John Bambenek

Manager of Threat Systems
at Fidelis Cybersecurity

ch0upi

Technical Manager, Core Technology Department,
Trend Micro

Fernando Diaz

Malware Analyst at
Hispasec/Koodous

Chen-yu Dai (GD)

CTO at Team T5 Research

KIM, MIDEUM

Researcher of KISA

James Lee

18 years old math geek

LEE, MYOUNG WON

Superintendent of K-NPA

Philippe Lin

Senior Researcher at Trend Micro

In Ming Loh

Threat Hunter at Countercept

miaoski

Senior Researcher at Trend Micro

Michael Ossmann

Wireless Security Researcher

David Ong

Certified Functional Safety Expert

PK

Kirill Puzankov

Telecom Security Specialist

Sergey Puzankov

Telecom Security Expert

Raynold Sim

Security Engineer at LINE

Suguru

Researcher of
Kaspersky Labs Japan

Qinghao Tang

Speaker of Pacsec 2015,
Syscan 2016, hitb 2016, and
CanSecWest 2017

Michal Thim

Cyber Policy and Security Specialist

Sung-ting Tsai (TT)

Leader of Team T5 Research

Howard Tsui

Security Engineer

wj

Senior Threat Hunter at Countercept

Daoyuan Wu

PhD candidate at SMU

Fyodor Yarochkin

Researcher at Trend Micro

John Bambenek

profile

John Bambenek is Manager of Threat Systems at Fidelis Cybersecurity, Lecturer in the Departments of Computer Science and Information Science at the University of Illinois at Urbana-Champaign and a handler with the SANS Internet Storm Center. He has over 18 years' experience in information security and leads several international investigative efforts tracking cybercriminals, some of which have led to high-profile arrests and legal action. He specializes in disruptive activities designed to greatly diminish the effectiveness of online criminal operations. He produces some of the largest bodies of open-source intelligence used by thousands of entities across the world.

topic

Building a Public RPZ Service to Protect the World's Consumers

Building a Public RPZ Service to Guard the World

intro.

There are a variety of options when enterprises want to get protection for themselves. If you want to protect small offices or consumers, your choice is basically just to buy anti-virus. The problem is that until we solve the problem of most of the internet not being behind enterprises and thus unprotected, we still will face major outbreaks, DDoS, and risks from Bring-Your-Own-Devices (BYoD).
By using some basic open-source tools built into DNS with Response Policy Zones (RPZ), it becomes possible to provide protection to the consumer internet space and begin to significantly disrupt criminal operations against the public.
This talk will cover building one of the world's first public RPZ servers to provide service to CERTs and consumer ISPs to start to tackle the vast majority of the unsecured internet. Details on how to access and deploy the data for free from this service will be given as part of the talk.

When enterprises want to protect themselves, there are very many options. If you want to protect consumers or small offices, your only real option is to buy anti-virus software. The problem is that until we solve the fact that most of the internet is not inside large enterprises and is therefore unprotected, we still have to face many dangers: DDoS, the risks of bring-your-own-device, and so on.
By using some basic open-source tools with DNS and RPZ, we can protect the consumer internet and start to significantly disrupt criminal activity against the public.
This talk will cover building the world's first public RPZ service to serve CERTs, consumer ISPs and the rest of the largely unsecured internet; it will also include details on how to access this service for free and how to distribute its data.

ch0upi

profile

Ricky Chou (ch0upi) is a staff engineer at Trend Micro. He works in data analysis, threat intel services, and problem solving with AI/ML.
Ricky and his teammates also placed in the top 10 in KDDCup 2014 and 2016, the world's leading data mining and knowledge discovery competition. He also took part in Trend Micro's computer Go project, GoTrend, which took 6th place in the UEC Cup 2015.

Ricky Chou (ch0upi) is a technical manager in Trend Micro's Core Technology Department.
His work focuses on data analysis, threat intelligence services, and applying artificial intelligence and machine learning to solve practical problems.
He took part in KDDCup, the world's best-known data mining competition, in 2014 and 2016, placing in the top 10 both times.
He also took part in Trend Micro's computer Go AI project, GoTrend, which took 6th place in the UEC Cup, the Japanese computer Go competition, in 2015.

topic

Adversarial Machine Learning and Several Counter-Measures

Adversarial Machine Learning and Its Countermeasures

intro.

Machine Learning (ML) and Deep Learning have become very popular in recent years. They solve many problems considered very difficult in the past, such as face recognition, image classification, unknown virus detection, cyber attack detection, etc. Therefore, more and more security products have started to use machine learning solutions for detection.
However, many of those security products using machine learning algorithms could introduce unexpected vulnerabilities. In this talk we will focus on how to attack, cheat and steal the machine learning model and redirect the target of the attack by using the stolen model. The speaker will introduce the concepts and attack methods on image classification, PDF and binary detection, demonstrate the attacks, and provide some ways to defend against these kinds of attacks.

Machine learning (ML) and deep learning have advanced rapidly in recent years, solving problems previously regarded as very hard, such as face recognition, image classification, unknown virus detection and network attack detection; as a result, more and more security products use machine learning as their solution. But using ML algorithms in products may bring some unexpected vulnerabilities. This talk will focus on how to attack, deceive and steal machine learning models, and steer a model's recognition results toward a target chosen by the attacker. The author will introduce several attack techniques and principles against image recognition, binary and PDF detection, demonstrate practical attacks, and propose defenses and practical recommendations.

Agenda:

  • Pure machine-learning anti-virus and Hello World
  • Several examples of machine learning and deep learning
  • Examples of attacks on machine learning
  • Techniques and principles of attacking machine learning
    • Evasion
    • Poisoning
    • Stealing
  • Attack demos
    • Images
    • Binary
    • PDF
  • Defenses
  • Conclusion

Fernando Diaz

profile

Malware Analyst at Hispasec/Koodous. Focused on the banking threats landscape, especially Android banking Trojans as well as Windows-based ones. Interested in hunting botnets, malware analysis, reverse-engineering, and developing distributed environments.

topic

Analyzing Bankbot, a Mobile Banking Botnet

Analyzing the Mobile Banking Trojan Bankbot

intro.

