[CB18] Keynote: Cyber Arms Race by Mikko Hyppönen

•

1 like•2,324 views

We are living in a world where cyber attacks have become the norm. New kinds of attackers appear, with new targets, new motivations and new methods. To understand and to fight the attacks, we need to understand who the attackers are. Security expert Mikko Hypponen will look at the latest big hacking cases and reveal what really went on.

Presentations & Public Speaking

2002 2008 2009 2011 2014 2015 2016 2017 2018
Malwaretargeting
connecteddevices

[CB18] Keynote: Cyber Arms Race by Mikko Hyppönen

[CB18] Keynote: Cyber Arms Race by Mikko Hyppönen

[CB18] Keynote: Cyber Arms Race by Mikko Hyppönen

More Related Content

More from CODE BLUE

ハッカーたちの間では、セキュリティ向上のために研究を共有することの重要性が何年も前から知られていた。一方、協調して脆弱性を開示することの重要性も、世界中の政府によってますます認識されるようになってきた。情報開示とセキュリティ研究者の保護という原則は国境を越えて共通であるものの、国によって重要な違いがある。本パネルでは、重要な公共政策や企業の行動に影響を与える可能性のあるグローバルな視点を提示する。 ENISAは、2022年4月に「EUにおける脆弱性開示政策の調整」を発表した。本報告書では、EU加盟国における脆弱性開示の協調政策の現状を客観的に紹介するだけでなく、中国、日本、米国における脆弱性開示の運用を紹介している。それらを踏まえて、協調的な脆弱性開示プロセスに望ましい要素やベストプラクティスの要素を検討し、その後、課題や問題点について議論する予定。本報告書の内容を共有し、日本における運用の課題と今後の方向性、米国における国家安全保障と脆弱性対応の課題を、各法域の代表者とのパネルディスカッションで明らかにすることを目的としています。パネリストは、日本では早期警戒パートナーシップ通知機関の実務に携わる方々、欧州では上記報告書の執筆者、米国では上記報告書の寄稿者日本では、脆弱性対応における体制意識、インセンティブ、未処理案件の増加、いわゆるトリアージなどの課題が紹介される予定米国からは、国家安全保障のための脆弱性情報の開示方針（Vulnerabilities Equities Process）、脆弱性研究の不起訴方針の公表などを紹介するとともに、この問題の歴史的背景を紹介する。パネルディスカッションを通じて、脆弱性開示政策を取り巻く国際情勢や今後の動向、特にサイバーセキュリティにおける脆弱性の重要な役割とそれを取り巻く社会が抱える課題について参加者に理解していただくことを目的とする。

[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション（3） by Lorenzo Pupillo

[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション（3） by Lorenzo Pupillo

[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション（3） by Lorenzo Pupillo

While hackers have known the importance of sharing research to improve security for years, the importance of coordinated vulnerability disclosure is increasingly recognized by governments around the world. The principals of disclosure an protecting security researchers are common across borders, but different countries have some key differences. This panel will present a global perspective that may in turn inform key public policy and company behavior. ENISA has published 'Coordinated Vulnerability Disclosure policies in the EU' in April 2022 . This report not only provides an objective introduction to the current state of coordinated vulnerability disclosure policies in the Member States of the European Union, but also introduces the operation of vulnerability disclosure in China, Japan and the USA. Based on these findings, the desirable and good practice elements of a coordinated vulnerability disclosure process are examined, followed by a discussion of the challenges and issues. This session aims to share the contents of this report and clarify the challenges and future direction of operations in Japan, as well as national security and vulnerability handling issues in the US, in a panel discussion with representatives from various jurisdictions. The panelists are involved in the practice of early warning partnership notified bodies in Japan, the authors of the above report in Europe and the contributors to the above report in the US. In Japan, the issues of system awareness, incentives, increase in the number of outstanding cases in handling and so-called triage in handling vulnerabilities will be introduced. From the United States, the Vulnerabilities Equities Process for National Security and the publication of a non-prosecution policy for vulnerability research will be introduced, as well as a historical background on the issue. The aim is that the panel discussion will enable the audience to understand the international situation surrounding CVD, as well as future trends, in particular the important role of vulnerability in cybersecurity and the challenges faced by society around it.

[cb22] ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...

[cb22] ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...

[cb22] ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...

ハッカーたちの間では、セキュリティ向上のために研究を共有することの重要性が何年も前から知られていた。一方、協調して脆弱性を開示することの重要性も、世界中の政府によってますます認識されるようになってきた。情報開示とセキュリティ研究者の保護という原則は国境を越えて共通であるものの、国によって重要な違いがある。本パネルでは、重要な公共政策や企業の行動に影響を与える可能性のあるグローバルな視点を提示する。 ENISAは、2022年4月に「EUにおける脆弱性開示政策の調整」を発表した。本報告書では、EU加盟国における脆弱性開示の協調政策の現状を客観的に紹介するだけでなく、中国、日本、米国における脆弱性開示の運用を紹介している。それらを踏まえて、協調的な脆弱性開示プロセスに望ましい要素やベストプラクティスの要素を検討し、その後、課題や問題点について議論する予定。本報告書の内容を共有し、日本における運用の課題と今後の方向性、米国における国家安全保障と脆弱性対応の課題を、各法域の代表者とのパネルディスカッションで明らかにすることを目的としています。パネリストは、日本では早期警戒パートナーシップ通知機関の実務に携わる方々、欧州では上記報告書の執筆者、米国では上記報告書の寄稿者日本では、脆弱性対応における体制意識、インセンティブ、未処理案件の増加、いわゆるトリアージなどの課題が紹介される予定米国からは、国家安全保障のための脆弱性情報の開示方針（Vulnerabilities Equities Process）、脆弱性研究の不起訴方針の公表などを紹介するとともに、この問題の歴史的背景を紹介する。パネルディスカッションを通じて、脆弱性開示政策を取り巻く国際情勢や今後の動向、特にサイバーセキュリティにおける脆弱性の重要な役割とそれを取り巻く社会が抱える課題について参加者に理解していただくことを目的とする。

