Speakers 2018


Speakers list

The Hon. Karina Gould, Minister of Democratic Institutions of Canada

French & English

Let's talk about national cybersecurity issues facing democracy: A state of affairs!

To open the panel, the Hon. Karina Gould, Minister of Democratic Institutions of Canada, will give a short address to launch the discussion. The Minister will cover the state of affairs regarding cyber threats to Canada's democratic process. She…

Afterwards, in the form of a panel discussion, we will discuss the issues that our private and public organizations regularly face in terms of cyberattacks, and the roles and responsibilities of government and civil society in protecting…

To enrich the discussion we will have with us:

  • Steve Waterhouse, former sergeant with the Department of National Defence
  • Damien Bancal, journalist covering hacking and computer security in France
  • Geneviève Lajeunesse, Director of Operations at Crypto.Québec

And as moderator of the discussion:

  • Patrick Mathieu, Co-founder and President of Hackfest

Biography

Karina Gould PC MP is a Canadian Liberal politician who was elected as a member of parliament in the House of Commons of Canada to represent the federal electoral district Burlington during the 2015 federal election.

Kirils Solovjovs

Hacking COMBUS in a Paradox security system

While working on a project to reverse engineer some of the internal communication protocols used in a Canadian-made Paradox security alarm system, the author discovered a shocking secret on the COMBUS – the common bus connecting the control panel with keypads and other peripherals. It turns out that COMBUS isn't protected either electrically or logically, thus rendering the security system effectively broken.

This talk takes us through the discovery process (allowing the research results to be replicated), the findings, and some theoretical attacks that are possible as a result.

As part of the responsible disclosure process, the author has notified Paradox, the Canadian company that offers physical security devices, most notably home/office security alarms, about the discovered vulnerability. The company responded that the information brought forward by the author "has been dealt with". The author sincerely hopes that means "fixed".

Biography

Mg. sc. comp. Kirils Solovjovs is Lead Researcher at Possible Security and the most visible white-hat hacker in Latvia having discovered and responsibly disclosed or reported multiple security vulnerabilities in information systems of both national and international significance. Kirils is one of the authors of the jailbreak tool for Mikrotik RouterOS. He has extensive experience in network flow analysis, reverse engineering, social engineering and penetration testing.

David Girard

Workshop: Introduction to MISP and PyMISP for building solutions with OSINT

Your team is looking for a TIP (Threat Intelligence Platform) and you have no budget… MISP is there. Now that you've chosen MISP, you can't find an integration with your favourite project or product… No problem: MISP comes with a Python library and a rich API, and it is compatible with STIX and TAXII…

Biography

David Girard (Snowyow1), Senior Security Researcher, Trend Micro. Member of the OASIS OpenC2, STIX and TAXII technical committees. Has worked in security and IT for over 30 years… in various positions: development, pen testing, audits, security management, architect, consultant, incident response, malware analysis, forensics… in the military, healthcare and other sectors. Since 2014 he has worked mainly internationally and on breach detection. Since early 2018 he has been doing research in a "Data Science" team on cyber intelligence and analytics-based detection. He spoke at the first edition of Hackfest.

Christine Stevenson

THE INDUSTRIALIZATION OF RED AND BLUE TEAMING

By leveraging security instrumentation platforms, you bring red and blue teaming initiatives together with greater symbiotic mutualism across three major areas. First, you can validate the efficacy of security controls such as firewalls, WAFs, DLPs, EDRs, and SIEMs. If those controls aren't working as needed, you can leverage prescriptive analytics to instrument them. Second, you can apply configuration assurance to verify that a change that has been made actually does what's desired. You can also determine whether that change negatively impacts other facets of security. Third, you can utilize automated, ongoing checks to ensure that what was working continues working in perpetuity. Should something stop functioning, blocking, detecting, correlating, etc., as needed, alerts will be generated in response to the environmental drift.

We need to readjust so that we are focusing on security effectiveness and the efficacy of our security controls. We need to industrialize our approach to red and blue teaming with security instrumentation through automation, environmental drift detection, prescriptive actions, and analytics that enable us to finally and empirically manage, measure, and improve security effectiveness.

Biography

Christine Stevenson has over two decades of experience in Corporate IT and Security. She has held a variety of roles over the years with a primary focus on CSIRT and Digital Forensics. She is currently a Security Engineer at Verodin, a security instrumentation start-up out of Washington D.C.

Dominic White

More MitM Makes Mana Mostly Mediate Mischievous Message

In 2014, we released the mana rogue AP toolkit at Defcon 22. This fixed KARMA attacks which no longer worked against modern devices, added new capabilities such as KARMA against some EAP networks and provided an easy to use toolkit for conducting MitM attacks once associated.

Since then, several changes in wifi client devices, including MAC randomisation, significant use of the 5GHz spectrum and an increased variety of configurations, have made these attacks harder to conduct. Just firing up a vanilla script gets fewer credentials than it used to.

To address this, mana will be re-released in this talk with several significant improvements to make it easier to conduct rogue AP MitM attacks against modern devices and networks.

We'll also be showing our new EAP relay attack with wpa_sycophant.

After years of using mana in many security assessments, we've realised rogue AP'ing and MitM'ing are no simple affair. This talk will provide an overview of mana, the new capabilities and features, and walk attendees through three scenarios:

  • Intercepting corporate credentials at association (PEAP/EAP-GTC)
  • Targeting one or more devices for MitM & collecting credentials
  • “Snoopy” style geolocation & randomised MAC deanonymization

As a bonus, you’ll be able to download a training environment to practise all of this without requiring any wifi hardware (or breaking any laws).

