Sessions 2017

Playing Through the Pain: The Impact of Dark Knowledge and Secrets on Security and Intelligence Professionals

Dismissing or laughing off concerns about what it does to a person to know critical secrets does not lessen the impact on life, work, and relationships of building a different map of reality than “normal people” use. One has to calibrate narratives to what another believes. One has to live defensively, warily. This causes at the least cognitive dissonance which some manage by denial. But refusing to feel the pain does not make it go away. It just intensifies the consequences when they erupt.

Philip K. Dick said, reality is that which, when you no longer believe in it, does not go away. When cognitive dissonance evolves into symptoms of traumatic stress, one ignores those symptoms at one’s peril. But the very constraints of one’s work often make it impossible to speak aloud about those symptoms, because that might threaten one’s clearances, work, and career. And whistleblower protection is often non-existent.

  • Richard Thieme





Attacking Linux/Moose Unraveled an Ego Market

For this talk, a criminologist and a security researcher teamed up to hunt a large-scale botnet dubbed Linux/Moose that conducts social media fraud. Linux/Moose has stealth features and runs only on embedded systems such as consumer routers or Internet of Things (IoT) devices. Using honeypots set up across the world, we managed to get virtual routers infected to learn how this botnet spread and operated. We performed a large-scale HTTPS man-in-the-middle attack on several honeypots over the course of several months decrypting the bots’ proxy traffic. This gave us an impressive amount of information on the botnet’s activities on social networks: the name of the fake accounts it uses, its modus operandi to conduct social media fraud and the identification of its consumers, companies and individuals.

This presentation will be of interest to a wide audience. First, it will present the elaborate methodology we used to infect custom honeypots with Linux/Moose, which led to contributions to the open-source Cowrie Honeypot Project. Second, it will describe the technical details behind the man-in-the-middle attack conducted to decrypt the traffic. The talk will further increase its draw by placing the botnet’s activities within a larger scope: the illicit market for social media fraud. With the data gathered from the decrypted traffic and open-source research, market dynamics behind the sale of social media fraud will be presented, allowing an overview of the botnet’s potential profitability. Overall, this research elevates the standards of botnet studies as it not only investigates how a botnet is built, but also what drives it.

  • Olivier Bilodeau GoSecure

  • Masarah Paquet-Clouston GoSecure





Backslash Powered Scanning: Implementing Human Intuition

Existing web scanners search for server-side injection vulnerabilities by throwing a canned list of technology-specific payloads at a target and looking for signatures – almost like an anti-virus. In November I released an open-source scanner that takes an alternative approach, capable of finding and confirming both known and unknown classes of injection vulnerabilities. Evolved from classic manual techniques, this approach reaps many associated benefits including casual WAF evasion, a tiny network footprint, and flexibility in the face of input filtering.

  • James Kettle PortSwigger





BearSSL: SSL For all Things

BearSSL is a novel SSL/TLS library optimised for constrained systems, aiming at small code footprint and low RAM usage. The talk is about presenting the library in its context, and delving into what makes a good SSL implementation and how BearSSL does it.

  • Thomas Pornin NCC Group





Data Science Tools and Techniques for the Blue Team

Every year organizations generate more data, and security teams are expected to make sense of not just a greater volume of data from the myriad of log sources that exist in corporate environments, but new sources of logs and data as well. In this talk we look at the data scientist methodology and some of the statistical and machine learning techniques available to defenders of corporate infrastructure. After explaining the strengths and weaknesses of the different techniques we will walk through analyzing some data and spend some time explaining the Python code and what would be needed to scale the code from analyzing hundreds of thousands of data points to tens of millions. This is not a talk about SIEM and related technologies. SIEM is good at collecting logs to a central location and performing on-the-fly inspection and correlations, but rarely has the ability to engage in deeper statistical analysis, or employ machine learning techniques.

A white paper, slides and code will be prepared for this presentation.

