Talks will be announced in two phases, on 30th Sept and 14th Oct. The current schedule may be subject to change.
|Title||A Tribute to Barnaby Jack - The Good Hacker|
|Abstract||Barnaby Jack was a world-renowned security researcher and friend to many in the community. His passing earlier this year was a shock to all, and he will greatly be missed. This talk is intended to be a small tribute to Barnaby - reflecting on his personal qualities that endeared him to many, and his technical achievements that thrust him on to the world stage as a leader in security research.|
|Location||Sat 09 0915 @ The Opera House|
|Name||Amberleigh Jack & Mark Dowd|
|Origin||Auckland, NZ & Sydney, Australia|
|Bio||Amberleigh Jack is a freelance writer In Auckland, having had work pop up in various magazines and websites such a Rip It Up magazine, Public Address and Metro.
Mark Dowd is the director of Azimuth Security, and a veteran in the security industry. He has uncovered numerous vulnerabilities in host and server-based applications used pervasively throughout the Internet. He has spoken at various security conferences around the world - including Black Hat, PacSec, CanSecWest, and Ruxcon. He is also the co-author of "The Art of Software Security Assessment".
[ 和谐 / REDACTED FOR STATE HARMONY
|Location||Sat 09 0930 @ The Opera House|
|Bio||Ethnically Chinese but not a Communist, Thomas Lim is the Founder and
CEO of COSEINC and the Organiser of SyScan.
As a great admirer of all immigration/custom officers and airport
security personnels, he travels around the world under the pretense of
conferences, but in reality, to experience first-hand their professional
conduct and unbiased attitude in handling travellers like himself.|
|Abstract||Hypothesis: There is a strong correlation between the amount of bugs one
can find in a specific piece of software and the amount of times said
application's marketing team use the word 'Enterprise'.
Method: Hack all the things.
Conclusion: Well, you'll have to come to our talk..
This talk will be all about the bugs found in the applications that are
designed to keep your favourite Zaibatsu, telco or goverment agency
running smoothly. Who watches
the watchers? We do. And now you can, too!
|Location||Sat 09 1000 @ The Opera House|
|Name||Denis 'DoI' Andzakovic and Thomas 'Cartel' Hibbert|
|Bio||Denis Andzakovic works for Security-Assessment.com as a security
consultant, based out of the Auckland office. DoI enjoys breaking things
and sometimes in his spare time sings songs about breaking things.
Thomas Hibbert has stepped into the light and works for
Security-Assessment.com as a Security Consultant. He enjoys [REDACTED],
[REDACTED] and [REDACTED] and in his spare time likes to [REDACTED].
|Abstract||Kexec is a Linux kernel feature that allows you to load and
launch a new kernel. You might naively expect this to be implemented
with some sort of rational mechanism that didn't allow userspace to
stuff arbitrary code into the kernel in such a way that it then gets
executed in ring 0 with no memory protection. Ha. Ha. Ha.
This presentation will give a brief overview of kexec, its
implementation, terrifying things that are mentioned in its
documentation, and some demonstrations of it being used for the lulz.
|Location||Sat 09 1100 @ The Opera House|
|Name||Matthew 'mjg' Garrett|
|Origin||Boston, MA, US|
|Bio||Matthew used to hack fruitflies, now he mostly hacks firmware.
He's ported Zork to UEFI and has possibly run arbitrary code on your
IPMI hardware, but by day he works to improve cloud security at Nebula.
 Mostly into a thin paste. Have you ever tried taking one apart? It's
|Title||UAV systems and security|
|Abstract||The first drone pilot to suffer from shell shock, described confirming kills by observing enough white, 37°C pixels on the terrain surrounding the bodies, and if Iran can down a US drone, why can't we?
There is obviously some gap between civillian (COTS) and military (MILSPEC) technology but, how much of a gap? This talk explores the technology, proposes some attacks, and their mitigations.|
|Location||Sat 09 1130 @ The Opera House|
|Origin||Christchurch, New Zealand|
|Bio||Everyone's favourite topic is themselves.|
|Title||Edward Snowden and the NSA: The Napster perspective|
While the peoples of the Internet are busy arguing over the morality
and legality of covert NSA programs unveiled by Edward Snowden, many
of the bigger issues have been missed. Like, for example, how some NSA
programs are clearly desperate attempts to stave off the inevitable
advancement of technology set to make its life hell.
When Napster first popped up in 1999 the music industry had it
covered. Dispatch the lawyers and problem solved, right? Riiiight?
