
# BSides Melbourne 2022

BSides Melbourne 2022 was my first in-person cyber security conference and although I had attended a number of online conferences, I was looking forward to the full in-person conference experience.


The BSides conference took place over 3 days, from the 9th to the 11th of September at the new Seek HQ in Cremorne.


The Friday was a special training day, operating as a separate event from the actual 2 day BSides conference held on the Saturday and Sunday.

## Friday - Training


I arrived at the Seek HQ on Friday morning ready for the "Introduction to Digital Forensics" training session.

I arrived 15 minutes before the session started and the room was already full.
Apparently I wasn't the only one who thought Digital Forensics would be a good topic to learn about.
I grabbed one of the few spare seats at the back of the room and set up my laptop.
 
The training session started around 9am and was broken up into 3 modules.
 

### Module 1

Module 1 was an introduction to our teachers:

Shanna Daly  -  A veteran of the industry with over 20 years’ experience in Info Sec, Digital Forensics and Incident Response.

Gyle dela Cruz  - Incident responder with a Grad Cert in Incident Response and Master in Cyber Security - Digital Forensics.

Morgaine Timms  -  Senior Penetration Tester & Application Security Specialist.

Shanna was the main instructor, while Gyle and Morgaine drew from their own experiences and expertise to add comments from a different perspective to various topics.
 

### Module 2

Module 2 covered what digital forensics actually is, and why it's needed.

We learned about the history of digital forensics and the main areas in which digital forensics is most commonly used. We then moved into the various types of digital forensics, the digital forensics process, gathering evidence and chain of custody.


### Module 3

Module 3 was the practical part of the session, which walked us through a DFIR CTF (Digital Forensics and Incident Response, Capture The Flag).

Following along during the practical part required downloading around 12GB of files ahead of time.
We were supplied links to the required files earlier in the week to give us time to download and set everything up.

There was also a USB drive with the necessary files available in class on the day for those who didn't get a chance to download everything beforehand.

While I did my best to keep up, my laptop started to struggle when I tried to run both FTK Imager and Autopsy at the same time.
So I abandoned my plans to play along with the CTF and spent the rest of the session taking lots of notes, knowing I could always continue the CTF by following the supplied walkthrough at a later date.

At 4pm the training session ended. I was far from being an expert in digital forensics; however, the class was called "Introduction to Digital Forensics", and that's exactly what it was.
It was a comprehensive introduction to a very complex subject, covering the basics needed as a jumping-off point for further study.

 
The training session may have finished, but the day was far from being over.


Next up was a networking event/party at a bar on South Wharf kicking off at 6pm.
So I went back to my hotel room to freshen up and grab a bite to eat before making my way down to South Wharf.

The party had been going for about an hour when I arrived, so it was already pretty busy and everyone seemed to be having a great time. I stayed for a few drinks and chatted to a couple of people I'd met earlier that day before calling it a night and heading back to my hotel.

 
So with the first of 3 days in the bag, I had a much greater understanding of digital forensics than I started the day with.
I also discovered a few new tools to play with and made some new friends along the way.

I headed off to bed, for some much needed rest in preparation for Day 1 of the Conference.

 
## Saturday - Day 1 of the Conference

 
After a big day on Friday, I was a little late getting up and out the door, so I arrived at the conference in time to miss the first few minutes of Joff Thyer's keynote.

There were 2 rooms running talks simultaneously at the conference: the main room played host to the Keynote and Track A talks, while the smaller room played host to the Track B and career-oriented talks.

As Joff's keynote had already started, I quickly found a seat and settled in to watch Joff effortlessly entertain the audience with insights and stories from his career and how they led him to where he is today.
Spoiler alert!! It wasn't all smooth sailing.
Like everyone, Joff has learnt from his fair share of mistakes along the way and was happy to share the lessons he'd learned in his helpful "Career tips for the 21st century".

 
The first talk on my list after the keynote was Sajeeb & Maeesha Lohani's talk on Bypassing Captive Portals and Proxies, being held in the smaller room.

