My Experience at SINCON 2024

me happy

Introduction

SINCON Banner

Infosec in the City: SINCON is a cybersecurity conference held in Singapore, featuring workshops, talks, booths, and much more. I wouldn’t have found out about it without SherpaSec! To be honest, I had seen it around on LinkedIn here and there, but I hadn’t really gotten to know about it before SherpaSec.

SherpaSec Poster

Now in context, I held a talk about Velociraptor for SherpaSec in March alongside Rowena, who had a talk about career planning strategies in the cybersecurity industry.

I know I haven’t posted the blog about Velociraptor, that will come very soon. plz be patient, me very tired T^T

At the end of Rowena’s talk, she advertised SINCON 2024, with an opportunity to attend SINCON with an All Access Pass to the conference free of charge, sponsored by her company, HRS Talents. However, they are limiting the sponsorship to 8 people within SherpaSec, so there will be some competition. Before I talk about how I got the sponsorship (spoiler alert), I will talk about my recklessness in the whole situation.

Now, for Black Hat Asia 2024, I applied for the sponsorship without considering my assignments and final year project. For SINCON 2024, I applied for the scholarship without thinking about my final exams. Who would have thought that SINCON 2024 would fall on the same week as my final exams!!

Exam Schedule

Anyways, I got the details of my exams, and allow me to tell you how close I was. My exams fell on the 20th and 21st of May, and my dumbass had to go to Singapore on the 22nd of May. Long story short, whatever religion you believe in, there was some divine intervention there.

CRAZYYY

Sponsorship Challenge

Application Received

A few days after the SherpaSec meetup, I finally got an email regarding my application for the sponsorship! According to the email, I just have to provide my student ID and wait for the mini CTF challenge for a chance to get the free conference pass.

Challenge Received

So I waited for another week or so for the mini CTF challenge, and it finally came! It was a pretty cool Docker forensics challenge made by Pengfei, and a write-up for it will be coming out soon on my beginner’s blog.

Sponsorship Accepted

Another few days later, I got the confirmation email that I have been sponsored to go to SINCON 2024. At the time of writing, I am really, REALLY grateful. Why? Well, read on and you shall find out!

RE:HACK, You’re Making Me Blush

So, for Black Hat Asia 2024, Mr Yapp and RE:HACK sponsored my accommodation and transportation. While sending me the transportation fee for Black Hat, Mr Yapp casually just said (dramatic reenactment):

Mr Yapp: The transportation fees should be the same for SINCON right?
Me: Yepp (No pun intended)
Mr Yapp: Alright, I'll pass you double the money for SINCON then
Me: AHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH

In short, thank you Mr Yapp and RE:HACK for sponsoring me to conferences like these. You guys really help and support students like me to experience the cybersecurity community outside of Malaysia! I know I might need to repay back the favour…. but for now, I’ll just enjoy the conferences hehehe.

0xDEADBEEF Before the Conference

Who You Think You Are??

So, a little context here, I have been in the cybersecurity community for quite some time. I have met a lot of people and became friends with some. And as a community, I thought, let’s help each other if that’s possible. Well ummmmm, I learned some stuff the hard way.

I have 3 juniors who also got sponsored to go to SINCON but not by HRS Talents: Emmy, Wei Ying, and Shi Min. Emmy was complaining (well, it wasn’t really complaining, but it felt like it, HAHAHAHA) that the prices of places to stay in Singapore were expensive since we are Malaysians (iykyk). I didn’t have any problems as I have a sister staying in Singapore. (stonks)

So I thought, let’s help them by asking our fellow SherpaSec founder and, of course, friend, Shiau Huei to ask SherpaSec or Div0 to subsidise their accommodation by SGD 50. This is where I kinda screwed up. When I messaged Shiau Huei about this, I was also having a conversation with 3 other people on WhatsApp, which made me speed-read everything. So, i missed the part where Shiau Huei said, it’s better for Emmy to send an email to Emil to ask for the subsidy. Missing this part, I just told Shiau Huei to just send the message, not knowing she was going to send it to a group of people.

