Securing your network with open-source technologies and standard protocols: Tips & Tricks

We are continually asked “Does your product work with VPN X?”. This is the wrong question. The right question is whether any product on your network supports the authentication protocol you have chosen as a standard. Once you decide on a standard, the world opens up to you. Specifically, the world of open source software. […]

400 Apps in 40 Days

You are an information security practitioner who finds themselves responsible for the security of their organization’s data. From an application perspective you are most likely looking at hundreds, if not thousands, of internet-facing domains. How do you prioritize one over another? How do you do this on time and on budget? This presentation aims to provide […]

What’s Old Is New Again: An Overview of Mobile Application Security

The ever-increasing prevalence of mobile devices brings with it a slew of security problems. Applications running directly on mobile devices (and web apps optimized for mobile clients) are ripe for the picking even by unsophisticated attackers. The attack classes that once applied to traditional network-facing, fat client, and web applications are now valid for mobile […]

Cloud definitions you’ve been pretending to understand

We’ve all heard talks where we nodded in agreement with the speaker when he or she launched into jargon we didn’t comprehend. In this talk Jack, assisted by sock puppets, will explain common cloud computing terminology and discuss some common misconceptions about cloud computing.

A Day in the life of APT

The term “Advanced Persistent Threat” has dominated the cyber security world for the last several years. This marketing construct is designed to describe a real and widespread threat, but seems to cause confusion and mockery. This presentation will cut through marketing hyperbole to walk through an attack by a sophisticated actor demonstrating the tools and […]

Inside the Malware Industry

Not much is known about the malware industry and how it makes money. This talk will break the silence and expose the shady techniques used to create and spread this software, all from the perspective of someone who worked there.

Today’s Reality: Living in Compromise to Advanced Persistent Threats

Today’s network advanced persistent threats by definition evade detection by perimeter defenses and current concepts for defense in depth – whether you know it or not. Most organizations have developed an over-reliance upon network-layer, perimeter focused solutions that require signatures or profile-based foreknowledge of a given technical threat. As proven through numerous security breaches over […]

Gates, Guards, and Gadgets: An Introduction to the Physical Security of IT

We’re all familiar with using a defense-in-depth strategy when planning information security, but none of that matters if I can take your datacenter and load it into my truck! Join Kai Axford, a Certified Protection Professional (CPP), as he looks at the various aspects of physical security, such as barrier planning, IP surveillance, lock selection […]

Building your own secure U3 launchable Windows forensic toolkit

This toolset attempts to provide an easy-to-use U3 drive to gather forensic data from a Windows computer. The entire toolset is located on the read-only portion of the U3 drive, and reports are written to the writeable portion.

Mastering Trust: Hacking People, Networks, Software, and Ideas.

Why can’t we make the right decision all the time? Our sense of trust is broken. Lies, deceit, fraud, and insinuations make up a large part of crime for a reason. We are bad at trust. It’s in our biology. It’s why we sometimes make the wrong friends, date the wrong people, buy the wrong […]

Distributed Denial of Service: War Stories from the Cloud Front

Due to the rise of large-scale botnets, Distributed Denial of Service (DDoS) is making a resurgence, both in attacker capabilities and the impact on target organizations. This presentation is an overview of DDoS attacker capabilities and techniques, defenses against attacks, and lessons learned from responding to numerous DDoS attacks. The session will cover a very […]

By The Time You’ve Finished Reading This Sentence, “You’re Infected”

This talk is intended to be a rapid-fire description of 25 tactics currently used by “the bad guys” so that malware STILL evades AV, web reputation filters and IDP systems and practically any defense thrown at it. Malicious content continues to be a thorn in the side of practically all Internet users. This talk will […]

Black Berry Security FUD Free

As mobile computing devices proliferate in the enterprise, more ‘security’ conscious people are raising flags about mobile device security. One device which is dominant in the enterprise mobile computing world is the ubiquitous Blackberry(TM), which has quite a bit of Fear, Uncertainty and Doubt surrounding it and its security controls. Rumors about BlackBerry compromises and confusion […]

