Talks will be announced in two phases, on 30th Sept and 14th Oct. The current schedule may be subject to change.

Quick List


TitleA Tribute to Barnaby Jack - The Good Hacker
AbstractBarnaby Jack was a world-renowned security researcher and friend to many in the community. His passing earlier this year was a shock to all, and he will greatly be missed. This talk is intended to be a small tribute to Barnaby - reflecting on his personal qualities that endeared him to many, and his technical achievements that thrust him on to the world stage as a leader in security research.
LocationSat 09 0915 @ The Opera House
Duration15 mins
NameAmberleigh Jack & Mark Dowd
OriginAuckland, NZ & Sydney, Australia
BioAmberleigh Jack is a freelance writer In Auckland, having had work pop up in various magazines and websites such a Rip It Up magazine, Public Address and Metro.
Mark Dowd is the director of Azimuth Security, and a veteran in the security industry. He has uncovered numerous vulnerabilities in host and server-based applications used pervasively throughout the Internet. He has spoken at various security conferences around the world - including Black Hat, PacSec, CanSecWest, and Ruxcon. He is also the co-author of "The Art of Software Security Assessment".


[      和谐 / REDACTED FOR STATE HARMONY          ]

LocationSat 09 0930 @ The Opera House
Duration30 mins
NameThomas Lim
BioEthnically Chinese but not a Communist, Thomas Lim is the Founder and CEO of COSEINC and the Organiser of SyScan. As a great admirer of all immigration/custom officers and airport security personnels, he travels around the world under the pretense of attending conferences, but in reality, to experience first-hand their professional conduct and unbiased attitude in handling travellers like himself.

AbstractHypothesis: There is a strong correlation between the amount of bugs one can find in a specific piece of software and the amount of times said application's marketing team use the word 'Enterprise'.
Method: Hack all the things.
Conclusion: Well, you'll have to come to our talk..
This talk will be all about the bugs found in the applications that are designed to keep your favourite Zaibatsu, telco or goverment agency running smoothly. Who watches the watchers? We do. And now you can, too!
LocationSat 09 1000 @ The Opera House
Duration30 mins
NameDenis 'DoI' Andzakovic and Thomas 'Cartel' Hibbert
OriginAuckland, NZ
BioDenis Andzakovic works for as a security consultant, based out of the Auckland office. DoI enjoys breaking things and sometimes in his spare time sings songs about breaking things.
Thomas Hibbert has stepped into the light and works for as a Security Consultant. He enjoys [REDACTED], [REDACTED] and [REDACTED] and in his spare time likes to [REDACTED].

TitleKexecing Jokes
AbstractKexec is a Linux kernel feature that allows you to load and launch a new kernel. You might naively expect this to be implemented with some sort of rational mechanism that didn't allow userspace to stuff arbitrary code into the kernel in such a way that it then gets executed in ring 0 with no memory protection. Ha. Ha. Ha.
This presentation will give a brief overview of kexec, its implementation, terrifying things that are mentioned in its documentation, and some demonstrations of it being used for the lulz.
LocationSat 09 1100 @ The Opera House
Duration30 mins
NameMatthew 'mjg' Garrett
OriginBoston, MA, US
BioMatthew used to hack fruitflies[1], now he mostly hacks firmware. He's ported Zork to UEFI and has possibly run arbitrary code on your IPMI hardware, but by day he works to improve cloud security at Nebula.
[1] Mostly into a thin paste. Have you ever tried taking one apart? It's not easy.

TitleUAV systems and security
AbstractThe first drone pilot to suffer from shell shock, described confirming kills by observing enough white, 37°C pixels on the terrain surrounding the bodies, and if Iran can down a US drone, why can't we? There is obviously some gap between civillian (COTS) and military (MILSPEC) technology but, how much of a gap? This talk explores the technology, proposes some attacks, and their mitigations.
LocationSat 09 1130 @ The Opera House
Duration30 mins
OriginChristchurch, New Zealand
BioEveryone's favourite topic is themselves.

TitleEdward Snowden and the NSA: The Napster perspective

While the peoples of the Internet are busy arguing over the morality and legality of covert NSA programs unveiled by Edward Snowden, many of the bigger issues have been missed. Like, for example, how some NSA programs are clearly desperate attempts to stave off the inevitable advancement of technology set to make its life hell.

When Napster first popped up in 1999 the music industry had it covered. Dispatch the lawyers and problem solved, right? Riiiight?

