Over the past decade, network security games called Capture the Flag (CTF) have come to prominence. Anyone who has taken part in these games already understands how enjoyable they are. Such games not only continually present participants with new challenges; they also offer interaction with people who share similar interests and high standing among one's peers, and recently even the chance to win a variety of prizes. Run properly, these games are also a very important element in that they make it possible to cultivate the next generation of computer professionals. This talk presents the challenges, and proposed improvements, in using such games for training and for evaluating people for talent development.
Chris Eagle
Chris Eagle is a Senior Lecturer at the Naval Postgraduate School in Monterey, California. A computer engineer and researcher for more than 28 years, his research interests include computer network operations, forensics and reverse engineering. He has spoken at conferences such as Black Hat, DEF CON, Infiltrate and ShmooCon, and is the author of "The IDA Pro Book," regarded as the definitive handbook on IDA Pro. He has won the DEF CON Capture the Flag competition multiple times and, from 2009 to 2012, was on the team that organized and ran that CTF. He is currently working with DARPA on building the Cyber Grand Challenge competition.
This is a translation of the German preview for Tyranids 5th edition. I was not going to post it originally, but I believe it to be more accurate than the other translation that is circulating. This is not based off rumors or speculation, this is 100% from the preview, and where applicable I have made notes when uncertain of something.
Local newspaper produced for academic purposes. My contributions were "Cuando la rentabilidad lo es todo" (editorial) and "Campo de Cebada, un lugar para cultivar ideas" (feature).
Pain relief with cryotherapy: BIOFREEZE, the only one with Yerba Mate
BIOFREEZE
Ice is very effective, but it is not very convenient.
BIOFREEZE relieves pain through a mechanism called CRYOTHERAPY, that is, cold therapy, which reduces inflammation and therefore relieves pain.
This process of cooling and warming the tissue stimulates the return of blood flow to the affected areas. The same process can also be achieved by applying ice, but that can cause undesirable side effects such as muscle stiffness, reduced range of motion and skin irritation, in addition to the discomfort as it melts.
BIOFREEZE produces the same sensation with the same therapeutic effects as ice, but allows activity during treatment, and thanks to its ILEX Paraguariensis (Yerba Mate) content it reduces inflammation in the affected area, allowing a fast and lasting recovery.
Indications: Topical analgesic: Contractures, joint stiffness, arthritis and tendinitis, sprains and strains, cramps, tired legs and feet, bruises, Osgood-Schlatter (osteochondrosis)
BIOFREEZE can be used in traumatology, rheumatology, physiotherapy, chiropractic and sports medicine therapies.
Composition: Menthol 3.5%, Isopropanol, Camphor, Carbomer, Herbal Extract (ILEX Paraguariensis), Methylparaben, Propylene Glycol, Silicon Dioxide, Triethanolamine, Water
Contraindications: Do not use this medicine on sunburned or windburned, dry, cut, irritated or broken skin.
Side effects: None reported. Consult a specialist if you experience the following symptoms: allergic reaction: hives; difficulty breathing; swelling of the face, lips, tongue or throat.
Drug interactions: None reported.
Dosage:
Adults and children over 2 years: apply the product to the affected area, pressing gently; massage is not necessary. The recommended dose is 1 to 4 applications per day on the affected area. In case of sensitive skin, pregnancy or breastfeeding, consult your doctor.
Presentation: Gel tube 4 oz., Spray 4 oz.; Dispenser 16 oz., roll-on 2 oz., 5 g sachets. Gallon with dispenser.
[cb22] Hayabusa Threat Hunting and Fast Forensics in Windows environments fo...CODE BLUE
It started with computer hacking and Japanese linguistics as a kid. Zach Mathis has been based in Kobe, Japan, and has performed both red team services and blue team incident response and defense consultation for major global Japanese corporations since 2006. He is the founder of Yamato Security, one of the largest and most popular hands-on security communities in Japan, and has been providing free training since 2012 to help improve the local security community. Since 2016, he has been teaching security for the SANS Institute and holds numerous GIAC certifications. Currently, he is working with other Yamato Security members to provide free and open-source security tools to help security analysts with their work.
[cb22] Tales of 5G hacking by Karsten NohlCODE BLUE
Most 5G networks are built in fundamentally new ways, opening new hacking avenues.
Mobile networks have so far been monolithic systems from big vendors; now they become open vendor-mixed ecosystems. Networks are rapidly adopting cloud technologies including dockerization and orchestration. Cloud hacking techniques become highly relevant to mobile networks.