Biography

singe has been hacking for 15 years, the last 9 of them at SensePost. This talk is about wifi, something he knows a little about.

Jen Ellis

Surviving a Cat-astrophe: The Art of Crisis Management as told through LOLcatz

How do you react during a crisis? Working in security, the unfortunate reality is that you’ll likely find out the answer to that question at some point. Dealing with high-pressure situations is part of the job; however, how you prepare, and then collaborate and communicate through the process can greatly influence the outcomes, and may determine just how stressful the experience ends up being. This session will walk through the basics of crisis management, with a strong emphasis on the alignment, teamwork, and communications pieces – both internal with core stakeholders, and external with the community and customers. We will talk through strategies you can apply in your organization to prepare for crisis situations and ensure you are better able to survive a catastrophe.

Biography

Jen Ellis is the vice president of community and public policy at Rapid7, a leading provider of analytics and automation for security and IT operations. She has extensive experience in managing crisis response, both internally for Rapid7 and previous employers, and externally as a crisis communications consultant for various third party clients. She has worked in reputation and brand management for more than 15 years, always with a strong emphasis on building credibility, authenticity, and customer trust. She has testified before Congress and spoken at a number of security industry events including SXSW, RSA, Derbycon, Shmoocon, SOURCE, UNITED, and various BSides.

Haydn Johnson

Communication to Upper Management and Colleagues - the art of influence

Do you have buy-in from upper management? Businesses are in business to make money; understanding this, as security people, is paramount to success. I have found that relationship building is my strongest asset; compassion, kindness and empathy all go together. My situation forces me to maximize everything, from time, skill and delegation to budget.

This talk is aimed at helping internal security personnel meet project milestones and gain support from upper management through the use of interpersonal relationships and effective communication.

Biography

Haydn has over 5 years of information security experience, including penetration testing, vulnerability assessments, identity and access management, cyber threat Intelligence and management. Additionally, he has a Masters in Information Technology and holds the OSCP and GXPN certifications. Haydn is now a security manager helping build a security program, which means identifying and helping to reduce risk. Haydn regularly contributes to the infosec community, speaking at various conferences including HackFest, BsidesTO, BsidesLV and SecTor.

Steven Danneman

Your Bank’s Digital Side Door

Why does my bank’s website require my MFA token but Quicken sync does not? How is using Quicken or any personal financial software different from using my bank’s website? How are they communicating with my bank? These questions ran through my head when balancing the family checkbook every month. Answering these questions led me to deeply explore the 21 year old Open Financial Exchange (OFX) protocol and the over 3000 North American banks that support it. They led me to the over 30 different implementations running in the wild and to a broad and inviting attack surface presented by these banks’ digital side doors. Now I’d like to guide you through how your Quicken, QuickBooks, Mint.com, or even GnuCash applications are gathering your checking account transactions, credit card purchases, stock portfolio, and tax documents. We’ll watch them flow over the wire and learn about the jumble of software your bank’s IT department deploys to provide them. We’ll discuss how secure these systems are, that keep track of your money, and we’ll send a few simple packets at several banks and count the number of security WTFs along the way. Lastly, I’ll demo a tool that fingerprints an OFX service, describes its capabilities, and assesses its security.

Biography

Steven Danneman is a Security Engineer at Security Innovation in Seattle, WA, making software more secure through targeted penetration testing. Previously, he led the development team responsible for all authentication and identity management within the OneFS operating system. Steven is also a finance geek, who opens bank accounts as a hobby and loves a debate about the efficient-market hypothesis.

Steve Waterhouse

Update on cyber threats and risks in Canada

A review of the threats awaiting our critical infrastructure in Canada over the coming months.

Biography

Capt(ret) Steve Waterhouse is one of the first cyber-soldiers to take the lead in implementing, preparing and training Computer Security Officers in Canada for the Department of National Defence (DND), and later distinguished himself by rebuilding IT services at the Royal Military College Saint-Jean (Quebec). An outstanding instructor in weapon systems and leadership, Capt(ret) Waterhouse continues to teach cybersecurity and networking beyond his military retirement. He is also a commentator on cybersecurity news for various Canadian and international print and electronic media, particularly in Montreal.

Justin Ryder

So You Want To Be A Consultant? Here’s The Fine Print…

When I was aspiring to make the move into a legitimate information security role, I spent hours listening to talks and podcasts from my heroes. The tales of their travels, the environments they encountered and after-hours shenanigans led me to believe that consulting was the only way to go. Thing is, that's not every employer, and there are some very hard lessons that everyone seems to learn at some point. I've called this the "fine print" of consulting. Getting started doesn't have to involve standard education, despite what the college recruiters might have you believe. The interviews may be many, but we'll talk about what questions to ask, and those may be more important than knowing the answers to the interviewer's questions. We'll also talk about what to expect in your first consulting gig, some of the major pitfalls, and how to get back on track if you fall into them. Most importantly, we're going to talk about what it's like to be on the road alone and how it may not be for everyone. There's an element of self-care that we're just recently starting to come to terms with in the community, and it's very real. Through some of my own candid stories, my own wins and losses, I'll pull back the curtain and show you what life is like for the infosec road warrior.

Biography

With over ten years in information security, Justin currently leads a malware, forensics, and incident response team for a financial services organization. Prior to this, he was a consultant on CBI’s “Red Team”, specializing in physical security audits, pentests, and malware incident response.

Martin Dubois

Using GPUs for network traffic inspection

Inspecting network traffic at the speed of modern network links requires computing capacity that modern processors struggle to provide. Using GPUs seems ideal for this relatively easy-to-parallelize task; however, passing the data through the computer's main memory and having the CPU schedule the GPU's tasks makes GPU processing inefficient.

