Past Editions

2022 | 2021 | 2020 | 2019 | 2018 | 2017 | 2016 | 2015 | 2014 | 2013 | HackUS

Challenge Coins for Winners

2022

The big return to in-person events. NorthSec 2022 was held at Marché Bonsecours. The conference was livestreamed on YouTube and the CTF was remote-first with an in-person option.

Competition

Theme: The Mycoverse

Ouyaya is a startup company that wants to ride on the current trends. They are about to release their flagship product, the Mycoverse. This mushroom-themed virtual universe is a platform for cryptocoin mining and NFT purchasing. However, they have been forced by the venture fund financing them to go through a security audit by a pentester firm. The participants will discover that behind the promises of technology advances is a shell for a company that never took security seriously, and that is even acting as a cover for a massive fraud in its Shiitakoin exchange.

Top 3

Conference

Talk Videos

Talks

  • KEYNOTE: What Lies Behind Canada’s Internet Regulation Reversal? by Michael Geist
  • Obfuscation classification via Machine Learning by Yuriy Arbitman
  • Public, verifiable, and unbiasable randomness: wassat? by Yolan Romailler
  • MuddyWater: From Canaries to Turkeys by Vitor Ventura and Asheer Malhotra
  • Formalizing the right to be forgotten: law meets crypto by Philippe Lamontagne
  • 10 Things I wish I knew before my first incident by Caspian Kilkelly
  • I thought writing a technical book was supposed to be fun?!! by Vickie Li
  • The Risks of RDP and How to Mitigate Them by Olivier Bilodeau and Lisandro Ubiedo
  • A snapshot of Doplik: Unwanted Software using serialized JavaScript bytecode as an anti-analysis technique by Léanne Dutil
  • Jumping the air gap: 15 years of nation-state efforts by Alexis Dorais-Joncas and Facundo Munoz
  • The road to BeyondCorp is paved with good intentions by Maya Kaczorowski and Eric Chiang
  • Passive recon & intelligence collection using cyber-squatted domains by Rolland Winters
  • Hook, Line and Sinker - Pillaging API Webhooks by Abhay Bhargav
  • From the cluster to the cloud and back to the cluster: Lateral movements in Kubernetes by Yossi Weizman
  • Privacy-friendly QR codes for identity by Christian Paquin
  • Tell me where you live and I will tell your P@ssw0rd: Understanding the macrosocial factors influencing password’s strength by Andreanne Bergeron
  • I am become loadbalancer, owner of your network by Nate Warfield

Workshops

  • Web Application Firewall Workshop by Philippe Arteau
  • Advanced Process Injection Techniques by Yash Bharadwaj
  • Capture-The-Flag 101 by Olivier Bilodeau
  • Reverse and bypass of modern Android runtime protections [FR] by Georges-Bastien Michel
  • Fleet and osquery - open source device visibility by Guillaume Ross

Event Photos

Photos

2021

A second year in lockdown mode. This time around we were more prepared. We even hosted a remote Hacker Jeopardy.

Competition

Theme: North Sectoria

We are in the Medieval period. For some reason unexplained, technology exists in this world. It is not as prevalent as it is in our world, but it is slowly taking more and more place.

This is a challenge to the elites in place. While their status was previously granted by bloodline, these tools are making the merchant caste take a greater place in the world since they quickly learned how to take advantage of it, while the royalty is left behind, thinking this is all wizardry they don’t understand.

To solve this situation, the regency has appointed its court Wizard: someone that can advise the crown on technology issues. The participants are followers of the Wizard: tech apprentices with some connections to the guilds, who are looking to take advantage of their position to place their pawns on this new chessboard and create new alliances.

