CHCon '17

Journey to the Top on BugCrowd: The untold tales of struggle and pain

Presenter: Ahmad Ashraff

Twitter: @yappare

Recording: https://youtu.be/pZrIK9c-0Uk

The bug bounty scene has evolved tremendously over the years. It is now very competitve especially among the top echelon. Through this presentation, I'll share how I got to the top #2 in bugcrowd over the years. Getting there is a journey. Maintaining it is another. Learn how to hack smarter not harder. I'll provide and insight to some of the challenges I've faced and how I overcome them.

About the Presenter: 7+ years as pentester. Active bug bounty participant since 2013. Currently in top 5 in Bugcrowd's All-Time leaderboard (https://bugcrowd.com/leaderboard)

Hacking Medical Devices: An Engineer's Approach

Presenter: Agnetha Korevaar

Recording: not recorded

A few ideas on how to hack medical devices, hopefully without creating expensive bricks. Thinking like an engineer to figure out how to get in and observe what's going on before modifying the device's behaviour.

About the Presenter: Research engineer by day. Runner, tramper and cyclist by night.

Using Command Line Tools To Find Linux Compromises and Rootkits

Presenter: Craig Rowland (Sandfly Security Ltd.)

Recording: https://youtu.be/ll09jf9ANSs

In this talk we will discuss common signs of intrusion on Linux systems and how to spot them with command line tools. Most signs of intrusion can be detected by an admin with basic tools and a keen eye for things that are out of place without resorting to anything drastic.

In this talk, participants will learn what to look for as signs of intrusion, and how to detect them with built-in tools. These techniques do not require reverse engineering, memory analysis, or anything overly complex. Participants will also learn how to look for common stealth rootkits with these basic tools to unmask whether they are operating on a Linux system.

About the Presenter: Craig Rowland is an Internet security entrepreneur that has made his career in technology start-ups. His previous company, Psionic, was sold to Cisco Systems and he has worked as an early stage employee or consultant at other companies acquired by Cisco (WheelGroup Corp) and 3Com (TippingPoint Technologies).

Craig has helped develop automated network attack tools, intrusion detection and prevention systems, and the first automated security incident response product in the world (Cisco Threat Response).

Craig has founded a new start-up called Sandfly Security. Sandfly develops automated tools to help secure and respond to attacks against Linux servers and devices.

Pizza Roulette

Presenters: Catherine McIlvride and Fiona Sasse

Catherine and Fiona are security newbies in the world of bleepbloops. As their hunger for more knowledge on Security Testing grows, they attempt to chomp into the cyber realm of ordering pizza. Pull up a chair, grab a slice* and prepare yourself for a feast!

*Disclaimer: Pizza will not be included.

About the Presenters: Catherine and Fiona are software testers who have been united by their passion for pizza and their curiosity for wearing black and whites hats. They hammer and chisel their way through interfaces, databases, and all other places to identify cracks and gaps. Now they face their next adventure roaming unfamiliar territory in the security space.

One CERT, a V8 Interceptor and a Wasteland: 3 interesting stories from CERT NZ

Presenter: Declan Ingram (CERT NZ)

You're invited to come on a journey with CERT NZ Operations Manager, Declan Ingram to drive you through the attacks, investigations, surprises and human emotion of New Zealand’s cyber security wasteland. Since its beginning on 11 April 2017, newly established government unit CERT NZ joins other people and organisations (domestic and international) to help New Zealand better understand and stay resilient to cyber security threats. What we’ve seen so far is a Fury Road, and the tip of nomadic cyber threat.

Our 3 interesting stories are our top picks of what CERT NZ has seen to date, the controls that mitigate them and how we need your help.

About the Presenter: Declan Ingram is the Manager of Operations for CERT NZ, leading the technical side of the unit. Declan is a reformed penetration tester with a lot of experience in incident response and security architecture.

Eye in the Fi: The commodification of privacy

Presenter: Karl Barrett (Lateral Security)

Recording: https://youtu.be/wjvJQ3nCXNo

People provide personal information to strangers everyday, which can then be sold, shared, or stolen. They also carry various tracking beacons on their person, which is convenient for everyone involved. This talk will look at "what, how, and why" of personal data acquisition; whilst carefully avoiding "who, when, and supporting evidence". There will also be a flashy live demo - because a reality is worth a thousand pictures.

