Countermeasure|2012 General Info Registration Program Call for Papers Presentations Speakers Training Location Sponsors News

0-60 in 60 Minutes - An Approach to iOS Application Assessments

Nishchal Bhalla & Subu Ramanathan
Founder & Security Consultant, Security Compass

This talk will introduce the audience to the nuts and bolts of iOS hacking. We will demonstrate an iOS application we built for the purpose of teaching students mobile penetration testing. This application will be used to demonstrate hunting for goodies in stored files and device logs, intercepting traffic, performing client analysis, and breaking poor mobile cryptography. We will also briefly look at some defensive coding techniques to protect against the weaknesses we exploit.

This talk is for hackers who haven't done any mobile pentesting before. We want you to come out of it with the tools and techniques needed to break your first iOS application.


Analysis and Demonstration of a Cisco Call Manager 0-day

Hugh Ellis & Andrey Markov
Director of Security Research & Director of Professional Services, VoIPshield Systems

Accelerated deployment of IP Telephony (IPT) applications by enterprises and government organizations brings significant financial and technological benefits. At the same time implementation of security for these deployments is lagging behind progress made by applications and infrastructure. In this presentation we will review most common security attacks against IPT and provide a detailed example of a remote exploit that enables the attacker full control of targeted IPT network.


Advanced Persistent Response

Peleus Uhley
Platform Security Strategist, Adobe Systems, Inc.

The past few years have been interesting for the Flash Player team to say the least. With a change in the threat landscape, multiple zero-day attacks and increasing scrutiny from the security community and the public, we have had to rapidly scale our security efforts to adjust to the new challenges. In the process, we have been provided with a unique insight into the targets and methodologies of malicious hackers. This presentation will discuss the different types of attacks we have seen, our analysis of what the attacks say about the threat landscape, and how the technical analysis influenced our application security strategy. We will also share the lessons that we've learned in the process of responding to these threats.


Advanced Persistent Threat - Intelligence Brief

Ryan Kazanciyan
Principal Consultant, Mandiant

Ryan Kazanciyan will provide a briefing on the latest intelligence regarding the Advanced Persistent Threat (APT). This briefing will be based on hundreds of advanced threat investigations conducted over the past year and highlights how advanced and motivated attackers are stealing sensitive intellectual property and financial assets from victim organizations. This straight from the front lines presentation provides case studies detailing the most recent computer security incidents Mandiant has responded to. Kris will share key statistics related to attacker activities, discuss the top trends witnessed during investigations, and wrap-up with approaches organizations can take to improve the way they detect, respond to, and contain complex breaches. The content of the briefing will be applicable to both strategic decision makers and personnel actively responding to targeted intrusions.


Building Threat Intelligence

Nart Villeneuve
Senior Threat Researcher, Trend Micro Canada

In this presentation Nart Villeneuve will examine targeted malware attacks from the reconnaissance phase through to the data ex-filtration phase. He will demonstrate how such attacks are not isolated incidents but are actually "campaigns" – a series of failed and successful intrusions – that can be linked and tracked over time. Through careful monitoring it is possible to get an inside glimpse of the attackers command and control infrastructure revealing the scope of the operation. This presentation draws from in-depth investigations of four cyber espionage networks (GhostNet, ShadowNet, LURID and LuckyCat) and focuses on building threat intelligence by developing indicators that can be used to identify the tools, tactics, and procedures used in targeted attacks.


DNS Sinkhole – Active Detection and Blocking of Known Malicious Domains

Guy Bruneau
Senior Security Consultant, ipss inc.

Do you know if your organization is infected with Advanced Persistent Threat (APT)? Are you constantly dealing with malware that force a client to download suspicious files you want blocked? It is common for bots to use evading techniques such as fast flux to avoid being blocked by constantly changing their IP(s). However, a website or a domain name is often hard coded in malware to permit the client to download updates or upload the data it collects. This is where a DNS sinkhole can be used to find these hosts and control access where they go. This DNS Sinkhole overview can be used to expand detection and prevention in your network.


