

BSidesOttawaTalks

Call For Presenters (CFP)

 

The CFP for B-Sides Ottawa is now closed. Speaker selection is underway. Thank you to everyone who submitted talks for B-Sides' first visit to Canada.

 

B-Sides Ottawa will have one track (with "availability" for additional, ad-hoc talks that come up during the event). The track will be talks voted on/confirmed before the event. 

 

CFP Selection Committee

Andrew Hay, Senior Analyst, The 451 Group

Justin Foster, Architect, Trend Micro

Jack Daniel, Community Development Manager, Astaro AG

Peter Giannoulis, Principal Consultant, Source 44 Consulting Incorporated

Mike Gibson, Security Architect, Trend Micro

 

Submitted Talks (Selection Underway)

 

  • Name: Andrew Hay, Senior Analyst, The 451 Group, @andrewsmhay
  • Title: Empty Pocket Forensics
  • Length: 50min 
  • Abstract: The perception that forensic investigation and response tools are too costly to be purchased by most organizations is a myth. Many organizations are forced to decide if the costs associated with forensic analysis exercises overshadow the risk of turning a blind eye. However, without knowing the details of how a breach or malware infection occurred, there is no way of knowing how to prevent it from happening again. This presentation will show that the costs of undertaking forensic investigations, using freely available tools, can easily find a place in the smallest of budgets.

 

  • Name: Andrew Hay, Senior Analyst, The 451 Group, @andrewsmhay
  • Title: My Life on the Information Security D-List
  • Length: 50min 
  • Abstract: People new to information security often find themselves wondering how to make a name for themselves in the industry. Andrew Hay has lived most of his career on the D-list but has worked hard to increase his status in the hopes of someday landing that coveted A-list position. Through this talk we’ll discuss how to expand your circle of influence, how to build your personal brand, and how to move up from the dreaded Infosec D-List.

 

  • Name: Peter Hillier, Ottawa-based CISO, @DeathwishDuck
  • Title: So my Doctor has an EMR; should I worry?
  • Length: 50min 
  • Abstract:  Peter Hillier will discuss the need to properly regulate eHealth in order to ensure security technical controls are assessed in the certification, implementation and use of eHealth solutions across the board. He will outline the current disconnects between the requirements to certify EMR solutions as Class 1 Medical devices and the need to make the residual data private and secure. Current certification bodies do not contain guidance for vendors or physicians. Who should step up?

 

  • Name: Will Gragido, Security Researcher / Consultant / Practitioner, @wgragido
  • Title: “Through the Rabbit Hole: An Expose of Darknets and the Onion Routed Underground”
  • Length: 50min
  • Abstract: The Internet and cyberspace are far from what they appear to be. For years an evolution revolution has been underway. This evolution revolution has seen advancement, growth, adaptation and change occur in order to both propagate and defend against new and advanced threat vectors, many of which do not traditionally reside in the realm of the information security warrior but are swiftly becoming more a part of it. Among these, the onion routed anonymous network is playing a greater and greater role. These networks leverage cryptographic ciphers to aid in concealing routing instruction information, thus preventing detection by intermediary nodes. They take on many forms, some being embraced and celebrated as voices of free press and expression, while others are used for the trafficking and trade of goods and services within the cyber-criminal sub-ecosystem. During this presentation you will gain an insight into the realities of these networks, their owner / operators, the conventional wisdom employed by these parties, their clientele and an informed glimpse of the type of data which is trafficked within these environments.

 

  • Name: Erich Samuel, Security Analyst, [email protected]
  • Title: Learning from Bruteforcers
  • Length: 50min
  • Abstract: Can we learn anything from being targeted by 680-odd sources? Can we learn from over 130 thousand bruteforce ssh attempts? And I mean besides "Change the port dummy!" I think that we can. I believe in basing actions on fact. Fact which can easily be shown and understood by others. So let's take a look at what we can find out and learn from looking at these bruteforcers and what this means for the advice we give and the actions we take.

