🎉議程介紹文🎉 這次即將將帶大家來看的議程有
✨Your Printer is not your Printer ! - Hacking Printers at Pwn2Own
✨Introduction to decentralized online identities and how to implement it wrong
✨Pain Pickle:系統化地繞過 Restricted Unpickler
✨如何幫你(不)發射飛彈
想更加了解今年還有哪些議程嗎🔎
我們將與大家一同來搶先看更多精彩議程,請務必鎖定粉絲專頁👀
—
🔥 趕緊購票一起來參與這場年度盛會 🔥
HITCON PEACE 2022
▌日期:2022.08.19 (五) - 2022.08.20 (六)
▌地點:南港展覽館 2 館 7 樓
▌購票連結:https://hitcon.kktix.cc/events/hitcon-peace-2022
🎉 We're announcing part 1 of our sessions sneak peek! 🎉
✨Your Printer is not your Printer ! - Hacking Printers at Pwn2Own
✨Introduction to decentralized online identities and how to implement it wrong
✨Pain Pickle: Systemically bypassing restricted unpickle
✨Disrupting factories, missile bases and warships - Exploration into DDS protocol implementations
Do you want to know more about HITCON 2022's sessions? 🔎
We will be announcing them in upcoming weeks. Make sure to subscribe to our page. 👀
—
🔥Book your tickets to join this grand annual event🔥
HITCON PEACE 2022
▌Time:August 19-20 2022
▌Location:Online/Onsite in Taipei Nangang Exhibition Center, Hall 2, 7F, Taiwan
▌Ticket:https://hitcon.kktix.cc/events/hitcon-peace-2022
【 HITCON PEACE 2022 Agenda|IoT and IIoT Security 】
▍Your Printer is not your Printer ! - Hacking Printers at Pwn2Own
越方便的東西越危險,漏洞就在你身邊
過去印表機只有單純的傳真、列印功能,想要開始使用這些功能,還得接實體線路、安裝廠商的驅動程式,相當地費工
近年來的印表機,為了更加方便大家的使用,因此在網路中實作「隨插即用」的功能,而這多半仰賴 SLP 及 LLMNR 等協定
只要將裝置連上區域網路,我們在網路中的電腦就能馬上發現它;其中執行的作業系統也並非大家所常見的 Linux、Windows,而是使用 RTOS (Real-Time Operating System) 這個為管理 CPU 時間相關應用所開發的軟體
但廠商在實作這些協定時,真的安全嗎?會不會其實是替攻擊者開啟另一道大門呢?
本場議程,將帶大家來看如何從印表機的韌體分析到取得控制權,並且於此首次揭露在 Pwn2Own 2021 Mobile時所利用的漏洞
對於 IoT、嵌入式系統安全有興趣的你千萬不可錯過!
官網議程連結➡️ https://hitcon.org/2022/sessions/704bf58c-c42b-4593-97c0-9aba91caa6e4
▍Your Printer is not your Printer ! - Hacking Printers at Pwn2Own With great convenience comes great vulnerabilities! Once upon a time, when printers were still dumb machines, and take tremendous efforts to set up - to start using it, you'll need to connect it physically to a computer and install its propietary driver. In recent years, vendors came up with ways to implement "plug-n-play" in printers to ease this effort - and they relied on protocols such as SLP and LLMNR. Connect any modern printers to your local network, and you're expected to work immediately. However, is this setup method really safe? Or does it introduce another attack vector? In this session, it will take you from analyzing firmwares from a printer to getting total control on it. Furthermore, it'll be disclosing exploits that were used on Pwn2Own 2021 for the first time. Make sure you don't miss this session if you are interested in the security of IoT and embedded devices. Link ➡️ https://hitcon.org/2022/sessions/704bf58c-c42b-4593-97c0-9aba91caa6e4
【 HITCON PEACE 2022 Agenda|Cyber Attack on Critical Infrastructure 】
▍Introduction to decentralized online identities and how to implement it wrong
常常有應用程式需要驗證使用者的證件訊息,並且將其與其他資訊進行連結,例如 IATA Travel Pass 這款由 IATA 推出,方便旅客與航空公司驗證 COVID-19 檢驗報告的 App
然而,這類驗證證件的功能在實作上非常容易遇到設計不良導致存在漏洞可讓攻擊者有機可趁
這場議程將以 IATA Travel Pass 為例,檢視 App 驗證證件時可能有哪些問題,尤其是透過 NFC 讀取護照訊息時。講者將會帶大家檢視設計這類型功能到底有哪些資安以及隱私方面的考量
對於會接觸這類型功能的會眾,或是單純對於整個證件讀取機制有興趣的會眾,千萬不要錯過這場議程!
