Conference Schedule 2017


The conference will take place on March 24 2017, here is the schedule of the talks :

Time Track 1 (room K) Track 2 (room F) Track 3 (room G)
9h15 - 9h30 Welcome & Introduction
Alain Mowat
9h30 - 10h30 Bridging the gap between ICS(IoT?) and corporate IT security
Stefan Lüders
10h30 - 11h00 Coffee break
11h00 - 12h00 DevOops Redux
Chris Gates & Ken Johnson
12h00 - 13h30 LUNCH
13h30 - 14h30 Modern reconnaissance phase on APT – protection layer
Paul Rascagnères
On the Need for Integrated Circuit Security
Olivier Thomas
From your PC to your nearest ATM
David Sancho, Trend Micro
14h30 - 15h30 RHME2 CTF challenges and solutions
Eloi Sanfèlix & Andres Moreno
A new Source of trouble - Remote exploitation of the Valve Source game engine
Amat Cama
The State of Security: Securing today's elastic IT assets
Jens Freitag, Tenable
15h30 - 16h00 Coffee break
16h00 - 17h00 Automating Computer Security: Why we need computers, and why they still need us
Tyler Nighswander
La sécurité pour les managers (French)
Georges Torti
Dissecting a Metamorphic File-Infecting Ransomware
Raul Alvarez, Fortinet
17h00 - 18h00 Phishing your way through Two-Factor Authentication
Michele Orru
How we hacked Distributed Configuration Management Systems
Francis Alexander & Bharadwaj Machiraju
Locked Shields – Cyber Defence Exercise & RUAG’s Cyber Training Range
Peter Hladký, RUAG


Title: Bridging the gap between ICS(IoT?) and corporate IT security

Speaker : Stefan Lüders

Stefan Lüders, PhD, graduated from the Swiss Federal Institute of Technology in Zurich and joined CERN in 2002. Since 2009, he is heading the CERN Computer Security Incident Response Team as CERN’s Computer Security Officer with the mandate to coordinate all aspects of CERN’s computer security --- office computing security, computer centre security, GRID computing security and control system security --- whilst taking into account CERN’s operational needs. Dr. Lüders has presented on computer security and control system cyber-security topics at many different occasions to international bodies, governments, and companies, and published several articles.


The European Organization for Particle Physics, CERN, is running the world’s most-powerful particle accelerator, the Large Hadron Collider (LHC). Like a production plant, the LHC employs a series, actually more than 125, different commercial and custom-built control systems of different sizes. While its operational efficiency and safe operation is essential, computer security protections must not be neglected. However, as the LHC as well as its four attached physics experiments are one-time prototypes developed under the expertise of a world-wide community of physicists and engineers, who are constantly improving and extending the LHC and its experiments, this computer security must be suitably balanced with the need for academic freedom in research… This presentation will give an overview on LHC technologies and physics, the complexity of control systems needed to run the LHC, and the go’s and no-go’s of securing them.

Title: DevOops Redux

Speakers : Chris Gates (@carnal0wnage) & Ken Johnson (@cktricky)

Ken Johnson, CTO of nVisium, has been hacking web applications professionally for 8 years. Ken is both a breaker and builder and currently leads the nVisium product team. Previously, Ken has spoken at DerbyCon, AppSec USA, AppSec DC, AppSec California, DevOpsDays DC, LASCON, RubyNation, and numerous Ruby, OWASP, and AWS events. Ken is currently investing his time between OWASP’s Railsgoat, Elxir and Go, as well as all aspects of AWS offerings.

Chris Gates has extensive experience in network and web application penetration testing, Red Teaming and Purple Teaming. Chris is currently learning to be a part time fixer instead of full time breaker. In the past he has spoken at the United States Military Academy, BlackHat, DefCon, Toorcon, Brucon, Troopers, SOURCE Boston, Derbycon, LasCon, HashDays, HackCon, Bsides ATL, IT Defense, OWASP AppSec DC, and Devops Days. Chris is also a cofounder of NoVAHackers.


DevOps tool-chains are transforming Modern IT, but hackers can undermine their benefits through poorly implemented or vulnerable DevOps tools. Chris Gates and Ken Johnson will share their collaborative attack research into the technology driving DevOps. They will share an attacker’s perspective on exploiting DevOps organizations and the countermeasures these organizations should employ.