 

  • Name: Benoît H. Dicaire, InfoSec Strategist, INFRAX, @BDicaire
  • Title: Using ISO 27005 for Risk Assessment
  • Length: 50min
  • Abstract: According to ISO/IEC 27001:2005, the risk assessment methodology selected shall ensure that risk assessments produce comparable and reproducible results. However, this International Standard does not provide any specific methodology for information security risk management. Benoît will discuss concepts, models, processes and terminologies described in ISO/IEC 27005 to obtain a systematic approach to information security risk assessment.

 

  • Name: Sherif Koussa  - Principal Security Consultant - Software Secured - @skoussa
  • Title: Tweet My Trojan Please
  • Length: 50min
  • Abstract: Social media became part of our day to day activities; sure, it made us more social, but how safe are we tweeting, facebooking or getting Linked! This presentation will delve into the dark side of the social networks and the Privacy Commissioner's report on Facebook. It will explore some of the recent social media attacks, trying to answer the question: Are we safe socializing online, and what can we do about it?

 

  • Name: Kellman Meghu, Security Engineering Manager Check Point Canada @kellman 
  • Title: Myths, Mistakes and Outright Lies (when it comes to your computer security)
  • Length: 50min
  • Abstract: When you build a network security architecture, by design it must evolve and contribute to its own support. Are you making the most of your security architecture? Is your policy evolved to what the technology can do today? Is your policy evolved to what the threats are today? When network security policy, technology and user requirements collide, the end result does not always equal the intent. So many factors affect our choices when it comes to security investment; media, news, mailing lists all have a new threat waiting to leap upon us, taking down our systems, creating panic. Let's explore the truths of how much danger you are really in, and how much effort you have put into protecting your network. A lighthearted look at common pitfalls to building out a network security architecture, this presentation does not intend to be all encompassing, but to encourage people to reconsider and re-evaluate the responsibilities of network security. Thoughts on a variety of issues, both policy and technology, are discussed. Using a subjective threat guide, various policy based deployments are examined at a high level to measure risk versus cost. Sometimes we spend so much to accomplish so little; other times we get so much with very little cost. Assessing how we manage and deploy our security does not have to be a complex task, but it does need to be done at a regular pace. I invite you to compare your own situation with some real life scenarios depicted in this presentation.

 

  • Name: Kellman Meghu, Security Engineering Manager Check Point Canada @kellman
  • Title: Virtually Safe?
  • Length: 50min
  • Abstract: Is your organization moving towards virtualization? The push for greener solutions that do more with less, has made people take a hard look at a virtualization strategy for managing infrastructure. Multi-core architectures have brought a new level of power to the end users, but without the software being specifically designed to take full advantage of it, there is no perceivable benefit coming from these systems. This presentation seeks to demonstrate unique ways to not just ensure threat management for a virtual infrastructure, but to also leverage it as part of the infrastructure change. When you take away the buzz, and the clouds abate, will you be left with clear skies?  Virtualization, in and of itself, is an IT infrastructure strategy, not a security strategy, and as such, this presentation seeks to define security models that not only secure, but take advantage of ‘Cloud’ computing designs. The definition of ‘Cloud’ computing models can be complex and will mean different things to different organizations, but defining the model is a requirement to being able to map to strategies that protect those assets. Building a security model for virtualization needs to happen as part of the planning process to be most effective, but on closer review, the audience should discover much of the planning work done for them, when they are able to conceptualize the strategy. Much of what we do today to protect data can be reused, but you will find that virtualization presents both a unique challenge, and a unique opportunity to create a safe environment to grow your services oriented computing models. Whether it is in the ‘Cloud’, or in the components of hardware that make it up, security is adapting to fit the needs. This session will define various ‘Cloud’ models, and the options for creating a secure infrastructure around them. 
When defining a strategy to abstract hardware and the dissemination of resources, let’s make sure security is considered to protect the design, as well as benefit from it.

