Brian Gorenc on the topic “Modern Day Entomology - Examing the Inner Workings of the Bug Bazaar”.

•Download as PPTX, PDF•

0 likes•149 views

HackIT is an annual cybersecurity conference that gathers the best technical researchers and top players in the cybersecurity industry to explore cutting-edge technologies together. In 2018, HackIT focused on the use of blockchain technology. Join our community: Website - https://hacken.live/hackit-slideshare Twitter - https://hacken.live/twitter_hackit Facebook - https://hacken.live/facebook_hackit Instagram - https://hacken.live/instagram_hackit Reddit - https://hacken.live/reddit Telegram community - https://hacken.live/tg-hackit #hackit #cybersecurity #blockchain #hacking

Modern Day Entomology
Examining the Inner Workings of the Bug Bazaar

2 Copyright 2018 Trend Micro Inc.
Director of Vulnerability Research at Trend Micro
Leads the Zero Day Initiative
Organizes Pwn2Own
Approver of Payments
Past Experiences
Lead Developer at Lockheed Martin
Bug Hunter
Past research:
Microsoft Bounty submission
Patents on Exploit Mitigation Technologies
Bug hunting in many products
Twitter: @MaliciousInput
Brian Gorenc

4 Copyright 2018 Trend Micro Inc.
How it works
Trend Micro Customers Protected Ahead of Patch
Other Network Security Vendor’s Customers at Risk
Vulnerability
submitted to the
ZDI program
Vendor Notified
Digital Vaccine®
Filter Created
Vendor Response
Window
Vulnerability is
Patched or
Remains Unfixed
Public Disclosure

6 Copyright 2018 Trend Micro Inc.
Economy in Action
Researchers
Finds Bugs
Bug Bounty
Program
Report to
Vendor
Sell Report
$1K - $25K
Signatures
Exploit Kit Creator
$10K - $100K
Vuln Broker
Government
$10K - $1000K
$10K - $1000K
Bot HerderBotnet Creator
Compromises PCs
Sells Kit Rents Botnet
Spammer DDoS Extortion Credential
Harvesting
Smart Criminal Make
One Big Purchase
Sells Stolen Creds
Dumb Criminal Buys
Beer & Chips
Re-Sells Stolen
Creds
Used
Against??

7 Copyright 2018 Trend Micro Inc.
0
100
200
300
400
500
600
700
800
900
1000
Qtr4
2013
Qtr1
2014
Qtr2 Qtr3 Qtr4 Qtr1
2015
Qtr2 Qtr3 Qtr4 Qtr1
2016
Qtr2 Qtr3 Qtr4 Qtr1
2017
Qtr2 Qtr3 Qtr4 Qtr1
2018
Qtr2
Active economy

9 Copyright 2018 Trend Micro Inc.
Global economy

10 Copyright 2018 Trend Micro Inc.
Highly-deployed software submissions

11 Copyright 2018 Trend Micro Inc.
SCADA submissions

12 Copyright 2018 Trend Micro Inc.
Lessons learned from Hacking Team

13 Copyright 2018 Trend Micro Inc.
Lucrative business

14 Copyright 2018 Trend Micro Inc.
How to buy 0-day: Consultancy Services

15 Copyright 2018 Trend Micro Inc.
How to buy 0-day: Vulnerability Brokers

16 Copyright 2018 Trend Micro Inc.
Payments and Pay Schedules

17 Copyright 2018 Trend Micro Inc.
Exploit Inventory

19 Copyright 2018 Trend Micro Inc.
0
5
10
15
20
25
30
35
40
Qtr1
2011
Qtr2 Qtr3 Qtr4 Qtr1
2012
Qtr2 Qtr3 Qtr4 Qtr1
2013
Qtr2 Qtr3 Qtr4 Qtr1
2014
Qtr2 Qtr3 Qtr4 Qtr1
2015
Qtr2 Qtr3 Qtr4
Browser Click-to-Play Intervention

20 Copyright 2018 Trend Micro Inc.
0
10
20
30
40
50
60
70
80
90
100
Qtr1
2012
Qtr2 Qtr3 Qtr4 Qtr1
2013
Qtr2 Qtr3 Qtr4 Qtr1
2014
Qtr2 Qtr3 Qtr4 Qtr1
2015
Qtr2 Qtr3 Qtr4 Qtr1
2016
Qtr2 Qtr3 Qtr4 Qtr1
2017
Qtr2 Qtr3 Qtr4 Qtr1
2018
New Mitigations

