Wednesday, November 22
 

3:00pm

BSides Wellington 2017 Pre-registration
BSides Wellington attendees can pre-register for the conference by coming along to The Malthouse between 15:00 and 17:00 on Wednesday 22 November. Bring your tito registration confirmations and QR codes!

The Malthouse will have a selection of Kiwicon beers on tap next week including:
  • Epic Cyberwar
  • Liberty Harmonic 520
  • Garage Project Cyber Friends

Wednesday November 22, 2017 3:00pm - 5:00pm
The Malthouse 48 Courtney Place

3:30pm

Hacker Chix Meetup
Meet and socialise with other B-Sides attendees at a central location for drinks and nibbles.* Don't know anyone? That's fine. There will be thinly veiled networking games! All people who identify as women who are interested in infosec and related fields are welcome, although B-Sides attendees may be given priority depending on the venue capacity. There will be door prizes and free t-shirts courtesy of Kiwicon and InfoSect / Hacker Chix Canberra.
As this event is run as part of B-Sides, it falls under the same Code of Conduct as the main conference. Men are welcome as the invited guests of women.

*ie, not dinner, you are going to have to figure that out yourself.

Wednesday November 22, 2017 3:30pm - 6:30pm
Meow 9 Edward St, Te Aro, Wellington 6011
 
Thursday, November 23
 

9:00am

Communication: An underrated tool in the infosec revolution

Whether it’s closing the talent gap, improving security awareness, sharing threat intelligence, or getting the resources we need to do our jobs, communication is key to addressing many of the most pressing issues in infosec. In this session, we’ll talk through some strategies for communicating effectively. We'll also explore how we can use these approaches to improve our industry, our organizations, and ourselves.


Speakers
KL

Katie Ledoux

Katie Ledoux is a senior security analyst at Rapid7 in Boston, Massachusetts. This is her first time in New Zealand, and she is extremely excited to meet you! She likes true crime, offbeat comedies with strong female leads, and college basketball. She's retweeting infosec memes and only getting vaguely political on... Read More →


Thursday November 23, 2017 9:00am - 10:00am
Shed 6 - Room 1 4 Queens Wharf, Te Aro, Wellington 6140

10:00am

Keeping on top of Ubuntu and Debian security advisories: host agents and wild goose chasing

When ensuring a large number of heterogeneous Ubuntu and Debian machines are "up to date", there are questions that need to be asked.

What's even installed on all these machines? What constitutes "up to date"? Where does that information come from? Why the heck isn't it in a machine readable format already?

What started as an experimental attempt at solving the problem has become a useful, evolving free software web application for collating Linux distro security advisories and integrating with host instrumentation tools such as osquery and hostinfo.

I will talk about the history of the project, the challenges faced in obtaining the data we use and developing the applications, what we're working on at the moment to improve its performance, and show some live demos using osquery to detect problems and observe their remediation in realtime.


Speakers
MF

Michael Fincham

Fincham is a professional RFC fancier, packet jockey and reader of manual pages. During the week he works on an operations team running networks and infrastructure, on the weekend he's a "recreational sysadmin".
FV

Filip Vujičić

Filip is a junior operations dev at Catalyst.


Thursday November 23, 2017 10:00am - 10:45am
Shed 6 - Room 2 4 Queens Wharf, Te Aro, Wellington 6140

10:00am

Confessions of a Red Teamer

“Attackers have bosses and budgets too” — Phil Venables

This is a talk for the Blue Team.

In information security, we spend a lot of time analysing what doesn’t work to protect the crown jewels from being stolen. We’ve all seen the debates that have raged regarding the effectiveness of AntiVirus, the importance of modernising password management and the dazzling failure of security appliances everywhere.

Numerous talks have been given on how everything from physical memory (rowhammer) to users actions (clicking stuff) can cause exciting, controllable issues with systems that can result in a compromise and make the blue team cry into their drinks.

But what security controls and methodologies actually work in 2017?

This talk will explore defensive technologies that have been proven to prevent, hinder, annoy and significantly increase the cost of adversaries targeting your systems. The subject matter will be wide ranging and cover both high level and technical controls.

Backed by field experience with case studies, we’ll take the time to look at what actually works to destroy the budget of your adversaries while keeping the red team awake at night.


Speakers
P

Pipes

Officially hired as a Network Ransacker; Pipes spends his days looking at applications, executing red teams and generally musing about security for Insomnia Security. Hailing from Wellington, New Zealand but residing on a beach in Australia - he has come to unders... Read More →


Thursday November 23, 2017 10:00am - 10:45am
Shed 6 - Room 1 4 Queens Wharf, Te Aro, Wellington 6140

10:45am

Morning Break
Thursday November 23, 2017 10:45am - 11:00am
Shed 6 - Room 1 4 Queens Wharf, Te Aro, Wellington 6140

10:45am

Morning Break
Thursday November 23, 2017 10:45am - 11:00am
Shed 6 - Room 2 4 Queens Wharf, Te Aro, Wellington 6140

11:00am

Beer, Bacon and Blue Teaming

A famous man once said that he didn’t need to attend intel briefings because “I’m, like, a smart person”. Little did he know that those meetings would have provided him the essential knowledge of FedEx malspam that could have saved him from having his 7 year old, unpatched laptop owned along with the compromising tax records that were on it.

Intelligence matters in many ways, depending on how you define it. It can offer insight into the threat landscape, improve our ability to hunt and mitigate threats, and stop us from being cluelessly self-destructive. At its heart it is the collective work of an entire industry. Best of all, it can be free. When things are free, more of our security budget becomes free to spend on important things like beer and bacon.

This talk will step through a variety of sources of intelligence and look at how they can be consumed to better your security posture, provide an introduction to automating the deployment of honeypots, and demonstrate the use of freely available tools and techniques to hunt, dissect and respond to threats that ~~next generation~~ overpriced appliances may not.

