The conference will be a one day event.
Gergana Winzer will be opening our conference this year and will talk about Emerging Cyber Trends in her keynote at Track One at Guthrie Theatre. As a cybersecurity professional, Gergana works with clients to develop creative and pragmatic approaches to reduce their cyber and data security risks. She assists organisations to improve their cyber security posture and supports them to achieve cyber resilience outcomes. Gergana believes that cyber is a business enabler: an intrinsic part of developing the business that can help organisations become more competitive in today's world. Gergana has worked within several industries and assisted clients to achieve their cyber security goals in Federal, State and Local Government, Banking and Financial Services, Health, Utilities, Education, Agriculture, Transport, Retail and others. She is an experienced and respected member of the cybersecurity community in Australia and Asia and an engaging keynote and public speaker on cyber security and privacy matters, risks and issues for the business community. In her spare time, she mentors young professionals and is an advocate for diversity.
Thomas Roccia is a Senior Security Researcher at Microsoft. He works in the Defender team to improve detection and research novel techniques. Previously, Thomas worked at McAfee in the Advanced Threat Research team, where he worked on threat intelligence, tracked cybercrime campaigns, and collaborated with law enforcement agencies. He performed worldwide incident response, malware hunting, and helped customers during major outbreaks. He speaks regularly at security conferences.
Adversarial machine learning (or AML) is a field growing in prominence that represents the ability to ‘hack’ artificial intelligence (AI) and machine learning (ML) algorithms by poisoning data sets imperceptibly before training, by evading classification, leaking confidential information or by hijacking the model’s function to make it do something it wasn’t intended to. The rapid uptake of AI/ML systems by organisations means the attack surface is growing significantly. I believe AI/ML security may soon join cyber security as one of the greatest technological and geostrategic threats. However, there is still time to learn from the lessons of cyber security, and speaking about AML at a great conference like BSIDES will help this to occur.
Harriet Farlow is a PhD Candidate in Cyber Security at UNSW Canberra and an Assistant Director at the Department of Defence. With a passion for bridging technical and non-technical disciplines, Harriet's professional experience spans consulting, academia and a technology start-up. She has worked and lived in the UK and the USA. She holds a Bachelor of Science in Physics and Bio-anthropology, and a Master of Cyber Security, Strategy and Diplomacy.
Developers work hard to create software that users love, but the topic of security is often seen as someone else's responsibility. Developers rarely get the training they need to work with a security-first mindset. AppSec teams are there to point out coding problems and tear apart a developer's beautiful software. This relationship can be fixed with a security-first approach for developers.
Erica Wass is Vice President of Product Management at SecureCodeWarriors, leading product and content teams and driving product strategy and roadmap. Erica credits her lifelong interest in technology as driving her interest in product and its role in improving business outcomes. Before joining SecureCodeWarriors, Erica was a Senior Director of Product in Zendesk's Melbourne office. In 2018 she was honored and named a Leading Woman in Product in Australia. She moved to Melbourne from New York City with her family in 2014. Erica is a graduate of Barnard College in New York City and holds advanced degrees in journalism and law, where she focused her studies on digital storytelling and the Internet.
Software applications are no longer independent monoliths; instead, they are built up from thousands of different tools, components and services. This creates both huge opportunities and security challenges. Drawing on recent examples and on monitoring hackers in real time, this talk explores why the internet is broken and how to fix it.
Mackenzie is a developer advocate with a passion for DevOps and code security. As the co-founder and former CTO of an Australian health tech startup, Conpago, he learnt first-hand how critical it is to build secure applications with robust developer operations. Today, as the Developer Advocate at GitGuardian, Mackenzie is able to share his passion for code security with developers and works closely with research teams to show how malicious actors discover and exploit vulnerabilities in code.
We live in a pretty awesome city, one of the world's greatest urban littoral environments, that is undergoing monumental change in terms of its infrastructure and its character, but also in the technology we depend on as a city to live. The purpose of this talk is to provide an overview of the wireless technologies that exist in a city like ours and to extend to attendees an opportunity to go exploring. I will cover considerations of modern urban environments, pathways for reconnaissance and mapping out the environment, tools, techniques and methods for exploring wireless technologies through software defined radio, and finally some of the cool stuff I have observed over the years. Wireless tech is still very much the undiscovered country, so let's have some fun and see what we can find.
