2022 Horaire | 10 Septembre | Bibliothèque et Archives nationales du Québec

9:00AM – 9:05AM | Mot d’ouverture

 

9:05AM – 9:30AM | Brian Contos

Spies, Saboteurs & Scoundrels: How Russia, China & Nefarious Actors Are Hacking IoT, OT & Network Devices

 

9:30AM – 9:55AM | François Proulx & Zaid Al Hamami

2021 – The Year Of Supply Chain Breaches

 

9:55AM – 10:20AM | Thibaut Passilly & Vladislav Hrčka

SparklingElf, New Supplies To SparklingGoblin’s Linux Malware Arsenal

 

10:20AM – 10:45AM | Matt Richardson

Full Spectrum Investigations – From Darkweb To Clearweb

 

10:45AM – 11:00AM | Pause café

 

11:00AM – 11:25AM | Caitlyn Jenkins

Money Laundering Goes Virtual: Policy Implications Of The Proliferation In The Illicit Use Of Cryptocurrency

 

11:25AM – 11:50AM | Andréanne Bergeron

You Are Your Password: Understanding How Your Network And Interests Influences Your Password’S Creation Strategies

 

11:50AM – 12:15PM | Ariane Ohl-Berthiaume

Loi 25: Quoi faire maintenant?

 

12:15PM – 1:15PM | Diner

 

1:15PM – 1:40PM | Marie-Pier Villeneuve-Dubuc & Mélina Girard

Does your Social Capital Can Protect You from Detection or Banishment? The Study of Risk Management in a Hacking Forum

 

1:40PM – 2:05PM | Alexandre Côté Cyr

Clustering Malware Activity: How We Do Attribution

 

2:05PM – 2:30PM | Mangatas Tondang & Avneet Singh

Lesson Learned From Detection Engineering

 

2:30PM – 2:55PM | Mackenzie Jackson

Gaining Inital Access By Exploiting Leaked Secrets

 

2:55PM – 3:10PM | Pause café

 

3:10PM – 3:35PM | Caprico

Container Crisis 3: More Containers More Problems

 

3:35PM – 4:00PM | Magno Logan

Github Actions: Protecting Your Ci From Attackers

 

4:00PM – 4:25PM | Colin Estep

Gray Cover: The Dangers Of Cloudshells

 

4:25PM – 4:50PM | Stephanie Tran & Sharan Khela

Cybersecure Towns & Cities: Making Municipal Critical Infrastructure Cyber Resilient

 

4:50PM – 4:55PM | Mot de clôture

 

4:55PM – 8:00PM | Cocktail

2022 Horaire ― Programme détaillé

alexandre_cote

Alexandre Côté Cyr

Clustering Malware Activity: How We Do Attribution

Attributing a new campaign or malware to a known group is not an exact science. The skills it requires and the considerations surrounding it aren’t given nearly as much importance as the technical aspects of malware analysis in training and discussions. Yet, it is often the part that will garner the most attention from journalists and the general public. Proper attribution can add great value to a report; helping organizations relate new activity to their threat model and providing researchers and law enforcement with the means to link clusters of activity. When done wrong, however, it can undermine the credibility of the field and generate undue alarm. Since researchers base their attribution on available material, incorrect links can lead future efforts astray and create lasting confusion. In this presentation, we will first explain how we do attribution using technical artifacts — such as code similarity –, infrastructure, TTPs, and socio-political factors like victimology. We will use concrete examples from previous research to illustrate how these indicators can be used, or misused, to cluster activity. We will discuss the relative merits and reliability of these indicators along with how they can be combined to arrive at a more accurate conclusion. Then, we’ll cover the pitfalls associated with each of them, with examples of how we can get it wrong. This part of the presentation will also bring up other obstacles encountered when doing attribution including the varying definitions of certain groups between various researchers, along with tool sharing and so-called “umbrella groups” that encapsulate multiple sub-groups. The presentation will conclude with a discussion of the value of attribution in threat reports and the importance of documenting the reasons and confidence level associated with such claims. We will briefly touch on the larger ethical, social, and political considerations that surround this issue to encourage researchers to be rigorous when attributing threats and evaluating claims from external reporting.

Bio

Alexandre Côté Cyr is a malware researcher at ESET in Montreal with a focus on APTs. He also contributes to WeLiveSecurity where he has written about TA410 and Mustang Panda. He completed his Bachelor’s degree in computer science at UQAM in 2021. Alexandre has previously presented at Botconf and CARO Workshop. He is an active member of Montreal’s Infosec community and is involved in mentoring students getting started in the security field. His interests include operating systems fundamentals and writing shell scripts to automate tasks that don’t always need to be automated.

Alexandre Côté Cyr est chercheur en logiciel malveillant chez ESET à Montréal où il travaille principalement sur les APTs. Il contribue aussi à WeLiveSecurity où il a écrit à propos de TA410 et Mustang Panda. Alexandre a terminé son baccalauréat en informatique à l’UQAM en 2021. Il a précédemment présenté à Botconf et CARO. Il est un membre actif de la communauté Infosec de Montréal and s’implique à mentorer des étudiant.e.s qui débutent dans le domaine de la sécurité informatique. Il s’intéresse aux principes des systèmes d’exploitation et aime écrire des scripts shell pour automatiser toute sorte de tâches (qui n’ont pas nécessairement besoin d’être automatisées).

andreanne-bergeron

Andréanne Bergeron

You are your password: Understanding how your network and interests influences your password’s creation strategies

