Shibuya Industries
NCC Group
Stand Out In Tech
Flare Systems
Wealthsimple
NCC Group
Morgan Stanley
Bell Canada
Security Innovation
Ward Solutions
Veracode Inc
Commissionnaires du Québec - Cybersecurity department (VYGL)
Syntax
1Password
Bodacea Light Industries
Imperva
Imperva
Agile Information Security
Gosecure
McAfee
Ryerson Leadership Lab
University of Ottawa
Ryerson Leadership Lab and Cybersecure Policy Exchange at Ryerson University; Data & Society Research Institute
We Hack Purple
Cisco Talos
Cisco Talos
Fortinet
Cognosec DMCC
Trend Micro
Desjardins
GoSecure
ShiftLeft Inc.
ShiftLeft
Black Hills Information Security
Egyde-KPMG
FortyNorth
FortyNorth
FalconForce
FalconForce
FalconForce
Czech Technical University
Czech Technical University
Xavier is a managing security consultant at NCC Group, with experience in both academia and the private sector. He has worked as a developer, security researcher and consultant. Xavier currently spends most of his time focusing on application and cloud security, as well as driving the development of Scout Suite (https://github.com/nccgroup/ScoutSuite/), an open source multi-cloud security-auditing tool.
Xavier holds the AWS Certified Security – Specialty, Offensive Security Certified Professional (OSCP), Offensive Security Certified Expert (OSCE) and Offensive Security Wireless Professional (OSWP) certifications.
Veronica Valeros, Czech Technical University
Veronica is a researcher and intelligence analyst from Argentina. Her research strongly focuses on helping people. A jack of all trades, she currently specializes in threat intelligence, malware traffic analysis, and data analysis. She has presented her research at international conferences such as BlackHat, EkoParty, Botconf, Virus Bulletin, Deepsec, and others. She is the co-founder of the MatesLab hackerspace based in Argentina and co-founder of the Independent Fund for Women in Tech. She is currently the director of the Civilsphere project at the Czech Technical University, dedicated to protecting civil organizations and individuals from targeted attacks. She is also the project leader at the Stratosphere Laboratory, a research group at the Czech Technical University dedicated to study and research in cybersecurity and machine learning.
Sebastian Garcia, Czech Technical University
Sebastian is a malware researcher and security teacher with extensive experience applying machine learning to network traffic. He created the Stratosphere IPS project, a machine learning-based, free software IPS to protect civil society. He likes to analyze network patterns and attacks with machine learning. As a researcher in the AIC group of the Czech Technical University in Prague, he believes that free software and machine learning tools can help better protect users from abuse of their digital rights. He has taught in several countries and universities and has worked on penetration testing for both corporations and governments. He was lucky enough to speak at Ekoparty, DeepSec, Hacktivity, Botconf, Hacklu, InBot, SecuritySessions, ECAI, CitizenLab, ArgenCor, Free Software Foundation Europe, Virus Bulletin, BSides Vienna, HITB Singapore, CACIC, etc. As a co-founder of the MatesLab hackerspace, he is a free software advocate who has worked on honeypots, malware detection, distributed scanning (dnmap), keystroke dynamics, Bluetooth analysis, privacy protection, intruder detection, robotics, microphone detection with SDR (Salamandra), and biohacking.
Charles Hamilton Director, Egyde-KPMG
Charles Hamilton is a Red Teamer who holds the OSCE, OSCP, and SLAE64 certifications. He has more than ten years of experience delivering offensive testing services for various government clients and commercial verticals. In recent years, Charles has focused on covert Red Team operations against complex and secured environments. These operations have allowed him to hone his craft at quietly navigating a client's network without detection. Since 2014, he has been the founder and operator of the RingZer0 Team website, a platform focused on teaching hacking fundamentals. The RingZer0 community currently has more than 36,000 members worldwide. Charles is also a prolific toolsmith and speaker in the InfoSec industry under the handle Mr.Un1k0d3r. Some of Charles Hamilton's tradecraft can be found in his GitHub repository.
Olaf Hartong Co-Founder & Defensive Specialist, FalconForce
Olaf Hartong is a Defensive Specialist and security researcher at FalconForce. He specialises in understanding attacker tradecraft and thereby improving detection. He has a varied background in blue and purple team operations, network engineering, and security transformation projects.
Olaf has presented at many industry conferences including Black Hat, DEF CON, DerbyCon, Splunk .conf, FIRST, MITRE ATT&CKcon, and various other conferences. Olaf is the author of various tools including ThreatHunting for Splunk, ATTACKdatamap and Sysmon-modular.
Gijs Hollestelle Co-Founder & Security Specialist, FalconForce
Gijs Hollestelle specializes in advanced offensive and defensive capabilities. Gijs has spent the last 15 years in various technical security roles covering ethical hacking, red teaming, cryptography, blue teaming and secure coding. Apart from solving technical challenges in the cyber security area, he also enjoys teaching others to do the same. He is also an avid CTF player, competing at the highest level with multiple CTF teams including Eindbazen and Hack.ERS.
Henri Hambartsumyan Co-Founder & Red Teamer, FalconForce
Henri Hambartsumyan is an experienced technical security professional with 10 years of technical security experience. Henri started his career as a pentester and moved on to more advanced pentesting projects. Later he started executing "covert operations", which the industry later dubbed "red teaming". In recent years, Henri has performed countless red team operations, among which 4 TIBER exercises. Outside of projects, Henri has spent most of his off-time developing AV bypasses for future ops. In the last year, Henri has taken an interest in blue teaming, especially in detecting more advanced tradecraft in a realistic way. Thanks to his in-depth understanding of the tradecraft, he currently develops detection rules for advanced attacks as part of the FalconFriday blog series and for clients. Next to this, he is still active in performing red teams.
Chris Truncer Co-Founder and Offensive Security Lead, FortyNorth
Christopher Truncer (@ChrisTruncer) is a co-founder and Offensive Security Lead with FortyNorth Security. He is a co-founder and current developer of the Veil-Framework, a project aimed at bridging the gap between advanced red team and penetration testing toolsets. Chris began developing tools that are not only designed for the offensive community, but can also enhance the defensive community's ability to defend their networks.
Matt Grandy Sr. Offensive Security Engineer, FortyNorth
Matthew Grandy is a senior offensive security engineer with extensive experience leading penetration testing and red team engagements across various industries. He is an Offensive Security Certified Expert (OSCE) as well as an Offensive Security Certified Professional (OSCP) and contributes regularly to the open source community, as he believes very strongly in elevating the security industry as a whole. Most notably, Matthew has contributed to the C# EyeWitness project and created MiddleOut, a C# compression utility. Matthew is also a previous Black Hat and Wild West Hackin' Fest instructor.
Brian King Penetration Tester, Black Hills Information Security
Brian King has been pentesting webapps since 2008. He was the second hire into his employer's application security team at a time when "PCI" was brand new and long before bug bounty programs, when experienced webapp pentesters had to be made, not found. His internal training and coaching efforts built a successful team of 30 testers, few of whom had significant security experience before joining the team. Brian believes that webapps are the best targets for pentesting because, although they all look familiar on the surface, they are all different, often in surprising ways. Each webapp is a collection of puzzles for a pentester, and the first puzzle is figuring out where the other puzzles are! Once you get started, each test can be an engaging chance to practice your problem-solving skills and dive into new technologies.
This workshop is in partnership with the BlackHoodie organization and is intended to be presented by and for women. We hope that all attendees respect this requirement. For further information, the organization's mission is available here.
The practical portion will consist of an exercise in reversing a beginner-level challenge using a disassembler and, time permitting, a debugger. Participants can download and install the software ahead of time to follow along during the hands-on portion, or simply watch and absorb. The instructor will be using Ghidra and GNU Debugger (GDB) on an Ubuntu 20.04 machine; however, attendees are free to use the tools and platform of their choice with the understanding that they may differ in interface and/or capabilities.
Morgan Whitlow is a multidisciplinary reverse engineer working primarily with embedded and mobile devices. A former lockpicking instructor and nanotechnology researcher, she eventually decided to pursue a Master of Science in Applied Computer Science, breaking into tech security and hunting, monitoring, and responding to threats within client systems. She has a particular affinity for hardware and rapid prototyping.
This is a Q&A session.
Did you notice a shift in your mental health and/or your colleagues'? Burnout was at an all-time high last year due to the surreal 2020. As we approach 2021, we recognize how critical a role mental health plays in accomplishing goals and productivity output. This talk dives into the factors that lead to burnout among security professionals, the clear line between burnout and the failure to retain cybersecurity talent, and how to invest in your team to make sure it is able to thrive during stressful times.