Speakers
CC

Chris Campbell

Chris began his career in the early 2000’s as a mere web application developer, but his malicious tendencies soon got the better of him. He is currently a security consultant for Jade Software - a software development and managed services provider - and also moonlights as... Read More →


Thursday November 23, 2017 11:00am - 11:30am
Shed 6 - Room 1 4 Queens Wharf, Te Aro, Wellington 6140

11:00am

Shining a light on the Internet of Terrible
In order to find out more about this wonderful world of the Internet of Things, I've bought some 'smart' light bulbs. This is the story of exploring just how terrible these little devices are. How much data do they leak? Can one user control another user's devices? Universal Plug and Play? What happens when the Internet goes away? Let's find out!

Speakers
DW

Dan Wallis

Dan works as a Technical Sales Specialist at Lateral Security and also runs the Christchurch branch of Information Security Interest Group (ISIG). Formerly a sysadmin in a world of web developers, he's built, managed, maintained, fixed, and tested a good number of websites. Hardw... Read More →


Thursday November 23, 2017 11:00am - 11:30am
Shed 6 - Room 2 4 Queens Wharf, Te Aro, Wellington 6140

11:30am

Pkit Finder

Phishing is the easiest and most successful attack vector for harvesting credentials, delivering malicious files, etc., and it is being actively exploited by cyber criminals. This talk is based on my recent research in finding phishing kits, extracting IoCs, and accumulating results.


Speakers
QK

Qasim Khan

I have been in Information security industry for more than 8 years now. For the last 2 years I have been working as cyber security incident responder with one of the leading banks in NZ. In this role, I have developed new processes, tools and written scripts to help/automate the... Read More →


Thursday November 23, 2017 11:30am - 12:15pm
Shed 6 - Room 2 4 Queens Wharf, Te Aro, Wellington 6140

11:30am

Layer 2 person spoofing and impostor syndrome

Now that infosec rock stars are appearing on TV shows, they're in headlines, and the stars of Golden Globe winning TV shows about hackers are giving Q&As at RSA, it's safe to say that security has some status (this may not be reflected in your current budget). With there now being hundreds of security conferences around the world, and Def Con now having 25,000 attendees (and apparently one shower), there is more research, more publications, and even more ego than ever.

And then there's me. Little old me.

"Impostor syndrome, a concept describing individuals who are marked by an inability to internalize their accomplishments and a persistent fear of being exposed as a "fraud"."

I have this, or at least, people tell me I do. I'm not convinced I do, and just think I'm not worthy of being anywhere. Maybe this is you too? If you do, or know someone who does, I'd like to talk about my experiences with it, what has helped, what hasn't helped, and especially why I think it's so prevalent in both tech and especially infosec, and how we can bring the system down!


Speakers
BH

Ben Hughes

Ben Hughes refuses to acknowledge that is it not the late 90s any more both in style and a strong desire to sculpt really impressive ipchains rulesets. With a depressing 20 years of infosec experience, there are few issues of Phrack he hasn't at some point just read linenoise out... Read More →


Thursday November 23, 2017 11:30am - 12:15pm
Shed 6 - Room 1 4 Queens Wharf, Te Aro, Wellington 6140

12:15pm

Lunch Break
Thursday November 23, 2017 12:15pm - 1:15pm
Shed 6 - Room 1 4 Queens Wharf, Te Aro, Wellington 6140

12:15pm

Lunch Break
Thursday November 23, 2017 12:15pm - 1:15pm
Shed 6 - Room 2 4 Queens Wharf, Te Aro, Wellington 6140

1:15pm

Realtime cyber alerting
Getting tired of not looking at dashboards? Inbox full of alerts you send to trash? Your latest idea of using captchas to crowdsource screening for suspicious logs didn't take off? Well don't fear. You can achieve maximum cyber visibility with StreamAlert. Created by the clever folks at Airbnb, it enables realtime alerting on activity in your infrastructure, logs, hosts, developer machines or well anything really.

This talk is about:
  • How to deploy StreamAlert to AWS using Terraform.
  • Connecting your access logs to StreamAlert.
  • Writing your own rules in Python.
  • Connecting those rules to a Slack and PagerDuty.
  • Well, things didn't stop there. Jeremy went ahead and connected a few unconventional outputs to some alerts...

Speakers
JS

Jeremy Stott

Jeremy is now a totally legitimate security person having recently joined the security team at Vend. Before that, he had a slightly suspicious history of blowing up electronics, and breaking barcodes at Kiwicon with his pal Ryan. Jeremy has a background in software engineering, e... Read More →


Thursday November 23, 2017 1:15pm - 1:45pm
Shed 6 - Room 1 4 Queens Wharf, Te Aro, Wellington 6140

1:15pm

Actually, it's about ethics in penetration testing

This talk will feature as a rough guide to not being a Nessus-rebranding, haphazard shell-popping, DB-dropping, business-stopping cowboy. In it, I will provide words of caution against the tempting world of curiosity-driven unsolicited penetration testing (sometimes known as ‘actually being an attacker’). I'll detail a number of Career Limiting Moves: ethical missteps which may be made without a true appreciation for the impact on your ability to operate in this industry.

I’ll discuss why it’s necessary to be aware of business context, the challenges being faced by the clients and the realities of their operating environment in order to provide actionable advice. I’ll also detail the importance of ensuring they have a sufficiently thorough understanding of exactly what assurances can be provided by the testing scope you’ve been given to avoid creating a false sense of security… and I'll tie this all into the general theme of not being a jerk and your obligations to your employer and your client.

This talk is for you if you try your best to be a professional and are keen to see if I cover any areas you hadn't considered and could work on.

This talk is ESPECIALLY for you if you're on the red team and have ever blindly launched shellcodes you found on the internet at a customer system or tweeted a screenshot of a vulnerable app you were testing professionally.

The talk has a practical business-oriented focus and isn't going to use academic definitions or delve into ethical theory or philosophy.


Speakers
JB

Josh Brodie

I'm Josh Brodie, a security consultant for Lateral Security with a focus on application security. Every day, healthcare providers, government departments, banks and telcos tell me "hey, come and be a jerk to our systems but not TOO much of a jerk because we would appreciate if th... Read More →


Thursday November 23, 2017 1:15pm - 1:45pm
Shed 6 - Room 2 4 Queens Wharf, Te Aro, Wellington 6140

1:45pm

IOP The Internet of Pancakes
2015 was an important year. NASA confirmed the presence of water on Mars, 195 countries signed the world’s first accord on climate change and the PancakeBot was released on Kickstarter. What’s the best thing to do with a CNC pancake maker? Why not put it on the internet?