[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション（2）by Allan Friedman

[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション（2）by Allan Friedman

[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション（2）by Allan Friedman

While hackers have known the importance of sharing research to improve security for years, the importance of coordinated vulnerability disclosure is increasingly recognized by governments around the world. The principals of disclosure an protecting security researchers are common across borders, but different countries have some key differences. This panel will present a global perspective that may in turn inform key public policy and company behavior. ENISA has published 'Coordinated Vulnerability Disclosure policies in the EU' in April 2022 . This report not only provides an objective introduction to the current state of coordinated vulnerability disclosure policies in the Member States of the European Union, but also introduces the operation of vulnerability disclosure in China, Japan and the USA. Based on these findings, the desirable and good practice elements of a coordinated vulnerability disclosure process are examined, followed by a discussion of the challenges and issues. This session aims to share the contents of this report and clarify the challenges and future direction of operations in Japan, as well as national security and vulnerability handling issues in the US, in a panel discussion with representatives from various jurisdictions. The panelists are involved in the practice of early warning partnership notified bodies in Japan, the authors of the above report in Europe and the contributors to the above report in the US. In Japan, the issues of system awareness, incentives, increase in the number of outstanding cases in handling and so-called triage in handling vulnerabilities will be introduced. From the United States, the Vulnerabilities Equities Process for National Security and the publication of a non-prosecution policy for vulnerability research will be introduced, as well as a historical background on the issue. The aim is that the panel discussion will enable the audience to understand the international situation surrounding CVD, as well as future trends, in particular the important role of vulnerability in cybersecurity and the challenges faced by society around it.

[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...

[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...

[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...

ハッカーたちの間では、セキュリティ向上のために研究を共有することの重要性が何年も前から知られていた。一方、協調して脆弱性を開示することの重要性も、世界中の政府によってますます認識されるようになってきた。情報開示とセキュリティ研究者の保護という原則は国境を越えて共通であるものの、国によって重要な違いがある。本パネルでは、重要な公共政策や企業の行動に影響を与える可能性のあるグローバルな視点を提示する。 ENISAは、2022年4月に「EUにおける脆弱性開示政策の調整」を発表した。本報告書では、EU加盟国における脆弱性開示の協調政策の現状を客観的に紹介するだけでなく、中国、日本、米国における脆弱性開示の運用を紹介している。それらを踏まえて、協調的な脆弱性開示プロセスに望ましい要素やベストプラクティスの要素を検討し、その後、課題や問題点について議論する予定。本報告書の内容を共有し、日本における運用の課題と今後の方向性、米国における国家安全保障と脆弱性対応の課題を、各法域の代表者とのパネルディスカッションで明らかにすることを目的としています。パネリストは、日本では早期警戒パートナーシップ通知機関の実務に携わる方々、欧州では上記報告書の執筆者、米国では上記報告書の寄稿者日本では、脆弱性対応における体制意識、インセンティブ、未処理案件の増加、いわゆるトリアージなどの課題が紹介される予定米国からは、国家安全保障のための脆弱性情報の開示方針（Vulnerabilities Equities Process）、脆弱性研究の不起訴方針の公表などを紹介するとともに、この問題の歴史的背景を紹介する。パネルディスカッションを通じて、脆弱性開示政策を取り巻く国際情勢や今後の動向、特にサイバーセキュリティにおける脆弱性の重要な役割とそれを取り巻く社会が抱える課題について参加者に理解していただくことを目的とする。

[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション（1）by 高橋郁夫

[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション（1）by 高橋郁夫

[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション（1）by 高橋郁夫

Yuuma Taki is enrolled in the Hokkaido Information University Information Media Faculty of Information Media (4th year). At university he is focusing on learning about security for lower-level components, such OS and CPU. In his third year of undergraduate school, he worked on trying to implement the OS security mechanism "KASLR", at Sechack365. Currently, he is learning about ROP derivative technology and embedded equipment security.

[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...

[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...

[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...

