- 08:00: Doors Open
- 09:00: CHCon Crew - Introduction
- 09:15: Kate Pearce & Dr. Lucy Stewart - All Your Bases are Belong to Us, The First 2^32 Years of Security
- 10:15: Drewe Hinkley - Hacking the Road
- 10:45: Grace Nolan - Condensed History of Lockpicking
- 11:00: Break
- 11:30: Brendan Jamieson - Not So Random - Exploiting Unsafe Random Number Generator Use
- 12:15: Valentinas Bakaitis - Adventures in USB Land
- 12:45: Ben Humphreys - Securing Data in Use
- 13:00: Lunch
- 14:00: Kirk Jackson - The Hacks Inside Mr Robot
- 14:45: Emmanuel Law - Hitchhiker's Guide to Fuzzing your Favourite Interpreter
- 15:15: Lukas Korsika - Capability-Based Security; or Global Variables Are Bad
- 15:35: Break
- 16:10: Alex Hogue - Politely Socially Engineering IRL Using Sneaky Magician Techniques
- 16:40: Benjamin Kearns - Fun with HTTP/2
- 17:25: Karl Barrett - Weaponizing WiFi Drones
- 18:00: CHCon Crew - Closing
- 18:30: Afterparty (Location TBA @ Con)
All Your Bases are Belong to Us, The First 2^32 Years of Security
Speakers: Kate Pearce & Dr. Lucy Stewart
Abstract: Biology and computer security are about the same thing - managing information with limited resources. In BC 45 000 000 001 war was beginning.
Often we talk about security as a result of problems around technology, people or process. It isn't, it's actually a result of evolution. But, evolution has been working in the universe far longer than humans have been trying to outdo one another. In this talk we, a microbiologist and a security consultant, draw lessons from biology to illustrate how the security of technology is echoing both problems and solutions seen in the universe around us.
Nothing is secure in geological time; nobody cares that you're secure if you're extinct.
Time: 09:15 > 10:15
Catherine Pearce (@secvalve) is a New Zealand based Kiwi who moonlights by day as a Senior Security Consultant at Cisco. She refuses to specialise and as a result spends some time security testing, some time helping the builders, and some time dreaming about breaking a better world. She has spoken at conferences you've heard about but don't care about, as well as those you would care about if you had heard about them - and also Kiwicon. She wears yellow. If this doesn't make sense to you then you haven't seen her live - yet.
Dr. Lucy Stewart (@lcsnz) is a microbiologist with a focus on astrobiology. She is determined to find the limits of life and in so doing has become very practised at not quite killing very hardy organisms. She has "collaborated" with "volunteer" microbial test subjects from many walks of life. These include residents of the boiling water in hydrothermal vents at the bottom of the ocean, natives of the arid and frigid Antarctic dry valleys at the bottom of the world, and will soon swell to include immigrants from active volcanos on isolated islands. Luckily, she doesn't get seasick on research vessels...quite as much as some other scientists on board. She is not THAT kind of doctor.
Hacking the Road
Speaker: Drewe Hinkley
Abstract: An analysis of the true threat of vehicle hacking. Summarizing what systems can be exposed and controlled, infiltration methods, and the part Hollywood has to play in spreading hysteria.
Time: 10:15 > 10:45
Condensed History of Lockpicking
Speaker: Grace Nolan
Abstract: In the years long gone locks were seen as impenetrable items of hardware. Their security was held so highly that locksmiths even offered lock picking bounties - similar to the bug bounties offered by software and hardware developers at present. This lightning talk will look at these early lock mechanisms, along with the bypass techniques, perceptions of security and the security businesses of the time.
Time: 10:45 > 11:00
Grace Nolan (@GracieNoLag) is a recent computer science graduate of the University of Waikato in Hamilton, New Zealand and a full-time systems developer for Enable Ltd, a fibre broadband company in Christchurch. Amongst her passions for the field is a keen interest in the societal implications of technology, and the need for better representation and gender parity in CS. She gives talks to secondary students and their teachers, working closely with CS outreach organisations, and attending 'Women in Tech' workshops and conferences (such as the Grace Hopper Celebration). She's an enthusiastic choral singer, tea fanatic, and paints watercolours of flowers when she's not devouring the latest in tech news.
Not So Random - Exploiting Unsafe Random Number Generator Use
Speaker: Brendan Jamieson
Abstract: PRNG? CSPRNG? Do these acronyms mean anything to you? What's the difference? Why does it matter? After all, your app's password reset tokens are definitely generated with a CSPRNG, right?
This talk covers the exploitation of unsafe random number generation across a number of languages. Just how practical is it?
In this talk we'll discuss a bit of background, what insecure random number generation looks like, and some practical examples of real-world exploitation. We'll then look at options that are available to developers to avoid these issues in their own applications.
Time: 11:30 > 12:15
Brendan Jamieson (@hyprwired) is a security consultant for Insomnia Security, based out of Wellington. He is active in the .nz infosec community, having spoken at Wellington's ISIG and OWASP New Zealand Day, and been involved in a number of Kiwicons as a speaker, a trainer, and also co-event organiser for the Hamiltr0n CTF.
