08:20 -
Registration
R0 (Room 101)
09:00 - 09:20
09:20 - 10:00
Your Ideas are Worthless
10:00 - 10:40
Critical Infrastructure Protection Policy and Strategy of Korea
MIDEUM KIM, Researcher of KISA (Korea Internet & Security Agency)
10:40 - 10:55
Break
10:55 - 11:35
LINE Security Bug Bounty: A Closer Look
12:15 - 13:30
Lunch
R1 (Room: 101 CD)
R2 (Room: 101 AB)
13:30 - 14:10
Building a Public RPZ Service to Protect the World’s Consumers
John Bambenek, Manager of Threat Systems, Fidelis Cybersecurity
Recent Cases of Cyber Terror from North Korea
14:20 - 15:00
From Zer0 to Persistence - A Complete Exploit Chain against Samsung Galaxy S6
15:10 - 15:50
Jiun-Ming Chen, Adjunct Faculty, National Taiwan University;
Jong-Shian Wu (JS), Researcher at National Taiwan University
Light Up The Korean DarkWeb
15:50 - 16:10
Break
16:10 - 16:50
Adversarial Machine Learning and Several Counter-Measures
17:00 - 17:40
wj, Senior Threat Hunter at Countercept, MWR InfoSecurity
In Ming LOH, Senior Threat Hunter at Countercept, MWR InfoSecurity
Cybersecurity Talent Development in NTT Group
R0 (Room 101)
09:20 - 10:00
All our Powers Combined: Connecting Academics, Engineers, and Hackers
Yan Shoshitaishvili, Captain of Shellphish, Assistant Professor at Arizona State University
10:00 - 10:40
The Age of Broken ATMs
10:40 - 11:00
Break
11:00 - 11:40
Are you visible? – TEPCO’s Challenge for “Visibility” on Security Management (and Security Professionals)
11:40 - 13:00
Lunch
R1 (Room: 101 CD)
R2 (Room: 101 AB)
13:00 - 13:40
Respond Before Incident - Building Proactive Cyber Defense Capabilities
13:50 - 14:30
The Key Recovery Attacks against Commercial White-box Cryptography Implementations
Sanghwan Ahn(h2spice), Senior Security Engineer, Security Department, LINE Corp.
14:30 - 14:45
Break
14:45 - 15:25
15:35 - 16:15
Attacks on Mobile Networks: Evolving Hackers’ Techniques and Defenders’ Oversights
Kirill Puzankov, Telecom Security Specialist, Positive Technologies
16:25 - 17:05
The Bald Knight Rises
R1 (Room: 101 CD)
17:10 - 17:50
Panel Discussion
17:50 - 18:00
Closing
18:00 - 19:00
Cocktail Party
I am a senior security engineer currently working in the security department at LINE Corp, mostly engaged in application security such as security assessment, security architecture design and development, as well as other security-related work. I like to analyze programs and find vulnerabilities in them, and I am interested in security-related technology. In recent years I have been interested in white-box cryptography, doing research on implementation and cryptanalysis.
The Key Recovery Attacks against Commercial White-box Cryptography Implementations
White-box cryptography aims to protect cryptographic primitives and keys in software implementations even when the adversary has full control of the execution environment and access to the implementation of the cryptographic algorithm. It combines mathematical transformations with obfuscation techniques, so it is not just obfuscation at the data and code level but actually algorithmic obfuscation.
In a white-box implementation, cryptographic keys are mathematically transformed so that they are never revealed in plain form, even during execution of the cryptographic algorithm. With such security in place, it becomes extremely difficult for attackers to locate, modify, and extract the cryptographic keys. Although all current academic white-box implementations have been practically broken by various attacks, including table decomposition, power analysis attacks, and fault injection attacks, there are no published reports of successful attacks against commercial white-box implementations to date. When I assessed commercial white-box implementations to check whether they were vulnerable to previous attacks, I found that the previous attacks failed to retrieve a secret key protected by the commercial white-box implementation. Consequently, I modified the side-channel attacks available in the academic literature and succeeded in retrieving a secret key protected by the commercial white-box cryptography implementation. To the best of my knowledge, this is the first report in the industry of successfully recovering a secret key protected by a commercial white-box implementation. In this talk, I would like to share how to recover a key protected by a commercial white-box implementation and offer some considerations for applying white-box cryptography to services more securely.
White-box cryptography aims to protect software cryptographic primitives and keys even when the attacker has full control of the execution environment and of the cryptographic algorithm; it combines mathematical transformations with obfuscation techniques, so it obfuscates not only data and code but in fact the algorithm itself.
A white-box cryptographic mechanism mathematically transforms the key so that it is never shown in readable form, even during subsequent cryptographic computation; this makes it very difficult for an attacker to locate, modify, or extract the key. Although the various academic white-box mechanisms have all, to varying degrees, been broken by attacks such as decomposition, analysis, and fault injection, to date there has been no report of a commercial white-box cryptographic mechanism being broken. While assessing whether commercial white-box mechanisms could be broken by the aforementioned attacks, I found that those attacks failed to break keys protected by commercial white-box mechanisms, so I modified the side-channel attacks found in the academic literature and succeeded in obtaining a key protected by a commercial white-box mechanism. To my knowledge, this is the first instance in the industry of successfully extracting a key protected by a commercial white-box mechanism. Below I will share with you how to extract a key protected by a commercial white-box mechanism, and offer several key points for applying white-box cryptography more securely.
Biography: I am currently a senior security engineer in the security department of LINE Group, mainly working on application security: security assessment, security architecture design, development, and other security-related work. I analyze programs, find their weaknesses, and study security-related technology. In recent years I have focused in particular on research into the implementation and cryptanalysis of white-box cryptographic mechanisms.
John Bambenek is Manager of Threat Systems at Fidelis Cybersecurity, Lecturer in the Departments of Computer Science and Information Science at the University of Illinois at Urbana-Champaign and a handler with the SANS Internet Storm Center. He has over 18 years' experience in information security and leads several international investigative efforts tracking cybercriminals, some of which have led to high-profile arrests and legal action. He specializes in disruptive activities designed to greatly diminish the effectiveness of online criminal operations. He produces some of the largest bodies of open-source intelligence used by thousands of entities across the world.
Building a Public RPZ Service to Protect the World's Consumers
There are a variety of options when enterprises want to get protection for themselves. If you want to protect small offices or consumers, your choice is basically just to buy anti-virus. The problem is that until we address the fact that most of the internet is not behind an enterprise, and is thus unprotected, we will still face major outbreaks, DDoS, and risks from Bring-Your-Own-Device (BYOD).
By using some basic open-source tools built into DNS with Response Policy Zones (RPZ), it becomes possible to provide protection to the consumer internet space and begin to significantly disrupt criminal operations against the public.
This talk will cover building one of the world's first public RPZ servers to provide service to CERTs and consumer ISPs, to start tackling the vast majority of the unsecured internet. Details on how to access and deploy the data from this service for free will be given as part of the talk.
When enterprises want to protect themselves, there are a great many options. If you want to protect consumers or small offices, your option is basically just to buy anti-virus software. The problem is that until we solve the fact that most of the internet is not inside large enterprises and is therefore unprotected, we will still face many crises: DDoS, the risks of bring-your-own-device, and so on.
By using some basic open-source DNS tools with RPZ, we can protect the consumer internet and begin to visibly disrupt criminal activity against the public.
This talk will cover building the world's first public RPZ service to serve CERTs, consumer ISPs, and the largely insecure internet; it will also include details on how to access the service for free and how data is published from it.
Bachelor's and master's degrees in mathematics from National Taiwan University, and a Ph.D. in mathematics from Purdue University. Works at the NTU Department of Mathematics and at InfoKeyVault Technology, whose core business is embedded systems security. Recipient of NTU's Outstanding Teaching Award, given to only about one in two hundred NTU faculty. Courses taught at NTU include: Introduction to Cryptography, Elliptic Curve Cryptography, Topics in Cryptanalysis, Post-Quantum Cryptography, Introduction to FinTech, Calculus for the College of EECS, and the general-education course Mathematics and Civilization. One of the founders, and current secretary-general, of the golf team of the Taipei NTU Alumni Association. Director of the Chinese Taipei Contract Bridge Association and captain of the active national bridge team representing Taiwan at this year's world championship.
The chief scientist of InfoKeyVault Technology Co., Ltd. and an adjunct faculty with outstanding teaching award at National Taiwan University. Courses delivered at NTU: Cryptography, Cryptanalysis, Elliptic Curve Cryptography, Post-Quantum Cryptography, and Introduction to FinTech.
KRACK & ROCA
KRACK (Key Reinstallation Attack) is a security weakness in WPA2 discovered by Mathy Vanhoef et al. Such weakness in WPA2 protocol design and implementations allows attackers within proximity to hijack the "encrypted" channel between a supplicant and a Wi-Fi AP. Both personal networks and enterprise networks are affected.
ROCA (The Return of Coppersmith's Attack) is a security vulnerability in an RSA firmware library discovered by Matus Nemec et al. The flawed library, from a major manufacturer of cryptographic hardware, is widely deployed in security tokens, smart cards, electronic ID cards, TPMs, etc. Since prime numbers generated by the flawed library have insufficient entropy and a specific structure, attackers can easily identify and factorize RSA public keys that were generated from affected devices.
In this talk, we will explain how KRACK and ROCA work and some important lessons we should learn from them.
KRACK (Key Reinstallation Attack) is a WPA2 security vulnerability discovered by Mathy Vanhoef et al. This weakness in the design and implementation of the WPA2 protocol lets a nearby attacker hijack the "encrypted" channel between a supplicant and a Wi-Fi AP; both personal and enterprise networks can be affected.
ROCA (Return of Coppersmith's Attack) is an RSA security vulnerability discovered by Matus Nemec et al. The flawed firmware library, supplied by a major cryptographic hardware manufacturer, is widely used in security tokens, smart cards, electronic ID cards, TPMs and other devices; the primes it generates have insufficient entropy and a specific structure, so attackers can easily identify and factor RSA public keys generated by affected devices.
This talk will explain how KRACK and ROCA work, and several lessons worth learning from them.
Ricky Chou (ch0upi) is a staff engineer in Trend Micro. He works in data analysis, threat intel service, and problem solving with AI/ML.
Ricky and his teammates also finished in the top 10 in KDDCup 2014 and 2016, the world's leading data mining and knowledge discovery competition. He also participated in Trend Micro's computer Go project, GoTrend, which took 6th place in the UEC Cup 2015.
Ricky Chou (ch0upi) is a technical manager in the Core Technology Department at Trend Micro.
His work focuses on data analysis, threat intelligence services, and applying AI and machine learning to solve practical problems.
He took part in the KDDCup, the best-known competition in the global data mining field, in 2014 and 2016, placing in the top 10 both times.
He also took part in Trend Micro's computer Go AI project, GoTrend, which took 6th place in the UEC Cup computer Go tournament in Japan in 2015.
Adversarial Machine Learning and Several Counter-Measures
Machine Learning (ML) and Deep Learning have become very popular in recent years. They solve many problems considered very difficult in the past, such as face recognition, image classification, unknown virus detection, cyber attack detection, etc. Therefore, more and more security products have started to use machine learning solutions for detection.
However, many of those security products using machine learning algorithms could bring some unexpected vulnerabilities. In this talk we will focus on how to attack, cheat, and steal the machine learning model, and how to redirect the target of an attack by using the stolen model. The speaker will introduce the concepts and attack methods for image classification, PDF and binary detection, demonstrate the attacks, and provide some ways to defend against these kinds of attack.
Machine learning (ML) and deep learning have advanced rapidly in recent years, solving problems once seen as very hard, such as face recognition, image classification, unknown virus detection, and network attack detection, and so more and more security products use machine learning as a solution. But using ML algorithms in products can bring some unexpected vulnerabilities. This talk will focus on how to attack, deceive, and steal machine learning models and steer a model's results toward a target chosen by the attacker. The speaker will introduce several attack techniques and their principles against image recognition, binaries, and PDFs, demonstrate practical attacks, and propose defensive methods and practical recommendations.
Agenda:
Malware Analyst at Hispasec/Koodous. Focused on the banking threats landscape, especially Android banking Trojans as well as Windows-based ones. Interested in hunting botnets, malware analysis, reverse-engineering, and developing distributed environments.
Analyzing Bankbot, a Mobile Banking Botnet
Maza-in, better known as Bankbot, is an Android banking Trojan that gained popularity with its release in an underground forum. At the beginning, its targets were mostly Russian and Ukrainian entities, as well as payment processors such as PayPal, but it quickly broadened its targets to different countries, especially European ones.
Despite having other banking Trojans on the table, such as Mazarbot and Marcher, Bankbot has made it into the Google Play Store not once but a total of three times that we are aware of.
Having myself caught one of these banking Trojans live in Google's Play Store, I became interested in studying how it bypassed Google's security measures and made it through to the official Android store, as well as its different botnet components.
In this talk we are going to talk widely about Bankbot, covering many aspects of the threat. First, its behavior: the server-side structure of the botnet, how it communicates with the victim, and how to get around these communications, forcing the botnet to return us the list of affected entities.
We will also study the Android component, taking into account the stealing techniques it uses and how it evolved, not only to target Android banking applications but also browsers, based on the bookmarks installed. We'll have a brief overview of the libraries that some samples include, along with their functionality. The whole infection process will be described, from initial steps to credential theft.
Additionally, we will have an overview of the component that made it through Google Bouncer and got published in the store, including a quick look at the different countries targeted by this family since the beginning of the attack.
Finally, we will learn how to identify the sample through Yara rules, as well as known changes made to the server file structure that help us identify these samples.
Maza-in, better known as Bankbot, is an Android banking Trojan; as soon as it was released on an underground forum it rapidly gained popularity. At first its targets were mostly in Russia and Ukraine, along with payment platforms such as PayPal, but it quickly expanded its targets to other countries, especially in Europe.
Although there are other banking Trojans around, such as Mazarbot and Marcher, Bankbot has made it into the Google store more than once; we have noticed three occurrences.
After catching this banking Trojan myself from the Google store, I became interested in how it and its various botnet components bypassed Google's security checks and were successfully published.
In this talk we will discuss Bankbot's threats broadly, including its behavior, the server-side architecture of the botnet, its communication with victims, and how to use that communication to return the list of affected entities.
Chen-yu Dai (GD) is CTO at Team T5 Research, providing Digital Forensics & Incident Response services, developing Threat Intelligence programs and platforms, and consulting on enterprise cyber defenses. He also volunteers as deputy coordinator of HITCON, the largest hacker community and security conference in Taiwan. He has received many prizes from domestic and international CTFs, as well as bug bounty programs. He has been a speaker at various conferences: HITCON, TROOPERS, CODE BLUE, IEEE GCCE, VXRL, DragonCon etc.
Respond Before Incident - Building Proactive Cyber Defense Capabilities
Historically, incident response has long been considered an approach to managing the aftermath of security breaches once an incident occurs. Many organizations develop an IR process in the hope that nothing will ever happen. However, as the tactics and procedures of threat actors have evolved rapidly and the cost of conducting attacks has become much lower, it is time to realize that “You Will Be Compromised”.
In this talk, we aim to discuss the question “Why is traditional incident response not enough?”
We will present a real-world case study showing how we helped an organization in Taiwan mitigate the severe APT attacks from 4 attacker groups they faced over the past 2 years. With this case, we will explain how we transformed the defense mode from passive to proactive, and share our methodology for threat hunting and elimination.
Traditionally, incident response has long been seen as a means of managing the aftermath of a security incident; many organizations develop an incident response process and pray nothing goes wrong. However, attackers' tactics and techniques are advancing daily, and the cost of launching an attack keeps falling; it is time to face the reality that "you will be breached".
In this talk we will discuss the question "Why is traditional incident response not enough?"
We will use a real-world case study to show how we helped an organization in Taiwan mitigate advanced persistent attacks from four attacker groups over the past two years. In this case we will explain how we moved from passive to proactive defense, and share our methods for hunting and eliminating threats.
Mitsuhiro Hatada has been engaged in research and development on cybersecurity at NTT Communications for over a decade. He is a member of NTT Com-SIRT and a Ph.D. student at Waseda University.
Cybersecurity Talent Development in NTT Group
Cybersecurity talent shortage is a common issue for many organizations. In preparation for the Tokyo 2020 Olympic and Paralympic Games, NTT has run an educational program and certification system for cybersecurity talent since 2015. Our talk covers the definitions of job types and skill levels, training courses, the current status of certification, and further activities. In particular, we will share our experiences developing several technical training courses on our self-developed cyber range.
A shortage of cybersecurity capability is a problem many organizations face. In preparation for the 2020 Tokyo Olympic and Paralympic Games, NTT has run a cybersecurity education, training and certification program since 2015. This talk will describe the definitions of job types and skill levels, the training courses, the current state of certification and future plans, and in particular some of the technical training in the cybersecurity field that NTT has developed in-house.
OSSLab CIO, 2012 & 2015 HITCON community speaker.
Analyzing the Vulnerabilities of Data Storage Systems and How to Defend Against Them
Preface:
"A Taiwanese company's SSD controller reportedly hides a backdoor; the CBRC demands an investigation": is this real? Do storage devices have backdoors? If so, what is the situation, and how do we defend against it?
Outline:
Yoshihiro Ishikawa is a member of the Cyber Emergency Center of LAC. He has been engaged in malware analysis and cyber threat intelligence, and is especially involved in analyzing incidents of Advanced Persistent Threat (APT) attacks. He presented "APT Campaign Targets Japanese Critical Infrastructure" at APCERT 2016.
Open Source as Fuel of Recent APT
Recently, many APT attacks have been fueled by the use of open source tools.
We observed recent campaigns in 2017, and from our analysis we see that the use of open source tools is now a very common practice. Open source tools such as the Metasploit Framework and Empire PowerShell are widely used, and some others are customized open source tools (to be revealed in the presentation) tailored to serve as APT malware infection triggers or payloads.
As for the targeted vectors, some target the Mac OS X and Windows platforms of specific industries. In recent campaigns, some code-signing certificates were stolen and recycled for further attacks on the next targets across multiple platforms. Others target the education sector using fileless attacks via PowerShell.
In this presentation, we introduce the details of our research into these APTs, as well as their TTPs (Tools, Techniques, and Procedures), in the following order.
- Classification of the open source tools used for attacks:
There are plenty of open source tools used in APT attacks: one type is used to trigger exploitation in the pre-infection stage, others are used for remote access post-infection, and still other open source code developed for malicious activity has been used in APT infections. We will reveal these in the presentation for some specific OS platforms.
- Presentation of real APT case analyses:
We will present the persistence-triggered attack methods based on the real cases and events we investigated, following the flow from the front-end attack to exploitation, from exploitation to infection, and through to the data harvesting methods, along with the source of the tools and details of the malicious activities detected.
- References:
At this point we will present a list of references for the open source tools widely used in the recent APT attacks mentioned in the above two points.
Cases of APT attacks carried out with open source software have been on the rise in recent years.
Research from 2017 shows that this routine approach to attacks is very widely adopted. Beyond the wide use of the Metasploit Framework and Empire PowerShell, some other tools have been modified to serve as APT malware infection triggers and payloads (to be explained further in the talk).
The victims include targets in specific industries on the Mac OS X and Windows platforms. Recent attacks show a set of code-signing certificates being stolen and then reused in the next round of multi-platform attacks; others target the education sector with fileless attacks via PowerShell.
The presentation below will explain the details of our research into these APTs and their TTPs (tools, techniques, procedures), with the following outline:
- Classification of open source attack tools:
Many open source tools are used in APT attacks: pre-infection triggers, post-infection remote access, and malicious actions carried out with open source code developed for APT infections. The talk will describe the state of these tools on individual OS platforms.
- Analysis of real APT cases:
We will describe the persistence-triggered attack methods found in our investigation of real cases and events, covering the flow from front-end attack to exploitation, from exploitation to infection and data collection, and detailed information on the sources discovered and the malicious behavior.
- References:
A reference list of open source software commonly used in recent APT attacks within the scope of the two points above.
Sr. Vulnerability Researcher at Team T5. CTF player; won 2nd place at DEF CON 22 and 25 as a member of team HITCON. Focuses on Linux and Android binary exploitation.
From Zer0 to Persistence - A Complete Exploit Chain against Samsung Galaxy S6
In this talk, we will demo an exploit chain that can remotely break KNOX protection on the Samsung Galaxy S6.
We used CVE-2016-3861, CVE-2016-5291 and a leaked document, Cadmium, to achieve remote root without tampering with the KNOX bit. The exploit starts with a URL; a user can be infected by just one click or by connecting to an untrusted network.
Below we introduce an exploit chain that remotely breaks the KNOX protection of the Samsung Galaxy S6.
We use CVE-2016-3861, CVE-2016-5291 and the leaked Cadmium document to achieve remote root without going through KNOX; the chain starts with a URL, and a user is infected with a single click or by connecting to an untrusted network.
MIDEUM KIM, a researcher at KISA (Korea Internet & Security Agency), has experience in computer engineering, cyber incident response and critical infrastructure protection. Currently, he is responsible for critical infrastructure protection and audit.
Critical Infrastructure Protection Policy and Strategy of Korea
Korea Internet & Security Agency (KISA) is a South Korean government agency under the Ministry of Science and ICT (MSIT), specializing in Internet security, critical infrastructure protection and information security industry development. KISA operates and audits critical infrastructure protection to secure it against cyberattack threats. Through this presentation, Mr. Kim would like to present the critical infrastructure policy and system of Korea.
The Korea Internet & Security Agency (KISA) sits under the Ministry of Science, ICT and Future Planning (MSIT) of Korea and focuses on internet security, critical infrastructure, and promoting the internet security industry. KISA carries out operational and audit tasks to protect Korea's critical infrastructure from the threat of cyberattack.
BoB Digital Forensics Student
Light Up The Korean DarkWeb
Four students from South Korea teamed up in order to dig into the Korean DarkWeb.
There are a number of publications about the cyber underground, including the DarkWeb, covering the situation of the underground in many countries including Russia, the US, Germany, and Japan. But there is not so much information about cyber underground activities in the most connected country in the world, South Korea.
The team HGWT took on the challenge and discovered five DarkWeb forums in Korea, as well as notorious activities in the Korean cyber underground on the surface web.
In this talk, they will introduce specifics of the Korean cyber underground (including DarkWeb), share their approaches for investigations and discuss several case studies.
Team HGWT
The team HGWT (Dasom Kim, Sujin Lim, Sunghee Lim, Eunhee Jo) consists of four BoB students and is led by two mentors in the digital forensics field, Nikolay Akatyev (VP of Engineering at Horangi Cyber Security) and Hyeon Yu (Professor at Korean Police Investigation Academy).
BoB (Best of the Best) is a cyber security education program that fosters the next generation security leaders in Korea hosted by Korea Information Technology Institute (KITRI), supported by the Korean Government.
Philippe Lin is a threat researcher at Trend Micro. He works in data analysis, machine learning, fast prototyping and software defined radio. He was a BIOS engineer in Open Computing Project. Active in open source communities, he is also a hobbyist of Raspberry Pi and Arduino projects and one of the authors of Moedict-Amis, an open source dictionary of an Austronesian language.
miaoski is a senior researcher at Trend Micro; his main research areas are data analysis, machine learning, prototyping and software defined radio (SDR). He was a BIOS engineer on the Open Computing Project (OCP), and in his spare time contributes to g0v projects as well as other Raspberry Pi and Arduino projects; see github.com/miaoski.
The Age of Broken ATMs
We observed this year that attacks against Automatic Teller Machines went from theoretical research and impressive shows at conferences to a very practical method used by criminal groups to monetize their access to compromised networks within financial institutions. A number of cases that took place this year got loud attention in the media, but the attacker methods and exploitation varied from one case to another. In this presentation we examine several cases of ATM breaches, including the well-known case that took place in Taiwan, but also cases in Russia, Kyrgyzstan and other Central Asian countries, as well as Spain and a number of other countries in Europe. We discuss attack vectors against ATM devices and known methods which the attackers utilize to abuse ATMs for the purpose of either information collection or cash withdrawal. We also discuss some of the attack methods the attackers used to infiltrate the target organizations and compromise the devices. We dive deeper to understand the ecosystem and the nature of the threat actors, and discuss the skills and tools available on the black market and the evolution of ATM threats.
Over these years we have observed attacks against ATMs evolve from academic theory and flashy conference demos into a method by which criminal groups break into financial institutions' networks and profit from it. In recent years numerous attack cases have appeared in the media spotlight, and the attackers' techniques have advanced alongside them. In this talk we will present the many ATM attack techniques of these years, including not only the well-known Taiwan ATM incident but also cases in Russia, Kyrgyzstan, many Middle Eastern countries, Spain and some European countries.
My name is James Lee, an 18-year-old math geek who likes to mess around with creative and cool stuff. I'm passionate about security vulnerability research, so I like to look under the hood of software.
Playing with IE11 ActiveX 0days
ActiveX is a feature that has been present in Internet Explorer almost since its inception, and it allows us to instantiate external objects.
We'll go through this feature and look into the way I discovered the vulnerability while playing around with it.
ActiveX has accompanied IE from its early days to the present, providing the ability to operate external components from within the browser. Here we will show how to play with IE11 through ActiveX vulnerabilities.
Myoungwon Lee (Superintendent of the K-NPA) has served as a police officer in Korea for 20 years. After graduating from the Police University he has worked in a variety of fields and offices in the Korean Police. He worked as an investigator in the criminal investigation division, the transportation division and a special riot police unit. Now he is in charge of the Cyber Investigation Strategy Team in the National Police Agency. Just before coming to this position in 2017, he worked as a Computer Forensic Team leader.
His role as the team leader involved anti-cybercrime strategy and research and development for improving cyber investigation skills.
Recent Cases of Cyber Terror from North Korea
In the past, suspected hacking attempts by North Korea appeared intended to cause social disruption or steal classified military or government data, but the focus seems to have shifted in recent years to raising foreign currency. N. Korea has tried hard to develop hacking capabilities as one way of earning money under the strict international sanctions imposed on it. An ATM hacking case is one example.
In the past, suspected cyberattacks from North Korea usually aimed to undermine social confidence or steal national military secrets. In recent years, however, the attacks seem to have shifted toward the foreign exchange market. North Korea has put a great deal of effort into launching cyberattacks to earn foreign currency in response to international economic sanctions. The ATM attack incidents of recent years are one example.
In Ming Loh is a Threat Hunter at Countercept, a 24/7 managed threat hunting service by MWR InfoSecurity. He currently holds OSCE and OSCP accreditation and was previously a software developer. His major interests are attack detection and prevention.
Threat Hunting, The New Way
Traditional methods of attack detection have failed us. Threat Hunting approaches the problem of attack detection from a new perspective, and seeks to find traces of attacker behavior with the assumption that networks are already compromised.
We’ll cover our approach for real world threat hunting at scale, the key datasets required, and why threat hunting is such an important new development for threat detection. By sharing a range of the real world attack scenarios we have personally encountered, we’ll show you how essential and effective it is to implement threat hunting scenarios into your detection strategy.
Finally, we’ll give you advice on how to start your own threat hunting journey within your organization.
By the end you’ll not only have an understanding of the concept of threat hunting, you’ll also know how to combine people, processes and technology to apply it yourself.
Traditional methods of detecting attacks are not workable. The threat hunting approach not only offers a new direction for attack detection, but can also track down attackers on the premise that the network has already been compromised.
We will use real cases to explore why threat hunting is the new form of attack detection. Through the real-world attack cases we have encountered, we will show why threat hunting will be a necessary and effective way to detect attacks.
Finally we will advise you on how to start building your own threat hunting approach to protect your organization.
You will not only gain the fundamentals of threat hunting, but also understand how to combine people, processes and technology to build your own threat hunting capability.
Michael Ossmann is a wireless security researcher who makes hardware for hackers. Best known for the open source HackRF, Ubertooth, and GreatFET projects, he founded Great Scott Gadgets in an effort to put exciting, new tools into the hands of innovative people.
Michael Ossmann is a wireless security researcher who makes hardware for hackers, best known for the open source HackRF, Ubertooth and GreatFET projects. He founded Great Scott Gadgets in an effort to put exciting new tools into the hands of innovative people.
Your Ideas are Worthless
As the owner of an open source hardware company, I frequently encounter people who tell me why my business cannot possibly succeed. After six years of continuous growth, I would like to share my thoughts about why those people are wrong and how the mythology of invention affects perception. I’ll share lessons from my background as a hacker, researcher, open source developer, and business owner and discuss the past, present, and future of science, technology, and the value of ideas.
Since becoming the owner of this open source hardware company, there have always been people who want to tell me why they think my business is doomed to fail. After six years of continuous growth, I would like to share some of my thoughts: why these people are wrong, and how the mythology of invention affects our perception. With my background as a hacker, researcher, open source developer and business owner, I will share the lessons that come from those backgrounds and discuss the past, present and future of science, technology and the value of ideas.
David Ong has over 20 years of professional experience and is widely recognized as an active professional in the process automation safety industry. He is a CFSE (Certified Functional Safety Expert) and obtained his MBA from the University of Louisville in 2002. He is a member of the advisory board of the CFSE Governance Board and the Founder of Excel Marco and Attila Cybertech. During the course of his career, he has executed many major projects in the Oil & Gas industry, both onshore and offshore, on Process Automation Safety & Control. He is well versed in corporate standards and practices and has also helped to develop key product marketing specifications for safety PLCs and SIS (Safety Instrumented Systems). Over the years, he has maintained a focus on Safety PLC related applications and was involved in conducting training on Functional Safety Standards and Practices. Earlier in his career, he was an instructor for several major brands of PLC and automation equipment. Having developed a strong interest in Cyber-Physical Systems (CPS), he set up Attila Cybertech to focus on Critical Information Infrastructure (CII) sectors. His principal work responsibilities include business development, major project management and training on safety and reliability standards and applications.
ICS/SCADA Cybersecurity and IT Cybersecurity: Comparing Apples and Oranges
Stuxnet made headlines in the OT (Operational Technology) world back in 2010. It was a wake-up call to those who never really thought an ICS (Industrial Control System) could be hacked, let alone cause severe damage to a nuclear plant in Iran.
Today, SCADA/ICS engineers are expected to design not only functional logic and safety logic but also system hardening for cybersecurity. Cybersecurity for ICS or OT poses different problems, unlike those of enterprise or IT cybersecurity.
While enterprise security prioritizes data in the order CIA (Confidentiality, Integrity, Availability), ICS demands the reverse, i.e. AIC. Why is availability so important to ICS? Well, think of how important your heart is in pumping blood to various organs, including your brain. Stop it for a few seconds and the consequences could be fatal.
Every piece of data is processed in real time. This 'data' consists of both sensor data and commands to output elements such as actuators, valves, motors, pumps etc.
That means latency is a key factor, and intercepting such data for analysis becomes challenging. Typically, it cannot afford to be delayed more than a few milliseconds. And even if suspicious data is detected, it cannot be filtered out, as any false positive could have dire consequences. Nothing shapes human behaviour to ignore a 'cry wolf' more than false alarms, even to the point of muzzling or bypassing the security mechanism.
Another aspect of OT is the area of Functional Safety, whereby safety interlocks and Emergency Shutdown Systems (ESD or SIS) are designed with Safety PLCs. Can hackers penetrate the SIS from the Process Control System (PCS)? Can malware propagate from the PCS to the SIS? Can cybersecurity impact safety?
Given that OT is a different animal, how can we secure OT? Are there effective ways to protect ICS from Cyber-attacks? Tune in to find out the current industrial practices and the shape of things to come.
Stuxnet made headlines in the Operational Technology (OT) world in 2010. It woke up those who believed Industrial Control Systems (ICS) could never be hacked, and it caused serious damage to a nuclear plant in Iran.
Today, SCADA/ICS engineers are required not only to design functional and safety logic, but also to harden the information security of their systems. The information security problems of ICS or OT are quite different from those of enterprise or IT security.
Enterprises order their data security requirements as Confidentiality, Integrity, Availability (CIA), but ICS demands the reverse: AIC (Availability, Integrity, Confidentiality). Why is availability so important to ICS? Simple: think of your heart beating, delivering blood to every organ and to your brain; stop it for a few seconds and the consequences are unthinkable.
Every piece of data is processed in real time. This data includes sensor readings as well as commands sent to actuators, valves, motors, pumps and the like.
This means latency plays a key role when capturing this data for analysis. In general, a few milliseconds of delay is the limit. And even when suspicious data is detected, we cannot simply filter it out, because any false positive could have dangerous consequences. Like the boy who cried wolf, these false alarms lead us to ignore the real wolf, even to the point of muzzling or bypassing the security mechanism.
Another aspect of OT is functional safety, such as safety interlocks and Emergency Shutdown Systems (ESD or SIS) designed with safety PLCs. Can hackers penetrate the SIS from the PCS? Can malware spread from the PCS to the SIS? Can cybersecurity affect physical safety?
If OT is an elephant of a different species, how do we fit it into the refrigerator? In other words, how do we secure OT? Are there more efficient ways to defend ICS against cyber attacks? Join this talk to learn about current industry practice and the shape of things to come.
Takehiro Ozaki is a Senior Research Engineer of NTT-CERT. He is in charge of threat intelligence.
Cybersecurity Talent Development in NTT Group
Cybersecurity Literacy Training in the NTT Group
Cybersecurity talent shortage is a common issue for many organizations. In preparation for the Tokyo 2020 Olympic and Paralympic Games, NTT has been running an educational program and certification system for cybersecurity talent since 2015. Our talk covers the definitions of job types and skill levels, the training courses, the current status of certification, and further activities. In particular, we will share our experience of developing several technical training courses on our self-developed cyber range.
A shortage of cybersecurity capability is a problem faced by many organizations. In preparation for the 2020 Tokyo Olympic and Paralympic Games, NTT has been running a cybersecurity capability education, training and certification program since 2015. This talk describes the definitions of job types and skill levels, the training courses, the current certification progress and future plans, and in particular some of the technical cybersecurity training that NTT has developed in-house.
Vadim Pogulievsky is a Cyber Research Director for Verint. His current research focuses on Automatic Forensics techniques, but his interests also stray to digital forensics, data centers, web security, malware analysis, and exploits development. Prior to joining Verint, Pogulievsky managed security research groups at McAfee Labs, M86 Security, and Finjan.
Detecting the Intent, Not just the Technique: Changing the Mindset of Cyber Defense!
Detecting Intrusions Takes More Than Technique: Rethinking Cyber Defense
As cyber threats have evolved, we are witnessing the rise of new defenses. However, these defense layers often lead to new problems. A lack of true integration makes it almost impossible to see the bigger picture and truly understand the attack. As a result, customers face endless streams of unrelated data, creating alert fatigue and too many false positives. A major shift is required in the mindset of cyber security vendors so they can create solutions that truly confront and neutralize contemporary attackers and their advanced attack methods.
In this keynote we will discuss the shift that cyber security vendors should make in order to build products that are valuable not only as silos but also as part of their customers' entire cyber security ecosystem. Finally, we will discuss the new techniques and technologies that are required for success.
As cyber threats rise, cyber defenses rise with them, and bring new problems: a lack of integrated awareness means we not only miss the forest for the trees but also fail to truly understand the nature of the attack. Customers therefore face endless streams of irrelevant data, vague alerts and findings that cannot be substantiated. Cybersecurity vendors must fundamentally change their mindset to produce solutions that genuinely confront and neutralize attackers and their advanced attack weapons.
This talk explains the change of perspective cybersecurity vendors need when building products that are not merely the customer's fortress against cyber attacks but part of the customer's whole cybersecurity ecosystem; finally, it discusses the techniques and technologies required for success.
Telecom Security Specialist, Positive Technologies
Kirill graduated from the Russian State University for the Humanities with a degree in comprehensive protection of information assets. He joined Positive Technologies in 2014 as an expert in telecommunication systems and network security. He researches signaling network security, participates in audits for international mobile operators, and takes part in PT Telecom Attack Discovery deployments and expert attack analysis. He is part of the team that revealed weak points in popular two-factor authentication schemes based on text messages and demonstrated how easy it is to compromise Facebook, WhatsApp and Telegram accounts.
Attacks on Mobile Networks: Evolving Hackers' Techniques and Defenders' Oversights
Attacks on Mobile Networks: Evolving Hacker Techniques and Defensive Oversights
The "walled garden" paradigm is outdated. Nearly all operators now admit that attackers have penetrated SS7 networks by exploiting a whole range of signaling network vulnerabilities.
Tracking subscriber location, obtaining call details, tapping, and intercepting text messages that contain security codes are the harsh reality we live in. However, mobile operators do not sit back. They address these threats by configuring hardware in the best possible way, deploying SMS Home Routing solutions to protect confidential data and fight SMS spam, and deploying SS7 firewalls, which currently offer the highest level of network protection against attackers.
But the real world is far from this rosy picture. Our research, alongside security monitoring and audits, shows that attackers have learned how to skillfully bypass most of the known protection measures. In my presentation, I will address the following issues:
The walled-garden paradigm is outdated; nearly all operators now admit that attackers have already taken over SS7 networks by exploiting a whole series of signaling network vulnerabilities.
Tracking physical location, obtaining call details, tapping, intercepting text messages that carry security codes: these are already the reality we live in. Telecom operators, however, have not given up. They counter these threats in various ways: configuring hardware as well as possible, deploying SMS Home Routing solutions to protect confidential data and fight SMS spam, and SS7 firewalls, which offer the highest level of network protection available today.
But the bright tomorrow is never waiting for us. Using security monitoring and audits, our researchers have found that attackers have learned how to skillfully bypass most known protection measures. In my talk I will discuss the following issues:
Telecom Security Expert, Positive Technologies.
Sergey was born in 1976. He graduated from Penza State University with a degree in automated data processing and management systems in 1998. Before joining Positive Technologies in 2012, he worked as a quality engineer at VimpelCom. Being a security expert in telecommunication systems at Positive Technologies, he is engaged in the research of signaling network security and in audits for international mobile operators.
As an expert in telecom security, he researches signaling network security and participates in audits for international mobile operators.
Sergey is also the lead developer of the SS7 Vulnerability Scanner tool, a member of the Telecom Attack Discovery development team, and a co-author of Positive Technologies' annual reports on telecom security.
Attacks on Mobile Networks: Evolving Hackers' Techniques and Defenders' Oversights
Researcher and analyst with 7 years of experience.
Areas of expertise include advanced analysis in technological related projects.
Interested in a job in the field of research and analysis of advanced technological concepts in the tech industry.
Put Something on the Internet - Get Hacked
Put Something on the Internet, Then Go Hack It!
For the past ~10 years Beyond Security has run a vulnerability disclosure program called SecuriTeam Secure Disclosure (SSD).
We work with researchers from around the world, acquire their findings and report them to the vendors / clients.
In the past year (2017) we had the opportunity to acquire and report more than 20 IoT vulnerabilities.
In the lecture we will talk about IoT security and why there are so many vulnerabilities in those products, and we will show different vulnerabilities found in products of well-known vendors.
At the end of the lecture we will give some good-practice advice on what you should do with your IoT devices.
Yan, Zardus, Professor Shoshitaishvili. Yan has filled a number of roles in the security community over the years: student, engineer, student again, captain of Shellphish, and now professor. In these roles, he strove to advance the state of the art in security and, occasionally, pwn noobs. He led Shellphish through the DARPA Cyber Grand Challenge, founded the angr binary analysis framework, and participated in CTFs around the world. Now, he is leading next-generation research efforts into binary analysis at Arizona State University, and is thinking heavily about how the world of information security can move forward most effectively.
All our Powers Combined: Connecting Academics, Engineers, and Hackers
Combining Our Powers: Academics, Engineers, Hackers
The field of information security is a conglomeration of three distinct communities: security engineers working in industry, academic researchers sequestered in their universities, and enthusiastic hackers battling it out on the CTF floor. These communities have different motivations, priorities and expectations, and the various disconnects between them often lead to misunderstanding, conflict, and Twitter drama. While this is entertaining, it hampers progress in our field and allows security issues that could be addressed through the collaboration of these three communities to persist.
My name is Zardus, and I am an academic. However, due to the applied nature of my research and my extensive involvement in CTF, I have been observing (and often facilitating) interactions between the academic, industry, and enthusiast communities. I have seen our binary analysis framework, and other results of our research, applied in industry and in the CTF community. I have guided both CTFers and industry engineers in starting their academic careers, and I have guided students into industry and CTF. Through these experiences, I have built my own understanding of the different mindsets that these communities maintain, and developed hypotheses regarding the optimal ways that these communities can interact.
This talk will explore the commonalities, differences, and interactions of these communities. It’ll delve into the hopes and dreams of CTF enthusiasts, the aloofness of academics, and the no-nonsense attitudes of industry personnel. It’ll guide the audience through understanding not only the mindset of these groups, but will also provide a conceptual framework through which we can work together to advance the state of information security.
The information security field has three distinct parts: security engineers in industry, academic researchers in their ivory towers, and hackers battling it out on the CTF floor. These communities have different motivations, priorities and expectations, and the distance between them means there are always misunderstandings, conflicts and disputes. Entertaining as that is, it harms the progress of the field and lets security problems that could be solved through three-way collaboration persist.
My name is Zardus. Although I work in academia, the nature of my research and my extensive contact with CTF have given me the opportunity to observe (and facilitate) interaction between the industry, academic and hobbyist communities. I have seen our binary analysis framework and our other research results applied in industry and in the CTF community. I have guided CTF players and industry engineers into academia, and students into industry and the CTF community. These experiences have given me my own understanding of these communities' mindsets, and hypotheses about the best ways for them to interact.
This talk explores these three communities, their differences and their interactions. I will look closely at the hopes and dreams of CTF enthusiasts, the aloof attitude of academics, and the pragmatic mindset of industry practitioners. On the one hand it will help you understand the mindset of these groups; on the other it proposes a conceptual framework for three-way collaboration that raises the level of information security.
Raynold Sim joined LINE's Security Department as a Security Engineer in 2015. He is a member of the team running LINE's Security Bug Bounty Program. Sometimes, he hunts for security bugs in other bug bounty programs, too.
LINE Security Bug Bounty: A Closer Look
Behind the Scenes: The LINE Bug Bounty Program
Bug bounty programs have been a hot topic in the security world. With bug bounty platforms becoming more popular, more companies all over the globe have been starting their own bounty programs to keep their services and user base secure. We will touch on the bug bounty scene in Japan and take an in-depth look at LINE's Bug Bounty Program, which we have been running since 2015. In this talk, we will share the behind-the-scenes story of how we run our bug bounty program, state our motivations for why and how we do it, and present the reflections and results of running a bug bounty program.
Bug bounty programs have long been a hot topic in the security field. As bug bounty platforms grow in popularity, many companies around the world have started running their own bounty programs to protect their services and users. We will give an overview of the bug bounty scene in Japan and take an in-depth look at the LINE Bug Bounty Program we have been running since 2015. This talk reveals how our bounty program operates behind the scenes, explains why it was launched and how it is run, and closes with observations and results from running it.
In 2008, Suguru joined Kaspersky Lab Japan as a researcher in the Japan office. He was in charge of collecting and analyzing threat information such as malware, spam and phishing in cyberspace. Subsequently, he joined the Global Research and Analysis Team (GReAT) APAC to research Advanced Persistent Threats (APT) and recent cyber threats in the APAC region.
The Bald Knight Rises
The Bald Knight: Dawn Rises
Kaspersky Lab has been tracking the XXMM (Trojan.Win32.Xxmm) malware family since January 2017. It is one of the cyber espionage campaigns targeting Japan.
The name comes from a database path (.pdb) that suggests "xxmm" as the original project name. To date we have observed more than 300 samples, including core malware components, extra modules and related malware. The XXMM family seems to be used mainly against targets in Japan and South Korea. The actor uses around 50 compromised websites as C2s, with IP addresses located in the targeted countries.
Previously this attack was named after the malware it used, such as "Tick", "BronzeButler", "ShadowWali" or "Daserf". The actor keeps changing its tools, so we decided to use a more generic name. We called this campaign "The Bald Knight" after the malware builder icon, which was taken from the "The Dark Knight Rises" movie poster and altered by removing the knight's protruding ears, leaving him with a bald head.
This actor used several anti-research techniques, such as in-memory execution, a second-stage backdoor, anti-reversing, anti-AV, whitelisting of target IPs on the C2 server, and steganography. Earlier this year we published a blog post, "Old Malware Tricks To Bypass Detection in the Age of Big Data" (https://securelist.com/old-malware-tricks-to-bypass-detection-in-the-age-of-big-data/78010/), about a unique anti-AV technique seen in this actor's recent activities.
We believe that this cyber espionage campaign is still seriously attacking Japan, because one of the infection vectors was a vulnerability found in domestic management software used by the government, public offices and government-affiliated organizations in Japan.
This presentation elucidates the methods and strategy of the "Bald Knight Rises" campaign based on the results of technical analysis of its cyber weapons, and introduces its recent activities.
Kaspersky Lab has been tracking the XXMM (Trojan.Win32.Xxmm) malware family since January 2017: a cyber espionage program targeting Japan.
The name comes from a database path that suggests the original project name may have been "xxmm". To date we have observed more than 300 samples, including core malware components, add-on modules and related malware. The XXMM family appears to be used mainly against targets in Japan and South Korea. The attacker uses around 50 compromised websites as C2s, with IP addresses located in the same countries as the targets.
Previously these attacks were named after the malware used, such as "Tick", "BronzeButler", "ShadowWali" or "Daserf". Because the attacker keeps changing tools, we decided to use a more generic name. The malware icon uses the image from the movie "The Dark Knight" with the ears removed from the head, leaving it bald; so we named it "The Bald Knight".
The attacker uses many anti-research techniques, such as in-memory execution, a second-stage backdoor, anti-reversing, anti-antivirus, IP whitelisting and steganography. This year we already published a blog post, "Old Malware Tricks To Bypass Detection in the Age of Big Data", about the unique anti-antivirus technique in this attacker's recent activity.
We believe this cyber espionage campaign is still actively attacking Japan, because one of the infection vectors is a vulnerability in domestic management software used by the government and related agencies.
Are you visible? – TEPCO’s Challenge for “Visibility” on Security Management (and Security Professionals)
Can You Be Seen? TEPCO's Challenge: A Visibility Strategy for Security Management
"Security is very difficult and troublesome to understand. Our security team probably handles everything well." That is the typical apathy of business teams, and sometimes the security side makes good use of this negative idea as well. No, no. We security professionals should prove clearly that we are useful to everyday business in risk management. From this point, security professionals must take off the hoodie, stop slouching and try to increase our "visibility" ourselves. How can we make our daily work, responsibilities and professional skills visible? TEPCO-Security shares our experiences and ideas on this headache in our community.
"Security is hard and elusive, but our security team seems to have it well in hand." This kind of detached apathy is common in business, and security vendors sometimes make heavy use of this negative idea. But as information security professionals we should clearly prove our value in everyday risk management; that is, security professionals must keep training, shake off slackness and raise our own "visibility". How do we show our daily work, responsibilities and professional skills? See TEPCO-Security's experiences and ideas in facing this industry challenge.
Michal Thim is a cyber policy and security specialist with the Strategic Information and Analysis Unit, the National Cyber and Information Security Agency of the Czech Republic. His main focus is military and security developments in Western Pacific both in cyber and physical domains, including developments in cyber security and cyber warfare capabilities of China, Taiwan, DPRK, and other regional stakeholders, and analysis of Asia-based APT groups. He has been active for over a decade, in various capacities, in researching Taiwan’s defense and security, cross-strait relations, and territorial and maritime disputes in Northeast and Southeast Asia. Michal’s work has appeared in The Diplomat, The National Interest, China Policy Institute blog, Thinking Taiwan, Strategic Vision for Taiwan Security, South China Morning Post, Jamestown Foundation’s China Brief, and elsewhere. Michal tweets at @michalthim.
Improving Cybersecurity through Non-Technical Exercises and In-House Strategic Analysis: View from the Czech Republic
A View from the Czech Republic: Improving Cybersecurity through Exercises and In-House Strategic Analysis
Cyber exercises, particularly those aimed at the decision-making process, and in-house strategic analysis are two distinct but intertwined elements of enhancing cybersecurity through measures that are non-technical in nature. The former presents decision-makers with life-like situations to test their reactions to an ensuing cybersecurity incident; the latter strives to provide them with the best available contextual intelligence on a cyber incident and the related technical analysis provided by CERT analysts. These two elements serve a common cause: well-informed decision-makers who can make the right call in response to a severe cyber-attack on critical information infrastructure or to the actions of hostile state actors in cyberspace.
Decisions come with political costs, which may incentivize risk-averse behavior even if the situation calls for bolder decision making, which is not necessarily unreasonable. From the decision-making perspective, any such move invokes legal and political considerations that might not always be apparent on the operational side of the incident response. Exercises that are designed to simulate the reality of a severe cyber incident need to address these challenges. The in-house strategic analysis team's role is to support technical teams and incident response teams by proactively informing the leadership about emerging threats in cyberspace. Furthermore, strategic analysts provide timely contextual analysis that briefs the decision-maker on the political, security and legal elements surrounding an ongoing or recently discovered cyber security incident.
The presenter will outline the decision-making process and how exercises aim to make the process as bump-free as possible, present what is meant by strategic analysis in the context of a cyber-security organization, and, with the help of selected case studies, introduce the sets of legal and political issues that hinder a timely response to a cyber-attack.
Cyber exercises, especially those focused on the decision-making process, and in-house strategic analysis are two distinct yet intertwined elements of improving cybersecurity through non-technical means. The former presents decision-makers with near-realistic scenarios to test their reactions to a sequence of cybersecurity incidents; the latter strives to provide the best available situational understanding of a cyber incident, together with related technical analysis from CERT experts. The two elements point to the same goal: well-informed decision-makers who can make the right call in a serious cyber confrontation, whether an attack on critical information infrastructure or hostile cyber activity.
Decisions that carry political costs may lead to risk-averse behavior, even in situations that call for bolder decisions; this is not entirely unreasonable. From the decision-making perspective, the legal and political considerations that any such action touches are not always obvious on the operational side of incident response. These challenges must be taken into account when designing exercises that simulate serious cyber attack incidents. The role of the in-house strategic analysis team is to support the technical teams or incident response team by proactively informing leadership about emerging threats in cyberspace. Furthermore, strategic analysis provides timely contextual analysis that lets decision-makers understand the political, security and legal elements surrounding an ongoing or recently discovered cybersecurity incident.
The speaker will outline the decision-making process and how exercises make that process as smooth as possible, explain what strategic analysis means within a cybersecurity organization, and use case studies to introduce the legal and political factors that can obstruct a timely response to a cyber attack.
Sung-ting Tsai (TT) is the leader of Team T5 Research. They monitor, analyze, and track cyber threats throughout the Asia Pacific region. His major areas of interest include document exploits, malware detection, sandbox technologies, system vulnerability and protection, web security, cloud, and virtualization technology. He is especially interested in new vulnerabilities in new technologies, and frequently presents the team's research at security conferences such as Black Hat, HITCON and SyScan. He and Ming-chieh are members of the CHROOT security group in Taiwan. Sung-ting (TT) is also the organizer of HITCON, the largest technical security conference in Taiwan.
Respond Before Incident - Building Proactive Cyber Defense Capabilities
Respond Before the Incident: Building Proactive Cyber Defense Capabilities
Historically, incident response has long been considered an approach to managing the aftermath of a security breach once an incident occurs. Many organizations develop an IR process in the hope that nothing will ever happen. However, as the tactics and procedures of attackers have evolved rapidly and the cost of conducting attacks has become much lower, it is time to realize that "You Will Be Compromised".
In this talk, we aim to discuss the question "Why is traditional incident response not enough?"
We will present a real-world case study showing how we helped an organization in Taiwan mitigate the severe APT attacks from 4 attacker groups that it faced over the past 2 years. With this case, we will explain how we transformed the defense mode from passive to proactive, and share our methodology for threat hunting and elimination.
Traditionally, incident response has long been regarded as an after-the-fact management measure once a security incident has occurred; many organizations develop an incident response process and pray that nothing happens. However, attackers' tactics and techniques are advancing by the day and the cost of launching attacks keeps falling; it is time to face the reality that "you will be compromised".
In this talk we will discuss the question "Why is traditional incident response not enough?"
Using a real-world case study, we will show how we helped an organization in Taiwan mitigate the advanced persistent attacks launched by four attacker groups over the past two years. Through this case we will explain how we shifted from passive to proactive defense, and share our methodology for hunting and eliminating threats.
Security Engineer, currently working in vulnerability management, vulnerability assessment, networking, configuration management and risk management in the financial industry. Fluent in Mandarin and English.
How to Construct a Sustainable Vulnerability Management Program
How to Build a Sustainable Vulnerability Management Program
Whether you are ethical, unethical or halfway in between, vulnerabilities will never stop being found by you and your mates. Finding a 0day after months of hard work is definitely rewarding, but have we thought about the folks who work on the other side, who have to protect keys and decide which one to patch? Well, this talk is about that. Heartbleed (CVE-2014-0160), Shellshock (CVE-2014-6271), Stagefright, POODLE (CVE-2014-3566), weak SSL/TLS ciphers, the good old Conficker (CVE-2008-4250), and… wait, how about MS17-010? These six vulnerabilities are among the most well-known; which one do you tell your IT admin teams to patch first? How do you prioritize them in a multi-billion dollar corporation with thousands of endpoints; do you know where they are; can you fix them all? Or even which vulnerability you should risk-accept?
This talk is about building a sustainable vulnerability management (VM) program to answer the above and other vulnerability management questions, and how to build a program that can scale from a small to a large company.
Ethical or not, vulnerabilities will always be found by you and your mates. Spending months of effort to dig out a vulnerability certainly deserves reward, but on the other side there is a group of people working hard to protect data and decide how to patch. Today we explore that perspective. Heartbleed (CVE-2014-0160), Shellshock (CVE-2014-6271), Stagefright, the POODLE attack (CVE-2014-3566), Conficker (CVE-2008-4250) and the Microsoft MS17-010 security bulletin: all six are well-known vulnerabilities. How do we discuss with IT staff which one should be patched first? How do we set priorities? Do you know the details of these vulnerabilities? Should every vulnerability be patched, or is some vulnerability not that urgent for your company's environment?
This session discusses how to build a sustainable vulnerability management program to answer the questions above and manage vulnerabilities effectively, and how to establish this mechanism at companies of every size.
Wei Chea is a Senior Threat Hunter at Countercept, a 24/7 managed threat hunting service by MWR InfoSecurity. He has eight years of experience in information security and has worked in security operations and threat hunting for two global Fortune 200 organizations.
Threat Hunting, The New Way
A New Approach to Threat Hunting
Traditional methods of attack detection have failed us. Threat Hunting approaches the problem of attack detection from a new perspective, and seeks to find traces of attacker behavior with the assumption that networks are already compromised.
We’ll cover our approach for real world threat hunting at scale, the key datasets required, and why threat hunting is such an important new development for threat detection. By sharing a range of the real world attack scenarios we have personally encountered, we’ll show you how essential and effective it is to implement threat hunting scenarios into your detection strategy.
Finally, we’ll give you advice on how to start your own threat hunting journey within your organization.
By the end you’ll not only have an understanding of the concept of threat hunting, you’ll also know how to combine people, processes and technology to apply it yourself.
Traditional methods of attack detection do not work. Threat hunting not only offers a new direction for attack detection; it can also track down attackers under the assumption that the network has already been compromised.
We will use real cases to explore why threat hunting is the new form of attack detection. Through real-world attack cases we have encountered, we will show why threat hunting is a necessary and effective way to detect attacks.
Finally, we will advise you on how to begin building your own threat hunting approach to protect your organization.
You will gain not only the basic knowledge of threat hunting, but also an understanding of how to combine people, processes and technology to build your own.
Daoyuan Wu is a PhD candidate at Singapore Management University (SMU). He has accumulated 10 years' experience in the computer security area and is currently doing mobile security research. He likes to build automatic analysis tools and identify new classes of vulnerabilities. He has published ten academic papers and was the first reporter of content provider vulnerabilities in many popular Android apps (over 60 CVEs). He has won bug bounties from top vendors including Facebook, Yahoo, Mail.Ru, Yandex, Baidu, Tencent, Alibaba, and Qihoo 360. Besides app vulnerabilities, he reported one system issue in Android (CVE-2014-7224) and one in iOS (CVE-2015-5921, with an Apple iOS 9 acknowledgement).
Daoyuan Wu is a PhD candidate at Singapore Management University. He has worked in computer security for over ten years and in recent years has focused on mobile security research. He is skilled at using automated analysis tools to discover new kinds of security vulnerabilities. He has published ten academic papers and found more than 60 CVEs, many of them in popular Android apps. He has also contributed to many bug bounty programs, including Facebook, Yahoo, Mail.Ru, Yandex, Baidu, Tencent, Alibaba and Qihoo 360. Besides Android app vulnerabilities, he has reported an Android system vulnerability, CVE-2014-7224, and an iOS system vulnerability, CVE-2015-5921.
Cross-Platform Analysis of Indirect File Leaks in Android and iOS Applications
Cross-Platform Analysis of Indirect File Leaks in Android and iOS Apps
Today, much of our sensitive information is stored inside mobile applications (apps), such as browsing histories and chat logs. To safeguard these private files, modern mobile systems, notably Android and iOS, use sandboxes to isolate apps' file zones from one another. However, I will show in my talk that these private files can still be leaked by indirectly exploiting components that are trusted by the victim apps. In particular, we devise new indirect file leak (IFL) attacks that exploit browser interfaces, command interpreters, and embedded app servers to leak data from very popular apps, such as Evernote and QQ. Unlike previous attacks, we demonstrate that these IFLs can affect both Android and iOS. Moreover, our IFL methods allow an adversary to launch the attacks remotely, without implanting malicious apps in victims' smartphones. We finally compare the impacts of four different types of IFL attacks on Android and iOS, and propose several mitigation methods.
Today more and more sensitive data is stored in mobile apps, for example browser history and chat logs. To protect this private information, both Android and iOS use sandbox technology to ensure that apps cannot read or write each other's data. However, this talk will demonstrate how private data can still be stolen by exploiting a mobile app indirectly. In particular, we will show new indirect file leak (IFL) attacks that exploit browser interfaces, command interpreters and app servers to steal data from popular apps (e.g. Evernote, QQ, etc.). Unlike earlier attack methods, we will demonstrate IFL attacks on both iOS and Android. Moreover, IFL attacks can be launched remotely; the victim device does not need to have a malicious app installed. Finally, we analyze and compare IFL and other related attack methods.
Jong-Shian Wu is a researcher at National Taiwan University, working on topics related to cryptographic engineering. He enjoys studying how programs, languages, protocols, and computer systems actually work, and is particularly interested in real-world applications of cryptography.
KRACK & ROCA
Key Reinstallation Attack & Coppersmith's Attack
KRACK (Key Reinstallation Attack) is a security weakness in WPA2 discovered by Mathy Vanhoef et al. This weakness in the WPA2 protocol design and its implementations allows attackers within proximity to hijack the "encrypted" channel between a supplicant and a Wi-Fi AP. Both personal networks and enterprise networks are affected.
ROCA (The Return of Coppersmith's Attack) is a security vulnerability in an RSA firmware library discovered by Matus Nemec et al. The flawed library, from a major manufacturer of cryptographic hardware, is widely deployed in security tokens, smart cards, electronic ID cards, TPMs, etc. Since prime numbers generated by the flawed library have insufficient entropy and a specific structure, attackers can easily identify and factorize RSA public keys that were generated from affected devices.
In this talk, we will explain how KRACK and ROCA work and some important lessons we should learn from them.
KRACK (Key Reinstallation Attack) is a WPA2 security vulnerability discovered by Mathy Vanhoef et al. This weakness in the design and implementation of the WPA2 protocol allows nearby attackers to hijack the "encrypted" channel between a supplicant and a Wi-Fi AP; both personal and enterprise networks can be affected.
ROCA (the Return of Coppersmith's Attack) is an RSA security vulnerability discovered by Matus Nemec et al. The flawed firmware library, supplied by a major cryptographic hardware manufacturer, is widely used in security tokens, smart cards, electronic ID cards, TPMs and other devices; the primes it generates have insufficient entropy and a specific structure, so attackers can easily identify and factorize RSA public keys generated by affected devices.
This talk will explain how KRACK and ROCA work, and several lessons worth learning from them.
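The ROCA abstract above says the flawed library's primes have "a specific structure" that lets affected public keys be identified. The defender-side consequence is a cheap fingerprint test that works on the public modulus alone, which is how a key inventory can be scanned for affected keys. The following Python is an added illustration of that fingerprint, not code from the talk or from the ROCA authors; it assumes the parameter set the ROCA paper uses for 512-bit keys (the first 39 primes, 2 through 167, generator 65537), and the two moduli it checks are constructed here and are not real device keys.

```python
# ROCA-style fingerprint check on an RSA modulus.
# Added illustration (not the talk's or the ROCA authors' code).
#
# Assumption taken from the public ROCA description: affected primes have the
# form  p = k*M + (65537**a mod M), where M is the product of the first n small
# primes (n = 39, i.e. 2..167, for 512-bit keys; larger keys use larger n).
# Then for every small prime r dividing M,  p mod r = 65537**a mod r, and so
# N = p*q mod r = 65537**(a+b) mod r  lies in the subgroup generated by 65537.
# A modulus made from ordinary random primes fails this test for at least one
# small prime with overwhelming probability, so the check is a usable
# fingerprint for defenders auditing their own certificates and tokens.

GENERATOR = 65537


def small_primes(limit):
    """Primes up to `limit` (inclusive), by trial division."""
    primes = []
    for n in range(2, limit + 1):
        if all(n % p for p in primes if p * p <= n):
            primes.append(n)
    return primes


PRIMES = small_primes(167)  # 39 primes: the 512-bit parameter set (assumption)


def subgroup(r):
    """All residues mod r of the form 65537**k (the cyclic subgroup <65537>)."""
    seen, x = set(), 1
    while x not in seen:
        seen.add(x)
        x = (x * GENERATOR) % r
    return seen


SUBGROUPS = {r: subgroup(r) for r in PRIMES}


def is_roca_fingerprint(n):
    """True if n mod r lies in <65537> for every small prime r in the set.

    A True result means the modulus is consistent with the flawed generator
    and should be treated as affected; a False result rules that structure out.
    """
    return all(n % r in SUBGROUPS[r] for r in PRIMES)


def primorial(primes):
    m = 1
    for p in primes:
        m *= p
    return m


# Constructed inputs for the demonstration (labelled as such; not real keys).
M = primorial(PRIMES)
# Mimic the flawed generator's structure. The two factors are not tested for
# primality: the fingerprint depends only on residues modulo the small primes.
p_like = 12345 * M + pow(GENERATOR, 4321, M)
q_like = 67890 * M + pow(GENERATOR, 8765, M)
N_STRUCTURED = p_like * q_like
# An odd number with no such structure: 2**1024 + 1 is 6 mod 11, and the
# subgroup generated by 65537 mod 11 is {1, 10}, so the test must reject it.
N_ORDINARY = 2**1024 + 1

if __name__ == "__main__":
    print("structured modulus flagged:", is_roca_fingerprint(N_STRUCTURED))
    print("ordinary modulus flagged:  ", is_roca_fingerprint(N_ORDINARY))
```

In practice the modulus would be read out of a certificate or SSH key with the usual tooling and fed to `is_roca_fingerprint`; the point of the check is that it needs no private material and no factoring, which is why it can be run across a whole fleet.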
Fyodor is a researcher at Trend Micro, an incident investigation volunteer at Academia Sinica and a Ph.D. candidate in EE at National Taiwan University. He is an early Snort developer, an open source evangelist and a "happy" programmer. Prior to that, Fyodor's professional experience includes over eight years as an information security analyst responding to network security breaches and conducting remote network security assessments and network intrusion tests for the majority of regional banking, finance, semiconductor and telecommunication organizations. Fyodor is an active member of the local security community and has spoken at a number of conferences regionally and globally.
Fyodor works at Trend Micro, investigates threat incidents at Academia Sinica, and is currently a PhD student in Electrical Engineering at National Taiwan University. He was an early Snort developer, is an open source evangelist, and continues to live by the creed of "happy programming". Before that, Fyodor's professional experience included more than eight years as a network and security breach analyst, and conducting remote network security assessments and network intrusion tests for major regional banking, finance, semiconductor and telecommunication organizations. Fyodor remains an active member of Taiwan's security community and has spoken at many regional and global conferences.
The Age of Broken ATMs
Those Years, the ATMs They Robbed
We observed this year that attacks against Automatic Teller Machines went from theoretical research and impressive demonstrations at conferences to a very practical method used by criminal groups to monetize their access to compromised networks within financial institutions. A number of cases that took place this year received loud attention in the media, but the attacker methods and exploitation varied from one case to another. In this presentation we examine several cases of ATM breaches, including the well-known case that took place in Taiwan, but also Russia, Kyrgyzstan and other Central Asian countries, as well as Spain and a number of other countries in Europe. We discuss attack vectors against ATM devices and known methods which the attackers utilize to abuse ATM machines for the purpose of either information collection or cash withdrawal. We also discuss some of the attack methods the attackers used to infiltrate the target organizations and compromise the devices. We dive deeper to understand the ecosystem and the nature of the threat actors, and discuss the skills and tools available on the black market and the evolution of ATM threats.
Over these years we have observed attacks on ATMs evolve from academic theory and flashy conference demonstrations into a way for criminal groups to seize financial institutions' networks and profit from them. In recent years many attack cases have appeared in the media spotlight, and the attackers' methods have evolved along with them. In this talk we will present the many ATM attack methods of these years, including the well-known Taiwan ATM incident as well as cases in Russia, Kyrgyzstan, many Central Asian countries, Spain and several European countries.
BoB Digital Forensics Mentor
Light Up The Korean DarkWeb
Four students from South Korea teamed up in order to dig into the Korean DarkWeb.
There are a number of publications about the cyber underground, including the DarkWeb, that cover the situation in many countries, including Russia, the US, Germany and Japan. But there is not much information about cyber underground activities in the most connected country in the world, South Korea.
The team HGWT took on the challenge and discovered five DarkWeb forums in Korea as well as notorious activities in the Korean cyber underground part of the surface web.
In this talk, they will introduce specifics of the Korean cyber underground (including DarkWeb), share their approaches for investigations and discuss several case studies.
Team HGWT
The team HGWT (Dasom Kim, Sujin Lim, Sunghee Lim, Eunhee Jo) consists of four BoB students and is led by two mentors in the digital forensics field, Nikolay Akatyev (VP of Engineering at Horangi Cyber Security) and Hyeon Yu (Professor at the Korean Police Investigation Academy).
BoB (Best of the Best) is a cyber security education program that fosters the next generation of security leaders in Korea. It is hosted by the Korea Information Technology Research Institute (KITRI) and supported by the Korean Government.