Speakers

Raul Alvarez

Fortinet


Raul Alvarez is a Senior Security Researcher/AV Team Lead at Fortinet, where he conducts research on new advancements in malware technologies. As one of the lead trainers in the AV team, he trains the junior AV and IPS analysts on malware analysis and reverse engineering. He regularly writes articles for the Fortinet blog website. He is also a regular contributor to the Virus Bulletin publication, where he currently has 22 published articles.

Presenting: Hunting Layered Malware

Malware varies mostly in the visible payloads that it manifests. We can see it infecting files, uninstalling antimalware applications, stealing important documents, controlling our computers remotely, and performing other malicious activities. What we don’t see is how these are implemented within the malware code. Modern malware uses different techniques to protect itself from detection, analysis, and eradication. Some malware even uses layers to obfuscate the way it uses these protections. Layers in malware are defense mechanisms against deep analysis. Within these layers, different malware tricks are also deployed. In this presentation, we are going to look into Scieron and Vawtrak, two different malware families that implement layers differently. We will see some video demos of how some of the malware code is executed within the context of a debugger. Finally, we are going to leverage Volatility, a memory forensics tool, to detect the presence of layers in an infected system.


Milind Bhargava

TELUS


Milind Bhargava is a Security Consultant at TELUS Communications Inc., where he works with a team of other operations analysts to proactively investigate and analyze customer traffic, while also providing threat intelligence on attacks, campaigns, and zero-days in order to protect customers’ environments and enhance their security posture. Prior to TELUS, he worked in IT in Network Support roles and was Head of IT for an Oil & Gas MNC in the Middle East.

Presenting: Lighting up the Canadian Darknet Financially

Most are familiar with the term Darknet. Many have ventured in a few times out of curiosity. For me, the Darknet is an untapped source of Threat Intelligence and, in some cases, amusement. The news you see online about things being sold on the Darknet mostly concerns the United States, the Russians, Credit Cards and Drugs. While those are the most sought-after topics, there is a lot people don’t know about Canada’s Darknet shore. The talk covers interesting yet shocking information about Credit Cards, PayPal Accounts, Bank Accounts, Financial Data, PII, Fake IDs, Money Laundering and more. The final objective is to highlight the Canadian market and why we should not ignore it.

Daniel Boteanu

KPMG

Daniel Boteanu, MEng, MSc, works in KPMG Canada’s Forensic Technology group where he performs breach and fraud investigations.

Daniel has extensive experience in research, investigation and penetration testing. His research has identified several previously unknown vulnerabilities within widely deployed telecommunications equipment and security access cards.

Presenting: Bypassing of Self-Encrypting Drives – Techniques for Hackers and Forensic Investigators

Full-Disk Encryption (FDE) solutions are used by both legitimate enterprises and unlawful individuals to protect against the disclosure of sensitive data at rest. Hardware-based FDE, known as Self-Encrypting Drives (SEDs), has penetrated the market and is advertised as being more secure and as having zero overhead. This session will explore SED solutions and fundamental security issues with the current state of the standards that can be used to bypass the encryption and access the data on protected drives.

Michael Gale

Pason Systems

Michael’s passion is to write software and design infrastructure that helps other people excel at their jobs. He fosters a passionate desire to learn new things and develop as a person. He enjoys working with other people to solve real world problems in the infrastructure space. Michael has worked for Pason Systems since 2005, for the past 3 years as an IT Architect and before that in Linux Network Admin and SRE positions.

Presenting: OpenStack Security

So you have deployed OpenStack in your data center and opened it up to end users. Now everyone is building instances and creating networks. But who can access what, and from where? How is network communication security handled in an OpenStack environment? In this talk we will review how network communication is handled inside OpenStack, network access to Projects / Tenants, OpenStack API endpoints and endpoint transport security. We will also cover some of the OpenStack best practices for isolating projects and services.

Ross Gibb

Cisco


Ross Gibb is a security researcher based in Calgary. Since 2015, he has worked at Cisco improving the efficacy of Cisco’s Advanced Malware Protection (AMP) product line. Prior to joining Cisco, Ross analyzed malware used in targeted attacks, and actively worked to take down botnets, with some success. Ross has previously presented his research at other conferences, like VirusBulletin (Berlin, 2013).

Presenting: Adware’s New Upsell: Malware

Adware has long occupied the gray area between legitimate software and malware. Antivirus vendors have struggled in recent years to classify adware. Labels given to adware, such as "misleading application", and "potentially unwanted application", attempt to warn the end user about what they are about to install. Some Antivirus vendors allow nuisance adware to be installed if it meets certain criteria, like having a digital signature, a EULA, and an uninstall method. What are corporate security analysts to do about adware? In many organizations antivirus adware detection events are ignored or silenced if users are given some amount of freedom to install software on their machines. Is this safe? This presentation will discuss a case of malware being delivered by adware. Upon contacting the owners of the infected systems, it was discovered local administrators had already been notified about the affected machines by their antivirus vendor, but only about adware installed on the system. The administrators chose to ignore the notifications, because adware detections were quite numerous and considered innocuous. The novel method used to detect the infection will be discussed, along with technical information from reverse engineering the malware.

Shelly Giesbrecht

Deloitte Canada


Shelly Giesbrecht is living the dream as an incident responder for Deloitte in Calgary, Alberta. In her “spare” time, Shelly is also a SANS Technology Institute MSISE student, and is currently GREM, GCFA, GCFE, GCIA, GCIH and GSEC certified. Shelly has been working in security operations since 2006 but learned her craft from the ground up as a helpdesk analyst over 15 years ago. She enjoys imaging servers in candlelight, writing regex to relax, and her favorite registry key is AppCompatCache.

Presenting: Rising from the Ashes: How to rebuild a security program gone wrong… with help from Taylor Swift

All good security programs have people, process and technology that make them run smoothly. But what happens when your security program has been derailed by a major incident, your company’s reputation has taken a hit, or even worse, the security team has lost the trust of the larger organization? With a little help from Taylor Swift song titles, your security program can rise like a phoenix from the proverbial ashes.

Tim Helming

DomainTools


Tim Helming has over 15 years of experience in infosec, from network to cloud to application attacks and defenses. At DomainTools, he helps define and evangelize the company’s growing portfolio of investigative and proactive defense offerings. He cut his security teeth at WatchGuard, rising from 1st level tech support rep to product owner of some of the best-selling SMB security appliances in history. Tim has spoken at security conferences such as BSides Las Vegas, FireEye/MIRcon, Infosec World, and AusCERT, as well as media events and technology partner conferences worldwide.

Presenting: Open Up A Can of OSINT On 'Em



Mike Hracs

Deloitte


Mike Hracs is currently working as a member of the Deloitte “Purple” team in Calgary, Alberta. He is a senior security operations analyst by day, and aids in Pen Testing or Incident Response when help is needed. Mike is currently GREM and GCFA certified, and has held many industry certifications throughout his career. Mike began his career in 2005 as a network engineer, eventually making the shift to security, and it’s been sunshine and lollipops since then. Mike enjoys sweet talking pcaps by moonlight and listening to dial-up modems to relax. His favourite routing protocol is BGP.

Presenting: Rising from the Ashes: How to rebuild a security program gone wrong… with help from Taylor Swift

All good security programs have people, process and technology that make them run smoothly. But what happens when your security program has been derailed by a major incident, your company’s reputation has taken a hit, or even worse, the security team has lost the trust of the larger organization? With a little help from Taylor Swift song titles, your security program can rise like a phoenix from the proverbial ashes.

Jeremy Kennelly


Jeremy is a technical intelligence analyst working on behalf of his employer to assist major clients across all verticals to identify, triage, and handle security incidents. In past lives he has worked as a security operations analyst and security architect, and has also briefly served on a security governance team, all at major Calgary energy companies.

Presenting: Being Intelligent about Threat Intelligence


Marc Kneppers


Security was not the original plan. Marc started in Astrophysics, getting degrees from the University of Calgary and Western Ontario before finally quitting with his MSc to scrounge for money in the private sector. Luckily, the Internet was waiting. Starting as a UNIX system administrator and working his way through Internet services, dot coms and the core networking teams, Marc ended up as the Security prime for TELUS’ core networks. With a nod to his 15 years of experience in IT/networking security Marc was appointed a TELUS Fellow and is now the Chief Security Architect for TELUS.

As Chief Security Architect, Marc has responsibilities for security oversight and strategy across all of TELUS’ technologies and portfolios. He represents TELUS on Canadian national infrastructure forums and industry boards with membership in international security forums and vendor advisory boards. Outside of work, he lives in Calgary with his wife and 2 children, skis, bikes and plays in a band.

Presenting: BGP Security: What can be done about 1-hop trust?

Currently BGP security is one-hop trust, meaning that you only ever trust your direct peer, but any information that comes from an ASN beyond that peer is of unknown quality. This leads to the possibility of man-in-the-middle attacks where an organization in the routing chain injects routes that it isn't administratively responsible for and is able to redirect traffic for these routes to itself. Current solutions to this problem involve a complete re-working of the Internet (Next generation Internet protocols) or protocol modifications and add-ons (RPKI). While these hold promise, they involve a lot of infrastructure changes and heavy lifting. In the interim, what's to be done to improve the situation? Taking a national Critical Infrastructure level view, I propose that Canadian ASNs (or any trust group, for that matter) could band together and implement a low-cost solution that ensures the integrity of critical routes by simply advertising more specific prefixes than is generally allowed by Internet standards. The question is how much BGP integrity would be gained with a focus on securing routing traffic within a single hop, vs. the traffic that originates from multiple hops. In this talk, I'll review the security problem, a few of the alternate approaches (SCION, RPKI), an analysis of the peering traffic at TELUS with respect to one-hop routing, and an evaluation of the benefits that might be gained by a Canadian BGP routing exchange. As this study is not yet complete, I can't predict the results, but early indications are that 70% of OUR peering traffic does not require more than a single hop (e.g. originates via a trusted partner) and would lend itself to this solution. Audience members should come away with an understanding of BGP one-hop trust and man-in-the-middle routing vulnerabilities, in addition to an awareness of proposed solutions to fix the problem. In addition, this knowledge will be further informed by the results of a peering traffic analysis on a Canadian communication provider's network.
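The following Python model is an added illustration of the one-hop trust idea in the abstract above; it is example code written for this page, not code from the talk or from TELUS. It assumes the common operational convention that IPv4 announcements longer than /24 are dropped by most networks (a convention, not a standard), and the prefixes, ASNs and trust-group membership are constructed sample data. The import policy keys off the direct peer a route arrived from, not the origin ASN in AS_PATH, because a forger further down the chain can set any origin it likes but cannot change which session delivered the update.

```python
import ipaddress
from collections import namedtuple

# A received route: the prefix, the origin ASN claimed in AS_PATH, and the
# direct peer (one hop) the announcement actually arrived from.
Route = namedtuple("Route", "net origin_asn from_peer")

# Assumptions for this example (constructed, not from the talk): most networks
# drop IPv4 announcements longer than /24, and the trust group is the set of
# ASNs we have direct sessions with. The prefixes below are private space.
MAX_GENERIC_PREFIXLEN = 24
TRUST_GROUP = {64496}


def accept(rib, prefix, origin_asn, from_peer, trust_group=TRUST_GROUP):
    """Import policy. Returns True if the route is installed in the RIB.

    More-specifics beyond the conventional limit are accepted only from a
    direct, trusted peer. The check uses from_peer, never origin_asn: anyone
    beyond one hop can forge the origin, but not the session the update used.
    """
    net = ipaddress.ip_network(prefix)
    if net.prefixlen > MAX_GENERIC_PREFIXLEN and from_peer not in trust_group:
        return False
    rib.append(Route(net, origin_asn, from_peer))
    return True


def select(rib, dst):
    """Forwarding lookup: longest prefix match wins before any BGP tie-break."""
    dst = ipaddress.ip_address(dst)
    covering = [r for r in rib if dst in r.net]
    return max(covering, key=lambda r: r.net.prefixlen) if covering else None


def scenario():
    """Hijack, mitigation, and a forged-origin attempt; returns who wins each time."""
    rib = []
    accept(rib, "10.10.0.0/16", 64496, 64496)   # victim's aggregate, trusted direct peer
    accept(rib, "10.10.5.0/24", 64511, 64511)   # hijacker's more-specific, untrusted peer
    hijacked = select(rib, "10.10.5.7")         # /24 beats /16: traffic goes to 64511

    # Mitigation: the victim pushes /25s to the trust group, beating any /24
    # an outsider can get accepted.
    accept(rib, "10.10.5.0/25", 64496, 64496)
    accept(rib, "10.10.5.128/25", 64496, 64496)
    restored = select(rib, "10.10.5.7")         # /25 beats /24: traffic back to 64496

    # The hijacker forges the victim's origin ASN but is still an untrusted peer.
    forged = accept(rib, "10.10.5.0/25", 64496, 64511)
    return hijacked.from_peer, restored.from_peer, forged


if __name__ == "__main__":
    print(scenario())  # (64511, 64496, False)
```

The caveat the model makes visible: the /25s only protect traffic whose path stays inside the trust group. A network outside the group that filters anything longer than /24 never learns the /25s and keeps following the hijacker's /24, which is why the abstract's question of how much traffic really stays within one trusted hop matters.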

Doug Leece


Doug Leece is an information security professional from Calgary, Alberta with over 20 years of experience in telephony, information systems and security. He was a system and network administrator dating back to the times when security was just part of the job instead of a separate department and an MCSE was your ticket to fame and fortune.

Doug began full time security consulting in 2006 with clientele ranging from small not-for-profits to Fortune 500 companies in various industries, including oil & gas, retail, transportation, public utilities, health, education, government and gaming clients. Despite being seen regularly in a shirt and tie, he’s still an avid techie doing independent research in the areas of network security in the enterprise and industrial control system areas.

Qualifications: A large collection of certs, training and academia, the requisite 10,000 hours in the trenches and a continued fascination with all things computer.

Presenting: Situational awareness through spreadsheets, or Big data PCAP Frankenstein

In 2016 infosec needs to be a business enabler; the days of "just say no" and expecting paper tigers to defend against the onslaught of emerging threats are long gone, if these were ever the answer in the first place. While graphs and pie charts have seldom wowed techies, those who write the cheques need credible summary data to make the decisions that determine if the doors will still be open next year. One only needs to look at a firewall log for 5 minutes to confirm we are drowning in data but still stuck on answering "are we secure" when senior leadership asks. This presentation will summarize one nerd's journey into big data and risk analysis as a means to demonstrate attack patterns through statistics and visualization. The two goals of this approach are: increase credibility in the board room by demonstrating the ability to summarize the apparent randomness of network attacks into attacker profiles, and assist solution designers and defenders in balancing the technical defences with the business priorities. We are all special snowflakes to one degree or another, so this project will release some tools that allow easy customization to suit the measurements needed, be that recurring monthly reports or one-time analysis during an incident response. Most of us have limited budgets, so everything is free and open source.
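As an added example of turning raw flow records into the "attacker profiles" the abstract describes (written for this page, not one of the tools the talk releases), the Python below aggregates firewall-style flow exports per source address, classifies each source by the shape of its activity, and emits CSV that a spreadsheet can chart. The flow rows are constructed, not captured traffic, and the classification thresholds are assumptions to be tuned against your own baseline.

```python
import csv
import io
from collections import Counter, defaultdict

# Classification thresholds: assumptions for this example, not empirically derived.
SCAN_PORTS = 10     # distinct destination ports from one source against at most two hosts
SWEEP_HOSTS = 10    # distinct destination hosts from one source on a single port
HAMMER_FLOWS = 10   # repeated flows from one source to one host:port (brute force)


def build_sample_csv():
    """Constructed firewall flow export (not real traffic): ts,src,dst,dport,proto,action."""
    rows, t = [], 0

    def add(src, dst, dport, action):
        nonlocal t
        t += 1
        rows.append((t, src, dst, dport, "tcp", action))

    for p in range(20, 45):                    # vertical scan: one host, 25 ports, all denied
        add("198.51.100.7", "203.0.113.10", p, "deny")
    for h in range(1, 16):                     # horizontal sweep: 15 hosts, port 445
        add("198.51.100.9", f"203.0.113.{h}", 445, "deny")
    for _ in range(30):                        # brute force: one host:22, 30 attempts
        add("198.51.100.11", "203.0.113.20", 22, "allow")
    for _ in range(3):                         # ordinary client traffic
        add("192.0.2.5", "203.0.113.10", 443, "allow")
    out = io.StringIO()
    w = csv.writer(out, lineterminator="\n")
    w.writerow(["ts", "src", "dst", "dport", "proto", "action"])
    w.writerows(rows)
    return out.getvalue()


def parse_flows(text):
    """Read the CSV export into dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def profile_sources(flows):
    """Collapse per-flow noise into one row per source with a behavioural label."""
    agg = defaultdict(lambda: {"flows": 0, "denied": 0, "dsts": set(),
                               "dports": set(), "pairs": Counter()})
    for f in flows:
        a = agg[f["src"]]
        port = int(f["dport"])
        a["flows"] += 1
        a["denied"] += f["action"] == "deny"
        a["dsts"].add(f["dst"])
        a["dports"].add(port)
        a["pairs"][(f["dst"], port)] += 1

    profiles = {}
    for src, a in agg.items():
        n_dst, n_port = len(a["dsts"]), len(a["dports"])
        busiest_pair = a["pairs"].most_common(1)[0][1]
        if n_port >= SCAN_PORTS and n_dst <= 2:
            label = "vertical scan"
        elif n_dst >= SWEEP_HOSTS and n_port == 1:
            label = "horizontal sweep"
        elif busiest_pair >= HAMMER_FLOWS and n_dst == 1 and n_port == 1:
            label = "single-service hammering"
        else:
            label = "unclassified"
        profiles[src] = {"label": label, "flows": a["flows"], "hosts": n_dst,
                         "ports": n_port, "deny_ratio": round(a["denied"] / a["flows"], 2)}
    return profiles


def to_csv(profiles):
    """Rows a spreadsheet or dashboard can ingest directly, busiest source first."""
    out = io.StringIO()
    w = csv.writer(out, lineterminator="\n")
    w.writerow(["src", "label", "flows", "hosts", "ports", "deny_ratio"])
    for src, p in sorted(profiles.items(), key=lambda kv: -kv[1]["flows"]):
        w.writerow([src, p["label"], p["flows"], p["hosts"], p["ports"], p["deny_ratio"]])
    return out.getvalue()


if __name__ == "__main__":
    print(to_csv(profile_sources(parse_flows(build_sample_csv()))))
```

The summary table is what goes to the people who write the cheques; the per-flow detail stays available for the incident responder. Swap `parse_flows` for a reader over your own firewall or NetFlow export and keep the column names, and the rest of the pipeline carries over.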

Sarah Lewis

Amazon


Sarah Jamie Lewis is a security researcher living in Vancouver, Canada. She currently builds and (mostly) breaks systems at a large tech company. In the past Sarah has designed and developed large stream processing systems, taught science / crypto classes in schools, developed secure proxies, conducted security audits and worked on a variety of open source projects.

Presenting: How To Fail As A Darknet Druglord

In recent years the number of so-called "darknet" marketplaces has exploded. Most people have heard of Silk Road, but there have been many others lurking beneath the surface; and they have all, without exception, failed spectacularly. This talk will explore the ways in which some of these marketplaces have met their end and will hopefully answer the important questions like "Should I really use PHP?" and "Why should I never try to buy a house with Bitcoin?" The talk will apply these failures to the current state of anonymous applications and examine how we can build more robust systems to protect everyone.

David Lindner

nVisium


David is an experienced Application Security Professional with over 15 years of experience in the computer security industry. During this time, David has worked within multiple disciplines in the security field, including application development, network architecture design and support, IT security and consulting, and application security. Over the past 6 years, David has specialized in all things related to mobile applications and securing them. David has supported many different clients including financial, government, automobile, healthcare, and retail. In his spare time, David hones his Mobile and IoT testing skills by participating in numerous bug bounties.

Presenting: Don't Touch Me That Way

With over 3.1 million applications in the Apple AppStore and Google Play Store, and more than 7.5 billion mobile subscribers in the world, mobile application security has been shoved into the forefront of many organizations. One of the newly added features on mobile devices is that of a fingerprint reader. Both iOS and Android provide access to the hardware fingerprint reader through APIs. The fingerprint APIs can be used correctly and incorrectly. Join David as he shows how the APIs work, how you can use them correctly and incorrectly, and how a malicious actor may attack the fingerprint APIs.

Stephen Mathezer

iON Secured Networks


Stephen is a local security leader, educator and practitioner with over 15 years of experience helping drive effective, business focused security. He is also a SANS instructor teaching a variety of classes in the penetration testing, incident response and industrial control system curricula. As a Director at iON Secured Networks, Stephen uses his experience and knowledge to assess, recommend and implement effective security practices and solutions. He was previously a technical lead and then manager for security teams including ICS, security operations and architecture at Encana and Cenovus. After completing a BSc in Computer Science, Stephen first cut his teeth developing operating system and network level software.

Presenting: Back to Basics - We Don't Need a Better Mousetrap

There is no shortage of security products and technologies that each claim to address a critical need. I love getting new toys just as much as the next guy, but do we really need more security technology? We can build much better security than we are today using the tools that we already have. I will share the areas where I see the biggest gaps over and over again and what can be done today to get the greatest benefit. Let’s pause for a minute and have a discussion about how to maximize security (not costs), leverage the capabilities that we have but aren't using today and explain to management why focusing on the basics when it comes to security is good for business.


Paul Piotrowski

Shell Canada


Presenting: Managing ICS Cyber Security

Managing ICS Cyber Security within an organization is challenging. Learn what types of ICS Incidents can occur in a large organization and how to implement proven best practices to better manage the response. Practical advice on how to manage ICS Cyber Security initiatives will also be discussed.

Fergus Raphael


Presenting: Web Dev (In)Security

Joshua Reynolds

Cisco


Joshua Reynolds is a part of the Research & Efficacy Team at Cisco Systems that assists in increasing the efficacy of the AMP for Endpoints and AMP ThreatGrid product lines through a number of development efforts. Joshua joined Cisco through the Sourcefire, Inc. acquisition by Cisco Systems where he performed quality assurance for the AMP for Endpoints product line.

Prior to joining Sourcefire Joshua was a System Administrator at the Calgary based consulting company Graycon Group LTD, and interned at Red Hat Asia Pacific’s Penetration Testing team while finishing his Bachelor’s degree in Information Technology at Griffith University in Australia. Joshua also holds a diploma of Information Technology from the Southern Alberta Institute of Technology where he graduated with honors.

Presenting: Ransomware: From Script Kiddies to Cyber Criminals

A new age of malware is upon us that takes advantage of the emotional vulnerability and attachment to our unprotected data. This data ranges from videos of our children to databases of client information that is invaluable to us in many respects. This malware has been popularized by the media in recent years due to its impact on everyone from large corporations to local store owners. It is commonly known as "Ransomware" where files are held hostage by being encrypted with sophisticated cryptographic algorithms which are unbreakable for the majority of stakeholders affected if implemented correctly. The only way files can be decrypted is by supplying the 'hostage takers' with a ransom in the form of digital currency. Throughout this presentation we will discuss ransomware delivery mechanisms and low level details of their implementations varying in sophistication.

Jeremy Richards

SAINT Corporation


Jeremy Richards from SAINT Corporation writes unauthenticated vulnerability checks for software and embedded devices by reverse engineering firmware and security patches to identify pre- and post-patch signatures. Jeremy has identified numerous vulnerabilities in routers, embedded, IoT, and medical devices.

Presenting: Reverse Engineering Hardware 101

In this talk we tear apart IoT devices, inspect their components, extract the software, discover debug interfaces and gain root. The home automation Wink Hub is used as a test-bed as we cover the most important topics for those interested in tearing apart and understanding embedded devices. We will go over methods of gaining control of the system using JTAG, UART, and direct firmware access by dumping flash. We will do all of this with a $55 BeagleBone Black running open-source tools.
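Once the flash contents are on disk, the next step is working out what is in the dump. The Python below is an added example for this page, not a tool from the talk and not tied to the Wink Hub's actual image layout: it scans a raw dump for a few container signatures typical of embedded Linux firmware, verifies U-Boot legacy (uImage) headers by their header and data CRCs so a stray magic does not count, and inflates gzip members to look inside them. The sample dump is constructed in `build_sample_image`; the image name "wink-kernel" and the load and entry addresses are made up for the example.

```python
import gzip
import struct
import zlib

# Magic bytes for containers commonly found in embedded flash dumps.
SIGNATURES = {
    b"\x27\x05\x19\x56": "uImage",       # U-Boot legacy image header
    b"\x1f\x8b\x08": "gzip",             # gzip member (deflate)
    b"hsqs": "squashfs-le",              # little-endian SquashFS superblock
    b"UBI#": "ubi",                      # UBI erase-counter header
    b"\x7fELF": "elf",
}
UIMAGE_MAGIC = 0x27051956
UIMAGE = struct.Struct(">IIIIIIIBBBB32s")  # 64-byte big-endian legacy header


def parse_uimage(blob, off):
    """Verify a uImage header at blob[off:]; None unless magic and both CRCs check out."""
    if len(blob) - off < UIMAGE.size:
        return None
    magic, hcrc, _ts, size, load, ep, dcrc, _os, _arch, _typ, comp, name = UIMAGE.unpack_from(blob, off)
    if magic != UIMAGE_MAGIC:
        return None
    hdr = bytearray(blob[off:off + UIMAGE.size])
    hdr[4:8] = b"\0\0\0\0"                    # header CRC is computed with its own field zeroed
    if zlib.crc32(bytes(hdr)) & 0xffffffff != hcrc:
        return None
    data = blob[off + UIMAGE.size:off + UIMAGE.size + size]
    if len(data) != size or zlib.crc32(data) & 0xffffffff != dcrc:
        return None
    return {"name": name.rstrip(b"\0").decode(), "size": size,
            "load": load, "entry": ep, "comp": comp}


def carve_gzip(blob, off):
    """Inflate one gzip member starting at off; (payload, end_offset) or None if not a real stream."""
    d = zlib.decompressobj(16 + zlib.MAX_WBITS)   # gzip-wrapped deflate only
    try:
        out = d.decompress(blob[off:])
    except zlib.error:
        return None
    if not d.eof:
        return None
    return out, len(blob) - len(d.unused_data)


def scan(blob):
    """Return (offset, kind, detail) for each signature found, verified where possible."""
    hits = []
    for magic, kind in SIGNATURES.items():
        off = blob.find(magic)
        while off != -1:
            detail = None
            if kind == "uImage":
                detail = parse_uimage(blob, off)
            elif kind == "gzip":
                res = carve_gzip(blob, off)
                if res:
                    inner, end = res
                    detail = {"end": end, "inflated": len(inner), "inner": scan(inner)}
            if kind not in ("uImage", "gzip") or detail is not None:
                hits.append((off, kind, detail))
            off = blob.find(magic, off + 1)
    return sorted(hits, key=lambda h: h[0])


def build_uimage(payload, name):
    """Wrap payload in a uImage header (os=Linux, arch=ARM, type=kernel, comp=gzip)."""
    fields = [UIMAGE_MAGIC, 0, 0, len(payload), 0x80008000, 0x80008000,
              zlib.crc32(payload) & 0xffffffff, 5, 2, 2, 1, name]
    fields[1] = zlib.crc32(UIMAGE.pack(*fields)) & 0xffffffff
    return UIMAGE.pack(*fields) + payload


def build_sample_image():
    """Constructed flash dump: erased padding, a gzip'd 'kernel' in a uImage, then a SquashFS magic."""
    kernel = b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\0" * 8 + b"fake kernel text\n" * 32
    uimg = build_uimage(gzip.compress(kernel, mtime=0), b"wink-kernel")
    squash = b"hsqs" + b"\0" * 92              # superblock magic only, enough to be located
    return b"\xff" * 512 + uimg + b"\xff" * 64 + squash


if __name__ == "__main__":
    for off, kind, detail in scan(build_sample_image()):
        print(f"0x{off:06x} {kind} {detail}")
```

The CRC checks are what make the uImage hits trustworthy; a three-byte gzip magic or a four-byte ASCII string will occur by chance in a few megabytes of NAND, so anything you cannot validate or inflate should be treated as a candidate, not a finding.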

Kevin Ripa


Kevin J. Ripa, is the owner of Computer Evidence Recovery, and Pro Data Recovery, in Calgary. He is a former member, in various capacities, of the Department of National Defence serving in both foreign and domestic postings. He is now providing superior service to various levels of law enforcement, Fortune 500 companies, and the legal community, and has assisted in many complex cyber-forensics and hacking response investigations around the world.

Kevin is a respected and sought after individual for his expertise in Information Technology investigations, and he has been qualified as an expert witness on numerous occasions at virtually all levels of the judicial process. He also gives training and lectures to industry and law enforcement around the world. Kevin holds a number of industry certifications, and has authored numerous articles in circulation, as well as chapters to a number of manuals, books, and training texts on the subjects of Computer Security and Forensics, and Data Recovery.

Presenting: 10 Biggest Myths About Computer Forensics (and other things)

This is a light-hearted, but very true presentation that dispels many of the common myths surrounding a number of things in the computer forensics world. One example is, "Can freezing a hard drive recover the data?". Another one is, "Can a virus even put child porn on a computer?" You'll just have to come and find out what the other 8 are, and the answers to all 10!


Mark Shykula


Calgary-based Information Security professional with 25 years of experience in IT security, enterprise infrastructure, consulting, IT governance and audit work. Industry experience includes oil and gas, telecommunications, government, critical infrastructure and technology industries. Personally interested in ICS security, along with an unexplainable interest in control frameworks. Currently holds CISSP, CISA and CISM certifications as well as a very expired NT 4.0 MCSE.

Presenting: An introduction to a career in infosec: Tales and advice from a grouchy, bitter old man

This talk will be a (hopefully) entertaining and realistic look into the world of Information Security as a career. It is meant to provide students as well as newcomers to the InfoSec space a real world introduction based on one man’s opinion and experiences along with combined nuggets of wisdom from his peers. We will be discussing areas such as:

- Don’t cross the streams - Forensics, Vulnerability and Penetration Testing, Architecture, Networks, Applications, Governance and Compliance: Where does my education and prior IT experience fit best?
- A love/hate relationship: Working with and for the business
- The facts of life: Budgets, resources, priorities, oh my!
- Judge Dread: Governance, compliance, policies and process – Or how I learned to love control frameworks and audits
- How to be worth more than a $50 vulnerability scan: Adding value to VAs and PenTests
- Certs, huh, good God, what are they good for?
- Rebel vs. Empire: Consultant or employee – The good, the bad and the ugly
- Try it now!: Dealing with frustration, apathy and indifference
- Is Mr. Robot just a (very cool) show?: Being realistic about what to expect day to day

Old timers are welcome to attend and provide their personal wisdom and advice. Please note: This is not a self-help group for suffering veterans – no hugs will be provided.

Richard Sillito


Richard has logged 25 years in the IT industry and is currently a Solution Architect, IT Security at WestJet, a Canadian low-cost airline. He’s a key player in the creation of SAMS, a security architecture model designed to improve the way security is implemented in corporate environments.

Presenting: Realizing That Simplified Security Was All About DevOps

As providers of infrastructure services we all have to agree that DevOps is a reality and something that we must prepare for. At the same time we are asking for tools to improve our operational efficiency. WestJet's IT Security Team came to the realization that these two drivers are nicely aligned. Let me show you how WestJet is architecting solutions for automated security and how these solutions are paving the way for DevOps.

John Stauffacher


John Stauffacher (@g33kspeed) is a guy who breaks stuff. Author, Consultant, Speaker, Security Expert. With over 15 years in IT and Security, Mr Stauffacher has spent the last 4 years within Optiv Security advising clients on security defense, application security, and incident response.

Presenting: Son of a Breach...How not to write a breach notification

With more and more governments requiring breach notifications to customers in response to an event, it is critical that we take a look at how we are positioning the message. What information do we disclose, and what information does the customer need to take action? This talk takes a deep dive through publicly available breach notifications and points out the ones that are doing it right, and sadly the ones that fail so badly it is almost comical.

Veronica Valeros


Veronica Valeros is a security researcher from Argentina. Since 2013, she has worked as a malware analyst at Cognitive Threat Analytics (CTA, a part of Cisco Systems), Prague, Czech Republic, where she specializes in malware network traffic analysis, network behavioral patterns, and threat categorization. Prior to CTA, Veronica worked independently on various projects involving data analysis, machine learning, and malware sandboxing. Veronica is also the co-founder of MatesLab hackerspace, Buenos Aires, Argentina.

Presenting: Adware’s New Upsell: Malware

Adware has long occupied the gray area between legitimate software and malware. Antivirus vendors have struggled in recent years to classify adware. Labels given to adware, such as "misleading application", and "potentially unwanted application", attempt to warn the end user about what they are about to install. Some Antivirus vendors allow nuisance adware to be installed if it meets certain criteria, like having a digital signature, a EULA, and an uninstall method. What are corporate security analysts to do about adware? In many organizations antivirus adware detection events are ignored or silenced if users are given some amount of freedom to install software on their machines. Is this safe? This presentation will discuss a case of malware being delivered by adware. Upon contacting the owners of the infected systems, it was discovered local administrators had already been notified about the affected machines by their antivirus vendor, but only about adware installed on the system. The administrators chose to ignore the notifications, because adware detections were quite numerous and considered innocuous. The novel method used to detect the infection will be discussed, along with technical information from reverse engineering the malware.


Henry “Codenry” Wanjala


Henry Wanjala was born on 14/07/1989, in Jinja in Uganda. He studied in Jinja for both elementary and high school. Henry went to university in Uganda’s Capital, Kampala where he graduated with a Degree in Software Engineering.

Mr. Wanjala is involved with the robotics literacy movement in Africa. In February of 2016 he mentored high school students in London, Ontario, Canada for the FIRST Robotics Competition in March of 2016. In September of 2015 he spoke at the DerbyCon hacking conference in Kentucky.

Henry is currently coding a web application that enables people to help small-scale initiatives globally that are working to improve social, humanitarian and environmental issues.

Presenting: Robotics in third world countries

With the rise of robotics and programming for children, I feel like other remote places of the world are being left behind. Bridging the gap through charity will empower the poor to access and learn robotics and computer programming. It is the reason I want to share with you how it is all done and how it can be improved.