Security BSides is a community-driven framework for building events, by and for, information security community members. These events are already happening in major cities all over the world! We organize the independent, BSides-approved event in Tokyo for the security community in Japan.

The outline of the next conference is as follows.

Date

Saturday, March 30, 2024 10:00-17:30

Location

16F, Shibuya FUKURAS, 1-2-3 Dogenzaka, Shibuya-ku, Tokyo

GMO Internet Group 2nd Headquarters GMO Yours FUKURAS

How to participate

Please purchase tickets on the following page.

livepocket

How to enter

How to enter SHIBUYA FUKURAS

Venue provided by

GMO Internet Group


Schedule

09:00 - 09:50

Registration and doors open

09:50 - 10:00

Opening remarks

10:00 - 10:30

Pavan Karthick M

As a Threat Researcher at CloudSEK, I am deeply committed to automating threat intelligence and have a fervor for hunting emerging threats. My extensive research and practical experience have culminated in significant findings and the creation of multiple automation projects, benefitting both me and my peers in the cybersecurity field. My expertise, combined with an innate knack for investigation, firmly places me at the forefront of cybersecurity, with a dedicated focus on understanding and combating digital threats. Outside of my professional life, I am a passionate football enthusiast, both as a spectator and a player in the virtual realm of FIFA.

Zero-Day Assault? Uncovering Malware’s Exploits on Google Accounts

In today’s digital landscape, Google accounts are central to personal and professional lives, making them prime targets for malicious actors. This presentation investigates malware that manipulates intended Google features to hijack accounts, activity that was initially mislabeled as exploiting a zero-day vulnerability.

While cookie and password theft are prevalent threats, Google’s robust security typically safeguards accounts. However, a malware strain first identified in October 2023 leverages undocumented aspects of Google’s ecosystem for operational security, allowing it to maintain persistence even after password resets. Once this initial strain was discovered, at least 8 different malware families were observed abusing the same feature. Through OSINT, HUMINT, and reverse engineering, we traced the exploit’s origins to the Chromium source code, uncovering its techniques.

The presentation will emphasize the ongoing evolution of malware tactics in response to Google’s updates to prevent abuse and account hijacking, and the critical need to recognize and mitigate threats that arise from exploiting undocumented features within open-source software dependencies.

10:30 - 11:00

Aapo Oksman

Aapo Oksman is an entrepreneur and the Founder of Juurin Oy, a cybersecurity company focusing on technical IoT cybersecurity. His background is in electrical engineering, embedded devices, and test automation. Combining his background with a hacking hobby led to a cybersecurity career focusing on industrial IoT.

Bug Bounties and security research keep Aapo motivated and learning. His work in PKI and TLS has resulted in multiple CVEs from vendors like Microsoft, Apple, and Samsung. Outside work and research, Aapo’s passion is in the community. He organizes local security meetups and coaches the Finnish national youth CTF team in the yearly European Cybersecurity Challenge competition.

Breaking TLS and hacking into everything

TLS is the de facto way of securing the network connections for any phone, laptop, server, or even a light bulb. It is secure, except when it is not.

Throughout the years, I’ve broken into the TLS traffic of everything. Not all the things, but I’ve found a vulnerability in anything imaginable. I’ve hacked into your operating system, emails, and corporate credentials and could have taken control of your life.

Last year at DEF CON, I released a tool to automatically find vulnerabilities in TLS implementations. certmitm has continued to find TLS vulnerabilities through my work and that of countless other researchers.

The research behind this work has generated over $150,000 in bug bounty, over 10 CVEs from Apple, Microsoft, and Samsung, and close to 150 unique vulnerabilities, many still 0days.

This talk discusses how many essential things in your life rely on the security of a single line of code in every single software library and application you use. We will see examples of how these mistakes allow an attacker to decrypt your most precious data. Some of the vulnerabilities will be presented publicly for the first time.
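The "single line of code" the talk refers to is the certificate validation switch in a TLS client. The following is an added example, not code from the talk or from certmitm: it puts the weak client configuration beside the hardened one with an audit helper, and spells out an RFC 6125 hostname matcher, since name matching is where many real-world validation bugs live. The certificate dicts are constructed test inputs in the shape returned by `ssl.getpeercert()`, and the audit finding names are this example's own.

```python
"""Added example for the TLS talk above; not code from the talk or certmitm.
(a) the one-line settings that decide whether a Python TLS client validates
    the server at all, with an audit helper;
(b) an explicit RFC 6125 hostname matcher over DNS subjectAltNames.
SAMPLE_CERT and CN_ONLY_CERT are constructed inputs shaped like the dict
that ssl.SSLSocket.getpeercert() returns."""
import ssl


def insecure_context() -> ssl.SSLContext:
    """The weak setting: with these two lines any certificate (self-signed,
    expired, issued for another name) is accepted, so an on-path attacker can
    decrypt and modify the traffic."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be disabled before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context() -> ssl.SSLContext:
    """Chain validation against the system trust store plus hostname check."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return the findings that make a client context unsafe (names are this
    example's own labels, not an official taxonomy)."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("no-chain-validation")
    if not ctx.check_hostname:
        findings.append("no-hostname-check")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy-tls-allowed")
    return findings


def _san_dns_names(cert: dict) -> list:
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def hostname_matches(hostname: str, cert: dict) -> bool:
    """RFC 6125-style matching against DNS SANs only: case-insensitive, a
    wildcard must be the whole leftmost label and covers exactly one label,
    '*.tld' style names never match, and there is no fallback to the CN."""
    host = hostname.lower().rstrip(".").split(".")
    for name in _san_dns_names(cert):
        labels = name.lower().rstrip(".").split(".")
        if len(labels) != len(host) or "" in labels:
            continue                      # a wildcard never spans label boundaries
        if any("*" in lbl for lbl in labels[1:]):
            continue                      # wildcard only allowed in the leftmost label
        first = labels[0]
        if "*" in first and (first != "*" or len(labels) < 3):
            continue                      # reject "f*.example.com" and "*.com"
        if all(p == "*" or p == h for p, h in zip(labels, host)):
            return True
    return False


# Constructed certificates: the CN is deliberately misleading so that a
# CN-fallback bug would show up as a false match.
SAMPLE_CERT = {
    "subject": ((("commonName", "evil.example.com"),),),
    "subjectAltName": (("DNS", "*.example.com"), ("DNS", "example.com")),
}
CN_ONLY_CERT = {"subject": ((("commonName", "www.example.com"),),)}


if __name__ == "__main__":
    print("insecure:", audit_context(insecure_context()))
    print("hardened:", audit_context(hardened_context()))
    for host in ("www.example.com", "a.b.example.com", "evil.com"):
        print(host, "->", hostname_matches(host, SAMPLE_CERT))
```

The `check_hostname = False` line has to come before `verify_mode = CERT_NONE`, which is why the two usually appear together in vulnerable code; grepping a code base for that pair is a cheap first pass before pointing certmitm at the application.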

11:00 - 11:30

Norihide Saito / Azara

Norihide Saito has been involved in development and security-related work since he was a student, and joined Flatt Security in 2020. He is currently a security engineer in charge of security assessments, mainly of web applications and public clouds, and is active in external organizations such as ISOG-J WG1.

Eiji Mori / ei01241

Eiji Mori joined Flatt Security in April 2021 after completing graduate studies at Kagoshima University. As a security engineer, he is mainly in charge of web application and smartphone application assessments.

He has been involved in security camp related events in the past and has a wide range of interests from hardware to software. His hobbies are vulnerability research and muscle training.

XSS using dirty Content-Type in cloud era

Modern web applications can now be developed quickly and without managing servers by using public clouds. The same is now true for file upload and delivery, and in object storage, represented by Amazon S3, we found an interesting behavior: the values of Content-Type and other metadata can be set to any value. In this lecture, we will introduce vulnerabilities in libraries and the problems found through this research, caused by differing interpretations of RFCs and specifications in implementations, as well as the threats that can arise through this functionality.
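The abstract's point is that object storage will store and echo back whatever Content-Type the uploader sets, so the application cannot trust that metadata. The following is an added example, not the speakers' or Flatt Security's code: a strict media-type parser (instead of a lenient library guess), a magic-byte check at PUT time, and GET-time response headers for an application that proxies or signs downloads rather than letting browsers read bucket metadata directly. That deployment shape, the allowlist, and the sample bodies are assumptions constructed for the example.

```python
"""Added example for the Content-Type talk above; not the speakers' code.
Two gates against an uploader-controlled Content-Type turning a stored object
into an HTML page: accept_upload() at PUT time and response_headers() at GET
time (assumes the app fronts the bucket).  Sample bodies are constructed."""
import re

_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"           # RFC 7230 token
_MEDIA_TYPE = re.compile(rf"^({_TOKEN})/({_TOKEN})$")

# Only these may be rendered inline.  text/html, image/svg+xml and anything
# unparseable are deliberately absent: they can carry script.
RENDERABLE = {"image/png", "image/jpeg", "image/gif", "application/pdf"}

_MAGIC = [
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
    (b"%PDF-", "application/pdf"),
]


def parse_media_type(value):
    """Strict type/subtype parse.  Parameters after ';' are dropped; a value
    that is not exactly one well-formed media type (comma lists, spaces,
    NULs, empty subtype) returns None instead of letting a lenient library
    guess which of several candidates the browser will believe."""
    if value is None:
        return None
    essence, _, _params = value.partition(";")
    m = _MEDIA_TYPE.match(essence.strip())
    if not m:
        return None
    return f"{m.group(1).lower()}/{m.group(2).lower()}"


def sniff(body: bytes):
    """Identify the file from its leading bytes, independent of any header."""
    for magic, media_type in _MAGIC:
        if body.startswith(magic):
            return media_type
    return None


def accept_upload(declared_content_type, body: bytes) -> bool:
    """PUT-time gate: the declared type must parse, be renderable and agree
    with the file's magic bytes.  Reject otherwise rather than storing the
    uploader's value as object metadata."""
    media_type = parse_media_type(declared_content_type)
    return media_type in RENDERABLE and sniff(body) == media_type


def response_headers(stored_content_type, filename: str) -> dict:
    """GET-time headers.  Anything not on the allowlist is served as an
    opaque attachment; nosniff stops the browser from second-guessing the
    type, and the sandboxed CSP keeps a renderable file from running
    script even if a parser bug let something through."""
    media_type = parse_media_type(stored_content_type)
    if media_type in RENDERABLE:
        content_type, disposition = media_type, "inline"
    else:
        content_type, disposition = "application/octet-stream", "attachment"
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", filename) or "download"
    return {
        "Content-Type": content_type,
        "Content-Disposition": f'{disposition}; filename="{safe_name}"',
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }


if __name__ == "__main__":
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16          # constructed PNG header
    print(accept_upload("image/png", png))
    print(accept_upload("text/html", b"<script>1</script>"))
    print(response_headers("text/html", "avatar.png"))
```

Both gates are needed: the upload check protects objects written through the application, while the response check also covers objects whose metadata was set by some other path (another client, a console edit, a bucket-level default).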

11:30 - 13:00

Lunch

13:00 - 13:30

Daniel Frank

Daniel Frank is a Principal Threat Researcher at Palo Alto Networks, with over a decade of experience. His core roles as a Threat Researcher include researching emerging threats, reverse-engineering malware, threat hunting, and threat intelligence. Frank has a BSc degree in information systems.

Over the Cassowary’s Nest - Dissecting Turla’s Latest Revision of the Kazuar Backdoor

What happens when a rarely seen piece of malware, attributed to one of the world’s most elite APT groups, reemerges in the midst of the “cyber battlefield” of the Ukraine - Russia conflict?

In July 2023, the Ukrainian CERT published an advisory about an activity attributed to Turla, targeting its defense sector from 2022, briefly mentioning a new version of the elusive Kazuar backdoor. While this new version was not found in VirusTotal or other community repositories, it did find its way into our telemetry!

Since its discovery in 2017, the Kazuar backdoor has gained notoriety as one of the most advanced and comprehensive nation-state espionage tools in the cyber warfare arena.

In this talk, we will first trace back its origin and attribution to Turla and discuss how it evolved over the years, gaining extra stealth and capabilities with each major version.

Second, we will provide a thorough and detailed technical malware analysis of the latest Kazuar version, which includes major upgrades and novel capabilities - that have not been previously publicly documented.

Third, we will dive into the SecOps measures that Kazuar’s authors took in order to fly under the radar, going into detailed analysis of their encryption implementations, packing and code obfuscation - all meant to heavily guard its code and functionality.

Finally, we will provide the audience with practical ways to hunt for the elusive Kazuar backdoor. By the end of the talk, the audience will gain a unique glimpse into the inner workings of cyber warfare at the highest levels, through the lens of the latest undocumented version of Kazuar.

13:30 - 14:00

Tripp

A red teamer and hacker with over 15 years of experience, Tripp is the founder of TenguSec and author of the upcoming Pentesting With Kali Nethunter book (due Q2 2024). Previously spoke at CarolinaCon in 2017 (A Pentester’s Intro to ICS/SCADA) and AV Tokyo 2023 (Hacker EDC/Intro to Bluetooth and Wifi hacking).

An intro to Amusement Park hacking

Amusement parks are complex ecosystems powered by sophisticated networks, control systems, and data analytics, making them ripe grounds for cybersecurity exploration. This presentation introduces the relatively uncharted world of amusement park hacking, where we navigate through the intricacies of operational technology (OT) security, wireless communication protocols, and IoT devices that keep the parks alive. We will delve into leveraging open-source intelligence (OSINT) and network simulation tools to understand and potentially exploit vulnerabilities within amusement park infrastructures. From ticketing systems and RFID wristbands to mobile apps and the SCADA systems that control the rides themselves, attendees will learn the basics of identifying and assessing cybersecurity risks in a non-traditional IT environment.

14:00 - 14:30

Masahiro Furuichi(D)

Member of YamatoSecurity, Contributor to Hayabusa and Takajo, SECCON2023 speaker.

Fukusuke Takahashi(@fukusuket)

He is a member of NTTDATA-CERT, a member of YamatoSecurity, a contributor to Hayabusa and Takajo, and a speaker at SECCON2023.


Scalable DFIR with Velociraptor and Hayabusa by YamatoSecurity

DFIR personnel are required to analyze a variety of artifacts, and it is difficult to accumulate comprehensive knowledge. In this session, we will explain the mechanism of OSS Velociraptor/Hayabusa and DFIR using them and utilizing community knowledge.

After unraveling the mechanism of the above OSS and deepening your understanding of the architecture, we will explain how to build a DFIR environment using Velociraptor + Hayabusa + community knowledge.

Velociraptor allows easy endpoint distribution/collection. In addition, we will introduce how incorporating community knowledge can make the DFIR environment scalable both in terms of environment and knowledge.
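The mechanism the session refers to is rule-based detection over collected event logs: community Sigma rules evaluated field by field against Windows event records. The following is an added example, not Hayabusa's or Velociraptor's code: a small matcher for one Sigma-shaped rule (selections with modifiers, a filter, a level) run over constructed event records in the flattened form a JSON-exported EVTX gives. The rule, the events and the output shape are all this example's own.

```python
"""Added example for the Velociraptor/Hayabusa session above; not code from
either project.  A toy Sigma-style matcher: one rule with field selections,
modifiers, a filter and a level, evaluated over constructed Windows event
records.  Supported here: exact match, contains/startswith/endswith, lists
meaning OR, and the common condition "selection and not filter"."""

# Constructed rule in Sigma's shape (not a rule from the community repository).
RULE = {
    "title": "Reconnaissance tooling spawned by an Office application",
    "level": "high",
    "logsource": {"Channel": "Security"},
    "detection": {
        "selection": {
            "EventID": 4688,
            "NewProcessName|endswith": ["\\whoami.exe", "\\net.exe", "\\nltest.exe"],
            "ParentProcessName|contains": ["\\winword.exe", "\\excel.exe"],
        },
        "filter": {"CommandLine|contains": "/?"},   # bare help invocations
        "condition": "selection and not filter",
    },
}

# Constructed event records, flattened the way a JSON-exported EVTX looks.
EVENTS = [
    {"RecordNumber": 101, "Channel": "Security", "EventID": 4688,
     "NewProcessName": "C:\\Windows\\System32\\whoami.exe",
     "ParentProcessName": "C:\\Program Files\\Microsoft Office\\WINWORD.EXE",
     "CommandLine": "whoami /all"},
    {"RecordNumber": 102, "Channel": "Security", "EventID": 4688,
     "NewProcessName": "C:\\Windows\\System32\\whoami.exe",
     "ParentProcessName": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "whoami"},
    {"RecordNumber": 103, "Channel": "Security", "EventID": 4688,
     "NewProcessName": "C:\\Windows\\System32\\net.exe",
     "ParentProcessName": "C:\\Program Files\\Microsoft Office\\EXCEL.EXE",
     "CommandLine": "net /?"},
    {"RecordNumber": 104, "Channel": "System", "EventID": 7045,
     "ServiceName": "updater", "ImagePath": "C:\\Temp\\u.exe"},
]

_MODIFIERS = ("", "contains", "startswith", "endswith")


def _field_matches(spec, wanted, event) -> bool:
    """One 'Field|modifier: value-or-list' line; lists are OR, matching is
    case-insensitive as in Sigma."""
    field, _, modifier = spec.partition("|")
    if modifier not in _MODIFIERS:
        raise ValueError(f"unsupported modifier: {modifier}")
    if field not in event:
        return False
    actual = str(event[field]).lower()
    for want in (wanted if isinstance(wanted, list) else [wanted]):
        want = str(want).lower()
        if modifier == "" and actual == want:
            return True
        if modifier == "contains" and want in actual:
            return True
        if modifier == "startswith" and actual.startswith(want):
            return True
        if modifier == "endswith" and actual.endswith(want):
            return True
    return False


def _block_matches(block, event) -> bool:
    return all(_field_matches(k, v, event) for k, v in block.items())


def rule_matches(rule, event) -> bool:
    """'selection and not filter': the logsource and every selection* block
    must match and no filter* block may match."""
    if not _block_matches(rule.get("logsource", {}), event):
        return False
    det = rule["detection"]
    selections = [v for k, v in det.items() if k.startswith("selection")]
    filters = [v for k, v in det.items() if k.startswith("filter")]
    return (all(_block_matches(b, event) for b in selections)
            and not any(_block_matches(b, event) for b in filters))


def run(rules, events):
    """Return (record number, level, title) per hit: the shape a timeline row
    in a CSV/JSONL export would carry."""
    return [(e["RecordNumber"], r["level"], r["title"])
            for e in events for r in rules if rule_matches(r, e)]


if __name__ == "__main__":
    for hit in run([RULE], EVENTS):
        print(hit)
```

Record 102 misses because the parent is cmd.exe, 103 is suppressed by the filter, and 104 is the wrong channel; only 101 is reported. The value of the community rule set is that these field names, modifiers and filters are already written and reviewed, so the environment scales by adding rules rather than by each analyst learning every artifact.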

14:30 - 14:45

Break

14:45 - 15:15

Ryan Williams

In the tempestuous world of cyber, D8RH8R emerges as a figure both mysterious and magnetic. Once a denizen of the pulsating rhythms of the music scene, fate’s capricious hand redirected his course towards the digital frontier. From the wreckage of his former life, Ryan now found sanctuary in the familiar cadence of code, fashioning tools for the maliciously minded. His skills honed in the crucible of dial up and BBS’s. His odyssey, a tapestry woven with threads of intrigue and peril, commenced with a childhood dalliance with BASIC and the hypnotic allure of Mandelbrot code. It was then, in the tender throes of youth, that Ryan’s obsession with ones and zeros ignited, propelling him towards a destiny writ in binary. Fueled by an unquenchable thirst for enlightenment and an unyielding urge to share his revelations, Ryan birthed HVCK into existence. With a legion of devotees in tow, HVCK stands as a bastion of unvarnished truth, unencumbered by the shackles of commercialism. As he delves deeper into the murky depths of cyberspace, one truth becomes irrefutable: his journey has only just begun, and the path ahead promises to be as treacherous as it is tantalizing.

Simboxes & Scams: The long road to SS7

The primary focus of this discussion is the unauthorized utilization of sim boxes, also known as SIM banks, the long-line trawlers of smishing campaigns globally. Those we see arrested for sim box crime are just the tip of a very well organised and technically capable iceberg. Join me for a whirlwind tour of the code, the creeps and the compulsion to unlock the mysteries of SS7 that led me to my discoveries.

15:15 - 15:45

Dennis Kengo Oka

Dr. Dennis Kengo Oka is a cybersecurity expert with more than 15 years of global experience in the automotive industry. He received his Ph.D. in automotive security focusing on solutions for the connected car. As a Senior Principal Automotive Security Strategist and Executive Advisor at Synopsys, he focuses on security solutions for the automotive software development lifecycle and supply chain. Dennis has over 70 publications consisting of conference papers, journal articles and books, and is a frequent public speaker at international automotive and cybersecurity conferences and events. His latest published book is “Building Secure Cars: Assuring the Automotive Software Development Lifecycle” (Wiley, 2021).

Evaluating Cybersecurity Risks for AI and SDV in the Automotive Industry

The automotive industry is currently going through a transformation with the introduction of new technologies such as AI and SDV (software-defined vehicles). Vehicles are becoming smarter, automakers are developing their own OS and applications, and working with suppliers to integrate complex software into these smart software-driven vehicles using more AI technologies. For example, VW recently announced that they are integrating ChatGPT into their vehicles.

With more AI technologies adopted in the automotive industry, there are new emerging threats that need to be considered. To better understand some of these threats, OWASP published the “Top 10 for Large Language Model Applications” describing various threats against LLM (Large Language Model).

In this presentation, we will cover the following. We have analyzed a number of cybersecurity challenges for AI and SDV, focusing on specific use cases in the automotive industry. We have also performed an evaluation of the risks of these threats against SDV based on the generic OWASP Top 10 for LLM. The evaluation is based on Common Vulnerability Scoring System (CVSS) and mapped towards example use cases for SDV. The results from the evaluation can be used to help automotive organizations to prioritize how to address these risks.

15:45 - 16:15

CK, Chung-Kuan Chen

Chung-Kuan Chen is currently the security research director at CyCraft, responsible for organizing the research team, and Adjunct Assistant Professor at Soochow University, Taiwan. He earned his Ph.D. in Computer Science and Engineering from National Chiao Tung University (NCTU). His research focuses on cyber attack and defense, machine learning, software vulnerability, malware and program analysis. He tries to utilize machine learning to assist malware analysis and threat hunting, and to build automatic attack and defense systems. He has published several academic journal and conference papers, and has been involved in many large research projects from digital forensics and incident response to malware analysis. He is also dedicated to security education. As founder of the NCTU hacker research clubs, he trained students to participate in world-class security contests, and has experience participating in DEF CON CTF (2016 in HITCON Team and 2018 as coach of the BFS team). He organized the BambooFox Team to join some bug bounty projects and discovered some CVEs in COTS software and several vulnerabilities in campus websites. Besides, he has given technical presentations at conferences such as BlackHat, HITCON, CHITB, RootCon, CodeBlue, FIRST and VXCON. As an active member of the Taiwan security community, he is the chairman of the HITCON review committee as well as director of the Association of Hackers in Taiwan, and a member of CHROOT, the top private hacker group in Taiwan.

Make CTI Cockpit via Language Model

The management of cyber threat intelligence (CTI) is a complex and challenging process due to the large quantity of unstructured data and the need for automated analysis. The emergence of natural language processing (NLP) techniques, particularly with the introduction of ChatGPT and other language models, has the potential to revolutionize CTI processing. In the first part of the presentation, we will introduce the foundations of language models to understand their capabilities.

Afterwards, we will share our experience in developing ML-based tools across the whole CTI workflow, which generally consists of four key steps: collection and categorization, analysis, normalization, and report generation. NLP techniques such as Topic Modeling, the SecBERT language model, Named Entity Recognition (NER), and ChatGPT can be leveraged to streamline these processes, from identifying and prioritizing relevant threats to extracting key information from CTI feeds and generating summary reports. Furthermore, efforts have been made to develop CTI2STIX and CTI2MITREATT&CK tools to convert unstructured threat reports into structured, universally accepted formats such as STIX and MITRE ATT&CK. These tools contribute to seamless information exchange and standardization within the cybersecurity domain. Additionally, in the context of addressing phishing attacks, a system and procedure for early detection using multiple open-source intelligence (OSINT) sources has been developed. This system involves phases of monitoring, rapid triage, investigation, and tracking to identify and assign phishing scores to domains, leveraging machine learning algorithms and public language models.

While machine learning and language models hold great potential in the field of security, we will conclude the presentation by summarizing the good, the bad and the ugly of integrating AI into our daily operations.

16:15 - 16:30

Break

16:30 - 17:00

Mars Cheng

Mars Cheng leads TXOne Networks’ PSIRT and Threat Research Team as their Threat Research Manager, coordinating product security initiatives and threat research efforts. He also holds the position of Executive Director for the Association of Hackers in Taiwan, facilitating collaboration between enterprises and the government to bolster the cybersecurity landscape. Additionally, Mars serves as a Cybersecurity Auditor for the Taiwan Government. His expertise spans ICS/SCADA systems, malware analysis, threat intelligence and hunting, and enterprise security. Mars has made significant contributions to the cybersecurity community, including authoring more than ten CVE-IDs and publishing in three SCI journals on applied cryptography. Mars is a frequent speaker and trainer at numerous prestigious international cybersecurity conferences, including Black Hat USA/Europe/MEA, RSA Conference, DEF CON, CODE BLUE, SecTor, Troopers, FIRST, HITB, ICS Cyber Security Conference Asia and USA, HITCON, NoHat, ROOTCON, SINCON, CYBERSEC, and many others. He is instrumental as the General Coordinator for the HITCON CISO Summit 2024. He has successfully organized several past HITCON events, including HITCON CISO Summit 2023, HITCON PEACE 2022, HITCON 2021, and HITCON 2020, demonstrating his commitment to advancing the field of cybersecurity.

Anatomy of the Top 10 Cybersecurity Current Terrain for Critical Infrastructure for 2024

In recent years, new types of attacks targeting critical infrastructure have emerged one after another. Although the definitions of critical infrastructure vary from country to country, most of them cover industries such as oil, gas, hydropower, and manufacturing. However, the norms, enhancements, and pain points of cybersecurity for critical infrastructure and industrial control systems in various countries are roughly the same. In this session, we will share our conclusions after an in-depth analysis and investigation of global critical infrastructure companies. We will present the top ten cybersecurity statuses and dilemmas and detailed descriptions to help the audience understand the overall status and ways to overcome these dilemmas and build a secure critical infrastructure environment.

17:00 - 17:30

Hirokazu Yoshida

Member of Security-JAWS, the security chapter of the Japan AWS User Group

My life’s work is to realize security that can be implemented and operated, and I am active in information dissemination and community activities on a daily basis.

I usually work as a security engineer at Cloud Native Corporation, consulting mainly for the information systems sector.


Introduction of the AWS Security Best Practices Usage Survey Report

While there are many security best practices published by AWS, we often hear from users asking for security best practices when implementing business workloads in an AWS environment.

The Japan AWS User Group’s security chapter, Security-JAWS, conducted a survey of people in Japan (regardless of industry, job title, position, company size, or employment status) who are involved in some way with AWS for their own business operations, to find out how AWS security best practices are being used. The results of the survey were presented in the form of a questionnaire.

In this session, we will present the results of the survey and the results of a similar survey conducted in Korea.

17:30 - 18:00

Closing remarks

18:00 - 20:00

After Party