Sajeeb & Maeesha are siblings and both work in cyber security. Maeesha says she's the rookie of the pair and describes her brother as a humble expert.

Apparently their motivation for this talk came about when they were both running out of mobile data at the airport while waiting for a delayed flight.
To avoid bickering, they thought about all the ways they could potentially get free WiFi without having to give up their personal details to the WiFi's captive portal.

They took us through 10 different attack scenarios, first explaining how each attack worked, then the benefits of each attack, and finally the remediation for each attack.

Their talk was both informative and entertaining, as their unique dynamic allowed them to have fun at each other's expense in a way that only siblings can get away with.
When asked if they used any of the exploits they came up with, they admitted that they ended up providing their details to the captive portal on the day. They later went back and engaged with the airport as security consultants, which allowed them to actually test out their attacks with the airport's permission.

 
With the first two talks done, it was time for the morning tea break.

The BSides crew provided plenty of fruit, biscuits and cakes and even included gluten free options as well.
 
After a quick snack, there was still ample time before the next talk, so I took the opportunity to explore the rest of the conference.
The Seek building has a variety of great spaces that offer a multitude of configuration options, making it incredibly versatile for all kinds of events.

The layout for BSides worked well. You entered the building into a short entrance hall that opened out into the main foyer area, with access to the larger main room on the left and the smaller room directly opposite the main room.
Two large doorways at the opposite end of the main foyer took you to an atrium style area called the market place, which played host to the coffee cart, a few tables containing stickers and vendor/sponsor brochures and various seating arrangements offering a place to sit and eat or even just chat with a friend over coffee.
Just beyond the market place were a couple of glass-walled rooms where the BSides Capture The Flag (CTF) event was being held.
As tempting as it was to sign up to compete in the CTF, there were just too many talks I wanted to attend, so I moved on and kept exploring.

On the opposite side of the CTF area was another large foyer space with some couches and tables where you could relax and get away from the chaos of the conference.

These areas also played host to what Liam O'Shannessy from CyberCX later referred to as the "third, unofficial track" of the conference, affectionately known as "Lobby Con" or "Hallway Con".

There were 7 huge LG Crestron displays in use around the conference: 3 in the main room and 1 in the smaller room, while the others were strategically placed in the foyer areas to display information about the conference, advertise the sponsors and display the gigantic QR codes you scanned to enter various prize draws.
 
The morning break was almost over, so it was time to head back into the main room for the talk: "Old Dog / New Tricks" with Mike Pritchard & Shanna Daly.

In this talk Mike Pritchard gave us a glimpse into his personal collection of historical espionage and early cyber-tech gadgets, discussing the methodologies and usage of these tools throughout history, while Shanna drew comparisons to the modern-day equivalent tools and methodologies we use in cyber security today.

Mike is passionate about vintage spy and espionage gear and has been building up his collection over a number of years. He's got some really cool pieces of kit, so if you have an interest in history, technology or engineering, then I highly recommend checking out one of Mike's talks.

 
As soon as Mike and Shanna finished, I headed straight into the smaller room to catch Andy Vermeulen's talk: "Pay $2 shipping to receive your free iPhone", which chronicled his journey to uncover the secrets behind a subdomain takeover that was serving thousands of SEO spam pages.

In a tale almost as epic as a Tolkien novel, we followed Andy on his journey from GitHub accounts containing 157 repos filled with machine-generated HTML pages, through to two days' worth of failed attempts to de-obfuscate a 16KB JavaScript file, only to eventually discover that it did very little when he finally succeeded.

Undeterred, he pushed on to ultimately find himself on a loading page containing 91 different ways to fingerprint your browser, which it used to decide which page to redirect you to, based on the data it had gathered from you.
If it suspected you were trying to uncover its secrets, it would innocently redirect you to the TikTok page on the Google Play store.

For the unsuspecting, however, it would redirect to one of its many pages of fool's gold, promising untold riches such as free iPhones for the mere sum of a $2 shipping fee, and many other such mythical treasures.

To my knowledge Andy never did find the elusive free iPhone treasure, but he did give his audience some wisdom to treasure:
"Be curious, keep failing, learn new things, keep notes and don't use Python to de-obfuscate JavaScript".

