As web enabled systems become an integral part of everything we interact with, how do we secure data in potential unsecure environments?
In this session you'll learn how to apply fundamental security precepts in potentially insecure environments. Topics include:
Securing identity and payment data through voice commands or text
Tokenization and encryption security
Triggering secure transactions from communications media
Cryptography implementation weaknesses: based on true storyVlatko Kosturjak
Cryptography implementation weaknesses: based on true story. It is story about Cisco password type 4 which was introduced recently. It supposed to be better than Cisco password type 5 (MD5), but due to implementation weaknesses, it ended up the other way...
As web enabled systems become an integral part of everything we interact with, how do we secure data in potential unsecure environments?
In this session you'll learn how to apply fundamental security precepts in potentially insecure environments. Topics include:
Securing identity and payment data through voice commands or text
Tokenization and encryption security
Triggering secure transactions from communications media
Cryptography implementation weaknesses: based on true storyVlatko Kosturjak
Cryptography implementation weaknesses: based on true story. It is story about Cisco password type 4 which was introduced recently. It supposed to be better than Cisco password type 5 (MD5), but due to implementation weaknesses, it ended up the other way...
"Безопасные Биткоин-транзакции без специального оборудования", Алексей КаракуловHackIT Ukraine
Одна из трудностей в использовании Биткоина — в том, что безопасность плохо сочетается с удобством. Секретные ключи от кошелька можно хранить в офлайне многими способами, однако проблема возникает, когда мы хотим потратить биткоины. Если приложение для кошелька используется на скомпрометированной системе, простого трояна достаточно, чтобы слить секретные ключи.
На сегодняшний день популярны два безопасных способа использования Биткоина: аппаратный кошелёк и «холодный кошелёк» на изолированном компьютере. Оба способа непривлекательны для новых пользователей: надёжные аппаратные кошельки достаточно дорогие, а холодные кошельки не слишком портативны и пока неудобны в использовании.
Я продемонстрирую процедуру исполнения Биткоин транзакций с переходом в офлайн режим перед вводом секретного ключа на примере ОС Tails и кошелька Electrum. Хотя процедура не даёт таких же гарантий безопасности, как холодный кошелёк, она не требует отдельного устройства для кошелька, и при этом значительно безопаснее, чем использование Биткоина на обычной десктопной ОС
Is there an EFI monster inside your apple? by Pedro Vilaça - CODE BLUE 2015CODE BLUE
A few months ago I publicly disclosed an Apple EFI firmware zero day. It was a very powerful bug allowing direct access to the EFI firmware from the operating system. EFI rootkits are some of the most powerful and most interesting rootkits. Because they work at a very low level they can play a lot of tricks to hide themselves from forensics and persist for a long time. EFI monsters are a bit like jaguars, stealthy and rarely seen by humans. This doesn't mean they do not exist. EFI monsters are most certainly part of spy agencies rootkits catalog. Very few tools exist to chase them.
This talk is about introducing you to the EFI world so you can also start to chase these monsters. EFI world might look scary but it's a bit easier than you think and a lot of fun.
Thunderstrike 2 (to be presented at BlackHat) is a fine example of the power of EFI rootkits and the problems they present.
Follow a Firefox crash from its genesis in a collapsing browser process through the dizzying array of collection, storage, and reporting systems that make up Socorro, our open-source crash collector. Enjoy war stories of weird, interlocking failures, and see how we nevertheless continue to fulfill our mandate: “Never lose a crash.” Observe some patterns that emerged from this system which can be useful in yours.
An overview of the technology options for adding speech to web applications. It covers the HTML5 Speech Input API for speech recognition, using the Audio tag with 3rd party APIs for text-to-speech, and an overview of WebRTC application possibilities.
Presented at the Atlanta Ruby Users Group meeting on November 13, 2013.