The talk dives into the hacking potential of the technologies needed for these open networks. We illustrate the security challenges with vulnerabilities we found in real-world networks.
[cb22] Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...CODE BLUE
Printer has become one of the essential devices in the corporate intranet for the past few years, and its functionalities have also increased significantly. Not only print or fax, cloud printing services like AirPrint are also being supported as well to make it easier to use. Direct printing from mobile devices is now a basic requirement in the IoT era. We also use it to print some internal business documents of the company, which makes it even more important to keep the printer safe.
Nowadays, most of the printers on the market do not have to be connected with USB or traditional cable. As long as you are using a LAN cable connected to the intranet, the computer can find and use the printer immediately. Most of them are based on protocols such as SLP and LLMNR. But is it really safe when vendors adopt those protocols? Furthermore, many printers do not use traditional Linux systems, but use RTOS(Real-Time Operating System) instead, how will this affect the attacker?
In this talk, we will use Canon ImageCLASS MF644Cdw and HP Color LaserJet Pro MFP M283fdw as case study, showing how to analyze and gain control access to the printer. We will also demonstrate how to use the vulnerabilities to achieve RCE in RTOS in unauthenticated situations.
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...CODE BLUE
While hackers have known the importance of sharing research to improve security for years, the importance of coordinated vulnerability disclosure is increasingly recognized by governments around the world. The principles of disclosure and of protecting security researchers are common across borders, but different countries have some key differences. This panel will present a global perspective that may in turn inform key public policy and company behavior.
ENISA published 'Coordinated Vulnerability Disclosure policies in the EU' in April 2022. This report not only provides an objective introduction to the current state of coordinated vulnerability disclosure policies in the Member States of the European Union, but also introduces the operation of vulnerability disclosure in China, Japan and the USA. Based on these findings, the desirable and good-practice elements of a coordinated vulnerability disclosure process are examined, followed by a discussion of the challenges and issues.
This session aims to share the contents of this report and clarify the challenges and future direction of operations in Japan, as well as national security and vulnerability handling issues in the US, in a panel discussion with representatives from various jurisdictions.
The panelists are involved in the practice of early warning partnership notified bodies in Japan, the authors of the above report in Europe and the contributors to the above report in the US.
In Japan, the issues of system awareness, incentives, increase in the number of outstanding cases in handling and so-called triage in handling vulnerabilities will be introduced.
From the United States, the Vulnerabilities Equities Process for National Security and the publication of a non-prosecution policy for vulnerability research will be introduced, as well as a historical background on the issue.
The aim is that the panel discussion will enable the audience to understand the international situation surrounding CVD, as well as future trends, in particular the important role of vulnerabilities in cybersecurity and the challenges society faces around them.
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...CODE BLUE
Yuuma Taki is a fourth-year student in the Faculty of Information Media at Hokkaido Information University.
At university he is focusing on security for lower-level components, such as the OS and CPU. In his third year of undergraduate study, he worked on implementing the OS security mechanism "KASLR" at SecHack365.
Currently, he is learning about ROP derivative technology and embedded equipment security.
[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...CODE BLUE
In October 2021, we published the first analysis of Wslink – a unique loader likely linked to the Lazarus group. Most samples are packed and protected with an advanced virtual machine (VM) obfuscator; the samples contain no clear artifacts and we initially did not associate the obfuscation with a publicly known VM, but we later managed to connect it to CodeVirtualizer. This VM introduces several additional obfuscation techniques such as insertion of junk code, encoding of virtual operands, duplication of virtual opcodes, opaque predicates, merging of virtual instructions, and a nested VM.
Our presentation analyzes the internals of the VM and describes our semi-automated approach to "see through" the obfuscation techniques in reasonable time. We demonstrate the approach on some bytecode from a protected sample and compare the results with a non-obfuscated sample, found after we started our analysis, confirming the method's validity. Our solution is based on a known deobfuscation method that extracts the semantics of the virtual opcodes, using symbolic execution with simplifying rules. We further treat the bytecode chunks and some internal constructs of the VM as concrete values instead of symbolic ones, enabling the known deobfuscation method to deal with the additional obfuscation techniques automatically.
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...CODE BLUE
Kimsuky is a North Korean APT possibly controlled by North Korea's Reconnaissance General Bureau. Based on reports from the Korea Internet & Security Agency (KISA) and other vendors, TeamT5 identified that Kimsuky's most active group, CloudDragon, built a workflow functioning as a "Credential Factory," collecting and exploiting these massive credentials.