 
Lunchtime!!

Lunch was served in the main foyer area with plenty to choose from, there were gourmet party pies and sausage rolls, spring rolls, wraps, salad rolls and sandwiches, as well as vegetarian and gluten free options.

With the lunch break finished, we were halfway through the first day of the conference, and the smaller room switched from the Track B talks in the morning to an afternoon of career-driven talks.

The first of these was a Panel Discussion on Transitioning into Cyber Security.

The panel featured:
- Rami Tawil - Technical Review Specialist at Bugcrowd
- Liam Connolly - Chief Information Security Officer (CISO) at Seek
- Dannielle Rosenfeld-Lovell - Security Consultant at CyberCX
- Jocasta Norman - Security Analyst at Seek

With Aaron Robertson - Application Security Engineer at Atlassian, as the moderator.

The discussion focused on the various backgrounds of the panelists, what led them to where they are now and the challenges they had to overcome when making the transition into Cyber Security.

They offered some great advice and I found it quite inspiring to hear the stories that led them to their current roles.


Following on from the panel discussion was "Overlooked Concepts to improve your InfoSec Career" with Liam O'Shannessy from CyberCX.

Liam discussed a range of topics that I thought were incredibly helpful, including: short term vs. long term career investment, putting yourself out there and building a public profile, ignoring toxic behaviour, dealing with imposter syndrome and focusing on professional skills like writing, empathy, communication and people skills, as well as focusing on technical skills.
Another overlooked concept highlighted by Liam was what he referred to as the unofficial track of the conference: Hallway Con or Lobby Con.
What Liam was referring to was the numerous micro-talks happening between conference attendees as they chat and exchange ideas in the hallways and lobby areas of the conference. Lobby Con can provide incredible opportunities for networking and making new connections.

Liam offered some great ideas and advice, but there were two quotes of his that really stood out for me:
"Computers are easy, People are hard"
and
"Don't take criticism from someone you wouldn't take advice from".

I think Liam should start making T-shirts or stickers with that last quote on it!!

 
As soon as Liam had finished, it was straight back into the Main room to hear Jo (Bl3ep) tell us all about her experience of coming 2nd in the Social Engineering CTF (SECTF) at DefCon 27.

DefCon is one of the largest security/hacker conferences in the world, attracting over 20,000 attendees annually. A big part of the conference is the CTF (Capture The Flag) events.

At DefCon 27, the prize for winning the Social Engineering CTF was the DefCon Black Badge, which is the highest award you can win at DefCon and it guarantees you free entry to every DefCon event for the rest of your life. Not to mention some serious hacker cred as the DefCon CTFs are known for being incredibly difficult.

Given this was Jo's first time competing in the DefCon SECTF, coming second is an incredible achievement.

Jo happily shared with the audience all that she'd learned from her experience, and encouraged anyone who's considered entering the DefCon SECTF to just go for it.

She hopes that sharing her experience will inspire others in the Australian cyber security community to use what she learned and help them win a DefCon Black Badge for Australia.

 

After the final break for the day, it was back into the main room for KatnissMelb's talk: "The Power of Community and OSINT4Good".

By day KatnissMelb uses her DFIR skills to fight crime and save the world (well, her clients' world at least) as an incident responder.

By night (and probably on the weekends too) KatnissMelb becomes the finder of things and the knower of secrets, as she volunteers for the non-profit group Trace Labs, who run OSINT CTFs to help authorities solve real-life missing persons cases.

KatnissMelb captivated us with tales of her journey from self-confessed BSides "groupie" in 2019 to the Trace Labs advocate and super volunteer that she is today, while also discussing the various facets of Open Source Intelligence (OSINT), its uses, tools and why she's so passionate about it.

Following KatnissMelb's talk, I stayed firmly planted in my seat ready for the next speaker - Matt Weiner.

Matt had recently joined a cult and decided to use his talk at BSides as a platform to recruit others to "Join the Cult of CyberChef".

