OpenAnalysis Inc
DTCC
ESET
Proofpoint
Bishop Fox
Microsoft
Lab2038
BoostSecurity.io
BoostSecurity.io
N/A
Google Cloud
EY Canada
GitHub
Microsoft / Curated Intelligence
ESET
GoSecure
GreyNoise Intelligenc
Red Trident Inc.
Mandiant
Flare
Yellow Flag Security Inc.
Capgemini
CrowdStrike
F5
ZeroNetworks
Desjardins
White Knight Labs
White Knight Labs
Fast IOT
White Knight Labs
White Knight Labs
White Knight Labs
White Knight Labs
White Knight Labs
Invoke RE
White Knight Labs
GoSecure
Hacktive Education
Immerse yourself in our latest in-person, hands-on Offensive Active Directory Operator Course (OADOC) simulating advanced Active Directory exploitation. From enumeration to privilege escalation and defense evasion, you'll refine your expertise in exploiting modern Active Directory environments the way an advanced adversary would. Over this three-day course, instructors will guide you through dynamic attack paths inspired from real-world operations with Lab access along with an exam attempt.
This course also emphasizes on Active Directory abuses with operational security in mind, maintaining a minimal footprint while evading modern defenses. By the end, you'll have mastered a wide array of Active Directory exploitation techniques, equipping you to tackle complex engagements in real-world scenarios.
Munaf Shariff , White Knight Labs
Munaf Shariff is an information security professional whose primary areas of expertise include penetration testing, red teaming, malware development, defense evasion and Active Directory security. Munaf has worked extensively on various Red Team and Active Directory security topics holding industry recognized certifications and is actively contributing to the community with open source projects like Disable-TamperProtection and more. He also has delivered trainings at conferences like DEFCON, BLACKHAT and more.
He works as a Senior CNO Tool Developer at White Knight Labs which is a company focused on offensive security based services and hands-on enterprise security trainings.
Dive deep into cutting edge techniques that bypass or neuter modern endpoint defenses. Learn how these solutions work to mitigate their utility and hide deep within code on the endpoint. The days of downloading that binary from the internet and pointing it at a remote machine are over. Today’s defenses oftentimes call for multiple bypasses within a single piece of code.
This course is designed to take you deep into defensive and offensive tooling – an apex attacker must know the own indicators of compromise (IOCs) they’re creating and the artifacts they’re leaving behind.
Students will have access to several EDR products and Cobalt Strike in this course.
Greg Hatcher , White Knight Labs
Greg has a background in Army Special Forces and teaching Windows internals at the NSA. He also led a 3-man red team for CISA that specialized in attacking America’s critical infrastructure. He authored and teaches WKL’s flagship course, Offensive Development, at Wild West Hackin’ Fest and virtually on the Antisyphon platform. Greg is passionate about C programming for the Windows operating system and abusing Active Directory. Greg is an active member of the following organizations: Cloud Security Alliance, the Right Place, American Corporate Partners, West Michigan Technology Council. He regularly appears in the news discussing cyber warfare and the impact of Chinese APTs on America's critical infrastructure. Greg has the following certifications: GXPN, GCPN, CRTP, CISSP, GWAPT, and GSEC.
Dive deep into cutting edge techniques that bypass or neuter modern endpoint defenses. Learn how these solutions work to mitigate their utility and hide deep within code on the endpoint. The days of downloading that binary from the internet and pointing it at a remote machine are over. Today’s defenses oftentimes call for multiple bypasses within a single piece of code.
This course is designed to take you deep into defensive and offensive tooling – an apex attacker must know the own indicators of compromise (IOCs) they’re creating and the artifacts they’re leaving behind.
Students will have access to several EDR products and Cobalt Strike in this course.
Modern IT systems are complex and it’s all about full-stack nowadays. To become a pentesting expert, you need to dive into full-stack exploitation and gain a lot of practical skills. That’s why I created the Full-Stack Pentesting Laboratory.
For each attack, vulnerability and technique presented in this training there is a lab exercise to help you master full-stack pentesting step by step. What’s more, when the training is over, you can take the complete lab environment home to hack again at your own pace.
I found security bugs in many companies including Google, Yahoo, Mozilla, Twitter and in this training I’ll share my experience with you. The content of this training has been carefully selected to cover the topics most frequently requested by professional penetration testers.
Dawid Czagan is an internationally recognized security researcher and trainer. He is listed among top hackers at HackerOne. Dawid Czagan has found security bugs in Apple, Google, Mozilla, Microsoft and many others. Due to the severity of many bugs, he received numerous awards for his findings.
Dawid Czagan shares his offensive security experience in his hands-on trainings. He delivered trainings at key industry conferences such as DEF CON (Las Vegas), Hack In The Box (Amsterdam), CanSecWest (Vancouver), 44CON (London), Hack In Paris (Paris), NorthSec (Montreal), HITB GSEC (Singapore), BruCON (Ghent) and for many corporate clients. His students include security specialists from Oracle, Adobe, ESET, ING, Red Hat, Trend Micro, Philips and government sector (references are attached to Dawid Czagan's LinkedIn profile (https://www.linkedin.com/in/dawid-czagan-85ba3666/). They can also be found here: https://silesiasecuritylab.com/services/training/#opinions).
Dawid Czagan is the founder and CEO at Silesia Security Lab. To find out about the latest in his work, you are invited to subscribe to his newsletter (https://silesiasecuritylab.com/newsletter) and follow him on Twitter (@dawidczagan), YouTube (https://www.youtube.com/channel/UCG-sIlaM1xXmetFtEfqtOqg), and LinkedIn (https://www.linkedin.com/in/dawid-czagan-85ba3666/).
The introduction to Malware Binary Triage (IMBT) course provides a comprehensive overview of the malware binary triage process. You will learn to reverse engineering and analyze real-world malware samples, including a nation state SMB worm, prolific loaders used by cybercriminals and a ransomware variant that has been used to attack critical infrastructure. You will learn to use Binary Ninja, x64dbg and other common open-source tools to achieve your analysis objectives. You will also learn how to analyze advanced malware techniques, including obfuscation, process injection and packing algorithms.
This course consists of eleven modules, each containing lectures and practical labs to apply the knowledge that you have gained as you complete the training course. We provide both practical demonstrations and written materials, so no matter what your learning style is, you can complete the course successfully.
Joshua Reynolds is the founder of Invoke RE. Joshua has over ten years of reverse engineering, malware analysis and security experience working for industry leading companies. He has spoken at major conferences such as REcon, RSA, DEF CON and Virus Bulletin on topics including ransomware, malicious document analysis and automating malware analysis. He has also co-developed a malware analysis course that is taught at SAIT Polytechnic.
WKL's ARTO course is meant to fill in the gaps for senior penetration testers that want to pivot into conducting red team operations against mature enterprise environments. Students will be given a Terraform script that spins up their own dedicated lab environment that they lifetime access to. Students will go through the process of purchasing domains to simulate deploying their red team attack infrastructure. WKL's instructors will go in-depth regarding the usage of CDNs in GCP, AWS, and Azure for redirectors. At the end of the course, students will have the opportunity to test their knowledge by taking the Advanced Red Team Operation Certification exam, a rigorous, hands-on 48 hours exam where students will need to gain Domain Admin control over the stigs-corp.local network and accomplish various objectives.
John Stigerwalt , White Knight Labs
John has worked as blue teamer, vCISO, developer, senior penetration tester, and red team lead. John served as the F-Secure red team lead for the western hemisphere. He has led long‐term red team engagements in highly complex Fortune 500 companies. He has worked together with Microsoft to increase kernel security for the Windows operating system. He has led training at BlackHat, DerbyCon, and Wild West Hackin’ Fest. He is the author WKL’s Advanced Red Team Operations course (ARTO). John has the following certifications: OSCP, OSCE, CRTP (Certified Red Team Professional), CRTE (Certified Red Team Expert), and SLAE (Assembly Language and Shellcoding). John is known as one of the most talented offensive cyber security experts in the world and can do whatever is asked of him on a computer.
WKL's ARTO course is meant to fill in the gaps for senior penetration testers that want to pivot into conducting red team operations against mature enterprise environments. Students will be given a Terraform script that spins up their own dedicated lab environment that they lifetime access to. Students will go through the process of purchasing domains to simulate deploying their red team attack infrastructure. WKL's instructors will go in-depth regarding the usage of CDNs in GCP, AWS, and Azure for redirectors. At the end of the course, students will have the opportunity to test their knowledge by taking the Advanced Red Team Operation Certification exam, a rigorous, hands-on 48 hours exam where students will need to gain Domain Admin control over the stigs-corp.local network and accomplish various objectives.
The "Attacking and Securing CI/CD Pipelines" course is a dynamic, hands-on training program designed to equip participants with the skills to identify, exploit, and mitigate vulnerabilities within Continuous Integration and Continuous Deployment environments. As CI/CD pipelines form the backbone of modern software development, their security is paramount. This self-paced course blends theoretical insights with practical, real-world labs to create an immersive learning experience.
Participants will explore critical security concepts, including hijacking techniques, artifact poisoning, branch protection misconfiguration bypasses, and OIDC misconfigurations. The course also emphasizes countermeasures and best practices for securing pipelines across popular platforms like GitHub Actions, AWS CodeBuild, CircleCI and Azure DevOps. By the end of the program, learners will have the expertise to both attack and secure CI/CD environments effectively.