The credential factory powers CloudDragon to start its espionage campaigns. CloudDragon's campaigns have aligned with DPRK's interests, targeting the organizations and key figures playing a role in the DPRK relationship. Our database suggested that CloudDragon has possibly infiltrated targets in South Korea, Japan, and the United States. Victims include think tanks, NGOs, media agencies, educational institutes, and many individuals.
CloudDragon's "Credential Factory" can be divided into three smaller cycles: the "Daily Cycle," the "Campaign Cycle," and the "Post-exploit Cycle." The "Daily Cycle" collects massive numbers of credentials and uses the stolen credentials to accelerate its APT life cycle.
In the "Campaign Cycle," CloudDragon develops a great deal of new malware. While responding to CloudDragon's incidents, we found that the actor still relied on BabyShark malware. CloudDragon once used BabyShark to deploy a new browser extension malware targeting victims' browsers. Moreover, CloudDragon is also developing a shellcode-based malware, Dust.
In the "Post-exploit Cycle," the actor relied on hacking tools rather than malicious backdoors. We also identified that the actor used remote desktop software to prevent detection.
In this presentation, we will go through some of the most significant operations conducted by CloudDragon, and more importantly, we will provide possible scenarios of future invasions for defense and detection.
[cb22] From Parroting to Echoing: The Evolution of China’s Bots-Driven Info...CODE BLUE
Social media is no doubt a critical battlefield for threat actors to launch InfoOps, especially at a critical moment such as wartime or the election season. We have seen Bot-Driven Information Operations (InfoOps, aka influence campaigns) attempt to spread disinformation, incite protests in the physical world, and doxx journalists.
China's Bots-Driven InfoOps, despite operating on a massive scale, are often considered to have low impact and very little organic engagement. In this talk, we will share our observations on these persistent Bots-Driven InfoOps and dissect their harmful disinformation campaigns circulated in cyberspace.
In the past, most bots-driven operations simply parroted narratives of the Chinese propaganda machine, mechanically disseminating the same propaganda and disinformation artifacts made by Chinese state media. Recently, however, we saw newly created bots turn to posting artifacts in a livelier manner. They utilized various tactics, including reposting screenshots of forum posts and disguising themselves as members of the "Milk Tea Alliance," to create a false appearance that such content is being echoed across cyberspace.
We particularly focus on an ongoing Chinese bots-driven InfoOps targeting Taiwan, which we dub "Operation ChinaRoot." Starting in mid-2021, the bots have been disseminating manipulated information about Taiwan's local politics and Covid-19 measures. Our further investigation has also identified the linkage between Operation ChinaRoot and other Chinese state-linked networks such as DRAGONBRIDGE and Spamouflage.
[cb22] Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...CODE BLUE
Malware written in Go is increasing every year. Go's cross-platform nature makes it an opportune language for attackers who wish to target multiple platforms. On the other hand, the statically linked libraries make it difficult to distinguish user functions from library code, which makes analysis difficult. This situation has increased the demand for Go malware classification and exploration.
In this talk, we will demonstrate the feasibility of computing similarity and classification of Go malware using a newly proposed method called gimpfuzzy. We have implemented "gimpfuzzy", which incorporates Fuzzy Hashing into the existing gimphash method. In this talk, we will verify the discrimination rate of the classification using the proposed method and confirm the validity of the proposed method by discussing some examples from the classified results. We will also discuss issues in Go-malware classification.
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...CODE BLUE
Malware analysts normally obtain IP addresses of the malware's command & control (C2) servers by analyzing samples. This approach works in commoditized attacks or campaigns. However, with targeted attacks using APT malware, it's difficult to acquire a sufficient number of samples for organizations other than antivirus companies. As a result, malware C2 IOCs collected by a single organization are just the tip of the iceberg.
For years, I have reversed the C2 protocols of high-profile APT malware families then discovered the active C2 servers on the Internet by emulating the protocols. In this presentation, I will explain how to emulate the protocols of two long-term pieces of malware used by PRC-linked cyber espionage threat actors: Winnti 4.0 and ShadowPad.
Both pieces of malware support multiple C2 protocols like TCP/TLS/HTTP/HTTPS/UDP. It's also common to have different data formats and encoding algorithms per each protocol in one piece of malware. I'll cover the protocol details while referring to unique functions such as server-mode in Winnti 4.0 and multiple protocol listening at a single port in ShadowPad. Additionally, I'll share the findings regarding the Internet-wide C2 scanning and its limitations.
