I had a hard time finding people I wanted to interview. We do try to maintain the quality of the guests on the stream, so when I do invite somebody, it's somebody I genuinely want to talk to. And this particular topic today has always held a fascination for me; I've always been really interested in it. So Secuna is a cybersecurity outfit, and we're going to hear from the CEO himself. AJ just recently got promoted to CEO of Secuna. We're going to try to keep it as accurate as possible, but technically as layman-friendly as possible. You know how we are here at Hardware Sugar: we try to explain everything in layman's terms, so there isn't too much jargon and everybody can follow along, things like that. So let me play our usual... Sup, Luigi. Thanks for joining us. So let me play... If you've watched the stream before, you know what comes next. See you after the ad break.

[Ad] Hey, I need Windows. But where do I get it? I want legit Windows. So many options. So many prices. Ah, here. Let's just go here. There are CD key offers here. Ordering is easy. Search for the software you need. Add to cart. They have lots of payment options. Less than 5 minutes. Finished. You now have a legit, working CD key for your Windows. Use our code to get discounts. So if you're looking for legit, cheap, and original software...

I think the success rate of that ad running to the end is like 10%. How was it? It always cuts out right at the end. Let's move on. Okay, I've minimized it now. There. Let's get to our main guest, AJ from Secuna. We were talking a bit off camera, and it's really an exciting space, this infosec and cybersecurity thing, especially nowadays when everything is tied into the internet. So without further ado, we have AJ from Secuna. Let me just bring him back in. There. Hello. Thanks so much, AJ, the new CEO of Secuna.

Thank you, Anton, for having me here.
And I'm very excited to answer some questions that you or the attendees or participants of this live stream may have.

Our tech guy, our back-end guy, is in the audience. I was talking with him beforehand so that I could get an understanding of the common cybersecurity threats and the technical terms. Let's start out with the... kind of like... the name Secuna, is it "Security Una"? Or how did you guys come up with the name?

Yeah, that is right, Anton. So Secuna is a combination of two different words. It could be English and Spanish, or it could be English and Tagalog, depending on how you interpret "una". So "Sec" is security and "Una" is first. Security first: Secuna. That's how we came up with our company name way back in July 2017. But before that, there's some funny background to it. While we were thinking about our company name, before we came up with Secuna, one of the company names we thought of was "Sexperts". Why Sexperts? Because: security experts. But it wasn't okay, even if it's funny. So it was presented to me as Secuna, a combination with a Filipino touch.

Okay. "Sexperts" seems a bit lacking in professionalism, I guess. Why? Because it would be hard to market to... So the company is already five years old.

Yes. We've been operating since 2017, as mentioned. And luckily, even through the pandemic, we're still alive, and we're still helping a lot of companies in terms of security and data privacy.

Ever since then, has that been your focus, the same focus you have now, like penetration tests and security audits? That's how you guys started out?

Yes. Another bit of background about Secuna: before we founded this company, the idea behind it came from me as a student who discovered a vulnerability in a fintech company called Baylands. Then Baylands reached out to me and decided to meet me in Eastwood, at UCC. And then we talked about...

Let's backtrack for a bit.
So you were still a student and then you found the vulnerability. And then you told them, "Hey, you know your site or your app has..."

Yes, ethically and with proper disclosure of the vulnerability, and they got interested. They reached out to me: "Meet us at UCC in Eastwood." That's where the company began, the founding, coming up with company names, et cetera.

Okay. In fairness. But my question is, what were you doing? Were you looking around, poking around their site, or were you also kind of interested to see what their security was like, how their back end was, or were you poking around on purpose for that company?

Yeah. Well, not actually. As far as I remember, their website before had this page where you can contact them if ever you found a security issue or a technical bug, in their contact form. So you can't really do some poking or whatever testing you want on any website without proper, let's call it, permission from the company. So if ever they have that kind of contact form or policy wherein they allow anyone to report bugs on their website, then you can do that: message them, reach out to them, report whatever you discover, then that's it. So it's not like you just test whatever you like.

So it's not like you just randomly found it. Okay, if you could run us through the three basic services you guys provide?

Yeah, sure. So currently we have three services at Secuna, as mentioned. The first one is our pentest service. Pentest is the traditional service offered by cybersecurity companies, wherein they help companies comply with regulations, licenses, certifications, etc. It is done regularly, on a quarterly or annual term, rather. So in penetration testing, they try to simulate external hackers, malicious hackers, cybercriminals trying to breach the security measures implemented by the company.
That's for pentest, and that's what we are doing for our first service. For our second service we have this Response service. The Response service is one of our well-known services at Secuna because it helped governments, it helped nonprofit organizations during the pandemic, at the height of the surge in COVID case numbers. So one of the well-known organizations we helped with this service is the Red Cross, and also the DICT, regarding RapidPass, if you guys are familiar with RapidPass. Through our Response service, with the community that we have in Secuna, we collaborated with each other to discover vulnerabilities that malicious hackers out there could potentially see and then exploit for their own gain, or depending on their motivation. So in that way we helped them: we found the vulnerability, we reported it to the organization, and then it got fixed. So now you won't hear about anything with services like RapidPass, nothing, so that's the good thing there.