2021年10月、Lazarusグループに関連する可能性が高いユニークなローダーであるWSLinkの最初の分析を公開。ほとんどのサンプルは難読化され、高度な仮想マシン（VM）難読化機能で保護されている。サンプルには明確なアーティファクトが含まれておらず、当初は難読化を公的に知られているVMと関連付けなかったが、後にそれをCodevirtualizerに接続することに成功。このVMは、ジャンクコードの挿入、仮想オペランドの暗号化、仮想オペコードの重複、難読化手法仮想命令のマージ、ネストされたVMなど、いくつかの追加の難読化技術を導入する。本発表では、VMの内部を分析し、合理的な時間で難読化技術を「見抜く」ための半自動化されたアプローチについて説明する。また、難読化されたバイトコードと難読化されていないバイトコードを比較し、本手法の有効性を紹介する。われわれの手法は、仮想オペコードのセマンティクスを抽出する既知の難読化解除手法に基づいており、単純化規則によるシンボリック実行を使用。さらに、バイトコードチャンクとVMの内部構成を記号ではなく、具体的な値として扱い、既知の難読化手法で追加の難読化技術を自動的に処理できるようにする。

[cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka

[cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka

[cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka

In October 2021, we published the first analysis of Wslink – a unique loader likely linked to the Lazarus group. Most samples are packed and protected with an advanced virtual machine (VM) obfuscator; the samples contain no clear artifacts and we initially did not associate the obfuscation with a publicly known VM, but we later managed to connect it to CodeVirtualizer. This VM introduces several additional obfuscation techniques such as insertion of junk code, encoding of virtual operands, duplication of virtual opcodes, opaque predicates, merging of virtual instructions, and a nested VM. Our presentation analyzes the internals of the VM and describes our semi automated approach to “see through” the obfuscation techniques in reasonable time. We demonstrate the approach on some bytecode from a protected sample and compare the results with a non-obfuscated sample, found subsequent to starting our analysis, confirming the method’s validity. Our solution is based on a known deobfuscation method that extracts the semantics of the virtual opcodes, using symbolic execution with simplifying rules. We further treat the bytecode chunks and some internal constructs of the VM as concrete values instead of as symbolic ones, enabling the known deobfuscation method to deal with the additional obfuscation techniques automatically.

[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...

[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...

[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...

Kimsuky is a North Korean APT possibly controlled by North Korea's Reconnaissance General Bureau. Based on reports from the Korea Internet & Security Agency (KISA) and other vendors, TeamT5 identified that Kimsuky's most active group, CloudDragon, built a workflow functioning as a "Credential Factory," collecting and exploiting these massive credentials. The credential factory powers CloudDragon to start its espionage campaigns. CloudDragon's campaigns have aligned with DPRK's interests, targeting the organizations and key figures playing a role in the DPRK relationship. Our database suggested that CloudDragon has possibly infiltrated targets in South Korea, Japan, and the United States. Victims include think tanks, NGOs, media agencies, educational institutes, and many individuals. CloudDragon's "Credential Factory" can be divided into three small cycles, "Daily Cycle," "Campaign Cycle," and "Post-exploit Cycle." The"Daily Cycle" can collect massive credentials and use the stolen credentials to accelerate its APT life cycle. In the "Campaign Cycle," CloudDragon develops many new malware. While we responded to CloudDragon's incidents, we found that the actor still relied on BabyShark malware. CloudDragon once used BabyShark to deploy a new browser extension malware targeting victims' browsers. Moreover, CloudDragon is also developing a shellcode-based malware, Dust. In the "Post-exploit Cycle," the actor relied on hacking tools rather than malicious backdoors. We also identified that the actor used remote desktop software to prevent detection. In this presentation, we will go through some of the most significant operations conducted by CloudDragon, and more importantly, we will provide possible scenarios of future invasions for defense and detection.

[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...

[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...

[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...

Social media is no doubt a critical battlefield for threat actors to launch InfoOps, especially in a critical moment such as wartime or the election season. We have seen Bot-Driven Information Operations (InfoOps, aka influence campaign) have attempted to spread disinformation, incite protests in the physical world, and doxxing against journalists. China's Bots-Driven InfoOps, despite operating on a massive scale, are often considered to have low impact and very little organic engagement. In this talk, we will share our observations on these persistent Bots-Driven InfoOps and dissect their harmful disinformation campaigns circulated in cyberspace. In the past, most bots-driven operations simply parroted narratives of the Chinese propaganda machine, mechanically disseminating the same propaganda and disinformation artifacts made by Chinese state media. However, recently, we saw the newly created bots turn to post artifacts in a livelier manner. They utilized various tactics, including reposting screenshots of forum posts and disguised as members of “Milk Tea Alliance,” to create a false appearance that such content is being echoed across cyberspace. We particularly focus on an ongoing China's bots-driven InfoOps targeting Taiwan, which we dub "Operation ChinaRoot." Starting in mid-2021, the bots have been disseminating manipulated information about Taiwan's local politics and Covid-19 measures. Our further investigation has also identified the linkage between Operation ChinaRoot and other Chinese state-linked networks such as DRAGONBRIDGE and Spamouflage.

[cb22] From Parroting to Echoing: The Evolution of China’s Bots-Driven Info...

[cb22] From Parroting to Echoing: The Evolution of China’s Bots-Driven Info...

[cb22] From Parroting to Echoing: The Evolution of China’s Bots-Driven Info...

Malwares written in Go is increasing every year. Go's cross-platform nature makes it an opportune language for attackers who wish to target multiple platforms. On the other hand, the statically linked libraries make it difficult to distinguish between user functions and libraries, making it difficult for analysts to analyze. This situation has increased the demand for Go malware classification and exploration. In this talk, we will demonstrate the feasibility of computing similarity and classification of Go malware using a newly proposed method called gimpfuzzy. We have implemented "gimpfuzzy", which incorporates Fuzzy Hashing into the existing gimphash method. In this talk, we will verify the discrimination rate of the classification using the proposed method and confirm the validity of the proposed method by discussing some examples from the classified results. We will also discuss issues in Go-malware classification.

