SecTor 2013 Registration is Live!
Registration for our 2013 show is live. Standard rate is now in effect. Register now, tickets are limited!
2013 Call for Speakers OPEN!
The first round Call for Speakers is now OPEN! Submit your talk now for early consideration.
2012 Videos Posted!
The Sessions for SecTor 2012 are now available for viewing.
SecTor Management and the Advisory Committee are bringing to Toronto the world's best speakers in the field of IT Security. In preparation for our 2013 conference, we are currently undertaking a Call for Speakers.
SecTor has been built on providing attendees current, real-world knowledge on the latest attacks and defences required to secure your networks. Be sure to receive our SecTor Newsletter updates so you'll know who's coming to SecTor this year and new events to be announced.
Gene Kim has been studying high-performing IT organizations since 1999. He is the author of the highly acclaimed "Visible Ops Handbook," "The Phoenix Project: A Novel About IT, DevOps, and Helping Your Business Win," and founder of Tripwire, Inc.
He will be presenting his findings from an ongoing study of how high-performing IT organizations simultaneously deliver stellar service levels and a fast flow of new features into the production environment. Successfully delivering against what on the surface appear to be conflicting objectives (preserving service levels while introducing significant amounts of change into production) requires a highly coordinated collection of teams in which Development, QA, IT Operations, Product Management and Information Security genuinely work together to meet business objectives.
Gene will describe what successful transformations look like, and how those transformations were achieved from a software development and service operations perspective. He will draw upon fourteen years of research of high-performing IT organizations, as well as work he's done since 2008 to help some of the largest Internet companies increase feature flow and production stability through applications of DevOps principles.
Return of the Half Schwartz FAIL Panel w/Tales from beyond the echo chamber
- James Arlen, Dave Lewis, Mike Rothman and Ben Sapiro
The ugly bastard child of FAIL Panel, in its 2nd year running: a discussion of malware letters received in our mailbag and other general observations on infosec. We'll disagree, agree, talk over each other, ramble until cut off, throw things and generally entertain you. Vendor and FUD free since we last remembered to wear underwear.
Watching the watchers: hacking wireless IP security cameras - Artem Harutyunyan and Sergey Shekyan
Low-cost commodity IP surveillance cameras are becoming increasingly popular among households and small businesses. As of April 2013 Shodan (www.shodanhq.com) shows close to 100,000 cameras active all over the world. Despite the fact that there are many models by different vendors, most of them are actually based on identical hardware and firmware. Moreover, other devices (such as Internet TV boxes) use similar firmware.
Interestingly enough, those cameras place little or no emphasis on security. In particular, the web-based administration interfaces are a textbook example of an insecure web application. This easily leads to exposure not only of sensitive personal information (such as wireless network, FTP, and even email access credentials), but also of an eye inside the victim's house. The video stream can also be replaced with an external stream or a still picture.
Our contribution will cover how those cameras work, as well as how to gain control over a camera in the wild. Furthermore, we will present an analysis of the security malpractices that make it possible to harvest sensitive data stored on the camera, as well as to use a camera as an attack platform inside the victim's private network. The presentation will conclude with the introduction of a toolkit for extracting, altering and repackaging the original components of the camera, and a live demo during which we will show how a camera (set up following the vendor's recommendations and tutorials) can be compromised. Last but not least, we will share recommendations on how the setup of the camera can be made less insecure.
Since 2004, while many were complaining about security awareness training being inadequate, we tried to do something about it. Ten years of meta research and analysis has led to some groundbreaking and truly great security awareness instruction. And anyone can do it. It turns out that effective security awareness is about exactly what you teach as much as how you teach it. Through the heavy use of example, this presentation will take you behind the scenes into that research and how to make truly effective security awareness training. After the hour is up, you will have solid information on how to solve the problem of making employees give a damn about security and bridge the gap between people and technology security measures.
Running at 99%, mitigating a layer 7 DoS - Ryan Huber
Application-level Denial of Service (DoS) attacks are a threat to every website. They are simple to execute but by nature difficult to defend against. I like to refer to it as a 'malicious load test'. Modern websites have many layers of moving parts, and a malicious actor need only find the point at which one of these is overwhelmed to bring your infrastructure to a halt. Some approach this problem by increasing capacity, perhaps leveraging the cloud to expand horizontally. This can be a successful mitigation strategy, but a real-time broad view of who is accessing your website (and why) gives you the chance to actively defend as opposed to simply absorbing the traffic. Trending this data over time lets your response time decrease while keeping your door open. In this talk, I will cite examples, successes and lessons learned, and present a new open source project (FLAKjacket, written in a combination of Node.js and Python) that can be used as a defense framework for blocking these attacks.
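The "who is hitting which endpoint, and how hard" view the abstract describes can be sketched as a weighted sliding-window budget per client run over ordinary access-log lines. The following is an added example written for this page; it is not FLAKjacket and not the presenter's code. The log lines are constructed, and the per-endpoint cost table (`ENDPOINT_COST`) and the window/budget values are hypothetical tuning knobs, chosen so that a small burst against an expensive endpoint trips the budget while a faster but cheap fetch of static files does not.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Combined Log Format: client, ident, user, [timestamp], "request", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Assumed relative backend cost per endpoint (hypothetical values; derive yours
# from measured response times). Unlisted paths cost 1.
ENDPOINT_COST = {"/search": 5, "/login": 3}

# Constructed sample traffic, not a real capture: a browsing user, a fast but
# cheap image fetcher, and one client hammering the expensive /search endpoint.
SAMPLE_LOG = """\
198.51.100.20 - - [10/Oct/2013:13:55:00 +0000] "GET / HTTP/1.1" 200 8231 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Oct/2013:13:55:20 +0000] "GET /about HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2013:13:55:30 +0000] "GET /search?q=a HTTP/1.1" 200 51200 "-" "python-requests/1.2"
203.0.113.7 - - [10/Oct/2013:13:55:31 +0000] "GET /search?q=b HTTP/1.1" 200 51200 "-" "python-requests/1.2"
203.0.113.7 - - [10/Oct/2013:13:55:32 +0000] "GET /search?q=c HTTP/1.1" 200 51200 "-" "python-requests/1.2"
203.0.113.7 - - [10/Oct/2013:13:55:33 +0000] "GET /search?q=d HTTP/1.1" 200 51200 "-" "python-requests/1.2"
203.0.113.7 - - [10/Oct/2013:13:55:34 +0000] "GET /search?q=e HTTP/1.1" 200 51200 "-" "python-requests/1.2"
203.0.113.7 - - [10/Oct/2013:13:55:35 +0000] "GET /search?q=f HTTP/1.1" 200 51200 "-" "python-requests/1.2"
192.0.2.9 - - [10/Oct/2013:13:55:40 +0000] "GET /static/logo.png HTTP/1.1" 200 1200 "-" "ImageBot/0.1"
192.0.2.9 - - [10/Oct/2013:13:55:41 +0000] "GET /static/a.png HTTP/1.1" 200 1200 "-" "ImageBot/0.1"
192.0.2.9 - - [10/Oct/2013:13:55:42 +0000] "GET /static/b.png HTTP/1.1" 200 1200 "-" "ImageBot/0.1"
192.0.2.9 - - [10/Oct/2013:13:55:43 +0000] "GET /static/c.png HTTP/1.1" 200 1200 "-" "ImageBot/0.1"
192.0.2.9 - - [10/Oct/2013:13:55:44 +0000] "GET /static/d.png HTTP/1.1" 200 1200 "-" "ImageBot/0.1"
192.0.2.9 - - [10/Oct/2013:13:55:45 +0000] "GET /static/e.png HTTP/1.1" 200 1200 "-" "ImageBot/0.1"
198.51.100.20 - - [10/Oct/2013:13:55:45 +0000] "GET /search?q=cats HTTP/1.1" 200 30100 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return a record dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "path": m.group("target").split("?", 1)[0],   # drop the query string
        "status": int(m.group("status")),
    }


class L7RateDetector:
    """Weighted sliding-window request budget per client IP."""

    def __init__(self, window_seconds=10, budget=20):
        self.window = window_seconds
        self.budget = budget
        self.hits = defaultdict(deque)   # ip -> deque of (timestamp, cost)
        self.load = defaultdict(int)     # ip -> weighted load inside the window
        self.peak = defaultdict(int)     # ip -> highest load seen
        self.total = defaultdict(int)    # ip -> request count
        self.flagged = {}                # ip -> timestamp the budget was first exceeded

    def observe(self, rec):
        """Feed one parsed record (in time order per IP); return True if the client is over budget."""
        ip, ts = rec["ip"], rec["ts"]
        cost = ENDPOINT_COST.get(rec["path"], 1)
        q = self.hits[ip]
        q.append((ts, cost))
        self.load[ip] += cost
        self.total[ip] += 1
        # Evict requests that have aged out of the window before judging the load
        while q and (ts - q[0][0]).total_seconds() > self.window:
            _, old_cost = q.popleft()
            self.load[ip] -= old_cost
        self.peak[ip] = max(self.peak[ip], self.load[ip])
        if self.load[ip] >= self.budget and ip not in self.flagged:
            self.flagged[ip] = ts
        return ip in self.flagged


def analyze(log_text, window_seconds=10, budget=20):
    """Run the detector over log text; return a per-client summary keyed by IP."""
    det = L7RateDetector(window_seconds, budget)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            det.observe(rec)
    return {
        ip: {
            "requests": det.total[ip],
            "peak_load": det.peak[ip],
            "flagged_at": det.flagged[ip].isoformat() if ip in det.flagged else None,
        }
        for ip in det.total
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for ip, s in sorted(report.items(), key=lambda kv: -kv[1]["peak_load"]):
        print(f"{ip:15} requests={s['requests']:2} peak_load={s['peak_load']:2} flagged_at={s['flagged_at']}")
```

Weighting by endpoint cost is the point: the image fetcher makes as many requests as the search client in the same window but never approaches the budget, while four back-to-back searches do. The `flagged_at` timestamp is what you would hand to a blocking layer; trending `peak_load` per client over longer windows is the "response time decreases over time" part of the abstract.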
Appsec Tl;dr - Gillis Jones
Have you ever wondered what it takes to get one of those "elusive" bug bounties that people are always snapping up? In this presentation, Gillis Jones will walk you through the fundamentals of the web, and on to the art of hacking the planet. Complete with examples, secrets that the professionals try to keep quiet, and suggestions on "How to Hack", this presentation aims to bring you to a level of proficiency in hacking the web in less than 60 minutes.
Exploiting the Zero'th Hour: Developing your Advanced Persistent Threat to Pwn the Network - Solomon Sonya and Nick Kulesza
Advanced Persistent Threats (APT) and botnets represent one of the largest security concerns with regard to network defense and exploitation. Most security professionals know about these advanced tools, and many people have discussed the overall concept of command and control of networked systems; however, many experts do not yet understand how to create a botnet and establish unhindered command and control of many systems across the Internet. If a security researcher or penetration tester sets out to build a botnet, where do they begin, and how do they overcome the serious difficulties encountered in developing their botnet and APT malware? This talk addresses these questions by showing exactly how to create a botnet (from scratch), how to build new implants and the master controller that herds all infected systems into one user interface, and includes live demos of Splinter, the Remote Administration Tool (RAT) we created to demonstrate the entire process and are releasing to the community for use. And what about defense, you ask? One word answers this: PWNED!!! As systems continue to be exploited on a daily basis, the end goal of this presentation is to show how these botnets are built so that white-hat hackers, penetration testers, red team experts, and computer incident responders can tie this knowledge into implementing better security measures for the protection of our networks.
Weaponized Security - Kellman Meghu
How dangerous can you get with just the security tools you have today? Do you have access to a technology that makes searching for patterns of data in the network very simple? I bet you do. Now I want you to imagine implementing that technology on an open wifi network to investigate and monitor, not protect. This talk discusses how a tool meant to secure people can be turned against them, and the results of random people leaking data about their computers and themselves. This is all done with publicly available and commonly implemented enterprise security, just implemented in uncommon ways. PLEASE NOTE: This presentation contains content from a free wifi connection whose users agreed to full release of their information in exchange for service, in so much as they clicked accept on a captive portal to get online. You can't say we didn't try to warn them. The data extracted from this network in no way reflects the thoughts, feelings or attitudes of the presenter, and some of it may be offensive in nature. Who knows, maybe you are even in this presentation yourself. Have you ever used 'free' wifi?
Build Your Own Android Spy-Phone - Kevin McNamee
Know your enemy! Attendees will see a live demonstration of how we built a proof-of-concept Android Spy-Phone. We will show how we developed the Android spy-phone module and demonstrate how to inject it into legitimate applications to infect unsuspecting victims. We will demonstrate how the spy-phone command and control server can take complete control of the infected phone to steal information, track its location, track SMS and telephone messages, send SMS messages from the phone, and take photos and eavesdrop on conversations without the user knowing. In the BYOD/APT context these capabilities provide a formidable cyber-espionage platform.
Frayed Edges; Monitoring a perimeter that no longer exists - Mark Nunnikhoven
The foundations of traditional network security are crumbling in the public cloud. Old assumptions will leave your cloud deployments vulnerable and exposed. In this talk, we'll examine the existing models of network security and how you can transition to new cloud-friendly models that take advantage of dynamic cloud environments. With the stage set, we'll dive into the details of how to piggyback on cloud deployment and monitoring tools to increase visibility into your cloud deployment to provide you with the awareness you need.
The World's Deadliest Malware - Christopher Pogue
This silent threat infects more than 1,000 victims annually. It shows no prejudice, it has no compassion. It comes like an unseen thief in the night to steal. It IS the World's Deadliest Malware.
Point of Sale breaches continue to plague the business world. Credit card data is being stolen in ever increasing numbers with no signs of slowing down. How do these breaches occur? How are targets selected? How does the malware get deployed? What does it do once it gets there? Why does Anti-Virus not catch it? Who is performing these breaches? Why? Does it really have that much of an impact on the business world?
Hear the answers to all of these questions, and much more, straight from the front lines from Trustwave SpiderLabs Director of Incident Response and Digital Forensics, Chris Pogue. Hear how these investigations are conducted and what cutting-edge tools and techniques are being used to identify this criminal activity, and actually see the malware at work first hand! (Yes...there is a demo).
Your own pentesting army complete with air support - Philip Polstra
This talk will discuss pentesting with an army of low-powered devices running a custom Linux distro (known as The Deck). The devices are connected via 802.15.4 networking for command and control. The Deck runs on the BeagleBone and BeagleBoard family of devices. An airborne version of The Deck which (along with wireless sensors) is embedded in a flying wing platform will also be presented. All hardware and software (including the flying wing platform) is 100% open source.
Fiber Channel – Your OTHER Data Center Network - Rob VandenBrink
The majority of large datacenter storage architectures in the world are currently based on Fiber Channel networks. Unfortunately, the emphasis on security, compliance, and audit remains on hosts and traditional Ethernet networks, leaving Fiber Channel behind as "a storage thing" that for some reason is never secured. Abdicating this responsibility leaves the Fiber Channel network open as a conduit for unfettered, unmonitored recon and theft of data, without regard for the security zones you may have defined on your IP network.
In this presentation we'll explore commonly overlooked Fiber Channel security settings, how to audit, pentest, or attack Fiber Channel, and more importantly, how to secure your Fiber Channel network. Live demos of methods and tools are (of course) part of this presentation.
For a synopsis of previous year sessions and events, we invite you to visit our Past Events page.