HITCON General Coordinator TT
HITCON Team
Maarten Van Horenbeeck is Director of Security at Fastly, a Content Distribution Network that speeds up web properties around the world. He is also a Board member, and former Chairman, of the Forum of Incident Response and Security Teams (FIRST), the largest association of security teams, counting 300 members in over 70 countries. Prior to his work at Fastly, Maarten managed the Threat Intelligence team at Amazon, and helped coordinate security issues on the security teams at Google and Microsoft. Maarten has a master's degree in Information Security from Edith Cowan University, and is currently pursuing a passion in public policy through a master's degree in International Relations. When not working, he enjoys backpacking, sailing and collecting first edition travel literature. You can follow him on Twitter @maartenvhb.
Security incidents sometimes seem unavoidable. We read about the compromise of personal or corporate data in the news on what appears to be a daily basis. In this talk, we will cover how the state of incident response, or dealing with these types of major incidents, has changed. It will take a look back at how major incidents affect us as netizens, starting with the Morris Worm, looking at Stuxnet, the DigiNotar compromise, and the major Distributed Denial of Service attacks of 2014-2015, and explore how each of those thoroughly changed the way we approach security. These incidents will show that the response to an incident really isn't just an engineering problem: at times it can be a science, and an art as well. This talk will show what it takes to protect "the internet", and how a league of defenders across the world is stepping up to give all it takes to win. By looking at the big picture, the presentation will identify key things organizations can do better to protect themselves and their customers.
George previously worked for SpaceX, Google, and Facebook. He was the first person to unlock the iPhone, and discovered a way to access the PS3 hypervisor by shorting a memory chip to ground. Recently, he won Google's Pwnium competition by achieving persistent root on the Chromebook and has been part of the winning team at DEFCON for two years running. In his spare time, George raps and plays capture the flag competitions under the name tomcr00se.
Having won 2 Pwn2Owns and a couple of CTFs, I stopped hacking partially because of frustration with the tools. Why are we still using GDB? Why is IDA the gold standard for static analysis, when really it's objdump with a few graphs? Even Hex-Rays: why is C the best way to view a program? I'll talk about my adventures with Project Zero, and my attempt to start addressing this problem with QIRA. And I'll suggest directions for future development, in the hope that future generations will have a more pleasant binary exploitation experience.
Special Invitation
Every year, South Korea suffers numerous cyber attacks; a small number of those aimed at critical infrastructure such as government, media, power plants, and banks are suspected to have been launched by North Korea. This year's hacking of Sony Pictures Entertainment (SPE) in the United States led President Obama to point directly at North Korea as the culprit. Is North Korea really the mastermind behind these attacks, and what are its motives?
The speaker leads the KrCERT/CC incident response team under KISA, South Korea's national internet security agency, which handles close to a thousand cyber security incidents in South Korea each year. Drawing on first-hand data, this talk dissects North Korea's existing cyber military organization and attack techniques, lifting the veil on North Korea's cyber military system.
John Bambenek is a Senior Threat Analyst on the Threat Research Team at Fidelis Cybersecurity. He is also an adjunct faculty member in the Department of Computer Science at the University of Illinois at Urbana-Champaign, where he has taught courses and run a research lab focused on computer security for the last 3 years.
He has over 16 years' experience in information security, focusing on threat research, cybercriminal investigations, and tracking of malicious attacks. He has conducted investigations and research for major incidents all over the world. He graduated from the University of Illinois with a Bachelor's degree in theoretical astrophysics with a specialization in extragalactic astronomy.
He began his career working at Ernst & Young consulting with major US-based Fortune 50 firms on cyber security issues. He later spent 6 years as a researcher at the University of Illinois conducting research on emerging threats and botnets. He owned his own firm, Bambenek Consulting, which specialized in threat research, forensics and cybercriminal investigations.
He has published two books, several information security certification courses and many articles highlighting his research in the field. He has spoken at conferences around the world on cyber security issues and on cybercrime and once appeared on the Daily Show with Jon Stewart.
