Speakers 2015

John McAfee

The unconventional truth (English talk, remote)

John McAfee presents the uncut truth of IT security, the hardships companies face from daily threats, and how to combat the ever-changing security landscape.

Are you ready?

Johnny Xmas

Twitter

1993 BC: Get Off my LAN! (English Talk)

Since the Second Industrial Revolution, technology has been advancing at a rate beyond anyone's estimates. That means us old folks got to hack a whole lot of awesome stuff in our short lifetimes, much of which is already long since obsolete. Here, Johnny Xmas will deliver one of his famous "When I Was Your Age" rants, this time aimed at the 1990's and the Rise of the Internet, and the explosion of the hacker community that happened back then, just as it is happening now. Topics covered will probably include cable TV piracy, wardialing, offensive payphonery, mainframe hacking, "Hackers Vs. Crackers", the mere difficulty of Internet & computer access, and how so many of the "modern" web exploits you use today are really decades old.

Zee Abdelnabi

The Art Of Hacking A Human (English talk)

This talk is going to focus on being successful interacting with others in your work space. People have their own firewalls and we setup the interaction rules. Do we want to allow or block this person in our comfort zone? I will go over security techniques on how navigate different personalities using traditional hacking techniques.
- Determine what "operating system" they are running
- What patches are in place
- What vulnerabilities you can exploit
- What configuration issues does this person have?
Which then result in being able to work with different personalities based on what the hacking results tell you?

Mike Larkin

Kernel W^X Improvements In OpenBSD (English talk)

Until recently, systems would allocate writable memory as executable by default. W^X is a memory protection policy that states that a page of memory should not be writable and executable at the same time. For many years OpenBSD has had user-mode support for W^X, but until recently the kernel support for W^X on amd64 and i386 platforms had received less attention. This talk will contain a brief history of W^X protection mechanisms present in OpenBSD and detail the recent effort to make the kernel W^X support as robust as possible. The talk will describe the challenges faced in both identifying the regions to be protected, and ensuring the W^X policy was enforced across all of them. The talk will also detail the special challenges faced while upgrading the i386 hardware platform's legacy page table format to a version that supports W^X more easily.

Benjamin Brown

On Defending Against Doxxing (English talk)

Doxxing is the Internet-based practice of researching and broadcasting personally identifiable information about an individual. It is also a scourge on our internet lives that can quickly boil over into the physical realm. Often wielded as a weapon of hate or manipulation and a tactic for intimidation doxxing easily leads to real-world threats of violence, financial harm, sexual assault, career damage, or even murder. Examples of these impacts can be seen surrounding the recent events of 'GamerGate' through the targeting of Anita Sarkeesian, Felicia Day, Tara Long, and Brianna Wu. Doxxing also often leads to another tragic outcome; that of targets for hate being misidentified leading to unaffiliated individuals becoming the subjects of attack. Occurrences of this can be found in such online sagas as Anonymous vs. Scientology, the Amanda Todd case, and the incorrect fingering of Sunil Tripathi as the Boston Bomber. Given the real world impacts of being doxxed what can we do to protect ourselves, our friends, and our loved ones? In this talk I will highlight common methods employed by doxxers as well as methods to safeguard the information they seek. I will move from the easy wins and low-hanging fruit, with an eye for practicality, to the more complex and long-term defenses employed by professionals. While this is a pertinent topic for everyone I believe it is especially important for those who's livelihoods involve spending copious amounts of time interacting with the internet. Our Doxxing attack surfaces are larger than those for others.

