Sponsors

haxx melbourne

We provide technical security classes and support for women who wish to break into the technical security field.

About Us

haXX is an ethical hacking learning group for women trying to break into the technical security field. Founded in Melbourne in 2018, it provides hands on security classes for women with a burning desire to be in the technical security field with varying levels of technical experience.

Drop us an email if you would like to join our slack channel!

UPCOMING Events

previous WORKSHOPS

previous CTFS

previous TALKS

previous COURSES

PREVIOUS cAREER TALKS

PREVIOUS SOCIAL MEETS

PREVIOUS Courses

Introduction to Reverse Engineering Course - January to May 2020

Between January and May 2020, we ran a series of hands-on evening classes on reverse engineering and malware analysis for 20 participants in ​person.

What did the course cover?

A brand new course on reverse engineering and malware analysis running during the evenings between January and May at SEEK. We teamed up ​with two experts from the Microsoft Defender ATP Research Team in Melbourne, Hazel Kim and Ayoub Faouzi.

Hazel and Ayoub wrote and then delivered the hands-on course. Participants learned how to read low level computer language, reverse engineer ​applications without source code and investigate the behaviour of malware.

2020 being the year that it was, our first class was initially delayed due to the bush fires and our final class was moved to an online format due to ​the pandemic. HaXX is very proud of our instructors and participants who persisted all the way to course completion acquiring their new security ​skills along the way.

Introduction to Web Application Hacking Course - February to May 2019

Between February and May 2019, we ran a series of evening classes on web hacking and we were delighted to have received 96 applications for 20 spots!

What did the course cover?

We assumed no prior penetration testing experience and kicked off with information gathering and how an attacker targets a company and its employees.

The rest of the course focused on the most common web application security vulnerabilities and participants were taught how to identify if issues existed in a web application and how to exploit the issues in order to gain control of a customer’s computer or a server.

Topics covered included Cross-Site Scripting (XSS), SQL Injection (SQLi), insecure direct object references (iDOR), insecure file uploads, XML external entity (XXE) attacks, deserialisation attacks, strategies for competing in bug bounties and capture the flags (CTFs).

PREVIOUS WORKSHOPS

Title: Introduction to Software Defined Radio (SDR)

Speaker: Pamela O’Shea

Date: 21st March 2024, 6:30 - 8:30 AEDT

Location: 152 Elizabeth Street, Melbourne

A hands-on workshop to help you explore the radio signals all around us. We will show you how to scan for signals, view pager messages, view ​airplane location messages and how to analyse consumer devices with remote controls.

No experience with radio is required, just bring along a laptop that can boot a USB. We will also provide a RTL SDR USB dongle for receiving the ​signals during the workshop.

PREVIOUS SECURITY TALKS

Title: OpenID: Why SSO serious?

Speaker: Chuanshu Jiang

Date: 29th June 2023, 6pm - 8pm (AEST)

Location: 152 Elizabeth Street, Melbourne

Have you ever used Single Sign On (SSO) to log into other services or apps? You are likely familiar with using Google or Facebook to SSO into other accounts or even use Okta or Microsoft at work. This talk will provide an introduction to OpenID Connect, a common authentication protocol used for SSO. Once you are familiar with OpenID, we will cover some web application security bugs that can occur when using SSO with some real world examples. This is a great chance to deep dive into a technology we all use everyday and hear about some of the security issues that can arise. This talk does not assume any web hacking knowledge, we will guide you along the way. You'll then be able to look for these bugs yourself!

Key takeaways:

• An OIDC & OAuth walkthrough: What is OpenID and how does it relate to OAuth? What does an "OAuth" dance entail?
• A brief history of OAuth bugs: Token stealing through redirects; Client impersonation; Insecure flows and more...
• Real word bugs: The 2022 OWASP top bug - OAuth dirty dancing

PREVIOUS CTFS

Title: CTF Introduction Workshop

Hosts: Chuanshu Jiang & Pamela O’Shea

Date: 2nd Nov 2023, 6:30pm - 9:30pm (AEDT)

Location: 152 Elizabeth Street, Melbourne

The purpose of this CTF workshop was for people who wanted to try Capture the Flag in a friendly supportive environment. This workshop facilitated individuals or teams to play a series of challenges across different categories including crypto, forensics, reverse engineering and web application security. Our host, Chuanshu Jiang, also designed a series of original challenges called Nightmare Gallery, where hackers had broken into a gallery and it was the players job to restore the paintings to their original form.

Congratulations to our winners:

• 🥇Bithiah Koshy
  
• 🥈Shimsha Shetty
  
• 🥉Team Annie Nie & Sophie McDonald
  

First scores on the nightmare gallery challenges to restore the hacked paintings went to team Annie & Sophie and to Emily Trau.

A very special thank you goes to Emily Trau and Joseph Surin for their challenges and along with SiJing Zheng, provided support at the event!

All our winners had a choice of prizes including a number of women in hacking and technology books. Happy reading everyone! 📚 ✨

PREVIOUS Career Series

Our career series talks aim to motivate and guide women in their technical careers, come with your questions!

