Speakers 2016
Speakers list
- Stephanie “Snow” Carruthers - This Phish Goes To 11
- Adhokshaj Mishra - LockPicker: Leaking data from live LUKS partition
- Ian Bouchard - Abusing PHP 7’s OPcache to Spawn Webshells
- Sun Huang & Wayne Huang - Unveiling One of the World’s Biggest and Oldest Cybercrime Gangs–Asprox
- Benjamin Brown - Check Yo Self Before You Wreck Yo Self: The New Wave Of Account Checkers And Underground Rewards Fraud
- Alfredo Ramirez - Powershell Penetration Testing
- Sarah Jamie Lewis - Untangling the Dark Web: Unmasking Onion Services
- Pierre Ernst - Fixing the Java Serialization mess
- Marc Dovéro - The French system for fighting cyber-terrorism: practical examples
- Aaron Guzman - Make iOS Hacking Great Again: The Easy Wins!
- Chad Dewey - Pentesting Cruise Ships OR Hacking the High Seas
- Michael Bennet - Clogging the Futures Series of Tubes: A look at HTTP/2 DDoS Attacks
- Cheryl Biswas & Haydn Johnson - Blue Team Reboot: Adaptive Proactive Defence Strategy
- Chris Nickerson - Adversarial Simulation: Why your defenders are the Fighter Pilots
- Chris (Suggy) Sumner - Some hypotheses on burnout and stress related illnesses in relation to Cyber Security practitioners with a ‘Hacker Mindset’
- Blake Cornell - Come Bring all your Drones to the Yard
- Aaron Hnatiw - Racing the Web
- Geoffrey Vaughan - Catching IMSI Catchers
- Sunny Wear - Exploit Kits: The Biggest Threat You Know Nothing About
- Paul Rascagnères - Windows systems & code signing protection
- RenderMan and Murdoch_Monkey - Hacking the Internet of Dongs
- Alexandre Guédon - Docker security in production
- Sylvain Desharnais & Nadia Vigneault - Search strategies and evidence gathering
- Maxime Lamothe-Brassard - Hunting with LimaCharlie
- Peter Yaworski - Getting Beyond Bugbounty Noob Status
- Bernard Bolduc - Story of a hack
- Olivier Arteau - Workshop: XSS Auditor Bypass
- Mathieu Lavoie & David Décary-Hétu - De-anonymizing Bitcoin one transaction at a time
- Johnny Xmas & Benjamin Brown - How I Darkweb Economies (and You Can Too!)
- Stephen Hall - Your configs are bad and you should feel bad
- Mohamed Haoues, Gabriel Desharnais, Gabriel Tessier, Nadia Vigneault, Sylvain Desharnais - Workshop: Digital forensics techniques (laptop needed)
- Patrick Mathieu - BurpSmartBuster - A smart way to find hidden treasures, the next steps
- Mickael Nadeau - Game Hacking Exposed
- Cheryl Biswas - A Stuxnet for Mainframes
Stephanie “Snow” Carruthers
This Phish Goes To 11
“Testing your users and systems with generic phishing pretexts used to be enough, but now attackers are using open-source intelligence to customize their phishing campaigns.
Step up your game! Let Stephanie show you how OSINT methods can be used to create a tailored pretext augmented by a 2nd stage vishing strategy. The 2015 Verizon DBIR reveals that for two years “more than two-thirds of incidents that comprise the Cyber-Espionage pattern have featured phishing.” Hot on the heels of this and other data breaches we are seeing the industry move to complement the yearly pentest with phishing-based assessments.
Attendees will learn the following:
- How attackers use OSINT to build targeted phishing campaigns
- How adding vishing can make an ineffective phish still work
- How a tailored phishing assessment and meaningful training better prepare your organization’s employees”
Biography
Stephanie Carruthers is a social engineering professional. After winning a black badge at DEF CON 22 for the Social Engineering Capture The Flag, Stephanie started Snow Offensive Security in 2014, a small boutique consultancy that provides social engineering focused services such as phishing, vishing, and physical security assessments. Stephanie specializes in Open Source Intelligence (OSINT) gathering and uses these findings to create highly effective custom pretexts for all her engagements. In her free time, she enjoys going to theme parks and playing table top games.
Adhokshaj Mishra
LockPicker: Leaking data from live LUKS partition
Since the disclosure of privacy by various whistleblowers, people have realized the value of data protection by using strong cryptographic measures, including but not limited to full disk encryption. Various tools like dm-crypt, TrueCrypt, BitLocker etc. have been developed for the very same purpose. It is silently assumed that the whole technical stack which facilitates full disk encryption is not compromised in any way, or is hard to compromise in an undetectable way because a basic security system is configured and up on the machine in question. However, it is still possible to compromise the security while maintaining high stealth, by infecting the filesystem layer itself. Since all the security solutions rely upon the truthfulness of the filesystem (even if they bypass the usual filesystem I/O and talk to the filesystem driver directly), this provides full stealth from such systems. The paper presents a proof-of-concept of such an attack on Linux using a minimalistic functional filesystem in kernel space. The proof of concept in question is capable of leaking the data from an encrypted file system, while the disk is encrypted using some full disk encryption solution like dm-crypt. Since it does not rely upon specifics of any full disk encryption system, it is possible to use the same attack vector for other solutions too, with minimal changes, if any. However, this attack vector is not foolproof, and therefore can be detected and prevented in many cases. A couple of detection and prevention mechanisms will also be discussed.
