/* No simultaneous interpretation is available; however, we try to show the slides in both English and Japanese as much as we can. */

/* [en] means English speaker, [ja] means Japanese speaker. */

[en] "TSURUGI Linux - the sharpest weapon in your DFIR arsenal"

Giovanni Rattaro

Tsurugi is a heavily customized Linux distribution designed to support your DFIR investigations, malware analysis and open source intelligence (OSINT) activities. This open source project will be officially presented and will become public at the AVTokyo conference. During the talk, other parallel projects for acquisition and for live forensics will be presented...

Giovanni Rattaro:

Giovanni 'Sug4r' Rattaro is a Senior IT Security Consultant at Openminded, a cybersecurity company based in Paris, Italian board member of the old BackTrack Linux project (now Kali Linux) and former DEFT Linux staff member.

Main interests: DFIR, Cyber Threat Intelligence, botnet hunting, pentesting and social engineering.

Tsurugi Linux core developer.

[en] Open Source Intelligence using DeepWeb: Analysis of the correlation between malware and the open source

Dasom Kim & Seunggi Jeong

This presentation explains how to make the most of open sources and how to track specific users the Horangi R&D Team has discovered. Based on open-source information about malicious users, such as users who mainly sell malware targeted at a specific company and users who sell data or personal information of other users, we visualize their activities and analyze the associations between them.

Dasom Kim:

Dasom Kim is a researcher in CyberOps at Horangi Pte Ltd. She is a final-year student at Kyungil University and a member of the anti-forensics research club. Her research interests include digital forensics, offender profiling, anti-forensics (steganography) and virtual reality.

Seunggi JEONG:

Seunggi JEONG is a Lead CyberOps Engineer in CyberOps at Horangi Pte Ltd.

[en] Play with FILE Structure - Yet Another Binary Exploit Technique

Angelboy

To fight against prevalent cyber threats, more mechanisms to protect operating systems have been proposed recently. Specifically, approaches like DEP, ASLR and RELRO are frequently applied on Linux to hinder the exploitation of memory corruption vulnerabilities. In other words, it is more difficult for adversaries to exploit bugs to undermine system security.

In this session, we will propose a new attack technique that exploits the FILE structure in the GNU C Library (glibc), and show how to circumvent the protections adopted by modern operating systems. In more detail, we demonstrate techniques to break data protection and achieve remote code execution. Moreover, we explore the methodology of using different FILE structures for attack, so-called File Stream Oriented Programming.

There are also new mitigations in the latest version of glibc, but we can still abuse the FILE structure with our new approaches.
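
The abstract names the mechanism without showing it. The toy model below is an added example written for this page (it is not glibc code and not the speaker's code): it shows why the FILE object is such an attractive target. In glibc a FILE is really an _IO_FILE_plus whose last field points at a table of function pointers (_IO_jump_t), and operations like fclose dispatch through that table. The names toy_file, io_vtables, forged_vtable and the handler functions are invented stand-ins; the range check models the vtable validation glibc added in 2.24, and the second demo models one publicly known class of post-mitigation bypass (switching the pointer to a different legitimate table, in the spirit of _IO_str_jumps, whose handler calls a pointer kept in the FILE data itself). Whether that is the approach the talk presents is not stated on this page.

```c
/* Toy model of glibc FILE vtable dispatch and its 2.24 mitigation.
 * Added illustration for this page; not glibc code. All names are invented. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct toy_file;
typedef void (*free_fn)(void *);
typedef int (*close_fn)(struct toy_file *);

/* Stand-in for _IO_jump_t; real glibc tables hold about 20 entries. */
typedef struct { close_fn close; } toy_vtable;

/* Stand-in for _IO_FILE_plus: buffer bookkeeping first, vtable pointer last.
 * free_buffer models the extra function pointer an _IO_strfile carries. */
typedef struct toy_file {
    int fileno;
    char buf[16];
    void *buf_base;
    free_fn free_buffer;
    const toy_vtable *vtable;
} toy_file;

static int last_gadget_result;   /* set when attacker-chosen code runs */

/* Attacker's targets; they stand in for system("/bin/sh") or a one-gadget. */
static int gadget_close(toy_file *f) { (void)f; last_gadget_result = 0xdead; return 0xdead; }
static void gadget_free(void *p) { (void)p; last_gadget_result = 0xbeef; }

static int file_close(toy_file *f) { f->fileno = -1; return 0; }

/* Models _IO_str_finish: releases the buffer through a pointer kept in the FILE. */
static int str_close(toy_file *f) {
    if (f->buf_base && f->free_buffer) f->free_buffer(f->buf_base);
    f->fileno = -1;
    return 0;
}

/* Models the __libc_IO_vtables section: every legitimate table lives here. */
static const toy_vtable io_vtables[] = {
    { file_close },   /* like _IO_file_jumps */
    { str_close },    /* like _IO_str_jumps  */
};
/* A fully attacker-written table, as in pre-2.24 vtable hijacking. */
static const toy_vtable forged_vtable = { gadget_close };

/* Pre-2.24 fclose: trust the pointer and call through it. */
static int toy_fclose_unchecked(toy_file *f) { return f->vtable->close(f); }

/* 2.24+ fclose: IO_validate_vtable-style check that the pointer is in the section. */
static bool vtable_in_section(const toy_vtable *vt) {
    uintptr_t p = (uintptr_t)vt, lo = (uintptr_t)io_vtables;
    return p >= lo && p < lo + sizeof io_vtables;
}
static int toy_fclose_checked(toy_file *f) {
    if (!vtable_in_section(f->vtable)) return -1;   /* real glibc: __libc_fatal() */
    return f->vtable->close(f);
}

/* Models a heap overflow that has run as far as the vtable field. */
static void overwrite_vtable(toy_file *f, const toy_vtable *vt) {
    memcpy((char *)f + offsetof(toy_file, vtable), &vt, sizeof vt);
}

static toy_file fresh_file(void) {
    toy_file f = { .fileno = 3, .vtable = &io_vtables[0] };
    return f;
}

/* 1. Classic attack: point vtable at forged memory.
 *    Unchecked: gadget_close runs (returns 0xdead). Checked: rejected (-1). */
int demo_forged_vtable(bool checked) {
    toy_file f = fresh_file();
    last_gadget_result = 0;
    overwrite_vtable(&f, &forged_vtable);
    return checked ? toy_fclose_checked(&f) : toy_fclose_unchecked(&f);
}

/* 2. Post-mitigation attack: stay inside the section but choose a different
 *    legitimate table whose handler trusts a pointer stored in the FILE data. */
int demo_vtable_swap(void) {
    toy_file f = fresh_file();
    last_gadget_result = 0;
    f.buf_base = f.buf;             /* any non-NULL value */
    f.free_buffer = gadget_free;    /* attacker-controlled data, not code */
    overwrite_vtable(&f, &io_vtables[1]);
    return toy_fclose_checked(&f);  /* passes the range check; gadget_free runs */
}

int gadget_marker(void) { return last_gadget_result; }

int main(void) {
    printf("forged, unchecked: %#x\n", (unsigned)demo_forged_vtable(false));
    printf("forged, checked:   %d\n", demo_forged_vtable(true));
    int rc = demo_vtable_swap();
    printf("swap,   checked:   %d (gadget marker %#x)\n", rc, (unsigned)gadget_marker());
    return 0;
}
```

Build with `cc -std=c11 -Wall toy_file.c` and run it. The point of the second demo is the one the abstract hints at: a range check on the vtable pointer only guarantees that some legitimate handler runs, not that the handler is the right one for this stream, and several legitimate handlers dereference pointers that live in attacker-writable FILE data.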

Angelboy:

Angelboy is a member of the chroot and 217 teams. He researches Linux binary exploitation, especially heap-related exploitation. He has participated in many CTFs, such as HITB, DEFCON and Boston Key Party, won 2nd place in DEFCON CTF 2017 and 1st place in Boston Key Party 2016 and 2017 with the HITCON CTF team. He is also a speaker at conferences such as HITCON, VXCON and HITB.

[en] A mysterious watcher? Red Eyes Group and their activities in South Korea

CHA Minseok(Jacky)

On January 31, 2018, KrCERT warned users about the zero-day vulnerability in Adobe Flash Player (CVE-2018-4878). The first attack exploiting this vulnerability was made against Korean users in November 2017. It uses the Redoor malware to infect users in the last phase of the attack. DOGcall and ROKRAT are in the same family as this malware. Redoor is known as the malware delivered in January 2017 through a Hancom Hangul (a Korean word processor) document disguised as a New Year's address by North Korea. However, the first attack using this malware had occurred in the autumn of 2016.

Red Eyes Group, the hacking group behind the attack, is also referred to as ScarCruft, Group123, Ricochet Chollima, Reaper and APT37. Their profile is being built up slowly through the efforts of security vendors to gather, collate and analyze the attacks. The attacks are known to have been made not only in Korea, but also in Vietnam, Japan and the Middle East.

The main targets of the attacks in Korea seem to be North Korean defectors and human rights activists. Hancom Hangul is a word processor widely used within Korea, and it has been used in targeted attacks. Some of their attacks exploit zero-day vulnerabilities in Adobe Flash.

In this presentation, I will talk about the group's attack methods in South Korea, including attack targets inferred from the decoy documents and the characteristics of the main malware. I will also use information gained from the code to profile the developer, and compare the attacks with those of a group that was active in 2015. There is a chance that this group has been active for longer than we thought.

CHA Minseok(Jacky):

CHA Minseok(Jacky) is a Senior Principal Malware Researcher at AhnLab. He joined AhnLab as a malware analyst in 1997.

He is a member of AVAR (Association of Anti-Virus Asia Researchers) and a reporter for the WildList Organization International.

He has been appointed as a member of the Private/Public Cooperative Investigation Group and Cyber Expert Group in South Korea.

He is a speaker at security conferences, including AVAR Conference, CARO Workshop, CodeEngn, CodeGate, ISCR(International Symposium on Cybercrime Response) and so on.

When he has free time, he enjoys old video games and old anime.

[ja] An Inconvenient Truth: Evading the Ransomware Protection in Windows 10

Soya Aoyama

The WannaCry cyber-attack that spread all over the world in May 2017 is still fresh in our minds. The malware encrypted and rendered useless hundreds of thousands of computers in over 150 countries.

As a measure against ransomware, Microsoft introduced the "Ransomware protection" function in the Windows 10 Fall Creators Update. How does this function work? Is it really effective?

In this talk, I will explain the operating principles of "Controlled folder access", part of "Ransomware protection", through a demonstration video. Then I will show the requirements for evading this function, and describe how it can be evaded very easily. And I will ask whether we may have to reconsider the definition of a vulnerability.

Soya Aoyama:

Soya Aoyama is a security researcher at Fujitsu System Integration Laboratories Limited.

Soya has been working at Fujitsu for more than 20 years as a Windows software developer, writing NDIS drivers, Bluetooth profiles, Winsock applications and more, and started security research about 3 years ago.

Soya has given presentations at AVTOKYO, BSidesLV, GrrCON, ToorCon and DerbyCon in the past.

[en] Farewell, WAF - Exploiting SQL Injection from Mutation to Polymorphism

Boik Su

In this talk, we'll not only go through the core ideas and concepts of the Web application firewall (WAF) and some background on mutation testing against web applications, but also introduce a promising direction: automatically generating SQL injection attacks with polymorphism. We'll present some case studies and bypasses for the latest version of ModSecurity (v3.1) alongside our demonstrations, and explain why common detections cannot help here. The audience will then realize the power of this concept and the beauty of the SQL language.

Boik Su:

Syue-Siang Su (Boik) has four years' experience in Web development and actively uses OSS to create and manage applications or gadgets for his research in Web security. He has received awards from CTFs, been a speaker at OSCON 2018, AVTokyo 2017 and Taiwan Modern Web 2017, and a lecturer at HITCON Training in Taiwan and at the National Center for Cyber Security Technology.

* http://boik.com.tw/

[ja] Ockham's Razor: A Forensics Tale

"White Ship" (Isaac Mathis)

Isaac will do a fun talk about a DFIR incident.

"White Ship" (Isaac Mathis):

Isaac Mathis, a.k.a. "White Ship" does various security work in western Japan when not doing aikido, playing shakuhachi, meditating or maintaining his Japanese garden.

[ja] Building CTF: A thousand mistakes

Nomuken

CTF is the most famous and exciting hackers' contest in the world. In particular, the most famous CTF in Japan is SECCON. I'll talk about how to build a CTF and the mistakes I made in the CTFs I helped with.

Nomuken:

Nomuken is an otaku in Japan. He loves the Japanese animation "Is the Order a Rabbit?" and Hatsune Miku. He is a staff member of SECCON.

[ja] Revealing hidden data behind CloudFront

Mitsuyoshi Ozaki / Mitsuaki (Mitch) Shiraishi / Satomi Komine

Amazon CloudFront is a content delivery network (CDN) service. It provides several configurations so that it can deliver content to clients at high transfer speeds or with easier access. However, misconfigurations may cause security issues.

We found a curious host that was accessible only via CloudFront during a penetration test project. We also identified that someone had stored sensitive information, such as an FTP hostname and credentials, on the host. This session shows the issue and our further research to identify its cause and to find more such hosts.

Mitsuyoshi Ozaki:

Technical testing team member at SecureWorks Japan

Mitsuaki (Mitch) Shiraishi:

Technical testing team member at SecureWorks Japan

Satomi Komine:

Technical testing team member at SecureWorks Japan