Chloé Messdaghi Tech Changemaker, Stand Out In Tech
Chloé Messdaghi is an award-winning changemaker who is innovating the tech and information security sectors to meet today's and tomorrow's demands. For over 10 years, she has accelerated startups through solutions that empower organizations and people to stand out from the tech crowd. She is an international keynote speaker at major information security and tech conferences and events, and serves as a trusted source for national and sector reporters and editors, such as Forbes and Business Insider. Additionally, she is one of Business Insider's 50 Power Players of Cybersecurity, an SC Magazine honoree, Cybersecurity Advocate of the Year, and Cybersecurity Women of the Year by the Cybersecurity Excellence Awards.
Outside of her work, she is the cofounder of WoSEC and Hacking is NOT a Crime, and founder of WeAreHackerz. She holds a Master of Science from The University of Edinburgh, and a BA in International Relations from University of California, Davis, as well as executive education certificates from Wharton and Cornell.
Learn more: https://www.standoutintech.com
Connect on LinkedIn/Instagram/Twitter: @ChloeMessdaghi
This is a Q&A session.
We measure so that we can improve and report. Reporting is for our bosses and job security. Improvement is for us. As an outnumbered security professional you will never, ever have enough time, money and resources to add every layer of defence you wish you could, which means we need to work smarter. Learn about which metrics truly matter, and which vanity metrics you can learn to safely ignore, so that you can work the most effectively at protecting your organization.
Tanya Janca CEO and Founder, We Hack Purple
Tanya Janca, also known as SheHacksPurple, is the best-selling author of 'Alice and Bob Learn Application Security'. She is also the founder of We Hack Purple, an online learning academy, community and podcast that revolves around teaching everyone to create secure software. Tanya has been coding and working in IT for over twenty years, has won numerous awards, and has been everywhere from startups to public service to tech giants (Microsoft, Adobe, & Nokia). She has worn many hats: startup founder, pentester, CISO, AppSec Engineer, and software developer. She is an award-winning public speaker, active blogger & streamer, and has delivered hundreds of talks and trainings on 6 continents. She values diversity, inclusion and kindness, which shines through in her countless initiatives.
This is a Q&A session.
This is a Q&A session.
Joëlle-Alexandra Desmarais-Lauzon is a graduate of HEC Montreal in business administration and holds a master's degree in software engineering from the University of Sherbrooke. She has held numerous positions as an information security consultant for several large Canadian institutions and now works for Ubisoft as a security team leader (IAM).
In parallel to her professional career, she is involved in various initiatives that promote the leadership of women in the IT field.
She is also the co-founder of a small company specialized in balcony optimization, Demain Dimanche, whose products are proudly made in Montreal.
This is a Q&A session.
I'll share all the parts lists with links and steps on how to do it. The LED strip mods are pretty simple and could be completed at home by those with some soldering experience, but I will show a few ways not to do it that I learned the hard way anyway. We will try to always include the "why it's possible" for those of you not familiar with HW stuff. Attendees will leave with parts lists and plans to add off-board LEDs to the 2018 and 2019 NSec badges, as well as the burning desire to make their own mods to other conference badges, whether or not they probably should. I love making my own use of HW, usually involving a mess of wires, and I hope it rubs off on you too.
Workshops are first-come, first-served and have a participant limit. Tickets will be distributed (for free) via Eventbrite starting on May 11, 2021.
Tools covered include: rumkin.com, hashcat, John the Ripper, binwalk, radare2, binvis.io, Veles, aircrack-ng, mitmproxy, MITMf.
The workshop is at a '101' level: geared for people who are good with computers but may have no knowledge of cryptography. There will be minimal math (I promise). We'll talk mostly about how to break bad crypto and bad crypto algorithms, with 10-15 min hands-on sessions integrated into 4 hours of workshop: Decrypt 'Crypto', Break Hashes, Break Crypto, Visualize Crypto.
We will also explore three applications of the building blocks and attacks. Towards the end, we tie the building blocks and attacks into how the following crypto protocols get broken: WPA2, TLS and the UDS Seed-Key exchange (from automotive). Please join us for an intro-level exploration of cryptography building blocks, protocols and how to attack them. And, as always, crypto means cryptography.
All hands-on activities can be completed with a web browser, but installing these tools beforehand will help: binwalk, Veles, hobbits, hashcat.
Mr. Gardiner is an independent consultant at Yellow Flag Security, Inc., presently working to secure heavy vehicles at the NMFTA. With more than ten years of professional experience in embedded systems design and a lifetime of hacking experience, Gardiner has a deep knowledge of the low-level functions of operating systems and the hardware with which they interface. Prior to YFS Inc. and joining the NMFTA team in 2019, Mr. Gardiner held security assurance and reversing roles at a global corporation, as well as embedded software and systems engineering roles at several organizations. He holds an M.Sc. Eng. in Applied Math & Stats from Queen's University. He is a DEF CON Hardware Hacking Village (DC HHV) and Car Hacking Village (CHV) volunteer. He is GIAC GPEN certified and a GIAC advisory board member. He is also chair of the SAE TEVEES18A1 Cybersecurity Assurance Testing TF (drafting J3061-2) and a voting member of the SAE Vehicle Electronic Systems Security Committee. Mr. Gardiner has delivered workshops and presentations at several world cybersecurity events including GENIVI security sessions, Hack in Paris, HackFest and DEF CON.
This is a Q&A session.
Workshops are first-come, first-served and have a participant limit. Tickets will be distributed (for free) via Eventbrite starting on May 11, 2021.
The workshop should go as follows:
Part 1: Quick review of the Apple-Google exposure notification protocol, split into 3 main parts
1- Broadcast of rolling proximity identifiers over Bluetooth LE and scanning for such identifiers transmitted by nearby devices.
2- Transmission of temporary exposure keys, from which rolling proximity identifiers are generated, to public health authorities upon diagnosis.
3- Key matching protocol occurring on the device to determine if the owner was in close proximity to another user who then tested positive, triggering the notification.
Part 2: Setting up and testing the Bluefruit LE sniffer
Part 3: Walk-through of the Bluetooth portion of the protocol code that is to be compiled and flashed on the ESP Vroom 32. That covers the scanning code, the advertising code and the critical data structures involved.
Part 4: Build, compile and flash the ESP Vroom 32. Run the Bluefruit sniffer to see rolling proximity identifiers being transmitted. Play with timeouts to see identifiers being rotated.
Part 5: Conclusion
Clone the repository on GitHub https://github.com/Marc-andreLabonte/MCUTrace
Review the Google and Apple documents, procure an ESP Vroom 32 and a Bluefruit LE sniffer, and set up the ESP IDF tool chain.
Setting up the ESP IDF tool chain: https://docs.espressif.com/projects/esp-idf/en/latest/esp32/get-started/
Google and Apple Documents:
ESP Vroom 32 development board, e.g. this one from Amazon
The NSEC 2021 badge also uses the ESP32 and works for the workshop.
Marc-andre Labonte Penetration tester, Desjardins
Marc-andre Labonte was a system administrator for more than a decade at the McGill Genome Center while it was known as the McGill University and Genome Quebec Innovation Center. There, he took part in the design, deployment, operation and maintenance of the data center as it went through multiple upgrade cycles to accommodate ever more powerful high-throughput genome sequencers coming to market.
Then, he joined the ETTIC team at Desjardins in 2016 as an infrastructure penetration tester. Currently doing research and testing on IoT devices, he also presented the "Leveraging UART, SPI and JTAG for firmware extraction" workshop at NSEC in 2019. His work is motivated by curiosity and a strong sense of personal privacy in a world of connected devices and data-hungry organizations.
This is a Q&A session.
Back in 2014, I launched an open source CAN bus tool called CANtact. This was one of the first widely available CAN bus tools that was open source and low cost. Since then, CANtacts have found their way into many automotive companies, government agencies, and hobbyists' toolboxes.
CANtact Pro is the successor to the CANtact device. It adds isolation, high speed USB, CAN-FD support, and a case. This project was launched through Crowd Supply and shipped to backers in late 2020.
This talk will discuss the process of developing, releasing, and selling an open source hardware device. We'll cover the device design process and the logistics of bringing it to market. If you've ever wanted to release your own hardware tools, this talk will give you an understanding of how to do it.
Eric Evenchick Technical Director, NCC Group
Eric is a Technical Director working within the Transportation and Hardware practices at NCC Group. His work has been focused on automotive system security, firmware binary analysis, and tool development.
Eric has developed several open-source tools for automotive security testing including CANtact and CANtact Pro. These tools have been used by a wide variety of automotive companies, security firms, and government agencies.
Eric holds a Bachelor of Applied Science in Electrical Engineering from the University of Waterloo. While in school, he performed research on the development of alternative-fuel vehicles in partnership with General Motors. Eric is a member of the Black Hat and SecTor review boards. He has also presented at numerous security conferences including Black Hat, SecTor, DEF CON, ToorCon, PyCon USA, and NorthSec.
This is a Q&A session.
