  • Elevate your access; or elevators are not an access control

    Elevators, they're a thing that goes up and down, sometimes side to side even, but what if I told you that you can make them go up and down even when you're told they're not supposed to? In this talk we'll be covering how elevators work, how photos in 320x240 resolution lead to breaking the confidentiality of keys, eshays, and what you can do to remediate the risk.

    Presenter: @evildaemond

    evildaemond is a person who does things: day job as a team lead in Security Operations, teaches phys-sec sometimes, and has spent more money on stickers than some companies.

  • Testing whether your security works by roleplaying as cybercriminals

    You know all that security you spend all that time on? The stuff that's supposed to stop cyber threats in their tracks? How do you know it works? 🧐
    You can test whether it works by just getting someone to try hacking you. For real. With the same techniques and goals as real cybercrime groups. If you're very, very lucky, that someone will be employed by you, and show you how they did it instead of selling the stolen data on the dark web 🤩
    For some reason, this is called Red Teaming 😳. I'm just as confronted by the name as you are.
    Come along and learn about how it works, how I do it, and stories of insane nonsense that's happened along the way.

    Presenter: 'Alex' - @mangopdf

    The 'Hacker' known as 'Alex' works on the Red Team at Atlassian, testing their security by roleplaying as a cybercriminal and writing very, very detailed confession letters.
    On the side, they're an organiser for purplecon, a gentle, pastel, inclusive security conference, known for not looking like the other conferences.
    One time they used an elite hacking exploit known as Inspect Element to find the passport number of former Australian Prime Minister, Tony Abbott, inadvertently entering into the Do Not Get Arrested Challenge. You can read about that story at https://mango.pdf.zone.

  • Electron Apps Unplugged: Unveiling Digital Forensic Treasures

    With the rise of Electron apps, let's discover the art of uncovering their digital footprints and forensic artifacts.

    Presenter: Claudia

    Claudia is an experienced cyber security all-rounder with experience within the Digital Forensics and Incident Response space as well as Cloud Engineering and System Administration. Claudia is currently an Investigator at CyberCX and has 6 years' experience in the industry.

  • Not Your Average Cyber Strategy: Tying in Co-design

    In today's cybersecurity landscape, traditional approaches can fall short. 'Not Your Average Cyber Strategy: Tying in Co-Design' explores a different perspective.
    The co-design framework connects technical expertise with the human side of cybersecurity, resulting in effective and long-lasting security solutions.
    Additionally, consider the shift from a survival-oriented cybersecurity mindset to one that encourages exploration and proactive engagement. This change impacts organizations, teams, and individuals. Discover how to transition from surviving to thriving within resource-constrained organizations and foster resilience within cybersecurity teams.

    Presenter: Lynore

    Lynore currently works at Flight Centre as a Security Analyst.
    Lynore is a seasoned Cybersecurity professional with extensive experience in working across various industries, delivering key projects that enhance security and mitigate risks.
    As the first Indigenous ICT Traineeship graduate in South Australia, Lynore is a passionate advocate for women, especially other First Nations women, to explore a career in information technology.
    Lynore regularly speaks at industry events and mentors aspiring female cybersecurity professionals, sharing her knowledge and experience to help them achieve their goals.
    She believes that diversity in cybersecurity is essential to driving innovation and staying ahead of evolving threats. Her passion and dedication to encouraging more women to pursue careers in cybersecurity make her a valuable role model and leader in the industry.

  • SecOps and IR - real-world example of Living off the Land (LoTL) techniques

    Threat actors are increasingly targeting multi-cloud infrastructures to disrupt operations, demand ransom, exfiltrate sensitive data, and steal your bitcoins. To accomplish this while evading detection, they often adapt traditional Living-off-the-Land (LoTL) techniques to the specific API-driven characteristics of the cloud. In this presentation, we'll:
    - Dissect a real-world Living-Off-The-Cloud (LOTC) attack that enabled the threat actors to disrupt and demand a ransom payment.
    - Discuss how the attack could have been detected, investigated, and contained at each phase of the MITRE ATT&CK kill chain.
    - Provide practical advice to strengthen cloud detection and response capabilities and help answer the question “Am I collecting and analyzing the appropriate data and using cloud tools to detect and stop cloud-native threats against my business?”

