Remote Exploitation of an Unaltered Passenger Vehicle

Charlie Miller and Chris Valasek

Although the hacking of automobiles is a topic often discussed, details regarding successful attacks, if ever made public, are non-comprehensive at best. The ambiguous nature of automotive security leads to narratives that are polar opposites: either we're all going to die or our cars are perfectly safe. In this talk, we will show the reality of car hacking by demonstrating exactly how a remote attack works against an unaltered, factory vehicle. Starting with remote exploitation, we will show how to pivot through different pieces of the vehicle's hardware in order to be able to send messages on the CAN bus to critical electronic control units. We will conclude by showing several CAN messages that affect physical systems of the vehicle. By chaining these elements together, we will demonstrate the reality and limitations of remote car attacks.

Breaking the WW2 German Enigma - The Imitation "Games"

Richard Brisson

Almost anyone who is knowledgeable on cryptology is typically aware of the WW2 German Enigma and its story in regards to the code-making and code-breaking accomplishments. This talk will cover two threads on Enigma with the first being on what are facts and exaggerations in the recent movie “The Imitation Game” in regards to breaking Enigma. However, most of the talk will cover aspects on a) what the Allies (especially Britain) had to do to break Enigma (even after receiving key cryptographic details from the Poles/French in 1939) and b) especially the many operations and strategies they developed and undertook to assure continued exploitation of the Enigma ciphers. The speaker will also bring Enigma artifacts including 3-rotor Wehrmacht and 4-rotor Kriegsmarine machines which will be displayed in a booth following the talk.

BurpKit - Using WebKit to Own the Web!

Nadeem Douba

Today's web apps are developed using a mashup of client- and server-side technologies. Everything from sophisticated Javascript libraries to third-party web services are thrown into the mix. Over the years, we've been asked to test these web apps with security tools that haven't evolved at the same pace. A common short-coming in most of these tools is their inability to perform dynamic analysis to identify vulnerabilities such as dynamically rendered XSS or DOM-based XSS. This is where BurpKit comes in - a BurpSuite plugin that integrates the power of WebKit with that of BurpSuite. In this presentation we'll go over how one can leverage WebKit to write their own web pen-testing tools and introduce BurpKit. We'll show you how BurpKit is able to perform a variety of powerful tasks including dynamic XSS analysis, BurpSuite scripting, and more. Best of all, the plugin is free and open source so you can extended it to your heart's desire!

DevOps for the Home

Kellman Meghu

This is the story of one man's personal trip to the cloud (and back) as he rebuilds his home network in a devops model, supported by virtual private cloud service. This presentation takes a micro look at cloud services, and the benefits and risks that come along with it for the average home user, as well as the business. You shouldn't be surprised to see that they are the same, just at a micro level. With realtime micro level data we can tell a story, without all the abstraction, that can sometimes reveal more than all this big data. With a glimpse into the detailed benefits
of a DevOps environment supporting cloud integration, and featuring the feedback of the HomeNet CISO, 'Security Cat', we will have some fun stripping away all the pretty abstraction and explore the benefits of the integration of public cloud services. I said I would never do it, but alas, here I am, I'm in the cloud.

Cloud Computing - Risks and Reality

Sandra Liepkalns

Tight budgets and few staff cause many IT teams to be lured by the promises of low cost services and less to support. With the proliferation of services with 24/7 support and the ability to decrease your data centre footprint and power draw who wouldn't feel the business case is there? Is your privacy, security and recoverability being compromised? Learn about questions you should ask, what you need to investigate and when to say no. Case studies and lessons learned will be included in this presentation.


