Showing posts with label symantec. Show all posts

Monday, 16 December 2013

Singapore Short of Cyber Security Experts - An Opinion

But a tough-to-crack problem is that "young people do not find the job sexy" - Communications and Information Minister Yaacob Ibrahim

Early this month, Communications and Information Minister Yaacob Ibrahim said in an interview that Singapore is short of cybersecurity experts and that many young people prefer going into the banking and financial industries instead of a back-end job.



Is Singapore really short of cybersecurity experts? 

As a cyber security professional myself, I cannot say that I fully agree with the minister on this. First and foremost, the number of students taking up security courses over the years, be it from government institutions or private schools, is increasing. The number of graduates from schools that offer these courses is also increasing. From a private education perspective, every year thousands of students graduate from Kaplan, SMF, Informatics, MDIS, PSB Academy, SIM... and many more. These are just some of the many private schools that offer courses involving IT and Cyber Security. So definitely, there are many security graduates... but the question is... where are they?


Singapore Poly Graduates got 3rd in HITB CTF Competition (Kuala Lumpur)

Whether you realize it or not, there were students who participated and got 3rd in the CTF competition in Kuala Lumpur back in 2012. (Yes, I was there to witness them.) There were many teams from Vietnam, Japan, the Netherlands and many more, and to have our local lads getting 3rd place is an achievement worth noticing. So yes, I would say the schools are doing it right, exposing students to such real-life competitions to understand the way of the hack. A proud achievement for both the poly students and the Singapore security community as well.


Source: http://tinyurl.com/mbwe8tw

Is it Not Sexy?

The minister stated that young people do not find the job 'sexy'. On the contrary, people who have worked in the security field, especially the ones who do the dirty work (not the paper pushers), be it in support, operations or engineering, know very well that a career in the security industry is a very very SEXY job! Whenever I type commands in Linux or Unix terminals, it just feels right. Whenever somebody manages to hack or defend, the feeling is orgasmic! Whenever someone manages to troubleshoot and finds the root cause of an issue, it feels awesome! Those who don't feel that way are the ones who work for the sake of work. To be in the security field, one needs to have passion and interest... especially dedication...

How to move forward?

The question is, what then should the government do to entice people into taking up a career in security? In my opinion, the government should start with organizing conferences for the public. Interest in a subject starts from young, and if they attend such a conference, who knows, that event may change their mindset and start their journey to becoming a security professional. I got interested in hacking when I saw the movies 'Wargames' and 'Operation Takedown', not to mention 'Hackers' starring the spicy Angelina Jolie.

The Ministry of Defense should also publicize advertisements about cyber warriors protecting Singapore. With all the advertisements about the military defending the land, sea and air... isn't it time for an advertisement about the cyber military defending cyberspace?

The government should also organize cyber security competitions such as hacking competitions or forensic competitions. Many of these potential hackers are hungry to test out systems and servers on the internet, but most of them have to stay calm and contain their urge because it's illegal to scan or penetrate a system without permission! Recently Symantec organized 2 CTF events which greatly benefited the potential hackers by letting them showcase their skills and talents. The recent one, which was held in Suntec this year, was open to the public and many people participated from different companies. Some were professionals from overseas and the winners were locals. This goes to show that Singapore does indeed have a pool of talented individuals in the security community. If the government encourages such competitions, not only would they build people's interest in security, the government could also recruit these talented individuals and provide them with scholarships to study or a position to work in a security-related role.

Tuesday, 19 November 2013

Hunting and Hacking MSSQL Servers - Published Article on PenTestMag.com

My colleague and I wrote an article about how to pentest MSSQL end to end. As pentesters, we are constantly researching how to make our lives easier when performing ethical hacking engagements in a structured way, and how to ensure that all possible methods are used based on methodologies such as OSSTMM.

We spent about a week browsing through the web and compiling what could be done to properly assess a MSSQL server/service, then sat down and tested it on our testing servers (knowing that most customers do not allow us to exploit the systems).

So once we wrote the article, we sent it to PenTestMag.com for review and crossed our fingers hoping it would be reviewed and accepted. Fair enough, upon review, we had to elaborate, add, edit and explain the methods used so that it would be easy for readers to understand and technically possible to follow on a step-by-step basis.

Hence, after all our hard work, it was finally accepted and a month later, it got published! So ladies and gentlemen, I present you some snapshots of the article! :)



The cover of the magazine


My Colleague and myself on the cover!

The content page


The first page of the article


The end of the article and our brief bio.


