Presentations at Kiwicon 4

Quick List


TitleRFID (in)securities
AbstractFew contemporary technologies raise as many security-related issues in the public consciousness as radio-frequency identification (RFID). Currently used in areas as diverse as commodity-chain management, building access, banking, livestock traceability, public transit and passports, RFID is promoted by government and industry as a reliable, efficient, convenient and secure communication technology. In contrast, mass media regularly report the relative ease with which signals can be boosted, viruses transmitted, databases hacked, privacies violated and freedoms denied. These kinds of utopian versus dystopian debates commonly accompany the introduction of new technologies, but rarely give people the conceptual and material tools needed to critically and creatively engage the social and cultural concerns at hand. By taking a closer look at some of the expectations, hopes and fears associated with RFID, this presentation aims to open new spaces of collaborative and collective action in the development and implementation of RFID and related technologies.
LocationSat 27 0915 @ RHLT1
Duration45 mins
NameDr Anne Galloway
OriginWellington, New Zealand
BioAnne is fascinated by the social and cultural dimensions of emerging technologies. When not doing research or teaching, Anne can be found reading comics and graphic novels, hanging out with The World's Best Cat and drinking hop-heavy beer.

TitleUnderstanding the Java Serialization Attack Surface

We have recently been asked to perform a number of security assessments which use Java serialized objects to communicate information between client and server. This approach is quite common, particularly in applications which implement some form of thick(ish) client. However, personally, whenever I see these things flying across my proxy I always get excited and think “there has to be something wrong here…”

So is there something really wrong? What should we be concentrating on when trying to attack these applications?

LocationSat 27 1000 @ RHLT1
Duration45 mins
NameDaniel Grzelak
OriginSydney, Australia
BioOh noes, no bio :(

TitleOperational Security For Hackers

So you think you're a hacker?

You’re lying in bed after a hard days hacking and you’re having trouble sleeping. You didn’t leave your IP address anywhere did you? Maybe you should just get up and check, just to be sure.

Hackers don’t get caught, and the last thing you want to do is become “famous”, or become bubbas best prison mate! This talk is about operational security for hackers. How you can sleep at night and hopefully stay out of prison.

I will show case studies from “famous” New Zealand hackers who have been caught including myself. This talk will show information from both sides of the coin, how to misdirect forensic investigators and details from those who work on the side of the law.

You might even get to see the rig I roll and the code I use to protect my data at home.

LocationSat 27 1100 @ RHLT1
Duration45 mins
OriginAuckland, New Zealand
BioEon, Created in Wellington in the early 90's.

TitleFull Circle Kiosk

At the very first Kiwicon I demonstrated a beta project I had started called iKAT. You may remember it, the pornographic themed website which automatically hacked internet Kiosks. Over the past three years I have not stopped developing iKAT and I have continued in my quest to become the "Self Proclaimed King of Kiosk Hacking"

39 Kiosk vendors later and I think I have the title! I have been able to break every off-the-shelf kiosk product that I can find, to top it off I am still lawsuit free! I thought it would be only appropriate for the 4th Kiwicon to revisit iKAT and to have a bit of fun hacking Kiosks on stage.

LocationSat 27 1145 @ RHLT1
Duration45 mins
NamePaul Craig
OriginAuckland, New Zealand
BioLit only with a dying fire, the piles of books and ephemera are circled 'round a solitary chair pulled close to the embers. One pale hand rests on the arm of the leather wingback, loosely holding a tumbler of clear, vicous liquid. Though the occupant's face remains hidden in shadow, you are convinced you are being appraised to some recondite measure. One finger crooks. Come closer, he says. Don't you want to learn...?

TitleCode Analysis Carpentry (or, how to avoid braining yourself when handed a SMT solving hammer)
AbstractThis talk will be one part "Oh look what we can do when we have a Python API for converting code into equations and solving them" and one part "Here's why the world falls apart when we try to attack every problem in this way". One popular method of automated reasoning in the past few years has been to build equational representations of code paths and then using an SMT solver resolve queries about their semantics. In this talk we will look at a number of problems that seem amenable to this type of analysis, including finding ROP gadgets, discovering variable ranges, searching for bugs resulting from arithmetic flaws, filtering valid paths, generating program inputs to trigger code and so on. At their core many of these problems appear similar when looked at down the barrel of an SMT solver. On closer examination certain quirks divide them into those which are perfectly suited to such an approach and those that have to be beaten into submission, often with only a certain subset of the problem being solvable. Our goal will be to discover what problem attributes place them in each class by walking through implemented solutions for many of the tasks. Along the way the capabilities and limitations of the modern crop of SMT solvers will become apparent. We will conclude by mentioning some other techniques from static analysis that can be used alongside a SMT solver to complement it's capabilities and alleviate some of the difficulties encountered.
LocationSat 27 1345 @ RHLT1
Duration30 mins
NameSean Heelan
OriginMiami, USA
BioSean is a security researcher with Immunity. His primary interests are in software verification/program analysis and it's applications to vulnerability detection, reverse engineering and exploit development. Before joining Immunity Sean was a student at Oxford University where his research focused on combining run-time dataflow analysis and decision procedures for exploit generation.