Using authentication to secure data and accounts has grown to be a natural part of using computers. Even if several authentication methods are in existence, using passwords remains the most common type of authentication. People usually have a multitude of different passwords and when they create their passwords, they often use a strategy to make the password easy to remember (Pfleeger, et al., 2015; Stobert & Biddle, 2014; Ur, et al., 2015). This study aims to develop a model that outlines a taxonomy of password creation strategies according to the different type of social network of people. Password creation strategy refers to active approaches that can be used by a password creator to create memorable passwords (Zviran & Haga, 1990; Ur, et al., 2015). Two databases with actual passwords that have been leaked to the internet were used: One of the databases is from a non-delinquent social network and the other is from a hacker forum. Both were compared to observe the difference between the network of delinquent versus the network of non-delinquent network of users. Results show that there is a difference between the networks concerning password creation strategies. Users of the same network present a taxonomy of different behaviors but are more similar to each other when compared to the other network. Individuals who share the same social interests seem to be more likely to use the same password creation strategies. It can be hypothesized that there is an informal share of password strategies between people of a same network. From a network analysis perspective, the results make sense as individual who are similar (sharing the same interest) are also similar on other aspects (password creation strategies). Those results can be used to deepen the understanding of password types and password behavior and to understand better the networks of internet users.

Bio

Andréanne Bergeron is a cybersecurity researcher at GoSecure. She currently works on passwords creation strategies and how they are impacted by the social network of users. She is also a Ph.D. candidate at the School of Criminology of the Université de Montréal and recipient of the prestigious Vanier scholarship. Her thesis focuses on the dynamic interactions during police interrogation of online sex offenders. She explores and explains the cooperation and power relationships between police officers and suspects. She also specialized in other types of cybercrime like drug flows on the darkweb as she worked as the coordinator of the Darkweb and Anonymity Research Center. Andréanne helped organize regional and international conferences as the president of the annual Workshop on Research on Police Investigations (CREP) and as a member of the organizing comity for The Society and Criminal Psychology annual conference and for the Open-Source Analysis and Development Research Group (GARDESO).

ariane_ohl-berthiaume

Ariane Ohl-Berthiaume

Loi 25: Quoi faire maintenant?

La Loi 25 (anciennement connu sous le nom projet de loi 64) et sa réforme des dispositions législatives en matière de protection des renseignements personnels est un sujet d’actualité très populaire ces derniers temps, et avec raison! En effet, la Loi 25 s’appliquera à toutes les entreprises québécoises qui traitent des renseignements personnels ainsi qu’au secteur public. D’ailleurs, elle prévoit plusieurs nouvelles obligations à respecter, tant pour le secteur privé que public. La Loi 25 entrera en vigueur de manière progressive, soit en trois temps. Bien que la majorité des nouvelles obligations entreront en vigueur en septembre 2023, les premières nouvelles obligations entreront en vigueur dès le 22 septembre de cette année. Parmi les nouvelles obligations, pensons seulement à la nomination d’une personne responsable de la protection des renseignements personnels, le signalement d’incidents de confidentialité, la mise à jour des politiques et des pratiques de votre entreprise en matière de protection des renseignements personnels, le principe de transparence et à la réalisation d’évaluation de facteurs relatifs à la vie privée qui sont tous des exemples d’obligations qui nécessiteront sans doute un investissement important en temps et en ressources au sein de votre organisation. Plusieurs personnes se posent donc les questions suivantes: par où commencer et à quoi s’attendre? Cette présentation a pour objectif de présenter les nouvelles obligations de la Loi 25 applicables au secteur privé. Elle mettra également en lumière des conseils pratiques et des pistes de réflexion utiles à considérer dès maintenant en lien avec les nouvelles obligations en matière de protection des renseignements personnels que votre organisation devra respecter dans les prochains mois et les prochaines années. Enfin, en raison des sanctions importantes prévues à la Loi 25 pour les entreprises non conformes, il vaut mieux se mettre au travail dès maintenant!

Bio

Passionnée par la cybersécurité, la protection des renseignements personnels, le droit à la vie privée et par le droit des technologies de l’information, Ariane Ohl-Berthiaume s’est jointe à l’équipe de Mondata à titre de première avocate à l’interne en janvier 2021. Elle est donc en charge de toutes les questions juridiques qui touchent l’entreprise ainsi que de sa conformité. Mondata est une compagnie québécoise en pleine croissance ayant pour mission d’offrir aux organisations et à leurs employés la meilleure défense contre les cyberattaques. Dans l’objectif de rendre la cybersécurité et ses nombreux sujets connexes accessibles pour tous, Ariane publie fréquemment des articles afin de vulgariser les différents aspects légaux liés notamment à la cybersécurité, à la protection des renseignements personnels, au droit à la vie privée et aux technologies de l’information et donne des conférences en la matière. Elle est également membre de l’International Association of Privacy Professionals et détient les certifications Certified Information Privacy Professional/Canada et Certified Information Privacy Manager.

