purplecon 2019

The 87th annual purplecon was delightful and fun. Eschewing the typical black hoodies and replacing them with sparkles was an amazing choice and drove the friendly, welcoming feel of the entire con.

All talks were required to be:

  • positive,
  • defensive, and
  • actionable.

Which means they’re not just stunt hacking or dropping 0-days - they’re designed to improve the state of the art. The “great archive” is going to be a text archive summary of the talks, so…

you don’t have to watch a 45 minute youtube video to find that one piece of information.

- The hacker known as “Alex”

The schedule was great. I even read it before I turned up… fo sho. 😇 Onto the talks.

How to human in groups (sauramaia)

changing people’s minds is hard. each group has its own version of what’s normal. this talk is about how to work with the brain tools we’ve got to make the computer tools we want.

A great talk that I’ve seen before, which made me think about how to interact more effectively with those around me in order to achieve our goals together.

IAM confused: a deep dive into how permissions work (sera)

One of the hardest things to understand in the world of cloud computing has to be IAM - What is a role? What is a policy? How do I keep my engineers away from production systems? How do? The aim of this talk is to try and give some practical examples to help security teams understand whats going on, and how to use this to keep their infrastructure running smoothly and safely.

IAM is hilariously complex, and sera explained a load of the different terms, how they’re applied and how they work together (or against each other).

  • Principal - who
  • Action - what
  • Resource - where

Don’t accidentally give people (g)root.

The default managed Lambda access policy gives you DynamoDB, s3* passRole… something I certainly didn’t realise.

  • salesforce has policy_sentry, an IAM Least Privilege Policy Generator, auditor and analysis system.
  • Netflix Skunkworks has aardvark which provides an API for providing IAM Access Advisor services.

Embracing Empathy (Shahn Harris)

how through necessity I went from realizing that while my approach to InfoSec had always been classed as “pragmatic” it was empathetic. And that Empathy worked wonders in the most trying time of my career.

Shahn’s tale about people realising he’s “the kid from Taumarunui” and how it shaped his interactions within the organisation.

Developing empathy for who people are and how they live, work, and think really changes the game.

The business is going to business

and

You don’t want a security event to drive change

Two awesome take-aways from his talk - especially because he was the NZ security lead for Equifax during their massive incident. He gave a heart-stopping talk at Kawaiicon about the personal impacts on teams during incidents, but sadly it wasn’t recorded.

*banging fists on table*
STATE MACHINES STATE MACHINES
(William)

State machines help us to reason about our programs, how they work, how they wont work, and why they didn’t work - and from there, how we can design programs to never fail at all. There are state machines all around us. Let me show you how we can use them in code for security and robustness.

State machines and mathematically provable algorithms make me happy in ways most people won’t understand, and this is a great introduction to the topic. Notes and code examples are in his GitHub repo FirstYear/purplecon_state_machines. One day I hope to learn Rust. 🤔

Another one of William’s great talks, from pyconAU2019 - the infamous lightning talk on politics and history 😀

Against Lies, H*cking Lies (Anton Black)

using science and statistics to make decisions about how you run security is a great idea - 𝘪𝘧 you can interpret and represent your data accurately. but statistics is rife with potential pitfalls that can lead you to all kinds of false conclusions.

Statistics. Yeah, that.

Who loves purple? Oh, pretty much everyone here? So, expanding that across all people in the world, clearly purple is loved by everyone, everywhere.

Statistics is a type of science, but it’s rarely used.

It’s important that we move to interventional studies instead of observational ones, and it’s even more important to understand the difference.

Words like “linked, related, correlated” ≠ “caused”

Studies, even particularly well designed ones, are only valid for the situation they were developed for and completed in.

Choose your own adventure: Password Reset (moss)

Password reset flows are a choose your own adventure where the players just want to be able to secret squirrel again, and if you’re in charge of one let’s learn about some game overs everyone would like to avoid.

Designing a password reset flow has never lead to someone being branded a hero.

It’s still important to do, and moss’ talk about considering the life cycle of the password reset and its tokens was fantastic.

