Hackers have always been an integral part of the Internet, and there is a thin ethical line that divides the camp between the good and the bad guys. The Internet and its underlying infrastructure are essentially the common ground. For instance, Internet luminary Dr. Paul Vixie said in a keynote at the recent nullcon security conference that the DNS system is like a unifying field theory between the good guys and the bad.
"The bad guys need it just as much as the good guys, and in many ways the existing ecosystem has evolved in a way that makes crime easier," he said. Vixie's session on DNS security was one of the highlights at nullcon, where the key theme this year seemed to be the increasing importance and maturity of security research. The sixth edition of the event was held in Goa on Feb. 6 and 7 and saw participation from a good mix of Indian and international speakers.
nullcon is no longer just a security enthusiast's fix - the big boys are taking note.
The conference was kicked off by Janardhana Swamy, a former Member of Parliament from the state of Karnataka. Swamy said that building security into the software development process in India is a major change that the ecosystem needs to consider enforcing.
He believes the largely unstructured growth of IT infrastructure may be the primary reason that the systems in use are riddled with flaws. Analogous to the birth of the internet, India should use its current starting position with respect to the "Digital India" initiative as an advantage, he says, and build security into the massive digitization that it is planning.
Katie Moussouris, the founder of both Symantec and Microsoft's vulnerability research programs, delivered another interesting keynote. Some takeaways from this talk were the introduction to the existence of ISO standards for vulnerability handling and vulnerability disclosure - ISO 30111 and ISO 29147, respectively.
Moussouris believes that organizations need to have an accessible mechanism for researchers to report vulnerabilities. She stated, and the audience seemed to agree, that often a white hat researcher struggles with reporting vulnerability because of clunky or non-existent handling mechanisms. She also touched upon some of the legalities around vulnerability reporting and the Security Development Lifecycle, a key theme repeated in other sessions as well.
Sessions and Highlights
The focus this year remained on original and innovative research. A highlight of day one was the talk based on independent research by Rahul Sasi on his tool 'Maldrone', using which he demonstrated installing a backdoor on AR Linux-based drones to bring them down. Live demos are usually popular with the audience, and this was no exception - Sasi spoke to a packed hall.
The nullcon event is finally receiving good attention from corporate India and is characterized by a sense of maturity. With a dedicated CXO track comprising of panel discussions moderated by stalwart CISOs and industry thought leaders, the fact that it is now acceptable and relevant to attend a technical "hacker" conference says volumes about how serious the business is getting about better understanding the landscape.
Established corporate entities are looking to apply the expertise and insight on display here. So nullcon is no longer just a security enthusiast's fix - the big boys are taking note. Nothing says this better that the INR 500,000 prize for the "Defender's League" capture the flag competition held under the aegis of EMC2 - which would have been unheard of a few years ago.
The second day was more technical, with three tracks. Of particular interest were Michael Ossmann's talk on NSA tools for conducting over-the-air surveillance and Lavakumar Kuppan's startup IronWASP - an automated Web security scanner that won an innovation award from Lockheed Martin and the Government of India's department of Science and technology. Pranesh Prakash, Policy Director at Bengaluru-based Center for Internet and Society, tells me that the fact that quality software like IronWASP is Indian made is encouraging. "It shows that "Make in India" is working and that there is quality work being done here," he says.
While the gender skew in security communities is a fact of life, nullcon this year saw a good number of female participants. The organizers encouraged this in the form of a separate CTF event exclusively by women, for women called "winja." I have a feeling this may be representative of a trend of increasing involvement from women in the technical security trade.
Change in the Wind
The government participation this year was tangible. Take, for instance, the keynote by Dr. Keshav Dattatreya Nayak, the director general of microelectronic devices and computational systems at the Defense Research and Development Organization. While the talk remained broad as expected, DRDO's participation has not gone unnoticed - a big win for nullcon, in my opinion, to get the defense establishment overtly involved. This is a sign of the times and the changing importance of security and the technical community in India in the scheme of things.
There was a time when any participation from a representative of the government in such initiatives was a huge deal and lent a certain legitimacy to the proceedings and a change to the "hacking is bad" stereotype. This has changed quite a bit in the past three years, and one finds more participants from the government and military who are attending the specialized trainings for which nullcon is famous.
The nullcon trainings this year were successful by all accounts, taking place in the two days prior to the conference, covering niche topics from pen-testing smart-grids and SCADA to Android exploitation, malware reverse engineering and a new look at security audits using OSSTMM.
The biggest change in nullcon this year, for me, was the sea of new faces - fresh-faced students and grizzled veterans alike - who have come to be a part of "the next security thing." However, nullcon strives to remain true to its research-driven root, and the talks are deeply technical, with an emphasis on the new, the next - rather than the current.