Main Event

Both Days

09:00 > 16:30: CTF.

09:00 > 16:30: Badge challenge.

09:00 > 16:30: Locksport challenge.

Friday 26th

09:00 CHCon Crew: Introduction+Housekeeping
09:15 Grace Nolan: Nightmares Untangled: Selected Short Stories on Supply Chain Attacks [Keynote]
10:00 Pete Gent: OSINT Hollywood style
10:15 Break
10:45 Karl Barrett: That's Pretty Neat
11:15 Fiona Sasse: War Games... In the Office
11:45 Lukasz Gogolkiewicz: The Count's A-to-Z of Windows Privilege Esclation
12:30 Break
13:30 Kylie: IPv6 Security
14:00 Chris Wong: Variance, with ponies
14:15 Ben Knight: Router Hacking
14:45 Gabor Szathmari: Hacking law firms with abandoned domain names
15:30 Break
16:00 Ivan Reutskiy and Dan Capper: ...and I am calling you from the technical department
16:30 Steve Brorens: "White Hat" Phishing: lessons learnt from two years of doing it
17:00 sharrow: Optimising Your Paranoid Nihilism
17:30 CHCon Crew: Day Close-Out
17:45 Unofficial Events

Saturday 27th

09:00 CHCon Crew: Introduction+Housekeeping
09:15 Erica/sput: If the Galactic Empire had better OpSec: Comparing security in a galaxy far, far away to ours
09:45 Ahmad Ashraff: How I Met Responder
10:15 Break
10:45 Heidi Winter: The kids are alright
11:15 Sarah Young: Security through the eyes of a 15 year old in 2002
11:45 Clay Hamilton: Analysis Tradecraft
12:15 Break
13:30 Goldstein: 3D printing your way through physical security
13:45 Craig Rowland: A Walk Down Intrusion Detection Memory Lane
14:15 Peter Jakowetz: X Gon' Give It To Ya
14:45 Prashant Mahajan: ADRecon - Active Directory Recon
15:00 Kathy: Detection at Scale
15:30 Break
16:00 Brendan Seerup: Caring for our pen tester friends
16:45 Logan Woods: Please do the thing
17:30 CHCon Crew: Event Close-Out and Prizegiving
17:45 Official Afterparty


Nightmares Untangled: Selected Short Stories on Supply Chain Attacks

Grace Nolan (@__nolang)

Friday, 09:15 > 10:00

The mist is low over the ground. You walk past the rubble of ransom'd hard drives, manipulated PCBs, and broken systems. The air is heavy with disappointment from keys lost, and the silent betrayal of infected third party libraries. The power has been out for so long and you have lost track of time. But you see a path forward, and It fills you with determination.

About Grace: Grace is a Cyber Witch at Google working in Detection & Response. Her role is to cast hexes and traps to catch malicious actors attempting to do The Bad Things at Google. She likes watercolour painting in her spare time, and furiously introspecting about absolutely anything and everything.

OSINT Hollywood style

Pete Gent

Friday, 10:00 > 10:15

What can Hollywood teach us about OSINT? Come for a short journey through Will Smith's movie back catalogue to see what OSINT tips can be gleaned and put into practise.

About Pete: By day Pete is a spectrum planner. That means making sure that New Zealand's radio spectrum is planned, so you can use all your shiny toys from aliexpress (hopefully) without problems.

That's Pretty Neat

Karl Barrett

Friday, 10:45 > 11:15

Sometimes when you find a vulnerability, you just have to say "That's pretty neat!". Maybe it's insecure by design or just that the most intuitive/common implementation isn't the most secure. This talk draws attention to some unusual security flaws, how they came about, and what you can do about them.

About Karl: Karl is a security consultant for Lateral Security in Christchurch, New Zealand. His areas of interest include hardware hacking and advanced XSS techniques. In his spare time, Karl enjoys climbing rocks and popping locks.

War Games... In the Office

Fiona Sasse

Friday, 11:15 > 11:45

A website set to exfiltrate 2GB of data every 2 minutes...
An email about phishing sent from "Security"...

These were the only warning signs of a war brewing in the workplace. Can these innocent office pranks escalate into a vicious blood bath? Will anyone be safe from the mayhem that ensues? An office divided... Them, and us... Red, and Blue. Maybe it's not too late to press 'esc', in favour of a nice game of chess?"