Designed for DevSecOps professionals, penetration testers, red team operators, and security engineers, the course provides a flexible and comprehensive approach to CI/CD security. Whether you're securing pipelines or simulating attacks, this course offers a robust foundation in CI/CD security.
Harish Poornachander , White Knight Labs
Harish Poornachander is an accomplished information security professional with expertise in application security, cloud security, and CI/CD pipeline security. He is the lead developer of the course on Attacking and Securing CI/CD Pipelines, where he provides hands-on insights into identifying and mitigating vulnerabilities in CI/CD pipelines.
With extensive experience in bug bounty programs, Harish has contributed to both sides of the ecosystem, serving as a skilled researcher and an efficient triager. He has reported CI/CD vulnerabilities and misconfigurations to major organizations, including Microsoft, Google, Apache, GitHub, and others.
Harish has earned the Microsoft's Most Valuable Researcher (MVR) 24 badge and was part of the Synack Red Team (SRT) at the 0x03 level. He is currently a member of the Yogosha Strike Force and holds the OSWE certification.
This is a Q&A session. Moderators will take audience questions both remotely and on-site via sli.do.
Q&A Discussion for the red team block.
Talks will be streamed on YouTube and Twitch for free.
In a world where MFA is enabled on every portal and everything is a web application, red teamers can access cookies and cached information from your browser to gain access to everything without knowing a simple password or having access to your MFA.
The training is divided into five sections: Initial Foothold, Gaining Access, Offensive Coding, Internal Reconnaissance, and Lateral Movement. Each section will be covered in depth, providing technical evidence of how each technique works. Red team exercises will be performed to assess responsiveness and detection capabilities. As a red teamer, it is important to understand what each tool and command you use is doing behind the scenes to provide proper guidance. The training will help you understand the tools and techniques used during a red team exercise, develop your own toolset, adapt existing tools when needed, identify new techniques or potential evasion tricks, and gain an overview of the popular methods used in red team exercises.
Expect to perform code reviews, network analysis, code behavior analysis, and write code to enhance your red team capabilities.
Charles F. Hamilton (Mr.Un1k0d3r) ,
Charles Hamilton is a Red Teamer with over ten years of experience delivering offensive testing services for various government clients and commercial sectors. In recent years, Charles has specialized in covert Red Team operations targeting complex and highly secured environments. These operations have enabled him to refine his skills in stealthily navigating client networks without detection.
Since 2014, he has been the founder and operator of the RingZer0 Team website, a platform dedicated to teaching hacking fundamentals. The RingZer0 community currently boasts over 50,000 members worldwide. Charles is also a prolific toolsmith and trainer who has delivered this training more than 20 times, both online and onsite. He is a speaker in the InfoSec industry, known under the handle Mr.Un1k0d3r.
Yesterday, it was Salt Typhoon. Today, it’s Liminal Panda. Tomorrow, they’ll target your latest fifth-generation networks. As 5G becomes the backbone of sensitive data management and mission-critical operations, its security is more crucial than ever. However, there’s a pressing gap in the expertise and skills needed to safeguard these systems effectively. This 5G Core Security Training is designed to give security pros the skills to identify and counter security threats in 5G networks. You'll dive into 5G core security, protocols, and learn how to use pentesting tools to assess vulnerabilities and develop exploits. The training also covers the latest security challenges and best practices, with hands-on exercises simulating real-world attacks and defenses on a local, isolated (zero RF transmitting) 5G network setup.
Dr. Altaf Shaik is a senior researcher at the Technische Universität Berlin in Germany, and conducts advanced research in telecommunications esp. in 6G security architecture, openRAN, and 5G radio access and core network security. He holds more than 11 years of experience in Telecom security and combines a professional background in embedded programming, wireless communications, and offensive network security.
Dr. Shaik spent his career as a security engineer and expert at various leading telecommunication companies including Gemalto (currently Thales), Deutsche Telekom (Germany), and Huawei Technologies (Sweden). His PhD research assisted in improving the 3GPP 4G security standards and also exposed several vulnerabilities in commercial mobile networks affecting millions of base stations, networks, and handsets worldwide. His post-doctoral research exposed vulnerable API designs in latest 5G networks and slicing vulnerabilities in the 5G security specifications leading to serious attacks.
Dr. Shaik is a frequent speaker and trainer at various prestigious international security conferences such as Blackhat, T2, SECT, Nullcon, Hardware.io and HITB, 44CON, and many others. His accomplishments landed him in the hall of fame of organizations like Google, Qualcomm, Huawei, and GSMA. He is also the founder of Kaitiaki labs and FastIoT that trains internationally various companies and governmental organizations in exploit development and also building secure mobile and IoT networks including their testing and security assessment.
This comprehensive Offensive Azure Operation & Tactics Certification course provides a deep dive into Azure's infrastructure and security landscape. Participants will explore various modules covering essential components such as Azure infrastructure understanding, enumeration techniques, initial access strategies including phishing methods, abusing reader roles, misconfigurations, and exploiting Azure services. The course extends into post-exploitation techniques, pivoting between cloud and on-premises environments, compromising DevOps, Devices using Microsoft Intune, Entra ID Connect features, leveraging Azure services for persistence, conducting Azure configuration assessments, and utilizing automation tools for security checks. This hands-on course equips participants with practical insights and skills crucial for identifying and exploiting Azure components.
Chirag Savla , White Knight Labs
Chirag Savla is a cyber security professional with 10+ years of experience. His areas of interest include penetration testing, red teaming, azure and active directory security, and post-exploitation research. For fun, he enjoys creating open-source tools and exploring new attack methodologies in his leisure. Chirag has worked extensively on Azure, Active Directory attacks and defense, and bypassing detection mechanisms. He is the author of multiple open source tools such as Process Injection, Callidus, and others. He has presented at many conferences and local meetups and has trained people in international conferences like Blackhat, BSides Milano, Wild West Hackin’ Fest, HackSpaceCon, VulnCon etc.
This comprehensive Offensive Azure Operation & Tactics Certification course provides a deep dive into Azure's infrastructure and security landscape. Participants will explore various modules covering essential components such as Azure infrastructure understanding, enumeration techniques, initial access strategies including phishing methods, abusing reader roles, misconfigurations, and exploiting Azure services. The course extends into post-exploitation techniques, pivoting between cloud and on-premises environments, compromising DevOps, Devices using Microsoft Intune, Entra ID Connect features, leveraging Azure services for persistence, conducting Azure configuration assessments, and utilizing automation tools for security checks. This hands-on course equips participants with practical insights and skills crucial for identifying and exploiting Azure components.
Raunak Parmar , White Knight Labs
Raunak Parmar works as a senior cloud security engineer at White Knight Labs. His areas of interest include web penetration testing, Azure/AWS security, source code review, scripting, and development. He enjoys researching new attack methodologies and creating open-source tools that can be used during cloud red team activities. He has worked extensively on Azure and AWS and is the author of Vajra, an offensive cloud security tool. He has spoken at multiple respected security conferences like Black Hat, Defcon, Nullcon, RootCon, and also at local meetups.
This updated Black Hat edition training offers hands-on threat modeling exercises based on real-world projects, to equip participants with skills as Threat Modeling Practitioners. The course integrates exercises using MITRE ATT&CK, Agile and DevOps practices, and includes a challenge on threat modeling a Machine Learning-Powered Chatbot. Participants will engage in CTF-style challenges, battling for control over an offshore wind turbine park, in a threat modeling war game.
For beginner to intermediate learners, the training includes a two-hour introductory self-paced module. Exercises focus on practical use cases with detailed environments, questions, and templates. Students, in teams of 3-4, will do challenges: - Diagramming techniques for a travel booking service - Threat modeling cloud-based update services for IoT kiosks - Developing attack trees against a nuclear research facility - Using MITRE ATT&CK for SOC Risk-Based Alerting systems - Mitigating threats in payment services with microservices and S3 buckets - Applying the OWASP Threat Modeling Playbook in agile development - Securing CI/CD pipelines
Each exercise concludes with group discussions and documented solutions. Participants receive the Threat Modeling Playbook, a year of online learning platform access, and will get feedback and guidance on an after-training assignment.
Sebastien Deleersnyder, also known as Seba, is a highly accomplished individual in the field of cybersecurity. He is the CTO and co-founder of Toreon, as well as the COO and lead threat modeling trainer of Data Protection Institute. Seba holds a Master's degree in Software Engineering from the University of Ghent, and has extensive experience in the development and training of secure software. He is the founder of the Belgian chapter of OWASP and a former member of the OWASP Foundation Board. In 2022, Seba was honored as the Cyber Security Personality of the Year by the Cyber Security Coalition in Belgium, where he currently serves as the chair of the new AppSec focus group. Through his leadership on OWASP projects such as OWASP SAMM, Seba has made a significant impact in improving global security. He is currently focused on adapting application security models to the evolving landscape of DevOps and raising awareness of the importance of threat modeling among a wider audience.
Workshops are first-come, first-serve and have limited capacity. Some workshops may be streamed for additional passive participation.
As the authors of this talk can testify from experience, it feels almost impossible to detect cyberattacks, let alone stop them. Alert fatigue and a shortage of automation, skills, and personnel further exacerbate this problem, emphasizing the need for prevention mechanisms that allow defenders time to investigate threats.
