Presentations

Table of contents

Title (Presenter)
Milking a Horse or Executing Remote Code in Modern Java Web Frameworks (Meder Kydyraliev)
Breaking virtualization by switching the CPU to virtual 8086 mode (Endrazine)
Understanding the Java Serialization Attack Surface (Daniel Grzelak)
Web Scanners FOR THE WIN... (Louis Nyffenegger)
Virtualization Security State of the Union (David Jorm)
How to do Real World Computer Forensics ... and not get Burned (Nick Klein)
Ghost in the Shell(code) (Matthew de Carteret)
Opensource Forensics (Adam Daniel)
Fast Automated Unpacking and Classification of Malware (Silvio Cesare)
DEP in Depth (Brett Moore)
'No Holds Barred' Penetration Testing (Jarrod Loidl)
Prospecting for Rootite: More Code Coverage, More Bugs, Less Wasted Effort (Ben Nagy)
Instrumenting the Linux Kernel with Kprobes for Anti-Security (Ryan O'Neill)
Hooray for Reading: The Kindle and You (Peter Hannay)
We've been Hacked! What went Wrong and Why (Mark Goudie)
Hackerspace - Robots & Dinosaurs (Gavin Smith)
Will it Blend? (Billy Rios)
The Australian Internet Security Initiative - Fighting Botnets at the Source (Mark Chaffe)
Security in APCO P25 Public-Safety Communications Networks (Stephen Glass & Matt Robert)
An overview of AFP High Tech Crime Operations (Alex Tilley)
Killing the Elephant in the Room - Enterprise Vulnerability Management Tactics (Matt J)
Automatically Identifying C structs from Binaries (Kuza55)
More to come...

 

Presentation details

Killing the Elephant in the Room - Enterprise Vulnerability Management Tactics (Matt J)

Technical conferences often present new and innovative research concerning vulnerability assessment, exploitation, and mitigation controls. New offensive and defensive techniques have been evolving for well over a decade. In parallel, targeted attacks and the zero-day black market have created a powerful underground economy that threatens the world's wealthiest enterprises.

Unfortunately, in all this madness, the fundamental practice of vulnerability management has been neglected. Large enterprises often have huge IT estates rife with technicalities, politics, and organizational constraints. Relying purely on COTS solutions to manage vulnerabilities is often seen as an easy way to tick a compliance box, but it is never a primary, fool-proof solution for managing known vulnerabilities.

This presentation will run through various methods to potentially strengthen or overhaul existing vulnerability management setups.

Matt is a thought leader in procrastination and enjoys spicy food with beer.


Milking a Horse or Executing Remote Code in Modern Java Web Frameworks (Meder Kydyraliev)

If you thought either was unlikely, this presentation will prove you wrong. Modern Java web frameworks are very complex and are used by some of the most critical web frontends (banks, airlines, etc.). However, due to the nature of Java, a lot of people using such frameworks assume that they are immune to certain classes of vulnerabilities and thus use no exploitation mitigation techniques at all. I'll discuss the current state of (in)security in some of the popular Java web frameworks (e.g. Spring, Struts2) based on my security review, which involved spending no more than one week on each framework. In most cases, I was able to get a shell in a HelloWorld application within 3-4 days. The presentation will also cover some of the ways to harden web applications built using these frameworks.

Meder Kydyraliev has been working in the area of web app security for the past 6 years. He has worked as a security consultant for one of the Big 4 and currently works on the Google Security Team. Meder has contributed some of his time to open-source projects such as xprobe2 and webscarab and has spoken at conferences such as HackInTheBox, Syscan and Bellua.


