SPEAKERS (To Be Updated)

Patrick O’Keeffe

Patrick O’Keeffe

Patrick O'Keeffe is a German Navy Officer currently serving as NATO Legal Advisor at the Centre of Excellence for Operations in Confined and Shallow Waters (COE CSW). An aerospace engineer specialized in astrodynamics and satellite operations, and a former military aviator, Patrick O'Keeffe's is working in a multidisciplinary environment focusing on the impact of disruptive technologies on the strategic transformation. As the managing director of AMC Solutions, Patrick O’Keeffe is advising NGOs, GOs, IGOs, and companies on aerospace, maritime, and cyber strategy and policy.

Keynote: Sovereignty in Cyber Space

Threats in cyber space rise constantly. The rapid expansion of information and communication technology (ICT) has unintentionally created gaps in security policy across the globe. Moreover, reliance on the benefits of cyber technologies, as well as protecting against its vulnerabilities, presents a security challenge across several domains, agencies, and national-level processes. However, no global consensus exists regarding terminology or strategic considerations. The overarching goal of a Cyber Security Strategy is to ensure the integrity of sovereignty in cyber space and beyond. Other than on land, in the air, in space, or at sea, in cyber space the territory of a state cannot be defined by geographic coordinates or physical limits. Therefore, a comprehensive Cyber Security Strategy must include a multidimensional and multidisciplinary approach to ensure cyber operations will protect sovereignty. Patrick O’Keeffe will give an overview and introduction to the global challenges in a cross domain environment.

George Hotz

George Hotz

George Hotz first became known at 17 when he developed a procedure to unlock the original iPhone. Then the PS3. Then the Chromebook. But it's time to build. AI, the final frontier. Start simple. Just self driving cars. He is founder and CEO of comma.ai, building and open sourcing aftermarket, user installable, self driving kits.

Keynote: Make your car self-driving using open-source software

Come hear about open sourcing your car and why self-driving cars need nothing but engineers in order to solve it.

Abdul-Aziz Hariri

Abdul-Aziz Hariri , Jasiel Spelman, Brian Gorenc

Abdul-Aziz Hariri
Abdul-Aziz Hariri is a security researcher with the Zero Day Initiative program. In this role, Hariri analyzes and performs root-cause analysis on hundreds of vulnerabilities submitted to the Zero Day Initiative (ZDI) program, which is the world's largest vendor-agnostic bug bounty program. His focus includes performing root-cause analysis, fuzzing and exploit development. Prior to joining ZDI, Hariri worked as an independent security researcher and threat analyst for Morgan Stanley emergency response team. During his time as an independent researcher, he was profiled by Wired magazine in their 2012 article, Portrait of a Full-Time Bug Hunter. In 2015, Abdul was part of the research team that submitted "Breaking Silent Mitigations - Gaining code execution on Isolated Heap and MemoryProtection hardened Internet Explorer" to the Microsoft bounty program. Their submission netted the highest payout to date from the Microsoft bounty program where the proceeds went to many STEM organizations. Twitter: @abdhariri

Jasiel Spelman

Jasiel Spelman
Jasiel Spelman is a vulnerability analyst and exploit developer for the Zero Day Initiative (ZDI) program. His primary role involves performing root cause analysis on ZDI submissions to determine exploitability, followed by developing exploits for accepted cases. Prior to being part of ZDI, Jasiel was a member of the Digital Vaccine team where he wrote exploits for ZDI submissions, and helped develop the ReputationDV service from TippingPoint. Jasiel's focus started off in the networking world but then shifted to development until transitioning to security. He has a BA in Computer Science from the University of Texas at Austin. Twitter: @WanderingGlitch

Brian Gorenc

Brian Gorenc
Brian Gorenc is the director of Vulnerability Research with Trend Micro. In this role, Gorenc leads the Zero Day Initiative (ZDI) program, which represents the world’s largest vendor-agnostic bug bounty program. His focus includes analyzing and performing root-cause analysis on hundreds of zero-day vulnerabilities submitted by ZDI researchers from around the world. The ZDI works to expose and remediate weaknesses in the world’s most popular software. Brian is also responsible for organizing the ever-popular Pwn2Own hacking competitions. Twitter: @MaliciousInput

[VMware][Exploit Development][Vulnerability Research][Fuzzing] For the Greater Good: Leveraging VMware's RPC Interface for fun and profit

Virtual machines play a crucial role in modern computing. They often are used to isolate multiple customers with instances on the same physical server. Virtual machines are also used by researchers and security practitioners to isolate potentially harmful code for analysis and review. The assumption being made is that by running in a virtual machine, the potentially harmful code cannot execute anywhere else. However, this is not foolproof, as a vulnerability in the virtual machine hypervisor can give access to the entire system. While this was once thought of as just hypothetical, two separate demonstrations at Pwn2Own 2017 proved this exact scenario.
This talk details the host-to-guest communications within VMware. Additionally, the presentation covers the functionalities of the RPC interface. In this section of the presentation, we discuss the techniques that can be used to record or sniff the RPC requests sent from the Guest OS to the Host OS automatically. We also demonstrate how to write tools to query the RPC Interface in C++ and Python for fuzzing purposes.
Finally, we demonstrate how to exploit Use-After-Free vulnerabilities in VMware by walking through a patched vulnerability.

