While hackers have known for years the importance of sharing research to improve security, the importance of coordinated vulnerability disclosure is now increasingly recognized by governments around the world. The principles of disclosure and of protecting security researchers are shared across borders, but there are some key differences between countries. This panel will present a global perspective that may in turn inform public policy and company behavior.
ENISA published 'Coordinated Vulnerability Disclosure policies in the EU' in April 2022. This report not only provides an objective introduction to the current state of coordinated vulnerability disclosure policies in the Member States of the European Union, but also introduces how vulnerability disclosure operates in China, Japan and the USA. Based on these findings, the desirable and good-practice elements of a coordinated vulnerability disclosure process are examined, followed by a discussion of the challenges and issues.
This session aims to share the contents of this report and clarify the challenges and future direction of operations in Japan, as well as national security and vulnerability handling issues in the US, in a panel discussion with representatives from various jurisdictions.
The panelists are practitioners from the notified bodies of Japan's early warning partnership, the authors of the above report in Europe, and the contributors to the above report in the US.
From Japan, the issues of awareness of the system, incentives, the growing backlog of cases in handling, and so-called triage in vulnerability handling will be introduced.
From the United States, the Vulnerabilities Equities Process for national security and the publication of a non-prosecution policy for vulnerability research will be introduced, together with the historical background of the issue.
The aim is that the panel discussion will enable the audience to understand the international situation surrounding CVD, as well as future trends, in particular the important role of vulnerabilities in cybersecurity and the challenges society faces around them.
A study on drug utilization evaluation of bronchodilators using DDD methodDr. Chihiro
The abstract was published as a conference proceeding in a Newsletter after being presented as an e-posture and secured 2nd prize during the scientific proceedings of "National Conference on Health Economics and Outcomes Research (HEOR) to Enhance Decision Making for Global Health" held at Raghavendra Institute of Pharmaceutical Education and Research (RIPER)- Autonomous in association with the International Society for Pharmacoeconomics and Outcomes Research (ISPOR)-India Andhra Pradesh Regional Chapter during 4th& 5th August 2023.
Nasir A. A study on drug utilization evaluation of bronchodilators using the DDD method. RIPER - PDIC Bulletin ISPOR India Andhra Pradesh Regional Chapter Newsletter [Internet]. 2023 Sep;11(51):14. Available from: www.riper.ac.in
Destyney Duhon personal brand explorationminxxmaree
Destyney Duhon embodies a singular blend of creativity, resilience, and purpose that defines modern entrepreneurial spirit. As a visionary at the intersection of artistry and innovation, Destyney fearlessly navigates uncharted waters, sculpting her journey with a profound commitment to authenticity and impact.This Brand exploration power point is a great example of her dedication to her craft.
Risks & Business Risks Reduce - investment.pdfHome
In this presentation, I have shown major risks that are to face in a business investment. Also I have shown their classification and sources.
This information have taken from my text book -" Investment Analysis and Portfolio Management ~chapter 2 Investment~ " For complete this Presentation I used Figma and Canva.
My Role:
a. Student Final year - Accounting
b. Presentation Designer
stackconf 2024 | Using European Open Source to build a Sovereign Multi-Cloud ...NETWAYS
The European Commission has clearly identified open source as a strategic tool for bringing some balance to an EU cloud market currently dominated by a handful of non-EU hyperscalers. Part of that commitment comes through a series of ambitious, multi-million EU projects like the SIMPL platform for Data Spaces and the multi-country “Important Project of Common European Interest on Next Generation Cloud Infrastructure and Services” (IPCEI-CIS). For the first time in the history of the European Union, it is the EU industry who will be leading large-scale open source projects aimed at building European strategic technologies. In this talk we will explain in detail how specific European open source technologies are being brought together as part of some of those projects to start building Sovereign Multi-Cloud solutions that ensure interoperability and digital sovereignty for European users while preventing vendor lock-in in the cloud market, opening up competition in the emerging 5G/edge.
