Recently, services that provide remote control and acquire vehicle location information (GPS) have been increasing. (As far as we know, they have been especially popular with EV cars.)
These services are a challenging business for the automotive industry and OEMs because they have a potentially huge market or add value to their products in the future.
On the other hand, these services may lead to new threats and risks for automobiles, because an Internet connection has not been considered necessary for automobiles so far.
Further, some researchers have already reported vulnerabilities in the remote services provided by various OEMs.
These issues were all reported outside Japan. Then, how about in Japan?
Therefore, we analyzed the client apps for Japan provided by various OEMs. We also analyzed apps for the US because there are not yet many apps for Japan.
Specifically, we analyzed vulnerabilities (cooperation between apps, certificate verification, etc.) and whether these apps use anti-analysis techniques such as obfuscation.
In this talk, we will introduce the potential for abuse of remote service apps in the future and countermeasures for these risks.
--- Naohide Waguri
Naohide Waguri joined FFRI in 2013. Before he joined FFRI, he had participated in software quality assurance, software development and promotion of test automation of network equipment (Gigabit Ethernet or multilayer switches) as a network engineer. After joining FFRI, he participated in penetration testing, analysis and investigating the trend of cyber attacks. He is currently researching threat/risk analysis and evaluation methods for the security of embedded systems such as in-vehicle devices. He was a speaker at CODE BLUE 2015.
The document discusses Advanced Persistent Threats (APTs). It begins by defining APTs and noting some common misconceptions about them. It then discusses notable APT attacks from 2003 to 2017. Finally, it outlines the typical lifecycle of an APT attack, including preparation such as researching targets, acquiring tools, and testing for detection, as well as the intrusion deployment phase.
Spear phishing attacks target individuals within an organization using personalized emails to trick them into revealing sensitive information or clicking malicious links. One such attack began when a worker clicked a spear phishing link, allowing attackers to access the network. The attackers then used information from the Active Directory to identify databases and steal large amounts of personal information, including social security numbers and birth dates. Organizations need integrated security solutions across email and other vectors to detect and block these advanced targeted attacks involving spear phishing and credentials theft. FireEye Email Security aims to provide more effective protection against these types of email-based cyberattacks.
ITCamp 2018 - Tobiasz Koprowski - SECDEV(OPS). How to Brace Your IT Security.
Security? It's simple. We have a Security Team... Security of our environment, application, development is their security. We follow Best Practices, we implement their suggestions (or not...).
But maybe today, in June 2018, when GDPR is a fact, we should look a little more in detail at the security aspects: well-known and less-known risks, vulnerability assessments, secure coding, secure testing.
Let's discuss SEC/DEV/OPS/SDLC/OSSTMM/OWASP/ITIL and a few other acronyms. Use freely available knowledge and a specially prepared environment to check and test our security before we touch Visual Studio, PowerShell, CLI, Visual Studio Code, or even JSON. Be #SecureByDesign.
Deepfake anyone, the AI synthetic media industry enters a dangerous phase
Deepfake technology has advanced to the point where average users with smartphones can easily generate highly realistic synthetic media without expertise. This raises concerns about non-consensual deepfakes, especially pornographic ones. While some apps aim to prevent abuse through controls, deepfakes remain very difficult to detect as real or fake. There are proposals to expand liability for deepfakes beyond just the perpetrator, but regulating this emerging technology poses technical and ethical challenges.
The document discusses risk-based security testing methodology for web applications. It involves deriving test cases from threat analysis techniques like attack tree analysis and understanding real-world attack vectors. The goal is to simulate real attacker scenarios and test for vulnerabilities, as well as potential abuse of business logic or flaws in the secure architecture. Security testing is integrated into the software development lifecycle to find and fix issues early.
Threat Modeling for the Internet of Things
A presentation made at several public events in 2015 about the threats related to the Internet of Things, and how modeling can be used as a way to manage mitigation methods.
Data security of mobile applications. Myths and reality.
Yury Chemerkin is a security expert with 10 years of experience focused on privacy, mobile security, and compliance. He has published many papers on mobile and cloud security and speaks regularly at security conferences. Perspektivny Monitoring is a security research company founded in 2007 that focuses on commercial security monitoring, threat intelligence, software security practices, and security of mobile devices, apps, and networks. The document discusses myths and realities regarding data protection in mobile apps, providing examples of common vulnerabilities like insecure data storage, transmission, and authentication over the years. It also highlights specific apps that had data leaks or protections issues.
Implementing a comprehensive application security program - Tawfiq
The document discusses implementing a comprehensive application security program. It begins with an overview of advanced persistent threats (APTs) and how they systematically target networks over long periods of time to achieve political, economic, technical and military objectives. It then details how the RSA security company was hacked through a targeted email attack and credential theft. The document emphasizes that application vulnerabilities are a major entry point for APTs and stresses the importance of addressing the OWASP Top 10 security risks like injection flaws and cross-site scripting. It argues that without a risk-based approach, traditional penetration testing provides limited business value by focusing only on technical issues.
A talk from the Work Track at AWE USA 2018 - the World's #1 XR Conference & Expo in Santa Clara, California May 30- June 1, 2018.
Tony Hodgson (Brainwaive LLC): Enterprise AR Cyber Security – Breaking Down Barriers to Production Roll-Outs
This talk will look at the pioneering work Brainwaive LLC conducted last year building the Enterprise AR Cyber Security Framework and Test Protocol including what’s happened in the industry since last year, and gaps that must still be addressed.
http://AugmentedWorldExpo.com
G01.2012 magic quadrant for endpoint protection
Eset has built a substantial installed base in EMEA, particularly in Eastern Europe, and it has a rapidly growing small or midsize business (SMB) presence in North America. Its anti-malware engine is a consistently solid performer in test results. However, it lacks enterprise-grade management capabilities and investments in additional security features such as data protection or security assessments. F-Secure has consistently good malware detection results and supports virtual environments, but has very little brand recognition outside of Europe. Check Point is well-known for network security but has struggled to gain market share in endpoint protection due to its reliance on Kaspersky Lab for signatures and lack of data security features.
Agenda:
- SDLC vs S-SDLC
- Mobile development security process
- Which tools to use for security testing?
- How to integrate into existing processes?
- What else can you do?
Are you looking for a reliable penetration testing solution? Contact iViZ Security, which provides an on-demand penetration testing solution for proactive security risk management. Our penetration tests are comprehensive and reliable, to keep a computer system or network safe from various malicious attacks.
This document provides an overview of a presentation by Marco Morana from OWASP on developing an OWASP Application Security Guide for Chief Information Security Officers (CISOs). The presentation covers the need for such a guide given the evolving roles and responsibilities of CISOs. It outlines the guide's structure and contents to provide CISOs with strategic guidance on application security processes, metrics, and technology selection. A four step project plan is also presented for creating the guide based on input from the security community and CISO surveys.
[CB16] Who put the backdoor in my modem? by Ewerson Guimaraes
For quite some time we have been seeing espionage cases reaching countries, governments and large companies.
A large number of backdoors were found on network devices, mobile phones and other related devices, having as main cases the ones that were reported by the media, such as: TP-Link, Dlink, Linksys, Samsung and other companies which are internationally renowned.
This talk will discuss a backdoor found on the modem / router rtn, equipment that has a big question mark on top of it, because there isn't a vendor identification and no information about who its manufacturer is, and there are at least 7 companies linked to its production, sales and distribution in the market. Moreover, some of them never really existed.
Which leads us to the question in the research title: "Who put the backdoor in my modem?"
--- Ewerson Guimaraes
Degree in Computer Science from Fumec University, Security Analyst and Researcher at Epam Systems. Certified by Offensive Security (OSCP) and eLearn (WPT) as a pentester, Ewerson has published articles in the Brazilian information security/computer magazines H4ck3r and GEEK; moreover, he has posted exploits and advisories on SecurityFocus for issues found in big companies like IBM, McAfee, Skype, Technicolor, Tufin, TrendMicro and others. He contributed to developing some modules for the Metasploit Framework Project. Founder of BHack Conference and Area31, the first hackerspace in Minas Gerais, and an active Kali Linux Community Contributor.
[CB16] (P)FACE: To Apple's Core, and an Exploit to Root Privilege by Moony Li & Jack Tang
OS X security vulnerability research has become more popular as Mac devices have become more popular. OS X's IOKit is exposed to many attacks from hackers through compromise of the kernel itself and kernel extensions at the switch from user mode. Many researchers are advancing research in this field (see the references), and we would like to share the following several results from our research in this area.
1. A passive fuzzing framework with context enlightenment for detecting kernel vulnerabilities
2. An exploitation technique for occupying kernel memory from a user-mode program in order to bypass SMAP & SMEP
3. How to make use of the vulnerabilities detected by this fuzzing method, and a new exploitation technique for obtaining root that has succeeded twice against OS X
We introduce a new technique: passive fuzzing with context enlightenment against the OS X IOKit, called PFACE. PFACE has the following characteristics.
First, it allows execution and detection, deeply and widely, of code that is condition-dependent and causes system crashes. Next, it outputs modules that include the following: context, an indicator of suspected vulnerabilities. The indicator will be useful to reviewers as a means of initially reviewing the modules.
Given many vulnerabilities, the main challenge is how to transfer ROP gadgets from a user-mode program into kernel space, because recent OS X enables SMAP and SMEP. The renowned security researcher Stefan Esser proposed that OSData is a good structure for occupying kernel memory [reference section 5]. Of course, OSData is certainly a good data structure. However, in practice there are several issues that prevent OSData from working. We discovered a new technique to make OSData work for occupying kernel memory from a user-mode program, and with this technique we have succeeded in detecting new vulnerabilities and obtaining root on OS X (10.11.3).
In fact, we have discovered many vulnerabilities with CVEs, and achieved kernel crashes through the effects of fuzzing. We have also established two different local privilege escalation techniques on Mac OS X (10.11.3) using several vulnerabilities.
--- Moony Li & Jack Tang
[CB16] WireGuard: Next Generation Abuse-Resistant Kernel Network Tunnel by Ja...
The state of VPN protocols is not pretty, with popular options, such as IPsec and OpenVPN, being overwhelmingly complex, with large attack surfaces, using mostly cryptographic designs from the 90s. WireGuard presents a new abuse-resistant and high-performance alternative based on modern cryptography, with a focus on implementation and usability simplicity. It uses a 1-RTT handshake, based on NoiseIK, to provide perfect forward secrecy, identity hiding, and resistance to key-compromise impersonation attacks, among other important security properties, as well as high performance transport using ChaCha20Poly1305. A novel IP-binding cookie MAC mechanism is used to protect against several forms of common denial-of-service attacks, both against the client and server, improving greatly on those of DTLS and IKEv2. Key distribution is handled out-of-band with extremely short Curve25519 points, which can be passed around in the likes of OpenSSH. Discarding the academic layering perfection of IPsec, WireGuard introduces the idea of a "cryptokey routing table", alongside an extremely simple and fully defined timer-state mechanism, to allow for easy and minimal configuration; WireGuard is actually securely deployable in practical settings. In order to rival the performance of IPsec, WireGuard is implemented inside the Linux kernel, but unlike IPsec, it is implemented in less than 4,000 lines of code, making the implementation manageably auditable. The talk will examine both the cryptography and kernel implementation particulars of WireGuard and explore an offensive attack perspective on network tunnels.
--- Jason Donenfeld
Jason Donenfeld is an independent security researcher and software developer, with a broad background of experience, well-known in both the security community and the open source world, and has pioneered several exploitation techniques. He has worked with many severe vulnerabilities in widespread software projects, including working on 0-day vulnerabilities in the Linux kernel, as well as extensive hardware reverse engineering. His security work spans advanced mathematical and geometric algorithms, cryptography, and remote exploitation.
Jason founded Edge Security (www.edgesecurity.com), a highly capable security consulting firm, with expertise in vulnerability discovery, security assessments, reverse engineering, hardened development, and physical security.
In this talk, I will take a close look at esoteric web application vulnerabilities. These vulnerabilities may be missed by the cursory vulnerability assessments of many security consultants, and can lead to remote code execution, authentication bypass, and having a shop's goods purchased via PayPal without any money actually being paid.
SQL injection is dead, but I don't care. Let's explore the world of null, nil and NULL, NoSQL injection, Host header injection leading to phone call interception, PayPal double payments, and remote code execution in Rails' Message Verifier.
--- Andres Riancho
Andres Riancho is an application security expert who currently leads the community-driven open source w3af project and provides in-depth web application penetration testing services to companies around the world.
In the research field, he has discovered critical vulnerabilities in IPS appliances from 3Com and ISS, contributed to SAP research conducted by one of his former employers, and reported vulnerabilities in hundreds of web applications.
His focus has always been the web application security field. That is w3af, which he developed: a web application attack and audit framework widely used by penetration testers and security consultants. Andres has given talks and held trainings at many security conferences around the world, including BlackHat (USA and Europe), SEC-T (Sweden), DeepSec (Austria), OWASP World C0n (USA), CanSecWest (Canada), PacSecWest (Japan), T2 (Finland) and Ekoparty (Buenos Aires).
In 2009, Andres founded Bonsai Information Security, a consulting company specializing in web security, to further research automated web application vulnerability detection and development.
[CB16] Keynote: How much security is too much? by Karsten Nohl
Based on one decade of impactful security research and several years as a risk manager, Karsten Nohl reflects upon what he would have done differently in pushing a data security agenda.
Our community is convinced that stellar IT security is paramount for companies large and small: We need security for system availability, for brand reputation, to prevent fraud, and to keep data private. But is more security always better?
Poorly chosen protection measures can have large externalities on the productivity, innovation capacity, and even happiness of organizations. Can too much security be worse than too little security?
This talk investigates the trade-off between security and innovation along several examples of current security research. It finds that some hacking research is counter-productive in bringing the most security to most people, by spreading fear too widely.
--- Karsten Nohl
Karsten Nohl has spoken widely on security gaps since 2006. He and co-investigators have uncovered flaws in mobile communication, payment, and other widely-used infrastructures. In his work at an Asian 4G and digital services provider, and as Chief Scientist at Security Research Labs in Berlin, a risk management think tank specializing in emerging IT threats, Karsten challenges security assumptions in proprietary systems and is fascinated by the security-innovation trade-off. Hailing from the Rhineland, he studied electrical engineering in Heidelberg and earned a doctorate in 2008 from the University of Virginia.
[CB16] Using the CGC’s fully automated vulnerability detection tools in secur...
End-users' requirements for secure IT products are continually increasing in environments that directly affect human life and industry, such as IoT and CPS. Because vendors and end-users sell or buy products based on trustworthy or objective security evaluation results, the role of security evaluation is important. Security evaluations are divided into two parts: one is evaluation at the design level, such as ISO/IEC 29128 (Verification of Cryptographic Protocols), and the other is at the post-implementation level, such as ISO/IEC 15408 (Common Criteria). Both of these security evaluation standards, ISO/IEC 29128 and ISO/IEC 15408, advise the use of formal verification and automated tools when a high assurance level of the target product is required.
For a long time, vulnerability detection using automated tools has been tried and studied by many security researchers and hackers. Recently, studies related to automated vulnerability detection have become more active than ever in the hacking community with DARPA's CGC (Cyber Grand Challenge). But too many tools are continually being developed, and usually each tool has its own purpose, so it is hard to achieve the ultimate goal of security evaluation effectively and to verify evaluation results.
Furthermore, there are no references for categorizing automated tools from the perspective of security evaluation. So, in this presentation we will list, categorize and analyze automated tools for vulnerability detection and introduce our results, such as pros and cons, purpose, effectiveness, etc.
--- InHyuk Seo
My name is Inhyuk Seo (nick: inhack). I graduated with a B.S. in Computer Science and Engineering from Hanyang University (ERICA) in 2015. Now I'm a researcher and M.S. student at SANE (Security Analysis aNd Evaluation) Lab at Korea University. I'm interested in programming languages, software testing, machine learning and artificial intelligence.
In 2012, I completed the high-quality information security education course "the Best of the Best (BoB)" hosted by KITRI (Korea Information Technology Research Institute) and conducted the "Exploit Decoder for Obfuscated Javascript" project.
I have participated in many projects related to vulnerability analysis. I conducted "Smart TV Vulnerability Analysis and Security Evaluation" and "Developing Mobile Security Solution (EAL4) for Military Environment". Also, I participated in a vulnerability analysis project for IoT products of various domestic telecommunications companies.
--- Jisoo Park
Jisoo Park graduated from Dongguk University with a B.S. in Computer Science Engineering. He participated in a secure coding research project in the Programming Language Lab and at KISA (Korea Internet & Security Agency). He worked as a software QA tester at the anti-virus company Ahnlab. He also completed the high-quality information security education course "Best of the Best" hosted by KITRI (Korea Information Technology Research Institute) and conducted security consulting for a car sharing service company.
Now, Jisoo Park is a
Black Hat USA 2015 Survey Report (FFRI Monthly Research 201508)
This document summarizes security research presented at the Black Hat USA 2015 conference. Several talks demonstrated remote attacks against vehicles, including exploiting vulnerabilities in Chrysler Jeeps and Tesla Model S vehicles. Other research targeted IoT devices, like hacking a Linux-powered rifle and exploiting vulnerabilities in ZigBee wireless protocols. Additional briefings covered mobile and malware attacks, like exploiting the TrustZone security architecture on Android and using return-oriented programming for antivirus evasion. The document provides high-level overviews and comments on many of the featured talks from Black Hat USA 2015 and related conferences.
Internet of Things Security: IBM HorizonWatch 2016 Trend Brief
The slides provide a quick overview of the IoT security trend. The slides provide summary information, a list of trends to watch and links to additional resources.
Open Source Insight: Auto Security & Hackers, Killer Robots, & Containers Gon...
According to the Linux Foundation’s 2017 Open Source Jobs Report, 89% of hiring managers are finding it difficult to find talent with open source expertise. Black Duck technical evangelist Tim Mackey explores how good containers go bad in a freewheeling interview with Linux.com.
IOactive and UBTech Robotics face off on “killer robot” claims and the UK Department for Transport and the Alliance for Telecommunications Industry Solutions issue connected car cybersecurity proposals.
All this and more cybersecurity and open source security news in this week’s edition of Open Source Insight.
Open Source Insight: Who Owns Linux? TRITON Attack, App Security Testing, Fut...
We look at the three reasons you must attend the FLIGHT Amsterdam conference; how to build outstanding projects in the open source community; and why isn’t every app being security tested? Plus, in-depth into the TRITON attack; why 2018 is the year of open source; how open source is driving both IoT and AI and a webinar on the 2018 Open Source Rookies of the Year.
Open Source Insight is your weekly news resource for open source security and cybersecurity news!
Latest Security Reports of Automobile and Vulnerability Assessment by CVSS v3...
• Automobile security is a hot topic at many conferences.
• Cyber security measures are essential for the automobile.
• We summarize the following topics based on the above background.
– Presentations at conferences other than Black Hat USA 2015 and DEF CON 23.
– Introduction of vulnerability assessment methods for automobile security using CVSS v3.
Web Application Testing for Today’s Biggest and Emerging Threats
The document discusses emerging threats to web applications and strategies for testing applications to identify vulnerabilities. It finds that nearly half of all vulnerabilities are in web applications, with cross-site scripting and SQL injection being most common. Many vulnerabilities have no patches available yet. New attack types like client-side vulnerabilities are also emerging. The document advocates integrating security testing into the development process to help developers write more secure code and find issues early.
apidays LIVE New York 2021 - Playing with FHIR without getting burned by Dav...
apidays LIVE New York 2021 - API-driven Regulations for Finance, Insurance, and Healthcare
July 28 & 29, 2021
Playing with FHIR without getting burned
David Stewart, CEO at Approov
Mobile adoption is strategic in every industry today. Although it can be a great catalyst for growth, the security risks that come with it cannot be overlooked. Even though this fact is established, many companies are still not following some of the mobile application security best practices. The goal of this talk is to raise awareness about application security by identifying some of the most critical risks facing organizations during development. We will cover everything from basic OWASP Top 10 security issues to live demos of different use-case scenarios showing how a hacker can hack your application, and how to prevent them.
apidays LIVE Singapore 2021 - Why verifying user identity Is not enough In 20...
apidays LIVE Singapore 2021 - Digitisation, Connected Services and Embedded Finance
April 21 & 22, 2021
Why verifying user identity Is not enough In 2021
David Stewart, CEO of Approov
The document discusses the threats posed by the growing Internet of Things (IoT), noting that IoT devices are vulnerable to life-threatening hacking, as illustrated by examples of medical devices, cars, and industrial systems being hacked. It warns that the majority of IoT devices have vulnerabilities that could be exploited by criminals, and stresses the importance of implementing security controls like firewalls, encryption, access controls and regular security updates to protect IoT devices and prevent threats to confidentiality, integrity and availability. It recommends conducting regular risk assessments, penetration testing and security training to help secure organizations' IoT environments.
Open Source Insight: Hospital, Medical Devices, Banking, and Automotive Cyber...
A wide spectrum of cybersecurity and open source security news in this week's Open Source Insight, including the need for hospitals to ramp up their cybersecurity efforts; the need to include open source security in any plan to secure medical devices; a major data breach at Italian bank Unicredit; two Black Duck executives share their views on open source security in video interviews; and why the automotive industry may be close to an iPhone moment.
IRJET - System to Identify and Define Security Threats to the users About The...
The document describes a proposed system called "MobiSecure" that would identify and define security threats from illegitimate installed applications on Android devices. It aims to scan a device's memory for applications downloaded from unknown sources that could enable cyberattacks. The system would detect such applications, inform the user, and allow deleting the application to mitigate risks. It has modules for scanning devices, displaying results with threat descriptions, and removing flagged applications. The system architecture is designed to identify malware-containing applications installed without user knowledge to help decrease cyber threats.
Enable best-of-breed security testing for enterprise, web and mobile applications
• Facilitate application security testing for your customers at the appropriate stage of their development lifecycle
• Identify security vulnerabilities such as SQL injection and cross-site scripting (XSS)
• Automate correlation of static, dynamic and interactive application security testing results
• Deliver detailed reporting to your customers that summarises security vulnerabilities, assesses potential risk and offers remediation tactics
What's the State of Your Endpoint Security? (IBM Security)
The document discusses the challenges facing security teams, including skills gaps in security expertise, ongoing data breaches, and a lack of timely threat intelligence. It notes that the perimeter no longer exists as endpoints extend everywhere. A survey found that 44% of organizations had an endpoint breach in the last 24 months, and it takes most over 3 hours to remediate each compromised endpoint. The document promotes the IBM BigFix solution for discovering all endpoints, fixing vulnerabilities across on and off network devices quickly, and continuously monitoring endpoints to improve security.
NDIA 2021 - SolarWinds overview and takeaways (Bryson Bort)
This document summarizes the SolarWinds supply chain attack, including the various stages of malware used (SUNBURST, SUPERNOVA, TEARDROP, RAINDROP, etc.), the timeline of the attack, potential vectors used, the types of information and organizations targeted, and lessons learned about supply chain security and the challenges of cyber defense. Key takeaways include that nothing is unhackable, risk extends to all vendors and connected systems, and the largest security risk comes from people. Comprehensive defenses require detection, response, and remediation capabilities as well as assuming breaches will occur.
The document provides an overview of securing Android applications according to the OWASP (Open Web Application Security Project) approach. It discusses the OWASP Mobile Security Project, performs a crash course on Android architecture and essentials, demonstrates threat modeling for Android apps, reviews the top 10 mobile risks and associated controls from OWASP, and provides resources for further information.
The document discusses Advanced Persistent Threats (APTs). It begins by defining APTs and noting some common misconceptions about them. It then discusses notable APT attacks from 2003 to 2017. Finally, it outlines the typical lifecycle of an APT attack, including preparation such as researching targets, acquiring tools, and testing for detection, as well as the intrusion deployment phase.
Spear phishing attacks target individuals within an organization using personalized emails to trick them into revealing sensitive information or clicking malicious links. One such attack began when a worker clicked a spear phishing link, allowing attackers to access the network. The attackers then used information from the Active Directory to identify databases and steal large amounts of personal information, including social security numbers and birth dates. Organizations need integrated security solutions across email and other vectors to detect and block these advanced targeted attacks involving spear phishing and credentials theft. FireEye Email Security aims to provide more effective protection against these types of email-based cyberattacks.
ITCamp 2018 - Tobiasz Koprowski - SECDEV(OPS). How to Brace Your IT Security.ITCamp
Security? It's simple. We have Security Team... Security of our environment, application, development it's their security. We follow Best Practices, we implementing their's suggestions (or not...).
But maybe today, in June 2018, where GDPR is a fact, we should look a little bit more in details for the security aspects. Well know and less known risks, vulnerability assessments, secure coding, secure testing,
Let's discuss: SEC/DEV/OPS/SDLC/OSSTMM/OWASP/ITIL and few other acronyms. Use freely available knowledge and specially prepared environment to check and test our security before we touch out Visual Studio, PowerShell, CLI, Visual Studio Code, or even JSON. Be #SecureByDesign
Deepfake anyone, the ai synthetic media industry enters a dangerous phaseaditi agarwal
Deepfake technology has advanced to the point where average users with smartphones can easily generate highly realistic synthetic media without expertise. This raises concerns about non-consensual deepfakes, especially pornographic ones. While some apps aim to prevent abuse through controls, deepfakes remain very difficult to detect as real or fake. There are proposals to expand liability for deepfakes beyond just the perpetrator, but regulating this emerging technology poses technical and ethical challenges.
The document discusses risk-based security testing methodology for web applications. It involves deriving test cases from threat analysis techniques like attack tree analysis and understanding real-world attack vectors. The goal is to simulate real attacker scenarios and test for vulnerabilities, as well as potential abuse of business logic or flaws in the secure architecture. Security testing is integrated into the software development lifecycle to find and fix issues early.
Threat Modeling for the Internet of ThingsEric Vétillard
A presentation made in several public events in 2015 about the threats related to the Internet of Things, and how modeling can be used as a way to manage mitigation methods.
Безопасность данных мобильных приложений. Мифы и реальность.Advanced monitoring
Yury Chemerkin is a security expert with 10 years of experience focused on privacy, mobile security, and compliance. He has published many papers on mobile and cloud security and speaks regularly at security conferences. Perspektivny Monitoring is a security research company founded in 2007 that focuses on commercial security monitoring, threat intelligence, software security practices, and security of mobile devices, apps, and networks. The document discusses myths and realities regarding data protection in mobile apps, providing examples of common vulnerabilities like insecure data storage, transmission, and authentication over the years. It also highlights specific apps that had data leaks or protections issues.
Implementing a Comprehensive Application Security Program (Tawfiq, OWASP Qatar Chapter)
The document discusses implementing a comprehensive application security program. It begins with an overview of advanced persistent threats (APTs) and how they systematically target networks over long periods of time to achieve political, economic, technical and military objectives. It then details how the RSA security company was hacked through a targeted email attack and credential theft. The document emphasizes that application vulnerabilities are a major entry point for APTs and stresses the importance of addressing the OWASP Top 10 security risks like injection flaws and cross-site scripting. It argues that without a risk-based approach, traditional penetration testing provides limited business value by focusing only on technical issues.
Tony Hodgson (Brainwaive LLC): Enterprise AR Cyber Security – Breaking Down B... (AugmentedWorldExpo)
A talk from the Work Track at AWE USA 2018 - the World's #1 XR Conference & Expo in Santa Clara, California May 30- June 1, 2018.
Tony Hodgson (Brainwaive LLC): Enterprise AR Cyber Security – Breaking Down Barriers to Production Roll-Outs
This talk will look at the pioneering work Brainwaive LLC conducted last year building the Enterprise AR Cyber Security Framework and Test Protocol including what’s happened in the industry since last year, and gaps that must still be addressed.
http://AugmentedWorldExpo.com
G01.2012 Magic Quadrant for Endpoint Protection (Satya Harish)
Eset has built a substantial installed base in EMEA, particularly in Eastern Europe, and it has a rapidly growing small or midsize business (SMB) presence in North America. Its anti-malware engine is a consistently solid performer in test results. However, it lacks enterprise-grade management capabilities and investments in additional security features such as data protection or security assessments. F-Secure has consistently good malware detection results and supports virtual environments, but has very little brand recognition outside of Europe. Check Point is well-known for network security but has struggled to gain market share in endpoint protection due to its reliance on Kaspersky Lab for signatures and lack of data security features.
Agenda:
- SDLC vs S-SDLC
- Mobile development security process
- Which tools to use for security testing?
- How to integrate it into existing processes?
- What else can you do?
Are you looking for a reliable penetration testing solution? Contact iViZ Security, which provides an on-demand penetration testing solution for proactive security risk management. Our penetration tests are comprehensive and reliable, keeping computer systems and networks safe from malicious attacks.
This document provides an overview of a presentation by Marco Morana from OWASP on developing an OWASP Application Security Guide for Chief Information Security Officers (CISOs). The presentation covers the need for such a guide given the evolving roles and responsibilities of CISOs. It outlines the guide's structure and contents to provide CISOs with strategic guidance on application security processes, metrics, and technology selection. A four step project plan is also presented for creating the guide based on input from the security community and CISO surveys.
[CB16] Who put the backdoor in my modem? by Ewerson Guimaraes (CODE BLUE)
For quite some time we have been seeing espionage cases reaching countries, governments and large companies.
A large number of backdoors have been found in network devices, mobile phones and other related devices, the main cases being those reported by the media, such as TP-Link, D-Link, Linksys, Samsung and other internationally renowned companies.
This talk will discuss a backdoor found in the modem/router "rtn", a piece of equipment with a big question mark hanging over it: there is no vendor identification and no information about who its manufacturer is, and at least 7 companies are linked to its production, sale and distribution, some of which never really existed.
This leads us to the question in the research title: "Who put the backdoor in my modem?"
--- Ewerson Guimaraes
Degree in Computer Science from Fumec University, Security Analyst and Researcher at Epam Systems. Certified as a pentester by Offensive Security (OSCP) and Elearn (WPT), Ewerson has published articles in the Brazilian information security and computing magazines H4ck3r and GEEK, and has posted exploits and advisories on SecurityFocus for vulnerabilities found in big companies such as IBM, McAfee, Skype, Technicolor, Tufin, TrendMicro and others. He contributed to developing several modules for the Metasploit Framework project. Founder of the BHack Conference and of Area31, the first hackerspace in Minas Gerais, and an active Kali Linux community contributor.
[CB16] (P)FACE: Into Apple's Core, and an Exploit to Root by Moony Li & Jack Tang (CODE BLUE)
OS X security vulnerability research has grown in popularity as Mac devices have become popular. The OS X IOKit is exposed to many attacks from hackers, since the kernel itself and kernel extensions can be compromised across the switch from user mode. Many researchers are advancing work in this area (see the references), and we would like to share the following results from our research in this field.
1. A passive fuzzing framework with context enlightenment for detecting kernel vulnerabilities
2. An exploitation technique for occupying kernel memory from a user-mode program in order to bypass SMAP & SMEP
3. How to make use of vulnerabilities found by this fuzzing method, and a new exploitation technique for obtaining root that has succeeded twice against OS X
We introduce a new technique called PFACE: passive fuzzing with context enlightenment against the OS X IOKit. PFACE has the following features.
First, it allows deep and broad execution and detection of code paths that are condition-dependent and lead to system crashes. Second, it outputs modules that include the following. Context: indicators of suspected vulnerabilities. The indicators should be useful to reviewers as a first means of reviewing a module.
When many vulnerabilities are available, the main challenge is how to transfer ROP gadgets from a user-mode program into kernel space, because recent OS X versions enable SMAP and SMEP. The renowned security researcher Stefan Esser has proposed that OSData is a good structure for occupying kernel memory [reference section 5]. OSData is indeed a good data structure. In practice, however, there are several issues that stop OSData from working. We discovered a new method for making OSData work to occupy kernel memory from a user-mode program, and with this method we have succeeded in discovering new vulnerabilities and obtaining root on OS X (10.11.3).
In fact we have discovered many vulnerabilities that have received CVEs, and the fuzzing has produced kernel crashes. We have also established two different local privilege escalation methods using several vulnerabilities in Mac OS X (10.11.3).
--- Moony Li & Jack Tang
[CB16] WireGuard: Next Generation Abuse-Resistant Kernel Network Tunnel by Ja... (CODE BLUE)
The state of VPN protocols is not pretty, with popular options, such as IPsec and OpenVPN, being overwhelmingly complex, with large attack surfaces, using mostly cryptographic designs from the 90s. WireGuard presents a new abuse-resistant and high-performance alternative based on modern cryptography, with a focus on implementation and usability simplicity. It uses a 1-RTT handshake, based on NoiseIK, to provide perfect forward secrecy, identity hiding, and resistance to key-compromise impersonation attacks, among other important security properties, as well as high performance transport using ChaCha20Poly1305. A novel IP-binding cookie MAC mechanism is used to prevent against several forms of common denial-of-service attacks, both against the client and server, improving greatly on those of DTLS and IKEv2. Key distribution is handled out-of-band with extremely short Curve25519 points, which can be passed around in the likes of OpenSSH. Discarding the academic layering perfection of IPsec, WireGuard introduces the idea of a "cryptokey routing table", alongside an extremely simple and fully defined timer-state mechanism, to allow for easy and minimal configuration; WireGuard is actually securely deployable in practical settings. In order to rival the performance of IPsec, WireGuard is implemented inside the Linux kernel, but unlike IPsec, it is implemented in less than 4,000 lines of code, making the implementation manageably auditable. The talk will examine both the cryptography and kernel implementation particulars of WireGuard and explore an offensive attack perspective on network tunnels.
---
Jason Donenfeld
Jason Donenfeld is an independent security researcher and software developer, with a broad background of experience, well-known in both the security community and the open source world, and has pioneered several exploitation techniques. He has worked with many severe vulnerabilities in widespread software projects, including working on 0-day vulnerabilities in the Linux kernel, as well as extensive hardware reverse engineering. His security work spans advanced mathematical and geometric algorithms, cryptography, and remote exploitation.
Jason founded Edge Security (www.edgesecurity.com), a highly capable security consulting firm, with expertise in vulnerability discovery, security assessments, reverse engineering, hardened development, and physical security.
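The "cryptokey routing table" the abstract above describes ties each peer's public key to the IP ranges it may use, and that binding is enforced in both directions. The following is an added Python model of those two lookups, written for this page and not taken from WireGuard's own code: peer keys are placeholder strings rather than Curve25519 points, the table is a flat list rather than the trie a real implementation uses, and no handshake or encryption is modelled.

```python
import ipaddress


class CryptokeyRoutingTable:
    """Maps allowed-IP prefixes to peer public keys, consulted twice per packet:
    on the way out to choose the key to encrypt to, and on the way in to check
    that a decrypted packet's inner source address belongs to the peer whose
    key just authenticated it. Added example; not WireGuard's implementation."""

    def __init__(self):
        # (ip_network, peer_key) pairs; a real implementation keeps a trie.
        self._entries = []

    def add_peer(self, peer_key, allowed_ips):
        for cidr in allowed_ips:
            net = ipaddress.ip_network(cidr, strict=False)
            self._entries.append((net, peer_key))

    def lookup_peer(self, ip):
        """Outbound: longest-prefix match of the destination address, so a /32
        entry wins over a /24 which wins over a 0.0.0.0/0 default route."""
        addr = ipaddress.ip_address(ip)
        best = None
        for net, key in self._entries:
            # keep IPv4 and IPv6 apart; a v6 address never matches a v4 prefix
            if addr.version == net.version and addr in net:
                if best is None or net.prefixlen > best[0].prefixlen:
                    best = (net, key)
        return best[1] if best else None

    def accept_inbound(self, peer_key, inner_src_ip):
        """Inbound: the packet was authenticated under peer_key; accept it only
        if its inner source address routes back to that same peer. This is the
        check that stops a peer injecting traffic for addresses it was not given."""
        return self.lookup_peer(inner_src_ip) == peer_key


def example_table():
    """Constructed configuration: one host, one LAN gateway, one default-route exit."""
    table = CryptokeyRoutingTable()
    table.add_peer("PEER_A", ["10.0.0.2/32"])   # a single laptop
    table.add_peer("PEER_B", ["10.0.0.0/24"])   # gateway for the office LAN
    table.add_peer("PEER_C", ["0.0.0.0/0"])     # full-tunnel exit node
    return table


if __name__ == "__main__":
    t = example_table()
    print(t.lookup_peer("10.0.0.2"), t.lookup_peer("10.0.0.7"), t.lookup_peer("8.8.8.8"))
    # PEER_C holds the default route but still may not claim PEER_A's address
    print(t.accept_inbound("PEER_C", "10.0.0.2"))
```

The inbound check is why allowed IPs behave as an access-control list and not merely as routes: a peer's key authenticates the packet, and the table then decides which source addresses that key is entitled to speak for. With overlapping prefixes the most specific entry owns the address, so the exit node with 0.0.0.0/0 cannot spoof the laptop's /32.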
[CB16] Esoteric Web Application Vulnerabilities by Andrés Riancho (CODE BLUE)
In this talk I will take a detailed look at esoteric web application vulnerabilities. These vulnerabilities can be missed by the quick vulnerability assessments many security consultants perform, and they can lead to remote code execution, authentication bypass, or buying a shop's goods through PayPal without actually paying.
SQL injection is dead, but I don't care. Let's explore the world of null, nil and NULL, NoSQL injection, Host header injection leading to phone call interception, PayPal double spending, and remote code execution in the Rails Message Verifier.
--- Andrés Riancho
Andrés Riancho is an application security expert who currently leads the community-driven, open-source w3af project and provides in-depth web application penetration testing services to companies around the world.
In the research field, he has discovered critical vulnerabilities in IPS appliances from 3Com and ISS, contributed to SAP research conducted by one of his former employers, and reported vulnerabilities in hundreds of web applications.
His focus has always been the field of web application security, which led him to develop w3af, a web application attack and audit framework widely used by penetration testers and security consultants. Andrés has spoken and given trainings at many security conferences around the world, including BlackHat (USA and Europe), SEC-T (Sweden), DeepSec (Austria), OWASP World C0n (USA), CanSecWest (Canada), PacSecWest (Japan), T2 (Finland) and Ekoparty (Buenos Aires).
In 2009 Andrés founded Bonsai Information Security, a consultancy specialising in web security, to further research automated web application vulnerability detection and exploitation.
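NoSQL injection, one of the classes on the abstract's list, usually means operator injection: a JSON request body is parsed into objects and dropped straight into a document-store query, so a client can replace a string with an operator expression. The following added Python example, which is not from the talk, shows the bug beside its fix. The tiny `matches` function, the operators it supports, the user record and the request bodies are all constructed for the illustration; no database is involved.

```python
import json

# Constructed user store; a real application would hold a password hash.
USERS = [{"username": "admin", "password": "correct horse battery staple"}]


def matches(doc, query):
    """Evaluate a MongoDB-style filter the way a document store would: a plain
    value means equality, a dict of $-operators is an operator expression.
    Only $ne and $gt are modelled here (constructed subset for the example)."""
    for field, cond in query.items():
        value = doc.get(field)
        if isinstance(cond, dict):
            for op, arg in cond.items():
                if op == "$ne":
                    if value == arg:
                        return False
                elif op == "$gt":
                    if value is None or not value > arg:
                        return False
                else:
                    raise ValueError("unsupported operator " + op)
        elif value != cond:
            return False
    return True


def login_unsafe(body_json):
    """The bug: the parsed body goes straight into the query. A body of
    {"username": "admin", "password": {"$ne": ""}} turns the equality check
    into 'password is not the empty string', which every real password passes."""
    body = json.loads(body_json)
    query = {"username": body["username"], "password": body["password"]}
    return any(matches(user, query) for user in USERS)


def login_safe(body_json):
    """The fix: enforce the type before the value reaches the query. Operators
    are only recognised inside objects, and a str can never become one."""
    body = json.loads(body_json)
    username, password = body.get("username"), body.get("password")
    if not isinstance(username, str) or not isinstance(password, str):
        return False
    query = {"username": username, "password": password}
    return any(matches(user, query) for user in USERS)


if __name__ == "__main__":
    attack = '{"username": "admin", "password": {"$ne": ""}}'
    print("unsafe:", login_unsafe(attack), "safe:", login_safe(attack))
```

The same type check belongs on every field that comes from the client, not only credentials; any place a parsed object is allowed where a scalar was intended is a potential operator injection. The check is about query shape only and says nothing about how the password itself should be stored or compared.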
[CB16] Keynote: How much security is too much? by Karsten Nohl (CODE BLUE)
Based on one decade of impactful security research and several years as a risk manager, Karsten Nohl reflects upon what he would have done differently in pushing a data security agenda.
Our community is convinced that stellar IT security is paramount for companies large and small: We need security for system availability, for brand reputation, to prevent fraud, and to keep data private. But is more security always better?
Poorly chosen protection measures can have large externalities on the productivity, innovation capacity, and even happiness of organizations. Can too much security be worse than too little security?
This talk investigates the trade-off between security and innovation along several examples of current security research. It finds that some hacking research is counter-productive in bringing the most security to most people, by spreading fear too widely.
---
Karsten Nohl
Karsten Nohl has spoken widely on security gaps since 2006. He and co-investigators have uncovered flaws in mobile communication, payment, and other widely-used infrastructures. In his work at an Asian 4G and digital services provider, and as Chief Scientist at Security Research Labs in Berlin, a risk management think tank specializing in emerging IT threats, Karsten challenges security assumptions in proprietary systems and is fascinated by the security-innovation trade-off. Hailing from the Rhineland, he studied electrical engineering in Heidelberg and earned a doctorate in 2008 from the University of Virginia.
[CB16] Using the CGC's fully automated vulnerability detection tools in secur... (CODE BLUE)
End users' requirements for secure IT products keep increasing in environments that directly affect human life and industry, such as IoT and CPS. Because vendors and end users sell or buy products on the basis of trustworthy, objective security evaluation results, the role of security evaluation is important. Security evaluation is divided into two parts: evaluation at the design level, such as ISO/IEC 29128 (Verification of Cryptographic Protocols), and evaluation at the post-implementation level, such as ISO/IEC 15408 (Common Criteria). Both of these standards, ISO/IEC 29128 and ISO/IEC 15408, advise the use of formal verification and automated tools when a high assurance level is required for the target product.
For a long time, vulnerability detection using automated tools has been attempted and studied by many security researchers and hackers, and recently, with DARPA's CGC (Cyber Grand Challenge), research into automated vulnerability detection has become more active than ever in the hacking community. But too many tools are being developed continually, and each tool usually has its own purpose, so it is hard to achieve the ultimate goal of security evaluation effectively and to verify evaluation results.
Furthermore, there are no references for categorizing automated tools from the perspective of security evaluation. So in this presentation we will list, categorize and analyze the automated tools for vulnerability detection and present our results, such as pros and cons, purpose and effectiveness.
-- InHyuk Seo
My name is Inhyuk Seo (nick: inhack). I graduated with a B.S. in Computer Science and Engineering from Hanyang University (ERICA) in 2015. Now I'm a researcher and M.S. student at the SANE (Security Analysis aNd Evaluation) Lab at Korea University. I'm interested in programming languages, software testing, machine learning and artificial intelligence.
In 2012, I completed high-quality information security education course “the Best of the Best(BoB)” hosted by KITRI(Korea Information Technology Research Institute) and conducted “Exploit Decoder for Obfuscated Javascript” Project.
I participated in many projects related with vulnerability analysis. I conducted “Smart TV Vulnerability Analysis and Security Evaluation” and “Developing Mobile Security Solution(EAL4) for Military Environment ”. Also, I participated in vulnerability analysis project for IoT products of various domestic tele-communications.
-- Jisoo Park
Jisoo Park graduated from Dongguk University with a B.S. in Computer Science and Engineering. He participated in a secure coding research project in the Programming Language Lab and at KISA (Korea Internet & Security Agency). He worked as a software QA tester at the anti-virus company AhnLab. He also completed the high-quality information security education course "Best of the Best" hosted by KITRI (Korea Information Technology Research Institute) and conducted security consulting for a car sharing service company.
Now, Jisoo Park is a
Black Hat USA 2015 Survey Report (FFRI Monthly Research 201508) (FFRI, Inc.)
This document summarizes security research presented at the Black Hat USA 2015 conference. Several talks demonstrated remote attacks against vehicles, including exploiting vulnerabilities in Chrysler Jeeps and Tesla Model S vehicles. Other research targeted IoT devices, like hacking a Linux-powered rifle and exploiting vulnerabilities in ZigBee wireless protocols. Additional briefings covered mobile and malware attacks, like exploiting the TrustZone security architecture on Android and using return-oriented programming for antivirus evasion. The document provides high-level overviews and comments on many of the featured talks from Black Hat USA 2015 and related conferences.
Internet of Things Security: IBM HorizonWatch 2016 Trend Brief (Bill Chamberlin)
The slides provide a quick overview of the IoT Security trend. The slides provide summary information, a list of trends to watch and links to additional resources
Open Source Insight: Auto Security & Hackers, Killer Robots, & Containers Gon... (Black Duck by Synopsys)
According to the Linux Foundation’s 2017 Open Source Jobs Report, 89% of hiring managers are finding it difficult to find talent with open source expertise. Black Duck technical evangelist Tim Mackey explores how good containers go bad in a freewheeling interview with Linux.com.
IOactive and UBTech Robotics face off on “killer robot” claims and the UK Department for Transport and the Alliance for Telecommunications Industry Solutions issue connected car cybersecurity proposals.
All this and more cybersecurity and open source security news in this week’s edition of Open Source Insight.
Open Source Insight: Who Owns Linux? TRITON Attack, App Security Testing, Fut... (Black Duck by Synopsys)
We look at the three reasons you must attend the FLIGHT Amsterdam conference; how to build outstanding projects in the open source community; and why isn’t every app being security tested? Plus, in-depth into the TRITON attack; why 2018 is the year of open source; how open source is driving both IoT and AI and a webinar on the 2018 Open Source Rookies of the Year.
Open Source Insight is your weekly news resource for open source security and cybersecurity news!
Latest Security Reports of Automobile and Vulnerability Assessment by CVSS v3... (FFRI, Inc.)
•Automobile security is a hot topic at many conferences.
•Cyber security measures are essential for automobiles.
•Against this background, we summarize the following topics.
–Presentations at conferences other than Black Hat USA 2015 and DEF CON 23.
–An introduction to vulnerability assessment methods for automobile security using CVSS v3.
Web Application Testing for Today's Biggest and Emerging Threats (Alan Kan)
The document discusses emerging threats to web applications and strategies for testing applications to identify vulnerabilities. It finds that nearly half of all vulnerabilities are in web applications, with cross-site scripting and SQL injection being most common. Many vulnerabilities have no patches available yet. New attack types like client-side vulnerabilities are also emerging. The document advocates integrating security testing into the development process to help developers write more secure code and find issues early.
apidays LIVE New York 2021 - Playing with FHIR without getting burned by Dav... (apidays)
apidays LIVE New York 2021 - API-driven Regulations for Finance, Insurance, and Healthcare
July 28 & 29, 2021
Playing with FHIR without getting burned
David Stewart, CEO at Approov
Unicom Conference - Mobile Application Security (Subho Halder)
Mobile adoption is strategic in every industry today. Although it can be a great catalyst for growth, the security risks that come with it cannot be overlooked. Even though this is well established, many companies are still not following mobile application security best practices. The goal of this talk is to raise awareness of application security by identifying some of the most critical risks organizations face during development. We will cover everything from the basic OWASP Top 10 security issues to live demos of different use-case scenarios showing how a hacker can hack your application, and how to prevent it.
apidays LIVE Singapore 2021 - Why verifying user identity Is not enough In 20... (apidays)
apidays LIVE Singapore 2021 - Digitisation, Connected Services and Embedded Finance
April 21 & 22, 2021
Why Verifying User Identity Is Not Enough in 2021
David Stewart, CEO of Approov
The document discusses the threats posed by the growing Internet of Things (IoT), noting that IoT devices are vulnerable to life-threatening hacking, as illustrated by examples of medical devices, cars, and industrial systems being hacked. It warns that the majority of IoT devices have vulnerabilities that could be exploited by criminals, and stresses the importance of implementing security controls like firewalls, encryption, access controls and regular security updates to protect IoT devices and prevent threats to confidentiality, integrity and availability. It recommends conducting regular risk assessments, penetration testing and security training to help secure organizations' IoT environments.
Open Source Insight: Hospital, Medical Devices, Banking, and Automotive Cyber... (Black Duck by Synopsys)
A wide spectrum of cybersecurity and open source security news in this week's Open Source Insight, including the need for hospitals to ramp up their cybersecurity efforts; the need to include open source security in any plan to secure medical devices; a major data breach at the Italian bank UniCredit; two Black Duck executives sharing their views on open source security in video interviews; and why the automotive industry may be close to an iPhone moment.
IRJET - System to Identify and Define Security Threats to the users About The... (IRJET Journal)
The document describes a proposed system called "MobiSecure" that would identify and define security threats from illegitimate installed applications on Android devices. It aims to scan a device's memory for applications downloaded from unknown sources that could enable cyberattacks. The system would detect such applications, inform the user, and allow deleting the application to mitigate risks. It has modules for scanning devices, displaying results with threat descriptions, and removing flagged applications. The system architecture is designed to identify malware-containing applications installed without user knowledge to help decrease cyber threats.
Enable best-of-breed security testing for enterprise, web and mobile applications
• Facilitate application security testing for your customers at the appropriate stage of their development lifecycle
• Identify security vulnerabilities such as SQL injection and cross-site scripting (XSS)
• Automate correlation of static, dynamic and interactive application security testing results
• Deliver detailed reporting to your customers that summarises security vulnerabilities, assesses potential risk and offers remediation tactics
The document proposes a "Smart CAN Cable" as a new in-vehicle security measure for connected vehicles. The Smart CAN Cable would identify compromised ECUs on the CAN bus network. Each connector on the cable would record frames from the connected ECU and check for illegal frames. When an IDS detects an illegal frame, it asks the connectors if they have a matching frame. The connector receiving from the ECU that sent the illegal frame is then identified as compromised. The Smart CAN Cable could then cut off communication from that ECU to isolate the threat. This allows compromised ECUs to be identified and addressed, which current security measures cannot do.
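The locate-and-isolate flow described above, as an added Python model written for this page rather than taken from the document: a bus-level IDS flags a frame it considers illegal, the cable asks every connector whether it forwarded that exact frame, and the connector that did is told to cut its ECU off. Because CAN frames carry no sender identity, the IDS alone cannot say which ECU transmitted a forgery; only the per-connector record can. The ECU names, arbitration IDs, the minimum-period rule the IDS applies and the frame timeline are all constructed for the illustration.

```python
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class CanFrame:
    arb_id: int     # CAN arbitration ID; says nothing about who sent it
    data: bytes     # payload, up to 8 bytes on classic CAN
    ts_ms: int      # time the frame appeared on the bus


class Connector:
    """One connector on the cable: sits between a single ECU and the bus,
    records what that ECU transmits, and can cut the ECU off."""

    def __init__(self, ecu_name, history=64):
        self.ecu_name = ecu_name
        self.sent = deque(maxlen=history)   # recent frames from this ECU only
        self.blocked = False

    def transmit(self, frame):
        """Forward a frame from the attached ECU to the bus; None if cut off."""
        if self.blocked:
            return None
        self.sent.append(frame)
        return frame

    def has_frame(self, frame):
        return frame in self.sent


class Ids:
    """Bus-level IDS. Sees every frame but cannot tell which ECU sent it.
    Constructed rule set: a frame is illegal if its ID is not expected on this
    bus, or if it repeats sooner than that ID's minimum period. Only legal
    frames update the timer, so a burst of forgeries does not also make the
    genuine periodic frame look illegal."""

    def __init__(self, min_period_ms):
        self.min_period_ms = min_period_ms   # arb_id -> minimum gap in ms
        self.last_legal = {}

    def is_illegal(self, frame):
        period = self.min_period_ms.get(frame.arb_id)
        if period is None:
            return True
        last = self.last_legal.get(frame.arb_id)
        if last is not None and frame.ts_ms - last < period:
            return True
        self.last_legal[frame.arb_id] = frame.ts_ms
        return False


class SmartCanCable:
    def __init__(self, connectors, ids):
        self.connectors = {c.ecu_name: c for c in connectors}
        self.ids = ids
        self.bus = []        # frames that actually reached the bus
        self.isolated = []   # ECUs cut off so far

    def locate(self, frame):
        """Ask every connector whether it forwarded this exact frame."""
        return [c.ecu_name for c in self.connectors.values() if c.has_frame(frame)]

    def on_ecu_transmit(self, ecu_name, frame):
        """ecu_name identifies the physical connector, not anything in the frame."""
        forwarded = self.connectors[ecu_name].transmit(frame)
        if forwarded is None:
            return "dropped"
        self.bus.append(forwarded)
        if not self.ids.is_illegal(forwarded):
            return "ok"
        culprits = self.locate(forwarded)
        for name in culprits:
            self.connectors[name].blocked = True
            self.isolated.append(name)
        return "isolated:" + ",".join(culprits)


def run_scenario():
    """Constructed timeline: engine and brake ECUs send periodic frames; a
    compromised telematics unit forges the engine's ID 0x100 between them."""
    ids = Ids({0x100: 100, 0x200: 100})
    cable = SmartCanCable([Connector("engine"), Connector("brake"), Connector("telematics")], ids)
    timeline = [
        ("engine", CanFrame(0x100, b"\x0b\xb8", 0)),
        ("brake", CanFrame(0x200, b"\x00", 0)),
        ("engine", CanFrame(0x100, b"\x0b\xb8", 100)),
        ("telematics", CanFrame(0x100, b"\xff\xff", 130)),   # forgery, 30 ms after the real one
        ("engine", CanFrame(0x100, b"\x0b\xb8", 200)),
        ("telematics", CanFrame(0x100, b"\xff\xff", 230)),   # never reaches the bus
    ]
    results = [cable.on_ecu_transmit(ecu, frame) for ecu, frame in timeline]
    return cable.isolated, results, len(cable.bus)


if __name__ == "__main__":
    print(run_scenario())
```

The forged frame does reach the bus once before the cable reacts, which is inherent to detect-then-isolate; what the cable adds over a plain IDS is the second step, attributing the frame to a physical connector so the rest of the network is not cut off along with the attacker. A real deployment needs a far richer rule set than one minimum period per ID, and the per-connector history has to be long enough to still hold the frame by the time the IDS asks.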
Current state of automotive network security (FFRI, Inc.)
Many electronic devices are used in automobiles. These devices are connected to each other and communicate to control the vehicle. In recent years the automotive network has been connected to smartphones and the internet, which gives rise to new threats. These slides summarize how automotive network security has developed so far and what is expected in the way of incoming threats.
Mobile security is one of the most important aspects of keeping our data secure from external attacks such as phishing, data theft and many others, which can have very disastrous effects and may even lead to social disturbance, since an individual's private data can be made public by the attackers.
Black Hat Asia 2016 Survey Report (FFRI Monthly Research 2016.4) (FFRI, Inc.)
The document summarizes key presentations from Black Hat Asia 2016 on mobile, IoT, and Windows security. It discusses research on detecting Android commercial spyware, demonstrating iOS malware techniques on non-jailbroken phones, mapping vulnerabilities in wireless IoT devices, hacking a professional drone via MITM attacks, and a novel Windows DSC attack framework to persistently infect systems. The document provides context and the researcher's comments on each presentation.
The document summarizes the latest issue of the (IN)SECURE magazine. It includes articles on administrative Nmap scripting, evil applications of augmented reality, social engineering attacks, and more. It also announces that the next RSA Conference Europe will take place in London next month. Contact information is provided for the magazine editors and information on how to freely distribute the magazine is given.
This document discusses Trend Micro and its IoT security solution. It provides background on Trend Micro as a company founded in 1989 with over 5,000 employees globally. It then discusses the growing threat of IoT attacks and how the Trend Micro IoT Security solution provides security across the entire IoT device lifecycle from the device level to the cloud. Key capabilities of the solution include anomaly detection, vulnerability detection, and integrating with platforms like AWS Greengrass to enable secure edge computing.
Similar to [CB16] Security in the IoT World: Analyzing the Security of Mobile Apps for Automobiles by Naohide Waguri
[cb22] Hayabusa Threat Hunting and Fast Forensics in Windows environments fo... (CODE BLUE)
It started with computer hacking and Japanese linguistics as a kid. Zach Mathis has been based in Kobe, Japan, and has performed both red team services and blue team incident response and defense consultation for major global Japanese corporations since 2006. He is the founder of Yamato Security, one of the largest and most popular hands-on security communities in Japan, and has been providing free training since 2012 to help improve the local security community. Since 2016 he has been teaching security for the SANS Institute and holds numerous GIAC certifications. Currently, he is working with other Yamato Security members to provide free and open-source security tools to help security analysts with their work.
[cb22] Tales of 5G hacking by Karsten Nohl (CODE BLUE)
An expert in mobile network security provided a summary of hacking 5G networks. Some key points include:
1) Standard IT security techniques uncovered issues when applied to upgraded legacy 4G networks, such as unpatched operating systems, weak configurations, and lack of encryption.
2) Future 5G networks introduce new security risks due to increased complexity from virtualization and automation layers, as well as a continuously evolving attack surface extending into cloud infrastructure.
3) Red team exercises show that hacking mobile networks has become a multi-step process, where initial access through one vulnerability can enable lateral movement and privilege escalation to compromise critical systems or customer data.
[cb22] Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A... (CODE BLUE)
Printers have become one of the essential devices on the corporate intranet over the past few years, and their functionality has also increased significantly. Beyond printing and faxing, cloud printing services like AirPrint are supported as well to make them easier to use. Direct printing from mobile devices is now a basic requirement in the IoT era. We also use printers for internal business documents, which makes keeping them safe even more important.
Nowadays, most printers on the market do not have to be connected over USB or a traditional cable. As long as a LAN cable connects them to the intranet, a computer can find and use the printer immediately. Most of them rely on protocols such as SLP and LLMNR. But is it really safe when vendors adopt those protocols? Furthermore, many printers do not run a traditional Linux system but an RTOS (Real-Time Operating System) instead; how does this affect the attacker?
In this talk, we will use the Canon imageCLASS MF644Cdw and the HP Color LaserJet Pro MFP M283fdw as case studies, showing how to analyze the printer and gain control of it. We will also demonstrate how to use the vulnerabilities to achieve RCE on the RTOS without authentication.
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter... (CODE BLUE)
While hackers have known for years how important sharing research is to improving security, the importance of coordinated vulnerability disclosure is increasingly recognized by governments around the world. The principles of disclosure and of protecting security researchers are common across borders, but different countries have some key differences. This panel will present a global perspective that may in turn inform public policy and company behavior.
ENISA published 'Coordinated Vulnerability Disclosure policies in the EU' in April 2022. This report not only provides an objective introduction to the current state of coordinated vulnerability disclosure policies in the Member States of the European Union, but also introduces the operation of vulnerability disclosure in China, Japan and the USA. Based on these findings, the desirable and good-practice elements of a coordinated vulnerability disclosure process are examined, followed by a discussion of the challenges and issues.
This session aims to share the contents of this report and clarify the challenges and future direction of operations in Japan, as well as national security and vulnerability handling issues in the US, in a panel discussion with representatives from various jurisdictions.
The panelists are involved in the practice of early warning partnership notified bodies in Japan, the authors of the above report in Europe and the contributors to the above report in the US.
In Japan, the issues of system awareness, incentives, increase in the number of outstanding cases in handling and so-called triage in handling vulnerabilities will be introduced.
From the United States, the Vulnerabilities Equities Process for National Security and the publication of a non-prosecution policy for vulnerability research will be introduced, as well as a historical background on the issue.
The aim is that the panel discussion will enable the audience to understand the international situation surrounding CVD, as well as future trends, in particular the important role of vulnerability in cybersecurity and the challenges faced by society around it.
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...CODE BLUE
While hackers have known the importance of sharing research to improve security for years, the importance of coordinated vulnerability disclosure is increasingly recognized by governments around the world. The principals of disclosure an protecting security researchers are common across borders, but different countries have some key differences. This panel will present a global perspective that may in turn inform key public policy and company behavior.
ENISA has published 'Coordinated Vulnerability Disclosure policies in the EU' in April 2022 . This report not only provides an objective introduction to the current state of coordinated vulnerability disclosure policies in the Member States of the European Union, but also introduces the operation of vulnerability disclosure in China, Japan and the USA. Based on these findings, the desirable and good practice elements of a coordinated vulnerability disclosure process are examined, followed by a discussion of the challenges and issues.
This session aims to share the contents of this report and clarify the challenges and future direction of operations in Japan, as well as national security and vulnerability handling issues in the US, in a panel discussion with representatives from various jurisdictions.
The panelists are involved in the practice of early warning partnership notified bodies in Japan, the authors of the above report in Europe and the contributors to the above report in the US.
In Japan, the issues of system awareness, incentives, increase in the number of outstanding cases in handling and so-called triage in handling vulnerabilities will be introduced.
From the United States, the Vulnerabilities Equities Process for National Security and the publication of a non-prosecution policy for vulnerability research will be introduced, as well as a historical background on the issue.
[cb22] ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...CODE BLUE
While hackers have known the importance of sharing research to improve security for years, the importance of coordinated vulnerability disclosure is increasingly recognized by governments around the world. The principals of disclosure an protecting security researchers are common across borders, but different countries have some key differences. This panel will present a global perspective that may in turn inform key public policy and company behavior.
The aim is that the panel discussion will enable the audience to understand the international situation surrounding CVD, as well as future trends, in particular the important role of vulnerability in cybersecurity and the challenges faced by society around it.
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...CODE BLUE
Yuuma Taki is enrolled in the Faculty of Information Media at Hokkaido Information University (4th year).
At university he is focusing on learning about security for lower-level components, such as the OS and CPU. In his third year of undergraduate school, he worked on implementing the OS security mechanism "KASLR" at SecHack365.
Currently, he is learning about ROP-derived techniques and embedded equipment security.
[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...CODE BLUE
In October 2021, we published the first analysis of Wslink – a unique loader likely linked to the Lazarus group. Most samples are packed and protected with an advanced virtual machine (VM) obfuscator; the samples contain no clear artifacts and we initially did not associate the obfuscation with a publicly known VM, but we later managed to connect it to CodeVirtualizer. This VM introduces several additional obfuscation techniques such as insertion of junk code, encoding of virtual operands, duplication of virtual opcodes, opaque predicates, merging of virtual instructions, and a nested VM.
Our presentation analyzes the internals of the VM and describes our semi-automated approach to "see through" the obfuscation techniques in reasonable time. We demonstrate the approach on some bytecode from a protected sample and compare the results with a non-obfuscated sample, found subsequent to starting our analysis, confirming the method's validity. Our solution is based on a known deobfuscation method that extracts the semantics of the virtual opcodes, using symbolic execution with simplifying rules. We further treat the bytecode chunks and some internal constructs of the VM as concrete values instead of as symbolic ones, enabling the known deobfuscation method to deal with the additional obfuscation techniques automatically.
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...CODE BLUE
Kimsuky is a North Korean APT possibly controlled by North Korea's Reconnaissance General Bureau. Based on reports from the Korea Internet & Security Agency (KISA) and other vendors, TeamT5 identified that Kimsuky's most active group, CloudDragon, built a workflow functioning as a "Credential Factory," collecting and exploiting these massive credentials.
The credential factory powers CloudDragon to start its espionage campaigns. CloudDragon's campaigns have aligned with DPRK's interests, targeting the organizations and key figures playing a role in the DPRK relationship. Our database suggested that CloudDragon has possibly infiltrated targets in South Korea, Japan, and the United States. Victims include think tanks, NGOs, media agencies, educational institutes, and many individuals.
CloudDragon's "Credential Factory" can be divided into three small cycles, the "Daily Cycle," the "Campaign Cycle," and the "Post-exploit Cycle." The "Daily Cycle" collects massive numbers of credentials and uses the stolen credentials to accelerate its APT life cycle.
In the "Campaign Cycle," CloudDragon develops many new malware families. While we responded to CloudDragon's incidents, we found that the actor still relied on BabyShark malware. CloudDragon once used BabyShark to deploy a new browser-extension malware targeting victims' browsers. Moreover, CloudDragon is also developing a shellcode-based malware, Dust.
In the "Post-exploit Cycle," the actor relied on hacking tools rather than malicious backdoors. We also identified that the actor used remote desktop software to prevent detection.
In this presentation, we will go through some of the most significant operations conducted by CloudDragon, and more importantly, we will provide possible scenarios of future invasions for defense and detection.
[cb22] From Parroting to Echoing: The Evolution of China’s Bots-Driven Info...CODE BLUE
Social media is no doubt a critical battlefield for threat actors to launch InfoOps, especially in a critical moment such as wartime or the election season. We have seen Bot-Driven Information Operations (InfoOps, aka influence campaigns) attempt to spread disinformation, incite protests in the physical world, and dox journalists.
China's Bots-Driven InfoOps, despite operating on a massive scale, are often considered to have low impact and very little organic engagement. In this talk, we will share our observations on these persistent Bots-Driven InfoOps and dissect their harmful disinformation campaigns circulated in cyberspace.
In the past, most bots-driven operations simply parroted narratives of the Chinese propaganda machine, mechanically disseminating the same propaganda and disinformation artifacts made by Chinese state media. However, recently we saw newly created bots turn to posting artifacts in a livelier manner. They utilized various tactics, including reposting screenshots of forum posts and disguising themselves as members of the "Milk Tea Alliance," to create a false appearance that such content is being echoed across cyberspace.
We particularly focus on an ongoing Chinese bots-driven InfoOps campaign targeting Taiwan, which we dub "Operation ChinaRoot." Starting in mid-2021, the bots have been disseminating manipulated information about Taiwan's local politics and Covid-19 measures. Our further investigation has also identified the linkage between Operation ChinaRoot and other Chinese state-linked networks such as DRAGONBRIDGE and Spamouflage.
[cb22] Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...CODE BLUE
Malware written in Go is increasing every year. Go's cross-platform nature makes it an opportune language for attackers who wish to target multiple platforms. On the other hand, the statically linked libraries make it difficult to distinguish between user functions and library code, which makes analysis harder. This situation has increased the demand for Go malware classification and exploration.
In this talk, we will demonstrate the feasibility of computing similarity and classification of Go malware using a newly proposed method called gimpfuzzy. We have implemented "gimpfuzzy", which incorporates Fuzzy Hashing into the existing gimphash method. In this talk, we will verify the discrimination rate of the classification using the proposed method and confirm the validity of the proposed method by discussing some examples from the classified results. We will also discuss issues in Go-malware classification.
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...CODE BLUE
This document discusses the results of long-term scanning and analysis of Winnti 4.0 and ShadowPad malware command-and-control (C2) protocols. It finds that Winnti 4.0 C2s primarily use TLS, HTTPS, and HTTP, while ShadowPad variants primarily use TCP, HTTPS, and HTTP. Analysis of the protocols reveals encryption methods, packet structures, and server-side functionality. Over time, the number and distribution of active C2s changed, likely in response to research publications and incident response actions. The document also discusses anonymization techniques and the merits and risks of future research publications.
[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...CODE BLUE
We are swamped with new types of malware every day. The goal of malware analysis is not to reveal every single detail of the malware. It is more important to develop tools for efficiency or introduce automation to avoid repeating the same analysis process. Therefore, malware analysts usually actively develop tools and build analysis systems. On the other hand, it costs a lot for such tool developments and system maintenance. Incident trends change daily, and malware keeps evolving. However, it is not easy to keep up with new threats. Malware analysts spend a long time maintaining their analysis systems, and it results in reducing their time for necessary analysis of new types of malware.
To solve these problems, we incorporate DevOps practices into malware analysis to reduce the cost of system maintenance by using CI/CD and Serverless. This presentation shares our experience on how CI/CD, Serverless, and other cloud technologies can be used to streamline malware analysis. Specifically, the following case studies are discussed.
* Malware C2 Monitoring
* Malware Hunting using Cloud
* YARA CI/CD system
* Malware Analysis System on Cloud
* Memory Forensic on Cloud
Through the above case studies, we will share the benefits and tips of using the cloud and show how to build a similar system using Infrastructure as Code (IaC). The audience will learn how to improve the efficiency of malware analysis and build a malware analysis system using Cloud infrastructure.
[CB16] Security in the IoT World: Analyzing the Security of Mobile Apps for Automobiles by Naohide Waguri
1. Security in the IoT World: Analyzing the Security of Mobile Apps for Automobiles
Naohide Waguri, FFRI, Inc. (waguri@ffri.jp)
October 21, 2016, CODE BLUE 2016
2. Who am I?
• I previously worked as a network engineer (software QA, software development).
• My current job is investigating and researching automotive security.
• I talked about Windows 10 IoT Core at CODE BLUE 2015.
• I build CAN transceivers and diagnostic tools as a hobby (to repair my cars…).
3. Internet of Things (IoT)
• Several years have passed since use of this term started.
• A wide variety of devices are now connected to the Internet.
• The growth rate is particularly high in sectors related to human life, such as the automotive, industrial, and medical sectors.
Source: excerpt from the Ministry of Internal Affairs and Communications, FY2015 White Paper on Information and Communications in Japan (data: IHS Technology)
4. Current State of Automotive Security
• There are two entry points for researching and investigating attacks on automobiles:
  (1) Message injection to (CAN) buses
  (2) Exploiting vulnerabilities in systems (or devices) connected to the Internet
• We will talk about entry point (2). But first of all, a little about entry point (1).
8. Current State of Automotive Security: Message injection to (CAN) buses
• In most cases, the target of this entry point is a diagnostic port.
• Now, diagnostic ports are also used for various applications other than maintenance.
For example, owners intentionally connect OBD-II dongles to their vehicles. They need to pay attention before connecting a dongle to their vehicle, because the security level of the vehicle decreases if the device is vulnerable or malicious. We recommend the use of devices from reliable manufacturers and developers.
9. Current State of Automotive Security: Messages (injection) from a device added to the bus
• I disassembled an OBD-II dongle sold at popular online shops and auctions. I found that it was a FAKE, because it was using a microcontroller different from the one in the item description… (chips labeled in the photo: ELM327, PIC18)
• Also, the Bluetooth PIN cannot be changed…
• The threat classification can change from "Physical" to "Adjacent" if a vulnerable or malicious dongle is connected.
10. Current State of Automotive Security
• There are two entry points for researching and investigating attacks on automobiles: message injection to (CAN) buses, and exploiting vulnerabilities in systems (or devices) connected to the Internet.
• Here is the main subject: exploiting vulnerabilities in systems (or devices) connected to the Internet.
11. Current State of Automotive Security
• The most famous case of a threat to a connected car…
Source: https://www.wired.com/wp-content/uploads/2015/07/150701_car_hackers_43-vscocam-photo-1.jpg
12. Current State of Automotive Security
• A recent case…
Source: http://keenlab.tencent.com/en/2016/09/19/Keen-Security-Lab-of-Tencent-Car-Hacking-Research-Remote-Attack-to-Tesla-Cars/
13. Current State of Automotive Security
Timeline of reported cases from 2015 to 2016 (Aug, Oct, Feb, Jun). Sources:
• Samy Kamkar, "Drive It Like You Hacked It: New Attacks and Tools to Wirelessly Steal Cars", DEFCON 23, https://www.youtube.com/watch?v=3olXUbS-prU
• Jianhao Liu, Jason Yan, "Car Hacking: Witness Theory to Scary and Recover From Scare", SyScan360 2015, https://www.syscan360.org/en/archives/
• Pen Test Partners LLP, https://www.youtube.com/watch?v=NSioTiaX_-Q
• Troy Hunt, https://www.youtube.com/watch?v=Nt33m7G_42Q
14. Motivation
• Vulnerabilities in systems where an "automobile is part of the IoT" have been reported one after another since 2015.
• These threats are not as serious as the "Jeep Hack" vulnerability, but…
  ・ Personal information is stolen by attackers.
  ・ Vehicle position and travel history are stolen by attackers.
  ・ Doors are unlocked by attackers, allowing vandalism of cars.
• These are threats to the (information) assets of the vehicle owner.
18. Investigation Target and Goal
Phase 0: Collect apps that integrate with the services provided by each OEM.
Phase 1: Create a report on each app using AndroBugs.
19. What is AndroBugs?
• AndroBugs is a vulnerability scanner for Android apps that was presented at Black Hat EUROPE 2015 by Mr. Yu-Cheng Lin.
• A system that helps find actual security vulnerabilities in Android apps.
• Open source and written in Python.
• A static analysis tool that consumes an Android APK (no source code needed).
• Scans for "known common coding vulnerabilities".
• Designed for massive analysis and for finding bugs efficiently.
• You can easily extend it with new features or vulnerability vectors.
Source: https://www.blackhat.com/docs/eu-15/materials/eu-15-Lin-Androbugs-Framework-An-Android-Application-Security-Vulnerability-Scanner.pdf
20. Investigation Target and Goal
Phase 0: Collect apps that integrate with the services provided by each OEM.
Phase 1: Create a report for each app using AndroBugs.
Phase 2: Analyze the analysis report for each app. Understand the security level of the apps provided by OEMs and consider necessary corrective measures.
21. Typical Risks in Mobile Apps
OWASP Mobile Top 10 Risks (2016 RC):
M1 – Improper Platform Usage
M2 – Insecure Data Storage
M3 – Insecure Communication
M4 – Insecure Authentication
M5 – Insufficient Cryptography
M6 – Insecure Authorization
M7 – Client Code Quality
M8 – Code Tampering
M9 – Reverse Engineering
M10 – Extraneous Functionality
Source: https://www.owasp.org/index.php/Mobile_Top_10_2016-Top_10
23. Overview: M1 – Improper Platform Usage
• Platform security controls are improperly used, such as the scope of public activities or fragment activity handling.
• Example: The app will crash with a security exception if fragment injection occurs, because an activity class that inherits from PreferenceActivity does not override isValidFragment().
• Among the three vulnerability risks (M1 to M3), this was the second most detected by AndroBugs. However, our investigation did not find any actual vulnerabilities of this kind.
25. Overview: M2 – Insecure Data Storage
• Sensitive data is handled insecurely by saving it to external storage, outputting it to logs, etc.
• Examples: Outputting transmission data that contains sensitive information to the debug log. Using MODE_WORLD_READABLE/MODE_WORLD_WRITEABLE, which enables access from other apps, when getting a SharedPreferences instance.
• Among the three vulnerability risks, this was the least detected by AndroBugs, and our investigation did not find any actual vulnerabilities of this kind.
27. Overview: M3 – Insecure Communication
• Man-in-the-middle (MITM) attacks become possible because SSL/TLS communication is implemented incorrectly. Many cases have been reported where verification of the server certificate is skipped.
• Examples: Skipping hostname verification. Implementing a custom (empty) TrustManager in order to skip certificate validation.
• Among the three vulnerability risks, this was the most detected by AndroBugs. In addition, we confirmed apps that were actually vulnerable.
30. Example of Vulnerabilities Found – Case 1: HTTP communication that contains user information
• One activity loads an HTTP URL into a WebView.
• The URL posts user information to the server in clear text.
• The other URLs on the same host use HTTPS, so this might be based on some policy, but…
31. (Screenshot) The other URLs are using HTTPS (all on the same host), but this one is using HTTP…
32. Example of Vulnerabilities Found – Case 2: Server certificate validation flaw
Sources: https://www.ipa.go.jp/about/press/20140919_1.html
http://www.kb.cert.org/vuls/id/582497
33. What kind of vulnerability is a server certificate validation flaw? And what kind of risk does it pose?
34. (Diagram) The user installs the vulnerable app from Google Play or the App Store. A malicious Wi-Fi router sits between the app and the legitimate server and replaces the server certificate. Because the app does not validate the certificate, it encrypts its communication with the fake certificate; the router decrypts the traffic, eavesdrops on and manipulates it, and encrypts it again with the legitimate server's valid certificate. The communication may contain sensitive information because it is assumed to be encrypted, and it could also be sent to a fake URL in order to steal further information.
35. Example of Vulnerabilities Found – Case 2: Server certificate validation flaw
• Hostname verification is skipped because ALLOW_ALL_HOSTNAME_VERIFIER is used.
• Certificate verification is skipped because a custom (empty) TrustManager is used.
• The WebView displays the page even if it is malicious, because SslErrorHandler.proceed() is called on a certificate verification error.
37. Example of Vulnerabilities Found – Case 2: Server certificate validation flaw
• This vulnerability poses the risk that the user ID and password are intercepted when the user logs into the service using the app.
38. Summary of risks of the app in which vulnerabilities were found
• Possibility of eavesdropping (login or registration)
  → Theft of personal information (name, address, etc.) and of vehicle information (GPS, etc.), if the communication is intercepted when the user registers
  → Account hijacking (spoofing)
• Sending arbitrary messages (e.g., replay attack); the message specification was not investigated
  → Vehicle control hijacking (unlock doors, etc.)
  → Vehicle theft; possibility of further attacks and damage (e.g., vandalism)
39. Corrective Measures and Considerations for Vulnerable Apps
• Why did these vulnerabilities occur?
  ・ Debugging code left in the release build
  ・ Sample code copied and pasted (some might say "appropriated") from the Internet
  ・ Bad specifications (lack of understanding of secure design and coding)
40. Corrective Measures and Considerations for Vulnerable Apps
• There are various vulnerabilities and enabling factors in Android. We introduce the implementation rules for HTTP/HTTPS communication that would have prevented the vulnerabilities found in the app we investigated.
Source: JSSEC, Android Application Secure Design/Secure Coding Guidebook, September 1, 2016 edition, http://www.jssec.org/dl/android_securecoding.pdf
(1) Use HTTPS communication when sending sensitive information.
  → What is sensitive information? We need to understand in advance which system and user information must be protected.
(2) Verify the safety of the received data if it uses HTTP communication.
  → Vulnerable processing of incoming data may be targeted by attackers. We need to perform fuzz testing.
(3) Implement appropriate exception handling for SSLException (e.g., user notification).
  → An exception occurs if there is a certificate error, which may mean an MITM attack is in progress. The behavior needs to be considered for each feature's specification.
(4) Do not implement a custom TrustManager.
(5) Do not implement a custom HostnameVerifier.
  → (for 4 and 5) If you are using a private certificate, use the private CA root certificate to validate the server certificate. Do not implement these to skip certificate validation, even when debugging.
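As an added example (not code from the talk, from AndroBugs, or from any OEM app), the following Python script implements a handful of AndroBugs-style vulnerability vectors for the M1, M2 and M3 patterns described on the earlier slides (empty TrustManager, ALLOW_ALL_HOSTNAME_VERIFIER, SslErrorHandler.proceed(), cleartext WebView URLs, world-readable storage, secrets in logcat, a PreferenceActivity without isValidFragment()) and runs them over two constructed Java sources: one written the way the vulnerable app was, and one written according to the five rules above, including the private-CA case. It assumes the app has already been decompiled to Java (for example with jadx); AndroBugs itself works on the APK's bytecode. The class names, hostnames, the private_ca.crt asset and the showSslErrorDialog/TermsFragment helpers in the samples are invented.

```python
"""Added example (not the talk's, AndroBugs' or any OEM app's code): AndroBugs-style vectors for OWASP M1/M2/M3."""
import re
from collections import Counter

# Single-regex vectors: (id, OWASP Mobile Top 10 (2016) category, pattern, note)
REGEX_VECTORS = [
    ("SSL_ALLOW_ALL_HOSTNAME", "M3", r"\bALLOW_ALL_HOSTNAME_VERIFIER\b", "hostname verification skipped"),
    ("WEBVIEW_HTTP_URL", "M3", r'loadUrl\s*\(\s*"http://', "WebView loads a cleartext http:// URL"),
    ("WORLD_RW_STORAGE", "M2", r"\bMODE_WORLD_(READABLE|WRITEABLE)\b", "storage readable/writable by other apps"),
    ("SENSITIVE_LOG", "M2", r"(?i)Log\.[dvi]\s*\([^;]*(password|token|secret)", "secret written to logcat"),
]

def method_body(source, name):
    """Body of the first method named `name`, found by brace counting; None if absent."""
    m = re.search(r"\b" + re.escape(name) + r"\s*\(", source)
    start = source.find("{", m.end()) if m else -1
    if start < 0:
        return None
    depth = 0
    for i in range(start, len(source)):
        depth += {"{": 1, "}": -1}.get(source[i], 0)
        if depth == 0:
            return source[start + 1:i]
    return None

def scan(source):
    """Findings for one decompiled file: [{vector, category, line, note}, ...]."""
    findings = []
    def report(vector, category, pos, note):
        findings.append({"vector": vector, "category": category,
                         "line": source.count("\n", 0, pos) + 1, "note": note})
    for vector, category, pattern, note in REGEX_VECTORS:
        for m in re.finditer(pattern, source):
            report(vector, category, m.start(), note)
    # M3: custom X509TrustManager whose checkServerTrusted() does nothing (comments ignored)
    body = method_body(source, "checkServerTrusted")
    if body is not None and not re.sub(r"//[^\n]*|/\*.*?\*/", "", body, flags=re.S).strip():
        report("SSL_EMPTY_TRUSTMANAGER", "M3", source.find("checkServerTrusted"),
               "checkServerTrusted() is empty: server certificate never validated")
    # M3: WebViewClient.onReceivedSslError() that proceeds past a certificate error
    body = method_body(source, "onReceivedSslError")
    if body is not None and re.search(r"\.proceed\s*\(", body):
        report("WEBVIEW_SSL_PROCEED", "M3", source.find("onReceivedSslError"),
               "SslErrorHandler.proceed() ignores certificate errors")
    # M1: PreferenceActivity subclass that does not override isValidFragment()
    m = re.search(r"extends\s+PreferenceActivity\b", source)
    if m and "isValidFragment" not in source:
        report("FRAGMENT_INJECTION", "M1", m.start(), "fragment injection if the activity is exported")
    return findings

def summarize(findings):
    """Per-category counts, like the 'No. of critical vulnerability risks' table."""
    return dict(Counter(f["category"] for f in findings))

# Constructed decompiled source with the patterns found in app A (hosts and names invented)
VULNERABLE_SOURCE = r'''
public class LoginActivity extends Activity {
    private static final X509TrustManager TRUST_ALL = new X509TrustManager() {
        public void checkServerTrusted(X509Certificate[] c, String a) { /* debug: skip */ }  // other methods omitted
    };
    void connect(String user, String password) {
        HttpsURLConnection.setDefaultHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
        Log.d("Login", "user=" + user + " password=" + password);
        SharedPreferences p = getSharedPreferences("session", Context.MODE_WORLD_READABLE);
    }
    void showTerms(WebView wv, String name) {
        wv.setWebViewClient(new WebViewClient() {
            public void onReceivedSslError(WebView v, SslErrorHandler h, SslError e) { h.proceed(); }
        });
        wv.loadUrl("http://api.example.com/register?name=" + name);
    }
}
class SettingsActivity extends PreferenceActivity { }
'''

# Constructed source following the five JSSEC rules above (showSslErrorDialog, TermsFragment invented)
FIXED_SOURCE = r'''
public class LoginActivity extends Activity {
    void connect(String user, String password) throws Exception {
        // Private server certificate: trust its CA root explicitly; platform TrustManager and default HostnameVerifier stay in place
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType()); ks.load(null, null);
        ks.setCertificateEntry("ca", CertificateFactory.getInstance("X.509").generateCertificate(getAssets().open("private_ca.crt")));
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm()); tmf.init(ks);
        SSLContext sc = SSLContext.getInstance("TLS"); sc.init(null, tmf.getTrustManagers(), null);
        HttpsURLConnection c = (HttpsURLConnection) new URL("https://api.example.com/login").openConnection();
        c.setSSLSocketFactory(sc.getSocketFactory());
        SharedPreferences p = getSharedPreferences("session", Context.MODE_PRIVATE);
    }
    void showTerms(WebView wv) {
        wv.setWebViewClient(new WebViewClient() {
            public void onReceivedSslError(WebView v, SslErrorHandler h, SslError e) { h.cancel(); showSslErrorDialog(e); }
        });
        wv.loadUrl("https://api.example.com/terms");
    }
}
class SettingsActivity extends PreferenceActivity {
    @Override protected boolean isValidFragment(String name) { return TermsFragment.class.getName().equals(name); }
}
'''
```

Running scan(VULNERABLE_SOURCE) reports four M3, two M2 and one M1 finding with their line numbers, while scan(FIXED_SOURCE) reports nothing. As slide 46 says, each hit is only a candidate: the pattern matcher cannot tell whether the activity is actually exported or whether the logged value is really sensitive, so the findings still have to be confirmed by hand before they are counted as vulnerabilities.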
45. If you are going to develop an Android app, if you want to know other rules for Android apps, or if you have not read it yet…
Android Application Secure Design/Secure Coding Guidebook (JSSEC)
(http://www.jssec.org/dl/android_securecoding.pdf)
Check it out and give it a try! (Sorry, this is Japanese only.)
46. FFRI,Inc.
Summary: Scan Reports
• Not all positive scan results are true vulnerabilities because
AndroBugs reports common vulnerabilities mechanically.
• AndroBugs detects many SSL security alerts because most risk
factors arise from apps using HTTP communication.
• We created a web-based custom scan report for each app by using
the reports output by AndroBugs.
48. FFRI,Inc.
Summary: Scan Reports
App Author | Remote Control Feature | No. of Critical Vulnerability Risks | M1 – Improper Platform Usage | M2 – Insecure Data Storage | M3 – Insecure Communication
---------- | ---------------------- | ----------------------------------- | ---------------------------- | -------------------------- | ---------------------------
A | Yes | 11 | 5 | 1 | 5
B | No | 5 | 3 | 1 | 1
C | No | 5 | 2 | 1 | 2
D | No | 5 | 2 | 1 | 2
E | Yes | 4 | 0 | 0 | 4
F | Yes | 4 | 1 | 1 | 2
G | Yes | 3 | 0 | 0 | 3
H | Yes | 2 | 1 | 0 | 1
I | Partial | 1 | 0 | 0 | 1
J | Yes | 1 | 0 | 0 | 1
K | Partial | 0 | 0 | 0 | 0
49. FFRI,Inc.
Summary: Possibility of Exploits in the Future
App Author | Note
---------- | ----
A | We confirmed there are exploitable vulnerabilities. There is a risk of MITM attacks. Classes that inherit from PreferenceActivity do not implement isValidFragment(); the app might crash due to fragment injection if the class becomes a public activity.
B | We could not find any exploitable vulnerabilities in this app.
C | We could not find any exploitable vulnerabilities in this app.
D | We could not find any exploitable vulnerabilities in this app. Analysis would take a long time because the app is obfuscated.
E | We could not find any exploitable vulnerabilities in this app. This app crashes in one activity because it does not support the new permission model introduced in Android M.
F | We could not find any exploitable vulnerabilities in this app. Analysis would take a long time because the app is obfuscated.
G | We could not find any exploitable vulnerabilities in this app.
H | We could not find any exploitable vulnerabilities in this app.
I | We could not find any exploitable vulnerabilities in this app.
J | We could not find any exploitable vulnerabilities in this app.
K | We could not find any exploitable vulnerabilities in this app.
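The isValidFragment() finding for app A, shown as the corrected pattern. This is an added example written for this page, not code from app A or from the slides; the package and fragment class names are assumed. A PreferenceActivity receives the fragment class to show from its launching Intent, so an exported subclass that does not restrict that name will instantiate whatever class a caller supplies. Overriding isValidFragment() with an explicit allow-list is the fix; the override is also what prevents the crash, because on API 19 and later the framework's default implementation throws when it is not overridden.

```java
import android.preference.PreferenceActivity;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

/**
 * Added example (not from the slides): a PreferenceActivity subclass that validates the
 * fragment name it is asked to display. Package and class names are assumed for illustration.
 */
public class VehicleSettingsActivity extends PreferenceActivity {

    // Explicit allow-list of the fragment classes this activity may host. The requested name
    // comes from the launching Intent (EXTRA_SHOW_FRAGMENT), i.e. from outside the activity.
    private static final Set<String> ALLOWED_FRAGMENTS = Collections.unmodifiableSet(new HashSet<>(Arrays.asList(
            "com.example.vehicleapp.settings.AccountFragment",
            "com.example.vehicleapp.settings.NotificationFragment")));

    /** Pure check, kept separate so it can be unit-tested without an Android runtime. */
    static boolean isAllowedFragment(String fragmentName) {
        return fragmentName != null && ALLOWED_FRAGMENTS.contains(fragmentName);
    }

    @Override
    protected boolean isValidFragment(String fragmentName) {
        // Called by the framework before the fragment is instantiated; false aborts the load.
        return isAllowedFragment(fragmentName);
    }
}
```

Pair this with `android:exported="false"` on the activity in the manifest unless other apps genuinely need to launch it; the allow-list then limits damage if the export attribute is later changed, which is the scenario the slide describes.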
50. FFRI,Inc.
Conclusions
• Client-side vulnerabilities were confirmed in remote control services for
which other vulnerabilities have been reported recently.
• However, most of the apps did not have the above implementation errors.
• Most apps were easy to analyze because they were not obfuscated.
The results of this report apply to only Android apps.
Even if the client app is secure, if the server or vehicle is vulnerable, then
attackers will target those vulnerable points.
Services like remote control have the potential to be scaled up to monitoring many
vehicles at the same time for autonomous cars.
Therefore, we need to consider the security of the system as a whole, not only
the individual apps and vehicles.
51. FFRI,Inc.
Future Work
• Continue the analysis…
– We have not yet finished analyzing all of the vulnerability risks
detected by AndroBugs.
• This investigation did not cover all of the available apps.
– We also want to investigate other apps that were outside of the
scope of this investigation.
• Our investigation scope at this time was only Android apps.
– We also want to investigate server/vehicle-side applications if we
have a chance.