Top 3

Conference

Talk Videos

Talks

  • KEYNOTE: You’re not an idiot by Ange Albertini
  • KEYNOTE: Privacy Without Monopoly: Beyond Feudal Security by Cory Doctorow
  • Security Metrics That Matter by Tanya Janca
  • Full Circle Detection: From Hunting to Actionable Detection by Mathieu Saulnier
  • Unmasking the Cameleons of the Criminal Underground: An Analysis From Bot To Illicit Market Level by David Décary-Hétu
  • Repo Jacking: How Github usernames expose 70,000 open-source projects to remote code injection by Indiana Moreau
  • Data Science way to deal with advanced threats. by Igor Kozlov
  • Damn GraphQL - Attacking and Defending APIs by Dolev Farhi
  • Building CANtact Pro: An Open Source CAN Bus Tool by Eric Evenchick
  • Burnout: Destabilizing Retention Goals and Threatening Organizational Security by Chloé Messdaghi
  • Blurred lines - The mixing of APTs with Crimeware groups by Warren Mercer and Vitor Ventura
  • Forensicating Endpoint Artifacts in the World of Cloud Storage Services by Renzon Cruz
  • See Something, Say Something? The State of Coordinated Vulnerability Disclosure in Canada’s Federal Government by Stephanie Tran, Florian Martin-Bariteau and Yuan Stevens
  • Bypassing advanced device profiling with DHCP packet manipulation by Ivica Stipovic
  • Just Add More LEDs: NSec 2018 and 2019 Badge Mods by Ben Gardiner
  • Hacking K-12 school software in a time of remote learning by Sam Quinn
  • Request Smuggling 101 by Philippe Arteau
  • CrimeOps of the KashmirBlack Botnet by Ofir Shaty and Sarit Yerushalmi
  • dRuby Security Internals by Addison Amiri and Jeff Dileo
  • AMITT Countermeasures - A Defensive Framework to Counter Disinformation by Roger Johnston and Sara-Jayne Terp
  • Critical Vulnerabilities in Network Equipment: Past, Present and Future by Pedro Ribeiro
  • Authentication challenges in SaaS integration and Cloud transformation by Evelyn Lam
  • Social bots: Malicious use of social media by Marie-Pier Villeneuve-Dubuc
  • Cryptography Do’s and Don’t in 2021 by Mansi Sheth
  • How to harden your Electron app by Mitchell Cohen

Workshops

  • Introduction to fuzzing by Dhiraj Mishra
  • DIY Static Code Analyzer: Building your own security tools with Joern by Suchakra Sharma and Vickie Li
  • Atomic Red Team Hands-on Getting Started Guide by Carrie Roberts
  • Capture-The-Flag 101 by Olivier Bilodeau
  • Reversing Android malware for the Smart and Lazy by Axelle Apvrille
  • Automated contact tracing experiment on ESP Vroom32 by Marc-andre Labonte
  • How Crypto Gets Broken (by you) by Ben Gardiner
  • Kubernetes Security 101: Best Practices to Secure your Cluster by Magno Logan

Badge

Badge 2021

2020

Due to the COVID-19 pandemic, in less than 3 months, we turned our in-person event to a free remote conference, transitionned our on-site CTF into an online one and honored our training sessions remotely.

Competition

Theme: Severity High

The participants were high school students that are bound together as a hacker clique. Teenagers, with teenagers concerns, but using the modern cybertechnology arsenal to do whatever they want. Working to increase their reputation and impress others, but mainly, just having fun and performing small mischiefs.

Top 3

Conference

Talk Videos

Talks

  • Practical security in the brave new Kubernetes world by Alex Ivkin
  • AMITT - Adversarial Misinformation Playbooks by Roger Johnston and Sara-Jayne Terp
  • Unicode vulnerabilities that could byͥte you by Philippe Arteau
  • IOMMU and DMA attacks by Jean-Christophe Delaunay
  • Designing Customer Account Recovery in a 2FA World by Kelley Robinson
  • Defending Human Rights in the Age of Targeted Attacks by Etienne Maynier
  • High speed fingerprint cloning: myth or reality? by Vitor Ventura and Paul Rascagnères
  • Regions are types, types are policy, and other ramblings by bx
  • Look! There’s a Threat Model in My DevSecOps by Alyssa Miller
  • The Path to Software-Defined Cryptography via Multi-Party Computation by Prof. Yehuda Lindell
  • Stay quantum safe: future-proofing encrypted secrets by Christian Paquin
  • Dynamic Data Resolver IDA plugin – Extending IDA with dynamic data by Holger Unterbrink

Workshops

  • Finding the Needle in the Needlestack: An Introduction to Digital Forensics by Emily Wicki
  • Capture-The-Flag 101 by Olivier Bilodeau
  • Offensive Cloud Security Workshop by Xavier Garceau-Aranda
  • Advanced Binary Analysis by Alexandre Beaulieu

2019

In 2019, we moved the conference to the Science Centre were we hosted two tracks of talks and four tracks of workshops.

Competition

The theme was the neurosoft brain implant: Hackers uncover the grim aftermath of an unregulated cerebral implant that took the world by storm.

