[Non-advertising] 2014 China Internet Security Conference ISC (I)
In the blink of an eye, a year has passed. In July I took part in the ISC, and today I registered for the 2014 ISC again. I attended the two-day conference at the National Convention Center, with forums on software, systems, mobile systems, web, cloud and storage architecture, and on laws, regulations, and evidence collection in information security, which together cover the main security fields. Today I attended the opening forum in the morning and the mobile security forum in the afternoon. Here is a brief look at some of the good ideas I heard today.
I. National Security and Information Protection
Because I arrived late, I only heard the second half of the speeches. Cloud Xiaochun, Deputy Director and Chief Engineer of the National Computer Network Emergency Technical Handling Coordination Center, delivered a speech entitled "Joint efforts to build a national cybersecurity protection system". Its point was that today's cybersecurity threats cannot be solved by a single department. They need coordinated cooperation among the relevant parts of society, including the National Monitoring Center (responsible for early warning, monitoring and analysis), operators (China Unicom, Telecom, etc.) and the public security and judicial departments (which hold judicial and administrative power), as well as cooperation with security vendors large and small. In the event of a large-scale network attack, the monitoring center first captures it and sends an alert, then reports it to the relevant public security and judicial departments and coordinates the operators for an emergency cutoff, while security vendors analyze samples and propose follow-up solutions. The most important point here is that complex and diversified network requirements must be coordinated across multiple departments.
Then Zhou Hongyi of 360 gave a lecture on "Big Data Security in the IoT Age", which mainly introduced his understanding of the Internet of Things. On this basis, he looked ahead to the convenience and threats brought about by smart device interconnection (smart home vs. The Matrix/Terminator?), and then proposed three principles of big data information protection in the IoT era: confirming the privacy of user information, transmission and storage security of user information, and information exchange, so as to ensure the user's right to know.
This is the venue registration Hall:
Transformers posters at the venue:
Cloud Xiaochun giving his report:
A foreigner (known as the father of the virus) made a report:
"Red cannon" Zhou Hongyi:
II. Smart Car Cracking
This year there was more talk about IoT security than last year. There was also an on-site demonstration of cracking a Tesla smart car. In fact, the principle also applies to Audi, Mercedes-Benz and other vehicles. Let's skip the hype and go straight to the principle:
-1. An RF receiver is installed on the notebook to capture the signal of the car key;
-2. The notebook captures the key signal and records the waveform;
-3. In order to replay the signal on PC/MP, the waveform has to be converted into a binary sequence;
-4. Reverse the sequence to obtain the primitive that was sent, such as "123456" or "abcdef";
-5. Write a program on the notebook that calls the RF transmitter to replay the signal.
This is the basic principle. The key is how to interpret the waveform and replay it. In this way the doors and trunk can be opened and closed, but the car cannot be started and the turn signals cannot be controlled; this will not be difficult in the future.
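Seen from the receiver's side, the replay in step 5 works because a static code looks the same every time it is sent. The following added example (not from the conference talk or any vendor's code) contrasts a fixed-code receiver with one that requires an authenticated, strictly increasing counter; the key, frame layout, command byte and window size are all assumptions made for illustration.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"   # constructed secret shared by fob and car
UNLOCK = b"\x01"                # hypothetical one-byte command code
TAG_LEN = 8                     # truncated HMAC-SHA256 tag, assumed size

class FixedCodeReceiver:
    """Receiver that trusts one static code: any recorded copy still works."""
    def __init__(self, code: bytes):
        self.code = code

    def accept(self, frame: bytes) -> bool:
        return hmac.compare_digest(frame, self.code)

def fob_frame(key: bytes, counter: int, command: bytes) -> bytes:
    """Frame = 4-byte counter || 1-byte command || MAC over both."""
    body = struct.pack(">I", counter) + command
    return body + hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]

class CounterReceiver:
    """Receiver that accepts each authenticated counter value only once."""
    WINDOW = 16  # tolerate button presses made out of radio range

    def __init__(self, key: bytes, last_counter: int = 0):
        self.key, self.last = key, last_counter

    def accept(self, frame: bytes) -> bool:
        if len(frame) != 5 + TAG_LEN:
            return False
        body, tag = frame[:5], frame[5:]
        good = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, good):
            return False                      # forged or corrupted frame
        counter = struct.unpack(">I", body[:4])[0]
        if not self.last < counter <= self.last + self.WINDOW:
            return False                      # replayed or far-off counter
        self.last = counter                   # burn every value up to this one
        return True

def demo():
    fixed = FixedCodeReceiver(b"123456")      # static code as in step 4
    car = CounterReceiver(KEY)
    frame = fob_frame(KEY, 1, UNLOCK)         # one legitimate button press
    return ((fixed.accept(b"123456"), fixed.accept(b"123456")),
            (car.accept(frame), car.accept(frame)))
```

The fixed-code receiver accepts the same bytes twice, while the counter-based receiver accepts the frame once and rejects the identical copy.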
CCTV interviews with car cracking:
On-site demonstration of car cracking by security personnel (a smart watch sends the door open/close signal):
III. Mobile Security Forum
In the afternoon, I attended the "Mobile Security Forum", which covered security issues on iOS and Android. I was quite impressed by the report from Associate Professor Fu Xinwen and Dr. Ling Zhen, "You can see your password on the mobile devices around you!" The report is about using video capture to analyze users' finger movements, work out the touched positions on the screen, and guess the users' input. The key is to design an algorithm that can identify the fingertip position from the video and map it by homography onto the standard keyboard.
According to the attack test results, the success rate of the second guess is nearly 100%:
Other iOS-related security issues were also covered. Despite the protection of being closed source, there are still some problematic APIs in iOS. Tomorrow, on the second day, I will focus on the Web Security Forum.