08:20 -
Registration
R0 (Room 101)
09:00 - 09:20
09:20 - 10:00
Your Ideas are Worthless
10:00 - 10:40
Critical Infrastructure Protection Policy and Strategy of Korea
MIDEUM KIM, Researcher of KISA (Korea Internet & Security Agency)
10:40 - 10:55
Break
10:55 - 11:35
LINE Security Bug Bounty: A Closer Look
12:15 - 13:30
Lunch
R1 (Room: 101 CD)
R2 (Room: 101 AB)
13:30 - 14:10
Building a Public RPZ Service to Protect the World’s Consumers
John Bambenek, Manager of Threat Systems, Fidelis Cybersecurity
Recent Cases of Cyber Terror from North Korea
14:20 - 15:00
From Zer0 to Persistence - A Complete Exploit Chain against Samsung Galaxy S6
15:10 - 15:50
Jiun-Ming Chen, Adjunct Faculty, National Taiwan University;
Jong-Shian Wu (JS), Researcher at National Taiwan University
Light Up The Korean DarkWeb
15:50 - 16:10
Break
16:10 - 16:50
Adversarial Machine Learning and Several Counter-Measures
17:00 - 17:40
wj, Senior Threat Hunter at Countercept, MWR InfoSecurity
In Ming LOH, Senior Threat Hunter at Countercept, MWR InfoSecurity
Cybersecurity Talent Development in NTT Group
R0 (Room 101)
09:20 - 10:00
All our Powers Combined: Connecting Academics, Engineers, and Hackers
Yan Shoshitaishvili, Captain of Shellphish, Assistant Professor at Arizona State University
10:00 - 10:40
The Age of Broken ATMs
10:40 - 11:00
Break
11:00 - 11:40
Are you visible? – TEPCO’s Challenge for “Visibility” on Security Management (and Security Professionals)
11:40 - 13:00
Lunch
R1 (Room: 101 CD)
R2 (Room: 101 AB)
13:00 - 13:40
Respond Before Incident - Building Proactive Cyber Defense Capabilities
13:50 - 14:30
The Key Recovery Attacks against Commercial White-box Cryptography Implementations
Sanghwan Ahn(h2spice), Senior Security Engineer, Security Department, LINE Corp.
14:30 - 14:45
Break
14:45 - 15:25
15:35 - 16:15
Attacks on Mobile Networks: Evolving Hackers’ Techniques and Defenders’ Oversights
Kirill Puzankov, Telecom Security Specialist, Positive Technologies
16:25 - 17:05
The Bald Knight Rises
R1 (Room: 101 CD)
17:10 - 17:50
Panel Discussion
17:50 - 18:00
Closing
18:00 - 19:00
Cocktail Party
I am a senior security engineer currently working in the security department at LINE Corp, mostly engaged in application security such as security assessment, security architecture design and development, as well as some other security-related work. I like to analyze programs and find vulnerabilities in them, and I am also interested in security-related technology. In recent years, I have been interested in white-box cryptography, doing various research such as implementation and cryptanalysis.
The Key Recovery Attacks against Commercial White-box Cryptography Implementations
White-box cryptography aims to protect cryptographic primitives and keys in software implementations even when the adversary has full control of the execution environment and access to the implementation of the cryptographic algorithm. It combines mathematical transformations with obfuscation techniques, so it is not just obfuscation at the data and code level but actual algorithmic obfuscation.
In a white-box implementation, cryptographic keys are mathematically transformed so that they are never revealed in plain form, even during execution of the cryptographic algorithm. With such security in place, it becomes extremely difficult for attackers to locate, modify, and extract the cryptographic keys. Although all current academic white-box implementations have been practically broken by various attacks, including table decomposition, power analysis attacks, and fault injection attacks, there are no published reports of successful attacks against commercial white-box implementations to date. When I assessed commercial white-box implementations to check whether they were vulnerable to previous attacks, I found that those attacks failed to retrieve a secret key protected by the commercial white-box implementation. Consequently, I modified the side-channel attacks available in the academic literature and succeeded in retrieving a secret key protected by the commercial white-box cryptography implementation. To the best of my knowledge, this is the first report in the industry of recovering a secret key protected by a commercial white-box implementation. In this talk, I would like to share how to recover a key protected by a commercial white-box implementation and give you some considerations for applying white-box cryptography to services more securely.
John Bambenek is Manager of Threat Systems at Fidelis Cybersecurity, Lecturer in the Departments of Computer Science and Information Science at the University of Illinois at Urbana-Champaign and a handler with the SANS Internet Storm Center. He has over 18 years' experience in information security and leads several international investigative efforts tracking cybercriminals, some of which have led to high-profile arrests and legal action. He specializes in disruptive activities designed to greatly diminish the effectiveness of online criminal operations. He produces some of the largest bodies of open-source intelligence used by thousands of entities across the world.
Building a Public RPZ Service to Protect the World's Consumers
There are a variety of options when enterprises want to get protection for themselves. If you want to protect small offices or consumers, your choice is basically just to buy anti-virus. The problem is that until we solve the problem of most of the internet not being behind enterprises, and thus unprotected, we will still face major outbreaks, DDoS, and risks from Bring-Your-Own-Device (BYOD).
By using some basic open-source tools built into DNS with Response Policy Zones (RPZ), it becomes possible to provide protection to the consumer internet space and begin to significantly disrupt criminal operations against the public.