After the presentation, I'll publish over 140 C2 IOCs with the date ranges in which they were discovered. These dates are more helpful than just IP address information since the C2s are typically found on hosted servers, meaning that the C2 could sometimes exist on a specific IP only for a very limited time. 65% of these IOCs have 0 detection on VirusTotal as of the time of this writing.
[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...CODE BLUE
We are swamped with new types of malware every day. The goal of malware analysis is not to reveal every single detail of the malware. It is more important to develop tools for efficiency or introduce automation to avoid repeating the same analysis process. Therefore, malware analysts usually actively develop tools and build analysis systems. On the other hand, it costs a lot for such tool developments and system maintenance. Incident trends change daily, and malware keeps evolving. However, it is not easy to keep up with new threats. Malware analysts spend a long time maintaining their analysis systems, and it results in reducing their time for necessary analysis of new types of malware.
To solve these problems, we incorporate DevOps practices into malware analysis to reduce the cost of system maintenance by using CI/CD and Serverless. This presentation shares our experience on how CI/CD, Serverless, and other cloud technologies can be used to streamline malware analysis. Specifically, the following case studies are discussed.
* Malware C2 Monitoring
* Malware Hunting using Cloud
* YARA CI/CD system
* Malware Analysis System on Cloud
* Memory Forensics on Cloud
Through the above case studies, we will share the benefits and tips of using the cloud and show how to build a similar system using Infrastructure as Code (IaC). The audience will learn how to improve the efficiency of malware analysis and build a malware analysis system using Cloud infrastructure.
The 5 Big Problems of Cyber Security - And How Security Professionals & Hackers Can Save The World, by Keren Elazari aka @K3r3n3 for CODE BLUE, Japan
Thank you for inviting me to Japan. Hackers are my heroes, and the perspective I’d like to offer you today is that hackers represent an exceptional force for change with the power to literally save our digital future – and we need to think like hackers and take actions today.
What’s the biggest problem discovered in 2014? IoT? Spam? Private data leaks? PoS breaches? Retail? APTs? Spam-serving botnets? DDoS? Is it problems with Tor / the darknet? Threats to Apple’s iOS? Crypto failures like OpenSSL Heartbleed? POODLE? Microsoft SChannel? The prevalence of zero-days? Attacks on the energy sector? 2014 was a monumental year for breaches, bugs and problems.
Think about the past year – what was the biggest SECURITY problem discovered in 2014?
Was it the TARGET, JP MORGAN and HOME DEPOT credit card thefts? Maybe P2P BOTNETS like GAMEOVER ZEUS? Or the problems discovered in fundamental internet building blocks, like HEARTBLEED, BASH SHELLSHOCK and SSL POODLE? Maybe you are thinking about mobile malware and attacks on the Apple ecosystem, like the iCloud hacks or WireLurker, or perhaps about threats to energy and public infrastructure? Or about more threats to people’s PRIVACY?
The recent attack on SONY PICTURES ENTERTAINMENT by the so-called “Guardians of Peace”… (allegedly from North Korea)?
Whichever way you look at it, the past year, 2014, has been record-breaking in breaches and cyber-attacks. A year that showed everyone is affected by security problems.
This year has proved that we are all connected, and no one is safe. There is an old security saying: there are only two types of organizations, those who have been hit and those who don’t yet know it.
Hackers know how to get anywhere. I learned this lesson almost 20 years ago from this lady: ANGELINA JOLIE. I was 14 when I saw the 1995 movie Hackers, and I realized all the stuff I loved doing was called being a hacker, and if Angelina Jolie could do it, why not try it myself…
Since then, I’ve been in the security / hacking community and industry for almost 20 years now. I come from Tel Aviv, Israel. I’ve worked with and for all kinds of technology companies, government agencies and academic think tanks. Now I’m an independent analyst: I track trends and bring different points of view together.
Our world is changing. We don’t know what’s around the corner, or how technology is going to shape our future. I have a prediction: the safety of the digital ecosystem we rely on is at risk.
6 months ago I had the honor of speaking at TED. I claimed that hackers CAN BE part of the information age’s immune system, IF WE SEE THEM AS A distributed force, made of individual actors, that identify the problems and the vulnerable aspects in the world, and push technology's onward evolution.
More than 1 million people have already watched it on TED.com and it’s been translated into 20 languages. But after some time, I realized that while TED helped me reach the general population, really it’s YOU I should be talking to: the hackers and security professionals who can actually make a difference in this world!
