This talk covers the problems that are emerging with Web 2.0 technologies, why they are issues and what can be done. Specifically diving into the approach for analyzing AJAX and Flash applications using some commercial and open-source tools, this talk is part informative, part educational, and all practical. Conference attendees love to have something to […]
In today’s environment of particularly scarce resources, privacy can be easily buried under its sexier older sister – security. But the need to balance the two is an ongoing concern when it comes to any system that collects, uses and discloses personal information. This session will focus on exploring the differences between the two, and […]
As a participant in the information economy, you no longer exclusively own material originating from your organic brain; you leave a digital trail with your portable device’s transmitted communications and when your image is captured by surveillance cameras. Likewise, if you Tweet or blog, you have outsourced a large portion of your memory and some […]
Andrew Nash, senior director of identity services, PayPal. Consumers have too many online identities – they must remember dozens of accounts and passwords, and consumer Internet interactions are repetitive, frustrating and littered with outdated information. The scale of the problem is immense; hundreds of millions of Internet users interact with tens of millions of Internet Service […]
An exploration of security issues relating to consoles and their risks to both home users and the business environment. This will include issues such as custom built DDoS tools, social engineering of Microsoft support staff, account theft, the risk to businesses and personal tips to keep your own details secure. I will also examine the […]
Aesop wrote a little ditty about some discontented frogs who lived in a pond. They asked Zeus for a new King. They got one. It ate them. The moral of this story is “be careful what you wish for as you might just get it.” The corresponding analog is that of virtualization and cloud security. […]
Chaining exploits and abusing trust are two heavily discussed topics in security today. If you ever deal with Windows domains come see what tools and techniques can be used to quietly liberate hashes even if the workstations are patched. This presentation will go in depth into what tools can facilitate turning acquired credentials into usable […]
Ultimately, basing the value proposition of your site on user-generated and external content is a kind of variant on Russian Roulette, where in every turn the gun is pointed at your head, regardless of the number of players. You may win most of the time, but eventually a bullet is going to find its way […]
Tired of waiting on scans to complete so you can own boxes? Maybe we can help! Let the powerful scripting engine in Nmap and the sexy attack power of Metasploit combine to form Nsploit, a framework for launching Metasploit exploits from Nmap. Nmap is supporting more vulnerability detection out of the box. Nsploit leverages that […]
In 2008 alone, we performed full forensic investigations on over 150 different environments, ranging from financial institutions to hotels, restaurants and casinos. This presentation will show the inner workings of 4 very interesting pieces of malware, ranging from somewhat simple to very complex. Each sample was actually used to steal confidential data that resulted in significant […]
(or how to convince your boss to spend properly on security) We all know that security vulnerabilities need to be fixed but it can be hard to convince your employer that you deserve a budget so you can do your job properly. Using research from the 2009 Canada wide security survey, we’ll explore (FUD Free) […]
The US Federal Government is the world’s largest consumer of IT products and, by extension, one of the largest consumers of IT security products and services. This talk covers some of the problems with security on such a massive scale; how and why some technical, operational, and managerial solutions are working or not working; and […]
The Kaminsky bug, announced at Black Hat last year, sent everyone scrambling to update their DNS infrastructure. But most people stopped after the patchwork. Over 10 TLDs, including .gov, are already deployed using DNSSEC. CIRA has launched a “friends & family” test program for those who want to test DNSSEC with .ca domains (and should […]
In March 2009 researchers at the University of Toronto uncovered a network of over 1200 compromised computers spread across 103 different countries. Nearly 30% of the infected hosts were identified as high-value targets, including ministries of foreign affairs, embassies, international organizations, news media, and NGOs. This presentation will detail the GhostNet investigation from the field […]
Flash has traditionally been a graphics-heavy technology used to create artistic user interfaces that run in a client’s browser. The evolution of Flash was pushed by application developers who wanted to access complex business logic and functionality on remote servers. Through the use of the Flex programming model and the ActionScript language, Flash Remoting […]
Online financial applications have developed in a seemingly haphazard way. The result is images for host authentication, hidden cookies and inane questions. The session will break down attacks against session, host/mutual authentication and transaction authentication, and suggest more secure methods of protecting against those attacks without excessive inconvenience to the user and lay the groundwork […]
Specially crafted for SecTor’s attendees, the w3af project leader will deliver a double talk about the framework, which will guide you through its features using demos and real-life examples. The first session introduces w3af to the audience and shows all of the automated Web application scanning features, and follows up with a detailed […]
