BSides Winnipeg 2017

November 4th & 5th, 2017

The King's Head Pub, Winnipeg, Canada


Zero Day Phishing Emails

Aemilianus Kehler

This talk will discuss tools that can be used to investigate emails to determine whether they are phishing attempts.

Aemilianus AKA AK is a local tech enthusiast, currently working as a Systems Administrator for Deposit Guarantee Corporation of Manitoba. He spends his day fighting with government IT systems, and his nights trying to forget his days.

Machine Learning and the Cyberz: Separating Fact from Marketing Fiction

Brandon Enright

The latest marketing fad and hype in our industry is the pushing of machine learning as a magic panacea for all cyber ills. We're told that by utilizing artistically crafted pixie dust and rainbow unicorn algorithms all your cyber woes can be cured. Unfortunately, otherwise rational people in our industry seem to give a lot of weight to these marketing claims because 1) machine learning is complicated and 2) we've seen machine learning do some really incredible things like drive cars, beat the best Go players, "dream" crazy images, etc. This talk will illustrate some of the hype we're being bombarded with, pull back the covers on what machine learning is and how it works, present some basic (Bayesian) statistics, and show why security is a much harder problem for machine learning than we realize.

Accessibility & Security

Christian Johnson

For The Win: Finding WAF Evasions and Verifying Fixes with FTW

Christian Peron (Fastly)

This talk will discuss some of the core design objectives Fastly had regarding their WAF implementation. Christian will discuss the design of Fastly's custom Modsecurity toolchain, and the need to thoroughly test both their code and WAF rule sets using the FTW WAF testing framework. He will discuss how continuous testing of their rules and toolchain helps identify WAF evasion and technical issues which are used to improve their technology. Finally Christian will discuss some findings and insights that we have shared with the OWASP and security communities.

Christian has 17 years experience in cybersecurity and security based open-source engineering and development. At Fastly Christian performs threat and vulnerability research, prototype and proof of concept development.

Winnipeg-Wide Amateur Radio IP Network: VA4WAN

Colin Stanners

Commercial radio communications have evolved from islands of single-media, low-data-rate "dumb" analog repeaters to interconnections of multiplexed, high-speed, self-optimizing multimedia networks. But the amateur radio hobby, where many designers and technicians of the world's radio systems learned their skills, has not seen such progress. Due to budgetary and legacy reasons, many amateur radio systems have not changed notably in the last 30 years other than case design. Unwilling to let this great hobby (and emergency resource) die like *BSD, the dedicated VA4WAN group is installing a High-Speed MultiMedia "HAMWAN" in Winnipeg and beyond, repurposing donated 2.4/5.8 GHz outdoor Wi-Fi gear into the 2.3/5.9 GHz amateur radio frequency bands. This presentation introduces the amateur radio hobby and the VA4WAN project's goals, methods, current status and future plans.

Privilege Escalation: Living a New Life Without getsystem

Dmitry Balikhin

Metasploit's getsystem makes us lazy and hides a very interesting phase of penetration testing. Sometimes it simply fails. This talk will cover basic Windows and Linux privilege escalation commands and methods.

Dmitry currently works at iQmetrix as a Software Developer and PCI Internal Security Assessor. He likes to design and develop software for payment terminals during the day and play with vulnerable VMs during the night.

Scraping Retailers: or How I Learnt to Stop Worrying and Love the Web

Jason Harder & Kevin Cortens (Pricerazzi)

Scraping data from the Internet is an old practice, but one that is more and more popular these days. Pricerazzi scrapes pricing and product data from retailers to facilitate price matching. Unsurprisingly, retailers vary widely in the quality of their sites, apps, and systems; in the course of this work, Jason and Kevin have seen many questionable things ranging from simple poor practice to severe security issues. This will be a discussion on the state of retail websites in 2017.