Biography
Adhokshaj Mishra is an independent security researcher with interest in theoretical and practical aspects of computer science. He mostly codes in C, C++, and assembly language. His primary domains of interest are cryptography, virology, cryptovirology, kleptography and mutation. He has been delivering lectures on various topics like malware techniques, reverse engineering, exploits etc. at various overseas and Indian locations. In the past he has also helped Uttar Pradesh Special Task Force in cracking various criminal cases related to cyber crime. He loves to attend and speak at various security conferences and meet-ups, and as a result has given talks in various Null/OWASP chapter meet-ups, and events like C0C0N (2014) and DEFCON Lucknow (2015). He maintains a not-so-active blog at http://adhokshajmishraonline.in and can be followed on Facebook (AdhokshajMishra) and Twitter (@adhokshajmishra).
Ian Bouchard
Abusing PHP 7’s OPcache to Spawn Webshells
PHP 7 comes with a new built-in caching engine called OPcache. With this caching engine, a 10x performance increase can be expected depending on your workload. What you won’t expect though, is that OPcache offers a new and stealthy way to inject malicious code even under hardened environments.
As the title suggests, this talk will cover a new exploitation technique allowing attackers to obtain and operate hidden webshells given the right circumstances. We’ll talk about how the technique works, how OPcache works internally, as well as some tools that can be used to facilitate exploitation and incident response.
Biography
Ian Bouchard is a freshman at Laval University in Quebec City. He is the winner of the OWASP CTF at Hackfest 2015. Graduating college in computer science, he has worked as an intern with the security firm GoSecure in its R&D department. He is also a freelance pentester for Sekcore.
Sun Huang & Wayne Huang
Unveiling One of the World’s Biggest and Oldest Cybercrime Gangs–Asprox
Existing research on the Asprox actor has focused primarily on the malware they spread, but little has been published on who they are, how they operate and spread malware, and what resources they own. In this rare talk, we will disclose our many years of deep research on this actor: for example, since their initial operation in 2007, the Asprox gang now owns 2+ billion compromised emails, 2+ million compromised web servers (backdoored with webshells), 0.9+ million compromised SMTP accounts (some of which belong to the US military), 0.4+ million compromised FTP accounts, and SSH access to 1200+ compromised servers. We will detail how they’ve evolved into their currently sophisticated infection infrastructure, including their multiple layers of distribution and command-and-control servers, their anti-detection proxy servers, their malware obfuscation tool chain, their means of infecting endpoints, their large scale tool to auto-compromise websites and inject webshells, and their evolution in 2014 to Android malware and mobile botnets. We will study statistics such as daily downloads and conversion rate, and will explain their monetization methods within multiple underground economies, and the economics. Finally, we’ll cover how we’ve managed to collect our data, how we analyzed the data, and the many techniques we used in tracking this actor.
Biography
Wayne Huang was Founder and CEO of Armorize Technologies, and is now VP Engineering at Proofpoint. Huang is a frequent speaker at security conferences, including BlackHat ‘10, DEFCON ‘10, RSA ‘07 ‘10 ‘15, SyScan ‘08, ‘09, OWASP ‘08, ‘09, Hacks in Taiwan ‘06 ‘07, WWW ‘03 ‘04, PHP ‘07 and DSN ‘04. A diligent blogger on cyberthreats, his posts have been covered by the most influential media. Into security since 7th grade, he has led teams to develop security products ranging from source code analysis, web application firewall, vulnerability assessment, exploit & malware detection, anti-malvertising, email security, and APT defense. He received his Ph.D. in EE from National Taiwan University, and his B.S. and M.S. in CS from NCTU. He holds two US patents on source code analysis.
Sun Huang is a Senior Threat Researcher at Proofpoint. He has more than nine years of experience in information security. Huang has discovered many web application 0days, including those of CMS and C2 Panel. Huang has participated in many security contests and was one of the top 10 researchers in Paypal’s 2013 Bug Bounty Wall of Fame. He was also the third place AT&T bug reporter in 2013. Huang currently holds CCNA, ECSS, CEH and PMP certifications.
Benjamin Brown
Check Yo Self Before You Wreck Yo Self: The New Wave Of Account Checkers And Underground Rewards Fraud
There’s a new wave of account checker gangs and a coinciding explosion in the underground market for goods involving hacked rewards accounts. These groups use automated tools and botnets to roll through credentials leaked from other websites in an attempt to exploit the habit of using the same login credentials across multiple sites. Let’s dive into how these new account checker attacks work and how they are cashing out their ill-gotten gains. I’ll run through some of my real-world and recent incident response events involving these criminal cretins and my subsequent research into the darknet markets that allow them to profit off of their purloined points, vouchers, and miles.
Biography
Benjamin Brown currently works on darknet research, threat intelligence, incident response, and adversarial resilience at Akamai Technologies. He has experience in the non-profit, academic, and corporate worlds as well as degrees in both Anthropology and International Studies. Research interests include darknet and deepweb ethnographic studies, novel and side-channel attack vectors, radio systems, the psychology and anthropology of information security, metacognitive techniques for intelligence analysis, threat actor profiling, and thinking about security as an ecology of complex systems.
Alfredo Ramirez
Powershell Penetration Testing
The purpose of this talk would be to introduce the audience to using Powershell during internal network penetration tests. Powershell is almost always available on workstations in corporate networks and is incredibly powerful. During the talk we’ll cover what a typical pentest might look like, armed only with Powershell and an internet connection. This will include port scanning and host discovery, privilege escalation, hunting down targets of interest on the network and pivoting our way through a network until Domain Admin is ours.