Speakers
PJ

Peter Jakowetz

Peter is an electrical engineer turned security consultant from Wellington, NZ. He enjoys playing with open source hardware and software, playing with electronics, and breaking things in his spare time.


Thursday November 23, 2017 1:45pm - 2:30pm
Shed 6 - Room 1 4 Queens Wharf, Te Aro, Wellington 6140

1:45pm

Public WiFi isn't that bad, right?
What I found while refreshing my knowledge on WiFi security, to protect myself while travelling abroad. However this applies just as easily at your local coffee shop.

This talk will walk through the WiFi stack looking at common vulns and misconfigurations that apply today, as well as some that have been and gone.

I will present information I gathered about public WiFi while travelling.

Deliberately out of scope is Bluetooth, cellular and physical attacks.

Speakers
OE

Oliver Ewert

I've always had a strong interest in network security and wireless, which started when I had to find increasingly creative ways to get into my neighbor's WiFi during high school because my mum refused to pay for more than dial up! I studied network engineering and now I w... Read More →


Thursday November 23, 2017 1:45pm - 2:30pm
Shed 6 - Room 2 4 Queens Wharf, Te Aro, Wellington 6140

2:30pm

IoT - How to fight the tyre fire
Everyone knows that IoT is a tyre fire but what can we do to start putting it out? Take a tour through the new OWASP IoT Top 10, well-known IoT security cockups, other issues and maybe some personal anecdotes about things to be aware of and some possible ways of fixing them.

Speakers
TI

Tom Isaacson

I've been an embedded developer for 20 years. I haven't bothered learning web development because I still think the internet is a passing fad, but I've been forced to think about security after we added networking to our products.


Thursday November 23, 2017 2:30pm - 3:00pm
Shed 6 - Room 2 4 Queens Wharf, Te Aro, Wellington 6140

2:30pm

Investigation of recent targeted attacks on APAC countries
We have been tracking targeted attacks on countries and territories in the APAC region for the past few years. By constantly improving the detection capabilities of our products we have managed to collect a large set of tools from these APT actors' toolsets, most of which have been meticulously analysed and reverse engineered. The targets of these attacks have been thoroughly researched and many artefacts have been carefully analysed in order to ascertain the identity of the groups behind these attacks. This talk will present the results of the most comprehensive research to date on these APT actors, which we consider the most active actors in this region.

Speakers
NS

Noushin Shabab

Noushin Shabab is a cyber security researcher based in Australia specialising in malware reverse engineering and targeted attack investigations. She joined Kaspersky Lab in 2016 as a Senior Security Researcher in Global Research & Analysis Team (GReAT). Her research focuses on th... Read More →


Thursday November 23, 2017 2:30pm - 3:15pm
Shed 6 - Room 1 4 Queens Wharf, Te Aro, Wellington 6140

3:15pm

Afternoon Break
Thursday November 23, 2017 3:15pm - 3:30pm
Shed 6 - Room 2 4 Queens Wharf, Te Aro, Wellington 6140

3:15pm

Afternoon Break
Thursday November 23, 2017 3:15pm - 3:30pm
Shed 6 - Room 1 4 Queens Wharf, Te Aro, Wellington 6140

3:30pm

Journey to the top on BugCrowd: The untold tales of struggle and pain
The bug bounty scene has evolved tremendously over the years. It is now very competitive, especially among the top echelon. Through this presentation, I'll share how I got to #2 on Bugcrowd over the years. Getting there is a journey. Maintaining it is another. Learn how to hack smarter, not harder. I'll provide an insight into some of the challenges I've faced and how I overcame them.

This talk will be helpful for those that want to start participating. It will include a list of the techniques he used in the reconnaissance phase on each of the different bug bounty programs he was invited to, as well as some cool findings.

Speakers
AA

Ahmad Ashraff

7+ years as pentester. Active bug bounty participant since 2013. Currently in top 5 in Bugcrowd's All-Time leaderboard (https://bugcrowd.com/leaderboard)


Thursday November 23, 2017 3:30pm - 4:00pm
Shed 6 - Room 2 4 Queens Wharf, Te Aro, Wellington 6140

3:30pm

Gophers, whales and.. clouds? Oh my!

Go, Docker and Microservices; some great technologies and buzzwords that we hear so much about on the development side of the fence, but how can we leverage these technologies to improve our offensive capacity? Armed with a passion for new tech, a vague theory, and an ‘nsa-o-matic’ approved project name; gopherblazer was born.

Whether through dockerising and improving existing tooling, leveraging Function-as-a-Service (FaaS) offerings, or just distributing offensive capabilities; I’ll share what I learned on my journey into improving my offensive capacity and productivity (while having an excuse to play with shiny technologies along the way!).


Speakers
GD

Glenn 'devalias' Grant

Glenn ‘devalias’ Grant is a full-stack, polyglot developer with an acute interest in the offensive side of security. Whether building something new or finding the cracks to break in, there is always a solution to be found; even if it requires learning something entirely new... Read More →


Thursday November 23, 2017 3:30pm - 4:00pm
Shed 6 - Room 1 4 Queens Wharf, Te Aro, Wellington 6140

4:00pm

Secrets of a High Performance Security Focused Agile Team
Security does not have to be neglected when you’re planning, building & running a high performance development team. Kim will show us how to shift security left <- into the development team, with a set of light weight processes, practices & tools that have proven deadly to defective code and Teams.