Live Analysis tools and techniques have exploded onto the incident response scene in the last two years. By gathering and reviewing volatile data and RAM dumps, incident responders can use time-proven theories like “Locard’s Exchange Principle”, “Occam’s Razor”, and “The Alexiou Principle” to target only the systems that are part of the breach. What […]
SSLFail.com brings together security enthusiasts who research all things SSL/TLS. Secure Sockets Layer and Transport Layer Security are an essential part of today’s Internet, and they are very poorly understood by most users and, unfortunately, many administrators. There have been a number of very important developments in the area of SSL in the past year. […]
People crave constant communication, instant gratification, ease, and fun. But at what cost? What doors are we opening for an eventual potential for government-sponsored espionage, terrorism or full-scale war? How are consumers enabling or even participating in this effort? This speech will cover how individuals in a highly commercialized world can bring a […]
2010 will be the beginning of a new world of network and infrastructure security as new IEEE standards change the landscape of threat models for wired, wireless and wide area networks. Learn how to use these features to stop spoofing, eavesdropping and a host of malicious activity. I’ll give you the knowledge and tools to […]
Many new types of malware, particularly targeted attacks against high-value targets, are using a very effective vector: common document formats such as Word, PowerPoint, and PDF. Unlike executables, businesses can’t just block these ubiquitous file types. While there are ways to spot this kind of malware, many antivirus companies are lagging behind with generic detection, […]
Most SQL Injection attack detection methods are heavily dependent on IDS and web server logging which in many scenarios can be easily circumvented. Performing SQL Injection attack detection at the database can overcome current detection limitations. This session will demonstrate techniques and a new incident response tool that uses database caches to confirm or discount […]
SQL Injection has drawn a lot of awareness over the last few years, from the TJX / Heartland Payment Systems compromise to the mass SQL Injection attacks in 2008, which have continued to spill over into 2009. What was termed an ‘old school attack’ has certainly demonstrated the ability to continue to be successful. […]
The session introduces the attendee to how crimeware has become increasingly popular in recent years, the indistinguishable similarities with legitimate business and the dangers the internet community is facing. There will also be a live demonstration of the infamous Mpack (or other similar kit), including a minor exercise encouraging one to identify methods to mitigate […]
When you check into a hotel room, do you see the elegantly understated, calm yet energising modern styling, providing you with the ultimate in traveller comfort, or is it the hotel safe, pay-per-view TV, automated minibar and RFID door lock that gets your attention? Is the ATM in the lobby a convenient place […]
Senior Security Specialist and Web Application Security evangelist with Hewlett-Packard’s Application Security Center (ASC), Rafal Los has more than thirteen years of experience in network and system design, security policy and process design, risk analysis, penetration testing, and consulting. For the past eight years, he has focused on information security and risk management, leading security architecture teams, and managing successful enterprise security programs for General Electric and other Fortune 100 companies, as well as SMB enterprises. Previously, Rafal spent three years in-house with GE Consumer Finance, leading its web application [...]
Tracy Ann Kosa is currently a Privacy Impact Assessment Specialist with the Government of Ontario PIA Centre of Excellence. She has 10 years of privacy experience across Canada working with federal and provincial legislation in the public and private sectors. A regular participant at international programs on privacy, her current research areas include the privacy implications of IDS, geo-locational privacy standards, and creating privacy design requirements. Ms. Kosa has recently decided to undertake a mission others have labeled 'crazy'. Her Mom says she's really proud of her (although she'd be mortified [...]
James Arlen is a member of Salesforce’s security team focused on Public Cloud computing at one of the world’s largest SaaS/PaaS providers. Over the past twenty plus years, James has been delivering information security solutions to Fortune 500, TSE 100, and major public-sector organizations. In both consultant and staff member roles, James led business and technical teams of professionals in short-term projects as well as multi-year organizational change initiatives. James held key contributor roles as CISO or most senior security executive at dozens of international companies across the finance, critical infrastructure, manufacturing, and [...]
Tiffany Strauchs Rad, MA, MBA, JD, is the president of ELCnetworks, LLC., a technology and business development consulting firm with offices in Portland, Maine and Cambridge, Massachusetts. Her consulting projects have included business and tech analysis for startups and security consulting for U.S. government agencies. She is also a part-time adjunct professor in the computer science department at the University of Southern Maine teaching computer law and ethics, information security, and is working to establish a computer crimes clinic at Maine School of Law. Her academic background includes study of [...]
