Agenda
8/19 HITCON X ENT Enterprise Track, Day 1
Opening
Uncover APTs in the Kill Chain with Intelligence-Driven, Big Data Approaches
The Anatomy of a DDoS Attack
Break
Panel: How HITCON Adapts to a New Era of Security Threats / Introduction to the HITCON X Board Game
Lunch
Insecure Internal Storage in Android
Uroburos rootkit
Bitcoin Security
IE 11 0day & Windows 8.1 Exploit
Break
The Forgotten Information Leakage / Information Leakage in Taiwan
Real-Time Detection of Common Attacks
Social Party (Sponsor Hall)
8/20 HITCON X ENT Enterprise Track, Day 2
Everyday is Zero Day, Today is Flash Player
Mobile App Testing and Forensics
Break
Running a Security Community: Operations and Experience
The Black Industry Parasitizing Tencent's Services
Living with Compromise: Enterprise Network Survival in a Tough Russian Environment
Make a secure mobile payment
Lunch
Onward to Las Vegas: The 2014 HITCON Team's CTF Competition Experience
Cyber Attack Reveal and Protection
Open Source and CSIRT - How can we help?
Lessons from Running WooYun over the Years: Pros and Cons
Break
Who Is Attacking You? Distinguishing Motivation to Prioritize Threats
Operation Windigo – Analysis of a large Linux server-side credential-stealing malware campaign
How Pangu Achieves an Untethered Jailbreak
Knock? Knock? Who is There? APT Malware Attribution
Closing
8/21 HITCON X PLG Community Track, Day 1
Registration and Breakfast
Chair's Address, Opening
Opening Keynote (Director-General Ho Chuan-Te (何全德), National Development Council)
BinProxy: New Paradigm of Binary Analysis With Your Favorite Web Proxy
Is AV Dead? Malware Trends and Responses in the Consumer Space
Security Analysis of Cloud System Logins: Password-Entry Security Systems of Online Banks Worldwide as a Case Study
APT Backdoor Connection Evolution in Taiwan
Smashing The Browser - From Vulnerability Discovery To Exploit
Fast Track of Mac Memory Forensics - WeChat Analysis and Security Reveal in a live system
Lunch
Insecure Internal Storage In Android
On the Feasibility of Automatically Generating Android Component Hijacking Exploits
Play Flappy Bird while you pentest Android in style
Break
Scan It! Catching Sneaky Remote Desktop Backdoors at the Protocol Level
Guess Where I Am: Detecting and Countering Android Emulator Evasion
DroidDolphin: a Dynamic Android Malware Detection Framework Using Big Data and Machine Learning
Coffee Break
HITCON International CTF: Untold Statistics and Secrets, and Winning Teams Share Their Experience
CRAX: An Automatic Exploit Generation System
Sneaking into and Seeing Through iOS Apps Is That Easy
Closing
8/22 HITCON X PLG Community Track, Day 2
Registration and Breakfast
HITCON Oddity Awards Ceremony
Break
New Exploit Mitigation In Internet Explorer
Write Your Own Debugger!!
Man-in-the-Middle Attack on AirPlay Screen Mirroring
Break
APT Fail
Vulnerability, Malware and DDoS
Take advantage of randomness
Lunch
Building Adaptive Heterogeneous Architecture for Malware Behavior Analysis: MAN in Taiwan
Investigation and Intelligence Framework
Security {Breeze && ! (Breach)} @ Open Wifi; /* User Side Evil Twin Detection */
Break
Cryptanalysis in real life II
Hacking the BroadLink Smart Home
Inside the Matrix: How to Build a Transparent Sandbox for Malware Analysis
Coffee Break
Three Blind Spots Enterprises Face with New Types of Vulnerabilities
Some things before network attack (a long time observation)
Security and Protection for Enterprise Smart Mobile Devices
Closing / Highlights and Looking Ahead to HITCON 2015
Yitzhak (Itzik) Vager is VP of Product Management & Business Development for Verint Cyber Intelligence Solution, and has been working for Verint for the last fifteen years in various technology and business positions.
During his years in Verint, Itzik has been leading multiple growth engines for the company in the areas of Cyber Security, IP Monitoring, Big Data Collection and Service Providers Compliance.
Uncover APTs in the Kill Chain with Intelligence-Driven, Big Data Approaches
Matthew is co-founder and CEO of CloudFlare. CloudFlare’s mission is to build a better Internet. Matthew wrote his first computer program at age seven when his mom would sneak him into university computer science courses. He went on to study English Literature and Computer Science in college before, oddly, skipping out on the first Internet boom to instead attend law school.
After finishing law school, Matthew worked as an attorney for one day before joining a Chicago-based tech startup. He went on to co-found Unspam Technologies, an anti-spam startup where he continues to serve as Chairman. Since then, Matthew has been an adjunct professor of law at the John Marshall Law School and co-creator of Project Honey Pot, the largest open source community tracking online fraud and abuse. He started CloudFlare with Michelle Zatlyn, and Lee Holloway in 2009.
In 2013, Matthew made the San Francisco Business Times’s 40 under 40 list and CloudFlare was named the most innovative internet and network company by the Wall Street Journal. He is a World Economic Forum Technology Pioneer, winner of the 2011 Tech Fellow Award, and serves on the Board of Advisors for the Center for Information Technology and Privacy Law. Along with being a regular contributor to TechCrunch and PandoDaily, Matthew has spoken at the RSA conference, Black Hat Summit, Web Summit, and is a frequent panelist for TechCrunch Disrupt.
On the side, Matthew is a certified ski instructor, former mountain guide, and regular attendee of the Sundance Film Festival.
Matthew holds an MBA from Harvard Business School where he was a George F. Baker Scholar and awarded the Dubliner Prize for Entrepreneurship. He is a member of the Illinois Bar, and earned his J.D. from the University of Chicago and B.A. from Trinity College.
You can follow him on Twitter @eastdakota.
The Anatomy of a DDoS Attack
Claud Xiao is a Senior Security Researcher at Palo Alto Networks. He has years of experience in antivirus and mobile security. In the past, he found the first Android bootkit, Oldboot, reported vulnerabilities in the Android system and popular applications to Google, Facebook and other Internet companies, and has been invited to present at HITCON, XCON, ISC, CNCERT/CC, etc. He also leads the "Android Security" board of the PEDIY forum and another Chinese mobile security community.
We're going to show an attack that reads and writes internal data on certain Android devices, thereby bypassing a fundamental security mechanism of Android and impacting 94% of popular apps. In particular, we will also disclose a category of Android apps that store passwords in plaintext, which are vulnerable to this attack and may affect billions of users. Finally, we will demonstrate system patching approaches and our security enhancement solutions for mitigating the problem.
Paul Rascagnères is a malware analyst for the G Data SecurityLabs. He is specialised in Advanced Persistent Threat (APT) and incident response. He has worked on several complex cases such as government-linked malware and rootkit analysis. He is a worldwide speaker at several security events.
G Data Security experts have analyzed a very complex and sophisticated piece of malware designed to steal confidential data. G Data refers to it as Uroburos, after a string found in the malware's code. This presentation will show the design of this rootkit and some technical aspects such as the techniques used to bypass Microsoft Windows protection against rootkits.
Chris Lin (林志宏) works at InfoKeyVault Technology as manager of the technical department. He specializes in software security and embedded-system firmware protection, and has designed and developed many related products.
Projects he has taken part in include micropayment systems, key management systems, development of custom cryptographic equipment, smart card login integration, and hardware security module applications. His product development experience covers software protection products, firmware protection solutions, and database security solutions. He is currently developing IoT security products and solutions, as well as a secure Bitcoin hardware wallet.
He is also keenly interested in cryptography and multimedia security, and took part in several related government projects as a student. He holds bachelor's and master's degrees from the Department of Computer Science and Information Engineering at National Taiwan University. Nicknamed "Gorilla", his main hobby is bridge; he represented Taiwan in winning the Asia-Pacific Youth Championship and finishing fourth at the World Youth Championship. In May this year his team defeated the Japanese national team to win the Yokohama Invitational bridge tournament.
Chris Lin is a technical manager of InfoKeyVault Technology Co., Ltd. He specializes in software security and embedded firmware protection, and has rich experience of product design and development in this area. He participated in projects on payment systems, key management systems, applications of hardware security modules (HSM), database security, etc. Currently he is devoted to solutions for IoT security and Bitcoin hardware wallets.
Chris Lin is also interested in cryptography and multimedia security. During his college years he was often involved in cryptography- or security-related projects. Both his bachelor's and master's degrees are from the CSIE department of National Taiwan University. "Gorilla" is his nickname, and bridge is his major hobby. Chris Lin represented Taiwan in winning the Pacific-Asia Youth Bridge Championship, and reached the semifinal of the World Youth Bridge Championship. In May, his team defeated the Japan national team and won the 2014 Yokohama Invitational.