Speakers
KC

Kim Carter

BinaryMist Ltd
Technologist / Engineer, Information Security Professional, Entrepreneur and the founder of BinaryMist Ltd (https://binarymist.io/). OWASP NZ Chapter Leader. Certified Scrum Master. Facilitator, mentor and motivator of cross functional, self managing teams. With a solid 15 years... Read More →


Thursday November 23, 2017 4:00pm - 4:30pm
Shed 6 - Room 2 4 Queens Wharf, Te Aro, Wellington 6140

4:00pm

Operation Luigi: How I hacked my friend without her noticing

I’m at a ramen place with my friend Diana. Diana isn’t her real name, but we’re going to pretend it is because that’s what all the cool journalists do and I wanna fit in too so don’t ruin this for me okay.

I ask her if it would be okay for me to try and hack all her stuff. She’s instantly visibly excited. I explain how this could result in me seeing everything she’s ever put on a computer ever. She tells me she thinks this is going to be “so good”. We lay down some rules:

  • I’ll start some time in the next 12 months
  • No deleting anything she has
  • No disrupting her daily life
  • Stop asking if she’s sure it’s okay
  • Bonus rule from me: Do this entire thing in stealth mode. Don’t ever let Diana know that I’ve started until it’s too late.

I mean, obviously it worked since you and I are having this nice little textual discourse right now. Take my hand metaphorically, and I’ll guide you through what I tried, my many flubs[1], and how to protect yourself from what I did[2].

And uh also at the end Mario’s green friend is there.


Speakers
Q

"Alex"

Alex is a certified Luigi Technician, RFC skimmer, 5 time celebrity MasterChef winner, and tries earnestly to be a Good Boy. He works in incident detection and response at Atlassian which is /sort of/ like being an adult but with like, ice cream? In 2016 Vice Motherboard referred... Read More →


Thursday November 23, 2017 4:00pm - 4:30pm
Shed 6 - Room 1 4 Queens Wharf, Te Aro, Wellington 6140

4:30pm

Lies, damned lies, and security. Defending your systems like a CERT-er
SSH key? Yup. Strong encryption? Uh huh. Systems patched? You bet. So you think that will save you when the end times come? Think again. Demonstration of how most people get it wrong, and how to save yourself from armageddon when the hackers come knocking.

Speakers
MS

Michael Shearer

By day, Michael is the securer of things at CERT NZ. By night, enjoys Scandinavian death metal, and the finest ranges of gummy confectionary the internet has to offer.


Thursday November 23, 2017 4:30pm - 5:00pm
Shed 6 - Room 1 4 Queens Wharf, Te Aro, Wellington 6140

4:30pm

Let's think about drinking
How often do you think about drinking? OK, but how often do you _really_ think about drinking? Why we do it, and how it influences our lives? Drinking is a part of our culture: if you live in New Zealand, if you work in tech, if you participate in the infosec community, if you've ever been a student, whether you drink or not, alcohol influences the ways we all work, relax and interact, often in ways we don't even realise.

Petra, an information security consultant at SafeStack and former actual historian of drinking, will give you a closer look at our drinking culture, its unintended consequences, and what we can do as individuals and as a community to make our workplaces, social spaces and events better for everyone by changing the way we think about drinking.

Speakers
PS

Petra Smith

SafeStack
Petra is an information security consultant at SafeStack, former historian, secret librarian and giant nerd. She is bad at finishing thi


Thursday November 23, 2017 4:30pm - 5:00pm
Shed 6 - Room 2 4 Queens Wharf, Te Aro, Wellington 6140

5:00pm

Mental Health in Infosec - Hackers, hugs, and drugs
The infosec community is difficult to compare to any other. We are composed of intelligent, driven, passionate, opinionated individuals. When you combine the pressure and stress we put on ourselves in the form of research, learning, teaching, and creating it starts to build up. Not only do we put pressure on ourselves, but we also take it on from our bosses, co-workers, and family in many different forms. The majority of roles we fill cater to our drive and willingness to be behind a keyboard for hours on end. The end result is that many of us are broken. Broken in different ways, at different times, and for different reasons. We need to bring to light a topic that shouldn't be as faux pas as it is. I'll share my personal struggles, stories of friends and family, and hopefully help us come closer together as a community to help you or people around you.

Speakers
AB

Amanda Berlin

Amanda Berlin is a Sr. Security Analyst for a consulting firm in Southern Michigan. She has spent over a decade in different areas of technology and sectors providing infrastructure support, triage, and design. Amanda has been involved in implementing a secure Payment Card Indust... Read More →


Thursday November 23, 2017 5:00pm - 6:00pm
Shed 6 - Room 1 4 Queens Wharf, Te Aro, Wellington 6140

7:00pm

WarGames Movie Night
Want to hang around post-con and enjoy a terribly tacky movie? Join us!

Thursday November 23, 2017 7:00pm - 10:00pm
Shed 6 - Room 1 4 Queens Wharf, Te Aro, Wellington 6140
 
Friday, November 24
 

9:00am

Influencing Meat Puppets Through Memes
The UK voted to leave the EU and The Donald is president, what a time to be alive. With the Russian government purported to be an influencer in both these events, it got me thinking. How hard is it to actually influence an election? What methodology would you employ and how far out from the election would you need to start? What does it take to run your own sock puppet army? How would you tailor your messages to have maximum impact? What is the state of the art in detecting these attacks? This presentation will answer those questions and many more, leaving you begging the question - should I run in 2020?

Speakers
SB

Simon "bogan" Howard

Security Consultant, ZX Security
@bogan is currently "on a break" from running Kiwicon with his cyber friends. He is the owner of ZX Security, a Wellington-based InfoSec consultancy, runs the Wellington ISIG meet-up and enjoys long burnouts in the Hutt.


Friday November 24, 2017 9:00am - 10:00am
Shed 6 - Room 1 4 Queens Wharf, Te Aro, Wellington 6140

10:00am

Rapid Reaction - Foundations of Incident Management

With the exception of a few organisations, it seems that the effort put into establishing an information security incident management and response capability is limited to developing a documented process. Most do the bare minimum required to tick the “has an incident response process” box, with little to no regard for how effective the process is. That’s why very few organisations actually detect information security (or cyber security if you prefer) incidents in a timely manner, and fewer still are able to handle and resolve them in an efficient and effective way to minimise the impact.

