Purplecon 2019 sera, iam confused: a deep dive into how permissions work, https://purplecon.nz/talks/#sera, https://www.youtube.com/watch?v=t0wkQinlRso&list=PLS45xFo74VF546tbfXXtKDO03cVrAalM6&index=4
one of the hardest things to understand in the world of cloud computing has to be iam – what is a role? what is a policy? how do i keep my engineers away from production systems? how do? the aim of this talk is to try and give some practical examples to help security teams understand whats going on, and how to use this to keep their infrastructure running smoothly and safely.
Purplecon 2019 sauramaia, how to human in groups, https://purplecon.nz/talks/#sauramaia, https://www.youtube.com/watch?v=rq6IWQbjdMI&list=PLS45xFo74VF546tbfXXtKDO03cVrAalM6&index=2&t=0s
if you’ve ever tried to convince your high school friends that being racist is kinda terrible, or your work friends that they should use a password manager, this talk is for you.
changing people’s minds is hard. each group has its own version of what’s normal. this talk is about how to work with the brain tools we’ve got to make the computer tools we want.
- Change causes conflict and can hurt feelings
- Security boundaries probably represent change ...
- Join a group (perhaps via an advocate), consider the Overton Window of ideas, and using no negative language “should no must you etc” present your reasons
Purplecon 2019
An excellent and very refreshing infosec con, with an audience that was not made up of the usual suspects! Purplecon is constructive, similar to the OWASP standard that all talks need to have solutions or mitigations, and this is starting to creep into everyone's expectations elsewhere as well.
The non-content aspects of Purplecon deserve highlighting:
- Ticket sales were staggered into three waves, so it wasn't all sold out in 5 minutes (like the 2018 edition), and gave time to people needing corporate signoff.
- Ticket sales were split into two categories, with half of them explicitly reserved for people self-identifying as a marginalised group of some sort, any sort, don't tell us the details, we trust you.
- The aesthetic was purple, flowery, sparkly rather than black hoodie death metal flames. We don't all have to rebel in the same way, as Alex said.
- Instead of coffee, we had complementary bubble tea.
- The afternoon break was a long one, with the explicit request to find new people to talk to, to ask & answer questions, and to keep an open space in circles to allow people to join easily ... I think this could have benefitted from being more structured, rather than being spontaneously successful.
The con was livestreamed, the talks are on Youtube (https://purplecon.nz/talks/, https://www.youtube.com/playlist?list=PLS45xFo74VF546tbfXXtKDO03cVrAalM6) and every talk was a Keynote. On the topic of livestreaming – Purplecon consider the free streaming as a way to get more people to access infosec content, without having to take actual seats away from people who will benefit from being there live. At least one big org ran their own internal conference, with their content fitted in around the Purplecon stream – which was also available in two Wellington hostelries, Meow and Hashigo Zake ...
CHCon 2019 overall was, once again, an excellent infosec conference. Part of the appeal is the different audience, not everyone wants to be in Wellington, and not everything is an Internet-exposed service. There were a great broad range of topics, and perhaps because they're first off the rank in terms of dates my head (and notebook) were filling up with ideas faster here than during the next conferences.
But that's also been my takeout over the last few years as well – CHCon has a different type of energy than Kiwi/Kawaiicon, and a lower barrier to entry. The more people we get exposed to what infosec worries about, the more they might be able to reduce or fix things early.
Congrats to the crew, hope to see you next year!
Day 2 highlights from CHCon ...
Shaquin & Ben did a great job of getting the audience to get one step ahead of them every now and then, but still pulled out some surprises on the way. And included mitigations, like they should :–)
Adel's fingerprinting talk good, not only from the perspective that there is still unencrypted data out there but that traffic analysis even on its own is still a powerful too.
Sam sis well to remind us that even 5V is potentially enough to start a fire in a wall cavity, so hack safely! And if you leave evidence behind, it still won't ring any alarm bells if you do it professionally enough.
I liked Jed's talk because I'm approaching the same problems that he was showing a solution for, I've pinched a couple of his phrases and used them on management at $dayjob successfully!
CHCon SHAQUIN & BEN – SUPER SELF-SERVICE: HACKING KIOSKS USING BARCODES, https://2019.chcon.nz/talks/shaquin-ben/
Self-service kiosks with barcode scanners are everywhere – at supermarkets, visitor reception areas, airports, libraries, etc. Using the barcode scanner alone, it’s often possible to get an admin shell on a kiosk.
We’ll explain the different types/modes of barcode scanners, show you how to reconfigure them, and how to exploit their features to escape kiosk software. We may even drop an app to help you in your adventures :)
- So ... barcode scanners interpret the barcodes, and return representations back to the host computer.
- There are config barcodes that reconfigure the scanners directly ...
- Scanners can become “HID keyboards” ... and barcodes can encode keyboard keys, just like a rubber ducky
- https://github.com/LateralSecurity/BarSploit will build a PDF for your attack chain; display it on a kindle perhaps?
- Mitigations – don't put kiosks on the core network, perhaps run a 'real' lockdown machine as well?
CHCon KADE – PANOPTICON PROJECT, TRACKING STATE SPONSORED ACTORS AND WHY THAT'S IMPORTANT, https://2019.chcon.nz/talks/kade/
Kade will run through a project he started in 2017 for tracking advanced persistent threats (APTs) and other groups with similar capabilities. He will cover what he has learned about APTs, pathways for people to get involved in the project and reasons why tracking state sponsored actors is so important.
- A mostly documentation project, relying on published data (OSINT)
- Would like to be more machine-readable, needs help
- Has a domain language less obscure than STIX
CHCon KARL BARRETT – INDUSTRIAL SENSORSHIP, https://2019.chcon.nz/talks/karl/
Sensors are a critical component within the realm of human-machine interfaces, but how do they work? This talk will review a few common sensors, their implementations, and how to deceive them.
- How to subvert sensors – what are they really measuring vs what do we imply from them (i.e. 'IR motion sensors' are really tracking temperature changes)
CHCon SARAH WALKER – IAM CONFUSED: A DEEP DIVE INTO PERMISSIONS, https://2019.chcon.nz/talks/sarah/
One of the hardest things to understand in the world of cloud computing has to be AWS’ IAM – what is a role? what is a policy? how do I keep my engineers away from production systems? how do permission boundaries even work??
The aim of this talk is to try and give some practical examples to help security teams understand whats going on, and how to use this to keep their infrastructure running smoothly and safely.
- Groot and the Guardians of the Galaxy (too many short animation loops on the slides though)
- Allow all the Avengers to use their stuff sometimes
- But not Spiderman, because Sony ...
- AWS documentation is sometimes incomplete and wrong
- AWS 'managed policies', ditto
- Third party tools: Netflix Aardvark, Salesforce Policy Sentry
- Principals can have permissions to take action on Resources
- Resources can also have permissions to grant actions to Principals
- Any explicit Deny trumps all other permissions
CHCon TOM ISAACSON – WHAT'S NEW IN WIFI, https://2019.chcon.nz/talks/tom/
The new Wifi 6 and WPA3 standards were released last year but what do they actually include, when might we see them introduced and are they as secure as they purport to be?
- WPA3 and WiFi6 ...
- Must admit to glazing over a little. Not sure we can trust any network any more.