Call India AmanTel allows you to call from any country in the world including India to the USA and Canada at the cheapest rate Limited offers new users some free minutes.
stackconf 2024 | Buzzing across the eBPF Landscape and into the Hive by Bill ...NETWAYS
The buzz around the Linux kernel technology eBPF is growing quickly and it can be hard to know where to start or how to keep up with this technology that is reshaping our infrastructure stack. In this talk, Bill will trace how he got into eBPF, explore some of the applications leveraging eBPF today, and teach others how to dive into the hive of activity around eBPF. People just beginning with eBPF will learn how eBPF makes it possible to have efficient networking, observability without instrumentation, effortless tracing, and real-time security (among other things) without needing your own kernel team. Those already familiar with eBPF will get an overview of the eBPF landscape and learn about many new and expanding eBPF applications that allow them to harness the power without needing to dive into the bytecode. The audience will walk away with an understanding of the buzz around eBPF and knowledge of new tools that may solve some of their problems in networking, observability, and security.
Biography of the late Mrs. Stella Atsupui Eddah.pdf
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" International Panel Discussion (3) by Lorenzo Pupillo
1. Coordinated Vulnerability Disclosure Policies in the EU
Code Blue Security Conference, Tokyo 27-28 October 2022
Lorenzo Pupillo, Associate Senior Research Fellow and Head of the Cybersecurity@CEPS Initiative, CEPS, Brussels
2. ENISA Study 2021
ENISA: Project Officers
• Marnix Dekker
• Evangelos Kantas
• Slawomir Bryska
CEPS: Research Team
• Lorenzo Pupillo
• Carolina Polito
• Francesco Campoli
Wavestone Research Team
• Nick Conway
• Aude Thirriot
• Thiago Barbizan
• Solène Drugeot
• Cristian Michael Tracci
3. Agenda
Current state of play of CVD policies
• State of play in the EU Member States
• State of play in non-EU countries
Key findings on CVD national policies
• Level of criticality of the vulnerability treatment and CVD processes
• Good practices on CVD policy and elements of a CVD process
Overview of challenges and issues on CVD national policies
• Challenges and issues related to CVD policies
• Suggestions on how to overcome CVD policy challenges shared by interviewees
5. State of play in the EU Member States (1/3)
While evolving in a fragmented EU environment, multiple EU Member States are making steps forward in the development of national CVD policies, but at different paces.
• Belgium, France, Lithuania, and the Netherlands have implemented CVD policies.
• 4 Member States are on the point of implementing a policy: the proposal is either being examined at the level of policymakers or is currently being tested in pilot projects.
6. State of play in the EU Member States (2/3)
• 10 Member States are in the process of implementing a national CVD policy; however, failure to reach consensus at the political or legislative level has hampered the process.
• Finally, 9 Member States have not implemented a CVD policy, and the process for establishing one has not yet started.
7. State of play in the EU Member States (3/3)
While evolving in a fragmented EU environment, multiple EU Member States are making steps forward in the development of national CVD policies, but at different paces.
Figure: Implementation of CVD policy at national level in Europe
9. Level of criticality of the vulnerability treatment and CVD processes (vulnerability lifecycle)
• Discovery: to reduce a vulnerability's harmfulness, someone has to discover it in the first place.
• Handling: if the vulnerability is in a product's code (code vulnerability), the 'code owner' needs to develop a mitigation and distribute it to all users ('vulnerability handling').
• Management: if the vulnerability is a misconfiguration or an unapplied mitigation (often a patch) in an information system (system vulnerability), the 'system owner' needs to manage it, i.e., apply the patch or change the system or product configuration as soon as possible.
• Disclosure: in most cases, code vulnerability information needs to be disclosed publicly, or at least to the security community or targeted audiences.
10. GOOD PRACTICES ON CVD POLICY AND ELEMENTS OF A CVD PROCESS
Content of a CVD Policy
• The CVD policy shall contain a description of the mutual obligations of the involved parties, namely:
  • Authorization to access the computer system (proportionality)
  • Information required to report a vulnerability
  • Confidentiality
  • Procedural deadlines (within 90 days)
  • Communication channels
  • Rewards for security researchers
  • Public disclosure
11. GOOD PRACTICES ON CVD POLICY AND ELEMENTS OF A CVD PROCESS
Member States have highlighted a series of procedures they have implemented that should be regarded as best practices:
• References to two standards: ISO/IEC 29147 (vulnerability disclosure) and ISO/IEC 30111 (handling procedures for reported vulnerabilities)
• Bottom-up approach (The Netherlands)
• Talk to the vendors
• Familiarise with the ethical hacker community
• Insulate the information
• Implement the OECD's recommendations/good practices
• Adopt the Common Security Advisory Framework (CSAF)
12. ZOOMING on SOME Elements of CVD processes
• Entities involved: role of the national CERT and/or the National Cybersecurity Authority (observer or central role)
• Tools: dedicated website, implementation of ticketing systems, custom tools (Cuckoo Sandbox), validation tools (Burp Suite), warning and information systems (Common Security Advisory Framework), communication tools especially in multiparty processes, finding vulnerabilities through open-source intelligence software
• Awareness raising campaigns: Lithuania: Cybersec Breakfast; The Netherlands: Hack right
• Operational and crisis management activities
15. LEGAL CHALLENGES
• Criminal law: according to the Cybercrime Convention, intentionally accessing a computer system without rights is a criminal offence.