About the Presenter: Karl is a security consultant for Lateral Security in Christchurch, New Zealand. His areas of interest include hardware hacking and advanced XSS techniques. In his spare time, Karl enjoys climbing rocks and popping locks.

L2 Attacks against Virtual Devices

Presenter: Kylie McDevitt (BSides Canberra)

Twitter: @kylieengineer

Recording: https://youtu.be/iNckg7jk54o

The growth of datacentre consolidation and on-demand compute has shifted the direction of computer networks to virtualisation. With the increasing popularity of programmable networks such as Cisco ACI and VMware NSX and the industry-wide push towards network automation, we are seeing more and more networks pushed down towards the hypervisor and implemented as virtual switches. This talk investigates traditional network attacks done against network hardware and how they apply to the virtualised network successors. I will cover L2 ARP attacks, VLAN hopping and STP. I will also cover an introduction and preliminary investigation into the new protocols underlying SDN.

About the Presenter: Kylie studied Telco Engineering at ANU in the late 90s and has a Masters in Computer Networking with CSU. She has worked primarily within Network Engineering across government and private sectors and currently is a technical security consultant specialising in computer networks. In her spare time she enjoys building and breaking networks, pushing boundaries in security and knowledge.

New Zealand’s Cyber Security Strategy – what have we done and where to next?

Presenter: Paul Ash (National Cyber Policy Office)

Twitter: @bikesbooksbrews

Two years have passed since New Zealand’s Cyber Security Strategy was launched. Since that time, New Zealand has come a long way – we had our first ever Cyber Security Summit, aimed at promoting cyber security at the executive and governance level; we have set up a CERT; we are making good progress on developing a pipeline into the cyber security profession, and; we are working with our international partners to improve our understanding of threats and our ability to respond. But, we cannot be complacent. The cyber security threat is rapidly evolving and we need to evolve with it. Paul Ash, Director of the National Cyber Policy Office, will talk about what has been achieved in New Zealand over the past two years and where we need to head to ensure New Zealand is secure, resilient and prosperous online. And you might have some ideas you want to share...

About the Presenter: Paul Ash is the Director of the National Cyber Policy Office in the Department of the Prime Minister and Cabinet. They are responsible for advising the government on cyber security and developing the Cyber Security Strategy for New Zealand.

From Rogue One to Rebel Alliance: Building Developers into Security Champions

Presenter: Peter Chestna (Veracode/CA)

Twitter: @PeteChestna

Recording: https://youtu.be/kyuiJi8a8V4

There just aren’t enough security experts to go around. You have to support the multitude of Agile and DevOps teams that are making production software changes anywhere from once a month to several times a day. The lack of resources coupled with the ever increasing responsibilities can make you feel like a rouge warrior in the battle against cybercrime. What’s a security professional to do? Whether you are a team of one or five, there aren’t enough hours in the day and even if there was more budget, good luck finding someone to fill that security role. What if I told you that through careful selection and good training it is possible to build your own army from the very people who own the development process?

About the Presenter: As Director of Developer Engagement at Veracode/CA, Pete provides customers with practical advice on how to successfully roll out developer-centric application security programs. Relying on more than 10 years of direct AppSec practitioner experience as both a developer and development leader, Pete provides information on best practices amassed from personal experience in addition to working with Veracode’s 1,000+ global customers. He led Veracode’s transformation from Waterfall to Agile to DevOps and from monolith to microservice architecture. He is certified as both a scrum master and product owner. From his experience as both a practitioner and consultant, Pete has spoken internationally at both security and developer conferences on the topics of Application Security (AppSec), Agile and DevOps.

2FA War Stories

Presenter: David Robinson aka Karit (ZX Security)

Twitter: @nzkarit

Recording: not recorded

Reflecting on recent times, there have been a large number of data breaches which included hundreds of millions of dumped passwords. Attackers then used the passwords from these breaches to access other sites a user may have been registered with. If you are involved in running a website, you must assume that your users will reuse their passwords, but you still need to protect your site against this style of attack. This is where Two Factor Authentication (2FA) comes in, password reuse becomes less of an issue because the attackers likely won’t have access to the user’s 2FA token (hopefully). Adding support for 2FA isn’t the Holy Grail though, and implementations can easily be messed up. This talk will share war stories of failed 2FA implementations and what you can do to avoid the same pitfalls.

