Enhanced digital information technology increases the demand of data from corporations in recent years.  However, new-borned cyber threats have made cybersecurity as a critical topic that cannot be ignored by business and IT leader. Through case studies of security incidents, we will explore the evolution of cybercrime versus cybersecurity solution. Show you the business impact and how corporations could respond to the cyber attacks.

Today, enterprises are facing various cybersecurity threats. Their intranet environments, company-managed PCs or portable devices may be hacked and even become perpetrators. Therefore, there is no boundary for protection, and the zero-trust management model is imperative. 

Recently, many social networking sites, including Twitter, have been hacked repeatedly. Further than that, celebrities, politicians and well-known organizations have also become victims. Although the IoT era has brought a lot of convenience,  but numerous IoT devices have created greater challenges for internet security. Evidently, traditional manual and passive monitoring software can no longer prevent network vulnerabilities. What enterprises need is network architecture with artificial intelligence (AI) and awareness. Aruba ESP (Edge Services Platform) transforms information into knowledge at the Edge, improves the efficiency of IT personnel using AI, redefines the information security model with exclusive role-based access technology, dynamic segmentation and role-based intrusion detection, and achieves seemingly impossible information security missions with zero-trust network security protection! 

Join this session to learn about our full spectrum of security solutions including service provider network security to support IoT in the age of 5G; Zero-touch DDoS protection with Intelligent Automation; comprehensive SSL visibility into encrypted traffic; and the latest approaches to build agile multi-cloud deployments with secure application services across public, private, hybrid and containerized environments. Gain the centralized visibility, analytics and automation needed to protect your business and drive IT agility.

To achieve proper security, corporations are contingent on the proper cybersecurity strategy. However, common predicaments of cybersecurity strategies are the ambiguity, the difficulty to put into practice, and its divorce from reality. In addition to being difficult to help enterprises mitigate the threat of cybersecurity, it is also impossible to achieve results with a limited budget.
 Developing a cybersecurity strategy is difficult, but with a reference framework, you can do more with less, such as NIST, Cybersecurity Framework (CSF), MITRE ATT&CK, CIS and so on. What are all these frameworks? What are the relationships between them? How can we make wise choices to avoid being reduced to armchair strategies? In the face of real threats, how can we mitigate a series of weak links from a more comprehensive perspective?
We look forward to helping companies understand how to set cybersecurity strategies through this track. Choosing a suitable framework project can help set clearer and more defined goals of each stage, providing companies with a more concrete process of promoting cybersecurity practices while also correctly responding to the real threats.

在數位化潮流的衝擊之下，「數位轉型」是現代企業一定要不能忽視，不然，可能在這個巨大的改變大浪下，被競爭者取代或是逐漸衰敗。而在漫長的轉型過程當中，資料如何上雲並且安全，讓雲端各種運用可以安全存取或是連結內部各式資料庫（ERP，ERP，BI 或是其他數據源）則是數位轉型成功與否的重要基礎。除此之外，敏感機密資料需要與外部分享，如何安全分享機密敏感資料符合法規（PCI-DSSG，PDR，HIPPA，ISO27001...）並免資料外洩所造成的巨大賠款與傷癒損失，兩者缺一不可，本議程將說明如何將結構化資料（Database）跟非結構性資料（File）安全上雲，協助您成功數位轉型。

Insider policy violations are a major risk for all companies and can easily go undetected until it is too late. Proactively managing these risks can provide you with a game-changing advantage. Gain an understanding of what these risks are and how to gain visibility into and remediate insider policy violations and data leakage.

In last year's session "Build a strong and easy-to-use mobile app security product", we introduced some approaches to implementing packing service (or packer). Today, more and more Android developers use packers to protect their source code against being reverse-engineered or modified. However, the packing techniques are usually used by malware to prevent detection or analysis by anti-virus. Although there are already many unpacking approaches, they all need to be carried out on rooted or custom ROM devices. Moreover, many packers crash apps on rooted or custom ROM devices to prevent unpacking.
 
In this session, we will propose a novel unpacking approach. We will start by implementing a virtual space with the capacity of unpacking packers on non-rooted and factory ROM devices, and then launch samples that are packed by a commercial packer in the virtual space. Finally, the virtual space will unpack sample apps packed by the packer, and recover all protected Dex files.

