ROOTCON 10

September 22-23, 2016 Taal Vista Hotel, Tagaytay City

Talks

AV Is Dead! Is AV Dead?
by: Berman Enconado
(PDF) (Video)
We see it on the news, social media and ads. Over the course of the past decade, the internet has been plagued by the boom of malicious programs. Malware has continually evolved over the years to thwart every single technology that gets thrown at it. Sad to say, AV is always on the reactive side of catching them. Many companies are opting to switch to more advanced ways of finding and removing this malware. But is trashing our AVs and switching to another technology really the solution? Or will this lead us into a pitfall that enables the bad guys to gain the upper hand, again? This research shows the untiring battles between software security companies and malware authors over the years. This case will show that there is no single technology to stop all cyber threats.

Big Data Analysis Applied to Network Security
by: Wilson Chua
(PDF) (Video)
This session will present case studies that showcase the possibilities of using Big Data analytics tools and techniques in the network security domain.

Using tools like Tableau, Neo4J, RapidMiner, Knime and Gephi, massive volumes of IP traffic can be digested easily and actionable insights extracted in a matter of minutes. The output can be visually engaging and understandable to C-level executives.

In addition to using descriptive analytics that help with digital forensics, the session will also share predictive analytics to showcase how big data analytics can proactively "predict" which IP addresses will be 'bad' even before they do anything. This output can in turn feed 'alert' or 'hot' lists or exclusion lists.

Certificate Based Strong Client Authentication as a Replacement for Username/Password
by: Lawrence E. Hughes
(PDF) (Video)
Username/Password Authentication (UPA) is trivial to hack today, even when used with SSL-protected websites (e.g. via a keyboard sniffer). A username/password database on a server is a juicy tidbit for a hacker to do mass harvesting of credentials, for fun or profit. Cracking even hashed and salted passwords is not rocket science. Most passwords can be found on the most common 10,000 list. Humans are notoriously bad at coming up with good passwords, and even those can be discovered. UPA is now completely ineffective.

SSL/TLS has been around for a number of years, and provides good server-to-client authentication (you know you are connected to Amazon.Com’s server) and a secure exchange of a symmetric session key (for encryption), but today most sites and apps are still using UPA for client-to-server authentication. Encrypting it helps against script kiddies but not against a competent hacker. 2FA (e.g. SMS or OTP token) helps, but does not prevent attacks on UPA. To be honest, for the most part Amazon could care less who YOU are, so long as your credit card payment clears. Other sites (like banks) care very much who you are. They don’t want some dude in Kazakhstan named Gregor emptying your account.

Fortunately, there is another part of the SSL/TLS handshake that is a very powerful replacement for UPA. It isn’t just a band-aid for a badly broken scheme (like 2FA); it replaces that broken scheme completely.

ComeLEAK - from hacking to behind bars
by: ROOTCON Crew
(PDF) (Video)
ComeLEAK: do you want insight into what really happened?

Weeks before the Philippine election, a group of hackers made their way into COMELEC's website and leaked a massive amount of voter data to the public. It was then tagged as the worst public data breach in the Philippines. ROOTCON remained silent because we wanted to be neutral and did not want to provide false information to the public. After doing some investigative research, we will be presenting the facts and testimonials, giving you deep-dive insights into what really happened, from hacking to behind bars.

This talk is based on the research done by the ROOTCON crew.

Cyber Security Threats in Digital Advertising
by: Mark Ryan Talabis
(PDF) (Video)
This presentation is a first-hand investigation by a security practitioner of the unique security challenges and issues facing the multi-billion dollar digital advertising industry. The presentation is a detailed look at the intricacies of the advertising ecosystem, the advent of programmatic advertising, the economics of advertising fraud, and the rise of non-human traffic and malicious content that is currently plaguing the industry. This talk will include, but is not limited to:

• The Digital Advertising Ecosystem and Programmatic Advertising – A primer on the digital advertising industry for the security practitioner.

• Convergence with Security – The security challenges and issues facing the digital advertising industry.

• Publisher Based Ad Fraud, Traffic Generators, Marketplaces and Exchanges – An introduction to the world of fake traffic and digital advertising fraud.

• Malware, Bots and Non-Human Traffic – Role of bots and malware in the digital advertising world.

Demystifying A Malware Attack
by: Christopher Elisan
(PDF) (Video)
The media reports different malware attacks, different lamentations from those affected and different opinions of industry experts. What is lost in the conversation is the background: how these attacks are started, what the different recipes for successful attacks are, and who is behind them. This talk will present what goes on in an attack and the different technologies and people involved.