Damien Bancal

La France sous attaque! (Conférence en français)

Comment la France a été attaqué en janvier 2015 par des jeunes musulmans après les attentats contre Charlie Hebdo.
- Qui était les pirates
- Ce qu'ils voulaient
- Ce qu'ils ont fait
- Ce qu'ils ont caché

Jean-Francois Cloutier

CHEKS Research project: developments and preliminary results (Conférence en français)

Détail à venir

John Menerick

Backdooring Git (English talk)

Join John Menerick for a fun-filled tour of source control management and services to talk about how to backdoor software. We will focus on one of the most popular, trendy SCM tools and services out there – Git and GitHub. Nothing is sacred. Along the way, we will expose the risks and liabilities one is exposed to by faulty usage and deployments. When we are finished, you will be able to use the same tools and techniques to protect or backdoor popular open source projects or your hobby project.

Kent Backman

Inside Terracotta VPN (English talk)

Virtual Private Networks (VPN) are very popular. They are part and parcel for almost every enterprise network, especially those with remote employees. Aside from VPNs for enterprises, there are many reputable commercial VPN services that offer low cost, reliable service to individual users. These users employ VPNs for reasons that might include connection security, protection of privacy data, online gaming acceleration, and bypassing service provider restrictions. VPN’s are also popular with cyber criminals, as it is one way the latter can obscure their true source location. When a commercial VPN service provider uses resources such as servers and copious bandwidth stolen or repurposed from unsuspecting victims for purposes of profit, the offering clearly crosses into the criminal domain. In this report, FirstWatch exposes one such operator doing business with multiple VPN brand names out of the People’s Republic of China (PRC). Operating with more than 1500 end nodes around the world, FirstWatch has confirmed that many of these end nodes are compromised Windows servers and have evidence that many of them were illegally “harvested.” The operators behind Terracotta VPN continue their broad campaign to compromise multiple victim organizations around the world. Meanwhile, advanced threat actors such as Shell_Crew use Terracotta VPN to anonymize their activity while they hack the crap out of governments and commercial entities around the world.

Robert Masse

Hunting down enemy nation states within your organization (English talk)

For the last 10 years, we have seen major growth of attacks from Advanced Persistent Threats. In our experience, the majority of these groups are well funded government agencies & organized crime syndicates who have been wreaking havoc across important institutions around the world. As FBI director James Comey said in 2014, “there are two big types of companies in the US – those who’ve been hacked by the Chinese and those who don’t know they have been hacked by the Chinese”.

Just two years ago, I wouldn’t have believed this myself.

With the recent uptick of attacks against organizations with massive databases containing personal information, more companies than ever are at risk from being compromised. This presentation will cover real-life experiences of several investigations we have done around the world and provide valuable lessons learned on how to detect and protect yourself from these advanced threat actors.

François Gagnon

Les communications sécurisées dans les applications mobiles : What a meSS(L) (Conférence en français)

Quelques études sont sorties récemment concernant des failles lors de l’établissement de connexions sécurisées dans les applications mobiles. Dans cette présentation, nous regarderons un projet du Cyberseclab @ Cégep Ste-Foy allant dans cette direction. L’objectif étant d’aider les développeurs à tester leurs applications mobiles au niveau de la sécurité des communications (Ex., validation de certificats SSL côté client). Nous regarderons aussi quelques epic fails qui démontrent bien l’ampleur de la
problématique (Ex., à quel point c’est facile de scraper la cryptographie quand on ne sait pas trop ce qu’on fait). Une démo du projet sera présentée (pending approval from demo Gods).

Roy Firestein

Cymon - An Open Threat Intelligence System (English talk)

In this talk we will debut the first formal public offering of a new cyber monitoring tool we have called Cymon. It is a freely-available tracker of open-source security reports on malware, botnets, phishing and other malicious activities. At the time this abstract was written, on a daily basis Cymon was ingesting well over 60K events and 17K unique IP’s from almost 200 sources across the Internet to build a threat profile and timeline for IP’s, Domains and URLs.

This talk will demonstrate some of the system’s capabilities and show examples of how you can use Cymon to research suspected malicious sources. The architecture and lessons learned when building a scalable system for big data analysis will also be discussed in detail.