21 Copyright 2018 Trend Micro Inc.
0
10
20
30
40
50
60
70
80
90
100
Qtr1
2012
Qtr2 Qtr3 Qtr4 Qtr1
2013
Qtr2 Qtr3 Qtr4 Qtr1
2014
Qtr2 Qtr3 Qtr4 Qtr1
2015
Qtr2 Qtr3 Qtr4 Qtr1
2016
Qtr2 Qtr3 Qtr4 Qtr1
2017
Qtr2 Qtr3 Qtr4 Qtr1
2018
New Mitigations

22 Copyright 2018 Trend Micro Inc.
0
5
10
15
20
25
30
35
40
Qtr1
2012
Qtr2 Qtr3 Qtr4 Qtr1
2013
Qtr2 Qtr3 Qtr4 Qtr1
2014
Qtr2 Qtr3 Qtr4 Qtr1
2015
Qtr2 Qtr3 Qtr4 Qtr1
2016
Qtr2 Qtr3 Qtr4 Qtr1
2017
Qtr2 Qtr3 Qtr4 Qtr1
2018
End of Life Announcements

23 Copyright 2018 Trend Micro Inc.
0
20
40
60
80
100
120
140
160
Qtr1
2012
Qtr2 Qtr3 Qtr4 Qtr1
2013
Qtr2 Qtr3 Qtr4 Qtr1
2014
Qtr2 Qtr3 Qtr4 Qtr1
2015
Qtr2 Qtr3 Qtr4 Qtr1
2016
Qtr2 Qtr3 Qtr4 Qtr1
2017
Qtr2 Qtr3 Qtr4 Qtr1
2018
Unchecked

24 Copyright 2018 Trend Micro Inc.
0
50
100
150
200
Qtr1
2012
Qtr2 Qtr3 Qtr4 Qtr1
2013
Qtr2 Qtr3 Qtr4 Qtr1
2014
Qtr2 Qtr3 Qtr4 Qtr1
2015
Qtr2 Qtr3 Qtr4 Qtr1
2016
Qtr2 Qtr3 Qtr4 Qtr1
2017
Qtr2 Qtr3 Qtr4 Qtr1
2018
Predicting the Next

25 Copyright 2018 Trend Micro Inc.
New Regulations

26 Copyright 2018 Trend Micro Inc.
Pwn2Own

28 Copyright 2018 Trend Micro Inc.
Shades of Stuxnet

29 Copyright 2018 Trend Micro Inc.
Killing CIA’s Closed Network Infiltration Tool

30 Copyright 2018 Trend Micro Inc. 30
Disrupting BlackEnergy

31 Copyright 2018 Trend Micro Inc.
CVE-2018-8174 used in targeted attacks
1. Victim opens a malicious Microsoft Word doc
2. Malicious doc downloads HTML page containing VBScript
3. VBScript triggers Use-After-Free vulnerability
VBScript Double Kill Vulnerability ITW

32 Copyright 2018 Trend Micro Inc.
Matches Trending Data
ZDI Pre-disclosure Guidance Catches CVE-2018-8373
CVE-2018-8373 ITW

34 Copyright 2018 Trend Micro Inc.
Conclusion

35 Copyright 2018 Trend Micro Inc.
https://www.zerodayinitiative.com/blog
Plugging In
https://www.zerodayinitiative.com
@thezdi
PGP https://www.zerodayinitiative.com/documents/zdi-pgp-key.asc
Fingerprint: 743F 60DB 46EA C4A0 1F7D B545 8088 FEDF 9A5F D228
zdi@trendmicro.com

Questions
Thank you for your time and attention

Brian Gorenc, Trend Micro Much like their six-legged counterparts in nature, bugs in software have a lifecycle. They are discovered, they get exploited, they get reported, they get patched, and usually, they go away. At each stage of this lifecycle, information about the vulnerability equates to a monetary value, and, depending on how this information is disseminated, that monetary value can drastically change. Various marketplaces exist for security research, and the current gray and black markets can be as robust as their white market counterparts. Different agents within these markets influence research trends by shifting finances to or away from specific areas, resulting in more bugs discovered and reported in that area. Even if you don’t directly participate in this economy, it impacts you and the systems you defend. Bugs bought and sold in the marketplace often become security patches and sometimes get wrapped into exploit kits or malware. Administering the world’s largest vendor agnostic bug bounty program puts us in a unique position to examine the inner workings of these transactions. While firmly in the white market, our experience and relationships provide us with insight across the entire exploit landscape. Some of these factors might not be obvious to those outside of the marketplace until exposed through data leaks or compromise. These hidden factors can shift prices and send researchers – and thus exploits – in new directions. Like any open market, various factors can spur changes in supply and demand, and market actors can shape what types of research either becomes public – or finds its way into an exploit kit. This presentation covers the inner-workings of the exploit marketplace, the main players in various sectors, and the winding, often controversial lifespan of a security bug. We include real-world examples of how effectively run programs have disrupted nation-state exploit usage in the wild, and take a look at how existing and impending legislation could irrevocably affect the exploit marketplace – and maybe not for the better.