Biography
I am a security researcher at SecurityScorecard, where I develop new threat intelligence datasets collected from across the Internet. Previously I was a security consultant and penetration tester focusing on network, web appsec and mobile appsec. I also spent some time working at Tenable as part of the Nessus research team.
Sarah Jamie Lewis
Untangling the Dark Web: Unmasking Onion Services
Life is difficult when you run an anonymous service. Being anonymous means being hyper vigilant and eternally aware, but just how many service operators are up to the challenge?
This is not your typical dark web presentation; this talk will demonstrate just how bad small opsec failures can be, how hints of metadata can unravel an entire operation and what happens when you scan the whole onionsphere trying to find patterns.
But let us not forget, breaking is only half the battle; this talk will also explore how we can build stronger anonymous systems, for a more private and secure future.
Biography
Sarah Jamie Lewis is a security researcher currently living in Vancouver Canada. She has a passion for privacy and anonymity, and runs the OnionScan project, dedicated to discovering and improving anonymous communities.
In the past Sarah worked as a Computer Scientist for the British Government and she is currently a Security Engineer at Amazon analyzing threat models and designing defenses to protect against fraud and security risks.
Pierre Ernst
Fixing the Java Serialization mess
Deserializing untrusted input with Java has been known to be a risky proposition for at least 10 years. More recently, several vulnerabilities exploiting this flaw have been published. These deserialization vulnerabilities can be divided into 2 groups: endpoints allowing deserialization of arbitrary classes known to the application, or serialization “gadgets” that allow malicious input to be weaponized against these endpoints. When it comes to fixing this class of vulnerabilities, it is hard to reach a consensus: some library maintainers consider that there is no point fixing the “gadgets” and that all applications should simply stop accepting serialized input. Easier said than done…
While the root cause of the issue lies with a lenient Java API (which does not allow one to specify which class is to be deserialized), we need an immediate fix. This is why I came up with the seminal “Look-ahead Java deserialization” concept in 2013.
During this talk, the look-ahead mitigation will be bypassed with a live demo, and a more robust white-listing technique will be presented.
Bonus: CVE-2016-3427 will be presented for the 1st time.
Biography
Pierre Ernst worked 10 years as a software developer in France, Belgium and Canada, in the telecom and biometric sector.
He spent the following 6 years working for IBM Canada where he was responsible for finding security vulnerabilities in 60 IBM products, mostly Java Web applications. Using a combination of manual testing and secure code review, he found more than 800 vulnerabilities.
More recently, Pierre Ernst worked remotely for VMware (Palo Alto) focusing on attacking Java and Open Source and 3rd party Java components. He is currently employed by Salesforce (San Francisco, remote).
Marc Dovéro
The French system for fighting cyber-terrorism: practical examples
My talk concerns the cyberdefence system set up in France under the Vigipirate plan. The Vigipirate plan is a central tool of the French counter-terrorism system; it brings together all the country’s actors: the State, local authorities, operators likely to contribute to protection and vigilance, and citizens. http://www.risques.gouv.fr/menaces-terroristes/le-plan-vigipirate
I propose to present this system and to examine its effectiveness.
I would like to extend this presentation by comparing it with the Canadian system, if I can find a good expert in this field to work on that comparison.
Biography
Let me introduce myself: my name is Marc Dovéro, I am the CISO of a French government entity, and I have been in Quebec for a year and a half to discover information security (SSI) governance in North America. In that context I am responsible for designing the cyber-security plan and the defence model of Industrielle Alliance.
I received the award for best CISO in France for my participation in the legal frameworks on cyber-security and the implementation of the Référentiel Général de Sécurité; I will be happy to share my experience and compare it with the systems in place in Canada and Quebec.
- http://bfmbusiness.bfmtv.com/01-business-forum/coup-de-coeur-marc-dovero-530915.html
- http://www.lagazettedescommunes.com/204146/securite-informatique-on-ne-pourra-pas-faire-de-administration-sans-inspirer-confiance/
Aaron Guzman
Make iOS Hacking Great Again: The Easy Wins!
After analyzing hundreds of mobile applications, it is easy to identify where most mobile app developers break down. Penetration Testers are easily able to exploit basic iOS default configuration vulnerabilities, vulnerable iOS SDK APIs, and the many vulnerable frameworks developers employ. Join me as we uncover common vulnerabilities that will be easily spotted on your next mobile assessment using free and open source tools.
Biography
Aaron is a Principal Penetration Tester in the Los Angeles area with expertise in Application Security, IoT, Mobile, Web, and Network Penetration testing. He volunteers his time as a Chapter Board Member for OWASP Los Angeles, President for Cloud Security Alliance SoCal, and a Technical Editor for Packt Publishing. Aaron is a contributor for various IoT guidance documents from CSA, OWASP, Prpl, and others. He has held roles with companies such as Belkin, Linksys, Dell and Symantec.
Chad M. Dewey
Pentesting Cruise Ships OR Hacking the High Seas
Vacationing on a cruise ship should be a relaxing, care-free endeavor that allows one to unwind, have a few drinks, explore new countries, and get a little sunburned. For most people, there is not much thought put into how the cruise ships operate or how secure your stored information is on the ship. After all, they’re on vacation. In this presentation, three major cruise lines have been evaluated in several different areas over the last 10 years. These areas include physical security, social engineering, wifi vulnerabilities, segregation of the passenger network from the operations network, financial transactions, information sanitization, and more. Some vulnerabilities are simple hacks that allow one to obtain free wifi; others are more complex and allow one to explore the ship in more obscure ways. In this presentation, successes and failures of hacking the high seas will be discussed.