Make the Cloud Less Cloudy: A Perspective for Software Development TeamsTechWell
With so many technologies branded as “cloud” products, it can be difficult to distinguish good technology from good marketing. The resulting confusion complicates the work of software development teams who are trying not only to architect software effectively but also trying to accelerate building, testing, and delivering software. To cut through this confusion, Bill Wilder defines key cloud terms, compares the different types of clouds, and drills into concrete examples of specific cloud services. Introducing several software architecture concepts and patterns, Bill illustrates how to position applications to run reliably, at high scale (if needed), and with maximum cost efficiency on modern cloud platforms. Specific examples are drawn from the Windows Azure and Amazon cloud platforms, though the concepts are generally applicable. Leave with an understanding of relevant cloud concepts, a better idea of how moving to the “cloud” can impact application architecture, and some practical ideas for exploiting the cloud to improve software development team productivity.
A lecture I gave for the course "Linux per tutti, tutti per GNU/Linux" about the importance of Free Software (and open standards) for the future of our common Internet and Web.
Course site http://trentowiki.it/ISFGNULinux
In this talk we will demonstrate and unveil the latest developments on browser specific weaknesses including creative new mechanisms to compromise confidentiality, successfully perform login and history detection, serve mixed content, deliver malicious ghost binaries without a C&C server, exploit cache / timing side channels to extract secrets from third-party domains and leverage new HTML5 features to carry out more stealthy attacks. This is a fast-paced practical presentation with live demos that will challenge your knowledge of the Same Origin Policy and push the limits of what is possible with today’s web clients.
Topics will include: Current XSS filter bypass for IE & Chrome. Same Origin Policy timing attacks on Chrome. Data URI malware with spoofed URLs and ‘download’ attribute. HTML5 drag & drop exploitation. History stealing attacks. Clipboard stealing attacks. Cross-domain hijacking attacks with flash content sniffing, Blob URLs and SVGs. Spoofing URL address bars on modern browsers. Advanced browser encoding quirks and exploitation techniques.
"Безопасные Биткоин-транзакции без специального оборудования", Алексей КаракуловHackIT Ukraine
Одна из трудностей в использовании Биткоина — в том, что безопасность плохо сочетается с удобством. Секретные ключи от кошелька можно хранить в офлайне многими способами, однако проблема возникает, когда мы хотим потратить биткоины. Если приложение для кошелька используется на скомпрометированной системе, простого трояна достаточно, чтобы слить секретные ключи.
На сегодняшний день популярны два безопасных способа использования Биткоина: аппаратный кошелёк и «холодный кошелёк» на изолированном компьютере. Оба способа непривлекательны для новых пользователей: надёжные аппаратные кошельки достаточно дорогие, а холодные кошельки не слишком портативны и пока неудобны в использовании.
Я продемонстрирую процедуру исполнения Биткоин транзакций с переходом в офлайн режим перед вводом секретного ключа на примере ОС Tails и кошелька Electrum. Хотя процедура не даёт таких же гарантий безопасности, как холодный кошелёк, она не требует отдельного устройства для кошелька, и при этом значительно безопаснее, чем использование Биткоина на обычной десктопной ОС
Is there an EFI monster inside your apple? by Pedro Vilaça - CODE BLUE 2015CODE BLUE
A few months ago I publicly disclosed an Apple EFI firmware zero day. It was a very powerful bug allowing direct access to the EFI firmware from the operating system. EFI rootkits are some of the most powerful and most interesting rootkits. Because they work at a very low level they can play a lot of tricks to hide themselves from forensics and persist for a long time. EFI monsters are a bit like jaguars, stealthy and rarely seen by humans. This doesn't mean they do not exist. EFI monsters are most certainly part of spy agencies rootkits catalog. Very few tools exist to chase them.
This talk is about introducing you to the EFI world so you can also start to chase these monsters. EFI world might look scary but it's a bit easier than you think and a lot of fun.
Thunderstrike 2 (to be presented at BlackHat) is a fine example of the power of EFI rootkits and the problems they present.
Follow a Firefox crash from its genesis in a collapsing browser process through the dizzying array of collection, storage, and reporting systems that make up Socorro, our open-source crash collector. Enjoy war stories of weird, interlocking failures, and see how we nevertheless continue to fulfill our mandate: “Never lose a crash.” Observe some patterns that emerged from this system which can be useful in yours.