Anyways, I got in trouble not long afterwards…

Emmy and especially I were like… f**k. Do I have beef now??? Did I tarnish my reputation??? Did I tarnish my junior’s reputation??? Do they still get to go to SINCON? Long story short, I thought, I got us into this mess, I’m gonna pull us out. (lol fr fr)

During the next SherpaSec session, Emmy and I were anxious, waiting for JinFu to appear so that we could apologise. When the session was about to end and JinFu was not to be seen, Emmy and I were just thinking, “What do we do now?” Then, Pokemon battle song… A wild JinFu appeared! I basically explained the situation and begged for forgiveness (not really begged, but Kelvin made me kneel on the floor to apologise). Jokes aside, JinFu basically said, if you need help, just ask directly; don’t use other people to get ahead. Anyways, all was dealt with, and Emmy eventually emailed Emil and got the subsidy that she and the rest needed.

Day 1: We Meet Again

Before anyone asks, yes, there was merch, and yes, I did collect a TON of it. However, there are a lot of stories to tell, so I won’t be going into that. Furthermore, the FOOD was GOOD! SO MUCH MEAT!!!!

Red Teaming is Red Teaminging

If you have seen my blog post about Black Hat Asia 2024, you would know I met a guy named Snorky! Well, guess what? He and Nicolas are the instructors for the Modern Red Teaming Workshop! Ah, it was nice to see Red Team Leaders conduct a workshop; it was fun and realistic!

However, before I go into what I learned, I have to say there were materials that needed to be downloaded before the workshop. Long story short, I did not download them. Long story? Well, take a look at SINCON’s schedule on their website:

Workshop Title

So basically, as a participant I would basically look the schedule and be like; “Alright there’s a Modern Red Teaming Workshop”! So, I didn’t bother to click on “Show More”

Workshop Description

Then at “Workshop Requirements”, there’s a section where we need to prepare an environment before joining the workshop. Did I read that? Nope. Is it SINCON’s fault? Absolutely nope. I’m just very blind and busy.

sadge

Basically I sat there watching, unable to join in the practical work, so I just looked at the slides provided to us.

Workshop Infrastructure

However, I was not sitting there doing nothing; through the slides and the talk, I learned a few things! I had heard before through Mohin that Red Teamers use redirectors to cover their tracks. Seeing it demonstrated in real life during this workshop was pretty cool! In summary, we created a phishing server that was able to capture credentials as well as MFA codes. Then, we set up a C2 server, specifically the Mythic C2, which was connected to a load balancer, and the load balancer was connected to a redirector. The redirector served as the middleman, facilitating communication between the C2 server and the compromised workstation. It’s noteworthy that the compromised workstation was running macOS. Lastly, this whole infrastructure can be scripted out in Terraform, which automates the process of building the entire environment!

Myvi

To give y’all some context, I was the only one who applied for the SINCON sponsorship in the SherpaSec session among the 1 Malaysia gang; which includes Shiau Huei, Darrshan and Danisy. This is because they don’t know whether they were able to make it due to exams.

As SINCON was getting closer, the topics and workshop that was going to be conducted was revealed and one of them was in simple terms, car hacking which was going to be conducted by Alina Tan and Camille Gay.

Shiau Huei’s Sharing Sesh

If you know Shiau Huei, you would know she loves car hacking and have given sharing sessions about it multiple times (the queen of reusing content). If you’re reading this Shiau Huei, I hope I’m not embarrassing you by saying she is a massive fan girl of Alina.

So, when she heard that Alina was going to have a workshop in SINCON and Shiau Huei might not make it, she was devastated. There were times when we were doing our final year project and I would just mention “SINCON” and she would go, “ALINAAAAAA!!!!”.

There there Shiau Huei

There, there child. Spoiler alert, Shiau Huei was able to make it to SINCON as a crew member.

Car Simulator Device

So, what did we learn? Well as Shiau Huei has already given multiple sharing sessions about car hacking, this workshop takes it a level up by giving us hardware to simulate a car! The size of the device shown is basically the size of my hand! It has everything including:

A Steering Wheel
Shift gear
Accelerator
Brakes
Indicators
Ignition
Lights

But basically we learned about CAN buses and ECUs, and how we are able to control it with can-utils which Shiau Huei already shared about but this time with hardware!

Car Hacking Group Photo

It was a very fun session even we were very tired from the trip to Singapore. We were also able to take a photo with Alina and Camille at the end! What a memory to keep!

