BSides Perth 2018


How to land a job in InfoSec

Ricki Burke


This workshop is for those that are or will be looking to work in the security industry. It is competitive and can be difficult to land that first job and Ricki will show how a proactive person can increase their chances of job offers and not be just another number in the job application black hole. It will be a step by step guide on how to:

    Build a network
    How to find the jobs that aren’t advertised
    How to apply for a job
    Write a CV
    What skills you should be learning
    Build your online presence

This Workshop is provided by Ricki at CyberSecPeople and BSides Perth for FREE – all we ask is that you register your interest here


Ricki is the Director and Founder of CyberSec People and partners with organisations around ANZ to hire infosec (Cyber Security) professionals. He is embedded in the security community, is active at cons and Meetups and built many friendships along the way. With a passion for supporting people to break into security, he has helped many land their first job in the industry.



“London Calling, VoIP hacking for fun and profit… mostly profit”

Kai Frost


VoIP and its umbrella technology converged telecommunications is an area of InfoSec which even after 20+ years of deployment still has very little institutional focus.

Millions of dollars of fraud are executed globally by highly sophisticated adversaries across a wide range of public, SOHO and carrier level infrastructure. This fraud often goes largely undetected or is written off by the carriers as unrecoverable.

In this talk, I will cover some of the standard business models of VoIP hackers, methodologies they use to make sure their tracks are multi-jurisdictional and trans-corporate in such a way that almost guarantees they will be largely left alone. I will also give some practical examples of quick and easy ways to sweep up large collections of unsecured endpoints and show how these can be used to generate stable revenue for criminal groups or unethical individuals.


Kai is an IT professional with 20 years of experience in national scale networks. Apart from his usual job of automating major parts of this workday, Kai has an unhealthy interest in VoIP, encryption, and data security. He has spoken previously at WAhckon and BSides on VoIP security and hacking as it affects modern voice providers.


“SecDevSecOpsSec: let’s stop throwing around the buzzwords.”

Sarah Young


Everyone likes throwing the phrase “DevSecOps” out there at the moment, right? It’s a security industry buzzword. But how many of us actually know what this means? We have DevSecOps, SecDevOps, secure pipelines, security toolchains, etc. too often used interchangeably and with no clear “official” definition. In this talk, Sarah will attempt to distill the exact meanings of each of these and use examples from her own experiences of creating automated security processes to explain how each can be effectively used, and the tools that she has used to do this.


Sarah is a security architect currently based in Melbourne, Australia. She has previously worked in New Zealand, London and various parts of Europe across a range of industry sectors. In her current role, Sarah helps enterprises move their stuff into the cloud securely. She spends most of her spare time eating hipster brunches and high teas.


“Malware Meets Industrial Safety System and the Consequences”

Paresh Kerai


A Middle East Industrial Safety System was recently attacked with malicious malware designed specifically to enable the damage or destruction of industrial equipment. This malware known as Triton, or Trisis, aimed to interfere with or shut down completely Schneider Electric’s Triconex safety instrumented system (SIS) The SIS are used by human operators to monitor industrial processes in order to detect potentially dangerous conditions, triggering alerts or shutdowns to prevent accidents or deliberate acts of sabotage which could result in an explosion, damaged machines, property destruction, injury or loss of human life. Triton is one of less than a handful of known cases worldwide where malware has been specifically designed and executed to sabotage industrial control systems and the attack appeared to be a sophisticated state-sponsored style coordinated attack on the organisation plant. This presentation will give an overview of the attack timeline, highlight the capabilities of the malware and the attack flow, and explain just how the attackers compromised the SIS device.


I am an Industrial Control System (ICS) Security Engineer and researcher, specializing in in cyber security in control systems and network infrastructure, and computer forensics. Currently enrolled in Doctor of Philosophy at Edith Cowan University, his research focus is on the security of Modbus protocol used in critical infrastructure systems and the security framework of industrial control systems. He is also interested in computer forensics, wireless security, IoT devices, threat hunting and threat intelligence.


“Caring for our pen tester friends”

Brendan Seerup


Quality assurance teams are becoming more context driven and collaborative. QA Testers are now needed from design through to supporting their applications into production.

Yet we still ask external security testers to test our applications engaging them at the end just before we ship to production. Often armed with very little handover we ask them “Did we built it securely?”.

I see a big gap between external security testers and development teams, its making life hard for both teams. I also see the damage it does to good security testing. Its time to bring these two team closer together and start take better care of our pen tester friends.