Nadeem Douba

BurpKit: Using WebKit to Own the Web (English talk)

Today's web apps are developed using a mashup of client- and server-side technologies. Everything from sophisticated Javascript libraries to third-party web services are thrown into the mix. Over the years, we've been asked to test these web apps with security tools that haven't evolved at the same pace. A common short-coming in most of these tools is their inability to perform dynamic analysis to identify vulnerabilities such as dynamically rendered XSS or DOM-based XSS. This is where BurpKit comes in - a BurpSuite plugin that integrates the power of WebKit with that of BurpSuite. In this presentation we'll go over how one can leverage WebKit to write their own web pen-testing tools and introduce BurpKit. We'll show you how BurpKit is able to perform a variety of powerful tasks including dynamic analysis, BurpSuite scripting, and more! Best of all, the plugin will be free and open source so you can extended it to your heart's desire!

Julie Gommes

La cryptographie, vecteur d’identité chez les djihadistes (Conférence en français)

Cryptographie, réseaux sociaux, aujourd’hui l’utilisation d’outils en ligne ou servant à protéger leurs communications permet aux djihadistes d’affirmer leur appartenance à des mouvances djihadistes.

Dans Les trois ages du terrorisme, Marc Hecker, chercheur au centre de sécurité de l’Ifri et auteur de Intifada française? et War 2.0: Irregular Warfare in the Information Age, rappele que « L’utilisation croissante du Web a entraîné une décentralisation de la mouvance djihadiste. »

Internet est dans un premier temps devenu un outil incontournable en termes de communication : le nombre de sites appelant au djihad est passé de 28 en 1997 à plus de 5000 en 2005. L’utilisation basique de ces sites à des fins de communication classique au début des années 2000, a été remplacée par celle des réseaux sociaux, permettant une communication de masse quasi instantanée.

Les études du Middle East Media Research Institute (MEMRI) tendent à démontrer qu’Al Qaeda utilise des outils de chiffrement depuis bien longtemps : « Since 2007, Al-Qaeda’s use of encryption technology has been based on the Mujahideen Secrets platform which has developed to include support for mobile, instant messaging, and Macs. » Le chiffrement des communications s’arrêtait alors aux emails et à la plateforme « moudjahidin secret ».

L’année 2013 marque un tournant dans la généralisation du chiffrement : Messagerie instantanée en février, avec Pidgin, SMS en septembre avec Twofish, textes sur des sites web en décembre avec AES. Les révélations d’Edward Snowden, qui ont débuté en juin 2013, ne sont donc pas le point de départ du « cryptodjihad » mais semblent avoir joué le rôle d’accélérateur. Les chercheurs du MEMRI ont alors démontré l’utilisation d’outils de cryptographie grand public, de la famille des logiciels libres : Pidgin, un outil de messagerie instantané type MSN, permet aux djihadistes de la mouvance Asrar al Dardashan de chiffrer leurs communications avec OTR (pour off the record).

En analysant l’adoption de nouveaux outils et l’utilisation de logiciels libres, on s’aperçoit que l’accent est mis sur la cryptographie destinée aux outils mobiles.

Shane MacDougall

I Am Joe's Twitter Profile: An OSINT/Social Engineering Journey Through An IT Pro's Social Media Profile (English talk)

This hands on presentation will travel through the very public profile of a real life IT professional and will follow his various trails online, both current and abandoned, illustrating in graphic detail the gory details that he has left behind that would enable an attacker to successfully target him. From image intelligence via Flickr, to attack intelligence from code repositories, we disassemble five years of online social media presence to tell a cautionary tale of why security professionals should use social media with extreme caution.

Marc-André Bélanger

Le Top 5 des meilleures façon d'être responsable de la perte d'un million de dollars (Conférence en français)

Ce deuxième volet de la série sur la Fraude, présenté au Hackfest, se veut toujours comme une expérience pour rapprocher les menaces technologique des menaces d'affaire. Dans ces quelques minutes, on regardera les différentes menaces technologique et leurs relations dans le contexte des scénarios les plus populaire de fraude occupationnel.