Realize More Value From Your Existing Security Tools

Dave Millier will talk about leveraging information gathered from various sources (security and system logs, reports, processes, and directly from people), and turning them into meaningful reports and dashboards that can be used to track compliance around various standards and regulations, including PCI, CobiT, SOX, NERC CIP, and others. Rather than focusing on any particular […]

Beyond Aurora’s Veil: A Vulnerable Tale

In 2009, the Conficker worm was dissected by researchers, and then fried by the spotlight on a worldwide stage. One year later, we saw the Aurora assaults similarly glow in the headlines. Defense was tense against these two nasties – yet, in each case, easily circumvented by two potent zero-day exploits that crept in from […]

Emerging Threats, The Battle for the Access edge

Your network is under attack. Malware, Trojans, Botnets and a host of other threats are alive and well on the Internet. The people who produce these threats have a new target — the wired and wireless edges of your network. To effectively detect and manage these threats you need a management platform that provides a single […]

Dissecting the Modern Threatscape: Malicious Insiders, Industrialized Hacking, and Advanced Persistent Threats

This is an intermediate to advanced level presentation that pulls from McAfee Labs research as well as real-life customers. This is original content designed to paint a clear picture of today’s threat landscape and through doing so illustrate the differences between insider threats, industrialized hackers, and APTs. Attacks are coming from all angles. In some […]

Crime & Carelessness: Gaps that Enable the Theft of Your Most Sensitive Information

“Information is power and money. Our professional lives revolve around building, inventing and working with more valuable information. How we protect and manage this information is core to the success of our economy, organizations, corporations and our personal lives. In this presentation we will explore how a criminal industry now larger than the international drug […]

Web Application Payloads

This talk will introduce attendees to the subject and show a working implementation of Web Application Payloads that uses the “system calls” exposed by vulnerable Web Applications to collect information from, and gain access to the remote Web server. The Web application payloads implementation was developed as a part of the w3af framework, an open […]

CLOUDINOMICON: Idempotent Infrastructure, Survivable Systems & Bringing Sexy Back to Information Centricity

Mass-market, low-cost, commodity Infrastructure-as-a-Service Cloud Computing providers abstract away compute, network and storage and deliver hyper-scalable capabilities. This “abstraction distraction” has brought us to the point where the sanctity and security of the applications and information transiting them are dependent upon security models and expertise rooted in survivable distributed systems, at layers where many security […]

Unidirectional Connectivity as a Security Enabler for SCADA and Remote Monitoring Applications

Network segregation (also called “air-gapping”) is considered a foolproof method for protecting networks from external attacks or from data theft/leakage. Unfortunately, employing this method forces users to forgo all benefits of connectivity; hence this method is not acceptable today as a viable security measure. Unidirectional connectivity, hardware enforced over all layers of communications, is an […]

The Four Types of Lock

Physical security is an oft-overlooked component of data and system security in the technology world. While numerous ratings and standards exist in order to classify specific security hardware, many of these standards are ill-defined and poorly understood. Do you know what makes a “hardened” or “contractor grade” lock special? What does the phrase “high security” signify on […]

SCADA and ICS for Security Experts: How to avoid cyberdouchery

The traditional security industry has somehow decided that they are the white knights who are going to save everyone from the horror of insecure powergrids, pipelines, chemical plants, and cookie factories. Suddenly, every consultant is an expert and every product fixes SCADA. And because they don’t know what the hell they’re talking about — ‘fake […]

The GhostNet Story

In March 2009 researchers at the University of Toronto uncovered a network of over 1200 compromised computers spread across 103 different countries. Nearly 30% of the infected hosts were identified as high-value targets, including ministries of foreign affairs, embassies, international organizations, news media, and NGOs. This presentation will detail the GhostNet investigation from the field […]

