CONs Hacker Conference News RootCON

RootCON 10 – Premier Hacking Conference in the Philippines [Updates]

Hello guyz RootCON 10 “The Largest Hacker Conference in the Philippines” is nearly coming, ROOTCON 10 will be held at Taal Vista Hotel, Tagaytay on September 22-24, 2016.

What: ROOTCON 10
When: September 22-24, 2016.
Where: Taal Vista Hotel, Tagaytay

email://comms[at]rootcon dØt org


RootCON registration is now,this conference is now BS just pure awesomeness! So what are you waiting for be part of the largest hacking conference in the Philippines!

REGISTER NOW!!!registration_poster


What is RootCON?

ROOTCON comes from the two words “ROOT” (super user on Unix systems) and “CON” (conference). ROOTCON operation started 27-December-2008, registered as DEFCON Group 6332, and carried the name DEFCONPH. The group held two small gatherings under DEFCONPH – known as the BeerTalks.

The main objective of the group is to provide a quality – yet fun, form of hacking conference.

ROOTCON is open to everyone. Previous participants have included InfoSec personnel, developers, businessmen, students, lawyers, feds, and the like.

ROOTCON holds an annual hacker conference, along the months of September or October. The conference first started in Metro Cebu, 3 events namely ROOTCON 2 (a.ka. BeerTalk 2), ROOTCON 3 (a.k.a GreyHat Gathering) and ROOTCON 4 were held in Metro Manila. Until such time the founder decided to give a strategic venue for Luzon and Mindanao con-goers so all succeeding events are now held in Metro Cebu. With the same crew and team on board, ROOTCON is still the premier hacking conference in the Philippines.

RootCON 10 Talks:

Certificate Based Strong Client Authentication as a Replacement for Username/Password
by: Lawrence E. Hughes

Username/Password Authentication (UPA) is trivial to hack today, even when used with SSL protected websites (e.g. keyboard sniffer). A username/password database on a server is a juicy tidbit for a hacker to do mass harvesting of credentials, for fun or profit. Cracking even hashed/salted passwords is not rocket science. Most passwords can be found on the most common 10,000 list. Humans are notoriously bad at coming up with good passwords, and even those can be discovered. Now completely ineffective.

SSL/TLS has been around for a number of years, and provides good server to client authentication (you know you are connected to Amazon.Com’s server), and securely exchanging a symmetric session key (for encryption), but today most sites and apps are still using UPA for client to server authentication. Encrypting it helps against script kiddies but not against a competent hacker. 2FA (e.g. SMS or OTP token) helps, but does not prevent attacks on UPA. To be honest, for the most part Amazon could care less who YOU are, so long as your credit card payment clears. Other sites (like banks) care very much who you are. They don’t want some dude in Kazakhstan named Gregor emptying your account.

Fortunately, there is another part of the SSL/TLS handshake that is a very powerful replacement for UPA. It isn’t just a bandaid for a badly broken scheme (like 2FA), it replaces that broken scheme completely.


Demystifying A Malware Attack
by: Christopher Elisan

The media reports different malware attacks, different lamentations from those affected and different opinions of industry experts. What is lost in the conversation is the background: how are these attacks started, what are the different recipes of successful attacks and who are behind them. This talk will present what goes on in an attack and the different technologies and people involved.


Exploiting Home Routers
by: Eskie Cirrus James D. Maquilang, C)PEH

And Jesus said “Why do you look at the speck of sawdust in your brother’s eye and pay no attention to the plank in your own eye?”
– Matt 7:3

Lots of us are looking for VULNERABILITIES anywhere, sites, systems, programs, other networks, other wifi. But have we checked our HOME for vulnerabilities? Home Routers has lots of vulnerabilities and has GREAT potential in documenting vulnerability researches for CVEs. I will show you some remote SSID Changing using malicious website, Denial of Service, XSS, and getting router credentials.


Halcyon – A Faster Way to Build Custom Scripts for Nmap Scans
by: Sanoop Thomas

Halcyon is the first IDE specifically focused on Nmap Script (NSE) Development. This research idea was originated while writing custom Nmap Scripts for Enterprise Penetration Testing Scenarios. The existing challenge in developing Nmap Scripts (NSE) was the lack of a development environment that gives easiness in building custom scripts for real world scanning, at the same time fast enough to develop such custom scripts. Halcyon is free to use, java based application that comes with code intelligence, code builder, auto-completion, debugging and error correction options and also a bunch of other features like other development IDE(s) has. This research was started to give better development interface/environment to researchers and thus enhance the number of NSE writers in the information security community.

Halcyon IDE can understand Nmap library as well as traditional LUA syntax. Possible repetitive codes such as web crawling, bruteforcing etc., is pre-built in the IDE and this makes easy for script writers to save their time while developing majority of test scenarios.