The talk will start by setting the context for incident management as a risk management activity, emphasising that it is not just a technical issue, and then get some terms and definitions out of the way. This will be followed by presenting a standard incident management process, discussing its steps, describing a recipe for building your own capability and highlighting the most commonly encountered "tar pits". At the end of the session, the floor will be open for questions and sharing experiences (without disclosing sensitive information).


Speakers
AE

Ahmed ElAshmawy

Senior Consultant, Axenic Ltd
Ahmed is a Senior Consultant at Axenic Ltd with considerable experience as an Incident Handling trainer and hands-on practitioner. He has been a CERT-Certified Computer Security Incident Handler (CSIH) and a SEI-Authorised Instructor, delivering CERT training courses since 2008... Read More →


Friday November 24, 2017 10:00am - 10:45am
Shed 6 - Room 2 4 Queens Wharf, Te Aro, Wellington 6140

10:00am

When do we Belong?

Impostor syndrome is rampant in the tech communities and it’s hard to understand why. Drawing on her DevOps background and using Contempt Culture as a lens, aurynn analyses how tech culture builds group membership and constructs belonging, and the difficulties that creates.

In this talk, aurynn dives in-depth on how impostor syndrome and deep feelings of alienation are the only possible result of how tech culture operates. By using Contempt Culture as our guide, we examine what belonging in tech looks like, how the ideas like the meritocracy are created, and how these ideas cause us to give ourselves impostor syndrome and deny us the tools to shed these feelings.

From how we construct impostor syndrome, aurynn will talk about how we can work to disrupt the feedback loop of isolation and alienation, and work towards building a more inclusive and welcoming culture.


Speakers
AS

aurynn shaw

aurynn is the founder of Eiara, a DevOps consultancy based out of Wellington, New Zealand, focussing on helping clients develop technical DevOps capability, and the cultural knowledge to use it. With over a decade as a professional software developer, aurynn’s expertise ranges from modern cloud deployments to massively parallel supercomputer environments. As the defining voice... Read More →


Friday November 24, 2017 10:00am - 10:45am
Shed 6 - Room 1 4 Queens Wharf, Te Aro, Wellington 6140

10:45am

Morning Break
Friday November 24, 2017 10:45am - 11:00am
Shed 6 - Room 2 4 Queens Wharf, Te Aro, Wellington 6140

10:45am

Morning Break
Friday November 24, 2017 10:45am - 11:00am
Shed 6 - Room 1 4 Queens Wharf, Te Aro, Wellington 6140

11:00am

Reversing the Killchain - An Actionable Framework for Defending Against Common Threats
The Intrusion Kill Chain, sometimes called the Cyber Kill Chain, is a model for actionable intelligence when defenders align enterprise defensive capabilities to the specific processes an adversary undertakes to target that enterprise. Everyone talks about the cyberkill chain(tm) and along with it comes abundant misinformation and scare tactics. Instead of scaring you we'll focus on the most effective steps you can take to protect your organization from the vast majority of threats by breaking down the actions along with defensive mitigation and monitoring. Use cases such as ransomware, webserver vulnerabilities, shadow IT, data exfiltration, and lateral movement will be broken down for a better understanding of how to improve the standard of defense at each level. Use cases in general are important for showcasing situations that may put critical infrastructure, sensitive data, or other assets at risk. By demonstrating defense in depth, each layer ends up providing additional defensive mitigations for a continued decrease in risk. Following the creation and implementation of security controls around use cases is the testing of tabletop exercises and drills as a proof of concept.

Speakers
AB

Amanda Berlin

Amanda Berlin is a Sr. Security Analyst for a consulting firm in Southern Michigan. She has spent over a decade in different areas of technology and sectors providing infrastructure support, triage, and design. Amanda has been involved in implementing a secure Payment Card Indust... Read More →


Friday November 24, 2017 11:00am - 11:45am
Shed 6 - Room 1 4 Queens Wharf, Te Aro, Wellington 6140

11:00am

Pandas and Rabbits: Xen Meets American Fuzzy Lop

Xen is an open-source hypervisor that powers some of the world’s biggest public and private cloud infrastructure, such as Amazon's EC2 and Rackspace Cloud.

American Fuzzy Lop is an open-source fuzzing tool that has found vulnerabilities in tons of software, such as OpenSSL, PHP, Internet Explorer and Android.

Fuzzing programs that handle discrete sources of data such as files and network connections is simple, but how can we integrate AFL with a hypervisor like Xen to find bugs? In addition, how can we turn any bugs we find into exploits that break out of a virtual machine and gain access to the entire physical host?

Come and find out what goes on beneath your virtualised operating system as I describe the process of finding and exploiting bugs in Xen through fuzzing with AFL. You'll learn about paravirtualisation, hypercalls, page tables, ring buffers, Qubes, and what happens when you accidentally replace every process on a system with an instance of Python.


Speakers

Matthew Daley

Security consultant and general weirdo. I may not have sweet paper from bug bounties, but I have some exciting mailing list posts... ;_;


Friday November 24, 2017 11:00am - 11:45am
Shed 6 - Room 2 4 Queens Wharf, Te Aro, Wellington 6140

11:45am

#cyberisnotanoun
I'm going to put a strong case for why "cyber" and "cyberspace" are harmful not helpful. **Words matter**. Hand-waving encouraging words like "Cyber" hinder useful conversations, get in the way of information transfer and make you sound stupid.

Precise language provides clarity, allows us to actually talk about real issues in a mature way and can help us make things more secure. As well as ranting about people saying silly things, we're going to cover how we can get non-techs to start using good words.

Speakers

Creeture

Creeture (aka Ben Creet) is a policy professional(ish), infosec & strategy nerd. An NZITF member and strategic studies post-grad, Creeture's wheelhouse is where infosec, strategy, policy and wider Internet issues collide. Most importantly Ben is parent/pack-leader to LilCreeture...


Friday November 24, 2017 11:45am - 12:15pm
Shed 6 - Room 1 4 Queens Wharf, Te Aro, Wellington 6140

11:45am

Onionland Explorers!
An introduction to Tor, an introduction to Onionland! We'll discuss the basics of how Tor works, attacks against it, how people have been caught while using Tor in the past, and how you might be able to use Tor to preserve your anonymity. We'll cover some of the basic tools you might be touching, like Onionscan.