TODAY I’d like to broaden that PERSPECTIVE AND TAKE THE IMMUNE SYSTEM ANALOGY FURTHER.
If we are all connected, we all have to be part of that immune system, and we can be!
Now is the time. Every one of us is on the front lines! It’s time to be the heroes.
In order to make that difference, we have to make a choice. To help you make that choice, in the next 30 minutes I will show you some of the biggest problems of cyber security, which is why cyberspace needs you, and the things we can do, right now, to make a difference.
Here is PROBLEM 1, probably the most complicated one: IT’S Cyber Space, NOT just the WWW. We are no longer dealing with securing web sites, internet servers, databases or INFORMATION SYSTEMS. Some people make fun of the term CYBERSPACE. But I think there’s a valid reason to use the term, and here’s why. Do any of you know where the word actually comes from? Research it: “cyber” isn’t just a buzzword, it actually means something!
in 1948 an American math Prof Norbert Wiener borrowed the term Kybernetes, Ancient Greek for steersman- to describe the new science of CONTROL AND COMMUNICATION SYSTEMS IN THE ANIMAL AND THE MACHINE.
That’s because in 1948 a math prof Norbert Wiener borrowed the term Kybernetes, Ancient Greek for steersman- to describe the new science of CONTROL AND COMMUNICATION SYSTEMS IN THE ANIMAL AND THE MACHINE.
Cybernetics is a network of constant interactions and communications.
The term describes feedback, communication and control in systems, where a system obtains information on its progress, assesses the feedback, corrects its course and receives further feedback on the success of the transmission.
This is the Kybernetes, the guy running the ship. Telling it where to go, how fast, and what to do.
So I think it is accurate to talk about CYBER SECURITY as the effort to secure all of the command, control and communication technologies that fuel modern society – it’s not just information, passwords or databases.
It’s the same technology that’s controlling freaking laser-shooting robots on Mars –
And lets them tweet about it!
BTW - What is the most prevalent language in the galaxy? It’s JAVA. Java running on billions of DEVICES.
We should talk about CYBER SECURITY because there is a change going on: in the past 25 years, these technologies and software environments were the source of most of the software bugs that led to security problems.
25 years of vulnerability research report - a historical look at vulnerabilities:
Linux kernel having the most CVE vulnerabilities of all products
Microsoft being the vendor with the most vulnerabilities
buffer overflow is the top vulnerability of the quarter century
OS Level bugs e.g. Font rendering bugs for one major OS family (MS Windows)
Software bugs in popular applications e.g. MS Office, Web browsers, Adobe PDF
Display / rendering bugs
Web application bugs
Network protocols vulnerabilities and exploitable design flaws
Telecom systems (Phreaking & GSM)
But in the next 25 years? It’s going to be these technologies: GPS, radio, satellite, air traffic control and many more - connected, vulnerable environments that are not just “IT” (information technology): cars, ATMs, medical devices, homes. And it’s all now connected to GPS, radio systems, satellite communication, industrial control systems.
Some of these are controlled by governments, some are publicly owned or privately run by technology companies. And most of it is owned by companies that just make stuff, like submarines, or medical devices, or traffic lights – and NOBODY told them they’re supposed to be a cyber-security company, too. These are old and new technologies used in new, unexpected ways that expose more vulnerabilities and design flaws than ever before. And there isn’t one government agency on the planet that has the power or authority to secure all of it, even if they wanted to with all their heart.
CYBER SECURITY is also about spoofing GPS signals, as University of Texas students did to dupe the human steersman on this 80 million $ yacht – and hijack its course.
Students from the University of Texas gave us another reason not to mess with the Lone Star state: they'll hack your yacht. In cooperation with a luxury boat's owners, the Longhorns manipulated their $80 million vessel's nav system, covertly guiding it off-course -- all without the crew ever suspecting foul play. By transmitting spoofed global positioning system signals toward the craft, the students tricked its drivers into correcting a non-existent, three-degree course deviation, thus leading them off track
http://arstechnica.com/security/2013/07/professor-spoofs-80m-superyachts-gps-receiver-on-the-high-seas/
Humphreys conducted the test in the Ionian Sea in late June 2013 and early July 2013 with the full consent of the “White Rose of Drachs” yacht captain. His work shows just how vulnerable and relatively easy it is to send out a false GPS signal and trick the on-board receiver into believing it.