Maza-in, better known as Bankbot, is an Android banking Trojan that gained popularity with its release in an underground forum. At the beginning, its targets were mostly Russian and Ukrainian entities, as well as payment processors such as PayPal, but it quickly broadened its targets to different countries, especially European ones.
Despite having other banking Trojans on the table, such as Mazarbot and Marcher, Bankbot has made it into the Google Play Store not once but a total of three times that we are aware of.
Having myself caught one of these banking Trojans live in Google's Play Store, I gained interest in studying how it bypassed Google's security measures and made it through to the official Android store, and in its different botnet components.
In this talk we are going to talk widely about Bankbot, covering many aspects of the threat. First, its behavior: the server-side structure of the botnet, how it communicates with the victim, as well as how to get around these communications, forcing the botnet to return to us the list of affected entities.
Also, the Android component will be studied, taking into account the stealing techniques it uses and how it evolved, not only to target Android banking applications but also browsers, based on the bookmarks installed. We'll have a brief overview of the libraries that some samples include, along with their functionality. The whole infection process will be described, from initial steps to credential theft.
Additionally, we will have an overview of the component that made it through the Google Bouncer and got published into the store, including a quick look at the different countries targeted by this family since the beginning of the attack.
Finally, we will learn how to identify the sample through Yara rules, as well as known changes made to the server file structure that help us identify these samples.

Maza-in, better known as Bankbot, is an Android banking Trojan; as soon as it was released on an underground forum it quickly gathered popularity. At first its targets were mostly in Russia and Ukraine, as well as payment platforms such as PayPal, but it quickly extended its targets to other countries, especially in Europe.
Although there are other banking Trojans on the table such as Mazarbot and Marcher, Bankbot has successfully made it into the Google Play Store more than once; we have noticed three occurrences alone.
After I myself caught this banking Trojan in the Google Play Store, I became interested in how it and its various botnet components bypassed Google's security checks and got published.
In this talk we will discuss the many facets of the Bankbot threat, including its behavior, the server-side architecture of the botnet, its communication with victims, and how to use those channels to retrieve the list of affected entities.

Chen-yu Dai (GD)

profile

Chen-yu Dai (GD) is CTO at Team T5 Research, providing Digital Forensics & Incident Response services, developing Threat Intelligence Programs and Platforms, and consulting on enterprise cyber defenses. He also volunteered as deputy coordinator of HITCON, the largest hacker community and security conference in Taiwan. He has received many prizes from domestic and international CTFs, as well as bug bounty programs. He has been a speaker at various conferences: HITCON, TROOPERS, CODE BLUE, IEEE GCCE, VXRL, DragonCon etc.

topic

Respond Before Incident - Building Proactive Cyber Defense Capabilities

Respond Before the Incident: Building Proactive Cyber Defense Capabilities

intro.

Historically, incident response has long been considered an approach to managing the aftermath of security breaches when an incident occurs. Many organizations develop an IR process in the hope that nothing will ever happen. However, while the tactics and procedures of threat attackers have evolved rapidly, and the cost of conducting attacks has become much lower nowadays, it is time to realize that "You Will be Compromised".
In this talk, we aim to discuss the question "Why is traditional incident response not enough?"
We will present a real-world case study showing how we helped an organization in Taiwan mitigate the severe APT attacks from 4 attacker groups they were facing in the past 2 years. With this case, we will explain how we transformed the defense mode from passive to proactive, and share the methodology of threat hunting and elimination.

Traditionally, incident response has long been considered a means of after-the-fact management once a security incident has occurred; many organizations develop an incident response process and pray that nothing happens. However, attackers' tactics and techniques are advancing daily and the cost of launching an attack keeps falling; it is time to face the reality that "you will be compromised".
In this talk we will discuss the question "Why is traditional incident response not enough?"
We will use a real-world case study to show how we helped an organization in Taiwan mitigate advanced persistent threats launched by four attack groups over the past two years. Through this case we will explain how we moved from passive to proactive defense, and share our methods for hunting and eliminating threats.

KIM, MIDEUM

profile

MIDEUM KIM, a researcher at KISA (Korea Internet & Security Agency), has experience in computer engineering, cyber incident response and Critical Infrastructure Protection. Currently, he is responsible for critical infrastructure protection and audits.

topic

Critical Infrastructure Protection Policy and Strategy of Korea

Korea's Critical Infrastructure Policy

intro.

Korea Internet & Security Agency (KISA) is a South Korean government agency under the Ministry of Science and ICT (MSIT), specializing in Internet security, critical infrastructure protection and information security industry development. KISA operates and audits to secure critical infrastructure against cyberattack threats. Through this presentation, Mr. Kim would like to show the critical infrastructure policy and system of Korea.

The Korea Internet & Security Agency (KISA) sits under Korea's Ministry of Science, ICT and Future Planning (MSIT) and focuses on internet security, critical infrastructure, and promoting the internet security industry. KISA carries out operational and audit duties to protect Korea's critical infrastructure from the threat of cyberattacks.

James Lee

profile

My name is James Lee, an 18-year-old math geek who likes to mess around with creative and cool stuff. I'm passionate about security vulnerability research, so I like to look under the hood of software.

topic

Playing with IE11 ActiveX 0days

Playing with IE11 ActiveX 0-days

intro.

ActiveX is a feature that has been present in Internet Explorer almost since its inception, and it allows us to instantiate external objects.
We'll go through this feature and look into the way I discovered the vulnerability while playing around with it.

ActiveX has accompanied IE since its early days and provides the ability to operate external components from within the browser. Here we will show how to play with IE11 through ActiveX vulnerabilities.

LEE, MYOUNG WON

profile

Myoungwon Lee (Superintendent of K-NPA) has served as a police officer in Korea for 20 years. After graduating from the Police University he has worked in a variety of fields and offices in the Korean Police. He worked as an investigator in the criminal investigation division, the transportation division and a special riot police unit. Now he is in charge of the Cyber Investigation Strategy Team in the National Police Agency. Just before coming to this position in 2017, he worked as a Computer Forensic Team leader.
His role as the team leader involved anti-cybercrime strategy and research and development for improving cyber investigation skills.

topic

Recent Cases of Cyber Terror from North Korea

Case Analysis: Cyber Terror Attacks from North Korea

intro.

In the past, suspected hacking attempts by North Korea appeared intended to cause social disruption or steal classified military or government data, but the focus seems to have shifted in recent years to raising foreign currency. N. Korea has tried hard to develop hacking capabilities as one way of earning money under the strict international sanctions imposed on them. An ATM hacking case is one of the examples.