Andrew Nash is Senior Director of Identity Services at PayPal. He is a board member of the OpenID, Information Card and Kantara Foundations. Formerly he was CTO at Sonoa Systems and Reactivity working on XML and Web Services appliances. As Director of Technologies at RSA Security, Andrew worked on a wide range of identity systems. He is a known leader in PKI and Web-Services markets, has co-authored numerous Web Services security specifications and is author of a book on Public Key Infrastructure.
Chris is a 5-time Microsoft MVP, CNET Top 100 Blogger and Director of Malware Research for FaceTime Security Labs. He has made numerous discoveries in security including a Myspace exploit that allowed users to track profile visitors, an imageshack flaw that let you view the IP address of uploaders, the first worm on the Orkut network and the first web browser installed without permission via an Instant Messaging hijack. Chris has talked about security issues at numerous conferences including InfoSec Europe 07 / 09, RSA 07 / 08, the Antispyware [...]
Christofer Hoff is VP of Strategy & Planning at Juniper Networks' Security Business Unit, previously serving as chief security architect, responsible for worldwide security solutions architecture, customer advocacy, and field enablement. He was previously director of cloud & virtualization solutions at Cisco Systems where he focused on virtualization and cloud computing security, spending most of his time interacting with global enterprises and service providers, governments, and the defense and intelligence communities. Prior to Cisco, he was Unisys Corporation's chief security architect, served as Crossbeam Systems' chief security strategist, was the [...]
Ryan has more than 15 years of experience in Information Security. He has worked as a Technical Team Leader, Database Administrator, Windows and UNIX Systems administrator, Network Engineer, Web Application developer, Systems programmer, Information Security Engineer, and is currently a Principal Consultant doing network penetration testing. Ryan has delivered his research about ATM security, network protocol attacks, and penetration testing tactics at numerous conferences, including Black Hat, DefCon, DerbyCon, Shmoocon, and SecTor to name a few. He is also an open source project contributor for projects such as Metasploit, Ettercap, [...]
Nathan Hamiel is a Senior Consultant at Idea Information Security and the leader of the practice's technical security team. He is also an Associate Professor of Software Engineering at the University of Advancing Technology. Nathan founded the Hexagon Security Group and is the sole contributor to the Neohaxor blog. Nathan spends most of his time in the areas of application, Web 2.0, and enterprise security. Nathan was one of the original developers of the FairuzaWRT hacking firmware for the Linksys WRT wireless routers and is currently writing tools focused around [...]
Shawn Moyer is a Managing Principal Research Consultant with Accuvant Labs. Shawn has written on emerging threats and other topics for Information Security Magazine and ZDNet, and his research has been featured in the Washington Post, BusinessWeek, NPR, and the New York Times. Shawn is an eight-time speaker at the BlackHat Briefings, and has been an invited speaker at other notable security conferences in the US, China, Canada, and Japan.
Nicholas Percoco, Senior Vice President and Head of SpiderLabs at Trustwave. With more than 14 years of information security experience, Percoco is the lead security advisor to many of Trustwave's premier clients and assists them in making strategic decisions around security compliance regimes. He leads the SpiderLabs team that has performed more than 1000 computer incident response and forensic investigations globally, run thousands of penetration and application security tests for clients, and conducted security research to improve Trustwave's products. Percoco and his research have been featured by many news organizations [...]
Jibran Ilyas is a Senior Forensic Investigator at Trustwave. He is a member of Trustwave's SpiderLabs - the advanced security team focused on penetration testing, incident response, application security and security research. He has investigated some of the nation's largest data breaches and is a co-author of Trustwave's annual Global Security Reports, which provide data breach statistics and highlight latest hacker techniques. Jibran has presented talks at several global security conferences such as DEFCON, Black Hat, SecTor and SOURCE Barcelona, in the area of Computer Forensics and Cyber Crime. Jibran [...]
Ben Sapiro is the Global CISO of Great West LifeCo and has worked in both InfoSec consulting and operations since he somehow managed to graduate from b-school; he’s even done privacy and compliance work to pay the bills. Other than that, he’s a typical middle-aged Canadian security professional who has worked in several verticals including SaaS, natural resources and telecom. Ben is a contributor to the Liquidmatrix Podcast (whenever we get around to recording it) and used to help with other stuff like BSidesTO until he realized he should not test his wife’s [...]