Biography
Just a regular Joe with a background in network and information security, Chad M. Dewey is a Computer Science and Information Systems Professor at Saginaw Valley State University in Michigan. While his interests include all things security, he takes a particular interest in the security of “weird stuff” like medical equipment, automobiles, and cruise ships. Earlier this year, Chad participated in Intel’s Automotive Security Research Board, along with 15 other security professionals, to test the security of automobile “In-Vehicle Infotainment Systems”.
Michael Bennet
Clogging the Futures Series of Tubes: A look at HTTP/2 DDoS Attacks
The future is here! Errrm, well it arrived a couple of years ago, but it’s starting to gain some traction! HTTP2 is the next generation of the HTTP protocol, designed from the ground up with performance in mind! It has a strong focus on loading full web pages and all of their dependencies faster through better network utilization and fewer concurrent connections. But like any new technology, it brings with it a new set of challenges and issues that need to be discovered first, and then possibly remediated. HTTP2 is no exception to that, with some security issues already identified. In this talk, I present some of my research into how HTTP2 makes it easier to launch layer 7 attacks and how attackers can leverage HTTP2 to launch new types of DDoS attacks. I also explore the readiness of the DDoS mitigation industry to detect HTTP2 based DDoS attacks.
Biography
Michael Bennett is a full time DDoS consultant/developer from Toronto with a love for building new things. He currently works for Security Compass where he designs, develops, and launches DDoS attacks regularly as part of his job. When he’s not launching DDoS attacks he’s often building a tool, automating something in his life, or just gaming.
Cheryl Biswas & Haydn Johnson
Blue Team Reboot: Adaptive Proactive Defence Strategy
How about this: a blue team talk given by red teamers. But here’s our rationale - your best defence right now is a strategic offence. The rules of the game have changed and we need to get defence up to speed.
We’ll show you what the key elements are in a good defence strategy; what you can and need to be using to full advantage. We’ll talk about the new “buzzwords” and how they apply: visibility; patterns; big data. There’s a whole lotta data to wrangle, and you aren’t seeing the whole picture if you aren’t doing things right. Threat intel is about getting the big picture as it applies to you. You’ll learn the importance of context and prioritization so that you can manipulate intel feeds to do your bidding. And then we’ll take things further and talk about hunting the adversary, using an update on proven methodologies.
We’ll show you how to understand your data, correlate threats and pinpoint attacks. Attendees will leave with a new understanding of the resources they have on hand, and how to leverage those into an Adaptive Proactive Defense Strategy.
Biography
Cheryl Biswas is part of KPMG Canada’s cybersecurity team in threat intel. An early love of Star Trek eventually evolved into a fascination with APTs, ICS SCADA, mainframes, Shadow IT and Big Data. She wields her specialized honors degree in political science and ITIL designation as she builds bridges along with security awareness. In addition to speaking at BSidesLV, Circle City, BSidesTO and the upcoming SecTor, Cheryl has been a guest on podcasts and television, and is an active writer and blogger. You’ll find her on Twitter as @3ncr1pt3d.
Haydn Johnson has over 3 years of information security experience within the Big4, including network/web penetration testing, vulnerability assessments, identity and access management, and cyber threat intelligence. He has a Masters in Information Technology, and the OSCP and GXPN certifications. Haydn regularly contributes to the InfoSec community primarily via Twitter and has spoken at BSides Toronto, BSides Las Vegas, and Circle City Con. Haydn wants to be a Purple Teamer when he grows up.
Chris Nickerson
Adversarial Simulation: Why your defenders are the Fighter Pilots.
Too many times do I hear the tales of PenTesters’ and “Red Teamers’” awesomeness but never hear of the fight the “Blue Teamers” put up. Let’s face it, the value of most PenTesting is as good as being pushed down a flight of stairs then being told you are vulnerable to a “Sneak Attack Stair Renegotiation Vulnerability”, or known in the media as SASR. In this talk I will explore what it is like to build, manage and operate a red team that is a VALUE to the organization, not just a gang of PenTesters pointing out flaws. We will cover numerous engagements and thousands of simulation hours that show a clear and repeatable method to measure the success of a program. We will cover the setup and goals of the team, integration into the overall ecosystem of the company and the tricky metrics that actually let you answer the fabled question “How secure are we?”
Biography
Chris Nickerson, CEO of LARES, is an 18+ year veteran of the Cyber Security industry. His main area of expertise is focused on real world Attack Modeling, Red Team testing and Adversarial Simulation. Mr. Nickerson has held Sr. positions at Arrow Electronics, KPMG, and Sprint providing security testing and recommendations to corporations worldwide. He has spoken at most major Information Security conferences in the world and is a TED speaker alumnus. He is the featured member of the TruTV series “Tiger Team” and author of the upcoming Red Team Testing book published by Elsevier.
Chris (Suggy) Sumner
Some hypotheses on burnout and stress related illnesses in relation to Cyber Security practitioners with a ‘Hacker Mindset’
This talk introduces a number of hypotheses, which if correct, suggest that Cyber Security practitioners with a ‘Hacker Mindset’ may be more likely to experience lower levels of well-being and greater levels of stress related illnesses than their peers and general society. If this is the case, what might be contributing factors and what are the broader implications for the industry and organizational/national security?