Wrong! In this talk Patrick Gray argues that in the medium to long
term the NSA, like the music recording industry, will fail in trying
to cripple consumer technology. This leads us to the ultimate question
of Life, The Universe and Snowden: How can a government fulfil its
obligation to protect its citizens when it can no longer reliably
intercept electronic communications?
|Location||Sat 09 1200 @ The Opera House|
|Bio||An Australian analyst, journalist, and commentator on information
security, Patrick Gray has been covering the infosec space for over a
decade. He produces and presents Risky Business, an information
security podcast that has won four Lizzies (Australia’s premier IT
journalism awards) -- including Best Audio Program and Best Technology
Title. He has written about the Snowden leaks for Wired.com. Twitter:
|Title||P0wning a public transport system|
|Abstract||The operators of a certain NZ public transport system told us it used a "safe and secure smart card", but of course it was proprietary, we just had to "trust" them. Someone might want to explain terms like "white-list", "encryption" and "server side validation" to them because they made some very non-smart security decisions. In this talk I'll explain the details of reverse engineering the system, the cards, protocols and formats used. While doing so I discovered a number of vulnerabilities in this smart card system. It turns out there are both client side and server side vulnerabilities, which allow total exploitation. |
|Location||Sat 09 1345 @ The Opera House|
|Name||William "AmmonRa" Turner|
|Bio||Sell out code monkey by day, DIY cyborg by night, AmmonRa has lurked around Kiwicon
for the last few years and finally lucked into having something to talk about this year.|
|Title||Automating Advanced XPath Injection Attacks|
|Abstract||The current tools available to exploit XPath injection suck. In this talk I will go logarithmic on their ass and introduce an injection tool that your mother would be proud of. From web developers who use XML there shall be much wailing and gnashing of teeth.|
|Location||Sat 09 1415 @ The Opera House|
|Name||Paul 'sss' Haas|
|Bio||Paul Haas rejects the tyranny of ASCII and returns to you the 𝐛𝓮αʋ𝘁𝚒𝚏𝕦𝙡 𝚙𝙧𝛐𝚜𝖊 օ𝖋 𝐔𝑛ı𝖈໐𝘥℮. With over nine years of experience, he is currently employed with Security-Assessment.com in Wellington performing a variety of computer security assessments. When not solving problems he enjoys increasing their complexity and is known to respond to Mario Kart duels with great gusto.|
|Title||Responsible Vulnerability Disclosure|
|Abstract||Disclosing security vulnerabilities can be a dangerous business. While there are systems in place for handling disclosures to most major software companies, the process for disclosing vulnerabilities to local organisations is a lot less discussed.
As the discloser, there is always the chance that you are accused of hacking and get a visit from the police merely for identifying an issue. As an organisation, you can find yourself on the front page of the news when someone goes public with an issue.
This talk outlines the dilemmas faced when stumbling across that SQL injection in the local shopping site and proposes mechanisms to safely get the right people told about it. It also discusses how organisations can make it more likely that security vulnerabilities are reported to them directly, rather than through the press, and what the NZITF is currently doing to try and make things better.
|Location||Sat 09 1445 @ The Opera House|
|Name||Nick von Dadelszen & Ben Creet|
|Origin||Wellington, New Zealand|
|Bio||Nick von Dadelszen is the technical director at Lateral Security. Nick has been performing professional penetration testing for over 12 years and has managed several successful penetration testing teams. He has worked with the majority of large corporates and Government agencies in New Zealand and is a regular presenter at OWASP and Kiwicon conferences.