Deploying Kubernetes Safer(ish) (James) (not me)

This talk will take you through some of the parts of the kubernetes setup that are commonly ignored (“oh yeah we’ll definitely $100% get to that later”), or excluded from scripts you piped from curl to bash, or are pretty easy to accidentally get wrong if you didn’t know about this other thing that wasn’t made immediately obvious.

snrk

(Alex) “The next talk is by James who has chosen to have the courage to present on a Linux laptop so it might be a little delayed

It all went perfectly for him, which was awesome - especially since his luggage had gone missing between Sydney and Wellington. Poor guy.

Key takeaways:

  • Read all the bootstrap documentation.
  • Read a lot more, especially the “don’t do this in production” notes.
  • Lock down etcd hard. If it’s pwned, your entire cluster is.
  • Most everything else is pretty wide open, without TLS, by default. Don’t do that.

This looks interesting - k3s.io - k8s that runs on a RasPi

A novice red teamer’s guide to self help (bl3ep)

advice and learnings from a newbie’s first year: how to get better hacking yourself, hacking others, and defence against the se arts.

An incredible talk about some concepts to learn for dealing with the terror of being new, or new at something, especially red team exercises.

  • Anxiety reappraisal - say you’re doing great, especially when you’re not - it’s the perfect way to hack your brain!
  • Mental rehearsal - run through things in your mind in super deep detail, so you can live through the fear before it happens.
  • Cunningham’s Law - “the best way to get the right answer on the internet is not to ask a question; it’s to post the wrong answer.” People love being helpful, or right, to their own detriment.
  • Enclothed cognition - you are what you wear, so wear things that show how you want to feel…

\^_^

To Identity and Beyond! (Ben Dechrai)

In this talk, you will learn about OAuth, OpenID Connect, and JSON Web Tokens; where they came from, how they work, and how they can simplify your projects, from single-page apps to the APIs that drive them, and everything in between.

Ben’s from auth0 and speaks much truth about auth and identity things. You really don’t need to let Facebook or LinkedIn log into your email address, and other similar patterns.

Similarly, store the data you need, not what you think would be handy at some point down the track - or heaven forbid - what marketing says you need.

Risk management without slowing down (Mikala Easte)

some thoughts on how to set up lightweight risk management processes to empower teams to make informed decisions and not just rely on what the security person thinks of it.

Half-assing something is infinitely better than not doing it at all, especially when it comes to risk analysis.

  • Write.
  • Things.
  • Down.

Incident Response Drills: How to play games and get good (Kirk)

using incident response exercises to develop their people. We will learn how these synthetic experiences can be devised against specific environments and standards with measurable outcomes. Finally we will cover ways to easily scale difficulty and iteratively improve your exercise program.

The CDC had a zombie outbreak preparedness campaign that worked better than any previous campaign, because it grabbed people’s attention and made it relevant to their interests.

An Introduction to Ghidra (Helen)

A five minute overview on getting started for the overwhelmed and/or the lazy.

Helen’s lightning talk was a great introduction on what Ghidra is, where it came from, and where it’s going - with a side order of NSA jokes.

Protecting people from social media harassment (Tom Eastman)

Twitter’s own mechanisms that are supposed to protect users sometimes seem to be pretty inadequate to the task.

Tom talked about the things he considered when developing secateur.app, an open source toolset for protecting your Twitter account from abuse. It’s hosted (and free) but you can also host it yourself in case your threat model includes “someone running that service, or their linked identities”.

Face your fearful foes to dodge a dark and dreary phishy fate (Brendan Shaklovitz)

…in this talk we’ll skip past basic tech-support scams and talk about lovingly hand-crafted “spear phishing” campaigns specifically targeting individuals based on publicly available information. who knew your gaming habits would be your downfall?

Reconnaissance is powerful and empowering for attackers. The slack logos on your laptop give them an in.

Reward reporting of possible security incidents, don’t punish victims. Victims have learnt their lesson, and punishing them only hurts you.

Security confessions of a small country (Laura Bell)

how does being a small country affect our approach to security and how can we learn to love our little island thinking and use it as a superpower.

It’s important to recognise that security advice needs to be tailored to the people receiving it. The apple picker’s biggest security issue is the unlocked iPad with no screen lock, not the lack of MFA.

My first penetration test was a bull insemination place… not a polite office. Most people don’t work in nice offices

A discussion and call to action for locals to contribute to Open Security NZ.

Final thoughts

I’m so glad I went, and I look forward to future projects by the con team 🥰



#purplecon #conferences #security #work #new zealand