Third Time’s a Charm: Solution to Exploitation is not Encryption

Vincent Lee

In late 2016, the ZDI had received multiple reports of command injection vulnerabilities residing in Hewlett Packard Enterprise Intelligent Management Center. As of now, HPE has attempted to patch these issues twice. After each patch release, researchers promptly bypass the ineffective patch and exploited the same underlying issues. This talk delves into the root cause of the vulnerabilities and patch diff-ing. Our technical analysis and patch analysis lets you to walk in the shoes of a bug hunter.

Security Internships: Bringing up the next generation of hackers

Anna Lorimer

Software engineering internships are increasingly popular and are becoming an integral part of career development for newcomers to the tech scene. They’re also valuable to any organization because they give senior engineers the opportunity to pass on knowledge and make it easier to find full time hires down the road. In this talk I’ll discuss how security internships differ from regular software engineering internships, how to find interns, and how to structure internships to set up both your organization and the intern(s) for success.

Evolution of Container Security: what's next?

Fernando Montenegro

Containers have emerged as a key enabling technology for different use cases: cloud adoption, DevOps, and more. We've all gone through understanding what containers are, and how to secure. Still, there's a lot more to securing container deployments than meets the eye. This talk presents a broader view of where container security concerns fit, how the market has reacted to the need for container security, and what are the areas we should be looking at next.

Kubernetes - Security you need to know about it.

Haydn Johnson

Do you like deploying applications and your infrastructure fast? How about securely? Kubernetes is a relatively new technology allowing teams to deploy applications and infrastructure much faster. It is gaining ever increasing popularity. As is always the same with new technology security has been an after-thought. Get up to speed in this talk on Kubernetes, the hacks and basic security principles.

“Is security even important?" and other clickbait titles

Ben Hughes

Security, we've all heard of it, some of us may have even bought one before. I'd like to explore whether the whole things is effective and what the implications of what that means. We're at a security conference, we've all bought in to the idea that this is a good idea, so challenging that notion seems fun and important. I promise they'll be jokes.

A tale of two "connected" medical devices

Saurabh Harit

This talk discusses the risks of connected healthcare devices. Based off output from security assessments performed against medical devices widely deployed at various hospitals and medical institutions, I will present an in-depth analysis of the target medical devices and how I was able to compromise them to gain access to plethora of medical records from all the medical institutions it was deployed at and not just the one where our target device was hosted.

Slithering Between Worlds: Tracking the Gorgon Group

Joshua Grunzweig

For the past year and a half, we have been tracking a group known as the ‘Gorgon Group’. This particular group of criminals is unique in particular due to their desires to not only conduct targeted attacks against foreign governments, but also to perform large scale commodity attacks to earn a profit. This talk will discuss how the initial discover of the Gorgon Group was made, and how a single attack led us to discovering that this group was much, much larger than we originally thought. We’ll discuss the group’s malware, tactics, motivations, and (speaking gods willing) attribution.

Tales From The Trenches

Julian Pileggi

Incident responders are on the frontlines of the battle with threat actors and fraudsters alike. This talk will bring a unique perspective into some interesting techniques used by threat actors in recent cases. The “Tales From The Trenches” talk is intended to provide case studies and stories from real-life operations. There won’t be much theory or hypothesizing. Rather, the presentation will focus on challenges and problems that organizations faced and how they overcame them.

CyberZoology: Protecting your network from new breeds of attacks with a Raspberry Pi.

Patrick Kelley

Network Security is hard. Platforms are expensive. We’ll show attendees how to protect their networks and gain additional visibility using a Raspberry Pi and open source platforms.

The challenges of securing Aadhaar - The largest Biometric database in the world.

Dolev Farhi

How can you secure a 1.4 Billion people biometric database with hundreds of millions authentication attempts a day? Aadhaar is the largest biometric repository in the world based in India, and is a subject of concern to many people around the world. Companies rely on the Aadhaar database as a source of authorization and truth. What are the consequences of a breach as a result of biometric leak for a country the size of India? In this talk, I will present the technical security aspects of Aadhaar as a database, the privacy concerns and possible attack vectors.

The Best Offense is a Good Defense

A CTF event by Security Innovation

Returning for a second year, please join Security Innovation at BSides Toronto for an opportunity to grow your security knowledge via a fun and interactive “find the vulnerabilities” game called CMD+CTRL. Players will take the reins in an expert-guided training session leveraging cheat sheets, attack tables, min-labs, and breakout sessions to learn how hackers break into websites using common vulnerabilities, insecure practices and more!

CMD+CTRL, a capture the flag-style event is open to participants at all levels, from those simply curious about a career in IT security to seasoned professionals looking to expand their technical skills. All you need to bring is your laptop and your inner evil-doer.

This event will run in parallel with the talks.

Kali Linux Dojo Workshop

Training by Johnny "ihackstuff" Long

Offensive Security is proud to present a Kali Linux workshop that provides a unique journey through our distribution while providing rare insights and an in-depth look at the most powerful features available in the Kali penetration testing platform. For a full description of the course, please have a look at this flyer. (No malware, Honest!)

Seating will be limited and advanced reservations at the time of your ticket purchase will be required (you will see it in he options list when buying your ticket). No-shows will be rapidly replaced with other willing participants, so be sure to show up on time. If you do not get a ticket, and want to try "flying on standby", make sure to prepare as outlined below. Who knows, someone might not show, and you may get their seat.

This event will run in parrallel with the talks, so choose wisely.

Student setup:

Students should have the latest version of Kali Linux installed on a machine of their choice. Basic installation procedures are here and the standard Kali downloads are here. Students can install Kali on their laptops as a single-boot or dual-boot installation, but we prefer (rather insist, for safety sake) that students instead install in a virtual machine. Installation as a virtual machine (VirtualBox, VMWare (preferred), etc) is simply a matter of installing our latest VM from here. Be sure that the machine has at least 50gb of free space!

Once installed, update the system using these steps:

root@kali:~# apt-get update
root@kali:~# apt-get dist-upgrade

Please note that we will not spend time showing students how to install Kali. A working Kali installation is a prerequisite of the course.

We will have a repository on site to facilitate last-minute updates.