The Bitcoin (BTC) boom keeps heating up, and cryptography-based virtual currencies look set to become an unstoppable trend. From Bitcoin's debut in 2009 to the end of 2013, total venture capital investment was US$110 million; in the first half of 2014 alone it reached US$130 million. We will briefly introduce how Bitcoin works, then broadly examine its security from many angles: the strength of the cryptographic algorithms used by the Bitcoin protocol (ECDSA and SHA-2), the "transaction malleability" attack that led to the bankruptcy of Mt. Gox, then the world's largest Bitcoin exchange, the "51% attack" and Bitcoin "doomsday", exchange platform security, the quality of random number generators, defenses against side-channel attacks, and other related topics. Finally, we will compare the features and security of the Bitcoin wallets on the market, including hardware wallets and smart card wallets.
The popularity of Bitcoin is increasing, and cryptocurrency seems to be an unstoppable trend. From the invention of Bitcoin in 2009 to the end of 2013, total Bitcoin VC investment was US$110M. Remarkably, in the first half of 2014 alone, total VC investment in Bitcoin startups was US$130M. We will briefly introduce how Bitcoin works, then go on to various security aspects of Bitcoin: the strength of the cryptographic primitives (ECDSA & SHA-2) in the Bitcoin protocol, transaction malleability attacks and the bankruptcy of Mt. Gox, the "51% attack" and Bitcoin Doomsday, exchange platform security, random number generator (RNG) quality, resistance to side channel attacks (SCA), etc. Finally, we will compare Bitcoin wallets on the market, including hardware wallets and smartcard wallets.
Works at the Nsfocus Security Research Institute, with five years of security research experience.
Focuses on browser security.
Researches vulnerability discovery techniques; has independently discovered dozens of IE 11 0-day vulnerabilities and reported them to Microsoft.
Researches advanced exploit techniques.
Researches APT-related attack and defense techniques.
Speaker at XKungFoo 2013.
He has five years of experience in information security research and presently holds a post at Nsfocus. He has always paid attention to browser security, does research on vulnerability digging, and has found more than 11 zero-day vulnerabilities in Internet Explorer, which he reported to Microsoft on his own. A good researcher of exploits and APT attack/defense, he was also a speaker at XKungFoo 2013.
This talk mainly presents techniques for developing universal, stable exploits for IE 11 on a fully patched Windows 8.1. It then uses two different undisclosed IE 11 vulnerabilities as examples to demonstrate different exploitation methods, including some interesting new tricks that make it easy to develop an exploit quickly and reliably, and one that works across IE 9 through IE 11. Finally, it explains how Microsoft's newly added Isolated Heap protection works and ideas for countering it, with a demonstration of a 0-day that successfully defeats it.
Security Strategist / Architect whose success leverages heavily a blend of 20 years of solid business and technical experience and 15 years of solid experience in analyzing, mitigating and managing business risk, especially cyber security threats and natural / artificial disasters.
Initiatives include Business / Risk Impact Analysis, Security / Risk Strategy Planning, Business Continuity Management and Information Security / Information Asset Management design / implementation, sales and marketing, business tactical and strategic planning, and financial and profitability analysis.
This is a "fairy tale of a fictional country", but the country is coincidentally quite similar to a country in North East Asia with a population of 128 million and a GDP of about half a quadrillion. Therefore, auditors may be able to understand what happened and is happening in that country through this session.
It has been 11 years since the Government adopted an Executive Adviser to the Chief Information Officer for each of the ministries, and local governments, prefectures, cities, and even towns followed the Government's lead. It is true that they contributed to the informatization of government. But as strong light makes dark shade, there have been issues too, and security is one of them. Although they started to pay special attention to security after the series of cyber-attacks against the Government discovered in 2011, it is still a work in progress. I worked on the team of the Executive Adviser to the Chief Information Officer of a ministry from 2011 to 2013, and recently the ministry was found to have had a serious security breach during that time. In this presentation I would like to introduce the light and shade of Executive Advisers to Chief Information Officers, focusing especially on security, based on that experience, and in particular on the reason why the breach was missed. Throughout the presentation I would like all of the audience to think about how security experts can live and work effectively in an organization, based on this bad example.
Note: Since the nondisclosure agreement is still in force, the actual name of the country and the ministry cannot be shown on the slides or in the speech.
Director of Security Technology, Cheetah Mobile
Zhao Min (趙閩) joined Kingsoft Network in 2004 and has focused on antivirus work, with rich experience in virus analysis, decryption, and malware identification. He led the design of the Kingsoft Cloud 3.0 security architecture and now focuses on mobile Internet security research.
Android Trojans have continued to grow rapidly this year, with new attack techniques emerging constantly. This talk centers on some stubborn Android Trojans that appeared this year, analyzing their main evasion techniques, automated detection methods, and removal solutions.
Shaolin Hsu is currently an information security researcher at DEVCORE, focusing mainly on web application security. While a student he placed in the top three of Taiwan's two major information security competitions (the Collegiate Information Security Competition and the Hacks In Taiwan Conference), and later assisted a national agency with CERT-related work. He built a distributed monitoring system for fast, large-scale, reliable information gathering. This session presents results from that system, analyzing Taiwanese enterprise websites and offering recommendations.
Shaolin Hsu is an information security researcher at DEVCORE focusing on web application security. He placed in the top three of information security competitions (the Collegiate Information Security Competition and HITCON) while at school, and he also assisted the government with CERT work. Shaolin Hsu has built a distributed monitoring system to collect data faster, at larger scale and more reliably. In this session he would like to share the analysis results from this system: he targeted and analyzed enterprise websites in Taiwan and also provides solutions for them.
"Information gathering" is a key step in any successful intrusion: attackers can often assemble an effective attack from small, seemingly trivial details. Exposed information usually causes no immediate harm, which is exactly why enterprises tend to overlook it, unaware that it can become fatal.
Based on data from the DEVCORE monitoring center, this session presents an overview of the current state of information leakage among Taiwanese enterprises and its risks, including leakage of internal host information and source code. We will also draw on the DEVCORE team's past penetration testing experience to list the details most easily overlooked, explain the potential danger each one brings, and describe how DEVCORE uses information leakage to deliver the final blow to a target during a penetration test...
Luo Qiwu (羅啓武) works at Ctrip and has more than six years of experience in security. He is mainly responsible for security architecture and security product development, and works on security assessment, emergency response, security architecture, account security, and the development of security systems.
In 2006 he founded the Sebug vulnerability database (sebug.net) and has given technical talks at several security conferences in China. He has more than six years of experience in information security; he presently holds a post at Ctrip, mainly in charge of security architecture, security product development, security assessment and response, account security and secure system development. He is also the founder of Sebug (sebug.net) and has presented many technical reports at security conferences in China.
Security vulnerabilities and attack methods such as XSS and CSRF now have more and more new variants and new ideas behind them. This talk mainly introduces new twists on some common attack methods, and explains how to detect these new attacks in real time and trace them back to their source.
As CIO and Chief Core Technology Officer, Max Cheng is responsible for overseeing Information Services and Security.
Max has held several executive positions at Trend Micro. He managed TrendLabs, Trend Micro's global research and support headquarters based in Manila. Under his leadership, TrendLabs became one of the world's leading antivirus research and product support services. He has also served as head of the global sales engineering, antivirus research and global technical support groups, and general manager of the enterprise business unit.
Max holds a master’s degree in business administration from the University of California, Los Angeles.
Lucas Leong (aka wmliang) just graduated from NCTU Software Exploitation Lab (aka 0-Day Lab).
Now, he works as a security researcher at Trend Micro.
He recommends thinking like an attacker and fighting against in-the-wild targeted attacks.
His research mainly focuses on document exploitation, reverse engineering and anti-virus engines.
He is also a CTF hobbyist in his daily life.
This is the story of the birth of a zero-day in Flash Player.
I will share the journey from crash to exploit,
and how the challenges were overcome during exploit development.
Finally, I'll show how dangerous a Flash exploit is.
Currently an engineer on Chunghwa Telecom's security assessment team, with five years of security research and work experience. He has carried out penetration tests for universities, government agencies, enterprise projects and financial institutions, and has helped analyze malware samples from internal and external security incidents.
Overview of the current state of mobile security
Introduction to app testing and app forensic analysis methods
App testing case studies
App forensics case studies
As founder of Pediy (www.pediy.com), the best-known software security online community in China, Duan Gang (段鋼) has led the site through more than ten years of development, drawing wide attention and acclaim in the industry. On its own merits the Pediy forum has become the most authoritative technical site recognized in China's software security field, while also cultivating a well-rounded management and technical team with far-reaching social influence.
A well-known author of information security technical books, he has published a series of technical monographs over his more than ten years of running the Pediy forum, with clear social benefit. He has good working relationships with well-known publishers such as Publishing House of Electronics Industry, Posts & Telecom Press and China Machine Press, and has organized around a dozen original and translated books. He also works closely with security companies and teams in China and has co-hosted several national information security events to enthusiastic response. Well-known industry partners include Tencent (Shenzhen), Kingsoft (Zhuhai), NSFOCUS, Venustech and Comodo.