Malware Freakshow

In 2008 alone, we performed full forensic investigations on over 150 different environments ranging from financial institutions, hotels, restaurants and casinos. This presentation will show the inner workings of 4 very interesting pieces of malware, ranging from somewhat simple to very complex. Each sample was actually used to steal confidential data that resulted in significant […]

Deblaze – A remote method enumeration tool for flex servers

Flash has traditionally been a graphics-heavy technology used to create artistic user interfaces that run in a client’s browser. The evolution of Flash was pushed by application developers who wanted to access complex business logic and functionality on remote servers. Through the use of the Flex programming model and the ActionScript language, Flash Remoting […]

Smashing the stats for fun and profit

(or how to convince your boss to spend properly on security) We all know that security vulnerabilities need to be fixed, but it can be hard to convince your employer that you deserve a budget so you can do your job properly. Using research from the 2009 Canada-wide security survey, we’ll explore (FUD free) […]

w3af – A framework to own the web

Specially crafted for SecTor’s attendees, the w3af project leader will deliver a double talk about the framework, which will guide you through its features using demos and real-life examples. The first session introduces w3af to the audience and shows all of the automated Web application scanning features, and follows up with a detailed […]

Game Over, Man: Gamers Under Fire

An exploration of security issues relating to consoles and their risks to both home users and the business environment. This will include issues such as custom-built DDoS tools, social engineering of Microsoft support staff, account theft, the risk to businesses and personal tips to keep your own details secure. I will also examine the […]

Massively Scaled Security Solutions for Massively Scaled IT

The US Federal Government is the world’s largest consumer of IT products and, by extension, one of the largest consumers of IT security products and services. This talk covers some of the problems with security on such a massive scale; how and why some technical, operational, and managerial solutions are working or not working; and […]

Consumerization and Future State of Information Warfare

People crave constant communication, instant gratification, ease, and fun. But at what cost? What doors are we opening to the eventual potential for government-sponsored espionage, terrorism or full-scale war? How are consumers enabling or even participating in this effort? This speech will cover how individuals in a highly commercialized world can bring a […]

Towards a more secure online banking – moving beyond twenty questions.

Online financial applications have developed in a seemingly haphazard way. The result is images for host authentication, hidden cookies and inane questions. The session will break down attacks against session, host/mutual authentication and transaction authentication, and suggest more secure methods of protecting against those attacks without excessive inconvenience to the user and lay the groundwork […]

SSLFail.com

SSLFail.com brings together security enthusiasts who research all things SSL/TLS. Secure Sockets Layer and Transport Layer Security are an essential part of today’s Internet, and they are very poorly understood by most users and, unfortunately, many administrators. There have been a number of very important developments in the area of SSL in the past year. […]

Sniper Forensics – Changing the Landscape of Modern Forensics and Incident Response

Live analysis tools and techniques have exploded onto the incident response scene in the last two years. By gathering and reviewing volatile data and RAM dumps, incident responders can use time-proven theories like “Locard’s Exchange Principle”, “Occam’s Razor”, and “The Alexiou Principle” to target only the systems that are part of the breach. What […]

Cain BeEF Hash: Snagging passwords without popping boxes

Chaining exploits and abusing trust are two heavily discussed topics in security today. If you ever deal with Windows domains come see what tools and techniques can be used to quietly liberate hashes even if the workstations are patched. This presentation will go in depth into what tools can facilitate turning acquired credentials into usable […]

Portable Document Malware, the Office, and You – Get owned with it, can’t do business without it

Many new types of malware, particularly targeted attacks against high-value targets, are using a very effective vector: common document formats such as Word, PowerPoint, and PDF. Unlike executables, businesses can’t just block these ubiquitous file types. While there are ways to spot this kind of malware, many antivirus companies are lagging behind with generic detection, […]

DNSSEC deployment in Canada

The Kaminsky bug, announced at Black Hat last year, sent everyone scrambling to update their DNS infrastructure. But most people stopped after the patchwork. Over 10 TLDs, including .gov, are already deployed using DNSSEC. CIRA has launched a “friends & family” test program for those who want to test DNSSEC with .ca domains (and should […]