As a fellow cult member, I was looking forward to learning more about CyberChef and Matt did not disappoint.

CyberChef is referred to as a "Cyber Swiss Army Knife" by its creator.
It's also an open source web app that combines a whole bunch of useful tools for manipulating data in an easy-to-use Graphical User Interface (GUI), which allows you to create, save and share various tool combinations or "recipes" that you can re-use next time you need to perform the same process.

After explaining the basics of CyberChef, Matt took us through the 4 main tenets of the cult of CyberChef:

1. Love thy interface
2. Master thy Regex
3. Practice thy skills
4. Know thy Limits

All while giving examples and demonstrations of CyberChef that continued to increase in complexity until my brain stopped trying to keep up and instead took to reminding me that it was getting late in the day and I needed caffeine.


 
After Matt's talk and a quick caffeine fix, it was into the smaller room for "Meet an Industry Expert", another career-oriented panel discussion featuring industry experts including Liam Connolly, Allen Baranov, Shanna Daly, Dr Joanna Dalton and possibly a couple of others whose names I didn't manage to make note of (Sorry!).

This was a candid Q&A session where the panelists shared their answers to questions like:
- The Pros and Cons of working in cyber security.
- What they feel is the biggest problem currently facing the industry
- And the one piece of tech they believe newcomers should focus on.

Throughout the discussion we discovered that some of the Pros of working in cyber security include learning about constantly evolving new technologies, and the great variety of career paths to choose from.
However, it's not all sunshine and lollipops.
Some of the Cons of working in cyber security highlighted by the panelists include: suffering from imposter syndrome, and burnout due to long hours and lots of pressure.

Some of the biggest problems in the industry were believed to be: not getting the resources needed to work effectively in their role, difficulties shifting company cultures towards a security mindset, too much complexity within organizations and a lack of people with the needed skills.

The majority of answers to the one piece of tech the panelists believe newcomers should focus on were Microsoft Office apps like Excel, Word and PowerPoint, but also included the advice to not focus on any specific tool, but to learn the underlying methodologies and frameworks instead.

 
With the panel discussion closing out the talks in the smaller room, it was a quick stop back in the main room for the Day 1 wrap.
After a few thank you's and a quick overview of what to expect on the final day, the first day of the conference was over.
 
In the main foyer on the way to the exit were a couple of BSides crew members handing out goodie bags that included a BSides-branded hardback notepad and pen, a copy of the "Backdoors & Breaches" card game by Black Hills Security and a USB data blocker, among a few other freebies.

 
So with Day 1 of the conference done and dusted and a goodie bag full of freebies in my hand, I headed back to my hotel for the night, ready for the final day.


 
## Sunday - Conference Day 2:

I arrived at the Seek HQ around quarter to nine on Sunday morning to a delicious breakfast that the BSides crew had laid out for everyone.
So I grabbed a quick bite to eat before heading to the Main room for the opening talk of the day:

Laura Bell Main's Keynote: "The Proximity Problem".

Laura talked about how our proximity to any particular problem is often proportionate to the amount of attention it receives from us (The closer it is, the more we care. The further the distance from us, the less we care about it), and explained that proximity doesn't just refer to physical distance, but can also relate to time-passed or population size/density.

An example that Laura gave in relation to the latter was "diffusion of responsibility", where in a small group there's often a sense of responsibility shared by each member of the group, but as the number of people in a group grows, there's a greater diffusion of responsibility, as more members of the group start to assume "It's someone else's responsibility" and not their own.

Laura went on to highlight the similar diffusion of responsibility we face in cyber security and the assumption that "It's someone else's responsibility" to think about cyber security.

In an effort to tackle this, Laura ended her talk by announcing that her company, safestack.io, is making cyber security training freely available as part of the safestack.io free plan, giving everyone a thorough grounding in security and privacy awareness topics, whatever their role or prior level of experience may be.

Check out https://learn.safestack.io/ if you'd like to find out more about what's on offer.


 
Next, it was straight into the smaller room for the first Track B talk of the day: "OpenSSF's Package Analysis: Improving open source security by scanning package repositories for malicious behaviour", by Caleb Brown.