Anton Cherepanov

Anton Cherepanov, Róbert Lipovský

Anton Cherepanov
Anton Cherepanov is currently working at ESET as Senior Malware Researcher; his responsibilities include the analysis of complex threats. He has done extensive research on cyber-attacks in Ukraine. His research was presented on numerous conferences, including Virus Bulletin, CARO Workshop, PHDays, and ZeroNights. His interests focus on reverse engineering and malware analysis automation.

Róbert Lipovský

Róbert Lipovský
Róbert Lipovský is Senior Malware Researcher in ESET’s Security Research Laboratory, with 10 years’ experience with malware research. He is responsible for malware intelligence and analysis and leads the Malware Research team in ESET’s HQ in Bratislava. He is a regular speaker at security conferences, including Black Hat, Virus Bulletin, and CARO. He runs a reverse engineering course at the Slovak University of Technology, his alma mater and the Comenius University. When not bound to a keyboard, he enjoys sports, playing guitar and flying an airplane.

[Industroyer][CrashOverride][Industrial Control Systems security][power grid black-out][Ukraine][potential global impact]Industroyer: biggest threat to industrial control systems since Stuxnet

Industroyer is the first ever malware specifically designed to attack power grids. This unique and extremely dangerous malware framework was involved in the December 2016 blackout in Ukraine. What sets Industroyer apart from other malware targeting infrastructure, such as BlackEnergy (a.k.a. SandWorm), is its ability to control switches and circuit breakers directly via 4 different industrial communication protocols.
In addition to explaining why Industroyer can be considered the biggest threat to industrial control systems since the infamous Stuxnet worm, we will take a look at the 2016 power outage in the context of the other numerous cyberattacks against Ukrainian critical infrastructure in the recent years.
As the protocols and hardware targeted by Industroyer are employed in power supply infrastructure, transportation control systems, and other critical infrastructure systems, like water and gas, worldwide, the malware can be re-purposed to target vital services in other countries. This discovery should serve as a wake-up call for those responsible for security of these critical systems.

Di Shen

Di Shen

Di Shen (@returnsme) is a Sr. Security Researcher of Keen Lab (@keen_lab), focusing on Android kernel exploitation and vulnerability hunting since 2014. These years he has found several critical vulnerabilities in Android's kernel and TrustZone and successfully developed exploits for them.

[0 days][Android kernel][Local privilege escalating][Exploit development]The Art of Exploiting Unconventional Use-after-free Bugs in Android Kernel

In this talk, we are going to disclose two unconventional Use-after-free kernel bugs on Android we found last year, and introduce the new techniques we used to make these exploits 100% reliable.

The first bug is CVE-2017-0403, which we used to gain root privilege on almost all devices shipped with 3.10 or earlier Linux kernel last year. So far more than 14 million users have successfully rooted their smartphones with this exploit. With this vulnerability, an attacker only can overwrite the freed object at a fixed offset with a pointer to object itself. How to achieve kernel code execution with this bug can be very challenging.To solve the problem, we propose a new method which is using iovec to re-fill the freed object and compromising the pipe subsystem in kernel.In this way we can covert this unusual memory corruption to arbitrary kernel memory overwriting.
The second bug is CVE-2016-6787. The bug is an UAF due to race condition, may corrupt a critical kernel structure, and lead to the kernel crash when scheduler switched context back to attacker's process. So we'll introduce a way to freeze the attacker's process soon after UAF happened ,stop kernel from crashing, and make the exploit reliable.
In summary, this presentation gives out the new techniques of exploiting use-after-free bugs we just found in Android kernel. The ideas of exploitation are fresh, detail of bugs is also never discussed before.

Haoqi Shan

Haoqi Shan, Qing Yang

Haoqi Shan
Haoqi Shan, UNICORNTEAM, 360 TECHNOLOGY. Haoqi Shan is currently a senior wireless security researcher in Unicorn Team. He focuses on Wi-Fi penetration, GSM system, embedded device hacking, building hacking tools, etc. He made serial presentations about Femto cell hacking, RFID hacking and LTE devices hacking on Defcon, Cansecwest, Syscan360 and HITB, etc.

Qing Yang

Qing Yang
Qing Yang is the founder of UnicornTeam & Radio Security Research Department in 360 Technology. He has rich experiences in information security area. He presented at Black Hat, DefCon, CanSecWest, HITB, Ruxcon, POC, XCon, China ISC etc.

[NFC][MITM][Hacking Tool]Man in the NFC

NFC (Near Field Communication) technology is widely used in security, bank, payment and personal information exchange field now, which is highly well-developed. Corresponding, the attacking methods against NFC are also emerged in endlessly. What if we want to “steal” from someone’s EMV. QuickPass, VisaPay bank card without “get” his wallet? To solve this problem, we build a hardware tool which we called “UniProxy”. This tool contains two self-modified high frequency card readers and two radio transmitters, which is a master-salve way. The master part can help people easily and successfully read almost all ISO 14443A type cards no matter what kind of this card is, bank card, ID card, Passport, access card, or whatever, no matter what security protocol this card uses, as long as it meets the ISO 14443A standard, meanwhile replaying this card to corresponding legal card reader via slave part to achieve our “evil” goals. The master and slave communicates with radio transmitters and can be part between 50 – 200 meters.