Today, we are facing diverse, fast-changing and evolving threats. Hackers are trying to avoid being detected with methods such as changing the seed of the algorithm and switching between IPs and domains. It is important that we use threat intelligence to detect latest threats and defend them. Quad9 is a DNS platform that provides users security protection, high performance and privacy. Quad9 systems are distributed worldwide in more than 145 locations in 88 nations, with 160 locations on deck for 2019. Quad9 data can reflect the global threat changing thanks to the wide distribution and large scale of Quad9 system. With our machine learning and deep learning models, we can find valuable and actionable threat intelligence from Quad9 data. For example, we leverage the timestamp features of Quad9 data to do volumetric analysis and found that some malware campaigns have similar trend. The result can enrich our threat intelligence and help us defend more attacks. We'll deliver a session and share the AI technique we used, and the result we got. 
Hence

While machine learning is becoming more and more important in security applications, many research already concentrates on this topic. However, many research and presentations only cover high level concept, lack of implementation. In this talk, we start from implementation as the main part, covering the implementation and problems encountered in the past while developing ML systems. The application leverage from malware analysis, APT investigation and network flow analysis. Afterwards, the whole ML cycle, data collection, data sanitization, feature selection and model tuning, will be explained. In the end, the common limitation and challenge of ML will be mentioned.

With a growing trend of AI, security analysts develop AI/ML models to detect threats, but hackers can also leverage machine learning techniques to generate adversarial examples to bypass our detection. For example, a special server certificate to fool the AI/ML system which can identify suspicious certificates. Many adversarial attacks have been proposed and proved to be effective for different machine learning models. The accuracy of machine learning models can drop from 90% to 50% (worse than random guess) after adversarial attacks. Our environment is at risk if the system can't detect those adversarial examples. With the help of adversarial training and detecting, we can train our system to detect adversarial malware and protect our environment. We'll deliver a session to showcase different types of adversarial attacks that hackers can use in the real-world to bypass our system and the countermeasures we can use against it.

Recent employees steal valuable assets within organizations, e.g. source code, to gain huge profits. Researches and development results become profitable to other competitors. 
However, few people with some techniques and skills to steal data often hard to discover.
Organizations need to equip themselves with the right knowledge and tools to defend against this growing threat type.
This session will show four techniques to avoid security system control: 

1.Encoding 
Introduce how to hide the original confidential information by coding or encryption technology to avoid audit and surveillance analysis.

2.Steganography 
Live Demo (a) Text (b) Picture (c) Image (d) Sound (e) ADS steganography and tool. 

3. Stealth Device
Use special devices as a Carrier to steal data, such as Raspberry Pi W Simulated NIC, Teensy Simulated keyboard execute scripts, screen captures Spy device...etc. 

4. Obfuscation
Use Obfuscated command of CMD & PowerShell. Penetrating hidden intentions and Avoid the regulatory environment within the company

FineArt focus on the avoidance behavior of Insider threat. Remind your organization to pay more attention to insider data theft risk.

In the research area of computer security, the method to recover key materials by analyzing the information leaked during cryptographic operation on hardware platforms is called Side-Channel Analysis (SCA). In the past two decades, both analysis and defense techniques have been increasing day by day; even hardware products with Secure Element (SE) are facing serious threats and adversaries.

The number of email scams and phishings is soaring in recent years. According to the FBI 2019 Internet Crime Report, they received over 114 thousand phishing events, which is the most frequently reported event. More, The email scam has been a major concern for years, which resulted in more than $1.7 billion in losses. Because the criminals rapidly change their fraud methods, it is getting harder and harder for victims to spot the red flags and tell real from fake. This situation is also challenging the traditional rule-based method, which is labeling by the expert.
This sharing will introduce the Fraud Buster, using artificial intelligence technologies and Trend Micro’s extensive database. Fraud Buster can make you easily avoid email scams, phishings, and frauds.

APT groups always try to hide and be persistent inside their target environment. Although MITRE ATT&CK matrix try to collect knowledge of all adversary tactics and techniques, new techniques or skills will still show up. Recently, we found a new technique are being utilized in multiple operation and APT groups, including BlackTech, WINNTI and Operation ShadowHammer. Once while doing incident response, we found typing special URL path can trigger invisible webshell backdoor in the windows webserver without leaving any logs. The way this attack used let it hard to detect since it does not need to leave file inside webserver, it doesn’t have its own process and no log will be created. This kind of webshell backdoor can be used in any windows platform even if it doesn’t have webserver installed.