So were there a lot... sorry, were there a lot of bugs in the initial version? Because of course during the pandemic the rollout was very fast, it had to be somewhat rushed. When you were reviewing the code, were there a lot of red flags that the community found?

Actually, the good thing about having a community of cybersecurity professionals is that they can test the organization's application faster than the traditional approach, because we have a lot of community members, cybersecurity professionals, or what we call white hat hackers, with different skills and expertise, so they can find vulnerabilities faster. So it wasn't actually rushed when it came to RapidPass; there was enough time allotted, but at the same time the turnaround on fixing things before the launch of the application was faster because more people were finding things. So it's not like the normal case where, for example, you hire one cybersecurity professional company because they have one very large application and you want it finished in two weeks, because that's what's hard for us, let's say two weeks. But we have a community, so the turnaround was faster than two weeks, and the whole scope of the application was covered. So that's the beauty of having a community and expert cybersecurity professionals, or in the cybersecurity field, rather.

Sorry, just finish your... one last... there's one more service you mentioned. We'll come back to white hat versus black hat.

Sure. So there's testing, the rapid response, and then there's this Discover service. Our Discover service is what we call bug bounty programs, if you guys are familiar with them. So with bug bounty programs, or in Secuna's terms the Discover service, we allow our clients, who are companies or organizations, to collaborate with the community of researchers, and if ever these security researchers or white hat hackers report a vulnerability to that bug bounty program client of ours, they will reward the reporter if the reported vulnerability is a valid vulnerability. So that's how we offer that kind of service, the Discover service. It's a win-win situation: for the reporter, for the hacker, they report whatever vulnerability they find and they get rewarded; for the company, they just offer a program where they reward whatever amount, and at the same time they secure a vulnerability that could potentially result in bankruptcy or millions in fines under the Data Privacy Act of 2012.

I know from your background, based on research, that you were also invited to Singapore before, and you were asked by Google and Facebook to try to find holes in Facebook. What's behind that?

Sure. So they invited hundreds of hackers from around the world. So it's international, not just Southeast Asia, I would say, because although the event was only in Southeast Asia, it's international because they invited a lot of hackers from the UK, from the Middle East, there were also some from the US, and you could see that at the event itself. So it's not totally just Southeast Asia; maybe the event was held in Southeast Asia, and most of the invited hackers were Southeast Asians, or Asians rather, but there were many international hackers. So they invited hundreds of hackers from around the world, globally, and only two Filipinos were invited privately. The first one is Kris, so hello Kris. Kris is one of the invited hackers because he found a lot of good vulnerabilities in Facebook as well.

Okay, so the bugs he found were also really serious.

Yes, that's why he was invited privately to the live hacking event; we call it a live hacking event, BountyCon. Then the other Filipino is me; I was invited as well. But the good thing about it is that both Filipinos, Kris and I, are part of Secuna.

Oh, okay.

Yeah, before he became part of Secuna, I met him at BountyCon, then he applied to Secuna, I hired him, then we were both part of Secuna. So that's what happened. Then fast forward, they allowed us, or tasked us, to find security holes in Facebook applications or products, what they call Facebook products. There were features there that hadn't been released globally yet, and they had us test them, but we could also find bugs in existing products. So based on my observation, everyone was focused on the new products or features in Facebook, so I focused on the existing ones, so I had fewer competitors, and I found a lot of vulnerabilities. And the severe one I found was in Facebook Pages, this thing that we see every day, Facebook Pages. Yes, and in that specific product or feature, Facebook Pages, the vulnerability I found at that time was that I could see, or I could determine rather, the Facebook page admins, which are private by default.

Okay, okay. So if there's a page, usually the admins are private; you don't know who the admins are. But you were able to find how to... you were able to see, you were able to figure out who they are.

Yes, and I can disclose that because they allowed me to create a write-up or walkthrough or blog about it.

So yeah, I assume the vulnerability has been patched. And you won 7th place, I think, in that contest? Number 7 or so?

Luckily, 7th place, and then I was rewarded best report, so that's okay too.

So definitely you're using your expertise. I mean, even before Secuna, you had a long history of looking at the websites or the apps of companies to see any vulnerabilities. Sorry, before we jump into common vulnerabilities that you guys have seen, if you could just explain a little bit to the audience, if they're not familiar, what these white hat and black hat hackers are.