Wrong! In this talk Patrick Gray argues that in the medium to long term the NSA, like the music recording industry, will fail in trying to cripple consumer technology. This leads us to the ultimate question of Life, The Universe and Snowden: How can a government fulfil its obligation to protect its citizens when it can no longer reliably intercept electronic communications?

LocationSat 09 1200 @ The Opera House
Duration30 mins
NamePatrick Gray
BioAn Australian analyst, journalist, and commentator on information security, Patrick Gray has been covering the infosec space for over a decade. He produces and presents Risky Business, an information security podcast that has won four Lizzies (Australia’s premier IT journalism awards) -- including Best Audio Program and Best Technology Title. He has written about the Snowden leaks for Twitter: @riskybusiness.

TitleP0wning a public transport system
AbstractThe operators of a certain NZ public transport system told us it used a "safe and secure smart card", but of course it was proprietary, we just had to "trust" them. Someone might want to explain terms like "white-list", "encryption" and "server side validation" to them because they made some very non-smart security decisions. In this talk I'll explain the details of reverse engineering the system, the cards, protocols and formats used. While doing so I discovered a number of vulnerabilities in this smart card system. It turns out there are both client side and server side vulnerabilities, which allow total exploitation.
LocationSat 09 1345 @ The Opera House
Duration30 mins
NameWilliam "AmmonRa" Turner
OriginNew Zealand
BioSell out code monkey by day, DIY cyborg by night, AmmonRa has lurked around Kiwicon for the last few years and finally lucked into having something to talk about this year.

TitleAutomating Advanced XPath Injection Attacks
AbstractThe current tools available to exploit XPath injection suck. In this talk I will go logarithmic on their ass and introduce an injection tool that your mother would be proud of. From web developers who use XML there shall be much wailing and gnashing of teeth.
LocationSat 09 1415 @ The Opera House
Duration30 mins
NamePaul 'sss' Haas
OriginWellington, NZ
BioPaul Haas rejects the tyranny of ASCII and returns to you the 𝐛𝓮αʋ𝘁𝚒𝚏𝕦𝙡 𝚙𝙧𝛐𝚜𝖊 օ𝖋 𝐔𝑛ı𝖈໐𝘥℮. With over nine years of experience, he is currently employed with in Wellington performing a variety of computer security assessments. When not solving problems he enjoys increasing their complexity and is known to respond to Mario Kart duels with great gusto.

TitleResponsible Vulnerability Disclosure
AbstractDisclosing security vulnerabilities can be a dangerous business. While there are systems in place for handling disclosures to most major software companies, the process for disclosing vulnerabilities to local organisations is a lot less discussed.
As the discloser, there is always the chance that you are accused of hacking and get a visit from the police merely for identifying an issue. As an organisation, you can find yourself on the front page of the news when someone goes public with an issue.
This talk outlines the dilemmas faced when stumbling across that SQL injection in the local shopping site and proposes mechanisms to safely get the right people told about it. It also discusses how organisations can make it more likely that security vulnerabilities are reported to them directly, rather than through the press, and what the NZITF is currently doing to try and make things better.
LocationSat 09 1445 @ The Opera House
Duration30 mins
NameNick von Dadelszen & Ben Creet
OriginWellington, New Zealand
BioNick von Dadelszen is the technical director at Lateral Security. Nick has been performing professional penetration testing for over 12 years and has managed several successful penetration testing teams. He has worked with the majority of large corporates and Government agencies in New Zealand and is a regular presenter at OWASP and Kiwicon conferences.
Ben Creet is a senior policy analyst in the Department of Internal Affairs' information and technology policy team. Ben has worked in the health, justice, and information technology portfolios and joined the New Zealand Internet Task Force in 2012. He is studying towards a Masters in Strategic Studies and leads the NZITFs Responsible Disclosure Working Group

TitleCrypto Won't Save You Either
AbstractCryptographer Adi Shamir, the 'S' in RSA, once said that "cryptography is bypassed, not penetrated". In the light of the Snowden revelations about the NSA, various people have proposed the use of crypto in order to evade NSA surveillance. From games consoles to smart phones, this talk looks at ten years of trying to secure things with crypto that ultimately failed, not through anyone bothering to break it but because it was much easier to just bypass it. The lesson from all of this is that you need to secure every part of the system and not just throw crypto at one bit and assume that you'll be safe.
LocationSat 09 1515 @ The Opera House
Duration30 mins
NamePeter Gutmann
OriginAuckland, NZ
BioPeter Gutmann is a researcher in the Department of Computer Science at the University of Auckland working on design and analysis of cryptographic security architectures and security usability. He helped write the popular PGP encryption package, has authored a number of papers and RFC's on security and encryption, and is the author of the open source cryptlib security toolkit, "Cryptographic Security Architecture: Design and Verification" (Springer, 2003), and an upcoming book on security engineering. In his spare time he pokes holes in whatever security systems and mechanisms catch his attention and grumbles about the lack of consideration of human factors in designing security systems.