Title: Automating Computer Security – Why we need computers, and why they still need us

Speaker :Tyler Nighswander (@tylerni7)

Tyler has been a computer hacker for several years. While an undergraduate student at Carnegie Mellon University, Tyler was one of the initial members of the hacking team known as the Plaid Parliament of Pwning. This team rose from a small group of students to one of the top competitive hacking teams in the world. After traveling around the world competing in hacking competitions, Tyler settled down and now works on making humans and computers think more like hackers at ForAllSecure. In 2016, the automated system he helped create won the DARPA Cyber Grand Challenge.


Automatic bug finding and exploitation have been something of a Holy Grail for security for some time. Although we have a long ways to go before we're all out of a job, the recent Cyber Grand Challenge at DEF CON 24 showed that automatic binary exploitation is further along than most people might expect. In 10 hours we saw 7 supercomputers compete in a state-of-the-art capture the flag competition with no humans at all, finding bugs in and patching complex pieces of compiled code. We will discuss this competition and some of the results, and learn about what can be expected of automated systems today and in the near future.

Title: Modern reconnaissance phase on APT – protection layer

Speaker : Paul Rascagnères (@r00tbsd)

Paul is a security researcher within Talos, Cisco’s threat intelligence and research organization. As a researcher, he performs investigations to identify new threats and presents his findings as publications and at international security conferences throughout the world (Recon, Shakacon,, Syscan360…). He has been involved in security research for 7 years, mainly focusing on malware analysis, malware hunting and more specifically on Advanced Persistence Threat campaigns and rootkit capabilities. He previously worked for several incident response teams within the private and public sectors.


This presentation will show how APT actors are evolving and how the reconnaissance phase is changing to protect their valuable 0-day exploit or malware frameworks. This talk will mainly focus on the usage of Office documents and watering hole attacks designed to establish if the target is the intended one (we will mention campaigns against political or military organizations). The techniques and the obfuscation put in place by these actors will be described in detail (techniques based on Macro, JavaScript, PowerShell, Flash or Python). At the end of the presentation, we will show different mitigations to help attendees protect their users.

Title: RHME2 challenges and solutions

Speakers : Eloi Sanfelix (@esanfelix) & Andres Moreno

Eloi Sanfelix works as a Principal Security Analyst at Riscure, where he performs security evaluations on different products ranging from software-based solutions to embedded systems. Most of his working time is currently spent reverse engineering and analyzing protected software such as DRM systems and mobile payment applications, as well as the security of the software and hardware side of Trusted Execution Environments. In the last few years, he has also been involved in evaluating the security of embedded systems and smart card technology, mostly for the PayTV and the payment industries. In his spare time, Eloi enjoys participating in CTF competitions with the int3pids team.

Andres Moreno works as Security Analyst at Riscure B.V. His formal education is on electrical engineering, signal processing, and control. He worked on power systems for some time before moving into security as a full time job. He works mainly with the payment industry evaluating host card emulation solutions, and has worked in the past with embedded systems for the conditional access industry and smart cards.


An embedded CTF called rhme2 (Riscure Hack Me 2) started in November 2016, running until February 28 2017. Riscure prepared a small arduino board with a custom bootloader and shipped it to 500 participants, allowing them to load 22 challenges in the following categories: Side Channel Analysis, Fault Injection, Reverse Engineering, Cryptography, Software Exploitation and Other. In this talk we will take a look at the results of the game, highlight the most interesting challenges and the most surprising solutions we received from the challenge participants.

Title: La sécurité de l’information pour les managers

Speaker : Georges Torti

Georges Torti exerce actuellement en qualité de responsable de la sécurité de l’information et gestion des risques auprès de la Confédération. Avant de réorienter sa carrière professionnelle dans le domaine de la sécurité des systèmes d’information, il a été en charge durant près de 15 ans de la direction des systèmes d’information d’une société d’un groupe international. Il a ainsi une très bonne maîtrise des différents processus d’un département informatique, qu’ils soient stratégiques, tactiques ou opérationnels. Il est entre autres titulaire des certifications CISA (auditeur informatique) et CISM (responsable sécurité).


