Matthew Flanagan
@mattimustang.com
📤 97
📥 57
📝 13
Director and Principal Cyber Security Consultant
@cybliminal.com
reposted by
Matthew Flanagan
Fabian Bader
5 days ago
@_dirkjan and my joint talk at
#TROOPERS25
is now available on YouTube. "Finding Entra ID CA Bypasses - the structured way"
@wearetroopers.bsky.social
youtu.be/yYQBeDFEkps
TROOPERS25: Finding Entra ID CA Bypasses - The Structured Way
YouTube video by TROOPERS IT Security Conference
https://youtu.be/yYQBeDFEkps
If you missed my talk at BSides Canberra you can catch up on it now on YouTube
7 days ago
reposted by
Matthew Flanagan
CrikeyCon
16 days ago
Big shout out to
@cybliminal.com
our first silver sponsor this year! Massive hugs for the returning support; can't wait to see you out at the showgrounds.
reposted by
Matthew Flanagan
BSides Canberra
about 2 months ago
Lots of DMs asking for BSides Canberra 2025 talks — they’ll be on YouTube in a month+ 🎥 Speakers are reviewing their sessions first, so stay tuned! 👉
youtube.com/@bsidescanbe...
BSides Canberra
https://youtube.com/@bsidescanberra9688?si=uysWrSTGUBympWNq
reposted by
Matthew Flanagan
BSides Canberra
about 2 months ago
Celebrating 10 years of amazing artwork for BSides Canberra! 🎨 Huge thanks to Sydney-based Aussie Glenno for bringing our logos to life. Real artists > AI every time.
www.instagram.com/glennoart?ig...
Thanks again to
@bsidescbr.bsky.social
for inviting me to present my research on living off the land on Palo Alto Networks firewalls as well as sharing new tools I’ve developed to creatively misuse 😜 firewall features for credential harvesting and port scanning. Some great questions too!
2 months ago
reposted by
Matthew Flanagan
BSides Canberra
2 months ago
CTF early registration is now open! 🕹️ Get set up ahead of time so you’re ready to go when the CTF kicks off this Friday at BSides Canberra. Register here:
ctf.sk8boarding.dog
noCTF
https://ctf.sk8boarding.dog/
Just one week to go until I present the research from my “Panning for Gold: A Hacker’s Guide to Next Generation Firewalls” paper. Come along and listen to it at
@bsidescbr.bsky.social
if you’d like to up your post-exploitation game or learn how to better defend your environment.
2 months ago
reposted by
Matthew Flanagan
Catalin Cimpanu
4 months ago
For the record, Expel silently updated their blog post to replace bypass with downgrade for this attack
reposted by
Matthew Flanagan
BSides Canberra
5 months ago
This year at BSidesCbr, both the Main Track and the Off-Main Track will run across all three days. Main Track brings the big research, big ideas, and big names. Off-Main features beginner-friendly talks, deep dives, and unexpected gems—streamed to four theatrettes.
reposted by
Matthew Flanagan
BSides Canberra
5 months ago
"Decoding Threat Actors: a Free Tool for Mapping Aliases" Fancy Bear or Forest Blizzard? Qakbot or Pinkslipbot? Dave Matthews reveals a free tool to untangle the threat actor name game - linking aliases, malware families & public research.
cfp.bsidescbr.com.au/bsides-canbe...
Decoding Threat Actors: a Free Tool for Mapping Aliases and Taming the Name Game BSides Canberra 2025
Drowning in the chaos of Threat Actor aliases? Fancy Bear or Forest Blizzard? Wicked Panda or BRONZE ATLAS? And malware families? CageyChameleon or Cabbage RAT? Qakbot or Pinkslipbot? In this session...
https://cfp.bsidescbr.com.au/bsides-canberra-2025/talk/8NAQUJ/
reposted by
Matthew Flanagan
BSides Canberra
5 months ago
"Ding Dong the EDR is DEAD" EDR isn't invincible. Ayman Sagy walks through a real-world exploit against Palo Alto Cortex XDR - earning CVE-2024-8690 and a $2K bounty. See how it was done.
cfp.bsidescbr.com.au/bsides-canbe...
