Looking Back: 2023

Transcript

1. LOOKING BACK: 2023 OWASP SAITAMA MTG #17, TALK #1 Image

   by Abubakr Saeed on flickr, CC-BY 2.0

2. TEXT SESSION FLAGS ▸ ࿥ըɾ࿥Իɾެ։: OK Image by Nico Kaiser

   on flickr, CC-BY 2.0

3. TEXT WHO I AM ▸ Takahiro Yoshimura (@alterakey) https://keybase.io/alterakey ▸

   Monolith Works Inc. Co-founder, CTO Security researcher ▸ ໌࣏େֶαΠόʔηΩϡϦςΟݚڀॴ ٬һݚڀһ

4. TEXT WHAT I DO ▸ Security research and development ▸

   iOS/Android Apps →Financial, Games, IoT related, etc. (>200) →trueseeing: Non-decompiling Android Application Vulnerability Scanner [2017] ▸ Windows/Mac/Web/HTML5 Apps →POS, RAD tools etc. ▸ Network/Web penetration testing →PCI-DSS etc. ▸ Search engine reconnaissance (aka. Google Hacking) ▸ Whitebox testing ▸ Forensic analysis

5. TEXT WHAT I DO ▸ CTF ▸ Enemy10, Sutegoma2 ▸

   METI CTFCJ 2012 Qual.: Won ▸ METI CTFCJ 2012: 3rd ▸ DEF CON 21 CTF: 6th ▸ DEF CON 22 OpenCTF: 4th ▸ ൃදɾߨԋͳͲ DEF CON 25 Demo Labs (2017) DEF CON 27 AI Village (2019) CODE BLUE (2017, 2019) CYDEF (2020) etc. Image by Wiyre Media on flickr, CC-BY 2.0

6. 2023.. Image by Transformer18 on flickr, CC-BY-ND 2.0

7. FEBURARY Image by Paul Sobczak on flickr, CC-BY 2.0

8. TEXT FEBURARY - #12 ▸ 2023೥ॳΊͷ։࠵ ▸ य़೔෦ࢢ։࠵: ;Ε͍͋Ωϡʔϒ 4F

   ▸ ͜ͷ࣌࠙਌ձΛߦͳͬͨϐβ԰͕௵Εͨ… orz Image by Erik Weibust on flickr, CC-BY-NC-ND 2.0

9. TICKET TO THE DARK WORLD FRONT Image by Alexandre Gallier

   on flickr, CC-BY-NC-ND 2.0

10. TEXT FRONT: TICKET TO THE DARK WORLD ▸ ແ๏஍ଳͰ͋ΔμʔΫ΢Σϒ؀ڥ ▸

    ΞΫηεʹ͸Torϒϥ΢β͕ཁٻ͞ΕΔ͕஗͍ →Tor͸Firefox ESR →Firefoxࣗମͷվྑ͕ਐΜͰ͍Δͷ͕ͩ… ▸ Ͱ͸ࣗՈ੡؀ڥ͕ͲΕ͚ͩ௨༻͢Δͷ͔ʁ ·ͨΑΓ҆શͳ؀ڥΛ࡞Δʹ͸ʁ →ݕূͩʂ Image by Alexandre Gallier on flickr, CC-BY-NC-ND 2.0
11. None
12. None

13. TEXT FRONT: TAKEAWAYS ▸ ແ๏஍ଳͰ͋ΔμʔΫ΢Σϒ؀ڥ ▸ ܾͯ͠φϝͯ͸͍͚ͳ͍JSͷࣥ೦Λ֞ؒݟͨճ →non-JS؀ڥͳΒRFP+FPI+গ͠ͷ޻෉ͰΠέΔ →JS؀ڥ͸͔ͳΓͷϦεΫ; Torϒϥ΢β͕ඞਢ

    →͍ͣΕʹͯ͠΋શը໘Ϟʔυͷ࢖༻͸ઈରNG ▸ ΑΓ҆શͳ؀ڥΛ࡞Δʹ͸ʁ →Torϒϥ΢βΛجຊతʹSafestͰӡ༻ →Extensionͷಋೖ: uBO/LocalCDN͸༗ޮ ※Hard mode͕ྑ͍͕ڐՄཤྺʹ஫ҙ Image by Andrew on flickr, CC-BY-NC-ND 2.0
14. None
15. None