This talk will cover building one of the world's first public RPZ servers to provide service to CERTs and consumer ISPs to start to tackle the vast majority of the unsecured internet. Details on how to access and deploy the data from this service for free will be given as part of the talk.
The chief scientist of InfoKeyVault Technology Co., Ltd. and an adjunct faculty member with an outstanding teaching award at National Taiwan University. Courses delivered at NTU: Cryptography, Cryptanalysis, Elliptic Curve Cryptography, Post-Quantum Cryptography, and Introduction to FinTech.
KRACK & ROCA
KRACK (Key Reinstallation Attack) is a security weakness in WPA2 discovered by Mathy Vanhoef et al. This weakness in the WPA2 protocol design and its implementations allows attackers within proximity to hijack the "encrypted" channel between a supplicant and a Wi-Fi AP. Both personal networks and enterprise networks are affected.
ROCA (The Return of Coppersmith's Attack) is a security vulnerability in an RSA firmware library discovered by Matus Nemec et al. The flawed library, from a major manufacturer of cryptographic hardware, is widely deployed in security tokens, smart cards, electronic ID cards, TPMs, etc. Since prime numbers generated by the flawed library have insufficient entropy and a specific structure, attackers can easily identify and factorize RSA public keys that were generated from affected devices.
In this talk, we will explain how KRACK and ROCA work and some important lessons we should learn from them.
Ricky Chou (ch0upi) is a staff engineer at Trend Micro. He works in data analysis, threat intel services, and problem solving with AI/ML.
Ricky and his teammates also placed in the Top 10 in KDD Cup 2014 & 2016, the leading Data Mining and Knowledge Discovery competition in the world. He also participated in Trend Micro's computer Go project, GoTrend, which took 6th place in the EUC Cup 2015.
Adversarial Machine Learning and Several Counter-Measures
Machine Learning (ML) and Deep Learning have become very popular in recent years. They solve many problems that were considered very difficult in the past, such as face recognition, image classification, unknown virus detection, cyber attack detection, etc. Therefore, more and more security products have started to use Machine Learning solutions for detection.
However, many of those security products using Machine Learning algorithms could introduce some unexpected vulnerabilities. In this talk we will focus on how to attack, cheat and steal the Machine Learning model and redirect the target of the attack using the stolen model. The speaker will introduce the concepts and attack methods on image classification, PDF and binary detection, demonstrate the attacks, and provide some ways to defend against these kinds of attacks.
Malware Analyst at Hispasec/Koodous. Focused on the banking threats landscape, especially Android banking Trojans as well as Windows-based ones. Interested in hunting botnets, malware analysis, reverse-engineering, and developing distributed environments.
Analyzing Bankbot, a Mobile Banking Botnet
Maza-in, better known as Bankbot, is an Android banking Trojan that gained popularity with its release on an underground forum. At the beginning, its targets were mostly Russian and Ukrainian entities, as well as payment processors such as PayPal, but it quickly broadened its targets to different countries, especially European ones.
Despite having other banking Trojans on the table, such as Mazarbot and Marcher, Bankbot has made it into the Google Play Store not once, but a total of three times that we are aware of.
Having myself caught one of these banking Trojans live in Google's Play Store, I gained interest in studying how it bypassed Google's security measures and made it through to the official Android store, and in its different botnet components.
In this talk we are going to talk broadly about Bankbot, covering many aspects of the threat. First, its behavior: the server-side structure of the botnet, how it communicates with the victim, as well as how to get around these communications, forcing the botnet to return us the list of affected entities.
Also, the Android component will be studied, taking into account the stealing techniques it uses and how it evolved, not only to target Android banking applications but also browsers, based on the bookmarks installed. We'll have a brief overview of the libraries that some samples include, along with their functionality. The whole infection process will be described, from initial steps to credential theft.
Additionally, we will have an overview of the component that made it through the Google Bouncer and got published in the store, including a quick look at the different countries targeted by this family since the beginning of the attack.
Finally, we will learn how to identify the sample through Yara rules, as well as known changes made to the server file structure that help us identify these samples.
Chen-yu Dai (GD) is CTO at Team T5 Research, providing Digital Forensics & Incident Response services, developing Threat Intelligence Programs and Platforms, and consulting on enterprise cyber defenses. He also volunteers as deputy coordinator of HITCON, the largest hacker community and security conference in Taiwan. He has received many prizes from domestic and international CTFs, as well as bug bounty programs. He has been a speaker at various conferences: HITCON, TROOPERS, CODE BLUE, IEEE GCCE, VXRL, DragonCon, etc.
Respond Before Incident - Building Proactive Cyber Defense Capabilities
Historically, incident response has long been considered an approach to managing the aftermath of security breaches once an incident occurs. Many organizations develop an IR process in the hope that nothing will ever happen. However, while the tactics and procedures of threat actors have evolved rapidly, and the cost of conducting attacks has become much lower nowadays, it is time to realize that “You Will be Compromised”.
In this talk, we aim to discuss the question “Why is traditional incident response not enough?”
We will present a real-world case study showing how we helped an organization in Taiwan mitigate the severe APT attacks from 4 attacker groups they had been facing over the past 2 years. With this case, we will explain how we transformed the defense mode from passive to proactive, and share the methodology of threat hunting and elimination.