From the left:

Hong Rui Yi
Roheen
Emmy
Darrshan
Me
Camille
Alina
Shenghe

Tipsy Toilet Journey

BEER

Welp, if you’ve been to Singapore for a cybersecurity conference, you would know there will be beer! So me and the gang got some beers to drink and I probably drank mine a bit too fast. After 5 drinks, I wanted to go to the bathroom, as you should.

However, this time, I didn’t feel as confident to go to the bathroom without falling down. So, as a man who trusted his friends, I asked Mohin out of everyone to follow me to the bathroom. So, he followed me into the bathroom and we both went to do our business. Mohin went into a stall while I went to a urinal.

I finished my business before him (there’s no way to say this without making a dirty joke lol), so i decided to play a prank on him. Basically, I held my phone on top of the stall and started turning my phone’s flashlight on and off to simulate taking a picture of him (he didn’t notice).

Brain is Loading

This is where the story gets a bit overboard. Suddenly, a dude popped into the bathroom. Our eyes met, he looking into my eyes and me looking into his… Through my tipsiness, it took 5 seconds for me to respond:

Me: WAIT WAIT WAIT IT'S JUST A JOKE!!!

The dude: * ah understandable, have a nice day! *

* Mohin comes out of the stall *

Mohin: I heard that, what did you do?

Jason Meets the JSON List

Group Photo with Jason

So within any cybersecurity conference, Jason would be there. Now that my whole gang was at SINCON, I thought to introduce him to my friends and my friends to him! They were all chill with each other, and we ended up having McDonald’s for dinner together along with Emil! Nothing really happened besides that, honestly, so on to the next day!

Day 2: Software Became Hardware

The Next Bill Morgan

Me is Lucky

Bill Morgan is an Australian truck driver who, after bouncing back from a near-death experience, bought a scratch-off lottery ticket and won a car worth $17,000. A local news station, intrigued by his story, asked him to reenact buying a lottery ticket for a segment. During the reenactment, Bill scratched off another ticket and, to everyone’s amazement, won a $250,000 jackpot on camera.

Why did I mention Bill Morgan? Well, that’s because SINCON did not fall on my exam dates even though it was during my exam week. Not only did I receive the sponsorship from Mr. Yapp for transportation to Singapore, but I also received the sponsorship for SINCON from SherpaSec. Why is this important? That’s because there are 2 kinds of sponsorships: one for students and one under SherpaSec.

Part of the swags we received included an electronic badge with CTF challenges on it, and according to Shiau Huei, only those who actually bought tickets were prioritised. Hence, people who received the student sponsorship didn’t get the badge. However, as mine was sponsored by HRS Talents, that is why I got the badge. That is why I was really grateful towards HRS Talents and Rowena, because without their sponsorship, I wouldn’t have gotten the badge.

Soldering Station

So, what did we do with the electronic badge? We had to solder the LEDs onto the PCB. It was a tough task for me as I did not do this during my high school days. So, again shoutout to Shiau Huei for teaching me how to solder!

Anyways, this is the end product. There are a total of 8 CTF challenges within the badge, each challenge complete will enable the LED to blink. So far at the time of writing, I have completed 6 out of 8 of the challenges.

Poor Mohin

Mohin Soldering

Remember Mohin? The guy who followed me in the toilet? Well he was at the soldering station for almost 3-4 hours trying to solder his badge. Shiau Huei and I tried to help him but I admire his persistence. I mean he IS a professional red teamer, so he had A LOT of persistence.

I kinda felt bad because while the rest of us was connecting with other people and having fun, he was the soldering station alone trying to complete his badge. However, knowing him for quite some time, he was very patient and he completed it. BUT, of course there was a but, this dude decided to give the badge away at the end of the conference!

Mohin: Who doesn't have the badge? I want to give it to them
Me: Dude, keep it. 
Me: Everyone has the badge (obviously a lie). 
Me: You worked hard for it...