Brian_Contos_Photo_hWACLBq

Brian Contos

Spies, Saboteurs & Scoundrels: How Russia, China & Nefarious Actors Are Hacking IoT, OT & Network Devices

Sophisticated attackers are increasingly exploiting unsecured IoT, OT and network devices to breach organizations, launch ransomware attacks and establish long-term persistence that can survive remediation efforts, which poses vast new security challenges for businesses and government agencies. Nation-states, cybercriminals, and malicious insiders have discovered that these devices are often trivial to exploit, poorly monitored (if monitored at all) and difficult to include in IR sweeps, even after a breach has been discovered. These threats are neither theoretical nor up-and-coming: they are already occurring on a regular basis, as companies face a growing number of targeted device-based attacks. Companies have little recourse against these attacks with current security tools and policies. Countries like Russia have developed tools like Fronton that are specifically designed to attack and control these device types. Some common devices from countries like China have even been banned because they ship with malware preinstalled from the manufacturer. These devices are being turned against us and have become a new cybersecurity frontline across the enterprise, healthcare providers, manufacturing, defense, smart cities, smart buildings, smart ships, our homes, and more. Compromises are impacting the physical world by unlocking doors, shutting down power, and spying with audio and video surveillance. Attackers are using these devices to mine cryptocurrency, conduct DDoS attacks, and engage in ransomware as well as and move laterally to compromise our IT and cloud-based assets while stealing sensitive data all while maintaining persistence and evading detection within IoT, OT, and network devices. We’ve been researching IoT, OT and network device security for over five years across millions of devices and hundreds of organizations worldwide. This is unique research that isn’t being conducted by any other organization at this scale. From this research, we have original data to share on the frequency of high- and critical-level firmware vulnerabilities (CVSS scores of 8-10) found in corporate IoT devices, as well as the frequency of security mistakes made with these devices which increases the risk, from inventory failures to outdated firmware and default credentials. We also have been privy to multiple incidents recently where sophisticated attackers have exploited IoT and OT security lapses in companies to gain initial access to IT networks to launch ransomware attacks. This presentation will share several discoveries across device visibility, vulnerabilities, and exploits. The research calls out the most exploited device types, explores multiple war stories, and illustrates methods to mitigate attacks. At the heart of the problem, we don’t know what devices we have, so we don’t know what to fix. Even if we knew what to fix, it would be impossible to do so manually because of the scale. If we do fix it, we don’t have anything in place to ensure things stay fixed. This set of issues is a parade of horribles and has introduced a high level of risk across IoT, OT and network devices. It has also put IT and cloud-based assets, along with their sensitive data, at risk. These are your devices, and it’s time to take back control from the attackers by understanding their TTPs and implementing safeguards for mitigating those TTPs.  

Attendee takeaways
– Discover how IoT, OT & network devices are being hacked and by whom
– Understand how these devices are being successfully leveraged for persistence and evasion
– Explore war stories that illustrate the most vulnerable and compromised devices
– Evaluate various tactics to take back control of your IoT, OT & network devices

Bio

With two IPOs & eight acquisitions Brian Contos has helped build some of the most successful security companies in the world. He has over 25 years in the security industry as security company entrepreneur, board advisor, investor, and author. After getting his start with the Defense Information Systems Agency (DISA) and later Bell Labs, Brian began the process of building security startups and taking multiple companies through successful IPOs and acquisitions including: Riptech, ArcSight, Imperva, McAfee, Solera Networks, Cylance, JASK, Verodin, and Mandiant. Brian has worked in over 50 countries across six continents. He authored the book Enemy at the Water Cooler, and he co-authored Physical & Logical Security Convergence with former NSA Deputy Director William Crowell. He was featured in the cyberwar documentary 5 Eyes alongside General Michael Hayden, former NSA, and CIA Director. Brian has written for and been interviewed by security and business press and regularly presents at conferences worldwide like Black Hat, RSA, & BSides.

1586464426943_MJHdzZ5

Caitlyn Jenkins

Money Laundering Goes Virtual: Policy Implications of the Proliferation in the Illicit Use of Cryptocurrency

This presentation will report on a recently written article that deals with how cryptocurrency is leveraged for illicit purposes across the global financial system. Specifically, it establishes how cryptocurrency has been changing the nature of transnational and domestic money laundering.  It also assesses the effectiveness of conventional anti-money laundering policy and legislation against the proliferation of crypto laundering, using Canada as a critical case study. Data was collected from court cases and secondary sources to build cross-case trends of cryptocurrency use in money laundering. Illicit International Political Economy (IIPE) forms the theoretical foundation for the article, whose contribution is situated in the current literature on crypto-money laundering.
The talk will outline the results of the data which found that Bitcoin is common among crypto-money launderers, though most also use some form of alt-coin, and that the use of third-party currency exchanges is a prevalent method to create illicit funds and conceal proceeds of crime. The findings validate two hypotheses: that illicit use of crypto is prevalent in the first two stages of money laundering and that crypto is most often used in conjunction with other fiat currencies. Although law enforcement is improving on monitoring and understanding popular cryptocurrencies such as Bitcoin, alt-coins pose a significant challenge for criminal intelligence. New regulations for third-party currency exchanges are having a positive impact on curtailing crypto-laundering but are shown to be insufficient to contain the use of crypto in criminal activity. Presenting these findings will provide a more robust understanding of the use of virtual currency in transnational and domestic money laundering.  It will also contribute to an emerging body of literature on the role of technological change in enabling the global flow of illicit funds. Finally, it informs public policy on virtual currency in general, and on AML regulation in Canada in particular.