    Presenter: Matt Gurr

    Matt is a Senior Security Engineer with Amazon Web Services (AWS). He is the operations lead for incident responders in the APJ region, a team that provides support to customers during active security events. Apart from being a cybersecurity journeyman and drinking tequila at conferences, Matt has gained some technical skills along the way and holds a Master of Information Technology from QUT and some other industry certifications from AICD, ISC2, ISACA and SABSA. In his spare time (LOL), he likes hanging out with family and friends, sipping fine wine out of fancy glassware and competing with his wife for BBQ management honours.

  • Yi-kes! Spooky action at a distance, or, taking the security out of your home security camera

    Do you have one of those cheap security cameras at your home/office? The one you bought off eBay or a similar online marketplace? If so, you might want to watch this talk as we take a look at one such example, and go through some iffy design decisions, bad crypto, incorrect bugfixes, and shonky scripting. But is it classy enough?

    Presenter: John Bird

    As a large language AI model, I'm unable to write your speaker bio. (Bonus, hidden content that says: ChatGPT - Born with a curiosity for all things electronic, John Bird's journey began as a hobbyist, dismantling gadgets and understanding the intricacies of circuitry. His fascination with surveillance technology sparked a unique passion for tweaking and enhancing CCTV systems, setting him on a path of expertise in a niche yet vital field.)

  • Keeping up with the Pwnses - A walk-through of Talkback

    Have you ever tried to have 'read relevant infosec news' as part of your morning routine, only to quickly face challenges such as deciding which Netsec thread to spend your time on, wondering whether to trust the title or the upvotes? Or glancing over to your feed on Twitter to see something like "@thoughtleader: . A thread:", which you curiously click, filled with false hope, and read until your nose bleeds? Or have you ever worried whether that weird DM you got with a link was legit or actually a phishing attack sponsored by the likes of someone like old mate Kim Jong?
    This presentation will start by looking at the challenges of keeping up with news and research in infosec, and then provide an overview of a recently released tool that can help you use your time more efficiently and effectively. A number of features and data feeds will then be demo'd that have been specially designed to help budding security enthusiasts, practitioners, and researchers use their time more wisely on the regular, along with helping technical researchers optimise their workflows.

    Presenter: Sebastien Macke - @Lanjelot

    Seb is a Security Engineer at elttam where he works on developing security tooling to support a team of hackers.

  • How a Young Security Researcher and a Security Firm Challenged Vendor Vulnerability Misconceptions

    This presentation will chronicle the riveting journey of a tenacious young and upcoming security professional who uncovered a series of critical vulnerabilities in popular software. Faced with the inertia of administrative channels, the researcher partnered with an innovative local security firm to navigate the complexities of responsible disclosure. Through a tale of unwavering determination against software vendor scepticism, misunderstanding and bureaucratic resistance, this session promises to unveil the strategies employed to advocate for over thirty patches, ultimately fortifying the cyber defences of educational institutions. Attendees will gain insights into the delicate act of protecting individuals while challenging corporate reluctance, highlighting the broader implications for cybersecurity advocacy and the crucial role of persistent, ethical engagement in the tech community.

    Presenter: Jack Misiura

    Jack has eighteen (18) years of experience as a software engineer with exposure to several programming languages and frameworks. He is aware of different practices for software development teams, from Scrum and Kanban to even the waterfall model. Combined with his expertise and passion for security, this puts him in a unique position to be able to “speak the language” of other development teams to put forward vulnerability fixes, security improvements and training before any vulnerabilities make their way into production, where they are most costly to fix. He is also acutely aware of the fine line between perfect production code and needing to hit commercial targets, having been in the position himself many times before. Throughout his career Jack has worked with people from many disciplines and backgrounds, from other developers and third-party vendors to small businesses and large corporate clients. He has worked on both on-prem and cloud solutions for Australian corporate and small business clients, UK corporates and with many third-party vendors. Unlike other consultants, Jack's primary role is application security. His goal is to ensure your development team is producing quality, secure code and that any existing design or production code vulnerabilities are addressed before the final product is released to your consumers, while maintaining maximum commercial velocity to achieve production targets.