About Fiona: Fiona is still very new to all things security. Fiona worked as a software tester for two years, and has recently stepped into a Security Role. Having unsuccessfully tried to hack her way to free pizza, Fiona has decided to move her antics a little closer to home by waging war with her colleagues. What could possibly go wrong?

The Count's A-to-Z of Windows Privilege Esclation

Lukasz Gogolkiewicz (@synick)

Friday, 11:45 > 12:30

This talk is a humorous view into the art of escalating ones privileges within a Windows environment. Lukasz plans to run through the alphabet, and correspond a Windows privilege escalation technique to be used offensively with each letter (there are so, so many). The idea behind this talk is to highlight the many ways one can escalate within a Windows environment, from Low to High, not from High to Higher.

About Lukasz: Lukasz works for Context Information Security, based in Melbourne Australia. He has been in the field of security for a while now and has tested many pens.

IPv6 Security

Kylie (@kylieengineer)

Friday, 13:30 > 14:00

There are currently over 50,000 IPv6 routes on the Internet. Despite the slow uptake of the IPv4 replacement, OS vendors enabling IPv6 by default on standard network interfaces means that a security practitioner can no longer put their head in the sand and only focus on IPv4. This talk is a practical introduction to the security risks around IPv6 with some demonstrations of the current attacks seen.

About Kylie: Kylie is Director of Emerging Technology Security in her day job. She also lectures part-time at UNSW Canberra and is co-founder of BSides Canberra and InfoSect (a training and security research space in Canberra).

Variance, with ponies

Chris Wong (@LambdaFairy)

Friday, 14:00 > 14:15

Everyone knows that an apple is a fruit. But is a bag of apples also a bag of fruit?

To answer this question, we need to use an idea called variance. Variance is a set of rules that govern when it's okay to cast a generic type to another. These rules can be found in any language that supports both generics and subtyping: C#, TypeScript, even Rust.

This talk will explain how variance works, using practical code examples. There will also be a pony.

About Chris: Chris is a developer at Verizon Connect, where his software prevents truck drivers from working too long.

Router Hacking

Ben Knight (@zantedotnz)

Friday, 14:15 > 14:45

Initially motivated by a need to reconfigure my old home router's iptables rules to redirect Google DNS traffic so I could watch US Netflix, I started looking at options for gaining access to features not implemented through the web interface. I found my home router is well researched and a shell can be enabled by modifying the encrypted backup configuration file. I chipped-off the NAND from the router and dumped it with a TSOP chip programmer. I moved onto looking at newer routers. After many lessons learnt, I found command injection vulnerabilities in two current generation routers.

About Ben: Ben previously worked for law enforcement as a Digital Forensic Analyst, examining mostly computers and mobile devices for digital evidence related to criminal cases. Ben now works as a Security Consultant at Insomnia Security. He has a special interest in mobile and embedded devices as these often have limited user friendly front-ends and interesting back-end functionality.

Hacking law firms with abandoned domain names

Gabor Szathmari (@gszathmari)

Friday, 14:45 > 15:30

When law firms merge or wind-up, internet domain names are often abandoned, allowing anyone to re-register and take ownership of the former firm's domain name. In this talk, we explore how we managed to gain access to, or reset passwords for online services and profession-specific portals via abandoned domain names. These online services store documents, emails and other information relating to a legal practice, including financial details, personal information, confidential information and client-legal privileged information. We also make recommendations as to measures legal practices and other businesses can take to stop this threat.

About Gabor: Gabor Szathmari is a cybersecurity expert with over ten years experience, having worked in both private and public sectors. He has helped numerous big-name clients with data breach investigations and security incident management. In his professional life, Gabor helps businesses, including many small and mid-size legal practices improve their cybersecurity at Iron Bastion. He is also the president of CryptoAUSTRALIA, the leading authority promoting a society where all Australians can learn to defend their privacy.

...and I am calling you from the technical department

Ivan Reutskiy and Dan Capper

Friday, 16:00 > 16:30

This presentation focuses on so-called "cold call scams" how they came to be, why so many targeting NZ and what to do and what not to do and what telco industry does to improve the situation.

About Ivan: Been working in NZ telco/ISP industry for a while, background is systems and storage engineering and recently converted into information security.