Hiroaki Sakai

Hiroaki Sakai

FUJITSU LIMITED NETWORK SERVICES BUSINESS UNIT Fujitsu Security Meister (High Master Area), Security & Programming Camp (Current Security Camp) Instructor, SECCON Executive Committee, SecHack 365 Executive Council Committee, Program Committee for Workshop on Critical Software System, Personal Event Exhibition and many seminar talk, one of assembler Tanka Rokkasen(six major poets), binary karuta creator, free software creation, information dissemination by personal homepage (http://kozos.jp/), Professional Engineer (Information Engineering).
I made my own embedded OS "KOZOS" operating on an inexpensive microcomputer board as a hobby programming, and made boot loader, simple multitasking kernel, device driver, simple TCP / IP stack, simple web server, debugger correspondence, simulator correspondence etc Implementation, operate web server by full scratch software.
Also released as open source software, exhibit at various events · Podium (open source conference etc).
A majority of books / articles writing, masterpiece is "Introduction to self-made OS built-in in 12 steps" "Linker · Roda practical development technique" "Great hot blood! Introduction to assembler" "Hello" Hello, World "OS and standard library librarian and mechanism".

[embedded system][remote debug][debugger][debug stub]Possibility of arbitrary code execution by Step-Oriented Programming

An embedded system has a stub to connect with a host PC and debug a program on the system remotely. A stub is an independent control program that controls a main program to enable debugging by a debugger. A stub is simplified by only processing the simple controls such as reading or writing of the register or of a memory, and a debugger processes a complicated analysis on the host PC.
Communication with a debugger on the host PC and a stub on the embedded system is performed by a protocol called Remote Serial Protocol (RSP) over a serial communication or TCP/IP communication. If this communication is taken away, it becomes possible to operate a stub arbitrarily. We considered what kind of attack possibility there was in that case, and identified that execution of arbitrary code constructed from pieces of machine code, combined with (SOP: Step-Oriented Programming) is possible by repeating step execution while changing the value of the program counter. Therefore it is possible to construct an arbitrary code and execute it from existing machine code, even if execution of the injected machine code is impossible because execution on data area is prevented by DEP or only machine code on the flash ROM are allowed execution.
I will explain about an attack principle by SOP and the results from constructed attack code and actual inspection.

Muneaki Nishimura

Muneaki Nishimura

Senior Security Engineer at Recruit Technologies Co., Ltd. He was a security consultant for a Japanese mobile phone manufacturer and moved to this current role in 2016. One of his main responsibilities is preventing security incidents within Recruit Group. In April 2017, they launched the first red team “RECRUIT RED TEAM” at a Japanese non-security company. His hobby is finding browser vulnerabilities and was translation supervisor for the book “Browser Hack”. He was a speaker at CODE BLUE 2015, PacSec 2016, and Internet Week 2016. He is an instructor for Security Camp National Finals since 2014.

[Vulnerability][IT Asset Management software](In)Security of Japanese IT Asset Management Software

In the Spring 2017, news that an IT asset management software vulnerability was exploited by cyber attackers outside Japan made headlines in TV and national newspapers. IT asset management software is used to protect companies from employees attempting to steal internal information and is deployed on to each employees’ client machine by their IT administrator. Many of the software allow IT administrators to execute code on the employees’ machines, and allows remote control of the machines as well. According to the news, the attackers were able to spoof the IT administrator’s communication and executed a malicious code on the client machine. There are several other famous Japanese IT asset management software other than the one exploited by the attack. There are even software that advertise as “secure” because it has been used by thousands companies. Can we say the other IT asset management software are secure? To answer the question, we did a vulnerability assessment on four of these softwares. The results we found were vulnerabilities that allowed anyone remotely control the employees’ machines, vulnerabilities that let an attacker steal any information from the IT administrator’s server, and other multiple vulnerabilities similar to the one exploited by the cyber attack. This presentation will cover the technical details of the vulnerabilities we found and the common ways to attack that are used to find vulnerabilities in IT asset management software.

Orange Tsai

Orange Tsai

Cheng-Da Tsai, also as known as Orange Tsai, is member of DEVCORE and CHROOT from Taiwan. Speaker of conference such as Black Hat USA, DEFCON, HITCON, HITB, WooYun and AVTokyo. He participates numerous Capture-the-Flags (CTF), and won 2nd place in DEF CON 22/25 as team member of HITCON.
Currently focusing on vulnerability research & web application security. Orange enjoys to find vulnerabilities and participates Bug Bounty Program. He is enthusiasm for Remote Code Execution (RCE), also uncovered RCE in several vendors, such as Facebook, Uber, Apple, GitHub, Yahoo and Imgur.

[Web Security][SSRF][Protocol Smuggling]A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages!