Ga society of cpa's 2018 coastal chapter

Greg Wartes, MCP

Automatizovaná bezpečnost – nadstandard nebo nutnost?

MarketingArrowECS_CZ

IoT digital disruption and new IoT business models

IoTAnalytics

IoT Meetup Hamburg 3 February 2015 - Getting Hamburg set-up for the Internet ...

Knud Lasse Lueth

IoT Meetup Hamburg 3 February 2015 - Getting Hamburg set-up for the Internet ...

IoTAnalytics

Moving Up or Down the IoT Value Chain

Dr. Mazlan Abbas

IoT Developer Survey 2018

Eclipse IoT

Web3 Security Reports for Informed Decision-Making and Risk Mitigation Stay ahead of the curve with expertly crafted Web3 security reports that offer actionable insights and unparalleled analysis. Web3 Security Outlook 2022 -> $4B were lost in 300+ security exploits in 2022 -> The report outlines all major hacks and security breaches that occurred in 2022. -> The report also explores new technologies, such as Layer 2 and zero-knowledge proofs, the role of AI in securing the Web3 ecosystem, and offers essential technical measures for smart contract developers to mitigate vulnerabilities. Protecting your Web3 assets and users from security threats is crucial but can be overwhelming. That's why we have curated a series of expertly crafted reports that provide real-world examples and practical advice. Our engaging and informative reports are the ultimate resource for businesses and organisations operating in the Web3 space. Join us on the journey to a safer Web3 world.

How IoT Will Support Tomorrow's Digital Supply Chain

SCL HUB Conference

How IoT Will Support Tomorrow's Digital Supply Chain

SCL HUB

AppCoins @ Demo Asia in Singapore (18 Sep 2018)

AppCoins

Pgatss slide deck june 7, 2018

Greg Wartes, MCP

Kandola pitch deck

Tech in Asia

B2B Tech Trends 2019

Four Quadrant LLC

B2B Tech Trends 2019 Read the full post on B2B TECH TRENDS 2019 at fourquadrant.com/tech-trends-for-b2b-marketers/ Included in this SlideShare Deck is: Trend No. 1: Autonomous Things Trend No. 2: Augmented Analytics By 2020, more than 40% of data science tasks will be automated Trend No. 3: AI-Driven Development Trend No. 4: Digital Twins Trend No. 5: Empowered Edge Trend No. 6: Immersive Technologies By 2022, 70% of enterprises will be experimenting with immersive technologies for consumer and enterprise use, and 25% will have deployed to production Trend No. 7: Blockchain Blockchain Will Create $3.1T in Business Value by 2030 Trend No. 8: Smart Spaces Trend No. 9: Digital Ethics & Privacy Trend No. 10: Quantum Computing ============================================================ FOR ADDITIONAL GO TO MARKET RESOURCES VISIT www.fourquadrant.com ============================================================ Read the full post on B2B TECH TRENDS 2019 at fourquadrant.com/tech-trends-for-b2b-marketers/ CMO Spend Survey, fourquadrant.com/cmo-spend-research-results-2018-2019/ Go to Market Resources @ fourquadrant.com Predictive Marketing Analytics Buyer’s Checklist, fourquadrant.com/go-to-market-planning-templates/predictive-marketing-analytics-buyers-checklist/ Free Downloads @ fourquadrant.com/free-marketing-templates/ Go to Market Insights @ fourquadrant.com/go-to-market-planning-templates/

Open Source Insight: Who Owns Linux? TRITON Attack, App Security Testing, Fut...

Black Duck by Synopsys

We look at the three reasons you must attend the FLIGHT Amsterdam conference; how to build outstanding projects in the open source community; and why isn’t every app being security tested? Plus, in-depth into the TRITON attack; why 2018 is the year of open source; how open source is driving both IoT and AI and a webinar on the 2018 Open Source Rookies of the Year. Open Source Insight is your weekly news resource for open source security and cybersecurity news!

