Posts

AirGap Hacking - Malware infiltration via USB HID driver and data exfiltration via near ultrasound

This is my favourite piece of work, which I published and presented at a conference a few years ago. Here is the original demo video from my Youtube channel - https://www.youtube.com/watch?v=a0kpUNOfoQM&t=5s (with subtitles, no audio). Or you may watch my interview with an online media outlet, in which I briefly explain how it works - https://www.youtube.com/watch?v=pZwwuHwmyhM&feature=youtu.be In this demonstration, the computer on the left is the victim's machine with no network connectivity; here we refer to it as an air-gapped computer. Moreover, USB storage is disabled and our best friend, antivirus, is enabled on this locked-down machine. This is a common setup in certain environments, such as OT networks and highly secure financial trading systems, built on the assumption that an isolated machine cannot be hacked. However, there have been high-profile malware attacks on such environments, including utility plants and closed financial networks. In real-life scenarios the targeted machine may not

Cloud Security - Exploring the AWS Lambda runtime execution environment

Serverless computing has been gaining popularity, especially in the cloud. While the service provides much convenience for most users, who have no access to the underlying environment, hackers are interested in understanding how things work behind the scenes, and we want to answer some basic cybersecurity questions. For instance, what software, including operating system and middleware, makes up the application stack? Where does the service store credentials in the environment? And most importantly, how, if at all, can a serverless deployment be hacked or leveraged in an attack? In the following video demonstration, we explore the AWS Lambda runtime execution environment, which is used in many scenarios, from developing application APIs to configuring cloud resources. A malicious Lambda reverse shell backdoor function is written and deployed, allowing us to explore the runtime execution environment interactively - https://www.youtube.com/watch?v=khF1PMjQv_E&t=10s T
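As an added example (not the backdoor from the video, and not AWS's own code), the following Python handler shows the kind of inventory you would take once you have code execution inside a Lambda sandbox: which OS and interpreter the stack runs on, which Lambda-set variables describe the runtime, and where the execution role's temporary credentials live. The environment variable names are the ones the Lambda service documents; the sample environment, the function name and the key values are constructed so the script runs outside Lambda.

```python
"""Inventory the Lambda runtime execution environment from inside a function.

Added example: not code from the original post or from AWS. The Lambda-set
variable names are real; SAMPLE_ENV is a constructed environment for offline runs.
"""
import json
import os
import platform
import sys
from typing import Any, Dict, Mapping, Tuple

# Lambda injects the execution role's temporary keys into the process
# environment. Anyone who can run code in the sandbox can read them.
CREDENTIAL_VARS = ("AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN")
RUNTIME_VARS = (
    "AWS_REGION",
    "AWS_EXECUTION_ENV",          # e.g. AWS_Lambda_python3.12
    "AWS_LAMBDA_FUNCTION_NAME",
    "AWS_LAMBDA_RUNTIME_API",     # host:port the runtime bootstrap polls for invocations
    "LAMBDA_TASK_ROOT",           # where the deployment package is unpacked
    "LAMBDA_RUNTIME_DIR",         # the language runtime's own files
)

# Constructed sample environment (values are placeholders, not real keys).
SAMPLE_ENV: Dict[str, str] = {
    "AWS_REGION": "ap-east-1",
    "AWS_EXECUTION_ENV": "AWS_Lambda_python3.12",
    "AWS_LAMBDA_FUNCTION_NAME": "backdoor-demo",
    "LAMBDA_TASK_ROOT": "/var/task",
    "LAMBDA_RUNTIME_DIR": "/var/runtime",
    "AWS_ACCESS_KEY_ID": "ASIAEXAMPLE",
    "AWS_SECRET_ACCESS_KEY": "constructed-secret",
    "AWS_SESSION_TOKEN": "constructed-token",
}


def redact(secret: str, keep: int = 4) -> str:
    """Keep only a short prefix so the inventory can be logged without leaking keys."""
    if len(secret) <= keep:
        return "*" * len(secret)
    return secret[:keep] + "*" * (len(secret) - keep)


def probe_writable(path: str) -> bool:
    """True if a file can be created under path (in Lambda only /tmp should be)."""
    probe = os.path.join(path, ".runtime_probe")
    try:
        with open(probe, "w") as fh:
            fh.write("x")
        os.remove(probe)
        return True
    except OSError:
        return False


def inventory(env: Mapping[str, str],
              writable_paths: Tuple[str, ...] = ("/tmp", "/var/task", "/var/runtime")
              ) -> Dict[str, Any]:
    """Collect what an attacker with code execution in the sandbox learns first."""
    return {
        "os": {
            "system": platform.system(),
            "release": platform.release(),
            "python": sys.version.split()[0],
        },
        "runtime": {name: env.get(name) for name in RUNTIME_VARS},
        # Presence alone proves credentials sit in the environment; values are
        # redacted so the report is safe to ship to a log or a C2 channel.
        "credentials": {name: redact(env[name]) for name in CREDENTIAL_VARS if name in env},
        "writable": {p: probe_writable(p) for p in writable_paths if os.path.isdir(p)},
    }


def handler(event: Dict[str, Any], context: Any = None) -> Dict[str, Any]:
    """Lambda entry point: return the inventory as the invocation response."""
    return inventory(os.environ)


if __name__ == "__main__":
    # Offline run against the constructed environment.
    print(json.dumps(inventory(SAMPLE_ENV), indent=2))
```

Deployed as a real function, `handler` returns the same report for the live sandbox; the redaction is what makes the difference between a reconnaissance tool and a credential leak in your own logs.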

Mobile Security - TV interview and demo

In one of the TV programs in which I was interviewed a few years ago, an active internet user was invited to participate in a test to assess her awareness of security when using her mobile phone. She was asked to join an interview about all the things she would do online, and during the few minutes of the interview I was tasked with taking over her PayPal account. As a matter of fact, she was quite vigilant about protecting herself online. To avoid any liability issues, both mobile devices, used by her and by the TV program host, were prepared by me ahead of time, and new PayPal accounts, owned by the TV program producer and the host, were created on-site during the test. She was asked to open a PayPal account and set up a password during the interview, and the host immediately transferred HKD 10,000 to her account. After a few minutes, I signalled to the host that I was done, and the participant was asked to check her account balance; obviously she failed to log back into her account. She suspecte

Cloud Security - Stealing temporary AWS access key via SSRF to access S3

This is a copy of my hacking demo published on Youtube some time ago. For the original video please check out my Youtube channel - https://www.youtube.com/watch?v=gwsooCD7liU&t=27s Cloud security has been a hot topic. As more and more organizations move to the cloud, security breaches and incidents hitting the news headlines have been catching the eyes of the general public, making some people skeptical about embracing the cloud. However, when we look at the security controls of the cloud service providers, we find that most of them have actually been doing a decent job, so what actually happened in those cases to cause such a perception? Humans learn best by example, so let's look at a simulated attack to discover some common themes and patterns. We have created a demo illustrating a chained exploit, which takes advantage of different mistakes made by the customer in a cloud deployment. It is also how a serious breach might have happened in the US, hitting the news head
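The following Python is an added example, not code from the demo, showing the SSRF link of such a chain: a web application's "fetch this URL for me" feature with no destination check, which an attacker points at the EC2 instance metadata service (IMDS) to read the instance role's temporary keys, next to a hardened version that resolves the target first and refuses link-local, loopback and private destinations, including the IPv6 IMDS address and IPv4-mapped IPv6 forms. The IMDS addresses are the real AWS endpoints; the HTTP responses, the DNS table, the role name and the key values are constructed so it runs offline. Using the stolen keys against S3 (the next link in the chain) is not shown here.

```python
"""SSRF to the instance metadata service: vulnerable fetcher beside a hardened one.

Added example, not from the original demo. IMDS_V4/IMDS_V6 are the real AWS
endpoints; FAKE_RESPONSES and FAKE_DNS are constructed sample data.
"""
import ipaddress
import socket
from typing import Callable, Dict, Iterable
from urllib.parse import urlsplit

IMDS_V4 = "169.254.169.254"   # IMDS IPv4 endpoint
IMDS_V6 = "fd00:ec2::254"     # IMDS IPv6 endpoint

# Constructed responses, shaped like IMDSv1's unauthenticated GET replies.
FAKE_RESPONSES: Dict[str, str] = {
    f"http://{IMDS_V4}/latest/meta-data/iam/security-credentials/": "WebAppRole",
    f"http://{IMDS_V4}/latest/meta-data/iam/security-credentials/WebAppRole":
        '{"AccessKeyId":"ASIAEXAMPLEKEY","SecretAccessKey":"example","Token":"example"}',
    "https://example.com/avatar.png": "<png bytes>",
}
# Constructed DNS table; an attacker-controlled name can point straight at IMDS.
FAKE_DNS: Dict[str, Iterable[str]] = {
    "example.com": ["93.184.216.34"],
    "metadata.attacker.example": [IMDS_V4],
}


def fake_fetch(url: str) -> str:
    """Stand-in for an HTTP client so the example runs offline."""
    if url not in FAKE_RESPONSES:
        raise ConnectionError(f"no route to {url}")
    return FAKE_RESPONSES[url]


def fake_resolve(host: str):
    """Stand-in resolver: IP literals pass through, names come from FAKE_DNS."""
    try:
        return [ipaddress.ip_address(host)]
    except ValueError:
        pass
    if host not in FAKE_DNS:
        raise socket.gaierror(f"unknown host {host}")
    return [ipaddress.ip_address(a) for a in FAKE_DNS[host]]


def real_resolve(host: str):
    """Production resolver: every A/AAAA answer; numeric forms are normalised too."""
    return [ipaddress.ip_address(info[4][0].split("%")[0])
            for info in socket.getaddrinfo(host, None)]


def vulnerable_fetch(user_url: str, fetch: Callable[[str], str] = fake_fetch) -> str:
    """The customer's mistake: fetch whatever URL the user supplies."""
    return fetch(user_url)


BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "169.254.0.0/16",          # link-local, includes IMDS
    f"{IMDS_V6}/128",          # IPv6 IMDS
    "127.0.0.0/8", "::1/128", "0.0.0.0/8",
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
)]


def is_allowed_target(user_url: str, resolve=fake_resolve) -> bool:
    """Resolve first, then judge every address the name maps to."""
    parts = urlsplit(user_url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    try:
        addrs = list(resolve(parts.hostname))
    except (socket.gaierror, ValueError):
        return False
    if not addrs:
        return False
    for addr in addrs:
        # ::ffff:169.254.169.254 is IMDS wearing an IPv6 coat; unwrap it.
        if addr.version == 6 and addr.ipv4_mapped is not None:
            addr = addr.ipv4_mapped
        if any(addr in net for net in BLOCKED_NETWORKS):
            return False
    return True


def hardened_fetch(user_url: str, fetch=fake_fetch, resolve=fake_resolve) -> str:
    """Same feature with the destination check. If the HTTP client follows
    redirects, re-run the check on every hop."""
    if not is_allowed_target(user_url, resolve):
        raise PermissionError(f"refusing to fetch {user_url}")
    return fetch(user_url)
```

In production swap `fake_resolve` for `real_resolve` and connect to the address you checked, not to the hostname again, or a DNS answer can change between the check and the fetch. The provider-side control is IMDSv2: credentials are only served with a session token obtained through a PUT request, which a GET-only SSRF cannot issue, and the default hop limit of 1 keeps the token from leaving the instance.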