An overview of the technology options for adding speech to web applications. It covers the HTML5 Speech Input API for speech recognition, using the Audio tag with 3rd party APIs for text-to-speech, and an overview of WebRTC application possibilities.
Presented at the Atlanta Ruby Users Group meeting on November 13, 2013.
Make the Cloud Less Cloudy: A Perspective for Software Development TeamsTechWell
With so many technologies branded as “cloud” products, it can be difficult to distinguish good technology from good marketing. The resulting confusion complicates the work of software development teams who are trying not only to architect software effectively but also trying to accelerate building, testing, and delivering software. To cut through this confusion, Bill Wilder defines key cloud terms, compares the different types of clouds, and drills into concrete examples of specific cloud services. Introducing several software architecture concepts and patterns, Bill illustrates how to position applications to run reliably, at high scale (if needed), and with maximum cost efficiency on modern cloud platforms. Specific examples are drawn from the Windows Azure and Amazon cloud platforms, though the concepts are generally applicable. Leave with an understanding of relevant cloud concepts, a better idea of how moving to the “cloud” can impact application architecture, and some practical ideas for exploiting the cloud to improve software development team productivity.
A lecture I gave for the course "Linux per tutti, tutti per GNU/Linux" about the importance of Free Software (and open standards) for the future of our common Internet and Web.
Course site http://trentowiki.it/ISFGNULinux
In this talk we will demonstrate and unveil the latest developments on browser specific weaknesses including creative new mechanisms to compromise confidentiality, successfully perform login and history detection, serve mixed content, deliver malicious ghost binaries without a C&C server, exploit cache / timing side channels to extract secrets from third-party domains and leverage new HTML5 features to carry out more stealthy attacks. This is a fast-paced practical presentation with live demos that will challenge your knowledge of the Same Origin Policy and push the limits of what is possible with today’s web clients.
Topics will include: Current XSS filter bypass for IE & Chrome. Same Origin Policy timing attacks on Chrome. Data URI malware with spoofed URLs and ‘download’ attribute. HTML5 drag & drop exploitation. History stealing attacks. Clipboard stealing attacks. Cross-domain hijacking attacks with flash content sniffing, Blob URLs and SVGs. Spoofing URL address bars on modern browsers. Advanced browser encoding quirks and exploitation techniques.
[cb22] Hayabusa Threat Hunting and Fast Forensics in Windows environments fo...CODE BLUE
It started with computer hacking and Japanese linguistics as a kid. Zach Mathis has been based in Kobe, Japan, and has performed both red team services as well as blue team incident response and defense consultation for major Japanese global Japanese corporations since 2006. He is the founder of Yamato Security, one of the largest and most popular hands-on security communities in Japan, and has been providing free training since 2012 to help improve the local security community. Since 2016, he has been teaching security for the SANS institute and holds numerous GIAC certifications. Currently, he is working with other Yamato security members to provide free and open-source security tools to help security analysts with their work.
[cb22] Tales of 5G hacking by Karsten NohlCODE BLUE
Most 5G networks are built in fundamentally new ways, opening new hacking avenues.
Mobile networks have so far been monolithic systems from big vendors; now they become open vendor-mixed ecosystems. Networks are rapidly adopting cloud technologies including dockerization and orchestration. Cloud hacking techniques become highly relevant to mobile networks.
The talk dives into the hacking potential of the technologies needed for these open networks. We illustrate the security challenges with vulnerabilities we found in real-world networks.
[cb22] Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...CODE BLUE
Printer has become one of the essential devices in the corporate intranet for the past few years, and its functionalities have also increased significantly. Not only print or fax, cloud printing services like AirPrint are also being supported as well to make it easier to use. Direct printing from mobile devices is now a basic requirement in the IoT era. We also use it to print some internal business documents of the company, which makes it even more important to keep the printer safe.
