Takuya Matsuda

Takuya Matsuda

1943 Born in Osaka, Japan.
1961 Graduated from Osaka Prefectural Kitano Senior High School.
1961 Enrolled in Faculty of Science, Kyoto University.
1965 Enrolled in master's course of the Graduate School of Sciences, Department of Physics, Kyoto University.
1967 Enrolled in doctoral course of the Graduate School of Sciences, Department of Physics, Kyoto University. Measured Nuclear
1970 Received Ph.D. from Kyoto University.
1970 Assistant professor in Faculty of Technology, Department of Aeronautical Engineering, Kyoto University.
1973 Associate professor in Faculty of Technology, Department of Aeronautical Engineering, Kyoto University.
1992 Professor in Faculty of Science, Department of Earth and Planetary Sciences, Kobe University.
2006 Retired from Kobe University and entitled Professor Emeritus.

Also served as affiliate professor of University of Wales College of Cardiff, affiliate professor of National Astronomical Observatory of Japan, administrative director of Astronomical Society of Japan. Currently serves as president of JAPAN SKEPTICS.
Present Post: vice-president of incorporated non-profit organization Einstein, research worker of the Nakanoshima Science Laboratory.
Expertise: Cosmology, Relativity, Astrophysics, Fluid Dynamics, Computer Simulation.
Interest: Presentation Theory, Criticism for pseudoscience, Aikido.
Author: "Relativistic Cosmology", "Year 2015 Problem... the date that computer goes beyond human", "Mistake-filled Physics"
Currently organizes "Singularity Salon" for raising Singularity from Japan.

Keynote:The Singularity is Near

An Artificial Intelligence (AI) extremely surpassed the human intelligence is called "Superintelligence". In a short while, the Superintelligence will be developed for the first time in our history. The Superintelligence raises an exponential development of the scientific technology and affects the human society and civilization. The time is called "Singularity (Technological Singularity)". An American futurist Ray Kurzweil, who bruits the concept of Singularity, predicts that the time will come in the year 2045. And he also predicts that the capacity of the AI will gets up to that of a human in the year 2029. I would like to call the period prior to 2045 as "Pre-Singularity". An AI used for a specific purpose is called "Narrow AI", and an AI used for general purposes is called "Artificial General Intelligence (AGI)“. Today there is only Narrow AI, but it will greatly affect the human society such as Technological Unemployment in the coming future. If AGI comes into being, the influence increases dramatically. Researchers all over the world endeavors to develop the AGI. In recent years, researches of the Superintelligence are implemented in Japan. I will discuss what is the Superintelligence and political, economic, technological and military significances. I will especially introduce the roadmap for the development of the Superintelligence in Japan. I will also discuss about the possibility that Singularity will be occurred from Japan in 2020s much earlier than the year 2045.

Richard Thieme

Richard Thieme

Richard Thieme is an author and professional speaker focused on challenges posed by new technologies and the future, how to redesign ourselves to meet them, and creativity in response to radical change.

His column Islands in the Clickstream was sent to subscribers in 60 countries before collection as a 2004 book. When a friend at NSA said as they worked on intelligence ethics issues, "The only way you can tell the truth is through fiction," he returned to writing short stories, 19 of which are collected in “Mind Games.” He is co-author of the critically extolled “UFOs and Government: A Historical Inquiry,” a research project using material from government documents and other primary sources, now in 65 university libraries, and working again with the “UFO History Group” on “The UFO Phenomenon.” A recent novel FOAM explores the existential challenges of what it means to be human in the 21st century.

Thieme has keynoted security conferences around the world for 21 years. His work has been taught at many universities and he has lectured at others, including Purdue (CERIAS), the Technology, Literacy and Culture Distinguished Speakers Series of the U of Texas, and the “Design Matters” series at the U of Calgary. He keynoted a conference on metadata for U Texas-San Antonio, addressed the reinvention of “Europe” as a “cognitive artifact” for curators and artists at Museum Sztuki in Lodz, Poland and keynoted “The Real Truth: A World’s Fair” at Raven Row Gallery, London. He has spoken for NSA, FBI, Secret Service, corporations that include Microsoft, GE, and Medtronic, and he spoke at Def Con in 2015 for the 20th year.

Keynote:The Only Way to Tell the Truth is in Fiction: The Dynamics of Life in the National Security State

Over a decade ago, a friend at the National Security Agency told Richard Thieme that he could address the core issues they discussed in a context of "ethical considerations for intelligence and security professionals" only if he wrote fiction. "It's the only way you can tell the truth," he said.

Three dozen published short stories and one novel-in-progress (FOAM) later, one result is "Mind Games," published in 2010 by Duncan Long Publishing, a collection of stories that illuminates “non-consensual realities:” the world of hackers; the worlds of intelligence professionals; encounters with other intelligent life forms; and deeper states of consciousness.

A recent scholarly study of “The Covert Sphere” by Timothy Melley documents the way the growth and influence of the intelligence community since World War 2 has created precisely the reality to which that NSA veteran pointed. The source of much of what “outsiders” believe is communicated through novels, movies, and television programs. But even IC “insiders” rely on those sources, as compartmentalization prevents the big picture from coming together because few inside have a “need to know.”

Thieme asked a historian at the NSA what historical events they could discuss with a reasonable expectation that their words denoted the same details. “Anything up to 1945,” the historian said with a laugh – but he wasn’t kidding.