Top 3 were:

Conference

Talk Videos

Talks

  • KEYNOTE: Where Do We Go From Here? Stalkerware, Spouseware, and What We Should Do About It by Eva Galperin
  • KEYNOTE: Cybersecurity vs the world by Matt Mitchell
  • Wajam: From a Start-up to Massive Spread Adware by Hugo Porcher
  • A good list of bad ideas by Laurent Desaulniers
  • The (Long) Journey To A Multi-Architecture Disassembler by Joan Calvet
  • Fixing the Internet’s Auto-Immune Problem: Bilateral Safe Harbor for Good-Faith Hackers by Chloé Messdaghi
  • Cache Me If You Can: Messing with Web Caching by Louis Dion-Marcil
  • Safer Online Sex: Harm Reduction and Queer Dating Apps by Norman Shamas
  • Making it easier for everyone to get Let’s Encrypt certificates with Certbot by Erica Portnoy
  • Hacking Heuristics: Exploiting the Narrative by Kelly Villanueva
  • What is our Ethical Obligation to Ship Secure Code? by Elissa Shevinsky
  • M33tfinder: Disclosing Corporate Secrets via Videoconferences by Yamila Vanesa Levalle
  • T1: Secure Programming For Embedded Systems by Thomas Pornin
  • Post-Quantum Manifesto by Philippe Lamontagne
  • Trick or treat? Unveil the “stratum” of the mining pools by Emilien Le Jamtel and Ioana-Andrada Todirica
  • xRAT: Monitoring Chinese Interests Abroad With Mobile Surveillance-ware by Apurva Kumar and Arezou Hosseinzad-Amirkhizi
  • DNS On Fire by Paul Rascagnères and Warren Mercer
  • One Key To Rule Them All - ECC Math Tricks by Yolan Romailler
  • Threat hunting in the cloud by Jacob Grant and Kurtis Armour
  • Using Geopolitical Conflicts for Threat Hunting - How Global Awareness Can Enable New Surveillanceware Discoveries by Kristin Del Rosso
  • Welcome to the Jumble: Improving RDP Tooling for Malware Analysis and Pentesting by Émilio Gonzalez and Francis Labelle
  • Post-Quantum Cryptography: today’s defense against tomorrow’s quantum hackers by Christian Paquin
  • Call Center Authentication by Kelley Robinson
  • Mainframe Hacking in 2019 by Philip Young
  • The SOC Counter ATT&CK by Mathieu Saulnier

Workshops

  • Deserialization: RCE for modern web applications by Philippe Arteau
  • Red Teaming Workshop by Charles F. Hamilton
  • Introduction to appliance reverse engineering by Olivier Arteau
  • Container Security Deep Dive by Yashvier Kosaraju
  • Reversing WebAssembly Module 101 by Patrick Ventuzelo
  • Threat Modeling by Jonathan Marcil
  • Introduction to Return Oriented Programming by Lisa Aichele
  • Leveraging UART, SPI and JTAG for firmware extraction by Marc-andre Labonte
  • Hunting Linux Malware for Fun and Flags by Marc-Etienne M.Léveillé
  • Using angr to augment binary analysis workflow by Alexander Druffel and Florian Magin
  • Capture-The-Flag 101 by Olivier Bilodeau
  • Intro to badge soldering by Martin Lebel
  • 64-bit shellcoding and introduction to buffer overflow exploitation on Linux by Silvia Väli
  • Breaking smart contracts by Maurelian and Shayan Eskandari
  • From Bitcoins Amateurs to Experts: Fundamentals, grouping, tracing and extracting bulk information with open-source tools by Masarah Paquet-Clouston

Event Photos

Photos

2018

In 2018, we added one track to the conference. Additionally, our training sessions outgrew Marché Bonsecours and went to the Holiday Inn.

Competition

The theme was space.