In the past, suspected cyberattacks from North Korea usually aimed to undermine social confidence and steal national military secrets. In recent years, however, the attacks seem to have shifted toward speculating in the foreign exchange market. North Korea has put much effort into launching cyberattacks to earn foreign currency in response to international economic sanctions; the recent ATM attack incidents are one example.

Philippe Lin

profile

Philippe Lin is a threat researcher at Trend Micro. He works in data analysis, machine learning, fast prototyping and software defined radio. He was a BIOS engineer in Open Computing Project. Active in open source communities, he is also a hobbyist of Raspberry Pi and Arduino projects and one of the authors of Moedict-Amis, an open source dictionary of an Austronesian language.

miaoski is a senior researcher at Trend Micro; his main research directions are data analysis, machine learning, prototyping and software-defined radio (SDR). He was a BIOS engineer on the Open Computing Project (OCP), and in his spare time works on g0v projects as well as other Raspberry Pi and Arduino projects; see github.com/miaoski for details.

topic

The Age of Broken ATMs

The ATMs They Robbed in Those Years

intro.

We observed this year that the attacks against Automatic Teller Machines went from theoretical research and impressive shows at conferences to a very practical method used by criminal groups to monetize their access to compromised networks within financial institutions. A number of cases that took place this year got loud attention in the media, but the attacker methods and exploitation varied from one case to another. In this presentation we examine several cases of ATM breaches, including the well-known case that took place in Taiwan, but also Russia, Kyrgyzstan and other Central Asian countries as well as Spain and a number of other countries in Europe. We discuss attack vectors against ATM devices and known methods which the attackers utilize to abuse ATM machines for the purpose of either information collection or cash withdrawal. We also discuss some of the attack methods the attackers used to infiltrate the target organizations and compromise the devices. We dive deeper to understand the eco-system and the nature of the threat actors, discuss the skills and tools available on the black market and the evolution of ATM threats.

Over these years we have observed attacks on ATMs evolve from academic theory and flashy conference demonstrations into a way for criminal groups to break into financial institutions' networks and profit from them. In recent years numerous attack cases have appeared in the media spotlight, and the attackers' techniques have advanced accordingly. In this talk we will present the many ATM attack techniques of recent years, covering not only the well-known Taiwan ATM incident but also cases in Russia, Kyrgyzstan, many Middle Eastern countries, Spain and some European countries.

In Ming Loh

profile

In Ming Loh is a Threat Hunter at Countercept, a 24/7 managed threat hunting service by MWR InfoSecurity. He currently holds OSCE and OSCP accreditation and was previously a software developer. His major interests are attack detection and prevention.

topic

Threat Hunting, The New Way

A New Approach to Threat Hunting

intro.

Traditional methods of attack detection have failed us. Threat Hunting approaches the problem of attack detection from a new perspective, and seeks to find traces of attacker behavior with the assumption that networks are already compromised.
We’ll cover our approach for real world threat hunting at scale, the key datasets required, and why threat hunting is such an important new development for threat detection. By sharing a range of the real world attack scenarios we have personally encountered, we’ll show you how essential and effective it is to implement threat hunting scenarios into your detection strategy.
Finally, we’ll give you advice on how to start your own threat hunting journey within your organization.
By the end you’ll not only have an understanding of the concept of threat hunting, you’ll also know how to combine people, processes and technology to apply it yourself.

Traditional methods of attack detection are not viable. Threat hunting not only offers a new direction for attack detection, it also tracks down attackers on the premise that the network has already been breached.
We will use real cases to discuss why threat hunting is a new form of attack detection. Through real-world attack cases we have encountered, we will show why threat hunting is a necessary and effective way to detect attacks.
Finally, we will advise you on how to start building your own threat hunting approach to protect your organization.
You will not only gain the fundamentals of threat hunting, you will also learn how to combine people, processes and technology to build your own threat hunting capability.

miaoski

profile

Philippe Lin is a threat researcher at Trend Micro. He works in data analysis, machine learning, fast prototyping and software defined radio. He was a BIOS engineer in Open Computing Project. Active in open source communities, he is also a hobbyist of Raspberry Pi and Arduino projects and one of the authors of Moedict-Amis, an open source dictionary of an Austronesian language.

miaoski is a senior researcher at Trend Micro; his main research directions are data analysis, machine learning, prototyping and software-defined radio (SDR). He was a BIOS engineer on the Open Computing Project (OCP), and in his spare time works on g0v projects as well as other Raspberry Pi and Arduino projects; see github.com/miaoski for details.

topic

Adversarial Machine Learning and Several Counter-Measures

Adversarial Machine Learning and Its Countermeasures

intro.

Machine Learning (ML) and Deep Learning have become very popular in recent years. They solve many problems considered very difficult in the past, such as face recognition, image classification, unknown virus detection, cyber attack detection, etc. Therefore, more and more security products have started to use machine learning solutions for detection.
However, many of those security products using machine learning algorithms could introduce unexpected vulnerabilities. In this talk we will focus on how to attack, cheat and steal the machine learning model and redirect the target of the attack by using the stolen model. The speaker will introduce the concepts and attack methods on image classification, PDF and binary detection, demonstrate the attacks, and provide some ways to defend against these kinds of attacks.

Machine learning (ML) and deep learning have advanced rapidly in recent years, solving problems previously regarded as very hard, such as face recognition, image classification, unknown virus detection and network attack detection; as a result, more and more security products use machine learning as their solution. But using ML algorithms in products may bring some unexpected vulnerabilities. This talk will focus on how to attack, deceive and steal machine learning models, and steer a model's recognition results toward a target chosen by the attacker. The author will introduce several attack techniques and principles against image recognition, binary and PDF detection, demonstrate practical attacks, and propose defenses and practical recommendations.

Agenda:

  • Pure machine-learning anti-virus and Hello World
  • Several examples of machine learning and deep learning
  • Examples of attacks on machine learning
  • Techniques and principles of attacking machine learning
    • Evasion
    • Poisoning
    • Stealing
  • Attack demos
    • Images
    • Binary
    • PDF
  • Defenses
  • Conclusion

Keynote Speaker
Michael Ossmann

profile

Michael Ossmann is a wireless security researcher who makes hardware for hackers. Best known for the open source HackRF, Ubertooth, and GreatFET projects, he founded Great Scott Gadgets in an effort to put exciting, new tools into the hands of innovative people.