In this presentation we will show up the complete attack of this kind of backdoor cases, threat indicators, victims and disaster assessment.
What kind of technique or special windows API they used to achieve fileless, logless, processless webshell?
What should we do when doing incident response with this kind of invisible webshell?
And furthermore, we also using some windows undocumented API to build a new tool trying to catch up this kind of backdoor from memory while doing incident response.

Deep Neural Networks (DNN) have been widely deployed for a variety of tasks across many disciplines, for example, image processing, natural language processing, and voice recognition. However, creating a successful DNN model depends on the availability of huge amounts of data as well as enormous computing power, and the model training is often an arduously slow process. This presents a large barrier to those interested in utilizing a DNN. To meet the demands of users who may not have sufficient resources, cloud-based deep learning services arose as a cost-effective and flexible solution allowing users to complete their machine learning (ML) tasks efficiently. Machine Learning as a Service (MLaaS) platform providers may spend great effort collecting data and training models, and thus want to keep them proprietary. The DNN models of MLaaS platforms can only be used as web-based API interface and thus is isolated from users. In this work, we develop a novel type of attack that allows the adversary to easily extract the large-scale DNN models from various cloud-based MLaaS platforms, which are hosted by Microsoft, Face++, IBM, Google and Clarifai.

This presentation provides an analysis of the APT attacks that have occurred during the past two years on the semiconductor industry. Our research shows that the majority of these attacks were concentrated on the Taiwan semiconductor sector. This is worthy of concern, as Taiwan’s semiconductor industry plays a very crucial role in the world. Even a small disruption in the supply chain could have a serious ripple effect throughout the entire industry. Surprisingly, up until now, there has been less coverage on these attacks. In this presentation, we seek to shed light on the threat actors and campaigns of these attacks, where they are collectively referred to as Operation SemiChimera (a.k.a. Skeleton). Additionally, we provide a brief overview of the current information security status of Taiwan’s semiconductor industry.

Between 2018 and 2019, we discovered several attacks on various semiconductor vendors located at the Hsinchu Science-based Industrial Park in Taiwan. As these attacks employed similar attack techniques and tactics, a pattern could be discerned from the malicious activities. From this pattern, we deduced that these attacks, which we dubbed Operation SemiChimera, were actually conducted by the same threat actor. The main objective of these attacks appeared to be stealing intelligence, specifically documents about IC chips, software development kits (SDKs), IC designs, the source code, etc. If such documents are successfully stolen, the impact can be devastating. The motive behind these attacks likely stems from competitors or even countries seeking to gain a competitive advantage over rivals. Since the similar techniques and tactics to previous attack activities, we suspect the attacker is China-based hacker group.

We thus hope that this presentation will help semiconductor companies gain a better understanding of the dangers from such attacks. Additionally, as we have worked with several of the semiconductor vendors to improve their cyber security, we wish to share this valuable experience, and highlight the current challenges facing the entire industry.

Being the highest market share smartphone manufacturer, Samsung conducts a series of protection on Android called Knox Platform to ensure the security of its smartphones. During the booting process, Samsung uses S-boot (Secure Boot) to make sure it can only boot a stocked image. If the device tries to boot a custom image, it will trip a one-time programmable bit e-fuse (a.k.a Knox bit). Once a trustzone app (trustlet) detects the Knox bit tripped, it will delete the encryption key for the sensitive data to prevent unauthorized data access to the locked phone.

In this presentation, we’ll present several vulnerabilities we found in S-Boot that are related to USB request handling. By exploiting these vulnerabilities, we’re allowed to bypass the mitigation of S-boot through the USB device and obtain code execution in early boot stage. In other words, as long as we have the phone (whether locked or not) and an USB-C connector, we’ll be able to boot a custom image without tripping the Knox bit, allowing us to retrieve sensitive data from a locked device.

We will also describe how we discover and exploit the vulnerabilities in details, demonstrate the exploit on a Samsung Galaxy S10 smartphone and discuss the possible impact of these vulnerabilities.

