AtlSecCon 2014
AtlSecCon 2014 – Presentations
Jon Blanchard – 20 top Hacked and Defaced Maritime Websites
Mark Stanislav – Eyes on IZON: Surveilling IP Camera Security

AtlSecCon 2014 – Agenda – Day 1 – Thursday, March 27
Tracks: Track 1, Track 2, Track 3

8:30 AM – Registration
8:45 AM – Opening Remarks & Opening Keynote - Dr. Michael Geist
10:00 AM – Henry Stern - Beyond Zone File Access: Discovering Novel Domain Names Using Passive DNS; Colin O'Flynn - Hacking Embedded Systems: Power Analysis & Clock Glitching
10:45 AM – Morning Break
11:00 AM – (no listing)
11:45 AM – Catered Lunch - Compliments of HP and Mobia: David Fraser - Privacy and technology lawyer, Topic: Compliance - Legal & Regulatory Requirements & Obligations; Patrick O'Byrne – Senior Solution Architect, HP Enterprise Security, Topic: HP Enterprise Security ArcSight – How ArcSight technology can help with audit & compliance requirements.
1:00 PM – Russ Doucette - Advanced Malware: Do We Need Other Layers; David Shipley - Securing the Ivory Tower; Marc-Andre Belanger - Using Threat Modeling techniques to develop the ultimate keylogger
2:00 PM – Natalie Oldfield - Protecting your organization's most valuable asset; Norbert Griffin - The Blinky-Light Syndrome and why it's Not Making Us More Secure; Peter Morin - How many times did I use the bathroom today? An introduction to Open Source Intelligence
2:45 PM – Afternoon Break
3:00 PM – Jamie Rees - Information Assurance; Mike Doherty - Legal Issues in Computer Security Research; Ryan Wilson - Advanced Evasion Techniques (AETs), bypassing NextGen Firewall, IPS and other network security defenses. How do you keep up?
4:00 PM – Kellman Meghu - Weaponized Security
5:00 PM – Palo Alto Networks Social Mixer
8:00 PM – Speakers Dinner (Ticket Required)

AtlSecCon 2014 – Agenda – Day 2 – Friday, March 28
Tracks: Track 1 - Room 200B, Track 2 - Room 200D, Track 3 - Room 200C

9:00 AM – Opening Remarks
9:15 AM – Dale "Dr. Z" Zabriskie - The State of Mobile Security; Derek Manky - Beyond BYOD – Hacking the Internet of Things
10:00 AM – Rick Vanover - Data Protection Security Mishaps that you can Avoid; Dale O'Grady - Application Identification
10:45 AM – Morning Break
11:00 AM – Matias Katz - Hacking the Cloud; Ami Luttwak - An Inconvenient Zeus: The rise of SaaS Targeted Malware; Jean-Francois Gignac - The Economics of Cybercrime
11:45 AM – Catered Lunch - Compliments of Varonis: Vitaly Levin - Securing Unstructured Data, The Next Evolution of eDiscovery and Data Loss Prevention
1:00 PM – Mark Stanislav - Eyes on IZON: Surveilling IP Camera Security; Jon Blanchard - 20 top Hacked and Defaced Maritime Websites; James Placer - Payment Card Industry 3.0 Updates and Requirements from an Industry Perspective
2:00 PM – Sandy Fadale - How to Setup a Framework for the Governance of Enterprise IT; Joseph Malinka - "One ring to rule them all" – Using CPU Features to Enable Any Device to Protect Itself By Design; Guillaume Ross - URL Scheme Security on iOS
2:45 PM – Afternoon Break
3:00 PM – Closing Keynote - Brian Krebs
4:00 PM – Closing Remarks and Prize Draws

AtlSecCon 2014 – Speakers

Opening Keynote Speaker – Dr. Michael Geist

Dr. Michael Geist is a law professor at the University of Ottawa where he holds the Canada Research Chair in Internet and E-commerce Law. He has obtained a Bachelor of Laws (LL.B.) degree from Osgoode Hall Law School in Toronto, Master of Laws (LL.M.) degrees from Cambridge University in the UK and Columbia Law School in New York, and a Doctorate in Law (J.S.D.) from Columbia Law School. Dr. Geist is a syndicated columnist on technology law issues with his regular column appearing in the Toronto Star and the Ottawa Citizen.

Dr. Geist is the editor of several copyright books including The Copyright Pentalogy: How the Supreme Court of Canada Shook the Foundations of Canadian Copyright Law (2013, University of Ottawa Press), From "Radical Extremism" to "Balanced Copyright": Canadian Copyright and the Digital Agenda (2010, Irwin Law) and In the Public Interest: The Future of Canadian Copyright Law (2005, Irwin Law). He is also the editor of several monthly technology law publications, and the author of a popular blog on Internet and intellectual property law issues.

Dr. Geist serves on many boards, including the CANARIE Board of Directors, the Canadian Legal Information Institute Board of Directors, the Privacy Commissioner of Canada's Expert Advisory Board, the Electronic Frontier Foundation Advisory Board, and the Information Program Sub-Board of the Open Society Institute. He has received numerous awards for his work including the Kroeger Award for Policy Leadership and the Public Knowledge IP3 Award in 2010, the Les Fowlie Award for Intellectual Freedom from the Ontario Library Association in 2009, the Electronic Frontier Foundation's Pioneer Award in 2008, and CANARIE's IWAY Public Leadership Award for his contribution to the development of the Internet in Canada, and he was named one of Canada's Top 40 Under 40 in 2003. In 2010, Managing Intellectual Property named him one of the 50 most influential people on intellectual property in the world, and Canadian Lawyer named him one of the 25 most influential lawyers in Canada in 2011, 2012 and 2013. More information can be obtained at

Closing Keynote Speaker – Brian Krebs

Brian Krebs worked as a reporter for The Washington Post from 1995 to 2009, authoring more than 1,300 blog posts for the Security Fix blog, as well as hundreds of stories for washingtonpost.com and The Washington Post newspaper, including eight front-page stories in the dead-tree edition and a Post Magazine cover piece on botnet operators.
But you didn't really want to read my résumé, did you? What most people want to know is how I got into computer security, and whether I have a technical background in the field. The short answer is "by accident," and "no," respectively. I earned a Bachelor of Arts in International Studies from George Mason University in 1994, and at the time I wasn't much interested in computers, although I had programmed a bit on an Apple II and spent quite a bit of time visiting online bulletin boards as a kid.