Michael Ossmann is a wireless security researcher who makes hardware for hackers, best known for open-source projects such as HackRF, Ubertooth and GreatFET. He founded Great Scott Gadgets while trying to develop exciting new tools for innovative people.

topic

Your Ideas are Worthless

Your Ideas Are Worthless

intro.

As the owner of an open source hardware company, I frequently encounter people who tell me why my business cannot possibly succeed. After six years of continuous growth, I would like to share my thoughts about why those people are wrong and how the mythology of invention affects perception. I’ll share lessons from my background as a hacker, researcher, open source developer, and business owner and discuss the past, present, and future of science, technology, and the value of ideas.

As the owner of an open source hardware company, there are always people who want to tell me why they think my business is doomed to fail. After six years of continuous growth, I want to share some thoughts on why those people are wrong, and on how the mythology of invention shapes our perceptions. Drawing on my background as a hacker, researcher, open source developer and business owner, I will share lessons from those experiences and discuss the past, present and future of science, technology and the value of ideas.

David Ong

profile

David Ong has over 20 years of professional experience and is widely recognized as an active professional in the process automation safety industries. He is a CFSE (Certified Functional Safety Expert) and obtained his MBA from the University of Louisville in 2002. He is a member of the advisory board of the CFSE Governance Board and the Founder of Excel Marco and Attila Cybertech. During the course of his career, he has executed many major projects in the Oil & Gas industry, both onshore and offshore, on Process Automation Safety & Control. He is well versed in corporate standards and practices and has also helped to develop key product marketing specifications for safety PLCs and SIS (Safety Instrumented Systems). Over the years, he has maintained a focus on safety PLC related applications and has been involved in conducting training on Functional Safety Standards and Practices. Earlier in his career, he was an instructor for several major brands of PLC and automation equipment. Having developed a strong interest in Cyber-Physical Systems (CPS), he set up Attila Cybertech to focus on Critical Information Infrastructure (CII) sectors. His principal work responsibilities include business development, major project management and training on safety and reliability standards and applications.

topic

ICS/SCADA Cybersecurity and IT Cybersecurity: Comparing Apples and Oranges

Apples and Oranges: ICS/SCADA vs IT Cybersecurity

intro.

Stuxnet made headlines in the OT (Operational Technology) world back in 2010. It was a wake-up call to those who never really thought ICS (Industrial Control Systems) could be hacked, let alone cause severe damage to a nuclear plant in Iran.
Today, SCADA/ICS engineers are expected to design not only functional logic and safety logic but also system hardening for cybersecurity. Cybersecurity for ICS or OT poses different problems that are unlike those of Enterprise or IT Cybersecurity.
While Enterprise security prioritizes data in the order of CIA (Confidentiality, Integrity, Availability), ICS demands the reverse, i.e. AIC. Why is availability so important to ICS? Well, think of how important your heart pumping blood to various organs, including your brain, is. Stop for a few seconds and the consequences could be fatal.
Every piece of data is processed in real-time. These 'data' consist of both sensor data and commands to output elements such as actuators, valves, motors and pumps etc.
That means latency is a key factor, and intercepting such data for analysis becomes challenging. Typically, it cannot afford to be delayed more than a few milliseconds. And even if suspicious data is detected, it cannot be filtered out, as any false positive could have dire consequences. Nothing shapes human behaviour to ignore a 'cry wolf' more than false alarms, even to the point of muzzling or bypassing the security mechanism.
Another aspect of OT is in the area of Functional Safety whereby safety interlocks, Emergency Shutdown System (ESD or SIS) are designed with Safety PLC. Can hackers penetrate the SIS from Process Control System (PCS)? Can malware propagate from PCS to SIS? Can cybersecurity impact safety?
Given that OT is a different animal, how can we secure OT? Are there effective ways to protect ICS from cyber-attacks? Tune in to find out the current industrial practices and the shape of things to come.

Stuxnet made headlines in the operational technology (OT) world in 2010. It woke up those who thought industrial control systems (ICS) could never be hacked, and caused serious damage to a nuclear plant in Iran.
Today, SCADA/ICS engineers are expected not only to design functional and safety logic but also to harden systems for information security. The problems faced by ICS or OT security are quite different from those of enterprise or IT security.
Enterprises rank data security requirements in the order confidentiality, integrity, availability (CIA), but ICS demands the reverse, AIC (availability, integrity, confidentiality). Why is availability so important to ICS? Simple: think of your heart beating, pumping blood to your organs and your brain; stop for a few seconds and the consequences are unthinkable.
Every piece of data is processed in real time. That data includes sensor readings and commands sent to actuators, valves, motors, pumps and the like.
This means latency is critical when capturing such data for analysis. Generally, a delay of a few milliseconds is the limit. And even if suspicious data is detected, we cannot filter it out, because any false positive could have dangerous consequences. Such false alarms are like the boy who cried wolf, leading us to ignore the real wolf, even once our security line has actually been breached.
Another aspect of OT is functional safety, such as safety interlocks and emergency shutdown systems (ESD or SIS) designed with safety PLCs. Can hackers penetrate the SIS from the PCS? Can malware spread from the PCS to the SIS? Can cybersecurity affect physical safety?
If OT is an elephant of a different species, how do we put it in the fridge? How do we secure OT? Is there a more efficient way to defend ICS against cyberattacks? Tune in to this talk to learn about current industry practice and future trends.

PK

profile

topic

Car ECU Hacking

intro.

A video is worth a thousand words
https://www.youtube.com/watch?v=x9tk1r7RHiM

See the video link
https://www.youtube.com/watch?v=x9tk1r7RHiM

Kirill Puzankov

profile

Telecom Security Specialist, Positive Technologies
Kirill graduated from the Russian State University for the Humanities with a degree in comprehensive protection of information assets. He joined Positive Technologies in 2014 as an expert in telecommunication systems and network security. He researches signaling network security, participates in audits for international mobile operators, takes part in PT Telecom Attack Discovery deployments and expert attack analysis. He is part of the team that revealed vulnerable points in popular two-factor authentication schemes using texts and demonstrated how easy it is to compromise Facebook, WhatsApp, and Telegram accounts.

topic

Attacks on Mobile Networks: Evolving Hackers' Techniques and Defenders' Oversights

Attacks on Mobile Networks: Evolving Hacker Techniques and Defensive Oversights

intro.

