Thursday, October 06, 2016

ROOTCON 10 Capture The Flag Statistics

During ROOTCON 10, we introduced a new dedicated track for our Capture The Flag, with the comfortable CTF tables and chairs the game was well participated and was enjoyed by most of the players, not just the players enjoyed the game but as well as the spectators passing by. With the Chill-out track near by the CTF area you'll be tempted to Hack All The Drinks and Drink All The Booze.

Kudos to The Illuminated Beings for coming up with a very awesome challenges.

Here are the Statistics.

13 teams registered
304 wrong keys submitted
101 right keys submitted
30 challenges
Most solved: Trivia 3 with 9 solves
Least solved: Exploitation 1 with 0 solves

Congratulations to the following

1st place: Team Harambae
2nd place: Handshake Junior
3rd place: Hack Ganern
4th place: FlySolo
5th place: Team2Busan

We will be creating a repo on Github for the write-ups soon.

Read More

Saturday, October 01, 2016

Thank you from semprix

In-behalf of the goons and volunteers of ROOTCON I would like to personally say THANK YOU!

This years conference was an epic one.

The topics delivered were highly technical and we thank our speakers for that! The trainings were jam-packed, we are looking into expanding our trainings with different cutting-edge topics by next year. The games were well participated, receiving feedbacks that they enjoyed our Capture The Flag this year makes us to do more of it. The newly introduced Semprix’ Mysterybox didn’t gain much players, maybe it was too difficult I will try to adjust the difficulty next year.

With the newly introduced multiple tracks, the Capture The Flag had it’s dedicated area so players can focus more on the game with comfortable table and seats. The chill-out area was another best decision we had, through out the two day conference we consumed 70 liters of beer, awesome right?

The post-con party was pretty epic as well! We consumed 20 bottles of hard-drinks from Jack Daniels, Bacardi, to Mojito, 120 bottles of beer were served not to mention Smirnoff Mule sponsored us 400 bottles!

Right after the conference the goons were already brain-storming what more cool stuffs we can add to next year. Here are some stuffs to watch-out for next year.
1. We will introduce Fort ROOTCON, an area around the conference were tools and exploits have demos.
2. Hacker Jeopardy will be rescheduled for everyone to be able to attend.
3. Day 1 party and movie night will be held at the conference hall.
4. Capture the Flag will be extended from 10:00am to 11:00pm in-conjunction with the day 1 party and movie night.

Some pre-con activities we are brewing up.
1. Campus tour with student Capture The Flag.
2. Hackerspace in January
3. ROOTCON Kids will be introduced as mini-event around the month of May.

ROOTCON will continue to serve the hacking community specially in the Philippines, where hackers, geeks, pros will meet old and new friends, enjoy and of course learn from each other. With that said it wouldn't be possible without our awesome attendees, you rock!

Again I would like to say THANK YOU SO MUCH!

All the best,

Read More

Thank You Sponsors for Making ROOTCON X Awesome!


These sponsors are genuine sponsors who supports the Information Security and Hacking community in the Philippines. ROOTCON won't be as awesome without these supporters.

Elite + ROOTCON Official Badge sponsor

Elite + ROOTCON Official t-shirt sponsor

Elite Sponsor

Platinum + ROOTCON Post-con Party Sponsor

Gold Sponsor

Gold Sponsor

Day Zero Party Sponsor

Post-con drinks sponsor

With that said, ROOTCON would like to say THANK YOU!


Read More

Saturday, September 03, 2016

Drink All the Booze and Hack all The Things on ROOTCON Parties

Yes you read the title right! You can drink all the booze and hack all the things because we have parties, not just once but thrice. w00t!

Here is the official schedule:

Day 0 (September 21, 2016) - BugCrowd Night Of Drinks - 7:00PM - 11:00pm
Day 1 (September 22, 2016) - Netsuite Security Hype Party - 7:00pm - 11:00pm 
Day 2 (September 23, 2016) - ROOTCON Post-con Party - 6:00pm - til you drop
Read More

Friday, September 02, 2016

Unleashing the Immune System: How to Boost Your Security Hygiene

This is an original article we received from Christian Falco of IBM Security and that ROOTCON is glad to publish it because IBM has helped us in making ROOTCON X happen:

Over the years, companies have responded to threats by backing up the security tool truck and unloading it onto their IT environments. An expanding security arsenal of fragmented, disconnected point products and perimeter solutions can add complexity without vastly improving the organization’s overall security posture.