Okay, sure. So there are a lot of hats in cybersecurity; actually there are three: black, gray, and white hat hackers. Let's start with white hat hackers. White hat hackers are the ethical hackers, in other terms. They are the security researchers who research vulnerabilities and report them once they find them. That's why they're called white hat hackers; they're the good ones. Then there are black hat hackers. Black hat hackers are the cybercriminals, in other terms. They're the ones who try to find bugs in a website, then they try to exploit them depending on their motivation or goal, and if ever they get something from it, they will try to sell it on the black market, they will try to leak it online. That's black hat hackers. Then there are gray hat hackers, who are in between the two, white hat and black hat. Sometimes they're good, sometimes not. So those are the three hats.

In the local scene, what are most people? You mentioned offline that it's a small community, so basically everybody knows everybody else, and I'm sure your personal reputation... I mean, the more systems you've gotten into that you didn't have access to, the more successful you were at finding things, the more your reputation grows, your legend in the local scene. Are most of them white hats or black hats, or more like most people are kind of gray? What's the majority here?

I would say most of them are white hats, the cybersecurity professionals I've seen, but maybe it depends on the circle you have, your friends. Yeah, so for me it's more on the good side. I have no connection right now with gray hats and black hats, so far, so most of them are in the white hat hacking space, or whatever the term is, space or field or something. We also have this community called ROOTCON, a local hacking, or cybersecurity rather, conference in the Philippines held every year around September or October, usually in Tagaytay or Cebu, and recently in Batangas or somewhere. There you'll see white hat hackers, most of them employed at bigger companies here in the Philippines, or sometimes Filipinos who went to work in Singapore, most of whom come back to the Philippines to share knowledge and communicate with other white hat hackers or cybersecurity professionals. So to answer the question: yes, most of them are white hat hackers.

How would you rate our level of skill? Because you need to keep up to date with what others are doing; I mean, with hacking, anybody with the internet can basically start learning how to hack, things like that. Compared to the communities abroad, how do we stack up in terms of expertise, and in terms of that somewhat innate thing, because there are people who just get it right away, like they have an intuitive talent for figuring out vulnerabilities and things like that? Where would you rate us, based on what you've seen, locally and on the international scene?

If by international scene you mean even the Filipinos working for international companies?

Yes.

Okay, so in that case, here in the Philippines I would say only a few really know their stuff. Like, if you say or show a specific piece of stuff to them, they can tell you whether it's vulnerable or not; only a few can do that, and they can actually do it based on what they see.

So like there's actual code, looking at the code, and then just intuitively, based on experience.

Yeah, they already know what attacks to think of, what they can do with it, what they can add to make what they found impactful, just by seeing the code or the website; they can already tell. So only a few of us can do that; the others still need to research. So I can't say that we're already at the level where we can keep up with international companies or international people or foreign nationals who can conduct security assessments. So I guess we're still far off, and we have a lot more to learn, experience-wise.

Big ask. So what are the common threats that Secuna, in your experience, has found for its clients? Basically the major run-of-the-mill ones that you really see often in your audits.

Sure, so I'll give you some insight into our portfolio at Secuna. At Secuna, most of our clients are fintech companies.

Okay, are you at liberty to disclose... sorry.

Yeah, but not a company name; industry only. So most of our clients are in the industry of finance, or fintech, or crypto, something like that, and they are trying to comply with regulations of the BSP or trying to comply with the Data Privacy Act as well. So, as mentioned, most of our clients are in fintech, so most of our findings are related to money. So the common threats, or vulnerabilities rather, that we discover in some of our clients in the fintech industry are, for example, generating money, generating crypto; even if we only have a small amount of money or crypto, we will try, in terms of exploiting the vulnerability. Then we also discover some issues, which is the most common thing we see: disclosure of personal information and sensitive personal information.

So, purely theoretically, let's say you have a cryptocurrency exchange here, and then a lot of the work you do is, let's say there's a cheap coin, one XRP, one Ripple, I think it's 4 pesos... Anyway, let's say it's 5 pesos, you have one Ripple, 5 pesos. A lot of the things you do is to try to see whether there are bugs in the system that will cause you to multiply the Ripple, even though you only have that one Ripple.

Yeah, so initially the process is that the company will provide coins or money, so let's say one XRP or 5 pesos. Then using that money that they provide, we will try to generate more money from it by doing this kind of attack that we call a rounding issue. Okay, so to give you some details about how we test at Secuna: we have an attack called rounding issue, round number. Let's say you are trying to transfer from one account to another account, both of which are your accounts, so account A and account B. In account A there's one XRP. Then you are trying to transfer XRP to the other account; you do it with decimals, and with the decimals, for example, let's say you only send 0.99, so there's still 0.01 left for you, right? So you sent 0.99; when it arrives in your account B it becomes one, because the number got rounded. So that's how we generate money. That's one example.