It wasn't until 2001 — when my entire home network was overrun by a Chinese hacking group — that I became intensely interested in computer security. I had been monkeying with a default installation of Red Hat Linux (6.2) on an old Hewlett-Packard system, because for some reason I had it in my head that it would be fun to teach myself how to turn the spare computer into an oversized firewall [ah, the irony]. That is, until the Lion Worm came around and locked me out of my system. Twice. After that incident, I decided to learn as much as I could about computer and Internet security, and read most everything on the subject that I could get my hands on at the time. It's an obsession that hasn't let up.

Much of my knowledge about computers and Internet security comes from having cultivated regular and direct access to some of the smartest and most clueful geeks on the planet. The rest I think probably comes from a willingness to take risks, make mistakes, and learn from them. I am 40 years old, and live with my wife Jennifer in Northern Virginia. When I'm not at the computer, I most often spend my free time reading, writing, cooking, gardening, studying Russian and playing guitar. I also enjoy corresponding with readers, so shoot me a note and tell me what you think of the blog (

Speakers

Marc-André Bélanger

Marc-André Bélanger has been in IT since 1997 and in security since the end of the Y2K gold rush.
He is currently acting as a Senior Risk Officer within the insurance industry and has worked, throughout his career, in retail and banking. He has accumulated extensive experience in incident management, computer and mobile forensics and IT risk mitigation. He is a serious fan of hacking games and contests, hardware hacking and lock picking. He currently holds certifications in Fraud (CFE), Physical Security (CPO), Pen-Testing (CEPT), and Information System Security (CISSP).

Using Threat Modeling techniques to design the ultimate keylogger

Mostly used to elaborate risk mitigation strategies, Threat Modeling has been around for some time now… But let's see how we can integrate the techniques to iterate through system specifications. And, why not take a peek into the dark side and see how it can help us design the ultimate keylogger. We all know that a keylogger logs keys... But how can we make it better? What are the threats to the keylogger? Obviously, being detected is the most prevalent. But let's not get ahead of ourselves here… There are plenty of other features we'll want to integrate into the design besides being invisible.

Warning: This talk is not gonna teach you how to do Threat Modeling, nor how to integrate it into your "whatever letters acronym Lifecycle". It's all about using pretty colored graphs to facilitate requirements scoring and decision making through an iterative process. Moreover, trolls be warned, the term "Threat Modeling" is used to also designate "Risk Modeling" and "Attack Modeling".

Jon Blanchard

Jon Blanchard is a Speaker, Technology Columnist with Canada.com and the Globe and Mail as well as the Ethics Lead for the Nova Scotia Technology Guild based in Halifax, Canada.
Mr Blanchard (@dexterdyne) is a regular and popular presenter on the challenge and promise of hackism at the Atlantic Security Conference (AtlSecCon), High Technology Crime Investigation Association (HTCIA) and Atlantic Internet Marketing (AIM) Conferences - as well as Halifax Area Security Klatch (HASK), Third Wednesdays (3W) and Podcamp Halifax.

20 top Hacked and Defaced Maritime Websites

This year join Jon Blanchard, canada.com Technology columnist and #SausageLove insider, for the 2nd annual top 20 hacked Maritime Website report. As author of #SausageLove, Mr Blanchard's scoops this year included the Syrian Electronic Army takeover of Microsoft @skype/skype.com and @MSFTNews/blogs.technet.com - as well as exclusive reports through 2013 on hacked Canadian websites ranging from the Canadian Naturalists portal to Manitoba Hydro's backbone as well as Montreal's Dawson College and the Universities of Ottawa, Toronto, British Columbia and Ryerson.

Mike Doherty

Mike Doherty is a well-rounded computer geek. Currently finishing a computer science degree at Dalhousie University, he will be joining Google's Site Reliability Engineering team in July. Mike has a background in psychology and is interested in the intersection of technology with other fields of study. As a result, he has studied usable privacy and security, and is the lead organizer of CryptoPartyHFX, a practical computer security tutorial for the public, which was the topic of a recent CBC radio interview. You can find him online at

Legal Issues in Computer Security Research

How does the government define hacking? What are the lines you're not allowed to cross – and what happens if you do? Computer security researchers face real legal risk, but most don't realize it. Independent researchers are especially vulnerable. If you're going to tell the emperor he has no clothes, you'd better be prepared.
This talk will provide an overview of the current legal landscape in Canada, focusing on criminal and copyright law, and contrast it with the US situation using several case studies. Practical advice for risk mitigation will be shared.

Russ Doucet

For over 20 years Mr. Doucet has been working in Information Technology, with over 10 years of focus on security appliances. Russ has done many large deployments in corporate, education and government spaces, as well as rollouts and support for retail chains and other distributed organizations. Russ is also an accomplished trainer, having delivered custom-developed as well as certified curriculum for various platforms to hundreds of security professionals over the years. Russ was recognized at the inaugural Canadian Fortinet Xtreme Team technical event as the Xtreme Team MVP in Montreal in 2011. Besides training, implementation, and both pre-sales and post-sales support, Mr. Doucet also frequently speaks at security seminars and conferences on a variety of forward-looking security topics in Ontario and the Eastern provinces. Finally, Mr. Doucet is a court-recognized expert, having testified in court on numerous occasions in criminal and civil matters involving security and forensics.