Ding Dong The EDR is DEAD BSides Canberra 2025
Endpoint Detection and Response (EDR) is the watchdog running on your endpoint to detect and respond to threats in real-time. However, like other defenses, it is not a foolproof solution. In this talk...
https://cfp.bsidescbr.com.au/bsides-canberra-2025/talk/D3KHPY/
reposted by
Matthew Flanagan
BSides Canberra
5 months ago
"Why Rust is Safe" Memory safety and C-level performance with no GC or runtime? Ben Williamson breaks down how Rust’s ownership model delivers safety guarantees at compile time, making it fit for kernels, firmware, and more.
cfp.bsidescbr.com.au/bsides-canbe...
Why Rust is Safe BSides Canberra 2025
C and C++ are awesome / terrible – they let you do whatever you want with pointers, resulting in all the tasty memory corruption vulnerabilities we know and love. Other languages impose a runtime or g...
https://cfp.bsidescbr.com.au/bsides-canberra-2025/talk/GVNQQF/
reposted by
Matthew Flanagan
BSides Canberra
5 months ago
"Reversing Bytecode into Bounties" Jira and Confluence plugins can hide serious vulns, if you know where to look. Giuliana and Jamal from Atlassian will show you how to decompile, scan, and exploit like a pro. Whitebox your way to bounties:
cfp.bsidescbr.com.au/bsides-canbe...
Reversing Bytecode into Bounties: Uncovering Vulnerabilities in Jira and Confluence Plugins BSides Canberra 2025
Whitebox assessments are like unlocking the entire game map, and it's totally up to you to decide what’s worth exploring. Understanding how to decompile apps and navigate them will equip you with the ...
https://cfp.bsidescbr.com.au/bsides-canberra-2025/talk/DCEZKT/
reposted by
Matthew Flanagan
BSides Canberra
5 months ago
"Why I am (still) finding secrets in your code" Despite all the secret scanning tools, sensitive creds are still everywhere. Luke Marshall shares how he's found exposed secrets across ecosystems, and helped secure 40+ orgs. 🔗
cfp.bsidescbr.com.au/bsides-canbe...
Why I am (still) finding secrets in your code BSides Canberra 2025
Despite the widespread availability of secret scanning tools, thousands of sensitive credentials continue to be exposed in popular open source ecosystems, a security blind spot that sparked my curiosi...
https://cfp.bsidescbr.com.au/bsides-canberra-2025/talk/UVADYW/
reposted by
Matthew Flanagan
BSides Canberra
5 months ago
"Bitsquatting dot
gov.au
domains" Ever blamed cosmic rays for DNS weirdness? Matt Belvedere explores a year of bitflip data in .gov.au traffic, digging into real-world bitsquatting and unexpected system-to-system auth.
cfp.bsidescbr.com.au/bsides-canbe...
reposted by
Matthew Flanagan
BSides Canberra
5 months ago
"DarkEngine – Researching a Global Phishing Campaign" nullifysecurity breaks down a large-scale phishing op that compromised 2,350+ WordPress sites via fake CAPTCHA lures.
cfp.bsidescbr.com.au/bsides-canbe...
DarkEngine: Conducting Research into a Highly Orchestrated Phishing Campaign BSides Canberra 2025
In June 2025, CyberCX released a report on a highly orchestrated phishing campaign targeting popular WordPress hosting platform WP Engine, dubbed “DarkEngine”, which led to the compromise of at least ...
https://cfp.bsidescbr.com.au/bsides-canberra-2025/talk/DRR8KX/
reposted by
Matthew Flanagan
BSides Canberra
5 months ago
"Behind the Curtain of Dark Web and Cybercrime Operations" Join Alexander Wilczek as he reveals insights from a 4-year investigation into how cybercriminals move and launder money - using OSINT, blockchain tools, and strong OPSEC.
cfp.bsidescbr.com.au/bsides-canbe...
Behind the Curtain of Dark Web and Cybercrime Operations BSides Canberra 2025
A four-year investigation into cybercriminal financial operations. Following the money, examining how threat actors generate, transfer, and launder illicit proceeds. Including the operational security...
https://cfp.bsidescbr.com.au/bsides-canberra-2025/talk/NWWKSN/
I’m incredibly excited to be accepted by
@bsidescbr.bsky.social
to present my research on Next Gen Firewalls. I can’t wait to get up there for the first time to share it with you all!
5 months ago
reposted by
Matthew Flanagan
CrikeyCon
9 months ago
Justin's talk title speaks for itself: “Well well well, if it isn’t the consequences of my own actions” - the time I got in the middle of 100,000 Linux machines and their LVFS firmware updates and then somehow bypassed the fwupd PGP signature checking
reposted by
Matthew Flanagan
CrikeyCon
9 months ago
Open source sits at the base of the software supply chain. Fraser talks about how critical it is for open source to establish security response teams and infrastructure. Listen to the experiences learned from bootstrapping and leading the Haskell security response team.
reposted by
Matthew Flanagan
CrikeyCon
9 months ago
We're a week away and we wanted to say another big thank you to our sponsors. This year Cybliminal has joined us as a Silver sponsor! Big thanks to Cybliminal
#crikeycon
reposted by
Matthew Flanagan
CrikeyCon
9 months ago
Come learn with Kelsy how to develop your cyber team as trustworthy within an org, rather than a compliance function, and how increasing levels of perceived legitimacy may allow security teams to further leverage employees as practical and informed resources!
reposted by
Matthew Flanagan
CrikeyCon
9 months ago
Jumping on stage we have Simbo who will be talking all things SIEM in the talk "SIEM-less security; Panacea or placebo". Join us March 22 to see this talk and more at CrikeyCon. Get your ticket here:
events.humanitix.com/crikeycon-x
CrikeyCon X
Get Tickets on Humanitix - CrikeyCon X hosted by Droppy & The Sleuth. Royal International Convention Centre (Royal ICC), 600 Gregory Terrace, Bowen Hills QLD 4006, Australia. Saturday 22nd March 2025....
https://events.humanitix.com/crikeycon-x
reposted by
Matthew Flanagan
CrikeyCon
9 months ago
We're excited to announce we have Georgia back on stage with us to present 'Hacking Minds not machines: How meetings not malware can compromise your controls'!
reposted by
Matthew Flanagan
cybliminal
9 months ago
Hey cyber people, Cybliminal have a ticket to
@crikeycon.bsky.social
X on 22nd March in Brisbane to give away. DM us if you are keen to attend.
reposted by
Matthew Flanagan
CrikeyCon
9 months ago
Colby joins us on stage to talk Cyber security exercises D&D style. Get immersed through his talk on building scenarios and narrative, supporting player agency, and keeping things flowing in Tabletops & Dragons.
#crikeycon
reposted by
Matthew Flanagan
CrikeyCon
9 months ago
Next up we have Zane on stage to dive into the anatomy of credential attacks, exploring how attackers exploit stolen credentials, bypass defences, and leverage automation to maximize their success. Does MFA work, how well, and what else can you do in 'Credential Stuffing Unmasked'?
reposted by
Matthew Flanagan
CrikeyCon
9 months ago
This year NTT is supporting our Women of CrikeyCon event on 20th March. Women of CrikeyCon provide a chance for attendees identifying as women, friends, and the wider community to meet before CrikeyCon to promote diversity and inclusion. Register here:
events.humanitix.com/crikeycon-x-...
CrikeyCon X - Women of CrikeyCon networking event
Get tickets on Humanitix - CrikeyCon X - Women of CrikeyCon networking event. Venue provided after registering for a ticket. Thursday 20th March 2025. Find event information.
https://events.humanitix.com/crikeycon-x-women-of-crikeycon-networking-event
reposted by
Matthew Flanagan
CrikeyCon
9 months ago
Exciting times! We have now published the events and presentation schedule for CrikeyCon X next week! crikeycon
crikeycon.com/schedule/
Workshops will be running on the day too - we'll send out details and registration forms to ticket holders soon...
CrikeyCon X
https://crikeycon.com/schedule/
reposted by
Matthew Flanagan
dook
9 months ago
Less than 4 weeks to go till
@crikeycon.bsky.social
X! Woot! Check out our updated website for events, and speakers TBA announced soon.
www.crikeycon.com
CrikeyCon X
https://www.crikeycon.com
reposted by
Matthew Flanagan
CrikeyCon
9 months ago
The Decipher Bureau crew are back both as Silver sponsors and running our CrikeyConnect. With massive experience recruiting for the cyber security industry, come grab a refreshment and get some tips on what’s happening in the job market.
reposted by
Matthew Flanagan
CrikeyCon
9 months ago
Brand new at CrikeyCon X, Australia’s first-ever Meshtastic CTF event! Explore off-grid comms with our open-source, decentralised system using LoRa! Come with your LoRa kit (e.g. Heltec V3) and challenge our LoRa Mesh on March 22! [We've got a few to borrow.]
reposted by
Matthew Flanagan
CrikeyCon
10 months ago
Fantastic news, we've just cracked 400 tickets! We're a week away from announcing our talks and events, but one thing we can talk about is our new Meshtastic CTF extension. We have two friends switching on a cracking set of challenges, come join us to net some solid points!
reposted by
Matthew Flanagan
CrikeyCon
10 months ago
Meanwhile, bit of an update from events, some great progress and shaping up really nicely! We're looking at: 1. CTF (prizes for 1st, 2nd, 3rd, and 11th 😁) 2. A dedicated room for lockpicking! 3. A surprise update for the Post-con event (coming soon!)
reposted by
Matthew Flanagan
CrikeyCon
10 months ago
6 weeks to go, Droppy and the Sleuth are wrapping up reviews of the over 40 submissions! Some brilliant talks coming, we'll be sharing the schedule soon! Huge hugs for your support! If you haven't got your ticket yet, join us for our 10th birthday:
events.humanitix.com/crikeycon-x
reposted by
Matthew Flanagan
CrikeyCon
10 months ago
Thank you to everyone that's submitted for CFE and CFP, we've had a huge range and numbers. We're super excited to get to responding to each and every one of you! We'll have an update early next week.
reposted by
Matthew Flanagan
CrikeyCon
11 months ago
Cybliminal is joining us in 2025 as a Silver sponsor! Big hugs and thanks to the crew
@cybliminal.com
for your support!
reposted by
Matthew Flanagan
cybliminal
11 months ago
Excited to support
@crikeycon.bsky.social
as a 2025 Silver sponsor! Cybliminal is all about supporting hackers, builders, breakers, and defenders in the community. We can’t wait to see what is in store for next year + celebrate everything that makes this community amazing. C u there!
#CrikeyCon2025
#PaloAltoNetworks
has just released a PANOS update, 10.2.13, which includes this interesting little fix. Looking at the portal logs from the management console or CLI I can't see any cleartext passwords being logged in regular or debug mode.
docs.paloaltonetworks.com/pan-os/10-2/...
12 months ago
reposted by
Matthew Flanagan
CrikeyCon
about 1 year ago
Droppy and the Sleuth are open for 2024! Come join us:
events.humanitix.com/crikeycon-x
CrikeyCon X
Get Tickets on Humanitix - CrikeyCon X hosted by Droppy & The Sleuth. Royal International Convention Centre (Royal ICC), 600 Gregory Terrace, Bowen Hills QLD 4006, Australia. Saturday 22nd March 2025....
https://events.humanitix.com/crikeycon-x
reposted by
Matthew Flanagan
CrikeyCon
about 1 year ago
We're hitting full throttle on our CFP already! Do you have something to share at CrikeyConX? Join us at:
docs.google.com/forms/d/e/1F...
CrikeyCon X (2025) Call for Presentations
*** CFP CLOSES 28th January 2025 *** Saturday March 22nd 2025 Royal International Convention Centre, Bowen Hills, Brisbane, QLD CrikeyCon is a community-led conference targeting those with an intere...
https://docs.google.com/forms/d/e/1FAIpQLSfaoH_LeG08HrrEaZn8irHAIrxqHsw7agJUItETm9kcUv-5bw/viewform
Most enterprise environments that I have seen would not be impacted by this as the majority of their users have the portal address configuration locked down except for IT staff who may need to change it for troubleshooting purposes. 🧵
about 1 year ago