Ah, okay, okay. And that is an error, or that's a flaw in the system, in how they compute or how they process the transfers. Okay, let's take a question from the chat. Every Coordinate asks: in zero-day threats, what are the different vectors to be exploited in such vulnerabilities? If you could define what a zero-day is... if the audience is not familiar, please just explain what a zero-day threat is, and then I guess the question is what different vectors there are to be exploited; I guess, how do you go about it. Well, you know, a zero-day, it's more like a blackmail thing, right? Like, I'm gonna use the zero-day if you don't pay me, something like that. But I guess the question is how else can you use a zero-day exploit. But AJ, please explain first for the audience what a zero-day threat is.

Sure. So a zero-day vulnerability is a kind of vulnerability for which no fix has been released yet. That means when a zero-day vulnerability is found, expect that there are a lot of companies using that vulnerable software, for example, that malicious hackers or any hackers out there could exploit. So with zero-day vulnerabilities, again, no fix has been released yet, or no fix is available for that vulnerability; that's why it's called a zero-day. So the different vectors where they can be found... the most common places where zero-day vulnerabilities are seen are CMS-type websites, content management systems, or else the open source projects that are out there, like for example PHP, that's open source, Java, MySQL, or WordPress when it comes to CMS. Those are where zero-day vulnerabilities are seen, and malicious hackers will try to exploit that zero-day vulnerability since no fix is available yet. So all the companies using that service or that software can get hacked. Vulnerable.

Yes, vulnerable, in layman's terms.
And there are government actors like the NSA; I mean, they specifically stock up on zero-day exploits for offensive hacking when they need it, like it's part of the weapons in their toolbox. For example, "we found a Windows 11 zero-day," and then for whatever reason they need to... sometimes they hoard it and they don't disclose it, so nobody can make the patch. And also, I think, just based on what I've read, a lot of the hospitals now are getting online, so there are a lot of infrastructure issues, power, hospitals that are open to things like that.

Well, based on research, Anton, the most common, the most affected industry in cybersecurity is the healthcare industry, healthcare, or health tech rather. Why? Because they hold a lot of sensitive data, and if you sell data on the black market, the most expensive is the really sensitive kind: it could be medical records, sometimes with government IDs included, aside from the personal information that's commonly taken. So when that's sold on the market, on the black market, it's very expensive. So imagine if you manage to compromise millions of users' data, times the price for one specific person's data; so let's say 10 US dollars per specific record, and you have millions, so multiply that by a million.

Uh oh. So another question from the chat, actually from our back-end developer: for a semi-complex application with around 100 dependencies, so basically an e-commerce site, how do you keep up with patching, like when vulnerabilities come out? How do you keep up with... how do you make sure it's up to date, that all the stuff is patched? Is there a best industry way to go about it, or is it really just manual?

You have three ways for that, Raphael. Number one: monitor whatever dependencies, plugins, third-party services that you integrate in your website. That's number one; that's how you stay updated. Number two is use the functionality of the CMSes wherein when they say, hey, there's a new version of this library, a new plugin, a new version of this plugin, they will inform you, then you just have to update it. That's number two. Then number three is really doing manual testing; if you do it regularly, that's how you discover, ah, there's a flaw here, so it gets fixed early. And maybe additionally, you can set up automated notifications in your Slack or Discord where they inform you if there's a new vulnerability in those plugins, or you can also stay updated with different kinds of news through that automated chatbot or something, so no additional budget.

That's Raphael, our back-end developer, who doesn't want to spend; well, it would cost him...

Just stay updated using plugins or chatbots that you can set up and integrate into the communication channels you have. So yeah.

Okay. Jet is also in the chat. As you mentioned, he's a government employee currently creating software, and he agrees that PHP vulnerabilities are really bad, and he passed on a question too: do certifications like CEH or CISSP... sorry, could you explain those also? To be honest I'm not familiar with those. And can you be an expert even after one to two years, or realistically would it take more time to get experience?

To be honest, it's not required to have a certification to kick off your career in cybersecurity or get inside this space; you don't need a certification. Based on my experience, when I try to employ a full-time employee who would like to apply for a penetration tester position, I don't often look at certifications, because I have a practical assessment as part of my hiring process. So if ever I see that you know how to conduct testing and you know what you're doing, I will hire you, and that's the same process at other companies out there, because the certifications they can get along the way. So you don't really need a certification right away, but a certification will really help you stand out in your application for a position, or showcase what you have or something. Personally, I have ten technical certifications right now, and most of them are practical, like live hacking certifications, and the certification is time-bound too. But still, I know many people who have one certification, or actually none, but they can really do hacking; they're that good. So that's how it is.

How well prepared are most businesses, in your experience? A lot of businesses come to you and say, could you test us out. How well prepared are most of them, because everyone is migrating online? In your experience, how well prepared are most businesses to face... or how vulnerable, let me rephrase: how vulnerable are most businesses that are online right now in the Philippines? Are we talking about...

