Time: 1400 - 1830 HKT. The Zoom link will be provided to approved joiners.
| Speaker | Topic | Abstract | Bio | Contact |
|---|---|---|---|---|
| Alan HO x Darkfloyd | From incident to IIS backdoor | During the pandemic, a lot of enterprises use VPNs for accessing office desktops and servers remotely. When our team was handling an incident about SSL VPN exploitation, we discovered deeper malware in the servers. | Alan Ho has 10+ years of experience in cyber security, including penetration testing, incident response, application security and security consultancy. He is the co-founder of and a security researcher at VXRL. He is working as a contracted CISO in an online gaming company. He is also a Red / Blue Lab architect and instructor. He is certified as OSCP, SANS GWAPT and GCIH, and published a SANS Gold Paper, "Website Security For Mobile". | @alan_h0 |
| Chris CHAN (a.k.a. Dragon) | Case study of a webshell evolution in a religious group | As a web hosting company, my team helps manage client server security and performance. Last year a cyber-security firm released a report that one of our clients was targeted by state-sponsored hackers. We then discovered a hidden webshell on our client's old web application server. The webshell can bypass web application firewall detection and provide advanced features to hackers via an encrypted channel. We downloaded the sample and examined what actions the webshell can perform. | Chris Chan holds all Offensive Security certifications (OSWP, OSCP, OSCE, OSWE, OSEE). Vulnerability hunter on bug bounty platforms. Owner of 2 CVEs on an e-learning platform. Over 10 years' experience in cyber security research, mainly focusing on web application security. | --- |
| DarkFloyd x Boris | Hunting security bugs with CodeQL | A basic introduction to CodeQL, a walkthrough of the CodeQL structure and popular libraries, why it is important to OWASP, and a demo of a way to identify bugs. | 404 | @darkfloyd1014 |
| FileDescriptor | Contemporary JavaScript Prototype Pollution | JavaScript Prototype Pollution has existed for a while, yet there were only a few exploitations in the wild. Last year, we saw much new research and many exploitation techniques (gadgets) regarding this topic. In this talk, I will go over the recent trend of the attack and how it is a perfect bug type for bug bounty hunting. | Filedescriptor is a security researcher with 6 years' experience specializing in client-side (especially XSS) and browser security. He works for Cure53 as a penetration tester. As a bug bounty hunter, he is known for being #1 on Twitter's bug bounty program. He is one of the creators of the Reconless YouTube channel. | @filedescriptor |
| Juno | Building secure modern web services | Today, web services are built on many microservices based on cloud architecture. In this talk, I will share case studies about building a secure web service and mitigating lateral movement in that architecture, from a security researcher's perspective, drawn from our security assessments at South Korean companies. | Juno Im is a security researcher at Theori. As a security researcher, he focuses on web service/application security. He has won bug bounties from global vendors (Google, Samsung, ...) and has played CTFs as "koreanbadass" and "the duck". | @junorouse |
| Orange Tsai | A Journey Combining Web Hacking and Binary Exploitation in the Real World | This talk demonstrates an exploit chain combining web security, binary exploitation and a little bit of cryptography into a full RCE. Instead of a theory-based attack or CTF challenge, this is a real-world case from my red-teamer experience! | Principal Security Researcher at DEVCORE; Captain of HITCON CTF Team; Member of CHROOT; Winner of the 2019 Pwnie Award for Best Server-Side Bug; Winner of the 2017 and 2018 Top 10 Web Hacking Techniques; Speaker at Black Hat USA/ASIA, DEFCON, HITCON, HITB, CODE BLUE, Hack.lu and Wooyun Summit; 0day researcher focusing on web/application security. Blog: https://blog.orange.tw/ | @orange_8361 |
| Ron Chan | Hacking 1Password | --- | Ron Chan is a security consultant turned white hat hacker under the alias 'ngalog'. He is a top-ranked hacker on HackerOne, having identified over 390 vulnerabilities in companies including GitLab, Uber, PayPal, Airbnb and Twitter. In 2019, Ron joined H1 Elite in recognition of his exceptional work on the platform, earning a custom comic book cover. Ron has a degree in Pure Physics from The Hong Kong University of Science and Technology. | @ngalongc |
| FireBird CTF | Nurturing cybersecurity enthusiasts with CTF competitions | Capture The Flag (CTF) is a kind of computer security competition that tasks you with discovering vulnerabilities and breaking into seemingly secure systems. We will explain what we learned while playing these CTF games, and give a brief overview of Hong Kong local CTF teams and events. We will also share our experience from our new experimental course COMP4901N, which provides the fundamentals of CTF to students. | Firebird CTF Team from HKUST is one of the academic CTF teams in Hong Kong. We hold regular sharing sessions and Capture The Flag (CTF) games, aiming to raise cyber security awareness among students. Cousin Wu: Captain of Firebird CTF Team. Final year student at HKUST studying pure mathematics and computer science. CTF player. Interested in cryptography. Ringo Lam: Former captain of the Firebird CTF Team. HKUST BEng Computer Science 2020 graduate. CTF player. Interested in frontend development and web security. | https://ctftime.org/team/65249 |