That is why I developed a technique that moves network packets directly from the network card into the graphics card's memory, and from the graphics card's memory back to the network card if the packet must be forwarded.

The CPU is not involved at all in analysing or processing the packets, and is only minimally involved in reception and transmission, where it does nothing more than handle the interrupts the network card generates and pass metadata to the network card.

All packet analysis and processing is done using OpenCL, which gives the developer absolutely unmatched flexibility.

Biography

Martin Dubois studied computer engineering at Université Laval before working at several startups, mainly as a specialist in the link between software and electronics. It is in this field, device driver development, that he has worked as a consultant and trainer for over 15 years. He also regularly teaches part-time at the college or university level. He has a keen interest in computer security and writing as well.

Cheryl Biswas

Don’t Bring Me Down: Weaponized Botnets Anyone?

We're seeing an evolution in botnets. The impact of Mirai bringing down a huge swath of the internet two years ago raised awareness, but the release of the Mirai code has raised a new army of botnets that are capable of more than just DDoS on basic systems. But Mirai isn't the only botnet in town. There are some serious contenders with unexpected enhancements looking for new recruits to work in the bitcoin mines. Routers and cameras and toasters – oh my! The ongoing deluge of devices that connect to the Internet is an IoT nightmare, and an attacker's dream. Default credentials and weak passwords are only the beginning, especially with a bevy of unpatched, vulnerable systems on which to unleash some substantial exploits. Persistence and lateral movement ftw! DDoS isn't just child's play when attacks are in the realm of terabytes. What happens when we move past outages, and into destructive payloads? And what happens when weaponization meets automation? In this talk, we'll explore what may come next when nation states move into the turf once held by script kiddies, and build-a-bot gets leveled up in a very bad way.

Biography

Cheryl Biswas is a Strategic Threat Intel Analyst with TD Bank in Toronto, Canada, where she monitors and assesses international relations, threat actors, vulnerabilities and exploits. Previously with KPMG Canada, she was a Cyber Security Consultant and worked on security audits and assessment, privacy, breaches, and DRP. She has worked in a variety of fields, and her experience includes project management, vendor management and change management. Cheryl holds an ITIL certification and a specialized honours degree in Political Science. Her areas of interest include APTs, mainframes, ransomware, ICS SCADA, and building threat intel. She actively shares her passion for security online, and as a speaker and a volunteer at conferences. Cheryl is a founding member of “The Diana Initiative,” championing women and diversity in Infosec.

Marc-André Tremblay

“Blazing Secure” Egress Traffic with Smokescreen

Hurray! Your team has just shipped an amazing new feature allowing customers to receive notifications in the shape of webhooks. Everything is great, at least, until you get contacted by your cloud provider about those large GPU instances you’ve been running for the last hour. Oh noes, you’ve been owned. Handling egress traffic properly can be a daunting task which, if not done with the proper considerations in mind, will render your organization defenseless against vulnerabilities such as SSRF and data exfiltration. Can we properly handle egress? Stripe’s security team is excited to present Smokescreen: a proxy with mandatory access control for egress traffic. We will walk you through common egress use cases and their issues as well as demonstrate how we use Smokescreen to mitigate those.

Biography

Marc-Andre Tremblay is a Software Engineer on Stripe's Application Security team. His focus is to build mitigations which aim to keep the company and its users safe. In his spare time, he enjoys balcony gardening, the Bay Area's beautiful vantage points, as well as hacking on his computer. You can summon him by saying Clojure three times.

Saurabh Harit

Exploiting Connected Medical Devices: Lessons Learned & Data Earned

This talk will take an educational approach to present our research on assessing medical devices from a security standpoint. Based on output from security assessments performed against two medical devices that are widely deployed at various hospitals and medical institutions, we will present an in-depth analysis of the target medical devices, the discovered vulnerabilities, and the approach that led us to compromise them in order to gain access to a plethora of medical records from all the medical institutions they were deployed at, not just the one where our target devices were hosted.

An IoT medical device is part of a complex ecosystem that may expose numerous threats. Some devices rely on proprietary hardware on licensed bands, which reduces the risk of interference from consumer connected devices but doesn't provide security as implied in marketing materials. Others rely on standard WiFi security measures for confidentiality and are prone to MitM attacks. Healthcare devices that implement IrDA could yield interesting results when interfaced with cheap $10 hardware.

This presentation will focus on our assessment approach – test cases, pitfalls, successes & failures. We will demonstrate the compromise of a prescription device to extract healthcare records and the manipulation of various sensitive settings of an infusion pump.

Biography

Saurabh has been a security consultant for over a decade and has worked across diversified industry verticals such as banking, aerospace, building solutions, and process & control systems, and has developed expertise in various aspects of information security. Saurabh specializes in infrastructure pentests & adversary simulation, with a secret crush on binary reverse engineering. He has contributed towards proof-of-concept exploits and white papers, as well as delivered security trainings to various Fortune 500 clients globally and at reputed security conferences such as CanSecWest and Black Hat. Saurabh has presented his research at several security conferences including Derbycon, Toorcon, BSidesTO, Hack3rcon, Defcon, Blackhat US & Europe Tools Arsenal and Blackhat.