Exploiting Home Routers
by: Eskie Cirrus James D. Maquilang, C)PEH
(PDF) (Video)
And Jesus said “Why do you look at the speck of sawdust in your brother’s eye and pay no attention to the plank in your own eye?”
- Matt 7:3
Lots of us are looking for VULNERABILITIES anywhere: sites, systems, programs, other networks, other wifi. But have we checked our HOME for vulnerabilities? Home routers have lots of vulnerabilities and GREAT potential for documenting vulnerability research for CVEs. I will show you remote SSID changing using a malicious website, Denial of Service, XSS, and getting router credentials.

Halcyon – A Faster Way to Build Custom Scripts for Nmap Scans
by: Sanoop Thomas
(PDF) (Video)
Halcyon is the first IDE specifically focused on Nmap Script (NSE) development. This research idea originated while writing custom Nmap scripts for enterprise penetration testing scenarios. The existing challenge in developing Nmap scripts (NSE) was the lack of a development environment that makes it easy to build custom scripts for real-world scanning while being fast enough to develop such scripts. Halcyon is a free-to-use, Java-based application that comes with code intelligence, a code builder, auto-completion, debugging and error correction options, and a bunch of other features that other development IDEs have. This research was started to give researchers a better development interface and environment, and thus increase the number of NSE writers in the information security community.

Halcyon IDE understands the Nmap libraries as well as traditional Lua syntax. Commonly repeated code such as web crawling and brute-forcing is pre-built into the IDE, which saves script writers time when developing the majority of test scenarios.

Ransomware: Battling A Rapidly Changing And Booming Industry
by: Jaaziel Sam Carlos
(PDF) (Video)
The first cases of ransomware infection were seen in 2005. This ransomware, known as PGPCODER, blackmailed victims into paying $100-$200 for the decoder. In 2013, ransomware continued to evolve with the rise of Cryptolocker, a ransomware that encrypts files on a system using AES + RSA encryption, making it virtually impossible to decrypt without the private or master key.

During 2016, several notable ransomware variants have emerged in the wild. These include a ransomware that locks the system from the boot sector; a crypto-ransomware variant with a ‘voice’ capability; and a ransomware that has employed a live chat service through which a victim can negotiate with or ask questions of the threat actors.

This paper aims to discuss the latest trends in the ransomware industry. It will cover the newest extortion techniques and the most common entry vectors employed by ransomware. We will also present indicators of possible ransomware attacks and, more importantly, how users can protect themselves against ransomware with existing solutions.

Remote code execution via Java native deserialization
by: David Jorm
(PDF) (Video)
Java's native serialization mechanism does not expose the same obvious RCE vectors as Python Pickle or XStream, and as such it is widely adopted in both commercial and open source applications. It does, however, expose RCE if certain conditions exist in classes on the server's classpath. This presentation will explain these conditions in detail, examine several instances of vulnerable classes in major Apache components, demonstrate exploitation, and provide best practices to avoid vulnerability.

Reversing Swift Apps
by: Michael Gianarakis
(PDF) (Video)
Since its introduction at WWDC in 2014, Swift has progressed significantly as a language and has seen increased adoption by iOS and OS X developers. Despite this, information pertaining to reverse engineering Swift applications is sparse and not openly discussed. This talk will dive into the Swift language and explore reverse engineering Swift apps from a security perspective. Topics covered include a quick intro to Swift from a pen tester's perspective, various methods for obtaining class information from Swift binaries, Objective-C/Swift bridging, Swift runtime manipulation and function hooking.

Shifting Paradigms from Windows to Mac
by: Nicholas Carlo T. Ramos
(PDF) (Video)
Much has been said about Apple and Mac users being less prone to security and malware attacks, leading them to have a false sense of security with regard to their devices. We know that this is no longer the case; based on the National Vulnerability Database (NVD) in 2014, Mac OS X had the highest number of vulnerabilities reported among all operating systems, with four times the number of vulnerabilities compared to those reported on Microsoft Windows 7. A recent example is the DYLD_PRINT_TO_FILE vulnerability, which, when exploited, enables attackers to gain root-level access to your Mac. As more vulnerabilities are exposed, Mac malware will continue to increase, just as its market share is increasing.

Since most malware and threat actors have long been acting on the “old” stage, the Windows platform, reverse engineers and security analysts may also be accustomed to malware analysis for Windows. Mac OS X analysis is an arena that is still waiting to be developed, and transitioning from Windows to Mac OS X threat analysis entails familiarity with Mac’s file formats, directory structure, processes, tools, and other artifacts. One also needs to ask how some common Windows malware routines such as terminating processes, redirecting URLs, disabling firewalls, and hiding files can be performed on Mac OS X.