16. TEXT FRONT: TAKEAWAYS ▸ ແ๏஍ଳͰ͋ΔμʔΫ΢Σϒ؀ڥ ▸ ͋ͳͨΛ͍ͭͰ΋ݟकΔGuard nodeͷڪා →Guard node͸ϓϥΠόγʔͷΞΩϨε伳

    →ཱީิ͑͢͞Ε͹୭Ͱ΋ͳΕΔ →ͨ·ʹଟ਺ͷಉ࣭ϊʔυʹΑΔcampaign͕ ▸ ͦΜͳ૷උͰେৎ෉͔ʁ — େৎ෉ͩ໰୊ͳ͍ (r …ͦΜͳల։͕ී௨ʹ͋Δੈք; ▸ ৴པͰ͖ΔbridgeΛେ੾ʹɺͲ͏͔҆͝શʹɻ Image by KaCey97078 on flickr, CC-BY-NC 2.0

17. TEXT BACK: CHAPTER INTRO. ▸ 2݄͸ยखམͪ

18. APRIL Image by Walter on flickr, CC-BY-NC 2.0

19. TEXT APRIL - #13 ▸ य़ͷقઅ ▸ ॴ༻ͷͨΊ࠷ऴՐ༵Ͱ͸ͳ͘1िؒૣ·Δ →͍ͨ͞·ࢢձ৔͕఺ݕͱ͍͏༕͖໨ʹ ▸

    य़೔෦ࢢ։࠵ (2nd): ;Ε͍͋Ωϡʔϒ 4F

20. FILL IN THE BLANK FRONT Image by Ars Electronica on

    flickr, CC BY-NC-ND 2.0

21. TEXT FRONT: FILL IN THE BLANK ▸ ChatGPTʹ୅ද͞ΕΔLLM… ๲େͳ஌ࣝΛ࣋ͬͯࣗવݴޠͰձ࿩Ͱ͖Δػց ֶशϞσϧ

    ▸ ৘ใ࿙Ӯ͸ʁ߈ܸ͸ʁ೔ຊޠͰ͸ʁ →ݕূͩʂʢଟ෼զʑ͕ॳΊͯʣ
22. None
23. None
24. None
25. None
26. None
27. None
28. None
29. None

30. TEXT FRONT: TAKEAWAYS ▸ ৘ใ࿙Ӯʹ͍ͭͯ͸एׯ૽͗ա͗ͷײ →ͦͷ··corpusʹೖΔΘ͚Ͱ΋ͳ͍ →ΦϓτΞ΢τ΋Ͱ͖Δ (OpenAIͷΈ) ※Ή͠ΖGoogleͳͲͷ΄͏͕໰୊ ▸

    Prompt Injection: ࣗવݴޠڥք͕ᐆດͳ͜ͱΛར ༻ͯ͠ࢦྩΛૠೖ͢Δ߈ܸ →׬શʹ๷ޚ͢Δखཱͯ͸ݱঢ়ͳ͍ →೔ຊޠͰ΋े෼ʹ༗ޮ →ར༻͢ΔͳΒϦεΫϔοδࡦΛ Image by Howard Ignatius on flickr, CC-BY-NC-ND 2.0

31. KIA? CHALLENGE? ➤ ʮKia BoyzʢىѥϘʔΠζʣʯͱ͸ɺى ѥࣗಈंΛ౪Έɺ౪ΜͩؖࠃंΛ࢖ͬͯ ๫૸ӡసɺ৐ΓࣺͯɺࣄނΛى͜͢ͳͲ ͨ͠ಈըΛTiktok΍YouTubeͳͲʹ౤ߘ ͢ΔςΟʔϯΤʔδϟʔͷ͜ͱ ➤

    ͜ͷ“ѱ࣭ͳήʔϜ”ͷ͜ͱΛʮKia ChallengeʢىѥνϟϨϯδʣʯ·ͨ͸ ʮKia Boyz ChallengeʢΩΞɾϘʔΠζɾ νϟϨϯδʣʯͱݺ͹Ε͍ͯΔ THIEVES #1 BACK

32. TEXT BACK: THIEVES #1 ▸ ंͷ౪೉ࣄ͕݅ଓൃ →Ͳ͏ͳ͍ͬͯΔͷ͔ʁ

33. TEXT BACK: TAKEAWAYS ▸ ॳΊkia, ͍࣍ͰRAV4 ▸ ख๏ͱରࡦͷڞਐԽʢi.e. Πλνͬ͜͝ʣ ▸

    ΠϞϏϥΠβʔͷଘࡏͱճආ ▸ Ωʔೝূϓϩτίϧ͸ສશͱ͸ݴ͑ͳ͍ ▸ ΋͸΍෺ཧతʹकΔ͔͠ͳ͍ Image by KaCey97078 on flickr, CC-BY-NC 2.0

