AVTOKYO2017‎ > ‎



Park Moonbeom a.k.a 朴文範
Masaki Kamizono
Tomohisa Ishikawa
Kohki Ohhira (KOH)
Soohyun Jin, Kiyong Sim
Hiroshi Kumagai

Ren Kimura
Hong-Kyo Kim

/* No speaking simultaneous interpretation is available , however, we try to show the slides in both english & japanese as much as we can. */
/* [en] means English speaker, [ja] means Japanese speaker. */

[en] Digging into radare2 for fun and profit -- pancake

r2 has been growing in popularity lately and it's being considered a serious option for several tasks related to reverse engineering, emulation, binary analysis and manipulation, as well as exploitation. It is an open source project that focus on portability but keeps it's roots on the unix philosophy.

This talk will enlight the attendees into understanding the capabilities, strengths and weaknesses of the project. Focusing on practical use cases for malware analysis and automated binary processing while explaining the basics to ease newcomers to get in touch with r2.

Introduction by @unixfreaxjp ( including radare2 workshop detail)

pancake(Sergi Alvarez):
Sergi Alvarez (also known as pancake) is the author of radare and radare2, currently working at NowSecure doing R+D on mobile security. In the past it worked as a forensics analyst, embedded software developer for autonomous sensors and optimizing codecs in assembly for intel, mips and arm. In his spare time has developed a bunch of free software projects and has been participating in the DEFCON CTF for 3 years in a row.

[ja] Be a decoy and drop it ! : A new approach to taking down exploit kits
Masaki Kamizono,Yin Minn Pa Pa,Hiroshi Kumagai,Takahiro Kasama

Recent exploit kits are operated using sophisticated infrastructure of proxies, VDS (virtual dedicated servers) and more. Thus, we replicate the infrastructure of leaked exploit kits and analyze their inner workings. This allows us to find out the vulnerable choke points for taking down the exploit kits. If we become a decoy, we might take down these exploit kits. In addition, we also discover malicious servers using the special characteristics in the code snippet of leaked exploit kits. We would like to present details on our findings in our talk.

Masaki Kamizono:Head of Laboratory, Cyber Security Laboratory
Yin Minn Pa Pa:Researcher, Cyber Security Laboratory
Hiroshi Kumagai:Senior Researcher, Cyber Security Laboratory
Takahiro Kasama:Cyber Security Laboratory, Research Organization

[ja] A Tale of Terror on Printers #1 -Utterly Simple Attack-
Kohki Ohhira (KOH)

Most offices have one or more printers. Are they managed appropriately by system administrators ?
If a printer is attacked, not administrators but users might suffer from damage.

For instance, when a person acquired a printer, s/he will setup it with supplied software. Then, the printer starts working well, so, s/he will possibly feel satisfied and forget to care about the printer.

It is easy to imagine that a printer which is untidily operated faces risks. (E.g. Password of printer administrator was not updated from factory default.)

We investigated attacks on such a printer practically.
In this session, we will explain an example of attacking such a printer, how can we protect us from the attack, and other topics.

Kohki Ohhira (KOH):
I'm working as a researcher at Fujitsu System Integration Laboratories Ltd.
I love M2M communications.

[ja] Monitoring Attacker: His name is YOUSSEF
Hiroshi Kumagai, Masaki Kamizono, Yin Minn Pa Pa, Yu Tsuda

We monitor the activities of attacker by attracting him to our sandbox environment called STARDUST, developed by NICT.  Attacker downloads his attacking tools to our environment and confirms the validity of stolen Paypal accounts and credit cards. In addition, by analyzing the observation results, we reveal the activities of attacker and we would like to introduce his true picture in our talk.

Hiroshi Kumagai:Senior Researcher, Security Laborator
Masaki Kamizono:
Head of Laboratory, Security Laboratory
Yin Minn Pa Pa:
Researcher, Security Laboratory
Yu Tsuda:
Security Researcher

[en] The Amazing Toolman - Mastering the tools and propose a hackable "Swiss Army Knife" framework for the 21st century

In this talk, I will introduce some handy tools, and then propose a hackable "Swiss Army Knife" framework for the 21st century. This framework can be used in conjunction with existing tools like burpsuite, docker, etc, and also a plenty of web extensions you often used on Chrome and Firefox. In addition, we can control and manage the WebExtension APIs as well, and therefore we can catch the snitch inside web extensions more easily.

Boik:Syue-Siang Su (Boik) has three-year experience on Web development using Rails, and actively using Open Source Software to create and manage applications or gadgets for his research in Web Security. He has received some awards from CTFs, been the speaker at Taiwan Modern Web 2017, and the lecturer at Taiwan HITCON Training and National Center for Cyber Security Technology.

[ja] Establishing CSIRT is difficult? Heh! It's the Komei trap!
Yamatono = Masahito "Yama"ga + waka"tono"

 In Japan, establishing CSIRT is one of the trend of security incidents countermeasure.
 We hear that some companies need the CSIRT as "Silver bullet" to responding security incidents, we hear it's hard to build CSIRT too.
 We suggest that CSIRT building is not so hard by showing similar activity other than CSIRT, and approach of solve problems for building CSIRT.