Ah yes, again, let's do local.

Okay.

Locally, here in our country, most of the companies are not prepared to prevent attacks; most companies, because they don't prioritize security at all. They don't really prioritize security, and if ever they do, you see on their websites or in their PR that they say "your security is our priority." Are we prioritizing security? Let's say they got a pentest one time or something like that, and they put that there. But still, most of the companies here in our country are not that prepared for security, and they prioritize their security only once they've been breached, or once they've experienced a security incident; only then.

It's a bit like closing the barn door after the horses have run off. After the fact, when you've been hacked, or the vulnerability has been used, they've gotten in. Actually, do you ever... because I'm sure in your day-to-day life you interact with a lot of things; you might have GCash, you might do online banking, you might buy and sell stocks online, I mean there's so much stuff online. But you, as a security expert, do you ever look at the apps or the services you're using and think, this is really bad, will I trust my data here, will I use this service? Has it ever happened in real life that you thought, I'll skip this bank, or I'll skip this service, because in your professional opinion it's really risky? I mean, you wouldn't trust your data with those guys.

Well yeah, as a security professional, and I guess other professionals out there can also agree with me, once you use an app, even just when you register or sign up, you see they ask for so much data. Of course you go, oops, wait, why do they ask for so much data? I just need to log in. For example, let's say, what's the best example here... let's keep it simple, say the contact tracing applications. Why does it need to know the history of my colleges, my education? Why does it need that? It needs my name, fine, but why does it need to know my social media pages, and so on? So I think there were contact tracing applications before that requested that, and you wonder, why do they need that? And when you check their privacy policy, they don't disclose why they need it; they just put there "we collect your... and we may use it for et cetera, et cetera."

Yeah, that's all it says, "we will use it for marketing, for websites, and we may pass it on to third parties," et cetera. So you should read the privacy policy, the T&C, the terms and conditions. Have you personally ever not used an app because you thought it was really risky, I don't feel comfortable signing up to this service or giving my information to this app?

Yeah, in some cases, yes. I've had experiences like that where an application required something, or requested it rather, but I said I don't want to use that because I know it isn't that secure or something. If you look at the website, you see they don't even have a security page, they don't even have, I mean, a privacy or security page, or what security measures they're taking. So a simple security review of their application or website, like anyone among the participants of the livestream can see it or can do it: if you're really going to use a website where you're going to sign up, check their privacy policy, check whether they have a security policy, what they do for the security of their users. Just check that. Then you'll see whether they really care about the data you share with them.

Another question from Maverick, and to be honest I'm not familiar with this term: any thoughts about cognitive cybersecurity?

I don't have an idea about that as well.

Okay, I thought it was an exam term that I'm not familiar with. From Pesto: actually I also wanted to ask you this question too, about the UnionBank scam a few months back. They made a fake account, "Mark something", a Tagalog name... Mark Nagoyo. "Mark Nagoyo", like a slap in the face; the hacker was a bit cheeky. And so they were able to transfer ill-gotten funds to that account and then withdraw through there. I mean, you don't need to comment on whether Secuna actually works for those companies or something, but just based on personal experience, or your professional experience, were you surprised that something like that happened, at that kind of scale and with that kind of method they used to get the funds?

I think in the circle I'm in, in the cybersecurity space, among those who really know how stuff works in applications or websites, one of the things we saw there is that there was an issue in the API of one of the things these banks use. So I don't know what it was, or I don't know if it was in the API, but I know there's an issue with the API where maybe they could bypass it to transfer the money without going through the proper process. And then, from what I know, they also included social engineering and other stuff that they performed during that kind of attack, or heist, that they did.

So if you can explain that term, maybe there are people who are not yet familiar with the term social engineering.

Oh yeah, social engineering is a type of attack, I guess, performed by cybercriminals to trick users or their victims. Basically, it's like you're in a... like you're being courted and they say things... what do you call it, sweet talk... what's the term in Filipino, in Tagalog... words that will win you over or something; that's what the criminals do. So they train in different ways to get, to extract data from their victim. That's social engineering, and there are different kinds of social engineering; this is where phishing comes in: phishing, vishing, smishing. So they're different: phishing, it could be through a website or email; vishing, it could be through a voice call or phone call; and smishing is through SMS. So there are different kinds.

That's something that everybody should keep in mind: yes, there is real hacking that goes at the system and the security in place, but some of the time, and actually most of the time, it's this social engineering by which the hackers get the information to get in, like the password; like it's the legitimate, correct password, because they're somehow able to find it out from the actual user. So it turns out they didn't have to penetrate the system; they just, with phishing, or by using private information that they somehow got out of the user, were able to either spoof that they are the actual user or get into the system. That's something I guess people need to keep in mind, because with hacking, especially in movies, the common perception is that they're pounding on the keyboard, they've got code and everything, but a lot of it is trying, like, what's your birth date, and that turns out to be the common password, or even the most common password is 123456: human behavior rather than actually having to penetrate a computer system.