• Copyright law: researchers can breach copyright law when the information disclosed entails portions of copyrighted code. The vulnerability owners can establish exemptions, enabling the possibility of safe harbours.
• Data protection law: researchers discovering vulnerabilities may access personal data, which could be interpreted as a breach of data protection law.
• Contract law: bug bounty policies and in some cases vulnerability disclosure policies represent the terms of a contract between the vulnerability owner and the researcher. Breaching the terms of the contract entails legal liability and risks for the researcher.
• Export control legislation and regulation are often cited as a legal risk for researchers, as they may apply to tools and knowledge used to discover vulnerabilities.
16. Other CHALLENGES
Economic challenges
• Vulnerabilities and software market dynamics
• Lack of cooperation among stakeholders
• Limited market incentives for security researchers to participate in CVD programs
• Most security researchers are activists, not professionals employed by private companies
• Lack of resources and skills to implement CVD policies
• Cost of implementation and operation of CVD policies is considered relatively less impactful
Political challenges
• Top-down or bottom-up approach
• The role of Government
  • Updating imperfect cybercrime and intellectual property frameworks
  • Support and enable CVD policies
  • Leading by example in establishing CVD policies (adopting CVD within the government, etc.)
• The role of the private sector
  • Leader or follower?
17. Overcome the challenges
Overcome the legal challenges
• Two questions relating to the link between vulnerability discovery and criminal offence:
  • Circumstances under which finding vulnerabilities may be associated with a criminal offence (substantive).
  • Conditions to be met for any crimes associated with finding vulnerabilities to be prosecuted (procedural).
• Since, according to the Budapest Convention, only 'unauthorised access should be considered as a criminal offence', computer system owners can authorise access through the publication of a CVD policy; EU countries could implement CVD policies that offer a limited liability waiver to security researchers.
• Since criminal law is a prerogative of Member States, they could amend their criminal law to create legal certainty for security researchers.
• The EU could amend the Cybercrime Directive 2013/40/EU to offer legal certainty to security researchers.
• The protection of security researchers could also be achieved by recognising the status of whistle-blower in the sense of Directive 2019/1937.
• It would be helpful to define the role of ethical hackers: a law could be drafted defining ad-hoc criteria.
18. Overcome the challenges
Overcome the economic challenges
• Promote appropriate policies aimed at encouraging security researchers to actively participate in CVD programmes
• Specific role for bug bounty programmes: should the EU set up a programme, or rather harmonise regulation and practices across the EU Member States?
• Support research programmes to foster CVD policies among public and private researchers in Europe (Digital Europe Programme and Horizon Europe)
• The EU should make available funding and programmes to train people and make viable the development of CVD policies in the EU
Overcome the political challenges
• Top-down or bottom-up approach: an EU approach could take the form of a common model of CVD at the EU level, promoting coordination at the EU and international level.
• The role of Government:
  • Updating cybercrime and intellectual property frameworks to better protect security researchers, for example through 'safe harbours'
  • Leading by example in the establishment of a CVD policy (e.g., CVD within the government, etc.)
• The role of the private sector:
  • Private entities should not wait for government policy interventions; they should define CVD policies and publish them on the organisation's website.
19. CVD in NIS 2
• The Directive also establishes a framework for Coordinated Vulnerability Disclosure and requires Member States to designate CSIRTs to act as trusted intermediaries and facilitate the interaction between the reporting entities and the manufacturers or providers of ICT products and ICT services. ENISA is required to develop and maintain a European vulnerability registry for the discovered vulnerabilities.