The burgeoning infrastructure makes it more difficult to monitor the whole network, to the point where security teams are operating in the dark. As each tool is added, costs associated with installing, configuring, managing, upgrading and patching continue to scale. Not to mention the skills gap plaguing the industry, where the expertise needed to manage and keep up with the latest threats isn’t always available.

More threats, more vendors and more tools make for more headaches.

The Immune System Approach

To see through the chaos, enterprises should approach security like an immune system. Rather than a jumbled set of tools and capabilities, picture an integrated framework of key security capabilities.

At the core of this structure is security intelligence and analytics. This serves as the key piece, ingesting security data across an IT environment (e.g., logs, flows, incidents, events, packets and anomalies) as well as information beyond the enterprise (e.g., blogs, research and websites) to understand threats and take action.

This action mimics the body’s immune response. When exposed to a cold or flu, your body’s integrated network of cells and organs transmits vital information through the nervous system to help pinpoint the virus, disrupt it with antibodies and normalize the body.

Similarly, a healthy security infrastructure uses its own network of integrated security capabilities to intelligently detect the symptoms of a cyberattack — a breach on the network, an abnormal login on a high-value server, rogue cloud app usage, whatever it may be — and respond appropriately.

An integrated and intelligent approach to security

With analytics at the core, integrated capabilities deliver a level of visibility and defense that no single security solution can provide on its own.

Strength in Integration

Attackers continue to break through conventionally siloed safeguards using techniques that impact the entire IT environment. Consider two of today’s biggest issues: advanced threats and insider threats. Yesterday’s perimeter solutions are no match for the sophistication of these threats.

An integrated threat protection system requires strong network protection, endpoint management and security, data activity monitoring and incident response to fully disrupt and respond to an attack. The system continuously consumes threat intelligence to understand the latest attack vectors. Insider threats are responsible for many of today’s high-profile cybersecurity incidents. To mitigate this risk, enterprises need strong identity controls, which in turn should be integrated with data monitoring and security intelligence that analyzes user behavior to alert, confirm or prevent unauthorized access to sensitive data sources.

In a world where multifaceted threats necessitate integrated solutions, adding more disconnected tools is simply not enough. These fragmented products and services are expensive, complex and cannot fully solve today’s challenges.

Companies are taking a strategic approach to upgrading their defenses. We’re seeing a major shift in demand for platforms that offer integrated, intelligent security solutions backed by a collaborative, extensive partner ecosystem. Boost your security hygiene with a healthy immune system approach. 

Read More

Friday, August 19, 2016

Introducing the ROOTCON X Sponsors

ROOTCON X wouldn't be kicked off if it wasn't for the sponsors. We salute these companies for caring about the InfoSec community in the Philippines:

Trustwave Holdings is an information security company that provides on demand threat, vulnerability and compliance management services and technologies for more than 3 million business customers in 96 countries. The company also operates Security Operations Centers in Chicago, Denver, Manilla, Minneapolis, Singapore, Warszawa, and Kitchener-Waterloo in Canada. Trustwave is a standalone business unit and core cyber security brand of Singtel Group Enterprise.

Netsuite is an American software company based in San Mateo, California, that sells a group of software services used to manage a business's operations and customer relations. Customers access these services over the internet paying a periodic subscription fee. Netsuite | Security provides a host of advanced functionality to secure the application including role-based access, strong encryption, robust password policies and more. NetSuite adds further layers of security such as application-only access and restricting access to only certain IP addresses to provide complete confidence and peace of mind.

Handshake Networking Ltd is a Hong Kong base information security testing company that focuses on PCI ASV scanning, a penetration test, and vulnerability assessment. Their two founders have pwned most of the ROOTCON CTF's.

