Sessions 2019

Wajam: From a Start-up to Massive Spread Adware

How a Montreal-made "social search engine" application has managed to become one of the most widely spread adware, while escaping consequences.

Wajam Internet Technologies was a start-up founded in 2009 in Montreal. Their eponymous product was a "social search engine" solution. Its promise was to get Internet search results based on your relations on social networks. Wajam was free to install. To start monetizing the software, they began adding ads to search results. Gradually, Wajam acted more and more like adware: they used pay-per-install platforms to distribute the application, obfuscation, and even kernel drivers (rootkits) to hide their malicious behavior from users and security products. According to D&B Hoovers, the company's net profit was estimated at $CAD 4.2M in 2013.

After an investigation, the Privacy Commissioner of Canada reported in 2017 that Wajam Internet Technologies had breached the Personal Information Protection and Electronic Documents Act (PIPEDA). This did not stop their activities: they quickly sold all assets to a shell company based in Hong Kong to avoid Canadian authorities. In late 2018, new samples targeting both Windows and macOS emerged and were quickly linked to Wajam.

This talk will detail the technical findings on these recent variants and how they relate to the techniques previously used by Wajam. The technical evolution of the samples collected over the years will be mapped onto the unique history of the company. This timeline highlights that behaviours that could be considered malicious are much older than one may realize, and that the self-protection methods used by the software keep increasing in complexity and sophistication.

  • Hugo Porcher, ESET





A good list of bad ideas

Have you ever wondered, 'What if?' in a pentest? Are movies like 'Die Hard' a source of inspiration for your next red team? If so, this talk is for you!

This presentation will present a good list of bad ideas: how to evacuate a building, fake your own death and other similar capers! This talk will also cover some bad ideas for defensive teams, new DoS techniques, a new idea to improve your phishing game, stupid ways to persist and other simple bypasses that you should not try at home.

  • Laurent Desaulniers





The (Long) Journey To A Multi-Architecture Disassembler

We will describe the internals of the disassembler engine we built fully in-house to analyze x86/x64, ARM/ARM64 and MIPS executables (among others).

Disassembly is a well-known problem in the reverse-engineering community, but designing and building a disassembler engine able to deal with architectures like MIPS, ARM/ARM64 and x86/x64 at the same time, compiled by classic compilers or custom obfuscators, is a long and difficult road.

While translating individual instructions to their corresponding assembly representations is doable, producing a correct and complete representation of a whole executable is indeed another story. This adventure includes dealing with numerous compilers’ peculiarities, such as switch-case constructions, position-independent code and control-flow optimizations, while struggling with theoretically intractable questions, such as code and data distinction.

In this talk, we would like to dig into the internals of our own disassembler engine, which is part of JEB reverse-engineering platform. This component produces an assembly-like representation of a whole binary object, in particular for MIPS, ARM/ARM64 and x86/x64 executables, and has been developed fully in-house over the last three years.

During this presentation, we will describe in particular:

  • the design choices behind our disassembler engine. We will explain how we developed most of the logic in a generic way, while trying to keep architecture-specific parts contained, and how the disassembler employs different strategies depending on the architecture and the identified compiler.

  • the use of a so-called “advanced” analysis pass, based on a custom intermediate representation (IR), which allows us to compute possible runtime values in the same way on all architectures. We will explain in particular the design of our IR, and the way we translated native instructions to the IR.

  • the implementation of signatures on machine code, such that classic statically linked libraries are automatically identified. We will dig into the problems that the generation, storage and matching of such signatures brought.

  • the various techniques and tests we developed to assess the disassembler correctness.

Finally, dealing with several (quite different) architectures forced us to very often reassess our assumptions on what machine code is supposed to look like. Throughout this presentation, we will describe the mistakes and wrong assumptions we made, in the hope that it will be useful to fellow security researchers dealing with machine code.

  • Joan Calvet





Fixing the Internet's Auto-Immune Problem: Bilateral Safe Harbor for Good-Faith Hackers

This talk provides an overview of Safe Harbor in the context of good-faith hacking and introduces a current effort to create a standardized, open-source platform via disclose.io.