[cb22] Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...

[cb22] Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...

[cb22] Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...

Goで書かれたマルウェアは年々増加している。Goはクロスプラットフォームの性質を持っており、複数のプラットフォームを標的にしたい攻撃者にとって好都合な言語である。その一方で、ライブラリが静的にリンクされていることからユーザ関数とライブラリの区別が難しく、アナリストにとって解析が困難である。そうした状況で、Goマルウェアの分類や探索の需要が高まっている。本講演ではgimpfuzzyという新たな提案手法を用いてGoマルウェアに対し類似性の計算や分類が可能であることを検証する。われわれは既存手法であるgimphashにFuzzy Hashingを組み込んだ「gimpfuzzy」を新たに実装した。講演では提案手法を利用した分類の判別率を検証し、分類された結果の中からいくつかの事例を取り上げその妥当性について確認する。また、Goマルウェアの分類における課題についても検討を行う予定である。

[cb22] Mal-gopherとは？Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部祐太, 甘粕伸幸, 野村和也

[cb22] Mal-gopherとは？Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部祐太, 甘粕伸幸, 野村和也

[cb22] Mal-gopherとは？Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部祐太, 甘粕伸幸, 野村和也

Malware analysts normally obtain IP addresses of the malware's command & control (C2) servers by analyzing samples. This approach works in commoditized attacks or campaigns. However, with targeted attacks using APT malware, it's difficult to acquire a sufficient number of samples for organizations other than antivirus companies. As a result, malware C2 IOCs collected by a single organization are just the tip of the iceberg. For years, I have reversed the C2 protocols of high-profile APT malware families then discovered the active C2 servers on the Internet by emulating the protocols. In this presentation, I will explain how to emulate the protocols of two long-term pieces of malware used by PRC-linked cyber espionage threat actors: Winnti 4.0 and ShadowPad. Both pieces of malware support multiple C2 protocols like TCP/TLS/HTTP/HTTPS/UDP. It's also common to have different data formats and encoding algorithms per each protocol in one piece of malware. I'll cover the protocol details while referring to unique functions such as server-mode in Winnti 4.0 and multiple protocol listening at a single port in ShadowPad. Additionally, I'll share the findings regarding the Internet-wide C2 scanning and its limitations. After the presentation, I'll publish over 140 C2 IOCs with the date ranges in which they were discovered. These dates are more helpful than just IP address information since the C2s are typically found on hosted servers, meaning that the C2 could sometimes exist on a specific IP only for a very limited time. 65% of these IOCs have 0 detection on VirusTotal as of the time of this writing.

[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...

[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...

[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...

We are swamped with new types of malware every day. The goal of malware analysis is not to reveal every single detail of the malware. It is more important to develop tools for efficiency or introduce automation to avoid repeating the same analysis process. Therefore, malware analysts usually actively develop tools and build analysis systems. On the other hand, it costs a lot for such tool developments and system maintenance. Incident trends change daily, and malware keeps evolving. However, it is not easy to keep up with new threats. Malware analysts spend a long time maintaining their analysis systems, and it results in reducing their time for necessary analysis of new types of malware. To solve these problems, we incorporate DevOps practices into malware analysis to reduce the cost of system maintenance by using CI/CD and Serverless. This presentation shares our experience on how CI/CD, Serverless, and other cloud technologies can be used to streamline malware analysis. Specifically, the following case studies are discussed. * Malware C2 Monitoring * Malware Hunting using Cloud * YARA CI/CD system * Malware Analysis System on Cloud * Memory Forensic on Cloud Through the above case studies, we will share the benefits and tips of using the cloud and show how to build a similar system using Infrastructure as Code (IaC). The audience will learn how to improve the efficiency of malware analysis and build a malware analysis system using Cloud infrastructure.

[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...

[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...

[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...

In November 2019, I started monitoring the Bitcoin operation by the adversaries who hid IP addresses of their C&C server in the blockchain. In June 2020, I started collaborating with Professor Christian Doerr of the Hasso Plattner Institute based on the idea of redirecting C&C server communication to a sinkhole server (called takeover), and we successfully achieved this in August. However, the adversaries quickly took evasive action, where they managed to implement an evasion mechanism in only two weeks and restarted their attack. Although we could not conduct our takeover, our monitoring system could worked well. The end of their attack was brought upon by the surge in Bitcoin prices. Due to the fees for the Bitcoin miners, a transaction had reduced the adversaries' profits, and we confirmed the last C&C update was in January 2021 and the abandonment of the attack infrastructure came in March. Since then, no similar attacks have been observed by my monitoring system. Although this attack has already concluded and is unlikely to restart unless the value of Bitcoin declines, I would like to share the know-how I have learned through the direct confrontation with the adversaries. That is, at the time of the confrontation with them, this attack was highly novel, and the adversaries themselves did not fully understand the best solution for its' operation. They needed to evolve their tactics, techniques, and procedures (TTPs) while operating the system. We carefully analyzed their TTPs and tried to catch them off their guard. Even more troublesome was the need to understand as quickly as possible what they intended to do each time they were affected by the Bitcoin halving or making a simple operational error. This presentation is a culmination my insights learned from interactions with these adversaries and I am looking forward to sharing this information with everyone.

