That's a wrap!


We want to give a huge shoutout to all attendees, sponsors, and presenters for attending CSECcon III. We had a blast and hope you did too.
Stay tuned on our socials for the talk and workshop recordings!

Activities

From P3 to P1: May the Exploits Be Ever in Your Favor

Talk

Vulnerable software is plentiful and you don’t have to be a hardcore security researcher to contribute! This talk goes into the methodology used to find 14 CVEs over just 3 weekends of effort and is easily replicable for those who want to follow along at home.

Speaker

Sajeeb Lohani

How to Find Your First CVE - A Different Perspective.

Talk

Vulnerable software is plentiful and you don’t have to be a hardcore security researcher to contribute! This talk goes into the methodology used to find 14 CVEs over just 3 weekends of effort and is easily replicable for those who want to follow along at home.

Speaker

Eddie Zhang

Using VPN overlays to access internal systems

Talk

A VPN is so 2000s. Nowadays there are a bunch of better ways of getting private access to internal systems. Things like Enterprise Browsers or tunnelling. A relatively new method that’s popped up is VPN Overlays which organise direct tunnelling connections between two systems using firewall hole punching and NAT traversal. This talk goes through Tailscale (and Netbird to a lesser extent). How it works at a low level, the pros and cons, and how you might possibly secure it.

Speaker

Matthew Strahan

Who are you Really? Weaknesses in Internet Identities

Talk

When you visit a website, you trust that you’re visiting the correct server. When you send and recieve email, you trust the sender/reciever is who it says it is. When you recieve an SMS, you trust the sender. When you see someone’s digital identity document, you trust that hasn’t been tampered with… But if hacker movies have taught us anything - it’s “trust NOBODY” - and for good reason! In this begginer-friendly talk I’m going to shatter your trust in identities on the internet by demonstrating how all these facets can be spoofed/rerouted/overtaken; and what can be done about them.

Speaker

Harrison Mitchell

Least privilege, impossible!?!

Talk

The principle of least privilege reduces security risks by limiting all access to necessary resources, but faces challenges. Modern systems are complex, requiring constant privilege adjustments, adding to administrative burden. Strict controls can impact productivity, and lack of visibility hampers accurate access tracking. Legacy systems may not support detailed controls, and “privilege creep” leads to unnecessary permissions. Manual privilege management is error-prone, and restrictive policies may face resistance. These challenges lead to this critical aspect of cyber security is often given lip service and has directly resulted in many of the largest breaches in history.

Speaker

Michael Smith

Red Teaming in the Cloud

Talk

This session will cover the tools and techniques used by red teams to breach modern SaaS-based IT environments. Participants will learn how to craft sophisticated phishing campaigns and use Adversary-in-the-Middle (AiTM) techniques to gain persistent access to cloud-hosted data.

Speaker

Gareth Batchelor and Taylor Li

While cybersecurity; Do software

Talk

This session will cover the tools and techniques used by red teams to breach modern SaaS-based IT environments. Participants will learn how to craft sophisticated phishing campaigns and use Adversary-in-the-Middle (AiTM) techniques to gain persistent access to cloud-hosted data.

Speaker

Ben Gittins

Microsoft Security at Era of AI

Talk

This guest lecture plans to cover five main topics: Security above all — around 10 mins, Henry will talk about why Security should be the top priority above everything we do, and how Microsoft is transforming this journey being one the biggest company in the world. Security for AI, and AI for Security — around 20 mins, Henry will talk about the latest AI development with security principles, Microsoft’s responsible AI, and Copilot for Security at a high level, might include some demos Microsoft Secuity solution overview — around 10 mins, Henry would like to cover what Microsoft security solutions are out there at a high level Secure Future Initiative — around 5 mins, cover at a very high level about Microsoft SFI focus. Security for young professionals, Career discussion, Q&A — around 15 mins for open mic and interactive session with students. The ideal target audiences would be anyone interested in a cyber security career in the future, but open to any students they are interested in these topics.