Thousands of organizations have already adopted the idea of inviting good-faith hackers to hack into their systems via vulnerability disclosure, bug bounty and next-gen pen test programs. Even so, the risk of prosecution under anti-hacking laws still casts a cloud over the hackers who are trying to help, and many programs haven't removed this risk by including Safe Harbor language within their program policies. It's not intentional -- the simple truth is that the market has progressed so rapidly that most have implemented crowdsourced security programs without realizing this issue, nor do they know how to fix it. Bilateral Safe Harbor language enables program owners not only to provide a strong incentive for good-faith hackers in the form of explicit legal protection, but also to outline exactly what constitutes "good-faith" hacking for their organization, while leaving legal protections against malicious hackers intact.

This talk provides an overview of Safe Harbor in the context of good-faith hacking and introduces a current effort to create a standardized, open-source, easily readable legal boilerplate for disclosure program owners all around the world to use.

  • Chloé Messdaghi, BugCrowd





Cache Me If You Can: Messing with Web Caching

Recent developments in AppSec research have shown an increase in popularity of caching-related attacks. This talk will delve into the latest developments in web caching related vulnerabilities.

As application security gained in popularity and maturity, attackers and researchers turned to more creative methods for exploiting web applications. In 2017, security researcher Omer Gil introduced the Web Cache Deception attack. This attack, while trivial to understand and leverage, showed the potential of attacking caching mechanisms instead of targeting the application itself in order to extract sensitive information. In 2018, GoSecure introduced a new class of attack known as Edge Side Include Injection, exploiting a design flaw introduced nearly two decades ago in popular caching servers and cache-providing solutions. Also in 2018, James Kettle released his research on Web Cache Poisoning, which leverages unkeyed input to reflect arbitrary data in an HTTP response in order to get a cross-site scripting payload cached across users.

The findings from this research show the obvious flaws we failed to identify in caching specifications for so long. This talk aims to be a cautionary tale for the next time you need to implement a web caching solution, by providing a practical overview of caching attacks in web applications. We'll look at attacks targeting both modern and legacy web applications, how to detect these design oversights and leverage them, and more importantly how to mitigate them.

  • Louis Dion-Marcil, Mandiant





Safer Online Sex: Harm Reduction and Queer Dating Apps

Harm reduction as a security framework can increase user safety. We will look at a case study around user-centric security based on harm reduction for gay dating apps.

User-centric security and privacy conversations are based around best practices or a binary of what to do and what not to do. This has been detrimental to practical conversations around user security and privacy. In the context of digital sexual expression, users are typically shamed and told not to engage in those activities, without being offered an alternative.

Harm reduction provides an alternative framework that can be used. At its core, harm reduction is based around making risky behaviors safer. It has successfully been used for public health programming around drug use and sexual activities.

This talk will introduce harm reduction as a framework for user-centric security and privacy and walk through an example based on research around gay dating apps. Through this case study, I will discuss some of the ways that taking a harm reduction approach shifted security expectations and priorities to recommend practical features that had major implications for user safety.

Security and privacy harm reduction is still a developing conversation. This talk is aimed at a wide audience to introduce harm reduction as a framework with the goal of improving the methods and practices around user-centric security and privacy.

  • Norman Shamas





Making it easier for everyone to get Let's Encrypt certificates with Certbot

To get to 100% HTTPS adoption, it has to be easy for every website operator to turn on HTTPS. Through usability testing, the Certbot team is making Certbot more helpful for more people.

The last few years have seen a meteoric rise in HTTPS adoption on the web. At this stage, complete adoption is a feasible goal. To get there, it's going to have to be easy for every operator behind every website to turn on HTTPS.

Certbot is EFF's tool for getting automated certificates from Let's Encrypt. Certbot makes getting certificates easier, but how much easier? And which groups of users get left behind?

The Certbot team ran usability studies to find out how people were conceptualizing and using tooling around HTTPS. This talk will cover our (often surprising) results, lessons we learned, and how we're using what we learned to make Certbot more helpful for more people.

