Showing posts with label 2013. Show all posts

Wednesday, 22 January 2014

SANS Holiday Hack Challenge 2013 - Honorable Mention


So last year, I was introduced to this Holiday Hack Challenge organized by SANS and I took part in it. With a career as an Ethical Hacker and having graduated with a Cyber Forensics degree, I took this challenge to see how I could exploit my knowledge to answer it.



Well, it wasn't easy of course. Given just a PCAP file, I needed to analyze it, figure out the chain of events, create hypotheses, find evidence of attacks and finally suggest solutions on how to prevent them.

I spent over 3-5 nights using various PCAP analysis tools such as Wireshark, NetworkMiner, Xplico and NetWitness Investigator. One of the challenges I faced was the timestamp of the PCAP file. Since this PCAP file was created in the US, I only realized 2 nights later that my computer clock and timezone settings were affecting the chain of events. Once I set it to the US timezone, the chain of events made sense.

After completing the challenge, I submitted it to SANS and the next day, I got a reply from Ed Skoudis! It was a compliment about my submission and it made me very confident about being one of the 4 winners.


When the results were out, I was a little disappointed that I didn't manage to get any of the top 4 positions. I looked at the answers by the winners and I was shocked and satisfied... they were really detailed, diving deep into the technicalities of their analysis. They even managed to find something that I overlooked! A huge KUDOS to them! Truly deserved winners!

But not all was gloomy for me. When I scrolled down to the section 'Honorable Mentions', I was excited to see my name among the many other honorable submissions! This was what was mentioned:

"Fadli B. Sidek: Fadli's response was amazingly detailed, lavishly illustrated, and beautifully formatted. It's an awesome entry from an obviously gifted information security analyst who knows how to convey information extremely effectively. This answer also pulls in the little lulzsec cartoon character near the end, to good comedic effect."


It made my day and put me on cloud 9 for a while! I was happy that the nights I spent doing this got rewarded! Anyhoo, I would like to share the report I submitted to SANS:










Special thanks to Ed Skoudis and the whole SANS team for organizing such a great challenge for all the nerds and geeks out there! Looking forward to participating in more challenges like this!

Monday, 30 December 2013

2014 - Year of the Privacy?

2012 was a year famously known for the number of security breaches. Companies from Sony to Yahoo to Google inadvertently had personal data leaked. Most breaches were done from the server side.


Source: http://venturebeat.files.wordpress.com/2012/09/securitybreaches_25.png

2013, on the other hand, was labelled the year of the hack. As early as March 2013, companies from Apple to Facebook and Twitter got hacked, and this does not include the hacking incidents in Singapore.


For Singapore, 2013 is seen as the year with a record number of hacking incidents. Hacking-related incidents ranged from the hack on Kong Hee's wife's website to the Anonymous threats to the Singapore Government, the XSS attack on the PMO and ISTANA websites, the web defacement of Singapore schools' websites, the Singapore museum website from which personal information got leaked and, recently, the theft of the bank statements of Standard Chartered's high-profile clients.


Kong Hee's Wife Website Hacked


AMK Town Council Website Hacked


Anonymous Threats and Hacks in Singapore




Singapore Art Museum Website Hacked


Singapore Schools Websites Hacked


Standard Chartered Clients Statements Stolen


With such a record number of hacking incidents in Singapore, 2013 will be known as the year Singapore got hacked the most. It was the year many security professionals, from private organizations to governments, were placed on high alert and standby. It was indeed a tough year for security professionals in Singapore.

So what will 2014 be? 

A preview of what's going to happen was shown throughout 2013. Privacy has been another hot topic besides hacking: the case of Edward Snowden leaking files from the NSA, which tackles the US government spying on its citizens, the security of encryption keys, the spying on Malaysia by Singapore, the spying on Indonesia by Australia, and the privacy of consumers against telemarketers.


The Serious Leaks by Snowden


The Allegations against Encryption Companies


The Spying of Indonesia by Australia


The Spying Report of Malaysia by Singapore


PDPC Backfires on Consumer's Privacy

All of these are previews of what may happen and will be the hot topic of discussion for 2014. While hacking will not stop, I predict that 2014 will be the year of privacy. The year of consumers questioning the privacy of their data and personal information. The year companies will start concerning themselves with the security of their clients' data. The year security vendors will get the most calls about privacy concerns and solutions.

Even the Security Rockstar Bruce Schneier in his interview with 'Motherboard' said the following related to the security of our data:
"I'm worried about governments, the US and other governments. I'm worried about how they are using our data, how they're storing our data, and what happens to it. I'm less worried about the criminals. I think we've kinda got cyber-crime under control, it's not zero but it never will be. I'm much more worried about the powerful abusing us than the un-powerful abusing us."


So in summary:
2012: the year of Security Breaches
2013: the year of the Hack
2014: the year of Privacy (just a prediction)


Monday, 23 December 2013

SANS Holiday Challenge 2013

It's that time of the year again, when SANS organizes a holiday challenge for those who have some free time to spare during the holidays.



This year, SANS organized a challenge that includes a PCAP file that needs to be downloaded and analyzed; you then provide your findings based on the questions provided.

Enough talk! If you are keen to test your analysis and investigative skills, go to this site:
http://pen-testing.sans.org/holiday-challenge/2013 and test your might!


A small tip:

For those not from the US, you might find a problem with the timestamps in the packet frames. To overcome this, you need to set your machine's timezone to UTC-6:00 or the US/Canada timezone.
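The timestamp issue from the tip above, as an added example that is not part of the original post: classic pcap record headers store seconds since the Unix epoch, and viewers such as Wireshark render them in the analyst's local timezone by default. This sketch reads the record headers directly and renders them at a fixed UTC-6:00 offset; the capture bytes, timestamps and function names are constructed for illustration.

```python
import struct
from datetime import datetime, timedelta, timezone

# Offset taken from the tip above (UTC-6:00); it is not stored in the capture.
CAPTURE_TZ = timezone(timedelta(hours=-6))

# Classic pcap magic bytes -> (byte order, sub-second units per microsecond)
MAGICS = {
    b"\xd4\xc3\xb2\xa1": ("<", 1),     # little-endian, microsecond stamps
    b"\xa1\xb2\xc3\xd4": (">", 1),     # big-endian, microsecond stamps
    b"\x4d\x3c\xb2\xa1": ("<", 1000),  # little-endian, nanosecond stamps
    b"\xa1\xb2\x3c\x4d": (">", 1000),  # big-endian, nanosecond stamps
}

def build_sample_pcap():
    """Constructed two-packet capture: 24-byte global header plus records."""
    data = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    frame = b"\x00" * 14  # dummy Ethernet header as payload
    for ts_sec, ts_usec in [(1387850400, 250000), (1387854000, 0)]:
        data += struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame))
        data += frame
    return data

def packet_times(data, tz=CAPTURE_TZ):
    """Return each packet's timestamp as ISO 8601 text in the given zone."""
    if data[:4] not in MAGICS:
        raise ValueError("not a classic pcap file")
    endian, per_usec = MAGICS[data[:4]]
    times, offset = [], 24
    while offset + 16 <= len(data):
        ts_sec, ts_frac, incl_len, _orig_len = struct.unpack_from(
            endian + "IIII", data, offset)
        # Epoch seconds are zone-independent; only the rendering changes.
        stamp = datetime.fromtimestamp(ts_sec, tz)
        stamp = stamp.replace(microsecond=ts_frac // per_usec)
        times.append(stamp.isoformat())
        offset += 16 + incl_len  # skip record header and captured bytes
    return times

if __name__ == "__main__":
    sample = build_sample_pcap()
    print("UTC-6:", packet_times(sample))
    print("UTC+8:", packet_times(sample, timezone(timedelta(hours=8))))
```

The same packet lands on a different calendar day depending on the viewer's zone, which is why pinning the rendering zone matters when reconstructing a timeline.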

Friday, 18 October 2013

HITB (Hack In The Box) Security Conference in KL 2013

Went to the Hack in the Box Security Conference held in Kuala Lumpur on the 16th-17th October 2013. Hosted in the InterContinental KL hotel, the conference was great. This is my third time in three years attending this conference and I have grown to love it. The tracks were good, the booths were awesome, the competitions such as Catch the Flag and HackWeekday were superb. Check out some of the photos of the conference.

Good Points: I will not deny that the topics of the presentations were great. They covered almost every aspect of hacking but focused more on in-depth hacking such as:
> OS/Software
> Exploitation
> Hardware

Some of the cool talks presented were the Facebook Hacking, Aviation Hacking and both keynotes. For the HITB crew, I have to compliment them all the way. They were very friendly and approachable, willing to assist and help anytime when approached. The food was superb and 5-star class! I can't complain about anything at all about the food, and no one had to stand to eat (like at some of the other conferences I've been to). The theme of the CTF was also eye-catching! 'War of the Worlds: WMD'!! I mean like, seriously?!!! Even if I participated and didn't win, I would still feel good bragging to my friends that I participated in such a cool-themed CTF event! The HackWeekday, or should I say the application coding competition, was superb and it had a number of categories, giving each competitor the chance to join in their respective specialized field. I've participated in several CTF competitions but have yet to join one at HITB, and maybe one day I shall join. However, I would like to put it out there that, upon talking to the organizers of the HITB CTF, I can say that it is not one of those straightforward network/web hacking competitions. One of the crew shared that it involves more than just network/web hacking skills. One needs to have fundamental knowledge of cryptography, steganography, reverse engineering, source code understanding, exploit engineering and binary analysis... I was like... say what!!! Damn... that is one tough CTF and whoever wins it should be respected for knowing and having the knowledge of all the mentioned aspects of computer security. Kudos to the Vietnam team for winning this.

Room for Improvement Points: While the topics were great, some of the deliveries were not. One example is the inability of some of the speakers to convey it in proper English (as some of them were from Europe and South America). One of the speakers was speaking out of a Word document all the way with little interaction with the audience. Another was speaking without knowing the full stop. It was cute actually.

What I hope to see: Local speakers at least! While the conference was attended by many locals, unfortunately none of the speakers/presenters were. Although I'm not a Malaysian, I would love to see some locals presenting their research at the conference. And of course, more ladies please! I've been to these conferences and sadly I rarely see any women hackers speaking. However, there were a handful of women attending the conference. I would also hope to see topics on penetration testing such as advanced network/web recon/exploitation, and bypassing firewall and antivirus techniques, which could attract more ethical hackers in these fields to attend. While there were booths that were very interesting, especially when there was a mini 'challenge' or 'competition' to attract people, some were quite dull (there was even an empty booth with a single person sitting at it). I was impressed by the Mozilla booth, because both times I was there, they had mini challenges. Such mini challenges can be seen at world-class conferences such as Def Con and Black Hat, and HITB booth representatives could take some tips from them. The lock picking by Toools was also a force to be reckoned with. Unlike the Facebook booth, which was packed with people for free gifts and T-shirts, the lock picking booth managed to attract more people with its complex challenges and outgoing reps.

Overall: I enjoyed myself. It's much, much better than some of the conferences I've been to, such as Hacker Halted hosted in Singapore. What I enjoyed most was making new friends, networking and exchanging name cards and knowledge. The in-between breaks were designed for that (I think) and I ended up making new friends! Great hotel, great food, awesome conference... what more could you ask? I've been to many conferences over the years and I have to say that HITB is one of the top 3 conferences on my list of MUST GO!!! Congrats HITB and thanks for the great conference!

HITB Security Conference main logo banner

Tracks and Speakers displayed digitally



3 Different Tracks in 3 Different rooms

An interesting funny slide

The OWASP Booth


The Ship Captain Hackers!


The hardware used during the hack



CTF event in progress


Microsoft Wizards

Taking a pic with an Anonymous attendee

Winning a Mozilla Firefox Mug

Taking a pic with the winner of Best Windows 8 Application Competition

Stickers souvenirs from the Conference

For more information on future HITB events/conferences, visit http://conference.hitb.org/