This talk is an introduction to WooYun.
WooYun is a platform where security researchers report vulnerabilities and vendors give feedback. Beyond tracking vulnerabilities, WooYun also gives researchers a venue for public-interest work, study, communication, and research. In my presentation I will introduce how WooYun works and why we started the project, what WooYun has changed in the security community in China, why, when and where it was built, how it developed, and the difficulties we met while building it.
ChinaNetCloud Online Lecture: Fight Against External Attacks From Different L... (ChinaNetCloud)
The Internet has made the world brand-new, but it has also put system security at risk: DDoS attacks, data theft, and botnets constantly trouble IT operations teams. How can we defend ourselves against these types of attack? By implementing four layers of security protection: network, system, code, and operations maintenance.
On July 5, Wang Han, senior architect at ChinaNetCloud, shared our views on "How to resist external attacks" with dozens of attendees in a webinar.
Practical network defense at scale Or: Protecting the “Eierlegende Wollmichsa... (CODE BLUE)
The modern web-scale network is a pretty complicated place. Modern techniques in systems management have made it trivial to create, destroy and repurpose any number of instance types. These instances span the range from bare-metal machines sitting in a datacenter, to third-party virtual machines on demand, and now containers and microservices seem to be all the rage. Instances are cattle, no longer pets. All of this perpetual churn and flexibility is exactly what you want in a constantly changing, highly available, and efficient infrastructure. The ability to create or destroy nodes on demand, or to continuously and automatically scale up, scale down, and redeploy applications as part of a continuous integration pipeline, has become a necessary and integral part of daily operations. However, these systems can generate terabytes of network logs a day. And if your job is detecting, correlating, and alerting on the right anomaly in all that data, the needle-in-a-haystack analogy really doesn't do it justice; something closer would be finding a needle in a windstorm. How do you begin to collect, store, analyze, and alert on this much data without costing the company a small fortune? What practical steps can you take to reduce your overall risk and begin to gain more insight, visibility, and confidence into what is actually taking place on your network? This talk aims to give the attendee a solid understanding of the problem space, as well as recommendations and practical advice from someone who built their own 'big data' network and security monitor. It really is easier than it sounds.
Preventing hard disk firmware manipulation attack and disaster recovery by Da... (CODE BLUE)
In this talk I will explain strategies, both before and after a hard disk has lost its ability to serve as a storage device due to human manipulation or natural disaster, that give a high probability of data recovery. The clicking sound of a hard disk's head is synonymous with hard disk failure; however, it is not widely known that this clicking can occur even when nothing is wrong with the head. Replacing the head merely because the drive is acting up is very risky, because it increases the danger of contaminating the clean interior of the disk. So what causes the head-clicking sound? The answer is damaged firmware. In this talk I will explain how to use the firmware to control the device in a disaster-recovery situation.
Dai Shimogaito
CEO of Osaka Data Recovery, founded in 1998. Director of the Data Recovery Association Japan.
Seeking to perfect data recovery methods, he conducts research and exchanges information with engineers in Japan and abroad.
Trainings: data recovery trainings for the NPA, IDF seminars, etc.
Lectures: digital forensic study groups, NTT Secure Platform Laboratories, and private sessions for companies and governments
Presentation on Internet Security by @SteveMushero of @ChinaNetCloud, given in Shanghai in May 2015.
Covers threats, risks, and solutions.
Bilingual, English and Chinese.
[cb22] Hayabusa Threat Hunting and Fast Forensics in Windows environments fo... (CODE BLUE)
It started with computer hacking and Japanese linguistics as a kid. Zach Mathis has been based in Kobe, Japan, and has performed both red team services and blue team incident response and defense consultation for major Japanese global corporations since 2006. He is the founder of Yamato Security, one of the largest and most popular hands-on security communities in Japan, and has been providing free training since 2012 to help improve the local security community. Since 2016 he has been teaching security for the SANS Institute and holds numerous GIAC certifications. Currently he is working with other Yamato Security members to provide free and open-source security tools that help security analysts with their work.
[cb22] Tales of 5G hacking by Karsten Nohl (CODE BLUE)
Most 5G networks are built in fundamentally new ways, opening new hacking avenues.
Mobile networks have so far been monolithic systems from big vendors; now they are becoming open, vendor-mixed ecosystems. Networks are rapidly adopting cloud technologies, including containerization (Docker) and orchestration, so cloud hacking techniques become highly relevant to mobile networks.
The talk dives into the hacking potential of the technologies needed for these open networks. We illustrate the security challenges with vulnerabilities we found in real-world networks.
