Career Profile

Dedicated cyber security professional with 7 years of diverse experience, specializing in banking identity, blockchain security, ISO 27001, web and mobile application pentesting/audits, and smart contract audits. Proficient in code review and a significant contributor to the OWASP MSTG project. Ranked #6 at Defcon 2019's Capture the Coin competition. Holder of the OSWE, OSCP and CBSP credentials. Credited with numerous CVEs and security reports for major firms including Apple, Viettel, Telia, Blockchain and TransferWise. Author of several security research papers. Fluent in English and Vietnamese with a foundational understanding of Chinese.

Experiences

Security Manager

2019 - Present
Fact Group, Malta
  • Carry out technical audits, such as cybersecurity audits of crypto-exchanges, electronic money institutions and similar entities, and other comparable technical audit engagements.
  • Carry out blockchain technology audits on behalf of the Malta Digital Innovation Authority (MDIA) and the Malta Financial Services Authority (MFSA), as well as ISO 27001 (or similar ISO standard) based audits and other comparable technical audit engagements.
  • Manage smart contract audits and application pentesting projects (web, mobile).
  • Carry out penetration tests and similar assessments and prepare the corresponding reports.
  • Carry out RNG testing and ISO 27001 audits.

Founder & CEO

2019 - Present
Kubertu Ltd
  • Founder of Kubertu.
  • Provides cyber security services: penetration testing, cyber security solutions, SOC, smart contract audits, smart contract development and DApp development.

Application Security Engineer

2018 - 2019
Infinity Blockchain Labs
  • Security penetration testing and security audits of web and mobile applications (iOS, Android) in the blockchain space.
  • Developed a smart contract audit checklist and carried out smart contract security research on both the Ethereum and NEO blockchain networks.
  • Bug hunting: searched for vulnerabilities in software built and owned by the company, then analysed and evaluated the impact of the resulting risks.
  • Developed automated security scanning tools for services and daily activities.
  • Participated in internal and external projects. Resolved incidents and problems at all three support levels. Performed penetration testing on Android and iOS. Identified risks and provided recommendations for improving security based on the vulnerabilities found.
  • Participated in the secure design of new products and features, and in defining the official mobile security process for the mobile teams.
  • Performed security code reviews on mobile software products and documented security research.

Cyber Security & Identity Engineer

2016 - 2019
Swedbank, Estonia
  • Security development work on protecting privileged accounts, authentication and authorization, health checks and monitoring, etc.
  • Performed penetration testing of Windows Active Directory (attack vectors, malware analysis, Kerberos, etc.). Resolved level 3 incidents and problems, and set up infrastructure and application operational requirements, methodologies and procedures.
  • Planned, built, tested and ran diagnostics for the above-mentioned services, sub-services and infrastructure components.
  • Analysed and performed capacity and performance management for the services, sub-services and infrastructure components.
  • Ensured the development and maintenance of services, sub-services and infrastructure components for all platforms within the contractual SLA.
  • Responsible for Windows AD security, including privileged accounts, authentication and authorization, health checks and monitoring, and other services.
  • Built and developed platform infrastructure and/or application infrastructure. Set up the framework and guidelines for platform infrastructure and/or application infrastructure.

Certifications

Offensive Security Web Expert (OSWE)

2020
Offensive Security

Certified OSWEs have a clear and practical understanding of white-box web application assessment and security. They have proven their ability to review advanced web application source code, identify vulnerabilities, and exploit them. They use creative and lateral thinking to determine innovative ways of exploiting web vulnerabilities. OSWEs are able to assist web development teams in creating and maintaining web applications that are secure by design.


Certified Blockchain Security Professional (CBSP)

2019
Blockchain Training Alliance

The Certified Blockchain Security Professional (CBSP) exam is an elite way to demonstrate knowledge and skills in blockchain security.

  • Advanced blockchain security mechanisms of Ethereum, Hyperledger and Corda; smart contract security.
  • Network-level, system-level and smart contract vulnerabilities and attacks.

Top 10 - Capture the Coin 2019

2019
Coinbase, DefCon

The contest had 438 registered users and 154 active participants both online and during Defcon 27’s Blockchain Village.


Offensive Security Certified Professional (OSCP)

2018
Offensive Security

An OSCP has demonstrated the ability to use persistence, creativity, and perceptiveness to identify vulnerabilities and execute organized attacks under tight time constraints. OSCP holders have also shown they can think outside the box while managing both time and resources.


Projects

KOK Token - The KOK Foundation is a company that aims to innovate the existing business model by integrating the global content industry with blockchain technology, under the mission of "Keystone of Opportunity and Knowledge." KOK aims to improve the distorted systems of the traditional digital media content industry and create a platform with more enjoyable, distinctive and powerful content, where the media industry can develop in both qualitative and quantitative terms.
Active Directory Objects Enumeration - Produces a colour HTML report containing domain information, a domain summary and data visualisations as pie charts and bar graphs.
Crypto Trading Signals Bot - Sends trading signals to users when conditions such as an abnormal change in volume, RSI/price divergence, or an MA10 x MA20 crossover are met.
Andump - Dumps data from the sandbox and external enclaves, and prints all sensitive data along with its file location.
VNStock - Calculates the intrinsic value of Vietnamese companies.
Windows Tier 0 Groups Monitoring - Monitors and health-checks the Windows Tier 0 groups.

CVE

Publications

My publications and personal security research

  • Protecting Windows Privileged Accounts, by Loc Phan (Offensive Security)
  • Security research blog, by Loc Phan (personal blog)