Mitsuhiro Hatada has been engaged in research and development on cybersecurity at NTT Communications for over a decade. He is a member of NTT Com-SIRT and a Ph.D. student at Waseda University.
Cybersecurity Talent Development in NTT Group
Cybersecurity talent shortage is a common issue for many organizations. Towards the Tokyo 2020 Olympic and Paralympic Games, NTT has run an educational program and certification system for cybersecurity talent since 2015. Our talk covers the definitions of both job types and skill levels, training courses, the current status of certification, and further activities. In particular, we will share our experiences from developing a few technical training courses on our self-developed cyber range.
OSSLab CIO, 2012 & 2015 HITCON community speaker.
Analyzing the Vulnerabilities of Data Storage Systems and How to Defend Them
Foreword:
"A Taiwanese company's SSD controllers are reported to hide a backdoor; the China Banking Regulatory Commission has demanded an investigation." Is this true? Do storage devices have backdoors? If so, what is the actual situation, and how should we guard against it?
Outline:
Yoshihiro Ishikawa is a member of the Cyber Emergency Center of LAC, where he has been engaged in malware analysis and cyber threat intelligence. He is especially involved in analyzing incidents of Advanced Persistent Threat (APT) attacks. He presented "APT Campaign Targets Japanese Critical Infrastructure" at APCERT 2016.
Open Source as Fuel of Recent APT
Recently, there have been many APT attacks fueled by the use of open source tools.
We observed recent campaigns in 2017, and from that analysis we see that the use of open source tools is now very common practice. Open source tools such as the Metasploit Framework and PowerShell Empire are widely used, and some other customized open source tools (to be exposed in the presentation) are tailored to serve as APT malware infection triggers or payloads.
As for the targeted vectors, some campaigns target the Mac OS X and Windows platforms of specific industries. In the recent campaigns, some code-signing certificates were stolen and recycled for further attacks on subsequent targets across multiple platforms. Others target the education sector using fileless attacks via PowerShell.
In this presentation, we introduce the details of our research on these APTs, as well as their TTPs (Tools, Techniques, and Procedures), in the following order.
- Classification of the open source used for attacks:
There are plenty of open source tools used in APT attacks: one type of tool is used to trigger exploitation in the pre-infection stage, other tools are used for remote access post-infection, and some further open source code developed for malicious activities was used in the infection stage of APT cases. We will reveal these in the presentation for some specific OS platforms.
- Presentation of real APT cases:
We will present the persistence-triggered attack methods based on the real cases and events we investigated, and the flow from front-end attack to exploitation, from exploitation to infection, through to the data harvesting methods, along with the source of the tools and the details of the malicious activities detected.
- References:
At this point we will present a list of references for the open source tools that are widely used in the recent APT attacks mentioned in the two points above.
Sr. Vulnerability Researcher at Team T5. CTF player, won 2nd place at Defcon 22 & 25 as a member of team HITCON. Focuses on Linux and Android binary exploitation.
From Zer0 to Persistence - A Complete Exploit Chain against Samsung Galaxy S6
In this talk, we will demo an exploit chain that can remotely break KNOX protection on the Samsung Galaxy S6.
We used CVE-2016-3861, CVE-2016-5291 and a leaked document, Cadmium, to achieve remote root without tampering with the KNOX bit. The exploit starts with a URL; a user can be infected by just one click or by connecting to an untrusted network.
MIDEUM KIM, a researcher at KISA (Korea Internet & Security Agency), has experience in computer engineering, cyber incident response and Critical Infrastructure Protection. Currently, he is responsible for Critical Infrastructure protection and audit.
Critical Infrastructure Protection Policy and Strategy of Korea
Korea Internet & Security Agency (KISA) is a South Korean government agency under the Ministry of Science and ICT (MSIT), specializing in Internet security, critical infrastructure protection and information security industry development. KISA operates and audits critical infrastructure protection to secure it against cyberattack threats. Through this presentation, Mr. Kim would like to show the critical infrastructure protection policy and system of Korea.
BoB Digital Forensics Student
Light Up The Korean DarkWeb
Four students from South Korea teamed up in order to dig into the Korean DarkWeb.
There are a number of publications about the cyber underground, including the DarkWeb, covering the situation of the underground in many countries including Russia, the US, Germany, and Japan. But there is not so much information about cyber underground activities in the most connected country in the world, South Korea.
The team HGWT took on the challenge and discovered five DarkWeb forums in Korea as well as notorious activities in the Korean cyber underground part of the surface web.
In this talk, they will introduce specifics of the Korean cyber underground (including DarkWeb), share their approaches for investigations and discuss several case studies.
Team HGWT
The team HGWT (Dasom Kim, Sujin Lim, Sunghee Lim, Eunhee Jo) consists of four BoB students and is led by two mentors in the digital forensics field, Nikolay Akatyev (VP of Engineering at Horangi Cyber Security) and Hyeon Yu (Professor at Korean Police Investigation Academy).
BoB (Best of the Best) is a cyber security education program that fosters the next generation of security leaders in Korea, hosted by the Korea Information Technology Research Institute (KITRI) and supported by the Korean Government.
