the freshest artists from across the digital realm are coming to purplecon to drop their newest mixtapes. this is our lineup.
like, comment and subscribe: effective communication of security advice
for everyday people, security advice is confusing, boring, and ever changing. in response, we’ve developed what essentially are superstitious habits — theatrical, security-flavoured actions that we repeat in hopes of protecting ourselves from “the hackers”. there are two big problems here. first, how do we effectively communicate relevant security advice to non-experts? and secondly, is that advice even persuasive enough to encourage real behavioural change? what kind of advice should we be conveying, and to whom? in this talk we’ll cover why everyday people don’t follow security advice. to help us come up with some solutions, we’ll introduce concepts from behavioural design, psychology and medicine. and i’ll put the theory to the test by trialling some unconventional ways of communicating security to the masses.
delivered to you by: serena chen
serena chen is a professional pixel-pusher. she is an ex-physicist/mathematician, one-time teen magazine founder, and hacker at heart. she cares deeply about using technology to build a fairer, kinder, and better world.
building castles - a metaphorical journey through time and space
everyone whispers "security architecture" like it's some arcane art that you get taught on a mountaintop by a guru once you have your prerequisite 15 years industry experience and have submitted sufficient CPE points to the guild. but it's not. it's really simple. it's so simple that we're going to learn security architecture without even talking about computers. from people that lived a thousand years ago. these people didn't even know about germ theory or that the earth orbits the sun or that limes could prevent scurvy, but they knew how to select, layer, and implement mutually supporting security controls, and how to form them into cohesive, secure architectural patterns, resulting in structures that would stand the tests of both time and persistent, targeted attacks. come with us now on a journey through time and space, to the metaphorically fertile world of castle building
delivered to you by: liamosaur
liam has worked in many places and times. he is rumoured to be a wizard, but tbh it's just a prematurely grey beard. liam likes upright ducks and is the director of consulting at assurance
Developers Against the Dark Arts
Many web app frameworks are robust by design and embody good security practices. But why and how do sites get hacked anyway? What can developers do about it? And why are wizards involved? Come and learn how to defend your web app by taking a deep dive into the defences implemented by Professor Dumbledore against Lord Voldemort and his cronies. We’ll examine threat modelling, defence in depth, disaster recovery, mitigating common vulnerabilities, and how to avoid your best efforts being bypassed by an eleven-year-old with a keyboard or a copy of “Hogwarts, A History”. Warning: this talk will contain spoilers for the Harry Potter books.
delivered to you by: attacus
attacus was born 1757 during a full moon. During a long and eventful career, she accidentally became Pope, invented the tricycle, and wrote copy for fortune cookies. She is currently an internet gremlin at Assurance and in her spare time enjoys licking poisonous wallpaper and patting dogs.
Making Pentesters Sad: Low-hanging Fruit For Enterprise Defenders
As defenders of all things made from computronium, it is your duty to ensure attackers are miserable at all times. Unfortunately, you may never get to see the looks on their sad little faces. Fortunately, pentesting got invented by attackers who were scared of jail, and seeing pentesters be sad is almost as satisfying as the real thing. If you come see him talk, Mike is going to tell you what changes to implement in a typical enterprise Windows/AD environment that will actually make pentesters (and real attackers) be as sad as they ought to be, so you can watch. Once Mike's done betraying his profession, you'll be able to use what you've learned to avoid going through the screaming agony of change management for changes that won't make a lick of difference to attackers, and will only make you and your users sad. Mike also promises that he will not suggest that you 'just tell your users to choose better passwords' or 'patch every single thing all the time always', nor will he be trying to talk you into implementing complex architectural changes like BeyondCorp or Red Forest.
delivered to you by: Mike Loss
Mike Loss is a filthy turncoat. He spent years toiling as a noble sysadmin, but has spent the last few years working as a tester for Asterisk Information Security in Perth, Western Australia. He enjoys testing far too much and wants you to make it be less fun for him.
Linux Rapid Compromise Assessment
This talk discusses how to rapidly assess a Linux host for common and uncommon signs of compromise. We will discuss frequent signs of attack for rootkits, malware, and other malicious activity using standard system tools and without specialized knowledge. We'll also provide a triage checklist you can keep handy to quickly assess a Linux system for common signs of compromise.
Linux.Compromise.Detection.Command.Cheatsheet.pdf Linux.Compromise.Detection.Presentation.pdf youtube video
delivered to you by: Craig H. Rowland
Craig is the founder of Sandfly Security. Craig has been in multiple security startups over his career in the intrusion detection field as a founder or employee. They have been bought by companies like Cisco and 3Com. Craig's new company produces an agentless compromise and intrusion detection system for Linux. He spends a lot of time analyzing malicious code and finding ways to discover forensic traces scattered all around Linux.
How .tf to do Infrastructure as Code
Get started with Terraform and AWS - insights from a site reliability engineer and a developer. We’ll share what you need to know to be on the best path for the security and stability of your platform. Pray to the demo gods as we walk you through a data ingestion feature with role based access control across multiple environments.
