Playing Through the Pain: The Impact of Dark Knowledge and Secrets on Security and Intelligence Professionals
Dismissing or laughing off concerns about what it does to a person to know critical secrets does not lessen the impact on life, work, and relationships of building a different map of reality than “normal people” use. One has to calibrate narratives to what another believes. One has to live defensively, warily. This causes, at the least, cognitive dissonance, which some manage by denial. But refusing to feel the pain does not make it go away. It just intensifies the consequences when they erupt.
Philip K. Dick said that reality is that which, when you no longer believe in it, does not go away. When cognitive dissonance evolves into symptoms of traumatic stress, one ignores those symptoms at one’s peril. But the very constraints of one’s work often make it impossible to speak aloud about those symptoms, because that might threaten one’s clearances, work, and career. And whistleblower protection is often non-existent.
Richard Thieme
Attacking Linux/Moose Unraveled an Ego Market
For this talk, a criminologist and a security researcher teamed up to hunt a large-scale botnet dubbed Linux/Moose that conducts social media fraud. Linux/Moose has stealth features and runs only on embedded systems such as consumer routers or Internet of Things (IoT) devices. Using honeypots set up across the world, we managed to get virtual routers infected to learn how this botnet spread and operated. We performed a large-scale HTTPS man-in-the-middle attack on several honeypots over the course of several months, decrypting the bots’ proxy traffic. This gave us an impressive amount of information on the botnet’s activities on social networks: the names of the fake accounts it uses, its modus operandi for conducting social media fraud and the identification of its consumers, both companies and individuals.
This presentation will be of interest to a wide audience. First, it will present the elaborate methodology we used to infect custom honeypots with Linux/Moose, which led to contributions to the open-source Cowrie Honeypot Project. Second, it will describe the technical details behind the man-in-the-middle attack conducted to decrypt the traffic. The talk will further increase its draw by placing the botnet’s activities within a larger scope: the illicit market for social media fraud. With the data gathered from the decrypted traffic and open-source research, the market dynamics behind the sale of social media fraud will be presented, allowing an overview of the botnet’s potential profitability. Overall, this research elevates the standards of botnet studies as it not only investigates how a botnet is built, but also what drives it.
Olivier Bilodeau GoSecure
Masarah Paquet-Clouston GoSecure
Backslash Powered Scanning: Implementing Human Intuition
Existing web scanners search for server-side injection vulnerabilities by throwing a canned list of technology-specific payloads at a target and looking for signatures – almost like an anti-virus. In November I released an open-source scanner that takes an alternative approach, capable of finding and confirming both known and unknown classes of injection vulnerabilities. Evolved from classic manual techniques, this approach reaps many associated benefits including casual WAF evasion, a tiny network footprint, and flexibility in the face of input filtering.
James Kettle PortSwigger
BearSSL: SSL For all Things
BearSSL is a novel SSL/TLS library optimised for constrained systems, aiming at small code footprint and low RAM usage. The talk is about presenting the library in its context, and delving into what makes a good SSL implementation and how BearSSL does it.
Thomas Pornin NCC Group
Data Science Tools and Techniques for the Blue Team
Every year organizations generate more data, and security teams are expected to make sense of not just a greater volume of data from the myriad of log sources that exist in corporate environments, but new sources of logs and data as well. In this talk we look at the data scientist methodology and some of the statistical and machine learning techniques available to defenders of corporate infrastructure. After explaining the strengths and weaknesses of the different techniques, we will walk through analyzing some data and spend some time explaining the Python code and what would be needed to scale the code from analyzing hundreds of thousands of data points to tens of millions. This is not a talk about SIEM and related technologies. SIEM is good at collecting logs in a central location and performing on-the-fly inspection and correlation, but rarely has the ability to engage in deeper statistical analysis or employ machine learning techniques.
A white paper, slides and code will be prepared for this presentation.
Shawn Marriott Tanium
Murder Mystery – How Vulnerability Intelligence is Poisoning your Information Security Program
Integrating vulnerability scanning results into one’s security ecosystem involves a serious hidden challenge which results in heinous consequences, thereby killing your InfoSec program. This session shares clues on this challenge, step by step, in the form of a murder mystery game, and ultimately reveals the culprit as well as strategies to overcome it. Come participate, play, and interact! Try to guess “who-dunnit,” and learn how to avoid future similar InfoSec crimes.