TitleHow Does Your Gut Stack Up?

Inspired by the work of Dan Farmer in his seminal survey of the exploitable internet population "Shall We Dust Moscow" (1997), we use two recently developed tools (WhatWeb by Andrew and BlindElephant by Patrick) to update the global vulnerability census for 2010, discovering unpatched and vulnerable devices and applications across a sample of 2 million hosts. We use the results to pose and discuss various (real and imagined) correlations of security posture to other factors, and surprise ourselves (and hopefully you) in the process.

Who is more up to date; the US or Nigeria? What about porn sites vs governments sites? *Nix based or Windows based? Now: *Why* do you think that, and if the actual answer surprises you, what does that help us learn about our thought process as analysts and security professionals? We bring data (and some pretty graphs and maps) to let you test your instincts against reality and learn to ask deeper questions.

LocationSat 27 1415 @ RHLT1
Duration30 mins
NameAndrew & Patrick
OriginWellington, New Zealand

Andrew Horton is a Wellington security consultant for He provides your favourite daily security news at

Patrick Thomas is a security research engineer with Qualys. He works on automated vulnerability detection tools, malware detection, pragmatic security, and dabbles in the security implications of public policy and vice versa. He percolates and occasionally dispenses ideas on the above at

TitleMonkeying Around on the APE

Internet Exchange Points (IXPs) exist all over the world for the purpose of, as the name suggests, exchanging internet dataz between networks. They're a pretty good way of keeping local traffic off transit links which has all sorts of benefits for network operators consumers of internets alike.

For relatively low cost, IXPs can also get an attacker layer 2 adjacent to a significant number of ISP routers for fun and profit. Sometimes those routers do things that their operators might not expect, and sometimes they do things that their operators probably don't want them to be doing.

Some of the reasons why connecting a Serious ISP Network to an IXP should be approached with a little more caution than it currently appears to be will be covered, along with some examples of what happens when appropriate precautions are not taken.

LocationSat 27 1445 @ RHLT1
Duration30 mins
NameMike Jager
OriginAuckland, New Zealand

Mike is Not A Security Professional, but does have keen interest in all things beer. This seems to fit in well with the security industry's interests.

He recently completed a 6 year stint at a web hosting outfit, where he herded packets, muttered at clouds, played Postman Pat, and snuck up on web applications, tricking them into scaling horizontally when they least expected it.

Having now jumped from the content-hosting to the content-consuming side of the internet services fence, he firmly believes that 240/4 is the solution to IPv4 address exhaustion. And if that doesn't save us, then large-scale NAT will.

TitleWindows Exploit Mitigation Techniques

There's a war going on and depending on which side of the fence you sit, we are winning. Finding a bug is only the beginning; it requires further specialised knowledge to turn that bug into a reliable working exploit that has a commodity value.

Since XPSP2, Microsoft started making advances in OS level mitigation techniques to prevent exploitation. As in any arms race, as one side builds a defence the other side develops a method to circumvent it.

This talk will cover methods introduced since XPSP2 and how these methods can by bypassed to successfully execute arbitrary code. It will also discuss recent advances in bypassing DEP and ASLR and how it is possible - in some cases relatively straightforward - to side step these defences.

One of the few techniques that is lacking in effective public bypass methods is SEHOP, and we will explain how this method developed by skape, 'may' actually be effective when correctly used.

EMET (Enhanced Mitigation Experience Toolkit) is Microsoft's 'strap on' security answer for applications that can't natively secure themselves. Is this the end of the race, or should we expect an Enhanced Exploitation Experience Toolkit to be released in the future?

Have I mentioned ROP?

LocationSat 27 1515 @ RHLT1
Duration60 mins
NameBrett Moore
OriginAuckland, New Zealand
BioNew Zealand's very own security pinup, Brett "Remote Code Execution" Moore has walked the mean streets of these savage lands for over a decade. Shatter attacks? Brett Moore. Heap freelist technique? Brett Moore. Cradling his head in his hands against the back wall of the Defcon stage so he didn't barf on the lectern during his talk? Brett Moore.