The article can be downloaded at:




Wednesday, 13 November 2013

Winners of Symantec Cyber Readiness Challenge (Cloud Asia Expo, Singapore)

Finally we emerged as Champion!!!!
There were about 25 participants. Some grouped in 2, others went solo. But I have to say that this was a very very very tough CTF, unlike the first Cyber Readiness Challenge where we were first runner-up.

This time, the organizers came prepared. There was no wireless network at the location and participants were encouraged to bring their own 3/4G dongle. I, on the other hand, totally forgot about it and luckily the organizers brought some spares in case there were people who forgot (me).

It started with a video showing the story of the situation. Once the clock starts, the challenge begins! Heck, it was one tough ride. It started with a flag for which you need to be forensically knowledgeable and, of course, one must know LINUX!!! We took almost half an hour to figure out the first flag. But after that, it became tougher. Glad I used nmap to scan the whole network for live machines and started finding vulnerabilities and poking their ports. It was not as straightforward as I thought it would be.

Nevertheless, we managed to bring back glory by becoming the champion of the tournament and again, it was a very very tiring 4-hour event. We didn't even manage to have our breakfast. Just a cup of mineral water and a cup of coffee and off we went, non-stop action...

Kudos to Symantec Singapore for organizing such a wonderful event. I really hope Symantec will continue to organize such events in future and allow potential hackers to participate and challenge themselves in the given environment to hack, steal and win... legally, of course!

Event: Cloud Asia Expo
Competition: Symantec Cyber Readiness Challenge
Location: Suntec City Convention Center
Country: Singapore

Check out the photos:




The partnership of the Hulk and Juggernaut

Working towards winning

The 2nd Placed Winners

The First Place Winners!


Previous Symantec CRC Participation:
First Runner Up in the first ever APAC Symantec Cyber Readiness Challenge: 




Sunday, 10 November 2013

Never Give Up

In life, not many are/were born with a silver spoon. Some have to work very very hard and some simply ask and they have it. People who come from a difficult background or humble beginnings are often admired when they carve their way to success. This is an article that was published on the 8th of November 2013 about how he overcame rejections and still made his way up to achieve his dream career.


Front Page
Translation:

Ethical Hacker in Global Firm

ITE graduate works hard to become a Consultant in BT

Now, he may have reached his dream of becoming a consultant, but not many know how many disappointments and rejections he faced. More than 10 years ago, with a Higher Nitec in Mechanical Electrical Engineering Design certificate, he tried to appeal to take a course in Infocomm Technology in Temasek Polytechnic but was not accepted due to unsatisfactory results. Nevertheless, in 2005, having completed his NS, Fadli went on a hunt for a private diploma in Infocomm Security from Raffles Education Corporation. With that diploma, he hoped he would be accepted for a specialist course in Polytechnic but sadly, he was not accepted. His appeal to study in both TP and NYP was rejected. According to Fadli, he was told he was not accepted because he did not have a local polytechnic diploma, which was part of the requirement.

Disappointed but not giving up, he tried again in 2007, this time with another diploma in Information Technology from SMF. Once again, he got rejected for the same reason. "I was disappointed and worried at that time," said Mr Fadli, now 30, recalling it all. "Disappointed as though I was ignored and worried about my loans," said Mr Fadli, who loaned $16000 from a bank for his degree. He hopes he will be able to pay off all his loan of about $8000 by the end of next year.

According to him, he was stubborn, searching for a career in the field of IT Security, and has a huge interest in hacking. "I'm not sure why but ever since I watched the shows 'Operation Takedown' and 'Hackers' I fell in love with hacking," said Mr Fadli. Ever since then, he never gave up chasing his dream career.

In 2008, he started his degree with Murdoch University and now he has armed himself with a Degree double majoring in Cyber Forensics, Information Security Management and Business Information Systems. He is also now building up his career as an IT security consultant with BT and is part of the Ethical Hacking Center of Excellence. The company offers IT solutions and services globally.

Recently, hacking events have been the talk of the town in the media when the hacker known as 'The Messiah', who claimed to be from the group 'Anonymous', vowed to threaten the IT infrastructure of the Singapore Government. PM Lee Hsien Loong said that this act is dangerous and true. Unsurprisingly, the services offered by security consultants like Mr Fadli, who declared himself a 'Hacker for Hire', are in demand.

He said that he never would have thought of becoming a security consultant one day since owning his first computer at the age of 18. "Without hard work, all these will never come to fruition," said Mr Fadli.