Philippe Lin is a threat researcher at Trend Micro. He works in data analysis, machine learning, fast prototyping and software defined radio. He was a BIOS engineer in Open Computing Project. Active in open source communities, he is also a hobbyist of Raspberry Pi and Arduino projects and one of the authors of Moedict-Amis, an open source dictionary of an Austronesian language.
The Age of Broken ATMs
We observed this year that attacks against Automatic Teller Machines went from theoretical research and impressive shows at conferences to a very practical method used by criminal groups to monetize their access to compromised networks within financial institutions. A number of cases that took place this year drew loud attention in the media, but the attacker methods and exploitation varied from one case to another. In this presentation we examine several cases of ATM breaches, including a well-known case that took place in Taiwan, but also cases in Russia, Kyrgyzstan and other Central Asian countries, as well as Spain and a number of other countries in Europe. We discuss attack vectors against ATM devices and the known methods which attackers utilize to abuse ATMs for the purpose of either information collection or cash withdrawal. We also discuss some of the methods the attackers used to infiltrate the target organizations and compromise the devices. We dive deeper to understand the ecosystem and the nature of the threat actors, and discuss the skills and tools available on the black market and the evolution of ATM threats.
My name is James Lee, an 18-year-old math geek who likes to mess around with some creative and cool stuff. I'm passionate about security vulnerability research, so I like to look under the hood of software.
Playing with IE11 ActiveX 0days
ActiveX is a feature that has been present in Internet Explorer almost since its inception, and it allows us to instantiate external objects.
We'll go through this feature and look into the way I discovered the vulnerability while I was playing around with it.
Myoungwon Lee (Superintendent of K-NPA) has served as a police officer in Korea for 20 years. After graduating from the Police University he has worked in a variety of fields and offices in the Korean Police. He worked as an investigator in the criminal investigation division, the transportation division and a special riot police unit. Now he is in charge of the Cyber Investigation Strategy Team in the National Police Agency. Just before coming to this position in 2017, he worked as a Computer Forensic Team leader.
His role as the team leader involved anti-cybercrime strategy and research and development for improving cyber investigation skills.
Recent Cases of Cyber Terror from North Korea
In the past, suspected hacking attempts by North Korea appeared intended to cause social disruption or steal classified military or government data, but the focus seems to have shifted in recent years to raising foreign currency. N. Korea has tried hard to develop hacking capabilities as one way of earning money under the strict international sanctions imposed on it. An ATM hacking case is one of the examples.
In Ming Loh is a Threat Hunter at Countercept, a 24/7 managed threat hunting service by MWR InfoSecurity. He currently holds OSCE and OSCP accreditation and was previously a software developer. His major interests are attack detection and prevention.
Threat Hunting, The New Way
Traditional methods of attack detection have failed us. Threat Hunting approaches the problem of attack detection from a new perspective, and seeks to find traces of attacker behavior with the assumption that networks are already compromised.
We’ll cover our approach for real-world threat hunting at scale, the key datasets required, and why threat hunting is such an important new development for threat detection. By sharing a range of the real-world attack scenarios we have personally encountered, we’ll show you how essential and effective it is to implement threat hunting scenarios in your detection strategy.
Finally, we’ll give you advice on how to start your own threat hunting journey within your organization.
By the end you’ll not only have an understanding of the concept of threat hunting, you’ll also know how to combine people, processes and technology to apply it yourself.
Philippe Lin is a threat researcher at Trend Micro. He works in data analysis, machine learning, fast prototyping and software defined radio. He was a BIOS engineer in Open Computing Project. Active in open source communities, he is also a hobbyist of Raspberry Pi and Arduino projects and one of the authors of Moedict-Amis, an open source dictionary of an Austronesian language.
Adversarial Machine Learning and Several Counter-Measures
Michael Ossmann is a wireless security researcher who makes hardware for hackers. Best known for the open source HackRF, Ubertooth, and GreatFET projects, he founded Great Scott Gadgets in an effort to put exciting, new tools into the hands of innovative people.
Your Ideas are Worthless
As the owner of an open source hardware company, I frequently encounter people who tell me why my business cannot possibly succeed. After six years of continuous growth, I would like to share my thoughts about why those people are wrong and how the mythology of invention affects perception. I’ll share lessons from my background as a hacker, researcher, open source developer, and business owner and discuss the past, present, and future of science, technology, and the value of ideas.
David Ong has over 20 years of professional experience and is widely recognized as an active professional in the process automation safety industries. He is a CFSE (Certified Functional Safety Expert) and obtained his MBA from the University of Louisville in 2002. He is a member of the advisory board of the CFSE Governance Board and the Founder of Excel Marco and Attila Cybertech. During the course of his career, he has executed many major projects in the Oil & Gas industry, both onshore and offshore, on Process Automation Safety & Control. He is well versed in the corporate standards and practices and has also helped to develop key product marketing specifications for safety PLCs and SIS (Safety Instrumented Systems). Over the years, he has maintained a focus on Safety PLC-related applications and was involved in conducting training on Functional Safety Standards and Practices. Earlier in his career, he was an instructor for several major brands of PLC and automation equipment. Having developed a strong interest in Cyber-Physical Systems (CPS), he set up Attila Cybertech to focus on Critical Information Infrastructure (CII) sectors. His principal work responsibilities include business development, major project management and training on safety and reliability standards and applications.