Info Sec for Cheapskates

Mark Havens

We are inundated with Information about high-cost solutions for info sec problems, but there are several free or low-cost solutions out there that are suitable for self-education or use in small businesses. Examples would include Snort, open source Tripwire, free honeypots, and Nessus Home as well as most of the tools in the Kali Linux distro. Without going into great detail on any of these, Mark will show how they can be combined into a comprehensive solution to some of the critical security controls either as a test lab or for zero-budget targets.

Mark has been in IT since late in the previous century, filling a wide variety of roles and continuing to prove that there is room in IT for a jack of all trades with a short attention span and good people skills. He arrived to the information security role pretty recently and is drinking from the Fire Hose of Knowledge in order to catch up.

More Secure Bootstrap Problems and Solutions

Mark Jenkins

Mark is still obsessed with what he calls secure bootstrap problems: 1) how do you know you're actually running a desired system and program build? and 2) how do you know a compiled program matches source? The latest state of the art will be reviewed, possibly including diverse double-compiling, Heads (Trammell Hudson), Joanna Rutkowska papers, reproducible builds, and non x86 prospects for owner-controlled computing.

Mark is a Winnipeg-based IT double-threat (ops and dev) who works at the University of Winnipeg Library. He's a Bachelor of Computer Science graduate (University of Manitoba 2006) and Linux Foundation Certified Engineer (LFCE). Mark spoke at BSides Winnipeg 2013 and 2015.

Avoiding Kyphosis: Security Posture in the Cloud

Mike Himbeault (Flying Fortress IT)

With public cloud adoption accelerating by all measures, the task of understanding how to deploy secure applications and architectures using the tools available in these environments is increasingly complex. This talk will cover the important aspects of public cloud security including products and tools available, compliance management, application and architecture design, identity and access management, and general best-practice.

Mike has an undergrad degree in Mathematics and a Master's degree in computer engineering focusing on computer network security. These days he does "cloud" stuff professionally, focusing on architecting and building applications and systems using public cloud technologies. Mike has several AWS certifications, enjoys powerlifting, loves cats, and volunteers with the Canadian Cyber Defence Challenge.

I Want my EIP

Mike Saunders

When Mike started learning buffer overflows, he thought it was something everybody else already knew. But the reality is, there are lots of us, just like him, who want to know more but are either overwhelmed by the idea that buffer overflows are beyond their capabilities or just don’t know where to get started. This is a 101-level talk; it’ll cover how a buffer overflow works, how to fuzz an app to identify an overflow opportunity, and how to create a simple overflow that will result in a compromise of a target system. If you can already smash the stack, spray the heap, and write ROP chains in your sleep, this isn’t the talk for you. If you want to learn more about how simple buffer overflows work and how to write them, this talk is for you. When you leave, you will have the information necessary to help you write your first overflow.

Mike's love of IT started in the third grade when he discovered he could view the code of BASIC programs on an Apple ][e. Mike now performs penetration testing and vulnerability assessments for a multinational agribusiness corporation. He has held many information technology and IT security positions, including developer, network administrator, system administrator, security architect and security incident handler. Mike holds the OSCP, ISC2 CISSP, and GIAC GPEN, GWAPT, GMOB, and GCIH certifications. When he is not at work, he is an avid kayak fisherman and member of a local horn rock band.

Reverse DNS the World - What do you learn? The how and what.

Rob Keizer (Pegboard Hosting)

Recent years have seen scanning the entire IPv4 Internet become more and more commonplace. Rob has compiled a database of reverse DNS records for every IP address. What information can be extracted from them? Perhaps secure-admin.someprovider.com might not have been the smartest name to use. This presentation will go over how he was able to reverse DNS the entire world, as well as some examples of interesting entries.