Sensor expo 2018 keynote

Shahram Mehraban

In today’s digital world, the issue of cyber-security is something that is continually weighing on everyone’s mind, especially with the exponential growth of connected devices thanks to the Internet of Things. But despite the growing attack surface, businesses everywhere cannot ignore the value of implementing IoT solutions. IoT security is complex, especially due to the nature of the legacy devices and the complex ecosystem, Download Lantronix VP of Marketing Shahram Mehraban's 2018 Sensors Expo Keynote to learn more.

ALMUERZO DE TRABAJO CHECKPOINT - SECURE SOFT

Cristian Garcia G.

Introduction to Industrial IoT - Key Note Address @ ISHM

Srikanth Muralidhara

The State of FIDO

FIDO Alliance

Transforma Insights

eduardo schettino

CompTIA powered Cybersecurity Apprenticeships

Zeshan Sattar

Mobile Ad Fraud Deep Dive With AppsFlyer

GameCamp

Digital technology as driving force for industry 4.0 and digital economy

Suta Wijaya

Peter Todd - Hardware Wallets - Threats and Vulnerabilities

Hacken_Ecosystem

Seyfullah Kilic - Hacking Cryptocurrency Miners with OSINT Techniques

Hacken_Ecosystem

Seyfullah Kilic - Hacking Cryptocurrency Miners with OSINT Techniques

Walter Belgers - Lockpicking and IT security

Dima kovalenko - Is ARMv8.3 the end of ROP?

Tomi Wen - The Blockchain Built for Real World Apps

Renaud Lifchitz - Blockchain decentralized apps: the future of malwares?

Dejan Podgorsek - Is Hyperledger Fabric secure enough for your Business?

Alex Zdrilko - АI and Blockchain in real life application with the highest se...

John Graham-Cumming - Helping to build a better Internet

Pedro Fortuna - Protecting Crypto Exchanges From a New Wave of Man-in-the-Bro...

Max Keidun - How to build a Bitcoin exchange and not burn in hell

Ryan Stortz & Sophia D'Antoine - “EVM2VEC: Bug Discovery in Smart Contracts”

Dinis Guarda "Hacking the DNA of Humanity with Blockchain and AI""

Recently uploaded

Epistemic Interaction - tuning interfaces to provide information for AI support

Alan Dix

Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024 https://alandix.com/academic/papers/synergy2024-epistemic/ As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.

Generative AI Deep Dive: Advancing from Proof of Concept to Production

Aggregage

PHP Frameworks: I want to break free (IPC Berlin 2024)

Ralf Eggert

In this presentation, we examine the challenges and limitations of relying too heavily on PHP frameworks in web development. We discuss the history of PHP and its frameworks to understand how this dependence has evolved. The focus will be on providing concrete tips and strategies to reduce reliance on these frameworks, based on real-world examples and practical considerations. The goal is to equip developers with the skills and knowledge to create more flexible and future-proof web applications. We'll explore the importance of maintaining autonomy in a rapidly changing tech landscape and how to make informed decisions in PHP development. This talk is aimed at encouraging a more independent approach to using PHP frameworks, moving towards a more flexible and future-proof approach to PHP development.

Elevating Tactical DDD Patterns Through Object Calisthenics

Dorra BARTAGUIZ

After immersing yourself in the blue book and its red counterpart, attending DDD-focused conferences, and applying tactical patterns, you're left with a crucial question: How do I ensure my design is effective? Tactical patterns within Domain-Driven Design (DDD) serve as guiding principles for creating clear and manageable domain models. However, achieving success with these patterns requires additional guidance. Interestingly, we've observed that a set of constraints initially designed for training purposes remarkably aligns with effective pattern implementation, offering a more ‘mechanical’ approach. Let's explore together how Object Calisthenics can elevate the design of your tactical DDD patterns, offering concrete help for those venturing into DDD for the first time!

The Art of the Pitch: WordPress Relationships and Sales

Laura Byrne

Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if sometime changes? All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.

FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf

FIDO Alliance

FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf

FIDO Alliance

State of ICS and IoT Cyber Threat Landscape Report 2024 preview

Prayukth K V

The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development. The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers: State of global ICS asset and network exposure Sectoral targets and attacks as well as the cost of ransom Global APT activity, AI usage, actor and tactic profiles, and implications Rise in volumes of AI-powered cyberattacks Major cyber events in 2024 Malware and malicious payload trends Cyberattack types and targets Vulnerability exploit attempts on CVEs Attacks on counties – USA Expansion of bot farms – how, where, and why In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East Why are attacks on smart factories rising? Cyber risk predictions Axis of attacks – Europe Systemic attacks in the Middle East Download the full report from here: https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/

Assure Contact Center Experiences for Your Customers With ThousandEyes

ThousandEyes

When stars align: studies in data quality, knowledge graphs, and machine lear...

Elena Simperl

By Design, not by Accident - Agile Venture Bolzano 2024

Pierluigi Pugliese

UiPath Test Automation using UiPath Test Suite series, part 4

DianaGray10

Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap. The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies. Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques What will you get from this session? 1. Insights into SAP testing best practices 2. Heatmap utilization for testing 3. Optimization of testing processes 4. Demo Topics covered: Execution from the test manager Orchestrator execution result Defect reporting SAP heatmap example with demo Speaker: Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP

Elizabeth Buie - Older adults: Are we really designing for our future selves?

Nexer Digital

Welocme to ViralQR, your best QR code generator.

ViralQR

Welcome to ViralQR, your best QR code generator available on the market! At ViralQR, we design static and dynamic QR codes. Our mission is to make business operations easier and customer engagement more powerful through the use of QR technology. Be it a small-scale business or a huge enterprise, our easy-to-use platform provides multiple choices that can be tailored according to your company's branding and marketing strategies. Our Vision We are here to make the process of creating QR codes easy and smooth, thus enhancing customer interaction and making business more fluid. We very strongly believe in the ability of QR codes to change the world for businesses in their interaction with customers and are set on making that technology accessible and usable far and wide. Our Achievements Ever since its inception, we have successfully served many clients by offering QR codes in their marketing, service delivery, and collection of feedback across various industries. Our platform has been recognized for its ease of use and amazing features, which helped a business to make QR codes. Our Services At ViralQR, here is a comprehensive suite of services that caters to your very needs: Static QR Codes: Create free static QR codes. These QR codes are able to store significant information such as URLs, vCards, plain text, emails and SMS, Wi-Fi credentials, and Bitcoin addresses. Dynamic QR codes: These also have all the advanced features but are subscription-based. They can directly link to PDF files, images, micro-landing pages, social accounts, review forms, business pages, and applications. In addition, they can be branded with CTAs, frames, patterns, colors, and logos to enhance your branding. Pricing and Packages Additionally, there is a 14-day free offer to ViralQR, which is an exceptional opportunity for new users to take a feel of this platform. One can easily subscribe from there and experience the full dynamic of using QR codes. The subscription plans are not only meant for business; they are priced very flexibly so that literally every business could afford to benefit from our service. Why choose us? ViralQR will provide services for marketing, advertising, catering, retail, and the like. The QR codes can be posted on fliers, packaging, merchandise, and banners, as well as to substitute for cash and cards in a restaurant or coffee shop. With QR codes integrated into your business, improve customer engagement and streamline operations. Comprehensive Analytics Subscribers of ViralQR receive detailed analytics and tracking tools in light of having a view of the core values of QR code performance. Our analytics dashboard shows aggregate views and unique views, as well as detailed information about each impression, including time, device, browser, and estimated location by city and country. So, thank you for choosing ViralQR; we have an offer of nothing but the best in terms of QR code services to meet business diversity!

Free Complete Python - A step towards Data Science

RinaMondal9

Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...

UiPathCommunity

💥 Speed, accuracy, and scaling – discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™: See how to accelerate model training and optimize model performance with active learning Learn about the latest enhancements to out-of-the-box document processing – with little to no training required Get an exclusive demo of the new family of UiPath LLMs – GenAI models specialized for processing different types of documents and messages This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath. Speakers: 👨‍🏫 Andras Palfi, Senior Product Manager, UiPath 👩‍🏫 Lenka Dulovicova, Product Program Manager, UiPath

SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf

Peter Spielvogel

Building better applications for business users with SAP Fiori. • What is SAP Fiori and why it matters to you • How a better user experience drives measurable business benefits • How to get started with SAP Fiori today • How SAP Fiori elements accelerates application development • How SAP Build Code includes SAP Fiori tools and other generative artificial intelligence capabilities • How SAP Fiori paves the way for using AI in SAP apps

GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...

