/* No speaking simultaneous interpretation is available , however, we try to show the slides in both english & japanese as much as we can. */

/* [en] means English speaker, [ja] means Japanese speaker. */

[en] "TSURUGI Linux - the sharpest weapon in your DFIR arsenal"

Giovanni Rattaro

Tsurugi is an heavily customized Linux distribution designed to support your DFIR investigations, malware analysis and Open Sourced intelligence activities. This open source project will be officially presented and will bacame public at AvTokyo conference. During the talk other parallel projects for acquisition and for live forensics will be presented...

Giovanni Rattaro:

Giovanni 'Sug4r' Rattaro is a Senior IT security consultant at Openminded, a cybersecurity company based in Paris, Italian board member of old backtrack Linux project (now Kali Linux) and ex DEFT Linux staff.

Main interests: DFIR, Cyber Threat Intelligence, botnet hunter, pentest and Social Engineering.

Tsurugi Linux core developer.

[en] Open Source Intelligence using DeepWeb: Analysis of the correlation between malware and the open source

dasom kim & seunggi jeong

This presentation explains how to make the most of the open source and track the specific users Horangi R&D Team discover. Based on the open source of malicious users, such as users who mainly sell malware targeted at a specific company, users who sell data or personal information of users, and then visualize their activities, Analyze associativity.

Dasom Kim:

Dasom Kim is a researcher of CyberOps, Horangi Pte LTD. She is the last year student at Kyungil University and a member of the anti-forensic research club. Her research interests include digital forensics, offender profiling, anti-forensics (steganography) and virtual reality.

Seunggi JEONG:

Seunggi JEONG is a Lead CyberOps Engineer of CyberOps, Horangi Pte LTD.

[en] Play with FILE Structure - Yet Another Binary Exploit Technique


To fight against prevalent cyber threat, more mechanisms to protect operating systems have been proposed recently. Specifically, the approaches like DEP, ASLR, and RELRO are frequently applied on Linux to hinder memory corruption vulnerabilities. In other words, it is more difficult for adversaries to exploit bugs to undermine the system security.

In this session, we will propose a new attack technique that exploits the FILE structure in GNU C Library (Glibc), and introduce how to circumvent the protection adopted by modern operating systems. In more detail, we demonstrate the techniques to break data protection and launch remote code execution. Moreover, we explore the methodology to utilize different FILE structures for attack, the so called File Stream Oriented Programming.

Moreover, there are new mitigations in the latest version of Glibc recently, but we can still abuse the FILE structure by our new approaches.


Angelboy is a member of chroot and 217 team. He is researching in linux binary exploitation, especially in heap related exploitation. He participated in a lot of ctf, such as HITB、DEFCON、Boston key party, won 2nd in DEFCON CTF 2017 and won 1st in Boston key party 2016, 2017 with HTICON CTF Team. He is also a speaker at conferences such as HITCON, VXCON and HITB.

[en] A mysterious watcher ? Red Eyes Group and their activities in South Korea

CHA Minseok(Jacky)

On January 31, 2018, KRCert warned users about the zero0day vulnerability within Adobe Flash Player (CVE-2018-4878). The first attack exploiting this vulnerability was made on Korean users in November 2017. It uses the Redoor malware to infect users in the last phase of the attack. DOGcall and ROKRAT are in the same family of this malware. Redoor is known to be the malware used in Hancom Hangul(a word processor of Korea) disguised as a fake New Year address by North Korea in January 2017. However, the first attack using this malware had occurred in the autumn of 2016.

Red Eyes Group, the hacking group behind the attack, is also referred to as ScarCruft, Group123, Ricochet Chollima, Reaper, and APT37. Their profile is being built slowly in the efforts of security vendors to gather, collate, and analyze the attacks. The attacks are known to be made in not only in Korea, but also in Vietnam, Japan, and the Middle East.

And the main target of attack in Korea seems to be North Korean defectors and human rights activists. Hancom Hangul is a word processor used widely within Korea, and it has been used in targeted attacks. Some of their attacks exploit the zero-day vulnerability of Adobe Flash.

In this presentation, I will talk about the group's attack method in South Korea, including attack targets based on the decoy document and the characteristics of the main malware. I will also use the information gained from the code to profile the developer, and compare the attack with a group which was active in 2015. There is a chance that this group has been active for longer than we thought.

CHA Minseok(Jacky):

CHA Minseok(Jacky) is a Senior Principal Malware Researcher at AhnLab. He joined AhnLab as a malware analyst in 1997.

He is a member of AVAR(Association of Anti-Virus Asia Researches) and a reporter for the WildList Organization International.

He has been appointed as a member of the Private/Public Cooperative Investigation Group and Cyber Expert Group in South Korea.

He is a speaker at security conferences, including AVAR Conference, CARO Workshop, CodeEngn, CodeGate, ISCR(International Symposium on Cybercrime Response) and so on.

When he has free time, he enjoys old video games and old anime.

[ja] 不都合な真実: Windows 10でRansomware Protectionを回避

Soya Aoyama


ランサムウェア対策として、Microsoftは「Windows 10 Fall Creators Update」に「Ransomware


この講演では、デモンストレーションビデオを通じて、 "Ransomware protection"の "Controlled folder


Soya Aoyama:




[en] Farewell, WAF - Exploiting SQL Injection from Mutation to Polymorphism

Boik Su

In this talk, we'll not only go through the core ideas and concepts of the Web application firewall (WAF) and also some background information about mutation testing against web applications, but introduce a promising direction of automatically generating SQL Injection attacks with Polymorphism. We'll be giving out some case studies and bypasses for the ModSecurity's latest version (v3.1) alongside our demonstrations and explain why common detections cannot help in this place as well. The audience will then realize the power of this concept and the beauty of the SQL language after the talk.

Boik Su:

Syue-Siang Su (Boik) has four-year experience in Web development and actively using OSS to create and manage applications or gadgets for his research in Web Security. He has received some awards from CTFs, been the speaker at OSCON2018, AVTokyo 2017, Taiwan Modern Web 2017, and the lecturer at Taiwan HITCON Training and National Center for Cyber Security Technology.

* http://boik.com.tw/

[ja] オッカムの剃刀:フォレンジックの物語

白船(田中ザック/Isaac Mathis)


白船(田中ザック/Isaac Mathis):

大和セキュリティ勉強会の主催者 (@yamatosecurity)の主催者。元カーネギーメロン大学の研究員。SANS 504の講師。神戸デジタル・ラボ(KDL)のProactive Defense CTO。法竹奏者。プロレベルの庭師。

[ja] Building CTF: 幾千の失敗を超えて





[ja] CloudFrontを眺めていたらやばそうなデータを見つけてしまった

尾﨑 光芳 / 白石 三晃 / 小峰 里美

Amazon CloudFrontはコンテンツ配信ネットワーク (CDN) サービスです。CloudFrontでは、コンテンツを高速に配信できるよう、また簡便なアクセスができるよう様々な設定項目が提供されています。しかしながら、その設定に不備があるとセキュリティの問題になるおそれがあります。


尾﨑 光芳:

SecureWorks Japan セキュリティ診断チーム

白石 三晃:

SecureWorks Japan セキュリティ診断チーム

小峰 里美:

SecureWorks Japan セキュリティ診断チーム