We propose a new exploit technique that brings a whole-new attack surface to bypass SSRF (Server Side Request Forgery) protections. This is a very general attack approach, in which we used in combination with our own fuzzing tool to discover many 0days in built-in libraries of very widely-used programming languages, including Python, PHP, Perl, Ruby, Java, JavaScript, Wget and cURL. The root cause of the problem lies in the inconsistency of URL parsers and URL requesters.
Being a very fundamental problem that exists in built-in libraries, sophisticated web applications such as WordPress (27% of the Web), vBulletin, MyBB and GitHub can also suffer, and 0days have been discovered in them via this technique. This general technique can also adapt to various code contexts and lead to protocol smuggling and SSRF bypassing. Several scenarios will be demonstrated to illustrate how URL parsers can be exploited to bypass SSRF protection and achieve RCE (Remote Code Execution), which is the case in our GitHub Enterprise demo.
Understanding the basics of this technique, the audience won’t be surprised to know that more than 20 vulnerabilities have been found in famous programming languages and web applications aforementioned via this technique.

Ory Segal

Ory Segal

Ory Segal, Sr. Director, Threat Research, Akamai A world-renowned expert in web application and information security with over 15 years of experience. Ory is currently employed at Akamai, as Sr. Director of Threat Research, leading a team of top web security & big data researchers. Prior to Akamai Ory worked at IBM as the Security Products Architect and Product Manager for the market leading application security solution IBM Security AppScan. While at IBM, Ory received the IBM Outstanding Technical Achievement Award (OTAA - the highest technical award at IBM), and have filed numerous patents in the field of application security. Ory is serving as an officer of the Web Application Security Consortium (WASC), and was an OWASP Israel board member.

[HTTP/2][Client Fingerprinting][Web Application Security] Passive Fingerprinting of HTTP/2 Clients.

HTTP/2 is the second major version of the HTTP protocol. It changes the way HTTP is transferred “on the wire” by introducing a full binary protocol that is made up of TCP connections, streams, and frames, rather than a plain-text protocol. Such a fundamental change from HTTP/1.x to HTTP/2, means that client-side and server-side implementations have to incorporate completely new code in order to support new HTTP/2 features. This introduces nuances in protocol implementations, which, in return, might be used to passively fingerprint web clients.
Our research is based on more than 10 million HTTP/2 connections from which we extracted fingerprints for over 40,000 unique user agents across hundreds of implementations.
In the presentation, we intend provide the following:
*HTTP/2 Overview
- Introduction into the basic elements of the protocol
- a review the different components chosen for the fingerprint format (alongside a discussion on those left out)
- Potential use cases of the proposed fingerprint
- Usage Statistics - prevalence of HTTP/2 usage on Akamai’s platform

*Examples of common HTTP/2 Implementations & Client fingerprints collected during the research
*HTTP/2 support (or the lack of) among common web security tools (Burp suite, sqlmap, etc.)
*Review of attacks over HTTP/2 observed on Akamai’s platform

Samit Anwer

Samit Anwer

Samit Anwer is a Web and Mobile Application security researcher. He has been active in the security community since the last 3 years soon after completing his Master's from IIIT, Delhi in Mobile and Ubiquitous Computing. He is an active member of the Null Bangalore chapter and has spoken on various topics at AppSec USA 2017, c0c0n X 2017 and null chapter meets. He is actively involved with vulnerability research in popular Web and Mobile apps and has responsibly disclosed several security issues with Google Cloud Print API, XSS filter evasion on IE 11/MS Edge, code execution on Microsoft Windows 10, and buffer overflows on MS Edge/IE 11. He currently works in the Product Security team of Citrix R&D in Bangalore, India.
His technical interests lie in using static program analysis techniques to mitigate security and performance issues on mobile/web apps, breaking web/mobile apps, and researching on cutting edge authentication and authorization mechanisms. When he is not breaking apps, you can find him occupied with outdoor sports, on a food spree or traveling.
His published works are as follows:
1. Chiromancer: A Tool for Boosting Android Application Performance [MobileSOFT Conference 2014, Hyderabad, India]
2. Detecting Performance Antipatterns before migrating to the Cloud [IEEE CloudCom 2013, Bristol, U.K.]
3. Performance Antipatterns: Detection and Evaluation of their Effects in the Cloud [IEEE Services 2014, Anchorage, Alaska]
LinkedIn: https://www.linkedin.com/in/samit-anwer-ba47a85b | Twitter: @samitanwer1 | FB: samit.anwer

[Static code analysis][Dalvik][GC root][Android][Memory Leak][Data-flow analysis][Live Variable Analysis]Androsia: A step ahead in securing in-memory Android application data

Android does not provide explicit APIs to reclaim memory from sensitive objects which are not "used" ahead in the program. "java.security.*" library does provide classes for holding sensitive data (like KeyStore.PasswordProtection) and API's (like destroy()) to remove sensitive content. However, the onus of calling these APIs is on the developer. Developers may invoke these APIs at a stage very late in the code or may even forget to invoke them.
In this work, we propose a novel approach to determine at every program statement which security critical objects will not be used by the app in the future. Using results from our 'data flow analysis' we can decide to flush out the security sensitive objects immediately after their last use, thereby preventing an attacker from dumping security critical information. This way an app can truly provide defence in depth.
We incorporate support for tracking objects in all possible scopes (instance field, static field, local) in our tool called Androsia, which uses static code analysis to perform a summary based inter-procedural data flow analysis to determine the points in the program where security sensitive objects are last used. Androsia then performs bytecode transformation of the app to flush out the secrets resetting the objects to their default values.