Thomas Dupuy & Olivier Bilodeau

Internet of {Things,Threats} (Conférence en français)

De plus en plus de périphériques se retrouvent connectés sur Internet. Sous la bannière "Internet of Things" (IoT) ces équipements, que ce soit une pompe à insuline ou un système de caméra de sécurité, tournent généralement sous un système GNU/Linux embarqué d'architecture MIPS ou ARM. La difficulté de mettre à jour ces équipements ainsi que le peu d'effort dans l'analyse en font des cibles de choix. Ces derniers mois, nous avons analysé plusieurs logiciels malveillants ciblant ces architectures. Que ce soit par l'exploitation d'une vulnérabilité (Shellshock) ou encore un défaut de configuration, ces systèmes exposés sur Internet peuvent être compromis.

Notre présentation couvrira quelques une de ces analyses:

- Linux/Moose, un malware se propageant automatiquement qui fraude les réseaux sociaux (par exemple Facebook, Twitter et YouTube)
- LizardSquad et acteurs étrangers qui utilisent des systèmes embarqués compromis pour réaliser des dénis de service distribué (DDoS)
- Win32/RBrute est un logiciel malveillant qui tente de changer les paramètres de routeurs dans le but de faire du "DNS poisoning". Il a été distribué par le populaire botnet Sality.
- Un kit d'exploits qui utilise seulement le navigateur de leur victime avec le même objectif, c'est-à-dire faire du "DNS poisoning".

Enfin, des conseils seront proposés à l'audience pour l'aider à se protéger de ces menaces.

Pierre-Alexandre Braeken

Twitter

Powershell - Reveal Windows Memory Credentials (Conférence en français)

Lors de cette conférence les sujets suivants seront abordés:
* Historique des vulnérabilités
* Présentation de mon outil et de son fonctionnement
* Mitigation du risque

Un nouvel outil sous PowerShell permettant de révéler les mots de passes stockés en mémoire sous windows vous sera présenté. Cet outil permet même de s'exécuter sur des architectures différentes.

Ainsi je présenterai les problèmes liés à l'attribution de droits parfois trop importants aux utilisateurs sous Windows et démontrerai les enjeux qu'une entreprise risque quel que soit son niveau de sécurité périmétrique.

François Harvey

WordPress : attaque, audit et protection (Conférence en français)

Les sites sur plate-forme WordPress compte pour une bonne part du traffic Web visité mais aussi compte pour une grande part des sites Internet piratés diffusés dans les médias québecois.

Le but de cette conférence est de couvrir l'aspect offensif contre les plate-formes WordPress (quels sont les attaques communes à cette plate-forme et ses faiblesses), de quelle façon procéder à son audit/revue de codes pour identifier les vulnérabilités dans les thèmes et plugins ainsi que mettre en place des mesures de protection pour la protéger efficacement.

L'ensemble de cette présentation sera ponctuée de cas concrèts que j'ai observé dans des contextes d'audits et de gestion d'incidents.

Paul Timmins

Security Implications of the Public Switched Telephone Network, with Q&A (English talk)

Why is caller ID spoofing nearly impossible to prevent? What are the strengths and weaknesses of the telecommunications network? What are the security considerations you have to consider when converging your voice and data telecommunications? What are the biggest mistakes people make when installing new telephone equipment that open them up to fraud, denial of service, and eavesdropping? Learn from my daily experiences how to safely deal with the oldest telecommunications network in the world. Why some simple solutions in the industry are not that simple, but some harder solutions are easier than you think. How can you get a start in the industry without a lot of money? Why your lowest technology equipment can be the strongest security risk in your entire company.

Mario Contestabile

RASP vs. WAF (English talk)

Hackers, meet your match. No longer are web applications an easy target. You have been getting away for too long with laughing at poor programming practices, pissing on every parameter,and downloading entire tables from Web requests. In this talk, I will show a hands-on demo of a live application with a RASP, and without. I will cover the benefits of a RASP over a WAF, and explain how web sites should no longer rely on dumb traffic level regex tools for their security.