IBM’s security platform provides the security intelligence to help organizations holistically protect their people, data, applications and infrastructure. IBM offers solutions for identity and access management, security information and event management, database security, application development, risk management, endpoint management, next-generation intrusion protection and more. IBM operates one of the world’s broadest security research and development, and delivery organizations. For more information, please visit, follow @IBMSecurity on Twitter or visit the IBM Security Intelligence blog.

Swarmnetics is a crowdsourced cyber security company that was founded in 2015. They harness he power of the global expert crowd to deliver security testing services to help customers identify security weaknesses in their environment. Customers get access to global expertise and pay only for results. Instead of relying on a single or small team of penetration testers from a traditional vendor, you will benefit from increased coverage and diversity of assessments performed by engaging the Swarm.
Read More

Monday, July 11, 2016

ROOTCON 10 Teaser

ROOTCON 10 Teaser from ROOT CON on Vimeo.

ROOT CON started with only less than 20 humans, as years pass by we grew and grew, this year we will be celebrating our 10th iteration, since our inception we maintain our image as the only legitimate hacking conference in the Philippines. 

ROOTCON is known for its high-caliber technical speakers, contest quality, and affordability. We have been able to bring to the Philippines sought-after and credible speakers that other groups have not been able to get. At the same time, we have been successful in keeping access to the conference affordable for the hacking community. This September 22-23, 2016 we will be proving that we are still the ROOT CON you knew years back. 

Calling all geeks, hackers and pro's, let's support ROOT CON and the hacking community and make the event awesome, fun and memorable. 

It's not yet too late, REGISTER NOW! 

Like, Love, and share. 

Read More

Tuesday, July 05, 2016

Do you want to become a ROOTCON Ambassador?

Do you have that hacker spirit and culture? Do you love ROOTCON very much? If yes then you must be our next ROOTCON Ambassador? Don't worry it's not a contest! You just need to apply and we will check if you are fit to become one.

So what is a ROOTCON Ambassadors? ROOTCON Ambassadors is a program created by ROOTCON for the attendees to enjoy yearly discounts and other perks.

What are the perks?
1. 20% discount on ROOTCON tickets applicable only on regular rates.
2. 10% off on all official ROOTCON swags.
3. FREE Entrance on ROOTCON Hackerspace activities.
4. FREE drinks at the ROOTCON chill-out area on the day of the event. ( NEW! ) 
5. Priority lane during ROOTCON event check-in.
This year we are introducing the "Chill-Out Area" where ambassador card holders can get a FREE drinks, YES FREE!
First batch cut-off will be on July 8, 2016. So what are you waiting for? Submit your entries!
Check out this link for more info:

P.S. The more entries you submit does not guarantee the chances of winning since this is not a contest :p
Read More

Tuesday, April 19, 2016

Approved 1st Round of Talks for ROOTCON X

Hey all geeks!

We've got some good news for yah. Yeah that's right! Our CFP board has just approved three talks waiting to be served on ROOTCON X:

The legendary crypto and IPV6 expert Lawrence Hughes is finally back for ROOTCON X and will deliver another awesome talk entitled "Certificate Based Strong Client Authentication as a Replacement for Username/Password".

A first time speaker at ROOTCON, Eskie Cirrus James D. Maquilang, C)PEH will be delivering his talk on "Exploiting Home Routers". For those of you who don't know Eskie, he is the guy responsible for the Vulnerability Note VU#525276 wherein he reported multiple vulnerabilities of SpeedSurf 504AN and Kasda KW58293 modems distributed by PLDT (Phillipine Long Distance Telephone).

Another first time speaker is a seasoned speaker at OWASP India, Nullcon, Blackhat Asia and many other conferences. Let us all welcome Sanoop Thomas who is the author of Xtreme Vulnerable Web Application (XVWA) and Halcyon. This year he will be presenting his very own Halcyon - "Halcyon – A Faster Way to Build Custom Scripts for Nmap Scans".
Read More

Friday, April 08, 2016

ROOTCON X Speakers Corner: Infosec Rockstars We Want for RC10

chuck norris

One of the main reasons why geeks go to a hacker conference and information security gathering are the awesome lineup of speakers and interesting talks. Thus, I decided to create a list of hackers we want for our conference this year. I wanna tempt you guys to come to this year's ROOTCON with these pictures:

We are definitely eyeing and convincing these guys to visit this year.

defcon speaker
Kryptia on Defcon - we want these kind of guys too
Daniel Miessler
Daniel is one of the most respected influencers in the field of Cyber Security and Infosec. He is the former Practice Principal at HP Fortify and now the Director of Client Advisory Services at IOActive. According to Onalytica, he ranks number one in their recent announcement entitled Cyber Security and InfoSec: Top 100 Influencers and Brands.