The talk explores the relationships between Cyber Security practitioners with a ‘Hacker Mindset’, well-being, stress related illnesses, pervasive developmental and personality disorders, personality traits and environmental factors such as childhood experiences, adult experiences and job related variables; it introduces existing research, research applied in different contexts and findings from a new, unpublished study specifically examining the relationship between Autism Spectrum Quotient and Burnout.
A shortage of skilled Cyber Security professionals has been identified as a key barrier to the growth of the security sector and the ability for nations and organizations to respond to Cyber threats. Understanding well-being and stress related symptoms in relation to the Cyber Security sector is an important and relatively unexplored area of study, as many of the personality traits that characterize a good Cyber Security practitioner may also predispose them to depression or stress symptoms.
Biography
Chris (Suggy) is a data scientist in the Cyber Security team at Hewlett Packard Enterprise. In addition to his corporate responsibilities, Chris serves on the DEF CON call-for-papers review board and is a co-founder of the not-for-profit Online Privacy Foundation who contribute to the field of psychological research in online contexts. He has authored papers and spoken on this line of research at leading Security, Psychology and Machine Learning conferences.
Blake Cornell
Come Bring all your Drones to the Yard
The Suffolk County Correctional Facility in Riverhead, New York now has the ability to detect unauthorized UAVs that approach and/or breach its secured perimeter. This first-in-the-U.S. technology initiative has been implemented and is operated by the Suffolk County Sheriff’s Office. This solution was designed to prevent the smuggling of mobile phones, drugs, weapons and other contraband into the jail.
Throughout this project, from the vision, putting together the right team, technical requirements, negotiations, design, implementation and testing, there were many challenges to overcome. We’ll discuss this project from start to finish, other solutions available today as well as new bleeding-edge technologies that all aim to combat Criminal Drone Operators.
Biography
Blake Cornell, Chief Technical Officer, Integris Security, New York USA, has been an IT innovator and developer with over a decade of experience within software and security. He has consulted for Fortune 500 companies and various law enforcement agencies with hopes of enacting solutions to ease every day issues.
Mr. Cornell had previously presented a topic at an FBI cyber security conference detailing the threats of domestic terrorist cells using Unmanned Aerial Improvised Explosive Devices (UAIED) within the US mainland. Thirteen months later Rezwan Ferdaus was arrested, charged and eventually sentenced to a 17 year prison sentence for attempting to execute what Mr. Cornell had outlined during his presentation. As well, Cornell has created several unique technologies including a remotely controlled full disk encryption appliance platform, intrusion detection and prevention, three-factor authentication solutions, an OSINT Active Denial System (internal use blacklist) and more. In 2003, Mr. Cornell designed, wrote and implemented a semi-passive network tracking technology which revealed the identity of the IT administrator hosting the majority of Islamic terrorism websites at that time.
Aaron Hnatiw
Racing the Web
Long thought to be relegated to the domain of fast, multithreaded desktop applications, race conditions are a well known issue in software development, and they often result in program crashes and poor usability. Most instances of race conditions can be difficult to test, as they may only occur in one in one thousand uses, and under very specific conditions. Due to this fact, it can be rare that these bugs manifest themselves with any regularity. But what happens when a race condition exists in an application that accepts thousands of concurrent connections? Suddenly the likelihood of unintended behaviour increases exponentially, and the consequences can be devastating.
In a web application, user sessions are often treated the same as desktop user sessions: a user is expected to perform a single task at a time, while the server processes the information and performs the intended functionality for that user. But what would happen if a user tried to perform the same task hundreds or thousands of times simultaneously? If the proper checks and defensive measures are not in place, databases get confused, “one-time-use” becomes a relative term, and “limited” becomes “unlimited”.
The focus of this talk is the security implications of this exact scenario, detailing specific examples where malicious users could cause damage or profit from a race-condition flaw in a web application. A custom open-source tool will also be introduced to help security researchers and developers easily check for this class of vulnerability in web applications.
Biography
Aaron Hnatiw is a Security Consultant for Security Compass, and a professor of Application Security at Georgian College. Prior to that, he was the founder of Inspectral Security, a company that provided customised red team services to medium-sized businesses across a wide range of industries. Aaron’s background has covered most areas of IT: he is a former system administrator, web and desktop developer, and network security engineer, and his current role involves pentesting and advisory work in both application and network security. In his free time, Aaron writes open-source security tools in the Go programming language, and participates in the occasional CTF from his home in Ontario, Canada.
Geoffrey Vaughan
Catching IMSI Catchers
Hunting the hunter: can you tell if your phone’s being captured by a rogue cell phone tower / IMSI catcher / Stingray? Learn strategies to detect rogue cell phone towers and hear stories from adventures war walking Las Vegas during Defcon. Learn about IMSI catchers, their capabilities, LTE to GSM downgrade attacks, and ways to protect yourself from these devices. Discover open source projects and other ways you can get involved to help make cellular technologies safer for users.
Biography
Geoffrey is a security engineer with Security Innovation. He spends his time hacking and securing web applications, mobile apps, robots, 3D printers, infrastructure, embedded devices, and anything with a Biometric. He is passionate about security and helping others build secure products.
Sunny Wear
Exploit Kits: The Biggest Threat You Know Nothing About
Exploit kits are an ever-present threat that can compromise innocent Internet users indiscriminately. As malware payloads such as ransomware are becoming more successful, so is the sophistication of these exploit kits. Such sophistication and stealth creates an enormous challenge to defend and combat. The beginning of our defense against Exploit kits is with understanding what EKs are and how we can secure our applications against them.
