Kiwicon X (2016)

Welcome to my thoughts and review on Kiwicon X! Held at the newly-refurbished (?) Michael Fowler Centre on 17-18 November 2016, this was my second Kiwicon after 2008, and I am beyond excited to attend this wonderful (and quirky) conference. Without further ado, here are my thoughts on the talks:

Day 1 – 17 November

  • “The Truth Is In Here” by Metlstorm: This wasn’t a talk per se; in fact, there wasn’t much talking apart from some deranged ramblings of a bearded lunatic (you know I adore you). There was a spectacular laser show; I had to close my eyes more than a few times to hopefully protect my corneas.
  • “Defending the Gibson in the Age of Enlightenment” by Darren “sham” Bilby: I liked this keynote, and my colleagues did too. It was sufficiently non-technical that people from all industries can take away something from this talk. I cannot exactly remember all aspects of the presentation, but I do remember it was mentioned that security awareness talks just do not work – and I tend to agree. I have run numerous phishing tests, and I’ve learnt not to be surprised by the results, even when the staff have had a security awareness talk just weeks before the test. I have had personal experiences of clients coming to us with Cryptolocker problems due to an executive blindly clicking links and executing attachments. Any new joiner to the organisation might be a potential entry point if he/she hasn’t gone through the necessary awareness training.
  • “Finding and Exploiting Access Control Vulnerabilities in Graphical User Interfaces” by Collin Mulliner: A long time ago, there was this software called Snadboy’s Revelation. An example coverage of this software can be found at Lifehacker. No doubt Collin’s research is able to do the same thing, and more. It doesn’t seem that I would use this much for my fieldwork though. Great research; check out the project at http://www.mulliner.org/security/guisec/.
  • “Radiation-induced cryptographic failures and how to defend against them” by Peter Gutmann: This guy brought some radioactive material on stage (was it plutonium?) and then I wasn’t sure whether the part about lead suits for the front-row people was made in jest or not. A majority of the presentation flew over my head, but I was extremely impressed by the technicalities of his slides. This wasn’t something that I had considered, that radiation affects cryptographic operations. Who would’ve thought.
  • “Active Incident Response: Kiwicon Edition” by Brian Candlish & Christian Teutenberg: This was the presentation which rekindled my interest in incident response. The work that they do is great, and my aim is to be in that sort of role in 5 years (or less). This was, I think, the only presentation where they explicitly forbade any pictures or videos, and so I will keep details of the presentation vague. Suffice to say, working for an ISP is beginning to sound interesting…
  • “Out of the Browser into the Fire: Exploiting Native Web-based Applications” by Moloch & Shubs: This is by far the most interesting and most technical presentation in Kiwicon X, and I thoroughly enjoyed their exploits relating to Node.js and npm. I didn’t manage to find the slides or exploit code anywhere; maybe my Google-fu is weak. I think this team is definitely one to look out for when it comes to native web-based applications. Admittedly, I haven’t done much work with such applications, and so everything looks weird and wonderful.
  • “Practical Phishing Automation with PhishLulz” by antisnatchor: We have been using Phishing Frenzy for a couple of months now to perform our phishing assessments. It works very well, and it is pretty simple to configure (see my script here). There are a few bugs and potential improvements in PF, but they aren’t showstoppers. antisnatchor announced that he has written something to allow Phishing Frenzy to run on an Amazon AWS AMI, and that he has made some improvements such as all new templates and BeEF integration. Most of my assessments do not go beyond retrieving the users’ passwords, but I predict that in future, some of our clients would want to take it a step further and see if we can use browser-level attacks to pivot into their networks. BeEF integration would thus be most helpful, but at the moment, it is the extra templates which are most enticing. My aim, once I have time, is to isolate the templates from the PhishLulz AMI and hopefully consider them for my engagements. The project can be found at https://github.com/antisnatchor/phishlulz.

The second day of Kiwicon had, in my opinion, fewer quality talks, but they were still talks which were worth sitting through.

Day 2 – 18 November

  • “Red Star OS will bring the imperialist aggressors and Park Geun-Hye clique to their knees” by Lord Tuskington: This is the first time I got lectured to by a walrus. There really is a first time for everything. And maybe this is just me, but I find the existence of a North Korea-branded OS which does extensive user tracking, terrifying and funny at the same time. Apparently the OS can be downloaded from http://www.openingupnorthkorea.com/downloads-2; I guess I know what I’ll be doing when I get bored over Christmas.
  • “Kicking Orion’s Ass-sets” by Mubix: I liked this talk. I cannot remember much about it, but I know it was some epic pwnage, and that the affected company responded favourably to Mubix’s security reports. Great work.
  • “Contactless Access Control” by Ryan & Jeremy: I wish they’d make their ‘gun’ available for purchase. I know I cannot build it all by myself. It would have been so, so useful in physical penetration tests. What they did was to use their research on exit buttons and electricity voodoo to splice together a piece of hardware that, when ‘fired’, remotely triggers the exit button and releases the door lock.

Fantastic summaries of the talks can be found on https://rodger.donaldson.gen.nz/tags/kiwicon10/.

I’ll definitely be suffering Kiwicon withdrawal symptoms this time next year. I think now is a good time for CHCon to rise up to the challenge. 🙂