[cb22] Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A... (CODE BLUE)
Printers have become essential devices on the corporate intranet over the past few years, and their functionality has grown significantly. Beyond printing and faxing, cloud printing services such as AirPrint are supported to make them easier to use, and direct printing from mobile devices is now a basic requirement in the IoT era. We also use them to print internal business documents, which makes keeping the printer secure even more important.
Nowadays most printers on the market no longer need a USB or other direct cable. As long as the printer is connected to the intranet over a LAN cable, a computer can discover and use it immediately; most of this relies on protocols such as SLP and LLMNR. But is it really safe when vendors adopt those protocols? Furthermore, many printers do not run a conventional Linux system but an RTOS (Real-Time Operating System); how does this affect the attacker?
In this talk we use the Canon ImageCLASS MF644Cdw and the HP Color LaserJet Pro MFP M283fdw as case studies, showing how to analyze a printer and gain control of it. We also demonstrate how to use the vulnerabilities to achieve unauthenticated RCE on the RTOS.
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter... (CODE BLUE)
While hackers have known for years that sharing research improves security, the importance of coordinated vulnerability disclosure is increasingly recognized by governments around the world. The principles of disclosure and of protecting security researchers are common across borders, but there are key differences between countries. This panel will present a global perspective that may in turn inform public policy and company behavior.
ENISA published 'Coordinated Vulnerability Disclosure policies in the EU' in April 2022. This report not only gives an objective introduction to the current state of coordinated vulnerability disclosure policies in the Member States of the European Union, but also introduces how vulnerability disclosure operates in China, Japan and the USA. Based on these findings, the desirable and good-practice elements of a coordinated vulnerability disclosure process are examined, followed by a discussion of the challenges and issues.
This session aims to share the contents of this report and clarify the challenges and future direction of operations in Japan, as well as national security and vulnerability handling issues in the US, in a panel discussion with representatives from various jurisdictions.
The panelists are practitioners of the early-warning partnership notified bodies in Japan, the authors of the above report in Europe, and contributors to the above report from the US.
From Japan, the issues of system awareness, incentives, the growing backlog of cases being handled, and so-called triage in vulnerability handling will be introduced.
From the United States, the Vulnerabilities Equities Process for national security and the publication of a non-prosecution policy for vulnerability research will be introduced, along with the historical background of the issue.
The aim is that the panel discussion will enable the audience to understand the international situation surrounding CVD and future trends, in particular the important role of vulnerabilities in cybersecurity and the challenges society faces around them.
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-... (CODE BLUE)
Yuuma Taki is a fourth-year student in the Faculty of Information Media at Hokkaido Information University.
At university he focuses on security for lower-level components such as the OS and CPU. In his third year of undergraduate study he worked on implementing the OS security mechanism KASLR at SecHack365.
Currently he is studying ROP-derived techniques and embedded device security.
[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla... (CODE BLUE)
In October 2021 we published the first analysis of Wslink, a unique loader likely linked to the Lazarus group. Most samples are packed and protected with an advanced virtual machine (VM) obfuscator; the samples contain no clear artifacts and we initially did not associate the obfuscation with a publicly known VM, but we later managed to connect it to CodeVirtualizer. This VM introduces several additional obfuscation techniques such as insertion of junk code, encoding of virtual operands, duplication of virtual opcodes, opaque predicates, merging of virtual instructions, and a nested VM.
Our presentation analyzes the internals of the VM and describes our semi-automated approach to "see through" the obfuscation techniques in reasonable time. We demonstrate the approach on some bytecode from a protected sample and compare the results with a non-obfuscated sample found after we started our analysis, confirming the method's validity. Our solution is based on a known deobfuscation method that extracts the semantics of the virtual opcodes using symbolic execution with simplifying rules. We further treat the bytecode chunks and some internal constructs of the VM as concrete values instead of symbolic ones, enabling the known deobfuscation method to deal with the additional obfuscation techniques automatically.
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti... (CODE BLUE)
Kimsuky is a North Korean APT possibly controlled by North Korea's Reconnaissance General Bureau. Based on reports from the Korea Internet & Security Agency (KISA) and other vendors, TeamT5 identified that Kimsuky's most active group, CloudDragon, built a workflow functioning as a "Credential Factory" that collects and exploits credentials on a massive scale.
