Showing posts with label security. Show all posts

Tuesday, 8 September 2015

Null Singapore Security Meetup - July

I had the opportunity to present at Null Singapore, a monthly security meetup group here. The last time I presented, it was about Vulnerability Assessment on SCADA systems, but this time, due to a career change (or upgrade), I presented my exploration into the deep web.

The deep web, as most (or some) know it, is the part of the internet not indexed by typical search engines like Google or Yahoo. It is a part of the internet where sources say most of the stuff resides. According to an article, Google managed to index only up to 4% of the world wide web... so where is the rest? The answer: the Deep Web.

My journey to the deep web wasn't a fun one. Instead, the deeper I went, the weirder the things I found: selling of drugs, abuse of humans, selling of weapons, hackers for hire, assassins for hire and much, much more. It is alarming to see the so-called criminal activity that resides in there, and due to the anonymity of the connection to each site, it is very hard for it to be monitored, tracked or charged by law enforcers.

In this presentation, I presented the things I found in the deep web. You can download the slides here: http://www.slideshare.net/FadliBSidek/red-riding-hood-in-the-deep-dark-woods



Dias presenting about Bitcoin and its role in privacy

Randen presenting about the security newsbytes

Myself presenting about the Deepweb

Tuesday, 16 June 2015

Null Singapore Security Meetup - June



Null Singapore is back for the fifth time and, like last month, it was a full house and another attendance record! Credit goes to NSHC Pte Ltd for providing us a room to have our meetup.





We started our meetup by introducing ourselves, what Null Singapore is all about, its aims, its objectives and how this meetup benefits the audience, from networking to potential cooperation with one another. This was presented by Prasanna, or PK, as Imran, the chapter leader, was away.



Randen then presented the security news bytes, the security events that happened in the last few weeks, ranging from malware and phishing to critical infrastructure.



Michael Heinzl, from SEC Consult, presented on the topic 'Finding vulnerabilities using Fuzzing'. It was an interesting topic as he demonstrated how fuzzing assists in finding unknown vulnerabilities and how such vulnerabilities could be turned into an exploit to further penetrate systems/applications. Sharing statistics from his research and ending with a cool demo, Michael was able to show the audience not just in a theoretical sense but in a practical way as well.



Vincent Tan, from Vantage Point, presented on the topic 'Breaking BYOD in iOS'. This was an extremely interesting talk as he shared his research and how iOS can be broken into with tools that he developed. I will not dive into the contents of his presentation (as agreed), but I'd say the delivery of the presentation, the demonstrations and the key takeaways were properly formatted and presented.



Both presenters ended with a round of applause and it was really great to see people enjoying the presentations and coming up to the speakers to know more about them. Alas, after it was all over, the 'after scene' networking session started. I saw people from different companies shaking each other's hands, getting to know each other despite the 'competition'. This is exactly what security meetups are all about... in conferences, we are never competitors... we are all enthusiasts...






Join us and get informed:

Wednesday, 20 May 2015

Null Singapore Security Meet Up - May


Null Singapore is back for the fourth time and this month's meetup was by far the best turnout with almost 60 people (it was around 18-20 people for the first one). Just like the previous month's meet up, it was held at ThoughtWorks (thanks to Prasanna K again and again for the location) 




As usual, we started by introducing what Null Singapore is all about. The head organizer, Imran, shared with the crowd the objectives, benefits and direction of Null Singapore and how this meetup aims to help people gain knowledge and network with security pros, enthusiasts and professionals. n00b or expert, everyone has something to offer.




Stefan from Vantage Point presented on an interesting topic, 'Why Pentesting Sucks', in which he shared the challenges faced by developers as well as penetration testers in application security and the loopholes that exist in the software development process when it comes to security. I presented a comment and a scenario where, in certain situations, organizations who buy software do not have access to its source code, thus it's tough to tackle the security assessment in the development stage of the software. This comment, however, turned out to generate a number of rebuttals and spun into a mini discussion between the members of the audience providing their points on how that situation can be tackled through procurement processes and trust between the company and the software vendors. Definitely a potential avenue to have a panel discussion with the audience in future meetups.





Prasanna K from ThoughtWorks then presented on hacking hypervisors, specifically the Xen hypervisor, in which he not only shared the theory of the topic but also gave a practical demo on how easy it was to gain root access to the virtual machine from a less privileged user by taking advantage of one of the source codes.




Overall, I believe it was a great turnout and again I had fun, especially seeing more people attending the meetup. I can't wait to see what the future holds for Null Singapore... who knows, it can be as awesome as BSides conferences! Now that's what I wanna see!

Follow and add yourself to Null Singapore. We are Social! Click on the images below to be part of it..

                                                 
                                                                    


#include <iostream>
using namespace std;
int main ( )
{
cout << "You Guys are Awesome" << endl;
return 0;
}

Friday, 20 March 2015

Null Singapore Security Meet Up - March

I received a tweet from an Indian friend of mine, Ajin Abraham, asking me to check out a 'mini-con' called Null Singapore. As I was travelling during the period of the first meetup, I said I'd be attending the one in March instead.



It was pretty interesting to attend this small group of security enthusiasts and I thought I needed to check out the atmosphere there as well. So a week before 19th March, I shared this meetup to my Facebook group 'Singapore Cyber Security Enthusiasts', where I share the latest security articles, news and conferences in Singapore or overseas. It wasn't a bad response; about 4 signed up for the meetup.

On the 19th of March, we set off for the meetup. Located at Craig Road, and fortunately 5 mins away from my office and 10 mins away from Tanjong Pagar MRT Station, it was quite a convenient location (well, at least for me). When we reached the place, we saw an empty office from the front and there were no signs to say 'Go here for Null Singapore' or anything to direct us. Well, it was not a big deal: the entrance was on the side of the building, opposite the street soccer court, and it was at level 2.

When we got inside, the room was silent and there were already people sitting. My first thought was, will there be enough seats? Well, fortunately, despite the full house, everyone managed to be seated either at the sofa area or on the foldable chairs.

We started with the newsbytes by Suman Sourav, sharing the latest news in the security world, from the Lenovo malware to the Carbanak cyber gang that infiltrated the banks and stole over $1Bn.

Suman Sourav sharing the latest news


Next was Randen Rosete, who shared about the IoT (Internet of Things) and the mistakes made by developers in not properly securing the APIs, which in some or many cases leave the default passwords in clear text, giving a hacker the ability to intercept and create exploits easily.

Randen Rosete and the problems with IoT


Lastly, we had a sharing session about infrastructure security by Sriram Narayanan, discussing the mistakes made, the impact of the mistakes, how they were resolved and finding the root cause of the issue.

Sriram Narayanan on the mistakes made and lessons learned in Infrastructure security


Another 'last minute' event was the 'ice breaking' event, suggested by Paul Craig from Vantage Point security, a company specializing in Vulnerability Assessment and Penetration Testing where we all gave a brief introduction of ourselves at the end of the meetup. 

I have to say, this is a small but great atmosphere with security enthusiasts from various fields such as software engineering, application security, infrastructure, networking, threat intelligence, VA/PT and others. 

I am definitely looking forward to visiting again next month.

For more information on Null Singapore Meetup: 

FB Group 'Singapore Cyber Security Enthusiasts': 

Saturday, 24 January 2015

Blackhat Movie Review

Blackhat movie review (with SPOILERS): It's been a while since I did a movie review here, and since this movie, going by its title, is about hacking, I think it's wise for me to write a thing or two (well, probably more) about what I feel about it.

Blackhat movie poster

First off, just for general movie knowledge, when this movie was initially scripted there were a lot of protests within the industry about the synopsis that the American government is working with the Chinese government to tackle a foreign hacker while, in fact, there's huge friction between the two in the cyber war arena in the real world. (The latter was briefly mentioned in the movie.)