Ben Creet is a senior policy analyst in the Department of Internal Affairs' information and technology policy team. Ben has worked in the health, justice, and information technology portfolios and joined the New Zealand Internet Task Force in 2012. He is studying towards a Masters in Strategic Studies and leads the NZITFs Responsible Disclosure Working Group
|Title||Crypto Won't Save You Either|
|Abstract||Cryptographer Adi Shamir, the 'S' in RSA, once said that "cryptography is bypassed, not penetrated". In the light of the Snowden revelations about the NSA, various people have proposed the use of crypto in order to evade NSA surveillance. From games consoles to smart phones, this talk looks at ten years of trying to secure things with crypto that ultimately failed, not through anyone bothering to break it but because it was much easier to just bypass it. The lesson from all of this is that you need to secure every part of the system and not just throw crypto at one bit and assume that you'll be
|Location||Sat 09 1515 @ The Opera House|
|Bio||Peter Gutmann is a researcher in the Department of Computer Science at the
University of Auckland working on design and analysis of cryptographic
security architectures and security usability. He helped write the popular
PGP encryption package, has authored a number of papers and RFC's on security
and encryption, and is the author of the open source cryptlib security
toolkit, "Cryptographic Security Architecture: Design and Verification"
(Springer, 2003), and an upcoming book on security engineering. In his spare
time he pokes holes in whatever security systems and mechanisms catch his
attention and grumbles about the lack of consideration of human factors in
designing security systems.|
|Title||Detecting and preventing data-crime in a petabyte world|
|Abstract||In 2013 most medium enterprises are dealing with terabytes of data; large enterprises petabytes. This presents some difficulties when attempting to detect data-crime where often the traces left behind measure only in bytes. This talk will discuss this problem and look to the future in solving it and demo some free tools that can be used to expedite investigations.|
|Location||Sat 09 1615 @ The Opera House|
|Bio||David Litchfield is a computer security researcher working for Datacom TSS in Australia. He is the author of the Oracle Hacker’s Handbook and co-author of the Database Hacker’s Handbook, SQL Server Security and the first edition of the Shellcoder’s Handbook. He is pioneer in the field of database forensics and developed the first comprehensive suite of tools for database breach investigations. In 2011, he helped investigate the Sony Playstation Network data breach, the largest breach to date, and was able to produce a detailed activity map and timeline of what the hackers did to the database once they’d broken in. He has worked for Accuvant, NGSSoftware, @stake, Cerberus Information Security and Exodus Communications and contracted for GCHQ and provided training and advice to the Security Service, the NSA and the BSI.|
|Title||Socially Awkward: Overview of Social Engineering and practical strategies to combat them|
|Abstract||In this presentation I'm going to cover the techniques to hack your fellow Human! I'll tie these into a real life audio example (anonymised of course), showing escalating from no access to an authorised and authenticated user to gain remote access to a internal network by implementing these techniques.
I'll also provide practical techniques which can be used to combat them without having to social engineer the bank to fund them!|
|Location||Sat 09 1645 @ The Opera House|
|Origin||Wellington, New Zealand|
|Bio||My name is Robin Lennox, I work as a Security Consultant at Aura Information Security in Wellington.
My current role as a security consultant is built on over 8 years experience of testing, securing, administrating and developing IT systems. During this time I have been responsible for:
Security reviews and penetration testing of servers and network infrastructure.
Security testing implementations of web applications.
Red-teaming including developing social engineering attacks.|
|Title||Thunderbolts and Lightning ⚡ Very, Very Frightening|
People keep talking about Thunderbolt DMA attacks as though they're a foregone conclusion. Thus far, we haven't seen one that doesn't involve using a Thunderbolt to FireWire adapter. This kind of attack, when performed against current hardware, is subject to the same limitations and mitigations as the FireWire DMA attacks we've seen since Kiwicon's very own Metlstorm winlockpwned his way to fame in 2006.
In this talk, rzn and snare will discuss their approach to attacking systems with a Thunderbolt port. Will our heroes triumph over evil, or will they get hit by a bus?
|Location||Sat 09 1715 @ The Opera House|
|Name||snare & rzn|
|Origin||Melbourne, Australia and Auckland, NZ|
|Bio||snare is an internationally renowned hacker, who is loved and respected by security groupies, rock stars, and Prime Ministers the world over. rzn is not.|
|Title||Disrupting the Norm with Supernatural Shenanigans|
|Abstract||Every day, technology quietly fails us. The causes of these failures can have serious ramifications. One could MitM large userbases - intercept email, web, voice and more - without detection or disruption. Or all of it could stop working, a universal Denial of Service.
Technological defenses to protect against such attacks can be bypassed, and by doing so allow attackers to undermine core Internet infrastructure. These attacks have been discussed before, but the depth of the issue is greater than previously thought. Let me tell you just how out-of-this-world this problem is, and why it's important for network operators to step up to protect their users.
|Location||Sat 09 1745 @ The Opera House|
|Name||Nick 'vt' Freeman|
|Bio||vt (no, not Vertical Tab), otherwise known as Nick Freeman, works at Security-Assessment.com in (mostly) Auckland. When not hacking to bring home the smokiest of bacons, he enjoys hanging out with his cat, playing Mortal Kombat and working on one of SA's most cherished research projects, dubbed 'cheeseburger assessment'.|
|Title||MEGA's approach to accessible E2E - insecure by design?|
|Abstract||MEGA's primary design goal was easily accessible client-side cryptography. Using the world's most ubiquitous runtime environment seemed like a natural choice, but was it really a good one from a security/trust perspective?|
|Location||Sun 10 0930 @ The Opera House|
|Name||Mathias Ortmann and Bram van der Kolk|
|Bio||Mathias is CTO of Mega Ltd. and Bram is chief programmer. Previously with Megaupload.|
|Title||The 七 of Big Data: Finding Whiro|
|Abstract||We know many different types of data are generated and
captured at high speed but what do we know about weaknesses introduced?