The "walled garden" paradigm is outdated. Nearly all operators now admit that attackers have penetrated SS7 networks by exploiting a whole range of signaling network vulnerabilities.
Tracking subscriber location, obtaining call details, tapping, and intercepting text messages that contain security codes are the harsh reality we live in. However, mobile operators do not sit back. They address these threats by configuring hardware in the best possible way, deploying SMS Home Routing solutions to protect confidential data and fight SMS spam, and deploying SS7 firewalls, which currently offer the highest level of network protection against attackers.
But the real world is far from this rosy picture. Our research, alongside security monitoring and audits, shows that attackers have learned how to skillfully bypass most of the known protection measures. In my presentation, I will address the following issues:

  • What refined techniques and tricks do malefactors use;
  • What unusual attack scenarios we came across during security monitoring;
  • Methods found empirically for bypassing the protection mechanisms;
  • What security network specialists should pay special attention to in order to ensure SS7 network security and fight hackers effectively.

The walled garden paradigm is outdated; nearly all operators now admit that attackers have taken over SS7 networks by exploiting a whole series of signaling network vulnerabilities.
Tracking physical location, obtaining call details, tapping, intercepting text messages containing security codes: these are already realities of our lives. Mobile operators are not discouraged, however. They respond to these threats in various ways: configuring hardware as well as possible, deploying SMS Home Routing solutions to protect confidential data and fight SMS spam, and SS7 firewalls, which provide the highest level of network protection currently available.
But the bright future is never waiting for us. Our researchers, using security monitoring and audits, have found that attackers have learned how to skillfully bypass most known protections. In my talk I will explain the following:

  • Which refined techniques attackers use
  • Unusual attack scenarios we discovered during security monitoring
  • Empirically discovered ways of bypassing protection measures
  • What network security experts should pay particular attention to in order to secure SS7 networks and fight hackers effectively

Sergey Puzankov

profile

Telecom Security Expert, Positive Technologies.
Sergey was born in 1976. He graduated from Penza State University with a degree in automated data processing and management systems in 1998. Before joining Positive Technologies in 2012, he worked as a quality engineer at VimpelCom. Being a security expert in telecommunication systems at Positive Technologies, he is engaged in the research of signaling network security and in audits for international mobile operators.
As an expert in telecom security, he researches signaling network security and participates in audits for international mobile operators.
Sergey is also the general developer of the SS7 Vulnerability Scanner tool and member of the Telecom Attack Discovery development team and co-author of Positive Technologies annual reports on telecom security.

topic

Attacks on Mobile Networks: Evolving Hackers' Techniques and Defenders' Oversights

Attacks on Mobile Networks: Evolving Hacker Techniques and Defensive Oversights

intro.

The "walled garden" paradigm is outdated. Nearly all operators now admit that attackers have penetrated SS7 networks by exploiting a whole range of signaling network vulnerabilities.
Tracking subscriber location, obtaining call details, tapping, and intercepting text messages that contain security codes are the harsh reality we live in. However, mobile operators do not sit back. They address these threats by configuring hardware in the best possible way, deploying SMS Home Routing solutions to protect confidential data and fight SMS spam, and deploying SS7 firewalls, which currently offer the highest level of network protection against attackers.
But the real world is far from this rosy picture. Our research, alongside security monitoring and audits, shows that attackers have learned how to skillfully bypass most of the known protection measures. In my presentation, I will address the following issues:

  • What refined techniques and tricks do malefactors use;
  • What unusual attack scenarios we came across during security monitoring;
  • Methods found empirically for bypassing the protection mechanisms;
  • What security network specialists should pay special attention to in order to ensure SS7 network security and fight hackers effectively.

The walled garden paradigm is outdated; nearly all operators now admit that attackers have taken over SS7 networks by exploiting a whole series of signaling network vulnerabilities.
Tracking physical location, obtaining call details, tapping, intercepting text messages containing security codes: these are already realities of our lives. Mobile operators are not discouraged, however. They respond to these threats in various ways: configuring hardware as well as possible, deploying SMS Home Routing solutions to protect confidential data and fight SMS spam, and SS7 firewalls, which provide the highest level of network protection currently available.
But the bright future is never waiting for us. Our researchers, using security monitoring and audits, have found that attackers have learned how to skillfully bypass most known protections. In my talk I will explain the following:

  • Which refined techniques attackers use
  • Unusual attack scenarios we discovered during security monitoring
  • Empirically discovered ways of bypassing protection measures
  • What network security experts should pay particular attention to in order to secure SS7 networks and fight hackers effectively

Raynold Sim

profile

Raynold Sim joined LINE's Security Department as a Security Engineer in 2015. He is a member of the team running LINE's Security Bug Bounty Program. Sometimes, he hunts for security bugs in other bug bounty programs, too.

topic

Behind the Scenes of LINE's Bug Bounty Program

Behind the Scenes: the LINE Bug Bounty Program

intro.

Bug Bounty Programs have been a hot topic in the security world. With bug bounty platforms becoming more popular, more companies all over the globe have been starting their own bounty programs to keep their services and user base secure. We will touch on the bug bounty scene in Japan and take an in-depth look at LINE's Bug Bounty Program, which we have been running since 2015. In this talk, we will share the behind-the-scenes story of how we run our bug bounty program, the motivations for why and how we do it, and the reflections and results of running a bug bounty program.

Bug bounty programs have long been a hot topic in security. As bug bounty platforms grow more popular, many companies worldwide have begun running their own bounty programs to protect the security of their services and users. We will give an overview of the bug bounty scene in Japan and take an in-depth look at the LINE Bug Bounty Program, which we have run since 2015. This talk will reveal how our bounty program operates behind the scenes, explain why we started it and how it is run, and finally share some observations and results from running it.

Suguru

profile

In 2008, Suguru joined Kaspersky Labs Japan as a researcher in the Japan office. He was in charge of collecting and analyzing threat information such as malware, spam and phishing in cyberspace. Subsequently, he joined the Global Research and Analysis Team (GReAT) APAC to research Advanced Persistent Threats (APT) and recent cyber threats in the APAC region.

topic

The Bald Knight Rises

The Bald Knight: Dawn Rises

intro.

