Here’s a whole mess of notes I made as part of my week at AusCERT 2016. It’s my first conference, and I didn’t know what to expect, but it was an overall good experience. Tuesday I couldn’t get into any of the tutorials, so I ended up working. Sigh :(

Monday

I got into the Monday tutorial “Cyber Incident Handling” run by AusCERT’s General Manager, Thomas King. A day-long summary of the NIST guide and the ASD ISM along with some discussion about incidents. More high-level and aimed at managers than I was expecting, but worth going to.

Wednesday

Chris Soghoian, ACLU

• reminded us that encryption’s required for everything we do.
• the intelligence community says they’re going for bad guys, but that also means us, because we’re in the way.
• overall, an amazing speaker and I can’t wait to look up more of what he’s up to.

Nick Savidies, Symantec

• saving ourselves from the top 1% really requires us to focus on the rest of the 99% of the stuff we should be doing.

Free Stuff!

• CSO - LootCrate “Summon” from September 2015 - review here
• AusCERT polo shirt and calico bag
• ZScaler soft hammers
• LEGO Minifigure, Kendo Fighter from Series 15! :)

Tech #1 John Bambenek - malware

• He runs Fidelis Security
  • https://barncat.fidelissecurity.com/users/login
• MISP / www.misp-project.org
• Spoke about Kev, great project pulling apart malware.
  • also malwareconfig.com
• Gave great advice to remember to mine your:
  • spam folders and blocked things
  • proxy logs
  • anything else you’ve got that can provide data, don’t ignore the blocks

Tech #2 Justin Clacherty - Building Automation

• KNX building automation standard
  • unauthenticated
  • not encrypted
  • fairly easy to hack

This stuff is going to get more and more problematic unless vendors really engage with security, I’m surprised there aren’t more problems.

Tech #2 Hinnie Hetterna - Welcome to the after-hack part : Detecting and mitigating the pivot

• talking bout tools turning into weapons, defending the fortress etc.
• I’d love to see his full course on tactics, techniques, procedures
• Packet beat - profile data on the fly - I’m definitely going to check this one out.

Tech #3 Mark Carey-Smith - Maximising Efficiency in Security Operations

Mr Carey-Smith’s talk had a point, but I think it missed it. Collaborating with customers, automating repeated tasks and fostering communication are important points. The talk got waylaid by a needless, too-technical but not-technical-enough introduction into BIND RPZ which was only tangentially related to some really cool things they’re doing with finding Fast Flux/Dynamically Generated Domains.

Death by powerpoint was a terrible risk - everything that was said was written on the slides - when will people learn?

Thursday

Darren Kitchen - The Curse of Convenience: How Plug and Play became Plug and Pwned

• “Over 9000” dropped twice, cute. :)
• talked about:
  • the original pineapple
  • the rubber ducky
  • the turtle
• Great speaker, very good at what he does.

Aamir Makhani - Spies, Geeks, and Tracking: using Threat Intelligence to hunt for data

• He bought old drives and phones etc. mined it and found gold.
• Remember to check out your devices’ location data - frequent locations are amazing
• Facebook - put in the phone number, get name/profile - never get notified
• Photobucket recent uploads - the mobile app automatically uploads everything to a public feed by default, it’s amazing what you can find.

Zoltan Balazs - Sandbox Detection: Leak, Abuse, Test

Good overview of how bad actors can detect that they’re in a sandbox. It’s the things you don’t think about until you have to which matter :)

Bradley Schatz - Speeding up Forensics

Bradley’s done a lot of great work, and he gave a good talk on the history of Forensic imaging techniques. Smelt heavily of an ad by the end however.

Friday

Troy Hunt

• Hoodies + green text + bad music = hackers
• Want to get ready for hacking in windows? Open cmd and type “color a”
• <hackertyper.net> - used in the cujo security-in-a-box ad
• You (we?) should learn to use sqlmap.py
• Motherboard: “another day, another hack: is your fisting site updating its forum software”
  • http://motherboard.vice.com/read/rosebuttboard-ip-board
• El Reg wins the combined headline/stock photo competition.
  • http://www.theregister.co.uk/2016/05/11/embarassing_data_breach/

Zoltan Balazs the Hungarian - Hacking highly secured enterpise environments

• I won a Rubick’s cube!
• “they think the barrels are full of fish, but they’re actually full of hobbits”
• He does his demos in pre-recorded video, not live - I think this is much better idea for most presenters - though there’s some notable exceptions who are amazing! :)

Wayne and Sun Huang from Proofpoint - Russian actors

• Ten minutes of showing us uninteresting PHP scripts rather than talking about the details of the hack, sounded amazing, but I had to leave.

By the end of the conference I was quite drained, a week of trying to concentrate while sitting in terrible hotel chairs, and sleeping in a bed which could be best described as horrible took a toll. I definitely learned a lot, and had some good chats with vendors about their upcoming products. I’m sure I’ll be fending off salespeople for months, but I can see some good things on the horizon. :)