About the Presenter: Dave/Karit (@nzkarit) has worked in the IT industry for over 10 years. In this time he has developed a skillset that encompasses various disciplines in the information security domain. Dave currently works as a Penetration Tester at ZX Security in Wellington. Since joining ZX Security Dave has presented at Kiwicon, DefCon, Unrestcon, BSidesCBR and at numerous local meetups; along with running training at Kiwicon and Syscan. He has a keen interest in lock-picking and all things wireless.

Visual Hacking - Seeing is Believing

Presenter: Drewe Hinkley (ISIG)

Recording: https://youtu.be/7OkicAheocA

Exposing the risks of visual hacking in a modern business environment, and the offensive defense mitigation strategies that can be deployed. Studies have shown that focused visual hacking attacks have an 88% success rate, with 20% of visually hacked data classified as highly sensitive or above. This talk will outline the methodologies of visual hacking, explore the mindset of the attacker, and define the defensive measures that form the foundation of strong operational security.

About the Presenter: Drewe Hinkey, CISSP. Governance and Risk Management Consultant for various global industries. Has managed numerous Information Privacy and Protection audit and compliance projects throughout Asia Pacific. Specializes in the boring stuff that allows tech heads to do the fun stuff.

The Internet of Pancakes

Presenter: Peter Jakowetz

Twitter: @ch4db0t

Recording: https://youtu.be/ApUXcRXC7oA

2015 was an important year. NASA confirmed the presence of water on Mars, 195 countries signed the world’s first accord on climate change, same-sex marriage became a right in the US and the PancakeBot was released on Kickstarter. PancakeBot is a CNC robot that can make pancakes from vectorised images. So, the obvious progression was to put the PancakeBot on the internet and create an Internet of Pancakes.

This talk discusses the challenges of hacking together cheap electronics to put pancakes on the internet.

About the Presenter: Peter is an electrical engineer turned security consultant from Wellington, NZ. He enjoys playing with open source hardware and software, playing with electronics, and breaking things in his spare time.

Free Open Source Network Security Monitoring

Presenter: Frank Keating

Recording: https://youtu.be/TG1OVeXL0Rg

For many people in the security industry Kali is a common tool as it is a swiss army knife of testing. Like Kali, Security Onion is an amazing all in one distro that installs everything you need to start with network security monitoring. The goal of this talk is show zero to hero an install, configuration and basic demo of the features of Security Onion.

About the Presenter: I have been working within the IT industry since the late 90s. Not being able to settle, I have tried my hand at many roles and currently interested in expanding my security knowledge and learning where I am wrong or just new and interesting things.

A Wolf Among the Crowd

Presenters: Nilesh Kapoor and Logan Woods

Twitter: @nileshpisces

Unbeknown to them, a lone hacker has gained physical access to their secure office. Sitting amongst them, hiding in plain sight, the hacker manipulate and weave through the social fabric of the office. A smile here, a nod there, building trust everywhere. Our hacker remains focused on his objective: the coveted server room. Mustering up all his confidence, he reached for the door handle and...

This talk draws deep upon our experience in physical security assessment. We will share our real-life experience and methodology in gaining access to places where we shouldn’t. We will focus on practical tips and tricks to enlight and delight the audience. Learn how to be seen, but not seen. See how we convince (or confuse) our targets.

About the Presenter: Nilesh Kapoor is currently working as a Senior Security Consultant with Aura Information Security. He is the co-author of “Security Testing Handbook for Banking Applications” published by IT Governance. He has over 10 years of experience in security consulting, red-teaming, physical security assessments, application security, network security, enterprise solution security, host reviews, and mobile security. He is also a registered penetration tester with CREST, CISSP and a CEH certification holder. His articles are published on IITP blogs and also maintain own security blog at http://nileshkapoor.blogspot.com

Onionland Explorers!

Presenter: ss23

Twitter: @ss2342

Recording: https://youtu.be/BO1PFAzGRAg

An introduction to Tor, an introduction to Onionland! We'll discuss the basics of how Tor works, attacks against it, how people have been caught while using Tor in the past, and how you might be able to use Tor to preserve your anonymity. We'll cover some of the basic tools you might be touching, like Onionscan.

About the Presenter: After working as a developer, I now annoy people on IRC while penetration testing in my spare time.