How .tf to do Infrastructure as Code.pdf my_first_terraform-master.zip https://github.com/duckalini/my_first_terraform user-login.gif youtube video
delivered to you by: Duck Lawn & Alix Klingenberg
Duck Lawn is a Site Reliability Engineer for a payments company. They spend their day building AWS infrastructure and promoting DevOps practices within their engineering team. They have a passion for sustainable on call rosters and shared responsibility for production systems. In their spare time they do content management for @BernardOfKRoad and would love to peruse cat pictures. Alix is a software developer working at Auror HQ. Don’t ask her about facial recognition.
Caring for our pen tester friends
Quality assurance teams are becoming more context driven and collaborative. QA Testers are now needed from design through to supporting their applications into production. Yet we still ask external security testers to test our applications engaging them at the end just before we ship to production. Often armed with very little handover we ask them "Did we built it securely?". I see a big gap between external security testers and development teams, its making life hard for both teams. I also see the damage it does to good security testing. Its time to bring these two team closer together and start take better care of our pen tester friends.
delivered to you by: SparkleOps
Brendan is an Application Security Specialist who loves helping teams with secure development, threat modelling and being involved with the penetration testing of their applications. Outside of Application Security Brendan leads a threat hunting group dedicated to finding and disclosing threats to NZ's internet space to our CERT. Brendan spends his spare time slowly studying towards a masters of wine and reading comics in his blanket fort.
Advanced Endpoint Protection: Securing the Meaty Bits
You know how it is -- you want to make your work/flat/Sailor Moon fanclub/open source project more secure, so you come up with a brilliant plan, get things set up juuuust right...and people ruin all your hard work by ignoring your advice and finding ways round your security measures. What can you do? Give up, pour a stiff whisky, and go on another Slack rant about how stupid and lazy users are? Focus on the bits you can control, and make sure everyone knows it’s not your fault when something goes wrong? Or would you rather understand why people keep thwarting your efforts, so you can get them on board and develop a security programme that works? Let’s take a deep dive into the most complex and hard-to-secure component of your network: people. Why don’t they seem to listen or care? What can you do about it? And what does any of this have to do with mysterious fifteenth-century manuscripts and dinosaur facts? In this talk you’ll learn about some of the unpatched vulnerabilities in human information processing and communication protocols that make them infinitely frustra...err, fascinating, and discover how you can (lovingly and respectfully) exploit them to help make your life easier and your security efforts more effective.
delivered to you by: Petra Smith
Petra grew up wanting to be Sailor Mercury – the awkward blue-haired one who used computers to protect the world from evil. Now she’s a #purpleteam security consultant at Aura Information Security, which is pretty close. She gets kind of ranty about privacy, trust, and making digital spaces safe and inclusive for everyone.
What does it take to run a bug bounty program?
"Run a bug bounty!" This advice has been shouted to the rooftops across the security community. But what does it actually take to run a bug bounty program? Learn about the benefits of running a bug bounty program, as well as what challenges you'll likely encounter and how you can mitigate them.
Bug Bounty Introduction, Common Problems and Practical Solutions - article.pdf Bug Bounty Introduction, Common Problems and Practical Solutions - slides.pdf youtube video
delivered to you by: Anton Black
Anton is a stats nerd pretending to be a graduate security engineer at Atlassian. He appreciates pretty pictures of all kinds, especially graphs.
WebAuthn: Multi-factor Auth for Everyone!
Everybody knows that passwords suck. Implementing better things, like multi-factor authentication, can be really tricky and require a bunch of specialist bits though. Or does it? The new WebAuthn standard makes it dead simple to add multi-factor authentication to your web app. Let’s find out how!
delivered to you by: Benno Rice
Benno is a software engineer who has worn many hats. Among those have been such hats as that of a Python developer (he co-created the behave BDD tool for Python), a FreeBSD developer (he started its PowerPC port among other things), a FreeBSD Core Team member (community management is hard, folks), and a conference speaker on subjects ranging from the history of I/O to the problems of leading large open source software projects. He currently lives in Melbourne and works for Yubico making the world a better place.
Do you know what your containers are made of?
Containers are a great way to run software; you can think about the container as a black box that provides you a service and get on with your life of writing our own business critical software. Then one day you'll do a review with professional security people, and they'll be like "hey, these docker containers; how much do you trust redis:latest?" and then it's time to embark on a journey of discovery until you get back to Ken Thompson's "Reflections on Trusting Trust" paper from 1984 and throw up your hands ¯\_(ツ)_/¯ We'll talk about building up a system to have confidence in the building and deploying of containers; from pulling public containers to having your own pipeline, and the benefits that brings.
delivered to you by: Moss
Moss has worked in the exciting industries of online payments and enterprise billing, where he has been called "a great defense against the dark arts teacher".