Nowadays, most of the printers on the market do not have to be connected with USB or traditional cable. As long as you are using a LAN cable connected to the intranet, the computer can find and use the printer immediately. Most of them are based on protocols such as SLP and LLMNR. But is it really safe when vendors adopt those protocols? Furthermore, many printers do not use traditional Linux systems, but use RTOS(Real-Time Operating System) instead, how will this affect the attacker?
In this talk, we will use Canon ImageCLASS MF644Cdw and HP Color LaserJet Pro MFP M283fdw as case study, showing how to analyze and gain control access to the printer. We will also demonstrate how to use the vulnerabilities to achieve RCE in RTOS in unauthenticated situations.
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...CODE BLUE
While hackers have known the importance of sharing research to improve security for years, the importance of coordinated vulnerability disclosure is increasingly recognized by governments around the world. The principals of disclosure an protecting security researchers are common across borders, but different countries have some key differences. This panel will present a global perspective that may in turn inform key public policy and company behavior.
ENISA has published 'Coordinated Vulnerability Disclosure policies in the EU' in April 2022 . This report not only provides an objective introduction to the current state of coordinated vulnerability disclosure policies in the Member States of the European Union, but also introduces the operation of vulnerability disclosure in China, Japan and the USA. Based on these findings, the desirable and good practice elements of a coordinated vulnerability disclosure process are examined, followed by a discussion of the challenges and issues.
This session aims to share the contents of this report and clarify the challenges and future direction of operations in Japan, as well as national security and vulnerability handling issues in the US, in a panel discussion with representatives from various jurisdictions.
The panelists are involved in the practice of early warning partnership notified bodies in Japan, the authors of the above report in Europe and the contributors to the above report in the US.
In Japan, the issues of system awareness, incentives, increase in the number of outstanding cases in handling and so-called triage in handling vulnerabilities will be introduced.
From the United States, the Vulnerabilities Equities Process for National Security and the publication of a non-prosecution policy for vulnerability research will be introduced, as well as a historical background on the issue.
The aim is that the panel discussion will enable the audience to understand the international situation surrounding CVD, as well as future trends, in particular the important role of vulnerability in cybersecurity and the challenges faced by society around it.
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...CODE BLUE
While hackers have known the importance of sharing research to improve security for years, the importance of coordinated vulnerability disclosure is increasingly recognized by governments around the world. The principals of disclosure an protecting security researchers are common across borders, but different countries have some key differences. This panel will present a global perspective that may in turn inform key public policy and company behavior.
ENISA has published 'Coordinated Vulnerability Disclosure policies in the EU' in April 2022 . This report not only provides an objective introduction to the current state of coordinated vulnerability disclosure policies in the Member States of the European Union, but also introduces the operation of vulnerability disclosure in China, Japan and the USA. Based on these findings, the desirable and good practice elements of a coordinated vulnerability disclosure process are examined, followed by a discussion of the challenges and issues.
This session aims to share the contents of this report and clarify the challenges and future direction of operations in Japan, as well as national security and vulnerability handling issues in the US, in a panel discussion with representatives from various jurisdictions.
The panelists are involved in the practice of early warning partnership notified bodies in Japan, the authors of the above report in Europe and the contributors to the above report in the US.
In Japan, the issues of system awareness, incentives, increase in the number of outstanding cases in handling and so-called triage in handling vulnerabilities will be introduced.
From the United States, the Vulnerabilities Equities Process for National Security and the publication of a non-prosecution policy for vulnerability research will be introduced, as well as a historical background on the issue.
[cb22] ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...CODE BLUE
While hackers have known the importance of sharing research to improve security for years, the importance of coordinated vulnerability disclosure is increasingly recognized by governments around the world. The principals of disclosure an protecting security researchers are common across borders, but different countries have some key differences. This panel will present a global perspective that may in turn inform key public policy and company behavior.