  • Erica Portnoy, Electronic Frontier Foundation





Hacking Heuristics: Exploiting the Narrative

Distinctions between advantages and disadvantages are based on context, and with a strong narrative, context can be created.

We shape our world with stories, and with these stories we define our universe. Despite all the advancements in technology, humanity's ability to accurately predict future events is regressing. Why is this happening? Short answer: the narrative.

A strong narrative creates context for the seemingly impossible – red teamers can blend in with network traffic, social engineers can walk into restricted buildings, and security professionals can overcome the imposter syndrome. During this talk, I'll define behavioral heuristic fundamentals and use personal stories to illustrate the impact narration has on adversary simulation activities, developing a career in security, and my perception of myself.

  • Kelly Villanueva, SpecterOps





What is our Ethical Obligation to Ship Secure Code?

There is no legal obligation to ship secure code, but is there an ethical one? This talk argues that companies - and in some cases, individual devs - are obligated to follow strong security best practices.

There is no legal obligation to ship secure code, and most companies survive data breaches without real consequences. Companies all too often decide that security best practices aren't worth the extra resources. And corporate responsibility is often thought of as an obligation to shareholders. But as customers, employees and community members, don't we want to see more than that?

This talk explores the obligations that companies have to their user base, and the ways that community expectations can lead to stronger security practices. We'll begin with an exploration of the nature of community and corporate obligation, drawing from traditional philosophical approaches across culture. Some examples we'll explore:

  1. Even young, scrappy crypto companies will not launch until they have a pen test, referred to as an "audit report." There is no legislation requiring this, but it's become part of the culture. What can we learn from this, to potentially encourage adoption of similar practices in the broader startup community? (Is that even desirable?)

  2. It's accepted that social media companies minimize the use of full time moderators, because that would be expensive. But this comes at a real psychological cost to users. Companies like Facebook and Twitter failed to stop the spread of a violent viral video on March 14th and 15th, despite requests from authorities in New Zealand and complaints from sensitive customers worldwide. What were Facebook and Twitter's obligations here? How does cost factor in?

This talk aims to give a thoughtful overview of the security landscape and current events, with the aim of leaving the audience with a better framework for evaluating corporate obligations and advocating for improved security practices.

  • Elissa Shevinsky, Faster Than Light





M33tfinder: Disclosing Corporate Secrets via Videoconferences

Remotely and without authentication, list the active conferences on a videoconferencing server, obtain meeting information and perform a bruteforce attack to access the information discussed there.

Video conferencing systems are increasingly used to discuss critical issues in corporate environments, but there are very few attacks and tools dedicated to them. Cisco Meeting Server, or CMS, is software used to hold video conferences; it allows users to connect to meetings through different clients or via WebRTC in a browser.

During a series of tests conducted with this software, we detected that remotely and without authentication it is possible to list the active conferences on a CMS server and obtain a large amount of information for each conference, such as the name of the conference, its ID, video address, passcode protection and more. After our report, in November 2018 Cisco published a security advisory for this vulnerability as CVE-2018-15446. We also detected that remotely and without authentication, in some cases it is possible to bruteforce the passcode of conferences that have one, obtain this numeric code and access the corresponding videoconference.

Based on this research, we developed two open source tools in Python, m33tfinder and m33tbreak, that automate this attack knowing only the URL of the CMS server. An attacker using our tools could identify the URL of the CMS of a certain company, obtain the valid conferences, identify the conferences that discuss critical issues such as budgets, directive committees and board meetings, and join the meetings as a guest. That way the attacker could access the critical information discussed in them, or record them, using only a web browser.

In our talk, we will look at the overall security of videoconferencing systems, the story of how we discovered the vulnerability, how to identify the Cisco Meeting Servers exposed on the Internet, the technique used to obtain information about the conferences and perform the bruteforce attack, a demo of the tools carrying out an attack on a CMS, and the countermeasures we can take to protect ourselves from these attacks when administering or using this or another videoconferencing system.

  • Yamila Vanesa Levalle, ElevenPaths





T1: Secure Programming For Embedded Systems

Description of T1, a new programming language that targets embedded systems: low RAM, low ROM, memory-safe, portable, supports coroutines.