Philippe Arteau

Workshop: Advanced XXE Exploitation

When conducting a penetration test for a web application, knowledge of technology-specific caveats becomes crucial. Knowing vulnerability basics is often insufficient to be effective. In this workshop, the latest XML eXternal Entities (XXE) and XML related attack vectors will be presented. XXE is a vulnerability that affects any XML parser that evaluates external entities. It is gaining more visibility with its introduction to the OWASP Top10 2017 (A4). You might be able to detect the classic patterns, but can you convert the vulnerability into directory file listing, binary file exfiltration, file write or remote code execution?

The focus of this workshop will be presenting various techniques and exploitation tricks for both PHP and Java applications. Four applications will be at your disposal to test your skills. For every exercise, sample payloads will be given so that attendees save some time.

Biography

Philippe is a security researcher working for GoSecure. His research is focused on Web application security. His past work experience includes pentesting, secure code review and software development. He is the author of the widely-used Java static analysis tool Find Security Bugs. He is also a contributor to the static analysis tool for .NET called Security Code Scan. He built many plugins for Burp and ZAP proxy tools: Retire.js, Reissue Request Scripter, CSP Auditor and many others. He presented at several conferences including Black Hat Arsenal, ATLSecCon, NorthSec, Hackfest (QC), 44CON and JavaOne.

Alina Matyukhina

Who wrote this smart contract? Privacy and Anonymity in Blockchain

Anonymity in blockchain is a complicated issue. Within the system, blockchain users are recognized by user accounts (public keys only). An attacker who wants to disclose its users will try to build the one-to-many mapping between users and public keys and link information external to the system with the users. Blockchain attempts to avoid this attack by keeping the mapping of a user to his or her public keys on that user's node only, and by letting each user create as many public keys as needed. This session seeks to better understand the traceability of smart contract flows and, through this understanding, explore the possibility of de-anonymizing smart contract creators by their coding style using authorship attribution techniques. When the linkability of two different smart contract addresses to the same user is possible, the adversary can use such techniques to link all the agreements and transactions that these addresses participate in; it is therefore a serious threat to the anonymity of smart contract users. In our work we showed that de-anonymization is possible, with up to 83% accuracy. This technique can identify not only benign smart contract creators, but also malicious ones such as fake ICO, phishing, and scam writers.

Biography

Alina is a cybersecurity researcher at Canadian Institute for Cybersecurity, and PhD candidate at UNB. Her research work focuses on applying machine learning, computational intelligence, and data analysis techniques to design innovative security solutions. Before joining CIC, she worked as a research assistant at Swiss Federal Institute of Technology in Lausanne, Switzerland, where she took part in cryptography and security research projects.

Éric Gagnon

Threat hunting season is open - Getting started with Threat Hunting

The growing creativity of malicious actors forces us to be more original in our detection methods as well. Even if the term Threat Hunting is fairly recent, the process is not new. Among other things, it lets you act proactively to detect the threats present in your infrastructure rather than depending on the automated detection of a monitoring tool. The presentation will explain the different methodologies, approaches and tips for conducting an effective hunt.

Biography

Eric Gagnon is passionate about both offensive and defensive security. He has over 10 years of experience in the security operations centre of a financial institution. He constantly finds himself moving between the blue and red sides of the force. Day to day, Eric performs digital investigations, malware analysis, cyber threat intelligence, vulnerability management, penetration testing and threat hunting. He is a proud holder of the OSCP and OSCE certifications and loves motivating the next generation to take part in security competitions.

David Girard

Response automation, an introduction to the OpenC2 standard

As defenders, we use a multitude of products from different vendors (defence in depth requires it) and attacks are getting faster and faster… automating the response therefore becomes essential. The big vendors each have their own standard and framework (e.g. McAfee OpenDXL). And a series of new vendors in security orchestration, automation and response (SOAR) have appeared on the market, proposing to solve the problem of interoperability and speed of response. OpenC2 from OASIS is a standard that aims to address this problem, and several vendors contribute to it under the auspices of OASIS. In this presentation we will introduce you to OpenC2.

Biography

David Girard (Snowyow1), Senior Security Researcher, Trend Micro. Member of the OASIS OpenC2, STIX and TAXII technical committees. Has worked in security and IT for over 30 years… in various positions: development, pen testing, audits, security management, architect, consultant, incident response, malware analysis, forensics… in the military, healthcare and other sectors. Since 2014 he has worked mainly internationally and on breach detection. Since early 2018 he has been doing research in a "Data Science" team on cyber intelligence and analytics-based detection. He spoke at the first edition of Hackfest.

Colin DeWinter & Jonathan Beverley & Ben Gardiner

RHme3 : hacking through failure

Do you try to hack things? Do you screw it up lots? We do (and we do). Over the course of 6 months we competed in Riscure's automotive-themed challenge, RHME3, during which we broke more things than we fixed – even when we weren't supposed to. Come join us while we regale you with a series of unlikely scenarios in a hardware and crypto oriented CTF. We made a shoddy glitching rig. We performed unlikely feats of PCB rework. We did side-channel analysis the hard way. We hacked on a plane. All these things and more (antics) will be discussed. Attendees will learn to expect failure and gain a better appreciation for the role of failure in innovation. We will also detail the useful parts of the tooling we developed, including AVR reversing and side-channel analysis with Jlsca.

Biography

Ben Gardiner is a Principal Security Engineer at Irdeto and a member of the ethical hacking team, specializing in hardware and low-level software security. With more than 10 years of professional experience in embedded systems design and a lifetime of hacking experience, Gardiner has a deep knowledge of the low-level functions of operating systems and the hardware with which they interface. He brings this knowledge to Irdeto, a pioneer in digital platform and application security. Prior to joining Irdeto in 2013, Gardiner held embedded software and systems engineer roles at several organizations. Gardiner has a Masters of Engineering in Applied Math & Stats from Queen's University. He is also a member of and a contributor to SAE TEVEES18A1 Cybersecurity Assurance Testing TF (drafting J3061-2) and the GENIVI security subcommittee.