TitleAleatory Persistent Threat

Over the years, exploitation objectives have changed alongside the associated efforts by vendors to protect their software. Exploitation has moved from remote exploits on Unix servers to the community focusing on client-side targets, such as document viewers and browsers.

Some prime examples of these are the Aurora and IE peers zero-days actively exploited in the wild. These bugs answer many questions related to what the new breed of attacker is focusing on, yet all hype aside the real lesson is: botnet authors are learning how to fuzz for these vulnerabilities but are not able to write reliable exploits to accompany them.

With that premise in mind, this presentation intends to explore the techniques used to exploit the "use-after-free" bug class on Internet Explorer 8, diving into the API internals, reviewing the art of heap crafting and presenting new techniques to improve it.

LocationSat 27 1645 @ RHLT1
Duration45 mins
NameNico Waisman
OriginBuenos Aires, Argentina
BioNicolas Waisman joined Immunity in February 2004. Nicolas has experience in all areas of offense-related software security, from vulnerability analysis to exploit and trojan development. Nico is an internationally recognized heap expert and teaches Immunity's most advanced class, heap exploitation. Nico has taught governments and commercial sector students from all over the world in both private and public classroom settings.

TitleHow to FAIL at Fuzzing
AbstractHow many fuzzing presentations have you seen that more or less go 'omg i am awesome, and so is my awesome framework' ? I've seen a lot - hell I've GIVEN some. So screw all that - this time I want to bring out the dirty laundry. Here, in all their glory, are my most fantastic fuckups, my most epic errors, my most laughable lessons learned - mistakes I have made so that you don't have to. This talk is not about code, or specific fuzzing tools - it's about wrong approaches, misconceptions, oversights and things that 'should work in theory'. Point, laugh, drink beer, maybe learn something - what's not to love?
LocationSat 27 1730 @ RHLT1
Duration45 mins
NameBen Nagy
OriginKathmandu, Nepal
BioNagy is a senior security researcher with COSEINC, currently working from Kathmandu, Nepal - braving power cuts, wild dog packs and amusing diseases such as typhoid and cholera. For almost two years, he has been exploring ways to improve fuzzing scalability, especially against complex, closed source targets like Windows and Office, and has been credited (inordinately) with 'pioneering' industrial fuzzing. Ben has spoken at quite a few conferences around the world, mainly for the free beer. Except the one in Pakistan. That one had great kebab, though.

TitleHooray for Reading: Hacking the Kindle
AbstractA discussion of kindle security, getting around it and what can be done with the device once all those pesky security measures are defeated. SSH via your kindles free internet connection? Yes.
LocationSun 28 1000 @ RHLT1
Duration45 mins
NameKronicd (Peter Hannay)
OriginPerth, Australia
BioPeter Hannay is a PhD student, researcher and lecturer based at Edith Cowan University in Perth Western Australia. His focus has been in the forensics field, examining GPS devices, video game consoles and embedded systems. In addition to this he enjoys alcohol, long walks along the beach and loves (but is allergic to) cats.

TitleUnsolvable Problems in Computer Security
AbstractThe field of computer security contains many tough problems. Some of them though go beyond simply being hard to being completely unsolvable. This doesn't mean that they're merely currently unsolved, but that they have no general solution, or at least no technology-based one. Using the concept of wicked problems from the field of social planning, this talk looks at some of the more notable - and troublesome - unsolvable problems in computer security. While pointing out that certain problems are in general unsolvable presents a bit of a conundrum, identifying this fact may allow them to be addressed at the business-model or political rather than the technological level.
LocationSun 28 1100 @ RHLT1
Duration30 mins
NamePeter Gutmann
OriginAuckland, New Zealand
BioPeter Gutmann is a researcher in the Department of Computer Science at the University of Auckland working on design and analysis of cryptographic security architectures and security usability. He helped write the popular PGP encryption package, has authored a number of papers and RFC's on security and encryption, and is the author of the open source cryptlib security toolkit. In his spare time he pokes holes in whatever security systems and mechanisms catch his attention and grumbles about the lack of consideration of human factors in designing security systems.

