DefenseCybersecurityGovTech

SecTor 2025 | 5 Years of Attack Surface Analysis in Canada

Black Hat
Black HatMay 22, 2026

Why It Matters

The findings reveal systemic, low‑effort vulnerabilities across Canada’s public sector, highlighting an urgent need for coordinated inventory, patching, and community‑driven monitoring to protect critical services from exploitation.

Key Takeaways

  • Canadian government attack surfaces grew to 60,000 subdomains by 2025.
  • Outdated TLS and misconfigurations remain prevalent across provinces.
  • Simple Google searches uncovered exploitable admin portals in multiple cities.
  • Quebec's remediation efforts reduced vulnerabilities after 2019 exposure.
  • Community-driven scans and Discord hub foster collaborative cyber‑security improvements.

Summary

The SecTor 2025 session highlighted five years of systematic attack‑surface mapping across Canada, led by Patrick and his team at ACFES. Using open‑source tools and a volunteer Discord community, they scanned federal, provincial and municipal domains, cataloguing roughly 60,000 subdomains, thousands of IPs and hundreds of misconfigurations. Key findings show that basic security hygiene—TLS versioning, patching, and proper inventory—remains alarmingly weak. Outdated TLS 1.1/SSL 3.0, exposed FTP services, and default credentials were discovered in both Quebec’s legacy sites and newer federal portals. Simple Google queries uncovered admin panels that granted full control of city services within hours. The presenters cited vivid examples: a 2008‑era login page that accepted any password, a publicly disclosed SQL injection on the Quebec election site, and a domain‑takeover scenario where abandoned DNS records let attackers hijack official pages. Even a mis‑configured Azure AD endpoint leaked user‑enumeration data, underscoring how low‑skill attacks can compromise critical infrastructure. The takeaway for policymakers and security teams is clear: without a comprehensive asset inventory and regular automated scanning, even low‑complexity flaws can expose sensitive services. Community‑driven initiatives like ACFES’s Discord provide a scalable model for continuous monitoring and rapid remediation, urging governments to prioritize baseline hardening before pursuing advanced defenses.

Original Description

Since 2019, the Hackfest community has led an ongoing initiative to analyze the public-facing attack surface of provincial governments in Quebec and Ontario, as well as federal and municipal systems. The objective: to objectively measure and report on the cybersecurity posture of our governments.
In this session, we will present the findings of our fourth large-scale assessment and offer a candid discussion on the current state of government cybersecurity in Canada. Our analysis includes attack surface metrics, exposed legacy systems, insecure web applications, and the accessibility of critical infrastructure from the public internet.
We will highlight basic security failures such as thousands of misconfigured HTTPS sites, 20-year-old legacy systems still in use, websites vulnerable to fundamental attacks like XSS and SQL injection, and more. These findings paint a clear picture: cybersecurity remains a low priority in the protection of citizens' data and critical infrastructures across multiple levels of government.
Join us for an evidence-based dive into what the data reveals — and where we must go from here.
By:
Patrick Roy | Information Security Advisor, CISSP,
Patrick Mathieu | Owner, Hackfest.ca & Product Security Leader, Hackfest
Capt(ret) Steve Waterhouse | CEO and Founder, INFOSECSW

Comments

Want to join the conversation?

Loading comments...