Caleb is a Senior Software Engineer who works for Google's Open Source Security Team on the Package Analysis project.

Caleb talked about the project and how the recent increase in supply chain attacks on open source software has been one of the main reasons the project came into existence. He then detailed how they monitor packages uploaded to the npm and PyPI repositories and analyse them for malicious code.

Caleb also mentioned a number of other open source software security programs including: [Google's Open Source Software Vulnerability Reward Program](https://bughunters.google.com), openssf.org and https://sos.dev, and encouraged anyone with an interest in securing open source software to get involved.

 

After a quick morning break, it was back to the small room to see Jamie Duke talk about his adventures in "Hacking Rental e-Scooters - Real World Examples".

The subject of Jamie's talk had clearly generated a lot of interest, as the room was packed.

According to Jamie, the motivation behind his research was assessing the re-usability of ex-hire e-Scooters, to stop them from potentially adding to the ever-increasing issue of e-waste, while also uncovering any potential vulnerabilities in a bid to better secure his own personal e-Scooter in the process.

Jamie proceeded to recount his adventures, from obtaining ex-rental hardware, reverse engineering and modifying firmware, conducting network packet capture and analysis and documenting the comms protocol, through to creating his own e-scooter app. The eventual conclusion to his research was the discovery of a great deal of test code and default keys left by developers in the production software/firmware, which led to a number of easily exploitable vulnerabilities.

I believe this was Jamie's first time presenting a talk at a conference and I thought he delivered a very informative talk that highlighted the ongoing issue of vulnerabilities in IoT (Internet of Things) devices, while still entertaining the audience by giving us a few laughs off the back of some well delivered jokes.

 
I stayed seated in the smaller room for the next talk "16,000 Jobs and Nobody to Fill Them", by Donny Pereira and Ben Christian, two University of Technology Sydney (UTS) students.

Both Ben and Donny are involved in the UTS Cyber Security Society (UTS CSEC), a student-run society that they hope can help bridge the gap between the academic knowledge of recent graduates and the real-world experience and skills required by the industry.

Having both experienced this reality themselves, they shared their thoughts around this issue.

They believe part of the problem stems from a lack of cyber security education in secondary schools, but more importantly, their experience led them to believe there are many tertiary educators with little to no relevant industry experience, delivering a great deal of outdated content, with very little focus on practical skills development.

I think Donny and Ben's talk raised a very valid point. In an industry that's constantly shifting and evolving at a rapid pace, tertiary courses need to frequently adapt to keep their content relevant.


 
Lunchtime!!

Yet again, the BSides crew had catered up a storm with an excellent selection on offer for all.

With a belly full of lamb koftas and chicken kebabs, it was back into the main room for Dr Joanna Dalton's talk: "We don't talk about breaches oh no no".

Joanna is the Cyber Defence Lead at REA Group and a self-confessed lover of memes.

Her talk was centered around a particular Magecart attack that she and her team had previously responded to.
Joanna's meme game is strong, so her presentation was highly entertaining and also the main reason I forgot to take many notes.

However, the most memorable part of the talk (for me at least) was the audio-visual meme masterpiece shown as the finale.

Joanna and her work colleagues had created a music video, that shared the title of her talk, by skillfully overdubbing their own lyrics that encompassed the details of the Magecart attack, to the song "We don't talk about Bruno" from the movie Encanto.

Brilliant!!


 
After Joanna's talk I headed back into the smaller room to catch Jocasta Norman's talk: "Ingredients for Change: A Career Tale!"

Currently working as a security analyst at SEEK and volunteering with the Australian Women in Security Network (AWSN), Jocasta took us through her career journey comprising various roles, across multiple industries and multiple continents, before deciding to make the move into cyber security.
Jocasta highlighted how important her transferable skills were in making the shift to cyber security and hoped that sharing her story would help others to understand the value of their current skills and experience in relation to a career in cyber security.




I stayed firmly planted in my seat for the next talk in the smaller room:
"My first 12 months in cyber security" by M. Miller-Furesh.