[cb22] What I learned from the direct confrontation with the adversaries who ...

[cb22] What I learned from the direct confrontation with the adversaries who ...

[cb22] What I learned from the direct confrontation with the adversaries who ...

本研究では 2019 年 11 月から C&C サーバーの IP アドレスをブロックチェーンに隠ぺいした攻撃者のビットコイン運用監視を開始した。2020 年 6 月に C&C サーバ通信をシンクホールサーバへ直接誘導する (テイクオーバーと呼ぶ) アイデアによる国際協業を Hasso Plattner Institute の Christian Doerr 教授と開始し、8 月にテイクオーバーに成功した。攻撃者のテイクオーバー回避は早く、約 2 週間で回避メカニズムを実装し攻撃を再開した。テイクオーバーは回避されてしまったが、ビットコイン運用監視は機能し続けた。この攻撃の終息はビットコイン高騰がきっかけとなった。ビットコイン取引における採掘者への手数料が利益を圧迫する要因となり、2021 年 1 月に最後の C&C 情報の更新、3 月に攻撃インフラ放棄を確認した。その後、本研究の監視範囲において同種の攻撃は観察されていない。この攻撃はすでに終息し、ビットコインの価値が下がらない限り再開される可能性は低いが、本講演では攻撃者との直接対峙により得られたノウハウを共有したい。つまり、攻撃者と対峙していた当時、この攻撃は新規性が高く、攻撃者自身も最適な運用方法を理解できていなかった。運用しながら攻撃手法を進化させる必要があり、われわれも攻撃手法を慎重に分析しながら隙を狙っていた。さらに厄介なのが、攻撃者がビットコイン半減期の影響を受けたり、単純な運用ミスをしたりして、そのたびに、われわれも攻撃者の意図を可能な限り早く理解しなければならなかったという点だ。この対峙により得られた知見は、本講演者による CODE BLUE 講演でも活かしており、本質的なノウハウとして共有する。

[cb22] ブロックチェーンにC&Cサーバー情報を隠ぺいした攻撃者との直接対峙により得られたもの by 谷口剛

[cb22] ブロックチェーンにC&Cサーバー情報を隠ぺいした攻撃者との直接対峙により得られたもの by 谷口剛

[cb22] ブロックチェーンにC&Cサーバー情報を隠ぺいした攻撃者との直接対峙により得られたもの by 谷口剛

Unlike traditional software, smart contracts have the unique organization in which a sequence of transactions shares persistent states. Unfortunately, such a characteristic makes it difficult for existing fuzzers to find out critical transaction sequences. To tackle this challenge, we employ both static and dynamic analyses for fuzzing smart contracts. First, we statically analyze smart contract bytecodes to predict which transaction sequences will lead to effective testing, and figure out if there is a certain constraint that each transaction should satisfy. Such information is then passed to the fuzzing phase and used to construct an initial seed corpus. During a fuzzing campaign, we perform a lightweight dynamic data-flow analysis to collect data-flow-based feedback to effectively guide fuzzing. We implement our ideas on a practical open-source fuzzer, named SMARTIAN. SMARTIAN can discover bugs in real-world smart contracts without the need for the source code. Our experimental results show that SMARTIAN is more effective than existing state-of-the-art tools in finding known CVEs from real-world contracts. SMARTIAN also outperforms other tools in terms of code coverage.

[cb22] SMARTIAN: Enhancing Smart Contract Fuzzing with Static and Dynamic Da...

[cb22] SMARTIAN: Enhancing Smart Contract Fuzzing with Static and Dynamic Da...

[cb22] SMARTIAN: Enhancing Smart Contract Fuzzing with Static and Dynamic Da...

Imagine a world where a security researcher becomes aware of a security vulnerability, impacting thousands of Open Source Software (OSS) projects, and is enabled to both identify and fix them all at once. Now imagine a world where a vulnerability is introduced into your production code and a few moments later you receive an automated pull request to fix it. Hundreds of thousands of human hours are invested every year in finding common security vulnerabilities with relatively simple fixes. These vulnerabilities aren't sexy, cool, or new, we've known about them for years, but they're everywhere! The scale of GitHub and tools like CodeQL (GitHub's code query language) enable one to scan for vulnerabilities across hundreds of thousands of OSS projects, but the challenge is how to scale the triaging, reporting, and fixing. Simply automating the creation of thousands of bug reports by itself isn't useful, and would be even more of a burden on volunteer maintainers of OSS projects. Ideally, the maintainers would be provided with not only information about the vulnerability, but also a fix in the form of an easily actionable pull request. When facing a problem of this scale, what is the most efficient way to leverage researcher knowledge to fix the most vulnerabilities across OSS? This talk will cover a highly scalable solution - automated bulk pull request generation. We'll discuss the practical applications of this technique on real world OSS projects. We'll also cover technologies like CodeQL and OpenRewrite (a style-preserving refactoring tool created at Netflix and now developed by Moderne). Let's not just talk about vulnerabilities, let's actually fix them at scale. This work is sponsored by the new Dan Kaminsky Fellowship; a fellowship created to celebrate Dan's memory and legacy by funding open-source work that makes the world a better (and more secure) place.