Edward Farrell is a security consultant with over 12 years’ experience in cyber security and 17 years’ experience in the IT industry. As the director of Mercury, one of Australia’s leading independent security firms, he has conducted or overseen the delivery of 800 security assessment activities and incident responses in the past 7 years. His professional highlights include lecturing at the Australian Defence Force Academy, being rated in the top 200 bug bounty hunters in 2015 and running an awesome team of security professionals.
SIM Swapping has traditionally been a very strong attack vector. The ACMA has implemented new legislation in an attempt to mitigate it, but has it been effective? An exploration of SIM Swapping and the security of SMS-based MFA in 2022.
John Abood is a Security Consultant at CyberCX, with a background in Infrastructure Support and, before that, a career in Radio operations! I am a horrible romantic for social engineering, physical penetration testing and any other unorthodox methods of hacking.
It's 1960s Berlin. The Cold War is never colder and the stakes never higher. Missiles have been discovered in Cuba, JFK's been assassinated, Soviet and US tanks face off less than 100 metres apart on Friedrichstrasse. Foreign Military Intel teams have mutually sanctioned access to each other's territory but aggressively evade their "watchers" in pursuit of unsanctioned access. Multiple nation states work furiously on both sides of the Berlin Wall to exploit the other's weaknesses and communicate covertly.
Mike Pritchard has been part of the IT industry for over 30 years and the cyber sector for over 10 years, and is keen to use his (ahem) greybeard years to "give back" to the community. Mike has more recently joined an Aussie startup and begun showing the core collection that will go into the first cyber / espionage museum in Australia.
Misconfigured DNS can be the downfall of a client's entire security model. This talk will *walk* you through how DNS can be fun with war stories about spoofing federal government email, DNS zone dumping paypal.com and collecting credentials from the sun.
Harrison Mitchell is a Senior Security Consultant at CyberCX within the Adversary Simulation Team.
Encrypted USB hard drive enclosures are a challenge for forensic investigators when passcodes have conveniently been forgotten. This talk demonstrates the process of investigating the underlying hardware and determining attack vectors. Buses were sniffed, communication protocols were reverse engineered, and lots of trial and error followed until a solution was found to determine the passcode and decrypt the hard drive contents.
Robert Fearn has worked in Digital Forensics for over 10 years with a background in Electrical and Software Engineering. He has worked for Law Enforcement, legal firms, cybersecurity and is currently a Security Engineer at Canva. He has a keen interest in hardware hacking, building circuits with microcontrollers and medieval musical instruments.
The stage is set - You've been a CyberSecurity Professional for a few years, developed the magical CyberSecurity Skills that show you're a wizard, and you're seeing that you are being charged out at a high Daily Rate and want some of that for yourself. This talk takes the audience from zero to hero with 8 steps needed to start a CyberSecurity Consultancy with Global Reach.
Gordon Draper is the Director and CEO of the CyberSecurity Consultancy Fortsafe.com, whose clients include the Banking and Finance Industry. He has over 20 years' experience in the IT Industry and oversees services including Red Teaming, Penetration Testing, Incident Response, and Governance, Risk and Compliance, including Cyber Security Assurance. He has developed Cyber Security Questionnaires based on the NIST 800-53 Controls Framework, ISO 27k and CSA-CCM which assess vendors' solutions for clients. He has presented at the International Conference Defcon 27 and at SecTalks, covering previous research into Bitcoin hackers trying to steal money from a honeypot. In his spare time he hunts for Bug Bounties and develops training courses for the next generation of Info Sec professionals.
Introducing the interesting world of Supply Chain Security. This talk will provide attendees with a look at the current state of supply chain security, look at core supply chain concepts and provide a roadmap for organisations of all sizes.
Ben Gittins is a Senior DevSecOps engineer working in Canva’s supply chain team. He has a background in system administration, security and DevOps with extensive experience and tertiary education to match. He is passionate about developer driven cybersecurity.