Kaspersky Lab has been tracking the XXMM (Trojan.Win32.Xxmm) malware family since January 2017. It is one of the cyber espionage campaigns targeting Japan.
This name comes from a database path (.pdb) that suggests "xxmm" as the original project name. To date we have observed more than 300 samples including core malware components, extra modules and related malware. The XXMM family seems to be mainly used against targets in Japan and South Korea. The actor uses around 50 compromised websites as C2s, with IP addresses based in the targeted countries.
Previously this attack was named after the malware it used, such as "Tick", "BronzeButler", "ShadowWali" or "Daserf". The actor keeps changing its tools, so we decided to use a more generic name. We called this campaign "The Bald Knight" after the malware builder icon, which was taken from "The Dark Knight Rises" movie poster and altered by removing the knight's protruding ears, leaving him with a bald head.
This actor used several anti-research techniques such as in-memory execution, a second-stage backdoor, anti-reversing, anti-AV, white-listing of target IPs on the C2 server and steganography techniques. This year, we already published a blog post, "Old Malware Tricks To Bypass Detection in the Age of Big Data" (https://securelist.com/old-malware-tricks-to-bypass-detection-in-the-age-of-big-data/78010/), about a unique anti-AV technique seen in the recent activities of this actor.
We believe that this cyber espionage campaign is still seriously attacking Japan, because one of the infection vectors was a vulnerability found in domestic management software used by the government, public-related offices and government-affiliated organizations in Japan.
This presentation elucidates the method and strategy of "The Bald Knight Rises" campaign based on the results of the technical analysis of their cyber weapons, and introduces their recent activities.

Kaspersky Lab has tracked the XXMM (Trojan.Win32.Xxmm) malware family since January 2017: a cyber espionage program targeting Japan.
The name comes from a database path in which the original project name appears to be "xxmm". To date we have observed more than 300 samples, including core malware components, add-on modules and related malware. The XXMM family seems to be used mainly against targets in Japan and South Korea. The attackers use around 50 compromised websites as C2s, with IP addresses in the same regions as the targeted countries.
Previously these attacks were named after the malware used, such as "Tick", "BronzeButler", "ShadowWali" or "Daserf". The attackers keep changing their tools, so we decided to use a more generic name. Because the malware icon uses the image from the movie "The Dark Knight" with the ears on the head removed, turning him bald, we called it "The Bald Knight".
The attackers use many anti-research techniques, such as in-memory execution, a second-stage backdoor, anti-reversing, anti-anti-virus, IP whitelisting and steganography. This year we already published a blog post, "Old Malware Tricks To Bypass Detection in the Age of Big Data", about a unique anti-anti-virus technique in this attacker's recent activity.
We believe this cyber espionage attack is still continuously attacking Japan, because one of its infection vectors is a vulnerability in domestic management software used by the government and related bodies.

Qinghao Tang

profile

Qinghao Tang has rich experience in cloud computing security and Linux kernel security. He was a speaker at Pacsec 2015, Syscan 2016, hitb 2016, and CanSecWest 2017.

topic

An Awesome Toolkit for Testing the Virtualization System

A Magical Toolbox for Virtualization System Testing

intro.

The public cloud and private cloud have become the infrastructure of high-tech enterprises, and I implemented a toolkit to help researchers test the security of the cloud environment. This toolkit includes virtualization system vulnerability attack components and side channel attack components. The toolkit can be used to check co-residence and escape from a virtual machine or container.
In this topic, I will share several components and describe the principles behind their implementation:

  • Co-residence check component : memory bus channel module;
  • Qemu vulnerability attack component: info leak & rip control module for any address read and write vulnerability, rop module;
  • Xen vulnerability attack component: info leak & rip control module for any address read and write vulnerability, rop module;
  • Docker vulnerability attack component: switch namespace module;
  • Vmware workstation vulnerability attack component: heap allocation module, rip control module for heap overflow vulnerability, rop module.

Public and private clouds are becoming the infrastructure of technology companies; to help researchers test the security of cloud environments, I built a toolbox. This toolbox contains components for virtualization system vulnerability attacks and side-channel attacks, and can be used to check for co-resident virtual machines or containers and to escape from them.
In this talk, I will share several components and describe the principles behind their implementation:

  • Co-residence check component: memory bus channel module;
  • QEMU vulnerability attack component: info leak & RIP control module for reading and writing arbitrary memory locations, ROP module;
  • Xen vulnerability attack component: info leak & RIP control module for reading and writing arbitrary memory locations, ROP module;
  • Docker vulnerability attack component: namespace switching module;
  • VMware Workstation vulnerability attack component: heap allocation module, RIP control module for heap overflows, ROP control module.

Michal Thim

profile

Michal Thim is a cyber policy and security specialist with the Strategic Information and Analysis Unit, the National Cyber and Information Security Agency of the Czech Republic. His main focus is military and security developments in Western Pacific both in cyber and physical domains, including developments in cyber security and cyber warfare capabilities of China, Taiwan, DPRK, and other regional stakeholders, and analysis of Asia-based APT groups. He has been active for over a decade, in various capacities, in researching Taiwan’s defense and security, cross-strait relations, and territorial and maritime disputes in Northeast and Southeast Asia. Michal’s work has appeared in The Diplomat, The National Interest, China Policy Institute blog, Thinking Taiwan, Strategic Vision for Taiwan Security, South China Morning Post, Jamestown Foundation’s China Brief, and elsewhere. Michal tweets at @michalthim.

topic

Improving Cybersecurity through Non-Technical Exercises and In-House Strategic Analysis: View from the Czech Republic

A View from the Czech Republic: Improving Information Security through Exercises and In-House Strategic Analysis

intro.

Cyber exercises, particularly those aimed at the decision-making process, and in-house strategic analysis are two distinct, but intertwined, elements of enhancing cybersecurity through measures that are non-technical in nature. The former presents decision-makers with life-like situations to test their reactions to an ensuing cybersecurity incident; the latter strives to provide them with the best available contextual intelligence on a cyber incident, alongside the related technical analysis provided by CERT analysts. These two elements serve a common cause: well-informed decision-makers who can make the right call in response to a severe cyber-attack on critical information infrastructure or to actions of hostile state actors in cyberspace.
Decisions come with political costs, which may incentivize risk-averse behavior even if the situation calls for bolder decision making, which is not necessarily unreasonable. From the decision-making perspective, any such move invokes legal and political considerations that might not always be apparent on the operational side of the incident response. Exercises that are designed to simulate the reality of a severe cyber incident need to address these challenges. The in-house strategic analysis team's role is to support technical teams and incident response teams by proactively informing the leadership about emerging threats in cyberspace. Furthermore, strategic analysts provide timely contextual analysis that briefs the decision-maker on the political, security, and legal elements surrounding an ongoing, or recently discovered, cyber security incident.
The presenter will outline the decision-making process and how exercises aim to make that process as bump-free as possible, present what is meant by strategic analysis in the context of a cyber-security organization, and introduce the sets of legal and political issues that hinder a timely response to a cyber-attack, with the help of selected case studies.