"White Hat" Phishing: lessons learnt from two years of doing it

Steve Brorens (@snori74)

Friday, 16:30 > 17:00

A key vector for all sorts of malware and intrusion is users falling for clickbaity "phishing" emails. Traditional training is boring and ineffective, so "phishing fire drills" are appropriate - however, there are a number of ethical and technical issues that you need to be aware of if you are considering doing this.

I'll be giving a brief overview of these issues; and the approach that we've been taking over the past couple of years. The focus will be on general user awareness, but I'll also cover the extra issues around more targetted "spear phishing".

At the technical level, I'll be talking about our use of a private instance of gophish and some custom scripts – but the lessons will apply regardless of the platform used. There will be discussion about issues like SPF and DKIM and custom domains to ensure deliverability; and a brief overview of some of the issues around email tracking.

Finally, some thought on follow-up with staff and management.

About Steve: I've been in the computer business since before birth of the PC, so I've been involved in a wide range of areas - but for the last several years have been concentrating on defensive security for our company and clients.

Optimising Your Paranoid Nihilism


Friday, 17:00 > 17:30

It is a truth universally acknowledged that a company that is in possession of computers must be in want of a red team. However, if for various prejudicial reasons this seems unlikely to happen, there are number of things you can learn from hanging out with the sort of people who wear black hoodies with the hoods up, even if they're not all up in your network shares reading spreadsheets. Looking at your setup from a adversary's perspective can be very helpful in figuring out what your threat model actually is; what do you care about? how would they get there? and can give you the chance to build some effective real-world defences against them. It can also help you manage the long tail of technical debt and "heritage environments” that are too old to be patched, and too important to turn off. It cannot help your nihilism, but at least you don't have to write reports.

About sharrow: Sharrow still kinda wants to be an archaeologist. Instead of happily building a comparative collection of coprolites, she daily wades through the general sewers of sysadmins administration, trying to determine the use of ritual node.js objects in critical infrastructure. Otherwise, she inflicts bunting, glitter, and fancy verbiage on the rest of the Kiwicon Crue. She is overly fond of punctuation, footnotes, ruining her sleeping patterns, and the Oxford comma.

If the Galactic Empire had better OpSec: Comparing security in a galaxy far, far away to ours

Erica/sput (@sputina)

Saturday, 09:15 > 09:45

A long time ago there was an epic space opera full of adventure, war, hyperspace jumps, and adorable fury alien races. It also had new technology: prosthetics and cybernetics, drones and robots, space travel, planet-destroying lasers.

Despite appearing to be a galaxy with mature technology, they failed at some of the security basis. And, spoiler alert, the death star was ultimately destroyed due to a data breach and poor defenses. Although we are moving full speed toward some neat technology advances of our own, we still see a number of high impact incidents resulting from the same bad security hygiene.

This talk is going to go through some of the famous Resistance and First Order security blunders, and show how they relate to the recent incident data that CERT NZ has collected. Perhaps this galaxy far, far away isn't too far off the truth.

About Erica: Her twitter bio says “info sec, cat, and ketchup enthusiast” which summarises her quite nicely. Erica works at CERT NZ as a Senior Incident Manager on the Operations team. She also causes general mayhem with Kiwicon, Code Club Aotearoa, and (previously) BSides Wellington.

How I Met Responder

Ahmad Ashraff (@yappare)

Saturday, 09:45 > 10:15

The presentation is about speaker's experience in using the Responder for the first time after almost 6 years of doing penetration testing. Started his career in 2010, for his knowledge, infrastructure pentesting is just about running Nessus and dumping all the outdated patches report to the client. Not until he joined Aura Information Security in 2016 when he told his manager "I'm weak in network pentest" and then he was introduced to Responder, an awesome tool by SpiderLabs.

About Ahmad: Ahmad Ashraff was a Chemical Engineering graduate but have interest in application security. 7+ years in penetration testing industry and a semi-active bug bounty hunter. In 2016, he started expanding his interest in infrastructure pentesting and combining the knowledge in application security to develop interesting way of exploiting a vulnerability.

The kids are alright

Heidi Winter (@winter_heidi)

Saturday, 10:45 > 11:15

Capture the Flag (CTFs) are competitions and puzzles based on real world information security vulnerabilities and challenges that are played online or at security events and conferences. Individuals or teams race against the clock solving complex and fun exercises gathering 'flags' to earn points. It's an opportunity for existing and new skills to meet and grow in a great environment, but especially good as a staring point for those new to security, or an introduction to those unaware of the field. CTF workshops can be run for children as well as adults! In this presentation I'll answer frequently asked questions on how to successfully engage children from pre-teen age in cyber security games, no matter their skill level.

