Purple Teams, cables and continuous assurance
CHCon took place on November 5-6 in Christchurch in the historic Main Hall at the Arts Centre heritage site. Blacklock was proud to be a Bronze sponsor.
CHCon presented a good blend of technical and non-technical talks. A few worth mentioning:
- Security consultant Matt Cotterell of ZX Security talked about hacking OpenID Connect and OAuth2. The talk covered vulnerabilities in the protocols, attack scenarios and mitigation techniques.
- Jed Laundry spoke about the fascinating concept of using the Internet of Things to make his house remotely monitorable and hopefully burglar-proof.
- Gavin Dilworth gave an excellent presentation on the do's and don'ts of pen testing ICS/IoT, covering when pen testers should and shouldn't run a pentest or a purple team exercise against such systems. Among the caveats: why black-box testing and nmap scans should be avoided, since fragile control-system devices can be knocked over by traffic an ordinary IT network would shrug off.
- Presenters from the US covered the JSON Web Token RSA key confusion vulnerability (a verifier that lets the token's own alg header switch it from RSA signature checking to HMAC, with the public key as the shared secret) and how limiting JWT lifetime narrows the window in which a forged or stolen token can be used against OAuth-protected resources. They also advised users to review and revoke their connected apps when they reset their passwords.
- Principal Consultant Sam Shute of Quantum Security reflected on password hash cracking. He walked through the mathematics and probability behind it: the roughly six quadrillion combinations of an eight-character password drawn from the printable keyboard characters, and how rule-based attacks (swapping letters for special characters, toggling upper and lower case) reach the likely candidates long before the keyspace is exhausted. A multi-GPU cracking rig draws a great deal of power, but against a fast hash it could theoretically try every one of those several quadrillion combinations for an eight-character hashed password in no more than about 46 hours.
The conference also had side rooms in which some of Christchurch's brightest hackers completed a geography-themed hacking challenge and stretched their abilities picking some tough padlocks.
A huge shout out and thank you to the CHCon team, whose efforts made it happen during this pandemic.
Why do we do all of this?
Because we care about sharpening the skill sets of the country's best White Hat hackers, with whom Blacklock likes to be involved. Read more about the benefits of easy web-based penetration testing for your business: it is simple, and it cuts out the cost and cumbersome processes of traditional pentesting.
CHCon talks will be made available online here: