This year for the first time I made my way down to Wellington in New Zealand to attend Kiwicon 9. Kiwicon is a security / hacker conference that has been held each year since 2007.
I’ve previously attended Ruxcon six times, which is another computer security conference, but it is held here in Australia so it’s a bit easier for me to get to. After my experience with Kiwicon I am definitely interested in going back; it was easily the best security conference that I’ve been to so far.
As this was my first trip overseas I was interested in spending a couple of days either side of the event in New Zealand to look around and do some typical tourist type things. I arrived in New Zealand on the 8th of December with a group of people from work and the conference itself was run on the 10th and 11th of December. We were then scheduled to leave on the 14th – so almost a full week in NZ.
On the 8th there were “pre drinks”; essentially this was the party before the pre-party on the 9th. I met up with lots of people from Australia that I knew, which was a bit strange as there were so many people there I knew, but in a completely different country.
On the 9th there was some paid and free training available, and early registration was also open so that we could pick up our tickets the day before the conference. There was of course more drinking involved here.
This is also when the badge challenge started. After receiving the handbook with various bits of information in it, there was a link on one of the pages with no further information. Being interested, I of course immediately opened this random link that I’d read off a piece of paper at a hacker conference. It loaded a page with a bunch of encoded text; after decoding the text, some further instructions were given which involved sending an SMS with my badge number to a specified New Zealand phone number. I sent an SMS and waited, but nothing happened.
After about half an hour or so we tracked down one of the staff members responsible for the badge challenge and confirmed that it would not work as I had an international number at the time; it would only respond automatically to a New Zealand based number. With this information in hand I quickly tracked down one of my colleagues who is based in NZ and had a phone number with the NZ country code. He sent the SMS on my behalf and we instantly received a Dropbox link.
After going to the random Dropbox link and of course downloading and opening the random PDF file it pointed to, we were given a string of hex along with cryptic instructions saying to watch the video.
A friend and I, who were working on the challenge together, worked out that the badges we had been given carried unique codes, and there seemed to be at least 10 of them. Using a combination of the codes on our badges and XORing them against the string in the PDF, we revealed some of the content, which appeared to be a YouTube link; however, we needed more badge codes to complete it.
I hit up Twitter and, after performing a search for Kiwicon, instantly found lots of other happy conference goers uploading pictures of their badges, which was perfect. We noted down all of the codes and almost had everything we needed except for one. We figured there’d be a bunch of Kiwicon attendees walking around the streets, and we were right; we had to ask about 20 people before we got what we needed, and then finally had the full link to the YouTube video.
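The post doesn’t say exactly how the badge codes were combined with the hex string, so the following is an added example of my own (not the post’s code and not the real Kiwicon badge-challenge format) that shows the general idea: a keystream built from several short codes, with unknown badges leaving visible holes in the decoded text until the last code turns up. The badge codes, the placeholder URL and the resulting hex string are all constructed for the example, and the layout (code 1 covers bytes 0..3, code 2 bytes 4..7, and so on) is an assumption.

```python
"""Partial-keystream XOR decode, in the spirit of the badge puzzle above.

Added example, not the post's or Kiwicon's own code. The post does not say how
the badge codes were combined, so this assumes a simple scheme: the target URL
was XORed byte by byte with the ten badge codes concatenated in badge order
(code 1 covers bytes 0..3, code 2 bytes 4..7, and so on). Every badge code,
the URL and the resulting hex string are constructed for this example.
"""
from typing import Dict, List, Optional

CODE_LEN = 4    # assumed length of one badge code
NUM_CODES = 10  # the post mentions "at least 10" codes

# Constructed (hypothetical) badge codes, keyed by badge slot 1..10.
BADGE_CODES: Dict[int, str] = {
    1: "7fQ2", 2: "Lm9x", 3: "zK4p", 4: "R0vT", 5: "e8Wn",
    6: "Bq3S", 7: "u6Yd", 8: "H2kJ", 9: "c5Na", 10: "Xg1M",
}

# Constructed placeholder target; not a real video.
PLAINTEXT = "https://www.youtube.com/watch?v=NOTAREAL"


def keystream(known: Dict[int, str]) -> List[Optional[int]]:
    """Lay the known codes into a NUM_CODES*CODE_LEN byte keystream.

    Positions covered by a badge we have not seen yet are None, so a later
    decode can show exactly which characters are still unknown."""
    ks: List[Optional[int]] = []
    for slot in range(1, NUM_CODES + 1):
        code = known.get(slot)
        if code is None:
            ks.extend([None] * CODE_LEN)
        else:
            if len(code) != CODE_LEN or not code.isascii():
                raise ValueError(f"badge {slot}: expected {CODE_LEN} ASCII chars")
            ks.extend(code.encode("ascii"))
    return ks


def xor_with_keystream(data: bytes, known: Dict[int, str]) -> List[Optional[int]]:
    """XOR data against the keystream; None wherever the key byte is unknown."""
    ks = keystream(known)
    if len(data) > len(ks):
        raise ValueError("input longer than the keystream all badges provide")
    return [None if k is None else b ^ k for b, k in zip(data, ks)]


def encode(plaintext: str, codes: Dict[int, str]) -> str:
    """Produce the hex string the PDF would carry (needs every code)."""
    out = xor_with_keystream(plaintext.encode("ascii"), codes)
    if any(b is None for b in out):
        raise ValueError("encoding requires all badge codes")
    return bytes(b for b in out if b is not None).hex()


def decode(hex_ct: str, known: Dict[int, str], unknown: str = "?") -> str:
    """Recover as much of the plaintext as the known codes allow."""
    out = xor_with_keystream(bytes.fromhex(hex_ct), known)
    return "".join(unknown if b is None else chr(b) for b in out)


def missing_slots(hex_ct: str, known: Dict[int, str]) -> List[int]:
    """Which badge numbers are still needed to finish decoding this string."""
    n = len(bytes.fromhex(hex_ct))
    needed = (n + CODE_LEN - 1) // CODE_LEN
    return [s for s in range(1, needed + 1) if s not in known]


# The hex string "from the PDF", derived here from the constructed inputs.
PDF_HEX = encode(PLAINTEXT, BADGE_CODES)

if __name__ == "__main__":
    # Badge 8 is the one we have not photographed or been shown yet.
    partial = {s: c for s, c in BADGE_CODES.items() if s != 8}
    print(decode(PDF_HEX, partial))         # https://www.youtube.com/watc????NOTAREAL
    print(missing_slots(PDF_HEX, partial))  # [8]
    print(decode(PDF_HEX, BADGE_CODES))     # full URL once badge 8 turns up
```

Because the known part of the URL decodes to readable text, the holes tell you both that a code is missing and which badge number it belongs to, which is exactly the situation of having nine of ten codes and needing to find one more attendee.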
The video basically requested that we send another SMS with a provided code. After relaying this via my colleague with the NZ phone number at around 10pm, the response said that we’d receive further instructions via SMS the next morning. Unfortunately this message was sent to my colleague, who was delayed in forwarding it on to me, and by that time I had started the CTF, which is what I was more committed to, so at that point I dropped out of the badge challenge. At the start of day 1 there was a scoreboard for the badge challenge; it seems I was the 20th person to get the YouTube link.
There was a presentation during one of the breaks that covered the full extent of the badge challenge. I recorded it and it can be viewed at the link below; it’s very interesting and definitely worth a watch, as there were many more steps after I stopped playing.
It was cool that the challenge started in a sort of secret manner; if you didn’t visit the URL in the book you never would have really known about it, and overall it was done very well.
Kiwicon – Day 1
The first day of the actual conference was on the 10th of December, although there had been various fun events over the previous two days.
The intro was done really well as it involved a combination of fire, lasers and hilarity (for a taste see https://www.flickr.com/photos/4nitsirk/23584792992/in/album-72157659970319023/), followed of course by the start of the presentations. I managed to catch the first couple of presentations for the day, and then after the break I was working with my team on the capture the flag (CTF) for the rest of the day (and night, until 2am). Here’s a summary of the presentations that I saw on the first day.
- The Internet of Garbage Things – Matthew “mjg59” Garrett & Paul McMillan: This talk covered how the recent Internet of Things (IoT) concept is taking off, with most of the devices out there being basically trash and extremely insecure. It was quite interesting but definitely not surprising, with all the junk products coming out with Internet connectivity.
- Fear and Loathing on your Desk: BadUSB, and what you should do about it – Robert Fisk: This talk demonstrated custom hardware that had been created to help increase the security of plugging in USB devices. While there were certainly various limitations, it was a very interesting project to help reduce these sorts of attacks.
After these couple of talks there was a short break and then our team got stuck into the CTF. It was really great that the venue was open and the CTF stayed up until well past 10pm. Our team was in second place, behind the UNSW team K17, at the end of day 1; however, another team member and I stayed back to work on the WiFi challenges and managed to solve one of them that no one else completed for the rest of the CTF, right before they kicked us out, which was good timing.
Kiwicon – Day 2
After staying up late working on some of the offline CTF challenges I’d got to the point where I’d basically exhausted my “mad hacker skills”, so I spent the first half of the day catching some presentations, which were all really good.
- Swinging From the Cyberlier: How to Hack Like Tomorrow Doesn’t Exist Without Flying Sideways of Regulations – Katie Moussouris: This presentation was really good. It was definitely different in that it started with Katie singing a song that involved backup dancers, fire and lasers, before suddenly ending and then beginning the presentation as if nothing had happened. The talk itself was regarding export controls on software and various policies that could see you being pulled aside at customs when entering the country if you are in possession of 0day exploits, for instance.
- Building the Internet of Wrongs – Steve Lord: This was one of my favourite talks. It was basically all about removing the “hipster threat” from Wellington by trolling them with a series of devices that Steve had created, including a simple device to send Wake-on-LAN packets to Mac devices so that they would wake up and use up all of their battery quickly, as well as performing a man-in-the-middle style attack on DNS requests to social media networks to prevent them from uploading pictures.
- REDACTED – [REDACTED]: We didn’t know what this talk was about going into it. It turned out to be a short talk from the current acting director of the GCSB (essentially New Zealand’s national “cyber” security centre), which mostly seemed to be them recruiting; however, it was still interesting and great to see the government getting involved and recognizing the hacker conference as a friendly (for the most part) community rather than a bunch of hackers on the Internet trying to blow things up.
- Face Off – Hiding in plain sight – ferrouswheel: This talk focused on mass surveillance, mainly in the form of CCTV, and how what you’re doing in public is being recorded, with more and more cameras being constantly added and none ever being removed. The talk discussed methods of avoiding being automatically recognized and detected, as well as the different ways that facial recognition algorithms work and how they have improved over time.
- The New South Wales iVote System: Security Failures and Verification Flaws in a Live Online Election – Vanessa Teague: I’ve previously seen Vanessa present this talk at Ruxcon in Melbourne, Australia; however, it was a little different this time with a bit of NZ spin added in, which was interesting and amusing. It covered different vulnerabilities that had been found within online voting systems used within Australia and how it would have been possible for someone to manipulate the votes without anyone actually knowing, which was a bit worrying.
After these presentations I went back to the CTF, as a couple of new challenges had been added that I thought I’d have a go at; however, it turned out that they were broken so I didn’t get a chance. Throughout the day we managed to pull ahead of K17 for first place, and ended up coming first and winning the CTF. Our prize was an assortment of various infosec books, two of which I had been planning on purchasing myself in the near future, so that worked out quite well.
After the conference officially closed we headed to the after party at Bodega for some more beverages and talk.
After the conference the weekend consisted of mostly tourist things, such as climbing mountains and visiting museums. We ran into plenty of other Kiwicon attendees (as identified by their Kiwicon shirts/hoodies) over the next few days, as they seemed to be all over the place roaming the streets, which was pretty cool. We ran into the guys that came second in the CTF at the top of Mount Victoria and had a chat about some of the CTF challenges in the rain with a view of Wellington in the background.
The only other security conference that I’ve attended, as mentioned, is Ruxcon in Australia. Based on my Kiwicon experience I definitely liked it much better than Ruxcon, mainly because overall it was just more fun and, to be honest, better in almost every aspect.
I liked that Kiwicon had a single track of presentations; there was no need to pick and choose between multiple presentations going on at the same time. Everyone got to sit in the same room and enjoy the same show. The presentations, and the whole conference itself for that matter, were far less serious, which made it really fun.
I personally preferred the venue as well: the theatre offered three floors of seating and the chairs rose up toward the back, which made it easy to see, whereas at Ruxcon all of the seating is on the same level, making it difficult to see anything unless you’re close to the front.
I also found the CTF more fun, and the badge challenge was something new for me and also really fun.
I had a really good time in Wellington. The weather was consistently nice, as it doesn’t get too hot or too cold there, and all of the food that I had was amazing. I could definitely see myself living there in the future, so I’ll keep working on my poor NZ accent until then.
Overall Kiwicon was really great; the presentations that I saw were of high quality and the capture the flag and badge challenge were very fun. The whole environment and atmosphere of it not taking itself seriously made it all the better and easier to enjoy, and let’s not forget the copious amounts of drinking with a bunch of people that share similar interests.