 

  • Name: Ben Tomhave (@falconsview)
  • Title: The Unintended Consequences of Beating Users with Carrot Sticks: Radical Thoughts on Security Reform
  • Length: 50min
  • Abstract: What we're doing today is not working and isn't sustainable. The fundamental culture of the average business does not encourage making good security decisions. Software shops continue to focus on functionality and timelines, neglecting information security. In spite of regulations like PCI and HIPAA+HITECH, which are levying fines against organizations for their security failures, the tipping point has clearly not been reached to cause meaningful change. Much of this problem can be attributed to the excessive use of negative incentives (sticks) instead of providing positive incentives (carrots) that inspire better decision-making and motivate true change. Fortunately, it's not too late to change tactics and start achieving demonstrable success.

 

  • Name: Rafal Los @rafallos
  • Title: Into the Rabbithole Evolved Web Application Security Testing
  • Length: 50min
  • Abstract: Since the caveman first fashioned a spear humans have been using tools to make them more efficient and effective. Unfortunately, today's analysts often misunderstand the role tools play testing web applications. While tools can be quite good at mapping a web application's attack surface there is still much human analysis that must be done to find the elusive defects that lie just below the surface. That human analysis is daunting and irregular ... until now.

 

  • Name: Jack Daniel and panelists TBD
  • Title: InfoSec Speed Debates
  • Length: 50min
  • Abstract: An idea blatantly stolen from AusCert, but ours is better, because we don't talk funny.  Speed Debates were a great conversation starter at BSides Las Vegas.  Each panelist will have one minute to make their case for or against a variety of incendiary topics, then we’ll give a couple of participants watching the spectacle a chance to add their opinions.  To make it more interesting, the panelists will be assigned pro or con positions, on the spot, by coin toss.  The goal is to solve all the problems of InfoSec in under an hour and move on.  OK, the real goals are to 1: have fun, and 2: encourage conversation.

 

  • Name: Adrien de Beaupré, EWA-Canada, isc.sans.edu
  • Title: Network Vulnerability Assessment Automation and Reporting
  • Length: 50min
  • Abstract: This presentation will discuss various options and tools available to automate the vulnerability assessment testing and reporting processes. Among the topics covered will be nmap scanning and output parsing, as well as nessus scanning and output parsing. The most important parts of running a VA are the methodology followed, appropriate tools and their configuration, data management, consistent results, manual validation, and standardized reporting. The ultimate goal being to streamline and automate the parts of the process, where possible, and improve efficiency. Adrien will share his experiences, tools, and techniques in running vulnerability assessments and penetration testing for a significant portion of the last 10 years with different consulting practices.

 

  • Name: Adrien de Beaupré, EWA-Canada, isc.sans.edu
  • Title: CERTs or CIRTs in Canada
  • Length: 50min
  • Abstract: This presentation is a discussion about the current state of CERT/CSIRTs in Canada, or the lack thereof. Should Canada have one? Although Canadians have faced cyber attacks since the late 80's, a true Canadian CERT does not yet exist. The current state leaves Canada without a Canadian-context coordination and service provision capability. Without this, the country will not fare well against economic or targeted attacks against Canada.

 

  • Name: Adrien de Beaupré, EWA-Canada, isc.sans.edu
  • Title: Developing Cyber Threat Intelligence
  • Length: 50min
  • Abstract: One of the issues facing many organizations is obtaining usable, accurate, timely, and tailored Cyber Threat Intelligence (CTI). CTI is required for organizations in order to maintain situational awareness on the internal and external threat environment that they operate in. Particularly problematic is that within the IT Security industry several services, while purported to be an advanced cyber threat intelligence source, use mostly open source intelligence with little value add analysis and intelligence built into the product by the vendor. This talk will discuss how to obtain CTI from a variety of open sources, including feeds from vendors, and creating your own enhanced by other sources with the appropriate people-process-technologies. As well, some of the issues and challenges faced within an organization attempting to develop a CTI capability for internal use or as a product offering will be discussed.

