NorthSec 2024

08:00
60min
Doors open and Registration - Thursday

🥐 ☕ 🥯 🧃 Breakfast sponsored by KeepSec

Ville-Marie
08:00
60min
Registration - Thursday

Refreshments sponsored by KoaSec

Salle de Bal
09:00
15min
Conference Introduction

Opening speech by our President, the Conference VP and our sponsor CyberEco

Ville-Marie
09:15
30min
Technical Analysis Past, Present, and Future - Insights from a Reverse Engineering Perspective
Sergei Frankoff

A few helpful notes from over a decade of reverse engineering malware and documenting the process along the way! By the end of this, you will be able to unpack most malware with a single breakpoint... maybe?

Malware
Ville-Marie
10:00
30min
API: Alternate Pathway to Injection
Fennix

API documentation often gives the simplest, most bare-bones example to get something running. This runs into the old adage: nothing is more permanent than a temporary solution. Come join me and walk through a particularly fun example of cloud API documentation showing you the wrong way.

Included will be a deep dive and demo of a vulnerability caused directly by this kind of mistake which maybe shows that Phreaking is alive and well in 2024.

Application security
Ville-Marie
10:00
180min
CTF 101
Simon Nolet (Viper)

Are you eager to discover the fundamentals of CTF (Capture The Flag)? Join us for a hands-on workshop designed to help beginners make the most out of the CTF experience. Learn the basics of CTF and get acquainted with its mechanics in this interactive session. Come give it a try and immerse yourself in the thrill of the challenge! The workshop is given in French.

Scène de la Commune
10:00
120min
Mastering Exegol
Charlie Bromberg (Shutdown), Mathieu Calemard du Gardin (Dramelac)

Learn to perform penetration tests in a secure, professional and efficient way with Exegol. Get a head start with this training, which focuses on how professionals can easily set up and use their Docker-based penetration testing environment in a few minutes, without difficulty.
The days of unprofessional, insecure and laborious penetration tests are over.

Workshop 1
10:00
120min
Prevent First, Detect Second: An Open-Source Approach
Sagie, Dekel Paz

As the authors of this talk can testify from experience, it feels almost impossible to detect cyberattacks, let alone stop them. Alert fatigue and a shortage of automation, skills, and personnel further exacerbate this problem, emphasizing the need for prevention mechanisms that allow defenders time to investigate threats.

Incident response, even if automated, is best done after an attack has already been thwarted. Easier said than done? Not really if you use the right tools!

The right tools we will discuss in this talk are our open-source RPC-Firewall and LDAP-Firewall.
First, we prevent! We show how these tools can be used in every Microsoft domain environment to halt innumerable attacks throughout the kill chain. We can stop the initial stages of an attack by preventing domain enumeration via SharpHound, BloodHound.py, SOAPHound, and various LDAP queries. We can also prevent numerous types of privilege escalation and lateral movement attacks, including DCSync attacks, remote DCOM execution, PsExec, PetitPotam attacks, coercion attacks, and many more.

Second, we detect! Our open-source tools write Windows events to the local event logs, which can be easily forwarded to your local SIEM. The RPC Firewall and LDAP Firewall also have their own Sigma rules published for them, making detection engineering even simpler. Using Sentinel as an example, we show how these events can be ingested into any SIEM, how baselines can be easily created, and how detection rules are formulated.

Finally, we will summarize with RPC and LDAP firewall internals, which will help guide the security community on how to better contribute, expand, and customize these open-source tools to bring more value to the community.
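
As an added illustration of the baseline-then-detect approach the abstract describes (example code written for this page, not the RPC Firewall project's own tooling, and not its real event schema): RPC audit events are modeled as records with assumed field names (host, client, interface, opnum, action), a learning window builds a per-host baseline of which callers use which interfaces, and live events are flagged either because they hit a known-dangerous interface from a non-domain-controller or because the caller/interface pair was never seen before. The interface UUIDs for DRSUAPI, EFSRPC and SAMR are the real ones from the MS-RPC specifications; the sample events are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass

# Interface UUIDs are real values from the MS-RPC specifications. The event
# field names and the sample events are constructed for this example and are
# NOT the RPC Firewall's actual event schema.
MS_DRSR = "e3514235-4b06-11d1-ab04-00c04fc2dcd2"  # DRSUAPI; opnum 3 = DRSGetNCChanges (DCSync)
MS_EFSR = "c681d488-d850-11d0-8c52-00c04fd90f7e"  # EFSRPC; abused for PetitPotam-style coercion
MS_SAMR = "12345778-1234-abcd-ef00-0123456789ac"  # SAMR; routinely called by legitimate clients

# (interface, opnum) -> label; an opnum of None matches every opnum on that interface
HIGH_RISK = {
    (MS_DRSR, 3): "DCSync (DRSGetNCChanges)",
    (MS_EFSR, None): "EFSRPC coercion (PetitPotam family)",
}


@dataclass(frozen=True)
class RpcEvent:
    host: str        # server that logged the call
    client: str      # caller address or name
    interface: str   # RPC interface UUID
    opnum: int
    action: str      # "allow" or "block", as decided by the firewall


def build_baseline(events):
    """Learning phase: per host, the set of (client, interface) pairs considered normal."""
    baseline = defaultdict(set)
    for e in events:
        baseline[e.host].add((e.client, e.interface))
    return baseline


def risk_label(e):
    return HIGH_RISK.get((e.interface, e.opnum)) or HIGH_RISK.get((e.interface, None))


def detect(events, baseline, domain_controllers):
    """Return (event, reason) pairs: high-risk calls from non-DCs are always flagged,
    everything else is flagged only when it falls outside the learned baseline."""
    alerts = []
    for e in events:
        label = risk_label(e)
        if label and e.client not in domain_controllers:
            alerts.append((e, f"high-risk: {label} from non-DC {e.client}"))
        elif label is None and (e.client, e.interface) not in baseline[e.host]:
            alerts.append((e, f"new client/interface pair on {e.host}: {e.client} -> {e.interface}"))
    return alerts


DCS = {"dc01", "dc02"}

LEARNING = [  # constructed: "normal" traffic observed on dc01 during the learning window
    RpcEvent("dc01", "dc02", MS_DRSR, 3, "allow"),       # replication partner pulling changes
    RpcEvent("dc01", "10.0.0.5", MS_SAMR, 1, "allow"),   # helpdesk host querying SAMR
]
LIVE = [  # constructed: later events to evaluate against the baseline
    RpcEvent("dc01", "10.0.0.5", MS_SAMR, 1, "allow"),   # baselined, stays quiet
    RpcEvent("dc01", "10.0.0.77", MS_DRSR, 3, "block"),  # DCSync attempt from a workstation
    RpcEvent("dc01", "10.0.0.5", MS_EFSR, 0, "block"),   # coercion attempt from the helpdesk host
    RpcEvent("dc01", "10.0.0.9", MS_SAMR, 1, "allow"),   # never-seen client, outside baseline
]


def run_demo():
    return detect(LIVE, build_baseline(LEARNING), DCS)


if __name__ == "__main__":
    for event, why in run_demo():
        print(f"[{event.action}] {why}")
```

The two tiers matter: DCSync from a non-DC is never something you want to learn into a baseline, so it is matched on the interface and opnum regardless of history, while the baseline catches the long tail of enumeration and lateral movement that has no fixed signature.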

Workshop 2
10:00
120min
Soldering workshop

REGISTRATION REQUIRED HERE: https://tickets.nsec.io/2024/

Join us for a hands-on soldering workshop where you'll uncover the secrets of crafting your own electronic badge - bring your Brain or Sputnik badge if you have one!

In this exciting workshop, you'll learn soldering techniques while breathing new life into your (Sputnik/Brain) badge. Learn to hack your badge to add new features and customize it to your heart's content. It's a unique opportunity to enhance your electronics skills while walking away with a one-of-a-kind, personalized keepsake! The workshop is given in English.

An additional fee is required to cover the cost of materials. REGISTRATION REQUIRED HERE: https://tickets.nsec.io/2024/

Soldering Village
10:00
450min
Thursday Community Booths

You are cordially invited to come explore the community hall, where the convergence of technology, fun, and learning awaits you. Whether you're a gaming enthusiast, a seasoned technophile, or simply curious to discover new things, we'll be expecting you there!

Discover our booths:

  • Guys, Games and Beer (G2B)
  • Cybercap
  • Tabletop games
  • Sticker exchange
  • Foulab
  • Lockpicking
  • Pickpocketing: Come learn and be amazed by Canada's Pickpocket Magician! Back for a third year, James Harrison will perform his mind-blowing sleight of hand techniques up close. You might even learn a trick or two!
  • HR village

and much more!

Salle de la Commune
10:00
30min
With Great gAIn Comes Greater Security Issues - When ML Frameworks' Scale for Growth Incorporates Security Risks to Users' Cloud Accounts
Berenice Flores

Several Machine Learning/Big Data frameworks have become very popular in the past year following the release of ChatGPT. This sudden popularity has meant that scaling parallel computing for growth comes first, leaving aside the implementation of security mechanisms in some of the frameworks' components. In this talk I will go over the research process I performed on one of these frameworks in an AWS install, showing how it started as two vulnerabilities in a web dashboard and quickly became privilege escalation in an AWS account.

Machine Learning
Salle de Bal
10:45
30min
Under the Radar: How we found 0-days in the Build Pipeline of OSS Packages
François Proulx, Benoit Cote-Jodoin

Beyond the buzzword of 'supply chain security' lies a critical, frequently ignored area: the build pipelines of open source packages. In this talk, we discuss how we've developed a data analysis infrastructure that targets these overlooked vulnerabilities. Our efforts have led to the discovery of 0-days in major OSS projects, such as Terraform providers and modules, AWS Helm charts, and popular GitHub Actions. We will present a detailed attack tree for GitHub Actions pipelines, offering a deeper analysis than the prior art, and outlining attacks and mitigations. In addition, we will introduce a unique reference for 'Living Off the Pipeline' (LOTP) components, aimed at providing red and blue teams with a way to prioritize the riskier scenarios.
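
Two of the most common build-pipeline weaknesses in GitHub Actions workflows are a `pull_request_target` (or similar privileged) trigger that checks out the pull request head, so a fork's code runs with the repository's write token, and an untrusted event field such as the PR title interpolated straight into a `run:` script, where `${{ }}` expansion happens before the shell sees it. The scanner below is an added example written for this page (it is not the speakers' analysis infrastructure or the LOTP reference); it operates on the parsed form of a workflow, and the two sample workflows are constructed, one vulnerable and one hardened.

```python
import re

# Event fields an outside contributor controls. Interpolating them into a run:
# script is shell injection, because ${{ }} is expanded before the shell runs.
UNTRUSTED_EXPR = re.compile(
    r"\$\{\{\s*github\.event\.("
    r"pull_request\.(title|body|head\.ref|head\.label)|"
    r"issue\.(title|body)|comment\.body|review\.body)\s*\}\}"
)
PR_HEAD = re.compile(r"github\.event\.pull_request\.head\.(sha|ref)")
# Triggers whose jobs get a write-capable GITHUB_TOKEN and repository secrets
# even when the event originated from a fork.
PRIVILEGED_TRIGGERS = {"pull_request_target", "issue_comment", "workflow_run"}


def triggers(workflow):
    # PyYAML resolves a bare `on:` key to the boolean True (YAML 1.1), so accept both keys.
    on = workflow.get("on", workflow.get(True, {}))
    if isinstance(on, str):
        return {on}
    return set(on)  # list of names, or dict keyed by event name


def scan_workflow(workflow):
    """Return (job name, step index, finding) triples for the parsed workflow."""
    findings = []
    privileged = bool(triggers(workflow) & PRIVILEGED_TRIGGERS)
    for job_name, job in workflow.get("jobs", {}).items():
        for i, step in enumerate(job.get("steps", [])):
            uses = str(step.get("uses", ""))
            ref = str((step.get("with") or {}).get("ref", ""))
            if privileged and uses.startswith("actions/checkout") and PR_HEAD.search(ref):
                findings.append((job_name, i,
                    "pwn request: PR head checked out under a privileged trigger; any later "
                    "step that builds or tests it runs the contributor's code with this job's token"))
            if UNTRUSTED_EXPR.search(str(step.get("run", ""))):
                findings.append((job_name, i,
                    "expression injection: untrusted event field interpolated into run:"))
    return findings


VULNERABLE = {  # constructed workflow, as a YAML parser would hand it over
    "name": "PR check",
    "on": {"pull_request_target": {"types": ["opened", "synchronize"]}},
    "permissions": {"contents": "write", "pull-requests": "write"},
    "jobs": {"test": {"runs-on": "ubuntu-latest", "steps": [
        {"uses": "actions/checkout@v4",
         "with": {"ref": "${{ github.event.pull_request.head.sha }}"}},
        {"run": "npm ci && npm test"},
        {"run": 'echo "Checking: ${{ github.event.pull_request.title }}"'},
    ]}},
}

HARDENED = {  # same job, fixed: read-only trigger, no head override, data passed via env
    "name": "PR check",
    "on": {"pull_request": {"types": ["opened", "synchronize"]}},
    "permissions": {"contents": "read"},
    "jobs": {"test": {"runs-on": "ubuntu-latest", "steps": [
        {"uses": "actions/checkout@v4"},
        {"run": "npm ci && npm test"},
        {"env": {"PR_TITLE": "${{ github.event.pull_request.title }}"},
         "run": 'echo "Checking: $PR_TITLE"'},
    ]}},
}

if __name__ == "__main__":
    for name, wf in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        print(name, scan_workflow(wf) or "clean")
```

The hardened variant keeps the untrusted title out of the script text entirely: the value reaches the shell only as an environment variable, which the shell never re-parses, and the `pull_request` trigger gives fork-originated runs a read-only token so even a successful injection has little to take.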

Application security
Ville-Marie
10:45
30min
What's New is Old - Parallels of OWASP's Top 10 for LLMs and Web Applications
Logan MacLaren

LLMs are the hot new thing, and are exciting enough to even have their own OWASP Top 10 as of 2023! But are these vulnerabilities really any different from what we already see in more traditional web applications?

In this talk, Logan will explore the different vulnerability families from the new OWASP Top 10 for LLM Applications, discuss the different scenarios represented therein with a focus on real-world exploitation scenarios, and outline how they parallel the vulnerabilities that we've all grown to love and pwn over the years.

Attendees should leave this talk with a more complete understanding of the vulnerabilities manifesting in LLM applications, how these vulnerabilities can directly affect end users, and scenarios to be conscious of when developing for, or around, LLM applications.

Machine Learning
Salle de Bal
11:30
30min
AppSec Q&A
Fennix, Benoit Cote-Jodoin, François Proulx, Philippe Arteau

Q&A Discussion for the AppSec block

Application security
Ville-Marie
11:30
30min
Machine Learning Q&A
François LabrÚche, Berenice Flores, Logan MacLaren

Q&A Discussion for the Machine Learning (ML) block.

Machine Learning
Salle de Bal
13:00
30min
Ebury, 10 years in: The evolution of a sophisticated Linux server threat
Marc-Etienne M.Léveillé

In 2014, we published a paper about Operation Windigo, where we described a cluster of server-side threats fuelled by Ebury, a backdoor and credential stealer injected into the OpenSSH server and client of compromised servers. That report shed light on web traffic redirections, delivery of Windows malware, and spam campaigns, all using Ebury-compromised servers.

After the arrest and extradition of one of the perpetrators in 2015, some of the monetization activities temporarily stopped, but not all of the botnet’s activities. Ebury continued to be updated and deployed to tens of thousands of servers each year, to reach a cumulative total of nearly 400,000 victims since 2009, the first year Ebury was seen. Moreover, we have discovered its operators have added more tools to their arsenal, such as Apache modules to exfiltrate HTTP requests or proxy traffic, Linux kernel modules to perform traffic redirections, and modified Netfilter tools to inject and hide firewall rules.

For this investigation we set up honeypots to collect Ebury samples and understand deployment tactics, and partnered with law enforcement. This gave us unique visibility into the perpetrators’ activities, which expanded to include cryptocurrency theft and possibly exfiltration of credit card details. We now have a better understanding of how they expand their botnet not only by stealing credentials, but also by actively trying to compromise the hosting provider’s infrastructure to deploy malware on all of the providers’ customer-rented servers. In some cases, this resulted in the compromise of tens of thousands of servers, hosting millions of domains.

The latest update to Ebury, versioned 1.8.2, was first seen in January 2024. In the past years, clever userland rootkit functionalities were added to Ebury, which make its detection a lot more difficult than before. From a system administrator’s perspective, not only is the malware file absent, but none of the resources it uses – such as processes, sockets, and mapped memory – are listed when inspecting the system.

This presentation not only reveals the latest toolset of the Ebury gang, but also discusses detection techniques to protect against some of the trickiest Linux threats. Some techniques are specific to Ebury, but most apply to the detection of any userland rootkit.

Malware
Ville-Marie
13:00
90min
Amateur Radio Basic Competency Exam

An invaluable opportunity for those aspiring to obtain their amateur radio licence: take the basic competency exam during NorthSec!

Workshop 2
13:00
30min
Hardware Hacking Curiosity
Adrien Lasalle

This talk, centered around curiosity and its transformative power, reflects my personal exploration into uncharted territory, an area that few people are familiar with. Surprisingly, I had no prior experience with hardware hacking; everything I've learned so far, I learned from scratch, thanks to countless YouTube tutorials and extensive PDF books.

I'm excited to share my discoveries and experiences thus far, highlighting the potential that curiosity holds in reshaping one's path. This talk aims to provide you with the fundamentals of protocols, types of devices, and the equipment needed to start. Additionally, I will guide you on how to undertake your first hardware hacking project on a connected device. Are you up for joining me on this adventure?

Hardware
Salle de Bal
13:00
180min
How crypto gets broken (by you)
Ben Gardiner

This is an introduction to crypto: building blocks, protocols and attacks on them. We cover: encoding vs encryption, hashes, 'classic' crypto, stream ciphers, block ciphers, symmetric crypto, asymmetric crypto, hash attacks, classic crypto attacks, stream cipher attacks, block cipher attack models, ECB attacks, crypto protocols, digital signatures, message authentication codes, nonces, simple authentication, challenge-response, simple authentication attacks (key collisions, key extraction and extension, replay, valet, bad counter resync), MAC attacks, digital signature attacks, pubkey substitution, challenge-response attacks (middleperson attack, UDS-style seed-key predictions), WPA2 password cracking, WPA2 key reinstallation, WPA2 key nulling, TLS/SSL middleperson attacks, SWEET32, DROWN, Logjam, POODLE, UDS seed-key exchange attacks (reverse key algorithm, lift key algorithm, solve for unknowns, retry-retry-retry, brute force, glitch past).

Tools covered include: rumkin.com, hashcat, John the Ripper, binwalk, radare2, binvis.io, Veles, aircrack-ng, mitmproxy, MITMf.

The workshop is a ‘101’ level: geared for people good at computers but maybe no knowledge of cryptography. There will be minimal math (I promise). We’ll talk mostly about how to break bad crypto and bad crypto algorithms with 10-15min hands-on sessions integrated into 4 hours of workshop: Decrypt ‘Crypto’, Break Hashes, Break Crypto, Visualize Crypto.

We will explore three applications of the building blocks and attacks also. Towards the end we tie-in the building blocks and attacks into how the following crypto protocols get broken: WPA2, TLS and UDS Seed-Key exchange (from automotive). Please join us for an intro-level exploration of cryptography building blocks, protocols and how to attack them. And, as always, crypto means cryptography.

Workshop 1
13:45
30min
Scrutiny Debugger - Debug, test and configure embedded software through instrumentation
Pier-Yves Lessard

Debugging and testing an embedded application is always painful. A serial printf might not be enough, and a high-end JTAG probe with 1000+ pages of documentation might be too costly or complex.

Scrutiny Debugger is a new open source project that offers an alternative by enabling remote control of the target's memory through any communication channel (serial, UDP, etc.). How does that work? A Python server continuously communicates with an embedded application that runs a small instrumentation library. Using the debugging symbols extracted at compile time, the server exposes all the variables and the memory layout to client applications through a WebSocket API. Two clients are available: an Electron GUI and a Python SDK for programmatic interaction with the server.

Clients can read and write variables or raw memory. They can graph variables, either as continuous time logging or as embedded graphs that trigger on a specific variable change, the way an oscilloscope does. Not the best fit for low-level driver development, but ideal for high-level embedded applications.

The Python SDK is fully synchronized with the target device, meaning that a Python script can run remotely and behave as if it were an internal thread inside the device, only with slow memory access times. This is a powerful enabler for HIL (hardware-in-the-loop) testing.

Hardware
Salle de Bal
13:45
30min
Will the real attribution please stand up?
Alexis Dorais-Joncas, Greg Lesnewich

Does attribution of cyber operations actually matter? It depends on who's asking. Using real-world APT examples from threats attributed to Iran, Turkey, North Korea and Russia, we'll demonstrate what details go into attribution work from the perspective of an email security vendor, why attribution can be useful for defenders, and how blue teams can use it to better inform threat modeling and risk. We'll define attribution, compare the concepts of attribution and Attribution, discuss how softer attribution should be paired with harder, more technical attribution, and then close by discussing potential pitfalls we've seen with attribution while working for the government, for private corporations and at a security vendor.

Malware
Ville-Marie
14:30
30min
Hardware Q&A
Marc-André Labonté, Pier-Yves Lessard, Adrien Lasalle

Q&A Discussion for the hardware block

Hardware
Salle de Bal
14:30
30min
Reverse-Engineering Nim Malware: Or a brief tale of analyzing the compiler for a language I had never used
Alexandre CÎté

Nim has become the language of choice for a number of libraries and tools used by red teamers and pentesters. Much like with Mimikatz and Cobalt Strike before, malicious actors have started putting some of the same tooling to their nefarious purposes. One such example is Mustang Panda, a China-aligned APT that started using Nim to create custom loaders for their Korplug backdoor. For attackers, using a less common language also has benefits when it comes to evading defenses and hindering analysts' work; we have seen the same thing with the growth of malware written in Go and Rust.
In this presentation, we will go over some of the specific challenges associated with analyzing Nim malware. We will then present tips and tools to help mitigate these difficulties. This will include the presentation of Nimfilt, our analysis script for IDA Pro, which we will release shortly before the conference.
Finally, we will demonstrate the use of Nimfilt and other publicly available tools on real malware samples.

Malware
Ville-Marie
15:00
60min
PolySécure podcast recording

PolySécure is a French-language cybersecurity podcast for professionals and the curious, running since 2020.

The podcast is divided into six main segments:

Curieux: A segment for the general public, explaining specialized topics that may seem impenetrable
PME: A segment for small and medium-sized businesses, where cybersecurity challenges are real but resources are limited
Professionnel: A segment for those working in cybersecurity or a related field
Teknik: A segment for those who want to dig deeper into specialized cybersecurity topics
Juridik: A segment on the legal questions (reminder: we do not give legal advice; please consult your lawyer for a legal opinion) affecting the world of technology and cybersecurity. We regularly cover topics related to privacy and the laws that protect it.
H'umain: A segment that puts people at the centre of attention, since people are not the weakest link but the strongest link in cybersecurity.

All episodes and research notes can be found at polysecure.ca

Studio Podcast
15:15
30min
Insert coin: Hacking arcades for fun
Ignacio Navarro

Since we were children we wanted to go to the arcade and play for hours and hours for free. How about we do it now? In this talk I’m gonna show you some vulnerabilities that I discovered in the cashless system of one of the biggest companies in the world, with over 2,300 installations across 70 countries. We will talk about api security, access control and nfc among other things.

Other
Salle de Bal
15:15
30min
Malware Q&A
Pierre-Marc Bureau, Sergei Frankoff, Alexis Dorais-Joncas, Marc-Etienne M.Léveillé, Alexandre CÎté, Greg Lesnewich

Q&A Discussion for the malware block.

Malware
Ville-Marie
16:00
30min
Crowdsourced DDoS Attacks Amid Geopolitical Events
Zaid Osta

This talk examines the rise of crowdsourced DDoS attacks amid geopolitical events, focusing on the Russia-Ukraine and Israel-Hamas conflicts. Once the domain of well-resourced actors, large-scale attacks now involve networks of novices using open-source tools, provided there are enough individuals sympathetic to a particular political ideology or cause. To incentivize participation, hacktivists employ leaderboards, cryptocurrency rewards, and gamified ranking systems based on contributions to DDoS attacks. This transforms disruptive criminal attacks against services into a competitive and commoditized activity.

Other
Salle de Bal
16:00
30min
Unveiling the OT Threat Landscape
Camille Felx Leduc, Thomas Poinsignon Clavel

Let us take you on a journey through the OT threat landscape. We will start our voyage by looking at what the global threat landscape looks like today, with a focus on Canadian (and Quebecois) events of note. We will then explore how these landscapes have evolved and the earthquakes that have shaped them in recent months and years. We will wrap up by covering some intelligence-informed takeaways and recommendations on how to weather the incoming rogue waves of the OT ocean.

Other
Ville-Marie
16:45
30min
Cyber Incident Command System: A Firefighter's Approach to Managing Cyber Incidents
AJ Jarrett

Let's face it, responding to cyber incidents is full of challenges but managing the dreaded "war room" shouldn't have to be one of them. In this talk AJ Jarrett, Incident Response Director at DTCC and former firefighter will discuss how cybersecurity and IT teams can leverage the tactics and techniques used by first responders during disasters to bring cyber incident response to the next level.

Other
Salle de Bal
16:45
30min
UnRegister Me - Advanced Techniques for hunting and securing user registration vulnerabilities.
Priyank

In a mobile-first world, user registration using only a phone number has become common, and the phone number has become the primary method of authentication because of its convenience and speed. These systems may or may not verify other details about the user, such as their email address, and typically rely on Single Sign-On (SSO) identity providers as well.

This talk explores the potential issues that can arise when multiple systems are used for authentication, and how these can lead to vulnerabilities. We will touch upon how authentication and authorization bugs can originate from user registration and how this can lead to full account takeover, password stealing, and denial of service. The speaker will draw from their own experiences in identifying and addressing these vulnerabilities, providing valuable insights into this common issue.

Finally, the talk concludes by discussing potential solutions and stronger controls that can be implemented to prevent these issues from occurring.

Attendee Takeaways
* Security engineers will gain valuable experience in identifying and addressing authentication bugs, helping them to improve their skills in this area.
* Developers will be encouraged to think more broadly about potential edge cases and vulnerabilities in their applications, leading to stronger and more secure authentication and authorization controls.
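
One concrete way registration bugs turn into account takeover is the pre-registration pattern: a service lets a user sign up with a verified phone number and an email address it never verifies, and later links an SSO identity to whichever local account carries the same email. The model below is an added example written for this page (a constructed toy service, not the speaker's findings or any real product); it shows the vulnerable linking logic next to a hardened version that only merges identities when both sides have proven ownership of the email.

```python
from dataclasses import dataclass, field
from typing import Optional, Set


@dataclass
class Account:
    id: int
    phone: Optional[str]
    email: Optional[str]
    email_verified: bool
    password: Optional[str]              # plaintext only because this is a toy model
    idps: Set[str] = field(default_factory=set)


class Service:
    def __init__(self):
        self.accounts = {}
        self._next_id = 1

    def _create(self, **fields):
        acct = Account(self._next_id, **fields)
        self.accounts[acct.id] = acct
        self._next_id += 1
        return acct

    def _by_email(self, email):
        return next((a for a in self.accounts.values() if a.email == email), None)

    def register_by_phone(self, phone, password, email=None):
        # The phone is checked by OTP out of band; the email is stored as typed, never verified.
        return self._create(phone=phone, email=email, email_verified=False, password=password)

    def password_login(self, email, password):
        acct = self._by_email(email)
        return acct if acct is not None and acct.password == password else None


class VulnerableService(Service):
    def sso_login(self, idp, email, idp_says_verified):
        # Links the IdP identity to whatever local account carries that email,
        # even though the local copy of the email was never verified.
        acct = self._by_email(email)
        if acct is None:
            acct = self._create(phone=None, email=email, email_verified=idp_says_verified, password=None)
        acct.idps.add(idp)
        return acct


class HardenedService(Service):
    def sso_login(self, idp, email, idp_says_verified):
        acct = self._by_email(email)
        if acct is not None and acct.email_verified and idp_says_verified:
            acct.idps.add(idp)           # both sides proved ownership: safe to link
            return acct
        # Never merge on an unverified match. The SSO user gets their own account;
        # a real system would also prompt the older account to verify or drop the email.
        acct = self._create(phone=None, email=email, email_verified=idp_says_verified, password=None)
        acct.idps.add(idp)
        return acct


def takeover_scenario(service_cls):
    """Attacker pre-registers with the victim's email; the victim later signs in via SSO.
    Returns True if the attacker's password now opens the account the victim is using."""
    svc = service_cls()
    svc.register_by_phone("+15550001111", "attacker-pw", email="victim@example.com")
    victim = svc.sso_login("google", "victim@example.com", idp_says_verified=True)
    later = svc.password_login("victim@example.com", "attacker-pw")
    return later is not None and later.id == victim.id


if __name__ == "__main__":
    print("vulnerable service hijacked:", takeover_scenario(VulnerableService))
    print("hardened service hijacked:", takeover_scenario(HardenedService))
```

The same unverified-email field also supports the denial-of-service angle from the abstract: in the vulnerable service, whoever registers the email first owns it, so the legitimate user can be locked out of SSO onboarding entirely. The hardened service treats an unverified attribute as worthless for linking, which is the rule to carry into any system that accepts identifiers from more than one source.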

Other
Ville-Marie
18:00
45min
Gaming on the video wall

Smash, Mario Kart, who knows...

Ville-Marie
19:30
45min
Pickpocket Show

Come and see James Harrison's unique craft!

https://pickpocketmagic.com

Ville-Marie
20:15
45min
Electroencephalogram (EEG) Duel

Come put your powers of concentration to the test in an EEG duel like you've never experienced!

Ville-Marie
21:00
180min
Thursday Party

Party with guest DJs from Toronto!

Ville-Marie
08:00
60min
Doors open and Registration - Friday

🥐 ☕ 🥯 🧃 Breakfast sponsored by IMC2

Ville-Marie
09:00
180min
Exploiting Ansible WorX and everything else
Simon Lacasse, Charl-alexandre Le Brun

Ansible WorX (AWX), the open-source version of Ansible Tower, is used to manage remote servers centrally. The application simplifies server management by building on the power of Ansible and adding inventory and permission management features. However, centralization often means a single point of failure.

For attackers, AWX is a prime target. If access to the platform is compromised, it is essential to know how to audit it. It would be easy to cause incidents and service outages, which must be avoided at all costs. That said, the payoff from using the access obtained is often counted in dozens of compromised servers, a major impact for any organization.

In this workshop, you will learn the different concepts related to AWX and Ansible. You will also learn to use AWX access with the goal of compromising the servers managed by the platform. Various scenarios and methods will be covered so you are ready for any eventuality.

To keep the workshop as smooth as possible, please pre-install the AWX CLI.

Workshop 2
09:00
180min
Reversing Rust Binaries: One step beyond strings
Cindy Xiao

Are you a seasoned reverse engineer, but you tremble when a Rust binary lands on your desk? When you encounter a Rust binary, do you just run strings on it and hope for the best?

We will take a single problem, string recovery from a Rust binary, and use it as an approachable starting point for exploring how to reverse Rust binaries. We will cover:

  • What are the practical steps we need to take to recover strings? How are strings represented in memory, passed between functions, and manipulated throughout the program?

  • Once we recover the strings, what do the strings mean? What can the strings we recover tell us about the compiler, language runtime, standard library, and third-party libraries in the binary?

This workshop is intended for reverse engineers and malware analysts who are familiar with reversing C or C++ binaries, but who are unfamiliar with the Rust programming language.

Workshop 1
09:15
30min
BEWARE of Infosec Influencers
W. Garrett Myler

Many are aware of clout-chasing influencers on social media. However, many have not considered this cultural phenomenon transcending into the professional world. From "thought leaders" on LinkedIn to law enforcement agencies on Twitter, it is not just Instagram models sharing content with the primary goal of getting more 'likes' and followers. In this presentation, Mr. Myler highlights examples of infosec influencers providing guidance that, at best, distracts from prioritized, risk-based cybersecurity.

Human in the Middle
Ville-Marie
09:15
30min
Heartbleed, ten years later
Louis Melançon

This year marks the ten-year anniversary of Heartbleed's discovery and public disclosure. Heartbleed was a severe flaw in the OpenSSL cryptographic library. It was publicly disclosed on April 7, 2014, initiating a long and arduous process of remediation for more than two thirds of all web servers on the internet. Anybody could potentially eavesdrop on communications, steal data or impersonate users for any vulnerable service or device, without leaving a trace. Described by some experts as "one of the most consequential vulnerabilities since the advent of the commercial internet", Heartbleed abruptly unveiled the insecure and unsustainable foundations on which the internet infrastructure was built.

How could so many major organizations (Google, Amazon, Facebook, financial and government institutions) depend on OpenSSL, a struggling free software project with one overworked full-time developer and $2,000 in yearly donations? How could they integrate its code without any proper security audit or reciprocal financial support?

This presentation traces the historical roots of the OpenSSL project and its growing adoption, from the mid 1990s up to 2014. Based on original interviews with OpenSSL developers and security experts as well as extensive archival research, it portrays a nascent cryptographic library written "as a learning exercise" during the turmoil of the Crypto Wars of the 1990s. Finally, this presentation explores some of the long-lasting effects Heartbleed has had on the tech industry and free software community, effects that still resonate to this day, ten years later.

Other
Salle de Bal
09:30
360min
Friday Community Booths

You are cordially invited to come explore the community hall, where the convergence of technology, fun, and learning awaits you. Whether you're a gaming enthusiast, a seasoned technophile, or simply curious to discover new things, we'll be expecting you there!

Discover our booths:

  • Guys, Games and Beer (G2B)
  • Cybercap
  • Tabletop games
  • Sticker exchange
  • Foulab
  • Lockpicking
  • Pickpocketing: Come learn and be amazed by Canada's Pickpocket Magician! Back for a third year, James Harrison will perform his mind-blowing sleight of hand techniques up close. You might even learn a trick or two!
  • HR village

and much more!

Salle de la Commune
09:30
180min
Soldering village

Open all day
Come learn or perfect your soldering technique! Our volunteers will help you get started or improve. First come, first served!

Soldering Village
10:00
10:00
30min
GraphRunner and Defending Your Microsoft Tenant
John Stoner

For organizations using Microsoft Entra ID (formerly known as Azure Active Directory) and O365, it’s fairly well understood that a set of default logs are readily available for use, no matter what log management tooling an organization is using. However, this standard logging has its limits.

Last fall, the team at Black Hills Information Security released a post exploitation kit called GraphRunner. This tool is focused on interacting with the Microsoft Graph API, which is the backbone that services Entra ID, O365 and many other services in the Microsoft cloud. The release of GraphRunner and future tools like it streamlines a number of activities that an adversary would perform after gaining access, making it simpler for anyone to use. While GraphRunner is a post exploitation toolkit, there are authentication functions that highlight how adversaries could use the OAuth authorization code flow to their advantage.

As a defender, this presents a set of challenges. Less sophisticated adversaries have a lower barrier to entry once they have gained access to the Graph API than they did before. It also highlights that the standard logging may not be sufficient to gain visibility into actions like the refreshing of tokens or other activities that a tool like GraphRunner provides.

This talk is designed to provide insight into additional data sets that Microsoft cloud users have access to but may not be as widely deployed. These additional data sets can provide defenders additional insight, detect suspicious activity and can serve as a hunting ground when confronted with an adversary using techniques like those found in GraphRunner.

Because GraphRunner contains numerous modules and is written in PowerShell, an adversary can customize it to their own needs. While we won’t be able to cover all possible permutations, our goal is to identify data sets and events that can assist defenders while using GraphRunner as a representative of the kinds of methods that adversaries might use.

Attendees will come away from this talk with:
- A greater understanding of GraphRunner and its capabilities
- Awareness of the logging available for the Graph API beyond the standard logging
- Ideas around how detections and hunts can be designed to identify GraphRunner activity

Other
Salle de Bal
10:00
30min
Real or fake? Tools to fight online disinformation
Christian Paquin

It is quite challenging to verify the origin of online content. In this era of disinformation exacerbated by ever-evolving AI tools, the creation of seemingly authentic fake accounts and content can be quite dangerous, with risks ranging from harming one’s reputation to damaging society as a whole.
Fortunately, content provenance technologies are emerging to fight this problem. The Coalition for Content Provenance and Authenticity (C2PA) is the leading effort allowing creators to cryptographically sign their digital assets and record subsequent edits, helping consumers confirm their origin and authenticity while keeping an auditable history of the data transformations. It has been adopted by leading technology providers (Microsoft, Google, Meta), camera manufacturers (Sony, Nikon), image/video editors (Adobe), generative AI companies (OpenAI, Midjourney), and news organizations (BBC, CBC/Radio-Canada, New York Times). C2PA is also at the forefront of the fight against election disinformation, and was one of two technologies mentioned in the recent AI Elections accord signed at the Munich security conference.
In this presentation, I’ll describe the C2PA use cases, specifications, and the lifecycle of a protected digital asset (such as images, videos, and audio clips) from their creation, to their modifications and validation. I’ll present open-source tools/SDKs that anyone can use to create and verify protected content or integrate this functionality in their applications and services.
I’ll also present the Cross-Platform Origin of Content (XPOC) framework allowing content owners to create authoritative lists of their social media accounts and content, addressing a slightly different provenance problem. I’ll give a demonstration of the open-source tools allowing anyone to self-host and verify XPOC manifests.

Human in the Middle
Ville-Marie
10:45
10:45
30min
I will look for you and I will find you: OSINT on publicly shared pictures
Patricia Gagnon-Renaud

Liam Neeson is coming for you. But how will he find you? Come to this talk to learn how the picture of a firetruck you took in front of your house and shared on Instagram two years ago will be the source of your demise.

In this talk, I will share how I developed this compulsive habit, in which I need to find where a picture was taken. We will cover how to perform open-source intelligence (OSINT) on publicly shared pictures and videos, which tools and techniques to use, accompanied with real step-by-step examples.

I believe that understanding how OSINT works is key to better protect ourselves online. I'm aiming to give you the tools and knowledge to be better cybersecurity professionals, and learn to be more careful and diligent online, all in a (hopefully) fun and engaging way.

Not convinced yet? This talk will also cover the following topics: metadata (d'oh!), physical keys (who doesn't like keys?), data in public registries, and conclude with Do's and Don'ts for everyone.

Human in the Middle
Ville-Marie
10:45
30min
Jupyter Jetpack: Automating Cloud Threat Hunting
Kai Iyer

The talk will outline detection and threat hunting strategies that could be easily adopted by a mature SOC to look for threats in their cloud (O365 and AWS) environment. I'll be introducing a Jupyter notebook containing detections mapped to the MITRE ATT&CK framework and threat hunting methodologies backed by unsupervised machine learning. We will take a look at huge datasets using visualizations to find anomalies. These anomalies would then be converted into high-fidelity detections, along with some ideas for extending this hunt to IAM platforms like Okta.

Other
Salle de Bal
11:30
11:30
30min
Double Trouble: Unmasking Twin Phishing Campaigns Targeting E-commerce and Travel Sites
Mangatas Tondang (@tas_kmanager)

In today's technology-driven landscape, the transition to digital transactions has eclipsed conventional face-to-face interactions, presenting novel challenges in ensuring transaction security. Users, perhaps inadvertently, heighten security risks by opening email attachments from phishing attempts, intensifying the complexities of online transaction security. Moreover, there exists the potential of voluntarily disclosing sensitive information, further adding intricacy to the digital transaction security landscape.

Compounding this issue, cyber attacks leverage customer data pilfered from compromised merchants. Victims find themselves coerced into divulging credit card details through a sophisticated, multi-step process. This research brings to light a new phishing campaign, unraveling the techniques, tactics, procedures (TTPs), and indicators of compromise (IoCs) employed by threat actors. These encompass the exploitation of the platform's chat function and the incorporation of transaction data to bolster the credibility of phishing pages.

The cyber attacks, though strikingly similar, employ urgent language and intimate knowledge of users' bookings, instilling credibility in deceitful messages. However, distinctive cues like odd URLs and typos serve as saviors for potential victims. Upon analysis, these campaigns redirect users to counterfeit sites that mirror legitimate e-commerce platforms. The craftiness of cyber criminals shines through identical HTML elements and scripts, meticulously validating data and even circumventing multi-factor authentication.

Further investigation unveils the tactics employed by cyber thieves: exploiting InfoStealer malware to breach hotel chat systems and amass valuable customer data, escalating their targeted attacks. Open-source intelligence tools reveal a broader scope: a twin campaign in which attackers have been impersonating various platforms since 2021, not limited to travel sites but extending to other e-commerce platforms as well. Domain fronting is also consistently employed to conceal their tracks, along with some other TTPs.

The research culminates in insights and recommendations to enhance the security of all parties involved. By implementing these suggestions, it is hoped that both platforms and merchant-customers can fortify their resilience, mitigating potential risks in the dynamic digital landscape.

Other
Salle de Bal
11:30
30min
Human in the Middle Q&A
Octavia Hexe, Patricia Gagnon-Renaud, W. Garrett Myler, Christian Paquin

Q&A Discussion for the Human in the Middle block.

Human in the Middle
Ville-Marie
13:00
13:00
30min
Browser is the new LSASS
Charles F. Hamilton (Mr.Un1k0d3r)

In a world where MFA is enabled on every portal and everything is a web application, red teamers can access cookies and cached information from your browser to gain access to everything without knowing a simple password or having access to your MFA.

Red team
Ville-Marie
13:00
180min
Machine Learning For Security Professionals: Building And Hacking ML Systems
Sagar Bhure

Our training provides an intuitive introduction to machine learning for security professionals with no prior knowledge of mathematics or ML. In the ML4SEC section, attendees will gain hands-on experience building ML-powered defensive and offensive security tools using popular libraries like TensorFlow, Keras, PyTorch, and scikit-learn. We’ll cover the entire ML pipeline, from pre-processing data to building, training, evaluating, and predicting with ML models. In the SEC4ML section, we’ll address vulnerabilities in state-of-the-art machine learning methodologies, including adversarial learning, model stealing, data poisoning, and model inference. Participants will work with vulnerable ML applications to gain a thorough understanding of these vulnerabilities and learn possible mitigation strategies. Our training provides practical knowledge that security professionals can apply in their work.

Workshop 1
13:00
120min
Soldering Workshop - Day 2 / Atelier de soudure - Jour 2

REGISTRATION REQUIRED HERE / INSCRIPTION OBLIGATOIRE ICI : https://tickets.nsec.io/2024/

Soldering (EN below) / Soudure (brasage)

Join us for a hands-on soldering workshop where you'll discover the secrets of your badges (bring your Sputnik or Brain badge!).

In this exciting workshop, you'll learn soldering techniques while giving your badges a new life. Learn to hack your badge to add new features and customize it.

It's a unique opportunity to develop your electronics skills while leaving with a unique, personalized keepsake! The workshop will be given in English.

REGISTRATION REQUIRED HERE: https://tickets.nsec.io/2024/

Join us for a hands-on soldering workshop where you'll uncover the secrets of crafting your own electronic badge - bring your Brain or Sputnik badge if you have one!

In this exciting workshop, you'll learn soldering techniques while breathing new life into your (Sputnik/Brain) badge. Learn to hack your badge to add new features and customize it to your heart's content. It's a unique opportunity to enhance your electronics skills while walking away with a one-of-a-kind, personalized keepsake!

An additional fee is required to cover the cost of materials. REGISTRATION REQUIRED HERE: https://tickets.nsec.io/2024/

Soldering Village
13:00
180min
Toolbox for reverse engineering and binary exploitation
Marc-André Labonté

The objective of the workshop is to learn how to use some powerful but intimidating tools while reverse engineering IoT devices: Angr, Unicorn and Qiling.

The workshop aims to show common use cases for each of these tools, as well as their limits.

To that end, the workshop proposes the following exercises:

  • Deciphering XOR-encrypted strings with Angr
  • Automated buffer overflow exploitation with Angr
  • Emulation of arbitrary functions or code blocks with Unicorn
  • Binary emulation with Qiling
  • Complete device emulation after firmware extraction with Renode

Workshop 2
13:15
13:15
45min
Guys Games and Beer Podcast Recording - Cybersecurity in the Video Game Industry

Podcast recording in front of a live audience in English. Contact us in #villages on Discord to be interviewed!

More info: https://www.facebook.com/GuysGamesAndBeer

Other
Scène de la Commune
13:45
13:45
30min
Simplified Malware Evasion - Entropy and other Techniques
Will Summerhill

Malware development and evasion techniques are becoming more difficult each day. EDRs are implementing signature-based detection, behaviour-based detection, as well as entropy-based detection techniques. Shellcode is often encoded/encrypted, which can give payloads high entropy (randomness), causing them to be detected and blocked by EDRs.

This presentation is the journey of a red teamer - improving their tools with simple techniques and learning about evasion and Windows internals along the way.

Through this talk, we will review the high-level theory behind evasion and present unique approaches to evasion techniques, including entropy reduction and shellcode callbacks. We will present a novel tool to reduce entropy via dictionary word shellcode encoding, and use Windows callback functions to launch our shellcode.

Furthermore, an overview of detecting these novel techniques will be discussed to help blue teamers in their jobs. Detection methods discussed include using YARA rules, ETW, and PE file memory scanners.

Participants will benefit from this talk in many ways. Red teamers can immediately benefit from the tool, which is publicly released along with C#/C++ code samples, and blue teamers can learn how to better detect these advanced techniques.

Red team
Ville-Marie
14:30
14:30
30min
Red Team Q&A
Laurent Desaulniers, Will Summerhill, Charles F. Hamilton (Mr.Un1k0d3r)

Q&A Discussion for the red team block.

Red team
Ville-Marie
15:15
15:15
30min
Finding signals in the noise: Why write exploits when attackers share them for free?
Ron Bowes

Did you know that ransomware groups are actually generous? They're so generous, in fact, that after putting all their time and effort into writing an exploit, they just share it with the internet for free! At GreyNoise, we've made it our mission to detect and categorize all traffic blasted onto the internet, which includes old exploits for old vulnerabilities, new exploits for new vulnerabilities, and everything in between. We'll show you what happens when an experienced exploit developer kicks back and lets others do the hard work - by building and deploying honeypots for emergent threats, we can spend our time analyzing what the baddies are up to, which vulnerabilities are actually being exploited, and who's being naughty. This talk will include real-world exploitation examples, including examples of exploits that would go on to join the Known Exploited Vulnerabilities (KEV) list. Armed with that information, security teams can use their limited resources much more efficiently by prioritizing the vulnerabilities that are under attack!

Other
Ville-Marie
15:15
60min
I will look for you and I will find you: OSINT Extras
Patricia Gagnon-Renaud

If you've enjoyed https://nsec.io/session/2024-i-will-look-for-you-and-i-will-find-you-osint-on-publicly-shared-pictures.html, or if you've missed it, this session is not to be missed! Patricia will cover contents that didn't fit in the condensed talk format.

Human in the Middle
Scène de la Commune
16:00
16:00
30min
Redefining Digital Security: A New Approach for IPV Victims
Corinne Pulgar

This presentation, informed by a collaborative research project led by CDEACF, the Alliance des Maisons 2e Étape and the Lab-2038, addresses the critical need for specialized digital privacy strategies in support of Intimate Partner Violence (IPV) victims. Rather than looking at what advice security experts can give to IPV victims, we investigate how user experience, security settings and data governance practices can directly impact their digital and physical safety. Our research highlights how generic, one-size-fits-all threat modelling and security policies by providers, including internet service providers, can inadvertently burden IPV victims. The talk emphasizes the importance of developing nuanced, victim-centred digital security approaches that acknowledge the unique challenges faced by IPV victims. It advocates for a collaborative effort among service providers, technologists, and social welfare experts to create more sensitive and effective digital privacy solutions tailored to the needs of IPV victims.

Other
Ville-Marie
16:45
16:45
30min
Lightning Talks

Lightning talks by the community for the community!

5 minutes, no sales pitches!

To enter, fill the form: https://forms.gle/fuUevAiRG3TaNHn77

Ville-Marie
17:15
17:15
15min
Conference Closing / Fermeture

Closing conference remarks // Fermeture de la conférence

Ville-Marie
18:00
18:00
60min
CTF Salle de Bal Registration / Enregistrement

Set up your table // Installez-vous

CTF
19:00
19:00
60min
CTF Salle de la commune Registration / Enregistrement

Set up your table // Installez-vous

CTF
20:00
20:00
30min
The CTF Begins // Ouverture du CTF

Opening speeches: welcome by Émile and theme reveal by Eric, followed by a speech from our sponsor Boost Security.

CTF
20:30
20:30
390min
CTF Day 1 // Competition Jour 1

Get all the flags, learn on the way. // Obtenez tous les drapeaux, apprenez au passage.

CTF