Geneviève Lajeunesse (denki)
Geneviève is a cybersecurity professional and maker. Her professional experience spans almost 2 decades in technology in various industries, currently focusing on cloud security. A seasoned educator, she has initiated hundreds of teenagers to the maker movement and disruptive technologies such as rapid prototyping of electronics and 3D printing. She volunteers alongside marginalized and at-risk groups to empower them in adopting the best cybersecurity posture possible and to innovate to further their missions.
This is a Q&A session.
Load balancers and proxies, such as HAProxy, Varnish, Squid and Nginx, play a crucial role in website performance, and they each implement a different HTTP protocol parser. HTTP Request Smuggling (HRS) is an attack abusing inconsistencies in how HTTP request parsers determine where a request ends. What your load balancer considers the end of one request might not be considered as such by your web server.
In this presentation, we will see how an attacker can abuse several vulnerable configurations. HTTP Request Smuggling (HRS) enables multiple attack vectors, including cache poisoning, credential hijacking, URL filtering bypass, open redirect and persistent XSS. For each of these vectors, a payload will be showcased and explained in depth. A live demonstration will also show the vulnerability in action. Aside from exploitation, we will show how developers and system administrators can detect such faulty configurations using automated tools.
By the end of this talk, security enthusiasts from any level will have solid foundations to mitigate request smuggling, a vulnerability that has greatly evolved in the past 15 years.
Philippe Arteau Security Researcher, Gosecure
Philippe is a security researcher working for GoSecure. His research is focused on Web application security. His past work experience includes pentesting, secure code review and software development. He is the author of the widely used Java static analysis tool OWASP Find Security Bugs (FSB). He is also a contributor to the static analysis tool for .NET called Security Code Scan. He built many plugins for Burp and ZAP proxy tools: Retire.js, Reissue Request Scripter, CSP Auditor and many others. Philippe has presented at several conferences including Black Hat Arsenal, SecTor, AppSec USA, ATLSecCon, NorthSec, and 44CON.
This is a Q&A session.
Today we are embracing the benefits and advantages of having cloud storage in most environments, especially now that everyone is working from home and data moves from one place to another through cloud storage services such as OneDrive, Box, Dropbox and Google Drive. There are a number of artifacts on the endpoint side that give us the ability to see the bigger picture when these cloud services are being used to perform data exfiltration or other malicious actions. In short, cloud storage data can be more accessible on the local device and can contain files and metadata distinctly different from the current cloud repository. I'm going to show how to perform data acquisition on these cloud storage applications installed on endpoints, and which metadata and evidence we can extract from a forensics standpoint.
Renzon Cruz Digital Forensics & Incident Response | Co-Founder of GuideM
Renzon Cruz is a Filipino security professional living in Dubai who works in Digital Forensics & Incident Response at a FinTech company based in the UK. He previously worked as a Senior Security Consultant as part of a National Cyber Security Agency in Doha, Qatar. Prior to working in Dubai, he was also a Sr. Security Analyst & Incident Responder and a college instructor at New Era University, Philippines. He has also been accepted as a speaker at various international conferences such as BSides Vancouver (2019), BSides London (2019), BSides Doha (2020), and ROOTCON Hacking Conference (2020). He is also a co-founder, course developer, and instructor at GuideM, a real-world cybersecurity training center based in the Philippines. He holds several certifications, including GCFA, GCFE, GCIH, eCTHP, eCDFP, eJPT and CFR. He is mainly interested in defensive strategy, threat hunting, digital forensics and incident response, malware analysis, and adversary simulation.
This is a Q&A session.
Audience
This presentation is suitable for anyone interested in knowing how to tackle the Authentication challenges of Cloud transformation in a complex enterprise environment.
Background
Now more than ever, enterprise companies are using cloud apps at an increasing pace. The pandemic outbreak has accelerated the digital shift. Work-from-home is the new normal, and this trend is unlikely to go away when the pandemic ends. This phenomenon has made the Cloud transformation even more demanding. The access model of Software as a Service (SaaS) enables devices to connect from the internet and the corporate internal network, a prevalent access model for WFH.
We have seen enterprises rely more on business-critical SaaS applications, such as Google G Suite, Microsoft Office 365, and Salesforce. Some of them have even started to deploy their in-house applications on Public Cloud Service Providers' (CSP) platforms / Infrastructure as a Service (IaaS) like Amazon Web Services (AWS) and Azure. Even though many enterprises have adopted SaaS solutions, most are still early in the game or have only recently started their Cloud transformation journey. A workable integration does not necessarily imply a secure SaaS integration. To maintain security standards with sustainability and scalability, enterprises must develop a strategic roadmap by adopting industry-standard authentication protocols and moving away from homegrown authentication methodologies.
Managing authentication in the Cloud is a complex problem, more complicated than the traditional, on-premise (on-prem) environment. The conventional ways to handle authentication on-prem are not good enough to securely protect Public Cloud and SaaS applications from unauthorized access.
Challenges
(1) SaaS integration authentication pitfalls
• The conventional on-prem environment is like a "Walled Garden", where business activities were conducted within the office or network boundaries, guarded by, and monitored under an explicit firewall policy.
• In contrast, Public Cloud / SaaS applications reside in a more "open" and "shared" environment. They are accessible to any user with any endpoint from any location and therefore have different attack vectors and vulnerabilities. An intelligent way to strongly verify a user's identity, a contextual authentication more than Multi-factor authentication (MFA), is critical to secure the Cloud and SaaS endpoints.
• One of the most common SaaS authentication design failures is when a single sign-on (SSO) solution is not adopted or enforced across the board. Each SaaS application then has its own identity store and password requirements. As a result, users must maintain multiple accounts manually, which creates a gateway for attackers to gain unauthorized access to various SaaS applications.
(2) Risk of unmanaged growth in Cloud identities
• Failing to adopt an SSO solution in Cloud migration causes another pressing problem: the rapid creation of SaaS and CSP platforms' cloud identities.
• A typical example of a poor identity lifecycle management is zombie SaaS accounts, where inactive users or former employee SaaS accounts remain active.
• Managing user account provisioning and de-provisioning across multiple SaaS applications and CSPs requires a centralized identity management solution.
Solutions
(1) Adopt an Identity provider (IDP) solution
• By extending SSO to Cloud applications with a single authentication point through an IDP, users can access cloud / SaaS apps using their corporate identities without sending their credentials externally. The IDP solution dramatically improves the overall user experience and provides secure and uninterrupted services by keeping one credential.
• Enterprise companies that have a long history might also have more legacy applications. Some of the applications handle basic authentication (e.g., username/password) themselves and usually use homegrown authentication methodologies that do not follow the latest industry standards. Adopting an IDP solution enables the enterprise to embrace standard authentication protocols like OpenID Connect, OAuth, and SAML, to integrate with various SaaS and CSP seamlessly. The standardization also reduces vulnerabilities in the overall IT environment and facilitates enterprises to meet compliance and regulatory requirements smoothly.
• It's essential to choose a good IDP solution that enables the security team to standardize the SSO connections to cloud applications and on-premises applications with a centralized policy framework.
(2) Tackle the Cloud authentication problems more intelligently using a Cloud-based IDP solution
• Most of the Cloud-based IDPs enable admin users to create policies that continuously assess risk and enforce policies to mitigate risks when they arise.
• In a Zero Trust Security model principle, the perimeter is no longer at the network level but now at the identity level. Cloud-based IDP leveraging machine learning and contextual-based authentication would help both users and administrators solve the "anywhere, anytime, from any device" access challenge more intelligently. Cloud-based IDP like Azure Active Directory provides services that automate the detection and remediation of identity-based risks.
Evelyn Lam IAM Lead Security Architect, Vice President, Morgan Stanley
Evelyn Lam is an Identity and Access Management Lead Security Architect, Vice President at Morgan Stanley. She has over 16 years of IT experience managing enterprise-scale global projects for such industries as Wall Street Investment Banking, Retail Banking, and Big 4 Consultancy. She has nine years of experience in leading security teams, development teams in North America and Asia, and managing client relationships in North America, Europe, and Asia.
Evelyn specializes in strategic and architectural decision-making in authentication, identity management, cloud security, and data masking.
In addition to her Security Architect role, Evelyn has a track record of public speaking, tutoring, and mentoring since 2010. She was a speaker at the Grace Hopper Conference 2020, a summer guild instructor for Women in Technology in New York in 2019, and a speaker and panelist at security conferences. Evelyn has been an instructor of entry-level and advanced security classes teaching security architecture and threat modeling at her firm since 2018. She is an active member of campus recruitment teams in North America. She is also a mentor in Rewriting the Code (RTC).
Evelyn is a Certified Information Security Manager with a Master's degree in Computer Science.
This is a Q&A session.
Max Habra Lead Cloud Integrator, Data Analytics & Artificial Intelligence, Mouvement Desjardins
Lead Cloud Integrator for the Data Analytics & Innovation Team at Mouvement Desjardins, Max is a Security Consultant for Financial Services, specialized in cloud, application security and secure pipelines.