Sanghwan Ahn

Sanghwan Ahn

I am a senior security engineer currently working in the security department at LINE corp and mostly engaged in security assessment, security architecture design and development. I like to analyze the program and find vulnerabilities in it also, am interested in technology related to security. In recent years, I have been interested in white-box cryptography doing various researches such as implementation, cryptanalysis.

[White box cryptography][cryptanalysis][side channel attack][software protection]Key recovery attacks against commercial white-box cryptography implementations

White-box cryptography aims to protect cryptographic primitives and keys in software implementations even when the adversary has a full control to the execution environment and an access to the implementation of the cryptographic algorithm. It combines mathematical transformation with obfuscation techniques so it’s not just obfuscation on a data and a code level but actually algorithmic obfuscation. ​
In the white-box implementation, cryptographic keys are mathematically transformed so that never revealed in a plain form, even during execution of cryptographic algorithms. With such security in the place, it becomes extremely difficult for attackers to locate, modify, and extract the cryptographic keys. Although all current academic white-box implementations have been practically broken by various attacks including table-decomposition, power analysis attack, and fault injection attacks, There are no published reports of successful attacks against commercial white-box implementations to date. When I have assessed Commercial white box implementations to check if they were vulnerable to previous attacks, I found out that previous attacks failed to retrieve a secret key protected with the commercial white-box implementation. Consequently, I modified side channel attacks to be available in academic literature and succeeded in retrieving a secret key protected with the commercial white-box cryptography implementation. This is the first report that succeeded to recover secret key protected with commercial white-box implementation to the best of my knowledge in this industry. In this talk, I would like to share how to recover the key protected with commercial white-box implementation and present security guides on applying white-box cryptography to services more securely.

Sangmin Lee

Sangmin Lee

Sangmin Lee is a master student of SANE(Security Analysis aNd Evaluation) Lab on CIST(Center for Information Security Technologies) in Korea University. He is most interested in offensive security about system vulnerabilities and is interested in fields such as digital forensics, security assessment and software testing. Also, he participated in projects such as "Security Testing for External Interfaces of Vehicular Wireless Systems", "Cyber ​​Fast Track related to IoT devices vulnerabilities analysis" and "WebOS smart TV international security CC(Common Criteria) certification acquisition". In 2015, he participated as a mentee at BoB(Best of the Best), an information security leader training program hosted by KITRI(Korea Information Technology Research Institute). he, In BoB, conducted project to analyze vulnerabilities in embedded devices such as routers, IP cameras, Smart home and SCADA. Also, he presented the project results at POC(Power Of Community) 2015 on the subject of "What if Fire Sale occurs in Korea?"

[Smart TV][Digital Forensic Investigation][webOS Forensics]LG vs. Samsung Smart TV: Which Is Better for Tracking You?

Recently, various IoT devices such as Smart Appliance, Smart Grid and Smart Car have been developed. IoT devices collects users information to provide better personalized services and conveniences. The need for IoT devices forensics has also increased.
Smart TV is the most popular and pervasive IoT devices in the our home. Originally data collected through computer forensics, but Smart TVs have a lot of data that can track the behavior of users in the home. As a result, you can use Smart TV data as legal proof. In reality, according to the US Forbes in 2015, the Global Media company used the video search records of Samsung Smart TV as legal proof to prosecute child sex offenders.
An experimental study of the first Smart TV forensics was conducted about Samsung Smart TV(model:UN46ES8000) in 2014. This study, conducted by KIISC(Korea Institute of Information Security & Cryptology), obtained storage data through vulnerabilities in web browsers and identified various data that can trace user's actions. After that, in 2015, research for Smart TV forensics analyzing different version of Samsung Smart TV was done through same analysis procedure. However, each Smart TV manufacturers have different operating systems and default applications, It is necessary to conduct forensics study for Smart TV of other manufacturers. Though two forensic study for their LG webOS 2.0 Smart TV is conducted, studies have difficulties in obtaining forensics data. So, We conducted forensic research on LG webOS 3.0 Smart TV and identified key data that could be collected on the TV. We will also announce comparison result of forensics study for LG with Samsung Smart TV.

Satoshi Tanda

Satoshi Tanda

Satoshi has over a decade of experience in reverse engineering malware, Windows internals, and likes to devote himself to writing tools for security research. He works at CrowdStrike as a Software Engineer, and prior to that, worked for Sophos as a Threat Researcher focusing on behavior-based malware detection on Windows. Outside of work, he enjoys hiking, snowboarding, playing with cats, and spending time with his wife. He has spoken at Recon 2016, BlueHat v16, and Nullcon 2017 recently.