A pentester's guide to automating security

Presenter: Benjamin Kearns (Lateral Security)

Twitter: @pipline_tux

Recording: https://youtu.be/ye5UcXb7RXI

As with many technical people, I have an overengineered home setup, involving an unhealthy mix of media devices, hacky home made apps, self-hosted open source apps, IoT devices and of course PCs/phones/tablets. As a pentester, it would be kind of embarrassing if any of these got popped, and I have good "friends" who make sure it's constantly being tested.

This talk is an exploration of the tools and techniques I use to automate securing my network and applications with as little ongoing effort as possible, in the face of skilled adversaries who have the wifi password.

About the Presenter: Hi, I'm pipeline. I'm a reformed Rails developer originally from Christchurch now breaking all manner of things for Lateral Security in Wellington. In my spare time I like to build things which make breaking things easier. Then I test them on unsuspecting bug bounties.

CTF - The Gateway Drug

Presenter: Toni James (Orion Health)

Twitter: @_tonijames

I can't stop thinking about it, I can't wait for my next fix, it keeps me up late at night, and I always want more. Flags that is, what did you think I meant? A live walkthrough of my favourite CTF challenges, the ones I think would entice other devs and wanna-be hackers to give it a try. "The first one's free." A how-to and where-to-start, accompanied by a casual discourse about imposter syndrome, sexism in tech, and pondering the harsh realities of vim (not really because I never use vim, I'd never be able to get out of it).

About the Presenter: I'm a snowboarder turned software engineer with an addiction to security. I've won a few scholarships in my quest to get more women into tech and I'm really good at supporting others to do 'all the things'. I'm a firm believer in you need to see it to be it and I'm trying to put myself out there so others will step up and challenge the status quo.

Building a Certificate Authority with Yubikeys

Presenter: Ryan (Chaotic Neutral)

Twitter: @ryankurte

An introduction to Public Key Infrastructure (PKI), why you would need it, and how to build your own Certificate Authority (CA) using yubikeys.

About the Presenter: Ryan is a (mostly embedded) *ware engineer, PhD student, programming language hipster, and producer of artisanal, ethically sourced Bad Ideas™.

Bounty hunting, how hard can it be?

Presenter: Jeremy Stott (Vend)

Twitter: @jsstott

Recording: https://youtu.be/SiXyGs8aXuY

One day Jeremy foolishly decided he to could get some sweet loot hunting security bounties. Have you wondered what this glamorous life is like, and if you should quit your day job? Well wonder no more. Be prepared for some fun stories, laugh at Jeremy's misfortune, and come away with a few tips on bounty hunting.

About the Presenter: Jeremy is now a totally legitimate security person having recently joined the security team at Vend. Before that he had a slightly suspicious history of blowing things up with his pal Ryan at Kiwicon.

Project Walrus, an RFID and Contactless Card App

Presenter: Daniel Underhay

Twitter: @dunderhay

Recording: not recorded

Project Walrus is an Android app we’re developing to let pentesters make better use of their contactless card devices, like the Proxmark and the Chameleon Mini.

Come and see how Walrus can help you on your next red team, or just come so I can clone your access cards.

About the Presenter: Pentester by day, Project Walrus developer on the weekend. Enjoying being alive.

Operation Luigi: "I got permission to hack my friend and..."

Presenter: "Alex" (Atlassian)

Twitter: @mangopdf

Recording: https://youtu.be/ZyGahmpXTKA

Yep so I asked my friend if I could hack her and she said yes. This is about what worked, what went wrong, all the flubs I made, and how to not suffer the same fate as her. Also Mario's green brother is there, and then that part takes a sinister turn.

About the Presenter: Alex is a kid with a laptop and a pocketful of memes. He's an incident detection and response boy at Atlassian, a magician, and a five-time celebrity Masterchef winner. Get amongst his dumb internet antics at mango.pdf.zone.

Rev.eng.e

Level: Intermediate

Duration: Half Day

Trainer: Karl Barrett (Lateral Security)

Brief

Reverse Engineering for Education/Entertainment is an informal training session to teach tools and techniques useful in application analysis.

The goal is to provide attendees with a high-level introduction to a variety of free (and predominately open source) toolsets; breaking down the stigma of reverse engineering being magical voodoo.

Learnings

• The ability to manipulate and decipher a variety of programming languages (both interpreted and compiled).
• An understanding of common debugging techniques.
• Knowledge of basic reversing toolsets, and how to use them.

About the Trainer

Karl is a security consultant for Lateral Security in Christchurch, New Zealand. His areas of interest include hardware hacking and advanced XSS techniques. In his spare time, Karl enjoys climbing rocks and popping locks.