Point taken.

This fascinating presentation illuminates the mobius strip on which all of us walk as we make our way through the labyrinth of security and intelligence worlds we inhabit of necessity, all of us some of the time and some of us all of the time. It discloses why “post-modernism” is not an affectation but a necessary condition of modern life. It addresses the response of an intelligence analyst at NSA who responded to one of Thieme's stories by saying, “most of this isn’t fiction, but you have to know which part to have the key to the code.” This talk does not provide that key, but it does provide the key to the key and throws into relief everything else you hear – whether from the platform or in the hallways – inside this conference. And out there in the “real world.”

“Nothing is what it seems.”

Shigeo Mitsunari

Shigeo Mitsunari & Yoshinori Takesako
Shigeo Mitsunari & Yoshinori Takesako

Shigeo Mitsunari
Shigeo Mitsunari is a researcher and a developer of security and infrastructure at Cybozu Labs, Inc.
He has developed and released the world's fastest implementation of a library for pairing-based cryptography on GitHub.
In 2010, he has won IEICE Best Paper Award for his research concerning vector decomposition problem.
In 2015 he has been selected as Microsoft MVP Developer for the field of security.
He is the author of the book "Applied Cryptography for the Cloud." (Original Japanese title: 「クラウドを支えるこれからの暗号技術」)
He is currently writing for the column "Encryption Technology in the era of cloud" at @IT.

Yoshinori Takesako

Yoshinori Takesako
Yoshinori Takesako is the executive committee chairperson, organizer, and challenge creator of the SECCON CTF contests that are held several times a year throughout Japan including large international online and in-person contests.
He is also on the OWASP Japan advisory board, the review board for the CODE BLUE conference, a Microsoft MVP of Developer Security, the leader of the Shibuya Perl Mongers group, and has been designated an expert in ISO/IEC JTC 1/SC 22 programming languages such as C# and other scripting languages.
He has also presented at information security conferences such as HITCON in 2011 "Disassembling Flash Lite 3.0 SWF Files", and OWASP AppSec APAC 2014 "Secure escaping method for the age of HTML5", and has published some books and papers:"Reading ECMA-262 Edition 5.1" and "How to Execute Arbitrary Code on x86 JIT Compliers" etc.

[Encryption][MS Office]An Backdoor leveraging master key for MS Office file encryption and the Countermeasures

The encryption method of Microsoft Office 2010 and thereafter is designed to be considerably safer than that of the versions prior to MS Office 2007. However, it is revealed that encrypted files of Excel 2010 and 2013 which are created under a specific condition can be decrypted easily, no matter how strong the configured password is. In this session, we will show the background behind the discovery of the backdoor and a demonstration of the decryption tool for the vulnerable encryption. And we will also introduce the tool that modifies the encryption of files containing such vulnerability for a stronger encryption.

Keiichi Horiai

Keiichi Horiai

In the year 2001, codered went on a rampage. This incident inspired my interest for the importance of network security, and I began fixed-point observation with PlayStation2 as a server. From the time, I followed business promotion of security consolidation for Ministry Of Defense network and network monitoring. And then, I engaged in research and development of cyber security in the technology research headquarter of Ministry Of Defense and received academic degree from Institute of Information Security(IISEC) for works of automatic malware analyzing system. Currently, I have an interest in security of low-layer in close to hardware. Ph. D., CISSP

[Network][SDR][Wireless] Wireless security testing with attack

We are in the IoT era. In this session, the function of GNURadio will be introduced with demonstration. GNURadio is a SDR (Software Defined Radio) tool to analyze wireless security such as Bluetooth LE. As an example of a SDR usage, I will demonstrate the replay attack for RF signal of ADS-B (Automatic Dependent Surveillance Broadcast) mounted on an aircraft and sniffer for wireless keyboards. Ideas of the counter measurement will also be discussed.

Mario Heiderich

Mario Heiderich

Dr. Mario Heiderich, handsome heart-breaker, bon-vivant and (as he loves to call himself) "security researcher" is from Berlin, likes everything between lesser- and greater-than.

He leads the small yet exquisite pen-test company called Cure53 and pesters peaceful attendees on various 5th tier conferences with his hastily assembled PowerPoint-slides and a lot of FUD.

The closest Mario ever was to visiting 日本(Japan) was a wild ride between ESC$B and ESC(B so it's about time to pay a visit!)

[Web][JavaScript][AngularJS]An Abusive Relationship with AngularJS – About the Security Adventures with the "Super-Hero" Framework

Some voices claim that "Angular is what HTML would have been if it had been designed for building web applications". While this statement may or may not be true, is certainly accounts as one of the bolder ones a JavaScript web framework can ever issue. And where boldness is glistening like a German Bratwurst sausage in the evening sun, a critical review from a grumpy old security person shouldn’t be too far away. This talk will have a stern, very stern look at AngularJS in particular and shed light on the security aspects of this ever-popular tool. Did the super-hero framework do everything right and follow its own super-heroic principles? Does AngularJS increase or rather decrease the attack surface of a web application? How does AngularJS play along with the Content Security Policy, and was it a good idea to combine this kind of security with futuristic feature creep? And what about AngularJS version 2.0? Beware that we won’t stop at glancing at the code itself, investigating security best practices, and verifying compatibility and other common things that contribute to robust security (or lack thereof). We will cross the moral border and see if the AngularJS team could notice rogue bug tickets. A pivotal question that everyone is wondering about is: Have they successfully kept evil minds like yours truly speaker here from introducing new security bugs into the code base? This talk is a reckoning with a modern JavaScript framework that promises a lot and keeps even more, not necessarily for the best for developers and users. We will conclude in deriving a general lesson learnt and hopefully agree that progress doesn't invariably mean an enhancement.