Gordon MacKay Digital Defense, Inc
How Surveillance Law was Expanded in Canada, What the Media has Reported, and What’s Next
This talk will provide an overview of the specific lawful access powers that came into force in Canada in March 2015; how they are rolling out in the view of the media and the courts (e.g. the TELUS and Rogers cases); and how these authorities intersect with S-4 and C-51 (around permissions for information-sharing). Some highlights from the recent submission on rights and security around lawful access, encryption and hacking tools will also be covered.
Chris Prince Office de la Protection du Consommateur (OPC)
Creating an Internet of (Private) Things—Some Things for Your Smart Toaster to Think About
The next big market push is to have the cool IoT device that’s connected to the internet. As we’ve seen from the Mirai and Switcher hacks, it’s important to embed the appropriate safeguards so that devices are not open to attack. When selecting device components there are things that should be checked for, and when you’re doing the coding and workflows, there are other things that need to be taken into account. Although security and privacy are close cousins, they’re also different. This talk will be centered around some best security and privacy practices as well as some common errors that should be avoided.
Ian Douglas Office of the Privacy Commissioner of Canada
Pentesting: Lessons from Star Wars
Everyone knows you ought to threat model, but in practical reality it turns out to be tricky. If past efforts to threat model haven’t panned out, perhaps part of the problem is confusion over what works, and how the various approaches conflict or align. This talk captures lessons from years of work helping people throughout the software industry threat model more effectively. It’s designed to help security pros, especially pen testers, all of whom will leave with both threat modeling lessons from Star Wars and a proven foundation, enabling them to threat model effectively on offense or defense.
Adam Shostack
Hack Microsoft Using Microsoft Signed Binaries
Imagine being attacked by legitimate software tools that cannot be detected by the usual defender tools. How bad could it be to be attacked by malicious threat actors who only send bytes to be read and bytes to be written in order to achieve advanced attacks? The most dangerous threat is the one you can’t see. At a time when it is already not obvious how to detect memory attacks using APIs like VirtualAlloc, what would be worse than having to detect something like “f 0xffffe001`0c79ebe8+0x8 L4 0xe8 0xcb 0x04 0x10”? We will demonstrate that we can achieve every kind of attack you can imagine using only PowerShell and a Microsoft-signed debugger. We can retrieve passwords from userland memory, execute shellcode by dynamically parsing loaded PEs, or attack the kernel to achieve advanced persistence inside any system.
Pierre-Alexandre Braeken Office of the Privacy Commissioner of Canada
Hacking POS PoS Systems
Hackers try to find the easiest ways to achieve the most impact. When it comes to credit card fraud, compromising Point of Sale (PoS) systems is the latest trend. The presenters will share their experience on how attackers can exploit both technical and policy gaps to breach organizations. This talk will cover approaches to physical security, kiosk breakouts, and the extraction of sensitive data. It’s laced with real-life examples, including a detailed discussion of recently disclosed critical vulnerabilities in Oracle’s hotel management platform.
Jackson Thuraisamy Security Compass
Jason Tran Security Compass
Don’t Kill My Cat
The purpose of this presentation is to introduce a tool and the idea behind it. This tool evades antivirus, sandboxes and IDS/IPS using one simple technique. In a nutshell, it abuses polyglot files and compact low-level obfuscation using assembly. The target system can then execute the payload using various vectors: PowerShell or a Windows executable.
The obfuscated payload can be pretty much anything, from classic Meterpreter, Empire payloads and Cobalt Strike beacons to DLLs and executables. There is no limit, since the tool offers a loader that can deobfuscate an executable in memory and execute it, or simply execute shellcode.
The end goal of the tool was to provide a simple way to evade as many security layers as possible with a single payload instead of using multiple techniques to target each layer of security. This is a must-have for pentesting when your target relies on multiple security products!
Charles F. Hamilton Mandiant a FireEye company
Stupid RedTeamer Tricks
Who said that you need to be elite to be a good red teamer?
This presentation focuses on simple, easy hacks that can change the result of a red team assessment.
