LECTURES OF PAST

JEFF MOSS

JEFF MOSS

Founder of Black Hat & DEF CON. Chief Security Officer, ICANN, Advisor at the U.S. Department of Homeland Security Advisory Council. Known for bridging the hacker community with government agencies and has presented at numerous international security conferences and other world renown media conferences. Member of Council on Foreign Relations.

Keynote: Code Blue in the ICU!
- Thinking about network safety in a public health light

Thinking about network safety in a public health light.

SLIDE SHARE

CHRIS EAGLE

CHRIS EAGLE

Chris Eagle is a Senior Lecturer of Computer Science at the Naval Postgraduate School (NPS) in Monterey, CA. A computer engineer/scientist for 28+ years, his research interests include computer network operations, forensics and reverse engineering. He has been a speaker at conferences such as Black Hat, Defcon, Infiltrate, and Shmoocon and is the author of "The IDA Pro Book", the definitive guide to IDA Pro. He is a multiple winner of the Defcon Capture the Flag Competition and was the organizer of that competition from 2009-2012. He is currently working with DARPA to build their Cyber Grand Challenge competition.

Keynote:CTF: All the Cool Kids are doing it

The past decade has seen a proliferation of network security games euphemistically known as "Capture the Flag" exercises. The fun of participating in these exercises is well known to those who choose to play. These exercises expose participants to new challenges, offer them the chance to meet new people with similar interests, build "street cred" and increasingly, offer significant prizes. Perhaps most significantly, when done properly, these exercises offer a considerable opportunity to spark interest in the computer security field in the next generation of computing professionals. This talk will take a look at the challenges of using such exercises as training or evaluation opportunities and will consider how to improve our ability to do so.

SLIDE SHARE

SEOK-HA LEE

SEOK-HA LEE (wh1ant)

A member of 'Wiseguys' team, which is a hacking crew in South Korea. When He was a kid, he started getting into software developments, and as time went by, he got interested in security research. In 2011, he started working in a company, doing security research with linux kernel module development to create a security solution. He has found multiple vulnerabilities and talked about security-related topics in Korean conferences. He has also organized and helped various CTF competitions in Korea as challenge-maker with exploitation challenges.

various tricks for remote linux exploits

Modern operating systems include hardened security mechanisms to block exploit attempts. ASLR and NX (DEP) are two examples of the mechanisms that are widely implemented for the sake of security. However, there exists ways to bypass such protections by leveraging advanced exploitation techniques. It becomes harder to achieve code execution when the exploitation originates from a remote location, such as when the attack originates from a client, targeting server daemons. In such cases it is harder to find out the context information of target systems and, therefore, harder to achieve code execution. Knowledge on the memory layout of the targeted process is a crucial piece of the puzzle in developing an exploit, but it is harder to figure out when the exploit attempt is performed remotely. Recently, there have been techniques to leverage information disclosure (memory leak) vulnerabilities to figure out where specific library modules are loaded in the memory layout space, and such classes of vulnerabilities have been proven to be useful to bypass ASLR. However, there is also a different way of figuring out the memory layout of a process running in a remote environment. This method involves probing for valid addresses in target remote process. In a Linux environment, forked child processes will inherit already randomized memory layout from the parent process. Thus every client connection made to server daemons will share the same memory layout. The memory layout randomization is only done during the startup of the parent service process, and not randomized again when it is forking a child process to handle client connections. Due to the inheritance of child processes, it is possible to figure out a small piece of different information from every connection, and these pieces can be assembled later to get the idea of a big picture of the target process's remote memory layout. Probing to see if a given address is a valid memory address in context of the target remote process and assembling such information together, an attacker can figure out where the libc library is loaded on the memory, thus allowing exploits to succeed further in code execution. One might call it brute force, but with a smart brute forcing strategy, the number of minimal required attempts are significantly reduced to less than 10 in usual cases. In this talk, we will be talking about how it is possible to probe for memory layout space utilizing a piece of code to put the target in a blocked state, and to achieve stable code execution in remote exploit attempt scenarios using such information, as well as other tricks that are often used in remote exploit development in the Linux environment.