[cb22] Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once ...

[cb22] Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once ...

[cb22] Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once ...

Since 2010 Stuxnet caused substantial damage to the nuclear program of Iran, ICS security issues have been raised. Lots of researchers dig into the hacking skills and path and those known attacks in the history and more malwares and events happened. Enterprises need an efficient way to find vulnerabilities but they might not have the budget for ICS pentesters , which need strong background knowledge , and all the fields they have. To solve this problem, we try to make a rare OT targeting , open source adversary emulation tool as a plugin on MITRE open source tool - Caldera. Users can easily combine IT attacks with our OT adversaries and change steps of attacks or send manual commands in the process. We summarize the experience of reviewing over 20 factories traffic and analyzing 19 MITRE defined ICS malwares, PIPEDREAM/Incontroller in 2022. We found the main trend of ICS malwares changes from single protocol targeting to modularized , multiple protocols supporting. The actions in malwares can be summarized as a 4 stages attacking flow, We will explain it with the real attacks from malwares. We use the above conclusions to build automatic adversary emulation tool. Now the tool already supports 10 common protocols and over 23 techniques on the MITRE ICS matrix , which is able to reproduce over 80% of defined ICS malware actions in OT. We also follow the 4 stages conclusion to add some attacks havent been used by any malwares. We have tested it on real oil ,gas ,water, electric power factory devices , protocol simulations for SCADA developers and honeypot. We will have a demo in this presentation.

[cb22] Red light in the factory - From 0 to 100 OT adversary emulation by Vi...

[cb22] Red light in the factory - From 0 to 100 OT adversary emulation by Vi...

[cb22] Red light in the factory - From 0 to 100 OT adversary emulation by Vi...

Hash Table, as the most fundamental Data Structure in Computer Science, is extensively applied in Software Architecture to store data in an associative manner. However, its architecture makes it prone to Collision Attacks. To deal with this problem, 25 years ago, Microsoft designed its own Dynamic Hashing algorithm and applied it everywhere in IIS, the Web Server from Microsoft, to serve various data from HTTP Stack. As Hash Table is everywhere, isn't the design from Microsoft worth scrutinizing? We dive into IIS internals through months of Reverse-Engineering efforts to examine both the Hash Table implementation and the use of Hash Table algorithms. Several types of attacks are proposed and uncovered in our research, including (1) A specially designed Zero-Hash Flooding Attack against Microsoft's self-implemented algorithm. (2) A Cache Poisoning Attack based on the inconsistency between Hash-Keys. (3) An unusual Authentication Bypass based on a hash collision. By understanding this talk, the audience won't be surprised why we can destabilize the Hash Table easily. The audience will also learn how we explore the IIS internals and will be surprised by our results. These results could not only make a default installed IIS Server hang with 100% CPU but also modify arbitrary HTTP responses through crafted HTTP request. Moreover, we'll demonstrate how we bypass the authentication requirement with a single, crafted password by colliding the identity cache!

[cb22] Lets Dance in the Cache Destabilizing Hash Table on Microsoft IIS by O...

[cb22] Lets Dance in the Cache Destabilizing Hash Table on Microsoft IIS by O...

[cb22] Lets Dance in the Cache Destabilizing Hash Table on Microsoft IIS by O...

More from CODE BLUE (20)

[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション（3） by Lorenzo Pupillo

[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション（3） by Lorenzo Pupillo

[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション（3） by Lorenzo Pupillo

[cb22] ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...

[cb22] ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...

[cb22] ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...

[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション（2）by Allan Friedman

[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション（2）by Allan Friedman

[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション（2）by Allan Friedman

[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...

[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...

[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...

[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション（1）by 高橋郁夫

[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション（1）by 高橋郁夫

[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション（1）by 高橋郁夫

[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...

[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...

[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...

[cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka

[cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka

[cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka

[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...

[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...

[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...

[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...

[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...

[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...

[cb22] From Parroting to Echoing: The Evolution of China’s Bots-Driven Info...

[cb22] From Parroting to Echoing: The Evolution of China’s Bots-Driven Info...

[cb22] From Parroting to Echoing: The Evolution of China’s Bots-Driven Info...

[cb22] Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...

[cb22] Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...

[cb22] Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...

[cb22] Mal-gopherとは？Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部祐太, 甘粕伸幸, 野村和也

[cb22] Mal-gopherとは？Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部祐太, 甘粕伸幸, 野村和也

[cb22] Mal-gopherとは？Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部祐太, 甘粕伸幸, 野村和也

[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...

[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...

[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...

[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...

[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...

[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...

[cb22] What I learned from the direct confrontation with the adversaries who ...

[cb22] What I learned from the direct confrontation with the adversaries who ...

[cb22] What I learned from the direct confrontation with the adversaries who ...

[cb22] ブロックチェーンにC&Cサーバー情報を隠ぺいした攻撃者との直接対峙により得られたもの by 谷口剛

[cb22] ブロックチェーンにC&Cサーバー情報を隠ぺいした攻撃者との直接対峙により得られたもの by 谷口剛

[cb22] ブロックチェーンにC&Cサーバー情報を隠ぺいした攻撃者との直接対峙により得られたもの by 谷口剛

[cb22] SMARTIAN: Enhancing Smart Contract Fuzzing with Static and Dynamic Da...