Title: My security career journey

Speaker: Lidia Giuliano

Date: 18th June 2020, 6pm - 7pm (AEDT)

Location: Online

Lidia is a Black Hat USA speaker, organiser of BSides Melbourne, on the paper review board for Black Hat Asia, DevSecCon and countless other ​major activities she is involved in. Above all, Lidia is a genuine mentor to our industry and we are super lucky to have some of her time to share her ​career stories and what it is like being a technical security consultant in the USA and in Australia.

Title: Stories from the trenches: Events and happenings from years of incident response

Speaker: Kevin Manderson

Date: 14th May 2019, 6pm - 9pm (AEDT)

Location: SEEK, Melbourne

Kevin started in defence as a mainframe engineer in the 1970s and then industrial systems in the early 1980s. In 1988 he started in Incident Response by playing a small part in the containment of the Morris worm while working in Adelaide. In the 90s, he commenced his own business in consulting, web development and information security. He built a startup which undertook security gateway monitoring and incident response and sold it in 2000. Since then Kevin has been involved with a number of SOCs, has been an IT auditor, managed a large SCADA system and is now back in Incident Response. He has been either responder, manager or provided technical support for over 115 Cyber Incidents.

Among the many incidents and investigations managed by Kevin include the qbot malware event at the Royal Melbourne Hospital. Currently, Kevin performs incident response and threat intelligence at Telstra.

Title: That’s not my name: Tales from half a career in IT forensics and security

Speaker: Dr. Joanna Dalton

Date: 16th April 2019, 6pm - 9pm (AEDT)

Location: SEEK, Melbourne

Joanna Dalton has been called many things in her life, but boring is not one of them. Join us for a haXX special presentation where Jo will be discussing how she got started in digital forensics, switched to security and now combines the two as a network forensic specialist. She has a wealth of experience from working in large corporates, small businesses, as a contractor and an expert witness and will be giving a brutally honest description of how she balances her career, family and sanity. There’ll be tales from the front line of her investigations and other career highlights, including a bodyguard, a warehouse full of lingerie and an explanation as to why one bank refers to her as “XXX Gooch.”

Title: Weaponising your social awkwardness: a novice red teamer's guide

Speaker: @bl3ep

Date: 24th September 2019, 6pm - 8pm (AEDT)

Location: SEEK, Melbourne

We are delighted to host @bl3ep , who recently won 2nd place at the international DEF Con 27 social engineering capture the flag competition in Las Vegas, USA. An amazing achievement, earning her place by fighting the top competitors from around the world. @bl3ep will talk about her long preparation for the competition, how it went on competition day and what it is like to work as part of an amazing red team in her day job at Loop Secure. @bl3ep will also provide her advice and learnings from a newbie's first year. How to get better at hacking yourself, hacking others, and defence against the SE arts.

Title: Introduction to reverse engineering, malware analysis and anti-virus software

Speakers: Hazel Kim and Ayoub Faouzi

Date: 1st October 2019, 6pm - 8pm (AEDT)

Location: SEEK, Melbourne

Join us in welcoming two researchers from the Microsoft Windows Defender team here in Melbourne. The areas discussed in this talk will cover an introduction to reverse engineering, malware analysis and anti-virus software. As well as a brief history of malware and how they have evolved over the years. Hazel and Ayoub will also discuss how they they use reverse engineering in their jobs as security researchers at Microsoft.

Hazel Kim - Security Researcher at Microsoft

Hazel is currently working on improving the protection against various types of threats for Windows Defender. Since her first job at AhnLab from 2012, Hazel is getting into the rabbit hole of reverse engineering and malware world. She is also a n00b yogi and a passionate metalhead lml

https://www.linkedin.com/in/hs-hz-kim; https://twitter.com/Hazelash6

Ayoub Faouzi - Security Researcher at Microsoft

Ayoub Faouzi is a security researcher working at Microsoft, where he is involved with malware analysis cases, reverse engineering and security development projects. In the past, Ayoub worked for Avira and Lastline. In his free time he likes to spend time with his family and to travel around the world.

https://www.linkedin.com/in/ayoub-faouzi; https://twitter.com/LordNoteworthy

BookList

We have a great selection of books to give away as prizes at our events!

Category: Hacking

• Blue Fox: Arm Assembly Internals and Reverse Engineering by Maria Markstedter
  

Category: Australian Security and Signals History

• Radio Girl: The story of the extraordinary Mrs Mac, pioneering engineer and wartime legend by David Dufty
  

• Factory: The Official History of the Australian Signals Directorate, Vol 1 by John Fahey
  

Category: UK Security and Signals History

• The Bletchley Girls: War, secrecy, love and loss by Tessa Dunlop
  

• Agent Sonya: Lover, Mother, Soldier, Spy by Ben Macintyre
  

Category: USA Security and Signals History

• The Woman Who Smashed Codes by Jason Fagone
  

• Code Girls: The Untold Story of the American Women Code Breakers of World War II by Liza Mundy
  

Category: Women Inventors & Engineers

• Broad Band: The Untold Story of the Women Who Made the Internet by Claire L. Evans
  

• Hedy's Folly: The Life and Breakthrough Inventions of Hedy Lamarr, the Most Beautiful Woman in the World by Richard Rhodes
  

• The Thrilling Adventures Of Lovelace And Babbage by Sydney Padua
  

Category: Information Security Journalism

• Countdown To Zero Day: Stuxnet and the Launch of the World's First Digital Weapon by Kim Zetter