He currently specializes in tracking the infrastructure of criminal networks and publishes several threat feeds that track over two dozen threats in near real time, monitoring over 750,000 different domains. He runs over half a dozen private security working groups dedicated to investigating emerging and significant criminal threats attacking institutions around the world. He was part of the successful Operation Tovar that took down Gameover Zeus and Cryptolocker, leading to the indictment of the individual behind that threat. The working group consisted of over 14 different global law enforcement agencies and 150 private sector partners.
Many people talk about security threats, but few actually put protective measures into practice. Most malware communicates with its attackers via DNS or Domain Generation Algorithms (DGAs). Through reverse engineering, tracking attackers in near real time becomes possible.
John Bambenek, President and Chief Analyst of Bambenek Consulting, has 15 years of hands-on security experience; he will give an in-depth analysis of how to track attackers in the way described above, and of the counter-tracking techniques involved.
Shuang Zhao (DFlower) is a member of the Insight-Labs Team. He has many years of experience in network security, including vulnerability mining, malware detection, mobile security, etc. He has developed two malware analysis sandboxes, for Windows and Android. He is one of the authors of the book "0day Security: The Techniques of Software Vulnerability Analysis (2nd Edition)". He has spoken at OWASP China 2010 and XCon 2011.
Xiapu Luo is a research assistant professor in the Department of Computing, the Hong Kong Polytechnic University. He has been working on information security for more than 10 years and published a number of papers in top security conferences. His current research interests include Android security and privacy, Network and System Security, Internet Measurement, and Mobile Networks.
Location Based Services (LBS) are commonly used by mobile apps to implement features such as "nearby friends". Malicious attackers can mine this data in various ways and then track the actual physical locations of specific users in real time.
Speaker Shuang Zhao will use popular messaging apps such as WeChat and Sina Weibo as real-world examples, demonstrating how the real-time geographic coordinates of users across Beijing, and even of public figures, can be detected.
Works at Tencent Xuanwu Lab, with 5 years of security research experience.
Focuses mainly on browser security and vulnerability discovery research; has independently discovered multiple browser vulnerabilities and reported them to the vendors.
Research on advanced exploit techniques, and on APT-related attack and defense techniques.
Speaking experience: speaker at HITCON 2014 and the China Internet Security Conference 2014, presenter at XKungFoo 2013.
Chinese security researcher Song Kai analyzes, with concrete examples, the updates to the vulnerability mitigation mechanisms in the Spartan rendering engine, and uses a 0day vulnerability as a case study to explore their impact on security and the security issues that may remain.
The talk will also cover techniques, approaches, and implementation methods for exploit development.
Michael Smith serves as Akamai’s APJ Chief Technology Officer for Security and is responsible for supporting sales, professional services, operations, product management, and marketing across all of the Akamai security solutions portfolio.
Previously, Mr. Smith was the Founder and Director of Akamai's Customer Security Incident Response Team, responsible for leading a team of web security incident responders and researchers who study the tactics, techniques, and procedures of web attackers and apply that knowledge to help protect Akamai customers during events such as site defacements, data breaches, and distributed denial of service attacks.
Prior to CSIRT, Mr. Smith served as Akamai's Security Evangelist and as the customer-facing ambassador for the Information Security Team, helping customers to understand both the internal security program and the unique security features and capabilities of the Akamai product portfolio and cloud-based solutions.
As security awareness has risen in recent years, more and more security information providers have emerged, and the security intelligence they offer has become increasingly diverse. But which intelligence actually addresses the core of the problem, and which of it is genuinely valuable?
One popular answer is Cyber Threat Intelligence (CTI; not to be confused with CTF).
Cyber threat intelligence applies intelligence tradecraft to handling security incidents: collecting and analyzing data, distilling the attackers' techniques, and formulating strategies to counter the adversary. A Threat Intelligence Program, in turn, is the process and plan by which an enterprise adopts CTI.