[PowerShell][AMSI][Anti-malware][EDR][CLR]NET Framework]PowerShell Inside Out: Applied .NET Hacking for Enhanced Visibility

In response to the emerging use of PowerShell by attackers, Microsoft released a feature called Anti-Malware Scan Interface (AMSI) in Windows 10, allowing 3rd party companies, as well as Microsoft itself, to gain more visibility into PowerShell and other scripting engines. Since this release, various research has been done on the effectiveness of AMSI, revealing its efficacy as well as its inherent weaknesses.
Despite this advance, however, many security vendors have yet to add AMSI support in their products, perhaps due to its limited platform coverage. On the other hand, red teamers and adversaries have quickly equipped themselves with techniques which attack the weaknesses of AMSI and bypass it, making detection and prevention of PowerShell attacks even harder.
This talk will discuss how to gain greater visibility into managed program execution, especially for PowerShell, using a .NET native code hooking technique to help organizations protect themselves from such advanced attacker techniques. In this session, we will demonstrate how to enhance capabilities provided by AMSI and how to overcome its limitations, through a realistic implementation of the technique, all while analyzing the internals of .NET Framework and the PowerShell engine.

Shusei Tomonaga

Shusei Tomonaga, Keisuke Muda

Shusei Tomonaga
Shusei Tomonaga is a member of the Analysis Center of JPCERT/CC. Since December 2012, he has been engaged in malware analysis and forensics investigation, and is especially involved in analyzing incidents of targeted attacks. In addition, he has written up several posts on malware analysis and technical findings on JPCERT/CC’s English Blog (http://blog.jpcert.or.jp/). Prior to joining JPCERT/CC, he was engaged in security monitoring and analysis operations at a foreign-affiliated IT vendor. He presented at CODE BLUE 2015 and FIRST Conference 2017.

Keisuke Muda

Keisuke Muda
Keisuke Muda is an analyst of the Security Operation Center at Internet Initiative Japan Inc. (IIJ), an Internet service provider company in Japan. As a member of IIJ SOC, he analyzes logs sent from various devices installed at IIJ SOC customers’ networks. He also researches and investigates vulnerabilities on software, and when a critical security hole was discovered, he analyzes and summarizes them to share with IIJ customers to ensure their security. Before becoming an analyst, he was working on the system integration. With the background, he also takes roles on enhancing IIJ SOC services and its infrastructures.

[Malware][Forensics][APT]Pursue the Attackers – Identify and Investigate Lateral Movement Based on Behavior Pattern –

In many targeted attack cases, once the attacker gains entry into the network, malware infection will spread laterally. In incident responses, investigating this lateral movement activity is very important. Methods for investigating lateral movement include log analysis of infected hosts and forensic analysis of disk images. However, in many cases, useful logs for incident investigation are not recorded in infected hosts, making it difficult to trace the attackers' behavior. This often results in not being able to get a clear picture of how the infection spreads across the network.
Therefore, we conducted investigation on attackers' C2 servers and malware to gain insight into their actives. By decoding the malware's communication logs and C2 server logs, we were able to understand the attackers’ activity after the network intrusion. We also found common patterns in how infection spread laterally. Also, even in different campaigns with different malware deployed, many common tools were used by attackers.
Taking advantage of the similarity, we figured that tracking these tools is effective in understanding lateral movements. In Windows PCs, which are the main target of APT attacks, certain

Takahiro Yoshimura

Takahiro Yoshimura, Ken-ya Yoshimura

Takahiro Yoshimura
TAKAHIRO YOSHIMURA: He is Chief Technology Officer at Monolith Works Inc. In 2012 METI-coodinated CTF, Challenge CTF Japan 2012, his team (Enemy10) had won local qualification round at the 1st prize. In 2013, his team (Sutegoma2) took the 6th prize in DEFCON 21 CTF. He like to read binaries and hack things. He loves a GSD.

Ken-ya Yoshimura

Ken-ya Yoshimura
KEN-YA YOSHIMURA: Working as Chief Executive Officer at Monolith Works Inc, he is supervising an R&D lab specializing in emerging technologies. His hacker life starts when he was 8 years old; he likes to hack MSXs, NEC PC-9800s, Sharp X68000s, Windows, Macs, iPhones, iOS/Android apps, and circumvent copyright protection (for fun,) etc. He adores a GSD.

[appsec][android][hacking][static analysis][dalvik][reverse engineering]Trueseeing: Effective Dataflow Analysis over Dalvik Opcodes

Trueseeing is an automatic vulnerability scanner for Android apps. It is capable of not only directly conducting data flow analysis over Dalvik bytecode but also automatically fixing the code, i.e. without any decompilers. This capability makes it resillent against basic obfuscations and distinguishes it among similar tools -- including the QARK, the scanner/explotation tool shown by Linkedin in DEF CON 23. Currently it recognizes the most class of vulnerabilities (as in OWASP Mobile Top 10 (2015).) We have presented it in DEF CON 25 Demo Labs. Our tool is at: https://github.com/monolithworks/trueseeing .