Building Security into your Development Team(s)

Level: Intermediate

Duration: Full Day

Trainer: Kim Carter (BinaryMist)

Brief

Kim will lead the class through the tools, techniques and thought processes of both red and blue teams along with how to combine these attributes into the purple team focussing on security, productivity, and tasked with continuously delivering sustainable maintainable technical solutions to market.

Kim will explain the roles of 'T' shaped professionals, including placement of security champions to create your purple Development Team(s).

We will work through how to implement the Sensible Security Model (SSM) within each and every Sprint, including:

1. Creating actionable countermeasure Product Backlog Items
2. Integrating them into the same Product Backlog that your Development Team has been pulling business focussed items from
3. Ordering them based on the risk ratings you create for each

Kim will discuss how and where Agile Development Teams often fail, along with how to succeed with security with a familiar anecdote. Then augmenting your Scrum process within each and every Sprint, with a collection of development focussed processes and practises, tools and techniques that have proven their value at drastically reducing defects before production deployment.

Kim will walk us through the SSM threat modelling process with theory and hands on exercises in areas such as Physical, People, VPS, Network, Cloud and Web Applications. Including sub topics such as Docker, Serverless, PowerShell and many others.

More Detail

Training material will be augmented with Extracts from Kims interviews on Software Engineering Radio with security experts such as Diogo Mónica (Docker Security Team Lead) and Haroon Meer (creator of Canary tools and tokens).

Copies of the first two parts of Kims book series "Holistic Info-Sec for Web Developers" (weighing in at aprx 700 pages) which this training is based on, will be provided as: companion course material to accompany the training, ongoing self learning, and as a valuable reference resource long after the training has finished.

Learnings

Coverage of topic chapters

• Physical
• People
• VPS
• Network
• Cloud
• Web Applications

About the Trainer

Technologist / Engineer, Information Security Professional, Entrepreneur and the founder of BinaryMist Ltd. OWASP NZ Chapter Leader. Certified Scrum Master. Facilitator, mentor and motivator of cross functional, self managing teams. With a solid 15 years of commercial industry experience across many domains, Kim enjoys teaching others how to apply information security to their Agile processes, bringing the security focus up front where it's the cheapest to implement, increasing profit and reducing costs. Co-organiser of information security conference OWASP NZ Day, International trainer, speaker published author, and Software Engineering Radio podcast host, focusing on

• Software and network architecture
• Web development and engineering
• Information security

Kim is also a regular blog poster at blog.binarymist.net. Kim loves designing and creating robust software and networks, breaking software and networks, then fixing them and helping organisations increase productivity.

Introduction to Secure Web Coding

Level: Intermediate

Duration: Full Day

Trainer: Gavin Porter (Catalyst IT)

Brief

This course was developed to meet a government client requirement for all development staff to be trained on the principles of secure web development. It evolved into a full day course that draws upon the Australian Government and New Zealand Information Security Manuals and the OWASP Top Ten with practical exercises.

The course has evolved over the last few years and has been presented to staff and customers across three countries.

This is not a course that covers exploitation and is not aimed at penetration testers. The course is aimed at software developers and testers with a reasonable understanding of web technologies. It aims to impart knowledge of good development principles and the common OWASP security issues to search for when testers, or to avoid when developing. The course is focussed on explaining the security vulnerabilities and how to prevent them.

The course is very useful for anyone developing a web application that needs to demonstrate compliance against a security standard such as PCI DSS or NZISM. For other web applications, such knowledge is good practice to help organisations produce secure websites.

Learnings

Participants will finish the day knowing what common security vulnerabilities, such as SQL injection, XSS and CSRF are and how to avoid them.

About the Trainer

Gavin is currently the Security Manager at Catalyst IT. He has been involved in security for 20 years in a variety of roles including web development, penetrating testing and forensics. He created this course to meet customer requirements for Catalyst staff to be suitably training on secure coding and has since also presented it to external clients.

Gavin is also the project champion for an open source solution to meet the OWASP Top Ten 2013 A9 issue about using components within known vulnerabilities. This project will be publicly launched in time for CHCon 17.