ENISA has published 'Coordinated Vulnerability Disclosure policies in the EU' in April 2022 . This report not only provides an objective introduction to the current state of coordinated vulnerability disclosure policies in the Member States of the European Union, but also introduces the operation of vulnerability disclosure in China, Japan and the USA. Based on these findings, the desirable and good practice elements of a coordinated vulnerability disclosure process are examined, followed by a discussion of the challenges and issues.
This session aims to share the contents of this report and clarify the challenges and future direction of operations in Japan, as well as national security and vulnerability handling issues in the US, in a panel discussion with representatives from various jurisdictions.
The panelists are involved in the practice of early warning partnership notified bodies in Japan, the authors of the above report in Europe and the contributors to the above report in the US.
In Japan, the issues of system awareness, incentives, increase in the number of outstanding cases in handling and so-called triage in handling vulnerabilities will be introduced.
From the United States, the Vulnerabilities Equities Process for National Security and the publication of a non-prosecution policy for vulnerability research will be introduced, as well as a historical background on the issue.
The aim is that the panel discussion will enable the audience to understand the international situation surrounding CVD, as well as future trends, in particular the important role of vulnerability in cybersecurity and the challenges faced by society around it.
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...CODE BLUE
While hackers have known the importance of sharing research to improve security for years, the importance of coordinated vulnerability disclosure is increasingly recognized by governments around the world. The principals of disclosure an protecting security researchers are common across borders, but different countries have some key differences. This panel will present a global perspective that may in turn inform key public policy and company behavior.
ENISA has published 'Coordinated Vulnerability Disclosure policies in the EU' in April 2022 . This report not only provides an objective introduction to the current state of coordinated vulnerability disclosure policies in the Member States of the European Union, but also introduces the operation of vulnerability disclosure in China, Japan and the USA. Based on these findings, the desirable and good practice elements of a coordinated vulnerability disclosure process are examined, followed by a discussion of the challenges and issues.
This session aims to share the contents of this report and clarify the challenges and future direction of operations in Japan, as well as national security and vulnerability handling issues in the US, in a panel discussion with representatives from various jurisdictions.
The panelists are involved in the practice of early warning partnership notified bodies in Japan, the authors of the above report in Europe and the contributors to the above report in the US.
In Japan, the issues of system awareness, incentives, increase in the number of outstanding cases in handling and so-called triage in handling vulnerabilities will be introduced.
From the United States, the Vulnerabilities Equities Process for National Security and the publication of a non-prosecution policy for vulnerability research will be introduced, as well as a historical background on the issue.
The aim is that the panel discussion will enable the audience to understand the international situation surrounding CVD, as well as future trends, in particular the important role of vulnerability in cybersecurity and the challenges faced by society around it.
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...CODE BLUE
Yuuma Taki is enrolled in the Hokkaido Information University Information Media Faculty of Information Media (4th year).
At university he is focusing on learning about security for lower-level components, such OS and CPU. In his third year of undergraduate school, he worked on trying to implement the OS security mechanism "KASLR", at Sechack365.
Currently, he is learning about ROP derivative technology and embedded equipment security.
[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...CODE BLUE
In October 2021, we published the first analysis of Wslink – a unique loader likely linked to the Lazarus group. Most samples are packed and protected with an advanced virtual machine (VM) obfuscator; the samples contain no clear artifacts and we initially did not associate the obfuscation with a publicly known VM, but we later managed to connect it to CodeVirtualizer. This VM introduces several additional obfuscation techniques such as insertion of junk code, encoding of virtual operands, duplication of virtual opcodes, opaque predicates, merging of virtual instructions, and a nested VM.
Our presentation analyzes the internals of the VM and describes our semi automated approach to “see through” the obfuscation techniques in reasonable time. We demonstrate the approach on some bytecode from a protected sample and compare the results with a non-obfuscated sample, found subsequent to starting our analysis, confirming the method’s validity. Our solution is based on a known deobfuscation method that extracts the semantics of the virtual opcodes, using symbolic execution with simplifying rules. We further treat the bytecode chunks and some internal constructs of the VM as concrete values instead of as symbolic ones, enabling the known deobfuscation method to deal with the additional obfuscation techniques automatically.