Do As I Say, Not As I Do: Why Our Security Advice Sucks and How We Can Change That

Sarah LaCroix

Let's talk about risk assessment and personal security! As technically inclined people, we are at an advantage when it comes to our privacy and security. We are more aware of the risks and consequences associated with our use of technology than the average person. For them, standard security advice is overwhelming, unrealistic and failure to comply comes with intangible consequences. Sensationalist media coverage of obscure DDoS attacks from China combined with the reality that people tend to suck at assessing risk means that the average person is more worried about the Russian government reading their email than they are of giving their own password away. On the other side of things, as professionals who have some idea of what actually can go wrong, our trouble with assessing risk tends to take us in the opposite direction. We lock everything down to the point of missing out on some of the cool things that our tech can offer us. This talk looks at how we can help ourselves and the people around us better assess their risk so we can start giving more realistic advice.

Sarah started her education in technology by hanging out with IT professionals and hobbyists who were passionate about their projects. She grew that interest by volunteering at conferences and asking lots of questions. When she finally had more questions than her friends could answer, she decided it was time for a more formal education. She started with Applied Computer Science and Business Administration at University of Winnipeg, then studied Digital Forensics, Penetration Testing and Ethical Hacking at Glasgow Caledonian University in Scotland before transferring into the Business Information Technology program at Red River College. She is currently on the board of technology student group, Bits and Bytes Association. Never quite satisfied with her current level of knowledge, Sarah is always working to strengthen her skills and build her expertise by taking on side projects and talking to people more experienced than herself. Upon graduation (expected: June, 2019), she wants to work as a security analyst. She enjoys hipster coffee, going to the gym, and Instagramming her food. You can find her on the Internet as @punkrockgoth.

Operating your own BGP Autonomous System on the Internet (AKA: BGP for Fun & Profit)

Theodore Baschak

Border Gateway Protocol, or BGP for short, is the standardized, open protocol that allows ISPs of all sizes to form routing relationships with other ISPs, carriers, and Internet Exchanges. Theo will talk about challenges he has faced operating his own personal BGP Autonomous System (as395089) since April 2016.

With nearly two decades of experience working with Manitoban ISP networks, Theo has long toiled behind the scenes of many ISPs and enterprises bringing the Internet to people. He continues to be involved in the local Internet provider community through things like the Manitoba Internet Exchange (MBIX) and the Manitoba Network Operator Group (MBNOG), and currently holds a director position on the MBIX board, as well as a volunteer network operator role at MBIX.

Managing Large Assessments

Tim Jensen (AppSec Consulting)

Conducting assessments against 2500+ machines is very different from conducting smaller assessments of 500 machines or fewer. This talk will provide the basics of managing these sorts of assessments, and provide tips for automating repetitive tasks to allow you to maximize your engagement time. This includes useful tools Tim has found, custom scripts, and writing basic Metasploit Aux modules to get things done fast.

The Ins and Outs of NTLM Relaying (and why you should give a damn!)

Travis Friesen (MERLIN, Flying Fortress IT)

The Microsoft NTLM authentication protocol has been around since 1993, and remains widely supported 24 years later. In this talk, Travis will discuss NTLM relaying, a powerful, ubiquitous attack against networks that support NTLM authentication, the potential impact of these attacks, and techniques to protect your network.

After obtaining a Master of Science in computer engineering focussing on computer security, Travis took a break from InfoSec for a couple of years to write autopilot software for UAVs. Now he's back, working at MERLIN to help keep schools safe from the bad guys, while educating future white hats by volunteering as part of the infrastructure and challenge team for the Canadian Cyber Defence Challenge.

An IT Risk Assessment of the Titanic

William Kempan

If we did a typical IT risk assessment of the Titanic before its maiden voyage, would it have sailed? Would the risk of loss of life come in as "Medium-Low" with a Low likelihood? Would the risk practitioners have focused on an incremental approach of adding another 4 lifeboats, and putting in an initiative in the next fiscal year to fund four more? A tongue-in-cheek look at the typical problems with risk assessments in IT Security.

Hopping Fences - Practical WAF Bypasses

Yvan Boily (Fastly)

An overview of techniques for bypassing web application firewalls, and how to use them in conjunction with automated testing tools to validate the efficacy of application defenses.