Biography
Sunny Wear, CISSP, GWAPT, GSSP, CSSLP, CRISC, CEH is an Application Security Architect and Web Application Penetration Tester. Her breadth of experience includes network, data, application and security architecture as well as programming across multiple languages and platforms. In her 20 years of professional experience, she has participated in the design and creation of many enterprise applications as well as the security testing aspects of platforms and services. She is the author of several security-related books including her most recent, entitled Secure Coding Field Manual: A Programmer’s Guide to OWASP Top 10 and CWE/SANS Top 25 (http://www.amazon.com/SCFM-Secure-Coding-Manual-Programmers/dp/1508929572), which assists programmers in more easily finding mitigations to commonly-identified vulnerabilities within applications. She conducts security talks and classes locally and at conferences like BSides Tampa and AtlSecCon.
Paul Rascagnères
Windows systems & code signing protection
This presentation explains the code signing mechanism (Authenticode) developed by Microsoft for Windows systems. The presentation will first explain the kernel implications and the impact on driver development. This protection initially annoyed rootkit developers, but they found several ways to bypass it. Well-known rootkits such as Derusbi, Uroburos or GrayFish use tricks to bypass driver signature enforcement. These techniques will be described during the presentation. Finally, user-land will be discussed, with the new library injection protection based on code signing implemented in Windows 10 TH2, especially for the Edge process.
Biography
Paul Rascagnères is a malware analyst and researcher for Sekoia’s CERT. He specializes in Advanced Persistent Threats (APT) and incident response. He has worked on several complex cases such as government-linked malware or rootkit analysis. He is a worldwide speaker at several security events.
RenderMan and Murdoch_Monkey
Hacking the Internet of Dongs
There is an under-researched branch of the Internet of Things: the Internet of Dongs. Sex toys have now become internet-connected devices and are subject to a whole host of risks and vulnerabilities. More so than many IoT devices, IoD devices, due to their private and intimate nature, should consider security and privacy more than any others. They should, but it turns out that they don’t.
This talk will explore the latest generation of connected sex toys on the market and the analysis of the security on some of these devices we’ve acquired and tested so far. This talk will also talk about the IoD project and how we are trying to influence vendors to be more secure with their devices.
Biography
RenderMan: Pope of the Church of Wifi. Breaker of things. Don of Dongs
Canadian born and raised. He hacks banks during the day and other random things at night. Last time he was hacking air traffic control; now he’s hacking sex toys. His interests are very diverse and have led him to do work that has allowed him to speak all over the world and change it a few times.
Murdoch_monkey: Official trunk monkey of the Church of Wifi
The result of a 10-year joke that Hackfest was the one to finally get. He follows RenderMan on his travels getting into monkey business. When he’s not being thrown from high places on questionable parachutes, he provides his commentary on events and conferences through his Twitter account @murdoch_monkey.
Alexandre Guédon
Docker security in production
Presenting the various techniques available to secure Docker containers, their limits, and the possible mitigations.
The goal of this presentation is to make current and future container users aware of the security issues that containers bring.
Biography
Alexandre Guédon is responsible for infrastructure at Delve Labs, an IT security startup. He was trained by BBSs, moulded by Linux, and educated by a bachelor’s degree in computer science and a master’s in information science. He has long been interested in questions of infrastructure, distributed systems and security. He has taken part in various projects in the private and public sectors, most recently as technology lead for a scientific platform, while being involved in open-data groups and in the security and free-software communities. His current interests are service automation (DevOps/SRE), managing growth (scaling) and microservice security.
Sylvain Desharnais & Nadia Vigneault
Search strategies and evidence discovery
- We will present the various strategies for searching a piece of media: keywords, regular expressions, directory tree, etc.
- We will tour the excellent FTK Imager tool in the context of a computer forensic investigation.
- We will demonstrate these search strategies and techniques.
Biography
Nadia Vigneault:
- Information security advisor
- Information Security Office of Université Laval
- Lecturer at Collège Garneau
Sylvain Desharnais:
- Lecturer at Polytechnique de Montréal and Université Laval
- Private consultant in digital forensics
- Author of digital forensics training courses at Kéréon
Maxime Lamothe-Brassard
Hunting with LimaCharlie
LIMA CHARLIE (LC) is an open source, cross-platform endpoint security monitoring and mitigation solution focused on detecting and prosecuting APTs. The endpoint sensors communicate in near-real time with a cloud software stack. Detection and monitoring capabilities are implemented mostly in the cloud and to a lesser extent in the sensor. By “going live” on the sensor, operators are also able to perform live investigations and mitigation.
LC focuses on providing quick detection capability development, easy integration with other industry products, and tighter detection-investigation cycles.
This talk will provide an overview of LC as a platform. A live portion will demonstrate a real-life scenario where an anomaly is detected and investigated, detection modules are generated, and the threat is prosecuted.
LC is provided under the Apache v2 license and can be found at: http://github.com/refractionpoint/limacharlie
Biography
Maxime currently works for Google. His career has been centered around advanced computer attacks. He worked for the Canadian Intelligence apparatus in functions ranging from development of cyber defence technologies through Counter Computer Network Exploitation and Counter Intelligence. Maxime led the creation of an advanced cyber security program for the Canadian government and received several Director’s awards for his service.
After leaving the government, Maxime provided direct help to private and public organisations in matters of cyber defence, working at CrowdStrike and eventually co-founding Arcadia, architecting advanced cyber defense solutions. For the past few years Maxime has also been providing analysis and guidance to major Canadian media organisations.
