Blog.HappyPacket.net

Security Notes, News, and Thoughts

Thoughts on SecTor

Last week I had the opportunity to speak at SecTor: Canada's Premier IT Security Conference. I had heard positive feedback regarding the conference from previous years and as the conference is only in its 3rd year the number of attendees was impressive. I have attended a number of other conferences in the past year including ShmooCon, BlackHat and Defcon and I thought that the organization of this conference was impressive. For being a new conference I thought that SecTor had a great lineup of speakers, quality vendors, and some great keynotes.

From a speaker's prospective, my first communications with the SecTor team came during the Call For Papers(CFP) stage. Brian Bourne, the primary face of SecTor, was very responsive through this process and once I had been notified that I had been accepted to speak the rest of the planning started. Nanna Ng initiated the trip planning process and guided me through all the steps needed to get plane and hotel reservations handled. SecTor takes excellent care of their speakers. I was amazed at the extent they went to in order to make my trip painless.

SecTor had handled the booking for both airlines and hotel, so once I had all my presentation materials in, all I had to do was show up at the airport. After landing in Toronto there was a car waiting for me to take me to the hotel, where I was checked in without incident. The accommodations at the InterContinental hotel were great and it was attached to the conference center so it was just a short walk from the hotel room to the conference area. The SecTor team had worked to make sure that the travel was painless and the experience that they created for the speakers was amazing.

The conference itself started on Tuesday although there was some training on Monday. After some opening remarks by Brian, Chris Hoff delivered a great keynote on Cloud Computing. Chris is a great speaker and brought forth a ton of information on "the cloud" in an easy to understand way and really made all of the information mesh.

Following the keynotes the sessions started. The first session I attended was "When Web 2.0 Attacks - Understanding AJAX, Flash and "Highly Interactive Technology" by Rafal Los. Rafal is a great speaker and had some good information on some of the vulnerabilities that Web 2.0 present when implemented poorly and had some great points on how many of the old vulnerabilities that we thought had been dealt with are re-emerging in Web 2.0. I really enjoyed this talk.

Andrew Nash from PayPal delivered a lunch keynote. While this was my least favorite keynote, there was good information on identity management. Mr Nash is a good speaker, unfortunately I am not sure that it was as relevant to as many people at the conference. I thought it was interesting to hear some of what PayPal was doing, but there was no real link into how anyone else can leverage the resources or how the information pertained to us aside from that PayPal is working hard to protect our information.

The afternoon sessions were great. After lunch I headed over to see Jennifer Jabbusch's talk "Retaliation: Breaking Attack Vectors in the Infrastructure". She did a great job of explaining emerging threats on the network and what the latest standards are doing to help protect layers 2 and 3 in the network.

The next talk that I went to was by Robert Hansen (RSnake) on ""Consumerization and Future State of Information Warfare". Robert focused on where information warfare is heading and how the technology used by attackers has grown to the point where we are likely to see automated identities formed soon where automated applications role play a part in order to bring people in to their social media circle where the typical spam and malware will be distributed sparingly between meaningful information. Overall a really informative talk although the findings of his research were a little disheartening as it is obvious that the attackers are moving quickly and are very agile.

That evening was a reception and speakers dinner at Joe Badalis. I thought that this was hugely successful. I met some great people and had a chance to talk with both attendees and other speakers and it was overall a great time. The dinner that followed the reception was great and I had some awesome discussions with the other folks at the table. This was a great experience and I hope they keep this for future years.

There was no keynote on Wednesday morning and we instead went directly into talks. I attended Andrés Riancho two talks on the w3af framework. These talks took up the whole morning but the time was well spent. I learned much more about the w3af framework and where it is headed.
Andrés gave great demos and examples of everything from how to do a scan to how to write your own module. He even included some information about how w3af handles web scanning compared to other vendors. Andrés offers w3af training in case anyone is interested, so check it out if you want to know more about the w3af framework.

The lunch keynote was by Adam Laurie known as Major Malfunction. The title was "A day in the life of a hacker.." and covered some great stuff on hardware hacking. He was very engaging as a speaker and even included technical examples during the keynote which seems to be very rare. He went in-depth into how the biometric passports work and exposed some of the scarier sides of the technology that you don't normally get to see.

The rest of the day I was presenting. My first talk on Nsploit went ok, although it wasn't an overwhelming success. I'm not sure if it was the post lunch coma, if the talk was too technical, or if it was just boring but I didn't get a lot of interaction during the talk. I did get a lot of good questions after the talk though so that was nice. The second talk on BeEF seemed to go well with great interaction, some awesome questions, and people seemed to be much more into it. Overall it was a good experience but I may need to tweak the Nsploit talk if I do it again.

The conference finished with some closing remarks from Brian again. The vendor drawings were held and folks got their toys, and then a few of us went out for Mexican across the street for some more networking. Overall I got to meet some great people, hear some awesome talks, and had a great experience thanks to the organizers of SecTor. I hope that I get to attend next year, whether as a presenter again or as an attendee I know that I will enjoy it.

Thanks again to all the organizers of SecTor for making the trip memorable in a positive way. Hope to see everyone again next year.