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...CODE BLUE
Kimsuky is a North Korean APT possibly controlled by North Korea's Reconnaissance General Bureau. Based on reports from the Korea Internet & Security Agency (KISA) and other vendors, TeamT5 identified that Kimsuky's most active group, CloudDragon, built a workflow functioning as a "Credential Factory," collecting and exploiting these massive credentials.
The credential factory powers CloudDragon to start its espionage campaigns. CloudDragon's campaigns have aligned with DPRK's interests, targeting the organizations and key figures playing a role in the DPRK relationship. Our database suggested that CloudDragon has possibly infiltrated targets in South Korea, Japan, and the United States. Victims include think tanks, NGOs, media agencies, educational institutes, and many individuals.
CloudDragon's "Credential Factory" can be divided into three small cycles, "Daily Cycle," "Campaign Cycle," and "Post-exploit Cycle." The"Daily Cycle" can collect massive credentials and use the stolen credentials to accelerate its APT life cycle.
In the "Campaign Cycle," CloudDragon develops many new malware. While we responded to CloudDragon's incidents, we found that the actor still relied on BabyShark malware. CloudDragon once used BabyShark to deploy a new browser extension malware targeting victims' browsers. Moreover, CloudDragon is also developing a shellcode-based malware, Dust.
In the "Post-exploit Cycle," the actor relied on hacking tools rather than malicious backdoors. We also identified that the actor used remote desktop software to prevent detection.
In this presentation, we will go through some of the most significant operations conducted by CloudDragon, and more importantly, we will provide possible scenarios of future invasions for defense and detection.
[cb22] From Parroting to Echoing: The Evolution of China’s Bots-Driven Info...CODE BLUE
Social media is no doubt a critical battlefield for threat actors to launch InfoOps, especially in a critical moment such as wartime or the election season. We have seen Bot-Driven Information Operations (InfoOps, aka influence campaign) have attempted to spread disinformation, incite protests in the physical world, and doxxing against journalists.
China's Bots-Driven InfoOps, despite operating on a massive scale, are often considered to have low impact and very little organic engagement. In this talk, we will share our observations on these persistent Bots-Driven InfoOps and dissect their harmful disinformation campaigns circulated in cyberspace.
In the past, most bots-driven operations simply parroted narratives of the Chinese propaganda machine, mechanically disseminating the same propaganda and disinformation artifacts made by Chinese state media. However, recently, we saw the newly created bots turn to post artifacts in a livelier manner. They utilized various tactics, including reposting screenshots of forum posts and disguised as members of “Milk Tea Alliance,” to create a false appearance that such content is being echoed across cyberspace.
We particularly focus on an ongoing China's bots-driven InfoOps targeting Taiwan, which we dub "Operation ChinaRoot." Starting in mid-2021, the bots have been disseminating manipulated information about Taiwan's local politics and Covid-19 measures. Our further investigation has also identified the linkage between Operation ChinaRoot and other Chinese state-linked networks such as DRAGONBRIDGE and Spamouflage.
[cb22] Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...CODE BLUE
Malwares written in Go is increasing every year. Go's cross-platform nature makes it an opportune language for attackers who wish to target multiple platforms. On the other hand, the statically linked libraries make it difficult to distinguish between user functions and libraries, making it difficult for analysts to analyze. This situation has increased the demand for Go malware classification and exploration.
In this talk, we will demonstrate the feasibility of computing similarity and classification of Go malware using a newly proposed method called gimpfuzzy. We have implemented "gimpfuzzy", which incorporates Fuzzy Hashing into the existing gimphash method. In this talk, we will verify the discrimination rate of the classification using the proposed method and confirm the validity of the proposed method by discussing some examples from the classified results. We will also discuss issues in Go-malware classification.
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...CODE BLUE
Malware analysts normally obtain IP addresses of the malware's command & control (C2) servers by analyzing samples. This approach works in commoditized attacks or campaigns. However, with targeted attacks using APT malware, it's difficult to acquire a sufficient number of samples for organizations other than antivirus companies. As a result, malware C2 IOCs collected by a single organization are just the tip of the iceberg.