Top 3 were:

Conference

Talk Videos

Talks

  • KEYNOTE: How to Think (About Complex Adversarial Systems) by Eleanor Saitta
  • A Journey into Red Team by Charles Hamilton
  • Stupid Purple Teamer Tricks by Laurent Desaulniers
  • Quick Retooling with .NET Payloads by Dimitry Snezhkov
  • Ichthyology: Phishing as a Science by Karla Burnett
  • Logic against sneak obfuscated malware by Thaís aka barbie Moreira Hamasaki
  • Binary analysis, meet the blockchain by Mark Mossberg
  • Invoke-DOSfuscation: Techniques FOR %F IN (-style) DO (S-level CMD Obfuscation) by Daniel (DBO) Bohannon
  • Non-Crypto Constant-Time Coding by Thomas Pornin
  • Smart contract vulnerabilities: The most interesting transactions on the Ethereum blockchain by Sarah Friend and Jon Maurelian
  • Not the Droid You’re Looking For: Evading Vulnerability Exploitation Through Secure Android Development by Kristina Balaam
  • Cell Site Simulators From the Ground Up by Yomna Nasser
  • Exploits in Wetware by Robert Sell (Creep)
  • Data Breaches: Barbarians in the Throne Room by Dave “gattaca” Lewis
  • Surprise Supplies! by Paul Rascagnères and Warren Mercer
  • Prototype pollution attacks in NodeJS applications by Olivier Arteau
  • What are containers exactly and can they be trusted? by Stéphane Graber
  • Only an Electron away from code execution by Silvia Väli
  • The Blackbear project by Marc-André Labonté
  • From Hacking Team to Hacked Team to…? by Filip Kafka
  • Video game hacks, cheats, and glitches by Ron Bowes
  • Tightening the Net in Iran by Mahsa Alimardani
  • Brain Implants & Mind Reading by Melanie Segado
  • One Step Before Game Hackers – Instrumenting Android Emulators by Wan Mengyuan (Nevermoe)
  • Homeward Bound: Scanning Private IP Space with DNS Rebinding by Danny Cooper and Allan Wirth
  • Getting ahead of the elliptic curve by Martijn Grooten
  • Source code vulnerability research and browser exploitation by Jean-Marc Leblanc
  • Python and Machine Learning: How to use algorithms to create yara rules with a malware zoo for hunting by Sebastien Larinier (sebdraven)

Workshops

  • Hacking APIs and the MEAN Stack with OWASP DevSlop by Nicole Becher and Tanya Janca
  • A Gentle Introduction to Fuzzing by Israël Hallé and Jean-Marc Leblanc
  • Wi-Fi Security by Mark El-Khoury
  • Incident Response in the Age of Threat Intelligence with MISP, TheHive & Cortex by Raphaël Vinot and Saâd Kadhi
  • Botnet Tracking and Data Analysis Using Open-Source Tools by Masarah Paquet-Clouston and Olivier Bilodeau
  • Capture-The-Flag 101 by Olivier Bilodeau, Laurent Desaulniers and Charles Hamilton
  • IoT Firmware Exploitation by Aaron Guzman
  • Hands-on Modern Access Control Bypassing by Vikram Salunke
  • Orange is the new Hack - Introduction to Machine Learning with Orange by Philippe Arteau

Event Photos

Photos

2017

In 2017 we introduced a track of workshops running along the conference.

NorthSec gathered around 600 infosec professionals, students and enthusiasts that year.

Competition

The theme was Rao’s Rigged Elections.

Top 3 were:

Conference

Talk Videos

Talks

  • KEYNOTE: Playing Through the Pain: The Impact of Dark Knowledge and Secrets on Security and Intelligence Professionals by Richard Thieme
  • Hack Microsoft Using Microsoft Signed Binaries by Pierre-Alexandre Braeken
  • Attacking Linux/Moose Unraveled an Ego Market by Masarah Paquet-Clouston & Olivier Bilodeau
  • BearSSL: SSL For all Things by Thomas Pornin
  • Hacking POS PoS Systems by Jackson Thuraisamy & Jason Tran
  • Backslash Powered Scanning: Implementing Human Intuition by James Kettle
  • Don’t Kill My Cat by Charles F. Hamilton
  • Stupid RedTeamer Tricks by Laurent Desaulniers
  • Murder Mystery – How Vulnerability Intelligence is Poisoning your Information Security Program by Gordon MacKay

Workshops

  • Introduction to Assembly Language and Shellcoding by Charles F. Hamilton & Peter Heppenstall
  • Automating Detection, Investigation and Mitigation with LimaCharlie by Maxime Lamothe-Brassard
  • Script Engine Hacking For Fun And Profit by Jean-Marc Le Blanc & Israël Hallé
  • Cracking Custom Encryption – An Intuitive Approach to Uncovering Malware’s Protected Data by Pavel Asinovsky & Magal Baz

Event Photos

Photos

2016

In 2016 we introduced training sessions before the conference growing NorthSec into a whole week event. The NorthSec security festival was born. We also gave a badge to every conference and competition attendee.

