09:00 – 09:30 Welcome and an update on CREST in Southeast Asia, Rowland Johnson, President, CREST International & Emil Tan, Regional Advocate
10:00 – 10:45 Lawrence Amer, Cyber Security Manager, DarkLab Hong Kong PwC, Bypass the detection & prevention obstacle: red teaming technique
Introducing a newly uncovered process hollowing technique that is used to bypass and evade detection and prevention technologies. The presentation includes detailed security research, shipped with an unreleased tool, that achieves a full bypass of the majority of well-known security products.
Lawrence will show how it is weaponised during a red teaming engagement, applying the obfuscations and deploying such an attack in a fully secured environment.
11:00 – 11:45 Sven Schleier, Technical Director, F-Secure Singapore, Intercepting Network communication of mobile apps
Sven will take a deep dive into intercepting the network communication of mobile apps and their APIs and cover the different challenges you might face when doing so. You might think – what’s the problem? Simply configure Burp Suite, install the Burp Certificate Authority (CA) on the mobile device and set the system proxy to point to Burp. This is definitely true, but it only covers the ‘ideal’ scenario!
But what about the following use cases?
– The app is built in Flutter or Xamarin. In that case the app will not use the system proxy but bypass it: the proxy you set in iOS and/or Android will be ignored by the app.
– Not every app relies on HTTP; to avoid the overhead of HTTP, plain TCP might be used instead. You will also sometimes see XMPP or other protocols. Burp only understands HTTP.
– You might not be able to use a jailbroken or rooted device in the client’s network.
These are only some of the challenges you might face when trying to intercept the communication of a mobile app to become a Man-in-the-Middle.
This talk will present and follow a methodology for intercepting the network communication between a mobile app and its APIs, enabling the audience to tackle all of the use cases described above. To do this, the presentation gives detailed technical demos that overcome each challenge and allow you to master them.
Sven is the Technical Director of F-Secure Singapore and has more than 10 years of hands-on experience in attacking and defending web and mobile apps. He specialises in Application Security and has supported and guided software development projects for Mobile and Web Applications throughout the whole SDLC.
Besides his day job, Sven has since 2016 been one of the core project leaders and authors of the OWASP Mobile Security Testing Guide (MSTG) and the OWASP Mobile Application Security Verification Standard (MASVS). Sven gives talks and workshops about Mobile Security worldwide to audiences ranging from developers to students and penetration testers.
11:45 – 12:15 Break
12:15 – 13:00 Anton Bolshakov, Managing Consultant, IT Defense, MDM and client-side controls
Client-side controls are increasingly becoming a staple in mobile and web application security. While client-side controls such as code obfuscation, jailbreak detection, certificate pinning, non-standard parameter formatting, E2EE and MDM/MAM solutions help raise the bar for potential attackers, many organisations use them as their only line of defense. They often challenge pentesters to prove that these client-side controls can be defeated. This reflects a lack of understanding of what a client-side control offers, and it impacts pentesters, who have to allocate precious time during engagements to defeating these controls before testing of the actual target can start. Using Mobile Device Management (MDM) as an example, this presentation will show that, given sufficient time, it can be defeated, rendering it ineffective and in some cases exposing an organisation to unexpected risks. Using two MDMs as examples, Anton will show the internal mechanisms of MDM and explain what MDM can and cannot protect against.
Anton is a Managing Consultant with ITDefence, based in Singapore. He is a highly experienced Security Consultant, having previously held the role of Manager in the Performance and Technology Practice and member of the Information Protection and Business Resilience Team at KPMG LLP, and Senior Security Consultant at Dimension Data. Anton has managed and executed hundreds of Security Assessment projects across the Government, Telecommunications and Financial Services sectors in the APAC Region. He is held in high regard by clients and peers for his knowledge and skills in vulnerability identification and exploitation.
13:15 – 14:00 Jamie Riden, IO ACTIVE, How we hacked some billion dollar companies for forty bucks
Four examples in which a combination of lower-risk flaws allowed the IO ACTIVE red team to compromise the perimeter of a large organisation and cause a slightly unpleasant surprise for the client. Jamie will demonstrate how chaining a few seemingly insignificant issues can have serious real-world consequences, and can be exploited by an attacker with a small amount of money, a modicum of talent and a lot of patience. The presentation will also describe measures to prevent such attacks and to detect them while in progress.
Jamie Riden has worked in penetration testing for 11 years and in information security for twice that, and has tested systems as varied as a hoover and a Cray. He has experience of software development, system administration, building honeypots and blue team work. He is interested in password cracking and has built or improved password cracking rigs at three UK pentest companies. He has an Erdős number of 4.
CREST’s flagship event in the UK welcomes over 450 delegates from the security industry in a wide range of positions, ranging from CISOs and senior managers through to senior penetration testers, threat intelligence analysts and brand new entrants to the industry.
Be a part of this year’s CRESTCon Asia event by clicking below, or contact email@example.com for further details.
CRESTCon Asia 2021 Tickets