TitleDetecting and preventing data-crime in a petabyte world
AbstractIn 2013 most medium enterprises are dealing with terabytes of data; large enterprises petabytes. This presents some difficulties when attempting to detect data-crime where often the traces left behind measure only in bytes. This talk will discuss this problem and look to the future in solving it and demo some free tools that can be used to expedite investigations.
LocationSat 09 1615 @ The Opera House
Duration30 mins
NameDavid Litchfield
OriginPerth, Australia
BioDavid Litchfield is a computer security researcher working for Datacom TSS in Australia. He is the author of the Oracle Hacker’s Handbook and co-author of the Database Hacker’s Handbook, SQL Server Security and the first edition of the Shellcoder’s Handbook. He is pioneer in the field of database forensics and developed the first comprehensive suite of tools for database breach investigations. In 2011, he helped investigate the Sony Playstation Network data breach, the largest breach to date, and was able to produce a detailed activity map and timeline of what the hackers did to the database once they’d broken in. He has worked for Accuvant, NGSSoftware, @stake, Cerberus Information Security and Exodus Communications and contracted for GCHQ and provided training and advice to the Security Service, the NSA and the BSI.

TitleSocially Awkward: Overview of Social Engineering and practical strategies to combat them
AbstractIn this presentation I'm going to cover the techniques to hack your fellow Human! I'll tie these into a real life audio example (anonymised of course), showing escalating from no access to an authorised and authenticated user to gain remote access to a internal network by implementing these techniques. I'll also provide practical techniques which can be used to combat them without having to social engineer the bank to fund them!
LocationSat 09 1645 @ The Opera House
Duration30 mins
NameRobin Lennox
OriginWellington, New Zealand
BioMy name is Robin Lennox, I work as a Security Consultant at Aura Information Security in Wellington. My current role as a security consultant is built on over 8 years experience of testing, securing, administrating and developing IT systems. During this time I have been responsible for: Security reviews and penetration testing of servers and network infrastructure. Security testing implementations of web applications. Red-teaming including developing social engineering attacks.

TitleThunderbolts and Lightning ⚡ Very, Very Frightening

People keep talking about Thunderbolt DMA attacks as though they're a foregone conclusion. Thus far, we haven't seen one that doesn't involve using a Thunderbolt to FireWire adapter. This kind of attack, when performed against current hardware, is subject to the same limitations and mitigations as the FireWire DMA attacks we've seen since Kiwicon's very own Metlstorm winlockpwned his way to fame in 2006.

In this talk, rzn and snare will discuss their approach to attacking systems with a Thunderbolt port. Will our heroes triumph over evil, or will they get hit by a bus?

LocationSat 09 1715 @ The Opera House
Duration30 mins
Namesnare & rzn
OriginMelbourne, Australia and Auckland, NZ
Biosnare is an internationally renowned hacker, who is loved and respected by security groupies, rock stars, and Prime Ministers the world over. rzn is not.

TitleDisrupting the Norm with Supernatural Shenanigans
AbstractEvery day, technology quietly fails us. The causes of these failures can have serious ramifications. One could MitM large userbases - intercept email, web, voice and more - without detection or disruption. Or all of it could stop working, a universal Denial of Service.
Technological defenses to protect against such attacks can be bypassed, and by doing so allow attackers to undermine core Internet infrastructure. These attacks have been discussed before, but the depth of the issue is greater than previously thought. Let me tell you just how out-of-this-world this problem is, and why it's important for network operators to step up to protect their users.
LocationSat 09 1745 @ The Opera House
Duration30 mins
NameNick 'vt' Freeman
OriginAuckland, NZ
Biovt (no, not Vertical Tab), otherwise known as Nick Freeman, works at in (mostly) Auckland. When not hacking to bring home the smokiest of bacons, he enjoys hanging out with his cat, playing Mortal Kombat and working on one of SA's most cherished research projects, dubbed 'cheeseburger assessment'.

TitleMEGA's approach to accessible E2E - insecure by design?
AbstractMEGA's primary design goal was easily accessible client-side cryptography. Using the world's most ubiquitous runtime environment seemed like a natural choice, but was it really a good one from a security/trust perspective?
LocationSun 10 0930 @ The Opera House
Duration30 mins
NameMathias Ortmann and Bram van der Kolk
OriginAuckland, NZ
BioMathias is CTO of Mega Ltd. and Bram is chief programmer. Previously with Megaupload.