34. JUNE Image by Thai Jasmine (Smile..smile...Smile..) on flickr, CC-BY-NC 2.0

35. TEXT JUNE - #14 ▸ Ӎͷقઅ ▸ य़೔෦ࢢ։࠵ (3rd): ;Ε͍͋Ωϡʔϒ

    4F Image by Pom' on flickr, CC-BY-SA 2.0

36. THIEVES #2 FRONT

37. TEXT FRONT: THIEVES #2 ▸ લճ͸kiaͱRAV4͕ͩͬͨɺ࣮͸honda΋… →ͳͥʁ

38. TEXT FRONT: TAKEAWAYS ▸ CANόεߏ੒ʹજࡏ͢Δ໰୊ʹՃ͑ RFϦϞίϯ৴߸ͷߏ଄ʹ΋໰୊͕ ▸ rolling codeͰରࡦͨ͠ͱࢥ͑͹ɺͦͷରࡦʹ΋ ͕ܽؕ

    ▸ …͠͹Β͘ଓ͘ͷͩΖ͏͔ɻ

39. TEXT BACK: CHAPTER INTRO. ▸ ͜ͷ݄΋ยखམͪ

40. AUGEST Image by Joe Penniston on flickr, CC-BY-NC-ND 2.0

41. TEXT AUGEST - #15 ▸ ম͚ͭ͘໠ॵ ▸ ͍ͨ͞·ࢢ։࠵: RaiBoCϗʔϧ ूձࣨ

    ▸ OWASP Sendai খּ͞Μͷ͝ްҙʹΑΔ ॳͷϫʔΫγϣοϓ ▸ ։࠵໨લʹ๻͕COVID-19ͰٸᬎϦϞʔτʹ… →֤Ґ͝໎࿭Λ͓͔͚͠·ͨ͠ Image by Shawn Harquail on flickr, CC-BY-NC 2.0

42. ڴҖϞσϦϯάϫʔΫγϣοϓ WORKSHOP

43. TEXT WORKSHOP: ڴҖϞσϦϯάϫʔΫγϣοϓ ▸ OWASP SendaiνϟϓλʔϦʔμʔͷখּو੖ (@TakaharuOgasa) ͞Μ͔Β ▸ ڴҖϞσϦϯάϫʔΫγϣοϓ

    →த਎͕ೱ͍ͷͰΦϑϥΠϯݶఆʹ ▸ ࢀՃ֤Ґɺ͋Γ͕ͱ͏͍͟͝·ͨ͠ʂ

44. TEXT BACK: CHAPTER INTRO. ▸ ๻͕͏͔ͬΓCOVID-19ʹ๯͞Εͨ(͢Έ·ͤΜ) →ҨӨࢀՃͰνϟϓλʔ঺հΛ…

45. OCTOBER Image by berniezang on flickr, CC-BY-NC 2.0

46. TEXT OCTOBER - #16 ▸ Ϗʔϧͷ݄ ▸ य़೔෦ࢢ։࠵; ;Ε͍͋Ωϡʔϒ6F ..

    ༧૝Ҏ্ͷѹഭײʹҎ߱͸4FͰͱܾҙͨ͠ճ ▸ ҉໧తͩͬͨεϐʔΧʔอޢϧʔϧΛ੔උ͠ɺ ʮνϟλϜϋ΢εϧʔϧʯΛద༻͢Δࢫ໌ه Image by 5chw4r7z on flickr, CC-BY-SA 2.0

47. ※νϟλϜϋ΢εϧʔϧ: ಘΒΕͨ৘ใΛଞॴͰར༻͢Δࡍɺൃݴऀ΍ͦͷଞͷࢀՃऀ ͷ਎ݩ͓Αͼॴଐʹؔͯ͠͸ɺຊਓͷ໌ࣔతڐՄ΍֬ೝ͕ಘ ΒΕͳ͍ݶΓ͸໌ࣔతʹ΋໧ࣔతʹ΋໌Β͔ʹ͠ͳ͍ɻ ΑΖ͓͘͠ئ͍͍ͨ͠·͢🙇 TEXT

48. ECHIDNA: PENETRATION TEST ASSIST & COLLABORATION TOOL FRONT

49. TEXT FRONT: ECHIDNA: PENETRATION TEST ASSIST & COLLABORATION TOOL ▸

    ։ൃऀͷࣉా༔ (@chayakonanaika) ͞Μ͔Β σϞ͓Αͼ಺෦ઃܭʹؔ͢Δوॏͳ࿩ ▸ BlackHat EU 2023 ArsenalͰൃද ▸ ߈ܸΛՄࢹԽɾνʔϜ಺Ͱڞ༗͠ॳ৺ऀͰ΋े ෼ͳ੒ՌΛग़ͤΔΑ͏ʹڧྗʹࢧԉ͢Δπʔϧ ▸ https://github.com/Echidna-Pentest/Echidna

