Purplecon 2019
An excellent and very refreshing infosec con, with an audience that was not made up of the usual suspects! Purplecon is constructive, similar to the OWASP standard that all talks need to have solutions or mitigations, and this is starting to creep into everyone's expectations elsewhere as well.
The non-content aspects of Purplecon deserve highlighting:
- Ticket sales were staggered into three waves, so it wasn't all sold out in 5 minutes (like the 2018 edition), and gave time to people needing corporate signoff.
- Ticket sales were split into two categories, with half of them explicitly reserved for people self-identifying as a marginalised group of some sort, any sort, don't tell us the details, we trust you.
- The aesthetic was purple, flowery, sparkly rather than black hoodie death metal flames. We don't all have to rebel in the same way, as Alex said.
- Instead of coffee, we had complementary bubble tea.
- The afternoon break was a long one, with the explicit request to find new people to talk to, to ask & answer questions, and to keep an open space in circles to allow people to join easily ... I think this could have benefitted from being more structured, rather than being spontaneously successful.
The con was livestreamed, the talks are on Youtube (https://purplecon.nz/talks/, https://www.youtube.com/playlist?list=PLS45xFo74VF546tbfXXtKDO03cVrAalM6) and every talk was a Keynote. On the topic of livestreaming – Purplecon consider the free streaming as a way to get more people to access infosec content, without having to take actual seats away from people who will benefit from being there live. At least one big org ran their own internal conference, with their content fitted in around the Purplecon stream – which was also available in two Wellington hostelries, Meow and Hashigo Zake ...
CHCon 2019 overall was, once again, an excellent infosec conference. Part of the appeal is the different audience, not everyone wants to be in Wellington, and not everything is an Internet-exposed service. There were a great broad range of topics, and perhaps because they're first off the rank in terms of dates my head (and notebook) were filling up with ideas faster here than during the next conferences.
But that's also been my takeout over the last few years as well – CHCon has a different type of energy than Kiwi/Kawaiicon, and a lower barrier to entry. The more people we get exposed to what infosec worries about, the more they might be able to reduce or fix things early.
Congrats to the crew, hope to see you next year!
Day 2 highlights from CHCon ...
Shaquin & Ben did a great job of getting the audience to get one step ahead of them every now and then, but still pulled out some surprises on the way. And included mitigations, like they should :–)
Adel's fingerprinting talk good, not only from the perspective that there is still unencrypted data out there but that traffic analysis even on its own is still a powerful too.
Sam sis well to remind us that even 5V is potentially enough to start a fire in a wall cavity, so hack safely! And if you leave evidence behind, it still won't ring any alarm bells if you do it professionally enough.
I liked Jed's talk because I'm approaching the same problems that he was showing a solution for, I've pinched a couple of his phrases and used them on management at $dayjob successfully!
CHCon SHAQUIN & BEN – SUPER SELF-SERVICE: HACKING KIOSKS USING BARCODES, https://2019.chcon.nz/talks/shaquin-ben/
Self-service kiosks with barcode scanners are everywhere – at supermarkets, visitor reception areas, airports, libraries, etc. Using the barcode scanner alone, it’s often possible to get an admin shell on a kiosk.
We’ll explain the different types/modes of barcode scanners, show you how to reconfigure them, and how to exploit their features to escape kiosk software. We may even drop an app to help you in your adventures :)
- So ... barcode scanners interpret the barcodes, and return representations back to the host computer.
- There are config barcodes that reconfigure the scanners directly ...
- Scanners can become “HID keyboards” ... and barcodes can encode keyboard keys, just like a rubber ducky
- https://github.com/LateralSecurity/BarSploit will build a PDF for your attack chain; display it on a kindle perhaps?
- Mitigations – don't put kiosks on the core network, perhaps run a 'real' lockdown machine as well?
CHCon KADE – PANOPTICON PROJECT, TRACKING STATE SPONSORED ACTORS AND WHY THAT'S IMPORTANT, https://2019.chcon.nz/talks/kade/
Kade will run through a project he started in 2017 for tracking advanced persistent threats (APTs) and other groups with similar capabilities. He will cover what he has learned about APTs, pathways for people to get involved in the project and reasons why tracking state sponsored actors is so important.
- A mostly documentation project, relying on published data (OSINT)
- Would like to be more machine-readable, needs help
- Has a domain language less obscure than STIX
CHCon KARL BARRETT – INDUSTRIAL SENSORSHIP, https://2019.chcon.nz/talks/karl/
Sensors are a critical component within the realm of human-machine interfaces, but how do they work? This talk will review a few common sensors, their implementations, and how to deceive them.
- How to subvert sensors – what are they really measuring vs what do we imply from them (i.e. 'IR motion sensors' are really tracking temperature changes)
CHCon SARAH WALKER – IAM CONFUSED: A DEEP DIVE INTO PERMISSIONS, https://2019.chcon.nz/talks/sarah/
One of the hardest things to understand in the world of cloud computing has to be AWS’ IAM – what is a role? what is a policy? how do I keep my engineers away from production systems? how do permission boundaries even work??
The aim of this talk is to try and give some practical examples to help security teams understand whats going on, and how to use this to keep their infrastructure running smoothly and safely.
- Groot and the Guardians of the Galaxy (too many short animation loops on the slides though)
- Allow all the Avengers to use their stuff sometimes
- But not Spiderman, because Sony ...
- AWS documentation is sometimes incomplete and wrong
- AWS 'managed policies', ditto
- Third party tools: Netflix Aardvark, Salesforce Policy Sentry
- Principals can have permissions to take action on Resources
- Resources can also have permissions to grant actions to Principals
- Any explicit Deny trumps all other permissions
CHCon TOM ISAACSON – WHAT'S NEW IN WIFI, https://2019.chcon.nz/talks/tom/
The new Wifi 6 and WPA3 standards were released last year but what do they actually include, when might we see them introduced and are they as secure as they purport to be?
- WPA3 and WiFi6 ...
- Must admit to glazing over a little. Not sure we can trust any network any more.
CHCon ANTIC0DE & LOKIFER – TEACHING AN OLD DOG NEW TRICKS, https://2019.chcon.nz/talks/antic0de-lokifer/
lokifer and antic0de will go over a handful of bugs Insomnia Security has uncovered over the last few years which are interesting, and a bit more in depth than the common OWASP Top 10 examples. This will include code extracts, explanations, and demos of effectiveness.
- An un-streamed talk, so perhaps I shouldn't say much about it either.
- BUT – a live demo on the local conference LAN was disrupted because someone in the audience hit the setup URL before the attack payload demo could do so ...
CHCon JOSH BRODIE – SECURITY/ENGINEERING: AN INTRODUCTION TO INDUSTRIAL CONTROL SYSTEMS, https://2019.chcon.nz/talks/josh/
It seems that the cyberapocalypse is upon us. The news media are reporting that nation-states are all up in each other’s power grids. That’s right, Russia are not content with owning the entire US political system and have continued their streak by shelling other untrustworthy, vintage things that we wish we didn’t rely upon for safety. Battlefields are being prepared, with malware taking up residence in operational technology environments, reconnoitring industrial control systems.
Well, if they’re going to be our doom, we should at least know what they are: Could it potentially be dangerous to let Windows XP boxes control robot arms with welding torches attached? Is SCADA pronounced SKAH-DAH or SKAY-DAH? Is a data historian a person who works with antique computers? How does securing and attacking operational technology differ from the same in a corporate network? This talk will answer all these questions and one or two more.
- Talking about how ICS systems (e.g. Christchurch water system) are actually setup and operated
- Compares to an actual incident from the US which could have been much worse than it was
- Involves a lot of infosec trust
- Because other factors are more important in the physical world