Strategic Plan of National Cyber Security Program (Draft) (2021 to 2024)

Industry Develop program of Cyber Security

Understand the SOAR (Security Orchestration, Automation and Response) and get to know and practice the incident response

Nowadays, the ever-changing hacking techniques makes analysis more challenging. However, be it just or evil, everything is traceable on the Internet. With years of practical experiences, the cyber security consultant from CHT Security will talk about the latest attacking techniques and countermeasures, in the meantime introducing powerful network forensics tools to guide you in search of any malicious activity throughout the interconnected computer networks and of the root cause, and eventually block hackers from intruding.

Cyber attacks on companies are becoming more common and sophisticated. In response, the National Institute of Standards and Technology (NIST) is updating their policy framework to address this new trend. The standard cyber security model is shifting from cyber security (securing the system from being hacked) to cyber resilience (being able to quickly pinpoint the root cause and recover from the breach).  Companies are increasingly concentrating their efforts in being able to quickly recover and resume operations in the event of an attack. 
In this course, you will learn blue-team tactics and strategies. The tools and processes on how to monitor, hunt, and investigate cyber threats will be introduced. Several cyber intrusion cases will be used to explain how a digital forensic investigation is conducted to delineate the storyline of breach. Through these cases, you will understand the tactics, techniques, and procedures that a hacker uses, and utilize this knowledge to better identify indicators of compromise and suspicious behavior. There will be hands-on exercises to walk you through different cyber attack cases. Through these exercises, you will understand the inner workings of hackers and have a better idea on how to conduct high-quality analysis of future cyber attacks. 

Nowadays, the ever-changing hacking techniques makes analysis more challenging. However, be it just or evil, everything is traceable on the Internet. With years of practical experiences, the cyber security consultant from CHT Security will talk about the latest attacking techniques and countermeasures, in the meantime introducing powerful network forensics tools to guide you in search of any malicious activity throughout the interconnected computer networks and of the root cause, and eventually block hackers from intruding.

Cyber attacks on companies are becoming more common and sophisticated. In response, the National Institute of Standards and Technology (NIST) is updating their policy framework to address this new trend. The standard cyber security model is shifting from cyber security (securing the system from being hacked) to cyber resilience (being able to quickly pinpoint the root cause and recover from the breach).  Companies are increasingly concentrating their efforts in being able to quickly recover and resume operations in the event of an attack. 
In this course, you will learn blue-team tactics and strategies. The tools and processes on how to monitor, hunt, and investigate cyber threats will be introduced. Several cyber intrusion cases will be used to explain how a digital forensic investigation is conducted to delineate the storyline of breach. Through these cases, you will understand the tactics, techniques, and procedures that a hacker uses, and utilize this knowledge to better identify indicators of compromise and suspicious behavior. There will be hands-on exercises to walk you through different cyber attack cases. Through these exercises, you will understand the inner workings of hackers and have a better idea on how to conduct high-quality analysis of future cyber attacks. 

Vitaly has been involved in research at Kaspersky since 2005. In 2008, he was appointed Senior Antivirus Expert, before becoming  Director of the EEMEA Research Center in 2009. In 2014 he was seconded to INTERPOL, where for two years he worked in the Digital Crime Center, specializing in malware reverse engineering, digital forensics and cybercrime investigation. Currently Vitaly is based in Singapore and is leading a team of APAC threat researchers focused on targeted attacks investigation. He is the author of Kaspersky’s first open-source project, a remote digital forensics tool called Bitscout, made available on Github.
Vitaly has presented at many international security conferences as well as multiple invite-only security events. He is a trainer in malware analysis, YARA for malware hunters, and remote digital forensics.

Facing the trend of digital transformation, the SEMI industrial control system has been connected with the IT environment and suffers both IT and OT security threats. According to this situation, the semiconductor manufacturing requires lots of efforts to mitigate potential cyber security risks.

Therefore, a SEMI taskforce is developiing the standard of fab equipment computer cyber security specification. Equipment suppliers and their upstream suppliers will benefit from this standard to evaluate whether their products and services can provide the functional security capability to improve the security level of fab equipment and imporve cyber security of semi manufacturing environment.