Peter Yaworski
Getting Beyond Bugbounty Noob Status
In this chat, I’ll talk about my experience hacking on the HackerOne platform, specifically, how I got into it, what it means to hack ethically, what bug bounties are / are not, what I’ve learned from other hackers and my advice for interacting with the community. I’ll include advice for getting started, do’s and don’ts, etc.
Biography
Peter Yaworski is a self-taught developer turned bug bounty hacker / author. He started with bug bounties on the HackerOne platform in December 2015 and has been publicly thanked by Twitter, HackerOne, Shopify, drchrono, Moneybird, Veris and other private bug bounty programs. He is also the author of Web Hacking 101: How to Make Money Hacking Ethically, which has been read by over 2,500 hackers. He also records Hacking Pro Tips Interviews with successful hackers to help others learn and improve.
Bernard Bolduc
Story of a hack.
A website got hacked; here is the story.
Biography
Unix systems administrator, DevOps, generalist in network and systems security, with 17 years of experience in IT, 11 of them self-employed within my own consulting company, Secure Logique; I have been doing security for businesses in the telecommunications, media, banking and government sectors since 2008.
I play in the clouds, online and offline.
Olivier Arteau
Workshop: XSS Auditor Bypass
XSS protection provided by browsers is getting more and more sophisticated. This workshop will guide you in understanding how you can bypass it and make XSS payloads that work in the real world. XSS auditor bypasses for both Internet Explorer and Google Chrome will be covered. The workshop will be divided into two parts. The first part is a presentation on the subject. The second part is a few exercises in which you can get your hands dirty. Do note that if you wish to do the Internet Explorer exercises, you must have either a Windows virtual machine available or Windows installed on your laptop.
Biography
Olivier Arteau has been an IT security professional for a few years and is part of Desjardins’ penetration-testing team. He is also a CTF enthusiast who has won the NorthSec CTF several times with team HackToute and frequently takes part in other CTFs with team DCIETS. But what he likes most is talking about himself in the third person in his bio.
Mathieu Lavoie & David Décary-Hétu
De-anonymizing Bitcoin one transaction at a time
The aims of this presentation are twofold. The first is to present an open-source tool we developed that analyzes all of the bitcoin transactions and regroups bitcoin addresses based on their incoming and outgoing transactions. This allows for a more accurate mapping of individuals’ online activities no matter how many bitcoin addresses they are using.
The second aim of this presentation is to provide real world use cases for the tool to better understand online illicit activities. To do so, we will present two case studies of extortion scams and online drug dealing. Each case will follow the growth of the illicit activities through time and the strategies used to manage the incoming bitcoins.
Biography
David Décary-Hétu
Prof. Décary-Hétu has a Ph.D. in criminology from the University of Montreal. He has worked as a Senior Scientist at the School of Criminal Sciences of the Université de Lausanne before his current position as an Assistant Professor at the School of Criminology of the University of Montreal. His thesis focused on the impact of the Internet on crime as well as how offenders have adapted to the virtual environment. Prof. Décary-Hétu has since continued his research on online illicit markets and is now particularly interested in cryptomarkets, 2nd generation online illicit markets. He has developed the DATACRYPTO tool that he uses to collect large amounts of information on cryptomarket participants. His research goals are to better understand the structure of markets and the social network of actors who participate in them as well as to understand the performance in the context of online illicit markets. To achieve these objectives, Prof. Décary-Hétu uses a quantitative approach that takes advantage of big data, data mining and social network analysis. The results of his research, funded by both the provincial and federal governments, have been published in journals such as the Journal of Research in Crime and Delinquency, have been presented at numerous conferences and have been disseminated to a wide audience in a number of interviews with the media.
Mathieu Lavoie
A graduate of ETS, Mathieu works as a pentester for a large financial institution. He previously worked as a malware researcher at ESET and as a computer security freelancer. During his free time, he is an avid participant in many CTFs with other gin addicts from DCIETS, where he developed a deep love-hate relationship with crypto challenges and DEF CON’s so-called “Web” challenges. As such he has been a finalist at the CSAW competition multiple times, and can even be seen somewhere on their website (no points for this flag). He has spoken at some security conferences including the first NorthSec and the HOPE conference.
Johnny Xmas & Benjamin Brown
How I Darkweb Economies (and You Can Too!)
Since the infamous Silk Road takedown by the FBI in 2013, the Darkweb economy has been increasing exponentially in both user base and revenue year-over-year. The need for esoteric knowledge in order to engage in transactions via this shadow Internet has subsided greatly, allowing average computer users access to the vast underground of illicit economies. 2016 in particular has seen turbulent growth and high-profile media coverage, putting it at the forefront of everybody’s minds. In this talk, we’ll present the cold hard truth behind the various commodities being bought and sold via this pseudo-anonymous marketplace, with a depth and insight The Media is simply not able to provide. Topics covered will include: money laundering via cryptocurrency, Hacking as a Service, hitmen for hire, human trafficking, and much, much more!
Biography
Johnny Xmas
Johnny Xmas ( @J0hnnyXm4s ) is a penetration tester for the Chicago-based Security Assessment Firm “RedLegg.” He’s been speaking Internationally on the topics of Information Security, Career Advancement and Social Engineering for nearly 15 years, both in and very far outside of the Information Security community. His infamous mixture of humor, raw sincerity and honest love of people often leads to lighthearted, but at their cores, serious discussions revolving around our innate desires to get in our own way.