Bio

My name is Caitlyn Jenkins, and I am a student researcher at Queen’s University. Originally from Ottawa, Ontario I moved to Kingston in 2019 and began working for the Institute of Intergovernmental Relations (IIGR) in 2020. Under the IIGR, I have explored transnational money laundering and terrorist financing, specifically how these illicit activities intersect with cryptocurrency and technological change in the global financial sector. Through this research, I have helped develop new approaches to study how cryptocurrency is leveraged in these transnational schemes. In addition, I am interested in assessing policy solutions domestically and internationally to prevent further abuse of financial technologies for the purposes of money laundering and terrorist financing. Outside of this position, I am Editor-in-Chief of Politicus, Queen’s politics and international relations undergraduate journal. I am also a recipient of the Undergraduate Student Summer Research Fellowship (2021) and am entering my final year of a BA in Political Studies at Queen’s.

caprico

Caprico

Container crisis 3: more containers more problems

This talk is an overview of Docker, where you will discover what it is, its implementation and how it can be incorporated into security. Nate Johnson guides us through an introduction to Docker complete with a demonstration of how he found and assisted in taking down a botnet that utilized Docker. This will also include the trends of more than three years of data collection and open source intelligence (OSINT) research to track these botnets across the internet. Docker, one of the fastest growing technologies in the production, development, and interestingly security. Being heralded as the new alternative and more secure alternative to Virtual Machines (VMs). But anytime that someone says something is more secure, I want to test it. Call it a itch that you need to scratch. So I scratched the itch. Docker in a basic sense in comparison with virtual machines is like a comparing a Russian Nesting Doll to a Container Barge. Docker Botnet: A docker botnet has been defined as a malicious image/container that is created to serve a threat actors use case. These use cases can range from Distributed Denial-of-Service (DDOS), crypto-mining, credential harvesting, and command and control access (C2). With this talk:
Red Team: You get a super fun exploit and exciting way to pivot around a network. With the adoption of docker and container architecture continuing to grow in the cloud-based hosting
Blue Team: You get a new thing to watch for. Threat intel galore. Especially if you are using or thinking of using Docker as your company’s infrastructure.
Both: I’ve written a tool that is great for collecting OSINT and Threat Intelligence against Docker hosts.

 

There will be two GitHub repositories that will be referred to and additional blog posts referenced during the talk that I have written and publish to show the trends and evolution of threat actors utilizing these kinds of botnets to essentially print free money. This will also include the trends of more than three years of data collection and open source intelligence (OSINT) research to track these botnets across the internet.

Bio

Caprico is a offensive security professional and OSINT specialist with experience in conducting full scope red team activities (including social engineering and physical penetration testing). In addition Caprico is also well versed in DFIR through trial by fire with boots on the ground investigation and recovery efforts from ransomware attacks, insider threat, and data loss prevention. Additionally, Caprico has been a co-host, guest, and researcher on many podcast projects that have been live streamed on multiple video-sharing platforms:

-IronGeekCast (Three Years as Co-host and Show-writer)
-GrumpyHackers (One Year as Co-host)
-HackThePlanet (Featured Guest)
-Darknet Diaries (Research Conducted for Ep 86: The LinkedIn Incident)

In 2019 he did his first talk at a local hacker space meetup on his personal discovery of botnets that were attacking misconfigured docker/kubernetes cloud instances that were externally available to the internet. Since then multiple blogs have been written on his research by himself and others to show awareness to the growing trend of cryptojacking malware as a whole.

 

Blog: capricocave.wordpress.com
Twitter: https://twitter.com/C4pr1c0

colin_estep

Colin Estep

Gray Cover: The dangers of CloudShells

A malicious insider or attacker can abuse the Google Cloud Shell service to exfiltrate data and evade detection. All of your GSuite/GCP users have access to it by default, and it is very difficult to detect. With limited detection options, we’ll cover the attack and how to mitigate the risk. In this talk, we’ll show how a malicious insider or an attacker can abuse the Google Cloud Shell service to exfiltrate data and evade detection. There’s no need for any privilege escalation or lateral movement, your GCP users will have the ability to instantiate a Cloud Shell instance by default. First we’ll introduce the Cloud Shell service and demonstrate how it can be used to easily copy files from your local computer to the Cloud Shell instance via the command line or web console. Then we’ll show that once the files are on the instance, they can be sent to another location on the Internet. Next we’ll cover why this attack is so hard to detect. Uploading files to Cloud Shell will likely blend in with normal network activity from your organization’s endpoints. Since CloudShell is not run on servers that you provision, but are managed by Google itself, you can not implement any firewall rules to control this traffic and you do not have any network logs from CloudShell instances that reflect what’s being sent to the Internet. In addition, there is no visibility into the commands being run by your users on these instances by default. Google makes Cloud Shell very easy to use and accessible to everyone by design. However, this opens a very dangerous avenue for malicious activity because you are not able to restrict its use. Red teamers should consider this method to evade detection when attempting to exfiltrate data, and blue teamers should strongly consider disabling it for most users.

Bio

Colin Estep is currently a threat researcher at Netskope focused on developing user and entity behavior analytics for cloud environments. Colin was previously the CSO at Sift Security (acquired by Netskope), where he helped create a product to do breach detection for IaaS environments. He was a senior engineer on the security teams at Netflix and Apple before joining Sift. He was the first person hired at Netflix to focus on incident response in the cloud. At Apple, he spent his time responding to information security incidents across all of Apple’s assets worldwide. Prior to Apple, he was an FBI Agent specializing in cyber crime. As an Agent, he spent a fair amount of time coordinating with other countries to locate and arrest malware authors and botnet operators. He was lucky enough to work with amazing law enforcement partners around the world, as well as the Digital Crimes Unit at Microsoft to take down pervasive botnets.

francois_proulx
zaid2

François Proulx & Zaid Al Hamami

2021 - The year of Supply Chain Breaches

Up until now, Application Security professionals and technologies focused on writing secure code (SAST) and handling open source dependency risk (SCA) and on finding vulnerabilities in apps and API’s (various forms of DAST scanners and fuzzers). However, there’s a large attack surface that is typically forgotten: your actual development pipeline from the developer’s laptop, through your SCM, into the CI/CD systems, and finally the running application in production. In fact, many recent high-profile breaches targeted CI/CD pipelines. We dive behind the scenes of some of those attacks. We’ve all heard about the SolarWinds breach, but do you know how that breach happened, and why it will happen many more times again? What could have been done to prevent it? SolarWinds wasn’t the only Supply Chain attack, however. In 2021, attackers and/or security researchers were able to:

– implant malware in developers IDEs

– push malware to dependency repositories (like PyPI and NPM)

-trick build systems into using the attacker’s dependency packages vs. the intended ones

-insert malicious code into Homebrew

-found creative ways to exploit continuous integration and deployment systems (such as GitHub Actions, CircleCI, Jenkins, etc.)