The 30-minute talk will cover improvements on the age-old classic of dropping USB keys (35% increase in payload delivery!); how to reduce your C&C discoverability; techniques for leveraging Outlook against your victim to improve social engineering; and other very simple tricks. By the end of the presentation, the audience should be inspired to build upon the techniques discussed in the talk and feel more confident in doing red team engagements.
Laurent Desaulniers
Abusing Webhooks for Command and Control
You are on the inside of the perimeter. And maybe you want to exfiltrate data, download a tool, or execute commands on your command and control server (C2). Problem is – the first leg of connectivity to your C2 is denied. Your DNS and ICMP traffic is being monitored. Access to your cloud drives is restricted. You’ve implemented domain fronting for your C2 only to discover it is ranked low by the content proxy, which is only allowing access to a handful of business related websites on the outside.
We have all been there, seeing frustrating proxy denies or triggering security alarms making our presence known. Having more choices when it comes to outbound network connectivity helps. In this talk we’ll present a technique to establish such connectivity with the help of HTTP callbacks (webhooks). We will walk you through what webhooks are, how they are used by organizations. We will then discuss how you can use approved sites as brokers of your communication, perform data transfers, establish almost real-time asynchronous command execution, and even create a command-and-control communication over them, bypassing strict defensive proxies, and even avoiding attribution.
Finally, we’ll show the tool that will use the concept of a broker website to work with the external C2 using webhooks.
Dimitry Snezhkov IBM
Modern Reconnaissance Phase by APT – Protection Layer
The Talos researchers are no strangers to APT attacks. During recent research, we observed how APT actors are evolving and how the reconnaissance phase is changing to protect their valuable 0-day exploits or malware frameworks. During the presentation, we will not speak about a specific malware actor but will use various cases to illustrate how the reconnaissance phase is becoming more important and more complex.
This talk will mainly focus on the usage of malicious documents (Microsoft Office and Hangul Word Processor) and watering hole attacks designed to establish whether the target is the intended one. We will mention campaigns against political or military organizations in the USA, Europe and Asia.
The techniques and the obfuscation put in place by these actors will be described in detail. We will explain how the macros are used and how to deobfuscate them; how JavaScript and PowerShell are becoming unmissable languages and how to analyse them with standard debuggers such as WinDBG or x64dbg; how APT actors include Flash objects in documents to bypass protection and perform reconnaissance on the target; and finally, how the Python language is used by malware to execute code on macOS. In some cases, the reconnaissance is performed directly by a first-stage malware (PE32) rather than by the infection vector; we will see an example of this approach, which targeted the South Korean public sector at the end of December. At the end of the presentation, we will show different mitigations in applications (for example in Microsoft Office and Hangul Word Processor) and in the Microsoft Windows operating system to help attendees protect their constituents against the threats described during the talk.
Paul Rascagneres Cisco
Deep Dive into Tor Onion Services
Millions of people around the world use Tor every day to protect themselves from surveillance and censorship. While most people use Tor to reach ordinary websites more safely, a tiny fraction of Tor traffic makes up what overhyped journalists like to call the “Dark Web”. Tor onion services (formerly known as Tor hidden services) let people run Internet services such as websites in a way where both the service and the people reaching it can get stronger security and privacy.
The onion service protocol was first released in 2004. Over the years, as it aged, weaknesses started to appear in its design. These design flaws are a problem because people rely on onion services for many critical use cases, like metadata-free chat and file sharing, safe interaction between journalists and their sources, safe software updates, and more secure ways to reach popular websites like Facebook.
In this talk I’ll briefly present our legacy onion service, then take an in-depth look at our new and improved onion service design, which provides stronger security and better scalability, and give a status update on the development.