Incident response, even if automated, is best done after an attack has already been thwarted. Easier said than done? Not really if you use the right tools!
The right tools we will discuss in this talk are our open-source RPC-Firewall and LDAP-Firewall. First, we prevent! We show how these tools can be used in every Microsoft domain environment to halt innumerable attacks throughout the kill chain. We can stop the initial stages of an attack by preventing domain enumerations via SharpHound, BloodHound.py, SOAPHound, and various LDAP queries. We can also prevent numerous types of privilege escalation and lateral movement attacks, including DCSync attacks, remote DCOM execution, PsExec, PetitPotam attacks, Coercing attacks, and many more…
Second, we detect! Our open-source tools write Windows events to the local event logs, which can be easily forwarded to your local SIEM. The RPC Firewall and LDAP Firewall also have their own Sigma rules published for them, making detection engineering even simpler. Using Sentinel as an example, we show how these events can be ingested into any SIEM, how baselines can be easily created, and how detection rules are formulated.
Finally, we will summarize with RPC and LDAP firewall internals, which will help guide the security community on how to better contribute, expand, and customize these open-source tools to bring more value to the community.
Sagie VP Research, ZeroNetworks
Sagie is a defensive security researcher, leading the Zero-Labs team as VP of Research @ Zero Networks. With a bachelor's in Electrical-Engineer, Sagie started out designing and breaking-up communication schemas in the Intelligence unit of the military. After his service, Sagie went on to perform research on diverse topics, introducing new attacks techniques such as the "man-in-the-cloud" attacks and supply chain compromises against container developers. In recent years, Sagie is focused on research that delivers practical solutions to security teams, mainly in the form of open source security tools.
Workshops are first-come, first-serve and have limited capacity. Some workshops may be streamed for additional passive participation.
As the authors of this talk can testify from experience, it feels almost impossible to detect cyberattacks, let alone stop them. Alert fatigue and a shortage of automation, skills, and personnel further exacerbate this problem, emphasizing the need for prevention mechanisms that allow defenders time to investigate threats.
Incident response, even if automated, is best done after an attack has already been thwarted. Easier said than done? Not really if you use the right tools!
The right tools we will discuss in this talk are our open-source RPC-Firewall and LDAP-Firewall. First, we prevent! We show how these tools can be used in every Microsoft domain environment to halt innumerable attacks throughout the kill chain. We can stop the initial stages of an attack by preventing domain enumerations via SharpHound, BloodHound.py, SOAPHound, and various LDAP queries. We can also prevent numerous types of privilege escalation and lateral movement attacks, including DCSync attacks, remote DCOM execution, PsExec, PetitPotam attacks, Coercing attacks, and many more…
Second, we detect! Our open-source tools write Windows events to the local event logs, which can be easily forwarded to your local SIEM. The RPC Firewall and LDAP Firewall also have their own Sigma rules published for them, making detection engineering even simpler. Using Sentinel as an example, we show how these events can be ingested into any SIEM, how baselines can be easily created, and how detection rules are formulated.
Finally, we will summarize with RPC and LDAP firewall internals, which will help guide the security community on how to better contribute, expand, and customize these open-source tools to bring more value to the community.
Workshops are first-come, first-serve and have limited capacity. Some workshops may be streamed for additional passive participation.
Apprenez à réaliser des tests d'intrusion de manière sécurisée, professionnelle et efficace avec Exegol. Prenez une longeur d'avance en suivant ce training qui se concentrera sur la manière dont les professionnels peuvent facilement configurer et utiliser leur environnement de test d'intrusion, basé sur Docker, en quelques minutes, sans difficulté. L'époque des tests d'intrusion non professionnels, non sécurisés et laborieux est révolue.
Workshops are first-come, first-serve and have limited capacity. Some workshops may be streamed for additional passive participation.
Apprenez à réaliser des tests d'intrusion de manière sécurisée, professionnelle et efficace avec Exegol. Prenez une longeur d'avance en suivant ce training qui se concentrera sur la manière dont les professionnels peuvent facilement configurer et utiliser leur environnement de test d'intrusion, basé sur Docker, en quelques minutes, sans difficulté. L'époque des tests d'intrusion non professionnels, non sécurisés et laborieux est révolue.
Workshops are first-come, first-serve and have limited capacity. Some workshops may be streamed for additional passive participation.
The objective of the workshop is to learn how to use some powerful but intimidating tools while reverse engineering IOT devices: Angr, Unicorn and Qiling.
The workshop aim to show common use cases for each of these tools and also their limits.
To that end, the workshop will propose the following exercices:
This is a Q&A session. Moderators will take audience questions both remotely and on-site via sli.do.
Q&A Discussion for the hardware block
Marc-andre Labonte was a system administrator for more than a decade at the McGill Genome Center while it was known as the McGill University and Genome Quebec Innovation Center. There, he took part in the design, deployment, operation and maintenance of the data center as it went through multiple upgrade cycles to accommodate ever powerful high throughput genome sequencers coming to market.
Then, he joined the ETTIC team at Desjardins in 2016 as infrastructure penetration tester. Currently doing vulnerability research on IOT devices, he also presented "Automated contact tracing experiment on ESP Vroom32" workshop at NSEC in 2021. His work is motivated by curiosity and a strong sense of personal privacy in a world of connected devices and data hungry organizations.
Workshops are first-come, first-serve and have limited capacity. Some workshops may be streamed for additional passive participation.
This is an introduction to crypto: building blocks, protocols and attacks on them. We cover: encoding vs encryption, hashes, ‘classic’ crypto, stream ciphers, block ciphers, symmetric crypto, asymmetric crypto, has attacks, classic crypto attacks, stream cipher attack, block cipher attack models, ECB attacks, crypto protocols, digital signatures, message authentication code, nonces, simple authentication, challenge response, simple authentication attacks (key collisions, key extraction and extension, replay, valet, bad counter resync), MAC attacks, digital signature attacks, pubkey substitution, challenge response attacks (middleperson attack, UDS style seed-key predictions), WPA2 password cracking, WPA2 key reinstallation, WPA2 key nulling, TLS/SSL middleperson attacks, SWEET32, DROWN, logjam, POODLE, UDS seed-key exchange attacks (reverse key algorithm, lift key algorithm, solve for unknowns, retry-retry-retry, brute force, glitch past).
Tools covered include: rumkin.com, hashcat, john the ripper, binwalk, radare2, binvis.io, Veles, airocrack-ng, mitmproxy, MITMf.
The workshop is a ‘101’ level: geared for people good at computers but maybe no knowledge of cryptography. There will be minimal math (I promise). We’ll talk mostly about how to break bad crypto and bad crypto algorithms with 10-15min hands-on sessions integrated into 4 hours of workshop: Decrypt ‘Crypto’, Break Hashes, Break Crypto, Visualize Crypto.
We will explore three applications of the building blocks and attacks also. Towards the end we tie-in the building blocks and attacks into how the following crypto protocols get broken: WPA2, TLS and UDS Seed-Key exchange (from automotive). Please join us for an intro-level exploration of cryptography building blocks, protocols and how to attack them. And, as always, crypto means cryptography.
Ben Gardiner , Yellow Flag Security Inc.
Mr. Gardiner is an independent consultant at Yellow Flag Security, Inc. presently working to secure commercial transportation at the NMFTA and connected transportation with TMNA. With more than ten years of professional experience in embedded systems design and a lifetime of hacking experience, Gardiner has a deep knowledge of the low-level functions of operating systems and the hardware with which they interface. Prior to YFS Inc., Mr. Gardiner held security assurance and reversing roles at a global corporation, as well as worked in embedded software and systems engineering roles at several organizations. He holds a M.Sc. Eng. in Applied Math & Stats from Queen’s University. He is a DEF CON Hardware Hacking Village (DC HHV) and Car Hacking Village (CHV) volunteer. He is GIAC GPEN certified and a GIAC advisory board member, he is also chair of the SAE TEVEES18A1 Cybersecurity Assurance Testing TF (drafting J3061-2), contributor to several ATA TMC task forces, ISO WG11 committees, and a voting member of the SAE Vehicle Electronic Systems Security Committee. Mr. Gardiner has delivered workshops and presentations at several world cybersecurity events including the Cybertruck Challenge, GENIVI security sessions, Hack in Paris, HackFest and DEF CON main stage.
Workshops are first-come, first-serve and have limited capacity. Some workshops may be streamed for additional passive participation.
Our training provides an intuitive introduction to machine learning for security professionals with no prior knowledge of mathematics or ML. In the ML4SEC section attendees will gain hands-on experience building MLpowered defensive and offensive security tools using popular libraries like Tensorflow, Keras, Pytorch, and sklearn. We’ll cover the entire ML pipeline, from pre-processing data to building, training, evaluating, and predicting with ML models. In the SEC4ML section we’ll address vulnerabilities in state-of-the-art machine learning methodologies, including adversarial learning, model stealing, data poisoning, and model inference. Participants will work with vulnerable ML applications to gain a thorough understanding of these vulnerabilities and learn possible mitigation strategies. Our training provides practical knowledge that security professionals can apply in their work
Sagar Bhure Senior Software Engineer, F5
Sagar Bhure is a highly accomplished Security Researcher with a proven track record of excellence in his research on security. He is a filed patent holder with the US for his innovative work on ML and Security and has published several papers on the subject in top-tier journals. He currently leads various projects at OWASP, including the prestigious "ML Security Top 10" , an OWASP flagship project. Sagar has spoken at several industry-leading international conferences, including Hack in Paris, BlackHat, OWASP, and APISecure. He is regarded as a respected thought leader in the cybersecurity community, frequently invited to speak at conferences and workshops on topics related to offensive and defensive security. Sagar’s engaging presentations have helped to educate security professionals with cutting-edge research and tools to strengthen their security toolkits.
