Latest Publications
Bluevox: Attacking One Time Passwords at 1100Hz
19th November 2012 | Graeme Neilson and Shingirayi Padya
Graeme Neilson and Shingirayi Padya presented at Kiwicon 6 about cracking Audio One Time passwords.
Demonic Possession of Browsers. BeEF Issue #666
19th November 2012 | Mike Haworth
Mike Haworth presented Demonic Possession of Browsers. BeEF Issue #666 at Kiwicon 6.
X-Excess: WebApps meet Native Apps
7th November 2011 | Mike Haworth and Kirk Jackson
Mike Haworth and Aura associate Kirk Jackson talked at Kiwicon 5 about issues where the boundary between web apps and native apps gets blurry.
Hack-Ed: Boost your defenses!
24th August 2011 | Andy Prow and Kirk Jackson
Andy Prow and Kirk Jackson presented at Microsoft Tech-Ed NZ 2011 - the largest tech conference in New Zealand. They have compiled a "Cheat Sheet" of defenses for the common web risks for ASP.NET, MVC and SharePoint developers.
File Upload Considerations
7th July 2011 | Kirk Jackson
Kirk Jackson presented at OWASP New Zealand Day 2011 on File Upload Considerations.
Taking Information Security to the Exec Team
16th June 2011 | Gary Hinson
Gary Hinson of ISECT presented at the Annual CIO Summit on behalf of Aura.
Cloud Security Policies
24th May 2011 | Andy Prow
Andy Prow gave a presentation at the Cloud Security Summit on what's happening in the Cloud Infrastructure as a Service (IaaS) space, including the pros and cons of using a Cloud provider and the security implications and risks. He also explained how to mitigate these risks by implementing specific cloud security policies.
Feeling Insecure about your Web Testing?
30th March 2011 | Scott Fletcher
Scott Fletcher presented at the Australia & New Zealand Testing Board on 30 March 2011 on beginner testing strategies for five of the OWASP Top Ten web security threats. These strategies will help testers ensure the security of web applications.
Welcome to Rootkit Country
11th March 2011 | Graeme Neilson
Graeme Neilson presented at the CanSecWest Conference in Vancouver (March 11 2011) on developing rootkits for the top ten firewall / UTM manufacturers.
Tales from the Crypt0
11th March 2011 | Graeme Neilson
Graeme Neilson presented with Kirk Jackson from Xero on cryptography at the OWASP Day New Zealand 15th July 2010.
Does the thought of SSL, HTTPS and S/MIME make you squeamish? Does PKI make you want to scream? Does encrypting data at rest make you want to bury yourself alive?
Cryptography is an important part of most web applications these days, and developers and admins need to understand how, why and when to employ the best and appropriate techniques to secure their servers, applications, data and the livelihoods of their users.
Netscreen of the Dead
2008, 2009 | Graeme Neilson
Graeme Neilson presented at RuxCon in Sydney, Australia (2008) and BlackHat, Las Vegas, USA (2009).
The presentation covered Graeme's research on how he's developed a trojan ScreenOS operating system that, when loaded onto any Juniper Firewall, turns it into a ZOMBIE, giving Graeme full access to the underlying firewall, bypassing all rules and passwords.
We must of course mention Juniper at this point - "we express our appreciation for your pragmatic and careful handling of this case" (Juniper, 28 Nov 08). They also released a tech bulletin: PSN-2008-11-111, "ScreenOS Firmware Image Authenticity Notification", which states: "All Juniper ScreenOS Firewall Platforms are susceptible to circumstances in which a maliciously modified ScreenOS image can be installed."
Proactive Software Assurance
2nd December 2008 | Andy Prow
Andy Prow presented at the ISACA Computer Security Day in Wellington. Andy's presentation focussed on the "SANS Defensive Wall 1 - Proactive Software Assurance", covering the steps you should take as an organisation to proactively protect your systems against attack.
Better than the regular script kiddie: w3af
The w3af framework project is the up-and-coming Metasploit of Web application security. Its flexible design allows new attack vectors to be easily written and includes many features which are only available in the grossly expensive commercial tools. Mark's presentation will discuss why we need webapp scanners and demo the w3af framework and how to automate the Discovery, Audit and Attack of web applications.
Scanberry: Advanced Attacks via a trojaned Blackberry
Building on the Blackjacking tools presented at DefCon, Graeme will present some advanced tools for attacking internal networks via Blackberrys. For example, how to use TicTactrojan on a Blackberry to port scan an internal network from the comfort of your external host.
Quality Software - Designed to be Hacked
Andy will focus on how software quality MUST include security considerations during the requirements, design, implementation, testing, roll-out and maintenance phases. He will also include some examples of real-world security issues that "make you think..."
It only takes a Pin Prick to burst your Enterprise Security bubble
The presentation highlights the need for an organisation to have their own "trusted in-house hacker" who thinks like a hacker would.
Some of the other topics covered are:
- Some of the latest tools hackers use
- A sample of common vulnerabilities and how they can be exploited
- How to protect your network against these exploits
All presentations are the copyright of Aura Information Security Ltd 2013, All Rights Reserved.
You may download these presentations for research purposes only.
Any re-use or reproduction of these presentations may only be performed with express permission from Aura Software Security Ltd.