Akamai, the world's largest content delivery network (CDN) provider, will use real-world case analyses to explain how to judge and weigh the quality of intelligence, and choose the best response strategy, when faced with a flood of security intelligence.
Alfred has been at Palo Alto Networks for over 8 years and brings a strong track record in network security product management. Alfred is currently responsible for the entire hardware product line, threat prevention, and content filtering. Before Palo Alto Networks, Alfred was a Senior Global Product Manager at Trend Micro, where he was responsible for the Network VirusWall product line and all hardware products. Prior to Trend Micro, he was one of the first Product Managers at Fortinet.
Palo Alto Networks will analyze the data samples collected over the past year by Palo Alto Networks' own threat intelligence cloud service and share the findings with attendees; it will also report on the results of the recent investigation by Palo Alto Networks' Unit 42 team into the OPERATION LOTUS BLOSSOM attack campaign.
Sr. Technical Staff Member
IBM Master Inventor
Chief Architect, Infrastructure Security, IBM Security
As a subject matter expert in application and network security, Ron has designed and developed application and network security products and global web security architecture for the Global 100. Ron holds patents, and has patents pending, that address authentication, authorization, audit, web application security, and network intrusion detection and protection.
With over 25 years' experience in information technology, software development, and security architecture, Ron has focused on identifying optimal solutions to system problems, both human and digital. He has a track record of providing innovative products and solutions in the healthcare, finance, and retail market segments by focusing on the achievement of defined objectives in the simplest way possible.
Achievements:
- Successful development and market launch of security focused software products.
- Solution and deployment architectures for global enterprises in Finance, Healthcare, Retail, and the Military.
- Fast assessment of organization effectiveness against defined organizational and/or project objectives.
Ron is currently the Chief Architect, Infrastructure Security, IBM Security, and Principal Architect of the X-Force Exchange, a network threat intelligence portal and sharing platform. Ron leads a global engineering team to deliver customer-focused value through innovative implementation and agile development practices.
Chenta is a lead security engineer with IBM Security Systems. Chenta has designed and developed the leading network security solution in IBM. His expertise includes emerging cloud technologies, with 7 years of experience in cloud security products, as well as software-defined networking, virtualization and advanced threat protection. He also has several patents filed in those areas. Chenta is now working on IBM Security Network Protection and currently focuses on network security in the cloud.
Faced with rapidly changing security threats, how can government and business organizations respond quickly and effectively? How can cyber threat intelligence be exchanged through a common information platform? And when confronting large competitors or state-sponsored cyber security threats, how can intelligence sharing be used to respond effectively? Ron Williams, IBM Global Chief Architect, has 25 years of experience in software development and security architecture; drawing on more than 15 years of IBM's network security research, he will discuss how enterprises can make effective use of security intelligence sharing to combat cyber threats.
He is a senior malware scientist at Trend Micro, researching various one-to-many detection methodologies such as an autonomous malware campaign analysis system using machine learning. He previously worked for Kaspersky, FireEye, Symantec, and Sophos. He also created a critical security system for banking malware at one of the top Australian banks while battling many core banking threats.
Most financial institutions currently rely on web page integrity checks to defend against malware attacks. However, many non-DOM-injection attack forms, such as replay attacks, polymorphism, randomized injection, and DOM-stealth rootkits, are on the rise.
Trend Micro senior malware analyst Sean Park will reveal more of his headline Black Hat USA 2015 talk at this year's HITCON Enterprise, analyzing the security of financial data transmission and defenses against the related emerging malware.
Research Director at Verint Systems Taiwan (台灣威瑞特系統科技); previously served in public posts at the Criminal Investigation Bureau's Technology Crime Prevention Center, the National Police Agency's Information Office, and the Computing Centre of Academia Sinica. Specializes in malware analysis, software reverse engineering, vulnerability analysis, software development, and digital forensic investigation.