Workshops are first-come, first-serve and have limited capacity. Some workshops may be streamed for additional passive participation.
Are you a seasoned reverse engineer, but you tremble when a Rust binary lands on your desk? When you encounter a Rust binary, do you just run strings on it and hope for the best?
We will take a single problem - string recovery from a Rust binary - and uses it as an approachable starting point for exploring reversing Rust binaries. We will cover:
What are the practical steps we need to take to recover strings? How are strings represented in memory, passed between functions, and manipulated throughout the program?
Once we recover the strings, what do the strings mean? What can the strings we recover tell us about the compiler, language runtime, standard library, and third-party libraries in the binary?
This workshop is intended for reverse engineers and malware analysts who are familiar with reversing C or C++ binaries, but who are unfamiliar with the Rust programming language.
Cindy Xiao Senior Security Researcher, CrowdStrike
Cindy Xiao is a security researcher who works primarily on malware reverse engineering, in support of cyber threat intelligence reporting. Cindy enjoys learning from other security practitioners (both offensive and defensive), developing tools to help with analysis, and mentoring others.
Workshops are first-come, first-serve and have limited capacity. Some workshops may be streamed for additional passive participation.
Ansible WorX (AWX), la version libre de Ansible Tower, sert à gérer des serveurs à distance de façon centralisée. L’application permet de simplifier la gestion des serveurs en s’appuyant sur la puissance de Ansible et en ajoutant des fonctionnalités de gestion d’inventaire et d'autorisations. Cependant, qui dit centralisation, dit souvent unique point de rupture.
Pour les attaquants, AWX est une cible de choix. Si des accès à la plateforme sont compromis, il est primordial de savoir l’auditer. Il serait facile de causer des incidents et des pertes de service, et c’est à éviter à tout prix. Ceci-dit la récompense de l’utilisation des accès obtenus se compte souvent en dizaines de serveurs compromis. Il s’agit donc d’ un impact majeur pour une organisation.
Dans cet atelier, vous apprendrez les différents concepts reliés à AWX et Ansible. Vous apprendrez également à utiliser des accès à AWX dans l’objectif de compromettre les serveurs gérés par la plateforme. Divers scénarios et méthodes seront abordés pour être prêt à toutes éventualités.
Dans le but d’un atelier le plus fluide possible, s’il-vous-plaît, pré-installez AWX CLI.
Simon Lacasse travaille comme testeur d'intrusions chez Desjardins, avec un focus sur des tests organisationels orientés par objectifs. Il est très intéressé par la sécurité web et d'infrastructure. Équipé d'une formation en ingénierie logicielle, il aime créer ses propres outils pour résoudre les différents défis qu'il rencontre. Lorsque possible, il aime redonner à la communauté en faisant de ses outils des logiciels libres. Simon est également un ancien membre du club de sécurité informatique de Polytechnique Montréal, PolyHack/PolyHx.
(Bio de Charl-Alexandre en attente.)
Workshops are first-come, first-serve and have limited capacity. Some workshops may be streamed for additional passive participation.
Ansible WorX (AWX), la version libre de Ansible Tower, sert à gérer des serveurs à distance de façon centralisée. L’application permet de simplifier la gestion des serveurs en s’appuyant sur la puissance de Ansible et en ajoutant des fonctionnalités de gestion d’inventaire et d'autorisations. Cependant, qui dit centralisation, dit souvent unique point de rupture.
Pour les attaquants, AWX est une cible de choix. Si des accès à la plateforme sont compromis, il est primordial de savoir l’auditer. Il serait facile de causer des incidents et des pertes de service, et c’est à éviter à tout prix. Ceci-dit la récompense de l’utilisation des accès obtenus se compte souvent en dizaines de serveurs compromis. Il s’agit donc d’ un impact majeur pour une organisation.
Dans cet atelier, vous apprendrez les différents concepts reliés à AWX et Ansible. Vous apprendrez également à utiliser des accès à AWX dans l’objectif de compromettre les serveurs gérés par la plateforme. Divers scénarios et méthodes seront abordés pour être prêt à toutes éventualités.
Dans le but d’un atelier le plus fluide possible, s’il-vous-plaît, pré-installez AWX CLI.
Charl-alexandre Le Brun Penetration Tester, Desjardins
Je suis un passionné de l'informatique, ce domaine est ma passion et mon métier. Je fais des tests d'intrusion depuis quelques années et sur le côté j'aime entreprendre des recherches ou des projets. Que ce soit identifié des vulnérabilités ou construire des outils, je vais toujours suivre ma curiosité.
If you've enjoyed https://nsec.io/session/2024-i-will-look-for-you-and-i-will-find-you-osint-on-publicly-shared-pictures.html, or if you've missed it, this session is not to be missed! Patricia will cover contents that didn't fit in the condensed talk format.
This is a Q&A session. Moderators will take audience questions both remotely and on-site via sli.do.
Q&A Discussion for the Human in the Middle block.
Talks will be streamed on YouTube and Twitch for free.
Liam Neeson is coming for you. But how will he find you? Come to this talk to learn how the picture of a firetruck you took in front of your house and shared on Instagram two years ago will be the source of your demise.
In this talk, I will share how I developed this compulsive habit, in which I need to find where a picture was taken. We will cover how to perform open-source intelligence (OSINT) on publicly shared pictures and videos, which tools and techniques to use, accompanied with real step-by-step examples.
I believe that understanding how OSINT works is key to better protect ourselves online. I'm aiming to give you the tools and knowledge to be better cybersecurity professionals, and learn to be more careful and diligent online, all in a (hopefully) fun and engaging way.
Not convinced yet? This talk will also cover the following topics: metadata (d'oh!), physical keys (who doesn't like keys?), data in public registries, and conclude with Do's and Don'ts for everyone.
Patricia Gagnon-Renaud Cybersecurity Analyst — Ethical Hacking, GoSecure
Patricia Gagnon-Renaud is a Cybersecurity Analyst in the Ethical Hacking team at GoSecure. She has a bachelor's degrees in IT engineering, is a licensed engineer, and more recently, has become a Certified Information Systems Security Professional (CISSP). Her interests include social engineering, physical security, lockpicking and urbanism.
(English follows) Vous souhaitez découvrir les bases du CTF (Capture The Flag) ? Rejoignez-nous pour un atelier pratique qui vous permettra de plonger dans cet univers passionnant même en tant que débutant. Apprenez les fondamentaux du CTF et familiarisez-vous avec ses mécanismes lors de cet atelier interactif. Venez essayer par vous-même et laissez-vous emporter par l'excitation du challenge ! Atelier en français.
Are you eager to discover the fundamentals of CTF (Capture The Flag)? Join us for a hands-on workshop designed to help beginners make the most out of the CTF experience. Learn the basics of CTF and get acquainted with its mechanics in this interactive session. Come give it a try and immerse yourself in the thrill of the challenge!
Simon Nolet (Viper) , Hacktive Education
Simon is a cybersecurity expert with 10 years of experience, specializing in offensive security for the past 9 years. He focuses achieving high-impact attack chains .He has conducted over 250 penetration tests. Simon is also an active member of the cybersecurity community, dedicated to sharing his knowledge by volunteering for events like Hackfest CTF and training individuals for over 5 years in the Security 103 course and the Beginner CTF. He values honesty, promoting transparency and integrity in his work. His expertise covers networks, infrastructure, Active Directory pentesting, but he is also interested in red teaming, access control evasion, and efficient computer usage. Simon is constantly striving to enhance a company's security by producing precise reports and offering operational recommendations to increase resilience against adversaries. He believes that often, the root causes of security issues can be addressed through education and training. His goal is to educate and strengthen security measures to protect both businesses and individuals in their digital environments, with a strong emphasis on training others.
Talks will be streamed on YouTube and Twitch for free.
A few helpful notes from over a decade of reverse engineering malware and documenting the process along the way! By the end of this, you will be able to unpack most malware with a single breakpoint... maybe?
This is a Q&A session. Moderators will take audience questions both remotely and on-site via sli.do.
Q&A Discussion for the malware block.
Sergei Frankoff Director, OpenAnalysis Inc
Sergei is a co-founder of OpenAnalysis Inc, and part of the team behind UnpacMe. When he is not reverse engineering malware Sergei is focused on building automation tools for malware analysis, and producing tutorials for the OALABS YouTube channel. With over a decade in the security industry Sergei has extensive experience working at the intersection of incident response and threat intelligence.
This is a Q&A session. Moderators will take audience questions both remotely and on-site via sli.do.
Q&A Discussion for the hardware block
Talks will be streamed on YouTube and Twitch for free.
This talk, centered around curiosity and its transformative power, reflects my personal exploration into uncharted territories, an area that few people are familiar with. Surprisingly, I had no prior experience with hardware hacking; everything I've learned so far, starting from scratch, thanks to countless YouTube tutorials and extensive PDF books.