Adventures in USB Land
Speaker: Valentinas Bakaitis
Abstract: A somewhat pessimistic talk on the state and the future of USB security. A number of attacks on USB have been discovered in the past. This talk covers the common traits that these attacks share, the suggested protections and the ways these protections fail. The talk includes insights learned while using USB attacks for real red-team engagements. It also features a demo of things you can build in your own garage or in somebody's office while they're AFK.
Time: 12:15 > 12:45
Valentinas Bakaitis (@vbakaitis) is a software developer turned security consultant. Valentinas has 10 years of experience in the IT industry, with the last three years working as a security consultant. His interests include IT security, physical security and hardware hacking.
Securing Data in Use
Speaker: Ben Humphreys
Abstract: We have ways of securing data at rest and data in transit, but what about securing data in use? Being forced to decrypt data before it hits the CPU has meant that we have had to trust cloud providers with, at least, some of our private data, some of the time.
Time: 12:45 > 13:00
Ben Humphreys is a security consultant for Lateral Security in Wellington, New Zealand. He believes that the words, "Internet" and "Spynet", have become interchangeable. In his spare time, Ben enjoys practising other languages with tourists and drinking kombucha, homemade from yerba mate and manuka honey.
The Hacks Inside Mr Robot
Speaker: Kirk Jackson
Abstract: The TV show Mr Robot has struck a chord with the infosec community for its realistic portrayal of hacking technology. Let's look at the hacks from the first two seasons of the show, deconstruct and recreate them, and learn something new along the way. It will be just like being inside a TV show, minus the morphine addiction!
Time: 14:00 > 14:45
Kirk Jackson (@kirkj) is an infosec person, living in Wellington, NZ. He currently leads the OWASP Wellington chapter, and helps organise the OWASP NZ Day.
Hitchhiker's Guide to Fuzzing your Favourite Interpreter
Speaker: Emmanuel Law
Abstract: It'll take the audience on a journey behind the scenes of a custom PHP fuzzer. At the end of the talk, the methodology used can be applied to design a fuzzer for your favourite interpreter.
Time: 14:45 > 15:15
Emmanuel Law (@libnex) is a Principal Security Consultant from Aura Information Security. He works as a penetration tester during the day. By night he can be found fuzzing and exploiting binaries. Recently he has a newfound hobby in hacking away at PHP internals.
Capability-Based Security; or Global Variables Are Bad
Speaker: Lukas Korsika
Abstract: This presentation is a brief summary of capability-based security concepts, including the advantages and disadvantages of this approach. It includes examples of the Confused Deputy problem, which is becoming increasingly relevant with the resurgence in shared computing systems ("cloud services"), and explains how this problem can be avoided through the use of capabilities.
Time: 15:15 > 15:35
Politely Socially Engineering IRL Using Sneaky Magician Techniques
Speaker: Alex Hogue
Abstract: This talk is about using the same techniques a magician or pickpocket would use, but for social engineering and physical security mischief. We'll exploit the wonky default settings of human brains for the sake of sneaking what you're doing past people. To a magician, your brain is probably running the wetware equivalent of Windows 95, so come along and get patched.
Maybe you're a sneaky red-teamer, and it's time for you to put your building pass into the returns bin. Everyone is watching. They see you put the pass in the bin, and hear it land. They don't even know they're seeing something sneaky! Of course, you've somehow got your building pass hidden in your other hand. You put on your 1986 mirror-finish Aviators and walk out of the building just as it explodes in a fireball of best practices.
We'll really be skating on the line of breaking the magician's code here so buckle up and remember to bring your wallets in your left pockets.
Time: 16:10 > 16:40
Alex (@_notlikethis) is a kid with a laptop and a pocketful of memes. Currently he's a Security Something at Atlassian, which is a little bit like being an adult but with more ice cream. He makes dumb novelty websites as a substitute for getting out more. Ask him to do a magic trick, I dare you.
Fun with HTTP/2
Speaker: Benjamin Kearns
Abstract: In the beginning (the mid nineties), there was HTTP/1.0. Pages consisted of mostly text and all was good. Since then, we've had people start caring about the user experience, which comes along with pretty pictures and obsessing over round trip times. HTTP/2, which was finalised last year, is a radical change to the underlying protocol to facilitate the changes in the type of content being delivered and the way modern web applications work.
This talk will cover what HTTP/2 is, how it works, what sort of protocol/implementation level vulnerabilities we'll be seeing over the next couple of years, and what you'll need to think about when designing or defending frameworks/applications. It'll also be accompanied by a tool release to test for those vulnerabilities.
Time: 16:40 > 17:25
Hi, I'm pipeline (@pipeline_tux). I'm a reformed Rails developer from Christchurch now breaking all manner of things for Lateral Security in Wellington. In my spare time I spend too much time doing almost-work-like-things (TM), such as writing tools to make breaking things easier and testing them on unsuspecting bug bounty participants.
Weaponizing WiFi Drones
Speaker: Karl Barrett
Abstract: WiFi is a readily available technology available on laptops, mobile devices, and now... micro drones.
This talk will step through the process of reverse engineering a $40 camera drone, and highlight the benefits of having open access to its control system.
Time: 17:25 > 17:55
Karl is a security consultant for Lateral Security in Christchurch, New Zealand. His areas of interest include hardware hacking and advanced XSS techniques. In his spare time, Karl enjoys climbing rocks and popping locks.