Advanced Malware: Do We Need Other Layers

There is much talk about advanced persistent threats, custom malware and targeted attacks. Not surprisingly, many vendors in the firewall, antivirus, SIEM, IPS and other market segments are claiming they can block such attacks. The question is: are they? In INSA's Advanced Malware: Do We Need Other Layers presentation, we will describe some next generation threats and the relative ability (or inability) of conventional technologies to block them. We will also quote industry analysts, government organisations and studies describing the next generation of threats and the ways in which they try to breach victim organisations and navigate inside victim networks with the ultimate goal of exfiltrating data.
Sandy Fadale

Sandy Fadale is a Senior Manager with Bell Aliant where she is responsible for leading information security across all six provinces served by the organization, including a team of 14 highly skilled security and compliance specialists. Sandy is responsible for overall security planning, vulnerability management, risk management, policies and standards, security awareness, Sarbanes-Oxley compliance and remediation, PCI compliance and remediation, and logical access control. Sandy has more than 25 years of in-depth information technology experience in the field of enterprise computing with an emphasis on information security, which includes IT security, application development and business continuity. Prior to Bell Aliant, Sandy was a Manager with Ernst & Young LLP and Visteon Corporation in their Information Security and Risk Advisory practices. Sandy has also served in the US Military in telecommunications utilizing various encryption techniques. Sandy is currently the President of the Information Security Audit and Control Association (ISACA), Atlantic Provinces Chapter, teaches the CISM, CGEIT and CRISC, and is a Subject Matter Expert published in the 2012, 2013 and 2014 CRISC Review Manual.
How to Setup a Framework for the Governance of Enterprise IT

Through the course of this session, we will discuss at a high level the processes, knowledge requirements and tasks required for a successful governance program, as listed below:

• The definition, establishment and management of a framework for the governance of enterprise IT in alignment with the mission, vision and values of the enterprise
• The requirements and objectives for the framework for the governance of enterprise IT, incorporating input from enablers such as principles, policies and frameworks; processes; organizational structures; culture, ethics and behavior; information; services, infrastructure and applications; people, skills and competencies
• The strategic planning processes are incorporated into the framework for the governance of enterprise IT
• The incorporation of enterprise architecture (EA) into the framework for the governance of enterprise IT in order to optimize IT-enabled business solutions
• The framework for the governance of enterprise IT incorporates comprehensive and repeatable processes and activities
• The roles, responsibilities and accountabilities for information systems and IT processes are established
• Issues related to the framework for the governance of enterprise IT are reviewed, monitored, reported and remediated
• The organizational structures are in place to enable effective planning and implementation of IT-enabled business investments

Jean-Francois Gignac

Jean-Francois Gignac has been in the IT industry for over 10 years, working with large enterprise clients, multinationals, the public sector and non-profits while working for well recognized names such as Canon, Bell, Fortinet and Websense. With a passion for security and for helping raise awareness around today's challenges in this field, he now works for Cisco.
Jean-Francois's background is eclectic and he draws on past experience and lessons from industries that struggled to become IP enabled, secure and re-invent themselves in today's connected age. Jean-Francois recently came to Cisco from Sourcefire, which was acquired by Cisco. Today he is the Security Account Manager for Cisco and is responsible for Eastern Canada. He lives in Montreal, is a gamer, a father and loves the outdoors.

The Economics of Cybercrime

Cybercrime is a booming business: it's global, it's organized and it's pervasive "out there". To understand the evolution of cyber criminals, their methods and goals is to draw the conclusion that the real motivation of cyber-criminals is financial gain. There is a viable economic model applicable to all classes of internet citizens, from individuals to multi-national corporations and even nations. Bandwidth costs have gone down, internet access has proliferated, and an online presence is seen as necessary, or even indispensable. We move past the last decade, an era of online banking and e-commerce, and into an era of ever expanding targets and a much wider scene for criminals to exploit.

Norbert Griffin

Norbert Griffin is a Delivery Manager for Security at zedIT Solutions, one of Atlantic Canada's largest Information Technology (IT) Services firms providing both Strategy and Execution for Large Enterprise clients in the public and private sector. With over sixteen years of professional experience in the industry, Norbert has a broad range of knowledge and experience in information security, auditing, penetration testing and security operations and holds several industry recognized security certifications. Norbert has conducted assessments for Large Enterprise throughout Atlantic Canada and has helped companies develop prioritized security roadmaps and implementation plans based on findings from their assessments. Founder of the annual BSidesStJohns Security Conference in St. John's, NL, Norbert has been connecting security experts and industry professionals to share ideas, insights, and develop longstanding relationships with others in the province for years.

The Blinky-Light Syndrome and why it's Not Making Us More Secure

How many companies buy products to solve security problems but are not any more secure, and it's not because of the product? How many "Best Practices" do they say they follow but are never really following? Every year various industry reports highlight the need to get back to the basics, so why aren't more companies doing this?

Matias Katz

Matias Katz is a Penetration Tester who specializes in Web security analysis. He has over 10 years of experience in the field. He is the founder and CEO of Mkit Security, a company that specializes in penetration testing services and hacking training. He loves to build simple tools to perform discovery and exploitation on any software or network. He has spoken at BlackHat, H2HC, Campus Party, Ekoparty, OWASP and many other important conferences. He is the founder of the Andsec conference (www.andsec.org). Also, he is a Super Mario World master!!

Hacking the Cloud

In this demo we will talk about automated tools and how they can easily fail when they are expected by the target. I will show a complete attack on a hosting provider, without using any tool, avoiding any type of signature-based detection system. The attack will conclude with a complete takeover of the hosting provider. The main objective of this talk is to show how unreliable automated tools sometimes are, and how a simple manual attack is more likely to succeed.

HTExploit, bypassing .htaccess and beyond!