A first-time presenter and relatively new to the cyber security industry, M. Miller-Furesh is currently working as Quality Assurance Manager at Cydarm Technologies.

M. gave an insight into their first 12 months in the cyber security industry. First detailing many of the frustrations they'd endured in both their personal and professional life, before highlighting the events that inspired a major career shift into cyber security, and with it, the discovery of a supportive community of like-minded industry peers.


 
Next up in the smaller room, was a Resume Building workshop with Ricki Burke, the founder of CyberSec People and host of the "Hacking into Security" podcast.

Throughout his career Ricki has reviewed thousands of resumes and LinkedIn profiles and knows what works and what doesn't.
He was kind enough to share his insight on what hiring managers and recruiters look for in a resume, and included some handy resume-related tips and resources, before taking some time to answer a few questions ahead of the final break of the day.


The final talk of the day in the smaller room was Darren Pauli's "Writing with clarity / talk for hackers who can't write good and wanna learn to do other comms stuff good too".
The Zoolander inspired title set the tone for a very entertaining talk about effective communication.

Coming from a background in journalism, Darren has spent the last 10 years writing about all things infosec and cyber security, so effective communication is something that Darren knows a thing or two about.

Darren began by explaining that he usually gets an hour to give this talk, but since he was only given 30 minutes at BSides, he got a chance to practice what he preached.
He not only talked about effective communication, but it could be said that he also gave a practical demonstration of it, as he sped through his presentation while still managing to cover all the topics and keep it entertaining for his audience.

However, this didn't seem to affect the quality of his content. It was an experience similar to listening to an audio book or podcast at double speed: you just had to really pay attention to keep up.
Darren also shared links to some helpful resources and despite the rushed format, still managed enough time to take a few questions at the end.


 
With the smaller room now closed, I headed into the main room for the final talk of the conference, a panel discussion titled "Founder Secrets".

On the panel were:
- Sam Crowther, CEO and founder of Kasada
- Laura Bell Main, CEO SafeStack Academy
- Vaughan Shanks, co-founder and CEO of Cydarm Technologies
- Tracie Thompson, CEO HackHunter

The presenter tasked with moderating the panel was CyRise COO Kirstin McIntosh, who had the occasionally difficult job of prompting the panelists to answer audience questions.
When Kirstin did manage to get the answers flowing, we were given insights into how and why the panelists came to be the founders of their own companies, the biggest hurdles they've had to overcome, their greatest successes so far and what they hoped for the future, and they shared their thoughts on why others should consider becoming a founder.

Although each of their experiences were vastly different, each panelist had similar views on why they think anyone else should consider becoming a founder of their own company:
Essentially, if you're sick of the corporate hierarchy and have an idea that you're passionate about, then you should back yourself and just give it a go.

So with the final talk of BSides Melbourne 2022 over, all that was left was the Day 2 wrap up in the main room.

The BSides crew thanked everyone who helped make the event such a great success, before announcing the various prize winners, which included the top 3 highest scoring CTF teams, who were rewarded for their efforts with some very cool Lego kits (Note to self: Get better at CTFs before next year!!).

And just like that, the BSides Melbourne conference for the year of 2022 was over.


 
## Final Thoughts

Although I enjoy the convenience of online conferences, there's a level of commitment required when attending a conference in person.
I feel like the effort and cost of booking accommodation and flights (if applicable), as well as physically travelling to the conference, puts a greater value on the conference experience as a whole.
 
There's none of the distractions you're susceptible to when attending an online conference from your computer at home, so you become more engaged in the conference.

One of the things I really liked about this conference was the dedication of the smaller room to supporting those who are new to the industry, by offering a range of career oriented talks and by giving new and first-time speakers a chance to share their knowledge and experiences in the Track B talks.

I think this is a great way to help foster growth in our industry while also creating an inclusive and supportive cyber security community.


I'd just like to say a big thanks to everyone who was involved in putting on the event, including the organisers, volunteers, sponsors and the amazing people who put in so much time and effort to speak at the event.

I look forward to doing it again in 2023.