Mommy and Daddy Lie (InfoSec philosophies for the Corrupt Economy)
by: Lawrence Munro

The majority of systematic approaches to information security are forged in the crucibles of stable nation states, where the design assumes that the originator is wholesome and true, the playing field is lush and green and the children frolic care-free painting sea shells and making daisy-chain necklaces. When faced with economic crises, institutionalized corruption and really, really naughty people, do these models and playbooks stand up to the challenge? This talk discusses the realities of corrupt economies, with war stories from interviews conducted with the protagonists, accomplices and victims as part of my research. The challenges that arise from operating within or on the periphery of a corrupt organisation are discussed, including: the impact this has on threat and risk models, becoming part of the problem and the risk posed to third parties. A basic understanding of threat modelling and the economies of Greece, Brazil, Nigeria and South Africa is advantageous in getting the most out of this talk.

RootCON 10 – Contest  Summary:

  • Capture the Flag
  • Hacker Jeopardy

Capture The Flag – Prepare for the toughest game at ROOTCON!

Where: Track 3
When: Opens September 22, 2016 @ 1000HRS and will close September 23, 2016 @ 1200 HRS
Operating Hours: September 22 (1000 to 22000 HRS) September 23 (1000 to 1200 HRS)
Who can play? Any ROOTCON attendees except for the ROOTCON Goons and crew.

G0dFlux and Spry

There will be sets of challenges each set will be composed of 5 levels from easy to hard difficulty, the main objective of the game is to get the flag or key on each level, each level has a corresponding points, the team to achieve the most points wins the game.

1. NO DIRECT DDoS on the game servers, anyone caught attacking the server will be disqualified.
2. NO Physical Coercion on players and crew, it’s just a game after all.
3. Bring your own gears, ROOTCON will not be providing your gears.
4. Minimum team members is 2, maximum is 4.
5. Players should register prior to playing the game.
6. Players should be on the designated CTF table.

There will only be one winner to take it all.
P10,000.00 cash + 2 Black badges.

Hacker Jeopardy
The infamouse game at ROOTCON, where everyone is a winner that is when you get drunk after the game. Below are the mechanics for the first ever Hacker Jeopardy in the Philippines! ROOTCON Hacker Jeopardy is adopted from DEFCON USA, but done Pinoy style (of course)!

Where: The Dark Mansion (ROOTCON 10 Secret Party)
When: September 23, 2016 @ TBA
Who can play? Any ROOTCON attendees except for the ROOTCON Goons and crew.

Game Show Cast:
Host/Emcee: DevNull “The Pitboss”
Score Keeper: Hacker Jeopardy Babes
Foxy baristas/drink-pourers: Hacker Jeopardy Babes

The Mechanics
The objective of the game is the same as that of the popular (Double) Jeopardy game — to win (duh!). Questions are posed as “answers” and the contestants must answer in the form of a question. Contestants earn points for each correct “question”. (Confused? Google for “Double Jeopardy”, you dork.)

In HJ, 3 Teams will put their l33t (and general) knowledge of a wide range of Topics to the test from 5 different Topics/Categories with 5 increasingly difficult “answers” per Topic. Each “answer” is worth a certain number of shot-glasses/glasses of a particular liquid metal (beer, wine, rum, gin, absinthe, etc.). The easiest “answers” will be worth 1 shot-glass/glass and the hardest worth 5 shot-glasses/glasses (shot-glass or glass, depending on the type of drink).

The HJ Game is 2 Rounds of chaotic drinking and consists of 3 opposing Teams, with each Team composing a maximum 3 elites and minimum 1 dweeb. A randomly chosen Team will get to choose a category and “question” at the start of each Round. Each Team will then have 30 seconds to press the buzzer and provide the correct “question”. E.g., if Team A buzzed first and answers correctly, the opposing Teams B and C will have to down the drinks worth that “answer”. If Team A answers incorrectly, Team A will down those drinks as penalty. As a bonus, any of the opposing Teams B and C can still buzz for a chance to answer the question if the 60-second time-limit is not yet reached. E.g., if Team B buzzed and answered correctly, Team C will have to down the penalty drinks. If not, then Team B downs their serving of pride.

The penalty drinks in the First Round (aka Liquid Metals Round) will consist of beer, wine or rum lightweights. Contestants will brave the Second Round (aka Heavy Metal Round) with cocktails from hell containing gin, vodka, tequilla, absinthe, etc. There is a “Double Jeopardy” question in each Round that is worth a surpise prize 😉

There ya go, guys. It all goes downhill after the first “answer” is popped. The Team who is most sober (i.e., drank the least number of shots/glasses) at the end of Round 2 wins the Game.

P4,000.00 cash + 2 Black Badge


For more info visit:
Facebook Page:

I started blogging around 2011 at #Ubuntupirates, #ProjectX and #pir8geek, I’m currently working as Network/Linux SysAdmin.

I’m a Linux,opensource advocate and interested in network security and InfoSec.

Leave a Reply