APT Threat to Canadian Businesses

Eric Lauzier

APT: Advanced Persistent Threats (APTs) actors, once solely engaged in intelligence gathering activities against government institutions for strategic purposes, are now targeting legitimate businesses to gather sensitive information for financial, intellectual, reputational and intelligence objectives. These same state-sponsored APT actors are also targeting Canadian businesses of all sizes to acquire information and infiltrate government networks, exploiting the established trusted connections between government entities and targeted businesses. In support of Public Safety's mission to build a safe and resilient Canada, the Canadian Cyber Incident Response Centre's (CCIRC) mandate is to help ensure the security and resilience of the vital non-federal government cyber systems that underpin Canada's national security, public safety and economic prosperity, giving CCIRC a distinctive view of the APT footprint in Canada.

Get off My Lawn OSX Malware

Russ Nolen

As OSX systems become more and more prevalent through the enterprise landscape, knowing what OSX malware does to a well-manicured system becomes increasingly more important. This talk is based around providing the audience with some very practical knowledge for approaching OSX malware, the trends that were observed in an OSX malware research project, and what to look for doing your own landscaping on your OSX assets. Attendees will walk through the analysis garden, viewing the various fruits such as a custom built OSX sandbox, statistical analysis techniques, third party input, and host of other techniques. Utilizing various techniques, the presentation will highlight the results of OSX persistence mechanisms, malware usage of module (shared object) usage, C2 trends, and more from not only targeted attacks but also everyday run of the mill malware. The main goal of the research is to provide the audience with practical indicators for use in hunting parasites that can hurt your well groomed and beautiful looking OSX lawn.

Open Source

Andrew Phillips

This session will provide a brief overview of the three types of open source material, the need for timeliness in making inquiries, a brief review of a structured methodology and some of the pitfalls you can face when making inquiries. We will also investigate solutions to acquire data that you can leverage into meaningful leads to complement other issues faced on cyber threats or attacks. The session will provide some examples of the often over looked thought process required for problem solving.

Me and 37 Million of My Friends

Justin Seitz

The Ashley Madison breach has been widely covered: maps of the cities with the most cheaters (congratulations Ottawa), anecdotal stories of careers lost, hand wringing over weak passwords and a lot more. But what does it look like when an attacker makes a concerted effort to begin mining this data against a particular organization or government? Follow along as I show open source intelligence techniques to begin identifying employees of a large organization and how their corporate policy violations are vastly increasing the attack surface of their organization. Learn how a company, who already owns their own data, can begin identifying people who are breaching policy long before a public incident shows it to the world.

JavaScript 6 - Hackers Dream or Developers Haven

Jeremy Buis and Sherif Koussa

ECMAScript 6 specs are out and include a lot of new features making Javascript a language that combines browser friendliness and enterprise powerhouse. Caution is required with these new features. This technical presentation will go over the new attack vectors in JavaScript 6, as well as the old attack vectors that just got a new breath of life. Additionally, the presentation will review the mitigation controls for these attack vectors.

The Sednit Group: "Cyber" Espionage in Eastern Europe

Joan Calvet

The Sednit group has been relentlessly attacking various governmental institutions for the past five years, most notably in Eastern Europe. They primarily want to extract sensitive information from their targets’ computer networks. For that purpose, they developed their own tool set, from simple droppers to complex backdoors that are specifically crafted for each target. They also created a tool to communicate with physically- isolated computers using removable drives in order to exfiltrate sensitive files from these machines.

Other technical originalities reside in the way they infect their target. For example, with their own exploit-kit which regularly pushes 0-day exploits --, but also with opportunistic strategies like trojanized internal applications. This presentation will discuss the Sednit group tools in details and will describe some of their recent campaigns.

Mass Surveillance by Our Governments: A Matter of National Security or Abuse of Power

Michel Cusin

Are you comfortable with the fact that Internet service providers, authorities, governments, intelligence agencies (NSA, CSIS, etc.) have the technological and legal means to spy on everything you do on the Internet? Why do they have this right? Protection against (cyber) terrorism or national security? Does this mean that mass surveillance, which is increasingly present, is actually justified and acceptable? What can we do? How can we try to protect our privacy? There ways and technological defenses available to us. The idea is not to put in place strategies to hide in order to commit illegal acts but rather to provide means to save a fundamental right that we’re losing slowly but surely: the right to privacy. For those who say they don’t care and have nothing to hide, here is a quote from Edward Snowden: "Arguing that you do not care about the right to privacy because you have nothing to hide is no different than saying you do not care about free speech because you have nothing to say.”