Michael Smith serves as Akamai’s Security Evangelist and is the customer-facing ambassador from the Information Security Team, helping customers to understand both the internal security program and the unique security features and capabilities of the Akamai product portfolio and cloud-based solutions. Mr Smith fulfils a cross-functional role as a liaison between security, sales, product management, compliance, engineering, professional services, and marketing. Prior to joining Akamai, Mr Smith served as an embedded security engineer, security officer for a managed service provider, and security assessment team lead. He is an adjunct professor [...]
Paul Wouters received his Bachelors degree in Education in 1993. He co-founded an ISP and a security company specialising in IPsec and DNSSEC. For many years, he has been the release manager for Openswan, the Linux IPsec software. He is the co-founder of the first Toronto hacker space, HackLab.TO. He is an active participant and document author with the IETF, and is currently a Senior Software Engineer for the security group at Red Hat where he gets to shoot himself in the foot every day with FIPS and SElinux.
Norm Ritchie is currently the Chief Information Officer of CIRA. He joined CIRA in April 2005. He is an industry veteran with over 25 years of product development and management experience in telecommunications and Internet applications. Norm is responsible for planning, developing and maintaining all of the technology, networking and computer operations in support of CIRA. Before joining CIRA, Norm was Vice President of Development at Momentous Corporation for three years. Momentous Corporation is one of Canada’s largest domain name and hosting companies and home to a number of Internet businesses [...]
Nart Villeneuve is a research fellow at the Citizen Lab, Munk Centre for International Studies, University of Toronto. His research focuses on Internet censorship as well as the evasion tactics used to bypass Internet filtering systems. Nart is also a senior research associate at the Information Warfare Monitor where he studies electronic surveillance and digital attacks.
Jon Rose is a researcher and pentester within Trustwave's SpiderLabs group. Jon has close to a decade of experience performing network and application security assessments, including network penetration testing, blackbox application testing, and code reviews across a wide range of programming languages and technologies. Jon has also led IT policy, standards, and guideline projects, as well as providing IT security remediation support for commercial and government clients. His security expertise also includes creating enterprise security programs, providing guidance in an enterprise security architect role, and building security into organizations' existing [...]
Nick Owen is a co-founder and CEO of WiKID Systems, Inc. WiKID has created a unique dual-source two-factor authentication system that uses public-key cryptography instead of the typical shared secrets found in most systems. WiKID is Nick's fourth startup. Nick was also an Entrepreneur-in-residence at the Advanced Technology Development Center in Atlanta. He is a graduate of the University of Virginia with an MBA from the University of Georgia. Nick helped design and architect WiKID's two-factor authentication system and mutual HTTPS authentication system. Nick is the author of most of WiKID's [...]
Andrés Riancho is an application security expert who currently leads the community-driven, open source w3af project and provides in-depth Web Application Penetration Testing services to companies around the world. In the research field, he discovered critical vulnerabilities in IPS appliances from 3com and ISS, contributed to SAP research performed at one of his former employers and reported vulnerabilities in hundreds of web applications. His main focus has always been the Web Application Security field, in which he developed w3af, a Web Application Attack and Audit Framework used extensively by [...]
Chief Information Security Officer, Nuix
Chris Pogue is the Chief Information Security Officer, Nuix, and a member of the US Secret Service Electronic Crimes Task Force. Chris is responsible for the company’s security services organization; he oversees critical investigations and contracts, and key markets throughout the United States. His team focuses on incident response, breach preparedness, penetration testing, and malware reverse engineering. Over his career, Chris has led multiple professional security services organizations and corporate security initiatives to investigate thousands of security breaches worldwide. His extensive experience is drawn from careers as a cybercrimes investigator, [...]
Jay Graver is a Lead Engineer at nCircle Network Security. For the past 5 years he has worked with the Vulnerability and Exposure Research Team, specializing in interrogating applications and services over the network. He has years of experience creating non-invasive detection of vulnerabilities. Jay is a member of the OVAL Board and works with industry initiatives such as CIS and CPE. Current areas of research include regulatory compliance, SSL library fingerprinting, virtualization and unobfuscation techniques. Based in Toronto, Ontario, he holds a BSc(Eng) Computer Engineering degree from the [...]