Cyber exercises, particularly those focused on the decision-making process, and in-house strategic analysis are two distinct but intertwined elements of improving cybersecurity through non-technical means. The former presents decision-makers with near-real situations to test their reaction to an ensuing cybersecurity incident; the latter strives to provide the best contextual intelligence for responding to a cyber incident, together with the related technical analysis provided by CERT experts. Both elements point to the same goal: well-informed decision-makers who can make the right call in a serious cyber confrontation, whether an attack on critical information infrastructure or hostile actions in cyberspace.
Decisions that carry political costs may lead to risk-averse behavior even in situations that call for bolder decisions; this is not entirely unreasonable. From the decision-making perspective, the legal and political considerations that any such action touches are not always obvious on the operational side of incident response. Exercises designed to simulate a severe cyber incident must take these challenges into account. The role of an in-house strategic analysis team is to support technical teams or incident response teams by proactively informing leadership about threats emerging in cyberspace. Moreover, strategic analysis provides timely contextual analysis that lets decision-makers understand the political, security and legal elements surrounding an ongoing or recently discovered cybersecurity incident.
The speaker will outline the decision-making process and how exercises make that process as smooth as possible, explain what strategic analysis means within a cybersecurity organization, and use case studies to introduce the legal and political factors that can obstruct a timely response to a cyber attack.

Sung-ting Tsai (TT)

profile

Sung-ting Tsai (TT) is the leader of Team T5 Research. They monitor, analyze, and track cyber threats throughout the Asia Pacific region. His major areas of interest include document exploits, malware detection, sandbox technologies, system vulnerability and protection, web security, cloud, and virtualization technology. He is especially interested in new vulnerabilities in new technologies, and frequently presents the team's research at security conferences such as Black Hat, HITCON, and Syscan. He and Ming-chieh are members of the CHROOT security group in Taiwan. Sung-ting (TT) is also the organizer of HITCON, the largest technical security conference in Taiwan.

topic

Respond Before Incident - Building Proactive Cyber Defense Capabilities

Respond Before the Incident: Building Proactive Cyber Defense Capabilities

intro.

Historically, incident response has long been considered an approach to managing the aftermath of a security breach once the incident occurs. Many organizations develop an IR process in the hope that nothing will ever happen. However, as the tactics and procedures of threat actors have evolved rapidly and the cost of conducting attacks has become much lower, it is time to realize that "You Will Be Compromised".
In this talk, we aim to discuss the question "Why is traditional incident response not enough?"
We will present a real-world case study showing how we helped an organization in Taiwan mitigate the severe APT attacks from 4 attacker groups it faced over the past 2 years. With this case, we will explain how we transformed the defense mode from passive to proactive, and share our methodology for threat hunting and elimination.

Traditionally, incident response has long been regarded as a means of managing the aftermath of a security incident; many organizations develop an incident response process and pray that nothing ever happens. However, attackers' tactics and techniques are improving daily and the cost of launching an attack keeps falling; it is time to face the reality that "you will be compromised".
In this talk, we will discuss the question "Why is traditional incident response not enough?"
Using a real-world case study, we will show how we helped an organization in Taiwan mitigate advanced persistent threat attacks launched by four attacker groups over the past two years. With this case, we will explain how we shifted from passive to proactive defense, and share our methodology for hunting and eliminating threats.

Howard Tsui

profile

Security Engineer, currently working in vulnerability management, vulnerability assessment, networking, configuration management and risk management in the financial industry. Fluent in Mandarin and English.

topic

How to Construct a Sustainable Vulnerability Management Program

How to Build a Sustainable Vulnerability Management Program

intro.

Whether you are ethical, unethical or halfway in between, vulnerabilities will never stop being found by you and your mates. Finding a 0day after months of hard work is definitely rewarding, but have we thought about the folks who work on the other side, who have to protect the keys and decide which one to patch? Well, this talk is about that. Heartbleed (CVE-2014-0160), Shellshock (CVE-2014-6271), Stagefright, the POODLE attack (CVE-2014-3566), weak SSL/TLS ciphers, and the good ole Conficker (CVE-2008-4250), and… wait, how about MS17-010? These six vulnerabilities are the most well-known; which one do you tell your IT admin teams to patch first? How do you prioritize them in a multi-billion dollar corporation with thousands of endpoints? Do you know where they are? Can you fix them all? Or even which vulnerability should you risk-accept?
This talk is about building a sustainable vulnerability management (VM) program to answer the questions above and other vulnerability management questions, and how to build a program that can scale from a small to a large company.

Whether ethical or not, vulnerabilities can always be discovered by your own side. Spending months of hard work digging up a vulnerability certainly deserves a reward, but on the other side there are people working hard to protect data and decide how to patch the vulnerabilities. Today we look at it from that angle. Heartbleed (CVE-2014-0160), Shellshock (CVE-2014-6271), Stagefright, the POODLE attack (CVE-2014-3566), Conficker (CVE-2008-4250) and so on, as well as the Microsoft MS17-010 security bulletin. All six of these are widely known vulnerabilities. How do we discuss with IT staff which vulnerability should be patched first? How should they be prioritized? Do you know the details of these vulnerabilities? Should every vulnerability be patched? Or is there one that is not so urgent to patch in your company's environment?
This session will discuss how to build a sustainable vulnerability management program to answer the questions above and manage vulnerabilities effectively, and how to establish such a mechanism at companies of every size.

wj

profile

Wei Chea is a Senior Threat Hunter at Countercept, a 24/7 managed threat hunting service by MWR InfoSecurity. He has eight years of experience in information security and has worked in security operations and threat hunting for two global Fortune 200 organizations.

topic

Threat Hunting, The New Way

Threat Hunting, the New Way

intro.