Among the myriad of programming languages which have been defined over the last five decades, some provide memory safety (e.g. Java, Rust) but are often inapplicable to low-end embedded systems with 32-bit microcontrollers and a few dozen kilobytes of RAM at best:

  • Both RAM and ROM (Flash) sizes are severely constrained; a bulky runtime system cannot be accommodated, and even a "normal-sized" stack is not an option.

  • Small embedded systems do not have an operating system at all, and do not provide features on which many language runtimes rely, e.g. an MMU to trap dereferencing of NULL pointers, or multithreading.

  • Many microcontrollers use custom or reduced CPU versions that existing code generators do not support, forcing the use of a vendor-provided C compiler.

This talk describes T1, a novel programming language that tries to address these issues. It is an evolution of T0, the Forth-like language which is already successfully used in BearSSL for managing the SSL/TLS handshake and for verifying X.509 certificate chains.

  • Thomas Pornin





Post-Quantum Manifesto

A spectre is haunting the Internet — the spectre of quantum computing. All the powers of old Cryptography have entered into a holy alliance to exorcise this spectre.

Significant advances in quantum computing capabilities would spell the end of the public key infrastructure as we know it. Shor's algorithm, a quantum algorithm for efficiently solving the discrete logarithm problem, means that computational problems whose hardness is the foundation of public key crypto are easy to compute on a quantum computer.

All is not lost for asymmetric cryptography. Quantum key distribution (QKD) allows the establishment of a shared secret key under the sole assumption of an authenticated channel. Post-quantum cryptography looks instead to replace the hardness assumptions on which public-key cryptosystems are built.

This talk will review the computational assumptions relied upon by traditional cryptography and why they fail with the coming of the quantum computer. We will review the proposed alternatives that are part of NIST's post-quantum cryptography standardization efforts.

  • Philippe Lamontagne, NRC





Trick or treat? Unveil the “stratum” of the mining pools

In this presentation we explain how to hunt for cryptomining malicious activities, focusing on detection of collaborative work using the stratum protocol.

In the world of cryptocurrency-related malware, mining botnets are a growing threat for organizations. It is also not unusual today to have banking malware, ransomware, or spyware embedding cryptomining capabilities.

In this presentation we explain how to leverage publicly available sources for hunting cryptomining malicious activities. We focus on a common behavior of such malicious activities: using collaborative work to mine cryptocurrencies.

All the tools and scripts detailed in this presentation are or will be available in a GitHub repository: https://github.com/kwouffe/

  • Emilien Le Jamtel, CERT-EU

  • Ioana-Andrada Todirica, CERT-EU





xRAT: Monitoring Chinese Interests Abroad With Mobile Surveillance-ware

The rapid evolution of targeted Android surveillance-ware has enabled China’s mobile arsenal to successfully compromise target devices for years - this talk dives into the xRAT family and its tools.

With mobile becoming the platform of choice for advanced threat actors regardless of their budget, this talk will take a closer look at a custom surveillance tool called xRAT, which has its roots in previously reported malware known as mRAT and Xsser. Both of these early pieces of malware have been associated with attacks against pro-democracy activists in Hong Kong dating as far back as 2014. However, xRAT was under rapid development in mid-2017 and again in the second half of 2018, with a different focus.

  • Apurva Kumar, Lookout

  • Arezou Hosseinzad-Amirkhizi





DNS On Fire

Cisco Talos has identified malicious actors successfully targeting the DNS protocol over the past several years. In this presentation, we will present two threat actors we have been tracking.

The first one developed a piece of malware, named DNSpionage, targeting several government agencies in the Middle East, as well as an airline. During the research process for DNSpionage, we also discovered an effort to redirect the targets' DNS records and found SSL certificates registered for them. We identified multiple countries targeted by this redirection. On 22 January 2019, the US DHS published a directive concerning this attack vector. In this presentation, we will present the timeline of these events and their technical details. The second actor is behind the campaign we named “Sea Turtle”. This actor is more advanced and more aggressive than the previous one. They do not hesitate to directly target registrars and one registry. The talk will present the two actors and the methodology used to target the victims.

