Keith is an architect by day, blogger by night. He’s responsible for all the content on this blog, and irresponsible for everything else.

Latest stories

2018 in Review

2018 in review. I started the year building out govScan.info, a site that audits .gov.my websites for TLS implementation. Overall I curated a list of ~5000 Malaysian government domains through various OSINT and enumeration techniques and now use that list to scan them daily. The project stalled around Jun/July, and it’s basically on auto-pilot till I figure out what to do. The scans still...

Shutting down sayakenahack

Shutting Down!! Sayakenahack was undoubtedly the highlight of my 2017. If you’ve come from sayakenahack.com, I’m sorry but I’ve shut down the site :(. I learnt so much from it, and it was even my ticket for presenting at Hack In The Box Singapore … But all good things must come to an end; there’s no point having a site that does nothing but consume my hosting charges...

Introducing potassium-40

Over the past few weeks, I’ve been toying with lambda functions and thinking about using them for more than just APIs. I think people miss the most interesting aspect of serverless functions — namely their massively parallel capability, which can do a lot more than just run APIs or respond to events. There are 2 ways AWS lets you run lambdas, either via...

GitHub webhooks with Serverless

Just because you have a webhook, doesn’t mean you need a webserver.

With serverless AWS Lambdas you’ve got a free (as in beer) and always-on ability to receive webhook callbacks without the need for pesky servers. In this post, I’ll set up a serverless solution to accept incoming POSTs from a GitHub webhook.

govScan.info now has DNS records

DNS Queries on GovScan.Info. This post is a very quick brain-dump of stuff I did over the weekend, in the hopes that I don’t forget it :). Will post more in-depth material if time permits over the weekend. govScan.info, a site I created as a side hobby project to track TLS implementation across .gov.my websites — now tracks DNS records as well. For now, I’m only tracking MX, NS...

Supply Chain Woes

The security community has been abuzz with an absolute shocker of a story from Bloomberg. The piece reports that the Chinese Government had subverted the hardware supply chain of companies like Apple and Amazon, and installed a ‘tiny chip’ on motherboards manufactured by a company called Supermicro. What the chip did — or how it did ‘it’ — was left mostly to the...

Hosting a static website on S3 and Cloudflare

Hosting an S3 site via Cloudflare. From my previous post, you can see that I hosted a slide show on a subdomain on hitbgsec.keithrozario.com. The site is just a Keynote presentation exported to HTML format, which I then hosted on an S3 bucket. The challenge I struggled with was how to point the domain I hosted on Cloudflare to the domain hosting the static content. The recommended way is to...

Keith’s on #HITBGSEC

I haven’t blogged in a long while — but I have a good(ish!) excuse. I spent most of August prepping for the #HITBGSEC conference in Singapore. It was my first time presenting at a security conference, and I had an absolute blast. The output of the countless hours I spent is in the embedded YouTube video below, and the presentation material can be downloaded here [.key] and an HTML version...

Thoughts on SingHealth Data Breach

On the 20th of July, Singaporean authorities announced a data breach affecting SingHealth, the country’s largest healthcare group. The breach impacted 1.5 million people who had used SingHealth services over the last 3 years. Oh boy, another data breach with 1.5 million records … **yawn**. But Singapore has less than 6 million people, so it’s a BIG deal to this island I currently call...

The Malaysian Government isn’t watching your porn habits

Recently, there was a poorly written article in The New Straits Times that suggested the Malaysian Police would know if you were watching porn online. Let me cut to the chase: the article is shit. The software in question, aptly named Internet Crimes Against Children Child Online Protective Services (ICACCOPS), is used to detect Child Pornography, and Child Pornography only — as the name...