Kathmandu, November 25, 2018: Nepal’s first International Cyber Security Conference of Nepal, ‘Threat Con 2018‘ was concluded with success yesterday at Hotel Annapurna, Kathmandu.
The organization working on ICT sectors for ICT Development, Society for Information Communication Technology (SICT) Nepal and organization working on cybersecurity, Threatnix organized the Threat Con 2018 with support from an organization like Internet Society Nepal, NPNOG, NTA, NICT, CAN Federation, NPIX.
Over 332 people attended the conference from 9 different countries with total of 112 people participants in the workshop session which were completely sold out. According to the team, live bug bounty event was organized hackers were paid a total amount of 34,000 rupees for finding 13 different vulnerabilities across 3 different platforms.
With the aim of changing the traditional way of taking the issue of cybersecurity, the event is organized. On the very first day of Threat Con 2018, two workshops entitled Bug Bounty Workshop lead by Prateek Tiwari and Secure Coding Workshop lead by Jim Manico were conducted.
In bug bounty workshop, use of content security policy header for cross-site scripting and data injection to access the data of website, deface it and inject the malware were discussed during the first half session. He demonstrated the use of shodan.io and fofa.so; search engine intended for security researcher for easy bug hunting process.
He demonstrated how to use Burp Suite while looking for the bugs and used the software on the website of Nepal’s first digital payment service E-sewa and Zomato.com as a target for bug hunting. ‘As rewards from the company range from the acknowledgement, some goodies to cash money as a Bug Bounty we should focus onto what are our target and what is the application flow on the site before hunting bugs’, says Prateek Tiwari. He shared his experience on writing the effective bug report to gain some good bug bounty rewards
In another workshop of secure coding, Jim Manico started the session with SQL and other similar injections and how it can be easily used against you if you didn’t write a good piece of code as a programmer. The workshop wasn’t focused on particular programming language so he covered the topics and issues related to almost all popular programming languages such as Javascript, JAVA, PHP, Python, .NET. Good practice of configuring the database and restricting and managing the default permission of the server to avoid the SQL injection and HQL injection were discussed.
Digital Authentication Guidelines were discussed and told the participants to start coding always with the perspective of users keeping in mind, making the system friendly to users. Participants of the workshop were advised not to limit the password length, implement the modern policies for password management, use minimum password length to 8 (best if made 16+), match the password of user against the commonly used password and leaked password lists available online, do not enforce for security questions and always be prepared for force attacks for securing your application.
The workshop was then focused on using and advocating the SSL/ TLS Everywhere and Always after sharing an idea of several versions of protocols of SSL/ TLS. The security scanning of Nepal Airlines was done several times during the workshop and even shared he’s ready to fix the issue of the website for free if someone can connect him to the representative of an organization. Few free and open source tools like Let’s Encrypt, Mozilla SSL Configuration Generator, Qualys SSL Labs were used along with application and libraries like RetireNet, RetireJS, OWASP dependency check for checking the vulnerabilities on our system.
