Track 2 - Room A1
Thursday, April 26

11:00 ADT

Static-Analysis Tools: Now you’re playing with power
You are performing penetration testing on Web applications. Do you systematically perform code reviews when you have source code access? Code review is an exercise that can prove to be an important ally. However, code review can be difficult: thousands or even millions of lines of code will be targeted. How do you prioritize and perform an effective assessment? With tools and automation, of course! This presentation gives an overview of static analysis tools and presents a basic methodology. Demonstrations with the FindSecBugs (Java/JVM), Brakeman (Ruby) and Bandit (Python) tools are to be expected.


Philippe Arteau

Security Researcher, GoSecure
Philippe is a security researcher working for GoSecure. His research is focused on Web application security. His past work experience includes pentesting, secure code review and software development. He is the author of the widely-used Java static analysis tool Find Security Bugs...

Thursday April 26, 2018 11:00 - 11:45 ADT
Track 2 - Room A1

13:00 ADT

Hijacking the Boot Process - Ransomware Style
Have you ever wondered how a boot process works? How a computer detects which operating system it needs to load? Or what the impact is if that single sector on your hard disk is compromised?

In this presentation, we are going to look into how Petya, a ransomware, can overwrite an MBR (Master Boot Record), on both MBR- and GPT-style disks, with its malicious code. Then, we are going to follow the code in the MBR and show how a simple malicious kernel code can take control of the boot process until you pay the ransom. I will show a demo on how to debug the MBR to see how the actual native code executes without any API.

We are also going to see how we can use a combination of different tools to figure out how a ransomware can infect the very first sector of a hard disk: tools such as Disk Management, DISKPART, WinObj, Process Monitor, and HDHacker, and of course x64dbg and OllyDbg for debugging the ransomware at the application level. And finally, we are going to see how to use the Bochs debugger to analyze the malware while it runs its own kernel code.


Raul Alvarez

Senior Security Researcher/Team Lead, Fortinet
I am a Senior Security Researcher/Team Lead at Fortinet. I am a Lead Trainer responsible for training the junior AV/IPS analysts in malware analysis and reverse engineering. I have presented in different conferences like BSidesVancouver, BSidesCapeBreton, OAS-First, BSidesOttawa...

Thursday April 26, 2018 13:00 - 13:45 ADT
Track 2 - Room A1

14:00 ADT

Enlisting Users in the Fight Against Phishing Attacks
Nearly every cyberattack starts with a phish, and attackers are getting better and better at disguising these emails. Whether they’re a form of CEO fraud, ransomware, or spearphishing with targeted malware, phishing attacks continue to be very successful. There are technology approaches you can take to combat phishing attacks, yet they are only part of the solution. Educating and testing your users on phishes has become a common way to help your employees spot attacks. While these simulated phishes are great for testing your users, the ultimate test comes when a real phish lands in their inbox. To help users through this, we recommend having them report suspicious emails to your IT team. What can you do with those messages? How can you use this channel to make your organization more secure? How can you reinforce the users’ positive behavior?

This hands-on tech lab will help you better understand the ways common phishing attacks work, the best ways to conduct an analysis of these attacks and the steps to take to get your people, processes and technologies working together to protect your organization.

What attendees will learn:
- How CEO fraud, ransomware and spearphishing with targeted malware phishing attacks work
- Analysis of the attacker and the phishing attacks to know who they are from, who the victims are and the extent of the damage
- How to drill down on the technology indicators within the attack, what these indicators look like and what to do with them
- Actions to take based on your analysis, including policy changes, response plans and user education
- The best ways to enlist users in your phishing defense to help limit the damage


Todd O'Boyle

CTO, Strongarm
Todd O’Boyle is CTO and a co-founder at Strongarm. Prior to Strongarm, Todd spent 15 years at The MITRE Corporation, providing technical support to the Department of Defense and the Intelligence Community. He also served as principal investigator for a project developing methods...

Thursday April 26, 2018 14:00 - 14:45 ADT
Track 2 - Room A1

15:00 ADT

Supply Chain Attack Through CCleaner - Evidence Aurora Operation Still Active
Last September, hackers broke into as many as 2.27 million accounts of a computer cleaning program while targeting telecom equipment companies in the United States, Japan, South Korea and Taiwan.

When Avast, which owns the program, looked at the computer logs, it found just 23 compromised computers at eight different companies. The hackers' program was specifically looking for companies on a list of telecom equipment manufacturers and a few telecommunication companies, attacking many but only infecting a portion.

Avast’s CCleaner software had a backdoor encoded into it by someone who had access to the supply chain; the main executable in v5.33.6162 had been modified.