Security Testing for Software Testers

Level: Basic

Duration: Full Day

Trainers: Nick Malcolm and Sam Macleod (SafeStack)

Brief

Testing is a key part of development life cycles, from checking your functional requirements actually work to constraining development to keep code focused and concise (TDD). Security testing however is often not conducted inside our life cycles. We often wait until development is completed and ask third party penetration testing firms to find our issues for us. Bugs are often missed or are found too late to remediate. Cost of remediation escalates and our systems become tightly coupled and increasingly fragile as a result.

Why would we want to finish engineering before finding fundamental security issues? Shouldn't we try to find these as early and often as possible? Shouldn't we take every opportunity to identify security flaws in our applications?

This course will help teams weave security testing into their own testing life cycles and tool chains without compromising agility or innovation.

Learnings

• How to plan test scenarios, and foundation concepts behind testing against the OWASP top 10.
• The risks associated with common web application vulnerabilities.
• Hands-on lab experience testing common web application vulnerabilities, and an introduction to testing tools.

More Detail

A fast-paced course aligned with the Open Web Application Security Project (OWASP) top 10 application security vulnerabilities. In addition to these vulnerabilities, students will gain a solid grounding in how to bring security into their testing toolsets and working practices. This includes:

• Security test cases, stories and what to test
• Manual security testing key skills (parameter tampering, proxying and other basics)
• Introduction to security testing frameworks
• Automated security testing
• Introduction to vulnerability scanning
• Automated vulnerability scanning as part of development tool chains

About the Trainers

Nick is a security consultant, working at SafeStack. He comes from a software development background, having led the development of a global cloud security product protecting millions of users from account takeover attacks. This required setting and maintaining a secure development culture within the team at both a code and process level, and provided the opportunity to create and deliver conference presentations and blog content for developer communities. Now in an advisory role Nick is able to use his years of on the ground experience to understand and explain security topics in an accessible way, and provide achievable and practical security solutions.

Nick will be accompanied by his colleague Sam Macleod.

Support Sponsorship

Cost: (Covering international speaker travel expenses, media coverage/article/promotion of the event)

Includes:

• Publication of the sponsor logo on the event web site.

Bronze Sponsorship

Cost: 1500NZD+GST

Includes:

• Everything from the Support Sponsorship plus:
• Publication of the sponsor logo in the agenda at the conference.

Silver Sponsorship

Cost: 3000NZD+GST

Includes:

• Everything from the Bronze Sponsorship plus:
• Publication of sponsor advertising in the agenda and mention in the official communications with the attendees at the conference.
• The possibility to distribute the company brochures, CDs or other materials to the participants during the event.

Gold Sponsorship

Cost: 5000NZD+GST

Includes:

• Everything from the Silver Sponsorship plus:
• The possibility to have a promotional banner or sign in the lobby (to be provided by the sponsor, size subject to approval by the CHCon team).
• 3 conference tickets and Green Room access.

Platinum Sponsorship

Cost: 8000NZD+GST

Only two available.

Includes:

• Everything from the Gold Sponsorship plus:
• Being promoted as a leading sponsor.
• The possibility to have a promotional banner or sign to the side of the stage (to be provided by the sponsor, size subject to approval by the CHCon team).
• 6 conference tickets and Green Room access.

Special Event Sponsorship

Cost: (Help to cover the costs of an event, such as a speakers dinner, capture the flag event. We’re open to your ideas.)

Includes:

• Everything from the Bronze Sponsorship plus:
• A great feeling knowing that you have helped the technology community in Canterbury & NZ, as that is what CHCon is all about. You're likely to get business from this.
• Recognition from the people involved in the event.
• The possibility to have a promotional banner or sign at the Special Event that you sponsor (to be provided by the sponsor, size subject to approval by the CHCon team).

Were the presentations recorded?

Yes. The majority of the presentations at CHCon this year were recorded. We’ve released the videos for which we have permission on our YouTube channel. You can view them all in the 2017 playlist, and they are linked individually from each presentation description here.

What and when?

CHCon is a conference for security professionals and hackers in Christchurch, NZ. Training will be run on Thursday 26th October, and presentations on Friday 27th and Saturday 28th. A CTF will be run across all three days. All official conference events will be held at the UCSA Events Centre at 90 Ilam Rd, Riccarton. There'll soon be a more detailed schedule below. Be sure to send through a CFE submission or to email us if there's something in particular you'd like to see happen!

Who is it for?

You! IT security professionals, web developers, software developers, students, wannabes, hackers, enthusiasts, [your title here].

Who will be speaking/training?