SLIDE SHARE

DAI SHIMOGAITO

DAI SHIMOGAITO

CEO of Osaka Data Recovery Founded in 1998. Director of Data Recovery Association Japan.Wanting to perfect data recovery methods conducts research and information exchange with engineers domestically and internationally.
・Trainings : Data Recovery Trainings for NPA and IDF Seminars etc.,
・Lectures : Digital Forensic Study Groups, NTT Secure Platform Laboratories, and privately for companies and governments

Preventing hard disk firmware manipulation attack and disaster recovery

In this talk I will explain strategies prior to and after a hard disk has lost its ability to be used as a storage device due to human manipulation or natural disaster that will allow a high possibility of data recovery. The clicking sound of the hard disk's head is synonymous with hard disk failure , however its is not widely know that this clicking sound can happen even when there is nothing wrong with the head. Changing the hard disk's head merely because it is acting up is a very risky action because it can increase the dangers of damaging the clean insides of a hard disk. So what is causing the hard disk's head clicking sound? The answer is a damaged firmware. At this talk I will explain how to utilize the firmware to control the device and use in a disaster recovery situation.

SLIDE SHARE

YUUHEI OOTSUBO

YUUHEI OOTSUBO

Started to be interested in programming around 1987.
2005 Employed by the National Police Agency.
2007 National Police Agency Public Safety Information Technology Counter Crime Division.
2001 National Police Agency Information Communication Division Information Technology Analysis Division.
2012 Assigned to The National Information Security Center.

o-checker : Malicious document file detection tool
- Malicious feature can be detected based on file size

In the targeted email attacks, it is often used the documentation file embedded with the execution files. To detect this kind of malicious documentation file, researching with the malcode detection approach has been focused. However, because the attacker can write the arbitrary code, thus it is always behind of the attacker to find the unknown malcode by focusing the traditional malcode detection methods.

In this talk I will introduce a different analytical approach compared to the more traditional malcode detection approach to detecting targeted email attacks by focusing on structural analysis of file formats. I will explain the ability to detect malware solely on file size and introduce o-checker which has implemented a general detection method that does not rely on the content of malicious code.

SLIDE SHARE

IGOR SKOCHINSKY

IGOR SKOCHINSKY

Igor Skochinsky is currently one of the main developers of the world-famous Interactive Disassembler and Hex-Rays Decompiler. Even before joining Hex-Rays in 2008 he had been interested in reverse engineering for a long time and had brief periods of Internet fame after releasing a dumper for DRM-ed iTunes files (QTFairUse6) and hacking the original Amazon Kindle. He spoke previously at Recon, Breakpoint and Hack.LU.

Secret of Intel Management Engine

Intel Management Engine ("ME") is a dedicated microcontroller embedded in all recent Intel motherboard chipsets. It works independently from the main CPU, can be active even when the rest of the system is powered off, and has a dedicated connection to the network interface for out-of-band networking which bypasses the main CPU and the installed OS. It not only performs the management tasks for which it was originally designed, but also implements features such as Intel Identity Protection Technology (IPT), Protected Audio-Video Path, Intel Anti-Theft, Intel TPM, NFC communication and more. There is not much info available about how exactly it works, and this talk aims to fill the gap and describe the low-level details.

SLIDE SHARE

CHRIS VALASEK

CHRIS VALASEK

Christopher Valasek is the Director of Security Intelligence at IOActive, an industry leader in comprehensive computer security services. Valasek specializes in offensive research methodologies with a focus in reverse engineering and exploitation. Valasek is known for his extensive research in the automotive field and his exploitation and reverse engineering of Windows. Valasek is also the Chairman of SummerCon, the nation’s oldest hacker conference. He holds a B.S. in Computer Science from the University of Pittsburgh.

The Current State of Automotive Security

Automotive computers, or Electronic Control Units (ECU), were originally introduced to help with fuel efficiency and emissions problems of the 1970s but evolved into integral parts of in-car entertainment, safety controls, and enhanced automotive functionality. This presentation will examine some controls in two modern automobiles from a security researcheris point of view. We will first cover the requisite tools and software needed to analyze a Controller Area Network (CAN) bus. Secondly, we will demo software to show how data can be read and written to the CAN bus. Then we will show how certain proprietary messages can be replayed by a device hooked up to an ODB-II connection to perform critical car functionality, such as braking and steering. Finally, weill discuss aspects of reading and modifying the firmware of ECUs installed in todayis modern automobile.