ICS/SCADA Cybersecurity and IT Cybersecurity: Comparing Apples and Oranges
Stuxnet made headlines in the OT (Operational Technology) world back in 2010. It was a wake-up call to those who never really thought an ICS (Industrial Control System) could be hacked, let alone cause severe damage to a nuclear plant in Iran.
Today, SCADA/ICS engineers are expected to design not only functional logic and safety logic but also system hardening for cybersecurity. Cybersecurity for ICS or OT poses different problems that are unlike those of Enterprise or IT Cybersecurity.
While Enterprise security prioritizes data in the order of CIA (Confidentiality, Integrity, Availability), ICS demands the reverse, i.e. AIC. Why is availability so important to ICS? Well, think of how important your heart pumping blood to various organs, including your brain, is. Stop for a few seconds and the consequences could be fatal.
Every piece of data is processed in real time. This 'data' consists of both sensor data and commands to output elements such as actuators, valves, motors, pumps, etc.
That means latency is a key factor, and intercepting such data to analyze it becomes challenging. Typically, it cannot afford to be delayed more than a few milliseconds. And even if suspicious data is detected, it cannot be filtered out, as any false positive could have dire consequences. Nothing shapes human behaviour to ignore a 'cry wolf' more than false alarms, even to the point of muzzling or bypassing the security mechanism.
Another aspect of OT is in the area of Functional Safety whereby safety interlocks, Emergency Shutdown System (ESD or SIS) are designed with Safety PLC. Can hackers penetrate the SIS from Process Control System (PCS)? Can malware propagate from PCS to SIS? Can cybersecurity impact safety?
Given that OT is a different animal, how can we secure OT? Are there effective ways to protect ICS from Cyber-attacks? Tune in to find out the current industrial practices and the shape of things to come.
Takehiro Ozaki is a Senior Research Engineer of NTT-CERT. He is in charge of threat intelligence.
Cybersecurity Talent Development in NTT Group
Vadim Pogulievsky is a Cyber Research Director for Verint. His current research focuses on Automatic Forensics techniques, but his interests also stray to digital forensics, data centers, web security, malware analysis, and exploits development. Prior to joining Verint, Pogulievsky managed security research groups at McAfee Labs, M86 Security, and Finjan.
Detecting the Intent, Not just the Technique: Changing the Mindset of Cyber Defense!
As cyber threats have evolved we are witnessing the rise of new defenses. However, these defense layers often lead to new problems. A lack of true integration makes it almost impossible to see the bigger picture and truly understand the attack. As a result, customers face endless streams of unrelated data, creating alert fatigue and too many false positives. A major shift is required in the mindset of cyber security vendors so they can create solutions that truly confront & neutralize contemporary attackers and their advanced attack methods.
In this keynote we will discuss the shift that cyber security vendors should make in order to build products that are valuable not only as silos but also as part of their customers' entire cyber security ecosystem. Finally, we will discuss the new techniques and technologies that are required for success.
Telecom Security Specialist, Positive Technologies
Kirill graduated from the Russian State University for the Humanities with a degree in comprehensive protection of information assets. He joined Positive Technologies in 2014 as an expert in telecommunication systems and network security. He researches signaling network security, participates in audits for international mobile operators, and takes part in PT Telecom Attack Discovery deployments and expert attack analysis. He is part of the team that revealed vulnerable points in popular two-factor authentication schemes using text messages and demonstrated how easy it is to compromise Facebook, WhatsApp, and Telegram accounts.
Attacks on Mobile Networks: Evolving Hackers' Techniques and Defenders' Oversights
The "walled garden" paradigm is outdated. Nearly all operators now admit that attackers have penetrated SS7 networks by exploiting a whole range of signaling network vulnerabilities.
Tracking subscriber location, obtaining call details, tapping, and intercepting text messages that contain security codes are the harsh reality we live in. However, mobile operators do not sit back. They address these threats by configuring hardware in the best possible way, deploying SMS Home Routing solutions to protect confidential data and fight SMS spam, and SS7 firewalls, which currently offer the highest level of network protection against attackers.
But the real world is far from this rosy picture. Our research, alongside security monitoring and audits, shows that attackers have learned how to skillfully bypass most of the known protection measures. In my presentation, I will address the following issues:
Telecom Security Expert, Positive Technologies.
Sergey was born in 1976. He graduated from Penza State University with a degree in automated data processing and management systems in 1998. Before joining Positive Technologies in 2012, he worked as a quality engineer at VimpelCom. As a security expert in telecommunication systems at Positive Technologies, he researches signaling network security and participates in audits for international mobile operators.
Sergey is also the main developer of the SS7 Vulnerability Scanner tool, a member of the Telecom Attack Discovery development team, and a co-author of Positive Technologies' annual reports on telecom security.
Attacks on Mobile Networks: Evolving Hackers' Techniques and Defenders' Oversights
Researcher and analyst with 7 years of experience.
Areas of expertise include advanced analysis in technology-related projects.
Interested in a job in the field of research and analysis of advanced technological concepts in the tech industry.
Put Something on the Internet - Get Hacked
For the past ~10 years Beyond Security has run a vulnerability disclosure program called SecuriTeam Secure Disclosure (SSD).
We work with researchers from around the world, acquire their findings and report them to the vendors / clients.
In the past year (2017) we had the opportunity to acquire and report more than 20 IoT vulnerabilities.