In 2005 he was invited to join the Shanda Group, first working at the SDG technical center, then as CTO of Shanda subsidiary Kun An Technology; in 2010 he became general manager of Shanda subsidiary Beijing SafeWe. He is on good terms with Shanda's senior leadership, including COO Chen Danian, Chief Investment Officer Zhu Haifa (Davis Zhu), Shanda Innovations president Zhongxiang Guo, Shanda Beijing Innovations head Dr. Aimin Pan, SDO CTO Jing Zhu and Bianfeng Group president Enlin Pan.
As a veteran software security practitioner, he has long devoted himself to technical research in IT security and has a deep understanding of the software security field. He is the founder of the famous software security online community "Pediy" (www.pediy.com). He has led and grown Pediy for more than 10 years, earning wide attention and praise. Relying on its own strength, Pediy has become the most influential technical website recognized in China's software security field. At the same time, Pediy has trained a high-quality management and technical team that has a far-reaching impact on people's lives.
He is a well-known author of information security books and has continuously published a series of technical books of significant social benefit over the past 10 years. He has good, harmonious relationships with the Publishing House of Electronics Industry, Posts & Telecom Press and China Machine Press. He has written and translated more than 10 books and has worked closely with security companies and teams such as Tencent, Kingsoft, NSFOCUS, Venustech and Comodo in China. He has co-hosted several national information security events and received an overwhelming response.
He was invited to join the Shanda group in 2005, starting at the SDG technical center and then serving as Chief Technology Officer of Beijing Kun An Information Technology. Afterward, he held the post of General Manager at SafeWe. He also has good relationships with the leaders of the Shanda group, such as Chief Operating Officer Chen Danian, Chief Investment Officer Davis Zhu, the president of Shanda Innovations Zhongxiang Guo, the leader of Shanda Innovations Dr. Aimin Pan, Chief Technology Officer of SDO Jing Zhu and Chief Executive Officer of Bianfeng Enlin Pan.
Lessons from Running the Pediy Security Community
Drawing on 15 years of running Pediy, a discussion of how to operate a security website.
- Origins: why the site was created and the original vision;
- Practice: experience running a security community, the operating model, the site's social benefit, etc.;
- Helping others: raising security awareness and knowledge, talent cultivation, and career development advice for security professionals;
- Succession: future plans and predictions for the development of grassroots cybersecurity websites.
Four years of experience in the antivirus industry, at Kingsoft Antivirus and then the Tencent Security Center. For the past two years he has focused specifically on fighting the black industry, effectively protecting the security of Tencent's account system, and has gained some experience along the way that he hopes to share and discuss with everyone.
He has four years of experience in antivirus. His background includes Kingsoft Antivirus and Tencent. He focuses on fighting the hacking industry to protect Tencent's security. He has gained some experience in his work and will share it in the session.
Tencent's social network has hundreds of millions of users, and parasitic on this huge group is an intricate black industry with an equally astonishing number of practitioners. Our long-term fight against this black industry has taught us some methods and lessons, and we hope to share some of these stories to exchange ideas and learn with peers.
Vladimir Kropotov is an independent security researcher and monitoring team lead. His main interests lie in network traffic analysis, incident response, botnet investigations, and cybercrime tracking. He is a frequent speaker at a number of conferences including HITB, CARO, PhDays and ZeroNights.
The authors will present the concept of compromise indicators in a practical environment with numerous real-life examples from a large-scale enterprise network. Sampled from one of the most malware-infested environments, the authors will demonstrate the tools, methods and methodology they have implemented to keep a massive network safe from both opportunist botnet herders and targeted attackers.
The authors will demonstrate how to use compromise indicators in proactive incident response and the forensic investigation process. The team has developed a framework and a platform that allow integration of various IOC formats into a dynamic defense framework. The framework allows integration of various third-party-encoded indicators (such as CybOX, OpenIOC, etc.) and provides facilities to map individual IOC characteristics to known/existing Indicators of Compromise. The input can be provided in the form of an IP address, a hash, a URL, a process or executable name, an executable behavior characteristic and so on. The output can be produced in the form of Snort rule(s), YARA rule(s), or a hunt description for the GRR Rapid Response framework. The researchers will demonstrate an applied process of identifying, mining and refining IOCs as well as running "IOC sweeps" on available data sources. Several tools will be demonstrated (including passive DNS and passive HTTP frameworks developed by the authors) in these examples, as well as possibilities for integration with third-party tools such as Splunk and Moloch.
The researchers will also discuss the implementation of IOC sharing policies and the facilitation of such sharing, and will walk attendees through a series of simulated case studies including breach simulations, customized rootkit detection and use of the framework to detect, refine, redeploy and sweep for potential indicators of compromise.
Summary
- IT security professional experience with financial IT architecture and payment security, research for security of new technology and trend analysis
- Built incident response plans and developed countermeasures for threats of finance like DDoS, Phishing, transaction manipulation
Specialties
- Code review, dynamic testing, building testing methodologies and environments
- Languages: Python, C, C++, PHP, JavaScript and MFC
- Proficiency with security tools like vulnerability scanner, network monitor, web proxy, debugger and other tools
Recently, many kinds of mobile payment have been launched, and they have gained a large share of payment transactions worldwide. As we know, a breach of a payment system is highly dangerous because it could be exploited to steal real money directly.
I have found diverse flaws and vulnerabilities during security testing. Some of them could be used to acquire payment data and to alter transactions. I will talk about the threats to mobile payment and cases of vulnerabilities. I am also going to share how to test the security of mobile payment.
Lun-Chuan Lee has more than fourteen years' experience on network security, including two years in network security lab at his MS degree, ten years at Chunghwa Telecom dealing with incidents and helping customers mitigate the damages, and two years project managing in cloud computing services. He is also an Electrical Engineering, PhD candidate at National Taiwan University, majoring in cloud computing and network security. He was the organizer of Hacks In Taiwan Conference (HITCON) 2012. He promotes HITCON CTF(capture the flag) to an international competition.
Tsai Cheng-Da (蔡政達) aka Orange
Member of CHROOT and security consultant at DEVCORE.
He specializes in web security and network penetration, and has a great interest in vulnerability discovery, exploitation and CTF games! He has published CVEs and vulnerabilities affecting Microsoft, Django, Yahoo and others.
Blog: http://blog.orange.tw/
Facebook: http://fb.com/orange.8361
Tsai Cheng-Da a.k.a. Orange
- CHROOT Security Group Member
- Cyber security consultant at DEVCORE
Orange specializes in the realm of website security and network penetration, and shows great interest in vulnerability mining and exploitation, and ... CTF games! He has published several CVEs and vulnerabilities with regard to Microsoft, Django, Yahoo, etc.
Taiwan has finally earned a ticket to the hacker world cup, DEFCON CTF, this year!
Two years ago, after hearing how the security communities in Japan and Korea had built complete training pipelines for security talent, we decided to spend three years preparing, hoping one day to go to Las Vegas and see the CTF competition for ourselves. This May, a Taiwanese team that had never played a CTF learned the rules and tactics on the fly and unexpectedly won BCTF. We then pulled together outstanding players from all sides and squeezed into the DEFCON finals. In this talk, members of the HITCON team will recount the miraculous journey of 2014, sharing what they learned from Baidu's BCTF, Korea's Secuinside, and finally DEFCON CTF in Las Vegas, and explaining how they approached the challenges, in the hope that more of Taiwan's talented hackers will join us and keep taking on the world.
TippingPoint Solutions Consultant, HP Asia Pacific
Shih Wei-Lung (石謂龍) has worked in IT for over 15 years; his technical background spans ISP network engineering (L2 switching and L3 routing), product management for traffic analysis products (L4 analysis), and security SE and consulting (L7 inspection). He has spent most of his working hours on the customer side assisting with operations and troubleshooting, building up extensive hands-on experience, and has given more than two thousand talks and presentations, conveying practical experience in an accessible way so attendees get the information they need. He is currently a security consultant for HP's TippingPoint solutions in Asia Pacific and Japan, responsible for key customers in the region and assisting with new technology development.
Just as a healthy body must keep viruses out, improving information security starts with preventing computers from being compromised; we will revisit the recent, much-discussed OpenSSL incident to understand zero-day attack techniques and how to defend against them. The loss of important data that IT practitioners worry about is closely tied to botnets lurking inside the network. It is hard to prevent computers from being compromised and joining a botnet, so strengthening monitoring of botnet activity and cutting off its communication channels is the most effective response. Finally, if you manage a network and often find that connection quality alternates between normal and sluggish, the root cause is frequently an unexpected security incident. Faced with increasingly diverse and powerful DDoS threats, bringing in security technology to support network operations is a necessary and immediate step. We will explain how layered filtering can neutralize DDoS attacks.
Shin Adachi has been working on information system security, design, and administration globally, including in the United States, Japan, and Europe.
He currently chairs the Education Committee and is a Program Committee member of FIRST, the Forum of Incident Response and Security Teams, a global consortium for computer security incident responders.
He represents NTT-CERT in the Americas.