I'm excited to share my discoveries and experiences thus far, highlighting the potential that curiosity holds in reshaping one's path. This talk aims to provide you with the fundamentals of protocols, types of devices, and the equipment needed to start. Additionally, I will guide you on how to undertake your first hardware hacking project on a connected device. Are you up for joining me on this adventure?
Adrien Lasalle Pentester - Netrunner,
Formerly a firefighter in France 🇫🇷 🚒, I decided to pursue my passion for IT and especially offensive cybersecurity. Now a Pentester in Montreal 🇨🇦 for almost 3 years and an active member of HackersWithoutBorders North America, I am gradually specializing in internal and network intrusion testing.
Sharing our passion for this field, whether for awareness or education, is an important mission for me!
Feel free to contact me to discuss cyber or anything else over a beer :D 🍻
This is a Q&A session. Moderators will take audience questions both remotely and on-site via sli.do.
Q&A Discussion for the hardware block
Talks will be streamed on YouTube and Twitch for free.
Debugging and testing an embedded application is always painful. A serial printf might not be enough, a high end JTAG with 1000+ pages of documentation might be too costly or complex.
Scrutiny Debugger is a new open source project that offers an alternative by enabling remote control of the memory through any communication channel (Serial, UDP, etc.). How does that work? A Python server continuously communicates with an embedded application that runs a small instrumentation library. Using the debugging symbols, extracted at compile time, the server exposes all the variables and memory structure to client applications through a websocket API. 2 clients are available: an Electron GUI and a Python SDK for programmatic interaction with the server.
Clients can read/write variables or raw memory. They can do graphs of variables; being continuous time logging or embedded graphs that triggers on a specific variable change, like an electronic scope does. Not the best for low-level driver development; but ideal for high-level embedded application.
The Python SDK is fully synchronized with the target device, meaning that a Python script can remotely run and behave like it was an internal thread inside the device; but with slow memory access time. That powerfully enables HIL (Hardware-in-the-loop) testing.
Pier-Yves Lessard Embedded AI software engineer,
Embedded software engineer working at NXP semiconductor on embedded AI optimization for the automotive industry. Past experience in EV/motor control software. Author of 2 (relatively) widely used open source library dedicated to ECU communications and the main developer of Scrutiny Debugger, a project soon to be released. Father of two who develops open source stuff between 21h and 00h
This is a Q&A session. Moderators will take audience questions both remotely and on-site via sli.do.
Q&A Discussion for the malware block.
Talks will be streamed on YouTube and Twitch for free.
Does attribution of cyber operations actually matter? It depends on who’s asking. Using real world APT examples from threats attributed to Iran, Turkey, North Korea and Russia, we’ll demonstrate what details go into attribution work from the perspective of email security vendor, why attribution can be useful for defenders and how Blue Teams can use it to better inform threat modeling and risk. We'll define attribution, compare the concepts of attribution and Attribution, discuss how softer attribution should be paired with harder, more technical attribution and then close by discussing potential pitfalls we’ve seen with attribution working for the government, private corporations and at a security vendor.
Alexis Dorais-Joncas APT Research Manager, Proofpoint
Alexis Dorais-Joncas is the Senior Manager of Proofpoint’s APT research team, where he and his team of threat researchers and intelligence analysts focus on tracking the most elusive state-sponsored threat actors and ensuring Proofpoint customers are protected against these persistent attackers. Prior to joining Proofpoint, Alexis led ESET’s Montreal-based R&D branch office for over 10 years, where his team focused on malware research, network security and targeted attacks tracking. Alexis is an established speaker on current cyberthreats, having spoken in front of diverse audiences at events such as Northsec, Bluehat, Botconf, First CTI, Sector and Rightscon. He has also been quoted in several security and technical media such as Wired, ITWorldCanada and Ars Technica, with broadcast appearances on Radio-Canada and Skynews. Alexis holds an M. Sc. in Electrical Engineering from the University of Sherbrooke in Canada.
This is a Q&A session. Moderators will take audience questions both remotely and on-site via sli.do.
Q&A Discussion for the malware block.
Talks will be streamed on YouTube and Twitch for free.
In 2014, we published a paper about Operation Windigo, where we described a cluster of server-side threats fuelled by Ebury, a backdoor and credential stealer injected into the OpenSSH server and client of compromised servers. That report shed light on web traffic redirections, delivery of Windows malware, and spam campaigns, all using Ebury-compromised servers.
After the arrest and extradition of one of the perpetrators in 2015, some of the monetization activities temporarily stopped, but not all of the botnet’s activities. Ebury continued to be updated and deployed to tens of thousands of servers each year, to reach a cumulative total of nearly 400,000 victims since 2009, the first year Ebury was seen. Moreover, we have discovered its operators have added more tools to their arsenal, such as Apache modules to exfiltrate HTTP requests or proxy traffic, Linux kernel modules to perform traffic redirections, and modified Netfilter tools to inject and hide firewall rules.
For this investigation we set up honeypots to collect Ebury samples and understand deployment tactics, and partnered with law enforcement. This gave us unique visibility into the perpetrators’ activities, which expanded to include cryptocurrency theft and possibly exfiltration of credit card details. We now have a better understanding of how they expand their botnet not only by stealing credentials, but also by actively trying to compromise the hosting provider’s infrastructure to deploy malware on all of the providers’ customer-rented servers. In some cases, this resulted in the compromise of tens of thousands of servers, hosting millions of domains.
The latest update to Ebury, versioned 1.8.2, was first seen in January 2024. In the past years, clever userland rootkit functionalities were added to Ebury, which make its detection a lot more difficult than before. From a system administrator’s perspective, not only is the malware file absent, but none of the resources it uses – such as processes, sockets, and mapped memory – are listed when inspecting the system.
This presentation not only reveals the latest toolset of the Ebury gang, but also discusses detection techniques to protect against some of the trickiest Linux threats. Some techniques are specific to Ebury, but most apply to the detection of any userland rootkit.
Marc-Etienne M.Léveillé Senior Malware Researcher, ESET
Marc-Etienne is a malware researcher at ESET since 2012. He specializes in malware attacking unusual platforms, whether it’s fruity hardware or software from south pole birds. Marc-Etienne focused his research on the reverse engineering of server-side malware to discover their inner working and operation strategy. His research led to the publication of the Operation Windigo white paper that won Virus Bulletin’s Péter Szőr Award for best research paper in 2014. He presented at multiple conferences including RSAC, FIRST, 44con, CARO and Linuxcon Europe. When he’s not one of the organizer, he loves participating in CTF competitions like a partying gentleman. Outside the cyberspace, Marc-Etienne plays the clarinet and read comics.
Marc-Etienne est chercheur en logiciels malveillants chez ESET depuis 2012. Il se spécialise dans les logiciels qui ciblent les plateformes inhabituelles, comme les ordinateurs avec des pommes ou des pingouins. Durant les dernières années, Marc-Etienne s'est concentré sur la rétro-ingénierie de logiciels malveillants s'attaquant aux serveurs, à la fois pour comprendre leurs fonctionnements et comment ils sont utilisés. Ses recherches ont mené à la publication du rapport Operation Windigo qui s'est mérité le prix Péter Szőr Award à Virus Bulletin pour meilleur rapport de recherche en 2014. Il a présenté à de multiples conférences incluant RSAC, FIRST, 44con, CARO Workshop et Linuxcon Europe. Quand il n'est pas dans le comité organisateur, il aime participer à des compétitions de sécurité (CTF) comme un gentilhomme en fête. En dehors du cyberespace, Marc-Etienne joue de la clarinette et lit des bandes dessineés.
This is a Q&A session. Moderators will take audience questions both remotely and on-site via sli.do.
Q&A Discussion for the malware block.
Talks will be streamed on YouTube and Twitch for free.
Nim has become the language of choice for a number of libraries and tools used by red-teamers and pentesters. Much like with Mimikatz and Cobalt Strike before, malicious actors have started putting some of the same tooling to their nefarious purposes . One such example is Mustang Panda, a China-aligned APT that started using Nim to create custom loaders for their Korplug backdoor. For attackers, using a less common language also has benefits when it comes to evading defenses and hindering analysts’ work; we have seen the same thing with the growth of malware written in Go and Rust. In this presentation, we will go over some of the specific challenges associated with analyzing Nim malware. We will then present tips and tools to help mitigate these difficulties. This will include the presentation of Nimfilt, our analysis script for IDA Pro that we will release shortly before the conference. Finally, we will demonstrate the use of Nimfilt and other publicly available tools on real malware samples .
Alexandre Côté Malware Researcher, ESET
Alexandre is a malware researcher at ESET since 2021. Working with the Montreal team, his research is focused on tracking APT groups and their toolsets.
He has previously presented about APTs and attribution at Botconf, Sleuthcon, Hackfest, and BSidesMTL. He is also involved in mentoring students getting started in infosec. His interests include operating systems fundamentals, writing shell scripts to automate tasks that don't always need to be automated, and brewing beer.
This is a Q&A session. Moderators will take audience questions both remotely and on-site via sli.do.
Q&A Discussion for the malware block.
Talks will be streamed on YouTube and Twitch for free.