This talk covers advice for both engineering teams and their external penetration testers on collaborating more, ensuring the right context is exchanged and the teams work together for better security testing outcomes.


Brendan (@SparkleOps) is an Application Security Specialist who loves helping teams with secure development, threat modelling and being involved with the penetration testing of their applications.

Outside of Application Security Brendan leads a threat hunting group dedicated to finding and disclosing threats to NZ’s internet space to our CERT.

Brendan spends his spare time slowly studying towards a masters of wine and reading comics in his blanket fort.


“Secure SDLC Speed-run”

Matt Jones


Writing software comes with a lot of challenges – different industry trends and ways of working, legacy stuff to factor in, then there’s all the constraints along the way as deadlines approach.

Writing *secure* software then has its own set of challenges. The industry has in some ways evolved well past the old approach of waterfall style projects with a penetration test at the end where people grumble risk acceptance. There’s a variety of security assurance approaches various types of organisations use with varying success at different phases of a software projects.

In reality though, there’s a lot of considerations to be made on a case by case basis to ensure energy is used wisely, the right people are rationalising threats you may or may not face, and you mature things incrementally factoring all of this in.

This presentation will:
0) Quickly introduce Secure Development Lifecycles
1) Talk through managing threats for code you build on versus code you write
2) Run-through a bunch of examples, i.e. eradicating entire vulnerability classes, understanding technology edge-cases, catching low-hanging fruit yourself, getting defence in depth stuff in your requirements/design, how some security activities can be part of your internal QA, how to setup a vulnerability disclosure process, and whatever else we can squeeze in.
3) How to best scope and engage third-party security assurance
4) A tonne of decent resources for you to learn more


He’s a Partner at elttam.


“Exploiting Steganography Image in MS Office Documents”

Lordian Mosuela


Dating back as far as ancient Greece, steganography involves concealing a message inside another message or image. Digital steganography uses modern digital technology to conceal a file, message, image, or video within another file, message, image or video. In the last few years, malicious digital steganography has grown increasingly popular as hackers have adopted the technique to trick internet users and evade detection to deliver dangerous payloads.
Traditionally, malicious digital steganography has been distributed through a browser in order to load and execute the malicious code, as well as C&C communications channels. However, cybercriminals are constantly adapting their techniques to ensure maximum attack exposure. Because many cybersecurity solutions can now be configured to detect malicious steganography images, it lends to reason that hackers will evolve their attack techniques to hide malicious payloads in other sources, such as MS Office document. To date, no evidence of digital steganography has been found hidden in an MSOffice document, however, the possibility of this type of threat is entirely plausible and realistic, as I will demonstrate in this proof-of-concept paper and presentation.


Since 2009, Lordian Mosuela has served as a Malware Analyst with Cyren, Inc.,. an internet security-as-a-service provider that protects users against cyberattacks and data breaches through cloud-based web security, email security, DNS security and sandboxing solutions. His expertise is focused in the areas of dynamic and static analysis on reverse engineering of malwares and exploits. He previously held positions at F-Secure and TrendMicro. Lordian holds a bachelor of science degree in computer engineering from Pamantasan ng Lungsod ng Maynila in Manila, Philippines.


“Not If but When?” Leveraging AI to jettison mantras of the Past: How AI will Liberate Security of the Future

John McClurg


John is working with the FBI to fix the problem of reactive security. For decades, proactive prevention has eluded the industry. The FBI’s InfraGuard program is being redesigned after 20 years to help fix this problem.


McClurg currently serves as Vice President and Ambassador-At-Large of Cylance, where he is responsible for building Security and Trust programs & operational excellence efforts.
He has previous history in lead security roles at Dell, Honeywell and was one of the FBI’s first Cyber Warriors assisting in the establishment of the FBI’s new Computer Investigations and Infrastructure Threat Assessment Center or what was later known as the National Infrastructure Protection Center within the Department of Homeland Security. John was also responsible for creating the US Department of Energy’s Cyber-Counterintelligence program.


“Automating Arbitrage”



Ever wanted to make free money? Me too! I wrote a program that automatically trades cryptocurrency using a technique that ‘proper’ traders use, and I guess it technically works? This is a journey through the life of the program, and the hurdles encountered during development.


Pentester at Hivint with many unfinished side projects


“Double D! Diagnose | Detonate”

Nicholas Cairns


As defenders of devices, networks and systems we need to understand the threats we face! Without knowledge and wisdom (leveraging Diagnosis) we cannot combat cybercriminals. To gain knowledge, we must dive deep into the face of peril, let’s call that Detonate.