He is a member of the CERT Expert Group and the Threat Landscape Working Group of ENISA, the European Union Agency for Network and Information Security.
He has contributed to globally recognized initiatives including NIST SP 500-291, NIST SP 500-293, Asia PKI Innovation Award as the chief reviewer, Liberty Alliance Project, Kantara Initiative, Security and IdM for Next Generation Network for ITU-T, and APEC TEL eSecurity.
He is a Certified Information Systems Security Professional (CISSP), a Certified Information Security Manager (CISM), a Certified Information Systems Auditor (CISA), and a certified Project Management Professional (PMP).
Yoshiki Sugiura has over 10 years' software development experience at a software company (1985-1998).
He has a varied background as a security professional. He was a member of the national computer security team JPCERT/CC from 1998 to 2002. He currently works for NTT-CERT and Inteli-CSIRT (IL-CSIRT). NTT-CERT is the CSIRT for the NTT Group, one of the biggest Japanese telecommunication companies. IL-CSIRT is the CSIRT for NTT DATA Intellilink Corporation, a subsidiary of the NTT DATA Group. He has 15 years' experience in IT security and CSIRTs.
CSIRT stands for Computer Security Incident Response Team. A CSIRT's main mission is to handle computer security incidents. Another mission is collaboration with other teams.
He is a steering committee member of the Nippon CSIRT Association (NCA). NCA is a community for CSIRTs in Japan.
He is a big fan of GNU/Linux systems and wrote some articles in a magazine about GNU/Linux several years ago.
Current computer systems and networks cannot exist without Open Source Software, and even commercial software adopts it as a component of its products. On the other hand, however, a series of recent vulnerabilities found in major Open Source Software generated attacks on the network and concerns in the real world. These vulnerabilities also revealed many different issues which have been overlooked and which cannot be resolved by a silver bullet overnight. But how could Incident Responders or CSIRTs, who respond to Computer Security Incidents every day, contribute in such a situation?
This proposal proposes a presentation by two experts that looks at the current security issues of Open Source Software, using two recent vulnerabilities as examples. We will then discuss and explain a possible model to mitigate the vulnerabilities, or to keep the organization sustainable, and how CSIRTs can contribute, referring to the NIST reference, expecting an audience for HITCON X Enterprise from business enterprises and government or nonprofit organizations who are subject to being targeted. The presentation will also cover various Open Source tools to monitor, protect, and analyze the organizational computing environment. This presentation tries to help users understand how CSIRTs can protect their computer resources based on specific examples and issues.
This proposal assumes 30-40 minutes for the presentation with 10-20 minutes for questions and answers, but is open to suggestions and requests from HITCON.
This is a preliminary proposal in response to the Call for Proposals from HITCON 2014, submitted before its deadline of July 5, 2014. More details such as the presentation slide deck can be provided upon request once this proposal is accepted.
Questions and inquiries are welcome and can be addressed to either of the proposers' contacts.
Founder of the 80sec security team, former security architect at Baidu, and now founder of the WooYun vulnerability reporting platform.
He is the founder of the 80sec security team. He previously worked on security architecture at Baidu and is presently the founder of WooYun (WooYun.org).
Security can hardly be defined purely as a technical problem; we believe that in real environments many other factors affect security. I will share our original motivation for founding WooYun, our practical operating experience, and the understanding of information security we have gained in the process of running it.
John Hultquist leads the intelligence analysis team that tracks cyber espionage threats for iSIGHT Partners' government and commercial clients. His team authored the NEWSCASTER report, which uncovered a three-year Iranian campaign targeting the US and Israel through social networks. He has over seven years' experience covering emerging threats in cyber espionage and hacktivism, having worked in senior intelligence analysis positions in the US government prior to iSIGHT Partners. Before working in the cyber realm, he worked with the ISACs and was involved in counterinsurgency operations in the military.
The systems which run government and business are consistently under pressure from a multitude of adversaries with global origins, disparate capabilities, and a myriad of intentions and motivations. Adversaries differ tremendously in the resources they are willing to devote, their intentions for targeted systems, and their capability to affect these systems. Distinguishing between cyber criminals, hacktivists, and cyber espionage operators is the key to effectively focusing limited security resources in protecting the enterprise.
Enterprises that are regularly targeted must make hard choices about where to focus. An opportunistic cybercriminal may be a threat to a single employee's credit card number, while a cyber espionage operator may be a critical threat to valuable intellectual property. Brand-conscious firms may worry most about hacktivists.
The process of distinguishing between adversaries is complicated by the proliferation of tools as well as tactics, techniques, and procedures, the inherent difficulty of attribution, and the involvement of third parties in adversary operations, but discerning the adversary’s motivation is a first step in drilling down to the fundamental questions of persistence, sophistication, and scope of threat. This talk will cover practical techniques for determining motivation based on historic activity.
Sieng Chye has been working with malware for the last 4 years. His work involves analysing malware threats/trends in APAC, as well as delivering security awareness and training programs for partners/clients.
He serves as a subject matter expert, particularly in APAC malware threats and trends, and has been interviewed by online journalists on a wide range of topics.
Prior to that, he worked in the managed security service industry; helping enterprise and government clients in monitoring and provisioning of security solutions.
ESET started researching a set of malicious software targeting Linux servers in the beginning of 2012. Since then, we have realized that many of these components are actually related.
We soon discovered that one malicious group is currently in control of more than ten thousand servers. They are currently using these resources to redirect web traffic from legitimate websites to malicious content, to send spam messages, and to steal more credentials from users logging onto these servers.
ESET’s research around Operation Windigo is part of a joint research effort with CERT-Bund, the Swedish National Infrastructure for Computing, the European Organization for Nuclear Research (CERN) and other organizations forming an international Working Group.
The number of systems affected by Operation Windigo might seem small when compared with recent malware outbreaks where millions of desktops are infected. It is important to keep in mind that, in this case, each infected system is a server. These usually offer services to numerous users and are equipped with far more resources in terms of bandwidth, storage and computation power than normal personal computers. A denial of service attack or a spam-sending operation using one thousand servers is going to be far more effective than the same operation performed with the same number of desktop computers.
The complexity of the backdoors deployed by the malicious actors shows out-of-the-ordinary knowledge of operating systems and programming. Additionally, extra care was taken to ensure portability, meaning the various pieces of malware will run on a wide range of server operating systems, and to do so in an extremely stealthy fashion.
The Windigo operation does not leverage any new vulnerability against Linux or UNIX systems. Known systemic weaknesses were exploited by the malicious actors in order to build and maintain their botnet.
Our team released the Pangu untethered jailbreak for iOS 7.1.x last month; it supports all iOS 7 compatible devices and is also the first jailbreak tool ever released by a Chinese team. Even after we had gathered all the vulnerabilities needed for an untethered jailbreak, it still took us about two months to finish developing the tool. Since this was the first time we developed an untethered jailbreak tool, we ran into various problems along the way, and we thank everyone who helped us.
In this talk we will mainly discuss the vulnerabilities we found and used in the Pangu untethered jailbreak. We will give details of the code signing bypass, kernel information leak and kernel memory overwrite vulnerabilities, and then show how these bugs are exploited so that the Pangu jailbreak can survive on your iOS devices.
How the Pangu Jailbreak Is Untethered on Your iOS Devices
Frankie is an independent researcher specializing in computer forensics and malware analysis. His current research is APT malware attribution and making use of open source big data to identify possible malicious adversaries.
He is a member of the Information Security and Forensics Society (ISFS), the Professional Internet Security Association (PISA), the International High Technology Crime Investigation Association (HTCIA) and the Honeynet Project, Hong Kong Chapter. He is a part-time lecturer of Digital Forensics classes offered by HKU SPACE and a mentor for SANS Institute's malware and forensics classes offered in Hong Kong. He is also a speaker at Black Hat USA 2014.
Frankie holds a master's degree in ECom/IComp from The University of Hong Kong. He also holds several industry designations, including Certified Information Systems Security Professional (CISSP), GIAC Certified Forensic Examiner (GCFE), GIAC Certified Forensic Analyst (GCFA) and GIAC Reverse Engineering Malware (GREM).
Advanced Persistent Threat (APT) attacks are highly organized and launched over prolonged periods, and generally exhibit discernible attributes or patterns. To keep the command and control (C2) network redundant, the malware is generally embedded with multiple DNS names. An intuitive view is that APT attackers keep and control a high number of DNS-IP address pairs.
We studied a small sample of malware from a specific victim group that had been subjected to APT attacks. Our study indicates that the attackers follow certain behavioral patterns in registering DNS domains and frequently reuse stable DNS-IP pairs. We developed an automated solution to simplify the tasks of collecting and storing this information as a knowledge base for future analysis.
Dongjoo Ha (@ChakYi) is a director of NSHC Pte. Ltd. His main job is finding 0days, and he is interested in security threat research and any fun stuff, even if it is not related to hacking, security or IT. He has worked as a pentester and as a security researcher in malware and network security analysis. He has presented at various hacking and security conferences such as Black Hat, DEF CON, CanSecWest & PacSec, AVTOKYO, PADOCON and POC with his lovely friends. He also enjoys playing Capture The Flag with his awesome friends.