“What we did was out in the open. It was against a live vehicle, a vessel—an $80 million superyacht, controlling it with a $2,000 box.” “There were no alarms on the bridge. The GPS receiver showed a strong signal the whole time. You just need to have approximate line of sight visibility. Let’s say you had an unmanned drone. You could do it from 20 to 30 kilometers away, or on the ocean you could do two to three kilometers.”
It’s the radio frequencies that allowed hackers to hack into insulin pumps and pacemakers.
It’s about hacking satellites –
But cyber security is also about hacking a Bluetooth enabled toilet!
Unless you want to join the Amish, we had better start doing something differently about all of this tech.
Can we SECURE ALL THE THINGS? The reality is, there’s no way any single government organization, or single vendor, ISP or mega corporation could find and solve all of the problems. Even if they really wanted to and had the best intentions in mind.
And what about all the new WEB giants that host a vast percentage of the human experience?
So this is CYBERSPACE, this is the world we need to consider THE JOINT RESPONSIBILITY of hackers and security professionals - one big ecosystem! We are all connected.
So the biggest problem might be part of the solution: if we are all connected - that is the nature of the cybernetic world - then we are all part of one big ecosystem, where we can all work together to find the problems.
Here’s REASON NUMBER 2 YOU SHOULD CARE, the second big problem: we share this ecosystem with creative, innovative and collaborative BAD GUYS, criminals and spies!
Bad guys that will do anything to get what they want – and they are CREATIVE.
This year we have seen things like peer-to-peer versions of Zeus, GameOver, or the new Citadel variant.
New destructive attacks like cryptolockers that take over entire hard drives and WIPERs that delete hard drives and wipe the BIOS.
Or MALVERTISING, which is posting MALWARE in ads on well known websites.
CISCO claims you are 182 times more likely to be infected by a malicious ad than by visiting an adult content site.
ROGUE ANTI VIRUS, which tricks the user and installs MALWARE.
We have seen massive growth in MOBILE DEVICE malware
and POINT OF SALE (POS) malware stealing credit card numbers directly from the cash registers.
All this to show you that the current wave of cybercrime entrepreneurs have learned the trick: innovate, diversify, create new revenue streams and get their hands on your machines.
What should WE do faced with these threats? Well, you could keep calm and carry on.
What about taking a cue from the bad guys themselves, and working to collaborate & innovate?
One way is to set up & participate in information sharing groups, within your sector, industry or community, where everyone can share real time data about attacks they are dealing with. Even if you can’t share data about attacks because of privacy or technical concerns – there’s nothing stopping you from sharing knowledge and experience of practical methods that work.
Sharing is caring – but many people say, we still prefer to not share and not care.
So why should YOU care? Problem number 3, reason number 3: there are huge resources invested in keeping the world vulnerable - not just criminals.
Over the past year, we have learned that certain governments are spending billions on vulnerability research.
Not just cybercriminals: there is a lot of money & resources that is actually going into making the world vulnerable.
Paying security companies to include weak encryption algorithms and backdoors.
Or knowing about the Heartbleed OpenSSL bug for 2 years - which affected basically anyone who’s used the internet in the past two years – and not telling anyone.
What really makes my heart bleed about this though, is things like this: a publication that came out in July 2014, the cover of TIME – with a story about the zero day vulnerability industry. This is about the small private companies that sell zero day exploits to the highest bidder – and the headline sets out HACKERS as ARMS DEALERS.
So the solution to this problem: my perspective is that you should not keep your bugs to yourself, and don’t be an arms dealer. Instead, practice responsible / coordinated disclosure - disclose vulnerabilities and exploits to vendors who will get them fixed.
Who has posted to a BB program? Expose bugs, participate in bug bounties, do what the ASUS hackers did, IBB, Project Zero; watch “5 stages of vuln response grief” – Katie Moussouris
No better disinfectant than the light of day! By exposing and disclosing bugs and vulnerabilities, we make everyone safer!
And there are now many incentive programs for that:
Who has heard about, or posted to, a Bug Bounty program?
There are many BB programs – like FACEBOOK,
August 2013: 1 million $ already paid in 2 years of the program, some researchers netting 20K and 100K!
https://www.facebook.com/notes/facebook-security/an-update-on-our-bug-bounty-program/10151508163265766
SAMSUNG, YAHOO, MOZILLA, PAYPAL. You can contribute to bug bounty programs for fun and profit – tomorrow you will hear from a BUG hunter.
There are literally hundreds of them! ALL THE COOL KIDS ARE DOING IT.
