Hack.Sydney 2022

November 21-22Art Gallery of NSW, Sydney, Australia
Australia's premium InfoSec Training Event and Conference
Offensive and Defensive Cyber Streams

9:00 - 9:45

The (Cyber-Security) Risks of AI

Domain Theatre
Toby Walsh is an ARC Laureate Fellow and Scientia Professor of AI at UNSW and CSIRO Data61.
He is Chief Scientist of UNSW.AI, UNSW's new AI Institute.
He is a strong advocate for limits to ensure AI is used to improve our lives, having spoken at the UN, and to heads of state, parliamentary bodies, company boards and many others on this topic. This advocacy has led to him being "banned indefinitely" from Russia.
He is a Fellow of the Australia Academy of Science, and was named on the international "Who's Who in AI" list of influencers. He has written three books on AI for a general audience, the most recent is "Machines Behaving Badly: the morality of AI".
We'll have a limited number of his signed books to give away at the conference (first come first serve)

Venue

Art Gallery of New South Wales

The Art Gallery of New South Wales, founded as the New South Wales Academy of Art in 1872 and known as the National Art Gallery of New South Wales between 1883 and 1958, is located in The Domain, Sydney, Australia. It is the most important public gallery in Sydney and one of the largest in Australia.

HCKSYD 2022 will be held at The Art Gallery of NSW on 21 and 22 November.

Where to find the Venue

Art Gallery Road, The Domain, Sydney NSW 2000, Australia. On the eastern side of Sydney’s CBD, next to the Royal Botanic Gardens and the Domain, just down the road from St Mary’s Cathedral.

Parking

Domain Car Park – Book parking in advance via the Wilson Parking website or app. Please note the car-park lift closest to the Art Gallery is currently being repaired and is not operating.

By Bus

You can take the bus from the city center to the gallery throughout the day. Bus 441 – Departs from the York Street side of Queen Victoria Building and drops off near the Art Gallery.

By Train

St James and Martin Place stations are both about 10 minutes walk. For more information about public transport options, times or disruptions, contact the Transport Infoline on 131 500 or transportnsw.info

When you arrive

Landscape works at the front of the Art Gallery of New South Wales are currently underway as part of the Sydney Modern Project. We appreciate your patience and understanding while we work to create exciting new art experiences for everyone to enjoy.

More Info

ANNOUNCEMENT: Venue for this years HackSydney has been locked in - the iconic, prestigious and amazing Art Gallery of New South Wales!
ANNOUNCEMENT: Venue for this years HackSydney AfterParty has been locked in - The Metro Theatre Sydney

CFT is now closed for this year.
CFP is now closed for this year.
Check out the FAQ page for more info: FAQ
Platinum Sponsor for 2022



Become a Sponsor for 2022

HackSydney aspires to be an inclusive, diverse and educational InfoSec Conferences in the APAC region.
To be held in Austalia's biggest city, Sydney, HackSydney aims to bring together professionals from all aspects of the InfoSec industry.
The conference will cover all aspects of the industry, ranging from offensive security to defensive security and everything in between.

HackSydney will be held over five days, which will include three days of trainings, followed by by action-packed days of talks that will cover a wide range of topics and will feature some of the best minds in the industry.
The event will be held in the heart of the city of Sydney, Australia.

After.Party 2022

November 22Metro Theatre Sydney
We'll head off to the Metro after the conference talks on the final day for networking, fun and music at the:
HCKSYD AfterParty 2022

Schedule

9:00 - 9:45

The (Cyber-Security) Risks of AI

Domain Theatre
Toby Walsh is an ARC Laureate Fellow and Scientia Professor of AI at UNSW and CSIRO Data61.
He is Chief Scientist of UNSW.AI, UNSW's new AI Institute.
He is a strong advocate for limits to ensure AI is used to improve our lives, having spoken at the UN, and to heads of state, parliamentary bodies, company boards and many others on this topic. This advocacy has led to him being "banned indefinitely" from Russia.
He is a Fellow of the Australia Academy of Science, and was named on the international "Who's Who in AI" list of influencers. He has written three books on AI for a general audience, the most recent is "Machines Behaving Badly: the morality of AI".
Toby will share his thoughts about the risks of AI in cybersecurity.
We'll have a limited number of his signed books to give away at the conference (first come first serve)

09:45 - 10:30

The De-RaaS’ing of Ransomware

Domain Theatre
For the last several years, starting with the rise of GandCrab, Ransomware as a Service (RaaS) has been one of the drivers fueling the growth of ransomware. But, that seems to be changing. The high profile exposures of REvil, BlackMatter and Conti have made some affiliates skittish about joining a large RaaS group and they are choosing to “go it alone” instead. This talk will look at the current state of RaaS and the larger ransomware ecosystem and what this change means for defenders.