Breaking virtualization by switching the CPU to virtual 8086 mode (Endrazine)

In the last 5 years, virtualization software has been massively adopted by companies as a means to reduce costs, achieve instant scalability, and possibly improve their security through isolation. Recent numbers indicate that 78 percent of companies have their production servers virtualized, and 20 percent of them actually rely only on virtualized servers. At the same time, security auditing of such software poses unique challenges, in particular when it comes to dynamic testing. In this paper, we describe a methodology for the security assessment of virtualization software based on switching the CPU mode to virtual 8086 mode in order to get access to the (possibly virtualized) hardware; it aims at being both generic (applicable to both x86 and x64 architectures) and extremely large in terms of code coverage. We have implemented this technology in the form of a dynamic testing tool, which has proved to be very efficient in finding bugs in virtualization software.

Jonathan is a security engineer specialized in low-level vulnerability discovery. He has presented his research at some of the best conferences worldwide, including h2hc (Brazil), Hackito Ergo Sum (Paris, of which he is one of the core organizers), Hack in the Box (Amsterdam) and Defcon (Las Vegas), among others.


Will it Blend? (Billy Rios)

Today's information systems are a giant mesh of complexity. Typical consumer systems have large amounts of software created by different software manufacturers installed on their machines. This mesh of software creates an ecosystem where software is intertwined and in some cases dependent on each other. When one piece of the ecosystem gets out of line, it can have a dramatic effect on the ecosystem as a whole. A small vulnerability or even an "annoying" behavior from one piece of software can alter the behavior of a 2nd piece of software, a behavior which a 3rd piece of software is depending on for a security decision. Enter the world of blended vulnerabilities and attacks.

This talk will discuss the details of various "blended" attacks. The talk demonstrates the chaining of seemingly low-risk vulnerabilities and unusual design decisions from popular software together to create a higher-risk exploit.

Billy Rios is currently a security researcher for Google where he studies emerging security threats and technologies. Before Google, Billy was a Security Program Manager at Microsoft where he helped secure several high profile software projects including Internet Explorer. Prior to his roles at Google and Microsoft, Billy was a penetration tester, making his living by outsmarting security teams, bypassing security measures, and demonstrating the business risk of security exposures to executives and organizational decision makers.

Before his life as a penetration tester, Billy worked as an Information Assurance Analyst for the Defense Information Systems Agency (DISA). While at DISA, Billy helped protect Department of Defense (DoD) information systems by performing network intrusion detection, vulnerability analysis, incident handling, and formal incident reporting on security related events involving DoD information systems. Before attacking and defending information systems, Billy was an active duty Officer in the United States Marine Corps.

Billy has spoken at numerous security conferences including Blackhat Briefings, Bluehat, RSA and DEFCON. Billy holds a Bachelor's degree in Business Administration, a Master of Science degree in Information Systems, and a Master of Business Administration.


We've been Hacked! What went Wrong and Why (Mark Goudie)

This presentation is based on the Verizon Business Data Breach Investigations Report (DBIR) and will be delivered by Mark Goudie, one of the co-authors of the report. The DBIR is a collaboration between the United States Secret Service Cyber Intelligence Section and Verizon Business to collect and analyse what we believe to be the world's largest study of data breaches, consisting of over 900 cases and 900 million compromised records across six years.

We have learned a great deal from this journey and we're glad to have the opportunity to share these findings with you. As always, our goal is that the data and analysis presented in this report prove helpful to the planning and security efforts of the audience. To ensure we provide an informative and balanced view, the presentation will show the effects of these attacks from two perspectives: firstly the number of data breaches, and secondly the number of records, or pieces of data, stolen.

Mark Goudie is the Verizon Business Managing Principal for Investigative Response in Asia-Pacific and brings more than 20 years' experience in IT to this role. He is a Melbourne resident and an experienced computer forensics investigator who has led many high-profile data compromise investigations. He is an author of the Verizon Business Data Breach Investigations Report and is a regular speaker at industry conferences including AusCERT, OWASP, the PCI DSS Compliance Conference, and the INTERPOL Information Security Conference.


Web Scanners FOR THE WIN... (Louis Nyffenegger)

More and more organisations think an automatic web scanner can replace pentesters. Even if it may be true in some cases, I will demonstrate that most web scanners don't do a decent job and cannot be used to ensure that a website is secure.