Does attribution of cyber operations actually matter? It depends on who’s asking. Using real world APT examples from threats attributed to Iran, Turkey, North Korea and Russia, we’ll demonstrate what details go into attribution work from the perspective of email security vendor, why attribution can be useful for defenders and how Blue Teams can use it to better inform threat modeling and risk. We'll define attribution, compare the concepts of attribution and Attribution, discuss how softer attribution should be paired with harder, more technical attribution and then close by discussing potential pitfalls we’ve seen with attribution working for the government, private corporations and at a security vendor.
Greg Lesnewich is a Senior Threat Researcher at Proofpoint, focused on identifying, tracking, detecting, and disrupting malicious activity linked to North Korea and Russia. Greg has a background in threat intelligence, incident response, and managed detection, previously working at Recorded Future, Leidos, and NCFTA, with experience in developing methods of tracking espionage and state-sponsored activity. Greg enjoys the topics of weird forensic artifacts, measuring malware similarity, YARA, and infrastructure tracking.
This is a Q&A session. Moderators will take audience questions both remotely and on-site via sli.do.
Q&A Discussion for the red team block.
Talks will be streamed on YouTube and Twitch for free.
Malware development and evasion techniques are becoming more difficult each day. EDRs are implementing signature-based detection, behaviour-based detection, as well as entropy-based detection techniques. Shellcode is often encoded/encrypted which can cause payloads to have high entropy (randomness), therefore being detected and blocked by EDRs.
This presentation is the journey of a red teamer - improving their tools with simple techniques and learning about evasion and Windows internals along the way.
Through this talk, we will review the high-level theory behind evasion and present unique approaches to evasion techniques, including entropy reduction and shellcode callbacks. We will present a novel tool to reduce entropy via dictionary word shellcode encoding, and use Windows callback functions to launch our shellcode.
Furthermore, an overview of detecting these novel techniques will be discussed to help blue teamers in their jobs. Detection methods discussed include using YARA rules, ETW, and PE file memory scanners.
Participants will benefit from this talk in many ways. Red teamers can now immediately benefit from the tool, which is publicly released, along with C#/C++ Code samples. And Blue teamers can learn how to better detect these advanced techniques.
Will Summerhill Senior Security Consultant, Mandiant
Will Summerhill is a senior security consultant with Mandiant Canada on the Proactive team performing red teams, purple teams, and penetration testing assessments. He has been in offensive security consulting for over 7 years and has 10 years of information security experience combined. He teaches red teaming classes to clients and taught a penetration testing course at the post-grad college level.
This is a Q&A session. Moderators will take audience questions both remotely and on-site via sli.do.
Q&A Discussion for the AppSec block
Philippe is a security engineer for ServiceNow. He has an interest in software development, penetration testing and security code review. He maintains Find Security Bugs, the static analysis tool. He has presented at various conferences including Black Hat Arsenal, SecTor, AppSec USA, ATLSecCon, 44CON and JavaOne.
This is a Q&A session. Moderators will take audience questions both remotely and on-site via sli.do.
Q&A Discussion for the AppSec block
Talks will be streamed on YouTube and Twitch for free.
Beyond the buzzword of 'supply chain security,' lies a critical, frequently ignored area: the Build Pipelines of Open Source packages. In this talk, we discuss how we’ve developed a data analysis infrastructure that targets these overlooked vulnerabilities. Our efforts have led to the discovery of 0-days in major OSS projects, such as Terraform providers and modules, AWS Helm Charts, and popular GitHub Actions. We will present a detailed attack tree for GitHub Actions pipelines, offering a deeper analysis than the prior art, and outlining attacks and mitigations. In addition, we will introduce a unique reference for 'Living Off the Pipeline' (LOTP) components, aimed at providing Red and Blue teams with a way to prioritize more risky scenarios.
François Proulx Senior Product Security Engineer, BoostSecurity.io
François is a Senior Product Security Engineer for BoostSecurity, where he leads the Supply Chain research team. With over 10 years of experience in building AppSec programs for large corporations (such as Intel) and small startups he has been in the heat of the action as the DevSecOps movement took shape. François is one of founders of NorthSec and was a challenge designer for the NorthSec CTF.
This is a Q&A session. Moderators will take audience questions both remotely and on-site via sli.do.
Q&A Discussion for the AppSec block
Talks will be streamed on YouTube and Twitch for free.
Beyond the buzzword of 'supply chain security,' lies a critical, frequently ignored area: the Build Pipelines of Open Source packages. In this talk, we discuss how we’ve developed a data analysis infrastructure that targets these overlooked vulnerabilities. Our efforts have led to the discovery of 0-days in major OSS projects, such as Terraform providers and modules, AWS Helm Charts, and popular GitHub Actions. We will present a detailed attack tree for GitHub Actions pipelines, offering a deeper analysis than the prior art, and outlining attacks and mitigations. In addition, we will introduce a unique reference for 'Living Off the Pipeline' (LOTP) components, aimed at providing Red and Blue teams with a way to prioritize more risky scenarios.
This is a Q&A session. Moderators will take audience questions both remotely and on-site via sli.do.
Q&A Discussion for the AppSec block
Talks will be streamed on YouTube and Twitch for free.
API Documentation often gives the simplest most bare-bones examples to get something running. This runs into the old adage: Nothing is more permanent than a temporary solution. Come join me and walk through a particularly fun example of cloud API documentation showing you the wrong way.
Included will be a deep dive and demo of a vulnerability caused directly by this kind of mistake which maybe shows that Phreaking is alive and well in 2024.
This is a Q&A session. Moderators will take audience questions both remotely and on-site via sli.do.
Q&A Discussion for the Machine Learning (ML) block.
François is a Research Lead at Secureworks, who focuses on applying machine learning approaches to research problems related to security alerts and vulnerabilities. He focuses on using machine learning to improve the prioritization of alerts and vulnerabilities, in the context of XDR and vulnerability management. He has a PhD from École Polytechnique de Montréal, and has published research papers on the topics of spam detection, malware analysis and machine learning applied to cybersecurity.
This is a Q&A session. Moderators will take audience questions both remotely and on-site via sli.do.
Q&A Discussion for the Machine Learning (ML) block.
Talks will be streamed on YouTube and Twitch for free.
There are various Machine Learning/BigData frameworks that have become quite popular in the past year due to the release of ChatGPT. This sudden popularity has caused that the scale for growth in parallel computing comes first and leaves aside the implementation of security mechanisms in some of the frameworks' components. In this talk I will go over the research process that I performed on one of these frameworks in an AWS install, showing how it started as two vulnerabilities in a web dashboard and quickly became privilege escalation in an AWS account.
Berenice Flores Senior Security Consultant, Bishop Fox
As a senior penetration tester at Bishop Fox, Berenice focuses on application security and cloud penetration testing (AWS). In the past year, Berenice has worked in security research against frameworks in the cloud. Berenice holds many cybersecurity certifications including Offensive Security Certified Professional (OSCP), Off-Sec Web Assessor (OSWA) and Offensive Security Wireless Professional (OSWP). When she's not finding bugs, Berenice enjoys attending hacking conferences and collecting stickers, pins and token coins.
This is a Q&A session. Moderators will take audience questions both remotely and on-site via sli.do.
Q&A Discussion for the Machine Learning (ML) block.
Talks will be streamed on YouTube and Twitch for free.
LLMs are the hot new thing, and are exciting enough to even have their own OWASP Top 10 as of 2023! But are these vulnerabilities really any different from what we already see in more traditional web applications?
In this talk, Logan will explore the different vulnerability families from the new OWASP Top 10 for LLM Applications, discuss the different scenarios represented therein with a focus on real-world exploitation scenarios, and outline how they parallel the vulnerabilities that we've all grown to love and pwn over the years.
Attendees should leave this talk with a more complete understanding of the vulnerabilities manifesting in LLM applications, how these vulnerabilities can directly affect end users, and scenarios to be conscious of when developing for, or around, LLM applications.
Logan MacLaren Senior Product Security Engineer, GitHub
Logan is a Senior Product Security Engineer at GitHub where he focuses on the success of their Bug Bounty program. When not hacking on GitHub itself, Logan can be found doing security research focused on open source projects, or learning and refining new skills with CTF challenges!
This is a Q&A session. Moderators will take audience questions both remotely and on-site via sli.do.
Q&A Discussion for the Human in the Middle block.
Talks will be streamed on YouTube and Twitch for free.
Many are aware of clout-chasing influencers on social media such. However, many have not considered this cultural phenomenon transcending into the professional world. From "thought leaders" on LinkedIn to law enforcement agencies on Twitter, it is not just Instagram models sharing content with the primary goal of getting more 'likes' and followers. In this presentation, Mr. Myler highlights examples of Infosec influencers providing guidance that, at best, distracts from prioritized risk-based cybersecurity.
W. Garrett Myler Sr. OT cybersecurity Specialist, Red Trident Inc.
W. Garrett Myler, Sr. OT cybersecurity Specialist at Red Trident Inc. and proud U.S. Air Force Reservist, has over a decade of experience supporting threat intelligence and cyber operations within the U.S. Department of Defense - from strategic to tactical levels of operation. He has traveled the world performing vulnerability assessments on industrial control systems (ICS) supporting critical infrastructure. Mr. Myler is an experienced and engaging cybersecurity instructor and presenter and has trained professionals and addressed audiences from around the world. He is a CISSP, GIAC Certified Forensic Analyst, an ISA 62443 certified "expert", and has a Masters of Science in Digital Forensics and Cyber Investigation. Mr. Myler is honored to fill the roles of husband to his wife Julie and father to their five children.