[cb22] SMARTIAN: Enhancing Smart Contract Fuzzing with Static and Dynamic Da...

[cb22] SMARTIAN: Enhancing Smart Contract Fuzzing with Static and Dynamic Da...

[cb22] Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once ...

[cb22] Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once ...

[cb22] Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once ...

[cb22] Red light in the factory - From 0 to 100 OT adversary emulation by Vi...

[cb22] Red light in the factory - From 0 to 100 OT adversary emulation by Vi...

[cb22] Red light in the factory - From 0 to 100 OT adversary emulation by Vi...

[cb22] Lets Dance in the Cache Destabilizing Hash Table on Microsoft IIS by O...

[cb22] Lets Dance in the Cache Destabilizing Hash Table on Microsoft IIS by O...

[cb22] Lets Dance in the Cache Destabilizing Hash Table on Microsoft IIS by O...

Recently uploaded

f you offer a service on the web, odds are that someone will abuse it. Be it an API, a SaaS, a PaaS, or even a static website, someone somewhere will try to figure out a way to use it to their own needs. In this talk we'll compare measures that are effective against static attackers and how to battle a dynamic attacker who adapts to your counter-measures. About the Speaker =============== Diogo Sousa, Engineering Manager @ Canonical An opinionated individual with an interest in cryptography and its intersection with secure software development.

0x01 - Newton's Third Law: Static vs. Dynamic Abusers

0x01 - Newton's Third Law: Static vs. Dynamic Abusers

0x01 - Newton's Third Law: Static vs. Dynamic Abusers

Sharpen existing tools or get a new toolbox? Contemporary cluster initiatives...

Sharpen existing tools or get a new toolbox? Contemporary cluster initiatives...

Sharpen existing tools or get a new toolbox? Contemporary cluster initiatives...

527598851-ppc-due-to-various-govt-policies.pdf

527598851-ppc-due-to-various-govt-policies.pdf

527598851-ppc-due-to-various-govt-policies.pdf

rajpreetkaur75080

Hi-Tech Industry 2024-25 Prospective.pptx

Hi-Tech Industry 2024-25 Prospective.pptx

Hi-Tech Industry 2024-25 Prospective.pptx

Getting started with Amazon Bedrock Studio and Control Tower

Getting started with Amazon Bedrock Studio and Control Tower

Getting started with Amazon Bedrock Studio and Control Tower

Vladimir Samoylov

• For a full set of 420+ questions. Go to https://skillcertpro.com/product/oracle-database-administration-i-1z0-082-exam-questions/ • SkillCertPro offers detailed explanations to each question which helps to understand the concepts better. • It is recommended to score above 85% in SkillCertPro exams before attempting a real exam. • SkillCertPro updates exam questions every 2 weeks. • You will get life time access and life time free updates • SkillCertPro assures 100% pass guarantee in first attempt.

Oracle Database Administration I (1Z0-082) Exam Dumps 2024.pdf

Oracle Database Administration I (1Z0-082) Exam Dumps 2024.pdf

Oracle Database Administration I (1Z0-082) Exam Dumps 2024.pdf

SkillCertProExams

123445566544333222333444dxcvbcvcvharsh.pptx

123445566544333222333444dxcvbcvcvharsh.pptx

123445566544333222333444dxcvbcvcvharsh.pptx

05232024 Joint Meeting - Community Networking

05232024 Joint Meeting - Community Networking

05232024 Joint Meeting - Community Networking

A proposal aimed at transforming a key site in Canoga Park into a vibrant, mixed-use development. The project includes comprehensive location analysis, neighborhood context evaluation, and zoning and planning assessments. By leveraging the site’s strengths and addressing potential challenges, we plan to create a space that integrates residential, commercial, and public areas. The development will enhance connectivity, support community objectives, and provide economic benefits, all while aligning with local zoning regulations.

The Canoga Gardens Development Project. PDF

The Canoga Gardens Development Project. PDF

The Canoga Gardens Development Project. PDF

Rahsaan L. Browne

Bridging the Divide: Enhancing Public Engagement in Urban Development This paper delves into the critical role of public engagement in urban development, emphasizing the need for community involvement to create sustainable and inclusive urban spaces. It discusses the motivations behind public participation, the challenges faced in engaging diverse communities, and the strategies for overcoming these barriers. The paper also highlights successful case studies and explores the use of technology and effective communication to facilitate broader and more meaningful engagement. By examining these elements, the paper underscores the importance of bridging the gap between planners and residents to ensure urban development reflects the collective vision and needs of the community.

Writing Sample 2 -Bridging the Divide: Enhancing Public Engagement in Urban D...

Writing Sample 2 -Bridging the Divide: Enhancing Public Engagement in Urban D...

Writing Sample 2 -Bridging the Divide: Enhancing Public Engagement in Urban D...