Most arguments against web scanners are based on the fact that these scanners cannot understand the business logic behind applications; however, we will see that scanners are not even able to properly find vulnerabilities like SQL injection or command injection.

Based on commercial and open source tools, this presentation will take some examples of web vulnerabilities and go through each scanner's results for good lulz.

Snyff is a French security consultant working in Melbourne. He specializes in web security and tries not to waste his time on mouse-over-click-jacking or any other ridiculous web vulnerability. He also enjoys playing with commercial web scanners and lolling at how shit they are. His hobbies include drinking Fat Yak, mirc32.exe, yelling at strangers and wearing speedos.


Prospecting for Rootite: More Code Coverage, More Bugs, Less Wasted Effort (Ben Nagy)

Everyone wants better code coverage for their fuzzers. Work in the field has ranged from the extremely theoretical to the downright impossible. Recently, Microsoft and Charlie Miller both released research on using runtracing to select a set of templates in such a way that maximum code coverage is achieved. Trouble is, Microsoft have the advantage of source code access, and Charlie is using Valgrind. The bad news for people fuzzing Windows files is that there have been no viable options for closed source targets. Well, now there are. We're releasing some scripts to mine search engines for templates, a scriptable runtracer that doesn't suck, and the post-processing backend to select the minimal template set. We'll also drop some interesting fuzzing metrics based on our internal use of Prospector, and probably an 0day or two.

Ben Nagy is a senior security researcher with COSEINC, and recently moved from Kuala Lumpur to hack with a view of the mountains in Kathmandu. For over a year he has been exploring ways to improve fuzzing scalability, especially against complex, closed source targets like Windows and Office. Previously working on liver destruction with eEye in Geneva and Bangkok, Ben has written whitepapers on a number of subjects and presented at conferences in Europe, Asia and Australia. Ben is probably that guy over there drinking beer and talking about Ruby.


Ghost in the Shell(code) (Matthew de Carteret)

Shellcode is the crux of any exploit being run today. It dictates what the exploit aims to gain from its use; without shellcode the exploit does nothing. Understanding what shellcode does can be a major step in the incident handling process. Shellcode can do anything you can imagine code could do. Not every shellcode used in an exploit downloads malware or spawns a shell. Times have changed and the targets have updated their protection. Shellcode today could be a straightforward API call to download a file and execute it, or it could be code that just disables or creates a firewall rule on your Windows server.

Catching an exploit is a great step in understanding the purpose of an attack. Extracting and reviewing the shellcode lets your incident handlers work efficiently: they can collect the malware it references and focus their reviews on the particular services or applications it targets.

This talk will demonstrate methods on captured exploits for extracting shellcode and understanding its purpose.

Matt is a Senior Threat Analysis escalation engineer located in the Brisbane SOC. He is working on getting his SANS GIAC Reverse Engineering Malware certification (and hopes to have this cert prior to presenting). Working in the SOC gives Matt a great perspective on active exploitation in the wild and the techniques used by malware authors and pentesters. Matt has a considerable employment history including deployment, pentesting and network administration.


Instrumenting the Linux Kernel with Kprobes for Anti-Security (Ryan O'Neill)

After using the Linux kernel's native kprobe API for security purposes, it was a natural thought that using kprobes for anti-security was quite viable as well. We will be discussing the application of kprobes in general, some of the kprobe internals, examples with proof-of-concept rootkit technology, and methods of hooking functions for other purposes using kprobes, despite certain constraints that are implemented in the kprobe interface. The pros and cons of using kprobes for modifying kernel code will be discussed. We will also go over methods of preventing kprobe malware detection, as well as methods of detecting kprobes even when they are unlinked or hidden from sysfs.

Ryan O'Neill is a professional computer security researcher from the USA whose job entails kernel development for many innovative and exciting projects that fall under such categories as anti-forensics, forensics, RE, and solutions for exploitation prevention -- the list goes on.

Ryan holds a secret government clearance, and works mostly on projects funded by the DoD through an un-named (but super elite and unique) company based in the US.