50. TEXT FRONT: TAKEAWAYS ▸ Echidna͸ॳ৺ऀ΍ηΩϡϦςΟνʔϜ͕߈ܸख ๏ΛֶशͰ͖ΔΑ͏ʹઃܭ͞Ε͍ͯΔ ▸ ঢ়گʹԠͯ࣍͡ͷίϚϯυΛఏҊ ▸ ίϚϯυग़ྗ͔ΒॏཁͳՕॴΛநग़͠αϙʔτ

    ▸ ॳ৺ऀͰ΋ΫϦοΫ͚ͩͰ৵ೖՄೳ ▸ ϒϥ΢βܦ༝Ͱڞ༗λʔϛφϧΛఏڙ͢Δ͜ͱ ͰνʔϜ಺࿈ܞΛαϙʔτ

51. THREAT DRAGON BACK

52. TEXT BACK: THREAT DRAGON ▸ OWASP SendaiνϟϓλʔϦʔμʔ খּو੖ (@TakaharuOgasa) ͞Μ͔Βɺ

    OWASP Threat Dragonͷ঺հͱϋϯζΦϯ ▸ OWASPެࣜͷڴҖϞσϦϯάπʔϧ ▸ ͜Ε΋·ͨେมʹوॏͳ࿩ ▸ https://owasp.org/www-project-threat-dragon/

53. TEXT BACK: TAKEAWAYS ▸ ڴҖϞσϦϯά͸։ൃऀͷڭҭʹ༗༻ ▸ ։ൃલʹϦεΫΛચ͍ग़͢ʢWFͰ͸ॏཁʣ ▸ ਍அ΍৵ೖςετͷ୅ସͰ͸ͳ͍ ▸

    OWASP Threat Dragonͷར఺ ▸ DFDΛॻ͖ɺSTRIDEΛࢹ֮తʹදݱ ରࡦҰཡΛ࡞੒͠ɺͦΕΛอଘ ▸ ߏ੒ཁૉ͝ͱͷൃੜڴҖΧςΰϦΛߟྀ (!)

54. DECEMBER Image by joanne clifford on flickr, CC-BY-ND 2.0

55. TEXT DECEMBER ▸ ೥຤ ▸ ͍ͨ͞·ࢢ։࠵: RaiBoCϗʔϧूձࣨ Image by DaPuglet

    on flickr, CC-BY-SA 2.0

56. LOOKING BACK 2023 FRONT Image by Abubakr Saeed on flickr,

    CC-BY 2.0

57. TEXT FRONT: LOOK BACK 2023 ▸ ࠓ೥ͷ׆ಈͷ;Γ͔͑Γ ▸ KPT: Keep,

    Problem, Try Image by Abubakr Saeed on flickr, CC-BY 2.0

58. TEXT KEEP ▸ Ͱ͖ͨ͜ͱ ▸ ϫʔΫγϣοϓͷ։࠵ ʢখּ͞Μ͋Γ͕ͱ͏͍͟͝·͢ʂʣ ▸ ެืεϐʔΧʔ֤ҐͷΈͰͷ։࠵ ʢࣉా͞Μ͋Γ͕ͱ͏͍͟͝·͢ʂʣ

    ▸ ΦϑϥΠϯͷΈ։࠵ Image by willi_bremen on flickr, CC-BY-NC-ND 2.0

59. TEXT PROBLEM ▸ ࠓҰͭͩͬͨ͜ͱ ▸ ׆ಈঢ়گ͕ݟ͑ʹ͍͘ ▸ ࿩୊ͷࠂ஌͕஗͍ ▸ ղੳܥͷ࿩୊Λ΋͏গ͠΍Εͨͳ

    ▸ Ր༵ͩͱళ͕ٳΜͰ͍Δέʔε͕ଟ͍… Image by Leonid Mamchemkov on flickr, CC-BY 2.0

60. TEXT TRY ▸ ΍͍͖͍ͬͯͨ͜ͱ ▸ SNS΁ࣸਅΛೖΕͯ׆ಈใࠂ →୭͔ʂ ▸ εϐʔΧʔͷґཔ →ґཔ͕͍ͬͨΒΑΖ͓͘͠ئ͍͠·͢mm

    ▸ appsec, ಛʹΞϓϦղੳ ▸ ϫʔΫγϣοϓ͋Δ͍͸CTFྨʢ˞ձ৔͕໰୊ʣ ▸ ։࠵༵೔ͷ࠶ߟ Image by Heiner Engbrocks on flickr, CC-BY-NC 2.0

61. FIN. 18.12.2023 TAKAHIRO YOSHIMURA (@ALTERAKEY) Image by Paul Moody on

    flickr, CC-BY-NC 2.0