SLIDE SHARE

KENJI TODA

KENJI TODA

At the National Institute of Advanced Industrial Science and Technology conducted research and development of 30 Gbps intrusion detection systems , 60 Gbps URL filtering systems and or network devices testing equipment for such systems. Currently co-developing security barrier devices with the Research and Development Control System Security Center. (Presented at international conferences regarding MST and real-time systems)

A Security Barrier Device That Can Protect Critical Data Regardless of OS or Applications by Just Installing It.

A Security Barrier Device protects PC and other control devices by relaying every port between the motherboard and the peripherals. The SBD is totally transparent from the PC and can be installed regardless of OS or application. At this presentation I will discuss the storage securing function achieved by the SBD relaying the SATA port.The SBD has a security information disk only accessible to itself where it stores the access privilege information of the original disk in the PC. When the PC issues a data access request to the original disk, the SBD will reference the access privileges of that particular sector, if the sector is read-deny then returns dummy data of 0 , if the sector is write-deny then it won’t write to that sector. The SBD not only allows for sector based protection but also a file based protection. In case of a file write-deny, there were some issues with the disc related cache in memory not being synchronised or the pointer’s position to the file in regards to its directory being shifted , but I will show how it was solved.I will also talk about the fact that a SBD is an effective protection against any malware that attempts to manipulate the boot data sector or system files, once it detects any access right violations it can shutdown the ethernet port remotely and thwart the spreading of malware.

SLIDE SHARE

YUKIHISA HORIBE

YUKIHISA HORIBE

Panasonic Corporation Analysis Cente
Panasonic PSIRT member.
Over 10 years of experience in vulnerability research and risk analysis regarding networked household appliances and embedded systems.

Networked Home Appliances and Vulnerabilities.

A decade has passed since the introduction of network enabled home appliances into the market. Every year these appliances advance in functionality and inter device integrations, such as the integration with cell phones/smart phones , service servers/ cloud services and more. This has lead to a significant increase in the information and value that the network enabled house hold appliances handle. Under such circumstances a vulnerability in the house hold appliance could be leveraged to gain access to other devices and information. In this presentation I will present whether such risks can be actualised and the changes of functionality and vulnerabilities in network enabled house hold appliances,looking at those changes from a user's and developer'sperspective.

SLIDE SHARE

YOU NAKATSURU

YOU NAKATSURU

You 'Tsuru' Nakatsuru, CISSP is a "just married" Information Security Analyst of Analysis Center at JPCERT/CC (Japan Computer Emergency Response Team Coordination Center) since April 2013.
His primary responsibilities are to analyze malware abused in highly sophisticated cyber attacks, along with R&D on advanced counter malware technologies and cutting-edge incident handling methods. He also takes an active role in capacity building for junior malware analysts.

Fight Against Citadel in Japan

Lately in Japan the malware Citadel has been implicated in multiple internet banking unauthorised transaction incidents.
Citadel is a type of malware much like the Zeus known as banking trojans. When the malware successfully infects the users environment it utilises special functions called Web Injects to alter the website displayed in the end users computer to steal login credentials for internet banking sites.
To handle Citadel infection incidents, it is necessary to clarify whatsettings and what servers the Citadel malware uses and communicates totherefore its essential to have an in-depth knowledge of Citadel and to conduct research on the files left by Citadel. In this presentation I will present my findings on doing detailed analysis on Citadel and introduce data transmission reconstruction and file reconstruction tools which have been created to handle Citadel incidents.

SLIDE SHARE

MASAAKI CHIDA

MASAAKI CHIDA

TBA

DA Vulnerabilities and Bug Bounty

IDA Pro is an advanced disassembler software and often used in vulnerability research and malware analysis. IDA Pro is used to analyse software behavior in detail, if there was a vulnerability and the user is attacked not only can it have impact in a social sense but also impact legal proceedings. In this presentation I will discuss the vulnerabilities found and attacks leveraging the vulnerabilities and Hex-rays's remediation process and dialogue I had with them.