Yes. So yeah, for that case, Anton, I would suggest or recommend that people don't make their data public, or don't share their data publicly, on social media, because hackers also perform recon, or what we call reconnaissance, or information gathering in layman's terms. They do that to gather more information and come up with their set of potential attempts that they will make to get that account. So there were cases before where, for example, your password is the name of your girlfriend or boyfriend, the name of your dog, your birth date or mobile number, which is easy to see, and that's how it happened. And another thing, this one I'll give for those listening: go to the website dehashed.com, okay, DeHashed, d-e-h-a-s-h-e-d dot com. DeHashed. It's free, you just need to sign up, then type in any email, someone's mobile number, someone you know, and you'll see the data that got leaked about them. That's one way of gathering information on your target. I'm not teaching you how to do things to people, but that's actually what is happening right now: your data is being disclosed, exposed publicly by this kind of service like dehashed.com, and you can't do anything about it because it's already out there online, because the companies you signed up with had no security measures implemented, until they got breached, and there's nothing you can do once the companies have been breached. And this is all free; I mean, all of that personal information that got leaked is there for the viewing, for the taking. You can actually try to screen share it and try someone, for example your name if you want, because anyone right now can just sign up there and use it.

Actually, I often... I'm signed up to, what's it called, Have I Been Pwned, where if your email or password leaks... I just have a Google Alert on my name, just in case something suddenly comes out on the internet. So I do have basic things like that, although I've never used... I'm scared to search my name on DeHashed; I might find something there.

Well, if you're scared, what about the others? If you're the one doing the research, even more so. With Have I Been Pwned, you just put your email there, or a website domain name, then it shows you where your information was leaked. It's actually helpful, but for me it's not that helpful because I don't know what data got leaked about me on those websites. On dehashed.com, what you can do is put in your email and it shows you what data got leaked from you, so you'll just be shocked: you'll see your address is there, your IP address is there, phone number, your password in plaintext is there.

In your experience, working for the company, what's the most serious vulnerability? I mean, no need for details like which company and stuff, but the one where you really said, hey, you need to fix this because this is really risky, and it's not that hard to exploit. Like, serious in terms of possible repercussions, what data, and the ease of penetration, or ease of hacking.