HTExploit is an open-source tool written in Python that exploits a weakness in the way that htaccess files can be configured to protect a web directory with an authentication process.
By using this tool anyone would be able to list the contents of a directory protected this way WITHOUT having the password (and without cracking it), bypassing the whole authentication process. I will perform a live DEMO on a real server (my own), creating before the audience an htaccess protected directory, and running the tool to bypass the restriction and access the protected files. The tool provides integration for discovery and post-exploitation with different well-known tools, providing an attack strategy that includes SQLi, LFI, RFI, shell injection, and any other type of web scan. HTExploit performs as a proxy, bypassing the htaccess restrictions and then allowing the secondary scanner to act on the target. The main characteristic of this tool is that all of the analysis performed is done inside the protected directory, not from the publicly accessible site. So the level of possible penetration is extreme. With this tool, you will be able to go from a protected directory to a complete content listing and possible SQL injection or remote file include, giving you the chance to take over the server. HTExploit has been presented at Black Hat USA 2012/2013 and is now widely available through www.htexploit.org, Backtrack, Samurai, Matriux, and in a few weeks the tool will be added to the Debian repositories. It is now among the most important Web Analysis tools and has been highly credited in the hacking community.

Vitaly Levin

Vitaly Levin has over 20 years of experience in the financial services, government, telecommunication and software industries. He spent the last 15 years developing enterprise solutions and risk mitigation strategies for multi-national organizations and associated industry groups. Vitaly has a combination of business, technology and legal background and has been invited to present at over a dozen events throughout North America.
Securing Unstructured Data, The Next Evolution of eDiscovery and Data Loss Prevention

The importance of securing and managing sensitive and confidential data was vividly reinforced by the NSA/Snowden and WikiLeaks incidents. Organizations must protect the rapidly growing volume of unstructured and semi-structured data (documents, spreadsheets, presentations, media files and other business data) that can be stored in file servers, NAS devices, SharePoint, virtual data centers, cloud-based storage platforms, etc. This is taking eDiscovery and data loss prevention (DLP) to the next level. Attendees will learn about solutions to this important issue from Varonis, the foremost innovator and provider of access, governance, and retention solutions for human-generated data, the fastest-growing and most sensitive class of digital information. Based on patented technology and a highly accurate analytics engine, Varonis solutions give organizations total visibility and control over their data, ensuring that only the right users have access to the right data at all times from all devices, all use is monitored, and abuse is flagged.

Ami Luttwak

Ami Luttwak is the co-founder and CTO of Adallom, a complete cloud security solution provider for SaaS applications. Prior to that, he was a senior software architect at Phonaris, where he designed the architecture and led the development of the Phonaris agents for the iPhone and Android platforms. Luttwak is an alumnus of the Israeli Defense Force's 8200 unit.

An Inconvenient Zeus: The rise of SaaS targeted malware

Vulnerabilities within SaaS applications have increasingly become the end user's responsibility. As SaaS has gained popularity over the last few years, it has increasingly become a part of our everyday work life. However, using SaaS applications – although excellent at increasing productivity – leaves a large attack surface. So, what's the risk?
It's hard to imagine how SaaS vendors can deliver a bank level of security, and harder still to imagine their customers accepting it. The more compelling piece here is the implied weakness in the shared responsibility model. There is only so much that a SaaS vendor can do; even if their controls are upgraded, their customer's security posture is the key determining factor in warding off this attack. Which leads to the heart of the matter: most customers look to SaaS as a way to offload responsibility, but they also need to remember their own systems can be the target. We are proposing a session where Adallom will showcase new vectors of cyber-attack found in the wild specifically targeting enterprise SaaS applications.

Joseph Malinka

Joseph Malinka is the Director of Systems Engineering at Bromium. He joined Bromium in June of 2012 when the company was still in stealth mode, and played a crucial role in establishing Bromium's early customer base and subsequent record growth. Prior to Bromium, Joe was at EMC for 11 years, of which the last three years were with RSA, the Security Division of EMC. He has provided engineering, consultative, and architectural expertise in many different security domains, working extensively with medium to large enterprises in the New York City metro area in the financial, legal, and healthcare verticals. He is a Certified Information Systems Security Professional (CISSP) and received a B.S. in Applied Physics from Brigham Young University.

"One ring to rule them all" – Using CPU Features to Enable Any Device to Protect Itself By Design

Our society has never had more valuable information available online, and the consequences and cost of successful compromises have never been more stark. Can we fix this? Yes.
We can enable any end point to protect itself by design using existing features of the CPU, and perhaps more importantly, we can deliver hardware-backed protection to existing (legacy) applications and operating systems: CPU features on commodity server, PC and mobile devices offer all that is needed to turn the tide. This talk will describe a radically new approach to system security – micro-virtualization – that makes use of CPU features for virtualization to hardware-isolate tasks within any running OS, relying on CPU mechanisms to protect the system from any malware. The core technology is the open source Xen hypervisor, whose community continues to lead innovation in virtualization and isolation. This talk is also a call-to-arms to the research and security ecosystems to use micro-virtualization to advance security research and attack analysis and to further extend the use cases for micro-virtualization.

Derek Manky

Derek Manky formulates security strategy based on years of threat and industry knowledge, with a goal to make a positive impact towards the global war on cyber crime. Manky has presented research and strategy world-wide at many security conferences, including meetings with leading political figures who help define the future of cyber security. He works globally within the security industry and Computer Emergency Response Teams (CERT) to connect the dots, providing mitigation advice and threat forecasts based on correlated data and personal knowledge. This strategy can be integrated into new, advanced technology to fight cyber attacks. He has been recognized as a thought leader in the industry. Manky designed a vulnerability disclosure framework, which has been reliably used for years to responsibly fix security issues before criminals discover and attack them. Manky also sits on a computing program committee with a premier technology institution in Canada, advising on next generation security requirements.
He continues to dedicate his career to security, research and education.

Beyond BYOD – Hacking the Internet of Things

Everyone knows the deal, the doom and gloom. There are threats on the internet, and plenty of them in many shapes and forms – worms that have persisted for years, basic Trojans that still perform, and of course advanced persistent threats (APTs). If securing Windows based systems still proves challenging today, what will tomorrow bring? Are Linux and Mac systems really that much more secure? And what about Android vs. iOS vs. Windows Mobile with BYOD? Attacks against home routers, home automation systems, surveillance cameras, printers, smart televisions and embedded systems exist today and are certain to shift the security landscape and defensive strategy in 2014 and beyond. Cyber attackers are learning it is beneficial to hide in more nooks, and to cast a wider net to hook other popular platforms being adopted by the market. As a result, a larger attack surface is being created. Derek Manky, Global Security Strategist, Fortinet, will examine the challenges of multi-platform security as it exists today and what we can expect tomorrow. Case examples will be highlighted proving low hanging fruit is ripe for attack on these systems. Strategy will be discussed in an interactive session in an effort to get ahead of what inevitably will come.

Kellman Meghu

Kellman Meghu has delivered security talks at private corporate focused events, at school internet safety classes for training students and teachers, as well as at public events including SecureWorld Seattle, The Check Point Experience, Bsides St. Johns, Bsides San Francisco, Bsides Chicago, Bsides Detroit, Secure360, Trilateral Conference, and the Sector lunch keynote for 2012. Kellman has contributed to live TV interviews in the Toronto area with CP24, CityNews, and CHCH TV, as well as radio station interviews and news articles across Canada.
Weaponized Security

How dangerous can you get with just the security tools you have today? Do you have access to a technology that makes searching for patterns of data in the network very simple? I bet you do. Now I want you to imagine implementing that technology on an open wifi and seeing what you find. This talk discusses how a tool to secure people can be turned against them, and the results of random people leaking data about their computers, and themselves. This is all done with publicly available and commonly implemented enterprise security, just implemented in uncommon ways.

Peter Morin

Peter Morin is a Senior Information Security Specialist with Bell Aliant. His position focuses on information security risk management, penetration testing, cyber threat response, application code analysis, malware analysis, and computer forensics. Peter has over 18 years of in-depth information technology experience in the fields of enterprise computing and networking with an emphasis on IT security, application development, business continuity, incident response and forensics. Prior to Bell Aliant, Peter held positions with KPMG LLP and Ernst & Young LLP as Senior Manager in their IT Security, Risk Advisory & Forensic practices, and also worked with numerous tech start-up companies and various government and military agencies. Peter is a frequent speaker on the subjects of critical infrastructure protection, risk management, penetration testing, malware analysis and forensics and has presented at numerous events held by the HTCIA, Black Hat, DEFCON, PMI, Computer Security Institute, Interop, SANS, and ISACA. Peter is a frequent guest lecturer at numerous colleges and universities throughout North America and has also been featured in numerous publications including SC Magazine.
Peter sits on numerous executive boards including the High Technology Crime Investigation Association International Board of Directors, HTCIA International Conference, ISC2, and ISACA - Atlantic Provinces Chapter. Peter holds numerous security-related designations including the CISSP, CISA, CGEIT, CRISC, and GCFA.

How many times did I use the bathroom today? An introduction to Open Source Intelligence

This presentation will discuss the ever growing topic of open source intelligence (OSINT). OSINT is the data mining of intelligence from publicly available sources – a form of "Cyber Intelligence". During this presentation we will discuss the various data points online that can be used to gather information about an individual, an organization, etc., including blogs, forums, personal websites, business intelligence websites such as Salesforce.com, LittleSis and the crowd-sourced Jigsaw, and social media sites such as Facebook, LinkedIn and Twitter. We will discuss the various uses of this data including reconnaissance for hackers, foreign governments/nation states, penetration testers, and competitive intelligence. We will look at demos of some of the more popular automated analysis tools such as Maltego and the use of custom Python scripts used to collect and analyze OSINT data.

Colin O'Flynn

Colin O'Flynn analyzes the security of embedded systems, and has spoken extensively about his open-source ChipWhisperer tool, which was created as part of his ongoing PhD research at Dalhousie University. He has previously been involved with a variety of embedded system designs, including wireless protocols used in smart energy meters. His work on embedded security has led him to speak at a number of security conferences including Blackhat EU/USA.