New Era Risk Management: Using Information to Predict, Understand and Mitigate Organizational Threats

Ray Boisvert

Risk is unavoidable, whether your organization is operating domestically or is interconnected globally. Which threats—from cyber and foreign influence to terrorism and espionage—are most critical to Canadian interests? How do Canadian firms or entities operate effectively and securely abroad? In this unique and enlightening talk, Ray Boisvert goes beyond the typical "security" speech to explore the procedures developed and applied at CSIS—such as conducting operations in difficult, if not hostile, environments—and how these lessons can be applied in either private or public institutions, and to your own work place. The ability to identify and understand the myriad of threats to business activities is critical to effectively manage those challenges. Irrespective of the business requirement, a simple yet comprehensive set of informed strategies ensure resilience and the protection of assets and reputations.

Ray draws from real life experiences in challenging on the ground situations at CSIS and I-Sec, Boisvert delivers surprisingly candid insights on how leadership can make or break a risky situation, and the benefits of mitigating risks to people, facilities and reputation (protecting shareholder value and/or public trust). He helps you craft an appropriately tailored response to your challenges, showing you how (and when) to manage threats and opportunities using advanced techniques, environmental awareness, and "smart information" to inform decision making. A trusted expert in global security, Boisvert gives insider tips the likes of which you've never seen before.

It Sucks to Be a CISO, But You Still Want to Be One - Don't You?

Eddie Schwartz

It sure seemed like a visionary idea in the mid-1990’s – cyber security would be taken seriously by inventing a C-suite position. Banks and government agencies cared about security so why not? The CISO was born, and every organization wanted one. But unfortunately expectations and results did not match reality. Does a CISO simply ensure compliance with regulations or international standards? Should a CISO provide for ROI and develop clear risk metrics? Can a CISO defend against the hoards of Chinese, Russian, Syrian, Iranian, and other angry Canadian hackers? Of course, the answer to all these questions is a resounding NO. This talk traces the history of the CISO, the unfulfilled dreams and hopes of both security practitioners and the people that hire them, epic failures and successes, and what the future holds for this evolving profession.

Privacy in a Shifting Landscape

Leslie Fournier-Dupelle

Governments have a unique responsibility when it comes to protecting personal information under their care for one simple reason: you can’t “vote with your feet” when it comes to filing your taxes, applying for benefits, registering to vote and so on. There has been a long understanding, underpinned by legislation, that your information will only be used for the purpose you gave it. That’s all changing.

The Avalanche of Vulnerabilities: How Fundamental Flaws in Accountability Have Lead to Increasingly Unmanageable Cybersecurity Risks

Mike Ahmadi

The global expenditure of resources to manage cybersecurity issues continues to grow year over year, yet the cybersecurity challenges we are facing are rapidly outpacing our ability to get them under control. Consumers of software products (including government and business) have become increasingly reliant on software, yet we all remain vastly unaware of the vulnerabilities contained in the software that manages our lives. The current legal structure under which the US (and global) software industry operates allows software companies to exempt themselves from all liability associated with software cybersecurity issues. This has led to a massive growth in vulnerable software products, and instances where software companies are negligent. Moreover, EULA agreements written by some software vendors prohibit scanning software for vulnerabilities. This leaves software users both vulnerable and unable to protect themselves from cyber attacks. In at least one instance, an insurer has gone to court to enforce "minimum required practices" hold insureds to warrants made in their applications for cyber insurance, such as patching known vulnerabilities within 30 days. This will force cyber hygiene on standards on businesses, and will force insureds to deal with known vulnerabilities. However, the insured has no visibility into the extent of the known vulnerability problem or the expertise to fix products that come new and riddled with vulnerabilities. These circumstances have led to a situation where 100 percent of the risk falls upon everyone except the organizations that produce the vulnerable software systems, applications and devices. Further, these same organizations often refuse to produce code or devices without known vulnerabilities.