The start of the movie was quite cool: we see a hacker pressing the Enter key and the movie shows the movement of the data in a Matrix-like format from the computer right to the destination, a power plant. I enjoyed the first 10 mins of the movie as it showed the HMI (Human Machine Interface) of the SCADA systems and how it was hijacked. Those who know how Stuxnet works can relate to the movie since the RAT (remote access trojan) or 'virus' in this movie was probably inspired by the Stuxnet worm (which was able to destroy many nuclear centrifuges, causing them to be replaced and renewed, costing millions of dollars). What a huge coincidence that I gave talks about SCADA and power plant security last year.

Power Plant Meltdown from the Blackhat movie


HMI interface for a SCADA system

However, the way things were handled by the US government and the Chinese government (cooperating with each other) was unrealistic. From the book 'WORM' by Mark Bowden: back when the famous Conficker virus was going on a rampage in the US, affecting millions of computers, the US government did not even bother to take further action, especially when being educated that Conficker had the ability to start a Cyber Pearl Harbor back in the day. So to see the US government providing assistance to the Chinese government was quite far-fetched (but hey, who knows, this movie could entice a possible cooperation between them).

WORM by Mark Bowden

Everything went well until they decided to kill the direction of the movie. I'm not going to comment on this as I was utterly disappointed... it's like watching the latest Transformers scene in China... pointless! Chris Hemsworth, the hacker in the movie, was somehow good at martial arts and even knows how to use a gun better than the villains. (Seriously??? Now I miss Hugh Jackman in Swordfish.)

Swordfish the movie

My verdict: It was all positive hype in the first 30 mins until it went totally downhill for the rest. Don't expect a Blackhat vs Blackhat cyber battle or a Die Hard 4.0 kind of vibe. The villains were lame, making the 90s movie Hackers way better than this.

Friday, 26 September 2014

SecureSingapore - an (ISC)2 event

Was privileged to be invited to speak at SecureSingapore yesterday, an event that was held right after GovWare. This was my first time giving a full presentation at a Singapore-based conference. Previously, when I presented at ABS-FITA and WebSense (both in Singapore), I was doing the technical demo, but this time I had a whole hour to speak. My speaking experience from conferences in India, UAE and US gave me the confidence to speak at this one.



 
The topic of my talk. Unlike Defcon Kerala and The Hackers Conference in India and BSidesLV in Vegas, I needed to ensure that my talk covered more of a holistic view of SCADA and Critical Infrastructure and little of the low-level technical side.



I had a great time presenting to a room full of CISSP certified professionals and security practitioners. I was also delighted to get some laughs and response from the crowd. One of the things I did was to demonstrate the way Stuxnet works, and I got 3 volunteers from the crowd to assist me in illustrating it.

At the end of my talk, I had a chance to meet and greet people from industries such as banks and product vendors. One of them was the President of ISC2 Singapore himself! This was a new experience for me and I certainly thank BT and ISC2 for giving me the privilege to share my knowledge with the industry experts.

And what better way to be given the thumbs up than to receive such honest feedback from one of the audience.




Singapore Governmentware 2014

Attended Govware recently, which was held in Suntec City Convention Center on the 23rd - 25th of September.



It had a lot of great talks, but of course don't expect the kind of Defcon or BSides technical talks, as these were more focused on decision makers as well as C & S level people and on the latest emerging technologies that would assist them in protecting their organizations.

And since I have this interest in Critical Infrastructure and SCADA, I attended the following tracks, which provided a holistic view of the Critical Infrastructure issues and how their products or services can assist organizations.










One of the things I liked about Govware is the Cyber challenge CTF event that allows students and hacking enthusiasts to participate and test their hacking skills. As a past CTF participant myself, I know the pressure and the fun involved in such events... whoever wins will definitely have something to brag about!








And of course, the many vendors and product booths. Some showed awesome demonstrations, some provided free T-shirts, stickers and USB sticks!





















And yeah, that's me having a selfie at Govware! ;)