This is a Q&A session. Moderators will take audience questions both remotely and on-site via sli.do.
Q&A Discussion for the Human in the Middle block.
Talks will be streamed on YouTube and Twitch for free.
It is quite challenging to verify the origin of online content. In this era of disinformation exacerbated by ever-evolving AI tools, the creation of seemingly authentic fake accounts and content can be quite dangerous, with risks ranging from harming one’s reputation to damaging society as a whole. Fortunately, content provenance technologies are emerging to fight this problem. The Coalition for Content Provenance and Authenticity (C2PA) is the leading effort allowing creators to cryptographically sign their digital assets and record subsequent edits helping consumers to confirm their origin and authenticity while keeping an auditable history of the data transformations. It has been adopted by leading technology providers (Microsoft, Google, Meta), camera manufacturers (Sony, Nikon), image/video editors (Adobe), generative AI companies (OpenAI, Midjourney), and news organizations (BBC, CBC/Radio-Canada, New York Times). C2PA is also at the forefront of the fight against election disinformation, and was one of two technologies mentioned in the recent AI Elections accord signed at the Munich security conference. In this presentation, I’ll describe the C2PA use cases, specifications, and the lifecycle of a protected digital asset (such as images, videos, and audio clips) from their creation, to their modifications and validation. I’ll present open-source tools/SDKs that anyone can use to create and verify protected content or integrate this functionality in their applications and services. I’ll also present the Cross-Platform Origin of Content (XPOC) framework allowing content owners to create authoritative lists of their social media accounts and content, addressing a slightly different provenance problem. I’ll give a demonstration of the open-source tools allowing anyone to self-host and verify XPOC manifests.
Christian Paquin Principal Research Software Engineer, Microsoft
I’m cryptography and security engineer at Microsoft Research where I aim to bring new research innovations closer to reality. My work focuses lately on privacy-preserving identity, post-quantum cryptography, and content origin and authentication (especially surrounding the work of the C2PA in which I’m a member of the technical working group). Prior to joining Microsoft I was a crypto developer at Zero Knowledge Systems developing a TOR-precursor mixnet and the Chief Security Engineer at Credentica.
Talks will be streamed on YouTube and Twitch for free.
Did you know that ransomware groups are actually generous? They're so generous, in fact, that after putting all their time and effort into writing an exploit, they just share it with the internet for free! At GreyNoise, we've made it our mission to detect and categorize all traffic blasted onto the internet, which includes old exploits for old vulnerabilities, new exploits for new vulnerabilities, and everything in between. We'll show you what happens when an experienced exploit developer kicks back and lets others do the hard work - by building and deploying honeypots for emergent threats, we can spend our time analyzing what the baddies are up to, which vulnerabilities are actually being exploited, and who's being naughty. This talk will include real-world exploitation examples, including examples of exploits that would go on to join the Known Exploited Vulnerabilities (KEV) list. We'll Armed with that information, security teams can use their limited resources much more efficiently by prioritizing the vulnerabilities that are under attack!
Ron Bowes Lead Security Researcher, GreyNoise Intelligenc
Ron Bowes is a Lead Security Researcher on the GreyNoise Labs team, which tracks and investigates unusual--typically malicious--internet traffic. His primary role is to understand and track the big vulnerabilities of the day/week/month/year; often, that means parsing vague vendor advisories, diff'ing patches, reconstructing attacks from log files, and--most complex of all--installing and configuring enterprise software. When he's not at work, he runs the BSides San Francisco Capture the Flag contest, is a founder of The Long Con conference in Winnipeg, maintains a personal blog, and continues his question to finish every game in his Steam library.
Talks will be streamed on YouTube and Twitch for free.
Since we were children we wanted to go to the arcade and play for hours and hours for free. How about we do it now? In this talk I’m gonna show you some vulnerabilities that I discovered in the cashless system of one of the biggest companies in the world, with over 2,300 installations across 70 countries. We will talk about api security, access control and nfc among other things.
Ignacio Navarro Ethical Hacker, N/A
Ignacio Navarro, an Ethical Hacker and Security Researcher from Cordoba, Argentina. With around 6 years in the cybersecurity game, he's currently working as an Application Security. Their interests include code analysis, web application security, and cloud security. Speaker at Hackers2Hackers, Security Fest, BSides, Diana Initiative, Hacktivity Budapest, 8.8, Ekoparty. @Ignavarro1
Talks will be streamed on YouTube and Twitch for free.
This talk examines the rise of crowdsourced DDoS attacks amid geopolitical events, focusing on the Russia-Ukraine and Israel-Hamas conflicts. Once the domain of well-resourced actors, large-scale attacks now involve networks of novices using open-source tools, provided there are enough individuals sympathetic to a particular political ideology or cause. To incentivize participation, hacktivists employ leaderboards, cryptocurrency rewards, and gamified ranking systems based on contributions to DDoS attacks. This transforms disruptive criminal attacks against services into a competitive and commoditized activity.
Talks will be streamed on YouTube and Twitch for free.
This presentation, informed by a collaborative research project led by CDEACF, the Alliance des Maisons 2e Étape and the Lab-2038, addresses the critical need for specialized digital privacy strategies in support of Intimate Partner Violence (IPV) victims. Rather than looking at what advices security experts can give to IPV victims, we investigate how user experience, security settings and data governance pratices can directly impact their digital and physical safety. Our research highlights how generic, one-size-fits-all threat modelling and security policies by providers, including internet service providers, can inadvertently burden IPV victims. The talk emphasizes the importance of developing nuanced, victim-centred digital security approaches that acknowledge the unique challenges faced by IPV victims. It advocates for a collaborative effort among service providers, technologists, and social welfare experts to create more sensitive and effective digital privacy solutions tailored to the needs of IPV victims.
Corinne Pulgar Project manager, Lab2038
Corinne Pulgar brings a unique blend of technical expertise and social awareness to the field of digital security. With a Master's in Software Engineering from École de Technologie Supérieure (ETS) and a Bachelor's in Computer Science from Université du Québec à Montréal (UQAM), they possess a deep understanding of software development and security. They have shown a steadfast commitment to education through their contributions as a project manager and InfoSec at Lab2038 and a teaching assistant and lecturer at multiple institutions, including McGill University, ETS and UQAM. Her ability to translate complex technical concepts into accessible knowledge has made them a sought-after lecturer and mentor.
Corinne’s research, presented at conferences and published in journals, focuses on model-driven software engineering and DevOps, demonstrating their innovative approach to software development. Their work at the intersection of technology and inclusivity reflects their dedication to leveraging their technical expertise for social good, specifically in enhancing digital privacy and security for vulnerable groups. Their unique perspective, combining technical acumen with a passion for social impact, makes them an ideal speaker to address the critical issue of digital privacy in the context of IPV.
Talks will be streamed on YouTube and Twitch for free.
In a mobile-first world, user registration using only a phone number has become pretty common, this phone number has become the primary method of authentication due to its convenience and speed. These systems may or may not verify other details about the user, such as their email address and typically rely on Single Sign-On (SSO) identity Providers.
This talk explores the potential issues that can arise when multiple systems are used for authentication, and how these can lead to vulnerabilities. We will touch upon how authentication and authorization bugs can originate from user registration and how this can lead to full account takeover, password stealing, and denial of service. The speaker will draw from their own experiences in identifying and addressing these vulnerabilities, providing valuable insights into this common issue.
Finally, the talk concludes by discussing potential solutions and stronger controls that can be implemented to prevent these issues from occurring.
Attendee Takeaways * Security engineers will gain valuable experience in identifying and addressing authentication bugs, helping them to improve their skills in this area. * Developers will be encouraged to think more broadly about potential edge cases and vulnerabilities in their applications, leading to stronger and more secure authentication and authorization controls.
As an offensive security engineer at Microsoft, Priyank's primary focus is conducting security exercises that emulate real-world threats impacting billions of users. He is well known for his expertise in identifying high-impact vulnerabilities and has shared his research openly through various industry conferences.
His forte is web/mobile application security assessments, network penetration testing and secure source code reviews. In the past, he has advised F500 brands and startups and does mobile and IoT related research in his spare time.
As a new parent, he is now (re)learning hacking from his toddler who defeats all the "restrictions" to limit their mobility.
Talks will be streamed on YouTube and Twitch for free.
For organizations using Microsoft Entra ID (formerly known as Azure Active Directory) and O365, it’s fairly well understood that a set of default logs are readily available for use, no matter what log management tooling an organization is using. However, this standard logging has its limits.
Last fall, the team at Black Hills Information Security released a post exploitation kit called GraphRunner. This tool is focused on interacting with the Microsoft Graph API, which is the backbone that services Entra ID, O365 and many other services in the Microsoft cloud. The release of GraphRunner and future tools like it streamlines a number of activities that an adversary would perform after gaining access, making it simpler for anyone to use. While GraphRunner is a post exploitation toolkit, there are authentication functions that highlight how adversaries could use the OAuth authorization code flow to their advantage.
As a defender, this presents a set of challenges. Less sophisticated adversaries have a lower barrier to entry once they have gained access to the Graph API than they did before. It also highlights that the standard logging may not be sufficient to gain visibility into actions like the refreshing of tokens or other activities that a tool like GraphRunner provides.