-insert dangerous code into the Linux kernel

-compromise webmin, a web-based system administration tool for web servers (which is deployed to over 1M machines)

-compromise the PHP source

-And many, many more!

 

If we don’t do anything about it, we know that we can’t trust the software we’re building. Luckily, we can do a lot, and the supply chain can indeed be secured. Watch this talk if you want to understand the threat model for Supply Chain Security, learn about the details of some of 2021’s Supply Chain attacks, and why we expect many more of these in the years to come. Most importantly – you will understand the new technologies and approaches that are available today (or are under active development) to address these risks.

Bio

François Proulx is a Senior Product Security Engineer at BoostSecurity.io. He is a founding member of NorthSec and has been involved in the Montreal security community for nearly 2 decades. He is specialized in Application Security and loves to take active part in building great, usable, secure software – securely! Before joining BoostSecurity.io, François spent years at the heart of various ambitious and fast-paced Montreal tech startups (such as Intel and StreamingFast) that had security and privacy requirements. He worked closely with CTOs, product owners, UX experts and engineers to train and coach them to focus on real threats and make key decisions to get them to the next stage. François gave talks at HackFest and MontreHack and also created many challenges for the NorthSec CTF. He once was regularly taking part such as DEF CON quals, iCTF, CSAW, HackUS, Hackfest, etc. (as part of Amish Security and the likes).

Zaid Al Hamami is the founder/CEO of boostsecurity. Prior to this, Zaid was founder/CEO of another Montreal-based cybersecurity startup, IMMUN.IO, which TrendMicro acquired in 2017. Zaid spent a couple of years there as VP of AppSec. Like many in the cybersecurity world, he is an insatiable tinkerer and a never ending learner. Outside of work, Zaid is a busy family man, father of 3, a BJJ practitioner, and guitar music aficionado.
Mack_portrait_2022_LQ-100_uotCUBe

Mackenzie Jackson

Gaining Inital Access By Exploiting Leaked Secrets

The problem of publicly exposed secrets, such as API keys and other credentials, is a widespread weakness affecting organizations of all sizes. The scale of this problem was quantified in a year-long research study by GitGuardian which reported that throughout 2021 over 6 million secrets were exposed in public repositories on GitHub.com. The report also showed that nearly 5% of docker images on Dockerhub.com contained at least one plain text secret. This presentation will look into this huge problem from two different perspectives, the first assumes a Black Hat position to look how offensive security teams can abuse leaked secrets to gain initial access to a specific target. The second will assume a defensive position to examine how we can prevent our secrets leaking and additional security measures we can take to stop attackers in their tracks. During our Black Hat section we will examine the anatomy of recent breaches to reveal how in each case secrets were harvested and exploited by the adversaries. These will include CodeCov2021, which exposed secrets via a public docker image, SolarWinds 2020, which exposed a secret in a public git repository belonging to an employee and the Lapsus breaches of 2022 which exposed secrets inside private source code via insider access. We will show real examples of the methods the attackers used not just to harvest the credentials, but to also exploit them, elevate their privileges and move laterally. During the defensive section of the talk we will examine why secrets sprawl within an organization despite our best efforts. This will include breaking down how development tools like git make it extremely hard to even identify the problem within our organizations. Next we will examine how to detect leaked credentials at various stages of the software development lifecycle including locally with git hooks, within the CI/CD environment and within our remote git repositories. The goal of the presentation will be to give the audience a practical understanding of how adversaires operate to find secrets and some actionable steps we can take to defend against them.

Bio

Mackenzie Jackson is a developer advocate with a passion for DevOps and code security. He was the former CTO and co-founder of the health tech company Conpago taking it from a concept to the thriving business it is today. During his time at Conpago Mackenzie oversaw many security challenges dealing with health data which sparked his passion for code security that would drive his future. As Conpago grew Mackenzie left to pursue his newfound passion and interest for security moving to France in 2020 to become part of the GitGuardian team as the developer advocate.  Today Mackenzie continues his work with GitGuardian where he is able to work closely with the research team to share his passion for all things security with others. Additionally, Mackenzie also works as a guest contributor to many security and tech publications and as the host of “The Security Repo” podcast where gets the opportunity to interview industry exports and share their knowledge.

magno-logan

Magno Logan

GitHub Actions: Protecting your CI from attackers

More organizations are applying a DevOps methodology to optimize software development. One of the main tools used in this process is a continuous integration (CI) tool that automates code changes from multiple developers working on the same project. In 2019, GitHub released its own CI tool called GitHub Actions. According to GitHub, GitHub Actions help you automate tasks within your software development life cycle, and it has been gaining a lot of adoption from developers. This talk plans to demonstrate how GitHub Actions work and show security measures to protect your Actions from misuse by attackers. First, we’ll do a deep dive into the Runners, the servers provided by GitHub to run your Actions, and the risks of using them. Then, we’ll show how attackers can leverage these runners to mine cryptocurrencies, pivot into other targets, and more. Lastly, we’ll demonstrate how to maliciously distribute backdoors into different repositories via the GitHub Actions Marketplace. This presentation results from detailed research published earlier this year on the topic where the author investigated abuse case scenarios such as how attackers were leveraging this free service to mine cryptocurrencies on their behalf and behalf of other users, among other attack vectors. We’ll also demonstrate how to perform interactive commands to the Runner servers via reverse shell, which are technically not allowed via traditional means. In the end, we’ll show the problem of third-party dependencies via the GitHub Actions Marketplace. By demonstrating how easy it is to create a fake GitHub Action that, if used unwillingly by other projects, can make their runners act as bots to target other victims and even be used in supply-chain attacks by tampering with the result of the pipeline.