Quelle que soit sa taille, une PME doit prendre conscience qu’elle peut être à tout moment confrontée à la cybercriminalité. Qu’il s’agisse, par exemple, de malveillances visant à la destruction de données ou d’espionnage économique, les conséquences des attaques informatiques pour les entreprises sont généralement désastreuses et peuvent impacter leur pérennité.
Les directeurs doivent comprendre et appréhender la cyber sécurité comme un problème de gestion des risques à l’échelle de l’entreprise et non la considérer comme une question informatique.
La conférence a pour ambition d’expliquer aux cadres et chefs d’entreprises ce qu’est la sécurité de l’information, les mythes souvent rencontrés dans nos entreprises, ainsi que quelques flashs sur des domaines spécifiques pour mettre en œuvres une sécurité de l’information efficace dans l’entreprise.

Title: From your PC to your nearest ATM – a history of the sneakiest financial malware

Speaker : David Sancho, Trend Micro

David Sancho joined Trend Micro in 2002, having fulfilled a variety of technical security-related roles. Currently, his title is Senior Anti-Malware Researcher, and he specializes in web threats and other emerging technologies. In his more than 17 years of experience in the security field, David has written and published a number of research papers on malware tendencies, has been featured in the media, and has participated in customer events where he has presented on business issues and malware-related topics. His interests include web infection methods, vulnerability exploitation, and white-hat hacking in general.


The traditional way of milking dry a bank's automated teller machine (ATM) was to blow it up. Literally, steel and everything... but there's a new kid on the block. Modern criminal gangs around the world have now figured out that deploying ATM malware is an easy shortcut to jackpot up to the latest banknote inside. In this talk, we describe all the reasons that have led the criminals to develop their new golden goose, the strategies they use and each of the main malware families in this new battlefield as well as the criminal organizations responsible for this new threat. The challenge these malware writers face is accessing the special hardware of these machines: pinpad, card reader and the cash cassettes. Different malware families solve this their own particular way. The paper describes each family in detail as well as the geographical area it comes from. An overview of the criminal organizations behind these threats is presented. We will conclude with some lessons learned and recommendations on how to protect these very special machines.

Title: Dissecting a Metamorphic File-Infecting Ransomware

Speaker : Raul Alvarez, Fortinet

Raul Alvarez joined Fortinet in 2004, and is currently working as a Senior Security Researcher/ AV Team Lead. He also one of the Lead Trainer responsible for training the junior AV/IPS analysts in malware analysis and reverse engineering. Raul has presented in different conferences like BSidesVancouver, BSidesCapeBreton, OAS-First, BSidesOttawa, SecTor, DefCamp, BCAware, AtlSecCon, BSidesCalgary, and TakeDownCon. He is also a regular contributor to the Fortinet blog and the Virus Bulletin publication, where he has published 22 articles.


Virlock is a polymorphic file-infecting ransomware. It is capable of infecting executable files and at the same time, hold your computer hostage.

Running a single infected file is a sure way of infecting your computer all over again. That is one of the main goals of Virlock. As a ransomware, the malware makes sure that you won’t be able to use your computer until you pay the ransom demand. And to make our lives, even harder, Virlock employs an on-demand polymorphic algorithm, where each and every copy of the infected executable file is different from each other. And there is more, Virlock is not only a polymorphic file-infecting ransomware. The initial set of the malware code is metamorphic in nature.

In this presentation, we will dive deep in Virlock’s code to expose how it implements its metamorphic code, and how it uses an on-demand polymorphic algorithm. We will also look at how we can detect Virlock, and how we can clean an infected file. We will also look into not only how the metamorphic algorithm works, but also on how it generates the metamorphic algorithm itself.

Title: How we hacked Distributed Configuration Management Systems

Speakers : Francis Alexander & Bharadwaj Machiraju

Francis Alexander is an Information Security Researcher and the author of NoSQL Exploitation Framework. He has a strong vision of Free & Open Information Security Education for all. His areas of interest includes web app & standalone app security, DBMS security, coding tools and fuzzing. He has spoke at multiple conferences such as Troopers, HITB AMS 2014, Hack in Paris 2014, 44Con 2014, Derbycon USA 2013, Defcon Kerala and Defcon Bangalore. All his tools are available at

Bharadwaj Machiraju is project leader for OWASP OWTF. He is mostly found either building a web appsec tool or hunting bugs for fame ( All tools are available at and all ramblings at He spoke at a few conferences including Brucon, Pycon India etc.. Apart from information security, he is interested in sleeping, mnemonic techniques & machine learning.


