Two weeks ago Tayfun and I attended the NorthSec Conference in Montreal.
Conference talks covered pentesting, network security, software and/or hardware exploitation, web hacking, reverse engineering, malware, and cryptography.
Eva Galperin, Director of Cybersecurity at Electronic Frontier Foundation gave the opening keynote. She highlighted the shady nature of surveillance software and why antivirus doesn’t traditionally flag it as malicious. Fortunately the antivirus companies at the top of our ranking list do mark this software as malicious.
On our DIY CISO page we touch on the legality and the need to hire a lawyer. Overall, with PIPEDA, Ontario privacy act, and “Intrusion upon seclusion”; our privacy is well protected against surveillance software. Even employers are not legally allowed to put surveillance software on work computers.
Matt Mitchell, Director of Digital Safety & Privacy at Tactical Tech spoke about governments that pass laws to cripple or restrict their citizens’ internet freedoms. Often censorship isn’t apparent to the masses until it’s too late - he covered some clever techniques like throttling websites until they are unusable and removing results from search engines.
Elissa Shevinsky, CEO of Faster Than Light discussed companies’ ethical obligation to ship secure software. Businesses traditionally don’t to ship secure code because they want to be first to market. Even in 2019 tech giants like Facebook and Google store passwords insecurely so one can only imagine what smaller organizations with fewer resources are doing with them. Virtually all other industries are required to warranty their product but only some software allows you to purchase support.
Émilio Gonzalez and Francis Labelle showcased their PyRDP open source honeypot project focused on RDP. Though they appear to have just started their careers in infosec, they are already contributing significantly. LARG*net recently tried out this honeypot and had similar results but unfortunately not many attackers are targeting RDP at the moment. It was great to hear from the authors of a project we’ve used.
Kelly Villanueva, a consultant with SpecterOps, explained the hacking narrative with regards to social engineering and exploiting first impressions by wearing different clothes. If you wear jeans and t-shirt you look like an intern but if you wear a nice dress, lipstick, and heels you look more like a lawyer.
Kristin Del Rosso, Lookout’s Security Intelligence Engineer, covered some geopolitical implications of cyber surveillance when used to track political activists. The Iran government for example has a security team that actively uses red-team techniques to attack their people.
Laurent Desaulniers, a pentest team lead, outlined his list of bad ideas that should never be attempted during a pentest or really ever. Some highlights from the list included faking natural gas leaks by simply buying the substance used to cause the smell and using glassbreak devices to trigger security systems. These are bad ideas because they engage emergency services and needlessly waste their time, not to mention the potential for fines. The talk was quite funny.
Mathieu Saulnier, a Senior Security Architect at Bell Canada, gave a deep dive on the MITRE ATT&CK framework. The site is a veritable attack encyclopedia. It includes definitions of different types of attacks, detection and mitigation techniques, and lists the APT (advanced persistent threat) groups known to use the attack. It’s a great resource and I highly recommend everyone check it out!
Paul Rascagnères and Warren Mercer are both security researchers at Cisco Talos who spoke about DNSespionage. This campaign mainly targets the Middle East. What’s interesting is that the threat hasn’t disappeared despite Cisco’s fantastic mitigation work. The typical reaction of bad actors when caught is to just stop the attack but DNSespionage hasn’t slowed down at all.
Yamila Vanesa Levalle, a security researcher at ElevenPaths, spoke about her Cisco Meeting Server zero-day exploit. Her code is not only able to enumerate ongoing meetings, but can also connect to those meetings because of the ease at which their passwords are brute forced.
This conference was fantastic, it had such a great selection of speakers that it made choosing which talks to attend extra difficult. I highly recommend going to this conference next year.. just make sure your personal devices aren’t actively transmitting if you do!