In the lecture we will talk about IoT security and why there are so many vulnerabilities in those products, and we will show different vulnerabilities found in products from well-known vendors.
At the end of the lecture we will give some good-practice advice: what you should do with your IoT devices.
Yan, Zardus, Professor Shoshitaishvili. Yan has filled a number of roles in the security community over the years: student, engineer, student again, captain of Shellphish, and now professor. In these roles, he strove to advance the state of the art in security and, occasionally, pwn noobs. He led Shellphish through the DARPA Cyber Grand Challenge, founded the angr binary analysis framework, and participated in CTFs around the world. Now, he is leading next-generation research efforts into binary analysis at Arizona State University, and is thinking heavily about how the world of information security can move forward most effectively.
All our Powers Combined: Connecting Academics, Engineers, and Hackers
The field of information security is a conglomeration of three distinct communities: security engineers working in industry, academic researchers sequestered in their universities, and enthusiastic hackers battling it out on the CTF floor. These communities have different motivations, priorities and expectations, and the various disconnects between them often lead to misunderstanding, conflict, and Twitter drama. While this is entertaining, it hampers progress in our field and allows security issues that could be addressed through the collaboration of these three communities to persist.
My name is Zardus, and I am an academic. However, due to the applied nature of my research and my extensive involvement in CTF, I have been observing (and often facilitating) interactions between the academic, industry, and enthusiast communities. I have seen our binary analysis framework, and other results of our research, applied in industry and in the CTF community. I have guided both CTFers and industry engineers in starting their academic careers, and I have guided students into industry and CTF. Through these experiences, I have built my own understanding of the different mindsets that these communities maintain, and developed hypotheses regarding the optimal ways that these communities can interact.
This talk will explore the commonalities, differences, and interactions of these communities. It’ll delve into the hopes and dreams of CTF enthusiasts, the aloofness of academics, and the no-nonsense attitudes of industry personnel. It’ll guide the audience through understanding not only the mindset of these groups, but will also provide a conceptual framework through which we can work together to advance the state of information security.
Raynold Sim joined LINE's Security Department as a Security Engineer in 2015. He is a member of the team running LINE's Security Bug Bounty Program. Sometimes, he hunts for security bugs in other bug bounty programs, too.
LINE Security Bug Bounty: A Closer Look
Bug Bounty Programs have been a hot topic in the security world. With bug bounty platforms becoming more popular, more companies all over the globe have been starting their own bounty programs to keep their services and user base secure. We will touch on the bug bounty scene in Japan and take an in-depth look at LINE's Bug Bounty program, which we have been running since 2015. In this talk, we will share a behind-the-scenes view of how we run our bug bounty program, explaining our motivations for why and how we do it, and the reflections and results of running a bug bounty program.
In 2008, Suguru joined Kaspersky Labs Japan as a researcher in the Japan office. He was in charge of collecting and analyzing threat information such as malware, spam and phishing in cyberspace. Subsequently, he joined the Global Research and Analysis Team (GReAT) APAC to research Advanced Persistent Threats (APT) and recent cyber threats in the APAC region.
The Bald Knight Rises
Kaspersky Lab has been tracking the XXMM (Trojan.Win32.Xxmm) malware family since January 2017. It is one of the cyber espionage campaigns targeting Japan.
The name comes from a program database path (.pdb) that suggests "xxmm" as the original project name. To date we have observed more than 300 samples, including core malware components, extra modules and related malware. The XXMM family seems to be used mainly against targets in Japan and South Korea. The actor uses around 50 compromised websites as C2s, with IP addresses located in the targeted countries.
Previously this activity was referred to by the names of the malware it used, such as "Tick", "BronzeButler", "ShadowWali" or "Daserf". The actor keeps changing its tools, so we decided to use a more generic name. We named this campaign "The Bald Knight" after the malware builder's icon, which was taken from "The Dark Knight Rises" movie poster and altered by removing the knight's protruding ears, leaving him with a bald head.
This actor used several anti-research techniques, such as in-memory execution, a second-stage backdoor, anti-reversing, anti-AV, whitelisting of target IPs on the C2 server and steganography. Earlier this year we published a blog post about a unique anti-AV technique used in this actor's recent activities, "Old Malware Tricks To Bypass Detection in the Age of Big Data" (https://securelist.com/old-malware-tricks-to-bypass-detection-in-the-age-of-big-data/78010/).
We believe that this cyber espionage campaign is still seriously attacking Japan, because one of its infection vectors was a vulnerability found in domestic management software used by the government, public-related offices and government-affiliated organizations in Japan.
This presentation elucidates the methods and strategy of "the Bald Knight Rises" campaign based on the results of technical analysis of their cyber weapons, and introduces their recent activities.
Are you visible? – TEPCO’s Challenge for “Visibility” on Security Management (and Security Professionals)
“Security is very difficult and troublesome to understand. Our security team can probably handle everything.” That is the typical apathy of business teams, and sometimes the security side itself makes good use of this negative idea. No, no. We security professionals should prove clearly that we are useful to everyday business in risk management. From this point, security professionals must take off the hoodie, stop slouching and try to increase our “Visibility” ourselves. How can we make our daily work, responsibilities and professional skills visible? TEPCO-Security shares our experiences and ideas for the headache(s) in our community.