Muneaki Nishimura (Nishimunea)

Muneaki Nishimura (Nishimunea)

Muneaki Nishimura, also known as Nishimunea, is a security researcher, weekend bug hunter, and Mozillian. His research interests are in abusing security mechanisms in web browsers and web based platforms. He is a lecturer and current web and mobile application security track leader of Security Camp, the national information security human resource development program in Japan.

[Web][Firefox][OSS][CORS]Defeating Firefox

The number of corporations establishing bug bounty programs in order to accomplish early discovery of vulnerabilities is increasing. So far, I have reported vulnerabilities in Firefox and received 45,000 USD (5,400,000 JPY) in bounties from the developer, which is the Mozilla Foundation. As a matter of fact, the vulnerabilities discovered in Firefox have a trend however, the awareness of the trend has not being raised among the Firefox developers and every time a new feature is implemented, a similar vulnerability is repeatedly created in the code. In this session, based on the vulnerabilities I have discovered in the past, I will introduce the patterns of vulnerabilities frequently observed in Firefox and delineate the root cause of those vulnerabilities. In addition, I will introduce my practical method that will allow you to effectively discover bugs in Firefox. This method is actually applicable not only to Firefox but any other open source software as it is based on an issue particular to open source software.

Xiaodun Fang

Xiaodun Fang

1. Be admitted by university at the age of 15.
2. Found vulnerabilities of a company and got his first job while he majored in chemical in university.
3. Founder of 80sec——a famous information security research team in China.
4. Technical Director of information security of Baidu.
5. Founder of WOOYUN community.
6. Founder of TangDynasty Cloud——a SaaS service."

[bug report][Community][Zero-day market]New immune system of information security from CHINA

This talk is about the introduction of Wooyun.
WooYun is a platform where security researchers report vulnerabilities and vendors give feedbacks. While WooYun follows vulnerabilities, it also provides researchers a platform for public interests, study, communication, and research.I will introduce how WooYun works and why we start this project in my presentation, also what WooYun changes in the security circle in China, and why, when, where it built, how it developed and the difficulties when developing.

Alfonso De Gregorio

Alfonso De Gregorio

Alfonso De Gregorio is a security technologist, founder of BeeWise, the first cyber security prediction market, and Principal Consultant at secYOUre. He started his career in information security in the late 1990s. Since then he never stopped contributing his little share to the discussion and practice of security engineering. Among the positions held, he served as Chief Security Architect at an HSM vendor, Expert at European Commission, and Visiting Scholar at the Computer Security and Industrial Cryptography (COSIC) research group, K.U. Leuven. In his career as a public speaker, Alfonso addressed a wide range of audiences across the globe, including industry executives, academics, security practitioners, and hackers, speaking about security economics, software security, intelligence support systems, cryptography engineering, cryptographic backdooring. Alfonso researches solutions for building cybersecurity incentives, tweets @secYOUre, and generally does not speak of himself in the third person.

[Zero-day market] The Bazaar, the Maharaja's Ultimatum, and the Shadow of the Future: Extortion and Cooperation in the Zero-day Market

The Bazaar, the Maharaja's Ultimatum, and the Shadow of the Future: Extortion and Cooperation in the Zero-day Market

Zero-day vulnerabilities are gaining a prominent role in the modern-day intelligence, national security, and law enforcement operations. At the same time, trading vulnerability information or zero-day exploits is considered a risky ordeal. Players in the secretive zero-day market face some inherent obstacles related to time-sensitiveness of traded commodities, trust, price fairness, and possibility of defection.

To alleviate some of these hurdles, it was suggested to: 1. Use punishment (i.e., public disclosure of vulnerabilities) to discourage a buyer from defecting; 2. Resort to the use of trusted-third parties (e.g., escrow services), as crucial entities for enabling cooperation of market participants; and 3. Build a reputation system (e.g., reputation score) as an instrument to establish trust relationships between distrustful players.

Building upon the empirical observations contributed by the first three public case studies, this work presents the first results of an ongoing research on extortion and cooperation in zero-day markets through the lens of game theory.

The questions motivating this research are: a. Can the zero-day market achieve cooperation and efficiency even in absence of trusted-third parties? b. Can punishment discourage the buyer from defecting? c. Under which conditions a player can extort the opponent? d. Can cooperation be sustained also in fully anonymous or semi-anonymous settings? The talk will address these questions and others, by providing an analysis of the zero-day trading strategies applicable to each scenario.

Learn which strategies allows to maximize the profits while trading zero-days in today's marketplaces. Find out how to avoid getting extorted by zero--day traders. Learn how to extort an unwit market participant. Gain a deeper knowledge about the emergence, sustainability, and breakdown of cooperation. Discover under which conditions the zero-day markets can achieve efficiency.

This work find application in a number of markets for vulnerability information and zero-day exploits. They range from over-the-counter zero-day trading, to boutique exploit providers offering zero-day vulnerabilities for a subscription fee, to service models for vulnerability research.