This paper aims to help Windows users, or those who are starting to explore Mac, make that shift. It will discuss Mac OS X file formats and well-known security features, and give a deeper understanding of how malware can take advantage of the platform. It will compare artifacts that threats commonly abuse on Windows with their counterparts on Mac, and provide information on the persistence methods malware can use. Lastly, it will discuss the latest notable Mac malware, the rise of Potentially Unwanted Applications (PUAs), Windows versus Mac OS malware trends, and the future of Mac threats.

Tranewreck
by: Jeff Kitson
(PDF) (Video)
This talk covers the reverse engineering and exploration of the Trane ComfortLink thermostats. These devices are manufactured by Trane, a popular heating and cooling company offering Z-Wave and WiFi enabled thermostats packaged with their appliances. This talk covers a vulnerability in the Trane ComfortLink thermostats that allows for remote manipulation and information extraction by an attacker. The devices are vulnerable by default, and this talk addresses the physical dangers posed by this vulnerability to customers. The tools and methods used in finding this vulnerability are also discussed at length in the presentation, along with a video demonstration of the exploit in action.

Trainings


Hacking 101 by: Dan "DevNull" Duplito
This training is a 2-hour teaser class for the 2-day "Hacking 101" course offered by ISOG and ISACA with the following description: Want to shift career to Information Security but just don't know how or where to start? Already part of an infosec team but want to know what else is in store for you? Or you're simply curious about "hacking" and the "hacker culture"? Then this unique, hands-on training is for you! Build the right foundations and start your infosec career smart. Develop the "hacker" mindset (without getting into trouble) and use this knowledge to defend your networks, systems and employees against malicious hackers.
(PDF)

Metasploit by: Jay "Shipcode" Turla
This short course will teach students how to set up and use the Metasploit Framework in a structured and professional manner for penetration testing. We will also touch on the lesser-known features of Metasploit and its integration with other tools to complement our penetration testing methodology.
(PDF)

Web Security by: Jonathan Mantua
Jonathan Mantua is the co-founder of Pandora Security Labs, and currently serves as CTO. Jonathan has been developing systems for over 5 years: security products, chat systems, mobile and web applications, management systems, etc., and he has been applying agile and secure SDLC (software development life cycle) practices across the organization he works in. Jonathan also teaches secure programming at DLSU-Manila, College of Computer Studies.
(PDF)

Mobile Security by: Michael Gianarakis
iOS and Android Penetration Testing Basics

The training will focus on how to start an iOS or Android penetration test.

Speakers

Berman Enconado
Lead Malware Researcher, ThreatTrack Inc Threat Engineering Team

Reverse engineer with 13+ years of experience in the security industry. His research these days revolves around threat intelligence, static and dynamic behavior machine learning, anomaly-based detections and the usual reversing of programs.

Christopher Elisan
Christopher Elisan is a seasoned reverse engineer and malware researcher. He is currently the Principal Malware Scientist at RSA. He has a long history of digital threat and malware expertise, reversing, research and product development. He started his career at Trend Micro as one of the pioneers of TrendLabs. This is where he honed his skills in malware reversing. After Trend Micro, he built and established F-Secure's Asia R&D, where he spearheaded multiple projects that include vulnerability discovery, web security, and mobile security. After F-Secure, he joined Damballa as their resident malware subject matter expert and reverse engineer. Aside from speaking at various conferences around the world, he frequently provides expert opinion about malware, botnets and advanced persistent threats for leading industry and mainstream publications. Christopher Elisan is also a published author. He authored "Advanced Malware Analysis" and "Malware, Rootkits and Botnets." He co-authored "Hacking Exposed: Malware and Rootkits." All books are published by McGraw-Hill.

David Jorm
David has been involved in the security industry for the last 17 years. During this time he has found many high-impact and novel vulnerabilities, handled security response for dozens of open source projects, led a Chinese startup that failed miserably, and wrote the core aviation meteorology system for the southern hemisphere. He is currently part of the Trustwave SpiderLabs team.

Eskie Cirrus James D. Maquilang, C)PEH
Much of his time is spent on removing viruses, decrypting VB Script (http://pastebin.com/HdcZvDNc) and PHP backdoor shells (750991726bdebae4b93a09024bdbaf60), researching vulnerabilities, and automating things. He has been involved in projects on digital archiving, mass texting, web development, middleware, and database systems. There is an extreme satisfaction in me when I find system vulnerabilities.

Jaaziel Sam Carlos
Technical Lead of the Threat Response Team under the Core Technology operations group at TrendLabs, the global technical support and R&D center of Trend Micro. He analyzes different threats, creates signatures for detection, and is also a contributor to the TrendLabs Security Intelligence blog. Currently, he is focused on PUA and ransomware research and prevention. He is a licensed Electronics Engineer and Technician.