 

Full research article: https://research.trendmicro.com/GitHubActions

Research repositories: https://github.com/magnologan/gha-test | https://github.com/magnologan/fake-gha

Bio

Magno Logan is an Information Security Specialist for Trend Micro Cloud and Container Security Research Team. He specializes in Cloud, Container, and Application Security Research, Threat Modeling, Red Teaming, DevSecOps, and Kubernetes Security, among other topics. He has been tapped as a resource speaker for numerous security conferences around the globe. He is a CompTIA SME and has multiple certifications in security and cloud computing.

mangatas_tondang
avneet_singh

Mangatas Tondang & Avneet Singh

Lesson Learned from Detection Engineering

In the modern world of cyber security, you as a defender for sure overwhelmed by numerous technology and strategy to prevent cyber attack in your organization. In the Detection Engineering front, it becomes more confusing since there is no clear right or wrong of what Detection Engineering is. In this presentation, we will uncover things that worked in the Industry and numerous organizations, based on presenter’s years of experience and community voice. It will touch both the management and technical aspect of Detection Engineering. Hopefully this will help both companies who just started building their Detection Engineering function and the ones who already running it. Run Down:

Cover your bases – Baselining works, there are numerous detections using baselining that can stop advanced attacks. You don’t have to cover everything on your first 30 days of building a Detection Engineering function. The attack will always happen in kill chain format, if you can stop them early, you will be able to buy some time to develop later stage TTP.

Taketh and Giveth – Open Source in Detection Engineering, somebody already done it, so let’s start from there and whenever possible contribute back to the community. We will walk you through the best way to apply these detection to your program and kick start your journey in Detection Engineering.

Do It Yourself – Automation can be simple, cheap, and beginner-friendly. Thanks to simple knowledge of scripting, you can achieve the impossible! You just need to know the problem, develop a simple yet effective procedure, research the available tools (free or paid) and combine all of them into one giant ball of (automated) solution.

We will also share some detections that the attendees should cover within 30 days of Detection Engineering operation. These detections work wonders at detecting advanced attacks such as Ransomware based on real life scenarios.

Bio

Mangatas Tondang is currently working as Security Researcher within Microsoft, where his main responsibility is to improve Microsoft Detection Engineering capabilities by researching novel attacks and detection mechanisms. Before that he worked in multiple companies such as Big 4 Consulting and Telecommunication, performing and building Threat Hunting and Detection Engineering functions. He is a seasoned Incident Responder and Threat Hunter with Detection Engineering mindset; he believes after every incident there is always a new detection opportunity. He loves to be involved in the security community and has presented at numerous world class conferences such as SANS Summits and DEF CON BTV. He is also an active contributor to the DFIR Report, where he took part in real attacks analysis and provide the public with high quality threat intelligence report and article. He is also a proud member of CDEF.ID, and Indonesian Security community where he has presented, talked in podcast and is volunteering as a mentor. Outside of security, he enjoys traveling with friends and family, doing astrophotography and cooking new foods from different part of the world.

Avneet Singh is a Cyber Security professional with 4.5+ years of experience in Threat Hunting, Incident Response, Malware Analysis, Detection Engineering and Digital Forensics. He is currently working as a Senior Consultant in EY’s Managed Detection and Response team where he is working on Detection Engineering and Digital Forensics. Avneet likes to work with the malware and reverse engineer them to understand the inner working of it and use that knowledge in the Detection Engineering. He spends most of his time in the lab trying to find the efficient ways to build the resilient detection by running the malware, offensive tools, etc. He is actively involved in the community and he has contributed to the Mitre ATT&CK framework, SigmaHQ via OSCD initiative and he is an active member of TheDFIRReport team. In his free time, he loves to write scripts to automate the tasks. Outside the infosec, Avneet likes to cook and play games.

Marie-Pier Villeneuve-Dubuc
Picture1

Marie-Pier Villeneuve-Dubuc & Mélina Girard

Does your Social Capital Can Protect You from Detection or Banishment? The Study of Risk Management in a Hacking Forum

Hacking forums are commonly used to buy and sell malware, stolen account credentials and fraud services. Given the anonymous nature of hacking forums, and the opportunistic behavior of their participants, it is common for forum participants to be cheated and abused by their peers. On such occasions, forum participants are unable to enlist the help of law enforcement and the judicial system to resolve their conflict. Instead, forum participants use alternative conflict management methods such as tolerance, avoidance, ostracization and intervention by a third party such as a forum moderator or administrator. The last method is of particular interest, as forum administrators and moderators are not independent actors but rather participants themselves in the forum. It is therefore possible, and likely, that pre-existing direct and indirect social relationships could influence how administrators and moderators handle conflicts on their forum. They may for example be more tolerant and lenient with people who spam others on their forum if they are part of their close circle. This presentation investigates these special relationships with people in power on a hacker forum. More specifically, this presentation explains the impact of social capital on the risk management of a hacker forum. It investigates the use of two risk management techniques in reaction to spam: ostracism and third-party intervention through the use of bans and warnings on the DemonForum platform. Through a series of network analyses, this presentation explains when and how participants are warned rather than banned for sending spam. This study innovates by using the DemonForums’ leaked data containing several pieces of information such as private messages, bans, warnings, promotions, reputation points and more. Although this presentation studies a forum’s risk management, the empirical implications of this presentation will inform us on insider threats of networks, and how administrators and moderators protect members of their endogroup.