Research in Cloud and Data Centre Security

Matthew Elder

In this talk, we present three research projects conducted by Symantec Research Labs, the global research organization for Symantec, addressing the latest threats and new technologies in cloud and data center security. The first project is obfuscation research in data center security, called ShadowNet, which makes the reconnaissance phase much more difficult for attackers that have infiltrated a network by keeping the locations of services opaque to the users accessing them. The second research project, called FlowTap, builds upon new software-defined networking capabilities in modern cloud platforms, such as OpenStack, to build a flexible monitoring and policy enforcement infrastructure for network traffic in order to secure cloud applications. The third project, called Harbormaster, addresses the move towards container-based application deployment by researching enterprise security policy management for application containers and enabling policy checks on Docker container management operations.

Tactics and Evolution of an Advanced Threat Actor

Artturi Lehtiö

The tools used by advanced threat actors - so-called "APT groups" - are common fodder for whitepapers from information security companies. But what about the tactics of these threat actors? How do they actually use their tools? How do they proceed from the initial compromise of a targeted organization to persistence and deeper penetration? And do their tactics evolve over time?

These are questions that rarely get answered, even though they are extremely important both for understanding advanced threat actors and especially for defending against them. The tools employed by advanced threat actors are rarely what makes them so advanced. Rather, it is how those tools are employed - the tactics - that make advanced threat actors such perilous adversaries.

This presentation will cover the tactics employed by an advanced threat actor commonly referred to as "the Dukes" or APT29. They are a threat actor that has demonstrated considerable persistence, longevity, and success in operations spanning 7 years of state-sponsored governmental espionage. The presentation will outline the tactics that make the Dukes worthy of being called an advanced threat actor. The presentation will cover not only the infection vectors, infection strategies, and tactics for initial compromise that the Dukes employ but also tactics they employ for lateral movement, deep penetration, and persistence within compromised networks. Finally, the presentation will also discuss how the tactics employed by the Dukes have evolved over their years of activity including possible motivations for these evolutions.


Attacking the Supply Chain: Vulnerable by Association

Jeffrey Carr

This presentation will focus on the active and passive exploitation of the victim company's supply chain. Real use cases in the areas of aerospace, telecommunications, and government sectors will be presented and discussed. The target in each of these cases is valuable IP or an agency's Crown Jewels.

Data Loss Prevention: Reversing + Exploitation

Zach Lanier and Kelly Lum

Despite a plethora of data security and protection standards and certifications, companies and their systems are still leaking information like a sieve. Data Loss Prevention (DLP) solutions have often been touted as the "silver bullet" that will keep corporations from becoming the next headline. With deployment models ranging from a fat agent on an endpoint, to a blinky-lights box surveilling all network traffic, to some unified threat management gateway with DLP secret sauce, these solutions are ripe for bypass -- or worse.

This talk will discuss our research into a handful of DLP solutions, including their capabilities and their shortcomings. We will demonstrate flaws in administrative and programmatic interfaces and the inspection engines themselves.

Via this presentation we hope to have the audience walk away with a better understanding of the reality of DLP products-- their advantages, their detriments, and whether or not they are of value to their organization. We also hope to caution the audience regarding the potential downfalls of utilizing DLP and better equip them to avoid potential snake oil and inadequate products.


Operational Lessons from the RSA/EMC CIRC: People, Process & Threat Intel

Ben Smith

Regardless of where your organization resides along the security maturity spectrum, case studies from other organizations can often bring new insights into ways you can improve your security stance. In this session, RSA, The Security Division of EMC, will review some of the lessons learned and implemented by the EMC Critical Incident Response Center (CIRC), following the company’s highly-publicized 2011 breach.