Yeah, sure, so actually there's
one na nangisip kagal pagkasabi mo nang question example mo talaga yes yes so eto yung punyari minakita isang website application na tinatas nyo dahil client nyo tapos meron siyang upload button din sabihin ating profile picture pero yung profile picture file upload na yun na feature as walang restriction na nilagay hindi ninyirrestrict na dapat JPEG, BNG lang yung allowed so ang tendency if you are a hacker ang gagawin mo mag-upload ka ng malicious PHP file dun or tinatawag naming shell okay so yung shell na yun kapag in upload namin at na upload nis mo doon sa server ng application na yun ng website na yun tapos na access mo siya pwede yung maging tawag to access to access the server so in that way kapag na access mo yung server as a hacker depending on the permission na meron yung user na yun ng server na yun pwede mo nga destroy lahat ng meron doon pwede mo na access yun database doon from that server at idilik yung database pwede mo yung burahin yung source code ng server kung saan nakahust yung application eh and eh so this it's kind of similar a little bit to my SQL ah sorry an SQL injection attack na parang dun sa password ah no no no hindi siya similar malayo siya okay if you could ba I understand SQL injections are a common way to hack sites or do you see that often common if ever na siguro kung poor PHP yung tinatest mo common siya deba pero depende pa rin sa application yan kasi ngayon napakanan namin ng technology stack or siguro sabihin natin mga ibad ibang klasin programming languages so hindi nakadalasan na ikita yung PHP right now so malabo na yung mga normal PHP application na ginawa from scratch so yung ipag gumagambit na mga tinataw natin frameworks na meron mga security measures na na e-activate or enable mo nalang para mas maging secure application or website what would you say is the most secure tech stock right now I mean of course nothing is 100% secure may butas naman talaga lahat pero in terms of yung ya overall like terms of security 
what would be your recommendation kung developer developer ka wala pa naman talaga yung project you're free to choose ang yung magadang framework ang magadang language what would you suggest kaya itang programming language naman secure pero basta alam mo kung pano mo isi secure nang tama or gagamitin nang tama rather so kasi yung mga let me replace lahat naman ng programming languages is ok pero depended na yung sa paggamit mo kung pano mo isi secure and pano mo gamitin nang tama so ganan naman yan so for example ang sinasabi nang lahat ayaw ko ng PHP kasi lagi yan na hack pero kung dinamit ng PHP paglateng sa mga frameworks like Laravel pero ok naman siya secure naman siya kapag ginamit mo nang tama at alam mo kung pano isi iprotect ang application so depended sa developer talaga yan if you could name one company that you think is local company that seems very good proactive security they really kung baka sila yung good example or best example that they take security They do spend resources on it, hindi lang marketing, mahalaga for them na secure yung services dila. Any organization? Pwede, ba sa local? Mehidyo mahirap yan kasi, as you mentioned, walang 100% secure. Pero siguro at least by implementing the proper security measures or best practices in terms of security and privacy. Siguro ang masasabi ko dito, ito yung mga organizations na landing pages lang kadalasa niya na dito on. Ayong talagang parang, yung info page lang talagang walang interaction. Yes, walang interaction or walang something, pero nahak pa rin yan na, nahak pa rin yan. Pero still, pagdating sa company na yung wala ko mabibi kay e. Wala talagang magandang example na top of mind na itong si ex-company talagang. Wala, even sa kuna, hindi ko siya ma-recomend kasi di naman na-assure na 100% secure to. Kahit si nyo naman company, kung may company nagsambay na 100% secure sila. Pagduda ka na. Pagduda ka na. So, ayun siya. Sige, map-recorded again, very technical question. 
The difference between stored and reflected XSS? Okay, I have no... Okay. Oh sure, that's technical na, no? So, sige, let me try to simplify it. So, yung reflected XSS is an attack na kung saan mag-e-inpoop, maglalagay ka ng isang JavaScript code. Na kung saan kapag kalagay mo, mag-re-reflect agad yung JavaScript na yun sa may website mo. Or sa website na binibisita mo or something. Okay? Or na-access mo something. Yung stored cross-site scripting naman, kasi yung XSS is cross-site scripting, guys. So, yung stored cross-site scripting naman, nag-input or nag-lagay ka ng JavaScript code, then pag-kalagay mo, masisib siya sa database. Then later on, kapag may in-access ka na something, or may nere-fresh ka, mag-pap-up or mag-show yung in-lagay mo ng code na mal-issues. So, ayun yung stored XSS. So again, pag-stored XSS, kahit anong refresh pa yung gawin mo, nandudun na yung JavaScript code, yung show-up. Yung reflected XSS, pag-kalagay mo ng code, nag-show-up siya, pero pag-re-fresh mo wala na. Kailangan mo ulitan yung ginawa mo. Okay, to be honest, medyo. That stuff kind of flew over me. It's technical now, sir. Medyo ano na siya. I guess sir Maverick is technical na na. Medyo may background talaga sa security. Kasi he mentioned XSS, rather than the complete. Than the cross-site scripting. So, yung mark from Facebook ask, can you recommend security to secure a website? I'm not, if you could also explain what security is, kung service ko siya? Sure. So, security is a company na ang in-offer is mga solution in cybersecurity to protect yung mga wordpress na application. So, yung security na yun is, I guess marara-recomend ko naman kasi it is built by a well-known hacker then. I'm not sure kung ito ang pangalan niya is Igor Hamako, something. Matagal na matagal na something na na tao. Pero if malia ko, din ko naman kailala kung sinapakanda. Pero maganda yung reputation ng security company pagdating sa mga wordpress application. 
