Security Heretic: We’re Doing It Wrong

Information and Computer Security is a multi-million dollar business. I am part of that business. And it’s wrong. An industry that was started with the highest of ideals, the most pure of motives has deteriorated into a crass, commercial race-to-the-bottom. Or at least it feels that way most of the time. In this presentation, a […]


Exploit-Me for Fun and Profit

The Exploit-Me suite of tools provides a powerful platform for testing websites for application vulnerabilities. Jamie Gamble and Tom Aratyn of Security Compass will demonstrate how the Exploit-Me tools could have been used to catch common vulnerabilities in real world applications, and how they could have saved time and embarrassment. We’ll start with a demonstration […]


Security and Robustness in Backbone Design

This session will explore current issues in backbone design, from large-scale outages and disaster recovery to the logistics and ethics of application layer filtering on backbone networks. The talk will cover the trends and technology advances which have recently evolved in ISP engineering, from inline Layer 7 proxies cleaning up protocols real-time to increasingly challenging […]


Tracking Current and Future Botnets

Since 2004 when the outbreak of the MyDoom virus installed botnet spamware software on the victims’ PCs, we have been identifying and tracking various forms of spamming botnets. The most recent large scale example of this is the Srizbi botnet, which numbers in the hundreds of thousands of actively spamming IP addresses, potentially indicating millions […]


Pwning the proxy

Compromising an internal proxy is easy. If you know what to do. And we’ll show you. Brute force, traffic sniffing, internal network scanning, reverse HTTP, social engineering, phishing – there are many methodologies to choose from. This talk will not only cover various ways of using these processes to compromise an internal proxy, but we’ll […]


Ten Things Everyone Should Know About Lockpicking & Physical Security

Physical security is an oft-overlooked component of data and system security in the technology world. While frequently forgotten, it is no less critical than timely patches, appropriate password policies, and proper user permissions. You can have the most hardened servers and network but that doesn’t make the slightest difference if someone can gain direct access […]


The Future of Snort: Why it must change for network security to live.

With over 3,000,000 downloads, Snort is the most widely deployed and trusted intrusion detection and prevention technology worldwide. How will Snort evolve over the next couple of years to keep up with the ever-changing network security landscape? Join Mr. Young as he shares his vision of future Snort features and why they are needed. This […]


New Research on Canadian Privacy Breaches

Canadian organizations must contend with 5 pieces of privacy legislation governing different sectors and industries and the expectations of personal information management. Preliminary results indicate that certain industries have a higher occurrence of different types of privacy incidents. Types of privacy breaches, in particular, tend to be clustered into unauthorized collection, use and / or […]


MetaSploit Prime

This talk dives into the upcoming features of Metasploit 3.2, including IPv6 support, wireless client exploitation, hardware integration, METASM based payloads, and much, much more. The 3.2 release will be offered under a true open source license by a brand new development team.


Googless

The October 2008 Update of the OWASP “Google Hacking” Project will demonstrate the “Spiders/Robots/Crawlers” and “Search Engine Reconnaissance” sections of the OWASP Testing Guide v3, the “Speak English” Google Translate Workaround and a demonstration of two Proof of Concept (PoC) that implement the Google SOAP Search API: “Download Indexed Cache” which retrieves content indexed within […]


WiFi Clinic – Running all day in Hall G

Physical security is far too often an overlooked aspect of modern security. ‘It’s fine, the server room is locked’ you say? Come spend some time in the lockpick village. Learn how lock picking, bump keys and other lock bypass techniques work, what makes a lock secure, and what makes it weak. Attendees will get the […]


Novel Malware Detection

The last few years represent a large change in the threats against our systems. The attacks that are hitting enterprises today are much more targeted and malicious than at previous times. Where once we had script kiddies and general purpose attacks aimed at the entire Internet, now we face highly skilled software engineers who are […]


Lockpick Village – Running all day in Hall G

Physical security is far too often an overlooked aspect of modern security. ‘It’s fine, the server room is locked’ you say? Come spend some time in the lockpick village. Learn how lock picking, bump keys and other lock bypass techniques work, what makes a lock secure, and what makes it weak. Attendees will get the […]


RFID Unplugged

RFID system usage is increasing in the transit, access control, and payment sectors, with little to no foresight into effective security. This presentation will cover potential threat and attack models from the business, integrator, and consumer perspective. Beginning with an overview of the systems in place today, we will review specific vulnerabilities – many with […]


Double Trouble: SQL Rootkits and Encryption

This is a joint session covering two critical SQL Server risks: SQL Server rootkits and common SQL Server encryption implementation mistakes that result in data exposure. SQL Server Rootkits: To date there has been no database rootkit research that focused directly on SQL Server, that is until now. Attendees will see first-hand how rootkits can […]