Speakers

Friday November 24, 2017 11:45am - 12:15pm
Shed 6 - Room 2 4 Queens Wharf, Te Aro, Wellington 6140

12:15pm

Lunch Break
Friday November 24, 2017 12:15pm - 1:15pm
Shed 6 - Room 2 4 Queens Wharf, Te Aro, Wellington 6140

12:15pm

Lunch Break
Friday November 24, 2017 12:15pm - 1:15pm
Shed 6 - Room 1 4 Queens Wharf, Te Aro, Wellington 6140

1:15pm

Project Walrus, an RFID and Contactless Card App
Project Walrus is an Android app we're developing to let pentesters make better use of their contactless card devices, like the Proxmark and the Chameleon Mini.

It lets you use each device to read cards into a common wallet, where they can be stored and used later. I will talk about the app and give a quick demonstration of its capabilities.

Speakers

Daniel Underhay

Pentester by day, Project Walrus developer on the weekend. Enjoying being alive.


Friday November 24, 2017 1:15pm - 1:30pm
Shed 6 - Room 2 4 Queens Wharf, Te Aro, Wellington 6140

1:15pm

Crescent Wrenches and Debuggers: Building Your Own Toolkit For Rational Inquiry
Software exists in a constant state of failure, facing pressure on many fronts - malicious intruders, hapless users, accidental features, and our own limits of imagination all conspire to bring our system to a screeching halt. Untangle even the most tangled of Gordian Knots by building your own toolkit for inquiry, by relying on the simplest technique of all: asking "why?"

Speakers

Kerri Miller

Kerri Miller is a Software Developer and Team Lead based in the Pacific Northwest. She has worked at enterprise companies, international ad agencies, boutique consultancies and start-ups, mentors and teaches students, and finds time to work on Open Source projects. Having an insatia...


Friday November 24, 2017 1:15pm - 2:00pm
Shed 6 - Room 1 4 Queens Wharf, Te Aro, Wellington 6140

1:30pm

Hacker: Crook or Crusader?
I believe people hold particular ideas about hackers and hacking derived from media and pop culture, implicating their security behaviours. I am going to identify these beliefs and assess their effects for my Honours/Masters research project. I am interested in observing why people believe or apply particular characteristics to whom they deem to be hackers, how this has come to be, and whether it implicates the security behaviours of these individuals. Is it just a media-fuelled image of a teenager in a dark room wearing a hoodie by their computer? Who perceives this? I am interested in finding out more about this, as I feel it may relate to the security behaviours of individual computer users and possibly in an organisational setting.

Speakers

Lauren Flutey

Lauren is an Honours/Masters Information Systems student at Victoria University, and she also works on a casual basis at PwC in the Cyber Security team in Wellington. Lauren is originally from Wanganui where she grew up using Windows 95, playing guitar as well as hunting and shoo...


Friday November 24, 2017 1:30pm - 1:45pm
Shed 6 - Room 2 4 Queens Wharf, Te Aro, Wellington 6140

1:45pm

The CIO's new process
Have you ever wondered what would have happened if Hans Christian Andersen had lived 180 years later, worked in IT but still wrote books? Well children, it's time for a bedtime fantasy story about Unicorns, CIOs, processes and money, so make yourselves comfortable and we shall begin…

Speakers

Andrew Hood

With over 20 years in the IT and Security industry each, Andrew Hood and Derek Robson have seen their fair share of management trends, hype and new ideas. Written by Andrew after too many repeats of his children listening to the Emperor’s New Clothes, he and Derek wondered whether anyone would be brave enough to tell a CIO that his wonderful new process may be a little bit...


Friday November 24, 2017 1:45pm - 1:55pm
Shed 6 - Room 2 4 Queens Wharf, Te Aro, Wellington 6140

1:55pm

Protect yourself against the bees
In the meatsphere, you can utilise an apiarist's cowl or smoke to protect yourself from the buzzing pollinator. But in the cyberworld, how do you protect against a single bee emoji? This talk discusses how the humble bee emoji could be used to destroy your database, and how you can protect yourself.

Speakers

Katie McLaughlin

Katie McLaughlin is an SRE, and a senior apiarist on the BeeWare Project (yes, really), who is not a security professional, but she goes drinking with them, and they scare her. She enjoys sharing this fear with others in order to improve the privacy and safety of web users, an...


Friday November 24, 2017 1:55pm - 2:15pm
Shed 6 - Room 2 4 Queens Wharf, Te Aro, Wellington 6140

2:00pm

Reusing breach data for attack and defence
Data breaches and their disclosure have become commonplace, and yet reusing the contents of a breach for security testing or for enhancing an organisation's defences has been poorly explored. Whilst the technical complexity and time of execution are not comparable to more elegant threats, the accessibility and ease of exploitation of passwords should be of concern to individuals and businesses. Having collected and analysed such information over the course of two years, it was only natural to start reusing it in penetration testing.

This talk will go through some of the insights into the collection of data, its reuse in security testing, our development of an internal database for material from breaches, as well as how it can be used in a defensive function.

Speakers

Edward Farrell (AKA Faz)

Edward Farrell is an independent information security consultant who specialises in penetration testing and incident response. In addition to starting up his own security practice, Edward is an avid participant in the Australian information security community and is a lecturer at...


Friday November 24, 2017 2:00pm - 2:45pm
Shed 6 - Room 1 4 Queens Wharf, Te Aro, Wellington 6140

2:15pm

Mistakes were made
"Mistakes were made" said by an engineer describing the issue of losing the admin password on our GPS hardware. John describes the development process and implementation of a password reset feature and lessons learned along the way.

Speakers

John Grant

John Grant - Jungle Beast. Software Developer, IT guy who works on GPS Time Sync sometimes. Other times a dad and ponderer of the IoT/S apocalypse.