  • Shawn Marriott Tanium





Murder Mystery – How Vulnerability Intelligence is Poisoning your Information Security Program

Integrating vulnerability scanning results into one’s security ecosystem involves a serious hidden challenge which results in heinous consequences, thereby killing your InfoSec program. This session shares clues on this challenge, step by step, in the form of a murder mystery game, and ultimately reveals the culprit as well as strategies to overcome it. Come participate, play, and interact! Try to guess “who-dunnit,” and learn how to avoid future similar InfoSec crimes.

  • Gordon MacKay Digital Defense, Inc





How Surveillance Law was Expanded in Canada, What the Media has Reported, and What’s Next

This talk will provide an overview on the specific lawful access powers that came into force in Canada in March 2015; how they are rolling out in the view of the media and the courts (e.g. the TELUS and Rogers cases); and how the authorities intersect with S-4 and C-51 (around permissions for information-sharing). Some highlights from the recent submission on rights and security around lawful access, encryption and hacking tools will also be covered.

  • Chris Prince Office de la Protection du Consommateur (OPC)





Creating an Internet of (Private) Things—Some Things for Your Smart Toaster to Think About

The next big market push is to have the cool IoT device that’s connected to the internet. As we’ve seen from the Mirai and Switcher hacks, it’s important to embed the appropriate safeguards so that devices are not open to attack. When selecting device components there are things that should be checked for, and when you’re doing the coding and workflows, there are other things that need to be taken into account. Although security and privacy are close cousins, they’re also different. This talk will be centered around some best security and privacy practices as well as some common errors that should be avoided.

  • Ian Douglas Office of the Privacy Commissioner of Canada





Pentesting: Lessons from Star Wars

Everyone knows you ought to threat model, but in practical reality it turns out to be tricky. If past efforts to threat model haven’t panned out, perhaps part of the problem is confusion over what works, and how the various approaches conflict or align. This talk captures lessons from years of work helping people throughout the software industry threat model more effectively. It’s designed to help security pros, especially pen testers, all of whom will leave with both threat modeling lessons from Star Wars and a proven foundation, enabling them to threat model effectively on offense or defense.

  • Adam Shostack





Hack Microsoft Using Microsoft Signed Binaries

Imagine being attacked by legitimate software tools that cannot be detected by usual defender tools. How bad could it be to be attacked by malicious threat actors only sending bytes to be read and bytes to be written in order to achieve advanced attacks? The most dangerous threat is the one you can’t see. At a time when it is not obvious how to detect memory attacks using APIs like VirtualAlloc, what would be worse than having to detect something like “f 0xffffe001`0c79ebe8+0x8 L4 0xe8 0xcb 0x04 0x10”? We will be able to demonstrate that we can achieve every kind of attack you can imagine using only PowerShell and a Microsoft Signed Debugger. We can retrieve passwords from the userland memory, execute shellcode by dynamically parsing loaded PE or attack the kernel achieving advanced persistence inside any system.

  • Pierre-Alexandre Braeken Office of the Privacy Commissioner of Canada





Hacking POS PoS Systems

Hackers try to find the easiest ways to achieve the most impact. When it comes to credit card fraud, compromising Point of Sale (PoS) systems is the latest trend. The presenters will share their experience on how attackers can exploit both technical and policy gaps to breach organizations. This talk will cover approaches to physical security, kiosk breakouts, and the extraction of sensitive data. It’s laced with real-life examples, including a detailed discussion of recently disclosed critical vulnerabilities in Oracle’s hotel management platform.

  • Jackson Thuraisamy Security Compass

  • Jason Tran Security Compass





Don’t Kill My Cat

The purpose of this presentation is to introduce a tool and the idea behind it. This tool evades antivirus, sandboxes and IDS/IPS using one simple technique. In a nutshell, it abuses polyglot files and compact low-level obfuscation using assembly. The target system can then execute the payload using various vectors: PowerShell or a Windows executable.

The obfuscated payload can be pretty much anything, from a classic Meterpreter, Empire payload and Cobalt Strike beacon to DLLs and executables. There is no limit, since the tool offers a loader that can deobfuscate an executable in memory and execute it or simply execute shellcode.