In 2016, NorthSec gathered around 500 infosec professionals, students and enthusiasts.

Competition

The theme was the leaks around Marcus Madison’s Bakery.

Top 3 were:

Conference

Talk Videos

Talks

  • KEYNOTE: How Anonymous (narrowly) Evaded the Cyberterrorism Rhetorical Machine by Gabriella Coleman
  • The New Wave of Deserialization Bugs by Philippe Arteau
  • Applying DevOps Principles for Better Malware Analysis by Olivier Bilodeau & Hugo Genesse
  • Practical Uses of Program Analysis: Automatic Exploit Generation by Sophia D’Antoine
  • CANtact: An Open Tool for Automotive Exploitation by Eric Evenchick
  • Bypassing Application Whitelisting in Critical Infrastructures by René Freingruber
  • Inter-VM Data Exfiltration: The Art of Cache Timing Covert Channel on x86 Multi-Core by Etienne Martineau
  • Analysis of High-level Intermediate Representation in a Distributed Environment for Large Scale Malware Processing by Eugene Rodionov & Alexander Matrosov
  • Real Solutions From Real Incidents: Save Money and Your Job! by Guillaume Ross & Jordan Rogers
  • Security Problems of an Eleven Year Old and How to Solve Them by Jake Sethi-Reiner
  • Android – Practical Introduction into the (In)Security by Miroslav Stampar
  • Hide Yo’ Kids: Hacking Your Family’s Connected Things by Mark Stanislav
  • Law, Metaphor and the Encrypted Machine by Lex Gill
  • Stupid Pentester Tricks by Laurent Desaulniers
  • Not Safe For Organizing: The state of targeted attacks against civil society by Masashi Crete-Nishihata & John Scott-Railton

Event Photos

Photos

2015

In 2015 we added a two-day conference to the event and gave a hardware badge per CTF team.

NorthSec gathered around 400 infosec professionals, students and enthusiasts that year.

Competition

The theme was the revolution against Rao’s intricate Kingdom.

Top 3:

Conference

Talk Videos

Talks

  • KEYNOTE: Privacy, Surveillance & Oversight by Chris Prince - Office of the Privacy Commissioner of Canada
  • Breaking PRNGs: A predictable talk on Pseudo Random Number Generators by Philippe Arteau
  • 2 years of Montréhack: the local CTF training initiative by Olivier Bilodeau
  • The Sednit Group: “Cyber” Espionage in Eastern Europe by Joan Calvet
  • CHEKS, Complexity Science in Encryption Key Management by Jean-François Cloutier & François Gagnon
  • Hopping on the CAN Bus by Eric Evenchick
  • EMET 5.2 - armor or curtain? by René Freingruber
  • Bitcoin: Putting the “pseudo” back in pseudonymous by Mathieu Lavoie
  • DDoS: Barbarians At The Gate by Dave Lewis
  • TextSecure: Present and Future by Trevor Perrin
  • The Uroburos case: analysis of the tools used by this actor by Paul Rascagnères
  • Object Oriented Code RE with HexraysCodeXplorer by Eugene Rodionov
  • CTF or WTF? by Guillaume Ross
  • Threat Modeling for the Gaming Industry by Robert Wood
  • Why You Should (But Don’t) Care About Mainframe Security by Phil “Soldier of Fortran” Young

Flash Talks

  • Philippe Arteau: Rosetta Flash And Why Flash Is Still Vulnerable…
  • Joan Calvet & Paul Rascagnères: Totally Spies!
  • Guillaume Ross: iOS App Analytics And Your Privacy

Event Photos

Photos

2014

In 2014, NorthSec gathered around 300 infosec professionals, students and enthusiasts.

Competition

The theme was the Associated Nation Organization (ANO)

Top 3:

Promo Video

Event Photos

Photos

2013

For the first year of NorthSec, we were hosted at ÉTS University in Montreal

NorthSec gathered around 150 infosec professionals, students and enthusiasts that year.

Competition

The theme was Onionotar, a parody of a Certificate Authority

Top 3:

Fan Video

Event Photos

Photos

HackUS

NorthSec is the spiritual child of the HackUS competition hosted at Université de Sherbrooke in 2010 and 2011. The first Hacker Jeopardy — in the format you are familiar with at NorthSec — happened at HackUS in 2011 from a desire to have a break and a social event during the CTF.