For years, I have reversed the C2 protocols of high-profile APT malware families then discovered the active C2 servers on the Internet by emulating the protocols. In this presentation, I will explain how to emulate the protocols of two long-term pieces of malware used by PRC-linked cyber espionage threat actors: Winnti 4.0 and ShadowPad.
Both pieces of malware support multiple C2 protocols like TCP/TLS/HTTP/HTTPS/UDP. It's also common to have different data formats and encoding algorithms per each protocol in one piece of malware. I'll cover the protocol details while referring to unique functions such as server-mode in Winnti 4.0 and multiple protocol listening at a single port in ShadowPad. Additionally, I'll share the findings regarding the Internet-wide C2 scanning and its limitations.
After the presentation, I'll publish over 140 C2 IOCs with the date ranges in which they were discovered. These dates are more helpful than just IP address information since the C2s are typically found on hosted servers, meaning that the C2 could sometimes exist on a specific IP only for a very limited time. 65% of these IOCs have 0 detection on VirusTotal as of the time of this writing.
[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...CODE BLUE
We are swamped with new types of malware every day. The goal of malware analysis is not to reveal every single detail of the malware. It is more important to develop tools for efficiency or introduce automation to avoid repeating the same analysis process. Therefore, malware analysts usually actively develop tools and build analysis systems. On the other hand, it costs a lot for such tool developments and system maintenance. Incident trends change daily, and malware keeps evolving. However, it is not easy to keep up with new threats. Malware analysts spend a long time maintaining their analysis systems, and it results in reducing their time for necessary analysis of new types of malware.
To solve these problems, we incorporate DevOps practices into malware analysis to reduce the cost of system maintenance by using CI/CD and Serverless. This presentation shares our experience on how CI/CD, Serverless, and other cloud technologies can be used to streamline malware analysis. Specifically, the following case studies are discussed.
* Malware C2 Monitoring
* Malware Hunting using Cloud
* YARA CI/CD system
* Malware Analysis System on Cloud
* Memory Forensic on Cloud
Through the above case studies, we will share the benefits and tips of using the cloud and show how to build a similar system using Infrastructure as Code (IaC). The audience will learn how to improve the efficiency of malware analysis and build a malware analysis system using Cloud infrastructure.
Have you ever wondered how search works while visiting an e-commerce site, internal website, or searching through other types of online resources? Look no further than this informative session on the ways that taxonomies help end-users navigate the internet! Hear from taxonomists and other information professionals who have first-hand experience creating and working with taxonomies that aid in navigation, search, and discovery across a range of disciplines.
Sharpen existing tools or get a new toolbox? Contemporary cluster initiatives...Orkestra
UIIN Conference, Madrid, 27-29 May 2024
James Wilson, Orkestra and Deusto Business School
Emily Wise, Lund University
Madeline Smith, The Glasgow School of Art
This presentation by Morris Kleiner (University of Minnesota), was made during the discussion “Competition and Regulation in Professions and Occupations” held at the Working Party No. 2 on Competition and Regulation on 10 June 2024. More papers and presentations on the topic can be found out at oe.cd/crps.
This presentation was uploaded with the author’s consent.
Acorn Recovery: Restore IT infra within minutesIP ServerOne
Introducing Acorn Recovery as a Service, a simple, fast, and secure managed disaster recovery (DRaaS) by IP ServerOne. A DR solution that helps restore your IT infra within minutes.
0x01 - Newton's Third Law: Static vs. Dynamic AbusersOWASP Beja
f you offer a service on the web, odds are that someone will abuse it. Be it an API, a SaaS, a PaaS, or even a static website, someone somewhere will try to figure out a way to use it to their own needs. In this talk we'll compare measures that are effective against static attackers and how to battle a dynamic attacker who adapts to your counter-measures.
