Speakers 2017

Speakers list

Dor Azouri

BITSInject - control your BITS, get SYSTEM

Windows’ BITS service is a middleman for your download jobs. You start a BITS job, and from that point on, BITS is responsible for the download. But what if we told you that BITS is a careless middleman? We have uncovered the way BITS maintains its job queue using a state file on disk, and found a way for a local administrator to control jobs using special modifications to that file. Comprehending this file’s binary structure allowed us to change a job’s properties (such as RemoteURL, Destination Path…) at runtime and even inject our own custom job, using none of BITS’ public interfaces. This method, combined with the generous notification feature of BITS, allowed us to run a program of our choosing as the LocalSystem account, within session 0. So if you wish to execute your code as NT AUTHORITY/SYSTEM and the first options that come to mind are psexec or creating a service, we now add a new option: BITSInject. Here, we will not only introduce the practical method we formed, but also reveal the binary structure of the state file for you to play with, along with some knowledge we gathered while researching the service flow. We will also provide free giveaways: a one-click Python tool that performs the described method; SimpleBITSServer, a pythonic BITS server; and a struct definition file to use for parsing your BITS state file.

Biography

I am a security professional, having 6+ years of unique experience with network security, malware research and infosec data analysis. Currently doing security research @SafeBreach.

Marc-André Bélanger

Autonomous vehicles, their telemetry and the impact on security

Currently, an interesting transformation is under way in automobile insurance with the arrival of ‘Usage Based Insurance’… The telemetry associated with your driving habits is now being enriched with data on how you maintain your vehicle and on the various safety mechanisms such as automatic emergency braking and lane detection. This transformation will be disrupted by the imminent arrival of autonomous vehicles, which will have a significant influence both on the insurance market and in the field of security…

Biography

A repeat speaker at Hackfest and AtlSecCon, Marc-André currently works in the banking sector as a Senior Analyst in Technology Risk Management. His personal research attempts to popularize risk issues by highlighting the similarities between related fields such as fraud and physical security.

Steve Garon & John O’Brien

Introducing CSE’s open source AssemblyLine: High-volume malware triaging and analysis

The Communications Security Establishment (CSE), Canada’s national cryptologic agency and a leading expert in cyber security, believes in fostering collaboration and innovation. For the first time ever, CSE is releasing one of its own tools to the public as an open source platform. Developed internally, AssemblyLine is a cyber defence framework designed to perform distributed analytics at scale, focusing primarily on detecting and analyzing malicious files. Learn how AssemblyLine can not only minimize the number of innocuous files that cyber security professionals are required to inspect every day, but how you can collaborate with others to customize and improve the platform.

Biography

Steve Garon is an IT analyst at the Communications Security Establishment (CSE) and the lead developer for Assemblyline. Steve has been at CSE for 11 years and began as an analyst working on malware reverse engineering. His wish to speed up the process of triaging malware detections eventually led to the creation of Assemblyline, which he has worked on for seven years. Steve is from Rimouski, Quebec and holds a Bachelor’s degree in Computer Science from the Université de Sherbrooke.

John O’Brien is a Senior Technical Advisor with the Communications Security Establishment (CSE), currently working for the organization’s Cyber Defence program. John has 12 years of experience in the field of incident response and forensics, spending 6 years as a senior IT security specialist with a focus on malware reverse engineering and the next 6 years leading a team specializing in malware triaging and detection. Since 2005, he has participated in the response efforts to a majority of compromises that have targeted the Government of Canada. John holds a Bachelor’s degree in Computer Science from the University of New Brunswick.

Pierre-Alexandre Braeken

NOAH: Uncover the Evil Within! Respond Immediately by Collecting All the Artifacts Agentlessly

Imagine the moment you realize that a malicious threat actor has compromised your network and is currently going through your confidential information. Faced with this dreadful scenario, you initiate an Incident Response.

We have built an open source Incident Response framework based on PowerShell to help security investigators and responders gather a vast number of key artifacts without installing any agent on the endpoints, thus saving precious time.

Our goal is to provide a community-driven scalable platform allowing Incident Response teams across the world to efficiently hunt from the get-go of an incident without having the need to develop ad hoc tools or waste time installing an agent on every endpoint when the incident occurs. We aim to present complex data in an understandable format therefore allowing investigators to respond as quickly as possible.

At a time when malicious threat actors could have breached your network in multiple ways and left backdoors in the most inconspicuous locations, how fast would you want them found when every second counts?

Biography

Pierre-Alexandre Braeken is an accomplished and highly experienced security professional with over 14 years of experience in engineering and system architecture. Having acquired the MCSE, MCSA and MCITP certifications over his career, he has focused specifically on security and specialized in the implementation of large projects for businesses relying on the Microsoft infrastructure and alternative platforms. He is a Microsoft Certified Solutions Expert in Cloud Platform and Infrastructure.

He has an excellent command and understanding of information security, security architecture and secure application development, as well as strong analytical skills pertaining to enterprise situations, risk and contingency plans.

He’s focused on assisting organizations across Canada with implementing effective threat detection, response capabilities and performing red teaming activities.

He does unique security research and speaks at major international security conferences:

  • Black Hat USA 2017, Las Vegas - USA.
  • NorthSec 2017, Montréal - Canada.
  • Black Hat Asia 2017, Singapore.
  • Black Hat Europe 2016, London - U.K.
  • B-SidesDC 2016 - Washington, U.S.
  • SecTor 2016 - Toronto, Canada.
  • InfoSecurity Europe 2016 - London, U.K.
  • Hackfest 2015 - Quebec, Canada.

Sylvain Desharnais & Nadia Vigneault

Properties of digital evidence and considerations relating to its collection

When a digital offence or crime is committed, the evidence of that act must be collected as soon as possible. The collection of this evidence must comply with best practices in the field of digital investigation, failing which the evidence could be rejected at trial or in an administrative proceeding. Of course, the person performing the collection will have to use digital forensic software. But above all, they must know the properties of digital evidence and the principles for collecting any digital data, and know under which principles that collection must be carried out.

Biography

Sylvain Desharnais holds degrees in cyber-investigation from École Polytechnique, in business administration (accounting) from the Hautes études commerciales de Montréal, and in physical education teaching from the Université du Québec à Trois-Rivières. From 1996 to 1999, Sylvain was a computer search specialist in the Montreal office, and from 1999 to 2013 he was a regional computer investigator (Quebec-Atlantic region) for the Canada Revenue Agency. He is a lecturer in the bachelor’s programs in computer science and software engineering at Université Laval (Quebec City) and at École Polytechnique (Montreal). He works as a private consultant in digital investigation and is the author of the book « Comprendre l’informatique judiciaire » and of two digital investigation training courses available from Kéréon: Expressions régulières and Procédures d’investigation numérique.

Nadia holds a bachelor’s degree by cumulative certificates, combining certificates in computer science, cyber-investigation and network cyber-security from the École Polytechnique de Montréal. She is currently an information security advisor at the Information Security Office of Université Laval and a lecturer in the Cyber-investigation program at Cégep Garneau.

Michael Vieau & Kevin Bong

Make a Thing – Creating a Professional-Quality Embedded Device on a Budget

It used to be that only professional engineering shops had the knowledge and resources to design and fabricate embedded devices. However, with the availability of open-source software, inexpensive quick-turn fabrication services and community how-to documents, it is easy for hobbyists to build professional-quality embedded systems from scratch.

This presentation is targeted at hardware-hacking beginners and will demonstrate the end-to-end steps to create an embedded device. The talk will cover circuit design fundamentals and prototyping, PCB design using open source tools, fabricating a PCB, surface-mount soldering techniques, and how to utilize small-batch manufacturing services. At each step, the presenters will share tips, tricks and pitfalls to help ensure your project is a success.

Biography

Michael is a Senior Consultant with Sikich. Michael takes great pride in furthering his education to maximize his value to clients. His academic background augments his already extensive experience in the information technology, health care and manufacturing industries. His familiarity with these fields makes him an excellent resource for organizations looking to tackle compliance mandates from NIST to CIS and beyond. When he’s not working diligently on consulting, you can find him heads-down studying new exploits, giving talks at events like DerbyCon or teaching up-and-coming infosec professionals as an adjunct associate professor. He also currently maintains the MiniPwner project for the pocket-sized MiniPwner penetration testing device used to gain remote access to a network. Michael has a Master of Science degree in Computer, Information and Network Security from DePaul University. In addition, he holds the Certified Information Systems Security Professional (CISSP) and Certified Ethical Hacker (CEH) certifications.

Kevin is a Manager at Sikich focusing on information security and compliance issues faced by financial institutions. Prior to joining Sikich, Kevin spent 12 years as a Vice President of a multi-billion-dollar financial group, leading the bank’s security and IT risk management activities. With his experience performing audits, penetration testing, risk assessments and forensic investigations, Kevin provides invaluable guidance to institutions affected by standards such as those related to the FFIEC, NIST, HIPAA and PCI. Kevin is the creator of the MiniPwner, a pocket-size penetration testing device used to gain remote access to a network. He’s also an author, instructor and a speaker at conferences like RSA, DerbyCon, Security BSides and WACCI. Kevin has a Master of Science Degree in Information Security Engineering from the SANS Institute. In addition, he is a Payment Card Industry Qualified Security Assessor (QSA) and a Project Management Professional (PMP) who holds numerous Global Information Assurance Certifications (GIAC), including GIAC Security Expert (GSE), GIAC Certified Incident Handler (GCIH), GIAC Certified Intrusion Analyst (GCIA), GIAC Certified Perimeter Protection Analyst (GPPA), GIAC Security Essentials (GSEC), GIAC Certified Forensic Analyst (GCFA) and GIAC Assessing and Auditing Wireless Networks (GAWN).

Keith Hoodlet

Attack Driven Development: Getting Started in Application Security

Software Security professionals often express the concern that we do not teach Computer Science students about the dangers of insecure software as they begin their formal education. Moreover, when students learn about either software development or application security, they tend to learn about these topics serially – rather than in parallel. With the ever-increasing pace of new software development techniques and frameworks, Attack Driven Development lays out a process through which students and professionals alike can learn about the tools, techniques, and procedures for software development and application security in parallel.

Attack Driven Development uses the acronym “A.D.D.” purposefully, as it is designed to recursively work through a process of learning, building, breaking, and fixing applications – with each of these steps intended to occur in micro-bursts. In order to keep up with the pace of new frameworks and tools, this process involves learning several things at a time – with each step of the process further developing and honing skills that have been previously built up. The end result of leveraging this process is an understanding of how to test applications for security flaws, as well as how to develop more secure software.

Biography

Keith started on his path toward a career in Information Security in the mid-90’s as a kid playing Blizzard’s popular PC title, “Diablo”. It was at that time he learned how to use Telnet to spoof multiple connections to Blizzard’s online platform, “Battle.net”, using unauthenticated Diablo trial accounts. Needless to say, it wasn’t long before he became hooked on text user interfaces and networking protocols.

Keith graduated from Keene State College with a B.A. in Psychology in 2009, and recently attended classes in Computer Science at University of New Hampshire – during which time he also interned at Veracode as a Code Security Engineer. Since then, Keith has worked as an Engineer on the Customer Success team at Rapid7, and now works as a Trust & Security Engineer at Bugcrowd. In his free time he continues to develop his skills in Web Application Development and Security, and is the Co-Trainer of the “Offensive Web Hacking” course offered at DerbyCon 7.0 “Legacy”.

@4n6Kendra

Practical Analysis of Awareness

Many organizations today participate in some form of Security Awareness training. Whether it be something that is produced internally or supplied by a third-party vendor, the goals are very much the same: educate the end user to prevent becoming the next big breach news story. We all know the phrase ‘you can’t patch humans’, but what metrics can we use to see if our awareness efforts and methods are effective? Believe it or not, as Security Analysts, we have a lot of valuable information at our fingertips that can show us just how effective these programs are… and no, I’m not just talking about the results of your last phishing campaign.

Biography

Kendra has over five years of experience in several areas of Information Security including user administration, security operations and compliance. She focuses primarily on Incident Response and user education. Kendra holds a Bachelor’s degree in Digital Forensics and the CISSP certification.

Kendra speaks regularly at Security related events and is an advocate for practicing proper security hygiene. In her free time she enjoys wine and memorizing movie lines.

Michelle

Superheroes All! How empathy can help include staff with ASD/ADHD

Infosec is an attractive field for people with ASD or ADHD, but we still struggle to integrate or understand them. How do you work as a team with people who behave a little differently? And what exactly are ASD and ADHD? What are the challenges to solve?

Biography

I have a background in teaching and training with a focus on Inclusion. I am interested in applying this to infosec, to make it more inclusive and empathetic. I am British but live in California; the USA is my spiritual home, but I do miss tea.

Johnny Xmas

How To Pwn an Enterprise in 2017 (or 2016, or 2015…)

Johnny Xmas is here to reveal the magicians’ secrets on all of the “low-hanging fruit” that penetration testers and hackers used to compromise your enterprises in 2017. This will be a detailed discussion around how and why the attacks work, and what steps you can take to proactively defend against them. Participants will walk away with highly actionable tasks to take to work on Monday, to not only bump their security posture up a distinctive notch with little to no hit to their budgets, but also render future penetration tests more cost-effective by eliminating the potential “cheap shots” pentesters love to take.

Biography

Johnny Xmas is a Security Researcher for the US-based ICS Cybersecurity firm Uptake Technologies. He’s been speaking internationally on the topics of Information Security, Career Advancement and Social Engineering for nearly 15 years, both in and very far outside of the Information Security community. His infamous mixture of humor, raw sincerity and honest love of people often leads to lighthearted, but at their cores serious, discussions revolving around our innate desires to get in our own way.

Hackfest

Quebec Fail Panel (French)

We are pleased to present the Fails of 2016-2017 from Quebec and Canada.

We will present, by category, more than 20 fails made public in the media, from several organizations and government agencies, with a few special mentions for our journalists, and more!

Get ready for a fun hour, because security is such a serious matter that we still have to have some fun.

Biography

A bunch of people in costume. It’s Halloween week, after all!

Patrick Fussel

Between You and Me and the Network Security Boundary

Many organizations have IT environments with zones of varying security requirements. These zones are usually networks that are created to encompass systems that serve different functions, from production web applications to PCI in-scope database servers.

An organization has to make a decision about implementing a security boundary that protects high-security areas from low-security areas. Designing and deploying these solutions can be a complex task, contending with hurdles from compliance requirements and management all the way to just making sure the users can remember how to access all the necessary systems. This complexity leaves many holes that can be exploited by bad guys to get access to the most sensitive data. Most penetration testers will tell you that these barriers, even ones that implement fancy security features such as multi-factor authentication, become bypassable once user systems have been compromised.

This talk will review several common solutions for separating and accessing network zones, such as VPNs, bastion hosts, and virtualization, along with each solution’s most common pitfalls. As we review each implementation, I will talk about both low-hanging and high-hanging fruit in terms of bypass methodologies, while giving real-world examples of leveraging weaknesses such as race conditions and configuration flaws to gain access to secured networks. I will do a deep dive into the architectures that most efficiently secure protected networks, such as Microsoft’s Privileged Access Workstations (PAWs), as well as the management practices that create effective long-term security barriers.

Biography

Over his years in the information security industry, Patrick Fussell has spent time in numerous roles helping to increase the security of electronically stored data for customers while maintaining a focus on continually developing his skill set. With a background predominantly in penetration testing, security assessment, and auditing, he spent much of the last few years working on a wide range of consulting and analysis based engagements. Currently based out of Monterey, CA, he regularly performs penetration tests for clients of all sizes and has a strong desire to contribute to the larger community with his projects.

Philippe Arteau

Static-Analysis Tools: Now you’re Playing with Power!

You are performing penetration testing on Web applications. Do you systematically perform code reviews when you have source code access? Code review is an exercise that can prove to be an important ally. However, code review can be difficult. Thousands or even millions of lines of code will be targeted. How do you prioritize and perform an effective assessment? With tools and automation, of course! In this presentation, an overview of static analysis tools will be given, and a basic methodology will also be presented. Expect demonstrations with the FindSecBugs (Java/JVM), Brakeman (Ruby) and Bandit (Python) tools.

Biography

Philippe is a security researcher working for GoSecure. His research is focused on Web application security. His past work experience includes pentesting, secure code review and software development. He is the author of the widely-used Java static analysis tool Find Security Bugs. He created a static analysis tool for .NET called Roslyn Security Guard. He built many plugins for the Burp and ZAP proxy tools: Retire.js, Reissue Request Scripter, CSP Auditor and a few others. An instructor in application security, he has also presented at several conferences including Black Hat Arsenal, ATLSecCon, NorthSec, Hackfest, Confoo and JavaOne.

Masarah Paquet-Clouston

Beating the Disinformation Drift: Facts about the AlphaBay Market

In July 2017, the AlphaBay market was taken down by law enforcement and the alleged Canadian mastermind behind it was arrested in Thailand. Since the takedown, various pieces of information related to the market have circulated, most of them twisted, decontextualized or simply untrue. This presentation is about beating the disinformation drift by presenting an accurate and global picture of the marketplace, one that can be translated to the new illicit marketplaces currently emerging.

Based on three scientific studies, the true size of AlphaBay - compared to other illicit platforms - and the market’s degree of competitiveness will be presented. Then, AlphaBay’s governance system along with vendors’ tendency to favor local rather than international trades will be discussed. Finally, based on economic and criminological frameworks, this presentation will show that, contrary to the image depicted by the mainstream media, such “darknet” marketplaces are more likely to stay within a small size and scope.

Biography

Masarah is a security researcher at GoSecure and one of Canada’s decorated 150 scientific innovators. With her background in economics and criminology, her research’s goal is to understand complex social problems that emerge from technological innovation and help society overcome them. She presented at various international conferences such as Black Hat Europe, Botconf, the International Society for the Study of Drug Policy and the American Society of Criminology. Besides doing research, she’s passionate about programming, defending online privacy and discussing politics.

Patrick Colford

The Bottom of the Barrel: Scraping Pastebin for Obfuscated Malware

Started in 2002, pastebin.com has become the largest service of its kind in the world, serving 18 million visitors monthly and hosting 95 million pastes. Though used for lots of legitimate content, malicious actors have been using the site to distribute obfuscated malware for years. In this talk, I’ll explain the processes by which malware is hidden on Pastebin and other similar sites and how to use a scraper to find these obfuscated samples. Whereas most pastebin scrapers look for keywords like “password” to detect data dumps, this presentation will feature “FIERCECROISSANT”, a pastebin scraper designed to look for obfuscated malicious binaries, decode them, and use sandboxing environments to extract networking information from them. I’ll also show how many samples were found, the associated malware families, common behaviors of malicious pastes, and trends as well as unusual cases.

Biography

Patrick is a Security Analyst with Cisco Umbrella (formerly OpenDNS). Formerly a Customer Service Representative with nearly 10 years of experience, he joined the analyst team in 2016 to help support Umbrella’s London office. He is passionate about security education and hopes to inspire people all over the world to learn more about whatever interests them.

Adam Reiser

Selenium: dark side of the moon

Script the deep web! Selenium is a set of technologies for browser automation with powerful offensive applications. With seemingly every product today including a slick web interface built on the latest popular framework, automated interaction with dynamic, script-dependent sites is an essential tool for every attacker’s arsenal. Learn how to…

  • Extract tokens from complex application flows without re-implementing the protocols
  • Simulate users interacting with your malicious webpages
  • Automate the steps leading up to an attack that begins deep inside dynamically generated content

Biography

Adam is a security engineer with Cisco’s Advanced Security Initiatives Group. His work includes pentesting, redteam, and application security. He cultivated an early interest in infosec as a sysadmin at the Open Computing Facility at UC Berkeley, while there completing his physics degree. His interests include exploit development, acroyoga, and riparian restoration.

Cheryl Biswas

Banking on Insecurity: Why Attackers Can Take the Money and Run

This is the ongoing fairytale of securing financial institutions. So many banks in so little time. We should expect cyber attacks on financial institutions because it’s just so much easier to pillage online than to coordinate a get-away car, guns and comfortable ski masks. Over the past year, exploits against banks have seriously upped the game: jackpotting ATMs, DDoS, messing with trusted messengers. The recent attacks on Polish banks initially went unnoticed. That’s a mistake we can’t afford to make, but the attackers are banking on it. When source code revealed that a much bigger player was involved, everyone jumped in. But that was days later. What are we missing because we choose to see what we expect, instead of what is really there? After last year’s massive breaches, and some significant financial attacks, financial organizations need to be prepared. The attackers aren’t just going after the money. They want the data too.

Biography

Cheryl Biswas, aka @3ncr1pt3d, is a Project Manager, Cyber Security, with an offensive security firm in Toronto, Canada. Recently, she was a Cyber Security Consultant with a Big4 firm and worked on GRC, privacy, breaches, and DRP. Armed with a degree in Poli Sci, she engineered a backdoor into an IT role with CP Rail’s helpdesk over 20 years ago, and went on to initiate the security role within JIG Technologies, an MSP. Her areas of interest include APTs, mainframes, ransomware, ICS SCADA, and building threat intel. She actively shares her passion for security in blogs, in print, on podcasts, and speaking at conferences.

Konstantinos Karagiannis

Hacking Smart Contracts

It can be argued that the DAO hack of June 2016 was the moment smart contracts entered mainstream awareness in the InfoSec community. Was the hope of taking blockchain from a mere cryptocurrency platform to one that can perform amazing Turing-complete functions doomed? We’ve learned quite a lot from that attack against contract code, and Ethereum marches on (even though multi-million dollar hacks still happen). Smart contracts are a key part of the applications being created by the Enterprise Ethereum Alliance, Quorum, and smaller projects in financial and other companies. Ethical hacking of smart contracts is a critical new service that is needed. And as is the case with coders of Solidity (the language of Ethereum smart contracts), hackers able to find security flaws in the code are in high demand. Join Konstantinos for an introduction to a methodology that can be applied to Solidity code review … and potentially adapted to other smart contract projects. We’ll examine the few tools that are needed, as well as the six most common types of flaws, illustrated using either public or sanitized “real world” vulnerabilities.

Biography

Konstantinos Karagiannis is the Chief Technology Officer for Security Consulting at BT Americas. In addition to guiding the technical direction of ethical hacking and security engagements, Konstantinos specializes in hacking financial applications, including smart contracts and other blockchain implementations. He has spoken at dozens of technical conferences around the world, including Defcon, Black Hat Europe, RSA, and ISF World Security Congress.

Olivier Bilodeau

Lessons Learned Hunting IoT Malware

Permeating the entire spectrum of computing devices, malware can be found anywhere code is executed. Embedded devices, many of which are part of the Internet of Things (IoT), are no exception. With their proliferation, a new strain of malware and tactics has emerged. This presentation will discuss our lessons learned from reverse-engineering and hunting these threats. During our session, we will explain the difficulty in collecting malware samples and why operating honeypots is an absolute requirement. We will study some honeypot designs and will propose an IoT honeypot architecture comprising several components such as full packet capture, a man-in-the-middle framework and an emulator. Additionally, reverse-engineering problems and practical solutions specific to embedded systems will be demonstrated. Finally, we will explore three real-world cases of embedded malware. First, Linux/Moose, a stealthy botnet that monetizes its activities by selling fraudulent followers on Instagram, Twitter, YouTube and other social networks. Second, a singular encrypted connect-back backdoor that uses raw sockets and can be activated by a special handshake. Third, LizardSquad’s LizardStresser DDoS malware, known as Linux/Gafgyt. Attendees will leave this session better equipped to hunt this next generation of malware using primarily open source tools.

Biography

Olivier Bilodeau leads the Cybersecurity Research team at GoSecure. With more than 10 years of infosec experience, Olivier has managed large networks and server farms, written open source network access control software and recently worked as a Malware Researcher. A passionate communicator, Olivier has spoken at several conferences like Defcon, Botconf, SecTor, Derbycon and many more. Invested in his community, he co-organizes MontréHack — a monthly workshop focused on applied information security through capture-the-flag challenges —, he is in charge of NorthSec’s training sessions and he hosts NorthSec’s Hacker Jeopardy. His primary research interests include reverse-engineering tools, Linux and/or embedded malware and honeypots. To relax, he likes to participate in information security capture-the-flag competitions, work on various open-source projects and brew his own beer.

Matthieu Faou & Frédéric Vachon

Stantinko: A multi-faceted botnet operating for more than 5 years

Stantinko is a botnet discovered in 2017 by ESET researchers, with an estimated size of half a million machines. Beyond its prevalence, this botnet surprised us with the sophistication of the techniques used to thwart detection and analysis of the various malware in this family. This allowed it to remain relatively unknown for more than five years. Its main functionality is ad fraud, but its arsenal also includes a backdoor allowing arbitrary code execution on the infected machine.

Cette présentation couvre les résultats d’une traque de 6 mois de ce botnet.

Premièrement, nous présenterons le vecteur d’infection de Stantinko. Il s’agit d’un downloader connu sous le nom de FileTour. Installant un nombre considérable de programmes indésirables, FileTour permet de dissimuler l’installation furtive de Stantinko.

Deuxièmement, nous détaillerons les différentes techniques utilisées par les développeurs de Stantinko pour ralentir l’analyse et la détection. Parmi ces techniques se trouve le chiffrement du code responsable de la communication avec le serveur de contrôle avec un clé unique par machine. Ce code est parfois stocké dans le registre Windows. Il est ainsi plus difficile d’avoir accès à tous les éléments nécessaires à l’analyse. L’utilisation d’un obfuscateur maison rend la phase de rétro-ingénierie longue et fastidieuse. Finalement, l’intégration de code provenant de projet open source dans les binaires malicieux rend le travail des équipes de détections plus difficile.

Troisièmement, nous détaillerons les modules finaux délivrés aux machines infectées. Envoyés par le serveur de contrôle et directement chargés en mémoire, ces modules ne sont pas persistants et ne se retrouvent jamais sur le disque. Bien que difficiles à obtenir, ils contiennent le code malicieux et sont indispensables à la compréhension de Stantinko. Les modules que nous avons trouvés comprennent des installeurs d’extension de navigateur faisant de la fraude publicitaire, un module pouvant brute-forcer des sites Joomla ou Wordpress, un module faisant de la fraude sur Facebook en générant, entre autres, des faux comptes et des faux likes, un module permettant de faire des recherches massives et distribuées sur Google et une backdoor donnant un contrôle total aux attaquants sur la machine infectée.

Biography

Matthieu Faou is a malware researcher at ESET, where he performs in-depth analysis of malware. He has a strong interest in cybercrime and especially click fraud. He finished his Master's degree in computer science at École Polytechnique de Montréal in 2016. In the past, he has presented his research at Virus Bulletin.

Frédéric Vachon is a malware researcher at ESET. Formerly a history student, he traded his love for old stories for playing with rusty computer languages like assembly. He cherishes the past and can't quite understand why modern GUIs supplanted good old terminal-based UIs.

Mahdi Braik & Thomas Debize


Hadoop safari : Hunting for vulnerabilities

With the growth of data traffic and the need for large-volume data analysis, "Big Data" has become one of the most popular fields in IT, and many companies are working on it by deploying Hadoop clusters, Hadoop being the most popular Big Data framework today. As with every new domain in computer science, Hadoop comes with essentially no security enabled by default. Over the past few years we dug into Hadoop and tried to understand its infrastructure and security.

This talk aims to present Hadoop's security issues, or rather its security "concepts", in a simple way, and to show the multiple vectors for attacking a cluster. By vectors we mean practical ones, in short: how you can reach the holy "datalake" after plugging your laptop into the target network.

You will also learn how Hadoop's (in)security model was designed, with an explanation of the security mechanisms implemented in the core Hadoop services, and discover the tools, techniques and procedures we created and consolidated to make your way to the so-called "new black gold": data. Through different examples, you will see how these tools and methods can easily be used to access data, but also to obtain remote system access on cluster members.

Finally, because Hadoop is a collection of several services and projects, you will see that patch management in this field is often complicated and that known vulnerabilities often remain exploitable for a long time.
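The talk's starting point is that a default Hadoop deployment authenticates nobody. The script below is an added example (not the speakers' tooling) that audits Hadoop `*-site.xml` files for the handful of properties that decide this. The property names and their default values are Hadoop's own; the two sample XML documents are constructed to look like a cluster left on the defaults.

```python
"""Audit Hadoop site files for settings that leave the cluster trusting whatever
username a client claims.  Added example; the property keys and defaults are
Hadoop's, the sample XML below is constructed for illustration."""
import xml.etree.ElementTree as ET

# key -> (value a hardened cluster should have, Hadoop's default when the key is absent)
EXPECTED = {
    "hadoop.security.authentication": ("kerberos", "simple"),
    "hadoop.security.authorization": ("true", "false"),
    "hadoop.rpc.protection": ("privacy", "authentication"),
    "dfs.permissions.enabled": ("true", "true"),
    "dfs.encrypt.data.transfer": ("true", "false"),
}

def parse_site_xml(xml_text):
    """Return {name: value} for one Hadoop <configuration> document."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = prop.findtext("name")
        if name is not None:
            props[name.strip()] = (prop.findtext("value") or "").strip()
    return props

def audit(*xml_docs):
    """Merge the given site files (later files win, as Hadoop does for
    core-site then hdfs-site) and return (key, effective_value, wanted_value)
    for every property weaker than EXPECTED.  Missing keys use the default."""
    merged = {}
    for doc in xml_docs:
        merged.update(parse_site_xml(doc))
    findings = []
    for key, (wanted, default) in EXPECTED.items():
        effective = merged.get(key, default).lower()
        if effective != wanted:
            findings.append((key, effective, wanted))
    return findings

# Constructed samples: only two properties set explicitly, everything else default.
CORE_SITE = """<?xml version="1.0"?>
<configuration>
  <property><name>fs.defaultFS</name><value>hdfs://nn1.example.internal:8020</value></property>
  <property><name>hadoop.security.authentication</name><value>simple</value></property>
</configuration>"""
HDFS_SITE = """<?xml version="1.0"?>
<configuration>
  <property><name>dfs.permissions.enabled</name><value>false</value></property>
</configuration>"""

if __name__ == "__main__":
    for key, effective, wanted in audit(CORE_SITE, HDFS_SITE):
        print(f"{key}: {effective!r} (want {wanted!r})")
```

The first finding is the one that matters for "plugging your laptop onto the target network": with `hadoop.security.authentication=simple`, the RPC layer trusts the client-supplied username, so anyone who can reach the NameNode can run `HADOOP_USER_NAME=hdfs hdfs dfs -ls /` and act as the HDFS superuser. The check for `hadoop.rpc.protection` is deliberately strict (the property may hold a comma-separated list in real deployments); treat it as a prompt to read the value, not a verdict.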

Biography

Mahdi BRAIK and Thomas DEBIZE are French security enthusiasts who work as infosec auditors at Wavestone, a French consulting company. They work on all kinds of security audits, penetration tests and incident responses through the company's CERT. They both developed a specific interest in Hadoop technologies a few years ago: as they got to know how immature this ecosystem was, they decided to hunt for vulnerabilities in it. They also like to git push new infosec tools (check https://github.com/maaaaz) and write blog posts, either on the corporate blog or in French infosec magazines.

Christopher Ellis


Genetic Algorithms for Brute Forcing

Machine learning algorithms have many applications in cyber security. While most of these applications are on the defensive side, such as intrusion detection and prevention, machine learning algorithms can be used to attack systems as effectively as to defend them.

This brief talk introduces a tool that leverages a basic machine learning technique, a genetic algorithm, to brute force obfuscated or randomly generated URLs. Compared to some traditional methods (such as a naive brute force), this approach can have a high success rate.
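The approach described above, as an added example (this is not the speaker's tool): a genetic algorithm evolves a population of candidate URL tokens with tournament selection, uniform crossover, per-character mutation and elitism. The page does not say what feedback the real tool scores guesses with, so `make_oracle` below is a constructed stand-in that returns how many characters of a guess are correct; a real target would have to leak something comparable (response size, status code, timing) for the method to do better than random guessing.

```python
"""Genetic algorithm for guessing a hidden URL token.  Added illustration; the
fitness oracle is a constructed assumption standing in for per-request feedback."""
import random
import string

ALPHABET = string.ascii_lowercase + string.digits

def make_oracle(secret):
    """Constructed stand-in for the target (assumption): number of positions in
    `candidate` that match the hidden token.  Real use replaces this with an
    HTTP probe that turns the server's response into a score."""
    def score(candidate):
        return sum(1 for a, b in zip(candidate, secret) if a == b)
    return score

def random_token(length, rng):
    return "".join(rng.choice(ALPHABET) for _ in range(length))

def tournament(population, fitness, rng, k=3):
    """Selection: the fittest of k randomly drawn individuals."""
    return max(rng.sample(population, k), key=fitness.__getitem__)

def crossover(parent_a, parent_b, rng):
    """Uniform crossover: every position is inherited from one of the two parents."""
    return "".join(rng.choice(pair) for pair in zip(parent_a, parent_b))

def mutate(token, rng, rate):
    """Independently re-roll each character with probability `rate`."""
    return "".join(rng.choice(ALPHABET) if rng.random() < rate else c for c in token)

def evolve(score, length, pop_size=100, max_generations=5000, seed=1):
    """Return (best_token, generations_used, guesses_made)."""
    rng = random.Random(seed)
    population = [random_token(length, rng) for _ in range(pop_size)]
    guesses = 0
    for generation in range(1, max_generations + 1):
        fitness = {ind: score(ind) for ind in set(population)}
        guesses += len(fitness)                 # one request per distinct candidate
        best = max(population, key=fitness.__getitem__)
        if fitness[best] == length:
            return best, generation, guesses
        # Elitism: carry the best over unchanged, breed the rest from tournament winners.
        next_population = [best]
        while len(next_population) < pop_size:
            child = crossover(tournament(population, fitness, rng),
                              tournament(population, fitness, rng), rng)
            next_population.append(mutate(child, rng, rate=1.0 / length))
        population = next_population
    fitness = {ind: score(ind) for ind in set(population)}
    return max(population, key=fitness.__getitem__), max_generations, guesses

def naive_keyspace(length):
    """Size of an exhaustive search over the same alphabet, for comparison."""
    return len(ALPHABET) ** length

if __name__ == "__main__":
    secret = "a7k3x9q2mz01"                      # constructed hidden token
    best, generations, guesses = evolve(make_oracle(secret), len(secret), seed=7)
    print(best, generations, guesses, naive_keyspace(len(secret)))
```

The number of guesses is what to compare against the naive keyspace: with a graded score the GA needs on the order of thousands of requests for a 12-character token, where exhaustive search needs 36^12. Without such a leak the fitness landscape is flat and the same code degenerates into random search, which is the caveat behind "can have a high success rate".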

Biography

Chris entered the security space accidentally, as a hobby at first, and now works for a large company as part of a red team and penetration testing group.

In his spare time, Chris builds security-related tooling and scripts that fall in a wide variety of spaces from data exfiltration and ransomware distribution to brute forcing and vulnerability scanning.

Gabriel Ryan


The Black Art of Wireless Post-Exploitation

Wireless is an inherently insecure medium. Most companies recognize this and focus their resources on minimizing the impact of wireless breaches rather than preventing them outright. During red team engagements, the wireless perimeter is either cracked within the opening days of the assessment or not cracked at all. From an attacker's perspective, the real challenge lies in moving laterally out of the isolated sandbox in which network administrators typically place their wireless networks. Enterprise network teams are typically aware of this, and many will justify weak wireless perimeter security by pointing out how difficult it is to pivot from the WLAN into production.

However, preventing an attacker from doing so is only easy when the network in question is used exclusively for basic functions such as providing Internet connectivity to employees. When wireless networks are used to provide access to sensitive internal infrastructure, the issue of access control gets significantly messier. A door must be provided through which authorized entities can freely traverse. As with cryptographic backdoors, a door that requires a key is a door no less.

In this presentation, we will focus on methods through which red team operators can extend their reach further into the network after gaining their initial wireless foothold. We’ll begin with a quick recap on how to use rogue access point attacks to breach all but the most secure implementations of WPA2-EAP. We’ll then demonstrate methods of evading the most commonly used methods of WLAN access control, and explore whether segmentation of a wireless network is truly possible. Finally, we will demonstrate how contemporary network attacks can be combined with wireless man-in-the-middle techniques to create brutal killchains that would be impossible to achieve over a wired medium.

Biography

Gabriel Ryan is a security consultant and researcher with a passion for wireless and infrastructure testing. He currently works for Gotham Digital Science at their New York office, where he provides full scope red team penetration testing capabilities for a diverse range of clients. He also contributes heavily to his company’s research division, GDS Labs. Previously, Gabriel has worked as a penetration tester and researcher for the Virginia-based defense contractor OGSystems, and as a systems programmer for Rutgers University. He also is a member of the BSides Las Vegas senior staff, coordinating wireless security for the event. In his spare time, he enjoys live music, exploring the outdoors, and riding motorcycles.

Gabriel Ryan


(Workshop) Advanced Wireless Attacks Against Enterprise Networks

This workshop will instruct attendees on how to carry out sophisticated wireless attacks against corporate infrastructure. Attendees will learn how to attack and gain access to WPA2-Enterprise networks, bypass network access controls, and perform relay attacks to gain administrative control over an Active Directory environment. External wireless adapters and preconfigured live USBs will be provided to all workshop attendees, and material learned in the lectures will be practiced within a realistic lab environment.


Areas of focus include:

  • Wireless reconnaissance and target identification within a red team environment
  • Attacking and gaining entry to WPA2-EAP wireless networks
  • LLMNR/NBT-NS Poisoning
  • Firewall and NAC Evasion Using Indirect Wireless Pivots
  • MITM and SMB Relay Attacks
  • Downgrading modern SSL/TLS implementations using partial HSTS bypasses

Biography

Gabriel Ryan is a security consultant and researcher with a passion for wireless and infrastructure testing. He currently works for Gotham Digital Science at their New York office, where he provides full scope red team penetration testing capabilities for a diverse range of clients. He also contributes heavily to his company’s research division, GDS Labs. Previously, Gabriel has worked as a penetration tester and researcher for the Virginia-based defense contractor OGSystems, and as a systems programmer for Rutgers University. He also is a member of the BSides Las Vegas senior staff, coordinating wireless security for the event. In his spare time, he enjoys live music, exploring the outdoors, and riding motorcycles.

Gal Bitensky


Vaccination - An Anti-Honeypot Approach

Malware often searches for specific artifacts as part of its anti-VM, anti-analysis, anti-sandbox and anti-debugging evasion mechanisms; we will turn that cleverness against it.

The "anti-honeypot" approach is a method to repel (instead of luring) attackers, implemented by creating and modifying those artifacts on the potential victim's machine.

Once the malware finds the planted artifacts, it terminates.

The session will include the motivations for attackers to use evasion techniques, some in-the-wild examples and effective countermeasures against them.
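As an added example of the vaccination idea (not Minerva's product code), the script below plants the file artifacts that evasive samples commonly test for and mirrors the malware's own existence check so the effect can be verified. The driver and tool file names are well-known VMware and VirtualBox guest-additions indicators; the `root` parameter is an assumption added so the example can run against a scratch directory instead of a live `C:\`. Registry decoys are only written on Windows.

```python
"""Plant the artifacts sandbox-aware malware looks for so it quits on sight.
Added example; artifact names are common VMware/VirtualBox indicators."""
import sys
from pathlib import Path

# Guest-additions files that evasive samples typically stat before running.
FILE_ARTIFACTS = [
    r"Windows\System32\drivers\vmmouse.sys",
    r"Windows\System32\drivers\vmhgfs.sys",
    r"Windows\System32\drivers\VBoxMouse.sys",
    r"Windows\System32\drivers\VBoxGuest.sys",
    r"Windows\System32\VBoxService.exe",
    r"Program Files\VMware\VMware Tools\vmtoolsd.exe",
]
# Registry keys under HKLM created by the guest tools (written only on Windows).
REGISTRY_ARTIFACTS = [
    r"SOFTWARE\VMware, Inc.\VMware Tools",
    r"SOFTWARE\Oracle\VirtualBox Guest Additions",
]

def _paths(root):
    """Artifact paths relative to `root` (assumption: root stands in for the system drive)."""
    return [Path(root, *rel.split("\\")) for rel in FILE_ARTIFACTS]

def looks_like_vm(root):
    """The same test the malware makes: any artifact present means 'analysis box'."""
    return any(p.exists() for p in _paths(root))

def vaccinate(root, registry=(sys.platform == "win32")):
    """Create the decoys that are not already there; return the paths created."""
    created = []
    for p in _paths(root):
        if not p.exists():
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(b"MZ")          # content is irrelevant, the check is existence
            created.append(str(p))
    if registry:
        import winreg                     # Windows only
        for key in REGISTRY_ARTIFACTS:
            winreg.CreateKey(winreg.HKEY_LOCAL_MACHINE, key).Close()
    return created

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "C:\\"
    for path in vaccinate(target):
        print("planted", path)
```

Two caveats before running this on real endpoints: the decoys only deter samples that abort on these particular checks (some families react to analysis indicators by changing behaviour rather than exiting), and fake driver files and vendor registry keys will show up in software inventories, can trip EDR rules, and can confuse the real VMware or VirtualBox tools installers. The artifact list also has to track what current samples actually test for.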

Biography

Gal Bitensky is a 29-year-old geek from Tel Aviv and a senior analyst and security researcher, currently repelling attackers at enterprise scale at Minerva. A "full stack researcher", he is experienced in anything from debugging exploit kits to reverse engineering ICS protocols.

Guillermo Buendia & Yael Basurto


How to obtain 100 Facebook accounts per day through internet searches

Back in 2016, the way the Facebook mobile application delivers third-party content through "Instant Articles" was very new. A user can view content from third parties directly in the Facebook platform without having to open a browser, for instance. This content can also be shared, saved, opened in a browser and so on.

In this talk, we will share how these Instant Articles, and the way they were shared, led us to a way of accessing Facebook accounts, and how internet searches turned this into a huge problem! We'll discuss how we identified the issue and how it was tested, reported, fixed and rewarded, and we'll also talk about a new attack vector for further research.

Biography

Guillermo is a Cyber Security Penetration Testing Consultant at Deloitte Mexico; he has worked for many financial institutions and the public sector over the last 5 years.

Yael is a Cyber Security Senior Consultant at Deloitte Mexico and has been working as a security specialist in different organizations for the last 4 years. He is really into programming, and his laziness has led him to write code to automate certain things at work, Nmap and Nessus reports for instance (github.com/zkvL7), along with some other work not ready to see the light.

Matthew Eidelberg & Steven Daracott


SniffAir – An Open-Source Framework for Wireless Security Assessments

SniffAir is an open-source wireless security framework. Its primary purpose is to give penetration testers, systems administrators and others interested in wireless security a way to collect, manage and analyze wireless traffic. SniffAir was born out of the hassle of managing large or multiple pcap files, manually reviewing the information, and subsequently formulating an attack. SniffAir allows testers to thoroughly cross-examine and analyze traffic while looking for potential security flaws or malicious traffic. Testers can also employ SniffAir to carry out attacks based on this information. We created SniffAir to collect all the broadcast traffic and sort it by client or access point. Testers can create custom rules to help define the scope, and SniffAir can be instructed to parse the collected information based on those rules. SniffAir then uses the rules to move the in-scope data to a new set of tables, allowing the framework to compare the filtered data against the original table for anomalies. If applicable, the tester can then load the desired information into SniffAir's wireless attack modules, allowing them to carry out various sophisticated wireless attacks directly through the framework. By making this project open-source, our hope is to stir the community's interest in wireless security, whether by contributing to the framework directly or by discovering new methods to assess or attack wireless networks which can then be incorporated into the framework.
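The core of the workflow above, collecting frames, sorting them by client or access point and then moving in-scope rows into their own table, is shown in the added example below. It is not SniffAir's code: it parses raw 802.11 MAC headers (no radiotap layer), uses the To-DS/From-DS bits to decide which address is the BSSID and which is the station, reads the SSID element from beacons, and applies a scope rule expressed as a regular expression over SSIDs. The four frames at the bottom are constructed so the example runs offline.

```python
"""Sort 802.11 frames into an AP table and a client table, then apply a scope
rule.  Added example, not SniffAir's code; sample frames are constructed."""
import re
import struct

BROADCAST = "ff:ff:ff:ff:ff:ff"

def mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def parse_ssid(ies):
    """Walk the tagged parameters; element ID 0 is the SSID."""
    i = 0
    while i + 2 <= len(ies):
        eid, length = ies[i], ies[i + 1]
        if eid == 0:
            return ies[i + 2:i + 2 + length].decode("utf-8", "replace")
        i += 2 + length
    return None

def parse_frame(frame):
    """Return type/subtype, BSSID, station and (for beacons/probe responses) SSID.
    Which address field means what depends on frame type and the DS bits."""
    fc, flags = frame[0], frame[1]
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    to_ds, from_ds = flags & 0x1, (flags >> 1) & 0x1
    a1, a2, a3 = mac(frame[4:10]), mac(frame[10:16]), mac(frame[16:22])
    info = {"type": ftype, "subtype": subtype, "ssid": None, "bssid": None, "station": a2}
    if ftype == 0:                                   # management: addr3 = BSSID, addr2 = sender
        info.update(bssid=a3, station=a2)
        if subtype in (8, 5):                        # beacon / probe response: 12 fixed bytes, then IEs
            info["ssid"] = parse_ssid(frame[24 + 12:])
    elif ftype == 2:                                 # data
        if to_ds and not from_ds:
            info.update(bssid=a1, station=a2)        # station -> AP
        elif from_ds and not to_ds:
            info.update(bssid=a2, station=a1)        # AP -> station
        elif not to_ds and not from_ds:
            info.update(bssid=a3, station=a2)        # IBSS / direct
        else:
            info.update(bssid=a2, station=a1)        # WDS: transmitter treated as AP side
    return info

def build_tables(frames):
    """aps: bssid -> ssid (None until a beacon names it); clients: station -> {bssid}."""
    aps, clients = {}, {}
    for frame in frames:
        info = parse_frame(frame)
        bssid = info["bssid"]
        if not bssid:
            continue
        aps.setdefault(bssid, None)
        if info["ssid"] is not None:
            aps[bssid] = info["ssid"]
        station = info["station"]
        if station not in (bssid, BROADCAST):
            clients.setdefault(station, set()).add(bssid)
    return aps, clients

def in_scope(aps, clients, ssid_pattern):
    """Scope rule: APs whose SSID matches, and the clients seen talking to them."""
    rx = re.compile(ssid_pattern)
    scoped_aps = {b: s for b, s in aps.items() if s and rx.search(s)}
    keep = set(scoped_aps)
    scoped_clients = {c: bs & keep for c, bs in clients.items() if bs & keep}
    return scoped_aps, scoped_clients

def _hexmac(s):
    return bytes.fromhex(s.replace(":", ""))

def beacon(bssid, ssid):
    """Constructed beacon: FC 0x80, DA=broadcast, SA=BSSID=bssid, fixed fields, SSID IE."""
    header = struct.pack("<BBH", 0x80, 0x00, 0) + _hexmac(BROADCAST) + _hexmac(bssid) * 2 + b"\x00\x00"
    fixed = b"\x00" * 8 + struct.pack("<HH", 100, 0x0411)     # timestamp, interval, capabilities
    return header + fixed + bytes([0, len(ssid)]) + ssid.encode()

def data_to_ap(station, bssid):
    """Constructed data frame with To-DS set: addr1=BSSID, addr2=station, addr3=DA."""
    return struct.pack("<BBH", 0x08, 0x01, 0) + _hexmac(bssid) + _hexmac(station) + _hexmac(BROADCAST) + b"\x00\x00"

SAMPLE = [                                           # constructed capture
    beacon("00:11:22:33:44:55", "CORP-WIFI"),
    beacon("66:77:88:99:aa:bb", "Guest"),
    data_to_ap("de:ad:be:ef:00:01", "00:11:22:33:44:55"),
    data_to_ap("de:ad:be:ef:00:02", "66:77:88:99:aa:bb"),
]

if __name__ == "__main__":
    aps, clients = build_tables(SAMPLE)
    print(in_scope(aps, clients, r"^CORP-"))
```

Reading real captures means stripping the radiotap header first and handling QoS data frames (subtype bit 7 adds two header bytes before the body); the address logic above is unchanged by either.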

Biography

Matthew Eidelberg is a husband, father, and big security fanatic. Matthew works as a Security Consultant on Optiv’s Attack and Penetration team. Matthew’s primary role is to conduct security penetration testing and red teaming assessments for Optiv’s clients, while also developing detailed remediation procedures in order to provide the best value to Optiv’s clients. Previously, Matthew worked as a Security Consultant for the Herjavec Group in Canada, providing the same type of work for clients in Canada, the United States and Asia. Matthew received his Bachelor of Technology in Informatics and Security, Seneca@York University in 2012 and was certified as an Offensive Security Certified Professional in March of 2015.

Steven works as a Security Consultant on Optiv’s Attack and Penetration team. Steven’s primary role is to conduct security penetration testing and red teaming assessments for Optiv’s clients, while also developing detailed remediation procedures in order to provide the best value to Optiv’s clients. Previously, Steven worked as a Space Systems Operator for the US Air Force, conducting space based missile defense for North America. Steven was certified as an Offensive Security Certified Professional in September of 2014.

Francois Gagnon


Fingerprinting Android malware packaging process through static analysis to identify their creator

In this talk, we will look at some elements of Android malware static analysis: what interesting information can be extracted from an APK and what might allow us to distinguish between malware and legitimate apps.

Statistics from an effort to analyze more than 200,000 malware samples will be presented. This will help us understand the current situation and the artefacts likely to be present in malware samples.

Finally (and most importantly), we'll look at some strategies that allow us to cluster malware samples around their origin. That is, how can we tell that two samples are from the same creator, without knowing exactly who that creator is, by fingerprinting the malware packaging process.

This project is the result of a collaboration between the cybersecurity R&D lab at Cégep Sainte-Foy and the Canadian Cyber Incident Response Centre (Public Safety Canada, CCIRC).
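One way to fingerprint a packaging process rather than the code it packages is to look only at the zip container: the order entries were written in, which entries are stored versus deflated, whether every entry carries the same timestamp, and which signing files are present. The example below is an added illustration of that idea, not the lab's method; the feature set is an assumption about what a build tool leaves behind, and the three APKs are constructed in memory so the example runs offline. Two of them carry different code but were "built" the same way and should share a fingerprint; the third was built differently.

```python
"""Fingerprint how an APK was packaged, ignoring its code.  Added example; the
chosen features are assumptions about toolchain habits, the APKs are constructed."""
import hashlib
import io
import zipfile

SIGNING_EXT = ("RSA", "DSA", "EC", "SF", "MF")

def _ext(name):
    return name.rsplit(".", 1)[-1] if "." in name else ""

def packaging_features(apk_bytes):
    """Toolchain-dependent metadata taken from the zip directory only."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        infos = z.infolist()
    names = [i.filename for i in infos]
    return {
        "head_order": tuple(names[:4]),                       # first entries written
        "signing_files": tuple(sorted(n for n in names
                                      if n.startswith("META-INF/") and _ext(n) in SIGNING_EXT)),
        "method_by_ext": tuple(sorted({(_ext(n), i.compress_type) for n, i in zip(names, infos)})),
        "uniform_mtime": len({i.date_time for i in infos}) == 1,  # build systems often zero timestamps
        "entry_count": len(names),
    }

def packaging_fingerprint(apk_bytes):
    """Stable short hash over the feature set; equal hashes cluster together."""
    feats = packaging_features(apk_bytes)
    return hashlib.sha256(repr(sorted(feats.items())).encode()).hexdigest()[:16]

def build_apk(order, dex, store_resources, mtime, signer="CERT.RSA"):
    """Constructed APK: entries written in `order` with tool-like habits, then signing files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name in order:
            data = dex if name == "classes.dex" else b"x" * 32
            info = zipfile.ZipInfo(name, date_time=mtime)
            info.compress_type = (zipfile.ZIP_STORED if store_resources and name.startswith("res/")
                                  else zipfile.ZIP_DEFLATED)
            z.writestr(info, data)
        for meta in ("META-INF/MANIFEST.MF", "META-INF/CERT.SF", "META-INF/" + signer):
            info = zipfile.ZipInfo(meta, date_time=mtime)
            info.compress_type = zipfile.ZIP_DEFLATED
            z.writestr(info, b"manifest")
    return buf.getvalue()

T0 = (2016, 3, 1, 12, 0, 0)
TOOL_A_ORDER = ["AndroidManifest.xml", "classes.dex", "res/layout/main.xml", "resources.arsc"]
SAMPLE_A = build_apk(TOOL_A_ORDER, b"dex\n035" + b"\x01" * 40, True, T0)
SAMPLE_B = build_apk(TOOL_A_ORDER, b"dex\n035" + b"\x02" * 90, True, T0)          # other code, same tool
SAMPLE_C = build_apk(list(reversed(TOOL_A_ORDER)), b"dex\n035" + b"\x01" * 40, False, (2017, 1, 1, 0, 0, 0))

if __name__ == "__main__":
    for label, apk in (("A", SAMPLE_A), ("B", SAMPLE_B), ("C", SAMPLE_C)):
        print(label, packaging_fingerprint(apk), packaging_features(apk)["head_order"])
```

In practice the signer certificate (the DER blob inside `META-INF/*.RSA`) is the strongest link between samples, but it is also the first thing an actor rotates; container habits like these survive a certificate change, which is why they help cluster samples from one creator without naming the creator.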

Biography

François is teaching computer science at Cégep Ste-Foy where he leads the cybersecurity R&D lab. He holds a Ph.D. in computer science (network security) from Carleton University and a M.Sc. in computer science (crypto) from Université Laval. He worked on several R&D projects in security in partnerships with private and public sector organizations.

Damien Bancal


French Presidential Election 2.0

How the Internet almost turned a democratic election into vast digital anarchy: data leaks, hacking, vulnerabilities and fake news. Follow seven months of the French election on the web.

Biography

Experienced journalist with a demonstrated history of working in the computer and network security industry (zataz.com, …). Skilled in news writing, communication, editing, media relations and journalism. In short, in French: I'm not handsome, but I'm funny :)

Raul Alvarez


Dissecting a Metamorphic File-Infecting Ransomware

Virlock is a polymorphic file-infecting ransomware. It is capable of infecting executable files and, at the same time, holding your computer hostage.

Running a single infected file is a sure way of infecting your computer all over again, and that is one of the main goals of Virlock. As ransomware, the malware makes sure that you won't be able to use your computer until you pay the ransom demand. To make our lives even harder, Virlock employs an on-demand polymorphic algorithm, where each and every copy of the infected executable file is different from the others. And there is more: Virlock is not only a polymorphic file-infecting ransomware; the initial set of the malware code is metamorphic in nature.

Biography

I am a Senior Security Researcher/Team Lead at Fortinet. I am the Lead Trainer responsible for training the junior AV/IPS analysts in malware analysis and reverse engineering.

I have presented at different conferences like BSidesVancouver, BSidesCapeBreton, OAS-First, BSidesOttawa, SecTor, DefCamp, BCAware, AtlSecCon, BSidesCalgary, TakeDownCon, MISABC, and InsomniHack.

I am a regular contributor to the Fortinet blog and to the Virus Bulletin publication, where I have published 22 articles.

Nikhil Kulkarni


How my SV Machine nailed your Malware

From a security perspective, it is well known that the Android platform is susceptible to malicious applications, and with vendors and customers going completely mobile, Android has become the attack surface for many malicious attacks. The mechanisms used for Android malware detection comprise several known methods, most of them based on permissions or on API usage. Looking deeper, these mechanisms are open to instruction-level obfuscation. We therefore bring machine learning to Android malware analysis: function call graphs combined with the Hash Graph Kernel method (Hido & Kashima) give a way to measure similarity between binaries while remaining robust to these obfuscations. This implementation is based on a well-known machine learning algorithm, Support Vector Machines (SVM). Function call graphs are extracted from the Android applications, and a linear-time graph kernel with an explicit mapping efficiently embeds every call graph into the explicit feature space. The game changer in this concept is the optimal use of the SVM, which proves to be better than other approaches, with a minimal number of false positives and a higher detection rate. Using clean and real malware Android application samples, an explicit classification model is developed; once the call graphs are embedded, the SVM is trained to thoroughly differentiate between benign and malicious applications.
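The pipeline above rests on the explicit feature map of the Hido & Kashima neighborhood hash kernel: a node's label is replaced by ROT1(label) XOR the labels of its neighbours, repeated for a few rounds, and the graph becomes the multiset of final labels. The added example below (not the speaker's implementation) applies this to small function call graphs. Labels are derived from what each function does (the APIs it calls) rather than its name, which is where the robustness to renaming-style obfuscation comes from; the three call graphs are constructed. Training the SVM on such vectors needs a labelled corpus and is left to a library such as scikit-learn, so only the feature map and the resulting kernel value are shown.

```python
"""Neighborhood-hash explicit feature map for function call graphs (linear-time
graph kernel of Hido & Kashima).  Added example; call graphs are constructed."""
import hashlib
from collections import Counter

BITS = 16
MASK = (1 << BITS) - 1

def base_label(apis):
    """Hash an invariant description of a function (its sorted API calls) to a
    BITS-bit label.  Function names are deliberately not used."""
    digest = hashlib.blake2b("|".join(sorted(apis)).encode(), digest_size=2).digest()
    return int.from_bytes(digest, "big") & MASK

def rot1(x):
    return ((x << 1) | (x >> (BITS - 1))) & MASK

def xor_all(values):
    acc = 0
    for v in values:
        acc ^= v
    return acc

def neighborhood_hash_features(graph, rounds=2):
    """graph: {function: (set_of_apis_called, [callees])}.
    Each round folds a node's neighbours into its label, so after r rounds a
    label summarises the r-hop neighbourhood.  Returns the label multiset."""
    labels = {f: base_label(apis) for f, (apis, _) in graph.items()}
    adj = {f: set() for f in graph}
    for f, (_, callees) in graph.items():           # call edges, treated as undirected
        for c in callees:
            adj[f].add(c)
            adj.setdefault(c, set()).add(f)
    for _ in range(rounds):
        labels = {f: rot1(lbl) ^ xor_all(labels.get(n, 0) for n in adj[f])
                  for f, lbl in labels.items()}
    return Counter(labels.values())

def kernel(fa, fb):
    """Count kernel: dot product of two explicit feature vectors."""
    return sum(count * fb.get(label, 0) for label, count in fa.items())

def similarity(graph_a, graph_b, rounds=2):
    """Cosine-normalised kernel value in [0, 1]."""
    fa, fb = neighborhood_hash_features(graph_a, rounds), neighborhood_hash_features(graph_b, rounds)
    return kernel(fa, fb) / (kernel(fa, fa) * kernel(fb, fb)) ** 0.5

# Constructed call graphs: an SMS-stealing sample, the same sample with renamed
# functions, and a benign contacts app that shares one API with it.
SMS_TROJAN = {
    "onCreate": ({"Activity.onCreate"}, ["grabContacts", "sendAll"]),
    "grabContacts": ({"ContentResolver.query"}, []),
    "sendAll": ({"SmsManager.sendTextMessage"}, ["grabContacts"]),
}
SMS_TROJAN_RENAMED = {
    "a": ({"Activity.onCreate"}, ["b", "c"]),
    "b": ({"ContentResolver.query"}, []),
    "c": ({"SmsManager.sendTextMessage"}, ["b"]),
}
BENIGN_CONTACTS_APP = {
    "onCreate": ({"Activity.onCreate"}, ["loadContacts"]),
    "loadContacts": ({"ContentResolver.query"}, ["render"]),
    "render": ({"TextView.setText"}, []),
}

if __name__ == "__main__":
    print(similarity(SMS_TROJAN, SMS_TROJAN_RENAMED), similarity(SMS_TROJAN, BENIGN_CONTACTS_APP))
```

The point of the explicit map is cost: each graph is hashed once in time linear in its edges, and any pair can then be compared with a sparse dot product, instead of running a pairwise kernel over every training pair. The Counters are the sparse feature vectors the SVM would consume.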

Biography

Nikhil P.K. is an independent security researcher and international trainer. His areas of interest include web application penetration testing, network forensics and mobile application security. He is currently pursuing extensive research in "Implementing Machine Learning into Security". He has presented his talks at international and national conferences and meets such as the Cocon International Cyber Policing and Security Conference, DEFCON Bangalore 2012, Null Open Security Meet Bangalore and Null Open Security Meet Mysore. He is also a bug bounty hunter and has been listed and acknowledged in the Halls of Fame of top companies such as Microsoft, Apple, Adobe, Nokia, Engine Yard, AVIRA Antivirus, etc. He will also be presenting this paper at the "Nuit Du Hack" conference in Paris on 24 June 2017.