10:30 - 11:15

Game hacking like it’s 1999

Domain Theatre
Learn how to hack a classic real time strategy game. The talk will cover reverse engineering the game engine and player structures, hooking functions, performing DLL injection, and ultimately creating a working trainer.
Outline:
  • Understanding the game
  • Reverse engineering the game
  • Binary patching
  • Memory scanning
  • Player structures
  • Resource hacking
  • DLL injection
  • Working game trainer demo
  • 11:15 - 11:30

    Short Break

    11:30 - 12:15

    Pen-testing opensource databases (MySQL and PostgreSQL)

    Domain Theatre
    Are your database(s) secure? No, not the application, the database! Usually, everyone is focused on the application security and consider the database server to be “protected” by the network firewalls. But what if the first layer of defense fails and your database is exposed from the internet or via SQL injection? Will a bad actor be able to escape from the database and get root shell or exfiltrate other database tenants data? Penetration tester’s goal is to pretend to be a “bad actor” and try to find all the week spots in a simulated scenarios. I will show a number of “week spots” when dealing with opensource relational databases (MySQL and PostgreSQL) and how to protect from them.

    12:15 - 13:00

    Keeping Secrets Secret

    Domain Theatre
    Every team can improve their secrets management, but where do we start? This talk discusses the goals of good secrets management and shares the tools and approaches that will help teams improve their secrets management regardless of maturity.
    Having worked with a range of teams and organisations, from serverless startups, to big banks, to scientific organisations - we know there’s no one-size-fits-all approach to secrets management. We also know there are so many code bases out there with API Keys hard coded into them (Olly knows, he's found his fair share!).
    In this talk Olly lays out the fundamentals of good secrets management, identity and access management and the building blocks for workload identity. The talk also introduces some open-source tools and resources that will help enable teams to improve their secrets management with minimal time and effort. Olly answers the question of how do you move from committing keys to source control, to modern secrets management (e.g. HashiCorp Vault) in small, meaningful, approachable steps.

    13:00 - 14:00

    Lunch Break

    Foyer/Dining Area
    Lunch will be served in allocated areas in the Gallery.

    14:00 - 14:30

    Unconventional ways of getting into Cyber Security

    Domain Theatre
    This talk is focussed around some of the different ways of getting into the cyber security industry. I will be covering some of the mentoring programs the industry has on offer and some training options that most people starting out in cyber are not always aware of. I will also be talking about gender diversity within the field over time, with focus on women on security.

    14:30 - 15:15

    Conti Leaks: Practical walkthrough and what can we learn from it

    Domain Theatre
    Conti, one of the most prolific ransomware gangs in recent years, conducted multiple targeted attacks against companies with multi-million dollars in revenue. The Conti ransomware gang is a well-organized group, with an affiliate model using Ransomware as Service (RaaS). On February 28th, a major leak has been published on Twitter about the Conti group. The leaked chat logs revealed private discussions between Conti members and show the size of their network. The data provided a unique insight into the inner workings of the group.
    This presentation will provide a practical approach to exploit the chat logs using Python applied for threat intelligence. We will dissect the available information and learn more about their process and operation. Eventually, we will see how we can take advantage of the available information to pivot and hunt for additional context and threat intelligence.
    The talk will allow analysts to reuse the code and continue to search for the extracted information on their own. Additionally, it offers an out-of-the-box methodology for analysing chat logs, extracting indicators of compromise, and improving threat intelligence and defence process using Python.

    15:15 - 15:30

    Short Break

    15:30 - 16:15

    API Security testing: The good, the bad, the ugly

    Domain Theatre
    The Internet and Pets have an old relationship. It started with the infamous Pets.com. While unfortunately, the business crashed, it established that online was here to stay. To run a business online, we used to buy server hardware for operations. We named these with respect—animals, dragons, star wars, wines, or movie characters. Just like our pets. Fast forward to today, Infrastructure is overwhelmed with pets again. This time around, we are exchanging pet photos and ordering pet supplies. Suddenly, we have a flock of the APIs at our disposal.
    In this talk, we intend to explain the rationale behind integrating API security testing into your Development life cycle to build secure applications and APIs using various OSS and Enterprise tools. We will also discuss some real-world scenarios which will help you solve the ultimate debate on Delivery v/s Security and solve for cascading impacts, ever so common in today’s world of distributed systems.