Hyunwoo Choi (@zemisolsol) is a Ph.D. student in the Graduate School of Information Security at KAIST. His research interests include finding vulnerabilities in embedded systems.
Sunyoung Sim (@redhidden) is a security researcher at AhnLab, Inc., a company focusing on AV. She has over 10 years of experience in malicious code analysis, network analysis and vulnerability analysis.
Joobong Cho (@silverbug) is a hacker and security researcher at RaonWhitehat, Inc. He is interested in web hacking, malicious code analysis and vulnerability analysis, including on mobile platforms.
Jisun Kim (@jisunkim272) is a software developer of security products at AhnLab, Inc. She is interested in the security field as a whole and studies it.
Gyeongik Jang (@iksploit) is a security researcher at NSHC Pte. Ltd. His main job is researching malware and 0days. He is interested in mobile vulnerabilities.
With the rapid development of information technology, attackers have become interested not only in ordinary applications but also in various systems such as web, mobile and embedded systems. Consequently, there is an ever-growing number of applications that should be analyzed, and the lack of time and manpower has been one of the biggest problems for defenders. To this end, we present “BinProxy”, an application analysis framework that provides an easy environment for dynamic analysis of applications. Our approach provides web-proxy-like analysis environments for easy analysis, and does not require any analysis tools such as debuggers, decompilers or other reversing tools. Furthermore, BinProxy can be applied to Windows, Linux, Mac or mobile platforms including Android and iOS. In this presentation, we show several techniques for implementing BinProxy and demonstrate some use cases. We believe that our framework addresses the lack of time and manpower and presents a new paradigm for program analysis.
Pei, Wei-Wei (裴偉偉) is both the team lead and a lab researcher at IDF Lab. He first developed his interest in information security in 2007, and worked at Zondy Cyber and Digital China on software development and big data processing and analysis. Later he joined IDF Lab and devoted himself to security service project management, system and application security research, and team management. He has served several times as security service project manager for foreign-owned and joint-venture enterprises.
As the arms race between malware authors and AV vendors escalates, claims that AV is dead are heard everywhere. At the same time, the arrival of the APT era has many vendors and individuals fixated on the "Advanced" in "APT", while consumers find themselves helpless prey in this technical contest. With AV being declared dead, what can information security practitioners and enthusiasts do? What are the malware trends in the consumer space, and how should AV vendors respond to them?
Guide Wang (王基旆) founded THE Technology Inc. in 2009 and now serves as its general manager; he is also an executive director of the Taiwan Internet Association (台灣網站防護協會).
He received a bachelor's degree in Computer Science and Information Engineering from NCTU (National Chiao Tung University) in 1994, and an EMBA from the same school in 2013.
During his college years (1990~1994) he studied UNIX-like systems such as FreeBSD, NetBSD and Linux, and was proud to be among the first generation of hackers and Internet geeks in Taiwan. While still in school he translated and (ghost-)wrote many computer books: PC Hardware DIY, Internet DIY, UNIX API, etc. One of his well-known translations is "深入Windows Socket程式設計", the Chinese edition of "Advanced Windows Socket Programming" published twenty years ago (under the pen name Wang, Yuan-Fan), which helped promote early Windows network programming in Taiwan.
Cloud computing lets users log into systems remotely from smart devices (PCs, tablets, smartphones) and access data and services stored in the cloud at any time. In an era where hackers are everywhere and seemingly omnipotent, they most often use keylogging, network sniffing and similar techniques to capture end users' account names and passwords, log into cloud systems under a stolen identity, and steal or destroy an enterprise's or organization's valuable data and servers, with serious consequences. Focusing on authentication and login security for cloud computing and networked computer systems, this study takes the software input protection systems currently used by online banks in South Korea and mainland China as examples, analyzes their weaknesses, discusses the problems they face, and proposes practical ways to improve them.
Threat Solution Team, Incident Response Team, Trend Micro. An APT researcher in Taiwan with about 6 years of IR experience, focusing on forensic analysis, reverse engineering, and some simple exploit code writing. I like the sense of accomplishment after solving problems, and also like watching movies and eating cookies.
Many real-world cases in Taiwan show that backdoors play a very important role in APT. Beyond controlling a computer after an attack is launched, attackers also use them for intrusion and lateral spread within the internal network. A backdoor must first establish a network connection before the remote attacker can control it. Looking at the APT backdoors that attack Taiwan from the angle of network connections, this talk studies how backdoors bypass various blocking methods and how they have evolved; the exact order in which these techniques appeared can no longer be established. The talk will also examine in detail the methods and tricks used in Taiwanese APT cases, applying IR and forensic methods to study how attackers design their backdoors and traffic, and organize the findings from the perspective of security defense, revealing some of the attackers' ingenuity.
Chen Zhang (@demi6od) https://github.com/demi6od
Shanghai Jiao Tong University / Information Security: 4 + 3 years
NSFOCUS Security Team / Security Researcher: 2+ years
Research Interests:
- Browser security
- Vulnerability analysis, discovery and exploit
- APT/0 day detection R&D
Smashing The Browser - From Vulnerability Discovery To Exploit
Part 1: Browser Fuzzing Technology
I introduce a fuzzer framework developed by myself, as well as the fuzzing strategies behind it. Based on the series of vulnerabilities found by this fuzzer, I summarize several effective fuzzing ideas and the corresponding vulnerability characteristics.
Part 2: Advanced Browser Exploit Technology
I briefly introduce the security model of modern browsers and the contest between exploits and mitigations, then analyze the heap management mechanisms and their defects in Google Chrome and IE 11, together with some highly exploitable data structures. Based on this, I analyze advanced exploitation techniques for the two browsers, including two novel exploitation techniques for Google Chrome, one of which is not limited by the sandbox (Demo). Finally, I summarize the dilemmas of the ASLR and DEP mitigations.
Part 3: IE 11 0day Exploit Development
Starting from an IE 11 use-after-free vulnerability found by my fuzzer, I share the whole exploit development process from triggering the vulnerability to arbitrary code execution, together with all the related techniques and tricks (Demo).
Finally, I bring a special, interesting and undisclosed IE 11 0day (not affected by Isolated Heap or Protected Free) to HITCON as a gift and a challenge :)
Captain Kelvin (a.k.a. Forensics Ninja) works in a law enforcement agency in HK and has over ten years of experience in computer forensics and investigation. He has delivered a ‘Network Forensics’ workshop at DFRWS EU 2014 and CeCOS VIII, presented a ‘DDoS’ research study at DEF CON 20 and AVTokyo 2012, and published the research paper ‘Facebook Forensics 2011’, which he presented at HTCIA (APAC).
The rapid growth in the use of Mac OS X requires forensics researchers to analyse devices such as the iPad, iPhone and Mac in depth. OS X forensics really started with Jonathan Zdziarski in 2008, but soon became widespread, with most of the research and training focused on file system analysis. There are a number of tools available to analyse OS X, e.g. Volatility, Volafox, Memoryze for Mac, Mac Memory Reader, MacLockPick and Rekall; however, analysing Mac memory can be complex and disconcerting to the novice. In this article we attempt to demonstrate a fast-track method of Mac memory forensic analysis by studying the evidence left by a very popular Chinese social networking application, ‘WeChat’. Such applications provide not only a smartphone version but also a desktop version, so we cannot ignore the possibility of evidence in either the file system or the memory of a desktop machine. Memory analysis is an important intersection; therefore, in this article we examine the memory dump of a Mac machine, through acquisition, process analysis and data collection, using the example of WeChat running on OS X.
Daoyuan Wu has a research master's degree from Hong Kong Polytechnic University, focused on vulnerability discovery in mobile security.
- His main achievements include the detection of Android Content Provider Vulnerabilities, Exposed Component Vulnerabilities, FileCross attacks and Android Remote Code Execution Vulnerabilities.
- He has reported several serious vulnerabilities in mainstream apps, including Firefox, Evernote, Yandex, Baidu, Tencent, Alibaba, 360, UC and Maxthon, and has received several bug bounty rewards.
In this talk, we conduct an empirical study to explore the feasibility of automatically generating exploits for vetting component hijacking vulnerabilities in Android apps. Our study takes our hands-on exploit analysis of several real vulnerable apps as its basis, and reflects the findings back into high-level analysis. Through this process, we identify several challenges that need to be addressed for a robust exploit generation technique, some of which are pinpointed here for the first time. In particular, we believe one challenge is nearly impossible to tackle automatically if no pre-prepared domain knowledge is involved. Overall, an automatic, accurate and efficient solution for generating component hijacking exploits still leaves plenty of room to explore.
Chris Liu is a member of the security team at Rakuten, Inc., a Tokyo-based e-commerce company. His passion is reverse engineering and malware analysis, but he is currently conducting security assessments and penetration testing for web and mobile applications. He is currently involved in building automated tools for both web and Android vulnerability assessment and sometimes does malware analysis for Japanese banks. Mr. Liu is also working as a guest researcher at a Japanese university while giving lectures to the new minds of future security pioneers.