James Anderson

Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management. The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM). Speakers: Bob Boule Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle. Gopinath Rebala Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.

Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf

91mobiles

Introduction to CHERI technology - Cybersecurity

mikeeftimakis1

Recently uploaded (20)

Epistemic Interaction - tuning interfaces to provide information for AI support

Generative AI Deep Dive: Advancing from Proof of Concept to Production

PHP Frameworks: I want to break free (IPC Berlin 2024)

Elevating Tactical DDD Patterns Through Object Calisthenics

The Art of the Pitch: WordPress Relationships and Sales

FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf

FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf

State of ICS and IoT Cyber Threat Landscape Report 2024 preview

Assure Contact Center Experiences for Your Customers With ThousandEyes

When stars align: studies in data quality, knowledge graphs, and machine lear...

By Design, not by Accident - Agile Venture Bolzano 2024

UiPath Test Automation using UiPath Test Suite series, part 4

Elizabeth Buie - Older adults: Are we really designing for our future selves?

Welocme to ViralQR, your best QR code generator.

Free Complete Python - A step towards Data Science

Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...

SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf

GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...

Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf

Introduction to CHERI technology - Cybersecurity

Brian Gorenc on the topic “Modern Day Entomology - Examing the Inner Workings of the Bug Bazaar”.

1. Modern Day Entomology Examining the Inner Workings of the Bug Bazaar

2. 2 Copyright 2018 Trend Micro Inc. Director of Vulnerability Research at Trend Micro Leads the Zero Day Initiative Organizes Pwn2Own Approver of Payments Past Experiences Lead Developer at Lockheed Martin Bug Hunter Past research: Microsoft Bounty submission Patents on Exploit Mitigation Technologies Bug hunting in many products Twitter: @MaliciousInput Brian Gorenc

4. 4 Copyright 2018 Trend Micro Inc. How it works Trend Micro Customers Protected Ahead of Patch Other Network Security Vendor’s Customers at Risk Vulnerability submitted to the ZDI program Vendor Notified Digital Vaccine® Filter Created Vendor Response Window Vulnerability is Patched or Remains Unfixed Public Disclosure

5. Exploit Economy

6. 6 Copyright 2018 Trend Micro Inc. Economy in Action Researchers Finds Bugs Bug Bounty Program Report to Vendor Sell Report $1K - $25K Signatures Exploit Kit Creator $10K - $100K Vuln Broker Government $10K - $1000K $10K - $1000K Bot HerderBotnet Creator Compromises PCs Sells Kit Rents Botnet Spammer DDoS Extortion Credential Harvesting Smart Criminal Make One Big Purchase Sells Stolen Creds Dumb Criminal Buys Beer & Chips Re-Sells Stolen Creds Used Against??

7. 7 Copyright 2018 Trend Micro Inc. 0 100 200 300 400 500 600 700 800 900 1000 Qtr4 2013 Qtr1 2014 Qtr2 Qtr3 Qtr4 Qtr1 2015 Qtr2 Qtr3 Qtr4 Qtr1 2016 Qtr2 Qtr3 Qtr4 Qtr1 2017 Qtr2 Qtr3 Qtr4 Qtr1 2018 Qtr2 Active economy

18. Market Factors and Trends

19. 19 Copyright 2018 Trend Micro Inc. 0 5 10 15 20 25 30 35 40 Qtr1 2011 Qtr2 Qtr3 Qtr4 Qtr1 2012 Qtr2 Qtr3 Qtr4 Qtr1 2013 Qtr2 Qtr3 Qtr4 Qtr1 2014 Qtr2 Qtr3 Qtr4 Qtr1 2015 Qtr2 Qtr3 Qtr4 Browser Click-to-Play Intervention

20. 20 Copyright 2018 Trend Micro Inc. 0 10 20 30 40 50 60 70 80 90 100 Qtr1 2012 Qtr2 Qtr3 Qtr4 Qtr1 2013 Qtr2 Qtr3 Qtr4 Qtr1 2014 Qtr2 Qtr3 Qtr4 Qtr1 2015 Qtr2 Qtr3 Qtr4 Qtr1 2016 Qtr2 Qtr3 Qtr4 Qtr1 2017 Qtr2 Qtr3 Qtr4 Qtr1 2018 New Mitigations