Source : https://bugcrowd.com/list-of-bug-bounty-programs/
There are also the hackerone.com vulnerability disclosure programs.
The Internet Bug Bounty by HackerOne is rewarding friendly hackers who contribute to a more secure internet by finding bugs in things like PHP, OpenSSL and Ruby – technologies that everyone relies on!
I heard that in Japan there are some signs of opening up to this idea. I know it’s scary - but there is huge potential in letting hundreds of hackers go through your code.
Japanese bug bounties, from this article:
http://www.yomiuri.co.jp/it/security/snews/20141031-OYT8T50180.html
“"when society does not appreciate the act of discovering a vulnerability, flows rapidly into the world of back“
社会が脆弱性を発見する行為を高く評価しないと、どんどん裏の世界に流れてしまう」と懸念する
Quote by MR TOSHIO NAWA
Japanese bug hunter, Higashi-nai
Akitsugu Ito (34) of Cybozu, a Tokyo software development company, explains a reward system that began this year in June. A person who finds a vulnerability in their products and services is paid a reward of up to one million yen, depending on the degree of risk. So far there have been more than 200 reports from engineers and students; about 100 have been certified as vulnerabilities, and it was decided to pay about 8.1 million yen.
Upon receipt of a report, an in-house team verifies its contents and then publishes it along with a fix. After the system was introduced, reports from outside more than tripled. Responding to them is a lot of work, but “it is painful to be misunderstood as a dangerous company just because so many defects are found by customers” (Ito-san).
Before the introduction there was also an internal dispute that it would “discredit the company.” But Mr. Ito and colleagues persuaded them that “rather than leaving the vulnerabilities, it is better to fix them aggressively and let people understand that we are safe”.
If you don’t do vulnerability research but have some working exploits, or malware samples, you can upload them to Exploit DB,
the Open Source Vulnerability Database,
or VirusTotal – these are all sites where you can upload samples of exploits, potential vulnerabilities and suspicious files.
Google acquired VirusTotal back in September 2012, promising VirusTotal would continue to operate independently. BTW, Regin suspicious files were first identified by Microsoft in 2011 after files were uploaded there.
By default, any file/URL submitted to VirusTotal which is detected by at least one scanner is freely sent to all those scanners that do not detect the resource. Free to use, with PC & Mac uploaders.
Der Spiegel reported that, according to Snowden documents, the computer networks of the European Union were infiltrated by the NSA in the months before the first discovery of Regin.
SOME OF YOU ARE STILL NOT CONVINCED. Maybe you don’t rely on any of these technologies, or you are not into vulnerability research – or you don’t think YOUR organization will be affected.
Why should you care? My next two points are kind of like two sides of the same coin:
Problem #4 We Are As Vulnerable As Our Weakest Link
We are all connected to our partners, employees, parents – and some of them are weak, easy TARGETS. Example: Target, the massive US retailer – the attackers got in by hacking first into Fazio Mechanical Services, their REFRIGERATION company - from there, the criminals got into the internal systems, and eventually the point of sale system.
Even the F35 fighter jet program, developed by LOCKHEED MARTIN and BAE, was hacked because first, their SECURITY provider, RSA, was hacked – and RSA was hacked because someone at EMC got an email with an Excel file embedded with Flash code utilizing a new Adobe Flash vuln.
That’s what is behind the fact the F35 looks like the J22 CHENGDU model from China.
If they haven’t gotten into YOUR business YET – it might be a question of time before they get into a weak provider, customer, employee or partner. And then it will take even more time before you know it!
The second side of this problem – we think that militaries or security agencies are protecting us, but actually this is an illusion: most of the “exposed attack surface” is civilian space, publicly used infrastructure, software or services.
The world’s fiercest cyber warriors might be making the world safer by targeting terrorists and tyrants, but they are making the rest of cyber space insecure for the rest of us. They have a vested interest - instead of protecting everyone, they are exploiting everyone – that’s the PARADOX OF THE NSA’s DUAL ROLE which I mentioned. But the problem is bigger: we think that no matter how much these agencies invade our privacy, they are keeping us safe – but it’s actually not them really guarding the front lines.
So we have to work that much more on defense.
We are the front lines – not militaries or security agencies who have a vested interest in keeping bugs to themselves and exploiting everyone. Most of the “exposed attack surface” is civilian space, publicly used infrastructure owned by a variety of stakeholders, most of which are private corporations.
So The Front Lines – Are all of us, and everyone!
