Speakers 2019

Schedule: TBA soon (October 2019)

Speakers

Kristina Balaam

Adventures in obfuscated mobile adware

Adware is arguably the most prevalent form of malware targeting mobile device users today. Until now, much of the adware we’ve seen has been crudely developed and poorly obfuscated; the “low-hanging fruit” of the mobile malware research community. However, as official app stores like the Google Play Store increase security measures to prevent adware from targeting their users, developers are relying on more sophisticated techniques for hiding their malicious functionality and monopolizing the profitable out-of-app ad revenue stream. One publicly traded company on the NYSE with a cumulative install base of half a billion users produced some of the most popular applications on Google Play, including “TouchPal”, “Abs Workout” and “Drink Water Reminder”. We’ll look at their attempt to circumvent app store antivirus detections as a case study on the rise of sophisticated adware in the mobile app ecosystem. We’ll discuss how they managed to bypass stringent security checks and the aftermath of their unveiling.

Biography

Kristina is a Security Intelligence Engineer at Lookout, where she reverse engineers mobile malware. Prior to Lookout, she worked as a Mobile Application Security Engineer at Shopify, securing the company’s Android applications. Kristina graduated with a Bachelor of Computer Science from McGill University in 2012 and is currently pursuing an MSc in Information Security Engineering from the SANS Institute of Technology. She blogs about computer security on Instagram, Twitter and YouTube under the handle @chmodxx.

Serge-Olivier Paquette

Gold nuggeting: Intuition, machine learning and penetration testing

Intuition, acquired over many engagements, is what separates experts from novices. Intuition is the ability to look at a large amount of information, quickly spot the interesting items and discard the rest. In security audits, penetration testers are typically confronted with hundreds or even thousands of assets at the very start of an engagement. Being able to narrow their attention to the priority targets can save a team dozens of “precious” hours.

We will present Batea, a modular, dynamic, asynchronous and open source tool that uses machine learning to turn raw scan data into an asset prioritization based on a representation of security experts’ intuition. Batea prioritizes the output of tools such as nmap during security and inventory audits. Using machine learning, more precisely outlier (anomaly) detection techniques, our model digs out the veins that lead to the gold nuggets: the juiciest assets.

Among other things, Batea can automatically single out groups of interesting assets such as a workstation in a server zone (and vice versa), unusual server configurations, forgotten websites and network devices, all without prior knowledge of the scanned network or of the organization.

We will walk through the data processing steps as well as the internal models. We present the working principles of density-based models, isolation forests and neural networks. By the end of the presentation, attendees will understand how the tool is built, how to use it and how to improve it by adding elements of intuition and external data sources, and by sharing models between engagements.
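To make the “workstation in a server zone” idea concrete, here is an added example (not Batea’s own code, whose feature set and models are not reproduced on this page): a pure-Python isolation forest run over a constructed nmap-style inventory. The hosts, their open ports and the feature encoding (one binary flag per observed port plus the number of open ports) are assumptions made for the illustration; the scoring formula is the standard one from Liu, Ting and Zhou’s isolation forest paper.

```python
"""Rank scan results by how easy they are to isolate, in the spirit of Batea.

Pure Python (no scikit-learn) so it runs anywhere.  Added example; the
inventory below is constructed for illustration, not a real scan.
"""
import math
import random

# Constructed inventory: nine hosts that look like Linux web/database servers
# and one, 10.0.1.42, that looks like a Windows workstation in the server zone.
HOSTS = {
    "10.0.1.10": [22, 80, 443],
    "10.0.1.11": [22, 443],
    "10.0.1.12": [22, 80, 443, 3306],
    "10.0.1.13": [22, 80],
    "10.0.1.14": [22, 443, 3306],
    "10.0.1.15": [22, 80, 443],
    "10.0.1.16": [22, 3306],
    "10.0.1.17": [22, 80, 443, 8080],
    "10.0.1.18": [22, 443, 8080],
    "10.0.1.42": [135, 139, 445, 3389],
}


def port_vocabulary(hosts):
    """Every port seen open on at least one host, in a fixed order."""
    return sorted({p for ports in hosts.values() for p in ports})


def featurize(ports, vocab):
    """One binary feature per known port, plus the number of open ports (assumed encoding)."""
    open_ports = set(ports)
    return [1.0 if p in open_ports else 0.0 for p in vocab] + [float(len(open_ports))]


def _c(n):
    """Average path length of an unsuccessful BST search over n points (normalisation term)."""
    if n <= 1:
        return 0.0
    if n == 2:
        return 1.0
    harmonic = math.log(n - 1) + 0.5772156649  # H(n-1) via Euler's constant
    return 2.0 * harmonic - 2.0 * (n - 1) / n


def _grow(points, rng, depth, limit):
    """Build one isolation tree: random feature, random threshold, until isolated or depth limit."""
    n = len(points)
    if n <= 1 or depth >= limit:
        return ("leaf", n)
    splittable = [j for j in range(len(points[0]))
                  if min(p[j] for p in points) < max(p[j] for p in points)]
    if not splittable:  # all remaining points are identical; cannot separate them
        return ("leaf", n)
    j = rng.choice(splittable)
    lo = min(p[j] for p in points)
    hi = max(p[j] for p in points)
    split = rng.uniform(lo, hi)
    left = [p for p in points if p[j] < split]
    right = [p for p in points if p[j] >= split]
    return ("node", j, split, _grow(left, rng, depth + 1, limit), _grow(right, rng, depth + 1, limit))


def _path_length(point, tree, depth=0):
    """Depth at which the point lands in a leaf, plus the leaf's own expected depth."""
    if tree[0] == "leaf":
        return depth + _c(tree[1])
    _, j, split, left, right = tree
    return _path_length(point, left if point[j] < split else right, depth + 1)


def isolation_scores(vectors, n_trees=200, seed=0):
    """Anomaly score in (0, 1) per vector; closer to 1 means isolated in fewer splits."""
    rng = random.Random(seed)
    n = len(vectors)
    limit = math.ceil(math.log2(max(n, 2)))
    trees = [_grow(vectors, rng, 0, limit) for _ in range(n_trees)]
    scores = []
    for v in vectors:
        avg = sum(_path_length(v, t) for t in trees) / n_trees
        scores.append(2 ** (-avg / _c(n)))
    return scores


def prioritize(hosts, n_trees=200, seed=0):
    """Return (ip, score) pairs, most unusual host first."""
    vocab = port_vocabulary(hosts)
    ips = list(hosts)
    vectors = [featurize(hosts[ip], vocab) for ip in ips]
    scores = isolation_scores(vectors, n_trees, seed)
    return sorted(zip(ips, scores), key=lambda pair: pair[1], reverse=True)


if __name__ == "__main__":
    for ip, score in prioritize(HOSTS):
        print(f"{ip:12} {score:.3f}  {sorted(HOSTS[ip])}")
```

The workstation-looking host surfaces at the top because every tree can separate it with a single split on any of the ports it alone exposes (or on port 22, which it alone lacks), whereas the servers need two or more splits to tell apart. On a real engagement the features would come from nmap’s XML output and include far more than open ports; the point here is only that “unusual relative to the rest of the scan” is something a model can compute without knowing the organization.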

Biography

Serge-Olivier Paquette is principal researcher in artificial intelligence and cybersecurity at Delve. His research focuses on the ability to infer, through machine learning, the context of security events from incomplete information. He has a strong interest in computer security, mathematics, puzzles, people and, more generally, the challenges thought to be impossible to take on. He also enjoys organizing security events and CTFs, and serves as VP Logistics for NorthSec.

Cédric Thibault

Attack and defense techniques in AWS

Cloud security is a hot topic and gets a lot of attention. But concretely, how does it differ from traditional on-premises security? Through a presentation of various attack and defense techniques, you will get an overview of the risks specific to cloud environments, and more specifically to AWS.

Biography

Passionate about IT and innovation, over my 25 years of experience I have had the opportunity to work in many diverse fields. An information security specialist certified CCSK, CISSP and AWS, I have focused on cloud security (AWS, Azure, GCP) while keeping an interest in several related areas: vulnerability management, information protection, DevSecOps. As Vice-President at KPMG-Egyde, I have the pleasure of supporting many clients in Quebec and across Canada in securing their “Journey to the Cloud” with a large, dynamic and multidisciplinary team.

Cheryl Biswas

Mind the gap - managing insecurity in enterprise IoT

IoT is an ever-expanding attack surface about which we have many misconceptions and assumptions but for which we have very few policies, regulations or security. These are devices built for one purpose, not meant to be upgraded and rarely if ever patched. As more devices are enabled to connect and communicate online, in the relentless pursuit of innovation, we’ve put the cart before the horse and failed to construct a framework to effectively control and secure the capability created. Consider this: over 90% of the data in the world was created over the past two years, and current output is roughly 2.5 quintillion bytes per day. As IoT moves into a range of enterprise environments, driven by consumer demand and BYOD desire, Shadow IT becomes Shadow ET, bringing new challenges and risks that our existing compliance and security don’t address or regulate.

Misconfiguration usurps any benefits of eroding segregation as online exposure of both sensitive data and critical systems increases. Adversaries at all levels have been watching, waiting and are making their moves because ignorance isn’t an excuse – it’s an invitation to exploitation.

Biography

Cheryl Biswas is a Strategic Threat Intel Analyst with a major bank in Toronto, Canada. She found her way into InfoSec through a helpdesk backdoor and pivoted into roles for vendor and change management, jumped a gap into privacy and DR/BCP, then laterally moved into security audits and assessments. Her degree in Political Science has evolved into researching APTs, botnets, ransomware and more. She is actively involved in the security community as a speaker and a conference volunteer, and encourages women and diversity in InfoSec as a founding member of The Diana Initiative.

Ophir Harpaz & Daniel Golberg

Conclusions from Tracking Server attacks at scale

There are countless attacks on internet-exposed servers every second, but what are those attacks trying to achieve? How are they trying to break in? How many unique groups of attackers actually exist? As data centers and cloud infrastructures become more popular, so do the attack campaigns targeting them. The variety of attack surfaces, vulnerabilities, exploits and attack flows is in constant growth and evolution.

We deployed a large collection of high-interaction deception servers in multiple cloud environments worldwide. Each such deception machine is capable of capturing and recording attacks on various services: RDP, SSH, MySQL and many more. This infrastructure provides us with a tremendous amount of data: we get to see where attacks originate from, what machines they connect back to, the ports and services attackers attempt to breach, the processes they initiate, and much more. Using this unique and comprehensive dataset, we explore attack patterns and model the behaviour of the attackers.

In this talk, we will guide the audience through our analysis and present some interesting findings. For example, do attackers really change behavior after new vulnerabilities are disclosed? What is the lifetime of an attack machine or a command-and-control server? Do attackers bother staying persistent on victim machines? Using our results, we will provide a clearer picture of today’s data-center-oriented cyber attacks.

Biography

Daniel Goldberg is a security research expert at Guardicore, where he is responsible for tracking the latest security intelligence, including detailed analysis of hackers’ methodologies, for use in implementing advanced countermeasures into Guardicore products and services. Daniel has over 10 years of cyber security research experience. He also maintains the Infection Monkey, an open source breach and attack simulation tool.

Ophir Harpaz is a Cybersecurity researcher at Guardicore. She is thrilled by hunting and analyzing attack campaigns on data centers and organizations, reversing malware and investigating attackers’ operational infrastructure. Author of https://begin.re workshop for reverse engineering newcomers.

Rana Khalil

Why Johnny still can’t pentest: A comparative analysis of Open Source Web Application vulnerability scanners

When conducting a web application vulnerability assessment, great emphasis is put on running a vulnerability scanner. These are automated Dynamic Application Security Testing (DAST) tools that crawl web applications to look for vulnerabilities. No matter how complete the assessor’s “manual” testing is, you find the project manager reluctant to give the stamp of approval without having run a scan first. This reaction usually stems from the fact that scanners are advertised as being your go-to automated solution for finding critical vulnerabilities.

In this talk, we’ll present the findings of our thesis research where we evaluated the crawling coverage and vulnerability detection of leading open-source web application vulnerability scanners. The scanners were run in two modes:

  • Point-and-Shoot (PaS): In this mode the scanner is only given the root URL of an application and asked to scan the site.
  • Trained: In this mode the scanner is first configured and trained to maximize the crawling coverage and vulnerability detection.

We’ll present the technologies that scanners found difficult to crawl and the classes of vulnerabilities that went undetected. We’ll also outline the differences in crawling coverage and vulnerability detection when scanners are run in PaS and Trained modes.

The results of our analysis will show the sheer importance of having a human being not only spend a significant amount of time configuring the scanner, but also manually test for vulnerabilities that would be impossible to detect by a tool that has no way of understanding the logic and architecture of an application.

Biography

Rana Khalil is a recent graduate from the University of Ottawa where she earned a master’s degree in Computer Science. Her thesis focus was on evaluating open-source web application vulnerability scanners. Her research received honourable mention at the WiCyS 2019 conference. She has a diverse professional background with experience in software development, web application vulnerability assessment, malware analysis and teaching. She also has had the opportunity to speak at several conferences/chapters including BSides, ISSA and OWASP Ottawa.

Nicolas-Loïc Fortin

Zero trust in the era of massive information leaks

The summer of 2019 shook Quebec with a series of massive information leaks. These are due to a whole range of factors, from abuse of access, through misuse and failure to follow administrative rules, to plain negligence. These situations are complex and cannot be solved by the usual ways of doing things, a magic box or the latest fashionable concept.

How does zero trust apply to information leaks? These notions put the information at the center of the security reasoning, thereby limiting the ability to move large quantities of information in an unauthorized way.

Biography

A dude who has been working in infosec for more than 18 years, scribbling on paper and tinkering with systems.

Co-founded the Hackfest, hosts the podcast La French Connection, founded the defensive security event SeQCure… and all related tasks.

Marc-André Bélanger

F2P - Free to pawn

Talk in French (Franglais)

Remote code execution in ad services was not bad enough… It looks like those ad drivers allow for a lot more features than anticipated, from data persistence to extraction of the installed apps on devices… I mean, what can go wrong!

Biography

Has spoken several times at Hackfest and AtlSecCon. Currently working in the entertainment industry, Marc-André has also worked in the financial and retail sectors.

Damien Bancal

When government emails wander around the darknet

For several years I have been monitoring the black markets. Since the Desjardins affair and the exfiltration by an internal employee, or the “phishing” that targeted employees of Alliance Assurance, I have set out to search for information that may have been stolen from Canadian citizens. Journalists, politicians, civil servants… Several tens of millions of pieces of information could be collected, ranging from the “simple” email address, through passwords, sites visited (outside a professional context), banking data, identity documents… By monitoring more than 3,000 pirate web spaces (black markets, Discord, forums, web, Telegram, PasteBin), I was able to trace data belonging, for example, to holders of gouv.qc.ca, asanat.qc.ca or judex.qc.ca email accounts. If the digital enemy can come from within, with the theft of files belonging to the employer, we will discover that the first danger for the Internet user… is the Internet user themselves. Pirates and data sellers have understood this well and use every method to buy and resell their victims’ digital identity and reputation. You will discover how the research was launched. How I got in touch with the distributors of the Sodinokibi ransomware and how they made American and Canadian dentists pay. How data, once exfiltrated by the pirates, is sold and used, and how they launder the money earned on the backs of robbed Internet users. This talk is in French. It is aimed at the general public, the press and businesses. Its purpose is not to be technical but to inform. Because being informed is already the first step to being secure.

Biography

French-speaking journalist, working on the fight against cybercrime since the early 1990s. Specialist in cyber intelligence. Creator of one of the oldest blogs dedicated to cybersecurity (zataz.com). TV and radio columnist. Professional joker on the podcast “La French Connexion”.

Mahsa Moosavi

Recent developments in designing price-stable cryptocurrencies

Stablecoins are a sudden phenomenon in the rapidly growing world of cryptocurrencies. Extreme volatility in Bitcoin and other well-known cryptocurrencies has hampered transactions, increased speculation, and prevented mature lending/credit markets from forming. Therefore, governments, companies, and financial institutions have shown interest in cryptocurrencies designed to have lower volatility than Bitcoin or Ether, also known as stablecoins, and now we can find quite a few of them in circulation.

Although a huge number of blog posts and research papers were published on this topic in 2018, which is known as the year of the stablecoins, there is a lack of understanding of the core stability mechanisms and methodologies. The reason is that the majority of these research works focus on enumerating the intricate details of how a particular ‘brand’ of stablecoin works today, details that could change tomorrow.

In this presentation, I provide a thorough understanding of stablecoins and their fundamental stability mechanisms, which is the result of a comprehensive survey we performed in early 2019. As opposed to other research works on this topic, we are very selective in the concepts from finance we bring into the survey and explain each from first principles, while attempting to minimize or eliminate jargon. In addition, I present the taxonomy we use to classify stablecoins, in a way it hasn’t been done before.

At the end of this talk, the audience will learn (i) what the core stability primitives are and how these concepts work in practice, as well as (ii) why they are thought to adjust exchange rates to achieve price stability, what assumptions they are based on, and what risks still exist.

Biography

I’m a blockchain and security engineer and PhD student at Concordia University. With a demonstrated history of working in information systems security, I’m skilled in SSL certificates, Bitcoin, Ethereum, Solidity, blockchain and fintech. I am a strong research professional with a Master’s degree focused on information systems engineering from Concordia University. In summer 2018, I was an intern at the Autorité des marchés financiers, Quebec’s regulator, where I worked on decentralizing the exchange systems in the province of Quebec. I have also given many tutorials and talks to the broader blockchain community, including at Hackfest 2018.

Remy Baccino

You shall not pass, even if you look like a hobbit - an appeal to smarter physical security

In recent years, we have been observing a recurring thought process in many different organisations. Although companies are taking information security increasingly seriously, it looks like physical security is still not anyone’s concern. We mostly hear the following two arguments: “the building’s security company is taking care of it” or, worse, “we are aware of the risk and are accepting it”. Although it is not commonly associated with data security, physical security can quickly lead to data breaches, and we need to start “assuming physical breach” in our security designs.

Biography

Professional in Red Team exercises for more than 7 years in Canada, currently leading the offensive security practice at In Fidem. Along the way I experienced working with very different organizations, from the one-man operation to 20000+ employees companies.

Although my experience in security has mostly been as a pentester, with the way I have to see networks from the point of view of an attacker, my original background is as a C and Delphi programmer, which helps me whenever I need to appear extra-nerdy in front of technical people.

Itzael Jimenez Aranda

Discovery protocols put smart homes at risk

The proliferation of IoT devices in homes is increasing because of the utility they can provide. They give users the ability to perform different tasks using just their smartphones. Users can receive alerts, and monitor or change the state of a device. For instance, they can turn lights and appliances on or off, (un)lock padlocks or door locks, monitor environmental variables, and perform many other actions available to the user depending on the device’s purpose. However, since IoT devices need to be easy to set up, they use discovery protocols, and because of that they put smart homes at risk of being attacked, even by people without technical knowledge, like our neighbors. We performed different empirical studies which have shown us why discovery protocols need to be limited. The studies also allowed us to define a threat model to help us define and propose a solution to protect smart homes.

Biography

I’m Itzael, a security analyst.

Currently I’m a master’s student at Polytechnique Montréal working in a security lab; I already have a master’s degree, also in security, from my country, Mexico. Moreover, I work as a freelancer on security projects from all around the world while I finish my master’s here in Canada.

I have worked for some years as a security analyst engineer in critical situations, from government projects related to presidential elections to financial situations related to banking information, which allows me to understand almost any security subject. I have presented research work at IEEE (2015) and SecureCOM (2016) conferences about malware on mobile devices. Furthermore, I am a Certified Ethical Hacker (CEH) and I used to participate in CTFs as a hobby; in fact, I have won some in my country.

I consider myself a person who enjoys security as part of his life, since I have developed my own projects just as a hobby.

Mangatas Tondang

Unveiling the not-PowerShell cult

The name PowerShell is self-explanatory: some sort of command-line shell with lots of superpowers hidden under the hood. It’s heavily utilized by sysadmins, loved by red teams, exploited by APTs and now also taken into consideration by blue teams because of its advanced logging and security features. More mature blue teams have started building detections against PowerShell and securing their perimeter using its features like Constrained Language mode, AppLocker and Script Block/Module logging.

Although PowerShell techniques fall under the Execution tactic in MITRE ATT&CK, you can pretty much achieve all the other 11 tactics just by using PowerShell; that’s why red teamers love PowerShell! But red teamers who use PowerShell as their main arsenal have needed to avoid PowerShell since the release of version 5 armed it with the security features listed above. Deep down, of course, they still crave the functionality of those juicy PowerShell cmdlets. That’s why a number of offensive security researchers developed Not-PowerShell tools. These tools use the libraries and system calls used by PowerShell (counterfeit PowerShell, in a nutshell) while bypassing PowerShell’s security features.

This talk will uncover some of the popular techniques used to develop these Not-PowerShell tools. We will finally meet the four members of the cult: InvisiShell, PowerShDLL, PowerLessShell and NoPowerShell. After a brief introduction to how they work, we will have a little show of the capabilities of these tools. Lastly, and most importantly, we will turn a full 180 degrees and put on our blue team hat. We will try to detect these tools using Windows logging, the infamous Sysmon and, last but not least, Event Tracing for Windows (ETW).
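One of the Sysmon-side detections a blue team reaches for here is an added example, not material from the talk: any process that hosts the PowerShell engine through PowerShell’s own libraries has to load the System.Management.Automation assembly, so an ImageLoad event (Sysmon Event ID 7) for that DLL from anything other than the standard PowerShell hosts is worth an alert. The Sysmon records below are constructed (the paths are illustrative, not copied from a real host), and the allowlist of expected host processes is an assumption to tune per environment. A tool that reimplements cmdlets without loading the engine assembly produces no such event, so this is one layer, complementary to the ETW-based detections the talk covers.

```python
"""Flag the PowerShell engine assembly being loaded outside the usual PowerShell hosts.

Added example over constructed Sysmon ImageLoad (Event ID 7) records; the
expected-host list is an assumption, not a vendor-supplied baseline.
"""
import ntpath
import re

# Processes expected to load the engine (assumed baseline; extend for your estate).
EXPECTED_HOSTS = {"powershell.exe", "powershell_ise.exe", "pwsh.exe"}

# The engine assembly, in its IL form or its native-image (.ni) form.
ENGINE_DLL = re.compile(r"system\.management\.automation(\.ni)?\.dll$", re.IGNORECASE)

# Constructed Sysmon records.  EventID 7 = ImageLoad, EventID 1 = ProcessCreate.
SAMPLE_EVENTS = [
    {"EventID": 7,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ImageLoaded": r"C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation"
                    r"\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll"},
    {"EventID": 7,
     "Image": r"C:\Windows\System32\rundll32.exe",
     "ImageLoaded": r"C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Management.Automation"
                    r"\1a2b3c4d\System.Management.Automation.ni.dll"},
    {"EventID": 7,
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "ImageLoaded": r"C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation"
                    r"\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll"},
    {"EventID": 7,
     "Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
    {"EventID": 1,  # process creation, not an image load: ignored by this rule
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\Public\loader.dll,Start"},
]


def is_engine_load(event):
    """True for an ImageLoad event whose loaded module is the PowerShell engine assembly."""
    return event.get("EventID") == 7 and bool(ENGINE_DLL.search(event.get("ImageLoaded", "")))


def unexpected_engine_hosts(events, expected=EXPECTED_HOSTS):
    """Return (host image, loaded dll) for every engine load by a non-allowlisted process."""
    alerts = []
    for event in events:
        if not is_engine_load(event):
            continue
        host = ntpath.basename(event["Image"]).lower()  # compare on basename, case-insensitively
        if host not in expected:
            alerts.append((event["Image"], event["ImageLoaded"]))
    return alerts


if __name__ == "__main__":
    for image, dll in unexpected_engine_hosts(SAMPLE_EVENTS):
        print(f"ALERT unexpected PowerShell host: {image} loaded {dll}")
```

The two hits are rundll32.exe and MSBuild.exe, the kinds of signed launchers that DLL- or build-task-based Not-PowerShell tools ride on; powershell.exe loading the same assembly is the normal case and stays quiet. In production the rule needs a per-environment baseline, since legitimate management agents and IDEs also embed the engine, and it should be paired with the ETW signal for hosts that disable Script Block logging from inside the process.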

Biography

Professionally, Tas is a (not the advanced kind of persistent) threat hunter for one of the major Canadian telecommunication companies. As a blue teamer, he is passionate about learning and breaking hacking tools to pieces and trying to develop detections against them. He also loves following and building detections from recent intelligence reports on different APT groups.

Coming from a school that taught him a broad spectrum of information security, he also loves exploring application security and reverse engineering, and creating tools that can help him and his coworkers. He wouldn’t be here without community support; that’s why he loves to give security training to other people, and he is currently also a member of the CTF challenge development team for his alma mater.

Martin Dubois

Network traffic capture: high speed and advanced filters

GPU-dpi is a tool that lets you use advanced criteria to select the packets to capture on a fast network link. In addition to the criteria normally supported by capture tools, the user can search for character strings or binary data blocks in the packet payload. They can even use regular expressions to detect the presence of certain kinds of information in the data, such as phone numbers, email addresses, URLs, HTTP requests…

GPU-dpi is based on the OpenNet technology presented at Hackfest 2018. The network card receives the packets and places them directly in the memory of a graphics card. The GPU then analyzes the packets and decides which ones are captured. The power of the GPU allows very complex selection criteria to be used even on fast network links of several tens of Gb per second.

GPU-dpi is fully integrated with Wireshark and can also be used on its own or with other capture and analysis software.

Biography

Martin Dubois studied computer engineering at Université Laval before working in several startups, mainly as a specialist in the link between software and electronics. It is in this field, device driver development, that he has worked as a consultant and trainer for more than 15 years. He also regularly teaches part-time at the college and university level. He also has a strong interest in computer security and writing.

Anna Manley

The natural curiosity of infosec professionals is what makes them so good at their jobs. Problem-solving requires creative thinking; creative thinking is fuelled by that curiosity. But what happens when that curiosity results in you getting fired? Sued? Arrested? I’ll explore the legal implications of vulnerability discovery and disclosure when you’re a curious, off-the-clock volunteer or an on-duty professional.

Biography

Anna Manley is the principal lawyer of Manley Law Inc. and the CEO of Advocate Cognitive Technologies Inc. She practices law in the areas of Information Technology, Internet, and Privacy.

J. Wolfgang Goerlich

Design: The Art of Building Security Programs

Security happens where man meets machine. Or, fails to happen, as we see all too often. Blame the users. They’ll click anything. Blame the developers. Half their code is riddled with vulnerabilities anyways. Blame the IT staff. You’d think they’d at least know better. But perhaps, we’ve been placing the blame on the wrong places. What exactly happens where people and technology meet? At that moment, that very moment, what factors in human psychology and industrial design are at play? And suppose we could pause time for a moment. Suppose we could tease out those factors. Could we design a better experience, design a better outcome, design a better path to the future? This session explores these questions and identifies lessons the cyber security field can learn from industrial design.

Biography

J. Wolfgang Goerlich is an Advisory CISO for Duo Security. Prior to this role, he led IT and IT security in the healthcare and financial services verticals. He has led advisory and assessment practices in several cyber security consulting firms. Wolfgang regularly presents at regional and national conferences on the topics of risk management, incident response, business continuity, secure development life cycles, and more.

Antonio Piazza

Gone Calishing: A Red Team Approach to Weaponizing Google Calendar and How to Stop It

On Halloween, October 31, 2018, two Black Hills Security researchers, Beau Bullock and Michael Felch, disclosed step by step to Google how anyone with a Gmail account could add an event, as “accepted”, to any Google Calendar via the Google Calendar API. Google called it a feature. Why, a year later, is this not fixed? This talk will demonstrate how this “calishing” attack can be utilized in a Red Team operation where the target organization uses G Suite. I will demonstrate this by leveraging an open source Python tool that I have developed, G-Calisher, based on Beau Bullock’s and Michael Felch’s PowerShell module “Invoke-InjectGEventAPI” from their MailSniper tool. I will lead the audience through the entire kill chain, from recon (how to determine if an organization is using G Suite for its email) through Command and Control. I will also discuss how the organization can stop this attack.

Biography

Antonio Piazza, hailing from Austin, TX, USA, is an Offensive Security Engineer on the Box Red Team. Following his stint as a US Army Human Intelligence Collector, he worked as a defense contractor/operator on an NSA Red Team, so he is intimately familiar with spies, hacking and everything nerdy. Antonio is passionate about all things related to macOS security and thus spends his days researching macOS internals and security as well as writing free, open source security tools to help protect Mac users.

Jean-Philippe Taggart & Jerome Segura

How to build a hot lab for optimal malware detonations

This presentation will describe a hot lab that we developed and use every day to detonate malware and collect traffic and IOCs. Samples can carry different payloads depending on the geographic location where they are detonated, on victim-filtering mechanisms that inspect the web traffic, and on inspection of the environment before the malicious payloads are detonated. This lab addresses these problems in a safe way so that the execution can be replayed through all its stages.

Biography

Senior Threat Researcher @ Malwarebytes and Director of Threat Intel @ Malwarebytes

Yagnesh Waran P & Laura Harris

The Mechanics of Malware’s Darkside

This presentation will introduce the basic steps of carrying out static and dynamic analysis on malware using strings, the PE file format, a disassembler and other tools. Diving into the dark waters of dissecting malware will allow the audience to understand how to disassemble malware, identify key strings and processes, and track the behavioral triggers once it is placed in a sandbox. It also highlights the limitations of static analysis and hints at the next phases of analyzing obfuscated malware. The audience will be able to develop basic Snort and YARA rules based on the information shared.

Biography

Yagneshwaran is an aspiring Security Researcher with a profound interest in Threat Hunting and Malware Analysis and is a recent graduate of the Network and System Security Analysis program at George Brown College. His dedication to cybersecurity grew after participating in various Capture the Flag events that happened across Toronto. His debugging skills help him to safely reverse engineer malware and analyze the code step by step.

Joe Gray

7 habits of highly effective adversaries

Despite having undergone a renaissance in terms of refining methods of both offense and defense from a professional sense over the years, there is still much disparity in terms of career navigation. Even from the sense of malicious adversaries, their TTPs evolve alongside the defense techniques. How does one get into this frame of mind and what should they do to improve and innovate? What are the minimum technical requirements to succeed? I am already in the adversarial emulation field; what is in this for me? You will learn about trends from adversarial groups (high level) so that you can actually simulate what the bad guys will do, not what other pen testers and such are up to. Why have this discussion? Too often, we get wrapped up in named vulnerabilities or what other firms are doing and lose sight of what matters most: helping the client. As someone who spent the beginning of their career on the blue team, I am working on moving to the red team. This presentation talks about the tools, techniques, and procedures (TTPs) needed to be successful as an adversary, whether operating as a penetration tester or red team operator, while leveraging blue team experience. This is not a “pwn the planet” presentation, but rather an alternative viewpoint to allow current red teamers and pen testers to grow and to allow those seeking entry a path to follow. The secondary idea of this presentation is to encourage more collaboration and conversation between offensive and defensive disciplines.

Biography

Joe Gray joined the U.S. Navy directly out of High School and served for 7 years as a Submarine Navigation Electronics Technician. Joe is currently a Senior Security Architect and maintains his own blog and podcast called Advanced Persistent Security. Joe is the inaugural winner of the DerbyCon Social Engineering Capture the Flag (SECTF) and was awarded a DerbyCon Black Badge. Joe is also a member of the “Password Inspection Agency” CTF team, where they have placed 3rd in the 2018 and 2019 NOLACon OSINT CTFs and 2nd in the 2019 BSides Atlanta OSINT CTF. Joe has contributed material for the likes of AlienVault, ITSP Magazine, CSO Online, and Dark Reading. Joe is a regular contributor for Forbes and is an IBM Recognized Speaker/Presenter.

Johnny Xmas, Chris Carlis

Failing Upwards: Pentester Horror Stories

Penetration testers are often revered as the most knowledgeable and elite of the Information Security warriors. They’re the modern bank robbers, pulling off sexy hacks and leaving a trail of leet 0-days in their wake. Chris and Johnny are here to show you this is patently untrue by sharing stories of horrible, hilarious failure from within the secret world of pentesting. Learning from failure is critical, and best done with somebody else’s failures.

Biography

Johnny Xmas is a prominent personality in the Information Security community, most well-known for his work on the TSA Master Key leaks between 2014 and 2018. Currently working with the Australian firm ‘Kasada’ to defend against the automated abuse of web infrastructure, he was previously the lead consultant on Uptake’s Industrial Cybersecurity Platform. Prior to this, he spent many years in the field as a penetration tester, focusing heavily on both the IT and physical security of financial and medical facilities, as a Security Engineer for a global Fortune 500 retail corporation, and as a Mainframe auditor and Systems Engineer for several IT asset recovery firms.

Chris Carlis is a member of Dolos Group and has built a career helping organizations become more secure through offensive testing. Locally, Chris is a community organizer in the Chicago area and helps coordinate a number of monthly gatherings designed to connect like-minded information security professionals.

Hugo Benoist

An introduction to sociology in the service of SE and OSINT.

OSINT (open-source intelligence, that is, intelligence gathered from open sources) and social engineering (manipulation techniques) are increasingly common practices in security work (red teaming, phishing…). To master them better, the social sciences and their laws can be very useful. This talk will introduce attendees to the sociological thought of Pierre Bourdieu, the great French sociologist who created the deterministic sociology of culture.

We will try to understand how to apply this way of thinking (our socio-professional category determines our tastes and our choices), and the social sciences in general, to social engineering techniques and to the practice of OSINT.

Biography

A senior infosec consultant (threat intel, red team…), he has studied cross-disciplinary fields such as sociology, philosophy and competitive intelligence. He is the secretary of the French association RTFM (https://rtfm.re) and co-founder of the OSINT-FR community (http://discord.osint-fr.net).

Steve Waterhouse

To be announced

To be announced

Biography

To be announced

Joniel Gagné-Laurin

Do you trust your PKI?

I have already given a similar presentation at a private IT security event; I would take up the same subject again and adapt it for Hackfest. In this presentation, I want to highlight a potential corporate security problem: the PKI. As much as a PKI is treated as a security tool, it can just as easily be diverted from its purpose by an attacker and used to infiltrate deep into a corporate network without being noticed. Whether by using stolen certificates to compromise secured communications, by signing malicious executables with a key from the company’s PKI to evade protection systems, or simply by issuing certificates to host phishing servers, the security of a PKI is paramount. Moreover, considering that in recent years the use of certificates has spread to our mobile devices, as an authenticator on portals or for remote-access technologies, and offers the possibility of signing internal applications in order to “guarantee” their origin, it is easy to see how an attacker could not only infect the company but also affect its employees and customers. Unfortunately, past decisions, questionable practices or a PKI that is treated like any other system can lead to serious consequences.

My goal is to present the pitfalls to avoid when setting up such an infrastructure, best practices, and real-life examples. This presentation is meant to be informative and to raise questions in the minds of those attending, with a bit of humour and several memes to liven up the session.

Biography

I have worked in IT for 10 years and have been passionate about IT security from the start. Whether through my university studies, my personal learning or my visits to conferences such as Hackfest, my goal has always been to join the IT security field. For 10 years now I have worked for Square Enix Europe, the European and North American division of the Square Enix group. I started as a technical support analyst, then moved on to network administrator, and finally became a security analyst three years ago. My work consists not only of detecting and investigating incidents, but also of deploying security tools, helping to design technology solutions and carrying out security audits.

Adrian Korn

The OSINT Space is Growing! Are we Ready?

The amount of public data generated on the internet is exponentially growing, and in turn, so is the OSINT space. This has led to new applications of OSINT to process all this data and derive meaningful intelligence that organizations can act on.

While this fast growth is great for the industry, new applications of OSINT come with many challenges. These challenges include defining what is “Good OSINT”, effectively navigating OSINT tools, and providing adequate interoperability between such tools.

Biography

Adrian Korn has specialized in Cyber Threat Intelligence and OSINT while working for organizations in the financial services and technology space. Adrian has previously delivered talks at DEFCON’s Recon Village, Penn State University, and has been a guest speaker on the OSINT Curious and Security Sandbox podcasts.

Leveraging his background in the intelligence field, Adrian serves as the Director of OSINT Operations & Strategic Initiatives at Trace Labs, a Not-For-Profit that crowdsources OSINT to generate new leads on active missing persons investigations. At Trace Labs, Adrian’s primary focus is on building partnerships with organizations within the OSINT and missing persons space, while also facilitating “Missing CTF” events for various conferences, academic institutions, and Not-For-Profits. Past events have included ones at Australia’s National Cyber Week, BSidesTO, DEFCON, BSides Vancouver, and Hackfest.

Adrian is also a Director and Lead Organizer for the DEFCON Toronto Chapter where he facilitates monthly meetups, workshops, and CTFs for a community of 2500+ hackers and security professionals.

Alana Staszczyszyn

War in the fifth dimension - An overview of the Weaponization of Information

Recently, cyberwarfare has hit the mainstream media as a hot security topic. Following paradigmatic attacks within the last decade that range from the disruption of electoral systems to the obliteration of physical buildings, information security has been called to answer the question: what exactly is cyberwarfare, and what are the implications of its existence? Gone are the days when one could see a “tangible” weapon heading toward a target; the manipulation of sociopolitical processes, interruption of civilian-serving infrastructure, and even the annihilation of physical assets exist as highly organized and resourced campaigns. These objectives may be carried out over long periods of time. Yet, unlike traditional warfare, they are enabled by cyber operations that are digital, invisible, and near-instant to execute.

The surety of media on the subject might lead one to believe that the issue is well defined and managed by thorough, well-implemented frameworks. Yet an investigation of the state of internationally-definitive frameworks, military doctrines, and academic literature on the topic reveals that, despite the recognition of warfare’s “fifth dimension” or “informational domain” having been coined almost two and a half decades ago, there is little consensus on what exactly counts as a true “act of war.” To further aggravate the issue, such a concept is not totally delineated even when solely considering kinetic warfare. The unique qualities of cyberspace only add more controversial nuances to an already ill-defined attempt at maintaining international peace.

This presentation will investigate some of the biggest questions that the industry faces in producing these definitions: how much injury and destruction constitutes a true act of cyberwarfare? Furthermore, which entities and what targets can or cannot be considered participants in international affairs? And, finally, what separates any of these incidents from simply being sublethal acts of espionage, terrorism, or psychological and economic manipulation?

An exploration of some of the most influential case studies to date will elaborate on just how complicated this question is to answer, and the implications of nation-states’ cooperation given its lack of clarity. If the object and purpose of these regulations is to provide for the mutual de-escalation during international conflicts, then we must consider: are the current rules attractive enough for nation-states to willingly participate? And what incentives might there be to inspire them to set regulatory precedent?

Biography

Alana Staszczyszyn is a practicing security consultant. Her past and present work has focused on penetration testing as well as security governance in the public health sector. She is also heavily interested in various political, socioeconomic, and cultural aspects of cybersecurity, particularly on how the intersections of security and those domains have given rise to new risks in the cyber-threat landscape.

Vincent Marcus

Brokers Guild Incident Response

To be announced

Biography

To be announced

Félix Lehoux

Dark What? Demystifying the buzz through the presentation of an open-source tool and the analysis of the data found

The Darknet is still a hot topic today. What does it contain? How do you access it? Why go on the Darknet? These questions may seem easy to answer, but are you sure of your answer? This presentation has two parts: an explanation of the Torscraper tool, and a presentation of the results of the analysis of the collected data. It also aims to share my knowledge of the subject by giving you all the means needed to reproduce the tool’s infrastructure at home. The various technologies used allow Torscraper to index the content of the pages it visits and to search through all the indexed information. On the data-analysis side, the prevalence of dubious sites selling drugs, weapons or even hitman services will be discussed, as will the less serious sites, such as mystery boxes. In short, the presentation will enable attendees to easily use an open-source tool, collect data from the Darknet, and analyze it.

Biography

Félix is passionate about computing, security and challenges. He is currently studying IT engineering at ÉTS and is a member of his school’s Délégation des compétitions en informatique. He has been employed at GoSecure for almost 2 years, initially as an intern and now as a part-time cybersecurity analyst. Besides computing, Félix is passionate about sports; he particularly enjoys skateboarding and surfing.

Philippe Arteau

Deserialization: RCE for modern web applications

Deserialization is the process of converting a data stream to an object instance. At the end of 2015, the Java community was taken by storm by deserialization vulnerabilities using a weakness from the Commons Collections library. The event highlighted how many applications used unsafe deserialization. At the time, Jenkins, WebLogic, WebSphere and JBoss used the same vulnerable code pattern. Two years later, researchers turned to the .NET ecosystem and discovered that many serialization libraries were vulnerable to similar attacks. In 2018, vulnerabilities were found notably in SharePoint (Workflows API), phpBB (using a new PHP vector) and many more. Hundreds of CVEs were recorded for the same year, proving that deserialization is still an active threat for modern web applications. Developers and pentesters can’t ignore this risk because, in most cases, it leads to remote code execution.

This 3-hour workshop will go through the basics of exploiting such vulnerabilities in multiple languages including Java, .NET and PHP. After the theory, participants will have access to vulnerable applications specially designed for the workshop. The objective for the participants will be to exploit applications using the presented methods. Step-by-step instructions and tools will be provided to the participants. Additionally, participants will gain knowledge and skills to build gadgets in dedicated exercises.

Biography

Philippe is a security researcher working for GoSecure. His research is focused on Web application security. His past work experience includes pentesting, secure code review and software development. He is the author of the widely-used Java static analysis tool Find Security Bugs. He is also a contributor to the static analysis tool for .NET called Security Code Scan. He built many plugins for Burp and ZAP proxy tools: Retire.js, Reissue Request Scripter, CSP Auditor and many others. He presented at several conferences including Black Hat Arsenal, ATLSecCon, NorthSec, Hackfest (QC), Hack in Paris, AppSec USA, 44CON and JavaOne.

Simon Décosse, Marc-Antoine Bernier, Philippe Pépos Petitclerc

User Interaction Revisited: Beyond alert(1);

This workshop is constructed around a very simple idea: weaponizing payloads where user interaction is required. By taking a different approach to the exploitation of these vulnerabilities and adding details about the context and the environment in which they are exposed, we will demonstrate how required user interaction is not much of an issue at all. Participants will explore and learn how a few neglected individual vulnerabilities could be chained into a critical vulnerability, or how caching servers and Reflected XSS could help you obtain code execution on your targets.

In order to maximize trainee takeaways, this workshop features dedicated lab time to work in a hands-on strategy and develop an autonomous approach to exploit development.

Biography

All three trainers are penetration testers working for a large financial institution in Montreal. Their expertise ranges from web application to infrastructure penetration testing, with a strong leaning toward adversarial simulation. They share the same pedagogical philosophy: material should be presented with a thorough understanding of key concepts in mind rather than simply presenting tools without the background required to acquire reusable knowledge.

Alexandre Major

“Friday night at the factory…”, an atypical simulation. (LIMITED SEATS)

At the heart of every security incident lies a riddle: victims, a crime scene, motives, but also a methodology, a clue, and the instincts to solve it. This workshop-talk, a curious hybrid of a “tabletop” simulation, a murder mystery and a choose-your-own-adventure book, presents a security incident simulation in a way you have never seen before. As a team, you will have to manage a (fictional?) corporate security incident using all your knowledge, your intuition and perhaps even a hint of political sense. You will be in (healthy) competition with other teams just as cunning as yours.

Although this is not a technical simulation (no virtual machine to hack, sorry!), it will nonetheless take place on a new kind of digital platform and will include narrative elements. Teams will be equipped with a tablet running an application built for this purpose, along with printed material representing the environment, the people and the “atmosphere” in which the incident takes place. They will then use their knowledge and expertise to explore the environments, examine the equipment, question the people, and deduce and contain the incident threatening the company.

At the end of the simulation, only one team will be able to claim victory, by having managed the incident with the most effectiveness (containing and resolving the situation without impacting the business) and efficiency (making judicious use of the time and resources at its disposal).

Biography

An IT security professional since the start of his career, Alexandre has worked in every area of security, from incident management to technology architecture. While he has a healthy respect for the Red Team, he unabashedly claims membership in the Blue Team, in which he has worked his entire career, in aeronautics as well as in the financial sector and video games. Since early childhood he has also been passionate about games of all kinds: video games of course, but also board games of every sort and tabletop role-playing games. Incidentally, he hates Monopoly and gambling. He has already presented successfully at several conferences, always in a relaxed and irreverent tone, on subjects as diverse as DLP and the gamification of security; his favourite to date remains a “live hacking for secretaries” presentation, which was a great success (with the secretaries in question). He recently became head of security for the largest video game company you will never hear about in the media.

Wendy Edwards

Introduction to Security and Machine Learning

Most of us have heard vendors promoting products that use “machine learning.” But what does that actually mean? This is a general introduction to machine learning concepts and a discussion about their applications to security. We begin by talking about commonly used terminology – what do we mean when we say artificial intelligence, neural networks, machine learning, and deep learning? How do they work?

What can machine learning do for security? A number of things, it turns out. One major challenge in security is determining what’s normal and what’s malicious. Machine learning can help with this. For example, ML techniques are used in spam filtering to scan email and automatically detect junk. Large email providers, e.g., Google and Yahoo, have intelligent systems that can create new spam filtering rules based on automated learning from large volumes of email.

Machine learning is also being applied to other areas like network traffic monitoring and malware analysis. Traditional network intrusion detection (NIDS) involves rules and signatures, where behavior associated with known threats is identified. But what about new threats, such as zero-day exploits? Anomaly-based detection compares traffic to normal behavior, and has the potential to detect previously unknown attacks with no established signature. Traditional malware analysis has also relied on signatures to identify potentially harmful software. Machine learning analyzes characteristics of an unknown specimen and attempts to determine whether it’s likely to be malicious.

We present some examples of freely available machine learning software, e.g., Google TensorFlow and Keras for Python, and walk through some simple use cases.

Biography

Wendy is a software developer interested in security and data science. She is a NASA Datanaut and a 2017 graduate of the SANS Women’s Academy. She won a 2019 research grant from Summercon and has spoken at multiple conferences.