Speaker

Henry Yang

Lazy Man's Seasonal bugbounty hunting techniques

Talk

Ahoy, fellow bounty hunters! So you’ve dipped your toes into the world of application security and maybe felt the allure of the bug bounty seas. Yet, like many of us, you’ve hesitated to set sail, worried about the fierce competition out there. Well, I was in the same boat once. I don’t always have the time to deep dive into every program or treasure map, so I charted a course to find some low-hanging fruit and developed solid methodologies to help me plunder quick rewards. These have not only helped me uncover vulnerabilities swiftly but also kept me motivated to continue the hunt. In this talk, I’ll share with you my techniques, a few tales from my own bounty adventures, and help you hoist your first sails in this vast ocean. You see, to find that ultimate treasure—the “One Piece” of the bug bounty world—you’ll need to work as hard as Luffy, with persistence and grit. But today, I’m giving you your first wooden boat. From there, you’ll gather experience, grow stronger, and navigate through the programs with your nakama. So sharpen your swords and ready your crew—your journey toward becoming the Pirate King of bounties begins here! Disclaimer: These are not very amazing vulnerabilities and mostly targeted towards audience who has never tried it but wanted to do so. Take these are starter guide but you will have to do lot better than this to be able to stay on top of your game as they won’t work all the time. (Thanks to ChatGPT for rewriting my piece).

Speaker

Abartan Dhakal

Cyber Job Ready

Talk

“Cyber Job Ready,” offers insights into the cybersecurity job market, essential skills, and key industry trends. Learn how to build an effective resume, sharpen your interview skills, and prepare for job hunting. We’ll debunk common myths, explore critical skillsets like networking and cloud security, and discuss strategies for continuous improvement through certifications and hands-on practice. Attendees will leave with a clear path to aligning their skills with industry demands and boosting their employability in cybersecurity.

Speaker

Montii Abid

Data Breach Fatigue: Why Your Privacy Still Matters

Talk

Another day, another data breach — three data breaches to be exact. With the growing frequency of data breaches, people are starting to experience data breach fatigue. Or in other words, people feel it is inevitable that their personal information is not safe and that it will be breached one day. This talk will be focused on why your privacy still matters in the current digital age and what actions you can take to protect it.

Speaker

Jae Kim

From Psychology to Cyber Security: Making the Transition to Blue Team Roles

Talk

This talk examines the transition from non-tech (Clinical and Industrial Psychology) to Blue Team Security, showing the value of diverse perspectives in Cyber Security. Vhal discusses overcoming challenges as an international student and starting a Tech career from scratch. It highlights the role of relationships and professional networks in career development. The presentation offers insights into how diverse backgrounds can drive innovation and success in Cyber Security.

Speaker

Vhal Estacio

What is it like to work in a Managed Security Service Provider company?

Talk

Work experience is crucial in the field of cyber. I’ve had the privilege of accumulating one year of work experience with a managed security service provider (MSSP) based in Hong Kong. My role allowed me to operate directly on Splunk Security Information and Event Management (SIEM) systems and Endpoint Detection and Response (EDR) solutions. These tools play a central role in the defence side of cybersecurity. I believe sharing this journey will provide valuable insights, especially to fellow students who might not yet have entered the cybersecurity workforce.

Speaker

Ka Shing Ng

Speedrunning Cybersecurity: How to break into the industry ASAP!!!

Talk

Are you stuck trying to break into the industry but met only with rejections? Tired of hearing the degree will get you the job but finding out that clearly isn’t enough. Join James Webb’s talk on Speedrunning CyberSec, and find out his secrets on how he landed his first job in the industry in just 6 months and how you too can Speedrun Cybersecurity! Learn how to Network and Upskill yourself, get practical advice on how to showcase your skills and stand out from the competition, and finally how to win employers over with your sexy Linkedin Profile & Resume. After this talk you’ll know what employers are looking for and how to not only meet, but exceed their expectations of a perfect candidate. The cybersecurity job market is fierce, but by following James’s proven strategies, you can leapfrog the competition and land a job just as quickly as he did. This isn’t just theory—it’s the roadmap James himself used to fast-track his career!

Speaker

James Webb

Email Security Retrospective

Talk

Do you send private email using your own domain name? How about password reset emails? Purchase receipts? Event invitations? The protections that provide email with integrity and identity have evolved. Follow along as we explore best practices for setting up a secure and private email system, either on premises or in the cloud, and the factors that drive their development and adoption.