After discovering a subdomain takeover that was used to serve an obfuscated JavaScript, I went down the rabbit hole to figure out what it was doing... A typical response to a subdomain takeover is to remove the dangling DNS records; however, few teams bother to investigate further, report it to SaaS/Cloud providers to coordinate takedown of these malicious accounts and infra, share IoCs, etc. JavaScript especially seems to scare many and is rarely talked about in the InfoSec community, yet the web, which we all use every day, is an often used avenue to deliver malvertising or malware to users. By telling my own journey of discovery, I hope to encourage others to do the same and educate attendees in various techniques used to obfuscate, deobfuscate, or hinder deobfuscation of JavaScript files.
Andy Vermeulen joined Rokt, an e-commerce marketing technology start-up, as a JavaScript developer almost 10 years ago. His role evolved quickly into full-stack web app development and as the company grew he started getting involved with Cloud infrastructure and Dev(Sec)Ops pipelines. For the last 6 years 'Sec' has taken the forefront and Andy now manages the Security team, where he is responsible for application, infrastructure and endpoint security controls.
Have you ever fallen victim to a phishing campaign? Or know someone who has? Chances are the answer is yes. Phishing campaigns are becoming increasingly difficult to detect. The evolution of these campaigns over time has led to a high level of sophistication. Now add deepfakes into the mix, and detection becomes even more challenging. This talk will provide examples of phishing campaigns using this technology, explain why OPSEC is so important, and discuss the future implications.
Ever since her first Tracelabs CTF in 2020, Venessa Ninovic has dived head first into the OSINT space and not looked back. Participating in various CTFs, engaging with the OSINT community, and writing blogs in her spare time, Venessa is constantly learning new skills and techniques. She is currently an intelligence analyst, and won the AIPIO 'Emerging Intelligence Practitioner' Award for 2022.
Triskele Labs presents their DFIR experiences from 2022, which has included many ransomware and BEC incidents, often involving sophisticated Threat Actors such as Conti and Black Basta. We discuss trends, techniques, indicators, and deep dive into a particularly ruthless attack in which the Threat Actor achieved complete domain compromise, exfiltration and ransomware execution in just 14 hours.
Jack Rutherford is the CTO of Triskele Labs, an Australian cyber security boutique. Having spent 5 years at Triskele Labs and 10 years in cyber, he comes from an offensive security background, previously leading the penetration testing and red teams within Triskele Labs. Before that, he spent several years working in cyber security in government at both Defence and the ATO. Jack sits on the Australasian Advisory Board for CREST International and represents the Australasian chapter on the CREST International penetration testing subcommittee.
Richard Grainger has 15 years of experience working within technical IT roles, with the last 10 years dedicated to law enforcement and industry in specialist digital forensic, incident response and cyber investigation. More recently, Richard has combined his deep skill-set in digital forensics with the skills required to respond quickly and effectively to real-time and ongoing incidents, in an incident response capacity. On a daily basis, Richard helps organisations recover from devastating cyber attacks whilst preserving and collecting digital evidence to ensure the organisation is safe in the future. Richard is also responsible for assisting the Triskele Labs 24x7x365 SOC with ongoing investigations, Threat Hunting and driving continuous improvement.
As APIs are being utilized to normalize data transfer from various application endpoints and third-party resources, we have created interconnectivity that invites attacks. Instrumenting oneself to ensure data integrity and security can be the difference between a minor incident and a major data breach. In this talk I will discuss what my research has shown about Indicators of Compromise that already exist in your APIs. I will go over recent attacks that we have fended off as well as those that have been observed at other organizations. Within this discussion will be how to instrument yourself to pull the indicators from the data.
For the last 20 years, Jason Kent has been ethically peering into Client Behavior, Wireless Networks, Web Applications, APIs and Cloud Systems, helping organizations secure their assets and intellectual property from unauthorized access. As a consultant he has taken hundreds of organizations through difficult compliance minefields, ensuring their safety. As a researcher he has found flaws in consumer IoT systems and assisted in hardening them against external attacks. At Cequence Security, Jason does research and community outreach and supports efforts in identifying Automated Attacks against Web, Mobile, and API-based Applications to keep Cequence's customers safe.
