Dec 1-2 @ Taipei New Horizon (台北文創大樓), 6F
08:20 - 09:00
Registration
09:00 - 09:10
R0
Opening
HITCON General Coordinator TT
09:10 - 09:20
R0
Guest Address
President Tsai Ing-wen
09:20 - 09:25
R0
Guest Address
Barbara Chiu (招卓敏) - Vice President & Managing Director of Cisco Taiwan, Hong Kong and Macau
09:25 - 10:00
10:10 - 10:50
10:50 - 11:10
Break
11:10 - 11:50
11:50 - 13:20
Lunch
13:20 - 14:00
14:10 - 14:50
15:00 - 15:40
15:40 - 16:10
Break
16:10 - 16:50
16:50 - 17:30
08:20 - 08:50
Registration
08:50 - 09:30
09:30 - 10:10
10:10 - 10:30
Break
10:30 - 11:10
11:20 - 12:00
12:00 - 13:20
Lunch
13:20 - 14:00
14:50 - 15:10
Break
15:10 - 15:50
16:00 - 16:40
16:50 - 17:30
R0
Panel Discussion
17:30 - 17:50
R0
Closing Remarks and Lucky Draw
17:50 - 19:00
Cocktail Party
Ayoul3 is a pentester working for Wavestone, a consulting firm based in France.
He became interested in mainframe security in 2014 when, during an audit, he noticed the large security gap between this platform and standard systems like Windows and Unix.
A gap that makes little sense, because z/OS has been around for a long time and is used by most major companies to perform critical business operations: wire transfers, claim refunds, bookings, etc.
If you want to test some of the tools showcased during the talk, you can check out his tools: https://github.com/ayoul3/ or blog https://zospentest.tumblr.com
CICS is the most widely deployed transaction system in the world, handling more than 20 billion transactions a day. It is mainly deployed on IBM z/OS systems.
Indeed, for every person who uses an ATM there is a fair chance that multiple CICS applications are involved somewhere in the chain of requests. The same goes for bank operators when creating a new account, handling refunds, taxes, etc.
The talk will demystify this critical system, explain how it works, and above all show how to abuse some of its functions to illegitimately read and write business files, access other applications, and remotely execute code with zero authentication.
The tool Cicspwn will be presented to help pentesters check CICS security and exploit all the key weaknesses listed above (http://github.com/ayoul3/cicspwn).
I have been tracking online banking malware (a.k.a. pharming) specialized in the Korean banking environment since 2013. In mid-2013 the number of pharming malware distribution sites using drive-by-download techniques increased rapidly, and the number of victims increased as well.
The group has been dubbed "Blackmoon" after a hardcoded string identified in the sample. There are several groups that create pharming malware, but "Blackmoon" was one of the most sophisticated and active.
In 2015 I had a chance to access their C&C server, and I shared this information with law enforcement. We finally succeeded in taking down the server and discovered a massive database.
The number of victims and the malware distribution rate dropped sharply after this investigation.
However, "Blackmoon" is active again, and pharming malware has recently become more and more complicated.
It's time to cooperate to take down the pharming malware again.
Ricky Chou (ch0upi) is a Technical Manager in Trend Micro's Core Technology Department.
His work focuses on data analysis, threat intelligence services, and applying artificial intelligence and machine learning to practical problems.
He took part in KDDCup, the best-known competition in the data mining field, in 2014 and 2016, placing in the top 10 both times.
He also worked on Trend Micro's computer Go AI project GoTrend, which took sixth place at the 2015 UEC Cup computer Go tournament in Japan.
Sorting malware into families has long relied on skilled reverse engineers, but the sheer volume of data and the ever-growing number of variants make it impossible for manual work to keep pace with the malware. In 2015 Microsoft therefore ran a malware classification competition on the Kaggle machine learning platform, in conjunction with WWW 2015. BSidesLV 2016 also featured a talk on automatically classifying more than twenty million samples from VirusShare, showing that automated malware classification is still an open problem.
Since machine learning still has a certain barrier to entry, this session uses our actual competition experience to show interested security researchers how we started, how we improved the model, and how we avoided overfitting toward the end so as not to lose ground on the private leaderboard. We also review the winning teams' approaches, compare them with our model, and suggest possible improvements.
Mach-O is the executable file format of Mac OS X. As Mac OS X's market share has grown, malware for Mac OS X has also seen unprecedented growth over the past few years. In this presentation we present a study of classifying Mac OS X malware with a set of features extracted from Mach-O metadata and its derivatives, using samples collected from VirusTotal between late 2014 and early 2016. There is prior research that attempts to classify PE executables by metadata extracted from PE files; like the PE format, the Mach-O format also provides a variety of features for classification. We collected all Mach-O samples submitted to VirusTotal between late 2014 and early 2016. After removing files not compiled for i386 or x86_64, we extracted metadata from the collected Mach-O samples. Meta information from the sample files, such as segment and section structures, dynamic libraries, etc., is used as features for classifying Mac OS X samples. To understand the effectiveness of these features, we divided our sample collection into two parts: samples collected between Sept 2014 and Oct 2015 are used as training samples, and samples after Oct 2015 are used as testing samples.
This study summarizes the statistical changes in Mac OS X malware families and the structural trends between benign and malicious samples between late 2014 and early 2016. With our collection of more than 600,000 samples, over 4,000 of them malicious, our feature evaluation is based on composition analysis of different malware families in terms of both meta and derivative features. This work uses a variety of classification algorithms to generate predictive models from the training dataset, analyzes the results on the testing samples, and compares them with AV vendors' detections on VirusTotal. We also discuss the effectiveness of the selected features and observations on our sample collection.
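The feature extraction the abstract describes (segment and section structure, dynamic libraries, CPU type filter) starts with a load-command walk over the Mach-O header. The parser below is an added example written for this page, not the study's own code; the sample image it builds is constructed test data (zero-sized segments, no code), and the exact feature set the authors used is not known here. It keeps the i386/x86_64 filter from the abstract and, deliberately, records malformed load commands as a feature instead of failing on them, since hand-built droppers and packers often ship headers a strict parser would reject.

```python
import struct

# Mach-O constants (from <mach-o/loader.h> and <mach/machine.h>)
MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF
CPU_TYPE_I386, CPU_TYPE_X86_64 = 0x7, 0x01000007
LC_SEGMENT, LC_SEGMENT_64 = 0x1, 0x19
LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB, LC_REEXPORT_DYLIB = 0xC, 0x80000018, 0x8000001F
MH_PIE = 0x200000  # header flag: image may be loaded at a random address


def _cstr(raw):
    """Decode a NUL-padded fixed-width name field."""
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")


def macho_features(blob):
    """Extract metadata features from a thin (non-fat) little-endian Mach-O.

    Raises ValueError for non-Mach-O input or CPU types other than i386/x86_64
    (the filter the study applies). Malformed load commands do not raise; they
    set feats["malformed"], which is itself a useful classification signal.
    """
    if len(blob) < 28:
        raise ValueError("too short to hold a mach_header")
    magic = struct.unpack_from("<I", blob, 0)[0]
    if magic == MH_MAGIC_64:
        is64, hdr_len = True, 32
    elif magic == MH_MAGIC:
        is64, hdr_len = False, 28
    else:
        raise ValueError("not a thin little-endian Mach-O (magic %#x)" % magic)
    cputype, _cpusub, filetype, ncmds, sizeofcmds, flags = struct.unpack_from("<6I", blob, 4)
    if cputype not in (CPU_TYPE_I386, CPU_TYPE_X86_64):
        raise ValueError("unsupported cputype %#x" % cputype)

    feats = {"is64": is64, "cputype": cputype, "filetype": filetype, "ncmds": ncmds,
             "pie": bool(flags & MH_PIE), "segments": {}, "dylibs": [], "malformed": False}
    off = hdr_len
    end = min(hdr_len + sizeofcmds, len(blob))   # never trust sizeofcmds past EOF
    for _ in range(ncmds):
        if off + 8 > end:
            feats["malformed"] = True
            break
        cmd, cmdsize = struct.unpack_from("<2I", blob, off)
        if cmdsize < 8 or off + cmdsize > end:   # every read below stays inside [off, off+cmdsize)
            feats["malformed"] = True
            break
        if cmd in (LC_SEGMENT, LC_SEGMENT_64):
            # segment_command_64: 72 bytes, nsects at +64, section_64 is 80 bytes
            # segment_command:    56 bytes, nsects at +48, section    is 68 bytes
            fixed, nsects_at, sect_size = (72, 64, 80) if cmd == LC_SEGMENT_64 else (56, 48, 68)
            if cmdsize < fixed:
                feats["malformed"] = True
                break
            segname = _cstr(blob[off + 8:off + 24])
            nsects = struct.unpack_from("<I", blob, off + nsects_at)[0]
            sections = []
            for i in range(nsects):
                so = off + fixed + i * sect_size
                if so + sect_size > off + cmdsize:   # section table claims more than cmdsize holds
                    feats["malformed"] = True
                    break
                sections.append(_cstr(blob[so:so + 16]))   # sectname is the first 16 bytes
            feats["segments"][segname] = sections
        elif cmd in (LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB, LC_REEXPORT_DYLIB):
            if cmdsize < 24:
                feats["malformed"] = True
                break
            name_off = struct.unpack_from("<I", blob, off + 8)[0]   # lc_str offset, relative to the command
            if name_off >= cmdsize:
                feats["malformed"] = True
            else:
                feats["dylibs"].append(_cstr(blob[off + name_off:off + cmdsize]))
        off += cmdsize
    return feats


def is_supported(blob):
    """Filter step from the abstract: keep only thin i386/x86_64 Mach-O files."""
    try:
        macho_features(blob)
        return True
    except ValueError:
        return False


def build_sample(dylibs=(b"/usr/lib/libSystem.B.dylib",)):
    """Constructed minimal x86_64 MH_EXECUTE image for exercising the parser (not a real binary)."""
    def seg64(name, sects):
        body = struct.pack("<16s4Q4I", name, 0, 0, 0, 0, 7, 5, len(sects), 0)
        for s in sects:
            body += struct.pack("<16s16s2Q8I", s, name, *([0] * 10))
        return struct.pack("<2I", LC_SEGMENT_64, 8 + len(body)) + body

    def dylib(name):
        name += b"\0"
        name += b"\0" * (-len(name) % 8)        # 64-bit load commands are 8-byte aligned
        return struct.pack("<6I", LC_LOAD_DYLIB, 24 + len(name), 24, 2, 0x10000, 0x10000) + name

    cmds = seg64(b"__TEXT", [b"__text", b"__cstring"]) + seg64(b"__DATA", [b"__data"])
    for d in dylibs:
        cmds += dylib(d)
    hdr = struct.pack("<8I", MH_MAGIC_64, CPU_TYPE_X86_64, 3, 2, 2 + len(dylibs), len(cmds), MH_PIE, 0)
    return hdr + cmds
```

On a real corpus the dict would be flattened into a vector (one-hot segment/section names, dylib names, counts, the PIE and malformed bits) before training; fat binaries need the FAT_MAGIC slice loop in front of this, which the filter above intentionally rejects.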
Winnti is malware used by a Chinese threat actor for cybercrime and cyber espionage since 2009. The behavior of the Winnti components is well described in a past analysis report by Novetta, but there are now many more variants whose behavior differs from it. I will share my RE findings not explained in public reports, including:
- a Winnti worker component supporting the SMTP protocol,
- Winnti used as a loader for other malware families,
- a rootkit driver that creates covert channels by hooking NDIS TCP/IP protocol handlers, and
- hack tools using the same API hash calculation as the Winnti components.
The configuration data of Winnti is important for threat intelligence because it contains campaign IDs that indicate the target organizations or countries to the actor. Moreover, as Kaspersky pointed out in a blog post, the 64-bit kernel drivers are sometimes signed with stolen certificates; those certificates are also useful for identifying already-compromised targets. I checked about 170 Winnti samples to extract the configurations and certificates. Based on that work, I will show that Winnti targets are not only the game and pharmaceutical industries, but also the chemical, e-commerce, electronics and telecommunications industries.
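Linking hack tools to Winnti through a shared API hash routine works by recovering the routine from one sample, hashing the export names of the DLLs of interest, and then looking for those 32-bit constants in other files. The code below is an added example for this page, not the speaker's tooling. The hash routine is the classic ROR-13 scheme from Metasploit's block_api stub, used only as a stand-in: Winnti's actual routine is not reproduced here, and in practice `ror13_hash` would be replaced by the algorithm lifted from the sample. The export lists and code blobs are constructed test data.

```python
import struct


def ror32(v, n):
    return ((v >> n) | (v << (32 - n))) & 0xFFFFFFFF


def ror13_hash(name):
    """ROR-13 accumulate over the ASCII export name (Metasploit block_api style).
    Stand-in for the routine recovered from the sample; swap this body for the
    real algorithm and the rest of the tooling stays the same."""
    h = 0
    for c in name.encode("ascii"):
        h = (ror32(h, 13) + c) & 0xFFFFFFFF
    return h


def build_table(exports, hash_fn=ror13_hash):
    """hash -> [(dll, export name)] from export lists you supply (in practice
    dumped from the real DLLs with pefile or dumpbin). A list per hash keeps
    collisions visible instead of silently overwriting them."""
    table = {}
    for dll, names in exports.items():
        for n in names:
            table.setdefault(hash_fn(n), []).append((dll, n))
    return table


def scan_constants(blob, table):
    """(offset, matches) for every 4-byte little-endian window whose value is a
    known export hash. Unaligned windows are scanned too: in loader stubs and
    shellcode the hashes are instruction immediates, not aligned table entries."""
    hits = []
    for off in range(len(blob) - 3):
        v = struct.unpack_from("<I", blob, off)[0]
        if v in table:
            hits.append((off, table[v]))
    return hits


def shared_hashes(blob_a, blob_b, table):
    """Hashed exports resolvable in both blobs: the overlap a hunter uses to
    argue two files were built with the same import-resolution code."""
    names_a = {n for _, m in scan_constants(blob_a, table) for n in m}
    names_b = {n for _, m in scan_constants(blob_b, table) for n in m}
    return sorted(names_a & names_b)


# Constructed export lists: real export names, but only a tiny subset.
EXPORTS = {
    "kernel32.dll": ["LoadLibraryA", "GetProcAddress", "VirtualAlloc", "CreateFileA"],
    "ws2_32.dll": ["WSAStartup", "connect", "send", "recv"],
}


def demo_blob(names, filler=b"\x8b\x45\x08"):
    """Constructed stand-in for a code region: filler bytes around
    'push imm32' instructions carrying the hashed export names."""
    out = b""
    for n in names:
        out += filler + b"\x68" + struct.pack("<I", ror13_hash(n))
    return out
```

The same table also drives a YARA rule: emit each hash as a 4-byte little-endian string and require several of them within a short distance, which is how a "same API hash calculation" observation becomes a hunting signature.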
PHP is the most prominent server-side web language in use today. Although secure coding practices are used when developing in PHP, they can't mitigate vulnerabilities in the language itself. Since PHP is written in C, it is exposed to the vulnerabilities found in projects written in a low-level language, such as memory-corruption vulnerabilities, which are common when manipulating data formats. PHP 7 is a new implementation of the language, and while memory corruption bugs exist in this version as well, none of the exploitation primitives from the previous version work any more (e.g. those from @i0n1c's BH2010 presentation).
In this talk I will discuss the memory internals of PHP 7 from the perspective of an exploiter and vulnerability researcher. I will explain newly found vulnerabilities and bugs. Lastly, I will demonstrate how to exploit a class of bugs in PHP 7, using a real vulnerability found in the unserialize mechanism as an example, and present reusable primitives for exploitation.
The internals of the language implementation changed quite dramatically, and it is now harder to exploit memory corruption bugs. The new zval system prefers embedding over pointing to members, and the allocation mechanism has gone through a complete rewrite that removes metadata. This leads to some interesting bugs and vulnerabilities, but the overall result is fewer primitives and less control over crafted data. unserialize is a data manipulation and object instantiation mechanism in PHP that is prone to memory corruption vulnerabilities.
For the first time, we have managed to implement a remote exploit of a real-world bug in PHP 7's unserialize mechanism.
He is a PhD student at UCSB (University of California, Santa Barbara), working, under the supervision of professors Christopher Kruegel and Giovanni Vigna, in the Computer Security Group (seclab).
He earned a Bachelor and a Master degree in Computer Engineering at Politecnico di Milano, and a Master Degree in Computer Science at the University of Illinois at Chicago.
He worked on different projects about mobile security and he is also very interested in anything related to reverse engineering and low-level binary analysis.
He played many different CTF security competitions as a member of the Shellphish hacking group, qualifying multiple times for the DEFCON CTF and, recently, for the DARPA Cyber Grand Challenge.
Similarly to autonomous driving cars, autonomous hacking is becoming a reality.
To kick-start research in this field, DARPA organized the Cyber Grand Challenge (CGC), a security competition in which participants had to develop a system able to automatically exploit and patch binaries.
In 2014 Shellphish signed up for the CGC, and in 2015 we qualified for the final event, which was held in August 2016.
During the final event, our system, named the Mechanical Phish, faced off against six other competitors and fought well, winning third place and placing Shellphish as the top fully-academic team.
Just after the CGC final event, we released the entire code of Mechanical Phish on GitHub: more than 100,000 lines of Python.
In this talk, we will introduce Mechanical Phish, presenting the challenges we tackled and the solutions we implemented while developing it.
We will also demonstrate how the released code can be used to automatically find bugs, write exploits, and patch vulnerable binaries.
Mechanical Phish uses a combination of symbolic execution (powered by angr, the binary analysis platform developed at UCSB) and fuzzing to find bugs in programs.
Then, it automatically generates an exploit able to subvert the execution of the analyzed binary by taking advantage of the found bugs.
In addition, our system is able to patch existing binaries making them resilient against attackers with minimal performance impact.
Finally, given the hardware setup and the no-human-intervention policy of the CGC final competition, Mechanical Phish was developed as an extremely reliable, efficient and fault-tolerant distributed system.
A company from the financial industry based in Australia was alerted by Kaspersky Lab products regarding suspicious activity in their network. In cooperation with the company, which kindly agreed to provide us with remote access to the system where our product registered the activity, we found no active infection in the memory of the system. However, we managed to find the source of the AV alert, which was deeper than we initially thought.
This talk will show a case study of incident investigation and response of a major infection we have recently discovered. Through a case study, best practices in digital forensics and incident response will be shared based on our experience.
Recently, various targeted attacks have been analyzed for their methods of infection. Such malware infection techniques have been published by anti-virus vendors and security researchers for protection purposes. On the other hand, the malware used in recent attacks has become more complicated and sophisticated.
As one example, we confirmed several advanced Emdivi t20 samples in the Blue Termite APT. At the time, we thought the samples were corrupted because they did not work in any environment. To be more precise, the Emdivi family stores encrypted C2 info, mutexes, MD5 sums of backdoor commands, etc. The Emdivi family decrypts each piece of encrypted data with a specific key, whereas the suspicious "corrupted" Emdivi t20 samples used the SID of the victim machine to generate the decryption key. That means analysis was impossible, because we could not generate the exact decryption key without knowing the SID of the victim machine. (https://securelist.com/blog/research/71876/new-activity-of-the-blue-termite-apt/)
The new technique was actually very simple, but it works effectively. In our research on cyber espionage activities targeting Taiwan and Japan, some samples still use very similar and simple techniques. We will introduce the details of our research on these APTs, along with some episodes, how we solved the problem, and our approaches, together with a description of the anti-analysis technique using actual samples.
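The anti-analysis trick described above (a config that only decrypts with a key derived from the victim machine's SID) is easy to reproduce, and reproducing it shows exactly what the analyst is missing. The code below is an added example for this page and is not Emdivi's real scheme: the key derivation (MD5 of the SID string) and the RC4 config cipher are assumed constructions chosen for illustration, and the SID and config bytes are made up. What carries over is the workflow: the sample cannot be run or decrypted in a sandbox, so the SID has to be harvested from the victim (machine SID from the SAM hive, user SIDs from the ProfileList registry key) and tried against the blob.

```python
import hashlib


def rc4(key, data):
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same call."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(b ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def key_from_sid(sid):
    """ASSUMED derivation: MD5 of the SID string. Emdivi's real KDF is not reproduced here;
    the point is that the key never appears in the file, only the rule to compute it."""
    return hashlib.md5(sid.encode("ascii")).digest()


MAGIC = b"CFG1"  # constructed marker so that a wrong key is detectable


def seal_config(sid, config):
    """What the builder does on the attacker side, given the target's SID."""
    return rc4(key_from_sid(sid), MAGIC + config)


def open_config(sid, blob):
    """What the implant does at runtime: returns the config, or None if this
    is not the machine the sample was built for."""
    body = rc4(key_from_sid(sid), blob)
    return body[len(MAGIC):] if body.startswith(MAGIC) else None


def recover_with_candidates(blob, candidate_sids):
    """Analyst side: try every SID harvested from the victim image and keep the
    first one that opens the blob. Returns (sid, config) or (None, None)."""
    for sid in candidate_sids:
        cfg = open_config(sid, blob)
        if cfg is not None:
            return sid, cfg
    return None, None


# Constructed victim data: the SID format is real, the values are invented.
VICTIM_SID = "S-1-5-21-1004336348-1177238915-682003330"
SAMPLE_CONFIG = b"c2=http://c2.example.invalid/index.php|mutex=Global\\tmp0|cmd0=d41d8cd98f00b204e9800998ecf8427e"
SAMPLE_BLOB = seal_config(VICTIM_SID, SAMPLE_CONFIG)
```

Note what this does to bulk analysis: a sandbox with any other SID sees the "corrupted" behaviour the abstract describes, and there is no key material in the file to brute-force, because the three 32-bit sub-authorities of a machine SID are far beyond an offline search. Collecting the SID is therefore part of the incident-response evidence list, not an optional extra.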
We conduct a systematic study on mobile apps' privacy policies and identify three kinds of common problems in them. To automatically check whether an app's privacy policy has any problems, we develop a tool named PPChecker that analyzes information from multiple sources for the detection. The result shows that many privacy policies have at least one problem. Therefore, to help developers/stakeholders of apps create correct and readable privacy policy, we develop another tool named AutoPPG that can generate privacy policy templates automatically by analyzing apps. In this talk, we first introduce the background knowledge of app's privacy policy. Then, we detail how to identify the problems in apps' privacy policies. After that, we describe how to generate privacy policy templates automatically. Finally, we conclude the talk with suggestions to users, developers, and stakeholders of apps.
We discovered severe vulnerabilities in popular telematics systems through which attackers can remotely replace the firmware with a malicious one and then launch attacks on the vehicles. We have confirmed these vulnerabilities through PoC attacks on real vehicles. Moreover, we propose several approaches for fixing these vulnerabilities. We have informed the corresponding companies about the vulnerabilities and the fixes with the help of HKCERT.
In this talk, we first introduce the background knowledge of telematics and its attack surface. Then, we detail how to identify and exploit the vulnerability in two telematics systems. Moreover, we discuss how to fix this vulnerability.
Vladimir was born in 1980. He holds a university degree in applied mathematics and information security. Active for over 15 years in information security projects and research, he previously built and led incident response teams at several Fortune 500 companies. Vladimir has recently joined the Trend Micro FTR team, but did this research at Positive Technologies, where he had been head of the Computer Security Incident Response Team (CSIRT) since 2014. He participates in various projects for leading financial, industrial, and telecom companies.
Vladimir regularly appears at high-profile international conferences such as FIRST, CARO, HITB, Hack.lu, PHDays, ZeroNights, POC, Hitcon, and many others.
Head of Telecom Security Department, Positive Technologies
Dmitry Kurbatov was born in Moscow in 1986. He holds a university degree in information security of telecommunications systems. Dmitry joined Positive Technologies in 2010 as an information security expert and now specializes in telecom and mobile network security. He is responsible for product development (SS7 Attack Discovery and SS7 Security Scanner) as well as for telecom and mobile network security audit services.
Telecom Security Expert, Positive Technologies
Sergey was born in 1976. He graduated from Penza State University with a degree in automated data processing and management systems in 1998. Before joining Positive Technologies in 2012, he worked as a quality engineer at VimpelCom. Being a security expert in telecommunication systems at Positive Technologies, he is engaged in the research of signaling network security and in audits for international mobile operators.
He is part of the team that revealed weak points in popular two-factor authentication schemes based on text messages and demonstrated how easy it is to compromise Facebook, WhatsApp, and Telegram accounts. He is also a member of the SS7 Attack Discovery development team and a co-author of Positive Technologies' annual reports on telecommunication security.
Telecom networks are often used as backbones for other critical infrastructures, such as finance. At the same time, SS7 networks often carry personal and sensitive information, including voice and messages, and are often used for second-factor authentication. Such networks have always been targets for cyber criminals and mature actors: those looking to obtain paid services for free or at the expense of other subscribers, or eager to hijack messenger, email and other accounts. In this presentation we will describe detection approaches and attacks that use SS7 vulnerabilities affecting telecom networks and related services. We will demonstrate how the integration of payment systems with communication services can jeopardize the bank accounts of ordinary subscribers and make it easier for criminals to monetize attacks. Our demo will include the transfer of money from electronic accounts.
A state should develop a multi-pillar, national-level cyber security strategy.
It should include guidance and coordination of the national effort to secure cyberspace for the foreseeable future by all stakeholders in the country, including government, defense agencies, academic research, business centers and the general public.
In order to assure sustainable resilience, the state must create a domestic ecosystem that encourages innovation, nurtures human capital and gives direction to the national research and development efforts.
A true transformation must begin with a well-defined strategy out of which derives the structure and organization, which in turn, develops solutions in correlation and cooperation with the local industry and international business community.
The role of the state on that matter is to develop the national cyber security ecosystem, act as the enabler and optimizer of the multi-vector efforts and develop and share new capabilities by boosting knowledge transfer between sectors.
In today's world it is very difficult for researchers to be researchers. During the lecture we will cover the problems security researchers face in getting their discoveries published and out there without getting sued, while getting paid and having fun along the way. We will cover why transparent vulnerability brokers are needed and why bug bounties don't work.
Korea Internet & Security Agency (KISA, KrCERT/CC) is a South Korean government agency under the Ministry of Science, ICT and Future Planning (MSIP), specializing in Internet security, critical infrastructure protection and Internet development. In response to the growing stakes in cyber security, KISA and MSIP operate and plan measures to secure the Internet environment against the various threats targeting Korea. In this presentation Mr. Park will show how and what the Korean government has been doing over the past 15 years.
This presentation will briefly introduce the security features recently integrated in LINE's messaging and VoIP platform, as well as LINE's application security testing practices.
The first part will focus on LINE's overall architecture, and the transport encryption improvements in LINE's gateway server (LEGY).
We will also give an overview of LINE's end-to-end encryption implementation (Letter Sealing).
The second part will give an overview of LINE's application security test process (risk assessment), focusing on game cheating countermeasures. Finally, we will briefly present our anti-spam/abuse efforts and bug bounty program.
We have been observing an attack against certain targets in the financial industry. Evidence suggests that this attack has been active since as early as 2009, and it remains very active today, utilizing several techniques to perform long-term espionage on its targets.
This paper will talk about the targeted cyber-espionage we call Sentry Stopper. The paper will cover the different malware components used in the attack; their behaviours, which includes maintaining footholds in the network for long-term espionage; their heavy utilization of steganography; mapping and gaining access to the target's network using a network cracker component; stealing sensitive information using various methods; protecting themselves from detection and possible removal by disrupting security products. The paper will also cover other aspects of cyber-espionage such as targeted industries, regions, and other evidence we have acquired related to the campaign.
"Memory attacks" have always been the core of attack activity. If you dominate the memory battlefield you can do whatever you want: execute malware, leak confidential information or crash the system.
In this talk we'll walk through process internals and the PE file header format. Then we'll discuss how Microsoft tries to mitigate memory attacks with its EMET (Enhanced Mitigation Experience Toolkit) and ASLR (Address Space Layout Randomization). However, these tools have proven to be limited and incomplete. We need to do better.
We are pleased to unveil a new concept of APT/malware defense, and to show how this evolutionary technology shields memory, stops the attacker and improves on older solutions.
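Whether ASLR and DEP actually apply to a given module is decided by a few bits in the PE header the talk refers to, and the first thing a practitioner checks before trusting either mitigation is whether the image opted in. The checker below is an added example for this page, not the vendor's product or code; the minimal PE it constructs for testing has no sections or code and exists only to exercise the parser. It also covers the two cases where the flag alone is misleading: an image whose relocations were stripped cannot be moved even with DYNAMIC_BASE set, and a 64-bit image without HIGH_ENTROPY_VA gets only the low-entropy randomization.

```python
import struct

# IMAGE_OPTIONAL_HEADER.DllCharacteristics bits
HIGH_ENTROPY_VA = 0x0020   # 64-bit ASLR over the full address space (Windows 8+)
DYNAMIC_BASE    = 0x0040   # image may be rebased: the ASLR opt-in
NX_COMPAT       = 0x0100   # DEP compatible
NO_SEH          = 0x0400   # image contains no SEH handlers
GUARD_CF        = 0x4000   # Control Flow Guard instrumented
# IMAGE_FILE_HEADER.Characteristics bit
RELOCS_STRIPPED = 0x0001   # no .reloc section: the loader cannot move the image at all


def pe_mitigations(blob):
    """Read mitigation opt-ins from a PE header. Only the headers are parsed, so a
    file prefix is enough and the image is never mapped or executed. Raises
    ValueError when the MZ/PE signatures or the optional header magic are wrong."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if e_lfanew + 4 + 20 + 72 > len(blob) or blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    _machine, _nsect, _ts, _symp, _nsym, _opt_size, characteristics = struct.unpack_from("<HHIIIHH", blob, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", blob, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic %#x" % magic)
    is64 = magic == 0x20B
    dllchar = struct.unpack_from("<H", blob, opt + 70)[0]   # offset 70 in both PE32 and PE32+
    res = {
        "is64": is64,
        "dynamic_base": bool(dllchar & DYNAMIC_BASE),
        "high_entropy_va": bool(dllchar & HIGH_ENTROPY_VA),
        "nx_compat": bool(dllchar & NX_COMPAT),
        "no_seh": bool(dllchar & NO_SEH),
        "guard_cf": bool(dllchar & GUARD_CF),
        "relocs_stripped": bool(characteristics & RELOCS_STRIPPED),
    }
    # DYNAMIC_BASE is only an opt-in; without relocations the loader keeps ImageBase.
    res["aslr_effective"] = res["dynamic_base"] and not res["relocs_stripped"]
    res["full_64bit_aslr"] = res["aslr_effective"] and is64 and res["high_entropy_va"]
    return res


def build_pe(dllchar, characteristics=0x0022, pe32plus=True):
    """Constructed minimal PE header (no sections, no code) for exercising the parser."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)            # e_lfanew: PE header right after the DOS stub
    opt_size = 240 if pe32plus else 224                 # optional header incl. 16 data directories
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, opt_size, characteristics)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, dllchar)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)
```

Run over every module a process loads and you get the list EMET's and the OS's own ASLR cannot help with: a single legacy DLL built without DYNAMIC_BASE (or with relocations stripped) gives an attacker a fixed address space to build ROP chains from, regardless of what the rest of the process opted into.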
The Government of Japan is working on cybersecurity policy under the framework prescribed by the Basic Act on Cybersecurity, enacted in 2014, and the Cybersecurity Strategy, adopted as a cabinet decision in September 2015. I will discuss the comprehensive framework of cybersecurity policy in Japan.
Following the revision of the Basic Act this year, we continue to work on various issues, such as strengthening the cybersecurity workforce in both the public and private sectors and strengthening critical information infrastructure protection.
Our target year for the cybersecurity policy is 2020, when Japan will host the Olympic and Paralympic Games in Tokyo. Japan will also host the Rugby World Cup in 2019. We consider cybersecurity an essential part of the success of those events and are working to ensure it.
In the session I will discuss the basic framework for cybersecurity in Japan, including the Basic Act on Cybersecurity and the Cybersecurity Strategy, followed by current cybersecurity issues, including critical information infrastructure protection, workforce enhancement, and the security framework towards 2020.
Earl Carter has always had a passion for solving puzzles and understanding how things operate. Mr. Carter quickly learned that identifying security weaknesses is just like solving puzzles. Almost 20 years ago, he was introduced to network security when he accepted a position at the Air Force Information Warfare Center in San Antonio, Texas. In 1998, Mr. Carter started working at Cisco and became one of the founding members of the Security Technology Assessment Team (STAT).
After spending 15 years identifying new security threats and assisting product teams in hardening their devices and software to mitigate those identified security threats, Mr. Carter became a Threat Researcher for Cisco Talos. Now he spends his time hunting for new threats against live customer networks by examining various intelligence feeds and data sources. Among Mr. Carter’s significant contributions to Cisco are multiple security patents and authoring three Cisco Press Security Books along with co-authoring three more Cisco Press Security Books.
Professor, National Taiwan University
BS and MS in Mathematics from National Taiwan University; PhD in Mathematics from Purdue University, USA. He serves in the NTU Department of Mathematics and at 銓安智慧科技, a company whose core business is embedded-system security. Recipient of NTU's Distinguished Teaching Award, which on average goes to only one in every two hundred NTU faculty members. Courses he has taught at NTU include Introduction to Cryptography, Elliptic Curve Cryptography, Topics in Cryptanalysis, Post-Quantum Cryptography, Introduction to FinTech, Calculus for the College of Electrical Engineering and Computer Science, and the general-education course Mathematics and Civilization. He is a co-founder and the current secretary-general of the Taipei NTU Alumni Association golf team, a director of 中華民國橋藝協會 (the national contract bridge association), and captain of the active national bridge team representing Taiwan at this year's World Cup.
劉世偉 (Alex Liu), founder of 帳聯網 (AMIS), was born in Taipei and graduated from Stanford University's graduate program in electrical engineering in 2002. He has worked for the ICT giants Hitachi, Samsung and Siemens, including assignments in Germany and Japan. After graduating he joined Atheros (創銳訊), founded by Academia Sinica academician 孟懷縈 (Teresa Meng), where he built deep ICT expertise and industry experience. After Qualcomm acquired Atheros he became Qualcomm's marketing director in Shanghai, responsible for a product line with USD 35 million in annual revenue. Seeing the boundless potential of blockchain technology, he gave up his senior position at the multinational and returned home to contribute to Taiwanese society. In 2014 he founded the virtual currency exchange MaiCoin, which developed BlockSeer, a system for tracking illicit transactions that helps regulators and Bitcoin fraud victims trace the flow of bitcoins.
Over the following two years he focused on the development and application of distributed ledger (帳聯網) technology, actively building relationships with blockchain experts on the international stage and strengthening his technical capabilities. When the time was right, in September 2016 he founded 帳聯網路科技股份有限公司 (AMIS), building on Ethereum technology, with the aim of contributing to Taiwan's financial innovation infrastructure.
Research Director at 台灣威瑞特系統科技 (Verint Systems Taiwan); previously in public service at the Criminal Investigation Bureau's Technology Crime Prevention Center, the National Police Agency's Information Office, and the Computing Center of Academia Sinica. Specializes in malware analysis, software reverse engineering, vulnerability analysis, software development, and digital forensic investigation.
We have a saying that security is a journey, not a destination. Yet we act as if security were a process to be completed once, checked perhaps once a year, with holes being an anomaly. We know this is how most treat their security because the majority of organizations and governments worldwide don't have a process in place to receive vulnerability reports from helpful hackers. Join Katie Moussouris, a hacker turned policy maker turned CEO, as she guides you on a security journey. The Never-ending Story of security doesn't end, and we're going to need more than a luckdragon to help us through our journey.
In this presentation we give a historical overview of the 'Lurk' group: a group of malware operators conducting malicious network activities primarily in the .RU region. Having the ability to monitor the network traffic of several large organizations, we observed this group's activity from 2011 until mid-2016. We discuss the methods the group used to disseminate their malware and how the group's techniques evolved during this time. We also point out potential links between this group and other threat actors and discuss the potential relationship between this group's activities and a number of attacks on banking infrastructure that we observed in 2016.
The First Bank (一銀) ATM heist by a criminal hacking group shook both domestic public safety and the financial industry, and instantly undermined public confidence in the security of financial transactions. Through the combined efforts of the entire criminal police force, nearly NT$80 million of the stolen money was recovered in a short time, but the media spotlight focused on how the police used surveillance cameras and similar means to recover the loot and catch the culprits.
Since the media rarely reported on the Bureau's technical investigation work, at this conference the Bureau will give a brief account of the on-site incident response, the log analysis results, the reverse engineering and the digital forensics carried out in this case, for the reference of the financial industry and information security practitioners.
Commissioner, Department of Information Technology, Taipei City Government
Education:
BS, Department of Information and Computer Engineering, Chung Yuan Christian University
MS, Graduate Institute of Computer Science and Information Engineering, National Chung Cheng University
PhD, Graduate Institute of Computer Science and Information Engineering, National Chung Cheng University
Experience:
Professor, Department of Information Engineering and Computer Science, Feng Chia University
Chief Information Officer, Office of Information Technology, Feng Chia University
Deputy Chief Information Officer, Office of Information Technology, Feng Chia University
Director, Information and Communication Security Research Center, Feng Chia University
Head, University Planning Division, Office of Research and Development, Feng Chia University
Head, Analysis and Evaluation Division, Office of Research and Development, Feng Chia University
Director, Resource Management Center, Office of Information Technology, Feng Chia University
Visiting Scholar, Carnegie Mellon University, USA
Visiting Scholar, University of British Columbia, Canada
From the perspective of the CIO of Taiwan's capital, this talk describes the information security challenges government agencies face: budgets, constantly changing threats, the fallacy of defense in depth, the state of monitoring mechanisms, and the human factor. It closes with possible directions for future planning.