Bio

Marie-Pier Villeneuve-Dubuc is a master’s candidate in criminology at the University of Montreal. Her research projects focus on the malicious or criminal use of technologies and their international regulation. She is a recipient of the Canada Graduate Scholarship (CRSH) and the Research Chair in the Prevention of Cybercrime grant (CRPC). Marie-Pier received the Cyber-Talent Trophy price in 2021 in the academic category for her involvement toward students, impressive grades, and contribution to various research as an undergrad. She is a co-author on two recent scientific articles on the impact of the pandemic on drug trafficking on the darkweb and the malicious use of social media. She also co-produced a government report on the impact of the legalization of cannabis in Canada on the illicit market. Lastly, while studying how hackers react to external shocks such as data leaks, she is also writing her master’s thesis on the role of law enforcement collaboration on the success of interventions and investigations on cybercrime cases.

 

Mélina Girard is a master’s candidate in criminology at the Université de Montréal. While completing her thesis on the study of drug traffickers, she is also interested in cybercrimes, criminal trajectories and crime prevention. Aligning her fields of interest, she is a research assistant for the Network of Canadian Practitioners for the Prevention of Radicalization and Violent Extremism (RPC-PREV) and the Darknet and Anonymous Research Center (DARC). She is also co-founder of the Journal Universitaire de Criminologie (JUC) and has made academic presentations at various international conferences though her journey. Finally, Mélina is recipient of a master’s scholarship from the Social Sciences and Humanities Research Council of Canada as well as from the Quebec Research Fund.

Matt_Richardson_Head_Shot_1_9a0NSAh

Matt Richardson

Full spectrum Investigations - From Darkweb to Clearweb

This session covers the investigative techniques and technologies used in a real life investigation resulting in the identification and apprehension of an egregious Darknet child sexual abuse material (CSAM) offender. The lesson demonstrates how the offender was identified in Darknet CSAM forums, and how I pivoted from a limited set of information to launch an OSINT investigation on the clearweb and social media. OSINT is the centre piece of the lesson including Google “Dorking” techniques, and social media investigation. The username and identifiers are sanitized and the content used is not graphic although a disclaimer is advised because the lesson is in the context of a darknet CSAM investigation.

Bio

Matt Richardson is the Director of Intelligence and Investigations with the Anti-Human Trafficking Intelligence Initiative (ATII). He is expert on OSINT and Darkweb Intelligence with extensive experience in leading and coordinating complex investigations on sex trafficking and CSAM offenders. He is a Professor at Loyalist College where he teaches topics that include; technology, social media, online safety and more. Matt is a member of the Rogers Communications Cybersecurity Catalyst team where he collaborates with industry experts to generate products and education on a variety of cybersecurity topics related to online crimes. He is often sought out as a subject matter expert by the media with TV, Film, Radio, and print coverage in Canada and is a main contributor and on camera character for “Dark Highway”, a Human Trafficking documentary that is being televised in Canada and the U.S. He works in partnership with Timea’s Cause to educate and prevent sex trafficking and was a featured speaker of the 1st Canadian National Summit on Child Sexual Exploitation. Matt is passionate in his role with the ATII where as part of a team of experts he uses his skills on a daily basis to help make children, families, and communities safer places.

Stephanie_Tran_9742_sUk0nT4
Sharan_Khela_headshot_bsides_25E0iCx

Stephanie Tran & Sharan Khela

Cybersecure Towns & Cities: Making Municipal Critical Infrastructure Cyber Resilient

From water, transportation, energy and more, our lives are shaped by the critical infrastructure services provided by our municipal governments. Over the past few decades, these systems have been connected to networks to facilitate remote monitoring and service delivery. Despite its benefits, internet connectivity has also made critical infrastructure systems more vulnerable to cyber threats. With ever-rising cyber attacks and evolving geopolitical tensions, the time for our local governments to secure their infrastructure systems was yesterday. What are the obstacles that are getting in the way of securing Canada’s municipal critical infrastructure from cyber threats? Informed by interviews and a round-table discussion with municipal representatives and cybersecurity experts, our research examines this question and offers recommendations for Canada’s policymakers – because cybersecurity does not exist in a vacuum, but is rather shaped by various forces including public policy. The key challenges that we heard include the lack of available funding for cybersecurity, as underinvestment in critical infrastructure has left municipal budgets stretched to protect these assets from physical threats, nonetheless digital ones. This lack of funding has delayed the replacement of legacy systems, which are more susceptible to cyber attacks. These budget constraints tie into the struggle to hire and retain cybersecurity labour amidst a talent shortage, as smaller municipalities struggle to pay market rates for talent. Along with the fact that resourcing and funding for cybersecurity work depends heavily on the support and understanding of local government councils, it becomes clear that municipal infrastructure and IT teams are contending with multiple obstacles in their cybersecurity work. This talk synthesizes the key points that we heard from those on the frontlines of municipal critical infrastructure cybersecurity. We’ll examine the key challenges and the promising developments in this area. We also identify the public policy actions that Canadian governments and industry can take to accelerate the work needed to make municipal critical infrastructure cyber resilient.