About the Speaker
===============
Diogo Sousa, Engineering Manager @ Canonical
An opinionated individual with an interest in cryptography and its intersection with secure software development.
This presentation, created by Syed Faiz ul Hassan, explores the profound influence of media on public perception and behavior. It delves into the evolution of media from oral traditions to modern digital and social media platforms. Key topics include the role of media in information propagation, socialization, crisis awareness, globalization, and education. The presentation also examines media influence through agenda setting, propaganda, and manipulative techniques used by advertisers and marketers. Furthermore, it highlights the impact of surveillance enabled by media technologies on personal behavior and preferences. Through this comprehensive overview, the presentation aims to shed light on how media shapes collective consciousness and public opinion.
If you happen to work at a company that produces lots of different products, you may not only being looking for bugs in your own code, but also in other vendor’s products as well
I’ll show you how it’s possible to have a coordinated approach to getting bugs fixed outside your company, which is especially valuable if your platform supports or relies on them
High level of what we’re doing now
David is working on new ways to handle authentication that don’t depend on humans generating and remembering text for their security
MSVR is a program within Microsoft that handles bugs in non-Microsoft software
Bugs are usually found and submitted by security researchers at Microsoft across the divisions and this program coordinates fixes and advisories with the third-party vendors
MSVR is a program within Microsoft that handles bugs in non-Microsoft software
Bugs are usually found and submitted by security researchers at Microsoft across the divisions and this program coordinates fixes and advisories with the third-party vendors
More on this later
Reference for Reader+Java remark = SIR
Example: Subtle bug in BIND DNS Server that could affect Microsoft DNS Server
Reference: “Microsoft Vulnerability Research: Playing Well with Others Since 2009”
This is not about trying to force companies or researchers to work with us, but rather make sure we also live up to Microsoft’s standards and work to make everyone involved happy
Not complete but gives you a picture of the circumstances in which we tend to find vulnerabilities
Key point: it is okay to use company resources and tools to find vulnerabilities on company time, as long as you also do your job
Bugs that are below the bar still have some requirements (see later slide) but MSVR doesn’t have resources to help report them.
CVD ensures the vendor is notified and given a reasonable amount of time to fix
CVD requirement is actually in our employee handbook
CVD ensures the vendor is notified and given a reasonable amount of time to fix
CVD requirement is actually in our employee handbook
Also logged in a tracking database
Or send a mail to msvr@Microsoft
Qualifying bug = high enough severity, Microsoft platform
We don’t want to waste others’ time with incorrect or nonspecific reports
If the bug is a design flaw, maybe you have an idea to design it better
Human error doesn’t really qualify here
Hypothetical example
Lots of legwork here
Optional for MSVR
The finder always has an option to release their own content too, as long as the vendor has patched
The idea here is to attract attention to noteworthy vulnerabilities that may not otherwise attract it. E.g. we may not need to do an advisory for an Adobe issue because it’s something everyone already knows about (unless it’s under attack), nor an advisory for an XSS flaw where there’s no user action, but might do one for a vuln in a common piece of software that isn’t often patched.
There’s a tension between wanting to avoid warning the world when the danger isn’t that high, while still wanting to provide credit to your people. Having two advisory forms lets us do both.
http://technet.microsoft.com/en-us/security/msvr/msvr12-017
This is one of the tools we use in MMPC (Microsoft Malware Protection Center) to analyze and visualize file formats
Partial paste of PoC adjusted from a fuzzer-mutated OVF file
The xmlsns:ovf envelope property is malformed; instead of pointing to the ovf schema url, it’s full of %p’s, which when interrupted by a function that takes format specifies, will print values as pointers
Their team likely has access to internal knowledge about BB products, so they could see further than we could on if this was an issue or not
Thanks BlackBerry Security team!
Why use your own program instead of brokers?
Maybe your company has some great resources you can utilize to make bug hunting more interesting and efficient
If we all do this it’s good for everyone. Even if we don’t all do it, it’s still good just for you.
We understand complex software and know which fixes should and should not take a long time
We understand complex software and know which fixes should and should not take a long time