Ryan has been a security hobbyist since 1999 when he first installed Linux and began programming in C. Immediately security became an interest, and over the years Ryan has learned and developed a broad range of hacker technology such as exploits, rootkits, and anti-forensic technology. Of course this has not been without the help of friends and mentors along the way.

Ryan would say that he loves the security aspect of engineering code because of the vast amount of space left open for creativity and solving hard problems that sometimes require an artistic mindset... not to mention the everyday experience of learning something new.


Virtualization Security State of the Union (David Jorm)

Virtualization and cloud computing technologies provide a unique set of security problems. Where one host runs multiple virtual guests, a new inter-guest attack surface is exposed. Several recent vulnerabilities have taken advantage of this, allowing for inter-guest attacks. This talk describes the key categories of virtualization related vulnerabilities, narrated by a time line of critical CVEs. Defence attempts are also discussed, with emphasis on SELinux and the efforts of the sVirt project.

David Jorm is a software engineer and technical writer based in Brisbane. He has worked on superannuation fund infrastructure, web apps security, optical character recognition, meteorological synoptic networks, Chinese hotel reservations and mental health education initiatives. He currently works as a technical writer for Red Hat, specializing in virtualization products. He also runs an international autonomous workers collective for web application development and studies Geography, Mathematics and Chinese at the University of Queensland.


'No Holds Barred' Penetration Testing (Jarrod Loidl)

This presentation aims to explain why security consultancies are losing the war in providing meaningful value to clients in Australia and what the security industry must do to effect positive change. Conversely, this talk will also tell potential clients who wish to commission penetration tests what they need to do in order to gain the greatest value from them: creating an environment that accepts the problems found and is willing to properly remediate findings.

This talk is not intended to pinpoint blame but rather to provide an industry update with some context. While the conclusions can be debated, the evidence presented that changes are needed will be irrefutable.

This presentation will be delivered by someone who has walked both sides of the fence - the client's side having hired multiple professional penetration testing teams and driven remediation efforts, to the consulting side and seeing the commercial realities facing consultancies and the pain experienced by multiple clients.

Jarrod Loidl is a Senior Security Consultant with Dimension Data specialising in Risk and Design services. He has presented at the Melbourne AISA and OWASP chapters as well as Dimension Data clients around the country. He holds a strong interest in security architecture, penetration testing and pragmatic approaches to security and risk management.


The Computer Forensic & eDiscovery Tools that Time Forgot (Adam Daniel)

With the growing popularity of Computer Forensics and Electronic Discovery in both law enforcement and the private sector, the recent focus has very much shifted towards vendors creating bigger, better and faster programs to analyse, examine, search and recover electronic evidence. Point-and-click tools and training courses churn out today's "certified" examiners, many of whom forget the most important and fundamental tools of a good forensic operator: deep knowledge and skills.

Using real-world case examples I will show how cases can be won or lost not on the power of the software used, but on the in-depth understanding of the operator. I'll also give examples of how accurate results can be achieved using standard non-forensic tools and open-source utilities.

Adam has over 15 years of experience in the IT industry specialising in data conversion, data recovery, computer forensics, and electronic discovery. He has given evidence in just about every major court jurisdiction in Australia on everything from high-profile corporate crime to murder cases, as well as performing large-scale investigations for the ACCC, ASIC, and the CDPP among others. He designed and developed the protocols for the conversion of all legacy computer media for the National Archives of Australia and has managed some of the largest e-discovery jobs performed in the country.


Rux Lox - An Introduction to Lockpicking (Graeme "Wily" Bell)

There has been a rise in the popularity of picking locks for fun in the last decade. Through live demonstrations, this presentation will introduce the unfamiliar to the weaknesses of pin-tumbler locks. An informal hands-on workshop and discussion will follow.

Graeme is an IT professional by day, and can usually be found playing music and drinking in overpriced Melbourne bars by night. After he has mastered picking locks, the unicycle is next.