Benjamin Brown
Benjamin Brown currently works on darknet research, threat intelligence, incident response, and adversarial resilience at Akamai Technologies. He has experience in the non-profit, academic, and corporate worlds as well as degrees in both Anthropology and International Studies. Research interests include darknet and deepweb ethnographic studies, novel and side-channel attack vectors, radio systems, the psychology and anthropology of information security, metacognitive techniques for intelligence analysis, threat actor profiling, and thinking about security as an ecology of complex systems.
Stephen Hall
Your configs are bad and you should feel bad
Let’s talk about that Linux server on the network that seems to be neglected: you know the one, the Linux box that is there for some reason that predates you. An offensive person has a multitude of ways to escalate privileges, pivot and gain access to Linux systems. Identifying the weaknesses and the changes you can make as a defender to address the misconfigurations will also be covered. We will talk about some of the commonly known misconfigurations and some configurations that are not as well discussed. We will also go over how to spot the weaknesses, how to leverage them, and how you can fix them or lower the risk of them being used against you.
Biography
Consultant at Security Compass, with more than five years of experience in the infosec domain, during which he has worked on various challenging client engagements in industries such as financial, energy, healthcare, and technology. He specializes in pentesting through the development of CTF-style challenges geared towards helping beginners learn the trade of hacking. He wrote a phishing methodology and has assessed multiple clients on this particular exercise. He is often found wearing a Santa hat throughout the year.
Mohamed Haoues, Gabriel Desharnais, Gabriel Tessier, Nadia Vigneault, Sylvain Desharnais
Workshop: Computer forensics techniques
The “Computer forensics techniques” workshop is, on the one hand, an activity applying media search strategies and, on the other, an introduction to examining RAM and the “Pagefile.sys” file (Windows swap memory). There will be a hands-on session on search strategies using a supplied forensic image of a USB key. This image allows each of the search strategies to be applied (signature, extension, digital fingerprint, intra- and para-data, regular expressions, keywords, exploration of the data and of the directory tree, exploitation of likely locations, information remnants and hidden information). Participants will be assisted to ensure success. Finally, a session on analysing RAM and swap memory will be offered.
Participants must bring their laptop with an operating system installed. We will provide the freeware that will be used during the presentation, as well as the forensic images and other files needed to complete the exercises. In this workshop, participants will consolidate their forensics knowledge through practical exercises.
Biography
Mohamed Haoues
B.Eng. (ULaval) and M.Sc. Eng. (Polytechnique, thesis submitted)
Gabriel Desharnais
Undergraduate physics student, USherbrooke
Gabriel Tessier
B.Sc. Computer Science (ULaval)
Nadia Vigneault
Université Laval
Sylvain Desharnais
Université Laval, Polytechnique
Patrick Mathieu
BurpSmartBuster - A smart way to find hidden treasures, the next steps
Bruteforcing non-indexed data is often used to discover hidden files and directories, which can lead to information disclosure or even a system compromise when a backup file is found. This bruteforce technique is still useful today, but the tools lack application context and don’t use any smart behaviour to reduce the bruteforce scanning time or to be stealthier. BurpSmartBuster, a Burp Suite plugin, offers to use the application context and add the smart into the Buster!
This 20-minute presentation will reveal this new open-source plugin and will show practical cases of how you can use this new tool to accelerate your web pentest and find hidden treasures! The following will be covered:
- How to add context to a web bruteforce tool
- How we can be stealthier
- How to limit the number of requests: Focus only on what is the most critical
- Show how simple the code is and how you can help to make it even better!
Biography
Patrick is a co-founder of Hackfest.ca and has been involved in IT security for over 20 years. He works as a pentester and purple-team lead and specializes in application security. Patrick holds a bachelor’s degree and a DEC in computer science and, moreover, has always been active in the community and at security events.
Mickael Nadeau
Game Hacking Exposed.
Talking about everything needed to hack a game and all the broken concepts behind a video game that could be turned into vulnerabilities. Also explaining the basics behind “game hacking”, doing a quick demo of my research, and showing how dangerous it could be to reverse engineer a game and how easy it is to create a responsive hack when the game engine is leaking too much information.
Biography
Mickael loves vegetables and a healthy lifestyle. Big fan of harp melodies and classical music. You’ll never find him using a computer - you’ll have more chance finding him on his yoga mat, invoking the Flying Spaghetti Monster. Joking aside, Mick is a rock singer and a Vulnerability Researcher at Sucuri. You can find him on Twitter at @Mick4Secure.
Cheryl Biswas
A Stuxnet for Mainframes
You say SCADA, I say … mainframes. In this talk, I’ll show you some remarkable - and scary - parallels between the worlds of SCADA ICS and mainframes. Notably, that what each system manages is critical to our lives. And that their worlds are insular, proprietary, and seemingly shut-off to everyone else. Except for when they aren’t. I extrapolate the future of security for mainframes based on the challenges and failures of SCADA ICS as it has evolved from sequestered to connected. You’ll learn how SCADA serves as a cautionary tale for securing mainframes against acts of God, nature and man. And I’ll present to you the scenario of a Stuxnet for Mainframes.
Biography
Cheryl Biswas is a Threat Intel Consultant in Toronto, Canada, equally fascinated by Stuxnet and StarTrek. She loves to connect the dots using her degree in Political Science, ITIL, and many years experience in IT. She writes, blogs (see LinkedIn, AlienVault and Tripwire), and actively indulges her Twitter addiction. She has spoken at BSidesLV, BSidesTO, Circle City Con and will be speaking at SecTor.