Finding Cryptography in Object Code

Finding and identifying cryptography is a growing concern in the malware analysis community. The current state of the art is to locate it manually and identify it based on various constants used by the algorithms. By examining the operations used by cryptographic functions, it is possible to locate it based on heuristics. The types and […]


Advanced Spear Phishing Attack Framework

This talk will introduce spear phishing and how successful these attacks are in the real-world. It will then introduce a newly developed OWASP open source tool called LUNKER. This tool and research is designed to first educate and illustrate how criminals are using these attacks to gain access to real networks. And how to mitigate […]


The Four Horsemen Of the Virtualization Security Apocalypse: My Little Pwnie Edition

Despite shiny new stickers on the boxes of our favorite security vendors’ products that advertise “virtualization ready!” or the hordes of new startups emerging from stealth decrying the second coming of security, there exists the gritty failed reality of attempting to replicate complex network and security topologies in virtualized environments. This talk will clearly demonstrate […]


Network Security Stripped: From layered technologies to the bare essentials

2009 will be a big year for network security, with the rejuvenation of NAC technologies, endpoint security and the new 802.1X-REV. In addition to the more complex security systems, organizations will be leveraging features already integrated in their current infrastructure devices, such as DHCP snooping, dynamic ARP protection, port filtering and dynamic IP lockdown. We’ll […]


The New New Thieves and Contemporary Security Analysis

An informative look into the modern security industry, the role security testers play, what we should be doing, and how we can address it. This presentation gives a global view from the combined research of recent ISECOM project work in the OSSTMM, Hacker Profiling Project, Trust rules in the OpenTC project, the SCARE (Source Code […]


DNSSEC: Theory and Worldwide Operational Experiences

The Domain Name System (DNS) has been up for an overhaul for many years, as the last “core internet” protocol left without any security. Attacks abusing the DNS to hijack domains, spoof websites and bypass spam filters are on the rise. July 2007 saw a major DNS hijacking attack. Gartner prominently added DNS attacks to […]


Zen and the Art of Cybersecurity

The biggest problem in corporate information security is the people performing the work. I have found that there are people outside the security field, and even many people inside the field, who think they know what they need to know about security but clearly don’t. Additionally, some people know a great deal about one aspect […]


SQL Server Database Forensics

Databases are the single most valuable asset a business owns. Databases store and process critical financial, healthcare and HR data, yet businesses place very little focus on securing and logging the underlying database transactions. As well, in an effort to trim costs, many organizations are consolidating several databases on to single mission critical systems which […]


Growing the Security Profession

As the field of information security matures, several significant barriers to progress that exist today will have to be removed if our capability to manage security risks is to improve. This presentation focuses on several of these, including the lack of truly effective channels to convey current knowledge to front-line practitioners; the division of the […]


You’re Just Not Pretty Enough to Do Investigations

You’re not attractive enough to be on CSI: Miami, but who cares…this is real life. Join Kai Axford and members of Canadian law enforcement’s best cybercrime teams, for a fun and engaging session, as we demonstrate tools and techniques that will prove useful in your own computer investigations. Got questions on how RCMP and TPS […]


Hacking Hollywood

Hacking stuff is for the birds. I’m taking a new path in life. I’ve decided to become a technical consultant for Hollywood. (No, not really, but work with me here). In my new role, I’ve decided it’s time to take up the torch for all my fellow consultants who have been abused by you people […]


Wireless Security – What Were They Thinking

Wireless technology was supposed to mean freedom from wires and desks. It has instead become one of the biggest security nightmares for IT. How did we get here, what are the threats (existing and emerging), and where do we go from there? With wireless available on every new laptop and even iPods now, it’s with […]


Black Ops 2007: DNS Rebinding Attacks

The web has grown beyond anyone’s wildest expectations — but it’s still based on Internet protocols that go back thirty years. In this talk, I explore an interesting fault in the fundamental design of the web, which exposes every corporate network to the Internet and makes click fraud, SPAM, and worse distressingly trivial. Interestingly, the […]


TCP/IP Perversion

The evolution of rogue code has somewhat ignored the opportunities offered by kernel network drivers. In this paper we will analyze such opportunities and demonstrate several methods of data theft and system commandeering while evading perimeter/host based security systems and operating undetected in the long term. End node TCP/IP perversion relies on a kernel module […]


