Hackfest_ca 2011

Hackfest.ca Quebec’s finest and largest Information Security conference (and according to statistics one of the bigger ones in Canada) is set for November 4th & 5th.  This year promises to be as exciting as the years previous. Great sponsors, good roster of speakers in both English and French and some good prizes up for crabs during the evening events. Check their website (link provided above).

For those that are not familiar with Hackfest, I’ll do my best to describe the experience, the atmosphere and the overall “feeling” of the event. This from my point of view and by comments made by others while I was their in past years.  Although I have never attended any other InfoSec convention (Defcon, BlackHat, Brucon etc), I have been to many IT related convention and others.

First thing that pops out when one sets foot at Hackfest is the crowd.  Every year it just keeps getting bigger and yet still has that small personal feel. Everyone is open to discussion, nice and polite to each other. We are all there for a common purpose, to share and learn from one another. I’ve seen people that are normally so shy they have trouble talking to their own shadow. At Hackfest they open up and spark conversations with perfect strangers. That in my opinion is a strong point for any convention. The environment makes you feel invited and welcomed.

The talks are, of course, interesting. A wide range of topics are always on the table. From the legal perspective to the actual demonstrations and theories displayed on large screens. Having a broad selection of topics makes the convention accessible not only to the IT guy or gal, but also to management that may want to understand more on whats going on behind the scenes when it comes to IT security.  Another good thing are the talk’s languages. Being in Quebec Canada, the predominant language up here is French. I must add to this, a good percentage of French speaking Quebec are either bilingual or have an excellent understanding of the English language. So this opens up the convention to foreign speakers (either from the US or UK) without any trouble. And lets face, if one is going to work in IT you have no choice really to understand English in the first place. I have to mention the language issue, seeing the wide spread misconception that Canada and/or Quebec is French speaking only… it is not. Last thing about the speakers, and the way the convention is setup, they are available to the public after their talk… And usually available at the bar during the evening’s event.

A few comments from speakers past range from (paraphrasing here) “Great little con not too crowed so we can actually hear ourselves speak” -Mick Douglas 2009 to Mike Kemp’s comment (2010) “This is like Defcon’s little brother much better then the one in Toronto…”  Many speakers actually participate in the events, so that alone shows their enjoy it. They wouldn’t stay otherwise no?

For the atmosphere and setting, well the convention is held in the beautiful city of Quebec. Although in November it is on the cooler side of the thermometer, it’s nothing a heavy sweater won’t fix. The city has many attractions such as historical monuments and great restaurants if one wishes to go out for some site-seeing.

Finally the glue that makes this event hold together and possible are of course the organizers. The hard work these guys put into this thing is impressive… probably obsessive.  Sharing information about information security is their primary motivation. They don’t do it for fame and fortune and it shows.  They accept suggestions and help from anyone willing to put some time. They are open and very accessible outside the event as well. In a word “human”. Very nice humans at that I must add. I’ve had the privileged to meet them on several occasions, and contribute (in my own small way) to this event.

In a nut shell, everyone can/will/would enjoy this convention. It may not be 10,000 strong like Defcon, but one must remember it had humble beginnings as well. Everything starts small and as long as the quality is present the quantity will eventually follow.

I really do hope that more people outside the Quebec InfoSec community will come this year and in future years. Hackfest deserves to be on the map along side it’s US counterparts. Pretty sure there’s enough room to share.

Hope to see you there.

-Steven McElrea
aka loneferret

Metasploit The Penetration Tester's Guide

Front Cover

A few weeks ago, I ordered the MSF pentest guide mostly authored by the Offsec crew (www.offsec.com).  Hailed as the best MSF guide, and highly praised by the project’s founder H.D Moore this guide does live up to the hype.  I rarely find an IT book that can be read cover-to-cover, especially one that is as specific as this one.

The book covers the framework’s basic functions as well as more advance ones.  It does this by taking the reader through a mock penetration test on vulnerable systems; Windows XP SP2 & Ubuntu 9.04 for example.  Some may criticize the OS selection, saying “what’s the point”, but they need to keep in mind the object of the book is the tool and not “how to hack”.

New and old users to Metasploit will appreciate this work. It covers the basics in such a way as to not lose the new comer’s interest, and for the veterans it may serve as a good refresher on certain auxiliary modules.

The guide starts off with basic setup of the tool, setting up with a database for record keeping.  Moves on to the scanning capabilities; features such as using NMAP straight from the application’s console.  Scanning for mySql or MSSql databases from the console using MSF’s built in features.  Loading and running exploits against found targets, encoding payloads to avoid anti-virus detection, pass-the-hash attacks and so on.

It also convers porting existing exploits to Metasploit and meterpreter scripting. Fast-Track and SET (www.social-engineer.org) are covered as well in later chapters.

Even if this guide is a shade under 300 hundred pages, I must say it covers Metasploit very well.  It could have easily been a few hundred pages longer, but then how good a read would that have been is unsure. For new users to the framework, this book coupled with Offsec’s Metasploit Unleasched WiKi  is great, provides enough material to have a firm understanding.  As for the veterans, they may skip a few chapters but I’m convinced some of the pages will hold their interest.

The book is published by No Starch press, and can also be purchased from their web site directly.

One last note on the authors and the work they have done. Lots of time and effort was put into this.  Seeing they are not professional writers (people that make a living off writing books), I must say they did a great job.  Pretty sure writing and compiling such a book together is no small feat.  Hats off to them…