Cyber Ethics: 10 Cmdlets to Creating Trust in Cyberspace
As a society, we need a shared culture and rules to engage with others. Rules are important because they give us something we can trust, certainty we can rely on. More and more of our world is moving to cyberspace but digital trust seems to be deteriorating on a daily basis. Why? In meatspace, we divulge our secrets to lawyers we hire, trusting that they abide by a code of ethics which prevent them from leaking those secrets. We have no such trusted professionals in cyberspace. Security professionals and developers are often privy to confidential information of individual users but there is no code of ethics across the industry to establish trust with the end user. Just as lawyers and legislators are wordsmiths in a position of trust in meatspace, security professionals and developers need to step up and help create trust in cyberspace!
Cyber Ethics_ 10 Cmdlets to Creating Trust in Cyberspace.pdf youtube video
delivered to you by: Judy Ting-Edwards
Privacy - its about giving people control of their information in the face of technology that lessens that control. Developers are critical to privacy - they shape how an agency collects information, how it stores it and what it uses it for. Throughout the development process Developers have the ability to help agencies do good privacy. Plus, no one wants to be responsible for leaking the details of everyone's affairs *cough* Ashley Madison.
delivered to you by: Sophie Richardson
Sophie is a long time security enthusiast, first time security conference speaker. Sophie works for the Office of the Privacy Commissioner and advises on all things privacy and security related. In a previous life Sophie was a Customs Officer busting the bad guys and playing with the sniffer dogs (no I did not take your banana, that’s MPI). Sophie has also worked for the Inspector-General of Intelligence and Security and can neither confirm nor deny that she was involved in the Jason Bourne programme. In her spare time Sophie bakes for Good Bitches Baking and runs half marathons to burn off the baking.
Roast Criminals, not Marshmallows
It's 6am and you awake to the smell of freshly brewed coffee and the sound of eggs rattling away in the boiling water of a sauce pan. You rub your half-open eyes, stretch your arms out and enjoy yourself a solid, life-giving yawn. After slipping your feet into your plush Merino slippers you hobble toward to the curtains of your expansive bedroom and draw them open. Outside, your once flourishing corn fields lay scorched and smoldering, and the neighboring paddocks are dotted with llamas who are somewhat oblivious to the pine forest inferno that rapidly approaches them from the South. "Honey, grab the marshmallows, we got ourselves a bush fire", you excitedly announce. 2017 saw the birth of group of vigilante blue teamers who had a collective agreement that there were a lot of fires in our backyard and no shortage of people finding amusement (or nourishment) in them - but nobody proactively finding them. Thanks to an abundance of spare time, a bit of Kiwi ingenuity and the inception of our wonderful national CERT, the team of 6 have tirelessly worked away at developing their capabilities so they can find and resolve the problems that others seem to ignore. Breaking his code of silence, Chris will introduce you to the evolution of the group and the platform that enables them, discuss some of their insights, and equip you with tools and techniques so you too can join the hunt.
delivered to you by: Chris
Many teachers throughout Chris' education described him as "a boy who has a complete inability to follow instructions and will probably end up a criminal". Turns out that's not overly untrue. Chris is obsessed with studying criminal systems and methods and identifying ways that physical and logical security can be improved to detect and defeat them. By day he is a blue teamer for a MSP, and in the evenings he hunts bad people on the internet and co-organises the Christchurch ISIG and CHCon.
Surviving Your First Incident
Incident Management is the often hidden, and not glamorous side of computer security. It is also one of the most important. I'll explain an methodology for handling incidents both large and small, and hopefully afterwards you won't find it as daunting when you need to handle one yourself.
Bryan Nolen - Surviving Your First Incident (Purplecon 2018).pdf youtube video
delivered to you by: Bryan Nolen
I have been working in DFIR for the better part of the last decade, and for some large household names.
Agloe - What the map makers of the 1930s can teach us about protecting our data in 2018.
What does the little town of Agloe, Colchester, NY have in common with modern day data protection? Why when I look for directions to Agloe, Colchester, NY do I only get a partial match? And what do yellow small birds have to do with anything? In this talk we are going to do the time warp back to the 1930's and see what the General Drafting Company can teach us about securing data and breach notification and how to apply these concepts in the modern day. Using free and open-source solutions I'll show you that information security isn't all about expensive third-party products and Security Operations Centers' (SOC), rather, by using some defensive thinking and a bit of creativity, with your exisiting infrastructure and services you too can easily identify data breaches, and catch the bad guys in the act with the tools you already use in your own environment. Come along for a lesson on the anatomy of the canary.
agloe_what_the map_makers_of the_1930s_can teach_us_about protecting_data_in_2018.pdf youtube video
delivered to you by: errbufferoverfl
errbufferoverfl is a "white rabbit" hacker by day and a Python developer by night, she loves good looking code, poisonous plants and spending time dreaming up new security tools that eventually (someday) get published. She also suffers a chronic case of refactoring syndrome and checklist-itis. In errbufferoverfl's post-hacker life she worked for SaaS providers trying to make information security and policy more accessible and fun, giving workshops on lock-picking and vulnerability management. If left unattended too long she will resume her Pavlovian-style training to get people to improve security practices.