The credential factory powers CloudDragon's espionage campaigns. CloudDragon's campaigns have aligned with DPRK's interests, targeting organizations and key figures that play a role in the DPRK relationship. Our database suggests that CloudDragon has possibly infiltrated targets in South Korea, Japan, and the United States. Victims include think tanks, NGOs, media agencies, educational institutes, and many individuals.
CloudDragon's "Credential Factory" can be divided into three small cycles: the "Daily Cycle," the "Campaign Cycle," and the "Post-exploit Cycle." The "Daily Cycle" collects massive numbers of credentials and uses the stolen credentials to accelerate the APT life cycle.
In the "Campaign Cycle," CloudDragon develops a great deal of new malware. While responding to CloudDragon incidents, we found that the actor still relied on the BabyShark malware. CloudDragon once used BabyShark to deploy a new browser-extension malware targeting victims' browsers. Moreover, CloudDragon is also developing a shellcode-based malware, Dust.
In the "Post-exploit Cycle," the actor relied on hacking tools rather than malicious backdoors. We also identified that the actor used remote desktop software to evade detection.
In this presentation we will go through some of the most significant operations conducted by CloudDragon and, more importantly, provide possible scenarios of future intrusions for defense and detection.
[cb22] From Parroting to Echoing: The Evolution of China’s Bots-Driven Info... (CODE BLUE)
Social media is undoubtedly a critical battlefield for threat actors launching InfoOps, especially at critical moments such as wartime or election season. We have seen bot-driven information operations (InfoOps, aka influence campaigns) attempt to spread disinformation, incite protests in the physical world, and dox journalists.
China's bot-driven InfoOps, despite operating on a massive scale, are often considered low-impact with very little organic engagement. In this talk we will share our observations on these persistent bot-driven InfoOps and dissect the harmful disinformation campaigns they circulate in cyberspace.
In the past, most bot-driven operations simply parroted the narratives of the Chinese propaganda machine, mechanically disseminating the same propaganda and disinformation artifacts made by Chinese state media. Recently, however, we saw newly created bots turn to posting artifacts in a livelier manner. They used various tactics, including reposting screenshots of forum posts and disguising themselves as members of the "Milk Tea Alliance," to create a false appearance that such content is being echoed across cyberspace.
We particularly focus on an ongoing Chinese bot-driven InfoOps campaign targeting Taiwan, which we dub "Operation ChinaRoot." Starting in mid-2021, the bots have been disseminating manipulated information about Taiwan's local politics and Covid-19 measures. Our further investigation has also identified links between Operation ChinaRoot and other Chinese state-linked networks such as DRAGONBRIDGE and Spamouflage.
[cb22] Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”... (CODE BLUE)
Malware written in Go is increasing every year. Go's cross-platform nature makes it an attractive language for attackers who wish to target multiple platforms. On the other hand, statically linked libraries make it difficult to distinguish user functions from library code, which makes analysis hard. This situation has increased the demand for Go malware classification and exploration.
In this talk we will demonstrate the feasibility of computing similarity and classifying Go malware using a newly proposed method called gimpfuzzy. We have implemented "gimpfuzzy", which incorporates fuzzy hashing into the existing gimphash method. We will verify the discrimination rate of classification using the proposed method and confirm its validity by discussing some examples from the classified results. We will also discuss open issues in Go malware classification.
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat... (CODE BLUE)
Malware analysts normally obtain the IP addresses of malware command & control (C2) servers by analyzing samples. This approach works for commoditized attacks or campaigns. However, with targeted attacks using APT malware, it is difficult for organizations other than antivirus companies to acquire a sufficient number of samples. As a result, the malware C2 IOCs collected by a single organization are just the tip of the iceberg.
For years I have reversed the C2 protocols of high-profile APT malware families and then discovered active C2 servers on the Internet by emulating those protocols. In this presentation I will explain how to emulate the protocols of two long-lived pieces of malware used by PRC-linked cyber espionage threat actors: Winnti 4.0 and ShadowPad.
Both pieces of malware support multiple C2 protocols such as TCP/TLS/HTTP/HTTPS/UDP, and it is common for one piece of malware to use different data formats and encoding algorithms per protocol. I will cover the protocol details while referring to unique functions such as server mode in Winnti 4.0 and listening for multiple protocols on a single port in ShadowPad. Additionally, I will share findings from Internet-wide C2 scanning and its limitations.
After the presentation I will publish over 140 C2 IOCs with the date ranges in which they were discovered. These dates are more useful than IP addresses alone, since the C2s are typically found on hosted servers, meaning that a C2 may exist on a specific IP for only a very limited time. As of this writing, 65% of these IOCs have zero detections on VirusTotal.