This is a Q&A session.
Discussion.
In this talk, the audience will see how a simple blog article (about an Outlook persistence technique) can and should spark a whole chain of actions from your security team.
For each of the applicable steps below, sample code will be provided.
1. The idea/hypothesis
○ You read a good blog post on a technique and you hunt for the IOCs
2. Converting the hunt query/analytics into a detection in your SIEM
○ Nobody wants to run the same search over and over again
3. Make sure your detection is working
○ Just because your query is good doesn't mean you will find events
○ Make an Atomic Red Team (ART) test to mimic the attack on a test server
○ Submit a PR for your ART test
4. Share the detection with the community
○ Make a Sigma rule and submit a PR
○ Of course, some of the exclusions are org-specific, so be careful how/what you share
5. Make sure your detection pipeline is working
○ You need to make sure your whole pipeline is working.
○ Did the last update to your SIEM change something that prevents future events from triggering your alert?
○ Use Scheduled Tasks, a CI/CD pipeline, Docker, etc. to launch the ART test on a regular basis
○ Exclude the test system from the alert to avoid SOC analyst fatigue
6. Create the IR playbook
○ Before your SOC analysts can actually handle these alerts, they need a step-by-step guide
○ I will try to base it on an open-source project like https://github.com/atc-project/atc-react
○ There's also a good SANS presentation that proposes a very clear flowchart
○ I'm working on open-sourcing some playbooks I've built at work as well.
7. Training
○ You should build training for your current and future analysts.
○ Something that is easy to consume.
§ Video
§ PowerPoint
§ Wiki
§ etc.
With all those steps, you have, imo, come full circle on your detection.
Mathieu Saulnier Sr Manager Incident Response, Syntax
Mathieu Saulnier is a Core Mentor member of Defcon's Blue Team Village. He has held numerous positions as a consultant within several of Quebec’s largest institutions. Since 2011, he has focused on putting SOCs in place and has specialized in detection (Blue Team), content creation and mentorship. He worked as a "Senior Security Architect" and acted as "Adversary Detection Team Lead" and "Threat Hunting Team Lead" for one of Canada’s largest carriers for more than a decade, and he is now "Sr Manager Incident Response" at Syntax. He loves giving talks and has had the honor of doing so at Derbycon, Defcon’s BTV, NorthSec, BSidesLV, Grayhat, GoSec and BSidesCharm.
This is a Q&A session.
Discussion.
The talk will start with an explanation of the flexibility that the Machine Learning (ML) approach brings compared to the static, rule-based one. (Throughout the talk, we will follow a credential attack example, T1078, for illustrative purposes, but we will explain how the suggested approach generalizes to other MITRE ATT&CK TTPs.) Specifically, the rule-based approach suffers when thresholds change over time and/or vary from one monitored entity (corporation/user/server/website/etc.) to another. This leads either to attackers being able to "stay under the radar" or to analysts being flooded with false positives.
The first part of our response to this challenge consists of using unsupervised ML for anomaly detection, which performs historical profiling of sources and outputs a measure of how far a given observable deviates from the "norm". This can be done in a number of ways, but we currently use the Elastic ML component. Given Elastic's recent license change announcement, we note that Elastic ML can be substituted with free open-source solutions, for example Python and the Scikit-Learn ML library.
This is not the end of the story, as advanced attackers understand that their activity is being monitored and use automation tools to bypass detections. So even though the first part of our solution considerably reduces the number of entities one needs to analyze (roughly from millions to tens of thousands in our environment), this is still not feasible for our analysts. The second part therefore consists of tracking anomalies corresponding to various attackers across various log sources and leveraging supervised ML to aggregate risk. Again, a number of options are available, but we specifically use the free open-source Scikit-Learn ML library.
Finally, we arrive at the last challenge: how can analysts monitor an environment full of anomalies from ML models that are not easily interpretable, and an abundance of data coming from various types of logs? We address this issue by providing a front-end written in Python and using a Plotly dashboard (we use only free open-source components, although the latter library also has a commercial offering). It allows analysts to interactively monitor the security environment and provide prompt initial triage for any of the anomalies. It includes a novel (to our knowledge) way to succinctly visualize the most pertinent features of a large number of events surrounding the potential incident (weighted chains).
We conclude our presentation with a demonstration of our approach based on real, though anonymized, data. It represents a subsample of one of the distributed attacks that our solution detected and all other solutions available to us missed. Additionally, we show why analysts performing triage reported saving time processing tickets.
Igor Kozlov Data Scientist, Bell Canada
Igor Kozlov received his PhD from McGill University, Canada. He co-authored 9 research articles in 3 different fields, including computational studies of data from the LHC (the biggest experiment in human history). Currently he works as a Data Scientist in Cyber Security at Bell Canada. He is always happy to share his passion for everything (data, computer, natural, applied, fundamental) science.
This is a Q&A session.
Discussion.
Jared is a security researcher who specializes in Digital Forensics and Detection Engineering. Recently, he has been building and leading private sector Detection and Response programs. In his previous life, Jared led incident response missions for the U.S. Air Force Hunt Team, detecting and removing Advanced Persistent Threats on Air Force and DoD networks. Passionate about PowerShell and the open source community, Jared is the lead developer of PowerForensics and Uproot, maintains a DFIR-focused blog at www.invoke-ir.com, and is the host of the Detection: Challenging Paradigms podcast.
This is a Q&A session.
Discussion.
Carlos aka Plug started his journey in computer security back in 1996 when he discovered a 2600 magazine that eventually led him to his first LA2600 meeting in 1998. From that point forward, he has been involved in computer security. In his free time he enjoys building Legos, playing with synthesizers, and when possible, he volunteers his time to computer security events. Currently he leads the Threat Hunting Program for a Fortune 20 organization.
This is a Q&A session.
Cory Doctorow (craphound.com) is a science fiction author, activist, and journalist. His latest book is ATTACK SURFACE, a standalone adult sequel to LITTLE BROTHER. He is also the author of HOW TO DESTROY SURVEILLANCE CAPITALISM, nonfiction about conspiracies and monopolies; of RADICALIZED and WALKAWAY, science fiction for adults; a YA graphic novel called IN REAL LIFE; and young adult novels like HOMELAND, PIRATE CINEMA and LITTLE BROTHER. His first picture book was POESY THE MONSTER SLAYER (Aug 2020). He maintains a daily blog at Pluralistic.net. He works for the Electronic Frontier Foundation, is an MIT Media Lab Research Affiliate, is a Visiting Professor of Computer Science at Open University, a Visiting Professor of Practice at the University of North Carolina’s School of Library and Information Science, and co-founded the UK Open Rights Group. Born in Toronto, Canada, he now lives in Los Angeles.
This is a Q&A session.
Laurent is the Director of Penetration Testing for GoSecure. He has conducted over 400 pentesting and red team engagements over the span of 10 years and is still enthusiastic about it. Laurent is also a challenge designer for Northsec and has given talks at RSA, CQSI, NCFTA, HackFest, RSI, Montrehack, Owasp Montreal and Northsec. Besides security, Laurent is interested in lockpicking, magic and pickpocketing.
This is a Q&A session.
Does your project depend on a GitHub repository? It might become vulnerable to remote code injection simply due to one small GitHub feature. This talk will discuss ‘repo jacking’, an obscure supply chain vulnerability that allows attackers to hijack GitHub repositories and achieve remote code execution through dependency injection. This vulnerability has become exceedingly widespread in open-source projects, and over 70,000 projects are affected. It can affect any language and has been found to impact small personal games, huge web frameworks, cryptocurrency wallets, and everything in between. Come learn about this vulnerability, what causes it, why it has gone unnoticed for so long, and how to exploit it. Learn how you too can scan all open-source projects for this vulnerability, look for other similar vulnerabilities, and build dependency graphs to fully understand the impact of these types of issues. Finally, come hear about the outcome of this analysis, see how prevalent it is and who is impacted, and discuss some important mitigation strategies that you can use to protect your own projects from this and other supply chain attacks.
Indiana Moreau Security Engineer, Security Innovation
Indiana is a security engineer at Security Innovation who specializes in testing web applications, APIs, and cloud configurations. He has a background in web development and previously worked in telecommunications and banking, performing penetration tests and security assessments. In his spare time, he works on personal coding projects and eats copious amounts of sushi.
This is a Q&A session.
With the rise of GraphQL, a query language created by Facebook, security professionals must be ready for the day GraphQL reaches their company’s networks.
In this talk, we will walk through GraphQL basics, followed by a deep dive into the various GraphQL attack vectors, from Information Gathering to Denial of Service and Injections.
Additionally, we will discuss a recent security platform release, the Damn Vulnerable GraphQL Application (DVGA), a platform made for security practitioners to learn GraphQL and its various weaknesses in a safe testing environment.