Speaker

Sean Burford

Quantum Computing and the Future of Digital Privacy: A Cybersecurity Perspective

Talk

The rapid advancement of quantum computing presents significant challenges to digital privacy and cybersecurity, fundamentally threatening the integrity of current encryption methods. In this presentation we will discuss how quantum algorithms can effectively dismantle widely used cryptographic systems, such as RSA and ECC, which secure sensitive data and communications. As these quantum capabilities evolve, the risks to personal information, financial transactions, and corporate secrets increase exponentially. Furthermore, we will review the emergence of post-quantum cryptography as a necessary response, exploring its potential effectiveness and the barriers to its implementation across various industries. By analysing the implications of quantum technology on digital privacy, we will discuss the urgent need for proactive strategies to mitigate cyber threats and ensure robust protection of sensitive information in an increasingly quantum-capable world.

Speaker

Ric Centellas

Ctrl+Alt+Secure: Breaking into Cybersecurity

Talk

The demand for skilled cybersecurity professionals has never been greater. “Ctrl+Alt+Secure: Breaking into Cybersecurity” is an engaging panel designed to introduce students to the myriad of career opportunities in the cybersecurity field. As cyber threats become more sophisticated, the industry faces a significant skills shortage, creating a unique gateway for aspiring professionals to enter the workforce. This panel will explore various career paths within cybersecurity, including insight into roles from cybersecurity professionals. We will discuss essential skills and certifications that can set students apart in the job market, alongside practical advice to help you prepare for the industry. By attending this panel, you will not only enhance your understanding of cybersecurity pathways but also be equipped with the knowledge needed to break into this dynamic field. Join us to discover how you can be part of the solution in securing our digital future!

Speaker

Dr. Queen Aigbefo, Tonee Marqus, Jamie McPherson

From uniform policing to cyber security - decisions at 20 do not need to determine your life's career journey!

Talk - Career journey

Talk on the career journey of Mastercard’s Regional Security Manager. From a police officer in the UK and Australia into the private sector.

Speaker

James Spalding

Achieving Supply Chain Security on a Budget

Talk - Supply Chain Security

Have you ever wondered about how to set up a supply chain security practice in an organization, or curious about the supply chain security of your own packages? If yes, then this is the talk for you! This talk explores the importance of supply chain security, the evolving threat landscape, and cost-effective solutions for managing these risks.

We will discuss approaches to identify and classify risks in software projects and endpoints, along with the use of practical tools and strategies for mitigation. We will also cover developing tailored incident response plans and techniques for selling supply chain security initiatives to board members and leadership, emphasizing compliance, collaboration, risk reduction and return on investment.

Key takeaways will provide comprehensive guidance on setting up your supply chain security practice, implementing effective strategies, and showcasing its value to leadership.

Join us for an engaging talk that will empower you to become a supply chain security hero, even on a limited budget.

Speaker

Sajeeb Lohani, Ben Christian

Dreaming of auto-magical dependency updates

Talk - Web Application Security

Modern day apps include hundreds or thousands of third party dependencies. While SBOMs promise to make it easier for us to know what dependencies we have, it doesn’t auto-magically do our dependencies upgrades which remains a largely manual effort.

In this talk, we explore the limitations of SBOMs and common gaps in the dependencies discovered by commercial and OSS tools. We continue to evaluate existing auto-PR features of Github Dependant, Snyk, etc and identify the complaints and issues your Software Engineering teams will encounter while using these, including ‘death by a thousand PRs’, broken builds, (regressions to) immutable builds, etc.

We finally introduce Renovate, a tool from mend.io that is available under both free and commercial models. We see how it helps address these challenge and how it can make regularly upgrading your dependencies a little bit easier.

Speaker

Andy Vermeulen

Bridging the Gap for Future Professionals

Talk - Information Technology

Embarking on a cybersecurity career? Join me for a talk on seamlessly transitioning from a cybersecurity degree to a thriving profession.

In a rapidly evolving cybersecurity landscape, skilled professionals are in high demand. But bridging the gap between theory and practice can be daunting. Discover actionable strategies to equip yourself with the skills and mindset needed for success

Speaker

Montii Abid

GRC - An Intro to Governance, Risk and Compliance

Talk - GRC

Discover the world of Governance, Risk, and Compliance (GRC) with Cam La in this informative talk. Gain valuable insights into the fundamental concepts of GRC and its significance in today’s dynamic landscape. Cam brings her expertise from a range of infosec domains to shed light on the crucial role GRC plays in bridging the gap between domains, to help support an organisation’s cybersecurity posture.

Speaker

Cam La

Rabbit holes into privacy

Talk

Speaker

Jenny Yang

Getting into and excelling within cybersecurity!