21. 21 Copyright 2018 Trend Micro Inc. 0 10 20 30 40 50 60 70 80 90 100 Qtr1 2012 Qtr2 Qtr3 Qtr4 Qtr1 2013 Qtr2 Qtr3 Qtr4 Qtr1 2014 Qtr2 Qtr3 Qtr4 Qtr1 2015 Qtr2 Qtr3 Qtr4 Qtr1 2016 Qtr2 Qtr3 Qtr4 Qtr1 2017 Qtr2 Qtr3 Qtr4 Qtr1 2018 New Mitigations

22. 22 Copyright 2018 Trend Micro Inc. 0 5 10 15 20 25 30 35 40 Qtr1 2012 Qtr2 Qtr3 Qtr4 Qtr1 2013 Qtr2 Qtr3 Qtr4 Qtr1 2014 Qtr2 Qtr3 Qtr4 Qtr1 2015 Qtr2 Qtr3 Qtr4 Qtr1 2016 Qtr2 Qtr3 Qtr4 Qtr1 2017 Qtr2 Qtr3 Qtr4 Qtr1 2018 End of Life Announcements

23. 23 Copyright 2018 Trend Micro Inc. 0 20 40 60 80 100 120 140 160 Qtr1 2012 Qtr2 Qtr3 Qtr4 Qtr1 2013 Qtr2 Qtr3 Qtr4 Qtr1 2014 Qtr2 Qtr3 Qtr4 Qtr1 2015 Qtr2 Qtr3 Qtr4 Qtr1 2016 Qtr2 Qtr3 Qtr4 Qtr1 2017 Qtr2 Qtr3 Qtr4 Qtr1 2018 Unchecked

24. 24 Copyright 2018 Trend Micro Inc. 0 50 100 150 200 Qtr1 2012 Qtr2 Qtr3 Qtr4 Qtr1 2013 Qtr2 Qtr3 Qtr4 Qtr1 2014 Qtr2 Qtr3 Qtr4 Qtr1 2015 Qtr2 Qtr3 Qtr4 Qtr1 2016 Qtr2 Qtr3 Qtr4 Qtr1 2017 Qtr2 Qtr3 Qtr4 Qtr1 2018 Predicting the Next

27. War Stories 27

31. 31 Copyright 2018 Trend Micro Inc. CVE-2018-8174 used in targeted attacks 1. Victim opens a malicious Microsoft Word doc 2. Malicious doc downloads HTML page containing VBScript 3. VBScript triggers Use-After-Free vulnerability VBScript Double Kill Vulnerability ITW

33. Conclusion

35. 35 Copyright 2018 Trend Micro Inc. https://www.zerodayinitiative.com/blog Plugging In https://www.zerodayinitiative.com @thezdi PGP https://www.zerodayinitiative.com/documents/zdi-pgp-key.asc Fingerprint: 743F 60DB 46EA C4A0 1F7D B545 8088 FEDF 9A5F D228 zdi@trendmicro.com

