like, comment and subscribe: effective communication of security advice

for everyday people, security advice is confusing, boring, and ever changing. in response, we’ve developed what essentially are superstitious habits — theatrical, security-flavoured actions that we repeat in hopes of protecting ourselves from “the hackers”. there are two big problems here. first, how do we effectively communicate relevant security advice to non-experts? and secondly, is that advice even persuasive enough to encourage real behavioural change? what kind of advice should we be conveying, and to whom? in this talk we’ll cover why everyday people don’t follow security advice. to help us come up with some solutions, we’ll introduce concepts from behavioural design, psychology and medicine. and i’ll put the theory to the test by trialling some unconventional ways of communicating security to the masses.

a lil worksheet.pdf links and resources.md youtube video

building castles - a metaphorical journey through time and space

everyone whispers "security architecture" like it's some arcane art that you get taught on a mountaintop by a guru once you have your prerequisite 15 years industry experience and have submitted sufficient CPE points to the guild. but it's not. it's really simple. it's so simple that we're going to learn security architecture without even talking about computers. from people that lived a thousand years ago. these people didn't even know about germ theory or that the earth orbits the sun or that limes could prevent scurvy, but they knew how to select, layer, and implement mutually supporting security controls, and how to form them into cohesive, secure architectural patterns, resulting in structures that would stand the tests of both time and persistent, targeted attacks. come with us now on a journey through time and space, to the metaphorically fertile world of castle building

purplecon.pdf youtube video

Developers Against the Dark Arts

Many web app frameworks are robust by design and embody good security practices. But why and how do sites get hacked anyway? What can developers do about it? And why are wizards involved? Come and learn how to defend your web app by taking a deep dive into the defences implemented by Professor Dumbledore against Lord Voldemort and his cronies. We’ll examine threat modelling, defence in depth, disaster recovery, mitigating common vulnerabilities, and how to avoid your best efforts being bypassed by an eleven-year-old with a keyboard or a copy of “Hogwarts, A History”. Warning: this talk will contain spoilers for the Harry Potter books.

Devs Against the Dark Arts.pdf youtube video

Making Pentesters Sad: Low-hanging Fruit For Enterprise Defenders

As defenders of all things made from computronium, it is your duty to ensure attackers are miserable at all times. Unfortunately, you may never get to see the looks on their sad little faces. Fortunately, pentesting got invented by attackers who were scared of jail, and seeing pentesters be sad is almost as satisfying as the real thing. If you come see him talk, Mike is going to tell you what changes to implement in a typical enterprise Windows/AD environment that will actually make pentesters (and real attackers) be as sad as they ought to be, so you can watch. Once Mike's done betraying his profession, you'll be able to use what you've learned to avoid going through the screaming agony of change management for changes that won't make a lick of difference to attackers, and will only make you and your users sad. Mike also promises that he will not suggest that you 'just tell your users to choose better passwords' or 'patch every single thing all the time always', nor will he be trying to talk you into implementing complex architectural changes like BeyondCorp or Red Forest.

MakeMikeSad.pdf youtube video

Linux Rapid Compromise Assessment

This talk discusses how to rapidly assess a Linux host for common and uncommon signs of compromise. We will discuss frequent signs of attack for rootkits, malware, and other malicious activity using standard system tools and without specialized knowledge. We'll also provide a triage checklist you can keep handy to quickly assess a Linux system for common signs of compromise.

Linux.Compromise.Detection.Command.Cheatsheet.pdf Linux.Compromise.Detection.Presentation.pdf youtube video

How .tf to do Infrastructure as Code

Get started with Terraform and AWS - insights from a site reliability engineer and a developer. We’ll share what you need to know to be on the best path for the security and stability of your platform. Pray to the demo gods as we walk you through a data ingestion feature with role based access control across multiple environments.

How .tf to do Infrastructure as Code.pdf my_first_terraform-master.zip https://github.com/duckalini/my_first_terraform user-login.gif youtube video

Caring for our pen tester friends

Quality assurance teams are becoming more context driven and collaborative. QA Testers are now needed from design through to supporting their applications into production. Yet we still ask external security testers to test our applications engaging them at the end just before we ship to production. Often armed with very little handover we ask them "Did we built it securely?". I see a big gap between external security testers and development teams, its making life hard for both teams. I also see the damage it does to good security testing. Its time to bring these two team closer together and start take better care of our pen tester friends.

youtube video

Advanced Endpoint Protection: Securing the Meaty Bits

You know how it is -- you want to make your work/flat/Sailor Moon fanclub/open source project more secure, so you come up with a brilliant plan, get things set up juuuust right...and people ruin all your hard work by ignoring your advice and finding ways round your security measures. What can you do? Give up, pour a stiff whisky, and go on another Slack rant about how stupid and lazy users are? Focus on the bits you can control, and make sure everyone knows it’s not your fault when something goes wrong? Or would you rather understand why people keep thwarting your efforts, so you can get them on board and develop a security programme that works? Let’s take a deep dive into the most complex and hard-to-secure component of your network: people. Why don’t they seem to listen or care? What can you do about it? And what does any of this have to do with mysterious fifteenth-century manuscripts and dinosaur facts? In this talk you’ll learn about some of the unpatched vulnerabilities in human information processing and communication protocols that make them infinitely frustra...err, fascinating, and discover how you can (lovingly and respectfully) exploit them to help make your life easier and your security efforts more effective.