With increase in necessity of distributed applications, coordination and configuration management tools for these classes of applications have popped up. Zookeeper and Consul being one of them are the base to many systems like Hadoop,Kafka,Apache Mesos etc. These systems might pop-up occasionally during penetration tests. The major focus of this research was to find ways to abuse these systems as well as use them for getting deeper access to other systems.

The talk deals with how they came across and exploited different configuration management systems during their pentests.

Title: Phishing your way through Two-Factor Authentication

Speaker : Michele Orru (@antisnatchor)

antisnatchor is the lead core developer and smart-minds-recruiter for the BeEF project. Michele is also the co-author of the "Browser Hacker's Handbook". He has a deep knowledge of programming in multiple languages and paradigms, and is excited to apply this knowledge while reading and hacking code written by others. Michele loves lateral thinking, s/fishing/phishing/, black metal, and the communist utopia (however, there is no hope). He also enjoys speaking and drinking at a multitude of hacking conferences, including CONFidence, DeepSec, InsomniHack, Hacktivity, SecurityByte, AthCon, HackPra AllStars, ZeroNights, OWASP AppSec USA, 44Con, EUSecWest, Ruxcon, KiwiCon, PXE, BlackHat. Besides having a grim passion for hacking and programming, he enjoys leaving his Mac alone, while s/phishing/fishing/ on saltwater and hoping for Kubrick's resurrection.


If you do Phishing attacks on a regular basis, you will end up using a framework or scripts to automate some of the tedious parts. You have your preferred web stack for phishing pages, your custom SMTP delivery system (with SPF/DKIM enabled AND good reputation - of course), your custom payloads, and you need to maintain all of that while evolving it at the same time.

PhishLulz is an open source bundle of PhishingFrenzy, BeEF and other custom tools tailored to the fisherman. Multiple real-life engagements done with PhishLulz will be discussed, including automated functionality to concurrently grep and extrude content from OWA and Outlook 365 webmails using different credentials. You will also discover how Two-Factor Authentication is effective mostly via 'security by obscurity', as in when the attacker has zero knowledge about the presence and implementation of the 2FA solution. By fingerprinting in advance the 2FA solution, and having ready phishing templates to steal the second factor tokens, you will see how trivial bypassing 2FA can become.

Expect demos on real applications protected by 2FA via SMS/Hardware/Software-based tokens (Opsec here until you come to the talk :-).

Title: A new Source of trouble – Remote exploitation of the Valve Source game engine.

Speaker : Amat Cama (@amatcama)

Amat Cama is a senior security researcher at Chaitin Tech ( He likes exploitation and reverse engineering. From time to time, 'acez' also plays CTFs with his teammates from Shellphish.


A lot of research has been done on video game engines in the past but mostly these studies have been focused on developing cheats or other types of custom modifications to gameplay. Every day millions of people play online multiplayer games and expose themselves to the dangers of the internet, however, for some reason the security industry has not paid much attention to this field although online multiplayer games have been around for a long time.

In this talk, we will have a look at the Valve Source game engine as featured in 'Team Fortress 2', 'Counter Strike Global Offensive' and a number of other games. We will describe the inner workings of the game engine in order to get a basic understanding of how it works, and then we will have a look at some vulnerabilities that were discovered and how to remotely exploit them.

Of course, the talk wouldn't be complete without a demo.

Title: On the Need for Integrated Circuit Security

Speaker : Olivier THOMAS (@reivilo_t)

Oliver THOMAS studied Electrical Engineering (EE) and subsequently worked for a major semiconductor manufacturer designing analog circuits. Subsequently, Olivier began to work in the field of Integrated Circuit (IC) security as the head of one of the world’s leading IC Analysis Labs. The lab primarily focused on securing future generation devices as well as developing countermeasures for current generation devices to combat piracy and counterfeiting. During this time Olivier helped develop many new and novel techniques for semi- and fully-invasive IC analysis. He has an extensive background in all the Failure Analysis techniques and equipment necessary for accessing vulnerable logic on a target device.