I will attack a vulnerable web application, and demonstrate how a typical attack is carried out on it. Afterwards I will repeat the exercise on the same application, but this time with a RASP installed. I will point out what the key differences are, and in a vendor neutral manner show key mechanisms which differentiate a RASP from a WAF or a firewall.

I will cover how brute force protection is done right, how aggregating application usage and sharing this data is beneficial, and how using a RASP can even be integrated into a SDLC.

Christine Gagnon

Analyse du comportement humain : Identifier le «Red Flag» et s’en servir (introduction) (Conférence en français)

(Introduction au workshop du soir) À travers un processus d’approche relationnel faisant appel aux principes de base de la synergologie (non verbal), Christine Gagnon vous amène à recourir à l’interrogatoire pour questionner selon le geste observer. Être en mesure de décrypter les gestes permet de comprendre l'attitude, de décoder le mouvement, de révéler le non-dit.

Votre cible se dévoile bien plus qu’il ne le pense à travers sa façon de s’exprimer et sa gestuelle. Ayez une longueur d’avance à la collecte d’information en identifiant les signes importants. Le décryptage des gestes devient un atout, un outil de facilitation, un identificateur de malaises et, dans certains cas, un support à la détection du mensonge.

Nadia Vigneault & Sylvain Desharnais

Forensic 201 (Conférence en français)

Enquêtes, Processus, Outils & Techniques utilisées pour collecter des preuves numériques d'une utilisation non autorisée des équipements, de vol de temps, de téléchargements illégaux, de perte de données, etc... Nous verrons les 4 grandes étapes d'une enquête informatique : acquisition, extraction/restauration, analyse et rapport. Nous verrons aussi des techniques comme le network forensic, le remote forensic et le live forensic.

Quels sont les outils utilisés dans le domaine du forensic? Quels sont les défis?

Quelques vidéos-démos seront présentés avec des outils importants du domaine comme Volatility Framework, FTK Imager, Bulk Extractor, Autopsy, FTK Toolkit, etc.

Nadia est une passionnée du domaine forensic et vous promet une belle conférence.

Julien Mbony & Patrick Roy

L’impact du Blockchain (Bitcoin) dans le monde virtuel (Conférence en français)

Depuis 6 ans, le réseau peer-to-peer Bitcoin fait beaucoup jaser à cause de l’aspect monétaire, mais qu’en est-il de sa technologie révolutionnaire?

Au cours cette présentation, il sera question de l’impact du Bitcoin dans le domaine du jeu et du « Cloud computing ». Nous allons également explorer plusieurs applications basées sur le « Blockchain » pour répondre aux enjeux tels que la protection de la vie privée, la transparence et la liberté.

Logan Best

Multi-Layer DDoS Mitigation Strategies (English talk)

This session will focus on real world deployments of DDoS mitigation strategies in every layer of the network. It will give an overview of methods to prevent these attacks and best practices on how to provide protection in complex cloud platforms. The session will also outline what we have found in our experience managing and running thousands of Linux and Unix managed service platforms and what specifically can be done to offer protection at every layer. The session will offer insight and examples from both a business and technical perspective.

Philippe Arteau

Rosetta Flash And Why Flash Is Still Vulnerable (Conférence en français)

Rosetta Flash is a vector of attack that take advantage of JSONP API. The vulnerability has create a shock wave as many big websites were affected : Google Accounts, Facebook, eBay, Twitter, LinkedIn and many mores. Adobe has release a fix in July of 2014 to mitigate the obvious scenario. The presentation will review the history of the vulnerability and it will present many variations of this attack that are still effective. You might discover that your website is vulnerable..