HD Moore
No need for an explanation here! We salute the guy behind the Metasploit Framework. Despite leaving Rapid 7, his legacy can never be forgotten. We really want you man!

Wei Chen
He is also known as sinn3r and is the longest serving Metasploit Exploit Developer who works at Rapid7. We want this Metasploit guy rocking on our conference for his skills and good personality. Whenever, I create a new Metasploit module - he is always there to help me and guide me.

The Entire Metasploit Team at Rapid7
We are not only inviting Wei Chen! If you are on the Metasploit Team then you are definitely invited to speak at ROOTCON. Paging jvasquez, James Lee (egyp7), William Vu (wvu-r7), Tod Beardsley, Mo Sadek, etc.

Jeremiah Grossman
He is the founder of Whitehat Security, Professional Hacker, Black Belt in Brazilian Jiu-Jitsu and is one of the top influencers in the field of web application security. He has also presented numerous topics about web security in various hacker conferences.

Caleb Sima
In the 1990's, Caleb pioneered research on SQL Injection - yes he is a Legend! Now he is the Executive Chairman and Co-Founder of Bluebox Security. Here is his bio that I grabbed from his company's website:

Before the founding of Bluebox Security, Caleb Sima was EIR at Andreessen Horowitz. Prior to this Caleb was CEO of Armorize Technologies, an internationally acclaimed, SaaS-based malware monitoring and code security analysis firm headquartered in San Francisco. Before his tenure at Armorize, Caleb served as Chief Technology Officer for HP’s Application Security Center and was responsible for directing the lifecycle of the company’s web application security solutions. He joined HP following the acquisition in 2007 of SPI Dynamics, the company he co-founded and led as CTO, where he oversaw the development of WebInspect – a solution that set the bar in Web application security testing tools. Prior to co-founding SPI Dynamics in early 2000, Caleb worked for Internet Security Systems’ elite X-Force R&D team and as a Security Engineer for S1 Corporation.

Jason Haddix
Jason is an influential bug bounty hunter, the Director of Technical Operations at Bugcrowd Inc and a former Director of Penetration Testing at HP Fortify. He trains and works with internal application security engineers to triage and validate hardcore vulnerabilities in mobile, web, and IoT applications/devices. Together with Daniel Miessler, they head the OWASP IoT, OWASP SecLists and OWASP Mobile Top Ten projects. He is a great web and mobile hacker. He was our keynote last year and we hope that he will be back again for this year.

Vivek Ramachandran
"Hello all! This is Vivek..." - these are the famous lines and introduction in most of Vivek's videos in and Pentester Academy where he is the CEO of the two platforms. He is a known BlackHat Trainer for Wireless Penetration Testing. He also discovered the Caffe Latte attack, broke WEP Cloaking, and conceptualized enterprise Wi-Fi Backdoors. He is definitely a badass wireless security person and we want his expertise for ROOTCON X!

John Menerick
We want this Security Dragon at Netsuite back for this year! He has presented two topics at ROOTCON IX and he delivered it well. His slides are funny and exceptional. You doubt this guy? Watch the DEFCON videos!

Mariano Nunez
He is my inspiration to SAP Security Testing because for authoring Bizploit Framework which is an open source ERP Penetration Testing framework. He is the CEO and co-founder of Onapsis which is an authority in SAP cyber security field.  According to sources, he was the first to publicly present on cyber security risks affecting SAP platforms and how to mitigate them.

James Fitts
James works at HP Fortify where he breaks mobile applications (primarily Android). He is also an exploit developer and has contributed modules to the Metasploit Framework. He has delivered an awesome topic about Android Application Assessments during the Mobile Hacking Summit (MHS) at Blackhat USA 2014.