[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu... (CODE BLUE)
We are swamped with new types of malware every day. The goal of malware analysis is not to reveal every single detail of the malware; it is more important to develop tools for efficiency or to introduce automation so that the same analysis process is not repeated. Malware analysts therefore usually develop tools and build analysis systems actively. On the other hand, such tool development and system maintenance are costly. Incident trends change daily and malware keeps evolving, and it is not easy to keep up with new threats. Malware analysts spend a long time maintaining their analysis systems, which reduces the time left for the analysis of new types of malware.
To solve these problems, we incorporate DevOps practices into malware analysis, reducing the cost of system maintenance with CI/CD and serverless technology. This presentation shares our experience of how CI/CD, serverless, and other cloud technologies can streamline malware analysis. Specifically, the following case studies are discussed.
* Malware C2 monitoring
* Malware hunting using the cloud
* YARA CI/CD system
* Malware analysis system on the cloud
* Memory forensics on the cloud
Through these case studies we will share the benefits of and tips for using the cloud, and show how to build a similar system using Infrastructure as Code (IaC). The audience will learn how to make malware analysis more efficient and how to build a malware analysis system on cloud infrastructure.
2. About Me
• Founder of the 80sec security team (ID: 剑心)
• Former security architect at Baidu
• Founder of the WooYun security community
3. About Me
• A hacker idealist
• A hacker pragmatist
6. What We Are Talking About When We Talk About Security
• We can hack the safest car in the world
• But we cannot stop people from using weak passwords
7. The Internet Environment We Face
• Hundreds of millions of users
• A huge user base drives an equally huge underground industry
8. The Internet Environment We Face
• Enterprises and applications that explode in number within a very short time
• Survive first, think about security later
9. The Internet Environment We Face
• Relatively immature regulations and mechanisms
• Security compliance counts for more than actually being secure
10. The Internet Environment We Face
• Rapid development of cloud and new technologies
• Now even the locks at home are networked
11. If You Are a White Hat
• You cannot get a higher salary or better career development
• Enterprises do not value security, because users do not understand security
12. If You Are a White Hat
• Because the commercial security community lacks sharing and discussion
• Your friends become fewer and fewer, while your enemies become more and more
13. If You Are a White Hat
• Your enterprise's security posture does not improve because of your hard work
• Because the network environment is getting worse, you have more enemies
15. Where Is the Silver Bullet
• Can we solve these security problems with better security technology?
16. Where Is the Silver Bullet
• Where is the core of the problem?
17. The Reason Why
Closed
– Users (being closed, they cannot see the real problems)
– Enterprises (if users cannot see the problems, there is no need to invest)
– Industry (information asymmetry is profitable)
18. Conventional Vulnerability Disclosure Process
• The vulnerability is submitted to the vendor first
• The vendor confirms and fixes it and pushes a patch
• No information is proactively disclosed to the public
• Possible commercial cooperation, rewards and acknowledgements
19. The Responsible Disclosure Process
• Fits the enterprise's own interests
• Fits the early information security environment
20. Changes
• MS/Adobe/Apple
– Closed system
– Endpoint security
• Google/Amazon/Apple
– Open system
– Cloud security
21. What We Hope For
Open
– Users (understand security through public disclosure of security information)
– Enterprises (users' attention to and understanding of security makes enterprises increase their investment in security)
– Industry (a transparent environment raises the value of products and technology)
22. Responsible Disclosure Process (WooYun Version)
• The vulnerability is submitted to the vendor first
• The vendor confirms and fixes it and pushes a patch
• All vulnerability details are disclosed publicly
• Important vulnerabilities are pre-announced and discussed at an early stage
23. Responsible Disclosure Process (WooYun Version)
• Fits the industry's security needs in the current environment
• Fits the security environment of today and of the future
24. The Core Values of the WooYun Ecosystem
• Every enterprise can fix its own security problems promptly and understand Internet risks
• The community and enterprises can learn from publicly disclosed problem details and so avoid more problems
• Through the disclosed problems, users can learn whether their data is at potential risk
28. What We Have Achieved
• 10,000+ white hats have reported 100,000+ vulnerabilities for the Internet industry
29. What We Have Achieved
• The discovery and fix cycle for important security vulnerabilities has shortened to weeks or even less
30. What We Have Achieved
• Users learn about important security risks and urge enterprises to deal with them
31. What We Have Achieved
• As enterprises understand security better, community white hats get better career development
32. What We Have Achieved
• White hats + users + enterprises + government form a healthy security immune mechanism