Dolev Farhi Principal Security Engineer, Wealthsimple
Dolev is a security engineer and author with extensive experience leading security engineering teams in complex environments and at scale in the Fintech and cyber security industries. Currently, he is the Principal Security Engineer at Wealthsimple, building defences for one of the fastest Fintech companies in North America.
Dolev has previously worked for several security firms and provided training for official Linux certification tracks. He is one of the founders of DEFCON Toronto (DC416), a popular Toronto-based hacker group. In his spare time, he enjoys researching vulnerabilities in IoT devices, participating and building CTF challenges and contributing exploits to Exploit-DB.
This is a Q&A session.
Electron and web apps may never be the first choice for security-conscious developers, but they are an industry reality. We recently faced this dilemma at 1Password when we set out to build the new Linux desktop client for our flagship password manager.
Compromising on security was not an option. At the same time, building a web app was the only practical option. Undeterred, we set out to harden Electron to meet our unique client-side requirements.
I am not going to pretend we made it all the way — no software framework ever will. But we did end up with an app we are proud to call 1Password, and to entrust with our users’ most sensitive data.
I hope to share what we learned so that others in a similar situation will have an easier time. At the same time, I invite the community to see what we’ve built and look at what we’ve gotten right — or wrong.
Mitchell Cohen Product Lead, 1Password
Mitchell is Product Lead at 1Password, where he specializes in delivering usable security in the browser and on the desktop. Before he joined the dark side and became a software developer, Mitchell followed a circuitous path through technical writing, journalism, and liberal arts. His interests span from operating systems, to UX, to linguistics, to the history of science and technology. Mitchell lives in a tiny Toronto apartment with his partner and cat. He will make you a great cup of coffee if you ask.
This is a Q&A session.
If any of these answers are "yes", come join me in this talk. I will be going over each cryptographic primitive, such as random number generators, encryption/decryption algorithms, message authentication codes, digital signatures, password storage, etc. We will discuss common insecure crypto patterns observed in real-world applications, secure best practices, and what to be wary of. All of this is based on evaluating a bunch of leading cryptographic implementations while not losing sight of future-proofing applications. This should help security architects/developers while designing their crypto applications, and security practitioners while auditing these systems.
Mansi Sheth Senior Principal Security Researcher, Veracode Inc
Mansi Sheth is a Principal Security Researcher at Veracode Inc. In her career, she has been involved with breaking, defending and building secure applications. Mansi researches various languages and technologies, finds insecure usage in customer code and suggests automation measures in finding vulnerabilities for Veracode's Binary Static Analysis service. She is an avid traveller with the motto "If not now, then when?”
This is a Q&A session.
Our presentation shows there is a space for a second-tier APT classification, one where the actor provides breach services to a larger actor, almost mimicking what happens in the crimeware scene, where some groups just gather credentials which they then sell to other crimeware groups. There are other groups that may offer hacking-as-a-service, but rather than working for the highest bidder, they serve a specific country or group, perhaps to align with their own intentions. At the same time, these groups will do whatever is best to maximize their gains. The advantage in this case is that they benefit from the “protection” of the APT for which they provide the services. Finally, this second-tier category should also include the APTs that lack the sophistication of others and often have their operations exposed due to bad opsec or amateurish mistakes. We believe that challenging the status quo on Gamaredon and others that could fit the previous definition is beneficial as a whole. It will help organizations better understand the threats on which they must focus their resources. The fact remains that Gamaredon is a notoriously prolific group operating without any constraints on a globally impacting level.
Warren Mercer Security Researcher, Cisco Talos
Warren Mercer joined Talos coming from a network security background, having previously worked for other vendors and the financial sector. Focusing on security research and threat intelligence, Warren finds himself in the deep, dark and dirty areas of the Internet and enjoys the thrill of the chase when it comes to tracking down new malware and the bad guys! Warren has spent time in various roles throughout his career, ranging from NOC engineer to leading teams of other passionate security engineers. Warren enjoys keeping up to speed with all the latest security trends, gadgets and gizmos; anything that makes his life easier at work helps!
This is a Q&A session.
Our presentation shows there is a space for a second-tier APT classification, one where the actor provides breach services to a larger actor, almost mimicking what happens in the crimeware scene, where some groups just gather credentials which they then sell to other crimeware groups. There are other groups that may offer hacking-as-a-service, but rather than working for the highest bidder, they serve a specific country or group, perhaps to align with their own intentions. At the same time, these groups will do whatever is best to maximize their gains. The advantage in this case is that they benefit from the “protection” of the APT for which they provide the services. Finally, this second-tier category should also include the APTs that lack the sophistication of others and often have their operations exposed due to bad opsec or amateurish mistakes. We believe that challenging the status quo on Gamaredon and others that could fit the previous definition is beneficial as a whole. It will help organizations better understand the threats on which they must focus their resources. The fact remains that Gamaredon is a notoriously prolific group operating without any constraints on a globally impacting level.
Vitor Ventura Security Researcher, Cisco Talos
Vitor Ventura is a Cisco Talos security researcher. As a researcher, he has investigated and published various articles on emerging threats. Most days Vitor is hunting for threats, investigating them and reversing code, but also looking for the geopolitical and/or economic context that best suits them. Vitor has been a speaker at conferences such as NorthSec, Virus Bulletin, Recon Brussels, Defcon Crypto Village and BSides Lisbon and oPorto, among others. Prior to that he was IBM X-Force IRIS European manager, where he was lead responder for several high-profile organizations affected by the WannaCry and NotPetya infections, helping to determine the extent of the damage and to define the recovery path. Before that he did penetration testing at IBM X-Force Red, where Vitor led flagship projects like Connected Car assessments, Oil and Gas ICS security assessments and custom mobile devices, among other IoT security projects. Vitor holds multiple security-related certifications such as GREM (GIAC Reverse Engineering Malware) and CISM (Certified Information Security Manager).
This is a Q&A session.
Large corporations have access to, and use, incredibly sophisticated anti-fraud systems that monitor dozens of signals each time one of their customers or employees logs into their web portal. These signals include which browser is used, which plugins are installed, and even the language of the user’s software. Past investigations have shown that malicious actors use malware to build profiles of their victims, and create virtual environments that precisely replicate the victims’ computer fingerprints. These profiles can be loaded into specially crafted browser plugins and used in account takeover attacks. They are sold on private markets and can fetch hundreds of dollars when they also include the victims’ cookies and credentials for financial institutions. The aim of this presentation is to build on past research and to map, over a period of a month, all of the Canadian activities of a machine fingerprint market. Our analysis extends past research first by developing a new understanding of how, and which, Canadians are targeted by this type of attack. Secondly, it presents models that predict not only the price of profiles for sale – i.e., what makes a profile more valuable – but also which profiles will end up being sold among the thousands that are for sale. Through these analyses, we arrive at estimates for the Canadian market for profiles for sale, and propose hypotheses as to the size of the impact of these illicit activities on the Canadian economy. The market for fingerprinting victims is growing exponentially, and promises to be, along with ransomware, one of the biggest threats of the coming year. With more detailed knowledge about this problem, companies and individual victims will be better able to protect themselves against these attacks and limit the monetization of the criminal underground.
David Décary-Hétu Chief Research Officer, Flare Systems
David Hétu is a co-founder and the Chief Research Officer of Flare Systems. David holds a PhD in criminology from the Université de Montréal. His main research interests are online illicit markets and the impact of technology on crime, whether from the point of view of offenders or of legislators. David's research has been published in leading academic journals (e.g. British Medical Journal) and presented at top-tier conferences (Botconf, HOPE). He is regularly invited to share his analysis of cybercrime in the media. David developed the DATACRYPTO software tool to monitor offenders' activities on the darknet and co-developed the BitCluster software tool to track cryptocurrency transactions.
This is a Q&A session.
The KashmirBlack botnet mainly infects popular CMS platforms. It utilizes dozens of known vulnerabilities on its victims’ servers, performing millions of attacks per day on average, on thousands of victims in more than 30 different countries around the world.
Its well-designed infrastructure makes it easy to expand and add new exploits or payloads without much effort, and it uses sophisticated methods to camouflage itself, stay undetected, and protect its operation.
It has a complex operation managed by one C&C (Command and Control) server and uses more than 60 (mostly innocent surrogate) servers as part of its infrastructure. It handles hundreds of bots, each communicating with the C&C to receive new targets, perform brute force attacks, install backdoors, and expand the size of the botnet.
Takeaways:
- Security is only as strong as the weakest link.
- CMS platforms have the potential to be the weakest link in the security chain, because they are so modular, with thousands of plugins and themes. Owners are notorious for poor cyber hygiene, using old versions, unsupported plugins and weak passwords. It’s not that CMS platforms themselves are very vulnerable; it’s that they have the potential to be.
- A large-scale botnet doesn’t necessarily need an exotic exploit to expand; it can exploit old vulnerabilities to infect millions of victims. But in order to create a stable and long-term botnet, it needs a well-designed, agile infrastructure.