Blake Self
Blake is one of the crew members of SOLDIERX who has been an active speaker at DEFCON. He co-authored the first commercial encrypted instant messenger with Dr. Cyrus Peikari while at VirusMD. He has worked previously at SIPRNET Administrator, Department of Defense Red Team Analyst, and R&D at various corporations. I love his talk last DEFCON 22 entitled "Don't DDoS Me Bro: Practical DDoS Defense".

Rahul Sasi
He is the founder and CTO of Cloudsek. He is one of the most sought after Indian Information Security Researcher and one of the core members of Garage4hackers. He has also spoken at various hacker conferences every year.

Aseem Jakhar
He is the Founder at, Research Director at Payatu Labs and Founder/Organizer at NULLCON (India's Premier Hacking Conference). He is the author of open source Linux thread injection kit -Jugaad and Indroid which demonstrate a stealthy in-memory malware infection technique.

Micah Hoffman
He is also known as @WebBreacher in Twitter. He is an active member in the NoVAHackers community, writes Recon-ng modules, SANS Certified Instructor and enjoys tackling issues with the Python scripting language.

Alexander Polyakov
Alexander is another authority in SAP Cyber Security. He is the founder of ERPScan and President of the project. Recognized as an R&D professional and Entrepreneur of the year, his expertise covers the security of enterprise business-critical software like ERP, CRM, SRM and industry specific solutions for Oil and Gas, Manufacturing, Retail and Banking; as well as other verticals developed by enterprise software companies such as SAP and Oracle.

Raymond Nunez
Mon has been a consultant to international organizations such as WHO and NEC, is the Co-Head Security Architect of DOST-ICTO for the Integrated Government Project (iGov), the Network Infrastructure and Security Consultant of the UP Computer Center, etc.

A member of Team Manila, Mon, with Paul Prantilla, has competed in the DEFCON 22 in Las Vegas this 2014. The team participated in multiple contests achieving 4th out of 264 teams for the Network Forensics Puzzle Contest (NFPC), and also 4th at the Capture the Packet Contest (CTP) championship round. They also competed in the 2014 Capture The Flag contest at Hack In The Box, Kuala Lumpur -- making them the first and only team from the Philippines to ever compete in an international CTF event.

Bruce Schneier
Bruce is one of the most influential security guru in the field of cryptography. He has been involved in the creation of many cryptographic algorithms: Skein, Solitaire, Phelix, Helix, Fortuna, Yarrow algorithm, Twofish, Blowfish, Threefish, and MacGuffin Pictures.

Christopher Elisan
Sir Tophs has spoken at ROOTCON for two conferences already and yes we want him back! He is the Principal Malware Scientist at RSA. He has a long history of digital threat and malware expertise, reversing, research and product development started at Trend Micro as one of the pioneers of TrendLabs where he honed his skills in malware reversing. He then built F-Secure’s Asia R&D where he spearheaded projects in vulnerability discovery, web security and mobile security. After F-Secure, he joined Damballa as their resident malware subject matter expert and reverse engineer. He speaks at conferences around the world and frequently provides expert opinion about malware, botnets and advance persistent threats for leading industry and mainstream publications. Elisan’s published works include "Advanced Malware Analysis."

Shawn Webb
Shawn a.k.a lattera is a Security Engineer and Co-founder of the HardenedBSD project. It would be nice if he can introduce his project during ROOTCON 10. He is also a long-time crew member of SOLDIERX.

NJ Ouchn
He is the organizer of the major event Blackhat Arsenal Tools (US and Europe) since 2011 and the founder and the main maintainer of He also maintains the projects; DPE (Default Password Enumeration), vFeed® the open source correlated & cross-linked vulnerability database, FireCAT the Firefox Catalog of Auditing exTensions, and KromCAT – Google Chrome Catalog of Auditing exTensions. Maybe he can organize an event like Arsenal Tools? Let's see!

Daniel Cid
He is the founder of the open source OSSEC HIDS and the Founder/CTO of Sucuri. He is also the co-writer of the Host-Based Intrusion Detection book and is an active writer at

Tavis Ormandy
Tavis has been seen nowadays in the mailing lists and exploit databases breaking antivirus software. This guy is legit since he is currently employed by Google as part of their Project Zero team. Tavis you are an inspiration!