We've come a long way since the early days of client-side security when injection attacks like XSS and SQLi were rampant. Modern frameworks come with a lot of out-of-the-box protections. But along with the frameworks, the attackers have also evolved. In this talk, Kaif Ahsan, a Product Security Engineer at Atlassian, will share the most common ways modern web applications are hacked, many of which he regularly comes across at work. This talk will be beneficial to a wide range of audiences, both offensive and defensive. Kaif will share various techniques and examples of exploiting modern web applications built with frameworks like React and Angular, which will be useful for pentesters and bug bounty hunters. Furthermore, we will explore various best practices to tackle these vulnerabilities and build secure web apps, which are relevant for security engineers and developers.
Kaif Ahsan is a coder by passion and a hacker by profession. He started his journey in tech as a Software Engineer but soon fell in love with the art of breaking software. His knowledge of development and cybersecurity has naturally led him to the Application Security space, where he currently works as a Product Security Engineer at Atlassian. Kaif is a big proponent of education and open access to knowledge. He regularly volunteers to run cybersecurity workshops at various universities as well as giving talks at local meet-ups and conferences. He is also the co-host of the YouTube channel Everything Cyber, where he shares hands-on and conversational videos on tech and cybersecurity. His videos target intermediate-level professionals and help them gain expertise through practical content.
It seems that almost every week we hear about a data breach that involves the personal information of customers being sold to anyone interested in acquiring it for their nefarious purposes. We may be faced with deadlines at work or try to make the most of limited resources while facing technical debt in our different organisations. It seems that almost everybody in our industry is overworked and probably suffering from burnout. Our consolation is attending infosec conferences during weekends and commiserating with our fellow infosec tribe members. How about if we just take a step back and look at the human aspects behind all these attacks?
Gyle dela Cruz first got connected to the internet via her reliable 56k US Robotics modem and has been fascinated ever since with technology and security. She got her Graduate Certificate in Incident Response from the SANS Institute and her master’s in cyber security – Digital Forensics from UNSW Canberra. She is a product of the Project Friedman, which is an initiative by WomenSpeakCyber and AWSN to produce more conference-ready women speakers. She contributes to the infosec community by volunteering for different community-based organisations, mentoring others and advocating for diversity, inclusivity, and better mental health support for everyone in the community. When she can’t sleep, she listens to various types of music where she gets ideas for her presentation titles.
Artificial intelligence (AI) is a part of everyday life. Daily schedules are organized using voice assistants. Streaming services offer recommendations for movies to watch. AI helps manufacturers create new and better products. It can also be used to predict and prevent the spread of bushfires. There are several elements that the AI governance frameworks and principles discussed in this talk have in common. These components can be used by an organization to inform its own AI governance strategy.
Hafiz Sheikh Adnan Ahmed's journey started back in 2005 as a Quality Assurance Engineer, and over the years he shaped his career in the areas of information and communications technology (ICT) governance, information and cybersecurity, business continuity and organizational resilience, data privacy and protection, risk management, enterprise excellence and innovation, and digital and strategic transformation. He is an analytical thinker, writer, certified trainer, global mentor, and advisor with proven leadership and organizational skills in empowering high-performing technology teams. He is a certified data protection officer and won Chief Information Security Officer (CISO) of the Year awards in 2021 and 2022 from GCC Security Symposium Middle East and Cyber Sentinels Middle East, respectively.
Hafiz is a public speaker and conducts regular training, workshops, and webinars on the latest trends and technologies in the fields of digital transformation, information and cybersecurity, and data privacy. He is an ISO Lead Auditor and ISO Management Systems Auditor for ISO 9001, ISO 20000, ISO 22301, ISO 27001, and ISO 27701 Management Systems. He volunteers at the global level of ISACA® in different working groups and forums. He is the Co-Founder and CIO of AZAAN Cybertech Consulting, where his role is to drive and align the business strategies of the company's clients towards an information- and cybersecurity-centric approach, and to oversee the people, processes, and technologies within those organizations to ensure they deliver outcomes that support the goals of the business. To know more about AZAAN Cybertech Consulting, visit https://azaan.net.au. Hafiz can be contacted by email at hafiz.ahmed@azaanbiservices.com
Kernel security continues to become an increasingly important issue, as the kernel presents an attractive alternative to userland targets. One of the fastest developing areas of kernel security is the heap, with new protections and improvements being frequently implemented. This talk serves as an overview of kernel heap defences, covering what they protect against, but also what they don't.