David Goulet Tor Project
Talk: Playing Through the Pain: The Impact of Dark Knowledge and Secrets on Security and Intelligence Professionals
Richard Thieme Commentator on Technology and Culture
Richard Thieme (www.thiemeworks.com) is an author and professional speaker who addresses the challenges posed by new technologies and the future, how to redesign ourselves to meet these challenges, and creativity in response to radical change. He has published hundreds of articles, dozens of short stories, five books with more coming, and has delivered hundreds of speeches. A novel, FOAM, was published in September 2015 and 'A Richard Thieme Reader,' collecting fiction and non-fiction, was published on Amazon Kindle in 2016. His pre-blog column, “Islands in the Clickstream,” was distributed to thousands of subscribers in sixty countries before collection as a book in 2004. When a friend at the NSA told him, 'The only way you can tell the truth [that we discuss] is through fiction,' he returned to writing short stories (35 published to date), one result of which is 'Mind Games,' a collection of nineteen stories about anomalies, infosec, professional intelligence and edgy realities. More edgy realities are illuminated in the recently published and critically extolled 'UFOs and Government: A Historical Inquiry' to which he contributed, a 5-year research project using material from inside the military and intelligence communities to document government responses to the phenomena from WW2 to the present. It is in the collections of 65 university libraries.
Many speeches address creativity, shifts in identities, and technology-related security and intelligence issues. He and Dan Geer, CISO of CIA’s In-Q-Tel, did a “fireside chat” as a keynote for Source Boston, and Richard keynoted SOURCE Boston and SOURCE Seattle in 2016 and will keynote SOURCE Dublin in 2017. He keynoted the first two Black Hats and spoke in 2016 at Def Con for the 21st year. He has keynoted conferences in Sydney, Brisbane, Canberra and Melbourne, Wellington and Auckland, Dublin and London, Berlin and Heidelberg, the Netherlands (Amsterdam, Rotterdam, and the Hague), Ghent Belgium, Dubai, Kuala Lumpur, Tokyo, Johannesburg SA, Lodz and Krakow Poland, and Eilat Israel. Clients range from GE, Microsoft and Medtronic to the National Security Agency, the Pentagon, FBI, US Dept of the Treasury, Los Alamos National Lab, and the US Secret Service.
His work has been taught at universities in Europe, Australia, Canada, and the United States, and he has guest lectured at numerous universities, including Purdue University (CERIAS), the Technology, Literacy and Culture Distinguished Speakers Series of the University of Texas, and the 'Design Matters' lecture series at the University of Calgary (Alberta). He addressed the reinvention of 'Europe' as a 'cognitive artifact' for curators and artists at Museum Sztuki in Lodz, Poland, keynoted 'The Real Truth: A World’s Fair' at Raven Row Gallery, London, and recently keynoted Code Blue in Tokyo.
Talk: Deep Dive into Tor Onion Services
David Goulet Linux Software Developer, Tor Project
David Goulet is a Tor developer focusing on onion services. He is the torsocks maintainer.
Talk: Data Science Tools and Techniques for the Blue Team
Shawn Marriott Information Security Officer, Tanium
Shawn is an information security officer at the Independent Electrical System Operator, which is responsible for operating the electrical grid providing power to one third of Canadians. Having completed Harvard University’s graduate certificate in data science, he is eager to share some of the tools and techniques available to make sense of the deluge of data thrown at security teams every day. With more than a decade of cyber security experience, Shawn is a seasoned professional who has held a variety of roles across critical infrastructure, the financial sector and higher education. He enjoys using bug bounties to pay for vacations, and fermenting barley into beer and milk into cheese.
Talk: Abusing Webhooks for Command and Control
Dimitry Snezhkov Senior Managing Consultant, IBM
Dimitry Snezhkov does not like to refer to himself in the third person :) but when he does he is a Sr. Security Consultant for X-Force Red at IBM, performing penetration testing, occasional Red Teaming and application security assessments.
Talk: Modern Reconnaissance Phase by APT – Protection Layer
Paul Rascagneres Senior Software Engineer, Cisco
Paul is a security researcher within Talos, Cisco’s threat intelligence and research organization. As a researcher, he performs investigations to identify new threats and presents his findings as publications and at international security conferences throughout the world. He has been involved in security research for 7 years, mainly focusing on malware analysis, malware hunting and more specifically on Advanced Persistent Threat campaigns and rootkit capabilities. He previously worked for several incident response teams within the private and public sectors.
Talk: Don’t Kill My Cat
Workshop: Introduction to Assembly Language and Shellcoding
The purpose of this workshop is to familiarize participants with assembly language. At the end of the workshop, participants will be able to understand shellcode and optimize it to avoid null bytes or blacklisted characters.
The workshop will show basics of x86_64 assembly using Intel syntax.