Retaliation: Breaking Attack Vectors in the Infrastructure

2010 will be the beginning of a new world of network and infrastructure security as new IEEE standards change the landscape of threat models for wired, wireless and wide area networks. Learn how to use these features to stop spoofing, eavesdropping and a host of malicious activity. I’ll give you the knowledge and tools to […]

Hacking the Privacy Legislation

In today’s environment of particularly scarce resources, privacy can be easily buried under its sexier older sister – security. But the need to balance the two is an ongoing concern when it comes to any system that collects, uses and discloses personal information. This session will focus on exploring the differences between the two, and […]

To cache a thief | Using database caches to detect SQL Injection attacks

Most SQL Injection attack detection methods are heavily dependent on IDS and web server logging which in many scenarios can be easily circumvented. Performing SQL Injection attack detection at the database can overcome current detection limitations. This session will demonstrate techniques and a new incident response tool that uses database caches to confirm or discount […]

The Past, Present & Future – SQL Injection

SQL Injection has gained a lot of awareness over the last few years, from the TJX / Heartland Payment Systems compromise to the mass SQL Injection attacks in 2008, which have continued to spill over into 2009. What was termed an ‘old school attack’ has certainly demonstrated the ability to continue to be successful. […]

When Web 2.0 Attacks – Understanding AJAX, Flash and “Highly Interactive” Technologies

This talk covers the problems that are emerging with Web 2.0 technologies, why they are issues and what can be done. Specifically diving into the approach for analyzing AJAX and Flash applications using some commercial and open-source tools, this talk is part informative, part educational, and all practical. Conference attendees love to have something to […]

Nsploit: Popping boxes with Nmap

Tired of waiting on scans to complete so you can own boxes? Maybe we can help! Let the powerful scripting engine in Nmap and the sexy attack power of Metasploit combine to form Nsploit, a framework for launching Metasploit exploits from Nmap. Nmap is supporting more vulnerability detection out of the box. Nsploit leverages that […]

Your Mind: Legal Status, Rights and Securing Yourself

As a participant in the information economy, you no longer exclusively own material originating from your organic brain; you leave a digital trail with your portable device’s transmitted communications and when your image is captured by surveillance cameras. Likewise, if you Tweet or blog, you have outsourced a large portion of your memory and some […]

Crimeware: Web Exploitation Kits Revealed

The session introduces the attendee to how crimeware has become increasingly popular in recent years, the indistinguishable similarities with legitimate business and the dangers the internet community is facing. There will also be a live demonstration of the infamous Mpack (or other similar kit), including a minor exercise encouraging one to identify methods to mitigate […]

Weaponizing the Web: More attacks on User-Generated Content

Ultimately, basing the value proposition of your site on user-generated and external content is a kind of variant on Russian Roulette, where in every turn the gun is pointed at your head, regardless of the number of players. You may win most of the time, but eventually a bullet is going to find its way […]

The New New Thieves and Contemporary Security Analysis

An informative look into the modern security industry, the role security testers play, what we should be doing, and how we can address it. This presentation gives a global view from the combined research of recent ISECOM project work in the OSSTMM, Hacker Profiling Project, Trust rules in the OpenTC project, the SCARE (Source Code […]

Under the iHood

The market share for Apple devices has grown considerably over the past few years, but most reverse engineering topics still focus on Microsoft platforms. This talk will outline what is necessary to begin reversing software on OS X. This will include a rundown of the tools available to an Apple-based researcher, how Objective-C works […]

Network Security Stripped: From layered technologies to the bare essentials

2009 will be a big year for network security, with the rejuvenation of NAC technologies, endpoint security and the new 802.1X-REV. In addition to the more complex security systems, organizations will be leveraging features already integrated in their current infrastructure devices, such as DHCP snooping, dynamic ARP protection, port filtering and dynamic IP lockdown. We’ll […]
