- A Senior in a Juniors World
This evening we will have Toni James as guest speaker... “What Do We Want? Learning Opportunities! When Do We Want Them? Now!” With security and tech sprawling at such a phenomenal rate, no one person is an expert in “all the things” and everyone knows we need more people. And guess what, no matter where they come from or what their background, they are going to be a beginner in something. So let’s set them up for success. Practical advice on how to both be a better beginner by contributing your unique experience and expertise in a meaningful way and be a better workplace by listening to your potential employees.
- Workshop - Solving real-world information security problems
In this session, we're looking to get the security smarts of those that have it into the hands of those that need it.

If you play a part in:
1. Delivering technical solutions
2. Working on or managing a project
3. Having concerns about the security of your project, team, or organisation
Your project could be software, hardware, or anything in between; anything that requires a level of information security. You may have been attacked, or are becoming more aware that you need to do something to improve the security of what you're developing, yourself, your team(s) and/or your organisation.

We will break into teams to discuss, analyse, code review (if required), threat model, and create a road map for the security concern(s) you are facing that you can take away and work on implementing. You are welcome to anonymise as much or as little as you're comfortable with. At the end of the breakout session, we'll come back together and continue to bounce possible solutions off each other.

Attendee types:
1. Those that need answers
2. Those that provide answers (our usual security experts)

If you have a security problem that you'd like to bring, or discuss in private, reach out to me. Beer and pizza will be provided.
- CERT NZ followed by Sandfly Security
We will be having two talks. One from Declan (CERT NZ) and another from Craig Rowland (Sandfly Security).

Declan (CERT NZ)
CERT NZ is your first port of call when you need to report a cyber security problem. We support businesses, organisations and individuals affected by cyber security incidents, and provide trusted and authoritative information and advice. Almost one year since CERT NZ became operational, we will show you a snapshot of the NZ threat landscape, talk about standout incidents/campaigns we saw, the challenges we faced, what we learnt in our first year, and where to now.

Craig Rowland (Sandfly Security)
Sandfly Security is a startup in Christchurch that is releasing a product to detect compromised Linux systems automatically. During this talk, founder Craig Rowland will talk about what Sandfly is, the techniques it uses to investigate Linux systems for compromise, and discuss general principles and ideas behind Linux forensic investigations to detect intruders. This is an opportunity to see behind the scenes of intrusion detection system development: design considerations, tactics and techniques for automating Linux forensics, and any other topics around startups and software development that may come up.
- Securing your data (your business) using SQL Server 2016
This evening we are privileged to have Anupama Natarajan all the way from our capital speaking.
Anupama's website: http://www.anupamanatarajan.com
Anupama's twitter: https://twitter.com/shantha05

Data security is a key industry trend, and every business invests a lot in it to build trust and credibility with their customers. SQL Server has great data security features, and with SQL Server 2016 it has much more to offer businesses. Data protection is really important for each and every business. Is your business ready to face the security challenge? Microsoft is spending $1 billion per year to ensure that its products are secured so that businesses are protected. These features are built into the Data Platform. How can you prepare your business to secure its data using SQL Server 2016? This session will walk you through the new security features in SQL Server 2016 along with cool demos. You can learn the tips and implement them in your business to secure your customers' data. I will show how you can secure sensitive data in SQL Server 2016 with out-of-the-box features.
- Web Developer Quiz Night
We're going to be getting into small teams and attacking a set of carefully curated questions around info-sec, white hat, black hat, attack and defence. I'll be covering:
• Threat modelling
• Developer security
• Physical security
• Social engineering
• VPS security / hardening
• Network security
• Cloud security
• Application security

There will be prizes worth working for, especially for the team that takes first place. If you want to win, I'd suggest getting familiar with the content in my book series: https://leanpub.com/b/holisticinfosecforwebdevelopers
Questions have also come from many other sources. Good luck!
- PHP Hurts Programmers (and other tales)
Tonight we have the privilege of having Solvam Corporation Ltd's Lead Architect and Engineer Keith Humm help us find out some of the sneaky ways the web's favourite language-to-hate can give unsuspecting users just enough rope to hang themselves with. Take a slightly deeper dive into a few real-world bugs, and see how to (hopefully) avoid them in your own code.

We'll be giving away some prizes for those paying attention to Keith; they'll be worth it. Also don't forget to check out the great lineup we have for NZ Day coming up on the 20th April (https://www.owasp.org/index.php/OWASP_New_Zealand_Day_2017#tab=Presentation_Schedule).
- Applying Cold War Learnings to our Daily OPSEC
At this MeetUp, Chris Campbell - a big fan of cold war history and spy tactics - will dive deep into an application he developed to take care of a small but important task: sharing secrets.

A dead drop is a method of exchanging secrets between two agents, whereby the secret is stored in a safe, predetermined location for collection, meaning that the two agents never have to meet and are able to maintain operational security. Where there is concern that a drop may be compromised, an additional key to decrypt the secret may be transferred using a different channel. This method was incredibly popular and effective during the cold war, and served as the inspiration for Chris' application "DeadDrop" (https://deaddrop.jadeworld.com/). In fact, the inspiration for DeadDrop goes beyond the time of the cold war and into the present, recognising that there is a decreasing level of trust in service providers - so it also offers a "host proof" mode of operation and is open-sourced. Gone are the days of transferring secrets (e.g. credentials) in plaintext emails and texts.

This session will look into a few aspects of DeadDrop:
• A short history lesson: the inspiration for DeadDrop
• The importance of OPSEC in our daily lives
• The theory behind effective secret sharing
• Cryptography 101
• .NET and JS cryptographic considerations
• Code breaking 101

DeadDrop source code: https://bitbucket.org/t0x0/deaddrop
Chris's blog post: https://bytefog.blogspot.co.nz/2015/09/burn-after-reading.html
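To make the two ideas in the blurb concrete (a secret parked at a drop while its key travels over a separate channel, and a "host proof" host that only ever holds ciphertext), here is an added illustrative example in Python. It is not DeadDrop's own code (the page says that is .NET and JS) and it assumes a read-once drop, an in-memory stand-in for the hosting service, and a stdlib-only cipher built from HMAC-SHA256 in counter mode with encrypt-then-MAC; a real deployment would use an AEAD such as AES-GCM from a vetted library.

```python
import hashlib
import hmac
import secrets

# Illustrative dead-drop construction (added example, not DeadDrop's own code):
# the untrusted host stores only an opaque blob, the key travels over a second
# channel, and collection is read-once. Ciphering is HMAC-SHA256 in counter
# mode with encrypt-then-MAC; stdlib only so it runs anywhere. A real
# deployment should use an AEAD such as AES-GCM from a vetted library.

KEY_LEN = 32      # master key handed over the "other channel"
NONCE_LEN = 16
TAG_LEN = 32      # HMAC-SHA256 tag


def _subkey(master: bytes, label: bytes) -> bytes:
    """Derive independent encryption and MAC keys from the shared master key."""
    return hmac.new(master, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: HMAC(enc_key, nonce || counter) blocks, truncated."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(secret: bytes, master: bytes) -> bytes:
    """Encrypt-then-MAC. Returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    pad = _keystream(_subkey(master, b"enc"), nonce, len(secret))
    ct = bytes(a ^ b for a, b in zip(secret, pad))
    tag = hmac.new(_subkey(master, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(blob: bytes, master: bytes):
    """Verify the tag before touching the ciphertext; None on any failure."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(master, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    pad = _keystream(_subkey(master, b"enc"), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, pad))


class DropServer:
    """The host-proof drop: it sees blobs and IDs, never keys or plaintext."""

    def __init__(self):
        self._blobs = {}

    def put(self, blob: bytes) -> str:
        drop_id = secrets.token_urlsafe(16)
        self._blobs[drop_id] = blob
        return drop_id

    def collect(self, drop_id: str):
        # Read-once: the blob is destroyed on first collection.
        return self._blobs.pop(drop_id, None)

    def holds_plaintext(self, needle: bytes) -> bool:
        return any(needle in blob for blob in self._blobs.values())


def leave_secret(server: DropServer, secret: bytes):
    """Agent A: encrypt client-side, post the blob, hand the key over another channel."""
    master = secrets.token_bytes(KEY_LEN)
    drop_id = server.put(seal(secret, master))
    return drop_id, master


def collect_secret(server: DropServer, drop_id: str, master: bytes):
    """Agent B: fetch the blob with the ID from channel 1, decrypt with the key from channel 2."""
    blob = server.collect(drop_id)
    return None if blob is None else unseal(blob, master)


if __name__ == "__main__":
    srv = DropServer()
    dead_drop_id, key = leave_secret(srv, b"prod db password: correct-horse-battery")
    print("server holds plaintext?", srv.holds_plaintext(b"correct-horse"))
    print("first collect :", collect_secret(srv, dead_drop_id, key))
    print("second collect:", collect_secret(srv, dead_drop_id, key))
```

The drop ID and the key are the two things an attacker would need, and they never travel together: the ID goes over one channel, the key over another, and the host sees neither the key nor the plaintext. The tag check runs before any decryption, so a tampered or mis-keyed blob is rejected outright rather than yielding garbage.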
- Security Regression Testing with ZapAPI and NodeGoat
Don't go to Dimension Data. Thanks Catalyst for providing the room at short notice.

Kim Carter of BinaryMist (http://binarymist.io/) will provide a whirlwind tour of a proof of concept covered in his new book "Holistic Info-Sec for Web Developers" (https://leanpub.com/holistic-infosec-for-web-developers/read#process-agile-development-and-practices-security-regression-testing), that he has since implemented for a large international client.

This hands-on session will show web developers how to leverage the OWASP ZAP API to discover many vulnerabilities in your web application as you are creating it, rather than at the end of the project. This is essentially like having a full-time penetration tester on your development team, continuously security regression testing your product as a CI or nightly build as it's being developed, for a very minimal setup cost.

GitHub source: https://github.com/binarymist/NodeGoat/wiki/Security-Regression-Testing-with-Zap-API
Teaser: https://youtu.be/DrwXUOJWMoo

In order to participate in this session, you'll need a computer that has one of the following, from most preferred to least:
1. VirtualBox installed to run a vbox image (that's a VirtualBox VM)
2. Some virtualisation software installed that can create a VM with the supplied vmdk disk image
3. Be prepared to set up all components from scratch using https://github.com/binarymist/NodeGoat and https://github.com/binarymist/NodeGoat/wiki/Security-Regression-Testing-with-Zap-API. This generally has a few unexpected hurdles that trip many up.

I'll be passing a VM around via an NTFS-formatted (for files over 4GB) USB stick. Please also bring some USB sticks that can carry the large files (8.1GB, so a 16GB stick is needed) to help propagate amongst your pairs, so we can get up and running as quickly as possible. Look forward to seeing everyone there :-)
- Qubes OS Discussion (https://www.qubes-os.org)
Qubes is a highly secure operating system virtualisation environment that runs on top of the Xen hypervisor using Linux. Qubes was designed from the beginning to assume all operating systems and applications are going to have security vulnerabilities. By taking this approach, Qubes focuses on isolation between untrusted and trusted compartments to ensure that a security breach will not allow critical data to be compromised. By using hardware virtualisation, Qubes provides extremely high security even in hostile environments and against unknown attack threats, including zero-day kernel-level system compromises that would normally be fatal for most operating systems.

In this talk, Craig will go over what Qubes is and why it's not just a virtual machine running on a host. He will also explain why those looking for very high security workstations would want to run it, and how it can also be used to run highly anonymous browsers such as the Whonix Tor distribution that need ultimate security. He will also discuss how Qubes can be used in environments where security is absolutely essential. Examples are critical command and control networks, sensitive administration tasks, or any other application where high security is a must. Qubes can even be used as an everyday workstation where you need to ensure that work and casual use on the same hardware cannot compromise the system.

### Biography ###
Craig Rowland is an Internet security entrepreneur who has made his career in technology start-ups. His previous company was sold to Cisco Systems, and he has worked as an early stage employee or consultant at other companies also acquired by Cisco and 3Com. Craig began his career working with U.S. Air Force Information Warfare Center veterans to break into computer networks for a living. He also helped develop automated network attack tools, intrusion detection and prevention systems, and the first automated security incident response product in the world.
As a seasoned entrepreneur, Craig has experience in executive management, venture capital fundraising, marketing, sales, and software engineering. He holds several patents and is a published author.
- UAC, Governance and Managing the External Infosec Audit
We (OWASP NZ Chch) have the privilege of hosting Drewe Hinkley taking us through an informative and eye-opening session on the following:

Popular culture has stereotyped information security as a realm of acronyms, mystery and caffeine. Television shows such as CSI:Cyber, NCIS and Legends lead many to believe that unless you have dedicated laboratories full of equipment with unpronounceable names and analysts who can type faster than a concert pianist, then they are at the complete and utter mercy of legions of "Hackers". Often, this is what inspires many newcomers to our industry – under false pretenses. Reality, on the other hand, shows that information security is a balance of controls and methods, often very mundane, which when implemented correctly can be easy to manage and highly effective.

In "Setting the Scene", we will look into the ground work that needs to be implemented as the first step of any successful information security program. Before the "technical" is even considered, before a firewall is activated, before a host intrusion detection system is installed, let's start at the beginning – as a real world business.

What are we securing? Defining the difference between information, critical information, confidential and proprietary information, payment card industry information and personally identifiable information.

How are we securing? User access controls, physical security, environmental security, business continuity and disaster recovery (yes – there is a difference!) and operational management.

We will discuss all of the items that relate to securing and protecting information that do not involve flash technical wizardry – and by the way – it is often these mundane items that are the cause of a "security breach", not an energy drink loaded hacker!

Drewe Hinkley (CISSP) has over 5 years' experience in the Information and Communication Technology industry, working first as an Area Systems Specialist for an international hotel chain as New South Wales state IT Manager, and 2IC for Australia, before progressing into an Asia Pacific regional role as a Consultant – Governance and Risk Management, acting as a lead contact for many external information security and PCI DSS audits.