Was interested in malware research as a student; after graduating, first joined a systems manufacturer to learn firmware development, then returned to that original interest to continue research. Currently works at Verint Systems Taiwan (台灣威瑞特系統科技), responsible for malware analysis and software development, and likes to solve problems with C++ and Python.
We will present a new, sophisticated APT malware group that leverages Google Drive as its data warehouse and takes advantage of OAuth to hide the login procedure. Besides that, we will also reveal the lessons learned in knowing our enemy, based on a decade of incident response and investigation of Enfal APT operations. These lessons have helped government officials to assure the national interest and plan a long-term strategy for defending against cyber-espionage.
Shin Adachi has been working on information system security, design, and administration globally, including in the United States, Japan, and Europe. He currently chairs the Education Committee and is a Program Committee member of FIRST, the Forum of Incident Response and Security Teams, a global consortium for computer security incident responders. He represents NTT-CERT in the Americas. He is a member of the Threat Landscape Stakeholders Group and the CERT Expert Group for ENISA, the European Union Agency for Network and Information Security. He has contributed to globally recognized initiatives including NIST SP 500-291, NIST SP 500-293, the Asia PKI Innovation Award as chief reviewer, the Liberty Alliance Project, the Kantara Initiative, ITU-T (Security and IdM for Next Generation Networks), and APEC TEL eSecurity. He is a Certified Information Systems Security Professional (CISSP), a Certified Information Security Manager (CISM), a Certified Information Systems Auditor (CISA), and a certified Project Management Professional (PMP).
Now we keep hearing of a variety of different cyber security incidents every day, no matter where we are. However, wouldn't you be surprised if many of them could have been smaller incidents rather than the crises or disasters reported by the press, which can result in huge loss of profits, reputation, customers, decision makers, and, in the worst case, the company itself? You may wonder why we keep hearing about similar attacks and breaches every day, although many vendors, small or large, keep shipping new products into the markets, claiming to implement "advanced", "next generation" features. Why might such "new", "advanced", "next generation" features and technologies not be protecting you as much as you expected?
This presentation shows what could have been done to keep a small incident from becoming disastrous. During the presentation, real incidents the speaker has been involved with may be shown as examples to help the audience understand the background and why they resulted in a crisis, a disaster, or a big incident, from an incident responder's viewpoint. It will also cover why a security product by itself may not be able to help you protect your information resources, and how to fill the gap between the product's features and "your" specific network and systems in which such products are implemented, from different viewpoints such as network design, mobile computing, organizational culture, natural disasters, and the Internet of Things (IoT). It will then highlight what system administrators, network administrators, computer security incident responders, and other stakeholders need to look at and not overlook.
Philippe Lin is a staff engineer in Trend Micro. He works in data analysis, machine learning, fast prototyping and threat research. He was a BIOS engineer in Open Computing Project. Active in open source communities, he is a hobbyist of Raspberry Pi / Arduino projects and the author of Moedict-Amis, an open source dictionary of an Austronesian language.
Philippe Lin works at Trend Micro, where his work covers data analysis, machine learning, and future threat research; he has also taken part in BIOS development for the Open Computing Project. In his spare time he enjoys tinkering with circuits and keeping cats. He is currently a maintainer of Moedict-Amis (阿美語萌典).
Stephen Hilt has been in Information Security and Industrial Control Systems (ICS) Security for around 10 years. With a Bachelor's Degree from Southern Illinois University, he started working for a large power utility in the South East of the United States. There Stephen gained an extensive background in Security Network Engineering, Incident Response, Forensics, Assessments and Penetration Testing. That is where Stephen started focusing on ICS Assessments, before moving on to work as an ICS Security Consultant and Researcher for one of the foremost ICS Security Consulting groups in the world. In 2014, Stephen was named by Dark Reading as having one of the coolest hacks for his PLCPwn, a weaponized PLC. He has also published numerous ICS-specific Nmap scripts to identify ICS protocols via native commands. Stephen is now at Trend Micro as a Senior Threat Researcher, continuing ICS research and diving into other areas of research. Over the past 10 years, Stephen has learned how to build, defend and attack ICS networks.