So, to prevent attacks and secure application. Okay. We'll take one last question from the chat and then I do have one last question for you and I think we've learned a lot like at least for me, parang dami ko nang i-google mamaya na anong XSS na ito na nito. Jeff from YouTube asks, suggestions for an SMS provider? I guess they can send yung automated na pwede ka mag-send ng ads or yung messages. Well, wala kung marara-recomend kasi di ko naman siya ginagamit. I think ang mga kasagot niyan mismo is yung mga developer na also entusias pag ating sa security and privacy. So, even sa sekuna kasi di kami gumagamit ng SMS provider. So, wala akong marara-recomend. Pero ang suggestion ko dito, Jeff, is bagunta kayo ng security review. Okay. What I meant about security review is mag-request kayo na mga compliance documents nila or certifications sa meron yung SMS provider na ito showing na, yes, they are secure. They are compliant with different regulations locally sa kanilang bansa or di kayo internationally. So, that's the only way for you to know kung okay batong SMS provider na ito pagtating sa security and privacy. So, the problem right now dito sa country natin is hindi natin nerequire yung security review kapag gusto natin yung avail yung service ng isang company. Sa US, very common yun, kailang flow yun yun. Security review. Bago ka namin koa in at integrate sa company namin, ang mga certifications sa meron ka, palisys na meron kayo pagdating sa security and privacy and anong other stuff na pwede namin makita for security review. So, mga ganun. So, sa Philippines kasi wala basta, nakita may application na gustoan mo ko-kawain mo na. That's it. Wala na. Hindi baling security na yun. Basta, we'll figure it out later. Mark from Facebook says SMA4, I don't know if I'm supposed to disclose this but that's also what hardware sugar uses. 
Pero sinabiyan ako nung developer namin na wag na i-reveal yun in tech stack namin and yung mga services na ginagamit namin because yun yun. The less people know the more secure the system is. Well, you don't need to, Anton. And sininisa yun developer niyo. Ah, sir Raphael. Sir Raphael. So, well, din yun na ilangan kasi meron mga websites na ginagamit ang hackers to properly fingerprint or guide your information about the tech stack na ginagamit niyo. Ah, so they can they can like keep it in a site and then parang may list na of like it'll most likely ito yun and then ano waw, sobrang organized na. It's like a very so there really are a lot of like if like you're not bago ko pa lang sa hacking you're still trying to figure out like how to do it and things like that but there seems to be a lot of tools online that allow you to magsimula magsimula on that path. Yes, marami. Marami. Dito, marami kan tools na gagamit sa cybersecurity but most of them that's the same function. Okay. And kung gusto mo nang matuto in cybersecurity and sabi mo nga maraming kanay kita mga websites dito check mo nalang ko ano yung contents yung silabos nung yung mga tinuturudon then check yung mga preview nung mga videos para malaman makong interesting siya para sayo o hindi pero meron din dito mga websites na kung saan may mga blogs nung tuturus hila kung paano ginagwato mga security testing na ito. So iba-iba siya so depend na siguro kung aning gusto mo matutunan. 
Sige, last question before we let you go has there been any hack that you've seen na parang in your opinion sobrang ganda like sobrang elegant sobrang innovative nung pagkapasok I mean there's a certain art also to trying to figure out these things na parang hindi ko na isip yun pero vulnerable siya kasi ginamit yung isang part nung system or something has there been one na parang nung nakita mo na isip mo na nung narinig mo nung umikot yung mga kwento na alal mo vulnerable na ito kasi ito yung ginamit or something has there been one na paisip ka na oh, ganda na parang hindi ko na isip na gamiten yun in that way or hindi ko na isip na pwede ka pala pomasok using that approach has there been any one thing that stood out one attack that stood out for you? Wala eh Wala eh Wala ko maisip ay yung gusto ko sabihan wala ko maisip na parang okay, ayos to ha parang okay to gawin na parang So well lahat namin kasi interesting parang for me parang wala ko maisip na nang mag stood out and mahirap isipin marami ka nang na try or something pero parang lahat nila nang final output once na mak compromised mo yung server then that's it yun na yan so pero if ever na tatanongin mo ko kung ano yung parang interesting na na mga hacking activities na nangyari right ng Sa Philippines ang interesting para sa aking is yung nangyari sa common again smart method ah, sige let's sorry, last na parang supposedly na hack yung ano diba but not the the common server itself or just parang a database anong I'm not too familiar kasi with the detail sir hindi ata na breach yung actual common server in alleged lang or something hindi talaga I think na breach yung common but yung time party na gina-gama third party which is kasi base naman do sa pinapakita ang hacker group na yun kung hacker group man yun o kung ilang tao man meron doon yung xsox kung kila lang yung kung sino yun ang pinapakita niya sa mga video screen siya sa pinapakita niya is not really common bad yung smart method so ayin yung 
interesting is paanan na nang nakita saan sila pumasok on access point nila ano attack vector nila ano yung vulnerable na system server applications website et cetera paano sila nakapasok and bakit sila nakakapag move sa ibad ibang klasin yung servers patin nila nang kawat ng data na to and yung mga tanong na na medyo mapapa isip ka talaga na akala ko tapos na tong 2016 ganyan ganyan bakit nang sabi na atong xsox na to bakit na data parang tayo na ikitang 2016 sa comilyp pagtating na nananan doon sa may smartmatic maganong bagay isip ka talaga so di natin alam ko paano nila ginawa and interesting malaman kung ano yung magiging output na to paasyang for me maganda siyang gawan nang parang tawag dito case study security na so akala natin security comilyp pero pinasok pala sila using the other third party then napakontin yung data so ayun yung meron tayong data based doon pinapakita na access point okay and on that note thanks so much to A.J. congratulations again the newly minted CEO of Sikuna yun and thanks so much it's always been a topic na i've been interested in so parang it's really nice to hear from somebody na talagang very well versed in the industry and yun yun yung white hat so parang defensive hacking kaisa sa yung offensive na trying to get into systems and things like that yun so if anybody in the audience does work for companies that needs security audit do check out Sikuna so yun thanks so much for joining us on the stream we do have a video dropping tomorrow that's from my brother Rafael who is BACNA from his trip so I think it's a chair review so stick around for that so yun stay on the line A.J. even after I end the stream will still be the video will still be on but yun for the rest of the audience thanks so much for joining me have a good week stay safe and baka mag game stream at ako Friday let's see yun see ya guys