Inside nullcon Security Event
Founder Shares Vision; Previews Annual Hacking Conference
Even as India grapples with issues in capacity building and training in information security, for the past six years there has been a community-driven effort to educate, train and indeed conduct new research into uncharted new areas of information security - all home-grown in India. Enter nullcon, a highly technical hacking conference that takes place each year in Goa.
"With nullcon we tried to incubate a knowledge-driven, community-centric model rather than the certification-driven ecosystem that has been thriving in India," says Aseem Jakhar, co-founder of the event. "The emphasis is on new and innovative research and training."
There is a need for training on current and evolving security trends which has not been addressed in India, he says. Before the advent of nullcon, getting niche and specialized training in security topics was difficult.
As the conference kicks off this year, Jakhar speaks to Information Security Media Group about India's largest and most popular security event.
The conference spans four days, two for training, followed by two days of talks on Feb 6 and 7 at the Bogmalo beach resort in Goa. A major highlight this year is the addition of a CXO track to foster connections between CXOs and business over the technical side of security. nullcon is known for its capture the flag exercises, and this year EMC is conducting the CTF at nullcon, Jakhar says.
Jakhar is Director of Research at Payatu Technologies and is a renowned security researcher. Besides founding nullcon, he is well known as a regular speaker/trainer at international security conferences including Blackhat, Defcon, Brucon, Hack in Paris, AusCERT, PHDays, Hack.lu and others. He has also authored several open source security tools.
Evolution of nullcon
Varun Haran: Aseem, can you share with me how nullcon as a security conference has evolved over the years? How has it differentiated itself from other similar efforts in India?
Aseem Jakhar: This is the sixth year for nullcon. We started in 2010. The idea behind the conference was to bring security researchers together and give them a platform where they could showcase and share their ideas. This was at a time when there wasn't any such research-oriented platform in India. nullcon is closely affiliated to the null community, which I co-founded many years back as a non-profit organization. The success the community saw and the way it grew was a driving motivation to establish a platform like nullcon.
nullcon's vision is to focus on new security research. In keeping with its motto, 'the next security thing', we are not interested in what has already happened and what the current issues are to any great extent. We are interested in what the future of information security looks like - what are the next generation of attacks that are going to happen? We want to promote a knowledge-based security ecosystem, rather than a credential-based one, by providing a platform for local researchers to showcase innovative research and solutions that can have practical application.
Over the years, we have seen a significant increase in participation from the technical community in terms of new research being done within the country. In the last couple of years, we have begun to see significant C-level executives attending this conference as well. This year we have a dedicated CXO track for the top management.
The entire conference is CFP driven and sees international participation as well, and we are expecting over 600 footfalls this year - the first nullcon had about 120 attendees. We are now planning to start a conference focused on hardware security in Europe because we feel that is an area of security that is underrepresented.
Not Just a Hacking Event
Haran: You have succeeded in providing a platform for the security researcher of every persuasion in India. How in your view has the Indian InfoSec community benefited?
Jakhar: We look at the impact nullcon as a platform has made and the drastic changes that the research presented here has made to the way security is perceived by the Indian security community. The cutting-edge research presented here not only serves to sensitize and change perceptions in India, but also helps the industry globally. There is a lot of responsible disclosure that is being done highlighting flaws in global software products. This has helped a lot of companies mitigate issues in their infrastructure.
The biggest challenge along the way was nullcon's perception as a hacker conference - which it is in the true sense. However, 'hacking' in popular perception was something only bad guys did, and this has been something we have had to fight every step of the way. That is not what we were about at all. We did not want to get together to discuss cybercrime.
Instead, nullcon became a venue to focus on research aspects of security and creating awareness. We said, here is the problem, here's what you can do to fix it. We were talking about a more proactive approach to security. We are now slowly seeing acceptance and people are starting to realize the importance of the platform.
Haran: What are some of the highlights this year?
Jakhar: nullcon has an action-packed agenda this year. nullcon's CTF has always been popular with attendees. This year we are having two CTFs - one on each day of the conference. The first CTF is powered by EMC and is for a prize of 500,000 INR. The second is more unique; it's a CTF by women for women called Winja that will take place on the 7th. Among several interesting talks lined up, one I can talk about is Rahul Sasi speaking about 'Maldrone' - a toolkit he has developed for hacking drones.
Michael Ossmann, the hardware hacker, is going to do a session on some interesting tools used by the NSA for over-the-air surveillance. I have already mentioned the CXO track, which is different from the technical talks that are the staple at nullcon. We are seeing students who have just passed out coming up with new and innovative research that we are excited about. The conference this year promises to be very interesting.
Benefits to Businesses
Haran: How would you translate the benefits of a platform like nullcon to the business and management communities? What are some of the challenges that technical conferences like nullcon can help them address?
Jakhar: Awareness around cybersecurity is on the rise in the industry. Most companies in India are still of the mindset that nobody wants to hack them. But a large number of the bigger players are getting smarter, and changes are happening in the landscape. Earlier, we had to convince them on how the platform could help them in understanding security and secure themselves better; today we see a trend where people who have attended nullcon trainings have gone back and spoken to others in their organization and are spreading the word.
nullcon trainings have been very popular from the start. These are specialized, niche trainings on various technical topics that have grown in popularity among attendees over the years. nullcon has also become popular for activities like capture the flag and hackathons, and, similar to the evolution in the maturity of the research on display here, we have seen an increase in the skill-set of the people who participate in these challenges. Though we started with simple ones, today these challenges have become fairly complex.
Meeting India's Staffing Needs
Haran: As the founder of a platform that is well known for its level of technical expertise and the high quality of the trainings provided, what is your take on how India can overcome its manpower deficit in cybersecurity?
Jakhar: I think it is the right kind of technical expertise that is needed. There are a lot of educational institutions that are putting up cybersecurity courses, but these are limited in scope and are not able to keep up with the rapidly evolving security landscape, becoming quickly out of date. I think the scope needs to be broadened and there is a need to continually update these courses. Education is something I see as requiring a refresh to address this issue.
Security education needs to be more hands-on. Rather than focusing on silos, the concept of built-in security at the software development needs to catch on. nullcon is involved in advising universities and other course providers on their syllabus and focus areas. The academia can also leverage these platforms to network with the community to round out their curricula.
Haran: nullcon has seen a deep level engagement with the community from the very start. As you scale up, how do you see this dynamic evolving?
Jakhar: The focus of nullcon will remain the community. We are going to stick to this format, which benefits everyone, not just the corporates. The CXO track is the only major change that has happened recently. I see this as a great opportunity for CXOs to interact with the security researchers and better understand the evolving threat landscape. We plan to keep the entire effort more forward looking rather than discussing current issues.