Hacking Embedded Systems: Power Analysis & Clock Glitching

Embedded systems have historically had all sorts of 'interesting' security holes discovered in them.
You often can't blame the engineers whodesigned the systems: it's extremely difficult to keep up to date with all the latest attacks. Performing 3rd party testing can be horrendously expensive, so many companies simply ignore the more exotic attack vectors. One such 'exotic' attack vector is side-channel power analysis, along with glitch attacks. In power analysis, one measures the power a device consumes on each instruction, and uses this information to break encryption or other security running on the device. The vulnerability of systems to such attacks has been known for almost 15 years. But the difficulty in setting up a lab has made these attacks less prevalent in the real world. With glitching attacks, very precise and short pulses are inserted into a devices power rails or clock inputs. It's a well know theoretical risk, but the cost of equipment which can generate suitable glitches is too expensive for most attackers. This presentation will cover some open-source tools which can be used for research into this field,which can be built or bought for $100 to $1500 depending on requirements. Dale O’Grady is a Senior Systems Engineer at Palo Alto Networks with extensive experience in layer 2-7 security. As a 20 year veteran of the Information Technology sector, Dale has had the good fortune of working as a world-wide Product Manager for security solutions such as Firewalls, Proxies, Intrusion Detection/Prevent Systems, Traffic Classification Systems, Mobile Security and Network Access Control. In 2011, Dale decided to move to a dedicated customer facing role to help customers address their real-world security challenges. Application Identification Traffic classification is at the heart of any firewall because classification forms the basis of security and acceptable use policies. Port numbers, protocols, and IP addresses are useful for network devices, but provide nothing about what is on the network. 
Not knowing what is on the network creates an organization dilemma – secure the network and haveunproductive users or have productive users with an increased attack surface? Detailed information about the applications, users, and content traversing networks empowers organizations to quickly determine and assess risks. Identifying the actual application lets organizations quickly learn more about activity on the network and analyze incidents from a current or comparative perspective. Please join us for this session as we take a deep dive into the benefits of application identification. We will cover concepts such as how application identification is accomplished, application versus application protocol identification, what to look for in application identification engines as well as how the future of encryption impacts application identification and of course considerations on performance and scaling for real-world scenarios. Natalie Oldfield is known as a passionate and energetic speaker, Natalie has presented to audiences throughout North America, Europe and Asia. Natalie hasworked in marketing communications and sales in multinational companies for 20 years. Natalie's experience working with international ICT organizations drew her to the conclusion that trust is the most important asset a business can protect. That conclusion prompted her extensive study in the field of her Masters degree, How Organizations Build Trust with their External Stakeholders. She facilitates workshops and training sessions and consults with companies looking to improve revenues, protect and deepen relationships, and gain a competitive edge. Natalie’s sessions offer participants strategies and practical tools to improve relationships, customer experiences and the bottom line. 
Natalie has also been a part time faculty member at Mount Saint Vincent University in the Communications and Public Relations department, and a part time faculty member in the School of Business at the Nova Scotia Community College. She is a graduate of the University of New Brunswick (Bachelor of Arts),Mount Saint Vincent University (Bachelor of Public Relations), the Dupree College of Management, Georgia Institute of Technology(Certificate in Management), and is a candidate for a Masters in Communications. Protecting your organization’s most valuable asset Falling behind in digital security can be extremely expensive; failing to protect trust can be fatal. Trust can take years to build and one breech can destroy it in seconds. Security experts know where the securities threats are. Where are your trust vulnerabilities? Every organization has them. Identifying the vulnerabilities and critical trust points in your organization is critical to your success. Trust is the number one predictor of consumer satisfaction and the critical ingredient to your competitive advantage. It determines how customers, suppliers, employees, bankers and the public make decisions about your organization. They ask: Who should I believe? Which organizations can I trust? Are they competent? Will they keep myconfidential information secure? Will they do the right thing? Drawing on research, Natalie will share with you how some of the world’s top brands build and protect the trust of their stakeholders. The session will offer participants strategies and practical tools to identify critical trust points. Natalie will share the practices of building and protecting trust as well as some tips on how to rebuild trust when there is a security breech. Participants will leave with Monday morning strategies to build and protect trust in their organizations. 
James Placer is an Information Security and Privacy consultant with a specific focus on network architectures and international compliance requirements. He has spent the last 20 years working primarily with Fortune 100 companies in the United States, evaluating and architecting compliant security solutions. He has been a keynote speaker on presentations regarding privacy legislation changes at the state and federal level in the Midwest United States, along with being an adjunct professor in Information Assurance at Davenport University in Michigan. He currently splits his time between residences in Tatamagouche, NS and Allegan, Michigan when he is not on the ski slopes chasing his ski racing daughter.

Payment Card Industry 3.0 Updates and Requirements from an Industry Perspective

Compliance is the big stick in the corporate security world, and one of the strongest drivers is the Payment Card Industry (PCI) standards. The latest refresh of the credit card industry standard has been released and takes effect as of Jan 1st 2014. Companies have a period of 14 months to comply with the newly released requirements. How will this affect your company, and what do you need to be doing now to prepare for the next PCI audit? This presentation explains the changes in PCI 3.0 and what they mean from a company-centered viewpoint for your business, and what they mean for security practitioners. Does your corporation have in place the processes, both in Canada and abroad, to meet the new requirements?

Jamie Rees has 20-plus years in information technology, the majority of that in information security related roles in communications and financial service organizations. Currently Jamie is the Director of Information Assurance - Chief Information Security Officer and the Chief Security Strategist for the Province of New Brunswick, Canada, working for the Executive Council Office. The idea of explaining security in terms of its impact on expected business outcomes became evident to Jamie early in his career, leading him to change his outlook on security programs and the value they bring to business, followed by writing the job descriptions and building the programs used to deliver information security functions. The value proposition used in delivering these roles was his training ground in how to communicate value in security.

Information Assurance

New Brunswick has successfully launched an Information Assurance team as part of the government’s Office of the CIO that aligns security objectives with the government’s strategy and planning. This alignment supports government decisions and enables provisioning of secure and timely services. This is a multi-pronged program with inputs at various parts of the information life cycle. Security objectives are being built into the planning and prioritization processes of the government. IT purchase requests are vetted for appropriate security requirements, and information risk management impacts the balanced scorecards of the organization, with measures that public bodies use to report their initiatives. This was done by showing the value we add to the business in the terms and language used by the business. We consulted and won over, group by group, the various boards of the public bodies, showing each of them the value we offered and bringing them into our process and governance bodies as stakeholders. The presentation will share the models we used, the challenges we faced and overcame, and the lessons learned along the way.

Guillaume K. Ross is an Information Security consultant with a background in IT. He can typically be found in the Montréal area, helping companies from big to too big with their information security programs. He believes in making security as transparent as possible to employees and IT staff, as well as in using capabilities found in the world of cloud computing that can help secure systems differently, and sometimes better, than how it is done on physical systems. None of this is relevant to his talk at AtlSecCon 2014, where only his credentials as an Apple geek are useful.

URL Scheme Security on iOS

Have you ever clicked a phone number in Safari to get the phone app to call that store/car dealership/pizza place you were searching for? In iOS, this interaction between apps happens via URL schemes, which are available to Apple applications as well as third-party applications. Everyone uses them without noticing they exist. URL Schemes are great. They are, however, a source of user input that should never be trusted as safe. In this presentation, we will look at real-life examples of implementations of URL Schemes that could lead to issues such as destruction of data, or help a malicious person identify an iOS user. We will also look at simple ways to improve URL Scheme security for users of your apps, as well as how to find URL Scheme vulnerabilities, for those out there who would like to help out.

David Shipley is a member of the IT Security team at the University of New Brunswick. He is responsible for monitoring UNB’s networks and systems, responding to incidents and assisting in long-term security strategy and planning. David also assists with user education and behaviour change. David is a former business journalist with the New Brunswick Telegraph-Journal. He is currently pursuing his Masters of Business Administration at UNB, with a focus on information technology.