Doubt, Deceit, Deficiency & Decency - A Decade of Disillusionment

James Arlen
Principal, Push the Stack Consulting & Co-Founder, OpenCERT Canada

Waking up with the sudden and shocking realization that I cannot escape the feeling that I have wasted a decade of my life. I am an infosec professional and I've been doing the best job that I can. Except nothing works right. Have I really wasted a decade? Can I prove myself wrong? Through a mixture of news stories, teachable moments, hard-won experience and perhaps an interpretive dance – you will be taken on a journey of maturity and self-discovery — an examination and ultimately a determination on one information security professional's decade of trying to make a difference. (NOTE: Due to union regulations there shall be no interpretive dance.) (NOTE 2: This is technically a cyber-finance and cyber-critical cyber-infrastructure talk, you can totally claim the CPEs for it.)


Emerging Threats in a World of Emerging Architectures - Panel Discussion


Andrew Hay
Chief Evangelist, CloudPassage, Inc.


Dave Aitel,
Founder and CEO, Immunity Inc.

Luc Beaudoin
Chief of Cyber Operations, Canadian Cyber Incident Response Centre (CCIRC) – Public Safety Canada

Dan Guido,
Co-Founder and CEO, Trail of Bits

Mischel Kwon
President & CEO, Mischel Kwon and Associates, LLC

Barton McKinley
Enterprise Security Architect, Consultant

The architectures upon which our businesses operate is constantly evolving. Cloud and mobile platforms have eroded the traditional perimeters of our business and BYOD and third party managed services have introduced entirely new security challenges with which to contend. This panel of international security experts, policy makers and researchers will explore the constantly changing architectures and offer insights into future-proofing your organization to contend with the next generation of security challenges.


Follow the Money - Organized Crime and Money Laundering on the Internet

Robert Beggs
President, Digital Defence

To date, most assessments of cybercrime by criminal organizations (more than 3 people working together) have focused on the technical aspects of detecting and responding to attacks such as phishing, theft of identity and intellectual property, and use of malicious software that is designed to stay for long periods on compromised systems. As a result, IT staff and investigators have focused on the technical means of prevention and response to attacks. This talk will take a different approach, focusing on the motive, and treating organized cybercrime as a business. Using a "value chain" perspective to identify the inputs and outputs required to enable crimes, we're going to follow the money.

Using case studies, especially ones involving Canadian organizations, we will answer the questions: What criminal organizations are involved in online crimes? How does an attack, or placement of an APT, generate revenue for organized crime? Finally, how is money laundered online? By understanding the answers to these questions, we can reduce or remove the financial motivation for attacks.


Impeding Automated Malware Analysis

Paul Royal
Research Scientist, Georgia Tech Information Security Center

Malware, as the centerpiece of threats to the Internet, has increased exponentially. To handle the large volume of malware samples collected each day, numerous automated malware analysis techniques have been developed. In response, malware authors have made analysis environment detections increasingly popular and commoditized. In turn, security practitioners have created systems that make an analysis environment appear like a normal system (e.g., baremetal malware analysis). Thus far, neither side has claimed a definitive advantage.

In this presentation, I demonstrate techniques that, if widely adopted by the criminal underground, would permanently disadvantage automated malware analysis by making it ineffective and unscalable. To do so, I turn the problem of analysis environment detection on its head. That is, instead of trying to design techniques that detect specific analysis environments, I propose malware that will fail to execute correctly on any environment other than the one originally infected.

To achieve this goal, I developed two obfuscation techniques that make the successful execution of a malware sample dependent on the unique properties of the original infected host. To reinforce the potential for malware authors to leverage this type of analysis resistance, I discuss the Flashback botnet's use of a similar technique to prevent the automated analysis of its samples.


Mapping and Evolution of Android Permissions

Zach Lanier & Andrew Reiter
Security Researchers, Veracode

The Android Open Source Project provides a software stack for mobile devices. The provided API enforces restrictions on specific operations a process is allowed to perform through a permissions mechanism. Due to the fine-grained nature of the model (and lack of a map), it is non-obvious which calls require which permission(s) for an API of over 2400 classes. Also, due to the on-going development of the AOSP and API, these required permissions have changed. Both of these provide headaches for application security testers and application developers. We first discuss our methodology for building an Android API permission map, including active and passive discovery tools. We then present the evolution of the map as the Android API has transformed through releases. This work is significant because of the need for an understanding of the API permission requirements in application security testing and the current lack of clarity in this ever-growing environment. Finally, we will discuss our research findings around underlying permissions enforcements/checks in Android, and the associated security implications of changes in permissions over time.