DEP in Depth (Brett Moore)

An in-depth look into Data Execution Prevention on Windows systems, and how it can be bypassed. Multiple different bypass techniques will be explained in technical detail, covering Windows 2003 through to Windows 7.

Examples will cover both stack and heap exploitation scenarios, and will cover the DEP opt-in, opt-out and permanent states.

Having conducted vulnerability assessments, network reviews, and penetration tests for the majority of the large companies in New Zealand, Insomnia founder Brett Moore brings with him over six years' experience in information security. During this time, Brett has also worked with companies such as SUN Microsystems, Skype Limited and Microsoft Corporation by reporting and helping to fix security vulnerabilities in their products. Brett has released numerous whitepapers and technical postings related to security issues and has spoken at security conferences both locally and overseas, including BlackHat, Defcon, Ruxcon, and the invitation-only Microsoft internal security conference called BlueHat.


Hooray for Reading: Hacking the Kindle (Peter Hannay)

The Kindle is an ebook reader device with a number of unique features. There are a number of security layers in this device, all of which are easily defeated. In this talk Peter will discuss the existing methods of bypassing these security layers and then move on to some non-conventional uses of one particular feature: the cellular data connection. The outcome is the establishment of an SSH tunnel via this device. Tethering your Kindle? Yes.

Peter Hannay is a PhD student, researcher and lecturer based at Edith Cowan University in Perth Western Australia. His PhD research is focused on the acquisition and analysis of data from small and embedded devices. In addition to this he is involved in smart grid research and other projects under the banner of the SECAU research organisation.


How to do Real World Computer Forensics ... and not get Burned (Nick Klein)

Sooner or later, most IT folks will be asked to do some form of investigation, whether it's looking into misuse of email or the Internet, investigating a system compromise or even a rogue employee stealing company secrets. Most will have the technical skills and interest to help, but can easily get caught in the minefield of technical, legal and procedural traps that computer forensic investigations entail. Based on the philosophy that it's always good to learn from mistakes - especially someone else's - this presentation will be full of war stories and practical advice to help you get results while staying well clear of the deep stuff.

Nick started life as an IT auditor before moving into IT security back in the 90's, when companies started connecting to the Internet. He worked in the High Tech Crime team of the Australian Federal Police on cases ranging from counter terrorism to computer hacking, before joining Deloitte's Forensic practice in 2005. Last year he started his own independent computer forensic company based in Sydney and hasn't seen much daylight since. Today his investigations include financial fraud, corruption, employee misconduct, theft of IP, authenticity of evidence, commercial litigation, e-discovery, online child abuse and even a bit of good old fashioned SQL injection.


Identifying C structs from Binaries (Kuza55)

This talk will show an attempt to build the typical manual reverse engineering process of identifying what data structures a program uses into an automated tool that you could run before ever having to look at a binary.

Along the way we will look at some specific implementation details, some prior work in this area, and some interesting tools and ideas from academia that I stumbled into while attempting this; examine what I did wrong and how doing it wrong both helped and hindered me; and possibly release a working tool for people to use.

kuza55 isn't really sure why he still goes by his handle, given you can pretty easily find his real name by now, however he's been giving presentations (mostly on web security) with it since 2007 at conferences such as CCC, Bluehat, XCon and Ruxcon. Currently kuza55 is working for Azimuth Security where he gets to build cool stuff like the above in his work time!


Australian Internet Security Initiative - Cleaning Up Our Own Backyard (Mark Chaffe)

The Australian Communications and Media Authority (ACMA) is helping in the fight against botnets with the Australian Internet Security Initiative (AISI), an anti-botnet initiative developed in house. This talk will provide an overview of our activities within the ACMA, focusing on the AISI, its data sources and the technology used, and related systems such as the Spam Intelligence Database (SID).

Mark Chaffe is a security professional living in Melbourne. He works in the e-Security Operations Section at the Australian Communications and Media Authority.