Career Panel - Infosec

This panel will bring together diverse professionals to shed light on the different ways to get into infosec. The panel includes experts with startup, corporate, consulting, and unconventional backgrounds, offering invaluable perspectives on career trajectories. Topics covered include personal career decisions, choosing between offensive, defensive, or policy roles, and the essential skills required for success in a corporate cybersecurity environment. Gain insights into career choices and effective communication strategies in the cybersecurity realm!

Speaker

UTS:CSEC

Unravelling Lumma Stealer: Hands-on Malware Analysis

Workshop - Malware Analysis

Jump in on this workshop to learn malware analysis using real-world scenarios, focusing on analysing the Lumma Stealer malware. Through practical exercises, you will analyse malware behavior, Wireshark dumps, and use other techniques to uncover useful information. This workshop equips attendees with valuable skills related to cyber investigation and response, and will give you many threads to pull on to learn more! Ideal for 2nd and 3rd-year students seeking to get into in malware analysis.

Speaker

Sharath Shamachar

Dashboards and Duct Tape: An Industry Introduction to Incident Response

Workshop - Cyber Security Incident Response

When your organisation suspects a cyber security incident may be afoot, there are many moving parts to co-ordinate to ensure that you and your team can put their best feet forward and rise to the challenge of identifying, analysing, containing and eradicating the attack, and everything else that a major incident can throw at you. Participants will work through a realistic Incident Response Table Top Exercise (TTX) that is reflective of a real-world incident and can expect to improve their understanding of incident response processes, be more confident, and better prepared for the inevitable.

Speaker

Jamie McPherson, Queen Aigbefo, Tai Tran

Fuzzing: automated edge case searching

Workshop - Vulnerability Research and Zero Days

Writing tests for mission critical software is an important part in mitigating potential vulnerabilities, however there are many edge cases that can’t easily be conceived or spotted by us programmers, so that’s where fuzzing comes in. It is reported that Google has found over 25,000 bugs in Chrome alone via fuzzing, and another 36,000 in other open source projects that they make use of. In this workshop, we will demonstrate live how to set up fuzzing on a basic Rust project (allowing the audience to follow along), and catch multiple security vulnerabilities along the way.

Engage with this talk

Google's resources on fuzzing
Speaker

UTS Programmers' Society

Alex's security journey: a cautionary tale

life story/cautionary tale

Wow, you are trying to figure out how to study or even find gainful employment in security, and I have recently studied and found gainful employment in security. Perhaps we can make something happen, talk business, have your people talk to my people? In this talk I will calmly and coherently walk you through my story of not knowing what security is, being vaguely interested, being REALLY interested, and then a thrilling Act 3 conclusion where I show you all the things I think are cool about it.

Speaker

"Alex"

Using malware to destabilise a country

Threat Intel & IR

In this talk, you’ll learn about the high impact and profitable malware incident that affected Colonial Pipeline in 2021. This deep dive will touch on the technical details and show the real world consequences of cyber attacks. Come with us to learn what failed, what lessons we can learn from this, who are the people behind it and what else they’ve been up to.

Speaker

Santiago

Active Directory Hacking Speedrun!

Network Security

A fast and furious run through as many AD/Windows Domain attacks as possible, focusing on only the most critical information for pentesters and hackers.

Speaker

Alexei Doudkine

The mind is the battleground - Human cognition in cyber security

The Human Factor

Trusted users within an organisation responding to phishing emails remain the most common form of cyber-breach. A single click by a staff member can overcome the most stringent of technical defences allowing attackers access to otherwise secure systems. Therefore an effective defence against attackers using social-engineering tactics requires an understanding the human within the system - and specifically the cognitive processes that users deploy in making cyber security related decisions.\n\nThis talk will introduce the problem of human behaviour in cyber security, touch on the major theoretical models of human decision making and then delve into a case study of Employees within a major Australian bank.

Speaker

Dan Conway

Introduction to Capture The Flag (CTF)

CTF

Introduction to Capture Flag (CTF) will run through the basics of all things CTF: Why we play them, where you find them and how to get started? We will also cover a couple of basic challenges from DownUnderCTF 2021. This talk should hopefully give you the confidence to try DownUnderCTF 2022 and all future CTFs :)

Speaker

Max Caminer + DUCTF Crew

Practical RSA Cryptanalysis

Cryptography

RSA Cryptography is ubiquitous on the internet and a fundamental part of our daily lives but many, even in cybersecurity have only a vague understanding of how it works. Did you know its based on relatively straightforward mathematics? Did you know that there are series of simple ways you can tell if it has been used incorrectly in a way that compromises it?