A Data-Centric Approach to Security

Sol Cates

As we make our way into 2016, data security on a federal level will continue to be a concern. Government must be up to the task to amplify efforts to protect our nation’s data from both insider threats and nation-state attacks. For too long the focus has been on defending network boundaries and end points from intrusion. In tandem with the increased cyber security risk from adversaries, is the adoption of Mobile technologies, Cloud and SaaS solutions that make the network edge harder to identify and harder to protect. Agencies are left struggling with how to secure environments where classified data resides on multiple cloud instances, alongside non-classified data that is accessible by multiple tenants. During this session we will discuss a data-centric approach security. By employing innovative encryption and key management tactics the data owners, not administrators, determine access protocols and privileges for their critical assets.


What about Canada (Data) Eh?

Natasha (Sasha) Hellberg

Canada has some of the best IT Security professionals in the world yet we often have to look to US-based reports to uncover statistics about threats in Canada. Even companies with a Canadian presence who produce numerous reports, such as Trend Micro, tend to focus on regions other than Canada. Yet Canada’s landscape is much the same as the US. Building off Trend’s soon-to-be-released paper on the Underground, as well as existing profiling from Trend, this session will provide a look at Canadian specific threats and malware data that Sasha has spent time uncovering, profiling her adventures and results, exploring the Canadian Underground.

Cybercrime: Indiscriminate Nuisance or Targeted Threat

Nart Villeneuve

Is a simple, indiscriminate malware infection a noteworthy incident? Or will it pass largely unnoticed … only to transform into a significant data breach? Often dismissed as “commodity” malware, cybercrime is typically assessed to be indiscriminate and in direct contrast with Advanced Persistent Threat (APT) activity. This presentation focuses on the evolution of cybercrime and the increasingly targeted nature of crimeware activity affecting the retail and finance sectors.  it will examine the proliferation of point-of-sale (POS) malware and the challenges of tracking financially motivated threat groups.


Adaptive Security for an Evolving Landscape

Paul Da Silva

The recent high-profile data theft news stories send an unmistakable message to CISOs and security team leaders across all industries—no business is safe from a data breach. As security leaders, we have to completely re-think the way we do business and look at the new realities of cybersecurity. Join us for a dynamic security discussion where you will get expert analysis on the evolving threat landscape, updates on the current state of cybersecurity, and an in-depth look at the latest tools and strategies for an effective Data Theft Prevention security posture. As every cybersecurity expert knows, protecting your data is a choice. We’ll show you how Raytheon|Websense’s defense-grade security will protect your critical data from advanced cyber-attacks and the rapidly changing threat landscape.

Recent News

October 9th 2018

Cloud security issues are a key focus at this year’s COUNTERMEASURE IT Security Conference, with in depth training as well as key presentation from industry leaders. Graham Thompson, who participated in our 2017 cloud security panel discussion, leads an intensive three day training course, Cloud Security Fundamentals & FedRAMP. IBM’s Jeff Crume will be giving a keynote presentation on Security in the Clouds, and Teri Radichel will present on Top Priorities for Cloud Application Security. For institutions with a cloud infrastructure, these sessions should not be missed.

September 20th 2018

Charlie Miller and Chris Valasek join our growing list of speakers at COUNTERMEASURE 2018.  Their presentation on Security Self-Driving Cars will explore the future security issues of this emerging sector. 

In the not too distant future, we'll live in a world where computers are driving our cars. Soon, cars may not even have steering wheels or brake pedals. But, in this scenario, should we be worried about cyber attack of these vehicles? In this talk, two researchers who have headed self-driving car security teams for multiple companies will discuss how self driving cars work, how they might be attacked, and how they can ultimately be secured.
You can view their presentations and those of our other speakers here.

Cancellation Policy

Substitutions can be made at any time. Unfortunately we cannot refund registration fees. Each course is subject to a minimum number of students. In the unlikely event that a course must be cancelled due to low enrolment, full refunds will be provided to registered students.

For more information on COUNTERMEASURE 2018, please contact us at This email address is being protected from spambots. You need JavaScript enabled to view it. or our office line at 613-725-2079.