About Heidi: Heidi is an Australian security professional currently specializing in cyber security risk management, incident management and operations. She has worked in IT project management, system administration, telecommunications and compliance, before making the switch to cyber security, where she has had the opportunity to experience both government and enterprise environments. She has a strong interest in offensive and deceptive security projects and has recently been delving into malware analysis and cyber threat intel. While also being a self-declared perpetual n00b, Heidi spends her time giving back to the infosec community by the volunteering at conferences across Australia and New Zealand, organising meet ups and CTFs, and running various other community projects to educate young and old on the joys of the cybers. When all of that is done, she uses whatever energy she has left to spam cat GIFs on Twitter.

Security through the eyes of a 15 year old in 2002

Sarah Young (@_sarahyo)

Saturday, 11:15 > 11:45

Recently I found some of the pieces of work that I did for IT security when I was about 15/16 at school in a random folder. Aside from the fact they use cringeworthy fonts, clipart and rainbow wipe backgrounds on everything, it's interesting to go through them and look at how security principles haven't actually changed that much, and also to look at how we're teaching IT security in schools and how that's developed since about 2002. This is intended to be a lighthearted security talk rather than hardcore tech, and also to allow everyone to laugh at how much one teenager can use clipart in a PPT.

About Sarah: Sarah is a security architect based in Melbourne, but has also lived and worked in Wellington and various bits of Australia and Europe. She was a network engineer in a previous life but let all her Cisco certs expire, so she now helps enterprises move their stuff into AWS securely. Sarah spends most of her free time eating brunches and high teas...

Analysis Tradecraft

Clay Hamilton (@ClayDoesSec)

Saturday, 11:45 > 12:15

"A mind is like a parachute. It doesn’t work if it’s not open." – Frank Zappa

As incident responders, firefighters, hacktivists, and *hats, we're tossed into situations where our judgement is demanded sooner than we've interpreted the situation. This stress creates challenges for the mental models we rely on to be mindful of the emerging situation and comprehensively assess and respond. And even when no stress is exerted for a particular response, our mental models can still be challenged by our personal and professional experience as humans with diverse cultural beliefs and identities.

This talk touches the surface of how and what biases can effect analysis, anecdotes on premature closure, and analytical strategies & methods that can help externalize and decompose problem sets without compromising your mental model.

About Clay: Incident responder, threat hunter, operations lead, analyst, and avid walker learning about Aotearoa based in Pōneke. Clay enjoys coffee & the outdoors, preferably both, while meeting new people and discussing cats, life, and what's good in NZ. My opinions in this talk are my own, science is real.

3D printing your way through physical security

Goldstein (@EricGoldsteinNZ)

Saturday, 13:30 > 13:45

The security of locks has, for a long time, revolved around the difficulty of duplicating keys. This can be seen in keys marked 'Do Not Copy' and by key manufacturers limiting who they will sell their blanks to. 3D printers are changing this by making it possible for spooks and hackers alike to print new keys in the office or at home. This talk will cover my trial and error with creating workable patterns and keys.

About Goldstein: Sam has been interested in locks and physical security for as long as he can remember. This started with pulling apart locks and learning to use lockpicks, and eventually moved onto him winning Te Kuiti Warrior at Kiwicon 8 and Kiwicon X. He has also been involved in teaching hundreds of students how to lockpicking and physical security works through the University of Waikato Cyber Security Challenge.

A Walk Down Intrusion Detection Memory Lane

Craig Rowland (@SandflySecurity)

Saturday, 13:45 > 14:15

This talk is about my experiences working behind the scenes as a developer, consultant, or founder at companies that were early pioneers in the intrusion detection and prevention space. Also covered will be modern problems with endpoint security and where I think the industry is going. The talk will have lots of behind the scenes stories and give insight into how IDS products came into being.

About Craig: Founder of Sandfly Security. I have been in multiple security startups over my career in the intrusion detection field. They have been bought by companies like Cisco and 3Com.