Page 17
Translation:

Hard Work is the key to Success

Working and overcoming the trials of life is not an alien concept to Mr Fadli, 30 years old. After his father died in an accident in 1988, when Mr Fadli was only 5 years old, he and his 2 other siblings had to move from house to house while his mother went to work. His studies were more or less affected, said Mr Fadli, who had to change from school to school to accommodate the moves.

Hard pressed, his mother had to send her children to Jamiyah, Darul Mawa, an orphanage, when he was 11 years old. "The challenges of living in the home were many... if you think the influence in the school was great, imagine the influence you get living all day and night in the home," said Mr Fadli. Mr Fadli stayed in the home until he completed his O Levels at Serangoon Garden Technical School.

To increase the family income, he had to work part time in a shop called Miz29 and sell satay while waiting for his O Level results.

Upon completing his ITE education and National Service, he worked at HP as a media operator and then at NCS. 3 years later, Mr Fadli went back to HP as a systems engineer. According to him, while gaining different experiences in the field of IT, he often changed jobs in the hope of getting a raise to pay off his education loans. Quietly, he was still hoping to get a career in the field of IT Security.

The opportunity came when he was offered a position in BT Global Services in 2010. "Even though I had to stare at the computer for hours, I truly enjoyed my job. Not many have the interest in doing this kind of job but I loved it because of its challenging landscape and the need to have a strong sense of creativity and continuous learning," said Mr Fadli, who always has to keep up with the never-ending change of new threats in the cyber world.

"Most of the systems encountered are very vulnerable and able to be exploited and these vulnerabilities change in time," said Mr Fadli. As of now Mr Fadli has published at least 3 security articles in an international security magazine called PentestMag. Additionally, Mr Fadli was also a member of the BT team that won the hacking competition GWAPT, Catch the Flag in Bangkok, Thailand. He and his colleague also became the first runner-up in the Cyber Readiness Challenge organized by Symantec last month. Next week, Mr Fadli and his colleague will be participating in another Catch the Flag hacking competition at the Cloud Expo Asia in Suntec.

Mr Fadli, who is now married to Mrs Siti Mariam, realizes how things have changed. Mr Fadli hopes that he will continue his studies once he has cleared his loans. He also advised teenagers with similar beginnings and backgrounds to never give up. "Our future will not change without hard work," he said.

Wednesday, 6 November 2013

Symantec Cyber Readiness Challenge is Back in Singapore

"Symantec Security hosts the Cyber Readiness Challenge - an interactive 'capture the flag' style competition modelled after real-life security issues – at Cloud Expo Asia 2013.

The challenge positions participants as cyber security experts who will compete for system penetration within a simulated environment set with diverse and realistic vulnerabilities.

Within a fictitious scenario, participants will face challenges of increasing complexity and difficulty as they move through the various stages of a security breach."

Conference cum CTF




For more information about Symantec's CRC
Link: http://www.symantec.com/page.jsp?id=cyber-readiness-challenge

Watch the introductory video about Symantec's CRC


Friday, 20 September 2013

Symantec Cyber Readiness Challenge - First in Asia (Singapore)

BT got second place in the Symantec Cyber Readiness Challenge - CTF Hacking Competition!



The CTF competition was not something we expected. Before that day, we spent countless nights familiarizing ourselves with Kali and BackTrack and focusing solely on network hacking. Of course, we performed our recon by finding out more about similar CTFs run by other organizers in the past, such as DEFCon, HITB and Black Hat, and read up on what sort of challenges awaited us.

So when we arrived, we were quite shocked to see players from big-name companies and also from the Big Four joining, which humbled us, but then again... hackers constantly challenge one another and that's when the fun started!

As a rule of thumb, we can't expose the content of the competition, but for those who are joining the Symantec CRC competition, better get yourselves prepared with Web, Network and Database pentesting. Be good with the tools used, such as Metasploit and Nmap.

It was a full 4 hrs competition that left us exhausted at the end of the hour. Unfortunately, there were also hiccups during the competition, and as personal advice: better use your own dongle rather than the Wi-Fi or LAN network made available.

We also experienced unethical hackers while capturing the flag. One of the rules is to NOT CHANGE anything in a way that would prevent other players from competing, and one of the teams was literally changing the passwords of the accounts they cracked, which, if reported, could get them disqualified. There was some tug of war to control the system, each one kicking the other's session.

It was tough but eventually we nailed it. We got second spot and the winner got one flag more than us! Damn it! But all in all, this was indeed a fun competition that allowed us to hack/crack/pentest a real-world scenario...


The BT Team


The Banner

Another huge Banner 

WE ARE THE second placed WINNER! 

The Trophy 

The Team-Up