Every PC, device, social network account or cloud instance is an outpost on the “global battlefield”. We are all part of the playground. Our CPU cycles are commodities. Our secrets are useless – but our clicks and likes are worth money.
This is the heat map of the DNSChanger (aka Ghost Click) operation that infected 4 million devices a few years ago - all over the world, including NASA.
3 profit engines: click jacking, rogue AV sales and malicious hosting.
Everything has value: stolen credentials, cloud storage, infected devices – things that become resources the bad guys can use to stage other attacks!
What this means is that every insecure organization or person is a part of the problem – if they are not part of the solution!
A solution to the problem? Empower the masses – these are the “shiny happy people” that surround us, whom we must reach out to, so we can make them stronger, more resilient and prepared to be part of the solution!
We need to make them more like us. Armed and ready.
Simple thing: we’re going to need people from all walks of life, genders, ethnicities, what have you. So white hat, black hat, or 50 shades of grey – just don’t be a douche-hat. Reach out to people starting their way in this community and open the gates. Be a mentor. Start propagating – we need more security professionals out there. We’ve got to man those front lines.
Reach out to your community. One way to do it is with Crypto Parties: open events teaching the basics of computer privacy and encryption methods. Popular in Europe, it’s open source, distributed and easy to start one in your home town.
Another great example is voluntary red teams: at Tel Aviv University, a voluntary team of pen testers began offering pro bono red team testing in their spare time to public institutions that needed it but could not afford it, like a major hospital near Tel Aviv. They got the CIO’s permission – and what they found was enough to get the hospital management’s attention. But it doesn't stop there.
You can also run cyber security drills - simulations or WarGames to help prepare for dealing with an attack.
The City of San Diego offers “cyber fire drills” for small businesses in partnership with the Naval Postgraduate School.
They help people understand the ramifications of a successful attack and how to protect against it.
To get BONUS POINTS - the industry needs more security professionals! The 2014 Cisco Annual Security Report indicates a shortage of more than a million security professionals across the globe in 2014. So let’s stop being a closed club.
BONUS POINTS: the industry needs you. “The Internet drives growth and everything is dependent on one thing, having security,” said Netanyahu. “We will balance our security needs with our business.”
Israel’s cyber-security industry has grown from a few dozen companies to more than 220 in the past three years, according to the Tel Aviv-based IVC Research Center that monitors the industry. Seventy-eight companies in the space raised more than $400 million during that period and 20 multinationals operate development centers in Israel.
A million professionals
220 companies
78 startups
raised 400 million dollars
20 international corporations
Now for the 5th and final reason why you should care and try to save the world.
THERE IS A GAP about “cyber”: it’s not considered an issue for everyone (like Taylor Swift).
It’s a realm of geeks, or a “government and military issue”, for “diplomats, generals & spies” - but in fact it matters to everyone. We’ve got to close that gap.
How? With FACTS. With information, with reaching out to the larger global community: it’s about influencing perceptions! Mind the gap: communicate outside the security industry, work with policy makers, media and academic groups. Talk about security in a new way that matters to people.
It’s about influencing perceptions with overwhelming data and the spread of news articles. Don’t say “it’s complicated”. Make it accessible.
Ask your managers: are you spending more money and attention on your coffee budget than on your security budget? Then it’s a problem!
Let’s wake up and smell the coffee – as recent attacks have proven, bad guys are more agile than ever. They are undeterred, motivated – and RESULTS ORIENTED. Not afraid to use new technologies and business models, all in the effort of illicit gains. But what is your organization doing about it? Do you “spend more money on coffee than security?”
Richard Clarke, 2002 - "If you spend more on coffee than on IT security, then you will be hacked," Clarke said during his keynote address. "What's more, you deserve to be hacked."
Let’s reflect. These are all big problems. But there is some good news: we have the power to change that - there is a critical mass forming. But it needs a crucial ingredient: YOU. So act now. Even if you do one thing, you did well. Tell another hacker to do one thing. You did well. Join the movement. Each of you can make a change.
Some say: “I WOULD LOVE TO CHANGE THE WORLD, BUT THEY WON'T GIVE ME THE SOURCE CODE”
We can work together, and come up with our own solutions – which is what I am suggesting today.
I read somewhere that “The main difference between White Hats and Black Hats is having permission” –
The great thing: all of the things I told you about are things you can do right now, legally.
I have told you why, how and what. Now it’s up to you. What will you choose to do? Choose wisely, because whatever we do now will shape our digital future. Hack the planet.
Send me comments, feedback, or multicolored ponies.