    16:15 - 17:00

    Hacking Kubernetes: Live Demo Marathon

    Domain Theatre
    This talk introduces advanced security concepts to guide attendees through the tricky parts of securing Kubernetes clusters with simple demonstrations, views of historical attacks, and the use of modern lightweight threat modelling techniques.
    In a live evocation of the recent O’Reilly title Hacking Kubernetes (Martin, Hausenblas, 2021), this ultimate guide to threat-driven Kubernetes defence threat models and details how to attack and defend your precious clusters from nefarious adversaries.

    09:00 - 09:45

    A critical analysis of the Australian cyber security industry

    Domain Theatre
    Cybersecurity strategy will always trump technology. A critical analysis, informed by on the ground reality is needed to make informed decisions.By the end of this talk, attendees will have an appreciation for on the ground cyber security realities to prepare for the foreseeable years ahead. As i find myself and my own business grow and mature, I’ve also found myself regularly analysing the marketplace of an industry I have found a place in over the past 12 years. Every few months there’ll be a proclamation of “{X} {trade} is dead” all the way through to some cryptocurrency washout come thought leader reinventing bug bounties. Having attempted to conduct several qualified assessments of the market and provide commentary on these through a number of mediums, I wanted to take some time out to provide a “strategic overview” with a technological grounding as to where our awesome industry is heading. Fundamentally, Im concern theres a risk of a “dot com” bubble style recession as a result of maligned expectations, growth and lack of necessity. Areas I intend to focus on include:
  • Market and domain overview from a supplier standpoint relative to demand.
  • Vulnerabilities in the internal structure and client processes for delivery.
  • A critical analysis of the skills shortage.
  • Risks of an impending oversupply of capability relative to waning demand.
  • Opportunities to ensure a sustainable, meaningful industry.
  • 9:45 - 10:30

    Tropic Troubles: In this Campaign, Your Tool Hacks You

    Domain Theatre
    The talk covers a cluster of activity making use of the Trojan YAHOYAH, as described in Trend Micro’s original report about the “Tropic Trooper” group. It explores, with great caution, the apparently fantastical motive implied by the use of Trojanized “SMS Bomber” Denial-of-Service tools as part of the attack. We delve into the newest escapades of a threat actor with ties to Tropic Trooper, a group documented by Trend Micro that has targeted the Philippines, Hong Kong, and Taiwan. Featuring cursed programming languages that your AV will shoot on sight, bog-standard backdoors that are somehow never done and always need new features, strange homebrew AES, and hacking tools ‘tweaked’ to compromise the unfortunate end user – the details paint a picture of a focused, capable actor, and give us a worrying glimpse into a future of malware hand-crafted to torture malware analysts.

    10:30 - 11:15

    How leaky can it git? Discovering and exploiting leaked secrets in repositories and containers

    Domain Theatre
    Exposed secrets, like API keys and other credentials, are a growing problem. 6 million secrets were leaked publically on GitHub in 2021 according to one study and nearly 5% of dockers’ images contain a secret. This talk examines how these are leaked, discovered, and exploited by hackers.
    This presentation assumes a Black Hat position to look how offensive security teams can abuse this widespread problem to gain initial access to a specific target. To achieve this objective we examine why secrets are so frequent in public spaces despite being a highly valuable asset, how these secrets are leaked and the types of secrets frequently found in both public git repositories and public Docker images. Building on this we break down three recent successful attacks, all of which used different methods to extract publicly exposed secrets that granted initial access to the attackers.
    These are CodeCov2021, which exposed secrets via a public docker image, SolarWinds 2020, which exposed a secret in a public git repository belonging to an employee and the Lapsus breaches of 2022 which exposed secrets inside private source code via insider access. Examining each methodology of these attacks we review down exactly how we can replicate each to exploit other specific targets. Finally, we break down the different methods and tools can be used to extract secrets from source code, reviewing the pros and cons of each.

    11:15 - 11:30

    Short Break

    11:30 - 12:15

    Simplifying MISP - Threat Intelligence for dummies

    Domain Theatre
    Threat Intelligence is a key component for DFIR teams. Having a place for tracking IOCs, being able to quickly identify threat actors and their techniques for quick wins and to help guiding the strategy for the investigation is a must. We will discuss the challenges to implement the most simplified use of Malware Information Sharing Platform (MISP) and the lessons learned. Liz and Ben will share real-world examples from their day-to-day cyber security roles in this talk and will take the audience through the steps that they take in order to get the most out of MISP. Both Liz and Ben have many years of experience working on large-scale security incidents and the range of their work experience covers everything from small businesses all the way to some of the biggest enterprises in the world.


    12:15 - 13:00

    Learning from the mistakes of others; preventing and preparing for incident response

    Domain Theatre
    “… learning by the mistakes of others is a far simpler and less expensive process than making them all yourself.” - American Machinist, 1920. Despite being over 100 years old, this quote is still relevant to businesses trying to maintain their security today. So let’s learn from other’s mistakes!
    Join me on a journey through the compromise of a fictitious company, from initial access all the way through to mission complete. We’ll take stops along the way to zoom in on how the attacker did what they did, and discuss what the victim could have done to prevent these actions from being successful. We’ll also talk about steps the victim could have taken to make their environment more “investigation ready”, and highlight that because these steps were not taken, the investigation was not conclusive. Being derived from real-world incident response engagements, you’ll literally be learning from the mistakes of others.

    13:00 - 14:00

    Lunch Break

    Foyer/Dining Area
    Lunch will be served in allocated areas in the Gallery.

    14:00 - 14:30

    Career Track | How to use a recruiter to get a $30k pay rise

    Domain Theatre
    In this Cyber Security Careers talk, Riki will run through the basics of recruitment, why the industry exists and how to use the industry to secure your next role and a pay rise.
    These are the topics that will be covered:
  • Current market insights
  • Where to start if you are a student
  • Basic breakdown of what recruiters actually do
  • How to make yourself noticed
  • Salary negotiation tips
  • Why you should engage with recruiters
  • 14:30 - 15:15

    Throw Away Your Passwords: Trusting Workload Identity

    Domain Theatre
    The move to Cloud has fundamentally changed the way workloads are deployed and managed. What hasn’t changed is the need to secure access to the secrets and services our applications rely on to operate. How can we leverage workload identity to aid us in the struggle against secrets proliferation.
    How can we authenticate access between the workloads that we deploy without an explosion in the number of secrets that we need to manage? How do we effectively protect access to the remaining secrets that we do still need? Wouldn’t that itself require another secret? Can we find a firm footing, a secret zero, or is it really turtles all the way down?
    In this talk Mario aims to demystify workload identity, what it is and how it can be used to address these challenges. By making use of a platform such as Kubernetes as a trusted identity provider workloads can be provisioned with an identity from the outset, halting the infinite regress of secrets needing to be managed. Federation of these identities outside the cluster can also be achieved, extending the trust domain to your Cloud provider and beyond.

    15:15 - 15:30

    Short Break

    15:30 - 16:30

    Network pivoting with SaltStack

    Domain Theatre
    While researching a customer’s SaltStack implementation I discovered some interesting template injection opportunities that can be used to pivot through a network using its own Salt management tools. If you ever find yourself attacking an environment that uses Salt, you will want to know these tips and tricks to pivot upstream from minion-to-master and master-to-master using intended and unintended functionality. I will demonstrate what a common Salt setup looks like, how to recon it from a low privilege perspective, and how to abuse common Salt templating issues to RCE your way to success.

    17:30 - 19:30

    HCKSYD 2022 AfterParty

    Metro Theatre Sydney CBD
    We'll head off to the Metro after the conference talks on the final day for networking, fun and music at the: HCKSYD AfterParty 2022

    Tickets

    Early Bird

    $200
    15 June - 15 July.
    *Full Conference access
    *AfterParty Entry
    *Conference Swag

    General Admission 1

    $250

    16 July - 31 October.
    *Full Conference access
    *AfterParty Entry
    *Conference Swag

    General Admission 2

    $300
    1 November - 18 November.
    *Full Conference access
    *AfterParty Entry
    *Conference Swag

    Student

    $120
    20 September - 18 November.
    *Full Conference access
    *AfterParty Entry
    *Conference Swag

    Partners

    Included
    1 September - 18 November.
    *Full Conference access
    *AfterParty Entry
    *Conference Swag

    Volunteers

    Included
    1 September - 18 November.
    *Full Conference access
    *AfterParty Entry
    *Conference Swag

    Sponsors & Partners

    Want to become a sponsor? Get in touch

    CFP


    CFT for trainings is now Closed for 2022
    CFP for presentations is now Closed for 2022

    • Offensive Security
    • Network Security
    • Application Security
    • Incident Response
    • Exploit Dev
    • Secure Coding
    • Threat Intelligence
    • Penetration Testing
    • Hardware Hacking
    • Mobile Security
    • Malware Analysis and Reverse Engineering
    • Digital Forensics

    All other InfoSec topics will also be considered, as long as they are technical, hands-on in nature.
    Trainings: 2-days or 3-days
    Presentations: 45 min (Including Q&A)