Matthew Lionetti is a member of the security team at Rakuten, Inc. Although an experienced web application and network penetration tester, Mr. Lionetti is currently in charge of creating coding guidelines and implementing Android vulnerability assessment automation in the development lifecycle at Rakuten. Off work, Mr. Lionetti enjoys playing lead guitar for his metal band and bug hunting while drinking beer.
Vulnerability assessments for mobile applications are boring as hell; since when did we start living in a world where storing credentials inside the sandbox became a crime? There's simply no excitement left except for the web APIs being called, so it is time to step up and change that. Hereby we propose the very first interactive proxy that runs inside your Android device. With this novel transparent proxy tool, not only can we test browser content on the go, but also mobile applications that utilize web APIs (which application doesn’t, right?). This proxy gives you the ability to modify requests and responses on the fly and to act as a fuzzer, either actively or passively.
The main highlight of this proxy is not the proxy itself, but its use of overlays in Android. This allows a user to have a fully interactive proxy overlaying a web browser or application without the need to constantly switch between activities. The overlay can be called up or minimized with a single touch when needed without affecting the already running activity, thus removing the need for a secondary device.
So why waste your time setting up devices to run your proxy tool when you can do your scans on the bus or while trying to beat your last high score in Flappy Bird? Join us, because we will be penetration testing Android in style.
Tsai Cheng-Da (蔡政達), a.k.a. Orange
- CHROOT Security Group member
- Cyber security consultant at DEVCORE
Orange specializes in web security and network penetration, and has a great interest in vulnerability discovery, exploitation and also CTF games!
He has published several CVEs and vulnerabilities concerning Microsoft, Django, Yahoo and others.
Blog: http://blog.orange.tw/
Facebook: http://fb.com/Orange.8361
The Sticky Keys backdoor is said to be a backdoor with Chinese hacker characteristics, and to keep from being discovered, this type of backdoor has developed many creative ways of hiding itself.
This talk will cover the development of Sticky Keys backdoors, how they hide, and some interesting cases. Since the goal is to detect this type of backdoor at the protocol layer, the talk will also discuss the protocols and implementation behind Remote Desktop, from Protocol Negotiation, Key Exchange and Encryption to the exchange of commands and data between server and client.
Finally, I will present my own solution: how to implement detection at the protocol level, the many difficulties and challenges encountered during implementation, and how they were solved.
Wen-Juin Hu (a.k.a. MindMac) is currently pursuing his master's degree at Xi'an Jiaotong University. His research mainly focuses on Android malicious code detection and Android application analysis. He developed SandDroid (an automatic Android application analyzer, http://sanddroid.xjtu.edu.cn) and AndroMalShare (an Android malicious code sharing system, http://202.117.54.231:8080). He gave security-related talks at xKungFoo 2012 and xKungFoo 2013.
Building on Android emulator detection techniques of recent years, this talk designs and implements the identification of emulator-detection behaviour in Android applications. Testing against a large volume of real-world data shows that emulator detection is very widely used. Since the vast majority of automated Android analysis systems are built on the Android emulator, detecting anti-emulator behaviour and building more realistic emulators is of great significance. Based on the different emulator-detection methods, and aiming for convenient development, high customizability and easy deployment, this talk proposes targeted countermeasures.
In short, this talk attempts to answer the following questions:
- How can we determine whether an Android application has anti-emulator behaviour?
- In the real world, what proportion of applications perform emulator detection? Which techniques do they use? What is their purpose in detecting the emulator?
- How can we build a more realistic emulator that convinces applications they are running on a real device?
Shih-Hao Hung and Wen-Chieh Wu. DroidDolphin: a Dynamic Android Malware Detection Framework Using Big Data and Machine Learning. In Proceedings of the 2014 Research in Adaptive and Convergent Systems (RACS '14). ACM, New York, NY, USA
Smartphones are getting more and more popular nowadays, with various kinds of applications that make our lives more convenient. Unfortunately, as the number of applications grows, malicious applications, also known as malware, arise as well. A user is often tempted into installing malware without any awareness, and the malware steals the user's personal information. Some malware sends SMS messages or makes phone calls, which result in additional charges. Thus, malware detection is critical to protecting smartphone users.
This talk is about a dynamic analysis framework to detect Android malware that leverages machine learning techniques. We will introduce how we obtain the information from Android packages and the machine learning features, with a demonstration. Feel free to join us and enjoy the talk.
Lance Chen has just graduated from the Institute of Computer Science and Engineering, NCTU, and is looking for his first job. Lance is trying to become an open source contributor instead of just a user by contributing bug fixes to popular open source projects. Lance has been a part-time system and network administrator at the Computer Center, Department of Computer Science, NCTU for four years, and enjoys dealing with system/service problems and bringing in popular technology.
CRAX stands for CRash analysis for Automatic eXploit generation. CRAX aims at generating software exploits automatically by analyzing software crashes with symbolic execution. CRAX focuses not only on Linux/Windows applications, but is also taking steps toward web techniques (XSS and SQL injection) and mobile platform (Android) hacking.
- Hacker attack techniques, digital forensics process, App security testing, and App development.
Experience:
Worked in the Information Security Operations Division of Acer's Information Security Systems Department (2013)
- handled forensics for information security incidents
- developed ArcSight FSA
- conducted testing of the ArcSight Agent
Programming skills:
- Python, HTML5, Objective-C, C#, PHP, ASP.NET, JavaScript, SQL
In recent years, the rise of mobile devices and all kinds of apps has changed users' daily behaviour and working habits. According to a report by Appthority, 95% of the 100 most popular mobile apps leak users' private information, and the number of apps in the iOS App Store has passed one million, so the security of iOS apps has drawn attention. Taking apps on the iOS platform as an example, this study uses the OWASP Top 10 Mobile 2014 RC1 as the reference standard for mobile application security testing, combined with free testing tools, to actually check the security of the popular public-service apps currently provided by the government.
Keen Team is the security research team founded by 棋震(上海)雲計算科技有限公司. The team is dedicated to finding security flaws in, and helping to fix, "the best products made by the best programmers using the best security engineering methods". Over the past several years it has submitted hundreds of "critical"-level security vulnerabilities to globally known vendors such as Microsoft, Apple and Google, and it is the team that has discovered and reported the most security vulnerabilities worldwide. Keen Team won three championships at Pwn2Own, the top international security contest, in both 2013 and 2014, becoming the first world-class security research team in Pwn2Own history to break both desktop and mobile operating systems. Currently, the security of cloud online services and of mobile smart devices are Keen Team's main research directions.
Since Use-After-Free vulnerabilities in Internet Explorer have increased sharply in recent years, Microsoft introduced Isolated Heap and Memory Protector in June and July. These two new mitigations make exploitation more difficult than before, but there are still possibilities to bypass them. This talk will first present the design and implementation of Isolated Heap and Memory Protector. Then we will cover fuzzing issues. Finally, we talk about countermeasures against the two new mitigations.
Chien-Chung Huang is currently pursuing his master's degree at National Tsing Hua University. He is a Linux enthusiast, and his research mainly focuses on operating system security.
Researchers who work on memory bugs (such as buffer overflows) and API hooking deal with debuggers all the time. But when the debugger lacks a feature you want, for example finding the address of a particular instruction or value in memory, or intercepting a function to observe its run-time behaviour, is there an automated way to achieve it?
All of these features require handling low-level memory details, and C may come to mind, but if we also want fast development, C may not be a good choice. Is there a language that allows rapid development yet can still handle low-level memory? Here Python is a good choice.
This talk looks at Linux (Intel x64) and introduces how to use Python to solve or automate problems that system security researchers commonly encounter. It first writes several memory-handling building blocks in Python and then, like a jigsaw puzzle, combines them to meet common needs such as:
- code injection (writing code into a target process's memory)
- memory search (finding the address of a specific instruction or value in a process)
- dynamic library function hooking (intercepting functions)
With the convenience of a high-level language like Python, we can still handle the system's low-level memory details and work more efficiently.
Li, Meng-Han (李孟翰), a.k.a. dm4, threw himself into the realm of information security a few years ago after a friend introduced him to wargames.
- Secuinside CTF Final 2014: 8th place
- HITCON Wargame: 2011 3rd place, 2012 1st place, 2013 1st place
- Golden Shield Contest held by ICST (Information and Communication Security Technology Center): 2012 3rd place, 2013 1st place
AirPlay is an Apple transport protocol for wirelessly streaming music, photos and video from iOS or OS X to an Apple TV, including mirroring the iOS screen to the Apple TV display.
In order to intercept the screen data of AirPlay screen mirroring, I studied the AirPlay screen mirroring protocol and, with reference to software that currently supports AirPlay, successfully implemented the AirPlay key exchange and the encryption and decryption of the mirroring stream.