Michal Thim is a cyber policy and security specialist with the Strategic Information and Analysis Unit, the National Cyber and Information Security Agency of the Czech Republic. His main focus is military and security developments in Western Pacific both in cyber and physical domains, including developments in cyber security and cyber warfare capabilities of China, Taiwan, DPRK, and other regional stakeholders, and analysis of Asia-based APT groups. He has been active for over a decade, in various capacities, in researching Taiwan’s defense and security, cross-strait relations, and territorial and maritime disputes in Northeast and Southeast Asia. Michal’s work has appeared in The Diplomat, The National Interest, China Policy Institute blog, Thinking Taiwan, Strategic Vision for Taiwan Security, South China Morning Post, Jamestown Foundation’s China Brief, and elsewhere. Michal tweets at @michalthim.
Improving Cybersecurity through Non-Technical Exercises and In-House Strategic Analysis: View from the Czech Republic
Cyber exercises, particularly those aimed at the decision-making process, and in-house strategic analysis are two distinct but intertwined elements of enhancing cybersecurity through measures that are non-technical in nature. The former presents decision-makers with life-like situations to test their reactions to an ensuing cybersecurity incident; the latter strives to provide them with the best available contextual intelligence on a cyber incident, alongside the related technical analysis provided by CERT analysts. These two elements serve a common cause: well-informed decision-makers who can make the right call in response to a severe cyber-attack on critical information infrastructure or to actions of hostile state actors in cyberspace.
Decisions come with political costs, which may incentivize risk-averse behavior even if the situation calls for bolder decision making, which is not necessarily unreasonable. From the decision-making perspective, any such move invokes legal and political considerations that might not always be apparent on the operational side of the incident response. Exercises that are designed to simulate the reality of a severe cyber incident need to address these challenges. The in-house strategic analysis team's role is to support technical teams and incident response teams by proactively informing the leadership about emerging threats in cyberspace. Furthermore, strategic analysts provide timely contextual analysis that briefs the decision-maker on the political, security, and legal elements surrounding an ongoing or recently discovered cyber security incident.
The presenter will outline the decision-making process and how exercises aim to make the process as bump-free as possible, present what is meant by strategic analysis in the context of a cyber-security organization, and introduce the sets of legal and political issues that hinder a timely response to a cyber-attack, with the help of selected case studies.
Sung-ting Tsai (TT) is the leader of Team T5 Research. They monitor, analyze, and track cyber threats throughout the Asia Pacific region. His major areas of interest include document exploits, malware detection, sandbox technologies, system vulnerability and protection, web security, cloud, and virtualization technology. He is especially interested in new vulnerabilities in new technologies, and frequently presents the team's research at security conferences such as Black Hat, HITCON, and Syscan. He and Ming-chieh are members of the CHROOT security group in Taiwan. Sung-ting (TT) is also the organizer of HITCON, the largest technical security conference in Taiwan.
Respond Before Incident - Building Proactive Cyber Defense Capabilities
Historically, incident response has long been considered an approach to managing the aftermath of a security breach once an incident occurs. Many organizations develop an IR process in the hope that nothing will ever happen. However, as attackers' tactics and procedures have evolved rapidly and the cost of conducting attacks has become much lower, it is time to realize that “You Will Be Compromised”.
In this talk, we aim to discuss the question “Why is traditional incident response not enough?”
We will present a real-world case study showing how we helped an organization in Taiwan mitigate the severe APT attacks from 4 attacker groups it faced over the past 2 years. With this case, we will explain how we transformed the defense mode from passive to proactive, and share our methodology for threat hunting and elimination.
Security Engineer, currently working in vulnerability management, vulnerability assessment, networking, configuration management and risk management in the financial industry. Fluent in Mandarin and English.
How to Construct a Sustainable Vulnerability Management Program
Whether you are ethical, unethical or halfway in between, vulnerabilities will never stop being found by you and your mates. Finding a 0day after months of hard work is definitely rewarding, but have we thought about the folks who work on the other side, who have to protect the keys and decide which one to patch? Well, this talk is about that. Heartbleed (CVE-2014-0160), Shellshock (CVE-2014-6271), Stagefright, the POODLE attack (CVE-2014-3566), weak SSL/TLS ciphers, the good ole Conficker (CVE-2008-4250), and… wait, how about MS17-010? These six vulnerabilities are the most well-known; which one do you tell your IT admin teams to patch first? How do you prioritize them in a multi-billion-dollar corporation with thousands of endpoints? Do you know where they are? Can you fix them all? Or which vulnerability should you risk-accept?
This talk is about building a sustainable vulnerability management (VM) program to answer the questions above and other vulnerability management questions, and how to build a program that scales from a small company to a large one.
Wei Chea is a Senior Threat Hunter at Countercept, a 24/7 managed threat hunting service by MWR InfoSecurity. He has eight years of experience in information security and has worked in security operations and threat hunting for two global Fortune 200 organizations.
Threat Hunting, The New Way
Traditional methods of attack detection have failed us. Threat Hunting approaches the problem of attack detection from a new perspective, and seeks to find traces of attacker behavior with the assumption that networks are already compromised.
We’ll cover our approach to real-world threat hunting at scale, the key datasets required, and why threat hunting is such an important new development for threat detection. By sharing a range of the real-world attack scenarios we have personally encountered, we’ll show you how essential and effective it is to incorporate threat hunting scenarios into your detection strategy.