BACnet is an ANSI/ISO protocol for building automation and control systems, used for applications such as heating, ventilation and air-conditioning control, lighting control, etc. (Wikipedia). In this talk, we will demonstrate how to use Shodan to find BACnet devices exposed on the Internet, and to retrieve and analyze information from them. We will also discuss the possible security impacts, taking subsidized installations in Taiwanese schools as an example.
As of July 29, we had found 48 BACnet devices, 59 Ethernet/IP devices and 23 Moxa NPort devices in Taiwan. At least 14 of the devices are prone to unauthorized browsing and/or changes.
Outline:
* Brief introduction to ICS and SCADA
* List of common protocols used by ICS
* Introduction to BACnet
* BACnet mapped on Shodan
* A closer look at TW devices
* Demo: Retrieve information from a chosen device
* Security impacts
* Read-only? Not necessarily. A case study in a TW factory.
* Subsidized projects: massive installation in incautious hands
* Conclusion
Master's student at the Graduate Institute of Electrical Engineering, National Taiwan University; research topic is the security analysis of hardware implementations of cryptographic systems.
PhD graduate of the Graduate Institute of Communication Engineering, National Taiwan University; interested in the design of passive wireless communication components, microwave engineering, and hardware measurement and analysis.
Beyond the security of its algorithms, a cryptographic device operating in a physical environment must also take the possibility of physical attacks into account. Traditional physical attacks, however, usually require invading or destroying the cryptographic device; although effective, these methods need expensive equipment and are time-consuming, which limits their efficiency. In 1998, Paul Kocher and colleagues proposed Differential Power Analysis (DPA), opening a new field of cryptanalysis; this class of attacks is collectively known as Side Channel Attacks (SCA). The attacker measures information leaked while the cryptographic device operates, such as execution time, power consumption, electromagnetic emanations, or even the sound the device emits, and then recovers the key by analyzing the collected data. Because SCA is effective, requires no expensive equipment, and keeps analysis time within a reasonable range, it poses a serious threat to the security of secure devices. In recent years, many researchers have proposed a variety of related attacks as well as countermeasures against SCA. Consequently, even a device with an excellent encryption algorithm remains insecure if SCA protection has not been considered. Advances in information technology over the past decade or more have led many fields to adopt security chips in large numbers, e.g. IC bank cards, electronic passports, EasyCard transit cards, and military equipment. Meanwhile, the currently very popular Internet of Things (IoT) has become the trend of the future. In this wave, tens of thousands of products will be fitted with chips and connected over the network, so product security will receive ever more attention, and resistance to SCA has become an important factor that must be considered when chips are embedded in IoT products.
We have built a platform for carrying out power analysis attacks, using a smart card and an FPGA that perform AES encryption as the targets. We will first introduce the theoretical basis of power analysis attacks, then demonstrate how to use Correlation Power Analysis (CPA), and finally show by video how we recover the AES-128 key. This demonstration will help IoT vendors and related organizations understand that, when a product has not been designed with SCA in mind, this type of attack can put IoT devices at risk.
Research assistant in the Department of Computing at the Hong Kong Polytechnic University. His research focuses on Android security, including both the underlying system and apps. He has 6 years' experience in reverse engineering and system security.
Xiapu Luo is a research assistant professor in the Department of Computing, the Hong Kong Polytechnic University. He has been working on information security for more than 10 years and published a number of papers in top security conferences. His current research interests include Android security and privacy, Network and System Security, Internet Measurement, and Mobile Networks.
Currently a Master of Science student in the Department of Computing at the Hong Kong Polytechnic University. His research is mainly on Android application security.
