. This blurring of the battlefield is embellished in the recent Solar Winds event breach. Of most concern is the lack of any one solution to this problem. China for example has moved to isolationist protective measures to prevent the impact of this threat, regulating their own intranet through the Great Firewall of China. However, a problem with this is that government actors and big wigs are still able to influence the message that does reach the population. And not only that, but such measures are incongruous with many democratic social norms. Another possibility is to continue pressing on educating people regarding awareness and cyber hygiene, but as a security consultant who spends a lot of effort pursuing this, I must confess that I have serious doubts on the efficacy of these endeavours. Another commonly suggested silver bullet, is that of simply regulating the big social media companies, but I think we can all agree that in actuality, the viability of this in such a complex and dynamic landscape is moot. To further this, any attempts by states and international institutions to codify the “laws of war” for the cyber and ICT space are fraught with the same difficulties of conventional protocols and doctrines in that states can ratify and adopt these at their disclosure. So, with that in mind - what does this mean for our future?

Bug bounties have become an established process in organisations with a mature security posture. Over the last five years, I have been submitting vulnerabilities to companies in almost every industry. By participating in bug bounties over such a long period of time, there has been an evolution in the skills, reporting and payouts. There is a broad perception in bounties that there is a secret to unlock to be successful and only a handful of individuals are capable of that success. This presentation will break down why that is not the case. I will walk through all of my favourite bugs that I have found in the last five years, explaining step by step what led to the discoveries. I will discuss some of the lessons I have learned from my participation, and how you can replicate my success.

For most people 2020 was a shitty damp squib of a year, but for both Cybercriminals and Cybersecurity folks alike, it was a bit of a banger. Allow me (The cyber equivalent of Bert Newton) to present my top 20 moments of the past 12 months. What will they be? - I don't know yet, I haven't thought that though!

Webauthn is a standard allowing browsers to communicate between an authenticator device and a web server to perform cryptographic authentication. Seen as the future of login and "the end of passwords " by microsoft and many others, this standard and it's behaviour will only become more important - and relevant - in the field of security. In this talk we'll explore the benefits of webauthn to end users and deployments, how webauthn works, and we'll dive into some of the darker cobweb ridden corners that yield some surprising - and common - mistakes in implementations. For defense, you'll walk away knowing more about why webauthn is the future of auth and how to avoid common pitfalls that may impact your deployments. For offense, you'll learn about ways to bypass or reduce the strength of webauthn when incorrectly implemented.

If there's anything that the Solarwinds hack has taught us, it's that our industry needs to look internally and really try to understand WHY developers are not embracing security. Simply saying we need to "shift left " is bullshit hype and means nothing. This talk will lay out the behaviours and workflows that developers use and how that affects the security of the products they built. It will also talk about the management and business requirements that encourage developers to build insecure products. I will use public and proprietary data to underpin the arguments and show how things are getting worse, instead of better in a public cloud-focused world.

This talk will cover how to use publicly available information to stand up table top discussion excercises to train incident response scenarios in a fun and engaging way. The talk will give you the skills and knowledge to go back to your workplace and run Incident Response training and table top execises with your response team.

I found Tony Abbott’s passport number in the HTML of Qantas’ “manage booking” page. The manner in which I found it did not possess ANY intent to subvert the Commonwealth of Australia. Wanting to do the right thing, I spent the next six months participating in the Do Not Get Arrested Challenge 2020, in which I try to tell the government about this in precisely the manner which avoids instant jail. Anyone thinking about participating in the 2021 challenge, my #1 tip is: do not do a crime. Things this talk is about: Boarding pass security, what happens when there isn’t boarding pass security, the consequences of my actions, calling everyone in Australia one-by-one, desperately struggling to contact the right person for the disclosure of cyber treason, my Twitter DMs

How do you go about Securing the Cloud for Enterprise? Where do you start? It can be a huge and overwhelming task to take on, so I'll help you with some guiding tips and pointers (learned the hard way) to help you on your journey.

AI attacks, and especially adversarial ML is an evergrowing threat that has finally been given an appropriate threat model. However, the field is still deeply lacking in defensive theory. The goal of the talk is to go over the current threats posed by Adversarial ML and other AI attacks and discuss the proposed theories for fixing these problems. The goal of the talk will be to make sure pentesters know what to look for when attacking AI solutions, and that defenders know what to consider when protecting these systems.