SYNOPSIS
From Adobe Reader to the Sonos One, vulnerability researchers hacked a jaw-dropping array of targets at this year’s Pwn2Own and TianFu Cup hacking contests. Amid the carnage, one conspicuous survivor remained un-pwned: Synology’s DiskStation Network Attached Storage (NAS) devices. As a sponsor of this year’s Pwn2Own, Synology doubled the bounty to $40000. However, while several participants successfully cracked the DiskStation DS418play in 2020, they failed to offer a working exploit for either the DS920+ or DS220J this year. Not for lack of trying – along with other aspiring participants, we discovered a handful of vulnerabilities but could not complete a remote exploit chain due to Synology’s defence-in-depth design.
We will present a technical analysis of Synology’s defensive coding techniques as observed in the latest DiskStation Manager (DSM) 7 operating system. We will demonstrate how these techniques prevented further exploitation of significant vulnerabilities and mitigated their impact. Along the way, we will update existing research about the proprietary findhostd protocol and DSM internals. Developers and defenders will take away practical lessons in secure coding and software design from Synology’s example. Finally, we will conclude with broader observations about the economics and strategy of hacking competitions.
AGENDA
7.45PM - 8.00PM - Registration and sign-in to webinar
8.00PM - 8:05PM - Introduction by host from chapter EXCO
8:05PM - 8:50PM - Unhackable? Lessons in Defensive Coding from Hacking Synology Network Attached Storage devices, by Eugene Lim, Cybersecurity Specialist, Government Technology Agency & Loke Huiyi, Senior Cybersecurity Specialist, Government Technology Agency
8:50PM - 9:00PM - Q&As
ABOUT THE SPEAKER
Mr. Eugene Lim, Cybersecurity Specialist, Government Technology Agency
Eugene (@spaceraccoon) hacks for good! From Amazon to Zendesk, he has helped secure products globally. In 2019, he won the Most Valuable Hacker award at the H1-213 live hacking event organized by HackerOne, the US Air Force, the UK Ministry of Defense, and Yahoo. In 2021, he was 1 of 5 selected from a pool of 1 million white hat hackers for the H1-Elite Hall of Fame. As part of his vulnerability research work, he has reported vulnerabilities in Microsoft Office, Apache OpenOffice, D-Link router, and more. He also presented research on AI-powered phishing at Black Hat USA and DEF CON in 2021. He is interested in application security and sustainable DevSecOps practices.
Ms. Loke Huiyi, Senior Cybersecurity Specialist, Government Technology Agency
Hui Yi (@angelystor) is the technical lead for the product security assessment and vulnerability research team. Her claim to fame is becoming the 2nd hit on Google for “WinAFL fuzzing” and presenting on hunting application backdoors at Black Hat Asia in 2020.
****************************************************************************
For security reasons, instructions for joining the webinar will be sent to registrants one (1) day prior to the event. Please watch out for the webinar details. If in doubt, please email events@isc2chapter.sg.
This is a chapter professional development event thus 1 CPE hour will be available for your CPE submission. To facilitate submission of CPE points on your behalf by the local chapter - please identify yourself clearly by renaming yourself as <(ISC)2 membership number> + your full name when you sign in or after you've sign in. For example: '123456 Luke SkyWalker'.
Note: (ISC)2 members residing in Singapore who are not members of our local Chapter please signed up with us at www.isc2chapter.sg.
Join the community.
Membership Rates:
Professional Member: $50/- year
Associate Member (Non-credential holders): $30/- year
Student Member: $10/- year