Charles F. Hamilton Senior Consultant, Mandiant a FireEye company
Charles F. is a consultant working for Mandiant, a FireEye company. He founded the RingZer0 Team online CTF website in 2014, where he hosts various hacking challenges. He’s been a bypass and evasion techniques enthusiast for years now: antivirus, sandboxes and endpoint security software are his favorite targets. Pure assembly and low-level languages such as C are his best friends too.
Workshop: Introduction to Assembly Language and Shellcoding
Peter Heppenstall
Peter Heppenstall is a student at the University of Maryland studying computer science with a specialization in computer security. He is the competition team lead for the university’s cybersecurity club, where he trains students weekly in a wide range of applied security topics. Previously he has worked doing malware analysis and reverse engineering, and enjoys developing and researching modern obfuscation and anti-analysis techniques. He has written a number of intricate challenges for the RingZer0 Team online CTF, where he currently ranks 3rd worldwide.
Talk: Attacking Linux/Moose Unraveled an Ego Market
Olivier Bilodeau Cybersecurity Research Lead, GoSecure
Olivier Bilodeau is leading the Cybersecurity Research team at GoSecure. With more than 10 years of infosec experience, Olivier has managed large networks and server farms, written open source network access control software and worked as a Malware Researcher. A passionate communicator, Olivier has spoken at several conferences like BlackHat Europe, Defcon, Botconf, SecTor, Derbycon and many more. Invested in his community, he co-organizes MontréHack (a monthly workshop focused on applied information security), is in charge of NorthSec’s training sessions and hosts NorthSec’s Hacker Jeopardy. His primary research interests include reverse-engineering tools, embedded Linux malware and honeypots. To relax, he likes to work on the AsciiDoc open source ecosystem and brew his own beer.
Talk: Attacking Linux/Moose Unraveled an Ego Market
Masarah is a security researcher at GoSecure, a consultancy firm specializing in cybersecurity services for the public and private sectors. She is also a member of the council for the NorthSec conference. Using her economic and criminological backgrounds, she specializes in the study of the market dynamics behind illegal online activities. Her goal is to conduct scientific research to understand these online phenomena without falling into the corporate alarmist side. She has presented at various international conferences such as Black Hat Europe, Botconf and the American Society of Criminology. Besides doing research, she’s passionate about programming, defending online privacy and discussing politics.
Talk: Backslash Powered Scanning: Implementing Human Intuition
Existing web scanners search for server-side injection vulnerabilities by throwing a canned list of technology-specific payloads at a target and looking for signatures – almost like an anti-virus. In November I released an open-source scanner that takes an alternative approach, capable of finding and confirming both known and unknown classes of injection vulnerabilities. Evolved from classic manual techniques, this approach reaps many associated benefits including casual WAF evasion, a tiny network footprint, and flexibility in the face of input filtering.
James Kettle Head of Research, PortSwigger
James Kettle is Head of Research at PortSwigger Web Security, where he designs and refines vulnerability detection techniques for Burp Suite’s scanner. Recent work has focused on techniques to detect unknown classes of vulnerabilities, and exploiting subtle CORS misconfigurations in bitcoin exchanges. James has extensive experience cultivating novel attack techniques, including server-side RCE via Template Injection, client-side RCE via malicious formulas in CSV exports, and abusing the HTTP Host header to poison password reset emails and server-side caches. He has spoken at numerous prestigious venues including both BlackHat USA and EU, and OWASP AppSec USA and EU.
Workshop: Automating Detection, Investigation and Mitigation with LimaCharlie
The workshop will begin with an overview of the various detection and automation mechanisms available in LimaCharlie.
Afterwards we will create Detections and Hunters for LimaCharlie that automate the detection and investigation of specific malware samples (samples are provided for the workshop; attendees can also bring their own).
Maxime Lamothe-Brassard Senior Security Engineer, Google
Maxime currently works for Google. His career has been centered around advanced computer attacks. He worked for the Canadian Intelligence apparatus in functions ranging from development of cyber defence technologies through Counter Computer Network Exploitation and Counter Intelligence. Maxime led the creation of an advanced cyber security program for the Canadian government and received several Director’s awards for his service. After leaving the government, Maxime provided direct help to private and public organisations in matters of cyber defence, working at CrowdStrike and eventually co-founding Arcadia, architecting advanced cyber defense solutions. For the past few years Maxime has also been providing analysis and guidance to major Canadian media organisations. This talk represents my own opinions and not necessarily those of my employer.