  • Warren Mercer, Talos

  • Paul Rascagnères, Talos





One Key To Rule Them All - ECC Math Tricks

Come and listen to a tale in which we build upon basics about Elliptic Curves to discover how we could have One Key To Rule Them All, in order to do SSH key management or even build a WireGuard PKI.

Among the novelties developed for Bitcoin, one can find a very interesting scheme for asymmetric key derivation introduced in BIP32 (“Bitcoin Improvement Proposals”). The principle is to be able to derive child keys in a deterministic way from their parents’ keys.

This is a “feature” which is already available in plain ECC, since one can simply exploit the distributivity of scalar multiplication over the elliptic curve addition law.

No blockchain is needed, so in this talk I'll explain some basic EC maths, then how this key derivation works, and finally showcase a few examples.

  • Yolan Romailler





Threat hunting in the cloud

There are limited built-in capabilities for detecting attacks and post-exploitation of cloud services. This talk will cover methods of identifying threat actors via cloud and endpoint signals.

An endpoint security strategy can incorporate many layers of technology and security controls. Solution components such as Endpoint Protection Platforms (EPP), Endpoint Detection and Response (EDR), application whitelisting and more are used to provide protection and response to specific threats that affect endpoints. When dealing with endpoints that reside in cloud infrastructure, new risks are introduced that cannot be adequately monitored with traditional endpoint solutions alone.

This presentation will go over general best practices for securing a cloud environment (AWS/Azure) including the use of EDR on instances as well as methods that can be employed to conduct threat hunting exercises against collected data. We will also discuss what additional investigative details and context can be gained through correlation of endpoint and cloud events.

  • Jacob Grant, eSentire

  • Kurtis Armour, eSentire





Using Geopolitical Conflicts for Threat Hunting - How Global Awareness Can Enable New Surveillanceware Discoveries

Geopolitical decisions are based on digital espionage; awareness of foreign affairs and human elements behind surveillance campaigns greatly assists in understanding and finding new surveillance-ware.

When on the hunt for new malware, the digital connection to the physical world can often be overlooked. We’re constantly reminded in the news of political struggles and physical warfare, with adversaries targeting each other through sanctions or military action. However, a large portion of these real-world decisions are driven by digital espionage, which is evolving at an exponential rate - even ‘traditional’ digital espionage like desktop malware and phishing campaigns is being supplemented by state-sponsored mobile surveillance-ware. This talk will highlight four real-world mobile espionage campaigns tied to political and physical conflicts, allowing attendees to get a broader understanding of the targeting and intelligence collection techniques of global actors, as well as the tool development used to evade (repeated) detection, and hopefully to use these characteristics to enhance threat hunting efforts.

  • Kristin Del Rosso, Lookout





Welcome to the Jumble: Improving RDP Tooling for Malware Analysis and Pentesting

PyRDP, the open-source RDP man-in-the-middle, allows complete interception of Remote Desktop sessions. This opens the door for new techniques in malware research and pentesting.

The RDP protocol has a wide variety of interesting features, yet no tool supported the full complexity of the protocol for information security purposes. Inspired by RDPY, we created PyRDP, an open-source general-purpose RDP man-in-the-middle tool. This presentation will cover use cases for PyRDP in malware research and pentesting.

First, we added new features to our project to help with malware research. One crucial feature is the ability to rewrite the username and password sent to the server. This is used to allow access to the target RDP server to anyone using any credentials, which maximizes hostile interactions. Our tool also saves full RDP sessions to disk as well as clipboard content and files transferred during the sessions. Having session replays allows us to extract tactics, techniques and procedures (TTPs) from malicious actors. By using our tool and pointing it to a real RDP server, we created a fully interactive honeypot and caught a malware actor in the act.

We will do a demonstration of these features and show replays of the malware actor we caught.

Second, in a corporate environment, RDP is oftentimes used by high-privilege user accounts to manage Active Directory, servers, users' workstations and more. Using RDP is so ingrained in day-to-day tasks that users stop thinking about the potential consequences of connecting to random machines.