TitleThe 七 of Big Data: Finding Whiro
AbstractWe know many different types of data are generated and captured at high speed but what do we know about weaknesses introduced? Security still is widely misunderstood and discussed haltingly with regard to Big Data. This presentation brings forward the giant Hadoopy elephant in the room and offers the audience some real-world puzzles to solve. Examples are presented of humorous failures as well as successes.
You might think your security problems are a pain until you are asked tohelp find Whiro in the 七 of Big Data.
LocationSun 10 1000 @ The Opera House
Duration45 mins
NameDavi Ottenheimer
OriginSan Francisco, CA, USA
BioOver 18 years managing global security operations and assessments, including a decade of leading incident response and digital forensics. Co-author of the book "Securing the Virtual Environment: How to Defend the Enterprise Against Attack". Currently Senior Dir of Trust for EMC. Formerly responsible for security at Barclays Global Investors (BGI) the world's largest investment fund manager. Prior to BGI a "dedicated paranoid" at Yahoo! managing security for hundreds of millions of mobile, broadband and digital home products.

TitleFinding the fox - Firefox forensic
AbstractWeb browser forensic plays an increasingly important role in modern computer forensic. This is because more and more law and/or incident cases depend on user internet activities. In this presentation I will explain the artifacts involved in Firefox forensic:
  • Auto-complete
  • Bookmark
  • Cookie
  • Downloads
  • DOM storage
  • Extension
  • Firefox Cache files format + cache records
  • web history
My open source tool called f0xchas3r will be demonstrated for evidence investigation at the end of presentation.
LocationSun 10 1115 @ The Opera House
Duration30 mins
NameAndy Yang
OriginMelbourne, AU
BioAndy Yang is a senior security consultant and researcher at Securus Global, where he works on security testing to protect client’s critical information assets. He is passionate about all sorts of security things and has published security advisories for a number of tech giants.

TitleEvolving Ecosystem Security
AbstractOver the last decade Microsoft has invested heavily in security though initiatives like the SDL, and the result has been a reduction in the attack surface and vulnerabilities in our products and services. More recently Microsoft has focused on reducing the window of opportunity that attackers have to exploit vulnerabilities through the Microsoft Active Protections Program (MAPP) and releasing tools like EMET. Microsoft is now focusing its attention on reducing the lifespan of not only the vulnerabilities used by miscreants but also the infrastructure they use to conduct their attacks. This session will look at the new initiatives and tools coming out of the MAPP program. The mission for the MAPP team is simple: mitigate entire classes of attack and protect customers.
LocationSun 10 1145 @ The Opera House
Duration30 mins
NamePaul 'narc0sis ' McKitrick
OriginRedmond, USA
BioPaul is a Senior Security Strategist in the Microsoft Security Response Centre and is responsible for managing Microsoft's international relationships with the incident response community. Now residing in the beautifully misty shores of Seattle, Paul is originally from New Zealand and worked for the .NZ ccTLD, prior to that he worked the NZ government for the better part of a decade. Paul still gets warm fuzzies from the fact that he was the founding Chair of the New Zealand Internet Task Force (NZITF)

TitleOperation Damara
AbstractThe AFPs CyberCrime Operations area conducted an investigation into the activities of the hacker known as “evil”. This presentation will chronicle that investigation.
LocationSun 10 1215 @ The Opera House
Duration30 mins
NameAlex Tilley
BioAlex has been in IT security for almost 12 years, his background is in (legitimate) online casinos and banking

TitleSerialization Formats Aren't Toys
AbstractDear Web App Developers,
Do you have an API? Do you accept input from users? Do you accept it in XML? What about YAML? Or maybe JSON? How safe are you? How sure are you about that?
It's not in the OWASP Top 10, but you don't have to look far to hear stories of security vulnerabilities involving deserialization user inputs. Why do they keep happening?
In this talk I'll go over what the threat is, how you might be making yourself vulnerable and how to mitigate the problem. I'll cover the features (not bugs, features) of formats like XML, YAML, and JSON that make them surprisingly dangerous, and how to protect your code from them.
Because here's the thing: If you are using, say, a compliant, properly implemented parser to parse your stuff, you are NOT safe. Possibly quite the opposite.
LocationSun 10 1400 @ The Opera House
Duration30 mins
NameTom Eastman
OriginWellington, NZ
BioTom is a senior Python developer and technical lead for Catalyst IT, New Zealand's largest company specialising in open source. Prior to that he worked as a developer and system administrator for the University of Otago Faculty of Medicine and as a Computer Science tutor for same. Tom has developed a healthy paranoia as a direct result of drinking with penetration testers.