Who produce disinformation, and who disseminate it? Who are the target audience of disinformation?

Nowsdays there are many bias in news media articles, for example, subjectivity, incompleteness, etc., which may result from different reasons such as investors' background, so such content may dramatically bias the readers' values and perspectives. With the increasing trend of AI technologies, Islander focuses on utilize the capability of understanding natural language for news articles in order to automatically analyze topics, objectivity, completeness in the real-time manner, and it can further help readers better know the standpoints and purposes behind the news media and then may make complete information more accessible in terms of fighting for information wars.

1.Vaccine/Antidote and Tracing of Disinformation/Hackers
2.Pandemics and Contagion of Online Information
3.Immunization and the Limits of Influence Campaign
4.Autoimmune Disease and Democratic Societal Polarization/Resilience

In recent years, global financial technology has flourished. Emerging technologies have become integral to the innovation of financial services in the financial industry. To improve the overall health of the financial industry as well as protect the privacy and security of customers, major national financial service institutions around the world have been actively strengthening their cybersecurity strategies. 
Financial industry cybersecurity management in Taiwan have been established for several years now. However, cyber attackers have become increasingly globalized and sophisticated, so financial cyber defense strategies must be reevaluated. In other words, we must rethink our strategy to emphasize risk management, situational security, incident prevention through system analysis, and development of an organizational culture that values security. At present, the financial industry cybersecurity policy supports both financial and security supervision, the establishment of a dedicated unit for security and investments, comprehensive financial security regulations, the hardening of financial security audits, and other measures that strengthen financial security. 
 

全球數位轉型投資將於 2023 年達到 $2.3 兆美金，每年資金投入成長率約 17%，數位轉型是企業強化競爭力的關鍵戰略，大量使用資通訊技術、物聯網技術、大數據分析、AI、社群媒體、Fintech 等關鍵技術來達到企業突破成長的目的，不同的行業在進行轉型過程中同時也面臨新型態的資安威脅及挑戰，例如：德國鋼鐵廠鍋爐受駭導致失控損毀等。
中華資安國際將從企業數位轉型面臨的資安風險，以及協助客戶處理資安事件的案例，分享企業在面臨威脅無法控制的情況下如何降低風險，以及分享建立零信任架構的資安思維，以及參考 NIST 國際資安框架，如何建立及實施資安治理制度。

Open API has  become the main interface standard for various enterprise application systems, which makes its security more prominent. This talk will introduce how to design and formulate secure enterprise Open API specifications from the perspective of Open API Specification (OAS) from the very beginning and the positive security model. 

As the Financial Supervisory Commission has been strongly promoting information security in recent years, the finance industry has been placing an increased focus on ISAC, CERT, and SOC. This agenda sheds light on the practices of intelligence sharing, incident response, and daily monitoring of a financial organization through the following three perspectives:
1. Team play between the blue team and the red team
2. AI's role in security defense
3. Use Case: MITRE ATT&CK® framework
4. (Introducing MITRE ATT&CK® inspired board game created by CyCraft!)

On Sep 14, 2019, PSD2 took effect in the European Union.  The talk is an introduction to our ongoing study: What has changed?  What was brought by open banking and 3rd party FinTech apps?  Is there an impact to privacy and cybersecurity to trust a 3rd party app?

Let's review the most worth noting Windows malwares in 2019! This comprehensible talk will lead companies to understand the attacker's thinking through several important and highly discussed samples, and observe trends from individual cases to discuss their malicious behavior and Tactics, Techniques and Procedures ( TTP), allowing companies to quickly digest malware cases occurred in last year.

As we live in a world where billions of IoT devices are connected to the Internet, there are streams of news articles that depict damages caused by malware and other threats that target such devices. While there are some things that users can do to prevent such damages, consumers expect manufacturers to consider security as part of the product design in the development lifecycle.  Panasonic, being a device manufacturer is able to collect information on these threats by connecting our own devices in the development / pre-shipment phases to a honeypot that we have developed. Since its deployment, Panasonic has been able to find 179 million attack cases and 25 thousand malware samples, of which 4,800 were unique samples targeting IoT. 20% of the samples were new and hashes for them did not exist when querying Virustotal. We have developed a system where information being collected through the honeypot is sent to a Sandbox for automated analysis, to address our concern for having a limited number of security experts. What this system allows Panasonic to do is collect "malware targeting/exploiting Pansonic IoT devices" for quicker remediation, in addition to "popular malware" targeting a wide-range of IoT devices.  In this session, we will discuss the details of this project and share some analysis of malware that have been collected. By leveraging this information, Panasonic aims to develop products that are resilient to malware. In addition, we are looking for ways to use this threat and remediation information to develop an IoT SOC.

