While hackers have known the importance of sharing research to improve security for years, the importance of coordinated vulnerability disclosure is increasingly recognized by governments around the world. The principles of disclosure and of protecting security researchers are common across borders, but different countries have some key differences. This panel will present a global perspective that may in turn inform key public policy and company behavior.
ENISA published 'Coordinated Vulnerability Disclosure policies in the EU' in April 2022. This report not only provides an objective introduction to the current state of coordinated vulnerability disclosure policies in the Member States of the European Union, but also introduces the operation of vulnerability disclosure in China, Japan and the USA. Based on these findings, the desirable and good-practice elements of a coordinated vulnerability disclosure process are examined, followed by a discussion of the challenges and issues.
This session aims to share the contents of this report and clarify the challenges and future direction of operations in Japan, as well as national security and vulnerability handling issues in the US, in a panel discussion with representatives from various jurisdictions.
The panelists are involved in the practice of early warning partnership notified bodies in Japan, the authors of the above report in Europe, and the contributors to the above report in the US.
From Japan, the issues of system awareness, incentives, the increase in the number of outstanding cases in handling, and so-called triage in handling vulnerabilities will be introduced.
From the United States, the Vulnerabilities Equities Process for national security and the publication of a non-prosecution policy for vulnerability research will be introduced, together with the historical background of the issue.
The aim is that the panel discussion will enable the audience to understand the international situation surrounding CVD, as well as future trends, in particular the important role of vulnerabilities in cybersecurity and the challenges society faces around them.
http://www.researchmoz.us/the-mobile-device-security-bible-2014-2020-report.html
“The Mobile Device & Network Security Bible”: this report presents an in-depth assessment of the global mobile device security market. The report focuses on the following two submarkets:
Mobile Device Client Security Software:
Anti-Malware/Anti-Virus Client Software
Back Up & Restore Software
Privacy Protection Software
Mobile VPN Client Software
Remote Locking Software
Whitepaper | Network Security - How to defend your Plant against the threats ... - Yokogawa
Yokogawa offers a range of cyber-security solutions for control systems, including network security assessment, network and firewall design, PC/server and network device hardening, antivirus and patch management, backup and recovery systems, and network management systems. By seamlessly integrating these solutions with its proven control system solutions, Yokogawa is also aiming to meet its customers' needs for control system security management. Read more about Yokogawa’s approach to cyber security in this whitepaper.
Government and Education Webinar: How the New Normal Could Improve your IT Op... - SolarWinds
In this webinar, our SolarWinds sales engineer discussed the steps you can take now to improve the productivity of your IT staff and run a more secure, lean, and agile ITOM organization.
During this interactive webinar, attendees learned how SolarWinds can help you:
Achieve full-stack visibility through rationalizing and consolidating monitoring tools
Improve your security posture and automate compliance reporting requirements
Automate service management processes to do more with less
Optimize IT expenses
Enable your IT operations team for success with a solution that can rapidly respond to your organization’s needs
Cyber Security Awareness of Critical Infrastructures in North East of Italy S... - Luca Moroni
Critical Infrastructures (IC) are essential elements in our economic and social life. Cyber incidents in such organizations could create a “domino effect”. This must be an important concern in a National Cyber Security Policy. Now EU Cybersecurity Act
ASFWS 2013 - Critical Infrastructures in the Age of Cyber Insecurity par Andr... - Cyber Security Alliance
Threats, risks, actors, trends, attack techniques, defense issues and possible future scenarios for Critical Infrastructures in the age of cyber insecurity.
IoT Cyber Security & Vulnerabilities: Challenges and Opportunities in Security of Internet of Things
Security is the Key
Inherent Security Challenges
Threat Spectrum – Trends
Securing the “Things”
IoT Cybersecurity – Security Triad
Threat Model
Availability threats
Integrity threats
Authenticity threats
Confidentiality threats
Non-repudiation/accountability threats
How to Perform Continuous Vulnerability Management - Ivanti
Without treating security as an ongoing process, hackers will find, weaponize, deploy, and attack your infrastructure faster than your team can patch. At the same time, the experience of your IT team working with the security group is frustrating and leads to many, many hours of manual work. Learn how to stay ahead of the bad guys and improve the experience for your team with continuous vulnerability management.
Marlink IMO 2021 Guide to Cyber Risk Management - CHRIS CLIFFORD
Applicable to commercial ships with over 500 gross tonnage, the IMO resolution (MSC 428, 98) confirmed all shipping companies need to have cyber security in their safety management system. Flag states are encouraged to ensure these requirements are met by vessel operators in the first annual audit after January 2021. Non-compliance may lead to vessel detainment. This means maritime companies need to be identifying and safeguarding against maritime cyber risks now to be ready for the first annual verification of the Company’s Document of Compliance.
The 7 Steps to Prevent IT-Caused Outages - A Comprehensive Approach - Protected Harbor
Discover a comprehensive roadmap to fortify your IT operations against unexpected downtime through systematic risk assessment, strategic redundancy planning, and the implementation of cutting-edge monitoring and response protocols. Our whitepaper outlines seven crucial steps to safeguard your IT infrastructure, helping you proactively identify and address potential weak points, ensuring robust resilience and reducing the risk of disruptive outages. By adopting our proven methodology, organizations can enhance their ability to withstand IT-caused outages, ensuring uninterrupted services, improved customer satisfaction, and safeguarding their reputation in today's highly competitive digital landscape.
[cb22] Hayabusa Threat Hunting and Fast Forensics in Windows environments fo... - CODE BLUE
It started with computer hacking and Japanese linguistics as a kid. Zach Mathis has been based in Kobe, Japan, and has performed both red team services and blue team incident response and defense consultation for major global Japanese corporations since 2006. He is the founder of Yamato Security, one of the largest and most popular hands-on security communities in Japan, and has been providing free training since 2012 to help improve the local security community. Since 2016, he has been teaching security for the SANS Institute and holds numerous GIAC certifications. Currently, he is working with other Yamato Security members to provide free and open-source security tools to help security analysts with their work.
[cb22] Tales of 5G hacking by Karsten Nohl - CODE BLUE
Most 5G networks are built in fundamentally new ways, opening new hacking avenues.
Mobile networks have so far been monolithic systems from big vendors; now they become open vendor-mixed ecosystems. Networks are rapidly adopting cloud technologies including dockerization and orchestration. Cloud hacking techniques become highly relevant to mobile networks.
The talk dives into the hacking potential of the technologies needed for these open networks. We illustrate the security challenges with vulnerabilities we found in real-world networks.
More Related Content
Similar to [cb22] "The Present and Future of Coordinated Vulnerability Disclosure" International Panel Discussion (4) by Hiroyuki Itabashi
[cb22] Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A... - CODE BLUE
Printers have become one of the essential devices in the corporate intranet over the past few years, and their functionality has also increased significantly. Beyond print and fax, cloud printing services such as AirPrint are now supported as well to make them easier to use. Direct printing from mobile devices is now a basic requirement in the IoT era. We also use them to print internal business documents of the company, which makes keeping the printer safe even more important.
Nowadays, most of the printers on the market do not have to be connected with USB or a traditional cable. As long as you are using a LAN cable connected to the intranet, the computer can find and use the printer immediately. Most of them are based on protocols such as SLP and LLMNR. But is it really safe when vendors adopt those protocols? Furthermore, many printers do not use traditional Linux systems but use an RTOS (Real-Time Operating System) instead; how does this affect the attacker?
In this talk, we will use the Canon ImageCLASS MF644Cdw and HP Color LaserJet Pro MFP M283fdw as case studies, showing how to analyze and gain control access to the printer. We will also demonstrate how to use the vulnerabilities to achieve RCE in the RTOS in unauthenticated situations.
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-... - CODE BLUE
Yuuma Taki is enrolled in the Hokkaido Information University Faculty of Information Media (4th year).
At university he is focusing on learning about security for lower-level components, such as the OS and CPU. In his third year of undergraduate school, he worked on implementing the OS security mechanism "KASLR" at SecHack365.
Currently, he is learning about ROP-derived techniques and embedded equipment security.
[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla... - CODE BLUE
In October 2021, we published the first analysis of Wslink, a unique loader likely linked to the Lazarus group. Most samples are packed and protected with an advanced virtual machine (VM) obfuscator; the samples contain no clear artifacts and we initially did not associate the obfuscation with a publicly known VM, but we later managed to connect it to CodeVirtualizer. This VM introduces several additional obfuscation techniques such as insertion of junk code, encoding of virtual operands, duplication of virtual opcodes, opaque predicates, merging of virtual instructions, and a nested VM.
Our presentation analyzes the internals of the VM and describes our semi-automated approach to “see through” the obfuscation techniques in reasonable time. We demonstrate the approach on some bytecode from a protected sample and compare the results with a non-obfuscated sample, found subsequent to starting our analysis, confirming the method’s validity. Our solution is based on a known deobfuscation method that extracts the semantics of the virtual opcodes, using symbolic execution with simplifying rules. We further treat the bytecode chunks and some internal constructs of the VM as concrete values instead of as symbolic ones, enabling the known deobfuscation method to deal with the additional obfuscation techniques automatically.
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti... - CODE BLUE
Kimsuky is a North Korean APT possibly controlled by North Korea's Reconnaissance General Bureau. Based on reports from the Korea Internet & Security Agency (KISA) and other vendors, TeamT5 identified that Kimsuky's most active group, CloudDragon, built a workflow functioning as a "Credential Factory," collecting and exploiting these massive credentials.
The credential factory powers CloudDragon to start its espionage campaigns. CloudDragon's campaigns have aligned with DPRK's interests, targeting the organizations and key figures playing a role in the DPRK relationship. Our database suggested that CloudDragon has possibly infiltrated targets in South Korea, Japan, and the United States. Victims include think tanks, NGOs, media agencies, educational institutes, and many individuals.
CloudDragon's "Credential Factory" can be divided into three small cycles: the "Daily Cycle," the "Campaign Cycle," and the "Post-exploit Cycle." The "Daily Cycle" collects massive numbers of credentials and uses the stolen credentials to accelerate its APT life cycle.
In the "Campaign Cycle," CloudDragon develops many new malware families. While responding to CloudDragon's incidents, we found that the actor still relied on the BabyShark malware. CloudDragon once used BabyShark to deploy a new browser extension malware targeting victims' browsers. Moreover, CloudDragon is also developing a shellcode-based malware, Dust.
In the "Post-exploit Cycle," the actor relied on hacking tools rather than malicious backdoors. We also identified that the actor used remote desktop software to prevent detection.
In this presentation, we will go through some of the most significant operations conducted by CloudDragon, and more importantly, we will provide possible scenarios of future invasions for defense and detection.
[cb22] From Parroting to Echoing: The Evolution of China’s Bots-Driven Info... - CODE BLUE
Social media is no doubt a critical battlefield for threat actors to launch InfoOps, especially at a critical moment such as wartime or the election season. We have seen Bot-Driven Information Operations (InfoOps, aka influence campaigns) attempt to spread disinformation, incite protests in the physical world, and dox journalists.
China's Bots-Driven InfoOps, despite operating on a massive scale, are often considered to have low impact and very little organic engagement. In this talk, we will share our observations on these persistent Bots-Driven InfoOps and dissect their harmful disinformation campaigns circulated in cyberspace.
In the past, most bots-driven operations simply parroted narratives of the Chinese propaganda machine, mechanically disseminating the same propaganda and disinformation artifacts made by Chinese state media. However, recently we saw newly created bots turn to posting artifacts in a livelier manner. They utilized various tactics, including reposting screenshots of forum posts and disguising themselves as members of the “Milk Tea Alliance,” to create a false appearance that such content is being echoed across cyberspace.
We particularly focus on an ongoing Chinese bots-driven InfoOps campaign targeting Taiwan, which we dub "Operation ChinaRoot." Starting in mid-2021, the bots have been disseminating manipulated information about Taiwan's local politics and Covid-19 measures. Our further investigation has also identified the linkage between Operation ChinaRoot and other Chinese state-linked networks such as DRAGONBRIDGE and Spamouflage.
[cb22] Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”... - CODE BLUE
Malware written in Go is increasing every year. Go's cross-platform nature makes it an opportune language for attackers who wish to target multiple platforms. On the other hand, the statically linked libraries make it difficult to distinguish between user functions and library code, which makes analysis harder for analysts. This situation has increased the demand for Go malware classification and exploration.
In this talk, we will demonstrate the feasibility of computing similarity and classification of Go malware using a newly proposed method called gimpfuzzy. We have implemented "gimpfuzzy", which incorporates Fuzzy Hashing into the existing gimphash method. In this talk, we will verify the discrimination rate of the classification using the proposed method and confirm the validity of the proposed method by discussing some examples from the classified results. We will also discuss issues in Go-malware classification.
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat... - CODE BLUE
Malware analysts normally obtain IP addresses of the malware's command & control (C2) servers by analyzing samples. This approach works in commoditized attacks or campaigns. However, with targeted attacks using APT malware, it's difficult to acquire a sufficient number of samples for organizations other than antivirus companies. As a result, malware C2 IOCs collected by a single organization are just the tip of the iceberg.
For years, I have reversed the C2 protocols of high-profile APT malware families then discovered the active C2 servers on the Internet by emulating the protocols. In this presentation, I will explain how to emulate the protocols of two long-term pieces of malware used by PRC-linked cyber espionage threat actors: Winnti 4.0 and ShadowPad.
Both pieces of malware support multiple C2 protocols like TCP/TLS/HTTP/HTTPS/UDP. It's also common to have different data formats and encoding algorithms per each protocol in one piece of malware. I'll cover the protocol details while referring to unique functions such as server-mode in Winnti 4.0 and multiple protocol listening at a single port in ShadowPad. Additionally, I'll share the findings regarding the Internet-wide C2 scanning and its limitations.
After the presentation, I'll publish over 140 C2 IOCs with the date ranges in which they were discovered. These dates are more helpful than just IP address information since the C2s are typically found on hosted servers, meaning that the C2 could sometimes exist on a specific IP only for a very limited time. 65% of these IOCs have 0 detection on VirusTotal as of the time of this writing.
[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu... - CODE BLUE
We are swamped with new types of malware every day. The goal of malware analysis is not to reveal every single detail of the malware. It is more important to develop tools for efficiency or introduce automation to avoid repeating the same analysis process. Therefore, malware analysts usually actively develop tools and build analysis systems. On the other hand, it costs a lot for such tool developments and system maintenance. Incident trends change daily, and malware keeps evolving. However, it is not easy to keep up with new threats. Malware analysts spend a long time maintaining their analysis systems, and it results in reducing their time for necessary analysis of new types of malware.
To solve these problems, we incorporate DevOps practices into malware analysis to reduce the cost of system maintenance by using CI/CD and Serverless. This presentation shares our experience on how CI/CD, Serverless, and other cloud technologies can be used to streamline malware analysis. Specifically, the following case studies are discussed.
* Malware C2 Monitoring
* Malware Hunting using Cloud
* YARA CI/CD system
* Malware Analysis System on Cloud
* Memory Forensic on Cloud
Through the above case studies, we will share the benefits and tips of using the cloud and show how to build a similar system using Infrastructure as Code (IaC). The audience will learn how to improve the efficiency of malware analysis and build a malware analysis system using Cloud infrastructure.
[cb22] What I learned from the direct confrontation with the adversaries who ... (CODE BLUE)
In November 2019, I started monitoring the Bitcoin operation of the adversaries who hid the IP addresses of their C&C server in the blockchain. In June 2020, I started collaborating with Professor Christian Doerr of the Hasso Plattner Institute on the idea of redirecting C&C server communication to a sinkhole server (called a takeover), and we successfully achieved this in August. However, the adversaries quickly took evasive action: they managed to implement an evasion mechanism in only two weeks and restarted their attack. Although we could not conduct our takeover, our monitoring system worked well. The end of their attack was brought about by the surge in Bitcoin prices. Because of the fees paid to Bitcoin miners, each transaction reduced the adversaries' profits; we confirmed the last C&C update in January 2021 and the abandonment of the attack infrastructure in March. Since then, no similar attacks have been observed by my monitoring system.
Although this attack has already concluded and is unlikely to restart unless the value of Bitcoin declines, I would like to share the know-how I have learned through direct confrontation with the adversaries. At the time of our confrontation, this attack was highly novel, and the adversaries themselves did not fully understand the best way to operate it. They needed to evolve their tactics, techniques, and procedures (TTPs) while operating the system. We carefully analyzed their TTPs and tried to catch them off guard. Even more troublesome was the need to understand, as quickly as possible, what they intended to do each time they were affected by the Bitcoin halving or made a simple operational error. This presentation is a culmination of my insights learned from interactions with these adversaries, and I look forward to sharing this information with everyone.
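The monitoring side of the story above can be illustrated with the following added example, which is not the speaker's monitoring system and does not reproduce the real campaign's encoding, since that is not described on this page. It assumes, for illustration only, that the bot reads the newest OP_RETURN output of a watched wallet and takes a 4-byte IPv4 address followed by a 2-byte big-endian port; the wallet's transaction records are constructed. The monitor keeps the whole history of published addresses rather than only the current one, which is what lets a defender date each C&C update the way the abstract dates the last one to January 2021.

```python
"""Monitor C&C addresses that bots resolve from Bitcoin transactions.

Added example for this page, not the speaker's monitoring system. The real
campaign's encoding is not described on this page; the layout assumed here
(bot reads the newest OP_RETURN output of a watched wallet and takes a
4-byte IPv4 address followed by a 2-byte big-endian port) is hypothetical.
Transaction records below are constructed (RFC 5737 documentation addresses).
"""
import ipaddress

OP_RETURN = 0x6A

# Constructed transaction history of the watched wallet, a simplified subset
# of what a block explorer API would return (time, txid, outputs).
TXS = [
    {"time": "2020-06-01T00:00:00Z", "txid": "a1" * 32,
     "vout": [{"scriptPubKey": "6a06cb00710a01bb"}]},            # 203.0.113.10:443
    {"time": "2020-07-15T00:00:00Z", "txid": "b2" * 32,
     "vout": [{"scriptPubKey": "76a914" + "00" * 20 + "88ac"}]},  # plain P2PKH payment, no C2 data
    {"time": "2020-08-20T00:00:00Z", "txid": "c3" * 32,
     "vout": [{"scriptPubKey": "6a06c633640720fb"}]},            # 198.51.100.7:8443
    {"time": "2020-09-03T00:00:00Z", "txid": "d4" * 32,
     "vout": [{"scriptPubKey": "6a03cb0071"}]},                  # OP_RETURN payload too short: ignored
    {"time": "2020-09-10T00:00:00Z", "txid": "e5" * 32,
     "vout": [{"scriptPubKey": "6a06c633640720fb"}]},            # re-post of the same C2
]


def op_return_payload(script_hex):
    """Return the pushed data of an OP_RETURN <push> script, else None.

    Only the single-byte push form (1..75 bytes) is handled, which covers
    the payload sizes this example needs.
    """
    raw = bytes.fromhex(script_hex)
    if len(raw) < 2 or raw[0] != OP_RETURN:
        return None
    n = raw[1]
    if not 1 <= n <= 75 or len(raw) != 2 + n:
        return None
    return raw[2:]


def decode_c2(payload):
    """Decode the assumed 6-byte layout: IPv4 (4 bytes) + port (2 bytes, big-endian)."""
    if payload is None or len(payload) != 6:
        return None
    ip = str(ipaddress.IPv4Address(payload[:4]))
    port = int.from_bytes(payload[4:6], "big")
    return ip, port


def c2_history(txs):
    """Every C2 address the wallet ever published, oldest first."""
    history = []
    for tx in sorted(txs, key=lambda t: t["time"]):
        for out in tx["vout"]:
            c2 = decode_c2(op_return_payload(out["scriptPubKey"]))
            if c2 is not None:
                history.append((tx["time"], tx["txid"], c2[0], c2[1]))
    return history


def c2_updates(history):
    """Collapse the history to the points where the C2 actually changed."""
    updates = []
    current = None
    for time, _txid, ip, port in history:
        if (ip, port) != current:
            updates.append((time, ip, port))
            current = (ip, port)
    return updates


def current_c2(txs):
    """What a bot following the newest valid transaction would connect to."""
    history = c2_history(txs)
    return (history[-1][2], history[-1][3]) if history else None


if __name__ == "__main__":
    for update in c2_updates(c2_history(TXS)):
        print("C&C update:", *update)
    print("current:", current_c2(TXS))
```

Malformed or unrelated outputs are skipped rather than treated as errors, because a wallet used this way also carries ordinary payments; the monitor only cares about outputs the bot itself would accept. Each update in this model costs the operator a transaction fee, which is the cost the abstract says eventually ended the campaign.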
This presentation by Morris Kleiner (University of Minnesota) was made during the discussion "Competition and Regulation in Professions and Occupations" held at the Working Party No. 2 on Competition and Regulation on 10 June 2024. More papers and presentations on the topic can be found at oe.cd/crps.
This presentation was uploaded with the author’s consent.
0x01 - Newton's Third Law: Static vs. Dynamic Abusers (OWASP Beja)
If you offer a service on the web, odds are that someone will abuse it. Be it an API, a SaaS, a PaaS, or even a static website, someone somewhere will try to figure out a way to use it for their own needs. In this talk we'll compare measures that are effective against static attackers with how to battle a dynamic attacker who adapts to your countermeasures.
About the Speaker
===============
Diogo Sousa, Engineering Manager @ Canonical
An opinionated individual with an interest in cryptography and its intersection with secure software development.
Acorn Recovery: Restore IT infra within minutes (IP ServerOne)
Introducing Acorn Recovery as a Service, a simple, fast, and secure managed disaster recovery (DRaaS) by IP ServerOne. A DR solution that helps restore your IT infra within minutes.
Have you ever wondered how search works while visiting an e-commerce site, internal website, or searching through other types of online resources? Look no further than this informative session on the ways that taxonomies help end-users navigate the internet! Hear from taxonomists and other information professionals who have first-hand experience creating and working with taxonomies that aid in navigation, search, and discovery across a range of disciplines.
Sharpen existing tools or get a new toolbox? Contemporary cluster initiatives... (Orkestra)
UIIN Conference, Madrid, 27-29 May 2024
James Wilson, Orkestra and Deusto Business School
Emily Wise, Lund University
Madeline Smith, The Glasgow School of Art
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" International Panel Discussion (4) by Hiroyuki Itabashi
1. Introduction of the Information Security Early Warning Partnership
October 28, 2022
Information-technology Promotion Agency, Japan
Security Center
Vulnerability Countermeasures Group, Security Promotion Dept.
Hiroyuki Itabashi
2. Information Security Early Warning Partnership (Vulnerability Reporting System) - About the System (1)
What is the Information Security Early Warning Partnership?
The system is based on the Ministry of Economy, Trade and Industry's public notice "Regulations for Handling Vulnerability-Related Information on Software Products, etc.", whose objective is stated as follows.
Objective:
The purpose of these rules is to prevent damage caused by computer viruses, unauthorized computer access, etc. to unspecified persons or large numbers of persons, to take countermeasures against such damage, and to contribute to the realization of a society in which citizens can live safely and securely, by defining recommended acts for those who handle vulnerability-related information on software products, etc., in order to ensure cybersecurity. By promoting the appropriate distribution of such information, the rules also aim to improve the vitality and sustainable development of the economy and society and to contribute to the realization of a society in which citizens can live safely and with peace of mind.
3. Information Security Early Warning Partnership (Vulnerability Reporting System) - About the System (2)
What is the Information Security Early Warning Partnership Guideline?
■ Origin of the System
The "Information Security Early Warning Partnership Guideline" is a compilation of recommended actions to be taken by the parties concerned in order to realize the appropriate distribution of vulnerability-related information(*), based on the aforementioned public notice. Specifically, the Guideline describes the process of addressing vulnerabilities in cooperation with the discoverers of vulnerability-related information, software product developers, and website operators, with the Information-technology Promotion Agency, Japan (IPA), acting as the receiving organization, and the JPCERT Coordination Center (JPCERT/CC), a general incorporated association, acting as the coordinating organization.
(*) Vulnerability-related information refers to any of the following: vulnerability information (nature and characteristics of the vulnerability), verification methods, and attack methods.
■ Scope of Application
The Guideline covers vulnerabilities that may affect a large number of people; specifically, software products widely used in Japan and web applications running on websites presumed to be accessed primarily from Japan (for example, websites written in Japanese, URLs that use the "jp" domain, and so on).
4. Information Security Early Warning Partnership (Vulnerability Reporting System) - About the System (3)
The parties to the "Information Security Early Warning Partnership Guideline" and their benefits are as follows.
Discoverer
• Can prompt software developers and website operators to take countermeasures against vulnerabilities through a public entity.
• May be publicly credited in the document published with the vulnerability countermeasure.
Product developers
• Can learn about non-public vulnerabilities that may affect their own products.
• Can make users publicly aware of how to address vulnerabilities.
• Can demonstrate that they are seriously engaged in addressing vulnerabilities.
Website operators
• Can address their websites before the existence of a vulnerability becomes widely known.
• Can check for and address previously unnoticed vulnerabilities.
• Can improve user safety on their websites.
5. Definition of "vulnerability": security problems in software products, web applications, etc., where unauthorized computer access, computer viruses, or other attacks can impair their functionality and performance.
6. Information Security Early Warning Partnership (Vulnerability Reporting System) - Operational Structure, etc.
Vulnerability Information Distribution Framework (diagram; the flow recoverable from the slide text is summarized below)
• Discoverer: reports vulnerabilities in software products and websites to IPA.
• IPA (receiving organization): receives and analyzes vulnerability reports and verifies them, with AIST supporting the analysis; passes software product vulnerability reports on to JPCERT/CC; notifies website operators of website vulnerabilities; security promotion (realizing security measures, distribution and others).
• JPCERT/CC (coordinating organization): coordinates with software developers, system integrators and overseas agencies; aggregates the vulnerability handling situation and determines/arranges announcement dates.
• Software developers and system integrators: handle the vulnerability; the countermeasure is announced on the Vulnerability Information Portal Site (JVN) to users (companies, individuals, government).
• Website operators: verify and implement countermeasures; an announcement is made in incidents involving personal information disclosure.
IPA: Information-technology Promotion Agency, Japan; JPCERT/CC: Japan Computer Emergency Response Team Coordination Center; AIST: National Institute of Advanced Industrial Science and Technology
7. Information Security Early Warning Partnership (Vulnerability Reporting System) - Operational Status (2)
Q2 2022 number of vulnerability reports
Classification | Cases this quarter | Cumulative total
Software products | 75 cases | 5,157 cases
Websites | 88 cases | 12,308 cases
Total | 163 cases | 17,465 cases
Q2 2022 number of corrections completed (JVN announced)
Classification | Cases this quarter | Cumulative total
Software products | 27 cases | 2,417 cases
Websites | 29 cases | 8,290 cases
Total | 56 cases | 10,707 cases
For the last three years, there has been no significant change in the number of software product reports, but the number of website reports has begun to decline since 2021.
Quarterly number of vulnerability reports (chart; values recovered from the slide)
Quarter | Software products: quarter / cumulative | Websites: quarter / cumulative
3Q 2019 | 61 / 4,389 | 284 / 10,666
4Q 2019 | 67 / 4,456 | 105 / 10,771
1Q 2020 | 61 / 4,517 | 200 / 10,971
2Q 2020 | 52 / 4,569 | 136 / 11,107
3Q 2020 | 58 / 4,627 | 188 / 11,295
4Q 2020 | 73 / 4,700 | 230 / 11,525
1Q 2021 | 71 / 4,771 | 180 / 11,705
2Q 2021 | 80 / 4,851 | 223 / 11,928
3Q 2021 | 93 / 4,944 | 109 / 12,037
4Q 2021 | 63 / 5,007 | 85 / 12,122
1Q 2022 | 75 / 5,082 | 98 / 12,220
2Q 2022 | 75 / 5,157 | 88 / 12,308
Number of software product vulnerability countermeasure information released (chart; values recovered from the slide, series in legend order)
Quarter | Reported from domestic and foreign finders: quarter / cumulative | Contact from an overseas CSIRT: quarter / cumulative
3Q 2019 | 16 / 1,732 | 22 / 1,711
4Q 2019 | 17 / 1,749 | 30 / 1,741
1Q 2020 | 30 / 1,779 | 30 / 1,771
2Q 2020 | 19 / 1,798 | 73 / 1,844
3Q 2020 | 22 / 1,820 | 75 / 1,919
4Q 2020 | 20 / 1,840 | 69 / 1,988
1Q 2021 | 35 / 1,875 | 75 / 2,063
2Q 2021 | 32 / 1,907 | 85 / 2,148
3Q 2021 | 27 / 1,934 | 73 / 2,221
4Q 2021 | 22 / 1,956 | 92 / 2,313
1Q 2022 | 25 / 1,981 | 58 / 2,371
2Q 2022 | 24 / 2,005 | 97 / 2,468
8. Information Security Early Warning Partnership (Vulnerability Reporting System) - Operational Status (3)
Reporting software products: handling status (bar chart; values recovered from the slide)
Publicized: 2,417; Handling: 2,087; Not accepted: 506; Vendor-handled: 40; Non-vulnerability: 107; Total: 5,157 (accepted, i.e. total minus not accepted: 4,651)
Situation: 40% of all reports are still being handled.
Reporting websites: handling status (bar chart; values recovered from the slide)
Fixed: 8,290; Security alert: 1,130; Handling: 1,662; Non-vulnerability: 710; Unable to handle: 231; Not accepted: 285; Total: 12,308 (accepted, i.e. total minus not accepted: 12,023)
Situation: terminated cases are 86% of all notifications, a higher percentage of terminations than for software products.
9. Information Security Early Warning Partnership (Vulnerability Reporting System) - Operational Status (4)
Type of product reported
• The majority of notifications concern "Web application" and "Router".
• Notifications of "Smartphone application" have also increased.
Impact of reported product vulnerabilities
• The majority of notifications are for "Execution of arbitrary scripts", "Execution of arbitrary commands" and "Leakage of information".
Software products: number of notifications by product type (pie chart; values recovered from the slide)
Web application 43%; Routers 9%; Smartphone application 8%; Groupware 5%; Development/runtime 4%; Smart home appliance 4%; Web browser 3%; File management software 2%; System administration software 2%; OS 2%; Misc. 18%
Software products: number of notifications by impact (pie chart; values recovered from the slide)
Run arbitrary scripts 35%; Execute arbitrary command 12%; Information leak 10%; Spoofing 8%; Execution of arbitrary code 8%; Access restriction bypass 5%; remaining categories (labels not recovered from the slide text) 4%, 4%, 3%, 11%
10. Information Security Early Warning Partnership (Vulnerability Reporting System) - Operation Status (5)
Type of vulnerability reported
• The majority of notifications are "Cross-site scripting".
• "Cross-site scripting", "Incomplete configuration of DNS information" (lame DNS zone) and "SQL injection" together account for 80% of the notifications.
Impact of reported website vulnerabilities
• The majority of reports are for "Display of false information on a genuine website".
Websites: number of notifications by type of vulnerability (pie chart; values recovered from the slide)
Cross-site scripting 58%; Lame DNS zone 11%; SQL injection 11%; Unintended file disclosure 4%; Directory traversal 2%; Inappropriate HTTPS handling 2%; Misc. 12%
Websites: number of reports by impact (pie chart; values recovered from the slide)
Display a phony web page on the legitimate website 57%; Falsify and/or delete data 12%; Insert domain information 11%; Leakage of files on the server 4%; Leakage of personal information 4%; Spoofing 3%; Leakage of cookie information 2%; remaining category (label not recovered from the slide text) 7%
11. Information Security Early Warning Partnership (Vulnerability Reporting System) - Challenges in Operation (1)
Reporting software products
Developers take a long time to respond to vulnerabilities
The range of reported software products has expanded (smartphone apps, control software, etc.), and so has the range of vulnerabilities. Even when the product developer is contacted with the vulnerability information, it may be unable to investigate it (for example, because it has many target products), or the information may not reach the developer at all. In some cases, it takes a long time before action is taken.
Losing contact with the developer in the middle of coordination
A wide variety of software products are reported, including products created by individual developers, and even after the vulnerability information has been reported to the product developer, the developer may become unreachable during the coordination process.
Negative attitude toward the publication of vulnerability countermeasure information
Because product users perceive the public disclosure of vulnerability information to mean that a software product has many vulnerabilities (i.e., is of poor quality), a climate of proactive disclosure of vulnerability information has not developed.
12. Information Security Early Warning Partnership (Vulnerability Reporting System) - Challenges in Operation (2)
Reporting websites
Contacting the website operator takes time
When a reported website is to be contacted with vulnerability information, the contact details of the website operator must first be investigated. When a website does not clearly indicate a (security-related) contact person, IPA has to investigate the contact details, and it takes time to reach the right contact.
Vulnerability response takes time
The actual operators of reported websites vary widely (from large corporations to individuals), and even after the website operator has been notified of the vulnerability, it may take some time for the operator to investigate the vulnerability information (due to a lack of personnel for countermeasures, etc.) and implement countermeasures.
13. Information Security Early Warning Partnership (Vulnerability Reporting System) - Measures to Address Operational Issues
Reporting software products
Recognizing product developers who proactively take vulnerability countermeasures
A mechanism will be considered to evaluate product developers who proactively take countermeasures for reported software product vulnerabilities and disclose the vulnerability countermeasure information.
Spreading the word to product developers about the need for vulnerability countermeasures
Continue to provide educational materials on the necessity of vulnerability countermeasures to software developers, with the cooperation of related organizations.
Reporting websites
Dissemination of clear contact information for website vulnerability information, etc.
Guidance on the "Establishment of a Security Contact Point" is available to website operators; continue to disseminate it and raise awareness.
Spreading the word to website operators about the need for vulnerability countermeasures
Continue to provide educational materials, videos, etc. to website operators to raise awareness of the need for vulnerability countermeasures.