There is an ever growing problem in cybersecurity because people want to know how things happened but don’t want to take the time to understand “”why””.

I will lead you through a malware infection chain that results in defensive recommendations. I will also show you why and how it happened and how we can gain intelligence, knowledge and wisdom.

Over the years I have failed so many times that I know where the gaps are and how we (as a collective) within infosec can fill those gaps. Knowledge transfer is king! I want to empower you to fail more, ask more and gain wisdom through, asking why!


Nicolas is a Lead security professional with over seventeen years’ experience leading and performing Penetration Testing, Intelligence Operations, Malware analysis and Incident Response.


“Security practice is broken. How can we fix it?”

Jodie Siganto


I’d like to look at the information security profession. As information security practitioners we think of ourselves as professionals with a special expertise. But is this perspective real? Or are we more like security brokers negotiating an acceptable outcome with the business? If we are a profession, then who is shaping that profession? If we are experts, is education producing the right person? By looking at some of these questions, I hope to start a conversation about how we might re-shape security practice to delivery better results for practitioners, their employers and the community more generally.


A lawyer who accidently strayed into security about 18 years ago and never been able to get out. Fascinated by what happens at the interface between humans and technology, particularly in the security and data privacy realm. Intrigued by what shapes security practice and our failure to change.


“Subdomain Takeovers – Beginners to Advanced”

Michael Skelton


This talk aims to introduce hackers of all levels to subdomain takeovers. This talk will cover enumeration, exploitation, and how to properly use a claimed subdomain in an attack chain. As a closing piece, some lesser known takeover types in both Amazon Web Services (AWS) and Microsoft Azure will also be covered in detail, using previous bug bounty reports as examples.


Senior Security Consultant for NCC Group, active open source developer and lover of bug bounty programs.


“Bug Hunting in Open Source Software”

Silvio Cesare


In 2002 I performed a code review of the open source Operating System kernels. In total, I found more than a hundred security vulnerabilities. Fast forward to the present day in 2018. For most of the year, I’ve been performing code review against a variety of open source targets including kernel code and userland applications. As such, I’ve found vulnerabilities in userland Linux and the Linux, FreeBSD, and NetBSD kernels. I’ve even been streaming some of the code review sessions on twitch and YouTube. Moreover, I’ve been holding public code review sessions at InfoSect, my Canberra-based hackerspace, generally finding security vulnerabilities in every session. This presentation looks at some of those vulnerabilities and the response by vendors.


Dr Silvio Cesare (@silviocesare) is the Director of Education and Training for Cyber Security at UNSW Canberra @ ADFA. He is also the co-organizer of BSides Canberra, CSides, and InfoSect (


“Hardware Slashing, Smashing, Deconstructing and Reconstruction for Root access”

Deral Heiland


During this presentation I will be focusing on what is typically referred to as destructive methods for data acquisition from embedded devices. Focusing on the process of removing embedded Multimedia Media Controller (eMMC) devices from circuit boards to gain access to their contents. But we will take it a step further by covering how to restore the device back to operation including methods and technics on altering the devices firmware prior to rebuilding, to allow for full root level access to functional system after recovery. Topics covered will include, Device removal, eMMC firmware extraction and modification methods. Hot air and infrared reflow methods, BGA re-balling manually and with re-ball kit.


Deral Heiland, serves as a Research Lead (IoT) for Rapid7 and lives in the United States in Ohio. Deral has over 20+ years of experience in the Information Technology field, the last 10+ years Deral’s career has focused on security research, security assessments, penetration testing, and consulting for corporations and government agencies. Deral also has conducted security research on numerous technical subjects, releasing white papers, security advisories, and has presented the information at numerous national and international security conferences including Blackhat, Defcon, Shmoocon, DerbyCon, RSAC, Hack In Paris. Deral has been interviewed by and quoted by several media outlets and publications including ABC World News Tonight, BBC, Consumer Reports, MIT Technical Review, SC Magazine, Threat Post and The Register.


“What Your RF Signature Says About You”



Invisible, inaudible, and ignored, your devices are currently screaming out large amounts of information about you, your habits, your pattern of life to anyone who cares to listen. I will show you how to listen in, what is commonly being broadcasted, what can be done with this information, and how you can minimise the risks.


Hoodie-wearing, staying up late, and lurking in darkened rooms: all part of a balanced diet in InfoSec. Hailing from a bedroom in the South Pacific, exported to the financial hub of Singapore, and now available at your conference in Perth, it’s a Cyber Expert!