Colin DeWinter is a Junior Security Engineer at Irdeto and a participant in the company's hacking team. He is experienced in application security with a leaning towards Android systems. He developed his two years of security experience while working at Irdeto. Prior to joining Irdeto in 2017, Colin was an Electrical Engineering student at Ontario's Waterloo University. Outside of work Colin is an avid gamer and can normally be found playing Overwatch.

Jonathan Beverley is a Principal Reverse Engineer as part of the security assurance team at Irdeto. He has been doing professional security analysis for seven years, and has been breaking stuff much longer. After getting a start making unsanctioned, but widely appreciated, video game patches, he's moved on to competing in security CTFs.

Jay Lagorio

Finding Valuable Needles in Global Source Code Haystacks with Automation

In this talk we’ll take a look at how OSINTers can automate having cool things brought to us. I will define “cool things,” describe data sources for those cool things, and show you how you too can Craal the web in your sleep and wake up to great results to sift through. Automated search capabilities of online developer tools are powerful and through that power we will put those tools to work in ways not originally envisioned by their creators. Our targets are Pastebin, Github, and Buckets with some help along the way from lesser known services to increase our effectiveness.

You’ll come away with the knowledge you need to lazily let the search engines of the web work for you through automation while still finding fantastic data for your random responsible disclosures or targeted bug bounties. Neither the stickiest Pastes, the hubbiest Gits, nor the seal’d’ist Buckets will be safe from you and the rest of us will be better for it. After describing the capabilities available to you I’ll tell you what you can do to keep yourself safe from this technique. If your data is already exposed in the ways described, I’ll walk you through what to do to clean up the mess.

Biography

Jay Lagorio, software engineer and independent security researcher, has been building computers and networks and writing code nearly his entire life. He received a B.S. in Computer Science from UMBC in 2008 and an M. Eng. from the Naval Postgraduate School in 2015. Although he specializes in Windows development, his side projects currently include open source intelligence projects to find data left out in the open waiting to be discovered.

Léanne Dutil

Throwing it out the Windows: Exfiltration d’identifiants Active Directory

Les filtres de mot de passe personnalisés de Windows permettent l’implémentation de politiques de sécurité plus sévères pour les mots de passe. Lors d’un stage chez GoSecure, Léanne a développé un outil de persistance qui permet d’exfiltrer des données par DNS en utilisant cette fonctionnalité. Déployé dans un environnement de production, cet implant exfiltre les identifiants de tout utilisateur du domaine ayant changé son mot de passe avec succès permettant ainsi à un attaquant de garder un pied dans le système.

Biography

Over the past few years, Léanne Dutil has developed a growing passion for cybersecurity. As a software engineering student at the École de Technologie Supérieure, she did not hesitate to get involved in the Délégation des Compétitions en Informatique de l’ÉTS (DCI), a team recognized in cybersecurity. Sociable by nature, Léanne is always ready to share her knowledge and learn more about information security.

Mahsa Moosavi

Understanding Digital Certificate Cybercrime Exploitation and Decentralizing the web using Ethereum Blockchain

Internet users have been using HTTPS (HTTP over TLS) to secure their web communications for years. Web servers use this protocol to ensure server authentication, and to do so they rely on the public key infrastructure (PKI), which uses a system of trusted third parties (TTPs) called certificate authorities (CAs). Many cybercriminal exploitations and attacks on CAs have been reported over the past years, representing major security drawbacks within the PKI. Each of these attacks has led to significant data leakage across the web. Yet there has been little quantitative analysis of the certificate authorities (CAs) and of how they perform domain name validation. In this research study we take a complete look at the PKI and web certificate authorities, and then implement an Ethereum-based system that can be used in place of the current centralized web PKI. We first perform a thorough empirical study of the CA ecosystem and evaluate the security issues with the domain verification techniques. We find that a central problem with the certificate model is that CAs resort to indirection to issue certificates because they are not directly authoritative over who owns which domain. Therefore, we design and implement a new and useful paradigm for thinking about who is actually authoritative over PKI information in the web certificate model. We then consider what smart contracts could add to the web certificate model if we move beyond using a blockchain as a passive, immutable (subject to consensus) store of data. To illustrate the potential, we develop and experiment with an Ethereum-based web certificate model we call Ghazal, discuss different design decisions, and analyze deployment costs.

Biography

I’m a blockchain and security engineer / PhD student at Concordia University. With a demonstrated history of working in information systems security, I’m skilled in SSL certificates, Bitcoin, Ethereum, Solidity, blockchain and fin-tech. I am a strong research professional with a Master’s degree focused on information systems engineering from Concordia University. Currently I’m a summer intern at the Autorité des marchés financiers, Quebec’s regulator, working on decentralizing the exchange systems in Quebec.

Ben Gardiner

CAN Signal Extraction from OpenXC with radare2

OpenXC builds its firmware – for both the open and proprietary builds – using JSON data structures which define the CAN signals. These definitions are akin to CAN database (.dbc) files. Reverse engineering of the open OpenXC builds (as an educational exercise) reveals that it is a straightforward matter to identify and extract the CAN signal definitions from the binary. Attendees will learn: What are dbc files? How to load raw binaries into r2 (ARM in particular)? How to pretty-print data structures using r2? The exposition of machine code in the talk will be via the free radare2 RE tool.