Talk: BearSSL: SSL For all Things
BearSSL is a novel SSL/TLS library optimised for constrained systems, aiming at a small code footprint and low RAM usage. The talk presents the library in its context and delves into what makes a good SSL implementation and how BearSSL achieves it.
Thomas Pornin, NCC Group
Thomas Pornin is a prominent member of the InfoSec community, and holds a PhD in cryptography. He is the author of the BearSSL library and the TestSSLServer scanning tool; as a cryptographer, he invented the PHC candidate Makwa, and has previously participated in the AES, eSTREAM and SHA-3 competitions.
Talk: Murder Mystery – How Vulnerability Intelligence is Poisoning your Information Security Program
Integrating vulnerability scanning results into one’s security ecosystem involves a serious hidden challenge which results in heinous consequences, thereby killing your InfoSec program. This session shares clues on this challenge, step by step, in the form of a murder mystery game, and ultimately reveals the culprit as well as strategies to overcome it. Come participate, play, and interact! Try to guess “who-dunnit,” and learn how to avoid future similar InfoSec crimes.
Gordon MacKay CTO, Digital Defense, Inc
Gordon MacKay, Software/Systems Guru with a dash of security hacking, serves as CTO for Digital Defense, Inc. He has presented at many conferences including 2016 ISSA International Conference, ISC2 Security Summit 2016, BSides DC 2016, Cyber Texas 2016, BSides Detroit 2016, BSides San Antonio, BSides Austin, BSides DFW, RSA and more, and has been featured by top media outlets such as Fox News, CIO Review, Softpedia and others. He holds a Bachelor’s in Computer Engineering from McGill University and is a Distinguished Ponemon Institute Fellow.
Talk: How Surveillance Law was Expanded in Canada, What the Media has Reported, and What’s Next
This talk will provide an overview of the specific lawful access powers that came into force in Canada in March 2015; how they are rolling out in the view of the media and the courts (e.g. the TELUS and Rogers cases); and how those authorities intersect with S-4 and C-51 (around permissions for information-sharing). Some highlights from the recent submission on rights and security around lawful access, encryption and hacking tools will also be covered.
Chris Prince Strategic Research and Policy Analyst, Office de la Protection du Consommateur (OPC)
Chris Prince is a Strategic Research and Policy Analyst with OPC's Legal and Policy Branch. Along with privacy policy, he has also worked on metadata standards development for Library and Archives Canada and workforce data reporting for the Treasury Board Secretariat of Canada. He has also worked in Information Management for various Canadian companies including Bombardier Aerospace, Zero Knowledge Systems, the Loewen Group and CIBC. Chris holds a Master’s degree in Library and Information Studies from McGill University (Montreal) and a Bachelor’s (Hons) degree in English and Contemporary Studies from the University of King’s College (Halifax).
Talk: Creating an Internet of (Private) Things—Some Things for Your Smart Toaster to Think About
The next big market push is to have the cool IoT device that’s connected to the internet. As we’ve seen from the Mirai and Switcher hacks, it’s important to embed the appropriate safeguards so that devices are not open to attack. When selecting device components there are things that should be checked for, and when you’re doing the coding and workflows, there are other things that need to be taken into account. Although security and privacy are close cousins, they’re also different. This talk will be centered around some best security and privacy practices as well as some common errors that should be avoided.
Ian Douglas IT Research Analyst, Office of the Privacy Commissioner of Canada
Ian Douglas is part of a highly-skilled team of IT Research Analysts at the Office of the Privacy Commissioner of Canada with backgrounds in IT security, privacy, data analytics, and research. He assists in investigations when there’s a technology component involved, and conducts research in our tech lab. Ian has 30 years of experience in IT, including about 20 years of experience in IT security and about 10 years of experience in digital forensics.