The rapid growth of the mobile app economy provides lucrative and profitable targets for hackers. Among OWASP's top ten mobile risks for 2014, the lack of binary protections makes it easy to reverse, modify, and repackage Android apps. Recently, a number of packing services have been proposed to protect Android apps by hiding the original executable file (i.e., the dex file). However, little is known about their effectiveness and efficiency. In this paper, we perform the first systematic investigation of such services by focusing on the question: can the original dex file in a packed app be recovered? If yes, how?
In our investigation of six popular packing services, we not only reveal their techniques and evaluate their effects, but also propose and develop a novel system, named DexHunter, to extract dex files from apps protected by these services. To the best of our knowledge, DexHunter is the first unpacking system that supports both the new Android Runtime (ART) and the Dalvik virtual machine (DVM). The experimental results based on real packed apps demonstrate that DexHunter can extract dex files from packed apps effectively and efficiently. This research reveals important issues in existing Android packing services and sheds light on future research on Android app protection.
Financial IT and IT Risk Management Expert, working at a Major Bank (10 years),
Research work at the institute of financial information systems (2 years),
Author of a Security Guideline, and APT Report,
IT development work at property and casualty insurance(6 years),
Freelance lector and writer since 2000,
AVTOKYO Speaker (2009, 2010, 2011, 2013.5),
HITCON Speaker (2012, 2013),
Author of "Introduction of Information Security";
textbook for colleges/universities (27,000 copies so far),
Regular writer for "Hacker Japan Magazine" (4 years),
Regular writer for Web Magazine "Scan NetSecurity"
In Japan, two insurance companies started to sell Cyber Insurance.
Rapid growth is expected in Western countries, including the U.S., but that has not been the case in Japan. First, I'll explain what is necessary for cyber insurance to cover a company's losses. Then, I'll describe the situation in Japan and analyze the fundamental problems that have been preventing its growth.
1. Basics of insurance
2. Exploring the marketability of
3. Cyber Insurance in Japan
4. What I want to say at the end
Chi En Shen (Ashley) is a security researcher at Team T5 Inc., which monitors, analyzes, and tracks cyber threats throughout the Asia Pacific region. Her major areas of research include malicious documents, malware analysis and Advanced Persistent Threats (APT). During her MSc, she designed and implemented a flexible framework for detecting malicious Open XML documents used in APT attacks. She is also a core member and speaker of HITCON GIRLS, the first security community for girls in Taiwan.
Security Engineer, assisting organizations in handling information security incidents. My daily job is analyzing malware and trying to find out who they are. I have worked in the information security industry for 2 years, and am also a member of HITCON GIRLS (the Hacks in Taiwan Conference for GIRLS).
Defending against Advanced Persistent Threat (APT) attacks has become a blooming topic in recent years. Organizations, enterprises, and especially governments have all been designated targets of APT attacks. Since APT attacks are well crafted with advanced tactics, potential targets of APT attacks should understand how to detect, prevent, and respond to these cyber attacks. A newfangled trend that has been affecting people's lives is cloud service technology. Almost everybody enjoys the cost-efficient and convenient features of cloud services. Yes, almost everybody, including actors. Hackers love cloud services just as much as you do, and probably even more so. When sophisticated hackers recognize the benefits of cloud services for their attack infrastructure, a second front is opened. In this talk, we will present APT malware that leverages several cloud services (including numerous blog services provided by multiple platforms, and cloud storage services such as Dropbox, Google Drive, Cloudme, etc.) as its attack infrastructure. We will introduce our analysis of the malware and explain how the actors perform their attacks through the cloud. Additionally, we will explain the advantages cloud services bring to malware and how to respond to these threats. Furthermore, we will also uncover potential targets of these trojans, which might be a bigger concern to the audience.
Cyber Migrant
Undercover Economist
It is widely known that the advent of the Internet has accelerated the speed of globalization. However, when we look into cyber criminal cases, we find that the actors divide the work and cooperate with one another using the Internet, successfully developing a globalized group with a localized business model. Focusing on the movement of the information acquired by the actors, we have gained a good understanding of the whole picture: the actors' interests and motivation, the movement of resources, and monetization. These findings provide insight into the precautions we can take to fight against possible cyber criminal attacks.