Cybersecurity issues concerning commercially available IoT and embedded systems have impeded the implementation of numerous business proposals. With Linux occupying a significant place in the embedded system, the question as to how economical cybersecurity solutions can be achieved under engineering and commercial considerations (e.g., technologies, resources, and certification requirements) warrants further investigation. Contrary to the traditional cybersecurity solutions of developing antivirus software, we promote Taiwan’s own SELinux from the perspective of open source technologies and share the team’s major transformation and the derived benefits.

The Linux operating system is used in various platforms such as servers, embedded platforms, and IoT devices. For these platforms, it's vital to keep Linux kernel up-to-date; otherwise, it's risky even though we have a secure design in user application.

In this presentation, SZ Lin will not only analysis the status and trends of CVEs in Linux kernel during these years, but also share the information from the upstream community.

In addition, he will also introduce the tools to check the CVE status of specific kernel, and share the experiences in patching kernel. Collaboration with the community makes Linux kernel more secure.

Synology's Product Security Incident Response Team (PSIRT) is responsible for reacting to Synology's product security incidents. In this presentation, we will introduce how we embrace the CVE (Common Vulnerabilities and Exposures) ecosystem, how we collaborate with international organizations, and how we design and implement the SBoM (Software Bill of Materials) for automation and day-to-day incident response.

This talk will first explain "Why should vehicle communication take standard rather than blackbox?", then discuss some past works & current researches of attack vectors on car security. After realizing that every new feature will bring new security issue, we will take a deep dive into the protocol which AGL try to assign as standard between endpoint vehicle and vendor factory ─ OMA DM, than a simple Demo to emphasize how important we should reinforce these protocol weaknesses.

Is true that there're backdoors for drones and communication system? Are drones vulnerable to be hacked? The new regulations are on the road by March 31 2020, is your drone safe? How many backdoors does a drone which made in China has?

Let's explore the technical vulnerabilities and regulations by real case studies. From GPS attacks, communication attacks, original hardware factory production and test instructions, to how does the modify ban and the height issues effect the DJI drones?

What could we learn from the flight safety incident at Taoyuan Airport on December 31 2019 for the drones safety?

Isn't Taipei 101 New Year's Eve banning drones? But how many rogue drones are flying?

This session will comprehensively analyze the drone security, real hacking methods, log analysis and drones tracking. 

As 5G commercialization gradually becomes a reality, the importance of mobile communication security has gradually emerged. However, the research on mobile communication security has quite high threshold. For the general users, the mobile Internet is magic. Turn on your phone and pay the monthly fee to connect to the Internet. For researchers, analyzing and testing this Magic is a big challenge either. Despite the growth of open source telecommunications related projects, security research on telecommunications issues still need more preparation than others. This agenda will share how we have overcome limitations and obstacles in communications security research.

- Case Study: Cyber incidents of OT (Operation Technology) environments
- Challenge of security protection in ICS (Industrial Control System) applications
- Comprehensive cybersecurity strategy for OT industries
- Overview for ICS/OT Cybersecurity Framework
- Best practices and use cases of ICS/OT Cybersecurity Framework

1. OT attack scenario at continuous process and discrete manufacturing  

2. Factory, shopfloor, and equipment can be protected and prevented from early prevention and insight 

The notorious WannaCry, a ransomware that was not developed and targeting the OT environment but caused many factories and critical infrastructure to shut down, which also made ICS information security issues a major concern for enterprise and factory management. ICS cybersecurity management is different from general IT information security management; In the ICS world;  “Availability” is always the first priority in any consideration.  This agenda is sharing the experience and knowledge of how TXOne helping factories recover after they got the hit by WannaCry and how to keep the “Availability” as the principle by using Micromanagement and Cell Segregation method, and further transform that recovery methods into ICS cybersecurity countermeasures.