Clarence Chio

Clarence Chio

Clarence graduated with a B.S. and M.S. in Computer Science from Stanford University, specializing in data mining and artificial intelligence. He currently works at Shape Security, a startup in Silicon Valley building a product that protects from malicious bots and automated attacks on Global 2000 customer websites. At Shape, he works on the big data analysis systems that are used to tackle this problem. Clarence is a community speaker with Intel, traveling around the USA speaking about topics related to the Internet of Things and hardware hacking. He spoke at PHDays 2015 in Moscow, Russia, and at BSides in Las Vegas 2015. He is also the founder and organizer of the "Data Mining for Cyber Security" meetup group, the largest gathering of security data analysis professionals in the San Francisco Bay Area.

[Machine Learning][IDS]Making & Breaking Machine Learning Anomaly Detectors in Real Life

Machine learning-based (ML) techniques for network intrusion detection have gained notable traction in the web security industry over the past decade. Some Intrusion Detection Systems (IDS) successfully used these techniques to detect and deflect network intrusions before they could cause significant harm to network services. Simply put, IDS systems construct a signature model of how normal traffic looks, using data retrieved from web access logs as input. Then, an online processing system is put in place to maintain a model of how expected network traffic looks like, and/or how malicious traffic looks like. When traffic that is deviant from the expected model exceeds the defined threshold, the IDS flags it as malicious. The theory behind it was that the more data the system sees, the more accurate the model would become. This provides a flexible system for traffic analysis, seemingly perfect for the constantly evolving and growing web traffic patterns.

However, this fairytale did not last for long. It was soon found that the attackers had been avoiding detection by ‘poisoning’ the classifier models used by these PCA systems. The adversaries slowly train the detection model by sending large volumes of seemingly benign web traffic to make the classification model more tolerant to outliers and actual malicious attempts. They succeeded.

In this talk, we will do a live demo of this 'model-poisoning' attack and analyze methods that have been proposed to decrease the susceptibility of ML-based network anomaly detection systems from being manipulated by attackers. Instead of diving into the ML theory behind this, we will emphasize on examples of these systems working in the real world, the attacks that render them impotent, and how it affects developers looking to protect themselves from network intrusion. Most importantly, we will look towards the future of ML-based network intrusion detection.

Motoki Nishio

Motoki Nishio

In 1996 born in Osaka Yao city.
He wondered that cannot select specific color in "mspaint.exe" when he was 8 years old.
And he started learning programing.
He found Chaos Computer Club e. V. (CCC) when he was 13 years old.
And he started computer security himself.
Web security engineer and PHP programmer in Osaka.
Security researcher in FFRI since 2014.
His specialty is Web security.
He reported a lot of vulnerabilities for big domain and products.

[iOS][Malware]iOS malware trends and the malware detection with the dedicated gadgets

Malware threats are becoming reality also on the iOS devices.
Apple's app review and the iOS sandbox have been protecting users from malware.
However it has become necessary to take measures because new methods of malware infection techniques have emerged recently.

The WireLurker infects to iOS app by exploiting USB Sync.
iOS Developer Enterprise Program had abused by One-Click fraud app.
These are new techniques which appeared in the past year.
Third-party framework is now available as "Embedded framework" for app development from the iOS 8.
A Research which realizes SSL Pinning using the Embedded framework has been published recently.

The iOS have been fixed a lot of security problems.
However, the attackers always are trying to bypass security.
I am concerned that the attacks to iOS will be soon earnest.
Apple still seems to believe that additional third-party security software is unnecessary.
Therefore security vendors cannot supply advanced security software for iOS.
iOS users have no choice but to depend on Apple.

I have researched iOS malware which may occur in the future.
For example, MITA malware has not been a concern currently.
That is possible by Embedded framework and Method Swizzling.
I show demonstration MITB malware which infects to iOS from PC.
Also I explain method to detect it.

I developed a prototype gadget which detects iOS malware via USB connection.
This gadget is working under the same conditions as malware.
Therefore, it is not restricted by sandbox unlike normal app.
My gadget detects malware by analysis based on attributes of iOS app signature, profile, permission, and third party framework.
It works on the Raspberry Pi and Linux.
If it integrated into battery charger, it can detect malware along with charging.
I will demonstrate of malware detection by my gadget.

Shusei Tomonaga

Shusei Tomonaga & Yuu Nakamura
Shusei Tomonaga & Yuu Nakamura

Shusei Tomonaga
Shusei Tomonaga is a member of the Analysis Center of JPCERT/CC. Since December 2012, he has engaged in malware analysis and forensics investigation, and is especially involved in analyzing incidents of targeted attacks. In addition, he has written up several posts on malware analysis and technical findings on JPCERT/CC’s English Blog (http://blog.jpcert.or.jp/).
Prior to joining JPCERT/CC, he engaged in security monitoring and analysis operations at a foreign-affiliated IT vendor.

Yuu Nakamura

Yuu Nakamura
Yu Nakamura is a member of the Analysis Center of JPCERT/CC. Since April 2012, he has engaged in analyzing malware and defaced websites at the forefront. He recently focuses on malware analysis relating to targeted attacks in particular.
Prior to joining JPCERT/CC, he engaged in operational services at a major portal site operator.