36. Questions Thank you for your time and attention

Editor's Notes

Vulnerability Submitted: A researcher submits a previously unpatched vulnerability to the Zero Day Initiative, who validates the vulnerability, determines its worth, and makes a monetary offer to the researcher. Vendor Notified: The Zero Day Initiative responsibly and promptly notifies the appropriate product vendor of a security flaw with their product(s) or service(s). Digital Vaccine® Filter Created: Simultaneously with the vendor being notified, Trend Micro TippingPoint works to create a Digital Vaccine filter to protect customers from the unpatched vulnerability. Vendor Response: The Zero Day Initiative allows the vendor four months to address the vulnerability. Vulnerability is Patched or Remains Unfixed: The vendor will either release a patch for the vulnerability or indicate to the Zero Day Initiative that it is unable to, or chooses not to, patch the vulnerability. Public Disclosure: The Zero Day Initiative will publicly and responsibly disclose the details of the vulnerability on its Web site in accordance with its vulnerability disclosure policy.
Adobe, Apple, Foxit, Google, Microsoft, Mozilla, Oracle, WebKit
3S Pocketnet Tech, ABB, Advantech, ARRIS, Codesys, Cogent Real-Time Systems, Ecava, GE, Honeywell, Indusoft, MICROSYS, Proface, PTC, Rockwell Automation, Schneider Electric, Tibbo, Trihedral Engineering Ltd, Unitronics, WellinTech
Now, when Hacking Team happened most in the industry poured over the evidence look for 0-day. Not ZDI. We looked for financial data. Who was buying, Who was selling, What were the prices? Are we making a impact in the shady grey market? Hacking Team dumps give us solid evidence here…and it is quite lucrative. RAV service 90,000 E to Czech Republic Similar service to Kazazkhstan for 180,000 E Additional buyers: Guatemala Lebanon Mongolia Russia Egypt Vietnam Malaysia Federal police of brazil Bangladesh Police - Rapid Action Battalion Republic of South Korea - Army Saudi Arabia Cyprus UAE Mexico Republic of Hungary And Small company called Cyberpoint in MD< USA
Information from their Board of Directors meeting leads to other interesting insights into the marketplace 10 million in revue Expected >30% growth Paid employees $80,000 on average Other Personal Cost 500,000 Grow by 50% next year What is the category? Could it be consultancy fees and the broker costs. Highly likely. To make this money, you need in this business you need 0-day exploits. Via FTE or from the free market… How do they do they engage in the free market?
Go directly to the researchers. But you have to be good… For example, take Vitaliy Toropov
Next option is Vulnerability Brokers to keeps the remote access product working is brokers. Here we have an Adobe Flash exploit for sale The most interesting here is the asset availability. Why buy exclusive or non-exclusive? Stealthiness, of course. For highly target attacks, a “fire-and-forget” model is the only real option. The more it is out there, the more likely it will get caught. But what does that benefit cost?
Much better then the consultancy rate. $95,000 Paid out over a 3 month period. Why is this done? 0-day is only as good as long as it is 0-day. Fees are paid out over time so the original researcher does not burn the bug after the payment.
What is being avilable? Browsers, Kernel, Mobile, Security Software, Core Software like PHP So how does ZDI fair in the what it is attracting from the marketplace? Are we buying and fixing bugs that will impact the grey market and protect customers? The answer is YES But where is the evidence of our impact in this market place?
Jan 2013 - https://blog.mozilla.org/security/2013/01/29/putting-users-in-control-of-plugins/
JIT (Bound Checking, Type Confusion) UAF due to MemGC failed as a mitigation Issue in JavaScript Array Implementation
JIT (Bound Checking, Type Confusion) UAF due to MemGC failed as a mitigation Issue in JavaScript Array Implementation
Adobe End of life announcement - https://theblog.adobe.com/adobe-flash-update/
JIT (Bound Checking, Type Confusion) UAF due to MemGC failed as a mitigation Issue in JavaScript Array Implementation
JIT (Bound Checking, Type Confusion) UAF due to MemGC failed as a mitigation Issue in JavaScript Array Implementation
December 2013 The purpose of the amendments was to prevent Western technology companies from selling surveillance technology to governments known to abuse human rights. The Wassenaar Arrangement was established to contribute to regional and international security and stability by promoting transparency and greater responsibility in transfers of conventional arms and dual-use goods and technologies, thus preventing destabilizing accumulations. Participating states seek, through their national policies, to ensure that transfers of these items do not contribute to the development or enhancement of military capabilities which undermine these goals, and are not diverted to support such capabilities. https://www.wassenaar.org/app/uploads/2018/01/WA-DOC-17-PUB-006-Public-Docs-Vol.II-2017-List-of-DU-Goods-and-Technologies-and-Munitions-List.pdf
Starting in 2007, the Pwn2Own hacking competition has grown into the world’s premier hacking contest. 2017 was the 10th anniversary of the contest, and more than $1 million dollars was made available to contestants. It’s only a slight hyperbole to refer to Pwn2Own as the root of all research. When we announce a new category for Pwn2Own, we don’t expect to see any entries in that category that year. However, history has shown that once we announce a new target at Pwn2Own, researchers start working in that area and submit entries the following year. That happened in 2016 when we announce VMWare as a target. As expected, we didn’t get any entries in 2016, but we did get two successful VMWare escapes in 2017. This was also our first year with Hyper-V and Apache web server as a target, and again, we didn’t receive any attempts on these targets. Next year’s conference should prove interesting.

Brian Gorenc on the topic “Modern Day Entomology - Examing the Inner Workings of the Bug Bazaar”.

Recommended

Recommended

More Related Content

Similar to Brian Gorenc on the topic “Modern Day Entomology - Examing the Inner Workings of the Bug Bazaar”.

Similar to Brian Gorenc on the topic “Modern Day Entomology - Examing the Inner Workings of the Bug Bazaar”. (20)

More from Hacken_Ecosystem

More from Hacken_Ecosystem (13)

Recently uploaded

Recently uploaded (20)

Brian Gorenc on the topic “Modern Day Entomology - Examing the Inner Workings of the Bug Bazaar”.

Editor's Notes