Bio

Stephanie Tran (she/her) is a Policy Analyst for the Cybersecure Policy Exchange at Ryerson University. Examining public policy and human rights issues related to digital technologies, Stephanie has contributed research and policy analysis at Citizen Lab, Amnesty International Canada, the United Nations Office for the Coordination of Humanitarian Affairs (UN OCHA), Global Affairs Canada’s Digital Inclusion Lab, and more. Aspiring to understand cybersecurity from all of its angles, she is currently a student in the Accelerated Cybersecurity Training Program offered by the Rogers Cybersecure Catalyst at Toronto Metropolitan University. Stephanie Tran is a trained computer programmer, having earned a Diploma in Computer Programming from Seneca College. She also holds a dual degree Master of Public Policy (Digital, New Technology and Public Affairs Policy stream) from Sciences Po in Paris, and a Master of Global Affairs from the University of Toronto. She earned her BA degree from the University of Toronto specializing in Peace, Conflict and Justice. Her past talks include presenting at the IEEE International Symposium on Technology and Society 2021, BSides Montreal 2021, and NorthSec 2021.

Sharan Khela is a Research Analyst at the Department of Canadian Heritage where she is working with the Legislative and Regulatory Policy team of the Digital Citizen Initiative, on the online safety file. She previously worked with the Ryerson Leadership Lab as a Policy and Research Assistant, where she supported projects related to technology and cybersecurity policy. The Lab is where her interest in these topics grew, especially due to the “Secure Smart Cities” research project she assisted with. She also works as a Research Coordinator for a local non-profit known as Laadliyan, which is focused on helping the South Asian community through programs and research. In the past, she has worked as an Advisory Committee Member for the Youth Secretariat’s State of Youth report, and as a Research Associate for an Equity, Diversity, Inclusion, and Anti-Racism consultant. She is also completing her Master’s of Public Policy and Administration at Toronto Metropolitan University.

thibaut_passilly
vladislav_hrcka

Thibaut Passilly & Vladislav Hrčka

SparklingElf, new supplies to SparklingGoblin’s Linux malware arsenal

StageClient is a configurable and modular Linux backdoor that we observed while investigating a targeted attack against a Hong Kong university in July 2021. Surprisingly, we discovered that the backdoor exhibits a huge functionality overlap with the Specter IoT botnet malware, a modular Linux RAT, that creates an indisputable link between the malware authors, meaning we can now say they come both from the same threat actor. More recently, we found strong connections between StageClient and SideWalk – a modular Windows backdoor belonging to SparklingGoblin, which is an APT group that partially overlaps with APT41 and BARIUM. By digging further, we found out that both StageClient and Specter are actually Linux variants of SideWalk. The targeting aligns with SparklingGoblin’s targeted verticals. Pivoting on the cryptographic artefacts of StageClient, we found multiple other samples, including a custom undocumented userland rootkit featuring several unique and interesting techniques. We consider all these tools to be part of SparklingGoblin’s arsenal. During this presentation, we will first present the connections between StageClient and Specter, by showing the common functionalities. Next, we will present the SparklingGoblin APT group to the audience, outlining the verticals and countries that this group targets, as well as their toolset and modus operandi. We will briefly describe some of the code similarities we found between StageClient and SideWalk, including encryption schemes, communication protocols, and victims fingerprinting. We will also sum up some of the differences we found, including available backdoor commands, versioning, and its defense evasion capabilities. In the third part of the presentation, we will describe the Linux rootkit we discovered. We will explain how the rootkit, that operates in userland, injects into processes and hides its files and network connections to achieve stealthiness. We will finish the presentation by a summing up of our findings, taking conclusions regarding the attribution matter.

Bio

Thibaut Passily is a Malware Researcher at ESET since 2020. Thibaut went to EPITA (École Pour l’Informatique et les Techniques Avancées) in the Paris area, and chose to major in cybersecurity, systems and networks. During his studies, he spent one year teaching programming classes to biotechnology students. Since he became passionate about computer science and especially security, Thibaut decided to make it his job after graduating in 2019. He began his security career as an intern in a threat intelligence team and then as a forensics tools developer, both in a major European cybersecurity company. Afterwards, he moved to Canada and joined ESET as a malware researcher in late 2020. Thibaut has previously spoken about APT attacks in Europe  in 2021 in an online presentation — in French — at the Paris ESD (ESET Security Days). Thibaut also contributes to WLS (WeLiveSecurity), ESET’s blog, where he has written about SparklingGoblin and their modular backdoor, SideWalk .

 

Vladislav Hrčka has been working as a malware analyst at ESET since 2017. Currently, as a part of the Experimental Research & Detection team. His focus is on reverse engineering challenging malware samples and his research into sophisticated malware families such as Stantinko or FontOnLake resulted in several articles and papers published on WeLiveSecurity. Fascinating obfuscation techniques used in malware motivated him to develop tools Stadeo and WslinkVMAnalyzer that can facilitate analysis of code obfuscated with such techniques. He has presented results of his work at the Black Hat USA, REcon and AVAR conferences. He’s currently studying Computer Science with a focus on cyber security at the Comenius University in Bratislava and going into his final year of master’s degree. Additionally, he teaches course Principles of Reverse Engineering at the Slovak University of Technology and the Comenius University. In his spare time, he occasionally participates in various CTFs and enjoys sports, especially biking and swimming.

Comité scientifique

Darren Mott | Quantum Research International
Chris MacDonald | PwC
Helen Oakley | SAP
Masarah Paquet-Clouston | Université de Montréal Mathilde Conseil | BDC Patrick Eller | Metadata Forensics Pierre-Marc Bureau | Google Canada