Zac Ecob is a first year computer-science student studying at UNSW with an interest in binary exploitation and systems programming. Zac competes in CTFs with the team Blitzkrieg, who've won the past two iterations of DownUnderCTF. He has also given a talk on introductory kernel exploitation at UNSW's student cybersecurity conference SCONES.
This workshop will use crAPI (completely ridiculous API), an open-source vulnerable API, as a base to provide a developer-centric API security training ground. Developers will be able to learn about API attacks and remediations. Blue Team, Product Security and Security Champions will learn how to deliver API-centric security training to developers.
Jayesh Ahire is the Founding Product Manager at TraceableAI, where he runs the company's API Security initiative. He is the maintainer of OWASP crAPI (https://github.com/OWASP/crAPI), Hypertrace, and many other notable OSS projects. He is an AWS ML Hero and Twilio Champion, and runs the API Security Global Community. He also runs AWS UG, Elastic UG, TensorFlow UG, and many other communities in the US and India. His research interests include distributed neural computers and DeFi. In his free time, he likes to read, and these days he is learning to play the piano.
02:00 PM - 05:00 PM
A hands-on workshop in which you will learn a black box approach to evaluating thick client applications, split between general-purpose thick client testing techniques and specific techniques and tools for .NET applications. The practical workshop is based on defeating security controls within two applications, concluding with how thick client applications break in the real world.
After several years operating an end-user support business, Clinton Kerrison began engaging with the infosec community and joined Alcorn Group in 2018. Now with CyberCX, Clinton is a senior consultant with experience in web app, mobile app, and thick client penetration testing, as well as wireless and hardware assessments. Clinton has presented at BSides Melbourne 2022, AusCERT 2022, CrikeyCon 2018, QuestNET 2018, and the SecTalks Toowoomba community meetup on topics from security implant devices to pathways into the industry, and has delivered training on .NET thick client pentesting, SSDLC, OWASP Top 10, and Security Awareness.
BSides Sydney 2022
Call for Sponsorship is now OPEN. Please contact for a Sponsorship Pack: info@bsidessyd.org
We have NO TOLERANCE for physical/verbal/sexual harassment of any human!
Our “Code of Conduct” is “Be Excellent to Each Other” AKA the Golden Rule. Failing that, it is “Do not be an Ass* or we will kick your ass out!”.
Why do we have an official anti-harassment policy for BSides Sydney? First, it is necessary (unfortunately). Harassment at events is incredibly common. Second, it sets expectations for behavior at the event. Simply having an anti-harassment policy can prevent harassment all by itself. Third, it encourages people to attend who have had bad experiences at other events. Finally, it gives event staff instructions on how to handle harassment quickly, with the minimum amount of disruption or bad press for the event.
Harassment includes offensive verbal comments related to gender, sexual orientation, disability, gender identity, age, race, religion, deliberate intimidation, stalking, following, harassing photography or recording, sustained disruption of talks or other events, inappropriate physical contact, and unwelcome sexual attention. Participants asked to stop any harassing behavior are expected to comply immediately.
Asking questions of a speaker during their talk, to get clarity or debate a point is NOT being an ass – heckling or haranguing the speaker IS. Harassment online or in electronic venues will be treated as seriously as physical harassment. If you are not sure, ask, or err on the side of basic decency and common courtesy. If what they are doing would not be acceptable to have done to you, your best friend, your worst enemy, your sister, niece, daughter, brother, nephew, son, mother, father, or any human being, do not let them treat anyone else that way – whether you know them or not. If someone asks you to stop – stop.
If a participant engages in harassing behavior, BSides Sydney organisers may take any action they deem appropriate, including warning the offender or expulsion from the event. If you are being harassed, notice that someone else is being harassed, or have any other concerns, please contact a member of conference staff immediately. Our Event Staff can usually be identified by special badges/attire. Please note, while we take all concerns raised seriously, we will use our discretion in determining when and how to follow up on reported incidents and may decline to take any further action and/or may direct the participant to other resources for resolution.
BSides Sydney staff will be happy to help participants contact venue/event security or local law enforcement, provide escorts, or otherwise assist those experiencing harassment to feel safe for the duration of the conference. We value your attendance.
We expect participants to follow these rules at all event venues and related social events.
*Staff/Volunteers reserve the right to determine what constitutes "Being an Ass".