- The COVID pandemic has created more opportunities for hackers, as more businesses digitize their operations. Just as the world adjusts and more businesses go online, the community needs to adjust and educate for better security hygiene.
Ofir Shaty Security Researcher, Imperva
Security Researcher at Imperva for the last 3 years, and 2 years as a database security & compliance expert. Web application vulnerability research & analysis. Database security & web application security. Data & information security, compliance and regulations. Risk management, vulnerability assessments and scanning.
This is a Q&A session.
A deep dive into how four zero-day vulnerabilities in an educational management software product can lead to a wormable unauthenticated attack allowing an attacker to gain system-level privileges on every student computer on a network. This talk will cover the thought process and technical details of reverse engineering network traffic, creating custom Scapy layers, and the development of a single-click exploit.
Sam Quinn Security Researcher, McAfee
Sam Quinn is a Security Researcher on McAfee’s Advanced Threat Research team, focused on finding new vulnerabilities in both software and hardware. Sam has a focus on IoT and embedded devices with knowledge in the fields of reverse engineering and penetration testing.
This is a Q&A session.
The KashmirBlack botnet mainly infects popular CMS platforms. It utilizes dozens of known vulnerabilities on its victims’ servers, performing millions of attacks per day on average, on thousands of victims in more than 30 different countries around the world.
Its well-designed infrastructure makes it easy to expand and add new exploits or payloads without much effort, and it uses sophisticated methods to camouflage itself, stay undetected, and protect its operation.
It has a complex operation managed by one C&C (Command and Control) server and uses more than 60 (mostly innocent surrogate) servers as part of its infrastructure. It handles hundreds of bots, each communicating with the C&C to receive new targets, perform brute force attacks, install backdoors, and expand the size of the botnet.
Takeaways:
- Security is only as strong as the weakest link.
- CMS platforms have the potential to be the weakest link in the security chain, because they are so modular, with thousands of plugins and themes. Owners are notorious for poor cyber hygiene, using old versions, unsupported plugins and weak passwords. It’s not that CMS platforms themselves are very vulnerable; it’s that they have the potential to be.
- A large-scale botnet doesn’t necessarily need an exotic exploit to expand; it can exploit old vulnerabilities to infect millions of victims. But in order to create a stable and long-term botnet, it needs a well-designed, agile infrastructure.
- The COVID pandemic has created more opportunities for hackers, as more businesses digitize their operations. Just as the world adjusts and more businesses go online, the community needs to adjust and educate for better security hygiene.
Sarit Yerushalmi Security Researcher, Imperva
Security researcher at Imperva for the last 5 years in web application and cloud data security, and for 5 years as a security analyst. Analyses CVEs and threats in web applications and cloud environments. Develops algorithms to detect and protect against attacks.
This is a Q&A session.
More advanced device profiling deploys various techniques such as nmap scans, DNS inspection, DHCP inspection, SNMP checks, and OSI layer two protocols such as Cisco Discovery Protocol or Link Layer Discovery Protocol to identify the connecting device’s features. The mechanism explained in this paper is a manipulation, or spoofing, of DHCP packets to trick advanced device profiling into thinking the attacking device is a legitimate one. Essentially, we are masquerading an attacking device with crafted DHCP packets so that the device appears to the inspection engine as a legitimate device. A proof of concept has been developed that allows an attacker to define the DHCP payload to mimic the fingerprint of an arbitrary device. To the best of the author’s knowledge, no such or similar tool is publicly available. Also, this is the first paper to describe in depth a client-based DHCP attack which is neither a denial of service (server starvation) nor a rogue server.
Ivica Stipovic Information Security Consultant, Ward Solutions
Ivica works as an Information Security Consultant. He tries to understand the intricacies of security processes and find ways to undermine them. A network and system administrator in a previous life, he recently moved towards security research. Currently, a proud employee of Ward Solutions. His formal education encompasses a BSc in Computing and Telecom, an MSc in Computer Forensics and a Master's in Business Administration.
This is a Q&A session.
dRuby is a "distributed object system" for Ruby (think CORBA or Java's RMI). Included in the Ruby standard library and implemented in vanilla Ruby without native extensions, it provides a simple-to-use interface to interact with Ruby objects from other Ruby processes, locally or over a network. While dRuby makes it fairly easy to expose objects and their interfaces to other processes, including those running on separate systems, it leaves a lot to be desired in terms of its security. While its own API documentation warns coyly of its insecurity with a simple-to-understand example exploit written in Ruby, the actual implementation and protocol of dRuby are not documented at all, nor are the actual risks dRuby exposes. While dRuby is well known to be a readily exploitable service enabling remote code execution, the underlying protocol exposes a number of additional risks that enable not only alternate methods of compromising dRuby services, but also the means to compromise dRuby clients.
In this talk, we will open with the background of how we found dRuby being used by a popular remote debugging dependency. We will then shift to an overview and technical discussion of dRuby and its protocol as defined by its implementation, starting with some basic examples of how to use dRuby. Following this, we will walk through an analysis of the network protocol guided by the traffic generated from our examples, and discuss how the data is processed, including a high-level discussion of the dual client-server peer-to-peer model used in dRuby. As part of this, we will also discuss the implementation of dRuby's remote method call scheme, data serialization, and proxy objects, including the default object reference scheme and ID mapper.
Throughout our discussion of dRuby's API, internals, and wire protocol, we will bring attention to and discuss relevant risks and vulnerabilities — and how they make dRuby fundamentally unsafe — and demonstrate several novel proof-of-concept exploits targeting dRuby services and clients. We will also discuss some of the existing advice and documentation for "securing" dRuby and how it fails to guard against dRuby's inherent issues.
Following this, we will briefly discuss our efforts to harden dRuby; the kinds of protocol, logic, and API changes needed to negate its issues; and additional considerations that should be taken into account not to expose further security issues.
Lastly, we will swing back to offense — or rather at offense — and close our talk with a discussion on the insecurity of existing dRuby exploits, and show how you can penalize your pentesters for using off-the-shelf exploits. As part of this, we will demonstrate an emulated implementation of the dRuby wire protocol that can be used to securely exploit dRuby services, clients, and exploits.
Jeff Dileo Technical Director, NCC Group
Jeff is a security consultant by day, and sometimes by night. A Technical Director at NCC Group, he specializes in application security, and regularly assesses mobile device firmware applications, embedded platforms, web applications, and "privileged" code of all kinds. He has spoken publicly at conferences such as DEF CON, ToorCon, RECON, and CCC, covering a wide range of topics including Android and Java bytecode instrumentation, scriptable debugging, and, more recently, eBPF and unikernel security. A connoisseur of exotic candies and snacks, he enjoys starting arguments about text editors and window managers that he doesn't actually use. Jeff holds an MS in Computer Science from NYU Poly (Tandon).
This is a Q&A session.
dRuby is a "distributed object system" for Ruby (think CORBA or Java's RMI). Included in the Ruby standard library and implemented in vanilla Ruby without native extensions, it provides a simple-to-use interface to interact with Ruby objects from other Ruby processes, locally or over a network. While dRuby makes it fairly easy to expose objects and their interfaces to other processes, including those running on separate systems, it leaves a lot to be desired in terms of its security. While its own API documentation warns coyly of its insecurity with a simple-to-understand example exploit written in Ruby, the actual implementation and protocol of dRuby are not documented at all, nor are the actual risks dRuby exposes. While dRuby is well known to be a readily exploitable service enabling remote code execution, the underlying protocol exposes a number of additional risks that enable not only alternate methods of compromising dRuby services, but also the means to compromise dRuby clients.
In this talk, we will open with the background of how we found dRuby being used by a popular remote debugging dependency. We will then shift to an overview and technical discussion of dRuby and its protocol as defined by its implementation, starting with some basic examples of how to use dRuby. Following this, we will walk through an analysis of the network protocol guided by the traffic generated from our examples, and discuss how the data is processed, including a high-level discussion of the dual client-server peer-to-peer model used in dRuby. As part of this, we will also discuss the implementation of dRuby's remote method call scheme, data serialization, and proxy objects, including the default object reference scheme and ID mapper.
Throughout our discussion of dRuby's API, internals, and wire protocol, we will bring attention to and discuss relevant risks and vulnerabilities — and how they make dRuby fundamentally unsafe — and demonstrate several novel proof-of-concept exploits targeting dRuby services and clients. We will also discuss some of the existing advice and documentation for "securing" dRuby and how it fails to guard against dRuby's inherent issues.
Following this, we will briefly discuss our efforts to harden dRuby; the kinds of protocol, logic, and API changes needed to negate its issues; and additional considerations that should be taken into account not to expose further security issues.
Lastly, we will swing back to offense — or rather at offense — and close our talk with a discussion on the insecurity of existing dRuby exploits, and show how you can penalize your pentesters for using off-the-shelf exploits. As part of this, we will demonstrate an emulated implementation of the dRuby wire protocol that can be used to securely exploit dRuby services, clients, and exploits.