Jack Tang,

Jack Tang, Moony Li

Jack Tang
10+ years security industry experience
MSRC Top 36 in year 2015
MSRC Top 16 in year 2016
Won the Microsoft Mitigation Bypass Bounty in 2016
Speaker of Blackhat 2016 Europe , Blackhat 2016 Asia , Code Blue 2016, pacsec 2016
Focus on Android/Mac/Windows Kernel and Virtualization Vulnerability

Moony Li

Moony Li
8 years of security production development
RD Leader of Sandcastle core engine of DD(Deep Discovery) production for Gateway 0day exploit detection.
Current focusing on research about Mobile/Mac/Windows kernel vulnerability and exploit

[ARM64 hardware trace][code coverage][symbolic execution] Fun and Practice for exercising your ARM(64)

More and more security vulnerability of device drivers on mobile platform have been exposed in recent years. If you open the Android or CodeAurora security advisories, you will be inundated with various device driver vulnerabilities. Currently, there exist many popular fuzzing systems to hunt vulnerabilities for both Android device driver and Linux kernel, however, rare of them are designed as both smart (guiding to generate less fuzz data to cover more code) and quick (high speed of instruction trace). Hence, we introduce another practical fuzzing system in harness of both ARM64 hardware trace technology and hybrid execution technology(mix Angr symbolic execution method with trace information leverage) to be more smart and quick.

Christy Quinn

Christy Quinn

Christy Quinn is a Security Specialist in threat intelligence at Accenture Security - iDefense. Christy is a member of the iDefense Threat Hunting, OSINT and Reconnaissance (THOR) Team where he specialises in threat actor behavioural analysis paired with technical collection. His research interests include organised cyber crime, state-sponsored cyber information operations and South-East Asian security issues. Christy has a MA in Intelligence and International Security from King’s College London and a BA in International History from the London School of Economics.

[dark web][darknet][cryptocurrency][fraud][cyber crime][financial]AlphaBay Market - Post-Mortem of a Cyber Crime Leader

AlphaBay Market was, by far, the largest and most prolific provider of cybercrime and fraud-related services in the world, prior to its seizure and arrest of its administrator Alpha02 by the FBI on July 4, 2017. While the Tor-based marketplace was most famous for the sale of narcotics, firearms and stolen goods, the AlphaBay's forum was also the epicenter of the English-speaking cybercriminal community. This community used AlphaBay as a platform to target governments and businesses all over the world, including Japan's financial services sector. During AlphaBay's tenure as the leading criminal marketplace, it provided a hugely rich source of intelligence on the tactics, techniques and operations of cybercriminal groups targeting a wide range of business verticals, then selling exfiltrated data through the marketplace securely and anonymously. While the marketplace is now offline, these groups remain and are using the same attack techniques.

This talk reveals iDefense's research into AlphaBay, including its history and unique qualities that helped the marketplace achieve such a dominant position within the underground economy. Our findings include evidence of a uniquely sophisticated financial model, including cryptocurrency manipulation at a large scale, AlphaBay's deep ties with the Russian cybercriminal community and as a staging point for cyber criminals to build groups of expertise once they had identified an opportunity for profit. This talk will also reflect on the future for criminal marketplaces following the seizure of AlphaBay and what features we are likely to see in the next market to rise to the top.

Keishi Kubo

Keishi Kubo and Hiroshi Soeda

Keishi Kubo
Mr. Keishi Kubo is Manager of Incident Response Group, JPCERT/CC. Following the experience in security service operation and development at a Japanese major ISP, he has been working on the frontline of incident handling at JPCERT/CC since 2007. In recent years, he has been leading JPCERT/CC’s day-to-day operation, especially in onsite handling of APT incidents targeting Japanese organizations.

Hiroshi Soeda

Hiroshi Soeda
Mr. Hiroshi Soeda works as Information Security Analyst at Incident Response Group, JPCERT/CC since 2009. His primary responsibility is in providing coordination and assistance for cyber security incidents related to Japanese networks. With his technical insight, he is also in charge of analyzing incident trends and attack methods, as well as developing inhouse tools.

[APT][STIX 2.0][Visualization][APT17][Winnti][Emdivi][Tick][APT10]The Whole Picture of APT Attacks Targeting Japan - What We See from STIX-based Analysis -

JPCERT/CC analyzes APT attack campaigns observed in Japan by investigating C&C servers used in the attack and information collected by affected organizations.

In order to capture the whole picture of APT attack campaigns targeting Japanese organizations, JPCERT/CC is now developing a system to describe incident information in STIX format and store in a database. We plan to release this system on GitHub as an open source software.

This system aims to analyze attack methods and targets chronologically according to attack campaign, adversary, malware as well as method for initial intrusion and lateral movement, which is visualized as a timeline.

Based on the analysis using this system, this presentation will introduce an overview of APT attack campaigns targeting Japan in order of time, as well as the relation to other campaigns by focusing on similarities in attack methods. By focusing on the targets’ characteristics in various campaigns, we will examine each adversary’s purpose behind the attack.

In addition, technical features of this system will be covered, along with some observations gained through our analysis using STIX-based incident description.