Combined with his experience as an IC design engineer, Olivier continues to develop techniques for automating the analysis process. These techniques are not only applicable to lower-complexity devices such as smartcards, which are the traditional targets for IC analysis, but they are applicable to modern semiconductor devices with millions of gates, such as modern System-on-Chips (SoCs). Olivier is the author of ARES (Automated Reverse Engineering Software), a software toolchain for the efficient analysis of designs of independent of their logical size. He is the founder and a security consultant at Texplained SARL


Microchips are everywhere and are going to take a central place in the massively interconnected world that should rise from the fast development of the IoT. Cybersecurity is focusing on the communication layer and on the protocol side. Therefore, one can easily assume that embedded firmware are at a critical place and that software / data / keys stored in microchips must be inaccessible.

Considering security starts at the embedded firmware level is a mistake as this code and its associated data are secure as long as they stay hidden from the outside world.

Despite the huge effort that PayTv CAS providers, among others, have put on the table, many examples of badly protected firmware and data are becoming public. The recent DDOS attacks that took profit of poor key management of IoT devices is one example. In addition, every time a product has its white branded version such as printer cartridges or video game controllers or any other "consumable", there is a high probability that an invasive attack has been performed to dump embedded software and keys.

In that context, it is mandatory to question the security of ICs and to perform adequate evaluation. Invasive attacks are believed to be expensive and time consuming but that belief is pretty old and is not adequate any more. On top of that, Integrated Circuit Reverse-Engineering is now possible which increases dramatically the potential of such attacks.

This talk aims at describing IC reverse engineering and the potential attacks that can be derived from a complete chip analysis. It will be based on real world scenario and on Texplained's experience and processes.

Title: The State of Security: Securing today's elastic IT assets

Speaker : Jens Freitag, Tenable

Jens Freitag is a Senior Security Specialist at Tenable Network Security and has been working in the IT industry for over twenty years. Before Tenable he worked for security companies like Sophosand Avira. He has published numerous articles and is an experienced speaker at conferences.


With increasing threats and a constantly changing IT landscape, it's more challenging than ever to keep up with identifying vulnerabilities and, more importantly, fix them. As organizations embrace public cloud, mobile and DevOps, the fundamental concept of an asset changes, and radically impacts how security teams performs their jobs and interacts with the rest of the organization.

This presentation will give you an overview of fresh vulnerability management approaches that give the visibility and insight to protect what matters most.

Title: Locked Shields – Cyber Defence Exercise & RUAG's Cyber Training Range

Speaker : Peter Hladký, RUAG

Peter Hladký graduated from the Swiss Federal Institute of Technology (ETH Zurich) and holds a Master's degree in Computer Science with specialization in Information Security. In the past, Peter worked as a Linux System Administrator Intern at Google – New York, Research Intern in the field of Cryptographic Protocols at IBM Research Lab – Zurich, Software Engineer at AdNovum, and Senior Consultant in Information Security at KPMG where he worked on number of cyber security and client data confidentiality engagements primarily with Swiss banks. Peter joined RUAG in 2016 and his current activities include building some of RUAG’s Cyber Security Services, preparation and execution of trainings at RUAG’s Cyber Training Range, and participating in this year’s Locked Shields – Cyber Defence Exercise.


The NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE) in Estonia is organizing the largest and the most advanced live-fire cyber defence exercise in the world on a yearly basis since 2010. The exercise grows each year and it is estimated that in April 2017 it will be the largest one conducted so far with over 600 players from about 26 different nations, with 20 defending blue teams and an attacking red team with more than 60 members. This presentation will give an overview of the exercise with its different teams and their roles, as well its complexity in terms of organization and infrastructure. As the preparations of this year’s exercise are still ongoing, details will be omitted, so the surprises prepared for the defending blue teams remain unspoiled. The presentation will be concluded with an overview of RUAG’s Cyber Training Range and compared with the Locked Shields. This presentation will be rather non-technical.