[APT][Reverse engineering]Revealing the Attack Operations Targeting Japan

Japan is recently experiencing a rise in targeted attacks. However, it is rare that details of such attacks are revealed. Under this circumstance, JPCERT/CC has been investigating the attack operations targeting Japanese organizations including the government and leading enterprises. We have especially been tracking two distinct cases over a prolonged period.
The first case, which became public in 2015, drew nationwide attention for victimizing several Japanese organizations. In this case, the attacker conducts sophisticated attacks through network intrusion and targeting weak points of the organizations.
The second case has been continuously targeting certain Japanese organizations since 2013. Although this case has not drawn as much attention, the attacker has advanced techniques and uses various interesting attack methods.
This presentation will introduce the above two attack operations, including attack techniques we revealed through prolonged investigation, the malware/tools being used, as well as useful techniques/tools for analyzing related malware.

Abdul-Aziz Hariri

Abdul-Aziz Hariri and Brian Gorenc

Abdul-Aziz Hariri
Abdul-Aziz Hariri is a security researcher with Hewlett-Packard Security Research (HPSR). In this role, Hariri analyzes and performs root-cause analysis on hundreds of vulnerabilities submitted to the Zero Day Initiative (ZDI) program, which is the world's largest vendor-agnostic bug bounty program. His focus includes performing root-cause analysis, fuzzing and exploit development.
Prior to joining HP, Hariri worked as an independent security researcher and threat analyst for Morgan Stanley emergency response team. During his time as an independent researcher, he was profiled by Wired magazine in their 2012 article, “Portrait of a Full-Time Bug Hunter”.

Brian Gorenc

Brian Gorenc
Brian Gorenc is the manager of Vulnerability Research with Hewlett-Packard Security Research (HPSR). In this role, Gorenc leads the Zero Day Initiative (ZDI) program, which is the world’s largest vendor-agnostic bug bounty program. His focus includes analyzing and performing root-cause analysis on hundreds of zero-day vulnerabilities submitted by ZDI researchers from around the world. The ZDI works to expose and remediate weaknesses in the world’s most popular software. Brian is also responsible for organizing the ever-popular Pwn2Own hacking competitions.
Prior to joining HP, Gorenc worked for Lockheed Martin on the F-35 Joint Strike Fighter (JSF) program. In this role, he led the development effort on the Information Assurance (IA) products in the JSF’s mission planning environment.

[Binary][PDF][JavaScript] Abusing Adobe Reader’s JavaScript APIs

Adobe Reader’s JavaScript APIs offer a rich set of functionality for document authors. These APIs allow for processing forms, controlling multimedia events, and communicating with databases, all of which provide end-users the ability to create complex documents. This complexity provides a perfect avenue for attackers to take advantage of weaknesses that exist in Reader’s JavaScript APIs.
In this talk, we will provide insight into both the documented and undocumented APIs available in Adobe Reader. Several code auditing techniques will be shared to aid in vulnerability discovery, along with numerous proofs-of-concept which highlight real-world examples. We’ll detail out how to chain several unique issues to obtain execution in a privileged context. Finally, we’ll describe how to construct an exploit that achieves remote code execution without the need for memory corruption.

Bhavna Soman

Bhavna Soman

Bhavna Soman is a Cyber Analyst and Software Developer for Intel Corporation's APT response team. She works at the intersection of Threat Intelligence, Software and Data Analytics. Bhavna has a Masters degree in Information Security from Georgia Tech. Before joining Intel, she was a Threat Analyst at Damballa.

[Binary][APT] Ninja Correlation of APT Binaries

Knowledge and identification of Malware binaries is a crucial part of detection and incident response. There was a time when using MD5s was sufficient to ID binaries. The reverse engineering analysis conducted once would be useful anytime that same MD5 hash was seen again. This has rapidly changed in recent years. Polymorphic samples of the same specimen change the file hash (MD5, SHAx etc) without much effort by the attacker. Also, cyber criminals and advanced adversaries reuse their codebase to create newer versions of their malware, but changes in the file hash disallow any opportunity to connect and leverage previous analyses of similar samples by defenders. This gives them an asymmetric advantage.

In recent years, there has been research into “similarity metrics”― methods that can identify whether, or to what degree, two malware binaries are similar to each other. Imphash, ssdeep and sdhash are examples of such techniques. In this talk, Bhavna will review which of these techniques is more suitable for evaluating similarities in code for APT related samples. This presentation will take a data analytics approach. We will look at binary samples from APT events from Jan- Mar 2015 and create clusters of similar binaries based on each of the three similarity metrics under consideration. We will then evaluate the accuracy of the clusters and examine their implications on the effectiveness of each technique in identifying provenance of an APT related binary. This can aid Incident responders in connecting otherwise disparate infections in their environment to a single threat group and apply past analyses of the abilities and motivations of that adversary to conduct more effective response.

Masaaki Chida

・He has been doing binary analysis as a hobby, while in business he has been investigating vulnerabilities of Web services and mobile apps.
・He has found several vulnerabilities in IDA Pro.
・He has more than a decade of experience in binary analysis.

[Bug Bounty][Binary][Reverse engineering]Participating Cybozu bug bounty

Cybozu Labs, Inc. provides a bug bounty program, where the company pays money as a reward for reporting vulnerabilities in their products and services.
Since these products and services are web applications, many security engineers took web-based approaches to find vulnerabilities.
Meanwhile, noticing some of the products are CGI executables programmed using C and C++, I was able to win the highest amount of bounties in 2014 through a binary analysis approach.
In this talk, I will present the vulnerabilities that I have found and the methods used in order to find them.