Mike Zusman is a Principal Consultant with the Intrepidus Group. Prior to joining Intrepidus Group, Mike held the positions of Escalation Engineer at Whale Communications (a Microsoft subsidiary), Security Program Manager at Automatic Data Processing, and lead architect and developer at a number of smaller firms. In addition to his corporate experience, Mike is an independent security researcher, and has responsibly disclosed a number of critical vulnerabilities to commercial software vendors. He has spoken at a number of top industry events including CanSecWest, Defcon, Black Hat and regional OWASP events. [...]
Tyler Reguly is a Manager of Security Research with Tripwire, and a key member of VERT (Vulnerability and Exposure Research Team), where he focuses on web application security and vulnerability detection. Tyler is involved in industry initiatives such as CVSS-SIG, and has spoken at many security events, including RSA and SecTor. Additionally, he has contributed to the Computer Systems Technology curriculum at Fanshawe College in London, Ontario by developing and teaching several security related courses. Tyler is frequently quoted by security industry press and is a prolific blogger.
Robert Hansen, CISSP (CEO and founder of SecTheory), has worked for Digital Island, Exodus Communications and Cable & Wireless in varying roles, from Sr. Security Architect to eventually product managing many of the managed security services product lines. He also worked at eBay as a Sr. Global Product Manager of Trust and Safety, focusing on anti-phishing, anti-DHTML malware and anti-virus strategies. Later he worked as a director of product management for Realtor.com. Robert sits on the advisory board for the Intrepidus Group, authors content on O'Reilly, and co-authored "XSS Exploits" by [...]
Jennifer Jabbusch is a network security engineer and consultant with Carolina Advanced Digital, Inc. Jennifer has over 15 years' experience working in various areas of the technology industry. Most recently, Ms. Jabbusch has focused on specialized areas of infrastructure security, including Network Access Control, 802.1X and Wireless Security technologies. In addition to being a CISSP, Jennifer holds several vendor-specific certifications such as HP Master ASE in Networking, Security & Mobility and Juniper JNCIA for Access Control. Her technical expertise with multiple vendor technologies gives her unique insight into the industry. [...]
Seth Hardy is a Senior Security Analyst at the Citizen Lab, Munk School of Global Affairs, University of Toronto. Prior to the Citizen Lab, he worked for a large anti-virus vendor. Seth has worked extensively on analysis of document-based malware and AV evasion methods. His other areas of experience include provably secure cryptography, random number generators, and network vulnerability research. Seth has spoken at a number of security conferences including Black Hat, DEF CON, SecTor, and the CCC. He holds degrees from Worcester Polytechnic Institute in Mathematics and Computer Science.
Kevvie Fowler is a partner in KPMG Canada's forensic practice and is an information security and data analytics specialist. As author of SQL Server Forensic Analysis and contributing author to several security and forensics books Kevvie is a recognized advisor who supports organizations across Canada and abroad. Kevvie also teaches database forensics to law enforcement agencies across North America and sits on the SANS GIAC Advisory Board where he guides the direction of emerging security and forensics research. Prior to joining KPMG, Kevvie Fowler managed his own professional services company [...]
Jerry Mangiarelli is an IT Security Specialist with TD Bank Financial Group. Jerry Mangiarelli has spent the last 9 years assessing and researching web applications, and he continues to share with the security community by presenting his research at many seminars and conferences, such as EC-Council and Federation of Security Professionals. Prior to joining TD, Jerry worked for a trading partner to the military where he performed risk assessments and static code analysis.
Research & Development, eSentire Inc.
Roy Firestein started his career as an independent infosec consultant and penetration tester, dabbling in malware analysis and forensic investigations. Over the years, he built many offensive and defensive security products for his employers, such as Cymon.io. His passions lie in entrepreneurship, AI, big-data and finding novel solutions to technical security problems using modern tools and techniques. Roy is currently leading the Research & Development efforts at eSentire Inc.
Adam Laurie, aka Major Malfunction, is a freelance security consultant working in the field of electronic communications. He started in the computer industry in the late Seventies, working as a computer programmer on PDP-8 and other mini computers, and then on various Unix, DOS and CP/M based micro computers as they emerged in the Eighties. He quickly became interested in the underlying network and data protocols, and moved his attention to those areas and away from programming, starting a data conversion company which rapidly grew to become Europe's largest [...]