Addison Amiri Security Consultant, Shibuya Industries
Addison Amiri got his start in security in the mid-2000’s when he read about how easy it was to break WEP. From there, he’s meandered the world of security, through academia and industry, eventually entering the world of professional security consulting. Along the way, he’s had the opportunity to be simultaneously amazed at how well computers work and terrified that our lives now rely on them. These days he’s traveling the world and making the most of the cyberpunk dystopia.
This is a Q&A session.
Our research confirms that Canada is falling behind when it comes to the use of transparent and clear CVD frameworks in comparison to jurisdictions across the globe. Numerous federal laws, including criminal and copyright legislation, may also have a chilling effect on security research in Canada, with deficient whistleblowing protection laws that could otherwise protect people who disclose security vulnerabilities. Our work identifies the need for increased transparency and explicit regulation in Canada’s current approach to vulnerability disclosure at the federal level.
Yuan Stevens Policy Lead on Technology, Cybersecurity and Democracy; Research Affiliate, Ryerson Leadership Lab and Cybersecure Policy Exchange at Ryerson University; Data & Society Research Institute
Yuan (rhymes with Suzanne) Stevens works at the intersections of law, policy, and technology with a focus on privacy and cybersecurity. She holds the position of Policy Lead on Technology, Cybersecurity and Democracy at the action-oriented think tank Ryerson Leadership Lab at Ryerson University. Her work equips society with the ability to understand and patch up harmful vulnerabilities in sociotechnical and legal systems. Based in Montréal, she is a research fellow at McGill University’s Centre for Media, Technology & Democracy and research affiliate at Data & Society Research Institute. She received her BCL/JD from McGill University in 2017. She serves on the board of directors for Open Privacy Research Institute, Head & Hands in Montréal, and previously worked at the Berkman Klein Center for Internet & Society at Harvard University.
This is a Q&A session.
Stephanie Tran Policy and Research Assistant, Ryerson Leadership Lab
Stephanie is a Policy and Research Assistant at the Cybersecure Policy Exchange and Ryerson Leadership Lab. She is an experienced researcher with over five years of experience analyzing public policy and human rights issues related to digital technologies, with past experience working for the Citizen Lab, Amnesty International Canada, the United Nations Office for the Coordination of Humanitarian Affairs (UN OCHA) and more. She is a trained computer programmer, having earned a Diploma in Computer Programming from Seneca College. She also holds a dual degree Master of Public Policy (Digital, New Technology and Public Affairs Policy stream) from Sciences Po in Paris, and a Master of Global Affairs from the University of Toronto. She earned her BA degree from the University of Toronto specializing in Peace, Conflict and Justice.
This is a Q&A session.
Routers are considered easy to hack, and that's kind of true. But is an enterprise firewall that much harder to hack than a home router? Think twice before answering!
The purpose of this talk is to demonstrate the similarities in inner workings, technology, hardware and vulnerability density between every piece of network equipment, be it for home or enterprise.
We will walk through specific examples of vulnerabilities found in this equipment, past and present. We will identify vulnerability patterns and discuss why they keep occurring and what circumstances led to them appearing in the first place.
Finally, we will discuss future trends for vulnerabilities in network equipment. And because it can't all be negative, we will also discuss how the constant hardening of these devices will make exploitation much harder (but far from impossible :) in the future.
Pedro Ribeiro Founder & Director of Research, Agile Information Security
Pedro started working in security by doing ISO27001 audits. After almost dying of boredom, he jumped into penetration testing, reverse engineering and vulnerability research, focusing on embedded systems and enterprise software.
He is the Founder & Director of Research at Agile Information Security, a boutique security consultancy that focuses on providing hardcore technical cyber security solutions to its clients.
In his spare time Pedro hacks hardware and software and has made public dozens of remote code execution vulnerabilities resulting in 140+ CVEs, and has authored 60+ Metasploit exploits. He regularly participates in Pwn2Own as part of "Flashback Team", winning Pwn2Own Tokyo 2020 outright with his teammate Radek Domanski.
This is a Q&A session.
Rayna Stamboliyska focuses on EU cyber diplomacy and resilience including issues related to cybersecurity, strategic autonomy and data protection. An award-winning author for her most recent book "La face cachée d'Internet" ("The dark side of the Internet", Larousse 2017), Rayna is also an IoT hacker and a staunch proponent of open source, data and science. Rayna has served in various Directorship and security-related foreign policy positions: she has consulted for international organisations, private companies, governments and non-profits, interfacing with public sector actors and guiding them through innovative policy-making processes. Energetic and passionate, Rayna has grown to become a recognised information security speaker committed to educating those outside of the industry on security threats and best practices. A longtime diversity advocate, she is Council Member of Women4Cyber Europe.
Currently, Rayna is the VP Governance and Public Affairs at YesWeHack, a global bug bounty and coordinated disclosure leader. She also manages the EU-funded SPARTA research and innovation project, which is a pilot for the EU Cyber Competences Network. She teaches at Sciences Po Paris and writes up the cybersecurity expert column "50 shades of Internet" at ZDNet.fr.
Octavia Hexe is a security specialist at Ubisoft and a member of Cognitive Security Collaborative. In 2020, Cognitive Security Collaborative set up the CTI League's disinformation team, and continues to work with groups around the world to bootstrap communities of disinformation responders.
Her work involves security consulting, adversary emulation, and malware development. At Cognitive Security Collaborative she researches influence operation TTPs and develops mitigation strategies for the AMITT framework, performs red team exercises, and develops trainings.
This is a Q&A session.
Last year we introduced our work seeding communities and training them on the practical application of AMITT, as well as the framework's integration into free, open-source threat intelligence tools.
This year, the Cognitive Security Collaborative introduces major updates to the AMITT framework which now includes a complementary set of countermeasures to be used against adversarial influence operations.
In this talk we address some of the major disinformation events of 2020 relating to COVID-19 and the 2020 US Presidential election. Additionally, we explore the practical application of AMITT countermeasures.
Sara-Jayne Terp CEO, Bodacea Light Industries
Sara-Jayne “SJ” Terp is a data nerd with a long history of working on the hardest data problems she can find. Her background includes designing unmanned vehicle systems, transport, intelligence and disaster data systems with an emphasis on how humans and autonomous systems work together; developing crowdsourced advocacy tools, managing innovations, teaching data science to Columbia’s international development students, designing probabilistic network algorithms, working as a pyrotechnician, and CTO of the UN’s big data team. Her current interests are focused on misinformation mechanisms and counters; she founded Bodacea Light Industries to focus on this, worked with the Global Disinformation Index to create an independent disinformation rating system, and runs a Credibility Coalition working group on the application of information security principles to misinformation. SJ holds degrees in artificial intelligence and pattern analysis and neural networks.
This is a Q&A session.
This talk will be about a research project that focuses on the malicious use of social media, specifically Twitter, during the 2019 Canadian Federal Election Campaign. Social bots have often been used in the past to manipulate public discourse through disinformation campaigns aimed at political interference. A mixed methodological approach combining descriptive analyses (quantitative) with interviews (qualitative) is used to draw a portrait of the role of social bots during this electoral campaign. A digital analysis tool called Botometer is used to find social bots within a database initially collected in 2019 by Commissionaires du Québec. This tool makes it possible to identify social bots and rate them with a score from 0 (not a social bot) to 5 (most likely a social bot), which is then analyzed to determine how they inserted themselves into the political discussion during the period under study. The interviews conducted with experts in the field aim to deepen and give meaning to the results obtained previously. The results of the study show that several social bots did not publish content in English (52% of those with a rating of 5), the tweets analyzed are mainly retweets (87% of the sample), thousands of users have been suspended since the last year, and the hashtags used promoted the election of Liberal Justin Trudeau to the detriment of Conservative Andrew Scheer. Additionally, the overall content is divided between positive and negative sentiment, with a slight prevalence of positive content (51.01% vs. 48.99%). This talk's primary goal is to give the audience a better understanding of the research field on this very new and critical geopolitical issue that happens to manifest in cyberspace. It also aims to share, with anyone interested, an established methodological approach tested with a Canadian case study.
Marie-Pier Villeneuve-Dubuc , Commissionnaires du Québec - Cybersecurity department (VYGL)
Marie-Pier Villeneuve-Dubuc is a student with a bachelor's degree in criminology from Université de Montréal. She is an intern at Commissionnaires du Québec in their cybersecurity department (VYGL). Marie-Pier also works with other cybersecurity organizations such as SERENE-RISC to help share knowledge about cybercrime and cybersecurity. Through her studies, she has completed various research projects on cybercrime, the dark web, and, recently, geopolitical issues such as political interference in cyberspace. She intends to do a master's degree focusing primarily on cybercrime and its international dimensions.
This is a Q&A session.
