Our lead infosec analyst Pierre and I recently had the opportunity to attend CyberCon 2019 in Melbourne. The event is organised by AISA in collaboration with the Australian Cyber Security Centre (ACSC). This event brings in 140+ infosec speakers and individuals from over 24 countries.
With so many interesting sessions in technical, governance, and commercial ‘tracks’ it was difficult to select just one for any given hour-long block of time! Many of the sessions were so packed, people were standing in the lobby watching a feed of the session delivered to screens outside the conference rooms.
After some ‘haggling’ over who would go to what session, we managed to attend a fair number of these sessions and demos over the 2 days, as well as engage in some networking with colleagues and industry experts.
Day 1 - Attack (dis)information
Day 1 started with a keynote speech by Dr Karl on Critical Thinking being our Last Line of Defence against attackers. It’s always interesting to hear Dr Karl talk on serious subjects with his usual brand of humour, which I find indicative of a deep passion for the subject matter.
The human brain is such a malleable thing, and it’s in human nature to be trusting – something that malicious actors take advantage of everywhere. We live in a world of ‘fake news’, advertising impersonating legitimate content and flat-earth conspiracy getting air-time. Improving our critical thinking skills can only help us in a world where the speed of information accelerates daily.
The rest of the day was filled with sessions and presentations from cybersecurity leaders in government and enterprise. Technical sessions ranged from detailing the use of offensive espionage tools, identifying vulnerabilities in credentials, and the importance of secure coding practices, to a capture the flag (CTF) event! Governance sessions covered the commercial impact of cybersecurity, security by design, cybersecurity in the financial sector, improving security awareness, and more.
The look on this speaker’s face whilst looking at his slide speaks to his topic – state/local Government InfoSec maturity.
Thanks to the ACSC we had the opportunity to meet Kevin Mitnick – “The world’s most wanted hacker” – at a book signing event. Kevin revealed to us he’s currently in talks with Sam Esmail of Mr. Robot fame for a movie deal. Interesting!
The events for the day ended with a plenary speech and on-stage hacking demonstration by Kevin Mitnick on how hackers attack and how we should fight back. Kevin demonstrated the use of USB drops and other social techniques to obtain administrative access to systems, expressing the general ease of attack through a human target and the importance of security awareness.
Kevin currently acts as ‘Chief Hacking Officer’ for KnowBe4, a company specialising in security awareness training services for organisations.
What a night! Shortly after the final keynote, the party started at the South Promenade Wharf with food, drinks, and live music entertaining a 1,400 strong crew of conference attendees. Paella stations, ice cream vendors, interesting networking opportunities and a beautiful view of the Melbourne dockside made this a night to remember.
Speaking with some of the delegates there, I found a consensus of this event being the most valuable CyberSec focused conference in Australia. I have to agree.
Day 2 – Censured Actions?
The day 2 keynote speech by Bruce Schneier detailed securing the world of increasingly physically capable computers, focusing specifically on the Internet-of-Things and ubiquitous “smart” devices.
Code quality takes a backseat to speed of delivery in this world of ‘release early, release often’. Because of this, bugs are a certainty, and exploitation of those bugs to compromise a system is just a matter of time. An autonomous car is not a word processor, and rushing out code can put lives at risk when a vulnerability allows your brakes to be hacked.
Also covered were so-called “collective action” problems. In many areas of insecurity, secure solutions have existed for some time – but they require collective initiative and action to implement. Too many of us are waiting for the ‘next guy’ to do something before we start on it. If everyone is waiting, no-one acts, and we’re all exposed.
Bruce’s recommendation is regulation, and he argues technologists should influence, or at least be a part of, policy-making decisions by government. He expresses that it is the role of technologists to instruct industry on how to act and what to act on regarding ensuring the confidentiality, integrity, and availability of these “computers with things attached”.
Pierre then attended talks on issues surrounding drone security, and governance sessions giving recommendations on how we should humanise cybersecurity for greater influence and impact. I took off for a meeting, but made it back in time for the open-mic.
We were both treated to open-mic sessions with cybersec industry icons Brian Krebs and Bruce Schneier, where attendees were able to ask questions about the future of information security. The forum called for questions to be submitted through a mobile app, with all attendees able to see each question posed.
Some hard-hitting and sometimes censured questions around Brian’s involvement with Russian cybercriminals led to laughs, groans, and an overall compelling conversation.
One of the final sessions was delivered in the plenary hall by Paula Januszkiewicz, CEO and founder of CQURE Inc. Paula is one of the few non-Microsoft employees in the world with access to the source code for the Windows operating system.
She worked onstage to give an amazing live demo of the top 10 ways to make hackers excited, detailing her exploits in social and technical pentesting engagements. Her passion for the field carried her over time, and you know a session is good when the organisers have to remind the speaker twice that their time is up!
The event ended with 2 keynote speeches on overcoming barriers to innovation, and how to live in a resilient world. An amazing close to an amazing event. Can’t wait for the next one.