TitleB&E for breakfast: practical urban exploration in NZ
AbstractThe physical world: in an age full of inter-cubicle tweets and farmville key performance indicators it's easy to forget that it exists, but it's out there and it's packed to the brim of interesting shit to see and semi-legally explore. This presentation will focus on the practicalities of going places you're not supposed to go without permission and actually getting away with it afterwards. Ever wanted to see some of New Zealand's most beautiful real-world critical infrastructure... from the inside? Hospitals, storm drains or power stations it's all there for the taking, so smash your hug-boxes and we'll show you how.
LocationSun 28 1130 @ RHLT1
Duration45 mins
NameAlhazred & Rob
OriginNew Brighton, Christchurch
BioCrawling on their stunted flipper arms from the poisoned radioactive wasteland of Christchurch's premier seaside resort and sewerage treatment suburb of New Brighton, Rob and Alhazred have together busticated into more industrial sites than you've eaten Mrs Mac's steak & cheese pies. Rob enjoys walks on the beach, little fluffy kittens, and reading books on nuclear reactor theory. Alhazred enjoys walks on the beach, collecting pressed flowers, and fucking shit up.

TitleBending Light: Optical trickery for the 21st Century

The whole world is connected with light these days. You probably don't know, or notice (your desktop is just plugged into an rj45 wall jack, right?), but it's likely that your home or office network has some kind of fibre optics in it's path to the Internet, or the other sites in your WAN. In this talk I'll try and explain some of the risks around using fibre optics, as opposed to copper technologies, and what you can do about detecting and protecting from them (what is that encryption stuff anyway?).

I'll also try and explain some of the more commonly used types of fibre technologies and how they're all tied together, to give a better overview for those who just haven't had to work with the stuff before. This bit is probably just more informative than hackery related.

LocationSun 28 1330 @ RHLT1
Duration30 mins
NameBlair Harrison
OriginWellington, New Zealand
Biotrogs. Blair. Sysadmin. Used to run a WISP, but managed to escape. Have been working for a NZ fibre optic networking company for a few years now, and a large managed hosting provider before that, over in the UK.

TitleWho's afraid of the Search and Surveillance Bill?
AbstractA guided tour of the catacombs. Examination orders, residual warrants and production orders vs privacy, interception capability and the privilege against self-incrimination; and what implications this "tecnhology neutral" law reform has for computer searches. The latest specifics to support, or allay, your deep misgivings.
LocationSun 28 1400 @ RHLT1
Duration15 mins
NameMarissa Johnpillai
OriginOtautahi, New Zealand
BioMarissa works at her local community law centre and would love a beer, thanks.

TitleDistributed Cracking with no 8 Wire

Don't have NSA budget? Don't have a stack of graphics cards or FGPA's lying around collecting dust? Never fear, your cracking efforts can be slightly less pathetic if you spread the effort across all your workmates PC's!

A tool for distributing password/hash cracking, and results from running a dictionary attack against a few thousand AP's I passed on my leisurely sunday stroll through Auckland.

LocationSun 28 1415 @ RHLT1
Duration15 mins
OriginAuckland, New Zealand
BioA corpo-whore sellout working for the man.

TitleWeapons of Mass Storage Destruction
AbstractHave you ever thought about how hard it is to really destroy a large amount of data in a short amount of time? Cartel has. This talk will cover , among other things: FIPS fills, Guttman fills, zerofills, onefills, keyfills, firmware corruption, ATA command overflows, killswitches, burn keys and physical destruction.
LocationSun 28 1430 @ RHLT1
Duration15 mins
OriginAuckland, New Zealand
BioCartel is a cypherpunk with a mission. When he's not laughing manaiacally while herding innocent mobile devices into the enterprise gas chamber, he is the director of Thoughtcrime, an organisation dedicated to the proliferation of encryption technology and the advancement of his radical crypto-anarchist agenda.

TitleThere's something shiny in that Word doc!

Silverlight and Microsoft Office are two quite different products produced by our favourite multinational software company. Together their powers combine showing what could happen when you let people upload Word or PowerPoint files to your website.

Microsoft Office documents can contain hidden files that will get past your average virus scanner, and won't be noticed while they sit on your SharePoint server. They could also contain Silverlight applications, meaning an attacker can cross all kinds of domain boundaries, and have the word document execute in your browser.

This was done as part of the research for TechEd with Andy Prow from Aura Software Security.

LocationSun 28 1445 @ RHLT1
Duration15 mins
NameKirk Jackson
OriginWellington, New Zealand
BioKirk is a developer at Xero, makers of the world's easiest accounting system.