Human Factor vs. Technology

This lecture will present current challenges in operating systems security – from both a human as well as a technical perspective – and views on possible ways of addressing those issues. The main message will be that the so-called “human factor” is not, in contrast to common belief, the weakest link in IT security, as […]


NAC@ack

The last two years have seen a big new marketing-buzz named “Admission Control” or “Endpoint Compliance Enforcement” and most major network and security players have developed a product-suite to secure their share of the cake. While the market is still evolving one framework has been getting a lot of market-attention: “Cisco Network Admission Control”. NAC […]


Exploit-Me Series – Free Firefox Application Penetration Testing Suite Launch

Security Compass is pleased to announce the release of the free Exploit-Me series of application penetration testing tools at SecTor. The toolset is made specifically for security consultants, developers and QA staff to facilitate testing of applications. The Exploit-Me series of tools are plug-ins to Firefox that allow for easy “right-click” style parameter fuzzing for […]


Cybercrime, CVEs, OVAL, CME and why you must care!

95% of downtime and successful criminal hacker attacks are because of your known vulnerabilities – find out what they are, current standards and new trends from the international standards body at MITRE, funded by the US Department of Homeland Security. Miliefsky is a Board member of this organization and will provide insights and free resources […]


Modern Trends in Network Fingerprinting

Both a WhiteHat Audit and a BlackHat Compromise begin with scoping out the network. OS and Application fingerprinting techniques have been staples of Network Reconnaissance for close to a decade. Today’s techniques include passive, active, blind and invasive fingerprinting. A brief review of current and past strategies explains the strengths and pitfalls of each […]


How Close is the Enemy

Hackers, terrorists, insiders, nation states and others all pose threats, but who really is capable of damaging our critical systems infrastructure? Not too long ago we were only concerned about hackers breaking into our systems. Today, we face a number of threats in cyber space. Trusted insiders now account for more than fifty percent of […]


Process Control and SCADA: Protecting Industrial Systems from Cyber Attack

With the recent advancements in national security initiatives, as well as parallel efforts in research by both the public and the private community, there is an immediate requirement for the strategic development of plans to protect Critical Information and Key Resources (CI/KR) from cyber attack. As such, Process Control and SCADA systems are beginning to […]


State of the Hack

During the last ten years, Kevin Mandia has been on the front lines assisting organizations in responding to international computer intrusions, theft of customer credentials, and widespread compromise of sensitive data. During his efforts to resolve these incidents, many similar challenges and issues confronted each organization. During this presentation, Mr. Mandia will provide case studies […]


Security Challenges in Virtualized Environments

This presentation tries to show different security problems that might arise in virtualized environments. It first talks about virtualization based rootkits (AKA “blue pills”) — what is so special about them, clarifies some misunderstandings and also discusses how real this threat is today. It also touches on the subject of virtual machine isolation and why we […]


Data on Threat Evolution – What 47 Leading Security Vendors Are Seeing

Forty-seven of the world’s leading security vendors collaborate with a single centralized, private source of threat intelligence for the data and technical analysis that drives their daily product updates and helps focus their longer-term technology innovations. This presentation draws directly on that same key data source to derive hard data regarding the evolution of threats […]


The Evolution of Phishing to Organized Crime

This presentation will discuss the evolution of phishing from being a means of stealing user identities to becoming a mainstay of organized crime. Today, phishing is a key component in a hacker’s repertoire. It has been used to hijack online brokerage accounts to aid pump ‘n dump stock scams, and as a means of creating […]


Hacking Bluetooth for Fun, Fame and Profit

Enhancements in cellular technology and mobile computing in recent years have led to the availability of affordable and powerful mobile devices. Where before cellular phones were relegated only to the business class and other members of the upper-echelon of society, today they are deemed a necessity and have become so cheap in comparison to phones […]


A Law Enforcement Perspective

Today, more than ever, law enforcement must work closely with various partners to identify and develop strategies to address the challenges posed by the diversity and speed of crime on the internet. The fact that a significant percentage of Canada’s critical infrastructure is owned and operated by the private sector and that the diversity of […]


Securing Commodity Systems using Virtual Machines

In this talk, I will summarize advances in academic research for mechanisms that use Virtual Machine Monitors (VMMs) to increase the security of commodity systems. Commodity systems are often required to support functionality required by legacy applications that is often at odds with security. For example, commodity systems feature dynamic extensibility, and many commodity applications […]


Attack Trends and Techniques: What’s Hot!?

The bad guys just keep getting better! They’re constantly changing their tactics and inventing new techniques to cause you harm, damage your data, and make your resources unavailable. Why do they do this? What motivates someone to — let’s call it what it is — commit computer-related crimes? How have they changed and improved? What […]