Our analysis of the attack showed a strong code connection: a unique implementation of base64 previously seen only in APT17, making a strong case for attribution to the same threat actor. APT17, also known as Operation Aurora, is one of the most sophisticated cyber attacks ever conducted, specializing in supply chain attacks.

Our investigation led us to the conclusion that, given its complexity and quality, the CCleaner attack was most likely state-sponsored, and most probably the work of the Axiom group, due to both the nature of the attack itself and the specific code reuse throughout. In this talk we will demonstrate the techniques used to analyze the code that led to those interesting findings. We will describe the attack process and technical flow in detail.

The findings and methods we will discuss have been previously published in two different blog posts and received extensive coverage in the media as well as the DFIR and infosec community.


Itai Tevet

CEO, Intezer
Itai possesses a combination of in-depth technical expertise and leadership experience in mitigating state-level cyber threats. He previously served as the head of IDF CERT, the Israeli Defense Force’s Cyber Incident Response team, where he led an elite group of cyber security professionals...

Thursday April 26, 2018 15:00 - 15:45 ADT
Track 2 - Room A1

16:00 ADT

AI, Deep Learning, Cognitive Security, Machine Learning: The Value Beneath the Hype
You’ve heard all the buzzwords (AI, Deep Learning, Cognitive Security, Machine Learning) and you have been inundated with security companies spewing marketing claims that these technologies will solve all your security problems. However, how do you effectively test the efficacy of these technologies? How can you be sure that they are helping reduce risk in your environment, and what is the cost of using these types of technologies within your defense strategy?

Join Michael A. Davis, CTO of CounterTack and author of Hacking Exposed: Malware and Rootkits, to learn how to set up your vendor technology evaluations, properly identify and run real-world malware and attack scenarios, learn how to fool “Artificial Intelligence” and “Machine Learning” technologies using adversarial techniques, and ultimately walk away with a better understanding of the real value beneath the hype.


Michael A. Davis

Chief Technology Officer, CounterTack
Michael A. Davis serves as CTO of CounterTack. He chose CounterTack because he recognized that the battle is moving to the endpoint, and that conventional IT security technologies can’t protect enterprises. Rather, he saw a need to deliver to the community continuous attack monitoring...

Thursday April 26, 2018 16:00 - 16:45 ADT
Track 2 - Room A1

Friday, April 27

09:15 ADT

My Adventures In Pentesting Self-Education, On A Shoestring Budget
It started with a simple self-challenge: at least 30 minutes a day working on computer security and/or pentesting for the entire month of October….
Join me on a dive into the challenges and opportunities encountered while learning pentesting skills, including overviews of useful toolsets and interesting resources, wrapping up with suggestions for fellow self-starters.


Matthew Middleton

QA Lead, Mysa Smart Thermostats
Matt is a QA Lead for Mysa Smart Thermostats, and has been a black box software tester for a decade, helping developers catch their bugs before they get out into the wild. He’s primarily been influenced by James Bach, Michael Bolton, and Cem Kaner, and subscribes to the Context-Driven...

Friday April 27, 2018 09:15 - 10:00 ADT
Track 2 - Room A1

10:15 ADT

New Crypto AEAD!
Cryptography is growing fast, and new ‘stronger’ algorithms are competing their way up for standardization. More specifically, the Competition for Authenticated Encryption: Security, Applicability, and Robustness (CAESAR) is currently sorting out the next true candidates for symmetric encryption. This talk starts with a quick look at common AES implementation failures that highlight the gap between “Encryption” and the need for “Authenticated Encryption”. Then, a deep dive into one of the most popular AEAD algorithms in use today will raise some legitimate questions about its longevity. Finally, a selection of new algorithms submitted to the CAESAR competition will be presented in detail. In light of this talk, the participant should understand the need for AEAD, what it has to offer and what the next-generation candidates are.


Martin Lemay

Information Security Analyst - Penetration Tester, GoSecure
Martin Lemay is a certified penetration tester for GoSecure Inc. and has performed engagements in all industry sectors from banking, financial and insurance to energy, healthcare, airlines and telcos. He contributes to various open source projects including the most advanced password...

Friday April 27, 2018 10:15 - 11:00 ADT
Track 2 - Room A1

11:15 ADT

The Story of Escape Sequence Vulnerabilities
Escape sequences (or control sequences) are sets of characters that change the behavior of the terminal and allow interacting with it. Basic escape sequences are frequently used for formatting output, e.g. for changing text color. Some sequences served purposes in physical terminals but remain in use in modern terminal emulators.