The end goal of that tool was to provide a simple way to evade as many security layers as possible in a single payload instead of using multiple techniques to target each layer of security. This is a must-have for pentesting when your target relies on multiple security products!

  • Charles F. Hamilton Mandiant a FireEye company





Stupid RedTeamer Tricks

Who said that you need to be elite to be a good red teamer?

This presentation focuses on simple, easy hacks that can change the result of a red team assessment.

The 30-minute talk will cover improvements on the age-old classic of dropping USB keys (35% increase in payload delivery!); how to reduce your C&C discoverability; techniques for leveraging Outlook against your victim to improve social engineering and other very simple tricks. By the end of the presentation, the audience should be inspired to build upon techniques discussed in the talk and feel more confident in doing red team engagements.

  • Laurent Desaulniers





Abusing Webhooks for Command and Control

You are on the inside of the perimeter. And maybe you want to exfiltrate data, download a tool, or execute commands on your command and control server (C2). Problem is – the first leg of connectivity to your C2 is denied. Your DNS and ICMP traffic is being monitored. Access to your cloud drives is restricted. You’ve implemented domain fronting for your C2 only to discover it is ranked low by the content proxy, which is only allowing access to a handful of business-related websites on the outside.

We have all been there, seeing frustrating proxy denies or triggering security alarms making our presence known. Having more choices when it comes to outbound network connectivity helps. In this talk we’ll present a technique to establish such connectivity with the help of HTTP callbacks (webhooks). We will walk you through what webhooks are and how they are used by organizations. We will then discuss how you can use approved sites as brokers of your communication, perform data transfers, establish almost real-time asynchronous command execution, and even create a command-and-control communication over them, bypassing strict defensive proxies, and even avoiding attribution.

Finally, we’ll show the tool that will use the concept of a broker website to work with the external C2 using webhooks.

  • Dimitry Snezhkov IBM





Modern Reconnaissance Phase by APT – Protection Layer

The Talos researchers are no strangers to APT attacks. During recent research, we observed how APT actors are evolving and how the reconnaissance phase is changing to protect their valuable 0-day exploit or malware frameworks. During the presentation, we will not speak about a specific malware actor but we will use various different cases to illustrate how the reconnaissance phase is becoming more important and more complex.

This talk will mainly focus on the usage of malicious documents (Microsoft Office and Hangul Word Processor) and watering hole attacks designed to establish if the target is the intended one. We will mention campaigns against political or military organizations targeting the USA, Europe and Asia.

The techniques and the obfuscation put in place by these actors will be described in detail. We will explain how the macros are used and how to deobfuscate them; how JavaScript and PowerShell are becoming unmissable languages and how to analyse these languages with standard debuggers such as WinDBG or x64dbg; how APT actors include Flash objects in documents to bypass protection and perform reconnaissance on the target; finally, we will see how the Python language is used by malware to execute code on MacOS. In some cases, the reconnaissance is performed directly by a first stage malware (PE32) and not directly by the infection vector; we will see an example of the approach that targeted South Korean public sectors at the end of December. At the end of the presentation, we will show different mitigations in applications (for example in Microsoft Office and Hangul Word Processor) and in the Microsoft Windows Operating System to help attendees protect their constituents against the threats described during the talk.

  • Paul Rascagneres Cisco





Deep Dive into Tor Onion Services

Millions of people around the world use Tor every day to protect themselves from surveillance and censorship. While most people use Tor to reach ordinary websites more safely, a tiny fraction of Tor traffic makes up what overhyped journalists like to call the “Dark Web”. Tor onion services (formerly known as Tor hidden services) let people run Internet services such as websites in a way where both the service and the people reaching it can get stronger security and privacy.

The onion service protocol was first released in 2004. Over the years, as it aged, weaknesses started to appear in its design. These design flaws are a problem because people rely on onion services for many critical use cases, like metadata-free chat and file sharing, safe interaction between journalists and their sources, safe software updates, and more secure ways to reach popular websites like Facebook.

In this talk I’ll briefly present our legacy onion service, then take an in-depth look at our new and improved onion service design, which provides stronger security and better scalability, and give a status update on the development.

  • David Goulet Tor Project