SLIDE SHARE

TOMOYUKI SHIGEMORI

TOMOYUKI SHIGEMORI

Tomoyuki Shigemori is an Information Security Analyst of Watch and Warning Group at JPCERT/CC (Japan Computer Emergency Response Team Coordination Center).
His expertise lies in information gathering and providing early warnings on cyber threats to relevant organizations including governmental entities and infrastructures.
He has delivered presentations in many conferences such as Open Source Conference 2013, Enterprise and Parallels Summit 2013 Japan. He has also contributed as a coauthor in publishing “How to protect your business from cyber attacks (NTT Publishing)” and some other books.

HTML5 Security & Headers
- X-Crawling-Response-Header -

HTML 5 enables data storage within the website visitor’s browser , bidirectional communication between the client and server, the gathering of location information all of which allow for a highly usable website however all of these new technologies can also be leveraged by malicious actors and the impact that this will affect the visitors to the site are not being fully discussed or researched and there is a significant danger that the technology will be widely adapted without sufficient security precautions.
At JPCERT/CC we have issued a report titled “Security issues and findings regarding web applications using HTML 5.” In this report we outline items that should be considered in the development of web application using HTML5 and security issues that arise when transitioning web applications to HTML 5. The goal of the report is to disclose all our findings in an organised fashion and enable web security researchers and web application developers to have a basic foundational document.
In this presentation I will present based on the report and through demos, security issues to consider when developing web applications using HTML 5. Also I will present our findings regarding the current state of security of HTML 5 usage based on the data of 95000 website’s response headers.

SLIDE SHARE

CELIL UNUVER

CELIL UNUVER

Celil Unuver is co-founder & security researcher of SignalSEC Ltd. He is also founder of NOPcon Security Conference. His areas of expertise include Vulnerability Research & Discovery, Exploit Development, Penetration Testing and Reverse Engineering. He has been a speaker at CONFidence, Swiss Cyber Storm, c0c0n, IstSec, Kuwait Info Security Forum. He enjoys hunting bugs and has discovered critical vulnerabilities affect well-known vendors such as Adobe, IBM, Microsoft, Novell etc.

SCADA Software or Swiss Cheese Software?

The talk is about SCADA vulnerabilities and exploiting. We will answer some specific questions about SCADA software vulnerabilities with technical details.

The questions are;
- Why are SCADA applications buggy?
- What is the status and impact of the threat?
- How do researchers or hackers discover these vulnerabilities?

In this talk we will also look at some SCADA vulnerabilities that affects well-known SCADA/HMI vendors, and will show how it's easy to hunt these vulnerabilities via reverse engineering , fuzzing etc.

SLIDE SHARE

NICK GALBREATH

NICK GALBREATH

Nick Galbreath is Vice President of Engineering at IPONWEB, a world leader in the development of online advertising exchanges. Prior to IPONWEB, his role was Director of Engineering at Etsy, overseeing groups handling security, fraud, security, authentication and other enterprise features. Prior to Etsy, Nick has held leadership positions in number of social and e-commerce companies, including Right Media, UPromise, Friendster, and Open Market. He is the author of ""Cryptography for Internet and Database Applications"" (Wiley). Previous speaking engagements have been at Black Hat, Def Con, DevOpsDays and other OWASP events. He holds a master's degree in mathematics from Boston University and currently resides in Tokyo, Japan.

In 2013
- LASCON http://lascon.org/about/,
  Keynote Speaker Austin, Texas USA,
- DevOpsDays Tokyo, Japan
- Security Development Conference (Microsoft),
   San Francisco, CA, USA
- DevOpsDays Austin, Texas, USA
- Positive Hack Days http://phdays.com, Moscow Russia
- RSA USA, San Francisco, CA, speaker and panelist

In 2012
- DefCon
- BlackHat USA
- Others

libinjection: from SQLi to XSS

libinjection was introduced at Black Hat USA 2012 to quickly and accurately detect SQLi attacks from user inputs. Two years later the algorithm has been used by a number of open-source and proprietary WAFs and honeypots. This talk will introduce a new algorithm for detecting XSS. Like the SQLi libinjection algorithm, this does not use regular expressions, is very fast, and has a low false positive rate. Also like the original libinjection algorithm, this is available on GitHub with free license.

SLIDE SHARE

SPONSORS

EMERALD SPONSORS :

DIAMOND SPONSORS :

PLATINUM SPONSORS :

GOLD SPONSORS :

SILVER SPONSORS :

BRONZE SPONSORS :