Talk: Pentesting: Lessons from Star Wars
Everyone knows you ought to threat model, but in practical reality it turns out to be tricky. If past efforts to threat model haven’t panned out, perhaps part of the problem is confusion over what works, and how the various approaches conflict or align. This talk captures lessons from years of work helping people throughout the software industry threat model more effectively. It’s designed to help security pros, especially pen testers, all of whom will leave with both threat modeling lessons from Star Wars and a proven foundation, enabling them to threat model effectively on offense or defense.
Adam Shostack Consultant and Advisor on Security and Privacy
Adam is an entrepreneur, technologist, author and game designer. He’s a member of the BlackHat Review Board, and helped found the CVE and many other things. He’s currently building his 5th startup, focused on improving security effectiveness, and mentors startups as a Mach37 Star Mentor. While at Microsoft, he drove the Autorun fix into Windows Update, was the lead designer of the SDL Threat Modeling Tool v3 and created the "Elevation of Privilege" game. Adam is the author of "Threat Modeling: Designing for Security," and the co-author of "The New School of Information Security."
Talk: Hack Microsoft Using Microsoft Signed Binaries
Imagine being attacked by legitimate software tools that cannot be detected by the usual defender tools. How bad could it be to be attacked by malicious threat actors who only send bytes to be read and bytes to be written in order to achieve advanced attacks? The most dangerous threat is the one you can’t see. At a time when detecting memory attacks that use APIs like VirtualAlloc is already far from obvious, what would be worse than having to detect something like “f 0xffffe001`0c79ebe8+0x8 L4 0xe8 0xcb 0x04 0x10”? We will demonstrate that we can achieve every kind of attack you can imagine using only PowerShell and a Microsoft Signed Debugger. We can retrieve passwords from userland memory, execute shellcode by dynamically parsing loaded PE files, or attack the kernel to achieve advanced persistence inside any system.
Pierre-Alexandre Braeken Consultant and Advisor on Security and Privacy, Office of the Privacy Commissioner of Canada
Pierre-Alexandre Braeken is an accomplished and highly experienced security professional with over 13 years of experience in engineering and system architecture. In his career, having acquired the MCSE, MCSA and MCITP certifications, he has focused specifically on security, specializing in the implementation of large projects for businesses relying on Microsoft infrastructure and alternative platforms. He is a Microsoft Certified Solutions Expert in Cloud Platform and Infrastructure. He has an excellent command and understanding of information security, security architecture and secure application development, as well as strong analytical skills pertaining to enterprise situations, risk and contingency plans. He’s focused on assisting organizations across Canada with implementing effective threat detection and response capabilities and performing red teaming activities. He does unique security research and speaks at major international security conferences: Black Hat Asia Briefings 2017, Singapore; Black Hat Europe Arsenal 2016, London, U.K.; B-SidesDC 2016, Washington, U.S.; SecTor 2016, Toronto, Canada; InfoSecurity Europe 2016, London, U.K.; Hackfest 2015, Quebec, Canada.
Talk: Hacking POS PoS Systems
Hackers try to find the easiest ways to achieve the most impact. When it comes to credit card fraud, compromising Point of Sale (PoS) systems is the latest trend. The presenters will share their experience on how attackers can exploit both technical and policy gaps to breach organizations. This talk will cover approaches to physical security, kiosk breakouts, and the extraction of sensitive data. It’s laced with real-life examples, including a detailed discussion of recently disclosed critical vulnerabilities in Oracle’s hotel management platform.
Jackson Thuraisamy Security Consultant, Security Compass
Jackson Thuraisamy is a Security Consultant at Security Compass. His combined experience in software development and security consulting has made him a specialist in compromising and defending application security. He likes to hunt critical vulnerabilities and plan targeted operations. He has also implemented an enterprise-wide secure SDLC initiative for a Fortune 100 client and taught defensive web security courses internationally.
Talk: Hacking POS PoS Systems
Jason Tran Security Consultant, Security Compass
Jason Tran is a Security Consultant at Security Compass. Coming from a Computer Science background, his specialty lies in application security and identifying bugs in code reviews. Among his notable achievements, for a Fortune 500 client in online financial services he developed a Secure SDLC training program that is currently used by developers across the corporation.
Talk: Stupid RedTeamer Tricks
Who said that you need to be elite to be a good red teamer?
This presentation focuses on simple, easy hacks that can change the result of a red team assessment.