Friday November 24, 2017 2:15pm - 2:30pm
Shed 6 - Room 2 4 Queens Wharf, Te Aro, Wellington 6140

2:30pm

Give your users better feedback about rubbish passwords with zxcvbn
An introduction to zxcvbn, an open source library that provides better password feedback, rating passwords on how long they would take for a brute force cracking tool, or if they are a commonly used sequence. We'll see how to implement zxcvbn in your frontend in order to give better advice to your users.

Speakers

Jen Zajac

Catalyst
Jen Zajac is a senior front-end developer at Catalyst in Wellington. She has been 'messing around with computers' since the early 90s, and has been based in Wellington since immigrating from the UK six years ago. She was the director of nz.js(con); 2017, the national JavaScript c...


Friday November 24, 2017 2:30pm - 2:45pm
Shed 6 - Room 2 4 Queens Wharf, Te Aro, Wellington 6140

2:45pm

IT Risk and Security Management in Small and Medium Organizations - The Bare Minimum
This talk will show 1) a ‘bare minimum’ IT risk and security management (ITRSM) framework for small and medium organizations (SMOs), 2) key research findings about barriers to adopt and use the framework in SMOs as well as 3) potential ways to overcome these barriers.

Speakers

Andreas Drechsler

Dr Andreas Drechsler is Senior Lecturer at Victoria University's School of Information Management. Since 2012, he has been researching ways to improve current IT management, IT risk management and IT project management practices, with a special emphasis on small and medium organi...


Friday November 24, 2017 2:45pm - 3:00pm
Shed 6 - Room 2 4 Queens Wharf, Te Aro, Wellington 6140

2:45pm

Māori cultural ethics in digital security
If you are in government, this presentation will satisfy Treaty of Waitangi considerations; if you want to be respectful of Māori culture this presentation is for you; If you are just curious, this is a good presentation to listen to; if you are a commercial company looking to secure Iwi and Māori clientele, this presentation will give you lots of great ideas.

The hardest part about speaking about Māori cultural ethics and digital security is not to offer too much information on vulnerabilities that can be used against Māori by unethical security practitioners and, in reverse, by unethical Māori security people back against the law-abiding security community.

It is my intention to briefly touch on multiple topics to give you an idea of some of the ethical issues. More so, a number of ethical issues I have witnessed and anticipate will be common in the near future.

It is important to state here that just because someone is Māori, it does not mean they were brought up Māori and understand Māori culture and language etc. Some Māori who were brought up Māori chose to simply ignore it and assimilate into modern society.

Simple things such as imagery of tattoos, faces, the dead and specific landmarks are very sensitive topics, as are their storage location and where and how they are accessed.

Biometric security, DNA storage, Databases with names, data storage in the cloud are all new areas that have an impact on Māori culture.

Specifically targeted cyber attacks on Māori using automated translations or deliberately targeting self identifying Māori is a risk that should be considered and monitored.

Laying cables and consideration of where they are could be offensive due to the fact that information goes through them and some places are sacred.

Using Māori names as passphrases, or halving Māori names, is offensive, as could be using Māori names for networks and servers; alternatively, they could be really ideal names that give your network and servers some cool personified meanings in the Māori language.

IOT and the risks and benefits to Māori culture is a wide area of new consideration that has yet to be explored.

Speakers

Karaitiana Taiuru

An advocate and proponent for online and digital Māori rights, data sovereignty/digital colonialism, te reo Māori revitalisation with technology, cultural appropriation, Māori representation and Intellectual Property Rights for the past 22 years. In more recent times raising tikanga Māori and mātauranga Māori awareness in digital and water issues. Responsible for significant online Māori developments. This has included many national and international achievements including: Controversially highlighted wide spread major cultural appropriation by Māori in digital (2017) Author of a major ICT/Social media Dictionary of the Māori Language with over 375,000 translations (2016) Compiled a list and analysis of Māori ICT organisations, thus expelling many industry myths and concerns (2016) Compiled the first ever dictionary of Moriori and digitally distributed the publication. (2016) Author of the definition...


Friday November 24, 2017 2:45pm - 3:15pm
Shed 6 - Room 1 4 Queens Wharf, Te Aro, Wellington 6140

3:00pm

Security for Small to Medium-sized Businesses

You may think you are a small business and not a target group for cybercriminals!  MBIE has published that there are more than ½ million small businesses in New Zealand.  That makes you part of the biggest targeted group!

  • Why are SMBs in the biggest targeted group

  • What can you do to protect yourself

Speakers

Sai Honig

Originally from the United States, Sai is now residing in New Zealand. Sai Honig is a multipotentialite who has worked in differing roles in various industries. Sai has experience in governance, audit and operations of IT. Her industrial experience includes manufacturing, healthcare, and education. Sai has volunteered for Grameen Foundation assisting their global efforts in microfinance and alternative methods of assisting those to access capital in order to improve their lives, their families and their communities...


Friday November 24, 2017 3:00pm - 3:30pm
Shed 6 - Room 2 4 Queens Wharf, Te Aro, Wellington 6140

3:30pm

Afternoon Break
Friday November 24, 2017 3:30pm - 3:45pm
Shed 6 - Room 1 4 Queens Wharf, Te Aro, Wellington 6140

3:30pm

Afternoon Break
Friday November 24, 2017 3:30pm - 3:45pm
Shed 6 - Room 2 4 Queens Wharf, Te Aro, Wellington 6140

3:45pm

Design for Security

This is BSides, so you already know how crucial security is. Yet it's a rare topic outside of conferences and circles such as these.

There's a misconception — perpetuated by green lines of incomprehensible code in movies — that security is a niche for masterminds. But in the real world, most security breaches don't come from 0days or convoluted hacks. In fact, most errors are human. Simple scams that have worked since the internet began.

There's a massive missed opportunity here. What if designers and security experts teamed up? What if we approached security problems with a design perspective?

Good user experience design is necessary for good security. We can craft paths of least resistance that match paths of most security. We can educate our users on what is good practice and what is security theatre. We can design secure flows that are usable, not obstructive or annoying.