Aleksandr Timorin

Aleksandr Timorin & Sergey Gordeychik

Aleksandr Timorin
Aleksandr Timorin, security researcher, author of ICS/SCADA network security toolkits, PLC 0-day hunter.

Sergey Gordeychik

Sergey Gordeychik
Sergey Gordeychik is the Director and Scriptwriter of the Positive Hack Days forum, captain of SCADAStrangeLove.org team and Web Application Security Consortium (WASC) contributor. Industrial cyber-disasters researcher and speaker at S4, CCC, POC, Kaspersky SAS, etc.
The main areas of his work are the development of the enterprise security products and hack stuff. Sergey has developed a number of training courses, including "Wireless Networks Security" and "Analysis and Security Assessment of Web Applications", published several dozens of articles in various titles and a book called "Wireless Networks Security".
MCSE (starting from NT 4.0), CISSP and MVP in Enterprise Security: R&D.

[SmartGrid][SCADA][IoT]Cybersecurity of SmartGrid

Electrical Grid is one of the sophisticated systems humanity ever built. New technologies such as IEC 61850 and Europe-wide initiatives to create continent-wide SmartGrid systems makes it more and more complex.

Our latest research was devoted to the analysis of the threat landscape, architecture and implementation of the modern Smart Grid elements, including relay protection, wind and solar energy generation.

It may seem (not) surprising but the systems which manage huge turbine towers and household PhotoVoltaic plants are not only connected to the internet but also prone to many well known vulnerabilities and low-hanging 0-days. Even if these systems cannot be found via Shodan, fancy cloud technologies leave no chances for security.

In this talk, we summarize our practical experience in security assessment of different components of European SmartGrid technologies: from housekeeping and rooftop PV systems to digital substations. We will release new (but responsibly disclosed) vulnerabilities in SmartGrid components, Cloud SCADA technologies as well as new tools for security assessment of SmartGrid industrial protocols.

Pedro Vilaça

Pedro Vilaça

A leading expert in the field of not being an expert, plays with computers for more than 30 years, holds a degree in Economics and a MBA, writes a somewhat famous OS X related blog, breaks copy protections for fun and profit, annoys HackingTeam, trolls Apple¹s product security policy, loves to solve weird problems, tries to spread some knowledge and write a different bio for each conference. Lately very interested in improving OS X security and malware research. Wrote a long OS X rootkits article for Phrack and finally making that OS X rootkits book a reality.

[EFI][EFI rootkit][OSX]Is there an EFI monster inside your apple?

A few months ago I publicly disclosed an Apple EFI firmware zero day. It was a very powerful bug allowing direct access to the EFI firmware from the operating system. EFI rootkits are some of the most powerful and most interesting rootkits. Because they work at a very low level they can play a lot of tricks to hide themselves from forensics and persist for a long time. EFI monsters are a bit like jaguars, stealthy and rarely seen by humans. This doesn't mean they do not exist. EFI monsters are most certainly part of spy agencies rootkits catalog. Very few tools exist to chase them.

This talk is about introducing you to the EFI world so you can also start to chase these monsters. EFI world might look scary but it's a bit easier than you think and a lot of fun.

Thunderstrike 2 (to be presented at BlackHat) is a fine example of the power of EFI rootkits and the problems they present.

Florian Grunow

Florian Grunow

Florian Grunow is a security analyst at ERNW GmbH in Heidelberg, Germany. He holds a Master of Science degree in computer science with a focus on software engineering and a Bachelor of Science degree in medical computer sciences. He is the team lead of one of the penetration testing teams at ERNW and in addition responsible for the internal education program. His research focus is on the security of medical devices.

[Medical][IoT](In)Security of Medical Devices

The number of high tech medical equipment is increasing in hospitals. We also see a big market for home monitoring. The security of these devices will play a big role in the future. Our research shows that medical devices taking care of critical tasks like anesthesia devices lack basic security mechanisms. This talk has mainly two parts. In one part we discuss the general problem that we are facing with the security of medical devices. The other part will show proof-of-concepts for different attacks and scenarios to even kill a patient in an undetectable way.

In the first part we will provide information about the general problem that we are facing when dealing with security in the field of medical devices. We will show further research already done by other parties. The number of features increase and vendors start to implement network connectivity. We will show that vendors try to shift responsibility for the security of the devices to the hospitals and discuss why hospitals are not the ones who should be responsible for this issue. This part will have a section where we show how medical devices have evolved and what features we will have to use in the near future. In addition we will provide how hackers can get their hands dirty if they want to step into the same research we did.

Masato Kinugawa

Masato Kinugawa

Masato Kinugawa is a full-time professional bug hunter. He has discovered several vulnerabilities of famous web applications and web browsers. He was a speaker at OWASP AppSec APAC 2014, and the second CODE BLUE conference. He was also an instructor at the Security Camp 2015. His favorite vulnerability is XSS.

[Web][IE][XSS]X-XSS-Nightmare: 1; mode=attack XSS Attacks By Abusing the XSS Filter

Microsoft's web browsers, Internet Explorer and Edge, have a feature called 'XSS filter' built in which protects users from XSS attacks. In order to deny XSS attacks, XSS filter looks into the request for a string resembling an XSS attack, compares it with the page and finds the appearance of it, and rewrites parts of the string if it appears in the page. This rewriting process of the string - is this done safely? The answer is no. This time, I have found a way to exploit XSS filter not to protect a web page, but to create an XSS vulnerability on a web page that is completely sane and free of XSS vulnerability. In this talk, I will describe technical details about possibilities of XSS attacks exploiting XSS filter and propose what website administrators should do to face this XSS filter nightmare.