In this talk we intend to describe how RSA works in simple terms. We will also describe some common RSA implementation mistakes, how you can spot them and why they might be interesting to know about for a cybersecurity student or professional. We’ll go on to give practical steps on how you can break RSA when used incorrectly and how that has been demonstrated in the real world at scale on the internet.

This talk is for Students or professionals with an interest in math and or math in security CTF players who mostly skip the cryptography category Security engineers who want to know more about RSA for use during application security reviews

Speaker

Kris Hunt

Incident Response: A practical beginners guide to phishing

Incident Response

Phishing emails are ever present and come in many forms. Especially in large environments how do you scale your response and effort to ensure you’re resolving these security risks without dedicating your life to phishing.

Speaker

Ian Szklinski

What to do once you compromise a developer's account

CI/CD security

Alex’s talk will be about what CI/CD pipeline runners are and how widespread they are in the systems we use, like GitHub, as well as cover the risk they pose to organisations. His talk will then discuss and provide examples on how red teams abuse these mistakes, and briefly explain what organisations should look out for so they can better protect themselves.

Speaker

Alex Hill

Easy(-to-break) Anti-Cheat

Game Security

Online video games have always had the a hidden battle that exists similarly to the cybersecurity world: the battle between devs and cheaters. Anti-cheats are the cheat code to preventing cheaters from gaining advantages in games. But anti-cheats aren’t perfect.

This talk will provide an overview of anti-cheats, and go in-depth through a method of gaining code execution in an Easy Anti-Cheat protected game.

Speaker

George Dan

Introduction to Web3 hacking: hunt, reverse engineer and fix a smart contract vulnerability

Web3 Security

Web3 security is a whole new world where we should re-learn and change our perspective on AppSec. In this session, I will introduce Decentralised Apps (dApp) from security angle. I will then go under the hood of a dApp (Solidity) vulnerability and reverse engineer a security vulnerability. I will conclude with ways to effectively eliminate the vulnerability.

Speaker

Pedram Hayati

The Art of Threat Detection: Literally the last line of defence.

Network Security

You can’t respond to what you don’t catch. Threat detection is a vital security function that is both fun and exciting! Come on a journey with me to explore the art and joy of finding badness in networks. This talk will explore the systems, methodologies, and processes behind security detection engineering. You’ll get a chance to see how a detection rule is completed from start to finish. Who knows, if the demo works you may even see the detection rule in action during the presentation ;-) !

Engage with this talk

Detection in Depth by Joshua Prager
Speaker

Darsh Shah

The kids are not alright: How some Millennials and Gen Zers are cybersecurity liabilities

Network Security

The generally accepted stereotype is that younger generations are more tech savvy; however, younger individuals are far more reckless in their browsing behavior. What does this mean for individuals and consumers alike? How you leap into a digital first world and succeed?

Speaker

Laura-Rose Carbone

Embedded Device Hacking 101: A story of 2 root shells with Nokia' s 5G router

Web Application Security

Have you ever wondered how secure that router your ISP provided you actually is? Or how you might go about evaluating a device like that?

This talk is an introduction to embedded device hacking spanning both software and hardware techniques.

As a case study, we looked into the security of Nokia produced 5G routers deployed as a part of Optus’ 5G home broadband packages.

Attendees should walk away with the knowledge to begin looking at embedded devices around them and an increased level of distrust/paranoia.

Speaker

Victoria Cheng, Tiara Wong, Eddie Zhang

Getting into AppSec

Web Application Security

Companies are increasingly turning to software engineering to solve their business challenges. As security professionals, we need to help our engineers design and operate secure systems. But the pathway into Application Security isn’t clear and most people I know have stumbled into it accidentally, or from an adjacent discipline.

This talk will give an overview about what ‘AppSec’ is, the types of things you’ll be doing to secure software applications and help engineers, and steps you can take to prepare yourself for a career in this space.

Speaker

Cole Cornford

The Journey to The Self-Driving SOC

SecOps and Automation

Twenty years ago, few believed self-driving cars could happen yet they’re here. Will the same principles pave the way towards self-driving security? Sean Duca explores what an autonomous SOC looks like, why it’s needed and how getting there requires a revolution in innovation. Sean will also detail potential pitfalls along the way.

Speaker

Sean Duca