Kawaiicon, formerly known as Kiwicon, is a technical computer security conference in the Australia-Pacific region. Held over two days at the Michael Fowler Centre, the con hosted 27 presentations on a huge range of security-related topics. I was proud to learn that 9% of these presentations were by delegates from Catalyst.
This year was the 13th conference organised by the Kiwicon “crüe” since their debut in 2007 and they are an extraordinary team. They strike a great balance between serious content and light-heartedness that doesn't make you think you are at a two-day conference. When the audience demands crickets, the audio desk delivers within a second, and an uncomfortable silence breaks into laughter. Electronic fireworks, sparkles, and a lock-picking competition, as well as the badge challenge, are just some of the extras that attendees can experience while learning about the various facets of information security.
Opening
With this being the first conference since the start of the pandemic, the crüe was keenly aware of the precautions needed for running an event of this size, and implemented a range of measures to keep everyone as safe as possible. The conference was opened with a karakia, followed by a llama in a space helmet, of course. Our host, Metlstorm (most efficiently described as a wizard in cargo pants), was a gracious and hilarious guide to the day.
Presentations
The presentations ranged from practical tools for identifying security issues, to strategic approaches to responding to immediate security threats, through to the endless, bewildering complexity of analysing the state of your system. I won’t pretend to have understood every word that was spoken or every diagram I saw, but I definitely gained a better appreciation of the importance of embedding security awareness in our daily operations.
Without listing and summarising all 27 presentations (which would probably fill a weighty textbook), I’d like to share with you some of my main highlights.
Active Directory
Did I mention that three of the presenters were from Catalyst? Andrew Bartlett, from the Catalyst Samba team, did us proud sharing his experiences with Active Directory, which could be summarised by, “Oh hai, I found some publicly documented instructions for how to break your stuff, let me help you fix it.”
Mahara
Kristina Hoeppner, from the Mahara team, stole the show by teaming up with a big fluffy purple creature known as Faily Monster (note: not an actual monster). Together they regaled us with true stories of less-than-ideal communication about security problems, and of course, how to do it better.
Get some good quality fuzz
I’m a bit fuzzy on Douglas Bagnall though... I also make hilarious puns! Key points from Douglas (also from the Catalyst Samba team): get some good quality fuzz into your test data and throw it at your system.
Moonshots and Space Debris
Darren Bilby kicked off the con with a review of the past year’s major security incidents, i.e. the SolarWinds hack, the Log4j vulnerability, and the Colonial Pipeline hack. He shared what went well, what didn’t, and what we can learn from it all. He looked closely at the way these incidents feed into establishing new tools and standards at a government and industry level, and how individuals contribute to this process.
Malware Analysis when you don't have time for Malware Analysis
Adrian Hayes showed us a range of tools and techniques for quickly and safely analysing the contents of any suspected malware, to help you make decisions about what to do next.
Deep breaths and lean the f**k in. A user’s guide to Incident Response
Nadia Yousef shared her experiences leading New Zealand government and industry’s response to several major incidents. Nadia emphasised the importance of timely and clear communication and collaboration during these critical events.
SaaS - Security as a Secondthought
I found this talk particularly helpful as a way of understanding, representing, and talking about an organisation’s current status through a security lens. Jeremy Stott showed us an example of using a mapping tool to map out the people in your organisation, which services they’re connected to, and what their relationship is to the organisation and the service. You can then identify your most important information assets and what the impact would be of losing them. Once you’ve identified all these connections in code, using a tool like Grafana shows them graphically. This allows you to easily see your current SaaS relationships, and therefore all the pathways that could lead to a specific impact, e.g. losing the company!
Security as a product - A different way of approaching building scalable security systems, and a progressive security culture within an organisation
I was really impressed with this talk because it told the story of how an amazing product owner applied their skills to transform security from ‘that thing we should really do one day’ to ‘that thing we’re doing and have now done.’ Kandice McLean was far too humble about her instrumental role in prioritising and churning through a security backlog.
Prizes for most entertaining go to:
Dylan, Frenchie & the Chamber of Secrets (Red Teaming in Zero Trust: No Malware Needed)
I’m told it was about how API keys and credentials scattered throughout your infrastructure can lead to security holes, but my main memory was two grown men in capes on stage casting spells on each other. Magical.
IoT your Pet, Sure can
After a suspenseful narrative about how this presenter hacked into his SurePetCare IoT Hub, Feeder and Pet Door, we were treated to a REAL LIVE DOG jumping through a dog flap. Cute. There may have been some other point about the relative ease of obtaining the hub’s certificate.
Hiding Malware in Docker Desktop's virtual machine
This by far generated the most laughs per minute of the con. As a security researcher for Atlassian, “Alex” related the relatively simple steps they went through to discover that when you run Docker Desktop on macOS, it actually runs on a Linux virtual machine, and therefore you can hide all sorts of malevolent stuff in this VM which is completely undetectable by your actual machine. Woah.
I find it astounding that there is a large community of people, who are incredibly talented and skilled in endlessly complex technologies, dedicated not only to understanding how these technologies could become vulnerable to attacks, but also willing to share and teach ways of preventing these attacks from occurring.
I feel a huge sense of gratitude to anyone who specialises in security, allowing me to carry on building things in relative safety. And of course, I’ve taken away a much more heightened awareness of why being security conscious is so important.
A big thank you to Catalyst for sponsoring me to attend the conference.