I then found that during AirPlay the iOS side has no adequate authentication mechanism to guarantee that the connection target is a genuine Apple TV. An attacker can therefore trick the iOS device into connecting to the attacker, decrypt the streamed screen, and then establish an AirPlay screen mirroring connection with the real Apple TV, intercepting the entire screen without the user noticing: a man-in-the-middle attack.
Charles
Charles is a security researcher focused on cyber threat tracking and malware analysis at Team T5, a Taiwan-based security company. Team T5 has more than 10 years of experience in threat research, especially in the Asia-Pacific region.
Working Experience:
- Trend Micro, Senior Engineer , 2012/07-2013/02
- Team T5 , Senior Researcher, 2013/03-Now
zha0
Working Experience:
- Trend Micro, Senior Engineer , 2012/06-2013/01
- Team T5 , Senior Researcher, 2013/02-Now
Presentations:
- Virus Evolution – HIT 2006 (Hacks in Taiwan)
- Owned Kiosk – HIT 2010 (Hacks in Taiwan)
APT has been a topic for decades, and it is usually discussed in an aura of mystery, panic and unfathomable depth.
In fact, APT is just one part of the cyber warfare currently being waged around the world, a war without the smell of gunpowder. Behind any war there are people; they may be called cyber armies, state-sponsored hackers or ghosts in the network, and have become a kind of taboo symbol. In Team T5's tracking of network attacks and analysis of malicious samples, we have seen some APT attackers make many stupid mistakes while attempting their attacks: malicious documents that fail to build, backdoors with bugs that crash, private files accidentally packaged into samples and sent out... Our talk will present these cases, which we call APT Fails, and look at APT from an angle different from the usual one.
After seeing these cases, you will realize that the attackers hiding behind APT are just ordinary people who make mistakes like you and me.
HP Asia Pacific TippingPoint Solutions Consultant
石謂龍 has worked in IT for over 15 years; his technical background includes ISP network engineering (L2 switching and L3 routing), traffic analysis product design as a PM (L4 analysis), and security SE and consulting (L7 inspection). Most of his working time has been spent at customer sites assisting with operations and troubleshooting, accumulating rich hands-on experience and a record of over two thousand talks and presentations, with the ability to convey practical experience clearly so that attendees get the information they need. He is currently a security consultant for HP's TippingPoint solutions in Asia Pacific and Japan, responsible for key customers in the region and assisting with new technology development.
For the body to stay healthy, viruses must be kept out. Likewise, improving information security starts with preventing computers from being compromised, so let us revisit zero-day attack techniques and the ways to defend against them through the recent, much-discussed OpenSSL incident. The loss of important data, which IT practitioners care about, is closely tied to latent botnets inside the organization. It is hard to prevent computers from being compromised and becoming part of a botnet, so strengthening the monitoring of botnet activity and cutting off its communication channels is the most effective response. Real cases will be used as illustrations, and the HP 2013 Cyber Risk Report will be shared.
CCIE, CEH, CISSP and CISA holder with 7 years of experience in information security and ISP core networks. Specialized in malware analysis and reversing, and in computer forensics. Designs and implements large-scale, complex multi-vendor networking and security environments, with several years of experience managing teams and research projects. Manages internal IT security and ISO 27001 compliance audits. Strong research background: book authoring, professional training, and proposing and participating in RFC Internet standards (BGP, TCP and DDoS). Research interests in DDoS, network communication technologies, distributed computing and Internet anti-cheating.
The most challenging part of DDoS mitigation is not just identifying which requests are legitimate, but further identifying how legitimate they are by detecting randomness - there are bad humans as well. By combining multiple factors from the request headers and the relationships among requests, even advanced attacks that pretend to be real humans can be identified with simple detection methods.
Additional information
Format: Presentation + short demo
TOC:
- About random: what a random number is and how they are generated
- Some random application design and applications of randomness
- Detecting anomalies from randomness
  - IP layer
  - TCP layer
  - Application layer
- Combined - mitigating 'random' attacks
  - multi-layers
  - statistical analysis
  - baselining
  - user behavior
- Visualizing randomness
  - Convert random attacks into pictures and songs [demo]
  - Reverse-convert regular pictures and songs into random attacks [demo]
  - Finding the patterns from random visualization
Hsien-De Huang (aka TonTon) has started working at Verint Systems (Taiwan) Ltd., and his major research interests include malware behavioral analysis, data mining, type-2 fuzzy logic systems, and ontology applications.
He received his M.S. degree from the Department of Information and Learning Technology (ILT) of the National University of Tainan (NUTN), Tainan, Taiwan, in 2008. Since 09/2010 he has been a Ph.D. student (advisor: Prof. Hung-Yu Kao) in the Department of Computer Science and Information Engineering (CSIE) at National Cheng Kung University (NCKU), Tainan, Taiwan. He was also a visiting Ph.D. student under Prof. Hani Hagras (co-advisor: Prof. Chang-Shing Lee) from 10/2011 to 05/2012, supported by the NSC research project "2010 Initiative Research Cooperation among Top Universities between UK (CSEE, Univ. Essex) and Taiwan: Type-2 Fuzzy Ontology Model and Its Applications".
From 11/2008 to 09/2011 he served his military Research and Development Substitute Service as a project assistant researcher at the National Center for High-Performance Computing (NCHC), National Applied Research Laboratories (NARLabs), Tainan, Taiwan. He was also a Senior Security Engineer (01/2014~07/2014) at Acer e-Enabling Data Center (Acer eDC).
In 2009 he developed a malware behavioral analysis tool, Taiwan Malware Analysis Net (TWMAN), and re-developed it as Malware Analysis Network in Taiwan (MAN in Taiwan, MiT) on 12/12/2012. If you are interested in MiT and want further information, please visit http://MiT.TWMAN.ORG.
Hackers continuously develop novel techniques to intrude into computer systems, so security researchers must analyze and track new malicious programs to protect the sensitive information on those systems. Malicious software (malware) is therefore an important threat and one of the biggest problems in modern post-industrial society. In this paper we introduce an architecture created for malware analysis with an automated, dynamic physical-virtual environment and an adaptive malware behavioral knowledge base approach: Malware Analysis Network in Taiwan (MAN in Taiwan, MiT, http://MiT.TWMAN.ORG). We have integrated several open source network software packages to improve the results produced by our methodology. The core techniques of MiT are as follows: (1) automatically collect the relevant logs on different operating systems to extract malicious behavior information (Volatility, INetSim, etc.); MiT is also able to automatically restore and provide sample reports via the cloud storage mechanism (Clonezilla, ownCloud); (2) integrate cloud computing technologies (Apache Hadoop, Nutch and Solr) to mine the malware behavioral information and construct domain knowledge of malware behavior. Experimental results show that the proposed approach can effectively carry out malware behavior analysis, and the constructed system has been released under the GNU General Public License version 3.
Alan has worked as a developer and security analyst. He has years of experience in software development, penetration testing, investigation and incident response. He is keen on security research, particularly web application security, forensics, tool development and CTF.
He holds the SANS GWAPT certification, wrote the research paper "SANS Gold Paper - Website Security for Mobile", and has spoken at the following conferences:
- Speaker @ CeCOS VIII (APWG) 2014 – Best Practice in Network Forensics
- Speaker @ DFRWS EU 2014 - Network Security KungFu
Digital forensics investigators face various daily challenges because a large variety of high-tech cybercrimes are reported, for instance APT, hacking, ransomware and DDoS. During an investigation, investigators focus on reverse engineering the malware, illustrating its behaviour and conducting packet analysis to deal with any credential leakage and the pattern of the network attack. They often concentrate only on the evidence itself, and seldom draw out, or have difficulty drawing out, the whole picture of the incident by correlating the seized or acquired evidence for intelligence purposes. All relevant data from seized media should be utilized and analyzed, and later transformed into intelligence so as to build a profile of the potential suspect with his corresponding attributes.
Based on the principles of the Zachman Framework, we propose and design an Investigation and Intelligence Framework, an automated mechanism to identify the potential suspect at an early stage for ease of further investigation, correlating evidence to oversee the entire picture of the cybercrime. Our framework adopts four of the intersections, i.e. When, Where, Who and How. These 4W of an incident should be the factors of concern no matter what type of cybercrime has happened. To fulfill this 4W concept, related artifacts including timeline, location, identity and attack path are recognized at an earlier phase, so investigators can tackle cybercrimes more successfully.
A tool has been developed to demonstrate the framework, correlating evidence and intelligence in order to provide a big picture of the cybercrime story and make investigation more effective.
Rushikesh Nandedkar
- An EC-Council Certified Ethical Hacker (CEH) with more than 5 years of Experience in information security encompassing a tenure as a technical expert and information security trainer at Cyber Crime Cell, Pune Police.
- Offensive Security Certified Professional (OSCP) (In Process).
- ISTQB Certified Tester.
- Invited as a speaker at HITCON 2014, nullcon ’14, National Conference on Computing, Communication and Security ‘13.
- Earned Best Paper Award (Second Position) in National Conference on Computing, Communication and Security ‘13.
- Published research and survey papers in international journal and conferences.