Biography

Ben Gardiner is a Principal Security Engineer at Irdeto and a member of the ethical hacking team, specializing in hardware and low-level software security. With more than 10 years of professional experience in embedded systems design and a lifetime of hacking experience, Gardiner has a deep knowledge of the low-level functions of operating systems and the hardware with which they interface. He brings this knowledge to Irdeto, a pioneer in digital platform and application security. Prior to joining Irdeto in 2013, Gardiner held embedded software and systems engineer roles at several organizations. Gardiner has a Master of Engineering in Applied Math & Stats from Queen’s University. He is also a member of and a contributor to the SAE TEVEES18A1 Cybersecurity Assurance Testing TF (drafting J3061-2) and the GENIVI security subcommittee.

Johnny Xmas

Shut Up and Take My Money: Scraping the Venmo Public Feed

Last Summer, Venmo hit the mainstream media over the “discovery” that their public feed was, well, public. While this was completely intentional and obvious to the end user, many were still shocked that anyone with Internet access could sift through their most intimate of transactions.

This presentation will comprise a discussion of the abandoned (but still accessible) Venmo public API, a script release to allow anyone to automatically dump the public feed for custom lengths of time, and some fun fooling around in the resulting data.

Biography

Johnny is a prominent thought leader in the US and European information security community, best known for his work on the TSA Master Key leaks between 2014 and 2018. Although currently working with the Australian firm ‘Kasada.io’ to defend against the automated abuse of web infrastructure, he was previously the lead consultant on Uptake’s Industrial Cybersecurity Platform. Prior to this, he spent many years in the field as a penetration tester, focusing heavily on both IT and physical security of financial and medical facilities.

Trevor Giffen & Pamela Hammer

Breach Analytica: Exploring the history & design of hacked data services

So. Many. Breaches. Hacked data leaks are on the rise, and hacked data services have been created in response to a growing problem.

Many of us know of and use “Have I Been Pwned?”, one of the first services to appear in 2013, but many others have been created since then. Right now, these hacked data services offer access to billions of leaked hacked credentials, including usernames, passwords, emails, and other personally identifiable information. Some services allow users to check if they exist within these data breaches without granting them access to the raw data, while other services make this data readily available for everyone to access and abuse for a paid fee. We’ll start with a hacker history lesson, exploring a five-year timeline showing the rise and fall of hacked data services, highlighting their rights and wrongs.

This leads up to a major announcement: we are excited to present “Breach Analytica”, our own hacked data service (official announcement, live demo, and possibly a release of the website if we are ready). We will walk the audience through the process of creating a hacked data service step-by-step, sharing what we have learned along the way. We will highlight the increasingly negative impact of hacked data services, the challenges of creating a hacked data service, and why hacked data services should be used to complement security awareness training programs.

Not only will attendees gain valuable insights from our guided exploration of “hacked data services”, but they will be the first to whom we present the release of “Breach Analytica”, our hacked data search service based on what we have learned, to improve cybersecurity awareness efforts.

Biography

Trev is an undergraduate student at the University of Ontario Institute of Technology, studying Networking & IT Security. He currently works as a Jr. Cybersecurity Consultant and an Independent Editorial Contractor. Previously, he completed two IT co-ops, and a cybersecurity internship in Québec. Since 2013, he has engaged with various InfoSec communities as a personal hobby.

Pam is an undergraduate student at the University of Ontario Institute of Technology, where she studies Networking and IT Security. Holding a passion in security and development, Pam spends much of her time working on personal projects and engaging with the InfoSec community. In addition to her studies and personal hobbies, Pam also works as a Jr. Cybersecurity Consultant.

Liam Graves

ICS: A deeper dive into defending and attacking operational technology

Having set the groundwork in “ICS: An introduction to securing and attacking operational technology”, we’ll take a deeper look at designing, defending, and attacking ICS and operational technology. As I am a design consultant, this will focus on design and defence, but the advantage of knowing how these systems are put together is that I know where the skeletons are buried, so stick around for some attack vectors in ICS.

The talk will cover in more detail the architecture and components of ICS and the breadth that the term ICS covers. We’ll look at critical national infrastructure, manufacturing, transportation, sensor networks, building controls, and other cyber-physical systems. There will be some discussion about applicable standards, regulation, and legislation but I will keep this bit brief and direct.

From a design, defence and attack perspective we’ll look at complexity and considerations of security in ICS including threat and risk assessments, system modelling, resilience, ICS protocols & communication, state estimation, indicators of compromise, countermeasures, and tools & tricks.

Biography

Liam has spent 19 years in the design and delivery of systems starting out in military defence systems, spent a little time in physical security in the financial sector, moved on to video analytics and distribution, and now consults on the design of operational systems in critical infrastructure.

He has contributed to the cyber security apprenticeship schemes in the UK, creating exam questions on cryptography and network security. Liam has spoken about implementing security requirements & threat assessments at UK Security Expo and had a guest spot on the Brakeing Down Security podcast to discuss security apprenticeships.

Liam holds an MSc in Information Security from Royal Holloway and is a CESG Senior Information Architect. He can be found on Twitter as @tunnytraffic and on NetSec Focus, a community for security enthusiasts.

Gabriel Ryan

Workshop : Advanced Wireless Attacks Against Enterprise Networks

This workshop will instruct attendees on how to carry out sophisticated wireless attacks against corporate infrastructure. Attendees will learn how to attack and gain access to WPA2-Enterprise networks, bypass network access controls, and perform replay attacks to gain administrative control over an Active Directory environment. External wireless adapters and additional required equipment will be provided to all workshop attendees, and material learned in the lectures will be practiced within a realistic lab environment.