Traditional methods of attack detection have failed us. Threat Hunting approaches the problem of attack detection from a new perspective, and seeks to find traces of attacker behavior with the assumption that networks are already compromised.
We’ll cover our approach for real world threat hunting at scale, the key datasets required, and why threat hunting is such an important new development for threat detection. By sharing a range of the real world attack scenarios we have personally encountered, we’ll show you how essential and effective it is to implement threat hunting scenarios into your detection strategy.
Finally, we’ll give you advice on how to start your own threat hunting journey within your organization.
By the end you’ll not only have an understanding of the concept of threat hunting, you’ll also know how to combine people, processes and technology to apply it yourself.

Traditional methods of attack detection no longer work. Threat hunting not only offers a new direction for detecting attacks, but can also track down attackers on the assumption that the network has already been breached.
We will use real cases to explore why threat hunting is the new way to detect attacks. Through real-world attack cases we have encountered, we will show why threat hunting is a necessary and effective form of attack detection.
Finally, we will advise you on how to start building your own threat hunting approach to protect your organization.
You will gain not only the fundamentals of threat hunting, but also an understanding of how to combine people, processes and technology to build your own threat hunting capability.

Daoyuan Wu

profile

Daoyuan Wu is a PhD candidate at Singapore Management University (SMU). He has accumulated 10 years' experience in the computer security area, and is currently doing mobile security research. He likes to build automatic analysis tools and identify new classes of vulnerabilities. He has published ten academic papers and was the first reporter of content provider vulnerabilities in many popular Android apps (over 60 CVEs). He has won bug bounties from top vendors including Facebook, Yahoo, Mail.Ru, Yandex, Baidu, Tencent, Alibaba, and Qihoo 360. Besides app vulnerabilities, he reported one system issue in Android (CVE-2014-7224) and one in iOS (CVE-2015-5921, with Apple iOS 9 acknowledgement).

Daoyuan Wu is a PhD candidate at Singapore Management University. He has researched computer security for over ten years and in recent years has focused on mobile device security. He excels at using automated analysis tools to discover new classes of security vulnerabilities. Daoyuan Wu has published ten academic papers and uncovered more than 60 CVEs, many of them in popular Android apps. He has also contributed to many bug bounty programs, including Facebook, Yahoo, Mail.Ru, Yandex, Baidu, Tencent, Alibaba, and Qihoo 360. Besides Android app vulnerabilities, the speaker has also reported an Android system vulnerability, CVE-2014-7224, and an iOS system vulnerability, CVE-2015-5921.

topic

Cross-Platform Analysis of Indirect File Leaks in Android and iOS Applications

Cross-Platform Analysis of Indirect File Leaks in Android and iOS Applications

intro.

Today, much of our sensitive information is stored inside mobile applications (apps), such as browsing histories and chat logs. To safeguard these private files, modern mobile systems, notably Android and iOS, use sandboxes to isolate apps' file zones from one another. However, I will show in my talk that these private files can still be leaked by indirectly exploiting components that are trusted by the victim apps. In particular, we devise new indirect file leak (IFL) attacks that exploit browser interfaces, command interpreters, and embedded app servers to leak data from very popular apps, such as Evernote and QQ. Unlike previous attacks, we demonstrate that these IFLs can affect both Android and iOS. Moreover, our IFL methods allow an adversary to launch the attacks remotely, without implanting malicious apps in victims' smartphones. We finally compare the impacts of four different types of IFL attacks on Android and iOS, and propose several mitigation methods.

Today, more and more sensitive data is stored in mobile apps, for example browser history and chat records. To protect this private information, both Android and iOS use sandbox technology to ensure that apps cannot read or write each other's data. However, this talk will demonstrate how private data can still be stolen by indirectly exploiting a phone app's trusted components. In particular, we will show new indirect file leak (IFL) attacks on browsers, command interpreters and app back-end servers that steal data from popular apps (e.g. Evernote, QQ, etc…). Unlike previous attack techniques, we will demonstrate IFL attacks on both iOS and Android. Moreover, IFL attacks can be launched remotely; the victim's mobile device does not need to have a malicious app installed. Finally, we analyze and compare IFL with other related attack techniques.

Fyodor Yarochkin

profile

Fyodor is a researcher at Trend Micro, an incident investigation volunteer at Academia Sinica and a Ph.D. candidate in EE at National Taiwan University. He is an early Snort developer, an open source evangelist and a "happy" programmer. Prior to that, Fyodor's professional experience included over eight years as an information security analyst responding to network and security breaches and conducting remote network security assessments and network intrusion tests for the majority of regional banking, finance, semiconductor and telecommunication organizations. Fyodor is an active member of the local security community and has spoken at a number of conferences regionally and globally.

Fyodor works at Trend Micro, volunteers on threat incident investigation at Academia Sinica, and is currently a PhD student in Electrical Engineering at National Taiwan University. He is an early Snort developer and an open source advocate, and still follows the creed of "happy programming". Before that, Fyodor's professional experience included more than eight years as a security analyst handling network and security breaches, and conducting remote network security assessments and network intrusion tests for major regional banking, finance, semiconductor and telecommunication organizations. Fyodor remains an active member of the Taiwan security community and has spoken at many regional and global conferences.

topic

The Age of Broken ATMs

Those Years, the ATMs They Robbed

intro.

We observed this year that attacks against Automatic Teller Machines went from theoretical research and impressive shows at conferences to a very practical method used by criminal groups to monetize their access to compromised networks within financial institutions. A number of cases that took place this year got loud attention in the media, but the attacker methods and exploitation varied from one case to another. In this presentation we examine several cases of ATM breaches, including the well-known case that took place in Taiwan, but also cases in Russia, Kyrgyzstan and other Central Asian countries, as well as Spain and a number of other countries in Europe. We discuss attack vectors against ATM devices and the known methods which attackers utilize to abuse ATM machines for the purpose of either information collection or cash withdrawal. We also discuss some of the attack methods the attackers used to infiltrate the target organizations and compromise the devices. We dive deeper to understand the eco-system and the nature of the threat actors, and discuss the skills and tools available on the black market and the evolution of ATM threats.

Over the years we have seen attacks on ATMs move from academic theory and flashy demonstrations at conferences to a way for criminal groups to break into financial institutions' networks and profit from it. In recent years many attack cases have appeared in the media spotlight, and attackers' techniques have advanced along with them. In this talk, we will present the many ATM attack techniques seen over these years, including not only the well-known Taiwan ATM incident but also cases in Russia, Kyrgyzstan, other Central Asian countries, Spain and several European countries.