Historically, there were many dangerous and easy ways to exploit popular terminals by abusing escape sequences. Some of these techniques relied on sequences that are now obsolete. Weaknesses relating to escape sequences are still being found to this day in modern terminals.

In my talk I will explore related past vulnerabilities and recent ones. I will examine vulnerabilities where terminal programs failed to sanitize bad content, and give examples of how they may have been exploited.

I plan to discuss my own research in finding such vulnerabilities, including the details of my work on Busybox that led to CVE-2017-16544. Finally, I'll do a short demonstration on how attackers can hide malicious code from developers using git, with only a simple escape sequence.
Busybox research details:

Hiding content from git:


Ariel Z

Security Research Team Lead, Palo Alto Networks
Ariel is a security researcher and the head of research at Twistlock, dealing with hacking and securing anything related to containers.

Friday April 27, 2018 11:15 - 12:00 ADT
Track 2 - Room A1

13:00 ADT

Who Watches the Watcher? Detecting Hypervisor Introspection from Unprivileged Guests
Over the last decade we have seen a rapid rise in virtualization-based tools in which a hypervisor is used to gain insight into the runtime execution of a system. With these advances in introspection techniques, it is no longer a question of whether a hypervisor can be used to peek inside or even manipulate the VMs it executes. Thus, how can we trust that a hypervisor deployed by a cloud provider will respect the privacy of their customers?

While there are hardware-based protection mechanisms with the goal of guaranteeing data privacy even in the presence of such an "introspecting" hypervisor, there are currently no tools that can check whether the hypervisor is introspecting when it shouldn't.

We have developed a software package that analyzes instructions and memory accesses on an unprivileged guest system which has been deployed onto a hypervisor to determine the potential presence (or lack) of introspection. These techniques are developed to examine properties of modern x86 systems, such as cache-based memory access timing and privileged instruction benchmarking to examine the behavior of the hypervisor. Moreover, we have developed timing methods such as thread racing to determine whether a hypervisor is monitoring regions of memory or hooking instructions.


Tomasz Tuzel

Security Researcher, Assured Information Security Inc.
Tomasz has been a security researcher for over six years, having spent the first five at the Department of Defense, followed by Assured Information Security, Inc. He has primarily specialized in low-level security research.

Friday April 27, 2018 13:00 - 13:45 ADT
Track 2 - Room A1

14:00 ADT

Top 10 ways to secure Microservices
In this session, I will talk about the top 10 ways to design and build secure Microservices to protect your users and your reputation. This top 10 list includes:
1. Use the latest version of TLS
2. Designing a secure infrastructure and network, whether on prem or in the cloud
3. Best practices in authentication to authenticate your clients or end users
4. Authorization of your end users or clients so they get just the right access based on least privilege and need to know
5. Protecting your APIs against Distributed Denial of Service by using patterns such as rate limiting, throttling, daily limits, etc.
6. Alerting and monitoring your APIs to detect abnormal patterns and security issues
7. API resiliency, which directly affects the availability of your Microservices
8. Encrypting and hashing sensitive data, at rest and/or in transit: in memory, in cache, in the database, in transit and in the UI
9. Key management security
10. Session management best practices


Chintan Jain

SVP, Security Engineering & Architecture, Security Mantra Corporation
Chintan Jain is an accomplished cyber security visionary, technology and thought leader with more than 15 years of rich full cycle experience in Cyber Security Engineering & Architecture mainly in the areas of Identity & Access Management, Application, Infrastructure and Cloud Security...

Friday April 27, 2018 14:00 - 14:45 ADT
Track 2 - Room A1

15:00 ADT

1, 2, 3, 4: I Declare Cyber War
A recent cyber-security incident in Nova Scotia has made national news.

When can you have a reasonable belief that public data is, in fact, public? A teenager was charged criminally after being accused of stealing confidential documents from a public-facing provincial Freedom of Information server. The problem is, it was only discovered because a provincial staffer made a typo in a URL.

This case is likely to have chilling effects on cyber-security research in the province if the accused is found guilty. Covered will be what happened and how, the government's response, and the nuance of "an open door" on the internet.

Could this have been an act of cyber-terrorism? Was it simply a misunderstanding? As the incident will be replicated live, you'll be able to come to your own conclusions.


Evan d'Entremont

Software Engineer
Evan d’Entremont is a Halifax-based software engineer and long-time HASKer who spends his time solving complex problems. His background includes web application development and modernizing legacy applications. He currently specializes in IIoT communications and security.

Friday April 27, 2018 15:00 - 15:45 ADT
Track 2 - Room A1