 

  • Name: Andrew Hay, Senior Analyst, The 451 Group, @andrewsmhay
  • Title: The Integration Lifecycle: Loving Long Logging Lifecycles
  • Length: 50min 
  • Abstract: The integration of 3rd party products within SIEM and Log Management platforms is often a race to competitive parity. Unfortunately for customers, simply having cursory integration for a product without an ongoing integration lifecycle is about as useful as the platform not supporting the device in the first place. In order to facilitate continuous value, end-to-end integration lifecycles must be designed to ensure SIEM and Log Management platform vendors have access to the most current information available from integration partners. This talk will shed light on the steps required to effectively bring a product into constant state of supportability and will equip customers with the questions to verify their vendors’ ongoing integration capabilities.

  

  • Name: Karim Nathoo & Mike Sues
  • Title: Client Side Attack Trends and Techniques
  • Length: 50min
  • Abstract: Enterprise network and perimeter security have greatly improved over the past several years.  Consequently, there has been an increasing trend towards organizations being exploited directly through their user base versus through their network infrastructure.  This presentation will outline the various client side attack trends being observed and also techniques used by attackers to make client side exploitation increasingly successful.  The discussion will include numerous technical concepts but will be performed at a level that will be coherent to audiences with limited technical expertise.  The talk will cover the following topics:
        - Motivation
        - Infection Vectors and Reconnaissance
        - Vulnerability Exploitation
        - Antivirus Bypass
        - Mobile Device Malware
        - Methods of Privilege Escalation
        - Covert Channels and Ex-Filtration
        - Hybrid Attacks
        - Conclusions and Recommendations

 

  • Name: Sean ([email protected]_Rose)
  • Title: IPv6 Security
  • Length: 50min
  • Abstract: Covering an overview of IPv6 and outlining some attacks people should be aware of in their environments. The information provided covers an attack vector built into the protocol which most people are susceptible and oblivious to.

 

  • Name: Ahmed Masud CEO/ CTO Trustifier Inc.
  • Title: A new approach to preventing injection attacks on the Web Application Stack
  • Length: 50min
  • Abstract: Code injection vulnerabilities such as SQL injection, javascript injection, byte-code injection, etc… constitute the most susceptible path of entry for rogue hackers into the corporate networks of an organization. This paper discusses the core components of Web Application code-injection attacks and the limitations of existing approaches (such as regular expression searches) to prevent such attacks; the paper introduces a new generalized approach to solving the code-injection problem by building new solution vectors based on compiler theory, in particular GLR parser theory combined with learning engines to solve the attack identification problem. A brief introduction to Trustifier ryū is provided as an example of practical implementation of the theories and concepts put forth in this paper.

 

  • Name: Karim Nathoo & Mike Sues
  • Title: Fuzzing Cows
  • Length: 50min
  • Abstract: What exactly is fuzzing? You have probably heard about it, so here we'll tell you what it's all about and why organizations should care about it. First of all, it's nothing about nmap or Nessus, and we promise not to refer to those tools anymore in our presentation! We'll start with a short archaeological venture into the history of fuzzing, where we started and the types of tools that were used back in the day up to the present, and then discuss the different forms of testing that fuzzing supports. We'll then delve into the weeds and discuss how one fuzzes, reviewing the development of protocol and API models and the different types of targets of our testing. Current open source and commercial tools and how they integrate with root cause analysis tools will be discussed along with some publicly-known successes associated with this form of testing. Along the way we'll demonstrate the different steps in fuzzing and use of tools along with at least one complete fuzzing example, including root cause analysis to locate a new vulnerability.