Jeff Kitson
Jeff Kitson is a Security Researcher with the Vulnerability Assessment Team of Trustwave SpiderLabs. His career began with full-stack web development before moving into system administration and eventually vulnerability and security research. His current work includes maintaining and developing vulnerability tools within Trustwave. His research interests include IoT devices and extracting information with software-defined radio.

Lawrence E. Hughes
BS in Math (minor physics) FSU, 1973. 43 years in IT, now doing 5th venture. The 3rd venture (CipherTrust, secure e-mail proxy, based in Atlanta) was a rocking success with a $273M exit. Created the training on crypto and PKI (and ran around the world presenting it) 1998-2000. World class expert on PKI and IPv6 (see www.v6edu.com, which runs on a server in my Singapore apartment, and is used from about 130 countries). Married to a gwapa Filipina for 22 years with three FilAm kids, all born in Cebu.

Mark Ryan Talabis
Mark Ryan Talabis is a Senior Managing Consultant for the IBM (NYSE:IBM) AP Security Services Center of Competency. He was formerly the Chief Security Scientist for Zvelo Inc, the Director of the Cloud Business Unit of FireEye Inc (NASDAQ:FEYE), Lead Researcher and VP of Secure DNA and an Information Technology Consultant for the Office of Regional Economic Integration (OREI) of the Asian Development Bank (ADB).

He is a co-author of two books from Elsevier Syngress: "Information Security Analytics: Finding Security Insights, Patterns, and Anomalies in Big Data" (2014) and "Information Security Risk Assessment Toolkit: Practical Assessments through Data Collection and Data Analysis" (2012). He has presented at various security and academic conferences and organizations around the world including Blackhat, Defcon, Shakacon, INFORMS, INFRAGARD, ISSA, and ISACA. He has a number of published papers to his name in various peer-reviewed journals and is also an alumni member of the Honeynet Project. His previous work includes helping advertisers and ad networks find ways to combat non-human traffic. He is a member of the anti-malware working group of the Interactive Advertising Bureau (IAB).

He has a Master of Liberal Arts degree (ALM) in Extension Studies (concentration in Information Technology) from Harvard University and a Master of Science (MS) degree in Information Technology from Ateneo de Manila University. He holds the Certified Information Systems Auditor (CISA) and Certified in Risk and Information Systems Control (CRISC) certifications.

Michael Gianarakis
Michael Gianarakis is the Director of Trustwave's SpiderLabs team in the Asia Pacific region. Michael has presented at various industry events and meetups in the region, including Black Hat Asia, YOW Connected, CrikeyCon and WAHCKon. Michael also helps organise the Brisbane SecTalks meetup.

Nicholas Carlo T. Ramos
Nicholas Ramos has been working in information security for more than 11 years, having held positions related to network solutions development, heuristics, and emerging threats analysis. He is currently a Senior Malware Trainer under the Core Technology operations group at TrendLabs, the global technical support and R&D center of Trend Micro. He trains new anti-malware engineers in the fundamentals and techniques of malware reverse engineering, and provides threat awareness and training for other Trend Micro employees. He has conducted anti-cybercriminal trainings with INTERPOL in Europe, Asia, and Latin America.

He has a passion for cars and loves to travel. He holds a degree in Electronics and Communication Engineering and is a patent holder approved by the United States Patent and Trademark Office.

Sanoop Thomas
Sanoop Thomas, aka s4n7h0, is one of the core team moderators of the null Singapore chapter and works as a security consultant, mainly involved in security assessment of web applications, mobile, networks, and infrastructure. His areas of interest lie in threat research and automating pentest and analysis methodologies. He has dealt with many internet threat research efforts and worked with multiple research groups focusing on internet safety. He has also authored Xtreme Vulnerable Web Application (XVWA) and Halcyon. He has presented his research at multiple security conferences such as OWASP India, Nullcon, Black Hat Asia and many others.

Wilson Chua
Wilson is an IT and business geek from Dagupan, Pangasinan. He finished his master's in IT Program Management at the top of his class at the National University of Singapore (NUS). He is now based in Singapore and is currently certified in big data analytics.

Wilson correctly predicted the landslide victory of President Rodrigo Duterte in the last Philippine presidential elections based on Twitter sentiment analysis.

He decided not to renew his other certifications: Microsoft MCSE, Cisco CCNA, EC-Council Ethical Hacker, and PMP Project Management.

Contests

Winners receive the Black Badge, which entitles them to free entrance to next year's conference.
Capture The Flag - Team Harambae
Semprix' Mysterybox - no winner
Hacker Jeopardy - Team Shibal
