The market share for Apple devices has grown considerably over the past few years, but most reverse engineering topics still focus on Microsoft platforms. This talk will outline what is necessary to begin reversing software on OS X. This will include a rundown of the tools available to an Apple-based researcher, how Objective-C works […]
This talk introduces a new open source, plugin-extensible attack tool for exploiting web applications that use cleartext HTTP, if only to redirect the user to the HTTPS site. We’ll demonstrate attacks on online banking as well as Gmail, LinkedIn, LiveJournal and Facebook. We’ll also compromise computers and an iPhone by subverting their software installation and […]
The last several years have seen a rapid growth in critical infrastructure cyber security. Within this domain, the issues related to SCADA and process control have received much attention. As a follow-on to last year’s session that was an introduction to cyber security and industrial control systems, this briefing will extend the material to […]
Information and Computer Security is a multi-million dollar business. I am part of that business. And it’s wrong. An industry that was started with the highest of ideals, the most pure of motives has deteriorated into a crass, commercial race-to-the-bottom. Or at least it feels that way most of the time. In this presentation, a […]
The Exploit-Me suite of tools provides a powerful platform for testing websites for application vulnerabilities. Jamie Gamble and Tom Aratyn of Security Compass will demonstrate how the Exploit-Me tools could have been used to catch common vulnerabilities in real-world applications, and how they could have saved time and embarrassment. We’ll start with a demonstration […]
This session will explore current issues in backbone design, from large-scale outages and disaster recovery to the logistics and ethics of application layer filtering on backbone networks. The talk will cover the trends and technology advances which have recently evolved in ISP engineering, from inline Layer 7 proxies cleaning up protocols real-time to increasingly challenging […]
Since 2004, when the outbreak of the MyDoom virus installed botnet spamware software on the victims’ PCs, we have been identifying and tracking various forms of spamming botnets. The most recent large-scale example of this is the Srizbi botnet, which numbers in the hundreds of thousands of actively spamming IP addresses, potentially indicating millions […]
Compromising an internal proxy is easy. If you know what to do. And we’ll show you. Brute force, traffic sniffing, internal network scanning, reverse HTTP, social engineering, phishing – there are many methodologies to choose from. This talk will not only cover various ways of using these processes to compromise an internal proxy, but we’ll […]
Physical security is an oft-overlooked component of data and system security in the technology world. While frequently forgotten, it is no less critical than timely patches, appropriate password policies, and proper user permissions. You can have the most hardened servers and network but that doesn’t make the slightest difference if someone can gain direct access […]
With over 3,000,000 downloads, Snort is the most widely deployed and trusted intrusion detection and prevention technology worldwide. How will Snort evolve over the next couple of years to keep up with the ever-changing network security landscape? Join Mr. Young as he shares his vision of future Snort features and why they are needed. This […]
Canadian organizations must contend with 5 pieces of privacy legislation governing different sectors and industries and the expectations of personal information management. Preliminary results indicate that certain industries have a higher occurrence of different types of privacy incidents. Types of privacy breaches, in particular, tend to be clustered into unauthorized collection, use and/or […]
This talk dives into the upcoming features of Metasploit 3.2, including IPv6 support, wireless client exploitation, hardware integration, METASM-based payloads, and much, much more. The 3.2 release will be offered under a true open source license by a brand new development team.
The October 2008 Update of the OWASP “Google Hacking” Project will demonstrate the “Spiders/Robots/Crawlers” and “Search Engine Reconnaissance” sections of the OWASP Testing Guide v3, the “Speak English” Google Translate Workaround and a demonstration of two Proofs of Concept (PoCs) that implement the Google SOAP Search API: “Download Indexed Cache” which retrieves content indexed within […]
Physical security is far too often an overlooked aspect of modern security. ‘It’s fine, the server room is locked’ you say? Come spend some time in the lockpick village. Learn how lock picking, bump keys and other lock bypass techniques work, what makes a lock secure, and what makes it weak. Attendees will get the […]
The last few years represent a large change in the threats against our systems. The attacks that are hitting enterprises today are much more targeted and malicious than at previous times. Where once we had script kiddies and general purpose attacks aimed at the entire Internet, now we face highly skilled software engineers who are […]
RFID system usage is increasing in the transit, access control, and payment sectors, with little to no foresight into effective security. This presentation will cover potential threat and attack models from the business, integrator, and consumer perspective. Beginning with an overview of the systems in place today, we will review specific vulnerabilities – many with […]
Known by most by his email name, ‘Stepto’, Stephen Toulouse was involved in some of the most fundamental security incidents and decisions made at Microsoft over the past several years. In 2007 Stepto moved from Microsoft’s Trustworthy Computing division to pursue his lifelong dream of being paid to play video games and work for the […]
This is a joint session covering two critical SQL Server risks: SQL Server rootkits and common SQL Server encryption implementation mistakes that result in data exposure. SQL Server Rootkits: To date there has been no database rootkit research that focused directly on SQL Server, that is, until now. Attendees will see first-hand how rootkits can […]
Based on the book No-Tech Hacking, this presentation shows life through the eyes of today’s hacker. I’ll show what kinds of tactics a hacker will employ and the perspective they have that allows them to stay one step ahead of the good guys. I’ll focus on the hacker mind, showing in a compelling way the […]
Finding and identifying cryptography is a growing concern in the malware analysis community. The current state of the art is to locate it manually and identify it based on various constants used by the algorithms. By examining the operations used by cryptographic functions, it is possible to locate it based on heuristics. The types and […]
This talk will introduce spear phishing and how successful these attacks are in the real-world. It will then introduce a newly developed OWASP open source tool called LUNKER. This tool and research is designed to first educate and illustrate how criminals are using these attacks to gain access to real networks. And how to mitigate […]
“Opening Keynote” – David Black, Manager, Cyber Infrastructure Protection Section RCMP, Technical Security Branch
Despite shiny new stickers on the boxes of our favorite security vendors’ products that advertise “virtualization ready!” or the hordes of new startups emerging from stealth decrying the second coming of security, there exists the gritty failed reality of attempting to replicate complex network and security topologies in virtualized environments. This talk will clearly demonstrate […]
2009 will be a big year for network security, with the rejuvenation of NAC technologies, endpoint security and the new 802.1X-REV. In addition to the more complex security systems, organizations will be leveraging features already integrated in their current infrastructure devices, such as DHCP snooping, dynamic ARP protection, port filtering and dynamic IP lockdown. We’ll […]
An informative look into the modern security industry, the role security testers play, what we should be doing, and how we can address it. This presentation gives a global view from the combined research of recent ISECOM project work in the OSSTMM, Hacker Profiling Project, Trust rules in the OpenTC project, the SCARE (Source Code […]