- Media Presence:
  I. http://www.indianexpress.com/news/cyber-theft-of-bank-accounts-rising-rs-42-lakh-lost-in-a-week/1172807/
  II. http://www.indianexpress.com/news/theatre-academy-s-website-hacked–pak-zindabad–message-posted/1179348/
- Excellent knowledge and proficiency in information security and tools.
- Upholds sound knowledge on penetration testing, vulnerability assessment, open wireless network security, OWASP top 10 and other methodologies.
- Adept in grasping new methods, technology & industry trends with proven abilities in acquiring new technical concepts to be utilised in an effective way.
- An effective communicator, quick learner. Upholds strong relationship building & interpersonal skills.
- Endowed with good analytical, problem solving & organizational abilities.
Amrita Iyer
- ISTQB Certified Tester with 6+ years of experience, focused on software testing that delivers quality deliverables meeting client expectations for various business applications in the IT industry.
- Experience working with various software development methodologies including Agile, Iterative and Waterfall.
- Expertise in end-to-end Testing, Functional testing, Integration testing and Regression Testing.
- Experience in Database testing, GUI, Compatibility and Smoke testing.
- Experience in working on Unix platform (AIX).
- Expertise in Web based testing and possesses sound knowledge of Web architecture.
- Sound knowledge on RDBMS concepts.
- Hands-on experience in database testing and security testing, and possesses good data analysis skills.
- Experience in testing web based applications as well as client server applications.
- Well versed with STLC and bug life cycle.
- Abilities in handling multiple priorities, with a bias for action and a genuine interest in professional Testing.
- Effortless time management.
- Escalates issues constructively, since small details are the foundation of quality.
- Personal skills include excellent communication, a strong sense of organisation, effective time management and the ability to work in a team as well as independently.
- A quick learner who can swiftly adapt to new challenges.
Wireless networks are everywhere nowadays. They fit the needs of the public so well that they have become an inseparable part of daily life. With this convenience came some drawbacks as well. To name a few: the physical location of a wireless host is difficult to trace, and the coverage perimeter of a wireless network cannot be restricted to exact geographical boundaries.
Drawbacks like these pave the road for an attacker to intrude into wireless networks.
An Evil Twin attack is one in which a malicious user spoofs the identity of a legitimate access point and creates an Evil Twin (a fake access point) that lures the legitimate access point's users into connecting to it. Once they are connected, the attacker is in a position to launch a wide array of attacks on the users.
We focus on the one who suffers, "The User", and on one specific attack, the "Rogue Access Point".
Our talk addresses rogue access points in open wireless networks, techniques for detecting them from the ordinary user's side, an excursion on tethered WiFi hotspots, incognito wireless networks (not hidden wireless networks), etc.
Professor Li-Ping Chou currently teaches in the Department of Computer Science at Chinese Culture University. His research focuses on RFID, citizen digital certificates (自然人憑證) and cloud security. He gave a keynote at HITCON 2012, and several of his graduate students have since graduated with theses on this topic, each covering both theoretical and practical attacks. Professor Chou has particular insights into the Mifare Classic series of smart cards used worldwide, and is currently working with domestic and international experts to challenge the security of the improved smart cards. In his talk he is expected to reveal weaknesses and little-known secrets of such cards at home and abroad, and he will also share his views on security issues in cloud computing.
This talk continues the HITCON 2012 topic as Cryptanalysis in Real Life II and covers the following:
- An in-depth look at RFID security, proposing a potentially effective attack against the new EasyCard (悠遊卡). The weakness of EasyCard is not only that its stream cipher is flawed; the more fundamental cause is that the Mifare Classic authentication mechanism itself hides a security defect. We therefore apply Hitag2, also a stream cipher, to the Mifare Classic authentication mechanism and, using an algebraic differential attack, analyse and compare it with the two earlier attacks on Crypto1, showing that algebraic differential attacks are damaging to both stream-cipher designs.
- The latest theoretical advances in cloud security, including Fully Homomorphic Encryption, Program Obfuscation, Dark Mail and so on, and their far-reaching implications for future applications.
Zhangqun Chen is a former moderator of the Pediy (看雪) forum with in-depth expertise in PC reverse engineering. He was responsible for a PC unpacking module and for Kingsoft's KVM cloud back-end automatic virus identification system. He has also studied virtual machines and data mining, and now works at Cheetah Mobile on security research and hot-topic security incidents. He has a profound understanding of mobile security and the malware underground industry.
This talk explains WiFi intrusion attacks against BroadLink wireless power sockets and other wireless home devices.
Chen, Zhong-Kuan is a PhD student at the NCTU DSNSLab. He is passionate about information security and frequently takes part in domestic and international security competitions. His research interests include malware, reverse engineering, virtual machines and digital forensics, and he has been involved in several malware-related research projects and information security programmes.
As malware attack techniques become ever more sophisticated, dynamic analysis has become an indispensable analysis method. Malware, however, tries to evade this kind of analysis by using anti-debug and anti-VM techniques to bypass the virtual machine. This session briefly introduces how virtual machines work, builds a malware analysis platform on top of a virtual machine, and monitors and debugs programs in an "out-of-box" manner. Finally, it explores how to detect and defend against anti-debug and anti-VM techniques.
Senior Engineer at Taiwan Mobile
- Penetration Testing
- Security Incident
- Malware Analysis
- Vulnerability Research
Engineer at Acer
- Security Health Check
- Malware Analysis
- Computer Forensics
- Penetration Testing
Outline
In recent years, the disclosure of network vulnerabilities, together with improved attack techniques, has brought an ever-growing number of automated attack tools, so that attack techniques once reserved for highly skilled hackers can now be used easily even by entry-level script kiddies, forcing enterprises to take the risk of new vulnerabilities seriously. This talk analyses and evaluates the impact of network vulnerabilities from an enterprise perspective, and shares how security engineers use domestic and international vulnerability disclosures to assess the impact of a vulnerability on the enterprise, then formulate response measures and defensive countermeasures to reduce the risk of data leakage.
Agenda
- Overview of the current information security landscape
  - Last year's vulnerability reporting rate
  - Product vulnerability statistics
- Overview of recent major vulnerabilities
- Discovering new vulnerabilities
  - How to collect information on new vulnerabilities
- Filtering for significant vulnerability information
- Assessing the impact of vulnerability risk on the enterprise
  - Analysing the root cause of a vulnerability
- Determining the scope of impact on the enterprise
  - Response and prevention measures
- Conclusion
Canaan has worked on the development of network intrusion detection systems since 2001, mainly at Broadweb (威播科技; acquired by Trend Micro in 2013). While pursuing his PhD part-time he was the main executor of the Ministry of Education's Anti-Botnet programme, and he has also organised several editions of the Workshop on Understanding Botnets of Taiwan (台灣區 Botnet 偵測與防治技術研討會).
For many years our analysis of botnet network behaviour has focused on post-incident analysis after an intrusion or attack has occurred. By collecting malware samples and malicious network traffic broadly we can precisely work out a malware's communication protocol and its C&C servers, and this approach does effectively find previously undetected victims on the internal network. Its effect on stopping new or unknown attacks is limited, however, because it is not easy to know precisely how the bot or malware got onto the host. Was it through an unknown 0-day vulnerability? An e-mail attachment? Or a BYOD mobile device carried in? For the intrusion path that goes over the network, is there any way to gain some awareness before the attack, so that we genuinely have a chance to stop a host from becoming a bot, rather than only detecting which hosts have already become bots?
Consider a scenario: our phone is first infected by some malware whose purpose is to break into a particular brand of NAS in our home and then extort money from us. When we bring the infected phone home, and assuming it cannot tell from the phone's settings whether that brand of NAS is present, how does it find out? The simplest way is to port-scan the internal network, confirm the target's IP and service port, and then start the attack; if the attack technique is also a 0-day, it is very hard to notice. If we can precisely identify the unusual port scan, we have a chance to stop the attack.
In this session we therefore introduce the port scanning techniques, including vertical scans, horizontal scans and Internet scans, together with the related detection methods, including IDS/IPS-based and honeypot-based approaches, and analyse their reaction time and feasibility. We also share, for reference, statistics from a hidden honeypot-based port scan detector that has been running from 2009 to the present: whatever hits a hidden port scan detector usually has the intent of exploring our network at scale, and it is worth asking whether such large-scale exploration shows noteworthy characteristics around the time of certain security news or incidents. Finally, the related port scan detection code will be released.
A senior technical consultant at MobileIron with more than ten years in IT, focused on the development of Mobile IT. He helps enterprises quickly address the management challenges of BYOD, raise the satisfaction of mobile workers, reduce the cost of managing corporate mobile devices and ensure service availability, so that enterprises can rapidly adopt and effectively manage Mobile IT and its corresponding security. He has taken part in the design, planning and deployment of several medium- and large-scale Mobile IT projects.
With the widespread use of smart mobile devices inside enterprises, the security and protection of the corresponding business applications and their data has drawn great attention and discussion. Here we introduce the strategies and solutions of MobileIron, a leading Enterprise Mobility Management (EMM) platform vendor.