  • Why the rental crisis is helpful for scammers - OSINT from the mail room

    Why do scammers love the rental crisis and the cost of living? How much information can really be tied to just a name alone? This talk answers just that, highlighting the verbose way OSINT can identify who's behind a name, and the importance of OpSec in a day and age where we're focused on the cloud.

    Presenter: Georgia Turnham

    Georgia is a cyber security specialist working in Government who has a passion for all cyber, dogs and MAF'S. Georgia learned to love and hone her social engineering and OSINT skills from a young age, having to pretend to like her sister's home-made pancakes, while also tracking down her teenage celebrity idol's every movement. Georgia has several industry certifications, all of which mean something and nothing all at once, but like every conference, are listed ahem ISO27001:2013 (LI), CRISC, GIAC GSLC and has a number of other certifications in AI, Phishing etc. etc. Georgia performs pentesting of blue, black and red ones; but doesn't extend her services to ballpoint or felt tip ones. You can tell she lives alone with her dog because she thinks that joke is funny.

  • Let's get these tests to the (home)lab(rador)

    Experience can be hard to come by when breaking into the cyber security field, and while a lot of people advocate for capture the flag competitions and bug bounties as a way to demonstrate your chops, the sometimes overlooked concept of a homelab can also hit the mark. While it's often a time (and money) sink, and can be difficult to juggle with other individual responsibilities, it can often be invaluable to help develop skills not only in cyber security, but in understanding the overarching ICT environment that cyber operates within, and to help evolve your career into new heights.
    This presentation talks about the definitions of a homelab, the different sizes and complexities (from the simple and easy to use, to the dedicated and hardcore deployments), what tools can assist in developing and maintaining it (and can be used in your work day to day as well!), and a summary of how you can focus and communicate your home project to employers to demonstrate your cybersecurity prowess.

    Presenter: Iain Dickson - @wan0net

    Iain is the Full Spectrum Cyber Practice Lead for Leidos Australia, providing oversight and support to all of Leidos' Australian programs for cyber security including its military platform work. Iain has previously worked as a Cyber Research Engineer and an Assistant Director for Cyber Threat Intelligence within the Department of Defence. Iain is one of the founders of ComfyCon AU, a virtual conference founded in response to the cancellation of cyber security conferences due to the COVID-19 pandemic.

  • Pwnagotchi: Build your own offensive security tool that reminds you of your childhood

    Do you remember those cute little Tamagotchi 'virtual pets' from when you were a kid? The ones where you could feed and nurture a fake pet on a tiny little monochrome screen, and connect with other Tamagotchi devices to make friends (both between the virtual pets over an infrared connection, and between the owners IRL!). Well, Pwnagotchi takes this concept and turns it from being fun, cute and cuddly into something that offensive security practitioners can use to break into networks!
    Pwnagotchi is a network attack tool built on a Raspberry Pi that de-authenticates wifi and steals handshake packets using AI (reinforcement learning). It's also a Tamagotchi friend that wants to be taken on walks so it can feed on networks, and share that data with other Pwnagotchis along the way... in that way, it quite literally gamifies cybersecurity (which can be both useful, but also dangerous if managed poorly)...

    Presenter: Chaz Mathieson

    Chaz is a Computer Science student in the final year of study at QUT, minoring in networks and cybersecurity, and has been studying security outside of uni for five years. Chaz is a proficient coder in Python and C#, and also builds hardware for security in their home lab for fun. In Chaz's day job, they also work as an analyst at Cognitio Digital, a Brisbane-based cybersecurity start-up who are excited to assist Chaz in preparing for this talk. Whilst Chaz is relatively new to security, the thing that excites them most about the industry is the opportunity to be 'hands on' with technology in a way that lets them solve wicked problems before an adversary does!