Areas of focus include:

  • Wireless reconnaissance and target identification within a red team environment
  • Attacking and gaining entry to WPA2-EAP wireless networks
  • LLMNR/NBT-NS Poisoning
  • Firewall and NAC Evasion Using Indirect Wireless Pivots
  • MITM and SMB Relay Attacks
  • Downgrading modern SSL/TLS implementations using partial HSTS bypasses

Biography

Gabriel Ryan is a penetration tester and researcher with a passion for wireless and infrastructure testing. He currently serves as a co-founder and managing security consultant for Digital Silence, a Denver-based consulting firm that specializes in impact-driven penetration testing and red team engagements.

Prior to joining Digital Silence, Gabriel worked as a penetration tester and researcher for Gotham Digital Silence, contributing heavily to their wireless security practice and regularly performing large scale infrastructure assessments and red teams for Fortune 500 companies. Some of Gabriel’s most recent work includes the development of EAPHammer, an 802.11ac focused tool for breaching WPA2-EAP networks. On the side, he serves as a member of the BSides Las Vegas senior staff, coordinating wireless security for the event. In his spare time, he enjoys producing music, exploring the outdoors, and riding motorcycles.

Gabriel Ryan

Bypassing Port-Security In 2018: Defeating MacSEC and 802.1x-2010

Existing techniques for bypassing wired port security are limited to attacking 802.1x-2004, which does not provide encryption or the ability to perform authentication on a packet-by-packet basis [1][2][3][4]. The development of 802.1x-2010 mitigates these issues by using MacSEC to provide Layer 2 encryption and packet integrity checks to the protocol [5]. Since MacSEC encrypts data on a hop-by-hop basis, it successfully protects against the bridge-based attacks pioneered by the likes of Steve Riley, Abb, and Alva Duckwall [5][6].

In addition to the development of 802.1x-2010, improved 802.1x support by peripheral devices such as printers also poses a challenge to attackers. Gone are the days in which bypassing 802.1x was as simple as finding a printer and spoofing its address, as hardware manufacturers have gotten smarter.

In this talk, we will introduce a novel technique for bypassing 802.1x-2010 by demonstrating how MacSEC fails when weak forms of EAP are used. Additionally, we will discuss how improved 802.1x support by peripheral devices does not necessarily translate to improved port-security due to the widespread use of weak EAP. Finally, we will consider how improvements to the Linux kernel have made bridge-based techniques easier to implement and demonstrate an alternative to using packet injection for network interaction. We have packaged each of these techniques and improvements into an open source tool called Silent Bridge, which we plan on releasing at the conference.

  • [1] https://blogs.technet.microsoft.com/steriley/2005/08/11/august-article-802-1x-on-wired-networks-considered-harmful/
  • [2] https://www.defcon.org/images/defcon-19/dc-19-presentations/Duckwall/DEFCON-19-Duckwall-Bridge-Too-Far.pdf
  • [3] https://www.gremwell.com/marvin-mitm-tapping-dot1x-links
  • [4] https://hackinparis.com/data/slides/2017/2017_Legrand_Valerian_802.1x_Network_Access_Control_and_Bypass_Techniques.pdf
  • [5] https://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/identity-based-networking-services/deploy_guide_c17-663760.html
  • [6] https://1.ieee802.org/security/802-1ae/

Biography

Gabriel Ryan is a penetration tester and researcher with a passion for wireless and infrastructure testing. He currently serves as a co-founder and principal security consultant for Digital Silence, a Denver-based consulting firm that specializes in impact-driven penetration testing and red team engagements.

Prior to joining Digital Silence, Gabriel worked as a penetration tester and researcher for Gotham Digital Silence, contributing heavily to their wireless security practice and regularly performing large scale infrastructure assessments and red teams for Fortune 500 companies. Some of Gabriel’s most recent work includes the development of EAPHammer, an 802.11ac focused tool for breaching WPA2-EAP networks. On the side, he serves as a member of the BSides Las Vegas senior staff, coordinating wireless security for the event. In his spare time, he enjoys producing music, exploring the outdoors, and riding motorcycles.

Matt Eidelberg

Vibing Your Way Through an Enterprise – How Attackers are Becoming More Sneaky

Traditional defenses are no longer adequate when faced with modern attacks – attackers will always find a way in. Once an attacker has established a foothold inside a domain, their primary objective is to compromise their target as quickly as possible without being detected. Because of this, many organizations have begun the practice of monitoring for threats based on traffic patterns and characteristics of user activity, known as threat hunting. Unfortunately, these tools and appliances are not perfect, and adversaries are constantly developing new techniques to remain undetected. This talk will focus on some of the techniques attackers use to carry out domain enumeration, as well as hunting for users and systems which can be leveraged for elevated access while remaining undetected. I will cover the techniques attackers perform using objects integral to a domain environment, how they are effective and why they work. Finally, I will discuss and provide recommendations to help combat and mitigate these techniques.

Based on my research I’ve developed a framework I call Vibe, which utilizes these techniques to perform lateral movement while remaining undetected. This tool uses zero PowerShell. This tool can be used by both red and blue teams.

Biography

Matthew Eidelberg is a husband, father, and big security fanatic. Matthew works as a Senior Security Consultant on Optiv’s Attack and Penetration team. Matthew’s primary role is to conduct security penetration testing and red teaming assessments for Optiv’s clients, while also developing detailed remediation procedures in order to provide the best value to Optiv’s clients. Previously, Matthew worked as a Security Consultant for the Herjavec Group in Canada, providing the same type of work for clients in Canada, the United States and Asia. Matthew received his Bachelor of Technology in Informatics and Security, Seneca@York University in 2012 and was certified as an Offensive Security Certified Professional in March of 2015.