X Gon' Give It To Ya

Peter Jakowetz (@pjakowetz)

Saturday, 14:15 > 14:45

DMX – Most commonly known as a rapper, but less famously a standard for digital communications networks used for controlling stage lighting and effects. While the internet of things is the normal thing for people to hack and mock, DMX has been around for well over 30 years and is much more broken.

You may think a 30 year old serial protocol used for turning lights on and off would be kept to that, but why not connect it to flame machines, stage automation and make it wireless.

About Peter: Peter is an electrical engineer turned security consultant from Wellington, NZ. He enjoys playing with open source hardware and software, poking cars, and breaking things in his spare time.

ADRecon - Active Directory Recon

Prashant Mahajan (@prashant3535)

Saturday, 14:45 > 15:00

ADRecon is a tool which extracts and combines various artefacts (as highlighted below) out of an AD environment. The information can be presented in a specially formatted Microsoft Excel report that includes summary views with metrics to facilitate analysis and provide a holistic picture of the current state of the target AD environment.

The tool is useful to various classes of security professionals like auditors, DFIR, students, administrators, etc. It can also be an invaluable post-exploitation tool for a penetration tester.

It can be run from any workstation that is connected to the environment, even hosts that are not domain members. Furthermore, the tool can be executed in the context of a non-privileged (i.e. standard domain user) account. Fine Grained Password Policy, LAPS and BitLocker may require Privileged user accounts. The tool will use Microsoft Remote Server Administration Tools (RSAT) if available, otherwise it will communicate with the Domain Controller using LDAP.

About Prashant: Prashant Mahajan is a Senior Security Consultant at Sense of Security Pty Ltd. He has experience with various aspects of Information Security including penetration testing, vulnerability analysis, digital forensics and incident response. Prashant is a founding member of Null - The Open Security Community and frequent speaker at industry events.

Detection at Scale


Saturday, 15:00 > 15:30

Security detection often feels like being stuck in an endless cycle. Acquire new data, sift through the data, get overloaded, drive new automation initiatives to get us out of our backlog, and then we break stuff all over again. What if detection at scale wasn't this at all? What if our job wasn't to process logs at all?

The Google Detection & Response team would like to show you how we are re-framing our perspective of what security engineers should be experts in. Stepping back from the day to day analysis of endless log sources. Instead, we research new detection ideas and codify those into a framework supported by end to end testing. Examples of how real Google security engineers approach this idea included.

About Kathy: Kathy is a Security Engineer at Google working in Detection & Response. She works in the team of security engineers who innovate and evolve Alphabet's detection systems to match the ever increasing sophistication of attackers. In her spare time she likes running and hiking, cooking various types of cuisines.

Caring for our pen tester friends

Brendan Seerup (@SparkleOps)

Saturday, 16:00 > 16:45

Quality assurance teams are becoming more context driven and collaborative. QA Testers are now needed from design through to supporting their applications into production.

Yet we still ask external security testers to test our applications engaging them at the end just before we ship to production. Often armed with very little handover we ask them "Did we built it securely?".

I see a big gap between external security testers and development teams, its making life hard for both teams. I also see the damage it does to good security testing. Its time to bring these two team closes together and start take better care of our pen tester friends.

About Brendan: Brendan is an Application Security Specialist who loves helping teams with secure development, threat modelling and being involved with the penetration testing of their applications. Outside of Application Security Brendan leads a threat hunting group dedicated to finding and disclosing threats to NZ's internet space to our CERT. Brendan spends his spare time slowly studying towards a masters of wine and reading comics in his blanket fort.

Please do the thing

Logan Woods (@InfoSnekNZ)

Saturday, 16:45 > 17:30

Security testing is all about convincing systems to do something they shouldn't. Whether it's getting a database to spew out it's contents, or convincing a PA that's it's OK to give you a 24/7 access card for the building, the name of the game is encouraging an outcome that, if the security controls were effective, shouldn't be possible. This talk is about some of the ways I've convinced systems, both technical and human, to do things they shouldn't, and the reasons why this worked - plus some bonus details of the impact this had on the target orgs.

About Logan: Logan is a Security Consultant at Aura Information Security. He specialises in being places he shouldn't really be, whether it's through bypassing physical security controls or convincing friendly people that he's supposed to be there.

Get In Touch


Get in touch with the CHCon crew and fellow attendees.

The Christchurch Hackers Conference

UCSA Events Centre

90 Ilam Rd, Riccarton, Christchurch

October 25-27 2018