We'll be able to confirm once we've sorted through the CFP and CFT submissions, which are open until Saturday 26th August.

Who is running this thing?

CHCon is being coordinated by a collaboration of people from the local OWASP and ISIG chapters. These are two web application security and information security groups which meet regularly in Christchurch. Follow us on Twitter: @CHCon_nz.

Where is the event held?

The training and official events like the afterparty and CTF are to be held at Bentleys, in the UCSA Events Centre at 90 Ilam Rd, Riccarton (directions). The conference is to be held in the events centre itself. Don't worry, there will be plenty of signage to ensure you don't get lost!.

How do I attend?

Tickets to the conference and training are (no longer) available through Eventbrite.

Where can I buy merchandise?

Merchandise pre-orders are offered when purchasing your conference ticket. If you'd like to make a bulk order or didn't order your merchandise when purchasing your ticket, please contact us via email ([email protected]) at your earliest convenience. If for whatever reason you find that you haven't pre-ordered it and the conference is tomorrow, don't fret as there will be a limited amount available for purchase at the registration and on the day.

Where in CHC can I stay?

That's a tricky question to ask a local. The conference and all associated events are being run in or near Riccarton (our 'new CBD') - so we'd recommend staying around there (view options).

How can I help promote CHCon?

Spread word of the conference to anyone you think could be interested in attending, and make sure to tag @CHCon_nz in your tweets!

Code of Conduct

CHCon is dedicated to providing a harassment-free conference experience for everyone, regardless of gender, gender identity and expression, sexual orientation, disability, physical appearance, body size, race, age, or religion. We do not tolerate harassment of conference participants in any form. Sexual language and imagery is not appropriate for any conference venue, including talks. Conference participants violating these rules may be sanctioned or expelled from the conference without a refund at the discretion of the conference organizers.

Harassment includes, but is not limited to:

• Verbal comments that reinforce social structures of domination related to gender, gender identity and expression, sexual orientation, disability, physical appearance, body size, race, age, or religion.
• Sexual images in public spaces.
• Deliberate intimidation, stalking, or following.
• Harassing photography or recording.
• Sustained disruption of talks or other events.
• Inappropriate physical contact.
• Unwelcome sexual attention.
• Advocating for, or encouraging, any of the above behaviour.

Enforcement

Participants asked to stop any harassing behaviour are expected to comply immediately.

If a participant engages in harassing behaviour, event organisers retain the right to take any actions to keep the event a welcoming environment for all participants. This includes warning the offender or expulsion from the conference with no refund.

Event organisers may take action to redress anything designed to, or with the clear impact of, disrupting the event or making the environment hostile for any participants.

We expect participants to follow these rules at all event venues and event-related social activities. We think people should follow these rules outside event activities too!

Reporting

If someone makes you or anyone else feel unsafe or unwelcome, please report it as soon as possible. Harassment and other code of conduct violations reduce the value of our event for everyone. We want you to be happy at our event. People like you make our event a better place.

You can make a report either personally or anonymously.

Anonymous Report

You can make an anonymous report via this form.

We can’t follow up an anonymous report with you directly, but we will fully investigate it and take whatever action is necessary to prevent a recurrence.

Personal Report

You can make a personal report by:

• Calling or messaging this phone number: (to be confirmed). This phone number will be continuously monitored for the duration of the event.
• Contacting a conference volunteer, identified by an orange t-shirt.
• Email us at [email protected].

When taking a personal report, our volunteers will ensure you are safe and cannot be overheard. They may involve other event volunteers or the conference organisers to ensure your report is managed properly. Once safe, we’ll ask you to tell us about what happened. This can be upsetting, but we’ll handle it as respectfully as possible, and you can bring someone to support you. You won’t be asked to confront anyone and we won’t tell anyone who you are.

Our team will be happy to help you contact local law enforcement, local support services, provide escorts, or otherwise assist you to feel safe for the duration of the event. We value your attendance.

• Organiser Email: [email protected]
• Organiser Phone Number: (to be confirmed)
• Police (Emergency): 111
• Police (Non-Emergency): 03 363 7400
• 24hr Sexual Assualt Support Line: 03 377 5402
• Emergency Medical: 111
• Non-Emergency Medical (Pegasus Health 24 Hour Clinic): 03 365 7777
• Healthline (Medical Support Line): 0800 611 116
• Blue Star Taxis: 03 3799 799