In this talk, we'll walk through secure design principles. We'll cover perceived security: how we can make our users feel safer as well as be safer. And to round it off, we'll walk through some common flows, and dissect how approaching security problems from a different perspective can offer interesting (and sometimes simple) solutions.


Speakers

Serena Chen

Serena is a product designer, ex-physicist, one-time teen magazine founder, hacker at heart, and hosts a feminist podcast.


Friday November 24, 2017 3:45pm - 4:15pm
Shed 6 - Room 1 4 Queens Wharf, Te Aro, Wellington 6140

3:45pm

Take a Lesson from Snowboarding and Recruit Kickass Women
15 years in the snowboard industry driving the initiative to raise the level of female participation in a male-dominated sport gives me a unique perspective on what infosec can learn from our experiences of recruiting women when ‘pink it and shrink it’ was an acceptable form of marketing.
Some concrete ideas on how the security and software industries need to look outside the tech industry and adopt successful initiatives to increase the participation of women in tech. We talk a mean talk about cultural fit, and then fail to look at industries based on culture that have tackled gender inequality and won.
Burton Snowboards started the Women’s Leadership Initiative which has seen the leadership team grow from 10% female to over 40% in the last 10 years. Nearly everything they do as a company is transferable to the tech industry, so come and see what works for you.

Speakers

Toni James

I’m a snowboarder turned software engineer with an addiction to security. I’ve won a few scholarships in my quest to get more women into tech and I’m really good at supporting others to do ‘all the things’. I’m a firm believer in ‘you need to see it to be it’ and I’m putting mys...


Friday November 24, 2017 3:45pm - 4:15pm
Shed 6 - Room 2 4 Queens Wharf, Te Aro, Wellington 6140

4:15pm

Let me secure that for you
Writing secure applications is hard, and often vulnerabilities are found after your application has already been released to production.

But what happens if you're not able to fix the vulnerabilities quickly? If you don't have the source code? Or if the vulnerable application is "Enterprise Software" and you aren't ever going to be able to fix it? Wouldn't it be great if someone else could secure your website for you?

In this talk we describe the approach we use to shield customers' websites when all other avenues have failed, or when urgency requires a fix as soon as possible. This process of virtual patching works well in the real world, and allows people to have comfort that all their known vulnerabilities are fixed and their applications are as secure as can be.

This talk demonstrates the process of virtual patching using a suite of open source tooling that you can go back to your company and use straight away - tools like mod_security and nodejs. Our approach is different to the typical approach of WAF vendors, and avoids false-positives by only patching exact, known vulnerabilities discovered in a penetration test, and so we avoid the risk of affecting legitimate users.

Prior knowledge: This talk assumes an understanding of the HTTP protocol and common OWASP Top 10 vulnerabilities. Some experience reading JavaScript would be useful; however, the examples presented should be explained in a way that makes sense to non-coders.

Speakers

Kirk Jackson

Kirk is a Security Researcher at RedShield, where he analyses security vulnerabilities in customer applications and comes up with a plan to protect them. He organises the Wellington OWASP Chapter, and helps organise NZ's biggest security defence conference OWASP NZ Day. Kirk has...


Friday November 24, 2017 4:15pm - 5:00pm
Shed 6 - Room 2 4 Queens Wharf, Te Aro, Wellington 6140

4:15pm

When Bugs Bite - why neglecting your edge cases can kill

Two people died because of a Unicode support error. Another died because of a camera’s inability to distinguish colours from one another, and yet another died because of bad GPS data. Many thousands more deaths could have been prevented by a single variable, if the developers had thought to include it.

As developers and security testers, our skills and ideas are increasingly crucial for keeping the world running. We don’t have time to test for, find, and fix all of the bugs. It's common to think of information leakage and unauthorised manipulation as the worst outcome of a software flaw, but the most innocuous of bugs can sometimes lead to an actual loss of life.

No software ever holds up to contact with reality, but in this talk, you'll see some of the more extreme consequences of tech debt and seemingly small bugs, and learn how your team can more easily identify assumptions, document weirdness, and eliminate edge case behaviour when building and breaking software. That boring task hiding in your backlog might just save a life.


Speakers

attacus

Lilly is a software and systems engineer from Australia. She spends her days building and breaking corporate identity systems. Following a stint as an academic specialising in the surveillance mechanisms of medieval Europe, she has spent more recent years teaching...


Friday November 24, 2017 4:15pm - 5:00pm
Shed 6 - Room 1 4 Queens Wharf, Te Aro, Wellington 6140

5:00pm

Metlstorm's Empiricism Emporium: Unpleasant Truths Our Speciality
The saying goes, "you can lead a horse to water, but you can't make it drink." After twenty years in infosec, I'm about ready to grab that nag's mane and shove its stupid wizened up old prune-face in the trough. We all know it ain't gonna rehydrate itself, but at least I'll feel better while it coughs and splutters, and maybe, just maybe, it'll think about what it's done while it tries to choke down its nosebag full of dry cloud oats after.

In this talk, Metl will talk about how he feels about the state of Infosec in New Zealand (spoiler: cranky), how to hack everyone and everything (spoiler: easily) and what we're going to do about it (spoiler: cry?).

Speakers

Adam 'metlstorm' Boileau

Adam 'metlstorm' Boileau is a hacker with burgeoning local consultancy Insomnia Security, news pundit with Risky Biz, and has, on occasion, appeared on the flame-kissed stage of the odd Kiwicon or two. Metlstorm enjoys free time, not organising hacker conferences, and lon...


Friday November 24, 2017 5:00pm - 5:30pm
Shed 6 - Room 1 4 Queens Wharf, Te Aro, Wellington 6140

5:30pm

BSides Wellington 2017 Conference Close
Prize giving, some statistics (ooh, how exciting!) and a whole bunch of thank yous from the BSides Wellington Crew.

Friday November 24, 2017 5:30pm - 6:00pm
Shed 6 - Room 1 4 Queens Wharf, Te Aro, Wellington 6140

6:30pm

BSides Wellington 2017 After Party
TBA

Friday November 24, 2017 6:30pm - 11:00pm
TBA 4 Queens Wharf, Te Aro, Wellington 6140