SEPTEMBER 20, 2018

Registration is closed - thank you to everyone who attended!

BSides St. John's, Canada's longest consecutive-running BSides event, is back again for another exciting day of security talks and networking. In addition to the schedule below, we will once again be hosting a Capture The Flag challenge during the after-party. This year's CTF focus will be OSINT, so get your investigator hats on!

SCHEDULE

SPEAKERS FOR 2019

Name: Alex Argeris – Cisco

Title: The Good and the Bad of Cryptocurrency

Abstract:

Cryptocurrency has been for a long time associated with criminality and underground community in general. Let’s take a step back to see if it’s still the case. We will look at how you can mine and spend your bitcoins on both side of the legality line. Also you will learn how to play with cryptojacking and how to protect against these new type of attacks.

Name: Algis Kibirkstis – EthiSecure Services inc.

Title: Fallacy Identifiation for the Information Security Professional or How to Save the Day

Abstract:

Organizations no longer have to be convinced that security and privacy are critical business concerns. Yet information security professionals continue to be challenged, at all organizational levels, to justify technological and administrative improvements – challenged by management, engineers, architects, technicians, developers, auditors and even their own peers. We infosec professionals see this coming, so we do our homework, and we always come prepared for genuine and reasonable counterarguments to the strategies and tactics we propose. But how to deal with that individual in the back of the room of a review meeting, that person that has that remarkable ability to completely derail discussions with unsound comments that suck the air right out of the room, leaving everyone else speechless? This tongue-in-cheek presentation will present examples of fallacies used in arguments, describe means of identifying these, and propose ways to steer clear and move forward with your initiatives.

Name: Jared Perry – Patrol

Title: Automating All Security Things With Serverless

Abstract:

Is it an oxymoron or your next tool for security automation? Serverless promises to remove the shackles of infrastructure and focus on application code. If you have 1 billion email messages that need processing for malware or maybe need to exfiltrate 10gb of data during a pentest, Serverless could be the answer. Let’s explore what exactly Serverless is and what it can bring to security automation.

Name: Tyler Parrott – Communications Security Establishment

Title: CSE’s AssemblyLine and the Canadian Centre for Cyber Security

Abstract:

The Communications Security Establishment (CSE), Canada’s national cryptologic agency and a leading expert in cyber security, believes in fostering collaboration and innovation. Learn how those beliefs will be applied to the recently announced Canadian Centre for Cyber Security (CCCS) and gain some insight into its implementation

Name: Brian Contos

Title: Left of Boom

Abstract:

The term “Left of Boom” was made popular in 2007 in reference to the U.S. military combating improvised explosive devices (IEDs) used by insurgents in Afghanistan and Iraq. The U.S. military spent billions of dollars developing technology and tactics to prevent and detect IEDs before detonation, with a goal of disrupting the bomb chain. This is an analog to cybersecurity as we strive to increase the incident prevention capabilities of our security tools and where we can’t prevent attacks, augment prevention with incident detection and response tools.

Name: Hugo Porcher – ESET

Title: The Dark Side of ForSSHe

Abstract:

In February 2014, ESET researchers from Montreal published a report on a group who compromised more than 40,000 Linux servers worldwide since 2011.

ESET named this campaign Windigo. At the centre of this operation, Ebury, an OpenSSH backdoor which allowed the attackers to remotely take control of compromised servers as well as stealing login credentials (passwords, keys) which were then used to connect to other servers.

This simple yet effective method allowed them to extend their network of compromised servers.

Before the installation of the Ebury backdoor, we discovered that operators collects a handful of information on the newly compromised machine.

Amongst the information gathered, they try to detect the presence of other OpenSSH backdoors potentially installed on the system.

To accomplish this, they wrote a script which search for text or binary patterns in the OpenSSH client and daemon. It includes signatures for more than 40 different backdoors and trigger alerts if the files may be compromised but isn’t covered by a signature. I will show how the script evolved across the years.

As most of those backdoors were unknown to us, we went hunting for them.

In 3 years, we were able to collect hundreds of samples matching the different rules we created base on the signatures. I will present the outcome of the analysis of these samples.

I will take a look at the diverse backdoors we dealt with: both clients and daemons, from off-the-shelves malware to more advanced ones.

From that set of malware samples, we were able to identify patterns and regroup common characteristics across all of them.

Most of the backdoors implemented additional features than just a simple hardcoded password. I will show how they evade logging functionalities of the program, override permissions, etc. Some of them used obfuscation techniques to make analysis harder.

Alongside these capabilities, different methods of data exfiltration were also used.

I will dig into four undocumented families we isolated and identified and talk about the different features they sport.

There will be a variety of techniques discussed as some of these malware went to great lengths to remove their traces from systems, remain under the radar using encryption and custom communication protocol. Infrastructure of some families have been running for years.

To gather more data about the different families we discovered, we have set up a honeypot for their operators to play with. I will detail the custom honeypot infrastructure put in place.

I will show how the attackers operate on a compromised machine and how they deploy their backdoor.

This include the checks they make before deploying their malware, how they install it and the lateral movements we have observed so far.

I will briefly talk about the new backdoor samples we were able to obtain.

Finally, I will sum up what we have learned from this research and give some pointers on preventing this kind of threats. I will see the different prerequisites that operators need in order to install their backdoor and how one can block their attempts.

I will show how to ensure the legitimacy of the OpenSSH daemons and clients and how to detect these backdoors.

Name: Michael Burton

Title: What Not to Do for Your Game’s Security Systems

Abstract:

It is a brief and (hopefully) humorous survey of some of the more visible security issues that have arisen over the last couple of decades in the field of game development. I will discuss the client- versus server-side simulation decisions made by (the original) Duke Nukem 3D and The Division, the spoofing of servers in MMOs such as World of Warcraft, and the evolution of DRM as it applies to both local and networked gaming and its implications for security. I may include other incidents if time allows

Name: Lilly Chalupowski – Go Secure

Title: The Chrome Crusader

Abstract:

Crusade into the wild world of malicious browser extensions. You will learn how to do keylogging, cookie stealing, credential harvesting and building a C&C server allowing you to execute arbitrary JavaScript remotely of your choosing. We will also be talking about CORS (Cross-Site Resource Sharing) and some interesting quirks with the browser extension environment. If you are a front-end developer and you want to dive into malicious code this would be the best way to start learning.

Name: Jon Green – Aruba/HPE

Title: Machine Learning Will Solve All of Our Security Problems

Abstract:

Attend any security conference these days and you’ll see an exhibit floor full of information security vendors claiming machine learning (ML) and artificial intelligence (AI). Is this a silver bullet, snake oil, or something in between? We’ll look at different definitions of ML and AI, see how they can solve security problems, and give you tools to cut through the hype.