Tuesday, March 8, 2011

My experience at Null con

The recently concluded Null con seminar for hackers was my first experience and first ever hackers seminar I have attended. Before reaching there I had all sort of mixed thoughts in my mind. However, I was excited to meet all those loving and hating hacker friends on my Facebook and experience the vibes of their world.

I and my team entered the seminar hall and tried to locate any known face. And then, a thin, humble and cute guy named Murtuja noticing me came and shook hands with us. Since we were one of the sponsors of the event, I regularly interact with him online. Young guys all around and enthusiastic ambience made me feel that my visit was not worthless. One thing which kept my mind very busy was to understand the meaning of the event’s name Null con. Because if we go by dictionary, Null means illogical or worthless and CON meaning defraud, cheat etc… Thus, Null con would mean worthless defraud? This name was sulking me somewhere but finally I got the answer on their website…It said:

Long time ago the land of mortals was plagued with numerals. Men were grappling to get hold of the unknown, the void, the zilch. How does one quantify, measure something that doesn’t exist. The legend goes like this – A few good blokes meditating under a banyan tree further under the influence of some nourishing herbs, in a profound moment of awesomeness, it dawned on them to seek the eternal wisdom of ...nothing. And so was born what we call 0零nullnu . The rest, as they say, is history. Nullcon celebrates this quest for knowledge and desire to carry on this legacy. If you too share this passion for knowledge, if a core dump brings glimmer to your eyes, if you want to share your hack with others and you have an inquisitiveness to learn, then nullcon is the place for you. If meeting hackers/researchers/phreaks in a 2 days event packed conference and the sun-bathed beaches of the tropical paradise called Goa won’t get you off your bed, nothing ever will.

That’s true what they have said. The way they have explained is simple and appropriate. I must appreciate these young organizers Murtuja, Corrupt, Aseem Jakhad and few other chapters of nullcon for conducting such a well-organized seminar. Everything was taken care off; mind blowing arrangements outstanding choice of speakers was something worth watching. The dignitaries invited were quite high profiled people. Even though this was just their second seminar, it was really worth applauding…

I couldn’t attend many speakers on the first day of the seminar but whomever I attended, the best out of them was Hari Prasad. Having very good oratory skills and experience, his subject of speech was Security Analysis of India’s Electronic Voting Machines: Memoirs of a whistleblower. He was the one arrested and released. He was a very calm and down to earth speaker. Elections in India are conducted almost exclusively using electronic voting machines developed over the past two decades by a pair of government-owned companies. These devices, known in India as EVMs, have been praised for their simple design, ease of use, and reliability, but recently they have also been criticized following widespread reports of election irregularities. Despite this criticism, many details of the machines’ design have never been publicly disclosed, and they have not been subjected to a rigorous, independent security evaluation. In this paper, we present a security analysis of a real Indian EVM obtained from an anonymous source. We describe the machine’s design and operation in detail, and we evaluate its security in light of relevant election procedures. We conclude that in spite of the machines’ simplicity and minimal software trusted computing base, they are vulnerable to serious attacks that can alter election results and violate the secrecy of the ballot. We demonstrate two attacks, implemented using custom hardware, which could be carried out by dishonest election insiders or other criminals with only brief physical access to the machines. This case study carries important lessons for Indian elections and for electronic voting security more generally.

Unfortunately, I couldn’t attend Anurag Dhanda, Assaf Nativ , Sunil Kumar, Abhijeet Hatekar and Harsimran Walia’s speech but got very good feedback about their sessions.

Another pocket size power house was Rahul Sasi. Although he was lacking in communication skills and little shying by character, he was aggressively possessing command over his subject and had a composed personality. His presence made me remember the event of teacher’s day of my schooldays. Jokes apart… But, his command over Penetration Testing a Biometric System and the research work reveals the methodologies that could be aided in checking the security of a Finger Print Scanner, Remotely and Locally. The biometric system, almost all runs with a remote administration module in the MIPS, which would be connected to network via the same switch, Man in the Middle attacks is always possible and other attacks like: http://www.exploit-db.com/exploits/11822/ but the issue of identifying these devices as normal network scans would only detect these as a Linux System. So he had built an Nmap script which could spot such devices on the network. The script works on the basis of internal databases of [banner and services] used by Biometric Hardware vendors, current list populates most used devices [India only]. A video or if possible, a real scenario would be demonstrated. And usage of Nmap module was usp of his session.

I found him great because there were so many over rated speakers present for the event. These are considered to be demi gods and patriotic hackers of this country but when it came one to one in giving presentation, there were many flaws like poor communication skills and monotonous way of explaining. The feel was as good as attending some so called ethical hacking introductory seminars.

Saumil Shah, a witty, humorous and having very lively personality did his presentation in a very simple and sober manner. Simple expressions, good explanations and research were superb. It was quite a play way method of teaching and sharing. Even a noob like me could understand nicely. Attack techniques have undergone a paradigm shift. 2000 was the year of the “full frontal” attack, as he calls it, the first line of defence and the network perimeter. What I liked about this speaker was his easy go attitude, his interaction and communicative skills. His way of relating things and explaining made it for the audience to understand. His talk explores some innovative exploit delivery techniques arising out of broken standards, poor trust relationships and bloated desktop software. This talk ends with a discussion on exploit sophistication and the shape of things to come for 2011.

Yarochkin Fyodor, another sweetheart and a black hat hacker conveyed his message very smartly to whomever he wanted. His speech left me speechless…No bullshit on underground crime: traces, trends, attribution techniques and more. We’ve been analyzing underground crime scenes from eastern European block and China for past few years, on the top of it we’ve been working heavily on discovering malware outbreaks and other crime activities, His experience and findings were discussed brilliantly. In short he really took my heart away.

I must say Saumil, Hari Prasad and Fyodor were the show stoppers of the seminar.

long awaited but most disappointing presentation was of Alokji (NTRO). It was like the same old wine in new bottle. Same excuses, same narration and when it came to the time of interaction, he left his audience craving for digging graves of lapses in securities on GOVT front. As nullcon Dwitiya approached its end. Mr P.V. Kumar (Chairman, NTRO) the chief guest on the second day delivered his message in typical government officer’s style. Just as one of the formality but worth appreciating fact was he marked his presence there.

Whatever it is, I am glad that I could meet many people. Nullcon has really become a major security event in the Indian subcontinent. I am also sure they will attract the who's who in the security industry. The good bye session was little painful because second day was the day when everyone had started knowing each other better but ultimately that was last day of the seminar. I am sure that, there are many like me who left the venue eagerly waiting for another nullcon to happen with heavy heart and withdrawal symptoms...

One thing more which I would like to say is that there is no intention of mine to criticize or demoralise somebody. Whatever I said is completely based on my true thoughts and feelings as far without wrong motives or reasons.

keep it up guys…


  1. Very good overall coverage of the conference.... although i was not able to attend most of the presentation however the only presentations that i would love to attend out of all would be Fyodder's intelligent analysis (I earn by bread and butter through analysis ;)) and Rahul Sasi biometric coz that was some good stuff.

    rest all were either overview or too deep in technicallity....

  2. Hey mam thanks for giving a very good response, coz very few people will only come to you and explain where all u sucked. Other would only flatter. But these critics and visions would very well help me in rating myself and help myself improve.

    Thanks for your time and write up.