Stefano Mele

Stefano Mele

Stefano Mele is “Of Counsel” to Carnelutti Law Firm, where for the last 7 years he has been in charge of the Technology, Privacy, Cybersecurity and Intelligence Law Department. He holds a PhD from the University of Foggia, and works collaboratively with the Department of Legal Informatics at the Faculty of Law of the University of Milan. He is the founder and Partner of the Moire Consulting Group. He is a member of the Governing Board and President of the “Cybersecurity Commission” of the Italian Atlantic Committee. He is also the President of the “Cyber Security Working Group” of the American Chamber of Commerce in Italy (AMCHAM), and a member of the “Cyber Security Roundtable” of Regione Lombardia and of the “Advisory Board on Cyber Security” of Assolombarda. He is the Director of the “InfoWarfare and Emerging Technologies” Observatory of the Italian ‘Niccolò Machiavelli’ Institute of Strategic Studies, and co-founder and President of the non-profit organization CyberPARCO. Stefano is also a lecturer for several universities and military research institutions of the Italian Ministry of Defence and NATO, and he is the author of the “Cyber Strategy & Policy Brief” and of several academic papers and articles on cybersecurity, cyber intelligence, cyber terrorism and cyber warfare topics. In 2014, he was included in NATO’s list of Key Opinion Leaders for Cyberspace Security. In 2014, the business magazine Forbes listed Stefano as one of the world’s best 20 Cyber Policy Experts to follow online.

[Cybersecurity][Public-Private Partnership][National Security][Strategy][Cyber][Critical Infrastructures][Cooperation][European Union][Italy][United States][Germany][United Kingdom][Information Security]National Security and Public-Private Partnership for Cybersecurity: Strengths and Challenges

The high level of pervasiveness of technologies and the Internet in every field of today’s social fabric has completely changed every aspect of our society, service delivery and management, access to information – in both its quality and quantity – as well as the relationship between the aforementioned elements and the citizens, what’s more, in a rather limited stretch of time. From this perspective, the public-private partnership looks like a growing functional need in cybersecurity, mainly due to two elements: first, the fact that the majority of critical infrastructures are owned and managed by privates; secondly, the use of ICT technologies in such systems has become widespread, their level of interconnection being significantly high. This research analyses the strategic approach of some of the most important States to the public-private partnership for cybersecurity, highlighting strengths and weaknesses, and outlining also the essential requirements to plan and structure an effective and efficient partnership.

Kaoru Otsuka

Kaoru Otsuka

Kaoru started his career as a programmer when he was a second year junior high school student. He analyzed protocol of a certain chat application with jailbroken iPhone and created API with the analyzed data. From these experiences, he became interested in jailbreaking. He is graduate of Security Camp 2017.

[U20][youth][iOS][Kernel][Jailbreak][Sandbox]Take a Jailbreak -Stunning Guards for iOS Jailbreak-

In this talk, I investigate several exploiting ideas for iOS kernel jailbreak using recently exposed vulnerabilities. Recently, Ian Beer found the following promising vulnerabilities:
CVE-2016-7637: Broken kernel mach port name ‘uref’ handling on iOS/MacOS can lead to privileged port name replacement in other processes,
CVE-2016-7644: XNU kernel UaF due to lack of locking in set_dp_control_port,
CVE-2016-7661: MacOS/iOS arbitrary port replacement in powerd.
However, naive combination of the above vulnerabilities cannot easily break recent mitigations implemented in iOS versions. Recent iOS provides the kernel level mitigations against exploitation such as kernel patch protection, sandboxing, AMFI(Apple Mobile File Integrity), MAC(Mandatory Access Control) policy, KASLR(Kernel ASLR) etc. These mitigations will be briefly explained.

Saki Hashimoto

Saki Hashimoto , Masayuki Takeda

Saki Hashimoto
Saki Hashimoto is an undergraduate law major at Keio University. After participating in Cyber Koshien in 2015, she has helped run and design challenges for CTF for GIRLS. She is a Certified Administrative Procedures Legal Specialist since 2016. With experience with part-time work and interning as a software engineer, she is interested in programming and the legal profession.

Masayuki Takeda

Masayuki Takeda - Masayuki Takeda -
Masayuki Takeda is an undergraduate student at Keio University majoring in computer science, a Security Camp alumni (2014, Network Security Class), and co-founder of CTF team scryptos. He is currently interested in SIGINT and anonymous communication technology.

[U20][Law][Vulnerability][Unauthorized Access][Reverse Engineering]Vulnerabilities: A Legal Perspective

While handling security vulnerabilities always entails legal risk, there is a great deal of ambiguity regarding what exactly is legal due to a lack of judicial precedent. We will not only introduce legal theories and what precedent we have but also examine the logical process behind the interpretation and application of law. First, we will consider what kind of circumstances allow the public disclosure of vulnerability details. Freedom of expression, the right to know, and public order and morality are relevant points of discussion. We will also discuss civil and criminal liability in regards to obstruction of business and defamation, and analyze the legal characteristics of vulnerability disclosure with the importance of knowing the details and the extent of damage possible through abuse hanging in the balance. Specifically, we will take a look at Information-Technology Promotion Agency (IPA), an Independent Administrative Institution which operates a vulnerability reporting program, and whether information concerning vulnerabilities is in scope of disclosure for Administrative Information Disclosure laws which apply to IPA.
In addition, we will evaluate what constitutes violation of the Act on the Prohibition of Unauthorized Computer Access in the process of discovering vulnerabilities, the validity of anti-reverse engineering clauses in contracts, and whether immunity from criminal liability is granted for validation studies for vulnerabilities.