Schedule

PRE CON

  1. Pre Registration Event

    Some of The Sleuth will be hanging out at the Embassy Bar on Elizabeth St in the city from 4PM. Come pick up your badge early (not merch) so you can get into the con quicker on Saturday morning, and hang out for a drink. Space is limited at the venue so apologies in advance if you can’t get in on the night!

TALKS

  1. The Doors Are Open

  2. Welcome to CrikeyCon X

    The Sleuth

  3. Nerds on a plane: what we can learn from the aviation industry

    Sarah Young - @sarahyo

    Ever watched Air Crash Investigation? You may not be an aviation nerd, but there are so many fascinating parallels between security and the aviation industry: the layering of safety controls, making sure there are different types of security controls in place, the improvements made after bad things happened, etc.
    In this talk I'll discuss some notable examples in both the aviation and security industries and what we can learn and take away from them as security professionals.
    Note: You don't have to be an aviation geek to enjoy this talk, promise!
  4. A look at radio direction finding tools to help mitigate GNSS jamming/spoofing issues

    David Robinson - @karit

    Recently, we have seen an uptick in GNSS jamming and spoofing, which is impacting aviation operations. GNSS is used for aircraft navigation, RNP approaches, and traffic management with ADS-B.
    Old navigation aids like VOR, which can be used to cross-reference GNSS, are being decommissioned. To save the cost of running primary radars, they too are being decommissioned, with ADS-B filling the gap. With GNSS jamming/spoofing on the rise, do we need other tools to help mitigate some of these risks? Can some of the radio direction-finding tools be of help here?
  5. AI Web App hacking

    Tim Grogan

    As AI is quickly becoming the next big thing, every application is rushing to incorporate it in some fashion. The same way every company had to have a mobile app, now every website needs to have an AI integration. The knock-on effect is that these models are now drastically increasing the available attack surface of web applications. This talk will discuss how these models are being deployed, and how they may be attacked.
  6. Morning Break

  7. Insider Threat: Tips and Tricks from a Bad Guy ™ as a Service

    @MewSec

    As security professionals we strive to get things right. The right controls, the right technology, the right people. But what about when we get stuff wrong? What about when we make mistakes? How do we deal with those mistakes as people and as business professionals?
    This presentation aims to look at insider threat by going through some real world engagement outcomes and looking at what actions we can take today to protect against insider threat and what actions we could take if we want to be a Bad Guy ™ looking at insider threat.
  8. What actually is Detection Engineering, and why do I need it?

    Regan Carey - @rcegan

    Detection Engineering is a relatively new concept in blue-team cybersecurity that has exploded onto the scene with popular projects such as Sigma, and the widespread adoption of the MITRE ATT&CK framework. The only issue is that everyone seems to have a different view of what it is, and what it's not. This talk aims to define and unobscure Detection Engineering, and provide some real-world examples of how you can put it to work in your SOC to stay one step ahead of the adversaries.
  9. SaaS: Sell assets and Soul?

    Jason Rumengan

    Many organisations rely on SaaS solutions for business-critical IT systems to save cost. But there is no free lunch; without the awareness that the organisation is still responsible for its data handed off to a vendor, they expose themselves to greater risks than expected. By the time cyber security issues are found, such as infrastructure and platform security misconfigurations, insecure Application Programming Interfaces, and poor information security practices, the SaaS solution is far too embedded, and fixing the issue (i.e. 'pulling the plug') proves too costly.
    This presentation will walk through the application of third party risk management techniques throughout the lifecycle of a SaaS solution to protect your organisation's data, from:
    • Procurement - selecting a vendor for your project or business needs, and assessing risk based on what data the solution will process;
    • Onboarding - ensuring the vendor will keep its security promises;
    • Monitoring - actually ensuring the vendor continues to meet your security needs; and
    • Offboarding - ensuring your vendor keeps your data secure (or wipes it) after your organisation stops using the solution.

    A case study will also be discussed, demonstrating what could go wrong if these steps are not followed.
    You will walk away from this presentation knowing what your organisation needs to do to find secure vendors, and ensure they stay secure. After all, SaaS shouldn't mean selling your assets and your soul.
  10. Tabletops & Dragons

    Colby Prior

    Tabletop exercises are often a boring compliance checkbox to fill which can offer varying levels of effectiveness. A well-thought-out scenario with an engaging and exciting tabletop exercise is far more effective than anything required from a compliance framework.
    There is a deceptively large overlap of skills required for running Dungeons and Dragons (D&D) and an effective cyber security tabletop exercise. Colby will show a unique perspective on running more effective tabletop exercises using knowledge from games like Dungeons and Dragons. The talk will initially focus on the overlap of D&D and tabletop exercises followed by key lessons on good scenario design:
    • Supporting player agency by removing railroads
    • Understanding actor motivations
    • Building a narrative
    • How to document a complex scenario

    The second half of the talk will focus on skills developed at the table from dungeon masters running a smooth scenario:
    • Leading with principles and following with rules
    • How to share the table spotlight in a diverse group
    • Tricks for keeping things flowing instead of getting stuck in a bog
    • How to handle non-linear and collaborative storytelling

    Anyone attending this talk will walk away with tangible techniques they can use to make their next tabletop exercise both more fun and more effective.
  11. Lunch!

    Food Food Food
  12. Credential Stuffing Unmasked: Navigating the Threats and Fortifying Defences

    Zane Jarvis

    Credential attacks, such as credential stuffing, have emerged as one of the most prevalent and persistent threats to online accounts, leveraging breached username-password combinations to compromise systems at scale. It's not uncommon for these to impact the privacy of customers and to cost significant money in resourcing defensive efforts, fraud losses, or both. This presentation dives into the anatomy of credential attacks, exploring how attackers exploit stolen credentials, bypass defences, and leverage automation to maximize their success.
    On the defensive front, the presentation evaluates a wide range of mitigation strategies, such as multi-factor authentication (MFA), rate-limiting, password hygiene enforcement and many others. Taking evidence from a variety of real-world incidents, we assess what works, what doesn't, and the measurable effectiveness of various approaches in reducing the impact of credential attacks.
    By the end of the session, attendees leave with a comprehensive understanding of the anatomy of the attack, practical recommendations for enhancing their defences, and insights into balancing security measures with user experience. Whether you are a cybersecurity professional, IT administrator, or researcher, this talk will provide actionable strategies to protect systems and users from credential attacks.
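    As an added illustration of the pattern this abstract describes (example code written for this page, not part of the talk or the speaker's material): a detector run over constructed web-authentication log lines that flags a source IP attempting many distinct accounts at volume with a low success rate, which is the signature of a credential-stuffing run as opposed to one user mistyping a password or a single account being brute-forced. The log format, field names, thresholds, IP addresses and usernames are all assumptions made up for the example.

```python
"""Flag credential-stuffing activity in web authentication logs.

Per source IP, over a sliding time window, a credential-stuffing run looks like:
  - many login attempts (volume),
  - a high ratio of distinct usernames to attempts (one IP, many accounts),
  - a low success ratio (most breached pairs are stale or never matched).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed log format (made up for this example):
#   2024-05-01T10:00:01Z ip=203.0.113.7 user=alice result=fail
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>success|fail)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "ip": m["ip"], "user": m["user"], "ok": m["result"] == "success"}


def detect_credential_stuffing(lines, window=timedelta(minutes=5), min_attempts=20,
                               min_distinct_ratio=0.8, max_success_ratio=0.1):
    """Return {ip: stats} for source IPs whose activity in any window matches all three heuristics.

    Thresholds are illustrative assumptions; tune them against your own baseline traffic.
    """
    events = sorted(filter(None, (parse_line(l) for l in lines)), key=lambda e: e["ts"])
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Advance the window start so evs[start:end+1] spans at most `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            bucket = evs[start:end + 1]
            n = len(bucket)
            if n < min_attempts:
                continue
            distinct = len({e["user"] for e in bucket})
            successes = sum(e["ok"] for e in bucket)
            if distinct / n >= min_distinct_ratio and successes / n <= max_success_ratio:
                # Keep the largest qualifying window so the report covers the whole run.
                if ip not in flagged or n > flagged[ip]["attempts"]:
                    flagged[ip] = {
                        "attempts": n,
                        "distinct_users": distinct,
                        "successes": successes,
                        # Accounts that did log in during the run: likely compromised.
                        "compromised": sorted(e["user"] for e in bucket if e["ok"]),
                    }
    return flagged


# Constructed sample log (not from any real system).
BASE = datetime(2024, 5, 1, 10, 0, 0, tzinfo=timezone.utc)


def _ts(seconds):
    return (BASE + timedelta(seconds=seconds)).strftime("%Y-%m-%dT%H:%M:%SZ")


SAMPLE_LINES = (
    # Stuffing run: 25 attempts from one IP against 25 different accounts in ~2 minutes, one hit.
    [f"{_ts(i * 5)} ip=203.0.113.7 user=user{i:02d} result={'success' if i == 17 else 'fail'}"
     for i in range(25)]
    # Legitimate user mistyping a password three times, then succeeding.
    + [f"{_ts(i * 10)} ip=198.51.100.5 user=bob result=fail" for i in range(3)]
    + [f"{_ts(40)} ip=198.51.100.5 user=bob result=success"]
    # Single-account brute force: high volume, one username, so not stuffing under this rule.
    + [f"{_ts(i * 2)} ip=192.0.2.9 user=carol result=fail" for i in range(30)]
    + ["garbage line that does not parse"]
)

if __name__ == "__main__":
    for ip, stats in detect_credential_stuffing(SAMPLE_LINES).items():
        print(ip, stats)
```

Only 203.0.113.7 is reported, with user17 listed as the account that was actually compromised during the run; the brute force against carol is a different pattern and needs its own rule (many failures against one account), which is exactly why distinct-user ratio rather than raw failure count is the discriminator here. In production the same counters would feed the rate-limiting decision the abstract mentions, keyed on source IP and on target account.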
  13. How to create trust for your security team through simple communication tactics

    Kelsy Luengen

    This presentation aims to highlight the importance of security teams as being seen as trustworthy and legitimate within an organisation, rather than a compliance and punitive function, and how increasing levels of perceived legitimacy may allow security teams to further leverage employees as practical and informed security resources. The practical takeaway for participants will be how to elevate their communications to employees by working through examples of how to weave in trust and legitimacy rhetoric into written and verbal communications.
  14. SIEM-less security; Panacea or placebo

    Simon - @simbo

    A light-hearted reflection on the misconception of modern-day SIEMs and how vendors have railroaded security professionals into thinking of it as a technology rather than a system of working effectively. The talk will demonstrate how often SIEM projects are overpriced and under-deliver on expectation. The price tag creates a false sense of risk mitigation, whereas it really is 'solution-signalling' where the better brand comforts the smooth of brain. The final position of the talk is to reflect on how effective security operations can be achieved faster and more effectively (both economically and risk managementy) by modelling their SIEM as a collection of services.
  15. Afternoon Break

  16. Hacking Minds not machines: How meetings not malware can compromise your controls

    Georgia Turnham

    In this talk, we'll explore how social engineering tactics can bypass even the best technical defenses, using human interaction instead of code. Learn how meetings, emails, and casual conversations can be the real threats to your security posture, exploring the psychological tactics used by attackers to manipulate individuals and exploit human behavior. Whilst this talk will show you how social engineering works and can be performed, it will also 'MAPP' out a proactive prevention plan to support mitigating social engineering tactics and techniques to safeguard your information.
  17. Security response for open source ecosystems

    Fraser Tweedale - @hackuador

    Open Source programming languages, libraries and frameworks sit at the base of the software supply chain. That's why it's critical for open source ecosystems to establish security response teams and infrastructure. I'll share my experiences and lessons learned from bootstrapping and leading the Haskell security response team. Attendees will learn how to establish or support an effective and sustainable security apparatus for the projects you participate in, or rely on.
    Particular topics I will cover include:
    • Why it is important for Open Source ecosystems to have a security response/triage process.
    • What team size, skills and scope of work are needed.
    • Standards and services for advisory information and responsible disclosure, including OSV, VEX and VINCE.
    • Where to find security advisories for the open source tools or libraries you use.
    • Considerations for communication and coordination with redistributors and users.
    • How publishing security advisories can strengthen development practices and tooling *within* your ecosystem.
    • Why funding open source security work is important, and ideas for seeking it.
  18. “Well well well, if it isn’t the consequences of my own actions” - the time I got in the middle of 100,000 Linux machines and their LVFS firmware updates and then somehow bypassed the fwupd PGP signature checking 🙈

    Justin Steven

    One from the vaults. In 2020, Justin had a serendipitous encounter with a dangling legacy AWS S3 bucket once owned by the Linux Vendor Firmware Service (LVFS). “What if I registered it,” he thought. “What's the worst that could happen?” This is the story of how he wedged himself between 100,000 Linux machines and their firmware updates, stumbled upon a bypass in fwupd's PGP-based firmware update signature checking, traced the flaw back to its root cause, and ultimately returned the bucket to its original owner.
  19. Closing Ceremonies

    The Sleuth

    Woo! We did it.
  20. Notworking Event

    BrewDog - Fortitude Valley (Opposite the Station)