Hong Kong


Welcome to the OWASP Hong Kong Local Chapter

Welcome to the local Hong Kong chapter homepage. The chapter leader is Anthony LAI, CISSP, CISA.

Participation

OWASP chapter meetings are free and open to anyone interested in application security. We encourage members to give presentations on specific topics and to contribute to the local chapter by sharing their knowledge with others. Prior to participating with OWASP please review the Chapter Rules.

To join the chapter mailing list, visit our mailing list homepage. The list is used to discuss the meetings and to arrange meeting locations. Please check the mailing list before coming to a meeting to confirm the location and time and to catch any last minute notes.


Mailing list

Email archives



The Hong Kong chapter was formed in December 2004. The OWASP Hong Kong Chapter was established mainly for the following reasons:

- Many web applications have been built in the past 10 years, yet how many developers know whether the applications they developed are secure? Meanwhile, with so many transaction-based systems in use, we should not ignore that the web application is another channel for hackers to compromise one's confidential information and interrupt critical business operations.

- Raise the security awareness of web application development among the professionals.


- Encourage professionals to reference standards like ISO7799 for their web application security and post-deployment review as well as audit.


- Accelerate the sharing, learning, discussion and review of best practices among experienced web application development security professionals, even across various user groups (Java User Group and .NET User Group) and security associations (i.e. PISA) in Hong Kong.


From left to right: James Tsao, Anthony Lai, David Walker, Richard Stagg, Marco Leung and Gary Kung


Coding Practice

- Mainstream web technologies (i.e. .NET, J2EE and PHP on Linux) security assessment

- Web application platform (i.e. Apache, IIS, Linux, Database) security assessment and review.

- Recent Web application security concerns.

- Regularly convey latest projects and presentations from OWASP.


News from Hong Kong Chapter

NEW!!!! Software Exploitation - It is about reverse engineering and exploit

I feel very honored to invite Nguyen NAM to provide a 2-day workshop on software exploit and reverse engineering. In fact, we met at the OWASP Appsec Conference 2008 in Taipei and his team won the CTF (Capture The Flag) at Hack In The Box (HITB) 2008. It is really a valuable chance to have him in Hong Kong, and this workshop is normally charged at 1000 USD per head. Meanwhile, there is NO such kind of workshop held in Hong Kong. Please reach me at anthonylai@owasp.org for reservation.


Status - 6 Nov 2008: The speaker has got my invitation letter and he is now applying for a travel visa to Hong Kong. Money collection will start once he has confirmed the air ticket and visa application with me. However, you need to reserve a place, as there are already 17 reservations. The class size is expected to be 30-40.

Instructor: Nam Nguyen

Date and Time: 2 days, 20 - 21 Dec 2008 (Sat and Sun)

Registration Time: 9:45am

Time: 10:00 - 13:00; 14:30 - 18:00

Venue: Room 172, IVE Haking Wong, Cheung Sha Wan

Organizer: OWASP (Hong Kong Chapter) and PISA

Co-organizer and Venue Sponsorship: Vocational Training Council (Haking Wong)

Fee: 1000 HKD

Summary: This course is a primer on software exploitation in the Linux environment. The course assumes only a basic understanding of Linux commands and C programming with the standard library. It explains computer architecture and assembly language, then moves on to three basic classes of security bug (buffer overflow, format string, and race condition) and methods to take advantage of them. Throughout the course, various examples are introduced with increasing difficulty so that participants will naturally realize the art of software exploitation for themselves.

This course does not discuss shellcoding. Except for one example where provided shellcode is used as an illustration, all other challenges require only good analysis and calculation.

The course is conducted as a workshop with heavy interaction between participants and instructor. There will not be any presentation slides. Participants are to take notes during the course.

Audience

Software developers, system administrators and security engineers with some experience in Linux and C programming. It is good preparation for a candidate joining a Capture The Flag (CTF) event.

Table of Contents

1. Computer architecture

2. Assembly language

3. Buffer overflow

4. Format string

5. Race condition

6. Techniques

a. Overwrite critical variable

b. Overwrite return address

c. Return to .text

d. Return to libc

e. Overwrite .dtors

f. Overwrite .got

g. Overwrite .bss, functors

h. Bypass Address Space Layout Randomization

7. Tools of the trade: IDA, GDB, and Python

8. Sharing of CTF in HITB

Workshop Specifics: As we have a lab, a VM image will be provided.

Speaker Biography: Nam Nguyen is currently the principal security consultant with Blue Moon Consulting Co., Ltd. He started poking at binaries when he couldn't finish Dune 2 and has since spent more than a decade reverse engineering and understanding how stuff works. Nam is a CISSP, a core member of the VNSecurity group, and a chapter lead of OWASP Vietnam. His interests include code construction and destruction, decompilation and Python.



OWASP (HK Chapter) supports the 8th Infosecurityproject Conference. URL: http://www.infosecurityproject.com/


OWASP Committee Member Richard Stagg uncovered Security Reality (Mar 2007). Richard from Handshake Networking could tell you the truth of that. URL: http://www.cw.com.hk/computerworldhk/article/articleDetail.jsp?id=409104


Hong Kong Standard: HKU changes Internet policy to boost security Hong Kong University has changed its Internet policy a week after The Standard reported that improperly indexed material listed on its Web sites could be accessed by users of the Google Internet search engine. Doug Crets 4/3/2006

URL: http://www.thestandard.com.hk/news_detail.asp?pp_cat=11&art_id=15675&sid=7341056&con_type=1&d_str=20060403&sear_year=2006


Hong Kong Standard: Online enemy within The biggest threats to computer users are not hackers but their own ignorance, complacency or carelessness, writes Doug Crets 3/27/2006

URL: http://www.thestandard.com.hk/news_detail.asp?pp_cat=11&art_id=15121&sid=7238709&con_type=1&d_str=20060327&sear_year=2006


Web Application Security with PISA: http://www.pisa.org.hk/event/web-appl-sec.htm



OWASP (Hong Kong Chapter): Successful Web Application Security and Hacking Demo seminar co-organized with Hong Kong Java User Group (30 Jul 2005) https://hkjug.dev.java.net/gatherings/2005/0730.html


OWASP (Hong Kong Chapter): Web Application Security organized with Sun Wah Pearl Linux (29 Oct 2005)


Contact Us

Chapter Mailbox

P.O. Box No. 6684, General Post Office, Hong Kong SAR


Recent Update

--Anthony Lai 11:25, 6 July 2006 (EDT)