Naohide Waguri

Naohide Waguri

Naohide Waguri joined FFRI in 2013. Before he joined FFRI, he had participated in evaluation of the quality of domestic software and developed network equipment. In the past, he was involved in secure testing and tracking cyber attacks. He is currently working in security of embedded systems as a part of fundamental technology, such as in-vehicle devices.

[Windows][IoT]Threat Analysis of Windows 10 IoT Core and Recommended Security Measures

Windows 10 IoT was released as a platform for IoT.
Windows 10 IoT Core, which is the lightest among Windows 10 IoT, is usable without charge, and can be run on single board computers like Raspberry Pi. So far, Linux-based platforms were considered as the platform for IoT devices, but now there is another option.
We conducted research on security system of Windows 10 IoT Core to judge whether it could be used safely.
We investigated the security design, the security functions, and default services, such as Web, FTP, and SSH, served by this OS. Furthermore, we also analyzed risks of intrusion and malware infection.
As a result of the investigation, like the newest Windows, we found that DEP, ASLR and CFG are also effective as countermeasures for being attacked vulnerabilities that affect the main memory. These countermeasures are not omitted from Windows 10 IoT Core.
On the other hand, we also found some designs and default settings of services and components are insecure.
For example, Windows update is disabled, Windows Firewall is disabled by default settings, Web interface is served on HTTP, and its authentication is basic authentication.
Moreover, we found a problem in the design of the remote debug service. This problem allows an attacker to create any user account and intrude using the web interface or SSH. Therefore, this problem might be abused by worm malware.
Lastly, we will introduce recommended security measures such as disabling unused services, changing settings, enabling the firewall, enabling web interface on HTTPS, etc.

Seungjoo Gabriel Kim

Seungjoo Gabriel Kim

Seungjoo Gabriel Kim (Nick : Pr0xy5kim) is a professor of Department of Cyber Defense at Korea University (KU), a head of SANE (Security Analysis aNd Evaluation) Lab, and a founder/advisory director of a hacker group, HARU and an international security & hacking conference, SECUINSIDE.
- 1999 ~ 2004 : Director of the Cryptographic Technology Team and the (CC-based) IT Security Evaluation Team of the Korea Internet & Security Agency (KISA)
- 2004 ~ 2011 : Assistant & associate professor of Sungkyunkwan University (SKKU)
- B.S.('94), M.S.('96), and Ph.D.('99) in Information Engineering from SKKU.
- A visiting professor of Korea Military Academy, A member of advisory committee of Korean E-Government, National Intelligence Service of Korea, Digital Investigation Advisory Committee of Supreme Prosecutors' Office, Ministry of Justice, KISA(Korea Information Security Agency), and Daum Kakao Corp. etc.
- Homepage : http://www.kimlab.net
- Facebook & Twitter : skim71

[Education] [Community] How South Korea Invests in Human Capital for Cyber-Security

In Korea, cyber warfare has become real, not a virtual one. North Korea continues to expand its cyber warfare capabilities.
South Korean National Intelligence Service (NIS, Korean CIA) officially reported 75,472 cyberattacks launched against the government and public agencies from 2010 until October 2014. Additionally, the NIS's National Cyber Security Center reported that North Korea attempts millions of indiscriminate cyber-attack attempts on government agencies and private corporations in South Korea.
The NIS believes that North Korean General Bureau of Reconnaissance, specifically Unit 121, dedicates more than 6,000 full-time hackers who create malicious computer codes. This estimate, which was echoed by the South Korean Ministry of Defense in a white paper released in January 2015, is double the estimated figure previously released by the NIS in 2013. According to claims by North Korean defectors, the North Korean government began to focus on its cyber capabilities as an attempt to develop its asymmetric warfare in the 1990s, when economic hardships put strains on its conventional military assets. At that time, Mirim University - since renamed Pyongyang Automation University - was opened to train hackers in electronic warfare tactics.
To narrow the gap with the North, recently South Korean government has been devoting itself to raise more cyber security experts. In this talk I will talk how our government invests in human capital for cyber-security. Especially, I will focus on the training programs of , , and , all of which play the central role for bring up security experts. Aside from state-run programs, I will give a talk about private sector’s effort to train white-hat hackers (for example, SECUINSIDE of , CODEGATE of , POC of , , , etc).
Given that a variety of training programs are underway to secure more security and hacking experts, we seems to be making progress. For example, , the team comprised of students from Korea University and the Korea-based IT security solution provider RAONSECURE, won the TOP prize at the ‘DEFCON CTF 23’! However, we have problems that still needs to be solved. I will also point out these.

Yuma Kurogome

Yuma Kurogome

He is an undergraduate student at Keio University and (most young) lecturer at Security Camp 2015.
He has made a profound study of reverse engineering at several security companies and CTFs.
Now he is interested in automated malware analysis using dynamic binary instrumentation, taint analysis, and symbolic execution.

