
Event Timeline

Day 1 (25 April 2024)

Research Day

Welcome speech
Boris So (9:00am - 9:15am)

Welcome speech and celebration of the first BSides Hong Kong event.


Techies 101: The Importance of Commercial behind the Technical
Philip Mok (9:15am - 10:15am)

A very common phenomenon for technical practitioners is getting to the point in your career of being "caged". Not being able to dig deeper into advanced exploits due to resource/schedule limitations, or encountering "brick walls" that stop you advancing to your next pay-grade when staying in a technical role. You might even have a senior/boss who blindly abuses the phrase "try harder" by throwing you into the deep end with some "FYR" PDFs, thinking everyone learns in the same way. This frustration and negativity eventually breeds bad blood and in the worst cases results in a change of field. I believe snuffing out the passion of aspiring practitioners due to these contextual factors is a great shame to both the practitioner and the industry's growth. I started as a full-on technical practitioner and mid-way switched to become a business owner at a Big4, and in this session I will share with you my takeaways and experience to avoid death-spirals in your journey.


Windows Active Directory Security Hardening

Ernestine Hung (10:15am - 11:15am)

Simple Windows AD attack methods and the techniques behind them, how to determine whether any relevant evidence exists, and ways to harden the environment.


Public cloud secure architecture
Man Yu (11:15am - 12:15am)

Experience sharing on constructing a secure public cloud environment resilient to the modern digital threat landscape is the focus of this session. It will delve into the shared responsibility model, emphasizing the importance of identity and access management in cloud security. Attendees will learn the industry practices for establishing a secure network with integrated encryption and strong authentication methods. The talk will highlight the necessity of aligning with industry regulations and maintaining effective governance within the cloud. Furthermore, it will share an overview of advanced methods for threat detection and response, ensuring that proactive defense mechanisms are actively in place.


Lunch Break (12:15pm - 2:00pm)

Lunch break.


LLM Prompt Injection in Practice
Hebe Au (2:15pm - 3:15pm)

This session offers an overview of machine learning (ML) versus deep learning (DL) and an introduction to natural language processing (NLP), with an emphasis on the intricacies of text processing within large language models (LLMs). It will cover three key concepts in AI: LLM, prompt engineering, and prompt injection. I will share publicly known exploitations of prompt injection and a "tricky" way to write a prompt to get some interesting information from an LLM.


Security Aspects of Chrome Extensions
Janet Tsang (3:15pm - 4:15pm)

The current lack of standards for HTTP header configuration has led to inconsistencies in implementation, leaving some users vulnerable. This session will begin with an introduction to the fundamentals of Chrome extensions, and then explore the basics of Chrome extension development. Security considerations will also be discussed when utilizing Chrome extensions through demonstrations utilizing various APIs related to security use cases.


TPM Sniffing with Raspberry Pi for the Price of a Lunch

Ringo Lam (4:15pm - 5:15pm)

In this sharing, Ringo will share his journey of defeating BitLocker disk encryption protected by a Trusted Platform Module (TPM). He achieved this using a logic analyzer, and he has also developed a custom tool with an overclocked Raspberry Pi to perform the attack easily without specialized equipment.


From Recon to Reward: A Short Hunting Journey mainly through Access Control
Louise Ng (5:15pm - 6:00pm)

Simple access control tricks to discover vulnerabilities in real-world applications and earn rewards in a short period.

Day 2 (26 April 2024)

Workshop day

OffSec Incident Response Workshop
Dr. Malcolm Shore (9:00am - 12:00pm)

This session is a hands-on workshop which introduces attendees to the concepts of the OSDA IR200 course. The workshop is based on the use of the Velociraptor Incident Response tool and a set of pcap files which contain logs for an attack on a 5-host target.

Topics:

  • Introduction to IR200

  • Introduction to Velociraptor

  • Student investigation of incident

  • Instructor walkthrough of incident investigation


Lunch Break (12:00pm - 2:00pm)

Lunch Break.


AWS DevSecOps
Andy Wong & Alvin Deng (2:00pm - 6:00pm)

Most enterprises start their DevSecOps journey by introducing test automation and security scanners into the CI/CD pipeline. While security scanners can be very useful when used correctly with rule customization, it requires advanced security and software engineering skills such as the understanding of complex exploits and AST (Abstract Syntax Tree), and it does not cater for testing of security related business logic or application specific corner cases. Furthermore, these tools are generally not flexible enough to cater for management of complicated test cases at scale. As a result, most enterprises face the same challenges right after starting their DevSecOps journey to shift-left security, because simply plugging in scanners and throwing scan results to developers is not shift-left, it's shifting responsibility.

A BDD (Behavior-Driven Development) approach to security can be a lifesaver for a software engineer dealing with security problems. Have a look at our sharing at AWS Summit here - "https://hktw-resources.awscloud.com/aws-summit-hong-kong-2023/dealing-with-challenges-of-devsecops-practice-in-enterprises" in which we introduced the concept of BDD security test automation as well as fuzzing, long practiced by big tech and mega FSI. This time, we will guide you through a DIY lab in which you can get your hands dirty and try to build your first security test cases.


Practical Drone Hacking

Captain Kelvin & Cato Yuen (2:00pm - 6:00pm)

Advancements in UAV technology are opening new opportunities and applications in various fields of life. However, these advancements are also causing new challenges in terms of security, adaptability, and consistency. Small drones especially suffer from architectural issues and from the definition of security and safety issues. In this course, we will introduce security risks and design considerations in designing and implementing drone systems as well as operating drones in a safe and secure way. It covers technical details from hardware to software, from attack to defense related to drone security. Participants will get first-hand experience in attacking drones via hardware disassembly, signaling, software programming, and forensics. At the same time, participants will attempt to design their own secure drone control system architecture and implement their own drone control protocols via embedded and client programming, supported by an open programming platform with commodity hardware.
