ROOTCON is the largest and premier Information Security Conference and Hacker gathering in the Philippines. The group behind ROOTCON started operations on December 27, 2008. It was then registered as DEFCON Group 6332 and carried the name DEFCONPH.
After going through copyright issues, the group was renamed PinoyGreyHat until its founder decided to rebrand to a more neutral and conference-friendly name: ROOTCON. The name was officially changed on August 9, 2010.
Among the objectives of ROOTCON is to foster camaraderie and sharing of expertise through IT Security conferences and gatherings. It also aims to spread the essence of the hacker culture here in the Philippines.
ROOTCON holds an annual hacker conference, along the months of September or October, which is packed with awesome topics, challenges and parties. Aside from the yearly conference, the group is also responsible for organizing the first ever inter-university Hacker Capture the Flag (CTF) and InfoSec gathering for university students.
This year, the 10th iteration and anniversary of ROOTCON or simply ROOTCON 10 is happening on September 22 to 24, 2016 at the Taal Vista Hotel in Tagaytay City, Philippines.
Just like last year, we will still have our electronic hacker badges for you guys and as a side note. ROOT CON is the first hacker conference in Asia to have a hacker electronic badge.
One of the main reasons why geeks go to a hacker conference and information security gathering are the awesome lineup of speakers and interesting talks. Here are the first batch of talks that got accepted (stay tuned for the next batch of talks that will be announced):
Certificate Based Strong Client Authentication as a Replacement for Username/Password
by: Lawrence E. Hughes
Username/Password Authentication (UPA) is trivial to hack today, even when used with SSL protected websites (e.g. keyboard sniffer). A username/password database on a server is a juicy tidbit for a hacker to do mass harvesting of credentials, for fun or profit. Cracking even hashed/salted passwords is not rocket science. Most passwords can be found on the most common 10,000 list. Humans are notoriously bad at coming up with good passwords, and even those can be discovered. Now completely ineffective.
SSL/TLS has been around for a number of years, and provides good server to client authentication (you know you are connected to Amazon.Com’s server), and securely exchanging a symmetric session key (for encryption), but today most sites and apps are still using UPA for client to server authentication. Encrypting it helps against script kiddies but not against a competent hacker. 2FA (e.g. SMS or OTP token) helps, but does not prevent attacks on UPA. To be honest, for the most part Amazon could care less who YOU are, so long as your credit card payment clears. Other sites (like banks) care very much who you are. They don’t want some dude in Kazakhstan named Gregor emptying your account.
Fortunately, there is another part of the SSL/TLS handshake that is a very powerful replacement for UPA. It isn’t just a bandaid for a badly broken scheme (like 2FA), it replaces that broken scheme completely.
Demystifying A Malware Attack
by: Christopher Elisan
The media reports different malware attacks, different lamentations from those affected and different opinions of industry experts. What is lost in the conversation is the background: how are these attacks started, what are the different recipes of successful attacks and who are behind them. This talk will present what goes on in an attack and the different technologies and people involved.
Exploiting Home Routers
by: Eskie Cirrus James D. Maquilang, C)PEH
And Jesus said “Why do you look at the speck of sawdust in your brother’s eye and pay no attention to the plank in your own eye?” – Matt 7:3 Lots of us are looking for VULNERABILITIES anywhere, sites, systems, programs, other networks, other wifi. But have we checked our HOME for vulnerabilities? Home Routers has lots of vulnerabilities and has GREAT potential in documenting vulnerability researches for CVEs. I will show you some remote SSID Changing using malicious website, Denial of Service, XSS, and getting router credentials.
Halcyon – A Faster Way to Build Custom Scripts for Nmap Scans
by: Sanoop Thomas
Halcyon is the first IDE specifically focused on Nmap Script (NSE) Development. This research idea was originated while writing custom Nmap Scripts for Enterprise Penetration Testing Scenarios. The existing challenge in developing Nmap Scripts (NSE) was the lack of a development environment that gives easiness in building custom scripts for real world scanning, at the same time fast enough to develop such custom scripts. Halcyon is free to use, java based application that comes with code intelligence, code builder, auto-completion, debugging and error correction options and also a bunch of other features like other development IDE(s) has. This research was started to give better development interface/environment to researchers and thus enhance the number of NSE writers in the information security community. Halcyon IDE can understand Nmap library as well as traditional LUA syntax. Possible repetitive codes such as web crawling, bruteforcing etc., is pre-built in the IDE and this makes easy for script writers to save their time while developing majority of test scenarios
Mommy and Daddy Lie (InfoSec philosophies for the Corrupt Economy)
by: Lawrence Munro
The majority of systematic approaches to information security are forged in the crucibles of stable nation states, where the design assumes that the originator is wholesome and true, the playing field is lush and green and the children frolic care-free painting sea shells and making daisy-chain necklaces. When faced with economic crises, institutionalized corruption and really, really naughty people, do these models and playbooks stand up to the challenge? This talk discusses the realities of corrupt economies, with war stories from interviews conducted with the protagonists, accomplices and victims as part of my research. The challenges that arise from operating within or on the periphery of a corrupt organisation are discussed, including: the impact this has on threat and risk models, becoming part of the problem and the risk posed to third parties. A basic understanding of threat modelling and the economies of Greece, Brazil, Nigeria and South Africa is advantageous in getting the most out of this talk.