Should I attend CanSecWest? Yes, if you want the latest updates on developments in the security industry and turn up prepared for extremely technical seminars. On the other hand, if the aim is to network with vendors or do non-technical marketing for your company then this conference is not for you.
This year I attended the much talked about CanSecWest conference in Vancouver with a few of my colleagues. Among regular attendees, CanSecWest is viewed as a must in order to keep track of technical developments in Cyber Security. The target audience is technical: mainly red and blue teamers along with a few engineers and architects. The talks this year did not disappoint, ranging from high to low level with speakers from varied backgrounds. Aside from the seminars, there were hands on competitions including “hack a tesla” and “capture the signal.”
For those unfamiliar with the conference, all CanSecWest seminars run on one track. This means that all of the delegates attend all of the seminars, unless of course they are competing to break out of hypervisors or exploring downtown Vancouver. The one-track system is a leveller between delegates, who all leave with the same reference points and can share ideas on any of the talks.
The talks themselves ranged from the dangers of homomorphic encryption, Zhiniang Peng and Minrui Yan, to why it is almost impossible to safely clear secrets in code, even when you write secure code at application level by Ilya van Sprundel.
The conference kicked off with a talk on misinformation campaigns and their recent influence over elections in the US and Europe by Sara-Jayne Terp of Bodacea Light Industries. Misinformation campaigns range from the essentially harmless, for example flat earth theory, to the harmful, anti-vaxxers through to campaigns aimed at National Politics.
Such campaigns are essentially social engineering on large scales, executed through social profiling and targeted ads. The algorithms run by social media platforms pick up posts that individuals interact with and work to re-enforce their views by showing videos or links on similar subjects from similar points of view.
Misinformation is an area of infosec in its infancy, the speaker delivering a call to arms for the information security community. Whether the call to arms is successful will be another story, these campaigns are seen as personal issues – as a colleague put it, some people want to drink the kool-aid. Although the consumption of fake news is personal, the results can no doubt be national, as recent political events all over the world provide evidence.
In any case, anyone interested in fighting the insidious meddling by external Nation States over national issues can now reach out to the Credibility Coalition and Misinfosec among others.
Another highlight was the talk using AI to fight AI by Mengyun Tang and Xiangqi Huang from Tencent’s Security Platform Department. This talk went over how to introduce impurities into images which would fool an AI algorithm into not recognising the contents of the image, but which would be imperceptible to the human eye. The introduction of adversarial AI will certainly be adopted by hackers to fool vulnerable AI algorithms.
Lillian Young from Google presented an update on the most notable vulnerabilities found on the Android OS reported and fixed by Google through 2018. Hearing about the way that Google manages the vulnerability triage process and learning who reports android vulnerabilities is certainly of interest to anyone with an android phone. On top of this, insight into the android architecture from the point of view common OS components and their potential to be compromised is extremely valuable.
And finally, the talk with the most immediate practical implications for Red Teamers was ‘Attack Infrastructure for the Modern Red Team’. This talk and demo were presented by Topher Timzen and Michael Leibowitz, from Oracle Cloud Infrastructure and covered their attack environment. The demo showed the deployment of the environment using terraform, and the subsequent configuration. The code presented has already been shared on GitHub as a go-to for red teams to get up and running and (legally) attacking organisations.
To summarise, CanSecWest is certainly not a conference to be missed by the ultra techie members of the infosec community. It’s an excellent conference for technical learning and is as close as possible to a one stop shop for yearly security updates.