We will present PyRDP's use cases in pentesting engagements and propose an approach to compromising high-privileged accounts. A man-in-the-middle in an RDP context can be used to capture credentials, but it can do more. Instead of reusing the credentials to launch another connection, attackers can interactively hijack the existing connection and disguise their actions as coming from the victim. Additionally, it can lead to the partial compromise of the client machine by abusing features such as drive redirection to enumerate and download sensitive files. PyRDP can also be used to challenge the incident response process by attracting the incident response team to a machine and capturing their credentials as they connect. Finally, the replay files produced by PyRDP can be used to demonstrate the impact of a compromise to high-level executives.

The talk will cover these attack scenarios in depth and will end with a short demo of the open-source tool and its capabilities.

  • Émilio Gonzalez, Université de Sherbrooke

  • Francis Labelle





Post-Quantum Cryptography: today's defense against tomorrow's quantum hackers

I present Post-Quantum Cryptography designed to resist attacks by quantum computers, and describe our experiments in integrating it into protocols such as TLS, SSH, and VPN.

Quantum computers pose a grave threat to the cryptography we use today. Sure, they might not be built for another decade, but today’s secrets are nonetheless at risk: indeed, many adversaries have the capability to record encrypted traffic today and decrypt it later. In this talk, I give an overview of post-quantum cryptography (PQC), quantum-safe alternatives developed to alleviate this problem. I talk about the NIST PQC competition that will lead to new standards to replace RSA and ECC, I present our prototype integrations into real-life protocols and applications (such as TLS, SSH, and VPN), and our experiments on a variety of devices (from IoT, to cloud, to HSM). I discuss the Open Quantum Safe project for PQC development, and the related open-source forks of OpenSSL, OpenSSH, and OpenVPN that can be used to experiment with PQC today. I'll present a demo of a post-quantum TLS 1.3 connection. Finally, I explain the practicality of PQC, and how to start experimenting with it to defend your applications and services against the looming quantum threat.

  • Christian Paquin, Microsoft





Call Center Authentication

I called dozens of contact centers to learn about how companies attempt to identify and authenticate the end user. This talk will share best practices you can use to secure your own call centers.

You've built login for your application—maybe you even have 2FA—but what happens when a customer calls the support number listed on your website or product?

Security teams and app developers have thought a lot about online authentication, but we haven't applied the same rigor to designing systems for authenticating over the phone. At Twilio, product and engineering teams have spent the last year thinking about this problem and how to make the experience better for both the customer and the call center agent. In that time, I've called dozens of contact centers to learn about how everyone from startups to Fortune 50 companies attempt to identify and authenticate the end user. This talk will take a look at that research and outline best practices you can use in your own call centers. You'll leave the session understanding what information should be made available to the agent and what kind of product features you can build into your web or mobile application that can facilitate phone authentication.

  • Kelley Robinson, Twilio





Mainframe Hacking in 2019

Over the past 5 years, tactics, techniques and procedures have been developed to help you pentest a mainframe. This talk will cover new tools not yet released and new techniques to help you hack yours.

Mainframes, once thought unhackable, are now anything but. This talk will cover the following:

  • History of mainframe hacking
  • New TTPs since previous NorthSec talk
  • About Mainframes - A quick overview
  • TCP/IP to SNA and Logical Unit ENUM
  • Getting access - How to get a shell
  • Operating system enumeration (REXX/HLASM), privilege escalation and detection avoidance
  • Unix enumeration and privilege escalation

  • Philip Young





The SOC Counter ATT&CK

Leverage the MITRE ATT&CK Framework to improve your organization's security posture and bring your SOC up to speed with the current Tactics, Techniques and Procedures (TTPs) that modern threat actors use.

The goal of the talk is to answer a few questions we often see or hear: “ATT&CK is nice and all, but how do I (we) get started?“, “How can I (we) detect those TTPs?“, “Why use the ATT&CK Framework?“, etc. The ATT&CK Framework from MITRE is the new hotness in the InfoSec world. There are a lot of open-source projects that use it, commercial products have started using it to show which TTPs they cover, and it even has its own conference: ATT&CKcon.

  • Mathieu Saulnier, Bell Canada