Lawyer in private practice and researcher of information security; Lecturer at Utsunomiya University, Faculty of Engineering; President of KK IT Research Art; specializes in the law of information security and e-commerce.
The history of information security can be explained by analogy with Star Wars. The term "hacker" was originally a respectful word for an excellent technical person. It is the same as "Jedi", which can be used both for a light-side person and for a dark-side person, known as a Sith. (Ep1) Just as the Jedi have to remember the stories of the Sith as their bad example, security experts have to learn from security cases caused by hackers' curiosity. Especially, the Mr. Office case (2003), the presentation of an intrusion technique at a hacker conference, may be an impressive example of self-assertive hacker power. (Ep2) As the clone troopers changed the battle scene of Star Wars, botnets changed the scene of information security: DDoS in Estonia (2007), Korea & US (2009). (Ep3) The State had come to be neglected on the Internet. However, the State is "returning" to an important role in thinking about international rules for cyberspace. Then the balance between privacy and security is the hottest topic on the Internet.
HITCON advisor and CTO of Verint Systems Taiwan (台灣威瑞特), a security technology research expert with over 15 years of experience. From HITCON in Taiwan to Black Hat in the US, he frequently presents research at major hacker conferences at home and abroad, and is known for conveying security knowledge through witty, lively talks. He is also a well-known entrepreneur in Taiwan's security community: both companies he has founded since 2005 were fortunate enough to be acquired outright by foreign firms. In 2011 he founded Xecure Lab, Taiwan's first company dedicated to developing APT defense products; its technology was strong enough that by 2012 major international vendors were repeatedly trying to buy it, and since its acquisition by a US-listed technology company in 2014 he has focused on analyzing hacker activity and developing automated analysis systems.
Drawing on years of observing the ecosystem of Taiwan's security community, this talk discusses the security defense problems facing enterprises and government agencies. Security vendors have always exaggerated the curative powers of their remedies, sometimes with outright absurd sales talk, which has led many enterprises to wrong ideas and misdirected investments in defense. Through several real-world cases of APT intrusions, this talk will reflect, from a forensics and investigation perspective, on how enterprises should confront security problems, and will explain, from the hacker's perspective, the correct model for Incident Response.
MJ0011 is a senior security researcher with ten years of experience in the Windows kernel and security vulnerability fields, and has spoken at security conferences including XCON, HITCON and PoC. At Qihoo 360 he heads the Core Security Technology Department and the 360Vulcan Team security team. 360Vulcan Team is 360's internal security team for advanced vulnerability attack and defense research; at this year's CanSecWest it successfully compromised the IE target in the Pwn2Own 2015 contest.
pgboy is a senior security researcher in the Windows kernel and vulnerability fields and a member of the Qihoo 360Vulcan Team. In the Pwn2Own 2015 contest he was responsible for researching sandbox-bypass techniques.
In April this year, FireEye disclosed the "Russian Doll" operation, in which the APT28 group used the win32k kernel 0day CVE-2015-1701 against the United States; then in May, Kaspersky disclosed Duqu2, an APT operation against Kaspersky Lab itself, which also used a win32k kernel 0day, CVE-2015-2360. Our analysis found that these two 0day vulnerabilities, which compromised the two great powers Russia and the US respectively, are strikingly similar: both exploit almost the same class of execution-sequence security problem in Windows kernel windows, with the latter merely having a more complex exploitation process. In this talk, we will share our analysis of the essential nature of the execution-sequence problems behind these two vulnerabilities, including an introduction to the relevant Win32k kernel window management internals, and we will also describe the exploitation techniques corresponding to these vulnerabilities. In addition, we will disclose another similar, then-unpatched, reliably exploitable Win32k 0day that we discovered while analyzing these two vulnerabilities. We reported it to Microsoft, which fixed it on this year's July patch day, so we will also describe the root cause of that vulnerability and the special exploitation techniques that apply to it.
