Well, yesterday I attended my first infosec convention/conference in Quebec City: Hackfest. I must say it was great! Since I have nothing to compare it to (as far as information security related conventions), I’ll compare it to the few conventions I did attend in the past... IT and non-IT related. The result is still the same, it was a great learning experience.
The convention was organized by Patrick R. Mathieu, Nicolas-Loic Fortin and Michel Cusin. It was held at the “Hotel Universel” across the street from where it was initially intended (University of Laval). They needed to move out of the University due to the swine flu vaccination campaign, and this with only 3 weeks’ notice… If they hadn’t mentioned it, we never would’ve noticed. The whole thing was well organized right down to the free RedBull. Smooth, on time and with people behaving correctly, all went like clockwork.
The day started with registrations at 8am, and ended with lock-picking and a CTF event. Unfortunately due to health issues, I couldn’t stay to watch the activities… guess it’s just good luck I didn’t register for the event, I wouldn’t have been able to participate.
9h15am The first speakers of the conference, Eric Gingras and Sebastien Duquette. Their topic was “fuzzing in a pentest”. Complete with slides and an entertaining demonstration. It was a good talk to kick off the day.
10h15 This talk was a bit over my head, seeing I’m not a PHP coder. Nonetheless it was extremely interesting. Auditing PHP code for security reasons. It opened my eyes to how easy it is to make your server hosting the code vulnerable to attack. This must have made a few coders happy (and a bit scared I hope).
11h30 Botrax came on to explain how the “law” worked, and how it’s applied to a “Human” and a “person”. Yes according to the law’s definition, these two are not the same. You would be surprised how much impact this makes. As for how this applied to White Hat hacker and black… well you needed some imagination. Overall it was worth the hour.
13h30 Henry Stern, senior Security Engineer, spoke about social sites attacks in various forms. At the end, seeing the whole crowd attending are computer savvy, we still got a few surprises. I can just imagine now, for the average user, how badly their computers are infected with false anti-virus software.
15h00 David Girard came on to talk about vulnerabilities in virtual machine architecture. Speaking about different technologies used for virtualization... and no, VMware is not the only one. Very eye-opening... moral of the story: update everything when you can, especially if you’re running ESX.
16h15 Guy Bruneau from SANS spoke about packet analysis and retrieving files directly out of a Wireshark session. For me this was new. Knowing it was possible, now I have a pretty good idea on how to do it. Again very informative.
17h15 It was Mick Douglas from PaulDotCom Security Weekly’s turn to take the stage. This guy is the reason (at least the major reason) I decided to attend. His topic “Offense is the new Defense” was a fresh outlook on how blue team, or system/security/network administrators should act/react to an attack on the system. He was obviously passionate about the topic.
After all the talks were done, the lock-picking and CTF started. I stuck around to see all the various laptops boot up and get ready for war. Seeing I have no experience in a CTF (closest thing I’ve done is OSCP) it was quite impressive. Well organized, enough hardware to supply all teams with an IP; the whole setup seemed to be ready in an hour. Great job guys! No waiting for the participants, I’m sure they appreciated it.
To finish this off now, must say it was a great experience and something I hope they are able to redo next year. Canada/Quebec need conventions like these. We can’t all afford to go to Shmoocon/DefCon. Not all employers are ready to send their admins to such events either. So me and my colleagues that attended this event feel that not only is this convention fun and useful, it’s essential for Quebec’s security consultants and techs to be on top of the black-hats.
I spoke to Michel Cusin before leaving, congratulating him and offering any help he may need for next year’s event. I truly believe in this event now. I hope he just remembers that a stranger took the time to offer his help.