Securing the Ivory Tower

Universities are among the highest-risk targets for cyber threats due to their nature as places that promote the exchange of information. Encouraging and helping 10,000+ minds to collaborate and research on a range of topics is a challenging mission for any IT organization. Having to secure that environment is even tougher. The University of New Brunswick's IT Security Action Team faces a range of threats on a daily basis. From hacktivists to distributed denial of service (DDoS) attacks, from targeted intrusions to trying to handle the daily deluge of malicious software, this team has seen it all. In this talk, UNB's David Shipley will discuss the team's approach to securing this vibrant environment while helping the University achieve its educational and research objectives.

Mark Stanislav is the Security Evangelist for Duo Security, an Ann Arbor, Michigan-based startup focused on two-factor authentication and mobile security. With a career spanning over a decade, Mark has worked within small business, academia, startup, and corporate environments, primarily focused on Linux architecture, information security, and web application development. Mark has spoken nationally at over 70 events including RSA, ISSA, B-Sides, GrrCon, Infragard, and the Rochester Security Summit. Mark’s security research has been featured on web sites including CSO Online, Security Ledger, and Slashdot. Additionally, Mark is an active participant in local and national security organizations including ISSA, Infragard, HTCIA, ArbSec, and MiSec. Mark earned his Bachelor of Science Degree in Networking & IT Administration and his Master of Science Degree in Technology Studies, focused on Information Assurance, both from Eastern Michigan University. During his time at EMU, Mark built the curriculum for two courses focused on Linux administration and taught as an Adjunct Lecturer for two years. Mark holds CISSP, Security+, Linux+, and CCSK certifications.

Eyes on IZON: Surveilling IP Camera Security

Home IP cameras are becoming increasingly common thanks to sleek designs, WiFi connectivity, and intuitive mobile applications. Previously, such IP cameras were mostly in use by home security aficionados and small business owners. Now, however, with increasing video quality and ease of use, these cameras are becoming popular with the average homeowner who wants a bit more confidence that all is well when they're absent. This presentation will provide insight into the security mechanisms being used by the IZON camera, some of the weaknesses found during research, and a few recommendations for them (or anyone else developing these sorts of cameras) to benefit from. Attention will be paid to topics such as network protocols, iOS app security, APIs, and other aspects of the camera's platform that have attack surface.

Rick Vanover (vExpert, MCITP, VCP) is a product strategy specialist for Veeam Software based in Columbus, Ohio. Rick is a popular blogger, podcaster and active member of the virtualization community. Rick’s IT experience includes system administration and IT management, with virtualization being the central theme of his career recently.

Data Protection Security Mishaps that you can avoid

When it comes to data protection, the risks are high. Too many times companies put adequate protections in place for live workloads, but are the same standards applied to the durability of the data protection scheme? Different backup technologies offer different opportunities and risks for securing the backup data. In this breakout session, join backup expert Rick Vanover for practical security tips for data protection administrators to avoid being the next headline. Topics covered in this session include:
• Storage security strategies for backups
• Managing multiple security techniques
• Identifying backdoors from data protection solutions
• Implementing controls for each step of the data protection process
Note: Speaker works for Veeam, but this is not a Veeam track. It’s general thought-leadership for data protection and security.

Ryan Wilson is an experienced security practitioner and leader with over 10 years of information security consulting experience. At McAfee, Ryan is responsible for bringing Stonesoft and the McAfee NextGen Firewall to the Canadian market. Prior to assuming his role at McAfee, Ryan was Director of Security Presales and Engineering at TELUS Security Solutions and held various security related positions at Allstream.

Advanced Evasion Techniques (AET’s), bypassing NextGen Firewall, IPS and other network security defenses. How do you keep up?

Advanced Evasion Techniques (AET’s) represent a serious threat to organizations today, yet IPS/NGFW’s and other technologies we typically rely on do not offer protection from these threats. Evasion techniques are a means to disguise cyber-attacks in order to avoid detection and blocking by information security systems. Evasions enable cyber criminals to deliver malicious content to a vulnerable system without the detection that would normally stop the threat. This session will:
· define AET’s
· outline how you can protect against these threats, and
· demonstrate a free tool called Evader, which allows you to test the effectiveness of your security infrastructure against AET’s.
This session will illustrate how AET’s can elude the proven IPS signatures we rely on and gain remote shell access on a victim machine using a well-known 5 year old worm called Conficker (first detected in 2008).

Dale “Dr. Z” Zabriskie: As an Evangelist for Symantec Corporation, Dale “Dr. Z” Zabriskie consults with IT professionals across the globe, advising on strategies for securing and managing their information. He is a CISSP (Certified Information Systems Security Professional), certified in Cloud Security Knowledge (CCSK), and is known for his ability to relate both technically and conceptually in an authoritative yet entertaining style. In his 13-plus year tenure with Symantec, Mr. Zabriskie has worked with organizations in over forty countries, including a residence in Europe. He has also been a popular moderator and participant in numerous industry panels. His expertise is supported by over thirty years of career experience in information technology, regulatory compliance, research and development, healthcare, manufacturing, and sales with companies like IBM, SunGard, IKON, and VERITAS.

The State of Mobile Security

Never before have people been more aware of security when it comes to their mobile devices. Everyone from soccer moms to CISOs is now wondering “is my mobile device secure and can someone access my data?” Symantec Evangelist Dale Zabriskie, CISSP, CCSK will discuss the challenges facing today’s mobile users, from average consumers to highly technical IT professionals. The reality is that criminals are attacking these devices because they are a portal into banking and, in many cases, corporate data. Zabriskie will cover research on what these criminals do with your device once they obtain access.

AtlSecCon 2014 – Sponsors

Platinum Sponsors

Symantec is a global leader in providing security, storage and systems management solutions to help our customers – from consumers and small businesses to the largest global organizations – secure and manage their information against more risks at more points, more completely and efficiently than any other company. Our company’s unique focus is to eliminate risks to information, technology and processes independent of the device, platform, interaction or location.