Secure Code Review - OWASP TOP 10

Sherif Koussa
Founder and Principal Consultant, Software Secured

Secure Code Review is the best approach to uncover the largest number of security flaws in addition to the most stealth and hard to uncover security vulnerabilities. During this session, you will learn how to perform security code review and uncover vulnerabilities such as OWASP Top 10: Cross-site Scripting, SQL Injection, Access Control and much more in early stages of development. You will use a real life application "SecureTickers" pulled from SourceForge. You will get an introduction to Static Code Analysis tools and how you can extend PMD (, the open source static code analysis tool, to catch security flaws like OWASP Top 10. Expect lots of code, tools, hacking and fun! (Please note that the exercises will be mainly in Java.)


Security Awareness for Social Media in Business

Scott Wright
President, Security Perspectives Inc.

Blocking access to Facebook and Twitter at the firewall does not solve the social media security problem. As safeguards become more capable, attackers are increasingly turning to the weakest link in our business systems – the employees' lack of awareness. Social media sites such as Facebook, LinkedIn and Twitter are making life easier for attackers seeking to leverage our employees' poor risk decisions. In this session, Scott Wright, of the Social Media Security Podcast, will highlight the major threats that target human actions in social media sites, and the important risk decisions employees need to be aware of to keep their employers' information safe. Topics will range from tip-offs that you might be the subject of an attack, to how the information you post to websites and apps can put sensitive information at risk – at home, in the office and on the road.


Strategic Application Security Programs in the Enterprise

Shyama Rose
Director of Software Security Engineering, CBS

It is not news that threats in the application security landscape are changing rapidly. The security focus in the enterprise is evolving along with it. But secure development methodologies haven't kept up. Large enterprises with rapidly evolving development practices often pay little to no attention to security at all. And when they do, they find that standardized frameworks are antiquated, processes are too heavy handed, and do not fit the enterprise. So they create light-touch, ineffective programs so as not to overload the business. This presentation fills the gap between over-burdensome antiquated and light-touch ineffective programs by showing how to effectively design and apply strategic programs for complex organizations.


The Challenges of the Kill Chain

Mischel Kwon
President & CEO, Mischel Kwon and Associates, LLC

To date we spend most of our Security Operations dollars and time on managing the alerts. The game of "wacka mole" is not working. Understanding the implications of each one of the alerts has been nearly impossible – whether due to lack of data – too much data – or a lack of understanding of how the data fits together. This session will discuss basic patterns of attacks; kill chains and new models for understanding not just the alert, but also the entire attack. This discussion will cover the intelligence sources, tools, and technologies available to move away from the alert and onto the entire attack.


Using and Extending Vega in Security Testing Web Applications

David Mirza Ahmad
President, Subgraph

Vega is an open source web security testing platform written in Java and developed by Montreal-based Subgraph. Vega runs on Linux, OS X, and Windows, and includes a vulnerability scanner and intercepting proxy. Vega was released in 2011, making it a relative newcomer in the space. I'll be demonstrating how it can be used to find vulnerabilities such as cross-site scripting and SQL injection in a wide variety of applications. I'll also talk about extending Vega with the built-in Javascript interpreter. Finally, some new features will be revealed as Vega heads to its 1.0 release.


Victim of a Cyber-attack? What Your Organization May Do and What Resources May Be Available

Luc Beaudoin
Chief of Cyber Operations, Canadian Cyber Incident Response Centre (CCIRC) - Public Safety Canada

Many Canadian organizations are the victim of recurring cyber security incidents. Whether it belongs to a large multi-national, or a small municipality, networks are constantly submitted to cyber attacks. Various actions may be taken in response to these incidents with multiple types of resources available. This presentation introduces the Canadian Cyber Incident Response Centre (CCIRC) and its role as a national CSIRT and federal lead in the event of a national cyber emergency. Through this presentation an overview of mitigation strategies organizations may consider in response to a cyber-incident will be discussed along with the various information sharing, risk assessment and resourcing challenges associated with cyber-incident response.


More Abstracts Coming Soon