Nullcon Goa which took place between 3rd and 4th march has successfully brought together Hackers, CXOs, Security researchers, other persons who are interested in Information Security to share their research and discuss critical issues faced in the field.
nullcon Goa 2017 Highlights:
Day 1:
"Increasing your impact on Facebook Bug Bounty" by Jack Whitton explained in detail some of the statistics of their Bug Bounty Program. They also explained the difference between a good bug report and a bad one.Also what does not constitute as a bug.They also pointed out areas of facebook that need more testing.
In his talk about Nearly generic fuzzing of XML-based formats Nicolas Gregoire talked on his new XML fuzzer and how it is works. He also talked about how it was used to find vulnerabilities in Firefox , Adobe and many other popular tools. He also briefly talked about the next levels of testing he is gonna do on SVG. You can follow him here:
Drone Hijacking and other IoT hacking with GNU Radio and SDR by Arthur Garipov was very informative as he explained from the basics and showed the talk attendees on how to get stated with your own SDR setup for hacking. He also demonstrated hacking of a wireless mouse and drone by using a SDR.
Barbarians at the Gate(way) by Dave Lewis he talked about the latest happenings on the Internet and mainly focused on DDOS attack trends over the past year.
Christopher Truncer released 3.0 version of Veil Framework at nullcon- a tool designed to generate metasploit payloads that bypass common anti-virus solutions.
Daniel Bohannon showed how to do obfuscation in Powershell commands and how to detect them.
Day 2:
The keynote by Karsten Nohl titled "When enough is enough: The limits of desirable security." was very intresting to listen to. He talked about the mistakes that the security community is doing and if we are all concentrated on the wrong things when some basic issues have not yet been fixed.
In the talk on "Case study of SS7/Sigtran assessment" Akib Sayyed talked about how his team tested the SS7 networks and the vulnerabilities that were found. He also released a tool called "safeseven" that can be used to test SS7 networks.
Timur Yunusov gave a talk on ATM Security and different logical attacks that can be done against them. He explained how to bypass kiosk screens,boot into safemode's,use hardware attacks and much more.
Ajin Abraham talked on his latest project "Injecting Security into Web apps with Runtime Patching and Context Learning" .He talked about a new concept called RASP and explained its difference from a WAF.He also gave a live demo of the RASP he developed and how it blockes XSS,SQLI and RCE. He also talked about future ideas that he is going to implement to his tool.
Snippets from nullcon:
* "Cyber security in India is growing rapidly." Josh Armour, Security Program Manager at Google says. "We are happy to be present at the nullcon conference"
* Asif Baig, a Bug hunter who found security bugs in major companies and have been listed in many Hall of fames.
* Yogendra Jaiswal, DIMT Raipur student, in interview with EHN told that he found Cross Site Scripting vulnerability in Linkedin and have participated in Bugcrowd's private hunt. He also said he found 2-Step authentication bypass in wordpress.com
* Sushmil, from tesseract - a startup company, said they are developing a "Cyber Threat Intelligence" product that gathers information from multiple sources and helps client to prevent cyber attacks.
* Vishwaraj Bhattari said he found bugs in top companies including Google, Facebook, twitter.
Presentation Slides:
- Invoke-Obfuscation nullcon 2017
- Injecting Security into vulnerable web apps at Runtime
- AntiVirus Evasion Reconstructed - Veil 3.0
- Tale of training a Web Terminator!
- HYPERVISORS IN YOUR TOOLBOX
- Blockchain and security: bank and insurance applications