Gold Sponsors

Fortinet (NASDAQ: FTNT) protects the most valuable assets of some of the largest enterprise, service provider and government organizations across the globe. The company's fast, secure and global cyber security solutions provide broad, high-performance protection against dynamic security threats while simplifying the IT infrastructure. They are strengthened by the industry's highest level of threat research, intelligence and analytics. Unlike pure-play network security providers, Fortinet can solve organizations' most important security challenges, whether in networked, application or mobile environments -- be it virtualized/cloud or physical. More than 210,000 customers worldwide, including some of the largest and most complex organizations, trust Fortinet to protect their brands. Learn more at the Fortinet Blog or FortiGuard Labs.

eSentire® is the leading innovator in Active Threat Protection, the most comprehensive way to defend enterprises from advanced, never-before-seen cyber threats. Our flagship offering, Network Interceptor, challenges legacy security approaches, combining behavior-based analytics, immediate mitigation and actionable intelligence on a 24x7x365 basis. Our dedicated team of security experts continuously monitors customer networks to detect and block cyber attacks in real time. Protecting over $1.2 trillion in combined assets, eSentire is the trusted choice of security decision-makers in financial services, healthcare, mining, energy, engineering and construction, legal services, and technology companies. For more information visit and follow @esentire.

Silver Sponsors

Palo Alto Networks, Inc. has pioneered the next generation of network security with our innovative platform that allows you to secure your network and safely enable an increasingly complex and rapidly growing number of applications. At the core of this platform is our next-generation firewall, which delivers visibility and control over applications, users, and content within the firewall using a highly optimized hardware and software architecture.

Veeam® is Modern Data Protection™. We believe today’s IT requirements have changed and that “3C” legacy backup problems (high costs, increased complexity and missing capabilities) are no longer acceptable for any organization. Veeam provides powerful, easy-to-use and affordable solutions that are Built for Virtualization™ and the Cloud, a perfect fit for the modern datacenter.

Varonis' mission is to help enterprises realize value from their human-generated data. Varonis increases productivity, sustainably reduces risk, and lowers cost in the enterprise. Our products automate time-consuming data management and protection tasks and extract valuable insights from your human-generated data. The Varonis Data Governance suite helps organizations manage and protect their unstructured and semi-structured data: the documents, spreadsheets, presentations, media files and other business data in file servers, NAS devices, SharePoint and Exchange. These critical data assets are massive and growing rapidly.

At Cisco (NASDAQ: CSCO) customers come first, and an integral part of our DNA is creating long-lasting customer partnerships and working with them to identify their needs and provide solutions that support their success. Cisco has shaped the future of the Internet by creating unprecedented value and opportunity for our customers, employees, investors and ecosystem partners, and has become the worldwide leader in networking - transforming how people connect, communicate and collaborate.

HP's enterprise security software and solutions provide a proactive approach to security that integrates information logging and correlation, application analysis and network-level defense. With Gartner Magic Quadrant leaders in Security Information and Event Management (SIEM), Next-generation Intrusion Prevention and Managed application security testing available on demand, HP has the solutions to take your security posture into the next generation.

Bronze Sponsors

Educational Sponsors

Experience the industry’s most realistic penetration testing, training and certifications. Taught by the core developers of Kali Linux, our information security training will immerse you into the deep end of real-world penetration testing. We know penetration testing. Between Offensive Security Training, Kali Linux and the Exploit-Database, you can trust that we have the expertise, knowledge and experience to provide you with high-end penetration testing services. Offensive Security funds and develops several prominent information security niches, such as Kali Linux, the Exploit-Database, Google Hacking Database and Metasploit Framework Unleashed (MSFU) free training.

The Hacker Academy provides a unique learning experience, teaching infosec from the hacker’s perspective. You might have heard the phrase “it takes one to know one”. Our philosophy is to arm our members with the knowledge necessary to practice, implement, and deploy what they have learned immediately and effectively. All training modules are available 24/7 and are perfect for any skill level.

Pentester Academy plans to revolutionize online infosec training by providing comprehensive, highly technical, hands-on courses at the most affordable price! Our dream of making infosec training affordable for everyone can only come true with your support!

Additional Sponsors

Lunch Sponsor Day 1

Lunch Sponsor Day 2

Social Mixer Sponsor

Palo Alto Networks, Inc. has pioneered the next generation of network security with our innovative platform that allows you to secure your network and safely enable an increasingly complex and rapidly growing number of applications. At the core of this platform is our next-generation firewall, which delivers visibility and control over applications, users, and content within the firewall using a highly optimized hardware and software architecture.

Swag Bag Sponsor

Check Point Software Technologies Ltd. (www.checkpoint.com), the worldwide leader in securing the Internet, provides customers with uncompromised protection against all types of threats, reduces security complexity and lowers total cost of ownership. Check Point first pioneered the industry with FireWall-1 and its patented stateful inspection technology.

Community Sponsors

The High Technology Crime Investigation Association (HTCIA) was formed to provide education and collaboration to our global members for the prevention and investigation of high tech crimes. As such, we are an organization that aspires to help all those in the high technology field by providing extensive information, education, collective partnerships, mutual member benefits, astute board leadership and professional management. The High Technology Crime Investigation Association is composed of 8 regions within the United States and 6 international regions, including Canada. The Atlantic Chapter is one of five chapters in the Canadian region. Internationally there are 38 chapters overall.

The Halifax Area Security Klatch (HASK) provides a forum for experts to encourage discussion and share expertise in understanding the latest trends and security threats facing computer networks, systems and data. Our membership includes Information Security practitioners, managers, network administrators, students, and anyone who is interested in learning more about securing information. We meet at the Halifax Club in Halifax, Nova Scotia. Typically, we meet the last Monday of the month except for March, June, July, August, and December, unless otherwise notified.

The Halifax Hack Labs is a way to engage the local information security community to apply skills learned from other events such as the Halifax Area Security Klatch and the Atlantic Security Conference.