NullCon Delhi 2012
Though a little late, India is surely and steadily accelerating in pitching cyber security as a key agenda item and promoting cyber awareness among the younger generation. Mind it, we are on the cusp of witnessing something remarkable under the leadership of people like Raghu Raman, Alok Vijayant and Janardhan Swamy. More importantly, we are indebted to the efforts of the great Nullcon (n|u) team for bringing such a platform right into the political and demographic capital of India, Delhi. This decision was much awaited and, in my opinion, should be carried forward as well. From the beaches of Goa, which symbolize an engineer's chill-out place, to the political hub of Delhi, we have to make sure we get the right ears to raise our voice.
Even though I have been a part of some n|u meets, this was the first time I got the chance to attend the conference as well. And believe me, it is one I will continue to be a part of from this very day. Enough said; now let me take you through my experience. The n|u conference started bang on time, which is strange given our standard democratic IST (Indian Standard Time of the people) treatment and traffic. Kudos to the team, who maintained a strict schedule right from the kick-off talks and tea breaks to the very delicious lunch sessions. The best part of being part of the conference was networking with so many people and connecting faces with their Twitter handles and email addresses! The conference was a 2-day event and had speakers judiciously picked from technical and government profiles. There was a balance between the young creative voice and the old governance ears. Complementing the esteemed list of speakers, the other key attraction was the exhibition stalls and booths.
I could meet people and check out the products/solutions from Innobuzz, Secfence, Search-Lab and others, all under one roof. The last conferences I attended were BlackHat and Defcon, and believe me, this conference had every good reason to shine equally with them. This is possible due to the great commitment from the team, which is very commendable in the context of cyber security awareness in India. The enthusiasm among speakers and attendees was no less, and the 2 parallel tracks made it a juggle as well.
Day 1, 28th September 2012
The day started early with registrations kicking off at 8:30 in the morning. People started pouring in at the registration desks with their details, and walking off to see familiar faces with their guest badges! Everyone was curious to attend the keynote by Raghu Raman, CEO, NATGRID. His topic was "The Battle of the Minds", which was a planned tactic to play with the minds of the attendees (in a positive sense), trick our perception, and sow the seed of open-ended questions. Following him, there was a well-deserved tea break, which I utilized to walk around the exhibition and meet a few friends: Nitin, Vipin, Rohit and Ajit. There were a couple more talks before we broke for a delicious lunch. I was actually waiting for the ZScaler talk on "automating behavioral analysis for mobile apps" by Michael Sutton and Pradeep Kulkarni. They introduced the cloud-based ZAP (ZScaler Application Profiler), to which Anant immediately tweeted "why the name ZAP?", meaning why the same name as the OWASP ZAP proxy. Nevertheless, the tool was amazing. It is capable of fingerprinting mobile applications with support from the community. I enjoyed the talk to the fullest, and the maturity in handling the security of mobile apps across the Apple App Store and Google Play store.
Following the amazing momentum of technical expertise, the baton was carried further by Lava Kumar on IronWASP. Hats off to this guy for the fantabulous tool and documentation. Applause. To take his tool to the next level of contribution from our community, he introduced a few key features: plugin support, Python and Ruby scripting with an IDE, and easy GUI development (hurray!). After his well-appreciated talk, I went straight to "Forensic Timeline Analysis" by Ashish Kunte. This guy is someone who can put flesh on skeletons of data. A nice speaker, with different case studies to prove the point that forensics is an important part of cyber security and post-incident research. I personally liked all the examples and case studies he quoted to prove his point. With that, day 1 was approaching a formal closure. We had a tea break to network, followed by a Security Conclave with esteemed delegates from different streams of cyber security: implementation, research and governance. There was also a surprise talk by Shri Janardhan Swamy. Frankly speaking, I didn't know about him and had no expectations before his talk, but boy! He was remarkable with his comments and his approach towards building a better India. He had been an engineer himself, had spent a lot of time in Silicon Valley, US, and later entered politics to prove his innovative point there as well. His thoughts on education and growth were immensely appreciated. It feels good that we still have such ministers in our government. Day 1 finally anchored its pace, and the ship entered the cocktail party for the delegates and guests, with a preview of the upcoming movie, Reboot. All in all, a day well spent, a lot to learn, and good to see some known names and faces of the security industry.
Day 2, 29th September 2012
Day 2 was a fresh day, but it carried our continued expectations from the conference as well as from the community. As expected, there were a lot of brainstorming sessions right at the start. To begin with, we had Alok Vijayant speaking on the government's take on cyber security and our proactive and reactive approaches to tackling it. He gave us a glance at some statistics, decisions, and offensive security. He answered, as well as dodged, some questions very well, and with full commitment towards building a better security force, he went right through our imaginations. Following him, it was the turn of Ravi Borgaonkar on the dirty use of USSD codes. His talk highlighted how some USSD codes can reset your phone. Then the discussion shifted to GSM and telecom operators. Someone also mentioned that the government has mandated the use of plain text in GSM communications, and that the use of A2/A5 encryption is optional. Service providers refrain from using it as it results in a second of delay, which is sometimes an issue in holding the customer base. This is a judgement call: either highlight "faster connectivity" to customers, or accept a "2 second" delay due to encryption for good security (which has never been hacked and exposed in the mainstream). Parallel to this discussion, Rahul Sasi was talking about DTMF fuzzing: how the tones can be used in a dirty way to make the application speak out its errors to you, or even crash! After an hour of me playing ping-pong between these 2 parallel talks, it was time to refuel my appetite and excited mind. At the lunch hour there were mouth-watering dishes waiting for us, as well as the exhibitors with their great products and solutions.
Post lunch, there were some interesting talks behind the curtains, waiting for their legit audience. The first one was on "reverse engineering the fraudster brain" by Neyolov Evgeny. The presentation was what I could understand more than what he actually wanted me to. He had a Russian accent and an anchor's style of delivering the talk. People couldn't understand him well, because he restricted his hand movement by digging in his pockets. Nevertheless, the topic was interesting and I could gather what he wanted us to know. After the fraudster's understanding of games and money laundering, we were driven back to the technical fronts of web application security by Ahamed Nafeez. His topic was "how to catch an XSS before someone exploits/reports it". The talk was great, and he explained the different forms of protection, client-based and server-based. It was thrilling to understand both frontiers and see how the long-lived XSS can still beat the sh*t out of any website. The complexities are increasing, and with WAFs and htmlentities() it is getting difficult, but still possible, to perform an XSS. The challenges are never ending, and the tug of war between the breakers and makers will continue in the virtual world. Parallel to this web application security talk, a humble guy, Prasanna, introduced us to IronSAP, a module for IronWASP. He developed the module to enable consultants to perform pen-tests on the web component of SAP (more to come in further versions). With him taking the stage and announcing the tool, there was another guy waiting for his turn. He was there to release a 0-day in LinkedIn. Jovin Lobo, a consultant, released a click-jacking vulnerability in LinkedIn: the "remove-connections" page can be leveraged by a malicious user to perform a click-jacking attack.
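A click-jacking bug of the kind described above exists because a sensitive page can be loaded inside a frame on an attacker's site; the defence is to tell browsers the page must not be framed. The script below is an added example (not from the talk, LinkedIn or IronWASP) that audits response headers for that protection and shows the hardened header set. The sample responses are constructed for illustration, and the page names are placeholders.

```python
"""Audit HTTP response headers for framing (click-jacking) protection.

Added example: the sample responses below are constructed, not captured
from any real site. Modern browsers honour the CSP frame-ancestors
directive and fall back to X-Frame-Options; ALLOW-FROM was never widely
supported and should not be relied on.
"""
from typing import Dict

# Constructed sample responses, keyed by a descriptive page label.
SAMPLE_RESPONSES: Dict[str, Dict[str, str]] = {
    "connections page (no framing headers)": {
        "Content-Type": "text/html",
    },
    "legacy header only": {
        "Content-Type": "text/html",
        "X-Frame-Options": "SAMEORIGIN",
    },
    "csp plus legacy header": {
        "Content-Type": "text/html",
        "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
        "X-Frame-Options": "DENY",
    },
    "deprecated allow-from": {
        "Content-Type": "text/html",
        "X-Frame-Options": "ALLOW-FROM https://partner.example",
    },
}


def framing_protection(headers: Dict[str, str]) -> str:
    """Classify a response's framing protection.

    Returns 'csp'  if a CSP frame-ancestors directive is present,
            'xfo'  if X-Frame-Options is DENY or SAMEORIGIN,
            'weak' if only the unsupported ALLOW-FROM form is used,
            'none' otherwise (the page can be framed by any origin).
    """
    # Header names are case-insensitive, so normalise before lookup.
    lowered = {name.lower(): value for name, value in headers.items()}

    csp = lowered.get("content-security-policy", "")
    for directive in csp.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return "csp"

    xfo = lowered.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return "xfo"
    if xfo.startswith("ALLOW-FROM"):
        return "weak"
    return "none"


def audit(responses: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Run framing_protection over every sample and return label -> verdict."""
    return {label: framing_protection(hdrs) for label, hdrs in responses.items()}


def hardened_headers() -> Dict[str, str]:
    """Header set a defender adds to a page that must never be framed:
    CSP for current browsers, X-Frame-Options for older ones."""
    return {
        "Content-Security-Policy": "frame-ancestors 'none'",
        "X-Frame-Options": "DENY",
    }


if __name__ == "__main__":
    for label, verdict in audit(SAMPLE_RESPONSES).items():
        print(f"{label:40} -> {verdict}")
    print("hardened set ->", framing_protection(hardened_headers()))
```

A page that comes back as `none` or `weak` is the one to fix first; pages that perform state-changing actions on a single click (such as removing a connection) are the most exposed, which is why the hardened set uses `'none'` rather than `'self'` unless the page genuinely needs to be framed by its own origin.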
Now the time had come to bid well-deserved gratitude to the n|u team, and adieu to our friends and speakers. There was an executive briefing at the end, wherein every speaker was given 5 minutes to summarize their topic and take questions from the audience. This was very important, as many of us missed good talks in choosing between Track 1 and Track 2. But the executive summary brought joy to our faces, and contentment that it was the best 2 days, well spent with like-minded people, right minds, intelligent discussions, and new opportunities!
Post Conference Highlights
After a tiring day of topics and talks, I got a pleasant surprise to see many faces I had known only via social networks. Beyond the n|u team, I met a very active name in security reporting, Varun Haran from Search Security India. It was time to chill out, so some of us headed straight off for some drinks and chit-chat. A perfect high-spirited ending to a great day!
Looking forward to more such networks and conferences. See you soon at n|u con, Goa, 2013. Till then, take care and happy hacking. Cheers!
PS: One of the major attractions of the conference was the beautiful girls at the hotel and exhibition booths, and it was good to see them explaining security terms. I believe it's a hidden but obvious fantasy that every hacker has. Isn't it?