He is a PhD student at UCSB (University of California, Santa Barbara), working under the supervision of professors Christopher Kruegel and Giovanni Vigna in the Computer Security Group (seclab).
He earned a Bachelor's and a Master's degree in Computer Engineering at Politecnico di Milano, and a Master's degree in Computer Science at the University of Illinois at Chicago.
He has worked on different projects about mobile security and is also very interested in anything related to reverse engineering and low-level binary analysis.
He has played in many different CTF security competitions as a member of the Shellphish hacking group, qualifying multiple times for the DEFCON CTF and, recently, for the DARPA Cyber Grand Challenge.
Shellphish started at UC Santa Barbara as the SecLab hacking team. As members graduated and moved, the team expanded to include other locations such as Boston/Massachusetts, Alpes-Maritimes/France, London/United Kingdom and other exotic locations. The team enjoys surfing, walks on the beach and pwning n00bs. Shellphish has participated in more Defcon CTF editions than any other team. Recently, Shellphish qualified for the final phase of the DARPA Cyber Grand Challenge (CGC), a hacking competition whose goal is to develop a "Cyber Reasoning System" to automatically identify, exploit, and fix security vulnerabilities in binary programs. In this talk, we will provide details about the CGC and the Cyber Reasoning System built by Shellphish.
Brandon Dixon is the lead developer and co-founder of PassiveTotal. His primary research involves data analysis, tool development and devising strategies to counter threats earlier in their decision cycle. Throughout the years, Brandon has developed several public tools, most notably PassiveTotal, PDF X-Ray and HyperTotal. His research and development on various security topics has gained accolades from many major security vendors and peers in the industry.
Steve Ginty is co-founder of PassiveTotal, an analyst-focused threat infrastructure analysis platform, and has over 9 years of experience in the IT security industry. Steve has spent the past 5 years researching targeted intrusions, most recently leading a team of researchers implementing proactive methodologies to track malware and threat infrastructure associated with attack activity. Steve's primary areas of research include threat infrastructure analysis and threat data visualization.
Having a good set of historical data is like having a time machine. As threat researchers, passive/active DNS provides us with a map of an attacker's infrastructure behaviors and history. Unfortunately, this data set is static, lacking context, additional enrichment data and the ability to persist analysis to guide analyst assessments. In the early days of threat infrastructure analysis, we simply displayed passive DNS results inside of an HTML table. While smaller sets of data were easy to analyze, as resolutions grew, so did the complexity of the data and the effort needed to properly analyze it. This can lead to mistakes being made, missed changes, and failure to really understand the data set due to the quantity of data presented. According to a January 2014 study published by MIT, the human brain is capable of processing an entire image in as little as 13 milliseconds of exposure. With this in mind, we looked to remake these raw data sets into color-coded, visual indicators and images that allow analysts to interpret results faster, reduce analysis and assessment time, and persist findings. Attendees should expect to walk away with a better understanding of how DNS data is useful in security research, different ways to interpret the data, and tools that could provide assistance when performing analysis.
CCIE (Security), CISSP; currently Chief Security Engineer at Wanda E-commerce; formerly a security expert at Wangxin Finance and security manager at Dangdang. More than 6 years of security and operations experience, with long-term involvement in front-line attack-and-defense. Currently focuses on intrusion prevention, big-data security analytics, behavior modeling, and security program development; skilled in network security and log analysis. Speaker at the WooYun Summit, WOT2015 and SACC2013.
For practitioners on the enterprise (defender) side, log analysis is the primary means of discovering security incidents and one of the essential skills of any security professional. Today the diversification of attack techniques and the emergence of 0-day and N-day exploits make log analysis more complex, while business growth drives up log volumes, so extracting the most relevant event information from massive data is an even greater test of an analyst's ability. For this compulsory course, then, let us look back at the past and ahead to the future.