The 30-minute talk will cover improvements on the age-old classic of dropping USB keys (35% increase in payload delivery!); how to reduce your C&C discoverability; techniques for leveraging Outlook against your victim to improve social engineering; and other very simple tricks. By the end of the presentation, the audience should be inspired to build upon the techniques discussed in the talk and feel more confident in doing red team engagements.
Laurent Desaulniers Penetration Tester
Laurent is a senior penetration tester for a large ISP in Canada with many years of experience in that field, having done countless pentests in many diverse environments. He is enthusiastic about physical security as well as application security and has converted his extensive field expertise into being one of the most prolific challenge writers for all of the past NorthSec events.
Workshop: Script Engine Hacking For Fun And Profit
More and more applications allow execution of untrusted code in their context to extend themselves. Whether it’s JavaScript in a web browser, Lua plugins in a video game or Ruby to customize business rules, it is important to keep your infrastructure secure when running them.
This workshop is a hands-on approach that introduces the participants to the basic exploitation techniques of scripting engines. The exercise will focus on real world examples around mruby, a lightweight Ruby interpreter that is easily customizable to limit or completely remove I/O operations and act as a sandbox. Through successful exploitation, the participants will be able to execute arbitrary native code from a Ruby script, bypassing any restriction on the Ruby APIs.
The participants will be guided to look for common vulnerability patterns, successfully set up their exploit and ultimately get control of the instruction pointer to escape the mruby virtual machine. Finally, some defensive measures will be shown to harden the vulnerable engine and limit the side-effects of a successful exploit.
Jean-Marc Le Blanc Reverse Engineer
Currently working as a reverse engineer, Jean-Marc has worked for multiple respected security enterprises for the past 5 years. On top of his professional security research, he has done a lot of personal vulnerability research on large popular applications. His most recent project has been the mruby bug bounty by Shopify.
Workshop: Script Engine Hacking For Fun And Profit
Israël Hallé Reverse Engineer
Israël Hallé has been exploiting challenges in security CTFs for the past few years as part of the DCIETS while he was an undergraduate student, taking first place at the last two editions of the NorthSec CTF. Recently, he has been contracting for Google, where he served as a reverse engineer for the SafeBrowsing team. With the other trainers, Israël has been working on the mruby-engine bug bounty by Shopify, where he found a few critical vulnerabilities that led to remote code execution. When not in front of his computer, he’s likely busy either drinking craft beer or climbing rocks and boulders.
Workshop: Cracking Custom Encryption – An Intuitive Approach to Uncovering Malware’s Protected Data
As banking fraud researchers, we take part in a never-ending chase after new configurations of banking malware. We strive to have the upper hand by figuring out where the configurations are hidden and how they are encrypted. It can be quite thrilling when a new version of the malware is released, the encryption has changed, and the configuration must be decrypted before time runs out. We’d like to share this thrill, and teach useful skills that may come in handy when dealing with the variety of custom encryption algorithms used by malware authors. In many cases, cracking encryption requires advanced skills in math and reverse engineering. But quite often malware authors create custom algorithms for data formatting and encryption, which can be overcome using a more intuitive skillset and methods. A great example is the encryption used by Dridex, which we shall use as a case study. In this workshop, lecturing will be kept to the necessary minimum and the major part will be dedicated to a hands-on guided process of analyzing raw encrypted data. We shall study the way it is encrypted, eventually formulating a simple method of decryption. Participants will gain an understanding of the process of researching an actual encryption method, acquire basic tools for addressing encrypted data of unknown format and enjoy the thrill of a live challenge.
Pavel Asinovsky Malware Researcher, IBM Trusteer
Pavel Asinovsky has been a malware researcher at IBM Trusteer for the past year and a half. Prior to that Pavel worked as a malware researcher for F5 Networks and as a malware analyst at RSA-EMC. Pavel has wide experience and interest in malware analysis.
Workshop: Cracking Custom Encryption – An Intuitive Approach to Uncovering Malware’s Protected Data
Magal Baz Malware Researcher, IBM Trusteer
Magal Baz is a malware researcher at IBM Trusteer, and has eight years of experience as a security researcher and team leader in the cyber security industry. Magal has a keen interest in network security, reverse engineering and malware analysis.