TitleWTF is this thing…?
AbstractPeople gave us digital content. We have to make sure we can access the information encoded in the file and accurately return it to researchers at any time. My problem is, what do we do when we have no idea what the file are looking at is? Sometimes I prod them until UTF-8 falls out. Sometimes I go on missions to track down the original creating software. Sometimes I make a best guess, based on other things we've seen that appear the same. Sometimes we try and reverse engineer the data and turn a binary 'blob' into a working file. Very occasionally they go in a pile of things that have stumped me :( I will briefly describe our current practices and then show a few file types where we literally have no idea wtf to do with them. Then you can tell me how you would figure it out…
LocationSun 10 1430 @ The Opera House
Duration15 mins
NameJay Gattuso
OriginWellington, New Zealand
BioI'm a digital preservation analyst for the National Library of New Zealand. I help look after some the New Zealand's digital heritage content. My role is technical preservation analysis, with a specific focus on "file format". Amongst other things I try and make sure that our library folks can access digital content properly and that they are looking at the data through a suitable lens. I've been doing this for 3 years, before that I worked in Digital Forensics in the UK for the MPS, and the Home Office.

TitleFailure, 挫折
AbstractHave you ever failed? Of course you have. This talk expounds some of my recent failures and what I learned (if anything). Topics may include Vendors, SNMP, BGP and Bitflipping. There may be a nice slide at the end with a picture of the internet.
LocationSun 10 1445 @ The Opera House
Duration15 mins
OriginWellington, New Zealand
Biotrogs has been reading your emails, listening to your voip calls and cleaning up all those csv files you left in /tmp since ages ago. He knows a lot about tubes

TitleA Practical Guide to Avoiding Prism
AbstractIn this lighting talk, Jen and Aurynn will take you on a whistle-stop tour through some of the simple, not-so-simple and really-bloody-annoying things you can do to avoid your every digital thought being subject to inspection, and assess how practical and effective such techniques are (versus how obnoxious they are to implement).
LocationSun 10 1500 @ The Opera House
Duration15 mins
Nameaurynn & jenofdoom
OriginWellington, New Zealand
BioNot to be mistaken for the itinerant crime fighting duo, Nej and Nnyrua, Jen and Aurynn are devs at Catalyst IT, where they do open-sourcey-developy stuff.

TitleCollapsed Pavlova & Apple Crumble
AbstractImagine what treasures you might find if you had a searchable and indexed database of decompiled mobile applications. Collapsed Pavlova & Apple Crumble is to the Android and iPhone ecosystem what Low Hanging Kiwifruit is to the web. This presentation will provide a brief overview of a new tool (Mobile Application Decompilation Security & Hacking Inspection Toolkit) and a more detailed look at some of the weird and wonderful things that have been packaged into mobile applications (accidentally?).
LocationSun 10 1515 @ The Opera House
Duration15 mins
NameKarl Chaffey
OriginAuckland, New Zealand
BioKarl is a Solutions Architect in the NZ office of a large US corporate working in the financial sector. He has an unhealthy inclination towards mobile application security and a healthy appreciation of extreme sports and alcohol.

Title Botnets of the Web – How to Hijack One
AbstractA relatively small but also somewhat unknown type of botnets are automatically attacking web servers and joining them together into a classic C&C botnet. These bots are flawed by design and often use code from each other, thus the same types of flaws are consistent among almost all bots encountered. This presentation dives into finding these botnets, what the flaws in these bots are, how to exploit them, and a live demo.
LocationSun 10 1600 @ The Opera House
Duration30 mins
Name Hans-Michael Varbaek
OriginCopenhagen, Denmark
BioHans is a Security Consultant at Sense of Security and is an active part of the penetration testing team. He is an IT security specialist, independent researcher, and penetration tester.

TitleClosing Thoughts: When Thought-leadership becomes thought-crime
AbstractOur final guest needs no introduction. So we're not going to give him one.
But we'll give ya some clues:
  • He once called Flavor Flav a try hard.
  • He only wears suits he had handmade in China.
  • He's had more jobs than Andrew Kelly.
  • His GCSB file has been described as engorged.
  • He's loud. He's proud. He's wrong.
  • And he's coming...
LocationSun 10 1630 @ The Opera House
Duration30 mins
NameMr Blue
OriginThe Mahler Gobi
BioHe one day hopes to rid himself of crabs.