Agenda

8/28 Day 1 Agenda

08:30

Registration & Breakfast

09:30
R0 Conference Hall
R1 Conference Room 1
R2 Conference Room 2

Opening remarks from the General Coordinator
Speaker introductions, booth activities, sponsor introductions, event introductions

Allen (HITCON General Coordinator)
09:50
R0 Conference Hall
R1 Conference Room 1
R2 Conference Room 2

Opening Keynote: Why are our tools so terrible?

Geohot
10:40

Break

10:50

Tools for discovering Flash Player 0-day attacks in the wild from big data

Peter Pi

Backdooring MS Office documents with secret master keys

Yoshinori Takesako / Shigeo Mitsunari

Inside Flash: Flash Exploit Detection Uncovered

Ga1ois / Bo Qu

SQL Injection & Cross-site Scripting

NISRA
11:40

Break

11:50
12:40

Lunch

13:50
R0 Conference Hall
R1 Conference Room 1
R2 Conference Room 2

Keynote: Attacking our product by grayhats

陳鴻嘉
14:40

Break

14:50

Epic Tricks in Web Hacking

Orange Tsai

I Know Where You Are: Location Privacy Tracking via LBSN Apps

Shuang Zhao / Xiapu Luo

My Journey Through the Game Cheat Community: Techniques, Insights and Advice

Inndy

Web Front-End Attacks and Defenses

HST
15:40

Break

16:10

Hacking mobile network via SS7: interception, shadowing and more

Dmitry Kurbatov / Vladimir Kropotov

iOS Userspace Security

Proteas (王緯)

CTF For Beginner

Wei-Bo Chen

Cheating the IDA Pro Hex-Rays Decompiler: Showing Reverse Engineers a Completely Different Result

TDOHacker
17:00

Closing

17:30

Agenda

8/29 Day 2 Agenda

08:30

Registration & Breakfast

09:20
R0 Conference Hall
R1 Conference Room 1
R2 Conference Room 2

Keynote: New Mindset for Malware Battlefield: Bytecode Analysis and Physical Machine-based for Android

Benson Wu / TonTon / Billy Chen
10:10

Break

10:20
11:10

Break

11:20
12:10

Lunch

13:20
R0 Conference Hall
R1 Conference Room 1
R2 Conference Room 2

HITCON Project presentations + Oddball Award (奇葩獎) ceremony

HITCON organizing team
14:10

Break

14:20
15:10

Coffee Break

15:40

Lightning Talks

HITCON organizing team

Microsoft Edge MemGC Internals

Henry Li

Let's Play Hide and Seek In the Cloud - The APT Malware Favored in Cloud Services

沈祈恩 (Ashley Shen) / 賴婕芳 (Belinda Lai)

(none) /dev/null
16:30

Closing / Highlights and Looking Ahead to HITCON 2015

17:20
R0
R1
R2
Keynote: Why are our tools so terrible?
Geohot
US

George previously worked for SpaceX, Google and Facebook. He was the first person to unlock the iPhone, and discovered a way to access the PS3 hypervisor by shorting a memory chip to ground. Recently he won Google's Pwnium competition by achieving persistent root on the Chromebook, and has been part of the winning team at DEFCON for two years running. In his spare time George raps and plays capture-the-flag competitions under the name tomcr00se.


Having won 2 Pwn2Owns and a couple of CTFs, I stopped hacking partially because of frustration with the tools. Why are we still using GDB? Why is IDA the gold standard for static analysis, when really it's objdump with a few graphs? Even Hex-Rays: why is C the best way to view a program? I'll talk about my adventures with Project Zero, and my attempt to start addressing this problem with QIRA. And I'll suggest directions for future development, in hopes that future generations will have a more pleasant binary exploitation experience.

R0
Discover Flash Player Zero-day attacks in the wild from big data
Peter Pi
CN
TrendMicro


Personal Profile

  • Name: Peter Pi
  • Email: tiangangpi@gmail.com
  • Twitter: @heisecode
  • Weibo: @heisecode
  • Blog: http://blog.trendmicro.com/trendlabs-security-intelligence/author/peterpi/

Education Background

Master's degree from Southeast University, majoring in Information and Communication Engineering.

Work

I work at Trend Micro in Nanjing, China. I have been engaged in research and development on APT offense and defense for about three years. I am interested in vulnerability hunting and exploit development.


2015 is the year of Flash. Attackers mostly use Flash Player vulnerabilities to attack PC users; the zero-day attacks found in 2015 are almost all Flash Player vulnerabilities, and in 2015 exploit kits are all armed with Flash 0-days and newly patched n-days to do their damage.

On our Hadoop cluster there are millions of suspicious Flash samples from our sourcing channels, with thousands newly added every day. We want to actively discover Flash 0-day attacks and newly patched n-day attacks in the wild from this large sample set, so I needed a well-performing, low-false-alert automated method to process it.

In this presentation I will introduce the method I used to discover zero-day attacks and the tools I developed to help process the large sample set.

R1
Backdooring MS Office documents with secret master keys
Yoshinori Takesako & Shigeo Mitsunari
JP
SECCON


Yoshinori Takesako (chair of SECCON)

Twitter: @takesako

Yoshinori Takesako is the executive committee chairperson, organizer and challenge creator of the SECCON CTF contests in Japan. He is also on the OWASP Japan advisory board and the review board of the CODE BLUE conference, and leads the Shibuya Perl Mongers group. He received the Microsoft MVP award for Developer Security in 2008. He has presented at security conferences such as HITCON 2011 ("Disassembling Flash Lite 3.0 SWF Files") and OWASP AppSec APAC 2014 ("Secure escaping method for the age of HTML5"), and has published books and papers including "Reading ECMA-262 Edition 5.1" and "How to Execute Arbitrary Code on x86 JIT Compilers".

Shigeo Mitsunari (Cybozu Labs)

Twitter: @herumi

Shigeo Mitsunari is a software developer and researcher interested in pairing-based cryptography and its implementation. He develops the x86/x64 JIT assembler Xbyak and a very fast C++ pairing library, both open-source projects. He received the MITOH Super Creator award from IPA in 2003, the Chairman's Award of the Information Promotion Consortium in 2005, the best paper award of IEICE in 2010, and the Microsoft MVP award for Developer Security in 2015.


Microsoft Office 2010 and later versions employ Agile Encryption algorithm in their documents. Unlike previous versions, the password is hashed numerous times so that it cannot be easily reversed back to plaintext. Moreover, the encryption algorithms utilized and the number of hash iterations are flexible and are constantly improved over time. However, there is a vulnerability in the file format specification that can allow an attacker to later decrypt strongly encrypted documents without the password as long as the attacker has access to the originating MS Office program. This is possible by tricking MS Office into creating a nearly undetectable master key when it creates encrypted documents. I will explain how to install this master key for decryption by using a crafted backdoor program. In this talk, I will explain and demo how to backdoor MS Office to create predictable master keys in AES encrypted documents.
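As an added illustration of the mechanism the abstract describes (example code written for this page, not the speakers' tool and not the real MS-OFFCRYPTO implementation), here is a toy model of an Agile-encryption-style document. The password is stretched through a salted, iterated SHA-512 with a spin count; the resulting password key wraps a randomly generated intermediate key, and that intermediate key encrypts the package. A backdoored key generator replaces the random intermediate key with HMAC(master_key, salt): the document still opens with the password, looks no different to anyone without the master key, and opens without the password for whoever holds it. The spin count, the block-key constant, the HMAC construction and the XOR stream cipher standing in for AES-CBC are assumptions of this toy, not the format's actual values.

```python
import hashlib
import hmac
import os
import struct

# Toy parameters (assumptions for this illustration, not the format's real values).
SPIN_COUNT = 100_000          # number of hash iterations applied to the password
KEY_LEN = 32                  # bytes of key material used by the toy cipher
BLOCK_KEY = b"\x14\x6e\x0b\xe7\xab\xac\xd0\xd6"   # fixed block-key constant used when wrapping the intermediate key

# Constructed secret held only by whoever planted the backdoor.
MASTER_KEY = b"constructed-master-key-for-demo"


def derive_password_key(password: str, salt: bytes, block_key: bytes, spin_count: int = SPIN_COUNT) -> bytes:
    """Agile-style password stretching: salted SHA-512, iterated spin_count times with a
    little-endian counter prepended, then mixed with a block key to select the final key."""
    h = hashlib.sha512(salt + password.encode("utf-16-le")).digest()
    for i in range(spin_count):
        h = hashlib.sha512(struct.pack("<I", i) + h).digest()
    return hashlib.sha512(h + block_key).digest()[:KEY_LEN]


def toy_cipher(key: bytes, iv: bytes, data: bytes) -> bytes:
    """XOR keystream built from SHA-256(key || iv || counter). Stands in for AES-CBC so the
    example runs on the standard library; symmetric, so it both encrypts and decrypts."""
    out = bytearray()
    for n, start in enumerate(range(0, len(data), 32)):
        ks = hashlib.sha256(key + iv + struct.pack("<I", n)).digest()
        out.extend(a ^ b for a, b in zip(data[start:start + 32], ks))
    return bytes(out)


def honest_keygen(salt: bytes) -> bytes:
    """What the application should do: a fresh random intermediate key per document."""
    return os.urandom(KEY_LEN)


def backdoored_keygen(salt: bytes) -> bytes:
    """The backdoor: the intermediate key is a deterministic function of the public salt and
    the planted MASTER_KEY. It is indistinguishable from random without MASTER_KEY."""
    return hmac.new(MASTER_KEY, salt, hashlib.sha256).digest()[:KEY_LEN]


def encrypt_document(plaintext: bytes, password: str, keygen) -> dict:
    """Produce the pieces an encrypted document carries: the salt (public), the intermediate key
    wrapped under the password-derived key, and the package encrypted under the intermediate key."""
    salt = os.urandom(16)
    intermediate_key = keygen(salt)
    pw_key = derive_password_key(password, salt, BLOCK_KEY)
    return {
        "salt": salt,
        "encryptedKeyValue": toy_cipher(pw_key, salt, intermediate_key),
        "package": toy_cipher(intermediate_key, salt, plaintext),
    }


def decrypt_with_password(doc: dict, password: str) -> bytes:
    """The legitimate path: unwrap the intermediate key with the password, then the package."""
    pw_key = derive_password_key(password, doc["salt"], BLOCK_KEY)
    intermediate_key = toy_cipher(pw_key, doc["salt"], doc["encryptedKeyValue"])
    return toy_cipher(intermediate_key, doc["salt"], doc["package"])


def decrypt_with_master_key(doc: dict, master_key: bytes) -> bytes:
    """The attacker's path: no password, only the public salt and the planted master key."""
    intermediate_key = hmac.new(master_key, doc["salt"], hashlib.sha256).digest()[:KEY_LEN]
    return toy_cipher(intermediate_key, doc["salt"], doc["package"])


if __name__ == "__main__":
    secret = b"Q3 figures: constructed sample document body"
    doc = encrypt_document(secret, "correct horse battery staple", backdoored_keygen)
    print(decrypt_with_password(doc, "correct horse battery staple") == secret)   # True
    print(decrypt_with_master_key(doc, MASTER_KEY) == secret)                    # True: no password needed
    honest = encrypt_document(secret, "correct horse battery staple", honest_keygen)
    print(decrypt_with_master_key(honest, MASTER_KEY) == secret)                 # False
```

The point for a defender is that nothing in the file distinguishes the honest from the backdoored document: the salt is random either way and the wrapped key looks random either way, so the password stretching is doing its job while the secrecy rests entirely on the integrity of the program that chose the intermediate key.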

R2
Inside Flash: Flash Exploit Detection Uncovered
Ga1ois / Bo Qu
CN
Palo Alto Networks


Ga1ois

Ga1ois is a security researcher at Palo Alto Networks, working on anti-APT and research. Before joining Palo Alto Networks, Ga1ois was a security researcher at NSFocus Security Lab, working on vulnerability analysis, discovery and exploitation. He now focuses on the security of browsers, Flash and sandboxes. He has also spoken at CanSecWest and POC.

Bo Qu

Bo Qu is a security researcher at Palo Alto Networks, working on anti-APT and research. Before joining Palo Alto Networks, Bo Qu wrote several remote forensics tools for Linux, Windows, iOS/OS X, Android and MIPS-based devices while pursuing his Ph.D. He has also discovered 100+ vulnerabilities, including in RPC, IIS, Windows, Office, Adobe Reader, Flash and Internet Explorer.


In our talk we will dissect and disclose some undocumented and uncovered internals of Flash for detecting Flash exploits. There are 3 parts:

  • Identify (possible) exploits: find vectors in loops using static detection
  • Stop exploits: a lightweight page heap for FixedMalloc in Flash
  • Distinguish real exploits: find *bad* vectors, especially when *bad* vector operations are JIT-ed
R4
SQL Injection & Cross-site Scripting
NISRA
TW
NISRA

NISRA, the Network and Information Security Research Association

We were founded in 2007 as a study group centred on network and information security. From a reading group at the start to a group with a fixed core today, it has run entirely on the voluntary contributions of its core members. Self-directed learning, passing knowledge from one generation to the next, and teamwork are our enduring traditions and our guiding spirit.

Rooted in the Department of Computer Science and Information Engineering at Fu Jen Catholic University, we start from sound security concepts and hope to bring information security to everyone willing to put in the effort to learn. Promoting concepts and improving skills matter equally to us; we encourage students everywhere to get close to security, and welcome like-minded people to exchange ideas and learn with us!

SQL Injection and Cross-site Scripting are two vulnerabilities that arise from incomplete web development. They target different things, yet both use deliberately crafted input data to make the system produce unexpected, harmful behaviour. The technique sounds simple, but how do the two actually work in practice, and what are the differences between them?
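As an added example for the distinction the abstract asks about (written for this page, not NISRA's material), here is the same kind of untrusted input handled two ways. In the SQL injection case the input is concatenated into a query, so the database executes it; in the XSS case the input is concatenated into HTML, so the victim's browser executes it. The user table and the payloads are constructed for the demo; the fixes are the standard ones, parameterized queries on the server and output escaping for the page.

```python
import html
import sqlite3

# Constructed user table for the demo.
USERS = [("alice", "s3cret", 1), ("bob", "hunter2", 0)]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT, is_admin INTEGER)")
    conn.executemany("INSERT INTO users (name, password, is_admin) VALUES (?, ?, ?)", USERS)
    return conn


def login_vulnerable(conn, name: str, password: str):
    """SQL injection: the input is spliced into the query text, so a quote and '--' in it
    become part of the SQL the database runs. Returns the matched user name or None."""
    query = f"SELECT name FROM users WHERE name = '{name}' AND password = '{password}'"
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, name: str, password: str):
    """Parameterized query: the driver passes the input as data, never as SQL text."""
    query = "SELECT name FROM users WHERE name = ? AND password = ?"
    row = conn.execute(query, (name, password)).fetchone()
    return row[0] if row else None


def greet_vulnerable(name: str) -> str:
    """Reflected XSS: the input is spliced into HTML, so tags in it run in the victim's browser."""
    return f"<p>Hello, {name}!</p>"


def greet_safe(name: str) -> str:
    """Output escaping: <, >, &, and quotes become entities, so the browser renders them as text."""
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


SQLI_PAYLOAD = "' OR 1=1 --"                       # closes the string, adds a true condition, comments out the rest
XSS_PAYLOAD = "<script>alert(document.cookie)</script>"


if __name__ == "__main__":
    conn = make_db()
    print(login_vulnerable(conn, SQLI_PAYLOAD, "anything"))   # alice: logged in without a password
    print(login_safe(conn, SQLI_PAYLOAD, "anything"))         # None
    print(greet_vulnerable(XSS_PAYLOAD))                      # script tag delivered intact to the browser
    print(greet_safe(XSS_PAYLOAD))                            # &lt;script&gt;... rendered as text
```

The two bugs are the same mistake in different interpreters: untrusted bytes crossing into a language (SQL, HTML) without being marked as data. That is why the fixes differ: the database driver can keep data and query separate (parameters), while HTML has no such channel, so the data must be encoded for the context it lands in.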


R0
What Google knows about you and your devices, and how to get it
Vladimir Katalov
RU
ElcomSoft Co.Ltd.


Vladimir Katalov is CEO, co-founder and co-owner of ElcomSoft Co. Ltd. Born in 1969, he grew up in Moscow, Russia, and studied Applied Mathematics at the Moscow Engineering Physics Institute (now National Research Nuclear University). Vladimir has worked at ElcomSoft from the very beginning (1990) to the present day and now manages all technical research and product development in the company. He regularly presents at various events and regularly runs security and computer forensics trainings for both foreign and domestic (Russian) computer investigative committees and other law enforcement organizations.


Google has become one of the most important sources of information, as it aggregates everything about users' online and offline activities, analyses it and gives recommendations. Location and browsing history, credit card data, purchases, connected devices and applications, contacts and calendars, notes and mails, photo albums, synced passwords and web form data, Hangouts chats and much more: all that data is stored in multiple places, accessible via protocols that require authentication. You'll learn how to authenticate to Google servers without using a browser (though credentials are still required), and how to get all this information without leaving traces.

R1
Android AIDS: Automatic Intelligence De-advertisement Scheme in CSharproid
馬聖豪
TW

Sheng Hao Ma (Adr)

Intern at CHROOT, core member of The Declaration of Hacker (TDOH), and currently a freshman in Computer Science at I-Shou University.

He often shares fun facts and general knowledge about information security at schools and in industry, and helps beginners set foot in the field. He is proficient in C & C++, MASM, C#, VB.NET and others, and specializes in MASM x86 reverse analysis on Windows, digital forensics, and reverse analysis of apps built on the various Android engines.

Blog: http://helloadr.blogspot.tw/

Today it is a common business model for web services to carry advertisements so that developers and vendors profit from them. The most direct channel for advertising is the web page displayed on a personal computer: the blog you are reading, a Google search page, YouTube, all show a dazzling array of ads that degrade the user's experience, which is why ad-blocking extensions such as AdBlock and Clearly came into existence.

In an era where everyone carries a phone, mobile advertising (ads on mobile devices) is a pie no vendor can give up. On a smartphone, ad blockers such as AdBlock and AdAway must obtain ROOT on the phone before they can block ads; but security experts keep warning us not to hand ROOT to apps carelessly, or we open the gates to hackers and invite all kinds of potential malware and security problems. Is losing the phone's basic security worth it just to remove ads?

This talk examines the Android system architecture, manual reverse engineering and the characteristic patterns of ProGuard obfuscation, and then implements in C# a fully automatic reverse-engineering and cracking tool that takes an APK and directly produces an ad-free version of it, so the phone gets a secure, ad-free experience without ROOT. Seen from the other side, the talk is also a reminder that engineers who monetize with off-the-shelf advertising APIs should protect their own app's security at every level.

R2
Trojan Horse: The Vulnerabilities You Introduced Without Noticing Over the Years
Flanker
CN
Keen Team

Flanker graduated from Zhejiang University. While still in school he was already a CTF enthusiast and became one of the early members of blue-lotus, competing with the team at DEFCON 21 CTF. Flanker now works at Keen Team, focusing on mobile security and program analysis; he is devoted to discovering vulnerabilities on mobile platforms and applying program analysis theory and methods to that work. He has reported vulnerabilities to Google Android, Twitter, Tencent, Alibaba and other companies and organizations and has been acknowledged for them.

This has become the era of developers, with all kinds of SDKs offering great convenience to mobile application developers. But while taking the shortcut, have you thought about the problems within the SDKs themselves? This talk goes through all sorts of problems in SDKs on Android and iOS from Google, Apache, Alibaba, Tencent and others: information leaks, improper encryption and decryption, sandbox escapes, code execution and more. It also discloses original 0-days in widely used SDKs from Alibaba and Tencent with analysis details, discusses how to detect and defend against this class of problem, and shares experience from analyzing such issues and from writing and using the related tools.

R4
Malware Analysis and Reverse Engineering
HITCON GIRLS
TW
HITCON GIRLS

HITCON GIRLS is a women-centred event. It lets women in the IT community form a security team in which members share, discuss and help one another, and through it we hope to encourage and bring in more women to learn information security. We want there to be a channel for women to learn security, and an environment in which everyone learns from and exchanges ideas with each other.

HITCON GIRLS is an initiative launched by the HITCON GIRLS team to promote information security. It is a talent-development course series, organized by a group of women with passion and interest in information security, and is one of the events supported by the Hacks in Taiwan Conference (HITCON). Its aim is to make it easier for girls interested in information security to learn the basics and the practical skills through these training courses.


We are the Malware Analysis group of HITCON GIRLS. This session covers what malware is and studies its behaviour: why a given behaviour counts as malicious, and what it affects. Different behaviours map to different analysis tools and ways of thinking, and the sprawl of results is often what drives beginners away, so we hope to introduce the subject in simple terms and, through a step-by-step programme, encourage anyone interested in malware to join in and discuss the mindset and skills that analysis requires.

A brief look at malware

  • What do we usually mean by malware?
  • What behaviour makes a program malicious?
  • From which angles do we analyze malware?
  • Discussion by angle (Registry, Process, Network)
  • Analyzing each angle with tools
  • Cross-checking against a sandbox
  • Writing a piece of malware ourselves

Analysis of recent high-profile real-world cases

Reverse engineering

  • Machine code and assembly language
  • Basic concepts of assembly language
  • Introduction to reverse engineering
  • Dynamic analysis vs. static analysis
  • Trying both kinds of analysis on the malware we wrote ourselves
  • Summary: what you will be able to do after this talk


    R0
    R1
    R2
    Attacking our product by grayhats
    陳鴻嘉
    TW
    韓商聯加股份有限公司台灣分公司

    The speaker holds BS and MS degrees in Information Management from National Central University. He joined LINE Taiwan in October 2014 and is currently the CTO, responsible for building up a product development team in Taiwan while also supporting the headquarters' development plans. Previously he worked for Yahoo! Taiwan, where he was successively in charge of search, social and e-commerce services. He is the mastermind behind the design and development of Yahoo! Zhi-shi-jia ("Knowledge+"), and helped create the first generation of Yahoo! Answers worldwide. At Yahoo! he also led the development team of Wretch (a domestic SNS) and the blog services in other Asian countries, and led the development team of Yahoo! Chao-ji-shang-cheng ("Super Mall") in the e-commerce department. Over the past six months at LINE, apart from recruiting talent nonstop, he has helped headquarters build LINE MART, the first localized e-commerce application, and helped resolve issues that arose during the localization of LINE.


    R0
    Epic Tricks in Web Hacking
    Cheng-Da Tsai a.k.a Orange
    TW
    DEVCORE

    Cheng-Da Tsai a.k.a Orange

    • Member of CHROOT and HITCON
    • Speaker at domestic and international conferences including HITCON, AVTOKYO and WOOYUN
    • Champion of hacking competitions at home and abroad
    • Has disclosed 0-day vulnerabilities in Microsoft IE, Django, Yahoo and others
    • Specializes in hacking techniques, web security and network penetration

    http://blog.orange.tw/

    With so many web technologies around, there are just as many attack methods, with plenty of know-how and combination techniques that are hard to defend against. Among them, vulnerabilities that arise from the "features" (quirks) of a technology are the easiest to overlook. This talk demonstrates some of the more interesting quirks and neglected techniques from real-world engagements. In short, treat this talk as an advanced Web Security session!

    R1
    I Know Where You Are: Location Privacy Tracking via LBSN Apps
    Shuang Zhao & Xiapu Luo
    CN

    Shuang Zhao (DFlower) is a member of the Insight-Labs team. He has many years of security research experience, covering vulnerability discovery, malware detection and mobile security, among others. He led the development of automated malware analysis sandboxes for Windows and Android, is a co-author of the book "0day Security: The Techniques of Software Vulnerability Analysis (2nd Edition)", and spoke at XCon 2011 and OWASP China 2010.

    Copresenter Xiapu Luo is a research assistant professor in the Department of Computing, the Hong Kong Polytechnic University. He has been working on information security for more than 10 years and published a number of papers in top security conferences. His current research interests include Android security and privacy, Network and System Security, Internet Measurement, and Mobile Networks.

    Many LBSN (Location-based Social Network) apps, including WeChat, Sina Weibo and SayHi, offer a "Nearby" feature that users can use to find strangers or fresh news nearby and make friends. However, while searching for people around them, users also expose their own location to others. This talk examines the security of several popular LBSN apps and shows how hackers can exploit their location-leak flaws to collect and track the location of any user without leaving home. We close with a real-world experiment of tracking all users in Beijing through a flaw in a popular LBSN app, show some interesting results, and build a Wall of Sheep of people whose location has leaked; some verified celebrities (singers, film stars, company CEOs) are even on it.

    R2
    My Journey Through the Game Cheat Community: Techniques, Insights and Advice
    Inndy
    TW
    TDOHacker

    Inndy is a youngster who set out on the road of no return into hacking and reversing in order to write a game hack of his own.

    In this talk I will share the story of how I started learning to program and write game hacks in my second year of junior high school, some of the techniques we used along the way, and the ecosystem and industry of the game cheat scene.

    R4
    Web Front-End Attacks and Defenses
    HST
    TW
    HST

    Hack.Stuff is a security community dedicated to building a good atmosphere for discussion.

    We learn on our own, take part in the major CTFs, and follow information security. We have no age limit and no boundaries between fields. Our aim is that nobody is lonely in their learning, nobody goes astray, and nobody is held back!

    Since last year we have made some changes. Externally, we hold technical sharing sessions and invite friends interested in learning security together to share with everyone. Internally, a weekly meetup is where you can share your recent progress, research new techniques and bond with the team, and we have held several hackathons to raise the technical skills of all members.

    In the future, we hope you will join us so the security community can grow and learn together.


    Web front-end attacks and defenses

    Front-end attacks are an interesting hacking technique: they attack the user by setting traps. This talk introduces the technique in a playful way.

    It covers the popular XSS attack and other front-end attack methods, starting from the most basic and simple web front-end technology and building up to security research topics. It will not go into very deep technical content; the hope is that beginners understand it on first hearing, and come to see that our big HST family is a happy learning community that keeps improving its security skills.


    R0
    Hacking mobile network via SS7: interception, shadowing and more
    Dmitry Kurbatov / Vladimir Kropotov
    RU
    Positive Technologies


    Dmitry Kurbatov

    • Expert of Telecommunication Security Group
    • Positive Technologies
    • dkurbatov@ptsecurity.ru
    • kurbatov.dima@gmail.com
    • http://www.ptsecurity.com/
    • Russia, Moscow

    Brief: Dmitry Kurbatov graduated from Moscow State Institute of Radio Engineering, Electronics and Automation with a degree in Information Security of Telecommunication Systems. He has 7 years of experience in information security of corporate networks, business applications and telecommunication equipment. An expert at Positive Technologies and the Positive Research Center, he has participated in organizing all Positive Hack Days forums. Dmitry has published many articles on information security.

    Vladimir Kropotov

    • SOC lead
    • Positive Technologies
    • voffchik@gmail.com
    • http://www.ptsecurity.com/
    • Russia, Moscow

    Brief: His main interests lie in network traffic analysis, breaches detection, incident response, botnet investigations. He is a frequent speaker at a number of international conferences, including PHDays, ZeroNights, HITB, CARO, HITCON, G0Z, Hack.lu.


    Telecommunication networks are essential infrastructure in today's society. Both individuals and businesses depend on telecom operators to ensure reliable and protected communication, for traditional mobile services and increasingly for machine-to-machine (M2M) and Internet of Things (IoT) applications.

    Telecom companies are increasingly concerned with the vulnerabilities in the SS7 network. The SS7 telephony messaging protocols turn 30 this year, making them dinosaurs in a digital world, pre-dating mobile phones, digital switching and the world wide web. Yet there are more people using the SS7 network than the internet.

    We will consider the range of possibilities open to an intruder who has gained access to the holy of holies of telecom companies: SS7. The talk addresses attacks aimed at disclosure of a subscriber's sensitive data, including his or her location, DoS, and unauthorized intrusion into the communication channel. The research also covers ways to get access to SS7, types of protection against such attacks, and methods of investigating incidents related to vulnerabilities in a signaling network.

    Demo is available.

    Duration: 45-50 minutes

    Related topics: Mobile, New network attacks technologies, 3G/4G security, Protocol security/Exploitation, SS7 security.

    R1
    iOS Userspace Security
    Secure user/work space in the iOS environment
    Proteas (王緯)
    CN
    Qihoo 360 Nirvan Team

    Proteas of 360 Nirvan Team, from Beijing

    • iOS security research since 2012
    • 5 years of experience in iOS application development
    • Focuses on iOS & OS X security research at Qihoo 360
    • Topics: attack surface, vulnerability discovery and exploitation techniques, and deep fuzzing of iOS & OS X
    • Found userland and kernel vulnerabilities in iOS and was credited in the iOS 8.4.1 security advisory

    • Overview of iOS Security Features
    • Sandbox Permission Leaks
    • Application Security and Attack Surface
    • Script-based Attacks
    • How Script-based Attacks Are Carried Out
    • Defense Advice for Script-based Attacks
    R2
    CTF For Beginner
    Wei-Bo Chen
    TW
    bamboofox

    Wei-Bo Chen is a senior in the Department of Computer Science at National Chiao Tung University. In the first semester of his junior year he took the Secure Programming course, gained a basic understanding of information security and gradually stepped into the field, mainly through reverse engineering, analyzing how programs work. Through the course he met many people interested in security, joined bamboofox, and in his spare time competes in CTFs and studies security techniques with his teammates.

    Introduction to CTF competitions, my own experience, my learning process and the difficulties I ran into, and an introduction to tools and CTF techniques such as binary patching

    Introduction to bamboofox

    R4
    Cheating the IDA Pro Hex-Rays Decompiler: Showing Reverse Engineers a Completely Different Result
    TDOHacker
    TW
    TDOHacker

    At HITCON 2013 a group of students, discouraged and disappointed by the security learning environment in Taiwan while envying the good environments abroad, founded The Declaration of Hacker (TDOHacker) on the spot at the conference, for the development of Taiwan's security scene and for a better place to learn security: a student-centred security community. TDOHacker is dedicated to promoting security among students and on campuses. Besides monthly regional security meetups where attendees can exchange ideas, it has also held workshops, attack-and-defense lectures and security outreach talks at many schools. This year we also launched two projects, an open Wargame practice platform and an open learning-map platform, to give students more learning and practice resources.


    Among mainstream Windows reverse-engineering tools, OllyICE and IDA Pro are the best known, and because both have all kinds of powerful plugins they are indispensable to front-line malware analysts and CTF players alike. This talk looks at how much the IDA Pro decompiler relies on static information in the assembly, and how information that IDA Pro ignores can be used to deceive it, so that the C code the Hex-Rays decompiler derives from a piece of assembly gives a completely different result from what the code actually does when run. The trick can be used inside malware to make analysts believe the code is harmless, or in a CrackMe to mislead the analyst into recovering the wrong algorithm.


    R0
    R1
    R2
    New Mindset for Malware Battlefield: Bytecode Analysis and Physical Machine-based for Android
    Benson Wu & TonTon Huang
    TW
    Verint Systems (Taiwan)

    Benson Wu (吳明蔚) works at Verint as General Manager of Verint Taiwan. He received an MS in Computer Science from National Chiao Tung University in 2003 and a PhD in Electrical Engineering from National Taiwan University in 2008. In 2011 he co-founded Xecure Lab with Jeremy; that year he presented research on malware family classification and clustering at DEFCON in the US, and in 2013 he presented the Lstudio cyber-army back-end exposé at Black Hat. Xecure Lab was acquired in 2014 by the US-listed Israeli company Verint, and he continues to lead a 30-person team in Taiwan developing pioneering security products.

    Benson Wu

    Benson graduated from National Taiwan University with a PhD in Electrical Engineering and from National Chiao-Tung University with an MS in Computer Science. He holds ECSP, CEI and CSSLP certifications. Benson has given talks at Black Hat, DEFCON, OWASP, HITCON, AVTokyo and SyScan. He has also been the author of the Taiwanese government's security guidelines on Web Security, Cloud Security and Mobile Security since 2007.

    In the past ten years, Benson has served as a testing engineer at Network Benchmarking Lab (NBL); as a software engineer at the Institute for Information Industry (III); as an associate researcher at the National Information and Communication Security Taskforce (NICST); and as a postdoctoral researcher at Academia Sinica. In early 2011 he co-founded Xecure Lab with Jeremy Chiu, launching the world's first DNA-reversing detection engine for malware analysis and offering a suite of APT solutions. In early 2014 Xecure Lab was acquired by Verint Systems. Benson now leads the team at Verint Systems (Taiwan).

    TonTon Huang

    TonTon Huang is currently a Software Developer at Verint Systems (Taiwan) Ltd.; he is also a PhD candidate (IKM Lab) in the Department of Computer Science and Information Engineering at National Cheng Kung University (NCKU), Taiwan. He received his M.S. degree (OASE Lab) from the Department of Information and Learning Technology (ILT) at the National University of Tainan (NUTN), Taiwan, in 2008. He was also a visiting Ph.D. student under the research projects "2010 Initiative Research Cooperation among Top Universities between UK and Taiwan" and "2012 NSC-INRIA International Program - Associate Team (II)". In the past few years he was a project assistant researcher at the National Center for High-Performance Computing (NCHC), Taiwan, and a senior security engineer at Acer e-Enabling Data Center (Acer eDC).

    His current major research interests include Android reverse engineering, malware behavioural analysis, data mining, type-2 fuzzy logic and ontology applications. He was a speaker at HITCON X and BoT 2014, presenting the open source project "Malware Analysis Network in Taiwan (MAN in Taiwan, http://MiT.TWMAN.ORG)".


    A Hybrid Malware Probing System for Android Applications (APKProbe)

    Google's Android is the world's most prevalent mobile operating system, and as such has become a target for cyber criminals seeking to exploit it as an attack vector. Today the security community typically uses two approaches to analyze the security of an Android application: 1) static analysis of the Java source code obtained by decompiling the APK (Android application package); and/or 2) dynamic analysis of the running APK inside a virtualized environment. Unfortunately, these approaches are not always effective because of 1) the increasing number of obfuscators (which scramble the code into an unreadable form) and packers (which encrypt the code to resist decompilation), and 2) the anti-sandboxing techniques used by advanced malware to avoid being analyzed in a virtualized environment.

    In this talk, we present and demonstrate APKProbe, the first malware detection model (to our knowledge) tuned for analyzing Android applications, which combines semantic-based static analysis to overcome packers with physical machine-based dynamic analysis to circumvent anti-sandboxing techniques. Our proof-of-concept testing shows that such a hybrid approach yields acceptable results: a 78% detection rate with 11% false positives.

    Keywords: Android, Static Analysis, Dynamic Analysis

    R0
    Medical device security, critical infrastructure inside hospitals and abusing HL7 protocol
    Anirudh Duggal
    IN
    Philips Limited


    Anirudh works with Philips Healthcare as a senior software engineer on securing medical devices and healthcare solutions.

    He has been part of the Null community for the past 2 years and spoke at CoCon 2013. He won Nullcon Jailbreak 2013 and has found vulnerabilities in sites ranging from government to insurance and e-commerce. He also experiments with IoT devices for sustainable development and saving energy. He was a Microsoft Imagine Cup national finalist for embedded development under the sustainable development and ending extreme hunger and poverty themes.


    Security in hospitals and medical devices

    Over the years we have seen much improvement in cyber security across industries such as banking, entertainment and systems. The healthcare industry, however, still has far to go in understanding the risks to its infrastructure and the scope for improving its security policy.

    Researchers have pointed out that security in hospitals remains 5 years behind other industries. Some of the factors responsible for this include:

    • Being unaware of the risks
    • Non-availability of skilled personnel
    • Emerging new technologies and threat vectors

    The talk discusses the threats to a hospital architecture, the possible entry points and the impact of a breach. It also covers the devices used in healthcare and how they can be abused using the HL7 protocol.

    R1
    From Web Script Vulnerabilities to Remote Command Execution in Client Applications
    Gainover
    CN
    Yooyun

    Gainover is a core whitehat of WooYun and a member of the PKAV web security team. He has nearly 10 years of experience in JavaScript development and 5 years in web security research. His research mainly focuses on the security of web applications, mostly XSS but not limited to it. Domestic and international corporations including Tencent, Alibaba, Baidu, PayPal, eBay and Yahoo have acknowledged or rewarded his contribution in helping them discover vulnerabilities and other security issues. Gainover is also a basic biological science researcher; his research direction is the epigenetics of pollen development in rice (Oryza sativa). He has always considered web security a hobby, but now it has turned into his job.

    Some popular web script vulnerabilities, such as cross-site scripting (XSS), are usually used to steal victims' cookies and other sensitive information, but sometimes these seemingly low-impact web vulnerabilities can have far greater power. On one hand, with the popularity of web front-end development, the interfaces of many client applications also use web front-end elements: HTML, JavaScript and Flash. On the other hand, Internet vendors in mainland China all offer their users browser products they developed themselves, and the extra features added to these products usually build their interfaces from web pages. These applications provide a stage for escalating the impact of web script vulnerabilities. Through the analysis of real vulnerability cases, this talk shares how web script vulnerabilities can be combined with design flaws in client software products to achieve remote command execution. The cases shared include: vulnerabilities in mainland Chinese browser products (such as Tencent QQ Browser, Sogou Browser and Baidu Browser), remote command execution in Internet Explorer caused by design flaws in online banking controls, remote command execution in email client products, and remote command execution in the client software with the highest market share in China, Tencent QQ.

    N/A

    R2
    Confessions of a Geek - Hard Drive Secrets Let Out
    Chang Dao Hung
    TW
    OSSLab

    CIO of OSSLab / Speaker at HITCON 2012

    Information security lecturer at the Taiwan National Police Agency

    He humbly sees himself not as a data recovery or digital forensics “expert”, but only as a passionate geek who puts electronic engineering theories into practice.

    Hard Drive Secrets Revealed

    The legendary data recovery techniques, the NSA-developed EQUATIONDRUG firmware malware that even formatting cannot remove... what are these all about? Can we only learn about them by relying on costly professional hardware and equipment? This talk will guide you through the untold secrets of hard drives using the hard drive firmware tools developed by OSSLab.

    R4
    Anti-Anti-Cheat: From Game Protection Mechanisms to Rootkit Techniques
    TDOHacker
    TW
    TDOHacker

    At HITCON 2013, a group of students felt discouraged and disappointed with the information security learning environment in Taiwan, and envied the good learning environments abroad. So, for the development of Taiwan's security scene and to have a better environment in which to learn security, they founded The Declaration of Hacker (TDOHacker), a student-centered security community, right at the conference venue. TDOHacker is dedicated to promoting information security among students and on campuses. Besides holding monthly regional security meetups where attendees can exchange ideas, it has also held workshops, attack-and-defense lectures and security outreach talks at many schools. This year we launched two projects, the “Wargame Open Practice Platform” and the “Learning Map Open Platform”, aiming to provide students with more learning and practice resources.

    N/A

    Most games today rely on protection software from other companies for their own protection. This talk analyzes those protection products, from Ring 3 protection to rootkit techniques, as well as the bypassing of Ring 0 (driver-level) protection mechanisms, summarizing the principles and the corresponding bypass methods. The explanation targets 32-bit Windows 7 and explores the secrets of low-level game protection. This research uses VMware 10 and WinDbg for two-machine (kernel) debugging.

    N/A

    R0
    Adversaries hiding in your routers - APT malware Plead analysis and tracking
    Charles Li / Zha0
    TW
    TeamT5

    N/A

    Charles:

    Working Experience:

    • Trend Micro, Senior Engineer , 2012/07-2013/02
    • Team T5 , Senior Researcher, 2013/03-Now

    Presentations: APT Fail - HITCON 2014

    Co-Speaker: Zha0

    Working Experience:

    • Trend Micro, Senior Engineer , 2012/06-2013/01
    • Team T5 , Senior Researcher, 2013/02-Now

    Presentations:

    • Virus Evolution – HIT 2006 (Hacks in Taiwan)
    • Owned Kiosk – HIT 2010 (Hacks in Taiwan)
    • APT Fail - HITCON 2014

    N/A

    Abstract

    Plead is an advanced RAT written in shellcode. Though seldom discussed publicly, it has been used to target governments, think tanks, corporations, media, etc., in Taiwan for several years.

    In this talk, we will give a technical analysis of its functionality and revisions. We'll also show you how compromised devices are used by Plead as its C2 cloud to attack Taiwan. Finally, we want to discuss the relationship between Plead and another notorious group, Taidoor, based on their overlapping C2 infrastructure.

    Agenda:

    • Introduction
    • Plead began
    • Plead analysis
    • Plead malware families
    • Phantom in routers
    • Conclusion

    R1
    Your Lightbulb Is Not Hacking You: Observation from a Honeypot Backed by Real Devices
    Philippe Lin
    TW
    Trend Micro

    Philippe Lin is a staff engineer at Trend Micro. He works in data analysis, machine learning, fast prototyping and future threat research, and was a BIOS engineer in the Open Compute Project. Active in open source communities, he is a hobbyist of Raspberry Pi / Arduino projects and likes to tinker with circuits and keep cats. He is the author and current maintainer of Moedict-Amis, an open source dictionary of an Austronesian language.

    N/A

    IoT devices are claimed to be vulnerable to massive attacks. We tried to assess the status quo with two IoT honeypots in Taipei and Munich, backed by real devices such as LIFX, Philips Hue, D-Link and Samsung IP cameras, gaming consoles, WD Cloud and a SmartTV. After four months of observation, we conclude that IoT is somewhat "probed" but still far from being massively attacked.

    R2
    Hack Mobile Games For Fun
    Hung Chien-Wei
    TW
    N/A

    N/A

    I love anything that is useful to me or the world!!!

    As a programmer, I have written over 400,000 lines of C++ code on Windows for various purposes.

    As a security researcher, I am interested in analyzing anything useful, especially games :) I am currently working at Trend Micro, doing C&C and APT campaign research.

    Undoubtedly, playing games is one of the most widespread forms of entertainment.

    The mobile game industry is worth tens of billions of dollars every year, yet so far few companies have paid any attention to the security of their games. Frantic licensing deals and rushed schedules have flooded the market with games that show little technical progress; most developers are working overtime with all their strength on endless features and migrations, and no one cares to mention the security and improvement of the software itself.

    So I would like to share some easy ways to enhance a mobile game just downloaded from a store: adding features, fixing bugs, improving the UI, and even boosting performance. It works for most online and offline games.

    With the improvement of network speed and stability, mobile games will become a focus sooner or later. I hope this sincere and direct sharing gives an early alarm to game developers and players to take mobile game security seriously.

    R4
    Community Introductions - Community Lightning Introduction
    Communities
    TW
    Communities

    N/A

    N/A

    N/A

    N/A

    R0
    A Dozen Years of Shellphish - from DEFCON to the Cyber Grand Challenge
    Yan Shoshitaishvili
    US
    Shellphish

    N/A

    Hacking since the age of eight, Yan Shoshitaishvili is fascinated by understanding and commandeering the computation and actions carried out by binary code. He is currently pursuing his PhD in the Seclab at UC Santa Barbara and is one of the hacking aces behind team Shellphish. In the little spare time he has left, he develops and releases computer security tools on the Internet.

    N/A

    Being a member of an awesome CTF team is a rewarding experience. CTF players push themselves, forgoing sleep for the promise of cracking a challenge and getting that flag. Between CTFs, they practice and work on tools and strategies. Friendships are forged on and off of the "battlefield".

    Shellphish is the oldest active CTF team in the world. We were there from the beginning of the sport (or, at least, almost the beginning). What's more, Shellphish is thriving -- we prepared for and coordinated our successful qualification for this year's DEFCON CTF and the DARPA Cyber Grand Challenge, with the qualifying events weeks apart. Aside from being the oldest team at DEFCON CTF, we are also one of only two CTF teams among the CGC finalists.

    We're not bragging, we're just extremely enthusiastic! In this talk, I'll discuss two topics: Shellphish itself, and our participation in the DARPA Cyber Grand Challenge.

    First, we'll start with our team "culture" -- what enables us to maintain such an enthusiasm, for such a wide variety of activities, for such a long time? How does Shellphish continue to exist and grow? How do we attract and train new members?

    Then, we'll move on to some of the interesting stuff our team does -- specifically, the main focus of the talk will be Shellphish's participation in the DARPA Cyber Grand Challenge. How does a ragtag group of hackers manage to qualify for such a complex, difficult competition? What pushed our team to do it? How did we organize the effort, integrate the right tools, and ensure success? We'll go through Shellphish's whole brainstorming, design, implementation, and competition process.

    After the talk, you'll understand the different components of the Cyber Reasoning System that we ended up with, what motivated us to design the system the way we did, how it works, and how it's applicable to CTFs in general. We hope to show that a group with the right focus and skills can succeed and have fun when participating in highly-competitive security challenges.

    R1
    Some things about LAN device detection (The identification for BYOD/IoT)
    Canaan Kao
    TW
    NTHU/Trend

    Canaan has been in the network intrusion detection system (IDS) industry since 2001, and is currently a doctoral candidate and a member of the antivirus industry.

    He was the organizer and a speaker at the Workshop on Understanding Botnets of Taiwan (BoT) in 2009, 2010, 2012, 2013, and 2014. Last year, he shared some of his recent research at HITCON 2014 PLG. His main research interests lie in the fields of network security, intrusion detection systems, reverse engineering, malware detection, and embedded systems.

    Some things about LAN device detection (a few things about identifying devices on the internal network)

    In the past we put the main effort of network intrusion detection at the firewall/gateway, but times have changed: the threats that BYOD/IoT bring to the LAN side are not necessarily noticed by the firewall/gateway. Managing devices on the LAN side will therefore become a necessity in the future, and before devices can be managed, they must first be identifiable. This talk will share the methods currently available for identifying network devices and the feasibility of each.

    N/A

    R2
    An Anti-Mitigation Exploit Generation Integrating with Metasploit Framework
    Vince Chen
    TW
    NCTU

    N/A

    Vince Chen just graduated from the NCTU SQLab, and he is going to be a software engineer at MediaTek. His current research covers software attack and defence techniques and the exploit toolchain. Vince was also a Microsoft intern last year. He enjoys sharing new technology and developing new services.

    N/A

    Due to software quality issues, recent attacks on various systems are getting serious, and software security has therefore become an important research topic. Attacks on software vulnerabilities not only endanger the information infrastructure, but also impact human safety. To improve the overall robustness of a system, we need a penetration test system to audit the related systems. We have proposed the concept of the exploit toolchain to automate the whole process of fuzzing, exploitation, and post-exploitation, integrated with the Metasploit Framework.

    For the exploitation process, we must be able to bypass the recent protections and mitigations of the operating system, for example ASLR (Address Space Layout Randomization) and DEP (Data Execution Prevention). We have enhanced the ROP (Return-Oriented Programming) technique to bypass ASLR and DEP by searching for gadgets of larger sizes.

    R4
    Android App Reverse Engineering and Signing Techniques
    HST
    TW
    HST

    Hack.Stuff is an information security community dedicated to building a good atmosphere for discussion.

    We learn on our own, take part in major CTFs, and keep an eye on information security. We have no age limit and no distinction between fields. Our aim is that nobody is lonely on their learning path, nobody goes astray, and nobody is held back!

    Since last year we have made some changes. Externally, we hold technical sharing sessions and invite friends who are interested in learning security to share with everyone. Internally, weekly meetups let members share their recent learning, study new techniques and build friendships, and we have held several hackathons to raise the technical skills of every team member.

    In the future, we hope you will join us, so that the security community can grow and learn together.

    N/A

    Android App Reverse Engineering and Signing Techniques

    A simple introduction to reversing apps and the security verification techniques that must be taken into account. We start from the most basic Android architecture, explain how Android executes internally, and then cover the security mechanisms Google has added to the Android system. No deep technical content will be covered; we hope beginners can understand it in one sitting, so that newcomers see HST as a cheerful learning community that keeps improving its security skills.

    N/A

    R0
    R0-Lightning Talk

    N/A

    N/A

    N/A

    N/A

    R1
    Microsoft Edge MemGC Internals
    Henry Li
    CN
    TrendMicro

    N/A

    I am a security researcher in the Trend Micro CDC zero-day discovery team. I have 4 years of experience in vulnerability and exploit research. My research interests are browser 0-day vulnerability analysis, discovery and exploitation.

    N/A

    In 2014, Microsoft introduced two new exploit mitigations, called Isolated Heap and MemoryProtection. These mitigations greatly increase the difficulty of exploiting use-after-free (UAF) vulnerabilities, but there are still many ways to bypass them when the pointer to the freed block does not remain on the stack.

    In order to completely prevent the exploitation of UAF vulnerabilities, the Microsoft Edge browser introduced a new memory manager called MemGC. MemGC uses the mark-and-sweep algorithm for memory management.

    In this presentation, the first part will sketch the MemGC internals by discussing its data structures and its memory allocation, free, mark and sweep. The second part will discuss why MemGC can effectively prevent UAF exploitation. The third part will discuss some weaknesses of MemGC.

    R2
    Let's Play Hide and Seek In the Cloud - The APT Malware Favored in Cloud Services
    沈祈恩 (Ashley Shen) / 賴婕芳 (Belinda Lai)
    TW
    Team T5

    N/A

    沈祈恩 Chi En Shen

    Chi En Shen (Ashley) is a security researcher at Team T5 Inc. Team T5 monitors, analyzes, and tracks cyber threats throughout the Asia Pacific region. Her major areas of research include malicious documents, malware analysis and Advanced Persistent Threats (APT). During her MSc, she designed and implemented a flexible framework for malicious Office Open XML documents to detect APT attacks. She is also a core member and speaker of HITCON GIRLS, the first security community for women in Taiwan.

    賴婕芳 (Belinda Lai)

    Security engineer, assisting organizations in handling information security incidents. My daily job is analyzing malware and trying to find details in it. I have worked in the information security industry for 2 years. A member of HITCON GIRLS (the Hacks in Taiwan Conference for women).

    N/A

    Defending against Advanced Persistent Threat (APT) attacks has become a blooming topic in recent years. Organizations, enterprises, and especially governments have all been designated targets of APT attacks. Since APT attacks are well crafted with advanced tactics, potential targets of APT attacks should understand how to detect, prevent, and respond to these cyber attacks.

    A newfangled trend that has been affecting people's lives is cloud service technology. Almost everybody enjoys the cost-efficient and convenient features of cloud services. Yes, almost everybody, including actors. Hackers love cloud services just as much as you do, and probably even more so. When sophisticated hackers recognize the benefits of cloud services for their attack infrastructure, a second front is opened.

    In this talk, we will present APT malware which leverages several cloud services (including numerous blog services provided by multiple platforms, and cloud storage services such as Dropbox, Google Drive, CloudMe, etc.) as its attack infrastructure. We will introduce our analysis of the malware and explain how actors perform their attacks through the cloud. Additionally, we will explain the advantages cloud services bring to malware and how to respond to these threats. Furthermore, we will also uncover potential targets of these trojans, which might be a bigger concern to the audience.

    Please move to another conference room
    R0
    R1
    R2
    Keynote-Why are our tools so terrible?
    Geohot
    US
    N/A

    N/A

    George previously worked for SpaceX, Google, and Facebook. He was the first person to unlock the iPhone, and discovered a way to access the PS3 hypervisor by shorting a memory chip to ground. Recently, he won Google's Pwnium competition by achieving persistent root on the Chromebook and has been part of the winning team at DEFCON for two years running. In his spare time, George raps and plays capture the flag competitions under the name tomcr00se.

    N/A

    Having won two Pwn2Owns and a couple of CTFs, I stopped hacking partially because of frustration with the tools. Why are we still using GDB? Why is IDA the gold standard for static analysis, when really it's objdump with a few graphs? Even Hex-Rays: why is C the best way to view a program? I'll talk about my adventures with Project Zero, and my attempt to start addressing this problem with QIRA. And I'll suggest directions for future development, in the hope that future generations will have a more pleasant binary exploitation experience.

    R0
    Discover Flash Player Zero-day attacks in the wild from big data
    Peter Pi
    CN
    TrendMicro

    N/A

    Personal Profile

    • Name: Peter Pi
    • Email: tiangangpi@gmail.com
    • Twitter: @heisecode
    • Weibo: @heisecode
    • Blog: http://blog.trendmicro.com/trendlabs-security-intelligence/author/peterpi/

    Education Background

    Master's degree from Southeast University, majoring in Information and Communication Engineering.

    Work

    I'm working at Trend Micro, Nanjing, China. I have been engaged in research and development of APT offense and defense for about three years. I'm interested in vulnerability hunting and exploit development.

    N/A

    2015 is the year of Flash. Attackers almost always use Flash Player vulnerabilities to attack PC users. The zero-day attacks found in 2015 are almost all Flash Player vulnerabilities, and in 2015 exploit kits are all equipped with Flash 0-days and newly patched n-days to do bad things.

    In our Hadoop server, there are millions of suspicious Flash samples from our sourcing channels, and thousands are newly added every day. We want to actively discover Flash 0-day attacks and newly patched n-day attacks in the wild from this big set of samples. So, I need a high-performance, low-false-alert automated method to process the big set of samples.

    In this presentation, I will introduce the method which I used to discover zero-day attacks and the tools I developed to help process the big set of samples.

    R1
    Backdooring MS Office documents with secret master keys
    Yoshinori Takesako & Shigeo Mitsunari
    JP
    SECCON

    N/A

    Yoshinori Takesako (chair of SECCON)

    Twitter: @takesako

    Yoshinori Takesako is the executive committee chairperson, organizer, and challenge creator of the SECCON CTF contests in Japan. He is also on the OWASP Japan advisory board, the review board of the CODE BLUE conference, and is the leader of the Shibuya Perl Mongers group. He received the Microsoft MVP award for Developer Security in 2008. He has presented at security conferences such as HITCON 2011 ("Disassembling Flash Lite 3.0 SWF Files") and OWASP AppSec APAC 2014 ("Secure escaping method for the age of HTML5"), and has published several books and papers, including "Reading ECMA-262 Edition 5.1" and "How to Execute Arbitrary Code on x86 JIT Compilers".

    Shigeo Mitsunari (Cybozu Labs)

    Twitter: @herumi

    Shigeo Mitsunari is a software developer and researcher. He is interested in pairing-based cryptography and its implementation. He develops the x86/x64 JIT assembler Xbyak and a very fast C++ pairing library, both of which are open source projects. He received the MITOH Super Creator award from IPA in 2003, the chairman's award of the Information Promotion Consortium in 2005, the best paper award of IEICE in 2010, and the Microsoft MVP award for Developer Security in 2015.

    N/A

    Microsoft Office 2010 and later versions employ Agile Encryption algorithm in their documents. Unlike previous versions, the password is hashed numerous times so that it cannot be easily reversed back to plaintext. Moreover, the encryption algorithms utilized and the number of hash iterations are flexible and are constantly improved over time. However, there is a vulnerability in the file format specification that can allow an attacker to later decrypt strongly encrypted documents without the password as long as the attacker has access to the originating MS Office program. This is possible by tricking MS Office into creating a nearly undetectable master key when it creates encrypted documents. I will explain how to install this master key for decryption by using a crafted backdoor program. In this talk, I will explain and demo how to backdoor MS Office to create predictable master keys in AES encrypted documents.

    R2
    Inside Flash: Flash Exploit Detection Uncovered
    Ga1ois / Bo Qu
    CN
    Palo Alto Networks

    N/A

    Ga1ois

    Ga1ois is a security researcher at Palo Alto Networks, working on anti-APT and research topics. Before joining Palo Alto Networks, Ga1ois was a security researcher at NSFocus Security Lab, working on vulnerability analysis, discovery and exploitation. Now he focuses on the security of browsers, Flash and sandboxes. He has also been a CanSecWest and POC speaker.

    Bo Qu

    Bo Qu is a security researcher at Palo Alto Networks, working on anti-APT and research topics. Before joining Palo Alto Networks, Bo Qu wrote several remote forensics tools for Linux, Windows, iOS/OSX, Android and MIPS-based devices while pursuing his Ph.D. degree. He has also discovered 100+ vulnerabilities in RPC, IIS, Windows, Office, Adobe Reader, Flash and Internet Explorer.

    N/A

    In our talk, we will dissect and disclose some undocumented internals of Flash for detecting Flash exploits. There are 3 parts to our talk:

    • Identify (possible) exploits: find vectors in loops using static detection
    • Stop exploits: a lightweight page heap for FixedMalloc in Flash
    • Distinguish real exploits: find *bad* vectors, especially when *bad* vector operations are JIT-ed

    R4
    SQL Injection & Cross-site Scripting
    NISRA
    TW
    NISRA

    NISRA, the Information Security Research Association, whose full name is the Network and Information Security Research Association

    We are a study group founded in 2007 with network and information security as its main theme. From a reading group at the start to the regular core we have today, we have run entirely on the voluntary contributions of our core members. Self-directed learning, passing knowledge from generation to generation, and teamwork are our enduring traditions and the spirit of our ideals.

    Rooted in the Department of Computer Science and Information Engineering at Fu Jen Catholic University, we take sound security concepts as the starting point for inspiration and hope to bring security to everyone willing to put in the effort to learn. Promoting concepts and improving skills are equally important to us; we encourage students everywhere to get close to security, and welcome like-minded people to exchange ideas and learn with us!

    N/A

    SQL Injection and Cross-site Scripting are two vulnerabilities that arise from incomplete web development. Their targets differ, but both use deliberately crafted input data to make the system produce unexpected, harmful behaviour. The technique sounds simple, but how do the two actually work, and what are the differences between them?

    N/A

    R0
    What Google knows about you and your devices, and how to get it
    Vladimir Katalov
    RU
    ElcomSoft Co.Ltd.

    N/A

    Vladimir Katalov is CEO, co-founder and co-owner of ElcomSoft Co. Ltd. Born in 1969, he grew up in Moscow, Russia, and studied Applied Mathematics at the Moscow Engineering Physics Institute (now National Research Nuclear University). Vladimir has worked at ElcomSoft from the very beginning (1990) up to now, and currently manages all technical research and product development in the company. He regularly presents at various events and also regularly runs security and computer forensics trainings for both foreign and domestic (Russian) computer investigative committees and other law enforcement organizations.

    N/A

    Google has become one of the most important sources of information, as it aggregates everything about a user's online and offline activities, analyses it and gives recommendations. Location and browsing history, credit card data, purchases, connected devices and applications, contacts and calendars, notes and mail, photo albums, synced passwords and web form data, Hangouts chats and much more: all that data is stored in multiple places, accessible via various protocols, and requires authentication. You'll learn how to authenticate to Google servers without using a browser (though credentials are still required), and how to get all this information without leaving traces.

    R1
    Android AIDS: Automatic Intelligence De-advertisement Scheme In CSharproid
    馬聖豪
    TW
    N/A

    Sheng Hao Ma (Adr)

    Intern at CHROOT, core member of The Declaration of Hacker (TDOH), and currently a freshman in Computer Science at I-Shou University.

    He frequently shares fun facts and general knowledge about information security at schools and in industry, and helps beginners set foot in the field. He is proficient in C & C++, MASM, C#, VB.NET and other languages, and specializes in MASM x86 reverse analysis and digital forensics on Windows, as well as reverse analysis of apps built with the various engines on the Android platform.

    Blog: http://helloadr.blogspot.tw/

    Today it is a common business model for online services to bundle advertisements so that vendors profit from them. The most direct channel for advertising is display in web pages on personal computers: the blog you are reading, the Google search page, or YouTube all show a dazzling array of ads that affect the user's experience, which is why ad-blocking extensions such as AdBlock and Clearly came into existence.

    In an era where everyone owns a phone, mobile advertising (ads on mobile devices) is a pie that vendors cannot give up either. On smartphones, ad-blocking tools such as AdBlock and AdAway must first obtain ROOT access before they can remove ads; yet security experts have repeatedly warned that we should not recklessly let apps obtain ROOT access, or we open the gates to hackers and invite all kinds of potential viruses and security problems. Is it worth giving up a phone's basic security just to remove ads?

    This talk explores, based on the Android system architecture, manual reverse engineering and the study of ProGuard obfuscation characteristics, and then presents a fully automatic reverse-engineering tool implemented in C# that takes an APK and automatically produces an ad-free version of it, so that the phone stays both secure and ad-free without ROOT. The talk is also a reminder in the other direction: engineers who make money with off-the-shelf advertising APIs should protect the security of their own apps at every level.

    R2
    Trojan Siege - The Vulnerabilities You Unknowingly Introduced Over the Years (Trojan talk, exploit works quietly in the old times)
    Flanker
    CN
    Keen Team

    Flanker graduated from Zhejiang University. While still a student he was a CTF enthusiast, became one of the early members of the blue-lotus team, and competed with the team at DEFCON 21 CTF. Flanker now works for Keen Team, focusing on mobile security and program analysis; he is devoted to vulnerability discovery on mobile platforms and the application of program analysis theory and methods to it. Companies and organizations including Google Android, Twitter, Tencent and Alibaba have acknowledged his reports of vulnerabilities.

    This is an era of development for developers: all kinds of SDKs give mobile application developers enormous convenience, but while taking the easy road, have you ever considered the problems in the SDKs themselves? This talk enumerates all sorts of problems in SDKs on the Android and iOS platforms released by Google, Apache, Alibaba, Tencent and others, ranging from information leaks and improper encryption/decryption to sandbox escapes and code execution. The talk also discloses original 0-days in widely used SDKs from Alibaba and Tencent with analysis details, discusses how to detect and defend against this class of problems, and shares experience from analyzing them as well as lessons from writing and using the related tools.

    R4
    Malware Analysis and Reverse Engineering
    HITCON GIRLS
    TW
    HITCON GIRLS

    HITCON GIRLS is an event with women as its main participants. It lets women in the IT field form a security team where members share, discuss and help each other, and hopes through this event to encourage and recruit more women to learn security. We hope to offer a channel for women to learn security, and an environment where everyone learns from and exchanges with each other.

    HITCON GIRLS is an event launched by the HITCON GIRLS team to promote information security. It is a series of talent-cultivation courses, organized by a group of women with passion and interest in information security, and is one of the events supported by the Hacks in Taiwan Conference (HITCON). Its aim is to make it easier for women interested in security to learn the basic knowledge and practical skills of information security through these courses.

    N/A

    We are the Malware Analysis Group of HITCON GIRLS. This session discusses what malware is and studies its behaviour: why does a behaviour count as malicious, and what layers does it affect? Different behaviours map to different analysis tools and ways of thinking, and the tangle of results is often the threshold that drives beginners away. So we hope to guide everyone in with simple words, and through a step-by-step agenda encourage those interested in malware to join in and discuss the mindset and skills that analysis requires.

    Malware Basics

    • What do we usually mean by malware?
    • What behaviour makes a program malicious?
    • From which layers do we analyze malware?

    • Layers in detail (Registry, Process, Network)
    • Using tools to analyze each layer
    • Cross-comparison with a sandbox
    • Try writing a piece of malware yourself

    Analysis of recent popular real-world cases

    Reverse Engineering

    • Machine code & assembly language
    • Basic concepts of assembly language
    • Introduction to reverse engineering
    • Dynamic analysis vs. static analysis
    • Trying both kinds of analysis on the malware we wrote ourselves
    • Summary / What you will be able to do after this talk

    N/A

    R0
    R1
    R2
    Attacking our product by grayhats
    陳鴻嘉
    TW
    LINE Plus Corporation, Taiwan Branch

    The speaker holds BS and MS degrees in Information Management from National Central University. He joined LINE Taiwan in October 2014, and is currently the CTO for Taiwan, responsible for building up a product development team in Taiwan while also supporting the headquarters' development plans. Previously, he worked for Yahoo! Taiwan where he was in charge of search, social networking and e-commerce services. He is the mastermind behind the design and development of Yahoo! Zhi-shi-jia (“Knowledge+”), and helped create the first generation of “Yahoo! Answers” worldwide. At Yahoo!, he also led the development team of Wretch (a domestic SNS) and the blog services in other Asian countries, as well as the development team of Yahoo! Chao-ji-shang-cheng (“Mega Shopping Mall”) in the e-commerce division. Over the past 6 months at LINE, apart from recruiting talent nonstop, he has also helped the headquarters' development team create “LINE MART”, the first localized e-commerce application, and dealt with the issues found during the localization of LINE.

    N/A

    N/A

    R0
    Epic Tricks in Web Hacking
    Cheng-Da Tsai a.k.a Orange
    TW
    DEVCORE

    蔡政達

    • CHROOT 成員 / HITCON 成員
    • 國內外研討會 HITCON, AVTOKYO, WOOYUN 等講師
    • 國內外駭客比賽冠軍
    • 揭露過 Microsoft IE, Django, Yahoo ... 等 0-DAY 漏洞
    • 專精於駭客手法、Web Security 與網路滲透

    http://blog.orange.tw/

    Cheng-Da Tsai a.k.a Orange

    • Member of CHROOT and HITCON
    • Speaker at domestic and international conferences including HITCON, AVTOKYO and WOOYUN
    • CTF champion at home and abroad
    • Discovered 0-day vulnerabilities in Microsoft IE, Django, Yahoo, etc.
    • Specializes in hacking skills, web security and network penetration

    http://blog.orange.tw/

    There are many web technologies, and attack methods come with far too much know-how and too many combo techniques to defend against. Among them, vulnerabilities that arise from particular "properties" (quirks) are also the most easily overlooked. This talk will demonstrate the more interesting quirks and the more neglected techniques from real-world experience. In short, treat this session as an advanced Web Security course!

    With so many web technologies around, there are just as many attack methods, with plenty of know-how and "combo attacks" to catch people off guard. Among these attacks, the ones targeting "properties" (quirks) are the most likely to be overlooked. Some of these fun "properties" and neglected skills will be demonstrated in this talk. Anyway, think of this talk as an advanced version of Web Security!

    R1
    I Know Where You Are: Location Privacy Tracking via LBSN Apps
    趙雙 & Xiapu Luo
    CN
    N/A

    Shuang Zhao (DFlower) is a member of the Insight-Labs security team. He has many years of security research experience; his research directions include vulnerability discovery, malware detection and mobile security. He has led the development of automated malware analysis sandboxes for the Windows and Android platforms, co-authored "0day Security: Software Vulnerability Analysis Techniques (2nd Edition)", and spoke at XCon 2011 and OWASP China 2010.

    Shuang Zhao (DFlower) is a member of the Insight-Labs Team. He has many years of experience in network security, including vulnerability mining, malware detection, mobile security, etc. He has developed two malware analysis sandboxes, for Windows and Android. He is one of the authors of the book "0day Security: The Techniques of Software Vulnerability Analysis (2nd Edition)". He gave speeches at OWASP China 2010 and XCon 2011.

    Copresenter Xiapu Luo is a research assistant professor in the Department of Computing, the Hong Kong Polytechnic University. He has been working on information security for more than 10 years and published a number of papers in top security conferences. His current research interests include Android security and privacy, Network and System Security, Internet Measurement, and Mobile Networks.

    Many LBSN (Location-based Social Network) apps have a "Nearby" feature (for example WeChat, Sina Weibo and SayHi) that users can use to find strangers or news nearby. However, while users use these features, their own location is also exposed to others. This talk studies the security of several mainstream LBSN apps and describes how hackers can exploit their location-leak flaws to collect and track the location of any user without leaving home. Finally it presents an experiment that used LBSN app security flaws to track users across all of Beijing, shows some interesting results, and builds a Wall of Sheep of location leaks, on which some real-name-verified celebrities (singers, movie stars, company CEOs, etc.) even appear.

    With the popularity of LBSNs (Location-based Social Networks), many LBS apps including WeChat, SayHi, Weibo, etc. provide a "Nearby" feature, which can be used to find other users nearby and make friends with strangers. However, while searching for people around, the user himself, as well as his own location, is also exposed to others. We examine the security of several popular LBSN apps and show how hackers are able to track the locations of any users who are using the "Nearby" feature. Finally we show a real-world experiment of tracking all users in Beijing via a popular LBSN app. We build a Wall of Sheep to show the people whose location privacy is leaked, and many celebrities are on it.

    R2
    My journey through the game cheats community: the Techniques, Insights, and Advice.
    Inndy
    TW
    TDOHacker

    A youngster who set out on the road of no return in order to write a game hack of his own

    Inndy is a youngster who takes on the journey of no return to the world of hacking and reversing, in order to create the game hack of his own.

    In this talk, I will share the story of how I started learning to program and to write game hacks in the second year of junior high school, share some of the techniques we used along the way, and introduce the ecosystem and industry of the game cheat scene

    In this talk, I’ll be sharing stories of how I learned programming and writing game cheats. Also, I'll touch on the techniques that I learned on the way, and insights into the ecosystem and industry around online game cheats.

    R4
    Web Front-end Attacks and Defences
    HST
    TW
    HST

    Hack.Stuff is an information security community dedicated to building a good atmosphere for discussion~

    We learn on our own, take part in major CTFs and follow information security. We have no age limit and no boundaries between fields. Our aim is that nobody is lonely in their field of learning, nobody goes astray, and nobody feels constrained!

    Since last year we have made some changes! Externally, we hold technical sharing sessions and invite friends interested in learning information security to share with everyone. Internally, weekly meetups let members share their recent progress, study new techniques and build camaraderie, and we have held several hackathons to raise the technical skills of all team members.

    In the future, we hope you will join us so that the security community can grow and learn together~

    N/A

    Web front-end attacks and defences

    Front-end attacks are a very interesting hacking technique;

    they attack users by designing traps;

    this talk will introduce the technique in a fun way.

    It covers the popular XSS attack and other front-end attack techniques, starting from the most basic and simple website front-end technology and going on to information security research topics. It will not go into overly deep technical content; the hope is that beginners can understand it after hearing it once, and that newcomers can see that our big HST family is a happy learning community that keeps improving its security skills.

    N/A

    R0
    Hacking mobile network via SS7: interception, shadowing and more
    Dmitry Kurbatov / Vladimir Kropotov
    RU
    Positive Technologies

    N/A

    Dmitry Kurbatov

    • Expert of Telecommunication Security Group
    • Positive Technologies
    • dkurbatov@ptsecurity.ru
    • kurbatov.dima@gmail.com
    • http://www.ptsecurity.com/
    • Russia, Moscow

    Brief: Dmitry Kurbatov graduated from Moscow State Institute of Radio Engineering, Electronics and Automation with a degree in Information Security of Telecommunication Systems. He has 7 years of experience in the information security of corporate networks, business applications, and telecommunication equipment. An expert at the Positive Technologies company and Positive Research Center, he participated in organizing all Positive Hack Days forums. Dmitry has published many articles on information security.

    Vladimir Kropotov

    • SOC lead
    • Positive Technologies
    • voffchik@gmail.com
    • http://www.ptsecurity.com/
    • Russia, Moscow

    Brief: His main interests lie in network traffic analysis, breach detection, incident response, and botnet investigations. He is a frequent speaker at a number of international conferences, including PHDays, ZeroNights, HITB, CARO, HITCON, G0Z, and Hack.lu.

    N/A

    Telecommunication networks are essential infrastructure in today's society. Both individuals and businesses depend on telecom operators to ensure reliable and protected communication, for traditional mobile services and increasingly for machine-to-machine (M2M) and Internet of Things (IoT) applications.

    Telecom companies are increasingly concerned with the vulnerabilities in the SS7 network. The SS7 telephony messaging protocols are 30 years old this year, making them dinosaurs in a digital world: they pre-date mobile phones, digital switching and the world wide web. However, there are more people using the SS7 network than the internet.

    We will consider the range of possibilities open to an intruder who has accessed the holy of holies of telecom companies: SS7. The talk will address attacks aimed at disclosure of a subscriber's sensitive data, including his or her location, DoS, and unauthorized intrusion into the communication channel. The research also covers ways of getting access to SS7, types of protection against such attacks, and methods of investigating incidents related to vulnerabilities in a signaling network.

    Demo is available.

    Duration: 45-50 minutes

    Related topics: Mobile, New network attacks technologies, 3G/4G security, Protocol security/Exploitation, SS7 security.

    R1
    Secure user/work space in the iOS environment
    王緯
    CN
    Qihoo 360 Nirvan Team

    Proteas of 360 Nirvan Team

    From Beijing

    • Researching iOS security since 2012
    • 5 years of iOS application development experience
    • Currently at Qihoo 360, working full-time on iOS & OS X security research
    • Main research areas: iOS & OS X attack surface, vulnerability discovery and exploitation techniques, deep fuzzing, etc.; has discovered vulnerabilities in iOS userland and kernel space and was officially credited in the iOS 8.4.1 security update

    Proteas of 360 Nirvan Team, from Beijing

    • iOS security research since 2012
    • 5 years of experience in iOS application development
    • Focusing on iOS & OS X security research at Qihoo 360
    • Topics: attack surface, vulnerability mining & exploitation techniques, and deep fuzzing of iOS & OS X
    • Found userland and kernel vulnerabilities in iOS, and was credited in the security advisory for iOS 8.4.1

    • Overview of iOS security features
    • Sandbox permission leaks
    • Application security and attack surface
    • Script-based attacks
    • How script-based attacks are carried out
    • Defence recommendations against script-based attacks

    • Overview of iOS Security Features
    • Sandbox Permission Leaks
    • Application Security and Attacks
    • Script-initiated Attacks
    • Implementation of Script-initiated Attacks
    • Defense Advice on Script-initiated Attacks

    R2
    CTF For Beginner
    陳威伯
    TW
    bamboofox

    Currently a fourth-year student in the Department of Computer Science, National Chiao Tung University

    In the first semester of my junior year I took the Secure Programming course, gained a preliminary understanding of information security, and gradually stepped into the field, starting mainly from reverse engineering to analyze how programs run. Through that course I also met many people interested in security, joined bamboofox, and in my spare time I take part in CTF competitions and study security techniques with my teammates

    Wei-Bo Chen is a senior at the Department of Computer Science, National Chiao Tung University. In his junior year, he took the Secure Programming course and received some basic knowledge regarding information security, then he entered the discipline accordingly. He mainly analyzes the operation processes of applications through reverse engineering. From the course he met many information security enthusiasts. Later, he joined bamboofox to compete in CTF contests in his leisure time and dig into techniques in information security with other members.

    Introduction to CTF competitions, my own experience, my learning process and the difficulties I encountered; introduction to tools and CTF techniques such as binary patching, etc.

    Introduction to bamboofox

    Introduction to CTF competitions, my life and learning experience, difficulties I have confronted, introduction to tools and techniques in CTF, for instance binary patching

    Introduction to bamboofox

    R4
    IDA Pro Hex-Rays Decompiler Cheat
    TDOHacker
    TW
    TDOHacker

    At HITCON 2013 a group of students who were disheartened and disappointed with Taiwan's information security learning environment, and envious of the good learning environments abroad, founded The Declaration of Hacker (TDOHacker), a student-centred security community, right at the venue, both to develop Taiwan's security scene and to have a better environment for learning security. TDOHacker is dedicated to promoting information security among students and on campuses: besides holding monthly regional security meetups where attendees can exchange ideas, it has also held workshops, attack-and-defence lectures and security awareness lectures at many schools. This year we also launched two projects, the "Wargame Open Practice Platform" and the "Open Learning Map Platform", aimed at providing students with more learning and practice resources.

    N/A

    Among today's mainstream Windows reverse-engineering tools, OllyICE and IDA Pro are the best known, and since both have a wide range of powerful plugins they have become indispensable analysis companions for front-line malware analysts and CTF players. This talk explores how the IDA Pro decompiler relies heavily on information from the static assembly, and how information that IDA Pro ignores can be used to deceive it, so that the C code the decompiler derives from a piece of assembly is completely different from what the code actually does when run. The technique can be used inside malware to make analysts believe its code is harmless, or in CrackMe challenges to mislead analysts into recovering an incorrect algorithm.

    N/A

    R0
    R1
    R2
    New Mindset for Malware Battlefield: Bytecode Analysis and Physical Machine-based for Android
    吳明蔚 & TonTon Huang
    TW
    Verint Systems (Taiwan)

    Ming-Wei Wu (Benson Wu) works at Verint as General Manager of Verint Taiwan. He received his MS in Computer Science from National Chiao Tung University in 2003 and his PhD in Electrical Engineering from National Taiwan University in 2008. In 2011 he co-founded Xecure Lab with Jeremy; in the same year he presented research on malware family classification and clustering at DEFCON in the US, and in 2013 he presented "Lstudio: the backend of a cyber army revealed" at Black Hat in the US. In 2014 Xecure Lab was acquired by the US-listed Israeli company Verint, and he continues to lead a 30-person Taiwan team developing pioneering security products.

    Hsien-Te Huang (TonTon) is currently a software designer at Verint Systems Taiwan, working hard at levelling up, and is also a PhD candidate in the Department of Computer Science and Information Engineering (IKM Lab) at National Cheng Kung University. He received his master's degree from the Department of Information and Learning Technology (OASE Lab), National University of Tainan, in 2008; he was also a visiting doctoral student under the 2010 Taiwan-UK top university cooperation project and the 2012 Taiwan-INRIA bilateral exchange project. Before that he worked at the National Center for High-Performance Computing and at Acer eDC (安碁資訊). His current research interests are Android reverse engineering, malware behaviour analysis, data mining, type-2 fuzzy logic and ontology applications; in 2014 he shared his past research topic, Malware Analysis Network in Taiwan (MAN in Taiwan, http://MiT.TWMAN.ORG), at HITCON X and BoT 2014.

    Benson Wu

    Benson graduated from National Taiwan University with a PhD in Electrical Engineering and from National Chiao-Tung University with an MS in Computer Science. He holds ECSP, CEI, and CSSLP certifications. Benson has given talks at Blackhat, DEFCON, OWASP, HITCON, AVTokyo, and SyScan. He has also been the author of the government security guidelines on Web Security, Cloud Security, and Mobile Security in Taiwan since 2007.

    In the past ten years, Benson has served at Network Benchmarking Lab (NBL) as a testing engineer; at the Institute for Information Industry (III) as a software engineer; at the National Information and Communication Security Taskforce (NICST) as an associate researcher; and at Academia Sinica as a postdoctoral researcher. In early 2011, he co-founded Xecure Lab with Jeremy Chiu, launching the world's first DNA-reversing detection engine for malware analysis and offering a suite of APT solutions. In early 2014, Xecure Lab was acquired by Verint Systems. Benson now leads the team at Verint Systems (Taiwan).

    TonTon Huang

    TonTon Huang is currently a Software Developer at Verint Systems (Taiwan) Ltd. He is also a PhD candidate (IKM Lab.) in the Department of Computer Science and Information Engineering at National Cheng-Kung University (NCKU), Taiwan. He received his M.S. degree (OASE Lab.) from the Department of Information and Learning Technology (ILT) at the National University of Tainan (NUTN), Taiwan, in 2008. He was also a visiting PhD student under the research projects "2010 Initiative Research Cooperation among Top Universities between UK and Taiwan" and "2012 NSC-INRIA International Program - Associate Team (II)". In the past few years, he was a project assistant researcher at the National Center for High-Performance Computing (NCHC), Taiwan, and a senior security engineer at Acer e-Enabling Data Center (Acer eDC).

    His current major research interests include Android Reverse Engineering, Malware Behavioral Analysis, Data Mining, Type-2 Fuzzy Logic, and Ontology Applications. He was a speaker at HITCON X and BoT 2014, presenting the open source project "Malware Analysis Network in Taiwan (MAN in Taiwan, http://MiT.TWMAN.ORG)".

    Google's Android is currently the world's most popular smartphone operating system, and also one of the targets cybercriminals are keenest to attack. The two most common methods for analyzing Android today are 1) static analysis that decompiles the APK into Java or smali source code, and 2) dynamic analysis in a virtual environment/emulator. But they face two major challenges: 1) more and more obfuscation methods and packers, and 2) anti-sandbox techniques that avoid dynamic analysis in virtual or emulated environments. As a result, more time and more complex techniques are needed to extract useful information for analysis.

    Our talk will propose and demonstrate a new hybrid Android malware probing system that combines semantic static analysis, which handles packing and obfuscation, with dynamic analysis on physical development boards, which defeats anti-sandboxing. In our experiments this approach achieved a detection rate of up to 78% with an 11% false-positive rate.

    A Hybrid Malware Probing System for Android Applications (APKProbe)

    Google's Android is the world's most prevalent mobile operating system, and as such has become a target for cyber criminals seeking to exploit it as an attack vector. Today the security community typically uses two approaches in analyzing the security of an Android application: 1) static analysis of the Java source code obtained by decompiling the APK (Android application package); and/or 2) dynamic analysis of the running APK inside a virtualized environment. Unfortunately, these approaches are not always effective due to: 1) an increasing number of obfuscators (which scramble source code into unreadable form) and packers (which encrypt code to resist decompilation), and 2) anti-sandboxing techniques used by advanced malware to avoid being analyzed in a virtualized environment.

    In this talk, we present and demonstrate APKProbe, the first malware detection model (to our knowledge) tuned for analyzing Android applications, which combines semantic-based static analysis to overcome packers with physical machine-based dynamic analysis to circumvent anti-sandboxing techniques. Our proof-of-concept testing shows that such a hybrid approach yields acceptable results: a 78% detection rate with 11% false positives.

    Keywords: Android, Static Analysis, Dynamic Analysis

    R0
    Medical device security, critical infrastructure inside hospitals and abusing HL7 protocol
    Anirudh Duggal
    IN
    Philips Limited

    N/A

    Anirudh works with Philips Healthcare solutions as a senior software engineer and works on securing Medical devices and healthcare solutions.

    He has been a part of the Null community for the past 2 years and has spoken at CoCon 2013. He won Nullcon jailbreak 2013 and has found vulnerabilities in sites ranging from government and insurance to eCommerce. He also experiments with IoT devices for sustainable development and saving energy. He was a Microsoft Imagine Cup National finalist for embedded development under the sustainable development and ending extreme hunger and poverty themes.

    N/A

    Security in hospitals and medical devices

    Over the years we have seen much improvement in the space of cyber security in various industries like banking, entertainment and systems. However, the healthcare industry has far to go in terms of understanding the risks to its infrastructure and the scope for improvement in its security policy.

    Researchers have pointed out that security in hospitals remains 5 years behind other industries. Some of the factors responsible for this include:

    • Being unaware of the risks
    • Non-availability of skilled personnel
    • Emerging new technologies and threat vectors

    The talk will discuss the threats across a hospital architecture, the possible entry points, and the impact of a breach. It will also cover the devices used in healthcare and how they can be abused using the HL7 protocol.

    R1
    From Web Script Vulnerabilities to Remote Command Execution in Client Applications
    Gainover
    CN
    WooYun

    Gainover is a core white hat at WooYun and a member of the PKAV WEB security team, with nearly 10 years of JavaScript development and 5 years of web security research experience. He focuses mainly on the security of web applications, mostly XSS research but not limited to XSS. He has reported security issues many times to domestic and international companies including Tencent, Alibaba, Baidu, PayPal, eBay and Yahoo, receiving acknowledgements or rewards. He is also a researcher in basic biology, studying epigenetics in rice pollen development. He has always regarded security as a hobby; unfortunately it has now become his job.

    Gainover is a white hat core member of WooYun and a member of the PKAV WEB security team. He has nearly 10 years of experience in Javascript development and 5 years in WEB security research. His research interests mainly focus on the security of WEB applications, including but not limited to XSS. Domestic and international corporations including Tencent, Alibaba, Baidu, PayPal, eBay and Yahoo have acknowledged or rewarded his contributions in helping them discover vulnerabilities and other security issues. Gainover also devotes himself to basic biological research. His research direction is the epigenetics of the pollen development process in rice (Oryza sativa). He considers his efforts in WEB security a hobby, but now it has turned into his job.

    Some popular web script vulnerabilities such as cross-site scripting (XSS) are usually used to steal sensitive information such as a victim's cookies, but sometimes these seemingly low-impact web vulnerabilities can have much greater power. On one hand, as web front-end development has become popular, the interfaces of many client applications also use web front-end elements: HTML, JavaScript and Flash. On the other hand, Internet companies in mainland China all offer their users browser products of their own, and the extra features added to these products are often built with web pages as their interface. These applications provide a stage for escalating the impact of web script vulnerabilities. Through analysis of real vulnerability cases, this talk shares how web script vulnerabilities can be combined with design flaws in client software products to achieve remote command execution. The cases shared include vulnerabilities in mainland Chinese browser products (such as Tencent QQ Browser, Sogou Browser and Baidu Browser), remote command execution in Internet Explorer caused by design flaws in online banking controls, remote command execution in an email client, and remote command execution in Tencent QQ, the client software with the largest market share in China.

    N/A

    R2
    Confessions of geek - Hard Drive Secret Let Out
    Chang Dao Hung
    TW
    OSSLab

    OSSLab CIO / HITCON 2012 speaker

    Information security lecturer for the National Police Agency

    He does not dare call himself a data recovery or digital forensics expert; he is just a geek who loves putting electronic engineering theory into practice.

    CIO of OSSLab / Speaker at HITCON 2012

    Information security lecturer at Taiwan National Police Agency

    He humbly sees himself not as a data recovery “expert” in digital forensics, but only a passionate geek who puts Electronic Engineering theories into practice.

    Hard Drive Secrets Revealed

    What are the legendary data recovery techniques, and the NSA-developed EQUATIONDRUG firmware virus that even a format cannot remove, really about? Can we only learn about them by relying on expensive professional hardware? This talk takes you on a tour of hard drive secrets using the hard drive firmware tools developed by OSSLab.

    The legendary data recovery techniques, the notorious NSA-developed EQUATIONDRUG espionage firmware that even a format cannot wipe...what are these all about? Can we only rely on costly professional hardware and equipment to learn about the techniques? This talk will guide you through the untold secrets of hard drives with the firmware tools developed by OSSLab.

    R4
    Anti-Anti-Cheat: From Game Protection Mechanisms to Rootkit Techniques
    TDOHacker
    TW
    TDOHacker

    At HITCON 2013 a group of students who were disheartened and disappointed with Taiwan's information security learning environment, and envious of the good learning environments abroad, founded The Declaration of Hacker (TDOHacker), a student-centred security community, right at the venue, both to develop Taiwan's security scene and to have a better environment for learning security. TDOHacker is dedicated to promoting information security among students and on campuses: besides holding monthly regional security meetups where attendees can exchange ideas, it has also held workshops, attack-and-defence lectures and security awareness lectures at many schools. This year we also launched two projects, the "Wargame Open Practice Platform" and the "Open Learning Map Platform", aimed at providing students with more learning and practice resources.

    N/A

    Most games today rely on protection software from other companies for their own protection. This research analyzes that protection software, from Ring 3 protections to rootkit techniques, including defeating Ring 0 driver-level protection mechanisms; it organizes the principles and the corresponding bypass methods, explains them for the current Windows 7 32-bit system, and explores the secrets of low-level game protection. The research uses VMware 10 + WinDbg for two-machine kernel debugging

    N/A

    R0
    Adversaries hiding in your routers - APT malware Plead analysis and tracking
    Charles Li / Zha0
    TW
    TeamT5

    N/A

    Charles:

    Working Experience:

    • Trend Micro, Senior Engineer, 2012/07-2013/02
    • Team T5, Senior Researcher, 2013/03-Now

    Presentations: APT Fail - HITCON 2014

    Co-Speaker: Zha0

    Working Experience:

    • Trend Micro, Senior Engineer, 2012/06-2013/01
    • Team T5, Senior Researcher, 2013/02-Now

    Presentations:

    • Virus Evolution – HIT 2006 (Hacks in Taiwan)
    • Owned Kiosk – HIT 2010 (Hacks in Taiwan)
    • APT Fail - HITCON 2014

    N/A

    Abstract

    Plead is an advanced RAT written in shellcode. Though seldom discussed publicly, it has been used to target governments, think tanks, corporations, media, etc. in Taiwan for several years.

    In this talk, we will give a technical analysis of its functionality and reversion. We'll also show you how compromised devices are used by Plead as its C2 cloud to attack Taiwan. Finally we want to discuss the relationship between Plead and another notorious group, Taidoor, based on their overlapping C2 infrastructure.

    Agenda:

    • Introduction
    • Plead began
    • Plead analysis
    • Plead malware families
    • Phantom in routers
    • Conclusion

    R1
    Your Lightbulb Is Not Hacking You: Observation from a Honeypot Backed by Real Devices
    Philippe Lin
    TW
    Trend Micro

    Philippe Lin works at Trend Micro; his work covers data analysis, machine learning and future threat research, and he has also taken part in BIOS development for the Open Computing Project. In his spare time he likes tinkering with circuits and keeping cats. He is currently the maintainer of the Amis Moedict (阿美語萌典).

    Philippe Lin is a staff engineer in Trend Micro. He works in data analysis, machine learning, fast prototyping and threat research. He was a BIOS engineer in Open Computing Project. Active in open source communities, he is a hobbyist of Raspberry Pi / Arduino projects and the author of Moedict-Amis, an open source dictionary of an Austronesian language.

    N/A

    IoT devices are claimed to be vulnerable to massive attack. We tried to assess the status quo with two IoT honeypots in Taipei and Munich, backed by real devices like LIFX, Philips Hue, D-Link and Samsung IPCams, gaming consoles, WDCloud and SmartTV. After four months of observation, we conclude that IoT is somewhat "probed" but still far from being massively attacked.

    R2
    Hack Mobile Games For Fun
    Hung Chien-Wei
    TW
    N/A

    N/A

    I love anything that is useful to me or the world!!!

    As a programmer, I have written over 400,000 lines of C++ code on Windows for various purposes.

    As a security researcher, I am interested in analyzing anything useful, especially about games :) Currently working at Trend Micro; doing C&C and APT campaign researches.

    Games are without doubt the thing that the most people have come into contact with.

    Yet in a mobile game industry worth tens of billions of dollars a year, hardly any company has paid attention to security. Frantic licensing deals and rushed schedules have flooded the market with games showing little technical progress. Engineers are working overtime to the point of exhaustion; who is going to think about the security and improvement of the software itself?

    Today I will share how to easily add features, fix bugs, improve the UI and boost the performance of games downloaded from the store. It applies to single-player games and online games alike. After all, as network speeds increase, mobile games are the focus of the future. I hope this sincere and direct sharing gives the game industry an early warning to take software security seriously.

    Undoubtedly, playing games is one of the most popular forms of entertainment.

    The output value of mobile games reaches tens of billions of dollars every year. However, most companies have never noticed the security problems of their games so far. Indeed, most developers have been working overtime with all their strength on endless features and migrations; no one would like to mention the security issue.

    So now, I would like to share some easy ways to enhance a mobile game just downloaded from a store, which include adding features, fixing bugs, improving the UI, and even boosting the performance. It should work for most online and offline games.

    With the enhancement of network speed and stability, mobile games will become a focus sooner or later. I hope I can give an early alarm to game developers and players to think highly of mobile game security.

    R4
    Community Lightning Introduction
    Community
    TW
    Community

    N/A

    N/A

    N/A

    N/A

    R0
    A Dozen Years of Shellphish - from DEFCON to the Cyber Grand Challenge
    Yan Shoshitaishvili
    US
    Shellphish

    N/A

    Hacking since the age of eight, Yan Shoshitaishvili is fascinated by understanding and commandeering the computation and actions carried out by binary code. He is currently pursuing his PhD in the Seclab at UC Santa Barbara and is one of the hacking aces behind team Shellphish. In the little spare time he has left, he develops and releases computer security tools on the Internet.

    N/A

    Being a member of an awesome CTF team is a rewarding experience. CTF players push themselves, forgoing sleep for the promise of cracking a challenge and getting that flag. Between CTFs, they practice and work on tools and strategies. Friendships are forged on and off of the "battlefield".

    Shellphish is the oldest active CTF team in the world. We were there from the beginning of the sport (or, at least, almost the beginning). What's more, Shellphish is thriving -- we prepared for and coordinated in our successful qualification for this year's Defcon CTF and the DARPA Cyber Grand Challenge, with the qualifying events weeks apart. Aside from being the oldest team at DEFCON CTF, we are also one of only two CTF teams among the CGC finalists.

    We're not bragging, we're just extremely enthusiastic! In this talk, I'll discuss two topics: Shellphish itself, and our participation in the DARPA Cyber Grand Challenge.

    First, we'll start with our team "culture" -- what enables us to maintain such an enthusiasm, for such a wide variety of activities, for such a long time? How does Shellphish continue to exist and grow? How do we attract and train new members?

    Then, we'll move on to some of the interesting stuff our team does -- specifically, the main focus of the talk will be Shellphish's participation in the DARPA Cyber Grand Challenge. How does a ragtag group of hackers manage to qualify for such a complex, difficult competition? What pushed our team to do it? How did we organize the effort, integrate the right tools, and ensure success? We'll go through Shellphish's whole brainstorming, design, implementation, and competition process.

    After the talk, you'll understand the different components of the Cyber Reasoning System that we ended up with, what motivated us to design the system the way we did, how it works, and how it's applicable to CTFs in general. We hope to show that a group with the right focus and skills can succeed and have fun when participating in highly-competitive security challenges.

    R1
    Some things about LAN device detection (The identification for BYOD/IoT)
    Canaan Kao
    TW
    NTHU/Trend

    Canaan entered the network intrusion detection system industry in 2001 and is currently a doctoral candidate and a member of the antivirus industry. He organized the Workshop on Understanding Botnets of Taiwan (BoT) in 2009, 2010, 2012, 2013 and 2014 and gave related talks there. Last year he also shared his recent research at HITCON 2014 PLG. His main research interests are network security, intrusion detection systems, reverse engineering, malware detection and embedded systems.

    Canaan has been in the network intrusion detection system (IDS) industry since 2001, and is currently a doctoral candidate and a member of the antivirus industry.

    He was the organizer and a speaker at the Workshop on Understanding Botnets of Taiwan (BoT) in 2009, 2010, 2012, 2013, and 2014. Last year, he shared some of his recent research at HITCON 2014 PLG. His main research interests lie in the fields of network security, intrusion detection systems, reverse engineering, malware detection, and embedded systems.

    Some things about LAN device detection

    In the past we were used to putting the main effort of network intrusion detection at the firewall/gateway, but times have changed: the threats that BYOD/IoT bring to the LAN side are not necessarily noticed by the firewall/gateway. Controlling devices on the LAN side will therefore become a necessity, and before devices can be controlled they must first be identified. This talk will share the methods currently available for identifying network devices and the feasibility of each.

    N/A

    R2
    An Anti-Mitigation Exploit Generation Integrating with Metasploit Framework
    Vince Chen
    TW
    NCTU

    N/A

    Vince Chen just graduated from the NCTU SQLab, and he is going to be a software engineer at Mediatek. His current research covers software attack and defence techniques and exploit toolchains. Vince was also a Microsoft intern last year. He enjoys sharing new technology and developing new services.

    N/A

    Due to software quality issues, recent attacks on various systems are getting serious, and software security has therefore become an important research topic. Attacks on software vulnerabilities not only endanger the information infrastructure but also impact human safety. To improve the overall robustness of a system, we need a penetration test system to audit related systems. We have proposed the concept of an exploit toolchain to automate the whole process of fuzzing, exploitation, and post-exploitation, integrated with the Metasploit Framework.

    For the exploitation process, we must be able to bypass the recent protections and mitigations of the operating system, for example ASLR (Address space layout randomization) and DEP (Data Execution Prevention). We have enhanced the ROP (Return-oriented programming) technique to bypass ASLR and DEP protections by searching gadgets with larger sizes.

    R4
    Android App Reverse Engineering and Signing Techniques
    HST
    TW
    HST

    Hack.Stuff is an information security community dedicated to building a good atmosphere for discussion~

    We learn on our own, take part in major CTFs and follow information security. We have no age limit and no boundaries between fields. Our aim is that nobody is lonely in their field of learning, nobody goes astray, and nobody feels constrained!

    Since last year we have made some changes! Externally, we hold technical sharing sessions and invite friends interested in learning information security to share with everyone. Internally, weekly meetups let members share their recent progress, study new techniques and build camaraderie, and we have held several hackathons to raise the technical skills of all team members.

    In the future, we hope you will join us so that the security community can grow and learn together~

    N/A

    Android App Reverse Engineering and Signing Techniques

    A simple introduction to reversing apps and the security verification techniques that need to be considered. It starts from the most basic Android architecture and explains how Android executes internally, then moves on to the security mechanisms Google added to Android. It will not go into overly deep technical content; the hope is that beginners can understand it after hearing it once, and that newcomers can see that our big HST family is a happy learning community that keeps improving its security skills.

    N/A

    R0
    R0-Lightning Talk

    N/A

    N/A

    N/A

    N/A

    R1
    Microsoft Edge MemGC Internals
    Henry Li
    CN
    TrendMicro

    N/A

    I am a security researcher in the Trend Micro CDC zero-day discovery team. I have 4 years of experience in vulnerability and exploit research. My research interests are browser 0-day vulnerability analysis, discovery and exploitation.

    N/A

    In 2014, Microsoft introduced two new exploit mitigations called Isolated Heap and MemoryProtection. These mitigations greatly increase the difficulty of exploiting use-after-free (UAF) vulnerabilities, but there are still many ways to bypass them when the pointer to the freed block does not remain on the stack.

    In order to completely prevent the exploitation of UAF vulnerabilities, the Microsoft Edge browser introduced a new memory manager called MemGC. MemGC uses a mark-and-sweep algorithm for memory management.

    In this presentation, the first part will sketch the MemGC internals by discussing its data structures and its allocate, free, mark and sweep operations. The second part will discuss why MemGC can effectively prevent UAF exploitation. The third part will discuss some weaknesses of MemGC.

    R2
    Let's Play Hide and Seek In the Cloud - The APT Malware Favored in Cloud Services
    沈祈恩 (Ashley Shen) / 賴婕芳 (Belinda Lai)
    TW
    Team T5

    N/A

    沈祈恩 Chi En Shen

    Chi En Shen (Ashley) is a security researcher at Team T5 Inc. Team T5 monitors, analyzes, and tracks cyber threats throughout the Asia Pacific region. Her major areas of research include malicious documents, malware analysis and Advanced Persistent Threats (APT). During her MSc, she designed and implemented a flexible framework for malicious Office Open XML documents to detect APT attacks. She is also a core member and speaker of HITCON GIRLS, the first security community for women in Taiwan.

    賴婕芳

    Security Engineer, assisting organizations in handling information security incidents. My daily job is analyzing malware and trying to find details in it. I have worked in the information security industry for 2 years. A member of HITCON GIRLS (The Hacks in Taiwan Conference for women).

    N/A

    Defending against Advanced Persistent Threat (APT) attacks has become a blooming topic in recent years. Organizations, enterprises, and especially governments have all been designated targets of APT attacks. Since APT attacks are well crafted with advanced tactics, potential targets of APT attacks should understand how to detect, prevent, and respond to these cyber attacks.

    A newfangled trend that has been affecting people's lives is cloud service technology. Almost everybody enjoys the cost-efficient and convenient features of cloud services. Yes, almost everybody, including actors. Hackers love cloud services just as much as you do, and probably even more so. When sophisticated hackers recognize the benefits of cloud services for their attack infrastructure, a second front is opened.

    In this talk, we will present APT malware which leverages several cloud services (including numerous blog services provided by multiple platforms, and cloud storage services such as Dropbox, Google Drive, Cloudme, etc.) as its attack infrastructure. We will introduce our analysis of the malware and explain how actors perform their attacks through the cloud. Additionally, we will explain the advantages cloud services bring to malware and how to respond to these threats. Furthermore, we will also uncover potential targets of these trojans, which might be a bigger concern to the audience.

    Please move to another conference room