TitleNuke The Site From Orbit (the Final solution of the scraper arms-race question)
AbstractScraping is painful. You all know the drill. Jetstar vs Flightcentre, Sky vs everyone, cellpadding 5 vs cellpadding 6. Ad nauseum. Tools are evolving, but countermeasures are evolving too. Arms races are one of the most fun games to play. But adjusting your one-page imdb victimisation script for the 18th time in a month gets old really fast. It's time for a revolutionary (but still supremely lo-tek) approach. In this lightning talk I will be explaining how to do it right, dare i say, sustainably, and with a lot less work for lazy hackers who just want to get on with doing something cool with their 'liberated' data. After all, scrapers don't steal data, but They Sure Do Help!
LocationSun 28 1500 @ RHLT1
Duration15 mins
OriginWellington, New Zealand
BioOddy is best known for pwning Microsoft's thanksgiving with a "funny domain name" a few years back, followed by hacking up a scanner to spy on all of japan's offices through videoconferencing gear. After a couple years testing pens at a cumbersomely-hyphenated Auckland infosec firm, he is now terrorising the great city of Wellington with advanced datamining technology that he couldn't possibly talk about unless you ply him with beer.

TitleWardriving in the age of Arduino
AbstractGone are the bulky mainframes from the old days of wardriving, learn about a wardriving rig that will fit in the palm of your hand. Not that anyone other than Google is still wardriving these days. And the Germans aren't too keen on know the rule, "don't mention the wardriving". What else is there to say? It's a wardriving rig. It fits in the palm of your hand. You could make one yourself. I'll show you. How many words does this thing have to be anyway?
LocationSun 28 1515 @ RHLT1
Duration15 mins
OriginChristchurch, New Zealand
BioFollower hails from the recently devastated city of Christchurch (the local elections hit hard). Like a P-wave (no, not that sort) his Arduino-related security ramblings have spread from Kiwicon III to DEFCON 18, who knows where they'll spread next? Your only hope is to score an Arduino in some manner and wire up your own device of doom. Then talk about it.

TitlePlaying the Shell Game: Non-Root-Kits

If you're a white hat sellout owning unix boxen during red-team style pentests, you can't really go dropping a kernel mode rootkit on someone's production front frontend internet banking site. Sure, you still need what a root kit offers - hiding files and processes, a persistent access backdoor - but you can't be the guy who takes out the "too critical to pen-test" service (that took your sales guy five months to negotiate testing live) when you bodge in your hacked up kernel module with your shit-ass /dev/mem insmod tekneeq. Sometimes even local privesc is too much for them to handle.

So whats left? You play the shell game.

LocationSun 28 1600 @ RHLT1
Duration30 mins
OriginWellington, New Zealand
BioMetlstorm is a cashed up, card carrying whitehat sellout, writing up customers for ICMP timestamping and SSLv2 like Qualys told him to. When he's not faffing with his word templates, he spouts poorly thought through faux-pinions on the podcast, and organises (largely by sulking about off topic posts on #kiwicon) the second best hacker con in New Zealand. Don't let the beard fool you - he loves Windows, and heartily endorses products made by Computer Associates. Metl has bored previous Kiwicons, Ruxcons, Syscan, a Defcon and a Blackhat, pottered around a few networks (including yours) and in his spare time stuffs his face with pies and griefbacon. Metl aspires to work for EDS in an audit and compliance role, so recruiters, please contact him IMMEDIATELY.

TitleMoneyshot: 45cal HTTP Packets

Let's be honest: hacking webapps sucks.

All that time stumbling around blind. Injecting data, crafting links with 50/50 chance of working, stomping over filesystems with uploaded files*. It all results in pain.

This is a "Panadol" talk. It will look at a couple of short, sharp and hopefully handy pills that will help take the effort (and therefore pain) away from finding vulns and popping shell

LocationSun 28 1630 @ RHLT1
Duration30 mins
OriginWellington, New Zealand
BioHello ladies. Look at your man, now back to pipes. Now back to your man, now back to pipes. Sadly, he isn't pipes, but if he stood on a stepladder, he could be as tall as pipes. Look down, back up. Where are you? You're at a hacker conference with the man your man could be as tall as. Look at your man, now back at pipes. He has an iPad. With an apple-branded case that he loves. Anything is possible when you're as tall as pipes. He's on a horse.

TitleWas that a hacker wearing a Jacobean ruff?
Abstractaka A potted history of select photographic moments in the history of NZ Hackery
LocationSun 28 1700 @ RHLT1
Duration15 mins
OriginAuckland, New Zealand

fosm hails from the land of orcs and has a penchant for minivacs, mini vans, mini golf, mini skirts, Minnie Riperton, Mac Minis, Big Macs, masturbation and drunken h@x0r photography. One day he hopes to open his own kimono store.

If you have ever helped him prop up a bar and vaguely remember hearing "just one more" about 15 times, then you may be part of this presentation.

Would you like to *wink* come upstairs and see his credit card collection?