Masahito Yamaga:
CSIRT watcher
1994 - 2001 Chiba University Information Processing Center, assistant
2001 - 2006 JPCERT/CC manager, etc.
2006 - Freelance writer, consultant

A researcher in a certain CSIRT.
One of my research area is security for systems platform like operating system,  network, and virtual machine monitor.
 Ph.D. in Informatics(2011), Professional Engineer Japan(Information Engineering).
 In recent years, I'm interested in the CSIRT sustainability including maturity, capability development, and effective Kanikosen work.
Twitter ID: @wakatono


When acquiring a domain name, acquirer needs to register the information. Normally, in order to acquire a domain name for legitimate purposes, company information or personal information is registered. However, attackers mostly register fake information. I'd like to introduce result of research on fake registration information by OSINT.

Twitter: Seraph39
Malware analyst & tktk security study group organizer Twitter: Seraph39

[ja] More efficient remote debugging with thin hypervisor
Ren Kimura

Thin hypervisor has become an efficient analysis framework against the specific kind of rootkits and kernel itself.
It has less overhead than a traditional hypervisor and can build transparent guest environment on it.
However, these frameworks have lack of remote debugging ability despite of big advantage for analysis in real-world deployed systems. I'm going to demonstrate efficient remote debugging for rootkit and kernel using gdbserver on BitVisor I've developed.

Ren Kimura:

[en] A Deep Dive into the Digital Weapons and Case Study of the Enemy Country's Cyber Army
Park Moonbeom a.k.a 朴文範

Despite being one of the most closed and secretive nations in the earth, from Sony Picture breach to ATM attacks, attacks from the North Korea cyber army seems to be more and more aggressive than before. From our observation, North Korea cyber army has expanded their campaign from South Korea targets to global. Therefore, we think it is essential to understand the digital weapons they leveraged in their attacks, especial in these tense times between North Korea and their opponent countries. North Korea cyber army has been operated for several years. South Korea has been suffered from about 500 attack incidents every year, and the number is increasing. From these attacks, we were able to analysis the weapons they used and be able track attack cases by them. In this presentation, I will take a deep dive into the malicious codes they used in the both cyber espionage and cyber crime attack. In addition, we will analysis the exploits and the C&C infrastructure they used. I will analyze and explain the actual some cases of the APT attack, how they used the exploit, C&C, attack tool and so on.

Park Moonbeom a.k.a 朴文範:
Moonbeom, he is a deputy general researcher in TTPA(Trusted Third Party Agency) of Korea, has 10 years of experience in hacking analysis, digital forensic, research on hacking technic, profiling hacking source. Recently, he has been profiling and monitoring to North Korean cyber warfare groups. He is not only one of experts among government and private sector in fields of forensic, hacking analysis, hacker profiling, counter-attack on hackers, but also mentor of Korea's next generation security leader training program ‘Best of the Best(a.k.a BoB)’. Also he has participated for speaker and has presentations in various international security conference such as Ekoparty, HITCON, HITB-GSEC, TROOPERS, VXCON, etc.

[ja] Latest Penetration Test in U.S. (What is Red Team Service?)
Tomohisa Ishikawa

I am a Japanese security consultant and penetration tester in Japanese consulting firm, but since I stayed in security team of U.S. financial company in 2016, I would like to introduce U.S. penetration methodology called red team service or adversary simulations. Red Team in U.S. covers three threat elements (digital, physical, social) comprehensively as methodology, and I would like to explain the detailed method of them.

Tomohisa Ishikawa:
A Japanese security consultant. He is specialized in penetration testing, incident response, vulnerability management, secure development, and security education. In 2016, He was in the security team in U.S. financial company and learned latest security methodology in U.S.  he has various speaker experience in famous security conferences such as SANSFIRE 2011, SANSFIRE 2012, Philly Security Shell, DEF CON 24 SE Village, LASCON 2016, and BSides Philadelphia 2016.
Blog : http://www.scientia-security.org/

[en] What_happened_to_your_home?
Soohyun Jin, Kiyong Sim

Nowadays Internet of Things(IoT) technology is prevalent along with Machine Learning and Big Data. It is a technology that connects computerized objects through a network like internet and communicates information with each other. From the smart factory to make efficient manufacturing process, to the electric heater that has remotely controllable function, IoT technology applied almost every home appliances and industrial machinery.
  But as many computerized objects emerged and connected to the internet, incidents and cyber terrors utilizing IoT devices have been rapidly grown. And when it comes to investigating the incidents and collecting cyber evidences, There are differences between the IoT forensic and usual digital forensic as much as the system environment differences between the IoT devices and PCs and Servers. Also Limitation that never be seen in the digital forensic exists.
 In this talk, We cover how to hack or exploit to IoT devices(Home electric appliances) and the IoT forensic including collecting the evidences in the IoT devices that damaged or utilized for cyber terror, extracting artifacts(i.e., log files) from the IoT devices infected by malware through the IoT forensic, and analyzing the attacker's invasion pathway remaining integrity of the evidence files extracted from the IoT devices.
  And we will introduce not only 0-day vulnerabilities with exploits and useful tools developed by ourselves for the IoT forensic but also discuss the limitation of the IoT forensic. We have researched and exploited to one of home electric appliances(robot cleaner) made by LG Electronic that called ‘LG ROBOKING’.

Soohyun Jin:
- I’m not only a researcher in hacking and security academy called ‘Best of the Best(a.k.a BoB)’, but also leader of digital forensic researching group in South Korea. These days, I researching exploit technique and forensic technique for home electric appliances. I also served at the Air Force CERT, and now I am a student at a university.

Kiyong Sim:
- Kiyong Sim (tonix) is a vulnerability researcher at Hayyim Security and security academy called Best of the Best(a.k.a BoB). Nowad

[en] Wi-Fi dashboard camera vulnerability analysis using threat modeling
Hong-Kyo Kim


Hong-Kyo Kim: