Thursday 22nd March

Time Track 1 (Room A) Track 2 (Room C)
9h00 – 9h50 Take or Buy
Michael Hausding
10h00 – 10h30 Coffee break
10h30 – 11h30 Secure your assets against malicious internal users through tiered access
Joel Leo
Abusing Android In-app Billing feature
Jérémy Matos
11h30 – 12h30 How to adapt the SDLC for DevSecOps
Zane Lackey
GLibC Malloc for Exploiters – Leak It, Write It, Become a Wizard
Yannay Livneh
12h30 – 13h30 LUNCH
13h30 – 14h30 SAP Incident Response, real life examples on how to attack and defend
Jordan Santarsieri
Reducing the Cyber Exposure Gap from Cloud to Containers
Thomas Cueni, Tenable
14h30 – 15h30 Microarchitectural Attacks and the Case of Meltdown and Spectre
Daniel Gruss

Capturing flags with avatar²
15h30 – 16h00 Coffee break Boss Of The SOC
Room B
Exploit Room
Info onsite
Coffee break
16h00 – 17h00 Security by Design: Reality vs Expectations
Julien Patriarca, Wallix
Unmasking stealth operations using UBA super powers
Snir Ben-Shimol, Varonis
17h00 – 19h00

Friday 23rd March

Time Track 1 (Room A) Track 2 (Room C)
9h00 – 10h00 Quantum Cyber Blockchain IoT
JP Aumasson
Threats of Tomorrow: Using Artificial Intelligence to Predict Malicious Infrastructure Activity
Staffan Truvé
10h00 – 10h20 Coffee break
10h20 – 11h20 Unboxing your virtualBox
Niklas Baumstark
5G Machine Learning
Craig Gibson, Trend Micro
11h20 – 12h20 A Brief History of CTF
Jordan Wiens
Hijacking the Boot Process – Ransomware Style
Raul Alvarez, Fortinet
12h20 – 13h20 LUNCH
13h20 – 14h20 DPAPI and DPAPI-NG: Decrypting All Users’ Secrets and PFX Passwords
Paula Januszkewicz
Battle of the Smarts: Hacking Smartphones with Bluetooth Smart
Tal Melamed
14h20 – 15h20 A walk with Shannon: A walkthrough of a pwn2own baseband exploit
Amat Cama
How to build Least privilege security architecture for virtualization and cloud environments
Ghaleb Zekri, VMware
15h20 – 15h40 Coffee break
15h40 – 16h40 Ph0wn smart devices CTF: Behind the Scenes
Axelle Apvrille & Philippe Paget
Attacking .NET deserialization
Alvaro Muñoz
16h40 – 17h40 Email SPFoofing: modern email security features and how to break them
Roberto Clapis
Maximize the power of hex-rays decompiler
Igor Kirillov
18h00 – 2h00 CTF Contest
Room B
Exploit Room
Info onsite
2h00 – 4h00



Title: Take or Buy : Internet criminals domain names needs and what registries can do against it.

Speaker: Michael Hausding

Michael Hausding is the Competence Lead DNS & Domain Abuse for SWITCH, the ccTLD registry for .ch and .li. His main job is to prevent internet crime on and with .ch & .li domains.
He has been an incident handler for more than 20 year and a member of SWITCH-CERT. Michael holds a Master in computer science from the University of Darmstadt, a MAS in management, technology and economics from ETH Zürich and is a student of contemporary diplomacy and internet governance at the University of Malta. He is a board member of the ISOC Switzerland chapter and the Swiss Internet Security Alliance. If he is not online, he is a incident response trainer for FIRST, the Forum of Incident Response and Security Teams, a tour guide for the Swiss Alpine Club or on a bicycle.


As everyone who wants to run a business on the internet, criminals need domain names to operate their infrastructure.
But unlike everyone they have two possibilities: They can take already registered domain names by compromising the DNS or other services, or they can simply register domain names. This talk will give an overview of the criminal use of domain names and how a registry operator can help to prevent internet crime and protect internet users from online fraud.

Title: DPAPI and DPAPI-NG: Decrypting All Users’ Secrets and PFX Passwords

Speaker: Paula Januszkewicz

Paula Januszkiewicz (@paulacqure) is a CEO and Founder of CQURE Inc. and CQURE Academy. She is also Enterprise Security MVP and a world class cybersecurity expert, consulting Customers all around the world. She has her heart and soul in the company, having deep belief that positive thinking is the key to success. Her quality-driven approach, extreme attention to details and conference speaking publicity have brought CQURE, at its early stage, to the never-ending world of hacks, forensics, data theft and other security challenges. Paula established CQURE in 2007 and since then she has continued to build the team’s professional image and cybersecurity skills, currently owning and managing CQURE departments in New York (US), Dubai (UAE) and Zug (Switzerland), additionally to headquarters in Warsaw (Poland). Since 2007 of CQURE Team’s exceptional quality and unique cybersecurity knowledge, experience and skills is in high demand on enterprise market.
Paula has 14 years of experience in the cybersecurity field, performing penetration tests, architecture consulting, trainings and seminars. She has performed hundreds of security projects, including those for governmental organizations and big enterprises, at the same time being a top speaker and a keynote speaker at many well-known conferences, including Microsoft Ignite (rated No 1 Speaker among 1100 speakers and 26000 attendees), RSA (in 2017 in San Francisco her session was one of the 5 hottest sessions), Black Hat, TechEd North America, TechEd Europe, TechEd Middle East, CyberCrime etc., where she is often rated as No 1 speaker. Her presentations gather thousands of people. Paula also creates security awareness programs for various organizations, including awareness sessions for top management (telecoms, banks, government etc.). She is passionate about sharing her knowledge with others. In private, she enjoys working with her research team, converting the results of her findings to authored leading-edge trainings and tools used in practice in projects. She wrote a book about Threat Management Gateway and she’s currently working on the next one… so stay tuned for more. She has access to a source code of Windows, an honor granted to just few people around the world! Paula is a type that suffers, when doing nothing – every year she takes over 215 flights to provide security services to international organizations and enterprises. You can always expect some thoughtful ideas and interesting arguments!


CQURE Team takes DPAPI (Data Protection API) and DPAPI-NG research to the completely next level! During this session you will hear about 2 great discoveries we made, first is about how to decrypt DPAPI protected data by leveraging usage of the private key stored as a LSA Secret on a domain controller (we have called it a ‘backup key’ and it is a key corresponding to the backup public key stored in the domain user’s profile). The backup key allows decrypting literally all of the domain user’s secrets (passwords / private keys / information stored by the browser). In other words, someone having the backup key is able to take over all of the identities and their secrets in the whole enterprise. It is crucial to know how this is happening! Another variant of DPAPI is DPAPI-NG used in the SID-protected PFX files and when in the previous discovery CQURE Team is able to get access to user’s secrets, here it is a bit different! Come to the session and see our second discovery about how to decrypt SID-protected PFX files even without access to user’s password but just by generating the SID and user’s token! Paula Januszkiewicz, CEO and security researcher, will present the unique team’s findings of how to get access to users’ secrets by possessing the backup key from the domain and how to decrypt the PFX files passwords. Both demonstrations are key DPAPI breakthrough that can also cause serious implications if not managed well. Tools included. Our research affects Windows 8, Windows 8.1, Windows 10 and related Windows Server.

Title: Microarchitectural Attacks and the Case of Meltdown and Spectre

Speaker: Daniel Gruss

Daniel Gruss (@lavados) is a PostDoc at Graz University of Technology. He finished his PhD with distinction in less than 3 years. He has been involved in teaching operating system undergraduate courses since 2010. Daniel’s research focuses on software-based side-channel attacks that exploit timing differences in hardware and operating systems. He implemented the first remote fault attack running in a website, known as Rowhammer.js. He spoke at top international venues, including Black Hat USA 2016, Usenix Security 2015 & 2016, ACM CCS 2016, the Chaos Communication Congress 2015, and many more. His research team was one of the four teams that found the Meltdown and Spectre bugs published in early 2018.


When asked how to crack a safe open, most people will have a picture in mind, where a thief uses a stethoscope to listen to the inadvertent clicking noises of the lock. Despite usually not being clicking noises, the security of modern computers suffers similar problems. Adversaries can use inadvertent side effects of caching to crack our digital safes open. We will discuss memory timing and cache attacks. After building a first cache attack we will directly continue with Meltdown and Spectre.

The talk will provide a detailed explanation of how these attacks fundamentally work. We will discuss countermeasures and which consequences arise from this recent development.

Title: Unboxing your VirtualBoxes: A close look at a desktop hypervisor

Speaker: Niklas Baumstark

Niklas Baumstark (@_niklasb) is an independent security researcher with an interest in reverse engineering and exploitation. He successfully attacked Safari with a privilege escalation to root at Pwn2Own 2017 together with Samuel Groß. Besides breaking real software, he loves playing and organizing CTF events, and sometimes even finds time to work towards his Master’s degree in CS.


Desktop virtualization solutions like Oracle VirtualBox are extremely useful for software development, kernel debugging and security research. They are also often used to isolate potentially malicious or vulnerable code, and thus present interesting targets for exploitation. In VirtualBox, beside the obvious guest-to-host interfaces, there are multiple interesting privilege boundaries to explore, such as the guest additions kernel module and an anti-code injection mechanism for the host hypervisor process.

This talk gives an overview of the VirtualBox architecture and exposes several design and memory corruption issues in different components which were fixed in January 2018, leading to privilege escalations on the guest, the host, as well as from guest to host. I will demonstrate and discuss the exploitation of a privilege escalation chain for macOS hosts, as well as a full VM breakout to SYSTEM on Windows 10.

Title: A Brief History of CTF

Speaker: Jordan Wiens aka Psifertex

Jordan Wiens (@psifertex) has worked for a university, a government contractor, several print and online magazines, a telephone tech-support outsourcer, and now himself (not necessarily in that order) where he and some friends are building a reverse engineering tool called Binary Ninja. He likes Reverse Engineering, Exploitation (landing is more fun than finding!), CTFs, and living near–but not walking on–the beach.


In the last two decades, Capture the Flag (CTF) competitions have grown from a few tiny informal gatherings to a massive collection of annual events. From local events at high schools to huge government-sponsored affairs, we are starting to amass some valuable lessons. Psifertex, a self-proclaimed CTF A(nthro)?pologist, has been around for many of those lessons. From dirty tricks to amazing challenges, real world impact to broader trends, join Psifertex for a whirlwind tour of the history of CTFs and a few predictions about the community’s future.

Title: Quantum Cyber Blockchain IoT

Speaker: JP Aumasson

Jean-Philippe (JP) Aumasson is Principal Research Engineer at Kudelski Security, in Switzerland. He designed the popular cryptographic functions BLAKE2 and SipHash, and has performed security assessments for many cryptography and blockchain applications. He has spoken at Black Hat, DEFCON, RSA, CCC, SyScan, Troopers. He initiated the Crypto Coding Standard and the Password Hashing Competition projects, and wrote the 2017 book “Serious Cryptography” published by No Starch Press. JP tweets as @veorq.


JP will show attacks on blockchains and their crypto, then he’ll discuss quantum FUD and theoretical quantum attacks (on blockchains). Also, IoT.

Title: A walk with Shannon – A walkthrough of a pwn2own baseband exploit.

Speaker: Amat Cama

Amat (@amatcama) is an independent security researcher based in Senegal. He has previously worked as a Penetration Tester at Virtual Security Research, a Research Assistant at the University of California, Santa Barbara Seclab, a Product Security Engineer at Qualcomm and a Senior Security Research at Beijing Chaitin Technology Co.. In 2016 he won a hall of fame prize at Geekpwn Shanghai for his demo of a remote exploit against the Valve Source Engine. In 2017, he successfully demonstrated a baseband exploit against the Samsung Galaxy S8 at Mobile Pwn2Own in Tokyo as an individual contestant. He is also an avid CTF player.


Mobile devices have become quite complicated in the past 10 years. Today they feature a number of embedded chips which are tasked with handling things such as Wifi, Bluetooth and cellular communications. These chips run firmware with which a malicious third party can interact over the air but unfortunately have not had too enough scrutiny from the security community. This talk will focus on the Samsung Shannon Baseband and how it was successfully exploited at Mobile Pwn2Own 2017.
First, we will give an overview of cellular technologies (GSM, 3G, 4G) from a security standpoint. Then we will delve into the internals of the Shannon Baseband and show how to identify vulnerabilities that are exploitable over the air. Finally we will show how to exploit one of these vulnerabilities.

Title: Attacking .NET deserialization

Speaker: Alvaro Muñoz

Alvaro Muñoz (@pwntester) works as Principal Software Security Researcher with Microfocus Fortify. In this role, Muñoz can apply his passion for understanding software architecture and how security dependencies permeate systems. Before joining the research team, he worked as an Application Security Consultant helping enterprises to deploy their application security programs. Muñoz has been a speaker at Security conferences such as Defcon, BlackHat, RSA, OWASP AppSecEU, HPE Protect and many others and holds several infosec certifications, including OSCP, GWAPT and CISSP. He is a proud member of int3pids CTF team and blogs at


2016 was the year of Java deserialization apocalypse. Although Java Deserialization attacks were known for years, the publication of the Apache Commons Collection Remote Code Execution gadget (RCE from now on) finally brought this forgotten vulnerability to the spotlight and motivated the community to start finding and fixing these issues. .NET is next in line; formatters such as BinaryFormatter and NetDataContractSerializer are known to share similar mechanics which make them potentially vulnerable to similar RCE attacks. However, as we saw with Java before, the lack of RCE gadgets led some software vendors to not take this issue seriously. In this talk, we will analyze .NET serializers including third party JSON parsers for potential RCE vectors. We will provide real-world examples of vulnerable code and more importantly, we will review how these vulnerabilities were detected and fixed in each case.

Title: Secure your assets against malicious internal users through tiered access

Speaker: Joel Leo

Starting at Digital Island in 1998 with a fresh MCSE in Windows NT 4, I have earned experience across a number of platforms and technologies with many jumbles of letters after my name to go along with them. I’m a Principal Systems Engineer and the Active Directory Architect for Gap, Inc. and a consultant for several other organizations, focusing primarily on Active Directory. When I’m not validating replication consistency, you can usually find me hitting the waves at home in Hawaii or hotdropping targets in Eve Online.


You’ve heard the recommendation: “secure your environment with the magic of tiered access!” Like time, alchemy & marriage, it’s not that simple. In this talk, I’ll break down the recommendations and cover some of the pitfalls so you don’t end up on the boulevard of broken tiers.

Title:Hijacking the Boot Process – Ransomware Style

Speaker: Raul Alvarez, Fortinet

Raul is a Senior Security Researcher/Team Lead at Fortinet. He is a Lead Trainer responsible for training the junior AV/IPS analysts in malware analysis and reverse engineering.

He has presented in different conferences like BSidesVancouver, BSidesCapeBreton, OAS-First, BSidesOttawa, SecTor, DefCamp, BCAware, AtlSecCon, BSidesCalgary, TakeDownCon, MISABC, InsomniHack, ShowMeCon, CircleCityCon, and HackInParis.

He is a regular contributor to the Fortinet blog and to the Virus Bulletin publication, where he has published 22 articles.


Have you ever wondered how a boot process works? How a computer detects which operating system it needs to load? Or what is the impact if that single sector in your harddisk is compromised?

In this presentation, we are going to look into how Petya, a ransomware, can overwrite an MBR (Master Boot Record), both in MBR- and GPT-style disk, with its malicious code. Then, we are going to follow the code in the MBR and show how a simple malicious kernel code can take control of the boot process until you pay the ransom. I will show a demo on how to debug the MBR to see how the actual native code executes without any API.

We are also going to see how we can use a combination of different tools to figure out how a ransomware can infect the very first sector of a harddisk. Tools, such as, Disk Management, DISKPART, WinObj, Process Monitor, and HDHacker. And of course, x64dbg and ollydbg for debugging the ransomware in application-level. And finally, we are going to see how to use Bochs debugger to analyze the malware while it runs its own kernel code.

Title: Ph0wn smart devices CTF: Behind the Scenes

Speakers: Axelle Apvrille & Philippe Paget

Axelle Apvrille is a happy senior researcher at Fortinet, where she hunts down any strange virus on so-called ‘smart’ devices. Known in the community by her more or less mysterious handle “Crypto Girl” or “Cryptax”, she turns red each time someone mentions using MD5 (or CRC…) for hashing. She is the lead organizer of Ph0wn, a CTF dedicated to smart devices.

Phil is a computer freak escaped from the 90’s GOT (Good Old Time) and gets fun playing with software protection or hardware security. He belonged to several Atari ST’s bands with the role of 0dayz games cracker. Anonymous co-writer of a paper published in Phrack magazine #48 giving to the scene a working implementation of a fake phone-card (fake phone card – part I ; fake phone card – part II) , Phil was caught by Swedish’s police in Sweden but released free of charge. This event marked a stop in his public activities… But we all known how to keep the fun going: he then joined an underground team working on breaking audiovisual broadcast systems, without public release of sensitives information. Nowadays, Phil is working as system administrator for french administration and involved in CTF organasing (GreHack & Ph0wn) on his spare time.


Ph0wn is a CTF dedicated to **smart devices**. The event took place for the first time end of November, on the French riviera. In this talk, we will present what happened “behind the scenes”, i.e. how a CTF such as Ph0wn (and perhaps Insomni’hack too?) is created.

You will learn:

  • How long it actually takes to prepare challenges
  • The issues we encountered
  • What attacks, hacking techniques we registered during the CTF
  • What’s different about a **smart devices CTF** and how we coped with that (or not 😉

Title: Abusing Android In-app Billing feature

Speaker: Jérémy Matos

Jeremy Matos has been working in building secure software for more than 10 years.

With an initial academic background as a developer, he designed and helped implementing a breakthrough mobile two-factor authentication solution. He led code reviews and security validation activities for companies exposed to reputation damage or where the insider is the enemy.

He now provides software security services at his own company. He presented last year at DefCon Crypto Village a new attack vector on encrypted messaging apps called Man In The Contacts. He also teaches application security and blockchain technologies in Swiss and French universities.


Android provides an In-app Billing API so that developers can sell extra features directly in their applications. In-app purchases are often used in games to buy credits enabling to get extra content, lives, etc…

But the integration of the payment feature is most of the time misunderstood: code running on the smartphone cannot be trusted.
Hence all the payment checks and attribution of content should be done on the server side. As it is not crystal clear in the documentation provided by Google, lots of games still do the processing client side.

We will exploit a real world Android game to get free credits. And see how easy it is to reverse engineer it and discover that checks are done client side. Then thanks to Xposed frameworked we will write a one-line only hook bypassing the payment. After that, we will show how to patch the bytecode of this application, injecting the content of the hook, to be able to redistribute it.

Finally, we will provide actionable recommendations on how to avoid that by having a quick look at what is done in AngryBirds.

Title: GLibC Malloc for Exploiters – Leak It, Write It, Become a Wizard.

Speaker: Yannay Livneh

Yannay is a security researcher and a CTF player with interest in Vulnerabilities and Exploitation in various fields – Linux, embedded devices, networking and others. Yannay has published works about various subjects in the past such as Memory Corruptions in various platforms, IoT malwares and Exploit Kit infrastructure. He has given talks in notable conferences in the past – PoC, CCC, HITCON and others. Yannay holds a C.S. degree from Bar Ilan University which he graduated at the age of 18.


The GNU C library – GLibC – is the most used library in any GNU/Linux distribution. It is loaded to almost every process and implements the standard C library API. As an attacker, the GLibC is an invaluable target for abuse and gaining exploitation primitives. In this talk we will focus on the Malloc subsystem – the memory allocator implementation in GLibC – from attackers perspective. We will start with the internals and implementation and continue to attacks. We will see how memory corruptions can lead to information disclosure, effectively bypassing ASLR, and how to write arbitrary memory. Eventually, we will learn how to combine these write primitives with various hooks in the GLibC itself to gain code execution.

This talk is a comprehensive guide to practical heap exploitation from source code to debugger and set-up. We will share hands-on knowledge that was gained in hours and hours of exploit development and CTFing. We will walk through new and surprisingly old, almost forgotten, attacks and see how they can be used in practice. We will also explore some of the near future possibilities and complications, the implications of the changes that were introduced in 2.26 (Aug 2017) and 2.27 (Feb 2018) versions.

Title: SAP Incident Response, real life examples on how to attack and defend

Speaker: Jordan Santarsieri

Jordan Santarsieri is a founder partner at Vicxer where he utilizes his 12+ years of experience in the security industry, to bring top notch research into the ERP (SAP / Oracle) world.
He is engaged in a daily effort to identify, analyze, exploit and mitigate vulnerabilities affecting ERP systems and business-critical applications, helping Vicxer’s customers (Global Fortune-500 companies and defense contractors) to stay one step ahead of cyber-threats. Jordan has also discovered critical vulnerabilities in Oracle and SAP software, and is a frequent speaker at international security conferences such as Black-Hat DC, Hacker Halted, OWASP US, 8dot8 and Ekoparty.


SAP is a core part of the business-critical infrastructure of 95% of the biggest companies in the world, these companies rely on SAP to perform their most sensitive daily operations such as processing employees payroll and benefits, managing logistics, suppliers, customers, credit cards, business intelligence, Etc.
As a veteran SAP forensic investigator, I had the opportunity to experience first-hand how real life adversaries are attacking these kind of systems by executing complex hacking techniques like abusing unauthenticated SAP protocols and standard functionality with the objective of performing espionage, sabotage and fraud attacks.

This scenario is particularly dangerous, as most SAP professionals do not know that many security audit trails do not come by default, leaving the companies almost 100% unprotected in case of a security incident.
Join me on this new and highly technical talk, in which I’m going to explain trough several live demos how attackers are compromising SAP platforms, how they backdoor these platforms and how you can apply different forensic techniques to determine if your system has been compromise and what information has been accessed.

Title: Capturing flags with avatar²

Speaker: nsr

nsr is a PhD student at EURECOM, located in the sunny french riviera. His research topics are covering – amongst others – embedded devices, fuzzing and symbolic execution. Together with his ctf team tasteless, he attended Insomnihack several times and participated successfully in the contest. Additionally, he also gathered experience as ctf organizer by helping to create ph0wn, an embedded hardware CTF.


Avatar² is an open source multi-target orchestration and instrumentation framework, which was released to the public in June last year. While the original purpose of the framework was easing analysis of embedded devices, its underlying concepts enable a way broader usage of the tool.

This talk will highlight the motivation, design and special features of the framework in order to demonstrate how it can be applied in a CTF context, which will involve showcased solving of past challenges.

Title: How to adapt the SDLC for DevSecOps

Speaker: Zane Lackey

Zane Lackey is the Founder/Chief Security Officer at Signal Sciences and serves on multiple Advisory Boards including the National Technology Security Coalition, the Internet Bug Bounty Program, and the US State Department-backed Open Technology Fund. Prior to Signal Sciences, Zane was the Director of Security Engineering at Etsy and a Senior Security Consultant at iSEC Partners.

He has been featured in notable media outlets such as the BBC, Wall Street Journal, Associated Press, Forbes, Wired, and CNET. A frequent speaker at top industry conferences, he has presented at BlackHat, RSA, USENIX, Velocity, Microsoft BlueHat, SANS, OWASP, DevOpsDays, and has given invited lectures at Facebook, Goldman Sachs, IBM, Microsoft, Carnegie Mellon University, and the Federal Trade Commission.


The standard approach for web application security over the last decade and beyond has focused heavily on slow gatekeeping controls like static analysis and dynamic scanning. However, these controls was originally designed in a world of Waterfall development and their heavy weight nature often cause more problems than they solve in today’s world of agile, DevOps, and CI/CD.

This talk will share practical lessons learned at Etsy on the most effective application security techniques in todays increasingly rapid world of application creation and delivery. Specifically, it will cover how to:

1) Adapt traditionally heavyweight controls like static analysis and dynamic scanning to lightweight efforts that work in modern development and deployment practices
2) Obtain visibility to enable, rather than hinder, development and DevOps teams ability to iterate quickly
3) Measure maturity of your organizations security efforts in a non-theoretical way

Title: Email SPFoofing: modern email security features and how to break them

Speaker: Roberto Clapis

Roberto Clapis is a Security Engineer, working as a penetration tester for Secure Network, Italy’s leading security assessment company. He received a B.Sc. degree in Computer Engineering from Politecnico di Milano university in Italy. In his spare time Roberto contributes to open source projects and plays CTF with the “Tower of Hanoi” team. He has a strong interest in developing automated tools to optimize the process of penetration testing and code analysis.


Emails are still the most widespread way to get information about subscriptions and important public services, it is then critical for both users and providers to have a secure way to distinguish between genuine and malicious messages.

To do so, two main standards are currently adopted: SPF and DMARC. This talk will show how they can be circumvented and will describe a case study that allowed, in last October, to elude them in all office 365 email domains. The techniques described open a new attack window to circumvent most of cloud based email servers.

The session will detail how to detect and exploit such attack windows and how to protect against the aggression vectors described.

Title: Maximize the power of hex-rays decompiler

Speaker: Igor Kirillov

Security researcher, reverse engineer. At first, researching was just a hobby: then he developed and supported a bot for an online game while researching security mechanisms that would prevent the bot from executing. Then, it became his profession and life-long passion. He is also a C and Python programmer at Embedi interested in automatization of reverse engineering and searching for vulnerabilities in IoT devices.


IDA Pro Hex-Rays decompiler serves as a perfect abstraction producer over assembly language.
Its main advantage is that it gives an opportunity to modify the pseudo-code, making it as transparent and clear as possible. However, the process is extremely laborious, time-consuming, and even tedious, because, as a rule, the original code is a complete mash of standard types and variables. Standard functionality IDA Pro is equipped with are not of much help either. A major stumbling block all researchers come across in the process is structure recovery. In a decompiled code, field references look like pointer dereferences with some offset. The core feature of HexRaysPyTools plugin enables its user to collect the references of the code in a semi-automatic mode. After that, the information gathered in the GUI may be corrected and transformed into a complete structure.

Also, the plugin adds cross-refs by structure fields, helping to identify the purposes they serve much easier. Along with that, the plugin is equipped with a wide range of features that simplify the process of reverse engineering:

  • Symbols and rtti information are used to create names of virtual tables and classes
  • Assert functions can be used to automatically rename functions
  • The GUI for classes and their methods
  • Makes structure graphs
  • Negative offsets handling
  • Makes recasts and changes names. Simplifies the process of changing names and types
  • Cross-references to virtual functions
  • Modifies and hides “if – then” branches. Hides switch-branches separately

Title: Battle of the Smarts: Hacking Smartphones with Bluetooth Smart

Speaker: Tal Melamed

Tal (@_nu11p0inter) is a Cyber Security Expert, leading and executing a variety of security projects for IoT, Mobile, Web, and Client applications. Currently working with AppSec Labs (ISR), Synack (USA) and FBK (ITA), and previously at Amdocs, CheckPoint and RSA, Tal has more than a decade of experience in security research and vulnerability assessment.

Tal is also veteran trainer; instructing and lecturing for security around the globe, and a neat developer; experimenting daily in offensive and defensive security.

Mixing Security with Education and R&D is his brew. On the Trento-Tel Aviv line. Breaking, building and Preaching since 99′.


IoT is already embedded in our everyday lives, bur despite the serious impact that IoT vulnerabilities may have on us, the security and privacy are sometime left behind for comfort and other reasons, Bluetooth Low Energy (BLE), also known as Bluetooth Smart is the most popular protocol used for interfacing IoT and smart devices. Broadly used in the healthcare, fitness, security, and home-entertainment industries, nowadays we encounter BLE in almost every aspect of our lives (e.g. in wearables, sensors, medical devices, security products, etc.).
This talk will demonstrate a possible BLE Man-in-the-Middle (MitM) attack leading the hacker to control our smartphones.

Title: Threats of Tomorrow: Using Artificial Intelligence to Predict Malicious Infrastructure Activity

Speaker: Staffan Truvé

Staffan co-founded Recorded Future in 2009. Previous to that, he was CEO of the Swedish Institute of Computer Science and Interactive Institute. Before that, he was CEO of CR&T, a research-oriented consulting company and technology incubator.

Staffan has co-founded or helped launch more than a dozen high tech start-ups, including Spotfire, Appgate, SmartEye, PilotFish, Makewave, Gavagai, Peerialism, Axiomatics, and Recorded Future. He has been on the board of several other high-tech startups, and has acted as a senior advisor to InnovationsKapital, a leading Swedish VC fund.

Staffan holds a PhD in computer science from Chalmers University of Technology. He has been a visiting Fulbright Scholar at MIT and holds an MBA from Göteborg University. His research interests include parallel and distributed computing, artificial intelligence, information visualization, and open source intelligence.Staffan is a member of the Royal Swedish Academy of Engineering Sciences, and is currently chair of division XII of the academy, Information Technology.


The ever-increasing scale and complexity of cyber threats is bringing us to a point where human threat analysts are approaching the limit of what they can handle. We believe the next-generation of cyber threats must be tackled by a combination of machines equipped with artificial intelligence (AI) and human analysts.

A new approach to forecasting malicious IP infrastructure by using machine learning.

Title: 5G Machine Learning

Speaker: Craig Gibson

With 18 years of project management, product development, architecture and investigations experience, Craig Gibson is currently dedicated to researching the evolution of the threat landscape – specifically trying to understand future impacts to government, health, banking and telecom sectors. As a United Nations delegate to China, Gibson has previously spoken internationally on topics including disruptive telecommunications, 9-1-1, public safety, payment cards, the security of voice services, call center authentication (cost reduction) and criminal code issues relating to fraud and unlawful interception of communications. Additionally, he has spoken on national infrastructure security topics to diplomats visiting Canada, as well as public safety, military officials and police executives


In 5G networks, the point is scalability, speed, and automation, reducing the need for human staff. When you multiply complexity while dividing staff, you lose a lot of control over your company (i.e. your network). A way to get this control back and keep it is a “virtual network security architect’ called a Security Orchestrator, which works with Machine Learning to define the business requirements of the security architectures it designs (and implements!) several times each day.

This talk addresses what 5G is, what Orchestration is, and some of the complex and subtle issues involved in getting automated security architecture right without introducing macro-level enterprise vulnerabilities.

Title: Reducing the Cyber Exposure Gap from Cloud to Containers

Speaker: Thomas Cueni, Tenable

Thomas Cueni joined Tenable as a Security Specialist for Switzerland and Austria. He is a cybersecurity professional with almost fifteen years of technical experience in network and endpoint security, security operations and vulnerability management. Prior to joining Tenable he was working for FireEye and Blue Coat (now Symantec), where he was doing pre-sales for major global accounts based out of Switzerland.


Securing the modern attack surface is a critical challenge you must effectively address to reduce cyber exposure and protect your enterprise. This interactive session will cover :

  • Making the attack surface as small as possible
  • Understanding asset priority and location
  • Expanding visibility and control over assets beyond the perimeter
  • Enhancing basic security practices to accommodate more dynamic IT environments

Title: How to build Least privilege security architecture for virtualization and cloud environments

Speaker: Ghaleb Zekri, VMware

Ghaleb Zekri is a Senior Systems Engineer in the EMEA NSX specialist team at VMware. He works closely with customers in the design, build and implementation phase of their Software-Defined Data Centre migration, using virtual networking and security software (NSX) technology to create more secure, adaptive and agile network environments.
Based in Paris, Ghaleb works with partners across the VMware ecosystem to implement NSX-enabled networks and believes that a primary driver of adoption is its ability to make the provisioning of networks simpler and more effective. He takes the view that NSX is helping to bring simplicity to the ever complex world of network security.

Ghaleb brings more than 15 years of industry experience in security and system engineering to the team, having held senior roles at both large enterprises and vendor organisations. Prior to joining VMware in 2015 he spent 5 years at Juniper Networks, where he became a Security Consulting Engineer in the Juniper Networks Center of Excellence. Before that he was the Security Solution Architect at IBM, where he played an important role in the development of the Internet Security Systems within IBM Global Technology Services.


A primary challenge to both end-user security and data center security is the way the two have fallen behind the vast changes that have transformed both.

Given the size and complexity of modern IT infrastructures, digital transformation and the advent of cloud technologies, least privilege and cyber hygiene, are the foundation for a new approach to understanding security risks and how to mitigate them. Least privilege is the concept that an application or service—or on the end-user computing side, a user or device—should only have access to the information or resources that are necessary for its legitimate purpose. It is a principle that promises to unify the approach to improving both end-user and data center security. It focuses the organization on the real risk—the applications and data—.

During this session we will go through Least privilege security architecture for virtualization and cloud environments that helps reducing the complexity while containing and shrinking the risk.

Title : Security by Design: Reality vs Expectations

Speaker : Julien Patriarca, Wallix

Julien has more than 10 years of professional experience in Cyber Security and is an Ethical Hacking enthusiast. He first joined WALLIX in 2010 as a pre-sales engineer to quickly become head of professional services, developing a deep expertise of the Bastion and PAM in general. Now considered the Bastion expert, he works on critical development projects for WALLIX’s top customers.


In this hyper-connected world, thanks to the emergence of the IOT and an ever-growing regulatory landscape requiring increased responsibility regarding data security, developers can no longer ignore the principle of “security by design”.

In this session, Bastion expert Julien Patriarca will discuss this approach from a technological point of view. Can we really anticipate all security breaches with technology and defense mechanisms? How do we account for the human element? Where do the responsibilities of the developer stop? Using real-life examples, Julien will share best practices to implement the “Security by Design” approach effectively, while making it seamless for end-users.

Title: Unmasking stealth operations using UBA super powers

Speaker: Snir Ben-Shimol, Varonis

Snir is the Head of Cyber Security at Varonis, leading the security research, forensics and incident response teams. Snir began his career in the IDF Technology and Intelligence unit and continued as a Security Researcher in the Israeli Prime Minister’s Office.

Since then, he has worked in the Advanced Security Center of EY as the Cyber Security Advisory leader, managing red-team operations and risk assessments. He has advised major international corporates and high-profile individuals to build their security resilience and protect their organization. Prior to his current role, he led Radware’s Cyber Security Research division, responsible for innovation and security solution capabilities.


The problem of evasive threats is rapidly gaining steam. The advanced techniques of composing stealth operations that were once possible only for the most sophisticated state-actors, turned out to be more common. Slow and low attack techniques, lateral movement and sophisticated data exfiltration methods are only a few of the new challenges outmaneuvering enterprise security.
By leveraging behavioral analytics and machine learning capabilities using only event logs, we can identify such evasions and protect against both adversaries and insiders.