This talk is designed to provide insight into additional data sets that Microsoft cloud users have access to but may not be as widely deployed. These additional data sets can provide defenders additional insight, detect suspicious activity and can serve as a hunting ground when confronted with an adversary using techniques like those found in GraphRunner.
Because GraphRunner contains numerous modules and is written in PowerShell, an adversary can customize it to their own needs. While we won’t be able to cover all possible permutations, our goal is to identify data sets and events that can assist defenders while using GraphRunner as a representative of the kinds of methods that adversaries might use.
Attendees will come away from this talk with: -A greater understanding of GraphRunner and its capabilities -Awareness of the logging available for the Graph API beyond the standard logging -Ideas around how detections and hunts can be designed to identify GraphRunner activity
John Stoner Security Strategist, Google Cloud
John Stoner is a Global Principal Security Strategist at Google Cloud and leverages his experience to improve users' capabilities in Security Operations, Threat Hunting, Incident Response, Detection Engineering and Threat Intelligence. He blogs on threat hunting and security operations and has built multiple APT threat emulations for blue team capture the flag events. John has presented and led workshops at various industry symposia including FIRST (CTI, Tech Colloquium), BSides (SF, Las Vegas), SANS Summits (DFIR, Threat Hunting, Cloud and SIEM), WiCyS, Way West Hacking Fest, AISA and DefCon Packet Hacking Village. He also enjoys listening to what his former teammates referred to as "80s sad-timey music."
Talks will be streamed on YouTube and Twitch for free.
Let's face it, responding to cyber incidents is full of challenges but managing the dreaded "war room" shouldn't have to be one of them. In this talk AJ Jarrett, Incident Response Director at DTCC and former firefighter will discuss how cybersecurity and IT teams can leverage the tactics and techniques used by first responders during disasters to bring cyber incident response to the next level.
AJ Jarrett Incident Response Director, DTCC
AJ Jarrett is the Incident Response Director for the Threat Management Center at DTCC. Prior to joining DTCC, AJ worked for over 15 years in various IT and cybersecurity roles including defense, compliance, assessments, and incident response. In addition to his work at DTCC, AJ is also an Adjunct Instructor at the Texas A&M Engineering Extension Service and volunteers with various educational initiatives to help bring cybersecurity knowledge to as many people as possible.
Talks will be streamed on YouTube and Twitch for free.
This year marks the ten-year anniversary of Heartbleed’s discovery and public disclosure. Heartbleed was a severe flaw in the OpenSSL cryptographic library. It was publicly disclosed on April 7, 2014, initiating a long and arduous process of remediation for more than two thirds of all web servers on the internet. Anybody could potentially eavesdrop on communications, steal data or impersonate users for any vulnerable service or device, without leaving a trace. Described by some experts as “one of the most consequential vulnerability since the advent of the commercial internet”, Heartbleed abruptly unveiled the insecure and unsustainable foundations on which the internet infrastructure was built. How could so many major organizations (Google, Amazon, Facebook, financial and government institutions) depend on OpenSSL, a struggling free software project with one overworked full-time developer and $2,000 in yearly donations? How could they integrate its code without any proper security audit or reciprocal financial support? This presentation traces the historical roots of the OpenSSL project and its growing adoption, from the mid 1990s up to 2014. Based on original interviews with OpenSSL developers and security experts as well as extensive archival research, it portrays a nascent cryptographic library written “as a learning exercise” during the turmoil of the Crypto Wars of the 1990s. Finally, this presentation explores some of the long-lasting effects Heartbleed has had on the tech industry and free software community – effects that still resonate to this day, ten years later.
Titulaire d’une maîtrise en mobilisation et transfert des connaissances de l’Institut national de la recherche scientifique, Louis a toujours cherché à combiner son intérêt pour le transfert des connaissances à sa passion pour la recherche et l’impact des nouvelles technologies. Après avoir poursuivi ses études universitaires en s’intéressant à la vulnérabilité Heartbleed et son impact sur les pratiques de sécurité, Louis a collaboré avec plusieurs organismes de mobilisation des connaissances tels que Serene-risc et Research Impact Canada. Ayant récemment joint l’équipe du soutien à la recherche chez Ivado, cette présentation est l’occasion pour Louis de revisiter le sujet qui l’a passionné pendant des années.
Holder of a master's degree in knowledge mobilization from INRS, Louis has always sought to combine his interest in knowledge transfer with his passion for research and the impact of new technologies. After continuing his university studies focusing on the Heartbleed vulnerability and its impact on security practices, Louis collaborated with several knowledge mobilization organizations such as Serene-risc and Research Impact Canada. Having recently joined the research support team at Ivado, this presentation is an opportunity for Louis to revisit the subject that has fascinated him for years.
Talks will be streamed on YouTube and Twitch for free.
The talk will outline detection and threat hunting strategies that could be easily adopted by a mature SOC to look for threats in their Cloud (O365 and AWS) environment. I'll be introducing a Jupyter notebook containing detections mapped to the MITRE ATT&CK framework and threat hunting methodologies backed by unsupervised machine learning. We will take a look at huge datasets using visualizations to find anomalies. These anomalies would be converted into High-Fidelity Detection, along with some ideas to extend this hunt to IAM Platforms like OKTA
Kai Iyer Senior Security Engineer, EY Canada
Kai is a Senior Security Engineer at EY's Cyber Threat Management team and manages Applied Machine Learning and Security Engineering. He holds multiple certifications and has extensive knowledge in various domains, including Web-App Development, Data Science, Incident Response, DevSecOps and Purple Teaming. He is also an advocate for open source software and data privacy. He dreams of a world where no one clicks on phishing e-mails.
Talks will be streamed on YouTube and Twitch for free.
Let us embark you on a journey through the OT Threat Landscape. We will start our voyage by looking at what the global threat landscape looks like today, with a focus on Canadian (and Quebecois) events of note. We will then explore how these landscapes have evolved and the earthquakes that shaped them in recent months and years. We will wrap-up by covering some intelligence-informed takeaways and recommendations on how to weather the incoming rogue waves of the OT ocean.
Ms. Felx Leduc is an ICS Senior Security Consultant in Mandiant’s Canadian practice. As part of the ICS Services team, Camille supports clients with better securing their ICS networks, analyzes client networks for threats, and supports clients with strategic assessment, roadmap development, and initiative implementation, including Security Program Assessments, and threat modeling.
Talks will be streamed on YouTube and Twitch for free.
Let us embark you on a journey through the OT Threat Landscape. We will start our voyage by looking at what the global threat landscape looks like today, with a focus on Canadian (and Quebecois) events of note. We will then explore how these landscapes have evolved and the earthquakes that shaped them in recent months and years. We will wrap-up by covering some intelligence-informed takeaways and recommendations on how to weather the incoming rogue waves of the OT ocean.
Talks will be streamed on YouTube and Twitch for free.
In today's technology-driven landscape, the transition to digital transactions has eclipsed conventional face-to-face interactions, presenting novel challenges in ensuring transaction security. Users, perhaps inadvertently, heighten security risks by opening email attachments from phishing attempts, intensifying the complexities of online transaction security. Moreover, there exists the potential of voluntarily disclosing sensitive information, further adding intricacy to the digital transaction security landscape.
Compounding this issue, cyber attacks leverage customer data pilfered from compromised merchants. Victims find themselves coerced into divulging credit card details through a sophisticated, multi-step process. This research brings to light a new phishing campaign, unraveling the techniques, tactics, procedures (TTPs), and indicators of compromise (IoCs) employed by threat actors. These encompass the exploitation of the platform's chat function and the incorporation of transaction data to bolster the credibility of phishing pages.
The cyber attacks, though strikingly similar, employ urgent language and intimate knowledge of users' bookings, instilling credibility in deceitful messages. However, distinctive cues like odd URLs and typos serve as saviors for potential victims. Upon analysis, these campaigns redirect users to counterfeit sites that mirror legitimate e-commerce platforms. The craftiness of cyber criminals shines through identical HTML elements and scripts, meticulously validating data and even circumventing multi-factor authentication.
Further investigation unveils the tactics employed by cyber thieves: exploiting InfoStealer malware to breach hotel chat systems and amass valuable customer data, escalating their targeted attacks. Open-source intelligence tools reveal a broader scope, a twin campaign where attackers impersonating various platforms, not limited to travel sites but also other e-commerce platforms, since 2021. Domain fronting is also consistently employed to conceal their tracks along with some other TTPs.
The research culminates in insights and recommendations to enhance the security of all parties involved. By implementing these suggestions, it is hoped that both platforms and merchant-customers can fortify their resilience, mitigating potential risks in the dynamic digital landscape.
Mangatas Tondang (@tas_kmanager) Security Researcher, Microsoft / Curated Intelligence
Tas has spent the last five years immersed in the worlds of threat hunting, detection engineering, and security research. Currently, he's making changes at Microsoft, specializing in cloud security research. Beyond his professional endeavors, Tas is a passionate contributor to the cybersecurity community, holding roles in the DFIR report and Curated Intelligence. He's also no stranger to the stage, having presented at various conferences around the globe, to name a few SANS Summits and DEF CON BTV. When he's not navigating the digital landscape, Tas enjoys the art of astrophotography and embarking on spontaneous adventures across the globe exploring landscapes and cuisines.