My Guests Today
This is part 2 of my conversation with:
- Brian Bourne from TASK - Toronto Area Security Klatch and founder of SecTor
- Nick Aleks from DC416 - Defcon Toronto
- Opheliar Chan from the Toronto chapter of OWASP - Open Web Application Security Project.
Notes, Links, and Corrections
- Code Injection is a class of software bug in which a computer interprets data as instructions: text that was supposed to be a value ends up parsed by a SQL engine, a shell or an HTML parser as code. Injection sits at number 1 in the OWASP Top 10.
- Brian asked whether Starwood Hotels had fewer bookings because of the recent breach of 383 million Marriott guest records. These were detailed records, sometimes including passport numbers! Has this translated into fewer bookings for Marriott?
- Ophe mentions Cross-site Scripting (XSS), the web flavour of injection: attacker-supplied text is rendered into a page and the browser runs it as script.
- Brian's first exposure to technology was poking around a Commodore 64, which was released in 1982.
- OK, I didn't find a programming colouring book for kids, but I found a few pages of a mildly offensive colouring book for programmers: http://thecomputerboys.com/wp-content/uploads/2010/12/programmers-coloring-book.pdf
- Ryan ToysReview is a YouTube channel with 18 million subscribers that reportedly earned $22 million in 12 months! This seven-year-old has already earned more than I will in my whole life 😭
- See TASK's recent meetups, including the 2018 DEF CON/Black Hat roundup.
- In 2018 DC416 hosted a CTF to help find missing persons, which was followed by a bigger event at DEF CON.
- In 2018 DEF CON hosted a password cracking contest.
- Here's a great video showing what DEF CON hacking challenges are all about: https://www.youtube.com/watch?v=fHhNWAKw0bY
- Mandatory breach reporting under PIPEDA came into force on November 1, 2018, so Canadian companies must now report security breaches to the Privacy Commissioner and notify the people affected. It isn't perfect, but it's a start.
- A lot of people have had their data leaked at some point. Brian rattles off a few recent major leaks: Equifax, Canada Revenue Agency, Canada Post (cannabis purchasers), and the Ashley Madison hack from a few years back, just to name a few.
- Brian mentions the Starwood breach: attackers had access continuously from 2014 until 2018, when it was finally discovered and closed off. It seems silly to rush now after so many years of neglect.
- According to SecTor ticket sales, the average security professional would rather give up their details than pay $50 for a SecTor ticket.
- Some new Lenovo laptops have a camera privacy cover built in. Awesome!
- Back in 2015 some Lenovo laptops shipped with the Superfish adware, which installed its own root certificate in the system trust store, and the same private key sat on every machine. Once that key was extracted, anyone could sign a certificate for any website and the browser would show the usual little green lock, so an attacker on the network could impersonate any site or online service.
- Sennheiser made the same mistake in its HeadSetup software in 2018: it installed a root certificate and shipped the matching private key alongside it.
- What is meant by Pets vs Cattle? Servers/systems you consider special and treat with care are pets. Servers you consider easily replaceable and give little or no personal attention are cattle. Your production servers should be cattle!
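To make the "data interpreted as instructions" point from the Code Injection and XSS notes above concrete, here is a small example of my own (not code from the episode or from OWASP). It uses a constructed in-memory SQLite table and two constructed payloads; the vulnerable functions splice user input into SQL and HTML text, and the fixed ones keep the input as data with a bound parameter and HTML escaping.

```python
import html
import sqlite3


def make_db():
    """Constructed in-memory sample database (not from the podcast)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def lookup_vulnerable(conn, name):
    """Input is spliced into the statement text, so SQLite parses the
    caller's data as part of the SQL instruction."""
    query = f"SELECT name, email FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def lookup_fixed(conn, name):
    """The statement text is fixed; the value travels as a bound parameter
    and cannot change what the query does."""
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def render_vulnerable(comment):
    """Untrusted text dropped straight into HTML: the browser parses any
    tags it contains as markup and runs any script."""
    return f"<p>{comment}</p>"


def render_fixed(comment):
    """html.escape turns <, >, & and quotes into entities so the browser
    displays the text instead of interpreting it."""
    return f"<p>{html.escape(comment)}</p>"


# Constructed payloads: the first closes the quote and adds an always-true
# condition, the second is the classic reflected-XSS probe.
SQL_PAYLOAD = "x' OR '1'='1"
XSS_PAYLOAD = "<script>alert(1)</script>"


def demo():
    conn = make_db()
    return {
        "sql_vulnerable_rows": len(lookup_vulnerable(conn, SQL_PAYLOAD)),  # every user
        "sql_fixed_rows": len(lookup_fixed(conn, SQL_PAYLOAD)),            # no user has that name
        "xss_vulnerable_has_tag": "<script>" in render_vulnerable(XSS_PAYLOAD),
        "xss_fixed_has_tag": "<script>" in render_fixed(XSS_PAYLOAD),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The same root cause shows up in both halves: the vulnerable versions hand the interpreter (SQLite, the browser) a string that mixes code and data, and the fixes keep the two apart rather than trying to filter "bad" characters.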
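The Lenovo and Sennheiser notes above are about a rogue root certificate sitting in the trust store. The check a practitioner wants is to audit that store, so here is an added example of my own (not from the episode, Lenovo or Sennheiser) that lists the CA certificates Python loads from the operating system and flags any whose subject name or SHA-256 fingerprint is on a denylist. The denylists are constructed for illustration; "Superfish, Inc." is the subject name widely reported for that root, and the fingerprint set is left for you to fill from your own sources. The sample store is constructed in the shape `ssl.SSLContext.get_ca_certs()` returns.

```python
import hashlib
import ssl

# Illustrative denylists (constructed for this example). Populate them from
# your own research; the fingerprint check is the one a renamed root cannot dodge.
BAD_SUBJECT_NAMES = {"Superfish, Inc."}
BAD_SHA256_FINGERPRINTS = set()


def rdn_value(cert, section, key):
    """Pull one attribute (e.g. 'commonName') out of the nested tuples that
    ssl uses for the 'subject' and 'issuer' fields of a certificate dict."""
    for rdn in cert.get(section, ()):
        for attr, value in rdn:
            if attr == key:
                return value
    return None


def sha256_hex(der_bytes):
    """SHA-256 fingerprint of a DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der_bytes).hexdigest()


def suspicious_roots(certs, bad_names=BAD_SUBJECT_NAMES):
    """Subject names of roots whose commonName or organizationName is denylisted."""
    flagged = []
    for cert in certs:
        cn = rdn_value(cert, "subject", "commonName")
        org = rdn_value(cert, "subject", "organizationName")
        if cn in bad_names or org in bad_names:
            flagged.append(cn or org)
    return flagged


def suspicious_fingerprints(der_certs, bad_fps=BAD_SHA256_FINGERPRINTS):
    """Fingerprints of raw DER roots that match the denylist."""
    return [fp for fp in map(sha256_hex, der_certs) if fp in bad_fps]


def audit_system_store():
    """Run both checks against the CAs Python loads from the OS default store."""
    ctx = ssl.create_default_context()  # loads the platform trust store
    return {
        "by_name": suspicious_roots(ctx.get_ca_certs()),
        "by_fingerprint": suspicious_fingerprints(ctx.get_ca_certs(binary_form=True)),
    }


# Constructed sample store: one ordinary root and one Superfish-style root.
SAMPLE_STORE = [
    {"subject": ((("countryName", "US"),),
                 (("organizationName", "Example Trust Services"),),
                 (("commonName", "Example Root CA"),)),
     "issuer": ((("commonName", "Example Root CA"),),)},
    {"subject": ((("countryName", "US"),),
                 (("organizationName", "Superfish, Inc."),),
                 (("commonName", "Superfish, Inc."),)),
     "issuer": ((("commonName", "Superfish, Inc."),),)},
]


if __name__ == "__main__":
    print("sample store:", suspicious_roots(SAMPLE_STORE))
    print("this machine:", audit_system_store())
```

Caveat: this only sees the store Python uses (the OS store on Windows and macOS, the OpenSSL bundle on most Linux builds). Firefox and some other applications keep their own trust store, which is exactly where software like Superfish also installed itself, so check those separately.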
Speakers' Contact
- Brian (at) task.to
- nick (at) dc416.com
- opheliar.chan (at) owasp.org
Next Events
DC416 - Exploring Cyber Security Law & Building a Custom OSINT CTF Platform
OWASP Toronto - CMD+CTRL CTF!
TASK - March event not posted yet. See task.to