[Fuzzy hash][Binary][Dynamic analysis] PANDEMONIUM: Automated Identification of Cryptographic Algorithms using Dynamic Binary Instrumentation and Fuzzy Hashing

Malware utilize many cryptographic algorithms.
To fight against malware, analysts have to reveal details on malware activities.
Accordingly, it is important to identify cryptographic algorithms used in malware.
In this track, I propose a faster and extensible method to automatically detect known cryptographic algorithms in malware using dynamic binary instrumentation and fuzzy hashing.

Yuki Koike

Yuki Koike

Yuki Koike is a student at Nada High School in Japan.
At the age of 13, he participated in "Security Camp 2012", a camp-style training program organized by IPA (Japan’s Information-technology Promotion Agency), which led him to start learning exploitation technology.
Since then, he has been competing in CTFs to train himself and finally formed the CTF team binja in 2014.
His team binja competed as finalists for the DEF CON CTF in Las Vegas and recently he won first place for the CODEGATE CTF Juniors competition in Korea.
Now his interest shifts from the vulnerabilities of the fantasy world to that of the real and he is studying low-level software security and exploit automation.

[Binary]Master Canary Forging: A new exploitation method to bypass stack canaries

Stack Smashing Protection(SSP) is one of the oldest and fundamental protections against exploits, and is now supported by most compilers and modern operating systems.
One technique for SSP is using stack canaries, which verify if a stack buffer has been overflown by checking the integrity of a value stored immediately after the buffer.
Previously, the main methods to bypass stack canaries were to exploit different vulnerabilities to either avoid the canary validation completely, or to provide the correct canary value by leaking the value.
In this talk I will propose a new technique to bypass stack canaries in SSP which takes a different approach from the previous two methods.

Sung-ting Tsai (TT)

Sung-ting Tsai (TT) & Chi-en Shen (Ashley)

Sung-ting Tsai (TT)
Sung-ting (TT) is the CEO of Team T5 Research. They monitor, analyze, and track cyber threats throughout the Asia Pacific region. They have much experience on incident response and helping people to solve cyber attack issues. His major areas of interest include document exploit, malware, sandbox technologies, system vulnerability and protection. He especially is interested in new vulnerabilities in new technologies, and frequently presents the team's research at security conferences around the world.
TT is also the organizer of HITCON, the largest hacker community and security conference in Taiwan.

Chi-en Shen (Ashley)

Chi-en Shen (Ashley)
Chi-en Shen (Ashley) is senior threat analyst at Team T5 Research. Her major areas of research include malicious document, malware analysis and Advance Persistence Threat (APT). She is in charge of campaign tracking in the team and has been tracking several cyber espionage groups for years. During her MSc, she design and implement a flexible framework for malicious open XML document detection against APT attacks.
Ashley is also a core member and speaker of HITCON GIRLS, the first security community for women in Taiwan.

[APT] [Community]Failures of security industry in the last decade - Lessons learned from hundreds of cyber espionage breaches

Cyber espionage attacks have been aware of for around 10 years. Security vendors keep inventing new technology to defend against attack. Many solutions look fancy, however breaches keep happening. People spent a lot of budget to improve their fences, but the effectiveness of these security products remains doubtful. In Taiwan, we have more than 10 years history with cyber espionage attacks. Government, enterprises, and security vendors were fighting hard with threat actors, but new victims still got compromised day by day.
In recent years, a lot of Japanese government agencies, defense industry, enterprises are suffering from cyber attacks from cyber espionage groups. We keep seeing breaches and incidents from news. We believe many victims still have no good strategy to defend and control the situation.
In this talk, cyber espionage attacks in the last decade would be discussed from Asia Pacific region’s point of view. We’ll discuss why security solutions didn’t work, how actors easily bypassed those fancy solutions and adopted countermeasures quickly with very low cost. Besides, according to our incident response’s experience for hundreds times and consulting to help victim for several years, we will try to propose a design of security model to prevent, detect, react, and remediate cyber espionage threats.

Travis Carelock

Travis Carelock

Travis is currently working as an engineer on the Security Team at SoundCloud. In previous roles, he has served as the Technical and Content Director for the Black Hat Conference Series, and Sr. Systems Administrator for the Louisiana Department of Justice. He enjoys thinking about defense, as well as building tools and systems that helps him and his team sleep a bit better at night.

[Network][DevOps]Practical network defense at scale Or: Protecting the “Eierlegende Wollmichsau“

The modern web-scale network is a pretty complicated place. Modern techniques in Systems Management have made it trivial to create, destroy and repurpose any number of instance types. These instances can span the range from bare metal machines sitting in a datacenter, to 3rd party virtual machines on demand, and now these new containers and microservices seem to be all the rage. Instances are cattle, they are no longer pets. All of this perpetual churn and flexibility is exactly what you want in a constantly changing, highly available, and efficient infrastructure. The ability to create or destroy nodes on demand, or continuously and automatically scale up, down, and re-deploy applications as part of a continuous integration pipeline, have become necessary and an integral part of daily operations. However these systems can generate terabytes of network logs a day. And if your job is detecting, correlating, and alerting on the correct anomaly in all that data, the analogy of the needle in the haystack really doesn’t do it justice, something closer would be akin to finding a needle in the windstorm. How do you begin to collect, store, analyze, and alert on this much data without costing the company a small fortune? What are some practical steps you can take to reduce your overall risk and begin to gain more insight, visibility, and confidence into what is actually taking place on your network? This talk aims to give the attendee a solid understanding of the problem space, as well as recommendations and practical advice from someone who built their own ‘big data’ network and security monitor. It really is easier than it sounds.