AdvancedEndpointProtection.pdf youtube video

What does it take to run a bug bounty program?

"Run a bug bounty!" This advice has been shouted to the rooftops across the security community. But what does it actually take to run a bug bounty program? Learn about the benefits of running a bug bounty program, as well as what challenges you'll likely encounter and how you can mitigate them.

Bug Bounty Introduction, Common Problems and Practical Solutions - article.pdf Bug Bounty Introduction, Common Problems and Practical Solutions - slides.pdf youtube video

WebAuthn: Multi-factor Auth for Everyone!

Everybody knows that passwords suck. Implementing better things, like multi-factor authentication, can be really tricky and require a bunch of specialist bits though. Or does it? The new WebAuthn standard makes it dead simple to add multi-factor authentication to your web app. Let’s find out how!

Do you know what your containers are made of?

Containers are a great way to run software; you can think about the container as a black box that provides you a service and get on with your life of writing our own business critical software. Then one day you'll do a review with professional security people, and they'll be like "hey, these docker containers; how much do you trust redis:latest?" and then it's time to embark on a journey of discovery until you get back to Ken Thompson's "Reflections on Trusting Trust" paper from 1984 and throw up your hands ¯\_(ツ)_/¯ We'll talk about building up a system to have confidence in the building and deploying of containers; from pulling public containers to having your own pipeline, and the benefits that brings.

https://github.com/mossnz/purplecon-docker youtube video

Cyber Ethics: 10 Cmdlets to Creating Trust in Cyberspace

As a society, we need a shared culture and rules to engage with others. Rules are important because they give us something we can trust, certainty we can rely on. More and more of our world is moving to cyberspace but digital trust seems to be deteriorating on a daily basis. Why? In meatspace, we divulge our secrets to lawyers we hire, trusting that they abide by a code of ethics which prevent them from leaking those secrets. We have no such trusted professionals in cyberspace. Security professionals and developers are often privy to confidential information of individual users but there is no code of ethics across the industry to establish trust with the end user. Just as lawyers and legislators are wordsmiths in a position of trust in meatspace, security professionals and developers need to step up and help create trust in cyberspace!

Cyber Ethics_ 10 Cmdlets to Creating Trust in Cyberspace.pdf youtube video

Encoding Privacy

Privacy - its about giving people control of their information in the face of technology that lessens that control. Developers are critical to privacy - they shape how an agency collects information, how it stores it and what it uses it for. Throughout the development process Developers have the ability to help agencies do good privacy. Plus, no one wants to be responsible for leaking the details of everyone's affairs *cough* Ashley Madison.

slides.pptx youtube video

Roast Criminals, not Marshmallows

It's 6am and you awake to the smell of freshly brewed coffee and the sound of eggs rattling away in the boiling water of a sauce pan. You rub your half-open eyes, stretch your arms out and enjoy yourself a solid, life-giving yawn. After slipping your feet into your plush Merino slippers you hobble toward to the curtains of your expansive bedroom and draw them open. Outside, your once flourishing corn fields lay scorched and smoldering, and the neighboring paddocks are dotted with llamas who are somewhat oblivious to the pine forest inferno that rapidly approaches them from the South. "Honey, grab the marshmallows, we got ourselves a bush fire", you excitedly announce. 2017 saw the birth of group of vigilante blue teamers who had a collective agreement that there were a lot of fires in our backyard and no shortage of people finding amusement (or nourishment) in them - but nobody proactively finding them. Thanks to an abundance of spare time, a bit of Kiwi ingenuity and the inception of our wonderful national CERT, the team of 6 have tirelessly worked away at developing their capabilities so they can find and resolve the problems that others seem to ignore. Breaking his code of silence, Chris will introduce you to the evolution of the group and the platform that enables them, discuss some of their insights, and equip you with tools and techniques so you too can join the hunt.

youtube video

Surviving Your First Incident

Incident Management is the often hidden, and not glamorous side of computer security. It is also one of the most important. I'll explain an methodology for handling incidents both large and small, and hopefully afterwards you won't find it as daunting when you need to handle one yourself.

Bryan Nolen - Surviving Your First Incident (Purplecon 2018).pdf youtube video

Agloe - What the map makers of the 1930s can teach us about protecting our data in 2018.

What does the little town of Agloe, Colchester, NY have in common with modern day data protection? Why when I look for directions to Agloe, Colchester, NY do I only get a partial match? And what do yellow small birds have to do with anything? In this talk we are going to do the time warp back to the 1930's and see what the General Drafting Company can teach us about securing data and breach notification and how to apply these concepts in the modern day. Using free and open-source solutions I'll show you that information security isn't all about expensive third-party products and Security Operations Centers' (SOC), rather, by using some defensive thinking and a bit of creativity, with your exisiting infrastructure and services you too can easily identify data breaches, and catch the bad guys in the act with the tools you already use in your own environment. Come along for a lesson on the anatomy of the canary.

agloe_what_the map_makers_of the_1930s_can teach_us_about protecting_data_in_2018.pdf youtube video