An overview of AFP High Tech Crime Operations (Alex Tilley)

The Australian Federal Police's High Tech Crime Investigations area deals with an increasingly wide variety of cases and incidents each year. In this presentation you will be taken through a few of the more interesting cases and incidents with an eye to providing the audience with an insight into the types of work the AFP are tasked to undertake each day.

Alex has been in IT security for almost 10 years; his background is in (legitimate) online casinos and banking IT security. He is currently fighting the good fight with the AFP's High Tech Crime Operations/Investigations area. He is a Queenslander who is trying to deal with the weather in Melbourne, where he now lives.


Fast Automated Unpacking and Classification of Malware (Silvio Cesare)

Silvio developed a signature-based malware detection system using control flow graphs as features for his Masters work. Two academic papers were published during this time. He continues the work on malware classification in his PhD. The work is distinguished from previous research by being able to approach the speed and efficiency of traditional Antivirus, yet with the significantly increased effectiveness of using control-flow-based signatures. Control flow is seen as a more accurate identifier of malware variants, since it relies on fingerprinting program structure instead of byte-level content. The system is designed to scale for potential applications including desktop Antivirus, E-Mail and Internet gateways.

Silvio Cesare is a PhD student at Deakin University. He has recently submitted a Masters thesis on "Fast Automated Unpacking and Classification of Malware" to CQ University. Silvio has previously worked in the United States, France, and his home of Australia in the security industry before pursuing academic studies. His past work includes being the Scanner Architect for vulnerability management company Qualys. He has presented at academic and industry security conferences including Blackhat and Cansecwest. Silvio presented at the first Ruxcon in 2003, documenting vulnerabilities resulting from an audit of open-source operating system kernels. He has published full papers for partial results of his Masters thesis at AINA2010 and AusPDC2010.


Hackerspace - Robots & Dinosaurs (Gavin Smith)

Hackerspaces are creative places for geeks. They're workshops full of equipment, tools and materials, where people come together to work on projects, share ideas and collaborate. Ever wanted to use a 3D printer? Cut metal in a CNC miller? Need a soldering iron at 3am? Then hackerspaces are for you.

Robots & Dinosaurs runs a space for hackers in Sydney. It has a DNA sequencing machine, a MakerBot 3D printer, multiple CNCs, a furnace, a woodworking shed, two sewing machines, ADSL2 and a frankly unreasonable number of soldering irons. It's also a really open community: every geek is right at home. People work on a huge range of projects in a big communal space. There are active spaces in every capital city, which you can find at hackerspaces.org.

Hackerspaces embrace open standards, including the Open Hardware Definitions, open source software, and collaborative software sites.

A show and tell of some members' projects will be done, including 3D printers, quadcopters and animatronic squid hats, amongst others.

Gavin Smith is the president of Robots & Dinosaurs, the Sydney Hackerspace. He built a MakerBot 3D printer, and runs it at the space alongside a CNC milling machine and "Mr DNA", the DNA sequencing machine. He competed in Rocket Car Day XII, beating several other cars with his innovative 'big block of wood' design. Professionally he's a robotics and automation engineer, and worked on commissioning the storage ring RF system at the Australian Synchrotron.


Security in Public-Safety Radio Systems, APCO Project 25 (Steve Glass and Matt Robert)

Project 25 (P25) is the standard used by police and emergency first-responders across the US, Australia and New Zealand. OP25 is a free software project we've initiated that allows us to receive, analyse and transmit P25 traffic using the USRP/GNUradio software-defined radio suite.

This presentation will give an introduction to the basics of software-defined radio using the GNURadio framework, provide a detailed analysis of some of the security flaws present in P25 and show how these can be exploited to conduct targeted denial-of-service attacks and key-recovery attacks.

Matt Robert is an independent security researcher with an interest in GNUradio, wireless/RF technology and cryptography. He is employed as an IT Infrastructure engineer. In his spare time he enjoys flying competition aerobatics in a small, high-powered biplane called the Pitts Special over the outskirts of Sydney.
