Cons Cons Cons–2015 the year of the Cons

So this has been an interesting start of a year for my career transition into Infosec/Netsec. In March I was able to attend Black Hat Asia 2015 and Syscan 2015 (both in Singapore). On the 28th, I’m heading up to Beijing to attend ISC 2015, considered to be one of the largest China-based conferences. At the end of November I’ll be at DefCamp in Romania.

Black Hat was way too commercial for my liking. Coming from an ol’ school underground teenage hacker past (think 2600, L0pht, cDc etc), I wasn’t so impressed. They did have an amazing buffet and one or two decent talks (Mana from Heaven–Daniel Cuthbert) but it was really geared towards the corporate money/people/power. Did meet many security vendors from Singapore in the business hall and hopefully those contacts will be useful.

Syscan was what I really think of when I think Con. Laid back, filled with people who breathe and live security and are the practitioners who do it for fun, not just to pay the bills. The talks were very technical yet still filled with fun. All in all my type of people. I was able to meet many key people in the industry and chat with a few people I have known about from reading various hacking sites, zines, and discussions with my former hacking crew. If you had to pick a Con to go to in Asia, this is hands down my selection and I advise anyone to go next year. I know I will be. Thank you Thomas Lim/Coseinc for allowing me to partake in the awesomeness of Syscan.

I will try to do more in-depth reviews soon of each.

I look forward to the next two cons I will soon be attending. If any readers happen to be attending, email me at john at this domain and let’s grab a drink.

Helping out–Enumeration of your target

Last week I saw a post on r/AskNetsec with a Redditor asking for help reaching out to a Hong Kong company that had all of its company data open to the internet (non-password protected directory on their server). I volunteered to help the Redditor as I understand Chinese.

The Redditor had trouble finding contact info for the company and after looking at the company name, I went on a hunt to see what data I could enumerate on the company.

Sun Tzu once said:

夫未战而庙算胜者,得算多也;未战而庙算不胜者,得算少也。

The general who wins the battle makes many calculations in his temple before the battle is fought. The general who loses makes but few calculations beforehand.

This holds true for pentesting or really any form of NetSec. You need to spend time learning everything you can about your target to help you strategically plan your attack. While I was doing this to be helpful, the enumeration of a company is a key first step in any pentest engagement.

I was quickly able to find an email, phone number, and a name of a contact for the company so the Redditor could contact them. I also reached out to the company contact with an email in Chinese in case they could not understand the Redditor. Hopefully this has protected a company from losing lots of corporate data and personally identifiable information of its employees and clients.