VirusTotal CTF

VirusTotal Scoreboard

Another highlight of day 2, at least for me, was the VirusTotal CTF! It’s a unique CTF that involves using VirusTotal to find your flags! It was a fun experience because we got to use the enterprise version of VirusTotal! The CTF was 1 hour long, and I got 2nd place! BUT WAIT, the way they chose the winners is by combining the results of day 1 and day 2 and awarding the highest points overall. So, I didn’t get any prizes…

However, a big shoutout to Emmy and Roheen for getting into the top 10! Emmy was in 8th place, and Roheen was in 9th place. As a purple teamer, you guys did great in a blue teaming CTF!

Chip Off the Old Block

During my Mobile Forensics course, I learned that in rare cases, forensic investigations might need to extract information from a mobile device by removing the flash memory and putting it onto a chip reader. In Malaysia, this method has only been used twice. This is where I met the legendary Captain Kelvin!

Flash Memory

He was in the Chip Off Village, where he showcased reading data off drones and mobile phones. If you have done mobile forensics before, you would know there are different kinds of flash memory in the market for different phones. This is where different chip readers are needed. Apparently, the chips shown here are used in 90% of mobile devices.

Flash Memory Readers

Overall, it was a unique experience seeing something I learned being demonstrated in real life! This is where Singapore conferences excel: more practical workshops and talks, and better demonstrations.

Bonus Day 3: Sacrifices Had to Be Made

Now, to elaborate on how busy I was during that week, let me explain my entire schedule. I had to go down to Singapore on the 22nd of May. The conference lasted from the 23rd to the 24th of May. However, on the 25th of May, RE:HACK had an event at Universiti Malaya called Cyber Skills Level Up, aimed at increasing the skills and knowledge of cybersecurity students within Malaysia so that they can one day represent Malaysia in CTFs. As a part of Malaysia Cybersecurity Camp 2023 and a member of Malaysia’s CTF Team, M53, I wanted to support the event by being there! However, the event started at 8 in the morning.

So, Emmy, Wei Ying, Shimin, and I had to rush all the way from Singapore at 12 in the morning to Malaysia by bus. We managed to arrive back in Malaysia at 5 in the morning, though not without some hiccups, especially for Emmy (for her sake, I’m not going to embarrass her here).

Tree On Car

Anyways, I rushed my butt to Universiti Malaya via the LRT, and I took a bus from the LRT to Universiti Malaya. However, halfway into the journey, at one of the bus stops, I saw a girl with glasses, a pink bag, and who was short. All indicators pointed to someone you all know as Shiau Huei! So, being sleep-deprived, I got off the bus. To cut the long story short, it wasn’t Shiau Huei. I ended up taking a 30-40 minute walk all the way to the Faculty of Computer Science & Information Technology. When I got there, everyone I knew was freaked out because it looked like I had just taken a shower (because of the sweat).

Anyways, the session went well and we went to a nearby cafe to have dinner. Before going, this happened:

Kelvin: will rain very heavy meh?
God: * thunder sounds *

The rain was so heavy, that trees started falling down onto the cars near the cafe. Luckily, nobody’s car from Cyber Skills Level Up was damaged. This was what KS said:

KS: Anyone has experience in Minecraft, go and chop the trees

However, the trees were indeed blocking our cars from exiting the university. So what ended up happening was a group of people getting their own tools to chop the trees, and that my friends, was how we were able to get outta there.

Celebrating While Suffering

But of course we took a picture with the person making the announcements before leaving!

Conclusion

Bye Bye

Overall, SINCON 2024 was another conference I totally enjoyed because not only I was the only one who went, my friends and the people I knew professionally were there. However, there were a few people missing from the conference such as:

Kelvin (who gave his ticket to Roheen)
Jia Qi (who is in the midst of her internship)
Yen Wai (who is working)
KS (who is also working)
Danisy (who was focusing on certs and his studies)

Hopefully, I will see these peeps in Hack In The Box 2024 Bangkok! We’ll have more stories to tell, more beers and fun!

To end this off, a big thanks again to Mr Yapp, RE:HACK for sponsoring me to these conferences! I hope your help has allowed me to help other people in the cybersecurity community. Another big thanks to SherpaSec, HRS Talents, and Rowena for sponsoring my tickets to SINCON, because without you all, I wouldn’t have had the money to attend the conference! Lastly, thank you, Emil, for subsidizing Emmy’s, Wei Ying’s, and Shimin’s accommodation. This happened mainly because of JinFu’s contribution to SINCON, so thank you too!