Rahsaan L. Browne

Pollinator Ambassador Earth Steward Day Presentation 2024-05-22

Pollinator Ambassador Earth Steward Day Presentation 2024-05-22

Pollinator Ambassador Earth Steward Day Presentation 2024-05-22

Acorn Recovery: Restore IT infra within minutes

Acorn Recovery: Restore IT infra within minutes

Acorn Recovery: Restore IT infra within minutes

Have you ever wondered how search works while visiting an e-commerce site, internal website, or searching through other types of online resources? Look no further than this informative session on the ways that taxonomies help end-users navigate the internet! Hear from taxonomists and other information professionals who have first-hand experience creating and working with taxonomies that aid in navigation, search, and discovery across a range of disciplines.

Eureka, I found it! - Special Libraries Association 2021 Presentation

Eureka, I found it! - Special Libraries Association 2021 Presentation

Eureka, I found it! - Special Libraries Association 2021 Presentation

Access Innovations, Inc.

What is biology? In simple terms, biology is the study of living organisms and their interactions with one another and their environments. This is a very broad definition because the scope of biology is vast. Biologists may study anything from the microscopic or submicroscopic view of a cell to ecosystems and the whole living planet . Listening to the daily news, you will quickly realize how many aspects of biology are discussed every day. For example, recent news topics include Escherichia coli outbreaks in spinach and Salmonella contamination in peanut butter. Other subjects include efforts toward finding a cure for AIDS, Alzheimer’s disease, and cancer. On a global scale, many researchers are committed to finding ways to protect the planet, solve environmental issues, and reduce the effects of climate change. All of these diverse endeavors are related to different facets of the discipline of biology. Biology is a science, but what exactly is science? What does the study of biology share with other scientific disciplines? Science (from the Latin scientia, meaning “knowledge”) can be defined as knowledge that covers general truths or the operation of general laws, especially when acquired and tested by the scientific method. It becomes clear from this definition that the application of the scientific method plays a major role in science. The scientific method is a method of research with defined steps that include experiments and careful observation. The steps of the scientific method will be examined in detail later, but one of the most important aspects of this method is the testing of hypotheses by means of repeatable experiments. A hypothesis is a suggested explanation for an event, which can be tested. Although using the scientific method is inherent to science, it is inadequate in determining what science is. This is because it is relatively easy to apply the scientific method to disciplines such as physics and chemistry, but when it comes to disciplines like archaeology, psychology, and geology, the scientific method becomes less applicable as it becomes more difficult to repeat experiments.

Introduction of Biology in living organisms

Introduction of Biology in living organisms

Introduction of Biology in living organisms

Recently uploaded (14)

0x01 - Newton's Third Law: Static vs. Dynamic Abusers

0x01 - Newton's Third Law: Static vs. Dynamic Abusers

0x01 - Newton's Third Law: Static vs. Dynamic Abusers

Sharpen existing tools or get a new toolbox? Contemporary cluster initiatives...

Sharpen existing tools or get a new toolbox? Contemporary cluster initiatives...

Sharpen existing tools or get a new toolbox? Contemporary cluster initiatives...

527598851-ppc-due-to-various-govt-policies.pdf

527598851-ppc-due-to-various-govt-policies.pdf

527598851-ppc-due-to-various-govt-policies.pdf

Hi-Tech Industry 2024-25 Prospective.pptx

Hi-Tech Industry 2024-25 Prospective.pptx

Hi-Tech Industry 2024-25 Prospective.pptx

Getting started with Amazon Bedrock Studio and Control Tower

Getting started with Amazon Bedrock Studio and Control Tower

Getting started with Amazon Bedrock Studio and Control Tower

Oracle Database Administration I (1Z0-082) Exam Dumps 2024.pdf

Oracle Database Administration I (1Z0-082) Exam Dumps 2024.pdf

Oracle Database Administration I (1Z0-082) Exam Dumps 2024.pdf

123445566544333222333444dxcvbcvcvharsh.pptx

123445566544333222333444dxcvbcvcvharsh.pptx

123445566544333222333444dxcvbcvcvharsh.pptx

05232024 Joint Meeting - Community Networking

05232024 Joint Meeting - Community Networking

05232024 Joint Meeting - Community Networking

The Canoga Gardens Development Project. PDF

The Canoga Gardens Development Project. PDF

The Canoga Gardens Development Project. PDF

Writing Sample 2 -Bridging the Divide: Enhancing Public Engagement in Urban D...

Writing Sample 2 -Bridging the Divide: Enhancing Public Engagement in Urban D...

Writing Sample 2 -Bridging the Divide: Enhancing Public Engagement in Urban D...

Pollinator Ambassador Earth Steward Day Presentation 2024-05-22

Pollinator Ambassador Earth Steward Day Presentation 2024-05-22

Pollinator Ambassador Earth Steward Day Presentation 2024-05-22

Acorn Recovery: Restore IT infra within minutes

Acorn Recovery: Restore IT infra within minutes

Acorn Recovery: Restore IT infra within minutes

Eureka, I found it! - Special Libraries Association 2021 Presentation

Eureka, I found it! - Special Libraries Association 2021 Presentation

Eureka, I found it! - Special Libraries Association 2021 Presentation

Introduction of Biology in living organisms

Introduction of Biology in living organisms

Introduction of Biology in living organisms

[CB18] Keynote: Cyber Arms Race by Mikko Hyppönen

1.

2.

3.

4.

5.

6.

7.

8.

9.

10.

11.

12.

13.

14.

15. 2002 2008 2009 2011 2014 2015 2016 2017 2018 Malwaretargeting connecteddevices