Security still is widely misunderstood and discussed haltingly with regard
to Big Data. This presentation brings forward the giant Hadoopy
elephant in the room and offers the audience some real-world puzzles
to solve. Examples are presented of humorous failures as well as successes.
You might think your security problems are a pain until you are asked tohelp find Whiro in the 七 of Big Data.
|Location||Sun 10 1000 @ The Opera House|
|Origin||San Francisco, CA, USA|
|Bio||Over 18 years managing global security operations and assessments, including a decade of leading incident response and digital forensics. Co-author of the book "Securing the Virtual Environment: How to Defend the Enterprise Against Attack". Currently Senior Dir of Trust for EMC. Formerly responsible for security at Barclays Global Investors (BGI) the world's largest investment fund manager. Prior to BGI a "dedicated paranoid" at Yahoo! managing
security for hundreds of millions of mobile, broadband and digital home products.|
|Title||Finding the fox - Firefox forensic|
|Abstract||Web browser forensic plays an increasingly important role in modern computer forensic. This is because more and more law and/or incident cases depend on user internet activities. In this presentation I will explain the artifacts involved in Firefox forensic:
My open source tool called f0xchas3r will be demonstrated for evidence investigation at the end of presentation.
- DOM storage
- Firefox Cache files format + cache records
- web history
|Location||Sun 10 1115 @ The Opera House|
|Bio||Andy Yang is a senior security consultant and researcher at Securus Global, where he works on security testing to protect client’s critical information assets. He is passionate about all sorts of security things and has published security advisories for a number of tech giants.|
|Title||Evolving Ecosystem Security|
|Abstract||Over the last decade Microsoft has invested heavily in security though initiatives like the SDL, and the result has been a reduction in the attack surface and vulnerabilities in our products and services. More recently Microsoft has focused on reducing the window of opportunity that attackers have to exploit vulnerabilities through the Microsoft Active Protections Program (MAPP) and releasing tools like EMET. Microsoft is now focusing its attention on reducing the lifespan of not only the vulnerabilities used by miscreants but also the infrastructure they use to conduct their attacks. This session will look at the new initiatives and tools coming out of the MAPP program. The mission for the MAPP team is simple: mitigate entire classes of attack and protect customers.|
|Location||Sun 10 1145 @ The Opera House|
|Name||Paul 'narc0sis ' McKitrick|
|Bio||Paul is a Senior Security Strategist in the Microsoft Security Response Centre and is responsible for managing Microsoft's international relationships with the incident response community. Now residing in the beautifully misty shores of Seattle, Paul is originally from New Zealand and worked for the .NZ ccTLD, prior to that he worked the NZ government for the better part of a decade. Paul still gets warm fuzzies from the fact that he was the founding Chair of the New Zealand Internet Task Force (NZITF)|
|Abstract||The AFPs CyberCrime Operations area conducted an investigation into the activities of the hacker known as “evil”.
This presentation will chronicle that investigation.
|Location||Sun 10 1215 @ The Opera House|
|Bio||Alex has been in IT security for almost 12 years, his background is in (legitimate) online casinos and banking|
|Title||Serialization Formats Aren't Toys|
|Abstract||Dear Web App Developers,
Do you have an API? Do you accept input from users? Do you accept it in XML?
What about YAML? Or maybe JSON? How safe are you? How sure are you about
It's not in the OWASP Top 10, but you don't have to look far to hear stories
of security vulnerabilities involving deserialization user inputs. Why do
they keep happening?
In this talk I'll go over what the threat is, how you might be making
yourself vulnerable and how to mitigate the problem. I'll cover the features
(not bugs, features) of formats like XML, YAML, and JSON that make them
surprisingly dangerous, and how to protect your code from them.
Because here's the thing: If you are using, say, a compliant, properly
implemented parser to parse your stuff, you are NOT safe. Possibly quite
|Location||Sun 10 1400 @ The Opera House|
|Bio||Tom is a senior Python developer and technical lead for Catalyst IT, New
Zealand's largest company specialising in open source. Prior to that he
worked as a developer and system administrator for the University of Otago
Faculty of Medicine and as a Computer Science tutor for same.