Finally, we’ll give you advice on how to start your own threat hunting journey within your organization.
By the end you’ll not only have an understanding of the concept of threat hunting, you’ll also know how to combine people, processes and technology to apply it yourself.
Daoyuan Wu is a PhD candidate at Singapore Management University (SMU). He has accumulated 10 years' experience in the computer security area and currently conducts mobile security research. He likes to build automatic analysis tools and identify new classes of vulnerabilities. He has published ten academic papers and was the first reporter of content provider vulnerabilities in many popular Android apps (over 60 CVEs). He has won bug bounties from top vendors including Facebook, Yahoo, Mail.Ru, Yandex, Baidu, Tencent, Alibaba, and Qihoo 360. Besides app vulnerabilities, he reported one system issue in Android (CVE-2014-7224) and one in iOS (CVE-2015-5921, with an Apple iOS 9 acknowledgement).
Cross-Platform Analysis of Indirect File Leaks in Android and iOS Applications
Today, much of our sensitive information is stored inside mobile applications (apps), such as browsing histories and chat logs. To safeguard these private files, modern mobile systems, notably Android and iOS, use sandboxes to isolate apps' file zones from one another. However, I will show in my talk that these private files can still be leaked by indirectly exploiting components that are trusted by the victim apps. In particular, we devise new indirect file leak (IFL) attacks that exploit browser interfaces, command interpreters, and embedded app servers to leak data from very popular apps, such as Evernote and QQ. Unlike previous attacks, we demonstrate that these IFLs can affect both Android and iOS. Moreover, our IFL methods allow an adversary to launch the attacks remotely, without implanting malicious apps on victims' smartphones. We finally compare the impacts of four different types of IFL attacks on Android and iOS, and propose several mitigation methods.
Jong-Shian Wu is a researcher at National Taiwan University, working on topics related to cryptographic engineering. He enjoys studying how programs, languages, protocols, and computer systems actually work, and is particularly interested in real-world applications of cryptography.
KRACK & ROCA
KRACK (Key Reinstallation Attack) is a security weakness in WPA2 discovered by Mathy Vanhoef et al. This weakness in the WPA2 protocol design and its implementations allows attackers in physical proximity to hijack the "encrypted" channel between a supplicant and a Wi-Fi AP. Both personal networks and enterprise networks are affected.
ROCA (The Return of Coppersmith's Attack) is a security vulnerability in an RSA firmware library discovered by Matus Nemec et al. The flawed library, from a major manufacturer of cryptographic hardware, is widely deployed in security tokens, smart cards, electronic ID cards, TPMs, etc. Since prime numbers generated by the flawed library have insufficient entropy and a specific structure, attackers can easily identify and factorize RSA public keys that were generated from affected devices.
In this talk, we will explain how KRACK and ROCA work and some important lessons we should learn from them.
Fyodor is a researcher at Trend Micro, an incident investigation volunteer at Academia Sinica and a Ph.D. candidate at EE, National Taiwan University. He is an early Snort developer, an open source evangelist and a "happy" programmer. Fyodor's professional experience includes over eight years as an information security analyst responding to network security breaches and conducting remote network security assessments and network intrusion tests for the majority of regional banking, finance, semiconductor and telecommunication organizations. Fyodor is an active member of the local security community and has spoken at a number of conferences regionally and globally.
The Age of Broken ATMs
We observed this year that attacks against Automatic Teller Machines went from theoretical research and impressive shows at conferences to a very practical method used by criminal groups to monetize their access to compromised networks within financial institutions. A number of cases that took place this year got loud attention in the media, but the attacker methods and exploitation varied from one case to another. In this presentation we examine several cases of ATM breaches, including the well-known case that took place in Taiwan, as well as cases in Russia, Kyrgyzstan and other Central Asian countries, Spain and a number of other countries in Europe. We discuss attack vectors against ATM devices and the known methods attackers utilize to abuse ATM machines for the purpose of either information collection or cash withdrawal. We also discuss some of the methods the attackers used to infiltrate the target organizations and compromise the devices. We dive deeper to understand the ecosystem and the nature of the threat actors, discuss the skills and tools available on the black market, and trace the evolution of ATM threats.
BoB Digital Forensics Mentor
Light Up The Korean DarkWeb
Four students from South Korea teamed up in order to dig into the Korean DarkWeb.
There are a number of publications about the cyber underground, including the DarkWeb, covering the situation in many countries including Russia, the US, Germany, and Japan. But there is not much information about cyber underground activities in the most connected country in the world, South Korea.
The team HGWT took on the challenge and discovered five DarkWeb forums in Korea, as well as notorious activities in the Korean cyber underground on the surface web.
In this talk, they will introduce specifics of the Korean cyber underground (including DarkWeb), share their approaches for investigations and discuss several case studies.
Team HGWT
The team HGWT (Dasom Kim, Sujin Lim, Sunghee Lim, Eunhee Jo) consists of four BoB students and is led by two mentors in the digital forensics field, Nikolay Akatyev (VP of Engineering at Horangi Cyber Security) and Hyeon Yu (Professor at Korean Police Investigation Academy).
BoB (Best of the Best) is a cyber security education program that fosters the next generation of security leaders in Korea; it is hosted by the Korea Information Technology Institute (KITRI) and supported by the Korean Government.