Dan Duplito
Dan is one of the few elite hackers in the Philippines who is a chick magnet according to Tikbalang. He is the Vice-President of the Information Security Division in PSBank, one of goons of ROOTCON, and an Outstanding ASEAN CISO Awardee for 2013.

Craig Smith
Craig runs runs Theia Labs, a research firm that focuses on security auditing and building hardware and software prototypes. He has worked for several auto manufacturers and provided them with his public research. He is also a founder of the Hive13 hackerspace and Craig is a frequent speaker on car hacking and has run workshops at RSA, DEF CON, and other major security conferences. He is the author of the book "Car Hacker's Handbook: A Guide for the Penetration Tester".

Douglas Berdeaux
He is the founder of WeakNet Laboratories, and the lead developer of known open-source security projects and tools like WEAKERTHAN Linux, WiFiCake-NG, WardriveSQL, GPS-Parser-ng, WPA Phishing Attack for EAP Phishing, SSWR (Scripted Security for Wireless Routers), Catchme-NG, Perlwd (Perl UNiX MD5 HASH Cracking application), and many more.

Oh wait, you are not on the list? Don't worry! If you think you can do better than these guys which I think you can then please submit your talk at cfp [at] rootcon [dot] org and follow the instructions here:
Read More

Thursday, April 07, 2016

Registration Officially Open

Our registration is now officially open, this year we looked for another alternative other than Eventbrite to lessen the cost of our ticket fee. ROOTCON is always dedicated to giving the most quality and affordable conference in the country. 

Our registration this year is the same price as last year, no increase but we made it more exciting, first 30 registrations will entitle you to a free invite to the ROOTCON secret party. 

This conference is now BS just pure awesomeness! So what are you waiting for be part of the largest hacking conference in the Philippines! 

Accepted mode of payment:

Direct Deposit (thru BPI) 

Group discount and student rates available! 


Read More

Tuesday, April 05, 2016

ROOTCON 10 Call For Papers Now Open!

Last year at ROOTCON IX, we had some awesome lineup of talks from 31337 speakers:

  • How to Shot Web: Better Web Hacking in 2015 by Jason Haddix 
  • BackDooring Git by John Menerick 
  • Open Source Internet Infrastructure Insecurity by John Menerick 
  • Unmasking Malware by Christopher Elisan 
  • Hacking Time by Carlos Tingson 
  • Hiding Behind ART by Paul Sabanal 
  • Building Automation and Control: Hacking Energy Saving System by Philippe Z Lin 
  • Detecting Indicators of a Compromise Using an SDN-Based Network Access Control Implementation by Mon Nunez & Paul Prantilla 
  • Incident Response for Targeted attacks by Jose Ramon Palanco 
  • How safe is my system from reverse engineering by Markku Kero 
  • Fixing CSRF Vulnerabilities Effectively by Lu Zhao 
  • Once more unto the data breach by Steve Miller 
  • Oh My Honey: Honeypots (or honeynets) by Ray Torres 
  • Understanding HTTP/2 by Nathan LaFollette 
Now what about this year? Well, we need the crowd of researchers and 31337 hackers again to submit your talks since ROOTCON X's CFP (Call for Papers) has been opened for this year! 

It's time to show off those fresh and sizzling new hacks on September 22-24, 2016 at the Taal Vista Hotel, Tagaytay, Philippines. What are you waiting for? Email cfp [at] rootcon [dot] org and follow the instructions here:

Topics of interest but not limited to:

  • Real-life hack (responsible disclosure)
  • Non-tech hacking
  • New tool release
  • Exploit Development
  • Reverse Engineering
  • Web Application Attacks
  • Tools 101 (Metasploit, Nmap, etc…etc…)
  • Wireless Attacks (3G, 4G, 802.11(x))
  • Cloud Security
  • Vulnerability Discovery
  • OS Level Vulnerabilities
  • Physical Security (Lock picking – Digital Locks or Digital Safes)
  • SQL Injections
  • Vendor Appliance Vulnerabilities
  • Exploitation Techniques
  • Mobile Security
  • Internet of Things (IOT)
Read More