Tom has developed a healthy paranoia as a direct result of drinking with
|Title||WTF is this thing…?|
|Abstract||People gave us digital content. We have to make sure we can access the information encoded in the file and accurately return it to researchers at any time.
My problem is, what do we do when we have no idea what the file are looking at is?
Sometimes I prod them until UTF-8 falls out. Sometimes I go on missions to track down the original creating software. Sometimes I make a best guess, based on other things we've seen that appear the same. Sometimes we try and reverse engineer the data and turn a binary 'blob' into a working file. Very occasionally they go in a pile of things that have stumped me :(
I will briefly describe our current practices and then show a few file types where we literally have no idea wtf to do with them. Then you can tell me how you would figure it out…
|Location||Sun 10 1430 @ The Opera House|
|Origin||Wellington, New Zealand|
|Bio||I'm a digital preservation analyst for the National Library of New Zealand.
I help look after some the New Zealand's digital heritage content.
My role is technical preservation analysis, with a specific focus on "file format".
Amongst other things I try and make sure that our library folks can access digital content properly and that they are looking at the data through a suitable lens.
I've been doing this for 3 years, before that I worked in Digital Forensics in the UK for the MPS, and the Home Office.
|Abstract||Have you ever failed? Of course you have.
This talk expounds some of my recent failures and what I learned (if anything).
Topics may include Vendors, SNMP, BGP and Bitflipping.
There may be a nice slide at the end with a picture of the internet.|
|Location||Sun 10 1445 @ The Opera House|
|Origin||Wellington, New Zealand|
|Bio||trogs has been reading your emails, listening to your voip calls and cleaning up all those csv files you left in /tmp since ages ago. He knows a lot about tubes|
|Title||A Practical Guide to Avoiding Prism |
|Abstract||In this lighting talk, Jen and Aurynn will take you on a whistle-stop tour through some of the simple, not-so-simple and
really-bloody-annoying things you can do to avoid your every digital thought being subject to inspection, and assess how practical and effective such techniques are (versus how obnoxious they are to implement).
|Location||Sun 10 1500 @ The Opera House|
|Name||aurynn & jenofdoom |
|Origin||Wellington, New Zealand|
|Bio||Not to be mistaken for the itinerant crime fighting duo,
Nej and Nnyrua, Jen and Aurynn are devs at Catalyst IT, where they do open-sourcey-developy stuff.|
|Title||Collapsed Pavlova & Apple Crumble|
|Abstract||Imagine what treasures you might find if you had a searchable and indexed database of decompiled mobile applications. Collapsed Pavlova & Apple Crumble is to the Android and iPhone ecosystem what Low Hanging Kiwifruit is to the web. This presentation will provide a brief overview of a new tool (Mobile Application Decompilation Security & Hacking Inspection Toolkit) and a more detailed look at some of the weird and wonderful things that have been packaged into mobile applications (accidentally?).|
|Location||Sun 10 1515 @ The Opera House|
|Origin||Auckland, New Zealand|
|Bio||Karl is a Solutions Architect in the NZ office of a large US corporate working in the financial sector. He has an unhealthy inclination towards mobile application security and a healthy appreciation of extreme sports and alcohol.|
|Title|| Botnets of the Web – How to Hijack One|
|Abstract||A relatively small but also somewhat unknown type of botnets are automatically attacking web servers and joining them together into a classic C&C botnet. These bots are flawed by design and often use code from each other, thus the same types of flaws are consistent among almost all bots encountered. This presentation dives into finding these botnets, what the flaws in these bots are, how to exploit them, and a live demo.|
|Location||Sun 10 1600 @ The Opera House|
|Name|| Hans-Michael Varbaek|
|Bio||Hans is a Security Consultant at Sense of Security and is an active part of the penetration testing team. He is an IT security specialist, independent researcher, and penetration tester.|
|Title||Closing Thoughts: When Thought-leadership becomes thought-crime|
|Abstract||Our final guest needs no introduction.
So we're not going to give him one.
But we'll give ya some clues:
- He once called Flavor Flav a try hard.
- He only wears suits he had handmade in China.
- He's had more jobs than Andrew Kelly.
- His GCSB file has been described as engorged.
- He's loud. He's proud. He's wrong.
- And he's coming...
|Location||Sun 10 1630 @ The Opera House|
|Origin||The Mahler Gobi|
|Bio||He one day hopes to rid himself of crabs.|