Israël Hallé

A Gentle Introduction to Fuzzing / Introduction au Fuzzing

Fuzzing could be summed up as a testing method that feeds random inputs to a program. Where a more traditional approach to testing relies on manual design of tests based on known assumptions, fuzzing brings an automated means of creating test cases. Although a single test generated by a fuzzer is unlikely to find any defects, millions of them in quick iterations make it very likely to trigger unexpected behaviors and crashes. With the rise of smarter fuzzers, fuzzing has become an efficient and reliable way to test most edge cases of a program and makes it possible to cover very large programs that would otherwise require a large amount of effort in manual review and testing. The low amount of manual intervention required to set up a modern smart fuzzer dismisses any pretext a developer or security researcher might have for not fuzzing their project. If you aren’t fuzzing, the bad guys will (and will find all the bugs that come with it).

This workshop aims to introduce the basic concepts of fuzzing to the participants and to enable them to make fuzzing a critical step of their testing process. The class will start with a quick introduction to the concepts of fuzzing, why participants should do it, and some benefits other organizations have gained from it. The workshop will then move on to a hands-on approach on how to set up AFL, run it against a program, and interpret the outputs. Most of the exercise will revolve around a sample program with intentional bugs and gotchas, and once the participants have an understanding of the basics, they will be walked through real-world scenarios. Finally, time will be allocated at the end for the participants to fuzz a project of their choice with the assistance of the presenters.

Requirements

Participants must:

  • Bring their own laptops with a working Docker installation. Docker will be used to give a proper AFL working environment to all participants. No support will be provided for participants running AFL outside of the provided Docker image.

For a better experience we encourage participants to:

  • Have a basic knowledge of C and common C vulnerabilities (buffer overflow, format string, etc.). The workshop won’t cover the exploitation of found crashes, but this knowledge will help in understanding why those crashes happen and what can be done with them.
  • Have command-line knowledge, particularly how to build a program with gcc from the command-line interface.

Biography

Israël Hallé has a B.Eng. from the École de Technologie Supérieure (E.T.S.). He worked as a developer on the Merchant Protection and Checkout teams at Shopify. He also did malware analysis and reverse engineering contracting work for Google on their Safe Browsing team. He is now working full-time developing the technology that powers Flare Systems. Israël has organized exploitation workshops at E.T.S. and at the NorthSec conference in addition to participating in multiple security CTFs, mostly working on binary reverse engineering and exploitation challenges.

Damien Bancal

GDPR in Europe: 6 months of experience

Since 25 May 2018, Europe and France have been living with the new regulation on personal data, the GDPR. We will look back at the past six months through my own experiences and real-life cases. So, is the GDPR effective or not?

Biography

TV and radio journalist, …; speaker; blogger (zataz.com is 25 years old) and clown.

Sebastian Feldmann

Harakiri: Manipulating binaries to optimize closed source fuzzing

Fuzzing of proprietary software brings many problems for researchers because, by the nature of proprietary software, the source code is not available. However, changing the original control flow graph (CFG) of the program is crucial for fuzzing, as it allows generating information about an execution with a given input (e.g. coverage feedback) and optimizing the program logic for fuzzing. Existing approaches to change the CFG of an existing executable, such as Dynamic Binary Instrumentation (DBI), cause a significant overhead for fuzzing which makes their use problematic.

In this talk I am going to address two major problems that arise when fuzzing closed source Windows applications that have a GUI and introduce my solutions for these, with which I have found various memory corruptions in different Windows PDF viewers, such as CVE-2018-6462 (PDF-XChange Viewer - Heap Overflow) and not yet disclosed corruptions in Adobe Acrobat Reader DC.

Biography

Sebastian is a Security Researcher at GoSecure and a postgraduate student at the Technical University of Darmstadt, Germany and Tallinn Technical University, Estonia.

With 7 years of experience in software development for banks and consulting businesses, he got involved with security and regularly participates in CTF events.

After his latest position as a pentester in Germany, he started working at GoSecure to finish his Master’s thesis and works on different projects in the area of fuzzing closed source applications, through which he has found various memory corruptions in products of well-known vendors such as Adobe or Tracker Software.

Kirill Shipulin

How to bypass an IDS with netcat and linux

Developers and researchers are confronted with a huge number of tools and technologies in their daily work, each of which has its own pros and cons. This realization is important for network devices intended to stop attacks — they should be “omnivores” with regard to network protocols. The speaker’s passion is to study and recreate various hacker attacks, exploits and tactics at the network level in order to develop reliable detection techniques for intrusion detection systems. While working on many attacks, he noticed some subtle network conditions under which a packet sequence slips past the IDS but still reaches the target. Will your IDS detect the data if the network connection was broken? Using nc and a Linux machine, the speaker will demonstrate 4 CVEs he found for bypassing IDS systems, using the popular Suricata IDS as the example.

Biography

Kirill is an expert at Positive Technologies in the Team for the Research of Attack Detection Methods. He was born in 1993 and earned a degree in Telecom Systems Information Security from the State University of Nizhny Novgorod in 2016. He used to work as a developer and QA engineer. In 2016, he joined Positive Technologies. Kirill is in charge of researching and writing network signatures to detect exploitation of new vulnerabilities, researching network attacks and methods of detecting them, as well as threat intelligence analytics. He spoke at the DefCamp #8 conference with the talk “Turning IDS signatures against an IDS itself: a new evasion technique” and at Positive Hack Days #8 with the talk “How to bypass an IDS with netcat and linux”.