Lex Gill is a lawyer at a groundbreaking Montreal firm known for class actions and public interest litigation in areas like human rights, environmental law, and corporate accountability. She is also an affiliate at the Citizen Lab, where she supports the organization’s work on issues like freedom of expression, equality, and surveillance. Lex teaches part-time at McGill University’s Faculty of Law, and has worked for organizations that include the Supreme Court of Canada (as clerk to the Chief Justice), the Canadian Civil Liberties Association, and the Canadian Internet Policy and Public Interest Clinic.
Workshops are first-come, first-served and have a participant limit. Tickets will be distributed (for free) via Eventbrite starting on May 11, 2021.
In this intro to fuzzing we will discuss all the parts of a successful fuzzing campaign and why it is needed, look at various fuzzers, and set up the environment.
We will then move on to AFL, starting with its installation. We will also take a quick look at the key components of the AFL status screen: process timing, stages, findings, yields, path geometry and stability. We have created several vulnerable binaries with which we will demonstrate overflows using AFL, analyzing the targets as well as the crashes and hangs that AFL generates.
After that we will move on to smart fuzzing, where we will integrate ASAN with AFL. Before that, we will give a brief overview of ASAN and MSAN and how instrumenting a binary at compile time lets them detect runtime bugs.
At the end we will give students small exercises to get hands-on with what they have learned so far and to clear up their doubts. We will wrap up the workshop by discussing how they can leverage this knowledge in bug bounty programs, and then showcase multiple bugs we found during our research.
Dhiraj Mishra Senior Security Consultant, Cognosec DMCC
An active speaker who has discovered multiple zero-days in modern web browsers and an open-source contributor. He is a trainer at BlackHat and has presented at conferences such as Ekoparty, Hacktivity, PHDays & HITB. In his free time, he blogs at www.inputzero.io and tweets as @RandomDhiraj.
Workshops are first-come, first-served and have a participant limit. Tickets will be distributed (for free) via Eventbrite starting on May 11, 2021.
In this lab, we will discuss how code can be represented in a graphical format, which can then be queried interactively to find security bugs in code. We will then use the open-source project Joern (Open-Source Code Querying Engine for C/C++) to build a DIY SAST tool. Joern has been used extensively to hunt bugs in the Linux kernel, Cisco DCNM, and the recent Amnesia:33 set of bugs found by Forescout. It exposes a very easy-to-use Scala API for building custom tools around it, hence the choice!
We will begin by introducing common vulnerabilities and how to create a mental model to identify them when investigating code and binaries. We will explore a sample program's control and data flow and see potential cases of security bugs that can be modeled and discovered using a graph representation of the source code.
The interactive portion of the lab includes an in-depth walk-through of the data and control flow of a sample program along with instruction on using the Joern framework to uncover potential vulnerabilities in that code. Lab attendees will use Joern to uncover bugs and create new build rules and scripts for future bug hunting. We will eventually create a complete custom static code analyzer for a sample use-case and see it in action.
Lab Outline
Goals
As they finish the workshop, the attendees,
Intermediate developers/application security professionals with a basic understanding of programs and compilers (a quick refresher on programming language structures, explaining the various graphical representations of code and how they fit together, will be provided before the actual hands-on sessions commence).
Participants should install Joern (https://docs.joern.io/home/) in advance if possible.
Suchakra Sharma Staff Scientist, ShiftLeft Inc.
Suchakra Sharma is Staff Scientist at ShiftLeft Inc. where he builds code analysis tools and hunts security bugs. He completed his Ph.D. in Computer Engineering from Polytechnique Montréal where he worked on eBPF technology and hardware-assisted tracing techniques for OS analysis. As part of his research, he also developed one of the first hardware-trace-based virtual machine analysis techniques. He has delivered talks and trainings at venues such as RSA, USENIX LISA, SCALE, Papers We Love, Tracing Summit, etc. When not playing with computers, he hikes and writes poems.
Workshops are first-come, first-served and have a participant limit. Tickets will be distributed (for free) via Eventbrite starting on May 11, 2021.
Vickie Li Developer Evangelist, ShiftLeft
Vickie Li is the resident developer evangelist at ShiftLeft. She is an experienced web developer with an avid interest in security research. She can be found on https://vickieli.dev, where she blogs about security news, techniques, and her latest bug bounty findings. She also hosts “Security Simplified”, a developer education series focusing on web security: https://www.youtube.com/c/vickielidev.
Workshops are first-come, first-served and have a participant limit. Tickets will be distributed (for free) via Eventbrite starting on May 11, 2021.
Emulate adversaries with the Atomic Red Team library of scripted cyber attacks. These scripted attacks, called atomic tests, will help you better understand the attack techniques defined in the MITRE ATT&CK framework and can be used to build and validate your defenses. Join Carrie and Darin Roberts for a one-hour introduction to Atomic Red Team followed by two hours of access to hands-on labs where you will be able to execute atomic tests.
For the labs, all attendees will be provided with a virtual machine in the cloud so you'll just need to be able to make a remote desktop connection to an IP address on the internet.
Participants must be able to RDP (remote desktop) to a provided public IP address in order to complete the hands-on lab exercises.
Carrie Roberts Dynamic Defense Engineer,
Carrie Roberts is a web application developer, turned pentester, turned red teamer, turned blue. She loves to learn and give back to the community. She is currently one of the primary Atomic Red Team project maintainers and developers and has developed many of her own open source tools including the Domain Password Audit Tool (DPAT) and Slack Extract. She holds Master's degrees in both Computer Science and Information Security Engineering. She has earned 12 GIAC certifications including the prestigious “Security Expert” (GSE) certification. She has spoken at numerous security conferences including DerbyCon and Wild West Hackin’ Fest, published many blog posts on topics ranging from social engineering to bypassing anti-virus, and contributed new research on the VBA Stomping maldoc technique.
Workshops are first-come, first-served and have a participant limit. Tickets will be distributed (for free) via Eventbrite starting on May 11, 2021.
The objective of this workshop is to dive into Capture-The-Flag (CTF) competitions: first, by introducing participants to the basic concepts; then, by helping them prepare for the upcoming NorthSec CTF; and, finally, by helping them evolve in their practice of applied cybersecurity.
We will have easy and medium CTF challenges in several categories (binaries, Web, exploitation, forensics) and we will give hints and solutions during the workshop.
This is meant to be for CTF first-timers. Seasoned players should play NorthSec's official CTF.
Requirements
a Linux VM
Olivier Bilodeau Cybersecurity Research Lead, GoSecure
Olivier Bilodeau is leading the Cybersecurity Research team at GoSecure. With more than 10 years of infosec experience, he enjoys attracting embedded Linux malware, writing tools for malware research, reverse-engineering all-the-things and vulnerability research. Passionate communicator, Olivier has spoken at several conferences like BlackHat USA/Europe, Defcon, Botconf, SecTor, Derbycon, HackFest and many more. Invested in his community, he co-organizes MontréHack, a monthly workshop focused on applied information security, and NorthSec, Montreal's community conference and Capture-The-Flag.
Workshops are first-come, first-served and have a participant limit. Tickets will be distributed (for free) via Eventbrite starting on May 11, 2021.
This workshop is best suited for intermediate to advanced reverse engineers/researchers. Basically, you need to be at ease in a Unix environment and be able to read and write small programs.
Before the workshop, it is recommended to (1) download and install Android Studio, and (2) set up an x86_64 Android emulator without Google Play.
Other software will be installed during the workshop.
Axelle Apvrille Principal Security Researcher, Fortinet
Axelle is Principal Security Researcher at Fortinet. She has been working there for over 10 years on mobile malware and IoT malware. She is also the lead organizer of Ph0wn CTF, a CTF dedicated to smart objects, which takes place on the French Riviera. In a previous life, Axelle worked on cryptography (implementation) and security protocols.
This is a Q&A session.
Workshops are first-come, first-served and have a participant limit. Tickets will be distributed (for free) via Eventbrite starting on May 11, 2021.
Are you starting to use Kubernetes for container orchestration? Do you need guidelines on how to start securing Kubernetes in your organization? Do you want to find a way to increase the protection of your Kubernetes clusters without increasing the complexity of the infrastructure? Do you need to use Kubernetes clusters in a safe, efficient and affordable way? Everything in a practical way with a focus on security best practices? Then this is the workshop for you!
Create an AWS account and set up a Cloud9 instance.
Magno Logan Information Security Specialist and Senior Threat Researcher, Trend Micro
Magno Logan works as an Information Security Specialist for Trend Micro Cloud and Container Security Research Team. He specializes in Cloud, Container and Application Security Research, Threat Modelling, Red Teaming, DevSecOps, and Kubernetes Security, among other topics. He has been tapped as a resource speaker for numerous security conferences around the globe including Canada, USA, Portugal and Brazil. He is also the founder of JampaSec and a member of the CNCF SIG-Security team.