官網議程連結 ➡️ https://hitcon.org/2022/sessions/cc1fcfdb-e998-4734-8780-6ac8f1f8a559
▍Introduction to decentralized online identities and how to implement it wrong
IATA Travel Pass, an application made by IATA, is one of the applications that is made to scan and validate an identity document. However, such cyber-physical interactions could have loopholes in their implementation and could then be abused.
This session will take a dive into IATA Travel Pass and introduce how such cyber-physical interaction with identification papers' flow could be flawed, especially while reading information from passports with NFC.
It will also introduce a common pattern of flaws in terms of privacy and vulnerability in these cyber-physical scenarios.
Make sure to check out this session if you're interested in how a phone application works with identity documents.
Link ➡️ https://hitcon.org/2022/sessions/cc1fcfdb-e998-4734-8780-6ac8f1f8a559
【 HITCON PEACE 2022 Agenda|Automated vulnerability discovery & malware research 】
▍Pain Pickle:系統化地繞過 Restricted Unpickler
如果你有在寫 Python,那你一定用過 Pickle – Python 這最常見的資料格式 但你知道 Pickle 背後其實是一個 Stack-based Virtual Machine 嗎?不只如此,每個 Pickle 檔存的並不是單純的資料,而是這個虛擬機的程式碼 這篇議程將帶觀眾們一窺 Pickle 背後的架構,並且檢視各個常見的 Python 專案,找出能夠透過 Pickle 攻擊的漏洞;更進一步地,作者將發表一套自己撰寫的工具,用於自動尋找 gadget 並且生成 Exploit Payload 有在接觸 Python,或是對 deserialization exploit 這個歷久不衰的議題有興趣的會眾,千萬別錯過這場議程!
官網議程連結 ➡️ https://hitcon.org/2022/sessions/1d967311-5fe0-4918-a147-fb12315454bb
▍Pain Pickle: Systemically bypassing restricted unpickle
pickle module - a Python module used in common for serialization and deserialization objects.
Do you know pickle's deserializer is actually a full-fledged stack-based virtual machine? Not only so, but pickle-files are not filled with simple data, it contains bytecodes for this virtual machine.
In this session, it will take you through ins-and-outs of the pickle module, and go through some of the most popular projects written in Python, finding ways to exploit it with the pickle module. Moreover, it'll be announcing an open source tool for finding gadgets and generating exploits automatically against pickles.
Make sure to follow this session if you're already familiar with Python, or you're interested in deserialization exploits.
Link ➡️ https://hitcon.org/2022/sessions/1d967311-5fe0-4918-a147-fb12315454bb
【 HITCON PEACE 2022 Agenda|IoT and IIoT Security 】
▍如何幫你(不)發射飛彈
DDS (Data Distribution Service) 是一套廣泛用於交通、軍事以及醫療等大型設施應用上的標準,而許多使用 DDS 的設備在實作時存在不少問題導致漏洞的產生 在這場議程中講者將帶大家從 0 開始地了解 DDS,並知道如何在這類設備中挖掘 DDS 的漏洞、且著重在漏洞挖掘的技巧以及相關細節 此外,講者也曾於 Black Hat 2021 分享同一主題,但本年度將於 HITCON 中首度展示當時無法揭露的漏洞細節!
想要了解各種硬體 / 嵌入式設備漏洞挖掘的會眾們千萬不要錯過這篇議程~
官網議程連結 ➡️ https://hitcon.org/2022/sessions/20e91240-ff96-4a61-9283-c58640c28279
▍Disrupting factories, missile bases and warships - Exploration into DDS protocol implementations
Link ➡️ https://hitcon.org/2022/sessions/20e91240-ff96-4a61-9283-c58640c28279
#HITCON #HITCON2022 #HITCON_PEACE_2022 #HITCON2022_AGENDA
No comments:
Post a Comment