 

  • Name: Barton McKinley
  • Title: The Problem With Wearing a Red Shirt: 10 Things I Learned about Security from Star Trek
  • Length: 50min
  • Abstract: Star Trek premiered in 1966 – in a decade filled with turmoil – to tell the story of the intrepid crew of the starship Enterprise. In every episode, they encountered strange and deadly threats and countered them with bravery, intellect and the judicious use of violence; pretty much the way that modern security professionals handle things. As well, each week, those in red shirts – the Enterprise security personnel – would wonder if they were being paid enough even as they were sent forth to be stunned, poisoned, pummeled and all too often vaporized while dealing with some new danger …again, pretty much like modern security pros. Over the years, Star Trek the Original Series has become legend and has spawned many incarnations – over 700 episodes in all. Millions of fans have taken hope, inspiration, joy and laughter away from its viewing; learning lessons about the value of diversity, loyalty and perseverance in the process. And there were important lessons on security as well. For example, never wear red to work if you are planning to go visit hostile aliens (or clients)…would be one.

 

  • Name: Sherif Koussa  - Principal Security Consultant - Software Secured - @skoussa
  • Title: White Box or Black Box? Is that really THE question? 
  • Length: 50min
  • Abstract: White Box security testing (AKA source code driven security assessment) and Black Box security testing (AKA web application penetration testing): the debate is still on as to which method of testing is better. This presentation will give an introduction to white box and black box testing, what some of the differences are, and the pros and cons of each approach. The presentation will also focus on differentiating the facts from myths when it comes to penetration testing and source code driven security assessment, and finally it will try to answer the question: should we white box or black box, or is that really THE question?

 

  • Name: Mike Sues
  • Title: Click Here for Phree 0ffer - Social Engineering Methodologies and Toolkits 
  • Length: 50min
  • Abstract: It seems as though everything we do in security is based on methodologies. Well, there is a good reason for this; so we have higher assurances of the quality of our analysis, process or whatever it is we are doing. So does social engineering have a methodology? Let's talk about some typical social engineering workflows and the sorts of tools that support these steps. In particular we will look at the Social Engineer Toolkit and how it fits into these workflows. Along the way we will share some of our experiences and war stories, sanitized of course to protect the guilty, of conducting Social Engineering over the years.

 

  • Name: Eric Skinner, CTO, Entrust   @EricSkinner
  • Title: The Evolving Authentication Landscape
  • Length: 50min
  • Abstract: The last couple of years have seen a rapid evolution in the threats faced by authentication systems. Malware has become the dominant threat in financial environments and presented a significant challenge to the status quo for banking authentication. I'll present a survey of authentication techniques, both passive and active, in software and hardware, and describe their strengths and weaknesses against newer threats. The few techniques left standing are imperfect -- so where does this leave us heading forward?

 

  • Name: Ron Bowes @iagox86
  • Title: The Nmap Scripting Engine: Making Nmap work for you! 
  • Length: 50min
  • Abstract: The Nmap Scripting Engine, or NSE, has brought Nmap's power to an unprecedented level. More than just a portscanner, Nmap's Scripting Engine has the speed and power to scan thousands of hosts in parallel, quickly and with amazing results. Whether building packets from the ground up (such as probing DHCP or finding sniffers) or using high-level protocols (such as MSRPC or AFS), NSE makes it easy. In this highly technical presentation, the audience will be introduced to some interesting NSE scripts, be shown in detail how they work, and learn how to write their own from scratch. Learn how to make Nmap work for you! 

 

  • Name: Jorge Sebastiao @4jorge
  • Title: Security Did you Know Version 3.0? 
  • Length: 50min
  • Abstract: Security is not a product but rather a skilled continuous process. One of the biggest mistakes of today's CSOs and administrators is to become comfortable with the security measures they have put in place. Many of them simply base their security on the wrong assumptions. A variety of security measures and technologies we use today have been broken and are no longer effective. So updating our body of knowledge is key to allow the deployment of effective countermeasures. The following is a refreshing practical talk on the latest in IT Security.

 