Kellman Meghu

DevOps For The Home (English talk)

This is the story one mans personal trip to the cloud (and back) as he rebuilds his home network in a devops model, supported by virtual private cloud service. This presentation takes a micro look at cloud services, and the benefits and risks that come along with it for the average home user, as well as the business. You shouldn't be
surprised to see that they are the same, just at a micro level. With realtime micro level data we can tell a story, without all the abstraction, that can sometimes reveal more than all this big data. With a glimpse into the detailed benefits of a DevOps environment supporting cloud integration, and featuring the feedback of the HomeNet CISO, 'Security Cat', we will have some fun stripping away all the pretty abstraction and explore the benefits of the integration of public cloud services. I said I would never do it, but alas, here I am, I'm in the cloud.

Numaan Huq

Dissecting Data Breaches – The Everyday Cybercrime (English talk)

Data breaches are daily news items. Reports of data breaches in Government, Hospitals, Universities, Financial Institutions, Retailers, etc. dominate news stories with increasing frequency. This is merely the tip of the data breach iceberg with the vast majority of breaches remaining unreported and undisclosed.

A wide range of sensitive data is compromised across all industries from businesses both big and small, and also from individuals. These include: Personally Identifiable Information (PII), Financial data, Health data, Education data, Payment Card data, Login Credentials, Intellectual Property, etc. In news stories data breaches are almost always attributed to Hacking or Malware attacks. While Hacking or Malware attacks play a big role in data breaches, they do not account for all breaches. Other breach methods frequently observed are: Insiders, Theft or Loss, and Unintended Disclosures. The perpetrators compromising sensitive data are a diverse group that includes Insiders, Individual criminals, Organized groups, and State sponsored groups. It has been observed that the stolen data is commonly used for committing crimes such as Financial fraud, Identity theft, Intellectual Property theft, Espionage, Blackmail, and Extortion.

In this talk we present statistical analysis of publicly disclosed data breach incident reports. We look at the different types of crimes commonly committed using stolen sensitive data. Based on our analysis we present a Bayesian Network to model commonly observed data breach scenarios. We survey criminal marketplaces hosted in the Deep Web to profile the different types of sensitive data available for purchase and their asking prices. Finally we outline defensive methods businesses and individuals can practice to prevent becoming victims of data breach crimes.

Nicolas Grégoire

Server Side Browsing (Conférence en français)

SSRF vulnerabilities (aka CWE-918) allows attackers to submit arbitrary URL to vulnerable applications, and have the application (or one of its components) browse this URL. The talk describes my latest findings regarding this narrow field of AppSec. Of course, being under NDA during my penetration tests, I'll only covering bugs reported to bounties
programs. That includes Yahoo, Facebook, Prezi, PayPal, Stripe, CoinBase, and more!

Highlights: I was able to compromise some large service providers and earned around 50,000$ for that. Several blacklists were bypassed using little-known quirks in the parsing of URL.

Roberto Salgado

Hacking like a boss (English talk)

Sometimes the difference between being able to penetrate a system successfully or fail miserably can be the knowledge of a certain tool, a one line command or being able to evade AV/Firewall detection. Hacking doesn't always have to be complicated, with simple techniques one can usually obtain Domain Admin privileges in a few steps. This talk will include tips & tricks to "Hack like a Boss" and gain an advantage when pentesting a system. It will present some essential tools, evasion techniques for filters, firewalls, proxies, and antivirus to not trigger any alarms, show methods to obfuscate Metasploit payloads and bypass heuristic detection to be FUD, Unicode attacks and much more.

Damien Bancal

Le protocole d'alerte zataz (Conférence en français)

Damien présentement dans un format décontracté, une conférence de soir décrivant le protocole d'alerte zataz:
- 60.000 entreprises aidées bénévolement;
- Une centaine de ".ca";
- Comment ca fonctionne?;
- Pourquoi?;
- Qui participe.

Theo de Raadt

Pledge: A new security technology in openbsd (English talk)

In this late night talk, Theo will presents a new security feature in openbsd : Pledge.